Banking sector: The IT saga in Indian banking commenced in the mid-eighties of the twentieth century, when the Reserve Bank took upon itself the task of promoting automation in banking to improve customer service, bookkeeping, MIS and productivity.
This role played by the Reserve Bank continued for years.
Introduction of MICR-based cheque processing, a first for the region, during the years 1986-1988.
BANKING SECTOR DEVELOPMENTS (COMPUTERISATION OF BANKS):
Computerisation of branches of banks: in the late eighties, with the introduction of ledger posting machines (LPMs) and advanced ledger posting machines (ALPMs), which have paved the way for installation of core banking developments.
The computerised environment provides advantages over the manual system in terms of arithmetic accuracy and uniform processing of transactions. At the same time, it poses certain challenges before the auditor in terms of audit risk, owing to the peculiar nature and characteristics of the Computerised Information System (CIS) environment, where the potential for fraud is much greater and fraud can be more easily hidden in the digital data. The overall objective and scope of an audit does not change in a CIS environment; nevertheless, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the bank.
There has been a phenomenal growth in the number of banks who have computerised most of the businesses of their branches.
New entrants in the banking business have augmented the competition. The customer is now well aware of the choices and products available to them. All this has necessitated access to information and state of the art technologies to serve the customer efficiently and effectively.
In this ever-changing banking environment, members who are involved in the auditing of banks need to equip themselves with IT knowledge to meet new challenges and adopt a different approach and methodology for bank audit in a computerised environment.
Auditors need to test the accuracy of output with some test cases and, once it is established, shift their focus to the areas that have become vulnerable because of the computerised environment.
Massive computerisation is taking place in all the banks. The approach and methodology to be followed in audit of any computerised branch needs to be understood correctly in the light of the fast-paced technological changes taking place. Information Technology makes it imperative that internal controls and systems get integrated in IT and are not apparent as a manual system.
The computerised branches may be divided into two categories:
In the first category come the branches where partial computerisation has taken place. These branches are called ALPMs or PCs or PBA.
The second category of computerised branches includes those branches that are fully computerised. These are called TBA (Total Branch Automation) branches. These branches work under LAN (Local Area Network) environment connected with a server in the branch.
The totally computerised branch may further be classified into two types:
Standalone Computerised Branch:
These bank branches are not connected online with other banks or the head office. The transactions take place in the server at the branch level, and at the end of the day they are consolidated and sent to the Regional/Head office for further consolidation.
Total Computerization with Central Database:
These bank branches are connected online with other branches or the central database. In Core Banking Solutions (CBS), banks maintain a central database, and all transactions that take place in the various branches are updated in the central server online. People can also transact business from any of the branches of the bank.
After AAS 29 on Auditing in a Computerised Information Systems (CIS) environment became operative for all audits related to accounting periods beginning on or after 1st April 2003, the responsibility of the bank branch auditor increased manifold. As per AAS 29, the overall objective and scope of an audit does not change in a CIS environment; however, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the entity. Therefore, an auditor needs to check the various controls implemented throughout the system and their existence. A CIS environment may affect:
• The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems.
• The auditor’s evaluation of inherent risk and control risk through which the auditor assesses the audit risk.
• The auditor’s design and performance of tests of control and substantive procedures appropriate to meet audit objective.
• Auditors need to be satisfied about the existence of adequate security controls in the computer system, as well as about the implementation of these controls by the bank.
Understanding of the CIS Environment
Before the auditor commences the audit, it is imperative that he has a thorough understanding of the CIS environment prevalent, each application software used at all points of time during the year, and the interfaces established between the several sub-systems of the bank. Without a proper understanding of the functioning of each item of software, the auditor would not be in a position to gear up for an effective audit of banks operating in a computerised environment. Accordingly, the auditor needs to carry out the following tasks:
• Obtain sufficient understanding of the CIS environment prevalent in the bank, the interfaces established between various sub systems, flow of data, validations, functionality of each item of software etc.
• Obtain sufficient understanding of the effect of CIS environment on internal control systems.
• Flow of authorised, correct and complete data to the processing centre.
• Processing, analysis and reporting undertaken with the use of computer.
• The impact of computer based systems on the audit trail that could otherwise be expected to exist in an entirely manual system.
• Determine the effect of CIS environment on the assessment of overall audit risk and of risk at the account balance and class of transaction level.
• Design and perform appropriate tests of control and substantive procedures.
Nature of Risks and Internal Control Prevalent:
Lack of Transaction Trails:
Some CIS are designed so that a comprehensive transaction trail that is normally useful for audit may exist only for a short period of time or only in computer-readable form. Several accounting entries and their impact on the general ledger are system generated, based upon logic built into the computer programs. Accordingly, errors in the programming logic may not be detected by manual procedures alone.
Uniform Processing of Transactions:
Computers handle transactions uniformly, with the same processing instructions. But it may also happen that the programming instructions do not take care of all business intricacies and situations.
Lack of Segregation:
Many control procedures that would ordinarily be performed by different individuals in manual systems may become concentrated in a CIS environment. Thus, an individual who has access to computer programs, processing or data may be in a position to perform incompatible functions.
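One way an auditor could test for this concentration of functions is shown below. It is an added example, not part of the original presentation; the user IDs, function names, file layouts and the list of incompatible function pairs are all assumptions made for illustration.

```python
import csv
import io
from itertools import combinations

# Constructed sample data (not from any real bank system).
ACCESS_CSV = """user,function
u101,transaction_entry
u101,transaction_authorisation
u102,transaction_entry
u103,transaction_authorisation
u104,program_change
u104,data_file_maintenance
"""
TXN_CSV = """txn_id,entered_by,authorised_by,amount
T1,u102,u103,5000.00
T2,u101,u101,250000.00
T3,u102,,1200.00
"""
# Assumed policy: pairs of functions that one person should not hold together.
INCOMPATIBLE = {
    frozenset({"transaction_entry", "transaction_authorisation"}),
    frozenset({"program_change", "data_file_maintenance"}),
}

def incompatible_access(access_csv):
    """Return {user: [function pairs]} for users holding an incompatible pair."""
    held = {}
    for row in csv.DictReader(io.StringIO(access_csv)):
        held.setdefault(row["user"], set()).add(row["function"])
    findings = {}
    for user, funcs in held.items():
        pairs = [tuple(p) for p in combinations(sorted(funcs), 2)
                 if frozenset(p) in INCOMPATIBLE]
        if pairs:
            findings[user] = pairs
    return findings

def maker_checker_exceptions(txn_csv):
    """Return (txn_id, reason) for entries not authorised by a second person."""
    out = []
    for row in csv.DictReader(io.StringIO(txn_csv)):
        if not row["authorised_by"]:
            out.append((row["txn_id"], "no authoriser recorded"))
        elif row["authorised_by"] == row["entered_by"]:
            out.append((row["txn_id"], "entered and authorised by same user"))
    return out

if __name__ == "__main__":
    print(incompatible_access(ACCESS_CSV), maker_checker_exceptions(TXN_CSV))
```

The first check looks at what each user is able to do, the second at what was actually done, so a user flagged by both is the natural starting point for substantive testing.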
Dependence of Other Controls Over Computer Processing:
Computer processing may produce reports and outputs that are used as a base for audit. The effectiveness of audit shall depend to a considerable extent on the accuracy, correctness and completeness of the reports generated by the computer system.
It is quite likely that some of the reports generated by the computer system are wrong, whether due to faulty logic, inaccurate functionality or manual intervention by the bank staff before the report is handed over to the auditor. It is quite possible that computer reports are downloaded to Excel, where certain values are altered before being handed over to the auditors.
Potential for the Use of Computer for Audit:
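A check for the altered-report scenario described above, as an added example that is not part of the original presentation: the auditor compares the report handed over by the branch against an extract he has taken from the system himself. The column names, account numbers and values are constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample data: the auditor's own extract and the branch's spreadsheet copy.
SYSTEM_EXTRACT = """account_no,balance,status
1001,150000.00,REGULAR
1002,-982500.50,OVERDUE
1003,42000.00,REGULAR
1004,7300.25,REGULAR
"""
HANDED_OVER = """account_no,balance,status
1001,150000.00,REGULAR
1002,-98250.50,REGULAR
1003,42000.0,REGULAR
1005,100.00,REGULAR
"""

def load(text, key="account_no"):
    """Index report rows by account number, with amounts parsed as Decimal."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["balance"] = Decimal(row["balance"])  # 42000.0 equals 42000.00
        rows[row.pop(key)] = row
    return rows

def compare_reports(system_text, handed_text):
    """Return findings as (account_no, field, system_value, handed_value)."""
    system, handed = load(system_text), load(handed_text)
    findings = []
    for acct in sorted(system.keys() | handed.keys()):
        if acct not in handed:
            findings.append((acct, "row", "present", "missing"))
        elif acct not in system:
            findings.append((acct, "row", "missing", "present"))
        else:
            for field, value in system[acct].items():
                if handed[acct].get(field) != value:
                    findings.append((acct, field, str(value), str(handed[acct].get(field))))
    return findings

def control_total(text):
    """Sum of balances, for agreeing the report to the ledger control figure."""
    return sum((r["balance"] for r in load(text).values()), Decimal("0"))

if __name__ == "__main__":
    for finding in compare_reports(SYSTEM_EXTRACT, HANDED_OVER):
        print(finding)
    print(control_total(SYSTEM_EXTRACT), control_total(HANDED_OVER))
```

Amounts are parsed as decimals so that a cell reformatted by the spreadsheet (42000.0 against 42000.00) is not reported as a change, while a changed figure, a changed status, a dropped row and an added row each are.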
Assisted Audit Techniques:
While evaluating the reliability of accounting and internal control systems, the auditor would consider whether these systems, inter alia:
• Ensure that authorised, correct and complete data are made available for processing.
• Provide for timely detection and correction of errors.
• Ensure that in case of interruption in the working of the CIS environment due to power, mechanical or processing failures, the system restarts without distorting the completion of the entries and records.
• Ensure the accuracy and completeness of output.
• Provide adequate data security against fire and other calamities, wrong processing, frauds etc.
• Prevent unauthorised amendments to the programs.
• Provide for safe custody of the source code of application software and data files.
The auditor should make enquiries and satisfy himself whether:
a. Adequate procedures exist to ensure that data is transmitted correctly.
b. Cross-verification of records, reconciliation statements and control systems between primary and subsidiary ledgers do exist and are operative. There should be no assumed accuracy of computerised records.
The auditor should also document the audit plan, the nature, timing and extent of audit procedures performed and the conclusions drawn from the evidence obtained. All audit evidence which is in electronic form should be properly and safely stored and be retrievable in its entirety as and when required.
• The computerised environment provides advantages over manual system in terms of arithmetic accuracy and uniform processing of transactions.
• That reduces the audit risk, as there is no need to maintain and verify balancing ledgers and no need to verify postings if there is a foolproof computer system.
• Further, the system calculates interest automatically and chances of error are limited.
• The clerical errors ordinarily associated with manual processing are virtually eliminated.
• Many of the functions earlier carried out under manual system get automated and get eliminated under computer system.
• Many of the operations get redundant due to computerisation.
• The use of technology in banks also poses certain challenges before the auditor. A single person now performs many control procedures that were performed by different persons in the manual system.
• Thus, it sometimes compromises the basic principle of segregation of duties and allows performance of incompatible functions.
• The lack of transaction trail and audit evidence is the biggest challenge for auditors.
• Proper documentation is also a challenge, which auditors need to cope with in the computerised environment.
• Some of the audit evidence may be in electronic form, and some of it cannot be retrieved again as it is generated only once.
• As required by AAS 29, “The auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required.”
I hereby conclude my presentation with the statement that under a CIS environment bank audits have become very efficient and more reliable, but on the other side it increases several types of risks. So the audit must be carried out with more diligence and care, and after careful study of the risk factors involved.