


Ashvin Parekh & Manil Jayasinghe


The underlying purpose of the Basel Accord is the protection of depositors through prescriptive rules for measuring capital adequacy, evolving a common language to assess the quality of banks' assets and liabilities, evolving methods of determining regulatory capital, and ensuring efficient use of capital.

The Basel Committee on Banking Supervision released the final version of the new Basel II Accord in June 2004. The new set of rules will replace the capital accord of 1988 but will not come into effect until end 2006. It will be more risk-sensitive than the current regime and will significantly reduce the incentive for capital arbitrage. Higher risks will, at least in principle, result in higher risk weights and thus higher capital requirements.

The New Capital Accord is founded on the following three pillars. In order to evaluate the role of auditors under the accord, it is important to examine these more closely :

A time-frame has been set under Basel II in which the year 2006-2007 is critical, as banks move up the ladder in sophistication. Initially, banks have to adopt the Standardized Approach for Credit Risk and the Basic Indicator Approach for Operational Risk. After adequate skills are developed, both at the banks and at supervisory levels, some banks may be allowed to migrate to the Internal Rating Based Approach.

The auditor has a substantial role to play in compliance with the Basel II norms. His role would be primarily restricted to Pillar I and would mainly involve:

- Feasibility study and benchmarks as to the best approach to be adopted by the banks in order to monitor the Credit Risk, Operational Risk and Market Risk.
- Validation of benchmarks adopted by the management and interpretation of benchmarks and stratification of major issues in the light of the industry knowledge and regulatory insight (e.g. issues expected to be subject to heavier regulatory scrutiny)
- Diagnostic / gap analysis prior to implementation of Basel II
- Periodic checks to ensure that the bank is on track.
- IT Systems Reviews for Market Risk Management

The external auditors may be called upon to review the quality of internal controls and systems and to assess the scope and adequacy of the internal audit function.

Pillar 1 – Minimum Capital Charge

1. Credit Risk

Credit Risk is most simply defined as the potential for a borrower or a counterparty to fail to meet its obligations in accordance with agreed terms. The goal of credit risk management is to maximize a bank’s risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual transactions.

There are three progressive approaches to calculating capital charges on credit risk: the Standardized Approach, the Foundation Internal Rating Based (‘IRB’) Approach and the Advanced IRB Approach.

Standardized Approach

Under the Standardized Approach, a risk weight would be applied to each asset based on its external credit rating assigned by a rating agency. In each country, the regulator would approve the rating agencies in the country and decide on the applicable risk weight for each rating agency. The framework proposes four risk weights – 20%, 50%, 100% and 150% – for different grades of borrowers. The auditor’s role in the case of the Standardized Approach would be restricted to verifying the correct assignment of the risk weights prescribed by the external credit rating agencies to each asset.

IRB Approach

The IRB Approach, comprising the Foundation IRB Approach and the Advanced IRB Approach, allows banks to use internal rating processes, i.e. their own management and risk measurement methods, to calculate the regulatory capital charge. To be recognized by the supervisors, these internal ratings must meet various minimum quantitative and qualitative requirements. Certain qualifying criteria are intended to ensure that the rating system and rating process, as well as the risk components, are adequate for each bank.

The Advanced IRB Approach explicitly requires banks to assess credit exposures for each customer and for each credit facility using the following measures:

- Probability of Default (‘PD’) – the probability that a specific customer will default within the next 12 months.
- Loss Given Default (‘LGD’) – the percentage of each credit facility that will be lost if the customer defaults.
- Exposure at Default (‘EAD’) – the expected exposure for each credit facility in the event of a default.

Foundation IRB Approach

In the Foundation IRB Approach, banks would internally estimate the PD for each rating category. The estimate of LGD would be provided by the regulator.

The Framework provides a risk weight curve, which gives the risk weight for each combination of PD and LGD. To be eligible for adopting the Foundation IRB Approach, the bank would need to satisfy the following minimum requirements:

- Existence of an independent group within the bank carrying out credit rating;
- Separate assessment of default risk of borrower and transaction;
- Minimum seven rating grades for performing and one grade for nonperforming borrowers;
- Specific rating criteria for distinguishing each rating grade;
- Enough grades for avoiding undue concentrations of borrowers in a grade;
- Minimum five years history of PD estimates; and
- Exposures categorized into asset classes (corporate, sovereign, bank, retail and equity).

The auditor’s role in the case of the Foundation IRB Approach would be to review the policies and procedures followed by the bank for the internal rating and risk management process, and the related documentation and process manuals. The auditor can also perform an independent review of the risk measurement system. The auditor must review at least annually the bank’s rating system and its operations, including the operations of the credit function and the estimation of PDs.

Advanced IRB Approach

The Advanced IRB Approach is similar to the Foundation IRB Approach. However, under the Foundation IRB Approach, the bank regulator provides the estimates of the values used in establishing losses (i.e. LGD, EAD and Maturity (‘M’)). Under the Advanced IRB Approach, the bank provides the PD, LGD, EAD and M. Another major element of the IRB Approach pertains to the treatment of credit risk mitigants, namely collateral, guarantees and credit derivatives.

Under the Advanced IRB Approach, a bank with a sufficiently developed internal capital allocation process would be permitted to use its own inputs for estimation of potential future loss. Banks seeking to use this approach would need to have LGD and EAD data history for at least seven years, in addition to meeting all the criteria stipulated for the Foundation IRB Approach.

The auditor’s role in the case of the Advanced IRB Approach may be similar to that under the Foundation IRB Approach, except that the auditor would additionally have to verify the bank’s procedure for estimation of the LGD.

2. Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or internal events (excluding strategic and reputational risk). There are three approaches to operational risk: the Basic Indicator Approach, the Standardised Approach and the Advanced Measurement Approach (‘AMA’).

Basic Indicator Approach

The Basic Indicator Approach sets the capital requirement for operational risk at a fixed percentage (alpha factor of 15%) of the bank’s average annual gross income over the previous three years. Years where annual gross income was negative or zero are to be disregarded. The Basel Committee has defined gross income as net interest income and has allowed each relevant national supervisor to define gross income in accordance with the prevailing accounting practices. Accordingly many regulators have defined gross income as Net profit (+) provisions and contingencies (+) operating expenses (Schedule 16) (-) profit on sale of Held to Maturity (‘HTM’) investments (-) income from insurance (-) extraordinary / irregular item of income (+) loss on sale of HTM investments.

This is a very straightforward approach that does not require the auditor to perform any procedures beyond those he was already performing, i.e. verifying that the income was fairly stated and recognized in the financial statements.

Standardised Approach

Under the Standardised Approach the Bank’s activities are divided into eight business lines. A capital charge is required for each one of these business lines. This capital charge is a fixed percentage (beta factor) of the average annual gross income (as defined in the Basic Indicator Approach above) of each business line over the previous three years. The annual total capital charge is calculated as a three-year average by simply adding together the regulatory capital charges of the individual business lines. As can be seen, the key for the Standardised Approach is the recording of the total income between the various business lines and hence it is essential for the auditor to verify the internal controls related to capturing of financial and business information across the various business lines.

Advanced Measurement Approach

Banks the world over are in the process of developing different methodologies for measuring the operational risk capital charge. In view of this, the Basel Committee has been less prescriptive in respect of the Advanced Measurement Approaches, which would be based on an estimate of operational risk derived from a bank’s internal risk measurement system and are, therefore, expected to be more risk-sensitive than the other two approaches.

Under the AMA, each bank can use its own measurement method for operational risk.

The key features of AMA are: (i) it is based on the collection of loss data; (ii) the characteristics of “low frequency/high severity” for each event type, in addition to the business line, can be reflected. Each bank is to measure the required capital based on its own loss data using the holding period and confidence interval determined by the regulators.

From a corporate governance point of view, the banks would need to have the following in place to follow AMA:

- Board and Senior Management oversight
- Independent enterprise-wide operational risk framework and function
- Policies and procedures for all aspects of the operational risk framework
- Independent testing and verification (e.g. audit)
- Lines of business responsible for day-to-day risk management
- Reporting of operational risk exposures, losses, risk indicators, etc. to Board and Senior Management
- Sound internal control environment

The auditor needs to verify the following in case the bank adopts the AMA approach:

- The effectiveness of the bank’s risk management process and overall control environment with respect to operational risk;
- The bank’s methods for monitoring and reporting its operational risk profile, including data on operational losses and other indicators of potential operational risk;
- The bank’s procedures for the timely and effective resolution of operational risk events and vulnerabilities;
- The effectiveness of the bank’s operational risk mitigation efforts, such as the use of insurance;
- The quality and comprehensiveness of the bank’s disaster recovery and business continuity plans;
- To ensure that, where banks are part of a financial group, there are procedures in place to ensure that operational risk is managed in an appropriate and integrated manner across the group. In performing this assessment, cooperation and exchange of information with other supervisors, in accordance with established procedures, may be necessary.
- To verify how frequently the bank’s Manual of Instructions is updated and whether the guidelines are clear and disseminated to all levels in the bank.
- To verify what punishment measures for intentional/deliberate mistakes and frauds are in place and how effective they are.

3. Market Risk

Jurisdictions where banks are statutorily required to maintain liquid assets in the form of cash and government/approved securities (as in India, under the statutory liquidity ratio) tend to cause the banks to expose themselves to market risk. A bank’s investment portfolio is subject to volatility in the value of securities due to changes in their prices which, in turn, may be a result of changes in interest rates, currency rates or equity and commodity prices. Market risk is not covered under Basel-II. Prior to Basel-II itself, two approaches to capital allocation for market risk were outlined: the standardised measurement method and the internal models approach. The Reserve Bank of India (“RBI”) has recently issued guidelines for computation of capital for market risk based on the standardised measurement method. This method involves computing capital based on the duration of the portfolio.

Though there have been no significant changes in the area of market risk measurement and management in the past few years, the auditor’s role would lie in reviewing the provisions arising out of risk weightages associated with different financial assets/instruments. There is also embedded market risk in various deposit and loan products where “put or call” options are made available to the customers. Auditors will have to examine/review the determination of provisions arising out of market conditions.

Pillar 3 – Market Discipline

Pillar 3 refers to disclosure requirements and greater transparency. All over the world, banking business is becoming more complicated by the day and concomitantly more difficult for regulators to monitor. It is recognized that tracking signals emanating from the market can assist supervisors in their monitoring function.

This pillar seeks to bring market discipline through greater transparency by asking banks to make adequate disclosures for the benefit of shareholders/investors, depositors, customers, rating agencies, government and policy makers and, of course, the regulators/supervisors. Market discipline has two components:

(a) Market signals, manifested in share price movements, banks’ lending and borrowing rates, etc.;

(b) Responsiveness of the bank, as also the supervisor, to the market signals.

Pillar III provides a comprehensive menu of public and regulatory disclosures related to the capital structure, capital adequacy, risk assessment and risk management processes to enhance transparency in banking operations.

The disclosure requirements increase as the banks move towards more advanced approaches.

Adequate and appropriate disclosure is the responsibility of the banks, and the auditor’s role would be restricted to ensuring the overall fairness of the disclosures.


The Basel Committee has produced extensive guidance on the roles of both the external audit and the internal audit and the way these can be factored into the supervisory process. Market discipline is becoming a key element of supervisory thinking, and market discipline depends on prompt, accurate financial information. External auditors help significantly in ensuring that financial statements are reliable and useful to the marketplace. Periodic financial statements of banking organizations are also used by regulators in their risk-focused supervision programmes. These reports contribute to pre-examination planning, facilitate offsite monitoring programs and ultimately help in determining the institution’s financial condition. A strong external audit program assists regulators in moving away from detailed, burdensome and invasive examinations.

Implementation of Basel II has been described as an interesting journey rather than a destination by itself. Undoubtedly, it would require commitment of substantial capital and human resources on the part of both banks and the supervisors. As envisaged by the Basel Committee, the accounting profession too, will walk the journey with the management and the boards of the banking companies and will of course retain its independence all the same, during the journey.

Ashvin Parekh
Ashvin Parekh is a Partner – National Industry Leader – Financial Services at Ernst & Young Pvt Ltd, India. He has been an Executive Director at Deloitte Touche Tohmatsu India (Pvt) Ltd, a Senior Partner at Arthur Andersen India (Business Consulting), Head of Business Consulting - Price Waterhouse Coopers and also held overseas partnership positions at KPMG (India). He has been a consultant to the Reserve Bank of India, Ministry of Finance and Central Bank of Poland, and several banks in Asia including Bank of Ceylon.

Ashvin's academic and professional qualifications are B.Com (Hons-Mumbai), A.C.S. (India), F.C.A. (India), and A.I.C.W.A. (India).

Manil Jayesinghe

Manil Jayesinghe is a Partner of Ernst & Young, which position he has held since 1993, working in Audit and Management Consultancy. He is also a Director/Partner of all its associate and subsidiary companies and a few other listed public companies.

He is a Fellow Member of the Chartered Institute of Management Accountants (UK) and an Associate Member of the Institute of Chartered Accountants of Sri Lanka.

Manil is a member of the Financial Reporting Faculty and the alternate Chairman of the Urgent Issues Task Force of the Institute of Chartered Accountants of Sri Lanka. He has presented papers on both Accounting and Auditing Standards at the Institute and has served as Group Leader at several National Conferences of the Institute of Chartered Accountants of Sri Lanka.
