Effective Risk-based Auditing In Banks

By Launce Moses
The turbulent situation in the Nigerian banking sector raises several questions on corporate governance and risk management. One of the key departments in any organization is the Internal Audit and Control department, and the unit has a key role to play in assessing the risk appetite of the business. This week we look at how to make these units more efficient using risk-based auditing techniques.

Risk-based auditing is an approach that enables the Audit department to focus on key risks to the business rather than auditing every unit for every risk with the same intensity. Assigning risk ratings to business offices or departments helps the auditor develop a focused approach in the limited time available to audit that area. Risk ratings also help to drive the frequency of reviews. For example, ‘High’ risk areas can be audited annually while ‘Low’ risk areas can be audited once in every 2 or 3 years.

Traditionally, every business office (branch) is reviewed annually. Is that appropriate for an established branch vis-à-vis a start-up branch? Clearly the risk levels are not the same in both these branches. Shouldn’t there be more focus on branches with a higher incidence of fraud? Given a limited number of resources, where would we prefer to use them? This is where risk-based auditing helps us to drive efficient usage of time and resources.

Some of the parameters that can be used to determine the risk level of a branch are:

Size of a branch
This is the most common yardstick that is used. A larger branch (in terms of assets, liabilities, revenue, and staff strength) will warrant a higher risk rating than that of a smaller branch.

Loan Losses and Overdue Debts (delinquency)
Normally, an average is taken of the bank-wide delinquency and loan losses, and any branch scoring above the average is a ‘High’ risk branch while those that are performing below average are rated ‘Low’ risk.

Safety and Security
Branches that are less secure and more prone to robbery and environmental disasters are normally risk rated ‘High’. While auditing such branches, special emphasis can be given to controls over safety and security. These specific areas can also be reviewed more frequently.

Regulatory compliance status
Branches that are found to be in violation of regulatory requirements should be audited at a higher frequency.

Service Issues
A higher number of service issues at a branch implies a breakdown of processes and controls. Such branches should be reviewed with a higher frequency.

Cash shortages and Operational Errors
Persistent cash shortages or a high incidence of operational errors at a branch again point to a breakdown of controls, and such branches should be reviewed more frequently.

Compliance with Know Your Customer (KYC) and Anti Money Laundering (AML) statutes
Account opening / KYC infractions are a good indicator of the level of segregation of duties between sales and operations.

If the infractions are high, they tend to point to issues with segregation of duties or reporting lines. In some instances, this could be just due to lack of adequate training and absence of a strong account opening checklist.

Similarly, AML exceptions review would throw up a number of transactions. The more suspicious transactions there are, the higher should be the risk rating.

Expense violations
In a decentralized model, where processing is done at the branch level, expense violations at the branch are again a good indicator of process failure. The more the exceptions, the higher should be the risk rating of the branch.

Deposit / Lending rate infractions and income leakage reviews
Deposit / lending rates are maintained on the system and any overrides should be approved by a duly authorised senior official of the bank. With the help of retrievals, data can be extracted from a central source to show overrides of maintained rates. Such data can then be used to risk rate the branch.

Attrition rate
Are customers terminating their accounts with the branch? Trend analysis conducted over the branch network for a few months will be able to highlight those branches which have an abnormal attrition rate. Attrition occurs for both voluntary as well as involuntary reasons. In some instances (loans not being paid), the bank wants to close the account and that is voluntary attrition from the bank’s perspective.

Customers also leave the bank on their own due to poor customer service, products and services that do not meet their needs, or sometimes due to personal circumstances (such as moving home). Involuntary attrition is a good indicator of whether there are problems in the branch that require attention.

Prior Audit Rating
The prior audit rating coupled with a review of the quality of staffing in the branch could help determine the frequency of audit. A stable branch management team which has successfully passed prior audits can be audited at a lesser frequency.

General Ledger Exception reviews
General Ledger reviews can be done centrally and those branches that have a higher exception rate (both in terms of amount and number of items) should be on the radar.

Fraud occurrences and losses
Clearly, the higher the fraud occurrences and losses in the branch, the higher the risk and frequency of review.

The above list is by no means exhaustive and is meant to stimulate thinking along these lines. As the banking industry analyses the reasons for failure, the audit and control department is one area which should rise to the challenge and revamp its existing practices to focus on key risks to the business.

Launce Moses is the Group Director, Audit & Control, UBA Plc


