Au­dit­ing prac­tices

It has be­come a com­plex task, but dig­i­ti­za­tion is help­ing:

Banking Frontiers - - News - Mo­[email protected]­ingfron­tiers.com

The cri­sis that In­dian banks faced re­cently in the wake of in­sur­mount­able NPAs not only re­vealed weak­nesses in risk man­age­ment, con­trol and gov­er­nance pro­cesses, but high­lighted the need to im­prove the quality of ex­ter­nal au­dits. Bank au­di­tors have the re­spon­si­bil­ity of re­view­ing the pro­ce­dures and cer­ti­fy­ing the ac­cu­racy and le­git­i­macy of the fig­ures pre­sented. The au­dit­ing pro­ce­dure, a stren­u­ous ex­pe­ri­ence, is one of the most im­por­tant pro­ce­dures that must be com­pleted pe­ri­od­i­cally.

In gen­eral, au­dit­ing in banks in­volve ex­am­i­na­tion of the banks’ key ar­eas of op­er­a­tions, their sys­tems, pos­si­ble risk of fraud or mis­state­ment, the var­i­ous streams of earn­ing and the mech­a­nisms of record keep­ing. The au­di­tors also ex­am­ine ex­pense streams, in­clud­ing reg­u­la­tory ex­penses, and the record­ing mech­a­nisms. They are also ex­pected to look at pos­si­ble er­rors of hu­man judg­ment like pro­vi­sion for bad debts or as­set cap­i­tal­iza­tion and at key as­sets and li­a­bil­i­ties.

COMPEXITIES EX­PLAINED

How can com­plex­i­ties that have come up in the con­cur­rent au­dit, in­ter­nal au­dit and statu­tory au­dit pro­cesses in banks be ex­plained? Ac­cord­ing to Vargh­ese T.A., se­nior vice-pres­i­dent and in­ter­nal au­di­tor at Fed­eral Bank, the chal­lenge for bank au­di­tors now is to en­sure that they are no longer au­dit­ing the past but are iden­ti­fy­ing de­fi­cien­cies in sys­tems/ pro­cesses/ con­trols that may re­sult in a loss (fi­nan­cial or non-fi­nan­cial) to the banks. “Up­dat­ing the au­di­tors with the lat­est reg­u­la­tory / statu­tory re­quire­ments on a real time ba­sis, en­sur­ing they are equipped with req­ui­site skill sets are very im­por­tant to en­sure that the au­dits meet the ex­pec­ta­tions,” he adds.

He points out that the tra­di­tional banking meth­ods, prod­ucts and pro­ce­dures are mak­ing way for dig­i­tal banking and struc­tured fi­nan­cial prod­ucts. The bal­ance sheet size and com­plex­ity of fi­nan­cial state­ments of the banks are also in­creas­ing and at the same time, the num­ber of reg­u­la­tions gov­ern­ing the banking in­dus­try is also on the rise and reg­u­la­tors have strength­ened their con­trol and sur­veil­lance in the con­text of com­pli­ance gaps re­ported in some of the banks. “As the au­dit func­tion, at large, is ex­pected to pro­vide in­de­pen­dent as­sur­ance to the stake­hold­ers (both to the share­hold­ers and to the top man­age­ment), there is a need for the au­dit func­tion to stream­line its pro­ce­dures and pro­cesses to en­sure that au­dits are con­tem­po­rary and pro-ac­tive and is ca­pa­ble for de­liv­er­ing value to the stake­hold­ers,” says he.

CY­BER­SE­CU­RITY IS PRIME

A spokesper­son for Aditya Birla Sun Life AMC feels with the grow­ing dig­i­ti­za­tion of the busi­nesses, cy­ber­se­cu­rity emerges as one of the prime con­sid­er­a­tions in de­sign­ing of the au­dit plan. “Ful­fill­ment of reg­u­la­tory ex­pec­ta­tions with ever-grow­ing changes in the re­quire­ments by the reg­u­la­tor is an­other area where the au­di­tor’s fo­cus has in­creased of late. And, to min­i­mize and keep cost at op­ti­mal level, or­ga­ni­za­tions are in­creas­ingly adopt­ing out­sourc­ing model which has led to emer­gence of risks as­so­ci­ated with third­party re­la­tion­ship’” he adds.

“We are slowly mov­ing from sam­ple based au­dit to 100% au­dit and con­tin­u­ous mon­i­tor­ing of con­trol rather than on re­ly­ing on pe­ri­odic test­ing of con­trol. Also, with the elim­i­na­tion of phys­i­cal records and move­ment of all data on ePlat­form keep­ing con­fi­den­tial­ity of data by the out­sourced part­ners in­clud­ing au­di­tors is an­other chal­lenge faced by the or­ga­ni­za­tions,” he says.

SEV­ERAL PRO­CE­DURES

Vargh­ese men­tions the var­i­ous types of au­dit that banks un­der­take. “There is risk-based in­ter­nal au­dit, in­for­ma­tion sys­tem au­dit, credit au­dit, con­cur­rent au­dit etc. Each type of au­dit has a dif­fer­ent ap­proach and fo­cusses on dif­fer­ent ar­eas. Con­sid­er­ing the com­plex­ity in huge data ev­ery bank is han­dling, more thrust is given for au­dits on data se­cu­rity/ sys­tem up­keep con­se­quent on im­ple­men­ta­tion of the Cy­ber Se­cu­rity Frame­work in banks mooted by RBI. Apart from these, off­site sur­veil­lance (au­dit through the sys­tem) is done cen­trally, based on the MIS re­ports and the­matic au­dits are also con­ducted for con­stantly re­view­ing the end-to-end pro­cesses in­volved in var­i­ous ac­tiv­i­ties for iden­ti­fy­ing gaps, sug­gest­ing im­prove­ments etc.”

He adds: “The au­dit man­age­ment so­lu­tion used in Fed­eral Bank for in­ter­nal au­dits has, to a great ex­tent, re­duced man­ual work by pro­vid­ing a cen­tral repos­i­tory of the risks and con­trols to be ex­am­ined by the au­di­tors. The au­to­mated au­dit plan­ning based on risk pri­or­i­ti­za­tion fa­cil­i­tates gen­er­a­tion of cus­tom­ized au­dit re­ports, preser­va­tion of work­ing papers etc. In the case of statu­tory au­dit, we have in­tro­duced a util­ity fa­cil­i­tat­ing cen­tral­ized data col­lec­tion with re­spect to au­dit re­port, LFAR, tax au­dit etc, au­to­mated gen­er­a­tion of var­i­ous

re­ports and fol­low up of the au­dit com­ments through cer­tain au­dit tools. This has saved con­sid­er­able time and helped us in col­lat­ing er­ror-free data for au­di­tors.”

LFAR IS KEY PROCESS

Vargh­ese also ex­plains a dis­tin­guish­ing fea­ture of bank au­dit, which is LFAR, or Long Form Au­dit Re­port. He says it is a de­tailed ques­tion­naire for­mu­lated by the RBI, which is to be an­swered by the statu­tory au­di­tors of the bank in ad­di­tion to the nor­mal statu­tory au­dit re­port. LFAR has gained more sig­nif­i­cance in the back­ground of com­put­er­i­za­tion and in­crease in the num­ber of branches and it is a vi­tal tool avail­able to au­di­tors through which they can ex­press their opin­ion on the op­er­a­tional ef­fi­ciency of the bank. “This re­port cov­ers al­most all the ar­eas of banking and the com­pli­ance with re­spect to var­i­ous statu­tory and reg­u­la­tory guide­lines. This gives a 360-de­gree view of the en­tire bank to the reg­u­la­tor,” says he.

Vargh­ese says a struc­tured process is be­ing fol­lowed for the ap­point­ment (both branch and cen­tral au­di­tors) where au­di­tors pro­posed to be ap­pointed are rec­om­mended by the au­dit com­mit­tee and the board of di­rec­tors. Prior ap­proval of RBI is taken be­fore mak­ing the ap­point­ment, as re­quired un­der Banking Reg­u­la­tion Act.

“The En­force­ment Ac­tion Frame­work in re­spect of statu­tory au­di­tors brought about by RBI re­cently, fur­ther acts as an en­abler for RBI for deny­ing per­mis­sion for ap­point­ing au­dit firms as statu­tory au­di­tors, if ma­te­rial lapses are iden­ti­fied in the statu­tory au­dit of com­mer­cial banks,” says he.

For AMCs, how­ever, the reg­u­la­tor’s ap­proval is not re­quired for the ap­point­ment of a statu­tory au­di­tor, says the spokesper­son for Aditya Birla Sun Life AMC. “Au­di­tors are ap­pointed by the board of trus­tees of the as­set man­age­ment com­pany,” says he.

RISK CON­TAIN­MENT

He also says statu­tory au­di­tors are pri­mar­ily re­spon­si­ble for val­i­dat­ing ad­her­ence to the SEBI reg­u­la­tions and cir­cu­lars and the process and pro­ce­dures to con­tain risk are largely re­viewed by the in­ter­nal au­di­tors who in case of any find­ings rec­om­mend re­me­dial mea­sures to mit­i­gate the risk.

Vargh­ese says statu­tory au­di­tors are re­quired to ex­press an opin­ion on the fi­nan­cial state­ments, which also re­quire them to eval­u­ate the risk fac­tors. “As per the pro­vi­sions of sec­tion 143(3)(i) of the Com­pa­nies Act, the Au­di­tor Re­port shall state whether the com­pany has ad­e­quate in­ter­nal fi­nan­cial con­trols sys­tem in place and the op­er­at­ing ef­fec­tive­ness of such con­trols. This re­quires the au­di­tor to per­form pro­ce­dures to ob­tain an un­der­stand­ing of in­ter­nal fi­nan­cial con­trols over fi­nan­cial re­port­ing, as­sess­ing the risk that a ma­te­rial weak­ness ex­ists, and test­ing and eval­u­at­ing the de­sign and op­er­at­ing ef­fec­tive­ness of in­ter­nal con­trols based on the as­sessed risk. The pri­mary re­spon­si­bil­ity on ini­ti­at­ing re­me­dial mea­sures for the risks iden­ti­fied is of the Bank man­age­ment. How­ever, au­di­tors can sup­ple­ment the re­me­dial mea­sures taken by the bank with their sug­ges­tions,” he adds.

DIG­I­TI­ZA­TION

To what level au­dit­ing pro­ce­dures are dig­i­tized?

Says Vargh­ese: “Au­dit can be di­vided in to two as far as dig­i­ti­za­tion is con­cerned. First is the au­dit through the sys­tem, where the au­di­tor re­lies com­pletely on data avail­able in the sys­tem and an­a­lyzes them with the help of Com­puter Aided Au­dit Tech­niques (CAAT). Sec­ond, is the au­dit per­formed with a mix of re­view of Core Banking Sys­tem/ other MIS where trans­ac­tion data is stored and au­dit of the phys­i­cal doc­u­ments/ files. Re­port­ing for in­ter­nal and statu­tory au­dits has been cen­tral­ized. In Fed­eral Bank, for in­ter­nal au­dits, we use the soft­ware ‘Pen­tana’, de­vel­oped by UK-bsed firm Ideagen. Pen­tana fo­cuses on a process-based au­dit, which in­volves as­sess­ing the ef­fec­tive­ness of con­trols de­signed to mit­i­gate the risks in­volved in var­i­ous pro­cesses/ ac­tiv­i­ties. The sig­nif­i­cant func­tional ad­van­tages in­clude stan­dard­iza­tion of au­dit process through cen­tral repos­i­tory of check­lists, au­toma­tion of ac­tiv­i­ties as­so­ci­ated with au­dit (au­dit plan­ning, risk rat­ing etc), Im­proved scope for an­a­lyt­ics based on au­dit ob­ser­va­tions etc.

For statu­tory au­dit, an on­line mod­ule specif­i­cally de­signed for this pur­pose, called Saral eAu­dit is be­ing used, which is a soft­ware de­vel­oped by Re­lyon Softech. It fa­cil­i­tates cen­tral­ized data col­lec­tion with re­spect to au­dit re­port, LFAR, tax au­dit etc.”

BIG DATA, AN­A­LYT­ICS

Has big data and an­a­lyt­ics im­pacted the au­dit process?

Vargh­ese says big data and an­a­lyt­ics are cru­cial in the au­dit plan­ning phase. An­a­lyt­ics, he says, can in­di­cate trends/ pat­terns in trans­ac­tions and this can, to a great ex­tent, help in pri­or­i­tiz­ing au­dit re­sources. How­ever, filtering au­ditrel­e­vant data from the huge pop­u­la­tion of data avail­able is a chal­lenge and steps are be­ing ex­plored to ad­dress these.

“It is ex­pected that in fu­ture, many of the au­dit pro­ce­dures, which are repet­i­tive in na­ture, can be au­to­mated and more fo­cus can be given on ar­eas where au­di­tors can ex­er­cise their judg­ment. Also, the present prac­tice of trans­ac­tion test­ing on the sam­ples can be re­placed with au­dit­ing the en­tire pop­u­la­tion, us­ing ad­vanced an­a­lyt­i­cal tools,” he em­pha­sizes.

Ac­cord­ing to the spokesper­son of Aditya Birla Sun Life AMC, big data be­ing huge data sets, has its own chal­lenges. How­ever, he is con­fi­dent at the same time it pro­vides op­por­tu­ni­ties to use such data for pre­dic­tive anal­y­sis, user be­hav­ior anal­y­sis etc. “The same is true for au­dit process also. Adop­tion of a sci­en­tific sam­pling method­ol­ogy on the big data and an­a­lyt­ics helps in carv­ing out trends, pat­terns, early warn­ing sig­nals etc. as well as in­ter­pre­ta­tion of the ex­cep­tions gen­er­ated as part of au­dit,” he adds.

Vargh­ese T.A ex­plains LFAR, a ques­tion­naire framed byRBI, re­sponses to which give a 360-de­gree view of the bank

Data an­a­lyt­ics has be­come a key tool in au­dit­ing in banks

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.