Essential Guidelines for Bank Audits: Procedures and Best Practices

Bank audits require special considerations due to several unique factors related to the banking sector. The particular nature of risks associated with financial transactions, the voluminous scale of banking operations, and the significant exposures banks face all contribute to this complexity. Banks also rely extensively on information technology for transaction processing. Various statutory and regulatory requirements apply to banks, which demand strict compliance. Furthermore, the continual development of new products, services, and banking practices often outpaces the concurrent evolution of accounting principles and auditing methods. The rapid evolution of technology, especially services through the internet and mobile banking, exposes banks to substantial operational and financial risks.

The audit of bank accounts and the appointment of auditors are governed by the Banking Regulation Act. Section 30(1) mandates that the balance sheet and profit and loss account of a banking company must be audited by a person duly qualified to be an auditor of companies. Typically, banks appoint multiple firms of chartered accountants to act jointly as statutory central auditors. The appointment letter outlines important details such as the period of appointment, particulars of other central auditors, information about previous auditors, procedural requirements for accepting the assignment, division of work, and review and reporting responsibilities among joint auditors, especially in the case of nationalized banks. The scope of the assignment includes any special reports or certificates that statutory central auditors must provide in addition to the main audit report.

The authority responsible for appointing auditors varies by type of bank. For banking companies, auditors are appointed at the annual general meeting of shareholders with approval from the central bank regulator. Auditors of nationalized banks are appointed by the concerned bank through its board of directors, subject to regulatory approval. The auditors of the State Bank of India are appointed by the Comptroller and Auditor General in consultation with the central government. Regional rural banks appoint auditors with the approval of the central government.

Conducting a Bank Audit

Conducting a bank audit involves several well-defined stages that help ensure comprehensive coverage and effective evaluation. The first stage involves initial considerations that include acceptance and continuance of the audit, declaration of indebtedness, internal assignments in banks by statutory auditors, terms of audit engagements, communication with previous auditors, and establishment of the engagement team. This stage sets the foundation for the audit engagement and ensures clarity on scope, responsibilities, and coordination among auditors.

The second stage requires the auditor to develop a thorough understanding of the bank’s business operations. This includes gaining insight into the bank’s environment, internal control systems, and accounting processes. It also involves understanding the risk management process of the bank, which is essential to evaluate whether the bank’s risk management policies and controls are effective and aligned with the bank’s business objectives and regulatory requirements. Risk management systems in banks typically involve oversight by the board or the top governing body to ensure policies are consistent with capital strength, management expertise, and acceptable risk levels. Identification, measurement, and monitoring of risks that may affect the achievement of the bank’s goals are crucial components. The auditor must assess whether the bank has effective control activities such as segregation of duties, transaction verification, setting of limits, and exception reporting. Monitoring activities by a dedicated risk management unit is also important. Reliable information systems that provide timely and consistent financial, operational, and compliance data to management and the board must be evaluated.

The third stage involves risk assessment, where auditors identify and assess risks of material misstatements in the financial statements. This includes risks of fraud, such as money laundering, and other specific risks associated with the bank’s operations. Additionally, risks related to outsourcing activities must be considered. Risk assessment enables auditors to design appropriate audit responses and allocate resources effectively.

The execution stage encompasses detailed audit procedures based on the assessed risks. This involves discussions within the audit engagement team, responding to the identified risks, establishing an overall audit strategy, preparing an audit planning memorandum, determining audit materiality, and evaluating the appropriateness of the going concern assumption for the bank. Execution focuses on gathering sufficient and appropriate audit evidence to form an opinion on the financial statements.

The final stage of the audit is reporting. Auditors issue the main audit report along with any other required reports or certificates. Reporting must comply with statutory and regulatory requirements and communicate audit findings clearly to stakeholders.

Special Considerations in the Core Banking System Environment

Banks rely heavily on complex information technology environments, often operating on core banking systems (CBS). Auditors need to obtain detailed information about the bank’s overall IT policies, structure, and system environment. This includes understanding data processing and data interfaces across various systems, data integrity and security measures, business continuity plans, and disaster recovery plans. The accounting manual and critical accounting entries must be examined to verify accuracy and proper controls. Controls over booking expenses, identifying overdue accounts, recording e-banking and internet banking transactions, and generating management information system (MIS) reports are important areas of review. Auditors should assess how exception reports are generated and reviewed, and the processes for generating disclosures in the financial statements.

A review of the IT environment is generally conducted at the head office level, as branch auditors often do not have direct access to IT policies and processes. Based on guidance from statutory central auditors, branch auditors are responsible for data review and analysis through the CBS and conducting tests of controls and substantive procedures at the branch level. Results must be communicated to statutory central auditors.

Key security control aspects that auditors must consider include ensuring that data processed is authorized, accurate, and complete. Systems should be capable of restarting after interruptions without data loss or distortion. Controls must prevent unauthorized program changes and provide appropriate access rights. Segregation of duties in system access must be enforced. Changes to parameters or user levels should be properly authenticated. Exceptional transaction reports require authorization and verification. Master accounts and balances should not be modified except by authorized personnel. Finally, auditors must verify that balances in the general ledger reconcile with subsidiary records.

Risk-based Internal Audit

The internal audit function in banks increasingly follows a risk-based approach. This approach involves assessing inherent business risks associated with various branch activities and evaluating the effectiveness of controls to manage those risks. Risk assessment includes analyzing the level and direction of risk across different areas, such as credit, operational, market, and compliance risks. The process typically involves drawing up a risk matrix that considers the relative risk of each branch or business segment.

Risk-based internal audits focus audit resources on high-risk areas to provide better assurance on the bank’s overall risk management framework. This method helps identify potential weaknesses early and improves the efficiency and effectiveness of the internal audit function.

Internal Control Procedures in Banks

Internal control procedures are fundamental to safeguarding assets, ensuring the accuracy of financial records, and promoting operational efficiency within banks. General controls include measures such as frequently rotating staff and officers to different positions without prior notice. This practice reduces the risk of fraud and collusion. The work of one individual should be checked by another to maintain accountability. Responsible officers must be entrusted with the custody of demand drafts, cheque books, and other critical documents. Signature books, which contain specimen signatures for verification purposes, should be securely held by designated responsible officers. Insurance policies should be maintained to protect the bank against losses arising from employee dishonesty or infidelity. The management structure of the bank must be clearly defined so that roles, rights, and responsibilities are well understood throughout the organization.

Cash handling controls require that cash be kept under the joint custody of at least two responsible officers. Surprise cash checks should be conducted regularly to detect discrepancies early. Cashiers should not have access to customer ledger accounts or day books to prevent unauthorized adjustments. Payments should only be made after vouchers have been duly authorized by appropriate officers. Receipt and payment records maintained by the cashier must be independently compared with cash columns in the daybook to ensure consistency. Limits on the payment authority of tellers should be established and strictly enforced.

Cheque clearing procedures have evolved with the introduction of the Cheque Truncation System, which allows electronic images of cheques to be transmitted to the paying branch, along with relevant information from the MICR band and other details. This system significantly reduces the cost and time associated with the physical movement of cheques. Inward cheques for amounts exceeding a specified threshold require the bank to contact the customer either by phone or email according to regulatory guidelines. Staff must verify the drawer’s signature on cheques. Unpaid cheques received through outward clearing should be returned to customers or made available for collection at the branch promptly.

Procedures for bills for collection include ensuring that all accompanying documents are received and entered in the register by responsible officers. Credit to the principals’ accounts should only occur upon realization of the bill. It is important to confirm that bills sent between branches are not recorded twice in the balance sheet.

Bills purchased by the bank must be supported by proper documentation, including valid assignment of title documents. Adequate margins should be maintained when purchasing or discounting bills. Irregular outstanding accounts must be reported periodically to the head office. Income recognition for outstanding bills should be proportionate to the period outstanding.

Loans and Advances Verification

Verification of loans and advances requires careful audit procedures to confirm the accuracy, completeness, and proper classification of these accounts. Advances should be granted only after thorough evaluation of the borrower’s creditworthiness and approval by authorized personnel. Loan documents must be executed before any disbursement. Adequate margins should be maintained against securities provided as collateral. Custody of securities must be jointly held by responsible officers, and securities requiring registration must be duly registered in the bank’s name.

Auditors should verify that the market values of pledged goods are determined through personal inquiries. Adjustments to drawing power must be made for any changes in the value of securities. Irregular accounts need to be regularly reported to the head office. Each advance account should be reviewed at least annually. Post-disbursement supervision and follow-up procedures must be in place. Classification and disclosure of advances must comply with regulatory guidelines. Additionally, the use of disbursed funds should be monitored to ensure they are applied only for their intended purposes.

Demand drafts require strict controls. The signatures on demand drafts must be verified against the signature book. Every issued demand draft should be immediately confirmed by advice sent to the paying branch. If confirmation or credit is not received promptly, immediate steps must be taken to investigate the discrepancy.

Credit card operations require effective screening of applicants based on credit assessments. Controls over card storage and issuance must be strict. Merchants should confirm the unutilized credit limit of cardholders before accepting payments exceeding specified percentages of the total limits. Merchants must promptly report all settlements made through credit cards. Reimbursements to merchants must only occur after verification of the validity of the transactions. Customer accounts should be immediately charged for such reimbursements. Customers must receive regular and timely statements. Monitoring and follow-up procedures should ensure timely customer payments. Accounts with overdue balances must be identified and managed carefully. Periodic reviews of credit card holder accounts allow banks to adjust credit limits as necessary.

Verification of Statutory Liquidity Ratio

Statutory central auditors must verify compliance with the statutory liquidity ratio (SLR) on multiple dates throughout the financial year. The verification involves checking the accuracy of the Demand and Time Liabilities figure and ensuring that the prescribed percentage of liquid assets is maintained.

Auditors should obtain and understand relevant regulatory circulars to determine which items are included in the Demand and Time Liabilities. Branch auditors verify the correctness of trial balances and examine cash balances on specified dates. Auditors at the head office examine consolidations prepared from branch returns, test the DTL position, and ensure the inclusion of all branch information. Balances in branch adjustment accounts of foreign branches require special scrutiny. To improve efficiency, information from branches may be consolidated at the regional level and verified by regional auditors. The central auditor applies audit procedures to these consolidated figures and discloses reliance on unaudited branch returns.

Certain items are excluded from Demand and Time Liabilities, including paid-up capital, reserves, credit balances in profit and loss accounts, certain loans and refinance amounts, bills discounted with eligible financial institutions, provisions for income tax, insurance claim receipts, unrealized gains or losses on derivatives, income received in advance, liabilities arising from banker’s acceptance facilities, partial recoveries on bad debts, and unadjusted deposits held for agency business. Items to be included in DTL consist of net credit balances in branch adjustment accounts, accrued interest on deposits, cash collaterals, borrowings from abroad, and reconciliation of Nostro accounts to identify unaccounted inward remittances.

Some categories are exempted by regulatory circulars, such as minimum eligible credits and outstanding long-term bonds for infrastructure financing, certain foreign currency deposits, and prescribed currency conversion rates for foreign exchange assets and liabilities.

Verification of Investments

The verification of investments in banks involves thorough audit procedures to ensure compliance with regulatory guidelines and the accuracy of reported investment holdings. The auditor must evaluate the internal controls surrounding investment activities and review the bank’s investment policy to confirm it aligns with the central bank’s directives. It is important to examine whether the bank maintains separate accounts for investments made on its behalf and those managed on behalf of portfolio management services clients. Regulatory requirements often mandate that banks have these separate investments audited by external auditors to prevent the commingling of funds.

Physical verification of investment securities is essential and should be conducted at the close of business on the balance sheet date. Investments held with public debt offices, custodians, and depositories must be verified against statements of holdings. Independent confirmation requests can be sent to third parties to corroborate the existence and ownership of securities. In cases where bank receipts issued by other banks are held, auditors should obtain confirmations from the issuing banks. The classification of the investment portfolio into held-to-maturity, held-for-trading, and available-for-sale categories must be reviewed carefully. Any shifting of securities between these categories requires board approval and adherence to regulatory norms.

Special-purpose certificates related to investments are often required by regulators. These include certificates confirming reconciliation of securities on the bank’s own account and portfolio management services accounts. Certificates on compliance with prudential and other relevant guidelines issued by the central bank also form part of statutory audit requirements. These certificates provide additional assurance about the bank’s adherence to regulatory standards in investment activities.

Banks should undertake half-yearly reviews of their investment portfolios, typically as of September 30 and March 31. These reviews cover operational aspects of the portfolio, any amendments to the investment policy, and certify compliance with internal policies and regulatory guidelines. Internal auditors conduct concurrent audits of treasury transactions, and their reports are regularly presented to the bank’s top management.

Income recognition norms for investments require that income on performing investments can be recorded on an accrual basis if the interest rates are predetermined. For non-performing investments, income should be recognized only upon realization. Dividends on shares can be booked on an accrual basis if declared by the annual general meeting and the shareholder’s right to receive payment is established. Income from mutual fund units is accounted for on a cash basis.

Verification of Advances

Verification of advances is a critical area in bank audits. Auditors focus on obtaining evidence that the amounts recorded as advances on the balance sheet are valid, accurately recorded, and appropriately valued. It is necessary to confirm that loan documents support the advances and that no unrecorded advances exist. Advances must be properly classified and disclosed according to recognized accounting policies, and appropriate provisions must be made as per regulatory norms.

Evaluation of internal controls over advances includes reviewing the credit appraisal process to ensure loans are sanctioned according to delegated authority. All loan documentation must be executed before disbursement. Auditors verify compliance with the terms of the sanction and ensure funds are used for their intended purposes. The existence and valuation of securities taken as collateral must be confirmed. Reviewing the operations of advance accounts helps identify any adverse conditions or irregularities. Procedures for review and renewal of advances must be followed strictly. Drawing power calculations are checked for accuracy, and compliance with both the bank’s loan policies and regulatory prudential norms is essential.

Audit of Specific Areas in Advances

The auditor should review the system for post-disbursement supervision and follow-up to ensure continued compliance with loan terms and early detection of potential defaults. Advances must be classified as per regulatory guidelines to identify performing and non-performing assets correctly. The use of funds must be monitored to avoid diversion from approved purposes.

Audit Procedures for Demand Drafts and Credit Cards

In auditing demand drafts, the auditor ensures that signatures are verified against the signature book and that all issued drafts are confirmed promptly to paying branches. Investigations are required if confirmations or credits are not received in a timely manner.

Credit card operations require audit attention to screening procedures for applicants, control over card storage and issuance, merchant settlement verification, and prompt reporting of transactions. Customer accounts must be charged accurately, and statements sent regularly. The auditor should review monitoring and follow-up systems for customer payments and controls for overdue items. Periodic review of cardholder accounts enables timely adjustments to credit limits.

Verification of Statutory Liquidity Ratio Compliance

Statutory central auditors play a critical role in verifying banks’ compliance with the statutory liquidity ratio (SLR). This involves examining whether banks maintain the prescribed percentage of liquid assets against their net demand and time liabilities on specified dates throughout the financial year. Auditors must confirm the accuracy of the demand and time liabilities figures reported by banks and ensure that liquid assets such as cash, government securities, and other approved investments meet regulatory requirements.

To perform this verification, auditors must understand relevant regulatory circulars and guidelines defining items to be included or excluded from demand and time liabilities. They review branch-level trial balances and cash balances, test consolidations prepared at the head office, and reconcile balances in branch adjustment accounts, including those of foreign branches. Where branch data is unaudited, auditors indicate reliance on branch returns and specify the number of such branches in their reports.

The auditors pay close attention to the exclusion of certain items from demand and time liabilities, such as paid-up capital, reserves, credit balances in profit and loss accounts, specific types of loans, provisions for taxes, insurance claim amounts, unrealized gains or losses on derivatives, and various other specified deposits and liabilities. Similarly, auditors confirm the inclusion of other items such as net credit balances in branch adjustment accounts, accrued interest on deposits, cash collaterals, borrowings from abroad, and proper reconciliation of Nostro accounts.

Auditors also ensure compliance with exempted categories under regulatory circulars, such as minimum eligible credits and bonds related to infrastructure financing, certain foreign currency deposits, and the use of prescribed currency conversion rates. This comprehensive approach assures regulators and stakeholders that banks adhere to mandated liquidity norms essential for financial stability.

Review of Investment Portfolios and Income Recognition

Banks conduct regular half-yearly reviews of their investment portfolios, which auditors examine for operational compliance and adherence to internal investment policies and regulatory guidelines. These reviews cover amendments to investment policies and certify conformity with prudential norms.

Internal auditors conduct concurrent audits of treasury transactions, and their findings are presented periodically to senior management. Auditors verify income recognition related to investments, ensuring that income from performing investments is booked on an accrual basis when interest rates are predetermined. Income on non-performing investments is recognized only upon realization. Dividends from corporate shares are accounted for on an accrual basis if declared and rights to receive payments are established. Income from mutual fund units is recorded on a cash basis.

Advanced Verification and Audit Procedures

The verification of advances is a crucial audit area where auditors confirm the validity and accuracy of loan balances. They ensure advances are supported by proper documentation, correctly classified, and adequately provisioned. Evaluation of internal controls focuses on credit appraisal processes, authorization, loan documentation, compliance with sanction terms, and monitoring of fund utilization.

Auditors examine the enforceability and valuation of securities held as collateral and assess whether review and renewal processes for advances are followed. They verify drawing power calculations and compliance with the bank’s loan policy and regulatory prudential norms. Regular reporting of irregular accounts to the head office and effective post-disbursement supervision are essential control aspects that auditors review.

Audit of Demand Drafts and Credit Card Operations

In demand draft audits, verification of signatures against authorized specimen books is critical. Auditors ensure that all issued drafts are promptly confirmed to paying branches. Any failure to receive confirmation triggers immediate investigation.

Credit card audits assess applicant screening, card issuance controls, merchant settlement processes, and the accuracy of customer account charges. The auditor examines the timeliness and accuracy of customer statements, monitoring systems for customer payments, management of overdue items, and periodic reviews of credit card holder accounts to adjust credit limits when necessary.

Conclusion

Bank audits require specialized knowledge and procedures due to the complexity and regulatory nature of the banking industry. Auditors must pay close attention to internal controls, IT environments, risk assessment, statutory compliance, and detailed verification of advances, investments, demand drafts, and credit card operations. Adhering to established audit stages from initial considerations through risk assessment, execution, and reporting ensures that auditors deliver comprehensive evaluations that support the safety, soundness, and transparency of banking institutions.