Subscribe to the Bombay Chartered Accountant Journal Subscribe Now!

August 2009

Computer-Assisted Audit Tools (CAATs) — Effective use of CAATs by Bank Auditors in conducting Compliance Audits

By Deepjee Singhal, Manish Pipalia, Chartered Accountants
Preface :

    George is a Director — Analytics, with Control Analytics Inc. Control Analytics Inc. have been market leaders in the field of governance, risk management and control analytics for the last decade and are pioneers in the implementation of audit process tools. In a short span of time this bellwether firm has managed to establish a footprint in the accounting and finance segment, which was erstwhile the arena of large accounting and audit majors. This fast-paced growth was fuelled by a group of professionals who delivered consistent value propositions to all their clients by riding on the backbone of contemporary assurance technology.

    Control Analytics Inc. leveraged audit technology like general audit software (GAS), data mining tools, work paper administration tools, reporting applications and enterprise risk management applications to deliver value-added, high-return results to all its clients, from retail to manufacturing to information technology and healthcare.

    Control Analytics Inc. was solely responsible for overseeing all data analytic projects, and applied research projects for the firm.

    In a recent banking conclave, George was presenting on the role of ‘Compliance Reviews through CAATs’.

Introduction :

    The importance of internal control in banks cannot be over-emphasised. Banks deal primarily with cash and readily encashable documents. It is essential that they take every precaution to guard themselves against errors and frauds committed by their constituents or by their own employees.

    The following are the main principles of internal control in a bank :

  •      Every transaction should be checked and authorised by authorised persons before it actually takes place.

  •      Every transaction should be entered in the books before the next transaction is authorised.

  •      The routine procedure should be such as to prevent and detect errors and frauds in the normal course and before interests of the bank are adversely affected.

  •      There should be regular as well as surprise checks by inspectors and internal auditors, who should constantly review the working of all departments.

    The Statement on Standard Auditing Practices (SAP) 1, Basic Principles Governing an Audit, issued by the Institute of Chartered Accountants of India, states (paragraphs 19-20) :

    “The auditor should gain an understanding of the accounting system and related internal controls and should study and evaluate the operation of those internal controls upon which he wishes to rely in determining the nature, timing and extent of other audit procedures. Where the auditor concludes that he can rely on certain internal controls, his substantive procedures would normally be less extensive than would otherwise be required and may also differ as to their nature and timing.”

    Internal control evaluation is a key phase in Compliance Audits. In the case of audit of banks, it assumes even greater importance due to the enormous volume of transactions entered into by banks. Evaluation of the design and operation of internal control system enables the auditor of a bank to perform more effective audits. Therefore, the auditor of a bank should study and evaluate the design and operation of internal controls. This would assist him in determining the nature, timing and extent of substantive procedures in various mainstream bank areas, depending upon whether the internal controls are adequate and observed in practice.

    CAATs facilitate the internal control evaluation through deployment of comprehensive analytical routines to detect control failures and missing controls.

 Presentation on compliance review of controls in Banks through CAATs :

    George wanted to drive home the efficacy of general audit tools to the conclave of banking participants comprising auditors, investigators, risk managers, IT security professionals and more. He decided to help the participants visualise the utility of audit tools (GAS) through a few live banking case studies and discussions. These case studies served as a primer for a general awareness and appreciation amongst the participants.

    Banking case studies presented were :

Introduction of current accounts by an account-holder other than current :

    Account maintenance procedures require a current account-holder to be introduced by another current account-holder from the same bank.

    In this case the ‘Retail Liability Account Master’ file was taken up for scrutiny within the GAS.

    Here George juxtaposed the introducer customer number, corresponding account number/s, and product type/s to the primary current account and product type through file join operations.

    He then performed an ‘extraction-query’ with the condition ‘Introducer product type is not a current account and the introduced account product type is a current account’.

    George was able to cull out a number of current accounts introduced by a savings account holder and also some accounts introduced by staff members from the branch.

Non-resident saving accounts where a resident Indian is a joint-holder :

    Account maintenance procedures mandate through statutory regulation that a non-resident savings account-holder cannot have a resident Indian as a joint account holder.

    Here George took up the ‘Joint Holder Account Master’ file as the base file for monitoring within the GAS.

He performed a ‘summarisation – consolidation’ on the constituent member product types for the non-resident saving account-holders. Based on the summarisation result George filtered out queried product types containing the sub-string character representation ‘Resident’.

This exercise yielded negative non-compliances.

Incorrect interest application on premature closure of term deposits:

Revenue charge procedures stipulate that in case of premature closure of term deposits, the Core Banking System must apply the Rate of Interest (ROI) for the deposit tenor actually run, less the penalty rate as decided by the Bank. The penalty rate is generally metered as 1% or 2%.

In this control assertion the ‘Term Deposit Account Master File’ was imported into the GAS.

The ROI applicable on the deposit for the contracted tenor is readily available in the master file. ROI applicable on premature withdrawal is a variable/ system computed field which varies from case-to-case depending on the tenor of the deposit run.

This data is normally not available as a ready native field within the database. This field may be computed through Database Query Logic like SQL and provided for further analysis along with the native fields.

Premature deposits are term deposits where the maturity date of the deposit is greater than the system date and account closure date is before the deposit maturity date.

George wrote a ‘Criteria – Query’ within the GAS to identify specific premature instances where the contracted ROI was paid in place of the actual ROI. A few premature withdrawal instances were identified where incorrect interest, i.e., contracted ROI, was applied and paid. In some of the cases, the term deposit was closed within 15 days of opening and contracted ROI was still paid. Based on George’s representation/findings, the branch accepted the error in interest application, which was due to oversight. The excess interest paid was reversed through a manual interest adjustment entry.
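The premature-closure check described above, as an added example in Python (not code from the article or from any audit tool). The rate card, the default penalty of 1 percentage point, the zero rate below the shortest slab and all account rows are constructed assumptions.

```python
from datetime import date

# Constructed rate card (assumption): ROI % p.a. by tenor actually run, in days.
RATE_CARD = [(15, 90, 5.0), (91, 180, 6.0), (181, 364, 7.0), (365, 1095, 8.5)]
PENALTY = 1.0  # percentage points; the article cites 1% or 2%

# Constructed master rows: (account, opened, maturity, closed, contracted_roi, roi_paid)
DEPOSITS = [
    ("TD01", date(2008, 4, 1), date(2009, 4, 1), date(2008, 8, 1), 8.5, 5.0),    # 122 days, correct
    ("TD02", date(2008, 4, 1), date(2009, 4, 1), date(2008, 10, 15), 8.5, 8.5),  # 197 days, contracted ROI paid
    ("TD03", date(2008, 6, 1), date(2009, 6, 1), date(2008, 6, 11), 8.5, 8.5),   # 10 days, contracted ROI paid
    ("TD04", date(2008, 1, 1), date(2009, 1, 1), date(2009, 1, 1), 8.5, 8.5),    # ran to maturity
    ("TD05", date(2008, 5, 1), date(2010, 5, 1), None, 9.0, None),               # still open
]

def slab_rate(days_run):
    """Card rate for the tenor actually run."""
    for low, high, rate in RATE_CARD:
        if low <= days_run <= high:
            return rate
    return 0.0  # assumption: no interest below the shortest slab

def expected_roi(days_run, penalty=PENALTY):
    """ROI due on premature closure: rate for the tenor run, less the penalty."""
    return max(slab_rate(days_run) - penalty, 0.0)

def overpaid_premature_closures(deposits, penalty=PENALTY):
    """Return (account, days_run, roi_due, roi_paid, paid_equals_contracted)."""
    findings = []
    for account, opened, maturity, closed, contracted, paid in deposits:
        if closed is None or closed >= maturity:
            continue  # open deposits and normal maturities are out of scope
        days_run = (closed - opened).days
        due = expected_roi(days_run, penalty)
        if paid > due:
            findings.append((account, days_run, due, paid, paid == contracted))
    return findings
```

The last element of each finding separates the pattern the article reports (contracted ROI paid unchanged) from other overpayments, such as a wrong penalty rate.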

Tax Deducted at Source (TDS) not deducted in respect of interest payments/accruals above Rs. 10,000 per annum:

The Income Tax Rules stipulate that interest accruals/payments on term deposits exceeding Rs. 10,000 per annum per customer should attract TDS. The Rules also lay down that TDS should not be deducted where the deposit holder submits either Form 15G or Form 15H for a given previous year.

Here the ‘Term Deposit Ledger’ File was captured within the GAS.

Then the file was summarised by ‘interest debits’, customer number wise through the ‘Summarisation-consolidation’ function.

From the above summarisation result, all customer numbers having sum of interest debits greater than Rs.10,000 for a given financial year were extracted through ‘Data Extraction – Query’.

The file generated above was joined with the ‘Tax Waiver File’, i.e., the file of Form 15G/15H submissions, using the ‘Join File’ utility within the tool.

Finally, all term deposits where the tax waiver flag was not enabled (non-waiver cases) were matched with the ‘TDS Ledger File’ using the ‘Join File’ utility within the tool. ‘Records with no Secondary Match’ were selected and specific customers were culled out where interest debits were more than Rs. 10,000 per annum for which TDS had not been deducted at all.

The test revealed certain deviations which were primarily on account of non-updation of the submitted Form 15G/Form 15H Certificates within the Core Banking System.
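The TDS test above (summarise, extract, join with the waiver file, then select ledger non-matches) expressed as one SQL query run through Python's sqlite3, as an added example that is not the article's or any GAS vendor's code. Table names, column names and all rows are constructed assumptions.

```python
import sqlite3

# Constructed sample rows; table and column names are assumptions, not the bank's schema.
LEDGER = [  # (customer_no, fin_year, interest_debit)
    ("C001", "2008-09", 7000.0), ("C001", "2008-09", 6500.0),  # 13,500, TDS deducted
    ("C002", "2008-09", 12000.0),                              # 12,000, Form 15G on file
    ("C003", "2008-09", 9000.0), ("C003", "2008-09", 4000.0),  # 13,000, no waiver, no TDS
    ("C004", "2008-09", 10000.0),                              # exactly 10,000, not above
    ("C005", "2007-08", 6000.0), ("C005", "2008-09", 6000.0),  # 12,000 only across two years
]
WAIVERS = [("C002", "2008-09", "15G")]   # (customer_no, fin_year, form)
TDS = [("C001", "2008-09", 1350.0)]      # (customer_no, fin_year, tds_amount)

SCHEMA = """
CREATE TABLE td_ledger (customer_no TEXT, fin_year TEXT, interest_debit REAL);
CREATE TABLE tax_waiver (customer_no TEXT, fin_year TEXT, form TEXT);
CREATE TABLE tds_ledger (customer_no TEXT, fin_year TEXT, tds_amount REAL);
"""

# Summarise per customer and year, extract above threshold, keep non-matches.
QUERY = """
WITH interest AS (
    SELECT customer_no, fin_year, SUM(interest_debit) AS total_interest
    FROM td_ledger
    GROUP BY customer_no, fin_year
)
SELECT i.customer_no, i.fin_year, i.total_interest
FROM interest AS i
LEFT JOIN tax_waiver AS w
       ON w.customer_no = i.customer_no AND w.fin_year = i.fin_year
LEFT JOIN tds_ledger AS t
       ON t.customer_no = i.customer_no AND t.fin_year = i.fin_year
WHERE i.total_interest > :threshold
  AND w.customer_no IS NULL      -- non-waiver cases only
  AND t.customer_no IS NULL      -- records with no secondary match
ORDER BY i.customer_no
"""

def tds_exceptions(ledger, waivers, tds, threshold=10000):
    """Return (customer_no, fin_year, total_interest) where TDS was due but absent."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO td_ledger VALUES (?, ?, ?)", ledger)
    con.executemany("INSERT INTO tax_waiver VALUES (?, ?, ?)", waivers)
    con.executemany("INSERT INTO tds_ledger VALUES (?, ?, ?)", tds)
    rows = con.execute(QUERY, {"threshold": threshold}).fetchall()
    con.close()
    return rows
```

An exception here means the system holds neither a waiver nor a deduction; a customer whose Form 15G/15H was submitted on paper but never keyed in will also appear, so each hit needs checking against the physical forms.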

Loans with collateral security where insurance is not taken by the borrower:

Retail assets are secured through collateral security like stock, plant and machinery, building, etc. These collateral securities need to be insured on an ongoing basis and the details of insurance coverage need to be submitted to the branch for updation within the ‘Collateral Security Insurance Master’ in the Core Banking System.

George imported the ‘Loan Collateral Insurance’ File into the GAS.

He detected missing insurance policy numbers in the ‘Loan Collateral Insurance file’ for specific loans and loan collaterals using the ‘Extraction-Query’ command in the GAS.

This test revealed specific loan and loan collaterals which had not been insured.

This control condition breach presents a clear and present risk for the bank in case of any untoward incident on the secured collateral.

George also concluded that at times the collateral is insured but not in time and not within the grace period for premium payment. He recognised that breaks in insurance coverage could be as perilous as non-insurance coverage.

He set out to identify instances of break in insurance from the ‘Loan Collateral Insurance’ file. George added an additional field to the file upon import. In this field he extracted the date component from the ‘Maturity Date’; for example, ‘25’ was extracted into a new field from ‘25.06.2009’.

With dates available for the same loan collateral for a period of 5 years, George was able to successfully pull out unique instances of ‘Same Collateral Different Date’. In one such instance a ‘Special Watch Borrower’ having multiple credit facilities had delayed the renewal of insurance on a cache of 5 collaterals. The delay coincided with a natural calamity which fully damaged the collateral. This situation posed a common threat to the Branch leading to material financial exposures.
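The two insurance tests above (missing policy numbers and breaks in cover), as an added Python example that is not the article's code. It goes beyond the day-of-month comparison by measuring the uninsured days between consecutive policies; the start-date field, the 15-day grace period and all rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed rows: (loan_no, collateral_id, policy_no, start_date, maturity_date)
ROWS = [
    ("L100", "COL-1", "P-11", "26.06.2007", "25.06.2008"),
    ("L100", "COL-1", "P-12", "26.06.2008", "25.06.2009"),  # renewed without a break
    ("L200", "COL-2", "P-21", "11.03.2007", "10.03.2008"),
    ("L200", "COL-2", "P-22", "02.05.2008", "01.05.2009"),  # renewed 52 days late
    ("L300", "COL-3", "", "", ""),                          # no policy number at all
    ("L400", "COL-4", "P-41", "01.01.2008", "31.12.2008"),
    ("L400", "COL-4", "P-42", "10.01.2009", "09.01.2010"),  # 9 days late, inside grace
]

def parse(text):
    """Parse the DD.MM.YYYY format used in the file (e.g. 25.06.2009)."""
    return datetime.strptime(text, "%d.%m.%Y").date()

def uninsured(rows):
    """Loan/collateral pairs whose policy number is blank."""
    return sorted({(r[0], r[1]) for r in rows if not r[2].strip()})

def coverage_breaks(rows, grace_days=15):
    """Return (loan, collateral, lapsed_on, renewed_on, uninsured_days) beyond grace."""
    periods_by_collateral = defaultdict(list)
    for loan, collateral, policy, start, maturity in rows:
        if policy.strip():
            periods_by_collateral[(loan, collateral)].append((parse(start), parse(maturity)))
    breaks = []
    for key, periods in sorted(periods_by_collateral.items()):
        periods.sort()
        covered_until = periods[0][1]
        for start, maturity in periods[1:]:
            gap = (start - covered_until).days - 1  # days with no policy in force
            if gap > grace_days:
                breaks.append((*key, covered_until.isoformat(), start.isoformat(), gap))
            covered_until = max(covered_until, maturity)
    return breaks
```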

Conclusion:

George culminated his presentation by reiterating that general audit tools are time-tested, stable, robust, powerful, internationally acclaimed and user-friendly applications designed by auditors for auditors. He added that no tool is a ready substitute for the Auditors’ acumen and judgment, but is a powerful, cost-effective facilitator. He encouraged all the bank auditors present to embrace tools and reap the benefits of an idea whose time has come. He closed his presentation with a parting remark: ‘Reserve Bank of India’s Department of Banking Supervision also uses audit tools in their banking supervisory role and we should draw inspiration from the regulator themselves in this matter’.
