
Assessment of Inherent and Control Risks


The nature of banking operations is such that the auditors may not be able to reduce audit risk to an acceptably low level by the performance of substantive procedures alone. This is because of factors such as the following:

• The extensive use of IT and EFT systems, which means that much of the audit evidence is available only in electronic form and is produced by the bank’s own IT systems.

• The high volume of transactions processed by banks, which makes reliance on substantive procedures alone impracticable.

• The geographic spread of banks’ operations.

• Complex trading transactions.

In most situations, the auditors’ ability to reduce audit risk to an acceptably low level depends on the internal control systems established by the management, which allow the auditors to assess the level of inherent and control risks as less than high. The auditors obtain sufficient appropriate audit evidence to support that assessment of inherent and control risks.

The auditor’s procedures would need to be adapted as the circumstances warrant, and in respect of each account, different procedures may be necessary. An illustrative checklist on audit considerations in a CIS environment is given as Annexure A to this Chapter. Further, an illustrative checklist on Bank Audit in a computerised environment, which is divided into two parts, viz., Part I, Bank Audit in a computerised environment, and Part II, automatic teller machines, is given as Annexure B to this Chapter.

The principal objective of the auditor in undertaking an audit in a CIS environment is to evaluate the effectiveness of controls. In simple words, controls are those policies and procedures which the organisation implements to minimise the events and circumstances whose occurrence could result in a loss or misstatement. There are mainly four types of controls.

A. Deterrent Controls – Deterrent Controls are designed to deter people, internal as well as external, from carrying out undesirable activities. For example, written policies, including punitive measures, may deter people from carrying out undesired activities.

B. Preventive Controls – Preventive Controls prevent the cause of exposure from occurring, or at least minimise the probability of an unlawful event taking place. For example, security controls at various levels, such as hardware, system software, application software, database, network, etc.

C. Detective Controls – When a cause of exposure has occurred, detective controls report its existence in an effort to arrest further damage or minimise the extent of the damage. Thus, detective controls limit the losses once an unlawful event has occurred.

D. Corrective Controls – Corrective Controls are designed to recover from a loss situation. For example, Business Continuity Planning is a corrective control. Without corrective controls in place, the bank runs the risk of loss of business and other losses due to its inability to recover essential IT-based services, information and other resources after a disaster has taken place.

The auditor should obtain a preliminary understanding of the IT environment and the various controls put in place by the management, including entity-level controls, and then test and evaluate whether the controls are operating effectively. The auditor should discuss the methodology adopted by the bank in implementing controls and monitoring them with the Head of the IT department and the Head of the audit department. These discussions will enable the auditor to form a view on the manner in which the bank has implemented controls. Based on these discussions, the auditor could interact with the various officials of the bank to determine whether they are sensitised to the control expectations of the management, considering the technology deployed. If this level of sensitisation is low, the auditor may need to perform more extensive audit procedures.