(PAPS 1004)

-6-

16. The auditor designs audit procedures to reduce to an acceptably low level the risk
of giving an inappropriate audit opinion when the financial statements are
materially misstated. The auditor assesses the inherent risk of material
misstatements occurring (inherent risk) and the risk that the entity’s accounting
and internal control systems will not prevent or detect and correct material
misstatements on a timely basis (control risk). The auditor assesses control risk as
being high unless the auditor is able to identify controls that are likely to prevent
or detect and correct a material misstatement and conducts tests of the controls
that support a lower assessment of control risk. Based on the assessment of
inherent and control risk, the auditor carries out substantive procedures to reduce
the overall audit risk to an acceptably low level.

17. The auditor considers how the financial statements might be materially misstated
and considers whether fraud risk factors are present that indicate the possibility of
fraudulent financial reporting or misappropriation of assets. The auditor designs
audit procedures to reduce to an acceptably low level the risk that misstatements
arising from fraud and error that are material to the financial statements taken as a
whole are not detected. PSA 240, “The Auditor’s Responsibility to Consider
Fraud and Error in an Audit of Financial Statements” lists fraud risk factors
whose presence may alert the auditor to the possibility of fraud existing. When
the auditor determines that evidence of fraud exists, the auditor is required to
disclose this information to the BSP (see paragraph 27)5.

18. In carrying out the audit of a bank’s financial statements, the external auditor
recognizes that banks have the following characteristics that generally distinguish
them from most other commercial enterprises, and which the auditor takes into
account in assessing the level of inherent risk.

• They have custody of large amounts of monetary items, including cash

and negotiable instruments, whose physical security has to be safeguarded
during transfer and while being stored. They also have custody and
control of negotiable instruments and other assets that are readily
transferable in electronic form. The liquidity characteristics of these items
make banks vulnerable to misappropriation and fraud. Banks therefore
need to establish formal operating procedures, well-defined limits for
individual discretion and rigorous systems of internal control.

5
Required under BSP Circular No. 245, Series of 2000, dated May 25, 2000, as amended by BSP Circular
No. 318. Series of 2002.
 (PAPS 1004)

-7-

• They often engage in transactions that are initiated in one jurisdiction,

recorded in a different jurisdiction and managed in yet another
jurisdiction.

• They operate with very high leverage (that is, the ratio of capital to total
assets is low), which increases banks’ vulnerability to adverse economic
events and increases the risk of failure.

• They have assets that can rapidly change in value and whose value is often
difficult to determine. Consequentially a relatively small decrease in asset
values may have a significant effect on their capital and potentially on
their regulatory solvency.

• They generally derive a significant amount of their funding from short-

term deposits (either insured or uninsured). A loss of confidence by
depositors in a bank’s solvency can quickly result in a liquidity crisis.

• They have fiduciary duties in respect of the assets they hold that belong to
other persons. This may give rise to liabilities for breach of trust. Banks
therefore need to establish operating procedures and internal controls
designed to ensure that they deal with such assets only in accordance with
the terms on which the assets were transferred to the bank.

• They engage in a large volume and variety of transactions whose value

may be significant. This necessarily requires complex accounting and
internal control systems and widespread use of information technology
(IT).

• They ordinarily operate through a network of branches and departments

that are geographically dispersed. This necessarily involves a greater
decentralization of authority and dispersal of accounting and control
functions with consequential difficulties in maintaining uniform operating
practices and accounting systems, particularly when the branch network
transcends national boundaries.

• Transactions can often be directly initiated and completed by the customer

without any intervention by the bank’s employees, for example over the
Internet or through automatic teller machines (ATMs).
 (PAPS 1004)

-8-

• They often assume significant commitments without any initial transfer of

funds other than, in some cases, the payment of fees. These commitments
may involve only memorandum accounting entries. Consequently their
existence may be difficult to detect.

• They are regulated by governmental authorities whose regulatory

requirements often influence the accounting principles that banks follow.
Non-compliance with regulatory requirements, for example, capital
adequacy requirements, could have implications for the bank’s financial
statements or the disclosures therein.

• Customer relationships that the auditor, assistants, or the audit firm may
have with the bank might affect the auditor’s independence in a way that
customer relationships with other organizations would not.

• They generally have exclusive access to clearing and settlement systems

for checks and fund transfers, foreign exchange transactions, etc. They are
an integral part of, or are linked to, national and international settlement
systems and consequently could pose a systemic risk to the countries in
which they operate.

• They may issue and trade in complex financial instruments, some of which
may need to be recorded at fair value in the financial statements. They
therefore need to establish appropriate valuation and risk management
procedures. The effectiveness of these procedures depends on the
appropriateness of the methodologies and mathematical models selected,
access to reliable current and historical market information, and the
maintenance of data integrity.

19. A detailed audit of all transactions of a bank would be not only time-consuming
and expensive but also impracticable. The external auditor therefore bases the
audit on the assessment of the inherent risk of material misstatement, the
assessment of control risk and testing of the internal controls designed to prevent
or detect and correct material misstatements, and on substantive procedures
performed on a test basis. Such procedures comprise one or more of the
following: inspection, observation, inquiry and confirmation, computation and
analytical procedures. In particular, the external auditor is concerned about the
recoverability and consequently the carrying value of loans, investments and other
assets shown in the financial statements and about the identification and adequate
disclosure in the financial statements of all material commitments and liabilities,
contingent or otherwise.