Hoda Vasi

Chowdhury & Co
Chartered Accountants
Amendments to the Bank Company Act, 1991 -
Implications on External Audit of Bank
Sabbir Ahmed, FCA
Banking is such a unique industry where you do
not want your competitor to fail.
Banks play a central role in the economy. They
hold the savings of the public, provide a means
of payment for goods and services and finance
the development of business and trade.
Banks must command the confidence of the
public and those with whom they do business.
The stability of the banking system, both
nationally and internationally, has therefore
come to be recognized as a matter of general
public interest.
Background
As a result, naturally, stakeholders expectation
from external or statutory auditors of a bank is
much higher than audit of another entity.
From local view points, a number of high profile
fraud/scam took place in recent years involving a
number of Banks in Bangladesh.
Many such fraud/scams took place due to the
absence of a robust risk management, internal
control and internal audit function in those banks.
In some cases, although these functions were
present but it failed to operate effectively.
Background
Following changed made through the Bank
Company (Amendment) Act, 2013.
As per these new requirements inserted in Clause
39, Sub Clause 3, an auditor of Bank Company is
required to report on the following matters:
Adequacy of internal audit, internal control and
risk management related process followed and if
necessary recommendation for improvement; and
Any fraud/forgery or irregularities or
administrative error or anything harmful for the
Bank Company committed by the officer-staff of
the bank or its associated entity came to the
attention of the auditor.
New Amendments in Bank Company Act
Also a new Clause is inserted requiring the auditor
to confirm that all subsidiaries of the Bank have
been duly consolidated in the consolidated
financial statements of the Bank.
In addition, a new sub section 5 has been added
whereby an Auditor cannot be involved on any
other matters or provide any other services to the
Bank Company except audit services as specified
in clause 39 or except anything instructed by
Bangladesh Bank. This new sub-clause will
effectively restrict an auditor from providing any
non-audit services (i.e. tax compliance, advisory)
to a Bank during the audit period.
New Amendments
Clause Cha Cha
Report on adequacy of internal audit, internal
control and risk management related process:
No mention of whose responsibility to ensure
adequacy of internal audit, internal control and
risk management functions of the Bank and
whether responsible party has made their own
assessment first on adequacy.
Under SOX Sec 404, the auditor is not reporting on
adequacy of internal control on financial reporting
but s/he is reporting on the internal control
assessment made by the management of the
issuer.
Critical analysis of new amendments
Critical analysis of new amendments
An auditor shall only assess and evaluate those
internal controls that are relevant to financial
reporting not all controls but it requires
comment on whole internal control.
No Framework has been specified to assess
adequacy of internal audit, internal control and
risk management functions of Bank (i.e. COSO).
No mention has been made whether auditors
report on adequacy of internal audit, internal
control and risk management are, as of date or
for the full year. In SOX Sec 404 it is required to
be as of the end of the most recent fiscal year.
Critical analysis of new amendments
Clause Cha Cha Cha
Any fraud/forgery, irregularities or administrative
error or anything harmful for the Bank committed
by the officer-staff of the bank or its associated
entity came to the attention of the auditor.
No concept of materiality has been incorporated
and hence it would be very contentious issues. As
per BSA 240, auditor shall consider risk of fraud
but even then due to inherent limitation following
those procedures may not necessarily bring to
light all instances of fraud and error. Accordingly,
imposing such reporting requirement is very
onerous and contentious issue.
Response from ICAB
ICAB duly recognised higher expectations from
the wider stakeholders and wholeheartedly
supported the spirit of increased reporting
obligations imposed on the auditors of the Bank.
Hence objective of ICAB was not to be critical of
regulation but to find a way out in a professional
manner.
Under the Managements Responsibility for the
paragraph new sentence added.
Response from ICAB
Under Other Legal and Regulatory Requirements
caption of Auditors Report two new paragraphs
added.
For those Banks who has a subsidiary another
additional paragraph added.
Banks were also advised to make disclosure on
Disclosures on Internal Control and Compliance, FX
Risk, Credit Risk, Asset Liability Management Risk,
Money Laundering Risk, ICT Risk and Internal
Audit.
Additional risk factors for Bank audit
- Custody of large amount of monetary items
- Assets that can rapidly change in value
- Operate with high leverage (capital to assets)
- Short term deposit, solvency, liquidity issue
- Complex accounting and IT systems
- Assume significant commitments
- Wide spread of branches and departments
- Highly regulated with strict enforcement
- Cross border involvement and FX issue
Assessment of Risk Management
BSA 315 requires an auditor to perform risk
assessment procedures to provide a basis for the
identification and assessment of risks of material
misstatement at the financial statement and
assertion levels.
Bangladesh Bank Department of Off-site
Supervision (DOS) has issued Circular No. 02
dated 15 February 2012 on Risk Management
Guidelines for Banks, instructed all scheduled
banks operating in Bangladesh to follow these
Guidelines for managing various risks in a
prudent manner.
Assessment of Risk Management
In addition Bangladesh Bank has also issued
guidelines on risk based capital adequacy, stress
testing and managing the banking risks in the
following six core areas:
Internal Control and Compliance Risk
Foreign Exchange Risk
Credit Risk
Asset Liability Management Risk
Money Laundering Risk
ICT Security Risk
An auditor of a Bank need to review compliance
of these guidelines by that Bank.
Assessment of Internal Control
- Appropriate in relation to type and level of risks
- Clear lines of authority and responsibility
- Sufficient independence of control function
- Segregation of duties
- Reliability, accuracy and timeliness
- Procedures for regulatory compliance
- Information systems, IT and its usage
- Monitoring and remediation of weakness
Assessment of internal audit
BSA 610 requires the auditor to obtain an
understanding of the nature of the internal audit
functions responsibilities, its organizational
status, and the activities performed, or to be
performed
The independence of internal audit as well as
coverage of the internal audit shall be assessed.
Competency of internal audit function including
assessing their educational background and
professional expertise as well as existence of
subject matter expert (IT, Treasury) with the
internal audit team shall be considered.
Assessment of Fraud
As per BSA 240, the primary responsibility for the
prevention and detection of fraud rests with both
those charged with governance of the Bank
(Board) and management. They should place
strong emphasis on fraud prevention and
commitment to creating a culture of honesty and
ethical behaviour by an active oversight by Board.
The auditor shall make inquiries of those charged
with governance (the Board or its Committees)
management, and others within the entity as
appropriate, to determine whether they have
knowledge of any actual, suspected or alleged
fraud affecting the entity.
Assessment of Fraud (cont)
As per BSA 240, revenue recognition presumed fraud risk
so interest income accrual on classified loans, recognising
fair value gain from unquoted investments, etc.
Many frauds are committed through journal entries at the
very last minute to escape auditors scrutiny and hence
journal entries and other adjustments shall be tested.
Review accounting estimates for biases and evaluate
whether the circumstances producing the bias, if any,
represent a risk of material misstatement due to fraud.
For example, loan loss provisioning is a very subjective
area where management/Board can take very aggressive
view (for example recent controversy in relation to BRPD
Circulars 14 and 15 issued in December 2013 for
rescheduling of loans on the basis of banker-customer
relationship).
Effective audit
It is very important to note the fact that the
quality of the external auditors opinion would
also be influenced by multiple elements, notable
amongst those are the proper observance of
various roles and responsibilities of not only
external auditors but the following parties as
well:
- the Banks Board of Directors;
-the Banks Management; and
- the supervisor (i.e. B Bank) and other regulators
Therefore, commitments from all stakeholders
required.
Conclusion Quality has a cost
USD CHF GBP INR PKR
Total
assets
516,542 1,317,247 798,494 5,367,946 1,371,718
Net profit 4,414 7,836 3,015 83,255 5,307
Audit fee 14 59 15 167 106
Audit fee
% of total
assets 0.003% 0.004% 0.002% 0.003% 0.008%
Audit fee
as a % of
net profit 0.3% 0.7% 0.5% 0.2% 2%
Conclusion Quality has a cost
BDT Million Bank A Bank B Bank C Bank D
Total assets 549,979 158,163 245,521 642,276
Net profit 5,055 2,535 2,289 1,166
Audit fee 2.1 0.9 1. 6 2.1
Audit fee as a % of
total assets 0.0004 0.0006 0.0007 0.0003
Audit fee as a % of
net profit 0.04% 0.04% 0.07% 0.02%
Applying the lowest
% (0.002%) on total
assets
11 3 5 13
Applying the lowest
% (0.2%) on net
profit
10 5 5 2.3
Floor Discussions
Questions and
Answers Sessions