
What needs a relook - Internal processes or workforce in the audit department?

The recent instances of scams in public sector Banks invite criticism of the audit processes and practices in many Banks. The number of fraudulent instances is rising, and it has become the norm to highlight deficiencies in software systems rather than to accept internal flaws and recheck the internal controls, operational processes, audit, and operational/credit risk processes implemented in many Banks.

With the extent of technology advancement, every business process, regulation and compliance requirement is expected to be available through the different software solutions implemented or deployed in Banks. These include the accounting software, business operation and process software, fraud/risk-based software, regulatory and compliance software, and reporting software used by Banks and financial institutions. Many vendors provide audit software to ease the audit mechanism and to enable digitization and documentation of audit processes. Additionally, analytic software is provided to check transaction trends, volumes, and normal and abnormal behavior patterns, and to perform predictive and prescriptive analytics based on past transaction events. Most of the software within a Bank's ecosystem is integrated or connected so that data, operations and business processes stay synchronized and the relevant data or transactions can be viewed and monitored using dashboards. The IT budgets and utilization in public sector Banks are seemingly very high, and Banks are ready to invest in and implement software for strengthening security and risk management: cyber security, frauds, AML, operational and credit risk, etc. With this situation prevailing, it is always debatable when one notices and reads about large failures in these areas. With a strong regulatory framework and circulars/guidelines issued periodically by the Central Bank for better control of operational processes, there are multiple reasons to feel circumspect when one goes deep into each of these incidents/scams.

The software that performs business operations and processes contains built-in features such as maker-checker, deviation and routing mechanisms/approvals, audit trail, user and role management, access restrictions and control, limit checks, and inquiries and reports to strengthen internal audit and control.

Banks need to undergo multiple types of audit: internal audit, audit by certified firms of Chartered Accountants, Central Bank audit, etc. Internal audit is done periodically by inspection/audit officials of the Bank, who try to ascertain whether policies are implemented, circulars are followed, and operational risk/control processes are followed; the external audit mostly covers the asset accounts, the Non-Performing Asset (NPA) norms followed, and the provisions made on NPAs based on RBI guidelines. There are also audits by the Central Bank (RBI) to check Forex regulations and controls, FEMA guideline compliance, asset practices, and the NPA norms and procedures followed by Banks. The audit done by the Central Bank is in addition to the frequent reports that Banks must mandatorily submit, which provide a source of information on the extent of business done by Banks in various categories. Compared to internal audit, the depth and frequency of the audits done by external auditors and the RBI are limited, and they cater to specific areas. This makes the internal audit of the Bank more important and requires it to be frequent.

The internal auditors/inspecting officials of the Bank are practitioners who know different domains, the internal processes of the Bank and the regulations/guidelines of the Central Bank. They work with branch officials while auditing documents, reports, vouchers and audit reports to check and analyze the various transactions conducted. Though these officials are expected to have basic knowledge of the various software in use, they may not have expertise in it, which makes them dependent on branch officials to run queries, print reports, etc. This dependence makes them slightly vulnerable in the audit process, and it could be avoided by gaining some software expertise. Knowledge of accounting is equally important for audit staff, considering that the majority of accounting is done by software. The audit staff should be able to analyze this accounting and understand its implications and impact.

Audit is considered a non-glamorous job in Indian banks, and audit staff are considered an impediment to business growth in the branch because of their repeated asks on compliance checks and processes/guidelines. The audit staff have typically worked in branch/credit/forex operations at a branch in the past and were then transferred to the Audit/Inspection departments. This is also a reason for their not keeping pace with newer technologies and the newer functionalities/developments implemented in the software.

When a Bank selects software, training is conducted for operations staff, management staff and executives. Though the training agenda may include audit, exclusive training for audit staff is very unlikely and is considered the last priority. Software knowledge is not considered important for audit staff when compared to domain and operations knowledge. Though there are many risk certifications prevalent in the market, they are not made mandatory for staff, nor are staff with relevant certifications recruited in the first place.

To conclude, audit is an important function, and internal auditors can be the watchdog for security and operational process breaches in the system. Audit staff need to have skills in:

  • Domain
  • Operational and Risk processes in the Bank
  • Banking Regulations and Compliance
  • Software (running queries, taking reports, search and inquiry)
  • Accounting principles (Double entry, IAS/IFRS)

Moving towards technology/digitization is required for all Banks (public/private) to keep pace with emerging needs and planned business growth, but it does not reduce the responsibility of the Management to train the Bank staff on software/audit, or of the audit staff to gain expertise in software. Business processes need to be developed taking into account the risk elements, security and regulatory guidelines, with control and monitoring mechanisms. But none of these can substitute for the experience, knowledge and intelligence of the Bank staff, and technology elements alone will not be sufficient to prevent fraud/risk from occurring in Banks. From a long-term perspective, processes/mechanisms to prevent multiple Bank staff from colluding to commit fraud need to be developed, with or without technology elements.

There could also be a central team of auditors, drawn from multiple Banks and knowledgeable in banking and in the common banking software run in many banks, to ensure sharing of best practices/processes across banks and to share a particular behavior or functionality used by one Bank that has proved to be successful. Processes can be laid out to avoid conflicts of interest between banks and to prevent poaching on their business improvement programs. The team can comprise a homogeneous set of staff skilled in a specific software that runs in multiple Banks in the market/geography. The governance mechanism and regulations to this effect can be implemented by the Central Bank in discussion with multiple Banks.
