Audit Project Report 2013

Audit Project Report

Audit Project Report of HBL (Habib Bank Limited)

Neelam Hassan
MBA 5th ISP Multan

2013
Institute of Southern Punjab Multan 1

Audit Project Report 2013

Habib Bank Limited

Institute of Southern Punjab Multan 2

Audit Project Report 2013

Sr# 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

Topic Dedication Acknowledgment History of HBL Audit of Bank Legal Provisions Relating to Audit
APPROACH TO BANK AUDIT

Audit Procedure Internal Control Over Financial Reporting Audit Evidence Substantive procedure WRAPPING-UP AUDITORS OPINION
EVALUATING THE RESULTS OF THE AUDIT OF FINANCIAL STATEMENTS

Page # 4 5 6 7 8 9 11 16 19 21 24 27 27 27 28

Preparation and Submission of Audit Report Statement of Internal Control HBL Auditors Report To the members - Consolidated

Institute of Southern Punjab Multan 3

Audit Project Report 2013

Dedication

I dedicate my efforts to my beloved parents, to Habib Bank Limited and especially to my instructor Sir.Imran Farooq whose kind and constant assistance helps me in each possible way towards the completion of the report.

Institute of Southern Punjab Multan 4

Audit Project Report 2013

Acknowledgment
This dissertation would not have been possible without the guidance and the help of several individuals who in one way or another contributed and extended their valuable assistance in the preparation and completion of this study. First and foremost, we all are thankful to ALMIGHTY ALLAH, for responding our prayers for giving us the strength to plod on despite our constitution wanting to give up and throw in the towel. Secondly I highly grateful to Mr.Imran Farooq whose sincerity and encouragement help me in every possible way and encourage me in the completion of the report. He encourages me at every stage of my Project entitled Audit Procedure of HBL and its Analysis. Due to his encouragement I am able to write this Project.

Institute of Southern Punjab Multan 5

Audit Project Report 2013

History of HBL
HBL was the first commercial bank to be established in Pakistan in 1947. Over the years, HBL has grown its branch network and become the largest private sector bank with over 1,500 branches and 1,000 ATMs across the country and a customer base exceeding five million relationships. The Government of Pakistan privatized HBL in 2004 through which AKFED acquired 51% of the Bank's shareholding and management control. HBL is majority owned (51%) by the Aga Khan Fund for Economic Development, 42.5% of the shareholding is retained by the Government of Pakistan (GOP), whilst 7.5% is owned by the general public i.e. over 170,000 shareholders following the public listing that took place in July 2007. With presence in 25 countries, subsidiaries in Hong Kong and the UK, affiliates in Nepal, Kenya and Kyrgyzstan and rep offices in Iran and China, HBL is also the largest domestic multinational. The Bank is expanding its presence in principal international markets including the UK, UAE, South and Central Asia, Africa and the Far East. Key areas of operations encompass product offerings and services in Retail and Consumer Banking. HBL has the largest Corporate Banking portfolio in the country with an active Investment Banking arm. SME and Agriculture lending programs and banking services are offered in urban and rural centers.

Rating:
HBL is currently rated AAA (Long term) and A-1+ (Short term) with 'Stable' outlook and has a balance sheet size of USD 13.82 billion. It is the first Pakistani bank to raise Tier II Capital from exit.

Institute of Southern Punjab Multan 6

Audit Project Report 2013

Audit of Banks
Introduction:
A well-organized and efficient banking system is a prerequisite for economic growth. Banks play an important role in the functioning of organized money markets. They act as a conduit for mobilizing funds and channelizing them for productive purposes. The Indian banking system, like the banking system in other countries, has played a significant role in the economic growth of the country. In order to meet the banking needs of various sections of the society, a large network of bank branches has been established. The volume of operations and the geographical spread of banks in India are steadily on the rise.

Legislation Relevant to Audit of Bank:

Different legislative Acts are relevant to audit of different types of banks. An auditor should know the specific provisions of the Act(s) applicable to the type of bank under audit. Following are the important Acts relevant for bank audit: i. Nationalized banks are governed by the provisions of the relevant Banking Companies (Acquisition and transfer of Undertakings) Act. Certain provisions of the Banking Regulation Act, 1949 also apply to nationalized banks. The non-nationalized banking companies are governed by the provisions of the Banking Regulation Act, 1949 and provisions of the Companies Act, 1956, which are not inconsistent with the provisions of the Banking Regulation Act, 1949. The Co-operative Societies Act, 1912, or the Cooperative Societies Act of the state in which they are situated, as well as Part V of the Banking Regulation Act, 1949, governs co-operative banks.

ii.

iii.

Institute of Southern Punjab Multan 7

Audit Project Report 2013

Legal Provisions Relating to Audit

The legal provisions relating to bank auditors are as follows:

Appointment of Auditors:
The auditor of a bank has to be a person who is duly qualified under law to be an auditor of a company. So, Section 226 of the Companies Act applies in case of appointment of an auditor of a bank. Previous approval of RBI is required for appointment of an auditor of a bank. The following are the appointing authorities of auditors of banks:
BANK APPOINTING AUTHORITY

1. Nationalized Banks 2. Banking Companies 3. State Bank of India 4. Subsidiaries of State Bank of India 5. Regional Rural Banks

Board of Directors Shareholders in AGM RBI in consultation with Central Government State Bank of India Concerned Bank with the approval of Central Government

Qualifications of Auditors:
The auditors of public and private company which is the subsidy of the public company must be a chartered accountant within the meaning of Chartered Accountant rdinance,1961 However a firm whereof all the partners practicing in Pakistan are chartered accountant may be appointed as auditor of the company in its firm name. Under the Companies Ordinance ,1984 following persons are ineligible for the appointment as auditors of a company: a) Who, at any time during the preceding three years was, a director, other officer or employee of the company; b) a body corporate c) a director, officer or employee of a company d) a spouse of a director e) a person indebted to a company f) partner or employees of any person mentioned in (c) above; and g) person disqualified to be an auditor of any other company in the group due to any of the grounds mentioned above:

Institute of Southern Punjab Multan 8

Audit Project Report 2013

APPROACH TO BANK AUDIT

Banks have the following characteristics, which distinguish them from most other commercial enterprises: i. Rigorous Internal Control System: They have custody of large volumes of monetary items, including cash and negotiable instruments, whose physical security has to be ensured. This applies to both the storage and the transfer of monetary items and makes banks vulnerable to misappropriation and fraud. They, therefore, need to establish formal operating procedures and well-defined limits for individual discretion and rigorous systems of internal control. Complex Accounting System: They engage in a large volume variety of transactions in terms of both number and value. This necessarily requires complex accounting and internal system.

ii.

Audit Strategy:
The auditor should establish an overall audit strategy that sets the scope, timing, and direction of the audit and guides the development of the audit plan. In establishing the overall audit strategy, the auditor should take into account: a. The reporting objectives of the engagement and the nature of the communications required by PCAOB standards, b. The factors that are significant in directing the activities of the engagement team c. The results of preliminary engagement activities9 and the auditor's evaluation of the important matters in accordance with paragraph 7 of this standard, and d. The nature, timing, and extent of resources necessary to perform the engagement.

Audit Plan:
The auditor should develop and document an audit plan that includes a description of a. The planned nature, timing, and extent of the risk assessment procedures; b. The planned nature, timing, and extent of tests of controls and substantive procedures; and Other planned audit procedures required to be performed so that the engagement complies with PCAOB standards.

BANK AUDIT REPORT

The bank auditor has to make his report directly to the bank. The contents of the auditor's report in the case of different types of banks are somewhat different. The report of the auditor of a nationalized bank is to be verified, signed and transmitted to the Central Government. The auditor has also to forward a copy of the audit report to the bank concerned and to RBI. In addition to the matters, which the auditor is required to state in his report under the Companies Act, the auditor of a bank has also to state the following in his report:

Institute of Southern Punjab Multan 9

Audit Project Report 2013

In Case of Banking Companies:

The auditor should include in his report: Whether or not the information and explanations required by him have been found to be satisfactory; Whether or not the transactions of the company, which have come to the notice have been within the powers of the company;

AUDITOR'S REPORT AND TRUE AND FAIR VIEW:

The Companies Act, 1956 has introduced the words true and fair in place of the words true and correct as appearing in the Companies Act, 1913. This is an important change and has far reaching effects. The phrase true and correct means that the financial statements are arithmetically correct and that they correspond to the figures in the books of accounts. But it does not specifically mean that the financial statements are representing the actual state of affairs and actual working results. In fact, at present the auditor is supposed to verify whether the books of accounts show a true and fair view of the state of affairs of the company as well as the true and fair view of the financial result of the company.

MODIFIED REPORTS:
An auditor's report is considered to be modified when it includes: Matters that do not affect the auditor's opinion Matters that do affect the auditor's opinion

MATTERS THAT DO NOT AFFECT THE AUDITOR'S OPINION:

In certain circumstances, an auditor's report may be modified by adding an emphasis of matter paragraph to highlight a matter affecting the financial statements, which is included in a note to the financial statements that more extensively discusses the matter. The addition of such an emphasis of matter paragraph does not affect the auditor's opinion.

MATTERS THAT DO AFFECT THE AUDITOR'S OPINION:

An auditor may not be able to express an unqualified opinion when either of the following two circumstances exists and in the auditor's judgment, the effect of the matter is or may be material to the financial statements: there is a limitation on the scope of the auditor's work; or there is a disagreement with management regarding the acceptability of the accounting policies selected, the method of their application or the adequacy of financial statement disclosures.
Institute of Southern Punjab Multan 10

i. ii.

Audit Project Report 2013

The circumstances described in (a) above could lead to a qualified opinion or a disclaimer of opinion. The circumstances described in (b) above could lead to a qualified opinion or an adverse opinion.

TYPES OF AUDITOR'S REPORT

Auditor's report can be of the following types:

Clean Report:
An audit report is clean, where there is no qualified or adverse opinion or disclaimer of opinion in the report. A clean report indicates that the auditor is satisfied with all the points required to be stated in his report and states them in the affirmative, adding no reservation anywhere.

Qualified Report:
When an auditor expresses an opinion in his report with a reservation or states anything in the negative, but its nature is such that it does not materially affect the true and fair picture shown by the accounts, then the auditor's report is said to be a qualified report.

Adverse Report:
When the auditor expresses an adverse or negative opinion in his report about the principal point in the report for which audit is mainly intended, the report is called an adverse report.

Audit Procedure
Banks adopt the following procedure of audit 1)Planning 2)Internal control 3)Substantive procedure 4)Review 5)FINAL REVIEW 6)REPORTING

PLANNING AN AUDIT:
The auditor should properly plan the audit. This standard describes the auditor's responsibilities for properly planning the audit. Planning the audit includes establishing the overall audit strategy for the engagement and developing an audit plan, which includes, in particular, planned risk assessment procedures and planned responses to the risks of material misstatement. Planning is not a discrete phase of an audit but, rather, a continual and iterative process that might begin shortly after (or in connection with) the completion of the previous audit and continues until the completion of the current audit.

Requesting Documents:
Institute of Southern Punjab Multan 11

Audit Project Report 2013

After notifying the organization of the upcoming audit, the auditor typically requests documents listed on an audit preliminary checklist. These documents may include a copy of the previous audit report, original bank statements, receipts and ledgers. In addition, the auditor may request organizational charts, along with copies of board and committee minutes and copies of bylaws and standing rules.

Planning Activities:
The nature and extent of planning activities that are necessary depend on the size and complexity of the company, the auditor's previous experience with the company, and changes in circumstances that occur during the audit. When developing the audit strategy and audit plan, as discussed in paragraphs 8-10, the auditor should evaluate whether the following matters are important to the company's financial statements and internal control over financial reporting and, if so, how they will affect the auditor's procedures:

Knowledge of the company's internal control over financial reporting obtained during other engagements performed by the auditor; Matters affecting the industry in which the company operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes; Matters relating to the company's business, including its organization, operating characteristics, and capital structure; The extent of recent changes, if any, in the company, its operations, or its internal control over financial reporting; The auditor's preliminary judgments about materiality risk, and, in integrated audits, other factors relating to the determination of material weaknesses; Control deficiencies previously communicated to the audit committee or management; Legal or regulatory matters of which the company is aware; The type and extent of available evidence related to the effectiveness of the company's internal control over financial reporting; Preliminary judgments about the effectiveness of internal control over financial reporting;

Audit Risk:
OBJECTIVE:
The objective of the auditor is to conduct the audit of financial
Institute of Southern Punjab Multan 12

Audit Project Report 2013

statements in a manner that reduces audit risk to an appropriately low level.

AUDIT RISK
To form an appropriate basis for expressing an opinion on the financial statements, the auditor must plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement due to error or fraud. Reasonable assurance is obtained by reducing audit risk to an appropriately low level through applying due professional care, including obtaining sufficient appropriate audit evidence. In an audit of financial statements, audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated, i.e., the financial statements are not presented fairly in conformity with the applicable financial reporting framework. Audit risk is a function of the risk of material misstatement and detection risk. In HBL following audit risk are involved:

Risk of Material Misstatement:

The auditor should assess the risks of material misstatement at two levels: (1) at the financial statement level (2) at the assertion level 1. Risks of material misstatement at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the financial statement level may be especially relevant to the auditor's consideration of the risk of material misstatement due to fraud. For example, an ineffective control environment, a lack of sufficient capital to continue operations, and declining conditions affecting the company's industry might create pressures or opportunities for management to manipulate the financial statements, leading to higher risk of material misstatement.
Institute of Southern Punjab Multan 13

Audit Project Report 2013

2. Risk of material misstatement at the assertion level consists of the following components: a. Inherent risk, which refers to the susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls. b. Control risk, which is the risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company's internal control. Control risk is a function of the effectiveness of the design and operation of internal control. Inherent risk and control risk are related to the company, its environment, and its internal control, and the auditor assesses those risks based on evidence he or she obtains. The auditor assesses inherent risk using information obtained from performing risk assessment procedures and considering the characteristics of the accounts and disclosures in the financial statements. The auditor assesses control risk using evidence obtained from tests of controls (if the auditor plans to rely on those controls to assess control risk at less than maximum) and from other sources

Detection Risk:
In an audit of financial statements, detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, individually or in combination with other misstatements. Detection risk is affected by

(1) the effectiveness of the substantive procedures and (2) Their application by the auditor, i.e., whether the procedures were performed with due professional care. The auditor uses the assessed risk of material misstatement to determine the appropriate level of detection risk for a financial statement assertion. The higher the risk of material misstatement, the lower the level of detection risk needs to be in order to reduce audit risk to an appropriately low level. The auditor reduces the level of detection risk through the nature, timing, and extent of the substantive procedures performed. As the appropriate level of detection risk decreases, the evidence from substantive procedures that the auditor should obtain increase

Identifying and Assessing Risks of Material Misstatement:

OBJECTIVE:
The objective of the auditor is to identify and appropriately assess the risks of material
Institute of Southern Punjab Multan 14

Audit Project Report 2013

misstatement, thereby providing a basis for designing and implementing responses to the risks of material misstatement.

PERFORMING RISK ASSESSMENT PROCEDURES:

The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement, whether due to error or fraud,3/ and designing further audit procedures. Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to, e.g., personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors.

IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT:

The auditor should identify and assess the risks of material misstatement at the financial statement level and the assertion level. In identifying and assessing risks of material misstatement, the auditor should: Identify risks of misstatement using information obtained from performing risk assessment procedures (as discussed in paragraphs 4-58) and considering the characteristics of the accounts and disclosures in the financial statements. Note: Factors relevant to identifying fraud risks are discussed in paragraphs 65-69 of this standard. Evaluate whether the identified risks relate pervasively to the financial statements as a whole and potentially affect many assertions. Evaluate the types of potential misstatements that could result from the identified risks and the accounts, disclosures, and assertions that could be affected. Note: In identifying and assessing risks at the assertion level, the auditor should evaluate how risks at the financial statement level could affect risks of misstatement at the assertion level. Assess the likelihood of misstatement, including the possibility of multiple misstatements, and the magnitude of potential misstatement to assess the possibility that the risk could result in material misstatement of the financial statements. Note: In assessing the likelihood and magnitude of potential misstatement, the auditor may take into account the planned degree of reliance on controls selected to test.

Institute of Southern Punjab Multan 15

Audit Project Report

2013

Identify significant accounts and disclosures and their relevant assertions Determine whether any of the identified and assessed risks of material misstatement are significant risks.

Internal Control:
Internal control in its broader sense is defined as a process affected by an organizations board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of reporting Compliance with applicable rules, laws and regulations Internal Control components include Control Environment, Risk Assessment, Control Activities, Information and Communication and Monitoring. Most of the time the emphasis is on common control activities which may include the following: Segregation of functional responsibilities to create a system of checks and balances. A system of authorization and record procedures adequate to provide reasonable accounting control over assets, liabilities, revenues, and expenditures. Development of policies and procedures for prescribing and documenting the business and control processes. This should consist of a well thought out strategy and be reviewed and adjusted periodically to reflect changes in the business and control environment.

An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
INTRODUCTION:
Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance/ about whether material weaknesses exist as of the date specified in management's assessment. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated.

Institute of Southern Punjab Multan 16

Audit Project Report

2013

The general standards are applicable to an audit of internal control over financial reporting. Those standards require technical training and proficiency as an auditor, independence, and the exercise of due professional care, including professional skepticism. This standard establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting. The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting.

Integrating the Audits:

The audit of internal control over financial reporting should be integrated with the audit of the financial statements. The objectives of the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of both audits. In an integrated audit of internal control over financial reporting and the financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously To obtain sufficient evidence to support the auditor's opinion on internal control over financial reporting as of year-end, and To obtain sufficient evidence to support the auditor's control risk assessments for purposes of the audit of financial statements. 8. Obtaining sufficient evidence to support control risk assessments of low for purposes of the financial statement audit ordinarily allows the auditor to reduce the amount of audit work that otherwise would have been necessary to opine on the financial statements. (See Appendix B for additional direction on integration.) Note: In some circumstances, particularly in some audits of smaller and less complex companies, the auditor might choose not to assess control risk as low for purposes of the audit of the financial statements. In such circumstances, the auditor's tests of the operating effectiveness of controls would be performed Principally for the purpose of supporting his or her opinion on whether the company's internal control over financial reporting is effective as of year-end. The results of the auditor's financial statement auditing procedures also should inform his or her risk assessments in determining the testing necessary to conclude on the effectiveness of a control Internal control over financial reporting can be described as consisting of the following components: The control environment, The company's risk assessment process, Information and communication, Control activities, and Monitoring of controls.

Institute of Southern Punjab Multan 17

Audit Project Report

2013

Management might use an internal control framework with components that differ from the components identified in the preceding paragraph when establishing and maintaining the company's internal control over financial reporting. In evaluating the design of controls and determining whether they have been implemented in an audit of financial statements only, the auditor may use the framework used by management or another suitable, recognized framework. For integrated audits, Auditing Standard No. 5, states, "The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting." f the auditor uses a suitable, recognized internal control framework with components that differ from those listed in the preceding paragraph, the auditor should adapt the requirements in paragraphs 23-36 of this standard to conform to the components in the framework used.

Control Environment:
The auditor should obtain an understanding of the company's control environment, including the policies and actions of management, the board, and the audit committee concerning the company's control environment. Obtaining an understanding of the control environment includes assessing: Whether management's philosophy and operating style promote effective internal control over financial reporting; Whether sound integrity and ethical values, particularly of top management, are developed and understood; and Whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control. Note: In an audit of financial statements only, this assessment may be based on the evidence obtained in understanding the control environment, in accordance with paragraph 23, and the other relevant knowledge possessed by the auditor. In an integrated audit of financial statements and internal control over financial reporting, Auditing Standard No. 5/ describes the auditor's responsibility for evaluating the control environment. If the auditor identifies a control deficiency/ in the company's control environment, the auditor should evaluate the extent to which this control deficiency is indicative of a fraud risk factor, as discussed in paragraphs 65-66 of this standard.

The Bank Risk Assessment Process:

Institute of Southern Punjab Multan 18

Audit Project Report 2013

The auditor should obtain an understanding of management's process for: a. Identifying risks relevant to financial reporting objectives, including risks of material misstatement due to fraud ("fraud risks"); b. Assessing the likelihood and significance of misstatements resulting from those risks; and c. Deciding about actions to address those risks. Obtaining an understanding of the company's risk assessment process includes obtaining an understanding of the risks of material misstatement identified and assessed by management and the actions taken to address those risks.

Control Activities:
The auditor should obtain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement and to design further audit procedures, as described in paragraph 18 of this standard. As the auditor obtains an understanding of the other components of internal control over financial reporting, he or she is also likely to obtain knowledge about some control activities. The auditor should use his or her knowledge about the presence or absence of control activities obtained from the understanding of the other components of internal control over financial reporting in determining the extent to which it is necessary to devote additional attention to obtaining an understanding of control activities to assess the factors that affect the risks of material misstatement and to design further audit procedures.

Monitoring of Controls:
The auditor should obtain an understanding of the major types of activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the company initiates corrective actions related to its controls. An understanding of the company's monitoring activities includes understanding the source of the information used in the monitoring activities.

Audit Evidence:
To form an appropriate basis for expressing an opinion on the financial statements, the auditor must plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement due to error or fraud. Reasonable assurance is obtained by reducing audit risk to an appropriately low level through applying due professional care, including obtaining sufficient appropriate audit evidence. As part of evaluating audit results, the auditor must conclude on whether sufficient appropriate audit evidence has been obtained to support his or her opinion on the financial statements.

Institute of Southern Punjab Multan 19

Audit Project Report

2013

Factors that are relevant to the conclusion on whether sufficient appropriate audit evidence has been obtained include the following: The significance of uncorrected misstatements and the likelihood of their having a material effect, individually or in combination, on the financial statements, considering the possibility of further undetected misstatement (paragraphs 14 and 17-19 of this standard). The results of audit procedures performed in the audit of financial statements, including whether the evidence obtained supports or contradicts management's assertions and whether such audit procedures identified specific instances of fraud (paragraphs 20-23 and 28-29 of this standard). The auditor's risk assessments (paragraph 36 of this standard). The results of audit procedures performed in the audit of internal control over financial reporting, if the audit is an integrated audit. The appropriateness (i.e., the relevance and reliability) of the audit evidence obtained.20/ If the auditor has not obtained sufficient appropriate audit evidence about a relevant assertion or has substantial doubt about a relevant assertion, the auditor should perform procedures to obtain further audit evidence to address the matter. If the auditor is unable to obtain sufficient appropriate audit evidence to have a reasonable basis to conclude about whether the financial statements as a whole are free of material misstatement, evaluating the Appropriateness of Risk Assessments. As part of the evaluation of whether sufficient appropriate audit evidence has been obtained, the auditor should evaluate whether the assessments of the risks of material misstatement at the assertion level remain appropriate and whether the audit procedures need to be modified or additional procedures need to be performed as a result of any changes in the risk assessments. For example, the re-evaluation of the auditor's risk assessments could result in the identification of relevant assertions or significant risks that were not identified previously and for which the auditor should perform additional audit procedures.

Institute of Southern Punjab Multan 20

Audit Project Report 2013

Relationship of Risk to the Evidence to be Obtained:

For each control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result. As the risk associated with the control being tested increases, the evidence that the auditor should obtain also increases. Factors that affect the risk associated with a control include The nature and materiality of misstatements that the control is intended to prevent or detect; The inherent risk associated with the related account(s) and assertion(s); Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness; Whether the account has a history of errors; The effectiveness of entity-level controls, especially controls that monitor other controls; The nature of the control and the frequency with which it operates; The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls); The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance; Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective); and Note: A less complex company or business unit with simple business processes and centralized accounting operations might have relatively simple information systems that make greater use of off-the-shelf packaged software without modification. In the areas in which off-the-shelf software is used, the auditor's testing of information technology controls might focus on the application controls built into the pre-packaged software that management relies on to achieve its control objectives and the IT general controls that are important to the effective operation of those application controls. The complexity of the control and the significance of the judgments that must be made in connection with its operation.

Substantive procedure
Is intended to create evidence that an auditor assembles to support the assertion that there are no material misstatements in regard to the completeness, validity, and accuracy of the financial records of an entity. Thus, substantive procedures are performed by an auditor to detect whether there are any material misstatements in accounting transactions. They are of two categories for example, analysis of particulars of transactions and balances and study of noteworthy ratios and trends together with the consequential inquiry of unusual fluctuation and items. It is the function of examining documentation indicating that a procedure was performed in case of Inquiring and observing the occurred financial transactions during the period of time.
Institute of Southern Punjab Multan 21

Audit Project Report 2013

By using Substantive procedures, the auditor is trying to obtain evidence as to the existence, completeness, measurement, rights, obligations occurrence, valuation and presentation and disclosure of transactions and balances. A substantive test looks at a figure in the financial statements and seeks how that figures and amount could be directly verified ignoring the existence of controls. Therefore, for a cash balance a substantive test would be looking at the bank certificate and reconciling this with the balance sheet figure. Some common types of substantive procedures: Bank reconciliation statement inspection Observation of fixed assets schedule Examine physical inventory in hand and on site Analyze accounts receivable and customer invoices Examine accounts payable supporting documents Analytical analysis of assets, liabilities, revenue, and expenses Performing analytical procedures, the auditors examine both financial data and non financial data for example, the number of employees. Before starting their analytical procedures, auditors estimate the expected value before calculating the actual value so that the expected results are estimated based on preliminary discussions with the clients. Substantive procedures consist of two activities as follows: 1) Analytical Substantive Procedures (simply known as analytical procedures or analytical review) 2) Test of Details, which is sub-divided into: a) Test of transactions [i.e. test of income statement figures] AND b) Test of account balances [i.e. test of statement of financial position figures]). Analytical Procedures (ISA 520): Analytical procedures have been defined as the relationship between financial data and non-financial data of the same period (month by month) or different periods (year by year) to highlight significant differences. Analytical procedures also include assessment of relevant accounting ratios and trends and investigation into unexpected variances. Application of Analytical Procedure: Analytical procedures are applied by the auditor, throughout the stages of audit as follows: 1) At the planning stage: This is a requirement by ISA 520 and helps auditors to identify areas of significant fluctuations. Auditors then focus their test of controls and substantive procedures on transactions and balances that indicate significant variances. Auditors at this stage compare current year with previous years financial statements to identify significant variances. 2) Substantive test stage: During the course of the audit, analytical procedures such as year by year comparison and proof in total can be used to confirm assertions completeness and accuracy

Institute of Southern Punjab Multan 22

Audit Project Report 2013

respectively. 3) Final stage: The ISA 520 requires auditors to apply analytical procedures during audit completion activities. The method used is to compare current years audited figures with previous year. Additional substantive audit procedures must be performed to address any material unexpected variances. Substantive Procedures & Test of controls: Substantive procedures are performed after test of controls. The level of substantive procedures is influenced by the result of test of controls. If test of controls indicates that internal controls are weak, then more substantive procedures will be performed to confirm any material misstatements, and vice versa. Substantive Procedures & Sources of Audit Evidence: There are seven sources of audit evidence (ISA 500) including observation, inquiry and recalculation. These sources of audit evidence indicate how auditors derive information and also represent audit procedures. An auditor may observe a companys revenue system (test of control) to confirm effectiveness of controls. However, it is inappropriate to observe revenue income ($), as a form of substantive test. For revenue income auditors preferred procedures include recalculation of sales invoice total and sales journals. Thus audit procedures must be relevant to auditors objective. Substantive Procedures & Financial Statement Assertions: Auditors substantive procedures are designed in a manner to confirm financial statements assertions (aka assertions). Assertions are the representations or claims made by financial statements. For instance, a set of income statements maintain to presuppose specific characteristics (assertions) of financial information reported such as completeness, accuracy, occurrence and cut-off. It is worthy to note that as financial statements are prepared by directors, assertions are also directors representations. Consider this question: Briefly explain directors representations embodied in the receivables balance of $45,000. Substantive procedures are therefore designed to confirm specific assertions claimed by financial statements. An effective approach to substantive procedures is to consider relevant assertions and to identify audit procedures needed to confirm such assertions.

EVALUATING IDENTIFIED DEFICIENCIES:

The auditor must evaluate the severity of each control deficiency that comes to his or her attention to determine whether the deficiencies, individually or in combination, are material weaknesses as of the date of management's assessment. In planning and performing the audit, however, the auditor is not required to search for deficiencies that, individually or in combination, are less severe than a material weakness. The severity of a deficiency depends on Whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement of an account balance or disclosure; and The magnitude of the potential misstatement resulting from the deficiency or deficiencies. The severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement. Risk factors affect whether there is a reasonable possibility that a deficiency, or a combination of deficiencies, will result in a misstatement of an account balance or disclosure. The factors

Institute of Southern Punjab Multan 23

Audit Project Report 2013

include, but are not limited to, the following The nature of the financial statement accounts, disclosures, and assertions involved; The susceptibility of the related asset or liability to loss or fraud; The subjectivity, complexity, or extent of judgment required to determine the amount involved; The interaction or relationship of the control with other controls, including whether they are interdependent or redundant; The interaction of the deficiencies; and The possible future consequences of the deficiency. . Factors that affect the magnitude of the misstatement that might result from a deficiency or deficiencies in controls include, but are not limited to, the following The financial statement amounts or total of transactions exposed to the deficiency; and The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods. In evaluating the magnitude of the potential misstatement, the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount, while understatements could be larger. Also, in many cases, the probability of a small misstatement will be greater than the probability of a large misstatement. . The auditor should evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material.

Indicators of Material Weaknesses:

Indicators of material weaknesses in internal control over financial reporting include Identification of fraud, whether or not material, on the part of senior management; Restatement of previously issued financial statements to reflect the correction of a material misstatement; Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's internal control over financial reporting; and Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee. When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally

Institute of Southern Punjab Multan 24

Audit Project Report 2013

accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.

WRAPPING-UP AUDITORS OPINION

Forming an Opinion:
The auditor should form an opinion on the effectiveness of internal control over financial reporting by evaluating evidence obtained from all sources, including the auditor's testing of controls, misstatements detected during the financial statement audit, and any identified control deficiencies. As part of this evaluation, the auditor should review reports issued during the year by internal audit (or similar functions) that address controls related to internal control over financial reporting and evaluate control deficiencies identified in those reports. After forming an opinion on the effectiveness of the company's internal control over financial reporting, the auditor should evaluate the presentation of the elements that management is required, under the SEC's rules, to present in its annual report on internal control over financial reporting. If the auditor determines that any required elements of management's annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should follow the direction in paragraph C2. The auditor may form an opinion on the effectiveness of internal control over financial reporting only when there have been no restrictions on the scope of the auditor's work. A scope limitation requires the auditor to disclaim an opinion or withdraw from the engagement

REPORTING ON INTERNAL CONTROL:

The auditor's report on the audit of internal control over financial reporting must include the following elements A title that includes the word independent ; A statement that management is responsible for maintaining effective internal control over financial reporting and for assessing the effectiveness of internal control over financial reporting; An identification of management's report on internal control; A statement that the auditor's responsibility is to express an opinion on the company's internal control over financial reporting based on his or her audit; A definition of internal control over financial reporting as stated in paragraph A5; A statement that the audit was conducted in accordance with the standards of the Public Company Accounting Oversight Board (United States);

Institute of Southern Punjab Multan 25

Audit Project Report

2013

A statement that the standards of the Public Company Accounting Oversight Board require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects; A statement that an audit includes obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as the auditor considered necessary in the circumstances; A statement that the auditor believes the audit provides a reasonable basis for his or her opinion; A paragraph stating that, because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate; The auditor's opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date, based on the control criteria; The manual or printed signature of the auditor's firm; The city and state (or city and country, in the case of non-U.S. auditors) from which the auditor's report has been issued; and The date of the audit report. Final opinion

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of HBL as of December 31, 2011 and 2012, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 2012 in conformity with accounting principles generally accepted in the United States of America. Also in our opinion, HBL maintained, in all material respects, effective internal control over financial reporting as of December 31, 2011, based on [ Identify control criteria [ Signature ] [ City and State or Country ] [ Date ]
Institute of Southern Punjab Multan 26

Audit Project Report 2013

Report Date:
. The auditor should date the audit report no earlier than the date on which the auditor has obtained sufficient appropriate evidence to support the auditor's opinion. Because the auditor cannot audit internal control over financial reporting without also auditing the financial statements, the reports should be dated the same.

Weaknesses in Report:
If there are deficiencies that, individually or in combination, result in one or more material weaknesses, the auditor must express an adverse opinion on the company's internal control over financial reporting, unless there is a restriction on the scope of the engagement. / When expressing an adverse opinion on internal control over financial reporting because of a material weakness, the auditor's report must include The definition of a material weakness, as provided in paragraph A7. A statement that a material weakness has been identified and an identification of the material weakness described in management's assessment. If the material weakness has not been included in management's assessment, the report should be modified to state that a material weakness has been identified but not included in management's assessment. Additionally, the auditor's report should include a description of the material weakness, which should provide the users of the audit report with specific information about the nature of the material weakness and its actual and potential effect on the presentation of the company's financial statements issued during the existence of the weakness. In this case, the auditor also should communicate in writing to the audit committee that the material weakness was not disclosed or identified as a material weakness in management's assessment. If the material weakness has been included in management's assessment but the auditor concludes that the disclosure of the material weakness is not fairly presented in all material respects, the auditor's report should describe this conclusion as well as the information necessary to fairly describe the material weakness. . The auditor should determine the effect his or her adverse opinion on internal control has on his or her opinion on the financial statements. Additionally, the auditor should disclose whether his or her opinion on the financial statements was affected by the adverse opinion on internal control over financial reporting.

Institute of Southern Punjab Multan 27

Audit Project Report 2013

EVALUATING THE RESULTS OF THE AUDIT OF FINANCIAL STATEMENTS:

In forming an opinion on whether the financial statements are presented fairly, in all material respects, in conformity with the applicable financial reporting framework, the auditor should take into account all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements. In the audit of financial statements, the auditor's evaluation of audit results should include evaluation of the following: a. The results of analytical procedures performed in the overall review of the financial statements ("overall review"); b. Misstatements accumulated during the audit, including, in particular, uncorrected misstatements c. The qualitative aspects of the company's accounting practices; d. Conditions identified during the audit that relate to the assessment of the risk of material misstatement due to fraud ("fraud risk"); e. The presentation of the financial statements, including the disclosures; and c. The sufficiency and appropriateness of the audit evidence obtained

PREPARATION AND SUBMISSION OF AUDIT REPORT:

The audit report is the end product of the audit. It is through the medium of the audit report that the auditor conveys his observations/comments on the financial statements. The form and content of the audit report should be determined by the auditor taking into account his terms of engagement and applicable statutory, regulatory and professional

Statement of Internal Control HBL

The system of internal control is based on an ongoing process designed to identify the principal risks to the achievements of the Banks policies, aims and objectives, to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically. Management assumes the responsibility of establishing and maintaining adequate internal controls and
Institute of Southern Punjab Multan 28

Audit Project Report 2013

procedures under the policies approved by the Board. In this connection the Bank has documented Procedures and Manuals, which incorporates the internal controls applicable while conducting any banking transactions. These procedures are revised and updated as and when required. The Internal Audit Group (IAG) of the Bank reviews the adequacy and implementation of internal controls on a regular basis and deficiencies if any are followed up until they are rectified. Quarterly updates on unresolved significant issues highlighted by the IAG are reviewed by the Audit Committee of the Board of Directors together with the recommendations for improvements. The system of internal control is designed to minimize the risk of failure to achieve the organizations policies, aims and objectives; it can therefore, only provide reasonable and not absolute assurance against material misstatements or loss. The system of internal controls being followed by the Bank is considered adequate and sound in design and is being effectively implemented and monitored. HBL is in compliance with the requirements and timelines of Staged Roadmap for implementation of the State Bank of Pakistan (SBP) Internal Control Guidelines. The Bank has adopted internationally accepted COSO Internal Control Integrated Framework for overall set of Internal Controls and is submitting quarterly status report on the progress of the Banks compliance with the Internal Controls over Financial Reporting (ICFR) based on the road map issued vides BSD Circular dated February 24, 2009. There is a formal process of approval by the Board audit committee on a quarterly basis as required under BSD Circular dated January 16, 2012. The External Auditors of the Bank has completed the Long Form Report on the Banks internal controls as of September 30, 2012 which has been submitted to SBP.

Auditors Report To the members - Consolidated

We have audited the annexed consolidated financial statements comprising consolidated statement of financial position of Habib Bank Limited (the Bank) and its subsidiary companies as at 31 December 2012 and the related consolidated profit and loss account, consolidated statement of comprehensive income, consolidated statement of changes in equity and consolidated cash flows statement together with the notes forming part thereof, for the year then ended. We have also expressed separate opinions / conclusions on the financial statements of Habib Bank Limited and its subsidiary companies namely HBL Asset Management Limited, First Habib Bank Moradabad and HBL Currency Exchange (Private) Limited. The financial statements of remaining subsidiary companies were audited / reviewed by other firms of Chartered Accountants whose reports have been furnished

Institute of Southern Punjab Multan 29

Audit Project Report 2013

to us and our opinion in so far as it relates to the amounts included for such companies, is based solely on the reports of such other auditors. These consolidated financial statements are the responsibility of the Banks management. Our responsibility is to express an opinion on these consolidated financial statements based on our audit. Our audit was conducted in accordance with the International Standards on Auditing and accordingly included such tests of accounting records and such other auditing procedures as we considered necessary in the circumstances. In our opinion, the consolidated financial statements present fairly the financial position of Habib Bank Limited and its subsidiary companies as at 31 December 2012 and the results of their operations for the year then ended.

Ernst & Young Ford Rhodes Sidat Hyder Chartered Accountants Audit Engagement Partner: Omer Chughtai Date: February 12, 2013 Karachi

Institute of Southern Punjab Multan 30