
Manual Risk Management Mining Sector

The document is a manual on internal audit of risk management specifically tailored for the mining sector, published by the Institute of Cost Accountants of India. It covers various aspects of internal auditing, risk management frameworks, and compliance requirements, along with guidelines and standards to enhance governance practices. The manual aims to assist internal auditors in effectively executing their assignments and improving organizational operations within the mining industry.


Draft dated June 07, 2024

Manual on
Internal Audit of Risk Management
in the Mining Sector

Internal Audit and Assurance Standards Board


The Institute of Cost Accountants of India
(Statutory body under an Act of Parliament)

Headquarters: CMA Bhawan, 12 Sudder Street, Kolkata - 700016


Delhi Office: CMA Bhawan, 3 Institutional Area, Lodhi Road, New Delhi – 110003
June 2024
MANUAL ON INTERNAL AUDIT OF RISK MANAGEMENT IN THE MINING SECTOR

FOREWORD OF THE PRESIDENT

INSTITUTE OF COST ACCOUNTANTS OF INDIA 2


FOREWORD OF THE VICE-PRESIDENT

FOREWORD OF THE CHAIRMAN


CONTENTS

No. Title

List of Acronyms/ abbreviations used
1 INTRODUCTION
- Preface
- Internal Audit Standards
2 UNDERSTANDING INTERNAL AUDIT
- Definition
- What is an Internal Audit
- Key Concepts
- Overall Framework – Internal Audit
- Provisions under the Companies Act, 2013
- Types of Internal Audits
• Compliance Audit
• Internal Financial Audit
• Environmental Audit
• Technology/IT Audit
• Performance Audit
• Operational Audit
• Construction Audit
• Risk Audit
- Objectives of Internal Audit
- Internal Audit vs. External Audit
- Internal Audit Procedure
- Internal Audit Process
- Internal Audit Reports: The 5 C’s
- Importance of Internal Audit
- Contents of Internal Audit Report
3 UNDERSTANDING RISK MANAGEMENT
- Definition of Risk
- Understanding Risk Management
- Objectives of Risk Management
- Importance of Risk Management
- Regulatory Framework surrounding Risk Management
• SEBI (LODR) Regulations, 2015
• The Companies Act, 2013
• CPSE Guidelines on Corporate Governance

4 INTERNAL AUDIT OF RISK MANAGEMENT
- Background
- Implementation
- Compliance
- Internal Control
- Advising Management
- Process Improvement
5 RISK MANAGEMENT AND RISK MITIGATION IN MINING SECTOR
- Introduction
- Risk Management Framework
- Guiding Principles for the Risk Management Framework
- Risk Management Structure and Team
- Risk Management Culture
- Risk Identification
- Approach for Implementation
• Annual Risk Identification
• Concurrent Risk Identification
- Risk Management Process
- Risk Assessment
- Risk Prioritization
• Annual Risk Prioritization
• Concurrent Risk Prioritization
- Risk Reporting
- Risk Mitigation
- Risk Monitoring & Reporting
• Risk Monitoring
• Risk Reporting
6 EXTERNAL RISKS IN MINING SECTOR
- Why Mining Sector
- Environmental, Social & Governance (ESG) Issues
- Geopolitics
- Climate Change
- License to Operate (LTO)
- Productivity and Costs
- Supply Chain
- Workforce
- Capital

- Digital Innovation
- New Business Models
- Risks of Unviable Mining
- Competition Risks
- Cyber Security Risks
- Credit Risks
- Operational Safety Risks
- Evacuation Risks
- Technology Risks
- Risks associated with Law & Order
- Community Health Risk
7 INTERNAL RISKS IN MINING SECTOR
- Safety Related Risks
- Significant Hazards in Underground Mining
• Mine Gases
• Mine Fires & Spontaneous Heating
• Explosives & Shot firing
• Rock Burst
• Subsidence
• Inundation
• Health Hazards
• Storage, Handling & Disposal of Hazardous Waste
- Manpower Related Risks
- Financing Related Risks
• Financing Risk
• Commodity Price Risk
• Currency Risk
- Management of the Internal Risks
• Measures to be taken to avoid the Mine Gases
• Measures against Mine fires/ spontaneous heating
• Measures against Fire damp explosion
• Measures against coal dust explosion in the coal mining
• Other Protection Measures
• Precautions at the surface of Mine
- Emergency Plan
- Disaster Management Plan
- Supporting Committees
- Occupational Health & Safety

- General Precautions to be taken
- Mitigation of Financial Risks
- Management of Skilled Manpower related Risks
8 QUESTIONNAIRE
- Preparation of Questionnaire
9 INTERNAL AUDIT CHARTER
- Internal Audit Charter
- Structure: Three Lines Model
- Delivery
- Reporting Relationship
- Resourcing
- Investment (Cost)
10 INTERNAL AUDIT PROCESS
- Overview of Internal Audit Process
- Steps of Internal Audit Process
• Planning
• Opening Meeting
• Fieldwork
• Draft Report
• Management Response
• Closing Meeting
• Final Audit Report Preparation
ANNEXURE - DRAFT REPORT
- Background
- Audit Scope & Objectives
- Audit Approach
- Summary of Main Findings
- Action Plan
- Conclusions
- Acknowledgements

*****


List of Acronyms/ abbreviations used

AI Artificial Intelligence
ATR Action Taken Report
BOD Board of Directors
CG Corporate Governance
CISO Chief Information Security Officer
CMA Cost & Management Accountant
CMD Chairman & Managing Director
CPCB Central Pollution Control Board
CPSE Central Public Sector Enterprise
CRO Chief Risk Officer
DGMS Directorate General of Mines Safety
DMP Disaster Management Plan
ECC Emergency Control Centre
ERM Enterprise Risk Management
ESG Environmental, Social & Governance
FTA Fault Tree Analysis
GHG Green House Gas
HoD Head of Department
HWM Hazardous Waste Management
IA Internal Audit
INR Indian Rupee
LCG Loss Control Group
LODR Listing Obligations & Disclosure Requirements
LTO License to Operate
OB Overburden
PRAT Proportional Risk Assessment Technique
RMC Risk Management Committee
RMC Risk Management Calendar
RMF Risk Management Framework
RMT Risk Management Team
ROI Return on Investment
RTM Risk That Matters
SEBI Securities & Exchange Board of India
SMP Site Management Plan
SMS Safety Management System
SMT Senior Management Team
TA Task Analysis
TAC Tariff Advisory Committee
TLV Threshold Limit Values


CHAPTER 1: INTRODUCTION

PREFACE

There is a concomitant rise in the demand for good governance and the role played by the
stakeholders entrusted with the responsibility of ensuring good governance. Being one of the
stakeholders helping to strengthen and improve governance practices, the role of Internal Audit
is assuming significance in the context of the changing environment.

This manual is solely intended for the use by the Internal Auditors executing their internal
audit assignments in the Mining Sector. Wherever appropriate, references have been made to
various articles, studies, and internal auditing standards to corroborate the thought process
and/or elucidate the subject matter.

The objective is to guide and enable the organizations in setting up and effectively carrying
out the Internal Audit function. The governance remit of Internal Audit is being progressively
expanded laying down standards around the same. Internal Audit steadily needs to move up
the value chain to provide more dependable assurance to the Management and the Board.

INTERNAL AUDIT STANDARDS

Internal Audit & Assurance Standards (IAAS) are a set of principle-based minimum
requirements that are issued by and under the authority of any professional body. Internal
audit standards have been devised by the various institutes like the Institute of Cost
Accountants of India, or the Institute of Chartered Accountants of India or the Institute of
Internal Auditors.

Internal auditing is conducted in diverse legal environments for entities that vary in size,
complexity, nature, and structure. It may be performed by the entity’s own employees or
external firms. But conformance with these Standards is desirable in meeting the
responsibilities of internal auditor in performing the internal audit activities. Any internal
auditor should comply & conform while performing internal audit functions or services in any
entity, individually or as member of the team. These Standards also provide the basis to
evaluate responsibilities of the management in areas relating to internal audit and also the
performance of internal auditors.

Internal Auditors must stay connected with the internal auditing standards issued by the
appropriate authority(s) while rendering their services. The Internal Auditors should not
constrain or restrict their thought process but rather exercise prudence in elevating the maturity
level of this critical function over time to ensure its relevance for sustenance.

It is recommended that Internal Auditors should continuously refer to the Standards, Guidance
Notes and Manuals issued by the professional bodies/institutes to stay abreast of the
developments in detail and enhance their knowledge.

*****


CHAPTER 2: UNDERSTANDING INTERNAL AUDIT

DEFINITION

“Internal auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.” – As per Institute
of Internal Auditors, Inc.

Internal Audit has also been defined by other recognized Institutes and Organizations.
However, all the definitions visualize the Internal Audit activity harmoniously with the
aforementioned definition.

WHAT IS AN INTERNAL AUDIT?

Internal audits evaluate a company’s internal controls, including its corporate governance and
accounting processes. These types of audits ensure compliance with laws and regulations and
help to maintain accurate and timely financial reporting and data collection. These audits also
provide management with the tools necessary to attain operational efficiency by identifying
problems and correcting lapses before they are discovered in an external audit.

Internal auditors may be appointed from available resources or hired by the company, and
they work on behalf of its management team.

KEY CONCEPTS

• Governance: The processes and structures implemented by the Board to inform, direct,
monitor, and manage the activities of the organization toward the achievement of its
objectives. Examples: Code of Conduct; Whistle-blower Policy

• Risk Management: A process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding the achievement of organization
objectives. Examples: Risk Identification, Risk Assessment, Risk Treatment

• Control: The steps undertaken by the organization to manage risk and increase the
likelihood of achieving objectives. Examples: Standard Operating Procedures;
Segregation of Duties


Internal Auditors must remember that the Board and Senior Management rely on the internal
audit function for ‘objective assurance’ and ‘insight’ into the effectiveness and efficiency of
governance, risk management, and control processes. Therefore, it is necessary for the Internal
Audit to ensure that the practice followed in the organization meets the widely accepted norms.
The ultimate goal should be to enhance and protect the organizational value.

OVERALL FRAMEWORK – INTERNAL AUDIT

[Figure: Overall framework of the Internal Audit activity. Centre: Internal Audit Activity.
Inputs: IA Plan & Resourcing; Professional Standards; DPE requirement.
Outputs: Independent Assurance & Advice; Value Add & Improvement; Communicating & Reporting; Monitoring.
Surrounding elements: Governance; Efficiency & Effectiveness; Accountability; Ethics & Integrity; Legal & Regulatory Compliance.]

The above diagram illustrates the essential elements of the Internal Audit activity in the
context of the organization.

• Governance: Internal Audit is an integral component of effective governance. A strong
and mature governance process helps internal audit activity to be effective in the
organization.


• Accountability: Accountability for funding lies with the governing body and the finance
function. Internal audit must consider the effective use of the funds as part of the audit
plan and should consider controls in all the organizational processes to protect the
reliability and integrity of the financial information.

• Ethics & Integrity: The internal auditors must display the highest level of ethics and
integrity in their work to establish and maintain credibility with their internal and external
stakeholders.

• Legal & Regulatory: The internal auditors must be familiar with the laws, rules, and
regulations that govern the organization and consider all legal aspects while carrying out
their work.

• Efficiency & Effectiveness: The internal auditors must ensure that the results of their work
add value to the organization and to all stakeholders, including external stakeholders.

PROVISIONS UNDER THE COMPANIES ACT, 2013

As per the Companies Act, 2013, “The Internal Audit is an independent management function,
which involves a continuous and critical appraisal of the functioning of an entity with a view
to suggest improvements thereto and add value to and strengthen the overall governance
mechanism of the entity including entity’s strategic risk management and internal control
system.”

It is further mentioned that Internal Controls are systematic measures (such as reviews, checks
and balances, methods and procedures) instituted by an organization to -

1. conduct its business in an orderly and efficient manner,
2. safeguard its assets and resources,
3. deter and detect errors, fraud, and theft,
4. ensure accuracy and completeness of its accounting data,
5. produce reliable and timely financial and management information, and
6. ensure adherence to its policies and plans.

Section 138 of the Companies Act, 2013 deals with the appointment of Internal Auditors as
follows -

(1) Such class or classes of companies as may be prescribed shall be required to appoint an
internal auditor, who shall either be a chartered accountant or a cost accountant, or such
other professional as may be decided by the Board to conduct internal audit of the
functions and activities of the company.

(2) The Central Government may, by rules prescribe the manner and the intervals in which
the internal audit shall be conducted and reported to the Board. Nothing is provided under
the Act regarding removal of an Internal Auditor.

The provisions of section 138 of the Companies Act, 2013, read with rule 13 of the Companies
(Accounts) Rules, 2014, prescribe internal audit in specified companies. Accordingly, the
following companies are required to undertake internal audit –

• Every listed company;

• Every unlisted public company having,

o turnover of two hundred crore rupees or more during the preceding financial
year; or

o paid-up share capital of fifty crore rupees or more during the preceding
financial year; or

o outstanding loans or borrowings from banks or public financial institutions
exceeding one hundred crore rupees or more at any point in time during the
preceding financial year; or

o outstanding deposits of twenty-five crore rupees or more at any point of time
during the preceding financial year; and

• Every private company having,

o turnover of two hundred crore rupees or more during the preceding financial
year; or

o outstanding loans or borrowings from banks or public financial institutions
exceeding one hundred crore rupees or more at any point in time during the
preceding financial year:

Provided that an existing company covered under any of the above criteria shall comply with
the requirements of section 138 and this rule within six months of the commencement of such
section.


Section 134, sub-section 5, clause (f) also states that the Directors’ Responsibility Statement
includes that directors had devised proper systems to ensure compliance with the provisions
of all applicable laws and that such systems were adequate and operating effectively.

Companies (Auditor’s Report) Order, 2020 requires that the auditor’s report shall include a
statement about whether the company has an internal audit system commensurate with the size
and nature of its business; and whether the reports of the Internal Auditors for the period under
audit were considered by the statutory auditor.

In addition, the Companies (Cost Records and Audit) Rules, 2014 require the Cost Auditor to
certify whether the company has an adequate system of internal audit of cost records which is
commensurate to the nature and size of its business.

TYPES OF INTERNAL AUDITS

Compliance Audit

A company may be required to adhere to local laws, compliance needs, government
regulations, external policies, or other restrictions. To demonstrate compliance with these
rules, a company may task an internal auditor to review, compile appropriate information, and
provide an overall opinion on the status of the compliance requirement.

Internal Financial Audit

Public companies are required to perform certain levels of external financial auditing where a
completely independent third party provides an opinion on the company's financial records.
Companies may want to dive further into audit findings or perform an internal financial audit
in preparation for an external audit. Many of the tests between an internal or external auditor
may be similar; the nature of independence separates the two types of audits for financial
audits.

Environmental Audit

As companies become continually more environmentally conscious, some take the steps of
reviewing the business' impact on the planet. This results in an internal audit covering how a
company safely sources raw materials, minimizes greenhouse gas emissions during
production, utilizes eco-friendly distribution methods, and reduces energy consumption.
Companies leveraging triple bottom line reporting may perform internal environmental audits
as part of annual reporting.

Technology/IT Audit

An IT audit may have different objectives. The internal audit may be the result of an external
lawsuit, a company complaint, or a target to become more efficient. An internal audit focused
on technology reviews the controls, hardware, software, security, documentation, and
backup/recovery of systems. The goal is likely to assess general IT accuracy and processing
capabilities.

Performance Audit

An internal audit focused on performance pays less attention to the processes and more to the
final result. The company will have set performance objectives/ goals or metrics that may be
tied to performance bonuses or other incentives. As a result, an internal auditor assesses the
outcome of an objective that may not be easily quantifiable.

For example, a company may wish to have expanded its use of diverse suppliers; the internal
auditor, independent of any purchasing process, will be tasked with analysing how the
company's spending patterns have changed since this goal was set.

Operational Audit

An operational audit is most likely to occur when key personnel leave or when new
management takes over an entity. The company may want to assess how things are done and
whether resources are being used more efficiently. During an operational internal audit, the
auditor will review whether current staff and processes fulfil the mission statement, value, and
objectives of the company.

Construction Audit

Development, operating, real estate, or construction companies may perform construction
audits to ensure not only appropriate physical development of a building but appropriate
project billing along the life of the project. This mostly includes adherence to contract terms
with the general contractor, sub-contractors, or standalone vendors as necessary.

This may also include ensuring the company has remitted the appropriate payments, collected
the appropriate payments, and internal project reports regarding project completion are correct.

Risk Audit

In addition to ensuring that a company complies with laws and regulations, internal audits also
provide a degree of risk management and safeguard against potential fraud, waste, or abuse.
The results of internal audits provide management with suggestions for improvements to
current processes not functioning as intended, which may include information technology
systems as well as supply-chain management.

OBJECTIVES OF INTERNAL AUDIT

Proper Control: One of the main objectives of an internal audit is to keep stringent control
over all the activities of an organization. The management needs assurance of the authenticity
of the financial records and the efficiency of the operations of the firm. An internal audit helps
establish both.

Perfect Accounting System: An internal audit keeps a very close check on the accounting
system of an organization. It checks everything from the vouchers to the authority of
transactions to mathematical accuracy. All entries are verified against documents and other
proof. Chances of mistakes or frauds are greatly reduced.

Review of Business: The purpose of an internal audit is to keep a check on the financial and
operational aspects of a business. So as the current financial year is ongoing, internal audit can
point out the mistakes, weak points, and strengths of the business. This will allow an ongoing
review, instead of waiting till the year-end.

Asset Protection: In the process of internal audit, there is always a valuation and verification
of an asset. There is also a physical verification of the ownership and possession of the asset.

And in case of special transactions like sale, purchase or revaluation of the asset, the
authorization of this is also audited in an internal audit. Hence, the assets enjoy complete
protection.

Keeps a Check on Errors: In a financial audit, the auditor will be able to determine if any
mistakes were made in the financial records. But this only happens at the end of the financial
year. And the mistakes are corrected thereafter. But in case of an internal audit, the mistakes
are spotted as soon as they are made and corrected immediately.

Detection of Fraud: In case the company has an internal audit in place, the detection of fraud
becomes much easier. This is because there is a year-round check on the employees.

Understanding the risks and their mitigation: All companies / commercial organisations
face different types of risks which threaten their operation, profit, production and even
existence. These organisations, therefore, take necessary steps to understand the risks and
measures to mitigate them. Regular internal audit ensures that this work is taken seriously by
the concerned officials to avoid any complications in future.

INTERNAL AUDIT VS. EXTERNAL AUDIT

Internal and external audits have the same objective. Both types of audits analyse an aspect of
a company to determine a specific opinion. However, there are many differences between the
two types of audits.

In an internal audit, the company is often able to select its own audit team. As such, the team
represents the interests of the company's management team. This may be advantageous to
specifically place certain employees with very niche experience on the team. In an external
audit, the company can often select the external audit firm; however, the company often does
not have a say in the specific employees put on their external audit.

There may be some requirements regarding the external auditor depending on the audit. For
example, an external statutory cost auditor should be a member of The Institute of Cost
Accountants of India with a certificate of practice. On the other hand, in an internal audit, there
may be no such requirement and any qualified and knowledgeable person can do the internal
audit, although preference is given to qualifications like CMA (Cost and Management
Accountancy) due to their efficiency, experience and audit-related studies undertaken while
acquiring the qualification.

The end goal of either audit is an audit report; however, audit reports are used for very different
reasons. An internal audit report is usually used by internal management to improve the
operations, processes, or policies of the company. An external audit report is often required for
an outside reason and is more heavily used by stakeholders outside of the company.

Finally, the nature of the engagement will be very different. During an internal audit, the
employees of a company may often freely give advice, discuss unrelated matters with the
company, or may have a very fluid consulting agreement. During an external audit, a very
defined scope is often set, and the external auditor will often take great care to ensure they do
not exceed their audit boundaries.

INTERNAL AUDIT PROCEDURE

Normal Internal Audit procedure is as follows –

• Proposal from Company & Acceptance from Internal Auditor.

• Fixation of area/ scope of the Internal Audit assignment and remuneration duly approved
by the Board / Audit Committee.

• Preparation of Internal Audit Plan & Strategy.

• Execution of Internal Audit Plan & Strategy.

• Escalate the matter of unnecessary interference in the Internal Audit work and
non-cooperation by the Auditee’s staff.

• Preparation of Preliminary Report with observations, findings, & recommendations of
Internal Auditor.

• Internal Auditor should report significant observations, suggestions/ recommendations
based on the policies, processes, risk, control and transactions processing.

• Management Comments and Action Taken Report.

• Submission of Final Report for the consideration of the Audit Committee/ Board of
Directors/ Managing Director.

INTERNAL AUDIT PROCESS

The internal audit process entails planning the audit, performing the audit procedures,
compiling the audit report, and monitoring post-audit changes. Management may choose to
expand the scope of an audit at any point of the audit if findings during the audit cause the
scope to shift to a different direction.

Step wise Internal Audit Process

Step 1: Planning

Before any audit procedures are performed, the internal auditors often start by developing the
audit plan. This sets the audit requirements, objectives, timeline, schedule, and responsibilities
across audit team members. The auditors may review prior audits to understand management
expectations for presentation and data collection.

The audit plan often has a checklist to ensure members of the team adhere to broad
expectations. The internal audit team may also pre-emptively plan to meet with management
throughout the audit to communicate the status and any struggles of the audit. The planning
stage often ends with a kick-off meeting that launches the audit and communicates the initial
information needed.

Step 2: Auditing

Many of the auditing procedures used by internal auditors are the same as those used by external auditors.
Some companies might use continuous audits to ensure ongoing oversight of company
practices. Assessment techniques ensure an internal auditor gathers a full understanding of the
internal control procedures and whether employees are complying with internal control
directives.

To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques,
such as reviewing flowcharts, manuals, departmental control policies, or other existing
documentation.

Auditing fieldwork procedures can include transaction matching, physical inventory count,
audit trail calculations, and account reconciliation as is required by law. Analysis techniques
may test random data or target specific data if an auditor believes an internal control process
needs to be improved.

The internal audit may have started with a defined scope; but as the internal audit team gathers
and analyses information, it may become necessary to redefine the purpose and extent of the
audit. This includes re-evaluating the original timeline or resources allocated to the audit.

Step 3: Reporting

Internal audit reporting includes a formal report and may include a preliminary or memo-style
interim report. An interim report typically includes sensitive or significant results that the auditor
thinks the board of directors needs to know right away. Like an interim financial statement, an
interim report communicates a partial set of information useful for laying the road for the
remaining portion.

Often, a company may deliver a draft copy of the final audit report and host a pre-close internal
audit meeting with management. This may allow management to provide rebuttals, additional
information that may change findings, or provide commentary on their feedback regarding the
audit findings.


The final report includes a summary of the procedures and techniques used for completing the
audit, a description of audit findings, and suggestions for improvements to internal controls
and control procedures. The final report may also communicate next steps in terms of changes
to be implemented, future monitoring processes, and what future reviews will entail.

Step 4: Monitoring

After a designated amount of time, an internal audit may call for follow-up steps to make sure
the appropriate post-close audit changes were implemented. The details and process for these
monitoring and review steps are often agreed to at the delivery of the final audit.

For example, an internal financial audit may find severe internal control deficiencies that an
internal auditor believes will not pass an external financial audit. Management agrees to
implement changes within the next six weeks. After six weeks, the internal auditor may be
tasked with performing a small-scope or limited review of the deficiency to see if the issue
still persists.

INTERNAL AUDIT REPORTS: THE 5 C's

Internal audit reports are often known for adhering to the 5 C's reporting requirement. A
complete, sufficient internal audit often ends with a summary report that communicates
answers to the following questions:

- Criteria: What particular issue was identified, and why was the internal audit necessary?
  Is the internal audit in preparation for a future external audit? Who requested the audit,
  and why did this party request the audit?

- Condition: How was the issue in relation to a company target or expectation? Does the
  company have a policy that was broken, a benchmark that was not met, or other condition
  that was not satisfied? Is the company confident no issue exists, or do they believe an
  issue is at hand?

- Cause: Why did the issue arise? Who was involved, what processes were broken, and how
  could the issue have been avoided?

- Consequence: What is the outcome of the problem? Are issues limited to internal matters,
  or are there risks of external consequences? What are the financial implications of the
  issue?

- Corrective Action: What can the company do to fix the problem? What specific steps will
  management take to resolve the issue, and what type of monitoring or review will occur
  after solutions have been put in place to ensure a fix has been implemented?

IMPORTANCE OF INTERNAL AUDIT

Some may think internal audits are not as valuable as external audits. After all, a company may
hand-pick its own internal auditors, who do not have full independence from the company.
However, there are many ways internal audits provide value to the company and external
parties:

- Management can be more efficient about what to explore. For example, while external
  financial audits must test an entire financial system, a company may be concerned
  about whether the cash management process is being fraudulently managed; therefore,
  management can elect to have all audit procedures analyse cash processes.

- Internal audits may save companies money. If a company's processes are very strong,
  the external audit process may not be as long and as intensive, thereby reducing the
  external audit fee and time spent supporting external auditors.

- The company enhances its control environment. Even if the internal audit yields no
  findings, employees may be aware that their work gets analysed and reported on,
  thereby motivating adherence to company policy.

- Internal audits may make companies more efficient. External audits often are not
  intended to make processes better; they are meant to review whether processes are
  accurate. This distinction is important because a company may be "just getting by"
  with inefficient processes that meet very minimum requirements.

- Internal audit reports give management a head start to make corrections. Instead of
  having to scramble when an external audit finds a deficiency, management can take
  longer to think through solutions, implement the solution with care, and review
  whether the solution worked.

- Certain departments may need enhanced oversight. Whether it is lack of expertise,
  staffing shortages, or problems with current personnel, a company may benefit from
  targeting a specific area and formally reviewing its workflow and processes.

CONTENT OF INTERNAL AUDIT REPORT

The Internal Audit Report should cover the following contents:

- Title
- Addressee
- Period of coverage of the Report
- Opening or introductory paragraph
- Objective paragraph
- Scope paragraph
- Documents / Records checked during internal audit
- Executive summary, highlighting the key material issues, observations, control
  weaknesses and exceptions
- Significant observations, findings and recommendations
- Management comments on respective observations, findings and recommendations
- Action Taken Report
- Date of Report
- Place of signature
- Internal Auditor’s signature with Membership No.

*****

CHAPTER 3: UNDERSTANDING RISK MANAGEMENT

DEFINITION OF RISK

Risk is any event/non-event, the occurrence/non-occurrence of which can adversely affect
the objectives of the Company. These threats may be internal/external to the Company,
may/may not be directly influenced by the Company and may arise out of routine/non-routine
actions of the Company.

UNDERSTANDING RISK MANAGEMENT

Risk Management is a structured, consistent and continuous process across the whole
organization for identifying, assessing, deciding on responses to and reporting on the
opportunities and threats that may affect the achievement of its objectives.

In recent years, all sectors of the economy have focused on risk management as the key
to making organizations successful in delivering their objectives, whilst protecting the
interests of their stakeholders. Risk may be defined as an event, action or inaction, the
outcome of which is uncertain and may have a bearing on the achievement of desired goals
and objectives.

The Company should realize the need to better understand, anticipate and mitigate
business risks in order to minimize the frequency and impact of risks and shall look for
greater assurance that there is a system in place, with well-documented, effective
mitigation plans and accountability, which provides relevant information for decision
making to the appropriate people in a timely manner.

Risk management is a holistic, integrated, structured and disciplined approach to
managing risks with the objective of maximizing shareholder value. It aligns strategy,
processes, people & culture, technology and governance with the purpose of evaluating
and managing the uncertainties faced by the organization while creating value.

Effective risk management allows an organization to –

- have increased confidence in achieving its desired goals and objectives;
- effectively limit threats to acceptable levels; and
- make informed decisions about exploiting opportunities.

Never before has effective management of business risks been so critical to achieving
positive results and enhancing corporate reputation as it is today. It has been observed
that although significant risks are often known in some parts of the company, those risks
may not have come to the attention of the right people at the right time.

A robust risk management framework has therefore been developed which is
benchmarked with the leading global risk management standards and guidance available.
In doing so the focus has been to have a framework that is simple and practical, which:

- allows a clear and concise view of risks;
- prioritises risks that matter (‘RTM’) i.e. the ‘Top 15’ risks; and
- puts in place appropriate mitigation plans to manage the RTMs.

This Framework will continue to evolve and mature as risk management is implemented
in the organization and experience is gained. It is expected to be reviewed and amended
on a regular basis to ensure its ongoing relevance and viability. The Board of Directors
/ Risk Management Committee shall have the discretion to modify the risk management
framework as per the most relevant business case as this framework is dynamic in nature
and evolves with time.

Risk management is everyone’s responsibility and needs to form part of every decision
making and monitoring process. The Risk Management and Risk Mitigation Strategy
(Risk Management Policy) thus aims at outlining the framework adopted to assess and
mitigate the impact of risks and report to the top management and the Board of Directors
on the risk assessment and minimization procedures.

Risk management is the process of identifying, assessing and controlling threats to an
organization's capital, earnings and operations. These risks stem from a variety of sources,
including financial uncertainties, legal liabilities, technology issues, strategic management
errors, accidents and natural disasters.

A successful risk management program helps an organization consider the full range of risks
it faces. Risk management also examines the relationship between different types of business
risks and the cascading impact they could have on an organization's strategic goals.

This holistic approach to managing risk is sometimes described as enterprise risk
management (ERM) because of its emphasis on anticipating and understanding risk across an
organization. In addition to a focus on internal and external risk threats, enterprise risk
management (ERM) emphasizes the importance of managing positive risk. Positive risks are
opportunities that could increase business value.

Indeed, the aim of any risk management program is not to eliminate all risk but to preserve
and add to overall enterprise value by making smart risk decisions. It is also a fact that all
risks can never be eliminated; they can be brushed aside for a limited period, and this process
of brushing aside keeps on going with the normal business process. Any delay or casual approach
in this brushing aside of risks can be dangerous and fatal for the company.

Thus, a risk management program should be intertwined with organizational strategy. To link
them, risk management leaders must first define the organization's risk appetite, i.e., the
amount of risk it is willing to accept to realize its objectives. Some risks will fit within the risk
appetite and be accepted with no further action necessary. Others will be mitigated to reduce
the potential negative effects, shared with or transferred to another party, or avoided altogether.

Every organization faces the risk of unexpected, harmful events that can cost it money or
human life or, in the worst case, cause it to close.

OBJECTIVES OF RISK MANAGEMENT

The components of risk management are different for different companies and are defined
by the company’s business model and strategies, organizational structure, culture, risk
appetite and dedicated resources. It is not a standard “fit-all” solution. An effective risk
management framework requires consistent processes for assessment, mitigation,
monitoring and communication of risk issues across the organization. Essential to this
process is its alignment with corporate direction and objectives, specifically strategic
planning and annual business planning processes.

Risk management is a continuous and evolving process, which has to be integrated with
the culture of the organization over a period of time. It would then get embedded in the
strategy for attaining tactical and operational objectives such that each manager and
employee in the system is assigned responsibility for management of risk as a part of their
job description. It would then support accountability, performance measurement and
reward, and thus promote overall efficiency at all levels.

The framework will help in creating an environment in which risk management is
consistently practiced across the Company and where management can take informed
decisions to reduce the possibility of surprises.

The objectives of risk management are to:

- Better understand the Company’s risk profile;

- Ensure that the Senior Management is in a position to make informed business
  decisions based on risk assessment;

- Ensure that sound business opportunities are identified and pursued without exposing
  the business to an unacceptable level of risk;

- Contribute to safeguarding Company value and the interest of shareholders; and

- Improve compliance with good corporate governance guidelines and practices as
  well as laws & regulations.

The Risk Management Policy aims at formalizing a process to deal with the most relevant
risks, building on existing management practices, knowledge and structures.

IMPORTANCE OF RISK MANAGEMENT

Risk management has perhaps never been more important than it is now. The risks that modern
organizations face have grown more complex, fuelled by the rapid pace of globalization. New
risks are constantly emerging, often related to and generated by the now-pervasive use of
digital technology or due to climate change which has been dubbed a "threat multiplier" by
risk experts.

A recent external risk that initially manifested itself as a supply chain issue at many companies
-- the COVID-19 pandemic -- quickly evolved into an existential threat, affecting the health
and safety of employees, the means of doing business, the ability to interact with customers
and corporate reputations. Businesses made rapid adjustments to the threats posed by the
pandemic. But, going forward, they started grappling with novel risks, including the issue of
how or whether to bring employees back to the office.

Similarly, after COVID-19, commercial organisations started facing critical questions such as
what can be done to make supply chains less vulnerable, or how to tackle inflation and
the business & economic effects of the war in Ukraine.

In many companies, business executives and the board of directors are now taking a fresh look
at their risk management programs. Organizations are reassessing their risk exposure,
examining risk processes and reconsidering who should be involved in risk management.
Companies that currently take a reactive approach to risk management -- guarding against past
risks and changing practices after a new risk causes harm -- are considering the competitive
advantages of a more proactive approach. There is heightened interest in supporting business
sustainability, resiliency and agility. Companies are also exploring how AI (Artificial
Intelligence) technologies and sophisticated GRC platforms can improve risk management.

REGULATORY FRAMEWORK SURROUNDING RISK MANAGEMENT

The SEBI (Listing Obligations & Disclosure Requirements) Regulations, 2015

- In India, from a regulatory perspective, the SEBI (Listing Obligations & Disclosure
  Requirements) Regulations, 2015 (“SEBI LODR”) has elaborately prescribed the role &
  functions of the Board of Directors and Risk Management Committee with respect to the
  domain of risk management. Relevant extracts are given below.

- The Board of Directors shall constitute a Risk Management Committee. The Chairperson
  of the Risk management committee shall be a member of the board of directors and senior
  executives of the listed entity may be members of the committee. The risk management
  committee shall meet at least twice in a year.

- The Board of Directors shall define the role and responsibility of the Risk Management
  Committee and may delegate monitoring and reviewing of the risk management plan to
  the committee and such other functions as it may deem fit. Such functions shall specifically
  cover cyber security.

- The Risk Management Committee shall have powers to seek information from any
  employee, obtain outside legal or other professional advice and secure attendance of
  outsiders with relevant expertise, if it considers necessary.

- The role of the Risk Management Committee shall, inter alia, include the following:

  - To formulate a detailed risk management policy which shall include:

    - A framework for identification of internal and external risks specifically
      faced by the listed entity, in particular including financial, operational,
      sectoral, sustainability (particularly, ESG related risks), information,
      cyber security risks or any other risk as may be determined by the
      Committee.

    - Measures for risk mitigation including systems and processes for internal
      control of identified risks.

    - Business continuity plan.

  - To ensure that appropriate methodology, processes and systems are in place to
    monitor and evaluate risks associated with the business of the Company;

  - To monitor and oversee implementation of the risk management policy, including
    evaluating the adequacy of risk management systems;

  - To periodically review the risk management policy, at least once in two years,
    including by considering the changing industry dynamics and evolving
    complexity;

  - To keep the board of directors informed about the nature and content of its
    discussions, recommendations and actions to be taken;

  - The appointment, removal and terms of remuneration of the Chief Risk Officer (if
    any) shall be subject to review by the Risk Management Committee.

- Besides, the role of the audit committee shall include evaluation of internal financial
  controls and risk management systems.

- Further, the SEBI LODR, inter alia, requires the listed entity to lay down procedures to
  inform members of Board of Directors about risk management and minimization
  procedures [Regulation 17(9)(a)]. The Board of Directors shall be responsible for framing,
  implementing and monitoring the risk management plan for the listed entity [Regulation
  17(9)(b)].

- Regulation 24(4) of SEBI LODR requires that the management of the unlisted subsidiary
  shall periodically bring to the notice of the Board of Directors of the listed entity, a
  statement of all significant transactions and arrangements entered into by the unlisted
  subsidiary.

- Regulation 30(9) of SEBI LODR requires the listed entity to disclose all events or
  information with respect to subsidiaries which are material for the listed entity.

- Regulation 16(1)(c) of SEBI LODR defines material subsidiary as – “material subsidiary”
  shall mean a subsidiary, whose income or net worth exceeds ten percent of the
  consolidated income or net worth respectively, of the listed entity and its subsidiaries in
  the immediately preceding accounting year.” Further, the Explanation to Regulation
  16(1)(c) states that the listed entity shall formulate a policy for determining material
  subsidiary.

The Companies Act, 2013

- The Companies Act, 2013, requires the Board of Directors to present a statement
  indicating development and implementation of a Risk Management Policy for the
  company, including identification therein of elements of risk, if any, which in the opinion
  of the Board may threaten the existence of the company [Section 134(3)(n)].

- Further, the Audit Committee is also required, inter alia, to evaluate the risk management
  systems of the Company [Section 177(4)(vii)].

CPSE Guidelines on Corporate Governance

There exist Guidelines on Corporate Governance for Central Public Sector Enterprises
(“CPSEs CG Guidelines”), which are mandatory for all CPSEs vide Office Memorandum
No. 18(8)/2005-GM dated 14th May 2010. Para 3.6 (Risk Management) of the Guidelines on
Corporate Governance for CPSEs provides that enterprise risk management helps
management in achieving the CPSE’s performance and profitability targets. It helps to ensure
effective reporting and compliance with laws and regulations and helps avoid damage to the
entity’s reputation and associated consequences. Considering the significance of risk
management in the scheme of corporate management strategies, its oversight should be one of
the main responsibilities of the Board/Management. The Board should ensure the integration
and alignment of the risk management system with the corporate and operational objectives
and also that risk management is undertaken as a part of normal business practice and not as a
separate task at set times.

Further, para 7.3 (Board Disclosures – Risk management) provides that the company shall lay
down procedures to inform Board members about the risk assessment and minimization
procedures, which shall be periodically reviewed to ensure that executive management
controls risk through means of a properly defined framework. Procedure will be laid down for
internal risk management also. It further says that the Board should implement policies and
procedures which should include:

a) Staff responsibilities in relation to fraud prevention and identification.
b) Responsibility of fraud investigation once a fraud has been identified.
c) Process of reporting on fraud related matters to management.
d) Reporting and recording processes to be followed to record allegations of fraud.
e) Requirements of training to be conducted on fraud prevention and identification.

*****

CHAPTER 4: INTERNAL AUDIT OF RISK MANAGEMENT

BACKGROUND

Internal auditors play a critical role in risk management without taking over the responsibilities
of risk management and compromising internal auditors' objectivity and independence. They
understand the potential risks that may impact the organization and analyse the approach
framed by the company to mitigate these risks. They ensure that the organisation is following
the pre-decided risk mitigation policy holistically and that any deviation is highlighted. They
also help the organization implement these measures seriously. Internal auditors help the
organization proactively manage its risks and reduce the likelihood of negative outcomes.
Internal auditors can reduce duplicate efforts and increase the effectiveness of overall risk
management by coordinating the internal audit reports with the risk management team.

IMPLEMENTATION

Internal auditors can help management with the implementation of the system of risk
management by taking the following steps:

Step 1: Understanding Risks: The first step in the risk management process is to identify
potential risks that may impact the organization. Internal auditors use various methods, such
as interviews, surveys, and analysis of historical data, to understand these risks.

Step 2: Assessing Risks: Once the risks have been identified & understood, the next step is
to assess their likelihood of occurring and their impact. Internal auditors use a risk matrix to
evaluate the potential impact of each risk and prioritize them based on their likelihood and
impact.

Step 3: Recommend Mitigation Measures: Based on the assessment of the risks, internal
auditors then help in providing recommendations on how to mitigate these risks. For example,
they may recommend the implementation of controls, such as policies and procedures, to
minimize the likelihood of a risk occurring.

Step 4: Implement Mitigation Measures: After the recommendations have been made, the
internal auditors help the organization implement these measures. They monitor the
implementation process and provide feedback to management on the effectiveness of the
measures.

COMPLIANCE

Internal auditors are also helpful in assuring that the organization complies with laws and
regulations. They review the policies and procedures of the company and assess their
effectiveness. They also monitor the company's compliance with regulations and provide
recommendations on how to improve compliance. They can help by taking the following steps:

Step 1: Review Policies and Procedures: The first step in ensuring compliance is to review
the policies and procedures of the organization. Internal auditors assess these policies and
procedures to ensure that they are effective in achieving compliance.

Step 2: Monitor Compliance: Once the policies and procedures have been reviewed, the
internal auditors monitor the organization's compliance with laws and regulations. They use
various methods, such as testing and documentation review, to assess the organization's
compliance.

Step 3: Provide Recommendations: Based on their assessment of the organization's
compliance, internal auditors then provide recommendations on how to improve compliance.
For example, they may recommend changes to policies and procedures, or the implementation
of additional controls, to ensure compliance.

Step 4: Implement Recommendations: The internal auditors then help the organization
implement these recommendations and monitor the effectiveness of the changes. They also
provide ongoing support to management in ensuring ongoing compliance with laws and
regulations.

INTERNAL CONTROL

Internal auditors are also quite helpful in evaluating the internal controls of the organization.
They examine the processes and procedures that are in place to ensure the accuracy and
reliability of financial and operational information. They then provide recommendations on
how to improve these controls and help the organization maintain a strong internal control
environment, through the following steps:

Step 1: Evaluate Controls: The first step in evaluating internal controls is to examine the
processes and procedures that are in place to ensure the accuracy and reliability of financial
and operational information. Internal auditors use various methods, such as testing and
documentation review, to evaluate the internal controls of the organization.

Step 2: Provide Recommendations: Based on their evaluation of the internal controls,
internal auditors then provide recommendations on how to improve these controls. For
example, they may recommend changes to policies and procedures or the implementation of
additional controls to ensure the accuracy and reliability of information.

Step 3: Implement Recommendations: The internal auditors then help the organization
implement these recommendations and monitor the effectiveness of the changes. They also
provide ongoing support to management in maintaining a strong internal control environment.

Step 4: Continuous Monitoring: Internal auditors also engage in continuous monitoring of
the internal control environment. They review changes in the organization and assess the
impact on internal controls. They also assess the effectiveness of existing controls and provide
recommendations for improvement, as needed.

ADVISING MANAGEMENT

Internal auditors also act as advisors to management. They provide insights and perspectives
on various business processes and help management make informed decisions. They also help
management identify areas for improvement and provide recommendations on how to
optimize these processes. The following steps are important in this regard:

Step 1: Provide Insights and Perspectives: Internal auditors provide valuable insights and
perspectives to management. They use their expertise to provide recommendations on various
business processes and help management make informed decisions.

Step 2: Identify Areas for Improvement: Internal auditors also help management identify
areas for improvement in the organization. They use their knowledge of best practices and
industry standards to provide recommendations on how to optimize processes.

Step 3: Provide Recommendations: Based on their analysis, internal auditors provide
recommendations on how to improve processes and optimize performance. They also assist
management in implementing these changes and monitor the results.

Step 4: Ongoing Support: Internal auditors provide ongoing support to management, helping
them navigate challenges and achieve their goals. They are a valuable resource for
management, providing expertise, guidance, and support.

PROCESS IMPROVEMENT

Internal auditors are experts in process improvement. They identify areas for improvement in
the organization and provide recommendations on how to streamline processes. They also
assist in implementing these changes and monitor the results to ensure they are effective.
The following steps are important:

Step 1: Identify Areas for Improvement: The first step in process improvement is to identify
areas for improvement in the organization. Internal auditors use various methods, such as
process mapping, to identify these areas.

Step 2: Provide Recommendations: Based on their analysis, internal auditors provide
recommendations on how to streamline processes and optimize performance. They use their
expertise in process improvement to provide practical and effective recommendations.

Step 3: Implement Recommendations: The internal auditors then help the organization
implement these recommendations and monitor the results. They engage in continuous
monitoring of the process to ensure that the changes are effective and provide feedback to
management.

Step 4: Continuous Improvement: Internal auditors also engage in continuous improvement,
identifying new areas for improvement and providing recommendations for optimization.
They help the organization maintain a culture of continuous improvement, ensuring that
processes are optimized and performance is improved over time.

In fact, the role of internal auditors goes far beyond just providing assurance services. They
play a critical role in risk management, compliance, internal control, advising management,
and process improvement. Their expertise and insights help organizations achieve their goals
and succeed in an ever-changing business

*****

CHAPTER 5: RISK MANAGEMENT AND RISK MITIGATION IN MINING COMPANIES

INTRODUCTION

The heart of risk management in mining is the identification of internal & external hazards,
assessment of their risk, and application of appropriate controls. Regardless of whether
hazards are geological, environmental, process-related or human, they should all be addressed
through effective risk management.

While defining and developing a formalized risk assessment and mitigation process,
leading risk management standards and practices shall be considered. However, the focus
shall be to make the process relevant to business reality and to keep it pragmatic and
simple from an implementation and use perspective.

RISK MANAGEMENT FRAMEWORK

Mining Companies should establish a robust risk management framework to effectively
address and mitigate potential risks. The framework will encompass various mechanisms for
defining, prioritising, and formulating contingency strategies to tackle risks. It will outline the
roles, responsibilities, and duties of different authorities, committees, and the Board in
executing risk management procedures. A comprehensive Risk Management Calendar (RMC)
may be followed to ensure periodic monitoring and evaluation of risks.

GUIDING PRINCIPLES FOR THE RISK MANAGEMENT FRAMEWORK

The company’s attitude to risk shall be based on the following key principles:

i. Shareholder value based: Risk management will be focused on sustaining the creation
of shareholder value and protecting the same against erosion.

ii. Embedded: Risk management will be embedded in existing business processes to help
management of risks across processes on an ongoing basis.

iii. Supported and Assured: Risk management will provide support in setting up
appropriate processes to ensure that current risks are being managed appropriately and
assurance is provided to the relevant stakeholders over the effectiveness of these
processes.


iv. Reviewed: The effectiveness of the risk management program will be reviewed on a
regular basis to ensure its relevance in a dynamic and changing business
environment.

The Risk Management Framework outlines the series of activities and their enablers that
the Company proposes to deploy to assess, mitigate and monitor risks across the
organization. The objective of the Risk Management Framework shall be to formalize and
communicate the approach to the management of risk. It will have the following
attributes:

• Responds to the Executive management’s need for enhanced risk information and
improved governance.

• Provides the ability to prioritize, manage and monitor the increasingly complex risks
in the business.

• Provides an explicit, comprehensive process to satisfy the regulators and other
stakeholders that significant risks are being effectively managed.

The Risk Management Framework shall essentially comprise the following two elements:

o Risk Management Structure
o Risk Management Process

RISK MANAGEMENT STRUCTURE AND TEAM

The risk management process has to be supported by a risk management structure, which
shall primarily comprise the following:

• Risk Management and Oversight Structure
• Risk Policies and Procedures
• Risk Management Activity Calendar

A specialised subcommittee of the Board of Directors, the Risk Management Committee
(RMC), should be formed first. The Chief Risk Officer (CRO), supported by a competent
team, should operate under the guidance of the RMC.


The RMC will provide strategic direction and evaluate the effectiveness of the Risk
Management Framework. Risk assessment, identification, and mitigation measures should be
thoroughly discussed during the bi-annual Risk Management Committee meetings.

Review of the effectiveness of Risk Management Framework is essential as an integral part of
the strategic planning process. By adhering to a comprehensive risk management framework,
the aim is to proactively address potential risks, safeguard the operations, and ensure
sustainable growth. the risk landscape and formulates prioritised risk mitigation plans for
overseeing its implementation across the organisation. The RMC provides strategic direction
and evaluates the effectiveness of the Risk Management Framework.

RISK MANAGEMENT CULTURE

Significant steps should be taken to foster a strong risk management culture in the company.
The Board should approve a Risk Management Charter and Risk Register to effectively
address risks and align them with the internal goals and objectives. Risks That Matter (RTM)
should be identified, and dedicated Risk Owners and Risk Mitigation Plan Owners should be
appointed to ensure continuous monitoring and mitigation efforts. Risk assessment,
identification, and mitigation measures should be thoroughly discussed during the
bi-annual Risk Management Committee meetings. Consistent review of the effectiveness of
the Risk Management Framework as an integral part of the strategic planning process is
essential. By adhering to a comprehensive risk management framework, the aim should
be to proactively address potential risks, safeguard the operations, and ensure sustainable
growth.

RISKS IDENTIFICATION

In order to manage risks an organization needs to know what risks it faces. Risk
identification captures the significant risks that may have an adverse impact on the
organization’s objectives and is the first step in building the organization’s risk profile. In
this regard, the focus should be on strategic / business risks that may have an impact on
the ability of the company to achieve its planned targets. In stating risks, care should be
taken:

• To avoid stating impacts which may arise as being the risks themselves; and
• To avoid stating risks which do not have an impact on the objectives.

Equal care should be taken to avoid defining risks with statements that are simply the
converse of the objectives. A statement of a risk should encompass the cause of the impact
and the impact on the objective that might arise.

APPROACH FOR IMPLEMENTATION

Risk identification will be done by involving personnel at the senior and middle
management level of all the key functions to achieve a holistic view of risks. The entire
activity of risk identification shall be managed by the respective functional departments.

The frequency for conducting risk identification will be as follows:

Annual risk identification

On an annual basis, a risk profile for the business/functional department is prepared based
on discussions with key management personnel. Existing risk libraries and management
reports serve as a baseline for this exercise. This risk profile/library is revisited on a
quarterly basis by the Functional Directors for their respective functions, to identify any
new risk event that can adversely impact business objectives.

Risks that are identified are documented in a standard template. The risk library details the
risk, its classification, its potential area of impact and functions that may play a role in
managing it. The Company shall use a ‘Risk Classification Framework’ to create a
common understanding of risks and to differentiate between the risk, its causes and
eventual effects.

The quality and completeness of the risk identification is the responsibility of the
Functional Director for the respective functional department. While the Risk Management
Committee plays an active role in facilitating the annual risk exercise, the Functional
Director / Risk Management Coordinator (delegated by Functional Director) for the
functional department plays a predominant role in coordinating the quarterly risk
assessment and reporting.

Concurrent risk identification

The occurrence of risks can never be predicted. However, it is imperative for the success
of risk management that any risk which has emerged after the annual risk identification
exercise is flagged to the Risk Management Committee and senior management team
for deliberation and initiation of action in line with the risk management process. Such risks
can be identified across the organization through the Emerging Risk Log feature, and this
activity may be carried out once a quarter. The identified risks shall be mapped to the
appropriate risk category in the risk classification framework.


Under the leadership of the Chief Risk Officer (CRO) and with the involvement of the
concerned Heads of Departments (HoDs), a dedicated Risk Management team should
implement the governance processes outlined in the Risk Management Framework. This
includes formulating Risk Mitigation plans for the prioritised risks and addressing the Risks
That Matter (RTM). The potential impacts of each identified risk on operations are required
to be carefully assessed. Subsequently, a comprehensive mitigation plan should be devised to
manage and minimise the potential adverse effects of these risks. Through this systematic
approach, the aim is to enhance the risk management practices and ensure the smooth
functioning of the operations.

RISK MANAGEMENT PROCESS

An effective risk management process shall consist of four broad steps:

- Establish Context: Essential for defining objectives.

- Assess: Risk identification and prioritization.

- Risk Management Competence Scan: Assessment of the existing organizational
capabilities in managing and mitigating the risks.

- Mitigate and Monitor: Developing the mitigation plans for identified Risks That
Matter (RTM) and monitoring their effectiveness on a periodic basis.

Whether risks are external or internal to the Company, and whether or not they can be
directly influenced or managed, all of them shall be managed through a common set of processes.

This process shall be scheduled to be performed annually along with the business
planning exercise or at any point of time on account of significant changes in internal
business conduct or external business environment. Where the business seeks to undertake
a non-routine transaction (such as an acquisition, entering into a new line of business etc.),
the risk management process is activated as a part of the proposal for undertaking such a
transaction.

The overall risk management process covers:

- Risk Assessment and Reporting
- Risk Mitigation
- Risk Monitoring and Assurance


RISK ASSESSMENT

Risk assessment is defined as the process of identification, prioritization and analysis of
risks. An effective risk assessment requires a common risk language and a continuous
process for identifying and measuring risks. These elements need to be applied
consistently across the organization to understand the nature of the prioritized risks and
their impact on business objectives, strategies and performance.

While assessing, consider the potential ‘impact of risks’ and the ‘strength of the control
environment’. Thereafter, a residual risk matrix could be prepared with the strength of controls
on the x-axis and the impact of risk factors on the y-axis. Based on the residual risk rating, the
processes could be categorized into Tier 1, Tier 2, and Tier 3 as given in the figure below.


Tier I (Processes) – Review once in a year
Tier II (Processes) – Review once in 2 years
Tier III (Processes) – Review once in 3 years

Risk assessment is an on-going systematic process to be carried out at periodic intervals.
It consists of the following activities:

Setting the context: This step is focused on laying down the objectives that the Company
seeks to achieve and safeguard. Risks are identified and prioritized in the context of these
objectives.

Identifying and prioritising risks: Risk identification and prioritization comprises the
following:

o Risk identification and definition – Focused on identifying relevant risks that can
adversely affect the achievement of the objectives. It seeks to create or update risk
definitions to ensure an undisputed understanding of the potential threat.

o Risk classification – Focused on understanding the various impacts of risks and the
level of influence that the Company has on their root causes.

o Risk prioritisation – Focused on determining risk priority. This involves
assessment of the various impacts, taking into consideration the risk appetite of the
Company.

Managing risks: This comprises:

o Risk mitigation – Focused on addressing critical risks to restrict their impact(s) to
an acceptable level (i.e. within the defined risk appetite). This involves
performing a risk competence scan to identify ongoing mitigation actions and any
improvements required. It also involves defining ownership, responsibilities and
milestones for the risk response plan of the Company.

o Risk reporting and monitoring – Focused on providing the Board of Directors,
CMD, Risk Management Committee, and Line Management with periodic information
on the risk profile and the effectiveness of implementation of the mitigation plans.


RISK PRIORITIZATION

Risk prioritization is the process of rating the risks in order to identify those risks which
may have the most significant impact on the achievement of the stated goals and
objectives of the business. The identified risks shall be prioritized based on the following
parameters:

• Inherent risk rating – It highlights the intrinsic nature of the risk to the business in the
current environment irrespective of the existence or effectiveness of plans to mitigate
it. Inherent risk is derived based on the rating of the impact the risk can have on the
stated business objectives and the probability of its occurrence.

• Mitigation plan effectiveness rating – It is the rating assigned to the existing mitigation
plans based on their operational efficiency in reducing either the impact of the risk or
the probability of its occurrence.

• Approach for implementation – Risk prioritization shall be done by involving
personnel at the senior and middle management level of all key functions, to get an
overall view of the criticality of the risk as well as the effectiveness of the existing
plans to mitigate the risk. The entire activity of risk prioritization shall be managed by
the RMC.

The frequency for prioritizing risks will be as follows and this step involves identifying
and selecting critical risks from the risk library:

Annual risk prioritization

In this process, the finalized list of risks will be voted on by the identified personnel to
determine their inherent risk rating and the effectiveness of the current mitigation plans.
This activity shall be carried out after the annual risk identification exercise. Annual
prioritization of the entity level risks would be done by the Risk Management Coordinator.
After compilation and analysis of the voting results, the Risk Management Committee shall
compile the list of risks in order of priority, clearly identifying the RTMs.

Concurrent risk prioritization

If new risks are identified as part of the quarterly risk review meetings, the participants
shall vote on the risks to determine their inherent risk and the current effectiveness of the
mitigation plans. The compilation and analysis of the voting results will be done by the
individual functional department, which shall then seek the approval of the Risk
Management Committee before including the new risk in the existing list of RTMs.
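The following sketch, added here as an illustration and not taken from the manual, turns the voting-based prioritization described above into a ranked risk list with RTMs flagged. The 1-5 rating scales, the median aggregation of votes, the residual formula and the RTM cut-off are all assumptions, and the ballots are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median_high

# ASSUMPTIONS (the manual names the parameters but fixes no scale or formula):
SCALE = range(1, 6)     # every rating is voted on a 1-5 scale
RTM_THRESHOLD = 40      # residual score at or above which a risk is an RTM


@dataclass(frozen=True)
class Vote:
    voter: str
    impact: int          # effect on the stated business objectives
    probability: int     # likelihood of occurrence
    effectiveness: int   # existing mitigation plans, 5 = highly effective


@dataclass(frozen=True)
class RatedRisk:
    name: str
    inherent: int        # impact x probability, ignoring mitigation (1-25)
    effectiveness: int   # agreed mitigation plan effectiveness (1-5)
    residual: int        # inherent x (6 - effectiveness) (1-125)
    is_rtm: bool


def rate(name: str, votes: list[Vote]) -> RatedRisk:
    """Aggregate one risk's ballots into inherent and residual ratings."""
    if not votes:
        raise ValueError(f"no votes recorded for {name!r}")
    for v in votes:
        for label, value in (("impact", v.impact),
                             ("probability", v.probability),
                             ("effectiveness", v.effectiveness)):
            if value not in SCALE:
                raise ValueError(f"{v.voter}: {label}={value} is off the 1-5 scale")
    # median_high stays on the voting scale and resists a single outlier ballot
    impact = median_high([v.impact for v in votes])
    probability = median_high([v.probability for v in votes])
    effectiveness = median_high([v.effectiveness for v in votes])
    inherent = impact * probability
    # Weak mitigation (1) multiplies by 5, strong mitigation (5) by 1
    residual = inherent * (6 - effectiveness)
    return RatedRisk(name, inherent, effectiveness, residual,
                     residual >= RTM_THRESHOLD)


def prioritize(ballots: dict[str, list[Vote]]) -> list[RatedRisk]:
    """Return all risks ordered by residual score, highest priority first."""
    rated = [rate(name, votes) for name, votes in ballots.items()]
    return sorted(rated, key=lambda r: (-r.residual, -r.inherent, r.name))


# Constructed sample ballots: (impact, probability, effectiveness) per voter
BALLOTS = {
    "Cyber-attack on information systems": [
        Vote("Director A", 5, 3, 2), Vote("Director B", 4, 4, 2),
        Vote("Director C", 5, 3, 3)],
    "Evacuation bottleneck (rail and road)": [
        Vote("Director A", 4, 4, 3), Vote("Director B", 4, 3, 2),
        Vote("Director C", 3, 4, 3)],
    "Disputed customer receivables": [
        Vote("Director A", 3, 3, 4), Vote("Director B", 3, 2, 4),
        Vote("Director C", 2, 3, 5)],
    "Supply chain disruption": [
        Vote("Director A", 4, 2, 4), Vote("Director B", 3, 3, 3),
        Vote("Director C", 4, 2, 4)],
}

if __name__ == "__main__":
    for rank, risk in enumerate(prioritize(BALLOTS), start=1):
        flag = "RTM" if risk.is_rtm else "   "
        print(f"{rank}. {flag} residual={risk.residual:3d} "
              f"inherent={risk.inherent:2d} {risk.name}")
```

In the sample data the evacuation risk has the highest inherent rating, yet the cyber risk ranks first because its existing mitigation plans were voted less effective.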

RISK REPORTING

Reporting is an integral part of any process and critical from a monitoring perspective.
Results of risk assessment need to be reported to all relevant stakeholders for review,
input and monitoring.

The Risk Management Committee may be required to prepare on a quarterly basis a report
detailing the following:

- List of applicable risks for the business;

- The new risks identified, if any, and the action taken w.r.t. the new risks;

- Prioritized list of risks highlighting the ‘Risks That Matter’ (RTM);

- Root causes and mitigation plans for the RTMs; and

- Status of effectiveness of implementation of mitigation plans for the RTMs for
all the risks till date through the self-assessment process (see below).

The Corporate Risk Management Committee may be required to report to the Board
of Directors on a quarterly basis the following:

- An overview of the risk management process in place;

- Key observations on the status of risk management activities in the quarter,
including any new risks identified and action taken w.r.t. these risks; and

- Status of effectiveness of implementation of the mitigation plan for RTMs.

RISK MITIGATION

The process of risk mitigation involves preparing the risk response plan for managing the
RTMs and restricting the impact to a tolerable level. The entire process shall be broken
down into the following activities:

• Root cause analysis to identify the reasons/drivers for existence of the risk;

• Development of mitigation plans with defined ownership and implementation
timelines;

• Assessing the existing processes and activities presently undertaken to address the
risks;

• In view of the root causes, identifying any gaps in the existing controls
environment;

• Designing additional mitigation strategies to address the risk; and

• Documenting a mitigation plan with timelines and responsibilities (including
existing and proposed activities).

RISK MONITORING & REPORTING

This step involves reviewing the results of the risk management framework to assess if
risks are well controlled. The risk monitoring and reporting process helps in evaluating
any new Risks That Matter which can adversely impact the business.

Risk Monitoring

On a quarterly basis, the status of risk management shall be reviewed. While assessing the
risk, the following shall be taken care of:

• Assess whether any additional risk has emerged that is not already considered in the
risk profile;

• Assess whether a new risk, or another risk that is already documented in the risk
profile, should be considered as an RTM;

• Nominate a Risk Owner for a new RTM and oversee the development of
mitigation plans;

• For the RTM, assess the performance of the business in managing the risk;

• Review the extent to which the mitigation plans have been implemented; and

• Based on quantifiable data (where possible), assess if the mitigation plans have
delivered the right results in terms of risk management.

To facilitate the above exercise, the following personnel shall provide the information.

- Risk Owner: The designated Risk Owner provides a self-assessment on the
extent of risk mitigation. This assessment is based on feedback on
implementation of the mitigation plans and review of data (where applicable)
with respect to risk performance.

- Mitigation Plan Owner: The Mitigation Plan Owners indicate to the Risk
Owners the extent to which they have been able to implement the mitigation
strategies. They also provide a qualitative assessment of the efficacy of the
mitigation plans.

Risk Reporting

The results of the risk assessment are compiled in a risk reporting pack for each functional
department by the respective Risk Management Coordinator for the functional
department. These risk reporting packs shall be presented to the Risk Management
Committee for its review and appraisal.

On an annual basis, the Risk Management Committee makes a formal presentation on the
Risk Management Activities to the Board of Directors. This shall include:

• An overview of the risk management process in place;
• Summary of the Risks That Matter across the Company; and
• Results of Risk Management.

*****


CHAPTER 6: EXTERNAL RISKS IN THE MINING SECTOR

WHY MINING SECTOR

Mining is always considered a risky business. External Risks, which are beyond the control of
mining companies, play a crucial role in the smooth operation of the mining sector. Generally,
these risks cannot be mitigated at the companies’ level, and the support of the Government and
its agencies is very much required.

Mining Companies should identify the external risks associated with them and devise strategies
to reduce their impact. Usually, External Risks are not within the controlling
capabilities of the companies. These risks arise from changes in the economic, legal, political,
social and environmental conditions. Companies can reduce the impact of these risks by
maintaining good relations with the Government, bureaucrats, law enforcing agencies etc. and
by taking the help of strategists.

Strategists of the companies shall keep a close eye on the external risk factors and advise the
management on mitigating them through strategic management and strategic planning. Companies
should hire experts like Cost and Management Accountants (CMAs) or MBAs from top-grade
B-schools as Strategic Managers for the purpose.

Strategic planning is the art of creating specific business strategies, implementing them, and
evaluating the results of executing the plan, in regard to a company’s overall long-term goals
or desires. The strategic planning process requires considerable thought and planning on the
part of a company’s upper-level management. Before settling on a plan of action and then
determining how to strategically implement it, executives may consider many possible
options. In the end, a company’s management will, hopefully, settle on a strategy that is most
likely to produce positive results (usually defined as improving the company’s bottom line)
and that can be executed in a cost-efficient manner with a high likelihood of success, while
avoiding undue financial risk.

Nowadays, the following external risks are generally faced by the mining sector and mining
companies (the list is indicative, not exhaustive):

ENVIRONMENTAL, SOCIAL AND GOVERNANCE (ESG) ISSUES

ESG remains the top risk for mining in recent years. The issue is now firmly integrated within
corporate strategies due to its impact on almost every aspect of operations. Some of
the greatest areas for ESG improvement are not new: improving diversity, equity and
inclusion is still a major challenge, and mine closures and rehabilitation require a longer-term,
more strategic view.

But ESG is evolving, requiring miners to consider different issues and broaden their
capabilities to manage them effectively.

For example, water stewardship and biodiversity are fast becoming urgent priorities amid a
changing climate. Stakeholders expect miners to better assess risks and opportunities, and
articulate these through transparent, outcome-based measurement and assurance. In fact, more
rigorous reporting will become critical if companies are to meet growing stakeholder
expectations and avoid accusations of “greenwashing.” Miners that achieve this can get an
edge on competitors in many ways, from accessing capital to securing license to operate and
attracting talent.

GEOPOLITICS

War among many nations, terrorist attacks and many other geopolitical factors, beyond the
control of mining companies, are increasing day by day, and these factors are very difficult to
mitigate. Forging closer ties with government, increasing collaboration with stakeholders,
including trade and sector groups, and exploring the potential of government incentives and
co-investments may be options for risk mitigation.

CLIMATE CHANGE

The whole world is talking about the net zero situation, which refers to the balance
between the amount of greenhouse gas (GHG) that is produced and the amount that is
removed from the atmosphere. It can be achieved through a combination of emission
reduction and emission removal. Net-zero pathways are set, but achieving ambitions will
require a realistic and balanced strategy.

India is talking about a ‘carbon neutral’ situation, a term used when referring to the
ambition to limit any increase in future carbon emissions, while using offsets to
neutralise existing emissions. An accelerated decarbonization agenda, and a sharper focus on
reporting emissions, creates a new urgency around better mitigating climate change risk.

This is a challenge mining companies have become progressively better at managing, but there
are still opportunities to improve. For example, not enough miners are taking action to
minimize the physical risks of climate change, such as wildfires and flooding, which may
threaten operations.

Companies can explore a mix of options, including carbon offsets, partnering up and down the
value chain and collaborating with suppliers and vendors to monitor Scope 3 emissions, and
can build a proactive strategy to address a risk that is likely to become even more complex.

LICENSE TO OPERATE (LTO)

The process of obtaining LTO is becoming increasingly complex. National and local
politics, corruption in some parts of the bureaucracy, threats from anti-social elements, legal
activism, pressure from peer groups, issues of localisation, opposition from local ethnic groups
etc. are making the process of obtaining LTO very cumbersome.

PRODUCTIVITY AND COSTS

Soaring inflation and talent costs are significantly increasing mining costs, squeezing
productivity and delaying expansion plans. But an existing focus on cost management and
productivity can pay off. There is empirical evidence that companies which take the help of
Cost and Management Accountants (CMAs) and use different tools of Cost and Management
Accounting can effectively control or manage costs to remain competitive in the business
world.

CMAs manage the cost of any business and commercial organisation with an eye on long-term
value, as well as short-term gains. Sustainable cost reduction measures include, for example,
switching to renewable energy, encouraging innovation to reduce costs in the longer term and
creating strategic joint ventures to optimize economies of scale.

SUPPLY CHAIN

Recent disruption creates new urgency to accelerate supply chain transformation. Supply chain
disruption is new to the ranking, amid recent pressures, but it’s an issue mining and metals
companies have long grappled with. Now organizations are intensifying efforts to transform
supply chains, to better weather current volatility and find new opportunities to boost
efficiency, resiliency and transparency.

Miners are considering more innovative, sophisticated approaches to mitigating supply chain
risk, including through stronger relationships with suppliers and collaborative contracting.
With the pandemic exposing weaknesses in the “just-in-time” model, we expect to see a mix
of “just-in-case” and “just-in-time” supply strategies as miners find a way to balance supply
chain resilience with costs.

WORKFORCE

Building a purposeful brand and a greater focus on re-skilling can help overcome talent
shortages. Mining companies usually face their greatest ever talent shortage following a
massive wave of retirements and resignations. Replacing these workers and finding talent with
critical skills will require a radical rethink of the sector’s approach to attracting, retaining and
nurturing talent. With younger workers deterred by mining’s image, companies must double
down on efforts to build a purposeful brand that aligns with today’s values.

Mining leaders usually recognize the need to re-skill and upskill workers, but few are embracing
this opportunity. A greater focus on training existing workers and sector newcomers in
different skills can fill talent gaps and build a more flexible, agile workforce.

CAPITAL

Changing demand and investor expectations are shifting capital allocation strategies. Miners
are maintaining their focus on capital discipline, but also exploring how to invest in growth
and transformation. The energy transition is shifting demand, and companies are responding
through more investment in “future-facing” commodities, including copper and lithium, and
divesting coal assets.

Such decisions are motivated not only by a desire to adapt to an evolving market, but also by
the need to meet investors’ expectations around ESG performance. Organizations’ access to
capital is increasingly linked to their ability to show how they create value beyond the bottom
line. Cost and Management Accountants (CMAs) can also help companies take holistic
decisions here.

DIGITAL INNOVATION

Investment in data capabilities will guide better, faster decisions. Digital innovation has
dropped down the ranking as miners build confidence and capabilities in this area. Companies
are reaping significant cost, productivity and safety gains from the implementation of new
technologies, including drones, remote operating centres and autonomous trucks.

But, despite encouraging progress, across the sector we still see a largely siloed approach to
digital and innovation. A more integrated strategy across the value chain would increase ROI
and help miners better tackle their most complex challenges, including ESG and productivity.


NEW BUSINESS MODELS

Rationalize, grow, transform - miners are exploring potential future strategies to capture value.
With demand for certain commodities set to increase and sustainability becoming a bigger
focus, now is the time for organizations to rethink business models. We see miners analysing
where optimal value can be found, then designing their business models to capture this.
Whether companies decide to reshape models to rationalize, grow and transform or consider a
strategic blend of all three - those that act now to future-proof their business will best withstand
disruption, navigate changing commercial relationships and ultimately win competitive
advantage.

RISKS OF UNVIABLE MINING

The viability of mining operations is crucial for financial stability, operational efficiency, and
environmental sustainability. Unviable operations can lead to significant financial losses,
hinder long-term growth, compromise safety standards, and result in wastage of valuable
resources.

To tackle and mitigate this risk, the following steps may be taken:

• Identify unviable coal mines on the basis of cost-benefit analysis, which is an
essential step; only CMAs (Cost and Management Accountants) are qualified
enough to undertake this exercise.

• Calculate balance mineable reserves.

• Do technical assessments, including safety and environmental concerns.

• Make strategies for revival of unviable mines through loss reduction measures by
implementing new technology, re-orienting the mining method and enhancing safety
standards. CMAs are the only qualified professionals in our country to do this work
efficiently.

COMPETITION RISKS

Competition in the market and the emphasis on renewable sources of energy pose a threat to
many mining industries. The demand for minerals as a feedstock for synthetic fuel production,
such as petrochemicals, coal gasification and coal bed methanol, should be emphasised.


CYBER SECURITY RISKS

Cyber security risks pose potential threats to the information systems, data, and operations.
Mining companies handle sensitive and confidential information related to the operations,
employees, customers, and stakeholders. A cyber-attack or breach could lead to significant
financial losses, reputational damage, disruption of operations, and compromise of critical data.
Different cyber security measures must be implemented. A dedicated Cyber Crisis
Management Group should be formed and, to oversee and coordinate information security
practices, a senior official should be designated as the Chief Information Security Officer
(CISO). The CISO is responsible for implementing and monitoring information security
measures. The CISO can conduct regular security awareness programmes for end-users to enhance
their understanding of cyber threats and promote best practices. These programmes include
expert talks, email campaigns, and display boards to educate employees about potential risks
and ways to mitigate them.

CREDIT RISKS

The credit risks of receivables from customers directly impact the financial health and liquidity
of the organisation. Disputed and undisputed receivables from customers can pose challenges
in terms of delayed payments, potential write-offs, and cash flow constraints. Companies
should prioritise addressing credit risks in order to maintain the cash flow and the overall
financial health of the organisation. In cases where commercial disputes cannot be resolved
bilaterally, the help of arbitration, conciliation etc. may be taken.

OPERATIONAL SAFETY RISKS

Operational safety risks may have a potential impact on the well-being of workers and the
overall operational efficiency. Failure to comply with safety regulations and to implement
safety measures may lead to unsustainable and irresponsible functioning of the mining
industry. To ensure operational safety and generate a safe working environment, Site
Management Plans (SMP) for each mine may be created. These plans clearly outline the roles
and responsibilities of officials involved in mining operations, ensuring accountability and
adherence to regulations. The SMPs have been diligently prepared in accordance with the
guidelines set by the Directorate General of Mines Safety (DGMS) and have been submitted
for review and approval.


EVACUATION RISKS

Efficient evacuation of minerals is crucial for the smooth off-take of production. Limitations
or bottlenecks in the evacuation infrastructure can result in delays, congestion, and increased
costs of moving minerals. To address evacuation risks for off-take, rail and road infrastructure
needs to be strengthened. Usually, this is not possible without the help of the Government. The
irony of fate is that the rail and road projects involve a huge cash outflow and take a long time to
develop. Companies should leave no stone unturned to convince the Government and
Government authorities to improve infrastructure. Joint ventures with state governments and
the railways may be additional solutions.

TECHNOLOGY RISKS

Upgrading technology and ensuring optimal utilisation of Heavy Mining Machinery can help
a company remain competitive, maximise resource extraction, and meet market demands. Failure to
address these risks could result in reduced operational efficiency, increased costs, and lower
profitability.

Revision of equipment specifications to incorporate the latest technologies such as electrical drive,
fuel-efficient engines, and health/productivity monitoring systems is essential. Procurement of
high-capacity machines, guaranteed availability of spares and consumables, and regular review
and early recommissioning of equipment under long breakdown are key factors to mitigate this risk.
Premature survey of obsolete and irreparable equipment, and monitoring and follow-up for survey
of/grounding of equipment that has completed its lifecycle etc. are also important.

RISKS ASSOCIATED WITH LAW & ORDER

Starting a greenfield project is not an easy task in our country. External factors like
bureaucracy, politics, legal environment, safety and security etc. affect the prospects.
Moreover, it is also a very difficult task to run a brownfield project in our country due to many
issues related to law and order. We have to always keep in mind that mining is a typical
business. Usually, in any other industry, companies have to work hard to obtain the land
clearance, pollution clearance, environment clearance etc. only once, twice or thrice in their
lifetime to establish manufacturing facilities like factories; but mining companies have to do
all these activities again and again, i.e. every year, because their mines (i.e. factories) have
limited mineral reserves and lives, and a regular exercise has to be undertaken to find and start
new mines for sustainability.


COMMUNITY HEALTH RISK

Community health is another major priority. Mining of many minerals, such as opencast mining
of coal, creates health issues in nearby areas. Mines are typically the prime employer – in
many cases, the only employer in their region – and have a duty to nurture a healthy
community. From a pure business perspective, a local workforce suffering from conditions
such as AIDS, tuberculosis, and malaria is also less productive, with the added threat of legal
and regulatory action for low standards of healthcare. If mining companies don’t address the
issue, not only does community health risk increase, but political risks also increase, as local
politicians may raise an unnecessary negative hue and cry in national and international media
against the company.

*****


CHAPTER 7: INTERNAL RISKS IN MINING SECTOR

Apart from the above, mining companies face many internal risks. These risks may vary from
company to company or from mineral to mineral, but their mitigation is very important.
Any lacuna in the mitigation of internal risks makes the management responsible and attracts
the ire of different agencies of the Government. Any failure to mitigate these internal risks
may not only be harmful for the property of the mining company but also force the companies to
face the wrath of politicians and courts of law.

This chapter deals with those risks along with their suggested mitigation plans.

SAFETY RELATED RISKS

Safety related risks are the core risks of the mining sector. A worker in a mine should be able to
work under conditions which are adequately safe and healthy. At the same time, the
environmental conditions should be such as not to impair his working efficiency. This is
possible only when there is adequate safety in mines.

A Safety Management System (SMS) consists of comprehensive sets of policies, procedures
and practices designed to ensure that barriers to unwanted incidents are in place, in use and
are effective.

An SMS minimises the adverse effects of the risks to which the workers are exposed in the execution of
different activities. Risk management involves the entire staff in the realisation of the safety
improvement programme, with responsibility and accountability shared in proportion to
the decision-making authority. System Study and Safety Audit for the purpose of eliminating
the Risk of Accidents & Dangerous Occurrences are also undertaken.

The major characteristics of SMS are:

- It is the principal vehicle for day-to-day management of all aspects of safety in the
operations.

- Its focus is not only on personnel safety, but also on ensuring operational integrity.

- It lists a set of performance indicators to monitor the integrity of the safety-critical
activities, i.e. that they are being undertaken correctly and according to schedule.

- It outlines an auditing and feedback regime for management control of hazards. It should
be recognized that without a formal well-defined SMS, followed by adequate training,
implementation and monitoring, major hazards are impossible to manage of a PE system.

Safety Management System (SMS) includes -

- Identify the hazard
- Dissect each activity into the smallest possible nodes
- Assess risk by considering the exposure, probability and consequence
- Prioritise and implement control measures
- Find out the residual risk, if any, and procedures for handling of situations
- Continual improvement by adopting new methods and procedures

SIGNIFICANT HAZARDS IN UNDERGROUND MINING

Underground mining of any mineral, especially of coal, is very difficult and full of risks,
which need special discussion. Some significant hazards in underground mining may be
summarised as follows -

o Mine gases
o Mine fires and spontaneous heating
o Explosions in the Mine
o Rock burst
o Subsidence
o Inundation
o Roof fall

Mine Gases

Mine gases are a common feature in many mines, especially in coal mines. The following
gases are found in underground coal mines:

- Carbon monoxide (CO)
- Carbon dioxide (CO2)
- Methane (CH4)
- Hydrogen Sulphide (H2S)
- Sulphur dioxide (SO2)


The production of these noxious and inflammable gases beyond tolerable limits in
underground mines creates environmental hazards. The factors, which are responsible for the
production of these noxious and inflammable gases, are as follows:

- Exhalation by man
- Blasting and explosion
- Underground fire
- Spontaneous combustion
- Coal dust explosion
- Decay of timber
- Bacterial action
- Slow oxidation of coal
- Distillation of coal

Mine Fires and Spontaneous Heating

Various factors governing mine fire and spontaneous heating in underground mines are as
follows -

- Chemical composition of minerals
- Friability
- Presence of Iron Pyrite
- Nature of adjoining strata
- Depth of the seam
- Thickness of the seam
- Geological disturbances

Explosives and Shot firing

The main danger from explosives in underground mine is the ignition of firedamp. It may take
place in the following ways:

o By incompletely detonated explosive: Such explosive may continue to burn like an
ordinary combustible material.

o By incandescent particles coming out of the shot hole after blasting and coming into
contact with coal dust or gas.

o By the flame and hot gases.

o By the compression wave of the blast, which may compress the gases in the cracks
connected with the shot hole and raise the temperature of the compressed gas to such
an extent as to ignite it.

An explosion is a sudden process of combustion of great intensity accompanied by
spontaneous release of a large amount of heat energy and in which the original gas or solid
substance, like coal dust in the case of coal mining, is instantaneously converted into gaseous
products. An explosion is invariably accompanied by violence on a large scale.

Firedamp has been the cause of explosions in mines, especially coal mines, due to moisture in
dangerous proportion, with the result that in every mine adequate steps are taken to prevent a
firedamp explosion. Possible causes of explosion can be attributed to the following factors -

(1) Flames – naked lights, damaged flame safety lamps and contrabands.

(2) Heated surface – overheated lamp gauges, electrically heated wires, heated rock
surface, incandescent coal, overheated broken blocks, un-lubricated haulage rollers,
rope friction, conveyor troughs rubbing against their supports,

(3) Sparks – Electric sparks and arcs, static sparks from compressed air pipes, friction
sparks from iron pyrites, friction sparks from light metal alloys, and

(4) Explosives – Resulting in flame and hot gases, compressive wave set up by
explosives, especially in a break adjacent to the shot hole, incandescent particles
ejecting from the shot hole, incompletely detonated explosives, etc.

Rock Burst

A rock burst or bump in a mine is a sudden and violent failure or collapse of the rock in situ
under stresses greater than it can normally withstand and on a scale sufficient to cause material
damage to endanger the safety of the workers.

Subsidence

Subsidence is an important aspect of underground mining activity. Underground mining
operations can give rise to undesirable effects, such as –

(1) Damage to surface installations like buildings, railways, roads, pipelines for water
supply, power line, etc.,

(2) Produce fractures in another coal seam, immediately above the one being currently
exploited,

(3) Cause fractures on the surface, which may in turn cause flooding of the underground
working by drawing water from the sources on the surface.

(4) Cause damage to other mining installations as well as affect roots of the vegetation.

Inundation

An inundation is an eruption of water or other liquid matter or any wet material that is likely to
follow from workings of the same mine or of an adjoining mine. Many accidents and loss of
lives have been recorded in many countries, including India, due to inundation.

Health Hazards

Occupational safety and health are very closely related to productivity and a good
employer–employee relationship.

Some of the measures, proposed for occupational safety and health from time to time, have
been listed below –

- Effective dust removal system in the crusher house.

- Provision of wet drilling.

- Provision of rest shelters for mine workers with amenities like drinking water, fans,
toilets etc.

- Provision of personal protection devices to the workers.

- Rotation of workers exposed to noise, if necessary, to reduce exposure time.

- Closed control room in crusher house with proper ventilation.

- Dust suppression of haul road and dumps.

- First-aid facilities in the mining area.

- Provision of communication network between pit working areas and the manager.

- Provision of alarm system at working areas.

- Training of personnel including contract workmen in Mines Vocational Training
Centres to inculcate safety consciousness through modules, video clippings, slogans
and posters and introduction of safety awards.

- Safe design of height, width and slope of working benches of OB & coal, overall pit
slope kept less than 33°.

- Safe design for formation of overburden, overall dump slopes kept at 26 degrees.

- Safe design of haul roads.

- Provision of firefighting equipment.

- Safe storage of explosives and other inflammable substances.

- Regular / periodical monitoring of mine environment to ensure the efficacy of various
protective measures.

- Initial and periodical medical examination for the employees.

Storage, Handling and Disposal of Hazardous Waste

Hazardous waste generated, such as used oil, waste oil, empty oil drums, batteries, non-ferrous
scrap etc., as well as explosives, HSD oil and hydraulic oils, should be handled, stored, disposed of
and transported as per the Hazardous Waste (Management, Handling and Transboundary Movement)
Rules, 2016 and CPCB guidelines, like -

- The waste generated shall be disposed of as per HWM rules, within 90 days from the date of
generation, to an authorized recycler.

- The handling, transport and storage of explosives shall be as per Indian Explosive Act.

- Transportation and storage of explosives shall be as per the approved code of practice.

- Flammable, ignitable, reactive and non-compatible wastes shall be stored separately
and never stored in the same storage shed.

- Adequate storage capacity (i.e. 50 % of the annual capacity of the hazardous waste
incinerator) shall be provided in the premises.

- Storage area shall be provided with flameproof electrical fittings, and this shall be strictly
adhered to.


- Adequate firefighting systems shall be provided for the storage area, along with the
areas in the facility.

- There should be a distance of at least 15 meters between the storage sheds.

- Loading and unloading of wastes in storage sheds shall only be done under the
supervision of well trained and experienced staff.

- Fire break of at least 4 meters between two blocks of stacked drums shall be provided
in the storage shed. One block of drums should not exceed 300 MT of waste.

- Minimum of 1-meter clear space shall be left between two adjacent rows of pallets in
pair for inspection.

- The storage and handling area shall have at least two routes to escape in the event of any
fire in the area.

- In order to have appropriate measures to prevent percolation of spills, leaks etc. to the
soil and ground water, the storage area should be provided with concrete floor.

- Measures shall be taken to prevent entry of runoff into the storage area. The storage
area shall be designed in such a way that the floor level is at least 150 mm above the
maximum flood level.

- The storage area floor should be provided with secondary containment such as proper
slopes as well as collection pit so as to collect leakages / spills etc.

- All the storage yards should be provided with proper peripheral drainage system
connected with the sump so as to collect any accidental spills in roads or within the
storage yards as well as accidental flow due to firefighting.

- The stacking of drums in the storage area should be restricted to three heights on
pallets (wooden frames). Necessary precautionary measures should be taken so as to
avoid stack collapse. However, for waste having flash point less than 65.5°C, the
drums shall not be stacked more than one height.

- Drums containing wastes stored in the storage area shall be labelled properly,
indicating mainly type, characteristics, source and date of storing etc.


- The storage areas shall be inspected daily for detecting any signs of leaks or
deterioration. Leaking or deteriorated containers should be removed, and it should be ensured
that their contents are transferred to a sound container.

- In case of spills / leaks, dry adsorbents / cotton should be used for cleaning instead of
water.

- Proper slope with collection pits shall be provided in the storage area so as to collect
the spills / leakages.

- Proper records with type of waste received, characteristics as well as the location of
the wastes that have been stored in the facility need to be maintained.

MANPOWER RELATED RISKS

Mining is a specialised job. Key manpower issues faced are rising labour costs, manpower
rules and regulations, as well as attracting and retaining younger workers.

Mining is also a risky business. Moreover, mining activities are undertaken in remote areas
where basic facilities, like proper residence, shopping, schooling, entertainment etc., are not
available. Therefore, it always remains a challenge for mining companies to retain their
manpower in remote places. Given an opportunity, quality manpower does not hesitate to
switch jobs. Retaining quality manpower, providing them with all basic amenities and keeping
them motivated is a tough job, and therefore labour turnover is very high.

In their quest to extract ever-larger volumes, many mining companies have put enormous
pressure on their capital equipment and geological assets, which have consequently
experienced excessive wear and tear. This ‘sweating of assets’ means that mining equipment
(drills, dozers, motor-graders, dumper trucks, shovels, excavators, water sprinklers, mobile
cranes, mobile light towers, explosive vans, mobile crushers and weighbridges) needs constant
repair and maintenance to remain productive and avoid accidents. High-level engineering
skills are required to keep this equipment running, yet the demand for such resources coincides
with the departure through retirement of an ageing workforce. The newer, younger recruits do
not possess sufficient understanding, experience or judgment to bring assets back into use
quickly, or to predict future technical problems. This leaves mines with a significant
knowledge gap that could impair their ability to achieve planned output quotas. The traditional,
production-driven culture has also reduced the influence of the technical services function
responsible for getting the most out of geology and capital equipment. In some cases, technical
services are actually part of the wider production team, and therefore lack an independent
perspective to challenge decisions at the executive committee level. In such an environment,
where output is everything, the longer-term management of assets takes second place, which
could make the mine vulnerable to shutdowns, failures and safety incidents.

This manpower related risk results in increased cost of production.

FINANCING RELATED RISKS

Financial risks that mining companies are exposed to –

- Financing risks
- Commodity price risk
- Currency risk

Financing risks

The ability to raise finance and decisions around how that new or additional finance should be
structured is critical to the success of any mining project. Funding is needed not only to
construct the mine and build up the associated infrastructure; but also to undertake the agreed
exploration and development work programmes.

Depending on the risk profile of the mining company and prevailing economic or market
conditions, the financing needed may not be available to the company on sensible commercial
terms.

For example, in order to bring in new investors, additional equity financing may only be
available at a lower price than the current share price. This means that the ownership stake of
existing shareholders in the company will be diluted and the overall value of their
investment reduced.

Debt financing brings its own risks: these include restrictive covenants being imposed on the
company by the lender, which could impact operating activities. Or the funds may only be
released once certain (possibly onerous) conditions are satisfied.

In the event that the company is unable to raise additional finance, the scope of its operational
activity may be reduced and production could slow or stop. This could potentially result in its
interest in the licence or project being diluted and even terminated.


Consequently, the company may be unable to deliver the exploration and development
programme within the timescale set out in the business case. Ultimately, the lack of suitable
financing options will drive down the share price of the company.

Commodity price risk

Significant changes in the market prices for commodities will have an impact on the cash flows
generated by a mine. This is arguably the single biggest factor affecting the profitability of
mining companies.

Market prices for commodities are sensitive to changes in a range of political, environmental
and macro-economic factors. Any of these can impact the supply and demand of the resource
and as a consequence can lead to substantial price fluctuations.

For example, changes in demand caused by changes in fashion can impact the use of gold,
silver or platinum in jewellery. Strategic decisions by central banks to increase or decrease
their holdings in gold reserves can also impact the price of gold and other precious metals.

War or adverse weather can cause disruption to supply chains; technological innovation in the
motor industry, particularly demand for electric cars, means an increase in the need for lithium
used in the batteries that power those cars. All of these factors can lead to unexpected
movements in commodity prices.

Where the market price of a commodity falls below the expected cost of production over an
extended period of time, then the production company will need to consider suspending (or
abandoning) its mining operations.

Alternatively, it will be required to issue further cash calls on investors to sustain ongoing
losses. Either way, the effect on the company’s share price could be quite detrimental.

Currency risk

Currency fluctuations can affect the financial performance of any company, but particularly
mining companies, where revenue is derived from commodity sales, as many commodities are
denominated or priced in US dollars (gold in particular) and an increase in the value of the US
dollar can lead to a fall in demand for the associated commodity.


MANAGEMENT OF THE INTERNAL RISKS

Management of the mining companies is supposed to take concrete measures on a regular basis
to check the internal risks. Some of the measures, for example, may be summarised as
follows -

Measures to be taken to avoid the mine gases

- The quantity of inflammable gas given out in each ventilation district is determined at least
once in a month and similarly borehole samples once in a quarter.

- The quantity of air sent into each district is such as to keep the percentage of inflammable
gases in the district return airway below a percentage of 0.75 to 1.25 at any place in the
mine.

- Flameproof apparatus has to be installed at each and every working face to monitor the
weather in the area of development or depillaring in each and every discontinued gallery
as also in all other places, where the percentage of CH4 in the general body exceeds 0.2%.

- Flame safety lamps, air sampling and analysis should be used to continuously monitor the state of
the atmosphere near the stopping.

- There is strict adherence to latest safety manuals and statutory acts.

- A suitable mechanical ventilator installed on the surface should ventilate the workings.

- Approved types of stone dust barriers are provided at the specified places.

- A ventilation officer in each and every operative area should assist the Manager.

- Adequate quantity of air is coursed to well within meters of the working face.

- Air samples are frequently collected from the roof of the working face and analysed in time
for the presence of CH4.

Measures against mine fires / spontaneous heating

- Adequate size coal pillars are being maintained in trunk roads.

- Panels are planned to extract within the incubation period.

- Continuous monitoring of CH4, CO2, CO at goaf edge and other strategic points.


- Flushing of Nitrogen / CO2 in the goaf, if needed.

- Filling of subsidence cracks on the surface by soil etc.

Measures against Fire damp explosion

- To avoid dangerous accumulation of firedamp, it will be kept below its
lower limit of explosibility.

- Avoiding sources of ignition, which may cause the firedamp to explode.

- Proper ventilation of the mine is the main means to prevent dangerous build-up of firedamp.

- Besides this, regular inspection of places where firedamp may accumulate is very essential
in addition to making provision of proper ventilation.

- The motors, switch gears and transformers will be provided with flameproof enclosures.

Measures against coal dust explosion in the coal mining

- Reducing the formation of coal dust in the working faces, haulage roads etc.

- Preventing its spread.

- Rendering the coal dust harmless by wetting it with water or mixing the same with inert
stone dust.

- Making provision of stone dust barriers or water barriers.

- Water spraying at loading points, transfer points as also over the loaded coal tubs help in
reducing the dissemination of coal dust. Dust at the transfer points is being collected with
use of dust extractor.

In addition, by providing a proper ventilation system, especially in underground mines, risks
that may arise due to mine gases, fires and explosions may be minimised. The working
environment in underground mines is one of the important aspects associated with mining
operations. Every mine ventilation system will be planned, established and maintained for
creating a safe and comfortable environment in mine workings for all work persons during all
stages of mining operations. The ventilation system of a mine is required to satisfy the following
basic needs in addition to complying with the statutory requirements -

- To ensure at least 19% of O2 and below 0.5% of CO2 in the air circulated at the workplace.


- To dilute noxious and inflammable gases so as to render it harmless.

- To remove or dissipate the coal or rock dust produced in the mine.

- To prevent excessive rise of temperature and humidity.

In addition to the basic requirements, the ventilation system of every underground mine is
designed and planned by considering the following important parameters for an optimum
and efficient ventilation system:

- Circulating sufficient quantity of fresh air to all mine workings including Plant &
Machinery.

- Air power requirements of the mine should be as minimum as possible.

- System should have Optimum Energy Efficiency.

For extraction of minerals by underground operations, entries to the coal seams will be made
from the surface in the form of tunnels and shafts. A ventilation system is established through these
entries by continuously circulating fresh air in through some of the entries, called downcast,
and taking it back to the surface through other entries, called upcast. This intake air is circulated through
all the required workplaces to take care of the basic requirements for maintaining a safe and
comfortable working environment.

This system is established by operating a fan called the Main Mechanical Ventilator, installed at
the surface over one (or multiple) of the entries and operated continuously as long as the mine is
in operation. The capacity of the said fan in respect of air flow rate, pressure and power is
pre-determined as per the ventilation requirements at various stages of mining activity, and the fan
is installed accordingly.

For mines having deep workings with heavy mechanisation and in needy mines, air cooling
systems are also being installed for improving the comfort at workplaces. Consultancy
services and guidance are also taken from reputed scientific institutions of India and abroad for
the mines in the introduction of advanced systems in respect of underground mining environment.
Various modelling software is being procured and used for different applications related to
mine ventilation and underground environment.

Other Protection Measures

- Float alarm system should be provided and maintained in proper working order.


- River guards may be engaged for monitoring of the water level of adjoining rivers during
the monsoon period, in three shifts.

- River guards should be provided with cell phones to report the water levels and to inform
the mine authorities.

- Mock rehearsals may be conducted periodically and a record maintained at the
mine.

- Escape routes must be displayed in underground at conspicuous places and duty card is
issued to all concerned for easy withdrawal of persons from underground, in case of
emergency.

Precautions at the surface of mines

- All entries should be planned above the HFL zone to avoid danger of inundation.

- Filling up of the subsidence cracks, if any, with overburden or any other material is being
practiced.

Underground Precautions

- The galleries in the panels may be designed, rising towards the boundary of property so as
to have self-drainage of water.

- The panels may be planned to be extracted from the boundary of the mine; this ensures that the water
would flow through drains into the sump, avoiding the risk of water entering other panels.
Adequate capacity of main sump and auxiliary sumps with pumps has been provided.

EMERGENCY PLAN

The manager must prepare a plan of action for use in case a fire, explosion or other emergency occurs. The
plan should outline the duties and responsibilities of each mine official and key men including
telephone operators. All officials and key men should be thoroughly instructed in their duties
to avoid contradictory orders and confusion. The emergency plan may provide for mock
rehearsals at regular intervals.

DISASTER MANAGEMENT PLAN

Disaster Management Plan (DMP) is a general plan of action for use in the event of inundation,
fire, high wall failure, dump failure or any other dangerous occurrence or in the time of
emergency. The DMP will have three stages:


1. Information Stage
2. Assessment Stage
3. Action Stage

SUPPORTING COMMITTEES

Management should form supporting committees which will assist the mining officials
of the company during an emergency. Some of the important committees, in addition to a
Public Relations Committee, may be -

1. Catering Committee
2. Medical Committee
3. Men Management Committee
4. Material Management Committee
5. Transport Committee
6. Survey Committee
7. Casualty Committee
8. Security Committee
9. Cash Committee
10. Accommodation Committee

OCCUPATIONAL HEALTH AND SAFETY

Occupational health needs attention both during construction & erection and operation &
maintenance phases. However, the problem varies both in magnitude and variety in the above
phases. The occupational health problems envisaged at this stage can mainly be due to
constructional accident and noise.

The problem of occupational health in the operation and maintenance phase is due to
respirable dust and noise. With suitable engineering controls the exposures can be reduced to
less than TLV limits, and proper personal protective devices should be given to employees.

The working personnel should be given the following appropriate personal protective
devices, like -

• Crash Helmets
• Zero power goggles with cut type filters on both sides and blue colour glasses
• Chemical goggles
• Welders’ protective equipment for eye & face protection
• Cylindrical type earplug
• Earmuffs
• Dust masks
• Canister Gas mask
• Self-contained breathing apparatus
• Leather apron
• Aluminized fibre glass fire proximity suit with hood and gloves
• Leather hand gloves
• Asbestos hand gloves
• Acid/Alkali proof rubberized hand gloves
• Canvas cum leather hand gloves with leather palm
• Electrically tested electrical resistance hand gloves
• Industrial safety shoes with steel toe
• Rubber boots (alkali resistant)
• Electrical safety shoes without steel toe and gum boots

Full-fledged hospital facilities should be made available round the clock for attending
emergency arising out of accidents, if any.

All the working personnel shall be medically examined as per Statute i.e. Mines Rules, and
related circulars.

GENERAL PRECAUTIONS TO BE TAKEN

Based on the Risk Management process, the recommended controls and precautions to be
taken at the mine for the identified hazards to prevent accidents may be as follows:

• To allocate sufficient resources to maintain safe and healthy conditions at work;

• To take steps to ensure that all known safety factors are taken into account in the
design, construction, operation and maintenance of plants, machinery and equipment;

• To ensure that adequate safety instructions are given to all employees;

• To provide wherever necessary protective equipment, safety appliances and clothing,
and to ensure their proper use;

• To inform employees about materials, equipment or processes used in their work
which are known to be potentially hazardous to health or safety;

• To keep all operations and methods of work under regular review for making
necessary changes from the point of view of safety in the light of experience and up
to date knowledge;

• To provide appropriate facilities for first aid and prompt treatment of injuries and
illness at work;

• To provide appropriate instructions, training, refresher programmes and supervision
to employees in health and safety and first aid, and to ensure that adequate publicity is
given to these matters;

• To ensure proper implementation of fire prevention methods and an appropriate
firefighting service together with training facilities for personnel involved in this
service.

• To ensure that fire pumps are in operating condition and to instruct the pump house
operator to be ready for any emergency with a standby arrangement. This includes guiding
the firefighting crew (i.e. firemen, trained plant personnel and security staff), organizing
the shifting of firefighting facilities to the emergency site, if required, and directing the
security staff to the incident site to take part in the emergency operations under his
guidance and supervision.

• An Emergency Coordinator (Medical, Mutual Aid) should be in place who, in the event of
failure of electric supply and thereby of internal telephones, sets up a communication point
and establishes contact with the Emergency Control Centre (ECC), organizes
medical treatment for the injured and, if necessary, shifts the injured to nearby
hospitals, and makes sure that all safety equipment is made available to the
emergency team.

• Locations of assembly points, depending upon the plant layout and location, would be
identified wherein employees who are not directly connected with the disaster
management would be assembled for safety and rescue. Emergency breathing
apparatus, first aid and minimum facilities like water etc. would be organized.

• Plant facilities would be connected to a Diesel Generator and would be placed in auto
mode. Thus, water pumps, plant lighting, the emergency control centre, the
administrative building and other auxiliary services need to be connected to
emergency power supply. In all the blocks flame proof type emergency lamps would
be provided.

• First aid and firefighting equipment suitable for emergency should be maintained in
the coal storage and reject area. This would be as per statutory requirements as per TAC
Regulations. However, a fire hydrant line covering major areas would be laid. Fire
alarms would be located in the bulk storage areas.

• An ambulance with driver shall be available in all the shifts. An emergency shift vehicle
would be ensured and maintained to transport the injured or affected persons. A
number of persons would be trained in first aid so that first aid personnel would be
available in every shift.

• At the end of an emergency, after discussing with Incident Controllers and Emergency
Co-ordinators, the Incident Controller orders an all-clear signal. When it becomes
essential, the Incident Controller communicates to the District Emergency Authority,
Police, and Fire Service personnel regarding help required or development of the
situation into an Off-Site Emergency.

It may be mentioned here that all of the above are indicative, not exhaustive. Each
Mining Company is required to identify its own risks and make a plan to mitigate them.
The Internal Auditor will ensure that the risk mitigation plan is working, and deviations will
be reported to the higher management.

MITIGATION OF FINANCIAL RISKS

An effective project management controls framework enables frequent monitoring of the main
risk indicators – in particular, delays and cost overruns – and spots any unfavourable trends
early enough to respond. Periodic project reviews can assess that staff are complying with
policies and procedures and ensure that suppliers are adhering to the contract terms. This
should create a flow of reliable information to the individuals and committees that oversee the
project, with five principal areas of focus:

1 Strategy, organization and administration - Projects should have a clear strategy, with
a formal approval process prior to entering into contracts and committing company
funds. Policies and procedures for all associated processes need to be regularly reviewed
and updated, with the right people put in place, with defined roles and responsibilities.

2 Cost management - A standard budgeting process ensures that all expenditures are
subject to a consistent level of scrutiny, and makes it easier to monitor spending.
Similarly, formalized reviews of payments and approvals help to control costs throughout
the project, with all authorizations documented. Taking help of a Cost and Management
Accountant may be extremely fruitful to the business.

3 Procurement management - A single, organization-wide sourcing process fosters
strong business relationships with reputable firms and encourages a reputation for
fairness. Contracts can be open to radically differing interpretations, and a standard
contract template – created with the help of legal specialists – avoids ambiguity, with
common, clear language.

4 Project controls - Mining projects change constantly, and owners need a formal,
documented process for agreeing and approving any variations. A robust risk
management framework does not just consider immediate project risks, but also
encompasses wider business, regulatory and political risks, such as resource nationalism
or environmental opposition. Many mining companies have multiple regions and
business units and need to aggregate all the various risks to gain a top-level view.

5 Schedule management - By agreeing on schedule development standards, project
managers can take a broad view of every major activity, compare the progress of different
projects, and make informed decisions on schedule changes caused by factors such as
weather, materials delivery, staff availability and budget limitations. Despite the best
efforts, problems can occur, so organizations should be prepared to take urgent action,
including more frequent status reporting, closer observation of contractors in the field
and a detailed study of supplier performance against contract. When contemplating any
remedies, it is wise to seek legal advice. Ultimately, controls are only as good as the
people that use them, and every effort should be made to establish a risk-aware culture,
with risk performance integrated into appraisals and incentives.

MANAGEMENT OF SKILLED MANPOWER RELATED RISKS

By placing a higher priority on skilled manpower, mining company Boards can help shift the
culture from pure volume to longer-term value. An independent, executive-level technical
services committee could aid this process, giving technical personnel a bigger voice with
senior management, as a counterpoint to the production agenda. Learning and knowledge
transfer should be an integral part of resource planning, so that essential skills are not lost to
the organization when individuals leave or retire. All appropriate staff should receive training
in technical and diagnostic problem-solving, while retiring workers could be incentivized to
remain on a part-time basis or be employed as advisors. Geological complexity is one of the
biggest challenges facing the industry, and requires a joint effort by management, workers and
unions to agree on the necessary technical, information technology (IT) and
telecommunications infrastructure, as well as training and health and safety measures. The
technical services, Human Resources (HR), health and safety and production functions have
to coordinate closely, to ensure that the organization can maintain agreed output levels without
sacrificing safety or overstretching the capacity of equipment or individuals.

*****

CHAPTER 8: QUESTIONNAIRE

PREPARATION OF QUESTIONNAIRE

The Internal Auditor has to first understand the risks of a mining company. Since he / she (the
Internal Auditor) may not be an expert in the mining industry, he / she has to prepare a
questionnaire to understand the nitty-gritty of the risk management process of the company.
Answers to this questionnaire are to be obtained from the management of the company / unit
at the time of the audit.

After obtaining the answers to these questions, the Internal Auditor will verify their genuineness
and then make necessary comments for improvement. It is to be kept in mind that,
since the Internal Auditor may be an outsider, the answers to these questions are very crucial for
further audit and ultimately for the final audit report.

Many companies discuss their risk management in their annual reports. The Auditor should
obtain one copy of that report also. Answers to many questions may be available from that
report itself.

A list of probable questions for the questionnaire has been given below. This list is indicative,
not exhaustive, and Auditors can add / reduce the questions to understand the system -

1. What internal and external risks have been identified by the management in relation to
the auditee company? Please explain in brief.

a.

b.

c.

d.

(More points may be added)

2. Please submit previous internal audit report on the risk management of the company.

3. Does the company have any Manual or discussion paper on risk management? If
yes, provide a copy.

4. Does the company / unit have a Risk Management Framework? If yes, explain it in brief.

____________________________________________________________

____________________________________________________________

____________________________________________________________

5. Does the company / unit have a Risk Management Team (RMT)? If yes, explain in brief
with names of the members with contact number and email ids, including that of Chief
Risk Officer.

____________________________________________________________

____________________________________________________________

____________________________________________________________

6. Does the meeting of RMT take place regularly? If yes, give the dates and issues discussed
during the last three meetings.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

7. Please enclose or discuss the Action Taken Report (ATR) on the issues discussed in the last
three meetings of RMT.

______________________________________________________________

________________________________________________________________

_________________________________________________________________

8. Has RMT presented any report to the higher management / Board of Directors (BOD)
recently? If yes, explain the brief of the last report with the dates of the submission of the
report. If possible, provide a copy.

_________________________________________________________________

_________________________________________________________________

_________________________________________________________________

9. What is the communication system to explain the Risks and Risk Mitigation System to the
middle and lower-level management of the company? Explain in brief.

________________________________________________________________

________________________________________________________________

________________________________________________________________

10. Please comment on the “Risk Management Culture” of the organisation.

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

11. Is the company guided by any statutory risk mitigation plan, like the Mines Act etc.? If yes,
give the details with steps taken –

(i) __________________________________________________________

(ii) __________________________________________________________

(iii) __________________________________________________________

(More points may be added)

12. Please give the details of the programmes organised to communicate the Risk Management
Framework to each and every level of the hierarchy -

(i) __________________________________________________________

(ii) __________________________________________________________

(iii) __________________________________________________________

(More points may be added)

13. Details of literature distributed among all levels of the management and workers to make
them aware of the Risk Management Framework. Samples of literature may be attached.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

14. Has the Risk Management Framework been discussed in detail in the Annual Report
of the Company? If yes, a copy of the report may be enclosed.

15. Has the company suffered any financial, commercial or human loss due to Risks in the past
ten years? If yes, the details may be provided in separate sheets.

16. Who is accountable to the Board for quality, risk and assurance disclosures?

____________________________________________________________________

17. Who is aligning strategy with regulatory requirements and obligations?

____________________________________________________________________

____________________________________________________________________

18. Provide a brief as separate sheet(s) on Managing stakeholder relationships and meeting
multiple demands.

19. Do Project teams have sufficient and appropriate skills and expertise to manage the
project?

20. Are Project risks fully understood or vetted prior to project approval?

21. Comment on Project delays during planning and approval that result in compressed
schedule milestones and unrealistic completion targets set by management.

22. Is there any Major business interruption or inefficiency, due to ineffective asset
management? Provide the details.

23. Comment on Escalating cost of resources of major projects in separate sheet(s).

24. Comment on lack of key Labor-skill and industrial relations.

25. Comment on impact of Evolving environmental laws and regulations.

26. Comment on relationships with regulators.

27. Comment on increasingly complex regulatory environment.

28. Provide the status of health and safety of employees, especially those who are engaged in
mining activities.

29. Provide the figures for the last three years of fraudulent financial reporting, payment fraud,
bribery and corruption, theft, anti-competitive behaviour, market rigging etc.

30. Is there any system of hedging against potential royalty rate rises?

31. Steps taken to avoid disputes over transfer pricing.

32. Do Board sub-committees monitor risk and assurance activities effectively?

33. Is management safeguarding the key drivers of value?

34. Is risk and assurance simplified – and aligned with the way the business operates?

35. Is assurance coverage optimal and cost efficient and directed where the business needs it
most?

36. Explain the HR policy of the company. What is the labour turnover ratio of the company
and its cost of last three years? Has it been compared with similar types of the companies?

37. A brief is required on the financing and financial resources of the company.

38. Is the company covered under the mandatory maintenance of cost records and cost audit? If
yes, was it complied with?

39. What are the major observations of the lead Financial Auditors, Cost Auditors and Secretarial
Auditors of the company during the last three years?

40. Brief of any other point which management desires to share with the Internal Auditor.

*****

CHAPTER 9: INTERNAL AUDIT CHARTER

INTERNAL AUDIT CHARTER

A formal, documented, and approved charter should be prepared and put in place considering
it is a foundational element of internal audit activity.

The purpose, authority, and responsibility of internal audit activity must be defined in the charter.
The Internal Auditor (Head of Internal Audit) must review the charter periodically and present
it to the senior management and the Board Committee for approval. In the case of CPSEs, the
charter should also be aligned with any requirements laid out by the Department of Public
Enterprises (DPE).

It should,

• Establish and define the position and its status within the organization so as to improve
the chances of contributing effectively to achieve the organization’s objectives.

• Establish a functional reporting relationship with the Board.

• Empower the function with unlimited access to records, personnel, and equipment relevant
to performing the engagements.

• Define the scope of internal audit activities that should cover every part of the
organization’s operations and functions.

STRUCTURE: THREE LINES MODEL

The organization should adopt the model (presented below) so as to facilitate and identify the
distinct responsibilities of the Board, Management, and Internal Audit to best achieve the
organization’s objectives.

Internal Audit, in its third-line role, will provide independent and objective assurance and
advice on all matters or responsibilities assigned. Internal Audit may coordinate with the
activities of the second line but should not be performing or making management decisions
around the role of the second line. The Internal Auditor will ensure that the charter is aligned
with the model.

Board/Audit Committee

Senior Management*

First Line: Operations (Procurement, Production, Sales, Accounting, etc.)
• Operational Management & Staff responsible for day-to-day activities
• Owners of risk for ensuring controls are in place & functioning effectively

Second Line: Compliance, Information Security, Quality, Financial Control, Risk Management
• Provide oversight, guidance, & support to first line
• Establish policies, procedures to ensure effective risk management
• Monitor & assess control effectiveness implemented by first line, carry out control
enhancements

Third Line: Internal Audit
• Independent assurance on design & operating effectiveness of control for risk management
• Independently test controls implemented by first two lines & provide unbiased report

Risk & Control Ownership: First Line and Second Line
Assurance Ownership: Third Line

* A committee comprising of senior personnel representing Finance, Operations, IT, HR,
and Legal/Compliance is recommended.

The roles and responsibilities of each line should be established, documented, understood, and
communicated across all levels of the organization to ensure alignment.

DELIVERY

Considering that the scope of Internal Audit today extends beyond the financial audit and
requires skillsets beyond financial discipline, the delivery model chosen must have multi-
disciplinary skills and should be aligned to the audit plan so as to meet the audit objectives.

There are several types of internal audit. For example, Financial Audit; Operational Audit;
Information Systems Audit; Environmental Audit, Compliance Audit, etc.

Three options are provided for the delivery of the internal audit services. The Board and
Management, after carefully assessing the needs of the organization, should decide on the
model that will serve the purpose of the organization. The indicative factors that may be
considered for evaluation are Budget, Resource availability, Maturity, Operating environment,
and Competency.

• In-House: Establishing and resourcing in-house function within the organization.

• Co-sourcing: Establishing in-house function and supplementing it with internal audit
services if there is a need for specialized or additional resources.

• Outsourcing: Contracting the internal audit activity to an external service provider. The
service provider must be accountable to senior management personnel in the organization
having adequate knowledge of the subject.

Individuals transferred from other functions to carry out internal audits should refrain from
auditing the areas for which the individual was previously responsible.

REPORTING RELATIONSHIP

The reporting must be to an appropriate level within the organization for the Internal Audit to
fulfil its responsibilities.

Functionally, Internal Audit should be reporting to the Board/Board Committee. In the absence
of a Board/Board Committee, the reporting should be to the head of the organization.

Administratively, the reporting should be to senior management personnel (maybe to the
Director of Finance/General Manager of Finance).

The primary responsibility and accountability for the internal audit activities, including that of
the external service providers, shall rest with the head of the internal audit function.

Internal Auditors must confirm to the Board/Board Committee the independence of the
function at least annually.

RESOURCING

The function should have people from diverse backgrounds and with different levels of
experience. The function should also consider the budget allocated for the function.

The function should collectively possess the knowledge, skill, and other competencies to fulfill
its responsibilities and range of services that are approved for delivery.

The function should consult the Board/Board Committee and senior management about the
adequacy of the resources for rendering the services.

(Recommended that a co-sourced model be put in place. In-house team may comprise of a
Chief Internal Auditor having around 10 to 12 years of experience supported by two junior
resources having 2 to 4 years of experience. Preferably, from financial background with
knowledge in IT systems)

INVESTMENT (COST)

Internal Audit has to be cost-efficient but that should not be the “end-all, be-all” when it comes
to good governance.

Nevertheless, with the increasing complexity of the function and the digital capability required
to generate value, the organization should think and recalibrate its existing approach.

The organization should not dither to invest in building the requisite capability. An objective
evaluation of the budget requirement, every year, should form the basis for addressing the
need.

*****

CHAPTER 10: INTERNAL AUDIT PROCESS

OVERVIEW OF INTERNAL AUDIT PROCESS

A diagrammatic representation of the overall process has been depicted below for visualization
of the internal audit activity.

Plan: Assess organizational-level and process-level risks; prepare an annual audit plan
based on this assessment; plan an audit engagement based on the audit plan

Execute: Perform the audit engagement

Report: Report on the results of the engagement to concerned functional head/s, Senior
management & Board Committee as required

Follow-up: Close the engagement and follow-up on implementation of corrective actions

Quality Assurance and Continuous Improvement

STEPS OF INTERNAL AUDIT PROCESS

The general steps of the internal audit process have been discussed in Chapter-1 of this Manual.
Based on that, the internal audit will take the following steps during the audit work (this list is
indicative, not exhaustive).

Step 1: Planning

The Internal Auditor (IA), after receiving the audit order, will plan the whole audit process.
This will include the following -

- IA should go through the Annual Report of the company to understand the internal /
external risks of the concerned company and/or the units.

- IA will make a plan and programme to visit the site.

- IA programme will be conveyed to the Auditee for receiving the confirmation and making
all arrangements for the visit like accommodation, conveyance etc.

- The auditor will review such audits of prior period, if any and related professional
literature.

Step 2: Opening Meeting

- The Internal Auditor will visit the site / office and will have an opening meeting with the
auditee.

- In this meeting, the auditor will also give the Questionnaire, as mentioned in Chapter 7
with a request to submit it back with the answers within next 15 days.

- All officials, related with risk assessment and mitigation in the company / unit will also be
invited in the meeting.

Step 3: Fieldwork

After this the IA will start the fieldwork of the Audit with his team –

- He will visit the site and try to understand the internal and external risks.

- He will try to understand the risk mitigation plan of the company.

- The replies of the questionnaire by the management will be compared with the actual
ground reality and deviation will be noted down.

- IA will talk to workers and other officials, working at the site to know their understanding
about the risks.

- Test checking of the internal risk mitigation plan may be done.

- For external risk assessment and mitigation, the IA will talk to all concerned senior officials
to understand their preparations and steps taken.

- A special meeting will be arranged between the Internal Auditor and the Chief Risk Officer
(CRO) along with other members of the Risk Management Committee (RMC) to assess the Risk
Management Framework.

- Related portion of the minutes of meeting of BOD / Risk Management Committee should
be shared with the Internal Auditor. It is the duty of the management.

- Action Taken Report (ATR) on the decisions of the management on risks and mitigation.

- IA will also obtain the related rules and regulations of regulatory body, if any, and its
guidelines for risk assessment and measures to be taken.

- IA may use following techniques for risk assessment

(a) Qualitative Techniques

• Checklists
• Safety Audits
• Task Analysis (TA)

(b) Quantitative Techniques

The proportional risk-assessment (PRAT) technique: This technique uses a proportional
formula for calculating the quantified risk due to hazard. The risk is calculated considering the
potential consequences of an accident, the exposure factor and the probability factor.

R = P*S*F
Where,

R: the Risk;
P: the Probability Factor;
S: the Severity of Harm Factor;
F: the Frequency (or the Exposure) Factor

(c) Hybrid Techniques

Fault-tree analysis (FTA): It is a deductive technique focusing on one particular accident
event and providing a method for determining causes of that event. In other words, FTA is an
analysis technique that visually models how logical relationships between equipment failures,
human errors, and external events can combine to cause specific accidents.

- The Internal Auditor should go through this Manual carefully, which will help in understanding
the general external and internal risks being faced by the company / unit. It will also help
in ensuring that the management has not missed any type of risk which needs to be discussed
with the IA.

- Sometimes, the middle and junior level employees of the company adopt a casual approach
and underestimate the impact of a risk, with the result that the suggested guidelines are
not followed and no mitigation plan is developed. But when that risk materialises, the
management finds itself in an unguarded position and the company suffers huge loss of
human life, resources, production and finance. IA should, therefore, try to find and
highlight any such risk so that the management is compelled to develop a mitigation plan
for that risk also.
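
As an added illustration of the fault-tree analysis described under hybrid techniques above (this example is not part of the manual), the following Python code derives the minimal cut sets and the exact top-event probability for a small tree that combines equipment failures, a human error and an external event. The tree shape, event names, probabilities and the assumption that basic events are independent are all constructed for illustration.

```python
from itertools import product

# Constructed tree (assumption, not data from the manual). A leaf is a basic-event
# name; a gate is ("AND" | "OR", [children]).
# Top event: methane build-up goes unnoticed in a working section.
TREE = ("OR", [
    ("AND", ["fan_fails",                                           # equipment failure
             ("OR", ["sensor_fails", "operator_ignores_alarm"])]),  # equipment / human error
    ("AND", ["grid_outage", "backup_generator_fails"]),             # external event + equipment
])
# Constructed per-shift probabilities; basic events are assumed independent.
PROB = {"fan_fails": 0.1, "sensor_fails": 0.2, "operator_ignores_alarm": 0.5,
        "grid_outage": 0.1, "backup_generator_fails": 0.5}

def cut_sets(node):
    """Minimal cut sets: smallest combinations of basic events that cause the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    if gate not in ("AND", "OR"):
        raise ValueError(f"unknown gate: {gate}")
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":    # any one child's cut set is enough
        combined = {s for sets in child_sets for s in sets}
    else:               # AND: one cut set from every child must occur together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Drop any set that strictly contains another (it is not minimal).
    return sorted((s for s in combined if not any(o < s for o in combined)), key=sorted)

def occurs(node, state):
    """Evaluate the tree for one assignment of True/False to every basic event."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [occurs(child, state) for child in children]
    return any(results) if gate == "OR" else all(results)

def top_event_probability(tree, prob):
    """Exact probability of the top event, summed over all 2**n basic-event states."""
    events = sorted(prob)
    total = 0.0
    for values in product([False, True], repeat=len(events)):
        state = dict(zip(events, values))
        if occurs(tree, state):
            weight = 1.0
            for event in events:
                weight *= prob[event] if state[event] else 1.0 - prob[event]
            total += weight
    return total

if __name__ == "__main__":
    for cs in cut_sets(TREE):
        print(sorted(cs))
    print(round(top_event_probability(TREE, PROB), 4))
```

Each minimal cut set is a combination of failures that the auditor can check against the company's risk register and mitigation plans; a cut set containing a single event would be a single point of failure.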

Step 4: Draft Report

IA will prepare a draft report within one month of the start of the work which will cover the
following points / comments on –

- Main external and internal risks being faced by the company / unit

- Any other potential risk(s) which have not been estimated by the concerned company /
unit

- Risk Management Framework of the company / unit

- Working of Risk Management Committee

- Communication from top management about risks and risk mitigation to lower levels.

- Frequency of this communication

- Sensitivity of the management and employees about Risk Management Framework

- Comments on the rules and regulations of regulatory body, if any, and its guidelines for
risk assessment and measures taken by the company / unit.

- Training programmes of the company on risks involved and steps taken for the employees
and all concerned at different levels.


- Comments on the decisions of the BOD / higher management on Risk Management
Framework and Action taken by the concerned officials. If deviation is found, that should
be highlighted specifically.

- Comments on adequacy or inadequacy of the Risk Management Framework of the
company / unit

- The risk / risks which have been underestimated or missed by the management.

- Comments on the replies of the Management to the questions of the Questionnaire, as
advised in this manual.

- Suggestions for further improvements.

Step 5: Management Response

The above draft report will be submitted to the management and its comments will be invited
within the next fifteen days.

Step 6: Closing Meeting

After receiving comments from the management, the Internal Auditor may hold a final meeting
with the management and other concerned officials.

Step 7: Final Audit Report Preparation

The Internal Auditor will submit the final Audit Report within three months of the start of the
work.

*****


Annexure

DRAFT REPORT

This Internal Audit report on risk management is only indicative. The actual report may vary
in points, figures, facts, contents, annexures and details.

Internal Audit Report


Department: _____________________
Review of the Risk Management Framework

Index
Sno. Headings Page
1 Background
2 Audit Scope & Objectives
3 Audit Approach
4 Summary of main findings
5 Action Plan
6 Conclusion
7 Acknowledgments

BACKGROUND

This report has been prepared as a result of the Internal Audit review of Risk Management as
part of the _____ (year) Internal Audit Plan.

A review was carried out in ------- (year) covering the management’s approach to Risk
Management and the establishment of a framework. A report was prepared that recommended
certain actions be taken by management that would embed a framework for Risk Management
within the departments of the Company. Given the importance of ensuring that there is ongoing
progress of the framework, it is considered prudent to establish whether agreed actions by
management are being progressed and where possible to further assist with framework
development. In order to establish the progress made by management to date, the following three
areas were included for this review –

- To establish whether the recommendations from the ---------- (year) report have been
implemented.

- Risk management arrangements are sufficiently developed to provide an effective
operational management tool.

- Whether departmental loss control groups have set up operational and strategic risk
registers within a set timescale.

As a result of our audit work, findings were generated. These findings were subsequently
discussed with management and where appropriate included in the action plan for future
implementation.

AUDIT SCOPE AND OBJECTIVES

The broad objective of the audit is to evaluate whether there is a Risk Management Framework
(RMF) in place which can enable the risk management process to be carried out and developed
in a comprehensive manner, whereby all significant risks are identified, evaluated, controlled,
monitored and reported in accordance with best practice.

The adequacy of the arrangements to meet the objective has been assessed using a grading of
one to five points. Five points indicate good arrangements and one point indicates that
inadequate arrangements are in place. The assessment is set out in figure 1. The assessment has been made
by considering the value and significance of the findings and recommendations.

AUDIT APPROACH

The following approach was used to satisfy the objectives of the audit:

- Discussions were held initially with the Head of _____________ and the Governance
and Risk Manager for background to risk management procedures and development
in the Company and its relationship with promoting the principles of Best Value within
the Council.

- Internal Audit prepared and requested the completion of a questionnaire by
management to assist in addressing the above objective.

- Tests were devised and conducted as part of the exercise, and relevant evidence of
progress made was requested and reviewed.

- Any problem areas were highlighted and brought to the attention of management via
a draft report and their comments were incorporated into this report where appropriate.

- A final report was prepared for the attention of the Board of Directors of _________.


SUMMARY OF MAIN FINDINGS

Internal Audit in the course of the audit found through testing that a number of key steps have
been achieved in implementing recommendations from the -------- (year) Risk Management
Framework report. However, a few areas remain to be fully progressed to conclusion.

Risk management procedures need to be finalised and issued to departments. The procedures
will provide the Loss Control Groups (LCGs) with a formal operating framework. This should
then be presented to the Audit Committee for approval.

The SMT has presently reviewed and approved the Company Risk Register. A quarterly report
is prepared for the SMT and Audit Committee on risk management. This could be enhanced
with a list of high-level risks gathered from departments on a quarterly basis. This will provide
evidence to the SMT and Audit Committee that high risks have been identified and
management is aware of and has assessed these risks.

In addition, the quarterly report to the SMT and Audit Committee should include perceived
departmental benefit outcomes of embedding the risk management process within the Council.

It was found that the Risk & Corporate Governance Manager did not have a formal record of
DMT minutes delegating authority to LCGs. It is therefore recommended that a copy of each
DMT delegated authority should be passed to the Risk & Governance Manager to be
incorporated within the risk management procedures and operating framework document.

ACTION PLAN

The action plan attached at Appendix has been compiled with the cooperation and agreement
of the Head of Democratic Services and Governance.

Internal Audit considers that, in an effort to improve the quality of information, monitoring
and control, the recommendations should be implemented in accordance with the agreed action
plan. Management have set achievable implementation dates and will be required to provide
reasons to the Audit Committee for failure to implement within the agreed timescale. Where
management decides not to implement recommendations it must evaluate and accept the risks
associated with that decision.

A system of grading audit findings, which have resulted in an action, has been adopted in order
that the significance of the findings can be ascertained. Each finding is classified as
fundamental, material or minor. The definitions of each classification are set out below: -


Fundamental - major observations on high level controls and other important internal
controls. Significant matters relating to factors critical to the success of the objectives of the
system. The weakness may therefore give rise to loss or error.

Material - observations on less important internal controls, improvements to the efficiency
and effectiveness of controls which will assist in meeting the objectives of the system and
items which could be significant in the future. The weakness is not necessarily great, but the
risk of error would be significantly reduced if it were rectified.

Minor - minor recommendations to improve the efficiency and effectiveness of controls, one-
off items subsequently corrected. The weakness does not appear to affect the ability of the
system to meet its objectives in any significant way.

CONCLUSIONS

It is the opinion of Internal Audit that good progress has been made by the Company to address
the requirements of introducing a Risk Management framework.

However, during the course of the audit, some areas were identified as requiring further
development and therefore recommendations have been made. These have been discussed with
management and an action plan agreed. (Where management has not accepted an issue, it has
done so with knowledge and acceptance of the risk and control weakness.)

Figure one below sets out a summary of the overall conclusions arising from the audit in terms
of the specific objectives detailed above.

Figure 1: Summary of overall conclusions

| Specific Objectives | Assessment |
|---|---|
| To establish whether the recommendations from the 2006/07 report have been implemented. | |
| Risk management arrangements are sufficiently developed to provide an effective operational management tool. | |
| Whether departmental loss control groups have set up risk registers within a set timescale. | |


ACKNOWLEDGEMENTS

Thanks are due to the Head of _______________ and his staff for their co-operation and assistance
during the audit and the preparation of the report and action plan. Thanks are also due to
_____________ and staff along with Audit Scotland who provided comment on the relevance
of the proposed model.

Internal audit department of ___________ has prepared this report. Its work was limited to the
scope mentioned above in this report. It cannot be held responsible or liable if information
material to our task was withheld or concealed or misrepresented.

This report is private and confidential for the Company’s information only and is solely for
use in the provision of an internal audit service to the Council. The report is not to be copied,
quoted or referred to, in whole or in part, without prior written consent.

*****


Appendix

ACTION PLAN

| Action Plan No. | Para | Grade | Weakness identified | Agreed Action | Responsible Officer | Date of Implementation |
|---|---|---|---|---|---|---|
| 1 | 2.3 | Material | Operating procedures are to be finalised and issued to departments. This will also offer an operating framework for departmental LCGs and present to the Audit Committee for approval | This is close to completion as the necessary documents have been prepared and will go to the next RMG for review and approval. | | |
| 2 | 2.1 | Material | The quarterly report to the SMT and Audit Committee does not include a list of high-level departmental risks and any perceived benefits resultant from embedding the risk management framework. | The quarterly report will in future include these issues | | |

*****
