Banks - Controls to be tested sitting on branches

  • My bank has more than 800 retail branches across the country. All the branch managers have authority to approve new loan origination, and journal entries are input in the branches. Controls in the back office are deemed relatively not strong enough to compensate for the risks when not testing the relevant controls in branches.
    Q1. Should the controls related to loan origination in branches be tested?
    Q2. How could we rationalize for that when not testing branch controls?

  • Hi and welcome to the forums 🙂 I’m more of an IT person, but I’ll share an idea below.
    As noted, you can’t practically test controls in all 800 branches. However, I’m wondering if random spot-checking of some branches might be some good middle ground on this? For example, you might set up a program to randomly check ‘x’ number of banks each period. This gives you a health check to better meet the SOX testing and going a little beyond requirements can be beneficial.
    You may also want to evaluate current workflows with a focus on autonomy levels and separation of duties to see if the controls can be enhanced. However, you don’t want to truly impact the business side or customer service needs in creating a lot of red tape.
    I’d work closely with audit in establishing this testing framework.

  • To build on the response above, banks usually have very tight controls due to the regulatory environment in which they operate. I would certainly try to leverage the internal audit staff in testing SOX controls when they perform audits of other controls in your branch offices.

  • The best strategy is to:
    Audit all significant Branches (contributing to 5% of Assets and 5% of Revenue) through onsite visits so as to cover a reasonable amount of control assurance
    Develop Control Self Assessment for branches not visited for Audits. These CSAs can be performed by staff other than the control owner so as to assure requisite objectivity (personnel from the nearest branch performing the same activity can be the best suitable to perform assessments).
    Please note that all important SOX related processes such as Entity Level Controls and Financial Statement Close Process can be centralized and tested at the Corporate Level or Division/Hub Level
    I hope that this helps.
    Cheers

