Risk Analysis framework for Compliance Audit in SAI India XV Meeting of Compliance Audit Sub-Committee Luxembourg 9-10 October 2018 Office of Comptroller & Auditor General of India

Presentation Schedule Audit Mandate of SAI India Features of risk analysis framework Parameters for inherent risk Parameters for control risk Computation of overall risk index Challenges in development and maintenance of risk analysis framework

Audit mandate of SAI India India - a Union of 29 states with 1.2 billion people Comptroller & Auditor General of India has audit mandate for both union government and the state governments Audit conducted in accordance with C&AG’s Auditing Standards issued in 2017 Compliance Auditing Guidelines issued in 2016 adapting the ISSAI Guidelines Audited entities classified as apex auditable entity, audit unit and implementing units. Audit unit based on devolution of powers, functional autonomy and operational significance. The number of entities audited is around 56,000 consisting of 17,000 entities of union government and 39,000 entities of state governments

Risk categorisation of audited entities Audited entities categorised as high, medium and low risk based traditionally on budget and expenditure levels Large scale digitisation of government activities and development of detailed database of expenditure of government in SAI facilitated review of existing risk analysis framework in 2017-18 New framework used for risk categorisation of audit universe for preparation of annual audit plan and for identifying sectoral and non sectoral risk areas for focused audit

Assessment of inherent risk Expenditure is categorised in the accounts of all entities under 70 different primary heads of expenditure like salaries, travel expenses etc. by all audited entities. 70 primary heads of expenditure in accounts is regrouped under 7 broad classes. Slide 9 Expenditure of each audited entity is identified and assessed against 7 risk parameters on a 1-5 scale including a parameter on vacancies in the entity.#10. Slide 10 Based on Inherent Risk score of each class of primary head of expenditure under the entity, Total Inherent Risk Value of the entity worked out by aggregating the Inherent Risk Value of all the classes of primary expenditure of that entity and multiplying the same by actual expenditure.#11. Slide 11

Assessment of control risk Entities having weak control environment will have higher control risk Control risk assessed through four parametersSlide 12 Expenditure and related controls Technology related controls Internal and external audit outputs Other factors

Risk Value and Categorisation of entities After computation of Inherent and Control Risks, the risk score of the audited entity can be determined as given below: Risk score of the entity = (Total Inherent Risk score of the entity in monetary value) X (Control Risk score of the entity)Risk categorisation of audited entity Audited entities categorised as high, medium and low risk based on the risk score Periodicity of audit and composition of audit team decided on the basis of level of risk categorisation

Challenges in development and maintenance of risk analysis framework Collection of data from large number of audited entities Revision of data for entities not audited annually Need for exercising professional judgment leading to subjectivity in scoring

Primary heads of account included Category Name of category Primary heads of account included Class 1 Personnel Services and benefits Salary , Wages, DA, Grant in aid(salary), Pension, Medical expenses Class 2 Administrative expenses Travelling expenses, Office expenses, Electricity , Water charges, Rent, publication Class 3 Contractual services and supplies Goods and supplies, Professional & special services, Maintenance of vehicles and Petrol & Oil, Advertisement, Minor construction works, maintenance, Drugs and consumables Class 4 Grants Grant in aid(non-salary), Scholarships , subsidy, Grant in aidifor creation of capital infrastructure Class 5 Other expenditure Interest/Dividend, Suspense, other expenditure Class 6 Acquisition of Capital Assets and other Capital Expenditure Major construction works, Machineries and fixtures/tools and plants, Investments/debts, procurement of computer hardware and software, Purchase of motor vehicles Class 7 Accounting adjustments Direction, Bad debts/losses, Transfer entries

Sl. No. Inherent Risk Factor Remarks Risk Score (1 – 5) 1 Estimation Transactions and decisions involving estimation have higher inherent risk 2 Discretion Transactions involving discretionary powers have inherent risk of misuse of such powers. 3 Complexity in the transaction Transactions like capital acquisitions, project execution, etc. involve complexity and, therefore, have higher level of inherent risk. 4 Transfer of funds Some entities only transfer funds to implementing agencies and do not implement projects/programmes and hence have low risk. 5 Involvement of private agencies Private agencies involved in programme delivery may have interests which lead to higher inherent risk. 6 Human Resources Adequate due-diligence may suffer in entities having acute shortage of manpower leading to higher inherent risk. 7 Direct public dealing Entities having direct public dealings have relatively higher inherent risk on account of external influence, etc. Inherent risk for primary expenditure Total Risk Score/35

Class of primary expenditure Name of the Class of primary head of expenditure Inherent Risk score Actual Expenditure Risk-weighted expenditure I Personnel services and benefits R1 E1 R1*E1 II Administrative expenses R2 E2 R2*E2 III Contractual services and supplies R3 E3 R3*E3 IV Grants R4 E4 R4*E4 V Other expenditure R5 E5 R5*E5 VI Acquisition of capital assets R6 E6 R6*E6 VII Accounting adjustments R7 E7 R7*E7 Inherent Risk value = Grand Total

Control Risk Factor Risk Score (1 – 5) Risk Score (1 – 5) Expenditure and related controls Internal/external Audit Budget procedure and control Internal Audit / inspection Increase in expenditure Quality of Record maintenance Reported cases of Fraud etc. Audit observations Idling of funds / Pending Utilisation Certificates Assessment from Performance Audit Reports and evaluations Technology related controls Other factors Direct transfer of benefits to beneficiaries Assessment based on data analytics Linking of beneficiaries to unique ID Quality Control Mechanism Use of e-tendering in procurement Manpower shortage Online monitoring of programme Media Reports Online delivery of services/Automation of functions Control Risk = Total control risk score / 100 Public Financial Management System Use of remote sensing/GIS IT Controls-assessment based on IT audit

Risk categorisation of audited entity Sl.No Categorisation Ceiling Risk Value in RS Ceiling risk in US$ 1. High risk 250 million 3.5 million 2. Medium risk 5 million to 250 million 70,000 to 3.5 million 3. Low risk Below 5 million Below 70,000

Thanks!