Audit of Banks
CONTENTS
Introduction (paragraphs 1–8)
Audit Objectives (paragraphs 9–11)
Agreeing the Terms of the Engagement (paragraphs 12–14)
Planning the Audit (paragraphs 15–55)
Internal Control (paragraphs 56–70)
Performing Substantive Procedures (paragraphs 71–100)
Reporting on the Financial Statements (paragraphs 101–103)
Appendix 1: Risks and Issues in Respect of Fraud and Illegal Acts
Appendix 2: Examples of Internal Control Considerations and Substantive Procedures for Two Areas of a Bank’s Operations
Appendix 3: Examples of Financial Information, Ratios and Indicators Commonly Used in the Analysis of a Bank’s Financial Condition and Performance
Appendix 4: Risks and Issues in Securities Underwriting and Securities Brokerage
Appendix 5: Risks and Issues in Private Banking and Asset Management
Glossary and References
IAPS 1006 58
AUDITS OF THE FINANCIAL STATEMENTS OF BANKS
AUDITING
* The Basel Committee on Banking Supervision is a committee of banking and supervisory authorities that
was established by the central bank governors of ten countries in 1975. It consists of senior representatives
of bank supervisory authorities and central banks from Belgium, Canada, France, Germany, Italy, Japan,
Luxembourg, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States. It usually
meets at the Bank for International Settlements in Basel, where its permanent secretariat is located.
Introduction
1. The purpose of this Statement is to provide practical assistance to auditors and
to promote good practice in applying International Standards on Auditing
(ISAs) to the audit of banks’ financial statements. It is not, however, intended to
be an exhaustive listing of the procedures and practices to be used in such an
audit. In conducting an audit in accordance with ISAs the auditor complies with
all the requirements of all the ISAs.
2. In many countries, banking supervisors require that the auditor report certain
events to the regulators or make regular reports to them in addition to the audit
report on the banks’ financial statements. This Statement does not deal with
such reports, the requirements for which often vary significantly between
countries. IAPS 1004, “The Relationship Between Banking Supervisors and
Bank’s External Auditors” discusses that subject in more detail.
3. For the purpose of this Statement, a bank is a type of financial institution whose
principal activity is the taking of deposits and borrowing for the purpose of
lending and investing and that is recognized as a bank by the regulatory
authorities in any countries in which it operates. There are a number of other
types of entity that carry out similar functions, for example, building societies,
credit unions, friendly societies, savings and loan associations and thrift
institutions. The guidance in this Statement is applicable to audits of financial
statements that cover the banking activities carried out by those entities. It also
applies to the audits of consolidated financial statements that include the results
of banking activities carried out by any group member. This Statement
addresses the assertions made in respect of banking activities in the entity’s
financial statements and so indicates which assertions in a bank’s financial
statements cause particular difficulties and why they do so. This necessitates an
approach based on the elements of the financial statements. However, when
obtaining audit evidence to support the financial statement assertions, the
auditor often carries out procedures based on the types of activities the entity
carries out and the way in which those activities affect the financial statement
assertions.
4. Banks commonly undertake a wide range of activities. However, most banks
continue to have in common the basic activities of deposit taking, borrowing,
lending, settlement, trading and treasury operations. This Statement’s primary
purpose is the provision of guidance on the audit implications of such activities.
In addition, this Statement provides limited guidance in respect of securities
underwriting and brokerage, and asset management, which are activities that
auditors of banks’ financial statements frequently encounter. Banks typically
undertake activities involving derivative financial instruments. This Statement
gives guidance on the audit implications of such activities when they are part of
the bank’s trading and treasury operations. IAPS 1012, “Auditing Derivative
Financial Instruments” gives guidance on such activities when the bank holds
derivatives as an end user.
5. This Statement is intended to highlight those risks that are unique to
banking activities. There are many audit-related matters that banks share
with other commercial entities. The auditor is expected to have a sufficient
understanding of such matters and so, although those matters may affect the
audit approach or may have a material effect on the bank’s financial
statements, this Statement does not discuss them. This Statement describes
in general terms aspects of banking operations with which an auditor
becomes familiar before undertaking the audit of a bank’s financial
statements: it is not intended to describe banking operations. Consequently,
this Statement on its own does not provide an auditor with sufficient
background knowledge to undertake the audit of a bank’s financial
statements. However, it does point out areas where that background
knowledge is required. Auditors will supplement the guidance in this
Statement with appropriate reference material and by reference to the work
of experts as required.
6. Banks have the following characteristics that generally distinguish them
from most other commercial enterprises:
• They have custody of large amounts of monetary items, including cash
and negotiable instruments, whose physical security has to be
safeguarded during transfer and while being stored. They also have
custody and control of negotiable instruments and other assets that are
readily transferable in electronic form. The liquidity characteristics of
these items make banks vulnerable to misappropriation and fraud. Banks
therefore need to establish formal operating procedures, well-defined
limits for individual discretion and rigorous systems of internal control.
• They often engage in transactions that are initiated in one jurisdiction,
recorded in a different jurisdiction and managed in yet another
jurisdiction.
• They operate with very high leverage (that is, the ratio of capital to total
assets is low), which increases banks’ vulnerability to adverse economic
events and increases the risk of failure.
• They have assets that can rapidly change in value and whose value is
often difficult to determine. Consequently, a relatively small decrease
in asset values may have a significant effect on their capital and
potentially on their regulatory solvency.
• They generally derive a significant amount of their funding from short-
term deposits (either insured or uninsured). A loss of confidence by
depositors in a bank’s solvency may quickly result in a liquidity crisis.
• They have fiduciary duties in respect of the assets they hold that belong
to other persons. This may give rise to liabilities for breach of trust. They
therefore need to establish operating procedures and internal controls
designed to ensure that they deal with such assets only in accordance
with the terms on which the assets were transferred to the bank.
• They engage in a large volume and variety of transactions whose value
may be significant. This ordinarily requires complex accounting and
internal control systems and widespread use of information technology
(IT).
• They ordinarily operate through networks of branches and departments
that are geographically dispersed. This necessarily involves a greater
decentralization of authority and dispersal of accounting and control
functions, with consequential difficulties in maintaining uniform
operating practices and accounting systems, particularly when the branch
network transcends national boundaries.
• Transactions can often be directly initiated and completed by the
customer without any intervention by the bank’s employees, for example
over the Internet or through automatic teller machines (ATMs).
• They often assume significant commitments without any initial transfer
of funds other than, in some cases, the payment of fees. These
commitments may involve only memorandum accounting entries.
Consequently their existence may be difficult to detect.
• They are regulated by governmental authorities, whose regulatory
requirements often influence the accounting principles that banks follow.
Non-compliance with regulatory requirements, for example, capital
adequacy requirements, could have implications for the bank’s financial
statements or the disclosures therein.
• Customer relationships that the auditor, assistants, or the audit firm may
have with the bank might affect the auditor’s independence in a way that
customer relationships with other organizations would not.
• They generally have exclusive access to clearing and settlement systems
for checks, fund transfers, foreign exchange transactions, etc.
• They are an integral part of, or are linked to, national and international
settlement systems and consequently could pose a systemic risk to the
countries in which they operate.
• They may issue and trade in complex financial instruments, some of
which may need to be recorded at fair values in the financial statements.
They therefore need to establish appropriate valuation and risk
management procedures. The effectiveness of these procedures depends
on the appropriateness of the methodologies and mathematical models
(d) Risks and issues in securities operations, private banking and asset
management.
Audit Objectives
9. ISA 200, “Objective and General Principles Governing an Audit of Financial
Statements” states:
The objective of an audit of financial statements is to enable the
auditor to express an opinion whether the financial statements are
prepared, in all material respects, in accordance with an applicable
financial reporting framework.
10. The objective of the audit of a bank’s financial statements conducted in
accordance with ISAs is, therefore, to enable the auditor to express an opinion
on the bank’s financial statements, which are prepared in accordance with the
applicable financial reporting framework.
11. The auditor’s report indicates the financial reporting framework that has been
used to prepare the bank’s financial statements (including identifying the
country of origin of the financial reporting framework when the framework
used is not International Accounting Standards). When reporting on financial
statements of a bank prepared specifically for use in a country other than that
under whose rules it is established, the auditor considers whether the financial
statements contain appropriate disclosures about the financial reporting
framework used. Paragraphs 101–103 of this Statement discuss the auditor’s
report in more detail.
risk that the bank’s system of internal control does not prevent or detect
and correct such misstatements on a timely basis (control risk);
• Determining the nature, timing and extent of the audit procedures to
be performed; and
• Considering the going concern assumption regarding the entity’s
ability to continue in operation for the foreseeable future, which will
be the period used by management in making its assessment under
the financial reporting framework. This period will ordinarily be for
a period of at least one year after the balance sheet date.
Legal and documentary risk: The risk that contracts are documented incorrectly or
are not legally enforceable in the relevant jurisdiction
in which the contracts are to be enforced or where the
counterparties operate. This can include the risk that
assets will turn out to be worth less or liabilities will
turn out to be greater than expected because of
inadequate or incorrect legal advice or documentation.
In addition, existing laws may fail to resolve legal
issues involving a bank; a court case involving a
particular bank may have wider implications for the
banking business and involve costs to it and many or
all other banks; and laws affecting banks or other
commercial enterprises may change. Banks are
particularly susceptible to legal risks when entering
into new types of transactions and when the legal right
(a) The need to process high volumes of transactions accurately within a
short time. This need is almost always met through the large-scale use
of IT, with the resultant risks of:
(i) Failure to carry out executed transactions within the required
time, causing an inability to receive or make payments for those
transactions;
(ii) Failure to carry out complex transactions properly;
(iii) Wide-scale misstatements arising from a breakdown in
internal control;
(iv) Loss of data arising from systems’ failure;
(v) Corruption of data arising from unauthorized interference with
the systems; and
bank’s assets for personal gain that may or may not involve the falsification
of records. Alternatively, fraud may be perpetrated on a bank without the
knowledge or complicity of the bank’s employees. ISA 240, “The Auditor’s
Responsibility to Consider Fraud and Error in an Audit of Financial
Statements”1 gives more guidance on the nature of the auditor’s
responsibilities with respect to fraud. Although many areas of a bank’s
operations are susceptible to fraudulent activities, the most common take
place in the lending, deposit-taking and dealing functions. The methods
commonly used to perpetrate fraud and a selection of the fraud risk factors
that indicate that a fraud may have occurred are set out in Appendix 1.
27. By the nature of their business, banks are ready targets for those engaged in
money laundering activities by which the proceeds of crime are converted
into funds that appear to have a legitimate source. In recent years drug
traffickers in particular have greatly added to the scale of money laundering
that takes place within the banking industry. In many jurisdictions,
legislation requires banks to establish policies, procedures and controls to
deter and to recognize and report money laundering activities. These
policies, procedures and controls commonly extend to the following:
• A requirement to obtain customer identification (know your client).
• Staff screening.
• A requirement to know the purpose for which an account is to be
used.
• The maintenance of transaction records.
• The reporting to the authorities of suspicious transactions or of all
transactions of a particular type, for example, cash transactions over
a certain amount.
• The education of staff to assist them in identifying suspicious
transactions.
In some jurisdictions, auditors may have an express obligation to report to
the authorities certain types of transactions that come to their attention.
Even where no such obligation exists, an auditor who discovers a possible
instance of noncompliance with laws or regulations considers the
implications for the financial statements and the audit opinion thereon. ISA
250, “Consideration of Laws and Regulations in an Audit of Financial
Statements” gives further guidance on this matter.
1 ISA 240, “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial
Statements” was withdrawn in December 2004 when the revised ISA 240, “The Auditor’s
Responsibility to Consider Fraud in an Audit of Financial Statements” became effective.
• The assessment of audit risk;
• The assessment of materiality;
• Management’s representations;
• The involvement of other auditors;
• The geographic spread of the bank’s operations and the co-ordination
of work between different audit teams;
• The existence of related party transactions; and
• Going concern considerations.
These matters are discussed in subsequent paragraphs.
The Extent to which any Core Activities are Provided by Service Organizations
32. In principle, the considerations when a bank uses service organizations are
no different from the considerations when any other entity uses them.
However, banks sometimes use service organizations to perform parts of
their core activities, such as credit and cash management. When the bank
uses service organizations for such activities, the auditor may find it
difficult to obtain sufficient appropriate audit evidence without the
cooperation of the service organization. ISA 402, “Audit Considerations
Relating to Entities Using Service Organizations” provides further guidance
on the auditing considerations and the types of reports that auditors of
service organizations provide to the organization’s clients.
Regulatory Considerations
35. The International Auditing Practices Statement 1004 provides information and
guidance on the relationship between bank auditors and banking supervisors.
The Basel Committee has issued supervisory guidance regarding sound banking
practices for managing risks, internal control systems, loan accounting and
disclosure, other disclosures and for other areas of bank activities. In addition,
the Basel Committee has issued guidance on the assessment of capital adequacy
and other important supervision topics. This guidance is available to the auditor
and to the public on the internet website of the Bank for International
Settlements (BIS).
36. In accordance with ISA 310, “Knowledge of the Business”2 the auditor
considers whether the assertions in the financial statements are consistent with
2 ISA 310, “Knowledge of the Business” was withdrawn in December 2004 when ISA 315,
“Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”
became effective.
understanding of where the core IT applications are located. If the bank’s
wide area network (WAN) is dispersed over several countries, specific
legislative rules might apply to cross-border data processing. In such an
environment, audit work on the access control system, especially on the
access violation system, is an important part of the audit.
41. An electronic commerce environment changes significantly the way the bank
conducts its business. Electronic commerce presents new aspects of risk and
other considerations that the auditor addresses. For example, the auditor
considers the following:
• The business risks the bank’s e-commerce strategy presents.
• The risks inherent in the technology the bank has chosen to
implement its electronic commerce strategy.
3 IAPS 1001, “IT Environments—Stand-Alone Personal Computers” was withdrawn in December 2004.
Audit Risk
45. The three components of audit risk are:
(a) Inherent risk (the risk that material misstatements occur);
(b) Control risk (the risk that the bank’s system of internal control does
not prevent or detect and correct such misstatements on a timely
basis); and
(c) Detection risk (the risk that the auditor will not detect any remaining
material misstatements).
Inherent and control risks exist independently of the audit of financial
information and the auditor cannot influence them. The nature of risks
associated with banking activities, which are discussed in paragraphs 21–25,
indicates that the assessed level of inherent risk in many areas will be high. It
is therefore necessary for a bank to have an adequate system of internal
control if the levels of inherent and control risks are to be less than high.
The auditor assesses these risks and designs substantive procedures so as to
reduce audit risk to an acceptably low level.
Materiality
46. In making an assessment of materiality, in addition to the considerations set out
in ISA 320, “Audit Materiality,” the auditor considers the following factors:
Management’s Representations
47. Management’s representations are relevant in the context of a bank audit to
assist the auditor in determining whether the information and evidence obtained
is complete for the purposes of the audit. This is particularly true of the bank’s
transactions that may not ordinarily be reflected in the financial statements (off-
balance sheet items), but which may be evidenced by other records of which the
auditor may not be aware. It is often also necessary for the auditor to obtain
from management representations regarding significant changes in the bank’s
business and its risk profile. It may also be necessary for the auditor to identify
areas of a bank’s operations where audit evidence likely to be obtained may
need to be supplemented by management’s representations, for example, loan
loss provisions and the completeness of correspondence with regulators. ISA
580, “Management Representations” provides guidance as to the use of
management representations as audit evidence, the procedures that the auditor
applies in evaluating and documenting them, and the circumstances in which
representations should be obtained in writing.
locations in which the bank operates. This may be achieved by using other
offices of the auditor’s firm or by using other auditing firms in those locations.
49. Before using the work of another auditor, the auditor:
• Considers the independence of those auditors and their competence to
undertake the necessary work (including their knowledge of banking and
applicable regulatory requirements);
• Considers whether the terms of the engagement, the accounting
principles to be applied and the reporting arrangements are clearly
communicated; and
• Performs procedures to obtain sufficient appropriate audit evidence that
the work performed by the other auditor is adequate for this purpose by
discussion with the other auditor, by a review of a written summary of
the procedures applied and findings, by a review of the working papers
of the other auditor, or in any other manner appropriate to the
circumstances.
ISA 600, “Using the Work of Another Auditor” provides further guidance on
the issues to be addressed and procedures to be performed in such situations.
○ Other offices of the auditor’s firm; and
○ Other audit firms.
• The extent to which it is planned to use the work of internal auditing.
• Required reporting dates to shareholders and the regulatory
authorities.
• Any special analyses and other documentation to be provided by
bank management.
51. The best level of co-ordination between assistants can often be achieved by
regular audit-status meetings. However, given the number of assistants and the
number of locations at which they will be involved, the auditor ordinarily
communicates all or relevant portions of the audit plan in writing. When setting
• Discussing the results of any inspections currently in process.
55. The regulatory regime under which the bank operates may require the
auditor to disclose to the regulator any intention to issue a modified opinion
or any concerns that the auditor may have about the bank’s ability to
continue as a going concern. IAPS 1004 provides further discussion of the
relationship between the auditor and the banking supervisor.
Internal Control
Introduction
56. The Basel Committee on Banking Supervision has issued a policy paper,
“Framework for Internal Control Systems in Banking Organisations”
(September 1998), which provides banking supervisors with a framework
for evaluating banks’ internal control systems. This framework is used by
many banking supervisors, and may be used during supervisory discussions
4 ISA 400, “Risk Assessments and Internal Control” was withdrawn in December 2004 when ISA 315,
“Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”
and ISA 330, “The Auditor’s Procedures in Response to Assessed Risks” became effective.
objectives except to the extent that any failure to comply with such
responsibilities might have led to the financial statements being materially
misstated.
60. An examination of the authorization controls will be important to the auditor in
considering whether transactions have been entered into in accordance with the
bank’s policies and, for example, in the case of the lending function, that they
have been subject to appropriate credit assessment procedures prior to the
disbursement of funds. The auditor will typically find that limits for levels of
exposures exist in respect of various transaction types. When performing tests
of controls, the auditor considers whether these limits are being adhered to and
whether positions in excess of these limits are reported to the appropriate level
of management on a timely basis.
61. From an audit perspective, the proper functioning of a bank’s authorization
controls is particularly important in respect of transactions entered into at or
near the date of the financial statements. This is because aspects of the
transaction have yet to be fulfilled, or there may be a lack of evidence with
which to assess the value of the asset acquired or liability incurred.
Examples of such transactions are commitments to purchase or sell specific
securities after the period-end and loans, where principal and interest
payments from the borrower have yet to be made.
All Transactions and Other Events are Promptly Recorded at the Correct Amount, in
the Appropriate Accounts and in the Proper Accounting Period so as to Permit
Preparation of Financial Statements in Accordance with the Applicable Financial
Reporting Framework
62. In considering the internal controls that management use to ensure that all
transactions and other events are properly recorded, the auditor takes into
account a number of factors that are especially important in a banking
environment. These include the following:
• Banks deal in large volumes of transactions that can individually or
cumulatively involve large sums of money. Accordingly, the bank
needs to have balancing and reconciliation procedures that are
carried out within a time-frame that allows the detection of errors and
discrepancies so that they can be investigated and corrected with
minimal loss to the bank. Such procedures may be carried out hourly,
daily, weekly, or monthly, depending on the volume and nature of
the transaction, level of risk, and transactions settlement time-frame.
The purpose of these reconciliations is often to ensure the
completeness of transaction processing across highly complex
integrated IT systems and the reconciliations themselves are
normally automatically generated by these systems.
• Many of the transactions entered into by banks are subject to specialized
accounting rules. Banks should have control procedures in place to
ensure those rules are applied in the preparation of appropriate financial
information for management and external reporting. Examples of such
control procedures are those that result in the market revaluation of
foreign exchange and security purchase and sale commitments so as to
ensure that all unrealized profits and losses are recorded.
• Some of the transactions entered into by banks may not be required
to be disclosed in the financial statements (for example, transactions
that the accounting framework allows to be regarded as off balance
sheet items). Accordingly, control procedures must be in place to
ensure that such transactions are recorded and monitored in a manner
that provides management with the required degree of control over
them and that allows for the prompt determination of any change in
their status that needs to result in the recording of a profit or loss.
• Banks are constantly developing new financial products and services.
The auditor considers whether the necessary revisions are made in
accounting procedures and related internal controls.
transaction confirmation and reconciliation procedures. Reports from the
auditors of service organizations may be of use here, and ISA 402 gives
guidance on the auditor’s consideration of such reports.
5 ISA 400, “Risk Assessments and Internal Control,” ISA 401, “Auditing in a Computer Information
Systems Environment,” and IAPS 1008, “Risk Assessments and Internal Control—CIS
Characteristics and Considerations” were withdrawn in December 2004 when ISA 315,
“Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”
and ISA 330, “The Auditor’s Procedures in Response to Assessed Risks” became effective.
Recorded Assets are Compared with the Existing Assets at Reasonable Intervals and
Appropriate Action is Taken Regarding Any Differences
66. The large amounts of assets handled by banks, the volumes of transactions
undertaken, the potential for changes in the value of those assets due to
fluctuations in market prices and the importance of confirming the continued
operation of access and authorization controls necessitate the frequent
operation of reconciliation controls. This is particularly important for:
(a) Assets in negotiable form, such as cash, bearer securities and assets in
the form of deposit and security positions with other institutions where
failure to detect errors and discrepancies quickly (which may mean
daily where money market transactions are involved) could lead to an
irrecoverable loss: reconciliation procedures used to achieve this control
objective will ordinarily be based on physical counting and third party
confirmation;
(b) Assets whose value is determined with reference to valuation models or
external market prices, such as securities and foreign exchange
contracts; and
(c) Assets held on behalf of clients.
67. In designing an audit plan to assess the effectiveness of a bank’s reconciliation
controls, the auditor considers factors such as the following.
• Because of the number of accounts requiring reconciliation and the
frequency with which these reconciliations need to be performed:
○ Much of the audit effort is directed to the documentation,
testing and evaluation of the reconciliation controls; and
Examples of Controls
68. Appendix 2 to this Statement contains examples of controls over authorization,
recording, access and reconciliation ordinarily found in the treasury and trading
and lending operations of a bank.
70. In assessing the effectiveness of specific control procedures, the auditor
considers the environment in which internal control operates. Some of the
factors that may be considered include the following:
• The organizational structure of the bank and the manner in which it
provides for the delegation of authority and responsibilities.
• The quality of management supervision.
• The extent and effectiveness of internal auditing.
• The extent and effectiveness of the risk management and compliance
systems.
• The skills, competence and integrity of key personnel.
• The nature and extent of inspection by supervisory authorities.
6
See footnote 4.
Audit Procedures
73. To address the assertions discussed above, the auditor may perform the
following procedures:
(a) Inspection.
(b) Observation.
(c) Inquiry and confirmation.
(d) Computation.
(e) Analytical procedures.
In the context of the audit of a bank’s financial statements, inspection,
inquiry and confirmation, computation and analytical procedures require
particular attention and are discussed in the following paragraphs.
7
ISA 500, “Audit Evidence” was withdrawn in December 2004 when the revised ISA 500, “Audit
Evidence” became effective.
Inspection
74. Inspection consists of examining records, documents, or tangible assets. The
auditor inspects in order to:
• Be satisfied as to the physical existence of material negotiable assets that
the bank holds; and
• Obtain the necessary understanding of the terms and conditions of
agreements (including master agreements) that are significant
individually or in the aggregate in order to:
○ Consider their enforceability; and
○ Assess the appropriateness of the accounting treatment they
have been given.
75. Examples of areas where inspection is used as an audit procedure are:
• Securities;
• Loan agreements;
• Collateral; and
• Commitment agreements, such as:
○ Asset sales and repurchases; and
○ Guarantees.
76. In carrying out inspection procedures, the auditor remains alert to the
possibility that some of the assets the bank holds may be held on behalf of
third parties rather than for the bank’s own benefit. The auditor considers
whether adequate internal controls exist for the proper segregation of such
assets from those that are the property of the bank and, where such assets
are held, considers the implications for the financial statements. As noted in
paragraph 58 the auditor is concerned with the existence of third party
assets only to the extent that the bank’s failure to comply with its
obligations may lead to the financial statements being materially misstated.
Computation
79. Computation consists of checking the arithmetical accuracy of source
documents and accounting records or of performing independent calculations.
In the context of the audit of a bank’s financial statements, computation is a
useful procedure for checking the consistent application of valuation models.
Analytical Procedures
80. Analytical procedures consist of the analysis of significant ratios and trends
including the resulting investigation of fluctuations and relationships that
are inconsistent with other relevant information or deviate from predicted
may benefit from the review of ratios and trends and of the extent to
which they vary from previous periods, budgets and the results of other
similar entities.
• By using analytical procedures, the auditor may detect circumstances
that call into question the appropriateness of the going concern
assumption, such as undue concentration of risk in particular industries
or geographic areas and potential exposure to interest rate, currency and
maturity mismatches.
• In most countries there is a wide range of statistical and financial
information available from regulatory and other sources that the auditor
can use to conduct an in-depth analytical review of trends and peer group
analyses.
A useful starting point in considering appropriate analytical procedures is to
consider what information and performance or risk indicators management
of instruments held in bearer form. The auditor
also considers whether there are any
encumbrances on the title to the instruments.
The auditor tests for the existence of sale and
forward repurchase agreements for evidence of
unrecorded liabilities and losses.
Valuation
The auditor considers the appropriateness of the
valuation techniques employed in light of the
creditworthiness of the issuer.
Measurement
The auditor considers whether there is a need to
test for the proper accrual of income earned on
increased have been arbitrarily transferred from
Portfolio Investments (see paragraph 87)
primarily so that an unrealized gain can be taken
into income.
The auditor also considers whether to reperform
the valuation calculations and the extent of tests
of the controls over the bank’s valuation
procedures.
Measurement
The auditor also considers whether:
• The relationship between the types of
securities owned and the related income is
reasonable; and
• All significant gains and losses from sales and
revaluations have been reported in accordance
with the financial reporting framework (for
example, where gains and losses on trading
securities are treated differently from those on
investment securities).
88. INVESTMENTS IN SUBSIDIARIES AND
ASSOCIATED ENTITIES
In many cases the audit of a bank’s investments
in subsidiaries and associated entities does not
differ from the audit of such investments held by
any other entity. However, there are some special
aspects that pose particular problems in respect of
banking operations.
• The composition of the loan portfolio, with
particular attention to:
○ The concentration of loans to specific:
– Borrowers and parties connected to them (including the procedures in
place to identify such connections);
– Commercial and industrial sectors;
– Geographic regions; and
– Countries;
○ The size of individual credit exposures (few large loans versus
numerous small loans);
between branches, between the bank and its
consolidated subsidiaries, and between the bank
and counterparties, are eliminated and that
reconciling items have been appropriately
addressed and accounted for.
Additionally, the auditor examines individual
items comprising the balance that have not been
cleared within a reasonable time period and also
considers whether the related internal control
procedures are adequate to ensure that such items
have not been temporarily transferred to other
accounts in order to avoid their detection.
as examination of related fee income in
respect of such activities and are
determined having regard to the degree of
risk attached to the particular type of
contingency being considered;
• Reviews the reasonableness of the period-
end contingent asset and liability figures
in the light of the auditor’s experience
and knowledge of the current year’s
activities; and
• Obtains representation from management
that all contingent assets and liabilities
have been recorded and disclosed as
required by the financial reporting
framework.
transactions with any given counterparty.
Completeness
Due to the continuing development of new
financial instruments, there may be a lack of
established procedures between participants and
within the bank. The auditor therefore assesses
the adequacy of the system of internal control,
particularly with respect to:
• The adequacy of the procedures and the
division of duties regarding the matching of
documentation received from counterparties
and reconciliation of accounts with
counterparties; and
current interest or foreign exchange rates.
As some of these instruments have been developed
only recently, the auditor examines their valuation
with a special degree of caution, and in doing so
bears in mind the following factors:
• There may be no legal precedents concerning
the terms of the underlying agreements. This
makes it difficult to assess the enforceability
of those terms.
• There may be a relatively small number of
management personnel who are familiar with
the inherent risks of these instruments. This
may lead to a higher risk of misstatements
occurring and a greater difficulty in
establishing controls that would prevent
credit risk equivalent and replacement value
of outstanding off-balance sheet instruments.
considered as part of the loan review audit
procedures where the fee has been added to a
loan balance outstanding).
• Whether the income is accounted for in
accordance with the applicable financial
reporting framework.
complete understanding of a transaction, certain
circumstances may warrant a discussion with the
related party, their auditor, or other parties such as
legal counsel, who are familiar with the
transaction. ISA 580, “Management
Representations” gives further guidance on the
use of management representations.
Completeness
The auditor considers whether all the bank’s
income from such activities has been recorded
and is fairly stated in the bank’s financial
statements. The auditor also considers whether
the bank has incurred any material undisclosed
with the banking framework instead of the general framework, the auditor
considers the need to refer to this fact in an emphasis of matter paragraph.
103. Banks often present additional information in annual reports that also
contain audited financial statements. This information frequently contains
details of the bank’s risk adjusted capital, and other information relating to
the bank’s stability, in addition to any disclosures in the financial
statements. ISA 720, “Other Information in Documents Containing Audited
Financial Statements” provides guidance on the procedures to be
undertaken in respect of such additional information.
Appendix 1
8
See footnote 1.
simpler traditional products are not updated to address newer complex products,
a bank may be exposed to a greater risk of loss from fraud.
• The absence or failure of key control structures and activities, such as segregation
of duties, approvals, verifications, reconciliations, and reviews of operating
performance. In particular, the lack of a segregation of duties has played a major
role in fraudulent activities that resulted in significant losses at banks.
• Inadequate communication of information between levels of management within
the bank, especially in the upward communication of problems. When policies
and procedures are not appropriately communicated to all personnel involved in
an activity, an environment is created that may foster fraudulent activities. In
addition, fraud may go undetected when information about inappropriate activities
that should be brought to the attention of higher level management is not
communicated to the appropriate level until the problems become severe.
• Inadequate or ineffective internal audit programs and monitoring activities.
When internal auditing or other monitoring activities are not sufficiently
rigorous to identify and report control weaknesses, fraud may go undetected at
banks. When adequate mechanisms are not in place to ensure that management
corrects deficiencies reported by auditors, fraud may continue unabated.
The following table and discussion in this appendix provide examples of fraud risk
factors.
• Theft of customer deposits or investments, particularly from dormant accounts
• Broker kickbacks
• False deals
• Unrecorded deals
• Delayed deal allocations
• Misuse of discretionary accounts
• Exploiting weaknesses in matching procedures
• Deposit transformation
• Transactions with connected companies
• Kickbacks and inducements
• Use of parallel organizations
• Funds transformation
• Selling recovered
Unrecorded Deposits
• Any evidence of deposit-taking by any other company of which there are details
on the premises, whether part of the bank or not.
• Documentation held in management offices that it is claimed has no connection
with the business of the bank or evasive replies regarding such documents.
Broker Kickbacks
• High levels of business with a particular broker.
• Unusual trends in broker commissions.
False Deals
• A significant number of cancelled deals.
• Unusually high value of unsettled transactions.
Unrecorded Deals
• High levels of profit by particular dealers in relation to stated dealing strategy.
• Significant number of unmatched counterparty confirmations.
Funds Transformation
(Methods used to conceal the use of bank funds to make apparent loan repayments)
• Loans which suddenly become performing shortly before the period end or prior
to an audit visit.
• Transactions with companies within a group or with its associated companies
where the business purpose is unclear.
• Lack of cash flow analysis that supports the income generation and repayment
ability of the borrower.
• No on-site appraisal of or visit by the borrower.
• Difficulty in obtaining corroboration of the individual’s credentials, inconsistent
or missing documentation and inconsistencies in personal details.
• Valuer from outside the area in which the property is situated.
• Valuation is ordered and received by the borrower rather than the lender.
• Lack of verification of liens to substantiate lien positions and priorities.
• Lack of physical control of collateral that requires physical possession to secure
a loan (for example, jewelry, bearer bonds and art work).
Appendix 2
Operational Controls
5. Is there appropriate segregation of duties between the front office and back
office?
6. Are the following activities conducted independently of the front
office/business unit:
• Confirmation of trades;
• Recording and reconciliation of positions and results;
• Valuation of trades or independent verification of market prices; and
• Settlement of trades?
7. Are trade tickets pre-numbered (if not automatically generated)?
8. Does the bank have a code of conduct for its dealers that addresses the
following:
• Prohibiting dealers from trading on their own account;
• Restricting acceptance of gifts and entertainment activities;
22. Are stress situations analyzed and “worst case” scenarios (which take into
account adverse market events such as unusual changes in prices or
volatilities, market illiquidity or default of a major counterparty) conducted
and tested?
23. Does management receive timely and meaningful reports?
Confirmations
24. Does the bank have written procedures in use:
• For the independent dispatch of pre-numbered outward confirmations
to counterparties for all trades entered into by the dealers;
• For the independent receipt of all incoming confirmations and their
matching to pre-numbered copies of internal trade tickets;
• For independent comparison of signatures on incoming confirmations
to specimen signatures;
• For the independent confirmation of all deals for which no inward
confirmation has been received; and
• For the independent follow-up of discrepancies on confirmations
received?
Settlement of Transactions
25. Are settlement instructions exchanged in writing with counterparties by the
use of inward and outward confirmations?
26. Are settlement instructions compared to the contracts?
27. Are settlements made only by appropriate authorized employees
independent of the initiation and recording of transactions and only on the
basis of authorized, written instructions?
28. Are all scheduled settlements (receipts and payments) notified daily in
writing to the settlement department so that duplicate requests and failures
to receive payments can be promptly detected and followed up?
29. Are accounting entries either prepared from or checked to supporting
documentation by operational employees, other than those who maintain
records of uncompleted contracts or perform cash functions?
Recording
30. Are exception reports generated for excesses in limits; sudden increases in
trading volume by any one trader, customer or counterparty; transactions at
unusual contract rates, etc.? Are these monitored promptly and
independently of the dealers?
instruments transacted). Based on this information, the auditor establishes
the associated risk profile and seeks to confirm the reliability of the internal
control and accounting systems.
identified at the dealing stage in order for the correct accounting treatment
to be applied. Where transactions are entered for hedging purposes, the
auditor considers the appropriate accounting treatment and presentation of
such transactions and the matched assets/liabilities, in accordance with
relevant accounting requirements.
Valuation Procedures
42. Off-balance sheet financial instruments are ordinarily valued at market or
fair value, except for instruments used for hedging purposes, which, under
many financial reporting frameworks, are valued on the same basis as the
underlying item being hedged. Where market prices are not readily available
for an instrument, financial models that are widely used by the banking
industry may be used to determine the fair value. In addition to disclosure of
the notional amounts of open positions, several countries require the
disclosure of the potential risk arising, as for example, the credit risk
equivalent and replacement value of such outstanding instruments.
43. The auditor ordinarily tests the valuation models used, including the controls
surrounding their operation, and considers whether details of individual
contracts, valuation rates and assumptions are appropriately entered into
such models. As many of these instruments have been developed only
recently, the auditor pays particular attention to their valuation, and in doing
so bears in mind the following factors:
• There may be no legal precedents concerning the terms of the underlying
agreements. This makes it difficult to assess the enforceability of those
terms.
• There may be a relatively small number of management personnel who
are familiar with the inherent risks of these instruments. This may lead
to a higher risk of misstatements occurring and a greater difficulty in
establishing controls that would prevent misstatements or detect and
correct them on a timely basis.
• Some of these instruments have not existed through a full economic
cycle (bull and bear markets, high and low interest rates, high and low
trading and price volatility) and it may therefore be more difficult to
assess their value with the same degree of certainty as for more
established instruments. Similarly, it may be difficult to predict with a
sufficient degree of certainty the price correlation with other offsetting
instruments used by the bank to hedge its positions.
• The models used for valuing such instruments may not operate
properly in abnormal market conditions.
44. In addition, the auditor considers the need for, and adequacy of, provisions
against financial instruments, such as liquidity risk provision, modeling risk
48. Credit risk represents a major cause of serious banking problems, and is
directly related to lax credit standards for borrowers and counterparties, lack
of qualified lending expertise, poor portfolio risk management, and a lack of
attention to changes in economic or other circumstances that may lead to a
deterioration in the credit standing of a bank’s counterparties. Effective
credit risk management is a critical component of a comprehensive approach
to risk management and essential to the long-term success of any banking
organization. In managing credit risk, banks should consider the level of risk
inherent in both individual credits or transactions and in the entire asset
portfolio. Banks also need to analyze the risk between credit risk and other
risks.
borrower’s business affect the degree of credit risk. Similarly, the credit risk
is influenced by the purpose and security for the exposure.
50. The credit function may conveniently be divided into the following
categories:
(c) Origination and disbursement.
(d) Monitoring.
(e) Collection.
(f) Periodic review and evaluation.
Monitoring
67. Are trial balances prepared and reconciled with control accounts by
employees who do not process or record loan transactions?
68. Are reports prepared on a timely basis of loans on which principal or interest
payments are in arrears?
69. Are these reports reviewed by employees independent of the lending
function?
70. Are there procedures in use to monitor the borrower’s compliance with any
loan restrictions (for example, covenants) and requirements to supply
information to the bank?
71. Are there procedures in place that require the periodic reassessment of
collateral values?
72. Are there procedures in place to ensure that the borrower’s financial position
and results of operations are reviewed on a regular basis?
73. Are there procedures in place to ensure that key administrative dates, such
as the renewal of security registrations, are accurately recorded and acted
upon as they arise?
Collection
74. Are the records of principal and interest collections and the updating of loan
account balances maintained by employees independent of the credit
granting function?
75. Is there a control to ensure that loans in arrears are followed up for payment
on a timely basis?
76. Are there written procedures in place to define the bank’s policy for
recovering outstanding principal and interest through legal proceedings,
such as foreclosure or repossession?
77. Are there procedures in place to provide for the regular confirmation of loan
balances by direct written communication with the borrower by employees
independent of the credit granting and loan recording functions, as well as
the independent investigation of reported differences?
Planning
82. The auditor obtains a knowledge and understanding of the bank’s method of
controlling credit risk. This includes matters such as the following:
• The bank’s exposure monitoring process, and its system for ensuring
that all connected party lending has been identified and aggregated.
• The bank’s method for appraising the value of exposure collateral and
for identifying potential and definite losses.
• The bank’s lending practices and customer base.
83. The auditor considers whether the exposure review program ensures
independence from the lending functions including whether the frequency is
sufficient to provide timely information concerning emerging trends in the
portfolio and general economic conditions and whether the frequency is
increased for identified problem credits.
84. The auditor considers the qualifications of the personnel involved in the
credit review function. The industry is changing rapidly and fundamentally,
creating a lack of qualified lending expertise. The auditor considers whether
credit review personnel possess the knowledge and skills necessary to
manage and evaluate lending activities.
85. The auditor considers, through information previously generated, the causes
of existing problems or weaknesses within the system. The auditor considers
whether these problems or weaknesses present the potential for future
problems.
86. The auditor reviews management reports and considers whether they are
sufficiently detailed to evaluate risk factors.
87. Note that defining and auditing related party lending transactions are
difficult because the transactions with related parties are not easily
identifiable. Reliance is primarily upon management to identify all related
parties and related-party transactions and such transactions may not be
easily detected by the bank’s internal control systems.
Tests of Control
88. The auditor obtains a knowledge and understanding of the bank’s method of
controlling credit risk. This includes matters such as:
• The exposure portfolio and the various features and characteristics of
the exposures;
• The exposure documentation used by the bank;
• What constitutes appropriate exposure documentation for different
types of exposures; and
• The bank’s procedures and authority levels for granting an exposure.
89. The auditor reviews the lending policies and considers:
• Whether the policies are reviewed and updated periodically to ensure
they are relevant with changing market conditions and new business
lines of the bank; and
• Whether those charged with governance have approved the policies and
whether the bank is in compliance.
90. The auditor examines the exposure review reporting system, including credit
file memoranda and an annual schedule or exposure review plan, and
considers whether it is thorough, accurate and timely and whether it will
provide sufficient information to allow management to both identify and
control risk. Do the reports include:
• Identification of problem credits;
Substantive Procedures
93. The auditor considers the extent of management’s knowledge of the bank’s
own credit exposure problems through selective exposure file reviews.
Selection criteria include the following:
• Accounts with an outstanding balance equal to or greater than a specified
amount.
• Modified auditor’s report.
• Information provided not current or complete.
• Advances significantly unsecured or secured substantially by a
guarantee.
• Accounts where reviews not performed by bank management on a
timely basis.
95. The auditor selects the exposures for detailed review from the exposure
listings above using the sample selection criteria determined above and
obtains the documents necessary to consider the collectability of the
exposures. These may include the following:
• The exposure and security documentation files.
• Arrears listings or reports.
• Activity summaries.
• Previous doubtful accounts listings.
• The non-current exposure report.
• Financial statements of the borrower.
• Security valuation reports.
96. Using the exposure documentation file, the auditor:
• Ascertains the exposure type, interest rate, maturity date, repayment
terms, security and stated purpose of the exposure;
• Considers whether security documents bear evidence of registration as
appropriate, and that the bank has received appropriate legal advice
about the security’s legal enforceability;
• Considers whether the fair value of the security appears adequate
(particularly for those exposures where a provision may be required) to
secure the exposure and that where applicable, the security has been
properly insured. Critically evaluates the collateral appraisals,
including the appraiser’s methods and assumptions;
• Evaluates the collectability of the exposure and considers the need for
a provision against the account;
• Determines whether the appropriate authority levels within the bank
have approved the exposure application or renewal;
• Reviews periodic financial statements of the borrower and notes
significant amounts and operating ratios (that is, working capital,
earnings, shareholders’ equity and debt-to-equity ratios); and
• Reviews any notes and correspondence contained in the exposure review
file. Notes the frequency of review performed by the bank’s staff and
considers whether it is within bank guidelines.
97. The auditor considers whether policies and procedures exist for problem and
workout exposures, including the following:
• A periodic review of individual problem credits.
• Guidelines for collecting or strengthening the exposure, including
requirements for updating collateral values and lien positions,
documentation review, officer call reports.
• Volume and trend of past due and non-accrual credits.
• Qualified officers handling problem exposures.
• Guidelines on proper accounting for problem exposures, for example,
non-accrual policy, specific reserve policy.
Appendix 3
changes in interest rates on the bank’s earnings or own funds)
• Relative size of engagements and liabilities
• Effect of changes in interest rates on the bank’s earnings or own funds
(f) Funding risk:
• Clients’ funding to total funding (clients’ plus interbank)
• Maturities
• Average borrowing rate
Appendix 4
Securities Brokerage
Many banks also are involved in securities brokerage activities that include
facilitating customers’ securities transactions. As with securities underwriting, banks
engaging in these activities (as a broker, dealer, or both) may be exposed to
substantial risks that have audit implications. These activities and the risks associated
with them are quite complex, and consideration is given to consulting with experts in
such matters.
The types of services offered to customers and the methods used to deliver them
determine the type and extent of risks present in securities brokerage activities. The
number of securities exchanges on which the bank conducts business and executes
trades for its customers also influences the risk profile. One service often offered is
the extension of credit to customers who have bought securities on margin, resulting
in credit risk to the bank. Another common service is acting as a depository for
securities owned by customers. Entities are also exposed to liquidity risks associated
with funding securities brokerage operations. The related audit risk factors are
similar to those set out in Appendix 5, “Risks and Issues in Asset Management.”
There is also a significant element of legal and regulatory risk that is driven by the
jurisdiction in which the security brokerage activities are taking place. This may be a
consideration for regulatory reporting by the bank, reports directly by the auditor to
regulators and also from the point of view of reputation and financial risk that may
occur in the event of regulatory breaches by the bank.
Appendix 5
consider when determining the nature, timing and extent of procedures to be performed.
Since private banking frequently involves asset management activities the audit risk
factors associated with asset management activities are also included below.
• Compliance with regulatory requirements. Private banking is highly regulated
in many countries. This may be a consideration for regulatory reporting by the
client, reports directly by the auditor to regulators and also from the point of
view of the reputation and financial risk that may occur in the event of
regulatory breaches by the bank. Also, the nature of private banking activities
may increase the bank’s susceptibility to money laundering, and thus may have
increased operational, regulatory, and reputational risks, which may have audit
implications.
• Confidentiality. This is generally a feature of private banking. In addition to the
normal secrecy which most countries accord bank/client relationships, many
jurisdictions where private banking is common have additional banking secrecy
legislation which may reduce the ability of regulators, taxing authorities or
police, from their own or other jurisdictions, to access client information. A
bank may seek to impose restrictions on an auditor’s access to the names of the
bank’s private clients, affecting the auditor’s ability to identify related party
transactions. A related issue is that the bank may be requested by a client not to
send correspondence, including account statements (hold mail accounts). This
may reduce the auditor’s ability to gain evidence as to completeness and
accuracy and, in the absence of adequate alternative procedures, the auditor
considers the implications of this for the auditor’s report.
• Management fraud. The tight confidentiality and personal nature of private
banking relationships may reduce the effectiveness of internal controls that
provide supervision and oversight over staff who deal with private clients’
affairs. The high degree of personal trust that may exist between a client and
their private banker may add to the risk in that many private bankers are given
some degree of autonomy over the management of their clients’ affairs. This
risk is exacerbated to the extent private clients may not be in a position to verify
their affairs on a regular basis as explained above.
• Services designed to legally transfer some degree of ownership/control of assets
to third parties, including trusts and other similar legal arrangements. Such
arrangements are not confined to private banking relationships; however, they
are commonly present in them. For the bank, the risk is that the terms of the
trust or other legal arrangement are not complied with or do not comply with the
applicable law. This exposes the bank to possible liability to the beneficiaries.
Controls in this area are particularly important, given that errors are often
identified only when the trust or other arrangement is wound up, possibly
decades after its creation. Private bankers often are also involved in preparing
wills or other testamentary documents, and act as executors. Improper drafting
of a will may carry financial consequences to the bank. Controls should exist in
this area and in the area of monitoring executor activity. The auditor considers
Asset Management
The following risk factors are provided as considerations in planning the strategy and
execution of the audit of a bank’s asset management activities. Included in this area
are fund management, pension management, vehicles designed to legally transfer
some degree of ownership/control of assets to third parties such as trusts or other
similar arrangements etc. This list is not exhaustive as the financial services industry
is a rapidly changing industry.
• When the asset manager and the assets themselves are not both audited by
the same audit firm. The performance of an asset manager and the assets
themselves generally are closely linked. It is easier to identify and understand
the implications of an issue arising in one entity on the financial statements of
the other if both are audited by the same firm, or if arrangements have been
made to permit an appropriate exchange of information between two audit
firms. Where there is no requirement for both the assets and the asset manager
to be audited, or where appropriate access to the other audit firm is not possible,
the auditor considers whether he is in a position to form a complete view.
• Fiduciary responsibility to third parties. Mismanagement of third party funds
may have a financial or reputational effect on an asset manager. Matters falling
into this category may include:
o Improper record keeping;
o Inadequate controls over the protection and valuation of assets;
transactions.
• Globalization and international diversification. These are features of many asset
managers and this may give rise to additional risks due to the diversity of
practice among different countries regarding matters such as pricing and
custody rules, regulations, legal systems, market practices, disclosure rules and
accounting standards.
Glossary of Terms
Hidden Reserves: Some financial reporting frameworks allow banks to manipulate
their reported income by transferring amounts to non-disclosed
reserves in years when they make large profits and transferring
amounts from those reserves when they make losses or small
profits. The reported income is the amount after such transfers.
The practice served to make the bank appear more stable by
reducing the volatility of its earnings, and would help to prevent
a loss of confidence in the bank by reducing the occasions on
which it would report low earnings.
Nostros: Accounts held in the bank’s name with a correspondent bank.
Provision: An adjustment to the carrying value of an asset to take account
of factors that might reduce the asset’s worth to the entity.
Sometimes called an allowance.
Prudential Ratios: Ratios used by regulators to determine the types and amounts of
lending a bank can undertake.
Stress Testing: Testing a valuation model by using assumptions and initial data
outside normal market circumstances and assessing whether the
model’s predictions are still reliable.
Vostros: Accounts held by the bank in the name of a correspondent bank.
Reference Material
The following is a list of material that auditors of banks’ financial statements may find
helpful.
IAS 39: Financial Instruments: Recognition and Measurement. London, 2000.
In addition a number of IFAC member bodies have issued reference and guidance
material on banks and the audits of the financial statements of banks.