Auditor's reporting on internal controls is not a new requirement in India. The Companies Act, 2013 introduced section 143(3)(i) which required the auditors of companies, other than specified class of companies, to report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls.
In the case of Banks, the guiding principles on objectives, strategy, scope and coverage of the Long Form Audit Report ('LFAR') prescribed by the RBI require the Statutory Central Auditors and the Statutory Branch Auditors to consider the Bank's internal control, including the control culture of the bank, structure and complexity of the IT systems, etc., when determining the audit strategy and for reporting on various particulars of the Bank's operations in the LFAR. As such, reporting on internal controls in the case of Banks is not entirely new under the aforesaid advice of the RBI. Recently, the RBI vide its letter no. DOS. ARG No.6270 /08.91.001/2019-20 dated 17th March 2020 has directed the banks to advise their Statutory Central Auditors to report in their independent auditor's report, inter alia, whether the Bank has an adequate internal financial controls system in place and the operating effectiveness of such controls.
Applicability to branches
The branches that are required to be covered for reporting on Internal Financial Control will be determined and scoped in by the Statutory Central Auditors. It is not necessary that all the branches of the Bank are covered for reporting on Internal Financial Control in Financial Reporting since the controls operating at the branches will be common controls. These controls are basically designed centrally at the Bank HO and operated at the branches.
What are common controls?
A common control is one that is centrally designed and intended to be performed consistently across different components or branches. Since the activities of the bank are generally carried out at the branch and zonal office level, it is important to determine the controls performed at the Head office level and branch level. The common controls could be performed through a shared service centre.
To determine the nature of controls as to whether they are common controls or not, the auditor has to take the following aspects into consideration:
| Sl.No. | Parameters to determine common control |
|---|---|
| 1. | Whether the detailed description of controls is maintained centrally and the expectation regarding the performance of the control (what is to be performed at each branch / component) is clearly specified. |
| 2. | Whether the policies and procedures have been documented in writing and communicated to the control performers. |
| 3. | Whether training is provided to the individuals responsible for performing the control, and whether such training is consistent among the different components or locations at which the control is implemented. |
| 4. | Whether the management at the branches / components where the control is to be implemented is permitted to make modifications to the design of the control (as per the local requirement) for the operation of the control. |
| 5. | Where are the documents / evidence for the performance of the control created and maintained? |
| 6. | What is the specified frequency with which the control should operate? |
| 7. | Whether the controls are automated or done through manual intervention? |
Importance of Automated control
- It is important to analyse whether the application systems at the components or locations are the same and whether their configurations are the same. In case there are different IT applications across the branches or components to meet the local needs, the automated controls may not be considered to be common controls. Hence, in such a situation the branch auditors may be required to test such controls.
- Similarly, it is also important to analyse whether the report generated from the IT application is the same across the branches or components. In case the bank uses Core Banking Solutions (CBS) and they are configured across the branches without any changes, the auditor can conclude that it is a common control, and these controls may be tested as per the instruction from the Statutory Central Auditors.
- It is also important to analyse the various IT platforms used by the components / branches. For example, if the component / branch uses a separate IT system, instead of the CBS used in Head office, to extract the data for a certain report such as the Ageing report, the control may not be considered a common control and the branch auditor has to test these controls separately.
- Monitoring of controls plays an important role in determining the testing by auditors. It is important to analyse whether the control is monitored at the HO level, segment level or branch level. The exception report / deviation report is generated and analysed at the Corporate level, segment level or branch level.
- It is also important to analyse whether an internal audit function is conducted at the components, at what frequency, what audit procedures are performed and how the reporting is done.
Note: If the common controls need to be tested by the branch auditors, it is important that the Central Statutory Auditors give the branch auditors detailed instructions on testing the controls. The instructions should also specify the sample to be tested at the branch, or whether the branch is scoped for full testing of controls.
Financial closing and reporting process
It is a common practice in banks that the Head office issues year-end financial closing instructions to the branches, based on which the branches prepare their financial statements. These instructions are called 'Account Closing instructions'. These instructions will need to be identified separately. It is important for the auditor to review the instructions carefully and identify the controls which are exercised at the HO level, zonal level and branch level. Particular consideration has to be given to compliance with the accounting policies, which will result in appropriateness of preparation of the financial statements.
Timeline for testing of controls
| Sl.No. | Testing before the year end | After the year end |
|---|---|---|
| 1. | IT and the automated controls since the controls may be subjected to change after the year end | Manual controls since the evidence of exercise of controls may be available after the year end |
| 2. | Controls related to financial reporting process | |
Reporting
The final step in the audit would be the evaluation of the control deficiencies. Based on the severity, the deficiencies identified can be categorized into:
- Material weakness: There is a reasonable possibility that a material misstatement of the bank's annual or interim financial statements will not be prevented or detected on a timely basis. One of the examples could be lack of proper segregation of duties with respect to financial reporting transactions.
- Significant deficiency: Significant deficiency is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the bank's financial reporting. One of the examples could be that controls are not defined for a particular risk like the change management to the application program.
- Deficiency: Design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. It is less severe than a material weakness or significant deficiency.
Source: IFC of Public Sector Banks issued by ICAI