
Statutory Audit of Bank Branches – under Core Banking System

Friday, 18th March 2011. Statutory Audit of Bank Branches – under Core Banking System. A presentation by CA. GOPAL KRISHNA RAJU, Assurance & Tax Partner, M/s. K. GOPAL RAO & Company, Chartered Accountants, Chennai for Calicut Branch of SIRC of ICAI.


Presentation Transcript


  1. Friday, 18th March 2011 Statutory Audit of Bank Branches – under Core Banking System A presentation by CA. GOPAL KRISHNA RAJU, Assurance & Tax Partner, M/s. K. GOPAL RAO & Company, Chartered Accountants, Chennai for Calicut Branch of SIRC of ICAI

  2. Disclaimer • These are my personal views and cannot be construed to be the views of the SIRC or its branches or K. GOPAL RAO & Co., Chartered Accountants • No representation or warranties are made by the SIRC with regard to this presentation • These views do not and shall not be considered as professional advice • This presentation should not be reproduced in part or in whole, in any manner or form, without my or SIRC’s written permission

  3. Need for Branch Audit • The strength of Indian Banking system is the audit and reporting system of Chartered Accountants. • Robots are not working in branches, it’s Humans there. To err is Human, to forgive CBS…..! • Until Human Beings are operating branches Branch Audit will exist • Together let’s bring quality in our reports. Let’s not give a feel that Branch Audit is a custom but a necessity and need based.

  4. Need for Branch Audit… • Even ICICI Bank prefers now to go back to conventional Branch Audit for many expediency reasons they had earlier. The management believes that the main reason for its fall/failure is withdrawal of Branch Audit System. • Until the leadership of ICAI is daring, dynamic, effective in putting forth before the Ministry/RBI the necessity of Branch Audit, it will never see sunset.

  5. Need for Branch Audit… • All the parameter settings are made at Branch. Documentation is done at Branch. Documents are maintained at Branch. Branch Audit should focus more on facts with figures & Documents with deeds. • Branch Audit should focus more on facts, figures and documents…

  6. Coverage

  7. Public Sector Bank Audits – Scenario at present Appointments of Statutory Central Auditors (done 4 months ahead) Appointments of Statutory Branch Auditors (done 4 weeks ahead) Closing instructions of the Bank (booklet, annual audit manual) Timelines given (April 15th perhaps!) Meeting with SCA’s, if organized by Bank (let us network) Conduct of audit within given timelines (of course with necessary resources ) Submission of Reports (ASAP)

  8. Normal Audit Process • Popularly known as Balance Sheet Audit • Why? Even if an Auditor wants to conduct detailed audit, he is precluded from doing so, due to: • Delayed appointments • Early Finalization deadlines • Race of management to publish Balance Sheet (congrats to CAs.. some banks publish before 30th April)

  9. Audit is hence, limited to Review of Balance Sheet & Profit & Loss Account Arithmetical accuracy of annual financial statements (Thing of Past) Review of Fresh Advances (Take help of Concurrent Audit Report) Review of application of Income Recognition Norms Review of application of Provisioning Norms Review of Expenditure

  10. Audit is hence, limited to… Verification of information filled in the various formats prescribed by Bank’s H.O. Noting & confirming certain areas that are under direct control of and monitored by H.O. e.g. Purchase & record of fixed assets, depreciation, information for tax provision etc. Certification as required by regulatory authorities

  11. First and Last • Anxiety is because facts & figures are not in our control • Understanding of facts & figures is first • Application of law is last

  12. CBS plus points Getting reports for clarity on operation & for sample selection Parameter settings – Adequate controls over parameter settings, authorization, modification is to be exercised at branch level. Most of the parameters are set-based or paper based authorization.

  13. CBS myths Requires system literacy for audit No data can be made available in the branch except what is given by the branch suo-moto.

  14. What do banks inform us We have a core banking solution All transactions are captured and processed seamlessly All calculations are automated Statements are generated from the CBS Absolutely no issues in completing audit within the given timeline

  15. Can we rely on this information? Yes, provided we are • satisfied of the adequacy of the CIA Principle within this computerized system and environment • aware of the control mechanisms of computer systems and environment in the branch

  16. CIA Principle • Confidentiality: Assurance that information / data is shared only amongst authorized persons or organizations • Integrity: Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose • Availability: Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them

  17. Satisfaction about CIA Principle Existence of controls in the computer systems Review of their implementation in the branch processes Auditor has to remove the myth of not being “IT Smart”

  18. Coverage

  19. Audit steps in CBS environment Firstly, have a chat with the Systems in Charge at the Branch & Branch Manager Then execute key audit processes Next discuss findings Lastly, form audit opinion

  20. CBS environment - Infrastructure • Core [Centre, Central Part, Hub, Nucleus, Middle, Interior, Mainstay, Heart] • May or May not have Branch Server depending on CBS Software: FINACLE – No Branch Server; Flexcube, Bancs24 – Need Branch Server • Network Connectivity: Primary Links & Secondary Links (alternate routes) – Connectivity Topology • Power Supply: UPS and / or Generator

  21. Interact with System Executive Obtain an overview of the systems Software Core application as well as all other applications Hardware Server as well as other machines Network configurations Ask about his / her perception of CIA principle implementation in branch

  22. Issue 1: Audit Manual – Not available/ given Audit Manual / System Manual copy for your reference – Not Available should be brought as a note in LFAR. Check Point: Verify BCP document Familiarity with procedure Availability of Emergency Reports Incident Handling/Management System - Instances of Resorting to BCP available on record

  23. Issue 2: Management Representation Letter Standards on Auditing (SA) 580 – “Representations by Management” requires that in case management does not provide a management representation letter, the auditor should himself prepare a letter in writing and send it to the management with a request to acknowledge and confirm that his understanding of the representations is correct. If the management refuses to acknowledge or confirm the letter sent by the auditor, this will constitute a limitation on the scope of his examination.

  24. Questions about CBS & Branch • How is the SOD activity handled? • Whether officials other than those of the branch have authority to record transactions in branch books? • If so, when does the branch become aware of it? Immediately / At pre-defined intervals / EOD / SOD • If so, what is the branch manager’s authority?

  25. Questions about CBS & Branch… • Communication systems downtime: What happens when communication lines are down? Are there offline periods? How are transactions in these offline periods recorded? • Who is responsible for: Downloading pre-defined reports at SOD? Distributing the reports within the branch as per the distribution schedule? • How is the EOD activity handled? Are there frequent delays in EOD procedures?

  26. Questions about CBS & Branch… Whether CBS is designed to apply IRAC norms ? Whether the card rates of interest and other charges are correctly parameterized? Inquire about Access control norms and adherence thereto Modality of year-end process Whether branch was subject to a system audit? Inquire of management action on audit findings

  27. Questions about CBS & Branch… What are SE’s views on LFAR questions? Take written / oral assurances that System is implemented as designed No modifications are made to the system All problems faced during implementation & thereafter are resolved Problems faced have not affected the confidentiality, integrity & availability of data

  28. Interaction with Branch Manager Obtain his confirmation / view on the information obtained from the SE Discuss BM’s methodology in EOD / SOD processes Report sign-offs Fulfilling additional responsibilities as a result of CBS and its effect on branch business Discuss your reservations / opinion of the CBS environment

  29. Coverage

  30. Access Controls Peruse Access Control Matrix Match the matrix with the users in the branch Inquire whether logs of unauthorized access are available at branch / data center Review management action on the same

  31. Migration Controls If migration process has been undertaken in the supervision of controlling office team, to check & comment whether Certificate of Verification of Integrity and Consistency of data migrated has been preserved on branch records. If branch has undergone an independent Migration Audit, to check whether all irregularities and recommendations have been duly attended / followed.

  32. Migration Controls To check from print copies of reports held on branch records whether migrated data has been verified by the branch for integrity and consistency and the procedures undertaken by the branch have been supervised and documented adequately. In case of inadequacy / ineffectiveness of procedures carried out, an independent Migration Audit may be recommended.

  33. Day-End Controls Various control reports are generated to ensure integrity of the transactions and also to ensure whether transactions are in conformity with the Bank’s guidelines/system of authorizations (maker-checker). These reports reveal the exceptions and anomalies encountered during the day. Vital amongst these reports are:

  34. EOD reports • Exceptional report (parking/ proxy/ unprocessed/ to-do/ error/ withhold) • List of users (to be matched with attendance registers) • Access Log • Rejected/Cancelled entries • Over-limits/TOD Report • GL affected Balances Report • Report on large cash transactions / KYC Anti Money Laundering etc.

  35. Report as per MITRA Committee Recommendations To be reported by a CA if we have come across any matter / transaction that is Susceptible to be a fraud (How do we know as Auditors!) Susceptible to be a fraudulent activity (Quite a broad spectrum of responsibilities tagged here!) Foul Play (unclean / stinking / polluted / tainted / soiled / fetid)

  36. Report as per MITRA Committee Recommendations

  37. Day-End Controls – Suggested Audit Check-point To obtain list of such reports generated by the system. To check whether all the mandatory reports are taken daily including on Sundays and holidays, as ATM transactions are carried out on these days also, and are scrutinized adequately and to comment whether exceptions / anomalies, if encountered during the day, have been duly noted and disposed of.

  38. Control over Proxy/Parking Transactions– Suggested Audit Check-point In normal course of business, some transactions might not be verified and may remain in entered (un-posted) status. But, since day end process could not be suspended for next day, hence, these transactions are posted in a pre-designated account called Proxy/Parking Account. These transactions, generally, are of two types:

  39. Control over Proxy/Parking Transactions– Suggested Audit Check-point System Generated: Transactions which take place during various system runs. For instance: Execution of SI (Standing Instruction) by the Data Centre on last day of the month and SOL being closed on that day. This entry may not be posted and will remain in entered status and will be posted in Proxy Account. User-Generated: Transactions which are initiated by the user, but owing to certain reasons may not be posted/authorised and kept in proxy/parking transactions account. For instance: Depositing RD installment in excess of the cumulative installments. This entry may not be posted in RD Account and posted in Proxy/parking transactions account and reversed subsequently.

  40. Control over Proxy/Parking Transactions– Suggested Audit Check-point To check whether report on such transactions is taken as a part of EOD process and scrutinised for prompt reversal. To check and comment specifically on old outstanding entries and reasons for non-reversal of the same.

  41. Read-Only Access • Ask for read-only access to view the branch data • If access cannot be given, decide whether it needs to be reported in Audit Report / LFAR • Use assistance of SE to run queries • If SE is not able to help then decide whether it needs to be reported in Audit Report / LFAR

  42. Transaction Logs • Serial Control over all transactions: Number to be allotted by the system; No manual intervention allowed • Peruse transaction logs of heavy days: Typically after multiple holidays • Review Exception Transactions Reports, and also action taken thereon

  43. Income - interest Interest rate parameters are controlled centrally Obtain list of transactions where interest rate has been entered by branch management Ensure that such entry and authorization is as per the Access Control Rules Review process of interest rate modifications in similar manner Test check a few interest calculations

  44. There is no need of checking all the accounts. It is enough if at least one account of all the account types is checked for accuracy of interest application.

  45. Reports that can give leads • List of cases where stock statements are not furnished on or after 28th February 2011 • List of cases where fresh limits were sanctioned: For the whole year from 1st April 2010 to 31st March 2011; For 4th Quarter period from 1st Jan 2011 to 31st Mar 2011; For 3rd Quarter period from 1st Oct 2010 to 31st Dec 2010; For 2nd Quarter period from 1st Jul 2010 to 30th Sep 2010; For 1st Quarter period from 1st Apr 2010 to 30th Jun 2010

  46. Reports that can give leads… List of overdue accounts i.e. outstanding amount > Sanctioned amount. List of manual entries viz. Interest Reversals Recognition of Interest in NPA Debit to HO account List of unchecked transactions (Accounts master) Standing Instructions

  47. Reports that can give leads…… • Temporary OD – beyond time limit • Time bound DPN • Large cash transactions – list of it viz. above Rs: 10 lakhs cash deposits • Operations in in-operative accounts • These reports are backbone of the system.

  48. CS 1: Core Banking Solution A bank in the process of implementing CBS had a central support team at the CPPD. These users were allowed unrestricted remote access to the branches. One employee used this facility to transfer funds from in-operative accounts of branches to a particular account of her relative. The money was subsequently withdrawn. This came to light during regular concurrent audit when auditor noted that there was movement in the in-operative account.

  49. CS 2: Vulnerability in Account Mapping A fraud was committed due to vulnerability in mapping of accounts in a CBS. Mapping of accounts is done only in one place which is at the CCD. In the present scenario, the GL heads were created and access given to the branches in such a way that any GL head could be debited or credited. One employee utilized this feature to debit a GL which had accumulated unreconciled debit balances and credited his personal account.

  50. Income - charges As in case of interest rate, parameters for other charges are controlled centrally Ensure that the software relates the transaction with the income to be applied Bank Guarantee / LC and its Commission / Charges ATM / Credit Card charges Charges for miscellaneous transactions Number of debits Note counting Review transactions where branch has an authority to deviate from the set parameters Test check a few transactions
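
The access-control check from slides 30 and 34 (match the Access Control Matrix with the users in the branch, and the EOD list of users with the attendance register) can be run as a reconciliation once the reports are exported. The following is an added example, not part of the presentation; the user IDs, roles, dates and data layout are constructed and hypothetical.

```python
# Constructed sample data; all user IDs, roles and field names are hypothetical.
ACCESS_MATRIX = {          # sanctioned role per user, per the Access Control Matrix
    "U101": "teller",
    "U102": "officer",
    "U103": "manager",
}
CBS_USERS = {              # users and roles actually configured in the CBS for the branch
    "U101": "teller",
    "U102": "manager",     # role differs from the sanctioned one
    "U103": "manager",
    "U199": "officer",     # not in the matrix at all
}
ATTENDANCE = {             # date -> user IDs marked present in the attendance register
    "2011-03-30": {"U101", "U102", "U103"},
    "2011-03-31": {"U101", "U103"},
}
EOD_USER_LIST = [          # (date, user ID) rows from the EOD "list of users" report
    ("2011-03-30", "U101"), ("2011-03-30", "U102"),
    ("2011-03-31", "U101"), ("2011-03-31", "U102"), ("2011-03-31", "U199"),
]

def reconcile_access(matrix, cbs_users, attendance, eod_users):
    """Return audit exceptions as sorted (kind, user, detail) tuples."""
    findings = set()
    for user, role in cbs_users.items():
        if user not in matrix:
            findings.add(("NOT_IN_MATRIX", user, role))
        elif matrix[user] != role:
            findings.add(("ROLE_MISMATCH", user, f"{matrix[user]}->{role}"))
    # Sanctioned users with no CBS ID: stale matrix or an undocumented removal.
    for user in matrix.keys() - cbs_users.keys():
        findings.add(("MATRIX_ONLY", user, matrix[user]))
    # A user ID active on a day its owner was absent suggests a shared password.
    for date, user in eod_users:
        if user not in attendance.get(date, set()):
            findings.add(("ACTIVE_WHILE_ABSENT", user, date))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile_access(ACCESS_MATRIX, CBS_USERS, ATTENDANCE, EOD_USER_LIST):
        print(finding)
```

Each exception is a query to raise with the Branch Manager and, if unexplained, a candidate remark for the LFAR.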
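
The transaction-log tests from slides 42, 47, 48 and 49 (serial control, operations in in-operative accounts, entries by users outside the branch, and GL debits credited to a staff account) can be expressed as checks over an exported log. This is an added example, not part of the presentation; the log layout, account numbers, the "GL-" prefix and the user IDs are constructed and hypothetical.

```python
# Constructed sample log; field names, IDs and account numbers are hypothetical.
TXN_LOG = [
    # (serial, user, user_home_unit, debit_account, credit_account, amount)
    (1001, "U101", "BR01", "SB-0001", "SB-0002", 5000),
    (1002, "U101", "BR01", "SB-0003", "SB-0004", 1200),
    (1004, "C900", "CPPD", "SB-0777", "SB-0420", 90000),  # remote user, dormant account
    (1004, "U102", "BR01", "SB-0005", "SB-0006", 300),    # serial number reused
    (1005, "U102", "BR01", "GL-SUSP", "SB-0102", 45000),  # GL debit to a staff account
]
INOPERATIVE = {"SB-0777"}     # accounts flagged in-operative in the account master
STAFF_ACCOUNTS = {"SB-0102"}  # accounts held by branch staff
BRANCH = "BR01"

def serial_exceptions(log):
    """Serial control: report missing and repeated system-allotted numbers."""
    serials = [row[0] for row in log]
    seen, dupes = set(), set()
    for s in serials:
        (dupes if s in seen else seen).add(s)
    missing = sorted(set(range(min(serials), max(serials) + 1)) - seen)
    return {"missing": missing, "duplicate": sorted(dupes)}

def lead_exceptions(log, inoperative, staff_accounts, branch):
    """Flag the patterns named in the lead reports and the two case studies."""
    leads = []
    for serial, user, home, debit, credit, amount in log:
        if debit in inoperative:
            leads.append((serial, "DEBIT_INOPERATIVE"))
        if home != branch:
            leads.append((serial, "NON_BRANCH_USER"))
        if debit.startswith("GL-") and credit in staff_accounts:
            leads.append((serial, "GL_DEBIT_TO_STAFF"))
    return leads

if __name__ == "__main__":
    print(serial_exceptions(TXN_LOG))
    for lead in lead_exceptions(TXN_LOG, INOPERATIVE, STAFF_ACCOUNTS, BRANCH):
        print(lead)
```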
