Systems and Controls
The auditor is required to comment on systems and controls as under:
Existence of systems and procedures for concurrent and internal audits, inspections, EDP audit of computer systems/software, etc.; monitoring and follow – up on such reports;
Internal audit is an important constituent of the system of internal control in banks. Banks should generally have well organised system of audit. The internal audit is carried out either by separate departments within the bank or by firms of chartered accountants. The scope and frequency as also the form of various types of internal audits in different banks varies, and one of which is concurrent audit.
A system of concurrent audit at large and other selected branches has been in vogue in most banks for quite long. Recognising the importance the concurrent audit in the banking sector, the RBI, vide its circular no BC.182/16.13.108/93-94 dated October 11,1993 addressed to all scheduled commercial banks (except regional rural banks) formally advised such banks to institute an appropriate system of concurrent audit. It may be also noted that the RBI vide its circular no DOS. NO.8.C.16/08-91-021/96 dated August 14, 1996 has incorporated new guidelines for concurrent audit system in commercial banks. The system includes scope of concurrent audit, coverage of business/branches, types of activities covered, appointment of auditors, facilities for effective concurrent audit, remuneration and the reporting systems.
Concurrent audit is regarded as bank’s early-warning system to ensure timely detection of irregularities and lapses which helps in preventing fraudulent transactions. It also refers to examination of the transactions by an independent person not involved in its documentation. The emphasis is in favour of substantive checking in key areas rather than test checking.
The auditor should enquire whether the bank has a system of conducting concurrent and internal audit, inspections of various departments inside the bank, etc. either through its own staff or external auditors. The option to consider bank’s own staff or external auditors to undertake audit is at the discretion of the individual banks. The auditor is required to comment on the system in existence. The auditor should report whether the follow-up of the reports of internal and concurrent audits, etc. is carried out and relevant suggestions implemented timely.
Auditor should report whether there is a system of conducting Risk based audits – Auditor should comment on the system in place for closure of audit issue and to ensure that there are no repeat observations or there is a significant reduction in repeat audit issues. Auditor should examine whether there is a mechanism to remedy the underlying process gap by conducting Root- Cause analysis by testing the Control Process.
Existence of Management Information System; method of compilation and accuracy of information.
Reliability of regulatory reporting under the Off Site Surveillance System of the RBI.
The Management of banks requires database information for taking policy decisions as well as for taking other corrective measures. Banks operate their business through network of their branches spread over a vast geographical area. Thus, auditor should check that an effective Management information system exists which generates timely, accurate, reliable, relevant and complete information.