CBS: Audit Considerations Subhash Chandra Arora MSC,CAIIB,ACMA,FCS,CISA.


Page 1:

CBS: Audit Considerations

Subhash Chandra Arora MSC,CAIIB,ACMA,FCS,CISA

Page 2:

Agenda: CBS Audit

• Objective
• Challenges of CBS Audit
• Engagement Risk
• Sources of material mis-statement
• Internal Controls to protect from Risks in CBS
• Assessment of Internal Controls
  – Access Rights
  – Interfaces, outsourcing
  – MIS: Exception Reports
  – Data Gathering

Page 3:

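CBS Audit: Objective

Reduce audit risk to an appropriately low level

Auditor’s opinion against whether a material mis-statement really exists:

• Opinion: mis-statement exists; mis-statement really exists: OK. Report leads to rectification. Result: Monitorable Action Plan
• Opinion: mis-statement exists; mis-statement doesn’t exist: False Positive (Discomfort). Requires better documentation of control existence
• Opinion: mis-statement doesn’t exist; mis-statement really exists: Audit / Detection Risk. False Negative – inversely related to evidence from substantive procedures
• Opinion: mis-statement doesn’t exist; mis-statement doesn’t exist: OK – No Conflict. Every one is happy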

Page 4:

Reduce Audit Risk: Challenge

In most situations, the auditor will not be able to reduce audit risk to an acceptably low level unless management has instituted an internal control system that allows the auditor to be able to assess the level of inherent and control risks as less than high. The auditor obtains sufficient appropriate audit evidence to assess the level of inherent and control risks.

Page 5:

Guidance Note: Internal Control

• Internal control makes the right things happen the first time

• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and governing bodies/ committees

Page 6:

CBS Audit: Engagement Risk

Engagement Risk

• The auditor would ordinarily need to document the assessment of engagement risk, factors identified as increasing engagement risk… (Para 1.28 of Guidance Note)
• Assessment
  – Even before accepting Audit Assignment
  – Risk is still within the firm’s pre-determined appetite for risk
• Objective: Whether any factors require special response
• Affects: Preliminary Audit Plan

Review in the light of additional information during Engagement
Document considerations for readjustment

Rule of Bureaucracy: Not to inform the reader, but to protect the writer

Page 7:

Engagement Team Discussion

• Errors that may be more likely to occur;
• The method by which fraud might be perpetrated by bank personnel or others within particular account balances and/or disclosures;
• Audit responses to Engagement Risk, Pervasive Risks, and Specific Risks;
• The need to maintain professional skepticism throughout the audit engagement; and
• The need to be alert for information or other conditions that indicate that a material misstatement may have occurred (e.g., the bank’s application of accounting policies in the given facts and circumstances).

Page 8:

Challenges of CBS Audit

• No access to the overall IT policy, processes, controls and accounting procedures implemented by the bank.
• Complex trading transactions
• Unfamiliar Workflows
• Undetected errors in Business Rules in system
• Lack of Visible Evidence
• Mammoth EOD Reports
• Huge Online MIS: ‘clock lost in hay’ analogy
• Bugs and frauds hidden in labyrinth of data
• Anxiety: Does the CBS generate reliable & accurate financial statements & reports?
• Judgment of Value
• Independent IT audit of the branch. CBS

Page 9:

CBS Audit: Guidance Note

• Part II – Risk Assessment and Internal Control deals with audit procedures to be followed under the two risk based Standards,
• SA 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Environment including Internal Control”, and
• SA 330, “.... Responses to Assessed Risks”

Page 10:

CBS: Audit Procedures

The procedures selected depend upon the auditor’s judgement

• Including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error.

Page 11:

Assertion level Risk Assessment

• Identify risks throughout the process
• Pinpoint each risk to one or more assertions relating to account balances or disclosures.
• Consider whether the risks are of a magnitude that could result in a material misstatement of the financial statements.
• Document the identified and assessed risks of material misstatement at the assertion level.

Page 12:

Risk of material misstatement at assertion level has two components:

• Inherent Risk (IR), which is the susceptibility of an assertion to a material misstatement, assuming that there are no related controls. Inherent risk is greater for some assertions and related account balances, classes of transactions, and disclosures than for others.
• Control Risk (CR), which is the risk that a material misstatement that could occur in an assertion will not be prevented or detected by the entity’s internal control on a timely basis. Control risk is a function of the effectiveness of the design and operation of the entity’s internal control.

Page 13:

Dimensions of CBS Audit

[Diagram labels: CBS; Deposits, Advances, Trade Finance, Inc / Exp, Misc A/L; Interfaces; Risks; Controls; Control Risk; Inherent Risk]

Management is responsible for design, implementation and maintenance of internal control relevant to the preparation of the financial statements that are free from material misstatement, whether due to fraud or error.

Page 14:

Guidance Note: Internal Control

• Internal control makes the right things happen the first time

• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and governing bodies/ committees

Page 15:

CBS Audit: Key

Determine source of likely potential misstatement:

• Fraud
  – Internal, or
  – External
• Assets: Classification, Income Recognition & NPA Provisions
• Asset Valuations

Look for evidence that controls have been identified, communicated and are monitorable

Test controls specifically intended to prevent or detect fraud

Page 16:

CBS Audit: Strategy

• Options:
  – Evaluate & Test controls, and / or (may be Centralized)
  – Perform substantive tests – often inefficient
• Perform Substantive tests, when control
  – does not address inherent risk
  – addresses IR, but not to the extent that further review and testing of control is efficient
  – addresses IR sufficiently to warrant testing, but not efficient to do so, e.g. very few transactions
• A substantive test “substantiates” the integrity of actual transaction processing.

Page 17:

Financial Audit: Control Evaluation

Q1: Can learning application menus help?
• Perhaps for performing substantive tests. More important to understand how transactions are processed, what are built in preventive / detective / corrective controls. What are compensating controls?

Q2: How to start?
• Abrahm’s Advice: When eating an elephant take one bite at a time. Evaluate each control relevant to audit.

Page 18:

Audit : Prioritise – Risk Matrix

Page 19:

Audit strategy: Based on Control Risk Assessment

In respect of each category of Txn

Maximum

Below Maximum

Low

All assurances will be derived from substantive tests

• Identify preventive / detective controls
• Evaluate effectiveness of controls
• Test Existence of controls
• Document Record of application / monitoring control
• Perform efficient substantive tests
• Use analytical procedures

Test application and IT controls only when:
• Favourable control environment
• Prior experience of control -> Effectiveness
• Volumes of Txns are high
• Complex and integrated systems

Page 20:

Controls: Attributes

Identification and documentation:

• Organization should identify the controls to minimize the occurrence of unlawful events.

Implementation:

• Identified controls should be implemented.

Existence:

• Sometimes controls have been implemented, but in reality they do not exist due to various reasons, for example a password change policy. Existence of the controls is equally important.

Adequacy:

• Verify controls are adequate to cover all possible threats.

Page 21:

Guidance note on Test of Controls

• Access to primary and subsidiary records is provided and use of data analysis tools is allowed at central and branch level.

• Test of controls and substantive checking of sample transactions is carried out at the central level and the results are shared with the branch auditors, if required.

Page 22:

Risk Assessment: Worksheet

• Risk Area:
• Risk Description:
• Inherent Risk – Size of the Risk Area
• Control objective – relevant to audit
• What ensures that Control Objective is achieved
• Control Risk Assessment
  – Type of control: Preventive / Detective / Corrective
  – Whether Control Depends upon another control for its effectiveness
  – Whether Control Exists
  – Whether control is implemented

Page 23:

Illustrative list of controls

• Access Control Matrix - E/P/V
• Segregation of duties in high risk areas
• Standard Operating Procedures
• EOD/BOD/Monthly Control Reports
• List of TODs Granted
• Transgression of powers
• Debits to income heads
• Manual debits to office A/cs like
• Customer debits without cheque
• Customer Risk Categorisation

Page 24:

Example MIS: FDs

• List of deposits with wrong interest codes and either closed fully or partially before maturity during the month. Check Interest / verify
• Details of Value Dated Deposits opened during the month. Check Authorisation / verify
• List of Term Deposit accounts opened and closed during the month within 15 days and interest paid. Check Interest Computation / verify
• List of deposit accounts where TDS exemption flag is 'Yes' at account level as on the date of the report. Check supporting evidence / verify
• FFD - CustID mismatch. Check appropriate linking.

Page 25:

CBS Audit: Inquiries to be done

• System of MIS verification and Risk Audit.

• Make inquiries of management, internal auditor, and others within the bank, as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the bank.

Page 26:

Audit: Sample Size

• Does not depend on population (npq ≥ 5)

$$n = \frac{(1.96)^2\, p(1-p)}{d^2}$$

• where 1.96 signifies 95% level of confidence. For 99% level of confidence replace 1.96 with 2.58.

Sample size n at 1.96, by values of d (rows) and values of p (columns):

Values of d    p=0.5    p=0.25    p=0.1    p=0.05    p=0.025
0.5            4
0.25           15       12
0.1            96       72        35
0.05           384      288       138      73
0.025          1537     1152      553      292       150

With population N:

$$n = \frac{4Np(1-p)}{d^2(N-1) + 4p(1-p)}$$

Sample size n with d = 0.20p, by population (rows) and values of p (columns):

POPULATION    50%    25%    10%    5%    2.50%    1.00%
10            9      10     10     10    10       10
25            20     23     24     25    25       25
50            34     43     47     49    49       50
75            43     60     69     72    74       74
100           50     75     90     95    98       99

Page 27:

Substantive Test: Hypothesis

N=150                                                   Case A         Case B
No of Errors observed in the sample                     3              4
Proportion of errors in the sample p                    0.02           0.026666667
Standard Deviation of the sample                        0.011430952    0.013154354
Projection of sample proportion on the population       4.24%          5.24%
Tolerable error                                         5%             5%
Accept the hypothesis                                   Yes            No

Projection of sample proportion on the population:

$$p + 1.96\sqrt{\frac{p(1-p)}{n}}$$
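The two sample-size formulas and the hypothesis test from the slides above, as an added Python example that is not part of the original deck. The function names are chosen here for illustration, and the sample of 150 is the figure the slide labels N=150.

```python
import math

Z95 = 1.96  # 95% level of confidence (the slide gives 2.58 for 99%)

def sample_size(p, d, z=Z95):
    """n = z^2 * p(1-p) / d^2; does not depend on the population."""
    return round(z * z * p * (1 - p) / (d * d))

def sample_size_finite(N, p, d):
    """n = 4Np(1-p) / (d^2 (N-1) + 4p(1-p)), the slide's form with population N."""
    pq = p * (1 - p)
    return round(4 * N * pq / (d * d * (N - 1) + 4 * pq))

def projected_error(errors, n, z=Z95):
    """Projection of the sample error proportion: p + z*sqrt(p(1-p)/n)."""
    p = errors / n
    return p + z * math.sqrt(p * (1 - p) / n)

def accept(errors, n, tolerable=0.05):
    """Accept the hypothesis only if the projection stays within tolerable error."""
    return projected_error(errors, n) <= tolerable

if __name__ == "__main__":
    # Reproduce the slide's d = 0.20p table row for a population of 100.
    for p in (0.50, 0.25, 0.10, 0.05, 0.025, 0.01):
        print(f"N=100 p={p:<5} n={sample_size_finite(100, p, 0.20 * p)}")
    # Cases A and B: 3 and 4 errors in a sample of 150, tolerable error 5%.
    for label, errors in (("A", 3), ("B", 4)):
        print(label, f"{projected_error(errors, 150):.2%}", accept(errors, 150))
```

One extra error in the sample moves the projection from 4.24% to 5.24% and flips the conclusion, which is why the observed error count needs to be documented precisely.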

Page 28:

Example Features

• Integrity: Unauthorised Debit
• No Cheque or debit authority
• No application for FD
• FD Value Dated (-4 days)
• Sign on Loan Doc forged
• No Resolution to borrow
• Loan signatories not authorised
• Loan at 0% Margin

[Diagram labels: C1/A1, C2/A2, C3/A3, FD/A1, LN/A1, Susp; amounts 250L, 50L, 150L, 450L; 29 Mar; Vdt 25 Mar]

Page 29:

Example: Continued

[Diagram labels: dates 31/03, 02/04, 08/04; accounts Exp/Int FD, Inc/Int, Loan, TDS/Prkg, DD/A1, FD/A1, DD/ITO; amounts 22192 (6 days), 14792, 7397, 6643, 754, 4931, 450L, 3679, 754, 9112, 9866; No TDS; Cancelled on 11/07]

Page 30:

Learnings from the example

• Management is often in the best position to perpetrate fraud - use professional judgment
• Focus on areas with high risk & high probability that controls are not in place or are weak, e.g.
  – Large value debits without cheque
  – Large value loans against FDs
  – Loans against FDs at lower / zero margins
  – Misuse of suspense accounts
• Don’t forget positive risks – opportunities!

Page 31:

Compute Loan outstanding

• Use the IPMT function to find the balance of a loan using the following formula: =IPMT(rate,per,nper,PV)/rate

Prd    Principal    Interest    Repayment    Net Amt     Using Formula
1      100000       833.3333    2124.7       98708.63    100000
2      98708.63     822.5719    2124.7       97406.51    98708.63
13     83773.24     698.1104    2124.7       82346.65    83773.19
14     82346.65     686.2221    2124.7       80908.18    82346.59
24     67410.28     561.7524    2124.7       65847.34    67410.17
25     65847.34     548.7278    2124.7       64271.36    65847.22
26     64271.36     535.5947    2124.7       62682.26    64271.24

Page 32:

Compute interest Income During Prd

• Use the IPMT worksheet function to calculate
• Interest on Loan during some period
• =SUM(IPMT(rate,ROW(A1:A12),nper,-Amt))
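The loan-outstanding and interest-income checks from the two IPMT slides above, as an added Python example that is not part of the original deck. The rate (10% a year, monthly) and the 60 instalments are assumptions inferred from the table's first-period interest of 833.3333 and repayment of 2124.7; the function names and the period-14 CBS balance are constructed for illustration.

```python
RATE, NPER, PV = 0.10 / 12, 60, 100000.0  # inferred from the slide's table (assumption)

def payment(rate, nper, pv):
    """Level instalment paid at the end of each period (magnitude of Excel's PMT)."""
    return pv * rate / (1 - (1 + rate) ** -nper)

def outstanding(rate, per, nper, pv):
    """Balance at the start of period `per`: magnitude of IPMT(rate,per,nper,PV)/rate."""
    growth = (1 + rate) ** (per - 1)
    return pv * growth - payment(rate, nper, pv) * (growth - 1) / rate

def ipmt(rate, per, nper, pv):
    """Interest part of instalment `per` (magnitude of Excel's IPMT)."""
    return outstanding(rate, per, nper, pv) * rate

def interest_income(rate, first, last, nper, pv):
    """Interest over periods first..last, like SUM(IPMT(...)) over a row range."""
    return sum(ipmt(rate, k, nper, pv) for k in range(first, last + 1))

def balance_exceptions(cbs_balances, rate, nper, pv, tolerance=1.0):
    """Return (period, cbs, recomputed) where the CBS figure is off by more than tolerance."""
    out = []
    for per, cbs in sorted(cbs_balances.items()):
        expected = outstanding(rate, per, nper, pv)
        if abs(cbs - expected) > tolerance:
            out.append((per, cbs, round(expected, 2)))
    return out

# Balances per CBS: periods 2, 13 and 25 are the slide's Principal figures;
# period 14 is a constructed wrong value to show an exception being raised.
CBS = {2: 98708.63, 13: 83773.24, 14: 83346.65, 25: 65847.34}

if __name__ == "__main__":
    print(round(interest_income(RATE, 1, 12, NPER, PV), 2))
    print(balance_exceptions(CBS, RATE, NPER, PV))
```

The small gaps between the slide's Principal and Using Formula columns come from rounding the repayment to 2124.7, so the comparison uses a tolerance rather than exact equality.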

Page 33:

Factors influencing Risk

• Past misstatements strongly indicate the likely occurrence of future misstatements;
• Unreliable application systems e.g. Asset classification SW/module
• Non-systematically processed transactions
• The incidence of misstatements is greater in transactions relating to accounting estimates and adjustments at or near to the end of an accounting period (i.e., cut-offs and accruals); and
• Incidence of misstatements associated with unusual or complex transactions.

Page 34:

Role and responsibilities of branch auditors

• To the extent possible, data analysis tools are used for better and effective audit.

• Test of controls and substantive checking of sample transactions is carried out at the branch level and the results are shared with the central auditor, if required.

• Significant observations having bearing on the true and fair view are reported to central auditor.

• Any other limitations on audit which are required to be reported to the central auditor.

Page 35:

• Thank you