34259 V. 2 THE CONSULTATIVE GROUP TO ASSIST THE POOREST [A MICROFINANCE PROGRAM] External Audits of Microfinance Institutions A Handbook Volume 2 For External Auditors Technical Tool Series No. 3 December 1998 Contents Foreword ix Acknowledgments x Acronyms and Abbreviations xi Chapter 1 Introduction 1 1.1 Audiences and uses for this handbook 3 1.2 Limitations of this handbook 4 1.3 Organization of this volume 4 Chapter 2 Auditing Microfinance Institutions: An Overview 5 2.1 Scope of services 5 2.1.1 Annual financial statement audits 5 2.1.2 Agreed-upon procedures 6 2.1.3 Special purpose audits 6 2.2 The contracting process 7 2.3 Auditing standards and accounting standards 7 2.4 Stages of the audit process 8 Chapter 3 Understanding the Microfinance Industry 9 3.1 Background and history of microfinance 9 3.2 Microfinance lending methodologies 10 3.2.1 Differences between microfinance and conventional lending 10 3.2.2 Types of microfinance lending methodologies 11 3.3 Types of institutions providing microfinance 13 3.4 Decentralized operations and internal controls 15 3.5 Fraud issues 15 Chapter 4 Planning the Audit 19 4.1 Gaining knowledge of the business 19 4.1.1 Meetings 19 4.1.2 Visits 21 4.1.3 Review of reports and documents 21 4.2 Understanding accounting standards and methods 21 4.2.1 Accounting standards 21 4.2.2 Accounting methods 21 4.2.3 Financial institution or nonprofit? 22 iii iv EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 4.3 Understanding accounting systems and internal control systems 22 4.3.1 Accounting systems 22 4.3.2 Internal control systems 24 4.4 Assessing audit risk 24 4.4.1 Inherent risk 24 4.4.2 Control risk 25 4.4.3 Detection risk 25 4.5 Defining materiality 25 4.6 Assessing and establishing relationships with internal auditors 27 Chapter 5 Obtaining Audit Evidence: An Overview 29 5.1 Key account balances 29 5.2 Identifying potential errors for each account balance 30 5.3 Identifying business risks for each account balance 30 5.4 Identifying audit risks for each account balance 31 5.5 Performing tests of control 32 5.6 Performing substantive procedures 32 5.7 Determining samples 33 5.7.1 Sampling for tests of control 33 5.7.2 Sampling for substantive procedures 33 5.8 Obtaining management representations 35 Chapter 6 Obtaining Audit Evidence: The Loan Portfolio 37 6.1 What makes MFI portfolios unique? 37 6.2 Business risks 39 6.2.1 Credit risk 39 6.2.2 Fraud risk 40 6.2.3 Interest and exchange rate risk 41 6.3 Audit risk 41 6.4 Tests of control 41 6.4.1 Tests of control at the head office 42 6.4.2 Tests of control at retail outlets 45 6.4.3 Tests of control through client visits 47 6.5 Substantive procedures 47 6.5.1 Tests of detail 48 6.5.2 Analytical procedures 50 6.6 Tests for interest receivable and interest income 51 6.6.1 Interest accrual 51 6.6.2 Interest income testing 51 6.7 Agreed-upon procedures for the loan portfolio 53 Chapter 7 Obtaining Audit Evidence: Loan Loss Provisions and Write-offs 55 7.1 The importance of loan loss provisions 55 CONTENTS v 7.2 The need for loan write-offs 57 7.3 Tests of control 58 7.3.1 Report accuracy 59 7.3.2 Noncash paydown issues 59 7.3.3 Loan loss provisioning 60 7.4 Substantive procedures 61 7.4.1 Tests of detail 61 7.4.2 Analytical procedures 61 7.5 Compliance with laws and regulations 62 Chapter 8 Obtaining Audit Evidence: Cash and Equivalents 63 8.1 Potential business risks 63 8.1.1 Liquidity risk 63 8.1.2 Fraud risk 64 8.2 Potential audit risks 64 8.3 Tests of control 65 8.3.1 Test for segregation of duties 65 8.3.2 Test the movement of cash within the organization 65 8.3.3 Test bank reconciliation procedures 65 8.4 Substantive procedures 66 Chapter 9 Obtaining Audit Evidence: Capital Accounts 67 9.1 Potential business risks 68 9.1.1 Fiduciary risk 68 9.1.2 Regulatory risk 68 9.2 Tests of control 68 9.3 Substantive procedures 69 Chapter 10 Obtaining Audit Evidence: Payables and Accrued Expenses 71 10.1 Tests of control 72 10.1.1 For payables 72 10.1.2 For accrued expenses 72 10.2 Substantive procedures 72 10.2.1 Tests of detail 72 10.2.2 Analytical procedures 73 Chapter 11 Obtaining Audit Evidence: Savings and Deposits 75 11.1 Potential business risks 76 11.2 Tests of control 76 11.3 Substantive procedures 76 11.3.1 Tests of detail 76 11.3.2 Analytical procedures 76 vi EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 Chapter 12 Obtaining Audit Evidence: Revenue and Expenses 77 12.1 Potential risks 77 12.2 Tests of control 78 12.3 Substantive procedures 78 Chapter 13 Reporting 79 13.1 The audit report 79 13.1.1 Unqualified opinion 80 13.1.2 Unqualified opinion with an emphasis of matter 81 13.1.3 Qualified opinion 81 13.1.4 Disclaimer of opinion 82 13.1.5 Adverse opinion 83 13.2 The management letter 84 Boxes 4.1 Summary of ISA 400 on accounting systems and internal control systems 23 4.2 Summary of ISA 400 on inherent risk and control risk 24 4.3 Example of control risk in an MFI 25 4.4 Summary of ISA 320 on materiality 26 4.5 Example of a calculation of materiality for an MFI 27 4.6 Example of using internal auditing work 28 5.1 Summary of ISA 400 on detection risk 31 5.2 Summary of ISA 400 on tests of control 32 5.3 Summary of ISA 520 on analytical procedures 33 5.4 Summary of ISA 530 on audit sampling 34 6.1 Examples of MFI experiences with fraud 40 6.2 Possible elements of an MFI's credit policy 43 6.3 Illustrative loan file elements to be tested 46 6.4 Illustrative issues for client interviews 48 6.5 Example of sample size determination for client visits 49 13.1 Example of an auditor's report expressing an unqualified opinion 80 13.2 Example of an emphasis of matter paragraph 81 13.3 Example of an emphasis of matter paragraph relating to a going concern 81 13.4 Example of a qualified opinion due to a limitation on scope 82 13.5 Example of a qualified opinion due to a disagreement on accounting policies (inappropriate accounting method) 82 13.6 Example of a disclaimer of opinion due to a limitation on scope 83 13.7 Example of an adverse opinion due to a disagreement on accounting policies (inadequate disclosure) 83 Figure 4.1 Ideal reporting lines for internal auditing 28 CONTENTS vii Tables 4.1 Initial considerations in planning an MFI audit 20 4.2 Examples of materiality levels 26 4.3 Working with internal auditors in an MFI 27 5.1 Examples of potential errors in account balances 30 7.1 An illustrative loan aging schedule and corresponding loss provisions 56 Foreword Microfinance is the provision of banking services for the poor. Over the past 20 years the field has been revolutionized as dozens of microfinance institutions (MFIs) have demonstratedthefeasibilityofdeliveringsuchservicesonafinanciallysustainablebasis. Havingdevelopedservicesthatcanberunprofitablywithcommercialsourcesoffunds, these institutions are positioned to expand their outreach to the poor far beyond the limitsofscarcedonorandgovernmentfunding.Inthiscontext,manyMFIsaredevot- ing increased attention to financial management and financial reporting. TheConsultativeGrouptoAssistthePoorest(CGAP)isamultidonorconsortium dedicatedtotheadvanceofsustainablemicrofinanceworldwide.Webelievethatexter- nal audits can be an important tool for improving the quality and credibility of MFIs' financial reporting and management. At the same time, we have observed that MFIs, donors, and auditors often invest major effort and expense in audits without getting an appropriate return in terms of the transparency and reliability of the audited informa- tion. Audits often do a reasonable job of tracking the uses of donor funds, but far less often produce a meaningful picture of the health of an MFI's financial service business. CGAP has produced this handbook to help audit customers--meaning the boards of directors and managers of MFIs, donors, creditors, and investors-- contract for audits that are more responsive to their needs, and to help audit firms deal with some of the unique issues presented by microfinance operations. Microfinance differs in crucial respects from commercial banking and other businesses with which auditors are more familiar. Because this handbook is breaking new ground, we are sure that experience with its use will suggest many areas for improvement. Thus we are anxious to hear from the staff of audit firms, MFIs, and donors who have put it to the test of prac- tical use. These busy people may not find it easy to free up time to offer comments about their experience with this handbook. Still, we know that many of them share our belief in the immense human worth of microfinance efforts, and hope that they will be motivated to help improve this tool in subsequent editions. PleasecommunicateanycommentsandsuggestionstoRichardRosenberg(rrosen- berg@worldbank.org) or Jennifer Isern (jisern@worldbank.org). CGAP's telephone numberis+1202-473-9594,itsfaxnumberis+1202-522-3744,anditsmailingaddress is World Bank, Room Q 4-023, 1818 H Street NW, Washington, D.C. 20433, USA. Mohini Malhotra General Manager Consultative Group to Assist the Poorest December 1998 ix Acknowledgments The handbook was prepared with the assistance of Deloitte Touche Tohmatsu International. Robert Peck Christen and Richard Rosenberg of CGAP wrote parts of the handbook and revised all of it. Jennifer Isern and Ira Lieberman of CGAP reviewed the handbook and provided useful comments. The handbook was edited by Paul Holtz, laid out by Garrett Cruce, and proofread by Daphne Levitas, all of Communications Development Incorporated. Special thanks are due to the management and staff of the MFIs that were visited during the preparation of thishandbook--PRODEMandFIEinBolivia,FINCAandCERUDEBinUganda, and BRAC and Buro Tangail in Bangladesh--as well as the audit firms consulted during this process. x Acronyms and Abbreviations CGAP Consultative Group to Assist the Poorest GAAP generally accepted accounting principles IAS International Accounting Standards ISA International Standards on Auditing MIS management information system MFI microfinance institution NGO nongovernmental organization xi CHAPTER 1 Introduction This brief chapter discusses the need for this handbook, offers sugges- tions for its use, and underscores its limitations. Microfinance--the provision of banking services for the poor--has been a growth industry for the past 20 years. In 1997 an estimated 7,000 microfi- nance institutions (MFIs) around the world were offering tiny loans to microen- terprises, deposit services tailored to the needs of poor households, and other financial services such as transfers. To date most of these institutions have been nonprofit, nongovernmental organizations (NGOs). But many credit External audits often unions, especially in Africa, are offering microfinance services, and a few fail to produce an licensed finance companies and commercial banks are beginning to enter the market. adequate review At present most microfinance is funded by donors and governments. But of an MFI's financial stronger MFIs are realizing that the demand for their services far outstrips the limited supply of donor and government funds. At the same time, they have shown position--especially its that they can provide microfinance on a financially sustainable basis: customers loan portfolio find MFIs so valuable that they are willing to pay the full cost of their services. When an MFI becomes financially sustainable, it can begin funding its loans with deposits and other commercial sources of capital. In doing so it escapes the lim- itations inherent in donor funding, while providing a safe and convenient savings service to its customers. In this context, boards of directors and managers of MFIs, as well as the donors that fund them, are focusing more closely on MFIs' financial reports. External audits have traditionally been the principal means of assuring the accuracy and meaningfulness of those reports. But experience has shown that external audits often fail to produce an adequate review of an MFI's financial position and inter- nal controls--especially when it comes to information on its loan portfolio. There are three main reasons external audits often fall short: · Customers requesting external audits--boards, managers, and donors--often do not understand what audits can and cannot be expected to do. Nor do they understand what special procedures, beyond the scope of a normal statutory 1 2 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 audit, may be needed to address certain issues, or how to craft terms of refer- ence that communicate their needs to the auditor. · Donors often provide terms of reference for external audits, but these usually focus on compliance with the donors' loan or grant agreements and on track- ing the specific uses of the donors' funds, rather than on the financial health of the audited institution's microfinance business. · Few external auditors have much experience with microfinance. Thus they seldom understand the unique features of the microfinance business, which Typical financial call for different audit procedures than those used in conventional financial businesses. statement audit procedures are not A further problem with audits of MFIs is that they often absorb too much time of auditors and MFI staff with issues that are not especially material to the main well-suited to risks inherent in the microfinance business. Audit firms tend to assign junior staff detecting some to MFI audits, and these staff often focus on checking compliance with detailed common deficiencies lists of accounting and operational prescriptions--not all of which are highly rel- evant to the basic soundness of the MFI's financial reporting or the security and of microfinance efficiency of its operations. For this reason, this handbook emphasizes a "risk- portfolios based" audit approach: the external auditor must evaluate the relative importance of various areas of risk and focus most of the audit work on those areas that are most material to the business being audited. For example, voluminous loan doc- umentation and multilevel approval procedures are standard in normal commer- cial banking but may be utterly impractical in a microcredit setting. Discriminating between important and less important issues requires an exercise of judgment that is possible only if the auditor understands the MFI's business. Most auditors will have to devote considerable time to learning this business, but this effort should be amply rewarded by saving time that would otherwise be devoted to elaborate testing of items that are in fact less material. Reference was made above to "unique features" of the microfinance busi- ness. Most of these features have to do with an MFI's loan portfolio. And it is precisely the loan portfolio that is the most common source of serious prob- lems that escape disclosure, or even management's attention--sometimes until it is too late to deal with them. Typical financial statement audit procedures are not well-suited to detecting some common deficiencies of microfinance port- folios. Thus the chapters in each volume dealing with procedures for review- ing loan portfolio systems are among the most important parts of this handbook. Those chapters, more than the rest of the handbook, contain material that is unlikely to be found elsewhere. Auditors and audit customers should review them especially closely. Readers will note that the handbook devotes much more attention to MFIs' loan operations than to their savings operations. This certainly does not reflect a view that credit is more important than deposit services for poor clients. If any- thing, the opposite is often true. Many MFIs want to become licensed financial institutions, not only to gain access to commercial funding but also to provide INTRODUCTION 3 savings services to their target clients. Savings services receive only brief treat- ment here, however, because few MFIs are licensed to take savings and because audits of MFIs' savings operations, unlike audits of their credit operations, can be quite similar to audits of commercial banks. Another key element of this handbook is annex A, which offers guidelines for the content and presentation of MFIs' financial statements. If these guidelines are followed, readers of audited financial statements will be much better able to judge whether an MFI has a business that can grow beyond the limited availabil- ity of subsidized donor funding. The handbook is divided into two 1.1 Audiences and uses for this handbook volumes, for two distinct audiences The handbook is divided into two volumes, for two distinct audiences. Volume 1 is primarily for clients of external audits--including boards, managers, and staff of MFIs, as well as outside investors, especially donors. Topics covered in volume 1 include: · What to expect--and what not to expect--from external audits · The relationship between internal and external audit functions · The different products that external auditors can be asked for, including spe- cial purpose audits and agreed-upon procedures · How to commission an audit, including writing terms of reference and select- ing the auditor · Special issues associated with MFIs' loan portfolios · How audits are conducted · How audit reports should be interpreted. Volume 2 is for external auditors. It provides an overview of the microfinance industry--general concepts that must be supplemented by a thorough education in the business and methodology of the MFI being audited. Volume 2 also pro- vides guidance on a range of audit issues that are specific to MFIs. External audi- tors should review volume 1 as well, especially chapter 4 (which guides clients in defining the scope of work they require) and chapter 5 (which describes the chal- lenges posed by microfinance portfolios). Both volumes may be of interest to government regulators and supervisors. As the microfinance industry grows, banking authorities in many countries are being forced to confront the issue of supervising MFIs. Experience has made it clear that efficientsupervisionofMFIsrequiressomeadjustmentintheregulationsandexam- ination procedures applied to more conventional financial intermediaries. This handbook is not an examination manual, but its contents might be useful in the preparation of such a manual. In any event, supervisors responsible for overseeing MFIs may wish to refer them and their auditors to this handbook. A set of annexes illustrates material in both volumes. 4 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 1.2 Limitations of this handbook This handbook is not an accounting manual. It provides little guidance on account- ingsystemsorinternalcontrols.MFIsshouldhavetheirownaccountingprocedures, manuals, and internal controls in place before commissioning an external audit. Nor is this handbook an audit manual. It should be used only to supple- ment authoritative audit standards and the audit firm's internal policies, in the context of the laws and regulations applicable to the entity being reviewed. Even though the handbook is not an authoritative audit manual, volume 1 sug- gests that an MFI commissioning an audit might use the handbook in its con- tracting process. Before contracting an audit, the client might well ask the auditor to review the handbook, and to note in writing and discuss with the client, any major elements of the handbook's guidance that the auditor does not believe should be implemented due to issues of practicality, cost, or conflicting authoritative guidance. Volume 2 is addressed to auditors of a wide range of MFIs in a wide variety of coun- tries. Because these auditors vary immensely in experience and sophistication, it has been difficult to provide a level of discussion that is appropriate for all readers. In particular, experienced auditors may have little use for material on general audit principles. It is hoped that such readers will understand the reason for including this material, and focus on matters that are more specific to the challenges of MFI audits. 1.3 Organization of this volume Chapters 2­5 of this volume provide an overview of MFI audits and background on the microfinance industry--including discussion of how MFIs differ from con- ventional financial institutions. These chapters also review the audit standards and procedures most relevant to an MFI audit. Auditors who are auditing an MFI for the first time, or whose countries do not have national auditing standards, should review chapters 2­5 carefully. More experienced auditors may already be familiar with some of the material they contain. Chapters 6­13 contain information that is likely to be useful to all MFI audi- tors. These chapters offer specific suggestions on obtaining audit evidence for key account balances in MFIs. CHAPTER 2 Auditing Microfinance Institutions: An Overview This chapter describes the scope of services that MFIs and donors can request from external auditors. It also outlines the MFI audit process, as a framework for the information in the chapters that follow. 2.1 Scope of services The "client" in an MFI audit may be the MFI itself or an outside investor such as a donor, creditor, or potential purchaser of shares. Donors commonly add spe- cial requirements to the audit terms of reference. An MFI audit engagement usually includes some combination of the follow- The auditor needs ing services: to ensure that client · An annual financial statement audit expectations are · Performance of agreed-upon procedures clarified before the · A special purpose audit. start of the engagement 2.1.1 Annual financial statement audits Auditing an MFI looks similar to auditing a conventional financial institution. MFIs make loans, have significant cash reserves, and typically have a low pro- portion of fixed assets. There are, however, important differences between the two types of audits. MFIs make and manage loans very differently from conven- tional banks. Many MFIs conduct their finance business within the legal struc- ture of a nonprofit nongovernmental organization (NGO), funded largely by donations and heavily subsidized loans. This unique blend of a financial business with an NGO structure creates important differences in MFIs' financial state- ments and the process of auditing them. MFIs and donors are often not aware of what a financial statement audit cov- ers, especially when an MFI is being audited for the first time. Thus the audi- tor needs to ensure that client expectations are clarified before the start of the engagement and clearly documented in the terms of reference or engagement agreement. (Given the guidance provided in volume 1 and the special circum- stances of MFIs, auditors should be prepared for detailed terms of reference in 5 6 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 audits of MFI financial statements; annex C provides an illustrative terms of ref- erence.) Because MFIs have varying levels of organizational development and finan- cial management capacity, the management letter can be a particularly useful audit output. Volume 1 advises that management letters always be requested in MFI audits. External auditors should pay close attention to this deliverable. Volume 1 encourages 2.1.2 Agreed-upon procedures Loan portfolio systems are the area of highest risk in an MFI's business, and cre- clients to focus on ate issues that are different from those in commercial bank loan portfolios. A tests of portfolio normal financial statement audit often fails to develop enough evidence to judge systems; some of these the quality of an MFI's portfolio systems and information. Conventional audit procedures may miss significant areas of risk stemming from inadequate port- may fall outside the folio information or deceptive practices. As a result the external auditor may scope of a normal not have a sound basis on which to gauge the adequacy of reported loan loss provisions. financial statement For this reason, volume 1 encourages MFI audit clients to focus special atten- audit tion on tests of portfolio systems. Some of the work necessary in this area may fall outside the scope of a financial statement audit, and thus should be incorpo- rated as additional agreed-upon procedures or as special purpose audits of man- agement information systems or internal controls. Annex C contains illustrative terms of reference for procedures to test loan portfolio systems and reporting. 2.1.3 Special purpose audits MFIs often request special purpose audits. In most cases these are required by a donor who wants to track the use of its funds and ensure compliance with the terms of its agreement with the MFI. (Chapter 4 of volume 1 encourages donors to limit such requirements to the extent possible.) The donor will often specify the terms of reference for such work.1 In other cases the MFI may request a special purpose audit of its internal con- trols or management information systems. (As noted, much of the work needed to justify an assurance about the value of an MFI's portfolio and the adequacy of its loan loss provisions consists of a review of management information systems and internal controls. A special purpose audit of these systems could be conducted when the client wants testing and analysis beyond what is required for a normal financial statement audit.) Volume 1 advises clients to seek help from their exter- nal auditors in defining the scope of work for these types of special audit. Donor requirements sometimes force MFIs into multiple audits, an approach that can be duplicative and inefficient. There is, however, some momentum among donors toward a "single-audit" approach, discussed in section 4.1 of volume 1. In cases where multiple audit requirements result in the use of more than one audit firm, coordination between the firms is essential. AUDITING MICROFINANCE INSTITUTIONS: AN OVERVIEW 7 2.2 The contracting process The contracting process for an MFI audit may be different from the process for other institutions. As noted, an MFI may never have been audited, or a donor may be involved in the contracting process. In addition, many MFIs seek a broader relationship with their external auditor, including assistance in internal auditing or in setting up accounting systems or other finance depart- ment activities. This relationship tends to be fluid and not particularly sus- ceptible to formal bidding arrangements. Moreover, it may require careful Many MFIs do structuring to minimize the potential conflict with the objectivity of the exter- not adhere to a nal audit. Given some MFIs' restricted budgets and pro bono orientation, they may specific reporting favor external audit firms that will donate part of their services or offer a higher framework implicit level of service than that included in the terms of reference. Some audit firms are motivated to accept an engagement on less lucrative terms because they want to support the MFI's humanitarian mission, or because they view the engagement as a way to gain a foothold in a rapidly growing industry. Auditors should consult chapter 4 of volume 1, which provides detailed sug- gestions for MFIs commissioning audits. For instance, clients are encouraged to request that potential auditors participate in a pre-proposal survey of the MFI and give an oral presentation of their audit proposal. In particular, clients are advised to ask the auditor to review this handbook before contracting the audit, and to indicate in writing any major elements of its guidance that the auditor does not believe should be implemented due to issues of practicality, cost, or conflicting authoritative guidance. Any significant proposed deviation should be discussed and resolved with the client. 2.3 Auditing standards and accounting standards In undertaking an MFI audit, the external auditor should be guided by the coun- try's national auditing standards. In countries that do not have such standards, the auditor should use the International Standards on Auditing (ISA) published by the International Federation of Accountants.1 In a financial statement audit the auditor is required to express an opinion on whether the financial statements present fairly, in all material respects, the MFI's financial position in conformity with a specific accepted reporting framework, such as national generally accepted accounting procedures or International Accounting Standards. But external auditors should be aware that many MFIs do not adhere to a specific reporting framework. Even when an MFI claims that it follows "generally accepted accounting principles," it is often unclear whether these principles refer to national standards, the principles of a Western country, or International Accounting Standards. Annex B provides further discussion of accounting and auditing standards. 8 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 2.4 Stages of the audit process Because of the small size of many MFIs, the unregulated nature of their business activities, and their small audit budgets, there may be a temptation to cut corners during MFI audits. External auditors should not, however, underestimate the com- plexity of these audits. MFIs' unconventional lending methodologies, their large number of loan transactions, and the geographic and operational decentralization External auditors of their operations can present audit challenges. These challenges may be com- should not pounded by weak internal controls in many MFIs and by the auditor's lack of expe- underestimate the rience with the microfinance industry. While each audit firm will have its own procedures, this volume provides MFI- complexity of specific guidance for the various phases of the audit process, following the ISA microfinance audits outline: · Understanding the microfinance industry (chapter 3) · Planning the audit (chapter 4) · Obtaining audit evidence (chapters 5­12) · Reporting (chapter 13). Note 1. ISAs can be obtained from the International Federation of Accountants, 535 Fifth Avenue, 26th floor, New York, NY 10017, USA; tel.: +1 212-286-9344; fax: +1 212-286- 9570; Web site: http://www.ifac.org CHAPTER 3 Understanding the Microfinance Industry This chapter provides an overview of the microfinance industry, includ- ing details on issues that are particularly relevant for auditors. Topics covered include background and history of microfinance, microfinance lending methodologies, types of institutions providing microfinance, decentralized operations and internal controls, and fraud issues. 3.1 Background and history of microfinance Microenterprises--tiny businesses employing from 1 to 10 people--are an impor- tant source of income and jobs for the poor. In many developing countries between 30 and 80 percent of the population work in such enterprises. Microentrepreneurs engage in production (such as farming or clothing manufacture), commerce Microfinance is (such as street vending), and services (such as food preparation). Microenterprises supporting the tend to share the following characteristics: income and welfare · They are informal--that is, they are not registered or licensed, and do not of tens of millions pay business taxes · They use traditional rather than modern technologies of customers · They are owner-operated · They do not keep formal books, and do not keep business and household income separate. Traditionally, microentrepreneurs have not had access to bank loans. The loans they need--anywhere from $25 to $1,000--are too small for conventional banks to handle economically. Because of their lack of collateral, bookkeeping methods, and informal status, most bankers have viewed microentrepreneurs as unaccept- able credit risks. As a result their sources of credit have mainly been limited to familymembers,suppliers,andinformalmoneylenderswhousuallychargeextremely high interest rates. But over the past 20 years a wide variety of institutions, mainly nonprofit social service organizations, have developed methods that allow them to deliver loans to microentrepreneurs and other poor clients at a manageable cost while main- taining high repayment rates. In many developing countries microfinance has grown dramatically: it is already supporting the income and welfare of tens of mil- lions of customers. 9 10 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 Leading MFIs have demonstrated that the provision of these services can be financially sustainable. Poor clients can use loan capital so productively that they are able and willing to pay interest rates that cover the full cost of the service. Several dozen MFIs already have operations that are profitable enough to permit exponen- tialgrowthbasedoncommercialfunding.Themicrofinancedepartmentofthestate- owned Bank Rakyat Indonesia serves almost 20 million customers and generates huge profits. Successful microfinance NGOs in Asia, Africa, and Latin America are converting into commercial banks or finance companies. And in several countries Some techniques the microfinance business is attracting private commercial banks. Today there are thousands of MFIs around the world. Few have achieved finan- that work well cial sustainability, but many hope to. Their motivation is still primarily social, but when auditing they believe that attaining profitability will allow them to expand their reach far beyond the limited donor or government funding that is available for their oper- traditional banks ations. This development is opening the prospect of reaching hundreds of mil- function poorly lions of poor borrowers. In this environment, MFIs and donors that fund them when applied to are placing increasing emphasis on financial performance and reporting. (For more information on microfinance, auditors may want to consult the reference MFIs, especially materials listed in annex I. MFIs and donors can provide additional references; in the area of the literature in microfinance is growing rapidly.) portfolio testing 3.2 Microfinance lending methodologies Microfinance institutions differ not only from banks, but also from each other. 3.2.1 Differences between microfinance and conventional lending Much of the success of microfinance can be credited to innovative lending method- ologies, developed to lower the cost of small unsecured loans to large numbers of poor clients, and to maintain high repayment rates. A number of proven lend- ing methodologies have evolved, each of which works well when properly matched with an MFI's clientele, working environment, and philosophy.1 These methodological innovations can, however, pose problems for auditors who are used to auditing traditional banks. Some techniques that work well when auditing traditional banks function poorly when applied to MFIs, especially in the area of portfolio testing. Traditional bank lending, especially in poor countries, tends to be based on assets, relying heavily on collateral and guarantees to secure repayment. Successful microfinance lending, on the other hand, tends to be based on character: loan evaluations focus more on the willingness and ability of clients to pay rather than on the assets that can be seized if they do not. Although some MFIs take collat- eral, it seldom forms the principal basis for their loan decisions. Thischaracter-basedfocusisimplementedinanumberofways.AlmostallMFIs rely on graduated loan sizes. The client's initial loan is small, keeping the MFI's risk UNDERSTANDING THE MICROFINANCE INDUSTRY 11 low. The client's timely repayment of earlier loans gives the MFI the assurance it needs to extend later, larger loans. Clients' motivation to repay lies mainly in an implicit contract for future services: that is, they expect a long-term relationship with the MFI in which future loans are not only dependable but also quick. (In this respect microfinance shows some similarity to the credit-card business.) To reinforce this repayment motivation, good MFIs take an aggressive atti- tude toward late payments, communicating a strong message to clients that nonpayment will result not only in loss of access to future services, but also in the trouble and embarrassment associated with vigorous collection efforts. To MFI auditors need those unfamiliar with the field, collection efforts in successful MFIs can appear to focus on policies, extreme, even to the point of harassment of overdue borrowers. But in most parts of the world this aggressiveness has proved necessary to maintain the ethos of practices, and systems contractual compliance that permits sustainable service to an unsecured group for managing and of clients. Successful MFIs convey this message even before clients run into repay- ment problems--most have training sessions for first-time clients to teach them reporting delinquency how the credit system works, and to underscore the expectation of prompt repayment. The strength of this repayment motivation makes it possible for good MFIs to maintain low delinquency rates. At the same time, the nature of this motiva- tion, and the absence of collateral, makes MFIs subject to outbreaks of serious delinquency if something undermines clients' confidence in the continuing avail- ability of future services. For instance, if an unanticipated delay in donor funds prevents an MFI from disbursing repeat loans on schedule, a delinquency prob- lem is likely. In many programs the motivation to repay also partly depends on peer pres- sure. When clients discover that other clients are not paying their loans, they are less likely to pay their own. Not only do they feel less peer pressure to pay, but the bad collection situation can undermine their confidence that they can depend on the MFI for future loans, regardless of whether they repay present ones. In the absence of a prompt and aggressive response, delinquency can spin out of con- trol much faster in an MFI than in a normal commercial bank. All these factors make prompt, dependable delinquency information and man- agement crucial to an MFI's viability. Not all MFIs are competent in this aspect of their business. In fact, delinquency destroys MFIs more than any other prob- lem. Delinquency reporting to outsiders is often misleading, sometimes inadver- tently and sometimes deliberately so. More important, internal information systems often leave MFI managers in the dark until a delinquency situation is out of con- trol. Thus MFI auditors need to focus particular attention on policies, practices, and systems for managing and reporting delinquency. 3.2.2 Types of microfinance lending methodologies Microfinance lending methodologies can be roughly divided into individual lend- ing models and group-based models. Many MFIs lend directly to individuals, 12 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 without any sort of group self-selection or guarantee. Individual loan method- ologies are more likely than group-based methodologies to take collateral--such as fixed assets, land and buildings, or household appliances taken in pawn--when it is available. Nevertheless, the legality or practicality of calling in this collateral is often suspect. In practice, most individual-lending MFIs rely mainly on the character-based techniques described above. Most MFIs use some form of group lending. One prevalent model requires clients to form themselves into small solidarity groups, often of four to six people Auditors are often who are neighbors or whose enterprises operate in the same neighborhood or line of business. Because members have to cross-guarantee each other's loans, surprised at the their self-selection adds to the MFI's confidence in their reliability, and group apparent informality members may help the MFI collect from a recalcitrant member. Village banks and self-help groups, which are more common in rural areas and of internal controls programs oriented to women, use much larger groups of 20 to 50 borrowers. The in MFIs MFI helps organize the group and teaches members how to operate their own "mini-bank." The MFI typically makes a single loan to the group, which distrib- utes it among its members. Later, the group collects from members and makes a combined payment to the MFI. These models often involve a compulsory sav- ings requirement. The accumulated savings of the group is sometimes used to capitalize an "internal account," which the group uses to fund additional lending to group members or outsiders.2 Here again, the group helps screen out bad loan risks and reinforce collection discipline. There are many group lending models. Most involve a less intimate relation- ship between borrowers and loan officers than in individual programs, permit- ting loan officers to handle a larger number of clients. In group lending, especially with larger groups, loan officers tend to do minimal analysis of individual clients' character or business. Rather, such analysis is implicitly delegated to other group members, who have more information about each other than loan officers are likely to be able to acquire. Some MFIs combine group lending and individual lending models. They offer group loans for newer, smaller clients, and individual loans for older clients who need larger amounts. All modern microcredit models rely on character-based risk evaluation. And all successful models have developed streamlined and decentralized pro- cedures to keep costs down, which is essential because of the very small loans they deal with. When auditors look at microlending techniques for the first time, they are often surprised at the apparent informality of internal controls. Loan documentation is extremely simple. Guarantee and collateral documents often have more symbolic than actual value. Financial analysis of the client's business is often rudimentary, undocumented, or nonexistent. Loans are approved at low levels of the organization's hierarchy. And the same loan offi- cer who approves loans is usually responsible for collecting them. These practices are essential to an MFI's efficiency, even though some of them cre- ate potential risk. UNDERSTANDING THE MICROFINANCE INDUSTRY 13 Thus MFI loan processes are different from those in banks. If traditional bank- ing procedures and controls were imposed indiscriminately on MFIs, costs would climb to an untenable level. Loan portfolio quality would decline rather than improve, because a cumbersome loan process would make the service much less valuable in clients' eyes, undermining the motivation to repay. 3.3 Types of institutions providing microfinance Most MFIs Microfinance is carried out in a variety of institutional structures. As noted, most are nonprofit MFIs are nonprofit NGOs. Some NGO MFIs were set up with the sole purpose of providing microfi- NGOs nance. In other cases NGOs that began by providing nonfinancial services decided to add microcredit to their programs. These institutions often continue to pro- vide both financial and nonfinancial services, without fully segregating the account- ing and administration of these diverse services. This setup does not necessarily pose a problem for the auditor in expressing an opinion on the MFI's financial statements. But it may be impossible for the reader of those financial statements to judge the health of microfinance operations unless unconsolidated statements are also presented that allocate income and costs between financial and nonfi- nancial services (see annex A). Nonfinancial NGOs that add a microcredit operation often find that, because of demand and other factors, the financial service comes to dominate their oper- ations. At that point the NGO may drop its nonfinancial services, or occasion- ally spin off its financial operations into a separate organization. In recent years some microfinance NGOs have become efficient and prof- itable enough to move part or all of their operations into a licensed financial institution that specializes in microfinance. The licensed institution usually takes the form of a corporation that is nominally for-profit. Even so, the licensed cor- poration retains its social motivation, and it is unlikely to have private shareholders who have invested major personal resources in its equity base. This absence of significant commercially motivated private capital has implications for the gov- ernance of the MFI that are discussed below. Microfinance is also offered by some credit unions (savings and loan cooper- atives). Like other microfinance entities, many credit unions were established by socially oriented groups to serve individuals with limited access to the formal financial sector. In poor countries credit union clients are typically lower-middle- class, but some are poorer. Some credit unions operate on self-generated capital: loans are financed by member savings rather than external sources. Other credit unions borrow funds from second-tier lenders and donors to augment their mobi- lized savings base. Credit unions, unlike NGOs, are member-owned. Each mem- ber has a single vote in electing the board of directors. Credit unions are typically licensed by a government agency; in poor countries this agency is usually respon- sible for all cooperatives, most of which are production or marketing coopera- 14 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 tives. Thus the oversight agency almost never has strong financial supervision capacity. Several countries, however, are moving credit unions under the author- ity of the banking superintendency. Some savings and loan mutuals include microfinance clients in their mem- bership. These mutuals are owned by their depositors. They are often supervised by government financial authorities, but this supervision is not always effective. A small but growing number of microfinance providers are departments of commercial banks, both state-owned banks and private for-profit banks. Most MFIs do not Most MFIs lack the kind of risk capital present in conventional private banks. Their equity capital, for the most part, is composed of: produce the kind of financial statements · Accumulated donations · Many small subordinated deposits by members expected in the · Investments by nonprofit organizations or international agencies for-profit world · Relatively small, socially motivated investments from private individuals · Retained earnings. Thus a common feature of almost all MFIs is that their governance structure is not dominated by investors with large amounts of personal capital at risk. MFI boards of directors may include experienced business people, but their motiva- tion is more philanthropic than commercial. Boards of MFIs are less likely than boards of profit-maximizing private businesses to insist on rigorous internal con- trols, efficient management information systems, and strong financial perfor- mance.Inpractice,manyMFIboardseffectivelydelegatemostoftheirresponsibility to management. Auditors need to consider this possibility and its consequences when assessing engagement risk. Because they lack risk capital and profit-maximizing owners, most MFIs do not produce the kind of financial statements expected in the for-profit world. In many cases their principal motivation for producing audited financial statements stems from government or donor requirements. Too many donors are interested in tracking uses of their funds and compliance with other terms of their agree- ment with the MFI, rather than in the MFI's overall financial performance and sustainability. MFIs often view audited financial statements as a formal require- ment to be dealt with as quickly and painlessly as possible, rather than as a val- ued internal management and oversight tool. As a result MFIs' accounting policies and financial statements often do not conform with generally accepted standards. In fact, many MFIs do not even pro- duce annual financial statements. Others rely on an auditor to produce these state- ments for external consumption. One of the primary challenges facing most MFI auditors is to understand the accounting basis and principles applied to different accounts. These are often not consistently applied across that entire chart of accounts. MFIs often account for income on a cash basis and for expenses on an accrual basis.3 They write off loans sporadically. Their loan loss provisioning policy--if they have one--may not be based on a sound analysis of their portfo- UNDERSTANDING THE MICROFINANCE INDUSTRY 15 lio's risk profile. Expenses are often classified in relation to donor agreements, rather than in accounts that are consistent with understanding the institution's overall financial performance. These shortcomings are not meant to paint too bleak a picture. An increas- ing number of MFIs are coming to understand that financial sustainability is an achievable goal, that reaching this goal will permit a massive expansion of their outreach to poor clients, and that this goal cannot be attained without ever-greater attention to accounting, information systems, and internal controls. To under- stand an individual MFI client, an auditor needs to form a notion of where the Some MFI managers MFI lies along the spectrum described here. underestimate the importance of internal 3.4 Decentralized operations and internal controls controls and financial MFIs handle large volumes of small transactions. In addition, MFIs that operate in reporting rural regions or across an entire country tend to have clients and branches spread out over wide areas--frequently including areas without easy access to banks and wire transfers. These features require a good deal of physical cash transfer. In addi- tion, communications between headquarters and branches may face limitations. In a typical decentralized branch the small number of staff may limit the extent to which duties can be segregated. Moreover, providing computers or connect- ing them to headquarters may be difficult, so branch staff may not have access to computerized accounting or portfolio systems, causing most branch-level pro- cessing to be done manually. Such circumstances complicate the design of inter- nal controls. Several other factors affect MFI internal controls: · To handle small transactions efficiently, MFIs feel great pressure to cut costs-- sometimes at the expense of effective internal controls, adequate management information systems, and sufficient general supervision. · Most MFI managers have had more training in social sciences than in busi- ness administration. Before coming to microfinance, their experience is more likely to have been in social welfare projects than in financial institutions. Thus their background may not have sensitized them to the need for internal con- trols or financial management and reporting. · Many MFIs are experiencing rapid growth, which often stretches systems and controls to the breaking point. Auditors should be aware of this dynamic when auditing fast-growing MFIs. 3.5 Fraud issues Many observers assume that MFIs with strong social motivation are relatively immune from fraud problems. But experience shows that this is not necessarily 16 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 true. Efficient microfinance services require considerable decentralization of authority and streamlined loan approval and management, which can increase the opportunity for employee fraud. Most MFIs encounter fraud problems within the first few years of their existence. The fraud may be a single large event or, more frequently, a series of smaller events. Clients may be tempted to overestimate the effectiveness of external audits in detecting and preventing fraud. External auditors focus on reviewing adminis- trative systems and financial reporting to determine whether they comply with The primary sources general accounting standards and the MFI's own policies and procedures. To the extent that fraud risk stems from failures in such compliance, the external audi- of fraud in microcredit tor's work can provide some level of fraud control. But noncompliance of this type operations include is not the source of most fraud and portfolio risk in microfinance operations. Even when auditors are diligent in checking that appropriate individuals have signed phantom loans, off on loans, that payments are duly recorded, and that the paper trail is in order, kickback schemes fraud in MFIs can easily go undetected. and other bribes, The primary sources of fraud in microcredit operations include phantom loans, kickback schemes and other bribes, and nonreporting of client payments. These and nonreporting of risks are increased by inappropriate refinancing policies. Such unethical behav- client payments ior is not effectively detected by audits of paper trails. This point can be illustrated with the example of phantom loans. Loan offi- cers can make loans to nonexistent businesses, to existing businesses that are act- ing as a "front," or to borrowers that offer substantial kickbacks (perhaps with the expectation that collection will not be vigorously enforced). In each case loan offi- cers capture a substantial part of the cash flow for their own use. This practice often continues as loan officers generate a pyramid of new phantom loans to repay old phantom loans, building a house of cards. Eventually the accumulated debt becomes too great for the loan officer to manipulate the payments, and the breakdown shows up in delinquency. The difficulty of detection lies in the fact that the loan officer alone is respon- sible for generating and following through on loans until they reach the point where they are late enough that someone else in the organization steps in. This can take weeks--or even months in an organization with a lax repayment culture. The only way to distinguish a fraudulent delinquency from a normal delinquency is for someone other than the loan officer to visit the client; at this point pressure to repay may reveal the true nature of the loan. The person doing this kind of monitoring needs the same client management skills as the loan officer. Traditional audit procedures, external or internal, are ill-equipped to detect this type of fraud because they usually do not involve extensive client visits. Traditional procedurestendtofocusontrackingthedocumentationofloanagreementsandcash payments. As long as phantom loans are being repaid, no evidence of fraud exists, even though the real overhang of unrecoverable debt is mounting. Once payments begin to fall overdue, pursuing them is initially the responsibility of the same loan officer who set up the fraudulent scheme in the first place. Eventually the loan is passed on to the collection department, but rarely to the internal auditor. UNDERSTANDING THE MICROFINANCE INDUSTRY 17 Fraud control measures built in at the operational level are often more effec- tive than an auditor's ex post review. For example, loan officers may collect and then steal clients' payments if operational procedures are lax. They simply fail to report payments they receive. Considerable time may pass before a supervi- sor learns that the payment is late and checks up personally with the client. On the other hand, when operating procedures impose tight controls on collec- tions, as in many village banking programs, this kind of fraud can be reduced to a minimum. For example, at the Association for Social Advancement (ASA), a village Even strong, banking program in Bangladesh, all the loan officers gather every morning and independent internal write on a blackboard the total to be collected during that day's client visits. After their visits, the loan officers gather again to write the total actually received. Any auditors are not discrepancy is noted by the group, and a follow-up visit is scheduled for the next always effective in day by the office coordinator. Immediate follow-up dramatically reduces the oppor- tunity for theft. Although ASA has internal auditors who double-check the controlling fraud record keeping, the primary internal control is carried out by operational staff in an MFI (see also section 3.2 in volume 1). Most MFIs do not have internal auditors. Where they do, the independence of the internal auditor is sometimes compromised by the organizational struc- ture. But even strong, independent internal auditors are not always effective in controlling fraud in an MFI, given their traditional accounting orientation. They usually work more as comptrollers, making sure that accounting standards are applied and that administrative procedures are correctly implemented. This is a valuable role, indeed an essential one. But internal auditors--or someone else in the organization--must go beyond this role to develop work plans and operating procedures that address situations like those discussed above. One approach is to organize a business risk department or operational audit unit. This unit would be staffed by people with loan officer or collections experience. They might visit all seriously delinquent clients, and make unannounced spot check visits to a certain percentage of other clients. Such a unit could deter and detect fraud, detect dangerous deviations from the MFI's methodology that need to be addressed in staff training, and identify other methodological "deviations" that are promising enough to be considered for incorporation into the MFI's prod- uct design. Of course, other approaches are possible. The essential point is that fraud (and portfolio) risk in MFIs needs to be addressed through operational systems, not just by traditional internal or external audit procedures. From a traditional audit perspective, MFIs may appear weak in their internal controls. They do not, and should not, develop the paper trails and hierarchical decisionmaking found in commercial banks. But successful MFIs do exert sub- stantial operational control on their loan officers and cashiers, who are the prin- cipal originators of fraud. While these controls may not have all the elements auditors are used to seeing, they have the advantage of being streamlined, and thus appropriate for tiny transactions. To steal a significant amount of money from 18 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 an MFI by retaining payments or generating phantom loans requires a long-stand- ing pattern of abuse that can normally be picked up by good internal operational controls before reaching material levels. Notes 1. More detailed information on lending methodologies can be found in Charles Waterfield and Ann Duval, CARE Savings and Credit Sourcebook (New York: PACT Publications, 1997). 2. Often the village bank as a whole, rather than its individual members, is treated as the client of the MFI for loan documentation and accounting purposes. Where this struc- ture prevails, auditors would not test internal transactions within the village bank. At the same time, some internal transactions can pose a risk of eventual default on the village bank's obligation to the MFI. For instance, large numbers of members may be failing to make their payments, but the MFI can be unaware of the problem for some time because the village bank is drawing down its internal account to make up the defaulted individual payments. By the time the internal account is exhausted, repayment discipline in the vil- lage bank may be damaged beyond repair. The auditor might investigate whether the MFI's loan officers are monitoring village banks' internal transactions well enough to be aware of such problems before they become too serious. Whether the risk involved is material enough to justify such an investigation will have to be determined based on the circum- stances of each MFI. 3. Treating income on a cash basis while accruing expenses is not necessarily inappro- priate for some MFIs. This practice may be motivated by sound conservatism, as well as by some MFIs' inability to track accrued interest. The point is that auditors cannot assume that the same accounting methods are applied to all MFI accounts--auditors must be sure they understand the treatment of each account. CHAPTER 4 Planning the Audit This chapter provides an overview of planning activities for an MFI audit. These include gaining knowledge of the business, understand- ing accounting standards and methods, understanding accounting and internal control systems, assessing audit risk, defining materiality, and assessing and establishing relationships with internal auditors. 4.1 Gaining knowledge of the business To gain understanding of an MFI's business, the external auditor should focus on management's key concerns about business objectives and strategies, the MFI's organizational structure and business processes, the MFI's operating results and ability to sustain itself, major transactions and other economic events that may In planning the audit, affect financial statements, accounting issues and changes in accounting policies, the auditor should and sources of financing. To obtain this information, the auditor should meet with managers of the MFI, meet with managers visit at least one branch, and review reports and other documents. of the MFI, visit at least one branch, and 4.1.1 Meetings review reports and The auditor should meet with senior managers of the MFI, including the execu- tive director, chief financial officer or finance director, director of lending and other documents operations, and head of information systems. This would also be the time for the external auditor to have initial discussions with internal audit personnel, board members, and major shareholders or donors if these individuals have concerns that need to be addressed through agreed- upon procedures or special purpose audits. During these meetings the auditor should keep in mind the considerations listed in table 4.1. After initial meetings the auditor should assess engagement risk. Engagement risk is largely a function of audit risk--that is, the risk that an auditor will give an inappropriate opinion when financial statements are materially misstated. For MFI audits the potential engagement risk can be quite high. This is because many MFIs are growing rapidly without adequate personnel, controls, and sys- tems to support the growth. In addition, many MFIs have low budgets for audit services, so auditors may find it difficult to perform all the necessary tests within the available budget. 19 20 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 TABLE 4.1 Initial considerations in planning an MFI audit Factors Audit considerations Internal factors Organizational structure · Who are the key decisionmakers (board of directors, executive director, donor, controller)? · What is their attitude toward the external audit? Objectives · What are the business objectives of the MFI? · What are the social objectives of the MFI? Operations · What are the main product lines, financial and nonfinancial? · How do lending functions operate? · How are financial and nonfinancial products linked? · How are processes within the MFI developed and monitored? Information systems · Are management information systems well developed, given the level of business? Finance · How is the finance function structured, and what commitment does the MFI have toward finance? · Who provides financial oversight to lending operations? · How is performance measured, and who is accountable to whom? Accounting · What are the main accounting policies? · Are they consistent with industry practice? · What basis of accounting is followed, and is it appropriate? Personnel · Does the MFI have excessive staff turnover? · Are staff qualified for their functions-- especially finance and accounting functions? · Is training of new staff adequate? External factors Industry · Who are the MFI's competitors, and how is management dealing with competition? Economy · To what extent is the MFI affected by or exposed to inflation, interest rate fluctuations, currency movements, and macroeconomic instabilities? Laws and regulations · Who regulates or supervises the MFI? · Has any new law or regulation affected the MFI? PLANNING THE AUDIT 21 When initial investigations reveal an unacceptable level of engagement risk, the auditor can provide a great service to the MFI and its funders by declining the engagement and explaining its reasons to all parties. 4.1.2 Visits The external auditor should visit several branches and regional offices to gain a better understanding of the MFI's operations and of decentralized responsibili- ties. Auditors may make some initial visits at the pre-engagement stage and more If engagement risk visits at the planning stage. is unacceptably high, the auditor should 4.1.3 Review of reports and documents decline the engagement The auditor should also review reports and other documents to gain a better under- standing of the business. If they are available, the following documents may be useful: and explain its reasons to the MFI and its · Previously issued audited or unaudited financial statements · Budgets and strategic plans founders · Monthly operating reports, including cash-flow statements, lending statis- tics, and arrears reports · Grant or loan agreements · Evaluations by donor agencies · Examination reports and correspondence from regulatory institutions. An extensive discussion of the reports that may be appropriate for an MFI-- depending on its size and age--can be found in Charles Waterfield and Nick Ramsing's Handbook for Management Information Systems for Microfinance Institutions; see annex I for details. 4.2 Understanding accounting standards and methods MFIs' accounting standards and methods may be unconventional, and thus require close attention from auditors. 4.2.1 Accounting standards The external auditor should determine which accounting standards the MFI uses. Many MFIs do not follow national or international standards. 4.2.2 Accounting methods During the pre-engagement phase the external auditor should ask the MFI's management what basis of accounting it uses. Sometimes the MFI's account- 22 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 ing department cannot answer this question. Many institutions have adopted the accrual basis of accounting, sometimes in a modified form. This basis of accounting is in accordance with standards set by most accounting bodies. Some institutions, however, remain on a cash basis of accounting. Auditors should be aware that it may be beneficial for small MFIs to account for their activity-- especially loan income--on a cash basis, with the external auditor proposing adjustments at the end of the year. In many MFIs the basis of accounting is not applied consistently across all account types, further complicating the audi- In many MFIs the tor's work. basis of accounting is not applied 4.2.3 Financial institution or nonprofit? Finally, the external auditor must consider the MFI's basic view of itself--as a consistently across financial institution or as a nonprofit entity. This view often has implications for all account types accounting. Most microfinance activities originate in social services efforts. Thus most MFIs start out as nonprofit entities. Compared with businesses, nonprofit organizations typically present financial reports that are less rigorous reflections of their financial performance. Some do not even produce annual financial state- ments. Most use cash accounting and do not apply depreciation, inflation adjust- ments, reserves for exchange rate risk, provisions for employee benefits, and the like. At the other end of the spectrum, some MFIs are moving toward licensed status. As regulated financial institutions these MFIs will have to comply not only with generally accepted accounting principles, but also with detailed regulations governing banking organizations. 4.3 Understanding accounting systems and internal control systems The external auditor should gain an understanding of the MFI's accounting and internal control systems through: · Discussions with managers and staff at various levels · Reference to documentation such as procedures manuals, job descriptions, and flow charts · Inspection of reports produced by the accounting department · Observation of the MFI's activities, including computer operations and loan processing at headquarters and branches (box 4.1). 4.3.1 Accounting systems MFIs' accounting operations are usually decentralized. Branch activity is often accounted for at the regional level, then transmitted periodically (usually monthly) to the head office. The head office is typically responsible for producing consoli- datedfinancialstatements.InotherMFIsallaccountingishandledattheheadoffice. PLANNING THE AUDIT 23 BOX 4.1 Summary of ISA 400 on accounting systems and internal control systems Accounting system The auditor should gain an understanding of the MFI's accounting system, includ- ing: · Major classes of transactions in the entity's operations · How such transactions are initiated (whether at branches or the head office) · Significant accounting records, supporting documents, and accounts in the finan- cial statements · The accounting and financial reporting process, from the initiation of significant transactions and other events to their inclusion in the financial statements. Internal control system Internal control system refers to all the policies and procedures adopted by the man- agers of an entity to help ensure, as far as is practical, the orderly and efficient conduct of its business. Internal controls promote adherence to management poli- cies, safeguarding of assets, prevention and detection of fraud and error, accuracy and completeness of accounting records, and timely preparation of reliable finan- cial information. The internal control system extends beyond matters relating directly to accounting system functions and comprises the control environment and control procedures. The control environment is the overall attitude, awareness, and actions of direc- tors and managers regarding the internal control system and its importance. The con- trol environment has an effect on specific control procedures. A strong control environment--for example, one with tight budget controls and an effective internal audit function--can significantly complement specific control procedures. But a strong environment does not, by itself, ensure the effectiveness of the internal control sys- tem. Factors reflected in the control environment include: · The function of the board of directors and its committees · Management's philosophy and operating style · The entity's organizational structure and methods of assigning authority and responsibility · Management's control system, including the internal audit function, personnel policies, and procedures, and segregation of duties. Control procedures are policies and procedures (in addition to the control envi- ronment) that management has established to achieve the entity's specific objectives. Control procedures include: · Reporting, reviewing, and approving reconciliations · Checking the mathematical accuracy of records · Controlling computer information systems by, for example, establishing controls over changes to computer programs and access to data files · Maintaining and reviewing control accounts and trial balances · Approving and controlling documents · Comparing internal data with external sources of information · Comparing cash, security, and inventory counts with accounting records · Limiting direct physical access to assets and records · Comparing financial results and budgeted amounts. 24 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 4.3.2 Internal control systems An MFI needs a strong internal control system to operate successfully. Most MFIs have significant weaknesses in their systems, however, so external auditors should pay close attention to assessing the control environment. Many MFI boards are passive, and corporate governance tends to be lax. Thus much of the control environment depends on the commitment and competence of the management. External 4.4 Assessing audit risk auditors should pay As in any other audit, the external auditor should explicitly assess audit risk--the close attention to possibility of rendering an incorrect opinion on the soundness of the MFI's financial statements--at both the financial statement level and the account bal- assessing the control ance level. environment Audit risk has three components: inherent risk, control risk, and detection risk. At the financial statement level, the main considerations are determining inherent risk and control risk (box 4.2). 4.4.1 Inherent risk Regardless of the internal control system, certain inherent risks derive from the nature of microfinance and the skills of management. For instance, in many MFIs: · Managers do not fully understand credit processes, because they have been trained in social work rather than in financial services. BOX 4.2 Summary of ISA 400 on inherent risk and control risk Inherent risk Inherent risk exists regardless of the nature of the internal control system. It is pri- marily a function of the nature of the business and the skills of management. Inherent risks can appear at both the financial statement level and the account balance level. At the financial statement level inherent risks include the integrity of management, the experience and competence of management, undue pressures that might predis- pose management to misstate financial statements, the nature of the business (tech- nology, geographic spread of operations), and economic and competitive conditions. At the account balance level inherent risks include the degree of judgment used in determining account balances, the susceptibility of assets (such as cash and fixed assets) to loss or misappropriation, and transactions that are not subjected to ordi- nary processing. Control risk The preliminary assessment of control risk for a financial statement assertion should be high unless the auditor can identify internal controls relevant to the assertion that are likely to prevent or detect and correct a material misstatement, and the auditor plans to perform tests of control to support the assessment. PLANNING THE AUDIT 25 · Accounting is done by staff with little experience in double-entry bookkeep- ing, international accounting standards, and so on. · Business operations are decentralized and geographically dispersed, often in remote regions with inadequate infrastructure. 4.4.2 Control risk Weak policies and procedures can create high control risk for MFI audits. Nevertheless, internal controls are crucial for MFIs. Where there are profound Weak policies and weaknesses in internal control, the MFI may be unauditable. If control risk is procedures can high, the external auditor must evaluate whether extensive substantive proce- dures can be employed, and whether this approach is economical for the MFI create high control (box 4.3). risk for MFI audits In addition to making a high-level assessment of internal controls, the exter- nal auditor must assess controls at the account balance (general ledger) level. Before testing controls, however, external auditors must document their under- standing and assessments of the systems using checklists, narratives, and flow- charts. (Tests of control are discussed in chapter 5.) 4.4.3 Detection risk Detection risk--the risk that material misstatements will not be detected by the auditor--should be determined for each account balance, and will depend on the assessment of inherent risk and control risk. This relationship is discussed fur- ther in chapter 5. 4.5 Defining materiality Establishing materiality levels is crucial in determining the nature, extent, and timing of audit procedures. A materiality level is a threshold above which poten- tial errors are considered problematic. If the aggregate of uncorrected misstate- ments identified during the audit exceeds the materiality level, the auditor may not be able to render an unqualified audit opinion (box 4.4). BOX 4.3 Example of control risk in an MFI An MFI's policy requires loan officers to obtain approval of the branch manager before a loan is granted. Audit evidence of this internal control is the branch manager's sig- nature on loan applications. The auditor discovers that a loan officer has made a sig- nificant number of loans without this approval. On further investigation, the auditor finds that new employees were not properly advised of the approval policy. Thus the auditor would conclude that there is a high level of control risk. 26 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 BOX 4.4 Summary of ISA 320 on materiality Information is material if its omission or misstatement could influence the economic decisions made by users on the basis of the financial statements. Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement. Thus materiality provides a threshold or cutoff point, rather than a primary qualitative characteristic that information must have if it is to be useful. The auditor needs to consider the possibility of misstatements or relatively small There are no amounts that, cumulatively, could have a material effect on the financial statements. For example, an error in a month-end procedure could indicate a potential material general standards misstatement if that error is repeated each month. for establishing The appropriate materiality level is inversely related to the level of audit risk. materiality levels If the audit risk--the combination of inherent, control, and detection risk--is for an MFI assessed to be high, the materiality level will be lower. That is, a lower level of uncorrected misstatements would be acceptable. The materiality level will depend on the critical components identified during the planning of the engagement. A critical component of the financial statements is one that reasonable users relying on the statements are likely to focus on, con- sidering the nature of the entity. Identifying critical components is a matter of professional judgment. Examples of critical components that can be used to determine materiality include net income, total assets, revenues, and stockholder equity (table 4.2). Materiality levels may range from 2 percent to 10 percent of a critical compo- nent. In the United States some external auditors use 2 percent of total assets as a base for materiality for a commercial bank. In an entity that has weak internal controls an auditor may lower the amount of acceptable misstatement to 1 per- cent of total assets. There are no general standards for establishing materiality levels for an MFI (box 4.5). Auditors of MFIs sometimes use total assets as a crit- ical component and set 2 percent as a materiality level. The auditor's assessment of materiality and audit risk when planning the audit may change after evaluating the results of the audit procedures. This could be because of a change in circumstances or because of a change in the auditor's knowledge as a result of the audit. For example, if the audit is planned prior to TABLE 4.2 Examples of materiality levels (percent) Strong internal control Weak internal control Critical component (low risk) (high risk) Net income 10 5 Total assets 2 1 Revenues 3 1 Stockholder equity 5 1 PLANNING THE AUDIT 27 BOX 4.5 Example of a calculation of materiality for an MFI The external auditor decides to use the MFI's total assets ($1,000,000) as the critical component. In addition, the auditor considers internal controls to be weak in light of the MFI's aggressive expansion. Thus the auditor uses 1 percent of total assets to determine the materiality level for the audit. Total assets $1,000,000 Materiality factor 1 percent Materiality level $10,000 The external auditor If during the audit process the auditor discovers that the aggregate of misstate- should consider the ments exceeds $10,000, he or she may conclude that the economic decisions of the users of the financial statements could be adversely affected by the misstatements. In activities of internal such a situation the auditor would not render an unqualified opinion. auditors when planning the audit the end of the fiscal year, the auditor will anticipate the results of operations and the financial position. If actual results are substantially different, the assessment of materiality and audit risk may change. 4.6 Assessing and establishing relationships with internal auditors The external auditor should consider the activities of internal auditors when plan- ning the audit. Internal auditors evaluate and monitor accounting and internal control systems. Internal auditing is an essential component of a sound system of internal control, as well as a useful tool in mitigating, detecting, and investigat- ing fraud (see section 3.5, including its argument that MFIs need a broader inter- nal audit than traditional procedures provide). The external auditor should assess internal auditing for two reasons: · A strong internal audit function provides reassurance about internal controls. · Internal auditors may help the external auditor conduct the audit (table 4.3). TABLE 4.3 Working with internal auditors in an MFI Key areas Possible internal auditor assistance to external auditors Cash Surprise cash counts Review of reconciliations throughout the year Loans Client visits on a rotation basis Review of documentation in loan files Debt Review of debt agreements Review of compliance with debt covenants Donor funds Check for segregation of funds Review of compliance with donor agreements 28 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 FIGURE 4.1 Ideal reporting lines for internal auditing Internal Board of audit directors department Where an internal audit function exists, Executive Director of director finance the external auditor Note: Some internal audit functions report to the director of finance for administrative matters should assess its such as staffing, payroll, and benefits. objectivity, scope, technical competency, Large MFIs should have their own internal auditors. Smaller MFIs may find it more economical to contract out this function (see section 3.1 in volume 1). But and diligence many MFIs lack any internal audit function--often because managers do not think it is necessary or believe that they cannot afford it. As MFIs grow and seek licens- ing, however, an internal audit function may be required by law or regulation. Where an internal audit function exists, the external auditor should assess its objectivity, scope, technical competency, and diligence. This assessment should include a review of the department's organization, staffing, focus, reports, and plans. Potential conflicts should be evaluated. For example, if the internal audit department reports to the department it is auditing, the objectivity of the inter- nal audit department's findings should be questioned. Such a situation can sig- nificantly diminish the value of the internal auditor's work for the external auditor. The ideal situation would be for the internal audit department to report directly to the board of directors or its audit committee, if one exists (figure 4.1). If the external auditor makes a preliminary assessment that the internal audit function can be relied on, he or she should test the internal audit work to con- firm this assessment. This is usually done by retesting a sample of the internal auditor's work (box 4.6). BOX 4.6 Example of using internal auditing work An MFI has an internal auditor who reports directly to the board of directors and is judged to be competent and reliable by the external auditor. At the beginning of the year the internal auditor, in consultation with the external auditor, decides to test 100 loan files and make client visits each quarter. Thus 400 loans will be tested during the fiscal year. At the end of the year the external auditor may decide to retest 20 percent of the internal auditor's work--80 loan files. If no exceptions are found, the external auditor would rely on the results of the tests for all 400 loans tested by the internal auditor during the year. CHAPTER 5 Obtaining Audit Evidence: An Overview This chapter provides a brief overview of the process for obtaining evi- dence on an MFI's key account balances. This process includes identi- fying potential errors for each account balance, identifying business risks for each account balance, identifying audit risks for each account bal- ance, performing tests of control, performing substantive procedures, determining samples, and obtaining management representations. The external auditor plans and performs tests to validate management's assertions in the financial statements. These explicit and implicit assertions can be catego- rized as follows: · Completeness--there are no unrecorded assets, liabilities, or transactions · Recording (referred to as "measurement" in ISAs)--transactions are recorded at the proper amount The loan portfolio · Validity (referred to as "existence" and "rights and obligations" in ISAs)-- and loan loss recorded transactions are valid · Cutoff (referred to as "occurrence" in ISAs)--transactions are recorded in the allowance are correct period the most important · Valuation--assets or liabilities are correctly valued · Presentation--items are described in accordance with the applicable financial account balances reporting framework. for MFIs The auditor should test these assertions for all the key account balances. 5.1 Key account balances When planning the engagement, the external auditor should identify key account balances for the MFI, which typically include the following: · The loan portfolio and loan loss allowance are the most important account balances for MFIs because they include most of the institutions' assets and are the source of the most serious risk of misstatement. · Cash and equivalents are important because MFIs often have on hand, or in transit, large amounts of cash that are handled somewhat informally. · Capital accounts (fund balance or shareholder equity) may require special atten- tion because most MFIs receive donor funding. 29 30 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 · Payables and accrued expenses are important because MFIs are exposed to pos- sible understatement in these accounts. · Savings and deposits may be an important account balance in some MFIs. · Revenues and expenses require attention because MFIs are often inconsistent in their treatment of them. Specific guidance on auditing each key account balance is provided in chapters 6­12. In addition to 5.2 Identifying potential errors for each account balance potential errors, the external auditor The external auditor should identify potential errors for each account balance. Potential errors correspond to the financial statement assertions categorized at should assess whether the beginning of this chapter (table 5.1). The potential errors for each key account any other factors balance are discussed in chapters 6­12. increase the risk of misstatement 5.3 Identifying business risks for each account balance In addition to the potential errors listed above, the external auditor should assess whether any other factors increase the risk of misstatement. Business risks of par- ticular importance to MFIs include: · Credit risk--the risk that a borrower will not settle an obligation for full value, either when due or any time thereafter · Interest rate risk--the risk of loss arising from the sensitivity of earnings to movements in interest rates · Liquidity risk--the risk of loss arising from the possibility that the MFI may not have sufficient funds to meet its obligations · Currency risk--the risk of loss arising from movements in exchange rates between domestic and foreign currencies TABLE 5.1 Examples of potential errors in account balances Assertion Potential error Completeness Assets, liabilities, transactions, or events are not recorded Recording Transactions or events are recorded inaccurately (wrong amount) Validity Recorded transactions are not valid, or the asset or liability does not belong to the entity Cutoff Transactions are recorded in the wrong period Valuation Assets or liabilities are valued incorrectly Presentation Account balances are presented in a misleading way OBTAINING AUDIT EVIDENCE: AN OVERVIEW 31 · Fiduciary risk--the risk of loss arising from factors such as failure to maintain safe custody or negligence in the management of assets on behalf of others (all the above risks are drawn from ISA 1006) · Fraud risk--the risk of loss due to internal or external fraud. The business risks associated with each key account balance are discussed in chap- ters 6­12. If control risk is 5.4 Identifying audit risks for each account balance assessed to be high, The auditor should identify audit risk at the account balance level. The starting the auditor should point is the inherent risk and control risk identified at the financial statement place less reliance level, as discussed in chapter 4. Once these risks have been assessed, the auditor should assess the control risk for each account balance. The auditor's assessment on tests of control of control risk will determine the extent to which tests of control or substantive procedures need to be performed. For example, if control risk is assessed to be high, the auditor should place less reliance on tests of control. Further, if control risk is high, the maximum acceptable level of detection risk--that is, the risk that substantive procedures will not identify misstatements; see box 5.1--is lower, and the auditor must perform more substantive procedures. On the other hand, if control risk is assessed to be low, the auditor can place more reliance on tests of control. With low control risk, a higher degree of detec- tion risk is acceptable, and substantive procedures would not be as extensive. In an MFI audit this relationship (between control risk and tests of control and substantive procedures) may lead to a dilemma. Because internal controls in an MFI are often weak, auditors may assess the control risk to be high and not BOX 5.1 Summary of ISA 400 on detection risk Detection risk is the risk that an auditor's substantive procedures will not detect a mis- statement that could be material. Substantive procedures need to be extensive enough to reduce detection risk, and therefore audit risk, to an acceptable level. But even if an auditor examines 100 percent of an account balance or a class of transactions, some detection risk is always present, because most audit evidence is persuasive rather than conclusive. There is an inverse relationship between detection risk and the combined level of inherent and control risks. (Inherent risk and control risk are defined in box 4.2.) For example, when inherent and control risks are high, an auditor should accept only a low level of detection risk, in order to reduce audit risk to an acceptable level. In aim- ing for a low level of detection risk, the auditor will need to perform more substan- tive procedures. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptable level. Thus fewer substantive procedures will be needed. 32 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 place much reliance on tests of control. In such a situation the auditor would want to rely on extensive substantive procedures. But if the MFI has a large loan portfolio, extensive substantive procedures may be both difficult for the auditor and prohibitively expensive for the MFI. 5.5 Performing tests of control The auditor should Tests of control are performed to determine whether the external auditor can rely on internal controls (box 5.2). The auditor should perform tests of control perform tests of for each key account balance to assess the design of accounting and internal con- control for each key trol systems (that is, whether they are suitably designed to prevent or correct mate- rial misstatements) and the actual operation of the controls throughout the period. account balance to Guidance on tests of control for each key account balance is provided in chapters assess the design 6­12. of accounting and internal control 5.6 Performing substantive procedures systems Substantive procedures are conducted to obtain direct audit evidence to support an account balance. The external auditor should perform substantive procedures for each key account balance. The two types of procedures are tests of details of transactions and balances, and analytical procedures. Tests of details are typically more effective and efficient for testing balance sheet items. Alternatively, analytical procedures tend to be preferred for income statement accounts because they effectively address most potential errors (box 5.3). The substantive procedures for each key account balance are discussed in chapters 6­12. BOX 5.2 Summary of ISA 400 on tests of control Tests of control include: · Inspection of documents, supporting transactions, and other events to gain audit evidence that internal controls have operated properly (for example, verifying that a transaction has been authorized) · Inquiries about, and observation of, internal controls that leave no audit trail (for example, determining who actually performs each function, not merely who is sup- posed to perform it) · Reperformance of internal controls (for example, reconciliation of bank accounts) to ensure that they were correctly performed by the entity. The auditor should obtain audit evidence through tests of control to support any assessment of control risk that is less than high. The lower the assessment of control risk, the more support the auditor should obtain that accounting and internal con- trol systems are designed suitably and operating effectively. OBTAINING AUDIT EVIDENCE: AN OVERVIEW 33 BOX 5.3 Summary of ISA 520 on analytical procedures Analytical procedures compare an entity's financial information with, for example: · Comparable information for prior periods · Anticipated results of the entity, such as budgets or forecasts, or expectations of the auditor, such as an estimation of depreciation · Similar industry information, such as a comparison of the entity's ratio of sales to accounts receivable with industry averages, or with the same ratio in comparable entities in the same industry. Auditors use sampling Analytical procedures also consider relationships: techniques because · Among elements of financial information that would be expected to conform to a it is not practical predictable pattern based on the entity's experience, such as gross margin per- centages to test the entire · Between financial information and relevant nonfinancial information, such as pay- roll costs and number of employees. population of items that flow into a 5.7 Determining samples financial statement Auditors use sampling techniques because it is not practical to perform tests of control or substantive procedures on the entire population of items that flow into a financial statement. Sampling techniques used for tests of control may differ from those used for substantive procedures. 5.7.1 Sampling for tests of control For tests of control, the external auditor usually does statistical sampling. Some firms use a two-step approach. The auditor first selects a predetermined number of transactions as the sample. If an error is detected in testing this first sample, another sample is taken. 5.7.2 Sampling for substantive procedures Determining the sample for substantive procedures involves two steps: defining the sample size and selecting the sample. The process can be statistical or nonstatistical. In statistical sampling the sample size is derived through a mathematical function that combines the level of materiality, the assessment of detection risk, and the size of the account balance. (Audit firms define the mathematical func- tion in different ways. Readers who want further information can consult audit and statistics textbooks. In addition, chapter 6 provides an example of sample size determination for an MFI loan portfolio.) Once the sample size has been deter- mined, the items to be tested should be selected statistically (if possible) to pro- vide a representative sample. Statistical selection methods--random, systematic, and haphazard--are discussed in box 5.4. 34 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 BOX 5.4 Summary of ISA 530 on audit sampling The three main considerations in audit sampling are sample size, sample selection, and evaluation of results. Determining the sample size When determining the sample size, the auditor should consider sampling risk, toler- able error, and expected error. · Sampling risk is the risk that the auditor's sample will yield a conclusion different from the conclusion that would be reached if the entire population were tested. The lower the sampling risk that the auditor is willing to accept, the larger the sample will need to be. · Tolerable error is the maximum error in the population that the auditor is willing to accept and still conclude that the result from the sample has achieved the audit objective. The tolerable error should be related to the auditor's judgment about materiality levels. The smaller the tolerable error, the larger the sample will need to be. · Expected error is the error the auditor expects to be present in a population. If the auditor expects an error, a larger sample should be taken to ensure that the actual error is not larger than the planned tolerable error. Selecting the sample The auditor should select a sample that is representative of the population. Common selection methods are: · Random selection. This method has the strongest statistical basis and should be used if possible. All items in the population have an equal chance of selection. · Systematic selection. This method selects items using a constant interval between selections--say, every 20th voucher. · Haphazard selection. This method is an alternative to random selection. Evaluating the results After performing tests of control and substantive procedures on one sample, the auditor should: · Analyze any errors detected in the sample · Project the errors to the population · Reassess sampling risk. As a result of this process, the auditor may consider extending audit procedures. Nonstatistical sampling is used when it is not possible to obtain a sample that can be evaluated statistically, and the auditor has considerable knowledge of the population. For example, a nonstatistical sample could be used if the auditor knows that for an account balance (say, accounts receivable) of 100 customers, 10 accounts cover 80 percent of the total value. The auditor would perform tests on the large accounts and examine only a few of the remaining accounts, on the grounds that the total value of the remaining accounts is not large enough to warrant statisti- cal sampling. Statistical sampling methods are not widely used in MFI audits. Many audi- tors rely on nonstatistical sampling or even less precise processes, and apply pro- OBTAINING AUDIT EVIDENCE: AN OVERVIEW 35 cedures to all items that have a particular characteristic--such as items greater than a certain dollar amount. Under ISA 530 this approach does not qualify as audit sampling, because the findings are not likely to be valid for the portion of the population examined or for the population as a whole. Such nonstandard tests may or may not detect material misstatements, but it is usually hard to jus- tify the selection criterion that has been used. Given MFIs' large number of loan transactions, audits of the loan portfolio should always use statistical sampling. Given MFIs' large 5.8 Obtaining management representations number of loan ISA 580 requires the external auditor to obtain an acknowledgment by MFI man- transactions, audits agers of their responsibilities in regard to the financial statements. Evidence of of the loan portfolio such responsibility may be provided through copies of board minutes, a signed copy of the financial statements, or a representation letter. should always use During an audit, managers will make many representations to the auditor, statistical sampling either unsolicited or in response to inquiries. The auditor should request written representation on matters that are material to the financial statements. Outside the financial reporting area, managers are responsible for policies and procedures regarding the identification, valuation, and recording of litigation, claims, and assessments. Managers are also responsible for ensuring compliance with applicable laws and regulations. MFI managers usually acknowledge their responsibility for the areas outlined above in a management representation letter to the auditor. This letter usually car- ries the same date as the audit report and is signed by the entity's top manage- ment. If management refuses any of the representations requested by auditors, the auditors should consider this a scope limitation and discuss with management whether they will be able to express an unqualified audit opinion. Annex F pro- vides an example of a management representation letter. CHAPTER 6 Obtaining Audit Evidence: The Loan Portfolio This chapter describes how the external auditor should obtain evi- dence on the loan portfolio--the most important account balance in an MFI. (Provisioning for loan losses, a crucial element of the portfolio account, is discussed in chapter 7.) [In addition to this chapter, the auditor is advised to review chapter 5 of volume 1. Some of the material in that chapter is repeated here, but substantial elements are not. In particular, the beginning and end of that chapter provide advice to clients that may seem controversial: clients are advised to pursue detailed discus- sions with their auditor to assure themselves that the testing of their loan port- folio will be sufficient to provide reliable confirmation of portfolio quality.] MFI loan operations have 6.1 What makes MFI portfolios unique? unique characteristics that external auditors The loan portfolio is one of the most important account balances in any lending institution. This portfolio usually accounts for most of the institution's assets, must understand and the potential for misstatement is great. MFIs are no different from other lend- ing institutions in this respect. MFI loan operations, however, have unique characteristics that external audi- tors must understand, because they affect the audit process. Many of these char- acteristics are discussed elsewhere in volumes 1 and 2, but the principal ones can be summarized as follows: · MFIs grant a large number of small loans, and so receive a very large number of tiny payments. Moreover, MFI operations are often dispersed over a wide area. Thus MFIs need streamlined and decentralized operating structures to be efficient. These factors make it a challenge to maintain effective portfolio information and management systems. · Decentralization implies that relatively few staff are involved in approving, disbursing, monitoring, and collecting each loan. This setup can increase the opportunity for deviation from approved policies, or for fraud. Decentralization can also increase the risk of error or manipulation when branches transfer information to headquarters. 37 38 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 · To handle small transactions efficiently, MFIs face great pressure to cut costs-- sometimes at the expense of adequate portfolio controls and information, as well as sufficient supervision of clients and loan officers. · Many MFI portfolios are growing rapidly. This growth puts pressure on sys- tems and can camouflage repayment problems. A rapidly growing portfolio has a larger percentage of loans in the early stages of repayment. Delinquency problems are more likely in the later stages of the repayment cycle. · MFIs generally dislike provisioning for problem loans or writing them off. Ideally, the loan They want to maintain a good image in the eyes of outsiders, especially donors. MFIs may feel--not always correctly--that they cannot write off a loan on tracking MIS should their books without sending a message that the client should stop trying to contain information pay, or that the loan officer should stop trying to collect. Also, most MFIs do not pay taxes, so provisioning produces no tax savings for them by reducing not only for current taxable income. loans, but for past · For reasons discussed below, MFIs' information systems for operational loan loans as well tracking are seldom integrated with their accounting systems. It is important to distinguish among three systems that influence an MFI's loan portfolio. The accounting system and the loan tracking management infor- mation system (MIS) produce information. The loan administration system con- sists of policies and procedures that govern loan operations. In practice these systems may overlap, but in theory they are separate. The accounting system receives information about individual loan transac- tions, but its purpose is to generate aggregate information that feeds into the finan- cial statements. The loan tracking MIS is focused on information about individual loans, including: · Identity of the client · Amount disbursed · Loan terms, such as interest rate, fee, maturity, and so on · Repayment schedule--amounts and timing · Amount and timing of payments received · Amount and aging of delinquency · Outstanding balance. Ideally, the loan tracking MIS should contain this information not only for current loans, but for past loans as well. In practice most MFIs do not maintain this information, at least in usable form, on loans that have been paid off or writ- ten off. This is a substantial deficiency. The main purpose of the loan tracking MIS is to provide information relevant to the administration of the portfolio, regardless of whether this information feeds into the financial statements. Some of the data captured by the loan tracking MIS are also captured directly by the accounting system--such as disbursements, payments, and OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 39 accrued interest. (Note that the accounting system and the loan tracking MIS may capturesomeloandataatdifferenttimesandfromdifferentsources,resultinginocca- sional discrepancies between the two systems.) Some data from the loan tracking MIS flow only indirectly into the accounting system and financial statements--such as delinquency information from the loan tracking MIS that is used to estimate pro- visions in the accounting system. Other data from the loan tracking MIS never enter the accounting system--for example, client identity or payment schedules. The loan administration system is not an information system, but rather the policies and procedures, written or unwritten, that govern the MFI's loan oper- In practice, the loan ations, including: tracking MIS is · Loan marketing usually not fully · Client and loan evaluation integrated with the · Loan size and terms · Loan approval accounting system · Handling of disbursements and payments by loan officers and cashiers · Recording of disbursements and payments in the "back room" · Client supervision · Collection policies for delinquent loans · Rescheduling of delinquent loans · Internal controls, both operational and ex post. Ideally, the loan tracking MIS should be seamlessly integrated with the account- ingsystem.Inpracticethisisunusual.MFIscannotuseintegratedsoftwaredesigned for banks because their loan systems are too different from those of banks. Several integrated software packages have been designed for MFIs, but they sel- dom provide the immediate local technical support that is crucial in dealing with modifications and inevitable system crashes. As a result many MFIs find that a standard accounting system (computerized or manual) can be adjusted to fit their requirements, but that they need to custom-build their own loan tracking MIS (again, computerized or manual).1 6.2 Business risks The main business risks associated with an MFI's loan portfolio include credit risk, fraud risk, and interest and exchange rate risk. 6.2.1 Credit risk The risk that borrowers will fail to pay their loans in full is the most impor- tant risk for an MFI. Although many MFIs maintain low rates of delinquency and loss, their clients' repayment performance can be much more volatile than that of commercial bank customers. Payment problems can skyrocket from near 40 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 zero to unsustainable levels in a matter of months. Thus systems for manag- ing and monitoring repayment performance are at the heart of an MFI's business. MFIs are seldom exposed to the kind of credit concentration risk found in commercial banks. Given MFIs' large number of small loans, loans to a single borrower or to related borrowers rarely account for a dangerous percentage of portfolio or equity. But some MFIs encounter problems when they offer larger loans for which their original loan delivery methodology is unsuited. For instance, if an MFI whose methodology is designed for $500 loans starts making $10,000 Auditors should loans to first-time customers using the same methodology, serious problems are likely. identify control weaknesses that 6.2.2 Fraud risk increase opportunities Fraud risk is a serious threat in many MFIs (box 6.1; see also section 3.5). Lack for fraud of segregation of duties (for example, between cash disbursal and recording), other weak internal controls, geographically dispersed branches, and decentralized approval processes can all create opportunities for fraud. Nearly every MFI expe- riences portfolio-related fraud at some point. For most it does not reach epi- demic proportions. Others are not so lucky. External auditors should make sure their MFI clients understand that, while cases of fraud may be identified in the normal course of audit activities, detect- ing fraud is not the primary focus of the audit. Rather, auditors should identify control weaknesses that increase opportunities for fraud. Except for detecting cer- tain types of cashier window and treasury fraud typical for any banking institu- tion, external auditors are unlikely to be the primary source for detecting the type of fraud that MFIs normally encounter. For instance, MFIs often find that: BOX 6.1 Examples of MFI experiences with fraud One African MFI is still grappling with a fraud situation that it discovered more than two years ago. The MFI, created in 1994, is a solidarity group credit program oper- ating through branches in the capital and a distant region. The loan portfolio expanded quickly, growing to $670,000 in just 18 months. But in April 1996 an acting director (filling in for the director, who was on leave) and a new data management system revealed a scheme that had created fictitious borrowers. These "ghost" borrowers accounted for one-third of the MFI's clients. Management cited several factors to explain this crisis: uncontrolled growth, too much distance between credit staff oper- ating in the remote region and technical and managerial staff in the capital, and lax adherence to cash control measures and reporting requirements. Similarly, a large Latin American MFI is still sorting out a significant case of fraud it uncovered in 1995. In 1994 the entire staff of a regional office colluded with the MFI's internal auditor and commercial bank staff to divert $914,000 in loans to fic- titious clients. This scheme went undetected by auditors from a "big six" accounting firm and by an evaluation team that singled out the regional office as one of the MFI's best-performing units. OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 41 · Loan payments are stolen before they are even registered · A loan officer creates fictitious groups or borrowers and makes disbursements to them · An MFI loan is valid, but part of the amount disbursed is returned to the loan officer as a kickback · Loans are made to friends or family of MFI employees. Given the huge volume of transactions, cases of such fraud can easily escape the external auditor's notice, especially when the audit does not include a large If tests of internal number of client visits. With an adequate number of client visits, an auditor might controls show that the be able to detect a pattern of fictitious borrowers or stolen payments. But iden- tifying other types of fraud may require extracting information that the client does auditor cannot rely not want to reveal; an external auditor is unlikely to be skilled at this task. on such controls, the auditor should 6.2.3 Interest and exchange rate risk immediately raise MFIs are susceptible to interest rate risk if they lock in interest rates on long- term loans and face increasing costs for funds over the short term. this issue with senior More commonly, MFIs face exchange rate risk. Many MFIs lend to their clients managers and the in domestic currency but fund their portfolio with donor loans denominated in board of directors foreign currency. If the domestic currency suffers a significant devaluation, the MFI may face a material financial cost it is not prepared to deal with. 6.3 Audit risk The loan portfolio is the area of highest audit risk in an MFI. Given the large num- ber of small loans to widely dispersed borrowers, extensive substantive testing may be difficult and expensive. Thus the audit needs to emphasize tests of control if possible. 6.4 Tests of control Tests of control for MFI loan balances are typically performed at the head office, at retail outlets (including branch offices but sometimes regional and head offices as well), and through client visits. The sections below illustrate tests at these three levels. The suggestions offered are not all-inclusive, and are no sub- stitute for the development of a detailed audit program for an individual MFI. Depending on the structure of the MFI, a procedure described in the retail outlet section below may need to be performed instead at the head office, and vice versa. If tests of internal controls show that the auditor cannot rely on such controls, the auditor should immediately raise this issue with senior managers of the MFI and the board of directors. Specific material weaknesses should be discussed, along 42 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 with the adjustments to the audit plan that will be necessary if the auditor is to continue the audit and render an opinion. 6.4.1 Tests of control at the head office Loan policies and procedures It is hard to overstate the importance of loan policies and procedures that are not If no one in the only clear but also actually implemented at all levels of an MFI's operations. In large MFIs these policies should usually be documented in manuals. But in all organization expects cases it is crucial that the policies be understood and practiced by all. the loan tracking MIS At the MFI's head office the auditor should review documentation and inter- view personnel to test for well-defined loan policies and procedures. Possible ele- to be 99 percent ments to analyze are listed in box 6.2. accurate, people tend to Some MFIs ask loan officers to follow up with their clients to ensure that loan let down their guard proceeds have been spent for their stated purposes. Many microfinance experts doubt the benefit of such attention to the use of proceeds. MFIs and auditors may want to consider this in deciding how much effort to invest in testing compliance with this kind of follow-up policy. Assuming that the auditor has clearly understood--and if necessary, docu- mented--the MFI's credit policies, compliance with these policies has to be tested, mainly at the level of retail outlets. Information systems As noted, MFIs have--in theory and usually in practice--two information sys- tems: an accounting system and a loan tracking MIS (see section 6.1). The two are usually not seamlessly integrated. Tests of control for an MFI's accounting system tend to be similar to such tests for otherfinancialinstitutions.AnMFI'sloantrackingMISrequiresmoreparticularatten- tion. Because substantive tests of detail for MFI portfolios are burdensome, auditors and managers need to be able to rely on the integrity of the loan tracking MIS. The loan tracking MIS must be credible to MFI managers and staff. If no one in the organization expects the loan tracking MIS to be 99 percent accurate, peo- ple tend to let down their guard. Situations and trends that ought to cause alarm are sometimes ignored on the assumption that they represent glitches in the infor- mation system rather than actual problems with portfolio quality. And when peo- ple think that most anomalies are likely to be MIS problems, fraud is more tempting because it is less likely to be detected promptly. Thus the loan tracking MIS needs to be checked for accuracy, security, and effectiveness. Testing accuracy implies checking the extent to which the loan tracking MIS correctly reflects loans disbursed, payments received, and current repayment sta- tus of outstanding balances. Much of this testing may take place at retail outlets. The auditor should also test the security of the loan tracking MIS. Where the system is computerized, the auditor should review elements such as the internal OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 43 safety features of computer software, the external safety environment of computer hardware, security arrangements for levels of access to portfolio systems, attrib- utes for changing transactions data, backup procedures and compliance, and secu- rity arrangements for backup files. Where the loan tracking MIS is manual, the auditor should review internal control procedures related to preparation and ver- ification of transactions reports, the physical security of ledger card files, and conditions under which transactions can be modified. Even if information is accurate and secure, it is of little use unless people at all levels of the organization are receiving timely reports in an intelligible form and using the data they contain. Thus the auditor should also look at the effectiveness of BOX 6.2 Possible elements of an MFI's credit policy Client qualifications · Age · Number of years in business · Independence in business activity · No criminal record Repayment capacity · Method of establishing repayment capacity · Minimum levels of repayment capacity · Fluctuations in repayment capacity · Type of activity to be financed Credit history · Repayment history with the program · Repayment history with other programs · Repayment history with basic services such as water or electricity Size of the loan and size of regular loan payments relative to key business indicators such as: · Working capital · Total sales · Net income · Previous loans and loan payments · Collateral guarantee Credit delivery methodology · Number of members in solidarity or village banking groups · Relationships among members of groups · Rate of increase in loan amounts · Relationship between loan amounts and forced savings · Size of other clients' loans and payments (in solidarity groups) Interest and fee structure Loan approval procedures Follow-up procedures for delinquent loans Policies on refinancing or rescheduling delinquent loans 44 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 the loan tracking MIS, both at headquarters and at retail outlets. Are MFI employ- ees and clients getting the information they need, when they need it, in a form that highlights what they need, without drowning them in irrelevant detail? Are they using the reports being generated? The most common and dangerous problem with a loan tracking MIS occurs when loan officers and managers do not get delinquency information in a way that facilitates immediate follow-up on payment problems. An annual audit should pay some attention to the accuracy, security, and effectiveness of the loan tracking MIS. Volume 1 advises audit clients to request An annual audit comment on these topics as part of the management letter. But the degree of atten- tion will fall short of a thorough MIS review, especially with respect to security should pay some and effectiveness. A thorough review will require agreed-upon procedures or a attention to the separate MIS review by the auditor or another consultant. The auditor should look at several other MFI-specific issues when assessing accuracy, security, the loan tracking MIS. Where deficiencies are noted, they should be mentioned and effectiveness in the management letter. (For further detail on some of these issues, see section of the loan tracking 5.3 of volume 1, as well as the treatment of noncash paydown issues in section 7.3 of this volume.) MIS · Does the loan tracking MIS provide information on loan delinquency--includ- ing aging of delinquent balances--that adequately supports provisioning and write-off decisions? (This topic is treated in chapter 7.) · Does the loan tracking MIS maintain summary information on client's pay- ment performance after loans have been paid off? This feature is desirable for several reasons. It permits historical analysis of portfolio delinquency for pro- visioning analysis. It can influence decisions about making new loans to a client. And it can be important in testing for inappropriate refinancing practices. · If the MFI reschedules loans--that is, extends their terms--when clients have payment problems, does the delinquency report flag those loans and put them in a separate category? This should be done because rescheduled loans are at higher risk. (This item and the two below are irrelevant if the auditor is satisfied that the MFI never reschedules or makes new loans to delinquent borrowers.) · Does the loan tracking MIS actively flag cases of refinancing--that is, when clients' delinquent loans are paid off by issuing new loans? · Does the loan tracking MIS flag cases when parallel loans are made to clients who are delinquent on other loans? · If a loan has been brought current or paid off by a check, or by receipt of equip- ment or other collateral from the client, does the delinquency report con- tinue to show the loan as delinquent until the expected cash proceeds are realized? Does the loan tracking MIS flag such occurrences? Internal audit The auditor should review the MFI's internal audit function, if it has one, and conduct tests to determine its reliability. In particular, the auditor should look at whether the MFI has, or should have, an operational audit function of the sort OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 45 described in section 3.5, bearing in mind the limitations of traditional internal audit procedures when applied to microfinance portfolios. Compensation policy The auditor should also examine how the MFI measures loan officer or branch performance in managing the loan portfolio, especially if incentive pay or pro- motions are tied to such measurement. For example, if heavy weight is given to increasing loan volume--especially where a compensating weight is not given to high repayment rates--the incentive structure may lead loan officers to make too The auditor, not many risky loans. management, should select the 6.4.2 Tests of control at retail outlets branches to visit The auditor should test loan portfolio controls at retail outlets, usually branches. (In some MFIs retail lending is also done at regional offices and the head office.) Retail outlets should be visited either annually or on a rotating basis. (As noted, the external auditor may choose to use some of the work done by internal audi- tors.) Such visits are crucial not only to test compliance with the MFI's loan poli- cies and procedures, but also to assess the control environment at this level.2 The auditor, not management, should select the branches to visit. Many MFIs have "model" branches that are far superior to other branches. Not sur- prisingly, visitors are usually taken to the model branches. The auditor should visit enough MFI retail outlets to obtain a truly repre- sentative sample. Some auditors visit just 5­10 percent of an MFI's branches in a fiscal year. The branches visited are often chosen for logistical convenience rather than to obtain a representative sample. In many cases the same branches are visited year after year. Even if auditors completely rotate their branch visits, visiting 10 percent of branches would mean total coverage only after 10 years-- hardly sufficient for sampling purposes. For MFIs with few branches, auditors should probably visit all branches every year. For MFIs with many branches, auditors should visit all branches within at least atwo-tothree-yeartimeframe.Ifaninternalauditfunctionexists,allbranchesshould probably be visited by either the external auditor or internal auditor each fiscal year. To the extent possible, these visits should be unannounced. This element of surprise makes it harder for branch or regional managers to cover up problems. At retail outlets, internal controls should be tested using a sample of loans. (Sampling methods are discussed in chapter 5.) The auditor should draw the sam- ple from a complete list of loans--one whose total reconciles to the general ledger. Again, the auditor--rather than management--should make this selection. Auditors should examine a statistically significant number of loans to recon- cile amounts disbursed, amounts received, payment dates, and current repay- ment status of loans. They should determine whether transactions have been recorded accurately on the dates they occur, whether the portfolio system cor- rectly distributes payments among relevant accounts, and whether the outstand- 46 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 ing balance shown for loans in the tracking system is correct in light of the terms of the MFI's loan documents and credit policies. Typically, the auditor should review transactions records and compare them to specific ledger accounts, to planned repayment schedules, to credit policy guide- lines, and to current delinquency reports generated by the loan tracking MIS. The auditor should test for appropriate approvals, unusually high levels of delinquency or write-offs among particular groups of loan officers, reschedulings, and excessive loan size increases on repeat loans. Throughout the Loan files should be reviewed for completeness and adherence to the MFI's policies and procedures. Box 6.3 illustrates some of the items that may be tested, testing at retail depending on the procedures of the MFI. outlets, the auditor Throughout the testing at retail outlets, the auditor should focus on whether the MFIs' loan policies and procedures are being complied with in practice. should focus on MFIs often experience "methodological drift," especially when staff training and whether loan policies supervision have not kept pace with rapid expansion. In a decentralized structure, and procedures are loan officers often start making credit decisions that run counter to the MFI's basic lending principles and techniques. For instance, loan amounts for new bor- being complied with rowers, as well as loan size increments for repeat borrowers, can creep to dan- gerous levels--especially when loan officers are under pressure to show a steadily growing portfolio. This situation creates credit risk by allowing clients to get too close to their repayment capacity limits too quickly. It is also common for the credit committee to become a mere formality, so that credits are not really discussed. When peer review becomes ineffective, poor loan decisions can increase credit risk. Some assessment should be made of compliance with loan methodology ele- mentssuchasgroupformationandsize,aswellasthenatureofrelationshipsbetween members of the groups. In addition, auditors must pay close attention to actual practice in follow-up on delinquent loans, such as prompt distribution of delinquency information to BOX 6.3 Illustrative loan file elements to be tested · An original application noting all parties involved in a loan (if other than individ- ual loans) along with any guarantors. · Information on the client and his or her business that indicates compliance with key elements of the MFI's loan policies. · Cash-flow analysis indicating sources from which repayment can reasonably be expected. (Where this item or the previous one involve calculations, the auditor should test the calculations.) · Approval by the loan officer and by the credit committee or supervisor. · A signed loan document (promissory note) stipulating repayment terms and interest rates. (Many MFIs keep original promissory notes in fireproof containers rather than in the client's loan file.) · The client's credit history. · Documentation of follow-up steps in the case of delinquent clients. OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 47 loan officers and immediate visits to all delinquent borrowers. MFIs that fail to respond aggressively to delinquency seldom survive long. TheauditorshouldmakesureMFImanagementunderstandsthattheabovetests are being done as tests of control. Potential problems encountered during this lim- ited testing should be commented on in the management letter, and may dictate the need for more extensive substantive procedures than were originally planned. 6.4.3 Tests of control through client visits Client visits, even External auditors of commercial banks are used to mailing confirmations to bor- as part of tests of rowers. But many MFI clients are illiterate, and many more do not receive mail service. Thus external auditors of MFIs must locate and contact a sample of clients control, are an directly. Visits are intended to confirm that the client exists and that the loan integral part of details represented in the files are valid and accurate. Client visits, even as part of tests of control, are an integral part of an MFI an MFI audit audit. Depending on how (un)reliably the MFI's internal auditors or business risk department are performing this function, the need for client visits can add sig- nificantly to the effort and cost of the external audit. Client visits should be unannounced. Otherwise, loan officers may "coach" the clients to cover up problems. Issues that may be addressed during a client visit are listed in box 6.4. This list would need to be adjusted for each MFI's methodologies and policies. The auditor should avoid asking leading questions. For instance, auditors should not ask, "Are your monthly sales $50?" Rather, they should ask, "How much do you usually sell each month?" Then if the client's answer is substantially different from what is shown in the loan file, the discrepancy should be investigated. Many entrepreneurs in the informal sector are reluctant to discuss their income candidly with strangers. If auditors find discrepancies between the information they get from clients and the information recorded in the loan file, they will need to exercise judgment in deciding whether a substantial problem exists. Ideally, the first set of client visits would be done during the third quarter of the fiscal year, because their focus is testing internal controls. Later client visits will probably be required--as substantive procedures--after the end of the fiscal year, to confirm year-end balances. The sample size for the first set of visits is likely to be smaller than that for the second, and should be developed as for any other test of control. (Determining the sample size for substantive procedures confirming year-end balances is dis- cussed in section 6.5.1.) 6.5 Substantive procedures Substantive procedures test year-end loan account balances using tests of detail and analytical procedures. 48 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 BOX 6.4 Illustrative issues for client interviews · Confirm the client's identity. Ask to check identification if the client has it. · Ask the client for the personal information that is contained in the loan file, espe- cially items that bear heavily on loan approval. · Ask the client for the information about his or her business and other sources of cash flow that appears in the loan file to justify loan and payment size. · Ask whether the client has an outstanding loan with the MFI. · Ask for the client's understanding of the loan amount and terms, including tim- ing and amounts of payments that he or she is supposed to make. Include the details of any compulsory savings requirements. · Ask whether the client made any payments in connection with getting the loan, or any other payments (for example, to the loan officer). The purpose here is to test for fraud. · Ask for the client's understanding of his or her outstanding loan or savings balances. · Ask for the client's understanding of whether he or she is current on the loan and, if not, how long the loan has been delinquent. · Check the client's passbook, if applicable. The auditor should verify the entries in the passbook and later trace them back to the MFI's general ledger (as well as to the delinquency report, if the client is not current). · Ask the client what collateral or guarantee he or she provided for the loan. Ask to see--and perhaps photograph--physical collateral that remains in the possession of the client. · Determine whether the clients' previous loans were paid in full in cash--as opposed to being canceled using the proceeds of a new loan, payment by check, or deliv- ery of collateral. Check this information against what is recorded in the MFI's loan tracking MIS. · Ask whether any of the client's relatives have outstanding loans with the MFI. 6.5.1 Tests of detail Client visits and sampling To test the year-end balance for the loan account, the auditor tests a selection of loans. As with tests of control, the auditor rather than management should make the selection, drawing the sample from a loan list whose total reconciles to the general ledger. Here again, unannounced client visits are a crucial part of the tests of detail. As indicated in box 6.1, serious problems that should be detected during an annual audit will be missed if adequate client visits are not carried out. The sample size for client visits, for the purpose of testing year-end balances, will usually be larger than the sample size for tests of control (box 6.5). Some MFI auditors visit as many as 10 percent of active clients. There is, however, no universal guideline for the percentage of clients to be visited. The sample size depends on the materiality level established and on the auditor's conclusions about the reliability of internal controls (based on the ini- tial assessment of the control environment and on the results of the tests of con- trol performed at an earlier stage). If tests of control have revealed that the MFI OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 49 BOX 6.5 Example of sample size determination for client visits The simplified example below illustrates how to define the sample size for testing the year-end loan balance through client visits. It is not meant to be normative in any sense. This example assumes statistical representative sampling. Audit and statistics texts should be consulted for further guidance. Assume that an MFI has total assets of $1,000,000, of which the gross loan port- folio balance is $900,000. The MFI has 3,000 clients, whose average outstanding bal- ance is $300. If a materiality factor of 1 percent is used and the critical component is total assets, then the materiality level is 1 percent of $1,000,000, or $10,000. The sample size could then be calculated by dividing the total account balance by the materiality level (or selection interval). In this case the sample size would be: Account balance $900,000 = = 90 selections (3.3 percent of the MFI's clients) Selection interval $10,000 Provided there is no loan larger than the $10,000 selection interval, the 90 selec- tions would equal 90 loans (3.3 percent of the MFI's clients). Thus the auditor would visit at least 90 clients. The determination of the materiality factor (or selection interval) should depend on the auditor's assessment of how much reliance he or she can place on internal con- trols. Audit firms have different approaches to this assessment. For example, if the auditor has high confidence in the MFI's internal controls, the materiality level could be raised to $12,000 (1.2 percent of total assets). The sample size would then be: Account balance $900,000 = = 75 selections (2.5 percent of the MFI's clients) Selection interval $12,000 A more likely situation in an MFI audit is that the auditor cannot place much reliance on the internal controls relating to the loan balance. Thus the materiality level might be lowered to $6,000 (0.6 percent of total assets), giving a larger sample size: Account balance $900,000 = = 150 selections (5.0 percent of the MFI's clients) Selection interval $6,000 If the auditor finds the MFI's internal controls to be highly unreliable, the mate- riality level might be adjusted to $4,500 (0.45 percent of total assets), giving a sam- ple size of: Account balance $900,000 = = 200 selections (6.7 percent of the MFI's clients) Selection interval $4,500 For MFIs with small numbers of clients, materiality levels may have to be set lower to yield the requisite degree of statistical confidence. In any event, there is inevitably a subjective element in assessing internal controls and choosing materiality levels, making it impossible to recommend specific sample sizes in this handbook. 50 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 has a well-developed internal operational audit function or business risk depart- ment (see section 3.5), the external auditor may be able to reduce the number of visits by relying on the work done by this unit. Reconciliation items MFIs process large numbers of loans and, as noted earlier, most loan tracking systems are not well integrated with general ledger systems. Thus it is not unusual to find reconciliation discrepancies. These discrepancies may or may not be wor- The external risome. For example, many microfinance programs have clients make loan repay- auditor should ments at banks for security reasons. Because banks typically wait several days decide whether before sending the documentation on the payments received, a program might insist that clients bring an extra copy of the payment deposit slip to the MFI the reconciliation for registry. Upon receiving this copy of the deposit slip, the loan tracking discrepancies MIS registers the payment. There will be a temporary discrepancy with the discovered accounting system, which picks up the transaction later, when the bank sends its copy of the deposit slip. But when the bank's deposit slips arrive, they may represent systematic be incomplete or assigned to an incorrect account, so that some payments stay weaknesses in suspense accounts until fully cleared. If over time a large number of trans- actions hang in suspense accounts that are not rigorously controlled, material distortions might arise, requiring that this weakness in the loan administration system be addressed. Another reconciliation problem arises when the loan tracking MIS automat- ically applies penalty interest for late payments, while in practice the MFI does not charge clients this amount. When the MFI calculates interest on a declining- balance basis, this difference often produces a small delinquent principal balance equal to the uncollected penalty interest. These differences may not be cleaned up until after the loan is paid off (without recovering the penalty interest) and taken off the loan tracking MIS. The external auditor should decide whether the reconciliation discrepancies discovered represent systematic weaknesses and a source of basic concern about internal controls, or whether they represent an acceptable (nonmaterial) level of mistakes inevitable in any large volume of transactions. If the discrepancies are large enough to be material, management should be required to explain them and reconcile the accounts in order for the audit to proceed. If management cannot do so, the auditor can- not issue a clean opinion. Even in cases where the discrepancies are not above the materiality threshold, they may suggest a serious inconsistency between systems that should be noted in the management letter. 6.5.2 Analytical procedures Because so much reliance is placed on an MFI's controls, substantive analytical procedures are important tests for the end of the reporting period. The external auditor should take the loan balance at the end of the reporting period and com- OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 51 pare it with the loan balance that was subjected to tests of control. In addition, loan portfolio data for the current year should be compared with data for previ- ous years. Significant fluctuations should be discussed with management. The auditor should also consider segregating the loan portfolio into similar populations for trend and characteristic analysis. For instance, the portfolio may be segregated by loan product, client or business type, or geographic location. The comparison of these sub-populations and trends in their activity or balances can be analyzed. The more detailed the analysis is, the higher is the level of con- fidence that sampling has produced a representative picture of the portfolio, and The auditor should that no material misstatement exists. determine whether the MFI stops accrual 6.6 Tests for interest receivable and interest income of interest, and Because interest is an MFI's main source of income, it needs to be tested carefully. reverses previously accrued but unpaid 6.6.1 Interest accrual interest, on loans If the MFI is accruing interest for accounting purposes, the accrued interest receiv- that are unlikely able balances should be tested in conjunction with the loan balances. The exter- to be collected nal auditor should understand the MFI's accrual policies and evaluate their reasonableness. In particular, the auditor should determine whether the policy stops accrual of further interest, and reverses previously accrued but unpaid interest, on loans that have gone unpaid for so long that the recovery of amounts due is highly unlikely. If the accrual and reversal policy is determined to be rea- sonable, the auditor should test whether this policy is consistently applied to all loans. In the absence of a sound policy consistently applied, interest income can be materially overstated. 6.6.2 Interest income testing Interest income should also be evaluated when testing the loan portfolio, analyt- ically or by tests of detail. The preferable method is through analytical review, performed by develop- ing an independent expectation of income and comparing it with the actual bal- ances recorded by the client. One type of analytical review compares interest income from the current period with interest income from the previous period, taking into account identified changes in the portfolio--such as growth--between the periods. A more powerful procedure, which should be performed in almost all MFI audits, is a yield gap analysis, which compares actual interest receipts with an independent expectation of what the portfolio should be yielding, based on the loan terms and the average portfolio over the period. By analyzing the terms of an MFI's loan contracts, the auditor can develop a theoretical interest yield--that is, the amount of revenue the portfolio should 52 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 generate if all interest is paid on time and according to contract. (A method for calculating theoretical yields can be found in CGAP Occasional Paper 1, "Microcredit Interest Rates," which is available on the CGAP Web site-- http://www.worldbank.org/html/cgap/occ1.htm--or in English, French, or Spanish from CGAP, 1818 H Street N.W., Room Q 4022, Washington, D.C. 20433, USA.) This theoretical yield should be compared with the actual interest income booked each period. (Loan fees and commissions can be included along with interest income for this purpose, or can be treated separately. If the theoretical The contractual yield is different for different types of sizes of loans within the MFI, weighted averaging can produce an overall yield estimate. The comparison of actual with interest yield on the theoretical yield should be done on a monthly basis or, if it is done on an annual portfolio should be basis, should use a monthly average of the loan portfolio in the calculation.) This analysis frequently shows a large gap between what the MFI should be earn- compared with ing and what it is actually earning. For instance, an MFI that collects its loans in actual interest monthly payments may have an effective contractual rate of 2.5 percent of the income booked average portfolio a month, but its actual interest income received may only amount to 1.5 percent a month. Ideally, this yield gap analysis should be done for each loan product. But MFI information systems seldom permit analytical segregation of interest income from different products. Where such separate analysis is desired, it may be more prac- tical to accomplish it through tests of detail. This yield gap analysis should be done as part of the testing of revenue accounts. It is mentioned here because the most common cause of a yield gap is loan delin- quency, so this test serves as a cross-check on portfolio quality.3 Other situations may also contribute to a yield gap. If an MFI is growing very rapidly, its interest income may be lower than the theoretical yield because a large percentage of its portfolio is in new loans whose first payment has not yet fallen due. Sometimes a yield gap turns out to be due to an inaccurate loan port- folio balance in the accounting system. Errors made in previous years may get passed along undetected to later years when the loan portfolio balance is updated by adding disbursements and subtracting payments and write-offs, with no inde- pendent check. If the auditor is unable to develop an overall analytic estimate of expected income, the yield gap issue can be addressed through tests of detail. In this approach a sample of loans is selected and expected interest income for the period is recal- culated according to the terms of the loan contracts. This expected income is then traced through the system to confirm agreement with the trial balance. In cases where a substantial yield gap has been identified, such testing of detail may sometimes reveal its cause. If the auditor chooses to use tests of detail, the tests should cover the entire period under audit. Whenever a material yield gap appears, the auditor should track down and report on its cause. If the cause cannot be determined, this fact should be clearly indicated in the audit report or in a note to the financial statements. OBTAINING AUDIT EVIDENCE: THE LOAN PORTFOLIO 53 6.7 Agreed-upon procedures for the loan portfolio Annex D provides illustrative procedures for testing two critical elements of portfolio management: the delinquency report, and compliance with the MFI's loan policies and procedures. Some of the procedures illustrated in this annex could overlap with those that would be conducted in the course of a regular annual financial statement audit. Volume 1 advises clients considering such procedures to discuss with the auditor which of the procedures make sense for the MFI and the extent to which those that make sense will be included in the regular finan- After discussion cial statement audit. with the auditor, Once these points have been clarified, the client should decide whether it wants to contract for agreed-upon procedures beyond the scope of the financial state- the client should ment audit. Such procedures might be requested for three reasons: decide whether it · They may be desired by the client but do not fall within the scope of the wants agreed-upon financial statement audit. procedures for the · They may be carried out as part of the regular audit work, but the client wants the work to be done more intensively--for example, using a larger sample than loan portfolio the auditor would normally have selected. · They may be no different from what would be done as part of a regular audit, but the client wants written documentation of the specific tests performed and the results obtained, which are not normally provided in a financial statement audit report. Notes 1. MFIs that are planning to upgrade their MIS and are willing to invest major effort in doing so should consult Charles Waterfield and Nick Ramsing, Handbook for Management Information Systems for Microfinance Institutions (New York: Pact Publications, for CGAP, 1998). 2. Some of the tasks described in this section can be done more effectively by the MFI's internal auditors. Internal auditors generally know more about the issues involved, and their feedback will usually flow more directly into daily operations, loan officer train- ing, and product and system design. 3. For a method of calculating the impact of a given level of loan delinquency on an MFI's yield gap, see Martin Holtmann and Rochus Mommartz, Technical Guide for Analyzing the Efficiency of Credit-Granting Non-Governmental Organizations (NGOs) (Saarbrücken: Verlag für Entwicklungspolitik Saarbrücken GmbH, 1996). CHAPTER 7 Obtaining Audit Evidence: Loan Loss Provisions and Write-offs This chapter provides guidance on testing the adequacy of an MFI's provisions for loan losses. It also briefly discusses issues associated with writing off unrecoverable loans. It begins by providing background on both issues, then discusses appropriate tests of control and substantive procedures. 7.1 The importance of loan loss provisions The financial statements of MFIs often contain loan loss provisions that are mate- rially inadequate. Yet external auditors often give clean opinions on such state- mentswithoutsufficientdisclosure--letaloneevaluation--oftheMFI'sprovisioning policy. In 1996 Corposol, the largest MFI in Columbia, came to the brink of col- Every MFI audit lapse because of deterioration in portfolio quality that had been drastically under- should include stated in its annual audit by a "big six" auditing firm affiliate. The loan portfolio shown in Corposol's statements turned out to be overstated by millions of dollars. careful testing of Every MFI audit should include careful testing of loan loss provisions. Without loan loss provisions adequate allowance for likely losses, the loan account on the balance sheet can be materially misstated. Likewise, loss provisioning directly affects an MFI's prof- itability, because it flows through to the loan provision line item in the income statement. Finally, an accurate loan loss allowance on the balance sheet gives a good initial indication of the competence with which the MFI is managing the riskiest aspect of its business--loan delinquency. The bulk of the following discussion is devoted to "scientific" provisioning, based on an aging of the present portfolio and an analysis of the historical per- formance of portfolio cohorts in previous years. Small MFIs may be better served by a less elaborate system. Whatever the approach, what is important is to have a provisioning policy that is reasonably related both to historical loss experience and to the current status of the portfolio. A small MFI may simply provision a fixed percentage of its portfolio based on its overall loss experience in previous years. Sometimes a percentage of each loan is provisioned at the time of its disbursement. In such cases the MFI needs to check occasionally to make sure that the cumulative amount provisioned main- tains a reasonable relationship to the total outstanding portfolio. In other cases individual loans are not provisioned when made, but the provision on the over- all portfolio is adjusted periodically to keep it at an appropriate percentage. 55 56 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 When these simple methods are used, the percentage that is provisioned should be based on historical loss rates (at least in cases where the MFI is old enough to have historical data). Thus the auditor must look at how those loss rates have been determined. The provisioning percentage should be based on the amounts written off each previous year relative to the average outstanding portfolio dur- ing that year. As is discussed below, however, many MFIs do not write off loans aggressively or consistently. In such cases the percentage to be provisioned should be related not to accounting write-offs, but to the real portion of prior loans that have become unrecoverable. Once the historical loss rate has been roughly estimated, provisioning also has to take into account the situation of the present portfolio. If delinquency lev- els are higher today than they have been in the past, provisions should be set at a level that is higher than the historical loss rate. The same would be true if the MFI is aware of any other factor (such as an economic crisis) that will affect the likelihood of its collecting the present portfolio. The materiality of provisioning methods depends on the quality of the MFI's portfolio. If external auditors are satisfied that levels of default and delinquency have genuinely been very low, there is less need for detailed testing and fine- tuning of the MFI's provisioning percentage. TABLE 7.1 Large MFIs, or those that are preparing for massive growth, should consider An illustrative loan aging the more scientific approach to provisioning that is customary in the banking schedule and correspond- industry. This approach involves segmenting the loan portfolio into aging cate- ing loss provisions gories--that is, according to how many days late the most recent payment is-- and then assigning a different percentage to be provisioned for each category, Share provisioned depending on the perceived level of risk. Loan status (percent) The aging categories chosen should be related to the payment period of the loans (say, weekly or monthly) and also to critical points in the follow-up process Unrescheduled Current 0 for delinquent loans. For instance, if the branch manager intervenes in follow-up 1­30 days late 10 after 90 days, this should be a breaking point in the aging schedule. Loans should 31­90 days late 25 be separated out from the "current" category as soon as they are even one day 91­180 days late 50 late. An illustrative aging schedule, with provisioning percentages for each aging >180 days late 100 category, is shown in table 7.1. In using this schedule, the provisioning percentage Rescheduled Current 10 is applied to the entire outstanding balance of the loans in each category (portfolio at risk, 1­30 days late 25 or PAR), not just to the amount of the late payments. 31­90 days late 50 The provisioning percentage chosen for each aging category will determine >90 days late 100 the overall loan loss provision. In a licensed MFI the aging schedule and provi- sioning percentages will usually be prescribed by the regulatory authority, so the auditor only has to check to see whether the MFI's provisioning complies with the rules. In unlicensed MFIs the preferred method is to base the provisioning percent- ages on a historical analysis of how the portfolio has performed. Using this method, the MFI takes a cohort of loans from an earlier period, long enough ago so that it knows the ultimate outcome of almost all the loans in the cohort. This earlier cohort is segmented according to the same aging schedule used for the present OBTAINING AUDIT EVIDENCE: LOAN LOSS PROVISIONS AND WRITE-OFFS 57 portfolio. Then, for each aging category in the earlier cohort, the MFI determines what percentage of the loan amounts went unrecovered. These percentages are used to provision the present portfolio in the same aging categories, unless some change in circumstances in the present portfolio calls for different percentages.1 Most MFIs will not be able to provide this sort of historical analysis. The data on past loans may no longer exist, because many MFIs follow the unfortunate practice of eliminating loans from their MIS once they are paid off. Or, if the data exist, converting them into a usable format for analysis may be impossible. In such cases the MFI's provisioning percentages will usually be based on management's The best provisioning intuitive estimates. The auditor could test these provisioning percentages by tak- policy in the world ing a sample of older loans and seeing how well the amounts ultimately collected on those loans correspond to the predictions implicit in the provisioning per- will generate distorted centages the MFI is using. results if it is applied Where historical loss information is not available, MFIs occasionally estimate their loan loss provisions based on a "recovery rate" indicator that divides amounts actually to erroneous portfolio received during a period by amounts that fell due under the terms of the original loan information contract during the same period. It is tempting to assume that a recovery rate of 97 per- cent, for instance, translates into an annual loan loss rate of 3 percent of the portfolio. But this is a serious error, because it fails to recognize that the recovery rate is based on loan amounts disbursed, which can be almost double the outstanding portfolio appearing in the MFI's books; and that the amount of loss implied by the recovery rate occurs each loan cycle, not each year. For an MFI that provides three-month loans repaid weekly, a 97 per- cent current recovery rate translates into a loss of 22 percent of its average outstanding portfolio each year. Even if auditors are satisfied with the reasonableness of an MFI's provision- ing policy, they still need to examine whether it is being implemented consistently. More important, the best provisioning policy in the world will generate dis- torted results if it is applied to erroneous portfolio information. As discussed elsewhere, the auditor's basic starting point has to be assuring the correctness of the information in the loan tracking MIS, with respect to amounts and delin- quency status. 7.2 The need for loan write-offs Many MFIs do not have defined write-off policies. Write-offs are often done reluctantly and arbitrarily. An MFI may feel--not always justifiably--that for- mally recognizing a loan as a bad debt sends a message to its loan officers and clients that the institution is no longer interested in recovering that outstanding balance. Thus the MFI prefers to carry the nonperforming loan on its books. Because most MFIs are nonprofit organizations that pay no income tax, they have no tax incentive to write off loans. For example, one MFI in Guatemala carried all bad debts on its books for years and accumulated a portfolio-at-risk indicator of almost 15 percent. This means 58 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 that 15 percent of its outstanding balance was considered problem loans--of which 9 out of 10 were overdue by more than 180 days, and therefore very unlikely to be collected. Had the MFI written off all loans that were more than 180 days past due each year, its portfolio-at-risk rate would have been just 1.5 percent. However, the MFI was unwilling to correct this distortion because the correction would have involved a huge one-time loss on its income statement. Instead the MFI continued to avoid writing off its bad loans, thus overstating its income and assets, while mak- ing its present portfolio appear worse than it really was. If an MFI has no If an MFI has a policy on write-offs, the auditor should examine whether it is reasonable. If there is no policy, the auditor should suggest one. A write-off pol- policy on write-offs, icy needs to recognize that legal collection of tiny loans is not cost-effective in the auditor should most poor countries. MFIs can pursue delinquent clients through legal proceed- ings to set an example, but the legal costs usually exceed the amount collected, suggest one reducing the net recovery below zero. Loans should be written off when the prob- ability of recovery gets very low, which often happens long before legal remedies have been exhausted. Assuming that the MFI has a reasonable write-off policy, the next question is whether it is being consistently implemented. The external auditor of a normal commercial bank might conduct a detailed review of individual write-offs, check- ing each against policy and applicable regulations. Such an approach is probably not cost-effective when auditing an MFI, beyond testing a modest sample of loans written off. Some attention to the MFI's write-off practice should be expected in any finan- cial statement audit. However, the materiality of this issue, and the amount of effort devoted to reviewing it, will depend on the quality of the MFI's portfolio. In cases where loan default has been genuinely low, the write-off issue is less mate- rial in the context of the overall financial statements. Audited financial statements should always include a clear and precise expla- nation of the MFI's write-off and provisioning policy and practice (see annex A). Where there is no policy, or the auditor has concerns about its reasonableness, disclosure should be made in the appropriate place--in the management letter, the financial statements, or even the opinion letter, depending on the seriousness and materiality of the issue. 7.3 Tests of control The auditor should look closely at the accounting system and the loan tracking MIS to determine whether they are timely and accurate. Tests of control in this area should include: · The accuracy of the report showing delinquent loans · Noncash paydown issues--that is, the treatment of loans that are brought cur- rent through some means other than paying the cash that is due (for example, OBTAINING AUDIT EVIDENCE: LOAN LOSS PROVISIONS AND WRITE-OFFS 59 through refinancing, restructuring, issuance of a parallel loan, payment by check, or delivery of collateral) · The MFI's loan loss provisioning. 7.3.1 Report accuracy The external auditor must test the accuracy of the delinquency report, including the aging of arrears. Much of this work may have been done in connection with tests of control for the loan portfolio (see chapter 6). The auditor should Intestingthemathematicalaccuracyofthedelinquencyreport(includingaging), examine MFI policies manual calculation can be very time-intensive. If the MFI has a computer-gener- ated delinquency report, the auditor should consider testing it using a computer- and procedures for loan assisted audit technique. In this approach the contents of the report are loaded rescheduling into Lotus 1-2-3 or Microsoft Excel. By using Structured Query Language (SQL) software such as ACL or Easytrieve, the auditor can take the delinquency infor- mation and recalculate footings, re-age the report, and recalculate the required loan loss provisions. 7.3.2 Noncash paydown issues MFI delinquency reports often show loans as current, or treat them as having been paid off, when in fact clients have not come up with the cash needed to meet their obligations. (For more detailed treatment of these topics, see sections 5.2.4 and 5.2.5 of volume 1 and section 6.5.1 of this volume.) When a client falls behind on a loan, many MFIs will reschedule (restructure) the loan by adding unpaid interest to the principal balance and creating a new amortization schedule. The restructured loan may be shown as current in the delinquency report, which misrepresents its real risk level. Obviously, a loan that had to be rescheduled is at higher risk of nonpayment than a loan that is being paid promptly according to its original terms. The auditor should examine MFI policies and procedures for loan resched- uling. These should provide clear answers to the following questions: · What conditions must be present to qualify for rescheduling? · How many times can a customer reschedule a loan? · Who has the authority to approve a rescheduling? · How is a loan accounted for once it is rescheduled? · Is accrual of interest income discontinued until payments have been received subsequent to the rescheduling? · Is a rescheduled loan automatically aged in the "current" category, or does a separate category exist to reflect its higher risk? Some MFIs simply prohibit rescheduling. In MFIs that allow it, policies and procedures should be flexible enough to assist an occasional client in real need, 60 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 but conservative enough to prevent abuses. Many MFIs have serious delinquency problems that are hidden--deliberately or inadvertently--through heavy use of rescheduling. It is not uncommon to find cases where 15­20 percent (or more) of the portfolio has been rescheduled, while the MFI reports a very low delin- quency rate. The auditor should also test whether rescheduling policies and procedures are being complied with in practice. This is a fairly straightforward task if the delin- quency report segregates or otherwise flags loans that have been rescheduled, Testing is more because a suitable sample of rescheduled loans can easily be selected for testing. Testing is more difficult when the loan tracking MIS does not segregate resched- difficult when uled loans. In such cases the auditor can take a larger sample of loans shown as the loan tracking current and investigate their repayment history to identify cases of rescheduling. (More detailed procedures for this sort of testing are described in annex D.) MIS does not segregate Another common paydown issue occurs when a delinquent loan is paid down rescheduled loans through refinancing--that is, when a new loan is issued to the delinquent client to pay off the delinquent loan--or through issuance of a parallel loan whose proceeds areusedtobringthedelinquentloancurrent.Hereagain,testingisrelativelystraight- forward in the (unusual) case where the MFI's loan tracking MIS flags such occur- rences. Otherwise, the only way to test is to take a sample of loans shown as current and check the payment history on prior loans to the client. Where there was a pay- ment problem with a prior loan, or even a prepayment of a prior loan, the auditor may investigate to determine the circumstances. If the MFI does not maintain prior loan information in its MIS, such a process can be extremely burdensome. Loans are sometimes paid off by checks (including post-dated or third-party checks) or by delivery of physical collateral such as machinery. In either case the delinquency report may show the loan as current, even before the check or collat- eral is converted to cash. The amount in question disappears from the loan portfo- lio and shows up in another account--such as a miscellaneous receivable or a fixed asset account--where it may sit for a long time. The asset may never be converted into the cash that was needed to pay down the loan, but the delinquency or loan loss involved will not show up in the loan tracking MIS. This is particularly a problem with physical collateral like machinery, because it often has to be sold for less than its valuation as collateral. If the MIS does not flag such abnormal paydowns, testing for their presence involves complications similar to those noted above. 7.3.3 Loan loss provisioning The issues associated with loan loss provisioning were detailed in section 7.1. The auditor must clearly identify the MFI's policies and procedures (or absence thereof). Where policies are clear, the auditor should assess their reasonableness, includ- ing their consistency with the historical performance of the MFI's portfolio. After assessing the MFI's policy on provisioning, the auditor must test com- pliance with it by reviewing a sample of loans--usually in conjunction with the other testing of the loan portfolio discussed in chapter 6. OBTAINING AUDIT EVIDENCE: LOAN LOSS PROVISIONS AND WRITE-OFFS 61 7.4 Substantive procedures The auditor should subject the MFI's provisioning and write-offs to tests of detail and to analytical procedures. 7.4.1 Tests of detail At the end of the fiscal year the auditor should make a detailed selection of spe- cific loans using the materiality level defined for the MFI. This sample of loans The auditor should should be tested to confirm the year-end balance for loan loss allowance. If test a sample of loans tests of control have confirmed that the auditor cannot rely on the MFI's inter- nal controls on loan loss provisions, the sample for the substantive testing will to confirm the year-end need to be larger. In addition, the external auditor should look at a sample of balance for loan loss arrears from prior loans, or from the previous year, and determine how the arrears were resolved. allowance As part of substantive tests of detail, the auditor should test all components of the provisioning for loan losses, including: · Allowance for loan losses at the beginning of period · New provisions · Write-offs of loans · Allowance for loan losses at the end of period. When testing write-offs, the auditor should ask the following questions: · Why did the write-off occur? · Does the borrower have other loans with the MFI? · Who authorized the write-off? · Was the authorization in accordance with policy? · Was the write-off adequately reflected in the accounts? 7.4.2 Analytical procedures In a commercial bank audit, substantive analytical procedures lend themselves well to auditing provisions for loan losses. This may not be true for MFIs. Because MFI loans often have a maturity of less than one year and loan data may be unde- pendable, auditors often cannot rely on trend data for past periods to establish an expectation for the period under audit. If trend data can be relied on, trends and expectations can be developed for: · Write-offs as a percentage of loans · Subsequent recoveries of amounts written off, as a percentage of write-offs or of total loans 62 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 · Delinquency patterns, including delinquency broken down by age as a per- centage of the portfolio, or concentrations of delinquency (say, by branch, region, or loan product). Whether such analytical procedures are worth the effort must be determined for each MFI. 7.5 Compliance with laws and regulations Auditors of licensed MFIs should confirm whether loan loss provisions comply with the reserve percentages and other requirements of the regulatory authority. Where a regulatory institution requires specific reserve percentages, a corre- sponding restriction on capital may also be required. For example, certain bank superintendencies in Latin America require reserves for all loans more than 90 days past due, and impose a restriction on capital for the same amount. Note 1. For a discussion of loan loss provisioning and write-offs for MFIs, see section 2.2.2 of Robert Peck Christen, Banking Services for the Poor: Managing for Financial Success (Somerville, Mass.: Accion International, 1997). CHAPTER 8 Obtaining Audit Evidence: Cash and Equivalents MFIs often hold and transfer cash in a relatively informal manner, making cash and equivalents an important account balance in an exter- nal audit. This chapter provides guidance on auditing MFI practices related to the disbursal of cash and recording of cash transactions. Cash and equivalents includes cash held at banks as well as cash on hand at head- quartersandbranches.ManyMFIsmaintainrelativelylargecashbalancesatbranches because cash must be available to disburse a large number of small loans. If an MFI accepts savings, cash on hand at the branch must be sufficient to cover withdrawals. The lack of commercial banks in some areas, unavailability of wire transfers, and security problems in moving cash also contribute to high levels of cash on hand. Liquidity risk may The external auditor should pay close attention to the MFI's policies and proce- be higher for MFIs dures for handling and recording cash, particularly in cashier or teller operations. than for commercial banks or other 8.1 Potential business risks businesses In the area of cash and equivalents, the main business risks for an MFI are liq- uidity risk and fraud risk. 8.1.1 Liquidity risk Liquidity risk may be higher for MFIs than for commercial banks or other busi- nesses. In the absence of normal collateral and guarantees, MFI clients' motiva- tion to repay their loans is closely linked to their expectation that good repayment performance will be rewarded with easy access to repeat loans. When a liquidity crisis forces an MFI to defer repeat loans, word spreads quickly, often resulting in severe outbreaks of delinquency on other clients' outstanding loans. Most MFIs rely heavily on donor funding. The size and frequency of donor disbursements are not always well matched to MFIs' business needs. In addition, unanticipated delays in disbursement are common, making it harder for MFIs to plan cash flows. Most donors insist that their funds be managed in a bank account dedicated exclusively to their disbursements. Multiple donors, or even multiple projects from 63 64 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 the same donor, may force an MFI to maintain multiple bank accounts, further com- plicatingliquiditymanagement.ThusanMFImayfacealiquidityproblemevenwhen ithasfundsonhand,ifdonorrestrictionspreventthosefundsfrombeingusedtomeet the MFI's immediate needs. (Such difficulties can sometimes be overcome if the MFI uses a sophisticated fund accounting system similar to cost center accounting.) The information gap between MFI branches and the head office can also com- plicate liquidity management. Management must obtain timely financial infor- mation from branches to ensure that balances are appropriate and to monitor The auditor should unusual activity that needs to be investigated. To appraise liquidity risk, the auditor should evaluate whether the MFI is main- investigate whether taining prudent liquid balances (which may be proportionately higher than those the control needed in other businesses, for the reasons noted above) and whether the MFI has an adequate system for projecting its sources and uses of cash. If there are environment creates obvious weaknesses, these should be noted in the management letter. At the same opportunities for time, the MFI must understand that the auditor is not responsible for the accu- fraud or collusion racy of forward-looking projections. 8.1.2 Fraud risk Fraud--both internal and external--and robbery are significant risks for MFIs. Most MFI security systems are unsophisticated. The absence of guards or secu- rity cameras in branches makes MFIs susceptible to robbery. Once an MFI has been identified as an easy target, robberies may occur frequently until drastic safety measures are taken--measures that often force fundamental changes in pay- ment procedures. The external auditor should ask whether robbery has been a problem for the MFI. Internal fraud may include tellers "borrowing" funds from their cash draw- ers and misrepresenting their cash counts at the end of the day, sometimes in collusion with branch managers. MFIs that require loan officers to collect pay- ments need strict cash and physical controls to ensure that amounts collected are reported and turned over promptly. MFIs are also subject to external fraud-- for example, when someone impersonating a client uses a stolen passbook to withdraw cash. While the potential fraud from any one cash transaction is not large in an MFI, frequentoccurrencesofsucheventscancreatesignificantproblems.Frequentoccur- rences usually result from lax internal controls. The auditor should investigate whether the control environment creates opportunities for such fraud or collusion. If controls are inadequate, this should be noted in the management letter. 8.2 Potential audit risks A major cause of control risk is lack of proper segregation of duties for cash trans- actions. An employee who handles cash should not be responsible for recording OBTAINING AUDIT EVIDENCE: CASH AND EQUIVALENTS 65 or reconciling cash on the general ledger. Tellers can complete their own cash sheets, but at the end of every day an independent employee should count the cash to ensure that the recorded balances are correct. Many MFIs do not have enough branch staff to segregate these duties. In such cases an internal audit func- tion should regularly check branch-level transactions. 8.3 Tests of control The auditor should The auditor should conduct three tests of control for cash and equivalents. test for control processes on the 8.3.1 Test for segregation of duties movement of cash The auditor should examine segregation of duties or internal controls for cash transactions. This would include determining whether the handling and record- ing of cash--at both branches and the head office--are performed by different personnel. As noted, however, an MFI with resource constraints may have a sin- gle person responsible for both handling and recording cash. (This unique envi- ronment must be taken into account when testing not only cash transactions, but also the loan portfolio and deposit account balances.) If an MFI has internal auditors, their work should be considered when test- ing controls on cash. The internal audit department should routinely perform unannounced cash counts. Such counts should be examined and tested by the external auditor. If an internal audit function does not exist or if cash count pro- cedures are not being performed, the external auditor should conduct this pro- cedure, and the deficiency should be noted in the management letter. 8.3.2 Test the movement of cash within the organization The auditor should test for control processes on the movement of cash (includ- ing disbursements and receipts) within the MFI and among branches and the head office. In addition, MFIs use interbranch accounts that have "due to/due from" bal- ances for cash transfers between branches. The interbranch accounts should be reconciled, at least at the monthly close. The auditor should ensure that these activities are being performed, and test the reconciliations. 8.3.3 Test bank reconciliation procedures Finally, the auditor should test reconciliation procedures for the MFI's accounts with other financial institutions. The auditor should pay special attention to the review of approvals and clearing of large reconciling items, if any. Large recon- ciling items should usually not exist unless large cash transfers occur at the end of the period. 66 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 Typically, if branches are organized under regional offices, bank reconcilia- tions are performed by regional accountants and reviewed at the head office. The auditor should test controls on these reviews. 8.4 Substantive procedures It is difficult to perform analytical procedures for MFI cash accounts. The audi- The auditor should tor should perform tests of detail for cash in banks and cash on hand. For cash in banks, the auditor should ask the MFI to prepare standard bank perform tests of confirmations for all accounts maintained at other banks as of the end of the report- detail for cash in ing period. The confirmations should indicate the name and account number and confirm balance information as of the date indicated. All confirmations should banks and cash be sent and replies received directly by the external auditor. Each cash account on hand should be reconciled from the bank statement to the MFI's general ledger. All reconciling items should be explained and documentation should be requested when they are material. All bank statements from the end of the reporting period through the end of field work should be requested and subjected to testing. Testing the subsequent bank statements may identify unrecorded liabilities. For cash on hand, the external auditor should test documentation of the unan- nounced cash counts performed. At the end of the reporting period, cash on hand should be counted by personnel independent of the branch's day-to-day opera- tions. Interbranch transfers should be reviewed and reconciled to the general ledger. Any cash suspense accounts should also be reviewed for recurring use and aging of reconciling items or inability to reconcile to the cash accounts. After the cash balances have been audited, the external auditor should be satisfied that the cash has not been materially overstated and has been properly disclosed in the financial statements. Finally, if there is no segregation of duties and adequate internal controls do not exist, the auditor must expand testing to examine the record of late loan repay- ments and determine whether these were actually made (to the loan officer) by visiting late-paying clients and requesting information about their outstanding loan balance and payments made to date. These visits can be made at the same time as the visits used to test the loan portfolio balance (see chapter 6). CHAPTER 9 Obtaining Audit Evidence: Capital Accounts This chapter covers a few distinctive issues that may arise in the audit of an MFI's capital accounts. The composition of the equity section of an MFI's balance sheet will depend on the institution's legal structure. In an MFI organized as a nonprofit organization, the institution's net worth is usually treated as a fund balance, which conceptually is an aggregate of accumulated donations and retained earnings or losses. This fund balance is not available for distribution to private parties; laws or the orga- nization's charter define what happens to the fund balance in the event of disso- The MFI may lution. An MFI organized as a corporation will show a normal equity account, record a conditional reflecting shareholder claims on the business. Donor requirements may influence the treatment of the capital account. An grant as a liability unconditional grant simply increases the MFI's fund balance. But some donors until the potential provide conditional grants, which may require repayment if specific events occur. The MFI may record a conditional grant as a liability until the potential encum- encumbrance is brance is removed, either by the termination of the project agreement or by writ- removed ten notification from the donor that the funds are unencumbered. At this point the grant passes to the capital account. Some donor loans require that an MFI adjust its earnings downward to reflect the implicit subsidy provided by the donor in the form of a below-market inter- est rate. This means that the MFI would record an additional expense on the income statement, and a corresponding entry in a separate capital account that reflects the subsidy. Some MFIs voluntarily reflect this form of capitalization in their financial statements, and should be allowed to continue to do so if local standards permit. In many countries that have experienced high inflation, MFIs are required to use inflation-based accounting, which reduces income and retained earnings to reflect the loss of real value of financial assets due to inflation. In other countries some MFIs adopt such a practice voluntarily. If the MFI presents financial state- ments containing such adjustments, the auditor should verify their calculation. Some MFIs provide financial information to industry databases or rating agen- cies in a form that permits separation of the effects of inflation and various forms 67 68 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 of subsidy in their financial results. Donors are increasingly asking for similar information. External auditors should refer to annex A, which strongly recommends including this kind of information in MFI financial statements or notes. These adjust- ments are important for two reasons: · They permit meaningful comparison of performance of MFIs operating in different countries, or with different funding structures · They allow analysts to judge an MFI's potential ability to massify its opera- MFI financial tions using unsubsidized funds. statements should Where accounting standards do not permit the inclusion of these adjust- contain the information ments in the main body of the financial statements, they should be presented in the notes to the statements. Wherever the information is presented, the external needed to calculate auditor is responsible for verifying that it is free from material misstatement. inflation and subsidy adjustments 9.1 Potential business risks The two main business risks relating to MFIs' capital accounts are fiduciary risk and regulatory risk. 9.1.1 Fiduciary risk AnMFI'scapitalpresentsfiduciaryriskbecausedonorsoftenrequirethattheirfunds be segregated from the MFI's other funds and activities. For instance, if a donor restricts its funds to specific educational or lending programs, the MFI must seg- regate such funds in both its cash and capital accounts through an adequate fund accountingsystem.IftheMFIcomminglessuchdonorfunding,itriskslosingfuture funding, and may even be legally obligated to return funds already received. 9.1.2 Regulatory risk Regulatory risk related to capital is high for MFIs that are subject to regulation by financial authorities--usually MFIs that accept deposits. Almost all regulators set minimum capital levels and capital-asset ratios to promote safety and sound- ness. In addition, regulated intermediaries are often required to retain a certain percentage of their capital surplus (retained earnings). Failure to comply with these requirements can have drastic consequences, including closure of the MFI. 9.2 Tests of control When testing capital accounts in an MFI, the external auditor should examine controls regarding: OBTAINING AUDIT EVIDENCE: CAPITAL ACCOUNTS 69 · Authorization by the board of directors for all nonrecurring capital transactions · Classification of restricted and unrestricted fund balance activity · Compliance with other requirements of donor agreements · Adherence to laws and regulations surrounding issues of capital adequacy, including calculation of regulated capital requirements. 9.3 Substantive procedures When auditing the capital section of the financial statements, auditors should examine current-year earnings or losses recorded in retained earnings, and other capital contributions made by donors or shareholders. The external auditor should ask the MFI to prepare a schedule that begins with start-of-period capital balances and details all transactions during the year. The end-of-year balances on the schedule should agree with the balance sheet. Some MFIs record donations directly to capital without passing them through the income statement. In addition, many convert long-term loans from donors into equity without passing the transaction through the income statement. If local accounting principles allow these practices, the external auditor should make sure that this activity is disclosed and adequately explained in the notes to the financial statements. The external auditor should perform tests of detail for capital-related trans- actions. Because the capital account balance is so important, sampling techniques are usually not used: the entire population of transactions should be tested. CHAPTER 10 Obtaining Audit Evidence: Payables and Accrued Expenses MFIs are exposed to possible understatement in payables and accrued expense accounts because they often lack well-defined policies, apply policies inconsistently, and have decentralized operations. This chap- ter provides guidance on testing for misstatements in this area. Although payables and accrued expenses are not usually major risk areas for com- mercial banks, MFIs may be subject to greater risk because of poorly defined or inconsistently applied policies. Problems with payables occur because MFIs have decentralized operations. Communication or MIS problems may lead to a failure to record branch-level purchases in the proper reporting period, creating a "cutoff" problem. Problems with MFIs vary in their use of accrual accounting. Many use cash accounting. Others payables occur take the conservative approach of accruing expenses but not interest income. For accrued expenses, problems may occur with: because MFIs have decentralized · Accrued interest expense · Adjustment of interest expense for currency devaluations operations · Accrued payroll expense. Accrued interest expense usually relates to an MFI's commercial borrowing or to interest owed to depositors. In some MFIs accrued interest expense may not be calculated properly. For commercial borrowing the external auditor must deter- mine, based on the terms of the borrowing and stated rate, what is owed to lenders but not paid as of the end of the reporting period. Accrued interest on deposits can be harder to test. The auditor typically tests this by analytical means. If inad- equate data make analytical testing difficult, tests of detail for individual accounts may be more appropriate. For both borrowing and deposits, accrued interest expense is typically tested substantively. Some MFIs are exposed to volatile foreign currencies. Thus accrued interest expense may be understated due to currency devaluations. The auditor must track currency fluctuations during the reporting period and recognize their effects on accrued liabilities such as interest expense. The application and accuracy of such rates should be tested substantively. Finally, the auditor must verify that these adjustments are adequately disclosed in a note to the financial statements. 71 72 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 When testing accrued expenses, the auditor should pay particular attention to payroll expenses, which are proportionately high for MFIs. Many MFIs have an extra payroll obligation at the end of the calendar year that may not have been accrued. The expense of any employee days worked but not yet paid requires accrual. Both tests of control and substantive procedures should be applied to pay- roll expenses. Both tests of control 10.1 Tests of control and substantive procedures should 10.1.1 For payables Tests of control are applied to the validity of payables. The external auditor should be applied to payroll take a sample of disbursements and test for the following: expenses · Authenticity · Authorization · Proper recording in the proper period · Mathematical accuracy · Matching to purchase orders and bills of lading · Payment amount (as per checkbooks) · Segregation of duties. 10.1.2 For accrued expenses Accrued payroll expenses lend themselves to tests of control, including: · Authorization of hours worked · Authorization of bonuses and incentive pay · Total hours reported to payroll records by employees · Employee pay rates and appropriate authorization · Examining for "ghost" employees. 10.2 Substantive procedures 10.2.1 Tests of detail The external auditor should ask the MFI for a complete list of all checks written after the end of the reporting period through the end of the field work, along with a detailed payables subledger. The subledger should identify each invoice, the date the services were performed or received, and the amount of the payable. In addition, the auditor must understand the method used for each of the accrued expenses recorded as of the end of the reporting period. OBTAINING AUDIT EVIDENCE: PAYABLES AND ACCRUED EXPENSES 73 The auditor should test the payables balance for understatement, to see whether the MFI has accounted for all of its payables. This can be accomplished through a search for unrecorded liabilities. The auditor should also test a sample of check registers for the period subsequent to the end of the reporting period. For each selection the auditor should obtain supporting documentation and evaluate whether the invoice amount was properly included or excluded from the year-end payable or accrual balances. If the services were performed prior to the end of the report- ing period, the invoice should be traced to the payables listing provided by the MFI. Invoices for services performed after the end of the reporting period should Accrued interest be checked to confirm that the invoice was properly excluded from the MFI's expense and related payable or accrual detail. Any discrepancies with purchase orders or bills of lad- ing should be noted. currency adjustments Accrued interest expense and related currency adjustments should be sub- should be substantively stantively tested at the end of the reporting period. It is common for external audi- tors to combine these tests with those for borrowings and deposits. tested at the end of the reporting period 10.2.2 Analytical procedures Balances for accrued expenses may be based on estimates by management. In such cases the external auditor should develop an independent expectation of the accrued expenses and compare it with what the MFI has recorded. An independent expec- tation for payroll may be a percentage of the average payroll run obtained from an independent or reliable source. The payroll register may be relied on if tests of control have determined that the internal controls for payroll are effective. CHAPTER 11 Obtaining Audit Evidence: Savings and Deposits Many MFIs are starting to develop savings schemes. As guarantors of the public's money, such MFIs may be regulated. This chapter pro- vides guidance to external auditors on concerns associated with the unique characteristics of an MFI's savings account balance. Many MFIs provide only lending services and do not accept savings or other deposits from the public. Others condition their loans on compulsory savings requirements: borrowers must make a certain level of deposits before or during loans. Conceptually, such a system is not really a deposit service for the client. Rather, it should be thought of as an added cost of the loan service, in the form of a compensating balance. These deposits may be placed with a commercial The external bank, but more often they are held by the MFI. Even when the MFI holds the auditor should deposit, the client is a borrower who usually owes the MFI more than the MFI owes the client, so the client is not in a net at-risk position. Thus financial author- require a clear ities usually do not impose a licensing requirement on MFIs that take compul- indication of the sory savings. If compulsory savings are kept on deposit with the MFI, the external auditor rules for compulsory should require a clear indication of the rules for these accounts and test that they savings accounts are being properly applied. When these rules are ambiguous, it can lead to expro- priationofclientbalancestocoveroutstandingloanpaymentswithouttheexpressed consent of the client. This issue can be particularly complicated in group guar- antee schemes where the savings of one group member are used to cover the loan payment of another member. A small but growing number of MFIs are moving to capture voluntary savings from the general public, including clients who are not borrowers. Voluntary savings services can be extremely valuable to poor clients, who often lack access to deposit facilities suited to their needs. But MFIs that offer such services can put depositors at serious risk. Most MFIs do not have the systems or strong portfolio management required to provide safe, high-quality vol- untary savings services. Thus local laws usually require that an MFI be licensed and supervised by the financial authorities before it can take voluntary deposits. A licensed MFI needs sophisticated systems to deal with regulatory reporting requirements. 75 76 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 11.1 Potential business risks Accepting voluntary deposits creates regulatory and liquidity risks. Sophisticated cash management analysis needs to be performed regularly to ensure that the MFI can honor withdrawal requests promptly. 11.2 Tests of control Client visits are For the savings account balance, the auditor should perform tests of control for required to test the MFI's teller (cashier) operations and other cash handling activities. Of par- savings in MFIs ticular importance are teller processes, applications of deposits to individual accounts, and the segregation of deposits from loan payments. In addition, the with many small auditor must test for adherence to applicable laws and regulations. depositors 11.3 Substantive procedures 11.3.1 Tests of detail The traditional approach of sending confirmation letters to depositors is unlikely to be an effective test for savings in MFIs, except when MFIs have only a few deposi- tors with large balances. Client visits are required to test savings in MFIs with many small depositors. The auditor can conduct savings tests in conjunction with loan balance tests during client visits, at least for savings clients who are also borrowers. During visits the auditor should examine the client's passbook and check for dis- crepancieswithrecordedinformationaboutthesavingsaccount.Discrepanciesmust be investigated. The sample size for client visits should be based on the materiality level established during audit planning (see chapter 4). The sample size for savings will likely be smaller than the sample size for loans. For example, if the sample size for loans is 100, the sample size for savings may be 50 and the auditor may be able to obtain the 50 savings confirmations in the course of the 100 visits to borrow- ers (assuming that at least half the borrowers also have savings accounts). Auditors should be aware, however, that depositors selected in this way may not be repre- sentative of the universe of depositors. Selecting depositors at random will involve a larger number of visits. In deciding whether to use this approach, cost considerations need to be balanced against the greater reliability of the sample data. 11.3.2 Analytical procedures The external auditor should examine trend information in savings. Determining the average savings per member, by branch and in total, is a useful analytical exer- cise, as is recalculation of interest expense on total savings. CHAPTER 12 Obtaining Audit Evidence: Revenue and Expenses This chapter addresses special considerations in auditing revenue and expenses in an MFI. An MFI's operating income includes interest on loans, application and commit- ment fees, and interest on investments. In addition, some MFIs may record grant funds as income. The external auditor should ensure that grants are recorded in accordance with the grant agreement, that grant income is separated from oper- ating income on the income statement, and that proper disclosure is made in the notes to the financial statements. MFIs may calculate Some MFIs provide nonfinancial services--such as business or health train- or record interest ing--in addition to their financial services. Such MFIs may receive grants to sup- port the nonfinancial services. The income from such grants, and any expenses income in associated with them, should be carefully segregated from income and expenses unconventional ways related to financial services, either in the financial statements or the notes. Operating expenses include administrative and financial costs. Traditionally, administrative expenses--such as payroll, rent, utilities, travel, and depreciation-- account for a larger percentage of costs in an MFI than they do in a bank. In MFIs administrative expenses range from 10 percent to as much as 100 percent (or more) of the total portfolio. Classification of operating expenses among programs may be dictated by donors. In many MFIs the allocation of indirect or head office expenses to pro- grams is unsophisticated. The external auditor should pay particular attention to the presentation of theincomestatement.TheauditorshouldencouragetheMFItofollowInternational Accounting Standard 30: Disclosures in the Financial Statements of Banks and Similar Financial Institutions and annex A of this handbook. 12.1 Potential risks MFIs may calculate or record interest income in unconventional ways. When an MFI recognizes interest income on a cash basis of accounting, the auditor may 77 78 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 have to propose an adjustment at the end of the period. When making a loan, many MFIs capitalize the entire amount of interest to be paid into the loan port- folio account, along with the principal of the loan, without creating an offsetting interest receivable account. As noted in section 6.6, some MFIs continue to accrue interest on nonperforming loans long after payments have ceased and the recov- ery of the accrued amounts has become unlikely. MFIs often fail to properly depreciate fixed assets. Assets like computers or software are often expensed when they should be capitalized and depreciated. In MFIs often fail other cases donated equipment is passed directly to the balance sheet, so the real cost of its depreciation never appears in the income statement. Depending on to properly depreciate materiality levels, the auditor may need to do substantive tests of depreciation fixed assets method, useful lives, and mathematical accuracy of depreciation expense. Head office expenses may be inappropriately allocated among various activi- ties. In addition, employees are sometimes paid at rates different from those indi- cated in their personnel files. 12.2 Tests of control Tests of control for revenue and expenses are typically conducted in conjunction with testing of the account balances that cover operations. For example, tests of control for loans also cover interest and fee income account balances. See chap- ter 6 for details on tests of control for the loan portfolio. 12.3 Substantive procedures Revenue and expense account balances lend themselves to testing through sub- stantive procedures during the audit of asset or liability account balances. For example, analytical testing of interest income is discussed in the treatment of loan portfolio issues in chapter 6. Similarly, donations shown as income can be checked in the testing of the capital accounts (see chapter 9). Operating expenses can be tested analytically or by tests of detail. A detail approach would entail reviewing supporting documentation as well as canceled checks for recorded expenses. An analytical approach could include developing an expectation using independent data and comparing it to the expenses recorded by the MFI. For example, an expectation of depreciation expense can be deter- mined by comparing the average lives of select asset categories with average asset category balances from the previous year. If the external auditor's assumptions are correct, the actual expense should be within the predetermined range of expectation. The appropriateness of expense classifications can be tested analytically at dis- aggregated levels. For instance, a branch's percentage of operating expenses can be compared with the percentage of the loan portfolio it manages. CHAPTER 13 Reporting This chapter covers the audit report, including the audit opinion, and the management letter, a crucial part of reporting in an MFI audit. After all tests have been conducted and evaluated, and an assessment has been made of whether the financial statements have been prepared in accordance with an acceptable financial reporting framework, the external auditor should be able to render a written opinion on the financial statements taken as a whole. This opinion is the key part of the audit report. The management 13.1 The audit report letter is a crucial part of reporting ISA 700 provides the following outline for the auditor's report: in an MFI audit · Title · Addressee · Opening or introductory paragraph (containing an identification of financial statements audited and a statement of the responsibility of the entity's man- agement and of the auditor) · Scope paragraph (containing a reference to ISA or relevant national stan- dards or practices and a description of the work the auditor performed) · Opinion paragraph (containing an expression of opinion on the financial statements) · Auditor's signature · Date of the report · Auditor's address. The opinion paragraph is the crucial part of the audit report. An external audi- tor may render one of the following types of opinions: · Unqualified opinion · Unqualified opinion with an emphasis of matter 79 80 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 · Qualified opinion · Disclaimer of opinion · Adverse opinion. 13.1.1 Unqualified opinion An unqualified opinion indicates the auditor's satisfaction in all material respects with the following matters, in accordance with the auditor's terms of reference: · The financial information has been prepared using acceptable accounting poli- cies, which have been consistently applied · The financial information complies with relevant regulations and statutory requirements · The view presented by the financial information taken as a whole is consis- tent with the auditor's knowledge of the business of the entity · There is adequate disclosure of all material matters relevant to the proper pre- sentation of the financial information · Additional requirements that may have been requested in the terms of refer- ence have been met. See box 13.1 for an example of an unqualified opinion. BOX 13.1 Example of an auditor's report expressing an unqualified opinion Addressee WehaveauditedthebalancesheetoftheAspireMicrofinanceInstitutionasofDecember 31, 19XX, and the related statement of income and cash flows for the year then ended. These financial statements are the responsibility of the institution's management. Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with International Standards on Auditing. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstate- ment. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audit provides a reasonable basis for our opinion. In our opinion, the financial statements give a true and fair view of [or "present fairly, in all material respects"] the financial position of the institution as of December 31, 19XX, and of the results of its operations and cash flows for the year then ended in accordance with International Accounting Standards. Name Date Address REPORTING 81 BOX 13.2 Example of an emphasis of matter paragraph In our opinion ... [remainder of opinion paragraph] Without qualifying our opinion, we draw attention to Note X to the financial state- ments. The institution has entered into an agreement with the superintendency of banks to maintain a capital adequacy ratio of X%. 13.1.2 Unqualified opinion with an emphasis of matter An auditor's report may be modified by adding an "emphasis of matter" paragraph to highlight a circumstance affecting the financial statements. The addition of such a paragraph does not affect the auditor's opinion. The paragraph is usually included after the opinion paragraph and explicitly indicates that the auditor's opinion is not qualified in this respect. Box 13.2 provides an example of such a paragraph. An entity's continuance as a going concern for the foreseeable future is assumed in the preparation of financial statements. The "foreseeable future" is generally a period not to exceed one year after the closing date of the financial statements being audited. If this assumption is unjustified, the entity may not be able to real- ize its assets at the recorded amounts, and there may be changes in the amount and maturity dates of liabilities. In such cases the auditor should include an emphasis of matter paragraph relating to a going concern, provided there is adequate disclosure in the financial statements. Box 13.3 provides an example. (If adequate disclosure is not made, the auditor should express a qualified or adverse opinion; see below.) 13.1.3 Qualified opinion In certain circumstances the auditor may choose to render a qualified opinion. A qualification is typically made if there is a limitation on the scope of the auditor's work or a disagreement with management regarding the acceptability of account- ing treatment or the adequacy of financial statement disclosures. The auditor should be guided by ISA 700, which states that: BOX 13.3 Example of an emphasis of matter paragraph relating to a going concern In our opinion ... [remainder of opinion paragraph] Without qualifying our opinion, we draw attention to Note X in the financial state- ments. The institution incurred a net loss of XXX during the year ended December 31, 19XX and, as of that date, the institution's current liabilities exceeded its current assets by XXX and its total liabilities exceeded its total assets by XXX. These factors, along with other matters as set forth in Note X, raise substantial doubt that the MFI will be able to continue as a going concern. 82 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 A qualified opinion should be expressed when the auditor concludes that an unqual- ified opinion cannot be expressed, but the effect of any disagreement with manage- ment or limitation on scope is not so material and pervasive as to require an adverse opinion or a disclaimer of opinion. Boxes 13.4 and 13.5 illustrate two possible types of qualified opinions. 13.1.4 Disclaimer of opinion In some instances the auditor may disclaim an opinion. In such cases the auditor should be guided by ISA 700, which states that: A disclaimer of opinion should be expressed when the possible effect of a limitation on scope is so material and pervasive that the auditor has not been able to obtain sufficient appropriate audit evidence and accordingly is unable to express an opin- ion on the financial statements. For example, a disclaimer of opinion would be warranted if the auditor could not obtain sufficient audit evidence on loans, cash, or other accounts of such magnitude. Box 13.6 provides an example. BOX 13.4 Example of a qualified opinion due to a limitation on scope Except as discussed in the following paragraph, we conducted our audit in accor- dance with ... [remainder of scope paragraph] We did not observe the counting of the cash on hand as of December 31, 19XX, since that date was prior to the time we were engaged as auditors for the institution. Owing to the nature of the institution's records, we were unable to satisfy ourselves as to these quantities by other audit procedures. In our opinion, except for the effects of such adjustments, if any, as might have been determined to be necessary had we been able to satisfy ourselves as to the amount of cash on hand, the financial statements give a true and ... BOX 13.5 Example of a qualified opinion due to a disagreement on accounting policies (inappropriate accounting method) We conducted our audit in accordance with ... [remainder of scope paragraph] As discussed in Note X to the financial statements, fixed assets are not reflected in the financial statements. This practice, in our opinion, is not in accordance with International Accounting Standards. Fixed assets for the year ended December 31, 19XX, should be XXX. Accordingly, fixed assets should be established and the retained earnings should be increased by XXX. In our opinion, except for the effect on the financial statements of the matter referred to in the preceding paragraph, the financial statements give a true and ... REPORTING 83 BOX 13.6 Example of a disclaimer of opinion due to a limitation on scope We have audited the balance sheet of the Aspire Microfinance Institution as of December 31, 19XX, and the related statements of income and cash flows for the year then ended. These financial statements are the responsibility of the institu- tion's management. [The sentence stating the responsibility of the auditor is omit- ted.] [The paragraph discussing the scope of the audit is either omitted or amended according to the circumstances.] [A paragraph discussing the limitation on scope would be added as follows:] We were not able to confirm the existence of a significant number of the loans selected for testing, due to limitations placed on the scope of our work by the institution. Because of the significance of the matters discussed in the preceding paragraph, we do not express an opinion on the financial statements. If an MFI imposes serious limitations on the scope of the auditor's work dur- ing the planning stages of the audit, and if the auditor believes that such limita- tions would result in a disclaimer of opinion, the auditor should normally reject the audit engagement unless required by statute to accept it. 13.1.5 Adverse opinion ISA 700 states that, an adverse opinion: ...should be expressed when the effects of a disagreement are so material and per- vasive to the financial statements that the auditor concludes that a qualification of the report is not adequate to disclose the misleading or incomplete nature of the financial statements. An adverse opinion should be expressed if the basis of accounting is unac- ceptable and distorts the financial reporting of the MFI. Box 13.7 provides an example. BOX 13.7 Example of an adverse opinion due to a disagreement on accounting policies (inadequate disclosure) We conducted our audit in accordance with ... [remainder of scope paragraph] [Paragraph(s) discussing the disagreement] In our opinion, because of the effects of the matters discussed in the preceding paragraph(s), the financial statements do not give a true and fair view of [or "do not pre- sent fairly"] the financial position of the institution as of December 31, 19XX, and of the results of its operations and its cash flows for the year then ended, and do not comply with generally accepted accounting principles. 84 EXTERNAL AUDITS OF MICROFINANCE INSTITUTIONS: A HANDBOOK, VOLUME 2 13.2 The management letter A by-product of the external audit process is the identification of concerns or weaknesses that became apparent during the audit, and the provision of con- structive recommendations that management can use to better manage opera- tions or solidify internal controls. Auditors should communicate their findings to the board of directors or the audit committee of an MFI in the form of a man- agement letter. The external auditor should devote careful attention to preparing the man- agement letter. This letter is particularly important for MFIs because many have weak internal controls. Too often, management letters contain little but boiler- plate--general language that provides little illumination of specific problems in the MFI, and little concrete guidance to management in addressing those weak- nesses. Before submitting the final management letter, the auditor should solicit and consider management's comments on a draft. An example of a management let- ter is provided in annex H.