the revised RBIA policy, we have taken into account the relevant issues/
suggestions/observations made by Risk Management Department, Head Office vide
their IOMs No.RMD:RGK:2005-06:107 dated 27.04.2006 and No.RMD:RGK:2005-
06:218 dated 29.05.2006 and suitably addressed them in appropriate places.
EXECUTIVE SUMMARY
1. Preamble
1.1. The internal audit system which is in vogue is mainly transaction oriented
and is carried out to verify whether the various transactions undertaken by
the branches are correctly recorded and whether the stipulated
procedures have been adhered to. In this system of audit, the auditors
are not analysing the level of risk to which the branch is exposed. In the
backdrop of Basel Committee’s Recommendation on Banking
Supervision, Risk Based Internal Audit which is essentially an integral part
of Risk Based Supervision, was to be introduced in the Banks and the
audit system should be revamped so as to have focus mainly on the risk
perception rather than the mere transactions testing which should be
carried out to the extent of risk exposure under various parameters.
1.2. Accordingly, in terms of RBI guidelines, policy for Risk Based Internal
Audit (RBIA) was approved by Audit Committee of the Board on
30.01.2003 and was introduced in our Bank in April, 2003. In the first
phase, branches of Exceptionally Large, Very Large, Large and
Specialised categories were brought under the purview of RBIA during
2003-04. Then, it was extended to cover all the branches of Medium and
Small categories during 2004-05. With some minor modifications, the
policy was reviewed and the review was approved by ACB on 29.03.2005.
From the year 2005-06, RBIA is being carried out in all the branches on an
ongoing basis either as a separate exercise or along with the existing
regular internal audit which is mainly transaction based, as per the
applicable audit cycle in accordance with the approved policy.
Cash
Deposits
Foreign Exchange/Dealing Room
Credit
Investments
Bills
Remittances
Government Business
Non-Fund Based Business
Staff & Establishment
Estate & Premises
Computer
Inter-Bank and Inter-Branch reconciliation
Other Miscellaneous Services
3. Approach
While carrying out the Regular Internal Audit, the auditors are scrutinizing the
transactions/conduct of the accounts, verifying the security documents executed,
ascertaining whether the sanction is within the delegated authority or not, verifying
the compliance with the terms of sanction and also scrutinizing other operational
areas. Based on the observations, the auditors are pointing out the
irregularities/deficiencies existing at the branches; besides they are pointing out the
revenue leakage, if any.
In RBIA, the auditors, besides carrying out the same function as mentioned above at
the prescribed level in the policy, record their observations in all the areas viz,
Advances, Deposits, Profitability, Business Development, Adherence to KYC/KYB
norms, Cash Management, Sensitive Stationery Movement, Delegation of Power,
Computer Systems Management etc. under positive and negative factors and
assess the risk level taking into consideration the overall impact of these positive
and negative factors. The negative factors are called risk factors. Based on the risk
factors, Monitorable Action Plan (MAP) for mitigating risks under various
parameters is suggested by the auditors in the audit report. Different types of audit
reports are prepared for General Banking Branches, Asset Recovery Branches and
Service Branches, and risks are assessed under the parameters applicable to these
branches.
Transaction testing/checking is not completely dispensed with under RBIA, but is
restricted to the level spelt out in the policy.
As per the extant policy guidelines, issue of Special Letters (for serious irregularities
noticed in accounts with sanctioned limit/exposure limit of Rs.10 lakh and above and
also for revenue leakage detected exceeding Rs.10 lakh per branch) and also
Special Observation Report (for serious irregularities noticed in accounts having
exposure/sanctioned limit of above Rs.2 lakh but not exceeding Rs.10 lakh per
account and revenue leakage detected Rs.20,000/- and over per account or revenue
leakage detected for more than Rs.2 lakh but not exceeding Rs.10 lakh per branch)
is proposed to be continued under the amalgamated RBIA system.
Under RBIA, the Risk Profile of the branch is prepared based on the audit findings
and the Risk Profile reveals the risk level of the branch under various parameters in
a nutshell form.
As per the RBIA policy, Risk Profiles of branches will be updated off-site as per the
following intervals based on all the relevant records such as MIS data with regard to
Deposits, Advances, Profitability etc. and also the compliance of previous/latest
reports of Concurrent Audit, IS Audit, Regular Internal Audit, RBIA, RBI Inspection
etc. which are available at ZO. MAP is suggested in this case also. Risk Profiles
thus prepared will be sent to the Branch/ZO for effective implementation of MAP by
drawing suitable action points and initiating necessary measures on that. The
reports of Risk Profiles of the branches will be closed by the respective ZM within 3
months of the date of Risk Profile. Zonal Audit Committee will also be apprised of
the Risk Profiles of branches and also closure of the same by ZM.
Risk level of the branches is assessed under Business Category and
Control Category.
Business Risk of the branches is assessed under Credit Risk, Earnings
Risk, Business Strategy Risk & Operational Risk parameters.
Control Risk is assessed under Internal Control Risk and Compliance Risk
parameters.
Base Level Risk under each parameter is assessed under ‘Low, Medium
& High’ levels as per the marks obtained furnished as under:
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risk   Control Risk: Low    Control Risk: Medium   Control Risk: High
High                     A: High Risk         B: Very High Risk      C: Extremely High Risk
Medium                   D: Medium Risk       E: High Risk           F: Very High Risk
Low                      G: Low Risk          H: Medium Risk         I: High Risk
Variation of marks in the same category up to +5% or -5% is considered as
STABLE. Variation of marks in the same category of more than +5% or -5% is
considered as DECREASING/INCREASING, as the case may be.
5. Periodicity of Audit
With regard to transaction testing in credit segment, it is proposed that all new
accounts (irrespective of sanctioned limits) and also the following percentage of
accounts existing (preferably those accounts not covered under previous audit)
prior to current audit are to be covered in the current audit.
(In Percentage)

Total Sanctioned Limit or Outstanding      Size of Branch
per borrower, whichever is more (Rs.)      Small   Medium   Large   Very Large   Exceptionally Large
Upto Rs.50,000                             10      10       5       5            5
Above Rs.50,000/- up to Rs.2 lakh          30      25       20      10           10
Above Rs.2 lakh up to Rs.5 lakh            100     75       50      25           20
Above Rs.5 lakh up to Rs.10 lakh           100     100      75      75           50
Above Rs.10 lakh                           100     100      100     100          100
Note: The above level of transaction testing is as per the existing policy and we
propose to continue the same.
Size of the Branch      Percentage of accounts/transactions
Small                   40
Medium                  50
Large                   100
Very Large              100
Exceptionally Large     100
Category of branches: Large, Medium, Small & Specialised (Small & Medium
category) branches
  Time limit for compliance: Within 2 months from the date of audit report
  Time limit for closure: Within 3 months from the date of audit report, at ZAC for
  branches with Composite Risk Rating as High (*in the case of both Business Risk
  and Control Risk being Medium), Medium & Low Risk, and by GM(I&A) for branches
  under High (#in the case of any one of Business Risk or Control Risk being High
  and the other Low), Extremely High / Very High Risk

Category of branches: Exceptionally Large, Very Large & Specialised (other than
Small & Medium category) branches
  Time limit for compliance: Within 3 months from the date of audit report
  Time limit for closure: Within 4 months from the date of audit report, at ZAC for
  branches under High (*as above), Medium & Low Risk, and by GM(I&A) for branches
  under High (# as above), Extremely High / Very High Risk
8. Selection of Auditors
1. Definition
The Risk Based Internal Audit is a process which helps broaden the
perspective of internal audit that includes the verification through usage of risk
management techniques and efficacy of internal control system under various
areas / parameters.
2. Scope
2.1 The scope of Risk Based Internal Audit will be to provide reasonable assurance
to the Board and Top Management, which includes:
(a) The audit function should provide high quality counsel to management on the
effectiveness of risk management and internal controls under various parameters
including regulatory compliance.
(b) The internal control system is in consonance with the organisational structure.
The controls should be in-built in the operating functions to be cost effective.
(c) Each control should be reviewed and analysed in terms of its costs and
benefits. It would also be seen whether the internal controls were in use
throughout the period of intended reliance i.e. period between the two
consecutive audits.
(a) Auditor would review the control system to ensure that all assets are
accounted for fully. He would also review the mitigants available and used for
safeguarding assets against the risks which may eventually be leading to
financial loss.
(b) In case of use of electronic data processing equipment, the physical and
system control on processing facilities as well as on data storage would be
examined and tested.
(c) He would also review the adequacy of insurance cover for the various risks
involved.
(d) He should check the verification system of assets at the branch.
(a) Internal auditor should check whether there is under staffing and over staffing
in various areas/ departments by examining the working of the branch as these
prevent optimum use of resources.
(b) The auditor would also evaluate resources utilisation, identifying the facilities,
which are under-utilised which may result in lesser/no income or loss. Such
instances may consist of under-utilised man, machine and matter of any kind.
(a) The auditor should report on proper recording and reporting of major
exceptions and excesses that lead to risk perception.
2.1.7 Review of the systems in compliance with money laundering identifying business
risks/ control risks
The auditor should review the systems in place at the branch for ensuring
compliance with money laundering controls, identifying potential inherent
business risks and control risks, if any.
2.1.8 The auditor should review/ report on :
(a) process by which risks are identified, analysed, measured and managed in
various areas;
(b) the risk mitigating/control environment in various areas;
(c) gaps, if any, in control mechanism, which might lead to financial loss on
account of non-adherence to extant guidelines due to ignorance, negligence or
fraudulent acts and identification of fraud prone areas;
(d) budgetary control and performance reviews;
(e) monitoring compliance with the risk based internal audit report;
(f) variation, if any, in the assessment of risks made during the off-site profiling
vis-a-vis the risk based internal audit.
2.2 Inspection and audit will be risk based and has been introduced at all branches
in a phased manner since April, 2003.
(Head Office Departments, Zonal Offices, Zonal Audit Offices, Regional Rural
Banks and Subsidiaries are brought under the ambit of Risk Based Management
Audit. A separate policy document is prepared for Risk Based Management
Audit)
3. Objective:
3.1 RBIA essentially entails the allocation of audit resources and monitoring
according to risk profile to minimise the impact of crisis situations. It involves
review and report on control environment as a whole, the process by which the
risks are identified, analysed, measured and managed, the line of control over
key processes, reliability of branch management function, safeguarding of assets
and compliance with rules and regulations and also external environment.
(a) To undertake allocation of audit resources in accordance with the risk profile
to minimise the impact of crisis situations i.e. to draw audit plans based on
risk assessment
(b) To ensure that the risks faced by the Bank in its efforts to meet its goals –
short term as well as long term are identified, risk is assessed and the
procedure followed for monitoring the risk is correct and fool proof.
(c) To answer the basic question about ‘what is’ as compared to ‘what should be’
the way the branch is managing risks.
(d) To evaluate the process, by which the risks are identified, analysed,
measured, monitored and managed by reviewing and reporting on the line of
control over key processes i.e. control environment as a whole instead of
identifying and testing controls.
(e) To test ‘how well all the risks perceived by the bank are managed’ rather than
finding out ‘whether the control over risks are adequate and effective’.
(f) To differentiate activities on the basis of risk assessment of each activity
during internal audit.
(g) To review and report on reliability of branch management function,
safeguarding of assets and compliance with rules and regulations.
4. Approach
4.1 The present internal audit is mainly transaction based and is carried out to verify
whether the various transactions undertaken by the branch are correctly
recorded and whether the prescribed procedures /guidelines issued by Head
Office/RBI/ Government of India have been observed/ complied with. Thus during
the course of audit, the extent of risk undertaken by the branches and the factors
available for mitigating the same under various areas is not assessed, which is a
vital component for the existence of the Bank.
4.2 While the principal responsibility of managing the risks vests with the
management, the strategy of RBIA begins with independent risk analysis, and the
allocation of audit resources is planned on the level of risks identified. RBIA
would mean that greater emphasis is placed on the role of mitigating risks. More
attention will be paid to high risk areas vis-a-vis medium and low risk areas.
4.3 Risk Based Internal Audit being a new exercise, a gradual but effective approach
would be necessary for its implementation. Since the internal audit system was
fairly deep-rooted, the risk based audit system is introduced in a phased manner.
Initially we conducted Risk Based Internal Audit of all branches under the
categories of Exceptionally Large, Very Large, Large and Specialised
(irrespective of their size) during 2003-04. As the staff started attaining
proficiency in the new system, the scope was extended to cover Medium and
Small branches also during 2004-05. Now, all the branches have got
accustomed to RBIA and hence RBIA is being carried out at the branches as per
the applicable audit cycle from 2005-06 on an ongoing basis. In terms of RBI
guidelines, the time has now come to merge the existing system of transaction
audit with Risk Based Audit with a view to having only one unified audit system,
focussing mainly on risk perception to a larger extent and restricting the
transaction checking to a limited extent; the unified system is proposed to be
made effective in 2006-07.
4.4 The pre-requisites for implementation of RBIA in the Bank would be:
5.1 Inspection & Audit will be conducted encompassing all the functional areas of the
branch in such a manner that it serves as an important tool of internal control.
Risk based audit will address audit coverage from risk management angle and it
will be planned on the basis of level of risks identified i.e. coverage will be
tapered according to level of identified risks with high risk areas getting priority
over low risk in allocation of audit resources. The audit will cover the adequacy
as well as implementation of various systems and procedures adopted in
identification, measurement and mitigation of different risks. It should cover
transactions during review period i.e. period between two consecutive audits.
The items of coverage during inspection/ audit of the branches are given in
Annexure-1.
5.2 The strategy of RBIA constitutes an independent risk analysis through proper
allocation of available audit resources i.e. allocating more resources for the
areas with higher risks. RBIA envisages branch-wise and business process-wise
risk assessment before on site auditing. The exercise will allow identification of
high risk areas and work prioritisation.
Areas to be looked into for Risk Analysis of various Departments/Sections, covering
the different risks involved, are given in Annexure-2.
6 Risk Assessment:
6.1 The risk based internal audit undertakes risk assessment for the purpose of
formulating the risk based audit plan. The risk assessment would, as an
independent activity, cover risks at various levels (corporate and branch; the
portfolio and individual transactions, etc.) as also the processes in place to
identify, measure, monitor and control the risks.
Clarification: The risk based internal audit undertakes an independent risk
assessment solely for the purpose of formulating the risk based audit plan
keeping in view the inherent business risks of an activity/ location and the
effectiveness of the control systems for monitoring the inherent risks of the
business activity.
6.2 The assessment process would, inter alia, include the following:
Identification of inherent business risks in various activities undertaken by the
bank.
Evaluation of the effectiveness of the control systems for monitoring the
inherent risks of the business activities (‘Control risk’).
Setting up of rating norms with a view to determining the level of risk to which
the bank is exposed viz; low, medium or high and the direction of the risk to
which the bank is proceeding viz; increasing, decreasing or stable.
Mapping of business risk and control risk and the identification of the direction
of risk to enable to direct the resources to those areas of working which depict
higher risk. Drawing up a risk matrix for taking into account both the factors
viz. inherent business risks and control risks. The illustrative risk matrix
(level) and risk matrix(trend/direction) are shown below:
Risk Matrix (level) (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risk   Control Risk: Low    Control Risk: Medium   Control Risk: High
High                     A: High Risk         B: Very High Risk      C: Extremely High Risk
Medium                   D: Medium Risk       E: High Risk           F: Very High Risk
Low                      G: Low Risk          H: Medium Risk         I: High Risk
6.3 The risk assessment may make use of both quantitative and qualitative
approaches. While the quantum of credit, market and operational risks could
largely be determined by quantitative assessment, the qualitative approach may
be adopted for assessing the quality of control in various business activities. In
order to focus attention on areas of greater risk to the bank, an activity-wise and
location-wise identification of risk would be undertaken.
6.4 The assessment methodology would include, inter alia, the following parameters:
6.5 While the interval for undertaking formal risk assessment may be one year, more
frequent formal risk assessments would be desirable if the overall risk to which a
branch is exposed, is perceived as high.
7. Audit Prioritisation
7.1 With a view to formally assess the degree of various business and control risks at
the branch in order to prioritise the risk based internal audit of the branch under
their jurisdiction and also to prepare the audit plan accordingly, each Zonal Audit
Office will prepare/update the risk profile of the branch as per Annexure-3 as
enumerated under para 13.3 well in advance and conduct the audit later on to
compare/find out whether the risk assessment as per the profile prepared before
audit turned out to be true, particularly areas identified as high risk did indeed
turn out to be high risk and vice versa for low risk. Format for obtaining/updating
the risk profile of the branch is as per Annexure-3.
7.2 On-site inspection covers actual Business Strategies adopted by the branch,
Review of compliance methodology, Adequacy of Internal Controls, Risk
Management controls, Business Environment- location, competition, clientele,
products and services, Quality of Customer Service, Awareness of staff
regarding systems and procedures, Futuristic View of Business Strategies, Know
Your Customers/Business norms.
8. Periodicity of Audit
8.1 Inspection and audit of branches will be conducted once every 18/15/12/9/6
Months depending on the composite risk rating of the branches assessed during
the preceding audit.
Note: All the newly opened branches should be audited immediately after
completion of six months of their opening.
10.1 Taking into consideration the norms for allotment of man days as stated under
item No.8 of the policy document, in the month of March every year, Annual Audit
Plan for the next financial year will be called for from all the Zonal Audit Offices
giving the number of branches/other offices to be audited along with the number
of man days required and the number of man days available. The annual audit
plan of all the Zonal Audit Offices will be consolidated at Head Office and the
consolidated Annual Audit Plan will be put up to the General Manager, Inspection
& Audit Department for approval by the end of March every year. Manpower
requirement for carrying out the Audit Plan is determined based upon 210 man
days per officer, after providing for holidays, leave, ‘shut period’, travel time etc.
Further, the audit exercise will be suspended during the 'shut period', i.e.
March/April and September/October, for approximately 15 days each, so as to
facilitate the branches to concentrate on the Annual/Half-yearly closing work.
10.2 The prioritisation of Audit Resources will be determined by drawing Audit Plan
with the help of Risk Audit Matrix as provided in item No.15 of the policy
document by respective ZAOs and consolidated at HO, I&A which will be
approved by GM, I&A.
The broad criteria, which are indicative in nature, for selection of officers for Audit
are as under:
(a) The Officer should be in Scale II or III and should have completed rural/ semi
urban branch exposure of minimum 3 years.
(b) The Officer must have knowledge of/ exposure to Branch Banking in general.
(c) The Officer must possess knowledge in advances/ foreign exchange/
computer operations. Exposure to investment portfolio management will be
an added advantage.
(d) The Officer must have ‘A’ rating in Annual Performance Appraisal (APA) for
preceding 3 years.
(e) The tenure of Officers selected for posting in Audit will be for 3 years.
12.1 Under the risk based internal audit the main objectives being the assessment of
risks to which the bank is exposed to as well as evaluation of available internal
control mechanism the auditor, while evaluating the risk, has to keep in view the
following:
a) Previous Audit Reports- Internal, Concurrent, Statutory, RBI, IS Audit, etc.
and its compliance
b) proposed changes in business lines or change in focus
c) Significant change in management/ key personnel
d) Industry trend
e) Other Environmental factors including macro/micro economic environment
f) Time elapsed since last audit
g) Prior audit findings and action taken on them
h) Volume of business taking into account the potentials available.
i) Internal Controls and Control Environment.
j) Quality and Experience of Management i.e. Manager and his deputies.
k) Complexities of business handled by the branch.
l) Deviation from Budget Plan
a) Interface with Branch Manager and other Officers and staff members.
c) Review of -
Mechanism for reporting compliance with policies and procedures.
Accuracy in reporting and its impact.
Adequacy of internal control and Risk Management Control.
Branch specifics- location, business environment, competition faced, etc.
Quality of Customer Service including Handling of Customer Complaints.
Level of Awareness of Bank’s systems, procedures, implementation,
products and services, pricing, etc. amongst staff at all levels.
Future Business Strategies in relation to the potentials available in the
area of operation
12.3 The auditor has to examine and evaluate every activity undertaken by the
branch. In the process he has to, inter alia,
13.2 Risk profile document which is the final output of the risk assessment exercise is
intended to be a dynamic document and hence all changes and developments
within and outside the bank that may have an impact on the risk profile are to be
tracked on an ongoing basis. That is, updating of the risk profile will have to be
taken up periodically. However, considering the nature and volume of business
and other services handled at branches, the periodicity for updating the risk
profiles of branches of different class/category is proposed as under:
13.3 For updating the Risk Profiles of Branches (prepared off-site), the auditors can
utilise the following source of inputs which may be available at respective Zonal
Offices under whose jurisdiction the branches are functioning and they need not
visit the branches.
13.4 The Risk Profiles will be updated and sent to the branches by the Zonal Audit
Offices within a fortnight from the conclusion of the concerned period covered as
stipulated in 13.2 above, with a copy to the respective Zonal Office for
compliance and follow-up (as enumerated in paras 17.3 & 17.4 respectively).
14. Reporting Format
We have in place suitable formats for reporting the positive factors (the strength)
and the negative factors (weakness) observed during the conduct of RBIA at
different category of branches (General Banking Branches, Asset Recovery
Branches, Treasury Branch, Service/Drafts Paying Branches, Currency Chests)
considering mainly the risk perception under each area and also the transaction
testing to the limited extent as provided in the policy document along with the
suggestions of Monitorable Action Plan by the auditors for mitigating risk under
various parameters. The audit report formats for different category of branches
as specified above are provided in Annexure – 4.
14.2.1 If during the course of audit any serious irregularities (the nature of such
irregularities are listed in the Annexure-I) involving amount above Rs.10.00 lakh
(either sanctioned limit or outstanding whichever is more) per account / revenue
leakage detected exceeding Rs.10 lakh per branch, which may put bank’s
interest in jeopardy, are noticed by the Auditors, the same should be brought
to the notice of Chief Incumbent of the branch and thereafter to the respective
Zonal Audit Chief in the form of Special Letter as specified in the format as per
the Annex. In cases where the Branch Manager is himself involved in
the irregularities, which may be fraudulent in nature, such discussions with
him are not necessary. The Special Letter for reporting such irregularities will be
vetted by the Zonal Audit Chief before forwarding the same to the
Branch/Zonal Office with a copy to Inspection and Audit Department, Head
Office immediately.
14.2.2 If during the course of audit any serious irregularities (the nature of such
irregularities are listed in the Annexure-I) involving amount above Rs.2.00 lakh
(either sanctioned limit or outstanding whichever is more) and upto Rs.10.00
lakh (either sanctioned limit or outstanding whichever is more) per account/
revenue leakage detected Rs.20,000 and over per account or total revenue
leakage detected more than Rs.2.00 lakh but not exceeding Rs.10.00 lakh per
Branch, are noticed by the Auditors, the same should be brought to the notice
of Chief Incumbent of the branch and thereafter to the respective Zonal Audit
Chief in the form of Special Observation Report as specified in the format as per
Annex. In cases where the Branch Manager is himself involved in the
irregularities, which may be fraudulent in nature, such discussions with him
are not necessary. The Special Observation Report for reporting such
irregularities will be vetted by the Zonal Audit Chief before forwarding the
same to the Branch/Zonal Office with a copy to Inspection and Audit Department,
Head Office immediately.
14.2.3 For other matters (the gist of such matters is provided in the Annexure-I), where
the quantification of amount involved is not possible, Special Letter or Special
Observation Report will be issued depending upon the nature and seriousness of
irregularity.
The audit rating of the branches will be done by the Audit team after conclusion
of the audit based on its performance in relation with the level of
control/mitigation of risks under various parameters observed during the course
of audit covering the period from the date of commencement of last audit till the
preceding date of commencement of the current audit as per applicable Annex-6.
The branches will be awarded rating separately under each parameter and rating
for consolidated performance under the parameters of Business Risk and Control
Risk based on which the Composite Risk or Aggregation of Risk of the branch as
per the matrix prescribed by RBI will be arrived at. There will be three basic level
risk ratings i.e. Low, Medium and High under each parameter. The
trend/direction viz., Increasing, Stable and Decreasing will also be indicated by
comparing the level of risk under each parameter at the time of previous
audit/latest updated profile with the level assessed during the current audit.
The probable reasons/ attributes and the meaning attached to each rating are
given in the following chart.
Sr No 1. Level and Direction of Risk: High - Increasing
  Probable Reasons/Attributes: Deterioration to a large extent in risk management,
  operational efficiency, compliance and asset quality and earning during the review
  period.
  Meaning for controlling Authorities: Controlling Authority to analyse the reasons
  (including the negative factors brought out by the auditors in the report) for
  deterioration and initiate a suitable immediate action plan (besides the
  Monitorable Action Plan suggested by the auditors) for improvement within a period
  of one month and monitor the branch performance on a regular basis.

Sr No 2. Level and Direction of Risk: High - Stable
  Probable Reasons/Attributes: Status-quo-ante of perturbing level in risk
  management, operational efficiency, compliance and asset quality coupled with
  stability in earnings during the review period.
  Meaning for controlling Authorities: Controlling Authority to initiate an immediate
  action plan including the Monitorable Action Plan suggested by the auditors for
  improvement within a period not exceeding two months and monitor the branch
  performance on a regular basis.

Sr No 3. Level and Direction of Risk: High - Decreasing
  Probable Reasons/Attributes: Slight improvement in the perturbing level of risk
  management, operational efficiency, compliance and asset quality and earning
  during the review period.
  Meaning for controlling Authorities: Controlling Authority to initiate a suitable
  action plan including the Monitorable Action Plan suggested by the auditors for
  improvement in a period not exceeding two months and monitor the branch
  performance on a regular basis.

Sr No 4. Level and Direction of Risk: Medium - Increasing
  Probable Reasons/Attributes: Increasing trend of inadequacy in risk management,
  operational efficiency, compliance & asset quality and earnings during the review
  period, which may be of a temporary nature and can be corrected in a period not
  exceeding three months.
  Meaning for controlling Authorities: Controlling Authority to analyse the reasons
  for inadequate risk management, suggest suitable remedial action, monitor the
  performance and review the progress from time to time.
Magnitude of Risk (rows) vs Frequency of Risk (columns); M = Magnitude, F = Frequency

Magnitude   Frequency: Low         Frequency: Medium        Frequency: High
High        High M, Low F          High M, Medium F         High M, High F
Medium      Medium M, Low F        Medium M, Medium F       Medium M, High F
Low         Low M, Low F           Low M, Medium F          Low M, High F
(In Percentage)

Total Sanctioned Limit or Outstanding      Size of Branch
per borrower, whichever is more (Rs.)      Small   Medium   Large   Very Large   Exceptionally Large
Upto Rs.50,000                             10      10       5       5            5
Above Rs.50,000/- up to Rs.2 lakh          30      25       20      10           10
Above Rs.2 lakh up to Rs.5 lakh            100     75       50      25           20
Above Rs.5 lakh up to Rs.10 lakh           100     100      75      75           50
Above Rs.10 lakh                           100     100      100     100          100
In the case of checking the accounts in existence prior to current audit, audit
comments relating to compliance of irregularities pointed out in the last audit report,
review/documentation subsequent to last audit and further developments since last
audit are to be included.
17. Compliance and Follow-up for Compliance of Audit Report, Updated Risk
Profile
17.1 Compliance of Report – The primary responsibility for qualitative and timely
compliance, i.e. attending to all the negative factors brought out in the audit report
conclusively and also initiating necessary measures by way of drawing suitable
action points (help of the Zonal Office may be availed, if required) for
implementing the Monitorable Action Plan suggested by the auditors and
furnishing the present status of compliance of the same will rest with the auditee
branch. The time limit for compliance will be two months from the date of
audit report for Large, Medium, Small & Specialised (Small and Medium
categories) Branches and three months for Exceptionally Large, Very Large
and Specialised (other than Small and Medium categories) Branches.
17.3 Compliance of Updated Risk Profile – Taking into consideration the negative
factors, the necessary measures initiated by the branch by way of drawing
suitable action points (help of the Zonal Office may be availed, if required) for
implementing the Monitorable Action Plan suggested in the updated risk profile,
along with the present status of compliance thereof, are to be submitted by the
branch to the Zonal Office within two months of the date of the profile.
17.4 Follow-up for Compliance of Updated Profile - Follow-up Audit Cell of ZO should
follow-up with the branch for compliance of the Monitorable Action Plan. After
ensuring conclusive compliance, it should be submitted to the Zonal Manager for
closure within three months of the date of the profile and the concerned
branch should be advised accordingly.
17.5 Compliance with the Monitorable Action Plan suggested with respect to the updated
Risk Profile of branches is to be taken up for review during Zonal Audit Committee
meetings.
18.1 Risk Based Internal Audit Reports: The audit reports of the branches will be
submitted for Noting / Closure at Zonal Audit Committee meeting / to GM,
I&A,H.O. after ensuring conclusive compliance of the negative factors and the
Monitorable Action Plan brought out in the reports. The audit reports of Large,
Medium, Small & Specialised (Small and Medium categories) branches
should be closed within three months from the date of the report and four
months in the case of Exceptionally Large, Very Large and Specialised
(other than Small and Medium categories) branches at Zonal Audit
Committee/GM, I&A, H.O. level as per the authority specified as under. In
the case of audit report of DPO, the report should be closed within one
month from the date of report by ZAC.
-----------------------------------------------------------------------------------------------------------
Level of Assessment of Composite      Conclusive Compliance        Level of Authority for closure
Risk of Branches                      ensured by                   of RBIA
-----------------------------------------------------------------------------------------------------------
Extremely High/I,S,D                  Zonal Manager & Zonal        General Manager I&A, H.O.
                                      Audit Chief
Very High/I,S,D                       Zonal Manager & Zonal        General Manager I&A, H.O.
                                      Audit Chief
High/I,S,D (on a/c of one of the      Zonal Manager & Zonal        General Manager I&A, H.O.
parameters is High and the other      Audit Chief
is Low)
-----------------------------------------------------------------------------------------------------------
18.2. Special Letters: The Zonal Office will prepare and submit a detailed point-wise
conclusive compliance of the irregularities pointed out in the special letter (after
receipt of branch compliance) along with the staff accountability aspect to the
Zonal Audit Chief and, upon the latter being satisfied with the compliance, the
joint recommendations of the Zonal Manager and Zonal Audit Chief will be
forwarded to Head Office, Inspection & Audit Department. The General Manager
(I&A), upon being satisfied about the adequacy of the compliance and also the action
on staff accountability aspect, will accord approval for closure of the special
letters with specific time-bound action plan for compliance of pending
irregularities, wherever deemed necessary, within three months of the date of
the Special Letter. However, the Action Taken Report on the Special Letter
should be apprised to GM(I&A) within 15 days from the date of receipt of
the Special Letter by the Zonal Office.
18.3 Special Observation Reports: Special Observation Reports are closed at Zonal
Audit Committee after ensuring point-wise conclusive compliance of the
irregularities pointed out in the special observation report (after receipt of branch
compliance) along with the staff accountability aspect wherever required. In
respect of Revenue Leakage exceeding Rs.1.00 lakh per account, on recovery of
the revenue leakage detected, the Zonal Office should furnish the details on Staff
Accountability to General Manager, Head Office, Inspection & Audit Department
through the Zonal Audit Office, recommending the action to be taken in this
regard. The General Manager, Inspection & Audit Department, Head Office, will
convey his decision to the Zonal Office/Zonal Audit Office with regard to the staff
accountability aspect. The SOR (both on serious irregularities and/or revenue
leakage) will be closed at Zonal Audit Committee within three months of the
date of the Special Observation Report.
18.4 The Updated Risk Profiles: The updated Risk Profiles will be closed by the
respective Zonal Managers within two/three months of the date of the profile,
as the case may be, as mentioned in para 17.3 & 17.4, after ensuring conclusive
compliance on the negative factors and Monitorable Action Plan pointed out in
the Profiles, and the branch should be advised accordingly. However,
compliance with the Monitorable Action Plan suggested with respect to the updated
Risk Profile of branches is to be taken up for review during Zonal Audit Committee
meetings.
19. Zonal Audit Committee:
19.1 With a view to channelising efforts for proper follow-up action on various audit
reports, Special Letters, Special Observation Reports and Updated Risk Profiles
and their subsequent closure, Zonal Audit Committee has been set up at each
Zone. The meeting of the Committee will be attended by the Zonal Manager
(Chairman), the Zonal Audit Chief (Convenor), the senior most Zonal Executive,
the Officer in charge of Follow-up Audit Cell of the Zonal Office (Members).
19.2 The Zonal Audit Committee has to meet at least 6 times in a year and the
interval between the two meetings, should not, normally exceed 3 months. The
meetings will be fixed by the Zonal Audit Chief in consultation with the respective
Zonal Manager and other members of the Committee and the meetings will be
held at Zonal Head Quarters.
19.3 The Zonal Audit Chief being convenor, will attend all the meetings of Zonal Audit
Committee in respect of Zones under his jurisdiction. In the absence of Zonal
Audit Chief, the official holding charge shall attend such meetings. The General
Manager/Deputy General Manager/Assistant General Manager of Inspection
& Audit Department, Head Office shall attend the Zonal Audit Committee
Meeting to oversee its functioning at periodical intervals.
19.5 The committee will formulate a time bound action plan for clearance of pending
audit reports, special letters, special observation reports, recovery of revenue
leakage and updated risk profiles and review the progress in its implementation
for mitigating risk under various parameters in subsequent meetings till
conclusive compliance of the same.
19.6 The committee will review the compliance of Monitorable Action Plan suggested
with respect to the updated Risk Profiles of branches as and when they are
closed by the Zonal Manager.
All Zonal Audit Offices should report on monthly basis as at the end of every
month to HO, I&A as to the details of number of branches falling due for RBIA
during the month as per the approved audit plan, number of branches wherein
audit is completed along with risk rating, the names of the branch whose
composite risk rating is assessed as ‘Extremely High/Very High’ and also the
details of risk rating as at the end of the month in the format provided in
Annexure-A and Annexure-B. Also, all ZAOs should report on monthly basis the
details of total number of branches in their jurisdiction under different risk ratings
along with the particulars of names of the branches whose composite risk rating
is assessed as ‘Extremely High/Very High’ in the format provided in Annexure-C.
Further, all ZAOs will report on monthly basis the position of pending audit
reports (for closure) as at the end of every month in Annexure-D.
23.1 Summarized position of RBIA reports of H.O.Depts, Zonal Offices, Zonal Audit
Offices, MDI, ZTCs, and Bank’s Subsidiaries closed at Head Office (Audit)
Sub-Committee will be submitted to Audit Committee of the Board for noting
(no other RBIA reports are closed at HOASC).
24. Any modification in the reporting format, either addition or deletion of any
item necessitated due to change in policy of the Bank or change in
operational guidelines, may be approved by GM (I&A), provided it does not
envisage any change in the audit policy guidelines already approved by the
Audit Committee of the Board.
Annexure –1
2) Audit of Investments portfolio (HTM, AFS & HFT) with reference to adherence to
laid down policies, Head Office specific prescriptions, liquidity of the investment
from two angles i.e. maturity and marketability, physical verification of
investments, receipt of dividend / interest on investments, etc. It will also involve
audit of Funds Management, Asset Liability Management, etc.
5) Accounts with other Banks including reconciliation, long outstanding entries and
follow-up for clearance of these entries.
9) Checking of Profit & Loss Analysis Book including balancing from time to time and
analysis of income and expenditure and judicious exercise of powers by the
delegatees.
11) Safe Deposit Vault – Balancing of keys, recovery of rental, drilling open of lockers
where rent is overdue for long.
12) Safe Custody – Verification of safe custody accounts more particularly opened
after previous audit.
13) Premises (including flats for officers, warehouse premises, if any) – Execution of
lease, payment of rental, verification of title deeds, ambience etc.
15) Insurance – Coverage of insurance policy for all items such as assets including
computers, etc.
17) Telegraphic Transfers – Maintenance of Test Keys and safe custody thereof,
verification of use of TT arrangement by the branches to weed out branches where
TT key may not be required, Missing variables and follow-up for the same.
18) Inward Remittances – Verification of time taken for crediting proceeds of inward
remittances.
19) Staff & Establishment – Verification of all aspects like attendance register, leave
record, salary, allowances, Leave Fare Concessions, Travel & Transportation,
recruitment of staff, job rotation, training, Medical Aid to Staff – Records of
payment of medical aid to staff as per policy.
20) Test Check – Verification of conduct of test checks as per laid down policy and
maintenance of records thereof.
22) Authorised Signatories book – Verification of the book with reference to updating,
safe custody, etc.
23) Old Records – Verification of maintenance of old records and its destruction from
time to time as per policy.
24) Inward Bills for Collection – Physical verification of bills for collection, balancing
from time to time, position of overdue bills, follow-up for disposal, recovery of
service charges, VPL charges etc.
25) Outward Bills for Collection – Verification of bills for collection, balancing from time
to time, overdue bills follow-up for realisation of overdue bills, recovery of service
charges, etc.
32) Dealing Room – Audit of dealing room / back up section operation with reference
to organisational policy guidelines relating to adherence to currency wise Daylight
and Overnight limits, Stop loss limits, infrastructure in dealing room, and its use,
vacation by dealers, rotation of staff, panel of brokers, routing of business through
brokers, maintenance of dealers pad, dealers slip, etc. as per policy.
33) Bills negotiated under L/C – Verification of register, overdue bills and follow-up for
recovery.
34) Bills receivable under L/C - Verification of register, overdue bills and follow-up.
Physical verification of bills receivable under L/C.
Annexure - 2
A. Areas to be looked into by the Audit Team under Risk Based Internal Audit
1 Credit Risk
A ( Under Business Category )
1 Trend of growth in loans and advances including forex
business
2 Trend in priority sector advances
3 Trend of growth in off balance sheet items.
4 Exposure to sensitive sectors
5 Composition of off balance sheet exposure
6 Credit concentration
7 Percentage of advances in a/cs. with limits Rs.1 crore
8 Trend of breaching exposure ceiling norm
9 Standard category advances
10 NPA Management and Recovery of NPA – NPA Movement
11 Arresting of slippages
12 Improvement in Cash Recovery
13 Improvement in upgradation
14 Percentage of accounts written off and amount involved
15 Reduction of NPAs (including upgradation, restructuring,
recovery)
16 Trend of devolvement on account of off balance sheet
exposures.
17 Proper provisions
18 Credit Quality improving
19 AAA / AA / A rated a/cs.
20 B rated a/cs.
21 Movement of assets
22 Increase in standard assets
23 Decrease in Doubtful / Loss assets
24 Adherence to Credit Policy norms
25 Adherence to exposure (credit limits with branch and
elsewhere) norms for single borrower, group, industry
group and country.
Miscellaneous Aspects :
1. Periodical review of adequacy of man power and rotation of staff are undertaken;
2. Prompt submission of ‘R’ Returns and other periodical statements;
3. Proper keeping and exercising adequate control of ‘test-key’ for authentication of
messages;
4. Effecting of payments through SWIFT and proper monitoring of messages;
5. Compliance of guidelines of RBI/FEDAI
2. TREASURY OPERATIONS
I INVESTMENT MANAGEMENT –
A) Ready Forward Deals :
1 Violation of directives/guidelines in Double Ready Forward transactions in
Dated Govt./Approved Securities as well as Treasury Bills.
2 Violation of directives/guideline in Ready Forward/Double Ready Forward
in other securities/PSU Bonds/Units.
3 Violation of directives/guideline on deals undertaken on behalf of PMS
clients’ Accounts/other clients.
B) Transactions in Govt./Approved Securities:
a) SGL Transactions:
1 Ensuring non-return of SGL form issued to other Bank for want of funds.
2 Returning of SGL forms received by the Branch for want of funds and
reporting thereof.
3 Maintenance of record of authorised signatories of SGL issuing
banks/institutions.
4 Direct handing over of SGL.
5 Compliance of RBI guidelines and DVP system for settlement.
6 Reconciling SGL balances on monthly basis.
7 Checking of periodical reconciliation of SGL balances by concurrent
auditor.
8 Ensuring direct payment only after receipt of SGL transfer in the case of
purchase of securities.
G) NPA Management :
1 Proper classification of Investment Assets
2 Proper reporting of NPA.
3 Ensuring enforceability of documents of NPA.
4 Reporting of NPA position to trustees.
5 Follow-up of NPA accounts with BIFR.
6 Recovery of sale of assets in NPA accounts is reported to Senior
Management.
7 Review of NPA accounts periodically.
H) Delegation of Powers and Reporting System :
1 Investment decisions are taken as per delegation of powers.
2 Authorisation of deal/transaction entered into by the Dealer
3 Dealer transacts only with the approved counter party bank/broker subject
to the exposure limit
4 Periodical submission of statements on the performance of Investment
Portfolio to the Management
II Money Market Operations :
1 All Inter-bank deals and Repo deals are with authorised players.
2 Correct application of rates in money market credit lines.
3 Entering into Rupee/USD Swaps deals only when swap yields are at least
on par with call money rates.
4 Profitable squaring off position taken in the intra-day dealings
5 Justification of net borrowing position.
a) Inter-Bank participation Certificates (IBPCs) :
1 Obtention of approval for issue of IBPC.
2 Strict adherence of norms in the case of IBPC with risk sharing
3 Strict adherence of norms in the case of IBPC without risk sharing
b) Money Market Credit Lines to Indian and Foreign Banks :
1 Sanction / review of credit line at appropriate level
2 Recovery of commitment fees
3 Repayment in accordance with the relative agreement
4 Timely renewal of period of validity of the credit line
5 Segregation of credit limits
c) Call Money Operations :
1 Lending within the approved exposure limits
2 Adherence of ceiling in Money market transactions
3 Maintenance of levels of liquidity mismatches in the short term
III Cash Management
a) Remittance of funds to and From Branches
1 Delay in collection / payment of funds
2 Proper control over inter branch funds transfer
3 Strict adherence to norms in the case of remittance of funds to
branches
4 Adherence to norms for remittance of funds from branches
5 Reconciliation of remittances of funds
b) Reconciliation – Accounts with RBI/SBI
1 Necessary follow-up for entries appearing in the statement of
accounts
2 Proper reporting of wrong credit
c) Internal Control System
1 Monitoring of money market back up / investment back up section
for CRR, SLR,Refinance,CLGFB, IBPC, Reconciliation
2 Monitoring of cash management dept. for various functions
d) Funds Management – FCNR Funds Management
1 Revaluation of FCNR Deposits and Foreign Currency loans on
fortnightly basis
2 Correct application of interest rates
3 Crediting FCNR funds to the designated Deposit A/c.
4 Proper extension of Foreign Currency loans
5 Submission of prescribed statements
6 Obtention of proper clearance from CMD for ALCO Decisions
7 Calculation of average cost of yield on FCNR funds from time to time
8 Working out of liquidity and interest rate sensitivity of FCNR funds
from time to time
9 FRA/Interest Rate Swaps have been used for managing interest rate
risk and reducing the gaps.
10 Ensuring that residual interest rate sensitivity gaps are within the
permissible limits
11 Proper revaluation of Foreign Currency Assets and liability on
fortnightly basis.
12 Working out of sources and uses of Foreign Currency funds from
time to time
e) Asset-Liability Management
1 Renewal of Asset-Liability Management Policy
2 Keeping record of minutes of ALCO meeting and follow-up action
3 Regular agenda includes Short Term Dynamic Liquidity Statement,
impact of major policy changes and interest rate outlook.
4 Submission of Structural Liquidity and Interest Rate Sensitivity
Statements within 2 months from the close of the quarter.
5 Periodical submission of statements of Structural Liquidity, Interest
Rate Sensitivity and Short Term Dynamic Liquidity to ALCO.
6 Conveying of decisions of ALM to other departments for
implementation
7 Decisions of ALCO cleared by CMD are submitted to the Board for
information.
3. DERIVATIVES
FORWARD RATE AGREEMENTS (FRA) AND INTEREST RATE SWAPS(IRS)
1. Appropriate infrastructure and risk management systems are in place;
2. Functions relating to hedging and market making are clearly separated
between the Front and Back Offices;
3. Proper Internal Control System for trading, settlement, monitoring, control and
accounting activities;
4. Individual deal is confirmed by Back Office in normal course;
5. Exposure on account of FRA/IRS is within the prescribed limit;
6. Obtention of declaration from Corporates/Mutual Funds for FRA/IRS;
7. Adherence of prudential limits on Swap positions;
8. Adherence of risk management norms prescribed by ALCO in respect of
FRA/IRS for hedging;
9. Submission of Policy Document to MPD/RBI;
10. Separate recording of transactions for hedging and market making purposes;
11. Proper revaluation of FRA/IRS for trading purposes;
12. Obtention of Confirmation Note and ISDA agreement;
13. Net Open Position within the prescribed ceiling;
14. Meticulous follow-up of prudential limits for various currencies and counter-parties;
15. Credit exposure to banks are within the approved limits;
16. Appropriate sanction of credit exposure to Corporates;
17. Reporting of FRA/IRS to MPD/RBI;
18. Monthly reporting of details of transactions to Senior Management;
19. Quarterly reporting of details of transactions to Board.
B. The methodology and the parameters used for assessing the risk rating of
Branches
a) Methodology:
As per the guidelines provided by RBI and our Risk Based Internal Audit
Policy approved by ACB on 30.01.2003, quantitative and qualitative
approaches are adopted while assessing risks under Business category
and Control category. Under the quantitative approach, volume of the
business of the branch under credit and deposits area, other services and
products, quantum of income and expenditure, availability of operational
tools etc. are analysed for their trend and business strategies adopted by
the branch for achieving the set goals. Under qualitative approach,
application of compliance methodology, adequacy of controls, Risk
Management Controls, business environment-location/competition, quality
of clientelebase/products/services, quality of customer service, awareness
of staff regarding systems and procedures, futuristic view of business
strategies, adherence to Know Your Customer/Business Principles are
analysed and deficiencies observed on these are brought out as risk
perception. To perceive the things in proper perspective and to carry out
the risk assessment, besides on-site inspection, previous internal audit
reports and compliance, proposed changes in business lines or change
in focus, significant change in management/key personnel, results of latest
regulatory examination report, reports of external auditors, industry trends
and other environmental factors, time lapsed since last audit are also
considered by the auditors.
The risk assessment under each parameter and the risk rating of the
Branch are arrived at as follows:
Risk Matrix [matrix figure not recovered; axis label: Control Risk]
In the case of the branches other than the General Banking Branches as
specified in b) above, the risk assessment will be made in applicable parameters
only as enumerated in the Reporting Format of the respective class of branch.
Annexure-3
I. BACKGROUND
In the context of having effective RBS in the Bank, the Risk Profile of
…………………….. Branch is prepared in line with the Corporate Risk Profile keeping in
mind the various risk factors under Business and Control areas that are observed at the
branch level. The underlying objective is to:
- Categorise the Branches as having composite risk rating low, medium, high, very
high and extremely high
- Identify the direction of risk namely increasing/ stable /decreasing
BUSINESS PROFILE
   of which: Wholesale/Institutional; NRI
3. Advances
   AFD, of which: Indirect Adv.
   SSI, of which: Advances under CGFTSI Scheme
   OPS, of which: Retail Trade; Small Business; SRTO; Prof. & Self-Employed; Education; Housing
A. BUSINESS RISK:
                                                      Previous Assessment    Present Assessment
1. Credit Risk: Level/Direction:
   Credit Composition & Concentration
   Credit quality
   NPA Movement
   Adequacy of provisions
                                                      Previous Assessment    Present Assessment
2. Earnings Risk : Level/Direction:
   Interest Income
   Non-Interest Income
   Interest Expenses
   Control over expenses
   Revenue Leakage
   Recovery in written-off accounts, UCI/URI etc.
3. Business Strategy & Environment Risk: Level/Direction:
   Business Initiative/Strategy adopted for new products/services
   Quality of customer service
   Budgeted performance
   Adequacy of computer systems in tune with the volume of business and business requirement
4. Operational Risk : Level/Direction:
   Adherence to manual of instructions/circulars/Guidelines
   Litigation / claims against the bank
   Reputation of the bank /customer service/ redressal of customer complaints/grievances
   Preparedness for tackling any unanticipated natural/ manmade calamities/ events
B. CONTROL RISK: Level/Direction:
   Reconciliation (inter-bank and inter-branch)
   Submission of MIS returns/control returns - Timeliness/quality
   Cash Management
   Prevention of frauds
   Judicious exercise of Delegations of Powers
   Branch security aspects
   Adherence to KYC/KYB and Anti-Money Laundering norms
Summary (form): Earnings; Business Strategy; Operational; Control Risk: Internal Control; Compliance
2. EARNINGS RISK
3. BUSINESS STRATEGY RISK
4. OPERATIONAL RISK
5. INTERNAL CONTROL RISK
6. COMPLIANCE RISK
Annexure-4
Weekly Off:
Extension Counter attached : YES/NO
Holiday Home attached : YES/NO
Currency Chest : YES/NO
Branch under Concurrent Audit : YES/NO
                      Previous (From / To)      Present (From / To)
Control Risk
Composite Risk
A. BUSINESS RISK
1. CREDIT RISK
Please attach the details of accounts selected as per the policy guidelines on
transactions testing as to name of the account, type of advance, sanction authority/date,
sanctioned limit, present outstanding. The number of accounts to be selected should
cover the maximum exposure (either sanctioned limit or outstanding whichever is more
per borrower) involving all sectors/segments as well as accounts not covered under the
last audit:
(Rs. in lakh)
-----------------------------------------------------------------------------------------------------------
1. Growth (New/Additional        Year before Last      Last Year as on       Current Year as on
Advances sanctioned)             as on 31.03.200       31.03.200             (latest quarter/month) ……………..
                                 No.      Amount       No.      Amount       No.      Amount
-----------------------------------------------------------------------------------------------------------
Fund-Based Advances
of which
   Advances against TDR
   Staff Advances
Non-Fund Based (I & F)
   Letter of Credits
   Bank Guarantees
   Other Contingent Liabilities
-----------------------------------------------------------------------------------------------------------
Offer comments on
Items                                   Positive Factors          Negative Factors
- Obtention of application for advance facility in the prescribed format and conduct of pre-sanction inspection for identification/verification of antecedents of borrowers in all the new advances
- Obtention and scrutiny of CBD-23 with documentary evidence, wealth tax returns, income-tax returns, status report, CIBIL report, RBI’s defaulters list, ECGC caution list, no dues certificate, IE Code No. in the case of Imports/Exports business, ascertaining of non-listing of goods to be exported by the applicant exporter from the Negative List
- Obtention/ scrutiny of financial statements (CMA, QIS, MSOD, Balance Sheet, Trading/ Manufacturing Account, P&L account etc)
- Preparation of proposals in the prescribed format with proper assessment of credit needs including Non-Fund Based facilities along with proper credit rating exercise
- Observance of proper procedure in the case of accounts taken over from other banks/financial institutions
- Size-wise concentration of advances within manageable limit and also in tune with the available infrastructure
- Periodical Review of advances with proper analysis of financial statements
- Post-disbursement monitoring of advances, maintenance of record/registers/ledgers
- Monitoring of advances under watch list
- Ensuring customer compliance with terms of sanction
- Conduct of consortium advance accounts including joint appraisal, inspection of securities, strict adherence to the terms of consortium etc.
- Ensuring no Kite-flying, routing of sale proceeds through borrowal accounts
- Concentration of NPAs in different sectors/segments and the trend in absolute terms in the respective areas
- Proper provisioning
- Periodical inspection of assets of NPA accounts to ensure that there is no deterioration of realisable value of security
- Ensuring insurance of assets of NPA accounts wherever possible
- Availability of coverage under ECGC, CGF for Small Industries, Govt. Guarantee etc. in NPA accounts
- Trend of devolvement of L/Cs and the time taken for payment of devolved L/Cs
- Availability of security coverage to Guarantees Issued including the stipulated margin/Collaterals
- Trend of invocation of Guarantees and the time taken for payment of invoked Guarantees
- Follow-up for expired guarantees and reversal of liability in the case of expired guarantees
- Frequency of default in reimbursement in the case of crystallisation of liabilities under Acceptances/Endorsements/Deferred Payment Guarantees etc.
- Other contingent liabilities
- Maintenance of record of documents/evidence seen for booking forward exchange contract, follow-up for utilisation/cancellation of outstanding contracts, contracts in permitted currencies, non-reimbursement of crystallised forex contracts etc.
2. EARNINGS RISK
(Rs. in lakh)
-----------------------------------------------------------------------------------------------------------
                                                  Year before Last    Last Year as on    Current Year as on latest
                                                  as on 31.03.200     31.03.200          (quarter/month) ……………
-----------------------------------------------------------------------------------------------------------
A – Income
Interest Income (Excl. TPM)
Non interest Income
of which
   Recovery in written-off accounts vis-à-vis the target   ( )                 ( )                ( )
   (Amount outstanding in written-off accounts)
Total Income
Yield on fund based limits (%) (based on fortnightly average advances)
Cost of Deposits (%) (based on fortnightly average deposits)
Spread
B – Expenses
Interest expenses (Excl. TPM)
Staff Cost
Other Expenses
of which
   i) Controllable Expenses
Total Expenses
C – Profit/Loss                                   Budget   Actual     Budget   Actual     Budget   Actual
Operating Profit/Loss before application of TPM
Net Transfer Price Mechanism
Net Profit/Loss
Profit per employee
Unrealised Interest
Uncharged Interest
Recovery of unrealised interest and uncharged interest, trend of additions etc.
-----------------------------------------------------------------------------------------------------------
4. Misc. Services
   a) Safe Custody (No. of a/cs.)
   b) SDV (No. of lockers occupied and No. of total lockers)
   c) Card Products (No. of cards issued & No. of Mes enrolled)
   d) Govt. Business (Turnover)
   e) Third Party Products (No. of products & income earned)
- Achievement of budgets on monthly/half-yearly/annual basis and reasons for non-achievement, if any
- Availability of competent staff to handle the nature of business that the branch is undertaking and/or proposed to undertake
- Adequacy of IT systems with business needs, especially in the circumstances where the customers are technically savvy and/or the competitors of our bank have already put in place adequate IT systems to serve the customers in an effective way
4. OPERATIONAL RISK:
- Proper allocation/rotation of job (for both Supervisory and Clerical) wherever applicable
- Recommendation for renewal of Cards on due dates
- Opening of Deposit accounts as per the extant guidelines
- NSC/KVP/TDR/Monies under Life Insurance Policy, Shares, Other Govt. Securities pledged/assigned as security in advance accounts and matured/fallen due for payment but proceeds not claimed/realised/credited to the borrowal accounts
- Non-conversion of foreign currency liability into rupee liability in cases where exporter is unable to fulfil his obligations or where export has not taken place within 360 days
- Effecting remittances as per the extant guidelines
- Opening and monitoring of SDV and Safe Custody accounts as per the prevailing guidelines
- Handling/Record maintenance of card products like obtention of proper application, scrutiny, issue etc. of Credit Cards/ATM Cards etc.
- Obtention of lawyer’s opinion about title deeds in cases where mortgage is stipulated to ascertain the validity of creation of mortgage, obtention of search report, obtention of valuation certificate from the approved Architect along with the photograph of the property, periodical updation of valuation of the property
- Proper obtention of correct documents in advance accounts, proper execution of security documents such as filling in completely, duly signed by the borrowers/guarantors in the proper way, adequately stamped as per the applicable Stamp Act, properly defaced
- Mortgage creation/extension, registration/noting of charges with appropriate authorities, noting/registering of bank’s lien/charges/assignment with RTO, Related Depts. of Govt. Offices/Undertakings
- Conduct of CPA-1,2 and closure thereof in big eligible advances, vetting of documents and also conduct of CPA in personal loan accounts and other small loan accounts as per the extant guidelines
- Ensuring adequate insurance to the assets charged to the bank and keeping record of policies and also renewing the policies on due dates
Note: With regard to irregularities in documentation and other areas, the details of such
irregularities, account-wise for the accounts that have been audited, should be submitted in the format
provided in Annexure-IRR (a) and an overall summary sheet in Annexure-IRR (b).
B. CONTROL RISK
Periodical balancing of entries in G/L a/c Security Deposits, Sundry Deposits, Sundry Credits, Suspense Accounts (Dr.), Subsidy Reserve Fund, Int Pay, Interest Receivables
Follow-up for early wiping/adjustment of outstanding entries in Sundry Deposits, Sundry Credits, Subsidy Reserve Fund, Int Pay, Interest Receivables, Proxy (in the case of Finacle branches), Clearing Difference (Receivable & Payable)
Weekly Reconciliation of account with SBI/Other Banks; obtention of monthly balance confirmation certificate; weekly reconciliation of Clearing Difference Adjustment a/c, Net Clear, Home Clearing
Maintenance of records for receipt of reports of Inter Branch Reconciliation from H.O.; raising query memorandum/follow-up for unreconciled entries with the concerned branches; replying to the query memorandum received from other branches
Maintenance of Nostro/Vostro accounts; reconciliation of entries
2. Compliance Risk
Adherence to RBI’s currency note policy (non-stapling of currency notes, issue of numbered and signed receipt in the case of detection of forged/fake currency note etc.)
Conducting periodical customer meetings, customer service meetings and sending the reports to the controlling authorities, conducting periodical customer service audit and sending reports to the controlling authorities, implementation of Goiporia Committee’s recommendations
Adherence to Fair Practices Code on Lender’s Liability
Remittance of income-tax, service-tax deducted at source within the stipulated time to the credit of Govt. account, payment of various applicable taxes/charges in time such as property tax, tax under Shops & Establishment Act wherever applicable, electricity/telephone charges, professional tax, BCT tax etc.
Issue of TDS certificates wherever taxes are deducted, filing of annual returns (Form-24, 24-A, 26 etc.) to the respective authorities within the stipulated time and maintenance of proper records for the same
RBI License, License under Shops and Establishment Act (wherever applicable)
Conclusive compliance with the previous audit reports, compliance with Monitorable Action Plan suggested in the previous Risk Based Audit Report and/or Updated Risk Profiles, compliance with special instructions/guidance etc. provided by the controlling authorities, Govt. Bodies, LDM etc.
Parameter | Risk Level/Direction assessed during the audit | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively
1. CREDIT RISK
2. EARNINGS RISK
3. BUSINESS STRATEGY RISK
4. OPERATIONAL RISK
5. INTERNAL CONTROL RISK
6. COMPLIANCE RISK
* The composite risk will be arrived at with the help of the following risk matrix
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)
Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High
High | A: High Risk | B: Very High Risk | C: Extremely High Risk
Medium | D: Medium Risk | E: High Risk | F: Very High Risk
Low | G: Low Risk | H: Medium Risk | I: High Risk
Control Risk
Variation of marks in the same category up to +5% or –5% is considered as STABLE. Variation in the same category of more than +5% or –5% is considered as DECREASING/INCREASING as the case may be.
Branch : ____________________
Exit Meeting held on _______________
-------------------------------------------------
1. Date of Meeting :
5. a) Highlights of performance
Advances
-of which
Priority Sector
Govt.Sponsored Prog.
NPA reduction
Operating Profit
House-Keeping
b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the
branch).
6. SWOT analysis on functioning of the branch:
Strength
Weakness
Opportunity
Threat
Copy received.
Place:
Date:
Annexure-6
MARK SHEET
Decreasing 6
Stagnant 4
Increasing 2
22. NPA concentration is
Correctly provided 6
Excess-provided 4
Under-provided 2
26. Periodical inspection of securities in NPA accounts involving amount of
> 95% total NPA advances 10
Between 90% and 95% 6
< 90% 3
27. Insurance level of securities including collaterals in NPA Accounts involving amount of
< 2 years 6
Between 2 and 5 years 4
> 5 years and above 2
> 2.5% 4
Between 0% to 2.5% 2
Negative 0
2. Non-Interest Income
< 1% 4
Between 1% and 3% 2
> 3% 0
4. Recovery in written-off accounts
Nothing noticed 2
Noticed in the current audit and in the last audit 1
Noticed in the current audit and also in the last 2 audits 0
9. Recovery of UCI/URI
Achieved 4
Achievement falling short by < 10% 2
Achievement falling short by > 10% 1
11. Trend of profit per employee compared with the position of the last half-year
Increasing 3
Stagnant/Decreasing very nominally due to change of staff strength 2
Decreasing significantly 0
III. BUSINESS STRATEGY & ENVIRONMENT RISK 40
1. Exploitation/usage of geographical/locational advantage for growth of business
Maximum 4
Moderate 2
Insignificant/Nil 1
2. Availability of business potentials other than the poverty alleviation schemes such as SHG, PMRY, MPBCDC, THADCO etc. in the area of operation of the branch
Plenty 4
A limited extent 2
No potentials 0
Increasing 4
Stagnant 2
Decreasing 0
4. Knowledge of the branch officials about the bank’s products vis-à-vis market condition as regards available potentials
Fully aware of 4
Partially aware of 2
Not aware of 0
5. Knowledge of SWOT analysis for the branch as well as for the competitors
Full knowledge 4
Some knowledge 2
No knowledge 0
6. Rating of customer service
Excellent 4
Satisfactory 2
Poor 0
7. Achievement of Deposits and Advances at the Budgeted level
Nothing noticed 4
Noticed on a very few occasions 2
Noticed on many occasions 0
5. Access to server room/UPS room etc.
Always 4
Sometimes 2
Never 0
7. Maintenance of records for allotment of user level code, control over changing of user level as per the requirement
Strictly implemented 4
Sometimes 2
Never 0
8. Awareness/monitoring the lapses in workflow/lapses leading to operational problems (like keeping cheque books on counters, not logging out of the computer system when not in use or when the operator leaves the terminal etc.)
Nothing noticed 4
Very rarely noticed 2
Lapses noticed on many occasions 0
9. Awareness of Disaster Recovery Plan/Business Continuity Plan
Never occurred 4
Sometimes occurred 2
Very frequently occurred 0
11. Processing of request of customers in the areas of deposits, advances and other misc. services
Nothing observed 4
Noticed on a very few occasions 2
Noticed on many occasions 0
14. Defects-free documentation including creation of Mortgage/registration of charges in the accounts involving
No suit is filed 4
Suit/s filed against the branch but settled without any loss or very nominal loss to the branch 2
Suit/s pending against the branch or suit/s settled with a substantial loss to the branch 0
23. Customer perception of the branch, quality of customer service, quick redressal of customer complaints
Good 6
Satisfactory 4
Unsatisfactory 2
Always reported 4
Reported on very few occasions 2
Never reported 0
No report/s pending 4
Report/s pending for less than one month 2
Report/s pending for more than one month 0
Always 6
Not found on one or two occasions 3
Not found always 0
11. Holding average cash (for the period covered under audit)
Strictly maintained 4
Not maintained on one or two occasions but no damage done 2
Not maintained always 0
14. Dual Control and periodical balancing of jewel/gold packets, maintenance of proper records for movement of jewel packets
Always adhered 6
Mostly adhered, but no damage done so far 3
Never adhered to 0
15. Control over safe custody accounts, safe deposit lockers and other miscellaneous services including proper records maintenance of India Cards, ATM Cards etc. received from HO, safe keeping of Cards, destruction of long pending cards as per the extant guidelines
Good 4
Just satisfactory 2
Poor 0
Always maintained 6
Kept under single custody only 3
No custody available 0
18. Maintenance of updated movement register for sensitive stationery items in the prescribed form whenever such items are put on use and also maintenance of movement register for other security documents
Very good 4
Satisfactory 2
Unsatisfactory 0
27. Security aspects of cash movement within the branch, while effecting cash remittance/withdrawal to/from currency chest/other branch/bank as per the extant guidelines
Strictly enforced 4
Enforced with some deviation 2
Not implemented 0
Strictly enforced 4
Lopsided implementation 2
Gross violation 0
19. Compliance with FEMA provisions
Strictly adhered to 4
Adherence with some minor deviation 2
Adherence with major deviations or non-adherence 1
20. Obtention/periodical renewal of License under Shops & Establishment Act wherever applicable
License under S&E Act obtained/renewed periodically 4
License overdue for renewal 1
License not at all obtained 0
21. Compliance of audit reports
* The composite risk will be arrived at with the help of the following risk matrix
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)
Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High
High | A: High Risk | B: Very High Risk | C: Extremely High Risk
Medium | D: Medium Risk | E: High Risk | F: Very High Risk
Low | G: Low Risk | H: Medium Risk | I: High Risk
Control Risk
Annexure-I
A. Advances:
18. Purchase or discount of ‘clean bills’ under sanction of ‘DP/DA’ bills limit.
19. Non-transfer of large number/amount of overdue bills to ‘G/L a/c.Past Due Bills’.
20. Securities (paper securities such as TDR, NSCs, KVPS, LIC Policies etc.) and/or security documents missing/non-traceable
B. OTHER AREAS:
Note: The above list is only illustrative and not exhaustive. The Auditor may write a Special Letter/Special Observation Report on any irregularity/malpractice which is grave enough and warrants writing of such SL/SOR to protect the Bank’s interest. However, before writing a SL/SOR, it should be checked that the irregularity proposed to be covered in the SL/SOR had not been reported to the Controlling Office earlier by the branch itself even before the audit. In case such reporting has been made by the branch but no action was initiated/no confirmation was accorded by the controlling authority, an SL/SOR may be sent to Zonal Authorities.
Annexure-IRR(a)
Annexure-IRR(b)
dated 15th January, 2007 bringing out revised Risk Based Internal Audit Policy for
approval.
Progress made in implementation of Risk Based Internal Audit in the current audit
year upto the end of ……………….., 20
Total
Annexure-B
Names of the Branches (Zonewise) rated under ‘Very High Risk/Extremely High Risk’ during
the current audit year as at the end of
………………………., 20
Sr. No. | Name of the Branch | Audit Report Date | Name of the Zone | Risk Rating
(Signature of the ZAO Chief)
Annexure-3
RISK PROFILE OF ASSET RECOVERY BRANCH
…………………………….. ZONE
Position as at ……………………
Ref. No. Date:
TABLE OF CONTENTS
I Background
I. BACKGROUND
In the context of having effective RBS in the Bank, the Risk Profile of …………………….. Branch is prepared in line with the Corporate Risk Profile keeping in mind the various risk factors under Business and Control areas that are observed at the branch level. The underlying objective is to:
Categorise the Branches as having composite risk rating low, medium, high, very high and extremely high
Identify the direction of risk namely increasing/stable/decreasing
2. Advances
AFD
OPS
SSI
Wholesale
Trade/Business
Medium
Large Industries
Housing Loan (other
than priority sector)
Star Mortgage Loan
Total Advances
NPA Classification:
Sub-Standard
Doubtful
Loss
Total NPAs
A. BUSINESS RISK:
Previous Assessment | Present Assessment
Credit Risk: Level/Direction:
Adequacy of provisions
Quality of securities available and their RVS
Interest Income (Unrealised/Uncharged interest)
Non-Interest Income (Written-off account recovery)
Control over expenses (only under controllable items)
Previous Assessment | Present Assessment
3. Operational Risk: Level/Direction:
Documentation including time-barred documents
Litigation/claims against the bank
Preparedness for tackling any unanticipated natural/manmade calamities/events
Submission of MIS returns/control returns - timeliness/quality
Earnings
Operational
Control Risk
Internal Control
Compliance
V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:
Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively
1. Credit Risk:
2. Earnings Risk:
3. Operational Risk:
4. Internal Control Risk:
5. Compliance Risk:
From | To | From | To
Control Risk
Composite Risk
A. BUSINESS RISK
1. CREDIT RISK
(Outstanding Rs. in lakh)
1. NPA Composition & Concentration | Year before Last as on 31.03.200 | Last Year as on 31.03.200 | Current Year as on latest (quarter/month) …………….
Total Agricultural Advances
Review of accounts in applicable cases
Concentration of NPAs in different sectors/segments against the chances for recovery taking into account the present economic scenario in those sectors/segments
Proper provisioning
Periodical inspection of assets (wherever available) to ensure that there is no deterioration of realisable value of security; reasons for quick deterioration, if any, of RVS
2. EARNINGS RISK
Recovery in written-off accounts
Monitoring over controllable expenses
3. OPERATIONAL RISK:
Reporting of default to ECGC within the prescribed time limit and lodgement of claims with ECGC within the prescribed time limit, lodgement of claims in respect of Central/State Govt. Guarantee accounts
NSC/KVP/Monies under Life Insurance Policy, Shares, Other Govt. Securities pledged/assigned as security in advance accounts and matured/fallen due for payment but proceeds not claimed/realised/credited to the borrowal accounts
Execution/renewal of lease deed of branch premises
B. CONTROL RISK
2. Compliance Risk
Offer Comments on:
Remittance of income-tax, service-tax deducted at source within the stipulated time to the credit of Govt. account, payment of various applicable taxes/charges in time such as property tax, tax under Shops & Establishment Act wherever applicable, electricity/telephone charges, professional tax etc.
Conclusive compliance with the previous audit reports, compliance with Monitorable Action Plan suggested in the previous Risk Based Audit Report, compliance with special instructions/guidance etc. provided by the controlling authorities, Govt. Bodies etc.
2. EARNINGS RISK
3. OPERATIONAL RISK
4. INTERNAL CONTROL RISK
5. COMPLIANCE RISK
Annexure -5
FORMAT OF EXIT MEETING REPORT
Branch : ____________________
Exit Meeting held on _______________
-------------------------------------------------
1. Date of Meeting :
4. Rating
Level/Trend of the last 2 assessments | Last (Date: ________) | Previous to Last (Date: ________)
Business Risk
Control Risk
Composite Risk
5. a) Highlights of performance
UCI/URI Recovery
Recovery in written-off accounts
Operating Profit/Loss
House-Keeping
b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the
branch).
6. SWOT analysis on functioning of the branch:
Strength
Weakness
Opportunity
Threat
Copy received.
Annexure-6
MARK SHEET
Correctly provided 6
Excess-provided 4
Under-provided 2
8. Insurance level of securities including collaterals (in applicable cases)
< 2 years 6
Between 2 and 5 years 4
> 5 years and above 2
< 1% 4
Between 1% and 3% 2
> 3% 0
2. Recovery in written-off accounts
Achieved 4
Achievement falling short by < 10% 2
Achievement falling short by > 10% 1
III. OPERATIONAL RISK 40
1. Positioning of staff in key areas (allocation of duties) as per their competency
Good 4
Satisfactory 2
Poor 0
2. Imparting suitable training/guidance to staff for acquiring updated knowledge in the field of recovery and also operational matters under the computerised environment from the risk perspective
Strictly implemented 2
Sometimes 1
Never 0
5. Awareness of Disaster Recovery Plan/Business Continuity Plan
No suit is filed 4
Suit/s filed against the branch but settled without any loss or very nominal loss to the branch 2
Suit/s pending against the branch or suit/s settled with a substantial loss to the branch 0
9. Inherent threat for the branch being situated in earthquake prone, riot prone, naxalite/terrorist infested, communal violence, flood prone area
Not applicable 4
Rarely 2
Frequently 0
10. In the case of any or more of the above threats applicable, then contingency plan for tackling the same is
Very good 4
Satisfactory 2
Unsatisfactory 0
Strictly adhered to 3
Some minor deviation/s noticed 2
Gross violation 0
Strictly enforced 4
Some minor deviation/s noticed; but no loss/penalty 2
incurred
Gross deviations noticed 0
Strictly enforced 3
Lopsided implementation 2
Gross violation 0
9. Obtention/periodical renewal of License under Shops & Establishment Act wherever applicable
Sr. No | Category of Risk | Maximum Marks Allowed | Marks Awarded | Percentage | Risk Rating Level/Trend
A BUSINESS RISK 140
1. Credit Risk 80
2. Earnings Risk 20
3. Operational Risk 40
B CONTROL RISK 80
1. Internal Control Risk 45
2. Compliance Risk 35
C COMPOSITE RISK*
* The composite risk will be arrived at with the help of the following risk matrix
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)
Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High
High | A: High Risk | B: Very High Risk | C: Extremely High Risk
Medium | D: Medium Risk | E: High Risk | F: Very High Risk
Low | G: Low Risk | H: Medium Risk | I: High Risk
Control Risk
TABLE OF CONTENTS
I Background
I. BACKGROUND
In the context of having effective RBS in the Bank, the Risk Profile of …………………….. Branch is prepared in line with the Corporate Risk Profile keeping in mind the various risk factors under Business and Control areas that are observed at the branch level. The underlying objective is to:
Categorise the Branches as having composite risk rating low, medium, high, very high and extremely high
Identify the direction of risk namely increasing/stable/decreasing
Sundry Deposits
Drafts Payable < 3 years
Drafts Paid Without Advice
Payslips Issued
Sundry Credits
Clearing Difference – Payable
Net Clear
Current Account with RBI/SBI
Security Deposits
Clearing Difference – Receivable
Suspense Accounts (Debit)
Furniture & Fixtures
Staff Cost
Miscellaneous Charges
Travelling Expenses
Lighting
Telephones & Telegrams
Stationery
Total Expenses
Profit & Loss Account Balance
A. BUSINESS RISK:
Previous Assessment | Present Assessment
Earnings Risk: Level/Direction:
Control over expenses
Adherence to manual of instructions/circulars/Guidelines
Litigation/claims against the bank
Preparedness for tackling any unanticipated natural/manmade calamities/events
B. CONTROL RISK: Previous Assessment | Present Assessment
Reconciliation (inter-bank and inter-branch)
Submission of MIS returns/control returns - Timeliness/quality
Prevention of frauds
Judicious exercise of Delegations of Powers
Branch security aspects
Operational
Control Risk
Internal Control
Compliance
V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:
Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively
1. EARNINGS RISK
2. OPERATIONAL RISK
3. INTERNAL CONTROL RISK
4. COMPLIANCE RISK
From | To | From | To
Control Risk
Composite Risk
A. BUSINESS RISK
1. Earnings Risk:
(Amount Rs. in Lakh)
Sundry Deposits
Drafts Payable < 3 years
Drafts Paid Without Advice
Payslips Issued
Sundry Credits
Clearing Difference – Payable
Net Clear
Current Account with RBI/SBI
Security Deposits
Clearing Difference – Receivable
Suspense Accounts (Debit)
Furniture & Fixtures
Inter-Branch Reconciliation Reports (Non-Finacle Branches)
Weekly reconciliation of Net Clear/Clearing Difference (Receivable/Payable) and follow-up for outstanding entries; Weekly reconciliation of accounts with RBI/SBI; obtention of periodic balance confirmation
Items | Positive Factors | Negative Factors
Weekly reconciliation and follow-up for outstanding drafts and also for Drafts Paid Without Advice (for Non-Finacle Branches)
Weekly reconciliation of RTGS Mirror account and follow-up for unreconciled entries
Handling of D/Ws – Proper record maintenance, follow-up etc.
Timely despatch of instruments/cheques etc. received in clearing to respective branches for responding and also proper handling of returned unpaid instruments; timely advising the branches about realisation of the instruments (sending the inbuilt CN of SCS)
Maintenance of records for Inward and Outward entries of EFT, ECS, RTGS transactions; follow-up for unresponded/missing/incorrect entries
Proper record maintenance of Payslips Issued and follow-up for outstanding entries
Control over Jet Clearing, National Clearing instruments (both Inward and Outward) for their expeditious clearance
Reconciliation and follow-up for old outstanding entries in Sundry Credits, Suspense Accounts (Debit)
Control over sensitive stationery items; maintenance and updation of records for missing drafts, payslips etc. of branches as informed by H.O.
Exercising care for prevention of payment of forged/missed/fake instruments to avoid any fraud
Maintenance of Furniture & Fixtures, proper accounting, numbering, physical verification, insurance etc.
Maintenance of Staff Records for payment of Salary, LFC, Medical Aid etc.; maintenance of leave records of staff
2. Compliance Risk:
2. OPERATIONAL RISK
3. INTERNAL CONTROL RISK
4. COMPLIANCE RISK
Annexure -5
FORMAT OF EXIT MEETING REPORT
Branch : ____________________
Exit Meeting held on _______________
-------------------------------------------------
1. Date of Meeting :
4. Rating
Level/Trend of the last 2 assessments | Last (Date: ________) | Previous to Last (Date: ________)
Business Risk
Control Risk
Composite Risk
5. a) Highlights of performance
House-Keeping
b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the
branch).
6. SWOT analysis on functioning of the branch:
Strength
Weakness
Opportunity
Threat
Copy received.
Achieved 5
Achievement falling short by < 10% 2
Achievement falling short by > 10% 1
II. OPERATIONAL RISK 60
1. Positioning of staff in key areas (allocation of duties) as per their competency
Good 4
Satisfactory 2
Poor 0
2. Periodical rotation of staff (wherever possible)
Nothing noticed 4
Noticed on a very few occasions 2
Noticed on many occasions 0
Sr. No. | Parameters for awarding marks | Maximum marks allowed | Marks awarded
5. Access to MBB server/UPS/ECS/EFT/RTGS etc.
Always 4
Sometimes 2
Never 0
7. Maintenance of records for allotment of user level code, control over changing of user level as per the requirement
Strictly implemented 4
Sometimes 2
Never 0
8. Awareness/monitoring the lapses in workflow/lapses leading to operational problems (not logging out of the computer system when not in use or when the operator leaves the terminal etc.)
Nothing noticed 4
Very rarely noticed 2
Lapses noticed on many occasions 0
9. Awareness of Disaster Recovery Plan/Business Continuity Plan
No suit is filed 4
Suit/s filed against the branch but settled without any loss or very nominal loss to the branch 2
Suit/s pending against the branch or suit/s settled with a substantial loss to the branch 0
13. Inherent threat for the branch being situated in earthquake prone, riot prone, naxalite/terrorist infested, communal violence, flood prone area
Not applicable 4
Rarely 2
Frequently 0
14. In the case of any or more of the above threats applicable, then contingency plan for tackling the same is
Prepared and all the staff members are aware of the same 4
Available in records; but some or most of the staff members are not aware of the same 2
Not at all prepared 0
15. Execution/renewal of lease deed of the branch premises
Very good 4
Satisfactory 2
Unsatisfactory 0
II. COMPLIANCE RISK 40
1. Submission of control returns (BPR, CA-23 etc.) and also RBI fortnightly statement (RBI secondary account balances) in time after ensuring accuracy
All the statements are submitted in time with accuracy 4
Only a few statements are submitted in time and/or some minor discrepancies noticed 2
Delayed submission of statements or non-submission and/or more discrepancies noticed 0
Strictly enforced 4
Some minor deviation/s noticed; but no loss/penalty incurred 2
Gross deviations noticed 0
4. Remittance of TDS to the credit of Govt. account
Strictly enforced 4
Lopsided implementation 2
Gross violation 0
Sr. No | Category of Risk | Maximum Marks Allowed | Marks Awarded | Percentage | Risk Rating Level/Trend
A BUSINESS RISK 70
1. Earnings Risk 10
2. Operational Risk 60
B CONTROL RISK 110
1. Internal Control Risk 70
2. Compliance Risk 40
C COMPOSITE RISK*
* The composite risk will be arrived at with the help of the following risk matrix
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)
Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High
High | A: High Risk | B: Very High Risk | C: Extremely High Risk
Medium | D: Medium Risk | E: High Risk | F: Very High Risk
Low | G: Low Risk | H: Medium Risk | I: High Risk
Risk | Decreasing | Stable | Increasing
Control Risk
TABLE OF CONTENTS
I Background
I. BACKGROUND
In the context of having effective RBS in the Bank, the Risk Profile of …………………….. Currency Chest is prepared in line with the Corporate Risk Profile keeping in mind the various risk factors under Business and Control areas that are observed at the Currency Chest level. The underlying objective is to:
Categorise the Currency Chests as having composite risk rating low, medium, high, very high and extremely high
Identify the direction of risk namely increasing/stable/decreasing
No. of Remittances | For the period covered under prior to Last Audit | For the period covered under Last Audit | For the period covered under Present Audit
Inward
Outward
Nature of Inspections conducted after the date of Last Audit | Date of Inspection | Major Findings
III Assessment of the Risk Profile
A. BUSINESS RISK:
Adherence to manual of instructions/circulars/Guidelines with regard to deposits/withdrawals of cash to/from the chest, remittance to/from RBI/other currency chest
Renewal of Lease Deed of Currency Chest premises; preparedness for tackling any unanticipated natural/manmade calamities/events
Shortages in currency chest balances due to pilferage/frauds or otherwise and inclusion of amounts of safe custody deposits in chest balances on behalf of Courts, Govt. Depts. etc.; making good the shortages
B. CONTROL RISK:
Periodical surprise verification of currency chest balances, periodical disaffection of strong room
Claim of admissible expenses; recovery of applicable service charges from non-chest branches of other bank/s
Previous Assessment | Present Assessment
Control Risk
Internal Control
Compliance
V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:
2. INTERNAL CONTROL RISK
3. COMPLIANCE RISK
Annexure-4
From To From To
Control Risk
Composite
Risk
A. BUSINESS RISK
1. Operational Risk:
B. CONTROL RISK
1. Internal Control Risk:
Claiming of admissible expenses (railway fares of police escorts, railway freight where railway warrants or Credit Notes are used) from the concerned RBI Issue Office; claiming of service charge at the rate prescribed by RBI for the cash received from non-chest branches of other bank/s
2. Compliance Risk:
Providing exchange facility to Branches as per RBI Note Refund Rules
4. Rating
Level/Trend of the last 2 assessments | Last (Date: ________) | Previous to Last (Date: ________)
Business Risk
Control Risk
Composite Risk
Strength
Weakness
Opportunity
Threat
Copy received.
Strictly enforced 5
Some minor deviation/s noticed; but no loss/penalty incurred 3
Gross deviations noticed 1
Sr. No | Category of Risk | Maximum Marks Allowed | Marks Awarded | Percentage | Risk Rating Level/Trend
A BUSINESS RISK 50
1. Operational Risk 50
B CONTROL RISK 50
1. Internal Control Risk 25
2. Compliance Risk 25
C COMPOSITE RISK*
* The composite risk will be arrived at with the help of the following risk matrix
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)
Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High
High | A: High Risk | B: Very High Risk | C: Extremely High Risk
Medium | D: Medium Risk | E: High Risk | F: Very High Risk
Low | G: Low Risk | H: Medium Risk | I: High Risk
Control Risk
TABLE OF CONTENTS
I Background
I. BACKGROUND
In the context of having effective RBS in the Bank, the Risk Profile of …………………….. D.P.O is prepared in line with the Corporate Risk Profile keeping in mind the various risk factors under Business and Control areas that are observed at the D.P.O. level. The underlying objective is to:
Categorise the D.P.Os as having composite risk rating low, medium, high, very high and extremely high
Identify the direction of risk namely increasing/stable/decreasing
A. BUSINESS RISK:
Previous Assessment | Present Assessment
Earnings Risk: Level/Direction:
Control over expenses
Recovery of charges from the clients as reported by the branches
Adherence to manual of instructions/circulars/SEBI Guidelines
Litigation/claims against the bank
Preparedness for tackling any unanticipated natural/manmade calamities/events
B. CONTROL RISK: Previous Assessment | Present Assessment
Reconciliation (demat/remat requests received)
Submission of returns/control returns - Timeliness/quality
Prevention of frauds
Judicious exercise of Delegations of Powers
Operational
Control Risk
Internal Control
Compliance
V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:
Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by D.P.O./Zonal Office respectively
1. EARNINGS RISK
2. OPERATIONAL RISK
3. INTERNAL CONTROL RISK
4. COMPLIANCE RISK
…………………………. DPO
………………………….. ZONE
Previous | Present
From | To | From | To
Control Risk
Composite Risk
BUSINESS PROFILE:
Offer comments on: (Please list out the lapses noticed item-wise and account-wise)
Modification of account details (only after receipt of letter/form duly signed by the BOs and also after collecting new proof of address in the case of change of address)
Acceptance/processing of demat requests as per procedures along with inward date and stamp of the DP within the stipulated time
Processing of Transmission-cum-demat requests as per the prescribed procedure
Items/Areas | Positive Factors | Negative Factors
Acceptance of Delivery Instructions and also dating and stamping of the same including DIS received beyond the deadline at client’s risk
Execution of Delivery Instructions as per the extant guidelines (obtention of DIS in the prescribed format, due verification of signature, verification of DIS by two officials in case of DIS with value of securities over the limit specified by SEBI/Depository, ensuring receipt of original instructions within two days in case fax instructions are accepted, filling up of column for cash transfer, striking off blank columns, execution on the same day/before the settlement deadline as the case may be, etc.)
Closure of demat account [receipt/scrutiny of Account Closing Form (ACF), sending confirmation for closing of account to BO, following the prescribed procedure in the case of BO wanting to close account with pending demat position, following the procedure for transferring account from one DP to another etc.]
Carrying out remat/repurchase/stock lending transactions in accordance with the stipulated procedures (obtention of RRF, verification of the signature, proper filling up of the form, availability of the balance of the security, forwarding RRF to the Issuer/R&T Agent etc.)
Freezing/Unfreezing of transactions in accordance with the stipulated procedures
Dealing with pledging, un-pledging and invocation of pledge as per the stipulated procedure (pledgor and pledgee having account in CDS to create a pledge, security in demat form, securities to be fully paid-up, unencumbered and in marketable lots, account of pledgor and pledgee not tagged for closure, non-allowing part unpledging/invocation under one PSN, obtention of Pledge Request Form (PRF) countersigned by pledgee, non-cancellation of pledge by CDS without prior concurrence of the pledgee, obtention of URF counter signed by the pledgee for unpledging, obtention of proper Invocation Request Form from the pledgee etc.)
Items/Areas Positive Factors Negative Factors
Dealing with the
transmission transaction in
accordance with the
stipulated procedure
(proper filling up the
Transmission Request
Form by the Transmittee,
ensuring that Transmittee is
having an account with
CDS, obtention of death
certificate of the deceased
BO, succession
certificate/letter of
administration/probate of
the will of the deceased,
letter of surety, letter of
indemnity etc.)
Regular upgradation of
back office operations
including website, daily
back up of data residing in
back office (or any data
maintained in electronic
from) with respect to DP
operations, off-site safe
keeping of back ups, using
the back office software for
the purpose of depository
related activities (data entry
with respect to account
opening, demat,
remat/repurchase,
settlement, pledge, stock
lending and borrowing,
statement of transactions
etc.), ensuring the formats
used by the DP are in
conformity with the
prescribed format of the
Depositories etc.
Number of persons
authorized to access CDAS
system and their training
experience, maintaining of
secrecy of passwords at all
levels, deletion of old
reports from the system
Items/Areas Positive Factors Negative Factors
Installation/upgradation of
Anti-virus software,
adequate protection of
CDAS in a secure area with
adequate power supply
(UPS or voltage stabilizer),
maintenance of DP terminal
(like database purging,
application of new releases
etc.) as per the extant
operating instructions and
Communiques of the
Depositories, connection of
CDAS to any other network
without approval of DOT
and/or the Depository
Execution/stamping of
agreement/ supplementary
agreement, letter of
confirmation etc. in
accordance with the
Depository’s prescribed
procedure, proper
execution/ notarizing Power
of Attorney (POA)
documents,
Maintaining adequate
documents for closure/
freezing/unfreezing of client
account (this includes the
procedure followed by the
Participant in respect of
accounts which did not
have balance at the time of
closing the account),
Availability of contingency
plan and successful test
checks of contingency plan
in the event of failure of
users hardware system/loss
of connectivity with the
Depository
Dealing with claims /
litigation against the Bank
B. CONTROL RISK
Offer comments on: (Please list out the lapses noticed item-wise and account-wise)
2. Compliance Risk:
Offer comments on: (Please list out the lapses noticed item-wise and account-wise)
Timely remittance of service tax and also Annual Tax returns to the concerned authorities
SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:
Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by D.P.O./Zonal Office respectively
1. EARNINGS RISK
2. OPERATIONAL RISK
3. INTERNAL CONTROL RISK
4. COMPLIANCE RISK
Annexure -5
FORMAT OF EXIT MEETING REPORT
DPO : ____________________
Exit Meeting held on _______________
-------------------------------------------------
1. Date of Meeting :
4. Rating
Level/Trend of the last 2 assessments:    Last (Date ________)    Previous to Last (Date ________)
Business Risk
Control Risk
Composite Risk
5. a) Highlights of performance
b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the DPO).
6. SWOT analysis on functioning of the DPO :
Strength
Weakness
Opportunity
Threat
Copy received.
Achieved                                                          5
Achievement falling short by < 10%                                2
Achievement falling short by > 10%                                1
3. Levying of charges for various transactions as per extant guidelines (i.e. detection of revenue leakage)
Levied in all transactions, no revenue leakage detected           6
Revenue leakage detected to the extent of Rs.10,000/-             4
Revenue leakage detected more than Rs.10,000/-                    2
No complaint received                                             8
Very few complaints received; but redressed within the stipulated time    4
Many complaints received/pending                                  2
Sr. No. | Parameters for awarding marks | Maximum marks allowed | Marks awarded
II. COMPLIANCE RISK                                              50
1. Submission of periodical reports such as Annual Report, Audit Report, Grievances Report etc. to the Depository/SEBI
All the statements/reports are submitted in time with accuracy            10
Only a few statements are submitted in time and/or some minor discrepancies noticed    4
Delayed submission of statements or non-submission and/or more discrepancies noticed   2
Strictly enforced                                                10
Some minor deviation/s noticed; but no loss/penalty incurred      4
Gross deviations noticed                                          2
* The composite risk will be arrived at with the help of the following risk matrix.

Risk Matrix (rows: Inherent Business Risk; columns: Control Risk)

Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High
High                   | A  High Risk      | B  Very High Risk    | C  Extremely High Risk
Medium                 | D  Medium Risk    | E  High Risk         | F  Very High Risk
Low                    | G  Low Risk       | H  Medium Risk       | I  High Risk
Control Risk