RISK BASED INTERNAL AUDIT

Risk Based Internal Audit

Risk Based Internal Audit

Introduction

The risk-based internal audit (RIBA) approach seeks to improve audit effectiveness and efficiency by shifting the function from a policing activity to one that contributes effectively to managing risk and achieving wider organizational goals. The approach aims to increase the accountability of government ministries and line agencies by ensuring transparency, validating key systems of internal control, and committing resources against key risks.

Risk Based Internal Audit (RBIA)

Traditional audits focus primarily on compliance with rules and procedures, and their recommendations may not give management enough information about the achievement of organizational goals. RIBA involves high-level risk profiling of the audit portfolio over time; thus it facilitates strategic use of scarce audit resources, aligns audit efforts with management objectives, facilitates institutional development, and reduces risk exposure by focusing attention on areas of weakness (Dessalegn et al, 2007, pp 470-484).

In RIBA, risk is measured by assessing the ethical climate, competence of personnel, size of assets and of operations, materiality, and results of previous audits. Direct probability estimates, normative tables, and comparative risk ranking are typically used to identify risk. Risk factors are then converted from conceptual and subjective (qualitative) data into quantitative data. An overall risk score is derived by scoring and weighing the risk factors. The result is a risk-based engagement plan that guides the deployment of audit resources to high-risk areas (Knechel and Willekens. 2006, pp 344-1367)..

Risk Based Internal Audit Function

A sound Risk Based Internal Audit function plays an important role in contributing to the effectiveness of the internal control system. It should provide the management with accurate information on the effectiveness of risk management and internal controls including regulatory compliance by the bank. At present, there are various types of internal audit, which basically adopt the methodology of transaction testing, testing of accuracy and reliability of accounting records and financial reports, integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements. However, all these do not provide any opinion on the qualitative dimension of business management including risk management. As such, there is a need for redefining and redirecting the scope of audit so as to take care of adoption of modern tools of risk management, adequacy and effectiveness of such tools, as well as to assist the business units to mitigate the risks (Knechel and Willekens. 2006, pp 344-1367)..

The above paradigm shift in the focus of internal audit can be achieved by modifying the approach towards audit, making it risk based. Towards this end, RBI had issued to banks in December 2002 broad guidelines on RBIA, which are expected to undertake an evaluation of the risk management systems and control procedures prevailing in branches as well as in other functional areas. While focusing on effective risk management and controls, RBIA would not only offer suggestions for mitigating current risks but also anticipate areas of potential risks and play an important role in protecting the bank from various ...