Understanding the Bank and Its Environment including Internal Control

As per SA 315, the auditor’s objective is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. This will help the auditor to reduce the risk of material misstatement to an acceptably low level and enable him to issue his audit report based on his audit findings.

An understanding of the bank and its environment, including its internal control, enables the auditor:

• to identify and assess risk;

• to develop an audit plan so as to determine the operating effectiveness of the controls, and to address the specific risks. Further, documentation of the auditor’s understanding of the bank and its environment provides an effective mechanism for accumulating and sharing knowledge and experience and briefing the same to all the members of the engagement team, particularly in case of multi-location audit engagements.

• to assist in issuing his report on internal financial controls in terms of Section 143(1)(i) of the Companies Act, 2013, wherever applicable.

The audit engagement partner should appropriately be involved so as to achieve its basic objective of identifying and assessing the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels. The use of professional skepticism, and experience acquired during the course of other audits play a vital role in this process.

In addition to the considerations mentioned in paragraph 11 of SA 315, when obtaining an understanding of the bank and its environment, including its internal control, the auditor is required to:

• Obtain an understanding of the bank’s accounting process relevant to financial reporting.

• Obtain an understanding of the bank’s internal control relevant to the audit.

Management may prepare a variety of information so as to operate the business more effectively and efficiently. The auditor may consider using this information in identifying risks of material misstatement. Such information may be internally generated (e.g., budgets and strategic plans, monthly financial and operating reports) or externally generated (e.g., trade periodicals, analysts’ reports on the banking industry or the bank).

While obtaining an understanding of the bank and its environment, including its internal control, the auditor should consider whether the information obtained during the course of audit indicates risks of material misstatement due to fraud. For this purpose, the following factors assume importance:

• Understanding the bank’s corporate governance structure. RBI has laid down specific guidelines to be complied with by the banks, with regard to the formation of various committees and determination of their specific functions, extent of audit coverage, etc. Provisions of clause 49 of the Listing Agreement also need to be complied with by the listed banks.

• Obtaining and maintaining a record of the understanding of the products and services offered by the bank. The auditor should be aware of the various deposit, loan and treasury products and services that are offered and continue to be developed and modified by the bank in response to market conditions and guidelines issued by the RBI from time to time. Similarly, the auditor should obtain an understanding of the nature of services rendered through off balance sheet and other similar instruments; inherent risks arising as a result thereof; and auditing, accounting and disclosure implications thereof.

• Understanding the regulatory requirements of other regulatory authorities like SEBI, IRDA for other products like depository participants, insurance selling, mutual fund selling, etc. The same is important, as the bank may face penal action in case of non-compliance with the respective regulation.

• The extent of use of service organisations needs to be evaluated, since it is the responsibility of the bank to ensure compliance with the rules and regulations, as well as to ensure that the service organisations have adequate internal controls. The auditor may ask for a report under SA 402 “Audit Considerations Relating to An Entity Using a Service Organisation.”

The auditor may decide to visit the significant operating units of the bank, especially in the case of a multi-location bank. This would enhance the auditor’s understanding, and would also assist in the assessment of engagement risk, and identification of pervasive risks and specific risks. Such visits enable the auditor to interact with the local management and acquire an understanding of their significant policies, and other relevant factors affecting the working of that particular operating unit.

In obtaining an understanding of the bank and its environment, the auditor, ordinarily, documents the following:

• pervasive risks and specific risks that have been identified;

• needs, expectations, and concerns of senior management and those charged with governance; and other relevant administrative matters.