Auditing Behind Computers

CBS: Audit Considerations
Subhash Chandra Arora
MSC,CAIIB,ACMA,FCS,CISA
Agenda : CBS Audit
• Objective
• Challenges of CBS Audit
• Engagement Risk
• Sources of material mis-statement
• Internal Controls to protect from Risks in CBS
• Assessment of Internal Controls
– Access Rights
– Interfaces, outsourcing
– MIS: Exception Reports
– Data Gathering
CBS Audit: Objective
Reduce audit risk to an appropriately low level
Auditor’s opinion compared with whether a material mis-statement really exists:
• Opinion: mis-statement exists; it really exists: OK. Report leads to rectification.
• Opinion: mis-statement exists; it doesn’t exist: False Positive (Discomfort). Requires better documentation of control existence.
• Opinion: mis-statement doesn’t exist; it really exists: False Negative – Audit / Detection Risk, inversely related to evidence from substantive procedures.
• Opinion: mis-statement doesn’t exist; it doesn’t exist: OK – No Conflict. Every one is happy.
Result: Monitorable Action Plan
Reduce Audit Risk: Challenge
In most situations, the auditor will not be able
to reduce audit risk to an acceptably low level
unless management has instituted an internal
control system that allows the auditor to be
able to assess the level of inherent and control
risks as less than high. The auditor obtains
sufficient appropriate audit evidence to assess
the level of inherent and control risks.
Guidance Note: Internal Control
• Internal control makes the right things happen
the first time
• Internal control can be expected to
provide only reasonable assurance, not
absolute assurance, to an entity's
management and governing bodies/
committees
CBS Audit: Engagement Risk
Rule of Bureaucracy: Not to inform the
reader, but to protect the writer
Engagement Risk
• The auditor would ordinarily need to document the assessment of
engagement risk, factors identified as increasing engagement risk…
(Para 1.28 of Guidance Note)
• Assessment
• Even before accepting Audit Assignment
• Risk is still within the firm’s pre-determined appetite for risk
• Objective: Whether any factors require special response
• Affects: Preliminary Audit Plan
Review in the light of additional information during Engagement
Document considerations for readjustment
Engagement Team Discussion
• Errors that may be more likely to occur;
• The method by which fraud might be perpetrated
by bank personnel or others within particular
account balances and/or disclosures;
• Audit responses to Engagement Risk, Pervasive
Risks, and Specific Risks;
• The need to maintain professional skepticism
throughout the audit engagement; and
• The need to be alert for information or other
conditions that indicate that a material
misstatement may have occurred (e.g., the bank’s
application of accounting policies in the given
facts and circumstances).
Challenges of CBS Audit
• No access to the overall IT policy, processes, controls and
accounting procedures implemented by the bank.
• Complex trading transactions
• Unfamiliar Workflows
• Undetected errors in Business Rules in system
• Lack of Visible Evidence
• Mammoth EOD Reports
• Huge Online MIS : ‘clock lost in hay’ analogy
• Bugs and frauds hidden in labyrinth of data
• Anxiety: Does the CBS generate reliable & accurate
financial statements & reports?
• Judgment of Value
• Independent IT audit of the branch.
CBS Audit: Guidance Note
• Part II – Risk Assessment and Internal Control
deals with audit procedures to be followed
under the two risk based Standards,
• SA 315, “Identifying and Assessing the Risks of
Material Misstatement Through
Understanding the Entity and Environment
including Internal Control” , and
• SA 330, “.... Responses to Assessed Risks”
CBS: Audit Procedures
The procedures selected depend upon the auditor’s judgement,
including the assessment of the risks of material
misstatement of the financial statements, whether due to
fraud or error.
Assertion level Risk Assessment
• Identify risks throughout the process
• Pinpoint each risk to one or more assertions
relating to account balances or disclosures.
• Consider whether the risks are of a magnitude
that could result in a material misstatement of
the financial statements.
• Document the identified and assessed risks of
material misstatement at the assertion level.
Risk of material misstatement at assertion
level has two components:
• Inherent Risk (IR), which is the susceptibility of an
assertion to a material misstatement, assuming that
there are no related controls. Inherent risk is greater
for some assertions and related account balances,
classes of transactions, and disclosures than for
others.
• Control Risk (CR), which is the risk that a material
misstatement that could occur in an assertion will not
be prevented or detected by the entity’s internal
control on a timely basis. Control risk is a function of
the effectiveness of the design and operation of the
entity’s internal control.
Dimensions of CBS Audit
[Figure: Control Risk and Inherent Risk across CBS areas: Deposits, Advances, Inc / Exp, Trade Finance, Misc A/L, Interfaces]
Management is responsible for design, implementation and
maintenance of internal control relevant to the preparation of the
financial statements that are free from material misstatement,
whether due to fraud or error.
CBS Audit: Key
Determine source of likely potential misstatement:
• Fraud
• Internal, or
• External
• Assets: Classification, Income Recognition & NPA Provisions
• Asset Valuations
Look for evidence that controls have been identified,
communicated and are monitorable
Test controls specifically intended to prevent or detect fraud
CBS Audit: Strategy
• Options :
– Evaluate & Test controls, and /or (may be Centralized)
– Perform substantive tests – often inefficient
• Perform Substantive tests, when control
– does not address inherent risk
– addresses IR, but not to the extent that further review
and testing of control is efficient
– addresses IR sufficiently to warrant testing, but not
efficient to do so, e.g. very few transactions
• A substantive test “substantiates” the integrity of
actual transaction processing.
Financial Audit: Control Evaluation
Q1: Can learning application menus help?
• Perhaps for performing substantive tests. More
important to understand how transactions are
processed, what are built in preventive / detective /
corrective controls. What are compensating
controls?
Q2: How to start?
• Abrahm’s Advice: When eating an elephant take one
bite at a time. Evaluate each control relevant to audit.
Audit : Prioritise – Risk Matrix
Audit strategy: Based on Control Risk Assessment, in respect of each category of Txn
Control Risk Assessment: Maximum / Below Maximum / Low
All assurances will be derived from
substantive tests
• Identify preventive / detective controls
• Evaluate effectiveness of controls
• Test Existence of controls
• Document Record of application / monitoring control
• Perform efficient substantive tests
• Use analytical procedures
Test application and IT controls only when:
• Favourable control environment
• Prior experience of control -> Effectiveness
• Volumes of Txns are high
• Complex and integrated systems
Controls: Attributes
Identification and documentation :
• Organization should identify the controls to minimize the occurrence of
unlawful events.
Implementation:
• Identified controls should be implemented.
Existence:
• Sometimes controls have been implemented on paper but, for various
reasons, do not exist in reality, for example a password
change policy. Existence of the controls is equally important.
Adequacy:
• Verify controls are adequate to cover all possible threats.
Guidance note on Test of Controls
• Access to primary and subsidiary records
is provided and use of data analysis tools
is allowed at central and branch level.
• Test of controls and substantive checking
of sample transactions is carried out at
the central level and the results are
shared with the branch auditors, if
required.
Risk Assessment : Worksheet
• Risk Area :
• Risk Description :
• Inherent Risk – Size of the Risk Area
• Control objective – relevant to audit
• What ensures that Control Objective is achieved
• Control Risk Assessment
– Type of control : Preventive / Detective / Corrective
– Whether Control Depends upon another control for its effectiveness
– Whether Control Exists
– Whether control is implemented
Illustrative list of controls
•Access Control Matrix - E/P/V
•Segregation of duties in high risk areas
•Standard Operating Procedures
•EOD/BOD/Monthly Control Reports
•List of TODs Granted
•Transgression of powers
•Debits to income heads
•Manual debits to office A/cs like
•Customer debits without cheque
•Customer Risk Categorisation
Example MIS :FDs
• List of deposits with wrong interest codes and
either closed fully or partially before maturity
during the month. Check Interest / verify
• Details of Value Dated Deposits opened during
the month. Check Authorisation / verify
• List of Term Deposit accounts opened and closed
during the month within 15 days and interest
paid. Check Interest Computation/ verify
• List of deposit accounts where TDS exemption
flag is 'Yes' at account level as on the date of the
report. Check supporting evidence/ verify
• FFD- CustID mismatch. Check appropriate linking.
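Three of the FD exception reports listed above, sketched as detection logic over a data extract. This is an added example, not code from the presentation or from any CBS product; the record layout, field names and sample rows are constructed assumptions.

```python
from datetime import date as D

# Constructed term-deposit extract. Field names are assumptions made for this
# example and do not correspond to any real CBS schema.
FIELDS = ("acct", "opened", "value_date", "closed",
          "interest_paid", "tds_exempt", "exemption_form_on_file")
ROWS = [
    ("FD001", D(2024, 3, 4), D(2024, 3, 4), None, 0, "No", False),
    ("FD002", D(2024, 3, 12), D(2024, 3, 8), D(2024, 3, 18), 7397, "Yes", False),
    ("FD003", D(2024, 3, 5), D(2024, 3, 5), D(2024, 3, 28), 0, "Yes", True),
    ("FD004", D(2024, 3, 3), D(2024, 3, 3), D(2024, 3, 10), 310, "No", False),
    ("FD005", D(2024, 2, 20), D(2024, 2, 16), None, 0, "Yes", False),
]
DEPOSITS = [dict(zip(FIELDS, row)) for row in ROWS]

def in_period(day, start, end):
    return day is not None and start <= day <= end

def value_dated(recs, start, end):
    """Deposits opened in the period with a value date before the booking date."""
    return [r["acct"] for r in recs
            if in_period(r["opened"], start, end) and r["value_date"] < r["opened"]]

def short_closure_with_interest(recs, start, end, max_days=15):
    """Opened and closed in the period within max_days, with interest paid."""
    return [r["acct"] for r in recs
            if in_period(r["opened"], start, end)
            and in_period(r["closed"], start, end)
            and (r["closed"] - r["opened"]).days <= max_days
            and r["interest_paid"] > 0]

def tds_exempt_unsupported(recs):
    """TDS exemption flag is 'Yes' but no supporting form is recorded."""
    return [r["acct"] for r in recs
            if r["tds_exempt"] == "Yes" and not r["exemption_form_on_file"]]

def exception_report(recs, start, end):
    """Run all three checks for one reporting period."""
    return {
        "value_dated": value_dated(recs, start, end),
        "short_closure_with_interest": short_closure_with_interest(recs, start, end),
        "tds_exempt_unsupported": tds_exempt_unsupported(recs),
    }

if __name__ == "__main__":
    for name, accts in exception_report(DEPOSITS, D(2024, 3, 1), D(2024, 3, 31)).items():
        print(f"{name}: {accts}")
```

Each hit is a lead for the verification step the slide names (authorisation, interest computation, supporting evidence), not a finding in itself.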
CBS Audit: Inquiries to be done
• System of MIS verification and Risk
Audit.
• Make inquiries of management,
internal auditor, and others within
the bank, as appropriate, to
determine whether they have
knowledge of any actual, suspected,
or alleged fraud affecting the bank.
Audit: Sample Size
$$n = \frac{(1.96)^2\, p(1-p)}{d^2}$$
Does not depend on population (npq≥5)
• where 1.96 signifies 95% level of confidence. For 99% level of confidence replace 1.96 with 2.58.

Values of d    Values of p
               0.5     0.25    0.1     0.05    0.025
0.5            4
0.25           15      12
0.1            96      72      35
0.05           384     288     138     73
0.025          1537    1152    553     292

POPULATION
d=0.20p
$$n = \frac{4Np(1-p)}{(N-1)d^2 + 4p(1-p)}$$

N      Values of p
       50%     25%     10%     5%      2.50%   1.00%
10     9       10      10      10      10      10
25     20      23      24      25      25      25
50     34      43      47      49      49      50
75     43      60      69      72      74      74
100    50      75      90      95      98      99
150
Substantive Test: Hypothesis
N=150
                                                    Case A         Case B
No of errors observed in the sample                 3              4
Proportion of errors in the sample p                0.02           0.026666667
Standard deviation of the sample
  $\sigma = \sqrt{p(1-p)/n}$                        0.011430952    0.013154354
Projection of sample proportion on the
  population $= p + 1.96\sigma$                     4.24%          5.24%
Tolerable error                                     5%             5%
Accept the hypothesis                               Yes            No
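The two sample-size formulas and the hypothesis test above, carried through in code so the slide figures can be reproduced. This is an added example, not part of the original presentation; the function names are assumptions, and `max_acceptable_errors` goes one step beyond the slides by deriving the acceptance threshold from the same projection.

```python
import math

Z95, Z99 = 1.96, 2.58  # multipliers for 95% and 99% confidence, as on the slide

def sample_size(p, d, z=Z95):
    """n = z^2 p(1-p) / d^2, rounded to the nearest item as in the slide table."""
    return round(z * z * p * (1 - p) / (d * d))

def sample_size_finite(N, p, d):
    """n = 4Np(1-p) / ((N-1)d^2 + 4p(1-p)); the 4 stands in for 1.96^2."""
    pq4 = 4 * p * (1 - p)
    return round(N * pq4 / ((N - 1) * d * d + pq4))

def projected_error(errors, n, z=Z95):
    """Upper limit of the population error rate: p + z * sqrt(p(1-p)/n)."""
    p = errors / n
    return p + z * math.sqrt(p * (1 - p) / n)

def accept(errors, n, tolerable, z=Z95):
    """Accept the hypothesis when the projection stays within tolerable error."""
    return projected_error(errors, n, z) <= tolerable

def max_acceptable_errors(n, tolerable, z=Z95):
    """Largest error count in a sample of n that still leads to acceptance."""
    k = 0
    while k < n and accept(k + 1, n, tolerable, z):
        k += 1
    return k

if __name__ == "__main__":
    print("n for p=0.5, d=0.05:", sample_size(0.5, 0.05))
    print("n for N=100, p=0.5, d=0.2p:", sample_size_finite(100, 0.5, 0.1))
    for errors in (3, 4):  # Case A and Case B: sample of 150, tolerable error 5%
        print(errors, f"{projected_error(errors, 150):.2%}", accept(errors, 150, 0.05))
    print("errors tolerated in a sample of 150:", max_acceptable_errors(150, 0.05))
```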
Example
[Diagram: entries dated 29 Mar among accounts C1/A1, C2/A2, C3/A3, Susp, FD/A1 and LN/A1; amounts shown 250L, 50L, 150L and 450L; Vdt 25 Mar]
Features
• Integrity: Unauthorised Debit
• No Cheque or debit authority
• No application for FD
• FD Value Dated (-4days)
• Sign on Loan Doc forged
• No Resolution to borrow
• Loan signatories not authorised
• Loan at 0% Margin
Example: Continued
[Diagram: follow-on entries dated 31/03, 02/04 and 08/04 among Exp/Int FD, Inc/Int Loan, DD/ITO, DD/A1, TDS/Prkg, FD/A1 (450L) and Loan; amounts shown 22192 (6days, No TDS), 7397, 754, 3679, 4931, 9866, 9112, 14792 and 6643; Cancelled on 11/07]
Learnings from the example
• Management is often in the best position to
perpetrate fraud - use professional judgment
• Focus on areas with high risk & high
probability that controls are not in place or
are weak e.g.
– Large value debits without cheque
– Large value loans against FDs
– Loans against FDs at lower / zero margins
– Misuse of suspense accounts
• Don’t forget positive risks – opportunities!
Compute Loan outstanding
• Use the IPMT function to find the balance of a
loan using the following formula
=IPMT(rate,per,nper,PV)/rate
Prd    Principal    Interest    Repayment    NetAmt      Using Formula
1      100000       833.3333    2124.7       98708.63    100000
2      98708.63     822.5719    2124.7       97406.51    98708.63
13     83773.24     698.1104    2124.7       82346.65    83773.19
14     82346.65     686.2221    2124.7       80908.18    82346.59
24     67410.28     561.7524    2124.7       65847.34    67410.17
25     65847.34     548.7278    2124.7       64271.36    65847.22
26     64271.36     535.5947    2124.7       62682.26    64271.24
Compute interest Income During Prd
• Use the IPMT worksheet function to calculate
• Interest on Loan during some period
• =SUM(IPMT(rate,ROW(A1:A12),nper,-Amt))
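The two IPMT worksheet formulas above, written out as an independent recomputation that can be compared against interest booked by the system. This is an added example, not code from the presentation; the rate of 10%/12 and the 60 instalments are assumptions inferred from the table figures (interest 833.3333 on 100000, repayment 2124.7), and the booked amounts in the test data are constructed.

```python
def pmt(rate, nper, pv):
    """Level instalment repaying pv over nper periods (positive amount)."""
    return pv * rate / (1 - (1 + rate) ** -nper)

def opening_balance(rate, per, nper, pv):
    """Principal outstanding at the start of instalment `per`.

    Equals |IPMT(rate, per, nper, pv)| / rate, the slide's first formula.
    """
    growth = (1 + rate) ** (per - 1)
    return pv * growth - pmt(rate, nper, pv) * (growth - 1) / rate

def interest_income(rate, first, last, nper, pv):
    """Interest over instalments first..last: the slide's SUM(IPMT(...))."""
    return sum(opening_balance(rate, k, nper, pv) * rate
               for k in range(first, last + 1))

def schedule(rate, nper, pv, instalment):
    """Row-by-row amortisation as posted, e.g. with a rounded instalment."""
    rows, balance = [], pv
    for per in range(1, nper + 1):
        interest = balance * rate
        rows.append((per, balance, interest))
        balance = balance + interest - instalment
    return rows

def recompute_gaps(rate, nper, pv, booked, tolerance=1.0):
    """Periods where booked interest differs from the recomputed figure."""
    return [per for per, amount in sorted(booked.items())
            if abs(amount - opening_balance(rate, per, nper, pv) * rate) > tolerance]

if __name__ == "__main__":
    rate, nper, pv = 0.10 / 12, 60, 100000
    for per in (1, 2, 13, 26):
        print(per, round(opening_balance(rate, per, nper, pv), 2))
    print("interest, periods 1-12:", round(interest_income(rate, 1, 12, nper, pv), 2))
    booked = {1: 833.33, 2: 822.57, 13: 598.11}  # constructed booked interest
    print("periods to query:", recompute_gaps(rate, nper, pv, booked))
```

The small differences between the table's schedule column and its formula column (83773.24 against 83773.19 at period 13) come from posting the instalment rounded to 2124.7.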
Factors influencing Risk
• Past misstatements strongly indicate the likely
occurrence of future misstatements;
• Unreliable application systems e.g. Asset classification
SW/module
• Non-systematically processed transactions
• The incidence of misstatements is greater in
transactions relating to accounting estimates and
adjustments at or near to the end of an accounting
period (i.e., cut-offs and accruals); and
• Incidence of misstatements associated with unusual or
complex transactions.
Role and responsibilities of branch
auditors
• To the extent possible, data analysis tools are
used for better and effective audit.
• Test of controls and substantive checking of
sample transactions is carried out at the branch
level and the results are shared with the central
auditor, if required.
• Significant observations having bearing on the
true and fair view are reported to central auditor.
• Any other limitations on audit which are required
to be reported to the central auditor.
• Thank you