Risk Assessment in Automobile Industry
Risk Assessment
5.1 Risk assessment is vital to the internal audit methodology. Post
identification of the audit universe and obtaining the base data for the
transactions, the internal auditor may evaluate the criticality of risks involved
in the transactions and the audit areas, preferably sub-activity wise. The
auditor could seek management inputs in identification of the parameters that
impact the criticality of risks in the area and thereafter, based on the same,
identify the critical risks in the area.
5.2 The following parameters may be considered for risk evaluation and
assessment by the internal auditor:
(a) Critical to Business Objective: The risk associated with an activity/ sub-
process would be determined based on criticality of the same with the
business and the management’s strategy; i.e., the more critical the activity is
to the business objective, the higher risk is involved in the same. Some of the
critical activities (illustrative) in the auto and auto component sector based on
the criticality to business objective are as follows:
| Process | Sub-process | Activity |
| Manufacturing Operations | Assembly and Inspection | Costing |
| | | Final Inspection |
| | | Maintenance of production facilities |
| | | Process capability/ Line balancing |
| | | Production planning and scheduling |
| | | Quality/ Productivity in manufacturing |
| | | Maintenance of BOM for Regular Models |
| | | Rework and rectification |
| | | Quality in manufacturing (Incl Rework and rectification in manufacturing area and final |
| Process | Sub-process | Activity |
| | | Issue and Liquidation of Hundi |
| | | Logistic Invoice Verification and Payment Processing |
| | | Payment Processing for Imported Material |
| | | Price amendment, approval and update |
| | | Provision for Retrospective Price Amendments and materials w/o GR. |
| | | Quality of vendor parts/ Quality Validation |
| | | Receipt, acknowledgment and storage of materials at stores |
| | | Supplementary Payment |
| | | Vendor Evaluation and Quality Rating |
| Capital Expenditure | Asset Verification | Asset Identification and verification |
| | | Asset Master Maintenance |
| Information technology & IT Security | Logical Access Control to application systems | Creation & maintenance of user master (Application Systems) - SAP (modules), CRM, SRM, PLM, Remedy etc. |
| | Network Security | Network security - Vulnerability assessment/ penetration testing |
| Inventory Management | Direct Materials | Inventory Analysis |
| | | Verification and reconciliation of sub-contracted materials |
| | | Physical verification and inventory adjustments |
(c) Volume at Risk: The volume involved in an activity is the number of
transactions impacted by the activity in the review period. The propensity for
errors increases with the number of transactions; therefore, the risk involved
in activities with higher transaction volumes tends to increase. An illustrative
list of high risk transactions based on the volume is provided below:
| Process | Sub-process | Activity |
| Procurement to Pay | Materials | Recording of receipt of materials and storage |
| | | Logistic Invoice Verification and Payment Processing |
| | | Payment Processing/ Liability recording and supplementary invoices |
| | | Price amendment, approval and update |
| | | Quality of vendor parts/ Quality Validation |
| | | Vendor Evaluation and Quality Rating |
| Order to Collections | Vehicle sales | Dispatch controls and invoicing |
| Manufacturing | Warranties | Warranty expenses- Claim settlement |
| Treasury | Treasury functions | Bank operations and Reconciliations |
| | | Borrowings |
| | | Cash Verification |
| | | Foreign Exchange Transaction |
| | | Insurance and Investments |
| | | Loans and Advances (Supplier financing and Vehicle financing) |
| | Accounting | Book Close procedures |
| | | Contingent Liabilities and Deferred Tax |
| | | Inventory Valuations, Provisions and Accruals |
| | | Related Party Transactions |
| Capital expenditures | Assets Procured/ Leased | Capex Appraisal/ Approval and Procurement Procedures |
| | | Capitalization, Commissioning And Cenvat Availment |
| | | Leased Assets (Non IT) |
| | | Ordering/ Liquidated Damage (LD) Clause, Performance Bank Guarantee |
| | | Post Implementation Monitoring |
| | | Post transfer issues - Capital items |
| | | Tooling Assistance |
(d) Maturity Level of System: The maturity level of the ERP in the
company determines how strong the control framework within the company is.
The maturity level of the ERP can be assessed by assessing the number of
manual vs. automated controls in the company. As a rule of thumb, the higher
the automation in systems, the lesser the risk involved. Additionally, in the
event that the company does not have transaction level controls (for
instance, maker-checker controls for transaction recording or auto linkages of
the subsidiary accounts to the control accounts) the risk implication shall be
increased.
It may be added that companies, generally, have manual controls for the
following processes:
Vendor evaluation and assessment
Assessment of credit limits for customers
Price master maintenance
Purchase negotiations
Compliances to service level agreements
Dealership operations
Discount scheme and claim verifications
Manufacturing process and finished goods generation recording
Granting logical access to systems
Hazardous waste management
Compliance framework and regulatory monitoring
Quality assessment procedures
Safety and security
Patents and Licenses
Disaster recovery and business continuity
The maturity of ERP and automated controls framework within the company
would impact the reliability levels of the data received based on the source of
data, the number of filters/ categories used for extracting reports from the
system and the manual intervention in extraction of the data from the system.
It is advisable to review the maturity of the system based on system
extracted reports and matching the same with the MIS presented to the
management for periodic review/ published financials in order to determine
financial accuracy of the data extracted from the system.
(e) Regulatory and Ethical Issues: Fraud risks (ethical issues) are a major
component of the inherent risk in any activity. The higher the propensity of
fraud in a transaction, the higher would be the potential risk implication in the
activity. An illustrative list of the key fraud risk areas in the auto and auto
component sector is as follows:
| Process | Sub-process | Activity |
| Treasury | Cash Management | Access to cash and cash records |
| Procurement to Pay | Procurement process | Negotiations and price finalizations |
| | | One time purchase orders including open market purchase |
| | | Allocation of share of business and execution |
| | | Advance to vendors for materials |
| | | Recovery against debit note |
| | Receipt process | Receipt, acknowledgment and storage of materials at stores |
| | | Acknowledgement of services receipt |
| | | Employee expenses and reimbursements |
| | | Repairs and maintenance of building, plant & machinery and inventory |
| Order to Collections | Disposals | Disposal of old stocks and metal scrap |
| | Collections | Receivables/ Sales Realization/ (Channel Financing/ Cash Sales) |
| | Schemes | Incentives and discounts to dealers |
| | Sales processes | Sales to Govt agencies/ Institutional sales |
| Inventory Management | Direct Materials | Verification and reconciliation of subcontracted materials |
| | Direct Materials | Inventory Analysis |
| Capital Expenditure | Assets Procured/ Lease | Estimate Sheet Preparation |
| | Assets Made In-house | Make/ Buy Analysis |
| Fully Built Vehicles & Re-conditioning | Fully Built Vehicles | Selection of Recon agents and Franchise operation |
For feasibility of the risk assessment and evaluation, the auditor may develop
a checklist for each process and identify the risk areas in the same.
The following sample questionnaires have been given as appendices to this
chapter:
(i) Sample questionnaire for risk assessment of procurement process
(ii) Sample questionnaire for risk assessment of sale process
(iii) Sample questionnaire for risk assessment of production process
(iv) Sample questionnaire for risk assessment of inventory process
(v) Sample questionnaire for risk assessment of fixed assets process.
Based on the risk assessment, the internal auditor would be able to identify
the High, Medium and Low Risk areas. A comprehensive internal audit plan
is to be prepared by the auditor and the classification of all activities in
scope, based on the criticality of risk areas shall assist the auditor in
planning for the audit with respect to timelines, level of documentation and
analysis required for the audit and the skill-set required for execution of the
audit.
Industry Trends
5.3 The automotive industry is constantly adapting to the regulatory and
innovative changes in the market segment. In addition, there has been a
significant increase in the latent demand for commercial as well as
passenger vehicles in the country, as well as on a global level. On account of
the same, the companies in the auto and the auto component sector will
undergo vast changes with respect to:
Shift of fuel sources to unconventional methods (electricity, solar power, etc.)
Increase in capacity and sales
Higher controls over emission norms and pollution control systems
Increased focus on fuel efficiency
Organic growth in the business
Increase in global reach and market penetration strategies
Shift towards environment-friendly technologies, specifically in passenger vehicle segments
Need of innovation in optimizing the Internal Combustion Engine (ICE)
Focus on increasing vehicle lifespan
Consumer focus on ergonomics and comfort
Safety innovations.
As a result of the same, the following aspects need to be considered within
the purview of strategy and growth risks:
New product design
Research and development
Capital expansions/ payback calculations
Sales (For analysis of market penetration strategies).
Internal Financial Control (IFC) Documentation
5.4 The Companies Act, 2013, has mandated documentation of the
Internal Financial Controls for each company. Key risk areas are identified by
the management in the IFC documentation and the same are tested by the
statutory auditors. Based on the IFC documentation, and on the qualifications
in the statutory audit report w.r.t. the controls framework, the internal
auditor can understand the control framework developed by the management and
the effectiveness of the key controls, and thereby identify the key risk areas
and controls in the processes. This would enable the internal auditor to
identify and evaluate the criticality of the processes defined and the level
of detail required for review of each sub-process and activity.