Where Angels Prey

Monday, May 2, 2011

Risk Assessment and Risk-based Auditing At Systemically Important and Large MFIs: Some Practical Guidelines…

Ramesh S Arunachalam
Rural Finance Practitioner  

Risk assessment and risk-based auditing are critical mechanisms that large and systemically important MFIs need to put in place; this post offers some practical suggestions in that regard…

Risk assessment is the process by which an auditor identifies and evaluates the quantity of an MFI's risks and the quality of its controls over those risks. In risk-based auditing, the board and the auditors use the results of these assessments to focus on the areas of greatest risk and to set priorities for audit work. That does not mean the audit department may lose sight of, or ignore, areas rated low-risk: an effective risk-based auditing program ensures adequate coverage of all of an MFI’s auditable activities, with the frequency and depth of each area’s audit varying according to the auditor’s risk assessment.

Program Design: Properly designed risk-based audit programs increase audit efficiency and effectiveness. The sophistication and formality of audit approaches will vary for individual MFIs depending on the MFIs’ size, complexity, scope of activities, staff capabilities, quality of control functions, geographic diversity, and technology used. All risk-based audit programs should:
·         Identify all of the MFI’s operations, product lines, services, and functions (i.e., the audit universe).
·         Identify the activities and compliance issues within those operations, product lines, services, and functions that the MFI should audit (i.e., auditable entities).
·         Include profiles of significant operational units, departments, and products that identify business and control risks and document the structure of risk management and internal control systems.
·         Use a measurement or scoring system to rank and evaluate business and control risks of significant operational units, departments, and products.
·         Include board or audit committee approval of risk assessments or the aggregate result thereof and annual risk-based audit plans (that establish internal and external audit schedules, audit cycles, work program scope, and resource allocation for each area to be audited).
·         Implement the audit plan through planning, execution, reporting, and follow-up.
·         Have systems that monitor risk assessments regularly and update them at least annually for all significant operational units (regions or branches), departments, and products.

Risk Matrix and Guidelines: An effective scoring system is critical to a successful risk-based audit program. In establishing a scoring system, directors and management must consider all relevant risk factors so that the system minimizes subjectivity, is understood, and is meaningful. Major risk factors commonly used in scoring systems include:
·         The nature of transactions (e.g., volume, size, liquidity);
·         The nature of the operating environment (e.g., compliance with laws and regulations, complexity of transactions, changes in volume, degree of system and reporting centralization, economic and regulatory environment);
·         Internal controls, security, and MIS;
·         Human resources (e.g., experience of management and staff, turnover, competence, degree of delegation); and
·         Senior management oversight of the audit process.

Auditors or risk managers should develop written guidelines on the use of risk assessment tools and risk factors and review the guidelines with the audit or risk committee. The sophistication and formality of guidelines will vary for individual MFIs depending on their size, complexity, scope of activities, geographic diversity, and technology used. Auditors will use the guidelines to grade or assess major risk areas. These guidelines generally define the basis for assigning risk grades, risk weights, or risk scores (e.g., the basis could be normal industry practices or the MFI’s own historical experiences). They also would define the range of scores or assessments (e.g., low, medium, and high, or a numerical sequence, for example, 1 through 5). The written guidelines should specify:
·         The length of the audit cycles based on the scores or assessments. Audit cycles should not be open-ended. For example, some MFIs set audit cycles at 12 months or less for high-risk areas, 24 months or less for medium-risk areas, and 36 months or less for low-risk areas. However, individual judgment and circumstances at each MFI will determine the length of its audit cycles.
·         Guidelines for overriding risk assessments. The guidelines should specify who could override the assessments, the approval process for such overrides, and the reporting process for overrides. The override process should involve the board or its audit committee, perhaps through final approval authority or through timely notification procedures. Overrides of risk assessments should be more the exception than the rule.
·         Timing of risk assessments for each department or activity. Normally, risks are assessed annually, but they may need to be assessed more often if the MFI or a specific product experiences excessive growth (as happened between April 2007 and 2009), if MFI staff or activities change significantly, or if laws and regulations change or new ones come into force.
·         Minimum documentation requirements to support scoring or assessment decisions.
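
To make the scoring guidelines above concrete, here is an added example (not code from the original post) of a small risk register: each auditable entity is rated 1 to 5 on the five risk factors listed earlier, the weighted score is mapped to a low/medium/high grade, the grade fixes a maximum audit cycle (the 12/24/36-month example), overrides are accepted only from an authorised approver with a written justification, and the resulting plan lists every entity with its due date so that no area silently drops off the cycle. The factor weights, grade bands, approver list and the three sample entities are assumptions chosen for illustration; an MFI would set its own.

```python
"""Risk scoring, audit-cycle assignment and override control for a
risk-based audit plan. Added example: weights, bands, cycles, approvers
and sample entities are assumptions, not an MFI's real data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Risk factors named in the post; the weights (summing to 1.0) are assumed.
FACTOR_WEIGHTS = {
    "transactions": 0.25,     # volume, size, liquidity
    "environment": 0.20,      # complexity, compliance, centralisation
    "controls_mis": 0.25,     # internal controls, security, MIS
    "human_resources": 0.20,  # experience, turnover, delegation
    "mgmt_oversight": 0.10,   # senior management oversight of audit
}
GRADE_BANDS = [(3.5, "high"), (2.5, "medium"), (0.0, "low")]  # assumed bands
MAX_CYCLE_MONTHS = {"high": 12, "medium": 24, "low": 36}        # text's example
OVERRIDE_APPROVERS = {"board", "audit committee"}               # assumed


def score_entity(factors: dict) -> float:
    """Weighted 1..5 score; every factor must be rated and within 1..5."""
    missing = set(FACTOR_WEIGHTS) - set(factors)
    if missing:
        raise ValueError(f"unrated factors: {sorted(missing)}")
    for name, rating in factors.items():
        if name not in FACTOR_WEIGHTS or not 1 <= rating <= 5:
            raise ValueError(f"bad rating {name}={rating}")
    return round(sum(FACTOR_WEIGHTS[k] * factors[k] for k in FACTOR_WEIGHTS), 2)


def grade_for(score: float) -> str:
    """Map a score to the first (highest) band whose threshold it reaches."""
    return next(grade for threshold, grade in GRADE_BANDS if score >= threshold)


def add_months(d: date, months: int) -> date:
    """Calendar-month addition; day clamped to 28 so the result is always valid."""
    years, month0 = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month0 + 1, min(d.day, 28))


@dataclass
class Override:
    grade: str
    approved_by: str
    justification: str


@dataclass
class AuditableEntity:
    name: str
    factors: dict
    last_audit: date
    override: Optional[Override] = None

    def effective_grade(self) -> str:
        computed = grade_for(score_entity(self.factors))
        return self.override.grade if self.override else computed

    def next_due(self) -> date:
        # Every grade has a finite cycle, so no entity is ever open-ended.
        return add_months(self.last_audit, MAX_CYCLE_MONTHS[self.effective_grade()])


def apply_override(entity: AuditableEntity, grade: str,
                   approved_by: str, justification: str) -> None:
    """Accept an override only from an authorised body, with a stated reason."""
    if approved_by not in OVERRIDE_APPROVERS:
        raise PermissionError(f"{approved_by!r} may not override risk grades")
    if grade not in MAX_CYCLE_MONTHS or not justification.strip():
        raise ValueError("override needs a valid grade and a justification")
    entity.override = Override(grade, approved_by, justification)


def plan_coverage(entities: list, as_of: date) -> list:
    """One row per entity, highest grade and earliest due date first."""
    rows = []
    for e in entities:
        due = e.next_due()
        rows.append({"entity": e.name, "score": score_entity(e.factors),
                     "grade": e.effective_grade(), "overridden": e.override is not None,
                     "due": due.isoformat(), "overdue": due < as_of})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: (order[r["grade"]], r["due"]))


def _factors(*ratings: int) -> dict:
    return dict(zip(FACTOR_WEIGHTS, ratings))  # same order as FACTOR_WEIGHTS


def sample_register() -> list:
    """Constructed sample data: three auditable entities (not real MFI data)."""
    return [
        AuditableEntity("Region North branches", _factors(5, 4, 4, 5, 3), date(2010, 3, 1)),
        AuditableEntity("Head office treasury", _factors(3, 3, 3, 2, 2), date(2010, 1, 15)),
        AuditableEntity("Records archive", _factors(1, 2, 2, 1, 2), date(2009, 6, 1)),
    ]


def sample_plan(as_of: date = date(2011, 5, 2)) -> list:
    """Build the register, apply one approved override, return the plan."""
    register = sample_register()
    apply_override(register[1], "high", "audit committee",
                   "new treasury system went live; controls not yet tested")
    return plan_coverage(register, as_of)


if __name__ == "__main__":
    for row in sample_plan():
        print(row)
```

Run as a script, the plan shows the treasury function (scored medium but overridden to high by the audit committee) and the northern branches both overdue against their 12-month cycle, while the low-risk archive keeps a 36-month cycle and a definite due date rather than falling out of scope. An override attempted by, say, a branch manager raises PermissionError instead of being recorded, which is the control the guidelines call for.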

Management Responsibilities: Day-to-day management of the risk-based audit program rests with the internal auditor or internal audit manager, who monitors the audit scope and risk assessments to ensure that audit coverage remains adequate. The internal auditor or audit manager also prepares reports showing the risk rating, planned scope, and audit cycle for each area. The audit manager should confirm the risk assessment system’s reliability at least annually or whenever significant changes occur within a department or function.

Line department managers and auditors should work together in evaluating the risk in all departments and functions. Auditors and line department managers should discuss risk assessments to determine whether they are reasonable. However, the auditors, with concurrence of the board, audit committee or risk committee, should have ultimate responsibility for setting the final risk assessment. Auditors should periodically review the results of internal control processes and analyze financial or operational data for any effect on a risk assessment or weighting. Accordingly, MFI management should keep auditors current on all major changes in departments or functions, such as the introduction of a new product, implementation of a new system, changes in laws or regulations, or changes in organization or staff.

I hope that systemically important MFIs, including large NBFCs, wake up and institute serious internal audits as part of their institutions…this alone can help prevent the kind of institutional lapses that led to the present day crisis…

