Industry-wide Electronic Bank Confirmation Platform ENHANCE SECURITY | REDUCE FRAUD RISK | MINIMISE HUMAN ERROR | TIME SAVING | COST SAVING | GUARANTEED DELIVERY


Copyright © September 2019 by the Malaysian Institute of Accountants (MIA). All rights reserved.

The Malaysian Institute of Accountants’ logo appearing on/in this publication is a registered trademark of MIA. No part of this publication, either in whole or in part, may be copied, reproduced, recorded, distributed, republished, downloaded, displayed, posted, stored or transmitted in any form (tangible or intangible) or by any means, including but not limited to electronic, mechanical, photocopying, scanning or audio/video recording, information storage or retrieval system for any purpose whatsoever without prior express written permission of MIA. Such request can be emailed to the Strategic Communication & Branding Unit at: [email protected]

Permission is however granted to any person to make copies of this publication provided that such copies are strictly for personal use or fair use in the academic classrooms. Such copies shall not be sold or disseminated, and each copy shall bear the following credit line – “Used with the permission of the Malaysian Institute of Accountants”.

Any unauthorised use of this publication and/or any creation of a derivative work therefrom in any form or by any means is strictly prohibited and may violate the relevant intellectual property laws. In the event of any violation or infringement of MIA’s copyright and/or logo, MIA will not hesitate to take legal action for such violation and/or infringement.


INTRODUCTION

Online confirmations are now the preferred method for confirming client information in jurisdictions such as the United States of America, the United Kingdom and Australia. In Malaysia, online confirmations are currently being used in a limited manner for confirmations with some foreign banks.

To keep abreast of the latest market developments, MIA championed an industry-wide Electronic Bank Confirmation Platform which is now ready for roll-out.

Electronic bank confirmations will eliminate duplications and provide authentication and authorisation procedures to detect fraud and deter fraudsters. This is a progressive step in auditing that will not only save time and resources but bring Malaysia up-to-speed with developments in leading markets.

Dr. Nurmazilah Dato’ Mahzan, MIA CEO

MIA would like to accord its appreciation to Bank Negara Malaysia (BNM), The Association of Banks in Malaysia (ABM), banking institutions, local audit firms, and other stakeholders for supporting the Platform.


Why is MIA championing the industry-wide Electronic Bank Confirmation Platform?

Under the International Standard on Auditing (ISA) 505, reliable audit evidence can be obtained in documentary form from a third party, e.g. a bank, whether on paper, electronically or in another medium. Many bank confirmation request letters are sent to banks annually by auditors for confirmation of their clients' bank balances and arrangements. Presently, electronic confirmations are used in a limited manner in Malaysia.

Extol Corporation Sdn Bhd (Extol) was selected to develop an industry-wide electronic bank confirmation platform, with a very economical usage fee compared to the current fee charged by an international service provider.

Extol specialises in Information and Communications Technology (ICT) security and has significant experience in providing ICT services to financial institutions.


PRESENT

Where we are now

Manual bank confirmations are inefficient and time consuming

• Sending bank confirmations manually has been in practice since the beginning of the audit profession.

• The process is slow and time-consuming, with an average turnaround time of 4 to 8 weeks.

Any delays affect clearance by auditors and could impact the timely approval of financial statements by the Board of Directors. The management of audit clients can conceal fraud by compromising the manual confirmation processes, making it difficult for even the most experienced auditors to detect financial fraud.

FUTURE

Where we want to go

A better way to obtain bank confirmations

Today, there is a far more efficient and secure way to request and receive bank confirmations, minimising the risk of error or fraud going undetected, i.e. through electronic confirmation. This electronic platform:

• Enhances the security of the bank confirmation process through verifications of the organisations and users, ensuring confirmations are only sent and received by registered auditors and banks

• Reduces risks of fraud related to the bank confirmation process

• Enhances efficiency in the bank confirmation process

• Saves valuable time and effort that can be diverted to other higher value-added work


REDUCING FRAUD RISK

Several fraud cases have revealed the inherent weaknesses in paper-based confirmations, which can be prevented using new technologies, including electronic bank confirmations.

The influence of clients in the confirmation process

This appears to be one of the techniques used by Parmalat executives to attempt to defraud the auditor, where they manipulated the balances and contact details using a scanning machine. The improvement in scanning and printing technology makes it much more difficult to detect these types of activities.

False contact information

A dishonest client can create third-party credentials that resemble real credentials, e.g. establishing and directing the auditor to a fake financial institution website to provide false contact information.

Signature forgery

The fake signature of a genuine bank employee was used by Parmalat executives to confirm almost $5 billion in confirmation fraud. Auditors do not have the resources to validate the signature of the person responding to a confirmation request.

Engagement with a co-conspirator

This happens when a fraudster provides the correct contact information but has a co-conspirator within that organisation to respond to the auditor’s request.

A properly designed and implemented electronic confirmation system could have prevented all of the above!

Unlike a paper-based process, electronic confirmations use additional security mechanisms to ensure that only appropriate personnel from a bank can respond to a bank confirmation request.

How reliable is the electronic confirmation?

A reliable and properly-designed electronic confirmation system has these features:

SECURITY

Highly secure communication channel between the auditor and the responder protects the transfer of information through controls such as individual passwords, data encryption, firewalls and intrusion detection and prevention systems.

• The data are stored at Extol’s servers located in Cyberjaya, Malaysia.

• All the sensitive data and PDF attachments received are encrypted.

• The Platform observes the applicable IT security standards and guidelines.

VALIDATION AND AUTHENTICATION

Authentication and validation are required to establish the identities of both the auditor making the request and the person responding to it. The auditor and the responding entity will have the assurance that the identities of both parties are authentic.

• Users must be associated with an audit firm and their individual and firm details must match with MIA’s membership database.

• Besides User ID and password, applicants must provide activation emails for a 2-factor authentication process in order to validate their registration.

• For bank users, registration is conducted through the bank’s email account which will subsequently be used for 2-factor authentication on the Platform.

• All users must verify the pre-set security image and phrase during the user authentication process to prevent phishing.

AUDIT TRAIL

An audit trail system logs all the activities performed on the Platform, including submission of requests and download of responses.

ASSURANCE

Organisation risk and controls assessment over the Platform performed by an independent third-party service auditor.

An independent external auditor is appointed by MIA to conduct a service organisation risk and controls assessment annually over the Platform, through the issuance of a Service Organisation Control (SOC) 3 Report.

DIRECT COMMUNICATION

The information is responded to directly by the users in the Platform.

Once the users in the Platform have been verified, direct communication is allowed between the auditor and responding party, which makes bank confirmation easier and faster via a secured channel.


How does the electronic confirmation benefit you as a reporting entity?

A smooth and successful audit

As a reporting entity, you want a smooth and successful annual audit without potential problems arising from bank confirmation fraud.

Save time and effort

A higher response rate and lower turnaround time using electronic confirmation can reduce your time and costs on follow-up work.

Facilitate monitoring and meeting of deadlines

Monitoring is facilitated with a system trail of the dates on which a confirmation is requested, replied and received. The Platform would also expedite the confirmation replies, enabling you to meet reporting deadlines.

Enhanced security over bank confirmation process

Only authorised personnel from a bank can respond to a bank confirmation request and the risk of confidential information being wrongly sent to other parties through post is mitigated.


How other stakeholders will benefit from the Platform

Achieve greater efficiency and transform bank confirmation into an efficient and reliable process in the audit workflow. Auditors, reporting entities and banks can minimise manual processes, eliminate duplications and loss of confirmations and expedite confirmation replies to the auditors.

Reporting entities are able to reduce the risk of fraud which may potentially go undetected by auditors and simultaneously protect the interest of stakeholders that rely on audited financial statements.

Auditors and banks can eliminate duplication, save time and minimise human error while providing a more secure process to confirm balances and arrangements.

The capital market benefits from reduced delays in the clearance of audited financial statements.

It mitigates the risk of confidential information being wrongly sent to other parties through postal services. Accountability is enhanced because the system trails the confirmation status on a timely basis.


HOW DOES THE PLATFORM WORK?

Registration & Activation Process Flow

[Flow diagram. Labels: MIA Database (all auditors must be verified with MIA database); SSL Encrypted; AUDIT ADMIN; AUDIT USER; Audit Firm Verification & Admin Activation; Company Key Generation; Company Key Activation; Create Users; Users Activation; Start Confirmation Process.]


Bank Confirmation Process Flow

[Flow diagram with six numbered steps and two lanes, AUDITOR and BANK. Labels: Add Client Profile; Submit Bank Confirmation Request; Bank Receives Confirmation Request; Bank Replies; Auditor Downloads Confirmation Reply; Reconfirmation Request; (Attach Bank Confirmation Request Letter).]

Bank Confirmation Request Letter

Authorised signature(s) in accordance with the mandate for the conduct of the customer’s bank account is still required on the hardcopy of the request letter. The sample of the Bank Confirmation Request Letter can be downloaded from the MIA website at www.mia.org.my.


What is the fee for using the Platform?

The usage fee is RM15 per online submission of confirmation request and will only be charged upon the successful receipt of the confirmation.

How do auditors gain access to the Platform?

Auditors must log in via www.auditor.econfirm.my to access the secure web-based Platform.

Who should use the Platform?

Any organisation that is required to perform a statutory audit as well as their auditors who require bank confirmations in Malaysia are urged to use this Platform.

The Platform is intended to all banks in Malaysia in stages. Please check www.econfirm.my for the list of participating banks.


FREQUENTLY ASKED

1. Does the fee of RM15 charged per confirmation include bank charges?

The Platform usage fee of RM15 per confirmation is on top of the bank charges on bank confirmation, which vary from bank to bank.

2. Is there a governing body for this Online Platform (to govern any issues that may arise)?

Since this is an industry-wide initiative, MIA will be the governing body to oversee compliance with regulations, data security and committed service level. An independent external auditor will be appointed by MIA to conduct a service organisation risk and controls assessment over the Platform, through the issuance of a Service Organisation Control (SOC) 3 Report.

3. Are all submissions and downloads traceable?

The Platform provides an audit trail system that logs all the activities conducted on the Platform, including submissions and downloads. It can be used to assist with any suspected fraud or forensic investigation when required.

4. Do I still need to provide authorised signature(s) on the hardcopy of the bank confirmation request letter subsequent to the implementation of the Platform?

Yes, authorised signature(s) in accordance with the mandate for the conduct of the customer’s bank account is still required on the hardcopy of the request letter. Nevertheless, there will be a revised bank confirmation request letter, where the auditors will need to obtain consent from you on the usage of the Platform.

5. Is this Platform available as a mobile app?

Currently, there is no plan to build a mobile app.

6. Would I be able to access the Platform as well to extract my company’s bank confirmation for my own documentation purposes?

No, you would need to request a copy of the bank confirmation reply either from the auditor or directly from the bank.


For enquiries, please contact: [email protected]

1-40-1, Menara Bangkok Bank, Berjaya Central Park, No. 105 Jalan Ampang, 50450 Kuala Lumpur.

Head office: Malaysian Institute of Accountants (MIA), Dewan Akauntan, Unit 33-01, Level 33, Tower A, The Vertical Avenue 3, Bangsar South City, No. 8, Jalan Kerinchi, 59200 Kuala Lumpur, Malaysia.

Governed by:

+603 2722 9000 +603 2722 [email protected]