Bank Branch Statutory Audit


Auditing in the CBS environment was never this easy. Anand Jangid gives Indian Chartered Accountants an insight into the correct approach and the methodological concepts to keep in mind while auditing any CBS environment.

Published in: Business, Economy & Finance

  1. Privileged and Confidential 1 Audit of Bank Under CBS Environment. Presented By :- CA ANAND PRAKASH JANGID On :- 22nd March, 2014 © 2014 This document contains information that is confidential and proprietary to Quadrisk Advisors. No part of it may be circulated, quoted, or reproduced for distribution without prior approval from Quadrisk Advisors.
  2. Agenda • Check in • Bank and Risk • Key Provisions applicable to Auditors • Understanding the CBS banking environment
  3. Check In …. Lessons learned from Barings Bank. The key questions are: • How were the massive losses incurred at a small branch? • Why was the true position not noticed earlier? Conclusion: The losses were incurred by reason of unauthorised and concealed activities within BFS. The true position was not noticed earlier by reason of a serious failure of controls and managerial confusion within Barings. The true position had not been detected prior to the collapse by the external auditors, supervisors or regulators of Barings. ------ AND NOW UBI……..
  4. The SocGen example: In January 2008 Société Générale lost approximately €4.9 billion. The bank was founded in 1984.
  5. The Man behind it: Jérôme Kerviel (born January 11, 1977) is a French trader who has been charged in the January 2008 Société Générale trading loss incident, resulting in losses valued at approximately €4.9 billion.
  6. Cause/contributory factor: • The trader used his experience of working in middle office roles to circumvent control processes • He used other individuals' passwords to cancel certain transactions
  7. What is Mr. Jerome doing now? He got a new job: Kerviel is now two weeks into a new position at information technology consulting firm LCA, which is based just outside Paris.
  8. In the current Banking scenario…. • Stiff market competition • Innovative products to meet customer needs • Increasing level of automation • Centralisation of many back office functions • Process changes • Pressure on margins / bottom line. These lead to controls becoming the potential first casualty! Risk Management, Internal Controls / Audit help Management to 'manage' its risks better.
  9. Importance of Risk Awareness: No business without elements of risk! Most managers understand the relationship between risk and reward. But a second relationship is very important: the relationship between risk and awareness. Taking risk is not in itself a problem, but ignorance of the potential consequences is an entirely different matter. (Professor Robert Simons)
  10. Risk mitigation: Risk due to accident mitigated by wearing head gear (helmet). Risk due to accident not mitigated by wearing head gear (helmet), leading to fatal injury.
  11. Three Lines of Defense: First Line: Business owners (branches, support functions). Second Line: Risk Management / Internal Control. Third Line: Audit.
  12. Risk Across the Bank. Operational & IT Risks: • Fraud • Human error • Training gaps • Negligence • Audit compliance risk • Booking error • Business process design • Confidentiality risk • Documentation risk • Execution risk • Information security risk • Methodology error • Model error • Money laundering • Product complexity • Settlement error • Security risks • Volume risks • Connectivity failure • System customisation risk • Telecom failure • Third party/vendor failure for non-IT outsourcing. Credit Risks: • Counter party risk • Credit appraisal • Exposure risk • Settlement – pre / maturity date • Recovery / security realisation risk • Sector downturns • Country (sovereign) risk. Bank Wide and Other Risks: • Regulatory compliance • Reputation risk • Capital inadequacy risk • Disaster risk / force majeure • External credit rating • Human resources management risk • Event risk, group risk, legal risk • Management risk, organisation risk. Market Risks: Liquidity Risk (• Funding risk • Market conditions • Time risk); Forex Risk (• FX rate volatility • Gap risk); Interest Rate Risk (• Basis risk • Prepayment risk • Re-pricing risk • Yield curve risk); Other Market Risks (• Commodity risk • Country risk • Equity position risk • Limits risk • Price volatility).
  13. PROVISIONS APPLICABLE TO AUDITOR
  14. KEY PROVISIONS – BANKING REGULATION ACT, 1949: • Section 30 (1): Audit of financial statements by a person duly qualified to be an auditor of companies. • Section 30 (3): The auditor is required to state in the report whether the information provided is satisfactory or not, whether transactions were made within the powers of the bank or not, whether the profit and loss account shows a true balance or not, etc. • Circular No. DBS.FGV.(F).No. BC/ 23.08.001/ 2001-02 dated May 3, 2002: The auditor is required to refer the matter to the regulator in case he finds any fraudulent activity or act in excess of powers, or suspects foul play in any transaction.
  15. KEY PROVISIONS – COMPANIES ACT, 2013: • Section 143 (3): To report on compliance of the financial statements with accounting standards, adequacy and operating effectiveness of internal financial controls, etc. • Section 143 (4): To state reasons for negative remarks or qualifications. • Section 143 (8): Audit of branches of banking companies. • Section 143 (9): The auditor shall comply with auditing standards. • Section 143 (12): To report fraudulent activities to the Central Government within such time and in such manner as may be prescribed.
  16. Other Regulations: • PCI DSS (Payment Card Industry Data Security Standard): Information security for cardholder information • Intellectual Property • Audit and Assurance Standards: SA300, SA315, SA330 • IT Act, 2000 (revised 2008): Collection and disclosure of customers' personal financial information by financial institutions
  17. Overview of Bank Audit: Bank audit comprises "Audit Inside the System" (• Application controls • Segregation of duties, etc.) and "Audit Outside the System" (• Physical verification • Documentation, etc.).
  18. CORE BANKING SOLUTION
  19. Why do we need to understand CBS? To provide full assurance as part of their work, auditors need to audit inside the system as well as outside it. To conduct an audit inside the system, an understanding of the system, i.e. the CBS (Core Banking Solution) in the case of the banking industry, is quite essential.
  20. What is CBS? CBS is the process which is completed in a centralised environment, i.e. one under which information is stored in the central server of the bank and is available to all networked branches instead of on a branch server. The word CORE in CBS stands for Centralised Online Real-time Environment. Depending upon the size and needs of the bank, it could cover all or limited operations. The task is carried out through advanced software by making use of services provided by specialised agents. "Finacle by Infosys" is the most commonly used CBS application in India.
  21. What does a CBS branch look like?
  22. Core Banking Architecture: • Pure Core Architecture • Core with Branch Servers • Cluster Banking Architecture • Heterogeneous Architecture
  23. The Pillars of CBS: "The Principle of CIA", compliant with all the rules & regulations, forms the pillars on which the CBS platform is erected. Confidentiality: information is shared amongst authorised personnel ONLY. Integrity: information is authentic, untampered and complete. Availability: information is accessible when it is needed.
  24. Risks associated with the CBS environment: • Locational Risks: risk based on the geographical locations at which the branch & server are located. Example: a server located in an earthquake-prone area is a big risk. • Outsourcing Risks: risk based on the services and operations outsourced by the bank. Example: credit card operations, signature verification etc. • IT Operational Risks: using IT has its inherent risk, as IT follows GIGO (Garbage In, Garbage Out). Example: error risk, computer fraud risk, interruption risk etc.
  25.
  26. Automated Environment: Determine where information resides / where processing occurs, where it is transmitted, who owns it, who controls it and who has access to it. • Distributed: distributed processing/databases; DBA at every decentralised point (branch level). Ex. ISBS, FNS. • Centralised: centralised database, single point of presence, usually running in data centres; centralised DBA functions; users at branch level. Ex. Quartz, Finacle, Flex Cube, Temenos.
  27. Some audit challenges: • Determining the right source of information • Tracing the audit trail • Hardcopies of outputs • Complexity – co-operative processing • Tracking changes in parameter files • Look out for the balance in Suspense Accounts! • Reconciliations still a critical issue • Migration issues
  28. Planning your Audit
  29. Audit Approach: • Profile the branch business and materiality • Financial assertions and relevant automation levels • Gain understanding of automation levels and maturity – extent of automation • Compare growth/reduction in volumes under various heads • Insights into current banking trends • Evaluate IT risks and controls • Understand the control environment • Design audit procedures and assess the reporting and regulatory risk • Discuss, form opinions and conclude
  30. Basic Principles: • Critical business processes • Transaction authorisation controls • Segregation of duties • Internal controls (o Governance controls o Application controls o IT general controls) • Monitoring & internal audit controls
  31. Audit Risk Assessment - the Key! • Opening meeting with Branch Management • Meeting with key officers including the 'Data Officer' • Tour of the branch – accent on IT! • Internal circulars and directives • RBI circulars and directives • IS audit reports • Inspection and concurrent audit reports
  32. Audit Methods and Techniques: • Interviews & observation • Sampling • Advances portfolio sampling • Income leakage • Major GL heads • Manual debits in interest/income accounts • Standard reports • Ad hoc/supplementary reports • Excel or CAATs • Using PRN/TXT report files • Caution on use of audit tools! • SQLs
  33. Specific Audit Procedures: • Use of regular reports, exception reports and analytical reviews • Look for system-generated as well as manual records • Transaction review on terminal – read/view only; request letter; request for exception reports • Review history of impacts due to IT on business / IT risks without impact • Review of logs, trails and reports: daily reports, transaction/operational logs, internal exception reports, audit trails
  34. Documentation: • Risk and controls assessment (minutes of meetings, walkthrough observations) • Audit plan • Audit program and procedures • Audit environment, scope restrictions • Evidence – electronic • Key submissions and certifications from Branch Management • How the opinion was formed • Call and invite the attention of the Central Statutory Auditor to key issues
  35. Audit Procedures
  36. Audit Procedures: • Procedures to test general and IS controls • Evaluation of the risk management framework • Compliance testing • Transaction audit: procedures to test transaction controls, application controls & other internal controls; procedures to test transactions
  37. General Audit Procedure
  38. Exception and AD-HOC reports: a gold mine for the auditor
  39. Transaction Control Reports: • Daily transactions • Daily supplementaries • Balancing and progressive reports • New account transaction report • DDs printed report • Cheques issued report • Inter branch/bank debit reports • Other reports • Master data status reports • Dead stock • FCNR operations report • Minors' date report
  40. Exception Reports – a Goldmine! • Deposits: value date reports – FD renewal etc.; duplicate FD printing; list of deposit accounts exceeding limit with wrong interest parameters; wrongly linked FD accounts; NRE; flagged deposit accounts for safe custody; lien marked deposits • Other reports: late cash report; account validation report
  41. Clearing and Deposits: • Clearing • Clearing exceptions – returns, errors • Clearing – exception and cheque returned reports – cases in which schedule modifications allowed – IBD cheque numbers • ECS • Outstanding entries follow up • CRA - reconciliation of cash covers and audit rolls • Short/excess claims in office claims – O/s entries • Bank reconciliations • OCC dishonour • TOD report
  42. Exception Reports – a goldmine! • Authorisation and limit reports • In-operative/dormant account transaction reports • Transactions entered & authorised by the same person • Change in GL link parameter codes • GL codes list with codes other than those in the reporting statement – pointing parameters for nominal accounts • Manual debits to interest paid account • Direct GL entry exception reports • Exceptional SL txns. • Exceptional parameter changes • EOD (End of Day) exception reports
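Four of the exception reports listed on slide 42 (same maker and checker, manual debits to interest paid, dormant account activity, direct GL entries) generated from a text dump, as an added Python example that is not part of the presentation. The transaction dump, GL codes, user IDs and account statuses are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed transaction dump in the "text form" an IT team might extract for
# the auditor; the GL codes, user IDs and account numbers are invented.
SAMPLE_TXNS = """\
txn_id,account_id,account_status,gl_code,gl_desc,dr_cr,amount,entry_mode,entered_by,authorised_by
T001,ACC1001,ACTIVE,GL2001,SB Deposits,CR,15000.00,SYSTEM,U101,U205
T002,ACC1002,DORMANT,GL2001,SB Deposits,DR,48000.00,MANUAL,U101,U205
T003,ACC1003,ACTIVE,GL2001,SB Deposits,DR,2500.00,MANUAL,U101,U101
T004,,ACTIVE,GL5101,Interest Paid - Deposits,DR,9200.00,MANUAL,U302,U205
T005,ACC1004,ACTIVE,GL5101,Interest Paid - Deposits,DR,310.50,SYSTEM,SYS,SYS
T006,,ACTIVE,GL6001,Suspense,CR,9200.00,MANUAL,U302,U205
T007,ACC1005,INOPERATIVE,GL2001,SB Deposits,CR,500.00,SYSTEM,U101,U205
"""

# Assumed for this example: the GL heads the auditor treats as interest paid,
# and the statuses the bank uses for in-operative/dormant accounts.
INTEREST_PAID_GLS = {"GL5101"}
DORMANT_STATUSES = {"DORMANT", "INOPERATIVE"}


def parse_dump(text):
    """Read the comma-separated text dump into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def exception_report(rows):
    """Apply four exception rules from the slide to the transaction rows and
    return {rule_name: [txn_id, ...]} so each report can be followed up."""
    report = defaultdict(list)
    for r in rows:
        tid = r["txn_id"]
        manual = r["entry_mode"] == "MANUAL"
        # Transactions entered & authorised by the same person: a manual posting
        # without a second pair of eyes. System batch postings are excluded.
        if manual and r["entered_by"] == r["authorised_by"]:
            report["same_maker_checker"].append(tid)
        # Manual debits to the interest paid account: system-calculated interest
        # should not need hand adjustments, so these are income-leakage candidates.
        if manual and r["dr_cr"] == "DR" and r["gl_code"] in INTEREST_PAID_GLS:
            report["manual_debit_interest_paid"].append(tid)
        # Any movement in an in-operative/dormant account, whatever the channel.
        if r["account_status"] in DORMANT_STATUSES:
            report["dormant_account_txn"].append(tid)
        # Manual postings with no customer account behind them: direct GL entries.
        if manual and r["account_id"] == "":
            report["direct_gl_entry"].append(tid)
    return dict(report)


if __name__ == "__main__":
    for rule, txns in sorted(exception_report(parse_dump(SAMPLE_TXNS)).items()):
        print(f"{rule}: {', '.join(txns)}")
```

In practice the dump would be the branch's daily transaction extract; the same rules also serve as a cross-check on the EOD exception reports the CBS itself produces.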
  43. • Subsidiary-GL balancing? • RTGS/SWIFT • ATM switch suspense / ATM cash suspense • Clearing suspense • All suspense and parking accounts • Inter branch – unmatched SOL IDs • ECS batch reconciliations
  44. Tracking Income Leakage: • Parameter rate variations – customer/account level • Value dating in deposits • Interest collection flag • Anywhere banking charges • Credit card operations charges • Ch. ret., stop payment, SI, PO/DD/OCC return • NRE/NRO txns. • Penal interest application • Submission of stock statements • EMI interest application • Commitment charges application
  45. IS Risk Assurance: 1. Parameter file updates 2. Reconciliations 3. Back end entries 4. Unclaimed deposits 5. ATM cash verification 6. Card & PIN handling 7. Migration controls 8. Outsourcing risks 9. Controlling returns 10. IT general controls 11. Frauds – indicators and reporting system
  46. IS Risk Assurance: 1. IT general controls 2. Version control 3. Patch releases – systems software and applications 4. a) Anti-virus updates b) Backups c) BCP & DRP d) Physical and environmental controls
  47. Areas to concentrate on …: A. Access & authorisation controls B. Process level controls (i. input ii. processing iii. output) C. Change management D. Incident management E. Disaster recovery planning F. Back up and recovery G. Configuration control
  48. Ultimately: Bank audits are not the same and going forward will be much more different. • Good audit planning is key to a successful bank audit • Move from transaction audit to a risk-based audit approach • Golden chance for converting challenges to opportunities • Gear up for the future…NOW!
  49. UNDERSTANDING OF PROCESS, RISK & CONTROL
  50. Segregation and Rotation of Duties: One of the fundamental features of an effective internal control system is the segregation and rotation of duties in a manner conducive to the prevention and timely detection of frauds and errors. In the case of banks, the following measures are usually adopted: • The work of one staff member is invariably supervised / checked by another staff member, irrespective of the nature of the work. • Banks have a system of rotation of jobs amongst staff members, which reduces the possibility of frauds and is also useful in the detection of frauds and errors. • Most banks also have a process of giving "block" leave to staff members, wherein the employee stays away from work for a continuous period of at least 2 weeks.
  51. Authorisation of Transactions: Authorisation may be general, or it may be specific with reference to a single transaction. It is necessary to establish procedures which provide assurance that authorisations are issued by persons acting within the scope of their authority, and that the transactions conform fully to the terms of the authorisations. The following procedures are usually established in banks for this purpose: • The financial and administrative powers of each official/each position are fixed and communicated to all persons concerned. • All financial decisions at any level are required to be reported to the next higher level for confirmation. • Any deviation from the laid down procedures requires confirmation from/intimation to higher authorities. • Branch managers have to send periodic confirmation to their controlling authority on compliance with the laid down systems and procedures.
  52. Maintenance of Adequate Records and Documents: Accounting controls should ensure that transactions are recorded at the correct amount and in the accounting periods in which they are executed, and that they are classified in the appropriate accounts. The procedures established in banks to achieve these objectives usually include the following: • All records are maintained in the prescribed books and registers only. • All branches of a bank have a unique code number which is circulated amongst all offices of the bank. This code number is required to be put on all important instruments. • All books are to be balanced periodically, and this is to be confirmed by an official. • All inter-office transactions are to be reconciled within a specified time frame.
  53. Accountability for and Safeguarding of Assets: Accountability for assets starts at the time of their acquisition and continues till their disposal. To safeguard the assets, it is also necessary that access to assets is limited to authorised personnel. The following are some of the important controls implemented by banks in this regard: • The specimen signatures of all officers are maintained in a book which is available in all branches. • Instruments which are evidence of remittances of funds above a cut-off level are to be signed by more than one official. • Important financial messages, when transmitted electronically, are generally encrypted. • Sensitive items like currency, valuables, draft forms, term deposit receipts, traveller's cheques and other such security forms are in the custody of at least two officials of the branch. • All assets of the bank/charged to the bank are physically verified at specified intervals.
  54. Independent Checks: Independent checks involve a periodic or regular review of the functioning of the system by independent persons to ascertain whether the control procedures are being performed properly. Banks have an elaborate system of various forms of internal audit covering virtually every aspect of their functioning.
  55. TOOLS & TECHNIQUES TO AUDIT UNDER CBS
  56. Few Techniques for Auditing under CBS Environment….Contd. Suppose the auditor wants to test the KYC norms on current account customer master data. For this, the auditor needs to request the IT team to extract the following data: • Data required: current account customer master information. • Period: as of the date of audit. • Fields of reference: Branch ID, Customer ID, Account ID, First Holder & Joint Holder's name, Address, PAN, Mobile No., Residence No., Office No., Mode of Operation and Clear Balance. • Format of data: text form. The IT department runs a SQL query on the database and generates a text dump file, which is saved in a secure folder with access restricted to the auditors. The audit team imports the text file using the text report import option within the GAS. Post import, the team uses the 'duplicate key' test within the GAS to identify fictitious accounts opened with the same PAN, Mobile No., Address, Office No. or Residence No. but a different Customer ID.
  57. Few Techniques for Auditing under CBS Environment….Contd. The auditor then decided to check the integrity of loan data migrated from the legacy application to the CBS. To test this objective, the auditor issued a data request to IT in the following format: • Data required: Cash Credit master information for large-scale branch X. • Period: data immediately post migration. • Fields of reference: Customer ID, Sanction Limit, Drawing Power, and Rate of Interest. • Format of data: text form. The IT team ran a SQL query on the production database and generated a text file dump, which was saved in a secure folder with access restricted to the audit team. The corresponding data from the legacy system immediately pre-migration was available with the Migration Team. The auditor imported both text files using the text report import option within the GAS. Post import, the auditor linked the pre-migration and post-migration data through the Join function in the GAS, based on the Customer ID available in both files. Post join, three new fields were created containing the differences in Sanction Limit, Drawing Power and Rate of Interest. Accounts where there was a difference in the migrated masters (a non-zero difference) were identified through this approach.
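The two GAS (generalised audit software) procedures on slides 56 and 57, the 'duplicate key' test on the customer master and the pre/post-migration join with difference fields, as an added Python example that is not code from the presentation or from any GAS product. The text dumps, field names and normalisation rules are constructed assumptions; the join here also reports Customer IDs present on only one side, which the slide does not cover.

```python
import csv
import io
import re
from decimal import Decimal

# Constructed text dumps standing in for the IT team's SQL extracts; names, PANs,
# mobile numbers and amounts are invented for illustration.
CUSTOMER_MASTER = """\
branch_id,customer_id,account_id,first_holder,address,pan,mobile_no
B001,C1001,A5001,Ravi Kumar,"12 MG Road, Bengaluru",ABCDE1234F,9876543210
B001,C1002,A5002,R. Kumar,"12, M G Road Bengaluru",abcde1234f,+91 98765 43210
B001,C1003,A5003,Sunita Rao,"4 Park Street, Kolkata",FGHIJ5678K,9123456789
B002,C1003,A5005,Sunita Rao,"4 Park Street, Kolkata",FGHIJ5678K,9123456789
B002,C1004,A5004,Sunita Rao,"4 Park Street, Kolkata",FGHIJ5678K,9123456789
"""
PRE_MIGRATION = """\
customer_id,sanction_limit,drawing_power,rate_of_interest
C1001,500000,450000,12.50
C1003,1200000,1200000,11.75
C1004,250000,200000,13.00
"""
POST_MIGRATION = """\
customer_id,sanction_limit,drawing_power,rate_of_interest
C1001,500000,450000,12.50
C1003,1200000,1000000,11.75
C1004,250000,200000,12.00
C1009,300000,300000,12.25
"""
NUMERIC_FIELDS = ("sanction_limit", "drawing_power", "rate_of_interest")

# Normalisers so that the duplicate test is not defeated by how branch staff keyed
# the data in: PAN case, country code on mobiles, punctuation in addresses.
NORMALISERS = {
    "pan": lambda v: v.strip().upper(),
    "mobile_no": lambda v: re.sub(r"\D", "", v)[-10:],
    "address": lambda v: " ".join(re.sub(r"[^\w\s]", " ", v).lower().split()),
}


def parse_dump(text):
    """Read a comma-separated text dump into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def duplicate_key_test(rows, field):
    """Group customer-master rows on the normalised value of `field` and return
    the keys shared by more than one distinct Customer ID: {key: [customer_ids]}.
    Two accounts of the same customer are not a hit, matching the slide's test."""
    groups = {}
    for r in rows:
        key = NORMALISERS[field](r[field])
        if key:
            groups.setdefault(key, set()).add(r["customer_id"])
    return {k: sorted(ids) for k, ids in groups.items() if len(ids) > 1}


def migration_differences(pre_rows, post_rows):
    """Join pre- and post-migration masters on customer_id and report every
    non-zero difference (post minus pre) per field. IDs present on only one
    side are returned separately: a record that vanished or appeared during
    migration is an integrity issue the plain join would hide."""
    pre = {r["customer_id"]: r for r in pre_rows}
    post = {r["customer_id"]: r for r in post_rows}
    diffs = {}
    for cid in sorted(pre.keys() & post.keys()):
        delta = {f: Decimal(post[cid][f]) - Decimal(pre[cid][f]) for f in NUMERIC_FIELDS}
        nonzero = {f: d for f, d in delta.items() if d != 0}
        if nonzero:
            diffs[cid] = nonzero
    unmatched = {"only_in_legacy": sorted(pre.keys() - post.keys()),
                 "only_in_cbs": sorted(post.keys() - pre.keys())}
    return diffs, unmatched


if __name__ == "__main__":
    master = parse_dump(CUSTOMER_MASTER)
    for field in NORMALISERS:
        print(field, duplicate_key_test(master, field))
    print(migration_differences(parse_dump(PRE_MIGRATION), parse_dump(POST_MIGRATION)))
```

Decimal is used for the limits and rates so that a migration that rounded 13.00 to 12.999 shows up as a real difference instead of disappearing into float noise.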
  58. UNDERSTANDING OF PROCESS, RISK & CONTROL
  59. LONG FORM AUDIT REPORT: The Long Form Audit Report (LFAR) is a detailed questionnaire formulated by the RBI which auditors are required to answer. It is not a substitute for the statutory report and should not be deemed to be a part of that report. Things to remember: 1. Study the LFAR questionnaire thoroughly. 2. Complete & submit the Auditor's report and the LFAR simultaneously. 3. Comments in the LFAR should be specific and not vague. 4. It should be sufficiently detailed and quantified.
  60. CERTIFICATE ON JILANI COMMITTEE RECOMMENDATIONS: The recommendations relate to the internal control and inspection/audit system in banks and are to be compulsorily implemented by banks. Things to remember: 1. Reply to be made either 'implemented' or 'not implemented'. 2. The form broadly indicates the set-up within banks where action lies in respect of each of the 25 recommendations of the Jilani Committee. Banks can however modify it depending upon the organisation of the inspection/audit set-up in their banks and the demarcation of responsibilities. Illustrative Checklist.
  61. CERTIFICATE ON GHOSH COMMITTEE RECOMMENDATIONS: The recommendations relate to frauds and malpractices in banks. RBI has divided all the recommendations into four groups as under: i. Group A – Recommendations to be implemented immediately by the banks. ii. Group B – Recommendations requiring RBI's approval. iii. Group C – Recommendations requiring approval of the Government of India. iv. Group D – Recommendations requiring further examination. Answers to be given either 'yes' or 'no'. Illustrative Checklist.
  62. CASE STUDIES
  63. Case Study - III: Weakness in Internal Controls. An employee of Yes Bank allegedly forged the signature of one of its clients, prepared a duplicate company seal, changed bank mandates with the forged signatures and seal, and redeemed money invested in mutual funds worth about $137,500, leading to a loss of about 34 lakh to the client. The employee worked as a Relationship Manager in the bank's wealth management division. An ICICI Bank executive has been arrested for stealing almost Rs 50 lakh from the inactive account of an NRI who had died, breaking every rule of professional ethics, ferreting out customer information and manipulating safety procedures. Two of his accomplices were also held.
  64. FACTS & FIGURES
  65. Few Statistics
  66. Average Time Taken to Detect Fraud: 6 months: 30%; 6-12 months: 30%; 12-24 months: 20%; >24 months: 3%; Not disclosed: 17%.
  67. Average Loss per fraud incident: Indian banks lost as much as Rs 17,284 crore during 2012-13 due to fraud, a near four-fold jump over the previous fiscal, ET has found out from information obtained through the Right to Information Act.
  68. Questions
  69. Thank You. Contact: CA Anand Prakash Jangid, T: +91 96202 33516