Secure e-bank confirmations make life easier for auditors, preparers and banks, and bring Malaysia up to speed with current developments in e-auditing.
By Nazatul Izma
Online confirmations are now the preferred method for confirming client information in jurisdictions such as the United States of America, the United Kingdom and Australia. In Malaysia, online confirmations are currently being used in a limited manner for confirmations with some foreign banks.
To keep abreast of the latest market developments, MIA is championing the development of an Industry-wide Electronic Bank Confirmation Platform. ‘This is the world’s first industry-wide platform for bank confirmation in any country,’ said MIA CEO Dr. Nurmazilah Dato’ Mahzan.
‘Electronic bank confirmations will eliminate duplications and provide authentication and authorisation procedures to detect fraud and deter fraudsters. This is a progressive step in auditing that will not only save time and resources but bring Malaysia up-to-speed with developments in leading markets,’ she explained. Dr. Nurmazilah thanked Bank Negara Malaysia (BNM), the Association of Banks in Malaysia (ABM), banking institutions especially Maybank, local audit firms particularly PwC, and other stakeholders for supporting the Platform.
Below are some FAQs on the new initiative:
Why is MIA championing the Industry-Wide Electronic Bank Confirmation Platform? How is the project progressing?
Under the International Standard on Auditing (ISA) 505 External Confirmations, reliable audit evidence can be obtained in documentary form from a third party such as a bank, whether on paper, electronically or in another medium. Presently, electronic confirmations are used in a limited manner in Malaysia. Many bank confirmation letters are sent to banks annually by auditors to request confirmation of their clients’ bank balances and arrangements. This traditional process is slow and time-consuming, and delays could impact the timeliness of financial statements being approved by the Board of Directors after clearance by auditors.
To facilitate electronic confirmations by Malaysian auditors and enhance the efficiency and security of the external confirmation process, MIA conceived a plan several years ago to develop an industry-wide electronic bank confirmation platform, which will eliminate the need for paper-based confirmation requests and replies. The plan was supported by the Association of Banks in Malaysia (ABM) and some local banks and audit firms, particularly Maybank and PwC, which agreed to be the first pilot-testing bank and audit firm, spearheading this initiative jointly with MIA and ABM.
MIA then set up an Online Bank Confirmation Task Force (OBCTF) in 2017 – chaired by MIA Council Member Dato’ Mohammad Faiz Azmi and comprising representatives from ABM, Maybank and audit firms – to look into the implementation of the said plan. As at 20 October 2017, the OBCTF finalised the evaluation of vendors via an open tender process. Extol Corporation Sdn Bhd (Extol) was eventually awarded the tender to develop an industry-wide electronic bank confirmation platform, with a much more economical usage fee compared to the current fee charged by an international service provider.
How will stakeholders benefit from the Platform?
Several fraud cases have revealed the inherent weaknesses in paper-based confirmations. In contrast to a paper-based process, electronic confirmations use additional security mechanisms to ensure that only appropriate personnel from a bank can respond to a bank confirmation request. For audit clients, it reduces the risk of fraud which may potentially go undetected by auditors and at the same time protects the interest of stakeholders that rely on audited financial statements.
In addition, auditors and their clients can achieve greater efficiency by minimising manual processes, eliminating duplications and lost confirmations, and expediting confirmation replies to the auditors.
For banks, the Platform removes duplication, provides a more secure way to send out customer information, saves time and minimises human error while providing a more secure process to confirm balances and arrangements.
For the capital market, it reduces delays in clearance of audited financial statements.
In addition, it mitigates the risk of confidential information being wrongly sent to other parties through postal services. Accountability is enhanced because the system records the date and time a confirmation is requested and the date and time a confirmation reply is sent and received.
How does the Platform work?
Figure: Tentative Workflow of the Proposed Platform
How do members gain access to the Platform? What are the expected fees and costs?
Members will log on to a secured web-based Platform which is currently under development by Extol. The usage fee to be charged is RM15 per confirmation. MIA’s preferred method is for banks to direct-debit bank customers’ accounts and reimburse Extol, since it is more efficient for Extol to reconcile with a smaller number of banks than with more than 1,400 audit firms.
Who should use the Platform?
All auditors who require bank confirmation from all conventional commercial banks in Malaysia are urged to use this Platform. In the next phase, the Platform will be opened to other types of financial institutions such as the Islamic banks and Development Financial Institutions.
How is the security of the Platform and the data assured?
Verification of Users
For the registration process, applicants must be associated with the audit firm’s details as recorded in MIA’s membership database. They will be verified with online and offline mechanisms to confirm their identity. Besides User ID and password, all applicants must provide authentic emails and mobile numbers for a 2-factor authentication process in order to validate their registration.
For bank users, registration will be through the bank’s email account which will subsequently be used for a 2-factor authentication on the Platform.
All users must verify the pre-set security image and phrase during the user authentication process to prevent phishing.
Storage of data and the encryption
The data will be stored at Extol’s servers located in Malaysia.
All sensitive data will be encrypted via a hardware security module (HSM, FIPS 140-2 Level 3) and all PDFs received will be encrypted using the steganography method in AES-256.
The Platform provides an audit trail system that logs all the activities conducted on the Platform, including submissions and downloads. It can be used to assist with any suspected fraud or forensic investigation when required.
The Platform will also observe BNM’s IT security standards and guidelines where necessary.
Platform Process Control Assurance Examination
To provide assurance about the security controls and processing integrity, the Platform shall be certified with Service Organization Control (SOC) examinations or other equivalent standards conducted by an independent auditor appointed by MIA.
Now that bank confirmations have become more efficient, what other areas of auditing and accounting is MIA looking at to leverage technology to enhance the profession?
A natural progression is the usage of the Platform for legal and other confirmations. Data analytics is another area that MIA is looking at to leverage technology to enhance the profession.