A good place to start to gain an understanding of what the internal or external auditors (CPAs) and bank
examiners do would be to review the meaning of the word “auditor” and see if any of the dictionary
definitions would apply to the different types of auditors we will be meeting this week. According to
Webster’s dictionary, an auditor is one who hears or listens, or is authorized to examine and verify
accounts or “audits” a course of study or hears (as in a court case) in the capacity of a judge. It is
possible that all four definitions fit our current idea of an auditor in the following ways:
“one that hears or listens” – one technique used to gather valuable information by internal and
external auditors
“One authorized to examine and verify accounts” – important auditing technique, especially in
periodic examinations of a department or division, or during interim audits to determine with a
reasonable degree of assurance balances in a bank’s accounts.
“One that audits a course of study” – substitute the words “functions, services, systems, and
procedures” because the auditor must be exceptionally knowledgeable in the subject matter of
banking.
“One that hears (as a court case) in the capacity of a judge” – an auditor reviews, analyzes and
weighs the facts (hearing evidence), renders an opinion (makes a judgment), and recommends
corrective action where necessary (passes sentence).
We will be looking at the internal audit function, the external audit function (also identified as the CPA),
and the bank examiner activity from the perspectives of definition, purpose, and responsibilities. We will
then focus on the relationships among the three groups of auditors.
Internal audit is defined as an independent appraisal activity within an organization that reviews
accounting, financial and other operations as a basis for service to management by functioning as a
managerial control, which measures and evaluates other controls. Internal audit also encompasses the
examination and evaluation of the adequacy and effectiveness of the organization’s system of internal
control and the quality of management’s performance in carrying out its assigned responsibilities. To
function effectively, the internal audit activity must have an independent reporting relationship to
management or the Board of Directors.
The purpose of the internal audit function is to prevent and detect loss and to provide
management with assurance that it (management) can rely on accounting information to draw
conclusions about past performance and to make plans for future actions.
The responsibilities of the internal auditor (outlined by the Institute for Internal Auditors) include the
following:
Review the reliability and integrity of financial and operational information and the means used
to identify, measure, classify and report such information
Review the systems established to ensure compliance with those policies, plans, procedures,
laws, regulations, and contracts, which could have a significant impact on operations and
reports and should determine whether the organization is in compliance with laws and
regulations
Review the means of safeguarding assets and, as appropriate, verify the existence of such assets
Appraise the economy and efficiency with which resources are employed
Review operations or programs to ascertain whether results are consistent with established
objectives and goals and whether the operations or programs are being carried out as planned
Personal Standards – the auditor should be sufficiently trained and should maintain an
independent state of mind and exercise due care and respect the confidentiality of information
and not engage in activities that conflict with the interest of the organization and exercise due
professional care in the performance of duties and fulfillment of responsibilities
Performance Standards – the auditors should prepare formal audit plans covering all significant
organization activities over an appropriate cycle of time and that plan should include an
evaluation of controls within the system, and procedures should provide sufficient competent
evidential matter to support conclusions and proper supervision and review of the work should be
performed.
Communication Standards – the auditors should prepare a formal report in a timely fashion as to
the scope and results of each audit performed with an opinion on the adequacy, effectiveness
and efficiency of systems of control and quality of ongoing operations with periodic
summarizations of the audit activities to the board of directors and senior management and
external auditors and regulators
Based on these standards and to achieve its objectives, the internal auditors follow detailed audit plans
and programs and test data and interview employees. They then produce a report to be directed to the
examined area and the management unit to which the internal auditor reports (which should usually be
the audit committee of the board of directors) with an opinion as to the effectiveness and efficiency of
the operations reviewed, the reliability of the financial reporting, and compliance with applicable laws
and regulations.
As to Information Technology (IT) auditing, certain principles and standards are applicable as follows:
Proficiency – audits of banking activities or functions that are affected directly or indirectly by IT are to
be performed by a person with appropriate IT technical knowledge and proficiency as an auditor
Independence – able to perform required audit tests without the assistance of personnel actually
engaged in the IT activity that is being reviewed
Scheduling – timeliness and orderliness of IT auditing procedures should be synchronized with normal
operations of the IT department
Internal control – evaluate existing internal controls and use the results as the basis for determining the
extent of other audit procedures and for recommending improved controls, if necessary
Reporting – findings and recommendations to be presented in writing along with any material variations
in the usual scope of the audit
The external audit function is an independent examination and appraisal activity of a set of financial
statements of the bank performed by qualified experts external to the organization.
The purpose of engaging the external auditor is to provide management with a report that contains an
independent opinion (unqualified or qualified or adverse or disclaimer) of the fairness of the bank’s
financial statements taken as a whole, prepared in accordance with generally accepted accounting
principles, after following generally accepted auditing standards. The external auditor or CPA is
interested in the financial soundness of the bank, the competence of its management, compliance with
applicable statutory laws and regulations, adequacy and effectiveness of the internal audit program, and
competency of the internal auditors.
The external auditor is responsible to the financial users who rely on the external auditor or CPA to add
credibility to the financial statements of the bank.
The procedures used by the external auditor to examine banks and savings institutions are detailed in
the AICPA Audit and Accounting Guide Depository and Lending Institutions: Banks and Savings
Institutions, Credit Unions, Finance Companies and Mortgage Companies. Essentially, the four phases of
the audit of the financial statements consist of the following:
Examples of the audit reports issued by the external auditors are found in Chapter 22 (Reporting
Considerations) of the AICPA Audit and Accounting Guide Depository and Lending Institutions: Banks and
Savings Institutions, Credit Unions, Finance Companies and Mortgage Companies. The reports can be an
unqualified opinion, unqualified opinion with explanatory language added to the auditor’s standard
report, unqualified opinion with emphasis of a matter, qualified opinion, adverse opinion, or disclaimer of
opinion.
Essentially, the CPA is forming an opinion, based on the evidence gathered and evaluated, as to the
assertions of management relative to the financial statements of the entity. These implied or expressed
management assertions are the following:
Existence (whether assets, obligations, and equities included in the balance sheet actually
existed on the balance sheet date)
Completeness (all transactions and accounts that should be presented in balance sheet actually
existed on the balance sheet date)
Completeness (all transactions and accounts that should be presented in the financial
statements are included)
Valuation or allocation (whether asset, liability, equity, revenue, and expense accounts have
been included in the financial statement at appropriate amounts)
Rights and obligations (whether components of the financial statements are properly combined
or separated, described, and disclosed)
For the CPA, there are six transaction-related audit objectives that are closely related to the
management assertions; and this is not surprising because the auditor’s primary responsibility is to
determine whether management’s assertions about financial statements are justified. The transaction-
related audit objectives are the following:
Accuracy (recorded transactions included in the client’s journals are properly classified)
Posting and summarization (recorded transactions are properly included in the master files and
are correctly summarized)
In addition, there are balance-related audit objectives, similar to the transaction-related objectives. They
too follow from the management assertions, and they provide a framework to help the auditor
accumulate sufficient competent evidence. These nine balance-related objectives are the following:
Existence (amounts included exist – whether the amounts included in the financial statements
should actually be included)
Completeness (existing amounts are included – whether all amounts that should be included
have actually been included)
Cutoff (transactions near the balance sheet date are recorded in proper period)
Detail tie-in (details in the account balance agree with related master file amounts, foot to the
total in the account balance, and agree with the total in the general ledger)
Rights and obligations (in addition to existing, assets must be owned by the entity being
examined before it is acceptable to include them in the financial statements, and liabilities must
be the responsibility of the entity being examined)
Presentation and disclosure (account balances and related disclosure requirements are properly
presented in the financial statements)
Here too, these objectives must be met before the auditor can conclude that any given account
balance is fairly stated.
The ability of the client’s internal controls to generate reliable financial information and
safeguard assets and records is one of the most important and widely accepted concepts in the
theory and practice of auditing. To adequately plan how to obtain and evaluate the appropriate
audit evidence, generally accepted auditing standards require the auditor to gain an
understanding of the internal control in place at the entity being examined. After gaining an
understanding of internal control is in preventing and detecting errors and fraud. The audit
procedures the auditor puts in place to test the effectiveness of controls in order to support a
reduced assessed control risk are called tests of controls.
The auditors also evaluate the client’s recording of transactions by verifying the monetary amounts of
transactions. These substantive tests of transactions are audit procedures testing for monetary
misstatements to determine whether the six transaction-related audit objectives (outlined above) have
been satisfied for each class of transactions. Tests of details of balances are audit procedures testing for
monetary misstatements to determine whether the nine balance-related audit objectives (outlined in
preceding paragraphs) have been satisfied for each significant account balance. The use of comparisons
and relationships to assess whether account balances or other data appear reasonable constitutes
analytical procedures.
BANK EXAMINATIONS
Bank examinations are appraisal activities performed by regulatory experts external to the organization.
The regulatory organization in Ghana is the Bank of Ghana. Part VII of the Ghana Banking Act 2004
provides information on Bank supervision. The purpose of the regulators’ examination of a bank’s
operations is to provide an objective evaluation of a bank’s soundness and its compliance with banking
laws and regulations. In addition, the regulators appraise the quality of management and the Board of
Directors, and identify those areas where corrective action needs to be taken to strengthen the bank, to
improve the quality of its performance, and to enable the bank to comply with applicable laws, rules and
regulations.
The bank regulators have a responsibility to the public to ensure that the institution is being operated in
a safe and sound manner and in accordance with the applicable laws and regulations and to ensure that
risks taken by the institution have been properly evaluated. Some of the procedures used by the
regulators include the following: evaluation of the prudence of practices; adherence to laws and
regulations; adequacy of liquidity and capital; quality of assets and earnings; nature of operations;
adequacy of financial reports, internal controls, and audit programs. For more detailed information, you
can access the websites of the regulatory agencies to view the examination and supervisory guidelines
followed by these regulators as they review the balance sheets and income statements of the banks.
There are definite similarities among internal auditors, external auditors, and bank examiners, and these
include the following: competency, objectivity in performing work and reporting results, use of a
methodology in performing the audit or examination (including planning and performing tests of
controls and substantive tests), use of a model, and materiality in deciding the extent of the tests and
evaluating results.
At the same time, there are differences among these three groups of auditors/examiners, namely
decisions as to risks and materiality may differ because external users, regulators, and management may
have different needs. In addition, the objectives of the internal auditors are usually broader than those of
the external auditors or bank examiners in order to provide flexibility for internal auditors to meet
company needs.
There is a definite need for close communication among internal and external auditors and bank
examiners as the work of the internal auditors impacts the extent of testing by the external auditors and
bank examiners, depending on the effectiveness or ineffectiveness of the internal auditors. The internal
auditors’ effectiveness can be measured by their independence of the operating units being evaluated,
their competency and training, and their actual performance of relevant audit tests of the internal
controls and the financial statements.
INTERNAL CONTROLS
To understand the role of auditors and what type of controls and audit tests need to be performed to
ensure the reliability of financial information, we need to have some idea as to what internal control is
and why it is important in the auditing and accounting process. Internal control is especially important in
the banking industry because banking is not comparable to other industries since a bank’s assets are not
totally its own. Banks use depositors’ funds to create assets, pay dividends to stockholders, and
reimburse suppliers.
The objectives of internal control are to keep the company on course toward profitability goals and
achievement of its mission and to minimize surprises along the way by enabling management to deal
with rapidly changing economic and competitive environments, shifting customer demands and
priorities, and restructuring for the future. The five components of internal control are the following:
2. Risk assessment – enables the entity to face various external and internal sources of risk and to
safeguard assets
3. Control activities – policies and procedures to ensure management directives are carried out
In your readings and discussions, you will be coming across the phrase “control activities.” Control
activities are defined as the policies and procedures (including those in the five components of control
outlined in one of the preceding paragraphs) that help ensure that necessary actions are taken to
address risks in the achievement of the entity’s objectives.
The following is a list of basic control activities that can be used to set up the internal control
environment. Of course, not all of the activities are applicable to each type of operation. Use of the
activities is dependent upon the particular operations being performed.
These control activities, in turn, can be crafted for inclusion into any one of the following types or groups
of internal controls:
Accounting controls: general ledger design, closely related to organizational structure; control of
the debits and credits from all areas of the bank to the asset, liability, and capital accounts
(income and expense); data accurate and up-to-date so the data can be relied upon by users;
consisting of series of checks and balances between sending and receiving areas of the bank and
these areas to the general ledger with procedures spelled out in detail
Financial controls: products or end results of the bank’s accounting and control systems that are
used by management and others to monitor a bank’s progress in the market place and its
financial position, e.g. to know what the bank is earning on loans and profitability of various
bank services
Operating controls: dependent upon the nature and complexity of the system they are designed
to protect; usually a mixture of accounting controls, managerial controls, and checks and
balances in an operating system designed to promote safe, accurate, and timely processing of
transactions, e.g., segregation of duties, dual control, joint custody, rotation of employees,
mandatory vacations, accrual accounting
Information technology (IT) controls: general controls
(relating to all aspects of the IT function, such as, segregation of IT duties, systems development
testing, physical and on-line security, back-up and contingency planning and hardware controls);
applications controls (relating to processing of individual transactions and specific to certain
software applications, such as, input controls, processing controls, and output controls)
Reliance on the functioning capabilities of hardware and software, such as the need for proper
physical protection from inappropriate use, sabotage, or environmental damage (such as fire,
heat, humidity, water)
Visibility of audit trail in that IT often reduces or eliminates source documents and controls need
to be in place to replace the traditional ability to compare output information with hard copy
Reduced human involvement in that employees who deal with initial processing of transactions
never see final results and there is a tendency to regard output generated through IT as “correct”
because a computer produced it
Systematic versus random errors as the uniformity of computer processing increases risk of
systematic errors and risk heightened if system is not programmed to recognize unusual
transactions or when transaction audit trails are inadequate
Unauthorized access as without proper on-line restrictions (such as passwords, user IDs, etc.)
unauthorized access and activity may be initiated, resulting in improper changes to software
programs and master files
Loss of data because of the severe ramifications resulting from centralized storage of data lost
or destroyed
Reduced segregation of duties as computers perform many duties that were traditionally
segregated (authorization and recordkeeping) as key duties need to be appropriately segregated
in the IT environment
Need for IT expertise because the reliability of IT system and information generated depends on
the ability of the organization to employ personnel or hire consultants with appropriate
technology knowledge and experience.
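
The IT risks listed above (reduced segregation of duties, inadequate audit trails, unauthorized activity) can be tested directly against a system's transaction log. The following is an added example, not part of the original notes: the event layout, the user names, the sample events and the dual-control threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample audit-trail events (not real data):
# (transaction id, action, user id, amount)
EVENTS = [
    ("T1001", "record",    "teller_a", 500.00),
    ("T1001", "authorize", "super_b",  500.00),
    ("T1002", "record",    "teller_a", 900.00),
    ("T1002", "authorize", "teller_a", 900.00),    # same person records and authorizes
    ("T1003", "record",    "teller_c", 75000.00),
    ("T1003", "authorize", "super_b",  75000.00),  # large item, only one approver
    ("T1004", "record",    "teller_c", 120.00),    # no authorization event at all
    ("T1005", "record",    "teller_a", 60000.00),
    ("T1005", "authorize", "super_b",  60000.00),
    ("T1005", "authorize", "super_d",  60000.00),
]

DUAL_CONTROL_THRESHOLD = 50000.00  # assumed policy limit, not taken from the notes


def review_audit_trail(events, threshold=DUAL_CONTROL_THRESHOLD):
    """Return {txn_id: [finding, ...]} for transactions that fail a control test."""
    recorders = defaultdict(set)
    authorizers = defaultdict(set)
    amounts = {}
    for txn_id, action, user, amount in events:
        amounts[txn_id] = max(amount, amounts.get(txn_id, 0.0))
        if action == "record":
            recorders[txn_id].add(user)
        elif action == "authorize":
            authorizers[txn_id].add(user)

    findings = defaultdict(list)
    for txn_id in sorted(amounts):
        rec, auth = recorders[txn_id], authorizers[txn_id]
        if not auth:
            # Audit trail gap: nothing shows who approved the entry
            findings[txn_id].append("missing_authorization")
            continue
        if rec & auth:
            # Authorization and recordkeeping performed by the same user
            findings[txn_id].append("segregation_of_duties")
        # Dual control: large items need two approvers independent of the recorder
        independent = auth - rec
        if amounts[txn_id] >= threshold and len(independent) < 2:
            findings[txn_id].append("dual_control")
    return dict(findings)


if __name__ == "__main__":
    for txn, issues in review_audit_trail(EVENTS).items():
        print(txn, ", ".join(issues))
```

Because the test runs over every logged transaction rather than a sample, it also addresses the systematic-error risk noted above: a control that fails once in an automated system tends to fail the same way every time.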