Banking

Risk Based Internal Audit Need for Such Approach in Banking Sector for Implementation of BASEL II Accord: Bangladesh Perspective
Anjan Kumer Roy Abstract:
This study on risk based internal audit (RBIA) is an attempt study is given on the banking sector of Bangladesh, where the management in the development of risk database, which is an which is the demand of present time from internal auditor and regulatory requirements, a shift to the risk based internal audit

to identify the importance of RBIA in banking sector for efficient implementation of BASEL II accord. Focus in this early 2009. RBIA will act as an important tool by facilitating essential document to comply with Pillar-1(Minimum capital requirement) of BASEL II. Though there are some difficulties or disadvantages in implementation of RBIA, earliest move to is required to tackle increased complexities resulted from this approach is recommended for the dual benefits: firstly, increased use of information technology (IT), regulatory requirement and globalization in this regard and secondly, of risk database. facilitate management in the development and up-gradation Accord, Risk database, Risk, Internal control. Keywords: Risk based internal audit (RBIA), BASEL II new capital accord (BASEL II) will be implemented from

2.0 Objective of the study:

following bullet points:

(RBIA) approach is desirable.

The objective of the study could be summarized using the To portray the importance of RBIA in banking sector in To conceptualize RBIA approach.

the event of increased complexity of operational activities resulted from increased use of information technology (IT), regulatory requirements and globalization of business activities.

improved and effective way for conducting internal audit that

implementation of BASEL II. approach.

To identify RBIA as an important tool for effective To address difficulties in implementation of such an

3.0 Methodology of the study:

The study has been conducted on the basis of secondary operating in Bangladesh having a foreign branch and a

information and experience gained as a team member of a statutory audit of financial statements of a commercial bank evaluating appropriateness of the work of internal auditor for statutory (external) audit purposes. Some of the members of in this respect. foreign subsidiary. The experience gained at the time of the internal audit team of the said bank have been interviewed

1.0 Introduction:

Internal auditing means an appraisal activity established within an entity as a service to the entity1. The internal audit effectiveness of risk assessment, internal control systems, and add value to the organization by addressing the exposure to different kinds of risk to which an organization may be exposed for various reasons including increased use of regulatory requirements for assessment of risks in different

function is responsible for evaluating and commenting on the corporate governance process. There is increasing pressure to

4.0 Internal audit: conceptual issues

Internal auditing means an appraisal activity established the organizations risk management process and systems of

information technology, and globalization. There are also sectors like financial sector. In this context of value addition -

within an entity as a service to the entity. It is an independent control and to make recommendations for the achievement of

activity established by management to examine and evaluate

Author is senior articled student of ACNABIN, Chartered Accountant.

The Bangladesh Accountant/July - September 2008

73

company objectives. Internal audit is an independent,

Banking

objective assurance and consulting activity designed to add value and improve an organizations operations2. In other words the internal audit function is responsible for evaluating and commenting on the effectiveness of risk assessment, Thus, an understanding of internal audit requires an understanding on the following three areas: Risk assessment is the identification and analysis of risks Internal control systems (ICS) is a system, structure, or reporting and compliance goals and objectives. internal control systems, and corporate governance process.

risks and reports whether these are managed (David M.

Griffiths, 2006). It is the contemporary expression of

transition from auditing focused on past activities to

managing the future. The definition of RBIA requires that the organization (a) knows all its significant inherent risks (b) has evaluated these risks so that they can be prioritized in order of whether these are above or below it. the following assumptions: the threat they represent and (c) has defined its appetite such that inherent and residual risks can be evaluated to determine The effectiveness of RBIA revolves around a reliable risk register a database of organizations risk. RBIA is based on Audit resources are not infinite importance Unit activities to be audited are subject to different risks

associated with the achievement of operations, financial

process, implemented by a firms board of directors, management, and other personnel, intended to provide the following categories: (a) effectiveness and efficiency of reasonable assurance about achieving control objectives in operations, (b) reliability of financial reporting, and (c) compliance with applicable laws and regulations (COSO3,

Unit activities to be audited have different degree of

RBIA involves the following three steps: (a) confirm the organizations risk register is suitable for us to use as a basis are to provide an opinion, and compile risk and audit universe 5 ; and (c) carryout the individual audit that will provide the opinion. for planning; (b) select those risks on whose management we

Corporate Governance (CG) is the relationship between the

1994).

investor, the management team and the board of directors of a

company (Arther Levitt, 2002:209). CG is a system that tells of good CG. It is an important issue that requires internal and external audit.

about how a company will be directed and controlled. A properly functioning internal audit department is also a part understanding by auditors because of their significant role in Objective of internal audit is to advise management about loss that would be resulted from various risks to which an control and corporate governance. whether the organization has a sound ICS and functioning

Preparation of an annual risk based (macro risk) audit plan

aims at: (a) determining audit priorities, and (b) mobilizing

5.0 BASEL II Accord: conceptual issues

resources to prioritized areas.

recommendations by bank supervisors and central bankers from the 13 countries making up the BASEL Committee on deliberations began in January 2001. Banking Supervision to revise the international standards for Framework of BASEL II consists of three pillars: measuring the adequacy of a banks capital. The BASEL II Pillar-1 (Minimum capital requirement) provides approaches

BASEL II is the second BASEL Accord and represents

efficiently and effectively to protect the organization against organization is exposed. Thus, internal auditors are Approaches of internal audit may take the following forms: (a) Traditional processes or systems based approach4 of prevent the organization from accomplishing its objectives. These are measured in terms of their frequency of occurrence and the damage they will cause. Risk based approach of internal audit is most recent
The Bangladesh Accountant/July - September 2008

responsible to advise and make recommendations on internal

to the calculation of required capital charges considering the different constituents of capital such as credit risk, operational risk have been considered for the first time evolving technology, outsourcing and recent bank failures. because of new complex financial products and strategies, Pillar-2 (Supervisory review) provides the framework to 74 operational risk and market risk. Capital charges in relation to specialized processing operations and reliance on rapidly ensure that each bank has sound internal processes to enable it to perform a through evaluation of its risks and therefore

Risks are all kinds of events or circumstances that may

internal audit; and (b) Risk based internal audit (RBIA).

development in the arena of internal audit. RBIA is driven by

assess the required capital.

Banking

Pillar-3 (Market disclosure) requires new disclosures to

implemented in the organization, the internal auditor (IA) will verify the risk register for its completeness and accuracy. Under RBIA it is auditors responsibility to form an opinion whether they are properly managed. Thus, the internal auditor effective risk database, which is the fundamental document in BASEL II accord.

encourage market discipline. These disclosures address disclosure requirements.

market, credit and operational risks and supervisors are Objectives of the Accord are: (a) to maintain safety and

required to implement at least a minimum core set of soundness in the financial system (b) to enhance competitive capital; and (d) to focus on internationally active banks.

will contribute to the development of a complete and for calculating minimum required capital under IRB approach The role of auditor under RBIA for the development of rich and effective risk database will vary according to the level of risk maturity the degree to which the organization understands risk and has implemented risk management. The IIA8, UK and Ireland, in a publication of RBIA defines 5 (five) levels of risk maturity: risk enable, risk managed, risk

equality; (c) to introduce a more risk sensitive framework that

closely aligns internal economic capital with regulatory

6.0 Risk based internal audit an important tool for implementation of BASEL II: Bangladesh perspective

BASEL II in banking sector of Bangladesh will be implemented from early 2009 according to BRPD6 Circular New Capital Accord (BASEL II) in Bangladesh promulgated by Bangladesh Bank7 with the following specific approaches as initial steps: a. Standardized approach for calculating risk weighted b. Standardized rule based approach for operational risk After parallel run of present regulation (BASEL I) and BASEL II in the first year of adoption, the concerned banks have to develop database for switching up to internal rating based (IRB) approach. The foundation IRB approach for Under foundation IRB approach, banks will derive figure for determining probability of default (PD) on the basis of own database and seek figure on loss given to default (LGD), c. Basic indicator approach for market risk. credit assessment institutions (ECAIs) amount (RWA) against credit risk supported by external No. 14 (dated December 30, 2007) on Implementation of

defined, risk aware and risk nave. In a risk enabled organization9, the RBIA will emphasize on whether the risk management process is working properly, in particular, on whether key risks are reported to the board and accordingly managements proposed action where weaknesses are found. On the other hand, in risk defined organization11 the internal enable the organization to enrich its risk database. Whereas in a risk-managed organization 10 , it may facilitate audit activity will act as a consultant to facilitate the compilation of a complete risk register from the list of risks already complied by mangers. In a risk aware organization, the RBIA activity will act as a consultant to undertake a risk assessment in conjunction with management to determine the the requirements of management to comply with Pillar-I of BASEL II. As with the risk aware organization, in a risk establishment of a risk management framework. work required to implement a risk framework that will fulfill nave organization RBIA will promote and consult on the

calculating minimum capital has to be implemented by 2012.

exposure at default (EAD) and maturity of credit exposure approach, banks will derive all those components (LGD, EAD, and MCE) along with PD on the basis of their own loss database and it will be a continuous effort. (MCE) from Bangladesh Bank. Under advanced IRB

7.0 Implementation of RBIA: difficulties

Some difficulties or disadvantages are associated with the

implementation of RBIA like, (a) auditors independence may be compromised due to close relationship with management; (b) existing staffs may be required to be retrained; (c) stakeholder management is very important and takes time; like petty cash audit will disappear due to excessive concentration on audit of inherent risk. and (d) some of the audits previously considered important

The RBIA, as preventive measures against risk, gives emphasis on identifying and categorizing of risk involved in different operational area. The implementation of RBIA risks and has evaluated these risks to prioritize. On the other switching to IRB approach. If RBIA methodology is
The Bangladesh Accountant/July - September 2008

requires that the organization has identified all the inherent hand bank management is responsible to develop database for

8.0 Conclusion and recommendation

Above discussion leads to the conclusion that bank 75

companies can derive dual benefits from the implementation

of RBIA. Firstly, RBIA methodology is an improved and effective approach over previous traditional process or system Secondly, it will act as an important tool that will facilitate based approach for conducting internal audit activities.

Banking

minimum required capital through the application of IRB approach under BASEL II. Thus, bank companies in our country those still not adopted paragraph. RBIA methodology should switch to it at earliest convenient
n

management in the development and up-gradation of risk database, which is an essential document to calculate REFERENCES:

time to capitalize the dual benefit mentioned earlier of this

Griffiths, David M. 2006. Risk Base Internal Auditing an Introduction. Internet Version: 2.0.3, 15 March. Committee of Sponsoring Organizations of the Treadway Commission. 1992. Internal control integrated framework (COSO Banking Regulatory and Policy Department (BRPD). 2007. Implementation of New Capital Accord (Basel II) in Bangladesh. Basel Committee on Banking Supervision. 1998. Framework for Evaluation of Internal Control Systems. Bank for international Basel Committee on Banking Supervision. 2005. Enhancing Corporate Governance for Banking Organizations. Bank for Cirtin, A.1982. Risk Analysis of Internal Control Procedures. The Internal Auditor (June): 33-35. Levit, A. 2002. Take on the Street. New York: Pantheon Books. Capio, G. Jr and Levine, R. 2002. Corporate Governance of Banks: Concepts and International Observations, Paper presented in Niekerk, Riaan Van. 2005. The Role of Internal Auditor in Enhancing Control and Performance. Ernst &Young Ministry of Finance of Republic of Turkey. the Global Corporate Governance Forum Research Network Meeting, 5 April. General Directorate of Internal Audit. 2005. Internal Audit Practices: Twining Project Kick-off Meeting. Dedeman Hotel: FOOTNOTES 1. 2. 3. 4. 5. 6. 7. 8. 9. international settlement in Basel. settlement in Basel. BRPD # 14, 30 December. Dhaka: Bangladesh Bank. report). New York: COSO. Web:www.internalaudit.biz

Paragraph 3 of International Standards on Auditing (ISA) 610: Considering the Work of Internal Auditing. Institute of Internal Auditors, USA, 2002 Committee on Sponsoring Organization Traditional process or system based audit is driven by actual systems in place and controls that are related to those. It Banking Regulatory and Policy Department. The Central Bank of Bangladesh. Institute of Internal Auditors.

confirms internal controls are operating and recommend improving efficiency.

The risk and audit universe is an extension of managements risk register and is best kept as a database.

10. Risk managed organization is one where enterprise wide approach to risk management is developed and communicated. compiled lists of risks instead of a complete risk register.

where there is a complete risk register

Risk enabled organization is one where risk management and internal control are fully embedded into the operation, and

11. Risk defined organization is one where strategies and policies in place and communicated, and most managers have

The Bangladesh Accountant/July - September 2008

76