Auditing in the CBS Environment was never this easy. Anand Jangid gives an insight to the Indian Chartered Accountants regarding the correct approach and methodological concepts that is to be remembered while auditing any CBS Environment.
2. Privileged and Confidential 2
Agenda
• Check in
• Bank and Risk
• Key Provision applicable to Auditors
• Understanding the CBS banking environment
3. Privileged and Confidential 3
Check In …. Lesson learned from Barings Bank
The key questions are:
• How were the massive losses incurred at a small branch?
• Why was the true position not noticed earlier?
Conclusion: The losses were incurred by reason of unauthorised and concealed activities
within BFS.
The true position was not noticed earlier by reason of a serious failure of controls and
managerial confusion within Barings.
The true position had not been detected prior to the collapse by the external auditors,
supervisors or regulators of Barings.
------ AND NOW UBI……..
4. Privileged and Confidential 4
The January 2008 Société
Générale lost
approximately €4.9 billion
The bank was founded in
1984
The Socgen example
5. Privileged and Confidential 5
The Man behind it
Jérôme Kerviel (born
January 11, 1977) is a
French trader who has
been charged in the
January 2008 Société
Générale trading loss
incident, resulting in
losses valued at
approximately €4.9
billion
6. Privileged and Confidential 6
Trader used his experience of working in middle office roles to circumvent control processes
Used other individuals passwords to cancel certain transactions
Cause/contributory factor
7. Privileged and Confidential 7
He got a new employment
Kerviel is now two weeks into a new job at information technology consulting
firm LCA, which is based just outside Paris.
What is Mr. Jerome doing now ?
8. Privileged and Confidential 8
• Stiff market competition
• Innovative Products to meet customer needs
• Increasing level of automation
• Centralisation of many back office functions
• Process changes
• Pressure on margins / bottom line
Lead to controls becoming potential first casualty!
Risk Management , Internal Controls / Audit help Management to „manage‟ its risks better.
In the current Banking scenario….
9. Privileged and Confidential 9
Importance of Risk Awareness
No Business without Elements of Risks!
Most Managers understand the relationship between risk and reward.
But a second relationship is very important :
The relationship between risk and awareness.
Taking risk is not in itself a problem but the ignorance of the potential consequences is an
entirely different matter.
Professor Robert Simons
10. Privileged and Confidential 10
Risk mitigation
Risk due to accident mitigated
by wearing a head gear (helmet)
Risk due to accident was not
mitigated by wearing a head
gear (helmet) – lead to fatal
injury
11. Privileged and Confidential 11
Three Lines of Defense
Third Line
Audit
Second Line
Risk Management / Internal Control
First Line
Business owners (Branches, Support functions)
14. Privileged and Confidential 14
KEY PROVISIONS – BANKING REGULATION ACT, 1949
Act Reference Description
Banking Regulation Act,
1949
Section 30 (1) Audit of financial statements by a person duly qualified to be
an auditor of companies.
Section 30 (3) Auditor is required to state in report
• Information provided is satisfactory or not.
• Transactions made within the power or not.
• Profit and loss account showing true balance or not., etc.
Circular No.
DBS.FGV.(F).No.
BC/ 23.08.001/
2001-02
dated May 3, 2002
Auditor is required to refer the matter to the regulator in case
he finds any fraudulent activity or act of excess power or
smell foul play in any transaction.
15. Privileged and Confidential 15
KEY PROVISIONS – COMPANIES ACT, 2013
Act Reference Description
Companies Act, 2013 Section 143 (3) To report on Compliance of financial statement with
accounting standards, adequacy and operating effectiveness
of internal financial controls, etc.
Section 143 (4) To state reasons for negative remarks or qualifications.
Section 143 (8) Audit of branches of banking companies.
Section 143 (9) Auditor shall comply with auditing standards.
Section 143 (12) To report fraudulent activities to the Central Government
within such time and in such manner as may be prescribed.
16. Privileged and Confidential 16
Other Regulations
Act Description
PCI DSS (Payment Card Industry Data
Security Standards )
Information security for Cardholder
information Intellectual Property
Audit and Assurance Standards •SA300
•SA315
•SA330
IT ACT, 2000 Revised 2008 Collection and disclosure of customers‟
personal financial information by financial
institutions
17. Privileged and Confidential 17
Overview of Bank Audit
Audit Inside System
Bank Audit comprises of “Audit Inside the System” and “Audit Outside the System”
Audit Outside System
• Application Controls
• Segregation of duties, etc.
• Physical Verification
• Documentation, etc.
19. Privileged and Confidential 19
Why need to understand CBS ?
To provide full assurance as a part
of their work, an auditor needs to
conduct audit inside system and
outside the system as well.
To conduct an audit inside the
system, understanding of system
i.e. CBS (Core Banking Solution) in
case of banking industry is quite
essential.
20. Privileged and Confidential 20
What is CBS ?
CBS is the process which is completed in centralized environment i.e. under which the
information is stored in the Central Server of the bank and available to all networked branches
instead of branch server.
The word CORE in CBS stands for Centralised Online Real-time Environment.
Depending upon the size and needs of the bank, it could be for all or limited operations. The
task is carried through an advance software by making use of services provided by specialized
agents.
“Finacle by Infosys” is most commonly used as CBS application in India.
22. Privileged and Confidential 22
Core Banking Architecture
Pure Core
Architecture
Core with Branch
Servers
Cluster Banking
Architecture
Heterogeneous
Architecture
23. Privileged and Confidential 23
The Pillars of CBS
“The Principal of CIA” which is compliant with all the rules & regulations are the pillars
on which the CBS Platform is erected.
Confidentiality :- Information is Shared amongst Authorised Personnel ONLY.
Integrity :- Information is authentic, untampered and complete.
Availability :- Information is accessible when it is needed.
24. Privileged and Confidential 24
Risks associated with CBS environment
Locational Risks Outsourcing Risks IT Operational Risks
Risk based on the
geographical locations of the
Branch & Server is located.
Risk based on the services
and operations outsourced
by the bank.
Using IT has its inherent risk
as IT follows GIGO
(Garbage In Garbage Out)
Example :- Server located in
earthquake prone area is big
risk.
Example :- Credit Card
operations, Signature
verification etc.
Example :- Error Risk,
Computer Fraud Risk,
Interruption Risk etc.
26. Privileged and Confidential 26
Determine where Information resides/ where processing occurs? Where is it transmitted? Who
owns it ? Who Controls it? Who has access to it?
Distributed
Distributed Processing/Databases
DBA at every decentralised point -Branch level
Ex. ISBS, FNS
Centralised
Centralised Database – Single point of presence – usually running Data Centres
Centralised DBA Functions
Users at Branch level
Ex. Quartz, Finacle, Flex Cube,Temenos
Automated Environment
27. Privileged and Confidential 27
Determining Right source of information
Tracing audit trail
Hardcopies of outputs
Complexity – Co-operative Processing
Tracking changes in parameter files
Look out for the Balance Suspense Accounts !
Reconciliations still a critical issue
Migration Issues
Some audit Challenges
29. Privileged and Confidential 29
• Profile the Branch business and materiality
• Financial Assertions and relevant automation levels
• Gain Understanding of Automation levels and maturity – Extent of Automation
• Compare growth/reduction in volumes under various heads
• Insights into current Banking trends
• Evaluate IT Risks and Controls
• Understand the Control Environment
• Design Audit Procedures and Assess the Reporting and Regulatory risk
• Discuss, Form Opinions and Conclude
Audit Approach
30. Privileged and Confidential 30
• Critical Business Processes
• Transaction Authorisation Controls
• Segregation of duties
• Internal Controls
o Governance Controls
o Application Controls
o IT General Controls
• Monitoring & Internal Audit Controls
Basic Principles
31. Privileged and Confidential 31
• Opening Meeting with Branch Mangement
• Meeting with Key Officers including „Data Officer‟
• Tour of Branch – Accent on IT!
• Internal Circulars and Directives
• RBI Circulars and Directives
• IS Audit Reports
• Inspection and Concurrent Audit Reports
Audit Risk Assessment - the Key!
32. Privileged and Confidential 32
• Interviews & Observation
• Sampling
• Advance Portfolio Sampling
• Income Leakage
• Major GL Heads
• Manual Debits in Interest/Income Accounts
• Standard Reports
• Adhoc/Supplementary Reports
• Excel or CAATs
• Using PRN/TXT report files
• Caution on Use of Audit Tools!
• SQLs
Audit Methods and Techniques
33. Privileged and Confidential 33
• Use of Regular Reports, Exception Reports and
• Analytical Reviews
Look for Systems Generated as well as Manual Records
Transaction Review on terminal – Read/View only.
Request Letter. Request for Exception Reports.
Review History of Impacts due to IT on Business/IT
Risks without impact
Review of Logs, Trails and Reports
Daily Reports
Transaction/Operational Logs
Internal Exception Reports
Audit Trails
Specific Audit Procedures
34. Privileged and Confidential 34
• Risk and Controls Assessment
Minutes of Meetings
Walkthrough Observations
• Audit Plan
• Audit Program and Procedures
• Audit Environment Scope Restrictions
• Evidence - Electronic
• Key Submissions and certifications from Branch Management
• How Opinion Formed
• Call and Invite Attention of Central Stat. Auditor on
• Key Issues
Documentation
36. Privileged and Confidential 36
Audit Procedures
• Procedures to testing general and IS controls
• Evaluation of Risk Management Framework
• Compliance Testing
Transaction Audit
– Procedures to test transaction controls – Application Controls & Other internal controls
– Procedures to test transactions
Audit Procedures
39. Privileged and Confidential 39
• Daily Transactions
• Daily supplementaries
• Balancing and progressive reports
• New Account Transaction Report
• DDs printed report
• Cheques Issued Report
• Inter Branch/Bank debit reports
• Other Reports
• Master data status reports
• Dead Stock
• FCNR Operations Report
• Minors date Report
Transaction Control Reports
40. Privileged and Confidential 40
• Deposits:
• Value date Reports – FD Renewal etc
• Duplicate FD Printing
• List of deposit accounts exceeding limit with wrong interest
• parameters
• Wrongly linked FD accounts
• NRE
• Flagged Deposit accounts for safe custody
• Lien Marked Deposits
• Other Reports:
• Late cash report
• Account validation report
Exception Reports – a Goldmine !
41. Privileged and Confidential 41
• Clearing
• Clearing Exceptions – Returns, Errors
• Clearing
– Exception and Cheque Returned reports
– Cases in which Schedule modifications allowed
– IBD Cheque Numbers
• ECS
• Outstanding entries follow up
• CRA - Reconciliation of Cash covers and Audit Rolls
• Short/Excess Claims in Office Claims – O/s Entries
• Bank Reconciliations
• OCC Dishonour
• TOD Report
Clearing and Deposits
42. Privileged and Confidential 42
• Authorization and limit reports
• In-operative/dormant account transaction reports
• Transactions entered & authorised by same person
• Change in GL Link Parameter Codes
• GL Codes List with codes other than those in Reporting
• Statement – Pointing Parameters for Nominal Accounts
• Manual debits to interest paid account
• Direct GL entry exception reports
• Exceptional SL txns.
• Exceptional Parameter Changes
• EOD (End of Day) Exception Reports
Exception Reports- a goldmine!
43. Privileged and Confidential 43
• Subsidiary-GL Balancing?
• RTGS/SWIFT
• ATM Switch Suspense/ATM Cash
• Suspense
• Clearing Suspense
• All suspense and Parking Accounts
• Inter Branch- Unmatched SOL Ids
• ECS Batch
Reconciliations
44. Privileged and Confidential 44
• Parameter Rate Variations – Customer/Account Level
• Value Dating in Deposits
• Interest Collection Flag
• Anywhere banking charges
• Credit Card Operations Charges
• Ch. Ret., Stop Payment, SI, PO/DD/OCC Return
• NRE/NRO Txns.
• Penal Interest Application
• Submission of Stock Statements
• EMI Interest Application
• Commitment Charges Application
Tracking Income Leakage
45. Privileged and Confidential 45
Parameter File Updates
1. Reconciliations
2. Back End Entries
3. Unclaimed Deposits
4. ATM Cash Verification
5. Card & Pin Handling
6. Migration Controls
7. Outsourcing Risks
8. Controlling Returns
9. IT General Controls
10. Frauds – Indicators and
11. Reporting System
IS Risk Assurance
46. Privileged and Confidential 46
1. IT General Controls
2. Version Control
3. Patch Releases – Systems
4. Software and Applications
a) Anti Virus Updates
b) Backups
c) BCP & DRP
d) Physical and Environmental
e) Controls
IS Risk Assurance
47. Privileged and Confidential 47
A. Access & Authorization controls
B. Process level controls
i. Input
ii. Processing
iii. Output
C. Change Management
D. Incident Management
E. Disaster recovery planning
F. Back up and Recovery
G. Configuration control
Area to concentrate on …
48. Privileged and Confidential 48
Bank audits are not the same and going forward will be much more different
• Good Audit Planning is key to successful bank audit
• Move from transaction audit to Risk based audit approach
• Golden chance for converting challenges to opportunities
• Gear up for the future…NOW!
Ultimately
50. Privileged and Confidential 50
Segregation and Rotation of Duties
One of the fundamental features of an effective internal control system is the segregation and
rotation of duties in a manner conducive to prevention and timely detection of occurrence of
frauds and errors.
In the case of banks, the following measures are usually adopted:
Work of one staff member is invariably supervised / checked by another staff member,
irrespective of the nature of work.
Banks have a system of rotation of job amongst staff members, which reduces the possibility of
frauds and is also useful in detection of frauds and errors. Also, most banks usually have a
process of giving “block” leave to its staff members wherein the employee stays away from work
for at least a continuous period of 2 weeks.
51. Privileged and Confidential 51
Authorisation of Transactions
Authorisation may be general or it may be specific with reference to a single transaction. It is
necessary to establish procedures which provide assurance that authorisations are issued by
persons acting within the scope of their authority, and that the transactions conform fully to the
terms of the authorisations. The following procedures are usually established in banks for this
purpose:
The financial and administrative powers of each official/each position are fixed and communicated to all
persons concerned.
All financial decisions at any level are required to be reported to the next higher level for confirmation.
Any deviation from the laid down procedures requires confirmation from/intimation to higher authorities.
Branch managers have to send periodic confirmation to their controlling authority on compliance of the laid
down systems and procedures.
52. Privileged and Confidential 52
Maintenance of Adequate Records and Documents
Accounting controls should ensure that the transactions are recorded at correct amount and in
the accounting periods in which they are executed, and that they are classified in appropriate
accounts.
The procedures established in banks to achieve these objectives usually include the following:
All records are maintained in the prescribed books and registers only.
All branches of a bank have a unique code number which is circulated amongst all offices of the bank. This
code number is required to be put on all important instruments.
All books are to be balanced periodically and it is to be confirmed by an official.
All inter-office transactions are to be reconciled within a specified time frame.
53. Privileged and Confidential 53
Accountability for and Safeguarding of Assets
The accountability for assets starts at the time of their acquisition and continues till their
disposal. To safeguard the assets, it is also necessary that access to assets is limited to
authorised personnel.
The following are some of the important controls implemented by banks in this regard:
The specimen signatures of all officers are maintained in a book which is available in all branches.
The instruments which are evidence of remittances of funds above a cut-off level are to be signed by more
than one official.
Important financial messages, when transmitted electronically, are generally encrypted.
Sensitive items like currency, valuables, draft forms, term deposit receipts, traveller‟s cheques and other
such security forms are in the custody of at least two officials of the branch.
All assets of the bank/charged to the bank are physically verified at specified intervals.
54. Privileged and Confidential 54
Independent Checks
Independent checks involve a periodic or regular review of functioning of the system by
independent persons to ascertain whether the control procedures are being performed
properly. Banks have an elaborate system of various forms of internal audit covering virtually
every aspect of their functioning.
56. Privileged and Confidential 56
Few Techniques for Auditing under CBS Environment….Contd.
Suppose the auditor want to test the KYC norms on current account customer master data. For testing the same the
auditor need to request the IT Team to extract you the following data:-
• Data Required :- Current account customer master information.
• Period:- As of the date of audit.
• Fields of reference :- Branch ID, Customer ID, Account ID, First Holder & Joint Holder‟s name, Address, PAN,
Mobiles no. Residence No., Office No., Mode of Operation and Clear Balance.
• Format of Data :- Text Form
The IT department runs a SQL Query on the database and generates a text dump file which is saved in a secure
folder with special access only to the auditors. The audit team imported the text file using the text report import option
within GAS. Post import, the team used the „duplicate key‟ test within GAS to identify fictitious accounts opened with
similar PAN or Mobile No. or Address or Office No. or Residence No. , but different Customer ID.
57. Privileged and Confidential 57
Few Techniques for Auditing under CBS Environment….Contd.
The auditor then decided to check the integrity of loan data migrated from the Legacy application to the CBS. To test this
objective, the auditor issued a data request to IT in the following format :-
• Data required :- Cash Credit master information for large-scale branch X.
• Period :- Data immediately post migration.
• Fields of reference :- Customer ID, Sanction Limit, Drawing Power, and Rate of Interest.
• Format of Data :- Text form.
IT Team ran an SQL query on the production database and generated a text file dump which was saved in a secure folder with
special access to the Audit Team only. The corresponding data from the legacy system immediately pre-migration was available
with the Migration Team.
The Auditor imported both the text files using the Text Report import option within the GAS.
Post import, the Auditor linked the pre-migration and post-migration data through the Join function in the GAS. The two data files
were linked, based on the Customer ID available in both the files. Post Join, three new fields were created by the Auditor
containing differences in the Sanction Limit, Drawing Power and Rate of Interest in each field.
Accounts where there was a difference in the masters migrated (non-zero data), were identified through the above approach.
59. Privileged and Confidential 59
LONG FORM AUDIT REPORT
Long Form Audit Report (LFAR) is a detailed questionnaire formulated by the RBI and auditors
are liable to answer. It is not a substitute for the statutory report and should not deemed to be a
part of the said report.
Things to remember :
1. Study the LFAR questionnaire thoroughly.
2. Complete & submit the Auditor‟s report and LFAR simultaneously.
3. Comments in LFAR should be specific and not vague.
4. It should be sufficiently detailed and quantified.
60. Privileged and Confidential 60
CERTIFICATE ON JILANI COMMITTEE RECOMMENDATIONS
The Recommendations are related to internal control and inspection/audit system in banks
which are to be compulsorily implemented by banks.
Things to remember :
1. Reply to made either „implemented‟ or „not-implemented‟
2. The form broadly indicates the set up within banks where actions lie in respect of each of
the 25 recommendations of the Jilani Committee. Banks can however modify it depending
upon their organisation of the inspection/audit setup in their banks and the demarcation of
responsibilities.
Illustrative Checklist
61. Privileged and Confidential 61
CERTIFICATE ON GHOSH COMMITTEE RECOMMENDATIONS
The Recommendations are related to frauds and malpractices in banks.
RBI has divided all the recommendations into four groups as under :
i. Group A – Recommendations to be implemented immediately by the banks.
ii. Group B – Recommendations requiring RBI‟s approval.
iii. Group C – Recommendations requiring approval of Government of India.
iv. Group D – Recommendations requiring further examination.
Answers to be given either in „yes‟ or „no‟.
Illustrative Checklist
63. Privileged and Confidential 63
Case Study - III
Weakness in Internal Controls
An employee of Yes Bank, who allegedly forged the signature of one of its
clients, prepared a duplicate company seal, changed bank mandates with
forged signatures and the seal, and redeemed money invested in mutual
funds worth about $137,500, leading to a loss of about 34 lakh to the client.
The employee worked as a Relationship Manager in the bank's wealth
management division.
A ICICI bank executive has been arrested for stealing almost Rs 50 lakh from
the inactive account of an NRI who had died by breaking every rule of
professional ethics, ferreting out customer information and manipulating
safety procedures. Two of his accomplices were also held.
66. Privileged and Confidential 66
Average Time Taken to Detect Fraud
6 months
30%
6-12
months
30%
12-24
months
20%
>24
months
3%
Not
disclosed
17%
67. Privileged and Confidential 67
Average Loss per fraud incident
Indian banks lost as much as Rs 17,284 crore during 2012-13 due to fraud, in a near four-fold
jump over the previous fiscal, ET has found out from information obtained through Right to
Information Act.
