Statutory Audit of Bank Branches – under Core Banking System

Statutory Audit of Bank Branches – under Core Banking System. A presentation by CA. GOPAL KRISHNA RAJU, Assurance & Tax Partner, M/s. K. GOPAL RAO & Company, Chartered Accountants, Chennai. Friday, 18th March 2011

Transcript of Statutory Audit of Bank Branches – under Core Banking System

Page 1: Statutory Audit of Bank Branches –  under Core Banking System

Statutory Audit of Bank Branches – under Core Banking System

A presentation by CA. GOPAL KRISHNA RAJU, Assurance & Tax Partner,

M/s. K. GOPAL RAO & Company, Chartered Accountants, Chennai

for Calicut Branch of SIRC of ICAI

Friday, 18th March 2011

Page 2: Statutory Audit of Bank Branches –  under Core Banking System

K.GOPAL RAO & CO, Chennai CALICUT Branch of SIRC of ICAI CA. GOPAL KRISHNA RAJU

Disclaimer

• These are my personal views and cannot be construed to be the views of the SIRC or its branches or K. GOPAL RAO & Co., Chartered Accountants

• No representation or warranties are made by the SIRC with regard to this presentation

• These views do not and shall not be considered as professional advice

• This presentation should not be reproduced in part or in whole, in any manner or form, without my or SIRC’s written permission

Page 3: Statutory Audit of Bank Branches –  under Core Banking System

Need for Branch Audit

• The strength of the Indian Banking system is the audit and reporting system of Chartered Accountants.

• Robots are not working in branches, it's Humans there. To err is Human, to forgive CBS…..!

• Until Human Beings are operating branches, Branch Audit will exist

• Together let’s bring quality in our reports. Let’s not give a feel that Branch Audit is a custom; it is a necessity and need based.

Page 4: Statutory Audit of Bank Branches –  under Core Banking System

Need for Branch Audit…

• Even ICICI Bank prefers now to go back to conventional Branch Audit for many expediency reasons they had earlier. The management believes that the main reason for its fall/failure is withdrawal of Branch Audit System.

• Until the leadership of ICAI is daring, dynamic, effective in putting forth before the Ministry/RBI the necessity of Branch Audit, it will never see sunset.

Page 5: Statutory Audit of Bank Branches –  under Core Banking System

Need for Branch Audit…

• All the parameter settings are made at Branch. Documentation is done at Branch. Documents are maintained at Branch. Branch Audit should focus more on facts with figures & Documents with deeds.

• Branch Audit should focus more on facts, figures and documents…

Page 6: Statutory Audit of Bank Branches –  under Core Banking System

Audit in a CBS environment

Primary Audit Steps

Key Audit Process

LFAR

Coverage

Page 7: Statutory Audit of Bank Branches –  under Core Banking System

Public Sector Bank Audits – Scenario at present

• Appointments of Statutory Central Auditors (done 4 months ahead)

• Appointments of Statutory Branch Auditors (done 4 weeks ahead)

• Closing instructions of the Bank (booklet, annual audit manual)

• Timelines given (April 15th perhaps!)

• Meeting with SCAs, if organized by Bank (let us network)

• Conduct of audit within given timelines (of course with necessary resources)

• Submission of Reports (ASAP)

Page 8: Statutory Audit of Bank Branches –  under Core Banking System

Normal Audit Process

o Popularly known as Balance Sheet Audit

o Why?

o Even if an Auditor wants to conduct detailed audit, he is precluded from doing so, due to

• Delayed appointments

• Early Finalization deadlines

• Race of management to publish Balance Sheet (congrats to CAs..some banks publish before 30th April)

Page 9: Statutory Audit of Bank Branches –  under Core Banking System

Audit is hence, limited to

o Review of Balance Sheet & Profit & Loss Account

o Arithmetical accuracy of annual financial statements (Thing of Past)

o Review of Fresh Advances (Take help of Concurrent Audit Report)

o Review of application of Income Recognition Norms

o Review of application of Provisioning Norms

o Review of Expenditure

Page 10: Statutory Audit of Bank Branches –  under Core Banking System

Audit is hence, limited to…

• Verification of information filled in the various formats prescribed by Bank’s H.O.

• Noting & confirming certain areas that are under direct control of and monitored by H.O.

  – e.g. Purchase & record of fixed assets, depreciation, information for tax provision etc.

• Certification as required by regulatory authorities

Page 11: Statutory Audit of Bank Branches –  under Core Banking System

First and Last

Anxiety is because facts & figures are not in our control

o Understanding of facts & figures is first

o Application of law is last

Page 12: Statutory Audit of Bank Branches –  under Core Banking System

CBS plus points

• Getting reports for clarity on operation & for sample selection

• Parameter settings – Adequate controls over parameter settings, authorization, modification is to be exercised at branch level. Most of the parameters are set-based or paper based authorization.

Page 13: Statutory Audit of Bank Branches –  under Core Banking System

CBS myths

• Requires system literacy for audit

• No data can be made available in the branch except what is given by the branch suo moto.

Page 14: Statutory Audit of Bank Branches –  under Core Banking System

What do banks inform us

We have a core banking solution

All transactions are captured and processed seamlessly

All calculations are automated

Statements are generated from the CBS

Absolutely no issues in completing audit within the given timeline

Page 15: Statutory Audit of Bank Branches –  under Core Banking System

Can we rely on this information?

• Yes, provided we are

  – satisfied of the adequacy of the CIA Principle within this computerized system and environment

  – aware of the control mechanisms of computer systems and environment in the branch

Page 16: Statutory Audit of Bank Branches –  under Core Banking System

CIA Principle

Confidentiality

• Assurance that information / data is shared only amongst authorized persons or organizations

Integrity

• Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose

Availability

• Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them

Page 17: Statutory Audit of Bank Branches –  under Core Banking System

Satisfaction about CIA Principle

• Existence of controls in the computer systems

• Review of their implementation in the branch processes

Auditor has to remove the myth of not being “IT Smart”

Page 18: Statutory Audit of Bank Branches –  under Core Banking System

Audit in a CBS environment

Primary Audit Steps

Key Audit Process

LFAR

Coverage

Page 19: Statutory Audit of Bank Branches –  under Core Banking System

Audit steps in CBS environment

• Firstly, have a chat with the Systems in Charge at the Branch & Branch Manager

• Then execute key audit processes

• Next discuss findings

• Lastly, form audit opinion

Page 20: Statutory Audit of Bank Branches –  under Core Banking System

CBS environment - Infrastructure

• Core [Centre, Central Part, Hub, Nucleus, Middle, Interior, Mainstay, Heart]

• May or may not have Branch Server depending on CBS Software

  – FINACLE – No Branch Server

  – Flexcube, Bancs24 – Need Branch Server

• Network Connectivity

  – Primary Links & Secondary Links (alternate routes) – Connectivity Topology

• Power Supply

  – UPS and / or Generator

Page 21: Statutory Audit of Bank Branches –  under Core Banking System

Interact with System Executive

• Obtain an overview of the systems

  • Software

    – Core application as well as all other applications

  • Hardware

    – Server as well as other machines

  • Network configurations

• Ask about his / her perception of CIA principle implementation in branch

Page 22: Statutory Audit of Bank Branches –  under Core Banking System

Issue 1: Audit Manual – Not available/ given

• If a copy of the Audit Manual / System Manual is not available for your reference, this should be brought out as a note in the LFAR.

Check Point:

• Verify BCP document

• Familiarity with procedure

• Availability of Emergency Reports

• Incident Handling/Management System - Instances of Resorting to BCP available on record

Page 23: Statutory Audit of Bank Branches –  under Core Banking System

Issue 2: Management Representation Letter

• Standards on Auditing (SA) 580 – “Representations by Management” requires that in case management does not provide a management representation letter, the auditor should himself prepare a letter in writing and send it to the management with a request to acknowledge and confirm that his understanding of the representations is correct.

• If the management refuses to acknowledge or confirm the letter sent by the auditor, this will constitute a limitation on the scope of his examination.

Page 24: Statutory Audit of Bank Branches –  under Core Banking System

Questions about CBS & Branch

• How is the SOD activity handled?

• Whether officials other than those of the branch have authority to record transactions in branch books?

• If so, when does the branch become aware of it? Immediately / At pre-defined intervals / EOD / SOD

• If so, what is the branch manager’s authority?

Page 25: Statutory Audit of Bank Branches –  under Core Banking System

Questions about CBS & Branch…

• Communication systems downtime

  • What happens when communication lines are down?

  • Are there offline periods?

  • How are transactions in these offline periods recorded?

• Who is responsible for

  • Downloading pre-defined reports at SOD?

  • Distributing the reports within the branch as per the distribution schedule

• How is the EOD activity handled?

  • Are there frequent delays in EOD procedures?

Page 26: Statutory Audit of Bank Branches –  under Core Banking System

Questions about CBS & Branch…

• Whether CBS is designed to apply IRAC norms?

• Whether the card rates of interest and other charges are correctly parameterized?

• Inquire about

  • Access control norms and adherence thereto

  • Modality of year-end process

• Whether branch was subject to a system audit?

  • Inquire of management action on audit findings

Page 27: Statutory Audit of Bank Branches –  under Core Banking System

Questions about CBS & Branch…

• What are SE’s views on LFAR questions?

• Take written / oral assurances that

  – System is implemented as designed

  – No modifications are made to the system

  – All problems faced during implementation & thereafter are resolved

  – Problems faced have not affected the confidentiality, integrity & availability of data

Page 28: Statutory Audit of Bank Branches –  under Core Banking System

Interaction with Branch Manager

• Obtain his confirmation / view on the information obtained from the SE

• Discuss BM’s methodology in

  • EOD / SOD processes

  • Report sign-offs

  • Fulfilling additional responsibilities as a result of CBS and its effect on branch business

• Discuss your reservations / opinion of the CBS environment

Page 29: Statutory Audit of Bank Branches –  under Core Banking System

Audit in a CBS environment

Primary Audit Steps

Key Audit Process

LFAR

Coverage

Page 30: Statutory Audit of Bank Branches –  under Core Banking System

Access Controls

• Peruse Access Control Matrix

• Match the matrix with the users in the branch

• Inquire whether logs of unauthorized access are available at branch / data center

  – Review management action on the same

Page 31: Statutory Audit of Bank Branches –  under Core Banking System

Migration Controls

i. If migration process has been undertaken in the supervision of controlling office team, to check & comment whether Certificate of Verification of Integrity and Consistency of data migrated has been preserved on branch records.

ii. If branch has undergone an independent Migration Audit, to check whether all irregularities and recommendations have been duly attended / followed.

Page 32: Statutory Audit of Bank Branches –  under Core Banking System

Migration Controls

iii. To check from print copies of reports held on branch records whether migrated data has been verified by the branch for integrity and consistency and the procedures undertaken by the branch have been supervised and documented adequately. In case of inadequacy / ineffectiveness of procedures carried out, an independent Migration Audit may be recommended.

Page 33: Statutory Audit of Bank Branches –  under Core Banking System

Day-End Controls

• Various control reports are generated to ensure integrity of the transactions and also to ensure whether transactions are in conformity with the Bank’s guidelines/system of authorizations (maker-checker).

• These reports reveal the exceptions and anomalies encountered during the day.

• Vital amongst these reports are:

Page 34: Statutory Audit of Bank Branches –  under Core Banking System

EOD reports

a. Exceptional report (parking/ proxy/ unprocessed/ to-do/ error/ withhold)

b. List of users (to be matched with attendance registers)

c. Access Log

d. Rejected/Cancelled entries

e. Over-limits/TOD Report

f. GL affected Balances Report

g. Report on large cash transactions / KYC Anti Money Laundering etc.
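The matching asked for on the Access Controls and EOD reports slides (access matrix against branch users, list of users against the attendance register, maker-checker authorisation) can be run over an exported access log. The sketch below is an added example, not part of the original presentation; the record layout, role names, function codes and exception codes are assumptions, and all data is constructed.

```python
# Constructed sample data: user IDs, roles, function codes and dates are invented.
ACCESS_MATRIX = {  # role -> functions it may enter (maker) or authorise (checker)
    "teller": {"enter": {"CASH_DEP", "CASH_WDL"}, "authorise": set()},
    "officer": {"enter": {"CASH_DEP", "TRANSFER"},
                "authorise": {"CASH_DEP", "CASH_WDL", "TRANSFER"}},
    "manager": {"enter": set(),
                "authorise": {"CASH_DEP", "CASH_WDL", "TRANSFER", "INT_RATE_CHG"}},
}
BRANCH_USERS = {"U101": "teller", "U102": "officer", "U103": "manager"}
ATTENDANCE = {  # attendance register: date -> user IDs marked present
    "2011-03-14": {"U101", "U102", "U103"},
    "2011-03-15": {"U101", "U103"},
}
ACCESS_LOG = [  # (date, transaction id, function, maker, checker)
    ("2011-03-14", "T001", "CASH_DEP", "U101", "U102"),      # clean entry
    ("2011-03-14", "T002", "TRANSFER", "U102", "U102"),      # same user both sides
    ("2011-03-14", "T003", "INT_RATE_CHG", "U102", "U103"),  # officer cannot enter this
    ("2011-03-15", "T004", "CASH_WDL", "U101", "U102"),      # U102 absent that day
    ("2011-03-15", "T005", "TRANSFER", "U999", "U103"),      # ID not on branch list
]


def reconcile_access_log(log, matrix, users, attendance):
    """Return (txn_id, exception_code) pairs for log entries that breach
    the access control matrix, the attendance register or maker-checker."""
    exceptions = []
    for day, txn_id, function, maker, checker in log:
        present = attendance.get(day, set())
        for label, user, action in (("MAKER", maker, "enter"),
                                    ("CHECKER", checker, "authorise")):
            role = users.get(user)
            if role is None or role not in matrix:
                # User ID is not on the branch user list (or has no matrix role).
                exceptions.append((txn_id, f"{label}_UNKNOWN"))
                continue
            if function not in matrix[role][action]:
                exceptions.append((txn_id, f"{label}_NOT_PERMITTED"))
            if user not in present:
                # ID was used on a day the attendance register shows absence.
                exceptions.append((txn_id, f"{label}_ABSENT"))
        if maker == checker:
            exceptions.append((txn_id, "MAKER_IS_CHECKER"))
    return exceptions


if __name__ == "__main__":
    for txn_id, code in reconcile_access_log(
            ACCESS_LOG, ACCESS_MATRIX, BRANCH_USERS, ATTENDANCE):
        print(txn_id, code)
```

Each exception is a lead for inquiry with the branch, not a conclusion; an absent user's ID in the log may point to password sharing.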

Page 35: Statutory Audit of Bank Branches –  under Core Banking System

Report as per MITRA Committee Recommendations

• To be reported by a CA if we have come across any matter / transaction that is

  – Susceptible to be a fraud (How do we know as Auditors!)

  – Susceptible to be a fraudulent activity (Quite a broad spectrum of responsibilities tagged here!)

  – Foul Play (unclean / stinking / polluted / tainted / soiled / fetid)

Page 36: Statutory Audit of Bank Branches –  under Core Banking System

Report as per MITRA Committee Recommendations

Amount of transactions Rs: 100 Lakhs and above

The Statutory auditor is expected to report the same to:

Central Office, Dept of Banking Supervision, RBI, WTC, Cuffe Parade, Mumbai - 5

Amount of transactions below Rs: 100 Lakhs

The Statutory auditor is expected to report the same to:

Regional Director, RO, Dept of Banking Supervision, RBI, Nrupathunga Road, Bangalore – 1

Page 37: Statutory Audit of Bank Branches –  under Core Banking System

Day-End Controls – Suggested Audit Check-point

i. To obtain list of such reports generated by the system.

ii. To check whether all the mandatory reports are taken daily including on Sundays and holidays, as ATM transactions are carried out on these days also, and are scrutinized adequately and to comment whether exceptions / anomalies, if encountered during the day, have been duly noted and disposed of.

Page 38: Statutory Audit of Bank Branches –  under Core Banking System

Control over Proxy/Parking Transactions – Suggested Audit Check-point

• In normal course of business, some transactions might not be verified and may remain in entered (un-posted) status.

• But since the day-end process cannot be suspended until the next day, these transactions are posted in a pre-designated account called Proxy/Parking Account. These transactions, generally, are of two types:

Page 39: Statutory Audit of Bank Branches –  under Core Banking System

Control over Proxy/Parking Transactions – Suggested Audit Check-point

• System Generated: Transactions which take place during various system runs. For instance: Execution of SI (Standing Instruction) by the Data Centre on last day of the month and SOL being closed on that day. This entry may not be posted and will remain in entered status and will be posted in Proxy Account.

• User-Generated: Transactions which are initiated by the user, but owing to certain reasons may not be posted/authorised and kept in proxy/parking transactions account. For instance: Depositing RD installment in excess of the cumulative installments. This entry may not be posted in RD Account and posted in Proxy/parking transactions account and reversed subsequently.

Page 40: Statutory Audit of Bank Branches –  under Core Banking System

Control over Proxy/Parking Transactions – Suggested Audit Check-point

• To check whether report on such transactions is taken as a part of EOD process and scrutinised for prompt reversal.

• To check and comment specifically on old outstanding entries and reasons for non-reversal of the same.

Page 41: Statutory Audit of Bank Branches –  under Core Banking System

Read Alone Access

• Ask for a read-alone access to view the branch data

  – If access cannot be given, decide whether it needs to be reported in Audit Report / LFAR

• Use assistance of SE to run queries

  – If SE is not able to help then decide whether it needs to be reported in Audit Report / LFAR

Page 42: Statutory Audit of Bank Branches –  under Core Banking System

Transaction Logs

• Serial Control over all transactions

  • Number to be allotted by the system

  • No manual intervention allowed

• Peruse transaction logs of heavy days

  • Typically after multiple holidays

• Review Exception Transactions Reports

  • And also action taken thereon

Page 43: Statutory Audit of Bank Branches –  under Core Banking System

Income - interest

• Interest rate parameters are controlled centrally

• Obtain list of transactions where interest rate has been entered by branch management

• Ensure that such entry and authorization is as per the Access Control Rules

• Review process of interest rate modifications in similar manner

• Test check a few interest calculations

Page 44: Statutory Audit of Bank Branches –  under Core Banking System

There is no need of checking all the accounts. It is enough if at least one account of all the account types is checked for accuracy of interest application.

Page 45: Statutory Audit of Bank Branches –  under Core Banking System

Reports that can give leads

• List of cases where stock statements are not furnished on or after 28th February 2011

• List of cases where fresh limits were sanctioned

  – For the whole year from 1st April 2010 to 31st March 2011

  – For 4th Quarter period from 1st Jan 2011 to 31st Mar 2011

  – For 3rd Quarter period from 1st Oct 2010 to 31st Dec 2010

  – For 2nd Quarter period from 1st Jul 2010 to 30th Sep 2010

  – For 1st Quarter period from 1st Apr 2010 to 30th Jun 2010

Page 46: Statutory Audit of Bank Branches –  under Core Banking System

Reports that can give leads…

• List of overdue accounts i.e. outstanding amount > Sanctioned amount.

• List of manual entries viz. Interest Reversals

• Recognition of Interest in NPA

• Debit to HO account

• List of unchecked transactions (Accounts master)

• Standing Instructions

Page 47: Statutory Audit of Bank Branches –  under Core Banking System

Reports that can give leads……

• Temporary OD – beyond time limit

• Time bound DPN

• Large cash transactions – list of it viz. above Rs: 10 lakhs cash deposits

• Operations in in-operative accounts

These reports are the backbone of the system.

Page 48: Statutory Audit of Bank Branches –  under Core Banking System

CS 1: Core Banking Solution

• A bank in the process of implementing CBS had a central support team at the CPPD. These users were allowed unrestricted remote access to the branches. One employee used this facility to transfer funds from in-operative accounts of branches to a particular account of her relative. The money was subsequently withdrawn.

• This came to light during regular concurrent audit when auditor noted that there was movement in the in-operative account.
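The lead that exposed CS 1, movement in an in-operative account, can be looked for systematically when a transaction extract is available. The following is an added example, not part of the original presentation: it lists debits to in-operative accounts, marks those initiated by a user outside the account's home branch, and groups them by receiving account. The field layout and status values are assumptions and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data: account numbers, user IDs and amounts are invented.
ACCOUNTS = {  # account -> (home branch, status)
    "SB-3001": ("BR-0001", "INOPERATIVE"),
    "SB-3002": ("BR-0002", "INOPERATIVE"),
    "SB-3003": ("BR-0001", "ACTIVE"),
    "SB-9000": ("BR-0005", "ACTIVE"),
}
TXNS = [  # (txn id, debit account, credit account, amount in Rs, user, user's unit)
    ("X1", "SB-3001", "SB-9000", 80_000, "C501", "CPPD"),
    ("X2", "SB-3002", "SB-9000", 65_000, "C501", "CPPD"),
    ("X3", "SB-3003", "SB-9000", 10_000, "U101", "BR-0001"),  # active account
    ("X4", "SB-3001", "SB-3003", 500, "U102", "BR-0001"),     # home-branch user
]


def inoperative_movements(accounts, txns):
    """Return one finding per debit to an in-operative account."""
    findings = []
    for txn_id, debit_acct, credit_acct, amount, user, user_unit in txns:
        home_branch, status = accounts.get(debit_acct, (None, "UNKNOWN"))
        if status != "INOPERATIVE":
            continue
        findings.append({
            "txn": txn_id,
            "debit": debit_acct,
            "credit": credit_acct,
            "amount": amount,
            "user": user,
            # True when the initiating user does not belong to the home branch,
            # e.g. a central support user with remote access.
            "remote": user_unit != home_branch,
        })
    return findings


def common_beneficiaries(findings, min_sources=2):
    """Group findings by receiving account and keep those fed by at least
    `min_sources` different in-operative accounts."""
    grouped = defaultdict(lambda: {"total": 0, "sources": set(), "users": set()})
    for f in findings:
        g = grouped[f["credit"]]
        g["total"] += f["amount"]
        g["sources"].add(f["debit"])
        g["users"].add(f["user"])
    return {
        acct: {"total": g["total"],
               "sources": sorted(g["sources"]),
               "users": sorted(g["users"])}
        for acct, g in grouped.items()
        if len(g["sources"]) >= min_sources
    }


if __name__ == "__main__":
    found = inoperative_movements(ACCOUNTS, TXNS)
    for f in found:
        print(f)
    print(common_beneficiaries(found))
```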

Page 49: Statutory Audit of Bank Branches –  under Core Banking System

CS 2: Vulnerability in Account Mapping

• A fraud was committed due to vulnerability in mapping of accounts in a CBS. Mapping of accounts is done only in one place which is at the CCD. In the present scenario, the GL heads were created and access given to the branches in such a way that any GL head could be debited or credited. One employee utilized this feature to debit a GL which had accumulated unreconciled debit balances and credited his personal account.

Page 50: Statutory Audit of Bank Branches –  under Core Banking System

Income - charges

• As in case of interest rate, parameters for other charges are controlled centrally

• Ensure that the software relates the transaction with the income to be applied

  • Bank Guarantee / LC and its Commission / Charges

  • ATM / Credit Card charges

  • Charges for miscellaneous transactions

    – Number of debits

    – Note counting

• Review transactions where branch has an authority to deviate from the set parameters

• Test check a few transactions

Page 51: Statutory Audit of Bank Branches –  under Core Banking System

Advances

• Verify data entry of new sanctions into the CBS

  • Rate of Interest

  • Date of sanction

• Inquire whether loan documentation is controlled through the system

  • If so, whether system prompts for the same

  • Whether system prompts for renewals

Page 52: Statutory Audit of Bank Branches –  under Core Banking System

Identification of NPAs

• Inquire whether system identifies NPAs and reverses income

• Obtain report of cases of

  – Defaults in excess of 90 days principal repayment

  – Interest not fully serviced

• Potential NPA

  – Audit list of defaults nearing but not exceeding 90 days

Page 53: Statutory Audit of Bank Branches –  under Core Banking System

Identification of NPAs

• Peruse list of customers / accounts with high credits within last week / fortnight of March

• Identify whether there are heavy withdrawals in first week / fortnight of April of customers / accounts in this list

• Trace whether these credits are from advances sanctioned at some other branch or in some other group account

  • This is possible if access is available to data other than that of the branch
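The three steps on this slide (high credits late in March, heavy withdrawals early in April, credits traced to another branch) can be combined into one pass over a transaction extract. The sketch below is an added example, not part of the original presentation; the record layout, the `account@branch` counterparty format, the Rs 10 lakh credit floor and the 80% withdrawal ratio are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample rows: (account, value date, "CR"/"DR", amount in Rs, counterparty).
# A counterparty written as "account@branch" denotes a transfer from that branch.
SAMPLE_TXNS = [
    ("CC-1001", date(2011, 3, 28), "CR", 4_500_000, "TL-7788@BR-0412"),
    ("CC-1001", date(2011, 4, 4), "DR", 4_300_000, "TRANSFER"),
    ("CC-1002", date(2011, 3, 10), "CR", 2_000_000, "CASH"),       # before the window
    ("CC-1002", date(2011, 4, 20), "DR", 1_900_000, "CHEQUE"),     # after the window
    ("CC-1003", date(2011, 3, 30), "CR", 1_200_000, "CA-5566@BR-0099"),
    ("CC-1003", date(2011, 4, 2), "DR", 300_000, "CHEQUE"),        # small withdrawal
    ("SB-2001", date(2011, 3, 31), "CR", 50_000, "CASH"),          # below credit floor
    ("SB-2001", date(2011, 4, 1), "DR", 45_000, "ATM"),
]


def year_end_round_trips(txns, year_end, window_days=15, min_credit=1_000_000,
                         min_ratio=0.8, home_branch="BR-0001"):
    """Return accounts whose credits in the last `window_days` of the year
    total at least `min_credit` and are at least `min_ratio` withdrawn in
    the first `window_days` of the new year."""
    first_day = year_end - timedelta(days=window_days - 1)
    last_day = year_end + timedelta(days=window_days)
    credited = defaultdict(int)
    withdrawn = defaultdict(int)
    sources = defaultdict(set)
    for account, value_date, side, amount, counterparty in txns:
        if side == "CR" and first_day <= value_date <= year_end:
            credited[account] += amount
            sources[account].add(counterparty)
        elif side == "DR" and year_end < value_date <= last_day:
            withdrawn[account] += amount
    findings = []
    for account in sorted(credited):
        total_in = credited[account]
        total_out = withdrawn.get(account, 0)
        if total_in < min_credit or total_out < min_ratio * total_in:
            continue
        # Credits funded from an account held at another branch.
        remote = sorted(s for s in sources[account]
                        if "@" in s and s.split("@", 1)[1] != home_branch)
        findings.append({
            "account": account,
            "credited": total_in,
            "withdrawn": total_out,
            "other_branch_sources": remote,
        })
    return findings


if __name__ == "__main__":
    for row in year_end_round_trips(SAMPLE_TXNS, date(2011, 3, 31)):
        print(row)
```

Use `window_days=7` for the last week / first week variant of the same check.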

Page 54: Statutory Audit of Bank Branches –  under Core Banking System

Deposit and Interest Expenditure

• Ensure proper parameterization of deposit schemes and interest thereon

• Trace a sample of transactions

• Verify calculations of interest expenditure in few cases

• Review process of pre-mandated transactions and whether they have happened as per the mandate

  – Auto sweep account

  – Cumulative deposits

  – Recurring deposits

Page 55: Statutory Audit of Bank Branches –  under Core Banking System

Office Accounts

• Review various office accounts

  • Suspense

  • Sundry Deposits

  • Inter branch

  • ATM Suspense

  • Cash Management

• Audit list of outstanding items

• Inquire whether frauds have occurred using these office accounts

Page 56: Statutory Audit of Bank Branches –  under Core Banking System

Control over Impersonal/Office Accounts

• To check whether these accounts have been mapped to correct GL Sub head and entries in the accounts have been done correctly. For instance:

• Postings in sundry credit accounts and sundry deposit accounts have been duly verified by the branch.

• Deposit from public and Deposit from Banks have been shown correctly in appropriate GL Subheads.

• Credit balances in Loan accounts have not been shown in sundry deposit account.

Page 57: Statutory Audit of Bank Branches –  under Core Banking System

Office Accounts

• To check whether these accounts have been mapped to correct GL Sub head and entries in the accounts have been done correctly. For instance:

• Postings in sundry credit accounts and sundry deposit accounts have been duly verified by the branch.

• Deposit from public and Deposit from Banks have been shown correctly in appropriate GL Subheads.

• Credit balances in Loan accounts have not been shown in sundry deposit account.

• To check whether these transactions are scrutinised by the branch for correctness and for prompt adjustment.

Page 58: Statutory Audit of Bank Branches –  under Core Banking System

Audit Conclusions

• Document findings & conclusions

• Discuss them

• Take written and oral representations

• Formulate Audit Opinion

Page 59: Statutory Audit of Bank Branches –  under Core Banking System

Audit in a CBS environment

Primary Audit Steps

Key Audit Process

LFAR

Coverage

Page 60: Statutory Audit of Bank Branches –  under Core Banking System

LFAR – General points

• Study the LFAR Questionnaire thoroughly

• Plan the LFAR work along with the statutory audit right from day one

• Complete & submit the Main Audit Report as well as the LFAR simultaneously

• There should be no vague/ general comments; wherever possible elaborate, i.e. the answers should not be only Yes/ No/ Not Applicable

• Give instances of shortcomings/ weaknesses in the LFAR

• Do not make the current year’s LFAR a replica of the previous year’s LFAR

• The branch LFAR should be addressed to the Bank’s Chairman and a copy thereof sent to the Central Statutory Auditor

Page 61: Statutory Audit of Bank Branches –  under Core Banking System

LFAR – General points

• The Main Audit Report and LFAR are two separate reports.

• Many times the comments in LFAR are qualificatory in nature but are not included in the Main Audit Report. Include the Audit Qualifications in the Main Audit Report and not in the LFAR. In deciding whether a qualification in the main report is necessary, the auditor should use his discretion in the facts and circumstances of each case

• The Main Audit Report should be a self–contained document and should contain no reference of any point made in the LFAR

• The LFAR should be sufficiently detailed and quantified so that not only can it be expeditiously consolidated by the bank but even help the bank in rectifying the identified problems immediately on conclusion of audit

Page 62: Statutory Audit of Bank Branches –  under Core Banking System

LFAR – Contents

• Assets – 6 items

• Liabilities – 3 items

• Profit and Loss Account – 5 items

• General – 6 items

• Questionnaire applicable to specialized branches

• Annexure to LFAR – (large / irregular / critical advance accounts)

Page 63: Statutory Audit of Bank Branches –  under Core Banking System

LFAR

• Whether hard copies of accounts are printed regularly?

  – Inquire about the Bank’s instructions of taking print-outs

  – Note down the frequency of taking hard copies of accounts

  – Compare with Concurrent & System Audit Reports

Page 64: Statutory Audit of Bank Branches –  under Core Banking System

LFAR…

• Understand the non-computerized areas (viz. Fixed Asset Register, Denomination of Cash)

• Indicate the extent of computerization and the areas of operation covered.

  – Obtain data of areas of operation computerized during the year

  – Note down the effective date

  – Compare with Concurrent & Systems Audit Reports

Page 65: Statutory Audit of Bank Branches –  under Core Banking System

LFAR…

• Are the access and data security measures and other internal controls adequate?

Entire gamut of logical & physical access controls apply

It is not confined to passwords alone

Page 66: Statutory Audit of Bank Branches –  under Core Banking System

LFAR…

• Whether regular back-ups of accounts and off-site storage are maintained as per the guidelines of the controlling authorities of the bank?

• Ascertain the Guidelines

• Whether the Bank is aware of them

• Ask and see how they are implemented

• Audit the documents maintained

Page 67: Statutory Audit of Bank Branches –  under Core Banking System

LFAR…

• Backup & Restoration of Data & Software

Significant only in Branch Server

• Check Point

Following Backup Routine

Rotating & Preserving Media

Managing Backup Media

Offsite Storage of Backups

Page 68: Statutory Audit of Bank Branches –  under Core Banking System

LFAR…

• Whether adequate contingency and disaster recovery plans are in place for loss / encryption of data?

Inquire whether the Branch is aware of the BCP / DRP

Inquire whether the Branch has a copy of the BCP / DRP

Review documents relating to above

Inquire about encryption standards implemented

Who is in control of encryption

Whether branch is aware of encryption standards applied

How is the control made effective

Page 69: Statutory Audit of Bank Branches –  under Core Banking System

LFAR…

• Do you have any suggestions for the improvement in the system with regard to computerized operations of the branch?

Give suggestions, if any.

Page 70: Statutory Audit of Bank Branches –  under Core Banking System

LFAR…

• For each area one needs to:

Inquire about Bank’s policy

Level of understanding of the policy and its implication

Evidence of compliance with that policy at branch

Peruse action taken on Concurrent & System audit findings

Page 71: Statutory Audit of Bank Branches –  under Core Banking System

MITRA Committee Recommendations

JILANI Committee Recommendations

GHOSH Committee Recommendations

Committee Recommendations

Page 72: Statutory Audit of Bank Branches –  under Core Banking System

Comparisons

• Mitra – Report (not counter signed by Branch Manager) – suggested to get counter signed

• Ghosh & Jilani – Certificate (counter signed by Branch Manager)

Page 73: Statutory Audit of Bank Branches –  under Core Banking System

Certificate as per JILANI and GHOSH Committee Recommendations

Certificate (not a report). We certify that the information is correct

• Two dimensional (YES and NO) certificate

Jilani - 10 items

Ghosh - 53 items

• Jilani – Relating to Internal Control and Inspection / Audit system in banks which are to be compulsorily implemented by banks

• Ghosh – Relating to frauds and malpractices in Banks -

Page 74: Statutory Audit of Bank Branches –  under Core Banking System

JILANI Committee Recommendations

1. Concurrent Audit – Follow-up (ensure that comments are not repeated in the monthly report)

2. 4 months window time – For rectifying irregularities brought to the notice

3. Irregularities rectified during the audit –

4. Plug gaps – Check the list of all irregularities that are plugged during the year

5. Prevention Methods – New methods adopted by the Banks during the year

Page 75: Statutory Audit of Bank Branches –  under Core Banking System

JILANI Committee Recommendations

6. Testing carried out – Test check for ensuring the integrity of transactions

7. EDP under scrutiny of inspection & audit -

8. Change Management Practices – Is it documented?

9. Speedy enquiry to deter others from perpetrating fraud – Ensure whether such process is in place

10. Regular checking – Cash Check, ATM Checking

Page 76: Statutory Audit of Bank Branches –  under Core Banking System

Ghosh Committee Recommendations

• Group A – Part I – 9 items

• Group A – Part II – 44 items

Page 77: Statutory Audit of Bank Branches –  under Core Banking System

Area is too wide to be covered as part of Branch Statutory Audit if it is to be done diligently

Page 78: Statutory Audit of Bank Branches –  under Core Banking System

Reflections ??