Reserve Bank of India
September 05, 2020
The Chairman / Managing Director / Chief Executive Officer
All Scheduled Commercial Banks (Excluding RRBs)
All Local Area Banks
All Small Finance Banks and
All Payment Banks
Madam / Dear Sir,
Long Form Audit Report (LFAR) – Review
Please refer to RBI circular No. DBS.CO.PP.BC.11/11.01.005/2001-2002 dated April 17, 2002 on revision of Long Form Audit Report (LFAR).
2. Keeping in view the large scale changes in the size, complexities, business model and risks in the banking operations, a review of the LFAR formats, in consultation with the stakeholders, including the Institute of Chartered Accountants of India (ICAI), was undertaken and it has been decided to make the following changes.
3. The format of LFAR, as mentioned below, have been revised:
The revised formats are enclosed.
4. The revised LFAR formats are required to be put into operation for the period covering FY 2020-21 and onwards. The mandate and scope of the audit will be as per this format and if the SCA feels the need of any material additions, etc., this may be done by giving specific justification by the SCA and with the prior intimation of the bank’s Audit Committee of Board (ACB).
5. Regarding other operational issues relating to submission of LFAR, we further advise as under:
a. Timely receipt of LFARs from the auditors should be ensured;
b. The LFAR on the bank, after due examination, should be placed before the ACB / Local Advisory Board of the bank indicating the action taken/proposed to be taken for rectification of the irregularities, if any, mentioned therein; and
c. A copy each of the LFAR (i.e. for the bank / all Indian Offices of foreign bank as a whole) and the relative agenda note, together with the Board’s views or directions, should be forwarded to the concerned Senior Supervisory Manager (SSM) in the Department of Supervision, Reserve Bank of India within 60 days of submission of the LFAR by the statutory auditors.
6. The LFAR format and other instructions issued vide RBI circular No. DBS.CO.PP.BC.11/11.01.005/2001-2002 dated April 17, 2002 stand repealed.
7. Please acknowledge receipt.
(Ajay Kumar Choudhary)
Chief General Manager
Encl: Annex I and II and III
i. The overall objective of the Long Form Audit Report (LFAR) should be to identify and assess the gaps and vulnerable areas in the business operations, risk management, compliance and the efficacy of internal audit and provide an independent opinion on the same to the Board of the bank and provide their observations.
ii. This may also involve commenting on various risks to which the banks are exposed like credit, market, operational and liquidity risk and risk management efficacy, assessment of appropriateness of procedures for preparation of supervisory returns, KYC/AML/CFT issues, cyber security, business performance, business strategy including very high growth / high ROE accompanied with high risks, etc.
iii. Some of the matters to be dealt with by the SCA in their LFARs will be based on the LFARs received from the branches. In dealing with such matters, the SCA are expected to exercise their own judgement to make their observations on the basis of review of branch auditors’ LFARs.
iv. While deciding their audit strategy, the auditors may factor-in all material issues which are considered critical by looking at the size and complexity of the business operation, business strategy/models, internal controls including the control culture of the bank, structure and complexity of the IT systems, etc.
v. The scope and coverage of Statutory Audit and LFAR will broadly be as per the given format. However, if the SCA feels a need of some material additions, etc. in the scope, this may be done by giving specific justification and with the prior intimation to the Audit Committee of the Board of the bank.
vi. SCA may resort to need based limited transaction testing as hitherto.
vii. In deciding whether a qualification in the main report is necessary, the auditors should use their judgement based on the available evidences / facts and circumstances of each case.
I. CREDIT RISK AREAS
1. Loan Policy: The observations should broadly cover the sufficiency and effectiveness of the loan policy along with the compliance to instructions issued by RBI in areas like exposure norms, interest rates, statutory and other restrictions, among others. Other aspects relating to updation of the policy, system of monitoring and adherence thereto should also be commented upon. The observations should also comprise business model/business strategy as per the policy as against the actual business/income flow of the bank.
2. Credit Assessment: Whether the credit assessment process is sufficiently placed to capture the risk as also the adequacy of information/data available with the bank. The quick mortality cases be closely examined.
3. Sanctioning / Disbursement: Policy relating to delegation of powers at various levels, appropriateness of checks and balances, adherence to authorised limits, disbursal after complying with terms and conditions of disbursal be examined.
4. Documentation: The entire process, including the system of ensuring execution as per the terms of sanction, system of documentation in respect of joint/consortium advances, availability of relevant documents to ensure creation of charge in favor of banks when required, renewal of documents, should be examined. Defects observed along with compliance to RBI guidelines/bank’s internal policy in this regard be also examined.
5. Review / Monitoring / post sanction follow-up/Supervision: Extent of coverage and effectiveness of credit monitoring system covering both on balance sheet and off-balance sheet exposures, along with the quality of reporting both within the bank and outside agencies (like RBI CRILC, CIBIL, etc.) be examined along with adherence to RBI instructions/bank’s own policy. Special focus be given on functioning and effectiveness of system of identifying and reporting of Red Flagged Accounts, Early-Warning System (EWS), receipt of periodic balance confirmation / acknowledgement of debts, stock/book debt statements, balance-sheet, audited-accounts etc. System of scrutiny of the above information and follow-up by the bank should also be examined to identify process gaps. System of periodic physical verification or inspection of stocks, equipment, machinery, other securities etc. and review/renewal of advances including enhancement of limits, overall monitoring of advances through maturity/aging analysis should also be examined and suitably factored-in.
6. Restructuring/Resolution of Stressed Accounts: Comments on deviations observed in restructured accounts/stressed accounts under resolution with reference to Internal / RBI guidelines should be provided. Special emphasis should be given on the stance of the bank with respect to resolution of stressed accounts, specially covering compliance to regulatory guidelines, formulation of board approved policies including timelines for resolution, the manner in which decisions are taken during review period, board approved policies regarding recovery, compromise settlements, exit of exposure through sale of stressed assets, mechanism of deciding whether a concession granted to a borrower would have to be treated as restructuring or not, implementation of resolution in accordance with the laid down conditions, among others.
7. Asset Quality: Special emphasis should be given on continuous monitoring of classification of accounts into Standard, SMA, Sub-standard, Doubtful or loss as per IRAC Norms by the system, preferably without manual intervention, correct recognition of income, and adequacy of provision thereof. Effectiveness of the system for compiling data relating to NPA and their provision, data integrity, system of suspension of charging of interest and adherence thereto, should be examined and commented upon. Deviations observed, if any, should be provided along with requisite examples. Further, comments be provided on the procedure followed by the bank in upgradation of NPAs, updation of the value of securities with reference to RBI regulations and compliance by the bank with divergences observed during earlier RBI Inspection(s) with requisite examples of deviations, if any.
8. Recovery Policy: The existence and effectiveness of recovery policy, along with regular updates, manner of appropriation of recovery, instances wherein the appropriation was not as per the recovery policy be examined and commented upon. Instances observed / reported wherein the instructions of controlling authority related to legal action for recovery or recalling of advances are not acted upon, system of compromise settlements, system of monitoring accounts under Insolvency and Bankruptcy Code 2016 (IBC), write-off be specifically commented upon. In respect of compromise settlement, special emphasis should be given to the systems and processes relating to cases of recovery of Rs. 1.00 crore and above and also the cases wherein limits of sacrifice laid down in the recovery policy are breached. Further, the auditors should verify the list of accounts where insolvency proceedings had been initiated under IBC, but which were subsequently taken out of insolvency under Section 12A of the IBC. The auditors may satisfy themselves regarding the reasons of the creditors, especially the bank concerned, to agree to exiting the insolvency resolution process, and may comment upon deficiencies observed, if any.
9. Large Advances: Comment on adverse features considered significant in top 50 standard large advances and the accounts which need management’s attention be provided. In respect of advances below the threshold, the process needs to be checked and commented upon, based on a sample testing.
10. Audit Reports: Major adverse features observed in the reports of all audits/inspections, internal or external, carried out at credit department during the financial year should be suitably incorporated in the LFAR, if found persisting.
11. Recovery Records: Recovery from all the written-off accounts during the financial year should be examined and commented upon.
12. Wilful Defaulter: System of identifying and reporting of wilful defaulter should be examined and commented upon.
II. MARKET RISK AREAS
1. Investments including Derivatives: The focus should be on the merit of investment policy and adherence to RBI guidelines. Any deviations to the RBI directives, and guidelines issued by FIMMDA / FIBIL / FEDAI should be suitably highlighted. Special focus should be given on system of purchase and sale of investments, delegation of powers, reporting systems, segregation of back, middle and front office functions, efficacy of control over investments, including periodic verification/reconciliation of investments with book records, valuation mode, changes in mode of valuation, system relating to inter-bank call money operations, system relating to unquoted investments in the portfolio, system of audit including periodic verification/verification of investment activities/portfolios, policies and systems for monitoring activities such as underwriting, derivatives, etc. among others. With respect to RBI directives, special focus should be given on compliance to exposure norms, classification of investments into HTM / AFS / HFT category and inter-category shifting of securities, compliance to valuation, asset classification and provisioning norms, along with deviation from accounting and disclosure norms, among others. In respect of investment held at foreign branches, valuation mode, regulatory reserve requirements, liquidity etc. should be examined. Comments should also be made on the composition of investment portfolio as per RBI guidelines and the depreciations on investments, if not provided for. System of recording of income from investments, income accrued and due but not received, monitoring of mature investments and their timely encashment etc. should be examined and commented. The auditor may also comment upon the veracity of liquidity characteristics of different investments in the books, as claimed by bank in different regulatory/statutory statements. 
The internal control system, including all audits and inspections, IT and software being used by the bank for investment operations be examined in detail.
2. SLR/CRR Requirements: Any discrepancies in the process of compilation and calculation of NDTL by the bank should be highlighted in the report. It should be specifically commented whether the bank has complied with CRR/SLR requirements, with the instances of non-compliance, thereof.
3. Asset Liability Management: Existence of Policy on Asset-Liability Management and monitoring thereof, along with compliance with RBI guidelines and functioning of Asset Liability Management Committee should be examined.
III. GOVERNANCE, ASSURANCE FUNCTIONS AND OPERATIONAL RISK AREAS
1. Governance and Assurance Functions: Observations on governance, policy and implementation of business strategy and its adequacy vis-à-vis the risk appetite statement of the bank, effectiveness of assurance functions (risk management, compliance and internal audit) should be examined and suitably incorporated in the LFAR. Adequacy of risk-awareness, risk-taking and risk-management, risk and compliance culture per se, compliance testing, including the sustenance of the compliance, as also system of branch inspection, frequency, scope/coverage of inspection/internal audit, concurrent audit or revenue audit should also be examined along with the system of follow-up of these reports, position of compliance, corrective action taken by the bank among others.
2. Balancing of Books/Reconciliation of control and subsidiary records: Special focus should be given on the system of control for internal accounts along with effectiveness of the system of monitoring the position of balancing of books/reconciliation of control and subsidiary records, with details of books not balanced, if any. The item wise details of system generated transitory accounts not nullified at the year-end should be given separately with ageing of such items.
3. Inter-branch Reconciliation: The effectiveness of the system of inter-branch / inter-office reconciliation with respect to each type of entries, along with sufficiency of audit trail should be examined and commented upon. Age-wise analysis of unreconciled entries for each type of entry covered under Inter-branch reconciliation, as on balance sheet date along with subsequent clearance, thereof if any should be provided. Any unusual entries observed in the reconciliation process along with procedure for auto and forced matching of entries should be commented. Compliance with RBI guidelines with respect to provisioning for old outstanding entries, should be factored in the observations.
4. Frauds / Vigilance: Appropriateness of fraud risk management system and processes for early detection, timely reporting to RBI, investigation of frauds as also adequacy of provisioning with respect to reported frauds and deviations observed in compliance with directives issued by RBI should be examined and commented upon. Age-wise analysis of the cases/complaints investigated/under investigation of Vigilance Department along with observations on major frauds discovered during the year under audit be provided. Special focus should be given on the potential risk areas which might lead to perpetuation of fraud (e.g. falsification of accounts/false representation by the borrower; misappropriation of funds especially through related party / shell company transactions; forgery and fabrication of financial documents like invoices, debtor lists, stock statements, trade credit documents, shipping bills, work orders and encumbrance certificates and avail credit; Use of current accounts outside consortium where Trust and Retention Account (TRA) is maintained, to divert funds; List of Debtors/ Creditors were being fabricated and receivables were not followed up/ write off of debt of related parties; Fake export/shipping bill, etc.; Over statement of invoice amounts, stock statements, shipping bills, turnover; fly by night operations -including the cases where vendors, related/ associate parties, manufacturing units etc. aren’t available on the registered addresses; Round Tripping of funds, etc.).
5. Suspense Accounts, Sundry Deposits, etc.: System of clearance of items debited / credited to suspense / sundry accounts should be examined with the focus on audit trail, along with age-wise analysis of un-cleared entries of suspense account, sundry deposit, etc. as on balance sheet date along with subsequent clearance, thereof, if any. Any unusual entries observed in suspense account, sundry deposit etc. should be specifically commented. An examination of inactive/ inoperative accounts may also be carried out, as it is a fraud prone area. It should also be examined, whether the bank has made adequate provision with respect to un-cleared entries in suspense account, sundry deposits, etc. as per the RBI guidelines and to the satisfaction of the auditor.
6. KYC / AML: It should be examined whether the bank has duly updated and approved KYC and AML policies in synchronization with RBI circulars / guidelines and whether the said policies are effectively implemented by the bank. Assessment of the effectiveness of provisions for preventing money laundering and terrorist financing may be provided for.
7. Cash and other security items: System of monitoring of cash at branches, and management of cash through currency chest operations, including adequacy of insurance cover, system and procedure for physical custody of cash, systems and controls for procurement, issue and custody of valued stationery items such as Cheque Books, Demand Drafts, Pay Orders, Gold Coins etc. should be examined.
8. Para-Banking Activity: It should be examined whether the bank has effective internal control system with respect to para-banking activities undertaken by the bank. A list of such para-banking activities undertaken by the bank should be provided.
9. Management Information System: Existence and adequacy of management information system, method of compilation and accuracy of information, appropriateness of procedures for preparation of supervisory returns and its reliability under the Off Site Surveillance System of the RBI, reliability of information flow for the internal risk management system should be commented. Additionally, comment should also be provided on whether the bank has effective system of preparation and consolidation of branch returns and financial statements.
10. Any Other comments relating to People, Process and System Risks: Any other concerns relating to people, process and system risks may be commented upon.
IV. CAPITAL ADEQUACY
Capital Adequacy: A copy of the capital adequacy certificate be provided along with comments as to whether the bank has effective system of calculation of capital adequacy as per the directives of RBI. Any concerns which are considered material relating to the bank’s solvency and capital may be commented upon.
ICAAP Document: Whether Stress test is done as per RBI stress test Guidelines. Whether assumptions made in the document are realistic, encompassing all relevant risks. Also, whether banks’ strategies are aligned with their Board approved Risk Appetite Statements.
V. GOING CONCERN AND LIQUIDITY RISK ASSESSMENT
1. Going Concern Assessment: The auditor should comment whether the going concern basis of preparation of financial statements is appropriate; and auditor’s evaluation of the bank’s assessment of its ability to continue to meet its obligations for the foreseeable future (for at least 12 months after the date of the financial statements) with reasonable assurance for the same. Any material uncertainties relating to going concern should be disclosed.
2. Profitability: Analysis of variation in major items of income and expenditure compared to previous year should be carried out along with important ratios such as RoA, RoE, etc.
3. Liquidity Assessment: As a part of assessment of the bank on going concern basis, the auditor should also consider the robustness of the bank’s liquidity risk management systems and controls for managing liquidity, any external indicators that reveal liquidity or funding concerns, the availability of short-term liquidity support and compliance with norms relating to Liquidity Coverage Ratio (LCR) and Net Stability Funding Ratio (NSFR- as and when applicable) among others.
VI. INFORMATION SYSTEMS
1. Robustness of IT Systems: Auditors should comment on the robustness of IT systems covering all the software used by the bank along with functions thereof, inter-linkage/interface between different IT Systems, ATM network and its security, payment system products and services among others. Further, it should be examined whether the software used by the bank were subjected to Information System & Security Audit, Application function testing and any other audit mandated by RBI. Adequacy of IS Audit, migration audit (as and where applicable) and any other audit relating to IT and cyber security system and bank’s compliance to the findings of those audits should be commented upon.
2. IT Security and IS Policy: Auditors should comment whether the bank has duly updated and approved IT Security and IS Policy and whether the bank has complied with the RBI advisory/directives relating to IS environment/cyber security, issued from time-to-time.
3. Critical Systems / Processes: It should be examined whether there is an effective system of inter-linkage including seamless flow of data under Straight Through Process (STP) amongst various software / packages deployed. Special emphasis should be placed on outsourced activities and bank’s control over them, including bank’s own internal policy for outsourced activities.
VII. OTHER MATTERS
1. Comments on accounting policies including comments on changes in accounting policies made during the period.
2. Adequacy of provisions made for statutory liabilities such as Income Tax, Gratuity, Pension, Provident Fund, etc.
3. Adequacy of provisions made for off-balance sheet exposures and other claims against the bank.
4. Balances with other banks- observations on outstanding items in reconciliation statements.
5. Procedure for revaluation of NOSTRO accounts and outstanding forward exchange contracts.
6. Comment on system related to compliance with DEAF norms be provided.
7. Comment on compliance mechanism with regard to recommendations of specific committees appointed by RBI such as Ghosh, Jilani, Mitra, etc.
8. Observations on the working of subsidiaries/ associates/ joint ventures of the bank:
(a) reporting system to the holding bank and
(b) major losses of the subsidiary, if any.
9. Comment on business conduct including customer service by the bank describing instances, if any, of wrong debit of charges from customer accounts, mis-selling, ineffective complaint disposal mechanism, etc.
10. Any other matter, which the auditor considers should be brought to the notice of the management.