Control System And Bank Audit

INTRODUCTION
BANK AND CONTROL AUDITING BANK AUDIT

INTRODUCTION TO BANK AND CONTROL SYSTEM


BANKING: Banking has been defined in section 5 of the act as the accepting, for the purpose of lending or investment, of deposits of money from the public, repayable on demand or otherwise, and withdrawable by cheque, draft, order or otherwise. A Banking company or a Bank means any company which transacts the business of banking in India, and includes a foreign company engaged in the business of banking in India.

There are four types of banking institutions in India. These are:

1) Commercial banks
Commercial banks are the most prevalent banking institutions in India. Commercial banks operating in India can be divided into two categories based on their ownership: public sector and private sector banks.

2) Regional rural banks (RRBs)
RRBs have been established with a view to developing the rural economy by providing credit and other facilities, particularly to the farmers.

3) Co-operative banks
Co-operative banks are the banks in the co-operative sector, which cater predominantly to the needs of the farming and allied sectors. Co-operative banks include central co-operative banks, state co-operative banks, primary co-operative banks and land development banks.

4) Development banks
Development banks were started for providing only long-term finance for development purposes; they are also referred to as term-lending institutions.

Important features

Banks have the following characteristics, which distinguish them from most other commercial enterprises.

1. They have custody of a large quantum of monetary items, including cash and negotiable instruments, whose physical security has to be ensured. This applies to both the storage and the transfer of monetary items and makes banks vulnerable to misappropriation and fraud. They, therefore, need to establish formal operating procedures, well-defined limits for individual discretion and rigorous systems of internal control.
2. They engage in a large quantum and variety of transactions in terms of both number and value. This therefore requires complex accounting and internal control systems.
3. They generally operate through a wide network of branches and departments which are geographically dispersed.
4. Banks are regulated by governmental authorities, and the resultant regulatory requirements often influence accounting and auditing practices in the banking sector.

Regulatory framework

There is an elaborate regulatory framework governing banks in India. The principal enactments which govern the functioning of various types of banks are:

Banking Regulation Act, 1949
Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970
Banking Companies (Acquisition and Transfer of Undertakings) Act, 1980
SBI Act, 1955
SBI (Subsidiary Banks) Act, 1959
Regional Rural Banks Act, 1976
Companies Act, 1956
Co-operative Societies Act, 1912 or the relevant state Co-operative Societies Act.

INTRODUCTION-an overview of Auditing


Economic decisions in every society must be based upon the information available at the time the decision is made. For example, the decision of a bank to make a loan to a business is based upon previous financial relationships with that business, the financial condition of the company as reflected by its financial statements, and other factors. If decisions are to be consistent with the intention of the decision makers, the information used in the decision process must be reliable. Unreliable information can cause inefficient use of resources to the detriment of the society and of the decision makers themselves. In the lending decision example, assume that the bank makes the loan on the basis of misleading financial statements and the borrower company is ultimately unable to repay. As a result the bank has lost both the principal and the interest. In addition, another company that could have used the funds effectively was deprived of the money.

As a means of overcoming the problem of unreliable information, the decision maker must develop a method of assuring himself that the information is sufficiently reliable for these decisions. In doing this he must weigh the cost of obtaining more reliable information against the expected benefits. A common way to obtain such reliable information is to have some type of verification (audit) performed by independent persons. The audited information is then used in the decision-making process on the assumption that it is reasonably complete, accurate and unbiased.

The word Audit is derived from the Latin word Audire, which means to hear. In olden days, whenever the owners of a business suspected fraud, they appointed an independent and impartial person who used to hear the explanations given by the accountant. Such a person was known as an Auditor. Auditing may be defined as "a careful and critical examination of books of accounts by a properly qualified person on the basis of proper evidence so as to express an opinion (i.e. views) about the truth and fairness of financial statements."

TYPES OF AUDIT

The entire process of audit depends upon the type of audit. The type of audit to be conducted is to be selected carefully, keeping in mind the objects of audit in each and every case. Hence it is essential to study the various types of audit before laying down the programme for any audit work.

CHART SHOWING DIFFERENT CLASSES OF AUDIT

BASED ON AUTHORITY: Statutory Audit, Non-Statutory Audit, Internal Audit

BASED ON SCOPE: Complete Audit, Partial Audit

BASED ON TIME: Continuous Audit, Final Audit, Interim Audit

BASED ON OBJECT: Special Audit, Cost Audit, Management Audit, Social Audit

OTHER TYPES: Balance Sheet Audit, Occasional Audit, Audit In Depth, Cash Audit, Operational Audit

BASED ON AUTHORITY:

1) Statutory Audit
It is the audit which is compulsory under the law. Appointment of auditors, removal, remuneration, rights, duties and liabilities are governed as per the provisions of the respective law applicable to the organisation. Scope of audit work and all other terms are as laid down by the law. It can be conducted only by a qualified Chartered Accountant.

2) Non-Statutory Audit
Non-statutory audits are voluntary audits. These audits are not compulsory under any law. Terms and conditions of audit are determined as per the agreement made between the auditor and the proprietor, e.g. financial audit of a sole trader or partnership firm. It also includes non-financial audits, e.g. internal audit, management audit, operational audit, social audit, etc.

a) Private Audit
The audit which is done for the satisfaction of the owner is called private audit. This type of audit is not compulsory at all. It may be conducted by sole proprietors, partnership firms, family trusts, private trusts, etc. The various types of private audit are:

i) Audit of Sole Proprietor
Audit of the accounts of a sole proprietor is not compulsory. However, he may get his books audited for various reasons. Some of the reasons are:
1) For obtaining loans from banks and financial institutions.
2) For presenting authentic data to income tax and sales tax authorities.
3) For his own satisfaction that his employees have written the books of accounts properly and that there are no frauds and errors.

ii) Audit of partnership firms
1) Under the Partnership Act it is not compulsory to audit the accounts. However, in actual practice it is not only advisable but even necessary to get them audited.
2) It helps to prevent disputes among the partners.
3) It facilitates borrowing from banks.
4) Audited accounts are preferred by income tax and sales tax departments.
5) Audited accounts can be helpful in case of litigation.

3) Internal Audit
This type of audit is also optional. It is conducted by the internal auditor who is appointed by the proprietor. Even an employee of the organisation may be appointed as an internal auditor to examine the books of accounts. All the terms and conditions of audit work are determined by the agreement. The basic purpose of internal audit is not only to examine the books of accounts but also to review the present working and make valuable suggestions to improve it.

BASED ON SCOPE:

1) Complete Audit
In a complete audit the auditor has to check each and every transaction, voucher, document etc. relating to the transactions of the business. This type of audit is not possible in the case of large business organizations.

2) Partial Audit
Sometimes the auditor may be called upon to audit a few books and give his findings thereon. Sometimes he may be called upon to audit only the payment side of the cashbook or the receipts side only. This is called a Partial Audit. The auditor has to be very careful when he undertakes this type of audit. Usually this type of audit is called for when a fraud or misappropriation is suspected. While submitting the report, the auditor should clearly mention the scope and the documents or books made available to him for his audit. Partial audit is not practical. Such an audit is possible where audit is not a legal necessity.

BASED ON TIME:

1) CONTINUOUS AUDIT
One where the auditor, or his staff, is constantly engaged in checking the accounts during the whole period, or where the auditor or his staff attends at regular or irregular intervals during the period. Continuous audit means an audit at regular intervals throughout the accounting year. In continuous audit, accounting and auditing work is done side by side.

(2) FINAL / ANNUAL / PERIODICAL / COMPLETED AUDIT:
Periodic audit is also known as 'final or completed audit'. Final audit is carried out continuously until it is completed. It is a past accounts audit. In the case of a final audit, the auditor gets hold of all the books of accounts and the vouchers for the accounting period. He is in possession of all the facts and figures relating to the accounting period for which the audit is being conducted. In the case of this audit, the auditor visits the client's place only once and remains there till the audit is over. Generally this type of audit is appropriate for smaller business concerns. Generally the majority of audits are in the nature of Final Audits.

(3) INTERIM AUDIT:
It is a kind of audit which is conducted in between the annual or final audits. It is conducted to find out the interim profit and to know the financial position at the end of a part of the accounting year. This is usually carried out at half-yearly intervals. Hence, this is also called half-yearly audit.

BASED ON OBJECT:

1) SPECIAL AUDIT
Under section 233 A of the Companies Act, the central government has power to direct a special audit under the following circumstances:
a) When the affairs of any company are not managed as per sound business principles.
b) When the financial position of the company is such as to endanger its solvency.
c) When the company is being managed in a manner which is likely to cause serious injury or damage to the interest of trade or industry.
The auditor appointed by the government is required to report to the government.

2) COST AUDIT
It is a type of audit which involves verification of cost records maintained by the organisation. Under section 233 B of the Companies Act, 1956, the central government may direct an audit of cost records by a person who is qualified. Appointment of the auditor is done by the board of directors subject to the approval of the central government. The auditor reports

to the government, and a copy of the report is sent to the company. It has been defined as the verification of the correctness of cost accounts and of adherence to the cost accounting plan.

3) Management audit
Management auditing is concerned with review of the operations and performance of management to improve the efficiency and effectiveness of the organisation. It is, thus, an extension of the internal audit function. Some authors use the terms management auditing and operational auditing interchangeably because of the close resemblance of the methodology employed. But it may be noted that, although operational auditing is also concerned with review of the operations of an entity, management auditing, in addition, also includes review of managerial performance. Secondly, the frame of reference of a management audit is derived, generally, from the expectations of the external participants and not of the organisation's management as in the case of operational auditing.

4) Social audit
Social audit is a recent development in the field of audit; it is based on the modern concept of the social responsibility of business. Social audit examines to what extent the business is discharging its social responsibilities. It examines the contribution of the concern to the society at large.

Other types:

1) Balance sheet Audit
Balance sheet audit is of recent origin. It has acquired popularity in the U.S.A. As the very name suggests, balance sheet audit consists of verification of all the items appearing in the balance sheet, such as assets, capital, reserves and liabilities of the business. Under balance sheet audit, the auditor commences the audit on the basis of the balance sheet, and he works back to the books of original entry and other evidences. Though balance sheet audit concentrates mainly on balance sheet items, it also includes an examination of those transactions which appear in the Profit and Loss Account, because the balance of the Profit and Loss Account appears in the balance sheet. Thus, in balance sheet audit all the items contained in the balance sheet and other related or allied items are verified completely. The auditor will check up general ledger also

(2) Occasional audit
This type of audit is carried out occasionally as per the need of the business. It is applicable to proprietary concerns such as sole traders and partnerships; it is just a need-based audit. It is conducted at the desire of the owner of the business. This type of audit is not possible in the case of a Joint Stock Company, as the annual audit is compulsory as provided in the Companies Act, 1956.

(3) Audit in Depth
Under this type of audit, the auditor thoroughly examines selected transactions right from their origin to their conclusion. All records and documents pertaining to the transactions are checked in detail. The basic purpose of this type of audit is to check whether the system of internal check or control system is effective. This type of audit enables the auditor to suggest to the management a better procedure for recording the transactions so as to avoid any loopholes for committing frauds.

4) Cash Audit
Here the auditor examines only cash transactions. He examines cash receipts and cash payments. Cash transactions are checked with the help of receipts, vouchers and other evidences. The receipts and payments may be capital or revenue in nature.

5) Operational Audit
Operational audit goes beyond financial audit. It is conducted to see that the business operations are improved in future. It guides the management in achieving organizational objectives.

INTRODUCTION TO BANK AUDIT


Bank audit is a time-bound exercise and it is full of challenges and responsibilities. For those who approach this exercise with scientific methods and proper planning The auditor has very limited options as far as the availability of time is concerned; therefore, the only option he has is to carry out the audit in a very scientific manner so that he is able to conduct a purposeful audit in the limited time.

Generally, the appointment letters are received in the second or third week of March, and the auditors are expected to commence the audit in the first week of April and to complete the audit, in one visit and in all respects, by the end of the second week of April. Therefore, the time available for the completion of the audit in all respects is generally in the range of 4-5 days to a maximum of a week or 10 days, irrespective of the size of the branch, the volume of business and the nature of activities. The banks are taking effective measures to address this issue, and some banks have allowed the auditors of large and very large branches to visit the respective branches before the close of the year. Such visits help the auditors to gather a lot of first-hand information and insight about the branch and its business profile, performance, NPA profile, client profile, level of computerization, etc.

Generally, banks circulate detailed closing instructions to the branches and the auditors well in advance. It is important to review the instructions and to incorporate the significant instructions in the audit plan/programme/checklist. With the latest information available at the touch of a button, it is very important to keep up to date with the significant developments in the banking sector and to incorporate all the significant developments in the audit programme/checklist.

As the concept of Peer Review is already in place, it is important that, while carrying out the attest function, due emphasis is given to the Auditing & Assurance Standards and other pronouncements of the Institute. Apart from this, it is also important to preserve all the required documents/representations etc. for future reference.

Appointment of Auditor

The auditor of a banking company is to be appointed at the AGM of the shareholders; the auditor of a nationalised bank is to be appointed by the bank concerned acting through its Board of Directors. In either case, approval of the Reserve Bank is required before the appointment is made. The auditors of the SBI are to be appointed by the RBI in consultation with the Central Government. The auditors of the subsidiaries of the SBI are to be appointed by the SBI. The auditors of RRBs are to be appointed by the bank concerned with the approval of the Central Government. As mentioned earlier, the SBI Act, 1955, specifically provides for appointment of two or more auditors. Besides, nationalised banks and subsidiaries of SBI also generally appoint two or more firms as joint auditors.

Remuneration of Auditor

The remuneration of the auditor of a banking company is to be fixed in accordance with the provisions of section 224 of the Companies Act, 1956 (i.e., by the company in general meeting or in such manner as the company in general meeting may determine). The remuneration of auditors of nationalised banks and SBI is to be fixed by the RBI in consultation with the Central Government. The remuneration of auditors of subsidiaries of SBI is to be fixed by the latter. In the case of RRBs, the auditors' remuneration is to be determined by the bank concerned with the approval of the Central Government.

Powers of Auditor

The auditor of a banking company or of a nationalised bank, SBI, a subsidiary of SBI or a regional rural bank has the same powers as those of a company auditor in the matter of access to the books, accounts, documents and vouchers. He is also entitled to require from the officers of the bank such information and explanations as he may think necessary for the performance of his duties. In the case of a banking company, he is entitled to receive notice relating to any general meeting. He is also entitled to attend any general meeting and to be heard thereat on any part of the business which concerns him as auditor.

It may be noted that the Regional Rural Banks Act, 1976, does not contain any provisions relating to audit of branches. Accordingly, in the case of such banks, audit of branches is also carried out by the auditors appointed for the bank as a whole.

AUDIT (Legal provisions)

The provisions of section 30 of the Banking Regulation Act relating to audit apply to the banking companies. Sub-sections (1B), (1C) and (2) also apply to nationalized banks, regional rural banks and the State Bank of India and its subsidiaries. Section 30 reads as below:

(1) The balance sheet and profit and loss account prepared in accordance with section 29 shall be audited by a person duly qualified under any law for the time being in force to be an auditor of companies.

(1-A) Notwithstanding anything contained in any law for the time being in force or in any contract to the contrary, every banking company shall, before appointing, reappointing or removing any auditors, obtain the previous approval of the Reserve Bank.

(2) The auditor shall have the powers of, exercise the functions vested in, and discharge the duties and be subject to the liabilities and penalties imposed on, auditors of companies by section 227 of the Companies Act, 1956 and auditors, if any, appointed by the law establishing, constituting or forming the banking company concerned.

(3) In addition to the matters which, under the aforesaid Act, the auditor is required to state in his report,
(a) Whether or not the information and explanations required by him have been found to be satisfactory;
(b) Whether or not the transactions of the company which have come to his notice have been within the powers of the company;
(c) Whether or not the returns received from branch offices of the company have been found adequate for the purposes of his audit;
(d) Whether the profit & loss account shows a true balance of profit or loss for the period covered by such account;
(e) Any other matter which he considers should be brought to the notice of the shareholders of the company.

CONTROL SYSTEMS

BANKING REGULATION ACT, 1949
CORPORATE GOVERNANCE
GHOSH COMMITTEE RECOMMENDATIONS
AUDITING & ASSURANCE STANDARDS (AAS)

Controls and Regulations (Banking Regulation Act, 1949)


CAPITAL RESERVES

Section 11 of the Banking Regulation Act lays down the requirements regarding the minimum paid-up share capital and reserves of banking companies. Similar requirements in the case of cooperative banks are laid down in section 56(h). These provisions are not applicable to rural banks, nationalised banks, and the State Bank of India and its subsidiaries.

Under section 12(1), the subscribed capital of a banking company should not be less than one-half of its authorized capital, and the paid-up capital not less than one-half of the subscribed capital. If the capital is increased, it should comply with these conditions within a stipulated time period. Further, the capital of a banking company should consist of ordinary shares alone, the only exception being in the case of preference shares issued prior to July 1, 1944. These provisions do not apply to a banking company incorporated before January 15, 1937 or to a nationalised bank, a regional rural bank, a cooperative bank, and the State Bank of India and its subsidiaries.

A banking company incorporated outside India is required to deposit with the Reserve Bank, in the form of cash and/or approved securities, (a) an amount not less than the minimum paid-up capital and reserves as prescribed under section 11(2) of the Banking Regulation Act (1949), and (b) an amount equal to 20 percent of its profits for each year in respect of all business transacted through its branches in India. However, the central government may, on the recommendation of the Reserve Bank, exempt a banking company from these requirements for a specified period, having regard to the adequacy of the total amounts deposited by it with the Reserve Bank in relation to its deposit liabilities.

Restriction on commission, brokerage, discount, etc. on sale of shares.

Notwithstanding anything to the contrary contained in Secs. 76 and 79 of the Companies Act, 1956 (1 of 1956), no banking company shall pay out directly or indirectly by way of commission, brokerage, discount or remuneration in any form in respect of any shares issued by it, any amount exceeding in the aggregate two and one-half per cent. of the paid-up value of the said shares.

Restrictions as to payment of dividend.

(1) No banking company shall pay any dividend on its shares until all its capitalised expenses (including preliminary expenses, organization expenses, share-selling commission, brokerage, amounts of losses incurred and any other item of expenditure not represented by tangible assets) have been completely written off.

(2) Notwithstanding anything to the contrary contained in sub-section (1) or in the Companies Act, 1956 (1 of 1956), a banking company may pay dividends on its shares without writing off
(i) The depreciation, if any, in the value of its investments in approved securities in any case where such depreciation has not actually been capitalized or otherwise accounted for as a loss;
(ii) The depreciation, if any, in the value of its investments in shares, debentures or bonds (other than approved securities) in any case where adequate provision for such depreciation has been made to the satisfaction of the auditor of the banking company;
(iii) The bad debts, if any, in any case where adequate provision for such debts has been made to the satisfaction of the auditor of the banking company.

Reserve Fund.

(1) Every banking company incorporated in India shall create a reserve fund and shall, out of the balance of profit of each year as disclosed in the profit and loss account prepared under Sec. 29 and before any dividend is declared, transfer to the reserve fund a sum equivalent to not less than twenty per cent. of such profit.

(2) Where a banking company appropriates any sum or sums from the reserve fund or the share premium account, it shall, within twenty-one days from the date of such appropriation, report the fact to the Reserve Bank, explaining the circumstances relating to such appropriation: Provided that the Reserve Bank may, in any particular case, extend the said period of twenty-one days by such period as it thinks fit or condone any delay in the making of such report.

Cash reserve.

Every banking company, not being a scheduled bank, shall maintain in India by way of cash reserve with itself or by way of balance in a current account with the Reserve Bank or by way of net balance in current accounts or in one or more of the aforesaid ways, a sum equivalent to at least three percent of the total of its demand and time liabilities in India as on the last Friday of the second preceding fortnight, and shall submit to the Reserve Bank before the twentieth day of every month a return showing the amount so held on alternate Fridays during a month with particulars of its demand and time liabilities in India on such Fridays or, if any such Friday is a public holiday under the Negotiable Instruments Act, 1881 (26 of 1881), at the close of business on the preceding working day.

Restrictions on loans and advances.

(1) Notwithstanding anything to the contrary contained in Sec. 77 of the Companies Act, 1956 (1 of 1956), no banking company shall,
(a) Grant any loans or advances on the security of its own shares, or
(b) Enter into any commitment for granting any loan or advance to or on behalf of
(i) Any of its directors,
(ii) Any firm in which any of its directors is interested as partner, manager, employee or guarantor, or
(iii) Any company (not being a subsidiary of the banking company or a company registered under Sec. 25 of the Companies Act, 1956 (1 of 1956), or a Government company) of which, or the subsidiary or the holding company of which, any of the directors of the banking company is a director, managing agent, manager, employee or guarantor or in which he holds substantial interest, or
(iv) Any individual in respect of whom any of its directors is a partner or guarantor.

(2) Where any loan or advance granted by a banking company is such that a commitment for granting it could not have been made if Cl. (b) of sub-section (1) had been in force on the date on which the loan or advance was made, or is granted by a banking company after the commencement of Sec. 5 of the Banking Laws (Amendment) Act, 1968 (58 of 1968), but in pursuance of a commitment entered into before such

commencement, steps shall be taken to recover the amounts due to the banking company on account of the loan or advance together with interest, if any, due thereon within the period stipulated at the time of the grant of the loan or advance or, where no such period has been stipulated, before the expiry of one year from the commencement of the said Sec. 5.

(3) No loan or advance referred to in sub-section (2), or any part thereof, shall be remitted without the previous approval of the Reserve Bank, and any remission without such approval shall be void and of no effect.

(4) Where any loan or advance referred to in sub-section (2), payable by any person, has not been repaid to the banking company within the period specified in that sub-section, then such person shall, if he is a director of such banking company on the date of the expiry of the said period, be deemed to have vacated his office as such on the said date.

CONTROL OVER MANAGEMENT

36-AA. Power of Reserve Bank to remove managerial and other persons from office.

(1) Where the Reserve Bank is satisfied that in the public interest or for preventing the affairs of a banking company being conducted in a manner detrimental to the interests of the depositors or for securing the proper management of any banking company it is necessary so to do, the Reserve Bank may, for reasons to be recorded in writing, by order remove from office, with effect from such date as may be specified in the order, any chairman, director, chief executive officer (by whatever name called) or other officer or employee of the banking company.

(2) No order under sub-section (1) shall be made unless the chairman, director or chief executive officer or other officer or employee concerned has been given a reasonable opportunity of making a representation to the Reserve Bank against the proposed order: Provided that if, in the opinion of the Reserve Bank, any delay would be detrimental to the interests of the banking company or its depositors, the Reserve Bank may, at the time of giving the opportunity aforesaid or at any time thereafter, by order direct that, pending the consideration of the representation aforesaid, if any, the chairman or, as the case may be, director or chief executive officer or other officer or employee shall not, with effect from the date of such order,
(a) act as such chairman or director or chief executive officer or other officer or employee of the banking company;

(b) in any way, whether directly or indirectly, be concerned with, or take part in the management of, the banking company.

(3) If any person in respect of whom an order is made by the Reserve Bank under sub-section (1) or under the proviso to sub-section (2) contravenes the provisions of this section, he shall be punishable with fine which may extend to two hundred and fifty rupees for each day during which such contravention continues.

(4) Any person appointed as chairman, director or chief executive officer or other officer or employee under this section shall
(a) Hold office during the pleasure of the Reserve Bank and subject thereto for a period not exceeding three years or such further periods not exceeding three years at a time as the Reserve Bank may specify;
(b) Not incur any obligation or liability by reason only of his being a chairman, director or chief executive officer or other officer or employee or for anything done or omitted to be done in good faith in the execution of the duties of his office or in relation thereto.

(5) Notwithstanding anything contained in any law or in any contract, memorandum or articles of association, on the removal of a person from office under this section that person shall not be entitled to claim any compensation for the loss or termination of office.

Power to inspect.

(1) The Reserve Bank shall, on being directed so to do by the Central Government or by the High Court, cause an inspection to be made by one or more of its officers of a banking company which is being wound up and its books and accounts.

(2) On such inspection, the Reserve Bank shall submit its report to the Central Government and the High Court.

(3) If the Central Government, on consideration of the report of the Reserve Bank, is of opinion that there has been a substantial irregularity in the winding-up proceedings, it may bring such irregularity to the notice of the High Court for such action as the High Court may think fit.


CORPORATE GOVERNANCE:
Good corporate governance is the only alternative available before the Indian corporate sector, and more particularly before banks in both the commercial and co-operative sectors, to come at par with international standards. But some serious thought has to be given to bringing a certain amount of norm into the governance of the country's political system.

Corporate governance has been defined in different ways by different thinkers and experts. According to Nobel Laureate Milton Friedman, "Corporate Governance is to conduct the business in accordance with owner or shareholders' desires, which generally will be to make as much money as possible, while conforming to the basic rules of the society embodied in law and local customs". This definition is narrow in scope as it gives more importance to the owners' stake. Over a period of time, with fast developments in the world, the scope of corporate governance has widened. It now encompasses the interest of not only the owners but also many other stakeholders.

The OECD experts have defined "Corporate Governance as the system by which corporations are directed and controlled. The corporate governance specifies the distribution of rights and responsibilities among different parties in the corporation, such as, the Board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs."

In simple words, corporate governance is not just profit making, but behaving responsibly, protecting the environment, promoting healthy competition and preventing net worth erosion. Corporate governance cannot be explained by a set of hard and fast rules or standards. The crux of corporate democracy lies in accountable business leadership. Its main aim is to maintain a balance between economic and social goals and between individual and commercial goals. According to Mr. J. Wolfensohn, President, World Bank, "Corporate Governance is about promoting corporate fairness, transparency and accountability".


HISTORICAL BACKGROUND:
The emergence of modern corporate governance is traced back to the Watergate Scandal in the USA. At that time, on investigation, the U.S. regulatory and legislative bodies were able to highlight control failures that had allowed several major corporations to make illegal political contributions and to bribe government officials. As a consequence, the Foreign and Corrupt Practices Act of 1977 was introduced in the USA, which contained specific provisions regarding the establishment, maintenance and review of a system of internal controls. Thereafter, a number of other measures were initiated for internal financial controls, and the most important was the Treadway Commission after the collapse of Savings and Loans in the USA. The Treadway Commission submitted its report in 1987 and stressed the need for a proper control environment, independent audit committees and an objective Internal Audit Function.

The corporate world in India cannot remain indifferent to developments around the world. The collapse of the South East Asian economies in 1997 made corporate governance a very vital issue for the corporate world. With the fast growth of an economy, corruption is bound to emerge and it is considered a part of a growing economy. In developing countries, the resources have to be prioritized as required by the policy makers. Corruption and economic development cannot go hand in hand. If a country is considered to be corrupt, it may not attract foreign investment. Good corporate governance is important for running a business on sound ethical values. In the words of Mr. Deepak Parekh, ethics means "Not doing a thing one would be ashamed of if it becomes public".

The only good governance available in the banking sector was the ground rules and Code of Ethics known as G R A C E, induction of professional directors, redressal of customer complaints through the Ombudsman and functioning of the Audit Committee of the Board. The banks enjoyed full protection. They were not exposed to any competition and there was hardly any concept of transparency and accountability. This became a breeding ground for malpractices and led to inefficiency. Due to economic compulsions and pressure, the Government of India was compelled to open the Indian economy and introduce prudential accounting norms, as suggested by the Narasimham Committee in its report submitted to RBI in 1990. A new challenge emerged, which led to reform in the Indian banking system so as to bring it at par with international standards as required under BIS norms.

CRITICAL ISSUES:
Apart from the emerging challenges, a few issues having policy implications continue to remain shrouded in controversy. Primarily, they relate to the following areas:
a) Government ownership: Government ownership of the banking sector creates a number of problems for RBI as the regulator. The problems are particularly complex because the government often acts as quasi-regulator. Therefore, it has to be decided whether good governance is compatible with government ownership.
b) Checks and balances: In India, in most banks, the Chairman and CEO positions are combined. This may create concentration of power in a single individual. It has been suggested that the roles of the Chairman and CEO be separated.
c) RBI and Government nominee directors: Whether RBI can effectively perform its role as supervisor when it is also represented on the board through its nominee director, which may lead to conflict of interest with its regulatory function. More so, since the nominees of RBI and the government are treated as superior to other directors.
d) Sectoral representation: Considering the current trend of liberalization, the reorientation given to various interest groups in the board for protection of their sectional economic interests may have to be reviewed.
e) Quality and proportion of non-executive directors: Only individuals of proven professional competence and experience and with special insight into specific economic activities may be appointed as non-executive directors. The optimum proportion of executive and non-executive directors continues to be a matter of debate.
f) Delay in filling up vacancies in the board: In many cases there is a long delay in filling up the vacancies in the board, which cripples its efficient functioning.
g) Ceiling on number of members in board: The size of the board should not be so unwieldy as to hamper its cohesiveness.
h) Disparities in remuneration of whole-time directors: Normally, the whole-time directors of PSU banks are remunerated very poorly compared to their private sector counterparts. A proper framework should also be developed for remuneration of non-executive directors.

SPECIAL PROVISIONS GOVERNING:

NATIONALISED BANKS
The fourteen nationalized banks (nationalized in 1970) are governed by the provisions of the Banking Companies (Acquisitions and Transfer of Undertakings) Act, 1970. This act provided for the nationalization of fourteen major banking companies. A similar Act was passed in 1980, which provided for the nationalization of another six banking companies. Many provisions of the Banking Regulation Act also apply to the nationalized banks.

REGIONAL RURAL BANKS
A regional rural bank is set up under the sponsorship of an existing bank, by the central government. The sponsor bank means an existing bank which agrees to subscribe to the share capital of the regional rural bank, recruit and train its personnel for the first five years, and provide managerial and financial assistance. The regional rural bank is a body corporate with perpetual succession and a common seal.

CO-OPERATIVE BANKS
Part V of the Banking Regulation Act (1949) specifies the extent to which this act is applicable to co-operative banks, i.e. co-operative societies carrying on the functions of banking. Certain provisions of the Banking Regulation Act have been modified in their application to the co-operative banks, while certain others have been omitted. The third schedule to the act, which lays down the form of the balance sheet and profit & loss account for other banks, has been modified to a large extent in its application to the co-operative banks.


GHOSH COMMITTEE RECOMMENDATIONS


Each entry below gives the recommendation number (Rec. No.), the recommendation as summarized by RBI, and the action points/audit considerations.

Rec. No. 1.2
Recommendation as summarized by RBI: Precautions against theft of cash - staff should not indulge in conversation/answering queries, but direct such persons to Enquiry Counter only.
Action Points/Audit considerations: Except in large branches, enquiry counters are not established in the branches. Some banks may have a practice of allotting 'May I Help You' duties to one of the employees, other than the cashier. What is expected is that the cashier functions only from his allotted cash cabin and not from any other open desk. The auditor during his stay may observe that the cashier does not indulge in conversation, including with staff, while he is in the cash counter, and that the public are not approaching the cashier for enquiry.

Rec. No. 1.7
Recommendation as summarized by RBI: Precautions against misusing banking channels for tax evasion. POs/TCs in excess of Rs. 50,000/- should be by way of debit to the constituent's account and not by cash. Doubtful cases should be reported to higher authorities.
Action Points/Audit considerations: To prevent the violation of fiscal laws, RBI has advised the banks that Pay Orders, Demand Drafts, MTs, TTs and Traveller's cheques for Rs. 50,000/- and above should be issued only by debit to the account of the constituent, and payment of such instruments should be by way of credit to the account of the constituent; cash transactions should not be allowed.

Rec. No. 1.8
Recommendation as summarized by RBI: Periodical reporting of deposits/withdrawals from currency chest to the issue department of RBI.
Action Points/Audit considerations: This recommendation is applicable to branches having currency chests attached to them. The auditor should examine that:
(a) Deposits/withdrawals into currency chests are accounted on the same day.
(b) These transactions are reported in the prescribed format (TE-II) to RBI on the same day.

Rec. No. 3.4
Recommendation as summarized by RBI: Precautions for averting frauds in areas of letters of credit, issue of guarantees and co-acceptance facilities.
Action Points/Audit considerations: The RBI vide its Cir. No. DBOD. No. GC. SIC. BC. 97/C.408(A)-83 dated 26-11-1983 has advised the banks to follow the following precautions for opening LCs, issuing BGs and co-acceptance of bills:
(a) LC and BG facilities should be given only to customers having regular credit facilities, and if the customers do not have regular credit facilities, the proposal should be appraised like any other credit proposal.
(b) Before establishing an LC, the bank should examine the financial position of the customer and his ability to meet the required funds for retirement of bills on presentation.
(c) The bank should obtain suitable margin and other security.
(d) If the customer is enjoying credit facilities or has an account with other banks, an LC should not be opened without reference to and concurrence of such other bank.
(e) An LC should not be established on the guarantee of another bank.
(f) For a performance guarantee, the bank should examine the capacity and means to perform the obligation under the guarantee.
(g) With respect to co-acceptance of bills, the following guidelines are given by RBI:
i) The need for sanctioning such a facility should be thoroughly examined and it should be sanctioned only to customers having other credit facilities.
ii) Only genuine trade bills are to be co-accepted; it should be ensured that the stocks covered by the bills are reflected in the stock statements of the customer.
iii) Accommodation bills, house bills and bills of group concerns should not be co-accepted.
iv) Proper records are to be maintained for recording the bills co-accepted.
v) The powers to co-accept bills beyond certain limits must be exercised by two officers jointly.

Rec. No. 8.14
Recommendation as summarized by RBI: Monthly certificate of assisted units and on stocks pledged/hypothecated to bank.
Action Points/Audit considerations: The RBI vide its circular No. DBOD. No. Com. BC. 28/C.408(A)-81 dated 23-02-1981 has advised the banks to lay down a system of submitting periodical returns/certificates to the controlling offices, say monthly, containing information to show the name of the borrowers, limits sanctioned, short description and value of the securities charged to the bank, date of inspection thereof, names and signatures of the officials who carried out the inspection, as also serious defects, if any, observed by the officials during such inspection. The auditor should examine whether the branch is submitting such a return to the controlling office every month.

Rec. No. 9.10
Recommendation as summarized by RBI: Fraud cases up to Rs. 25,000/- having involvement of an insider should not be reported to Police, where the recovery is not doubtful.
Action Points/Audit considerations: With a view to expedite cases and award of punishments, the Committee desired that where a fraud for an amount not exceeding Rs. 25,000/- involving an employee of the bank is detected, and the recovery of the amount is not in doubt, the matter should not be reported to the police.


AUDITING AND ASSURANCE STANDARD (AAS) XX:


The auditor should obtain an understanding of internal control relevant to the audit. The auditor uses the understanding of internal control to identify types of potential misstatements, consider factors that affect the risks of material misstatement, and design the nature, timing, and extent of further audit procedures. Internal control relevant to the audit is discussed below. Internal control consists of the following components:
(a) The control environment.
(b) Control activities.
(c) Monitoring of controls.

Controls Relevant to the Audit

1) There is a direct relationship between an entity's objectives and the controls it implements to provide reasonable assurance about their achievement. The entity's objectives, and therefore controls, relate to financial reporting, operations and compliance; however, not all of these objectives and controls are relevant to the auditor's risk assessment.

2) Ordinarily, controls that are relevant to an audit pertain to the entity's objective of preparing financial statements for external purposes that give a true and fair view (or are presented fairly, in all material respects) in accordance with the applicable financial reporting framework and the management of risk that may give rise to a material misstatement in those financial statements. It is a matter of the auditor's professional judgment, subject to the requirements of this AAS, whether a control, individually or in combination with others, is relevant to the auditor's considerations in assessing the risks of material misstatement and designing and performing further procedures in response to assessed risks. In exercising that judgment, the auditor considers the circumstances, the applicable component and factors such as the following:
- The auditor's judgment about materiality.
- The size of the entity.
- The nature of the entity's business, including its organization and ownership characteristics.
- The diversity and complexity of the entity's operations.
- Applicable legal and regulatory requirements.
- The nature and complexity of the systems that are part of the entity's internal control, including the use of service organizations.

3) Controls relating to operations and compliance objectives may, however, be relevant to an audit if they pertain to data the auditor evaluates or uses in applying audit procedures. For example, controls pertaining to non-financial data that the auditor uses in analytical procedures, such as production statistics, or controls pertaining to detecting non-compliance with laws and regulations that may have a direct and material effect on the financial statements, such as controls over compliance with income tax laws and regulations used to determine the income tax provision, may be relevant to an audit.

4) Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives. In obtaining an understanding of each of the components of internal control, the auditor's consideration of safeguarding controls is generally limited to those relevant to the reliability of financial reporting. For example, use of access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. Conversely, controls to prevent the excessive use of materials in production generally are not relevant to a financial statement audit.

Control Activities

1) The auditor should obtain a sufficient understanding of control activities to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to assessed risks. Control activities are the policies and procedures that help ensure that management directives are carried out; for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels. Examples of specific control activities include those relating to the following:
- Authorization.
- Performance reviews.
- Information processing.
- Physical controls.
- Segregation of duties.

2) General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT-controls that maintain the integrity of information and security of data commonly include controls over the following:
- Data centre and network operations.
- System software acquisition, change and maintenance.
- Access security.
- Application system acquisition, development, and maintenance.

The auditor should document: The manner in which these matters are documented is for the auditor to determine using professional judgment. In particular, the results of the risk assessment may be documented separately, or may be documented as part of the auditor's documentation of further procedures. Examples of common techniques, used alone or in combination, include narrative descriptions, questionnaires, check lists and flow charts. Such techniques may also be useful in documenting the auditor's assessment of the risks of material misstatement at the overall financial statement and assertions level. For example, documentation of the understanding of a complex information system in which a large volume of transactions are electronically initiated, recorded, processed, or reported may include flowcharts, questionnaires, or decision tables. For an information system making limited or no use of IT or for which few transactions are processed (say, long-term debt), documentation in the form of a memorandum may be sufficient. Ordinarily, the more complex the entity and the more extensive the audit procedures performed by the auditor, the more extensive the auditor's documentation will be. AAS 3, "Documentation" provides guidance regarding documentation in the context of the audit of financial statements.

Effective Date

This Auditing and Assurance Standard is effective for audits related to accounting periods beginning on or after 1st April, 2007.


STATUTORY BANK AUDIT


PREPARATION AND PLANNING FOR AUDIT
AUDIT OF BALANCE SHEET & PROFIT AND LOSS
AUDIT OF ADVANCES
PRUDENTIAL NORMS

PREPARATION AND PLANNING FOR AUDIT


The audit preparation and planning should start immediately on receipt of the appointment letter, and the auditor should not wait until actual commencement of audit for the same. The various stages involved in audit preparation and planning and the other related issues are discussed below in detail.

STAGE I: AT THE OFFICE

UNDERSTANDING THE BASIC SCOPE OF AUDIT:
Broadly, the scope of audit can be divided into three main parts:

1. Authentication of closing returns such as:
a) Balance Sheet.
b) Profit and Loss Account either for the full year or for two half years.
c) Master Summary of advances containing asset classification.
d) Statement of furniture/fixtures, computers, etc. and depreciation.
e) Statement of Capital Adequacy.
f) Statement of maturity pattern of loans & advances and deposits.
g) Statement of maturity pattern of foreign currency assets and liabilities.
h) Statement of maturity pattern of borrowings.
i) Statement of cash and bank balance on twelve odd dates.
j) Statement of lending to sensitive sectors.
k) Statement of movements in NPA.
l) Statement of advances made by rural branches.

2. Issuance of certificates in relation to:
a) Claim for PMRY subsidy.
b) Refund of DICGC claim.
c) Asset classification, income recognition and provisioning.
d) Memorandum of Changes (MOC) for previous year.
e) Investments, if any, held on behalf of Head Office.

3. Issuance of reports including special purpose reports/certificates such as:
a) Auditor's Report.
b) Long Form Audit Report.
c) Tax Audit Report.
d) Compliance certificate in respect of implementation of recommendations of Ghosh & Jilani Committees.

The scope is illustrative and not exhaustive and it may differ from bank to bank.

COMMUNICATION WITH THE BRANCH
Generally, the appointment letter issued by the HO/CO also contains details like the complete postal address and contact numbers of the branch, name of the branch head, business portfolio of the branch, etc. If these details are not mentioned in the appointment letter, the same must be obtained. Depending upon the business profile of the branch, the auditor must issue written communication for all the audit requirements to the branch.

PREPARATION OF AUDIT PROGRAMME
1. While preparing/updating the audit programme, due importance must be given to:
a) Auditing & Assurance Standards and other pronouncements of the Institute.
b) Provisions of the governing statutes.
c) Latest closing instructions.
d) Latest business profile.
e) Audited and un-audited financial statements.
f) LFAR for the previous year.
g) Guidelines and circulars issued by RBI.
h) Past experience of bank audit.
2. Generally, the information about the closing returns to be signed and certificates and reports to be issued is mentioned in the appointment letter and/or the closing instructions issued by the HO/CO. It must be ensured that all this information is properly updated/incorporated in the audit programme and all the related instructions for the closing returns, certificates, reports, etc., are incorporated in the audit checklist.
3. As most of the branches/operations are computerized, due emphasis must be given to the level of computerization at the branch level. The audit approach in case of a computerized branch is totally different from the one adopted in case of a branch maintaining manual records.
4. The audit programme must be flexible and have substantial scope for modification/revision during the course of audit.


STANDARDIZATION OF WORKING PAPERS
1. As the scope of audit is very wide and the time available is very limited, there are chances that:
(a) Critical/important areas are either completely omitted or not audited thoroughly by the team.
(b) Proper noting of important issues observed is not made.
(c) More time is devoted to insignificant matters/areas.
2. In order to avoid such possibilities, it is advisable that all the working papers, including audit programme/checklist and audit memo/query sheet, are standardized.

STAGE II: AT THE BRANCH

UNDERSTANDING THE EDP ENVIRONMENT
1. Before commencing the audit, it is very important to understand the EDP environment at the branch. The team must interact with the EDP department at the branch to gain an understanding of the overall EDP environment.
2. The team must review the report on System Audit, if any, conducted during the year. The team must also review the reports of concurrent auditors, RBI Inspectors and Internal Inspectors to understand the overall EDP environment at the branch.
3. The audit team must be properly briefed about:
(a) The approach of audit in the computerized environment.
(b) The system of data processing and generation of various outputs at the branch.
(c) The importance of proper understanding and verification of the output before placing reliance on it.
(d) The basic differences between the Automated Ledger Posting Machine (ALPM) branches, Total Branch Mechanization (TBM) branches and branches under Core Banking Solutions (CBS).
4. At times, the branches continue to use an old version of the software even though the latest version is supplied. It must be ensured that the version being used by the branch is the latest version that is supplied by the controlling authorities.
5. The branches are required to maintain a logbook for recording any disruption/corruption/breakdown that may arise in the software/hardware at the branch. The logbook must be reviewed to understand the implication of the systemic issues on the overall presentation of the financial statements.


EXECUTION OF AUDIT
During execution of audit, the following important aspects must be borne in mind:
1. The audit programme and the checklists must be suitably updated/modified in the light of the understanding gathered about the overall functioning of the branch.
2. The audit observations must be discussed on a daily basis.
4. The documentation and proper filing must be given due importance. All the audit memos along with the supporting documents must be systematically filed on a daily basis.
5. The final issues affecting the true and fair view and other disclosures must be discussed with the branch management.

COMPLETION OF AUDIT
At the final stage, the following important aspects must be borne in mind:
1. The auditor must ensure that all the audited closing returns, reports and certificates have been duly signed and stamped.
2. It must be ensured that LFAR has also been prepared and discussed with the branch.
3. Tax audit must also be completed during the course of statutory audit, as no separate visit is allowed for the same.
4. The copies of the audited closing returns, reports and certificates are obtained for the purpose of filing.
5. Necessary representation letter must be obtained from the branch management.
6. In case the Bank requires an Attendance Certificate to be submitted along with the bill, ensure that the same has been obtained in the prescribed format.

AUDIT OF BALANCE SHEET AND PROFIT & LOSS ACCOUNT:
The statutory audit of banks and their branches is generally described as Balance Sheet Audit. The audit procedures followed in case of banks are to some extent different from those followed in case of other entities. The reason is the system of accounting followed and the nature of records maintained by the banks. Before we proceed with the Balance Sheet and the Profit & Loss Account, it is advisable to gain an understanding of the accounting system and the nature of records of the branch.


The suggested audit approach in respect of the various items of the Balance Sheet and the Profit & Loss Account is as follows:

GENERAL APPROACH
1. It is advisable to:
(a) Compare figures in the manual formats/closing returns prepared by the branch with the system generated outputs of the trial balance and groupings.
(b) Ensure completeness of the data/output provided before commencement of verification thereof.
(c) Understand the nature of unusual accounts, the accounting entries thereof and the implication of balances appearing in those accounts.
(d) Identify the accounts to be verified in detail.
2. Generally, the branches are instructed to generate hard copies of ledgers and other records as per the specified periodicity. These records are available for the purpose of verification by the auditors.
3. Generally, the extract of significant accounting policies followed by the bank as a whole is provided to the branch and the branch auditor. In case it is not made available, the same should be obtained. Many a time, the branch follows a different accounting policy, especially while recognizing guarantee commission, overdue interest on advances, discount on bills, accruing interest on overdue deposits, prepaid/unpaid expenses, etc. It must be ensured that the branch does not violate the significant accounting policies followed by the bank.
4. As the figures are inserted manually in the formats, it is important to ensure these are free from totalling errors. In case there is overwriting, cancellation, use of white ink, etc., in the formats, it must be ensured that the same are properly stamped and initialled by the branch and the auditor.
5. In respect of certain items of the balance sheet and profit and loss account that are expressed in foreign currency, like FCNR deposits and interest thereon, foreign letter of credit, foreign currency loan and interest thereon, etc., it must be ensured that the year-end figures are revalued as per the prescribed procedures. In case there are no stated guidelines for the same, the procedure adopted by the branch for revaluation, or the fact that no such revaluation is done as at the year-end, must be stated in the audit report.


SPECIFIC AUDIT APPROACH FOR MAJOR ITEMS OF BALANCE SHEET

PART I: ASSETS

1. Cash
a) Evaluate the effectiveness of internal controls being exercised by the branch by making enquiries about the daily verification of cash at the opening and the closing hours, maintenance of cash related registers and vault register, safety of cash cabin, dual custody of cash, safe keeping of vault and cash box keys, recording of movements of keys, dual custody of the keys, security arrangements for cash movements, decoy money, daily cash holding and retention limit, etc.
b) Review the reports of the concurrent auditors to ascertain the level and effectiveness of internal controls and also ascertain the frequency of cash verification carried out by the concurrent auditors.
c) Verify the closing cash balance at the branch and the extension counter/ATM center connected to the branch as on the last day of the year or as of any day during the course of audit in the presence of the cashier and the manager.

2. Balances with Reserve Bank of India, State Bank of India and other Banks
Verify the balances as per the books with the balance confirmation certificates received from these banks. Ensure that the matters to be reported in LFAR have been duly verified and incorporated.

3. Money at call and short notice
Generally these assets are not held or dealt with at the branch level.

4. Investments
Generally these assets are not held or dealt with at the branch level.

5. Advances
The audit approach in respect of advances is covered in detail in audit of advances.

6. Furniture, fixtures, computers and office equipment
a) Evaluate the effectiveness of internal controls over acquisition, recording, identification, safeguarding and periodic verification of these items.
b) Verify the major additions and deletions/disposals with the related supporting documents such as invoices, challans, etc.


7. Other asset - Inter Office adjustments (NET)
a) Understand the basic nature of such transactions, the relevance thereof for the overall presentation of financial statements and the procedure for recording such transactions.
b) Ensure that the closing balance shown in the statement of the last day of the year tallies with the corresponding balance in the General Ledger.
c) Comment on very old and high value un-reconciled items.

8. Other asset - Interest accrued
Ascertain the system of accruing interest on advances in the computerized branch in the light of RBI guidelines for monthly charging of interest.

9. Other asset - Suspense account
a) Understand the guidelines issued by HO for operating the suspense account.
b) Obtain the details of entries/items outstanding as at the year-end.
c) Identify the provision to be made in respect of very old entries.
d) Ensure that the matters to be reported in LFAR have been duly verified and incorporated.

10. Other asset - Stationery and stamps
Evaluate the effectiveness of internal controls exercised by the branch for acquisition, recording, usage, physical verification, dual custody, access, etc., for stamps, deposit receipts, drafts, pay-orders, cheque books, traveller's cheques, gift cheques, etc.

12. Other asset - Miscellaneous debits in Government accounts
Generally the balance outstanding in this account indicates the pending claims to be received from the Government towards pension, provident fund, etc., paid by the branch on behalf of the Government.

13. Other asset - Security deposits
It relates to telephone deposit, mobile deposit, electricity deposit, deposit paid to the landlord for leased premises, etc.

PART II: LIABILITIES

1. Deposits
a) Ensure that the balances as per the subsidiary ledgers of various deposit accounts are duly balanced and tallied with the respective balances in the general ledger. Any difference in the balancing should be reported in the audit report.

37

Control System And Bank Audit

b) Understand the types of various deposits held by the branch and the salient features of those deposits with reference to the due dates for application, accrual, compounding and payment of interest. c) Ascertain that the branch has complied with the RBI guidelines related to opening and maintenance of deposit accounts including NRI deposit accounts. More emphasis should be given to KYC norms, operations in new accounts, heavy cash deposits and withdrawals, etc. Any serious discrepancy in this regard should be reported. 2. Borrowings Generally borrowings are not held or dealt with at the branch level. 3. Bills payable a) Generally bills payable relates to pay-order (PO), demand draft (DD), telegraphic transfer (TT) and mail transfer (MT) and banker's cheque issued by the branch. The balances in these accounts indicate progressive balance that is subject to reconciliation at HO level. b) Ensure that the details of lost demand drafts, if any, circulated by RO/HO is readily available with the branch. 4. 5. Inter-office adjustment (NET) For details refer item 7 of PART I. Interest accrued Ascertain the system of accruing interest on deposits in the computerized branch. Generally interest on deposits is accrued at the last day of the month and is reversed on the first day of the succeeding month. 7. Other liabilities - Rebate on Bills discounted a) Ascertain that the branch has complied with the related accounting policy and necessary accounting has been done in respect of discount received in advance for the un-expired period of the bills outstanding as at the year-end. b) In case the bill-wise details are not made available and the amount of rebate is material, report the fact in the audit report.

38

Control System And Bank Audit

8.

Other liabilities - Tax deducted at source `Normally tax is deducted at source as per the Income Tax Act, 1961 in respect of

interest on term deposit, staff salaries, rent, professional charges and payments made to the contractors, etc. 9. Other Liability - unrealized interest on NPA a) This account is also referred to as Interest Suspense, De-recognized Interest, etc. b) Generally the branches are required to maintain subsidiary ledger/register for recording account-wise details of unrealized interest. 10. Other liabilities Others a) This could include sundry deposits, staff security deposit, margin money and statutory dues such as deduction of professional tax, provident fund, ESI, etc. b) In respect of the statutory dues, ensure that proper reporting has been done in the Tax Audit Report.

PART III: CONTINGENT LIABILITY

1. Claims against the Bank not acknowledged as debts
a) Generally this includes disputed amounts of lease rent, property tax, etc., in respect of premises taken on lease.
b) Obtain suitable representation from the branch about the completeness of the disclosure of such contingent liabilities.

2. Guarantees and acceptances, endorsements & other obligations
Obtain the list of un-expired guarantees and letters of credit. In case the list is not made available, report the fact in the audit report.

PART IV: BILLS FOR COLLECTION (CONTRA ITEMS)

a) Obtain the list of bills for collection (inward and outward) outstanding as at the year-end and verify the same with the related registers maintained by the branch.
b) Ascertain the age of the outstanding bills and the reasons for old items.

SPECIFIC AUDIT APPROACH FOR MAJOR ITEMS OF PROFIT AND LOSS ACCOUNT

PART I: INCOME

1. Interest/discount on advances/bills
a) Evaluate the overall effectiveness of internal controls through the reports of concurrent auditors and other agencies.
b) Ascertain the nature and the extent of revenue leakage detected by the concurrent auditors.
c) Ascertain that the branch has complied with HO instructions for recognizing penal interest and overdue interest.

2. Other income - commission, exchange and brokerage
a) It normally includes commission/exchange on letters of credit, guarantees, remittances and transfer of funds through DD, TT, MT, etc., bills for collection and Government business.
b) Ensure that the branch has complied with the provisions of Service Tax and other taxes applicable on services.

3. Other income - profit on sale of fixed assets
a) It normally includes profit or loss (net) on sale of motor vehicle, furniture and fixtures, computers and other fixed assets held by the branch.
b) Ensure that proper accounting has been done for the depreciation till the date of disposal as per the accounting policy framed by the bank.

4. Other income - miscellaneous income
a) It normally includes locker rent, recovery of godown rent, income from bank's property, security charges, etc.
b) In case locker rent is recovered in advance for a year or more, ensure that the same is properly apportioned on time period basis or as per the accounting policy advised by HO.

PART II: EXPENDITURE

1. Interest on deposits
a) Evaluate the overall effectiveness of internal controls through the reports of concurrent auditors and other agencies.
b) Obtain copies of applicable interest rate circulars issued by HO and verify the rate applied for certain deposit accounts. More emphasis should be given to changes in the rates, premature closures, back-dated renewals, high value deposits, short-term deposits, staff deposits, special category of deposits, tax deduction at source, etc.

2. Salary & allowances to staff
a) Generally monthly salary and allowances to staff are processed centrally either at RO or at any other main branches and the related records are also maintained there. The monthly salary sheets are then passed on to the respective branches and the payment is made by those branches. In such a situation, it must be ensured that the branch has properly accounted the payments for the entire year.

3. Rent
a) Obtain the details of the rented premises used by the branch either for the branch operations or for the officers/managers and the copies of the rent agreements.
b) In case the lessor has availed loan against the rent payable by the branch, ensure that the rent is properly appropriated towards the loan outstanding.

4. Electricity
a) Obtain the details of connections that are used for the branch premises and for the staff premises.
b) Ensure that the payment is made as per the original bills held by the branch.

5. Printing & stationery
Generally HO or any centralised department of the bank supplies major stationery items like security items, etc., to the branches. At branch level, these items are recorded in the memorandum registers for the purpose of internal control. In case these items are recorded in the main books, ensure that the same are properly accounted as per the advices received from the HO.

6. Depreciation
a) Ensure that the depreciation has been charged as per the rates and the method prescribed in the HO instructions especially with reference to additions and deletions during the year. More emphasis should be given to inter branch transfer of assets and the depreciation thereon.
b) Generally the branches commit mistakes in identifying revenue and capital expenditure. In case such mistakes are observed during the course of audit, it is advisable to identify the corresponding impact on the depreciation.

7. Legal charges
Ensure that these payments are made on the basis of the bills and other supporting documents. More emphasis should be given to the approval/sanction of higher authorities required for making such payments.

8. Postage, telegram & telephone
a) Obtain the list of telephone connections used in the branch premises and residential premises of the staff, as per the policy of the bank.
c) Ensure that the payments are made as per the original bills held by the branch.

9. Repairs & Maintenance
Normally it includes expenditure incurred on repairs and maintenance of vehicles, furniture, fixtures, premises, etc., and annual maintenance contracts (AMC) for computers, air conditioners, etc.

10. Insurance
a) Normally it includes expenditure incurred on insurance of office equipment installed at the branch like computers, air conditioners, etc.
d) Obtain the details of insurance policies, if any, held by the branch.

11. Other expenditure
It includes all other expenditure including professional charges, concurrent audit fees, etc., that is not included in any of the specific heads.

AUDIT OF ADVANCES

PART I: INTRODUCTION

Loans and advances constitute major portion of the assets of any branch and interest thereon is the major source of revenue for any branch. In view of the significance attached to this item, it is important for the auditor to thoroughly understand the scope of the audit and the reporting requirements. It is advisable to standardise the basic format of the scope of audit and also the notes to be prepared by the team at every stage of the verification. While verifying the advances it is important to keep in mind the requirements of LFAR, recommendations of Ghosh and Jilani Committees, Prudential Norms of RBI and various certificates to be issued.

PART II: AUDIT PROCEDURE (Account level)

1. It is advisable to cover the following important aspects while verifying advances:
(a) Compliance with terms and conditions as per the sanction letter.
(b) Regular submission of stock and book-debt statements, QIS/MSOD and audited and un-audited financial statements.
(c) Adequacy of insurance coverage.
(d) Adequacy of security coverage.
(e) Quality of credit monitoring.
(f) Regular renewal/review of limits.

2. It is advisable to review the following records/documents:
(a) Latest sanction letter.
(b) Latest correspondence files.
(c) Stock & book-debt statements.
(d) Latest audited and un-audited financial statements.
(e) Insurance policies.
(f) Latest valuation reports.
(g) Latest stock-audit report, wherever applicable.
(h) Legal documents.
(i) Latest inspection reports.
(j) Minutes of consortium meetings, wherever applicable.
(k) Review/Renewal proposal, if any, for expired limits.

PART III: IMPORTANT ASPECTS OF PRUDENTIAL NORMS

While verifying compliance of the prudential norms issued by RBI give more emphasis on:
a) Operations in the accounts of the borrower.
b) Possibility of window dressing in the account.
c) Reversal of unrealised interest.
d) Identification of the date of NPA.
e) Valuation of security.
f) Accounts upgraded from NPA category to standard category.
g) Potential NPA.
h) Standard accounts with lowest credit rating.
i) Standard accounts with negative net worth/under BIFR.
j) Asset classification by the other consortium members.

PRUDENTIAL NORMS ON ASSET CLASSIFICATION, INCOME RECOGNITION AND PROVISIONING

I. VERIFICATION OF COMPUTERIZED CLOSING RETURNS

a) Presently many of the banks are using customised software for generation of master summary and account-wise report on asset classification, income recognition and provisioning. Such software facilitates more accuracy and consistency in compilation of data on prudential norms, provided the same are thoroughly tested and approved.
b) As regards the system generated returns, it is important to note that these returns do not substitute the normal audit procedures that are to be performed by the auditor. These returns only facilitate the audit to a certain extent and hence the same must be accepted after performing normal audit procedures.
c) Generally the system-generated returns contain a lot of information that may be relevant only for the purpose of management information. As this information is not to be audited, it is advisable to state the fact in the relevant return that is to be certified.

II. SALIENT FEATURES

1. Non-performing Assets

a) An asset, including a leased asset, becomes non-performing when it ceases to generate income for the bank. In other words, a non-performing asset (NPA) shall be a loan or an advance where:
I) Interest and/or installments of principal remain overdue for a period of more than 90 days in respect of a term loan;
II) The account remains 'out of order' as indicated below, in respect of an Overdraft/Cash Credit (OD/CC);
III) The bill remains overdue for a period of more than 90 days in the case of bills purchased and discounted;
IV) Interest and/or installment of principal remains overdue for two harvest seasons but for a period not exceeding two half years in the case of an advance granted for agricultural purposes; and
V) Any amount to be received remains overdue for a period of more than 90 days in respect of other accounts.
e) The credit facilities backed by guarantee of the Central Government though overdue may be treated as NPA only when the Government repudiates its guarantee when invoked.
f) An account where the regular/ad hoc credit limits have not been reviewed/renewed within 180 days from the due date/date of ad hoc sanction will be treated as NPA.
d) In respect of accounts where there is potential threat of recovery due to erosion in the value of security or non-availability of security and existence of other factors, say, fraud committed by the borrower, etc., the account should be classified as doubtful asset or loss asset as appropriate, irrespective of the period for which it remained as NPA.

2. Out of order

An account should be treated as 'out of order' if the outstanding balance remains continuously in excess of the sanctioned limit/drawing power.

In cases where the outstanding balance in the principal operating account is less than the sanctioned limit/drawing power, but there are no credits continuously for 90 days as on the date of Balance Sheet or credits are not enough to cover the interest debited during the same period, these accounts should be treated as 'out of order'.

3. Asset Classification

Banks are required to classify non-performing assets into the following three categories based on the period for which the asset has remained non-performing and the realisability of the dues:
a) Sub-standard Assets
b) Doubtful Assets
c) Loss Assets

a) Sub-standard Asset: A sub-standard asset is one, which has remained NPA for a period less than or equal to 18 months. With effect from 31 March 2005, a sub-standard asset would be one, which has remained NPA for a period less than or equal to 12 months.

b) Doubtful Asset: A loan classified as doubtful has all the weaknesses inherent in assets that were classified as sub-standard, with the added characteristic that the weaknesses make collection or liquidation in full, on the basis of currently known facts, conditions and values, highly questionable and improbable. An asset is to be classified as doubtful, if it has remained NPA for a period exceeding 18 months. With effect from March 31, 2005, an asset would be classified as doubtful if it remained in the sub-standard category for 12 months.

c) Loss Asset: A loss asset is one where the bank or internal or external auditors or the RBI Inspectors have identified loss but the amount has not been written off wholly. In other words, such an asset is considered uncollectible and of such little value that its continuance as a bankable asset is not warranted although there may be some salvage or recovery value.

4. Income Recognition

a) If any advance, including bills purchased and discounted, becomes NPA as at the close of any year, interest accrued and credited to income account in the corresponding previous year, should be reversed or provided for if the same is not realised. This will apply to Government guaranteed accounts also.
b) In respect of NPA, fees, commission and similar income that have accrued should cease to accrue in the current period and should be reversed or provided for with respect to past periods, if uncollected.
c) There is no objection to the banks using their own discretion in debiting interest to an NPA account taking the same to Interest Suspense Account or maintaining only a record of such interest in memorandum accounts.

5. Provisioning

Minimum Provision

a) Standard Asset: The banks should make a general provision of a minimum of 0.25 per cent on standard assets on global loan portfolio basis.

b) Sub-standard Asset: A general provision of 10 per cent on total outstanding should be made without making any allowance for DICGC/ECGC guarantee cover and securities available. The 'unsecured exposures' that are identified as 'substandard' would attract additional provision of 10 per cent, i.e., a total of 20 per cent on the outstanding balance. Unsecured exposure is defined as an exposure where the realisable value of the security, as assessed by the bank/approved valuers/Reserve Bank's Inspecting Officers, is not more than 10 per cent, ab-initio, of the outstanding exposure. 'Exposure' shall include all funded and non-funded exposures (including underwriting and similar commitments).

c) Doubtful Asset:
i) 100 per cent of the extent to which the advance is not covered by the realisable value of the security to which the bank has a valid recourse and the realisable value is estimated on a realistic basis.
ii) In respect of the secured portion, provision has to be made on the following basis at the rates ranging from 20 per cent to 100 per cent of the secured portion depending upon the period for which the asset has remained doubtful.

Period for which the asset has remained in doubtful category / Provision to be made (%)

Up to 1 year (D1 category): 20
More than 1 year but less than 3 years (D2 category): 30
More than 3 years (D3 category):
a) Outstanding in D3 category as on 31/03/2004: 50 (as on 31/03/2004); 60 with effect from 31/03/2005; 75 with effect from 31/03/2006; 100 with effect from 31/03/2007
b) Classified in D3 category on or after 1/04/2004: 100 with effect from 31/03/2005

iii) Banks are permitted to phase the additional provisioning consequent upon the reduction in the transition period from sub-standard to doubtful asset from 18 to 12 months over a four-year period commencing from the year ending March 31, 2005, with a minimum of 20 % each year.

Floating Provision

Some of the banks make a 'floating provision' over and above the specific provisions made in respect of accounts identified as NPA. The floating provisions, wherever available, could be set-off against minimum provisions as per above stated provisioning guidelines. Considering that higher loan loss provisioning adds to the overall financial strength of the banks and the stability of the financial sector, banks are urged to voluntarily set apart provisions much above the minimum prudential levels as a desirable practice.

Treatment of Interest Suspense Account

Amounts held in Interest Suspense Account should not be reckoned as part of provisions. Amounts lying in the Interest Suspense Account should be deducted from the relative advances and thereafter, provisioning as per the norms, should be made on the balances after such deduction.

Advances Covered By ECGC

In the case of advances guaranteed by ECGC, provision should be made only for the balance in excess of the amount guaranteed by ECGC. Further, while arriving at the provision required to be made for doubtful assets, realisable value of the securities should first be deducted from the outstanding balance in respect of the amount guaranteed by ECGC and then provision made.

IMPORTANT ASPECTS

1. Advances under consortium arrangement
Asset classification of accounts under consortium should be based on the record of recovery of the individual member banks and other aspects having a bearing on the recoverability of the advances. The banks participating in the consortium should, therefore, arrange to get their share of recovery transferred from the lead bank or get an express consent from the lead bank for the transfer of their share of recovery, to ensure proper asset classification in their respective books.

2. Accounts where there is erosion in the value of security
i) An NPA need not go through the various stages of classification in cases of serious credit impairment and such assets should be straightaway classified as doubtful or loss asset as appropriate. Erosion in the value of security can be reckoned as significant when the realisable value of the security is less than 50 per cent of the value assessed by the bank or accepted by RBI at the time of last inspection, as the case may be. Such NPA may be straightaway classified under doubtful category and provisioning should be made as applicable to doubtful assets.
ii) If the realisable value of the security, as assessed by the bank/approved valuers/RBI is less than 10 per cent of the outstanding in the accounts, the existence of security should be ignored and the asset should be straightaway classified as loss asset. It may be either written off or fully provided for by the bank.

3. Loans with moratorium for payment of interest
In the case of housing loan or similar advances granted to staff members where interest is payable after recovery of principal, interest need not be considered as overdue from the first quarter onwards. Such loans/advances should be classified as NPA only when there is a default in repayment of installment of principal or payment of interest on the respective due dates.

4. Agricultural advances
A loan granted for short duration crops will be treated as NPA, if the installment of principal or interest thereon remains overdue for two crop seasons. A loan granted for long duration crops will be treated as NPA, if the installment of principal or interest thereon remains overdue for one crop season.
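The minimum-provision rules for sub-standard, doubtful and loss assets, together with the Interest Suspense deduction and the security-erosion tests described above, worked through as an added example (not part of the original document). Function and parameter names are hypothetical, the amounts are constructed, and ECGC/DICGC cover, floating provisions and the phasing under iii) are not modelled.

```python
from datetime import date
from decimal import Decimal

# Provision (%) on the secured portion of a doubtful asset, as tabulated on this page.
SECURED_RATE = {"D1": Decimal(20), "D2": Decimal(30)}
# D3 accounts already outstanding in D3 as on 31/03/2004: stepped rates, newest first.
LEGACY_D3_STEPS = [
    (date(2007, 3, 31), Decimal(100)),
    (date(2006, 3, 31), Decimal(75)),
    (date(2005, 3, 31), Decimal(60)),
    (date(2004, 3, 31), Decimal(50)),
]
AS_OF = date(2006, 3, 31)  # constructed balance-sheet date for sample calls


def secured_rate(category, as_of, legacy_d3=False):
    """Rate (%) applied to the secured portion of a doubtful asset."""
    if category in SECURED_RATE:
        return SECURED_RATE[category]
    if category != "D3":
        raise ValueError("unknown doubtful category: %r" % (category,))
    if not legacy_d3:  # classified in D3 on or after 1/04/2004
        if as_of < date(2005, 3, 31):
            raise ValueError("no rate stated for this case before 31/03/2005")
        return Decimal(100)
    for effective, rate in LEGACY_D3_STEPS:
        if as_of >= effective:
            return rate
    raise ValueError("no rate stated before 31/03/2004")


def minimum_provision(asset_class, outstanding, interest_suspense=0,
                      realisable_security=0, doubtful_category=None,
                      as_of=None, legacy_d3=False, unsecured_ab_initio=False):
    """Minimum provision on one NPA account under the rules quoted above."""
    # Interest Suspense is deducted from the advance first; it is not a provision.
    net = Decimal(outstanding) - Decimal(interest_suspense)
    if net < 0:
        raise ValueError("interest suspense exceeds outstanding balance")
    if asset_class == "sub-standard":
        # 10% regardless of security; 20% for exposures unsecured ab initio.
        rate = Decimal(20) if unsecured_ab_initio else Decimal(10)
        return net * rate / 100
    if asset_class == "doubtful":
        secured = min(Decimal(realisable_security), net)
        unsecured = net - secured  # provided for at 100%
        rate = secured_rate(doubtful_category, as_of, legacy_d3)
        return unsecured + secured * rate / 100
    if asset_class == "loss":
        return net  # written off or fully provided for
    raise ValueError("unknown asset class: %r" % (asset_class,))


def erosion_class(realisable_security, value_at_last_assessment, outstanding):
    """Straightaway classification when the security has eroded, else None."""
    realisable = Decimal(realisable_security)
    if realisable * 100 < Decimal(outstanding) * 10:
        return "loss"      # security below 10% of outstanding is ignored
    if realisable * 100 < Decimal(value_at_last_assessment) * 50:
        return "doubtful"  # below 50% of the previously assessed value
    return None
```

For a D2 account with 1,000,000 outstanding, 100,000 in Interest Suspense and security realisable at 500,000, the provision is 400,000 on the unsecured portion plus 30 per cent of 500,000, i.e. 550,000.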


TECHNOLOGY IN BANK AUDIT


AUDITING IN COMPUTERISED ENVIRONMENT
SYSTEM AUDIT
USE OF CAAT TOOLS: IDEA 2004

AUDITING IN COMPUTERISED ENVIRONMENT


Technology and its progress have often been linked to the progress of civilization. From the time man learnt to control fire to the Iron and Bronze Ages, control over inventions like guns and cannons has given certain civilizations the upper hand over the ones they conquered. Inventions and progress need not be restricted to the field of military or defence. Progress in banking is an equal parameter of the cultural development of a civilization and, like any other field, this sector is not spared from the technical revolution that has taken over other sectors. This section delves into the necessity of a value-added approach to the traditional audit, one that is not solely dependent on the system auditors. These approaches are general and can be applied to any environment, whether a LAN branch or a core banking situation.

Is the burden shifted to the system auditor? It is unlikely that any professional will take the stand of shifting the burden to the other auditor. There are a few checks you can do without undergoing intensive training and examination! Please note that the computer system environment referred to here is a minimum of a LAN (Local Area Network) or even a core system where the data hub is at a central location and the branches/offices are connected to this data hub despite being many cities away. Apart from the large corporations and multinationals, many banks, even large co-operative banks, have taken this option. Even the branch auditor, thus, has to take certain precautions to ensure he does justice to his work.


PHYSICAL ACCESS CONTROL

In case the site is a LAN, the server should be secure since the software and data are located on this device. Access to the server room should be restricted, and only senior management should permit 'outsiders' like software and hardware vendors to enter the server room. Many of the frauds that have already occurred in India could have been prevented if only this access had been closely monitored.

ENVIRONMENTAL SECURITY

Apart from protecting the server from ill-intentioned persons, we have to ensure it is protected from accidents of fire and water by installation of smoke alarms in the server room and extinguishers outside the server room. In case of core banking, the devices used for communication should be accorded the same level of protection as the server.

SAFEGUARDING OF ASSETS - UPS

Computers require electrical power for working and, when the environment is live, work comes to a standstill unless power is provided through a UPS (Uninterrupted Power Supply). This has a battery bank and is activated immediately when the power fails, providing continuous power without any interruption. These machines heat up when generating power and, if proper ventilation is not provided, the UPS will provide service for shorter durations, not only compromising the work but also wasting the investment of the company. Simple rules of maintenance should also be followed and monitored.

OPERATING SYSTEM CONTROLS

While all pay attention to access to the application software, many forget to police access to the operating system. File copying, deletion and even data manipulation (especially under database environments) are some of the potential disasters that are possible unless controlled. You will have to ensure that the company holds the original license for using the operating system software. Check whether the original operating system media supplied by the vendor is available in the company. This is necessary to ensure reloading in case of accidental corruption. Only if the company holds the media can the system be reloaded without waiting for the vendor's representative.

APPLICATION SYSTEM CONTROL

The application developed for the company should be encoded and not left in a form that can be re-programmed by the user. Otherwise, any person who knows a bit of programming in that language could design trapdoors for fraud, and these are later very difficult to identify. Here, 'prevention is easier than the cure'.

PASSWORD AND ACCESS CONTROL

Password control is the 'logical' access to the computer. The system should have passwords and should force them to be changed frequently, ensuring that the last password is not accepted (not accepting the last 12 is the least). Along with this, 'internal control' should be enforced by the system: the person creating a voucher should not be permitted to authorize that voucher, and without authorization no voucher (other than system generated vouchers) should be accepted by the system. The corollary of this requirement is to check that each user has only one identity in the system; otherwise one person will take the identity of a clerk and, with a change in short name, take another identity as an officer, thus effectively compromising the system.
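The three checks described above (creator must not authorize, one identity per person, no reuse within the last 12 passwords), run over exported user, voucher and password-history records as an added example that is not part of the original document. The record layout, field names and all sample values are constructed assumptions, not the export format of any particular banking package.

```python
from collections import defaultdict

# Constructed sample extracts (hypothetical field names).
USERS = [
    {"user_id": "CLK01", "staff_no": "1001", "role": "clerk"},
    {"user_id": "OFF07", "staff_no": "1002", "role": "officer"},
    {"user_id": "OFF09", "staff_no": "1001", "role": "officer"},  # second identity of staff 1001
]
VOUCHERS = [
    {"no": "V001", "created_by": "CLK01", "authorized_by": "OFF07", "system_generated": False},
    {"no": "V002", "created_by": "OFF07", "authorized_by": "OFF07", "system_generated": False},
    {"no": "V003", "created_by": "CLK01", "authorized_by": None, "system_generated": False},
    {"no": "V004", "created_by": "CLK01", "authorized_by": "OFF09", "system_generated": False},
    {"no": "V005", "created_by": "SYSTEM", "authorized_by": None, "system_generated": True},
]
# Newest first; the strings stand in for stored password hashes.
PASSWORD_HISTORY = {
    "CLK01": ["h9", "h8", "h7", "h9"],                            # reused after 3 changes
    "OFF07": ["k3", "k2", "k1"],
    "OFF09": ["p0"] + ["p%d" % i for i in range(1, 13)] + ["p0"],  # reused after 12 others
}


def duplicate_identities(users):
    """Staff members holding more than one user ID in the user master."""
    by_staff = defaultdict(list)
    for user in users:
        by_staff[user["staff_no"]].append(user["user_id"])
    return {staff: sorted(ids) for staff, ids in by_staff.items() if len(ids) > 1}


def voucher_exceptions(vouchers, users):
    """Vouchers that break the create/authorize separation, with the reason."""
    staff_of = {u["user_id"]: u["staff_no"] for u in users}
    findings = []
    for v in vouchers:
        if v["system_generated"]:
            continue  # the only vouchers allowed without authorization
        maker, checker = v["created_by"], v["authorized_by"]
        if checker is None:
            findings.append((v["no"], "not authorized"))
        elif checker == maker:
            findings.append((v["no"], "created and authorized by the same user ID"))
        elif maker not in staff_of or checker not in staff_of:
            findings.append((v["no"], "user ID not in user master"))
        elif staff_of[maker] == staff_of[checker]:
            # Two different IDs, one person: the clerk/officer double identity.
            findings.append((v["no"], "maker and checker IDs belong to the same person"))
    return findings


def password_reuse(history, depth=12):
    """User IDs whose current password matches one of the previous `depth`."""
    return [user_id for user_id, hashes in sorted(history.items())
            if hashes and hashes[0] in hashes[1:1 + depth]]
```

V004 passes a naive "creator differs from authorizer" comparison and is caught only by mapping both user IDs back to the staff number, which is why the one-identity check belongs alongside the voucher check.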

Checklist for Audit of Computerized Operations

ENVIRONMENT

1. Securing the computers
The machines should be locked at the end of the day. Ensure that either the furniture, which is adjusted for locking, is locked or that the hardware lock of the computer is used. This is a simple point often ignored. An unlocked computer means anyone can start it and the only hurdle after that is the password. Poor password maintenance further compounds the risk of unlocked computers.

2. Securing during operations
During computer operations, especially during service hours, it is not uncommon for the operator to leave his/her seat. You as an auditor should thus ensure that the operator either exits from the system or leaves it at a point where it cannot proceed without a password.

Password

Password is a key to something more valuable than cash - data.

No. / Check for / Discussion on checkpoint

1. Password allotment register
When a password is allotted, entry is made in this register. This is similar to the key register where entries are made at time of giving keys. Check here whether the password level is also specified. Authority to give password is to the branch manager and those who hold supervisor password.

2. Password change register
Where software does not control change in password (where not only warnings are given but user is disabled unless the password is changed after specified date) a register has to be shown to you with dates of change of password. In absence of this register, you do not have evidence that the passwords are changed frequently.

3. Two to three supervisors only
Supervisor password level permits the holder of this password unlimited access. Ensure there are a minimum of two and a maximum of three such holders. Check the systems and procedure manual of the Bank in case they specify a different figure.

Cheque related transactions

No. / Check for / Discussion on checkpoint

1. Audit trail listing cheques out of range
Check if chequebooks issued are updated to the customer's master on the same day and a record of the same is maintained.

2. Audit trail for date
Ensure that stop payment instructions are updated immediately on receipt of the instruction. Audit trail will give date of entry of such a stop payment. Verify with date of receipt written on the letter of the account holder. It should be the same day.

3. Minimum balance charges
Accounts having chequebook facility (savings/current) require having a specified minimum balance. Ensure minimum balance charges are levied in case the balance falls below the minimum level. In good systems, this information is asked in the 'parameter' file and thus the charges are correctly levied either every month or every quarter.

System audit framework


Need of Systems Audit: Since computers are so important for the survival and progress of any organisation, it is necessary to have suitable controls and regular checks on Computer Resources and Data Processing Activities. System audit attempts to achieve this objective. System audit does not deal with the computer system alone; it deals with the audit of the system as a whole. This is necessary because a computer system is an integral part of the total business system. System audit attempts to link computer systems and manual systems in the overall system. It is particularly relevant for our country because we have a business environment which is a combination of computer system and manual system.


OBJECTIVES OF SYSTEMS AUDIT The basic objectives of Systems Audit are to ensure: a) The assets are safeguarded in the system b) Data integrity is maintained throughout the system c) Organisational goals are effectively achieved by the system d) Resources in the system are being consumed efficiently Computer System Vs. Manual System Any system, manual or computerised, must have some internal controls. These internal controls ensure Asset Safeguarding, Data Integrity, Achievement of Organisational Goals and Efficient Consumption of Resources within the Organisation. However, nature of these internal controls and their implementation may vary widely in Manual System and Computerised System, for the following factors: a) Separation of duties b)Authority and responsibility c) Dependable and skilled personnel d) Authorisation e) Availability of documents and records f) Custody of assets and records g)Management by supervisio h)Verification of performance Assessment of Controls : In any system, controls play a very important role. They reduce possible losses by reducing probabilities of component failure and also by reducing the amount of losses, if component fails at all. Auditor's task in a computerised system is complex because number and range of controls are increased. A systems auditor should assess the following controls:


CONTROL: CONTROL FUNCTIONS

a) Authenticity: To ensure correct identification of objects (e.g. the users, programs) by the system
b) Accuracy: To ensure correctness of data and accurate processing in the system
c) Completeness: To ensure protection against missing data or incomplete processing
d) Redundancy: To ensure protection against entering or processing the same data more than once
e) Privacy: To ensure protection against careless, accidental or unauthorised disclosure of data
f) Audit Trail: To ensure safe keeping of a log of all activities in chronological order
g) Existence Safeguarding: To ensure availability of all system resources at all times
h) Effectiveness: To ensure achievement of the goal of a system effectively
i) Efficiency: To ensure optimum utilisation of resources by the system for achievement of its goal

TOOLS AND TECHNIQUES

For evaluation of the computerised system, auditors must collect evidence. Various tools and techniques are available to assist the auditors in collecting it. Out of the following tools and techniques, auditors must know the technique best suited to a particular computerised system:
- Generalised Audit Software
- Other Audit Software
- Concurrent Audit Techniques
- Manual Techniques

By using generalised audit software, auditors can gain access to the data maintained on computer media. This enables the auditors to assess the quality of records in the system. This tool is mostly used by external auditors, who confront various computer environments of diverse characteristics. The following functions are available in generalised audit software:
- File access
- File reorganisation
- Selection
- Arithmetic
- Stratification and frequency analysis
- File creation and updating
- Reporting

By carefully combining the above functional capabilities, the following audit tasks can be accomplished:
i) Examination of the quality of data
ii) Examination of the quality of system processing
iii) Examination of the existence of the entities the data purports to represent
iv) Analytical review

Limitations of Generalised Audit Software

The limitations of generalised audit software may be listed as under:
- It is suitable for ex-post auditing only
- It has very limited capability to verify processing logic, which may, however, be overcome by parallel simulation
- It has limited capability to determine the system's ability to cope with change

Purchase of Generalised Audit Software: Most generalised audit software costs around $2000. Some packages may offer certain optional modules, like interfaces to different database management systems, against additional payments. Finally, there may be some ongoing license fee. Although the price of this software is low, users must select it with a lot of care, as selecting the wrong one may cause ongoing opportunity costs due to lack of effectiveness and efficiency of auditing.


Some of the commonly used generalised audit software are: ACL Plus, APPLAUD-Audit, CARS, IDEA, PROSPECTOR, PC/FOCAUDIT, PANAUDIT Plus Workstation, and so on.

Other Software: Apart from generalised audit software, there is some other software which may be used by auditors for the purpose of evidence collection:
i) Spreadsheet Audit Software
ii) High-level Languages
iii) System Software
iv) Specialised Audit Software
v) Decision Support Software

i) Spreadsheet Audit Software
Several organisations incurred huge losses due to decisions based on erroneous spreadsheet models. It was, therefore, necessary to develop spreadsheet audit software to test the spreadsheet model independently (e.g. all parameter values, absolute value, logic, documentation and so on). However, not all spreadsheet packages can be accessed by the spreadsheet audit software.

ii) High-level Languages
Recently, many systems auditors have been using micro-computers and fourth generation languages. With suitable utility software, they may download a copy of the data required. With the help of currently available, highly powerful statistical packages, data may be manipulated as desired and reports may be prepared.

iii) System Software
Auditors may decide to make use of system software utilities for the following reasons:
- Generalised audit software may not be available
- Functions of generalised audit software may be limited
- Generalised audit software may not be efficient (i.e. it may consume more resources than acceptable)
- Utility software may present the data produced by one machine in a form suitable for use by another machine


iv) Specialised Audit Software
Specialised audit software is developed keeping a specific audit task in view. Specialised audit software is costlier than generalised audit software. However, groups of internal and external auditors are now engaged in developing libraries of specialised audit software, mainly for the following reasons:
- Alternative software may not be available
- Functions of the alternative software may be limited
- Alternative software may not run efficiently
- Auditors may understand the system better in the course of developing specialised software
- Once auditors develop their own software, they are no longer dependent on others. This increases the confidence level of the auditors.

v) Decision Support Software
Decision support software may assist auditors in taking decisions regarding evidence collection and evidence evaluation. By undertaking sensitivity analysis with the software, the internal control points critical to the overall reliability of the system may be determined. Thereafter, the auditors may decide where they should concentrate their evidence collection efforts. However, use of such software is not widespread.

Control of Audit Software
The independence of audit is preserved only when auditors have full control over the audit software. The audit software must be protected against unauthorised modification. An independently controlled library may be a good protection against such a hazard. However, maintenance of a library may not always be practicable. In such a case, auditors may adopt the blueprint approach, the hash total approach or the test data approach to ensure that the software has not been modified without authorisation.

Concurrent Auditing
Although most of the time auditors collect evidence and evaluate it well after the events have occurred, at times they need to identify problems in the computerised system by collecting evidence at the same time as processing occurs. The techniques developed to achieve this objective are known as concurrent auditing techniques. There may be two ways of collecting audit evidence:
i) A special audit module may be embedded in system software or application systems to collect, process and print audit evidence.
ii) Special audit records may be stored on application system files or on a separate audit file, to enable the auditors to examine this evidence at a later stage.


It must be clear that although the evidence collection should be concurrent with processing, the reporting may be done later. In case a critical error is identified, reports indicating errors may be generated immediately by embedded audit routines. Concurrent auditing techniques are felt necessary for the following purposes:
- Continuous Monitoring
- Difficulties of Performing Walkthroughs
- Presence of Entropy in the System

In advanced systems, subsystems may be tightly coupled by sharing the same database. In such a system, an erroneous update process in one sub-system may cause a whole lot of wrong processing in other sub-systems, resulting in incorrect decisions and heavy losses. By embedding audit routines and records into application systems, evidence can be collected to enable the auditors to examine it at a later stage. The following techniques are available for concurrent auditing:
i) Snapshots/Extended Records
ii) System Control Audit Review File (SCARF)
iii) Continuous and Intermittent Simulation (CIS)

i) Snapshots/Extended Records
By using this technique, a part of computer memory can be printed out to show the data upon which a decision is made. This enables auditors to review the contents of computer memory as transactions are processed, by using software routines which are embedded at different points in the application system. Before-image and after-image pictures are taken when a transaction flows through the system. A snapshot transaction is first tagged by the auditors to enable the software routine to identify the transactions for which the audit trail will be printed.

ii) System Control Audit Review File (SCARF)
SCARF is the most complex concurrent auditing technique. Audit software modules are embedded within a host application system and monitor the system's transactions continuously. The information collected is written to a special file, called the SCARF master file. The auditors examine this information from time to time. The following types of information may be captured by SCARF:
- Application System Errors
- Policy and Procedural Variances
- System Exceptions
- Statistical Samples
- Snapshots and Extended Records
- Performance Measurement
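The snapshot and SCARF techniques described above, as an added example (not code from the original document or from any audit product): audit routines embedded in a host posting routine write policy variances, system exceptions, statistical samples and before/after snapshots of a tagged transaction to a SCARF file. The teller limit, sampling interval, record layout, account numbers and transactions are constructed assumptions.

```python
"""Embedded audit module that writes to a SCARF file (added example, constructed data)."""
import copy
import json

TELLER_LIMIT = 50000   # assumed policy: larger amounts need a second authoriser
SAMPLE_EVERY = 3       # assumed interval for statistical samples


class EmbeddedAuditModule:
    """Audit routines called by the host application at fixed points in processing."""

    def __init__(self, tagged_txn_ids):
        self.tagged = set(tagged_txn_ids)  # transactions the auditor tagged for snapshots
        self.scarf = []                    # stands in for the SCARF master file
        self.processed = 0

    def _write(self, category, txn, **details):
        record = {"seq": len(self.scarf) + 1, "category": category, "txn_id": txn["id"]}
        record.update(details)
        self.scarf.append(record)

    def error(self, txn, message):
        """Application system error reported by the host routine."""
        self._write("application_error", txn, error=message)

    def before_update(self, txn, account):
        """Called before the balance changes; returns a before-image for tagged items."""
        self.processed += 1
        if txn["amount"] > TELLER_LIMIT and not txn.get("authorised_by"):
            self._write("policy_variance", txn, amount=txn["amount"],
                        rule="above teller limit without second authoriser")
        if self.processed % SAMPLE_EVERY == 0:
            self._write("statistical_sample", txn, transaction=dict(txn))
        return copy.deepcopy(account) if txn["id"] in self.tagged else None

    def after_update(self, txn, before_image, account):
        """Called after the balance changes; records the snapshot and any exception."""
        if before_image is not None:
            self._write("snapshot", txn, before=before_image,
                        after=copy.deepcopy(account))
        if account["balance"] < 0:
            self._write("system_exception", txn, balance=account["balance"],
                        detail="account overdrawn")


def post_transaction(accounts, txn, audit):
    """Host application routine with the audit hooks embedded in it."""
    account = accounts.get(txn["account"])
    if account is None:
        audit.error(txn, "unknown account " + txn["account"])
        return False
    before_image = audit.before_update(txn, account)
    sign = 1 if txn["type"] == "credit" else -1
    account["balance"] += sign * txn["amount"]
    audit.after_update(txn, before_image, account)
    return True


def scarf_report(scarf, sort_codes=("category", "seq")):
    """Order SCARF records by the sort codes the auditor chose for the report."""
    return sorted(scarf, key=lambda rec: tuple(rec[code] for code in sort_codes))


def run_demo():
    """Process six constructed transactions; T3 is tagged for a snapshot."""
    accounts = {"SB-1001": {"balance": 12000}, "CA-2002": {"balance": 90000}}
    transactions = [
        {"id": "T1", "account": "SB-1001", "type": "credit", "amount": 5000},
        {"id": "T2", "account": "CA-2002", "type": "debit", "amount": 75000},
        {"id": "T3", "account": "SB-1001", "type": "debit", "amount": 20000},
        {"id": "T4", "account": "XX-9999", "type": "credit", "amount": 100},
        {"id": "T5", "account": "CA-2002", "type": "credit", "amount": 60000,
         "authorised_by": "officer_b"},
        {"id": "T6", "account": "CA-2002", "type": "debit", "amount": 1000},
    ]
    audit = EmbeddedAuditModule(tagged_txn_ids={"T3"})
    for txn in transactions:
        post_transaction(accounts, txn, audit)
    return accounts, audit.scarf


if __name__ == "__main__":
    final_accounts, scarf_file = run_demo()
    for rec in scarf_report(scarf_file):
        print(json.dumps(rec, sort_keys=True))
```

Collection happens while each transaction is processed; the report is produced afterwards from the file, in whatever sort order the auditor selects.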

The auditors should determine the structure of the SCARF reporting system based on the following decisions:
- How the SCARF file will be updated
- Sort codes and report formats to be used
- The timing of report preparation

iii) Continuous and Intermittent Simulation (CIS)
This is a variation of the SCARF technique which, instead of embedding the audit program in the application system, involves modification of the database management system used by the application system. When the database management system is invoked by the application system, CIS decides whether to examine the transaction further. If so, CIS can replicate the application system's processing, on the lines of a parallel simulation program, to detect any discrepancy. If a discrepancy exists, CIS may either prevent updating of the database or note the exception and allow processing to continue. Exceptions are noted by CIS in a log file for further action by the auditors.

Manual Techniques: Apart from Computer Assisted Audit Techniques, evidence can also be collected manually, as has always been done in a manual system. Manual techniques are suitable for evaluation of management controls in particular. There are three major manual techniques:
i) Interviews
ii) Questionnaires
iii) Control Flowcharts

i) Interviews
Auditors may interview various people for various reasons. Analysts may be interviewed for a better understanding of functions and controls within the system. When interviewed, clerks may indicate certain problems regarding data submission. Users of the system may provide feedback regarding the impact of the system on the quality of their working life. By interviewing operators, auditors may be able to identify abnormal consumption of resources at the time of a system run. Identification of critical systems within the organisation may be possible by interviewing the controller. Finally, if any fraud is discovered, personnel may be interviewed to zero in on the person who perpetrated the fraud.


ii) Questionnaires
Traditionally, questionnaires are used to evaluate controls within systems. Major aspects of questionnaire design are:
- Design of the questions
- Design of the response scale
- Design of the layout and structure of the questionnaire

Design of questions should depend on the respondent group, the nature of the information sought and the administration of the questionnaire. The response scale chosen usually depends on the nature of the question asked. If factual questions are asked, the response may be checked in the form of 'yes' or 'no', or a certain piece of information, like the make of a machine, may be inserted. Certain questions, say on system effectiveness, may be answered on a seven-point scale (i.e. from 'low' to 'high'). Auditors should know when to use the questionnaire, how to use it and what the responses mean. If auditors themselves are to complete the questionnaire, they should be trained to fill it in. If many questionnaires are available, auditors must be able to evaluate the need and choose the one best suited to the purpose. Questionnaires should never be administered in a hurry, which increases the likelihood of errors. Finally, auditors should know how the questionnaire responses and scores should be interpreted.

iii) Control Flowcharts
Control flowcharts indicate the controls existing in the system and also the locations of such controls. Auditors may use them for a better understanding of the system and its controls and of the strengths and weaknesses of those controls, and for communicating their understanding of the system to others.

Types of Flowcharts and Purpose:
- Document Flowchart: Used to show controls over the flow of documents through the manual components of a computer system.
- Data Flow Diagram: Used to show the controls exercised over the data flows through a system.
- Flowchart: Used to show the controls exercised at the physical or resource level in a system.
- Program Flowchart: Used to show the controls exercised internally to a program.


Use of CAAT Tools - IDEA 2004: Some Advanced Features

IDEA (Interactive Data Extraction and Analysis) is data analysis software developed by a team of the Canadian Institute of Chartered Accountants and Auditors General of Canada in the mid eighties. IDEA has seen several versions since inception, with the DOS version making way for GUI-based Windows technology. The product was also transferred to professionals from "Caseware", whose single focus was to provide cutting edge business intelligence software for accountants and auditors. Using core Windows technology, the DOS version was changed into the user-friendly Windows platform. IDEA pioneered the use of intuitive graphical interfaces, wizards, HTML Help and guides to execute tasks in audit tools.

Automate Audit Routines

IDEAScript, a Visual Basic compatible programming language enriched with IDEA's functionality, allows the development of almost any type of application. An IDEAScript can be generated in Record mode or by converting the history (log) into an IDEAScript. You can re-run all the tasks conducted on a file by converting the history into an IDEAScript, and you can run it against another file. You can also customize it in order to interact with the user. Since IDEAScript is compatible with Visual Basic, users can incorporate all of the objects from Visual Basic into their scripts. An example usable in any industry is given in the Exhibit. IDEAScripts can be compiled and run from Windows Explorer, or put into Windows scheduled tasks to run a script at a specific time or repetitively at regular intervals. IDEAScript has significantly enhanced features, with over 400 methods and tools including a language browser, debug mode and dialog editor, as well as comprehensive context sensitive help.

A number of auditors in the Insurance, Banking, Manufacturing and Retail sectors, with audit locations spread across the country, have used automated audit routines not only to assure standard audit performance but also to reduce the travel cost of auditors and improve the quality of audit time at locations.


[Exhibit: Screenshots from automated routines]

Implement Benford's Law

Benford's Law is a method of analysis within "Digital Analysis". It is a procedure which analyses digits in numerical data. This procedure helps to identify 'irregularities' in a data range. In this context, irregularities are defined as numbers which, for example, may have been created through the (systematic) manipulation of data. An 'irregularity' is measured against the digit distribution in a 'natural' population, corresponding to the empirical regularities of Benford's Law. The first digit frequency is given in the table:

Exhibit: 1st digit frequency
First Digit    Frequency %
1              30.1
2              17.6
3              12.5
4              9.7
5              7.9
6              6.7
7              5.8
8              5.1
9              4.6

IDEA allows the user to analyse simultaneously the first, first two, first three, and second digits. Items that are beyond the bounds established need to be analysed for possible irregularities. An illustrative exhibit, as run in a retail supermarket on collections on different cash tills, is shown in the graph.
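The first-digit test described above, as an added example (it is not IDEA's implementation and not part of the original document): observed first-digit shares are compared with the exhibit's expected frequencies, and digits outside the bounds are flagged for follow-up. The bounds formula (a normal-approximation band with continuity correction), the function names and both data sets are assumptions of this example; the data is constructed.

```python
"""First-digit Benford test over a list of amounts (added example, constructed data)."""
import math
from decimal import Decimal, InvalidOperation

# Expected first-digit shares, P(d) = log10(1 + 1/d). As percentages they round
# to the exhibit's 30.1, 17.6, 12.5, 9.7, 7.9, 6.7, 5.8, 5.1 and 4.6.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Return the leading non-zero digit of an amount, or None if there is none."""
    try:
        digits = Decimal(str(amount)).as_tuple().digits
    except InvalidOperation:
        return None  # not a number, e.g. "n/a" in an exported column
    return digits[0] if digits and digits[0] != 0 else None


def benford_first_digit_test(amounts, z_crit=1.96):
    """Compare observed first-digit shares with Benford's Law.

    Returns one row per digit. A row is flagged "high" or "low" when the
    observed share falls outside expected +/- (z_crit * standard error + 1/(2n)).
    """
    counts = {d: 0 for d in range(1, 10)}
    for amount in amounts:
        digit = first_digit(amount)
        if digit is not None:          # zero and non-numeric items are skipped
            counts[digit] += 1
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no amounts with a leading digit")
    rows = []
    for d in range(1, 10):
        expected = BENFORD[d]
        margin = z_crit * math.sqrt(expected * (1 - expected) / n) + 1 / (2 * n)
        observed = counts[d] / n
        if observed > expected + margin:
            flag = "high"
        elif observed < expected - margin:
            flag = "low"
        else:
            flag = ""
        rows.append({"digit": d, "count": counts[d], "observed": observed,
                     "expected": expected, "lower": expected - margin,
                     "upper": expected + margin, "flag": flag})
    return rows


def flagged_digits(rows):
    """Digits whose observed share lies outside the bounds."""
    return [row["digit"] for row in rows if row["flag"]]


def sample_till_collections():
    """Constructed 'natural' data: 340 amounts from 10 up to 100,000, log-spread."""
    return [10 * 10 ** ((k * 0.0294) % 4) for k in range(340)]


def sample_suspect_entries():
    """Constructed entries clustered just under a hypothetical 5,000 limit."""
    return [4805 + 4.5 * i for i in range(40)]


if __name__ == "__main__":
    data = sample_till_collections() + sample_suspect_entries()
    for row in benford_first_digit_test(data):
        print("{digit}  n={count:3d}  obs={observed:6.1%}  exp={expected:6.1%}  "
              "bounds=[{lower:6.1%}, {upper:6.1%}]  {flag}".format(**row))
```

A flagged digit is a pointer to the items to examine, not proof of manipulation; legitimately bounded data such as fixed fees or capped amounts does not follow Benford's Law.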

Wide Range of Data Access

IDEA can natively read time fields from Excel, Access, ODBC, and all other file formats. IDEA provides Import components in order to import from small and mid-size accounting packages like Simply Accounting, ACC-PAC, Smart Stream, Great Plains, Sage, QuickBooks, and many more. New import components are constantly under development.

Greater Analysis Capabilities - Search and Action Fields

One can search for text or numeric values across selected fields in multiple databases, using standard search functionality like case sensitivity and whole word, plus advanced techniques such as Boolean expressions, wildcards, multiple characters and proximity. Search is a powerful tool for fraud detection. The Action field type allows you to set up relationships across multiple files; for example, create an action field on "Customer Number" in a customer database to link to related invoices.


FRAUD DETECTION
COMPUTERISED BANKING ENVIRONMENT ALERT SIGNALS WINDOW OF OPPORTUNITY OCCURRENCE OF FRAUDS FRAUD PREVENTIVE MEASURES

FRAUD DETECTION AND AUDIT IN BANKS


Vigilance and fraud share a peculiar relationship. Whichever works faster and better makes the difference. In the case of frauds in the financial sector, there is no limit as to how bad things can get. Maladies in any organisation are due more to non-adherence to the internal control mechanism than to the absence of it. Fraud is considered a white-collar crime. In the most common modus operandi, the fraudster studies the procedures and processes adopted by a commercial entity for putting through financial and funds transactions, ascertains the loopholes in the systems and then exploits them to his advantage in such a way that the fraud does not come to light immediately. However, it is only a question of time before it is detected. In the matter of preventing fraud, internal audit has an advantage over external audit in the sense that it has an understanding of how the system works and so can initiate quick steps. Internal audit would be privy to the dynamics of decision-making and the process behind it in an organisation. A vigilant internal audit team would be able to bring in the requisite transparency and, through this, proper accountability.

Computerised Banking Environment:


The basic purpose of computerising and mechanising more and more business is to contain the occurrence of frauds due to manual intervention, besides improving overall efficiency for ensuring better customer service. But over-dependence on the staff of computer vendors, and laxity coupled with lack of IT knowledge, paved the way for the occurrence of frauds. Some of the frauds and their modus operandi are summarised below:
- Significant exposure of the banking activities to the employee of a software vendor, while the latter is providing the maintenance service.
- At the time of half-yearly crediting of interest in the huge operative savings bank account, substantial amount may be credited by inflating interest paid on deposit account by erasing genuine debits/fraudulent credits in the relative accounts.
- Misappropriation of cash received at the Single Window counter, normally due to the absence of a scroll/control mechanism.
- Even after years of computerisation, important functions like password secrecy, maintenance, printing of reports, exceptional reporting, checking of the output/reports, monitoring system generated entries, etc. are not performed as per the laid down guidelines.


Alert Signals

Normally certain alert signals are thrown by the system if the environment is fraud-prone, and it is better to capture and catch them so that at least the impact is minimised, if not brought to nil. Some such signals are detailed below:
- Scrutinise various reports such as Internal Inspection, Concurrent Audit, Statutory Audit, Long Form Audit, Branch Audit, Supervisory/Regulatory inspection, etc., meant to throw light on the weaknesses in the system and vulnerable areas, and ensure that the shortcomings are duly attended to/rectified immediately.
- Deep probing of any abnormality of movement, transactions, data before it becomes too late for any action.
- Non-rotation of jobs and some gaining roots in the functioning of certain business oriented functional departments.
- No individual is bigger than the institution and, while keeping faith in people working on the systems, there should be no relaxation and compromise on the systems and procedures.

Window of opportunity for perpetration of fraud

In the banking sector, frauds are perpetrated basically by three classes of people: (1) employees, (2) customers and (3) outsiders or strangers. It is common knowledge that no fraud can take place without a window of opportunity for the same. Let us examine the window of opportunity and the environment because of which fraud takes place in banks.
- Banks, particularly the public sector ones, have to handle a huge rush of customers during the first week or 10 days in a month. With long queues and rush indiscipline, there is a tendency to overlook certain procedural aspects, and overall control systems get automatically relaxed.
- Creation/storage of surrogate specimen signatures in some of the benami/fraudster's/collateral security in the system with an intention to pass fraudulent financial transactions.
- With large scale computerisation, ordinary bank employees and customers are under the impression that mere computerisation is sufficient security, not fully appreciating the attendant vulnerabilities.


- Gaining access to operating systems, database systems and application software by unauthorised persons would make a number of business and administrative areas fraud-prone.
- Many frauds come to light only when the customer concerned brings the same to the notice of the bank.
- Pigmy/daily deposit collectors from small vendors and household sectors for the reason that the control exercised by banks on these is not adequate.
- Improper appraisal of jewels pledged to banks with the connivance of the jewel appraiser.

In the past one and a half decades, India has seen a number of scams relating to financial deals in general and the capital market in particular, as could be noticed from the alleged deals of Harshad Mehta, M S Shoes, CRB, Ketan Parekh, etc.

Occurrence of frauds: Some of the large value frauds that occurred in the Indian banking environment revealed that the following led to the occurrence of frauds:
- Opening a fictitious account for crediting proceeds of a forged/unauthorised cheque for immediate withdrawal.
- Allowing frequent overdrawing in the current or operative limits, not reporting it to the higher authorities and not getting it regularised.
- Availing loans on the strength of forged documents/title deeds.
- After availing loans, the proceeds of the asset procured out of the loan not being deposited back with the bank or being routed through other banks for siphoning the funds.
- Release of the securities in an unauthorised manner before ensuring liquidation of direct or indirect liability of a borrower/guarantor.
- Encashment of forged/stolen instruments such as cheque, demand draft, Credit Advice etc.
- Entertaining accommodation of Bill of Exchange transactions and wrongful encashment of loan proceeds through unauthorised withdrawal.


Fraud preventive measures

Proper security in computer systems can be achieved by exercising a series of regulations such as 'physical access controls', 'logical access controls', environment controls, etc. This is because perpetration of fraud in a computerised environment happens mainly by breaking any one or more or all of these access control mechanisms.
- Full adherence to all the security and control standards prescribed.
- Branches should be careful while issuing chequebooks on the basis of authorisation letters, to avoid fraudulent usage of the same. Proper verification is required.
- Implementation of segregation of duties, roles and responsibilities in the computerised environment.
- Job rotation among the staff and availment of leave by the employees should be ensured.
- No one should have complete access to the entire operating cycle of any financial transaction, and it should necessarily pass through more than two or three officials. That is, the four-eye principle should be adopted.
- Checking and balancing of books should never be entrusted to the same person at any point of time.
- Newly opened accounts need to be put under close watch for any unusual and large volume of transactions.
- Stipulated audit exercises such as credit audit, legal audit, stock audit and current asset audit should invariably be completed with different sets of people.

Conclusion: In the words of Mahatma Gandhi, there is enough in the world for everyone's need, but not for one's greed. Law by itself cannot put a full stop to corruption and fraud. According to the prevailing guidelines, cases of fraud of a value below Rs 1.00 cr would be handed over to the local police. However, reference of such cases to the Central Bureau of Investigation (CBI) would be necessary only if a bank official is suspected to be involved. Other cases would be referred to CBI. The Banking Securities and Fraud Cell at Delhi, Mumbai, Bangalore and Kolkata would handle information/compliance of amount of alleged bank frauds in excess of Rs. 5 crore. If the amount of the alleged fraud ranges between Rs. 1 crore and Rs. 5 crore, the information would be handled/investigated by the branch of CBI having territorial jurisdiction over the area.
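The four-eye principle and the watch on newly opened accounts listed under the fraud preventive measures above can be checked routinely against a transaction log. The following is an added example, not part of the original document; the log layout, user names, account numbers, the 90-day watch period and both amount thresholds are constructed assumptions.

```python
"""Four-eye and new-account checks over a transaction log (added example)."""
import csv
import io
from collections import defaultdict
from datetime import date

NEW_ACCOUNT_DAYS = 90      # assumed watch period for newly opened accounts
LARGE_AMOUNT = 100000      # assumed threshold for a single large transaction
LARGE_VOLUME = 500000      # assumed threshold for total value on a new account

# Constructed log; the column layout is an assumption of this example.
SAMPLE_LOG = """\
txn_id,txn_date,account,account_opened,amount,entered_by,authorised_by
T001,2024-04-02,SB-1001,2019-06-11,15000,clerk_a,officer_b
T002,2024-04-02,CA-2002,2024-03-20,480000,clerk_a,officer_b
T003,2024-04-03,SB-1003,2021-01-05,25000,clerk_c,clerk_c
T004,2024-04-03,CA-2002,2024-03-20,350000,clerk_a,
T005,2024-04-04,SB-1004,2024-01-02,9000,clerk_d,officer_b
T006,2024-04-04,SB-1003,2021-01-05,12000,Clerk_C ,clerk_c
"""


def review_log(log_text):
    """Return (reference, finding) pairs: per transaction first, then per account."""
    findings = []
    new_account_totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Normalise user ids so "Clerk_C " and "clerk_c" count as the same person.
        maker = row["entered_by"].strip().lower()
        checker = row["authorised_by"].strip().lower()
        if not checker:
            findings.append((row["txn_id"], "NO_SECOND_AUTHORISER"))
        elif maker == checker:
            findings.append((row["txn_id"], "SAME_MAKER_AND_CHECKER"))

        amount = float(row["amount"])
        opened = date.fromisoformat(row["account_opened"])
        age_days = (date.fromisoformat(row["txn_date"]) - opened).days
        if 0 <= age_days <= NEW_ACCOUNT_DAYS:
            new_account_totals[row["account"]] += amount
            if amount >= LARGE_AMOUNT:
                findings.append((row["txn_id"], "LARGE_TXN_ON_NEW_ACCOUNT"))

    # Account-level check: total value passed through an account while it is new.
    for account, total in sorted(new_account_totals.items()):
        if total >= LARGE_VOLUME:
            findings.append((account, "HIGH_VOLUME_ON_NEW_ACCOUNT"))
    return findings


if __name__ == "__main__":
    for reference, finding in review_log(SAMPLE_LOG):
        print(reference, finding)
```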


TAX AUDIT
AUDIT REPORT AND FORMAT CLAUSES


Issues in Tax Audit of Bank Branches


Under section 44AB of the Income Tax Act, entities whose turnover or gross receipts exceed Rs. 40 lacs during a financial year are required to get their accounts audited by a Chartered Accountant. This audit is generally known as "Tax Audit". This topic focuses on various issues involved in the Tax Audit of Bank Branches. Since generally the gross receipts of all the banks exceed Rs. 40 lacs during a previous year, the statutory auditors of all the branches of such banks which are under audit are generally appointed to carry out the tax audit assignment in respect thereof and submit their report in the prescribed format.

Audit Report & Format

Form 3CA
In this form, the auditor expresses his opinion on the correctness of the particulars given in Form 3CD.

Form 3CD
Part A: It consists of 6 clauses relating to name, address, etc., which are all self-explanatory.
Part B: It consists of 26 clauses. Of these, there are about 12 clauses which are generally not applicable at the branch level, as follows:
- Clause 7 - pertaining to a firm or AOP
- Clause 10 - pertaining to profit on presumptive basis
- Clause 12 - pertaining to valuation of closing stock
- Clause 15 - pertaining to amounts admissible under section 33AB, 33ABA, etc.
- Clause 19 - pertaining to amounts deemed to be profits u/s 33AB etc.
- Clause 23 - pertaining to details of amount borrowed on hundi
- Clause 25 - pertaining to brought forward loss or depreciation allowance
- Clause 26 - pertaining to details of deductions admissible under chapter VIA
- Clause 28 - pertaining to quantitative details of goods in case of trading concerns
- Clause 29 - pertaining to details of tax on distributed profits u/s 115O
- Clause 30 - pertaining to cost audit
- Clause 31 - pertaining to audit under Central Excise Act, 1944
- Clause 32 - pertaining to accounting ratios

Some of the clauses that need to be attended to are as follows:

Clause 11: Method of accounting
Though banks generally follow the mercantile system of accounting, there are a number of items in a bank which may be on cash basis: income on NPA accounts, commission, exchange, leave encashment benefits, safe deposit vault rent, etc. The method of accounting employed in the previous year refers to the cash or mercantile system of accounting. What is to be reported in clause 11 (b) is a change in accounting method, i.e. cash or mercantile, and not a change in accounting policy.

Clause 13: Amounts not credited to Profit & Loss account
Generally, at the branch level, there are no items to be reported under this clause.

Clause 14: Particulars of depreciation allowable
Generally the only details provided by the branch are in sub-clause (d), regarding additions/deductions during the year. Generally, fixed assets are controlled by the head office of the bank. Hence, the details of opening balance as per the Income Tax Act are not available at the branch level. The auditor, therefore, may state that as the details are not maintained at branch level, they are not filled in here. Thus, the information required in sub-clauses (a), (b), (c), (e) and (f) has to be filled in at the head office level only.

Clause 16: Particulars of bonus, commission & contribution to provident fund
Sub-clause (a), regarding certain payments to employees, is generally not applicable at branch level. In sub-clause (b), the particulars of the amount deducted by the branch from the salary of staff members towards employees' contribution to Provident Fund have to be given, with details such as date of deduction, amount deducted, due date and actual date of remittance.

Clause 17: Details of expenses debited to P & L account that may be disallowed
There are sub-clauses under clause 17. Sub-clause (a) is regarding capital expenditure debited to Profit & Loss account. Normal principles differentiating between capital and revenue expenditure should be applied while reporting under this clause.


Items like new fire or security alarms, computers, printers, fire extinguishers, electric fans and cell phones are of capital nature and need to be capitalised. On the other hand, all repairs, maintenance, replacements, modifications and improvements to existing assets are revenue in nature and need not be capitalised, e.g. re-wiring of the branch, re-flooring, re-painting, re-polishing, etc. All such expenses, including the professional fees paid to architects and interior decorators for this purpose, are considered revenue expenditure in nature. Petty items like calculators, briefcases, etc. are not of durable nature and should be treated as revenue expenditure.

Sub-clause (b) is regarding expenditure of personal nature debited to profit and loss account. These personal expenses exclude those which are payable to the employee under contractual obligation. Thus, LFC, leave encashment, medical aid, telephone bill of residence, etc. paid under contractual obligation should not be reported here.

Sub-clause (d) refers to expenditure incurred at clubs. Expenses incurred in respect of service organisations like Bankers club, Giants, Rotary, Jaycees, Lions, etc., which are for business development, are not covered by this clause.

Sub-clause (h) refers to expenditure exceeding Rs. 20,000/- incurred otherwise than by way of crossed cheque or crossed bank draft, which is inadmissible under section 40A(3) read with rule 6DD. Generally, in a bank, such payments are never made in cash.

Clause 20: Profit chargeable to tax under section 41
Bad debts written off in the previous years and now recovered get covered under this clause.

Clause 21: Deductions requiring actual payment under section 43B
Certain types of expenditure like tax, duty, cess, fees, etc. payable under any law are allowed as a deduction in computing the total income only in the year in which they are actually paid. Similarly, interest provision on any loan or borrowing from any financial institution/corporation is allowed as a deduction only if it is actually paid.

Clause 24: Acceptance/repayment of deposits in cash exceeding specified limits
Sub-clause (a), relating to acceptance of loan or deposit exceeding Rs. 20,000/-, is not applicable to a banking company.

Clause 27: Delay in deposit of TDS
Generally, banks have to deduct tax at source from payment of salaries, interest on deposits, rent, professional fees, payment to contractors, etc. and deposit it with the Central Government within the stipulated period.


CONCURRENT AUDIT
SCOPE ITEMS OF COVERAGE


Concurrent Audit
Concurrent audit, as the name suggests, is an audit or verification of transactions or activities of an organization concurrently as the transaction/activity takes place. It is not a pre-audit. The concept in this audit is to verify the authenticity of the transaction/activity within the shortest possible time after the same takes place. It is akin to internal audit, which is a concept recognized under the Companies Act. In view of the complexities of economic activities, it is now well recognized that there must be a system of someone, other than the person involved in the operations, verifying the authenticity of the transaction/activity on a regular basis so that any deviation from the laid down procedures can be noticed in the shortest possible time and remedial action can be taken.

Scope of Concurrent Audit: The guidelines issued by the RBI cover all the important areas of activities of the branch, which is under concurrent audit. Most banks have prepared an Audit Manual for this purpose. Broadly stated, the following areas are covered by these guidelines:
a) Daily cash transactions with particular reference to any abnormal receipts and payments. This includes currency chest transactions, major expenses incurred by cash payments and high value cash receipts and disbursements.
b) Purchase and sale of shares, securities.
c) Physical verification of investments and verification of rates at which transactions are entered into. Similarly, examination of capital expenditure on purchase of capital assets as well as sales of such assets. This will include verification of relevant documents and authorization.
d) Verification of procedure and documentation for opening new current, savings, term deposit accounts, etc. If there are any unusual operations in these new accounts the same should be examined thoroughly and unusual features should be reported.
e) Verification of Advances - Overdrafts, TOD, CC Accounts, Term Loans, Bills Purchase, L.C., Guarantees, Over dues, devolvement, and L.C./Guarantee, etc.
f) Verification of statements, H.O. Returns, statutory returns, calculation of capital adequacy ratio, and compliance with requirements of government business (collection of tax and disbursements).
g) Study of RBI and internal inspection reports, statutory auditor's report, LFAR relating to branch, etc. and compliance thereto.
h) Whether clients' complaints are dealt with promptly.

SUGGESTED ITEMS OF COVERAGE:
(A) Cash
I. Daily cash transactions with particular reference to any abnormal receipts and payments.
II. Proper accounting of inward and outward cash remittances.
III. Proper accounting of currency chest transactions, its prompt reporting to the RBI.
IV. Expenses incurred by cash payment involving sizeable amount.
(B) Investment
I. Ensure that in respect of purchase and sale of securities the branch has acted within its delegated power having regard to its HO instructions.
II. Ensure that the securities held in the books of the branch are physically held by it.
III. Ensure that the branch is complying with the RBI/HO guidelines regarding BRs, SGL forms, delivery of scrips, documentation and accounting.
IV. Ensure that the sale or purchase transactions are done at rates beneficial to the Bank.
(C) Deposits
I. Check the transactions about deposits received and repaid.
II. Percentage check of interest paid on deposits may be made including calculation of Interest on large deposits.
III. Check new accounts opened particularly current accounts. Operations in new Current/SB accounts may be verified in the initial periods to see whether there are any unusual operations.
(D) Foreign Exchange transactions
1. Check foreign bills negotiated under letters of credit.
2. Check FCNR and other non-resident accounts whether the debits and credits are permissible under rules.
3. Check whether inward/outward remittances have been correctly accounted for.
4. Examine extension and cancellation of forward contracts for purchase and sale of foreign currency. Ensure that they are duly authorized and necessary charges have been recovered.
5. Ensure that balances in Nostro accounts in different foreign currencies are within the limit as prescribed by the bank.
6. Ensure that the overbought/oversold position maintained in different currencies is reasonable taking into account the foreign exchange operations.
7. Ensure adherence to the guidelines issued by RBI/HO of the bank about dealing room operations.
8. Ensure verification/reconciliation of Nostro and Vostro a/c transactions/balances.


FOREX AUDIT
FOREX MARKET PRODUCTS NUTS AND BOLTS NOSTRO/VOSTRO CORPORATE GOVERNANCE


AUDIT OF FOREX OPERATIONS - A challenging task
Internal audit in banks and financial institutions is one area wherein there are numerous challenges emerging from the liberalisation in areas viz., financial, economic, trade and exchange control. With it, the philosophy of autonomy in management in general, and forex management in particular, has been in the process of shaping and stabilization.

Forex Audit - Nuts and Bolts
The auditor in a work situation has to give special attention to operations, internal control, segregation of function of front and backup/accounting functionaries, infrastructure, experience and skill of persons in handling derivative products, settlement of funds, counterparty confirmations, empanelment and ethical conduct of brokers, documentation and supporting evidences. Mid office also has to play a due role in scrutiny of exchange control and other compliances and risk management functions.

Nostro/Vostro - Monitoring and Control
To put through the transactions the banks have accounts in foreign currencies with other banks. Such accounts are known as nostro accounts. Reconciliation of nostro and age-wise analysis of unreconciled transactions is an essential control function. The rupee account of an overseas correspondent bank maintained by the bank in India is known as a "Vostro" (Rupee) account. Exchange control requires close monitoring of the funds flow in vostro accounts so as to ensure that transactions are as permitted under the control and that funding is in line with the agency agreement/volume of business.
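The nostro reconciliation and age-wise analysis described above can be sketched as follows. This is an added example, not part of the original document: the entry layout, the matching rule (reference, currency and signed amount), the ageing buckets and all sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Ageing buckets in days. The page prescribes none; these are assumptions.
BUCKETS = [(0, 7, "0-7"), (8, 30, "8-30"), (31, 90, "31-90"), (91, None, "over 90")]


@dataclass(frozen=True)
class Entry:
    source: str       # "ledger" = bank's own books, "statement" = correspondent's
    ref: str
    currency: str
    amount: Decimal   # signed from the bank's side: + credit, - debit
    value_date: date


def match_key(e):
    # References are compared case-insensitively with padding stripped.
    return (e.ref.strip().upper(), e.currency, e.amount)


def reconcile(ledger, statement):
    """Pair entries one-to-one; return everything left unpaired on either side."""
    pool = defaultdict(list)
    for s in statement:
        pool[match_key(s)].append(s)
    unmatched = []
    for entry in ledger:
        candidates = pool.get(match_key(entry))
        if candidates:
            candidates.pop()          # consume exactly one statement line
        else:
            unmatched.append(entry)
    for leftover in pool.values():    # duplicates and items never booked
        unmatched.extend(leftover)
    return unmatched


def bucket_for(days):
    for low, high, label in BUCKETS:
        if days >= low and (high is None or days <= high):
            return label
    return "future-dated"             # value date after the reconciliation date


def age_analysis(unmatched, as_of):
    """Count and total the unreconciled items per (currency, source, age bucket)."""
    report = defaultdict(lambda: {"count": 0, "total": Decimal("0")})
    for e in unmatched:
        slot = report[(e.currency, e.source, bucket_for((as_of - e.value_date).days))]
        slot["count"] += 1
        slot["total"] += e.amount
    return dict(report)


# Constructed sample data (not real transactions).
AS_OF = date(2004, 9, 30)
LEDGER = [
    Entry("ledger", "TT1001", "USD", Decimal("25000.00"), date(2004, 8, 2)),
    Entry("ledger", "TT1002", "USD", Decimal("-4000.00"), date(2004, 9, 20)),
    Entry("ledger", "LC0457", "EUR", Decimal("12500.50"), date(2004, 5, 10)),
]
STATEMENT = [
    Entry("statement", "tt1001 ", "USD", Decimal("25000.00"), date(2004, 8, 3)),
    Entry("statement", "TT1002", "USD", Decimal("-4000.00"), date(2004, 9, 21)),
    Entry("statement", "TT1002", "USD", Decimal("-4000.00"), date(2004, 9, 21)),
    Entry("statement", "CHG778", "USD", Decimal("-35.00"), date(2004, 9, 28)),
]

if __name__ == "__main__":
    open_items = reconcile(LEDGER, STATEMENT)
    for key, slot in sorted(age_analysis(open_items, AS_OF).items()):
        print(key, slot["count"], slot["total"])
```

The one-to-one pairing is what surfaces the second TT1002 debit on the statement: a match that consumed both lines against one ledger entry would hide a duplicated payment.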


Corporate Governance and Internal Controls
In establishing a system of internal control, the Board of Directors consider, among other things, the following:
Governance processes that directly affect control, such as establishing policies, plans and ethical values;
Management processes such as risk identification and assessment, strategic planning and communication;
Monitoring and learning processes such as continuous improvement and internal audit;
Delegated authorities are documented and communicated;
Setting and implementation of compliance standards.


STATUTORY AUDIT OF BANK TREASURY


TYPES OF TRADE CRR & SLR EVALUATION OF INTERNAL EDP CONTROL


Statutory Audit Of Bank Treasury


Audit of an integrated treasury is a complex task requiring high level of skills, knowledge of market practices and the relevant regulatory environment. Treasury income constitutes a significant portion of a bank's income, many a time equal to the entire income received from advances and the extensive branch network of banks. This paper makes an attempt to highlight the products and market practices in vogue, which an auditor of an integrated bank treasury operation will have to be aware of.

Types of trades:

Customer trades: These are deals between the bank and its customers, predominantly in foreign exchange. The profit or loss to the bank is the spread between its inter-bank buying rate and the selling rate to the customer. For example, a customer may place an order to buy USD 100,000. The Bank buys @ Rs.47.98 in the market and sells @ Rs.48.00 to the customer, making a profit of Re.0.02.

Proprietary trades: These are trades by the bank for its own account. They could be in the domestic or overseas market. Buying G-Sec for trading portfolio, in the expectation that price will go up (i.e., interest rates will fall) is an example of a proprietary trade in the domestic market. Buying US dollars and selling Japanese Yen is a cross-currency trade to profit from US dollar appreciation. Proprietary trades are done in the inter-bank market.

Over-the-counter (OTC): Deals are struck with counterparties on phone and the same is later confirmed in writing. Forex trading is not centralized on an exchange, as in the case of stocks and futures markets. The forex market is considered an over-the-counter (OTC) or inter-bank market, since transactions are conducted between two counterparties over the telephone or via an electronic network.

Channels: Transactions could be directly with a counterparty or through an intermediary, involving intermediation fees.

SLR: Recognising the need to maintain the confidence of the public in the banking system, the Banking Regulation Act stipulates that every bank shall maintain in cash, gold or unencumbered approved securities, an amount which shall not, at the close of business on any business day, be less than 25% of its 'Demand and Time Liabilities' in India as on the last Friday of the second preceding fortnight.

CRR: Every bank is to maintain a cash reserve, by way of balance in a current account with RBI or by way of net balance in current accounts, of a sum equivalent to 5% of its 'Demand and Time Liabilities' in India as on the last Friday of the second preceding fortnight.

Evaluation of internal control: The existence of an effective system of internal control is a sine qua non for efficient treasury operations. It is important that operations of a treasury are effectively segregated among:
Front office: Dealing in the financial markets for lending and borrowing funds, buying and selling in financial instruments.
Back office: Settlement, delivery, accounting, custody and reconciliation.
Mid office: Risk monitoring and control.
An audit of Treasury includes an audit of all the three offices.

EDP controls (AAS 29): The extent of computerization is usually extensive in treasuries. This calls for strict controls in such an environment. Robust software covering the entire gamut of functionality required for smooth functioning of treasury, a proper security environment, controls in place to prevent unauthorized usage of files, systems, etc, start/end-of-the day process, business continuity and disaster recovery plans, well documented user and technical manuals, audit trails in the software, exception reports, complete trail of all back end changes made are a must.
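One way an exception report can be produced from a treasury system's audit trail to test the front/back/mid office segregation described above. This is an added example, not part of the original document: the log layout, action names, user ids and the sample trail are hypothetical and constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Which office may perform which action, following the front/back/mid office
# split described in the text. Action names are hypothetical.
ALLOWED = {
    "front": {"DEAL_CAPTURE", "DEAL_AMEND"},
    "back": {"CONFIRM", "SETTLE", "ACCOUNT"},
    "mid": {"LIMIT_CHECK", "REVALUE"},
}

# Office each user is assigned to (constructed sample).
USERS = {"dlr01": "front", "dlr02": "front", "bo01": "back", "bo02": "back", "mo01": "mid"}

# Constructed audit-trail extract: one line per action on a deal.
AUDIT_TRAIL = """\
ts,user,action,deal_id
2004-09-01T10:02:11,dlr01,DEAL_CAPTURE,FX-0001
2004-09-01T10:40:03,mo01,LIMIT_CHECK,FX-0001
2004-09-01T11:15:47,bo01,CONFIRM,FX-0001
2004-09-01T15:30:00,bo01,SETTLE,FX-0001
2004-09-02T09:12:30,dlr02,DEAL_CAPTURE,FX-0002
2004-09-02T09:13:05,dlr02,SETTLE,FX-0002
2004-09-02T16:45:10,bo02,DEAL_AMEND,FX-0001
2004-09-03T08:00:00,tmp9,ACCOUNT,FX-0002
"""


def office_of_action(action):
    """Return the office an action belongs to, or None if it is not recognised."""
    for office, actions in ALLOWED.items():
        if action in actions:
            return office
    return None


def exception_report(trail_csv, users):
    """Return (deal_id, user, exception_code, detail) tuples for an auditor to follow up."""
    exceptions = []
    offices = defaultdict(lambda: defaultdict(set))   # deal -> user -> offices acted in
    actions = defaultdict(set)                        # deal -> actions seen
    for row in csv.DictReader(io.StringIO(trail_csv)):
        user, action, deal = row["user"], row["action"], row["deal_id"]
        needed, assigned = office_of_action(action), users.get(user)
        if assigned is None:
            exceptions.append((deal, user, "UNKNOWN_USER", action))
        elif needed is None:
            exceptions.append((deal, user, "UNKNOWN_ACTION", action))
        elif needed != assigned:
            exceptions.append((deal, user, "OUTSIDE_OFFICE", action))
        if needed is not None:
            offices[deal][user].add(needed)
        actions[deal].add(action)
    for deal in actions:
        # One person acting for two offices on the same deal defeats segregation.
        for user, acted_in in offices[deal].items():
            if len(acted_in) > 1:
                detail = "+".join(sorted(acted_in))
                exceptions.append((deal, user, "SAME_USER_MULTI_OFFICE", detail))
        # Settlement with no counterparty confirmation anywhere in the trail.
        if "SETTLE" in actions[deal] and "CONFIRM" not in actions[deal]:
            exceptions.append((deal, "*", "SETTLED_WITHOUT_CONFIRM", "SETTLE"))
    return exceptions


if __name__ == "__main__":
    for line in exception_report(AUDIT_TRAIL, USERS):
        print(*line, sep="  ")
```

A report like this is only as reliable as the trail beneath it, which is why the completeness of the audit trail and of the record of back-end changes has to be tested as well.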


10

LIST OF RBI CIRCULARS/GUIDANCE/DIRECTIVES RELEVANT FOR BANK AUDIT:


S.No. | Circular No/Date | Contents
1. | DBOD.NO.BP.BC.37/21.040141/2004-2005 dated 2/9/2004 | Prudential Norms for Classification of Investment Portfolio by Banks
2. | DBS.ARS.NO.BC.4/08.91.001/2004-05 dated 27/8/2004 | Terms and conditions for appointment of statutory/concurrent/internal auditors
3. | DBOD NO DIR.BC.32/13.07.05/2004-2005 dated 17/8/2004 | Dematerialization of banks' investment in equity
4. | DBS.FRMC.BC.NO.2/23.04.001/2004-05 dated 7/8/2004 | Fraud - Classification and Reporting
5. | DBODNOREFBC.23/12.01.001/2004-05 | Master Circular on CRR & SLR
6. | DBOD.DIR.BC.20/13.03.00/2004-2005 dated 30/7/2004 | Master Circular Loans and Advances - Statutory and Other Restrictions
7. | DEOD NO DIRBC.18/13.03.00/2004-2005 dated 23/7/2004 | Master Circular on Guarantees and Co-acceptances
8. | DBOD NO DIR.BC.14/13.03.00/2004-2005 dated 21/7/2004 | Master Circular - Exposure Norms
9. | DBOD NO.BP.BC.12/21.01.002/2004-2005 dated 19/07/2004 | Master Circular - Prudential Norms on Capital Adequacy
10. | DBOD DIR BC 9/13.03.00/2004-05 dated 16/07/2004 | Master Circular on Interest Rates on NRO & NRE Accounts
11. | DBOD NO DIR.BC.8/13.03.00/2004-05 dated 14/07/2004 | Master Circular on Interest Rates on FCNR(B) Accounts
12. | DBOD DIR BC 6/13.03.00/2004-05 dated 8/7/2004 | Master Circular on Interest Rates on Advances
13. | DBOD NO. BP. BC. 11/21.04.141/2004-05, dated 17-7-2004 | Master Circular on Prudential Norms for Classification, Valuation and Operation of Investment Portfolio by Banks
14. | DBOD NO.BP.BC.10/21.04.048/2004-05, dated 17-7-2004 | Master Circulars on Prudential Norms on Income Recognition, Asset Classification and Provisioning pertaining to Advances
15. | DBOD BP.BC.89/21.02.043/2003-04, dated 9-6-2004 | Amalgamation/Merger of non-banking finance companies with banks
16. | SO 666 (E), dated 7-6-2004 | Section 53 of the Banking Regulation Act, 1949 - Power to exempt in certain cases
17. | UBD. NO. PCB.49/12.05.03/2003-04, dated 1-6-2004 | Income Recognition, Asset Classification and Provisioning Norms
18. | DBOD.NO.BP.BC.80/21.02.067/2003-04, dated 23-4-2004 | Declaration of Dividend by Banks
19. | DBOD NO BP BC 82/21.04.018/2003-04, dated 30/4/2004 | Guidelines on compliance with Accounting Standards by banks
20. | DBOD NO.BP.BC 66/21.04.117/2003-04, dated 05-2-2004 | Revised Guidelines for Compromise Settlement of Chronic Non-Performing Assets of Public Sector banks up to 10 crore
21. | DBOD.FSC.NO.56/24.01.001/2003-04, dated 12-12-2003 | Master Circular Activities on Para banking
22. | DBOD.NO.BP.BC.53/21.04.141/2003-04, dated 10-12-2003 | Prudential Guidelines on Banks' Investment in Non-SLR securities
23. | DBOD.BP.BC.44/21.04.141 2003-04, dated 12-11-2003 | Prudential Guidelines on banks' Investment in Non-SLR securities
24. | DBOD.NO.FSC.BC.27/24.01.018/2003-04, dated 22-9-2003 | Entry of banks into Insurance Business
25. | DBOD NO.BP.BC 93/21.04.018/2002-03, dated 8-4-2003 | Revised AS 11 on Accounting for Effects of Changes in Foreign Exchange Rates
26. | DBOD NO.BP.BC.89/21-04.018/2002-03, dated 29-3-2003 | Guidelines on Compliance with Accounting Standards by Banks


CASE LAW

11

Negotiable Instruments Act, 1881 - Sections 138 and 142 - Limitation period for filing complaint regarding dishonour of cheque - Starting of limitation period - notice by fax - whether permissible

Legal Decisions Affecting Bankers
Sil Import, U.S.A. Vs. Exim Aides Silk Exporters, Bangalore, AIR 1999 SC 1609; (1999) 4 SCC 567

Principle
In the case of dishonour of cheque, where notice under provision (b) of section 138 of the Negotiable Instruments Act has been served more than once, the period of limitation for filing complaint under section 142 (a) of the Act commences from the date of receipt of the first notice by the drawer and not from the date of receipt of the latter notice. It is permissible for the drawer to send notice by fax.

Facts
In this case, the respondent was an exporter of silk goods. The appellant, a company based in U.S.A., owed a certain amount to the respondent by way of sale consideration towards goods imported by it. Two cheques, which were issued by the appellant in favour of the respondent, were dishonoured on the ground "no sufficient funds". The respondent then sent a notice to the appellant by fax on 11.6.1996, which was received by the appellant on the same day. On the next day after sending the fax, the respondent again sent the same notice by registered post, which was served on the appellant on 25.6.1996. The respondent filed a complaint before the Magistrate on 8.8.1996 in respect of the dishonour of cheques. The question before the Magistrate was whether the petition had been filed within the period of limitation prescribed under section 138 of the Negotiable Instruments Act. As the complaint was filed within 45 days from the date of receipt of acknowledgement of the notice sent by registered post, the Karnataka High Court held that the complaint was within the period of limitation.

The appellant contested that the cause of action had arisen on the expiry of 15 days from the date of receipt of the fax (namely on 26.6.1996) and hence the complaint was not within the stipulated time.

Observations of the Court
Section 142 of the Negotiable Instruments Act prohibits the Court from taking cognizance of an offence unless the complaint is filed within one month of the date on which cause of action arises. Completion of offence is the requires the payee, who receives the information regarding the return of the cheque unpaid, to make a demand for payment "by giving notice in writing to the drawer of the cheque". Nowhere is it said that such notice must be sent by registered post or that it should be dispatched through a messenger.

Chapter XVII of the Act (Sections 138 to 142) was inserted in the Act as per the Banking, Public Financial Institutions and Negotiable Instruments Laws (Amendment) Act, 1988. When the legislature contemplated that notice in writing should be given to the drawer of the cheque, the legislature must be presumed to have been aware of the modern devices and equipment already in vogue and also in store for future. If the court were to interpret the words "giving notice in writing" in the section as restricted to the customary mode of sending notice through postal service or even by personal delivery, the interpretative process would fail to cope with the change of time. Facsimile (or fax) is a way of sending handwritten or printed or typed material as well as pictures by wire or radio.

The High Court's view that the sender of the notice must know the date when it was received by the sendee, for otherwise he would not be in a position to count the period in order to ascertain the date when cause of action had arisen, is erroneous inasmuch as it erases the starting date of the period of 15 days envisaged in provision (e) to Section 138. If a different interpretation is given, the absolute prohibition incorporated in Section 142 of the Act would become superfluous.

Hence, on the date when the notice sent by fax reached the drawer of the cheque, the period of 15 days (within which he has to make the payment) had started running, and on the expiry of that period the offence was completed unless the amount had been paid in the meantime. If no complaint was filed within one month therefrom, the payee would stand forbidden from launching a prosecution thereafter, due to the clear interdict contained in Section 142 of the Act. In the instant case, the appellant has admitted that a written notice was sent by fax and was received by him on the same day. The respondent has no case that the fax did not reach the appellant on the same date (11.6.1996). Although the last day when the respondent could have filed the complaint was 26.7.1996, the complaint was filed only on 8.8.1996. Hence, the Magistrate had no jurisdiction to take cognizance of the offence on the said complaint.

Decision
The appeal was allowed accordingly.


12

BANK SCAM
It is now just under a decade from April 1992, when news broke that State Bank of India had asked Mehta to return Rs.500 crores he had illegally put to work on the stock markets. ANZ Grindlays Bank's (now Standard Chartered Grindlays) Ram Narayan Popli was another key player in the Mehta game. On one occasion in February 1991, he diverted a Canara Bank banker's cheque worth Rs.5.05 crores favouring Grindlays Bank to Mehta's account. On March 18 and April 24 that year, he pulled off the same trick, this time with banker's cheques worth Rs.10.84 crores and Rs.7.62 crores. Both UCO Bank and ANZ Grindlays suffered separately. That a few employees of these banks could routinely siphon off their employer's cash says not a little about the abysmal state of their supervisory apparatus.

That the scam is still chasing the bank is clear from the words of Mr. N. Kantha Kumar, Executive Director (Canara Bank): "If you consider banks in our peer group, you will see that we are the last major player to enter the market for raising capital. This is despite our large presence and stature. This was indeed a long wait. We were actually waiting to sort out certain Canfina-related issues."

It seems the banks had not learned much since their infamous liaison with Harshad Mehta in 1992. This time too, it was only with the connivance of banks that Ketan Parekh could perpetrate such a huge scam. Madhavpura Mercantile Co-operative Bank (MMCB) regularly issued him credit against his overpriced stocks. MMCB threw every canon of prudent banking by the wayside when it violated RBI regulations to provide about Rs.840 crores to Parekh's companies. Banks such as GTB and Standard Chartered had also given Parekh an overdraft facility, which he used to recycle funds in the market. SEBI's investigations reveal that by the end of March, Ketan Parekh had access to almost Rs.2,000 crores of funds, primarily from banks.


13

Conclusion: A Final Word

Bank audit is a vast area. In addition, there are a number of seminars conducted. Apart from the sources of knowledge made available, the auditor has to understand the purpose of audit, and conduct the audit with logical thinking and application of knowledge. The report has to be drafted in such a manner that it stands the test of contents, clarity and utility. To my mind the best test of audit is: "Whether the report had added any value to the branch in smoothening the operations?" If the answer is "Yes", then the job is done. A well-conceived audit policy, put to practice by those who are expected to discharge the onerous responsibility in the bank, would show that the audit operation is not a mere ritual but a critical operation that needs to be dealt with beyond numbers. An experienced audit committee in a bank does make sense and adds value when the audit function is given a direction, and is indeed a great comfort to all concerned with the bank.


ANNEXURE Auditors Report of HDFC Bank:


(i) The nature of the Corporation's business/activities during the year is such that clauses (ii), (viii) and (xiii) of CARO, 2003 are not applicable.

(ii) In respect of its fixed assets:
(a) The Corporation has maintained proper records showing full particulars, including quantitative details and situation of fixed assets.
(b) Some of the fixed assets were physically verified during the year by the Management in accordance with a programme of verification, which in our opinion provides for physical verification of all the fixed assets at reasonable intervals. There is also a system of periodic physical verification of leased assets by the Management, the frequency of which is reasonable. According to the information and explanations given to us no material discrepancies were noticed on such verification.

(iii) In respect of loans, secured or unsecured, granted by the Corporation to companies, firms or other parties covered in the Register maintained under Section 301 of the Companies Act, 1956,

(iv) In respect of loans, secured or unsecured, taken by the Corporation from companies, firms or other parties covered in the Register maintained under Section 301 of the Companies Act, 1956, according to the information and explanations given to us: The Corporation has taken loans from 19 parties. At the year-end, the outstanding balances of such loans taken aggregated to Rs. 2,53,94,095 and the maximum amount involved during the year was Rs. 2,55,36,967.

(v) In our opinion and according to the information and explanations given to us, there are adequate internal control procedures commensurate with the size of the Corporation and the nature of its business for the purchase of fixed assets and for the sale of services and we have not observed any continuing failure to correct major weaknesses in such internal controls.

(vi) In our opinion and according to the information and explanations given to us, the Corporation has complied with the provisions of Sections 58 and 58AA of the Companies Act, 1956 and the Housing Finance Companies (NHB) Directions, 2001, with regard to the deposits accepted from the public.

(vii) In our opinion, the internal audit functions carried out during the year by firms of Chartered Accountants appointed by the Management have been commensurate with the size of the Corporation and the nature of its business.

(viii) According to the information and explanations given to us, in respect of statutory dues:
(a) The Corporation has generally been regular in depositing undisputed statutory dues including Provident Fund, Investor Education and Protection Fund, Income-tax, Sales-tax, Wealth Tax, Service Tax, cess and any other material statutory dues with the appropriate authorities during the year.
(b) There are no undisputed amounts outstanding as at March 31, 2005 for a period of more than six months from the date they became payable.
(c) Details of disputed Sales-tax, Wealth Tax and Interest on lease tax which have not been deposited as on 31st March, 2005 on account of any dispute are given below:

(ix) In our opinion, the Corporation is not dealing in or trading in shares, securities, debentures and other investments. Accordingly, the provisions of clause 4(xiv) of the CARO, 2003 are not applicable to the Corporation.

(x) Based on the maturity profile of assets and liabilities with a residual maturity of one year, as given in the Asset Liability Management report, the liabilities are in excess of assets by Rs.1042 crores which is within the approved gap limit. As explained to us, the liabilities are generally renewed on maturity and consequently the excess stated above does not reflect a mismatch in application of funds.

For S. B. BILLIMORIA & CO.
Chartered Accountants
P. R. Ramesh
Partner
(Membership No. 70928)
MUMBAI
May 5, 2005


Regulatory and Other measures Other Items

Date of Publish: Nov 22, 2004

Selected circulars issued by the Reserve Bank of India during September 2004 are reproduced below:

Ref. No.PCB.Cir.16/16.20.00/2004-05 dated September 2, 2004
The Chief Executive Officers of All Primary (Urban) Co-operative Banks

INVESTMENT PORTFOLIO OF URBAN CO-OPERATIVE BANKS - CLASSIFICATION AND VALUATION OF INVESTMENTS

Please refer to the Master Circular on Investments by Primary (Urban) Co-operative Banks, forwarded with our letter UBD.BPD.(PCB) MC.No. 4/ 16.20.00/ 2003-04 dated 23 December 2003 (available on website rbi.org.in).

2. Representations have been received from banks, Federation/Association of urban co-operative banks that the existing guidelines of classification of investments should be reviewed with a view to bringing them in alignment with international practices and current state of risk management practices in India, taking into account the unique requirement of maintenance of statutory reserve requirement of 25 per cent of the Net demand and time liabilities (NDTL) under Section 24 of Banking Regulations Act 1949. Consequently, the Reserve Bank of India is setting up an Internal Group to review the existing guidelines and Report of the Group will be discussed in the Standing Committee on Financial Regulation. In the meantime, it has been decided as under:

(i) Banks may exceed the present limit of 25 per cent of a bank's total investments under HTM category provided:
a) the excess comprises only of SLR securities, and
b) the total SLR securities held in the HTM category is not more than 25 per cent of their NDTL as on the last Friday of the second preceding fortnight.

(ii) To enable the above, as a one-time measure, banks may shift SLR securities to the HTM category any time, once more, during the current accounting year.

Ref. No. UBD.PCB.Cir. 17 /13.04.00/2004-05 dated September 4, 2004
The Chief Executive Officers of All Primary (Urban) Cooperative banks.
