Nepal Auditing Practice Statements

This document provides guidance for auditors performing audits of financial statements of banks in Nepal. It discusses audit objectives, agreeing engagement terms, planning the audit, assessing internal controls, performing substantive procedures, and reporting. Appendices provide examples of risks related to fraud, illegal acts, internal controls, substantive procedures for specific bank operations, financial analysis tools, and risks regarding various banking activities. The guidance is intended to highlight risks unique to banking and supplement international auditing standards for audits of banks.

Uploaded by Suneel

NEPAL AUDITING PRACTICE STATEMENTS

NAPS 101

AUDITS OF THE FINANCIAL STATEMENTS OF BANKS

Auditing Standards Board, Nepal


2006
NAPS 101

NEPAL AUDITING PRACTICE STATEMENT


AUDITS OF THE FINANCIAL STATEMENTS OF BANKS

CONTENTS
Paragraphs

Introduction 1-8
Audit Objectives 9-11
Agreeing the Terms of the Engagement 12-14
Planning the Audit 15-55
Internal Control 56-70
Performing Substantive Procedures 71-100
Reporting on the Financial Statements 101-103
Compliance with International Auditing Practice Statement 104
Effective Date 105

Appendix 1: Risks and Issues in Respect of Fraud and Illegal Acts
Appendix 2: Examples of Internal Control Considerations and Substantive Procedures
for Two Areas of a Bank’s Operations
Appendix 3: Examples of Financial Information, Ratios and Indicators Commonly
Used in the Analysis of a Bank’s Financial Condition and Performance
Appendix 4: Risks and Issues in Securities Underwriting and Securities Brokerage
Appendix 5: Risks and Issues in Private Banking and Asset Management

Glossary and References

This NAPS is applicable in all material respects to Public Sector also.

Nepal Auditing Practice Statement NAPS 101, “Audits of the Financial Statements of
Banks” should be read in the context of the “Preface to Nepal Standards on Auditing
and also the International Standards on Quality Control, Auditing, Assurance and
Related Services,” *

Professional accountants should be aware of and consider Practice Statements
applicable to the engagement. A professional accountant who does not consider and
apply the guidance included in this Practice Statement should be prepared to explain
how the basic principles and essential procedures addressed by this Practice Statement
have been complied with.

Introduction

1. The purpose of this Statement is to provide practical assistance to auditors and to
promote good practice in applying Nepal Standards on Auditing (NSAs) to the
audit of banks’ financial statements. It is not, however, intended to be an
exhaustive listing of the procedures and practices to be used in such an audit. In
conducting an audit in accordance with NSAs the auditor complies with all the
requirements of all the NSAs.

2. Banking supervisors require that the auditor report certain events to the regulators
or make regular reports to them in addition to the audit report on the banks’
financial statements. This Statement does not deal with such reports, the
requirements for which often vary significantly. IAPS 1004, “The Relationship
Between Banking Supervisors and Bank’s External Auditors” discusses that
subject in more detail.

* International Auditing Practice Statement IAPS 1006, “Audits of the Financial
Statements of Banks” should be read in the context of the “Preface to the International
Standards on Quality Control, Auditing, Assurance and Related Services,” which sets
out the application and authority of IAPSs. This Statement has been prepared by the
International Auditing Practices Committee (IAPC) of the International Federation of
Accountants. The IAPC bank audit sub-committee included observers from the Basel
Committee on Banking Supervision (the Basel Committee). The document was
approved for publication by the IAPC at its meeting in October 2001. It is based on
ISAs extant at 1 October 2001.

The Basel Committee on Banking Supervision is a committee of banking and supervisory
authorities that was established by the central bank governors of ten countries in 1975. It
consists of senior representatives of bank supervisory authorities and central banks from
Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Sweden,
Switzerland, the United Kingdom and the United States. It usually meets at the Bank for
International Settlements in Basel, where its permanent secretariat is located.

3. For the purpose of this Statement, a bank is a type of financial institution whose
principal activity is the taking of deposits and borrowing for the purpose of
lending and investing and that is recognised as a bank by the regulatory
authorities in the country. There are a number of other types of entity that carry
out similar functions, for example, cooperative societies, savings and loan
associations, NGOs and INGOs. The guidance in this Statement is applicable to
audits of financial statements that cover the banking activities carried out by those
entities. It also applies to the audits of consolidated financial statements that
include the results of banking activities carried out by any group member. This
Statement addresses the assertions made in respect of banking activities in the
entity’s financial statements and so indicates which assertions in a bank’s
financial statements cause particular difficulties and why they do so. This
necessitates an approach based on the elements of the financial statements.
However, when obtaining audit evidence to support the financial statement
assertions, the auditor often carries out procedures based on the types of activities
the entity carries out and the way in which those activities affect the financial
statement assertions.

4. Banks commonly undertake a wide range of activities. However, most banks
continue to have in common the basic activities of deposit taking, borrowing,
lending, settlement, trading and treasury operations. This Statement’s primary
purpose is the provision of guidance on the audit implications of such activities.
In addition, this Statement provides limited guidance in respect of securities
underwriting and brokerage, and asset management, which are activities that
auditors of banks’ financial statements frequently encounter. Banks typically
undertake activities involving derivative financial instruments. This Statement
gives guidance on the audit implications of such activities when they are part of
the bank’s trading and treasury operations. IAPS 1012, “Auditing Derivative
Financial Instruments” gives guidance on such activities when the bank holds
derivatives as an end user.

5. This Statement is intended to highlight those risks that are unique to banking
activities. There are many audit-related matters that banks share with other
commercial entities. The auditor is expected to have a sufficient understanding of
such matters and so, although those matters may affect the audit approach or may
have a material effect on the bank’s financial statements, this Statement does not
discuss them. This Statement describes in general terms aspects of banking
operations with which an auditor becomes familiar before undertaking the audit of
a bank’s financial statements: it is not intended to describe banking operations.
Consequently, this Statement on its own does not provide an auditor with
sufficient background knowledge to undertake the audit of a bank’s financial
statements. However, it does point out areas where that background knowledge is
required. Auditors will supplement the guidance in this Statement with
appropriate reference material and by reference to the work of experts as required.

6. Banks have the following characteristics that generally distinguish them from
most other commercial enterprises:

• They have custody of large amounts of monetary items, including cash
and negotiable instruments, whose physical security has to be safeguarded
during transfer and while being stored. They also have custody and control
of negotiable instruments and other assets that are readily transferable in
electronic form. The liquidity characteristics of these items make banks
vulnerable to misappropriation and fraud. Banks therefore need to
establish formal operating procedures, well-defined limits for individual
discretion and rigorous systems of internal control.

• They often engage in transactions that are initiated in one jurisdiction,
recorded in a different jurisdiction and managed in yet another
jurisdiction.

• They operate with very high leverage (that is, the ratio of capital to total
assets is low), which increases banks’ vulnerability to adverse economic
events and increases the risk of failure.

• They have assets that can rapidly change in value and whose value is often
difficult to determine. Consequently a relatively small decrease in asset
values may have a significant effect on their capital and potentially on
their regulatory solvency.

• They generally derive a significant amount of their funding from short-term
deposits (either insured or uninsured). A loss of confidence by
depositors in a bank’s solvency may quickly result in a liquidity crisis.

• They have fiduciary duties in respect of the assets they hold that belong to
other persons. This may give rise to liabilities for breach of trust. They
therefore need to establish operating procedures and internal controls
designed to ensure that they deal with such assets only in accordance with
the terms on which the assets were transferred to the bank.

• They engage in a large volume and variety of transactions whose value
may be significant. This ordinarily requires complex accounting and
internal control systems and widespread use of information technology
(IT).

• They ordinarily operate through networks of branches and departments
that are geographically dispersed. This necessarily involves a greater
decentralisation of authority and dispersal of accounting and control
functions, with consequential difficulties in maintaining uniform operating
practices and accounting systems, particularly when the branch network
transcends national boundaries.

• Transactions can often be directly initiated and completed by the customer
without any intervention by the bank’s employees, for example over the
Internet or through automatic teller machines (ATMs).

• They often assume significant commitments without any initial transfer of
funds other than, in some cases, the payment of fees. These commitments
may involve only memorandum accounting entries. Consequently their
existence may be difficult to detect.

• They are regulated by governmental authorities, whose regulatory
requirements often influence the accounting principles that banks follow.
Non-compliance with regulatory requirements, for example, capital
adequacy requirements, could have implications for the bank’s financial
statements or the disclosures therein.

• Customer relationships that the auditor, assistants, or the audit firm may
have with the bank might affect the auditor’s independence in a way that
customer relationships with other organisations would not.

• They generally have exclusive access to clearing and settlement systems
for cheques, fund transfers, foreign exchange transactions, etc.

• They are an integral part of, or are linked to, national and international
settlement systems and consequently could pose a systemic risk to the
countries in which they operate.

• They may issue and trade in complex financial instruments, some of which
may need to be recorded at fair values in the financial statements. They
therefore need to establish appropriate valuation and risk management
procedures. The effectiveness of these procedures depends on the
appropriateness of the methodologies and mathematical models selected,
access to reliable current and historical market information, and the
maintenance of data integrity.

7. Special audit considerations arise in the audits of banks because of matters such
as the following:

• The particular nature of the risks associated with the transactions
undertaken by banks.

• The scale of banking operations and the resultant significant exposures
that may arise in a short period.

• The extensive dependence on IT to process transactions.

• The effect of the regulations in the various jurisdictions in which they
operate.

• The continuing development of new products and banking practices that
may not be matched by the concurrent development of accounting
principles or internal controls.

8. This Statement is organised into a discussion of the various aspects of the audit of
a bank with emphasis being given to those matters that are either peculiar to, or of
particular importance in, such an audit. Included for illustrative purposes are
appendices that contain examples of:

(a) Typical warning signs of fraud in banking operations;

(b) Typical internal controls, tests of control and substantive audit procedures
for two of the major operational areas of a bank: treasury and trading
operations and lending activities;

(c) Financial ratios commonly used in the analysis of a bank’s financial
condition and performance; and

(d) Risks and issues in securities operations, private banking and asset
management.

Audit Objectives

9. NSA 01, “Objective and General Principles Governing an Audit of Financial
Statements” states:

The objective of an audit of financial statements is to enable the auditor to express
an opinion whether the financial statements are prepared, in all material respects,
in accordance with an identified financial reporting framework.

10. The objective of the audit of a bank’s financial statements conducted in
accordance with NSAs is, therefore, to enable the auditor to express an opinion on
the bank’s financial statements, which are prepared in accordance with an
identified financial reporting framework.

11. The auditor’s report indicates the financial reporting framework that has been
used to prepare the bank’s financial statements (including identifying the country
of origin of the financial reporting framework when the framework used is not
International Accounting Standards). When reporting on financial statements of a
bank prepared specifically for use in a country other than that under whose rules it
is established, the auditor considers whether the financial statements contain
appropriate disclosures about the financial reporting framework used. Paragraphs
101–103 of this Statement discuss the auditor’s report in more detail.

Agreeing the Terms of the Engagement

12. As stated in NSA 02, “Terms of Audit Engagements”: The engagement letter
documents and confirms the auditor’s acceptance of the appointment, the
objective and scope of the audit, the extent of the auditor’s responsibilities to the
client and the form of any reports.

13. Paragraph 6 lists some of the characteristics that are unique to banks and indicates
the areas where the auditor and assistants may require specialist skills. In
considering the objective and scope of the audit and the extent of the
responsibilities, the auditor considers his own skills and competence and those of
his assistants to conduct the engagement. In doing so, the auditor considers the
following factors:

• The need for sufficient expertise in the aspects of banking relevant to the
audit of the bank’s business activities.

• The need for expertise in the context of the IT systems and communication
networks the bank uses.

• The adequacy of resources or inter-firm arrangements to carry out the
work necessary at the number of domestic and international locations of
the bank at which audit procedures may be required.

14. In addition to the general factors set out in NSA 02, the auditor considers
including comments on the following when issuing an engagement letter:

• The use and source of specialised accounting principles, with particular
reference to:

  - Any requirements contained in the law or regulations applicable to
    banks;

  - Pronouncements of the banking supervisory and other regulatory
    authorities;

  - Pronouncements of relevant professional accounting bodies, for
    example, the Nepal Accounting Standards Board;

  - Pronouncements of the Basel Committee on Banking Supervision
    if made applicable by the regulatory authorities; and

  - Industry practice.

• The contents and form of the auditor’s report on the financial statements
and any special-purpose reports required from the auditor in addition to
the report on the financial statements. This includes whether such reports
refer to the application of regulatory or other special purpose accounting
principles or describe procedures undertaken especially to meet regulatory
requirements.

• The nature of any special communication requirements or protocols that
may exist between the auditor and the banking supervisory and other
regulatory authorities.

• The access that bank supervisors will be granted to the auditor’s working
papers when such access is required by law, and the bank’s advance
consent to this access.

Planning the Audit

Introduction

15. The audit plan includes, among other things:

• Obtaining a sufficient knowledge of the entity’s business and governance
structure, and a sufficient understanding of the accounting and internal
control systems, including risk management and internal audit functions;

• Considering the expected assessments of inherent and control risks, being
the risk that material misstatements occur (inherent risk) and the risk that
the bank’s system of internal control does not prevent or detect and correct
such misstatements on a timely basis (control risk);

• Determining the nature, timing and extent of the audit procedures to be
performed; and

• Considering the going concern assumption regarding the entity’s ability to
continue in operation for the foreseeable future, which will be the period
used by management in making its assessment under the financial
reporting framework. This period will ordinarily be for a period of at least
one year after the balance sheet date.

Obtaining a Knowledge of the Business

16. Obtaining a knowledge of the bank’s business requires the auditor to understand:

• The bank’s corporate governance structure;

• The economic and regulatory environment prevailing for the principal
countries in which the bank operates; and

• The market conditions existing in each of the significant sectors in which
the bank operates.

17. Corporate governance plays a particularly important role in banks; many
regulators set out requirements for banks to have effective corporate governance
structures. Accordingly the auditor obtains an understanding of the bank’s
corporate governance structure and how those charged with governance discharge
their responsibilities for the supervision, control and direction of the bank.

18. Similarly the auditor obtains and maintains a good working knowledge of the
products and services offered by the bank. In obtaining and maintaining that
knowledge, the auditor is aware of the many variations in the basic deposit, loan
and treasury services that are offered and continue to be developed by banks in
response to market conditions. The auditor obtains an understanding of the nature
of services rendered through instruments such as letters of credit, acceptances,
interest rate futures, forward and swap contracts, options and other similar
instruments in order to understand the inherent risks and the auditing, accounting
and disclosure implications thereof.

19. If the bank uses service organisations to provide core services or activities, such
as cash and securities settlement, back office activities or internal audit services,
the responsibility for compliance with rules and regulations and sound internal
controls remains with those charged with governance and the management of the
outsourcing bank. The auditor considers legal and regulatory restrictions, and
obtains an understanding of how the management and those charged with
governance monitor that the system of internal control (including internal audit)
operates effectively. ISA 402, “Audit Considerations Relating to Entities Using
Service Organisations” gives further guidance on this subject.

20. There are a number of risks associated with banking activities that, while not
unique to banking, are important in that they serve to shape banking operations.
The auditor obtains an understanding of the nature of these risks and how the
bank manages them. This understanding allows the auditor to assess the levels of
inherent and control risks associated with different aspects of a bank’s operations
and to determine the nature, timing and extent of the audit procedures.

Understanding the Nature of Banking Risks

21. The risks associated with banking activities may broadly be categorised as:

Country risk: The risk of foreign customers and counterparties
failing to settle their obligations because of economic,
political and social factors of the counterparty’s home
country and external to the customer or counterparty;

Credit risk: The risk that a customer or counterparty will not settle
an obligation for full value, either when due or at any
time thereafter. Credit risk, particularly from
commercial lending, may be considered the most
important risk in banking operations. Credit risk arises
from lending to individuals, companies, banks and
governments. It also exists in assets other than loans,
such as investments, balances due from other banks
and in off-balance sheet commitments. Credit risk also
includes country risk, transfer risk, replacement risk
and settlement risk.

Currency risk: The risk of loss arising from future movements in the
exchange rates applicable to foreign currency assets,
liabilities, rights and obligations.

Fiduciary risk: The risk of loss arising from factors such as failure to
maintain safe custody or negligence in the
management of assets on behalf of other parties.

Interest rate risk: The risk that a movement in interest rates would have
an adverse effect on the value of assets and liabilities
or would affect interest cash flows.

Legal and documentary risk: The risk that contracts are documented incorrectly or
are not legally enforceable in the relevant jurisdiction
in which the contracts are to be enforced or where the
counterparties operate. This can include the risk that
assets will turn out to be worth less or liabilities will
turn out to be greater than expected because of
inadequate or incorrect legal advice or documentation.
In addition, existing laws may fail to resolve legal
issues involving a bank; a court case involving a
particular bank may have wider implications for the
banking business and involve costs to it and many or
all other banks; and laws affecting banks or other
commercial enterprises may change. Banks are
particularly susceptible to legal risks when entering
into new types of transactions and when the legal right
of a counterparty to enter into a transaction is not
established.

Liquidity risk: The risk of loss arising from the changes in the bank’s
ability to sell or dispose of an asset.

Modeling risk: The risk associated with the imperfections and
subjectivity of valuation models used to determine the
values of assets or liabilities.

Operational risk: The risk of direct or indirect loss resulting from
inadequate or failed internal processes, people and
systems or from external events.

Price risk: The risk of loss arising from adverse changes in
market prices, including interest rates, foreign
exchange rates, equity and commodity prices and from
movements in the market prices of investments.

Regulatory risk: The risk of loss arising from failure to comply with
regulatory or legal requirements in the relevant
jurisdiction in which the bank operates. It also
includes any loss that could arise from changes in
regulatory requirements.

Replacement risk: (Sometimes called performance risk) The risk of
failure of a customer or counterparty to perform the
terms of a contract. This failure creates the need to
replace the failed transaction with another at the
current market price. This may result in a loss to the
bank equivalent to the difference between the contract
price and the current market price.

Reputational risk: The risk of losing business because of negative public
opinion and consequential damage to the bank’s
reputation arising from failure to properly manage
some of the above risks, or from involvement in
improper or illegal activities by the bank or its senior
management, such as money laundering or attempts to
cover up losses.

Settlement risk: The risk that one side of a transaction will be settled
without value being received from the customer or
counterparty. This will generally result in the loss to
the bank of the full principal amount.

Solvency risk: The risk of loss arising from the possibility of the bank
not having sufficient funds to meet its obligations, or
from the bank’s inability to access capital markets to
raise required funds.

Transfer risk: The risk of loss arising when a counterparty’s
obligation is not denominated in the counterparty’s
home currency. The counterparty may be unable to
obtain the currency of the obligation irrespective of the
counterparty’s particular financial condition.

22. Banking risks increase with the degree of concentration of a bank’s exposure to
any one customer, industry, geographic area or country. For example, a bank’s
loan portfolio may have large concentrations of loans or commitments to
particular industries, and some, such as real estate, shipping and natural resources,
may have highly specialised practices. Assessing the relevant risks relating to
loans to entities in those industries may require a knowledge of these industries,
including their business, operational and reporting practices.

23. Most transactions involve more than one of the risks identified above.
Furthermore, the individual risks set out above may be correlated with one
another. For example, a bank’s credit exposure in a securities transaction may
increase as a result of an increase in the market price of the securities concerned.
Similarly, non-payment or settlement failure can have consequences for a bank’s
liquidity position. The auditor therefore considers these and other risk correlations
when analysing the risks to which a bank is exposed.

24. Banks may be subject to risks arising from the nature of their ownership. For
example, a bank’s owner or a group of owners might try to influence the
allocation of credit. In a closely held bank, the owners may have significant
influence on the bank’s management affecting their independence and judgement.
The auditor considers such risks.

25. In addition to understanding the external factors that could indicate increased risk,
the auditor considers the nature of risks arising from the bank’s operations.
Factors that contribute significantly to operational risk include the following:

(a) The need to process high volumes of transactions accurately within a short
time. This need is almost always met through the large-scale use of IT,
with the resultant risks of:

(i) Failure to carry out executed transactions within the required time,
causing an inability to receive or make payments for those
transactions;

(ii) Failure to carry out complex transactions properly;

(iii) Wide-scale misstatements arising from a breakdown in internal
control;

(iv) Loss of data arising from systems’ failure;

(v) Corruption of data arising from unauthorised interference with the
systems; and

(vi) Exposure to market risks arising from lack of reliable up-to-date
information.

(b) The need to use electronic funds transfer (EFT) or other
telecommunications systems to transfer ownership of large sums of
money, with the resultant risk of exposure to loss arising from payments to
incorrect parties through fraud or error.

(c) The conduct of operations in many locations with a resultant geographic
dispersion of transaction processing and internal controls. As a result:

(i) There is a risk that the bank’s worldwide exposure by customer
and by product may not be adequately aggregated and monitored;
and

(ii) Control breakdowns may occur and remain undetected or
uncorrected because of the physical separation between
management and those who handle the transactions.

(d) The need to monitor and manage significant exposures that can arise over
short time-frames. The process of clearing transactions may cause a
significant build-up of receivables and payables during a day, most of
which are settled by the end of the day. This is ordinarily referred to as
intra-day payment risk. These exposures arise from transactions with
customers and counterparties and may include interest rate, currency and
market risks.

(e) The handling of large volumes of monetary items, including cash,
negotiable instruments and transferable customer balances, with the
resultant risk of loss arising from theft and fraud by employees or other
parties.

(f) The inherent complexity and volatility of the environment in which banks
operate, resulting in the risk of inappropriate risk management strategies
or accounting treatments in relation to such matters as the development of
new products and services.

(g) Operating restrictions may be imposed as a result of the failure to adhere
to laws and regulations. Overseas operations are subject to the laws and
regulations of the countries in which they are based as well as those of the
country in which the parent entity has its headquarters. This may result in
the need to adhere to differing requirements and a risk that operating
procedures that comply with regulations in some jurisdictions do not meet
the requirements of others.

26. Fraudulent activities may take place within a bank by, or with the knowing
involvement of, management or personnel of the bank. Such frauds may include
fraudulent financial reporting without the motive of personal gain (for example,
to conceal trading losses), or the misappropriation of the bank’s assets for
personal gain that may or may not involve the falsification of records.
Alternatively, fraud may be perpetrated on a bank without the knowledge or
complicity of the bank’s employees. NSA 05, “The Auditor’s Responsibility to
Consider Fraud and Error in an Audit of Financial Statements” gives more
guidance on the nature of the auditor’s responsibilities with respect to fraud.
Although many areas of a bank’s operations are susceptible to fraudulent
activities, the most common take place in the lending, deposit-taking and dealing
functions. The methods commonly used to perpetrate fraud and a selection of the
fraud risk factors that indicate that a fraud may have occurred are set out in
Appendix 1.

27. By the nature of their business, banks are ready targets for those engaged in
money laundering activities by which the proceeds of crime are converted into
funds that appear to have a legitimate source. In recent years drug traffickers in
particular have greatly added to the scale of money laundering that takes place
within the banking industry. In many jurisdictions, legislation requires banks to
establish policies, procedures and controls to deter and to recognise and report
money laundering activities. These policies, procedures and controls commonly
extend to the following:

• A requirement to obtain customer identification (“know your client”).

• Staff screening.

• A requirement to know the purpose for which an account is to be used.

• The maintenance of transaction records.

• The reporting to the authorities of suspicious transactions or of all
transactions of a particular type, for example, cash transactions over a
certain amount.

• The education of staff to assist them in identifying suspicious transactions.

In some jurisdictions, auditors may have an express obligation to report to the
authorities certain types of transactions that come to their attention. Even where
no such obligation exists, an auditor who discovers a possible instance of
noncompliance with laws or regulations considers the implications for the
financial statements and the audit opinion thereon. NSA 15, “Consideration of
Laws and Regulations in an Audit of Financial Statements” gives further guidance
on this matter.

Understanding the Risk Management Process

28. Management develops controls and uses performance indicators to aid in
managing key business and financial risks. An effective risk management system
in a bank generally requires the following:

• Oversight and involvement in the control process by those charged with
governance

Those charged with governance should approve written risk management
policies. The policies should be consistent with the bank’s business
strategies, capital strength, management expertise, regulatory requirements
and the types and amounts of risk it regards as acceptable. Those charged
with governance are also responsible for establishing a culture within the
bank that emphasises their commitment to internal controls and high
ethical standards, and often establish special committees to help discharge
their functions. Management is responsible for implementing the strategies
and policies set by those charged with governance and for ensuring that an
adequate and effective system of internal control is established and
maintained.

• Identification, measurement and monitoring of risks

Risks that could significantly impact the achievement of the bank’s goals
should be identified, measured and monitored against pre-approved limits
and criteria. This function may be conducted by an independent risk
management unit, which is also responsible for validating and stress
testing the pricing and valuation models used by the front and back
offices. Banks ordinarily have a risk management unit that monitors risk
management activities and evaluates the effectiveness of risk management
models, methodologies and assumptions used. In such situations, the
auditor considers whether and how to use the work of that unit.

• Control activities

A bank should have appropriate controls to manage its risks, including
effective segregation of duties (particularly between front and back
offices), accurate measurement and reporting of positions, verification and
approval of transactions, reconciliations of positions and results, setting of
limits, reporting and approval of exceptions to limits, physical security and
contingency planning.

• Monitoring activities

Risk management models, methodologies and assumptions used to
measure and manage risk should be regularly assessed and updated. This
function may be conducted by an independent risk management unit.
Internal auditing should test the risk management process periodically to
check whether management policies and procedures are complied with and
whether the operational controls are effective. Both the risk management
unit and internal auditing should have a reporting line to those charged
with governance and management that is independent of those on whom
they are reporting.

• Reliable information systems

Banks require reliable information systems that provide adequate
financial, operational and compliance information on a timely and
consistent basis. Those charged with governance and management require
risk management information that is easily understood and that enables
them to assess the changing nature of the bank’s risk profile.

Development of an Overall Audit Plan

29. In developing an overall plan for the audit of the financial statements of a bank,
the auditor gives particular attention to:

• The complexity of the transactions undertaken by the bank and the
documentation in respect thereof;

• The extent to which any core activities are provided by service
organisations;

• Contingent liabilities and off-balance sheet items;

• Regulatory considerations;

• The extent of IT and other systems used by the bank;

• The expected assessments of inherent and control risks;

• The work of internal auditing;

• The assessment of audit risk;

• The assessment of materiality;

• Management’s representations;

• The involvement of other auditors;

• The geographic spread of the bank’s operations and the co-ordination of
work between different audit teams;

• The existence of related party transactions; and

• Going concern considerations.

These matters are discussed in subsequent paragraphs.

The Complexity of Transactions Undertaken

30. Banks typically have a wide diversity of activities, which means that it is
sometimes difficult for an auditor to fully understand the implications of
particular transactions. The transactions may be so complex that management
itself fails to analyse properly the risks of new products and services. The wide
geographic spread of a bank’s activities can also lead to difficulties. Banks
undertake transactions that have complex and important underlying features that
may not be apparent from the documentation that is used to process the
transactions and to enter them into the bank’s accounting records. This results in
the risk that all aspects of a transaction may not be fully or correctly recorded or
accounted for, with the resultant risks of:

• Loss due to the failure to take timely corrective action;

• Failure to make adequate provisions for loss on a timely basis; and

• Inadequate or improper disclosure in the financial statements and other
reports.

The auditor obtains an understanding of the bank’s activities and the transactions
it undertakes sufficient to enable the auditor to identify and understand the events,
transactions and practices that, in the auditor’s judgement, may have a significant
effect on the financial statements or on the examination or audit report.

31. Many of the amounts to be recorded or disclosures made in the financial
statements involve the exercise of judgement by management, for example, loan
loss provisions, and provisions against financial instruments such as liquidity risk
provision, modeling risk provision and reserve for operational risk. The greater
the judgement required, the greater the inherent risk and the greater the
professional judgement required by the auditor. Similarly, there may be other
significant items in the financial statements that involve accounting estimates.
The auditor considers the guidance set out in NSA 23, “Audit of Accounting
Estimates.”

The Extent to Which any Core Activities are Provided by Service Organisations

32. In principle, the considerations when a bank uses service organisations are no
different from the considerations when any other entity uses them. However,
banks sometimes use service organisations to perform parts of their core
activities, such as credit and cash management. When the bank uses service
organisations for such activities, the auditor may find it difficult to obtain
sufficient appropriate audit evidence without the cooperation of the service
organisation. ISA 402, “Audit Considerations Relating to Entities Using Service
Organisations” provides further guidance on the auditing considerations and the
types of reports that auditors of service organisations provide to the organisation’s
clients.

Contingent Liabilities and Off-Balance Sheet Items

33. Banks also typically engage in transactions that:

• Have a low fee revenue or profit element as a percentage of the underlying
asset or liability;

• Regulations may not require to be disclosed in the balance sheet, or even
in the notes to the financial statements;

• Are recorded only in memorandum accounts; or

• Involve securitising and selling assets so that they no longer appear in the
bank’s financial statements.

Examples of such transactions are safe custody services, guarantees, comfort
letters and letters of credit, interest rate and currency swaps and commitments and
options to purchase and sell foreign exchange.

34. The auditor reviews the bank’s sources of revenue, and obtains sufficient
appropriate audit evidence regarding the following:

(a) The accuracy and completeness of the accounting records relating to such
transactions.

(b) The existence of proper controls to limit the banking risks arising from
such transactions.

(c) The adequacy of any provisions for loss which may be required.

(d) The adequacy of any financial statement disclosures which may be
required.

Regulatory Considerations

35. The International Auditing Practices Statement 1004 provides information and
guidance on the relationship between bank auditors and banking supervisors. The
Basel Committee has issued supervisory guidance regarding sound banking
practices for managing risks, internal control systems, loan accounting and
disclosure, other disclosures and for other areas of bank activities. In addition, the
Basel Committee has issued guidance on the assessment of capital adequacy and
other important supervision topics. This guidance is available to the auditor and to
the public on the internet web site of the Bank for International Settlements (BIS).

36. In accordance with NSA 14, the auditor considers whether the assertions in the
financial statements are consistent with the auditor’s knowledge of the business.
In many regulatory frameworks, the level and types of business a bank is allowed
to undertake depend upon the level of its assets and liabilities and the types and
perceived risks attached to those assets and liabilities (a risk-weighted capital
framework). In such circumstances there are greater pressures for management to
engage in fraudulent financial reporting by miscategorising assets and liabilities
or by describing them as being less risky than they actually are, particularly when
the bank is operating at, or close to, the minimum required capital levels.

37. There are many procedures that both auditors and bank supervisors perform,
including:

• The performance of analytical procedures;

• Obtaining evidence regarding the operation of the internal control system;
and

• The review of the quality of a bank’s assets and the assessment of banking
risks.

The auditor therefore finds it advantageous to interact with the supervisors and to
have access to communications that the supervisors may have addressed to the
bank management on the results of their work. The assessment made by the
supervisors in important areas such as the adequacy of risk management practices
and provisions for loan losses, and the prudential ratios used by the supervisors
can be of assistance to the auditor in performing analytical procedures and in
focusing attention on specific areas of supervisory concern.

The Extent of IT and Other Systems

38. The high volume of transactions and the short times in which they must be
processed typically result in most banks making extensive use of IT, EFT and
other telecommunications systems. The control concerns arising from the use of
IT by a bank are similar to those arising when IT is used by other organisations.
However, the matters that are of particular concern to the auditor of a bank
include the following:

• The use of IT to calculate and record substantially all of the interest
income and interest expense, which are ordinarily two of the most
important elements in the determination of a bank’s earnings.

• The use of IT and telecommunications systems to determine the foreign
exchange security and derivative trading positions, and to calculate and
record the gains and losses arising from them.

• The extensive, and in some cases almost total, dependence on the records
produced by IT because they represent the only readily accessible source
of detailed up-to-date information on the bank’s assets and liability
positions, such as customer loan and deposit balances.

• The use of complex valuation models incorporated in the IT systems.

• The models used to value assets and the data used by those models are
often kept in spreadsheets prepared by individuals on personal computers
not linked to the bank’s main IT systems and not subject to the same
controls as applications on those systems. IAPS 1001, “IT
Environments—Stand-Alone Personal Computers” provides guidance to
auditors in respect of these applications.

• The use of different IT systems resulting in the risk of loss of audit trail
and incompatibility of different systems.

EFT systems are used by banks both internally (for example, for transfers
between branches and between automated banking machines and the
computerised files that record account activity) and externally between the bank
and other financial institutions (for example, through the SWIFT network) and
also between the bank and its customers through the internet or other electronic
commerce media.

39. The auditor obtains an understanding of the core IT, EFT and telecommunication
applications and the links between those applications. The auditor relates this
understanding to the major business processes or balance sheet positions in order
to identify the risk factors for the organisation and therefore for the audit. In
addition, it is important to identify the extent of the use of self-developed
applications or integrated systems, which will have a direct effect on the audit
approach. (Self-developed systems require the auditor to focus more extensively
on the program change controls.)

40. When auditing in a distributed IT environment, the auditor obtains an
understanding of where the core IT applications are located. If the bank’s wide
area network (WAN) is dispersed over several countries, specific legislative rules
might apply to cross-border data processing. In such an environment, audit work
on the access control system, especially on the access violation system, is an
important part of the audit.

41. An electronic commerce environment changes significantly the way the bank
conducts its business. Electronic commerce presents new aspects of risk and other
considerations that the auditor addresses. For example, the auditor considers the
following:

• The business risks the bank’s e-commerce strategy presents.

• The risks inherent in the technology the bank has chosen to implement its
electronic commerce strategy.

• Management’s responses to the risks identified, including control
considerations regarding:

. Compliance with legal and regulatory requirements in respect of
cross-border transactions;

. The security and privacy of transmissions across the Internet; and

. The completion, accuracy, timeliness and authorisation of Internet
transactions as they are recorded in the bank’s accounting system.

• The level of IT and electronic commerce skill and competence the auditor
and assistants possess.

42. An organisation may outsource IT or EFT related activities to an external service
provider. The auditor gains an understanding of the outsourced services and the
system of internal controls within the outsourcing bank and the vendor of the
services, in order to determine the nature, extent and timing of substantive
procedures. ISA 402 gives further guidance on this subject.

Expected Assessment of Inherent and Control Risks

43. The nature of banking operations is such that the auditor may not be able to
reduce audit risk to an acceptably low level by the performance of substantive
procedures alone. This is because of factors such as the following:

• The extensive use of IT and EFT systems, which means that much of the
audit evidence is available only in electronic form and is produced by the
entity’s own IT systems.

• The high volume of transactions entered into by banks, which makes
reliance on substantive procedures alone impracticable.

• The geographic dispersion of banks’ operations, which makes obtaining
sufficient coverage extremely difficult.

• The difficulty in devising effective substantive procedures to audit
complex trading transactions.

In most situations the auditor will not be able to reduce audit risk to an acceptably
low level unless management has instituted an internal control system that allows
the auditor to be able to assess the level of inherent and control risks as less than
high. The auditor obtains sufficient appropriate audit evidence to support the
assessment of inherent and control risks. Paragraphs 56-70 discuss matters
relating to internal control in more detail.

The Work of Internal Auditing

44. The scope and objectives of internal auditing may vary widely depending upon
the size and structure of the bank and the requirements of management and those
charged with governance. However, the role of internal auditing ordinarily
includes the review of the accounting system and related internal controls,
monitoring their operation and recommending improvements to them. It also
generally includes a review of the means used to identify, measure and report
financial and operating information and specific enquiry into individual items
including detailed testing of transactions, balances and procedures. The factors
referred to in this paragraph also often lead the auditor to use the work of internal
auditing. This is especially relevant in the case of banks that have a large
geographic dispersion of branches. Often, as a part of the internal audit
department or as a separate component, a bank has a loan review department that
reports to management on the quality of loans and the adherence to established
procedures in respect thereof. In either case, the auditor often considers making
use of the work of the loan review department after an appropriate review of the
department and its work. Guidance on the use of the work of internal auditing is
provided in NSA 19, “Considering the Work of Internal Auditing.”

Audit Risk

45. The three components of audit risk are:

(a) Inherent risk (the risk that material misstatements occur);

(b) Control risk (the risk that the bank’s system of internal control does not
prevent or detect and correct such misstatements on a timely basis); and

(c) Detection risk (the risk that the auditor will not detect any remaining
material misstatements).

Inherent and control risks exist independently of the audit of financial information
and the auditor cannot influence them. The nature of the risks associated with
banking activities, which are discussed in paragraphs 21-25, indicates that the
assessed level of inherent risk in many areas will be high. It is therefore necessary
for a bank to have an adequate system of internal control if the levels of inherent
and control risks are to be less than high. The auditor assesses these risks and
designs substantive procedures so as to reduce audit risk to an acceptably low
level.

Materiality

46. In making an assessment of materiality, in addition to the considerations set out in
NSA 06, “Audit Materiality,” the auditor considers the following factors:

• Because of high leverage, relatively small misstatements may have a
significant effect on the results for the period and on capital, even though
they may have an insignificant effect on total assets.

• A bank’s earnings are low when compared to its total assets and liabilities
and its off-balance sheet commitments. Therefore, misstatements that
relate only to assets, liabilities and commitments may be less significant
than those that may also relate to the statement of earnings.

• Banks are often subject to regulatory requirements, such as the
requirement to maintain minimum levels of capital. A breach of these
requirements could call into question the appropriateness of management’s
use of the going concern assumption. The auditor therefore establishes a
materiality level so as to identify misstatements that, if uncorrected, would
result in a significant contravention of such regulatory requirements.

• The appropriateness of the going concern assumption often depends upon
matters related to the bank’s reputation as a sound financial institution and
actions by regulators. Because of this, related party transactions and other
matters that would not be material to entities other than banks may
become material to a bank’s financial statements if they might affect the
bank’s reputation or actions by regulators.

Management’s Representations

47. Management’s representations are relevant in the context of a bank audit to assist
the auditor in determining whether the information and evidence obtained is
complete for the purposes of the audit. This is particularly true of the bank’s
transactions that may not ordinarily be reflected in the financial statements
(off-balance sheet items), but which may be evidenced by other records of which the
auditor may not be aware. It is often also necessary for the auditor to obtain from
management representations regarding significant changes in the bank’s business
and its risk profile. It may also be necessary for the auditor to identify areas of a
bank’s operations where audit evidence likely to be obtained may need to be
supplemented by management’s representations, for example, loan loss provisions
and the completeness of correspondence with regulators. NSA 11, “Management
Representations” provides guidance as to the use of management representations
as audit evidence, the procedures that the auditor applies in evaluating and
documenting them, and the circumstances in which representations should be
obtained in writing.

Involvement of Other Auditors

48. As a result of the wide geographic dispersion of offices in most banks, it is often
necessary for the auditor to use the work of other auditors in many of the
locations in which the bank operates. This may be achieved by using other offices
of the auditor’s firm or by using other auditing firms in those locations.

49. Before using the work of another auditor, the auditor:

• Considers the independence of those auditors and their competence to
undertake the necessary work (including their knowledge of banking and
applicable regulatory requirements);

• Considers whether the terms of the engagement, the accounting principles
to be applied and the reporting arrangements are clearly communicated;
and

• Performs procedures to obtain sufficient appropriate audit evidence that
the work performed by the other auditor is adequate for this purpose by
discussion with the other auditor, by a review of a written summary of the
procedures applied and findings, by a review of the working papers of the
other auditor, or in any other manner appropriate to the circumstances.

NSA 18, “Using the Work of Another Auditor” provides further guidance on the
issues to be addressed and procedures to be performed in such situations.

Co-ordinating the Work to be Performed

50. Given the size and geographic dispersion of most banks, co-ordinating the work
to be performed is important to achieve an efficient and effective audit. The
co-ordination required takes into account factors such as the following:

• The work to be performed by:

. Experts;

. Assistants;

. Other offices of the auditor’s firm; and

. Other audit firms.

• The extent to which it is planned to use the work of internal auditing.

• Required reporting dates to shareholders and the regulatory authorities.

• Any special analyses and other documentation to be provided by bank
management.

51. The best level of co-ordination between assistants can often be achieved by
regular audit-status meetings. However, given the number of assistants and the
number of locations at which they will be involved, the auditor ordinarily
communicates all or relevant portions of the audit plan in writing. When setting
out the requirements in writing, the auditor considers including commentary on
the following matters:

• The financial statements and other information that are to be audited (and
if considered necessary, the legal or other mandate for the audit).

• Details of any additional information requested by the auditor, for
example, information on certain loans, portfolio composition, narrative
commentary on the audit work to be performed (especially on the areas of
risk described in paragraphs 21-25 which are important to the bank) and
on the results of the audit work, potential points for inclusion in letters to
management on internal control, local regulatory concerns, and if relevant,
the forms of any required reports.

• That the audit is to be conducted in accordance with NSAs and any
regulatory requirements (and, if considered necessary, information on
those requirements).

• The relevant accounting principles to be followed in the preparation of the
financial statements and other information (and, if considered necessary,
the details of those principles).

• Interim audit status reporting requirements and deadlines.

• Particulars of the entity’s officials to be contacted.

• Fee and billing arrangements.

• Any other concerns of a regulatory, internal control, accounting or audit
nature of which those conducting the audit should be aware.

Related Party Transactions

52. The auditor remains alert for related party transactions during the course of the
audit, particularly in the lending and investment areas. Procedures performed
during the planning phase of the audit, including obtaining an understanding of
the bank and the banking industry, may be helpful in identifying related parties. In
some jurisdictions, related party transactions may be subject to quantitative or
qualitative restrictions. The auditor determines the extent of any such restrictions.

Going Concern Considerations

53. NSA 10, “Going Concern” provides guidance as to the auditor’s consideration of
the appropriateness of management’s use of the going concern assumption. In
addition to matters identified in that NSA, events or conditions such as the
following may also cast significant doubt on the bank’s ability to continue as a
going concern:

• Rapid increases in levels of trading in derivatives. This may indicate that
the bank is carrying out trading activities without the necessary controls in
place.

• Profitability performance or forecasts that suggest a serious decline in
profitability, particularly if the bank is at or near its minimum regulatory
capital or liquidity levels.

• Rates of interest being paid on money market and depositor liabilities that
are higher than normal market rates. This may indicate that the bank is
viewed as a higher risk.

• Significant decreases in deposits from other banks or other forms of short
term money market funding. This may indicate that other market
participants lack confidence in the bank.

• Actions taken or threatened by regulators that may have an adverse effect
on the bank’s ability to continue as a going concern.

• Increased amounts due to central banks, which may indicate that the bank
was unable to obtain liquidity from normal market sources.

• High concentrations of exposures to borrowers or to sources of funding.

54. NSA 10 also provides guidance to auditors when an event or condition that may
cast significant doubt on the bank’s ability to continue as a going concern has
been identified. The NSA indicates a number of procedures that may be relevant,
and in addition to those, the following procedures may also be relevant:

• Reviewing correspondence with regulators.

• Reviewing reports issued by regulators as a result of regulatory
inspections.

• Discussing the results of any inspections currently in process.

55. The regulatory regime under which the bank operates may require the auditor to
disclose to the regulator any intention to issue a modified opinion or any concerns
that the auditor may have about the bank’s ability to continue as a going concern.
IAPS 1004 provides further discussion of the relationship between the auditor and
the banking supervisor.

Internal Control

Introduction

56. The Basel Committee on Banking Supervision has issued a policy paper,
“Framework for Internal Control Systems in Banking Organisations” (September
1998), which provides banking supervisors with a framework for evaluating
banks’ internal control systems. This framework is used by many banking
supervisors, and may be used during supervisory discussions with individual
banking organisations. Auditors of banks’ financial statements may find a
knowledge of this framework useful in understanding the various elements of a
bank’s internal control system.

57. Management’s responsibilities include the maintenance of an adequate accounting
system and internal control system, the selection and application of accounting
policies, and the safeguarding of the assets of the entity. The auditor obtains an
understanding of the accounting and internal control systems sufficient to plan the
audit and develop an effective audit approach. After obtaining the understanding,
the auditor considers the assessment of inherent and control risks so as to
determine the appropriate detection risk to accept for the financial statement
assertions and to determine the nature, timing and extent of substantive
procedures for such assertions. Where the auditor assesses control risk at less than
high, substantive procedures are ordinarily less extensive than are otherwise
required and may also differ in their nature and timing.

Identifying, Documenting and Testing Control Procedures

58. NSA 12, “Risk Assessments and Internal Control” indicates that internal controls
relating to the accounting system are concerned with achieving objectives such as
the following:

• Transactions are executed in accordance with management’s general or
specific authorisation (paragraphs 59–61).

• All transactions and other events are promptly recorded at the correct
amount, in the appropriate accounts and in the proper accounting period so
as to permit preparation of financial statements in accordance with an
identified financial reporting framework (paragraphs 62 and 63).

• Access to assets is permitted only in accordance with management’s
authorisation (paragraphs 64 and 65).

• Recorded assets are compared with the existing assets at reasonable
intervals and appropriate action is taken regarding any differences
(paragraphs 66 and 67).

The audit considerations in relation to each of these objectives are discussed in
the subsequent paragraphs.

In the case of banks, a further objective of internal controls is to ensure that the
bank adequately fulfills its regulatory and fiduciary responsibilities arising out of
its trustee activities. The auditor is not directly concerned with these objectives
except to the extent that any failure to comply with such responsibilities might
have led to the financial statements being materially misstated.

Transactions are Executed in Accordance With Management’s General or Specific
Authorisation

59. The overall responsibility for the system of internal control in a bank rests with
those charged with governance, who are responsible for governing the bank’s
operations. However, since banks’ operations are generally large and dispersed,
decision-making functions need to be decentralised and the authority to commit
the bank to material transactions is ordinarily dispersed and delegated among the
various levels of management and staff. Such dispersion and delegation will
almost always be found in the lending, treasury and funds transfer functions,
where, for example, payment instructions are sent via a secure message. This
feature of banking operations creates the need for a structured system of
delegation of authority, resulting in the formal identification and documentation
of:

(a) Those who may authorise specific transactions;

(b) Procedures to be followed in granting that authorisation; and

(c) Limits on the amounts that can be authorised, by individual employee or
by staff level, as well as any requirements that may exist for concurring
authorisation.

Those charged with governance also need to ensure that appropriate procedures
exist for monitoring the level of exposures. This will ordinarily involve the
aggregation of exposures, not only within, but also across, the different activities,
departments and branches of the bank.

60. An examination of the authorisation controls will be important to the auditor in
considering whether transactions have been entered into in accordance with the
bank’s policies and, for example, in the case of the lending function, that they
have been subject to appropriate credit assessment procedures prior to the
disbursement of funds. The auditor will typically find that limits for levels of
exposures exist in respect of various transaction types. When performing tests of
controls, the auditor considers whether these limits are being adhered to and
whether positions in excess of these limits are reported to the appropriate level of
management on a timely basis.
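
The test of authorisation controls described in paragraphs 59 and 60 can be run over a full transaction register rather than a sample. The following is an added illustration, not part of the Statement: the limit matrix, the 24-hour reporting window, the field names and the sample register are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Hypothetical delegation-of-authority matrix (constructed values): the largest
# amount each staff level may authorise alone, per transaction type.
LIMITS = {
    ("loan", "officer"): Decimal("500000"),
    ("loan", "manager"): Decimal("5000000"),
    ("transfer", "officer"): Decimal("1000000"),
    ("transfer", "manager"): Decimal("20000000"),
}
# Above these amounts a second, different approver must concur.
CONCUR_ABOVE = {"loan": Decimal("2000000"), "transfer": Decimal("10000000")}
# Exposure limit per counterparty, aggregated across branches and activities.
COUNTERPARTY_LIMIT = Decimal("8000000")
REPORT_WINDOW = timedelta(hours=24)  # assumed definition of "timely"


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str
    branch: str
    counterparty: str
    amount: Decimal
    approvers: tuple  # ((user, staff_level), ...)
    booked_at: datetime


def authorisation_exceptions(txns):
    """Return (txn_id, reason) for every breach of the delegation matrix."""
    found = []
    for t in txns:
        if not t.approvers:
            found.append((t.txn_id, "no approver recorded"))
            continue
        # Highest individual limit held by any approver of this transaction.
        best = max(LIMITS.get((t.kind, level), Decimal(0)) for _, level in t.approvers)
        if t.amount > best:
            found.append((t.txn_id, "amount exceeds approver limit"))
        distinct_users = {user for user, _ in t.approvers}
        # Unknown transaction types default to always requiring concurrence.
        if t.amount > CONCUR_ABOVE.get(t.kind, Decimal(0)) and len(distinct_users) < 2:
            found.append((t.txn_id, "concurring authorisation missing"))
    return found


def exposure_excesses(txns, escalations):
    """Aggregate exposure per counterparty across all branches and activities.

    For the first transaction that takes a counterparty over COUNTERPARTY_LIMIT,
    record it and whether the excess was reported within REPORT_WINDOW.
    `escalations` maps counterparty -> datetime the excess reached management.
    """
    running = defaultdict(Decimal)
    breaches = {}
    for t in sorted(txns, key=lambda x: x.booked_at):
        running[t.counterparty] += t.amount
        if running[t.counterparty] <= COUNTERPARTY_LIMIT or t.counterparty in breaches:
            continue
        reported = escalations.get(t.counterparty)
        on_time = (reported is not None
                   and timedelta(0) <= reported - t.booked_at <= REPORT_WINDOW)
        breaches[t.counterparty] = {"breached_by": t.txn_id, "reported_on_time": on_time}
    return breaches


def at(day, hour):
    """Constructed timestamps for the sample register below."""
    return datetime(2006, 7, day, hour)


# Constructed sample register; names, branches and amounts are illustrative.
SAMPLE = [
    Txn("T1", "loan", "Kathmandu", "Acme Traders", Decimal("400000"),
        (("ram", "officer"),), at(10, 10)),
    Txn("T2", "loan", "Pokhara", "Acme Traders", Decimal("3000000"),
        (("sita", "manager"),), at(11, 11)),
    Txn("T3", "transfer", "Kathmandu", "Himal Exports", Decimal("1500000"),
        (("ram", "officer"),), at(11, 15)),
    Txn("T4", "loan", "Biratnagar", "Acme Traders", Decimal("4800000"),
        (("sita", "manager"), ("hari", "manager")), at(12, 9)),
    Txn("T5", "transfer", "Pokhara", "Himal Exports", Decimal("900000"),
        (), at(12, 14)),
]
ESCALATIONS = {"Acme Traders": at(14, 9)}  # reported 48 hours after the breach

if __name__ == "__main__":
    for txn_id, reason in authorisation_exceptions(SAMPLE):
        print(txn_id, reason)
    print(exposure_excesses(SAMPLE, ESCALATIONS))
```

No single loan to the sample counterparty breaches an individual limit; the excess appears only once the exposure is aggregated across three branches, which is the aggregation paragraph 59 asks those charged with governance to monitor.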

61. From an audit perspective, the proper functioning of a bank’s authorisation
controls is particularly important in respect of transactions entered into at or near
the date of the financial statements. This is because aspects of the transaction have
yet to be fulfilled, or there may be a lack of evidence with which to assess the
value of the asset acquired or liability incurred. Examples of such transactions are
commitments to purchase or sell specific securities after the period-end and loans,
where principal and interest payments from the borrower have yet to be made.

All Transactions and Other Events are Promptly Recorded at the Correct Amount, in the
Appropriate Accounts and in the Proper Accounting Period so as to Permit Preparation
of Financial Statements in Accordance with an Identified Financial Reporting
Framework

62. In considering the internal controls that management uses to ensure that all
transactions and other events are properly recorded, the auditor takes into account
a number of factors that are especially important in a banking environment. These
include the following:

• Banks deal in large volumes of transactions that can individually or
cumulatively involve large sums of money. Accordingly, the bank needs
to have balancing and reconciliation procedures that are carried out within
a time-frame that allows the detection of errors and discrepancies so that
they can be investigated and corrected with minimal loss to the bank. Such
procedures may be carried out hourly, daily, weekly, or monthly,
depending on the volume and nature of the transaction, level of risk, and
transactions settlement time-frame. The purpose of these reconciliations is
often to ensure the completeness of transaction processing across highly
complex integrated IT systems and the reconciliations themselves are
normally automatically generated by these systems.

• Many of the transactions entered into by banks are subject to specialised
accounting rules. Banks should have control procedures in place to ensure
those rules are applied in the preparation of appropriate financial
information for management and external reporting. Examples of such
control procedures are those that result in the market revaluation of
foreign exchange and security purchase and sale commitments so as to
ensure that all unrealised profits and losses are recorded.

• Some of the transactions entered into by banks may not be required to be
disclosed in the financial statements (for example, transactions that the
accounting framework allows to be regarded as off balance sheet items).
Accordingly, control procedures must be in place to ensure that such
transactions are recorded and monitored in a manner that provides
management with the required degree of control over them and that allows
for the prompt determination of any change in their status that needs to
result in the recording of a profit or loss.

• Banks are constantly developing new financial products and services. The
auditor considers whether the necessary revisions are made in accounting
procedures and related internal controls.

• End of day balances may reflect the volume of transactions processed
through the systems or of the maximum exposure to loss during the course
of a business day. This is particularly relevant in executing and processing
foreign exchange and securities transactions. The assessment of controls in
these areas takes into account the ability to maintain control during the
period of maximum volumes or maximum financial exposure.

• The majority of banking transactions must be recorded in a manner that is
capable of being verified both internally and by the bank’s customers and
counterparties. The level of detail to be recorded and maintained on
individual transactions must allow the bank’s management, transaction
counterparties, and customers to verify the accuracy of the amounts and
terms. An example of such a control is the continuous verification of
foreign exchange trade tickets by having an employee not involved in the
transaction match the tickets to incoming confirmations from
counterparties.

63. The extensive use of IT and EFT systems has a significant effect on how the
auditor evaluates a bank’s accounting system and related internal controls. NSA
12, “Risk Assessments and Internal Control,” ISA 401, “Auditing in a Computer
Information Systems Environment,” and IAPS 1008, “Risk Assessments and
Internal Control—CIS Characteristics and Considerations,” provide guidance on
the IT aspects of such an evaluation, as do other IAPSs dealing with information
technology. The audit procedures include an assessment of those controls that
affect system development and modifications, system access and data entry, the
security of communications networks, and contingency planning. Similar
considerations apply to EFT operations within the bank. To the extent that EFT
and other transaction systems are external to the bank, the auditor gives additional
emphasis to the assessment of the integrity of pre-transaction supervisory controls
and post-transaction confirmation and reconciliation procedures. Reports from the
auditors of service organisations may be of use here, and ISA 402 gives guidance
on the auditor’s consideration of such reports.

Access to Assets is Permitted Only In Accordance With Management’s Authorisation

64. A bank’s assets are often readily transferable, of high value and in a form that
cannot be safeguarded solely by physical procedures. In order to ensure that
access to assets is permitted only in accordance with management’s authorisation,
a bank generally uses controls such as the following:

• Passwords and joint access arrangements to limit IT and EFT system
access to authorised employees.

• Segregation of the record-keeping and custody functions (including the
use of computer generated transaction confirmation reports available
immediately and only to the employee in charge of the record-keeping
functions).

• Frequent third-party confirmation and reconciliation of asset positions by
an independent employee.

65. The auditor considers whether each of these controls is operating effectively.
However, given the materiality and transferability of the amounts involved, the
auditor also ordinarily reviews the confirmation and reconciliation procedures that
occur in connection with the preparation of the year-end financial statements and
may carry out confirmation procedures himself.

Recorded Assets are Compared With the Existing Assets at Reasonable Intervals and
Appropriate Action is Taken Regarding Any Differences

66. The large amounts of assets handled by banks, the volumes of transactions
undertaken, the potential for changes in the value of those assets due to
fluctuations in market prices and the importance of confirming the continued
operation of access and authorisation controls necessitate the frequent operation
of reconciliation controls. This is particularly important for:

(a) Assets in negotiable form, such as cash, bearer securities and assets in the
form of deposit and security positions with other institutions where failure
to detect errors and discrepancies quickly (which may mean daily where
money market transactions are involved) could lead to an irrecoverable
loss: reconciliation procedures used to achieve this control objective will
ordinarily be based on physical counting and third party confirmation;

(b) Assets whose value is determined with reference to valuation models or
external market prices, such as securities and foreign exchange contracts;
and

(c) Assets held on behalf of clients.

67. In designing an audit plan to assess the effectiveness of a bank’s reconciliation
controls, the auditor considers factors such as the following:

• Because of the number of accounts requiring reconciliation and the
frequency with which these reconciliations need to be performed:

. Much of the audit effort is directed to the documentation, testing
and evaluation of the reconciliation controls; and

. The work of the internal auditor will also be similarly directed. The
auditor therefore can ordinarily use the work of internal auditing.

• Since reconciliations are cumulative in their effect, most reconciliations
can be satisfactorily audited at the year-end date, assuming that they are
prepared as of that date, soon enough for the auditor to use and that the
auditor is satisfied that the reconciliation control procedures are effective.

• In examining a reconciliation, the auditor considers whether items have
not been improperly transferred to other accounts that are not subject to
reconciliation and investigation at the same time.

Examples of Controls

68. Appendix 2 to this Statement contains examples of controls over authorisation,
recording, access and reconciliation ordinarily found in the treasury and trading
and lending operations of a bank.

Inherent Limitations of Internal Control

69. NSA 12 “Risk Assessments and Internal Control” describes the procedures to be
followed by the auditor in identifying, documenting and testing internal controls.
In doing so, the auditor is aware of the inherent limitations of internal control. The
assessed levels of inherent and control risks cannot be sufficiently low to
eliminate the need for the auditor to perform any substantive procedures.
Irrespective of the assessed levels of inherent and control risks, the auditor
performs some substantive procedures for material account balances and classes
of transactions.

Considering the Influence of Environmental Factors

70. In assessing the effectiveness of specific control procedures, the auditor considers
the environment in which internal control operates. Some of the factors that may
be considered include the following:

• The organisational structure of the bank and the manner in which it
provides for the delegation of authority and responsibilities.

• The quality of management supervision.

• The extent and effectiveness of internal auditing.

• The extent and effectiveness of the risk management and compliance
systems.

• The skills, competence and integrity of key personnel.

• The nature and extent of inspection by supervisory authorities.

Performing Substantive Procedures

Introduction

71. As a result of the assessment of the level of inherent and control risks, the auditor
determines the nature, timing and extent of the substantive tests to be performed
on individual account balances and classes of transactions. In designing these
substantive tests, the auditor considers the risks and factors that served to shape
the bank’s systems of internal control. In addition, there are a number of audit
considerations significant to these risk areas to which the auditor directs attention.
These are discussed in subsequent paragraphs.

72. NSA 04, “Audit Evidence” lists the assertions embodied in the financial
statements as: existence, rights and obligations, occurrence, completeness,
valuation, measurement, and presentation and disclosure. Tests of the
completeness assertion are particularly important in the audit of a bank’s financial
statements, particularly in respect of liabilities. Much of the audit work on
liabilities of other commercial entities can be carried out by substantive
procedures on a reciprocal population. Banking transactions do not have the same
type of regular trading cycle, and reciprocal populations are not always
immediately in evidence. Large assets and liabilities can be created and realised
very quickly and, if not captured by the systems, may be overlooked. Third party
confirmations and the reliability of controls become important in these
circumstances.

Audit Procedures

73. To address the assertions discussed above, the auditor may perform the following
procedures:

(a) Inspection.

(b) Observation.

(c) Enquiry and confirmation.

(d) Computation.

(e) Analytical procedures.

In the context of the audit of a bank’s financial statements, inspection, enquiry
and confirmation, computation and analytical procedures require particular
attention and are discussed in the following paragraphs.

Inspection

74. Inspection consists of examining records, documents, or tangible assets. The
auditor inspects in order to:

• Be satisfied as to the physical existence of material negotiable assets that
the bank holds; and

• Obtain the necessary understanding of the terms and conditions of
agreements (including master agreements) that are significant individually
or in the aggregate in order to:

. Consider their enforceability; and

. Assess the appropriateness of the accounting treatment they have
been given.

75. Examples of areas where inspection is used as an audit procedure are:

• Securities;

• Loan agreements;

• Collateral; and

• Commitment agreements, such as:

. Asset sales and repurchases

. Guarantees.

76. In carrying out inspection procedures, the auditor remains alert to the possibility
that some of the assets the bank holds may be held on behalf of third parties rather
than for the bank’s own benefit. The auditor considers whether adequate internal
controls exist for the proper segregation of such assets from those that are the
property of the bank and, where such assets are held, considers the implications
for the financial statements. As noted in paragraph 58 the auditor is concerned
with the existence of third party assets only to the extent that the bank’s failure to
comply with its obligations may lead to the financial statements being materially
misstated.

Enquiry and Confirmation

77. Enquiry consists of seeking information of knowledgeable persons inside or
outside the entity. Confirmation consists of the response to an enquiry to
corroborate information contained in the accounting records. The auditor enquires
and confirms in order to:

• Obtain evidence of the operation of internal controls;

• Obtain evidence of the recognition by the bank’s customers and
counterparties of amounts, terms and conditions of certain transactions;
and

• Obtain information not directly available from the bank’s accounting
records.

A bank has significant amounts of monetary assets and liabilities, and of
off-balance-sheet commitments. External confirmation may be an effective method of
determining the existence and completeness of the amounts of assets and
liabilities disclosed in the financial statements. In deciding the nature and extent
of external confirmation procedures that the auditor will perform, the auditor
considers any external confirmation procedures undertaken by internal auditing.
NSA 17, “External Confirmations” provides guidance on the external
confirmation process.

78. Examples of areas for which the auditor may use confirmation include the
following:

• Collateral.

• Verifying, or obtaining independent confirmation of, the value of assets
and liabilities that are not traded or are traded only on over-the-counter
markets.

• Asset, liability and forward purchase and sale positions with customers
and counterparties such as:

. Outstanding derivative transactions;

. Nostro and vostro account holders;

. Securities held by third parties;

. Loan accounts;

. Deposit accounts;

. Guarantees; and

. Letters of credit.

• Legal opinions on the validity of a bank’s claims.

Computation

79. Computation consists of checking the arithmetical accuracy of source documents
and accounting records or of performing independent calculations. In the context
of the audit of a bank’s financial statements, computation is a useful procedure for
checking the consistent application of valuation models.

Analytical Procedures

80. Analytical procedures consist of the analysis of significant ratios and trends
including the resulting investigation of fluctuations and relationships that are
inconsistent with other relevant information or deviate from predicted amounts.
ISA 520, “Analytical Procedures” provides guidance on the auditor’s use of this
technique.

81. A bank invariably has individual assets (for example, loans and, possibly,
investments) that are of such a size that the auditor considers them individually.
However, for most items, analytical procedures may be effective for the following
reasons:

• Ordinarily two of the most important elements in the determination of a
bank’s earnings are interest income and interest expense. These have
direct relationships to interest bearing assets and interest bearing
liabilities, respectively. To establish the reasonableness of these
relationships, the auditor can examine the degree to which the reported
income and expense vary from the amounts calculated on the basis of
average balances outstanding and the bank’s stated rates during the year.
This examination is ordinarily made in respect of the categories of assets
and liabilities used by the bank in the management of its business. Such an
examination could, for example, highlight the existence of significant
amounts of non-performing loans or unrecorded deposits. In addition, the
auditor may also consider the reasonableness of the bank’s stated rates to
those prevailing in the market during the year for similar classes of loans
and deposits. In the case of loan assets, evidence of rates charged or
allowed above market rates may indicate the existence of excessive risk.
In the case of deposit liabilities, such evidence may indicate liquidity or
funding difficulties. Similarly, fee income, which is also a large
component of a bank’s earnings, often bears a direct relationship to the
volume of obligations on which the fees have been earned.

• The accurate processing of the high volume of transactions entered into by
a bank, and the auditor’s assessment of the bank’s internal controls, may
benefit from the review of ratios and trends and of the extent to which they
vary from previous periods, budgets and the results of other similar
entities.

• By using analytical procedures, the auditor may detect circumstances that
call into question the appropriateness of the going concern assumption,
such as undue concentration of risk in particular industries or geographic
areas and potential exposure to interest rate, currency and maturity
mismatches.

• There is a wide range of statistical and financial information available
from regulatory and other sources that the auditor can use to conduct an
in-depth analytical review of trends and peer group analyses.

A useful starting point in considering appropriate analytical procedures is to
consider what information and performance or risk indicators management uses in
monitoring the bank’s activities. Appendix 3 to this Statement contains examples
of the most frequently used ratios in the banking industry.
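
The interest reasonableness test in the first bullet of paragraph 81 can be worked through per category as follows. This is an added illustration, not part of the Statement: the 5% tolerance, the two-point rate spread, the category names and all figures are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

TOLERANCE = Decimal("0.05")    # assumed: investigate variances beyond 5%
RATE_SPREAD = Decimal("0.02")  # assumed: stated rate more than 2 points over market


@dataclass(frozen=True)
class Category:
    name: str
    side: str                   # "asset" (interest income) or "liability" (expense)
    period_balances: tuple      # balances outstanding at each measurement date
    stated_rate: Decimal        # bank's stated annual rate for the category
    market_rate: Decimal        # prevailing market rate for similar items
    reported_interest: Decimal  # income or expense per the financial records


def review(cat):
    """Compare reported interest with average balance x stated rate."""
    average = sum(cat.period_balances) / Decimal(len(cat.period_balances))
    expected = average * cat.stated_rate
    flags = []
    if expected == 0:
        # No balance or no rate: any reported interest is unexplained.
        variance = None
        if cat.reported_interest != 0:
            flags.append("interest reported on a nil expected base")
    else:
        variance = ((cat.reported_interest - expected) / expected).quantize(
            Decimal("0.0001"), rounding=ROUND_HALF_UP)
        if abs(variance) > TOLERANCE:
            if cat.side == "asset" and variance < 0:
                flags.append("income below expectation: possible non-performing loans")
            elif cat.side == "liability" and variance > 0:
                flags.append("expense above expectation: possible unrecorded deposits")
            else:
                flags.append("unexplained variance")
    # Second test from the same bullet: stated rates against market rates.
    if cat.stated_rate - cat.market_rate > RATE_SPREAD:
        if cat.side == "asset":
            flags.append("rate above market: possible excessive risk")
        else:
            flags.append("rate above market: possible liquidity or funding difficulties")
    return {"category": cat.name, "expected": expected,
            "variance": variance, "flags": flags}


def review_all(categories):
    return [review(c) for c in categories]


def D(*values):
    """Helper to build a tuple of Decimal balances from strings."""
    return tuple(Decimal(v) for v in values)


# Constructed figures (in millions); quarterly balances for one year.
SAMPLE = [
    Category("Commercial loans", "asset", D("1000", "1100", "1200", "1100"),
             Decimal("0.10"), Decimal("0.095"), Decimal("95")),
    Category("Personal loans", "asset", D("400", "400", "420", "380"),
             Decimal("0.16"), Decimal("0.12"), Decimal("64.5")),
    Category("Term deposits", "liability", D("800", "820", "780", "800"),
             Decimal("0.06"), Decimal("0.055"), Decimal("55")),
    Category("Savings deposits", "liability", D("500", "500", "500", "500"),
             Decimal("0.03"), Decimal("0.03"), Decimal("15.1")),
]

if __name__ == "__main__":
    for row in review_all(SAMPLE):
        print(row["category"], row["expected"], row["variance"], row["flags"])
```

A flag is a prompt for enquiry, not a conclusion: a shortfall in loan income, for example, may also reflect rate changes during the year that a single stated rate does not capture.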

Specific Procedures in Respect of Particular Items in the Financial Statements

82. Paragraphs 83-100 identify the assertions that are ordinarily of particular
importance in relation to the typical items in a bank’s financial statements. They
also describe some of the audit considerations that help the auditor to plan
substantive procedures and suggest some of the techniques that could be used in
relation to the items selected by the auditor for testing. The procedures do not
represent an exhaustive list of procedures that it is possible to perform, nor do
they represent a minimum requirement that should always be performed.

Financial Statement Item | Financial Statement Assertions of Particular Importance

83. BALANCES WITH OTHER BANKS

Existence

The auditor considers third party confirmations of the
balance. Where the balances held with other banks are the
result of large volumes of transactions, the receipt of
confirmations from those other banks is likely to provide
more cogent evidence as to the existence of the transactions
and of the resultant inter-bank balances than is the testing of
the related internal controls. Guidance on inter-bank
confirmation procedures, including terminology and the
content of confirmation requests, can be found in the IAPS
1000, “Inter-Bank Confirmation Procedures.”

Valuation

The auditor considers whether to assess the collectability of
the deposit in light of the creditworthiness of the depository
bank. The procedures required in such an assessment are
similar to those used in the audit of loan valuation,
discussed later.

Presentation and Disclosure

The auditor considers whether the balances with other banks
as at the date of the financial statements represent bona fide
commercial transactions or whether any significant variation
from normal or expected levels reflects transactions entered
into primarily to give a misleading impression of the
financial position of the bank or to improve liquidity and
asset ratios (often known as “window-dressing”).

Where window-dressing occurs in a magnitude which may
distort the true and fair view of the financial statements, the
auditor requests management to adjust the balances shown
in the financial statements, or make additional disclosure in
the notes. If management fails to do so, the auditor
considers whether to modify the audit report.

84. MONEY MARKET INSTRUMENTS

Existence

The auditor considers the need for physical inspection or
confirmation with external custodians and the reconciliation
of the related amounts with the accounting records.

Rights and Obligations

The auditor considers the feasibility of checking for receipt
of the related income as a means of establishing ownership.
The auditor pays particular attention to establishing the
ownership of instruments held in bearer form. The auditor
also considers whether there are any encumbrances on the
title to the instruments.

The auditor tests for the existence of sale and forward
repurchase agreements for evidence of unrecorded liabilities
and losses.

Valuation

The auditor considers the appropriateness of the valuation
techniques employed in light of the creditworthiness of the
issuer.

Measurement

The auditor considers whether there is a need to test for the
proper accrual of income earned on money market
instruments, which in some cases is through the
amortisation of a purchase discount.

The auditor also considers whether:

• The relationship between the types of securities
owned and the related income is reasonable; and

• All significant gains and losses from sales and
revaluations have been reported in accordance with
the financial reporting framework (for example,
where gains and losses on trading securities are
treated differently from those on investment
securities).

85. SECURITIES HELD FOR TRADING PURPOSES

Appendix 2 gives further examples of internal control
considerations and audit procedures in respect of trading
operations.

Existence

The auditor considers physical inspection of securities or
confirmation with external custodians and the reconciliation
of the amounts with the accounting records.

Rights and Obligations

The auditor considers the feasibility of checking for receipt
of the related income as a means of establishing ownership.
The auditor pays particular attention to establishing the
ownership of securities held in bearer form. The auditor also
considers whether there are any encumbrances on the title to
the securities.

The auditor tests for the existence of sale and forward
repurchase agreements for evidence of unrecorded liabilities
and losses.

Valuation

Financial reporting frameworks often prescribe different
valuation bases for securities depending on whether they are
held for trading purposes, held as portfolio investments, or
held for hedging purposes. For example, a financial
reporting framework might require trading securities to be
carried at market value, portfolio investments at historic cost
subject to impairment reviews, and hedging securities on the
same basis as the underlying assets they hedge.
Management’s intentions determine whether any particular
security is held for a given purpose, and hence the valuation
basis to be used. If management’s intentions change, the
valuation basis changes too. Accordingly, when securities
have been transferred from one category to another, the
auditor obtains sufficient appropriate audit evidence to
support management’s assertions as to their revised
intentions. The possibility of changing an asset’s
categorisation provides management with an opportunity for
fraudulent financial reporting, as it would be possible to
recognise a profit or avoid recognising a loss by changing
the categorisation of particular securities.

When securities held for trading purposes are carried at
market value, the auditor considers whether securities
whose market value has increased have been arbitrarily
transferred from Portfolio Investments (see paragraph 87)
primarily so that an unrealised gain can be taken into
income.

The auditor also considers whether to reperform the
valuation calculations and the extent of tests of the controls
over the bank’s valuation procedures.

Measurement

The auditor also considers whether:

• The relationship between the types of securities
owned and the related income is reasonable; and

• All significant gains and losses from sales and
revaluations have been reported in accordance with
the financial reporting framework (for example,
where gains and losses on trading securities are
treated differently from those on investment
securities).

86. OTHER FINANCIAL ASSETS
(Those involving current investment of funds, for example, blocks of loans
purchased for resale, purchases of securitised assets)

Rights and Obligations

The auditor examines the underlying documentation
supporting the purchase of such assets in order to determine
whether all rights and obligations, such as warranties and
options, have been properly accounted for.

Valuation

The auditor considers the appropriateness of the valuation
techniques employed. Since there may not be established
markets for such assets, it may be difficult to obtain
independent evidence of value. Additionally, even where
such evidence exists, there may be a question as to whether
there is sufficient depth to existing markets to rely on
quoted values for the asset in question and for any related
offsetting hedge transactions that the bank has entered into
in those markets. The auditor also considers the nature and
extent of any impairment reviews that management has
carried out and whether their results are reflected in the
assets’ valuations.

87. PORTFOLIO INVESTMENTS

In many cases the audit of a bank’s portfolio investments
does not differ from the audit of portfolio investments held
by any other entity. However, there are some special aspects
that pose particular problems in respect of banking
operations.

Valuation
The auditor considers the value of the assets supporting the
security value, particularly in respect of securities that are
not readily marketable. The auditor also considers the nature
and extent of any impairment reviews that management has
carried out and whether their results are reflected in the
assets’ valuations.

Measurement

As discussed in paragraph 85, financial reporting
frameworks frequently allow different valuation bases for
securities held for different purposes. Where securities have
been transferred from the Trading Account, the auditor
determines whether any unrealised losses in market value
are recorded if so required by the relevant financial reporting
framework. When the financial reporting framework does
not require the recording of unrealised losses, the auditor
considers whether the transfer was made to avoid the need
to recognise reductions in the securities’ market value.

The auditor also considers whether:

• The relationship between the types of securities
owned and the related income is reasonable; and

• All significant gains and losses from sales and
revaluations have been reported in accordance with
the financial reporting framework (for example,
where gains and losses on trading securities are
treated differently from those on investment
securities).

88. INVESTMENTS IN SUBSIDIARIES AND ASSOCIATED
ENTITIES

In many cases the audit of a bank’s investments in
subsidiaries and associated entities does not differ from the
audit of such investments held by any other entity.
However, there are some special aspects that pose particular
problems in respect of banking operations.

Valuation

The auditor considers the implications of any legal or
practical requirement for the bank to provide future
financial support to ensure the maintenance of operations
(and hence the value of the investment) of subsidiaries and
associated companies. The auditor considers whether the
related financial obligations are recorded as liabilities of the
bank.

The auditor determines whether appropriate adjustments are
made when the accounting policies of companies accounted
for on an equity basis or consolidated do not conform to
those of the bank.

89. LOANS
(Comprising advances, bills of exchange, letters of credit, acceptances,
guarantees, and all other lines of credit extended to customers, including
those in connection with foreign exchange and money market activities)

• Personal

• Commercial

• Government

• Domestic

• Foreign

Existence

The auditor considers the need for external confirmation of
the existence of loans.

Valuation

The auditor considers the appropriateness of the provision
for loan losses. The auditor understands the laws and
regulations that may influence the amounts determined by
management. The Basel Committee has published a set of
Sound Practices for Loan Accounting and Disclosure, which
provides guidance to banks and banking supervisors on
recognition and measurement of loans, establishment of
loan loss provisions, credit risk disclosure and related
matters. It sets out banking supervisors’ views on sound
loan accounting and disclosure practices for banks and so
may influence the financial reporting framework within
which a bank prepares its financial statements. However, the
bank’s financial statements are prepared in accordance with
a specified financial reporting framework, and the loan loss
provision must be made in accordance with that framework.

Appendix 2 gives further information on the auditor’s
consideration of loans.

The major audit concern is the adequacy of the recorded
provision for loan losses. In establishing the nature, extent
and timing of the work to be performed, the auditor
considers the following factors:

• The degree of reliance it is reasonable to place on the
bank’s system of loan quality classification, on its
procedures for ensuring that all documentation is
properly completed, on its internal loan review
procedures and on the work of internal auditing.

• Given the relative importance of foreign lending, the
auditor ordinarily examines:

. The information on the basis of which the
bank assesses and monitors the country risk
and the criteria (for example, specific
classifications and valuation ratios) it uses
for this purpose; and

. Whether and, if so, by whom credit limits are
set for, what the limits are and the extent to
which they have been reached.

• The composition of the loan portfolio, with particular
attention to:

The concentration of loans to specific:

. Borrowers and parties connected to them
(including the procedures in place to identify
such connections);

. Commercial and industrial sectors;

. Geographic regions; and

. As required by regulatory authorities;

. The size of individual credit exposures (few
large loans versus numerous small loans);

. The trends in loan volume by major
categories, especially categories having
exhibited rapid growth, and in
delinquencies, non-accrual and restructured
loans; and

. Related party lending.

• Identified potential non-performing loans, with
particular attention to:

. The previous loss and recovery experience,
including the adequacy and timeliness of
provisions and charge-offs; and

. Results of regulatory examinations.

• National and international economic and environmental
conditions, including restrictions on the transfer of foreign
currency that may affect the repayment of loans by
borrowers.

In addition to those non-performing loans identified by
management and, where applicable, by bank regulators, the
auditor considers additional sources of information to
determine those loans that may not have been so identified.
These include:

• Various internally generated listings, such as “watch-list”
loans, past due loans, loans on nonaccrual
status, loans by risk classification, loans to insiders
(including directors and officers), and loans in
excess of approved limits;

• Historical loss experience by type of loan; and

• Those loan files lacking current information on
borrowers, guarantors or collateral.

Presentation and Disclosure

Banks are often subject to particular disclosure requirements
concerning their loans and provisions for loan losses. The
auditor considers whether the information disclosed is in
accordance with the applicable financial or regulatory
reporting framework.

90. ACCOUNTS WITH DEPOSITORS

(a) General deposits

Completeness

The auditor assesses the system of internal control over
accounts with depositors. The auditor also considers
performing confirmation and analytical procedures on
average balances and on interest expense to assess the
reasonableness of the recorded deposit balances.

Presentation and Disclosure

The auditor determines whether deposit liabilities are
classified in accordance with regulations and relevant
accounting principles.

Where deposit liabilities have been secured by specific
assets, the auditor considers the need for appropriate
disclosure.

The auditor also considers the need for disclosure where the
bank has a risk due to economic dependence on a few large
depositors or where there is an excessive concentration of
deposits due within a specific time.

(b) Items in transit

Existence

The auditor determines whether items in transit between
branches, between the bank and its consolidated
subsidiaries, and between the bank and counterparties, are
eliminated and that reconciling items have been
appropriately addressed and accounted for.

Additionally, the auditor examines individual items
comprising the balance that have not been cleared within a
reasonable time period and also considers whether the
related internal control procedures are adequate to ensure
that such items have not been temporarily transferred to
other accounts in order to avoid their detection.

91. CAPITAL AND RESERVES

Banking regulators pay close attention to a bank’s capital
and reserves in monitoring the level of a bank’s activities
and in determining the extent of a bank’s operations. Small
changes in capital or reserves may have a large effect on a
bank’s ability to continue operating, particularly if it is near
to its permitted minimum capital ratios. In such
circumstances there are greater pressures for management to
engage in fraudulent financial reporting by miscategorising
assets and liabilities or by describing them as being less
risky than they actually are.

Presentation and Disclosure

The auditor considers whether capital and reserves are
adequate for regulatory purposes (for example, to meet
capital adequacy requirements), the disclosures have been
appropriately calculated and that the disclosures are both
appropriate and in accordance with the applicable financial
reporting framework. In many jurisdictions auditors are
required to report on a wide range of disclosures about the
bank’s capital and its capital ratios, either because that
information is included in the financial statements or
because there is a requirement to make a separate report to
banking supervisors.

In addition, where applicable regulations provide for
restrictions on the distribution of retained earnings, the
auditor considers whether the restrictions are adequately
disclosed.

The auditor also determines whether the requirements of the
applicable financial reporting framework with respect to the
disclosure of hidden reserves have been complied with (see
also paragraph 103).

92. PROVISIONS, CONTINGENT ASSETS AND
CONTINGENT LIABILITIES (OTHER THAN
DERIVATIVES AND OFF-BALANCE SHEET
FINANCIAL INSTRUMENTS)

(For example, commitments to lend funds and to guarantee
repayment of funds by customers to third parties)

Completeness

Many contingent assets and liabilities are recorded without
there being a corresponding liability or asset (memorandum
items). The auditor therefore:

• Identifies those activities that have the potential to
generate contingent assets or liabilities (for
example, securitisations);

• Considers whether the bank’s system of internal
control is adequate to ensure that contingent assets
or liabilities arising out of such activities are
properly identified and recorded and that evidence
is retained of the customer’s agreement to the
related terms and conditions;

• Performs substantive procedures to test the
completeness of the recorded assets and liabilities.
Such procedures may include confirmation
procedures as well as examination of related fee
income in respect of such activities and are
determined having regard to the degree of risk
attached to the particular type of contingency being
considered;

• Reviews the reasonableness of the period-end
contingent asset and liability figures in the light of
the auditor’s experience and knowledge of the
current year’s activities; and

• Obtains representation from management that all
contingent assets and liabilities have been recorded
and disclosed as required by the financial reporting
framework.

Valuation

Many of these transactions are either credit substitutes or
depend for their completion on the credit-worthiness of the
counterparty. The risks associated with such transactions are
in principle no different from those associated with “Loans.”
The audit objectives and considerations of particular
importance discussed in paragraph 89 are equally relevant in
respect of these transactions.

Presentation and Disclosure

Where assets or liabilities have been securitised or
otherwise qualify for an accounting treatment that removes
them from the bank’s balance sheet, the auditor considers
the appropriateness of the accounting treatment and whether
appropriate provisions have been made. Similarly, where the
bank is a counterparty to a transaction that allows a client
entity to remove an asset or liability from the client’s
balance sheet, the auditor considers whether there is any
asset or liability that the financial reporting framework
requires to be shown in the balance sheet or in the notes to
the financial statements.

Although the relevant financial reporting framework
ordinarily requires disclosure of such obligations in the
notes to the financial statements rather than in the balance
sheet, the auditor nevertheless considers the potential
financial impact on the bank’s capital, funding and
profitability of the need to honor such obligations and
whether this needs to be specifically disclosed in the
financial statements.

93. DERIVATIVES AND OFF-BALANCE SHEET
FINANCIAL INSTRUMENTS

(For example, foreign exchange contracts, interest rate and
currency swaps, futures, options, and forward rate agreements)

Many of these instruments are dealt with as part of the
bank’s treasury and trading activities. Appendix 2 gives
more information on the auditor’s consideration of treasury
and trading activities. For transactions involving derivatives
that the bank enters into as an end user, IAPS 1012 provides
further guidance.

Rights and Obligations

The auditor examines the underlying documentation
supporting such transactions in order to determine whether
all rights and obligations, such as warranties and options,
have been properly accounted for.

Existence

The auditor considers the need for third party confirmations
of outstanding balances, which are selected from back office
records of open transactions and from lists of approved
counterparties, brokers and exchanges. It may be necessary
to perform confirmation tests separately on the various
products as the systems may not facilitate a combined
selection of all transactions with any given counterparty.

Completeness

Due to the continuing development of new financial
instruments, there may be a lack of established procedures
between participants and within the bank. The auditor
therefore assesses the adequacy of the system of internal
control, particularly with respect to:

• The adequacy of the procedures and the division of
duties regarding the matching of documentation
received from counterparties and reconciliation of
accounts with counterparties; and

• The adequacy of internal audit review.

The auditor considers assessing the adequacy of the related
system of internal control, including regular profit and loss
account reconciliations at appropriate intervals and period-end
reconciliation procedures, particularly in respect of the
completeness and accuracy of the recording of outstanding
positions as at the period end. (This requires the auditor to
be familiar with standard inter-bank transaction
confirmation procedures.)

The auditor may also find it useful to examine post period-end
transactions for evidence of items that should have been
recorded in the year-end financial statements. NSA 16,
“Subsequent Events” provides further guidance on the
auditor’s consideration of events occurring after the period
end.

Valuation

Similar considerations arise here as arise for Other Financial
Assets above. However, the following further considerations
also arise.

Derivatives and off-balance sheet financial instruments are
ordinarily valued at market or fair value, except that, in
some financial reporting frameworks, hedging instruments
are valued on the same basis as the underlying item being
hedged. The applicable financial reporting framework may
not require financial instruments to be shown on the balance
sheet, or may require them to be valued at cost. In such
instances, there may be an obligation to disclose the market
or fair values of derivatives or off-balance sheet instruments
in the notes to the financial statements.

If the instrument is traded on an investment exchange, the
value may be determined through independent sources. If
the transaction is not traded, independent experts may be
required to assess the value.

Additionally, the auditor considers the need for and
adequacy of fair value adjustments to financial instruments,
such as a liquidity risk provision, a modeling risk provision
and a provision for operational risk. The auditor considers
matters such as the following:

• The appropriateness of the exchange rates, interest
rates or other underlying market rates used at the
financial statement date to calculate unrealised
gains and losses.

• The appropriateness of the valuation models and
assumptions used to determine the fair value of
financial instruments outstanding as at the financial
statement date. In addition, the auditor considers
whether details of individual contracts, valuation
rates and assumptions used are appropriately
entered into the models.

• The appropriateness of the accounting policies used
having regard to relevant accounting principles
particularly with regard to the distinction between
realised and unrealised profits and losses.

When market values need to be considered, but are not
available, the auditor considers whether appropriate
alternative valuation techniques have been employed, based,
where appropriate, on current interest or foreign exchange
rates.

As some of these instruments have been developed only
recently, the auditor examines their valuation with a special
degree of caution, and in doing so bears in mind the
following factors:

• There may be no legal precedents concerning the
terms of the underlying agreements. This makes it
difficult to assess the enforceability of those terms.

• There may be a relatively small number of management
personnel who are familiar with the inherent
risks of these instruments. This may lead to a higher
risk of misstatements occurring and a greater
difficulty in establishing controls that would prevent
misstatements or detect and correct them on a
timely basis.

• Some of these instruments have not existed through
a full economic cycle (bull and bear markets, high
and low interest rates, high and low trading and
price volatility) and it may therefore be more
difficult to assess their value with the same degree
of certainty as for more established instruments.
Similarly, it may be difficult to predict with a
sufficient degree of certainty the price correlation
with other offsetting instruments used by the bank
to hedge its positions.

• The models used for valuing such instruments may
not operate properly in abnormal market conditions.

Measurement

The auditor considers the purpose for which the transaction
resulting in the instrument was entered into, in particular
whether the transaction was a trading transaction or a
hedging one. The bank may have been dealing as principal
to create a dealing position or to hedge another asset, or it
may have been dealing as an intermediary or broker. The
purpose may determine the appropriate accounting
treatment.

Since settlement of such transactions is at a future date, the
auditor considers whether a profit or loss has arisen by the
period end that is required to be recorded in the financial
statements.

The auditor considers whether there has been a
reclassification of hedging and trading transactions/positions
that may have been made primarily with a view to taking
advantage of differences in the timing of profit and loss
recognition.

Presentation and Disclosure

In some financial reporting frameworks, the relevant
accounting principles require the recording of accrued gains
and losses on open positions, whether or not these positions
are recorded on the balance sheet. In other financial
reporting frameworks there is only an obligation to disclose
the commitment. Where the latter is the case, the auditor
considers whether the unrecorded amounts are of such
significance as to require a disclosure in the financial
statements or qualification in the audit report.

The following additional considerations may arise:

• The auditor considers the appropriate accounting
treatment and presentation of such transactions in
accordance with relevant financial reporting
requirements. Where those requirements have
different treatments for transactions that are entered
into for hedging purposes, the auditor considers
whether transactions have been appropriately
identified and treated.

• Some financial reporting frameworks require the
disclosure of the potential risk arising from open
positions, as for example, the credit risk equivalent
and replacement value of outstanding off-balance
sheet instruments.

94. INTEREST INCOME AND INTEREST EXPENSE

Measurement

Interest income and expense ordinarily comprise two of the
main items in a bank’s income statement. The auditor
considers:

• Whether satisfactory procedures exist for the proper
accounting of accrued income and expenditure at
the year-end;

• Assessing the adequacy of the related system of
internal control; and

• Using analytical procedures in assessing the
reasonableness of the reported amounts. Such
techniques include comparison of reported interest
yields in percentage terms:

. To market rates;

. To central bank rates;

. To advertised rates (by type of loan or
deposit); and

. Between portfolios.

In making such comparisons, average rates in effect (for
example, by month) are used in order to avoid distortions
caused by changes in interest rates.

The auditor considers the reasonableness of the policy
applied to income recognition on non-performing loans,
especially where such income is not being received on a
current basis. The auditor also considers whether income
recognition on non-performing loans complies with the
policy of the bank, as well as the requirements of the
applicable financial reporting framework and directives
issued by the Central Bank / Nepal Rashtra Bank.

95. PROVISIONS FOR LOAN LOSSES

Measurement

The major audit concerns in this area are discussed above
under “Loans.” Usually, provisions take two forms, namely
specific provisions in respect of identified losses on
individual loans and general provisions to cover losses that
are thought to exist but have not been specifically identified.
The auditor assesses the adequacy of such provisions based
on such factors as past experience and other relevant
information and considers whether the specific and general
provisions are adequate to absorb estimated credit losses
associated with the loan portfolio. Appendix 2 to this
Statement contains examples of substantive procedures for
the evaluation of loan loss provisions. The levels of general
provisions are prescribed by the regulations. The auditor
determines whether the reported provision expense is
calculated in accordance with such regulations. The auditor
also considers the adequacy of the disclosures in the
financial statements and, when the provisions are not
adequate, the implications for the audit report.

96. FEE AND COMMISSION INCOME

Completeness

The auditor considers whether the amount recorded is
complete (that is, all individual items have been recorded).
In this respect, the auditor considers using analytical
procedures in assessing the reasonableness of the reported
amounts.

Measurement

The auditor considers matters such as the following:

• Whether the income relates to the period covered by
the financial statements and that those amounts
relating to future periods have been deferred.

• Whether the income is collectible (this is considered
as part of the loan review audit procedures where
the fee has been added to a loan balance
outstanding).

• Whether the income is accounted for in accordance
with the applicable financial reporting framework.

97. PROVISION FOR TAXES ON INCOME

Measurement

The auditor becomes familiar with the special taxation rules
applicable to banks. The auditor also considers whether any
auditors on whose work it is intended to rely in respect of
the bank’s foreign operations are similarly familiar with the
rules in their jurisdiction. The auditor is aware of the
taxation treaties between the various jurisdictions in which
the bank operates.

98. RELATED PARTY TRANSACTIONS

Presentation and Disclosure

Financial reporting frameworks often require the disclosure
of the existence of related parties and of transactions with
them. Related party transactions may occur in the ordinary
course of a bank’s business. For example, a bank may
extend credit to its officers or directors or to entities that are
owned or controlled by officers or directors. The auditor
remains aware of the risk that where such lending
transactions with related parties exist, normal measures of
banking prudence, such as credit assessment and collateral
requirements, may not be exercised properly. The auditor
becomes familiar with the applicable regulatory
requirements for lending to related parties and performs
procedures to identify the bank’s controls over related party
lending, including approval of related party credit
extensions and monitoring of performance of related party
loans.

Other related party transactions that may occur in the
ordinary course of a bank’s business include deposit and
other transactions with directors, officers, or affiliated
entities. A bank may also guarantee loans to, or the financial
performance of, an affiliated entity. The guarantee may be
formalised in a written agreement or the guarantee may be
informal. Informal guarantees may be oral agreements,
“understood” agreements based on the affiliate’s historical
performance, or the result of the business culture in which
the bank operates. Such agreements, whether formal or
informal, are of particular concern when the guarantee
relates to an unconsolidated affiliate, as the guarantee is not
disclosed in the bank’s consolidated financial statements.
The auditor makes enquiries of management and reviews
the minutes of the board of directors to determine if such
guarantees exist and whether there is appropriate disclosure
of the guarantees in the bank’s financial statements.

Valuation

Related party transactions may also result from
management’s attempts to avoid adverse circumstances. For
example, a bank’s management may transfer problem assets
to an unconsolidated affiliated entity at or near the period
end, or prior to a regulatory examination, to avoid a
deficiency in the provision for loan losses or to avoid
criticism about asset quality. The auditor considers
reviewing transactions involving related parties that have
been accounted for as sales transactions to determine
whether there are unrecorded recourse obligations involved.

Representations from management or others are often
required to understand the business purpose of a particular
transaction. Such representations are evaluated in the light
of apparent motives and other audit evidence. In order to
obtain a complete understanding of a transaction, certain
circumstances may warrant a discussion with the related
party, their auditor, or other parties such as legal counsel,
who are familiar with the transaction. NSA 11,
“Management Representations” gives further guidance on
the use of management representations.

99. FIDUCIARY ACTIVITIES

Completeness

The auditor considers whether all the bank’s income from
such activities has been recorded and is fairly stated in the
bank’s financial statements. The auditor also considers
whether the bank has incurred any material undisclosed
liability from a breach of its fiduciary duties, including the
safekeeping of assets.

Presentation and Disclosure

The auditor considers whether the financial reporting
framework requires disclosure of the nature and extent of its
fiduciary activities in the notes to its financial statements,
and whether the required disclosures have been made.

100. NOTES TO THE FINANCIAL STATEMENTS

(Including, where applicable, a Statement of Accounting Policies)

Presentation and Disclosure

The auditor determines whether the notes to the bank’s
financial statements are in accordance with the applicable
financial reporting framework.

Reporting on the Financial Statements

101. In expressing an opinion on the bank’s financial statements, the auditor:

• Adheres to any specific formats and terminology specified by the law, the
regulatory authorities, professional bodies and industry practice; and

• Determines whether adjustments have been made to the accounts of
foreign branches and subsidiaries that are included in the consolidated
financial statements of the bank to bring them into conformity with the
financial reporting framework under which the bank is reporting. This is
particularly relevant in the case of banks because of the large number of
countries in which such branches and subsidiaries may be located and the
fact that in most countries local regulations prescribe specialised
accounting principles applicable primarily to banks. This may lead to a
greater divergence in the accounting principles followed by branches and
subsidiaries, than is the case in respect of other commercial entities.

102. The financial statements of banks are prepared in the context of the legal and
regulatory requirements prevailing in the country, and accounting policies are
influenced by such regulations. The financial reporting framework for banks (the
banking framework) differs materially from the financial reporting framework for
other entities (the general framework). When the bank is required to prepare a
single set of financial statements that comply with both frameworks, the auditor
may express a totally unqualified opinion only if the financial statements have
been prepared in accordance with both frameworks. If the financial statements are
in accordance with only one of the frameworks, the auditor expresses an
unqualified opinion in respect of compliance with that framework and a qualified
or adverse opinion in respect of compliance with the other framework. When the
bank is required to comply with the banking framework instead of the general
framework, the auditor considers the need to refer to this fact in an emphasis of
matter paragraph.

103. Banks often present additional information in annual reports that also contain
audited financial statements. This information frequently contains details of the
bank’s risk adjusted capital, and other information relating to the bank’s stability,
in addition to any disclosures in the financial statements. NSA 22, “Other
Information in Documents Containing Audited Financial Statements” provides
guidance on the procedures to be undertaken in respect of such additional
information.

Compliance with International Standards on Auditing

104. Compliance with this NAPS ensures compliance in all material respects with
IAPS 1006 (Audits of the Financial Statements of Banks).

Effective Date

105. This Nepal Auditing Practice Statement becomes operative for the audit
commencing on or after (as notified). Earlier application is encouraged.

Appendix 1

Risks and Issues in Respect of Fraud and Illegal Acts


(relating to paragraph 26)

Paragraph 26 of this Statement indicates some of the general considerations in respect of
fraud. These are also discussed in more detail in NSA 05, “The Auditor’s Responsibility
to Consider Fraud and Error in an Audit of Financial Statements.” NSA 05 requires the
auditor to consider whether fraud risk factors are present that indicate the possibility of
either fraudulent financial reporting or misappropriation of assets. Appendix 1 to the
NSA gives an indication of general fraud risk factors: this appendix gives examples of
fraud risk factors applicable to banks.

The risk of fraudulent activities or illegal acts arises at banks both from within the
institution and from outsiders. Among the many fraudulent activities and illegal acts that
banks may face are cheque-writing fraud, fraudulent lending and trading arrangements,
money laundering and misappropriation of banking assets. Fraudulent activities may
involve collusion by management of banks and their clients. Those perpetrating
fraudulent activities may prepare false and misleading records to justify inappropriate
transactions and hide illegal activities. Fraudulent financial reporting is another serious
concern.

In addition, banks face an ongoing threat of computer fraud. Computer hackers, and
others who may gain unauthorised access to banks’ computer systems and information
databases, can misapply funds to personal accounts and steal private information about
the institution and its customers. Also, as is the case for all businesses, fraud and criminal
activity perpetrated by authorised users inside banks is a particular concern.

Fraud is more likely to be perpetrated at banks that have serious deficiencies in corporate
governance and internal control. Significant losses from fraud may arise from the
following categories of breakdowns in corporate governance and internal control:

• Lack of adequate management oversight and accountability, and failure to
develop a strong control culture within the bank. Major losses due to fraud often
arise as a consequence of management's lack of attention to, and laxity in, the
control culture of the bank, insufficient guidance and oversight by those charged
with governance and management, and a lack of clear management accountability
through the assignment of roles and responsibilities. These situations also may
involve a lack of appropriate incentives for management to carry out strong line
supervision and maintain a high level of control consciousness within business
areas.

• Inadequate recognition and assessment of the risk of certain banking activities,
whether on- or off-balance sheet. When the risks of new products and activities
are not adequately assessed and when control systems that function well for
simpler traditional products are not updated to address newer complex products, a
bank may be exposed to a greater risk of loss from fraud.

• The absence or failure of key control structures and activities, such as segregation
of duties, approvals, verifications, reconciliations, and reviews of operating
performance. In particular, the lack of a segregation of duties has played a major
role in fraudulent activities that resulted in significant losses at banks.

• Inadequate communication of information between levels of management within
the bank, especially in the upward communication of problems. When policies
and procedures are not appropriately communicated to all personnel involved in
an activity, an environment is created that may foster fraudulent activities. In
addition, fraud may go undetected when information about inappropriate activities
that should be brought to the attention of higher level management is not
communicated to the appropriate level until the problems become severe.

• Inadequate or ineffective internal audit programs and monitoring activities. When
internal auditing or other monitoring activities are not sufficiently rigorous to
identify and report control weaknesses, fraud may go undetected at banks. When
adequate mechanisms are not in place to ensure that management corrects
deficiencies reported by auditors, fraud may continue unabated.

The following table and discussion in this appendix provide examples of fraud risk
factors.

| | Deposit Taking | Dealing | Lending |
|---|---|---|---|
| Management & Employee Fraud | Depositors’ camouflage; Unrecorded deposits; Theft of customer deposits or investments, particularly from dormant accounts | Off-market rings; Related party deals; Broker kickbacks; False deals; Unrecorded deals; Delayed deal allocations; Misuse of discretionary accounts; Exploiting weaknesses in matching procedures; Mismarking of book; Collusion in providing valuations (Valuation rings); Theft or misuse of collateral held as security | Loans to fictitious borrowers; Use of nominee companies; Deposit transformation; Transactions with connected companies; Kickbacks and inducements; Use of parallel organisations; Funds transformation; Selling recovered collateral at below market prices; Bribes to obtain the release of security or to reduce the amount claimed; Theft or misuse of collateral held as security |
| External Fraud | Money laundering; Fraudulent instructions; Counterfeit currency or drafts; Fraudulent use of Cheque float periods (Cheque kiting) | Fraudulent custodial sales; False information or documents regarding counterparties | Impersonation and false information on loan applications and subsequently provided documents; Double-pledging of collateral; Fraudulent valuations (Land flips); Forged or valueless collateral; Misappropriation of loan funds by agents/customers; Unauthorised sale of collateral |

Fraud Risk Factors in Respect of the Deposit Taking Cycle

Depositors’ Camouflage

(Hiding the identity of a depositor, possibly in connection with funds transformation or
money laundering.)

• Similar or like-sounding names across various accounts.

• Offshore company depositors with no clearly defined business or about which
there are few details.

Unrecorded Deposits

• Any evidence of deposit-taking by any other company of which there are details
on the premises, whether part of the bank or not.

• Documentation held in management offices that it is claimed has no connection
with the business of the bank or evasive replies regarding such documents.

Theft of Customer Deposits/Investments

• Customers with hold-mail arrangements who only have very occasional contact
with the bank.

• No independent resolution of customer complaints or review of hold-mail
accounts.

Fraud Risk Factors in Respect of the Dealing Cycle

Off-Market Rings/Related Party Deals

• No spot checks on the prices at which deals are transacted.

• Unusual levels of activity with particular counterparties.

Broker Kickbacks

• High levels of business with a particular broker.

• Unusual trends in broker commissions.

False Deals

• A significant number of cancelled deals.

• Unusually high value of unsettled transactions.

Unrecorded Deals

• High levels of profit by particular dealers in relation to stated dealing strategy.

• Significant number of unmatched counterparty confirmations.

Delayed Deal Allocations

• No time stamping of deal tickets or a review of the time of booking.

• Alterations to or overwriting of details on deal sheets.

Misuse of Discretionary Accounts

• Unusual trends on particular discretionary accounts.

• Special arrangements for preparation and issue of statements.

Mismarking of the Book

• No detailed valuation policies and guidelines.

• Unusual trends in the value of particular books.

Fraud Risk Factors in Respect of the Lending Cycle

Loans to Fictitious Borrowers/Transactions with Connected Companies

• “Thin” loan files with sketchy, incomplete financial information, poor
documentation or management’s claim that the borrower is wealthy and undoubtedly
creditworthy.

• Valuations which seem high, valuers used from outside the usually permitted area
or the same valuer used on numerous applications.

• Generous extensions or revised terms when the borrower defaults.

Deposit Transformation or Back-to-Back Lending

A bank deposit is made by another bank, which is then used to secure a loan to a
beneficiary nominated by the fraudulent staff member of the first bank, who hides the
fact that the deposit is pledged.

• Pledges over deposits (disclosed by confirmations which have specifically
requested such pledges to be disclosed).

• Documentation of files held in directors’ or senior managers’ offices outside the
usual filing areas; deposits continually rolled over or made even when liquidity is
tight.

Use of Nominee Companies/Transactions with Connected Companies

• Complex structures which are shrouded in secrecy.

• Several customers with sole contact, that is, handled exclusively by one member
of staff.

• Limited liability partnerships without full disclosure of ownership or with
complex common ownership structures.

Kickbacks and Inducements

• Excessive amounts of business generated by particular loan officers.

• Strong recommendation by director or lending officer but missing data or
documentation on credit file.

• Indications of weak documentation controls, for example providing funding
before documentation is complete.

Use of Parallel Organisations

(Companies under the common control of directors/shareholders)

• Unexpected settlement of problem loans shortly before the period end or prior to
an audit visit or unexpected new lending close to the period end.

• Changes in the pattern of business with related organisations.

Funds Transformation

(Methods used to conceal the use of bank funds to make apparent loan repayments)

• Loans which suddenly become performing shortly before the period end or prior
to an audit visit.

• Transactions with companies within a group or with its associated companies
where the business purpose is unclear.

• Lack of cash flow analysis that supports the income generation and repayment
ability of the borrower.

Impersonation and False Information on Loan Applications/Double-Pledging of
Collateral/Fraudulent Valuations/Forged or Valueless Collateral

• No on-site appraisal of or visit by the borrower.

• Difficulty in obtaining corroboration of the individual’s credentials, inconsistent
or missing documentation and inconsistencies in personal details.

• Valuer from outside the area in which the property is situated.

• Valuation is ordered and received by the borrower rather than the lender.

• Lack of verification of liens to substantiate lien positions and priorities.

• Lack of physical control of collateral that requires physical possession to secure a
loan (for example, jewelry, bearer bonds and art work).

Appendix 2

Examples of Internal Control Considerations and Substantive Procedures for Two
Areas of a Bank’s Operations
(relating to paragraphs 68 and 95)

1. The internal controls and substantive procedures listed below represent neither an
exhaustive list of controls and procedures that should be undertaken, nor do they
represent any minimum requirement that should be satisfied. Rather, they provide
guidance on the controls and procedures that the auditor may consider in dealing
with the following areas:

(a) Treasury and trading operations; and

(b) Loans and advances.

Treasury and Trading Operations

Introduction

2. Treasury operations, in this context, represent all activities relating to the
purchase, sale, borrowing and lending of financial instruments. Financial
instruments may be securities, money market instruments or derivative
instruments. Banks usually enter into such transactions for their own use (for
example, for the purpose of hedging risk exposures) or for meeting customers’
needs. They also carry out, to a larger or smaller extent, trading activities. Trading
may be defined as the purchase and sale (or origination and closing) of financial
instruments (including derivatives) with the intention of deriving a gain from the
change in market price parameters (for example, foreign exchange rates, interest
rates, equity prices) over time. Banks manage and control their treasury activities
on the basis of the various risks involved rather than on the basis of the particular
type of financial instrument dealt with. The auditor ordinarily adopts the same
approach when obtaining audit evidence. IAPS 1012 gives guidance on the audit
implications of derivatives acquired by the bank as an end user.

Internal Control Considerations

3. Generally, treasury operations involve transactions that are recorded by IT
systems. The risk of processing error in such transactions is ordinarily low
provided they are processed by reliable systems. Consequently, the auditor tests
whether key processing controls and procedures are operating effectively before
assessing the level of inherent and control risks as low. Typical controls in a
treasury environment are listed below. These include controls that address
business risks of banks and do not necessarily represent controls that address audit
risks and that are tested by the auditor in order to assess the levels of inherent and
control risks.

Typical Control Questions

Strategic controls

4. Have those charged with governance established a formal policy for the bank’s
treasury business that sets out:

• The authorised activities and products the bank can trade on its own or a
third party’s behalf, ideally broken down by product or risk group;

• The markets in which trading activities take place: these could be regional
markets, or Over-the-Counter (“OTC”) versus Exchange markets;

• The procedures for measuring, analysing, supervising and controlling
risks;

• The extent of risk positions permissible, after taking into account the risk
they regard as acceptable;

• The appropriate limits and procedures covering excesses over defined
limits;

• The procedures, including documentation, that must be complied with
before new products or activities are introduced;

• The type and frequency of reports to those charged with governance; and

• The schedule and frequency with which the policy is reviewed, updated
and approved?

Operational controls

5. Is there appropriate segregation of duties between the front office and back
office?

6. Are the following activities conducted independently of the front office/business
unit:

• Confirmation of trades;

• Recording and reconciliation of positions and results;

• Valuation of trades or independent verification of market prices; and

• Settlement of trades?

7. Are trade tickets pre-numbered (if not automatically generated)?

8. Does the bank have a code of conduct for its dealers that addresses the following:

• Prohibiting dealers from trading on their own account;


• Restricting acceptance of gifts and entertainment activities;

• Confidentiality of customer information;

• Identification of approved counterparties; and

• Procedures for the review of dealers’ activities by management?

9. Are remuneration policies structured to avoid encouraging excessive risk taking?

10. Are new products introduced only after appropriate approvals are obtained and
adequate procedures and risk control systems are in place?

Limits and Trading Activity

11. Does the bank have a comprehensive set of limits in place to control the market,
credit and liquidity risks for the whole institution, business units and individual
dealers? Some commonly used limits are notional or volume limits (by currency
or counterparty), stop loss limits, gap or maturity limits, settlement limits and
value-at-risk limits (for both market and credit risks).

12. Are limits allocated to risks in line with the overall limits of the bank?

13. Do all dealers know their limits and the use thereof? Does every new transaction
reduce the available limit immediately?

14. Are procedures in place that cover excesses over limits?

Risk Measurement and Management

15. Is there an independent risk management function (sometimes referred to as
Middle Office) for measuring, monitoring and controlling risk? Does it report
directly to those charged with governance and senior management?

16. Which method is employed to measure the risk arising from trading activities (for
example, position limits, sensitivity limits, value at risk limits, etc.)?

17. Are the risk control and management systems adequately equipped to handle the
volume, complexity and risk of treasury activities?

18. Does the risk measurement system cover all portfolios, all products and all risks?

19. Is appropriate documentation in place for all elements of the risk system
(methodology, calculations, parameters)?

20. Are all trading portfolios revalued and risk exposures calculated regularly, at least
daily for active dealing operations?

21. Are risk management models, methodologies and assumptions used to measure
risk and to limit exposures regularly assessed, documented and updated
continuously to take account of altered parameters, etc?

22. Are stress situations analysed and “worst case” scenarios (which take into account
adverse market events such as unusual changes in prices or volatilities, market
illiquidity or default of a major counterparty) conducted and tested?

23. Does management receive timely and meaningful reports?

Confirmations

24. Does the bank have written procedures in use:

• For the independent dispatch of pre-numbered outward confirmations to
counterparties for all trades entered into by the dealers;

• For the independent receipt of all incoming confirmations and their
matching to pre-numbered copies of internal trade tickets;

• For independent comparison of signatures on incoming confirmations to
specimen signatures;

• For the independent confirmation of all deals for which no inward
confirmation has been received; and

• For the independent follow-up of discrepancies on confirmations
received?

Settlement of Transactions

25. Are settlement instructions exchanged in writing with counterparties by the use of
inward and outward confirmations?

26. Are settlement instructions compared to the contracts?

27. Are settlements made only by appropriate authorised employees independent of
the initiation and recording of transactions and only on the basis of authorised,
written instructions?

28. Are all scheduled settlements (receipts and payments) notified daily in writing to
the settlement department so that duplicate requests and failures to receive
payments can be promptly detected and followed-up?

29. Are accounting entries either prepared from or checked to supporting
documentation by operational employees, other than those who maintain records
of uncompleted contracts or perform cash functions?

Recording

30. Are exception reports generated for excesses in limits; sudden increases in trading
volume by any one trader, customer or counterparty; transactions at unusual
contract rates, etc? Are these monitored promptly and independently of the
dealers?

31. Does the bank have written procedures that require:

• The accounting for all used and unused trade tickets;

• The prompt recording into the accounting records by an independent party
of all transactions, including procedures to identify and correct rejected
transactions;

• The daily reconciliation of dealer’s positions and profits with the
accounting records and the prompt investigation of all differences; and

• Regular reports to management in appropriate detail to allow the
monitoring of the limits referred to above?

32. Are all nostro and vostro account reconciliations performed frequently and by
employees independent of the settlement function?

33. Are suspense accounts regularly reviewed?

34. Does the bank have an accounting system that allows it to prepare reports that
show its spot, forward, net open and overall positions for the different types of
products, for example:

• By purchase and sale, by currency;

• By maturity dates, by currency; and

• By counterparty, by currency?

35. Are open positions revalued periodically (for example, daily) to current values
based on quoted rates or rates obtained directly from independent sources?

General Audit Procedures

36. Certain audit procedures apply to the environment in which treasury activities are
carried out. To understand this environment, the auditor initially obtains an
understanding of the:

• Scale, volume, complexity and risk of treasury activities;

• Importance of treasury activities relative to other business of the bank;

• Framework within which treasury activities take place; and

• Organisational integration of the treasury activities.

37. Once the auditor has obtained this understanding and has performed tests of
controls with satisfactory results, the auditor ordinarily assesses:

• The accuracy of the recording of transactions entered into during the
period and related profits and losses, by reference to deal tickets and
confirmation slips;

• The completeness of transactions and proper reconciliation between the
front office and accounting systems of open positions at the period end;

• The existence of outstanding positions by means of third party
confirmations at an interim date or at the period end;

• The appropriateness of the exchange rates, interest rates or other
underlying market rates used at the year end date to calculate unrealised
gains and losses;

• The appropriateness of the valuation models and assumptions used to
determine the fair value of financial instruments outstanding as at the
period end; and

• The appropriateness of the accounting policies used particularly around
income recognition and the distinction between hedged and trading
instruments.

38. Relevant aspects of treasury operations that generally pose increased audit risks
are addressed below:

Changes in Products or Activities

39. Particular risks often arise where new products or activities are introduced. To
address such risks the auditor initially seeks to confirm that predefined procedures
are in place for these cases. Generally, the bank should commence such activities
only when the smooth flow of the new transactions through the controls system is
ensured, the relevant IT systems are fully in place (or where adequate interim
system support is in place) and the relevant procedures are properly documented.
Newly traded instruments are ordinarily subject to careful review by the auditor,
who initially obtains a list of all new products introduced during the period (or a
full list of all instruments transacted). Based on this information, the auditor
establishes the associated risk profile and seeks to confirm the reliability of the
internal control and accounting systems.

Reliance on Computer Experts

40. Due to the volume of transactions, virtually all banks support the treasury
transactions cycle using IT systems. Due to the complexity of systems in use and
the procedures involved, the auditor ordinarily seeks the assistance of IT experts
to supply appropriate skills and knowledge in the testing of systems and relevant
account balances.

Purpose for Which Transactions are Undertaken

41. The auditor considers whether the bank holds speculative positions in financial
instruments or hedges them against other transactions. The purpose for entering
such transactions, whether hedging or trading, should be identified at the dealing
stage in order for the correct accounting treatment to be applied. Where
transactions are entered for hedging purposes, the auditor considers the
appropriate accounting treatment and presentation of such transactions and the
matched assets/liabilities, in accordance with relevant accounting requirements.

Valuation Procedures

42. Off-balance sheet financial instruments are ordinarily valued at market or fair
value, except for instruments used for hedging purposes, which, under many
financial reporting frameworks, are valued on the same basis as the underlying
item being hedged. Where market prices are not readily available for an
instrument, financial models that are widely used by the banking industry may be
used to determine the fair value. In addition to disclosure of the notional amounts
of open positions, several countries require the disclosure of the potential risk
arising, for example, the credit risk equivalent and replacement value of such
outstanding instruments.

43. The auditor ordinarily tests the valuation models used, including the controls
surrounding their operation, and considers whether details of individual contracts,
valuation rates and assumptions are appropriately entered into such models. As
many of these instruments have been developed only recently, the auditor pays
particular attention to their valuation, and in doing so bears in mind the following
factors:

• There may be no legal precedents concerning the terms of the underlying
agreements. This makes it difficult to assess the enforceability of those
terms.

• There may be a relatively small number of management personnel who are
familiar with the inherent risks of these instruments. This may lead to a
higher risk of misstatements occurring and a greater difficulty in
establishing controls that would prevent misstatements or detect and
correct them on a timely basis.

• Some of these instruments have not existed through a full economic cycle
(bull and bear markets, high and low interest rates, high and low trading
and price volatility) and it may therefore be more difficult to assess their
value with the same degree of certainty as for more established
instruments. Similarly, it may be difficult to predict with a sufficient
degree of certainty the price correlation with other offsetting instruments
used by the bank to hedge its positions.

• The models used for valuing such instruments may not operate properly in
abnormal market conditions.

44. In addition, the auditor considers the need for, and adequacy of, provisions
against financial instruments, such as liquidity risk provision, modeling risk
provision and reserve for operational risk. The complexity of certain instruments
requires specialist knowledge. If the auditor does not have the professional
competence to perform the necessary audit procedures, advice is sought from
appropriate experts.

45. A further issue of particular interest to the auditor is transactions entered into at
rates outside the prevailing market rates; these often involve the risk of hidden
losses or fraudulent activity. As a result, the bank ordinarily provides mechanisms
that are capable of detecting transactions out of line with market conditions. The
auditor obtains sufficient appropriate audit evidence concerning the reliability of
the function performing this task. The auditor also considers reviewing a sample
of the identified transactions.
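
An added illustration (not part of NAPS 101) of the kind of mechanism paragraph 45 refers to, combined with the ticket, confirmation and exception-report controls in paragraphs 24, 30 and 31. The record layout, field names, the 0.5% tolerance, the dealer limits and all deal data are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Deal:
    ticket: int             # pre-numbered trade ticket (assumed field name)
    dealer: str
    counterparty: str
    notional: D             # amount in base currency
    rate: D                 # contract rate booked by the front office
    market_rate: D          # rate from a source independent of the dealers
    confirmed: bool         # inward confirmation matched to this ticket
    cancelled: bool = False


def off_market(deals, tolerance):
    """Deals whose contract rate differs from the independent market rate by
    more than `tolerance`, expressed as a fraction of the market rate."""
    flagged = []
    for d in deals:
        deviation = abs(d.rate - d.market_rate) / d.market_rate
        if deviation > tolerance:
            flagged.append((d.ticket, round(deviation, 4)))
    return flagged


def limit_excesses(deals, limits):
    """Charge each live deal to its dealer's limit in ticket order and return
    the first ticket that takes the dealer's cumulative notional over it."""
    used = defaultdict(D)
    breaches = {}
    for d in sorted(deals, key=lambda deal: deal.ticket):
        if d.cancelled:
            continue
        used[d.dealer] += d.notional
        # Assumption: a dealer with no limit on file has a limit of zero.
        limit = limits.get(d.dealer, D(0))
        if used[d.dealer] > limit and d.dealer not in breaches:
            breaches[d.dealer] = d.ticket
    return breaches


def missing_tickets(deals):
    """Ticket numbers absent from the pre-numbered sequence."""
    seen = {d.ticket for d in deals}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def unconfirmed(deals):
    """Live deals with no matched inward confirmation."""
    return [d.ticket for d in deals if not d.confirmed and not d.cancelled]


def cancelled_by_dealer(deals):
    """Number of cancelled deals per dealer."""
    counts = defaultdict(int)
    for d in deals:
        if d.cancelled:
            counts[d.dealer] += 1
    return dict(counts)


def exception_report(deals, limits, tolerance):
    """Collect all exceptions for review independent of the dealers."""
    return {
        "off_market": off_market(deals, tolerance),
        "limit_excesses": limit_excesses(deals, limits),
        "missing_tickets": missing_tickets(deals),
        "unconfirmed": unconfirmed(deals),
        "cancelled_by_dealer": cancelled_by_dealer(deals),
    }


# Constructed sample data: every value below is invented for the example.
TOLERANCE = D("0.005")
LIMITS = {"dealer_a": D("5000000"), "dealer_b": D("3000000")}
DEALS = [
    Deal(1001, "dealer_a", "bank_x", D("1000000"), D("1.1000"), D("1.1005"), True),
    # Booked about 1.8% away from the independent rate, and never confirmed.
    Deal(1002, "dealer_a", "bank_y", D("2000000"), D("1.1200"), D("1.1000"), False),
    Deal(1003, "dealer_b", "bank_x", D("500000"), D("1.0998"), D("1.1000"), True),
    # Ticket 1004 is unaccounted for; 1005 takes dealer_a over the limit.
    Deal(1005, "dealer_a", "bank_y", D("2500000"), D("1.1002"), D("1.1000"), True),
    Deal(1006, "dealer_b", "bank_z", D("4000000"), D("1.1001"), D("1.1000"), True,
         cancelled=True),
]

if __name__ == "__main__":
    for name, items in exception_report(DEALS, LIMITS, TOLERANCE).items():
        print(f"{name}: {items}")
```

The independence the statement asks for depends on where `market_rate` and `confirmed` come from: both have to be populated by a function other than the front office for the report to carry any weight.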

Loans and Advances

Introduction

46. According to a consultative paper, “Principles for the Management of Credit
Risk,” issued by the Basel Committee on Banking Supervision, credit risk is most
simply defined as the potential that a bank borrower or counterparty will fail to
meet its obligations in accordance with agreed terms.

47. Loans and advances are the primary source of credit risk for most banks, because
they usually are a bank’s most significant assets and generate the largest portion
of revenues. The overriding factor in making a loan is the amount of credit risk
associated with the lending process. For individual loans, credit risk pertains to
the borrower’s ability and willingness to pay. Aside from loans, other sources of
credit risk include acceptances, interbank transactions, trade financing, foreign
exchange transactions, financial futures, swaps, bonds, equities, options, and in
the extension of commitments and guarantees, and the settlement of transactions.

48. Credit risk represents a major cause of serious banking problems, and is directly
related to lax credit standards for borrowers and counterparties, lack of qualified
lending expertise, poor portfolio risk management, and a lack of attention to
changes in economic or other circumstances that may lead to a deterioration in the
credit standing of a bank’s counterparties. Effective credit risk management is a
critical component of a comprehensive approach to risk management and essential
to the long-term success of any banking organisation. In managing credit risk,
banks should consider the level of risk inherent in both individual credits or
transactions and in the entire asset portfolio. Banks also need to analyse the risk
between credit risk and other risks.

Typical Control Questions

49. Credit risks arise from characteristics of the borrower and from the nature of the
exposure. The creditworthiness, place of operation and nature of borrower’s
business affect the degree of credit risk. Similarly, the credit risk is influenced by
the purpose and security for the exposure.

50. The credit function may conveniently be divided into the following categories:

(a) Origination and disbursement.

(b) Monitoring.

(c) Collection.

(d) Periodic review and evaluation.

Origination and Disbursement

51. Does the bank obtain complete and informative loan applications, including
financial statements of the borrower, the source of the loan repayment and the
intended use of proceeds?

52. Does the bank have written guidelines as to the criteria to be used in assessing
loan applications (for example, interest coverage, margin requirements, debt-to-
equity ratios)?

53. Does the bank obtain credit reports or have independent investigations conducted
on prospective borrowers?

54. Does the bank have procedures in use to ensure that related party lending has been
identified?

55. Is there an appropriate analysis of customer credit information, including
projected sources of loan servicing and repayments?

56. Are loan approval limits based on the lending officer’s expertise?

57. Is appropriate lending committee or board of director approval required for loans
exceeding prescribed limits?

58. Is there appropriate segregation of duties between the loan approval function and
the loan disbursement, monitoring, collection and review functions?

59. Is the ownership of loan collateral and priority of the security interest verified?

60. Does the bank ensure that the borrower signs a legally enforceable document as
evidence of an obligation to repay the loan?

61. Are guarantees examined to ensure that they are legally enforceable?

62. Is the documentation supporting the loan application reviewed and approved by
an employee independent of the lending officer?

63. Is there a control to ensure the appropriate registration of security (for example,
recording of liens with governmental authorities)?

64. Is there adequate physical protection of notes, collateral and supporting
documents?

65. Is there a control to ensure that loan disbursements are recorded immediately?

66. Is there a control to ensure that to the extent possible, loan proceeds are used by
the borrower for the intended purpose?

Monitoring

67. Are trial balances prepared and reconciled with control accounts by employees
who do not process or record loan transactions?

68. Are reports prepared on a timely basis of loans on which principal or interest
payments are in arrears?

69. Are these reports reviewed by employees independent of the lending function?

70. Are there procedures in use to monitor the borrower’s compliance with any loan
restrictions (for example, covenants) and requirements to supply information to
the bank?

71. Are there procedures in place that require the periodic reassessment of collateral
values?

72. Are there procedures in place to ensure that the borrower’s financial position and
results of operations are reviewed on a regular basis?

73. Are there procedures in place to ensure that key administrative dates, such as the
renewal of security registrations, are accurately recorded and acted upon as they
arise?

Collection

74. Are the records of principal and interest collections and the updating of loan
account balances maintained by employees independent of the credit granting
function?

75. Is there a control to ensure that loans in arrears are followed up for payment on a
timely basis?

76. Are there written procedures in place to define the bank’s policy for recovering
outstanding principal and interest through legal proceedings, such as foreclosure
or repossession?

77. Are there procedures in place to provide for the regular confirmation of loan
balances by direct written communication with the borrower by employees
independent of the credit granting and loan recording functions, as well as the
independent investigation of reported differences?

Periodic Review and Evaluation

78. Are there procedures in place for the independent review of all loans on a regular
basis, including:

• The review of the results of the monitoring procedures referred to above;
and

• The review of current issues affecting borrowers in relevant geographic
and industrial sectors?

79. Are there appropriate written policies in effect to establish the criteria for:

• The establishment of loan loss provisions;

• The cessation of interest accruals (or the establishment of offsetting
provisions);

• The valuation of collateral security for loss provisioning purposes;

• The reversals of previously established provisions;

• The resumption of interest accruals; and

• The writing off of loans?

80. Are there procedures in place to ensure that all required provisions are entered
into the accounting records on a timely basis?

General Audit Procedures

81. The following audit procedures are intended to allow the auditor to discover the
operating standards and processes that the bank has established and to consider
whether controls regarding credit risk management are adequate.

Planning

82. The auditor obtains a knowledge and understanding of the bank’s method of
controlling credit risk. This includes matters such as the following:

• The bank’s exposure monitoring process, and its system for ensuring that
all connected party lending has been identified and aggregated.

• The bank’s method for appraising the value of exposure collateral and for
identifying potential and definite losses.

• The bank’s lending practices and customer base.

83. The auditor considers whether the exposure review program ensures
independence from the lending functions including whether the frequency is
sufficient to provide timely information concerning emerging trends in the
portfolio and general economic conditions and whether the frequency is increased
for identified problem credits.

84. The auditor considers the qualifications of the personnel involved in the credit
review function. The industry is changing rapidly and fundamentally, creating a
lack of qualified lending expertise. The auditor considers whether credit review
personnel possess the knowledge and skills necessary to manage and evaluate
lending activities.

85. The auditor considers, through information previously generated, the causes of
existing problems or weaknesses within the system. The auditor considers
whether these problems or weaknesses present the potential for future problems.

86. The auditor reviews management reports and considers whether they are
sufficiently detailed to evaluate risk factors.

87. Note that defining and auditing related party lending transactions are difficult
because the transactions with related parties are not easily identifiable. Reliance is
primarily upon management to identify all related parties and related-party
transactions and such transactions may not be easily detected by the bank’s
internal control systems.

Tests of Control

88. The auditor obtains a knowledge and understanding of the bank’s method of
controlling credit risk. This includes matters such as:

• The exposure portfolio and the various features and characteristics of the
exposures;

• The exposure documentation used by the bank;

• What constitutes appropriate exposure documentation for different types
of exposures; and

• The bank’s procedures and authority levels for granting an exposure.

89. The auditor reviews the lending policies and considers:

• Whether the policies are reviewed and updated periodically to ensure they
are relevant with changing market conditions and new business lines of
the bank; and
• Whether those charged with governance have approved the policies and
whether the bank is in compliance.

90. The auditor examines the exposure review reporting system, including credit file
memoranda and an annual schedule or exposure review plan, and considers
whether it is thorough, accurate and timely and whether it will provide sufficient
information to allow management to both identify and control risk. Do the reports
include:

• Identification of problem credits;

• Current information regarding portfolio risk; and

• Information concerning emerging trends in the portfolio and lending
areas?

91. The auditor considers the nature and extent of the scope of the exposure review,
including the following:

• Method of exposure selection.

• Manner in which exposures are reviewed including:

o An analysis of the current financial condition of the borrower
which addresses repayment ability, and

o Tests for documentation exceptions, policy exceptions,
noncompliance with internal procedures, and violations of laws
and regulations.

92. The auditor considers the effectiveness of the credit administration and portfolio
management by examining the following:

• Management’s general lending philosophy in such a manner as to elicit
management responses.

• The effect of credits not supported by current and complete financial
information and analysis of repayment ability.

• The effect of credits for which exposure and collateral documentation are
deficient.

• The volume of exposures improperly structured, for example, where the
repayment schedule does not match exposure purpose.

• The volume and nature of concentrations of credit, including
concentrations of classified and criticised credits.

• The appropriateness of transfers of low quality credits to or from another
affiliated office.

• The accuracy and completeness of reports.

• Competency of senior management, exposure officers and credit
administration personnel.

Substantive Procedures

93. The auditor considers the extent of management’s knowledge of the bank’s own
credit exposure problems through selective exposure file reviews. Selection
criteria include the following:

• Accounts with an outstanding balance equal to or greater than a specified
amount.

• Accounts on a “Watch List” with an outstanding balance in excess of a
specified amount.

• Accounts with a provision in excess of a specified amount.

• Accounts that are handled by the department that manages the bank’s
problem or higher risk accounts.

• Accounts where principal or interest of more than a specified amount is in
arrears for more than a specified period.

• Accounts where the amount outstanding is in excess of the authorised
credit line.

• Accounts with entities operating in industries or countries that the
auditor’s own general economic knowledge indicates could be at risk.

• Problem accounts identified by the bank regulatory authorities and
problem accounts selected in the prior year.

• The extent of exposure to other financial institutions on inter-bank lines.

94. In addition, where the bank’s personnel have been requested to summarise
characteristics of all exposures over a specified size grouped on a connection
basis, the auditor reviews the summaries. Exposures with the following
characteristics may indicate a need for a more detailed review:

• Large operating loss in the most recent fiscal year.

• Sustained operating losses (for example, 2 or more years).

• A high debt/equity ratio (for example, in excess of 2:1—the ratio will vary
by industry).

• Failure to comply with terms of agreement on covenants.

• Modified audit report.

• Information provided not current or complete.

• Advances significantly unsecured or secured substantially by a guarantee.

• Accounts where reviews are not performed by bank management on a timely
basis.

95. The auditor selects the exposures for detailed review from the exposure listings
above using the sample selection criteria determined above and obtains the
documents necessary to consider the collectability of the exposures. These may
include the following:

• The exposure and security documentation files.

• Arrears listings or reports.

• Activity summaries.

• Previous doubtful accounts listings.

• The non-current exposure report.

• Financial statements of the borrower.

• Security valuation reports.

96. Using the exposure documentation file, the auditor:

• Ascertains the exposure type, interest rate, maturity date, repayment terms,
security and stated purpose of the exposure;

• Considers whether security documents bear evidence of registration as
appropriate, and that the bank has received appropriate legal advice about
the security’s legal enforceability;

• Considers whether the fair value of the security appears adequate
(particularly for those exposures where a provision may be required) to
secure the exposure and that where applicable, the security has been
properly insured. Critically evaluates the collateral appraisals, including
the appraiser’s methods and assumptions;

• Evaluates the collectability of the exposure and considers the need for a
provision against the account;

• Determines whether the appropriate authority levels within the bank have
approved the exposure application or renewal;

• Reviews periodic financial statements of the borrower and notes
significant amounts and operating ratios (that is, working capital, earnings,
shareholders’ equity and debt-to-equity ratios); and

• Reviews any notes and correspondence contained in the exposure review
file. Notes the frequency of review performed by the bank’s staff and
considers whether it is within bank guidelines.

97. The auditor considers whether policies and procedures exist for problem and
workout exposures, including the following:

• A periodic review of individual problem credits.

• Guidelines for collecting or strengthening the exposure, including
requirements for updating collateral values and lien positions,
documentation review, officer call reports.

• Volume and trend of past due and non-accrual credits.

• Qualified officers handling problem exposures.

• Guidelines on proper accounting for problem exposures, for example,
non-accrual policy, specific reserve policy.

98. In addition to assessing the adequacy of the provisions against individual
exposures, the auditor considers whether any additional provisions need to be
established against particular categories or classes of exposures (for example,
credit card exposures and country risk exposures) and assesses the adequacy of
any provisions that the bank may have established through discussions with
management.

Appendix 3

Examples of Financial Information, Ratios and Indicators Commonly Used in the
Analysis of a Bank’s Financial Condition and Performance
(relating to paragraph 81)

There are a large number of financial ratios that are used to analyse a bank’s financial
condition and performance. While these ratios vary somewhat between banks, their basic
purpose tends to remain the same, that is, to provide measures of performance in relation
to prior years, to budget and to other banks. The auditor considers the ratios obtained by
one bank in the context of similar ratios achieved by other banks for which the auditor
has, or may obtain, sufficient information.

These ratios generally fall into the following categories:

• Asset quality.

• Liquidity.

• Earnings.

• Capital adequacy.

• Market risk.

• Funding risk.

Set out below are those overall ratios that the auditor is likely to encounter. Many other,
more detailed ratios are ordinarily prepared by management to assist in the analysis of the
condition and performance of the bank and its various categories of assets and liabilities,
departments and market segments.

(a) Asset quality ratios:

• Loan losses to total loans

• Non-performing loans to total loans

• Loan loss provisions to non-performing loans

• Earnings coverage to loan losses

• Increase in loan loss provisions to gross income

• Size, credit risk concentration, provisioning

(b) Liquidity ratios:

• Cash and liquid securities (for example, those due within 30 days) to total
assets

• Cash, liquid securities and highly marketable securities to total assets

• Inter-bank and money market deposit liabilities to total assets

(c) Earnings ratios:

• Return on average total assets

• Return on average total equity

• Net interest margin as a percentage of average total assets and average
earning assets

• Interest income as a percentage of average interest bearing assets

• Interest expense as a percentage of average interest bearing liabilities

• Non-interest income as a percentage of average commitments

• Non-interest income as a percentage of average total assets

• Non-interest expense as a percentage of average total assets

• Non-interest expense as a percentage of operating income

(d) Capital adequacy ratios:

• Equity as a percentage of total assets

• Tier 1 capital as a percentage of risk-weighted assets

• Total capital as a percentage of risk-weighted assets

(e) Market risk:

• Concentration of risk of particular industries or geographic areas

• Value at risk

• Gap and duration analysis (basically a maturity analysis and the effect of
changes in interest rates on the bank’s earnings or own funds)

• Relative size of engagements and liabilities

• Effect of changes in interest rates on the bank’s earnings or own funds

(f) Funding risk:

• Clients’ funding to total funding (clients’ plus interbank)

• Maturities

• Average borrowing rate


Appendix 4

Risks and Issues in Securities Underwriting and Securities Brokerage

Securities Underwriting

Many banks provide such financial services as underwriting publicly offered securities or
assisting in the private placement of securities. Banks engaging in these activities may be
exposed to substantial risks that have audit implications. These activities and the risks
associated with them are quite complex, and consideration is given to consulting with
experts in such matters.

The type of security being underwritten, as well as the structure of the offering, influence
the risks present in securities underwriting activities. Depending upon how a security
offering is structured, an underwriter may be required to buy a portion of the positions
offered. This creates the need to finance the unsold portions, and exposes the entity to the
market risk of ownership.

There is also a significant element of legal and regulatory risk that is driven by the
jurisdiction in which the security offering is taking place. Examples of legal and
regulatory risk areas include an underwriter’s exposure for material misstatements
included in a securities registration or offering statement and local regulations governing
the distribution and trading in public offerings. Also included are risks arising from
insider trading and market manipulation by management or the bank’s staff. Private
placements are ordinarily conducted on an agency basis and therefore result in less risk
than that associated with a public offering of securities. However, the auditor considers
local regulations covering private placements.

Securities Brokerage

Many banks also are involved in securities brokerage activities that include facilitating
customers’ securities transactions. As with securities underwriting, banks engaging in
these activities (as a broker, dealer, or both) may be exposed to substantial risks that have
audit implications. These activities and the risks associated with them are quite complex,
and consideration is given to consulting with experts in such matters.

The types of services offered to customers and the methods used to deliver them
determine the type and extent of risks present in securities brokerage activities. The
number of securities exchanges on which the bank conducts business and executes trades
for its customers also influences the risk profile. One service often offered is the
extension of credit to customers who have bought securities on margin, resulting in credit
risk to the bank. Another common service is acting as a depository for securities owned
by customers. Entities are also exposed to liquidity risks associated with funding
securities brokerage operations. The related audit risk factors are similar to those set out
in Appendix 5, “Risks and Issues in Private Banking and Asset Management.”

There is also a significant element of legal and regulatory risk that is driven by the
jurisdiction in which the security brokerage activities are taking place. This may be a
consideration for regulatory reporting by the bank, reports directly by the auditor to
regulators and also from the point of view of reputation and financial risk that may occur
in the event of regulatory breaches by the bank.

Appendix 5

Risks and Issues in Private Banking and Asset Management
(relating to Appendix 4)

Private Banking

Provision of superior levels of banking services to individuals, typically people with high
net worth, is commonly known as private banking. Such individuals may often be
domiciled in a country different from that of the bank. Before auditing private banking
activities, the auditor understands the basic controls over these activities. The auditor
considers the extent of the entity’s ability to recognise and manage the potential
reputational and legal risks that may be associated with inadequate knowledge and
understanding of its clients’ personal and business backgrounds, sources of wealth, and
uses of private banking accounts. The auditor considers the following:

• Whether management oversight over private banking activities includes the
creation of an appropriate corporate culture. Additionally, high levels of
management should set goals and objectives and senior management must
actively seek compliance with corporate policies and procedures.

• Policies and procedures over private banking activities should be in writing and
should include sufficient guidance to ensure there is adequate knowledge of the
entity’s customers. For example, the policies and procedures should require that
the entity obtain identification and basic background information on their clients,
describe the clients' source of wealth and lines of business, request references,
handle referrals, and identify suspicious transactions. The entity should also have
adequate written credit policies and procedures that address, among other things,
money laundering related issues, such as lending secured by cash collateral.

• Risk management practices and monitoring systems should stress the importance
of the acquisition and retention of documentation relating to clients, and the
importance of due diligence in obtaining follow-up information where needed to
verify or corroborate information provided by a customer or his or her
representative. Inherent in sound private banking operations is the need to comply
with any customer identification requirements. The information systems should be
capable of monitoring all aspects of an entity's private banking activities. These
include systems that provide management with timely information necessary to
analyse and effectively manage the private banking business, and systems that
enable management to monitor accounts for suspicious transactions and to report
any such instances to law enforcement authorities and banking supervisors as
required by regulations or laws.

The auditor considers the assessed levels of inherent and control risk related to private
banking activities when determining the nature, timing and extent of substantive
procedures. The following list identifies many of the common audit risk factors to
consider when determining the nature, timing and extent of procedures to be performed.
Since private banking frequently involves asset management activities the audit risk
factors associated with asset management activities are also included below.

• Compliance with regulatory requirements. Private banking is highly regulated in
many countries. This may be a consideration for regulatory reporting by the
client, reports directly by the auditor to regulators and also from the point of view
of the reputation and financial risk that may occur in the event of regulatory
breaches by the bank. Also, the nature of private banking activities may increase
the bank’s susceptibility to money laundering, and thus may have increased
operational, regulatory, and reputational risks, which may have audit implications.

• Confidentiality. This is generally a feature of private banking. In addition to the
normal secrecy which most countries accord bank/client relationships, many
jurisdictions where private banking is common have additional banking secrecy
legislation which may reduce the ability of regulators, taxing authorities or police,
from their own or other jurisdictions, to access client information. A bank may
seek to impose restrictions on an auditor’s access to the names of the bank’s
private clients, affecting the auditor’s ability to identify related party transactions.
A related issue is that the bank may be requested by a client not to send
correspondence, including account statements (“hold mail accounts”). This may
reduce the auditor’s ability to gain evidence as to completeness and accuracy and,
in the absence of adequate alternative procedures, the auditor considers the
implications of this for the auditor’s report.

• Management fraud. The tight confidentiality and personal nature of private
banking relationships may reduce the effectiveness of internal controls that
provide supervision and oversight over staff who deal with private clients’ affairs.
The high degree of personal trust that may exist between a client and their private
banker may add to the risk in that many private bankers are given some degree of
autonomy over the management of their clients’ affairs. This risk is exacerbated
to the extent private clients may not be in a position to verify their affairs on a
regular basis as explained above.

• Services designed to legally transfer some degree of ownership/control of assets
to third parties, including trusts and other similar legal arrangements. Such
arrangements are not confined to private banking relationships; however, they are
commonly present in them. For the bank, the risk is that the terms of the trust or
other legal arrangement are not complied with or do not comply with the
applicable law. This exposes the bank to possible liability to the beneficiaries.
Controls in this area are particularly important, given that errors are often
identified only when the trust or other arrangement is wound up, possibly decades
after its creation. Private bankers often are also involved in preparing wills or
other testamentary documents, and act as executors. Improper drafting of a will
may carry financial consequences to the bank. Controls should exist in this area
and in the area of monitoring executor activity. The auditor considers whether
there are any undisclosed liabilities in respect of such services. Confidentiality
requirements may affect the auditor’s ability to obtain sufficient appropriate audit
evidence, and if so, the auditor considers the implications for the auditor’s report.
Finally, trust and similar arrangements provided by private banks are often
outsourced to third parties. The auditor considers what audit risk factors remain
for outsourced services, the procedures needed to understand the risks and
relationships and assess the controls over and within the outsourced service
provider.

• Credit risk. Credit risk is often more complex when private banking services are
provided because of the nature of their customers’ borrowing requirements. The
following services often make credit risk difficult to judge: structured facilities
(credit transactions with multiple objectives which address client requirements in
areas such as tax, regulation, hedging, etc.); unusual assets pledged as security
(for example, art collections, not readily saleable properties, intangible assets
whose value is reliant on future cash flows); and reliance placed on personal
guarantees (“name lending”).

• Custody. Private banks may offer custodial services to clients for physical
investment assets or valuables. The related audit risk factors are similar to those
set out below under Asset Management.

Asset Management

The following risk factors are provided as considerations in planning the strategy and
execution of the audit of a bank’s asset management activities. Included in this area are
fund management, pension management, vehicles designed to legally transfer some
degree of ownership/control of assets to third parties such as trusts or other similar
arrangements etc. This list is not exhaustive as the financial services industry is a rapidly
changing industry.

• When the asset manager and the assets themselves are not both audited by
the same audit firm. The performance of an asset manager and the assets
themselves generally are closely linked. It is easier to identify and understand the
implications of an issue arising in one entity on the financial statements of the
other if both are audited by the same firm, or if arrangements have been made to
permit an appropriate exchange of information between two audit firms. Where
there is no requirement for both the assets and the asset manager to be audited, or
where appropriate access to the other audit firm is not possible, the auditor
considers whether he is in a position to form a complete view.

• Fiduciary responsibility to third parties. Mismanagement of third party funds
may have a financial or reputational effect on an asset manager. Matters falling
into this category may include:

o Improper record keeping;

o Inadequate controls over the protection and valuation of assets;

o Inadequate controls to prevent fund manager fraud;

o Inappropriate physical and/or legal segregation of client funds from the
manager’s funds or other clients’ funds (often a regulated aspect);

o Inappropriate segregation of client investments from the manager’s own
investments (either personal or corporate or both) or other clients’
investments;

o Inappropriate segregation of bank staff engaged in asset management
duties and those engaged in other operations;

o Non-compliance with mandates from clients or the investment policy
under which funds were supposed to be managed; and

o Failure to comply with reporting requirements (contractual or regulatory)
to clients.

• Consideration is given to the policies and controls over client acceptance;
investment decisions; compliance with client instructions; conflicts of interest;
compliance with regulations; segregation and safeguarding of funds and proper
reporting of client assets and transactions.

• Fund manager remuneration. There is a heightened potential for fund managers
to make imprudent or illegal business decisions based upon a desire for personal
gain through a bonus or incentive arrangement.

• Technology. Technology is critical to the operation of most asset management
companies therefore an examination is made of the security, completeness and
accuracy of data and data input where computer controls are being relied on for
audit purposes, as well as the overall computer control environment.
Consideration is given as to whether appropriate controls exist to ensure
transactions on behalf of clients are separately recorded from the bank’s own
transactions.

• Globalisation and international diversification. These are features of many asset
managers and this may give rise to additional risks due to the diversity of practice
among different countries regarding matters such as pricing and custody rules,
regulations, legal systems, market practices, disclosure rules and accounting
standards.

Glossary of Terms

Hidden Reserves: Some financial reporting frameworks allow banks to
manipulate their reported income by transferring amounts to
non-disclosed reserves in years when they make large profits
and transferring amounts from those reserves when they make
losses or small profits. The reported income is the amount
after such transfers. The practice served to make the bank
appear more stable by reducing the volatility of its earnings,
and would help to prevent a loss of confidence in the bank by
reducing the occasions on which it would report low earnings.

Nostros: Accounts held in the bank’s name with a correspondent bank.
(Appendix 2 Paragraph 32)

Provision: An adjustment to the carrying value of an asset to take
account of factors that might reduce the asset’s worth to the
entity. Sometimes called an allowance.

Prudential Ratios: Ratios used by regulators to determine the types and amounts
of lending a bank can undertake.

Stress Testing: Testing a valuation model by using assumptions and initial
data outside normal market circumstances and assessing
whether the model’s predictions are still reliable.

Vostros: Accounts held by the bank in the name of a correspondent
bank. (Appendix 2 paragraph 32)

Reference Material

The following is a list of material that auditors of banks’ financial statements may find
helpful.

Basel Committee on Banking Supervision:

Publication 30: Core Principles for Effective Banking Supervision. Basel, 1997.

Publication 33: Framework for Internal Control Systems in Banking Organisations.
Basel, 1998.

Publication 55: Sound Practices for Loan Accounting and Disclosure. Basel, 1999.

Publication 56: Enhancing Corporate Governance in Banking Organisations. Basel, 1999.

Publication 72: Internal Audit in Banking Organisations and the Relationship of the
Supervisory Authorities with Internal and External Auditors. Basel, 2000.

Publication 75: Principles for the Management of Credit Risk. Basel, 2000.

Publication 77: Customer Due Diligence for Banks. Basel, 2001.

Publication 82: Risk Management Principles for Electronic Banking. Basel, 2001.

Publications of the Basel Committee on Banking Supervision can be downloaded from
the web site of the Bank for International Settlements: http://www.bis.org.

International Accounting Standards Board:

IAS 30: Disclosures in the Financial Statements of Banks and Similar Financial
Institutions. London, 1999.

IAS 32: Financial Instruments: Disclosure and Presentation. London, 2000.

IAS 37: Provisions, Contingent Liabilities and Contingent Assets. London, 1998.

IAS 39: Financial Instruments: Recognition and Measurement. London, 2000.

In addition a number of IFAC member bodies have issued reference and guidance
material on banks and the audits of the financial statements of banks.
