F. No. 7/124/2012-BOA
Government of India
Ministry of Finance
Department of Financial Services
Subject : Master Circular on Audit Systems.
The Government of India has issued guidelines / instructions to banks on Audit Systems. In order to have these guidelines / instructions at one place for ready reference, a Master Circular incorporating the existing guidelines / instructions issued by the Government on the subject has been prepared.
2. All CEOs are requested to acknowledge receipt and ensure compliance of the above guidelines in their PSBs and Regional Rural Banks (RRBs) sponsored by their banks.
3. This issues with the approval of Secretary (FS).
It has been observed that there is a multiplicity of overlapping audits in the Public Sector Banks (PSBs). While the audit is essential for the health of the PSBs, it has been observed that multiple overlapping audits throughout the year engage a lot of attention, resources and time of the PSBs. It has also been observed that there is a need to revamp the audit system in PSBs in the wake of increasing computerization and shifting of operations on I.T. based system. The present audit system is lagging behind the technological advancement achieved by PSBs.
Area of concern
In the above background the Government of India has constituted a Committee under the Chairmanship of Shri Basant Seth, ex-CMD of Syndicate Bank which has submitted its report. The Committee has identified certain areas of concern in the PSBs namely:
i. Effective Internal Audit (IA) should work as a strong deterrent and preventive mechanism for frauds.
ii. A strong audit system should be well supported by the Offsite Monitoring Unit (OMU) through System generated reports/ MIS.
iii. Multiplicity of Audits is resulting in Audit fatigue. There is a need to stream line the number of Audits by strengthening the Internal Audit and Concurrent Audits.
iv. Strengthening the IA by converting it into a stronger Risk Based Internal Audit (RBIA) function and also strengthening the Concurrent Audit by bringing Risk focus into the CA could reduce some of the other Audits in the Branches wherein RBIA, CA are conducted.
v. Banks should give adequate attention to IS Audit as many of the frauds are IT related which have shown substantial increase in the recent times.
vi. Currently 70% of business of banks is covered under Concurrent Audit System and yet the irregularities / frauds could not be controlled. The basic reason for the poor quality of work done by the Concurrent Auditors is on account of low fees structures and lopsided empanelment and appointment procedure followed by Banks. The Committee feels that there is urgent need to rectify the position in order to make the Concurrent Audit System effective.
vii. Statutory Branch Audit has become routine and not much effective post implementation of CBS in PSBs.
viii. In many Banks all the Inspection Reports are put to ACB directly, which is diluting the focus of ACB on High Risk Areas / Branches.
In the light of the above areas of concern identified by the committee, it was felt that the following guiding principles on Internal, I.S., Concurrent and Branch Statutory Audit should be followed by all the PSBs after suitably adapting them to the need of their organization.
I. General Guiding Principles
1. Need to stream line the number of Audits by strengthening the Internal Audit and Concurrent Audits and making them risk based.
2. The model policies contained in the draft manual attached may be adapted by the PSBs.
3. All the PSBs should form Audit Committee of Executives (ACE) headed by the Head of Audit (IA&A), GM (Risk) and other two GMs as Members. Zonal Audit Committee of Executives (ZACE) with similar composition at lower level be constituted by large banks.
4. ACE/ ZACE should meet minimum six times in a year. The ACE & ZACE will work under the guidance of ACB and all the minutes of ACE & ZACE should be put up to ACB
5. High Risk Audit Reports should be put up to ACB and in case of large banks Very High Risk Audit Reports- Critical Findings (Below 40% marks) may be put up to ACB. (Banks having Local Board may consider forming local ACB for reviewing High Risk Audit Reports- Critical Findings at Zonal Level, the minutes be put up to ACB at Central Level. However, closure of such reports can be done by CGM- Inspection/ Audit Department.
6. Banks should set-up proper off-site monitoring cell in the Audit Department or put in place suitable similar structure. Such cell/ structure to review the MIS on critical items and sensitise the Controlling Offices and Branches / Departments for corrective action on a daily basis. The OSM cell should also apprise Top Management of serious irregularities, if any, immediately
7. Banks while selecting the branches should consider, material changes that took place in overall risk profile/ its updation, risk involvement in new products/ processes at branch level, business growth.
8. Inspection/ Audit Department should critically analyse the high frequency low severity as well as low frequency high severity areas.
9. The Banks should move to Software based Audit process.
10. In order to attract good talent into Audit function, HR policies have to be properly modified making it mandatory a minimum two year term of working in Internal Audit Department for consideration to promotion DGM & above.
11. Inspection & Internal Audit department should be strengthened with adequate man power having requisite experience. – The team should consists of a proper mix of audit officers / Chartered Accountants / Cost Accountants/ CISA Qualified / Seniors having experience in all the Banking functions/ Juniors having basic knowledge of various banking functions
12. Bank should provide suitable training programs to all the auditors associated with Internal Audit and Concurrent Audit functions.
13. All the Audit team members should be made to sign Do’s & Don’ts given in the manual attached.
II. Guiding Principles on Risk Based Internal Audit (RBIA):
1. RBI team should also carry out IS compliance audit as part of their audit routine for small & low rated branches as well as follow up work for non compliance issues of the branch in IS audit areas.
2. Conflict of interest between Audit team member and Auditee should be avoided.
3. The frequency of Audits under Risk based system should be uniformly fixed at 9-12 months for Extremely High/ High Risk Branches, 12-15 months for medium Risk Branches and 15-18 months of low Risk Branches.
4. Risk Assessment matrix for Branches / Departments given in the manual under the suggested RBIA Policy may be adopted by banks.
5. Audit team should guide the branches on spot rectification of the deficiencies to the extent possible.
6. It is advised that all the Audit qualifications should be rectified within 90 days of submission of Audit Report and to be closed not later than 120 days.
III. Guiding Principles on Information Systems (IS)Audit:
1. The Banks should form separate IS Audit teams with persons having adequate IT experience and suitably CISA qualified Professionals. The IS Audit should be carried out on a continuous basis adopting Risk based Approach as per the IS Audit policy.
2. Continuous IS Audit should be introduced in critical areas in a phased manner.
3. Assessment of Internal Audit resource involvement at appropriate levels should be done.
4. I S Audit should become essential part of Internal Audit in the post CBS scenario.
5. Branch managers should submit compliance of Do’s and Don’ts regarding IS Audit Key Areas, on monthly basis.
IV. Guiding Principles on Concurrent Audit:
1. For Concurrent Audit Chartered Accountant Firms should be appointed from the RBI panel as per the gradation based on the size of the Branch. The remuneration of Concurrent Auditors may be enhanced suitably based on the coverage of audit, quality of the audit, skill sets required, number of staff required etc. The focus should be on substantive checking of the High Risk areas like
• Credit Risk
• Regulatory/Statutory Compliance Risk
• Fraud Risk
• Revenue Risk
2. Some of the High Risk Branches, specialized branches viz., Agri, SME, Mid Corporate, Infrastructure, Large Corporate, CPU, retail assets, portfolio management, forex, back office etc. should also be covered under the Concurrent Audit
3. BanksInternal Audit Department should interact with the Concurrent Auditors at least once in a quarter
4. The Banks should make it mandatory giving feedback to Concurrent Auditors on the frauds involving the Branch audited by them.
5. The performance of Concurrent Auditor should be reviewed on Annual basis
6. To avoid conflict of interest, an undertaking should be taken from the Concurrent Auditors that they will not have any professional or commercial relationship with the borrowers of the Branch / Department which they are auditing.
7. The Auditor should sign on the Do’s & Don’ts statemen n order to have proper arms length relationship with the Branch / Department which they are conducting Audit
8. Suitable deterring provisions should be incorporated in the Concurrent Auditors engagement for delayed submission of Reports and unsatisfactory performance
9. The functions performed by the statutory auditor should be transferred to Concurrent Auditors. Concurrent Auditors should be advised to provide various Certifications done presently by Branch Statutory Auditors, covering NPA provisioning, Insurance coverage, P & L Account, ALM, CRAR, DICGC, LFAR etc., similarly, Certification regarding Tax Audit may also be taken from the Concurrent Auditors.
10. With regard to other Branches not covered under Concurrent Audit but is covered under the Branch Statutory Audit the threshold limit of advances should be enhanced suitably, ensuring adequate coverage of Urban, Semi-Urban and Rural branches keeping in view the inflation over time, on the following lines:
11. All the branches not subjected to concurrent audit but covered under the Branch Statutory Audit, with the enhanced threshold limit of advances and 1/5th of remaining branches should be subjected to certification by external Chartered Accountants under Branch Statutory Audit System in the banks, where the CBS is not stabilized, for a maximum period of two years.
12. However, in case of banks where the CBS is stabilized and running well, the certification as per the above norms should be done at central level by the Central Statutory Auditor.
13. The above aspect of Annual Certifications should be kept in view while revising Fees of Concurrent Auditors as suggested earlier. This is expected to result in reduction in overall cost to the Banks and improvement in quality of CA on adopting this suggestion
14. Thus, going forward the existing Branch Statutory Auditor appointment system gets phased out, in view of the above suggested guiding principles.