Bank Audit Conducting Bank Branch Audit in CBS Environment

Bank branch audits are one of the significant segments of chartered accountants’ audit practice. The increased technology adoption by the banks during last decades has created both challenges and opportunities for the auditors. While the branch auditor cannot be expected to be an IT’s maestro, ignorance to the existence of IT system cannot be afforded too. To obtain understanding of bank’s IT system and controls, the auditor seeks assistance from system experts and designated bank officials. Then, he is also required to use computer assisted auditing tools to conduct the audit function efficiently. Further, computerised processing, although highly dependable and reliable, cannot be always considered as an assurance to accuracy. Auditor shall have to perform sufficient audit procedures and use his professional judgments for qualitative discharge of his professional duties. As the bank branch audits are approaching soon, the author, through this article aims to provide the reader an insight to the basic understanding of core banking system, the challenges before the auditor and the critical areas of focus while performing audit under CBS environment.

Introduction

Most of the banks have moved to CBS environment. What was earlier the prerogative of the private sector banks and large public sector banks is filtered down to the large co-operative banks, district level co-operative banks and small co-operative banks. Sometimes mere payment/clearing system of the clearing house becomes a trigger move to a CBS environment to ensure that electronic transfer by the clearing house automatically reaches the account holder. All persons exposed to the branch like its depositors, borrowers and the auditors are affected

Bank Audit

information technology implications should not

be seen only in isolation to report under Jilani
Committee Recommendations since technology is
all pervasive affecting the branch auditor’s opinion
in most critical manner.’’

the branch auditor can peruse the report to gain insight. He must ensure that any reliance on such report is only as per the guidelines given by the Institute of Chartered Accountants of India (ICAI) on dependence of work of an expert, because some system audits are known to be executed by non chartered accountant firms.

 

 

 

by this. Information technology implications should not be seen only in isolation to report under Jilani Committee Recommendations since technology is all pervasive affecting the branch auditor’s opinion in most critical manner.

Core Banking Defined

Core banking is a system in which a centrally shared database supports the entire banking application. In other words, instead of an individual server at each branch of the bank, there is one common server for all the branches. This server is kept at a location called the Data Centre (DC). However, there exists a risk of failure of the common server. A backup site is maintained to aid such failure and when this site is at distant location (another city), preferably in a different seismic zone, it is called the Disaster Recovery Centre (DRC). It is not uncommon to see the DRCs to be located in different continents in case of multinational banks. A lot of care, therefore, has to be taken at the data centre but that not being in the scope of the branch auditor, it is not a subject matter of discussion here. Traditionally, the networking was done by way of leased lines as the primary network. In case of failure of such network, the connection was automatically dialed up to the other back-up network i.e. dial up Integrated Services Digital Network (ISDN). Later, other modes such as wireless network (radio frequency), VSAT (Very Small Aperture Terminal), VPN (Virtual Private Network) over the internet and cloud, came into popularity.

Branch Statutory Auditor and System Auditor

The branch auditor is not expected to be a technical expert to understand the IT system or the software. But, it is a fact that most of the banking operations are done through the computer. Since CBS is the neurological network of the bank, the branch auditor can ill afford to ignore the existence of the system. On the contrary, if the auditor is able to use the system, he/she will be able to improve his/her own efficiency. If the branch has been subjected to a Systems Audit,

Critical Issues in CBS Branch Audit A Branch Auditor may be complacent at his own peril if he mistakes presence of computer or the brand of the application software for accuracy and the desired results, since the following issues have been noted:

  1. Final accounts may not be representative of the books of accounts:

An unbelievable alarming statement is unfortunately true. This issue would fall more into the realm of fundamental duty of the auditor. This issue is often neglected as the statutory auditor dives into the matters of Borrower classification and items of Long Form Audit Report (LFAR). Once this issue is revealed post audit, it would be quite difficult for any auditor to defend himself. This complex situation can be simplified on the basis of the plausible reasons, also being the areas that branch auditor should concentrate:

  • When all departments are not computerised: Where some departments are not computerised, the vouchers are manually fed into the core system. Such departments may range from Lockers to Treasury and Foreign Exchange. In such cases, the vouchers are entered at the end of the day. If any of the day’s vouchers are not entered resulting in a compensating error, no- one is wiser since the trial balance tallies.
  • When most departments are computerised but by different applications:

This is not an uncommon situation. But, different applications does not always mean problem. How the different applications feed their data into the core system is the crux of the issue. System auditors are better placed in the evaluation of such matters. Reference to the System Audit report is therefore recommended. Sometimes, the communication between the application and the core system is affected preventing entry upload. No warning is given even though it should be there. The books of that department show a figure quite different from that shown in