The underlying purpose of the Basel Accord is the protection of depositors through
prescriptive rules for measuring capital adequacy, evolving a common language
to assess the quality of assets and liabilities of banks, evolving methods of
determining regulatory capital, and ensuring efficient use of capital.
The Basel Committee on Banking Supervision released the final version of the new
Basel II Accord in June 2004. The new set of rules will replace the capital accord
of 1988 but will not come into effect until the end of 2006. It will be more risk-sensitive
than the current regime and will significantly reduce the incentive for capital
arbitrage. Higher risks will, at least in principle, result in higher risk weights and
thus higher capital requirements.
The New Capital Accord is founded on the following three pillars. In order to
evaluate the role of auditors under the accord, it is important to examine these
more closely:
A time-frame has been laid down under Basel II, under which the year 2006-2007
is critical, as banks move up the ladder of sophistication. Initially, banks
have to adopt the Standardized Approach for Credit Risk and the Basic Indicator
Approach for Operational Risk. After adequate skills are developed, both
at the banks and at supervisory levels, some banks may be allowed to migrate
to the Internal Rating Based Approach.
The auditor has a substantial role to play in compliance with the Basel II
norms. His role would be primarily restricted to Pillar I and would mainly
- Feasibility study and benchmarks as to the best approach to be adopted by the banks in order to monitor the Credit Risk, Operational Risk and Market Risk.
- Validation of benchmarks adopted by the management, interpretation of benchmarks, and stratification of major issues in the light of industry knowledge and regulatory insight (e.g. issues expected to be subject to heavier regulatory scrutiny)
- Diagnostic / gap analysis prior to implementation of Basel II
- Periodic checks to ensure that the bank is on track.
- IT Systems Reviews for Market Risk Management
The external auditors may be called upon to review the quality of internal controls
and systems and to assess the internal audit function’s scope and adequacy.
Credit Risk is most simply defined as the potential for a borrower or a counterparty
to fail to meet its obligations in accordance with agreed terms. The goal of credit
risk management is to maximize a bank’s risk-adjusted rate of return by
maintaining credit risk exposure within acceptable parameters. Banks need to
manage the credit risk inherent in the entire portfolio as well as the risk in individual
There are three progressive approaches to calculating capital charges on credit
risk: the Standardized Approach, the Foundation Internal Risk Based (‘IRB’)
Approach and the Advanced IRB Approach.
Under the Standardized Approach, risk weight would be applied to each asset
based on its external credit rating assigned by a rating agency. In each country,
the regulator would approve the rating agencies in the country and decide on
the applicable risk weight for each rating agency. The framework proposes four
risk weights – 20%, 50%, 100% and 150% for different grades of borrowers.
The auditor’s role in the case of the Standardized Approach would be restricted to
verifying the correct assignment of the risk weights prescribed by the external
credit rating agencies to each asset.
The IRB Approach, comprising the Foundation IRB Approach and the Advanced
IRB Approach, allows banks to use internal rating processes, i.e. their own
management and risk measurement methods, to calculate the regulatory capital
charge. To be recognized by the supervisors, these internal ratings must meet
various minimum quantitative and qualitative requirements. Certain qualifying
criteria are intended to ensure that the rating system and rating process, as well
as the risk components, are adequate for each bank.
The Advanced IRB Approach explicitly requires banks to assess credit exposures
for each customer and for each credit facility using the following measures:
- Probability of Default (‘PD’) – the probability that a specific customer will default within the next 12 months.
- Loss Given Default (‘LGD’) – the percentage of each credit facility that will be lost if the customer defaults.
- Exposure at Default (‘EAD’) – the expected exposure for each credit facility in the event of a default.
In the Foundation IRB Approach, banks would internally estimate the PD for
each rating category. The estimate of LGD would be provided by the regulator.
The Framework provides a risk weight curve, which gives the risk weight for
each combination of PD and LGD. To be eligible for adopting the Foundation IRB
Approach, the bank would need to satisfy the following minimum requirements:
- Existence of an independent group within the bank carrying out credit rating;
- Separate assessment of default risk of borrower and transaction;
- Minimum seven rating grades for performing and one grade for nonperforming
- Specific rating criteria for distinguishing each rating grade;
- Enough grades for avoiding undue concentrations of borrowers in a grade;
- Minimum five years history of PD estimates; and
- Exposures categorized into asset classes (corporate, sovereign, bank, retail
The auditor’s role in the case of the Foundation IRB Approach would be to review
the policies and procedures followed by the bank for the internal rating and risk
management process, and the documentation and process manuals related to the
same. The auditor can also perform an independent review of the risk
measurement system. The auditor must review, at least annually, the bank’s rating
system and its operations, including the operations of the credit function and
the estimation of PDs.
The Advanced IRB Approach is similar to the Foundation IRB Approach. However,
under the Foundation IRB, the bank regulator provides the estimates of the value
used in establishing losses (i.e. LGD, EAD and Maturity (‘M’)). Under the
Advanced IRB Approach, the bank provides the PD, LGD, EAD and M. Another
major element of the IRB Approach pertains to the treatment of credit risk
mitigants, namely collaterals, guarantees and credit derivatives.
Under the Advanced IRB Approach, a bank with a sufficiently developed internal
capital allocation process would be permitted to use its own inputs for estimation
of potential future loss. Banks seeking to use this approach would need to have
LGD and EAD data history for at least seven years, in addition to meeting all the criteria stipulated for Foundation IRB Approach.
The auditor’s role in the case of the Advanced IRB Approach may be similar to that
under the Foundation IRB Approach, except that the auditor would have to
additionally verify the bank’s procedure for estimation of the LGD.
Operational risk is the risk of loss resulting from inadequate or failed internal
processes, people and systems or internal events (excluding strategic and
reputational risk). There are three approaches to operational risk, i.e. the Basic
Indicator Approach, the Standardised Approach and the Advanced Measurement
The Basic Indicator Approach sets the capital requirement for operational risk at
a fixed percentage (alpha factor of 15%) of the bank’s average annual gross income
over the previous three years. Years where annual gross income was negative or
zero are to be disregarded. The Basel Committee has defined gross income as net
interest income and has allowed each relevant national supervisor to define gross
income in accordance with the prevailing accounting practices. Accordingly, many
regulators have defined gross income as net profit (+) provisions and contingencies
(+) operating expenses (Schedule 16) (-) profit on sale of Held to Maturity (‘HTM’)
investments (-) income from insurance (-) extraordinary / irregular items of income
(+) loss on sale of HTM investments.
This is a very straightforward approach that does not require the auditor to perform
any procedures other than those he was already performing, i.e. verifying that
the income was fairly stated and recognized in the financial statements.
Under the Standardised Approach, the bank’s activities are divided into eight
business lines. A capital charge is required for each one of these business lines.
This capital charge is a fixed percentage (beta factor) of the average annual gross
income (as defined in the Basic Indicator Approach above) of each business line
over the previous three years. The annual total capital charge is calculated as a
three-year average by simply adding together the regulatory capital charges of
the individual business lines. As can be seen, the key to the Standardised Approach
is the recording of total income across the various business lines, and hence
it is essential for the auditor to verify the internal controls related to the capturing of
financial and business information across the various business lines.
Banks the world over are in the process of developing different methodologies for
measurement of the operational risk capital charge. In view of this, the Basel
Committee has been less prescriptive in respect of the Advanced Measurement
Approaches, which would be based on an estimate of operational risk derived
from a bank’s internal risk measurement system and are, therefore, expected to
be more risk-sensitive than the other two approaches.
Under the AMA, each bank can use its own measurement method for operational
The key features of AMA are: (i) it is based on the collection of loss data; (ii) the
characteristics of “low frequency/high severity” for each event type, in addition
to the business line, can be reflected. Each bank is to measure the required capital
based on its own loss data using the holding period and confidence interval
determined by the regulators.
From a corporate governance point of view, the banks would need to have the
following in place to follow AMA:
- Board and Senior Management oversight
- Independent enterprise-wide operational risk framework and function
- Policies and procedures for all aspects of the operational risk framework
- Independent testing and verification (e.g. audit)
- Lines of business responsible for day-to-day risk management
- Reporting of operational risk exposures, losses, risk indicators, etc. to Board and Senior Management
- Sound internal control environment
The auditor needs to verify the following in case the bank adopts the AMA:
- The effectiveness of the bank’s risk management process and overall control environment with respect to operational risk;
- The bank’s methods for monitoring and reporting its operational risk profile, including data on operational losses and other indicators of potential
- The bank’s procedures for the timely and effective resolution of operational risk events and vulnerabilities;
- The effectiveness of the bank’s operational risk mitigation efforts, such as the use of insurance;
- The quality and comprehensiveness of the bank’s disaster recovery and business continuity plans.
- To ensure that, where banks are part of a financial group, there are procedures in place to ensure that operational risk is managed in an appropriate and integrated manner across the group. In performing this assessment, cooperation and exchange of information with other supervisors, in accordance with established procedures, may be necessary.
- To verify how frequently the bank’s Manual of Instructions is updated and whether the guidelines are clear and disseminated to all levels in the bank.
- To verify what punitive measures for intentional/deliberate mistakes/frauds are in place and how effective they are.
Jurisdictions where banks are statutorily required to maintain liquid assets in the
form of cash and government/approved securities (as in India - statutory liquidity
ratio) tend to cause the banks to expose themselves to market risk. A bank’s
investment portfolio is subject to volatility in the value of securities due to changes
in their prices which, in turn, may be a result of changes in interest rates, currency
rates or changes in equity and commodity prices. Market risk is not covered under
Basel-II. Prior to Basel-II itself, two approaches to capital allocation for market
risk were outlined: the standardised measurement method and the internal models
approach. The Reserve Bank of India (“RBI”) has recently issued guidelines for
computation of capital for market risk based on the standardized measurement
method. This method involves computing capital based on the duration of the
Though there have been no significant changes in the area of market risk measurement
and management in the past few years, the auditor’s role would lie in
reviewing the provisions arising out of risk weightages associated with different
financial assets/instruments. There is also embedded market risk in various deposit
and loan products where “put or call” options are made available to the customers.
Auditors will have to examine/review the determination of provisions arising
out of market conditions.
Pillar 3 refers to disclosure requirements and greater transparency. All over the
world, banking business is becoming more complicated by the day and concomitantly
more difficult for regulators to monitor. It is recognized that tracking signals
emanating from the market can assist supervisors in their monitoring function.
This pillar seeks to bring market discipline through greater transparency by
asking banks to make adequate disclosures for the benefit of shareholders/investors,
depositors, customers, rating agencies, government and policy makers and,
of course, for the regulators/supervisors. Market discipline has two components:
(a) market signals, manifested in share price movements, banks’ lending and
borrowing rates, etc.;
(b) responsiveness of the bank, as also the supervisor, to the market signals.
Pillar III provides a comprehensive menu of public and regulatory disclosures
related to the capital structure, capital adequacy, risk assessment and risk
management processes to enhance transparency in banking operations.
The disclosure requirements increase as the banks move towards more advanced
Adequate and appropriate disclosure is the responsibility of
the banks, and the auditor’s role would be restricted to ensuring the overall fairness
of the disclosures.
The Basel Committee has produced extensive guidance on the roles of both the
external audit and internal audit and the way these can be factored into the
supervisory process. Market discipline is becoming a key element of supervisory
thinking and market discipline depends on prompt, accurate financial
information. External auditors help significantly in ensuring that financial
statements are reliable and useful to the marketplace. Periodic financial statements
of banking organizations are also used by regulators in their risk-focused supervision
programmes. These reports contribute to pre-examination planning, facilitate offsite
monitoring programs and ultimately help in determining the institution’s
financial condition. A strong external audit program assists regulators in moving
away from detailed, burdensome and invasive examinations.
Implementation of Basel II has been described as an interesting journey rather
than a destination by itself. Undoubtedly, it would require commitment of
substantial capital and human resources on the part of both banks and the
supervisors. As envisaged by the Basel Committee, the accounting profession, too,
will walk the journey with the management and the boards of the banking
companies and will of course retain its independence all the same, during the