
Risk Based Internal Audit – Need for Such Approach in Banking Sector for Implementation of BASEL II Accord: Bangladesh Perspective

Anjan Kumer Roy

The Bangladesh Accountant/July - September 2008 73

Banking

Author is senior articled student of ACNABIN, Chartered Accountant.

Abstract:

This study on risk based internal audit (RBIA) is an attempt to identify the importance of RBIA in the banking sector for efficient implementation of the BASEL II accord. The focus of this study is on the banking sector of Bangladesh, where the new capital accord (BASEL II) will be implemented from early 2009. RBIA will act as an important tool by facilitating management in the development of a risk database, which is an essential document for complying with Pillar-1 (Minimum capital requirement) of BASEL II. Though there are some difficulties or disadvantages in the implementation of RBIA, the earliest possible move to this approach is recommended for its dual benefits: firstly, it is an improved and effective way of conducting internal audit, which is required to tackle the increased complexities resulting from increased use of information technology (IT), regulatory requirements and globalization; and secondly, it facilitates management in the development and up-gradation of the risk database.

Keywords: Risk based internal audit (RBIA), BASEL II Accord, Risk database, Risk, Internal control.

1.0 Introduction:

Internal auditing means an appraisal activity established within an entity as a service to the entity [1]. The internal audit function is responsible for evaluating and commenting on the effectiveness of risk assessment, internal control systems, and the corporate governance process. There is increasing pressure to add value to the organization by addressing the different kinds of risk to which an organization may be exposed for various reasons, including increased use of information technology and globalization. There are also regulatory requirements for the assessment of risks in different sectors, such as the financial sector. In this context of value addition, which is the present-day demand on the internal auditor, and of regulatory requirements, a shift to the risk based internal audit (RBIA) approach is desirable.

2.0 Objective of the study:

The objective of the study could be summarized using the following bullet points:
• To conceptualize the RBIA approach.
• To portray the importance of RBIA in the banking sector in the event of increased complexity of operational activities resulting from increased use of information technology (IT), regulatory requirements and globalization of business activities.
• To identify RBIA as an important tool for effective implementation of BASEL II.
• To address difficulties in the implementation of such an approach.

3.0 Methodology of the study:

The study has been conducted on the basis of secondary information and experience gained as a team member of a statutory audit of the financial statements of a commercial bank operating in Bangladesh having a foreign branch and a foreign subsidiary. The experience was gained at the time of evaluating the appropriateness of the work of the internal auditor for statutory (external) audit purposes. Some of the members of the internal audit team of the said bank have been interviewed in this respect.

4.0 Internal audit: conceptual issues

Internal auditing means an appraisal activity established within an entity as a service to the entity. It is an independent activity established by management to examine and evaluate the organization’s risk management process and systems of control and to make recommendations for the achievement of company objectives. Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations [2]. In other words, the internal audit function is responsible for evaluating and commenting on the effectiveness of risk assessment, internal control systems, and the corporate governance process. Thus, an understanding of internal audit requires an understanding of the following three areas:

Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting and compliance goals and objectives.

Internal control systems (ICS) is a system, structure, or process, implemented by a firm’s board of directors, management, and other personnel, intended to provide reasonable assurance about achieving control objectives in the following categories: (a) effectiveness and efficiency of operations, (b) reliability of financial reporting, and (c) compliance with applicable laws and regulations (COSO [3], 1994).

Corporate Governance (CG) is “the relationship between the investor, the management team and the board of directors of a company” (Arthur Levitt, 2002:209). CG is a system that describes how a company will be directed and controlled. A properly functioning internal audit department is also a part of good CG. It is an important issue that requires understanding by auditors because of their significant role in internal and external audit.

The objective of internal audit is to advise management about whether the organization has a sound ICS that is functioning efficiently and effectively to protect the organization against loss that would result from the various risks to which it is exposed. Thus, internal auditors are responsible for advising and making recommendations on internal control and corporate governance.

Approaches to internal audit may take the following forms: (a) traditional processes or systems based approach [4] of internal audit; and (b) risk based internal audit (RBIA).

Risks are all kinds of events or circumstances that may prevent the organization from accomplishing its objectives. These are measured in terms of their frequency of occurrence and the damage they will cause.

The risk based approach to internal audit is the most recent development in the arena of internal audit. RBIA is driven by risks and reports whether these are managed (David M. Griffiths, 2006). It is the contemporary expression of the transition from auditing focused on past activities to managing the future. The definition of RBIA requires that the organization (a) knows all its significant inherent risks, (b) has evaluated these risks so that they can be prioritized in order of the threat they represent, and (c) has defined its appetite such that inherent and residual risks can be evaluated to determine whether these are above or below it.

The effectiveness of RBIA revolves around a reliable risk register – a database of the organization’s risks. RBIA is based on the following assumptions:
• Audit resources are not infinite
• Unit activities to be audited are subject to different risks
• Unit activities to be audited have different degrees of importance

RBIA involves the following three steps: (a) confirm the organization’s risk register is suitable for us to use as a basis for planning; (b) select those risks on whose management we are to provide an opinion, and compile the risk and audit universe [5]; and (c) carry out the individual audit that will provide the opinion.

Preparation of an annual risk based (macro risk) audit plan aims at: (a) determining audit priorities, and (b) mobilizing resources to prioritized areas.

5.0 BASEL II Accord: conceptual issues

BASEL II is the second BASEL Accord and represents recommendations by bank supervisors and central bankers from the 13 countries making up the BASEL Committee on Banking Supervision to revise the international standards for measuring the adequacy of a bank’s capital. The BASEL II deliberations began in January 2001.

The framework of BASEL II consists of three pillars:

Pillar-1 (Minimum capital requirement) provides approaches to the calculation of required capital charges considering the different constituents of capital such as credit risk, operational risk and market risk. Capital charges in relation to operational risk have been considered for the first time because of new complex financial products and strategies, specialized processing operations and reliance on rapidly evolving technology, outsourcing and recent bank failures.

Pillar-2 (Supervisory review) provides the framework to ensure that each bank has sound internal processes to enable it to perform a thorough evaluation of its risks and therefore assess the required capital.

Pillar-3 (Market disclosure) requires new disclosures to encourage market discipline. These disclosures address market, credit and operational risks, and supervisors are required to implement at least a minimum core set of disclosure requirements.

Objectives of the Accord are: (a) to maintain safety and soundness in the financial system; (b) to enhance competitive equality; (c) to introduce a more risk sensitive framework that closely aligns internal economic capital with regulatory capital; and (d) to focus on internationally active banks.

6.0 Risk based internal audit – an important tool for implementation of BASEL II: Bangladesh perspective

BASEL II in the banking sector of Bangladesh will be implemented from early 2009 according to BRPD [6] Circular No. 14 (dated December 30, 2007) on “Implementation of New Capital Accord (BASEL II) in Bangladesh” promulgated by Bangladesh Bank [7], with the following specific approaches as initial steps:
a. Standardized approach for calculating risk weighted amount (RWA) against credit risk supported by external credit assessment institutions (ECAIs)
b. Standardized rule based approach for operational risk
c. Basic indicator approach for market risk.

After a parallel run of the present regulation (BASEL I) and BASEL II in the first year of adoption, the concerned banks have to develop a database for switching up to the internal rating based (IRB) approach. The foundation IRB approach for calculating minimum capital has to be implemented by 2012. Under the foundation IRB approach, banks will derive the figure for determining probability of default (PD) on the basis of their own database and seek figures on loss given default (LGD), exposure at default (EAD) and maturity of credit exposure (MCE) from Bangladesh Bank. Under the advanced IRB approach, banks will derive all those components (LGD, EAD, and MCE) along with PD on the basis of their own loss database, and it will be a continuous effort.

The RBIA, as a preventive measure against risk, gives emphasis to identifying and categorizing the risks involved in different operational areas. The implementation of RBIA requires that the organization has identified all the inherent risks and has evaluated these risks in order to prioritize them. On the other hand, bank management is responsible for developing the database for switching to the IRB approach. If the RBIA methodology is implemented in the organization, the internal auditor (IA) will verify the risk register for its completeness and accuracy. Under RBIA it is the auditor’s responsibility to form an opinion on whether the risks are properly managed. Thus, the internal auditor will contribute to the development of a complete and effective risk database, which is the fundamental document for calculating minimum required capital under the IRB approach in the BASEL II accord.

The role of the auditor under RBIA in the development of a rich and effective risk database will vary according to the level of risk maturity – the degree to which the organization understands risk and has implemented risk management. The IIA [8], UK and Ireland, in a publication on RBIA, defines 5 (five) levels of risk maturity: risk enabled, risk managed, risk defined, risk aware and risk naïve. In a risk enabled organization [9], the RBIA will emphasize whether the risk management process is working properly, in particular whether key risks are reported to the board, and accordingly enable the organization to enrich its risk database. In a risk managed organization [10], it may facilitate management’s proposed action where weaknesses are found. In a risk defined organization [11], the internal audit activity will act as a consultant to facilitate the compilation of a complete risk register from the list of risks already compiled by managers. In a risk aware organization, the RBIA activity will act as a consultant to undertake a risk assessment in conjunction with management to determine the work required to implement a risk framework that will fulfill the requirements of management to comply with Pillar-1 of BASEL II. As with the risk aware organization, in a risk naïve organization RBIA will promote and consult on the establishment of a risk management framework.

7.0 Implementation of RBIA: difficulties

Some difficulties or disadvantages are associated with the implementation of RBIA: (a) the auditor’s independence may be compromised due to a close relationship with management; (b) existing staff may need to be retrained; (c) stakeholder management is very important and takes time; and (d) some of the audits previously considered important, like petty cash audit, will disappear due to excessive concentration on audit of inherent risk.

8.0 Conclusion and recommendation

The above discussion leads to the conclusion that bank companies can derive dual benefits from the implementation of RBIA. Firstly, the RBIA methodology is an improved and effective approach over the previous traditional process or system based approach for conducting internal audit activities. Secondly, it will act as an important tool that will facilitate management in the development and up-gradation of the risk database, which is an essential document for calculating minimum required capital through the application of the IRB approach under BASEL II.

Thus, bank companies in our country that have not yet adopted the RBIA methodology should switch to it at the earliest convenient time to capitalize on the dual benefits mentioned above.


REFERENCES:

Griffiths, David M. 2006. Risk Based Internal Auditing – an Introduction. Internet Version: 2.0.3, 15 March. Web: www.internalaudit.biz

Committee of Sponsoring Organizations of the Treadway Commission. 1992. Internal control – integrated framework (COSO report). New York: COSO.

Banking Regulatory and Policy Department (BRPD). 2007. Implementation of New Capital Accord (Basel II) in Bangladesh. BRPD # 14, 30 December. Dhaka: Bangladesh Bank.

Basel Committee on Banking Supervision. 1998. Framework for Evaluation of Internal Control Systems. Bank for International Settlements, Basel.

Basel Committee on Banking Supervision. 2005. Enhancing Corporate Governance for Banking Organizations. Bank for International Settlements, Basel.

Cirtin, A. 1982. Risk Analysis of Internal Control Procedures. The Internal Auditor (June): 33-35.

Levitt, A. 2002. Take on the Street. New York: Pantheon Books.

Caprio, G. Jr and Levine, R. 2002. Corporate Governance of Banks: Concepts and International Observations. Paper presented in the Global Corporate Governance Forum Research Network Meeting, 5 April.

Niekerk, Riaan Van. 2005. The Role of Internal Auditor in Enhancing Control and Performance. Ernst & Young.

General Directorate of Internal Audit. 2005. Internal Audit Practices: Twining Project Kick-off Meeting. Dedeman Hotel: Ministry of Finance of Republic of Turkey.

FOOTNOTES

1. Paragraph – 3 of International Standards on Auditing (ISA) – 610: Considering the Work of Internal Auditing.
2. Institute of Internal Auditors, USA, 2002.
3. Committee on Sponsoring Organization.
4. Traditional process or system based audit is driven by the actual systems in place and the controls that are related to those. It confirms internal controls are operating and recommends improving efficiency.
5. The ‘risk and audit universe’ is an extension of management’s risk register and is best kept as a database.
6. Banking Regulatory and Policy Department.
7. The Central Bank of Bangladesh.
8. Institute of Internal Auditors.
9. Risk enabled organization is one where risk management and internal control are fully embedded into the operation, and where there is a complete risk register.
10. Risk managed organization is one where an enterprise wide approach to risk management is developed and communicated.
11. Risk defined organization is one where strategies and policies are in place and communicated, and most managers have compiled lists of risks instead of a complete risk register.