Internal Audit Policy
2. Under risk-focused internal audit, the focus will shift from the present
system of full-scale transaction testing to risk identification, prioritization
of audit areas and allocation of audit resources in accordance with the risk
assessment. This policy includes the risk assessment methodology for
identifying the risk areas based on which the audit plan would be
formulated.
3. This policy deals with internal audit of all branches i.e. business units of
the Bank. The internal audit of branches is further supplemented by the
Concurrent Audit Policy. The domain of risk-focused internal audit in the
Bank is further extended to audit of business activities / functional
entities which is separately addressed in respective audit policies i.e. IS
Audit Policy. Thus, every activity / location of the bank, including the
risk management function, is subjected to risk-focused audit.
The risk assessment of branches should be carried out on the basis of the
'inherent business risks' and 'control risks', as indicated in 'Guidance note on risk
focused internal audit'.
The risk assessment should not only indicate the level of risk as High, Medium,
Low and Very Low but also the trend of risk in terms of increasing, decreasing or
stable.
In the guidance dated 27th December 2002, RBI has advised the classification
of risk under various categories and sub categories as under:
1. Business Risk
a. Credit Risk
b. Earnings Risk
c. Liquidity Risk
e. Operational Risk
2. Control Risk.
B. Compliance Risk
We are required to measure the Risk levels under each of the above categories
and the branch as a whole, draw the risk matrix and carry out the trend analysis.
OUR APPROACH
The risk assessment of branches would be on the basis of the 'inherent business
risks' and 'control risks', as indicated in 'Guidance note on risk based internal
audit'.
A. Business Risk Assessment - Business Risk Rating Model
Branches of the Bank are the primary outlet for selling our products. Business
risk at branch level is mainly a function of factors like volume of business &
complexities of activities, rate & pattern of growth of business, composition &
granularity of business, quality of assets created, extent of portfolio / industry /
activity concentration, cost of resources mobilised etc. A risk rating model to
assess business risk is to be put in place containing following broad parameters :
a. Business growth rate and pattern
b. Cost of resources mobilized
c. Dependence on bulk / Institutional Deposits
d. Concentration of credit
e. Credit portfolio quality
f. Asset quality
g. Level of advances including NFB
h. Risk Weight Exposure
i. Unsecured advances level
j. Fresh Slippage
k. Short Mortality
RATING SCALE: The Business risk captured through the model will be
assessed on a rating scale as under:
SCORE %               RISK RATING
>= 85% and <= 100     VERY LOW
>= 70% and < 85       LOW
>= 60% and < 70       MEDIUM
>= 0% and <= 60       HIGH
A revised new RFIA format, as advised by the sponsor Bank, has been adopted
by our Bank, and we update it from time to time as per instructions given
by the sponsor Bank.
IV. SCOPE OF AUDIT, ROLE & RESPONSIBILITIES OF AN AUDITOR
RBI GUIDELINES
a. The Annual audit plan, approved by the Audit Committee of Board should
include the schedule and the rationale for audit work planned. It should also
include all risk areas and their prioritization based on the level and direction of
risk. Illustratively, the areas or activities identified high risk may be audited at
shorter intervals as compared to medium or low risk areas, which may be
audited at longer intervals subject to regulatory guidelines, as applicable.
b. The primary focus of risk-focused internal audit will be to provide
reasonable assurance to the Board and top management about the adequacy and
effectiveness of the risk management and control framework in the banks’
operations. While examining the effectiveness of control framework, the risk
focused internal audit should report on proper recording and reporting of major
exceptions and excesses. Transaction testing would continue to remain an
essential aspect of risk based internal audit. The extent of transaction testing
will have to be determined based on the risk assessment.
Our Guidelines
1. Audit is one of the important functions through which effective control is
exercised by the Head Office over the branches. It involves scrutiny of the
working of the branches in all aspects viz. verification of cash, stock of all
numbered items, securities and other assets, securities for advances (including
stock pledged, hypothecated and mortgages), scrutiny of the books of accounts,
business of the branch with special reference to its profitability, assessment of
the performance of the branch in the mobilisation of deposits and financing of
hitherto neglected sectors and proper utilisation of manpower. It also includes
verification as to whether the books are properly maintained, regularly checked
and balanced, that instructions as laid down in the Bank's book of instructions,
policy documents and circulars issued by the Head Office from time to time are
scrupulously followed and that the accounting system embodies necessary
safeguards against frauds and that there is no unnecessary duplication of work.
In short, the main objective of audit is to ensure that the branch is run on sound
lines both from the financial and organisational points of view.
2. Ordinarily, audit should cover the period from the date of the previous audit
till the date of the present audit, but in case it is necessary to go beyond the date
of the last audit in connection with certain important aspects during the course
of the present audit, the inspecting officers should not hesitate to do so in the
interest of the Bank.
3. As the duties of an auditor are onerous and responsible, he / she should be
fully conversant with the instructions / guidelines as laid down in the Circulars
issued by the Head Office from time to time and also have thorough knowledge
of the working of the various departments / sections of a branch. He should not
deviate from his duty and responsibility in the discharge of his functions on
account of any fear or favour.
4. An Auditing Officer should possess a high standard of integrity and
competence, and should be one who can be relied upon to conduct a thorough
examination of the varied affairs of the branch.
as possible, before the completion of the audit of the branch, maximum
number of irregularities and wrong practices are rectified and the report
made as brief as possible. It is to be ensured by the auditors that all
irregularities which can be rectified on the spot should be rectified
immediately by the branch in his presence and these irregularities
should not be incorporated in the audit report.
8. The auditor will go through the previous RFIA report, Inspection report,
concurrent audit report, Statutory audit Report (LFAR), and see if the
irregularities pointed out earlier have been rectified by the branch.
Special attention should be given to remarks such as 'since done',
'since rectified', 'noted', etc. submitted by the branch manager to the
Head Office / Regional Office, and it should be ensured that the
compliance has actually been done.
9. Auditors are not authorised to issue instructions to the branch
managers on matters other than those relating to irregularities in
procedure. Any recommendation which he may have to make with
regard to changes in the established procedure should not be made in
the audit Report as these will have to be considered and approved by
the management. He should, in the circumstances, forward his
suggestion in a separate letter to the Audit and Inspection Department
for necessary action.
10. He should freely discuss with the branch manager his findings which
he proposes to incorporate in his audit report in order to avoid any
unnecessary correspondence or controversy at a later stage. Such
discussion will also help in reducing number of irregularities and in
devising ways and means to improve the affairs at the branch.
a. If a certain matter is of such a nature that he does not consider it proper
to be discussed with the branch manager until it is brought to the notice
of controller / higher authorities, it should be reported to the Inspection
Department / HO in a separate confidential letter.
b. While discussing any matter with the branch manager, it should be
impressed upon him that any opinion expressed by him should, under no
circumstances, be construed as an instruction.
11. Before commenting on any matter relating to staff, the auditor should
make an independent assessment and should not be guided by the
branch manager or any other member of the staff in this regard.
12. The auditor should act as adviser / guide to staff of the branch under
audit. Discrepancies must, of course, be brought to light but descriptive
reports, if any, should be written keeping in view the difficulties
experienced by the staff. Reports must be clear, relevant, concise and
brief. Auditors should strictly adhere to the sampling norms applicable to
the category of the branch.
13. The auditor shall submit a list of irregularities observed during the course of
audit on day-to-day basis to the Branch Manager with a request to rectify them
on the spot. It is the responsibility of the Branch Manager as well as of the
auditor to carry out on the spot rectification wherever possible.
An indicative list of other check points for internal audit is given in Annexure I
which is further supported by the structured format, guidelines by HO from time
to time. The auditors are also required to certify verification of various items as
a part of their audit certificate and a copy of audit certificate is given in
Annexure II.
V. PERIODICITY OF AUDIT
Allocation of Audit resources for the branches is linked to risk profile of the
branches through periodicity differential. Periodicity differential is also linked
with the coverage of concurrent audit so that optimum allocation of audit
resources is achieved based on risk profiles.
In view of the Government of India guidelines on audit reforms, frequency of
audit under Risk focused Audit System should be uniformly fixed at 12 months
for High risk Branches and for Medium risk Branches and 18 months for Low
risk Branches and for Very Low risk Branches.
The Audit and Inspection Department will identify branches for Risk Focused
Internal Audit based on Category awarded during last Risk Focused Internal
Audit. After identification of Branches for RFIA, the identified branches will be
segregated by the Audit and Inspection Department, Head Office and the Audit plan
will be arrived at by realigning the due date based on the last audit of these identified
branches and note will be placed to For
Periodicity of RFIA
2. Newly opened branches, where an RFIA rating is not available, will be
considered as Low risk.
VI. FORMAT AND METHODOLOGY ADOPTED:-
New RFIA format provided by Sponsor Bank has been implemented by our
bank which contains following parameters:-
S. no.   Core Parameters                Maximum Score
1.       Business Development           100
2.       Credit Risk Management         450
3.       Operational Risk Management    410
4.       External Compliance            30
5.       Self Audit                     10
         Total                          1000
Time limit for disposal I & A reported 45 Days from the date of report
by Branch
The guidelines have been issued to the auditing Officers to encourage spot
rectification of the irregularities which can be rectified on the spot. At the end
of each day of inspection period, Inspecting officials under this arrangement
would hand over a list of irregularities noticed during the day to the Branch
Manager / Accountant for rectifying the irregularities. Branches / Offices should
avail of this opportunity in letter and spirit. Under the revised RFIA system
substantial score and consequently good rating can be achieved if previous audit
irregularities and concurrent audit irregularities are rectified and spot
rectification of current RFIA is carried out.
IX. EXIT MEETING
All Auditors are under obligation to hold ‘EXIT’ meeting with the Head of the
Branch and all other staff after conclusion of the audit. This practice provides an
opportunity for useful interaction between the Auditor and the Branch staff.
Depending on the exigencies, General Manager (Admin) may increase or
decrease the man-days suitably. General Manager (Admin) has to ensure that
the RFIA Audit is completed latest by 15th of March of the financial year.
Branch is required to submit point to point compliance and
recommendation for closure to Regional Office within 45 days of receipt
of report and Regional Office is required to forward the same to Head Office
with recommendation of closure of report.
The Auditors should submit their special report directly to Chairman / General
Manager Head office in the following circumstances without waiting for
completion of monthly / quarterly report. The report should also be forwarded to
Head of Credit department, Head Office, if irregularities relate to Credit
portfolio.
● Shortage of cash found during verification of cash.
● Any fraudulent transaction observed.
● Any serious irregularities in the operation of any of the accounts including
suspicious transaction, violation of KYC / AML norms that may require
immediate attention of Higher Authority.
● Poor operations / abnormal operations in the borrowal accounts that may
lead the accounts to slip into NPA in near future.
● Any other observations, the auditors may find it necessary to be brought to
the notice of higher authority in the interest of the Branch / Bank.
● Irregularities of serious nature pointed out in any inspection / audit / LFAR
report remaining unrectified for more than three months.
● In cases of short mortality.
The auditors may not discuss this special report with the Branch Manager if
there is sufficient ground to believe that the integrity of the Branch Manager is
suspected to forward same to Head office with recommendation of closure of
report.
● The Auditing team should hand over daily jotting sheets to Branch Manager
with instructions to carry out the rectification of irregularities immediately and
take acknowledgments. The jotting sheets should contain the irregularities
noticed by the Auditors. Branch Manager should rectify the irregularities
immediately. Inspecting team should discuss the report with the Branch
Manager and take his signature having discussed the report with him.
● One copy of the report is to be handed over to the Branch Manager against
acknowledgment. Second copy should be sent to Head Office / Audit and
Inspection Department and third copy of the report should be sent to concerned
Regional Office. Management synopsis is a part of the audit report and should
be carefully filled up before dispatch of report.
Qualified compliance
Regional Office will send their recommendations along with the list of pending
compliances, specifying time frame for clean compliance to Head Office.
There may also be instances of deviations / irregularities which cannot
be rectified. The decision to close such report may be taken by the
closing authority on merits of such cases.
The annual audit plan for RFIA shall be finalised by the inspection
department, HO and approval to be obtained from Chairman.
● Controllers should issue proper guidance / advice to all the concerned for
speeding up of rectification of irregularities and continuously monitor till the
irregularities are rectified.
● If it is found out later that a closure certificate was recommended by the Regional
Office without satisfying itself regarding rectification of the irregularities pointed
out in the audit reports, or based on vague replies given by the branches, they
will be held personally responsible.
● Compliance certificate in respect of special reports as per format has to be
issued by the concerned Regional Office within one month from the date of
submission of report.
Risk Mitigation:
Mitigation of risk factors in case of all the branches to be ensured by
concerned Regional Office and their efforts will also be supplemented by
Head office if necessary in case of High Risk branches.