Introduction
- After acquiring a foundational understanding of auditing and its related concepts in the preceding chapters, it is now time to apply this knowledge to the specific task of auditing banks.
- In modern times, many transactions that were once conducted in person, such as shopping, ticket booking, and bill payment, are now carried out online, often facilitated through bank accounts. The advent of technology has made online payments accessible 24/7, eliminating the need for physical queues and enabling convenient financial transactions.
- Banking operations involve various complexities, from transaction processing to regulatory compliance and monitoring. Given the strategic significance of the banking sector, regulation and oversight are critical to maintaining economic stability and public trust.
- The banking sector is not only a cornerstone of economic growth but also a custodian of significant public funds, making it highly susceptible to reputational risks. Like any other economic activity, the banking sector is exposed to various risks, necessitating a robust framework to ensure its health and stability. Reliable financial information, supported by high-quality bank audits, is crucial for maintaining a sound banking sector.
In India, there are several types of banking institutions, each serving different purposes and catering to specific segments of the economy. These include:
- Public sector banks
- Private sector banks
- Foreign banks
- Regional rural banks
- Cooperative banks
- Small finance banks
- Payments banks
Each type of bank has its own unique characteristics and regulatory requirements, making auditing a specialized and intricate process that requires a deep understanding of the sector's intricacies.
- Commercial banks, the most widespread banking institutions in India, offer a plethora of products and services to the general public and various segments of the economy, with two primary functions: (a) accepting deposits and (b) granting advances.
- Regional Rural Banks (RRBs) are financial entities established in rural areas across different states of the country to meet the basic banking and financial requirements of rural communities. Examples include Punjab Gramin Bank, Tripura Gramin Bank, Allahabad UP Gramin Bank, Andhra Pradesh Grameen Vikas Bank, among others.
- Co-operative Banks, similar to Commercial Banks in function, are founded on Cooperative Principles and registered under the Cooperative Societies Act or the Multistate Cooperative Societies Act. Typically, they cater to the agricultural and rural sectors. Examples include The Gujarat State Co-operative Bank Ltd., Chhatisgarh Rajya Sahakari Bank Maryadit, among others.
- Payments Banks, a new category introduced by the RBI, are permitted to accept limited deposits but are prohibited from issuing loans and credit cards. However, they offer Current & Savings accounts, as well as ATM cum Debit cards, Internet banking, and Mobile banking. Examples include Airtel Payments Bank, India Post Payments Bank, Paytm Payments Bank, among others.
- Development Banks are designed to provide financial support for essential infrastructural facilities crucial for the nation's economic growth. Examples include Industrial Finance Corporation of India (IFCI), Industrial Development Bank of India (IDBI), Small Industries Development Bank of India (SIDBI), among others.
- Small Finance Banks, established by the RBI, aim to provide basic financial and banking services to underserved and unorganized sectors like small marginal farmers, small & micro business units, etc. Examples include Equitas Small Finance Bank, AU Small Finance Bank, among others.
Question for Audit of Banking
Try yourself:
What is the primary function of commercial banks in India?
Explanation
- Commercial banks in India have two primary functions: accepting deposits and granting advances.
- Accepting deposits refers to the bank's ability to receive money from individuals and businesses and hold it in various types of accounts, such as savings accounts and current accounts.
- Granting advances refers to the bank's ability to provide loans and credit to individuals and businesses, allowing them to borrow money for various purposes.
- These functions make commercial banks the most widespread banking institutions in India, serving the general public and various segments of the economy.
Reserve Bank of India
The banking industry in India is overseen by the Reserve Bank of India (RBI), which serves as the nation's Central Bank. The RBI's responsibilities include:
- Developing and supervising the Indian financial system, consisting of banks and non-banking financial institutions.
- Collaborating with the Central Government to determine monetary and credit policies as per the current needs.
- Regulating the operations of commercial and other banks.
Key functions of the RBI include:
- Issuing currency.
- Regulating currency issuance.
- Serving as the banker to the central and state governments, as well as to commercial and other banks, including term-lending institutions.
Additionally, the RBI is tasked with regulating the activities of commercial and other banks. Banks must obtain a license from the RBI before commencing banking operations or opening new branches. The RBI also has the authority to inspect any bank. Independent audits of banks' financial statements are crucial for maintaining a healthy, safe, and sound banking system.
Banking operations are typically carried out exclusively at branches, while other offices serve as administrative centers responsible for setting policies, systems, and internal control procedures. These administrative offices also delegate powers, assign responsibilities, and ensure compliance with statutory/regulatory requirements and accepted accounting principles and practices. They play a vital role in supervising, monitoring, and controlling business activities and operations, ensuring compliance with the bank's policies, procedures, and controls, and addressing any deviations from these standards.
Regulatory Framework
In addition to the above-mentioned statutes, the Reserve Bank of India Act, 1934, (RBI Act) also significantly impacts the operations of banks. This Act grants extensive powers to the RBI, enabling it to issue directives to banks that have a substantial impact on their operations.
There are several peculiarities involved in the functioning of banks, including:
- High volumes and complexity of transactions.
- Extensive geographical spread of banks' networks.
- Diverse range of products and services offered.
- Extensive use of technology.
- Close monitoring by the banking regulator.
Types of Bank Audit Reports Typically Issued:
At present, Statutory Central Auditors (SCAs) are required to submit the following reports in addition to their primary audit report:
- A report on the adequacy and effectiveness of internal controls over financial reporting, for banks registered as companies under the Companies Act, under Section 143(3)(i) of the Companies Act, 2013. This report is usually provided as an annexure to the main audit report, as per the ICAI's Guidance Note on Audit of Internal Financial Controls over Financial Reporting.
- A Long Form Audit Report (LFAR).
- A report on compliance with Statutory Liquidity Ratio (SLR) requirements.
- A report on whether the bank's treasury operations were conducted in accordance with RBI instructions.
- A report on whether the bank's income recognition, asset classification, and provisioning were made in line with RBI guidelines.
- A report on any serious irregularities observed in the bank's operations that require immediate attention.
- A report on the bank's compliance status with the recommendations of the Ghosh Committee on frauds and malpractices, as well as the recommendations of the Jilani Committee on internal control and inspection/credit systems.
- A report on instances of adverse credit-deposit ratio in rural areas.
Understanding of accounting system in banks
The banking industry has undergone a significant transformation due to advancements in technology, allowing customers to access banking services anytime and anywhere. This transformation has been made possible by the continuous evolution of technology, enabling banks to provide a wide range of innovative products and services to their customers. The use of Core banking technology has played a crucial role in this transformation, facilitating the efficient handling of voluminous transactions and ensuring the integrity of information and data throughout the recording, transmission, and storage processes. Despite the challenges posed by technology, bank managements strive to maintain robust, secure, and convenient internal control systems for their customers.
Banks can be categorized based on their level of computerization:
- Non-computerized banks: Transactions are conducted manually at bank branches during working hours using paper and pen.
- Partially computerized banks: Some transactions are computerized, while others remain non-computerized.
- Fully computerized banks: Core banking technology allows inter-connectivity between branches, enabling customers to operate their accounts and access banking services from any branch of the bank over the network.
In a computerized environment, auditors must ensure that all norms and parameters specified in the latest applicable RBI guidelines are incorporated into the system that generates information affecting classification, provisions, and income recognition. Auditors should not assume that system-generated information is accurate and reliable without evidence demonstrating compliance with required parameters. They should exercise professional skepticism and prudence, conducting manual checks when necessary to verify the authenticity and consistency of information obtained from systems, and documenting the results of such activities.
Question for Audit of Banking
Try yourself:
What is the primary responsibility of the Reserve Bank of India (RBI)?
Explanation
- The primary responsibility of the Reserve Bank of India (RBI) is to develop and supervise the Indian financial system, which includes banks and non-banking financial institutions.
- The RBI collaborates with the Central Government to determine monetary and credit policies.
- It also regulates the operations of commercial and other banks, ensuring their compliance with statutory/regulatory requirements and accepted accounting principles and practices.
- Additionally, the RBI issues currency and regulates currency issuance, serving as the banker to the central and state governments, commercial banks, and other financial institutions.
Bank Audit Approach
- Creating an Audit Plan: An audit plan should be formulated based on the following factors: the nature and scope of operations, any unfavorable features, previous compliance levels, and audit risks stemming from internal control inadequacies or breaches, as well as the familiarization exercise conducted.
- Bank's Control Environment: A bank should have suitable controls to mitigate risks, including proper segregation of duties (particularly between front and back offices), precise measurement and reporting of positions, validation and approval of transactions, reconciliation of positions and results, establishment of limits, reporting and approval of exceptions, physical security, and contingency planning. The following are certain common questions/steps to be considered or answered during the execution/performance of control activities:
- Engagement Team Conversations: All staff involved in an engagement, including external experts engaged by the firm, form the "Engagement Team". This team should engage in discussions to enhance their understanding of the bank and its operational environment, focusing on internal controls and the potential for significant misstatements in the financial statements. These discussions must be properly documented for future reference. The dialogue between the engagement team members and the audit engagement partner should specifically address the susceptibility of the bank's branch financial statements to material misstatements. These conversations usually occur during the audit planning phase.
The engagement team typically discusses the following topics:
- Errors that are more likely to occur;
- Errors identified in previous years;
- Methods by which fraud might be perpetrated by bank personnel or others within specific account balances and/or disclosures;
- Audit responses to Engagement Risk, Pervasive Risks, and Specific Risks;
- The need to maintain professional skepticism throughout the audit engagement;
- The need to be alert for information or other conditions that indicate a material misstatement may have occurred (e.g., the bank's application of accounting policies in the given facts and circumstances).
Advantages of such a discussion include:
- Providing specific emphasis on the susceptibility of the bank's financial statements to material misstatement due to fraud, enabling the engagement team to consider an appropriate response to fraud risks, including those related to engagement risk, pervasive risks, and specific risks.
- Enabling the audit engagement partner to delegate work to experienced engagement team members and determine the procedures to be followed when fraud is identified.
- Reviewing the need to involve specialists to address issues related to fraud.
Income Recognition Policy
The income recognition policy should be objective and based on actual recovery rather than subjective considerations. Income from non-performing assets (NPAs) is not recognized on an accrual basis but is recorded as income only upon receipt. (This is detailed further below.)
Form and Content of Financial Statements
- Sections 29(1) and 29(2) of the Banking Regulation Act, 1949, outline the form and content of financial statements for banking companies, as well as their authentication. These provisions also apply to nationalized banks, the State Bank of India, subsidiaries of the State Bank of India, and Regional Rural Banks.
- Every banking company must prepare a Balance Sheet and a Profit and Loss Account in the forms set out in the Third Schedule to the Act, or as close to them as circumstances permit. Form A of the Third Schedule contains the Balance Sheet format, while Form B contains the Profit and Loss Account format.
- Banking companies must also adhere to the disclosure requirements of various Accounting Standards, as specified under Section 133 of the Companies Act, 2013, in conjunction with Rule 7 of the Companies (Accounts) Rules 2014, to the extent they apply to banking companies, or the Accounting Standards issued by the Institute of Chartered Accountants of India (ICAI).
Audit of Accounts
Section 30(1) of the Banking Regulation Act, 1949, mandates that the balance sheet and profit and loss account of a banking company must be audited by a person duly qualified under any law in force at the time to be an auditor of companies.
Appointment of Auditor
As per relevant enactments:
- The auditor of a banking company is appointed at the annual general meeting of shareholders.
- The auditor of a nationalized bank is appointed by the bank's Board of Directors (with approval from the Reserve Bank of India).
- The auditors of the State Bank of India are appointed by the Comptroller and Auditor General of India, in consultation with the Central Government.
- The auditors of the subsidiaries of the State Bank of India are appointed by the State Bank of India.
- The auditors of regional rural banks are appointed by the bank concerned with the Central Government's approval.
Question for Audit of Banking
Try yourself:
What factors should be considered when formulating an audit plan for a bank?
Explanation
- The audit plan for a bank should consider the nature and scope of its operations, including any unfavorable features that may pose risks.
- Previous compliance levels should also be taken into account to identify areas of improvement or potential issues.
- Internal control risks, such as inadequacies or breaches, should be assessed to determine the necessary audit procedures.
- Factors like the bank's control environment and engagement team conversations are important considerations within the audit plan, but they are not the primary factors to be considered. Similarly, the form and content of financial statements and appointment of auditors are important aspects of the audit process, but they are not directly related to formulating the audit plan.
Remuneration of Auditor
(a) The auditor's remuneration for a banking company is to be determined in accordance with Section 142 of the Companies Act, 2013, either at the general meeting or as determined by the general meeting.
(b) The remuneration of auditors for nationalized banks and the State Bank of India is to be fixed by the Reserve Bank of India in consultation with the Central Government.
Powers of Auditor
The auditor of a banking company, nationalized bank, State Bank of India, subsidiary of the State Bank of India, or regional rural bank has the same powers as a company's auditor regarding access to books, accounts, documents, and vouchers.
Auditor's Report
For nationalized banks, the auditor must report to the Central Government, stating:
- Whether, in their opinion, the financial statements present a true and fair view of the bank's affairs, and if any explanation or information requested has been provided satisfactorily;
- Whether the bank's transactions, to their knowledge, have been within its powers;
- Whether the returns from the bank's offices and branches are adequate for the audit's purpose;
- Any other relevant matters.
The report of auditors for the State Bank of India is also submitted to the Central Government and is similar to the auditor's report for a nationalized bank.
- Apart from the statutory audit report discussed earlier, the terms of appointment for auditors of public sector banks, private sector banks, and foreign banks (as well as their branches) also require them to provide a long form audit report (LFAR). The Reserve Bank of India has specified the areas that auditors need to address in the LFAR.
- The LFAR must be submitted by June 30th each year. To ensure timely submission, proper planning for completing the LFAR is necessary. Although the LFAR format does not mandate an executive summary, it may be beneficial for members to include one to highlight the key observations.
Reporting to RBI
- The RBI issued a Circular concerning the implementation of the recommendations of the Committee on Legal Aspects of Bank Frauds, which is applicable to all scheduled commercial banks (excluding Regional Rural Banks). The circular states: "If an accounting professional, during internal or external audit, or institutional audit, discovers anything indicative of fraud, fraudulent activity, abuse of power, or any suspicious activity in a transaction, they should report it to the regulator. Any deliberate failure by the auditor to do so would make them liable for action."
- In accordance with this requirement, members must report such matters to the RBI. Additionally, auditors should consider the provisions of SA 250, "Consideration of Laws and Regulations in an Audit of Financial Statements," which states that the duty of confidentiality is overridden by statute, law, or court order. SA 240, "The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements," states that auditors conducting an audit in accordance with SAs are responsible for obtaining reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error.
- It is important to note that auditors are not expected to scrutinize each transaction individually but rather evaluate the system as a whole. Therefore, if auditors come across any instances while performing their regular duties, they should report them to the RBI and the Chairman/Managing Director/Chief Executive of the concerned bank.
Obligation to Report Fraud under the Companies Act, 2013
In accordance with sub-section 12 of section 143 of the Companies Act, 2013, if an auditor of a company, while performing their duties as auditor, has reason to believe that a fraud involving an amount or amounts as prescribed by law, has been or is being committed in the company by its officers or employees, the auditor must report the matter to the Central Government within the specified timeframe and following the prescribed procedure. For further details, students are encouraged to review Chapter 5 - Fraud and Responsibilities of the Auditor for a comprehensive understanding.
Conducting an Audit
The audit of banks or their branches involves the following stages:
- Initial Consideration by the Statutory Auditor
- Declaration of Indebtedness: Before appointing their statutory central/branch auditors, banks should obtain a declaration of indebtedness, which means owing money to the bank in any form.
- Internal Assignments in Banks by Statutory Auditors: Audit firms should not undertake statutory audit assignments while associated with internal assignments in the bank during the same year, like concurrent audits (internal audit of banks conducted monthly during the year).
- Planning: The auditor should perform procedures required by Standard on Auditing (SA) 220, "Quality Control for Audit Work," regarding the acceptance of the client relationship and the specific audit engagement. They should also establish an understanding of the terms of engagement as per SA 210, "Agreeing the Terms of Audit Engagements."
- Communication with Previous Auditor: A Chartered Accountant in practice should not accept a position as an auditor previously held by another Chartered Accountant without first communicating with them in writing. They should obtain a No Objection Certificate (NOC) from the previous auditor to ensure there are no objections to the appointment.
- Terms of Audit Engagements: The auditor should agree on the terms of the audit engagement with the bank before beginning significant portions of fieldwork. It is crucial to document the terms of the engagement to avoid any confusion.
- Initial Engagements: The auditor needs to perform audit procedures as mentioned in SA 510, "Initial Audit Engagements-Opening Balances." If they conclude that the opening balances contain misstatements that materially affect the financial statements and are not properly accounted for and adequately disclosed, they should express a qualified or adverse opinion.
- Assessment of Engagement Risk: The assessment of engagement risk is critical and should be done before accepting an audit engagement. It affects the decision of accepting the engagement and planning decisions if the audit is accepted.
- Establish the Engagement Team: The assignment of qualified and experienced professionals is essential for managing engagement risk. The size and composition of the engagement team depend on the size, nature, and complexity of the bank’s operations.
- Understanding the Bank and its Environment: The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements and to design and perform further audit procedures.
- Identifying and Assessing the Risks of Material Misstatements: The auditor should identify and assess the risks of material misstatement at the financial statement level and the assertion level for classes of transactions, account balances, and disclosures to provide a basis for designing and performing further audit procedures.
- Understanding the Bank and Its Environment including Internal Control: An understanding of the bank and its environment, including its internal control, enables the auditor to identify and assess risk, develop an audit plan, determine the operating effectiveness of the controls, and address specific risks.
- Understanding the Bank’s Accounting Process: Understanding the accounting process is necessary to identify and assess the risks of material misstatement and design and perform further audit procedures.
- Understanding the Risk Management Process: An effective risk management system in a bank requires oversight and involvement in the control process by those charged with governance, identification, measurement, and monitoring of risks, control activities, monitoring activities, and reliable information systems.
- Engagement Team Discussions: The engagement team should hold discussions to gain a better understanding of the bank and its environment, including internal control, and assess the potential for material misstatements of the financial statements.
- Establish the Overall Audit Strategy: The audit engagement partner should establish the overall audit strategy before the commencement of an audit and involve key engagement team members and other appropriate specialists.
- Develop the Audit Plan: The auditor should involve all key members of the engagement team while planning an audit and summarize the audit plan by preparing an audit planning memorandum.
- Audit Planning Memorandum: The auditor should describe the expected scope and extent of the audit procedures, highlight all significant issues and risks, and provide evidence that they have planned the audit engagement appropriately.
- Determine Audit Materiality: The auditor should consider the relationship between the audit materiality and audit risk when conducting an audit and determine the audit materiality based on professional judgment, knowledge of the bank, assessment of engagement risk, and reporting requirements.
- Consider Going Concern: The auditor should consider whether there are events and conditions that may cast significant doubt on the bank’s ability to continue as a going concern.
- Assess the Risk of Fraud including Money Laundering: The auditor's objective is to identify and assess the risks of material misstatement in the financial statements due to fraud, obtain sufficient appropriate audit evidence, and respond appropriately. The auditor should maintain professional skepticism to recognize the possibility of misstatements due to fraud.
- Assess Specific Risks: The auditor should identify and assess the risks of material misstatement at the financial statement level, which relate pervasively to the financial statements as a whole and potentially affect many assertions.
- Risk Associated with Outsourcing of Activities: The auditor should effectively manage the risks associated with outsourcing activities by banks.
- Response to the Assessed Risks: The auditor should design and implement overall responses to address the assessed risks of material misstatement at the financial statement level and design and perform further audit procedures based on the assessed risks at the assertion level.
- Basel III Framework: The Basel Committee on Banking Supervision and the Financial Stability Board have proposed certain minimum criteria for the inclusion of instruments in the new definition of regulatory capital.
- Reliance on / Review of Other Reports: The auditor should review reports such as previous year’s audit reports, internal inspection reports of bank officials, Reserve Bank’s latest inspection report, concurrent/internal audit report, and other internal reports related to particular accounts. The statutory central auditors must review the Annual Financial Inspection report of RBI relating to the bank and ensure that variations in provisions, etc. reported by RBI have been properly considered by the bank management.