RISK BASED AUDIT OF BANKS

Historically, the audit system in banks has been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, and adherence to legal and regulatory requirements. However, in the changing scenario such testing by itself would not be sufficient. There is a need for widening as well as redirecting the scope of audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in banks. To achieve these objectives, one needs to adopt risk-based audit, which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank’s operations.

What is Risk Based Audit?

A risk-based audit approach is designed to be used throughout the audit to efficiently and effectively focus the nature, timing and extent of audit procedures on those areas that have the most potential for causing material misstatement(s) in the financial report. The risk-based audit approach requires the auditor to first understand the bank and its environment in order to identify risks that may result in material misstatement of the financial report. Thereafter, the auditor performs an assessment of those risks at both the financial report and assertion levels. The assessment involves considering a number of factors such as the nature of the risks, relevant internal controls and the required level of audit evidence.

SA 315 – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment and SA 330 – The Auditor’s Responses to Assessed Risks are auditing standards that specifically require auditors to use the risk-based audit approach, along with other auditing standards containing specific risk-related principles and procedures. This warrants that they make risk assessments of material misstatement at the financial statement and assertion levels, based on an appropriate understanding of the entity and its environment, including internal controls.

The implementation of risk-based audit would mean that greater emphasis is placed on the auditor’s role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk-based audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risk.

Types of Risks:

In case of bank audits, the following risks need to be considered:

  • Financial statement risk has two components – i) Inherent risk and ii) Control risk.

Inherent risk: The susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming there are no related internal controls. Factors that may be considered for determination of inherent risk are complexity of the transaction, volumes, estimation, etc.

Control risk: The risk that a misstatement, which could occur in an assertion about a class of transactions, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the bank’s internal control.

  • Detection risk: The risk that the audit procedures performed will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
  • Audit risk: The risk of expressing an inappropriate audit opinion, for example, expressing an unmodified opinion when the financial statements are materially misstated. The audit risk matrix can be depicted as follows:

Audit risk = Inherent risk x Control risk x Detection risk

The audit risk matrix demonstrates the relationship between inherent risk and control risk and the level of detection risk. Hence, the higher the inherent and control risks, the higher could be the audit risk. The objective of an audit is to limit audit risk to an acceptably low level.

  • Significant risk: An inherent risk with both a higher likelihood of occurrence and a higher magnitude of effect should it occur, and which requires special audit consideration. Significant risks are a subset of inherent risks. All fraud risks are considered as significant risks.
  • Business risk: A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

Understanding the bank’s framework:

The auditor should obtain an appropriate understanding of the bank and the environment (including internal control) in which it operates. While understanding the bank, the auditor shall obtain an understanding of, and document information relating to, the following:

  • Industry and environment – Competitors, economic and political scenarios.
  • Governance and ownership structure – Board of Directors, Audit Committee, management oversight, branch reporting, management reporting, authority matrix.

  • Applicable regulatory framework – Different guidelines/pronouncements issued by the Reserve Bank of India, the Banking Regulation Act, the Companies Act, direct and indirect taxes, etc.
  • Internal control environment – Transaction processing including system controls, internal audit, exception reporting, concurrent audit and systems audit.
  • Key financial reporting processes – Financial statements, regulatory returns.

Information is obtained through enquiry of relevant persons, observation and inspection of processes and documentation, and performing analytical procedures on key financial and non-financial information. Further, the auditor could refer to various analysts’ reports on the banking industry, publications by the Reserve Bank of India, and banking surveys published by various newspapers in order to get relevant information about banks and their comparative strategies. Examples of financial information are non-performing assets ratio, net interest margin, capital adequacy ratio, provision coverage ratio, etc.

The control framework assists auditors in focusing on obtaining an understanding of the bank’s internal controls as follows:

  • Bank’s own risk assessment process: how the bank identifies, assesses and responds to its own business risks and frauds.
  • Information systems relevant to the financial reporting: Those systems related to the capture of significant transactions, events or accounting estimates, reconciliations of sub-ledgers to the general ledger, systems audit, system access and change management, disaster recovery and business continuity plans, and reporting in the financial report.
  • Control activities relevant to audit (including entity level controls): Those policies and procedures that help ensure that management directives are carried out. Examples of control activities include those relating to governance, management oversight, authorisation, performance reviews, information processing, physical controls and segregation of duties.
  • Monitoring of control activities: Those activities the bank uses to monitor control activities over financial reporting, as well as how it takes action to address any identified deficiencies.

Gaining this detailed understanding will enable the auditor to identify:

  • What relevant controls (if any) are in place to test
  • Whether the absence of controls creates risk
  • How or when to combine controls testing with substantive testing
  • How to test the operating effectiveness of controls
  • Extent of reliance that can be placed on internal controls

Identifying and assessing risks pertaining to banks

The risk assessment would cover identification of risks at various levels (corporate and branch; the portfolio and individual transactions) as also the processes in place to identify, measure, monitor and control the risks. The auditor should devise the risk assessment methodology keeping in view the size and complexity of the business undertaken by the bank. Further, the auditor is required to use considerable professional judgment and skill to identify such risks as well as their potential impact on the recognition, measurement, presentation and disclosure in the financial report or on the valuation, allocation, occurrence, completeness, accuracy, cut-off, classification, existence, or rights and obligations at the assertion level.

The risk assessment process should include the following:

  • Identification of inherent business risks in various activities undertaken by the bank
  • Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities
  • Drawing up a risk matrix taking into account both factors, viz., inherent risks and control risks

The initial risk assessment is performed at the audit planning stage, and is reassessed and revised if new risks are identified during the audit. Both quantitative and qualitative approaches may be considered for this assessment. Risks indicate the intrinsic risk in a particular area/activity of the bank/branch and could be grouped into low, medium and high categories depending on the severity of risk.

Some of the parameters that can be used to determine the risk level and audit strategy of a branch are:

  • Size of a branch: A branch with higher assets, liabilities and revenue shall warrant a higher risk rating.
  • Loan losses and overdue debts: Number and amounts of loans overdue for more than a specific number of days, restructured and non-performing assets.
  • Regulatory compliance: Branches in violation of regulatory requirements should be considered for the risk plan.
  • Service issues: The auditor should review the customer complaints and their resolutions where there are higher numbers of service issues, as it implies a weakness in processes and controls.
  • Cash shortages and operational errors: Instances and amounts of cash shortage or operational errors should be considered by the auditor to evaluate the risk.
  • Compliance with Know Your Customer (‘KYC’) statutes: Number of account opening/KYC non-compliances should be considered as a measure of risk.
  • Prior audit rating: Prior internal audit rating would determine the risk and scope of audit.
  • Fraud occurrences and losses: The higher the fraud occurrences and losses in the branch, the higher the risk.
  • Centralisation of operations and systems infrastructure: In many cases, certain processes are centralised at one location, which needs to be considered when planning and scoping the audit. Similarly, where reliance is to be placed on information technology controls and they are to be tested, the IT infrastructure is at a centralised location, which needs to be considered for planning and communicated to the central statutory auditor.

The risk assessment determines the nature, timing and extent of audit procedures to respond to identified risks appropriately. It is critical to properly assess risks so that audit time and effort is spent efficiently and effectively in testing significant risks.

Risk assessment procedures provide a basis for designing and executing audit procedures to respond to the assessed risks of material misstatement. Risk assessment procedures do not by themselves provide sufficient appropriate audit evidence for the audit opinion, and the auditor needs to perform tests of controls and substantive procedures to obtain sufficient appropriate audit evidence to conclude whether the financial statements are presented fairly, in all material respects.

Responding to risks identified and planning the audit:

As stated in paragraph 3 of SA 315, the objective of the auditor is to obtain sufficient appropriate audit evidence about the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.

Risks of material misstatement at the financial statement level

Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions. Such risks represent circumstances that may increase the risks of material misstatement across many assertions and are not associated with specific assertions.

Risk of material misstatement at the assertion level

Assessment of risks of material misstatement at the assertion level will assist in determining the nature, timing and extent of any additional audit procedures at the assertion level that are necessary to obtain sufficient appropriate audit evidence. Risks of material misstatement at the assertion level consist of inherent risk and control risk. Therefore, the combined risk assessments represent our assessed risks of material misstatement at the assertion level. The nature, timing and extent of the audit procedures are a direct result of the combined risk assessments. Making the appropriate combined risk assessments and then reflecting them in our audit strategy contributes significantly to executing an effective and efficient audit.

An auditor should design responses to assessed risks based on the following:

  • Overall effect the identified risk may have on the financial report (i.e., overstatement or understatement of material account balances)
  • Effect that the identified risk has at the assertion level for each class of transactions, account balance or disclosure
  • Expected test results in terms of whether they will meet the test objectives

The design of the audit programme to address identified risks involves:

  • Determining the materiality thresholds for the audit of the bank.
  • Identifying the significant accounts for the bank considering the materiality thresholds – interim account caption balances could be considered for this evaluation. Accounts wherein significant judgment and estimation is required, or which are susceptible to identified fraud/significant risks, should be independently evaluated.
  • Mapping and documenting the various significant processes and related IT applications.
  • Setting the test objectives, i.e. what assertions are to be tested and why.
  • Identifying when to address the risk – interim and/or year end.
  • Determining, where applicable, whether previous audit evidence can be used or updated for the current period.
  • Identifying relevant controls to test.
  • Identifying the use of experts/specialists in respect of account balances relating to provision for retirement benefits, derivative valuation, etc.
  • Specifying the type of testing for areas with normal risk and those with significant risk – i.e. whether substantive testing alone or a combination of substantive and controls testing is required.
  • Determining the extent of reliance on the test results.
  • Specifying additional audit procedures to be followed if the testing identifies discrepancies.

In addition to the above, the following aspects too should be considered by the auditor in order to determine the audit plan:

  • Using the bank’s existing internal audit function and leveraging the reviews conducted by the internal auditors during the year.
  • Placing reliance on the reports issued by auditors of service organisations providing services and carrying out operations for the bank.
  • Using the work performed by experts such as actuaries for making estimates relating to retirement benefits, provision for reward points, etc.

In designing audit work programme steps to respond to normal risk, it is important to remember that controls testing need only be performed when the auditor’s substantive work depends on, or assumes, the operating effectiveness of that control, or the auditor believes that substantive testing alone doesn’t provide sufficient appropriate audit evidence. The auditor’s substantive testing involves tests of details and/or substantive analytical procedures such as cut-offs, reconciliations, third party balance confirmations, etc.

Concluding on areas of risk

Once audit procedures have been performed to address assessed risks, the auditor needs to evaluate the evidence obtained to determine whether the initial risk assessment at the assertion level remains appropriate and whether there is reasonable assurance that a material misstatement does not exist.

Evidence must be persuasive for each material financial report assertion; otherwise, further audit procedures must be performed to obtain such evidence. If such evidence cannot be obtained, a qualified opinion or a disclaimer of opinion in the auditor’s report is required. When sufficient appropriate evidence has been obtained, the auditor is able to conclude on the overall risk of material misstatement to the financial report as a whole.
