Add to collection(s) Add to saved
  1. Business
  2. Accounting

Audit of Banks

advertisement 
Bank Audit
Auidit of Banks
Agenda
1. Types of Audits of Banks
2. Audit of Risks in Banks
3. Audit of Financial Position & Results of Operations of Banks
4. Audit of IT Computer Systems in Banks
5. Future of Bank Auditing
Page 2
1. Types of Audits of Banks
1.1. Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.
1.2. External Audit
External audit is an audit conducted by an individual or firm that is independent of the
company being audited. Independent auditors audit the books of a company generally
once per year after the completion of the company’s fiscal year. Their role is to give an
opinion of the financials statements reflection of the status and operations of the
company being audited. Based on what they witness during the audit they will also
produce, for management and board utilization, a management letter. Although a
financial statement audit is the most common type of external audit, external auditors
may also conduct special purpose audits which might include; performing specific tests
and procedures and reporting on the results, a less intensive review, and compilations
Page 3
1.1. Internal Audit
Roles and Responsibilities
Internal audit departments mainly function to provide assurance to senior management
of the Bank and stakeholders for the activities of the Bank’s whole departments,
branches and subisidiaries on their consistency with the Banking Law, BRSA
Regulations, banking legislation, Bank strategies, policies and procedures and for the
adequacy of internal control and risk management system. Besides, it is responsible for
establishing and maintaining effective internal audit system to minimize the effects of the
operational risks.
Some of the audit functions are:
Evaluating
the adequacy and effectiveness of risk management, control and
governance processes of the Bank.
Assessing compliance with regulations of Legislative Bodies and the Bank’s
procedures.
Providing recommendations for improving the operations of the Bank in terms of
efficient and effective performance.
Assisting the detection of fraud.
For those purposes the Department conducts audits at the branches, departments and
subsidiaries of the Bank throughout Turkey and abroad. All business systems,
applications, processes, operations, functions and activities within the Bank are subject
to the audits.
Page 4
1.1. Internal Audit
The BRSA Supervision on Internal Audit
The BRSA regulates and supervises also HR issues of IAD and audit studies performed.
Some of the issues are mentioned below:




The number and professional quality of internal auditors in IAD should be
sufficient,
All audit plans and annual results must be reported to the BRSA,
Manuals should be written,
The charter, working papers must contain the minimum requirements asked by
the BRSA,
The BRSA, in its regulations, refers to the IIA’s standards on those issues.
Page 5
1.1. Internal Audit
Audit Universe & Coverage
All of the activities in the head office departments, subsidiaries and Branches are subject to audit.
Although all financial subsidiaries have Internal Audit / Internal Control Units, Internal Audit
Department of Garanti also performs audits in those subsidiaries.
Working Methodology
RISK BASED AUDITING PRINCIPLE
RISK
•Identification
•Sourcing
•Assessment
•Prioritization
AUDIT PLANS
Audit manuals are established to provide guidance on specific audits. Manuals are prepared about
procedures of on-site engagements that the auditors may perform.
Page 6
1.1. Internal Audit
The Bank’s Risk Matrix
Risk Mapping and Audit Plan
Risk Level of
Bank’s Activities
Risk
Indicators
Risk
Assessment
Head Office Departments
Subsidiaries
AUDIT PLAN
Regional Credit
Granting Offices
Audit Period
Risk Matrices of
Subsidiaries
Risk
Indicators
Importance Level
Credit Extension
Retail Banking Operations
Commercial Banking Operations
Deposit Collection and Investment Products
Treasury Management
Financial Investments and Placement
Management of Customer Funds
Safe Keeping
Insurance Services
Agency Services
Payment Systems
IT Systems
Human Resource
Legal Proceedings
New Technologies
Branch
Risk Assessment
AUDIT PLAN PROCESS
Internal Audit
Department
Audit Committee
Board of Directors
BRSA
Page 7
1.1. Internal Audit
Organizational Structure of Internal Audit Department
INTERNAL
AUDIT
DEPARTMENT
DIRECTOR
OPERATION
SERVICE
ASS.DIRECTOR
H/O Departments &
Subsidiaries &
IT Audits & Risk Management Audits
& Financial Accounting Audits &
Trainings & Human Resources Mng.
ASS.DIRECTOR
Branch Audits &
Central Audits &
Internal Fraud & Investigations
SUPERVISOR
Branch Audits
SUPERVISOR
Branch Audits
SUPERVISOR
Central
Computerized
Audit &
Central Fraud
Detection
SUPERVISOR
Fraud
Investigation
SUPERVISOR
H/O Departments
&Subsidiaries &
Risk Management
SUPERVISOR
H/O Departments &
Subsidiaries &
Training
SUPERVISOR
H/O
Departments
&Subsidiaries
Risk Management
Audit Team
SUPERVISOR
IT Audit
SUPERVISOR
Financial
Accounting
Audits
IT Audit Team
Auditors/Assistant Auditors
Page 8
1.1. Internal Audit




On-Site Audits
 Branch Audits
 H/O and Subsidiary Audits
Central Audits
 Audits of Operations and
Transactions
 Process Audits
 Internal Fraud Detection
Information Technologies
Audits
 IT Processes
 Banking Applications
 Subsidiary IT Audits

Operational Audits

Financial Audits

IT Audits

Performance Audits

Managerial Audits

Compliance Audits

Internal Fraud Detection

Governance Audits
Risk Management Audits
Page 9
1.1. Internal Audit
Identifying
Analyzing
Evaluation of
Information
Statistical
Sampling
Recomputing
Observation &
Inspection
Page 10
1.2. External Audit
Taking into account opinion of the Audit Committee, the Board of Directors selects the
authorized audit company, which conducts audit engagement in periods determined by
legislation, and submits the company to approval of the General Assembly.
The authorized external audit company is evaluated quarterly by the Audit Committee
during the service period and the results must be submitted to the Board of Directors.
Deloitte, KPMG, PWC, Ernst & Young as external audit companies are authorized by
Banking Regulation and Supervision Agency (BRSA) for financial audit in banks.
In addition; banks quoted to Istanbul Stock Exchange are also subject to external audit
in accordance to Capital Markets Board’s regulations.
The External Audit Companies generally offer the services below;
Audits of the financial statements,
Audits of the Information Technology Systems.
Actions which will be taken by banks regarding External Audit Company’s IT audit
findings are presented to and approved by Board of Directors and are sent to BRSA
twice a year.
Page 11
2. Audit of Risks in Banks
What is Risk ?
•Pronounced as “risco” in Italian, “Risiko” in German and “risk” in English, this concept
has been used as “riziko ” formerly, and later has been used as “ risk ” .
•Risk is the potential that a chosen action or activity (including the choice of inaction)
will lead to a loss or undesirable outcome.
•The concept has been used as a synonym with “ danger ”, and used for the situations
which is predicted to appear in the future but which at the same time is unknown
whether or not it is going to happen.
•The two fundamental components (R) of the Risk are the probability of that the loss will
occur (p) and the magnitude of the potential loss (L).
Ri=Lip(Li)
Page 12
2. Audit of Risks in Banks
Types of Risks
Share Risk
Market Risk
Transaction
Risk
Interest Rate Risk
Exchange Rate Risk
Credit Risk
Structural
Interest
Rate Risk
Specific
Risk
General
Market
Risk
Commodity Risk
Liquidity Risk
Financial
Risks
Counterparty
Credit Risk
Operational
Risk
Transaction &
Business Risk
Issuer Risk
Reputation
Risk
Business &
Strategic Risks
Concentration
Risk
Issuing
Risk
Page 13
2. Audit of Risks in Banks
Benefits of Risk Management
Enhancing the
business plan and
the strategical
planning
Quick
understanding and
capturing new
opportunities
Enhancing the
communication
between units
Potential
Benefits
Giving assurance
to shareholders
Less shocks and
unexpected
surprises
Reinforcement of
the effective usage
of resources
Encouraging
continuous renewal
and improvement
Supporting the
internatl audit
program to focus
Page 14
2. Audit of Risks in Banks
Capital Requirement Calculation Methods
Level of
Development
MARKET
RISK
SIMPLE
MEDIUM
ADVANCED
Standard
Approach
Value at Risk
(VAR) Approach
CREDIT
RISK
OPERATIONAL
RISK
Simplified
Standart
Approach
Basic Indicator
Approach
Standard
Approach
Basic Internal
Rating Approach
Advanced Internal
Rating Approach
Alternative Standard
Approach
Standard Approach
Advanced
Measurement
Approaches
Page 15
2. Audit of Risks in Banks
Calculation of Minimum Capital Requirement
Total Capital
≥ %8
Credit
Risk +
Market
+
Risk
Operational
Risk
Page 16
2. Audit of Risks in Banks
In the past, the stability of a bank was generally measured purely on the sum of its capital tiers
divided by its Risk Weighted Assets. With the Basel III, the capital rules have been
strengthened and all the components operating together has been taken as a complete
framework.
LCR: Liquidity Coverage Ratio
NSFR: Net Stable Funding Ratio
Page 17
2. Audit of Risks in Banks
According to the Basel Committee on Banking Supervision, the Basel 3 proposals have two
main objectives,
a)To strengthen global capital and liquidity regulations with the goal of promoting a more
resilient banking sector; and
a)To improve the banking sector's ability to absorb shocks arising from financial and economic
stress.
To achieve these objectives, the main proposal the BCBS Basel 3 has developed are:
a)Capital reform (including quality and quantity of capital), complete risk coverage, leverage
ratio; and
a)Liquidity reform (short term and long term ratios).
Page 18
2. Audit of Risks in Banks
In view of preserving core Tier 1, the Committee introduced two new "buffers. A Capital
Conservation Buffer should allow banks to absorb shocks in periods of stress without breaching
core Tier 1. And a more discretionary Countercyclical Buffer to compensate for increased
systemic risks in times of excessive credit growth.
In terms of quantity, total Tier 1 Capital is now required at 6%, up 2% from Basel II .
Furthermore, a new leverage ratio will make part of banking regulatory framework. Banks will
be required to maintain a leverage ratio of 3 percent or more (33 times its capital). The
unweighted assets include provisions, loans, off-balance sheet items with full conversion, and
all derivatives. The main purpose of this ratio is to constrain leverage in the banking sector,
while also helping to safeguard against model risk and measurement errors.
In addition to the capital banks must hold against risk weighted assets, financial institutions now
have two new ratios to comply with: Liquidity Coverage Ratio (LCR) and Net Stable Funding
Ratio. LCR is designed to promote the short-term resilience of a bank's liquidity risk profile by
ensuring that it has sufficient high-quality liquid assets to survive a significant stress scenario
lasting for 30 calendar days; and the NSFR aims at promoting longer-term resilience by
requiring banks to have capital or longer term high-quality funding which can survive over a one
year period of less severe stress.
Page 19
2. Audit of Risks in Banks
Risk Management Audit and Internal Auditors
Internal Auditors should;
1.Focus
on risks related to a possible recession (reputation, liquidity, labor force reduction...)
2.Audit the effectiveness of risk management and corporate governance processes.
3.Conduct the re-evaluation of risks and identify the risks associated with each other.
4.Undertake a teaching role on risk management.
5.Improve the relations with other governance, risk and checkpoints within the organization.
6.Expand the studies related with Fraud on the audit plans.
Also;
1.Auditors
should be in close contact with the senior management and the audit committee.
2.More flexible inspection plans that can be changed during the period should be used.
3.Information about the organization and business should be improved.
4.In order to conduct more effective audits, the audit reports should be prepared in shorter
times and intensive technology should be used.
Page 20
3. Audit of Financial Position / Results of Operations of Banks
Audit of Assets
Audit operations for assets;
•Cash and Cash Equivalents
•Financial Investments
•Derivative Financial Assests and Liabilities
•Loans
•Tangible and Intangible Fixed Assets
•Other Various Assets and Liabilities
•Investments Held as for Sale
Page 21
3. Audit of Financial Position / Results of Operations of Banks
Audit of Assets
First of all, auditor has to audit current assets whether these are recorded correct or
not.
• Reconciliation is done by auditor to reach equity of trial balance-MIS-balance sheet.
• Back-dated bank reciepts are examined.
• Reconciliation is done for all bank accounts.
• Nominal values of securities are verified.
• Conformity of the data is examined which was used for valuation of securities.
•
Income and expense is examined which was obtained by derivative operations.
•
Valuations of derivative products is examined.
•
Current credit balance of bank is compared with past periods to examine difference.
•
Rediscount calculation of loans is examined to be certain of accuracy.
• Depreciation accounting of bank is examined to verify accuracy.
• Current and past period is compared to examine differences.
• Accounting records are examined which put into operation with the defination of ‘Other’.
•Market value of bank is examined.
Page 22
3. Audit of Financial Position / Results of Operations of Banks
Audit of Liabilities
Audit operations for liabilities;
•Deposit and Other Liabilities
•Credits Obtained
•Reserves
•Tax Liabilities on Profit
•Shareholders Equity
Page 23
3. Audit of Financial Position / Results of Operations of Banks
Audit of Liabilities
•Reconciliation
is done by auditor to reach equity of trial balance-MIS-balance sheet.
•Current
deposits and other liabilities of bank are compared with past periods to examine
difference.
•Current
obtained credits of bank are compared with past periods to examine
•Rediscounts
•Collateral
difference.
of interest for obtained credits are examined to be certain of accuracy.
accounts are examined to be certain of accuracy.
•Tax
calculation of bank is examined.
•For
shareholders equity, capital movements in a period is examined.
Page 24
3. Audit of Financial Position / Results of Operations of Banks
Audit of Income Statement
•
Interest income
•
Interest expense
•
Service and commission income/expense
•
Personnel expense
•
Income and expense of other activities
•
Other income and expenses
•
Rediscount and evaluation transactions
Page 25
3. Audit of Financial Position / Results of Operations of Banks
Audit of Income Statement
An income statement audit can help auditor to isolate mathematical errors and ledger
discrepancies.
•
•
•
•
•
•
Reconciliation is done by auditor to reach equity of trial balance-MIS-balance sheet for
related accounts.
Change in trend of interest income and expense is examined to determine possible
reverse entries.
Change in trend of commission income and expense is examined.
Possible correction records related to commission income and expense are examined to
be certain of accuracy.
Current personnel payments are compared to past periods.
Conformity of the subsidiary records to the trial balance is examined.
Page 26
3. Audit of Financial Position / Results of Operations of Banks
Audit of Off-Balance Sheet Items
•
Liabilities are examined to understand their
origin.
•
Nominal amounts of securities are examied
to confirm their assets on off-balance sheet.
•
Reconciliation is done related to deposits
which is given or taken.
Page 27
4. Audit of IT Computer Systems in Banks
The computerized environment provides advantages over manual system in terms of
accuracy and uniform processing of transactions. But at the same time it poses certain
challenges before the auditor in terms of audit risk due to peculiar nature and
characteristics of Computerized Information System (CIS) environment, where potential
for fraud is much more and can be more easily hidden in the digital data.
Computer fraud and abuse can have a detrimental effect on an organization. Periodic
surveys undertaken by organizations such as the NCC (National Computing Centre) and
the Audit Commission indicate the following common instances of computer fraud and
abuse:
•Unauthorised disclosure of confidential information
•Unavailability of key IT systems
•Unauthorised modification/destruction of software
•Unauthorised modification/destruction of data
•Theft of IT hardware and software
•Use of IT facilities for personal business
Page 28
4. Audit of IT Computer Systems in Banks
Computer Security Audit
“A computer security audit is a systematic, measurable technical assessment of how the
organization's security policy is employed at a specific site. Computer security auditors
work with the full knowledge of the organization, at times with considerable inside
information, in order to understand the resources to be audited”.
Symantec
Computer security auditors perform their work though personal interviews, vulnerability
scans, examination of operating system settings, analyses of network shares, and
historical data. They are concerned primarily with how security policies- the foundation of
any effective organizational security strategy - are actually used. There are a number of
key questions that security audits should attempt to answer:
•Are passwords difficult to crack?
•Are there access control lists (ACLs) in place on network devices to control who has
access to shared data?
•Are there audit logs to record who accesses data?
•Are the audit logs reviewed?
•Have all unnecessary applications and computer services been eliminated for each
system?
•Is there a disaster recovery plan? Have the participants and stakeholders ever
rehearsed the disaster recovery plan?
Page 29
4. Audit of IT Computer Systems in Banks
Information Technologies Audit – Risk Assessment
Step 1:
Determination of
Risk Assessment
Participators
Step 2:
Interviews
&
Surveys
Step 3:
Risk
Prioritization
Step 4:
Evaluation
by the
Internal
Audit Mng.
Step 5:
Establish
Risk Based
Audit Plan

For the risk assessment of IT Processes, initially interviews with business unit
managers and Garanti Technology senior management are performed.

IT Risk Assessment surveys are filled by the said managers, to determine the risky IT
processes. The results of surveys are evaluated in terms of vulnerability and impact
of IT processes.

Applications and Subsidiaries are assessed based on the international Risk
Assessment methodologies of ISACA (Information Systems Audit & Control
Association).

Annual audit plans are formed based on the prioritization resulted from the risk
assessments.

Risk assessment is performed annually.
Page 30
4. Audit of IT Computer Systems in Banks
Technical Competence, Information, Standards and Tools Used
Standards
•BRSA Regulations
•COBIT
•ITIL
•ISO 27001, BS 25999
•CMMI, PMBOK, NIST…
Technical Information
Audit Competences
•CISA,CEH,PMP,CISM,CRISC
•Process Audit Methodology
•Sampling Methodology
•Evidence Gathering Method.
•IT Audit Methodology
•Operating Systems
•Databases
•Software Development
•Network Infrastructure
•Comp.Engineering Background
•Continuous Pro. Education
INFORMATION
TECHNOLOGIES
AUDIT
Tools
•Data Mining/ Query Tools (Oracle, ISQL..)
•Monitoring Tools (MS MOM/ SCOM/SMS)
•Security Test Tools
•MBSA
•Nessus
•Penetration
Tools
(Wireshark,
Paros,
Developer Tools…)
Page 31
4. Audit of IT Computer Systems in Banks
Information Technologies Audit - Scope
IT Processes
22 Audit Areas
• IT Governance Audits
( IT Governance, IT Strategy
& Source Planning )
• Security Audits
( Network/ Info. Security,...)
• General Process Audits
( Software Development,
Change Management... )
• Infrastructure Audits
( Database Management,,
System Software Manag... )
• Disaster Recovery Audits
Banking
Applications
27 Audit Areas
• Internet Banking
• Telephone Banking
• Securities & Treasury
Applications
• Commercial Loans
• ATM
• Credit CardsSystem
• Core Banking (Deposits)
• Consumer Loans
• Accountancy
.......
Subsidiary
IT Audits
18 Audit Areas
• GarantiBank Int. NV.
• GarantiBank SA.
• Garanti Pension & Life
Insurance
• Garanti Leasing
• Garanti Securities
• Garanti Factoring
• Garanti Asset Man.
• Garanti Bank Moscow
• Garanti Mortgage
…..
 In IT Process audits, general controls in the processes are evaluated, based on COBIT, ISO 27001, ITIL, CMMI control objectives, ISACA checklists,
BRSA regulations and various technical control lists.
 In Banking Application audits, application controls including data creation/ authorization, input/ output, data processing, mining, limit, compliance,
workflow, efficiency, security controls are evaluated.
 In IT Audits of Subsidiaries, general and application controls of Subsidiaries’ current IT and financial processes are evaluated based on the same
standards used in IT Process & Application audits.
32
Page 32
5. Future of Bank Auditing
With the developments in banking sector, classical audit practices changed to
modern audit methodologies.
Traditional Methods
Focused in finding errors
Issue
Focused to past
Financial losses
Labor intensive
Based on problem
Modern Methods
Focused in system, process and risk
Prevention
Focused to future
Efficiency
System intensive
Based on solution
Page 33
5. Future of Bank Auditing
Qualifications which auditors must have;




Ability to identify the risks
Professional competency
Negotiant, researcher, leader
Strong communication skills
Audit fields which will gain importance in the
future

Information systems
 Risk of legislation and reputation
 Process of making financial statements
 Determination methods of fraud
Page 34
Related documents
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
Audit Poster - BSG Colonoscopy Audit
Audit Poster - BSG Colonoscopy Audit
LGFMA Presentation - Internal Audit Program Model
LGFMA Presentation - Internal Audit Program Model
QUALITY ASSURANCE: Obstetrics Auditing, Records & Reports
QUALITY ASSURANCE: Obstetrics Auditing, Records & Reports
KnowingWhatToExpectW..
KnowingWhatToExpectW..
NDSA Standards: Self-assessment a
NDSA Standards: Self-assessment a
TH INSTITUTE OF CHARTERED ACCOUNTANTS OF
TH INSTITUTE OF CHARTERED ACCOUNTANTS OF
Subcommittee on Internal and External Audits Activity Report
Subcommittee on Internal and External Audits Activity Report
Download
advertisement