Risk-based Internal Audit and Checklist-based Audit - Are They Mutually Exclusive?

Focus NBFCs & HFCs considering RBI’s recent guideline on RBIA

Background

Earlier this year (Feb'2021) RBI had released a circular for NBFCs (All deposit-taking NBFCs, irrespective of their size; All Non-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above; and All UCBs having asset size of ₹500 crores and above) to mandating Risk Based Internal Audits. Later there was another circular in June'21 mandating HFCs (All deposit-taking HFCs, irrespective of their size, and non-deposit-taking HFCs with asset size of ₹5,000 crores and above).  

RBI had also shared an annexure detailing the guidelines on Risk-Based Internal Audits (RBIA).  The timeline to adopt this was also fixed as the end of March 2022.  

Below are excerpts from the annexure that is relevant for the points being discussed here, in this article.  

Historically, the internal audit system in NBFCs/UCBs has generally been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, adherence to legal and regulatory requirements, etc. However, in the changing scenario, such testing by itself might not be sufficient. Therefore, SEs will have to move towards a framework that will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures in various areas of operations. This will also help in anticipating areas of potential risks and mitigating such risks.

While the Risk Management Function should focus on identification, measurement, monitoring, and management of risks, development of risk policies and procedures, use of risk management models, etc., RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity/location and the effectiveness of the control systems for monitoring such inherent risks.

What is RBIA?

IIA defines risk-based internal auditing (RBIA) as a methodology that links internal auditing to an organization's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

Stages involved in RBIA

1. Assessing Risk Maturity
2. Periodic Audit Planning - Risk-based planning
3. Individual Audit Assignments - Actual Audits

Not dwelling deeper into the above stages as that is not the topic intended to be discussed here.  

This article is about the third stage - Audit Execution.  

Carrying out the Audits - General RBIA approach.  

Generic RBIA process follows the below steps

1. Audit planning and research
2. On-site Audit  

               a. Process walkthrough

               b. Identifying the risks

               c. Identifying the controls - availability

      3. Control testing - existence and efficacy

       4. Report writing

The above is a high-level process followed by auditors in any mission/audit engagement and holds good for many industries/domains.  

Is this model practical for an NBFC or HFC? Will it work effectively? This approach may work for department/functional or head office audits only.  I see the following challenges for branch audits, which are an integral part of IA.  

1. Expecting every auditor to do a process walkthrough at a branch level, maybe too much of an overkill.
2. It will be left to the subjective call of the Individual Auditor (Very good in many circumstances)  
3. The outcome of the audits at a branch level may not be comparable
4. An overall rating/ranking of the branches on Audit performance may be skewed as the approach to audit is individualized.  
5. The model may not be scalable
6. Requires a high level of training
7. Requires highly qualified and experienced auditors (Senior auditors) to perform the Audits
8. Time spent on each audit engagement would be high

What is the solution then?

This is where the checklist comes in. The process followed across all Branches of an organization shall be the same and is guided by the organization's Policy, Process, and Procedures. So that process walkthrough, risk identification, assessment of available controls, required controls to be tested can all be decided centrally, by the Head of IA or is the core team. This understanding can be deduced then, into an elaborate (as required by the organization, and is demanded by the Risks identified) internal audit checklist. The advantages of this approach are,  

1. It retains the standardized approach to the audit
2. The audit is calibrated across all Auditors
3. Scoring and Rating are standardized, making comparison and ranking meaningful
4. It ensures all key aspects are audited
5. Makes audits faster and more efficient
6. Allows the CAE to have control over the audit process  

This in fact may be extended to other audits as well, e.g., Vendor audits, Functional Audits, etc can have standardized checklists with required variations according to the individual process managed or function involved. Here, the advantage is that a change in person (unavoidable) will not affect the Audit Process.  

Are RBIA and Check-list based audits in sync?

These are not mutually exclusive. The second read of RBIA requirements detailed by RBI or IIA would cut the clutter. Having to ensure RBIA is not about giving up a check-list based process. It is all about ensuring that the IA undertakes an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity/location and the effectiveness of the control systems for monitoring such inherent risks.

The art and science here are to ensure that this essence is encapsulated by the checklist that is used for Audits and it does not remain a cheat sheet.  

We have been lucky to discuss this with learned IA professionals at length and the article reflects their take as well. The idea of sharing this was to share this with the IA fraternity at large, especially with those adding value to NBFCs and HFCs.