Internal Control and Compliance

Internal Control and Compliance (ICC)

01. Definition:

As per the Guidelines on Internal Control & Compliance issued by Bangladesh Bank in 2016: Internal control is
a process, effected by a bank’s board of directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives relating to operations, reporting and
compliance.
Internal control is a process, rather than a structure. It is not a separate activity disconnected from the rest of
the business activities; rather, it is an integral part of those activities. It is a dynamic, continuing series of
activities planned, implemented and monitored by the board of directors and management at all levels within
an organization. Only part, not all, of internal control consists of policies and procedures. Policies are board or
management statements about what should be done, and may even be unwritten and implied by
management’s actions. Procedures are the actions that implement a policy, i.e. how it should be
done. Internal control provides only reasonable assurance, not absolute assurance, with regard to the
achievement of the organization’s objectives. External events can interfere with the achievement of objectives,
no matter how good the system of internal control is.
ICC as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO):
“Internal control is a process, effected by an entity’s board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting and compliance.”
So, internal control is the process designed to provide reasonable assurance regarding the achievement of
objectives in the effectiveness and efficiency of operations, the reliability of financial reporting
and compliance with applicable laws, regulations and internal policies. Although internal control and internal
audit are closely related, they are distinct from each other. Internal control is the systems, policies, procedures
and processes effected by the board of directors, management and other personnel to safeguard bank assets,
limit or control risks and achieve a bank’s objectives.
02. Objectives of Internal Control & Compliance:
The primary objectives of an internal control system in a bank are to help the bank perform better through the
use of its resources, to communicate better internally and with external stakeholders, and to comply with
applicable laws and regulations. The main objectives of internal control are as follows:
• Operations Objectives: achievement of a bank’s basic mission and vision.
• Reporting Objectives: timely, accurate and comprehensive reporting, financial and non-financial,
internal and external.
• Compliance Objectives: conducting activities and taking specific actions in accordance with
applicable laws and regulations.
03. There are three main types of internal controls: Detective, Preventative and Corrective.
• Detective Internal Controls. Detective internal controls are designed to find errors after they have occurred.
• Preventative Internal Controls. …
• Corrective Internal Controls. …
• Limitations.
04. Five Integrated components and 17 Principles (COSO):
In an “effective” internal control system, the following five components work together to support the achievement of an
entity’s mission, strategies and related business objectives.
• Control Environment. Integrity and Ethical Values. …
• Risk Assessment. Company-wide Objectives. …
• Control Activities. …
• Information and Communication. …
• Monitoring.
01. Control environment:
1. Demonstrates commitment to integrity and ethical values.
2. Exercises oversight responsibility.
3. Establishes structure, authority and responsibility.
4. Demonstrates commitment to competence.
5. Enforces accountability.
02. Risk assessment:
6. Specifies suitable objectives.
7. Identifies and analyzes risk.
8. Assesses fraud risk.
9. Identifies and analyzes significant change.
03. Control activities:
10. Selects and develops control activities.
11. Selects and develops general controls over IT.
12. Deploys through policies and procedures.
04. Information & communication:
13. Uses relevant information.
14. Communicates internally.
15. Communicates externally.
05. Monitoring activities:
16. Conducts ongoing and/or separate evaluations.
17. Evaluates and communicates deficiencies.
05. Key components of the ICC Environment:
1. Board of Directors
2. Board Audit Committee (BAC)
3. Senior Management & Management Committee (MC/MANCOM)
4. Risk Management Committees
5. ICCW:
• ICC Risk Management Committee
• Audit & Inspection Division
• Compliance Division
• Monitoring Division
6. Shariah Audit & Shariah Supervisory Committee
7. External Audit (Bangladesh Bank & other regulators)
8. Policy/manuals/guidelines/circulars
9. All other officials at HO & zonal offices/branches
06. Line of Defences


Six Core Risks Management:
• Credit risk management guidelines
• Asset-liability management risk guidelines
• Foreign exchange risk guidelines
• Money laundering risk management guidelines
• IT security risk management guidelines
• Internal control and compliance policy guidelines
ICC policy guidelines cover:
• Internal control & compliance policy
• Organizational structure
• Components of the ICC environment
• Functions
• Operational process, etc.
(B) Audit & Inspection:
1.00 Origin of Audit:
The word “audit” is derived from the Latin word “audire” which means to hear. In the good old days whenever
the proprietor of a concern suspected a fraud, certain people were appointed to hear verbal evidence of
transactions of barter, etc. and to judge the facts. They ‘heard’ the points of view of those who maintained the
accounts.
1.01 Definition of Audit
According to R.K. Mautz, “Auditing has been defined as being concerned with the verification of accounting data, with determining the accuracy and reliability of accounting statements and reports.”
According to J.R. Batliboi, “Auditing has been defined as an intelligent and critical scrutiny of the books of accounts of a business or other concern with the documents and vouchers from which they are written up, in order to ascertain the true financial position of the affairs of the same. In fact, audit is an instrument of financial control. Accounts may be defined as a statement of facts made out of transactions relating to money’s worth and recorded in the books of accounts.”
In simple terms, audit means the examination of books, vouchers and records and the verification of facts, etc., to ensure the correctness of entries and the genuineness of transactions, to prevent fraud and to assess the actual position of the business.
Auditing in broad sense may be defined as “a systematic process of objectively obtaining and evaluating
evidence regarding assertions about economic actions and events to ascertain the degree of
correspondence between these assertions and established criteria and communicating the results to
interested users.”
1.02 Definition of Inspection:
An inspection is intended to look into the various facets of a business concern to find out the past and current
circumstances, errors, mistakes, lapses, etc., and to make comments and suggestions for taking immediate
remedial measures on the respective matter.
1.03 Difference between Auditing & Inspection
The expressions “audit” and “inspection” are many times used synonymously and interchangeably.
Audit: It is a quantitative analysis of the operations of an organization. It is essentially a review of financial
records by an independent person. It is an activity which ensures that correct accounting principles, systems
and procedures have been followed, that proper and due provisions have been made, and that the books of
accounts represent a correct, true and fair picture of the affairs of the organization. Its basic purpose is to
assess the integrity of the books of accounts and records. Audit is both an internal and a statutory requirement.
A bank’s financial results cannot be treated as correct unless certified by external auditors, i.e. Chartered
Accountants. The board adopts financial results only when they are certified and signed by the auditors.
Audit is done by inside auditors and outside qualified auditors, whereas inspection is done by the bank’s
internal team having experience in the bank’s operations. In exceptional/special cases inspection is also
assigned to professionals outside the bank. In some banks the audit nomenclature is also used for special
inspection activities carried out by the internal team.
Inspection: It is one of the important tools for controlling the affairs of a bank and also for judging the
efficiency of management. It is a multipurpose function which gives feedback to the upper tier of
management about the affairs of the bank. It is the physical verification of transactions. It includes all the
elements of audit. It is a qualitative review of the entire affairs of a branch. It is a mechanism which helps in
the overall improvement of the working and efficiency of the branch.
The difference between audit and inspection is that audit goes into all transactional and other details, which
inspection is not supposed to cover. The work of audit is restricted to pointing out operational or financial
shortcomings/irregularities, whereas inspection is required to make a detailed study of specific issues/matters.
1.04 Internal Audit
The management of each organization should establish an internal audit unit in a unique position to be
able to furnish management with the necessary analyses, appraisals and recommendations. As such, it
should provide a service of great value to the governance structure.
Internal audit is therefore defined as an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps the organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of
risk management, control and governance processes.
As such, it is an important aspect of an internal control structure. The management of public entities
should be clearly responsible for defining the role of internal audit and ensuring that it has an
appropriate level of authority and independence including the right to report to the highest level of
management.
Audit : Detection of Deviations- Omission/Commission/Irregularities
Standards: Principles, Rules, Regulations, Procedures
Performance: Administration, General Banking, Investment, Foreign Exchange etc.
Internal Audit systematically and objectively evaluates the Bank’s operations and controls to determine if:
• Financial & operating information is accurate and reliable
• Risks to the Bank are identified and minimized
• External regulations and acceptable internal policies and procedures are followed
• Satisfactory standards are met
• Resources are used efficiently and economically
• Objectives are effectively achieved
All to assist other members of the Bank in the effective discharge of their responsibilities.
Friend, Philosopher & Guide: Internal auditors are not opponents of the people in operations;
they are friend, philosopher and guide to the management.
1.05 Types of Audit & Inspection
a. Financial Audit, b. Operational Audit, c. Internal Audit, d. External Audit/Statutory Audit, e. Regulatory Audit,
f. Risk Based Internal Audit, g. Management Audit, h. Information System Audit, i. Compliance Audit, j. Shariah
Audit, k. Concurrent Audit, l. Surprise Inspection, m. Special Audit & Inspection, n. Core Risk Management
System (CRM) Inspection.
Internal auditors evaluate the economy, efficiency and effectiveness of the processes that are critical
to meeting the bank’s strategic objectives. They are required to examine, monitor and analyse
activities related to the business’ structure and, as in most professions, there is a certain set of skills
that aids them in their work:
• Personable;
• Inquisitive;
• Good communication;
• Commitment;
• Integrity (Taqwa);
• Courage and competence;
• A thorough knowledge of the working procedures of all departments of a branch and Head Office,
as well as a good grasp of Banking Law & Practice.
1.06 Qualities of Internal Auditor
Inspection officers, being the representatives of the management, should possess a high standard of integrity
and competence. They should have a thorough knowledge of the working procedures of all departments of a
branch and Head Office, as well as a good grasp of Banking Law & Practice. They should be up to date with the
instructions contained in the circulars issued by Head Office and Bangladesh Bank, and should have the ability
to explain the circulars in proper perspective to guide the branch/HO officials. During their inspection they
should ensure that there is proper compliance with these instructions.
1.07 Code of Ethics for Internal Auditor
• Integrity
• Objectivity
• Confidentiality
• Competency
• Independence
Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on
their judgment.
Rules of Conduct Internal auditors:
1. Shall perform their work with honesty, diligence and responsibility.
2. Shall observe the law and make disclosures expected by the law and the profession.
3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the Bank.
4. Shall respect and contribute to the legitimate and ethical objectives of the Bank.
Objectivity
Internal auditors make a balanced assessment of all the relevant circumstances and
are not unduly influenced by their own interests or by others in forming judgments.
Rules of Conduct Internal auditors:
1. Shall not participate in any activity or relationship that may impair or be presumed to
impair their unbiased assessment
2. Shall not accept anything that may impair or be presumed to impair their professional
judgment.
3. Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review.
Confidentiality
Internal auditors respect the value and ownership of information they receive and do
not disclose information without appropriate authority unless there is a legal or professional
obligation to do so.
Rules of Conduct Internal auditors:
1. Shall be prudent in the use and protection of information acquired in the course of their
duties.
2. Shall not use information for any personal gain or in any manner that would be
contrary to the law or detrimental to the legitimate and ethical objectives of the Bank.
Competency
Internal auditors apply the knowledge, skills and experience needed in the performance of
internal auditing services.
Rules of Conduct Internal auditors:
1. Shall engage only in those services for which they have the necessary knowledge,
skills and experience.
2. Shall continually improve their proficiency and the effectiveness and quality of their
services
1.08 Quality of Auditor in the eye of Shariah:
Based on the Shariah foundations of the ethical principles for accountants/auditors and the principles that are
contained in currently available codes of professional ethics for accountants/auditors, provided these principles
do not contravene Shariah rules and principles, the following ethical principles for accountants/auditors are
derived: Trust worthiness, Legitimacy, Objectivity, Faith-driven conduct, Professional conduct & technical
standards
1.09 Elements of Audit Report
• Title: The report should have an appropriate title. Titling the report “Internal Audit Report” is
appropriate and helps in demarcating the report from other reports.
• Addressee: The report should be addressed to the appropriate authority as mentioned in the charter. Where a
legal requirement to send the audit report arises, it should be addressed to the appropriate authority mentioned
in the relevant law or regulation.
• Executive summary: Should mention the period covered by the audit and state that establishing
appropriate internal controls and preparing the financial statements are the responsibilities of
management, and that the responsibility of the auditor is to express an opinion on the efficiency of internal
controls in achieving management’s objectives.
• Scope paragraph: The nature of the audit, with reference to the audit charter or engagement letter, should be
mentioned. Scope refers to the terms of engagement, the requirements under relevant legislation and the
applicable standards to be followed by the auditor. The auditor should state the scope with reference to the
control environment.
• Audit observations: A paragraph should give reference to the control environment and the legal
compliance required of the branch in conducting its operations, and should be supplemented by a report
of observations split into three sections, viz. Very Serious Lapses (VSL), Serious Lapses (SL) and General
Lapses (GL).
• Date of report: The date of the report is the date on which the report is signed. The significance of the date is
that the auditor has considered the effect of financial transactions up to the cut-off, i.e. the date of signing the
report. This date can in no case be prior to important dates such as the entry conference or the date on which
the draft report is discussed with the management.
• Place of signature: The report should mention the location, i.e. the city where the audit report is signed.
• Signature of the auditor: The report should be signed by the appropriate authority in the audit department.
The name and designation of the officer should be mentioned under the signature.
It is good practice to categorize audit findings by risk severity. A priority designation (VSL, SL or GL)
may be assigned to each of the key areas of focus detailed in the report, based on the auditors’ assessment of
the severity of the issue.
Very Serious Lapses (VSL): Lapses through which the bank has already been financially impaired, or through
which the bank will be financially impaired if immediate/urgent steps are not taken, are identified as VSL.
Lapses of this kind are especially punishable offences.
Serious Lapses (SL): Lapses through which the bank has not been financially impaired at this moment, but
where there is a risk of loss in the near future, are identified as SL. Activities violating the rules and
regulations of the bank and of the regulatory authority are included in this type of lapse. Lapses of this kind
are punishable offences.
General Lapses (GL): Minor mistakes or lapses that occur inadvertently in the course of regular activities,
for which the risk of financial loss is very insignificant and which are easily rectifiable at branch level, are
identified as GL.
1.10 Causes of Audit Findings
Another good practice is to classify the possible causes of audit findings, so that the auditee may address those
causes. The causes may be classified as follows:
Compliance – Failure to comply with prescribed regulations, rules and
Guidelines- Absence of written procedures to guide staff in the performance of their functions
Guidance- Inadequate or lack of supervision by supervisors
Human error -Mistakes committed by staff entrusted to perform assigned functions.
Resources- Lack of or inadequate resources (funds, skills, staff, etc) to carry out an activity
or function.
1.11 Quality check of Audit Report:
As per the standards for auditing, the audit report should be
• Complete
• Accurate
• Objective
• Convincing
• Clear
• Concise
• Constructive and
• Timely
Further to the above, the auditor may perform the following checks:
• Report is concise, free of unnecessary detail
• Contents in the various sections, i.e. executive summary, scope and audit observations, are consistent
• Report is logically presented and easily understood
• Report is based on facts and is free from personal criticism
• Acronyms are defined
• Findings are worded constructively
• Recommendations are directed toward achieving objectives and not step-by-step actions
• Report has proper spelling, grammar and punctuation and is free of other surface errors
• Spacing is proper and consistent
• Fonts and formatting are proper and consistent
• Report addressee name and title are proper and correctly spelled
• Names mentioned in the ‘copy to’ columns are correct; names and titles are correctly spelled
• Audit report number and subject title are included on the report and are correct
1.12 Concluding Procedures
The audit is concluded once all the audit procedures and checks are completed. The internal audit
team leader should finally review the working papers to see that the audit has been conducted
according to plan and has achieved its objectives. He should then prepare a draft report which will
include his report on:
• Effectiveness of controls and any major/minor weaknesses in them;
• Non-compliance with law, codes and government orders, with an assessment of possible loss; and
• Any matters relating to the propriety of transactions.
1.13 Exit Conference
The internal auditor should seek an appointment for an exit conference, preferably with the head of the
branch/division/department, once the final draft report is ready. The following should be the approach to
the exit conference:
• The auditee should be given the opportunity to initiate the discussions and offer their views on
the report;
• In case of disagreement, the auditee should be able to substantiate their views with
supporting evidence; and
• The auditor may agree to reconsider his conclusions in the light of the information provided
by the management.
A record of the discussions at the exit conference should be kept on file as part of the audit working papers. It is not
necessary for the branch/division/department’s representative to sign it. A copy of the record prepared by Internal
Audit (IA) may be given to the department for their information. If they disagree with any part of the record, it is for
the department to convey this to IA. The record helps document the reasons for dropping any audit paragraph.
1.14 Reporting audit findings
The audit report, as the final deliverable of the audit process, reflects the quality of the audit. Hence the auditor
should take utmost care in drafting the report. Auditing standards suggest standardization of the report to the
extent possible.
1.15 Risk Based Internal Audit (RBIA)
Risk of the Bank: Before discussing Risk Based Internal Audit, it is relevant to discuss the matter of risk
and related issues:
Broadly, internal control involves everything that controls risk in an organization:
• To mitigate risk
• To manage risk
• To earn profit
• To maximize profit
• Finally, to achieve the goal
To achieve the set goals, an independent and strong ICC Division is a must in every banking
organization.
Risk:
• What is risk? Risk is the chance or probability of a hazard causing harm or damage to (a) people, (b)
property or (c) the environment, etc. It is an integral part of our life. From a banking point of view, risk may be
defined as the possible negative outcomes of a decision.
• What is the entry point of risk, and what are the defences against risk?

1.15.1 What is Risk Management?
Risk Management is a logical process that seeks to eliminate or at least minimize the level of risk.
In case of Banks & Financial Institutions, “Risk management is the deliberate acceptance of risk for
profit‐making”.
Risk-taking is an inherent element of the banking business and, indeed, profits are in part the reward
for successful risk taking in business. On the other hand, excessive and poorly managed risk can
lead to losses and thus endanger the safety of a bank’s depositors and other stakeholders.
Risk Management without Risks?
“Bankers sometimes think that risk management is about not taking risks.
How wrong.
If bankers didn’t take risks, then what would have to be managed?”
On Abnormal Profits:“Abnormal profits are often a sign of excessive risk taking.”

1.15.2 Concept of Risk Based Internal Audit (RBIA)
• It identifies, assesses & measures risk in different functional areas of bank
• It is a process of allocating audit resources
• It emphasizes quantification & grading of risk
• It sets priority audit areas as per risk assessment & measurement
• Conducts audit as per set priority based on degree of risk & trend of the same.
• Reporting to appropriate authority
• Prepare a monitorable Action Plan.

1.15.3 Risk Based Audit

(a) Audit is generally based on a test check of some transactions. A hundred percent audit check is not only
highly expensive but also unwarranted, as the objective of audit (which is assurance about the operation of
internal controls and effective compliance with laws, rules, etc.) can be well achieved by a test check. The
question is: what is the criterion used for selecting the areas of audit and the transactions? One important
criterion in prioritizing the audit focus is risk. Risk is nothing but the exposure to the chance of failure or
loss. It is related to the probability that an event or action will occur which would adversely affect the
organization. In analyzing risks, the following questions should be asked:
• What can go wrong?
• What is the probability of it going wrong?
• What are the consequences?

(b) It is thus important to identify and analyze the risks associated with the audited organization. The
risk of misstatement or error is not uniformly distributed across all areas or transactions. In other
words, some areas or transactions tend to be more prone to errors or misstatements. Sometimes
a risk is inherent in the given circumstances. To illustrate, when there is pressure to incur
expenditure (say due to the threat of lapse of funds), there is a tendency to bend the rules to
withdraw money as an advance and deposit it in a bank account. Establishment expenditure carries
lower risk compared to expenditure on procurement. Therefore, one way of selecting areas and
transactions would be based on the internal auditor’s assessment of risk: an area where discretion is
exercised by the department/division/wing/branch should be considered more risky than one where the rule
is clear and permits no deviation. Although higher-value transactions are not necessarily more risky,
being fewer in number it would be wiser to check as many of them as possible.

1.15.4 Definition of Risk Based Internal Audit

Risk Based Internal Audit (RBIA) is the methodology which provides assurance that risks are being
managed within the organization’s risk appetite, i.e. that the controls which keep risk at the level considered
acceptable by the Board are working effectively and efficiently.

a. Identify areas where there is a higher risk of material misstatement, caused by either high inherent
risk or high control risk, and concentrate audit efforts in those areas.

b. Identify lower-risk areas in which to perform less extensive procedures.
c. There has been a recent shift of bank management to a risk-based approach in every aspect:

a) Calculation of MCR/adequate capital requirement
b) AML compliance assessment on a risk-based approach
c) Risk-based IS audit
d) Risk-based Shariah audit
e) Other core risks management
d. Basel II recommends risk-based internal audit in banks instead of traditional transaction audit.
e. Bangladesh Bank also emphasizes the implementation of risk-based internal audit in the commercial
banks.

1.15.5 Importance of Risk Based Internal Audit (RBIA)

RBIA ensures that risks are identified and assessed, and that the processes for monitoring and controlling the
risks are effective, as per the observations and recommendations of the RBIA team. It also:
• Ensures proper allocation of resources.
• Tailors the audit plan as per the risk assessment.
• Deepens the scrutiny of areas with high or increasing risks.
• Allocates internal audit resources appropriately on the basis of the risk exposures of the
branches, and assures optimum risk management, supervision and monitoring in the bank.
• The RBIA approach essentially entails the allocation of supervisory resources and paying supervisory
attention in accordance with the risk profile of each institution.
• The approach is expected to optimise utilisation of supervisory resources and minimise the impact of
crisis situations in the financial system.
• The RBIA process essentially involves continuous monitoring and evaluation of the risk profiles of the
supervised institutions in relation to their business strategy and exposures.
• This assessment is facilitated by the construction of a risk matrix for each institution.

1.15.6 Process of Risk Based Internal Audit

• Overview the existing risk profile of the bank.
• Development of RBIA Policy.
• Risk assessment.
• Preparation of Audit Plan.
• Conduct on-site audit & prepare report.
• Prepare a monitorable Action Plan.

1.15.7 Policy for Risk-based Internal Audit

• Under risk-based internal audit, the focus will shift from the present system of full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment.
• Banks will, therefore, need to develop a well defined policy, duly approved by the Board, for undertaking risk-based internal audit.
• The policy should include the risk assessment methodology for identifying the risk areas based on which the audit plan would be formulated.
• The policy should also lay down the maximum time period beyond which even the low risk business activities/locations should not remain unaudited.

1.15.8 Risk assessment

• The risk-based internal audit undertakes risk assessment solely for the purpose of formulating the risk-based
audit plan.
• The risk assessment would, as an independent activity, cover risks at various levels (corporate and branch; the
portfolio and individual transactions, etc.) as well as the processes in place to identify, measure, monitor and
control the risks.
• The internal audit department should devise the risk assessment methodology, with the approval of the Board of
Directors, keeping in view the size and complexity of the business undertaken by the bank.
1.15.9 Risk Assessment Process
• Identification of inherent business risks in the various activities undertaken by the bank.
• Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (‘control risk’).
• Drawing up a risk matrix taking into account both factors, viz. inherent business risks and control risks. An illustrative risk matrix is shown as a box item.
• The basis for determining the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business
risks and control risks should be clearly spelt out.
• The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market and operational risks can largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of controls in the various business activities.
• In order to focus attention on areas of greater risk to the bank, an activity-wise and location-wise identification of risk should be undertaken.

1.15.10 Measurement of Risk Magnitude

1.15.11 Risk Assessment Methodology
The following parameters should be included:
• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant change in management / key personnel
• Results of latest regulatory examination report
• Reports of external auditors
• Industry trends and other environmental factors
• Time lapsed since last audit
• Volume of business and complexity of activities
• Substantial performance variations from the budget
• For the risk assessment to be accurate, it will be necessary to have in place proper MIS and data integrity.
• The internal audit function should be kept informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices/policies etc.
• The risk assessment should invariably be undertaken on a yearly basis.
• The assessment should also be periodically updated to take into account changes in business environment, activities and work processes, etc.
• All banks need to put in place an independent risk assessment system in the internal audit department for focusing on the material risk areas and prioritizing the audit work.
• The methodology may range from a simple analysis of why certain areas should be audited more frequently than others in the case of small-sized banks undertaking traditional banking business, to more sophisticated assessment systems in large-sized banks undertaking complex business activities.
1.15.10 Control Risk
• Internal Control Environment is the framework under which internal controls are developed, implemented and monitored.
• An essential part of the internal control framework is periodic testing to determine how well the framework is operating, so that any required remedial actions can be taken.
• The frequency of testing should be risk-based and should involve, as appropriate, sample transaction testing, with the sample size being determined by volume and the degree of risk of the activity.
1.15.11 Risk Grading: for the purpose of RBIA, risks are grouped into two categories:
(a) Inherent Business Risks indicate the intrinsic risk in a particular area or activity of the bank before considering internal controls, e.g. investment/credit risk, market risk, operational risk, liquidity risk, etc.
(b) Control Risks arise out of inadequate control systems, deficiencies or gaps, and/or likely failures in the existing control processes, e.g. management risk, compliance risk, etc.
1.15.12 The risk assessment process includes the following 3 steps:
1. Identification of 'Inherent Business Risks' in various activities undertaken by the bank.
2. Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities ('Control Risk').
3. Drawing up a 'Risk-Matrix' taking into account both factors, viz. 'Inherent Business Risks' and 'Control Risks'.
1.15.13 Business and Control Risks Score & Category
• Parameters for assessment of both major areas are to be developed according to the demands of the time and the complexity of the business.
• The developed parameters should be approved by the Board Audit Committee (BAC).
• The bank should adopt scoring models for determining the level of risk; the resulting levels of risk would be Low, Medium or High.
1.15.14 Risk Measurement

1.15.16 Risk Based Internal Audit Plan

The composite audit gradation is used for preparing the Annual Risk Based Internal Audit Plan by allocating ICCD resources appropriately on the basis of risk prioritization. Assessment of Inherent Business Risk and Control Risk is made through predetermined parameters and score/weightage.

(C) & (D) Importance of Audit & Inspection in a bank:

Internal audit programs are critical for monitoring and assuring that all of your business assets have been properly secured and safeguarded from threats. It is also important for verifying that your business processes reflect your documented policies and procedures.
1. To keep the overall accounts of the Bank / Branch under active supervision.
2. To make rectifications in the procedural aspects of the work as and when mistakes/lapses occur.
3. To contain the possibility of frauds that may take place in the Branch.
4. To adhere to the systems and procedures laid down by the head office or the Regulators of the Banking industry such as BB.
5. To arrive at the correct levels and numbers of Profit and Loss of the Branch / Bank as per the adopted accounting system.
6. Through the internal audit system, inspection by the internal auditors provides for surprise verification of accounts, leaving no room for misappropriation by bad elements in the Bank.
7. It also shows the public/stakeholders at large that the Bank is subjected to scrutiny by auditors, which helps to gain public/stakeholder confidence.
8. Periodical inspections by internal auditors of the Bank keep the operational wing of the Bank alert and adhering to the systems & procedures of the Bank, discharging duties as per the various guidelines/policies of the Bank.
9. Internal audit is one of the mandatory procedures to be adopted by any Bank to keep itself healthy and avoid exposure to financial risks.

Importance of audit & inspections may be described in a nutshell as follows:
• Helping protect assets and reduce the possibility of fraud
• Improving efficiency in operations
• Increasing financial reliability and integrity
• Ensuring compliance with laws and statutory regulations
• Establishing monitoring procedures
So an internal audit is essentially a pre-emptive exercise to maintain operational efficiency and financial reliability, and to safeguard assets. It provides independent assurance that an organization's risk management, governance and internal control processes are operating effectively.
Contributor: Md.Abdur Rahim Duary, EVP & Principal, AIBTRI