
DOS AND DONTS FOR CONCURRENT AUDITORS (CA FIRMS)

Dos:
1. A pre-concurrent-audit study of the branch/ department should be done, obtaining all relevant information and the off-site surveillance reports of the auditee as stated in the engagement letter.
2. Prepare a proper audit plan based on 1 above, covering all the areas of the scope and keeping the time lines in view.
3. Have a structured introductory meeting with the auditee and seek all the information required in advance, with a proper time schedule. Introduce the audit team to the auditee officials.
4. The audit team should be accompanied by senior and experienced members as required.
5. Auditors are to display team spirit and avoid misunderstandings/ arguments in the presence of auditees.
6. Discuss findings with branch officials on a daily basis and try to rectify the defects then and there.
7. Give auditees a chance to express their opinion while discussing the issues. Getting a proper explanation in a co-operative atmosphere will save precious time.
8. In case of a difference of opinion with the auditee, the auditor should first discuss it with the leader of his team. Further discussion at a higher level may be held, if required.
9. In case the auditor comes across any information which causes him to suspect any element of fraud, gross negligence, gross incompetence or similar unfavourable actions or tendencies, he should report the matter to the leader of the team immediately.
10. The auditor should keep utmost secrecy about the information/ audit observations/ issues etc. relating to the auditee.
11. Be courteous, cooperative and professional.

Don'ts:
1. The auditor should not have any professional or commercial relationship, either direct or indirect, with borrowers/ beneficiaries of the branch/ department which they are auditing, and should not have one in future, as far as possible, for a minimum period of three years.
2. The auditor should not take advantage of his association as concurrent auditor with the branch/ department of the bank to canvass for any client/ business with the bank, either directly or indirectly.
3. The auditor should not represent any client/ customer of the bank, as far as possible, for a minimum period of three years after completion of the term of the audit.
4. The auditor should not share/ pass on/ discuss any audit related observations/ issues/ findings with anyone other than those concerned in the bank.
5. The auditor need not act overly reserved or unfriendly in order to maintain his independence as an auditing officer. A forbidding attitude on his part may well cause others to adopt the same attitude towards him. This can adversely affect the work entrusted to the inspecting officer.
6. The auditor should not get involved in heated arguments with the auditee.
7. The auditor should not give orders to the auditee, and should seek requirements from the officer assigned to assist him on a particular job. The concerned officer will issue the necessary orders to their employees if he accepts the inspector's suggestions and recommendations.
8. The auditor should not delay the submission of the audit report.


REPORT ON BRANCH PROFILE & EXECUTIVE SUMMARY

1. Branch Details
   Branch:
   ZO:
   Date of Opening of the Branch:
   Category: Rural / Semi-urban / Urban / Metro; Small / Medium / Large / Very Large / ELB / IFB / SSI / Others
   Region:
   Area Code:
   Name/s of EC/ Sub-office/ Satellite offices attached:
   Designated for FX business (Yes/ No):
   Branch Mechanisation (ALPM/ TBM/ CBS):
   Rating: Last Year / Present Year

2. Incumbents during the period under review
   Designation | Name | Grade | From | To
   Branch Manager
   Asst. Br. Manager
   In-Charge (Credit)

3. Other Staff
   SN | Category | Current | Previous
   1 | Officers
   2 | Clerks
   3 | Attenders
   Total

4. Details of Inspecting Officers
   Sl. No. | Name | Designation
   Period Covered: From: / To:
   Date of Commencement: / Date of Completion:
   Mandays utilised: Present Audit: / Previous Audit:

Executive Summary
Important positive/ negative features noticed during the audit are to be furnished in brief under the following parameters:
   Sr. No. | Parameter | Auditors' Finding
   1 | Performance of the branch: Advances, Deposit, NPA
   2 | Major findings of the inspections: RO, ZO, Branch
   3 | House Keeping
   4 | Customer Service
   5 | Statutory Compliance
   6 | Systemic weakness
   7 | Persisting irregularities
   8 | Suggestions for improvement

Data Sheet

A) Advances

1. Sector wise Classification
   Sector | Limits, O/s, Overdue (as on ...) | Limits, O/s, Overdue (as on ...)
   Agriculture
   MSME
   Retail loans: Housing Loan; Personal Loan; Others
   Corporate Loans
   Others
   Sensitive Sectors: a) Real estate sector; b) Capital Market sector; c) Commodities sector

2. Individual Exposure (list top five/ten individual borrowers)
   Name of the borrower | Sector | Limit | O/s | % of total exposure to total advances of the branch

3. Group Exposure (list top five/ten group borrowers)
   Name of the Group | Limit | O/s | % of total exposure to total advances of the branch

4. Industry wise Classification (relevant for corporate branches)
   Sl. No. | Industry | Limit | O/s | % of o/s to total gross exposure
   1 | Textiles
   2 | Paper & Paper Products
   3 | Chemicals & Chemical Products: Fertilizer; Drugs & Pharmaceuticals; Petrochemicals & others
   4 | Iron & Steel
   5 | All Engineering
   6 | Gems & Jewellery
   7 | Construction
   8 | Infrastructure: Power; Telecommunication; Roads & Ports; Others
   9 | Petroleum
   10 | Cement & Cement Products
   11 | NBFCs including MFIs
   12 | Film Industry

5. Secured / Unsecured Advances
   Particulars | Limit | O/s | Overdue | % to total exposure
   1 | Total Secured Exposure
   2 | Total Unsecured Exposure
   Total Exposure
   % of unsecured exposure to total exposure

6. Non fund based business
   Limit | O/s | % of exposure to total exposure
   LC
   BG
   Other
   Total non fund based exposure

   Particulars | No | Amount
   BG issued during the review period
   Total turnover of BG issued
   LC issued during the review period
   Total turnover of LC issued
   BG invoked
   LC devolved
   % of BG invoked to total turnover of BG
   % of LC devolved to total turnover of LC
   % of BG invoked to O/s of BG
   % of LC devolved to O/s of LC

7. Time barred debts
   a) Total no. of AODs pending for obtention as on ...
   b) Amount involved in pending AODs as on date of inspection
   c) Total no. of AODs and amount involved pending at the time of previous inspection
   d) No. of cases where documents are expiring within the next 3/6 months
   e) % of time barred debt to Total NPA

8. Rating wise Classification of Advances
   a. Internal rating wise
      Rating grade | As on ...: Limit (FB, NFB), O/s (FB, NFB), No. of borrowers, % of composition | As on ...: Limit (FB, NFB), O/s (FB, NFB), No. of borrowers, % of composition
      Rows: grades 1 to 10; Total; Total Low Risk; Total Medium Risk; Total High Risk
   b) Report on borrowers not rated by approved external rating agencies (in applicable cases only)
      No. of unrated borrowers | Limits | O/s | % of exposure to unrated borrowers to total advances
      Total
   c) Internal rating not carried out based on latest financials in applicable cases
      No. of unrated borrowers | Exposure to unrated borrowers | % of exposure to unrated borrowers to total advances

9. Income Leakage: details of seepage of income detected in various audits since last RBIA
   Particulars | Detected in various inspections | Other seepage of income detected | Total seepage detected | % to total
   Applicable ROI is not charged
   Prescribed processing, inspection charges and other service charges are not collected
   Penal interest / additional interest is not charged for: overdue loans; stock statements, QIS, financial statements; delay in submission of renewal proposal; non creation of mortgage, adhoc limit etc.
   Processing charges are not collected at the time of annual review/ renewal
   Income leakage in Forex business
   ROI on Deposits
   Other
   Total seepage detected
   % of seepage of income detected to total business
   Total seepage of income detected in previous inspection/ review period: increasing / decreasing
   Seepage of income pending for recovery
   Increase/ Decrease: Amount | %

B) NPA Management

1) NPA Management
   As on ... (Amount, % to Gross NPA) | As on ... (Amount, % to Gross NPA)
   a) Standard Assets
   b) Special Mention (out of a)
   c) Substandard Assets
   d) Doubtful Assets: up to 1 year
   e) Doubtful Assets: 1 to 3 years
   f) Doubtful Assets: above three years
   g) Loss Assets
   h) Total NPAs (Gross)
   i) % of NPAs to Total Advances
   j) Provisions made for NPAs
   k) Understatement of provisions
   l) % of provision to Gross NPA
   m) Net NPA
   n) % of Net NPA to Total Advances
   o) NPA more than 2 years (Chronic)
   p) % of chronic NPA to total NPA
   q) % of SMA to total Standard Advances
   r) Fresh NPAs added & Quick Mortality
      1. Fresh NPAs added: number & amount involved
      2. Out of fresh NPAs, quick mortality cases: number and amount
      3. % of quick mortality cases to sanctions made during the review period
   s) Recovery of NPA
   t) Accounts covered under SARFAESI Act
      C) No. of accounts where notices issued under SARFAESI Act
      D) No. of cases where notice issued, possession not taken
      E) No. of cases where possession taken but not auctioned
   u) Up gradation of NPA to Standard
      1. No. of accounts upgraded to Standard Assets and amount involved during the review period
      2. % of up gradation to total NPA
   v) Written off accounts and their recovery
      1. No. of written off accounts and amount involved
      2. Amount recovered in written off accounts
   w) Restructured Accounts/CDR
      1. No. of accounts restructured
      2. Amount involved in restructuring
   x) OTS
      1. No. of cases and amount involved in OTS
      2. Amount of waiver
      3. % of waiver to total amount
      4. No. of accounts where payment of OTS is not forthcoming as per terms of OTS
   y) Other

2) Sectoral Concentration of NPA
   a) Product wise
      Sector | Limits, O/s, Overdue (as on ...) | Limits, O/s, Overdue (as on ...)
      Agriculture
      MSME
      Retail loans: Housing Loan; Personal Loan; Others
      Corporate Loans
      Others
      Sensitive Sectors: a) Real estate sector; b) Capital Market sector; c) Commodities sector

C) Deposits
   As on ... (No. of a/c, Amount) | As on ... (No. of a/c, Amount)
   1. SB
   2. CA
   3. Term liabilities
   4. Total
   5. Low Cost Deposits
   6. % of low cost deposits to total deposits
   7. Inoperative accounts
   8. Risk categorisation of customers: Low Risk; Medium Risk; High Risk

D) Non Interest Income
   As on ... | As on ...
   a) Non-interest Income
      Processing charges and upfront fees
      Commission, exchange and brokerage
      Service charges
      Income from forex transactions
      Income from govt. business
      Other income
   b) % increase/ decrease over previous year
   c) % of non interest income in total income

E) Frauds
   As on ... (No., Amount, %) | As on ... (No., Amount, %)
   a) Frauds detected during the review period
   b) Nature of fraud
      1. Misappropriation and criminal breach of trust
      2. Fraudulent encashment
      3. Loan related frauds
      4. Unauthorised credit facilities for reward/gratification
      5. Negligence and cash shortages
      6. Cheating and forgery
      7. Irregularities in foreign exchange transactions
      8. Other
      Total
   c) Perpetrator-wise
      1. Staff
      2. Customer
      3. Outsiders
      4. Staff and customer
      5. Customer and outsider
      6. Staff, customer & outsider
   d) Detection
      1. Within 3 months
      2. Within 6 months
      3. Within 12 months
      4. After 1 year
   e) Whether staff accountability examined

F) Impersonal Accounts
   Head of A/c | Upto 1 month (No. of Entries, Amt) | 1 month to less than 3 months (No. of Entries, Amt) | 3 months to less than 6 months (No. of Entries, Amt) | Above 6 months (No. of Entries, Amt) | Total
   Suspense A/c
   Parking GL
   End Point
   Branch Adjustment/ inter branch transfer etc.
   Sundry deposits/assets
   Capital Expenditure
   Adjustment accounts with other banks: unreconciled items
   TT paid/ payable account
   Other
   Total

G) Inspections conducted during the review period
   SL No | Inspection type | Date/ month of Audit | Closure time of report (as per guidelines) | Submission | Rectification | Closure
   1 | Previous RBIA
   2 | Concurrent audit (month)
   3 | Credit Audit
   4 | IS Audit (ALPM/TBM/CBS)
   5 | RBIA
   6 | RBI inspection
   7 | Statutory Audit
   8 | Other
   Remark on delay in rectification, level of rectification etc.

H) Complaints
   During previous inspection review period (No., % to total) | During present inspection review period (No., % to total)
   No. of complaints received
   Nature of complaints:
   - Deficiency in service
   - Loans related
   - Rude behaviour of Manager/staff
   - Alleged wrongful debits to their accounts
   - Charging excess interest /commission/service charges
   - Alleged wrongful dishonour of cheques
   - Disputed ATM transactions
   - Others
   Total

OFFSITE SURVEILLANCE REPORT / SYSTEM GENERATED REPORTS
   SGR | Related Department | Area of Operations | Section/ Audit | Frequency | Report
   1 | Accounts Dept | Cash | OMU* | Daily | Days on which cash retention limit has been exceeded
   2 | Inspection Dept/AML | Cash | CA** | Weekly | Accounts in which there were more than 10 cash deposits during the week
   3 | Inspection Dept/KYC | Cash | CA | Weekly | Cash deposits between Rs. 40000 and Rs. 50000
   4 | Accounts Dept | Deposit | CA | Monthly | Dormant accounts which need to be transferred to CO
   5 | Accounts Dept | Deposit Acs | CA | Daily | Dormant accounts where transactions have taken place
   6 | Accounts Dept | Control | OMU | Monthly | List of long pending items in Sensitive and Reconciliation General Heads
   7 | Accounts Dept | Remittance | CA | Weekly | DD/PO issued against deposit of cash, arranged according to the name of the purchaser
   8 | Department of Information Technology | IT | OMU | Weekly | List of unsuccessful logins
   9 | Department of Information Technology/ Human Resource Department | IT | OMU | Daily | List of staff members who are on leave but under whose login ID transactions have been input/verified
   Reports for the following rows (their department, section and frequency columns are listed below):
   - New advances accounts not opened properly in the system: all fields in the customer master are input and the sanctioned limit is input correctly (Credit | CA | Daily)
   - New deposit accounts opened, category wise (Current, Savings, FD, RD, with NRE/NRO/FCRA accounts marked); also indicate fields in the account master left blank
   - All manual debits to expense accounts
   - All manual debits to income accounts
   - Current accounts and savings accounts without OD limit in which TODs were permitted more than three times during the quarter, including TOD, if any, outstanding (separate reports for current and savings accounts)
   - Debit transactions in No Frill accounts exceeding Rs. 10000 in a month
   - Credit transactions in No Frill accounts exceeding Rs. 100000 in a year
   - Debits in inactive accounts

10

Department of Information Technology/ RO 11 Department of Information Technology/ RO 12 Inspection Dept 13 Inspection Dept 14 Inspection Dept/ RO

Deposit Acs

CA

Daily

Control Control Credit

CA CA OMU

Weekly Weekly Weekly

15 Inspection Dept/ Deposit RO 16 Deposit Inspection Dept 17 Inspection Dept/ Accounts Dept / RO 18 Inspection Dept/ RO 19 Inspection Dept 20 Inspection Dept 21 Inspection Dept 22 23 24 25 26 Deposit Acs

OMU OMU CA

Monthly Yearly Weekly

Deposit Acs Transactions Transactions Transactions

CA CA CA CA OMU OMU CA OMU CA

Weekly Weekly Daily Weekly Daily Daily Weekly Monthly Weekly

Debit balances in Savings / Current accounts
Entries reversed
Transactions with value date prior to date of transaction
List of all high value transactions (Cash, Clearing, Transfer separately)
List of staff accounts with unusual or high value transactions
List of credits to NEFT/RTGS suspense outstanding beyond a day
Accounts which were upgraded from substandard to standard status
List of accounts which should have been marked as NPA but have not been
List of all new guarantees issued

Inspection Dept Controls Control Accounts Dept Recovery Dept Recovery Dept RO- Credit Monitoring Cell Credit NPA Credit

SGR 27

Related Department

Area Operations Credit

of Section/ Audit OMU

Frequency Daily

RO- Credit Monitoring Cell 28 29 30 RO- Credit Monitoring Cell RO- Credit Monitoring Cell Risk Management Dept/ RO- RMC Risk Management Dept/ RO- RMC RO- Credit Monitoring Cell RO- Credit Monitoring Cell Risk Management Dept / RO RO 36 RO 37 38 39 40 41 42 RO- Credit Monitoring Cell RO- Credit Monitoring Cell Inspection Dept/ RO Inspection Dept RO- Credit Monitoring Cell Special Mention Account Dept/RO RO- Credit Monitoring Cell RO- Credit Monitoring Cell RO- Credit Monitoring Cell RO-RMC RO-RMC RO- Credit Monitoring Cell RO- Credit Monitoring Cell Inspection Dept Inspection Dept Inspection Dept/ RO Credit Credit Credit OMU OMU OMU Monthly Daily Weekly

Report Cash Credit /Overdraft/Bill Purchase/Packing Credit/Guarantees/LC accounts in which balance exceeded the drawing limit (Separate report for each type of account to be generated) Exceeding in Sanctioned Limits Advances accounts (OD, CC, Loan, BP, BD, BN, PC and Cheque Purchase) irregular/overdue. Guarantees expired

31

Credit

OMU

Weekly

Guarantees invoked

32 33 34

Credit Credit Credit

OMU OMU OMU

Monthly Weekly Monthly

Accounts in which stock statements / uploading of drawing limit is overdue, arranged age wise
Credit accounts in which limits have expired
List showing unusual growth in advances (number of accounts and amount): spurt in advances
Cheques/DDs/Bills purchased returned unpaid

35

Cheque Collection/Purchase OMU; Cheque Collection/Purchase CA; Credit OMU; Credit Credit Credit Credit Credit OMU CA OMU OMU OMU

Monthly

Monthly

List of all cheque purchases (Inland/Foreign separately)

Weekly Weekly Monthly Weekly Weekly Monthly

Cash Credit accounts with turnover during the quarter less than the sanctioned limit
Cash Credit accounts with cash withdrawals in excess of 10% of the sanctioned limit
List of new /renewed credit accounts in which proposal processing charges have not been recovered
Advances accounts in which interest rate code is "0"
Credit accounts in which insurance has expired
Loan accounts in which installments are falling due within the next 15 days
Loans granted against FDs

43

Credit

CA

Monthly

44 45 46 47 48 49 50 51 52

Credit Credit Credit Credit Credit Credit Credit Credit Deposit

CA CA CA CA CA CA CA CA OMU

Weekly Monthly Weekly Weekly Weekly Weekly Weekly Monthly Weekly

New advances accounts opened, category wise
List of all fresh Packing Credits disbursed
FD accounts from which lien marking has been removed
FDs matured but lien marking continues
Accounts in which date of expiry of insurance has been changed
Accounts in which drawing limit has been changed
Accounts in which rate of interest has been changed
Drawing limits entered with back value
Current Accounts without OD limit and debit balance (TOD) outstanding for more than 15 days at the close of the month

SGR 53 54

Related Department

Area Operations

of Section/ Audit OMU OMU

55 56 57 58 59 60 61

Inspection Dept Deposit Department of Deposit Information Technology AML Cell Deposit Deposit AML Cell Inspection Dept Inspection Dept RO-RMC RO-Planning Dept Risk Management Dept/ RO- RMC Inspection Dept Treasury- Non Resident Deposit Cell Treasury- Non Resident Deposit Cell RO- Credit Monitoring Cell RO- Credit Monitoring Cell RO- Credit Monitoring Cell Treasury Treasury Treasury Treasury RO-RMC Treasury Inspection Dept. Deposit/Credit Deposit Acs Deposit Acs Deposit Acs Forex

Frequency Weekly Weekly

Report
Overdue FDs
Savings/Current Accounts/Cash Credit in which signature has not been scanned
Deposit accounts opened and closed within 6 months
Savings and Current accounts which were opened less than six months ago in which there are high value transactions
Deposit and Advances accounts in which interest rate has been modified (separate for deposits and advances)
Savings/Current/Advances accounts with blank interest flag
List of accounts of minors who have attained majority during the month
List of welcome kit accounts activated with name of customer left blank
LCs devolved

OMU OMU OMU OMU CA CA OMU

Weekly Daily Monthly Weekly Weekly Weekly Weekly

62 63

Forex Forex

CA OMU

Weekly Weekly

Charges collected on LC/BG/Bills in branches designated for Foreign Exchange Transactions
FCNR deposits renewed after 14 days after maturity

64

Forex

CA

Weekly

Debits and Credits in NRE, NRO and FCNR accounts

65 66 67 68 69 70 71 72 73 74

Forex Forex Forex Forex Forex Forex Forex Forex Forex Remittance

CA CA CA CA CA CA CA CA CA CA

Weekly Weekly Weekly Weekly Weekly Weekly Weekly Weekly Weekly Weekly

List of all new LCs issued (Inland/Foreign separately)
List of all Bills Purchased/Discounted/Negotiated (Inland/Foreign separately)
List of LCs advised
List of foreign outward remittances
List of foreign inward remittances
List of export bills on collection/purchase/negotiation
List of import bills
List of LCs opened
List of EEFC transactions
List of DD/PO/RTGS/NEFT/cheque purchase/Bills/LCs/Guarantees in which charges collected are less than the charges calculated by the system
More than 5 DDs/POs issued to the same purchaser
Duplicate FD receipts printed
Duplicate DD/PO printed
List of credit limits newly created/ enhanced/ modified with their validity
List of high value deposits of Rs 50 lacs and above having a different rate of interest than card rate
Opening balance and debits to the account in all TAX accounts (TDS, Service Tax etc.)
FDs with TDS exempt flag both at account level and customer master level (separately)

75 Inspection Dept. Remittance 76 77 78 79 80 81 RO-RMC RO-RMC RO- Credit Monitoring Cell Inspection Dept Tax Cell Tax Cell Remittance Remittance Credit Deposit Acs

OMU CA CA CA OMU

Weekly Weekly Weekly Weekly Weekly Weekly Weekly

Statutory Compli CA Tax compliance CA

* Off Site Monitoring Unit ** To be used by Concurrent Auditor
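The system generated reports above are exception queries run over the branch's transaction data. As an added example, not the bank's own system or code, the following Python script loads a small constructed transaction table into SQLite and runs four of the listed reports: cash deposits between Rs. 40000 and Rs. 50000, accounts with more than 10 cash deposits in a week, transactions input under the login ID of a staff member on leave, and transactions with a value date prior to the transaction date. The table layout, column names and sample records are assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data (assumed layout; not real bank records). Amounts in rupees.
# (txn_id, account, txn_date, value_date, kind, amount, user_id)
TRANSACTIONS = [
    ("T001", "ACC-1", "2024-03-04", "2024-03-04", "CASH_DEP", 45000, "U10"),
    ("T002", "ACC-1", "2024-03-04", "2024-03-04", "CASH_DEP", 49500, "U10"),
    ("T003", "ACC-2", "2024-03-05", "2024-03-01", "TRANSFER", 120000, "U11"),  # value date before txn date
    ("T004", "ACC-3", "2024-03-05", "2024-03-05", "CASH_DEP", 60000, "U12"),   # U12 is on leave that day
    ("T005", "ACC-1", "2024-03-06", "2024-03-06", "CASH_DEP", 39999, "U10"),   # just below the band
    ("T006", "ACC-2", "2024-03-06", "2024-03-06", "TRANSFER", 2500, "U11"),
]
# Eleven small cash deposits into ACC-4 spread over one week.
TRANSACTIONS += [
    (f"T1{i:02d}", "ACC-4", f"2024-03-0{4 + i % 5}", f"2024-03-0{4 + i % 5}", "CASH_DEP", 5000, "U10")
    for i in range(11)
]
# Staff leave register: (user_id, leave_from, leave_to), both dates inclusive.
STAFF_LEAVE = [("U12", "2024-03-04", "2024-03-08")]


def load_sample_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE txn (txn_id TEXT PRIMARY KEY, account TEXT, txn_date TEXT,
                          value_date TEXT, kind TEXT, amount INTEGER, user_id TEXT);
        CREATE TABLE staff_leave (user_id TEXT, leave_from TEXT, leave_to TEXT);
    """)
    conn.executemany("INSERT INTO txn VALUES (?,?,?,?,?,?,?)", TRANSACTIONS)
    conn.executemany("INSERT INTO staff_leave VALUES (?,?,?)", STAFF_LEAVE)
    return conn


def cash_deposits_in_band(conn, lo=40000, hi=50000):
    """SGR 3: cash deposits between Rs. 40000 and Rs. 50000 (inclusive band)."""
    rows = conn.execute(
        "SELECT txn_id FROM txn WHERE kind = 'CASH_DEP' AND amount BETWEEN ? AND ? ORDER BY txn_id",
        (lo, hi)).fetchall()
    return [r[0] for r in rows]


def accounts_with_many_cash_deposits(conn, week_start, threshold=10):
    """SGR 2: accounts with more than `threshold` cash deposits in the week starting week_start."""
    week_end = (date.fromisoformat(week_start) + timedelta(days=6)).isoformat()
    rows = conn.execute("""
        SELECT account, COUNT(*) FROM txn
        WHERE kind = 'CASH_DEP' AND txn_date BETWEEN ? AND ?
        GROUP BY account HAVING COUNT(*) > ? ORDER BY account""",
        (week_start, week_end, threshold)).fetchall()
    return rows


def transactions_under_absent_staff(conn):
    """SGR 9: transactions input under the login ID of a staff member who was on leave that day."""
    return conn.execute("""
        SELECT t.txn_id, t.user_id FROM txn t
        JOIN staff_leave l ON l.user_id = t.user_id
        WHERE t.txn_date BETWEEN l.leave_from AND l.leave_to ORDER BY t.txn_id""").fetchall()


def back_valued_transactions(conn):
    """Value-dated report: transactions whose value date is earlier than the transaction date."""
    rows = conn.execute("SELECT txn_id FROM txn WHERE value_date < txn_date ORDER BY txn_id").fetchall()
    return [r[0] for r in rows]


def run_weekly_exception_reports(conn, week_start):
    """Collect the four reports for the concurrent auditor's weekly review."""
    return {
        "cash_deposits_40k_50k": cash_deposits_in_band(conn),
        "more_than_10_cash_deposits": accounts_with_many_cash_deposits(conn, week_start),
        "absent_staff_login": transactions_under_absent_staff(conn),
        "back_valued": back_valued_transactions(conn),
    }


if __name__ == "__main__":
    for name, hits in run_weekly_exception_reports(load_sample_db(), "2024-03-04").items():
        print(f"{name}: {hits}")
```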

Weekly Concurrent Audit Report

To be submitted to the Branch Manager as soon as the weekly audit is over.

Concurrent Audit
Weekly Report for the period ____________ to ____________
Branch:
Date of report: ____________
   Department | Irregularity/Deficiency Observed | Branch Comment | Date & Sign

To be submitted to the Controlling Office by the 15th of the next month.

Concurrent Audit
Monthly Report of pending irregularities/deficiencies observed during the month ended ____________
Branch:
Date of report: ____________
   Department | Irregularity/Deficiency Observed | Branch Comment | Date & Sign

Certificate
We confirm having audited all the areas/processes/activities marked as High Risk in the audit check list. We also confirm that we have adhered to the periodicity and coverage indicated in your instructions to us. A copy of the report has been handed over to the Branch Manager for taking necessary action.

Signature

To be submitted to the Controlling Office within 15 days of the close of the quarter.

Concurrent Audit
Quarterly Report of recurring irregularities for the period ____________ to ____________
Branch:
Date of report: ____________
   Department | Irregularity/Deficiency Observed | Action Recommended | Action Initiated (To be filled in by CO)

Key Audit Findings and Monitorable Action Plan

(Not more than 10 comments for Credit, NPA Management, Forex and not more than 5 comments for other areas. It is not necessary to have Key Audit Findings in each of the areas. This being a report for the use of Senior Management only very serious irregulariti

   KEY AUDIT FINDINGS | Amt involved Rs. Crores | % to Credit Portfolio | MONITORABLE ACTION PLAN RECOMMENDED
   A CREDIT: 1 to 10
   B NPA MANAGEMENT: 1 to 10
   C CASH MANAGEMENT: 1 to 5
   D DEPOSITS: 1 to 3
   E REMITTANCE: 1 to 3
   Etc.

Check List to IT Procedure
   SL NO | ASSESSMENT AREA

1 IT ENVIRONMENT RISK

A LEGAL RISK
   - Systems do not have any unauthorized software
   - Records in electronic and paper based format are
   - Branch is in a position to furnish the historical data of a customer for legal purposes at times of need
   - Necessary archival is maintained in a secure media and preserved (CD cutting of ledger reports in respect of ALPM/TBM modules)

ORGANISATION RISK
   - All the staff in the Branch are formally trained in CBS operations (if not, furnish the list of employees not trained)
   - Jobs assigned to staff have been properly defined and segregated
   - A second-in-line trained System Administrator is available in the branch to take up the duty of System Administrator in the absence of the assigned System Administrator

C ENVIRONMENTAL SECURITY
   - Server room is not prone to risks like water seepage, flood, fire or magnetic interference
   - Branch server is being maintained in a dust free and temperature controlled environment
   - Systems are maintained neatly/ dust-free
   - Eatables and drinks are prohibited in the server room
   - Photography/video equipment and mobile phones are prohibited in the server room
   - Server room is kept rodent free
   - Terminals/nodes outside the server room are switched off when persons are not working
   - Physical access to server room is restricted to authorized persons/identified vendor personnel
   - Physical access to server room is closely monitored
   - Server room is kept locked before the branch personnel leave the office in the evening
   - Server is housed sufficiently away from UPS room/batteries but close enough to be monitored by the System Administrator

D ELECTRICAL LINES
   - Electrical wiring is concealed and is not hanging from ceilings or nodes
   - Power supply to the computer systems is provided through UPS only
   - Power supply to access control equipment of the server room is provided through UPS only

DATA CABLING AND CONNECTIVITY
   - Electric cable and data cable do not cross each other
   - Leased line connecting cable to the branch server is secure and protected from tampering
   - Data cables are properly labelled for identification
   - Data cabling is secure and no loose data cables are observed
   - Redundant communication lines like ISDN are provided
   - Connectivity is automatically switched over to ISDN in case of leased line failure

FIRE PROTECTION
   - Fire extinguishers are fitted at strategic points viz. server room and UPS room
   - Refilling of fire extinguishers is done before the expiry date
   - Branch personnel are aware of the fire extinguisher usage procedures
   - Smoke detectors are installed in the business hall and server room
   - Smoke detectors are tested for their satisfactory working

2 IT OPERATIONS RISK

A SYSTEMS SECURITY
   - The stock of hardware has been reconciled
   - Hardware noted in Asset Register
   - All hardware is covered under Warranty/ Annual Maintenance Contract
   - Floppy drive is disabled in server
   - USB drive/s disabled in server and nodes
   - Devices such as printer, modem, scanner etc. are not connected to the server
   - Server/ nodes in CBS LAN are not connected to external networks / other networks
   - Boot sequence is changed to hard disk only in server and nodes
   - No unnecessary shared drives/ folders are present in the server
   - No unnecessary users/ groups are present in the server and nodes
   - Guest and ILS_ANONYMOUS_USER users are disabled in server and nodes
   - Screen saver is set with password option in server and nodes
   - Screen savers provided by Microsoft/DIT only are used
   - All operating system software patches are applied in server, nodes and stand alone PCs
   - Sufficient free space is available in all disk partitions in the server and other PCs
   - IP Messaging, Dbase, MS Office, other applications relating to clearing, Ret2ABCD etc. do not exist in server
   - Developer 2000 and SQL Navigator are not installed in server and nodes
   - Remote desktop sharing is disabled in server and nodes
   - Usage of Net Meeting is recorded with particulars like purpose, duration, to whom given etc.
   - Branch Manager's authorisation is obtained before the usage of Net Meeting
   - Network components like switch/router etc. are kept securely
   - Dial up modems are not connected in the network
   - IP addresses used are in the range specified by DIT
   - Only one node in a branch is entitled to route the IP messages to Data Center/ Help Desk/DIT/ other branches
   - Quarterly back up of IP message log of the node used for routing messages is taken

ANTI VIRUS
   - Anti-virus solution is implemented in CBS server, nodes and stand alone PCs
   - Antivirus solution is updated in CBS server, nodes and stand alone PCs
   - Automatic full scanning for virus is scheduled in CBS server, nodes and stand alone PCs

BACKUP/ DISASTER RECOVERY PROCEDURES

INTERNAL AUDIT POLICY

Chapter | Details
1 Preamble
2 Risk Based Supervision
3 Risk Based Internal Audit (RBIA)
4 Offsite Monitoring Cell/ Similar Structure at Bank
5 Risk Based Internal Audit Policy
   5.1 Functional Independence
   5.2 Objectives of risk based internal audit
   5.3 Organisation Structure of inspection system
   5.4 Roles & Responsibilities
   5.5 Types of Internal Audit
   5.6 Coverage & Areas of Audit
   5.7 Objectivity
   5.8 Staffing
   5.9 Selection of staff for audit system
6 Risk Based Internal Audit Strategy
   6.1 Pre Audit requisite for auditor
   6.2 Indexing of Products and Processes
   6.3 Identification of Risk
   6.4 Indication of Risk Level
   6.5 Implementation of the Audit Plan based on Risk levels
7 Using the RBIA Methodology
   7.1 At the annual audit planning stage
   7.2 At the start of individual audits
   7.3 At the end of the audit
8 The mechanics of Risk Assessment Module (RAM)
   8.1 Guiding factors and information for development of a RAM
   8.2 Developing the Risk Assessment Module (RAM)
   8.3 Developing a scoring model based on the RAM
   8.4 Distribution of total points
   8.5 Weightages assigned to risk grading
   8.6 Maximum achievable Risk scores
9 Rating under Risk Based Internal Audit
   9.8 Branch Audit Rating under the RBIA Strategy
   9.9 Mapping of branch audit rating to risk level (control risk)
10 Identification of branch business risk
11 Audit Risk Matrix (ARM)
12 Audit Periodicity
13 Measures for Improvement
14 Corrective Action Plan CAP (indicative steps)
15 Scope and Extent of Checking
16 Audit reporting and follow up
   16.3 Reporting Pattern
   16.4 Structure of the Internal Audit Report
   16.5 Grading
   16.6 Spot Rectification
   16.7 Follow up and compliance
17 Performance Evaluation
18 Resources strategy
19 Standards for Internal Auditors
20 Outsourcing of Audit assignments under RBIA
Appendices
   Appendix-A: Guidance on Risk definitions

RISK BASED INTERNAL AUDIT POLICY 1. Preamble Deregulation and globalization of financial services, together with the growing sophistication of financial technology, are making the activities of the bank and thus their risk profiles i.e the level of risk across the firms activities / risk categories more complex. Developing banking practices suggest that there can be substantial risks the banks have to address other than credit risk, interest rate risk and market risks. However, efficiency of every bank depends on how effectively it is managing the risks. For this, it is essential to have in place effective risk management and internal control systems, which are crucial to the conduct of banking business not only to lead the bank more profitably but also in compliance of prudential guidelines, for which a professional approach in risk management is a prerequisite. Some of the growing risks faced by the banks would be like technology risks, risks associated with mergers and acquisitions, legal risk, outsourcing risk, etc. These diverse risks can be grouped under the heading of operational risk. The Basel Committee has defined the operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The Committee recognizes that the exact approach for operational risk management chosen by an individual bank will depend upon a range of factors including its size and sophistication and nature of complexity of its activities. Clear strategies and oversight by the Board of Directors and Senior Management, a strong operational risk culture and internal control culture are all crucial elements of effective operational risk management. The Basel Committee (1988) while setting out comprehensive core principles for effective banking supervision spelt out the need for effective internal controls and internal audit. 
Thus the purpose of the internal controls is to ensure that the business of a bank is conducted in a prudent manner in accordance with the policies and strategies established by the Banks Board of Directors and the management is able to identify, assess, manage and control the risks associated with the business. 3

These controls must be supplemented by an effective audit function that independently evaluates the adequacy, completeness, operational effectiveness and efficiency of the control systems within the organization. Consequently the internal auditor must have the appropriate status within the organization and adequate reporting lines designed to safeguard his / her independence. The external audit can provide a cross-check on the effectiveness of this process. Banking supervisors must be satisfied that effective policies and practices are in place and that the management takes appropriate corrective action in response to the internal control weaknesses identified by internal / external auditors. The Basel Committee, in its Framework for the Evaluation of Internal Control Systems, described the essential elements of a sound internal control system.

There is a need to reorient transaction-based internal audit to risk-focused internal audit, which should conduct risk assessment of every activity and location of the Bank, including the risk management function, which has assumed greater importance. This is in keeping with the importance of risk management and the role internal auditors have to play in ensuring proper risk management, so as to safeguard the interest of the organization and ensure better corporate governance. Under risk-based internal audit, the focus will shift from the system of full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment. Banks will, therefore, need to develop a well-defined policy, duly approved by the Board, for undertaking risk-based internal audit. The policy should include the risk assessment methodology for identifying the risk areas, based on which the audit plan would be formulated. The risk-based policy is to focus on frequency, prioritizing, extent of checking, risk assessment / profiling of activities / functions / products and their updating, broadening the risk classifications, etc. during the audit process.

[Figure: Internal auditing - overview]

[Figure: Summary of the audit process]

2. Risk Based Supervision

Reserve Bank of India, in its Monetary and Credit Policy for 2000-01, stated that it would be developing an overall plan for moving towards Risk-based Supervision (RBS). Subsequently, in August 2001, RBI came out with a discussion paper on moving towards RBS, in which it spelt out the line of action contemplated in this regard (Circular No. DBS./RBS/58/36.01.002/2001-02 dated 13th August 2001). RBS essentially entails allocating supervisory resources and paying supervisory attention in line with the risk profile of the bank. The frequency of supervisory inspection would depend upon the risk profile of the bank. As one component of this approach, RBI suggested the adoption of risk-focused internal audit by banks. Under the proposed RBS approach, the supervisory process would seek to leverage the work done by the internal auditors of banks.

3. Risk Based Internal Audit (RBIA)

RBI, vide its circular no. DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002, provided a guidance note on Risk Based Internal Audit. RBI advised the banks to initiate necessary steps to review their current internal audit systems and prepare for transition to a risk-based internal audit system in a phased manner, keeping in view their risk management practices, business requirements, manpower availability, etc. In the eyes of RBI, a sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. The audit function should provide high quality counsel to management on the effectiveness of risk management and internal controls, including regulatory compliance by the bank.

Historically, the internal audit system in banks has concentrated on transaction testing, testing of the accuracy and reliability of accounting records and financial reports, the integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements. However, in the changing scenario, such testing by itself would not be sufficient. There is a need for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in the banks. To achieve these objectives, RBI advised the Banks to gradually move towards risk-based internal audit, which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank's operations.

The implementation of risk-based internal audit would mean that greater emphasis is placed on the internal auditor's role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, the risk-based internal audit would not only offer suggestions for mitigating current risks but also anticipate areas of potential risk and play an important role in protecting the bank from various risks. The risk-based internal audit undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan, keeping in view the inherent business risks of an activity / location and the effectiveness of the control systems for monitoring the inherent risks of the business activity. It needs to be emphasized that, while formulating the audit plan, every activity / location of the bank, including the risk management function, should be subjected to risk assessment by the risk-based internal audit. Banks were, therefore, advised to develop a well-defined policy, duly approved, for undertaking risk-based internal audit. The policy should include the risk assessment methodology for identifying the risk areas, based on which the audit plan would be formulated. The policy should also lay down the maximum time period beyond which even the low risk business activities / locations should not remain unaudited.

Certain benefits are expected to accrue to the organization from the risk-based audit approach, due to the shift in the approach to audit. The changes generally expected compared to the traditional approach are tabulated in 4.1 below, to add clarity in understanding the RBIA approach recommended by regulators all over.

4. Off Site Monitoring Cell / Similar Structure at Bank

Banks should set up a proper off-site monitoring cell in the Audit Department or a similar structure. The cell / structure should review the structured MIS on critical items and sensitise the Controlling Offices and Branches / Departments for corrective action on a daily basis. The cell should also sensitise Top Management on serious irregularities, if any, on the spot. To make optimum use of technology, the Bank should consider various system-generated reports for monitoring / controlling the operations of the branches.

Frequency of these reports may be looked into on a daily, weekly, monthly or quarterly basis.

4.1 Variance between the traditional method of audit and risk based internal audit:

Audit Area: Audit Sphere
- Traditional method: Primarily areas involving financial and compliance with laws and regulations, and also operations, but not necessarily on risk.
- Risk based audit: All activities of the business.

Audit Area: Audit objective
- Traditional method: Confirm internal controls are operating. Improve efficiency.
- Risk based audit: Provide assurance on risk management and that risks are being mitigated to acceptable levels through internal controls that are adequate and that work.

Audit Area: Annual plan
- Traditional method: Cyclical plan of audits, not dependent on risk levels.
- Risk based audit: Audits prioritized on risk ranking.

Audit Area: Involvement of the rest of the organisation
- Traditional method: Minimal. May approve the audit plan and be involved at the end of an audit to agree the points found.
- Risk based audit: Involved at all stages of planning and the audit, since they own the risks and must provide assurance to the stakeholders.

Audit Area: Staff plan
- Traditional method: One audit allocated to one or more staff.
- Risk based audit: More risk focused.

Audit Area: Time budgets
- Traditional method: Easy to set since the audit has usually been done before.
- Risk based audit: Difficult to set. May be a first-time audit, or one where systems have changed.

Audit Area: Fieldwork and testing programme
- Traditional method: Based on a set work programme; there may be no clear objective set, just tests to carry out.
- Risk based audit: Ensures the organisation has identified all its risks and is controlling them.

Audit Area: Report
- Traditional method: Confirms and reports where internal controls are operating.
- Risk based audit: A kind of assurance to management that its risks are being kept within the accepted levels or mitigated to acceptable levels, and reports if they are not.

Audit Area: Annual Audit Committee report
- Traditional method: Confirms that the audit plan has been completed, and highlights controls not operating. Cannot give any indication as to the proportion of risks covered.
- Risk based audit: Provides assurance to the Board / Audit Committee that the significant risks across the organisation are being mitigated to acceptable levels, and reports where they are not. Can give an indication as to the proportion of risks covered.

Audit Area: Staffing
- Traditional method: Usually by experienced professional auditors.
- Risk based audit: Risk appreciation skills a must. Should be able to identify the weak links, evaluate the controls in place and anticipate the likelihood of occurrence. Self-motivated, senior staff having field knowledge and significant experience, used to working with management. May be specialists who are not accountants, and may be seconded.

Audit Area: Direction indicators
- Traditional method: Generally each audit assignment is considered on an isolated basis, except for listing out the persisting deficiencies from past reports.
- Risk based audit: Since risk based audit is a continuous process, the direction of risk is always one of the evaluating criteria. Gives significant importance to the direction of risk, which is a pointer towards the effectiveness of the risk management put in place.

5. Risk based internal audit policy

The Bank has been following the risk-oriented approach for internal audit purposes. The observations are classified under low, medium and high risk, and the ratings are based on these risk levels. The risk-based policy will focus on frequency, prioritizing, extent of checking, risk assessment / profiling of activities / functions / products and their updating, broadening the risk classifications, etc. during the audit process. The basic rationale behind the policy guidelines enshrined hereunder is to ensure that high-risk areas are looked into more frequently and with wider examination than low-risk areas. It is akin to the ABC analysis approach in inventory control.

5.1 Functional Independence

5.1.1 As envisaged in the guidelines issued by Reserve Bank of India, the Internal Audit Department should be independent from the internal control process in order to avoid any conflict of interest, and should be given the appropriate standing within the bank to carry out its assignments. Such independence would also be maintained by the department while carrying out audits under the Risk Based approach.

5.2 Objectives of Risk Based Internal Audit:

5.2.1 To contribute to the Bank's responsibilities in preparing itself for the move towards Risk Based Supervision (RBS), in so far as the adoption of Risk-focused Internal Audit is concerned.

5.2.2 Putting in place a risk assessment methodology which, amongst other things, would enable the development of independent risk assessments, capture the application and effectiveness of risk management procedures, and assist critical evaluation of internal control systems for the formulation of a risk-based audit plan, ensuring deployment of audit resources according to the risk profiles of the auditee units.

5.2.3 Provide a basis for risk audit scoring of the auditee units based on evaluation of their risk profiles, risk management and control procedures, and the results of any substantive audit tests / procedures performed by the auditor.

5.2.4 To enable the internal audit to serve as an independent, objective assurance and consulting activity.

5.2.5 To define and design a suitable risk-based internal audit strategy commensurate with the underlying risks, organizational structure and needs for implementation. The scope of internal audit shall encompass the examination and evaluation of the adequacy and effectiveness of the Bank's system of internal control and the quality of performance in carrying out assigned responsibilities.

5.3 Organization Structure of Inspection System:

5.3.1 Internal audit shall be independent of the activities it audits. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. This independence shall be achieved through organizational status and objectivity.

5.3.2 The organizational status of the internal audit department shall be sufficient to permit the accomplishment of its audit responsibilities.

5.3.3 The ideal organization structure for the inspection system comprises the Audit Committee of the Board (ACB), the Audit Committee of Executives (ACE) and the Inspection / Audit Department (IAD).

5.4 Roles and Responsibilities:

a) Audit Committee of Board: It oversees the overall Internal Audit function of the bank. The committee will guide in developing effective internal audit, concurrent audit, IS audit and all other inspection and audit functions for protecting the assets of the bank. The committee will monitor the functioning of the Audit Committee of Executives and the inspection / audit department in the bank.

b) Audit Committee of the Executives (ACE) / Zonal Audit Committee of the Executives (ZACE)

i. The Committee suggests that all the PSBs should form an Audit Committee of Executives (ACE) headed by the Head of Audit (IA&A), with the General Manager (Risk) and two other General Managers as Members. Large banks with many branches can have a Zonal Audit Committee of Executives (ZACE) with similar composition at a lower level, the composition of which would be approved by the CMD. If so required, officers of the auditee verticals / departments and other officers in IAD shall attend the ACE meetings for selected agenda items.

ii. ACE / ZACE should meet a minimum of six times in a year, at least once in a quarter, with a minimum quorum of four members. The ACE and ZACE will work under the guidance of the ACB, and all the minutes of the ACE and ZACE should be put up to the ACB.

iii. The ACE is authorized and empowered to approve / ratify changes / amendments in the scoring pattern, rating parameters and reporting formats.

iv. The Critical Findings of all Very High Risk Audit Reports (below 40% marks) should be put up to the ACB. Banks may also consider putting up to the ACB the reports of High Risk branches (at least the critical findings in reports of High Risk Branches). Other reports should be put up to the ACE and ZACE. However, closure of such reports can be done by the CGM, Inspection / Audit Department.

The responsibilities of the ACE shall include:
- Reviewing the scope and nature of the work of the IAD, and reviewing internal audit reports and compliance thereof;
- Review of the significant findings arising from all internal audit reports, including concurrent and Information System (IS) audit reports;
- Review and recommend the Annual Risk based Audit Plan of the Bank to the ACB for consideration and approval;
- Review the progress of audits vis-a-vis scheduled audits as per the approved Annual Audit Plan;
- Review and revision of existing Risk Assessment Models (RAM), and adoption of new RAM for different verticals;
- Review coverage / areas of various types of audit;
- Review of audit reports / checklists;
- Review of various audit policies;
- To report the significant findings of audit reports, and also other matters as required, for consideration of the ACB.

c) Inspection / Audit Department (IAD)

i. Policy formulation in respect of the inspection function, keeping in view:
- Reserve Bank of India / Government of India guidelines;
- Observations made by the RBI Inspectors during their inspection of the Bank.

ii. Placing notes before the Top Management and the Audit Committee of the Board on a periodic basis.

iii. Drawing up the Annual Action Plan for inspection of branches and functional departments and placing the same for approval before the ACE and ACB.

iv. Regular monitoring of the Annual Action Plan, and ensuring that the audits are conducted as per the periodicity specified in the audit policy.

v. Ensuring that the requisite number of internal staff for carrying out / fulfilling the Annual Action Plan of audit, the required infrastructure and the necessary arrangements are made available.

vi. Selection of internal staff for Audit / inspection, appointment of concurrent auditors and review of their performance.

vii. Evaluating the internal audit system / Concurrent Audit system.

viii. Monitoring the inspections conducted at various branches / offices by the RBI u/s 35 of the Banking Regulation Act and under FEMA.

ix. Review of audit reports and initiating necessary action.

x. Monitoring of pending inspection / audit reports and ensuring timely closure.

xi. Undertaking investigations covering staff accountability in the case of complicated fraud cases, credit irregularities, transgression of powers, etc., and appraising the Competent Authority of the findings.

xii. Providing necessary guidelines for conducting inspection of various offices / locations of the Bank and ensuring proper implementation of these guidelines.

xiii. Updating of structured formats for inspection / audit.

xiv. Updating the Inspection Manual / Kit for use of the Inspecting officials.

xv. Issuing guidelines / instructions from time to time on preventive aspects of irregularities and risk mitigation measures.

xvi. Arranging for the internal and institutional training needs of the personnel.

xvii. Maintaining data on Branch risk ratings, carrying out rating migration analysis and initiating necessary action.

xviii. Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify and report such information. To this end internal auditors shall examine information systems and ascertain whether: (a) Financial and operating records and reports contain accurate, reliable, timely, complete and useful information; (b) Controls over record keeping and reporting are adequate and effective.

5.4.1 Internal auditors shall also be responsible for:

(i) Assisting in the deterrence of fraud by examining and evaluating the adequacy and effectiveness of controls, commensurate with the extent of the potential exposure / risk in the various segments of the Bank's operations. In carrying out this responsibility internal auditors shall determine whether: (a) the organizational environment fosters control consciousness; (b) appropriate authorization policies for transactions are established and maintained; (d) communication channels provide management with adequate and reliable information; (e) recommendations need to be made for the establishment of cost-effective controls to help deter fraud.

(ii) Reviewing operations or programmes to ascertain whether results are consistent with established objectives and goals and whether the operations or programmes are being carried out as planned.

(iii) Identifying all risk areas within the Bank and determining whether effective and adequate control systems exist in these areas.

(iv) Planning and conducting the audit assignments, subject to supervisory review and approval.

5.4.2 Supervision by Head-Audit

The Head-Audit shall be responsible for providing appropriate audit supervision. Supervision shall be a continuing process, beginning with planning and ending with the conclusion of the audit assignment. Supervision shall include:

(i) providing suitable instructions to subordinates at the outset of the audit;
(ii) ensuring that the approved audit program is carried out unless deviations are justified and authorized;
(iii) determining that audit working papers adequately support the audit findings, conclusions and reports;
(iv) ensuring that the audit reports are accurate, objective, clear, concise, constructive and timely; and
(v) determining that audit objectives are being met.

5.6.3 All internal auditing assignments, whether performed by or for the internal auditing department, shall remain the responsibility of the Head-Audit.

5.4.3 General guidelines

The Board of Directors (BOD) / Management of the Bank shall have the general responsibility for taking such steps as are reasonably available to them to safeguard the assets of the Bank and to prevent irregularities and fraud. The BOD / Management shall maintain effective systems of control, including an internal audit function. The internal audit function shall be carried out by the Internal Audit Department of the Bank and will function under those policies which have been established by the management and approved by the ACB / Board. It shall be an independent appraisal function established to examine and evaluate the Bank's activities.

5.5 Types of Internal Audit

The Internal Audit Department shall undertake audits as per the Risk Based Internal Audit Plan approved by the Audit Committee of the Board on an annual basis. The Audit Plan shall comprise mainly Internal Audit, Information System Audit, Concurrent Audit, Credit Audit and Snap Audit. IAD shall develop a suitable Audit Manual for such audits. The IS Audit Policy and Concurrent Audit Policy shall form part of this policy and be taken to the ACB for review and approval on an annual basis. Snap audit of newly opened branches shall generally be undertaken within six months of their opening. However, under certain circumstances like staff shortage, excess work pressure on available manpower, etc., Head-Audit could consider granting an extension of 3 months in such cases. Significant findings are to be reported to ACE / ACB on a quarterly basis.


5.6 Coverage / areas of audit

5.6.1 To have effective audit, there is a need to clearly define the scope of audit, depth of verification, etc. for branches covered under concurrent audit.

5.6.2 Concurrent audit is conducted at selected branches on an ongoing basis, i.e. monthly, whereas internal audit is to be conducted periodically depending on the risk / business involved.

- In view of moving to Risk Based Concurrent Audit, the committee has devised a single check list and separate report formats for concurrent audit and internal audit. However, the committee suggests bifurcating audit areas as high risk, medium risk and low risk; accordingly, individual banks, based on their risk profile, may classify the areas, and coverage can be fixed under both internal and concurrent audit. However, all areas forming part of the check list are to be verified under Internal Audit by inspectors.
- For defining the quantum of verification, the business of the branches and the risk involved in internal control of the branches / risk profile of the branches are to be considered. Observations made under the Loan Review Mechanism (LRM) may also be considered by the inspector while undertaking Internal Audit.
- The depth of verification is to be specified for various areas, e.g. 100% verification, sample size and selection of sample, etc. Banks should also consider the coverage of other audits while fixing the depth / quantum of verification, to avoid duplication of audit work.
- Wherever verification is less than 100%, the auditor can use the technique of sample selection. It is expected that, on each aspect, the auditor should select a sample that would be representative enough to sufficiently bring out the criticality involved. The sample should be selected in such a way that it constitutes a fairly representative picture of the portfolio. The sample size would depend on the size of the branch and the importance of the business function in the overall portfolio of the branch operations. While reporting a deficiency, the size of the sample and the proportion of the sample in which the deficiency was observed should be indicated.

5.7 Objectivity

Objectivity is an independent mental attitude. Internal auditors shall not be involved in performing functions like drafting procedures for systems, or designing, installing and operating systems, as these activities would impair their objectivity.

5.7.1 The internal auditors shall be objective in the performance of their duties.

5.7.2 Internal auditors shall audit in such a manner that they can have an honest belief in their work product and that no significant quality compromises are made. They shall not be placed in situations in which they feel unable to make objective professional judgments.

5.7.3 Internal auditors' assignments shall be made in such a way that potential and actual conflicts of interest and bias are avoided. The Head-Audit shall periodically obtain from the staff information concerning potential conflicts of interest and bias.

5.7.4 Internal auditors shall report to the Head-Audit any situation in which a conflict of interest or bias is present or may reasonably be inferred. The Head-Audit shall then reassign such auditors to other assignments.

5.7.5 Internal auditors shall not be permitted to work in a particular department over long periods of time. Assignments of internal auditors shall be rotated periodically whenever it is practicable to do so.

5.7.6 Internal auditors shall not assume operating responsibilities. However, if on occasion management directs internal auditors to assume operating responsibilities, it shall be understood that they are not functioning as internal auditors.

5.7.7 Internal auditors shall not audit any activity for which they have authority or responsibility.

5.7.8 Persons transferred to or temporarily engaged by the Internal Audit Department shall not be assigned those activities they previously performed until a period of at least six months has elapsed.

5.8 Staffing

5.8.1 The Head-Audit shall be supported by the requisite number of Deputy General Managers (DGMs), Assistant General Managers (AGMs) and other officers in different grades. He shall establish suitable criteria of education and experience for filling vacancies in the internal audit department, giving due consideration to the scope of work and level of responsibility.

5.8.2 Internal auditors, whenever necessary, shall be drawn from within the Bank from other line and staff functions.

5.9 Selection of staff for audit system

The Bank shall clearly define the guidelines for selecting internal staff for Inspection / Audit work. The guidelines may include the following:
- Minimum experience in the bank
- Minimum exposure to various functions of the bank
- Educational qualification
- Minimum tenor in the department
- The auditor should not have worked as a reporting junior to the auditee branch head

6. Risk Based Internal Audit Strategy

Risk Based Internal Audit has the following dimensions: (i) Pre-audit requisites for the auditor; (ii) Indexing of products, services and processes; (iii) Identification of risks; (iv) Indication of level of risk; (v) Implementation of the Audit Plan based on risk level. For the sake of convenience, a suggestive list of different types of risks is given at Appendix-A to this policy document.

6.1 Pre-audit requisites for the auditor

To carry out an effective audit and accomplish the audit objectives, the auditor needs to plan his audit assignment. However, a meaningful plan can be drawn up only after understanding the major issues and the areas to be focused on rigorously. This understanding will come only if the auditor has enough background about the overall risk profile of the branch. There is therefore a need to provide relevant information to the auditor before commencement of the audit. The controlling office should have a system of maintaining and updating a branch profile, which includes ongoing issues at the branch and system-generated reports. This information is to be made available to the auditor well in advance, as a pre-audit requisite, to plan and undertake the audit assignment.

6.2 Indexing of products and processes

(i) This primarily means compiling the Audit Universe, so that the risk-focused audit is a comprehensive exercise covering all the activities within the bank;
(ii) This should cover all products, services and processes;
(iii) The Audit Universe must be reviewed periodically for addition, substitution or modification;
(iv) Head-Audit is responsible for ensuring the comprehensiveness of the Audit Universe. To achieve this objective, Heads of line functions / products should keep Internal Audit informed of all changes in products, designs, controls, processes and the product / process manuals / programs, for evaluating risk and designing the necessary changes in audit programs;
(v) The review needs to be completed latest by April every year.

6.3 Identification of risk

The objective of this process is to identify the risks to which the organization is exposed, and to develop a logical, well-defined methodology to assess, quantify and classify risks. This enables Internal Audit to effectively determine resource requirements and decide upon their appropriate allocation. The goal is to provide an evaluation of the risks associated with the auditable entities from a business perspective, and to develop a basis for preparing the annual audit plan.

(i) Risk evaluation is to be done for both inherent business risk and control risk.
(ii) The evaluation process is captured in the Risk Assessment Module (RAM).
(iii) When new products and processes are introduced, the RAM exercise would be undertaken for their risk evaluation.
(iv) The RAM will be revisited for changes in processes, products and services.
(v) Head-Audit is overall responsible for the process of identification of risks, either through group processes or delegation of assignments within the department or within the bank, and in case of need can solicit / avail of the assistance of specialists wherever considered necessary and expedient.
(vi) The review needs to be completed latest by April every year.

6.4 Indication of Risk Level

(i) This is an important step in the risk-based internal audit, as it takes the inputs of risks from the identification process and leads to the implementation process.
(ii) The audit team would indicate the level of risk at branches or at functional units based on their findings and judgment about the risk grade (e.g. High, Medium, Low).
(iii) The risk indication process involves auditing and the resultant grading of risk. This grading will be an assessment of control risks. While carrying out the risk indication, auditors need to take into account the status of the laid-down control mechanisms and also the compensatory controls that units might be putting in place in lieu of, or in addition to, the prescribed internal controls, to serve the objectivity of the exercise.
(iv) Grading would indicate the chance or probability of a risk envisaged in the identification process crystallizing into an actual threat.
(v) It is a pointer towards the vulnerability of the branch / unit to potential loss. Hence, it needs to be assessed as precisely as possible.
(vi) The Corrective Action Plan (CAP) of the controller would depend upon the audit rating based on control risk.
(vii) The direction of the risk (increasing, stable or decreasing) should also be identified.

6.5 Implementation of the Audit Plan based on Risk Levels:

(i) Head-Audit is responsible for smooth implementation of the audit plan. Based on the risks assessed and the status of the internal controls, he has to draw up and design the Risk based internal audit plan and submit it to the Audit Committee for approval.
(ii) Audit planning should encompass scheduling, prioritizing, and determination of the scope and extent of checking.
(iii) Audit planning should essentially consider the vulnerability and volume of business.

(iv) For scheduling, the Audit Risk Matrix (ARM) be prepared, in which inherent Business risk and control risks are mapped. The risk assessments (inherent and control risks) would be based on a threepoint risk grading namely high, medium and low. The substantive audit tests / procedures would be carried out by auditor(s), based on the assessed Control risk. The Audit Risk Matrix (ARM) arrived at after consideration of the inherent and control risks, would be based on a fivepoint risk grading namely Extremely High, Very High, High, Medium and Low. (v) As bank has adopted functional approach as organizational structure/philosophy viz; Corporate (ICG, LCG, MCG), Retail (Personal Banking, SME, Agri), Operations, Transaction Banking, the branches would be put in respective risk buckets for each functional area. This needs to be periodically reviewed keeping in view the changes in reporting lines, organization structure etc. (vi) Business Risk may primarily indicate / rest on the volume of business, Business mix, growth rate and/or profits/ losses either in isolation or in relative terms to the total volume of banks business would be considered for deciding the inherent business risks. (vii) In the initial phase, the volume of business would be taken as core criteria of business at risk. Going forward, the composition of various products and their inherent risks in the business mix would be considered by assigning suitable scores for each product for arriving at weighted business at risk. 7. Using the RBIA methodology The methodology is to be used on a number of occasions during the audit cycle: 7.1 At the annual audit planning stage 7.1.1 Once an audit is completed a copy of the completed & updated risk assessment should be filed for access at the time of the annual audit plan. The risk assessment methodology should include, inter alia, the following parameters: (i) Pervious internal audit reports; 22

(ii) Proposed changes in business lines or change in focus;
(iii) Significant changes in management/key personnel;
(iv) Result of the latest regulatory examination reports;
(v) Reports of the external auditors;
(vi) Industry trends and other environmental factors;
(vii) Time lapsed since last audit;
(viii) Volume of business and complexity of activities;
(ix) Substantial performance variations from the budgets.
At this time, the risk assessment should also be updated to take into account the changes in business environment, activities and work processes etc.
7.1.2 The audit plan needs to be approved by the Audit Committee of the Board. It should include the schedule and the rationale for the audit work planned. It should also include all risk areas and their prioritization based on level and direction of risk.

7.2 At the start of the individual audits
7.2.1 At the planning stage for ongoing audits, the team leader / sole auditor will obtain the latest version of the relevant risk assessment and review the assessment in the current context. This will normally involve no more than internal discussion and meetings with management responsible for the area in question, unless the auditor is - or becomes - aware of major changes within the area. At this stage, the risk assessment will form the start of the detailed audit planning, during which inherent risks of the area will be reviewed in much greater detail; control objectives will be established and an audit programme (plan) will be established.
7.2.2 Documentation will show the trail for this process, and allow any subsequent review to see how the audit programme matches and covers the risks and control objectives of the area in question.

7.3 At the end of the audit
The methodology will also be reviewed at the end of the audit, and the area in question will be given a risk assessment again. This assessment is likely to be the most important (and accurate) in the audit cycle, coming at a time when internal audit has first-hand, up-to-date information on which to make the assessment.

8. The mechanics of Risk Assessment Module (RAM)
8.1 Guiding factors and information for development of a RAM
Important factors like process reengineering and certain controlled information must be considered appropriately for purposes of risk assessment and risk grading of the auditee entity. Such factors / controlled information would include, but not be limited to:
(i) Centralized functioning of activities / processes, viz. Central / Regional Processing units, Retail Assets operations etc.
(ii) Functioning of centralized controlling units within the organization, viz. Credit administration for corporate / retail assets, Corporate and Retail risk etc.
(iii) Functioning of concurrent audit at branches / Corporate office units
(iv) Availability of data from information systems that could be used for performance of effective off site procedures
(v) Automated processes, viz. interest application in accounts, cheque return charges etc.
(vi) Incidence Reporting system for Operations Risk, data from CORE and the discussion papers in the Operational Risk Committee, Zonal Operations (CMO) review reports and Branch head Compliance Certificates (BHCC), Reports of RBI under AFI or any other form of inspection by whatever name called etc.
(vii) Various MIS and regulatory returns submitted that might capture exceptions and major impact, e.g. fraud reports (FMRs) submitted to RBI etc.
The auditor would evaluate the quality of information available from these channels and place effective reliance on them for the purpose of risk assessments and subsequent substantive audit tests / procedures. Other sources of information on which reliance is proposed to be placed can be individually discussed and concurred upon with Head-Audit on a case-to-case basis.

8.2 Developing the Risk Assessment Module (RAM)
A RAM would be developed for each significant auditee unit, viz. business, division, product, support area or a branch location, and broken down into relevant parts (i.e. products, processes etc.) to address the auditee unit's activities and related risk profile comprehensively. Each of the parts would be divided into sub parts and further into detailed activities to ensure audit coverage of all important aspects within a particular part. Inherent risk would be identified and documented for each activity under the sub parts / parts of the RAM. The inherent risks would then be graded on a three-point scale of high, medium or low. Against each identified inherent risk, existing control procedures (risk mitigants) that provide a higher level of assurance to the auditor would be noted. Implementation of the RAM and its continuous assessment for any refinements would be a primary responsibility of the concerned product / process owners within the Internal Audit department.

8.3 Developing a scoring model based on the RAM
Each RAM would have an accompanying scoring model. The scoring model would have a Total Score (TS). These TS points would be distributed amongst various parts, and further allocated internally to sub parts and finally to various activities within each sub part. The Audit Committee of Executives (ACE) shall review all types of risk assessment models every year while considering the annual audit plan and may amend the model keeping in view the changes in organizational products/processes etc.

8.4 Distribution of total points:
8.4.1 Each part (i.e. the product or process) should be assigned a percentage weight depending on the significance of the part to the auditee unit(s)' total activities. For example, in respect of a Retail branch location, there could be three parts, viz. i) Retail Products (Assets and Liabilities), ii) Retail services (Remittances, Cheque collections, Cash Management Services, Depository services and Third Party Distribution) and iii) Branch operations. The TS thus gets allocated to each of the parts based on the percentage weight allocated.
8.4.2 Each sub part within a part would be assigned parameter weights such that the sum of parameter weights of all the sub parts totals the assigned score for the applicable part. The parameter weights should be assigned depending on the significance of the sub part within the applicable part.
8.4.3 Each activity within a sub part would be assigned a rating score (depending upon the significance / controls designed) such that the sum of rating scores of all the activities put together totals the assigned parameter weight of the applicable sub part. The rating scores should be assigned to each activity depending on its inherent risk grading and other factors, including but not limited to the past history of the inherent risk crystallizing into a loss or a liability for the organization.

8.5 Weightages assigned to risk grading
Weights would be assigned to the respective risk gradings, viz. Very Low, Low, Medium, High, Very High, as may be decided by Head-Audit. Very Low indicates the lowest probability or unlikelihood of the risk occurrence while Very High indicates the highest probability or certainty of risk crystallization. The present weightages would be 100%, 80%, 50%, 20%, 0% or in decimal terms 1, 0.8, 0.5, 0.2, 0.

8.6 Maximum achievable Risk scores
8.6.1 For each activity, there would be a maximum achievable score based on the product of i) the weight assigned to the highest Risk grading and ii) the rating score. The sum of the maximum scores for all the activities under a sub part would provide the maximum achievable Risk score for that sub part, and the sum of maximum scores for all sub parts taken together would provide the maximum achievable Risk score for the applicable part. The sum of maximum achievable Risk scores for all parts put together would provide the maximum achievable Risk score for the auditee unit(s).
8.6.2 In case any part or sub part of the risk assessment module is not applicable for any particular unit, the same would be excluded while arriving at the risk profile of the unit. Hence the total points would stand calibrated based on the applicable scores and the scores obtained. This is to ensure that the unit is neither penalized nor given undue credit for the activities not carried out by it.

9. Rating under Risk Based Internal Audit
9.1 All the branches and audit units would be awarded an Audit Rating based on the risk based internal audit carried out during the year. The rating would primarily focus on the controls and compliance level at the branch assessed for each risk parameter predetermined as stated above.
9.2 Approval of the ACE would be obtained whenever the rating model needs a change, and it would be reviewed on a yearly basis to avoid measuring branch performances on two different platforms, which would make them not comparable.
9.3 The bank may develop any rating mechanism, either on a grading basis or on attributes, for any other units or activity of the bank. Wherever no comparable units exist, the bank would not award ratings, e.g. different products, only one centralised unit, activities carried out are not similar, Head Office (HO) departments, Management audits etc.
9.4 Head-Audit (or any other senior officer designated by Head-Audit) would convey the rating awarded to the branches to them in writing. He may also choose to withhold the rating for any particular reason, if considered necessary, and keep Top Management informed of the same. He may also convey the areas where the branch has to focus attention in order to strengthen controls.
9.5 The rating awarded is normally for the period till the next audit is carried out. The rating awarded would not provide assurance or guarantee to the branch or to the controllers against any frauds committed / that may be committed and hence should not be construed as insurance against frauds. The rating in successive audits need not follow a step-by-step approach; depending upon the improvements/ deterioration, the rating may be accelerated.
9.6 Head-Audit to inform ACE/ACB of the migration of the ratings of branches on an annual basis.
9.7 Keeping in view the organizational structure, the rating would be awarded function-wise in case of major mixed branches where each activity is significantly visible.

9.8 Branch audit rating under Risk Based Internal Audit Strategy
Less than 40% (Poor): Controls are basically weak & highly vulnerable to risk.
41% to 50% (Moderate): Controls are not commensurate with the required level. Vulnerable to risk.
51% to 65% (Satisfactory): Basic controls in place but need strengthening. Else there are fair chances of risk crystallization.
66% to 79% (Good): Generally good controls with room for improvement & fine-tuning. Else the growth in volume may impact controls.
80%+ (Very Good): Sound & good control environment. Needs to be maintained with the growth in business.
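As an added illustration of the scoring model in sections 8.3 to 8.6 and the rating bands in 9.8, the following Python (example code written for this page, not the Bank's or RBI's own model) validates the point distribution of a constructed Retail branch RAM, computes the unit's calibrated score with a non-applicable sub part excluded, and maps the percentage to an audit rating. The three part names follow 8.4.1; all weights, rating scores and grades are assumptions, as is reading the "highest Risk grading" weight of 8.6.1 as 1.0.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section 8.5 weights for the five-point risk grading: Very Low risk earns the
# full rating score, Very High earns nothing.  The maximum achievable score of
# 8.6.1 is taken to use the highest weight, assumed here to be 1.0.
GRADE_WEIGHTS = {"Very Low": 1.0, "Low": 0.8, "Medium": 0.5, "High": 0.2, "Very High": 0.0}
HIGHEST_WEIGHT = max(GRADE_WEIGHTS.values())

@dataclass
class Activity:
    name: str
    rating_score: float          # 8.4.3: share of the sub part's parameter weight
    grade: Optional[str] = None  # auditor's grade; None = activity not carried out (8.6.2)

@dataclass
class SubPart:
    name: str
    parameter_weight: float      # 8.4.2: share of the part's score
    activities: List[Activity]

@dataclass
class Part:
    name: str
    percent_weight: float        # 8.4.1: percentage of the Total Score (TS)
    sub_parts: List[SubPart]

def validate_ram(parts: List[Part], total_score: float, tol: float = 1e-9) -> None:
    """Enforce the distribution rules of section 8.4; raise ValueError on a mismatch."""
    if abs(sum(p.percent_weight for p in parts) - 100.0) > tol:
        raise ValueError("part weights must total 100% of TS (8.4.1)")
    for part in parts:
        part_score = total_score * part.percent_weight / 100.0
        if abs(sum(s.parameter_weight for s in part.sub_parts) - part_score) > tol:
            raise ValueError(f"sub part weights of {part.name!r} must total {part_score} (8.4.2)")
        for sub in part.sub_parts:
            if abs(sum(a.rating_score for a in sub.activities) - sub.parameter_weight) > tol:
                raise ValueError(f"activity scores of {sub.name!r} must total {sub.parameter_weight} (8.4.3)")

def score_unit(parts: List[Part]) -> Tuple[float, float]:
    """Return (score obtained, maximum achievable score), skipping activities graded
    None so that the total is calibrated to applicable scores only (8.6.2)."""
    obtained = achievable = 0.0
    for part in parts:
        for sub in part.sub_parts:
            for act in sub.activities:
                if act.grade is None:
                    continue
                obtained += act.rating_score * GRADE_WEIGHTS[act.grade]
                achievable += act.rating_score * HIGHEST_WEIGHT
    return obtained, achievable

def audit_rating(obtained: float, achievable: float) -> Tuple[float, str]:
    """Map the calibrated percentage onto the 9.8 rating bands, using the table's
    lower bounds as band edges (so 40.5% is still Poor)."""
    pct = 100.0 * obtained / achievable
    for floor, band in ((80, "Very Good"), (66, "Good"), (51, "Satisfactory"), (41, "Moderate")):
        if pct >= floor:
            return pct, band
    return pct, "Poor"

def sample_retail_branch() -> List[Part]:
    """Constructed Retail branch RAM with the three parts named in 8.4.1; all
    weights, rating scores and grades are illustrative assumptions."""
    return [
        Part("Retail Products", 50.0, [
            SubPart("Assets", 30.0, [
                Activity("Credit appraisal", 12.0, "Low"),
                Activity("Disbursement documentation", 10.0, "Low"),
                Activity("Post-sanction monitoring", 8.0, "High"),
            ]),
            SubPart("Liabilities", 20.0, [
                Activity("Account opening KYC", 12.0, "Very Low"),
                Activity("Dormant account controls", 8.0, "Very High"),
            ]),
        ]),
        Part("Retail Services", 30.0, [
            SubPart("Remittances", 18.0, [
                Activity("Outward remittance authorisation", 10.0, "Low"),
                Activity("Inward remittance credit", 8.0, "Very Low"),
            ]),
            # No depository services at this branch: excluded from both sums (8.6.2).
            SubPart("Depository services", 12.0, [Activity("Demat account servicing", 12.0, None)]),
        ]),
        Part("Branch Operations", 20.0, [
            SubPart("Cash", 12.0, [Activity("Cash verification", 12.0, "Low")]),
            SubPart("Security", 8.0, [Activity("Key and strong room control", 8.0, "Low")]),
        ]),
    ]

if __name__ == "__main__":
    ram = sample_retail_branch()
    validate_ram(ram, total_score=100.0)
    got, top = score_unit(ram)
    pct, band = audit_rating(got, top)
    print(f"{got:.1f} of {top:.1f} achievable points = {pct:.1f}% -> {band}")
```

With the depository sub part excluded the sample branch scores 63.2 of 88 achievable points (71.8%, Good); against the uncalibrated 100 points the same 63.2 would have fallen into the Satisfactory band, which is the penalty 8.6.2 is designed to avoid.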

9.9 Mapping of branch audit rating to risk level, i.e. control risk (table: the audit ratings Poor, Moderate, Satisfactory, Good and Very Good mapped to the control risk levels HIGH, MEDIUM and LOW)


10. Identification of branch business risk
(Table: Business Level High / Medium / Low assessed against the criteria Deposits as a share of the total of the Bank, Advances as a share of the total of the Bank, Combined Business as a share of the total of the Bank, Profitability [post Transfer Pricing Mechanism (TPM)], Growth Rate (Aggregate business) and Other Features as decided by Head-Audit based on past experience, huge volume of transactions, time lapsed since last audit, change in management / other key personnel, regulatory / critical inputs & visible control failures, and latest investigations carried out. Thresholds are expressed as percentage shares of the Bank's totals, e.g. 4% & above, >1% & less than 4%, less than 1%.)


11. Audit Risk Matrix (ARM) - Mapping of Business risk Vs Control risk
Control risk High: Inherent Business risk High = Extremely High; Medium = Very High; Low = High
Control risk Medium: Inherent Business risk High = Very High; Medium = High; Low = Medium
Control risk Low: Inherent Business risk High = High; Medium = Medium; Low = Low

12. Audit Periodicity
12.1 The overall risk category referred to above in the audit risk matrix will determine the audit intervals.
Overall Risk Category A (Low): Audit interval 15-18 months; extension permissible by Head-Audit 3 months.
Overall Risk Category B (Medium): Audit interval 12-15 months; extension permissible by Head-Audit 2 months.
Overall Risk Category C (Extremely High / High): Audit interval 9-12 months; extension permissible by Head-Audit 1 month.

12.1.1 For any unavoidable circumstance or for reasons beyond the control of the Bank (e.g. riots, natural calamities etc.), the Executive Director should be approached for concurrence for extending for a further period.
12.1.2 In case of A & B categories, where the on-site visit audit interval is more than 12 months, an off-site review of important parameters may be carried out at the end of 9-12 months respectively.
12.1.3 In case of low risk activities/ locations other than the branch activity, the maximum time period beyond which such activity/ location should not remain unaudited would be 27 months (extendable by 3 months by Head-Audit in concurrence with the Executive Director).


13. Measures for Improvement
Corrective Action Required by branch category:
Poor: Level Immediate; By Top Level (ED / Group Head); Aim at Revamping for total improvement.
Moderate: Level Urgent; By Department Head (CGM/GM); Aim at Arrest deterioration and improve rating.
Satisfactory: Level Priority; By Regional Head; Aim at Strengthen and consolidate.
Good: Level Normal; By Regional Head; Aim at Fine-tune.
Very Good: Level Normal; By Branch Head; Aim at Sustain.

14. Corrective Action Plan - CAP (indicative steps)
14.1 Based on the findings during Risk Based Internal Audit of the branches / units, the Bank would take one or more of the following steps for corrective action:
(i) Change in the Branch / unit Management, Strengthening the team etc.;
(ii) Withholding the Delegated powers;
(iii) Step-up visits by the Controllers and submission of specific status reports;
(iv) Reporting the developments in the Poor Rated Branches to the Audit Committee;
(v) Calling for Special progress reports from the branches in addition to the normal Branch Head Monthly Compliance Certificate. For this purpose Controllers shall prepare a Monitorable Action Plan with recommendations and time frame for bringing desirable improvements;
(vi) Introduction of Concurrent Audit wherever necessary;
(vii) Restricting or Suspending the branch/ unit from dealing with certain products and services till the position improves or the requisite skills / expertise is achieved;
(viii) Building suitable additional parameters into the performance appraisal system;
(ix) Quick Audit of critical issues, if any, at branches to review the progress of rectification and strengthening of control processes; the branch will be re-rated based on on-site verification;
(x) Any other steps that may be deemed fit and considered necessary.
These are only suggestive and illustrative steps and hence the actual steps may vary from the above as well.

15. Scope and Extent of Checking
15.1.1 Transaction testing would continue to remain an essential aspect of risk-based internal audit. The extent of transaction testing will have to be determined based on the risk assessment. The precise scope of risk-based internal audit would be determined by Head-Audit for low, medium, high, very high and extremely high-risk areas. However, at the minimum, the following would be reviewed / reported on:
(i) Process by which risks are identified and managed in various areas;
(ii) The control environment in various areas;
(iii) Gaps, if any, in the control mechanism that might lead to frauds; identification of fraud prone areas;
(iv) Data integrity, reliability and integrity of MIS;
(v) Internal, regulatory and statutory compliance, esp. Know Your Customer (KYC), Anti Money Laundering (AML) etc.;
(vi) Budgetary control and performance reviews;
(vii) Transaction testing/verification of assets to the extent considered necessary;
(viii) Monitoring compliance with the previous risk-based internal audit report;
(ix) Variation, if any, in the assessment of risks under the audit plan vis-a-vis the risk-based internal audit.
15.1.2 A low Audit risk for a particular activity within a sub part or a part (i.e. a product or a process) would require a minimal level of substantive procedures to be performed, whereas an extensive checking of details might be warranted under situations where the control risk is graded to be high. Substantive procedures applicable to each business / division / product / support area / branch location would be decided by Head-Audit and the same need to be documented. The same would be subjected to an annual review (April or October as may be decided by Head-Audit). The extent of checking would be in line with RBI guidelines from time to time.

16. Audit reporting and follow up
16.1 For reporting purposes, existing Audit report formats may be revised suitably to bring them in line with the risk assessment modules, so as to assist the auditors to input the control risks into the scoring model to be used for completion of the risk profile and rating of the Auditee unit(s).
16.2 The audit reports would be marked to the concerned Controllers as done hitherto. Controllers, if needed, draw up a Monitorable Action Plan (MAP) to address the control weaknesses and irregularities reported under the audit and follow up with the units/ branches on compliance levels. Audit would follow up with the controllers on the steps taken on the report and consider closure of the reports within 4 months of the date of the report as done hitherto.

16.3 Reporting Pattern
16.3.1 Internal auditors shall report the results of their audit work to the Head-Audit through their respective supervisors. A written report shall be issued after the audit examination is completed.
16.3.2 Interim reports may be written or oral and may be communicated formally or informally. Interim reports may be used to communicate information which requires immediate attention, to communicate a change in audit scope for the activity under review, or to keep management informed of audit progress when audits extend over a long period. The use of interim reports shall not diminish or eliminate the need for a final report.
16.3.3 Summary reports highlighting audit results may be forwarded to the appropriate levels of management above the head of the audited unit. They may be issued separately from or in conjunction with the final report.
16.3.4 The internal auditor shall discuss conclusions and recommendations at appropriate levels of management before issuing the final written report. Discussions of conclusions and recommendations shall usually be done by auditors and/or Head-Audit (or any other officer as delegated by Head-Audit, viz. GM/DGM/AGM etc.) during the course of the audit and / or at post audit meetings. These discussions shall ensure that there have been no misunderstandings or misinterpretations of fact by providing the opportunity for the Auditee to clarify specific items and to express views on the findings, conclusions and recommendations.

16.4 Structure of the Internal Audit Report
16.4.1 The reports issued by the internal auditors shall have:
(i) a purpose statement which shall describe the audit objectives and shall explain the rationale for conducting the audit;
(ii) a scope statement identifying the audited activities, which shall include, where appropriate, supportive information. Related activities not audited shall be identified, if necessary, to delineate the boundaries of the audit. The nature and extent of audit work performed shall also be described;
(iii) findings and conclusions;
(iv) recommendations for potential improvements and acknowledgment of satisfactory performance and corrective actions;
(v) Auditee accomplishments, in terms of improvements since the last audit or the establishment of a well controlled operation. This information may be necessary to fairly represent the existing conditions and to provide a proper perspective and appropriately balance the audit report;
(vi) Auditee's views about audit findings, conclusions and recommendations.
16.4.2 The reports issued by the internal auditors shall:
(i) be objective, factual, unbiased and free from distortion. Findings, conclusions and recommendations shall be included without prejudice;
(ii) be easily understood and logical;
(iii) be free from unnecessary technical language and provide supportive information;
(iv) be to the point and avoid unnecessary detail;
(v) be constructive in their content and tone, thereby helping the Auditee and the organisation to make improvements where needed;
(vi) be issued without undue delay and enable prompt effective action;
(vii) present the purpose, scope and results of the audit and, where appropriate, contain an expression of the audit's opinion;
(viii) include background information and summaries. Background information shall identify the Bank's units and functions reviewed and provide relevant explanatory information. It shall also include the status of findings, conclusions and recommendations from prior reports. The report shall also indicate whether it covers a scheduled audit or the response to a request. Summaries, if included, shall be balanced representations of the audit report content.
16.4.3 Reports shall be approved and signed by the Head-Audit or by an Auditor designated by Head-Audit.
16.4.3 The Inspection/ Audit Department will be given authority to further fine tune and modify the audit report and scores of the branch if required. Care has to be taken by the bank where the report is modified by anyone other than the branch auditor.
16.4.4 The final audit report shall be distributed to the Head of the audited unit and their controllers and vertical heads. If the conditions being reported involve senior management, report distribution shall be restricted to the ACB / the Board.
16.4.5 If it is determined that a final report contains an error, Head-Audit shall consider the need to issue an amended report which identifies the information being corrected.

16.5 Grading
16.5.1 General
(i) The internal auditors shall assign a grade at the end of every audit

according to the audit findings and the existing internal controls of the department / operation audited.
(ii) Grading shall facilitate a common approach and appropriate management action with a view to improving the internal control systems of the Bank as a whole.
(iii) As a result, three grades have been designed to:
a. provide early warning signals to improve upon the weaknesses identified in the internal control systems of the Bank;
b. establish clear cut accountability.
16.5.2 High Risk
(i) The audit report shall be graded as high risk where the audit findings highlight significant matters requiring urgent management action.
(ii) Audit findings of the following nature shall result in the internal auditors grading a particular department / operation as high risk:
(a) A weakness in the internal control system which presents a significant risk of error that may have a material impact on the financial statements of the Bank;
(b) A weakness where the risk of error, though less likely, involves amounts which may have a major impact on the financial statements;
(c) A weakness which puts the assets of the Bank at risk; and / or
(d) A fraud or suspicion of a fraud.
16.5.3 Medium Risk
(i) The audit report shall be graded as medium risk where the audit findings highlight less significant matters requiring management action.
(ii) Audit findings of the following nature shall result in the internal auditors grading a particular department / operation as medium risk:
(a) A weakness in the internal control system which presents a significant risk of error but will not have a material impact on the financial statements;
(b) Constructive suggestions which might result in significant improvement in efficiency or reduction in cost;
(c) Improvement relating to the prevailing regulatory environment or procedures which is necessary to avoid minor or technical breaches.
16.5.4 Low Risk
(i) The audit report shall be graded as low risk where the audit findings highlight trivial matters which require to be brought to the attention of the management but do not warrant any action.
(ii) Audit findings of the following nature shall result in the internal auditors grading a particular department / operation as low risk:
(a) sundry omissions in complying with prescribed policies and procedures of the Bank which do not have a material impact on the internal control environment;
(b) isolated errors;
(c) sundry regulatory related errors which have been rectified and which are unlikely to cause criticism from the regulatory authorities, shareholders and customers;
(d) general suggestions relating to efficiency of staff or activity.
16.6 Spot Rectification
16.6.1 As a part of rectification of the audit observations, more emphasis is to be given to spot rectification to the maximum extent possible during the audit itself.

16.7 Follow up and compliance
16.7.1 Management is responsible for deciding the appropriate action to be taken in response to reported audit findings. Head-Audit shall be responsible for assessing such management action for the timely resolution of the matters reported as audit findings.
16.7.2 Management may decide to assume the risk of not correcting the reported conditions because of cost or other considerations. The ACB shall be informed of management's decisions on all significant audit findings.
16.7.3 The following factors shall be considered by Head-Audit in determining the nature, timing and extent of follow up actions:

(i) the significance of the reported findings;
(ii) the degree of effort and cost needed to rectify the reported condition;
(iii) the complexity of the corrective action;
(iv) the risks that may occur should the corrective action fail;
(v) the time period involved.
16.7.4 Head-Audit shall be responsible for establishing procedures to include the following:
(i) A time frame within which management's response to the audit findings is required;
(ii) An evaluation of management's response;
(iii) verification of the response (if appropriate);
(iv) follow-up audit (if appropriate).
16.7.5 Time for completion of audit of branches: Audit of any branch should not be continued for a period exceeding 45 days. Head-Audit may permit further extension up to 25 days.
16.7.6 Time for submission of Audit Reports by Inspecting Officials: The Inspecting Official should submit the report within 3 weeks from the completion of the Audit. Head-Audit may permit an extension of time by another two weeks.
16.7.7 The Bank shall clearly define the timeline for rectification of the inspection report. However, prioritization for timely compliance is to be given to high risk items over low risk items.
16.7.8 Individual banks shall clearly specify the quantum of required compliance before closure of the audit report. Banks are to ensure that compliance to the audit observations is submitted within the specified timeline and that strict action is initiated for non-rectification/ non-compliance to the audit observations.
16.7.9 In case of closure of a report with open items, a timeline is to be specified for rectifying/ complying with the open items.
16.7.10 Review of the audit report: The timeline for reviewing the audit report and the reviewing authority should be specified as part of policy guidelines.
16.7.11 Closure of audit cycle: The compliance on the Internal Audit report should be submitted by the concerned units within one month from the receipt of the audit report. The Final Audit Compliance cum Closure Certificate (FACC) should be submitted within three months thereafter. The format for FACC may be prescribed by Head-Audit from time to time. The formal closure of the report is to be done within one month of the receipt of the duly filled in FACC. The details of the backlog, if any, in submission of the responses, FACC or formal closure are to be reported to the Audit Committee of Executives on a quarterly basis. ACE shall be the final authority for closure of the audit cycle.
16.7.12 Internal auditors may also assume responsibility for following up findings made by the external auditors.
16.7.13 Special Audit: The Bank shall have provision for undertaking special audits under critical circumstances. Special audits can be of areas considered to be of higher risk, encompassing more than one branch/ location, like KYC non-compliance, irregular lending, exposures to the Corporate Sector, Credit exposures to the capital market, account mobilisation campaigns, untallied accounts, groups of potentially unsatisfactory branches, verification of amounts under debt relief, write off etc. Special audits may also be conducted based on signals from offsite risk assessment, specific requests from controlling offices/Departments, serious issues/ malpractices/ frauds noticed during other audits, or based on information from other sources.
16.7.14 Migration Analysis for branch ratings: The Bank is to undertake migration analysis of branch risk ratings on an annual basis in order to study the reasons for abnormal variation/ fall in the ratings for taking corrective steps. A detailed report is to be placed before the Audit Committee of the Board for review.

17. Performance Evaluation
The Head-Audit should conduct periodical reviews, annually or more frequently, of the risk-based internal audit undertaken by it vis-a-vis the approved audit plan. The performance review should also include an evaluation of the effectiveness of risk-based internal audit in suggesting and mitigating identified risks. The Audit Committee of the Board (ACB) would periodically monitor the progress and assess the performance of the risk-based internal audit for reliability, accuracy and objectivity. Variations, if any, in the risk profile as revealed by the risk-based internal audit vis-a-vis the risk profile as documented in the audit plan should also be looked into to evaluate the reasonableness of the risk assessment methodology of the Internal Audit Department.

18. Resources
a) The Internal Audit Department should be provided with adequate and appropriate resources and staff to achieve its objectives under the risk-based internal audit system. Staff possessing the requisite skills should be assigned the job of undertaking risk-based internal audit. They should also be trained periodically to enable them to understand the bank's business activities, operating procedures, risk management and control systems, MIS, etc. Head-Audit may solicit assistance within or from external sources where specific skills are required, keeping confidentiality and objectivity in view. Audit firms engaged by banks for audit work should have a qualified Information System Auditor (CISA/DISA) with the necessary exposure to systems audit, since all banks are fully computerized and IS audit should form an integral part of the audit of banks in the circumstance.

19. Outsourcing of Audit assignments under RBIA strategy
The risk based internal audits can be carried out either through the internal staff or through outsourced agencies as and when required. However, individual banks may take a decision on the same after due approval from their board. The Annual Audit plan placed before the ACB should indicate the areas/ units/ branches that are slotted for such outsourcing. The Audit Committee is authorized to approve / issue and review the broad guidelines from time to time for such outsourcing. The individual assignments for outsourcing would, however, be decided / considered by the Head-Audit as per the delegation of powers. The Executive Director and ACB should be kept informed of such outsourcing assignments considered. Head-Audit is to ensure and take due care while engaging the services of outsourced agencies in terms of confidentiality, professional approach, capability and ethical practices to be followed by them. He shall be guided by the principles enshrined in the Internal Audit Policy and the framework of RBI for Risk based internal audit as detailed in the circular dated 27th December 2002 or other circulars issued from time to time.

20. Standards for Internal Auditors
(The following may be adopted in tune with the bank's internal philosophy and in synchronisation with the guidelines of ICAI)
20.1.1 Introduction
The standards set forth in this section shall be binding on all persons employed in the Internal Audit Department and are in addition to the guidelines laid down in section 5 of this policy relating to the internal audit policy of the Bank.
20.1.2 Purpose
The objective of laying down standards for the internal auditors is to enable all persons employed within the Internal Audit Department to discharge their functions and duties in the most effective and responsible manner.
20.1.3 Standards
The following standards shall be applicable to the staff employed in the internal audit department of the Bank. The staff shall:
(i) exercise objectivity, honesty, independence, diligence and professionalism in the performance of their duties and responsibilities;
(ii) display loyalty in all matters pertaining to the Bank, particularly when providing services on a consultative basis on behalf of the Bank. Staff shall not knowingly be a party to any illegal or improper activities;
(iii) advise their line Managers of any areas where, through friendship or family relationship, a conflict of interest may arise;
(iv) refrain from entering into any activity which may prejudice their ability to carry out their duties and responsibilities objectively;
(v) not accept gifts, services or hospitality in circumstances that would be likely to compromise independence or impair their professional judgment;
(vi) continually strive for improvement in the proficiency, effectiveness and quality of their service to the Bank and, in that regard, should keep abreast of internal standards and be familiar with the most up-to-date standards for the practice of internal auditing generally. Additionally, staff shall endeavor to keep themselves apprised of procedural, product and technical innovations within the Bank and be aware of developments in the external environment that may impact upon the industry in general and the Bank in particular;
(vii) at all times be guided by the principles of integrity, confidentiality, professionalism, loyalty and legality;
(viii) not knowingly engage in acts or activities which are discreditable to the Bank;
(ix) be prudent in the use of information acquired in the course of their duties. They shall not use confidential information for any personal gain nor in any manner which would be contrary to law or detrimental to the Bank;
(x) reveal all material facts known to them which, if not revealed, could either distort reports under review or conceal unlawful practices.

42

20.1.4 Code of ethics

The auditors carrying out the audits, including those under the Risk based internal audit strategy, are expected to apply the principles of integrity, objectivity, confidentiality and competency while carrying out the assignments. They should respect and contribute to the legitimate and ethical objectives of the organisation. They should continually improve their proficiency and the effectiveness and quality of their services. They should maintain the audit evidence/ work papers / documents obtained during the audit assignment and retain them for the period that may be required or till the next assignment of that particular unit/ branch / activity is carried out.

Appendix-A

Guidance on Risk definitions (Suggestive list)

1. Credit / Counter party Risks

Credit Risk is the loss resulting from non-recovery of funds lent to a client, including loss from extension of credit for overdraft and/or intra-day exposures up to the nominal amounts. Credit risk could also include default on off-balance sheet products, such as swaps or options, where the credit exposure is a function of the prevailing market prices. Counter party risk would include default on transactions in the process of being settled, wherein the value (including interest on principal lent) has been delivered to the counter party but not yet received in return.

2. Industry / Country Risk

Industry risk is defined as the risk that firms of specific industry groups cannot repay loans. Country risks, on the other hand, include the risk that the firm will not recover funds lent to all clients with legal residence in any one particular country, i.e. credit risk quantified not in terms of a particular client but that of a particular country. It should be noted that settlement risk with clients residing in a foreign country is not considered a country risk.

3. Advisory Risk

Risk of loss resulting from the bank influencing the customer with specific recommendations to buy or sell certain products. Regulations always require the bank to inform investors about the risks involved. Additionally, the bank should obtain an acknowledgement of the same from the investor on appropriate forms. Non-adherence to the aforementioned rules or false and / or misleading recommendations could result in compensatory reimbursements by the bank.

4. Foreign Exchange Risk

Adverse effects of movement in foreign exchange rates, with the primary area of concern being the trading positions entered into by FX dealers, is defined as Foreign Exchange Risk. Adverse effects of movement in FX rates include outright changes in the exchange rate volatility and changes to the value of profits raised abroad on conversion to base currency.

5. Interest Rate Risk

It is the risk that a movement in interest rates will adversely affect the bank. This includes a lost opportunity to minimise or maximise a gain. The risk of changes in interest rate volatility, in the shape of the yield curve (steepening or flattening) and in interest rate spreads has to be considered. Equally, the bank's exposure towards specific products in terms of fixed / floating interest and their respective funding arrangements have to be taken into account. Repayment of principal prior to maturity for fixed rate exposures may result in an interest rate exposure for the bank.

6. Position Risk

The risk of inaccurate hedging and non-hedging of individual positions in each business area, resulting in unwanted / unexpected positions, is defined as position risk.

7. Price Risk

The price risk is the loss resulting from incorrect pricing of risk assets. The borrower's credit risk rating and the complexity of the credit facilities should be reflected in the pricing of risk assets.

8. Funding Risk

The risk that the bank cannot meet its obligations to pay out funds, involving repayment to depositors holding current accounts, time deposits (long term or short term) and all other borrowed money. (Also see liquidity risk)

9. Market Liquidity Risk

It is the lack of market liquidity preventing quick or effective liquidation of marketable collateral taken to secure credit facilities, such as shares, properties, inventories, etc. Effective liquidation could be hindered as a result of not being able to dispose of collateral at market price due to en bloc sales and a depressed stock and property market.

10. Operational Risks

Operational risks can be further categorised as follows:

(i) Transaction Risks

Errors in processing transactions would include errors in execution of transactions, errors resulting from the complexity of products and the inability of existing systems and processes to cater for them. Deficiencies in monitoring receipt of collateral and documentation represent further risks.

(ii) Operational Control Risks

Breakdowns in controls around the front, middle and back office activities. Unidentified limit excesses, unauthorised trading by individual traders, fraudulent practices related to trading and processing activities (including false accounting and forgery), money laundering, unauthorised access to systems or models, dependency on a limited number of personnel and lack of controls around the processing of transactions are some of the major risks relating to Operations.

11. System Risks

Errors or failures in system support, including errors in development of computer programmes, errors in formulae of mathematical models, errors in calculation of mark to market amounts, inadequate or untimely management information, failure in one or more systems required to support business activities, failure in network or telecommunication channels and inadequate or non-existent contingency planning in the case of system or telecommunication failure are some of the system risks.

12. Settlement Risks

It is the risk involved if the counterparty does not settle the deal after the bank has already provided settlement in accordance with the contract. This risk should not be confused with credit risk, because settlement arises out of a trading transaction where the two parties have not settled the deal.

13. Contingency Risks

This risk is associated with the lack of a business contingency plan that ensures alternative courses of action or solutions to ensure continuity of day-to-day business. A contingency plan also includes alternative replacement solutions that would trigger in the event of failure of technical equipment, systems, etc. Disaster related risks would include natural disasters, war or the collapse or suspension of financial markets.

14. Reputation / Standing / Image Risk

It is the risk that the bank suffers damage to its reputation. The bank maintains an image with clients, potential clients, market participants, regulatory authorities, stockholders (current and potential), employees etc.

15. Custodian / Trustee Risk

The highest risks derive from mistakes or insufficient execution of tasks required by the legislator or a shortfall against mutually agreed tasks to be performed by the bank.

16. Compliance Risk

The risks related to compliance arise from the fact that all activities of the bank should be in compliance with the respective laws and guidelines for the protection of the investor. The bank should ensure that the customer's interest has priority in the event of a conflict of interest.

17. Accounting Risks

The risk that the firm loses accounting control over the general and subsidiary ledgers, financial control over the legal entity reporting, and management control over profitability reporting, which could be by client, product or profit / cost center.

18. Taxation Risk

Risks related to changes in tax laws or unanticipated taxation.

19. Regulatory Risk

It is the risk of loss arising from the inability to meet regulatory requirements, including breach of existing capital requirements and failure to anticipate forthcoming regulatory requirements.


20. Legal Risk

Breach of legal requirements in the effective jurisdiction, including business law or contract law, is defined as legal risk.

The risk definitions, interpretation and application would be in tune with the guidelines / circulars issued by Reserve Bank of India from time to time. In case of any contrary views expressed, the regulatory guidelines would prevail and to that extent the expression in the manual would stand auto-corrected.

== xx ==


CONCURRENT AUDIT POLICY MODEL

INDEX

Sl No   Particulars                                                              Page No
1       Preamble                                                                 2
2       Regulatory Requirement                                                   2
3       Concurrent Audit Coverage                                                2
4       Branch Audit                                                             2
5       Selection of the Branches and other offices for Concurrent Audit         3
6       Selection of the audit firms for conducting concurrent audit             4
7       Appointment of Concurrent Auditors, their fees and other conditions      5
8       Conduct and follow up of concurrent audits                               7
9       Review of Concurrent Audit System                                        8

MODEL CONCURRENT AUDIT POLICY


1. Preamble:

The Bank should put in place an effective concurrent audit system to comply with the RBI guidelines as also to supplement the efforts of the internal audit department to strengthen the internal control system. The concurrent audit system will be a part of the Bank's early-warning system to detect irregularities and lapses, which helps in checking repeated / recurring violations of the internal and regulatory guidelines, controlling risks and preventing fraudulent transactions.

2. Regulatory Requirement:

The RBI requirement regarding coverage of not less than 50% of deposits as well as not less than 50% of credit and other risk exposure of the Bank under concurrent audit is to be ensured on an on-going basis. Similarly, the RBI requirement that the Department at the Head Office dealing with Treasury functions is to be subjected to concurrent audit will also be complied with. The RBI guidelines as indicated under circular No.DOS.No.B.C.16/08-91/021/96 dated August 14, 1996 are to be taken into consideration while implementing the concurrent audit system in the Bank.

3. Concurrent Audit Coverage:

The concurrent audit shall cover 70% of deposits and 70% of advances of the Bank as against RBI's stipulation for coverage at a minimum of 50% of deposits and 50% of advances. A large number of activities / operations are being carried out in a centralized manner at various units set up for that purpose, and the scale of transactions / operations undertaken at these units is large. With a view to ensuring that the functioning of these units is as per the internal as well as regulatory guidelines and mitigating the risk associated with large-scale operations, such non-branch units shall also be subjected to concurrent audit.

4. Branch Audit:

The Concurrent Auditors should certify all the reports under the Branch Statutory Audit System wherever Concurrent Audits are conducted by external Chartered Accountants. Such Concurrent Auditors should be advised to provide the various certifications done earlier by Branch Statutory Auditors, covering NPA provisioning, Insurance coverage, P & L Account, ALM, CRAR, DICGC, LFAR etc. Similarly, certification regarding Tax Audit may also be taken from the Concurrent Auditors. It is pertinent to note that the Concurrent Auditors are carrying out on a continuous basis all the verifications which the Branch Statutory Auditors are supposed to do annually for giving these Certificates. Concurrent auditors should also undertake the stock audit function, for which they may be suitably remunerated. Further, enhancing the role of Concurrent Auditors should not be a problem as the Concurrent Auditors will, henceforth, be appointed from the RBI panel based on the Branch Gradation System with suitable upward revision in the remuneration.

5. Selection of the Branches and other offices for Concurrent Audit:

ACE/ZACE may identify the branches and other units / offices for concurrent audit from time to time. Audit Committee of Board should be kept informed of the developments / progress on a half yearly basis. However, while selecting the branches for concurrent audit, the risk profile of the branches also needs to be considered. It is important for the bank that the branches with high risk are subjected to concurrent audit irrespective of their business size. Some of the High Risk Branches and specialized branches, viz., Agri, SME, Mid Corporate, Infrastructure, Large Corporate, CPU, retail assets, portfolio management, forex, back office etc., may also be covered under the Concurrent Audit, in case not already covered under Concurrent Audit. The concurrent audit assignments may be undertaken internally by the Bank's officers and also outsourced to external audit firms. In view of moving to Risk Based Concurrent Audit, the committee has devised a single check list and separate report formats for concurrent audit and internal audit. However, the committee suggests bifurcating audit areas as High Risk, Medium Risk and Low Risk; accordingly, individual banks, based on their risk profile, may classify the areas, and coverage can be fixed under both internal and concurrent audit. However, all areas forming part of the check list are to be verified under Internal Audit by inspectors.

6. Selection of the audit firms for conducting concurrent audit:

The following basic criteria should be kept in mind while selecting a firm for concurrent audit assignments:

a) It should be a partnership firm of Chartered Accountants.

b) The firm should be selected from the RBI panel as per the gradation suggested for Branch Statutory Auditor appointment.

c) Audit firms engaged by banks for audit work should have a qualified Information System Auditor (CISA/DISA) with necessary exposure to systems audit, since all banks are fully computerized and IS audit should form an integral part of the audit of banks in the circumstances.

d) Weightage is to be given to firms where the partners themselves are ex-bankers or the firm has a tie-up with ex-bankers with requisite experience and exposure.

e) It is to be ensured that the audit firm or any sister / associate concern / network firm is not conducting the statutory audit of the Bank or any of its branches.

f) Weightage is to be given to a firm having exposure in conducting concurrent audit of bank branches for a few public sector / major private sector banks.

g) The firm should have the necessary office set up and adequate personnel to ensure proper deployment and timely completion of the assignments.

h) The firm should execute an undertaking of fidelity and secrecy on its letterhead in the format prescribed by the Bank.

i) The assignment should be carried out in a professional manner, and in case of any misconduct & negligence the Bank is free to report the matter to ICAI / RBI under the guidelines issued from time to time. This will be in addition to disengagement from the assignment.

j) The firm should not sub-contract the audit work assigned to any outside firm or other persons even though such persons are qualified chartered accountants.

k) A declaration is to be furnished by the firm that credit facilities availed by the firm or partners or firms in which they are partners or directors, including any facility availed by a third party for which the firm or its partners are guarantor/s, have not turned or are not existing as nonperforming assets as per the prudential norms of RBI. In case the declaration is found incorrect, the assignment would get terminated besides the firm being liable for any action under ICAI / RBI guidelines.

l) Any other terms and conditions of the assignment would be decided by the Bank on a case-to-case basis.

7. Appointment of Concurrent Auditors, their fees and other conditions:

a) The appointment of the concurrent auditors for various concurrent audit assignments needs to be approved by ACB from the RBI panel as per the gradation based on the size of the Branch. Suitable firms would be identified for each assignment and would be approved taking into account their experience and exposure, similar activity carried out for the Bank or other banks, availability of adequate trained resources, location of the audit unit etc. The monthly fees payable to the auditors will be approved by the delegated authority taking into consideration the nature of the assignment and within the maximum fees approved by Audit Committee of Board.

b) The tenure of the concurrent audit would initially be for one year and would be extended for a further period of two years (overall three years), based on the performance of the auditor in the first year.

c) After completion of the specific period, the firms may be considered for audit assignments in other locations or areas. A cooling period of two years would be observed for a firm to become eligible for appointment in the same audit unit. This will be purely at the discretion of the Bank and no rights whatsoever accrue to the firm for such appointment.

d) At any one point of time, not more than one audit assignment would be awarded to any single firm. An audit assignment that needs to be carried out across the branches / units at different locations would be considered as a single assignment for this purpose.

e) The concurrent auditor should adhere strictly to the audit coverage as per the scope as may be decided by the Bank from time to time.

f) The concurrent auditors should not undertake any other activities / assignments on behalf of the branch or unit without obtaining the concurrence of the audit department in writing.

g) No out of pocket expenses or traveling allowance / halting allowance would be paid to the concurrent audit firms for carrying out the assignment. However, the service tax, education cess etc. would be paid as applicable from time to time in addition to the basic fees. The concurrent auditors may be reimbursed actual out of pocket expenses incurred in connection with travel involved for conducting stock audits. The payment to the concurrent auditors would be subject to deduction of tax at source at appropriate rates.

h) All the necessary certificates that need to be given as a part of the concurrent audit assignment (Bills of Entry verification, A1/A2 Forms etc.) would be given by the audit firm under its letterhead without any additional certification fee.

i) There is a need to transform the present concurrent audit system to Risk based concurrent audit. Therefore, the concurrent auditors would give a rating or grade, either numerical or phrased, for the audit entity. This rating should be based on their observations about branch functioning.

j) A detailed checklist and other operating guidelines will be provided to the concurrent auditors. Necessary training / consultation required would be provided to them for enhancing the quality of the audit. They would be made aware of the guidelines and circulars issued subsequent to commencement of the assignment and having an impact on the concurrent audit, to keep them abreast of the changes in the operational and regulatory guidelines.

k) Necessary arrangements should be made for providing space, workstation and access to systems (viewing rights only) to the concurrent auditors for ensuring smooth conduct of the audit assignment. This would be the responsibility of the controller of the audit unit / Branch Head.

l) The Bank will prescribe structured formats for the audit reports and also stipulate the time limits for submission of the reports. Suitable penal provisions may be prescribed for delayed submission of audit reports.

m) The audit formats would be reviewed on an annual basis. The firms should strictly adhere to the format and the time limit. The Bank may prescribe different periodicity for different reports within the same audit unit.

8. Conduct and follow up of concurrent audits:

a) Each branch / audit unit should identify nodal officer/s as a single point of contact for coordinating the concurrent audit work. The audit units should ensure rectification of the deficiencies without any loss of time so as to achieve the very purpose of concurrent audit.

b) The bank should provide the concurrent auditor with requisite initial induction to the branch activities and further support the auditor with the MIS generated from the CBS system.

c) Head-Audit is to put in place the necessary systems to initiate follow up on the concurrent audit reports with the respective branches / units under intimation to the controllers of the functions. However, the Controllers will be responsible for further follow up with the branches / units to ensure compliance.

d) A formal wrap-up discussion with the branches and non-branch segments along with the concurrent auditors will be held once in six months for the more important branches in each region. Initially the focus would be on those branches having significant corporate exposure, including critical non-branch segments.

e) At present, significant findings on concurrent audit reports are reported to the Audit Committee of Executives and thereafter to the Audit Committee of Board on a quarterly basis.

f) In line with RBI's directive, it is now proposed to formally close the audit reports once a quarter.

g) The pending issues of the previous reports need to be mentioned as a persisting irregularity / deficiency in the subsequent reports.

h) The Audit department should ensure that the deficiencies pointed out in the concurrent audit are closed within a reasonable period.

i) Significant observations of the concurrent audit reports would be placed before the Audit Committee of Executives on a quarterly basis. Any serious observation requiring the attention of the Audit Committee of Board needs to be placed before them at the first available opportunity.

j) While carrying out internal audits, the quality of compliance with the concurrent audit report would be covered and commented upon by the Internal Auditors.

9. Review of the Concurrent Audit System:

The concurrent audit system should be subjected to annual review as prescribed under RBI guidelines. Such review would be carried out by June end every year.

INFORMATION SYSTEM (IS) AUDIT POLICY


INDEX

Sl No   Particulars                                     Page No
        INTRODUCTION                                    1
1       IS AUDIT POLICY                                 1
2       AUTHORITY                                       7
3       ACCOUNTABILITY                                  9
4       COMMUNICATION WITH AUDITEES                     9
5       QUALITY ASSURANCE PROCESS                       9
6       IS AUDIT ORGANISATION STRUCTURE                 10
7       IS AUDIT PLANNING                               10
8       PERFORMANCE OF AUDIT WORK                       11
9       FREQUENCY OF AUDITS                             15
10      COMPLIANCE & CLOSURE OF AUDIT CYCLE             16
11      AUDIT DOCUMENTATION                             16
12      RESTRICTION OF SCOPE                            16
13      VALIDITY OF THE POLICY                          16
        APPENDIX
        I) Audit Approach                               16
        II) Audit Methodology                           19
        III) Audit consideration for irregularities     22
        IV) Audit evidence /information                 25

INFORMATION SYSTEM (IS) AUDIT POLICY


INTRODUCTION

The Banks have chosen technology as a differentiating factor to achieve desired goals. The banks also have a wide customer base, wide product base and several delivery channels. As a result of this, technology is a prime factor that encompasses all areas of the organisation including regulatory compliance, customer service levels and reputation. The IS Audit function therefore becomes an important tool in the hands of management to review all aspects of technology, its business impacts and the risks associated with the technologies on an on-going basis. Considering the importance of the IS Audit function, this Audit Policy has been prepared keeping in view the current status of the organisation and its readiness in terms of existing systems and procedures. This Audit Policy covers:

- Essential features like Mission and Objective Statement of IS Audit Policy.
- Functions and scope of IS Audit and the relationship with Auditees.

IS Audit policy defines the management mandate and gives an operative framework of IS Audit. The IS Audit Policy is a subset of the Bank's Audit Policy. Hence, various organisational aspects which are not covered by the IS Audit policy shall be governed by the Bank's overall Audit policy and practices. The Audit Department shall prepare a separate document to cover the operational and procedural aspects of the IS audit function.

1. IS AUDIT POLICY

1.1 Definition:

This Audit policy defines the responsibility, authority and accountability of the Information Systems audit function, both internal and external, in a documented form, from which IS Audit gets its mandate from the organisation to perform its function. This also assists the IS audit function to determine how to achieve the implementation of applicable IS audit standards, use professional judgment in their application and justify any departure therefrom under specific constraints. Reporting on IT governance in the organisation could involve auditing at the highest level in the organisation and may cross divisional, functional or departmental boundaries. The Audit policy for the IS Audit function includes IT governance of the organisation, including its Information Systems and technology, together with the reporting line to be used where IT governance issues are identified. IS Audit is an internal function of an organisation and is a part of the overall Bank's Audit function. IS Audit policy, by itself, does not cover certain general aspects of Auditing such as reporting to external agencies, legal aspects of Audit, reporting to Audit Committee or dealing with high level irregularities. IS Audit policy, hence, would also be governed by the Bank's Audit Policy in totality.

1.2 Responsibilities of Management:

Management is responsible for giving due recognition to the needs of the IS Audit function, and for reviewing and implementing the recommendations given by IS Audit.

1.3 Mission Statement:

To give reasonable assurance to the Board / Top Management that Information Systems and Infrastructure deployed in the organisation, together with the business/ operational processes, are able to accomplish Information System goals effectively and that the risks built in during the process of building such systems are addressed adequately or are within acceptable limits.

1.4 Aims/ Goals:

1. To ensure that data integrity and financial integrity across various systems is maintained.
2. To assess the impact on customers due to system changes/ procedural changes proposed.
3. To assess the project planning and execution methodology.
4. To evaluate the impact on business due to various changes in systems.
5. To ensure that all system changes/ developments are in alignment with business and IT strategic objectives.
6. To have timely triggers on various IS/ technical risks.
7. To ensure compliance with the Information Technology (IT) Act 2000, the Information Technology (Amendment) Act 2008 and other information system related guidelines.
8. To follow a risk based approach in all areas.

1.5 Scope of IS Audit:

The scope of IS Audit covers all Information Systems used by the Bank in related activities viz. system planning, organisation, acquisition, implementation, delivery and support to end-users. The scope also covers monitoring of implementation in terms of its process effectiveness, input/ output controls and accomplishment of system goals. The IS Audit includes the relevant processes for planning and organising the information systems activity and the processes for monitoring that activity. The scope of the audit will also include the adequacy and effectiveness of internal control system(s) for the use and protection of the information and the Information Systems, as under:

a) Data, in terms of its representativeness of business and its integrity.
b) Application systems, in terms of their functionality, controls and change management.
c) Technology, in terms of standardisation, risks, investments and returns.
d) Facilities, in terms of infrastructure, maintenance and security.
e) People, in terms of establishing segregation of duties and organizational structure, adequacy and competence.

1.6 Objectives:

IS Audit shall be required to carry out several assignments. Accordingly, the objectives of all assignments shall be derived from the mission statement and goals of IS Audit. The individual assignments and reports shall set out the specific objectives of the assignments as applicable.

1.7 Independence:

IS Audit, like any other Audit function, is an independent function by itself. IS decision making, IS operations, project planning, execution and implementation shall be carried out by process controllers with set processes and norms. Similarly, business process owners shall utilise various information systems and the resources to achieve business objectives. IS Audit is an independent tool to evaluate whether the processes are getting executed as per set norms, internal controls are maintained and the risk mitigation mechanisms are in place. 1.8 Relationship with External Auditors (outsourcing):

Internal Audit Department may engage External Auditors for various purposes such as:

- getting additional assistance
- carrying out special assignments or in areas requiring special expertise
- covering broader areas/ geographical boundaries

In all such events, there shall be a formal document of engagement of external auditors defining the activity in its totality, including commercial terms/ conditions, within the framework of the Bank's outsourcing policy, with the approval of the Audit Committee of Board or any other competent authority depending upon the merit of the case. The external auditors shall be accountable to the Internal Audit Department in all such cases. Whenever an External Auditor is engaged for IS Audit purposes through the Audit Department, the following shall be covered for effective communication:

a) Describing the service, its scope, its availability and timeliness of delivery.
b) Describing problems and possible resolutions for them.
c) Providing adequate and readily accessible facilities for effective communication.
d) Determining the relationship between the service offered and the needs of the Auditee.

1.9 Relationship with internal Auditors:

IS Audit is a part of the Internal Audit Department. In specialised areas of Audit requiring multi-disciplinary specialisation, all Auditors shall work jointly to ensure that effectiveness of controls are built into overall systems. It is the prerogative of Head-Audit, to effectively utilise Internal Audit resources, including IS Audit. 1.10 Relationship with System Users: IS Audit is an Internal Audit function and needs to closely work with various departments and branches of the organisation. Hence, Auditee's requirements shall be discussed and agreed upon mutually. In case of differences, Head Audit shall resolve them with the appropriate authorities. 1.11 Relationship with Outsourced Service Providers: In terms of RBI's guidelines on outsourcing, subsidiaries are to be treated on par with third parties where services have been outsourced. Banks entire IT function has been outsourced to a third party, which, in turn, has outsourced various activities. In accordance with the above-mentioned RBI policy, IS Audit is mandated to audit the activities of all the outsourced service providers to ensure that Banks interests and assets are protected at all times and that all risks arising out of outsourcing are adequately mitigated or the risks are within acceptable limits. With this end in view, IS Audit shall cover all assets belonging to 5

Bank, whether it be data, hardware, software, connectivity, facilities, policies, processes & procedures, HR in so far as it relates to the services provided to Bank, service delivery, processes and procedures followed for procurement and deployment of IS assets for and on behalf of Bank. Where any assets, including those belonging to the Bank, are used by any mandated third party for providing services to external customers, whether they be subsidiaries or otherwise, IS Audit shall audit all assets, processes, procedures, connectivity, and any other related areas in as much as they intrude into or access Banks assets or network or pose a risk to the Bank. To this extent, the service provider shall satisfy IS Audit that such use of assets does not pose a risk to the Bank and its assets. At the same time, the service provider shall not allow any of its customers (including subsidiaries or third parties) or their agents to audit the assets of the Bank without written permission from Head-Audit IS Audit shall audit the services of all service providers to ensure that they adhere to the contracted levels of service set out in the Service Level Agreements entered into / to be entered into with the Bank. IS Audit shall audit the compliances by the service providers to various regulatory and statutory requirements to ensure that Bank is not unduly exposed to any risk on account of acts of commission / omission by them. All service providers shall, at all times, provide IS Audit with all necessary support, including data, information, compliances, etc. Disputes, if any, shall be resolved by Head-Audit, with the appropriate authority of the service provider. 1.12 Critical success factors: The Information Systems encompass a wide variety of activities through-out the organisation. The embedded risks during the computerization process are very high and the evolution of business needs keep on increasing the expectations from IS Audit. 
Practically, it is also not always possible for IS Audit to involve itself in all areas/ systems of the organisation. It is therefore critical for the success of IS Audit that strong internal processes and procedures get continuously evolved, with or without the involvement of IS Audit, and with strong support from Management. It is also expected that Management gives suitable recognition to the IS Audit function and vests it with the requisite independent power to enable it to execute its function with a closed feedback system. Though the objective of IS Audit would be to pursue COBIT (Control OBjectives for Information & related Technologies) and other widely accepted best practices and standards, it may not be possible to achieve all objectives due to various people/ systems/ organisation limitations. The achievement of detailed objectives also depends on the readiness of the organisation, manpower, budgetary constraints and other external factors. However, IS Audit would exert itself to achieve the standards and best practices in a phased manner with continued improvements and enhancements.

IS Audit cannot guarantee that irregularities will be detected. Even when an audit is appropriately planned and performed, irregularities could go undetected, e.g. if there is collusion between employees or between employees and outsiders. It is a widely known fact that the technological world is full of contradictions, incompatibilities, evolving external threats and hidden system errors/ bugs. It is also a fact that with the evolution of new technologies and tools and the spread of education, technological systems tend to become vulnerable. IS Audit shall spare no efforts to identify risks, as well as the adverse impact of such events, and to sensitise the Auditee and Management to such events. Audit sign-off shall normally be given after carrying out a detailed analysis of the technological and business environments within organisational business constraints. However, it does not necessarily mean that all the risks can be addressed all the time.

2. AUTHORITY :

2.1 Risk Assessment :

The IS Auditor shall be empowered to carry out a complete risk assessment.

2.2 Right to Access Information :

The IS Auditor shall have the right of access to information, personnel, locations and systems relevant to the performance of the audit. IS Audit shall have the complete right to examine/ evaluate all manual/ system related records, documents and any other evidence covered under organisational activities, from employees and outsourced persons and organisations at all levels. IS Audit shall have query access to the various systems/ sub-systems that are implemented in the organisation.

2.3 Scope or any limitations of scope :

Business/ product decisions shall not be subjected to IS Audit. However, the impact of business/ product decisions on systems could be assessed by IS Audit as and when necessary.

2.4 Functions to be audited :

IS Audit shall cover different functions, such as the various application systems/ subsystems/ components for data/ design/ infrastructure/ users/ procedures/ data integrity/ efficiency and effectiveness, and any other area communicated by staff members or arising out of any other report, with the prior approval of Head-Audit.

2.5 Auditee's expectations :

Being an internal function, Auditors and Auditees shall have close interactions, and expectations of each other shall be set through a participative process.

2.6 Reporting relationship :

The IS Audit function shall report to Head-Audit. Head-Audit shall report to the Audit Committee of Board through the proper channel of the Bank.

2.7 IS Audit skills :

The IS Auditors shall meet the following technical proficiency requirements on an overall basis:
i) Hands-on experience on various aspects of the computerisation process, with generic as well as specific skills.
ii) Ability to review and evaluate IS internal controls.
iii) Understanding of Information Systems design and operations.
iv) Knowledge of programming languages and techniques, and the ability to apply computer assisted audit tools and to assess their results.
v) Knowledge of computer operating systems and software.
vi) Ability to identify and reconcile problems with the client data file format and structure.
vii) Ability to bridge the communication gap between the Auditor and the IS professional, providing support and advice to the Management of the organisation.
viii) Preferably, the IS Auditor should acquire a qualification such as Certified Information Systems Auditor (CISA) or an equivalent qualification from a reputed organisation.
ix) Knowledge of when to seek the assistance of an external IS professional.

3. ACCOUNTABILITY :

The accountability of IS Auditors shall be governed by the extant policies of the Bank with regard to all audit staff.

4. COMMUNICATION WITH AUDITEES :

Considering the fact that this IS Audit function is primarily an internal process, communication with Auditees is primarily through close interactions. All facilities internally provided by the organisation in terms of E-mail, chat and Inter-office Memos shall be used for the purpose of establishing effective communication. The audit policy shall form the basis for communication with the auditee for both internal/ external audits. A total communication with Auditees shall cover findings:
a) Submitting the report on findings/ recommendations.
b) Response to Auditee's compliance.
c) Agreement / resolution of

5. QUALITY ASSURANCE PROCESS :

The IS Auditor shall establish a quality assurance process with Auditees by creating standards of execution and implementation and setting expectations relevant to the IS Audit function. For this purpose, a set of standards, practices and procedures shall need to be worked out for adoption by the IT group in the Bank regarding each and every aspect of computerisation including, among others, networking, applications, databases, security features, and audit and accounting features. The standards will need to be generic, open and minimal. These standards, practices and procedures shall ensure that IS Audit and inspection can be carried out in a more comprehensive and elaborate manner, keeping in view the basic principles by which computers, networks, databases, applications and security provisions operate in a computerised environment. The guidelines shall need to provide for sufficient safeguards to be built into the Information Systems to ensure systemic ruggedness, so as to reduce the risk of cyber and digital crimes such as unauthorised access, destruction or manipulation of information and information systems, hacking, spamming, etc. IS Audit shall facilitate the building of such standards, enhance the standards and review them on a periodic basis. The quality assurance process will also include interviews and customer satisfaction / performance surveys to understand the expectations relevant to the function.

6. IS AUDIT ORGANISATION STRUCTURE :

The IS Audit organisation structure shall be headed by Head-Internal Audit, and the composition of the IS Audit team shall be decided by him from time to time.

7. IS AUDIT PLANNING :

7.1 Risk based audit

The IS auditors shall assess the risks to any IS asset by evaluating the probability of an untoward event occurring and its impact on business, and rate the assets accordingly. IS Audit shall then prepare a risk matrix of risk vs. impact and plan audits using this matrix. The risk matrix shall normally be updated based on past incidents, their impact on business, and the severity of audit observations and their compliance. This revised matrix shall then be used to plan the current year's audit. However, in case any significant incident occurs that considerably impacts business, the IS asset in question shall be re-rated and be subject to immediate audit. The risk assessment methodology shall include system definition, threat identification, vulnerability identification, control analysis, probability, impact analysis and risk determination. A scoring system will be put in place, which will also consider the following risk factors:
- Adequacy of internal controls
- Business criticality
- Regulatory requirements
- Amount / value & number of transactions processed
- Customer facing systems
- Financial loss potential
- Technical competence
- Technical and process complexity
- Stability of application
- Number of interfaces
- Availability of documentation
- Extent of dependence on the IT system
- Confidentiality requirements
- Major changes carried out
- Previous audit observations and senior management oversight

IS Auditors will periodically review the results of internal control processes and analyse financial or operational data for any impact on the risk assessment or scoring.

Defining the IS Audit Universe :

An Audit Universe is an outcome of the risk assessment process. It will define the audit areas to be covered. It will include all areas related to IT, including resources, processes, applications, data, technology, networking, data center, etc.

Scoping for IS Audit :

The scope of audit includes the identification of controls and activities to be tested for assessing effectiveness. The scope of audit may vary depending on the area to be audited. The scope will be decided based on risk assessment. While scoping the audit, factors such as control objectives, materiality and fraud risk will be considered in addition to other requirements. IS Audits shall also cover large branches to assess areas such as control of passwords / user-ids, operating system security, maker-checker, physical security, BCP policy, etc.

Documenting the Audit Plan :

The IS Audit Plan will be a formal document prepared as part of the overall internal audit plan. The plan will be approved by the Audit Committee initially and for any subsequent major changes. The components of the audit plan shall include the subject, nature, period and scope of the audit. Audit approach, audit methodology, audit considerations for irregularities and audit evidence / information are given in the Appendix.

8. PERFORMANCE OF AUDIT WORK

8.1 Review of system strategies

System strategies shall be reviewed by analysing:
1. Minutes of meetings of the Board of Directors for audit information relating to the consideration of matters concerning the information systems and their control, and the supporting materials for any such items.
2. Minutes of the meetings of the Audit Committee reporting to the Board of Directors for audit information relating to the consideration of matters concerning the information systems and their control, and the supporting materials for any such items.
3. IS mission statement and agreed goals and objectives for information systems activities.
4. Assessment of the risks associated with the organisation's use of the information systems and the approach to managing those risks.
5. IS strategy, plans to implement the strategy and monitoring of progress against those plans.
6. IS budgets and monitoring of variance.
7. High level policies for IS use and protection, and monitoring of compliance with these policies.
8. Major contract approval and monitoring of suppliers' performance.
9. Monitoring of performance against service level agreements.
10. Acquisition of major systems and decisions on implementation.
11. Impact of external influences on IS, such as the Internet, merger of suppliers or liquidation, etc.
12. Business Continuity Planning, contingency planning, testing thereof and test results.

8.2 Review of system related policies/ compliance :

The IS auditor will consider whether the system related policies cover all of the appropriate areas for which board-level direction is necessary in order to provide reasonable assurance that the business objectives are met. Such policies on Board level direction will need to be documented, and such documented policies shall, among others, include the following :
a) Security Policy
b) Data Ownership Policy
c) End-user Computing Policy
d) Copyright Policy
e) Data Retention Policy
f) System Acquisition and Implementation Policy
g) Outsourcing Policy
Wherever these policies do not exist, the IS Auditor shall draw the attention of the concerned persons/ management and hasten action to ensure that the policies are put in place.

8.3 Organization and Administration :

Efficiency in computerised operations is dependent on the efficiency of the personnel using the computer resources. IT personnel should do their work completely, timely and accurately, and that too with minimum resources. They should deliver more output, quantitatively and qualitatively. Proper placement of IT personnel on the basis of their aptitude, skill, knowledge and experience is very important. IT personnel should be used effectively and efficiently, with proper security, for the organisation to reap maximum advantage. IS Audit shall check for segregation of duties, dual control in performing important operations, the level of training imparted to staff, the availability of skilled personnel to run critical operations with suitable back-up arrangements, the maintenance of records for work assigned to staff, rotation, and other aspects critical to the smooth operation of all systems.

8.4 Review of system responsibilities of owners of business process :

The IS auditor will need to review the responsibilities of the business process owners, as under, and assess whether these are appropriate to support the policies and goals of the Bank.
a) Assessment of whether the business process owners have the skills, experience and resources necessary to fulfil this role.
b) Review of the information received by the business process owners, to assess whether it is appropriate to enable them to discharge their responsibilities and to monitor compliance with the policies. Information that may be considered appropriate includes:
i) Reports of attempted access to the systems supporting business processes and follow-up action taken.
ii) Reports of changes to user access rights, including new users and those whose access rights have been removed.
iii) Reports of the results of business continuity tests and follow-up action taken.
iv) Reports on the results of feasibility studies and tendering processes for systems acquisition.
v) Reports of the results of user acceptance testing of new systems or changes to existing systems.
vi) Reports on performance against agreed service levels.
vii) Statistics on availability, number of failures, number of system changes requested and implemented, etc.
viii) Status of system changes in progress.
ix) Reports of changes to corporate data dictionary entries.
x) Reports on input control/ process control features.
c) Assessment of the system which produces the above information and its reliability, integrity and potential for management override.
d) Where the organisation has internal audit resources, which is an important element of the corporate governance process, assessment of whether the appropriate level of involvement of the internal audit resources has been provided.

8.4 Consideration of External Factors :

Corporate governance of the information systems involves directing as well as controlling. The industry in which the organisation operates, trends in the IS industry, and social and political changes may influence the benefits which the organisation can obtain from the use of the information systems. The IS auditor will need to verify that the organisation has put in place procedures to monitor the external factors which are relevant to the organisation. The IS auditor will also need to verify whether all material issues are under active consideration at the appropriate level. The organisation has to plan appropriate actions to avoid the potential material adverse effects of such issues. In case such issues are not being actively considered at the appropriate level in the organisation, the IS auditor will need to promptly report this matter to the designated authority in the organisation.

8.5 Materiality :

During the performance of IS Audit, the concept of materiality will play a vital role. A weakness in control is material if the fact or its potential effect could influence the decisions of the users of the IS system. Materiality depends upon various characteristics such as size, circumstances, location, culture, political climate, type of users, errors, omissions, irregularities and illegal acts. The definitions of significant deficiency and material weakness also contain aggregation concepts: a control deficiency, or a combination of control deficiencies, can represent a significant deficiency or material weakness. The IS auditor's assessment of materiality and audit risk may vary from time to time, depending upon the circumstances and the changing environment. In the case of systems that do not process financial transactions, criteria such as the criticality of the business processes supported by the system, the cost of the system, the potential cost of error, the number of accesses per period, etc. shall be considered while determining materiality.

8.6 Participation of IS Audit function in different projects :

Various project steering committees will be formed within the Bank for the execution of various projects. IS Audit shall participate in important meetings of these project committees in which objectives and milestones will be reviewed. The IS Audit function will have full access to project documents/ reports/ plans that may be prepared, for off-site review.

9. FREQUENCY OF AUDITS

1. IT systems will be divided into high, medium and low criticality systems based on the risk matrix.
2. The frequency of system audits shall be as follows:

Criticality    Audit intervals    Extension permissible by Head-Audit
A  High        12 months          1 month
B  Medium      18 months          2 months
C  Low         36 months          2 months

3. New IT systems, or systems which have undergone major changes, shall be audited within 6 months of implementation.
4. All systems, domains and processes, irrespective of their risk levels, shall be covered within a period of three years.
5. IS audit of critical branches will be carried out on a sample basis.
6. Notwithstanding the above, IT governance, information security governance, data center, IT processes, critical business applications and MIS systems shall be subjected to audit at least once a year.
7. Continuous auditing shall be introduced in critical areas in a phased manner.
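The risk-matrix rating of 7.1 and the frequency rules of section 9, worked through as an added Python example that is not part of the policy or the Bank's own tooling: it scores a constructed audit universe, bands each asset A/B/C, and derives the due date and last permissible date of the next audit, including the immediate re-rating after a significant incident and the 6-month rule for new or changed systems. The factor weights, the 1..5 probability and impact scales, the banding thresholds and the sample assets are assumptions; the intervals, extensions and once-a-year list are taken from the text.

```python
"""Risk-based IS audit scheduling following sections 7.1 and 9 of the policy.

Added example, not the Bank's own tooling. Intervals, extensions, the 6-month
rule and the once-a-year list come from the policy; factor weights, scoring
scales, banding thresholds and the sample assets are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Section 9 table: criticality -> (audit interval, extension permissible by Head-Audit), in months
INTERVALS = {"A": (12, 1), "B": (18, 2), "C": (36, 2)}
NEW_SYSTEM_MONTHS = 6   # new or materially changed systems audited within 6 months (9.3)
ANNUAL_MONTHS = 12      # IT governance, data center, critical applications, MIS (9.6)

# 7.1 risk factors. Each factor is scored 0 (low) .. 2 (high); the weights are assumed.
WEIGHTS = {
    "weak_internal_controls": 3, "financial_loss_potential": 3, "customer_facing": 2,
    "regulatory": 2, "transaction_value": 2, "confidentiality": 2,
    "previous_observations": 2, "complexity": 1, "major_changes": 1,
}


@dataclass
class Asset:
    name: str
    probability: int                  # likelihood of an untoward event, 1..5 (assumed scale)
    impact: int                       # business impact if it occurs, 1..5 (assumed scale)
    factors: dict[str, int] = field(default_factory=dict)
    last_audit: date | None = None
    go_live: date | None = None       # implementation or major-change date
    incident: bool = False            # significant incident since the last rating
    annual_minimum: bool = False      # on the once-a-year list of 9.6


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m0 + 1
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    return date(year, month, min(d.day, (next_first - timedelta(days=1)).day))


def risk_score(a: Asset) -> int:
    """Risk matrix cell (probability x impact) plus the weighted 7.1 factors."""
    return a.probability * a.impact + sum(WEIGHTS[k] * v for k, v in a.factors.items())


def criticality(a: Asset) -> str:
    """Band the score into A (high), B (medium) or C (low); thresholds are assumed."""
    score = risk_score(a)
    return "A" if score >= 30 else "B" if score >= 15 else "C"


def next_audit(a: Asset, today: date) -> dict:
    """Compute when the asset's next audit falls due and the last permissible date."""
    band = criticality(a)
    interval, extension = INTERVALS[band]
    if a.annual_minimum:
        interval = min(interval, ANNUAL_MONTHS)
    if a.incident:
        # 7.1: re-rate after a significant incident and audit immediately, no extension
        due, latest, reason = today, today, "significant incident"
    elif a.go_live and (a.last_audit is None or a.last_audit < a.go_live):
        due = add_months(a.go_live, NEW_SYSTEM_MONTHS)
        latest, reason = due, "new or changed system"
    elif a.last_audit is None:
        due, latest, reason = today, today, "never audited"
    else:
        due = add_months(a.last_audit, interval)
        latest, reason = add_months(due, extension), f"{band} interval {interval} months"
    return {"asset": a.name, "criticality": band, "score": risk_score(a),
            "due": due.isoformat(), "latest": latest.isoformat(),
            "reason": reason, "overdue": today > latest}


def audit_plan(assets: list[Asset], today: date) -> list[dict]:
    """Order the audit universe by due date (ISO strings sort chronologically)."""
    return sorted((next_audit(a, today) for a in assets), key=lambda r: r["due"])


TODAY = date(2024, 3, 15)   # constructed planning date
SAMPLE_ASSETS = [            # constructed audit universe
    Asset("Core banking system", 4, 5,
          {"customer_facing": 2, "financial_loss_potential": 2, "regulatory": 2, "transaction_value": 2},
          last_audit=date(2023, 2, 10), annual_minimum=True),
    Asset("Internet banking portal", 3, 4,
          {"customer_facing": 2, "confidentiality": 2, "previous_observations": 1},
          last_audit=date(2023, 6, 30)),
    Asset("Payroll package", 2, 2, {"complexity": 1}, last_audit=date(2022, 1, 15)),
    Asset("Payment switch (new)", 4, 5, {"customer_facing": 2, "major_changes": 2},
          go_live=date(2023, 11, 20)),
    Asset("Treasury system", 3, 5, {"financial_loss_potential": 2},
          last_audit=date(2023, 9, 1), incident=True),
]

if __name__ == "__main__":
    for row in audit_plan(SAMPLE_ASSETS, TODAY):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{row["due"]}  {row["criticality"]}  {row["asset"]:<25} latest {row["latest"]}  {flag}  ({row["reason"]})')
```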

10. COMPLIANCE AND CLOSURE OF AUDIT CYCLE :

The auditee shall be required to send comments/ compliance within a month from the date of issue of the final audit report. The report, along with compliance, if received, shall be placed before the Audit Committee of Executives (ACE). Based on the recommendation of the ACE, the report may, if required, be placed before the Audit Committee of the Board. Compliance shall normally be completed within 3 months from the date of the report. Any area remaining to be complied with shall be addressed within a defined time frame, which shall be fixed in consultation with Audit, and such timeline shall form part of the audit compliance. The audit cycle shall be deemed to be closed after verification by Audit that all major observations have been complied with.

11. AUDIT DOCUMENTATION :

Audit evidence/ information gathered by the IS auditor would be appropriately documented and organised to support the IS auditor's findings and conclusions. The following documents would form part of the audit documentation:
a. Test reports
b. Snapshot reports
c. E-mail correspondence
d. Audit Committee reports

12. RESTRICTION OF SCOPE :

In the event the IS auditor has reason to believe that sufficient audit evidence/ information cannot be obtained, the IS auditor shall disclose this fact in a manner consistent with the audit policy and the guidelines laid out herein for communication of audit results.

13. VALIDITY OF THE POLICY :

This IS Audit policy would be put into force after approval of the Audit Committee of Board and shall be reviewed annually to keep it current with regulatory and business requirements. Revision of the policy other than as stated herein shall be done only in case of any major changes in the IT control environment.

APPENDIX I

AUDIT APPROACH

I-1 Audit Phases

IS audit follows a three-phase process. The first phase is the audit planning phase, followed by the test of controls phase and finally the substantive testing phase. In the planning or first phase, an IS auditor must identify the various risks and exposures and the security controls which provide safeguards against these exposures.

The tests which need to be conducted to make the second phase of the audit effective are also planned in detail in the first phase. In the second phase, the security controls are tested. Control activities in an organisation are the policies and procedures used to ensure that appropriate actions are taken to deal with the organisation's identified risks. One of the primary areas of IS audit is to check the effectiveness of these security controls. Control activities, in turn, are divided into two major areas: System Controls and Physical Controls. Within System Controls, the security controls are the general controls and the application controls. General controls pertain to area-wise concerns such as controls over the data center, organisational databases, systems development and program maintenance. Application controls ensure the integrity of specific application software. Physical Controls include access control, transaction authorisation, segregation of duties, supervision, accounting records and independent verification. In the third or Substantive Testing Phase, individual transactions are tested. IS audit substantive tests extensively use computer assisted audit tools and techniques. Audit of Information Systems is a very challenging job, especially in the light of the fast changing pace of Information Technology, including Communication Systems. All these phases will be implicit in nature and would get reflected only through the Audit report.

I-2 Deciding the right approach :

Considering the vast scope of the various activities falling under the purview of IS Audit and the inherent risks built in, we need to formulate an approach for the Audit. Accordingly, we can adopt any of the following approaches :
1. Auditing around computers
2. Auditing through computers
3. Auditing with computers

I-2.1 Criteria for Auditing around computers :

When an application system, or a change to an application system, is simple, its logic is straightforward and a clear audit trail exists, this approach would be adopted. The process generates the audit trails, such as the generation of exception reports along with the main reports. Such systems have very low inherent risk, i.e. they are unlikely to be susceptible to material errors or irregularities or to be associated with significant ineffectiveness or inefficiencies in operations. Input transactions in such systems are in batch mode, and control is maintained using traditional methods like the separation of duties and management supervision. Further, the task environment in such systems is relatively constant and the system itself is rarely modified. This approach may be used when an application system uses a generalised package that is well tested and used by many users as its software platform. If the package has been provided by a reputed vendor, has received wide-spread use and appears error free, the auditors may decide to adopt this approach. Auditors should ensure that the organisation has not modified the package and that adequate controls exist over the source code and documentation to prevent unauthorised modification of the package. When high reliance is placed on the users rather than on the computer controls to safeguard the assets, maintain data integrity and attain effectiveness and efficiency objectives, this approach can be adopted. The primary focus of such an Audit would be to review input/ output/ batch control processes, operational procedures, user access controls, database/ network/ security controls, adherence to the various policies defined, linkages to other systems/ subsystems, version controls and alignment with organisational goals.

I-2.2 Criteria for Auditing through computers :

The IS auditors would use the computer to test the logic and controls existing within the system and also the records produced by the system. This approach increases the IS auditor's confidence in the reliability and applicability of the evidence/ information collected and evaluated. This approach is time consuming, as it needs an understanding of the internal working of an application system. The depth to which IS Auditing can be done through the computers depends on the complexity of the system, the standardisation of platforms and the development process, and the IS Auditor's own perception of the environment. The IS Auditor would review the E-R diagrams, data dictionaries, table design, code standardisation, script development process, business and system specifications, test data preparation and testing approach.

I-2.3 Auditing with computers :

Under this approach, the computer system and its programs are used as tools in the audit process. The objective is to perform substantive tests using the computer and its programs. The data from the auditee's computer system are retrieved to an independent environment. Audit interrogation and queries are carried out on such data using special programs designed for the purpose. This method is used where :
a) The application system consists of a large volume of inputs, producing a large volume of outputs, and where direct examination of the inputs/ outputs is difficult.
b) The logic of the system is complex.
c) There are substantial gaps in the visible trails.
The entire Audit approach will be implicit for an assignment and would get reflected in the IS Audit report.

I-3 Change control management :

Considering the fact that business runs on an on-going basis, most of the application systems, network systems and their various components constantly undergo changes. It is essential, therefore, that these changes take place in a controlled manner, in a controlled environment, and processes have to exist for the same. The IS Auditor would review changes made to all the systems on a need/ perception-of-risk or routine basis. This would be a fixed component of the IS Audit function.

I-4 IS Audit at Branches :

1. IS Audit from time to time may issue checklists for branches so that internal/ concurrent Auditors can use them at branches.
2. If special IS Audits need to be carried out at branches for evaluating data/ procedural integrity/ security or any such IS activity, the same would be outsourced with the prior approval of the appropriate authority through Head-Audit.
3. Visits to branches on a routine/ surprise basis may be planned for overall effectiveness.
4. Branch IS Audit reports compiled across branches would help IS Audit to carry out further planning. During the branch rating exercise, the IS Audit observations will get appropriate weightage.

I-5 Overall Assessment :

Based on various system documents, key discussions, risk assessment and evaluation of internal controls, IS Audit would make an overall assessment of the subject.

II AUDIT METHODOLOGY

II-1 Testing methodology Audit activity is broadly divided into 5 major steps for the convenience and effective conduct of audit. a) Planning IS Audit b) Tests of Controls c) Tests of Transactions d) Tests of Balances e) Completion of Audit a) Planning IS audit Planning IS audit includes understanding of the objectives to be accomplished in the audit, collecting background information, assigning appropriate 19

staff keeping in mind skills, aptitude etc., and identifying the areas of risk. Risk analysis of the operational systems is carried out to identify the system with the highest risk, considering the critical nature of the information processed through each system as well as the number and value of the transactions processed. This determines the extent of the detailed analysis and testing to be conducted on those systems. Risk assessment is done through review of previous audit reports/papers, interviews/interaction with management and Information Systems personnel, observation of activities carried out within the Information Systems function and review of Information Systems documentation.

b) Tests of Controls

As the IS Auditor participates in various activities and is in touch with employees, internal controls are tested to evaluate whether they operate effectively on an on-going basis. This includes testing of management controls and application controls. The objective is to evaluate the reliability of the controls and to find weaknesses in them relative to the IS audit objectives. The IS auditor would make recommendations to rectify the weaknesses observed during the course of an IS audit. Tests of controls are to be conducted right from the pre-design stage to the post-implementation stage. While carrying out tests of controls, the IS auditors should satisfy themselves regarding the following aspects of each control: identification, implementation, existence, adequacy, documentation, maintenance and monitoring.

c) Tests of Transactions

Tests of transactions are used to evaluate whether erroneous transactions have led to a material misstatement of the financial information and whether the transactions have been handled effectively and efficiently. The objective is to evaluate data integrity. Such tests include tracing journal entries to their source documents, examination of the price files, testing of computational accuracy and study of the transaction log. These tests also indicate the effectiveness of the database systems. CAATs (Computer-Assisted Audit Techniques) or any other suitable tools are useful for performing these tests.

d) Tests of Balances

In tests of balances, a judgment is made on the extent of the losses or account misstatements that occur when Information Systems fail to safeguard assets, maintain data integrity and achieve system effectiveness and efficiency goals. As regards the safeguarding-of-assets and data-integrity objectives, the typical substantive tests used are confirmation of receivables, physical verification of inventory and recalculation of depreciation on fixed assets. For the system effectiveness and system efficiency objectives, the tests to be conducted are still evolving.

e) Completion of Audit

This is the final stage of the IS audit. For an internal audit function, marking such a stage is difficult. However, in day-to-day practice, the IS auditor can give a "partial" or "full" sign-off at various stages of any project. IS Auditors are required to form their opinion, clearly indicating their findings, analysis and recommendations. Potential IS audit findings would be discussed with the appropriate/authorised personnel throughout the course of the IS audit. Preliminary conclusions and audit findings would be presented to the auditee at closure of the project. All potential findings with sufficient merit and preliminary IS audit recommendations should be included for discussion. Tasks/projects often get extended over a period of time; in such cases an intermediate report can be prepared to keep the auditees and Head-Audit informed of progress, and can be escalated to management on a need basis. The exit meeting should document and include the auditee's comments and questions concerning the preliminary IS audit recommendations.

Work papers used in the audit should be well organized, clearly written and address all the areas included in the IS audit. IS audit work papers should contain sufficient evidence/information of the tasks performed and the conclusions reached, including the results achieved, issues identified and authorized signatures approving the final opinion. A typical audit report will include, among others, an introduction to the audit objectives, scope and general approach employed, a summary of the critical findings, the data supporting the critical findings, potential consequences of the weaknesses, the auditee's responses and recommendations to rectify the weaknesses. It is difficult to frame one common model that will apply to all system audits due to the heterogeneous nature of IT systems. However, audit rating of IS audits shall be attempted based on criteria such as confidentiality, integrity, availability, reliability, performance etc.
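As an added example, not part of the Bank's policy manual or of any of its systems, the following Python script performs the tests of transactions described under c) above as a small CAAT: it traces journal lines to source documents, re-performs the computation against the price file, checks that each journal entry balances, and examines the transaction log for sequence gaps and duplicate postings. The journal extract, price file, source-document register, column names and finding codes are all constructed assumptions.

```python
"""Added example (not part of the Bank's policy manual): a small Computer-
Assisted Audit Technique (CAAT) that re-performs the tests of transactions
over a constructed journal extract. Every input below is an assumption."""

import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed price file (assumed columns): item code -> unit price.
PRICE_FILE = """item,unit_price
SVC-A,125.00
SVC-B,40.50
"""

# Constructed register of source documents (invoices) that journal lines
# are expected to trace back to.
SOURCE_DOCUMENTS = {"INV-1001", "INV-1002", "INV-1004"}

# Constructed transaction log / journal extract. Each journal entry (txn)
# carries a debit (DR) and a credit (CR) line; every line cites a source
# document. Seeded defects: seq 7 is missing, T3 cites an unknown document
# and mis-computes its credit, and T4 re-posts INV-1001 (already in T1).
JOURNAL = """seq,txn,account,side,amount,item,qty,doc_ref
1,T1,Receivables,DR,250.00,SVC-A,2,INV-1001
2,T1,Revenue,CR,250.00,SVC-A,2,INV-1001
3,T2,Receivables,DR,121.50,SVC-B,3,INV-1002
4,T2,Revenue,CR,121.50,SVC-B,3,INV-1002
5,T3,Receivables,DR,125.00,SVC-A,1,INV-1003
6,T3,Revenue,CR,120.00,SVC-A,1,INV-1003
8,T4,Receivables,DR,250.00,SVC-A,2,INV-1001
9,T4,Revenue,CR,250.00,SVC-A,2,INV-1001
"""


def load_prices(price_csv: str) -> dict:
    """Parse the price file into {item: Decimal(unit_price)}."""
    return {row["item"]: Decimal(row["unit_price"])
            for row in csv.DictReader(io.StringIO(price_csv))}


def run_transaction_tests(journal_csv: str, price_csv: str, source_docs: set) -> list:
    """Return a list of (test, reference, detail) findings so each failure
    can be cited against the exact journal entry or line."""
    prices = load_prices(price_csv)
    lines = list(csv.DictReader(io.StringIO(journal_csv)))
    findings = []

    # 1. Study of the transaction log: a gap in sequence numbers means a
    #    line was deleted or suppressed and must be explained.
    seqs = sorted(int(row["seq"]) for row in lines)
    for prev, cur in zip(seqs, seqs[1:]):
        if cur != prev + 1:
            findings.append(("log_gap", f"seq {prev}->{cur}", "missing sequence number(s)"))

    totals = defaultdict(lambda: {"DR": Decimal(0), "CR": Decimal(0)})
    postings = defaultdict(list)
    for row in lines:
        amount = Decimal(row["amount"])
        ref = f"{row['txn']}/seq {row['seq']}"

        # 2. Trace the journal line to its source document.
        if row["doc_ref"] not in source_docs:
            findings.append(("untraceable", ref, f"{row['doc_ref']} not in source documents"))

        # 3. Computational accuracy: amount must equal qty x unit price
        #    taken from the examined price file.
        if row["item"] not in prices:
            findings.append(("no_price", ref, f"{row['item']} absent from price file"))
        else:
            expected = prices[row["item"]] * int(row["qty"])
            if amount != expected:
                findings.append(("computation", ref, f"amount {amount} != {expected} per price file"))

        totals[row["txn"]][row["side"]] += amount
        postings[(row["doc_ref"], row["account"], row["side"], amount)].append(row["txn"])

    # 4. Every journal entry must balance: total debits == total credits.
    for txn, t in totals.items():
        if t["DR"] != t["CR"]:
            findings.append(("unbalanced", txn, f"DR {t['DR']} != CR {t['CR']}"))

    # 5. The same document posted twice to the same account and side for
    #    the same amount is a candidate duplicate (double billing/replay).
    for (doc, account, side, amount), txns in postings.items():
        if len(txns) > 1:
            findings.append(("duplicate", ",".join(txns),
                             f"{doc} posted {len(txns)} times to {account} {side} for {amount}"))

    return findings


if __name__ == "__main__":
    for test, ref, detail in run_transaction_tests(JOURNAL, PRICE_FILE, SOURCE_DOCUMENTS):
        print(f"{test:12} {ref:14} {detail}")
```

Run against the seeded extract it reports seven findings: one sequence gap, two untraceable lines, one computational error, one unbalanced entry and two duplicate postings; run against the first two entries only it reports nothing. In a real engagement the three inputs would be extracts obtained under IV-5 below, and the finding codes would map onto the work-paper references.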
II-2 Sub-system factoring:

Most IS systems are huge and highly complex in nature, encompassing various activities, procedures and people. Hence, it may not be possible to have comprehensive coverage of all activities at any given point of time. Typically, an organisation's requirements are divided into the management system and the application system. These systems can be further factored into various subsystems, based on inherent cohesiveness and interdependencies. Each factored subsystem can then be evaluated for audit purposes.

II-3 Control through IS procedural definitions:

IS environment controls, infrastructural controls, data integrity controls and operational controls form the fundamental basis for governing the various activities in the organisation. IS Audit would therefore lay great emphasis on the IS procedural manuals covering these topics, and would review these manuals for continuous enhancement and compliance.

II-4 Network and Security Audit:

All areas of the network, including the Wide Area Network, the Local Area Network, data centre management and the security architecture, shall fall under the purview of IS Audit. It is also important that the IS Security function of the Bank is self-sufficient to assess security risks, carries out its function effectively and shares its concerns/observations on implementation with IS Audit on a regular basis. IS Audit representatives will by default be members of the Information System Security Committee meetings for this purpose.

II-5 Checklists:

Various checklists shall be used by IS Audit and upgraded on an on-going basis. However, in practice, the audit function shall also include on-the-field assessment, correlated with the business environment, to perform an objective assessment of the audit object.

III. AUDIT CONSIDERATIONS FOR IRREGULARITIES:

Due professional care and observance of internationally accepted professional auditing standards would be exercised by the IS auditor in all aspects of IS auditing. The Information Systems Auditor will plan the information systems audit work to address the audit objectives and to comply with internationally accepted professional auditing standards. Further, during the course of IS auditing, the Information Systems Auditor would obtain sufficient, reliable, relevant and useful evidence/information to achieve the audit objectives effectively.
In addition, the audit findings and conclusions have to be supported by appropriate analysis and interpretation of this evidence/information by the IS auditor. The Information Systems Auditor will provide a report in an appropriate form to Head-Audit upon completion of the audit work. The audit report shall, among others, state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report shall identify the vertical heads in the organisation to whom it is circulated and also any restrictions on its circulation. In addition, the report shall state the findings, conclusions, recommendations and any reservations or qualifications that the IS auditor has with respect to the audit.

Some irregularities may be considered fraudulent activities. Whether an activity is fraudulent depends on the legal definition of fraud. Irregularities include, but are not limited to, the deliberate circumvention of controls with the intent to conceal the perpetration of fraud, the unauthorised use of assets or services, and the abetting or helping to conceal these types of activities. Non-fraudulent irregularities include, among others:

a) Intentional violations of established management policy.
b) Intentional violations of regulatory requirements.
c) Deliberate misstatements or omissions of information concerning the area under audit or the organisation as a whole.
d) Gross negligence.
e) Unintentional illegal acts.

The IS auditor would consider how to implement the internationally accepted standards in this regard, use professional judgment in applying them to IS auditing, and be prepared to justify any departure from them. Reporting of irregularities that IS Audit comes across would be routed to management through Head-Audit and governed by the Bank's Audit Policy Manual.

The IS auditor would assess the risk of occurrence of irregularities connected with the area under audit. In preparing this assessment, the IS auditor should consider the following factors:

a) Organisational structure, adequacy of supervision, compensation and reward structures, and the extent of corporate performance pressures.
b) Recent changes in operations or IS systems.
c) Types of assets held or services offered and their susceptibility to irregularities.
d) Strength of the relevant controls.
e) Applicable regulatory or legal requirements.
f) History of findings from previous audits.
g) The industry and the competitive environment in which the organisation operates.
h) Findings of reviews carried out outside the scope of audit, such as findings from consultants, quality assurance teams or specific management investigations.
i) Findings that have arisen during the day-to-day course of business.
j) The technical sophistication and complexity of the information system(s) supporting the area under audit.
k) Existence of in-house developed/maintained application systems, as compared with packaged software, for core business systems.

In planning the audit work appropriate to the nature of the audit assignment, the IS auditor would use the results of the risk assessment to determine the nature, timing and extent of the testing required to obtain sufficient audit evidence/information. This should provide reasonable assurance that irregularities which could have a material effect on the area under audit or on the organisation as a whole will be identified, and that control weaknesses which would fail to prevent or detect material irregularities will be identified.

If irregularities have been detected, the IS auditor would assess the effect of these activities on the audit object and on the reliability of the audit evidence. In such an event, the IS auditor shall act on the advice of Head-Audit. If the audit evidence/information indicates that irregularities could have occurred, the IS auditor shall recommend to the management of the Bank that the matter be investigated in detail. If the audit evidence/information indicates that an irregularity could involve an illegal act, the IS auditor shall consider recommending that legal advice be sought.

The detection of irregularities would be communicated promptly to Head-Audit. Head-Audit shall report to the Audit Committee of the Board through the Executive Director of the bank. The internal distribution of reports of irregularities would be carefully considered. The occurrence and effect of irregularities is a sensitive issue, and reporting them carries its own risks, including further abuse of the control weaknesses as a result of publishing details of them; loss of customers, suppliers and investors when disclosure (authorised or unauthorised) occurs outside the organisation; and loss of key staff and management in the organisation, including those not involved in the irregularity, as confidence in the management and the future of the organisation falls. In view of the above, the IS auditor would consider reporting the irregularity separately from any other audit issues if this would assist in controlling the distribution of the report. External reporting under legal or regulatory obligation would be routed through Head-Audit and governed by the Audit Policy.
The IS auditor, with the approval of audit management, would submit the report to Head-Audit on a timely basis. Where the audit scope has been restricted, the IS auditor would include an explanation of the nature and effect of the restriction in the audit report. Such restrictions may occur on account of the following:

a) The IS auditor has been unable to carry out further work considered necessary to fulfil the original audit objectives and to support the audit conclusions, due to unreliable audit evidence/information, lack of resources or restrictions placed on the audit activities by the management of the organisation.
b) Management has not carried out the investigations recommended by the IS auditor.


IV. AUDIT EVIDENCE/INFORMATION:

IV-1 Considerations under Audit Evidence:

When planning the IS audit work, the IS auditor would take into account the type of audit evidence/information to be gathered, its use as audit evidence/information to meet the audit objectives and its varying levels of reliability. Among the things to be considered are the independence and qualifications of the provider of the audit evidence/information. For example, corroborative audit evidence/information from an independent third party can be more reliable than audit evidence/information from the organisation being audited, and physical audit evidence/information is generally more reliable than the representations of an individual. The types of audit evidence/information the IS auditor should consider using include:

a) Observed processes and existence of physical items
b) Documentary audit evidence/information
c) Representations
d) Analysis

Observed processes and existence of physical items can include observations of activities, property and functions of the information systems, such as:

a) Inventory of media in an offsite storage location
b) Computer room security system in operation

Documentary audit evidence/information, recorded on paper or other media, can include:

a) Results of data extraction
b) Records of transactions
c) Program listings
d) Invoices
e) Activity and control logs
f) System development documentation

Representations of those being audited can be audit evidence/information, such as:

a) Written policies and procedures
b) System flowcharts
c) Written or oral statements

The results of analysing information through comparisons, simulations, calculations and reasoning can also be used as audit evidence/information. Examples include:

a) Benchmarking IS performance against other organisations or previous periods.
b) Comparison of error rates between application transactions and users.

IV-2 Availability of Audit Evidence/Information:

The IS auditor should consider the time during which the evidence/information exists or is available in determining the nature, timing and extent of substantive testing and, if applicable, compliance testing. For example, audit evidence/information processed by Electronic Data Interchange (EDI), Document Image Processing (DIP) and dynamic systems such as spreadsheets may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up. Since it is not possible for an internal auditor to make multiple copies of system documents, the IS auditor would sign the various documents produced for the purpose of audit and advise auditees to preserve these documents for further reference.

IV-3 Selection of Audit Evidence/Information:

The IS auditor would plan to use the best audit evidence/information attainable, consistent with the importance of the audit objective and the time and effort involved in obtaining it. Where audit evidence/information obtained in the form of oral representations is critical to the audit opinion or conclusion, the IS auditor would consider obtaining documentary confirmation of the representations, either on paper or on other media.

IV-4 Nature of Audit Evidence/Information:

Audit evidence/information should be sufficient, reliable, relevant and useful in order to form an opinion or support the IS auditor's findings and conclusions. If, in the IS auditor's judgment, the audit evidence/information obtained does not meet these criteria, the IS auditor should obtain additional audit evidence/information. For example, a program listing may not be adequate audit evidence/information until other audit evidence/information has been gathered to verify that it represents the actual program used in the production process.

IV-5 Gathering Audit Evidence/Information:

The procedures used to gather audit evidence/information vary depending on the information systems being audited. The IS auditor would select the most appropriate procedure for the audit objective. The following procedures should be considered:

a) Inquiry
b) Observation
c) Inspection
d) Confirmation
e) Re-performance
f) Monitoring

The above can be applied through manual audit procedures, Computer-Assisted Audit Techniques (CAATs) or a combination of both. For example, a system which uses manual control tools to balance data entry operations might provide audit evidence/information that the control procedure is in place by way of an appropriately reconciled and annotated report; the IS auditor should obtain audit evidence/information by reviewing and testing this report. Detailed transaction records may be available only in machine-readable format, requiring the IS auditor to obtain audit evidence/information using CAATs. Often, system records, design documents, system flow charts, system manuals and notes also form part of the audit evidence. It is, however, not possible to duplicate these records only for the purpose of audit. In all such events, Audit would send a communication to auditees to preserve a set of documents as part of the audit evidence.
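Added here as an example, not as the Bank's own procedure: the check from IV-4 (a program listing is adequate evidence only once it is shown to match the program actually in production) and the preservation requirement from IV-2 and IV-5 (the auditor signs the documents and asks the auditee to preserve them), expressed for electronic evidence in Python. The listing, the production program, the file names and the auditor's key are constructed assumptions, and the HMAC over the manifest stands in for the auditor's signature rather than being a mechanism the policy prescribes.

```python
"""Added example (not the Bank's own code): verify that a program listing
offered as evidence matches the production program, and preserve the
evidence set as a hashed, auditor-authenticated manifest. The artefacts
and the auditor's key below are constructed assumptions."""

import hashlib
import hmac
import json

# Constructed artefacts: the listing handed to the auditor, and the bytes
# retrieved from the production system for the same program. They differ
# in one constant, which a visual read of a long listing would miss.
LISTING_FROM_AUDITEE = b"PROC POST_INTEREST\n  RATE = 0.0725\n  CALL APPLY(RATE)\nEND\n"
PRODUCTION_PROGRAM = b"PROC POST_INTEREST\n  RATE = 0.0750\n  CALL APPLY(RATE)\nEND\n"

# Assumed secret held only by the auditor; it authenticates the manifest
# in place of the auditor's signature on paper documents.
AUDITOR_KEY = b"constructed-auditor-key"


def sha256_hex(data: bytes) -> str:
    """Content digest used for every item of evidence."""
    return hashlib.sha256(data).hexdigest()


def listing_matches_production(listing: bytes, production: bytes) -> bool:
    """IV-4: the listing is adequate evidence only if its digest equals
    the digest of the program retrieved from the production system."""
    return hmac.compare_digest(sha256_hex(listing), sha256_hex(production))


def _canonical(entries: dict) -> bytes:
    """Fixed serialisation so the same entries always MAC the same way."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(items: dict, key: bytes) -> dict:
    """items: file name -> bytes. Records a digest per item and an HMAC
    over the whole set, so later substitution or omission is detectable."""
    entries = {name: sha256_hex(data) for name, data in sorted(items.items())}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "auditor_mac": mac}


def verify_manifest(items: dict, manifest: dict, key: bytes) -> list:
    """Re-check a preserved evidence set against the manifest. Returns a
    list of problems; an empty list means the set is intact."""
    problems = []
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["auditor_mac"]):
        problems.append("manifest MAC does not verify: manifest altered or not the auditor's")
    for name, digest in manifest["entries"].items():
        if name not in items:
            problems.append(f"{name}: evidence missing from preserved set")
        elif not hmac.compare_digest(sha256_hex(items[name]), digest):
            problems.append(f"{name}: content changed since the manifest was created")
    return problems


if __name__ == "__main__":
    print("listing matches production:",
          listing_matches_production(LISTING_FROM_AUDITEE, PRODUCTION_PROGRAM))
    evidence = {"post_interest.src": PRODUCTION_PROGRAM,
                "listing_provided.txt": LISTING_FROM_AUDITEE}
    manifest = build_manifest(evidence, AUDITOR_KEY)
    print("problems on intact set:", verify_manifest(evidence, manifest, AUDITOR_KEY))
```

On the constructed inputs the listing does not match production, so it would be recorded as a representation of the auditee rather than as evidence of the program in use; both files still go into the preserved set, and any later change to either, or to the manifest itself, is reported by verify_manifest.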


DOS AND DONTS FOR INSPECTION / INTERNAL AUDITORS

Dos: The Inspecting / Internal Auditors should

1. Carry out a pre-inspection study of the branch by going through the auditee-related off-site surveillance reports and prerequisite documents.
2. Prepare a proper audit plan based on 1 above.
3. Maintain utmost secrecy with regard to the inspection programme and its findings.
4. Display team spirit and avoid misunderstandings/arguments in the presence of auditees.
5. Commence inspection of the branch before commencement of business hours to verify the physical cash, security arrangements etc.
6. Act in a normal, friendly fashion and help to improve the normal working of the branch.
7. Discuss findings with branch officials on a daily basis and try to rectify the defects then and there.
8. Give auditees a chance to express their opinion while discussing the issues. Getting a proper explanation in a co-operative atmosphere will save precious time.
9. In case of difference of opinion with the auditee, first discuss with the leader of the team. Further discussion at a higher level may be held if required.
10. If the inspecting officer comes across any information which causes him to suspect any element of fraud, gross negligence, gross incompetence or similar unfavourable actions or tendencies, report the matter to the leader of the team immediately.
11. Keep a continuous dialogue with the leader of the team on important findings and be guided by his advice.
12. Maintain a neat appearance and a courteous manner.

Don'ts:

1. The auditor need not act overly reserved or unfriendly in order to maintain his independence as an inspecting officer. A forbidding attitude on his part may well cause others to adopt the same attitude towards him, which can adversely affect the work entrusted to the inspecting officer.
2. The auditor should not get involved in heated arguments with the auditee.
3. The auditor should not give orders to the auditee; requirements should be sought from the officer assigned to assist him on a particular job. The concerned officer would issue the necessary orders to his employees if he accepts the inspector's suggestions and recommendations.
4. The auditor should not delay the submission of the audit report.
5. The auditor should not discuss sensitive matters of the auditee with others.

-- :: --
