The increasing digitalisation of banking services has facilitated auditing, but has thrown up complex challenges
The issue on hand assumes a much larger dimension as the deposit holders and public at large expect a meticulous review to detect and protect the institution.
By Ashvin Parekh
Whenever we see a media report on some fraud or cases of NPAs arising out of funds siphoning by borrowers, or a disruption in the services of the banking companies, the first thought that crosses our minds is whether the assurance function of the banks is sound. The issue on hand assumes a much larger dimension as the deposit holders and public at large expect a meticulous review to detect and protect the institution.
Assurance and audit practices have acquired a new shape in the last two years, thanks to the pandemic and the need for ‘work from home’. As financial services—particularly the banking services—are becoming increasingly digitalised, audit practices need to be fine-tuned further and become high-performing. Audit practices, both the internal and the statutorily-required, are changing very fast. There are three major trends emerging from the new challenges.
The first major change in the approach is the higher order of involvement of business and operation executives in the evaluation of the process-control and its efficacy. Self-identification of the weaknesses and non-compliance, by business executives, is now insisted upon. Most progressive banks judge their risk management culture by the participation of business executives, i.e., those who make various decisions in the corporate or institutional business, retail banking and treasury, and are involved in the day-to-day conduct of business to assess the process-control efficacy. If the first line of defence performs, then the bank will not be required to entirely depend on the assurance function to detect non-compliance or fraud. If one studies the consultative papers on self-assessment of process-controls by people who conduct banking transactions in Basel accords, attention to and emphasis on strengthening the first line of defence is adequately covered. The papers and the accord attempt to quantify the assessment in determining the capital to be set aside by banking companies in Pillar One for operational risks. The assessment goes as far as examining several operational risks, including internal and external fraud and examining near-misses in operational failures.
The second major trend is to encourage and require the executives to digitalise and record the essential evidence collected during their decision-making process. The emphasis is on digitalising all possible evidence provided by the customers or borrowers so that the transaction flow recorded for purpose of evaluation and authorisation of decisions and transactions (with trails) is available for review. Imagine an internal audit or a statutory audit professional examining the evidence with a view to evaluate the performance of controls without having the supporting evidence! This is particularly critical now, in the context of the auditor having to spot the evidence working from his home or from a distant location. The staff at various working points must scan documents and collect evidence in an organised way to enable tracking of workflow and authorisation of various decisions and transactions.
The third major trend in the audit practice is the increased use of analytical tools and technology solutions to study by mining immense quantas of data and then form a view. The auditor will find himself struggling to take a view on the efficacy and performance of process-controls. There are several pieces of evidence required to support his assessment, including the time and location of a transaction gettinig triggered by a customer or a banking staff. One major area that requires use of tools is the evaluation of the maker and checker of transactions and the control on devices used by the authorised personnel in the conduct of such transactions. The second aspect here is authentication through devices used by the customers when they conduct the transactions. Most progressive banks have invested in analytical tools and solutions to equip the auditors in viewing the data from several perspectives at the same time. The system-access trails are now examined by the auditors in all progressive banking companies using such frameworks, tools and mechanisms.
This trend has also led to the growth of a vast number of fintech solutions that not only support the banking services in their digital product and service development but also create an audit trail for review. With enhanced distribution partners, several fintech solutions holding and processing transactions, dedicated APIs and multiple devices used by the staff and customers, the task of assurance becomes more complex. Then again, the customer expectations have become much more acute and the regulations are changing too often. Thus, the complexity is growing exponentially.
In conclusion, I observe that the recent changes in the environment have made the banking companies invest sizeable resources and technology, and evolve sharper practices in the conduct of audit. However, we all know that in this journey of digitalisation, the systems are more vulnerable to misuse. The banking companies will have to make relentless effort to strengthen their review and audit mechanisms. If the assurance function has to stand up for the incontestable truth, they must sharpen their skills to meet the requirements of the reality of today.
The author is Managing partner, Ashvin Parekh Advisory Services LLP
Views are personal