Statutory Audit of Bank Branches
- Core Banking Solution
A presentation by M P Chitale & Co. for the WIRC of ICAI
Ashutosh Pednekar, Anagha Thatte, Murtuza Vajihi
March 2009
Disclaimers
These are our personal views and cannot be construed to
be the views of the WIRC or M. P. Chitale & Co., Chartered
Accountants
No representation or warranties are made by the WIRC with
regard to this presentation
These views do not and shall not be considered as
professional advice
This presentation should not be reproduced in part or in
whole, in any manner or form, without our or WIRC’s
written permission
M P Chitale & Co. 2
Coverage
Audit in a CBS Environment
Primary Audit Steps
Key Audit Processes
LFAR - 2003
Public Sector Bank Audits
Appointments of Statutory Central Auditors
Appointments of Statutory Branch Auditors
Closing instructions of the Bank
Timelines given
Meeting with SCAs, if organized by Bank
Conduct of audit within given timelines
Submission of Reports
Normal Audit Process
Popularly known as Balance Sheet Audit
Why?
Even if an Auditor wants to conduct detailed
audit, he is precluded from doing so, due to
Delayed appointments
Early finalisation deadlines
Race of management to publish Balance Sheet
Audit is hence, limited to
Review of Balance Sheet & Profit & Loss Account
Arithmetical accuracy of annual financial
statements
Review of Fresh Advances
Review of application of Income Recognition
Norms
Review of application of Provisioning Norms
Review of Expenditure
Audit is hence, limited to…
Verification of information filled in the various
formats prescribed by Bank’s H.O.
Noting & confirming certain areas that are
under direct control of and monitored by H.O.
e.g. Purchase & record of fixed assets, depreciation,
information for tax provision etc.
Certification as required by regulatory
authorities
What do banks inform us?
We have a core banking solution
All transactions are captured and
processed seamlessly
All calculations are automated
Statements are generated from the CBS
Absolutely no issues in completing audit
within the given timeline
Can we rely on this information?
Yes, provided we are
satisfied of the adequacy of the CIA
Principle within this computerized system
and environment
aware of the control mechanisms of
computer systems and environment in the
branch
CIA Principle
Confidentiality
Assurance that information / data is shared only
amongst authorized persons or organizations
Integrity
Assurance that the information is authentic and
complete. Ensuring that information can be relied upon
to be sufficiently accurate for its purpose
Availability
Assurance that the systems responsible for delivering,
storing and processing information are accessible when
needed, by those who need them
Satisfaction about CIA Principle
Existence of controls in the computer
systems
Review of their implementation in the
branch processes
Auditor has to remove the bogey of
not being “IT Smart”
Coverage
Audit in a CBS Environment
Primary Audit Steps
Key Audit Processes
LFAR - 2003
Audit steps in CBS Environment
Firstly, have a chat with the
Systems in Charge at the Branch &
Branch Manager
Then execute key audit processes
Next discuss findings
Lastly, form audit opinion
Interact with System Executive
Obtain an overview of the systems
Software
Core application as well as all other applications
Hardware
Server as well as other machines
Network configurations
Ask about his / her perception of CIA
principle implementation in branch
Questions about CBS & Branch
How is the SOD activity handled?
Whether officials other than those of the branch
have authority to record transactions in branch
books?
If so, when does the branch become aware of it?
Immediately / At pre-defined intervals / EOD / SOD
If so, what is the branch manager’s authority?
Questions about CBS & Branch…
How is the EOD activity handled?
Are there frequent delays in EOD procedures?
Communication systems downtime
What happens when communication lines are down?
Are there offline periods?
How are transactions in these offline periods
recorded?
Who is responsible for
Downloading pre-defined reports at SOD?
Distributing the reports within the branch as per the
distribution schedule
Questions about CBS & Branch…
Whether CBS is designed to apply IRAC norms?
Whether the card rates of interest and other
charges are correctly parameterized?
Inquire about
Access control norms and adherence thereto
Modality of year-end process
Whether branch was subject to a system audit?
Inquire of management action on audit findings
Questions about CBS & Branch…
What are SE’s views on LFAR questions?
Take written / oral assurances that
System is implemented as designed
No modifications are made to the system
All problems faced during implementation
& thereafter are resolved
Problems faced have not affected the
confidentiality, integrity & availability of
data
Interaction with Branch Manager
Obtain his confirmation / view on the
information obtained from the SE
Discuss BM’s methodology in
EOD / SOD processes
Report sign-offs
Fulfilling additional responsibilities as a result of
CBS and its effect on branch business
Discuss your reservations / opinion of the CBS
environment
Coverage
Audit in a CBS Environment
Primary Audit Steps
Key Audit Processes
LFAR - 2003
Access Controls
Peruse Access Control Matrix
Match the matrix with the users in the
branch
Inquire whether logs of unauthorized
access are available at branch / data
center
Review management action on the same
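One way to carry out the matrix-to-user match described above, as an added example that is not part of the original presentation. The role names, function codes, the maker-checker rule and the user rows are all constructed assumptions.

```python
# Access control matrix: role -> functions the role may hold (hypothetical codes).
MATRIX = {
    "TELLER": {"CASH_ENTRY", "ENQUIRY"},
    "OFFICER": {"TXN_AUTHORISE", "ENQUIRY"},
    "MANAGER": {"TXN_AUTHORISE", "RATE_OVERRIDE", "ENQUIRY"},
}
# Assumed maker-checker rule: one user should not both enter and authorise.
CONFLICT = {"CASH_ENTRY", "TXN_AUTHORISE"}

# Branch user listing as it might be exported from the CBS (constructed rows).
USERS = [
    {"id": "U101", "role": "TELLER", "rights": {"CASH_ENTRY", "ENQUIRY"}, "on_rolls": True},
    {"id": "U102", "role": "TELLER", "rights": {"CASH_ENTRY", "TXN_AUTHORISE"}, "on_rolls": True},
    {"id": "U103", "role": "OFFICER", "rights": {"TXN_AUTHORISE"}, "on_rolls": False},
    {"id": "U104", "role": "AUDITOR", "rights": {"ENQUIRY"}, "on_rolls": True},
]


def reconcile(matrix, users):
    """Return (user_id, finding) pairs to take up with the branch."""
    findings = []
    for user in users:
        allowed = matrix.get(user["role"])
        if allowed is None:
            # The user's role does not appear in the matrix at all.
            findings.append((user["id"], "role %s not in matrix" % user["role"]))
            continue
        excess = sorted(user["rights"] - allowed)
        if excess:
            findings.append((user["id"], "rights beyond matrix: " + ", ".join(excess)))
        if CONFLICT <= user["rights"]:
            findings.append((user["id"], "holds both entry and authorisation rights"))
        if not user["on_rolls"]:
            findings.append((user["id"], "user id active but person not on branch rolls"))
    return findings


if __name__ == "__main__":
    for user_id, finding in reconcile(MATRIX, USERS):
        print(user_id, "-", finding)
```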
Read-Only Access
Ask for read-only access to view the
branch data
If access cannot be given, decide whether it
needs to be reported in Audit Report /
LFAR
Use assistance of SE to run queries
If SE is not able to help then decide whether
it needs to be reported in Audit Report /
LFAR
Transaction Logs
Serial Control over all transactions
Number to be allotted by the system
No manual intervention allowed
Peruse transaction logs of heavy days
Typically after multiple holidays
Review Exception Transactions Reports
And also action taken thereon
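A sketch of the serial-control test and the choice of heavy days described above, as an added example that is not part of the original presentation. The log layout (serial number, business date, manual-entry flag) and every row in it are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed log extract: (serial number, business date, serial keyed in manually?)
LOG = [
    (5001, date(2009, 3, 30), False),
    (5002, date(2009, 3, 30), False),
    (5004, date(2009, 3, 30), False),   # 5003 is missing
    (5005, date(2009, 3, 31), False),
    (5005, date(2009, 3, 31), False),   # duplicate serial
    (5006, date(2009, 3, 31), True),    # serial not allotted by the system
    (5007, date(2009, 3, 31), False),
]


def check_serial_control(log):
    """Find missing, duplicate and manually allotted serial numbers."""
    if not log:
        return {"missing": [], "duplicates": [], "manual": []}
    serials = [row[0] for row in log]
    present = set(serials)
    counts = Counter(serials)
    # Every number between the first and last serial should appear exactly once.
    missing = [n for n in range(min(serials), max(serials) + 1) if n not in present]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    manual = sorted(row[0] for row in log if row[2])
    return {"missing": missing, "duplicates": duplicates, "manual": manual}


def heaviest_days(log, top=1):
    """Rank business dates by transaction count to pick days for detailed perusal."""
    per_day = Counter(row[1] for row in log)
    return [day for day, _ in per_day.most_common(top)]


if __name__ == "__main__":
    print(check_serial_control(LOG))
    print(heaviest_days(LOG))
```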
Income – interest
Interest rate parameters are controlled centrally
Obtain list of transactions where interest rate
has been entered by branch management
Ensure that such entry and authorization is as
per the Access Control Rules
Review process of interest rate modifications in
similar manner
Test check a few interest calculations
Income – charges
As in case of interest rate, parameters for other
charges are controlled centrally
Ensure that the software relates the transaction
with the income to be applied
Bank Guarantee / LC and its Commission / Charges
ATM / Credit Card charges
Charges for miscellaneous transactions
Number of debits
Note counting
Review transactions where branch has an
authority to deviate from the set parameters
Test check a few transactions
Advances
Verify data entry of new sanctions into the CBS
Rate of Interest
Date of sanction
Inquire whether loan documentation is
controlled through the system
If so, whether system prompts for the same
Whether system prompts for renewals
Identification of NPAs
Inquire whether system identifies NPAs and
reverses income
Obtain report of cases of
Defaults in excess of 90 days principal repayment
Interest not fully serviced
Potential NPA
Audit list of defaults nearing
but not exceeding 90 days
Identification of NPAs…
Peruse list of customers / accounts with high
credits within last week / fortnight of March
Identify whether there are heavy withdrawals in
first week / fortnight of April of customers /
accounts in this list
Trace whether these credits are from advances
sanctioned at some other branch or in some other
group account
This is possible if access is available to data other than
that of the branch
Deposits & Interest Expenditure
Ensure proper parameterization of deposit
schemes and interest thereon
Trace a sample of transactions
Verify calculations of interest expenditure in few
cases
Review process of pre-mandated transactions
and whether they have happened as per the
mandate
Auto sweep account
Cumulative deposits
Recurring deposits
Office Accounts
Review various office accounts
Suspense
Sundry Deposits
Inter branch
ATM Suspense
Cash Management
Audit list of outstanding items
Inquire whether frauds have occurred using
these office accounts
Audit Conclusions
Document findings & conclusions
Discuss them
Take written and oral representations
Formulate Audit Opinion
Coverage
Audit in a CBS Environment
Primary Audit Steps
Key Audit Processes
LFAR - 2003
LFAR - 2003
Whether hard copies of accounts are
printed regularly?
Inquire about the Bank’s instructions of
taking print-outs
Note down the frequency of taking hard
copies of accounts
Compare with Concurrent & System Audit
Reports
LFAR – 2003 …
Indicate the extent of computerization and
the areas of operation covered.
Obtain data of areas of operation
computerized during the year
Note down the effective date
Compare with Concurrent & Systems Audit
Reports
LFAR – 2003 …
Are the access and data security measures
and other internal controls adequate?
Entire gamut of logical & physical access
controls apply
It is not confined to passwords alone
LFAR – 2003 …
Whether regular back-ups of accounts
and off-site storage are maintained as per
the guidelines of the controlling
authorities of the bank?
Ascertain the Guidelines
Whether the Bank is aware of them
Ask and see how they are implemented
Audit the documents maintained
LFAR – 2003 …
Whether adequate contingency and disaster
recovery plans are in place for loss / encryption of
data?
Inquire whether the Branch is aware of the BCP / DRP
Inquire whether the Branch has a copy of the BCP /
DRP
Review documents relating to above
Inquire about encryption standards implemented
Who is in control of encryption
Whether branch is aware of encryption standards
applied
How is the control made effective
LFAR – 2003 …
Do you have any suggestions for the
improvement in the system with regard
to computerized operations of the
branch?
Give suggestions, if any.
LFAR – 2003 …
For each area one needs to:-
Inquire about Bank’s policy
Level of understanding of the policy and its
implication
Evidence of compliance with that policy at branch
Peruse action taken on Concurrent & System audit
findings
Area is too wide to be covered as part of Branch
Statutory Audit if it is to be done diligently
Thank you
ashu01@mpchitale.com