490 likes | 1.04k Views
Bank Audit Auidit of Banks. Agenda. Types of Audits of Banks Audit of Risks in Banks Audit of Financial Position & Results of Operations of Banks Audit of IT Computer Systems in Banks Future of Bank Auditing. 1. Types of Audits of Banks. 1.1. Internal Audit 1.2. External Audit.
E N D
Agenda • Types of Audits of Banks • Audit of Risks in Banks • Audit of Financial Position & Results of Operations of Banks • Audit of IT Computer Systems in Banks • Future of Bank Auditing
1. Types of Audits of Banks • 1.1. Internal Audit • 1.2. External Audit Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Externalaudit is an audit conducted by an individual or firm that is independent of the company being audited. Independent auditors audit the books of a company generally once per year after the completion of the company’s fiscal year. Their role is to give an opinion of the financials statements reflection of the status and operations of the company being audited.Based on what they witness during the audit they will also produce, for management and board utilization, a management letter. Although a financial statement audit is the most common type of external audit, external auditors may also conduct special purpose audits which might include; performing specific tests and procedures and reporting on the results, a less intensive review, and compilations
1.1. Internal Audit Roles and Responsibilities Internal audit departments mainly function to provide assurance to senior management of the Bank and stakeholders for the activities of the Bank’s whole departments, branches and subisidiaries on their consistency with the Banking Law, BRSA Regulations, banking legislation, Bank strategies, policies and procedures and for the adequacy of internal control and risk management system. Besides, it is responsible for establishing and maintaining effective internal audit system to minimize the effects of the operational risks. • Some of the audit functions are: • Evaluating the adequacy and effectiveness of risk management, control and governance processes of the Bank. • Assessing compliance with regulations of Legislative Bodies and the Bank’s procedures. • Providing recommendations for improving the operations of the Bank in terms of efficient and effective performance. • Assisting the detection of fraud. • For those purposes the Department conducts audits at the branches, departments andsubsidiaries of the Bank throughout Turkey and abroad. All business systems, applications, processes, operations, functions and activities within the Bank are subject to the audits.
1.1. Internal Audit The BRSA Supervision on Internal Audit • The BRSA regulatesand supervises also HR issues of IAD and audit studies performed. • Some of the issues are mentioned below: • The number and professional quality of internal auditors in IAD should be sufficient, • All audit plans and annual results must be reported to the BRSA, • Manuals should be written, • The charter, working papers must contain the minimum requirements asked by the BRSA, • The BRSA, in its regulations, refers to the IIA’s standards on those issues.
1.1. Internal Audit RISK BASED AUDITING PRINCIPLE • Identification • Sourcing • Assessment • Prioritization RISK AUDIT PLANS Audit Universe & Coverage All of the activities in the head office departments, subsidiaries and Branches are subject to audit. Although all financial subsidiarieshave Internal Audit / Internal Control Units, Internal AuditDepartment of Garanti also performs audits in thosesubsidiaries. Working Methodology Audit manuals are established to provide guidance on specific audits. Manuals are prepared about procedures of on-site engagements that the auditors may perform.
1.1. Internal Audit Risk Mapping and Audit Plan Branch Regional Credit Granting Offices Head Office Departments BRSA Internal Audit Department Audit Committee Board of Directors The Bank’s Risk Matrix Importance Level Audit Period AUDIT PLAN Risk Level of Bank’s Activities Credit Extension Retail Banking Operations Commercial Banking Operations Deposit Collection and Investment Products Treasury Management Financial Investments and Placement Management of Customer Funds Safe Keeping Insurance Services Agency Services Payment Systems IT Systems Human Resource Legal Proceedings New Technologies Risk Indicators Risk Indicators Risk Assessment Subsidiaries Risk Assessment Risk Matrices of Subsidiaries AUDIT PLAN PROCESS
1.1. Internal Audit Organizational Structure of Internal Audit Department INTERNAL AUDIT DEPARTMENT DIRECTOR OPERATION SERVICE ASS.DIRECTOR H/O Departments & Subsidiaries & IT Audits & Risk Management Audits & Financial Accounting Audits & Trainings & Human Resources Mng. ASS.DIRECTOR Branch Audits & Central Audits & Internal Fraud & Investigations SUPERVISOR Financial Accounting Audits SUPERVISOR IT Audit SUPERVISOR H/O Departments &Subsidiaries SUPERVISOR Branch Audits SUPERVISOR Branch Audits SUPERVISOR Central Computerized Audit & Central Fraud Detection SUPERVISOR Fraud Investigation SUPERVISOR H/O Departments & Subsidiaries & Training SUPERVISOR H/O Departments &Subsidiaries & Risk Management Risk Management Audit Team IT Audit Team Auditors/Assistant Auditors
1.1. Internal Audit Audit Types Audit Activities • On-Site Audits • Branch Audits • H/O and Subsidiary Audits • Central Audits • Audits of Operations and Transactions • Process Audits • Internal Fraud Detection • Information Technologies Audits • IT Processes • Banking Applications • Subsidiary IT Audits • Risk Management Audits • Operational Audits • Financial Audits • IT Audits • Performance Audits • Managerial Audits • Compliance Audits • InternalFraud Detection • Governance Audits
1.1. Internal Audit Specific techniques USED to obtain information Executing the audits Confirmation Interviewing Statistical Sampling Observation & Inspection Detailed Testing Analytical Procedures Recomputing
1.2. External Audit • Taking into account opinion of the Audit Committee, the Board of Directors selects the authorized audit company, which conducts audit engagement in periods determined by legislation, and submits the company to approval of the General Assembly. • The authorized external audit company is evaluated quarterly by the Audit Committee during the service period and the results must be submitted to the Board of Directors. • Deloitte, KPMG, PWC, Ernst & Young as external audit companiesare authorized by Banking Regulation and Supervision Agency (BRSA) for financial audit in banks. • In addition; banks quoted to Istanbul Stock Exchange are also subject to external audit in accordance to Capital Markets Board’s regulations. • The External Audit Companiesgenerally offerthe services below; • Audits of the financial statements, • Audits of the Information Technology Systems. • Actions which will be taken by banks regarding External Audit Company’s IT audit findings are presented to and approved by Board of Directors and are sent to BRSAtwice a year.
2. Audit of Risks in Banks • What is Risk ? • Pronounced as “risco” in Italian, “Risiko” in German and “risk” in English, this concept has been used as “riziko ” formerly, and later has been used as “ risk ” . • Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss or undesirable outcome. • The concept has been used as a synonym with “ danger ”, and used for the situations which is predicted to appear in the future but which at the same time is unknown whether or not it is going to happen. • The two fundamental components (R) of the Risk are the probability of that the loss will occur (p) and the magnitude of the potential loss (L). Ri=Lip(Li)
2. Audit of Risks in Banks Types of Risks Share Risk Interest Rate Risk Exchange Rate Risk Commodity Risk SpecificRisk Transaction Risk Market Risk General Market Risk Structural Interest Rate Risk Credit Risk Liquidity Risk Financial Risks Counterparty Credit Risk Operational Risk Transaction & Business Risk Issuer Risk Concentration Risk Reputation Risk Issuing Risk Business & StrategicRisks
2. Audit of Risks in Banks Benefits of Risk Management Enhancing the communication between units Enhancing the business plan and the strategical planning Reinforcement of the effective usage of resources Quick understanding and capturing new opportunities Encouraging continuous renewal and improvement Supporting the internatl audit program to focus Giving assurance to shareholders Less shocks and unexpected surprises Potential Benefits
2. Audit of Risks in Banks Capital Requirement Calculation Methods
2. Audit of Risks in Banks Calculation of Minimum Capital Requirement Total Capital ≥ %8 Credit Risk Market Risk Operational Risk + +
2. Audit of Risks in Banks In the past, the stability of a bank was generally measured purely on the sum of its capital tiers divided by its Risk Weighted Assets. With the Basel III, the capital rules have been strengthened and all the components operating together has been taken as a complete framework. LCR: Liquidity Coverage Ratio NSFR: Net Stable Funding Ratio
2. Audit of Risks in Banks • According to the Basel Committee on Banking Supervision, the Basel 3 proposals have two main objectives, • To strengthen global capital and liquidity regulations with the goal of promoting a more resilient banking sector; and • To improve the banking sector's ability to absorb shocks arising from financial and economic stress. • To achieve these objectives, the main proposal the BCBS Basel 3 has developed are: • Capital reform (including quality and quantity of capital), complete risk coverage, leverage ratio; and • Liquidity reform (short term and long term ratios).
2. Audit of Risks in Banks In view of preserving core Tier 1, the Committee introduced two new "buffers. A Capital Conservation Buffer should allow banks to absorb shocks in periods of stress without breaching core Tier 1. And a more discretionary Countercyclical Buffer to compensate for increased systemic risks in times of excessive credit growth. In terms of quantity, total Tier 1 Capital is now required at 6%, up 2% from Basel II . Furthermore, a new leverage ratio will make part of banking regulatory framework. Banks will be required to maintain a leverage ratio of 3 percent or more (33 times its capital). The unweighted assets include provisions, loans, off-balance sheet items with full conversion, and all derivatives. The main purpose of this ratio is to constrain leverage in the banking sector, while also helping to safeguard against model risk and measurement errors. In addition to the capital banks must hold against risk weighted assets, financial institutions now have two new ratios to comply with: Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio. LCR is designed to promote the short-term resilience of a bank's liquidity risk profile by ensuring that it has sufficient high-quality liquid assets to survive a significant stress scenario lasting for 30 calendar days; and the NSFR aims at promoting longer-term resilience by requiring banks to have capital or longer term high-quality funding which can survive over a one year period of less severe stress.
2. Audit of Risks in Banks Risk Management Audit and Internal Auditors • Internal Auditors should; • Focus on risks related to a possible recession (reputation, liquidity, labor force reduction...) • Audit the effectiveness of risk management and corporate governance processes. • Conduct the re-evaluation of risks and identify the risks associated with each other. • Undertake a teaching role on risk management. • Improve the relations with other governance, risk and checkpoints within the organization. • Expand the studies related with Fraud on the audit plans. • Also; • Auditors should be in close contact with the senior management and the audit committee. • More flexible inspection plans that can be changed during the period should be used. • Information about the organization and business should be improved. • In order to conduct more effective audits, the audit reports should be prepared in shorter times and intensive technology should be used.
3. Audit of Financial Position / Results of Operations of Banks Audit of Assets • Audit operations for assets; • Cash and Cash Equivalents • Financial Investments • Derivative Financial Assests and Liabilities • Loans • Tangible and Intangible Fixed Assets • Other Various Assets and Liabilities • Investments Held as for Sale
3. Audit of Financial Position / Results of Operations of Banks Audit of Assets First of all,auditor has to audit current assets whether these are recorded correct or not. • Reconciliation is done by auditor to reach equity of trial balance-MIS-balance sheet. • Back-dated bank reciepts are examined. • Reconciliation is done for all bank accounts. • Nominal values of securities are verified. • Conformity of the data is examined which was used for valuation of securities. • Income and expense is examined which was obtained by derivative operations. • Valuations of derivative products is examined. • Current credit balance of bank is compared with past periods to examine difference. • Rediscount calculation of loans is examined to be certain of accuracy. • Depreciation accounting of bank is examined to verify accuracy. • Current and past period is compared to examine differences. • Accounting records are examined which put into operation with the defination of ‘Other’. • Market value of bank is examined.
3. Audit of Financial Position / Results of Operations of Banks Audit of Liabilities • Audit operations for liabilities; • Deposit and Other Liabilities • Credits Obtained • Reserves • Tax Liabilities on Profit • Shareholders Equity
3. Audit of Financial Position / Results of Operations of Banks Audit of Liabilities • Reconciliation is done by auditor to reach equity of trial balance-MIS-balance sheet. • Current deposits and other liabilities of bank are compared with past periods to examine difference. • Current obtained credits of bank are compared with past periods to examine difference. • Rediscounts of interest for obtained credits are examined to be certain of accuracy. • Collateral accounts are examined to be certain of accuracy. • Tax calculation of bank is examined. • For shareholders equity, capital movements in a period is examined.
3. Audit of Financial Position / Results of Operations of Banks Audit of Income Statement • Interest income • Interest expense • Service and commission income/expense • Personnel expense • Income and expense of other activities • Other income and expenses • Rediscount and evaluation transactions
3. Audit of Financial Position / Results of Operations of Banks Audit of Income Statement An income statement audit can help auditor to isolate mathematical errors and ledger discrepancies. • Reconciliation is done by auditor to reach equity of trial balance-MIS-balance sheet for related accounts. • Change in trend of interest income and expense is examined to determine possible reverse entries. • Change in trend of commission income and expense is examined. • Possible correction records related to commission income and expense are examined to be certain of accuracy. • Current personnel payments are compared to past periods. • Conformity of the subsidiary records to the trial balance is examined.
3. Audit of Financial Position / Results of Operations of Banks Audit of Off-Balance Sheet Items • Liabilities are examined to understand their origin. • Nominal amounts of securities are examied to confirm their assets on off-balance sheet. • Reconciliation is done related to deposits which is given or taken.
4. Audit of IT Computer Systems in Banks • The computerized environment provides advantages over manual system in termsof accuracy and uniform processing of transactions. But at the same timeit poses certain challenges before the auditor in terms of audit risk due to peculiarnature and characteristics of Computerized Information System (CIS) environment,where potential for fraud is much more and can be more easily hidden in the digital data. • Computer fraud and abuse can have a detrimental effect on an organization. Periodic surveysundertaken by organizations such as the NCC(National Computing Centre) and the AuditCommission indicate the following common instancesof computer fraud and abuse: • Unauthorised disclosure of confidential information • Unavailability of key IT systems • Unauthorised modification/destruction of software • Unauthorised modification/destruction of data • Theft of IT hardware and software • Use of IT facilities for personal business
4. Audit of IT Computer Systems in Banks Computer Security Audit “A computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited”. Symantec • Computer security auditors perform their work though personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned primarily with how security policies- the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer: • Are passwords difficult to crack? • Are there access control lists (ACLs) in place on network devices to control who has access to shared data? • Are there audit logs to record who accesses data? • Are the audit logs reviewed? • Have all unnecessary applications and computer services been eliminated for each system? • Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
4. Audit of IT Computer Systems in Banks Information Technologies Audit – Risk Assessment Step 1: Determination of Risk Assessment Participators Step 2: Interviews & Surveys Step 3: Risk Prioritization Step 4: Evaluation by the Internal Audit Mng. Step 5: EstablishRiskBasedAuditPlan • For the risk assessment of IT Processes, initially interviews with business unit managers and Garanti Technology senior management are performed. • IT Risk Assessment surveys are filled by the said managers, to determine the risky IT processes. The results of surveys are evaluated in terms of vulnerability and impact of IT processes. • Applications and Subsidiaries are assessed based on the international Risk Assessment methodologies of ISACA (Information Systems Audit & Control Association). • Annual audit plans are formed based on the prioritization resulted from the risk assessments. • Risk assessment is performed annually.
4. Audit of IT Computer Systems in Banks Technical Competence, Information, Standards and Tools Used Standards • BRSA Regulations • COBIT • ITIL • ISO 27001, BS 25999 • CMMI, PMBOK, NIST… Technical Information Audit Competences • Operating Systems • Databases • Software Development • Network Infrastructure • Comp.Engineering Background • Continuous Pro. Education INFORMATION TECHNOLOGIES AUDIT • CISA,CEH,PMP,CISM,CRISC • Process Audit Methodology • Sampling Methodology • Evidence Gathering Method. • IT Audit Methodology Tools • Data Mining/ Query Tools (Oracle, ISQL..) • Monitoring Tools (MS MOM/ SCOM/SMS) • Security Test Tools • MBSA • Nessus • Penetration Tools (Wireshark, Paros, Developer Tools…)
4. Audit of IT Computer Systems in Banks Information Technologies Audit - Scope Banking Applications 27 Audit Areas Subsidiary IT Audits 18 Audit Areas IT Processes 22 Audit Areas • IT Governance Audits • ( IT Governance, IT Strategy & Source Planning ) • Security Audits • ( Network/ Info. Security,...) • General Process Audits • ( Software Development, Change Management... ) • Infrastructure Audits • ( Database Management,, System Software Manag... ) • Disaster Recovery Audits • Internet Banking • Telephone Banking • Securities & Treasury Applications • Commercial Loans • ATM • Credit CardsSystem • Core Banking (Deposits) • Consumer Loans • Accountancy • ....... • GarantiBank Int. NV. • GarantiBank SA. • Garanti Pension & Life Insurance • Garanti Leasing • Garanti Securities • Garanti Factoring • Garanti Asset Man. • Garanti Bank Moscow • Garanti Mortgage • ….. • In IT Process audits, general controls in the processes are evaluated, based on COBIT, ISO 27001, ITIL, CMMI control objectives, ISACA checklists, BRSA regulations and various technical control lists. • In Banking Application audits, application controls including data creation/ authorization, input/ output, data processing, mining, limit, compliance, workflow, efficiency, security controls are evaluated. • In IT Audits of Subsidiaries, general and application controls of Subsidiaries’ current IT and financial processes are evaluated based on the same standards used in IT Process & Application audits.
5. Future of Bank Auditing With the developments in banking sector, classical audit practices changed to modern audit methodologies. Traditional Methods Modern Methods Focused in finding errors Focused in system, process and risk Issue Prevention Focused to past Focused to future Financial losses Efficiency Labor intensive System intensive Based on problem Based on solution
5. Future of Bank Auditing Qualificationswhichauditorsmusthave; • Abilitytoidentifytherisks • Professional competency • Negotiant, researcher, leader • Strongcommunicationskills Auditfieldswhichwillgainimportance in thefuture • Information systems • Risk of legislationandreputation • Process of makingfinancialstatements • Determinationmethods of fraud