F. No. 7/124/2012-BOA
Government of India
Ministry of Finance
Department of Financial Services
*******
Jeevan Deep Building, Sansad Marg
New Delhi, dated the 26th September, 2012
To,
The Chief Executives of all Public Sector Banks.
Subject : Master Circular on Audit Systems.
Dear Sir,
The Government of India has issued guidelines / instructions to banks on Audit
Systems. In order to have these guidelines / instructions at one place for ready reference,
a Master Circular incorporating the existing guidelines / instructions issued by the
Government on the subject has been prepared.
2. All CEOs are requested to acknowledge receipt and ensure compliance of the
above guidelines in their PSBs and Regional Rural Banks (RRBs) sponsored by their
banks.
3. This issues with the approval of Secretary (FS).
Yours faithfully,
Sd-
(Pravin Rawal )
Deputy Secretary (BOA)
Encl: As above
1. Guidelines on Internal Audit, Information Systems Audit and Concurrent Audit
Systems.
Introduction
It has been observed that there is a multiplicity of overlapping audits in the
Public Sector Banks (PSBs). While the audit is essential for the health of the PSBs,
it has been observed that multiple overlapping audits throughout the year engage a
lot of attention, resources and time of the PSBs. It has also been observed that
there is a need to revamp the audit system in PSBs in the wake of increasing
computerization and shifting of operations on I.T. based system. The present audit
system is lagging behind the technological advancement achieved by PSBs.
Area of concern
In the above background the Government of India has constituted a
Committee under the Chairmanship of Shri Basant Seth, ex-CMD of Syndicate Bank
which has submitted its report. The Committee has identified certain areas of
concern in the PSBs namely:
i. Effective Internal Audit (IA) should work as a strong deterrent and
preventive mechanism for frauds.
ii. A strong audit system should be well supported by the Offsite Monitoring
Unit (OMU) through System generated reports/ MIS.
iii. Multiplicity of Audits is resulting in Audit fatigue. There is a need to stream
line the number of Audits by strengthening the Internal Audit and
Concurrent Audits.
iv. Strengthening the IA by converting it into a stronger Risk Based Internal
Audit (RBIA) function and also strengthening the Concurrent Audit by
bringing Risk focus into the CA could reduce some of the other Audits in
the Branches wherein RBIA, CA are conducted.
v. Banks should give adequate attention to IS Audit as many of the frauds are
IT related which have shown substantial increase in the recent times.
vi. Currently 70% of business of banks is covered under Concurrent Audit
System and yet the irregularities / frauds could not be controlled. The basic
reason for the poor quality of work done by the Concurrent Auditors is on
account of low fees structures and lopsided empanelment and
appointment procedure followed by Banks. The Committee feels that there
is urgent need to rectify the position in order to make the Concurrent Audit
System effective.
vii. Statutory Branch Audit has become routine and not much effective post
implementation of CBS in PSBs.
viii. In many Banks all the Inspection Reports are put to ACB directly, which is
diluting the focus of ACB on High Risk Areas / Branches.
In the light of the above areas of concern identified by the committee, it was
felt that the following guiding principles on Internal, I.S., Concurrent and Branch
Statutory Audit should be followed by all the PSBs after suitably adapting them to the
need of their organization.
I. General Guiding Principles
1. Need to stream line the number of Audits by strengthening the Internal Audit and
Concurrent Audits and making them risk based.
2. The model policies contained in the draft manual attached may be adapted by the
PSBs.
3. All the PSBs should form Audit Committee of Executives (ACE) headed by the
Head of Audit (IA&A), GM (Risk) and other two GMs as Members. Zonal Audit
Committee of Executives (ZACE) with similar composition at lower level be
constituted by large banks.
4. ACE/ ZACE should meet minimum six times in a year. The ACE & ZACE will
work under the guidance of ACB and all the minutes of ACE & ZACE should be
put up to ACB
5. High Risk Audit Reports should be put up to ACB and in case of large banks Very
High Risk Audit Reports- Critical Findings (Below 40% marks) may be put up to
ACB. (Banks having Local Board may consider forming local ACB for reviewing
High Risk Audit Reports- Critical Findings at Zonal Level, the minutes be put up
to ACB at Central Level. However, closure of such reports can be done by CGMInspection/
Audit Department.
6. Banks should set-up proper off-site monitoring cell in the Audit Department or put
in place suitable similar structure. Such cell/ structure to review the MIS on
critical items and sensitise the Controlling Offices and Branches / Departments
for corrective action on a daily basis. The OSM cell should also apprise Top
Management of serious irregularities, if any, immediately
7. Banks while selecting the branches should consider, material changes that took
place in overall risk profile/ its updation, risk involvement in new products/
processes at branch level, business growth.
8. Inspection/ Audit Department should critically analyse the high frequency low
severity as well as low frequency high severity areas.
9. The Banks should move to Software based Audit process.
10. In order to attract good talent into Audit function, HR policies have to be properly
modified making it mandatory a minimum two year term of working in Internal
Audit Department for consideration to promotion DGM & above.
11. Inspection & Internal Audit department should be strengthened with adequate
man power having requisite experience. - The team should consists of a proper
mix of audit officers / Chartered Accountants / Cost Accountants/ CISA Qualified /
Seniors having experience in all the Banking functions/ Juniors having basic
knowledge of various banking functions
12. Bank should provide suitable training programs to all the auditors associated with
Internal Audit and Concurrent Audit functions.
13. All the Audit team members should be made to sign Do’s & Don’ts given in the
manual attached.
II. Guiding Principles on Risk Based Internal Audit (RBIA):
1. RBI team should also carry out IS compliance audit as part of their audit
routine for small & low rated branches as well as follow up work for non
compliance issues of the branch in IS audit areas.
2. Conflict of interest between Audit team member and Auditee should be
avoided.
3. The frequency of Audits under Risk based system should be uniformly fixed at
9-12 months for Extremely High/ High Risk Branches, 12-15 months for
medium Risk Branches and 15-18 months of low Risk Branches.
4. Risk Assessment matrix for Branches / Departments given in the manual
under the suggested RBIA Policy may be adopted by banks.
5. Audit team should guide the branches on spot rectification of the deficiencies
to the extent possible.
6. It is advised that all the Audit qualifications should be rectified within 90 days
of submission of Audit Report and to be closed not later than 120 days.
III. Guiding Principles on Information Systems (IS)Audit:
1. The Banks should form separate IS Audit teams with persons having
adequate IT experience and suitably CISA qualified Professionals. The IS
Audit should be carried out on a continuous basis adopting Risk based
Approach as per the IS Audit policy.
2. Continuous IS Audit should be introduced in critical areas in a phased
manner.
3. Assessment of Internal Audit resource involvement at appropriate levels
should be done.
4. I S Audit should become essential part of Internal Audit in the post CBS
scenario.
5. Branch managers should submit compliance of Do’s and Don’ts regarding IS
Audit Key Areas, on monthly basis.
IV. Guiding Principles on Concurrent Audit:
1. For Concurrent Audit Chartered Accountant Firms should be appointed from
the RBI panel as per the gradation based on the size of the Branch. The
remuneration of Concurrent Auditors may be enhanced suitably based on the
coverage of audit, quality of the audit, skill sets required, number of staff
required etc. The focus should be on substantive checking of the High Risk
areas like
Credit Risk
Regulatory/Statutory Compliance Risk
Fraud Risk
Revenue Risk
2. Some of the High Risk Branches, specialized branches viz., Agri, SME, Mid
Corporate, Infrastructure, Large Corporate, CPU, retail assets, portfolio
management, forex, back office etc. should also be covered under the
Concurrent Audit
3. Banks’ Internal Audit Department should interact with the Concurrent Auditors
at least once in a quarter
4. The Banks should make it mandatory giving feedback to Concurrent Auditors
on the frauds involving the Branch audited by them.
5. The performance of Concurrent Auditor should be reviewed on Annual basis
6. To avoid conflict of interest, an undertaking should be taken from the
Concurrent Auditors that they will not have any professional or commercial
relationship with the borrowers of the Branch / Department which they are
auditing.
7. The Auditor should sign on the Do’s & Don’ts statement in order to have
proper arms length relationship with the Branch / Department which they are
conducting Audit
8. Suitable deterring provisions should be incorporated in the Concurrent
Auditors engagement for delayed submission of Reports and unsatisfactory
performance
9. The functions performed by the statutory auditor should be transferred to
Concurrent Auditors. Concurrent Auditors should be advised to provide
various Certifications done presently by Branch Statutory Auditors, covering
NPA provisioning, Insurance coverage, P & L Account, ALM, CRAR, DICGC,
LFAR etc., similarly, Certification regarding Tax Audit may also be taken from
the Concurrent Auditors.
10. With regard to other Branches not covered under Concurrent Audit but is
covered under the Branch Statutory Audit the threshold limit of advances
should be enhanced suitably, ensuring adequate coverage of Urban, Semi-
Urban and Rural branches keeping in view the inflation over time, on the
following lines:
11. All the branches not subjected to concurrent audit but covered under the
Branch Statutory Audit, with the enhanced threshold limit of advances and
1/5th of remaining branches should be subjected to certification by external
Chartered Accountants under Branch Statutory Audit System in the banks,
where the CBS is not stabilized, for a maximum period of two years.
12. However, in case of banks where the CBS is stabilized and running well, the
certification as per the above norms should be done at central level by the
Central Statutory Auditor.
13. The above aspect of Annual Certifications should be kept in view while
revising Fees of Concurrent Auditors as suggested earlier. This is expected to
result in reduction in overall cost to the Banks and improvement in quality of
CA on adopting this suggestion
14. Thus, going forward the existing Branch Statutory Auditor appointment system
gets phased out, in view of the above suggested guiding principles.
*****
Circulars on Audit Systems :
S.no. Circular / Letter No. Date Subject
1 F.No. 7/112/2011-
BOA
28.06.2012 Guidelines on Internal Audit,
Information Systems Audit and
Concurrent Audit Systems
CAclubindia
