Summary on Guidance Note on bank audit 2018

Come March and the words about bank audits goes buzzing… This year it is louder than ever before due to the MODI GATE which has shaken the very foundation of Trust. The role of an auditor calls for a resonance, more fervent than ever before. In the backdrop of Cabinet approving the forming of NFRA (National Financial Reporting Authority) as a regulating agency, it's but apparent that our Audit Report should sound our presence.

The Auditing and Assurance Standard Board has issued 'Guidance Note on Bank Audit' on 11.03.2018. The link is https://resource.cdn.icai.org/49205icai-aasb-gnabanks2018.pdf

The most important areas covered are summarized below:

Scope of Assignment

This includes any special reports or certificates to be given by the SCAs in addition to the main report. Presently, the SCAs have to furnish the following reports/certificates in addition to their main audit report:

a) Report on adequacy and operating effectiveness of Internal Controls over Financial Reporting in case of banks which are registered as companies under the Companies Act in terms of Section 143(3)(i) of the Guidance Note on Audit of Banks (Revised 2018),Companies Act, 2013 which is normally to be given as an Annexure tothe main audit report as per the Guidance Note on Audit of Internal Financial Controls over Financial Reporting issued by the ICAI.

b) Long form audit report.

c) Report on compliance with SLR requirements.

d) Report on whether the treasury operations of the bank have been conducted in accordance with the instructions issued by the RBI from time to time.

e) Certificate on reconciliation of securities by the bank (both on its own investment account as well as PMS Banks' account).

f) Certificate on compliance by the bank in key areas of prudential and other guidelines relating to such transactions issued by the RBI.

g) Report on whether the income recognition, asset classification and provisioning have been made as per the guidelines issued by the RBI from time to time.

h) Report on whether any serious irregularity was noticed in the working of the bank which requires immediate attention.

i) Certificate in respect of custody of unused Bank Receipt forms and their utilization.

j) Authentication of capital adequacy ratio, including disclosure requirements and other ratios reported in the notes to accounts.

k) Certificate in respect of DICGC claims.

l) Report on status of the compliance by the bank with regard to the implementation of recommendations of the Ghosh Committee relating to frauds and malpractices and of the recommendations of Jilani Committee on internal control and inspection/credit system.

m) Report on instances of adverse credit-deposit ratio in the rural areas.

n) Asset liability management.

o) Certificate on Corporate Governance in case of banks listed on Stock Exchange. In some banks this certification may not be offered to the central auditors.

p) Certification on claim of various interest subsidies and interest subvention.

Assessment of Engagement Risk

The assessment of engagement risk is a critical part of the audit process and should be done prior to the acceptance of an audit engagement since it affects the decision of accepting the engagement and also in planning decisions if the audit is accepted.

Planning

SA 300, 'Planning an Audit of Financial Statements' requires that the auditor shall undertake the following activities prior to starting an initial audit:

(a) Performing procedures required by SA 220, 'Quality Control for an Audit of Financial Statements' regarding the acceptance of the client relationship and the specific audit engagement; and

(b) Establish understanding of terms of engagement as per SA 210, 'Agreeing the Terms of Audit Engagements'.

Identifying and Assessing the Risks of Material Misstatements

Standard on Auditing (SA) 315, 'Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment' requires the auditor to identify and assess the risks of material misstatement at the financial statement level and the assertion level for classes of transactions,

account balances, and disclosures and paragraph 26 of SA 315 provides a basis for designing and performing further audit procedures.

Observing various existing Audit Reports:

Call for the following audit reports, if bank have them, and review the report and the observations of the auditors, if any:

Internal Audit Report

The internal audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operating.

Revenue Audit Report

Revenue audit is usually conducted depending on size and volume of branches and is aimed at identifying cases of leakage of revenue due to wrong computation of interest, non-application of interest on time, incorrect rates of interest/exchange/commission, non-application of penal interest, non-recovery or short-recovery of service charges on guarantees and letters of credit, etc. This type of revenue audit is also known as 'income and expenditure audit' or 'income leakage audit'.

Branch Inspection Report

Such inspection is much broader in scope than revenue audit, and covers all important areas of functioning of the branch, including efficacy of systems and procedures, compliance with head office directions, customer service, maintenance of books and records, etc. Most banks have a fixed schedule of branch inspection.

Concurrent Audit Report

A system of concurrent audit at large and other selected branches has been in vogue in most of the banks for quite long.

Systems Audit Report

The bank carries out a systems audit periodically to assess the effectiveness of the hardware, software and operations to identify any changes required therein based on the guidelines mentioned in the RBI, vide its circular no. DBS.CO.OSMOS.BC/11/33.01.029/2003-04 dated April 30, 2004 on 'Information System Audit - A review of Policies and Practices'.

Understand the Bank's Accounting Process

The accounting process produces financial and operational information for management's use and it also contributes to the bank's internal control. Thus, understanding of the accounting process is necessary to identify and assess the risks of material misstatement whether due to fraud or not, and to design and

perform further audit procedures. In obtaining an understanding of the accounting process, the auditor may seek to identify the significant flow of the transactions and significant application systems that are relevant to the accounting process.

When obtaining an understanding of the accounting process, the auditors, ordinarily, focus only on such processes that relate to the effectiveness and efficiency of operations and compliance with laws and regulations and impact the financial statements or their audit procedures. While obtaining the understanding of the significant flow of the transactions, the auditor should also obtain an understanding of the process of recording and processing of journal entries, and should also make inquiries about inappropriate or unusual activity relating to the processing of journal entries and other adjustments, Transactions flow automated across CBS, digital banking, payments and settlement systems, card operations etc. and their integration with external systems such as NPCI, international payment gateways, SWIFT and INFINET etc. (SWIFT INSIGHT :IN 1973 global finance saw a back-room revolution when a group of banks formed a co-operative to offer those moving money across borders a slick alternative to the clunky old telex. Today the electronic financial-messaging system of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) transmits more than 5 billion bank-to-bank messages each year. In 2013 it oiled the transfer of trillions of dollars globally by the 10,500 banks, asset managers and firms that are its members. SWIFT does not initiate transfers, hold customers' money, or clear or settle payments. Rather, it provides a template that helps international transfers flow smoothly and be tracked.

Without SWIFT, global trade and investment would be slower, costlier and less reliable.)

Structure of Internal Control Procedures in a Bank

The specific internal control procedures to be followed in an enterprise depend on the nature, volume and complexities of its operations and the management's attitude towards control. As in the case of other enterprises, the internal control procedures relevant to assertions made in the financial statements of bank generally fall under the following categories:

I. Delegation of Powers

Banks have detailed policy on delegation of powers. The financial and administrative powers of each committee/each official/each position are fixed and communicated to all persons concerned. This policy on delegation of powers is approved either by Board of Directors or Executive Committee.

II. Authorization of Transactions

Authorization may be general (i.e., it may relate to all transactions that conform to prescribed conditions referred to as routine transactions) or it may be specific with reference to a single transaction (non-routine transactions and accounting estimates).

III. Segregation and Rotation of Duties

A fundamental feature of an effective internal control system is the segregation and rotation of duties in a manner conducive to prevention and timely detection of occurrence of frauds and errors. Functions typically segregated are authorization of transactions; execution of transactions; physical custody of related assets; maintenance of records and documents etc.

IV. Maintenance of Adequate Records and Documents

Accounting controls should ensure that the transactions are recorded at correct amount and in the accounting periods in which they are executed, and that they are classified in appropriate accounts. Moreover, recording of transactions should be such as would facilitate maintaining the accountability for assets.

The procedures established in banks to achieve these objectives usually include the following:

• All records are maintained in the prescribed books and registers only. This ensures that all requisite particulars of a transaction are adequately recorded and also that the work of finalization of accounts is facilitated. For example, deal slips pertaining to purchase and sale of securities along with the respective counterparty confirmations for the deals are filed together in the deal register.

• All Bank branches have a unique code number which is circulated amongst all offices of the bank and is required to be put on all important instruments.

• All books are to be balanced periodically and it is to be confirmed by an official specifically assigned for the same. For example, in case of purchase and sale of security transactions, the banks periodically reconcile the security balance in the banks book vis-à-vis the balance in the custodian account (i.e., Subsidiary General Ledger or Demat Account). It may be noted that the RBI vide its Master Circular DBR No. BP. BC.6/21.04.141/2015-16 dated July 1, 2015, 'Prudential Norms for Classification, Valuation and Operation of Investment Portfolio by Banks' has also mandated that investment balances as per bank's book should be reconciled at quarterly intervals with the balances in the Public Debt Office's books. If the number of transactions warrant, such reconciliation should be undertaken more frequently, say on a monthly basis. This reconciliation should be periodically checked by the Internal Auditors.

• All inter-office transactions are to be reconciled at regular intervals within a specified time frame.

V. Accountability for and Safeguarding of Assets

The accountability for assets starts at the time of their acquisition and continues till their disposal.

The following are some of the important controls implemented by banks in this regard:

• Particulars of lost security forms which are immediately advised to branches to exercise caution.

• Specimen signatures of all officers are captured and scanned in the system and available for view/access in all branches which were earlier maintained in a book. The officials approving the payment of the instruments drawn on their branches by other branches are required to confirm the signatures on the instruments with reference to the specimen signatures. Likewise, the branches have on record the specimen signatures of the authorized officials of approved correspondent banks also.

• Instruments of fund remittances above a cut-off level are to be signed by more than one official.

• Important financial messages, when transmitted electronically, are generally encrypted.

• Negative lists like stop-payment cheques or stop payment instructions are kept, which may deal with the particular kind of transaction. There may be a caution list for advances also.

• Sensitive items like currency, valuables, draft forms, term deposit receipts, traveller's cheques and other such security forms are in the custody of at least two officials of the branch. (However, in the case of very small branches having only one official, single custody is also permitted.)

• All assets of the bank/charged to the bank are physically verified at specified intervals.

VI. System Configuration and Account Mapping

Information technology (IT) has played a major role in providing a competitive edge to banks in differentiating themselves in the market place and to deliver their services more effectively at a lower cost.

VII. Independent Checks

Independent checks involve a periodic or regular review of functioning of the system by independent persons to ascertain whether the control procedures are being performed properly. Banks have an elaborate system of various forms of independent checks covering virtually every key aspect of their functioning.

Understanding the Risk Management Process

Management develops controls and uses performance indicators to aid in managing key business and financial risks. An effective risk management system in a bank generally requires the following:

• Oversight and involvement in the control process by those charged with governance (TCWG): TCWG should approve the documented risk management policies.

• Identification, measurement and monitoring of risks: Risks that could significantly impact the achievement of bank's goals should be identified, measured and monitored against pre-approved limits and criteria in a Documented Risk Register.

• Control activities: A bank should have appropriate controls including embedded in IT System to manage its risks, including effective segregation of duties (particularly, between front and back offices), accurate measurement and reporting of positions, verification and approval of transactions, reconciliation of positions and results, setting of limits, reporting and approval of exceptions, physical security and contingency planning.

RBI has directed banks vide its Master Direction No. RBI/FMRD/2016-17/31 FMRD Master Direction No. 1/2016-17 on 'Risk Management and Interbank Dealings' dated July 5, 2016 (updated March 21, 2017), the risk management framework and reporting requirements with respect to certain categories of transactions such as, forward contracts and hedging transactions entered into by the bank with residents, managing of assets and liabilities of the bank and hedging the same, hedging of Tier I capital in case of foreign banks,etc.

For every bank in India, certain risk management limits such as, the Net Open Position ('NOP') Limit and Aggregate Gap Limit ('AGL') are approved by the RBI after making an assessment of each bank's overall risk appetite. Banks install checks in their daily processes to ensure that these limits are being adhered to at all times.

As part of regulatory reporting, banks are also required to report to the RBI a host of other risk management limits such as, single and group borrower limits (these limits give an indication of concentration risk), credit exposure for derivatives (this indicates the potential replacement cost of the derivative portfolio), capital market exposure of the bank, country risk exposure and exposure to sensitive sectors such as, real estate, etc.

Operating Framework for Identifying and Dealing with Frauds

All banks have policy and operating framework in place for detection, reporting and monitoring of frauds as also the surveillance/ oversight process in operation so as to prevent the perpetration of frauds. The RBI, vide its Circular No. DBS. CO.FrMC.BC.No.10/23.04.001/2010-11 dated 31st May 2011 had identified certain areas wherein frauds had shown occurrence or increasing trend in banks. These areas include:-

• loans/ advances against hypothecation of stocks.
• housing loans cases.
• submission of forged documents including letters of credit.
• escalation of overall cost of the property to obtain higher loan amount.
• over valuation of mortgaged properties at the time of sanction.
• grant of loans against forged FDRs.
• over-invoicing of export bills resulting in concessional bank finance, exemptions from various duties, etc.
• frauds stemming from housekeeping deficiencies.

Provisioning for Frauds

RBI has vide its circular RBI/2015-16/376 DBR.No.BP.BC.92/21.04.048/2015-16 dated 18th April, 2016, decided to amend the provisioning norms in respect of all cases of fraud, as under:

a. Banks should normally provide for the entire amount due to the bank or for which the bank is liable (including in case of deposit accounts), immediately upon a fraud being detected. While computing the provisioning requirement, banks may adjust financial collateral eligible under Basel III Capital Regulations - Capital Charge for Credit Risk (Standardised Approach), if any, available with them with regard to the accounts declared as fraud account;

b. However, to smoothen the effect of such provisioning on quarterly profit and loss, banks have the option to make the provisions over a period, not exceeding four quarters, commencing from the quarter in which the fraud has been detected;

c. Where the bank chooses to provide for the fraud over two to four quarters and this results in the full provisioning being made in more than one financial year, banks should debit 'other reserves' [i.e., reserves other than the one created in terms of Section 17(2) of the Banking Regulation Act

1949] by the amount remaining un-provided at the end of the financial year by credit to provisions. However, banks should proportionately reverse the debits to 'other reserves' and complete the provisioning by debiting profit and loss account, in the subsequent quarters of the next financial year;

d. Banks shall make suitable disclosures with regard to number of frauds reported, amount involved in such frauds, quantum of provision made during the year and quantum of unamortised provision debited from 'other reserves' as at the end of the year.

BASEL III Framework

The Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB) had undertaken an extensive review of the regulatory framework in the wake of the sub-prime crisis. In the document titled 'Basel III: A global regulatory framework for more resilient banks and banking systems', released by the BCBS in December 2010, it had inter alia proposed certain minimum set of criteria for inclusion of instruments in the new definition of regulatory capital. The RBI issued a circular no. DBOD.No.BP.BC.98 /21.06.201/2011-12 dated May 2, 2012 on the subject 'Guidelines on Implementation of Basel III Capital Regulations in India' and also Master Circular

No. DBR.No.BP.BC.1/21.06.201/2015-16 dated July 1, 2015 on 'Basel lII - Capital Regulations'. Vide these circulars the RBI has prescribed the final guidelines on Basel III capital regulations. The reader may refer to the chapter 1, 'Basel III' of Part VI of the Guidance Note for the detailed guidance on the New Capital Adequacy Framework, i.e., Basel III.

Annexure 1

Risks Associated with the Banking Activities

Risk is a function of probability or likelihood of occurrence and the significance of the impact. Risk implies vulnerability and threat. Risks associated with banking activities can be broadly categorised as follows:

a) Concentration Risk: Banking risks increase with the degree of concentration of a bank's exposure to any one customer, industry, geographic area or country. For example, a bank's loan portfolio may have large concentrations of loans or commitments to particular industries, and some, such as real estate, shipping and natural resources, may have highly specialized practices.

b) Country Risk: The risk of foreign customers and counterparties failing to settle their obligations because of economic, political and social factors of the counterparty's home country and external to the customer or counterparty.

c) Credit Risk: The risk that a customer or counterparty will not settle an obligation for full value, either when due or at any time thereafter.

d) Currency Risk: The risk of loss arising from future movements in the exchange rates applicable to foreign currency assets, liabilities, rights and obligations.

e) Fiduciary Risk: The risk of loss arising from factors such as failure to maintain safe custody or negligence in the management of assets on behalf Risk Assessment and Internal Control of other parties.

f) Interest Rate Risk: The risk that a movement in interest rates would have an adverse effect on the value of assets and liabilities or would affect interest cash flows.

g) Legal and Documentary Risk: The risk that contracts are documented incorrectly or are not legally enforceable in the relevant jurisdiction in which the contracts are to be enforced or where the counterparties operate.

h) Liquidity Risk: The risk of loss arising from the changes in the bank's ability to sell or dispose of an asset. The risk of liquidity risk turning into a solvency risk needs to be monitored as risk can swiftly move across the entity.

i) Modelling Risk: The risk associated with the imperfections and subjectivity of valuation models used to determine the values of assets or liabilities.

j) Operational Risk: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

k) Price Risk: The risk of loss arising from adverse changes in market prices, including interest rates, foreign exchange rates, equity and commodity prices and from movements in the market prices of investments.

l) Regulatory Risk: The risk of loss arising from failure to comply with regulatory or legal requirements in the relevant jurisdiction in which the bank operates. It also includes any loss that could arise from changes in regulatory requirements. For example, money laundering risk is a Regulatoryrisk. (The circular - DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on 'Compliance Function in Banks' which lays down detailed requirements in respect of compliance related aspects such as compliance risk, responsibility of the Board of Directors, responsibility of the senior management, compliance policy, compliance structure, compliance principles, process, procedures, compliance programme, etc. is relevant).

Security and Risk Mitigation Measures for Electronic Payment Transactions

Electronic Payments effected through alternate products/channels are becoming popular among the customers with more and more banks providing such facilities to their customers. One such initiative by RBI is mandating additional factor of authentication for all Card Not Present (CNP) transactions. Banks have also to put in place mechanisms and validation checks for facilitating on-line funds transfer, such as: (i) enrolling customer for internet/mobile banking; (ii) addition of beneficiary by the customer; (iii) velocity checks on transactions.

The dependence of banks on mobile banking service providers may place knowledge of bank systems and customers in a public domain. Mobile banking system may also make the banks dependent on small firms (i.e., mobile banking service providers) with high employee turnover. It is therefore imperative that sensitive customer data, and security and integrity of transactions are protected. It is necessary that the mobile banking servers at the bank's end or at the mobile banking service provider's end, if any, should be certified by an accredited external agency. In addition, banks should conduct regular information security audits on the mobile banking systems to ensure complete security.

Transactions up to Rs. 5000/- can be facilitated by banks without end-to-end encryption. The risk aspects involved in such transactions may be addressed by the banks through adequate security measures. (Circular DPSS.CO.No.2502/02.23.02/ 2010-11 dated May 4, 2011)

RBI Circular dated 4th December 2014 on Mobile Banking Transactions in India - Operative Guidelines for Banks has felt the need for greater degree of standardization in procedures relating to on-boarding of customers for mobile banking (new customers, existing account holders whose mobile numbers are available with the bank but not registered for mobile banking, and existing account holders where mobile number is not available with the bank), as also the subsequent processes for authentication, including accessible options for generation of MPIN by customers.

Where banks are providing E-Wallet facility, auditor should evaluate proper controls and checking of transactions through E-Wallets and presentation of the balances of E-Wallet in the financial statements based on underlying arrangement for providing such facility.

Financing Housing Projects

During the recent period, housing sector has emerged one of the biggest loan portfolios of banks. The focus of the RBI, therefore, is to ensure orderly growth of this portfolio. The Master Circular No.DBR.No.DIR.BC.13/08.12.001/2015-16 dated July 1, 2015 on Housing Finance provides guidance in respect of the housing finance provided by the banks. Banks could deploy their funds under the housing finance allocation in any of the three categories as per the norms provided in the Master Circular, i.e.

• Direct Finance.
• Indirect Finance.
• Investment in Bonds of NHB/HUDCO, or combination thereof.

Loan to Value (LTV) ratio

In order to prevent excessive leveraging, the LTV ratio and risk weight and standard as set provisioning in respect of individual housing loans have been prescribed. Vide RBI circular dated June 7, 2017 revised LTV ratio is applicable for all loan sanctioned post June 7, 2017 is as under.

The LTV ratios, Risk Weights and Standard Asset Provision set out in the circular DBR.BP.BC.No.44/08.12.015/ 2015-16 dated October 8, 2015, on the captioned subject, shall continue to apply to loans sanctioned up to June 6, 2017.

2. 169 The LTV ratio should not exceed the prescribed ceiling in all fresh cases of sanction. In case the LTV ratio is currently above the ceiling prescribed for any reasons, efforts should be made to bring it within limits.

Relief for MSME borrowers registered under GST

The RBI has issued a circular dated February 07, 2018 granting relief for MSME Borrowers registered under GST, thus, the auditors needs to be vigilant as regards the applicability of the said circular and eligibility of the borrower. This circular applies only to borrowers which are classified as micro, small and medium enterprise under the MSMED Act, 2006. The exposure of banks to such borrowers would be classified as standard assets subject to conditions specified in the circular:

1. The borrower is registered under the GST regime as on January 31,2018;

2. The aggregate exposure including non-fund-based facilities of banks and NBFCs, to the borrower does not exceed Rs. 25 crores as on January 31, 2018.

Thus, the overall exposure of the borrower (including that of multiple banking, consortium banking) as on January 31, 2018 should not exceed Rs. 25 crores, i.e. the overall exposure of the borrower to banks

and NBFCs combined should not exceed the cap of Rs. 25 crores. Further, it is to be noted that as per RBI Master Circular on Exposure Norms - 'Exposure' shall include credit exposure (funded and non-funded credit limits) and investment exposure (including underwriting and similar commitments). The sanctioned limits or outstandings, whichever are higher, shall be reckoned for arriving at the exposure limit. However, in the case of fully drawn term loans, where there is no scope for re-drawal of any portion of the sanctioned limit, banks may reckon the outstanding as the exposure.

3. The borrower's account should be standard account as on August 31,2017. It would be pertinent to note that some banks may be following a system of marking of accounts as NPA in the system as at quarter-end instead of marking the accounts on on-going basis. However, the borrower account needs to be tested for classification purpose as on August 31, 2017 and in case if such account is a NPA account as per the extant of IRAC norms specified by RBI as on August 31, 2017, irrespective of the account being marked or not by the bank, such accounts will not be eligible for relief granted by this circular;

4. The amount from the borrower, overdue as on September 01, 2017 and payments from the borrower due between September 01, 2017 and January 31, 2018 are paid not later than 180 days from their respective original due date.

As per para 2.3 of Master Circular of RBI on IRAC norms - 'any amount due to the bank under any credit facility is 'overdue' if it is not paid on the due date fixed by the bank'. Thus, the extension period of 180 days granted for the repayment of the overdue amount as on September 01,2017 as well as the amounts due between the specified period is restricted to the extent of 180 days from the respective 'due date'. The words 'overdue' as well as 'due date' mentioned in the said clause are significant, since both are applicable in case of facilities other than CC/OD like Term Loan, Bill Discounting, etc. only and thus, are not relevant as far as CC/OD facilities are concerned as CC/OD accounts per se do not have the concept of 'overdue' but have concept of 'overdrawn' and, there is no 'due date' concept w.r.t. CC/OD account.

Further, it is to be noted that a CC/OD account would qualify to be a NPA if the account remains 'out of order' as indicated in para 2.2 of the Master Circular of the RBI on IRAC Norms. Thus, the said extension granted is confined to the facilities which are other than CC/OD.

5. A provision of 5% shall be made against such exposures which are not classified as NPA (due to the relaxation as provided above), which otherwise would have been classified as NPA as per usual IRAC norms(of accounts overdue beyond 90 days period).

6. The additional time provided is for the purpose of asset classification only and not for income recognition. Thus, if an account is otherwise eligible to be classified as NPA as per usual IRAC norms (of accounts overdue beyond 90 days period) but is classified as PA based on the above-mentioned relaxation granted, the income is required to be recognized on realization basis and not on accrual basis.

Corporate Social Responsibility (CSR)

As per Section 135 of the Companies Act, 2013 a CSR committee has been formed by the Company. The funds are utilized throughout the year on the activities which are specified in Schedule VII of the aforesaid Act. Gross Amount required to be spent by the company during the year - XX crores.

Disclosure Requirements in Financial Statements in the areas of CSR activities and contributions made thereto are as follows -

Particulars In cash Yet to be paid in Cash Total

Amount spent during the year on -

1) Construction/ Acquisition of any assets

2) For purposes other than (1) above:

(Specify)

For detail guidance, refer 'Guidance Note on Accounting for Expenditure on Corporate Social Responsibility Activities', issued by ICAI in May, 2015.

Questionnaire Applicable to Specialized Branches

A. For Branches dealing in Foreign Exchange Transactions

It should be noted that certain branches do not deal in foreign exchange transactions but foreign currency accounts are maintained there and all records of account opening documentation are held at these

branches. In such cases, checking and reporting should be done of the account opening documentation and commented upon in this section of LFAR.

1. Are there any material adverse features pointed out in the reports of concurrent auditors, internal auditors and/ or the Reserve Bank of India's inspection report which continue to persist in relation to NRE/ NRO/ NRNR/ FCNR-B/ EEFC/ RFC and other similar deposit accounts If so, furnish the

particulars of such adverse features.

The auditor should make a written request to the branch Management for furnishing him the latest available reports of the statutory auditors and of the concurrent auditor or stock auditor or internal auditors, as also of the RBI where inspection or special audit has taken place for the branch. The auditor

should scrutinise the contents of such reports in relation to NRE/ NRO/ NRNR/ FCNR-B/ EEFC/ RFC and other similar deposit accounts and take a note of relevant major adverse comments. In case adverse features are observed to persist at the branch or where no remedial action has been initiated or taken by the branch Management, he should report the same.

2. Whether the Branch has followed the instructions and guidelines of the Controlling Authorities of the bank with regard to the following in relation to the foreign exchange and, if not, state the irregularities.

(a) deposits
(b) advances
(c) export bills
(d) bills for collection
(e) any other area

The auditor also has to make himself familiar with the relevant aspects of the Exchange Control Manual and its compliance. The auditor should verify whether the instruction and guidelines of the Controlling

Authorities of the bank in relation to the foreign exchange have been followed by the branch in respect of these areas. If any irregularity is observed the same should be reported with details. Auditor to verify proper filing of BEF & Long Form Audit Report in Case of Bank Branches

3. XOS returns -

Obtain a list of all NOSTRO Accounts maintained/ operated by the Branch from the branch Management.

The auditor should obtain a list of all NOSTRO Accounts for the purpose of verification from the branch Management.

(a) Are the NOSTRO Accounts regularly operated?

The auditor should verify whether the NOSTRO Accounts are being regularly operated. If not give the list of NOSTRO Accounts with balances outstanding, which are not operated regularly, the date of last transaction, etc. The auditor should specifically comment on overdrafts in NOSTRO accounts, if any.

(b) Are periodic balance confirmations obtained from all concerned overseas branches/ correspondents?

The auditor should verify whether the balance confirmation from all concerned overseas branches/ correspondents have been obtained on a periodic basis. He should report the names of the bank and the period wise outstanding balances, which remain unconfirmed.

(c) Are these accounts duly reconciled periodically? Your observations on the reconciliation may be reported.

While examining the transaction in foreign exchange, the auditor should also pay attention to reconciliation of NOSTRO Accounts with the respective mirror account. The amount in the NOSTRO account is stock of foreign currency in the form of bank accounts with the overseas branches and correspondents. Un-reconciled NOSTRO Accounts, on an examination, may reveal unauthorized payments from the foreign currency account, unauthorized withdrawals, and unauthorized debit to mirror account.

The auditor should also evaluate the internal control with regard to inward/ outward messages. The inward/outward messages should be properly authenticated and discrepancies noticed should be properly dealt with in the books of accounts. In case balance confirmation certificate have been received but the same have not been reconciled, the auditor should report, in respect of each bank, the balances as per books maintained by the branch and the balance as per the relevant balances confirmation certificate, stating in either case whether the balance is debit or credit.

(d) Whether the branch is following HO guidelines for reporting requirements under Foreign Account Tax Compliance Act (FATCA) and Common Guidance Note on Audit of Banks (Revised 2018)

4. Does the Branch follow the prescribed procedures in relation to maintenance of VOSTRO Accounts?

The auditor should verify whether prescribed procedure in relation to interbank confirmation in the VOSTRO account is followed or not. In case balance confirmation certificate have been received but the same have not been reconciled, or where confirmation has not been received the same should be reported, in respect of each VOSTRO Account. The RBI has also issued the Master Directions FED Master Direction No.2 /2015-16 dated January 01, 2016 (updated on May 19, 2017) on 'Opening and Maintenance of Rupee/Foreign Currency VOSTRO Accounts of Non-resident Exchange Houses'.

Role of Auditors of Banks

Based on RBI appointment letter, the external auditors of the bank are required to provide a certification on the capital adequacy ratio computation. The auditor needs to understand more comprehensively the approach and mechanism adopted by the bank, and accordingly certify the computation.

Considering the intricacies involved in the computation itself further supplemented by enhanced judgement factor, it would be prudent for the certifying auditor to obtain an adequate understanding of the Basel III norms as prescribed by RBI and also deploy more senior members of its staff to audit the capital adequacy computations.

Further, some banks may also avail services of their external auditors to review the quality .of internal controls and systems, and assess the scope and adequacy of the internal audit function

Role of the Reserve Bank of India as the Central Bank

The Reserve Bank of India (hereinafter referred to as RBI) acts as the monetary authority and the central bank of the country. In an effort to bring greater coordination among financial regulators, the Government of India has constituted an over-arching body - the Financial Stability and Development Council ('FSDC' or 'Council') in December 2010. The Council is headed by the Honorable Finance Minister and composed of the Governor of the RBI, the chairs of the SEBI, the IRDA and the PFRDA, and other Ministry of Finance ('MoF') officials. It envisages strengthening and institutionalizing the mechanism of maintaining financial stability, financial sector development, inter-regulatory coordination along with monitoring macro-prudential regulation of the Indian economy. On February 20, 2015 the RBI and Government signed the Monetary Policy Framework Agreement. In addition to it after amendment in RBI Act, the Monetary Policy Committee (MPC) headed by Governor was setup. The MPC is entrusted with the task of fixing the benchmark policy interest rate (repo rate) to contain inflation within the target level. The RBI is the central bank of our country. As such, RBI is responsible for development and supervision of the constituents of the Indian financial system (which comprises banks and non-banking financial institutions) as well as for determining, in conjunction with the Central Government, the monetary and credit policies keeping in with the need of the hour. Among its important functions are issuance of currency; regulation of currency issue; acting as banker to the central and state governments; and acting as banker to commercial and other types of banks including term-lending institutions. Besides, RBI has also been entrusted with the responsibility of regulating the activities of commercial and other banks.

Banks can commence business by opening the branches as per branch opening policy of RBI. The RBI also has the power to inspect any bank. The Banking Regulation Act, 1949 provides the legal framework for regulation and supervision of banks. This statute, together with some provisions in the Reserve Bank of India Act, 1934, State Bank of India Act, 1955, State Bank of India (Subsidiary Banks) Act, 1959 and Banking Companies (Acquisition and Transfer of Undertakings) Acts, 1970 & 1980, empowers the RBI to prescribe standards and Guidance Note on Audit of Banks (Revised 2018)monitor liquidity, solvency and soundness of banks, so as to ensure that depositors' interests are protected at all times.

Periodic inspections of banks under section 35 of the Banking Regulation Act, 1949 are undertaken as a follow-up of the bank licensing regulation and objectives as laid down in section 22 of the Banking Regulation Act, 1949. The substantive objective of the statutory inspections has been to verify whether the

conditions subject to which the bank has been issued license to undertake banking business in terms of sub-section (3) of section 22 [including sub-section(3A) for foreign banks] continue to be fulfilled by it. The conditions include:

(a) the bank 'is or will be in a position to pay its present or future depositors in full as their claims accrue' (i.e. it is solvent and has adequate liquidity);

(b) the bank 'has adequate capital structure and earning prospects';

(c) 'the affairs of the (banking) company are not being, or are not likely to be, conducted in a manner detrimental to the interests of its present or future depositors'; and

(d) 'the general character of the management of the bank is not prejudicial to the public interest or the interest of its depositors' (i.e. it has sound operational systems and adequate controls operated by a prudent management). Section 22(4) of the Banking Regulation Act, 1949 authorizes the RBI to cancel the banking license 'if at any time, any of the conditions referred to in sub-section (3) and sub-section (3A) is not fulfilled'.

Based on the recommendations of a High Level Steering Committee (HLSC) for Review of Supervisory Processes of Commercial Banks, the Reserve Bank of India had in September 2012, introduced a Supervisory Program for Assessment of Risk and Capital (SPARC) for commercial banks. This Risk Based Supervision (RBS) approach, helps the regulator in focusing on evaluating both present and future risks, identifying incipient issues and facilitating prompt intervention/ early corrective action - as against the earlier compliance-based and transaction testing approach (CAMELS) which was more in the nature of a 'point in time' assessment. The RBS approach also benefits the regulator by optimizing its use of supervisory resources and assisting the regulated entities in improving their risk management systems, oversight and controls.

RBI is empowered under section 21 of the Banking Regulation Act, 1949, to control advances by banks in general or by any bank in particular. Among the measures that the RBI can adopt for this purpose are to prescribe purposes and extent of advances, margin requirements, maximum exposure to a single Banking in India borrower, rate of interest and other terms and conditions, etc. Besides these measures (which are usually called 'selective credit control' measures), RBI also controls the total volume of bank credit by varying bank rate through open market operations or by varying cash reserve and similar requirements.

Bank rate refers to the rate of interest at which the RBI re-discounts the first class bills of exchange or other eligible instruments from banks. Variations in bank rate affect the interest rates charged by banks - generally, interest rates of banks move up or down in tandem with movements in bank rate.

Under Base Rate system which came into effect from July 1, 2010, all categories of domestic rupee loans of banks are priced only with reference to the Base Rate, subject to certain conditions. For monetary transmission to occur, lending rates have to be sensitive to the policy rate. At present, banks follow

different methodologies for computing their Base Rate like average cost of funds method, marginal cost of funds, blended cost of funds (liabilities) etc.

Open market operations involve sale or purchase of government securities in the open market. When RBI buys government securities from banks in the open market, the funds in the hands of selling banks increase, enabling them to expand credit, and vice versa. Banks are required to maintain at least a prescribed minimum percentage of their demand and time liabilities in India in the form of cash and/or current account balances with the RBI (called 'cash reserve ratio'). Additionally, they are required to maintain a further percentage in the form of cash and/or other liquid assets (called 'statutory liquidity ratio'). Varying the cash reserve ratio and/or statutory liquidity ratio enables the RBI to increase or decrease (as the case may be) the funds available to banks for lending and other similar purposes.

A major development that has implications for banks throughout the world is the 'International Convergence of Capital Measurement and Capital Standards' generally known as the Basel Accord. Basel III ensures better quality of capital and robust liquidity risk management.

The smooth functioning of the payment and settlement systems is a prerequisite for stability of the financial system. In order to have focused attention on payment and settlement systems, a Board for Regulation and Supervision of Payment Systems (BPSS) was set up in March, 2005. The launch of the Real

Time Gross Settlement System (RTGS) and NEFT (National Electronic Funds Transfer) has led to a reduction of settlement risk in large-value payments in the country. Similarly, IMPS (Inter bank Mobile Payment Service/Immediate Payment Service) is a mobile based payment mechanism introduced by the National

Payments Corporation of India to allow customers to transfer money instantly, facilitating instant remittance across multiple platforms. The setting up of NSDL Guidance Note on Audit of Banks (Revised 2018) and CDSL for the capital market settlements and CCIL for G-sec, forex and money market settlements have improved efficiency in market transactions and settlement processes. A series of legal reforms to enhance the stability of the payment systems have been carried out. With the introduction of the Payments and Settlement Act in 2008, the Reserve Bank has the legislative authority to regulate and supervise payment and settlement systems in the country.

In India, deposit insurance is provided by the Deposit Insurance and Credit Guarantee Corporation (DICGC), a wholly owned subsidiary of the Reserve Bank of India. Deposit insurance in India is mandatory for all banks (commercial/cooperative/ RRBs/LABs). It covers all kinds of deposits except those of foreign governments, Central/State Governments, inter-bank, deposits received abroad and those specifically exempted by DICGC with prior approval of the Reserve Bank. The premium charged for deposit insurance is on a flat rate basis, which is currently 10 paise per Rs.100 of assessable deposits with a statutory ceiling on premium at 15 paise. The premia to be paid by the insured banks are computed on the basis of their assessable deposits. Insured banks pay advance insurance premia to the Corporation semi-annually within two months from the beginning of each financial half year, based on their deposits as at the end of previous half year. The amount of coverage is presently limited to Rs.1 lakh per depositor and extends to deposits held in the same right and in the same capacity.

Banks and financial institutions (FIs) have also been advised by RBI to follow certain customer identification procedure for opening of accounts and monitor transactions of suspicious nature for the purpose of reporting the same to appropriate authority. These 'Know Your Customer' (KYC) guidelines have been revisited in the context of the recommendations made by the Financial Action Task Force (FATF) on Anti Money Laundering (AML) standards and on Combating Financing of Terrorism (CFT). Detailed guidelines based on the recommendations of FATF and the paper issued on Customer Due Diligence (CDD) for banks by the Basel Committee on Banking Supervision (BCBS), with suggestions wherever considered necessary, have been issued. Banks/FIs have been advised by RBI to ensure that a proper policy framework on 'Know Your Customer' and Anti-Money Laundering measures is formulated and put in place with the approval of their Boards. The objective of KYC/AML/CFT guidelines is to prevent banks/FIs from being used, intentionally or unintentionally, by criminal elements for money laundering or terrorist financing activities. KYC procedures also enable banks/FIs to know/understand their customers and their financial dealings better and manage their risks prudently. Foreign Account Tax Compliance Act (FATCA) is a US law, which was enacted in March 2010 by the US Government which was aimed at preventing tax evasion through off shore assets by US citizens and US residents. Foreign Financial Institutions (FFIs)Banking in India such as the Bank that enter into a FATCA FFI agreement with the US government are required to conduct certain due-diligence to identify its US clients(individual and entity) and report on their accounts to the US Internal Revenue Service (IRS).

India has signed the Inter-Governmental Agreement (IGA) with USA for improving international tax compliance and implementing the Foreign Account Tax Compliance Act (FATCA). India has also signed a multilateral agreement on June 3, 2015, to automatically exchange information based on Article 6 of the Convention on Mutual Administrative Assistance in Tax Matters under the Common Reporting Standard (CRS), formally referred to as the Standard for Automatic Exchange of Financial Account Information (AEoI).

65. Apart from directions relating to operational matters, RBI also issues, from time to time, guidelines on accounting matters to be followed by banks. These guidelines have a profound effect on annual accounts of banks. The text of the notifications/circulars/guidelines, etc., issued by RBI are normally also available on its website www.rbi.org.in.

Prompt Corrective Action (PCA) framework for NPAs

Reserve Bank of India under its supervisory frame work uses various measures/ tools to maintain sound financial health of the bank. PCA frame work is one of such supervisory tools which involve monitoring of certain performance indicators of the banks as early warning exercise and is initiated once such thresh holds as relating to capital, asset quality etc. are breached.

Its objective is to facilitate the banks to take corrective measures including those prescribed by RBI, in a timely manner to realize financial health of the bank.

PCA frame work is in operations

Since December 2002 & the guidelines have been issued from time to time and recently on 13th April 2017, revised frame work has been issued by the Bank.

RBI has come up with a notification titled 'Revised Prompt Corrective Action (PCA) framework for banks.'

The revised framework would apply to all banks operating in India including small and foreign banks. The new set of provisions will be effective from April 1 based on the financials of banks as of March 2017.

The revised framework will override the existing PCA framework. The revised framework will be again reviewed after three years.

Need for revised framework

RBI had promised to revise the PCA framework at its first monetary policy review of the current fiscal held on April 6, as the bad loans including those Guidance Note on Audit of Banks (Revised 2018) already restructured reached USD 80 billion or 15% of the system as of March 2017.

Salient guidelines of revised PCA

Capital, Asset Quality and profitability would be the basis on which the banks would be monitored. Banks would be placed under PCA framework depending upon the audited annual financial results and RBI's supervisory assessment. RBI may also impose PCA on any bank including migration from one threshold to another if circumstances so warrants. RBI has defined three kinds of risk thresholds and the PCA will depend upon the type of risk threshold that was breached

If a bank breaches the risk threshold, then mandatory actions include the restriction on dividend payment/remittance of profits, restriction on branch expansion, higher provisions, restriction on management compensation and director's fees. Specifically, the breach of 'Risk Threshold 3' of CET1 (common equity tier 1) by a bank would call for resolution through tools like amalgamation, reconstruction, winding up among others.

RBI in its discretion can also carry out the following actions:

• Recommend the bank owner be it government/promoters/parent of foreign bank branch to bring in new management/board.

• Advise bank's board to activate the recovery plan as approved by the supervisor.

• Advise bank's board to carry out a detailed review of business model, the profitability of business lines and activities, assessment of medium and long term viability, balance sheet projections among others.

• Review short term strategies and medium-term business plans and carry out any other corrective actions like the removal of officials and supersession or suppression of the board.

The information on bank audit is vast and it is not possible to cover all of it here but I hope that the information provided here shall make you aware of the most important areas in bank audit.