Is LFAR a Vital Tool available for Auditors?
Here is a walk-through on what LFAR (Long Form Audit Report) is and how eTHIC meets the requirements for LFAR.
The overall objective of the Long Form Audit Report (LFAR) should be to identify and assess the gaps and vulnerable areas in the business operations, risk management, compliance and the efficacy of internal audit and provide an independent opinion on the same to the Board of the bank and to concerned stakeholders. This may also involve commenting on various risks to which the bank is exposed like credit, market, operational and liquidity risk and risk management efficacy, assessment of the appropriateness of procedures for preparation of supervisory returns, KYC/AML/CFT issues, cyber security, business performance, business strategy including very high growth / high ROE accompanied with high risks, etc.
Some of the matters to be dealt with by the SCA (Statutory Central Auditor) in their LFARs will be based on the LFARs received from the branches. In dealing with such matters, the SCA is expected to exercise their own judgement and make their observations based on a review of the branch auditors’ LFARs. While deciding their audit strategy, the auditors may factor in all material issues which are considered critical, having regard to the size and complexity of the business operation, business strategy/models, internal controls including the control culture of the bank, and the structure and complexity of the IT systems. The scope and coverage of the Statutory Audit and LFAR will broadly be as per the given format. However, if the SCA feels the need for material additions, these may be made by giving specific justification and with prior intimation to the Audit Committee of the Board of the bank.
Coverage in the Long Form Audit Report (LFAR)
A. CREDIT RISK AREAS
1. Loan Policy: The observations should broadly cover the sufficiency and effectiveness of the loan policy along with compliance with instructions issued by RBI (such as exposure norms, interest rates, and statutory and other restrictions), updating of the policy, and the system of monitoring and business strategy.
2. Credit Assessment: Adequacy of the credit assessment process to capture the risk as also the adequacy of information/data available with the bank.
3. Sanctioning / Disbursement: The policy relating to delegation of powers, the appropriateness of checks and balances, and compliance with the terms and conditions of disbursal should be examined.
4. Documentation: The entire process should be examined, including the system of ensuring execution of appropriate documents as per the type and terms of sanction and compliance with RBI and the Bank’s policy, along with the review and monitoring of exposures, the effectiveness of the system of identifying and reporting Red Flagged Accounts and the Early Warning System (EWS), the system of periodic physical verification of stocks, and the review/renewal of advances.
5. Restructuring/Resolution of Stressed Accounts: Comments on restructured accounts/stressed accounts regarding compliance with regulatory guidelines and the board-approved policies and conditions, among others.
6. Asset Quality: Special emphasis should be given to continuous monitoring of the classification of accounts into Standard, SMA, Sub-standard, Doubtful or Loss as per IRAC norms by the system, preferably without manual intervention, along with correct recognition of income and the adequacy of provisions thereon.
7. Recovery Policy: The existence and effectiveness of the recovery policy, along with its regular updating, the manner of appropriation of recoveries, and instances where the appropriation was not as per the recovery policy should be examined and commented upon.
8. Large Advances: Comments on adverse features considered significant in the top 50 standard large advances, and on the accounts which need management’s attention, should be provided. In respect of advances below the threshold, the process should be checked and commented upon based on sample testing.
9. Audit Reports: Major adverse features observed in the reports of all audits/inspections, internal or external, carried out at the credit department during the financial year should be suitably incorporated in the LFAR, if found persisting.
10. Recovery Records: Recoveries from all written-off accounts during the financial year should be examined and commented upon.
11. Wilful Defaulter: The system of identifying and reporting wilful defaulters should be examined and commented upon.
B. MARKET RISK AREAS
1. Investments including Derivatives: The focus should be on the merit of the investment policy and adherence to RBI guidelines. Any deviations from the RBI directives and the guidelines issued by FIMMDA / FBIL / FEDAI should be suitably highlighted. Special focus should be given to the system of purchase and sale of investments, the delegation of powers, reporting systems, segregation of back, middle and front office functions, and the efficacy of control over investments. Special focus should also be given to compliance with exposure norms, classification of investments into the HTM / AFS / HFT categories and inter-category shifting of securities, compliance with valuation, asset classification and provisioning norms, and deviations from accounting and disclosure norms, among others.
In respect of investments held at foreign branches, the valuation mode, regulatory reserve requirements, liquidity, etc. should be examined. Comments should also be made on the composition of the investment portfolio as per RBI. The system of recording income from investments, income accrued and due but not received, and the monitoring of matured investments and their timely encashment, etc. should also be covered. The internal control system, including all audits and inspections, and the IT and software used by the bank for investment operations should be examined in detail.
2. SLR/CRR Requirements: Any discrepancies in the process of compilation and calculation of NDTL by the bank should be highlighted in the report.
3. Asset Liability Management: The existence of a Policy on Asset-Liability Management and monitoring thereof, along with compliance with RBI guidelines and the functioning of the Asset Liability Management Committee should be examined.
C. GOVERNANCE, ASSURANCE FUNCTIONS AND OPERATIONAL RISK AREAS
1. Governance and Assurance Functions: Observations on governance, policy and implementation of business strategy and its adequacy vis-à-vis the risk appetite statement of the bank, and the effectiveness of the assurance functions (risk management, compliance and internal audit) should be examined and suitably incorporated in the LFAR. The adequacy of risk awareness, risk-taking and risk management, the risk and compliance culture itself, compliance testing (including the sustenance of compliance), and the system of branch inspection and the frequency and scope/coverage of internal audits should also be assessed.
2. Balancing of Books / Reconciliation of Control and Subsidiary Records: Special focus should be given to the system of control for internal accounts, along with the effectiveness of the system of monitoring the position of balancing of books and reconciliation of control and subsidiary records.
3. Inter-branch Reconciliation: The effectiveness of the system of inter-branch / inter-office reconciliation for each type of entry, along with the sufficiency of the audit trail, should be examined and commented upon with an age-wise analysis of unreconciled entries.
4. Frauds / Vigilance: Appropriateness of fraud risk management system and processes for early detection, timely reporting to RBI and investigation of frauds as also adequacy of provisioning for reported frauds and deviations observed in compliance with directives issued by RBI should be examined and commented upon.
5. Suspense Accounts, Sundry Deposits, etc.: The system of clearance of items debited/credited to suspense / sundry accounts should be examined with a focus on the audit trail, along with age-wise analysis of un-cleared entries of suspense accounts, sundry deposits, etc.
6. KYC / AML: It should be examined whether the bank has duly updated and approved KYC and AML policies in synchronization with RBI circulars/guidelines and whether the said policies are effectively implemented by the bank.
7. Cash and other security items: The system of monitoring cash at branches and management of cash through currency chest operations, including the adequacy of insurance cover, the system and procedure for physical custody of cash, and the systems and controls for procurement, issue and custody of valued stationery items should be examined.
8. Para-Banking Activity: It should be examined whether the bank has an effective internal control system for para-banking activities undertaken by the bank.
9. Management Information System: The existence and adequacy of the management information system, the method of compilation and accuracy of the information, the appropriateness of procedures for preparation of supervisory returns and their reliability under the Off-Site Surveillance System of the RBI, and the reliability of information flow for the internal risk management system should be commented upon.
10. Any Other Comments relating to People, Process and System Risks: Any other concerns relating to people, process and system risks may be commented upon.
D. CAPITAL ADEQUACY
A copy of the capital adequacy certificate should be provided, along with comments as to whether the bank has an effective system for calculating capital adequacy as per the directives of RBI, whether stress tests are done as per the RBI stress test guidelines, and whether the assumptions made in the ICAAP document are realistic and encompass all relevant risks.
E. GOING CONCERN AND LIQUIDITY RISK ASSESSMENT
The auditor should comment on whether the going concern basis of preparation of financial statements is appropriate; and the auditor’s evaluation of the bank’s assessment of its ability to continue to meet its obligations for the foreseeable future (for at least 12 months) with reasonable assurance for the same.
1. Profitability: Analysis of variation in major items of income and expenditure compared to the previous year should be carried out along with important ratios such as RoA, RoE, etc.
2. Liquidity Assessment: The auditor should also consider the robustness of the bank’s liquidity risk management systems and controls for managing liquidity, any external indicators that reveal liquidity or funding concerns, the availability of short-term liquidity support, and compliance with norms relating to the Liquidity Coverage Ratio (LCR) and the Net Stable Funding Ratio (NSFR, as and when applicable), among others.
F. INFORMATION SYSTEMS
The auditor should comment on the robustness of the IT systems, covering all the software used by the bank along with its functions, the interlinkage/interface between different IT systems, the ATM network and its security, payment system products and services, and whether the software used by the bank was subjected to an Information System & Security Audit, application function testing, and any other audit mandated by RBI. Cyber security systems and the bank’s compliance with the findings of those audits should be commented upon. IT Security and IS Policy: The auditor should comment on whether the bank has a duly updated and approved IT Security and IS Policy and on its compliance with RBI advisories/directives.
G. OTHER MATTERS
Comments should be provided on accounting policies, including changes in accounting policies made during the period; on the adequacy of provisions made for statutory liabilities such as Income Tax, Gratuity, Pension and Provident Fund, off-balance sheet exposures, and other claims against the bank; on the procedure for revaluation of NOSTRO accounts and outstanding forward exchange contracts; and on any other matter which the auditor considers should be brought to the notice of the management.
eTHIC LFAR APPLICATION
eTHIC is a web-based audit application that enables banks to carry out their audit in a digital environment. Our LFAR (Statutory Audit) module is intended for use by the bank’s statutory auditors. It covers the complete life cycle of the LFAR audit: the pre-commencement stage of identification, audit planning, auditor engagement, acceptance and audit scheduling; and, post commencement, provision for observations commenting on the bank’s Balance Sheet, Profit & Loss account, prudential norms, process gaps in operations and other branch statutory audit-related issues. Issue tracking includes auditee response, follow-up and closure. The LFAR audit module is already implemented in PSBs.