It has become a complex task, but digitization is helping:
The crisis that Indian banks faced recently in the wake of insurmountable NPAs not only revealed weaknesses in risk management, control and governance processes, but highlighted the need to improve the quality of external audits. Bank auditors have the responsibility of reviewing the procedures and certifying the accuracy and legitimacy of the figures presented. The auditing procedure, a strenuous experience, is one of the most important procedures that must be completed periodically.
In general, auditing in banks involve examination of the banks’ key areas of operations, their systems, possible risk of fraud or misstatement, the various streams of earning and the mechanisms of record keeping. The auditors also examine expense streams, including regulatory expenses, and the recording mechanisms. They are also expected to look at possible errors of human judgment like provision for bad debts or asset capitalization and at key assets and liabilities.
How can complexities that have come up in the concurrent audit, internal audit and statutory audit processes in banks be explained? According to Varghese T.A., senior vice-president and internal auditor at Federal Bank, the challenge for bank auditors now is to ensure that they are no longer auditing the past but are identifying deficiencies in systems/ processes/ controls that may result in a loss (financial or non-financial) to the banks. “Updating the auditors with the latest regulatory / statutory requirements on a real time basis, ensuring they are equipped with requisite skill sets are very important to ensure that the audits meet the expectations,” he adds.
He points out that the traditional banking methods, products and procedures are making way for digital banking and structured financial products. The balance sheet size and complexity of financial statements of the banks are also increasing and at the same time, the number of regulations governing the banking industry is also on the rise and regulators have strengthened their control and surveillance in the context of compliance gaps reported in some of the banks. “As the audit function, at large, is expected to provide independent assurance to the stakeholders (both to the shareholders and to the top management), there is a need for the audit function to streamline its procedures and processes to ensure that audits are contemporary and pro-active and is capable for delivering value to the stakeholders,” says he.
CYBERSECURITY IS PRIME
A spokesperson for Aditya Birla Sun Life AMC feels with the growing digitization of the businesses, cybersecurity emerges as one of the prime considerations in designing of the audit plan. “Fulfillment of regulatory expectations with ever-growing changes in the requirements by the regulator is another area where the auditor’s focus has increased of late. And, to minimize and keep cost at optimal level, organizations are increasingly adopting outsourcing model which has led to emergence of risks associated with thirdparty relationship’” he adds.
“We are slowly moving from sample based audit to 100% audit and continuous monitoring of control rather than on relying on periodic testing of control. Also, with the elimination of physical records and movement of all data on ePlatform keeping confidentiality of data by the outsourced partners including auditors is another challenge faced by the organizations,” he says.
Varghese mentions the various types of audit that banks undertake. “There is risk-based internal audit, information system audit, credit audit, concurrent audit etc. Each type of audit has a different approach and focusses on different areas. Considering the complexity in huge data every bank is handling, more thrust is given for audits on data security/ system upkeep consequent on implementation of the Cyber Security Framework in banks mooted by RBI. Apart from these, offsite surveillance (audit through the system) is done centrally, based on the MIS reports and thematic audits are also conducted for constantly reviewing the end-to-end processes involved in various activities for identifying gaps, suggesting improvements etc.”
He adds: “The audit management solution used in Federal Bank for internal audits has, to a great extent, reduced manual work by providing a central repository of the risks and controls to be examined by the auditors. The automated audit planning based on risk prioritization facilitates generation of customized audit reports, preservation of working papers etc. In the case of statutory audit, we have introduced a utility facilitating centralized data collection with respect to audit report, LFAR, tax audit etc, automated generation of various
reports and follow up of the audit comments through certain audit tools. This has saved considerable time and helped us in collating error-free data for auditors.”
LFAR IS KEY PROCESS
Varghese also explains a distinguishing feature of bank audit, which is LFAR, or Long Form Audit Report. He says it is a detailed questionnaire formulated by the RBI, which is to be answered by the statutory auditors of the bank in addition to the normal statutory audit report. LFAR has gained more significance in the background of computerization and increase in the number of branches and it is a vital tool available to auditors through which they can express their opinion on the operational efficiency of the bank. “This report covers almost all the areas of banking and the compliance with respect to various statutory and regulatory guidelines. This gives a 360-degree view of the entire bank to the regulator,” says he.
Varghese says a structured process is being followed for the appointment (both branch and central auditors) where auditors proposed to be appointed are recommended by the audit committee and the board of directors. Prior approval of RBI is taken before making the appointment, as required under Banking Regulation Act.
“The Enforcement Action Framework in respect of statutory auditors brought about by RBI recently, further acts as an enabler for RBI for denying permission for appointing audit firms as statutory auditors, if material lapses are identified in the statutory audit of commercial banks,” says he.
For AMCs, however, the regulator’s approval is not required for the appointment of a statutory auditor, says the spokesperson for Aditya Birla Sun Life AMC. “Auditors are appointed by the board of trustees of the asset management company,” says he.
He also says statutory auditors are primarily responsible for validating adherence to the SEBI regulations and circulars and the process and procedures to contain risk are largely reviewed by the internal auditors who in case of any findings recommend remedial measures to mitigate the risk.
Varghese says statutory auditors are required to express an opinion on the financial statements, which also require them to evaluate the risk factors. “As per the provisions of section 143(3)(i) of the Companies Act, the Auditor Report shall state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls. This requires the auditor to perform procedures to obtain an understanding of internal financial controls over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal controls based on the assessed risk. The primary responsibility on initiating remedial measures for the risks identified is of the Bank management. However, auditors can supplement the remedial measures taken by the bank with their suggestions,” he adds.
To what level auditing procedures are digitized?
Says Varghese: “Audit can be divided in to two as far as digitization is concerned. First is the audit through the system, where the auditor relies completely on data available in the system and analyzes them with the help of Computer Aided Audit Techniques (CAAT). Second, is the audit performed with a mix of review of Core Banking System/ other MIS where transaction data is stored and audit of the physical documents/ files. Reporting for internal and statutory audits has been centralized. In Federal Bank, for internal audits, we use the software ‘Pentana’, developed by UK-bsed firm Ideagen. Pentana focuses on a process-based audit, which involves assessing the effectiveness of controls designed to mitigate the risks involved in various processes/ activities. The significant functional advantages include standardization of audit process through central repository of checklists, automation of activities associated with audit (audit planning, risk rating etc), Improved scope for analytics based on audit observations etc.
For statutory audit, an online module specifically designed for this purpose, called Saral eAudit is being used, which is a software developed by Relyon Softech. It facilitates centralized data collection with respect to audit report, LFAR, tax audit etc.”
BIG DATA, ANALYTICS
Has big data and analytics impacted the audit process?
Varghese says big data and analytics are crucial in the audit planning phase. Analytics, he says, can indicate trends/ patterns in transactions and this can, to a great extent, help in prioritizing audit resources. However, filtering auditrelevant data from the huge population of data available is a challenge and steps are being explored to address these.
“It is expected that in future, many of the audit procedures, which are repetitive in nature, can be automated and more focus can be given on areas where auditors can exercise their judgment. Also, the present practice of transaction testing on the samples can be replaced with auditing the entire population, using advanced analytical tools,” he emphasizes.
According to the spokesperson of Aditya Birla Sun Life AMC, big data being huge data sets, has its own challenges. However, he is confident at the same time it provides opportunities to use such data for predictive analysis, user behavior analysis etc. “The same is true for audit process also. Adoption of a scientific sampling methodology on the big data and analytics helps in carving out trends, patterns, early warning signals etc. as well as interpretation of the exceptions generated as part of audit,” he adds.
Varghese T.A explains LFAR, a questionnaire framed byRBI, responses to which give a 360-degree view of the bank
Data analytics has become a key tool in auditing in banks