Module 5

5.1 Introduction

The purpose of this Statement is to provide practical assistance to auditors and to promote good practice in applying
Philippine Standards on Auditing (PSAs) to the
audit of banks’ financial statements. It is not, however, intended to be an exhaustive listing of the procedures and
practices to be used in such an audit. In conducting an audit in accordance with PSAs the auditor complies with all the
requirements of all the PSAs.
The Bangko Sentral ng Pilipinas (BSP) requires that the auditor report certain events to them or make regular reports to
them in addition to the audit report on
the banks’ financial statements. This Statement does not deal with such reports. PAPS 1004, “The Relationship
Between Bangko Sentral ng Pilipinas (BSP) and
Bank’s External Auditors” discusses that subject in more detail.
For the purpose of this Statement, a bank is a type of financial institution whose principal activity is the taking of
deposits and borrowing for the purpose of
lending and investing and that is recognized as a bank by the BSP. The guidance in this Statement is applicable to
audits of financial statements that cover the
banking activities carried out by those entities. It also applies to the audits of consolidated financial statements that
include the results of banking activities
carried out by any group member. This Statement addresses the assertions made in respect of banking activities in the
entity’s financial statements and so indicates
which assertions in a bank’s financial statements cause particular difficulties and why they do so. This necessitates an
approach based on the elements of the
financial statements. However, when obtaining audit evidence to support the financial statement assertions, the auditor
often carries out procedures based on
the types of activities the entity carries out and the way in which those activities affect the financial statement assertions.
Banks commonly undertake a wide range of activities. However, most banks continue to have in common the basic
activities of deposit taking, borrowing,
lending, settlement, trading and treasury operations. This Statement’s primary purpose is the provision of guidance on
the audit implications of such activities.
In addition, this Statement provides limited guidance in respect of securities underwriting and brokerage, and asset
management, which are activities that auditors of banks’ financial statements frequently encounter. Banks typically
undertake activities involving derivative financial instruments. This Statement
gives guidance on the audit implications of such activities when they are part of the bank’s trading and treasury
operations. PAPS 1012, “Auditing Derivative
Financial Instruments” gives guidance on such activities when the bank holds derivatives as an end user.
This Statement is intended to highlight those risks that are unique to banking activities. There are many audit-related
matters that banks share with other
commercial entities. The auditor is expected to have a sufficient understanding of such matters and so, although those
matters may affect the audit approach or may
have a material effect on the bank’s financial statements, this Statement does not discuss them. This Statement
describes in general terms aspects of banking
operations with which an auditor becomes familiar before undertaking the audit of a bank’s financial statements: it is not
intended to describe banking operations.
Consequently, this Statement on its own does not provide an auditor with sufficient background knowledge to undertake
the audit of a bank’s financial
statements. However, it does point out areas where that background knowledge is required. Auditors will supplement
the guidance in this Statement with
appropriate reference material and by reference to the work of experts as required.

5.1.1 Characteristics that Differentiate Banks

Banks have the following characteristics that generally distinguish them from most other commercial enterprises:

 They have custody of large amounts of monetary items, including cash and negotiable instruments, whose physical
security has to be safeguarded during transfer and while being stored. They also have custody and control of
negotiable instruments and other assets that are readily transferable in electronic form. The liquidity characteristics
of these items make banks vulnerable to misappropriation and fraud. Banks therefore need to establish formal
operating procedures, well-defined limits for individual discretion and rigorous systems of internal control.
 They often engage in transactions that are initiated in one jurisdiction, recorded in a different jurisdiction and
managed in yet another jurisdiction.
 They operate with very high leverage (that is, the ratio of capital to total assets is low), which increases banks’
vulnerability to adverse economic events and increases the risk of failure.
 They have assets that can rapidly change in value and whose value is often difficult to determine. Consequentially,
a relatively small decrease in asset values may have a significant effect on their capital and potentially on their
regulatory solvency. They generally derive a significant amount of their funding from short term
deposits (either insured or uninsured). A loss of confidence by depositors in a bank’s solvency may quickly result in
a liquidity crisis.
 They have fiduciary duties in respect of the assets they hold that belong to other persons. This may give rise to
liabilities for breach of trust. They therefore need to establish operating procedures and internal controls designed to
ensure that they deal with such assets only in accordance with the terms on which the assets were transferred to
the bank.
 They engage in a large volume and variety of transactions whose value may be significant. This ordinarily requires
complex accounting and internal control systems and widespread use of Information Technology (IT).
 They ordinarily operate through networks of branches and departments that are geographically dispersed. This
necessarily involves a greater decentralization of authority and dispersal of accounting and control functions, with
consequential difficulties in maintaining uniform operating practices and accounting systems, particularly when the
branch network transcends national boundaries.
 Transactions can often be directly initiated and completed by the customer without any intervention by the bank’s
employees, for example over the
Internet or through automatic teller machines (ATMs).
 They often assume significant commitments without any initial transfer of funds other than, in some cases, the
payment of fees. These commitments
may involve only memorandum accounting entries. Consequently, their existence may be difficult to detect.
 They are regulated by the BSP, whose regulatory requirements often influence the accounting principles that banks
follow. Non-compliance with regulatory requirements, for example, capital adequacy requirements, could have
implications for the bank’s financial statements or the disclosures therein.
 Customer relationships that the auditor, assistants, or the audit firm may have with the bank might affect the
auditor’s independence in a way that customer relationships with other organizations would not.
 They generally have exclusive access to clearing and settlement systems for checks, fund transfers, foreign
exchange transactions, etc.
 They are an integral part of, or are linked to, national and international settlement systems and consequently could
pose a systemic risk to the countries in which they operate.
 They may issue and trade in complex financial instruments, some of which may need to be recorded at fair values
in the financial statements. They therefore need to establish appropriate valuation and risk management
procedures. The effectiveness of these procedures depends on the appropriateness of the methodologies and
mathematical models selected, access to reliable current and historical market information, and the maintenance of
data integrity.

5.1.2 Special Audit Considerations

Special audit considerations arise in the audits of banks because of matters such as the following:
• The particular nature of the risks associated with the transactions undertaken by banks.
• The scale of banking operations and the resultant significant exposures that may arise in a short period.
• The extensive dependence on IT to process transactions.
• The effect of the regulations in the various jurisdictions in which they operate.
• The continuing development of new products and banking practices that may not be matched by the concurrent
development of accounting principles or internal controls.

5.2 Audit Objectives

PSA 200, “Objective and General Principles Governing an Audit of Financial Statements,” states:
The objective of an audit of financial statements is to enable the auditor to express an opinion whether the financial
statements are prepared, in all material respects, in accordance with generally accepted accounting principles in the
Philippines.
The objective of the audit of a bank’s financial statements conducted in accordance with PSAs is, therefore, to enable
the auditor to express an opinion on the bank’s financial statements, which are prepared in accordance with accounting
principles generally accepted in the Philippines.

The auditor’s report indicates that accounting principles generally accepted in the Philippines have been used to
prepare the bank’s financial statements. When
reporting on financial statements of a bank prepared specifically for use in a country other than the Philippines, the
auditor considers whether the financial
statements contain appropriate disclosures about the financial reporting framework used. 

5.3 Agreeing the terms of Engagement

As stated in PSA 210, “Terms of Audit Engagements”:

The engagement letter documents and confirms the auditor’s acceptance of the appointment, the objective and scope of
the audit, the extent of the auditor’s responsibilities to the client and the form of any reports.
Paragraph 6 lists some of the characteristics that are unique to banks and indicates the areas where the auditor and
assistants may require specialist skills. In
considering the objective and scope of the audit and the extent of the responsibilities, the auditor considers his own
skills and competence and those of
his assistants to conduct the engagement. In doing so, the auditor considers the following factors:

 the need for sufficient expertise in the aspects of banking relevant to the audit of the bank’s business activities;
 the need for expertise in the context of the IT systems and communication networks the bank uses; an
 the adequacy of resources or inter-firm arrangements to carry out the work necessary at the number of domestic
and international locations of the bank at which audit procedures may be required.

In addition to the general factors set out in PSA 210, the auditor considers including comments on the following when
issuing an engagement letter.'
• The use and source of specialized accounting principles, with particular reference to:

o any requirements contained in the law or regulations applicable to banks;

o pronouncements of the BSP and other regulatory authorities (e.g., the Philippine Deposit Insurance Commission);
o pronouncements of relevant professional accounting bodies, for example, the Philippine Accounting Standards
Council;
o pronouncements of the Basel Committee on Banking Supervision; and
o industry practice.

 The contents and form of the auditor’s report on the financial statements and any special-purpose reports required
from the auditor in addition to the report on the financial statements. This includes whether such reports refer to the
application of regulatory or other special purpose accounting principles or describe procedures undertaken
especially to meet regulatory requirements.
 The nature of any special communication requirements or protocols that may exist between the auditor and the BSP
and other regulatory authorities (e.g., the Philippine Deposit Insurance Commission, SEC).
 The access that the BSP will be granted to the auditor’s working papers, and the bank’s advance consent to this
access.

5.4 Planning the Audit

The audit plan includes, among other things:

• obtaining a sufficient knowledge of the entity’s business and governance structure, and a sufficient understanding of
the accounting and internal control systems, including risk management and internal audit functions;
• considering the expected assessments of inherent and control risks, being the risk that material misstatements occur
(inherent risk) and the risk that the bank’s system of internal control does not prevent or detect and correct such
misstatements on a timely basis (control risk);
• determining the nature, timing and extent of the audit procedures to be performed; and considering the going concern
assumption regarding the entity’s ability to continue in operation for the foreseeable future, which will be the period used
by management in making its assessment under generally accepted accounting principles in the Philippines. This period
will ordinarily be for a period of at least one year after the balance sheet date.

5.4.1 Obtaining a Knowledge of the Business

Obtaining a knowledge of the bank’s business requires the auditor to understand:

• the bank’s corporate governance structure;
• the economic and regulatory environment in which the bank operates; and
• the market conditions existing in each of the significant sectors in which the bank operates.
Corporate governance plays a particularly important role in banks; the BSP sets out requirements for banks to have
effective corporate governance structures.
Accordingly, the auditor obtains an understanding of the bank’s corporate governance structure and how those charged
with governance discharge their responsibilities for the supervision, control and direction of the bank.
Similarly the auditor obtains and maintains a good working knowledge of the products and services offered by the bank.
In obtaining and maintaining that knowledge, the auditor is aware of the many variations in the basic deposit, loan and
treasury services that are offered and continue to be developed by banks in response to market conditions. The auditor
obtains an understanding of the nature of services rendered through instruments such as letters of credit, acceptances,
interest rate futures, forward and swap contracts, options and other similar instruments in order to understand the
inherent risks and the auditing, accounting and disclosure implications thereof.
If the bank uses service organizations to provide core services or activities, such as cash and securities settlement, the
responsibility for compliance with rules and
regulations and sound internal controls remains with those charged with governance and the management of the
outsourcing bank. The auditor considers
legal and regulatory restrictions, and obtains an understanding of how the management and those charged with
governance monitor that the system of internal control (including internal audit) operates effectively. PSA 402, “Audit
Considerations Relating to Entities Using Service Organizations” gives further guidance on this subject.
There are a number of risks associated with banking activities that, while not unique to banking, are important in that
they serve to shape banking operations.
The auditor obtains an understanding of the nature of these risks and how the bank manages them. This understanding
allows the auditor to assess the levels of
inherent and control risks associated with different aspects of a bank’s operations and to determine the nature, timing
and extent of the audit procedures.

5.4.1.1 Understanding the nature of banking risks

The risks associated with banking activities may broadly be categorized as:
Country risk: the risk of foreign customers and counterparties failing to settle their obligations because of economic,
political and social factors of the counterparty’s home country and external to the customer or counterparty;
Credit risk: the risk that a customer or counterparty will not settle an obligation for full value, either when due or at any
time thereafter. Credit risk, particularly from
commercial lending, may be considered the most important risk in banking operations. Credit risk arises from lending to
individuals, companies, banks and governments. It also exists in assets other than loans, such as investments,
balances due from other banks and in off-balance sheet commitments. Credit risk also includes country risk, transfer
risk, replacement risk and settlement risk.

Currency risk: the risk of loss arising from future movements in the exchange rates applicable to foreign currency
assets, liabilities, rights and obligations.

Fiduciary risk: the risk of loss arising from factors such as failure to maintain safe custody or negligence in the
management of assets on behalf of other parties.
Interest rate risk: the risk that a movement in interest rates would have an adverse effect on the value of assets and
liabilities or would affect interest cash flows.
the risk that contracts are documented incorrectly or are not legally enforceable in the relevant jurisdiction in which the
contracts are to be enforced or where the
counterparties operate. This can include the risk that assets will turn out to be worth lesser, liabilities will turn out to be
greater than expected because of inadequate or incorrect legal advice or documentation. In addition, existing laws may
fail to resolve legal issues involving a bank; a court case involving a particular bank may have wider implications for the
banking business and involve costs to it and many or all other banks; and laws affecting banks or other commercial
enterprises may
change. Banks are particularly susceptible to legal risks when entering into new types of transactions and when the
legal right of a counterparty to enter into a transaction is not established.

Liquidity risk: the risk of loss arising from the changes in the bank’s ability to sell or dispose of an asset.
Modeling risk: the risk associated with the imperfections and subjectivity of valuation models used to determine the
values of assets or liabilities.
Operational risk: the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and
systems or from external events.
Legal and documentary risk: the risk that contracts are documented incorrectly or are not legally enforceable in the
relevant jurisdiction in which the contracts are to be enforced or where the counterparties operate. This can include the
risk that assets will turn out to be worth lesser, liabilities will turn out to be greater than expected because of inadequate
or incorrect legal advice or documentation. In addition, existing laws may fail to resolve legal issues involving a bank; a
court case
involving a particular bank may have wider implications for the banking business and involve costs to it and many or all
other banks; and laws affecting banks or other commercial enterprises may change. Banks are particularly susceptible
to legal risks when entering into new types of transactions and when the legal right of a counterparty to enter into a
transaction is not established.

Liquidity risk: the risk of loss arising from the changes in the bank’s ability to sell or dispose of an asset.

Modeling risk: the risk associated with the imperfections and subjectivity of valuation models used to determine the
values of assets or liabilities.

Operational risk: the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and
systems or from external events.
Price risk: the risk of loss arising from adverse changes in market prices, including interest rates, foreign exchange
rates, equity and commodity prices and
from movements in the market prices of investments.
Regulatory risk: the risk of loss arising from failure to comply with regulatory or legal requirements in the relevant
jurisdiction in which the bank operates. It also
includes any loss that could arise from changes in regulatory requirements.
Replacement risk: (sometimes called performance risk) the risk of failure of a customer or counterparty to perform the
terms of a contract. This failure creates the need to replace the failed transaction with another at the current market
price. This may result in a loss to the bank equivalent to the difference between the contract price and the current
market price.
Reputational risk: the risk of losing business because of negative public opinion and consequential damage to the
bank’s reputation arising from failure to properly manage some of the above risks, or from involvement in improper or
illegal activities by the bank or its senior management, such as money laundering or attempts to
cover up losses.
Settlement risk: the risk that one side of a transaction will be settled without value being received from the customer or
counterparty. This will generally result in the loss to the bank of the full principal amount.

Solvency risk: the risk of loss arising from the possibility of the bank not having sufficient funds to meet its obligations, or
from the bank’s inability to access capital markets to raise required funds.

Transfer risk: the risk of loss arising when a counterparty’s obligation is not denominated in the counterparty’s home
currency. The counterparty may be unable to obtain the currency of the obligation irrespective of the counterparty’s
particular financial condition.

5.4.1.2 Understanding the risk management process

Management develops controls and uses performance indicators to aid in managing key business and financial risks.
An effective risk management system in a bank generally requires the following:
• Oversight and involvement in the control process by those charged with governance
Those charged with governance should approve written risk management policies. The policies should be consistent
with the bank’s business strategies, capital strength, management expertise, regulatory requirements and the types and
amounts of risk it regards as acceptable. Those charged with governance are also responsible for establishing a culture
within the bank that emphasizes their commitment to internal controls and high ethical standards, and often establish
special committees to help discharge their functions. Management is responsible for implementing the strategies and
policies set by those charged with governance and for ensuring that an adequate and effective system of internal control
is established and maintained.
•Identification, measurement and monitoring of risks
Risks that could significantly impact the achievement of the bank’s goal should be identified, measured and monitored
against pre-approved limits and criteria. This function may be conducted by an independent risk management unit,
which is also responsible for validating and stress testing the pricing and valuation models used by the front and back
offices. Banks ordinarily have a risk management unit that monitors risk management activities and evaluates the
effectiveness of risk management models, methodologies and assumptions used. In such situations, the auditor
considers whether and how to use the work of that unit.
• Control activities
A bank should have appropriate controls to manage its risks, including effective segregation of duties (particularly
between front and back offices), accurate measurement and reporting of positions, verification and approval of
transactions, reconciliations of positions and results, setting of limits, reporting and approval of exceptions to limits,
physical security and contingency planning.
• Monitoring activities
Risk management models, methodologies and assumptions used to measure and manage risk should be regularly
assessed and updated. This function may be conducted by an independent risk management unit. Internal auditing
should test the risk management process periodically to check whether management polices and procedures are
complied with and whether the operational controls are effective. Both the risk management unit and internal auditing
should have a reporting line to those charged with governance and management that is independent of those on whom
they are reporting.
•Reliable information systems
Banks require reliable information systems that provide adequate financial, operational and compliance information on a
timely and consistent basis.
Those charged with governance and management require risk management information that is easily understood and
that enables them to assess the
changing nature of the bank’s risk profile.

5.4.2 Development of an Overall Audit Plan

In developing an overall plan for the audit of the financial statements of a bank, the auditor gives particular attention to:
• the complexity of the transactions undertaken by the bank and the documentation in respect thereof;
• the extent to which any core activities are provided by service organizations;
• contingent liabilities and off-balance sheet items;
• regulatory considerations;
• the extent of IT and other systems used by the bank;
• the expected assessments of inherent and control risks;
• the work of internal auditing;
• the assessment of audit risk;
• the assessment of materiality;
• management’s representations;
• the involvement of other auditors;
• the geographic spread of the bank’s operations and the co-ordination of work between different audit teams;
• the existence of related party transactions; and
• going concern considerations.