Risk Based Audit Model Presentation (Final) Audit Risk Assessment


RISK BASED INTERNAL AUDIT MODEL
Presented by Mr. Tahir Khurshid
RISK BASED INTERNAL AUDIT MODEL – Info System SELECTION

[Slide diagram: Mandatory Selection Criteria and Secondary Selection Criteria, bounded by Risk Appetite, feed the selection of applications and IT for RBIA on the basis of their individual risk profiling.]
RISK BASED INTERNAL AUDIT MODEL – Info System SELECTION

COVERAGE: All critical Information Systems are audited every year.
[Every application is audited at least once every 3 years.]

MANDATORY SELECTION:

a) Information Systems declared critical by BCP and ITD.

b) Information Systems that carry financial risk.

c) Applications with incidences of fraud / forgery (highlighted after the annual audit).

d) Applications that were signed off in the preceding year (i.e. Jan-Dec 2018).

e) All systems, or changes to legacy systems, done in 2018 shall be audited in 2019.

f) The CUARM (Centralized User Access Management) department is audited every year.

g) IT and network infrastructure and operations are audited every year.

h) Datacenters are audited every year.


RISK BASED INTERNAL AUDIT MODEL – Info System SELECTION
SECONDARY SELECTION:

After mandatory selection, the remaining Info Systems are selected by:

a) Ranking / prioritization on the basis of Risk Scores assigned under the Internal Risk Assessment.

The Risk Score is an aggregate of the individual scores assigned against the factors below, which reflect the operational / reputational risk embedded in overall operations (including public or internal stakeholders), while ensuring coverage of regulatory or other legal compliance.

Internal Risk Assessment Criteria

Measures              Risk Weight
Financial Risks       40%
Operational Risks     25%
Reputational Risks    35%
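As an added illustration of the selection procedure above (mandatory criteria, the three-year coverage rule, then ranking of the remainder by the weighted Risk Score plus the audit rating score), here is Python that is not part of the presentation; the system names, scores, capacity and flag names are constructed sample data, not figures from the slides.

```python
# Illustrative RBIA info-system selection; not the presenter's own tool.
# Weights and rules follow the slides; systems and flag names are constructed.

WEIGHTS = {"financial": 0.40, "operational": 0.25, "reputational": 0.35}

# Mandatory criteria (a)-(h) expressed as boolean attributes of a system
# (attribute names are assumptions made for this example).
MANDATORY_FLAGS = ("critical", "financial_risk", "fraud_incident",
                   "signed_off_last_year", "changed_last_year", "always_audited")
COVERAGE_YEARS = 3  # every application audited at least once in three years


def risk_score(system):
    """Weighted aggregate of the three measures, plus the audit rating score."""
    weighted = sum(WEIGHTS[m] * system["scores"][m] for m in WEIGHTS)
    return round(weighted + system.get("audit_rating", 0.0), 2)


def is_mandatory(system):
    """True if any mandatory criterion applies or the 3-year coverage rule is due."""
    if any(system.get(flag, False) for flag in MANDATORY_FLAGS):
        return True
    return system.get("years_since_audit", 0) >= COVERAGE_YEARS


def plan_audits(systems, capacity):
    """Ordered audit list: every mandatory system first (even beyond capacity),
    then the remaining systems ranked by risk score until capacity is used."""
    mandatory = [s for s in systems if is_mandatory(s)]
    secondary = sorted((s for s in systems if not is_mandatory(s)),
                       key=risk_score, reverse=True)
    room = max(0, capacity - len(mandatory))
    return [s["name"] for s in mandatory + secondary[:room]]


# Constructed sample inventory (scores 0-100 per measure).
SAMPLE_SYSTEMS = [
    {"name": "core-banking", "critical": True,
     "scores": {"financial": 90, "operational": 80, "reputational": 85}},
    {"name": "hr-portal", "years_since_audit": 3,
     "scores": {"financial": 10, "operational": 30, "reputational": 20}},
    {"name": "payments-gateway", "audit_rating": 5,
     "scores": {"financial": 70, "operational": 60, "reputational": 80}},
    {"name": "intranet-wiki",
     "scores": {"financial": 5, "operational": 20, "reputational": 30}},
    {"name": "loan-origination", "changed_last_year": True,
     "scores": {"financial": 60, "operational": 50, "reputational": 40}},
]

if __name__ == "__main__":
    for name in plan_audits(SAMPLE_SYSTEMS, capacity=4):
        print(name)
```

Note that the low-scoring hr-portal is still selected: the three-year coverage rule overrides ranking, exactly as the slides require mandatory items to be audited regardless of score.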


Comparison of RBIA Plan FY 2018 against 2019

RBIA Plan 2017-18

2018: Information System Services and Ops
  1. Financial Services (40%)
  2. Operational Services (25%)
  3. Reputational Services (35%)
  1. Service & Availability Quality
  2. Fraud / Forgeries
  After calculating the Risk Based Scores of each Info System as per the above criteria, the Audit rating score was then added in order to get the total risk-based score of each branch.

2019: General Banking Operations
  1. Deposit Size (33%)
  2. No. of Vouchers (33%)
  3. Operating Profit to Deposit Ratio (33%)
  1. Service & Availability Quality Ratings
  2. SBP Reviews
  3. Fraud / Forgeries
  After calculating the Risk Based Scores of each Info System as per the above criteria, the Audit rating score was then added in order to get the total risk-based score of each branch.
  'Incident Management' of Info Systems was also factored in, as a proxy to check the strength of the internal controls of applications and IT Ops, and for selection as per the secondary clause.

New additions were highlighted in green text on the original slide.


RISK BASED INTERNAL AUDIT MODEL – MANAGEMENT FUNCTIONS

Entity Risk Assessment Factors for management functions include:

01 Rectification of High & Medium Risk Audit Findings
02 Regulatory Requirements
03 Complexity & Criticality
04 Processes & Structures
05 Changes in Systems
RISK BASED INTERNAL AUDIT MODEL – MANAGEMENT FUNCTIONS

Risk Levels assigned to the Management function:

Three categories are used to assign a risk level to each individual management function:
- High
- Medium
- Low

Risks were assigned to the respective functions primarily keeping in view:
- involvement in regulatory matters
- business volumes
- the criticality, nature and complexity involved
ENTERPRISE RISK ASSESSMENT FRAMEWORK

Risk Assigned: HIGH (audit frequency: 12 months)
Factors:
- Material business volume
- Significant regulatory reporting
- Significant previous audit findings related to the Control Environment
- Nature of the operating environment / transactions is complex
- Nature and significance of audit issues / findings in the previous audit
- Previous audit rating, if available

Risk Assigned: MODERATE (audit frequency: 18 months)
Factors:
- Moderate business volume
- Medium to low level of regulatory reporting
- Insignificant previous audit findings related to the Control Environment and Operations
- Operational nature of work, or automated or lesser monetary transactions
- Previous audit rating, if available

Risk Assigned: LOW (audit frequency: 24 months)
Factors:
- Low business volume
- Medium to low level of regulatory reporting
- Insignificant previous audit findings related to the Control Environment and Operations
- Operational nature of work, or automated or lesser monetary transactions
- Previous audit rating, if available

Thematic audits or other assignments are scheduled on a need basis.
