LESSON 2: AUDIT OF BANKS PART 2

I. Description

This module introduces the audit banking industry, its concepts, principles and standards affecting
the engagement. Learners will be able to apply the different principles, techniques, procedures
and standards in the audit of financial statements of banks.

II. Objectives

After completing the module, the students are expected to:

• Identify the objective of the audit of banking institutions.

• Learn about the contents of the audit engagement letter
• Learn about the concepts of audit planning in bank audit
• List and identify the different banking risks
• Know the internal control consideration of bank audit
• Learn how to perform substantive audit procedures for bank audit
• Learn about the independent auditor’s report on bank audit

III. Duration
Start: Week 2
End: Week 4

IV. Learning Contents

A. What is Philippine Auditing Practice Statements (PAPS) 1006?

Philippine Auditing Practice Statements (PAPSs or Statements) are issued by the Philippine
Auditing Standards and Practices Council (ASPC) to provide practical assistance to auditors in
implementing the Philippine Standards on Auditing (PSAs) or to promote good practice.
Statements do not have the authority of PSAs.

This Statement is based on IAPS 1006, issued in December 2001 by the International Auditing
Practices Committee (IAPC) of the International Federation of Accountants. The IAPC bank audit
sub-committee included observers from the Basel Committee on Banking Supervision (the Basel
Committee).
This Statement does not establish any new basic principles or essential procedures; its purpose
is to assist auditors, and to develop good practice, by providing guidance on the application of
the PSAs to the audits of the financial statements of banks. The auditor exercises professional
judgment to determine the extent to which any of the audit procedures described in this
Statement may be appropriate in the light of the requirements of the PSAs and the bank’s
particular circumstances.

This PAPS shall be effective for audits of financial statements for periods ending on or after
December 31, 2003. Earlier application is encouraged. This PAPS supersedes “Audit Manual for
Commercial Banks” issued by the Auditing Standards and Practices Council.
B. Audit Objectives

PSA 200, “Objective and General Principles Governing an Audit of Financial Statements,” states:

The objective of an audit of financial statements is to enable the auditor to express an

opinion whether the financial statements are prepared, in all material respects, in
accordance with generally accepted accounting principles in the Philippines.

The objective of the audit of a bank’s financial statements conducted in accordance with PSAs is,
therefore, to enable the auditor to express an opinion on the bank’s financial statements, which
are prepared in accordance with accounting principles generally accepted in the Philippines.

The auditor’s report indicates that accounting principles generally accepted in the Philippines have
been used to prepare the bank’s financial statements. When reporting on financial statements of
a bank prepared specifically for use in a country other than the Philippines, the auditor considers
whether the financial statements contain appropriate disclosures about the financial reporting
framework used.

C. Agreeing the Terms of the Engagement

As stated in PSA 210, “Terms of Audit Engagements”:

The engagement letter documents and confirms the auditor’s acceptance of the appointment, the
objective and scope of the audit, the extent of the auditor’s responsibilities to the client and the
form of any reports.

In considering the objective and scope of the audit and the extent of the responsibilities, the
auditor considers his own skills and competence and those of his assistants to conduct the
engagement. In doing so, the auditor considers the following factors:

• the need for sufficient expertise in the aspects of banking relevant to the audit of the bank’s
business activities;

• the need for expertise in the context of the IT systems and communication networks the bank
uses; and

• the adequacy of resources or inter-firm arrangements to carry out the work necessary at the
number of domestic and international locations of the bank at which audit procedures may
be required.

In addition to the general factors set out in PSA 210, the auditor considers including comments
on the following when issuing an engagement letter.

• The use and source of specialized accounting principles, with particular reference to:

• any requirements contained in the law or regulations applicable to banks;

• pronouncements of the BSP and other regulatory authorities (e.g., the Philippine
Deposit Insurance Commission); or pronouncements of relevant professional
accounting bodies, for example, the Philippine Accounting Standards Council;
 • pronouncements of the Basel Committee on Banking Supervision; and of industry
practice
• The contents and form of the auditor’s report on the financial statements and any special
purpose reports required from the auditor in addition to the report on the financial statements.
This includes whether such reports refer to the application of regulatory or other special
purpose accounting principles or describe procedures undertaken specially to meet regulatory
requirements.

• The nature of any special communication requirements or protocols that may exist between
the auditor and the BSP and other regulatory authorities (e.g., the Philippine Deposit
Insurance Commission, SEC).

• The access that the BSP will be granted to the auditor’s working papers, and the bank’s
advance consent to this access.

D. Audit Planning

The audit plan includes:

1. Obtaining a sufficient knowledge of the entity’s business and governance structure, and
a sufficient understanding of the accounting and internal control systems, including risk
management and internal audit functions.

2. Considering the expected assessments of inherent and control risks, being the risk
that material misstatements occur (inherent risk) and the risk that the bank’s system of
internal control does not prevent or detect and correct such misstatements on a timely
basis (control risk);

3. Determining the nature, timing and extent of the audit procedures to be performed;
and considering the going concern assumption regarding the entity’s ability to continue
in operation for the foreseeable future, which will be the period used by management in
 making its assessment under generally accepted accounting principles in the Philippines.
This period will

4. ordinarily be for a period of at least one year after the balance sheet date.

Obtaining a Knowledge of the Business

Obtaining a knowledge of the bank’s business requires the auditor to understand:

• the bank’s corporate governance structure;

• the economic and regulatory environment in which the bank operates; and
• the market conditions existing in each of the significant sectors in which the bank operates.

Corporate governance plays a particularly important role in banks; the BSP sets out
requirements for banks to have effective corporate governance structures. Accordingly, the
auditor obtains an understanding of the bank’s corporate governance structure and how those
charged with governance discharge their responsibilities for the supervision, control and direction
of the bank.

The auditor obtains and maintains a good working knowledge of the products and services
offered by the bank. In obtaining and maintaining that knowledge, the auditor is aware of the
many variations in the basic deposit, loan and treasury services that are offered and continue to
be developed by banks in response to market conditions. The auditor obtains an understanding
of the nature of services rendered through instruments such as letters of credit, acceptances,
interest rate futures, forward and swap contracts, options and other similar instruments in order
to understand the inherent risks and the auditing, accounting and disclosure implications thereof.

Service Organizations

If the bank uses service organizations to provide core services or activities, such as cash and
securities settlement, the responsibility for compliance with rules and regulations and sound
internal controls remains with those charged with governance and the management of the
outsourcing bank. The auditor considers legal and regulatory restrictions, and obtains an
understanding of how the management and those charged with governance monitor that the
system of internal control (including internal audit) operates effectively. PSA 402, “Audit
Considerations Relating to Entities Using Service Organizations” gives further guidance on this
subject.

Understanding the nature of banking risks

Country risk the risk of foreign customers and counterparties failing to settle their
obligations because of economic, political and social factors of the
counterparty’s home country and external to the customer or counterparty
Credit risk the risk that a customer or counterparty will not settle an obligation for full
value, either when due or at any time thereafter. Credit risk, particularly from
commercial lending, may be considered the most important risk in banking
operations. Credit risk arises from lending to individuals, companies, banks
and governments. It also exists in assets other than loans, such as
investments, balances due from other banks and in offbalance sheet
commitments. Credit risk also includes country risk, transfer
 risk, replacement risk and settlement risk.
Currency risk the risk of loss arising from future movements in the exchange rates applicable
to foreign currency assets, liabilities, rights and obligations.
Fiduciary risk the risk of loss arising from factors such as failure to maintain safe custody or
negligence in the management of assets on behalf of other parties.
Interest rate the risk that a movement in interest rates would have an adverse effect on
risk the value of assets and liabilities or would affect interest cash flows.
Legal and the risk that contracts are documented incorrectly or are not legally
documentary enforceable in the relevant jurisdiction in which the contracts are to be
risk enforced or where the counterparties operate.

This can include the risk that assets will turn out to be worth lesser; liabilities
will turn out to be greater than expected because of inadequate or incorrect
legal advice or documentation. In addition, existing laws may fail to resolve
legal issues involving a bank; a court case involving a particular bank may
have wider implications for the banking business and involve costs to it and
many or all other banks; and laws affecting banks or other commercial
enterprises may change. Banks are particularly susceptible to legal risks when
entering into new types of transactions and when the legal right of
counterparty to enter into a transaction is not established.
Liquidity risk the risk of loss arising from the changes in the bank’s ability to sell or dispose
of an asset.
Modeling risk the risk associated with the imperfections and subjectivity of valuation models
used to determine the values of assets or liabilities.
Operational the risk of direct or indirect loss resulting from inadequate or failed internal
risk processes, people and systems or from external events.
Price risk the risk of loss arising from adverse changes in market prices, including
interest rates, foreign exchange rates, equity and commodity prices and from
movements in the market prices of investments.
Regulatory risk the risk of loss arising from failure to comply with regulatory or legal
requirements in the relevant jurisdiction in which the bank operates. It also
includes any loss that could arise from changes in regulatory requirements
Replacement (sometimes called performance risk) the risk of failure of a customer or
risk counterparty to perform the terms of a contract. This failure creates the need
to replace the failed transaction with another at the current market price. This
may result in a loss to the bank equivalent to the difference between the
contract price and the current market price.
Reputational the risk of losing business because of negative public opinion and
risk consequential damage to the bank’s reputation arising from failure to properly
manage some of the above risks, or from involvement in improper
 or illegal activities by the bank or its senior management, such as money
laundering or attempts to cover up losses.
Settlement risk the risk that one side of a transaction will be settled without value being
received from the customer or counterparty. This will generally result in the
loss to the bank of the full principal amount.
Solvency risk the risk of loss arising from the possibility of the bank not having sufficient
funds to meet its obligations, or from the bank’s inability to access capital
markets to raise required funds.
Transfer risk the risk of loss arising when a counterparty’s obligation is not denominated in
the counterparty’s home currency. The counterparty may be unable to obtain
the currency of the obligation irrespective of the counterparty’s particular
financial condition.

Banking risks increase with the degree of concentration of a bank’s exposure to any one customer,
industry, geographic area, or country.

For example, a bank’s loan portfolio may have large concentrations of loans or commitments to
industries, and some, such as real estate, shipping and natural resources, may have highly
specialized practices. Assessing the relevant risks relating to loans to entities in those industries
may require a knowledge of these industries, including their business, operational and reporting
practices.

Most transactions involve more than one of the risks identified above. Furthermore, the individual
risks set out above may be correlated with one another.

For example, a bank’s credit exposure in a securities transaction may increase as a result of an
increase in the market price of the securities concerned. Similarly, non-payment or settlement
failure can have consequences for a bank’s liquidity position. The auditor therefore considers
these and other risk correlations when analyzing the risks to which a bank is exposed.

Banks may be subject to risks arising from the nature of their ownership.

For example, a bank’s owner or a group of owners might try to influence the allocation of credit.
In a closely held bank, the owners may have significant influence on the bank’s management
affecting their independence and judgment. The auditor considers such risks.

Operational Risks Factors in a Bank:

1. The need to process high volumes of transactions accurately within a short time. This
need is almost always met through the large-scale use of IT, with the resultant risks of:
a. failure to carry out executed transactions within the required time, causing an
inability to receive or make payments for those transactions;
b. failure to carry out complex transactions properly;
c. wide-scale misstatements arising from a breakdown in internal control;
d. loss of data arising from systems’ failure; o corruption of data arising from
unauthorized interference with the systems; and
e. exposure to market risks arising from lack of reliable up-to-date information.

2. The need to use electronic funds transfer (EFT) or other telecommunications systems to
transfer ownership of large sums of money, with the resultant risk of exposure to loss
arising from payments to incorrect parties through fraud or error.
 3. The conduct of operations in many locations with a resultant geographic dispersion of
transaction processing and internal controls. As a result:

a. there is a risk that the bank’s worldwide exposure by customer and by product
may not be adequately aggregated and monitored; and
b. control breakdowns may occur and remain undetected or uncorrected because of
the physical separation between management and those who handle the
transactions.

4. The need to monitor and manage significant exposures that can arise over short
timeframes. The process of clearing transactions may cause a significant build-up of
receivables and payables during a day, most of which are settled by the end of the day.
This is ordinarily referred to as intra-day payment risk. These exposures arise from
transactions with customers and counterparties and may include interest rate, currency,
and market risks.

5. The handling of large volumes of monetary items, including cash, negotiable instruments
and transferable customer balances, with the resultant risk of loss arising from theft and
fraud by employees or other parties.

6. The inherent complexity and volatility of the environment in which banks operate, resulting
in the risk of inappropriate risk management strategies or accounting treatments in
relation to such matters as the development of new products and services.

7. Operating restrictions may be imposed as a result of the failure to adhere to laws and
regulations. Overseas operations are subject to the laws and regulations of the countries
in which they are based as well as those of the country in which the parent entity has its
headquarters. This may result in the need to adhere to differing requirements and a risk
that operating procedures that comply with regulations in some jurisdictions do not meet
the requirements of others.

PSA 240, “Fraud and Error,”

Fraudulent activities may take place within a bank by, or with the knowing involvement of,
management or personnel of the bank. Such frauds may include fraudulent financial reporting
without the motive of personal gain, (for example, to conceal trading losses), or the
misappropriation of the bank’s assets for personal gain that may or may not involve the
falsification of records. Alternatively, fraud may be perpetrated on a bank without the knowledge
or complicity of the bank’s employees.

PSA 240, “Fraud and Error,” gives more guidance on the nature of the auditor’s responsibilities
with respect to fraud. Although many areas of a bank’s operations are susceptible to fraudulent
activities, the most common take place in the lending, deposit-taking, and dealing functions.

Republic Act No. 9160, “The Anti- Money Laundering Act of 2001” (AMLA)

By the nature of their business, banks are ready targets for those engaged in money laundering
activities by which the proceeds of crime are converted into funds that appear to have a legitimate
source. In recent years drug traffickers in particular have greatly added to the scale of money
laundering that takes place within the banking industry.
AMLA requires banks to establish policies, procedures and controls to deter and to recognize and
report money laundering activities. These policies, procedures and controls commonly extend to
the following.

• A requirement to obtain customer identification (“know your client”).

• Staff screening.
• A requirement to know the purpose for which an account is to be used.
• The maintenance of transaction records.
• The reporting to the authorities of suspicious transactions or of all transactions of a
particular type, for example, cash transactions over a certain amount.
• The education of staff to assist them in identifying suspicious transactions.

PSA 250, "Consideration of Laws and Regulations in an Audit of Financial Statements"

gives guidance when an auditor discovers a possible instance of noncompliance with laws or
regulations considers the implications for the financial statements and the audit opinion thereon.

Understanding the risk management process

An effective risk management system in a bank generally requires the following:

1. Oversight and involvement in the control process by those charged with governance
2. Identification, measurement and monitoring of risks
3. Control activities
4. Monitoring activities
5. Reliable information systems

Oversight and involvement in the control process by those charged with governance

Those charged with governance should approve written risk management policies. The policies
should be consistent with the bank’s business strategies, capital strength, management expertise,
regulatory requirements and the types and amounts of risk it regards as acceptable.

Those charged with governance are also responsible for establishing a culture within the bank
that emphasizes their commitment to internal controls and high ethical standards, and often
establish special committees to help discharge their functions.

Management is responsible for implementing the strategies and policies set by those charged with
governance and for ensuring that an adequate and effective system of internal control is
established and maintained.

Identification, measurement and monitoring of risks

Risks that could significantly impact the achievement of the bank’s goals should be identified,
measured, and monitored against pre-approved limits and criteria.

This function may be conducted by an independent risk management unit, which is also
responsible for validating and stress testing the pricing and valuation models used by the front
and back offices. Banks ordinarily have a risk management unit that monitors risk management
activities and evaluates the effectiveness of risk management models, methodologies and
assumptions used. In such situations, the auditor considers whether and how to use the work of
that unit.

Control activities

A bank should have appropriate controls to manage its risks, including effective segregation of
duties (particularly between front and back offices), accurate measurement and reporting of
positions, verification and approval of transactions, reconciliations of positions and results, setting
of limits, reporting and approval of exceptions to limits, physical security and contingency
planning.

Monitoring activities

Risk management models, methodologies and assumptions used to measure and manage risk
should be regularly assessed and updated.

This function may be conducted by an independent risk management unit. Internal auditing
should test the risk management process periodically to check whether management policies and
procedures are complied with and whether the operational controls are effective. Both the risk
management unit and internal auditing should have a reporting line to those charged with
governance and management that is independent of those on whom they are reporting.

Reliable information systems

Risk management models, methodologies and assumptions used to measure and manage risk
should be regularly assessed and updated. This function may be conducted by an independent
risk management unit. Internal auditing should test the risk management process periodically to
check whether management polices and procedures are complied with and whether the
operational controls are effective. Both the risk management unit and internal auditing should
have a reporting line to those charged with governance and management that is independent of
those on whom they are reporting

Development of an Overall Audit Plan

In developing an overall plan for the audit of the financial statements of a bank, the auditor gives
particular attention to:

1. the complexity of the transactions undertaken by the bank and the documentation in respect
thereof;
2. the extent to which any core activities are provided by service organizations;
3. contingent liabilities and off-balance sheet items;
4. regulatory considerations;
5. the extent of IT and other systems used by the bank;
6. the expected assessments of inherent and control risks;
7. the work of internal auditing;
PSA 610, “Considering the Work of Internal Auditing.”
8. the assessment of audit risk;
The three (3) components if Audit Risk.
9. the assessment of materiality;
In reference to PSA 320, “Audit Materiality,”
10. management’s representations;
PSA 580, “Management Representations” regarding significant changes
in the bank’s business and its risk profile.
11. the involvement of other auditors;
PSA 600, “Using the Work of Another Auditor”
12. the geographic spread of the bank’s operations and the co-ordination of work between different
audit teams;
a. The work to be performed by:
• experts;
• assistants;
• other offices of the auditor’s firm; and
• other audit firms.

b. The extent to which it is planned to use the work of internal auditing.

c. Required reporting dates to shareholders and the regulatory authorities.
d. Any special analyses and other documentation to be provided by bank management.
13. the existence of related party transactions; and
IAS 24 – Related Party Disclosures
14. going concern considerations. PSA
570, “Going Concern”
The BSP may require the auditor to disclose concerns that the auditor may have about the bank’s
ability to continue as a going concern

Banks typically have a wide diversity of activities, which means that it is

sometimes difficult for an auditor to fully understand the implications of
particular transactions.
Banks undertake transactions that have complex and important underlying features that may
not be apparent from the documentation that is used to process the transactions and to enter
them into the bank’s accounting records.
This results in the risk that all aspects of a transaction may not be fully or correctly recorded
or accounted for, with the resultant risks of:
• loss due to the failure to take timely corrective action;
• failure to make adequate provisions for loss on a timely basis; and
• inadequate or improper disclosure in the financial statements and other reports.

Banks also typically engage in transactions that:

• have a low fee revenue or profit element as a percentage of the underlying asset or liability;
• local regulations may not require to be disclosed in the balance sheet, or even in the notes
to the financial statements;
• are recorded only in memorandum accounts; or
 • involve securitizing and selling assets so that they no longer appear in the bank’s financial
statements.
Examples of such transactions are safe custody services, guarantees, comfort letters and
letters of credit, interest rate and currency swaps and commitments and options to purchase
and sell foreign exchange.

The auditor reviews the bank’s sources of revenue, and obtains sufficient
appropriate audit evidence regarding the following:
• The accuracy and completeness of the accounting records relating such transactions;
• The existence of proper controls to limit the banking risks arising from such transactions;
• The adequacy of any provisions for loss which may be required; and
• The adequacy of any financial statement disclosures which may be required.

E. Internal Control

The Basel Committee on Banking Supervision has issued a policy paper, "Framework for
Internal Control Systems in Banking Organizations" (September 1998), which provides
banking supervisors with a framework for evaluating banks’ internal control systems. This
framework is used by many banking supervisors and may be used during supervisory discussions
with individual banking organizations. Auditors of banks’ financial statements may find a
knowledge of this framework useful in understanding the various elements of a bank’s internal
control system.

The auditor obtains an understanding of the accounting and internal control systems sufficient to
plan the audit and develop an effective audit approach. After obtaining the understanding, the
auditor considers the assessment of inherent and control risks so as to determine the appropriate
detection risk to accept for the financial statement assertions and to determine the nature, timing,
and extent of substantive procedures for such assertions.

Where the auditor assesses control risk at less than high, substantive procedures are ordinarily
less extensive than are otherwise required and may also differ in their nature and timing.

Identifying, Documenting and Testing Control Procedures

PSA 400, "Risk Assessments and Internal Control" indicates that internal controls relating to the
accounting system are concerned with achieving objectives such as the following.

• Transactions are executed in accordance with management’s general or specific

authorization
• All transactions and other events are promptly recorded at the correct amount, in the
appropriate accounts and in the proper accounting period so as to permit preparation of
financial statements in accordance with accepted principles generally accepted in the
Philippines
• Access to assets is permitted only in accordance with management’s authorization
• Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken regarding any differences.

In the case of banks, a further objective of internal controls is to ensure that the bank adequately
fulfils its regulatory and fiduciary responsibilities arising out of its trustee activities. The auditor is
not directly concerned with these objectives except to the extent that any failure to comply with
such responsibilities might have led to the financial statements being material misstated.
The overall responsibility for the system of internal control in a bank rests with those charged
with governance, who are responsible for governing the bank’s operations. However, since banks’
operations are generally large and dispersed, decision-making functions need to be decentralized
and the authority to commit the bank to material transactions is ordinarily dispersed and
delegated among the various levels of management and staff.

Inherent Limitations of Internal Control

PSA 400 "Risk Assessments and Internal Control" describes the procedures to be followed by the
auditor in identifying, documenting and testing internal controls. In doing so, the auditor is aware
of the inherent limitations of internal control.

The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need
for the auditor to perform any substantive procedures. Irrespective of the assessed levels of
inherent and control risks, the auditor performs some substantive procedures for material account
balances and classes of transactions.

Considering the Influence of Environmental Factors

• The organizational structure of the bank and the manner in which it provides for the
delegation of authority and responsibilities.
• The quality of management supervision.
• The extent and effectiveness of internal auditing.
• The extent and effectiveness of the risk management and compliance systems
• The skills, competence and integrity of key personnel.
• The nature and extent of inspection by supervisory authorities.

F. Performing Substantive Procedures

As a result of the assessment of the level of inherent and control risks, the auditor determines
the nature, timing and extent of the substantive tests to be performed on individual account
balances and classes of transactions.
Tests of the completeness assertion are particularly important in the audit of bank’s financial
statements particularly in respect of liabilities. Much of the audit work on liabilities of other
commercial entities can be carried out by substantive procedures on a reciprocal population.
Banking transactions do not have the same type of regular trading cycle, and reciprocal
populations are not always immediately in evidence. Large assets and liabilities can be created
and realized very quickly and, if not captured by the systems, may be overlooked. Third party
confirmations and the reliability of controls become important in these circumstances.

In designing substantive tests, the auditor considers the risks and factors that served to shape
the bank’s systems of internal control. In addition, there are a number of audit considerations
significant to these risk areas to which the auditor directs attention.

PSA 500, "Audit Evidence" lists the assertions embodied in the financial statements as:
• existence,
• rights and obligations,
• occurrence,
• completeness,
• valuation,
• measurement, and
 • presentation and disclosure.
Tests of the completeness assertion are particularly important in the audit of bank’s financial
statements particularly in respect of liabilities.

To address the assertions, the following procedures may be performed:

• Inspection
• Observation
• Inquiry and confirmation
• Computation
• Analytical procedures

In the context of the audit of a bank’s financial statements, inspection, inquiry and
confirmation, computation and analytical procedures require particular attention and are
discussed in the following paragraphs.

Inspection
Inspection consists of examining records, documents, or tangible assets. The auditor inspects in
order to:
• be satisfied as to the physical existence of material negotiable assets that the bank holds;
and
• obtain the necessary understanding of the terms and conditions of
agreements (including master agreements) that are significant individually or in the
aggregate in order to:
1. consider their enforceability; and
2. assess the appropriateness of the accounting treatment they have been given.

Examples of areas where inspection is used as an audit procedure are:

• securities;
• loan agreements;
• collateral; and
• commitment agreements, such as asset sales, repurchases, and guarantees.
In carrying out inspection procedures, the auditor remains alert to the possibility that some of
the assets the bank holds may be held on behalf of third parties rather than for the bank’s own
benefit. The auditor considers whether adequate internal controls exist for the proper
segregation of such assets from those that are the property of the bank and, where such assets
are held, considers the implications for the financial statements.

Inquiry and Confirmation

Inquiry consists of seeking information of knowledgeable persons inside or
outside the entity. Confirmation consists of the response to an inquiry to
corroborate information contained in the accounting records. The auditor inquires and confirms
in order to:
• obtain evidence of the operation of internal controls;
• obtain evidence of the recognition by the bank’s customers and counterparties of amounts,
terms and conditions of certain transactions; and
• obtain information not directly available from the bank’s accounting
records
A bank has significant amounts of monetary assets and liabilities, and of off-balance-sheet
commitments. External confirmation may be an effective method of determining the existence
and completeness of the amounts of assets and liabilities disclosed in the financial statements.

Examples of areas for which the auditor may use confirmation are:
• Collateral
 • Verifying or obtaining independent confirmation of, the value of assets
and liabilities that are not traded or are traded only on over-the-counter
markets.
• Asset, liability and forward purchase and sale positions with customers
and counterparties such as outstanding derivative transactions, nostro and vostro account
holders, securities held by third parties, loan accounts, deposit accounts, guarantees, and
letters of credit.
• Legal opinions on the validity of a bank’s claims.

Computation
Computation consists of checking the arithmetical accuracy of source documents and
accounting records or of performing independent calculations. In the context of the audit of
a bank’s financial statements, computation is a useful procedure for checking the consistent
application of valuation models.

Analytical Procedures
Analytical procedures consist of the analysis of significant ratios and trends including the resulting
investigation of fluctuations and relationships that are inconsistent with other relevant information
or deviate from predicted amounts.
A bank invariably has individual assets that are of such a size that the auditor considers them
individually. However, for most items, analytical procedures may be effective for the following
reasons:
• Ordinarily two of the most important elements in the determination of a
bank’s earnings are interest income and interest expense. These have
direct relationships to interest bearing assets and interest bearing liabilities, respectively. To
establish the reasonableness of these relationships, the auditor can examine the degree to
which the reported income and expense vary from the amounts calculated on the basis of
average balances outstanding and the bank’s stated rates during the year.
• The accurate processing of the high volume of transactions entered into by a bank, and the
auditor’s assessment of the bank’s internal controls, may benefit from the review of ratios
and trends and of the extent to which they vary from previous periods, budgets and the
results of other similar entities.
• By using analytical procedures, the auditor may detect circumstances that call into question
the appropriateness of the going concern assumption, such as undue concentration of risk in
particular industries or geographic areas and potential exposure to interest rate, currency
and maturity mismatches.
• There is a wide range of statistical and financial information available
from regulatory and other sources that the auditor can use to conduct an in depth analytical
review of trends and peer group analyses.
A useful starting point in considering appropriate analytical procedures is to consider what
information and performance or risk indicators management use in monitoring the bank’s
activities.

G. Reporting on the Financial Statements

In expressing an opinion on the bank’s financial statements, the auditor:

• adheres to any specific formats and terminology specified by the law, the regulatory
authorities, professional bodies and industry practice; and

• determines whether adjustments have been made to the accounts of foreign branches
and subsidiaries that are included in the consolidated financial statements of the bank to
 bring them into conformity with generally accepted accounting principles in the Philippines.
This is particularly relevant in the case of banks with foreign branches and subsidiaries
because most countries local regulations prescribe specialized accounting principles
applicable primarily to banks. This may lead to a greater divergence in the accounting
principles followed by branches and subsidiaries, than is the case in respect of other
commercial entities.

The financial statements of banks are prepared in the context of the legal and regulatory
requirements and accounting policies are influenced by such regulations.

• The BSP regulatory accounting principles for banks (RAP) may differ materially from
generally accepted accounting principles (GAAP).

• When the bank is required to prepare a single set of financial statements that comply with
both frameworks (i.e., RAP and GAAP), the auditor may express a totally unqualified
opinion only if the financial statements have been prepared in accordance with both
frameworks. If the financial statements are in accordance with only one of the frameworks,
the auditor expresses an unqualified opinion in respect of compliance with that framework
and a qualified or adverse opinion in respect of compliance with the other framework.

• When the bank is required to comply with RAP instead of GAAP, the auditor considers the
need to refer to this fact in an emphasis of matter paragraph.

Banks often present additional information in annual reports that also contain audited financial
statements. This information frequently contains details of the bank’s risk adjusted capital, and
other information relating to the bank’s stability, in addition to any disclosures in the financial
statements.

PSA 720, “Other Information in Documents Containing Audited Financial Statements” provides
guidance on the procedures to be undertaken in respect of such additional information.

V. References

• Philippine Auditing Practice Statement 1006 AUDITS OF THE FINANCIAL STATEMENTS OF

BANKS