Banking sector: The IT saga in Indian banking commenced in the mid-eighties of the twentieth century, when the Reserve Bank took upon itself the task of promoting automation in banking to improve customer service, book keeping, MIS and productivity.
This role played by the Reserve Bank continued for years…
Introduction of MICR-based cheque processing, a first for the region, during the years 1986-1988.
BANKING SECTOR DEVELOPMENTS (COMPUTERISATION OF BANKS):
Computerisation of branches of banks: in the late eighties, with the introduction of ledger posting machines (LPMs) and advanced ledger posting machines (ALPMs), which have paved the way for installation of Core banking developments…
The computerised environment provides advantages over the manual system in terms of arithmetic accuracy and uniform processing of transactions. But at the same time it poses certain challenges for the auditor in terms of audit risk, due to the peculiar nature and characteristics of the Computerised Information System (CIS) environment, where the potential for fraud is much greater and fraud can be more easily hidden in the digital data. The overall objective and scope of an audit does not change in a CIS environment; nevertheless, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the bank.
There has been a phenomenal growth in the number of banks that have computerised most of the businesses of their branches.
New entrants in the banking business have augmented the competition. The customer is now well aware of the choices and products available to them. All this has necessitated access to information and state of the art technologies to serve the customer efficiently and effectively.
In this ever-changing banking environment, members who are involved in auditing of banks need to equip themselves with IT knowledge to meet new challenges and adopt a different approach and methodology for bank audit under a computerised environment.
Auditors need to test the accuracy of output with some test cases, and once it is established, their focus should shift to the areas that have become vulnerable because of the computerised environment.
Massive computerisation is taking place in all the banks. The approach and methodology to be followed in the audit of any computerised branch needs to be understood correctly in the light of the fast-paced technological changes taking place. Information Technology makes it imperative that internal controls and systems get integrated in IT, and they are not apparent as in a manual system.
The computerised branches may be divided into two categories:
In the first category come the branches where partial computerisation has taken place. These branches are called ALPMs or PCs or PBA.
The second category of computerised branches includes those branches that are fully computerised. These are called TBA (Total Branch Automation) branches. These branches work under LAN (Local Area Network) environment connected with a server in the branch.
The totally computerised branch may further be classified into two types:
Standalone Computerised Branch:
These bank branches are not connected online with other banks or the head office. The transactions take place in the server at the branch level, and at the end of the day they are consolidated and sent to the Regional/Head office for further consolidation.
Total Computerization with Central Database:
These bank branches are connected online with other branches or the central database. In Core Banking Solutions (CBS), banks maintain a central database, and all transactions that take place in various branches are updated in the central server online. People can also transact business from any of the branches of the bank.
After AAS 29 on Auditing in a Computerised Information Systems (CIS) environment became operative for all audits related to accounting periods beginning on or after 1st April 2003, the responsibility of the bank branch auditor has increased manifold. As per AAS 29, the overall objective and scope of an audit does not change in a CIS environment; however, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the entity. Therefore, an auditor needs to check the various controls implemented throughout the system and their existence. A CIS Environment may affect:
Understanding of the CIS Environment
Before the auditor commences the audit, it is imperative that he has a thorough understanding of the CIS environment prevalent, each application software used at all points of time during the year, as well as the interfaces established between the several sub-systems of the bank. Without a proper understanding of the functioning of each item of software, the auditor would not be in a position to gear up for an effective audit of banks operating in a computerised environment. Accordingly, the auditor needs to carry out the following tasks: –
Nature of Risks and Internal Control Prevalent:
Lack of Transaction Trails:
Some CIS are designed so that a comprehensive transaction trail that is normally useful for audit may exist only for a short period of time or only in computer-readable form. Several accounting entries passed, and their impact on the general ledger, are system generated, based upon logic built into the computer programs. Accordingly, errors in the programming logic may not be detected by merely manual procedures.
Uniform Processing of Transactions:
Computers handle transactions uniformly, with the same processing instructions. But it may also happen that the programming instructions do not take care of all business intricacies and situations.
Lack of Segregation:
Many control procedures that would ordinarily be performed by different individuals in manual systems may become concentrated in a CIS environment. Thus, an individual, who has access to computer programs, processing or data may be in a position to perform incompatible functions.
Dependence of Other Controls Over Computer Processing:
Computer processing may produce reports and outputs that are used as a base for audit. The effectiveness of audit shall depend to a considerable extent on the accuracy, correctness and completeness of the reports generated by the computer system.
It is quite likely that some of the reports generated by the computer system are wrong, either due to faulty logic, inaccurate functionality or even manual intervention by the bank staff before handing over the report to the auditor. It is quite possible that reports on the computer are downloaded to Excel, where certain values are altered before being handed over to the auditors.
Potential for the Use of Computer for Audit:
Assisted Audit Techniques:
a. Adequate procedures exist to ensure that data is transmitted correctly.
b. Cross-verification of records, reconciliation statements and control systems between primary and subsidiary ledgers do exist and are operative. There should be no assumed accuracy of computerised records.
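The cross-verification in point (b), and the check for a report altered in a spreadsheet before it reaches the auditor, can both be run as a computer-assisted audit test. The following is an added example, not part of the original article: the account numbers, ledger heads, balances and function names are constructed for illustration, and it assumes the auditor can obtain an extract directly from the system alongside the report handed over by the branch.

```python
import csv
import io
from decimal import Decimal

# Constructed sample data (not from any real bank system).
# Extract pulled by the auditor directly from the branch server:
SYSTEM_EXTRACT = """account,head,balance
SB001,SAVINGS,15000.00
SB002,SAVINGS,8200.50
CA001,CURRENT,120000.00
CA002,CURRENT,45000.00
"""
# Same report as handed over by staff after a spreadsheet round trip:
HANDED_REPORT = """account,head,balance
SB001,SAVINGS,15000.00
SB002,SAVINGS,8200.50
CA001,CURRENT,120000.00
CA002,CURRENT,54000.00
"""
# General ledger (primary ledger) control balances per head:
GL_CONTROL = {"SAVINGS": Decimal("23200.50"), "CURRENT": Decimal("165000.00")}

def load(text):
    """Parse a CSV report into {account: (head, balance)}."""
    return {r["account"]: (r["head"], Decimal(r["balance"]))
            for r in csv.DictReader(io.StringIO(text))}

def reconcile(rows, gl_control):
    """Sum subsidiary balances per head; return heads that differ from the GL."""
    totals = {}
    for head, bal in rows.values():
        totals[head] = totals.get(head, Decimal("0")) + bal
    zero = Decimal("0")
    return {h: (totals.get(h, zero), gl_control.get(h, zero))
            for h in sorted(set(totals) | set(gl_control))
            if totals.get(h, zero) != gl_control.get(h, zero)}

def altered_rows(system, handed):
    """Accounts changed, missing or added in the handed-over report."""
    return {a: (system.get(a), handed.get(a))
            for a in sorted(set(system) | set(handed))
            if system.get(a) != handed.get(a)}

if __name__ == "__main__":
    system, handed = load(SYSTEM_EXTRACT), load(HANDED_REPORT)
    print("system extract vs GL:", reconcile(system, GL_CONTROL))
    print("handed report vs GL: ", reconcile(handed, GL_CONTROL))
    print("rows altered:        ", altered_rows(system, handed))
```

Decimal is used instead of float so that a genuine one-paisa difference is reported and a rounding artefact is not.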
The auditor should also document the audit plan, the nature, timing and extent of audit procedures performed and the conclusions drawn from the evidence obtained. All audit evidence which is in electronic form should be properly and safely stored and be retrievable in its entirety as and when required.
As required by AAS 29, "The auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required."
I conclude my presentation with the statement that under a CIS environment bank audits have become very efficient and more reliable, but on the other side it increases several types of risks. So the audit must be carried out with more diligence and care, and after careful study of the risk factors involved.