Structure of overall internal control environment of a bank :
The auditor should obtain an understanding of the control environment sufficient to assess management’s attitudes, awareness and actions regarding internal control and their importance in the entity. Such an understanding would help to make a preliminary assessment of the adequacy of the accounting and internal control system as a basis for the preparation of the financial statements, and of the likely nature, timing and extent of audit procedures.
The overall control environment of a bank generally includes a mix of the following:
I. Board of Directors or senior management and its Committees
The organisational structure of a bank assists it in managing its responsibility of oversight and control. Banks usually have the following
committees:
Executive Committee – monitors the overall functioning of the bank and ensures compliance with laid down policies and procedures. This committee usually consists of the Chief Executive Officer, Chief Operating Officer and all business line heads.
Operations Committee – reviews potential operational risks.
Asset Liability Committee – monitors the capital and liquidity profile, maturity mismatches, core gap analysis, etc. of the bank.
Risk Committee – entity-wide risk assessment and risk management by formulating appropriate strategies to mitigate the identified risks.
Banks also have an Audit Committee, Corporate Governance Committee and, Shareholder Grievance Committee. Further, function specific
committees such as, the Investment Committee, Credit Committee, Information Technology Committee, CSR Committee, etc. also exist which report to the Board of Directors or the Executive Committee.
The Board of Directors or the Executive Committee of a bank is responsible for the strategic planning process of the bank such as identifying
goals and objectives, formulating the strategies to attain the objectives, assessing performance of the bank against approved budgets. Thus, it sets the tone and operating style at the top and weaves the entire control environment in the bank.
II. Internal Audit
The internal audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operating. Banks generally have a well-organised system of internal audit. The internal audit is usually carried out either by a separate department within the bank or at times by independent firms of chartered accountants. Apart from these, the inspectors of RBI also review the system and transactions of important branches.
RBI has advised banks to adopt a framework for Risk-Based Internal Audit to ensure that the internal audit is undertaken in the bank in a risk focused
manner. This would also facilitate in adoption of the Risk-based Supervision framework. Attention is invited to RBI circular DBS.CO.PP.BC.14 /11.01.005/ 2003-04, dated June 26, 2004 on “Risk Based Supervision – Follow up of Risk Management Systems in Banks”
As per section 138 of Companies Act, 2013 and Rules there under, the following classes of companies shall be required to appoint an internal auditor or a firm of internal auditors, who shall either be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company:-
(a) every listed company;
(b) every unlisted public company having-
(i) paid up share capital of fifty crore rupees or more during the preceding financial year; or
(ii) turnover of two hundred crore rupees or more during the preceding financial year; or
(iii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year; or
(iv) outstanding deposits of twenty five crore rupees or more at any point of time during the preceding financial year; and
(c) every private company having-
(i) turnover of two hundred crore rupees or more during the preceding financial year; or
(ii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year:
Provided that an existing company covered under any of the above criteria shall comply with the requirements of section 138 and this rule within six months of commencement of such section.
Explanation- For the purposes of this rule –
(i) the internal auditor may or may not be an employee of the company;
(ii) the term “Chartered Accountant shall mean ”Chartered Accountant whether engaged in practice or not.
The audit committee of the company or the Board shall, in consultation with the internal auditor, formulate the scope, functioning, periodicity and methodology for conducting the internal audit.
It should be noted that Internal Audit differs from Concurrent audit in certain ways. While Concurrent audit examines transactions close to the occurrence to find errors so as rectify the same and understand the process gaps so that the process gaps can be remediated so that the occurrence of errors will be eliminated. Though Concurrent audit has also become risk based, the movement is from the transactional gap to the control. Internal audit is predominantly risk and control based with focus on control assurance. For example, even if a design of a control is not in place, internal audit will highlight the same even if there is no transactional error.
RBI has issued circulars on risk based internal audit of banks where the focus is clearly on prioritizing the audit work based on the degree of the risk.
III. Revenue Audit
Revenue audit is usually conducted at large and medium-sized branches and is aimed at identifying cases of leakage of revenue due to wrong computation of interest, non-application of interest on time, application of incorrect rates of interest/exchange/commission, non-application of penal
interest, non-recovery or short-recovery of service charges on guarantees and letters of credit, etc. This type of audit is also known as ‘income and expenditure audit’ or ‘income leakage audit’.
IV. Branch Inspection
Such inspection is much broader in scope than revenue audit, and covers all important areas of functioning of the branch, including efficacy of
systems and procedures, compliance with head office directions, customer service, maintenance of books and records, etc. Most banks have a fixed schedule of branch inspection. This is typically in the nature of internal audit.
V. Head Office (HO) Inspection
The inspection at head office level is aimed at evaluating the functions being carried out at the head office and covers, inter alia, investment and other treasury functions, functioning of the central stationery department, fixed assets (if centralised), inter-branch reconciliation, etc.
HR is a key area of HO inspection with focus on employee engagement, training based on current and future job roles and skill set gaps, employee selection and screening methods, employee attrition etc. Another key area is the audit of the Risk Assessment process or the manner in which risks are identified and periodically reviewed by the bank, controls are designed in response to mitigate the risks, ongoing review of efficacy of the controls to identify residual risks and whether they are within the risk appetite of the Bank.
VI. Concurrent Audit
A system of concurrent audit at large and other selected branches has been in vogue in most of the banks for quite long. Recognising the importance of concurrent audit in the banking sector, the RBI, vide its Circular No. BC.182/16.13.100/93-94 dated October 11, 1993, addressed to all scheduled commercial banks (except regional rural banks) formally advised such banks to institute an appropriate system of concurrent audit. The RBI also specified the minimum extent of banking operations to be covered under concurrent audit within a defined time-frame, and also suggested the areas to be covered by concurrent audit. Subsequently, vide its circular no. DOS No. B.C. 16/08-91- 021/96 dated August 14, 1996, the RBI has made certain refinements in the scope of concurrent audit.
On July 16, 2015, RBI issued circular no. DBS.CO.ARS. No. 2/08.91.021/2015- 16 on Concurrent Audit System in Commercial Banks – Revision of RBI’s
Guidelines, which includes guidelines on scope of concurrent audit, coverage of business/branches, types of activities to be covered, appointment of auditors and accountability, facilities for effective concurrent audit, remuneration and reporting system. A minimum coverage of concurrent audit is listed in Annexure II forming part of the aforesaid Circular. This circular is available on the RBI’s website rbi.org.in.
VII. Systems Audit
The bank carries out a systems audit periodically to assess the effectiveness of the hardware, software and operations to identify any changes
required therein based on the guidelines mentioned in the RBI, vide its circular no. DBS.CO.OSMOS.BC/11/33.01.029/2003-04 dated April 30, 2004 on “Information System Audit – A review of Policies and Practices”. Also refer to the
guidelines relevant to Information System Audit in the circular no.
DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011.
The statutory auditor may interact with the Information Systems (IS) auditor to understand the scope and audit plans of the systems audit. These
audits should be preferably undertaken prior to the statutory audit so that the IS audit reports are available to the statutory auditors well in time, for examination and incorporating comments, if any, in the audit reports.
The report of RBI’s Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds has recommended implementation of good level of controls in areas of IT Governance, Information Security, IT Operations, IT Outsourcing, IS Audit, Cyber Fraud, Business Continuity Planning, Customer Education and Legal Issues.
VIII. Vigilance Function in banks
All banks have a vigilance department, though it may be assigned different names in different banks. Its functions include – to keep surveillance
over the suspect staff/transactions, to look into cases of frauds/misappropriation/ connivance, etc. leading to loss to the bank. In the case of large non-performing assets, the department may be required to investigate and find out the reasons for the account becoming non-performing. The nature of findings of the vigilance department is of relevance to the auditor, particularly in evaluating the efficacy of internal controls.
IX. RBI Inspection
The RBI carries out inspection of Head Office functions and departments as well as branches under section 35 of the Banking Regulation Act, 1949, to examine compliance by the bank of various policies and norms about credit and other functions laid down by the RBI from time to time. Besides, it also carries out inspection of currency chest branches to review chest balances and other functions being performed by the branch as an agent of the RBI. RBI inspections, however, are not in the nature of internal audit. RBI categories the issues noted in the course of the inspection into various actionable on the part of the bank as major or minor.