Risk Based Supervision
July 6, 2023, 8:35 a.m.
Introduction
- What is an Audit?
- What is Inspection?
- Difference between Audit & Inspection
- Security/System Audit
- CAMELS Approach
- RBS Approach
What is an Audit?
- Auditing is defined as the on-site verification activity, such as inspection or examination, of a process or quality system, to ensure compliance with requirements.
- ISO 19011:2018 defines an audit as a "systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [a set of policies, procedures or requirements] are fulfilled."
- Therefore, an audit thoroughly examines all aspects of a business, product, or service. It is designed to assess the accuracy and efficiency of an entity's operations.
- An audit may be conducted by an internal auditor or by an independent auditor hired by the company being audited.
- An audit can apply to an entire organization or might be specific to a function, process, or production step.
- Some audits have special administrative purposes, such as auditing documents, risk, or performance, or following up on completed corrective actions.
- There are three main types of audits: process, product, and system.
1. Process Audit: This is also called a Compliance Audit. This type of audit verifies that processes are working within established limits. It evaluates an operation or method against predetermined instructions or standards to measure conformance to these standards and the effectiveness of the instructions.
2. Product audit: This type of audit is an examination of a particular product or service, such as hardware, processed material, or software, to evaluate whether it conforms to requirements (i.e., specifications, performance standards, and customer requirements).
3. System audit: An audit conducted on a management system. It can be described as a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance and in conjunction with specified requirements.
In banks and financial institutions, the audits involved are mostly process or compliance audits.
- As per the Office of the Comptroller and Auditor General of India, the objective of a Compliance Audit is given below:
- As per the Office of the Comptroller and Auditor General of India, the procedure to be followed for a Compliance Audit is given below:
As per the Office of the Comptroller and Auditor General of India, the requirement for grading of Inspection Reports of Compliance Audit is given below:
What is an Inspection?
- ISO 9000:2015 formally defines inspection as the 'determination of conformity to specified requirements'.
- An inspection evaluates something (usually a piece of equipment, a work area, or a person) to determine if it meets some specified requirements.
- Inspections are often conducted by regulatory agencies such as the Food and Drug Administration or the Occupational Safety and Health Administration.
- Internal staff members may also perform inspections. An inspection report is a record of everything that is observed during an inspection.
- The report will often include details about the current state of the item being inspected and any issues found. The report may also include photographs or diagrams of the inspected object.
Difference between Audit & Inspection
Audit and inspection are both processes of evaluating a business or product, but there are some key differences between the two.
1. Product vs Process:
The main difference between an audit and an inspection is their focus. An audit usually looks at the processes within an entity, while an inspection usually focuses on the product or service being provided.
2. Depth of Review:
Another difference between audit and inspection is the depth of review. Inspection is typically limited to certain specified requirements. If the product or service meets those specified requirements, it is considered acceptable; if not, it is rejected. On the other hand, an audit is typically a much deeper review of the product or process.
3. Formal and Documented:
As you would have noted from the definitions of these two above, an audit is a much more formal and documented process than an inspection.
4. Purpose:
The primary purpose of an audit is to improve processes. On the other hand, inspection is typically used to determine whether the product or service meets specifications.
5. Time Frame:
Audits focus on the future by identifying weaknesses in the system and looking at opportunities to improve processes. On the other hand, inspections are focused on the past performance of the process.
RBI’s Supervision of Banks and FIs
- The Banking Regulation Act, 1949 empowers the Reserve Bank of India to inspect and supervise commercial banks.
- These powers are exercised through:
- On-site inspection and
- Off-site surveillance, by procuring periodic information from the banks.
- Till 1993, regulatory as well as supervisory functions over commercial banks were performed by the Department of Banking Operations and Development (DBOD).
- Subsequently, a new Department of Banking Supervision (DBS) was set up to take over the supervisory functions relating to the commercial banks from DBOD.
- For dedicated and integrated supervision over all credit institutions, i.e., banks, development financial institutions and non-banking financial companies, the Board for Financial Supervision (BFS) was set up in November 1994 under the aegis of the Reserve Bank of India.
- For focused attention in the area of supervision over non-banking finance companies, Department of Supervision was further bifurcated in August 1997 into:
- Department of Banking Supervision (DBS) and
- Department of Non-Banking Supervision (DNBS).
- These Departments now look after supervision over commercial banks & development financial institutions and non-banking financial companies, respectively.
- Both these departments now function under the direction of the Board for Financial Supervision (BFS).
- The Board for Financial Supervision constituted an audit sub-committee in January 1995 with the Vice-Chairman of the Board as its Chairman and two non-official members of BFS as members. The sub-committee’s main focus is upgradation of the quality of the statutory audit and concurrent / internal audit functions in banks and development financial institutions.
On-site Inspection:
- On-site inspection of banks is carried out on an annual basis. Besides the head office and controlling offices, certain specified branches are covered under inspection so as to ensure a minimum coverage of advances.
- The Annual Financial Inspection (AFI) focuses on the statutorily mandated areas of solvency, liquidity and operational health of the bank.
- It is based on the internationally adopted CAMEL model, modified as CAMELS, i.e.:
- Capital adequacy,
- Asset quality,
- Management,
- Earning,
- Liquidity and
- System and control/Sensitivity
- While the compliance to the inspection findings is followed up in the usual course, the top management of the Reserve Bank addresses supervisory letters to the top management of the banks highlighting the major areas of supervisory concern that need immediate rectification, holds supervisory discussions and draws up an action plan that can be monitored.
- All these are followed up vigorously.
- Indian commercial banks are rated as per the supervisory rating model approved by the BFS, which is based on the CAMELS concept.
Off-site Monitoring:
- As part of the new supervisory strategy, a focused off-site surveillance function was initiated in 1995 for domestic operations of banks.
- The primary objective of off-site surveillance is to monitor the financial health of banks between two on-site inspections, identifying banks which show financial deterioration and would be a source of supervisory concern. This acts as a trigger for timely remedial action.
- In December 1995 the first tranche of off-site returns was introduced, with five quarterly returns for all commercial banks operating in India and two half-yearly returns for domestic banks, one on connected and related lending and one on the profile of ownership, control and management.
- The second tranche of four quarterly returns, for monitoring asset-liability management covering liquidity and interest rate risk for domestic and foreign currencies, was introduced in June 1999.
- The Reserve Bank intends to reduce this periodicity with effect from April 1, 2000.
Corporate Governance:
- With a view to strengthening the corporate governance and internal control function in the banks, several steps have been initiated and they are given below:
- Introduction of concurrent audit system,
- Constitution of independent audit committee of board,
- Appointment of RBI nominees on boards of banks,
- Creation of a post of compliance officer.
- Besides, the Reserve Bank monitors the implementation of recommendations of Jilani Committee relating to internal control systems in banks on an on-going basis during the annual financial inspection of banks.
Jilani Committee Recommendations (1995):
- The Jilani Working Group reviewed the internal controls and inspection/audit systems in banks in order to focus on the deficiencies and suggest remedies.
- Accordingly, the Working Group suggested various control measures to address the risks, including the need for a specialized system of EDP (Electronic Data Processing) audit and to bring the EDP system under the control and superintendence of the inspection and audit department.
- Electronic Data Processing (EDP) refers to the input, processing and output of information.
- EDP is often called Information Services or Systems (IS) or Management Information Services (MIS). The information processed is used and evaluated during an audit.
RBI Circular Dt. 30/04/2004
Information System Audit - A review of Policies and Practices
Further, many banks are in the process of implementing an IS audit system in place of computer/EDP audit. Against this backdrop, we advise that:
i) The banks may adopt an IS audit policy (if not done already) appropriate to their level of computerization and review the same at regular intervals in tune with industry best practices and guidelines issued by RBI from time to time
ii) Banks may adopt appropriate system and practices for conducting IS audit on annual basis covering all the critically important branches (in terms of nature and volume of business)
iii) Such audits should be preferably undertaken prior to the statutory audit so that the IS audit reports are available to the statutory auditors well in time for examination and incorporating comments, if any, in the audit reports
iv) The IS audit reports should be placed before the top management and the compliance should be ensured within the time frame as outlined in the audit policy.
RBI Circular Dt. 13/08/2001:
Please refer to paragraph 76 of our Governor's statement on 'Monetary and Credit Policy for the year 2000-2001' wherein it has been stated that the Reserve Bank would be developing an overall plan for moving towards Risk-based Supervision (RBS) with the assistance of international consultants.
- Accordingly, PricewaterhouseCoopers (PwC), a firm of consultants based in London, was engaged to undertake a review of the current regulatory and supervisory regime and prepare the blueprint for the transition to a more sophisticated system of RBS incorporating international best practices.
- A discussion paper on the 'Move towards Risk-based Supervision of banks' has been prepared summarizing the recommendations of the consultants and is enclosed.
- It may be observed from the discussion paper that the Reserve Bank would focus its supervisory attention on the banks in accordance with the risk each bank poses to itself as well as to the system.
- The risk profile of each bank would determine the supervisory program comprising:
- Off-site surveillance,
- Targeted on-site inspections,
- Structured meetings with banks,
- Commissioned external audits,
- Specific supervisory directions and
- New policy notices in conjunction with close monitoring through a Monitorable Action Plan (MAP) followed by enforcement action, as warranted.
The successful implementation of the process of RBS entails adequate preparation, both on the part of the Reserve Bank and the commercial banks.
- The introduction of RBS would require the banks to reorient their organizational set-up towards RBS and to:
- put in place an efficient risk management architecture,
- adopt risk-focused internal audit,
- strengthen the management information system, and
- set up compliance units.
- The banks would also be required to address HRD issues like manpower planning, selection and deployment of staff and their training in risk management and risk based audit.
- It is evident that change management is a key element in RBS. Banks should have clearly defined standards of corporate governance, well documented policies and efficient practices in place, so that lines of responsibility and accountability are clearly demarcated and the banks align themselves to meet the requirements of RBS.
RBI’s Risk-Based Supervision (RBS)
- Considering the growing diversities and complexities of banking business, the spate of product innovation with complex risk phenomena, the contagion effects that a crisis can spread and the consequential pressures on supervisory resources, the RBS approach, the foundation of which would be based on the CAMELS based approach, would be more appropriate.
- By optimizing the synergies from the different activities, including the regulatory and supervisory functions, the overall efficiency and effectiveness of the supervisory process can be substantially enhanced.
Objectives of RBS:
- The RBS approach essentially entails the allocation of supervisory resources and paying supervisory attention in accordance with the risk profile of each institution.
- The approach is expected to optimize utilization of supervisory resources and minimize the impact of crisis situations in the financial system.
- The RBS process essentially involves continuous monitoring and evaluation of the risk profiles of the supervised institutions in relation to their business strategy and exposures. This assessment will be facilitated by the construction of a Risk matrix for each institution.
- The instruments of RBS will be enhancements and refinements of the supervisory tools traditionally employed under the CAMELS approach, viz. on-site examination and off-site monitoring.
- The RBS processes and the outcome will be forward looking beyond focusing attention on the rectification of deficiencies with reference to the on-site inspection date. The extent of on-site inspection would be largely determined by the quality and reliability of off-site data, and the reliability of the risk profile built up by banks.
- The effectiveness of the RBS would clearly depend on banks' preparedness in certain critical areas, such as:
- quality and reliability of data,
- soundness of systems and technology,
- appropriateness of risk control mechanism,
- supporting human resources and
- organizational back-up.
The key components of the risk profile document of RBS would be the following:
- CAMELS rating with trends
- Narrative description of key risk features captured under each CAMELS component
- Summary of key business risks including volatility of trends in key business risk factors
- Monitorable action plan and bank’s progress to date
- Strength, Weaknesses, Opportunities, Threats (SWOT) analysis
- Sensitivity analysis
Supervisory cycle
The supervisory process would commence with the preparation of the bank risk profile (based on data furnished by banks to the DBS of RBI, besides data from other sources).
- The supervision cycle will vary according to risk profile of each bank, the principle being the higher the risk the shorter will be the cycle.
- The supervision cycle will remain at 12 months in the short-term and will be extended beyond 12 months for low risk banks at a suitable stage.
- In cases where more frequent application of the supervisory process is necessary, the cycle could even be less than 12 months.
Supervisory program:
- RBI would prepare a bank specific supervisory program which will set out the detailed work plan for the bank.
- The scope and objectives of the inspection program will derive from analysis of risk profile.
- The supervisory program would be tailored to individual banks and would focus on the highest risk areas as well as specify the need for further investigation in identified problem areas.
- The supervisory program would be prepared at the beginning of the supervisory cycle and would yet be flexible enough to permit amendments warranted by subsequent major developments.
- The supervisory program would also identify the package of supervisory tools to be deployed from a range consisting of:
- greater off-site surveillance
- targeted on-site inspection
- structured meetings with banks
- commissioned external audits
- specific supervisory directions
- new policy notices (i.e. new policy directions to banks emanating from individual bank level concerns which are relevant for the industry)
Inspection process:
- The risk assessment of individual banks would be performed in advance of on-site supervisory activities.
- The risk assessment process would highlight both the strengths and vulnerabilities of an institution and would provide a foundation from which to determine the procedures to be conducted during the inspection.
- The current full-scope on-site inspections, which are carried out annually, cover a substantive asset evaluation.
- The inspections under the new approach would be largely systems based rather than laying emphasis on underlying transactions and asset valuations.
- The inspection would target identified high-risk areas from the supervisory perspective and would focus on the effectiveness of mechanism in capturing, measuring, monitoring and controlling various risks.
- The inspection procedure would continue to include transaction testing and evaluation, the extent of which will depend on the materiality of an activity and the integrity of the risk management system and the control process.
Monitorable Action Plan (MAP):
- The aim of supervisory follow-up would be to ensure that banks take corrective action in time to remedy or mitigate any significant risks that have been identified during the supervisory process.
- The major device in this respect would be the MAP. MAPs are already used by RBI to set out the improvements required in the areas identified during the current on-site and off-site supervisory process. However, MAPs would be made more robust in a number of ways.
- MAPs will in many cases include directions to banks on actions to be taken. The remedial actions that would be outlined, would be tied explicitly to the areas of high risks identified in the risk profiling as well as the supervisory process and should lead to improvements in the systems and controls environment at the bank.
- Key individuals at the bank would have to be made accountable for each of the action points. If actions and timetables set out in the MAP are not met, RBI would consider issuing further directions to the defaulting banks and even impose sanctions and penalties.
Role of external auditors in banking supervision:
- The use of specialist third parties, such as external auditors can be of significant aid to the bank supervisors.
- In some countries, external auditors are required to perform an early warning function and inform supervisors without delay of information material to the supervisor.
- The Basel consultative paper ‘Internal audit in banks and the relationship of the supervisory authorities with internal and external auditors’ discusses the commonality of focus and concern of external auditors and bank supervisors.
- The supervisory process, instead of duplicating the efforts of the external and internal auditors in some areas, should seek to leverage the work done by these agencies.
- Towards the achievement of this goal, the LFAR (Long Form Audit Report) format, would be brought into use at the earliest.
- RBI would look forward to making more use of external auditors as a supervisory tool by widening the range of tasks and activities which external auditors perform at present.
Setting up of Compliance Unit:
- Banks are required to take corrective action to remedy or mitigate any significant risks which have been identified in the earlier part of the supervisory cycle and which have been incorporated into the current risk profile.
- RBI will issue bank specific MAP which will include directions to banks on actions to be taken. If the actions and timetable set out in the MAP fail to be met, RBI may issue further directions or impose sanctions or take mandatory and discretionary actions, if deficiencies continue to persist.
- It is therefore necessary for banks to set up a dedicated compliance unit to coordinate various actions of the bank for compliance and for periodical reporting to RBI, and ensure the completion of compliance action within the time period indicated in the MAP.
- The compliance unit should be headed by a Chief Compliance Officer of the rank of not less than a General Manager who will be responsible and accountable for timeliness and accuracy of the compliance.