Internal Audit is a very critical function in the overall risk management system. However, it also need s to be appreciated that while Internal Audit is a critical function and a necessary department to manage risk it is not sufficient to just have the Internal Audit department manage all risks. Many MFIs have this misplaced opinion that by having an internal audit department one has managed most of its risk. However with all the discussions above we can now fully appreciate that this is not true and risk management or overall internal control is a much larger job and internal Audits are only a part of it.
What is Internal Audit and what are its Functions?
An internal audit is an independent check on the performance of the MFI. Here it is very important to understand the meanings of ‘independent’. Internal audit has to be completely independent function free from operations. Independence is ensured by having a completely separate staff team and the department reporting directly either to the Board of Directors or to the organization’s head.
For an objective assessment of the organization, it is important to keep the audit department independent. Independence and Objectivity, therefore, are keys to this function. The idea behind Internal Audit is not just to catch frauds or malpractices but more constructive, i.e. to add value and efficiency within the organization by mitigating the possibilities of malpractices. Internal Audit is done by a specialized Internal Audit team who should be very well versed with the organization’s policies and procedures.
Major objectives of the Internal Audit function are:
To detect any fraud or misappropriation irrespective of its size, magnitude other staff involved in it
To detect any malpractice, collusion or action on part of employees that is against the organizational policies/culture or can bring disrepute to the institution
To see if operational policies/processes are being adhered to all levels and to detect deviations
To check unethical staff behavior and to get a sense of organizational image as perceived by clients
To check the accuracy of reports, MIS and Accounting, the accuracy of records maintained through verification against evidence such as receipts, including records maintained at client level in the form of passbook
To provide feedback/opinion related to operational risks such as staff dissatisfaction, competition inappropriate policies or areas of potential conflict
Scope of Audit
It is a common feeling that audit means just checking of books of accounts and vouchers. Rather, internal audit has a much larger scope, which is also evident from the objectives (mentioned above) that the function has to achieve. Internal audit should broadly cover the following
- Financial reports and records receipts, vouchers, cashbooks, ledgers, client passbooks, MFIs bank passbooks, cash balances.
- Loan documents: Loan applications, promissory notes, and other documents required as per policy-related data entered in Excel spreadsheets or software.
- Client visits: check meeting discipline – timing, conduct, staff, and client discipline, check passbooks interact with clients can also check loan utilization.
- Other observation: staff discipline, hygiene, file arrangements, and cataloging
We see that the Internal audit has a wide scope to cover and to cross-check various reports. The basic idea is to check any kind of policy deviation or identify any situation, which can be a risk for the organization.
The audit process is guided by an Internal Audit policy that the organization has. The policy clearly lays down the frequency of audit, objectives of the audit, the scope of the audit, audit process, formats to be use and format, and frequency of reports.
Internal Audit Manager is supposed to prepare a quarterly, six-monthly or manual audit plan. The plan discloses how the department will go about carrying the audit exercise. It tells which branch will be audited when, resource allocation, number of days of audit, and tentative date of submission of the report. The audit plan is a confidential document and shared only with the Board of Directors or the Head of the organization.
As it is not possible to check all transactions or meet all clients, the internal audit has to depend on sampling. Auditors have to sample out the transactions, records, and reports to be checked and clients to be visited. While sampling, the following things have to be considered.
- The sample should be representative of the entire portfolio and should be able to cover all products, different geographic locations, and all field staff
- The sample should put more emphasis on the vulnerable areas like cash handling, groups having repayment problems
- Different samples can be obtained for different aspects like 20% of all the passbooks will be check, 15% entries in the cash book will be checked 2% of the borrowers will be visited, etc.
Most of the organization prepare auditing formats and have a standardized auditing process. The auditors generally follow these formats for various kinds of checks and cross-checks. However, the auditors have to take care that they do not mechanically fill the forms.
They have to be proactive, inquisitive, observant, and smart to identify any anomaly, contradiction, or conflicts in reports, data, or even statements made of staff. As has been said that auditing is basically an exercise to find out policy deviations and hence it goes without saying that policy deviations can be adjudged only when there are standard policies in the first place. Hence, the audit process can only be effective if the MFI has detailed operational policies and procedures in place.
Reporting and Follow Up
Internal Audit is the most important outcome of the audit process. The auditors have to ensure that the audit report is completely objective and reports all observations and findings. The auditors should not be judgmental of finding and take decisions, as it is not in their prerogative to do so. The audit department has to simply report findings and it is the job of the management to take decisions on those findings. A good audit report should have the following features.
- The report should contain an executive summary, which should highlight key observations and recommendations
- Sample used in the audit should be mentioned
- Detailed observations should be reported as the main text. Statements or clarifications given by the staff concerned should also be put.
- Annexure can have details of cause observed and the deviations found.
The audit report is presented to the Board of Directors and to the organization head. The report must be discussed in the board meeting as well as in the Audit Committee meetings. It is the responsibility of the management to see that the findings are followed up properly and required actions are initiated. Audit reports are also shared with the Branch so that they can know of their shortcomings and improve them. The auditors in the next auditing must verify if the shortcomings reported in the last report have been addressed or not. If not, then it should be mentioned in the report that no action has been taken despite mention in an audit report last time.
Internal audit plays a very important role in managing the risk of an MFI and acting as a way for providing direct feedback to the top management. An effective and well-designed internal audit can considerably control an MFIs risk and is therefore an indispensable function.