Contents
Section I
ERM Framework
Section II
Diagram labels: Risk Management, Control, Governance
Risk:
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a
loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome
sometimes exists (or existed).
Internal Control:
Internal Control is a process, effected by an entity's board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of its objectives
(Operational, Reporting & Compliance).
Clause 49; Companies Act, 1956 (Section 224)
Title of Standard
1010 - Recognition of the definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
1210 - Proficiency
IA Process Overview
1. Define
   1.1 Define objectives of analysis
   1.2 Gain an understanding
   1.3 Define data requirements
2. Validate
   2.1 Request and receive data
   2.2 Validate control totals
   2.3 Perform data quality assessment
3. Execute
   3.1 Execute audit steps
   3.2 Identify discrepancies
   3.3 Discuss discrepancies with stakeholders and validate errors
   3.4 Assess impact on objectives
4. Retain
   4.1 Document process to reproduce data
   4.2 Document retention
Audit workflow: Understand the Process -> Control Testing (Develop Test Plan; Sampling or CAATs; Testing) -> Substantive Testing -> Formulate Findings
Reassess Scope
Control Evaluation: Assess Root Cause; Prioritize; Evaluate; Consider Substantive Testing; Agree Action Plan with the Management
Evaluation Process (decision flow)
Start from the Control Objective and its Risk.
Is a control in place?
   NO: Is there a mitigating control, and in the appropriate timeframe?
      NO: outcome is Missing Controls
      Yes: Assess Mitigation (outcome is Missing / Mitigated Controls)
   Yes: Does the control address the risk? (e.g. Are all relevant attributes covered?)
      NO: outcome is Inadequate Controls
      Yes: Determination on Adequacy of Control Design
Risk and Control Matrix (column headings):
Sub Process / Activity | What Can Go Wrong (Risk) | Control Description | Test Procedures | Documents to be Referred for Test Procedures | Conclusion (Effective / Ineffective)
Sample row: 1. Client Billing (Invoicing & Collection) | Activity: Quantity Assessment & Work
Elements of a Finding
Criteria:
Provides a context for evaluating evidence and understanding the findings (Control Objectives)
Policies & Procedures (Expectations of what should exist)
Contracts & Agreements
Laws & Regulations
Standards & Benchmarks
Defined business practices or measures against which performance is compared or evaluated
Condition:
Condition is the situation that exists, or what was occurring, when the control weakness was identified,
i.e. the exception or deficiency
Cause:
Identifies the reason for the condition, or the factor(s) responsible for the difference between the
situation that exists (condition) and the required or desired state (criteria). Common factors
include poorly designed policies, procedures or criteria; inconsistent, incomplete or incorrect
implementation; segregation of duties; or business conditions.
Recommendations
Should address the root cause not just the symptoms
Be relevant and practical
Compare the benefits to costs
More than 1 recommendation may be required to completely address an issue
Use best practices as a source for creative insight, adapting to the needs of the
organization
Example:
Audit Objective:
Risk/Control Objective:
Sample Selection:
Documents Obtained:
Exceptions noted:
Control framework components (diagram): Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring
Monitoring: Monthly reviews of performance reports; Internal audit function
Control Activities: Credit limits; Approvals; Security; Block Codes / policies
Control Environment: Tone from the top; Corporate Policies; Organizational authority
Control Techniques
Prevention techniques are designed to provide reasonable assurance that only valid
transactions are recognized, approved and submitted for processing. Therefore, many of
the preventive techniques are applied before the processing activity occurs. In most
situations, preventive techniques are likely to be more effective in a strong control
environment, when management authorization criteria are well-defined and properly
communicated.
Control type definitions: Preventive - Manual; Preventive - System
Examples of preventive controls include:
Segregation of duties (Preventive - Manual)
Business systems integrity and continuity controls, e.g., application design standards,
change controls, security controls, systems backup and recovery (Preventive - System)
Physical safeguard and access restriction controls (human, financial, physical and
information assets) (Preventive - Manual)
Effective "whistle blowing" processes (Preventive - Manual)
Control Techniques
Detection techniques are designed to provide reasonable assurance that errors and
irregularities are discovered and corrected on a timely basis. Detection techniques normally
are performed after processing has been completed. They are particularly important in an
environment that has relatively weak preventive techniques, that is, when front-end
approval and processing techniques do not provide reasonable assurance that unacceptable
transactions are prevented from being processed, or do not assure that all approved
transactions are processed accurately. In this case, after-the-fact techniques become more
important in detecting and correcting processing errors.
Control type definitions: Detective - Manual; Detective - System
Examples of detection techniques include:
Reconciliation of batch balance reports to control logs maintained by originating
departments (Detective - Manual)
Review and approval of reference file maintenance (was-is) reports (Detective - Manual)
Reconciliation of interface amounts exiting one system and entering another
(Detective - System)
Review of on-line access and transaction logs (Detective - System)
Risk Analysis
Risk Assessment: Identification; Measurement; Prioritization
Risk Management: Control It; Share or Transfer It; Diversify or Avoid It
Risk Monitoring: Process Level; Activity Level; Entity Level
Sampling
Population:
The entire set (universe) from which a sample is selected and reviewed, and about which the auditor
wishes to draw conclusions.
Systematic selection:
A systematic approach is used by the auditor to select items, to minimize any potential human
judgment or bias. Every nth item within the population is selected in accordance with a defined
sampling interval.
Haphazard selection:
The auditor, without any conscious bias, selects sample items randomly, i.e., without any special
reason for including or omitting items from the sample
Stratification:
Prior to carrying out analytical procedures, it is important to stratify / classify the data into
separate logical sections. This classification would not only help in analyzing trends unique to that
particular category but would also help in assessing materiality while selecting a sample.
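The stratification and systematic selection described above, as an added worked example that is not part of the original deck. It stratifies a constructed invoice population, draws every nth item with a random start inside the first interval, and checks stratum control totals against the population total (the "validate control totals" step of the IA process).

```python
import random
from collections import defaultdict

# Constructed sample population, not from the original deck: (invoice_id, stratum, amount).
# Every 7th invoice is placed in the "high" stratum so both strata are non-empty.
INVOICES = [
    (f"INV{i:04d}", "high" if i % 7 == 0 else "low", 1000 * (i % 7) + 250)
    for i in range(1, 101)
]


def stratify(population, key):
    """Classify the population into separate logical sections before sampling."""
    strata = defaultdict(list)
    for item in population:
        strata[key(item)].append(item)
    return dict(strata)


def systematic_sample(population, sample_size, start=None):
    """Select every nth item using a defined sampling interval n = N // sample_size.
    A random start within the first interval keeps auditor judgment out of the pick."""
    n = len(population)
    if sample_size <= 0 or sample_size > n:
        raise ValueError("sample size must be between 1 and the population size")
    interval = n // sample_size
    if start is None:
        start = random.randrange(interval)
    if not 0 <= start < interval:
        raise ValueError("start must lie within the first sampling interval")
    return [population[start + k * interval] for k in range(sample_size)]


def control_total(items):
    """Control total used to validate received data: sum of invoice amounts."""
    return sum(amount for _, _, amount in items)


def stratum_totals_reconcile(population, key):
    """Control totals per stratum must add back to the population total."""
    strata = stratify(population, key)
    return sum(control_total(items) for items in strata.values()) == control_total(population)
```

Sampling each stratum separately (calling systematic_sample on each list returned by stratify) lets the auditor set a heavier sample size for the material stratum.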
Sampling
Perform Analytical procedures:
Analytical procedure is defined as an evaluation of financial information made by a study of
plausible relationships among both financial and non-financial data
Excel functions used in audit analytics:
IF
IF in combination with AND
IF in combination with AND & OR
COUNTIF and SUMIF
SUMIFS
VLOOKUP
Pivot Table Function
Setting Filters
Formula Auditing
Statistical and lookup functions:
COUNT
COUNTA
AVERAGE: Sums the numbers in a range and divides the total by the number of numbers
MEDIAN
MODE
VLOOKUP
PIVOT
Findings summary (column headings): Priority | Issue | Risk | Performance Improvement Observation | Management Response | Responsibility / Timelines
Finding 1
   Priority: High
   Risk: Incorrect credit limit offered to customer, leading to increased credit risk exposure for the Company, which may eventually lead to higher delinquencies.
   Responsibility / Timelines: Risk Team, March 2013
Finding 2
   Priority: High
   Issue: The implementation of the revised LPC tier from Rs.700 to Rs.750 was delayed by ~40 days due to a set-up miss, later identified by the pricing team and rectified on 12th November 2012.
   Risk: Possibility of revenue leakage for LPC and customer dissatisfaction / negative impact on brand / reputation.
   Performance Improvement Observation: Business should evaluate the possibility of implementing a continuous control mechanism through data analytics tools, and a System Audit should be carried out.
   Responsibility / Timelines: Marketing Team, March 2013
Code of conduct
Ethics policy
Gifts and hospitality
Agents
Facilitation payments
Policy