ICICI Bank, one of India’s large private sector banks with global operations, required an end-to-end Integrated Enterprise Technology Solution for Risk and Audit Management. The bank implemented Pentana Audit Works System (PAWS) and Retain Resource Management, and appointed Claptek for consulting and implementation services, successfully meeting its requirements and adding substantial value and benefits to its initiatives.
Increased regulatory compliance requirements and accountability require auditors to perform a large number of audits, risk reviews, and compliance activities. These need to be repeatable yet qualitative and value-oriented; managing the workflow manually makes this task increasingly difficult, and often not cost-effective.
The audit department at ICICI Bank used manual processes and spreadsheets to execute audits and maintain audit results. Spreadsheets are flexible to use but are susceptible to issues relating to security and access, which often makes them highly unreliable for storing audit results. They also create complexities in managing spreadsheet versions. The requirement at ICICI Bank was to implement an integrated solution for managing audits and risk reviews, giving the audit team an effective system to plan, prioritise, and execute audits and reviews, with knowledge management, work paper management, issue tracking, reporting, and various dashboards for management on the audit and risk review results.
The challenges centered on mapping and incorporating the processes followed by the internal audit department, and on its primary requirement to view and report on results by consolidating, splitting, and providing comparative analysis both for the banking business domain structures and against relevant processes, areas, risks and controls. A further challenge was how effectively the bank could streamline and improve the diverse and complex processes followed for managing risk-based internal audits and risk reviews, while maintaining and replicating the intricacies of the existing manual audit workflow, and augmenting existing approaches with a technology solution that drastically simplifies the auditors' tasks and adds value by producing better and uncomplicated results.
Considerable time was spent on administrative tasks for resource management and setting up audits. Report creation was an arduous and time-consuming process for the audit team, who had to spend a lot of time collating and presenting the audit findings in draft and final reports, as well as meeting management's ad-hoc reporting requirements. Extrapolating information from issues and analysing data and trends is difficult in risk audits and compliance initiatives that are managed manually and through spreadsheets.
A well-defined risk and audit universe structure was created to include all business domains, processes, units, functions, and all types of audits and risk reviews, incorporating the perspectives pertinent to the internal audit department for performing its activities. A scalable and flexible composition was created to manage dynamic changes in business structures. A practical and relevant mechanism was implemented that provides an efficient, effective and streamlined workflow for managing audits and risk reviews, and a standardised approach to assessments for all domains, with standard checklists and assessment guidance and a work paper manager. Segregation of auditor duties within the audit team was instituted through user groups within the system, which manage access rights appropriately.
Enabled an effective approach to audit prioritization, allowing auditors to concentrate on high-risk areas, reduce effort on mundane tasks, increase frequency and repeatability, and reduce costs. A standardised checklist framework enabled enhanced hierarchical presentation of processes, risks, controls and tests. Implemented an enhanced risk scoring method for better depiction and analysis. Enabled a mechanism to archive and maintain checklists, bringing about effective knowledge management. Established internal controls over reporting and mapping of processes, and risk and control mapping with relevant accounts and assertions. Established an integrated audit resource planning and timesheet management system, enabling instantaneous analysis of resource availability and utilization. Built a simplified, extensive issue and action closure process, with issue categorisation, recording of recommendations and action plans, and real-time online traceability. Enabled instantaneous reporting for impromptu management and audit committee requirements, with automation in reporting. Provided various monitoring mechanisms and dashboards, including enterprise-wide risk dashboards.
- Increased efficiency and effectiveness in risk-based internal audits and assessments.
- Risk-based audit planning with real-time information on patterns & trends in risks.
- Boost in productivity of auditors by 30%.
- Achieved significant cost savings.
- Eliminated gaps and 40% duplication in coverage.
- Improved visibility of the enterprise-wide risk and audit landscape.
- Report automation with extensive comparative real-time reporting catering to requirements of ad-hoc, management, and audit committee reporting.
- Online real-time issue closure cycle and traceability.
- Established a foundation for relevant GRC convergence.
- Quantitative score-based rating system with a qualitative dimension of risk analysis.
- Adoption of best practices and adherence to RBI guidelines.