Risk-Based Internal Audit

Over the last few years, cyber-crimes have grown both in number and in the ways cybercriminals carry them out. As a result, organizations have recognized the need to manage risks and have adopted risk management as a crucial part of good governance practice. A Risk-Based Internal Audit (RBIA) focuses on the organization's response to the risks it faces in achieving its goals and objectives. An RBIA differs from other types of audit in that it is based on the business goals and their associated risks. With this approach, internal auditors gain additional responsibilities: they not only manage the control activities, but also make an important contribution to the development of the risk management processes by defining the organization's universe of risk. To define a sound risk management process and conduct an RBIA, it is crucial to understand the business needs in order to define internal controls that can reduce risks to an acceptable level, that is, the risk appetite of the organization.

The following classes of companies shall be required to appoint an internal auditor, which may be either an individual or a partnership firm or a body corporate, namely:

(a) every listed company;

(b) every unlisted public company having –

  • paid up share capital of INR 50 crore rupees or more during the preceding financial year; or
  • turnover of INR 200 crore rupees or more during the preceding financial year; or
  • outstanding loans or borrowings from banks or public financial institutions exceeding INR 100 crore rupees or more at any point of time during the preceding financial year; or
  • outstanding deposits of INR 25 crore rupees or more at any point of time during the preceding financial year; and

(c) every private company having –

  • turnover of INR 200 crore rupees or more during the preceding financial year; or
  • outstanding loans or borrowings from banks or public financial institutions exceeding INR 100 crore rupees or more at any point of time during the preceding financial year.

Provided that an existing company covered under any of the above criteria shall comply with the requirements of section 138 and this rule within six months of commencement of such section.

Benefits of an RBIA

The benefits of an RBIA are listed below:

Strategic Benefits

  • Makes it easier to adapt to changing conditions by developing a consistent and comprehensive approach to risk management
  • Provides a better understanding and management of the risks

Performance-Related Benefits

  • Increases opportunity risks by reducing negative risks
  • Ensures that risks are identified correctly and that the existing management and internal controls deliver the best performance

Management of Unexpected Events

  • Builds the ability to respond correctly to unexpected demands and challenges when results deviate from targets
  • Makes it easier to understand the risks facing the business and their actual effects

Traditional Approach

In the traditional approach:

  1. The audit plan is based on the audit cycle (which imposes a strict time duration).
  2. Important risks may not be covered in the audit program.
  3. The focus is on deficiencies in controls and cases of non-compliance with the firm's policies and procedures.
  4. An understanding of the business unit operations is built through time-consuming process-mapping exercises and might rely on outdated policy and procedure manuals.

Modern Approach

In a Risk-Based Internal Audit:

  1. The audit plan is based on the results of the business unit's risk evaluation. Risky areas are covered first and far more frequently.
  2. The audit provides assurance that important risks are being managed properly.
  3. The focus is on risks that are not properly controlled and/or overly controlled.
  4. An in-depth understanding of the business unit operations is created through risk assessment workshops, with the participation of business unit management.

By tackling the task from a risk angle, internal audit should be able to form an opinion as to whether:

  • the firm's management has identified, assessed and responded to risks within and beyond the organization's risk appetite,
  • the responses to risks are effective but not excessive in managing inherent risks within this risk appetite,
  • residual risks that are not in line with the risk appetite are subject to action to remedy this,
  • risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively, and
  • risks, responses and actions are being properly classified and reported.

The scope of the audit is defined as per the internal controls, and the audit is carried out with specific emphasis on cost control. The main purpose of an internal control audit system is to ensure that there are no mistakes, omissions, or accidental or deliberate errors.

If you are looking for internal checks and audits for your organization, our experts can assist you.

We can also assist you with setting up your business in India, accounting, bookkeeping, payroll, auditing, taxation, secretarial compliance, trademark registration, and business structuring and advisory services. If you require any assistance in this regard, kindly click here.