Auditing IT & EFT Systems in Banks

Questions and Answers

Which of the following IT controls is LEAST likely to be emphasized when auditing Electronic Funds Transfer (EFT) systems external to a bank?

• Evaluation of reconciliation procedures.
• Physical security measures for hardware. (correct)
• Review of post-transaction confirmation processes.
• Assessment of pre-transaction supervisory controls.

How might a bank auditor utilize reports from service organizations when assessing a bank's IT controls related to EFT?

• To solely focus on post-transaction confirmation and reconciliation procedures.
• To avoid assessing pre-transaction supervisory controls.
• To replace the need for direct testing of controls at the bank.
• To gain insights into the design and operating effectiveness of controls at the service organization. (correct)

In the context of auditing a bank, why is it crucial to assess controls related to system development and modifications?

• To verify alignment with shareholder expectations.
• To ensure compliance with marketing strategies.
• To prevent unauthorized changes that could compromise data integrity or security. (correct)
• To streamline customer service operations.

Why does an auditor prioritize reviewing confirmation and reconciliation procedures during year-end financial statement preparation?

To identify potential weaknesses in internal control over financial reporting. (C)

Which assertion is MOST directly addressed by frequent third-party confirmation and reconciliation of asset positions?

Existence. (C)

A bank uses passwords and joint access arrangements. What is the primary objective of these controls?

To limit IT and EFT system access to authorized employees. (B)

How does segregation of record-keeping and custody functions safeguard a bank's assets, particularly when using computer-generated reports?

It minimizes the risk of errors or fraud by requiring independent oversight. (A)

Why is it important for banks to have strong contingency planning in the context of IT and EFT systems?

To minimize disruptions to operations in the event of system failures or disasters. (B)

Which body is responsible for issuing Philippine Auditing Practice Statements (PAPSs)?

Philippine Auditing Standards and Practices Council (ASPC) (D)

What is the primary purpose of Philippine Auditing Practice Statements (PAPSs)?

To offer practical assistance to auditors in implementing PSAs and promote good practice. (B)

In the context of auditing banks, what is an auditor's initial responsibility after accepting an engagement?

Agree on the terms of the engagement with the bank's management. (D)

When planning an audit of a bank's financial statements, what is the significance of obtaining a thorough knowledge of the bank's business?

It helps in identifying areas of potential risks and developing appropriate audit procedures. (B)

According to PSA 400, what is a key consideration for auditors when dealing with internal controls?

To be aware of the inherent limitations of internal control. (C)

What is the auditor's responsibility regarding internal controls in a bank audit?

To identify, document, and test the control procedures to assess their effectiveness. (C)

When assessing the effectiveness of specific control procedures, which environmental factor would an auditor least likely consider?

The color of the office walls and their impact on employee morale. (A)

How should an auditor respond to a high assessment of inherent and control risks?

By increasing the nature, timing, and extent of substantive tests on account balances. (B)

Why is it important for an auditor to consider environmental factors when auditing a bank?

To assess the influence of the regulatory and economic environment on the bank's operations and financial risks. (B)

Which of the following is NOT an assertion embodied in financial statements, as listed in PSA 500?

Goodwill (C)

During substantive procedures for a bank audit, what is the auditor primarily trying to achieve?

To obtain sufficient appropriate audit evidence to detect material misstatements in the financial statements. (C)

What should an auditor do upon discovering suspected fraud or illegal acts during a bank audit?

Assess the implications for the financial statements and report the findings to the appropriate level of management and those charged with governance. (B)

What is the primary purpose of an auditor performing substantive procedures?

To detect material misstatements at assertion level. (B)

Which of the following is LEAST likely to be included in the details of information requested by an auditor?

Details of employee vacation schedules. (D)

Which factor would be least relevant when an auditor considers the environment in which internal control operates?

The bank's advertising strategy and market positioning. (A)

What is the most appropriate auditor action when the assessed levels of inherent and control risks are high for a material account balance?

Perform more extensive substantive procedures closer to the period-end. (C)

An auditor discovers a potential conflict between PSAs and local regulatory requirements. What is the auditor's MOST appropriate course of action?

Conduct the audit in accordance with both PSAs and any local regulatory requirements. (D)

An auditor identifies a deficiency in the bank's reconciliation process. How should this impact the planned audit procedures?

Modify the nature, timing, or extent of substantive procedures to address the identified risk. (C)

During the planning phase of a bank audit, which procedure would be MOST helpful in identifying related parties?

Obtaining an understanding of the bank and the banking industry. (B)

What is the primary focus of an auditor when considering 'going concern' issues for a bank?

The appropriateness of management’s use of the going concern assumption. (D)

According to the content, what is the auditor expected to do regarding related party transactions during an audit?

Actively remain alert for them, especially in lending and investment areas. (A)

An auditor notes 'Rapid increases in levels of trading in derivatives'. What concern should this raise?

The bank's ability to continue as a going concern. (D)

During an audit, if related party transactions are identified, what should the auditor determine regarding BSP (Bangko Sentral ng Pilipinas) regulations?

The auditor should determine the extent of any quantitative or qualitative restrictions. (C)

In the context of interim audit status reporting, what would be MOST important to communicate?

Areas of risk identified during the audit. (D)

Which scenario exemplifies reputational risk for a bank?

A bank facing public backlash and loss of customers due to involvement in a money laundering scandal. (A)

A bank executes a cross-border transaction. The bank settles its side of the deal, but the counterparty fails to deliver the agreed-upon assets. Which type of risk is the bank facing?

Settlement risk (B)

A bank's assets are largely denominated in a currency that has sharply declined in value. As a result, the bank struggles to meet its obligations, even though it is otherwise solvent. Which type of risk is the primary driver of this situation?

Solvency risk (A)

A bank extends a loan to a company based in a country with strict currency controls. The company is profitable but cannot convert its local currency earnings to U.S. dollars to repay the loan. Which risk is the bank primarily exposed to?

Transfer risk (B)

Why does a high concentration of a bank's loans within a specific industry, such as real estate, increase the bank's overall risk profile?

Industry-specific downturns can lead to widespread defaults, impacting a significant portion of the bank's portfolio. (A)

A bank's credit exposure to a securities transaction increases due to a rise in the market price of the securities. What concept does this scenario illustrate?

The correlation between market risk and credit risk. (B)

A bank faces a sudden wave of non-payment of loans, negatively impacting its liquidity position. Which of the following statements best describes this situation?

Non-payment can correlate with liquidity risk. (D)

When assessing risks associated with lending to specialized industries like shipping or natural resources, what is a crucial consideration for a bank?

Having knowledge of each industry's unique business, operational, and reporting practices. (A)

During audit planning, what is the primary reason for an auditor to gain a thorough understanding of a bank's corporate governance structure?

To evaluate how those charged with governance fulfill their responsibilities in supervising and directing the bank. (A)

How does an auditor's understanding of a bank's economic and regulatory environment MOST directly influence the audit plan?

It helps the auditor assess the risks associated with specific banking activities and related internal controls. (A)

When evaluating the 'going concern' assumption, what minimum period after the balance sheet date should the auditor typically consider, according to the guidelines?

One year (A)

An auditor identifies a high inherent risk related to loan valuation due to volatile market conditions. Which audit response is MOST appropriate?

Increase the sample size for loan file reviews and engage valuation specialists to independently assess loan values. (A)

What is the correct definition of control risk, according to the content?

The risk that a misstatement that could occur in an assertion about an account or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. (B)

A bank offers a complex derivative product to its clients. What should the auditor do to maintain a good working knowledge of this?

Engage a financial instrument specialist to understand the product's features, valuation, and associated risks. (A)

An auditor discovers that a bank's risk management function is understaffed. What is the MOST appropriate initial step for the auditor to take?

Communicate the deficiency to management and those charged with governance and assess the potential impact on the audit plan. (C)

During the audit, it's discovered that several related party transactions were not properly disclosed in the financial statements. What should the auditor consider?

The transactions point to material misstatements and require further investigation of management's integrity and their potential impact. (D)

Flashcards

Audit Plan

A plan that includes understanding the business, assessing risks, determining audit procedures, and considering going concern.

Inherent Risk

The risk that material misstatements occur in the financial statements.

Control Risk

The risk that a bank's internal controls fail to prevent or detect material misstatements.

Going Concern

The auditor's assumption that the entity will continue operating for the foreseeable future (usually at least one year).

Knowledge of Bank's Business

The bank's organizational structure, regulations and market conditions.

Corporate Governance

The structure by which a bank is directed and controlled.

Regulatory Environment

Rules and guidelines set by regulatory bodies like the BSP.

Market Conditions

External forces like competition and consumer demand.

Reputational Risk

Risk from negative public opinion; damage to reputation.

Settlement Risk

One side settles without getting value from the other.

Solvency Risk

Bank lacks funds to meet obligations or raise capital.

Transfer Risk

Counterparty can't get the currency to pay its obligation.

Concentration Risk

Risks increase when exposure is concentrated.

Risk Correlation

Correlated risks impact other risks.

Credit Risk & Market Price

A bank's credit exposure increases with the market price of securities.

Non-Payment & Liquidity

Failure to pay or settle impacts a banks liquidity.

Audit Mandate Details

Documents outlining the scope, standards, and requirements of the audit.

PSA and Regulatory Compliance

Ensuring the audit adheres to both PSA standards and any local regulations.

Accounting Principles

Specifying the accounting principles used in preparing the financial statements.

Related Party Transactions

Alertness for transactions with parties connected to the bank or its management.

Related Party Restrictions

Transactions are subject to quantitative or qualitative restrictions.

Going Concern Assessment

Evaluating if the bank can continue operating in the foreseeable future.

Rapid Increases in Derivatives Trading

Increased derivative trading might indicate higher risk or instability.

Interim Audit Reporting

How frequently and when audit progress should be reported.

IT Audit Procedures

Evaluates IT aspects like system development, access, network security, and contingency plans.

Auditing External EFT Systems

Used to assess if pre-transaction and post-transaction controls are reliable when systems are external.

PSA 402

Guidance on using reports from service organization auditors to assess controls.

Passwords and Joint Access

Restricts IT and EFT access to authorized personnel.

Segregation of Duties

Separates who records transactions from who manages the assets.

Third-Party Confirmation

Independent verification of balances with external parties.

Auditor Confirmation Procedures

Review and potentially re-perform confirmation and reconciliation at year-end.

Bank Asset Controls

Controls to limit both physical and system access; important for readily transferable, valuable assets.

Philippine Auditing Standards and Practices Council (ASPC)

A council that issues statements to help auditors implement Philippine Standards on Auditing (PSAs) and promote good practices.

Purpose of Philippine Auditing Practice Statements (PAPSs)

To provide practical help to auditors in using Philippine Standards on Auditing (PSAs) or encourage better auditing practices.

Philippine Auditing Practice Statement 1006

A document providing guidelines for auditing banks' financial statements, as issued by the ASPC.

Obtaining Knowledge of the Business (Bank)

Understanding the bank's operations, market, regulations, and internal controls.

Overall Audit Plan

A plan that outlines the audit strategy, scope, timing, and direction for auditing a bank.

Internal Control

Processes designed and implemented to provide reasonable assurance about the achievement of an entity's objectives.

Substantive Procedures

Detailed examination of specific transactions, balances, and disclosures to detect material misstatements.

Reporting on Financial Statements

The auditor's formal opinion on whether the bank's financial statements are presented fairly in accordance with the applicable financial reporting framework.

Bank Operation Controls

Controls over authorization, recording, access, and reconciliation in treasury, trading, and lending operations.

Limitations of Internal Control

Even with good internal controls, there's always a risk of error or fraud.

Substantive Procedures Required

The auditor still needs to perform some tests, even with strong internal controls.

Environmental Factors of Control

The bank's structure, management quality, internal audit, risk management, personnel skills, and regulatory oversight.

Purpose of Risk Assessment

To decide the nature, timing, and scope of audit tests.

Substantive Tests

The specific checks and tests the auditor performs to gather evidence about the accuracy of financial statements.

Financial Statement Assertions

Existence, rights and obligations, occurrence, completeness, valuation, measurement, presentation, and disclosure.

Auditor's Objective wrt Assertions

To ensure financial information is accurate, reliable, and fairly presented.

Study Notes

Philippine Auditing Practice Statement 1006

• Philippine Auditing Practice Statements (PAPSs) are issued by the Auditing Standards and Practices Council (ASPC) to help auditors implement the Philippine Standards on Auditing (PSAs) and promote good practice.
• PAPSs do not have the authority of PSAs.
• This statement is based on IAPS 1006, issued in December 2001 by the International Auditing Practices Committee (IAPC) of the International Federation of Accountants.
• It assists auditors and develops best practices by guiding the application of PSAs to bank financial statement audits.
• Auditors use professional judgment to determine the appropriateness of audit procedures in this statement, based on PSA requirements and bank circumstances.
• Purpose: Provide practical assistance to auditors, encourage best practices when applying PSAs for auditing bank financial statements, and is not a listing of all procedures and practices for the audit.
• The Bangko Sentral ng Pilipinas (BSP) requires additional reporting from auditors beyond the standard audit report, which is not covered in the statement.
• A bank is a financial institution mainly involved in deposit-taking, borrowing for lending, and investing, recognized as a bank by the BSP and the guidance applies to audits of financial statements covering banking activity carried out by those entities at groups.
• This statement provides guidelines on auditing financial assertion in banks financial statements and limited guidance on securities underwriting, brokerage, and asset management.

Characteristics of Banks

• Banks often engage in activities that involving derivative financial instruments.
• They have custody of large amount of monetary assets needing physical security and controls.
• They often engage in transactions conducted across different jurisdictions
• They operate with high leverage, making them more susceptible to economic downturn and increased risk of failure.
• They have assets with values that can change rapidly and are difficult to determine, impacting capital and solvency significantly.
• Banks derive significant funding from short-term deposits, so a loss of depositor confidence can cause a liquidity crisis.
• They have fiduciary responsibilities for others' assets, which requires specific operating procedures and internal controls to manage them.
• High transaction volumes and variety need complex accounting and IT systems.
• Networks of geographically dispersed branches require greater decentralization and make it difficult to maintain uniform practices.
• Transactions can be directly initiated and completed by customers through the internet or ATMs.
• Significant commitments are often made without funds transfer, often involving memorandum entries, making it difficult to detect.
• Banks are regulated by the BSP, whose regulatory requirements can affect accounting principles and financial statements.
• Customer relationships that the auditor may have with the bank may affect the auditor's independence.
• They generally have exclusive access to clearing and settlement systems.
• They are integral to national and international settlement systems, which can pose systemic risk.
• They may issue or trade in complex financial instruments needing fair value recording, requiring proper valuation procedures with reliable market data.

Special Audit Considerations

• The particular nature of the risks associated with bank transactions
• The scale of banking operations and exposures that result
• Extensive dependence on IT to process transactions
• The effect of regulations in various jurisdictions
• The development of new banking products and practices may outpace accounting or controls

Statement Organization

• A discussion of various facets of a bank audit is organized with emphasis towards matters that are of particular importance or specific to banking.
• Appendices include:
• Typical warning signs of banking operation fraud
• Examples for tests of control and processes for operational areas for treasury, trading and lending
• Financial ratios to analyze a banks financial condition
• Risks and issues in private banking, securities and asset management

Audit Objectives

• The objective of financial statement audit is to determine if the financial statements are fairly presented in compliance with the GAAP.
• The auditor reports regarding accounting principles used to prepare financial statements, accounting framework for foreign banks, the auditor reports based more detailed.

Engagement Terms

• The engagement letter outlines the purpose and scope of the audit between the auditor and client
• Considerations when setting terms:
• Assessing expertise needed to be the audit and its activites.
• Expertise of IT networks and communication
• Resourcing adequacy
• Use of specialists resources

Initial Comments on the Letter

• Reference to specialized account principles should be included:
• Regulations or laws that are applicable
• BSP statements of regulations
• Statements of accounting principles
• Base Committee on Banking Supervision
• Industry practice
• Report form -- Special purpose
• Protocol and communication requirements with the BSP.
• Auditor access that BSP could be granted

Planning the Audit

• The audit plan includes an entitys governance and business considerations, adequate control systems, and inherent risks analysis.
• The nature, extent, and timing of the audit will be decided plus the entitys ability to continue on a forseeable term with account principles under Philippine GAAP, for at least a period of one year after the balance sheet date.
• Knowledge of bank's operations
• Banking governance
• Economic and regulatory environment
• Market conditions

Corporate Bank governance

• Played an important part, BSP sets requirements for governance structures
• The auditor assesses the governance structure and how all charged work effectively.
• Risk assessment with banking will be classified as
• Country risk refers to foreign customers failing their obligation due to economic, political and country specific issues.
• Credit risk is the risk of a counterparty or customer failing its obligations on full value when at any time.

Types of Risks

• Currency: the risk that the exchange rates and currency fluctuate in value, rights and obligations.
• Fiduciary: Arises from failing safe custody or negligence for management on behalf of other parties assets.
• Legal and Document Risk: Contracts or documents incorrectly documented which cannot be enforced in relevant jurisdiction.
• Liquidity: The risk of an asset being changed with the banks ability to dispose o it.
• Modeling: Risk with imperfections with subjectivity regarding valuation models which determine total assets.
• Operational: Risk of loss with inadequate internal processes whether failed, external or people based.
• Price: The risk of market price changes which means interest rate or foreign exchange or equities.
• Regulatory: Risk of failure from compliance and legal requirements for the appropriate jurisdiction including changes in them.
• Revaluation: The risk of failure resulting in being required to market price, then can result in losses to contract price difference between banks and current.
• Reputational: Losing business from having negative impact or reputation loss due to being involved with misconduct.
• Settlement: Settlement risk exists if side of transaction are being settled without the customers consideration.
• Solvency: Possibility of insufficient funds and fund raising from market constraints.
• Transfer: Risk that counterparty obligations aren't denominated and cant get transferred due to particular financial condition.

Banking Operations

• The degree to which banking risks are concentrated and how it could impact any customer or area.
• Most operations involve more than one of the risks listed potentially with correlation.
• Risks in nature subject to ownership to influence direction and judgment.
• Increased risk from volume and IT systems.
• Not executing the transactions in time and potentially payment remittance issues.
• IT may be large scale and risks from unauthorized use.
• EFT and telecom system uses have risks of payments lost.

Fraudulent Activities

• Occur in any area from lending to deposit taking, with means and schemes in appendix 1.
• Banks are likely to ready for money laundering targets.
• Anti money laundering of 2001 enforces banking policies that will assist in deterring and reporting activities.
• Requirements of obtaining client IDs.
• The maintenance of transaction records.
• Authority of authorities and transactions beyond a certain amount.
• Educating staff of any instances.

Risk Management systems

• Management uses controls and metrics to manage key risks.
• Those in charge will oversee and involve the control processes.
• Policies need to be maintained that align with BSPs and strengths.
• Risks are monitored and compared to approved criteria
• Controls that prevent risks which segregate the controls and duties with verification.
• Models that are updated which internal audit should periodically check policies are complied with.

Reliable Information Systems

• These reliable system are needed for adequate and compliance for governance which assist in risks of profiling.
• Audit planning looks towards the the items below:
• Complexities of the undertakings
• Use of core and specialized services
• Any non statement sheet items
• Compliance with regulatory factors
• Using IT more and inherent control factors. -- Internal auditing quality
• Any material assessment and representatives

Undertaking Transactions

• Audit review considers the activities for the auditor to understand the effect on the statements overall.
• Judgement will needed with provisions or lending with risks like modeling or liquidity provision.
• In principle any audit service will look towards these core activities including cash credit.

Contingent Liabilities

• Guarantees and custody affect the financials with appropriate revenue evidence.
• The auditor gets evidence for the bank regarding record completeness.
• The regulatory considerations need information on external audit and sound banking for disclosures.

Key Audit processes

• Perform analytical procedures
• Obtain system information
• There may be pressure for financials engagements with proper categorizing and the auditor finds it helpful to stay in touch with communications regarding the banks performance assessment.

Extent of IT

• Transactions due to high volume uses extensive systems that auditor needs to focus on
• Calculation of gains and expenses
• System and determination
• System dependence presents risks in loss of audit trails.
• The auditor gains knowledge regarding application which can affect extent of what they rely on controls.

E Commerce

• The risks the strategy presents
• There is IT skill requirements and the auditor obtains understandings about where the application lives.
• It provides the auditor with insight into the extent of self developed integrated systems of direct.

Inherent Risks Assessment

• It needs to be on acceptance to have the extensive and EFT systems with high trade volumes
• Disperse nature and hard to cover.
• Complex trades difficult to audit
• Controls cannot help all processes and needs to assess the inherent factor with IT processes.

Internal Audit

• Scopes are objectives that lead to internal auditing being in sync with governance standards and the operational controls
• Financial reporting requirements
• Audit testing can depend on the size with the dispersion across branches with a reviewer to loan adherence review.

Materiality

• Relatively smaller statements that may not reflect the actual financial impact of capital even insignificantly.
• Regulations need to be satisfied with minimum capital maintenance which needs high materiality checks.
• Going processes affect the financial assessment matters which is why relationships and transactions are material.

Management Representations

• Help assist an audit to determine what is complete, true with a particularly financial audit
• There is often need for a auditor obtain management about changes in the business.

External Auditors

• Geographical dispersion which allows access to use from other external audits for competency.
• The auditor obtains and considers the level of the knowledge of others with independence to apply to the audit.

Coordinating Workload

The audit requires that there are experts and assistance across the teams.

• What it entails and mandates.
• The auditor must work within GAAP and regulation across the entity, they also need to comply with status reporting requirements.

Party Transactions

• Restrictions of parties will be observed in the audit with lending from the industry which will determine quantitative measures
• Auditors need guidance in the ability to continue as a matter of concern particularly if there are derivative losses.
• There needs to be capital and liquidity levels when banks are at their limits with rates on deposit and if it's shown that the bank is potentially of great risk
• BSP may implement conditions of concerns and disclosures for the BSP with communications and correspondence reviewed with regulatory aspects.

Internal Controls

• A framework controls for the bank in assessing systems that are very useful.
• Maintain an adequate accounting system
• It requires and effective approach and determining if there is substantive evidence to asses detection of risk for the statement.
• Less than high substantive procedures.
• Risk evaluation and control that can be achieved suchs that the below items are satisfied. - Execution of authorization - Transactions are correctly and promptly measured - Permission of assets - Recoding them at intervals

Objective: Fulfil Regulations

• In any failure to comply with the financial statement could have implications for the financial misstatement with the board as a system for how decisions can be maintained
• Procedures need to be followed for authorizing documentation to maintain limitations of exposures from each area.
• Audited needs to focus on compliance with policy and what has been measured with exposure to level to management .
• Aspects of that are in and close to area which is a particularly a area for the financial which needs to be presented.

High Volume

Banks are transacting in high volume so there's high balancing checks and accounts.

• Accounting needs to check these transactions.
• Balances often reflect the volume and is needed for foreign trades and transactions.
• It needs to allow how they verify and with information to maintain management and check transactions, it is of significance of the extensive IT used for a banks accounting system and controls.
• Assets can be high value which need controls like passwords or arrangements only accessible by authorized staff.
• This will be verified across both externally and internally.
• They must be revaluing this contracts with appropriate people

Limitations of Internal Control

• Auditor will be looking at the internal controls and what the audit is aware of and will depend on the inherent aspect of the factors.

• Auditor needs to understand the environment controls in place include

• Organisation and structure - Supervision.

• Substantive tests assess what is done for transactions on balances and classes

Description

Covers key considerations when auditing IT and Electronic Funds Transfer (EFT) systems in banks. Discusses control assessments, system development, modifications, and confirmation procedures. Highlights contingency planning and segregation of duties for financial statement preparation.