Audit Strategy Analysis for Solid Bank Plc - Case Study Example

Audit Strategy Analysis for Solid Bank Plc Table of Contents: Introduction: This paper presents the audit strategy report for SOLID Bank Plc. The paper is presented in two parts – relevance of assignment with relevant guidelines of ISA (UK and Ireland) that are ISA 300, ISA 315 & ISA 330 and internal controls to be assessed. It is proposed that before we present this strategy report to the Customer, we complete the procedures pertaining to continuity of our relationship with client, evaluate & present compliance with ethical requirements and sign the terms of engagement with the customer (ISA 220 and 210). Any misunderstanding in our terms with client or integrity issues among those charged with governance & management that may potentially compromise the independence of the auditors should prevent us from proceeding with this audit assignment. The Audit Strategy The proposed audit shall be conducted after closure of financial year on 31st December 2009. The objective of this audit is to assess the risks to the Bank given the current economic environment in UK & the performance of the Bank and report to the board of directors. This audit strategy is first hand presentation and may be subject to change/modifications if deemed necessary during the audit process (proposed in accordance with the guidelines of ISA 300). This plan & all subsequent changes shall be documented & shared with all members of the customer charged with governance & management. The focus of the audit shall be on the following: (a) General understanding of the legal & regulatory framework of the Bank from the perspective of the Board. (b) Identification & Assessment of the documents & records of the Bank pertaining to Legal & Statutory compliance. (c) Identification of Bank Account statements, operating expenses & income, profit before & after tax, assets & liabilities held by the bank, share holder’s equity, cash flows & equivalents, loans & advances to the customers, Collaterals, non-performing assets, and any other area that may be identified during the audit process. (d) The audit shall be carried out in full on all the accounting statements and balance sheets. Parts of the statements shall be sampled to assess compliance to internal & regulatory procedures. If non-compliances are evident then the sample sizes shall be increased at the relevant areas. (e) The Risk Management System of the Bank shall be assessed and the identified risks shall be analyzed with respect to the threats & vulnerabilities (exposures) and criticality at which the risks are logged. The risk management of material misstatements in the accounting statements shall be a part of this assessment in accordance with ISA 315. Further to this, the mitigation actions (planned as well as accomplished) against identified risks shall be assessed for their effectiveness in reducing the risk values. Wherever the controls & mitigation actions are perceived by auditors to be insufficient, the auditors shall enhance the audit scope & procedures & determine the overall responses to address the risks of material misstatement in accounting statements. The nature, timing & extent of further audit procedures shall be determined & communicated to the board of directors (ISA 330). (f) The underlying technology infrastructure maintaining the samples selected for audit shall be assessed from the perspective of access control, assignment & control of roles & privileges, cryptography or other controls used, activity logging, systems monitoring, data protection procedures (like backups, recovery testing, data consistency tests, management of storage media), administrative privileges, segregation from other systems of the Bank and transfer of data from live systems to internal auditing & anti-fraud systems. This scope will comprise as part of risk assessment of material misstatement of accounting (ISA 330) may be enhanced based on on-site experiences on the audit and discussions with the audit partners and board. The proposed schedule for auditing is the following: Audit Area Auditees Required Audit Records Proposed time to Audit General understanding of the Bank & its internal environment All members charged for governance & management of the Bank. Nil – it would be general round table discussion. 2 Man-Days Risk Management and Governance system Risk and Compliance Manager, Internal Audit Team, randomly selected Risk Management team members. Risk management Governance, Risk Review by Management, Risk Approval process, Risk Mitigation Process, Control Effectiveness Measurement process, Internal Audit process, Corrective Action process, and Preventive Actions process. 10 Man-Days Technology Risks, Business Risks, Finance Risks, Economic Risks, Audit Risks, Customer Service Risks (under Operations Risks) and Business Risks Risk and Compliance Manager, Internal Audit Team, randomly selected Risk Management team members. Risk assessment & management procedure in all these areas, Risk Analysis sheets, Approved Risk Acceptance documents, Risk Mitigation Plan, Control Effectiveness Measurement sheets, Internal Audit reports, Corrective Actions taken, Preventive Actions Taken. 10 Man Days Banks records pertaining to Net Interest Income, Net Operating Income, All operating expenses, tax payments, Assets & Liabilities, Cash Reserve (including contingency funds), Cash equivalents, Shareholder’s equity, secured & unsecured lending (retail as well as corporate), and Collaterals & their current valuations Business Leadership team, transaction executives selected through sampling, loan approval executives All evidences in the form of transactions, documents, Logsheets, loan applicant assessments, loan approvals, returns, asset masters, general ledger, bank statements, expense statements, Profit & Loss accounting, Collateral papers (like property papers, mortgage papers, etc.), Internal Audit reports, Corrective & Preventive Actions Taken. 30 Man-Days Fraud and Money Laundering detection and prevention Fraud Control Manager, Money Laundering Control Management, randomly selected team members Standard Operating Procedures, Process Maps, Logsheets, Checkpoints, Incident Management system, Internal Audit reports, Corrective Actions taken, Preventive Actions Taken. 10 Man-Days Non-Performing Assets Chief Financial Officer and the randomly selected Financial Controllers. NPA reports being submitted to government, existing P&L, Future Hypothecations based on trend analysis and current scenarios, Internal Audit reports, Corrective Actions taken, Preventive Actions Taken. 10 Man-Days Total proposed time to Audit 72 Man-Days The audit team shall comprise of a Team Leader & two members. One representative from Customer side shall be required to be with the audit team throughout the process except some internal meetings of the audit team. The Audit methodology would involve planning & preparation of checklist of samples to be collected, on-site sampling, physical visits, verification of papers & electronic records and interviewing. If the auditors detect serious risks, they would be included in the scope detailing the nature & extent and request for increase of Man-days shall be put forward (ISA 330). The final report would be submitted within 15 working days from the last day of the audit. Proposed internal business controls to be audited & tested The audit team should focus on the following areas of the Customer that may be subject to high risks due to the current market dynamics and given the fact that the Bank is already facing reduction of net profits compared to the last year: (a) Loans & Advances to Customers – It is a huge sum of £516008 millions as compared to £452170 millions in 2007 although the profit has reduced. This indicates that the non-performing assets have increased in 2008. (b) The liabilities of the Bank totals to £773656 millions [majority of them being customer accounts (£291865 millions) and debt securities (£247824 millions)] although the cash reserves (including cash equivalents) are £5609 millions which again have reduced from last year’s reserve of £9829 millions amidst increase in operating expenses. Again, loans & advances to Banks comprise of £4336 millions which again is exposed to risks in current market conditions. In nutshell, in the event of a sudden increase in loan defaults, as is evident to be high risk given current market turmoil, the Bank will be in serious difficulties. (c) The Bank has £282925 millions worth of home mortgages which is a serious concern given the dropping property prices in the market. (d) The two areas where the auditors should seek in depth information are derivative assets of £16969 millions and investment securities £155260 millions to verify how they are performing in current market conditions. (e) A substantial amount of collaterals valued at £108622 millions are pertaining to non-UK residents that will need to be assessed in-depth. (f) It is proposed that the auditors should ask for detailed evidences against the cash flow statements, loan approval process, non-performing assets, securitization process, mortgage process, and the process of accounting collaterals of non-UK residents. (g) The loans are pooled to form Special Purpose Vehicles (SPVs) that are sold to investors through market linked conduits through the process of securitization. The risk assessment then is carried out based on the historical data about SPVs which is not sufficient because the fundamentals of the SPVs/Conduits are lying outside the banking system forcing the risks assessors to operate upon unreliable data/information. Further to this, the investors in SPVs are protected with backup lines of credits by the same bank. Hence, it is further proposed that the auditors should assess the historical data elements based on which the Credit & Liquidity Risk assessment is carried out by the Bank. [Clerc, Laurent. 2008. pp1-4] Conclusion: The Audit strategy is hereby proposed to carry out more in-depth analysis of the Customer’s financial condition thus raising timely alerts to take corrective actions before the Bank faces turmoil of loan defaults. The audit strategy has been formed in accordance with ISA 300, 315 and 330. Although mortgage is a trap which cannot be broken before any loan default but the Bank can at least force foreclosures of loans where the defaults have started happening and sell the mortgaged properties. In nutshell, corrective & preventive actions will evolve in the process of assessing actual evidences that have been proposed to be verified. Reference List: Clerc, Laurent. A Primer on the Sub-Prime crisis. Financial Stability Directorate. Occasional Papers – Banque De France. 2008. pp1-4. ISA (UK & Ireland) 300. Retrieved on 18 March 2009. Available at www.frc.org.uk/APB. ISA (UK & Ireland) 315. Retrieved on 18 March 2009. Available at www.frc.org.uk/APB. ISA (UK & Ireland) 330. Retrieved on 18 March 2009. Available at www.frc.org.uk/APB. End of Document Read More