Risks in Bank Audits
CA Abhijit Sanzgiri

What is Risk
• What can go wrong - objectives not being met
• What we don’t see coming
• Function of impact & probability
• Risk Tolerance – Appetite
• Risk Register – Universe – Library
• TARA – Transfer – Avoid – Reduce – Accept

Issues
• Structured approach to risk
• Risk communication
• Risk training
• Risk based audit – prioritization
• Risk reward ratio – risk function
• Insurance cover

Post PMC – Yes Bk increased scrutiny
• Need to develop trust
• Independent audit plays a big assurance & confidence boosting role -
• Timely detection of issues – escalation – resolution
• Concurrent audit – Expectations
• Volume – Exposure – Activity –

Risk profiling
• Credit - Operational - Regulatory - ML – IT – Legal – HR – Reputational – Market – Interest rate – Liquidity (ALM) all having financial impact
• Cyber security risk
• Fraud risk – collusion, circumvention
• Banking risk
• Audit detection risk

Independent testing of controls – control effectiveness index –
• Design of controls – operational effectiveness –
• Manual – automated – pro-active, re-active, collaborative, deterrent, detective controls –
• Cost of controls –
• Independent testing of controls –
• Cost of controls < Financial impact of risks

Independent testing of controls –
• Maker checker - Job rotations – reconciliations – authorization – balance confirmations – physical verification - ratification - authorization – audits – reviews, renewals – documentation – MIS – SOP – trainings – mandatory leaves –

BH discussions
• Risk rating – Identification – Controls – Gaps – Risk owners – Deadlines
• Audit report closure of High risk issues
• Compliance with Standards of Auditing
• Root cause - WHY -

Key areas –
• Revenue leakage
• NPA
• AML - KYC - STR
• IT general controls
• BCP - DR
• MIS – all about masters
• RBI returns
• Suspense

Key areas –
• Cash
• Reconciliations
• Interoffice
• Fixed assets
• House keeping
• Open audit issues
• Frauds
• Policy & Regulatory compliance
• Complaints
• Best practices

Need smart audit
• Exception reports - parameters
• Audit – BH need to be on same page – active co-operation
• Closure meetings with branch head - Trend analysis
• Issues raised by Internal & Concurrent audit
• Ask for support - help whenever needed –

Hindsight - Insight - Foresight
• Data – Information – knowledge – wisdom
• Hindsight – Insight - Foresight
• Audit as a de-risker – last line of defence
• If you know your why, you will manage it anyhow

Representations
• Does the Bank have an updated risk – anti fraud policy
• Is the policy available at the branch & employees access the policy
• Have all the employees read the policy – understood the policy
• Is the policy mapped to any framework – COSO / ISO 31000
• Do the employees know their rights & duties as per the policy
• Is there a sign-off on Do’s & Don’ts

Representations
• Has the branch done a risk profiling – is it updated – maturity curve
• Has the branch done a risk - fraud scenario analysis
• Have they independently tested controls & mapped controls to risks / frauds
• Is there a Gap which is identified for closure with deadlines / risk owner
• Is there periodic training – sensitization of all employees on risks / frauds
• Has bank a clear-cut policy on how to deal with conflicts of interests

Representations
• Has the bank a policy of job rotations – mandatory leaves
• Is this actually followed
• Is Bank monitoring EWS / RFA for possible frauds – May 7th 2105
• Is concurrent audit as per RBIA approach – 2002 circular
• Has bank identified processes where manual reactive controls are in place
• How robust is the system of lodging complaints

Representations
• Are whistle blower hotlines in place
• Is any transaction failure noted for root cause analysis of process gap
• Is staff accountability examined in case of a fraud
• Does Bank consider fund diversion - inflation of stock statements as frauds
• Is there a process to identify wilful defaulters, siphoning of funds
• How is divergence of stocks, debtors, Creditors as per SS & books treated

Auditor's duty
• Requirements of SA 315 – SA 330
• Documentation – Minutes of discussions with BH
• Better safe than sorry – scepticism
• Discussions with Concurrent auditor – SA
• Discussions with SCA – peer CA
• Audit evidence – original evidence
• Reporting actuals – factual – comprehensive – What we did, why, how & extent