Mr. Amit Shroff, CEO of Arvog
In recent years, there has been a noticeable shift in management’s emphasis on risk. Instead of relying on internal auditors to confirm that controls are adequate and effective, boards of directors increasingly seek to verify that risk management happens within acceptable bounds. When conducting internal audits, the notion is sadly not always well understood. So, let’s comprehend the nuances of risk-based internal audits better here.
Understanding Risk-Based Internal Audit
Risk-based internal auditing allows businesses to evaluate and minimise the risks in their processes. This method combines data analytics with risk assessments to determine which parts of the business are most susceptible to risk. For a risk-based internal audit to be successful, it must first offer an unbiased assessment of the company’s controls and then suggest changes to make operations safer and more efficient.
Traditional vs. risk-based internal audits
Risk-Based Internal Audit (RBIA) redefines traditional audit methods by focusing on management’s risk assessments. Here is how it differs from conventional internal audits:
- While traditional internal audits confirm control effectiveness and make recommendations, RBIA relies on management’s responsibility for organizational risk management.
- RBIA audits the management-built risk processes, aligning with their risk assessment. This approach ensures audit resources assess the most significant risks, fostering greater management involvement.
- RBIA may explore new organizational areas not covered by traditional internal audits, focusing on control effectiveness in managing risks
- Audit techniques remain similar, emphasising controls’ efficacy for significant risks over detecting incorrect or fraudulent transactions or insignificant risks.
Stages in RBIA
Employing the risk-based internal audit methodology, internal audit ensures a consistent approach through planning and execution processes, delivering risk management assurance
Planning: In planning, auditors familiarise themselves with the business, assess risk maturity, review management’s risk assessment, and decide reliance on the risk register.
Reporting: This phase concludes with identifying auditable units, grouping significant risks, scheduling audits, and presenting the yearly plan to the audit committee.
Executing: The execution process involves individual audits, reporting issues, and tracking management’s implementation of accepted recommendations.
RBIA, depicted in the accompanying diagram, provides a structured framework for delivering effective risk assurance.
Risk-Based Internal Audit RBI Guidelines
The Reserve Bank of India (RBI) has published guidelines defining the risk-based internal audit structure designed specifically for primary (urban) cooperative banks (UCBs) and non-banking financial companies (NBFCs). It has been effective since March 31, 2022.
The subject of this RBIA framework is supervised entities (SEs), which include
- Deposit-taking and non-deposit-accepting NBFCs (which include Core Investment Companies) with ₹5,000 crores or more in assets and
- UCBs with ₹500 crores or more in assets.
The aim is to enhance the efficiency of internal audit procedures and systems in these organisations.
Challenges and Considerations
Business plans shift daily, which presents a significant difficulty for RBIA because there is no consensus on the ideal way to handle its implementation. Compared to more conventional methods, managing RBIA is more difficult.
To have an effective RBIA, you must understand the association’s risk appetite and the company’s requirements for defining control measures that can reduce risks to a reasonable level.
Audit departments often assume they are risk-based, although the audit strategy typically focuses on departments and processes. Assessing management’s most pressing risks is the first step in conducting a risk-based audit.
Parting Thoughts
Each company has its own unique perspective on risk and its own unique set of structures, cycles, and procedures, making risk management a complex space that calls for a wide range of audits. Ultimately, an RBIA works to strengthen all risk management duties and contributes to the development of a robust risk management framework.