Historically, the audit system in banks has been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports and adherence to legal and regulatory requirements. However, in the changing scenario such testing by itself would not be sufficient. There is a need for widening as well as redirecting the scope of audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in banks. To achieve these objectives, one needs to adopt risk-based audit which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank’s operations.
A risk-based audit approach is designed to be used throughout the audit to efficiently and effectively focus the nature, timing and extent of audit procedures on those areas that have the most potential for causing material misstatement(s) in the financial report. The risk-based audit approach requires the auditor to first understand the bank and its environment in order to identify risks that may result in material misstatement of the financial report. Thereafter, the auditor performs an assessment of those risks at both the financial report and assertion levels. The assessment involves considering a number of factors such as the nature of the risks, relevant internal controls and the required level of audit evidence.
SA 315 – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment and SA 330 – The Auditor’s Responses to Assessed Risks are auditing standards that specifically require auditors to use the risk-based audit approach along with other auditing standards containing specific risk related principles and procedures. This would warrant them, to make risk assessments of the material misstatements at the financial statement and assertion levels, based on an appropriate understanding of the entity and its environment, including internal controls.
The implementation of risk-based audit would mean that greater emphasis is placed on the auditor’s role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk based audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risks.
Types of Risks:
In case of bank audits, the following risks need to be considered:
- Financial statement risk has two components: i) inherent risk and ii) control risk.
Inherent risk: The susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming there are no related internal controls. Factors that may be considered for determination of inherent risk are complexity of the transaction, volumes, estimation, etc.
Control risk: The risk that a misstatement, which could occur in an assertion about a class of transactions, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the bank’s internal control.
- Detection risk: The risk that the audit procedures performed will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
- Audit risk: The risk of expressing an inappropriate audit opinion, for example, expressing an unmodified opinion when the financial statements are materially misstated. The audit risk matrix can be depicted as follows:
Audit risk = Inherent risk x Control risk x Detection risk
The audit risk matrix demonstrates the relationship between inherent risk and control risk and the level of detection risk. Hence, the higher the inherent and control risks, the higher the audit risk could be. The objective of an audit is to limit audit risk to an acceptably low level.
- Significant risk: An inherent risk with both a higher likelihood of occurrence and a higher magnitude of effect should it occur and which requires special audit consideration. Significant risks are a subset of inherent risks. All fraud risks are considered as significant risks.
- Business risk: A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
Understanding the bank’s framework:
The auditor should obtain an appropriate understanding of the bank and the environment (including internal control) in which it operates. While understanding the bank, the auditor shall obtain an understanding and document information relating to the following:
- Industry and environment – Competitors, Economic and political scenarios.
- Governance and ownership structure – Board of Directors, Audit Committee, management oversight, branch reporting, management reporting, authority matrix.
- Applicable regulatory framework – Different guideline/pronouncement issued by Reserve Bank of India, Banking Regulation Act, Companies Act, Direct and Indirect taxes, etc.
- Internal control environment – Transaction processing including system controls, internal audit, exception reporting, concurrent audit and systems audit.
- Key financial reporting processes – Financial statements, regulatory returns.
Information is obtained through enquiry of relevant persons, observation and inspection of processes and documentation, and performing analytical procedures on key financial and non-financial information. Further, the auditor could refer to various analysts’ reports on the banking industry, publications by Reserve Bank of India, banking surveys published by various newspapers in order to get relevant information about banks and their comparative strategies. Examples of financial information are non-performing assets ratio, net interest margin, capital adequacy ratio, provision coverage ratio, etc.
The control framework assists auditors to focus on obtaining an understanding of the bank’s internal controls as follows:
- Bank’s own risk assessment process: how the bank identifies, assesses and responds to its own business risks and frauds.
- Information systems relevant to the financial reporting: Those systems related to the capture of significant transactions, events or accounting estimates, reconciliations of sub ledgers to the general ledger, systems audit, system access and change management, disaster recovery and business continuity plans and reporting in the financial report.
- Control activities relevant to audit (including entity level controls): Those policies and procedures that help ensure that management directives are carried out. Examples of control activities include those relating to governance, management oversight, authorisation, performance reviews, information processing, physical controls and segregation of duties.
- Monitoring of control activities: Those activities the bank uses to monitor control activities over financial reporting, as well as how it takes action to address any identified deficiencies.
Gaining this detailed understanding will enable the auditor to identify:
- What relevant controls (if any) are in place to test
- Whether the absence of controls creates risk
- How or when to combine controls testing with substantive testing
- How to test the operating effectiveness of controls
- Extent of reliance that can be placed on internal controls
Identifying and assessing risks pertaining to banks
The risk assessment would cover identification of risks at various levels (corporate and branch; the portfolio and individual transactions) as well as the processes in place to identify, measure, monitor and control the risks. The auditor should devise the risk assessment methodology keeping in view the size and complexity of the business undertaken by the bank. Further, the auditor is required to use considerable professional judgment and skill to identify such risks as well as their potential impact on the recognition, measurement, presentation and disclosure in the financial report, or on the valuation, allocation, occurrence, completeness, accuracy, cut-off, classification, existence, or rights and obligations at the assertion level.
The risk assessment process should include the following:
- Identification of inherent business risks in various activities undertaken by the bank
- Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities
- Drawing up a risk matrix that takes into account both factors, viz. inherent risks and control risks
The initial risk assessment is performed at the audit planning stage, with it being reassessed and revised if new risks are identified during the audit. Both quantitative and qualitative approaches may be considered for this assessment. Risks indicate the intrinsic risk in a particular area/activity of the bank/branch and could be grouped into low, medium and high categories depending on the severity of risk.
Some of the parameters that can be used to determine the risk level and audit strategy of a branch are:
- Size of a branch: A branch with higher assets, liabilities or revenue warrants a higher risk rating.
- Loan losses and overdue debts: Number and amount of loans overdue for more than a specified number of days, restructured assets and non-performing assets.
- Regulatory compliance: Branches in violation of regulatory requirements should be given due weight in the risk plan.
- Service Issues: The auditor should review the customer complaints and their resolutions where there are higher numbers of service issues as it implies a weakness in processes and controls.
- Cash shortages and operational errors: Instances and amounts of cash shortage or operational errors should be considered by the auditor to evaluate the risk.
- Compliance with Know Your Customer (‘KYC’) statutes: Number of account opening/ KYC non-compliances should be considered as a measure of risk.
- Prior Audit Rating: Prior internal audit rating would determine the risk and scope of audit.
- Fraud occurrences and losses: The higher the fraud occurrences and losses in the branch, the higher the risk.
- Centralisation of operations and systems infrastructure: In many cases, certain processes are centralised at one location, which needs to be considered when drawing up the audit plan and scope. Similarly, where reliance is to be placed on information technology controls and they are to be tested, the IT infrastructure is often at a centralised location; this needs to be considered in planning and communicated to the central statutory auditor.
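The branch parameters listed above, the risk matrix of inherent and control risk described earlier, and the relationship Audit risk = Inherent risk x Control risk x Detection risk can be put together as a small scoring model. The following is an added illustration, not part of the guidance text and not any bank's or firm's actual methodology: the parameter thresholds, the 1-3 scale, the layout of the combined risk matrix, the mapping from prior audit rating to control risk and the audit strategy per category are all assumptions chosen for the example, and the three branch profiles are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed branch profile built from the parameters listed in the text.
@dataclass
class BranchProfile:
    name: str
    advances: float              # size of branch: advances outstanding (unit assumed)
    npa_ratio_pct: float         # non-performing assets as a percentage of advances
    regulatory_violations: int   # regulatory non-compliances noted in the period
    open_complaints: int         # unresolved customer complaints (service issues)
    cash_shortages: int          # cash shortage / operational error instances
    kyc_noncompliances: int      # account opening / KYC non-compliances
    fraud_incidents: int         # frauds reported at the branch
    prior_audit_rating: str      # "satisfactory", "needs improvement" or "unsatisfactory"


def bucket(value: float, medium_from: float, high_from: float) -> int:
    """Map one parameter to 1 (low), 2 (medium) or 3 (high). Thresholds are assumptions."""
    if value >= high_from:
        return 3
    if value >= medium_from:
        return 2
    return 1


def inherent_risk(b: BranchProfile) -> int:
    """Inherent risk rating 1..3 derived from the branch parameters.

    The six quantitative parameters are averaged (rounded half up). Fraud risks
    are treated as significant risks, so any fraud incident forces the rating to
    high instead of being averaged away by otherwise benign indicators.
    """
    scores = [
        bucket(b.advances, 100, 500),
        bucket(b.npa_ratio_pct, 2.0, 5.0),
        bucket(b.regulatory_violations, 1, 3),
        bucket(b.open_complaints, 10, 30),
        bucket(b.cash_shortages, 1, 5),
        bucket(b.kyc_noncompliances, 5, 20),
    ]
    averaged = int(sum(scores) / len(scores) + 0.5)
    return 3 if b.fraud_incidents > 0 else averaged


# Control risk taken from the prior internal audit rating (assumed mapping).
CONTROL_RISK: Dict[str, int] = {"satisfactory": 1, "needs improvement": 2, "unsatisfactory": 3}

# Combined risk matrix: (inherent, control) -> overall category. Layout is an assumption;
# the key property is that the category rises as either component rises.
RISK_MATRIX: Dict[Tuple[int, int], str] = {
    (1, 1): "Low",    (1, 2): "Low",    (1, 3): "Medium",
    (2, 1): "Low",    (2, 2): "Medium", (2, 3): "High",
    (3, 1): "Medium", (3, 2): "High",   (3, 3): "High",
}

# Illustrative audit strategy per category (chosen for the example, not prescribed).
AUDIT_STRATEGY: Dict[str, str] = {
    "Low": "substantive analytical procedures with limited tests of details",
    "Medium": "combination of controls testing and substantive testing",
    "High": "extended substantive testing, controls testing and significant-risk procedures",
}


def assess_branch(b: BranchProfile) -> Tuple[int, int, str, str]:
    """Return (inherent risk, control risk, combined category, audit strategy)."""
    ir = inherent_risk(b)
    cr = CONTROL_RISK[b.prior_audit_rating]
    category = RISK_MATRIX[(ir, cr)]
    return ir, cr, category, AUDIT_STRATEGY[category]


def planned_detection_risk(target_audit_risk: float, inherent: float, control: float) -> float:
    """Rearrange audit risk = IR x CR x DR for the detection risk the auditor may accept.

    Higher inherent and control risk leave a smaller acceptable detection risk,
    i.e. more extensive substantive procedures. Capped at 1.0 (no reduction needed).
    """
    return min(1.0, target_audit_risk / (inherent * control))


# Constructed sample branches (not real data).
METRO_MAIN = BranchProfile("Metro Main", 650, 6.1, 2, 40, 3, 25, 1, "needs improvement")
RURAL = BranchProfile("Rural", 40, 1.2, 0, 4, 0, 2, 0, "satisfactory")
SUBURBAN = BranchProfile("Suburban", 200, 3.0, 1, 12, 1, 6, 0, "needs improvement")

if __name__ == "__main__":
    for branch in (METRO_MAIN, RURAL, SUBURBAN):
        ir, cr, cat, strategy = assess_branch(branch)
        print(f"{branch.name}: IR={ir} CR={cr} -> {cat}: {strategy}")
    print("acceptable DR at 5% audit risk, IR=0.8, CR=0.5:",
          planned_detection_risk(0.05, 0.8, 0.5))
```

The fraud override reflects the text's point that all fraud risks are significant risks: Metro Main lands in the high category even though the prior rating is only "needs improvement", whereas Suburban, with every indicator in the medium band, lands in the medium category. The detection risk function shows the inverse relationship behind the audit risk formula: with inherent and control risk at 0.8 and 0.5, an audit risk target of 5% leaves only 12.5% detection risk to plan for.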
The risk assessment determines the nature, timing and extent of audit procedures to respond to identified risk appropriately. It is critical to properly assess risks so that audit time and effort is spent efficiently and effectively in testing significant risks.
Risk assessment procedures provide a basis for designing and executing audit procedures to respond to the assessed risks of material misstatement. Risk assessment procedures do not provide sufficient appropriate audit evidence for the audit opinion and the auditor needs to perform tests of controls and substantive procedures to obtain sufficient appropriate audit evidence to conclude whether the financial statements are presented fairly, in all material respects.
Responding to risks identified and planning the audit:
As stated in paragraph 3 of SA 315, the objective of the auditor is to obtain sufficient appropriate audit evidence about the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.
Risks of material misstatement at the financial statement level
Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions. Such risks represent circumstances that may increase the risks of material misstatement across many assertions and are not associated with specific assertions.
Risk of material misstatement at the assertion level
Assessment of risks of material misstatement at the assertion level will assist in determining the nature, timing and extent of any additional audit procedures at the assertion level that are necessary to obtain sufficient appropriate audit evidence. Risks of material misstatement at the assertion level consist of inherent risk and control risk. Therefore, the combined risk assessments represent our assessed risks of material misstatement at the assertion level. The nature, timing and extent of the audit procedures are a direct result of the combined risk assessments. Making the appropriate combined risk assessments and then reflecting them in our audit strategy contributes significantly to executing an effective and efficient audit.
An auditor should design responses to assessed risks based on the following:
- Overall effect the identified risk may have on the financial report (i.e., overstatement or understatement of material account balances)
- Effect that the identified risk has at the assertion level for each class of transactions, account balance or disclosure.
- Expected test results in terms of whether they will meet the test objectives
The design of the audit programme to address identified risks involves:
- Determining the materiality thresholds for the audit of the bank.
- Identifying the significant accounts for the bank considering the materiality thresholds – Interim account caption balances could be considered for this evaluation. Accounts wherein significant judgment and estimation is required, susceptible to identified fraud/ significant risks should be independently evaluated.
- Mapping and documenting the various significant processes and related IT applications.
- Setting the test objectives i.e. what assertions are to be tested and why
- Identifying when to address the risk: at interim and/or at year end.
- Determining, where applicable, whether previous audit evidence can be used or updated for the current period.
- Identifying relevant controls to test
- Identifying the use of experts/specialists in respect of account balances relating to provision for retirement benefits, derivative valuation, etc.
- Specifying the type of testing for areas with normal risk and those with significant risk – i.e. whether substantive testing alone or a combination of substantive and controls testing is required.
- Determining the extent of reliance on the test results
- Specifying additional audit procedures to be followed if the testing identifies discrepancies.
In addition to the above, the following aspects too should be considered by the auditor in order to determine the audit plan:
- Use of internal audit function existing with the bank and leverage on the reviews conducted by the internal auditors during the year.
- Place reliance on the report issued by auditors of service organisations providing services and carrying out operations for the bank.
- Use the work performed by experts such as actuaries for making estimates relating to retirement benefits, provision for reward points, etc.
In designing audit work programme steps to respond to normal risk, it is important to remember that controls testing need only be performed when the auditor’s substantive work depends on, or assumes, the operating effectiveness of that control, or when the auditor believes that substantive testing alone does not provide sufficient appropriate audit evidence. The auditor’s substantive testing involves tests of details and/or substantive analytical procedures such as cut-offs, reconciliations, third party balance confirmations, etc.
Concluding on areas of risk
Once audit procedures have been performed to address assessed risks, the auditor needs to evaluate the evidence obtained to determine whether the initial risk assessment at the assertion level remains appropriate and whether there is reasonable assurance that a material misstatement does not exist.
Evidence must be persuasive for each material financial report assertion; otherwise further audit procedures must be performed to obtain such evidence. If such evidence cannot be obtained, a qualified opinion or a disclaimer of opinion in the auditor’s report is required. When sufficient appropriate evidence has been obtained, the auditor is able to conclude on the overall risk of material misstatement to the financial report as a whole.