statutory audit of bank branches – under core banking system
DESCRIPTION
Friday, 18th March 2011. Statutory Audit of Bank Branches – under Core Banking System. A presentation by CA. GOPAL KRISHNA RAJU, Assurance & Tax Partner, M/s. K. GOPAL RAO & Company, Chartered Accountants, Chennai for Calicut Branch of SIRC of ICAI.
Statutory Audit of Bank Branches – under Core Banking System
A presentation by CA. GOPAL KRISHNA RAJU, Assurance & Tax
Partner,
M/s. K. GOPAL RAO & Company, Chartered Accountants,
Chennai
for Calicut Branch of SIRC of ICAI
Friday, 18th March 2011
K.GOPAL RAO & CO, Chennai CALICUT Branch of SIRC of ICAI CA. GOPAL KRISHNA RAJU
Disclaimer
• These are my personal views and cannot be construed to be the views of the SIRC or its branches or K. GOPAL RAO & Co., Chartered Accountants
• No representation or warranties are made by the SIRC with regard to this presentation
• These views do not and shall not be considered as professional advice
• This presentation should not be reproduced in part or in whole, in any manner or form, without my or SIRC’s written permission
Need for Branch Audit
• The strength of Indian Banking system is the audit and
reporting system of Chartered Accountants.
• Robots are not working in branches; it's humans there. To
err is Human, to forgive CBS…..!
• Until Human Beings are operating branches Branch Audit
will exist
• Together let’s bring quality in our reports. Let’s not give the
feeling that Branch Audit is a custom; it is a necessity and need
based.
Need for Branch Audit…
• Even ICICI Bank prefers now to go back to
conventional Branch Audit for many expediency
reasons they had earlier. The management
believes that the main reason for its fall/failure is
withdrawal of Branch Audit System.
• Until the leadership of ICAI is daring, dynamic,
effective in putting forth before the Ministry/RBI the
necessity of Branch Audit, it will never see sunset.
Need for Branch Audit…
• All the parameter settings are made at Branch.
Documentation is done at Branch. Documents are
maintained at Branch. Branch Audit should focus
more on facts with figures & Documents with
deeds.
• Branch Audit should focus more on facts, figures
and documents…
Audit in a CBS environment
Primary Audit Steps
Key Audit Process
LFAR
Coverage
Public Sector Bank Audits – Scenario at present
• Appointments of Statutory Central Auditors (done 4 months
ahead)
• Appointments of Statutory Branch Auditors (done 4 weeks
ahead)
• Closing instructions of the Bank (booklet, annual audit manual)
• Timelines given (April 15th perhaps!)
• Meeting with SCA’s, if organized by Bank (let us network)
• Conduct of audit within given timelines (of course with
necessary resources )
• Submission of Reports (ASAP)
Normal Audit Process
o Popularly known as Balance Sheet Audit
o Why?
o Even if an Auditor wants to conduct detailed audit,
he is precluded from doing so, due to
• Delayed appointments
• Early Finalization deadlines
• Race of management to publish Balance Sheet (congrats to CAs..some banks publish before 30th April)
Audit is hence, limited to
o Review of Balance Sheet & Profit & Loss Account
o Arithmetical accuracy of annual financial
statements (Thing of Past)
o Review of Fresh Advances (Take help of Concurrent Audit
Report)
o Review of application of Income Recognition Norms
o Review of application of Provisioning Norms
o Review of Expenditure
Audit is hence, limited to…
• Verification of information filled in the various
formats prescribed by Bank’s H.O.
• Noting & confirming certain areas that are under
direct control of and monitored by H.O.
e.g. Purchase & record of fixed assets, depreciation, information for tax provision etc.
• Certification as required by regulatory authorities
First and Last
Anxiety is because facts & figures are not in our
control
o Understanding of facts & figures is first
o Application of law is last
CBS plus points
• Getting reports for clarity on operation & for sample
selection
• Parameter settings – Adequate controls over
parameter settings, authorization, modification is to
be exercised at branch level. Most of the
parameters are set-based or paper based
authorization.
CBS myths
• Requires system literacy for audit
• No data can be made available in the branch
except what is given by the branch suo-moto.
What do banks inform us
We have a core banking solution
All transactions are captured and processed
seamlessly
All calculations are automated
Statements are generated from the CBS
Absolutely no issues in completing audit within the
given timeline
Can we rely on this information?
• Yes, provided we are
– satisfied of the adequacy of the C I A Principle within this computerized system and environment
– aware of the control mechanisms of computer systems and environment in the branch
CIA Principle
Confidentiality
• Assurance that information / data is shared only amongst authorized persons or organizations
Integrity
• Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose
Availability
• Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them
Satisfaction about CIA Principle
• Existence of controls in the computer systems
• Review of their implementation in the branch
processes
Auditor has to remove the myth of not being “IT Smart”
Audit steps in CBS environment
• Firstly, have a chat with the Systems in Charge at the Branch &
Branch Manager
• Then execute key audit processes
• Next discuss findings
• Lastly, form audit opinion
CBS environment - Infrastructure
• Core [Centre, Central Part, Hub, Nucleus, Middle, Interior, Mainstay,
Heart]
• May or may not have Branch Server depending on CBS Software
– FINACLE – No Branch Server
– Flexcube, Bancs24 – Need Branch Server
• Network Connectivity
– Primary Links & Secondary Links (alternate routes) – Connectivity Topology
• Power Supply
– UPS and / or Generator
Interact with System Executive
• Obtain an overview of the systems
• Software
– Core application as well as all other applications
• Hardware
– Server as well as other machines
• Network configurations
• Ask about his / her perception of CIA principle
implementation in branch
Issue 1: Audit Manual – Not available/ given
• If a copy of the Audit Manual / System Manual is not made
available for your reference, this should be brought out as a
note in the LFAR.
Check Point:
• Verify BCP document
• Familiarity with procedure
• Availability of Emergency Reports
• Incident Handling/Management System - Instances
of Resorting to BCP available on record
Issue 2: Management Representation Letter
• Standards on Auditing (SA) 580 – “Representations by
Management” requires that in case management does
not provide management representation letter, the
auditor should himself prepare a letter in writing and
send it to the management with a request to
acknowledge and confirm that his understanding of the
representations is correct.
• If the management refuses to acknowledge or
confirm the letter sent by the auditor, this will
constitute a limitation on the scope of his
examination.
Questions about CBS & Branch
• How is the SOD activity handled?
• Whether officials other than those of the branch
have authority to record transactions in branch
books?
• If so, when does the branch become aware of it? Immediately / At pre-defined intervals / EOD / SOD
• If so, what is the branch manager’s authority?
Questions about CBS & Branch…
• Communication systems downtime
– What happens when communication lines are down?
– Are there offline periods?
– How are transactions in these offline periods recorded?
• Who is responsible for
– Downloading pre-defined reports at SOD?
– Distributing the reports within the branch as per the distribution schedule
• How is the EOD activity handled?
– Are there frequent delays in EOD procedures?
Questions about CBS & Branch…
• Whether CBS is designed to apply IRAC norms ?
• Whether the card rates of interest and other
charges are correctly parameterized?
• Inquire about
– Access control norms and adherence thereto
– Modality of year-end process
• Whether branch was subject to a system audit?
– Inquire of management action on audit findings
Questions about CBS & Branch…
• What are SE’s views on LFAR questions?
• Take written / oral assurances that
– System is implemented as designed
– No modifications are made to the system
– All problems faced during implementation & thereafter are resolved
– Problems faced have not affected the confidentiality, integrity & availability of data
Interaction with Branch Manager
• Obtain his confirmation / view on the information
obtained from the SE
• Discuss BM’s methodology in
– EOD / SOD processes
– Report sign-offs
– Fulfilling additional responsibilities as a result of CBS and its effect on branch business
• Discuss your reservations / opinion of the CBS
environment
Access Controls
• Peruse Access Control Matrix
• Match the matrix with the users in the branch
• Inquire whether logs of unauthorized access are
available at branch / data center
– Review management action on the same
Migration Controls
i. If migration process has been undertaken in the
supervision of controlling office team, to check &
comment whether Certificate of Verification of
Integrity and Consistency of data migrated has
been preserved on branch records.
ii. If branch has undergone an independent
Migration Audit, to check whether all irregularities
and recommendations have been duly attended /
followed.
iii. To check from print copies of reports held on
branch records whether migrated data has been
verified by the branch for integrity and consistency
and the procedures undertaken by the branch
have been supervised and documented
adequately. In case of inadequacy /
ineffectiveness of procedures carried out, an
independent Migration Audit may be
recommended.
Day-End Controls
• Various control reports are generated to ensure
integrity of the transactions and also to ensure
whether transactions are in conformity with the
Bank’s guidelines/system of authorizations (maker-
checker).
• These reports reveal the exceptions and anomalies
encountered during the day.
• Vital amongst these reports are:
EOD reports
a. Exceptional report (parking/ proxy/ unprocessed/ to-do/ error/
withhold)
b. List of users (to be matched with attendance registers)
c. Access Log
d. Rejected/Cancelled entries
e. Over-limits/TOD Report
f. GL affected Balances Report
g. Report on large cash transactions / KYC Anti Money
Laundering etc.
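The two user checks above (match the Access Control Matrix with the users in the branch, and match the EOD list of users with the attendance register) can be run as a simple reconciliation. This is an added example, not part of the original presentation; the user ids, role names, dates and data layout are constructed assumptions, since real CBS report formats differ by bank.

```python
from datetime import date

# Constructed sample data, not taken from the presentation.
# Approved access control matrix: user id -> roles the bank has sanctioned.
ACCESS_MATRIX = {
    "U1001": {"teller"},
    "U1002": {"checker"},
    "U1003": {"branch_manager"},
}

# Users as defined in the CBS for this branch: user id -> (roles, status).
CBS_USERS = {
    "U1001": ({"teller", "checker"}, "active"),  # holds a role the matrix does not grant
    "U1002": ({"checker"}, "active"),
    "U1004": ({"teller"}, "active"),             # never approved in the matrix
    "U1005": ({"teller"}, "disabled"),           # disabled ids are ignored
}

# Attendance register: day -> user ids marked present.
ATTENDANCE = {
    date(2011, 3, 30): {"U1001", "U1002"},
    date(2011, 3, 31): {"U1002"},
}

# EOD "list of users" report: (day, user id) for every id that logged in.
EOD_USER_LIST = [
    (date(2011, 3, 30), "U1001"),
    (date(2011, 3, 30), "U1002"),
    (date(2011, 3, 31), "U1001"),  # id used on a day the holder was not present
    (date(2011, 3, 31), "U1002"),
]


def reconcile_matrix(matrix, cbs_users):
    """Compare sanctioned access with what is actually set up in the CBS."""
    findings = []
    for uid, (roles, status) in sorted(cbs_users.items()):
        if status != "active":
            continue
        if uid not in matrix:
            findings.append((uid, "active CBS user missing from access control matrix"))
            continue
        extra = roles - matrix[uid]
        if extra:
            findings.append((uid, "role beyond matrix: " + ", ".join(sorted(extra))))
    # Matrix entries with no CBS id usually mean a stale matrix or a transfer.
    for uid in sorted(set(matrix) - set(cbs_users)):
        findings.append((uid, "in matrix but no CBS user id"))
    return findings


def logins_without_attendance(eod_user_list, attendance):
    """User ids that logged in on a day the register does not show them present.

    A day missing from the register (Sunday, holiday) is treated as nobody
    present, so every login on that day is listed for explanation.
    """
    exceptions = []
    for day, uid in eod_user_list:
        if uid not in attendance.get(day, set()):
            exceptions.append((day, uid))
    return sorted(exceptions)


if __name__ == "__main__":
    for uid, issue in reconcile_matrix(ACCESS_MATRIX, CBS_USERS):
        print(uid, "-", issue)
    for day, uid in logins_without_attendance(EOD_USER_LIST, ATTENDANCE):
        print(day.isoformat(), uid, "- login without attendance")
```

Each finding is a lead for inquiry (shared passwords, ids not disabled after transfer), not a conclusion in itself.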
Report as per MITRA Committee Recommendations
• To be reported by a CA if we have come across any
matter / transaction that is
– Susceptible to be a fraud (How do we know as Auditors!)
– Susceptible to be a fraudulent activity (Quite a broad spectrum of responsibilities tagged here!)
– Foul Play (unclean / stinking / polluted / tainted / soiled / fetid)
Amount of transactions Rs: 100 Lakhs and above
The Statutory auditor is expected to report the same to:
Central Office
Dept of Banking Supervision
RBI, WTC,
Cuffe Parade, Mumbai - 5
Amount of transactions below Rs: 100 Lakhs
The Statutory auditor is expected to report the same to:
Regional Director
RO, Dept of Banking Supervision
RBI, Nrupathunga Road,
Bangalore – 1
Day-End Controls – Suggested Audit Check-point
i. To obtain list of such reports generated by the
system.
ii. To check whether all the mandatory reports are
taken daily including on Sundays and holidays, as
ATM transactions are carried out on these days
also, and are scrutinized adequately and to
comment whether exceptions / anomalies, if
encountered during the day, have been duly noted
and disposed of.
Control over Proxy/Parking Transactions – Suggested Audit Check-point
• In normal course of business, some transactions
might not be verified and may remain in entered
(un-posted) status.
• But since the day-end process cannot be held over
to the next day, these transactions
are posted in a pre-designated account called
Proxy/Parking Account. These transactions,
generally, are of two types:
• System Generated: Transactions which take place during
various system runs. For instance: Execution of SI
(Standing Instruction) by the Data Centre on last day of the
month and SOL being closed on that day. This entry may
not be posted and will remain in entered status and will be
posted in Proxy Account.
• User-Generated: Transactions which are initiated by the
user, but owing to certain reasons may not be
posted/authorised and kept in proxy/parking transactions
account. For instance: Depositing RD installment in excess
of the cumulative installments. This entry may not be
posted in RD Account and posted in Proxy/parking
transactions account and reversed subsequently.
Control over Proxy/Parking Transactions – Suggested Audit Check-point
• To check whether report on such transactions is
taken as a part of EOD process and scrutinised for
prompt reversal.
• To check and comment specifically on old
outstanding entries and reasons for non-reversal of
the same.
Read-Only Access
• Ask for a read-only access to view the branch data
– If access cannot be given, decide whether it needs to be reported in Audit Report / LFAR
• Use assistance of SE to run queries
– If SE is not able to help then decide whether it needs to be reported in Audit Report / LFAR
Transaction Logs
• Serial Control over all transactions
– Number to be allotted by the system
– No manual intervention allowed
• Peruse transaction logs of heavy days
– Typically after multiple holidays
• Review Exception Transactions Reports
– And also action taken thereon
Income - interest
• Interest rate parameters are controlled centrally
• Obtain list of transactions where interest rate has
been entered by branch management
• Ensure that such entry and authorization is as per
the Access Control Rules
• Review process of interest rate modifications in
similar manner
• Test check a few interest calculations
There is no need of checking all the accounts. It is enough if at
least one account of all the account types is checked for
accuracy of interest application.
Reports that can give leads
• List of cases where stock statements are not
furnished on or after 28th February 2011
• List of cases where fresh limits were sanctioned
– For the whole year from 1st April 2010 to 31st March 2011
– For 4th Quarter period from 1st Jan 2011 to 31st Mar 2011
– For 3rd Quarter period from 1st Oct 2010 to 31st Dec 2010
– For 2nd Quarter period from 1st Jul 2010 to 30th Sep 2010
– For 1st Quarter period from 1st Apr 2010 to 30th Jun 2010
Reports that can give leads…
• List of overdue accounts i.e. outstanding amount >
Sanctioned amount.
• List of manual entries viz. Interest Reversals
• Recognition of Interest in NPA
• Debit to HO account
• List of unchecked transactions (Accounts master)
• Standing Instructions
Reports that can give leads……
• Temporary OD – beyond time limit
• Time bound DPN
• Large cash transactions – list of it viz. above Rs: 10
lakhs cash deposits
• Operations in in-operative accounts
These reports are the backbone of the system.
CS 1: Core Banking Solution
• A bank in the process of implementing CBS had a central
support team at the CPPD. These users were allowed
unrestricted remote access to the branches. One
employee used this facility to transfer funds from in-
operative accounts of branches to a particular account of
her relative. The money was subsequently withdrawn.
• This came to light during regular concurrent audit when
auditor noted that there was movement in the in-operative
account.
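The control that caught this case, a report of movement in in-operative accounts, can be reproduced from a transaction log extract. This is an added example, not part of the original presentation; the log layout, account numbers, user ids and branch codes are constructed assumptions. It lists debits in in-operative accounts, marks those posted by a user outside the account's home branch, and groups them by beneficiary account.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample data, not taken from the presentation.
# In-operative accounts and their home branch.
INOPERATIVE = {"SB-0457": "B012", "SB-0981": "B012", "SB-2210": "B045"}

# Transaction log extract; user_unit is the branch or central unit of the poster.
TXN_LOG = """\
txn_id,date,account,dr_cr,amount,counter_account,user_id,user_unit
T001,2011-02-03,SB-0457,DR,48000.00,SB-7777,C0901,CPPD
T002,2011-02-03,SB-1200,DR,1500.00,SB-3300,U1001,B012
T003,2011-02-10,SB-0981,DR,52000.00,SB-7777,C0901,CPPD
T004,2011-02-11,SB-2210,CR,310.50,GL-INT,SYSTEM,DC
T005,2011-02-14,SB-2210,DR,61000.00,SB-7777,C0901,CPPD
T006,2011-02-15,SB-0457,DR,200.00,SB-4100,U1002,B012
"""


def inoperative_debits(log_text, inoperative):
    """Debits posted to in-operative accounts, in log order.

    Credits (for example system-applied interest) are left out here, which is
    an assumption of this example; widen the filter if the bank's definition
    of "operation" includes them.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        home = inoperative.get(row["account"])
        if home is None or row["dr_cr"] != "DR":
            continue
        hits.append({
            "txn_id": row["txn_id"],
            "account": row["account"],
            "amount": Decimal(row["amount"]),
            "beneficiary": row["counter_account"],
            "user_id": row["user_id"],
            # Posted by someone outside the account's own branch.
            "remote": row["user_unit"] != home,
        })
    return hits


def common_beneficiaries(hits, min_sources=2):
    """Beneficiary accounts fed from several different in-operative accounts."""
    sources = defaultdict(set)
    totals = defaultdict(Decimal)
    for h in hits:
        sources[h["beneficiary"]].add(h["account"])
        totals[h["beneficiary"]] += h["amount"]
    return {
        b: (sorted(sources[b]), totals[b])
        for b in sources
        if len(sources[b]) >= min_sources
    }


if __name__ == "__main__":
    hits = inoperative_debits(TXN_LOG, INOPERATIVE)
    for h in hits:
        tag = "REMOTE" if h["remote"] else "branch"
        print(h["txn_id"], h["account"], h["amount"], h["user_id"], tag)
    for acct, (srcs, total) in common_beneficiaries(hits).items():
        print("beneficiary", acct, "from", srcs, "total", total)
```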
CS 2: Vulnerability in Account Mapping
• A fraud was committed due to vulnerability in mapping of
accounts in a CBS. Mapping of accounts is done only in
one place which is at the CCD. In the present scenario, the
GL heads were created and access given to the branches
in such a way that any GL head could be debited or
credited. One employee utilized this feature to debit a GL
which had accumulated unreconciled debit balances and
credited his personal account.
Income - charges
• As in case of interest rate, parameters for other charges are
controlled centrally
• Ensure that the software relates the transaction with the
income to be applied
• Bank Guarantee / LC and its Commission / Charges
• ATM / Credit Card charges
• Charges for miscellaneous transactions
– Number of debits
– Note counting
• Review transactions where branch has an authority to deviate
from the set parameters
• Test check a few transactions
Advances
• Verify data entry of new sanctions into the CBS
– Rate of Interest
– Date of sanction
• Inquire whether loan documentation is controlled through the system
– If so, whether system prompts for the same
– Whether system prompts for renewals
Identification of NPAs
• Inquire whether system identifies NPAs and
reverses income
• Obtain report of cases of
– Defaults in excess of 90 days principal repayment
– Interest not fully serviced
• Potential NPA – Audit list of defaults nearing but not
exceeding 90 days
Identification of NPAs
• Peruse list of customers / accounts with high
credits within last week / fortnight of March
• Identify whether there are heavy withdrawals in first
week / fortnight of April of customers / accounts in
this list
• Trace whether these credits are from advances
sanctioned at some other branch or in some other
group account
– This is possible if access is available to data other than that of the branch
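The three steps above (high credits in the last fortnight of March, heavy withdrawals in the first fortnight of April, credits traced to another branch) can be combined into one query over the transaction data. This is an added example, not part of the original presentation; the record layout, account numbers, branch codes and the two thresholds are constructed assumptions that the auditor would set from the branch's own profile.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample data, not taken from the presentation.
# (date, account, DR/CR, amount, branch where the entry originated)
TXNS = [
    (date(2011, 3, 10), "CC-0101", "CR", Decimal("500000"), "B012"),   # before window
    (date(2011, 3, 29), "CC-0101", "CR", Decimal("2500000"), "B031"),  # other branch
    (date(2011, 4, 4), "CC-0101", "DR", Decimal("2400000"), "B012"),
    (date(2011, 3, 30), "SB-0202", "CR", Decimal("1200000"), "B012"),
    (date(2011, 4, 5), "SB-0202", "DR", Decimal("100000"), "B012"),    # funds stayed
    (date(2011, 3, 25), "CA-0303", "CR", Decimal("900000"), "B031"),   # below threshold
    (date(2011, 4, 2), "CA-0303", "DR", Decimal("900000"), "B012"),
]


def year_end_round_trips(txns, home_branch, year_end=date(2011, 3, 31),
                         window_days=14, min_credit=Decimal("1000000"),
                         min_ratio=Decimal("0.8")):
    """Accounts credited heavily just before year end and drained just after.

    Returns (account, credits, withdrawals, other_branch_sources) for each
    account whose credits in the window before year end reach min_credit and
    whose withdrawals in the window after it are at least min_ratio of them.
    """
    start = year_end - timedelta(days=window_days - 1)
    end = year_end + timedelta(days=window_days)
    credits = defaultdict(Decimal)
    withdrawals = defaultdict(Decimal)
    sources = defaultdict(set)
    for day, account, dr_cr, amount, origin in txns:
        if dr_cr == "CR" and start <= day <= year_end:
            credits[account] += amount
            if origin != home_branch:
                sources[account].add(origin)   # credit came from elsewhere
        elif dr_cr == "DR" and year_end < day <= end:
            withdrawals[account] += amount
    leads = []
    for account in sorted(credits):
        if (credits[account] >= min_credit
                and withdrawals[account] >= min_ratio * credits[account]):
            leads.append((account, credits[account], withdrawals[account],
                          sorted(sources[account])))
    return leads


if __name__ == "__main__":
    for account, cr, dr, src in year_end_round_trips(TXNS, home_branch="B012"):
        print(account, "credits", cr, "withdrawals", dr, "from branches", src)
```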
Deposit and Interest Expenditure
• Ensure proper parameterization of deposit
schemes and interest thereon
• Trace a sample of transactions
• Verify calculations of interest expenditure in few
cases
• Review process of pre-mandated transactions and
whether they have happened as per the mandate
– Auto sweep account
– Cumulative deposits
– Recurring deposits
Office Accounts
• Review various office accounts
– Suspense
– Sundry Deposits
– Inter branch
– ATM Suspense
– Cash Management
• Audit list of outstanding items
• Inquire whether frauds have occurred using these
office accounts
Control over Impersonal/Office Accounts
• To check whether these accounts have been
mapped to correct GL Sub head and entries in the
accounts have been done correctly. For instance:
• Postings in sundry credit accounts and sundry
deposit accounts have been duly verified by the
branch.
• Deposit from public and Deposit from Banks
have been shown correctly in appropriate GL
Subheads.
• Credit balances in Loan accounts have not been
shown in sundry deposit account.
• To check whether these transactions are scrutinised by the branch for correctness and for prompt adjustment.
Audit Conclusions
• Document findings & conclusions
• Discuss them
• Take written and oral representations
• Formulate Audit Opinion
LFAR – General points
• Study the LFAR Questionnaire thoroughly
• Plan the LFAR work along with the statutory audit right from day one
• Complete & submit the Main Audit Report as well as the LFAR simultaneously
• There should be no vague / general comments; wherever possible, elaborate, i.e. the answers should not be only Yes / No / Not Applicable
• Give instances of shortcomings / weaknesses in the LFAR
• Do not make the current year’s LFAR a replica of the previous year’s LFAR
• The branch LFAR should be addressed to the Bank’s Chairman and a copy thereof sent to the Central Statutory Auditor
• The Main Audit Report and LFAR are two separate reports.
• Many times the comments in LFAR are qualificatory in nature but are not included in the Main Audit Report. Include the Audit Qualifications in the Main Audit Report and not in the LFAR. In deciding whether a qualification in the main report is necessary, the auditor should use his discretion in the facts and circumstances of each case
• The Main Audit Report should be a self–contained document and should contain no reference of any point made in the LFAR
• The LFAR should be sufficiently detailed and quantified so that not only can it be expeditiously consolidated by the bank but even help the bank in rectifying the identified problems immediately on conclusion of audit
LFAR – Contents
• Assets – 6 items
• Liabilities – 3 items
• Profit and Loss Account – 5 items
• General – 6 items
• Questionnaire applicable to specialized branches
• Annexure to LFAR – (large / irregular / critical
advance accounts)
LFAR
• Whether hard copies of accounts are printed regularly?
– Inquire about the Bank’s instructions of taking print-outs
– Note down the frequency of taking hard copies of accounts
– Compare with Concurrent & System Audit Reports
LFAR…
• Understand the non-computerized areas (viz. Fixed
Asset Register, Denomination of Cash)
• Indicate the extent of computerization and the
areas of operation covered.
– Obtain data of areas of operation computerized during the year
– Note down the effective date
– Compare with Concurrent & Systems Audit Reports
LFAR…
• Are the access and data security measures
and other internal controls adequate?
– Entire gamut of logical & physical access controls apply
– It is not confined to passwords alone
LFAR…
• Whether regular back-ups of accounts and
off-site storage are maintained as per the
guidelines of the controlling authorities of
the bank?
• Ascertain the Guidelines
• Whether the Bank is aware of them
• Ask and see how they are implemented
• Audit the documents maintained
LFAR…
• Backup & Restoration of Data & Software
– Significant only in Branch Server
• Check Point
– Following Backup Routine
– Rotating & Preserving Media
– Managing Backup Media
– Offsite Storage of Backups
LFAR…
• Whether adequate contingency and disaster recovery
plans are in place for loss / encryption of data?
– Inquire whether the Branch is aware of the BCP / DRP
– Inquire whether the Branch has a copy of the BCP / DRP
– Review documents relating to above
– Inquire about encryption standards implemented
– Who is in control of encryption
– Whether branch is aware of encryption standards applied
– How is the control made effective
LFAR…
• Do you have any suggestions for the
improvement in the system with regard to
computerized operations of the branch?
– Give suggestions, if any.
LFAR…
• For each area one needs to:
– Inquire about Bank’s policy
– Level of understanding of the policy and its implication
– Evidence of compliance with that policy at branch
– Peruse action taken on Concurrent & System audit findings
MITRA Committee Recommendations
JILANI Committee Recommendations
GHOSH Committee Recommendations
Committee Recommendations
Comparisons
• Mitra – Report (not counter signed by Branch
Manager) – suggested to get counter signed
• Ghosh & Jilani – Certificate (counter signed by
Branch Manager)
Certificate as per JILANI and GHOSH Committee Recommendations
Certificate (not a report). We certify that the
information is correct
• Two dimensional (YES and NO) certificate
Jilani - 10 items
Ghosh - 53 items
• Jilani – Relating to Internal Control and Inspection /
Audit system in banks which are to be compulsorily
implemented by banks
• Ghosh – Relating to frauds and malpractices in Banks -
JILANI Committee Recommendations
1. Concurrent Audit – Follow-up (ensure that comments are not
repeated in the monthly report)
2. 4 months window time – For Rectifying irregularities brought to
the notice
3. Irregularities rectified during the audit –
4. Plug gaps – Check the list of all irregularities that are plugged during
the year
5. Prevention Methods – New methods adopted by the Banks during
the year
JILANI Committee Recommendations
6. Testing carried out – Test check for ensuring the
Integrity of transactions
7. EDP under scrutiny of inspection & audit -
8. Change Management Practices – Is it
documented?
9. Speedy enquiry to deter others from perpetuating
fraud – Ensure whether such process is in place
10. Regular checking – Cash Check, ATM Checking
Ghosh Committee Recommendations
• Group A – Part I – 9 items
• Group A – Part II – 44 items
Area is too wide to be covered as part of Branch Statutory Audit if
it is to be done diligently
Reflections ??