
February 2021

THE LONG FORM AUDIT REPORT FOR BANKS GETS EVEN LONGER

By Zubin F. Billimoria
Chartered Accountant
INTRODUCTION

The Long Form Audit Report (LFAR) has for long been used as a tool by the RBI through the Statutory Auditors to identify and assess gaps and vulnerable areas in the working of banks. According to the RBI, the objective of the LFAR is to identify and assess the gaps and vulnerable areas in the business operations, risk management, compliance and efficacy of internal audit and provide an independent opinion on the same to the Board of the bank.

As recently as 5th September, 2020, the RBI notified a revised format of the LFAR, applicable from the financial year 2020-21, which repeals the earlier format and other instructions issued on 17th April, 2002. Whilst almost all the earlier requirements have been retained, several specific matters have been included for reporting, keeping in mind the large-scale changes in the size, complexities, risks and business models related to banking operations in the last two decades.

The LFAR is an integral part of the statutory audit of banks which needs to be factored right from the planning to the reporting stage of the audit process. In designing the audit strategy and plan, the auditor should consider the LFAR requirements and conduct need-based limited transaction testing.

The following are the main sources of information for the purpose of compiling the information for LFAR reporting:
a) Audited financial statements and the related groupings, trial balances and account analysis / schedules;
b) Minutes of the meetings of the Board and the various committees;
c) Internal and concurrent and other audit reports;
d) RBI inspection reports;
e) Other supporting MIS data / information produced by the entity which should be verified for accuracy / completeness as per the normally accepted audit procedures in terms of the SAs;
f) Policies and procedures laid down by the management.

This article attempts to provide an overview of the major changes in the reporting so as to sensitise both the Central Statutory Auditors and the Branch Auditors.


COVERAGE

As was the case with the earlier format, the indicative areas of coverage are separately indicated for the Central Statutory Auditors and the Branch Auditors. However, in cases where there is only one Statutory Auditor, which is generally the case with private sector banks or the branches of foreign banks, the auditors should ensure that the contents under both the sections are read harmoniously such that nothing significant is missed out. Since the areas to be covered are only indicative, the RBI in its Circular has made it clear that any material additions / changes in the scope may be done by giving specific justification and with prior intimation to the Audit Committee. Accordingly, the auditors should not adopt a boilerplate approach.

Major changes in the indicative content are discussed and analysed in the subsequent sections.


FOR CENTRAL STATUTORY AUDITORS

Credit Risk areas
Credit Risk in the context of banking refers to the risk of default or non-payment or non-adherence to contractual obligations by a borrower. The revenue of banks comes primarily from interest on loans and thus loans form a major source of credit risk. Whilst the basic reporting requirements are the same as before, there are several additional areas which need to be reported / commented upon and which can be broadly categorised as under:

Area | Additional areas to be commented / reported upon

Loan policy:
Specific observations are required regarding the business model / business strategy as per the policy as against the actual business / income flow of the bank.

Review / monitoring / post-sanction follow-up / supervision:
The following are some of the additional matters requiring specific comments / reporting:
•    Comments on the overall effectiveness of credit monitoring system covering both on-balance sheet and off-balance sheet exposures, along with the quality of reporting both within the bank and to outside agencies (like RBI, CRILC, CIBIL), etc.
•    Comments on the functioning and effectiveness of the system of identifying and reporting of Red-Flagged Accounts based on Early Warning System (EWS) indicators for which reference should be made to the Master Directions on Frauds-Classification and Reporting dated 1st July, 2016 issued by the RBI (also applicable to Branch Auditors).

Restructuring / resolution of stressed accounts:
This is an entirely new section which has been introduced keeping in mind the emphasis on restructuring in the backdrop of the enhanced level of stressed assets in the banking system. The specific matters on which comments are required are summarised hereunder:
•    Deviations observed in restructured accounts / stressed accounts under resolution with reference to internal / RBI guidelines.
•    Special emphasis should be given on the stance of the bank with respect to the following matters:
    a) formulation of board-approved policies including timelines for resolution;
    b) the manner in which decisions are taken during review period;
    c) board-approved policies regarding recovery, compromise settlements, exit of exposure through sale of stressed assets, mechanism of deciding whether a concession granted to a borrower would have to be treated as restructuring or not, implementation of resolution in accordance with the laid-down conditions, among others.
Special attention would have to be paid in the current financial year regarding the relaxations and concessions provided as a result of COVID-19.

Asset quality (also applicable to branch auditors):
This is also an entirely new section given the emphasis on asset classification and the consequential provisioning and attempts by banks and borrowers to subvert the same. The specific matters on which comments are required are summarised as below:
•    Continuous monitoring of classification of accounts into Standard, SMA, Sub-standard, Doubtful or Loss as per the Income Recognition and Asset Classification Norms by the system, preferably without manual intervention, determining the effectiveness of identifying the consequential NPAs and the appropriate income recognition and provisioning thereof;
•    Procedure followed by the bank in upgradation of NPAs, updation of the value of securities with reference to RBI regulations and compliance by the bank with divergences observed during earlier RBI inspection(s) with requisite examples of deviations, if any.
It is imperative for the auditors to thoroughly review the latest RBI Guidelines and Circulars and also read the latest RBI inspection reports since greater granularity in reporting is now expected vis-a-vis the earlier reporting requirements.

Recovery policy (also applicable to branch auditors):
The following are some of the additional matters requiring specific comments / reporting dealing with the Insolvency and Bankruptcy Resolution Process:
•    System of monitoring accounts under Insolvency and Bankruptcy Code, 2016 (IBC).
•    Verifying the list of accounts where insolvency proceedings had been initiated under IBC, but subsequently were taken out of insolvency u/s 12A of the IBC by the Adjudicating Authority based on the approval of 90% of the creditors. The auditors may satisfy themselves regarding the reasons of the creditors, especially the bank concerned, to agree to exiting the insolvency resolution process, and may comment upon deficiencies observed, if any.

Large advances:
The Guidelines now specifically require comments on adverse features considered significant in top 50 standard large advances and the accounts which need management’s attention. In respect of advances below the threshold, the process needs to be checked and commented upon, based on a sample testing. This is a very onerous responsibility which has been cast on the auditors and needs to be factored in whilst selecting their sample for testing. Earlier there was no specific quantitative threshold laid down for reporting. Care should be taken to ensure that the sample which is selected also covers cases beyond the top 50 standard accounts. Further, it appears that this threshold is for the bank as a whole.
(Attention is also invited to the reporting requirements for Branch Auditors discussed subsequently wherein different quantitative thresholds are specified for individual branches.)

Audit reports:
Major adverse features observed in the reports of all audits / inspections, internal or external, carried out at the credit department during the financial year should be suitably incorporated in the LFAR, if found persisting.

Market risk areas
Market risk mostly occurs from a bank’s activities in capital markets, commodities markets and dealings in foreign currencies. This is due to the unpredictability of equity markets, movement of exchange and interest rates, commodity prices and credit spreads. The major components of a bank’s market risk include interest rate risk, equity risk, commodity price risk and foreign exchange risk.

This section covers reporting on investments and derivatives (the latter being specifically added) apart from CRR / SLR and ALM reporting requirements. Some of the specific additional areas requiring comments / reporting are as under:

•    Merit of investment policy and adherence to the RBI guidelines.
•    Deviations from the RBI directives and guidelines issued by FIMMDA / FIBIL / FEDAI which primarily deal with valuation of investments and foreign exchange exposures should be suitably highlighted.
•    With respect to the RBI directives, special focus should be placed on compliance with exposure norms, classification of investments into HTM / AFS / HFT category and inter-category shifting of securities.
•    Veracity of liquidity characteristics of different investments in the books, as claimed by the bank in different regulatory / statutory statements.
•    The internal control system, including all audits and inspections, IT and software being used by the bank for investment operations should be examined in detail.

Since there is a lot of emphasis on compliance with the RBI guidelines, it is important for auditors to be aware of the relevant guidelines dealing with investments and derivatives, the important ones being as under:

•    Master Circular – Prudential Norms for Classification, Valuation and Operation of Investment Portfolio by Banks dated 1st July, 2015 and other related matters.
•    General Guidelines for Derivative Transactions vide RBI Circulars dated 20th April, 2007, 2nd August, 2011 and 2nd November, 2011 together with specific operational guidelines for Currency Option, Exchange Traded Interest Rate Futures, Interest Rate Options and Commodity Hedging vide separate Master Directions.
•    Guidelines for Inter-Bank Foreign Exchange Dealings vide Master Directions on Risk Management and Inter-Bank Dealings dated 5th July, 2016.

Governance, assurance functions and operational risk areas

This is a new section introduced in place of the existing section on Internal Controls. Whilst the basic reporting requirements are the same as before, there are several additional areas which need to be reported / commented upon and which can be broadly categorised as under:

Area | Additional areas to be commented / reported upon

Governance and assurance functions:
This is an entirely new section given the emphasis on proper and robust governance and risk management keeping in mind the large-scale changes in the business model of banks. The specific matters on which comments are required are summarised hereunder:
•    Observations on governance, policy and implementation of business strategy and its adequacy vis-à-vis the risk appetite statement of the bank.
•    Comments on the effectiveness of assurance functions (risk management, compliance and internal audit).
•    Comments on the adequacy of risk-awareness, risk-taking and risk-management, risk and compliance culture.
The following are some of the specific matters which are relevant for an effective governance, assurance and risk management system in a bank:
    a) Oversight and involvement in the control process by the Board, Audit Committee and Those Charged With Governance, some of which are specifically mandated by the RBI, like framing of policies on specific areas, constitution of specific Board Level Committees and undertaking calendar of reviews.
    b) Mandatory Risk Based Internal Audit vide RBI Circular Ref: DBS.CO.PP.BC. 10/11.01.005/2002-03, 27th December, 2002.
    c) Mandatory Concurrent Audit vide RBI Circular Ref: DBS.CO.ARS. No. BC. 2/08.91.021/2015-16 dated 16th July, 2015.

Balancing of books / Reconciliation of control and subsidiary records:
Item-wise details of system-generated transitory accounts not nullified at the year-end should be given separately with ageing of such items.

Inter-branch reconciliation, suspense accounts, sundry deposits, etc.:
The following are some of the additional matters requiring specific comments / reporting:
•    Sufficiency of audit trail with respect to entries in such accounts.
•    Age-wise analysis of unreconciled entries for each type of entry as on balance sheet date along with subsequent clearance thereof, if any, should be provided.

Frauds / vigilance (also applicable to branch auditors):
Special focus should be given to the potential risk areas which might lead to perpetuation of fraud. For this purpose, reference should be made to Early Warning System (EWS) indicators as per the Master Directions on Frauds-Classification and Reporting dated 1st July, 2016 issued by the RBI.

KYC / AML requirements (also applicable to branch auditors):
This is also an entirely new section given the need and importance for banks to comply with various AML regulations and also regulations countering the financing of terrorism and to prevent them from becoming involved with criminal or terrorist activity. The specific matters on which comments are required are summarised hereunder:
•    Whether the bank has duly updated and approved KYC and AML policies in synchronisation with RBI circulars / guidelines.
•    Whether the said policies are effectively implemented by the bank.
•    Assessment of the effectiveness of provisions for preventing money laundering and terrorist financing.
The KYC and AML Guidelines are prescribed in the Master Directions on KYC dated 8th December, 2016 as amended from time to time issued by the RBI.
As per the directions, all banks are required to frame a KYC policy which must contain at least the following key elements as laid down in the Master Directions:
    a) Customer Acceptance Policy.
    b) Risk Management.
    c) Customer Identification Procedures.
    d) Monitoring of Transactions.
    e) Maintenance of Records under the PML Act.
    f) Reporting Requirements to Financial Intelligence Unit – India and sharing of information.

Para-banking activities:
There is now a separate section which has been included in respect of such activities which are specifically permitted to be undertaken by the RBI, either departmentally or through subsidiaries. These activities are generally non-fund based and are a major source of revenue for banks. The specific matters on which comments are required are summarised hereunder:
•    Whether the bank has an effective internal control system with respect to para-banking activities undertaken by it.
•    A list of such para-banking activities undertaken by the bank should also be provided.
The RBI has issued a Master Circular dated 1st July, 2015 as amended from time to time on such activities. Some of the main para-banking activities which banks are permitted to undertake either departmentally or through subsidiaries in terms of the aforesaid Circular are Equipment Leasing, Hire Purchase and Factoring, Primary Dealership Business, Mutual Fund Business, Insurance Business, etc.


CAPITAL ADEQUACY

Whilst the existing requirement of attaching the Capital Adequacy computation certificate in accordance with the BASEL III guidelines along with the comments on the effectiveness of the system of calculating the same and reporting of any concerns relating thereto are retained, there is now an additional requirement to give certain comments with regard to the International Capital Adequacy Assessment Process (ICAAP) Document, which is briefly discussed hereunder.

ICAAP Document

ICAAP is a process which needs to be undertaken by banks in terms of BASEL III under Pillar 2 Supervisory Review Process (SRP), which envisages the establishment of suitable risk management systems in banks and their review by the RBI. One of the principles under SRP envisages that the RBI would review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with the regulatory capital ratios. This is reflected in the ICAAP document, which is required to be submitted to the Board of Directors for review and then forwarded to the RBI, which would take appropriate supervisory action if it is not satisfied with the result of this process. In this context, the following matters are required to be specifically commented upon:
•    Whether stress test is done as per RBI Guidelines;
•    Whether assumptions made in the document are realistic, encompassing all relevant risks;
•    Whether the banks’ strategies are aligned with their Board-approved Risk Appetite Statement.

The ICAAP requirements are part of the BASEL III Guidelines as prescribed in the Master Circular dated 1st July, 2015 as amended from time to time issued by the RBI.


GOING CONCERN AND LIQUIDITY RISK ASSESSMENT

Going concern assessment
This is an entirely new section which has been introduced keeping in mind the specific reporting responsibilities and considerations under the SAs. The matters which need to be commented upon are as under:
•    Whether the going concern basis of preparation of financial statements is appropriate;
•    Evaluation of the bank’s assessment of its ability to continue to meet its obligations for the foreseeable future (for at least 12 months after the date of the financial statements) with reasonable assurance for the same;
•    Any material uncertainties relating to going concern.

For considering the above matters the auditors should consider the guidance in SA-570 (Revised), Going Concern, issued by the ICAI. Further, an important indicator to assess the Going Concern assumption is whether the bank has been placed under the Prompt Corrective Action (PCA) framework as laid down under the RBI guidelines vide RBI Circular Ref: RBI/2016-17/276 DBS.CO.PPD.BC. No. 8/11.01.005/2016-17 dated 13th April, 2017 which gets triggered on breach of certain thresholds on Capital Adequacy, Profitability and Leverage Ratio. The auditors should verify the correspondence with the RBI and other documentary evidence to ensure / identify the status of the supervisory actions indicated / initiated by the RBI, as per the above-referred Circular.

Liquidity assessment

This is also an entirely new section which has been introduced considering its linkage with the going concern assessment and the recent guidelines framed by the RBI relating to Liquidity Coverage Ratio (LCR) and Net Stability Funding Ratio (NSFR). The matters which need to be commented upon are as under:
•    As a part of the assessment of the bank on going concern basis, the auditor should consider the robustness of the bank’s liquidity risk management systems and controls for managing liquidity;
•    Identifying any external indicators that reveal liquidity or funding concerns;
•    Availability of short-term liquidity support;
•    Compliance with norms relating to LCR and NSFR (as and when applicable).

The RBI has issued Guidelines for Maintenance of LCR vide RBI Circular Ref: RBI/2013-14/635 DBOD.BP.BC. No. 120 / 21.04.098/2013-14 dated 9th June, 2014 and related Circulars in terms of which banks are required to maintain an LCR, computed as the ratio of HIGH QUALITY LIQUID ASSETS TO THE NET CASH OUTFLOW OVER THE NEXT 30 DAYS which should be >= 100% effective 1st January, 2019.


INFORMATION SYSTEMS

The reporting under this section has been modified to include comments and reporting on certain specific matters, in addition to the existing requirements. These are briefly indicated hereunder:

Robustness of IT Systems:
•    Whether the software used by the bank was subjected to Information System & Security Audit, Application Function testing and any other audit mandated by RBI.
•    Adequacy of IS Audit, migration audit (as and where applicable) and any other audit relating to IT and the cyber security system.
•    Compliance with the findings of the above audits.

The following are the main RBI Circulars which are relevant in the context of the above reporting:
•    RBI Circular Ref: DBS.CO.OS MOS.BC. /11/33.01.029 / 2003-04 dated 30th April, 2004 on Information System Audit;
•    RBI Circular Ref: DBS.CO.ITC.BC. No. 6/31.02.008/2010-11 dated 29th April, 2011 Guidelines for IS Audit.

IT Security Policy (Including Cyber Security Policy)
•    Whether the bank has a duly updated and approved IT Security and IS Policy;
•    Whether the bank has complied with the RBI advisory / directives relating to IS environment / cyber security issued from time to time.

The following are the main RBI Circulars which are relevant in the context of the above reporting:
•    RBI Circular Ref: DBS.CO.ITC.BC. No. 6/31.02.008/2010-11 dated 29th April, 2011 (covering the IT Security Framework);
•    RBI Circular Ref: RBI/2015-16/418 DBS.CO/CSITE/BC. 11/33.01.001/2015-16 dated 2nd June, 2016 (covering the Cyber Security Framework).

Critical systems / processes
•    Whether there is an effective system of inter-linkage including seamless flow of data under Straight Through Process (STP) amongst various software / packages deployed.
•    Outsourced activities – Special emphasis has been placed on outsourced activities and bank’s control over them, including bank’s own internal policy for outsourced activities. In determining the reporting obligations in respect of outsourcing activities, the auditors should refer to the RBI Circular Ref: RBI/2006/167 DBOD.NO.BP. 40/ 21.04.158/ 2006-07 dated 3rd November, 2006. The said Circular requires the bank to put in place a comprehensive outsourcing policy, duly approved by the Board, which needs to cover the following aspects:
    a) Selection of activities;
    b) To ensure that core management functions including Internal Audit, Compliance function and decision-making functions like determining compliance with KYC norms for opening deposit accounts, according sanction for loans (including retail loans) and management of investment portfolio are not outsourced;
    c) Selection of service providers;
    d) Parameters for defining material outsourcing;
    e) Delegation of authority depending on risks and materiality;
    f) Systems to monitor and review the operations.

OTHER MATTERS
The specific additional areas requiring comments / reporting are as under:
Depositor Education and Awareness Fund (DEAF) Scheme 2014
Specific comments are required on the system related to compliance with the DEAF norms, which are laid down in the RBI Circular Ref: DBOD. DEAF Cell. BC. No. 101/ 30.01.002/2013-14 dated 21st March, 2014, the salient features of which are as under:
(a) Under the provisions of section 26A of the Banking Regulation Act, 1949 the amount to the credit of any account in India with any bank which has not been operated upon for a period of ten years or any deposit or any amount remaining unclaimed for more than ten years shall be credited to the Fund, within a period of three months from the expiry of the said period of ten years;
(b) The Fund shall be utilised for promotion of depositors’ interests and for such other purposes which may be necessary for the promotion of depositors’ interests as specified by RBI from time to time;
(c) The depositor would, however, be entitled to claim from the bank the deposit or any other unclaimed amount or operate the account after the expiry of ten years, even after such amount has been transferred to the Fund;
(d) The bank would be liable to pay the amount to the depositor / claimant and claim refund of such amount from the Fund.

Customer Services
Specific comments are required on business conduct including customer service by the bank describing instances, if any, of wrong debit of charges from customer accounts (also applicable to Branch Auditors), mis-selling, ineffective complaint disposal mechanism, etc. In this context, reference should be made to the RBI Master Circular on Customer Service in Banks dated 1st July, 2015 in terms of which banks are required to have a proper Customer Services Governance Framework coupled with Board Approved Customer Service Policies on specific aspects like Deposits, Cheque Collection, Customer Compensation, Grievance Redressal, amongst others.

In respect of all the above matters, involving compliance with the specific RBI guidelines, it is imperative for the auditors to thoroughly review the latest RBI Guidelines and Master Circulars / Directions and also read the latest RBI Inspection reports since greater granularity in reporting is now expected vis-a-vis the earlier reporting requirements.


FOR BRANCH AUDITORS

Whilst the basic reporting requirements are similar to those before, there are several additional areas which need to be reported / commented upon which can be broadly categorised as under:

Area | Additional areas to be commented / reported upon

Cash, balances with the RBI, SBI and other banks:
•    Reconciliation of the balance in the branch books in respect of cash with its ATMs with the respective ATMs, based on the year-end scrolls generated and differences, if any.
•    Bank Reconciliation entries remaining unresponded for more than 15 days.
•    Unresponded entries with respect to currency chest operations.

Large advances:
•    Details in the specified format for all outstanding advances in excess of 10% (earlier 5%) of outstanding aggregate balance of fund-based and non-fund-based advances of the branch or Rs. 10 crores (earlier Rs. 2 crores), whichever is less.
•    Comment on adverse features considered significant in top 5 standard large advances and which need management’s attention.

Credit appraisal:
•    Cases of quick mortality in accounts, where the facility became non-performing within a period of 12 months from the date of first sanction;
•    Whether the applicable rate of interest is correctly fed into the system;
•    Whether the interest rate is reviewed periodically as per the guidelines applicable to floating rate loans linked to MCLR / EBLR (External Benchmark Lending Rate). [Refer to RBI Circular Ref: RBI /2019-20/53 DBR. DIR. BC. No. 14/13.03.00/2019-20 dated 4th September, 2019 for Benchmark-Based Lending].
•    Whether correct and valid credit rating, if available, of the credit facilities of bank’s borrowers from RBI accredited Credit Rating Agencies has been fed into the system.

Deposits:
•    Whether the scheme of automatic renewal of deposits applies to FCNR(B) deposits;
•    Where such deposits have been renewed, whether the branch has satisfied itself as to the ‘non-resident status’ of the depositor and whether the renewal is made as per the applicable regulatory guidelines and the original receipts / soft copy have been dispatched.

Gold / bullion:
•    Does the system ensure that gold / bullion is in effective joint custody of two or more officials, as per the instructions of the controlling authorities;
•    Does the branch maintain adequate and regular records for receipts, issues and balances of gold / bullion.
•    Does the periodic verification reveal any excess / shortage of stocks as compared to book records which have been promptly reported to the controlling authorities.

Books and records:
•    Details of any software / systems (manual or otherwise) used at the branch which are not integrated with the CBS;
•    Any adverse feature in the IS audit having an impact on the branch accounts;
•    Prompt generation and expeditious clearance of entries in the exception reports generated.



CONCLUSION

The amendments / additional reporting requirements seem to reflect the mindset of the regulators to place enhanced responsibilities and expectations on the auditors in the already existing long list of reporting requirements in the LFAR which has become longer and more onerous with correspondingly longer sleepless nights!

 
