
Internal Audit Policy


INTERNAL AUDIT POLICY

Introduction

The definition of Internal Auditing reads as ‘Internal
Auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps
an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes’.

Internal Audit function provides vital assurance to the Bank’s Board of
Directors and Senior Management as to the quality of the Bank’s internal
control system. In doing so, the function helps to reduce the risk of loss
and reputational damage to the Bank. It is, therefore, an indispensable
and an integral function for the safe and sound operation of a Bank.

II. OBJECTIVES OF THE RFIA SYSTEM :-

1. Deregulation of control over operations and liberalisation of policies and
procedures have provided to banks larger autonomy in their operations.
Globalisation of financial markets and the innovation of new products
have posed formidable challenges to Banks. Consequently, internal audit,
which is a part of the internal control process, has to take upon itself the
responsibility of assessing the systems and procedures for identification,
measurement, monitoring and control of the risk. There is, therefore, an
urgent need to reorient transaction based internal audit to risk focused
internal audit.

2. Under risk-focused internal audit, the focus will shift from the present
system of full-scale transaction testing to risk identification, prioritization
of audit areas and allocation of audit resources in accordance with the risk
assessment. This policy includes the risk assessment methodology for
identifying the risk areas based on which the audit plan would be
formulated.

3. This policy deals with internal audit of all branches i.e. business units of
the Bank. The internal audit of branches is further supplemented by the
Concurrent Audit Policy. The domain of risk-focused internal audit in the
Bank is further extended to audit of business activities / functional
entities which is separately addressed in respective audit policies i.e. IS
Audit Policy. Thus, every activity / location of the bank, including the
risk management function, is subjected to risk-focused audit.

4. The risk-focused internal audit of branches undertakes an independent
risk assessment solely for the purpose of formulating the risk-focused
audit plan keeping in view the inherent business risks of an activity /
location and the effectiveness of the control systems for monitoring the
inherent risks of the business activity.

III. Risk Assessment

The risk assessment of branches should be carried out on the basis of the
'inherent business risks' and 'control risks', as indicated in 'Guidance note on risk
focused internal audit'.

The risk assessment should not only indicate the level of risk as High, Medium,
Low and very low but also the trend of risk in terms of increasing, decreasing or
stable.

In the guidance dated 27th December 2002, RBI has advised the classification
of risk under various categories and sub categories as under:
1. Business Risk
   a. Credit Risk
   b. Earnings Risk
   c. Liquidity Risk
   d. Business Strategy Risk
   e. Operational Risk
2. Control Risk
   A. Internal Control Risk
   B. Compliance Risk

We are required to measure the Risk levels under each of the above categories
and the branch as a whole, draw the risk matrix and carry out the trend analysis.

OUR APPROACH

The risk assessment of branches would be on the basis of the 'inherent business
risks' and 'control risks', as indicated in 'Guidance note on risk based internal
audit'.
A. Business Risk Assessment - Business Risk Rating Model
Branches of the Bank are the primary outlet for selling our products. Business
risk at branch level is mainly a function of factors like volume of business &
complexities of activities, rate & pattern of growth of business, composition &
granularity of business, quality of assets created, extent of portfolio / industry /
activity concentration, cost of resources mobilised etc. A risk rating model to
assess business risk is to be put in place containing the following broad parameters:
a. Business growth rate and pattern
b. Cost of resources mobilized
c. Dependence on bulk / Institutional Deposits
d. Concentration of credit

e. Credit portfolio quality
f. Asset quality
g. Level of advances including NFB
h. Risk Weight Exposure
i. Unsecured advances level
j. Fresh Slippage
k. Short Mortality

RATING SCALE: The Business risk captured through the model will be
assessed on a rating scale as under:

SCORE %               RISK RATING
>= 85% and <= 100     VERY LOW
>= 70% and < 85       LOW
>= 60% and < 70       MEDIUM
>= 0% and <= 60       HIGH

B. Control Risk Assessment

The Control Risk Assessment is to be done on the basis of a scoring
model covering three broad risks namely Credit Risk, Operational Risk
and External Compliance risk. The risk assessment will be done on site
at the time of audit through a structured format. The structured format for
this purpose has already been devised. The control risk rating carried
out on site at the time of last RFIA for each branch available in the
March quarter will be reckoned for the purpose of preparing audit plan
for the next financial year.

A revised new RFIA format, as advised by the sponsor Bank, has been
adopted by our Bank, and we update it from time to time as per
instructions given by the sponsor Bank.

RATING SCALE: The Business risk captured through the model will be
assessed on a rating scale as under:

SCORE %               RISK RATING
>= 85% and <= 100     VERY LOW
>= 70% and < 85       LOW
>= 60% and < 70       MEDIUM
>= 0% and <= 60       HIGH

IV. SCOPE OF AUDIT, ROLE & RESPONSIBILITIES OF AN AUDITOR
RBI GUIDELINES
a. The Annual audit plan, approved by the Audit Committee of Board should
include the schedule and the rationale for audit work planned. It should also
include all risk areas and their prioritization based on the level and direction of
risk. Illustratively, the areas or activities identified as high risk may be audited at
shorter intervals as compared to medium or low risk areas, which may be
audited at longer intervals subject to regulatory guidelines, as applicable.
b. The primary focus of risk-focused internal audit will be to provide
reasonable assurance to the Board and top management about the adequacy and
effectiveness of the risk management and control framework in the banks’
operations. While examining the effectiveness of control framework, the risk
focused internal audit should report on proper recording and reporting of major
exceptions and excesses. Transaction testing would continue to remain an
essential aspect of risk based internal audit. The extent of transaction testing
will have to be determined based on the risk assessment.

Our Guidelines
1. Audit is one of the important functions through which effective control is
exercised by the Head Office over the branches. It involves scrutiny of the
working of the branches in all aspects viz. verification of cash, stock of all
numbered items, securities and other assets, securities for advances (including
stock pledged, hypothecated and mortgages), scrutiny of the books of accounts,
business of the branch with special reference to its profitability, assessment of
the performance of the branch in the mobilisation of deposits and financing of
hitherto neglected sectors and proper utilisation of manpower. It also includes
verification as to whether the books are properly maintained, regularly checked
and balanced, that instructions as laid down in the Bank's book of instructions,
policy documents and circulars issued by the Head Office from time to time are
scrupulously followed and that the accounting system embodies necessary
safeguards against frauds and that there is no unnecessary duplication of work.
In short, the main objective of audit is to ensure that the branch is run on sound
lines both from the financial and organisational points of view.
2. Ordinarily, audit should cover the period from the date of the previous audit
till the date of the present audit, but in case it is necessary to go beyond the date
of the last audit in connection with certain important aspects during the course
of the present audit, the inspecting officers should not hesitate to do so in the
interest of the Bank.

3. As the duties of an auditor are onerous and responsible, he / she should be
fully conversant with the instructions / guidelines as laid down in the Circulars
issued by the Head Office from time to time and also have thorough knowledge
of the working of the various departments / sections of a branch. He should not
deviate from his duty and responsibility in the discharge of his functions on
account of any fear or favour.
4. An Auditing Officer should possess a high standard of integrity and
competence, and should be one who can be relied upon to conduct a thorough
examination of the varied affairs of the branch.

5. The auditor is required to perform an important job. His audit should
be thorough, exhaustive and dispassionate and should cover, inter alia,
the following:
● Verification of cash, bills, all numbered items, securities and other
assets and securities for advances (including stocks pledged /
hypothecated and mortgaged).
● Ensure that proper safeguards are enforced in accordance with the
Head Office instructions as laid down in Bank and Circulars issued by
the Head Office from time to time.
● Ensure that the books are properly maintained, regularly checked and
balanced or otherwise.
● Ensure that the prescribed returns to HO / RMs Office and statutory
returns to the Reserve Bank of India and other authorities are correctly
complied with and submitted regularly.
● Examine thoroughly all accounts in which credit facilities have been
granted, such as, cash credit, loans, overdrafts, bills purchased and
discounted, Letters of Credit, Bank Guarantee etc.
● Check correctness or otherwise of income / expenditure parameters in
relation to the operations of the branch.
● It is mandatory on the part of auditor to report compliance with KYC
guidelines and risk profiling / categorization of customers.
6. While going through the inward and outward correspondence, the auditor is
to pay particular attention to the promptness with which the communications
received from HO / RM's office are replied to, as also to any complaints
which might have been received against the branch / its staff.
7. All frauds, serious cases of unauthorised business and other major
irregularities discovered by the auditor at the branch should be brought
to the notice of the H.O. (Audit and Inspection Depart.) by a separate
letter immediately and need not wait till the audit is completed. The
auditor should be constructive in approach. He should hand over, by end
of the day the list of irregularities to the Branch Manager so that, as far
as possible, before the completion of the audit of the branch, maximum
number of irregularities and wrong practices are rectified and the report
made as brief as possible. It is to be ensured by the auditors that all
irregularities which can be rectified on the spot should be rectified
immediately by the branch in his presence and these irregularities
should not be incorporated in the audit report.
8. The auditor will go through the previous RFIA report, Inspection report,
concurrent audit report, Statutory audit Report (LFAR), and see if the
irregularities pointed out earlier have been rectified by the branch.
Special attention should be given to the remarks such as 'since done',
'since rectified', 'noted', etc. submitted by the branch manager to the
Head Office / Regional Office and it should be ensured that the
compliance has actually been done.
9. Auditors are not authorised to issue instructions to the branch
managers on matters other than those relating to irregularities in
procedure. Any recommendation which he may have to make with
regard to changes in the established procedure should not be made in
the audit Report as these will have to be considered and approved by
the management. He should, in the circumstances, forward his
suggestion in the separate letter to the Audit and Inspection Department
for necessary action.
10. He should freely discuss with the branch manager his findings which
he proposes to incorporate in his audit report in order to avoid any
unnecessary correspondence or controversy at a later stage. Such
discussion will also help in reducing number of irregularities and in
devising ways and means to improve the affairs at the branch.
a. If a certain matter is of such a nature that he does not consider it proper
to be discussed with the branch manager until it is brought to the notice
of controller / higher authorities, it should be reported to the Inspection
Department / HO in a separate confidential letter.
b. While discussing any matter with the branch manager, it should be
impressed upon him that any opinion expressed by him should, under no
circumstances, be construed as an instruction.
11. Before commenting on any matter relating to staff, the auditor should
make an independent assessment and should not be guided by the
branch manager or any other member of the staff in this regard.
12. The auditor should act as adviser / guide to staff of the branch under
audit. Discrepancies must, of course, be brought to light but descriptive
reports, if any, should be written keeping in view the difficulties
experienced by the staff. Reports must be clear, relevant, concise and
brief. Auditors should strictly adhere to the sampling norms applicable to
the category of the branch.
13. The auditor shall submit a list of irregularities observed during the course of
audit on day-to-day basis to the Branch Manager with a request to rectify them
on the spot. It is the responsibility of the Branch Manager as well as of the
auditor to carry out on the spot rectification wherever possible.

An indicative list of other check points for internal audit is given in Annexure I
which is further supported by the structured format, guidelines by HO from time
to time. The auditors are also required to certify verification of various items as
a part of their audit certificate and a copy of audit certificate is given in
Annexure II.

V. PERIODICITY OF AUDIT

Allocation of Audit resources for the branches is linked to risk profile of the
branches through periodicity differential. Periodicity differential is also linked
with the coverage of concurrent audit so that optimum allocation of audit
resources is achieved based on risk profiles.
In view of the Government of India guidelines on audit reforms, frequency of
audit under Risk focused Audit System should be uniformly fixed at 12 months
for High risk Branches and for Medium risk Branches and 18 months for Low
risk Branches and for very Low risk Branches.
The Audit and Inspection Department will identify branches for Risk Focused
Internal Audit based on Category awarded during last Risk Focused Internal
Audit. After identification of Branches for RFIA, the identified branches will be
segregated by the Audit and Inspection Department, Head Office and the Audit plan
will be arrived at by realigning the due date based on the last audit of these identified
branches and note will be placed to For

Periodicity of RFIA

CATEGORY                                RISK RATING (Periodicity in Months)
                                        Very Low   Low   Medium   High
Based on last Audit
For identification of branches          18         18    12       12
for RFIA Audit Plan
New Branches                            Within 18 months of opening

Remarks:
1. Periodicity would be according to the category of Risk ratings without
making differentiation of branches under concurrent audit or not.

2. Newly opened branches, where RFIA rating is not available, will be
considered as Low risk.

VI. FORMAT AND METHODOLOGY ADOPTED:-

New RFIA format provided by Sponsor Bank has been implemented by our
bank which contains following parameters:-

S. no.   Core Parameters                Maximum Score
1.       Business Development           100
2.       Credit Risk Management         450
3.       Operational Risk Management    410
4.       External Compliance            30
5.       Self Audit                     10
         Total                          1000

Grade                                Score Range
Well Controlled               A+     850 & Above
Adequately Controlled         A      700 to 849
Moderately Controlled         B      600 to 699
Unsatisfactorily Controlled   C      Below 600

Time limit for disposal I & A reported by Branch: 45 Days from the date of report

VII. ACTION PLAN :-


a. INDEPENDENT RISK ANALYSIS
i. Audit and Inspection Department to prepare an annual audit plan for Risk
Focused Internal Audit System based on Risk profiles of each auditee unit.
ii. RFIA Format for reporting is to be reviewed periodically and if any major
changes take place then the same is to be included immediately in RFIA format
as additional information.
iii. Auditors would base their risk profiling on past two inspection reports if
there are no previous RFIA reports.
iv. Auditors to carefully allot scores against each parameter in the questionnaire
of the audit format for performance of the branch under various business and
functional areas. In case any parameter is not applicable to the branch, the
aggregate score should be normalized on percentage basis.
v. Auditors are advised to keep themselves abreast of the latest developments in
the Banking Industry as also in our Bank by referring to various Circulars issued
by the Bank which are available on the Intranet as well as on the Internet on the
Website of the Bank.
VIII. SPOT RECTIFICATION OF THE IRREGULARITIES

The guidelines have been issued to the auditing Officers to encourage spot
rectification of the irregularities which can be rectified on the spot. At the end
of each day of inspection period, Inspecting officials under this arrangement
would hand over a list of irregularities noticed during the day to the Branch
Manager / Accountant for rectifying the irregularities. Branches / Offices should
avail of this opportunity in letter and spirit. Under the revised RFIA system
substantial score and consequently good rating can be achieved if previous audit
irregularities and concurrent audit irregularities are rectified and spot
rectification of current RFIA is carried out.
IX. EXIT MEETING
All Auditors are under obligation to hold an ‘EXIT’ meeting with the Head of the
Branch and all other staff after conclusion of the audit. This practice provides an
opportunity for useful interaction between the Auditor and the Branch staff.

X. TIME FRAME FOR RFIA, COMPLIANCE AND CLOSURE

Respective Head office’s Audit and Inspection Department to ensure that
inspectors undertaking RFIA audit are allotted sufficient man days to conduct
RFIA of Auditee Branch. Depending on the exigencies the Audit and Inspection
Department at Head office may suitably allot man days to conduct RFIA of
Auditee Branch. For the purpose, the following schedule to conduct RFIA may be
followed:

Sr. No.   Advance portfolio as on last March   Number of Men Days
1         Below 03 crore                       05
2         03 crore to less than 08 crore       08
3         Above 08 crore                       10

Sr. No.   Deposit portfolio as on last March   Number of Men Days
1         Below 05 crore                       01
2         05 crore to less than 15 crore       02
3         Above 15 crore                       03

Depending on the exigencies, General Manager (Admin) may increase or
decrease the Men days suitably. General Manager (Admin) has to ensure that
the RFIA Audit is completed latest by 15th of March of the financial year.
The Branch is required to submit point to point compliance and
recommendation for closure to Regional Office within 45 days of receipt
of report and the Regional Office is required to forward the same to Head Office
with recommendation of closure of report.

XI. REPORTING SYSTEM:-


Submission of Special Reports:

The Auditors should submit their special report directly to Chairman / General
Manager Head office in the following circumstances without waiting for
completion of monthly / quarterly report. The report should also be forwarded to
Head of Credit department, Head Office, if irregularities relate to Credit
portfolio.
● Shortage of cash found during verification of cash.
● Any fraudulent transaction observed.
● Any serious irregularities in the operation of any of the accounts including
suspicious transaction, violation of KYC / AML norms that may require
immediate attention of Higher Authority.
● Poor operations / abnormal operations in the borrowal accounts that may
lead the accounts to slip into NPA in near future.
● Any other observations, the auditors may find it necessary to be brought to
the notice of higher authority in the interest of the Branch / Bank.
● Irregularities of serious nature pointed out in any inspection / audit / LFAR
report remaining unrectified for more than three months.
● In cases of short mortality.

The auditors may not discuss these special reports with the Branch Manager if
there is sufficient ground to believe that the integrity of the Branch Manager is
suspected to forward same to Head office with recommendation of closure of
report.

Auditors are to specifically report, any matter susceptible to be fraud or
fraudulent activity or any foul play in any transactions, simultaneously, to the
Chairman of the Bank. All other instances may be reported to Audit and
Inspection Department or to Vigilance Officer of the Bank, Head Office, Sagar.

● The Auditing team should hand over daily jotting sheets to Branch Manager
with instructions to carry out the rectification of irregularities immediately and
take acknowledgments. The jotting sheets should contain the irregularities
noticed by the Auditors. Branch Manager should rectify the irregularities
immediately. Inspecting team should discuss the report with the Branch
Manager and take his signature having discussed the report with him.
● One copy of the report is to be handed over to the Branch Manager against
acknowledgment. Second copy should be sent to Head Office / Audit and
Inspection Department and third copy of the report should be sent to concerned
Regional Office. Management synopsis is the part of the audit report and should
be carefully filled up before dispatch of report.

XII. SCRUTINY, COMPLIANCE & CLOSURE

● Desk Officers at Regional Office should put up Management synopsis to RM.
Regional Manager should forthwith take up the matter for rectification and
also forward synopsis to Audit and Inspection department at Head Office.
● Inspection Cells should scrutinise the report, take up the matter for
rectification of irregularities with concerned Regional Managers, evaluate the
coverage of the report as per the format and also scrutinise the rating of the
branch given by the Inspectors.
● Audit and Inspection Department at Head Office, after receipt of
recommendation for closure from the Regional Office along with compliance
certificate from the Regional office, shall process the same and put up for
approval for closure of audit report to GMs and Chairman.

XIII. CLOSURE PROCEDURE


The recommendation should invariably be accompanied by clean compliance
certificate along with audit observations, Branch reply and Regional Office
comments in tabular format.
On receipt of audit closure recommendation from the Regional Office, Head
Office Audit and Inspection Department, GMs and Chairman Head Office after
being satisfied about the compliances shall close the report. General Manager,
Head Office may order for cross verification of compliance wherever deemed
necessary before closure of report.

Qualified compliance

Rectification of 100% of observations in an audit report may not be possible
within the time frame specified in the policy. In case of such reports, closing
authorities shall take a view after assessing the overall risk factors. The
Regional Office will send their recommendations along with the list of pending
compliances, specifying time frame for clean compliance to Head Office.
There may also be instances of deviations / irregularities which cannot
be rectified. The decision to close such report may be taken by the
closing authority on merits of such cases.

XIV. MIS & STATUS REPORT TO ACB


HO Audit and Inspection Department to submit the quarterly
performance review of the department to ACB and it shall inter alia
include:
● Target and achievement under RFIA - Number of branches allotted, audit in
progress, audit completed and reports received and rating.
● In case of High Risk branches based on the RFIA reports, the irregularities
pointed out by Auditors in the Report and the status of compliance / progress in
rectification of irregularities given by the controlling authorities etc. to be
included in the review report to be put up to Audit Committee of Board (ACB).

The annual audit plan for RFIA shall be finalised by the inspection
department, HO and approval to be obtained from Chairman.

XV. Cross Verification


In order to ensure that proper rectification of irregularities has taken place,
the Inspection Department of the Regional Office is to be entrusted with the task
of carrying out random checking of compliance reports submitted by the branches.
The respective Regional Office Inspection Department is to ensure that a minimum
25% of RFIA audits have been cross verified by them.
General Manager, Head Office shall have power to order cross
verification even after closure of the report.

XVI. ROLE OF CONTROLLING AUTHORITY


● The Regional Manager, immediately on receipt of RFIA report, should take
up the matter with the concerned branch for rectification of observations. If the
rectification is not done within the prescribed time schedule, officers from
Regional office may be deputed for speeding up the process of rectification and
/ or close follow up should be made to ensure issuance of closure certificate.
They are accountable for timely issuance of compliance certificate.
● In case of observations of serious nature, which if allowed to persist, may lead
to short-circuiting of systems and procedures, fraudulent activities, tarnishing
the image of the Bank etc.,

● Controllers should issue proper guidance / advice to all the concerned for
speeding up of rectification of irregularities and continuously monitor till the
irregularities are rectified.
● If it is found out later that the closure certificate was recommended by Regional
Office without satisfying himself regarding rectification of irregularities pointed
out in the audit reports or based on the vague replies given by the branches, they
will be personally held responsible.
● Compliance certificate in respect of special reports as per format has to be
issued by the concerned Regional Office within one month from the date of
submission of report.

Risk Mitigation :
Mitigation of risk factors in case of all the branches to be ensured by
concerned Regional Office and their efforts will also be supplemented by
Head office if necessary in case of High Risk branches.

XVII. IMPLICATIONS FOR SUBMISSION OF FALSE COMPLIANCE CERTIFICATE.

The disciplinary Authority would consider initiating disciplinary proceedings
against the concerned erring official /s in appropriate cases, who is / are
responsible for giving False Compliance certificates.

XVIII. Review of Policy


In accordance with the Govt. of India Guidelines, review of the policy is to be
put up to ACB. Annual review of the policy will be put up to the Audit
Committee of the Board for recommending to the Board for approval. Approved
revised Policy & Guidelines will remain in force till next review.
In case of exigencies, Chairman will be the competent authority to effect
necessary changes in this policy and same will be placed before the Board for
information in the next meeting.
Any guideline(s) issued by regulators with regard to Concurrent Audit and / or
any other matter dealt with by this Policy will be deemed to be part & parcel of
this policy for operational purpose with immediate effect. A note regarding such
directive should be placed before ACB / Board for information.
