Audit Policy - Bandhan Bank
Audit Policy, Ver. 7 Page 2 of 102
Charter for the Internal Audit Department
and
Audit Policy
Document Owner: Chief Audit Executive, Bandhan Bank Limited.

Version History:

Version   | Author                | Recommended by               | Approved by        | Date of Approval | Effective date
Version 1 | Head Internal Audit   | -                            | Board of Directors | July 10, 2015    | July 10, 2015
Version 2 | Head Internal Audit   | Audit Committee of the Board | Board of Directors | May 11, 2016     | May 11, 2016
Version 3 | Chief Audit Executive | Audit Committee of the Board | Board of Directors | April 26, 2017   | April 26, 2017
Version 4 | Chief Audit Executive | Audit Committee of the Board | Board of Directors | July 7, 2018     | July 7, 2018
Version 5 | Chief Audit Executive | Audit Committee of the Board | Board of Directors | June 14, 2019    | June 14, 2019
Version 6 | Chief Audit Executive | Audit Committee of the Board | Board of Directors | October 12, 2020 | October 12, 2020
Version 7 | Chief Audit Executive | Audit Committee of the Board | Board of Directors | May 6, 2021      | May 6, 2021
VALIDITY OF THE POLICY
This Audit Policy would be put into force after approval of the Board.
POLICY UPDATION
The documents and processes described herein are subject to review by the Authorities from time to
time as per the need of the Bank for the effective functioning of Internal Audit.
The Policy shall be subjected to review at least once annually to keep it current with regulatory /
statutory and business requirements. Revisions other than as stated herein shall be done only in
case of any major regulatory / environment changes, which shall be placed for ratification before
the ACB / Board.
Contents of the Document
Part – I ... 6
Charter for the Internal Audit Department ... 6
1 Introduction ... 7
2 Authority ... 7
3 Audit Department ... 8
4 Roles & Responsibilities ... 9
4.1 Senior Management
4.2 Chief Audit Executive or Head of Internal Audit ... 9
4.3 Heads of General Banking Audit verticals and Micro Banking Audit verticals ... 10
4.4 Offsite Audit Head ... 10
4.5 Information System (IS) Audit Head ... 11
4.6 Head Concurrent Audit ... 11
4.7 Team Leaders of Audit verticals ... 11
4.8 Cluster Audit Heads of Banking Unit audits ... 11
5 Selection and Recruitment for IA Department ... 12
5.1 Qualification and Experience Profile of the Internal Auditor ... 12
5.2 Age Profile ... 12
5.3 Rotation ... 13
6 Code of Ethics for Internal Auditor ... 13
6.1 Integrity, Objectivity & Independence of Internal Auditor ... 13
6.2 Confidentiality ... 14
6.3 Proficiency and Due Professional Care ... 14
7 Duties of the Internal Auditor ... 16
8 Limitations ... 16
Part – II ... 18
Audit Policy ... 18
Preamble ... 19
1 Risk Governance Model - Three Lines of Defence ... 19
1.1 Independence ... 20
1.2 Reporting Structure ... 21
1.3 Risk Based Internal Audit (RBIA) ... 21
1.4 Expectation Setting ... 22
2 Risk Assessment Framework ... 23
2.1 Identification of Audit Universe ... 23
2.2 Risk assessment methodology ... 25
3 Risk Matrix for the Bank ... 26
3.1 Measurement of impact of risk parameters ... 27
3.2 Control Risk evaluation for a business group ... 28
3.3 Risk Profiling of Auditable Units ... 30
3.4 Direction of Risk ... 30
4 Audit Planning ... 31
4.1 Training Needs Assessment ... 31
4.2 Frequency of audits ... 32
4.3 Frequency of Risk Based Internal Audit ... 32
4.4 Audit Scope and Coverage ... 33
4.5 Audit Report ... 33
5 Issue Assessment Framework, Reporting and Communication ... 34
5.1 Escalation Matrix ... 36
6 Audit Ratings (Other than BU) ... 37
7 Compliance Report / Issue tracking Standards ... 37
8 Other relevant features of the audit policy ... 39
9 Audit of Banking Units (BU) ... 39
10 Offsite Audit ... 41
11 Snap / Special audit ... 43
12 Concurrent Audit ... 44
13 Audit of Head Office (HO) Departments / Products & Processes ... 44
14 Credit Audit ... 44
15 Audit Committee of Executives (ACE) ... 45
15.1 Constitution of Audit Committee of Executives (ACE) ... 45
15.2 The functions of the proposed ACE are listed below ... 46
Annexure I - Issue Assessment Framework for Audit of Branches ... 47
Annexure 3 - Issue Assessment Framework for Audit of Small Enterprise Loans (SEL) ... 53
Annexure 4 - Issue Assessment Framework for Credit Audit ... 55
Annexure 5 - Issue Assessment Framework for Audit of Housing Finance ... 57
Annexure 6 - Concurrent Audit ... 60
Part III ... 68
Information System Audit Policy ... 68
Preamble ... 69
1 IS Audit Policy ... 69
1.1 Definition ... 69
1.2 Mission Statement ... 69
1.3 Aims/Goals of IS Audit Policy ... 70
1.4 Scope of IS Audit ... 70
1.5 Objectives ... 71
1.6 Independence ... 71
1.7 Relationship with external IS Auditors ... 71
1.8 Relationship with Internal Auditors ... 72
1.9 Coverage of Outsourced Services ... 72
1.10 Critical Success Factors ... 72
2 Authority ... 73
2.1 Right to Access Information ... 73
2.2 Scope or any limitations of scope ... 73
2.3 Functions to be audited ... 73
2.4 Reporting relationship ... 73
2.5 IS Audit Skills ... 74
3 Accountability ... 74
4 IS Audit Planning ... 74
4.1 Risk Based Audit Approach ... 74
4.2 Defining the IS Audit Universe ... 75
4.3 Information System Risk Assessment methodology ... 75
4.3.1 Identification of inherent risks in Information system units ... 76
4.3.2 Measurement of impact of risk parameters ... 77
4.3.3 Control Risk evaluation and rating of an IS System ... 77
4.3.4 Risk Matrix for the Information Systems of the Bank ... 78
4.3.5 Risk Profiling of Auditable Units ... 79
4.4 Scoping for IS Audit ... 79
4.5 Documenting the Audit Plan ... 80
5 Issue Assessment Framework ... 80
6 Performance of Audit Work ... 82
6.1 Review of System Strategies ... 82
6.2 Review of system related policies / compliance ... 82
6.3 Organization and Administration ... 82
6.4 Review of system responsibilities of owners of business process ... 83
6.4.1 Consideration of external factors ... 83
6.4.2 Materiality ... 83
7 Frequency of Audit ... 84
8 Compliance and Closure of Audit Report ... 84
9 Audit Documentation ... 85
10 Restriction of Scope ... 85
IS Annexure – I: Audit Approach ... 86
IS Annexure – II: Audit Methodology ... 88
IS Annexure – III: Audit Considerations for Irregularities ... 91
IS Annexure – IV: Audit Evidence / Information ... 92
IS Annexure – V: Issue Assessment Illustrations ... 95
Glossary ... 100
1 Introduction
“The Charter for the Internal Audit Department” is approved by the Audit Committee of
the Board and it defines the Internal Audit Department’s purpose, authority, stature,
responsibility and position within the organization.
The Audit Policy is prepared with reference to best practices and the Standards on
Auditing issued by ICAI, the guidelines issued by the Basel Committee on Banking
Supervision (BCBS), the Institute of Internal Auditors (IIA) and the International Standards for
professional practice, as issued from time to time.
2 Authority
The internal audit activity, with strict accountability for confidentiality and safeguarding
of records and information, shall be authorised full, free and unrestricted access to any
and all records, physical properties and personnel pertinent to carrying out any
engagement. All employees of the Bank are expected to assist the Internal Audit activity
in fulfilling its roles and responsibilities.
Following are the facilities which need to be ensured by the Bank for the Internal Audit
function:
i) The Internal Audit Department in the Head Office shall be provided a separate sitting
arrangement and sufficient record room to keep their audit records and files safe and
intact along with separate sets of computers and its peripherals and other
communications facility.
Additionally, the Internal Audit Department shall be provided with an access to a
separate server space or file server in the Bank. The access to the server space or file
server should be provided to all members of the internal audit department. This
server or storage space should be a common drive where all audit reports, audit
evidences & correspondences should be stored for record purposes and ready
retrieval.
ii) The Internal Auditor should have full and free access to all departments and all
records. Internal Audit is free to review and critically appraise any activity of the
Departments/authorities, but its review and appraisal does not in any way relieve
the Executives and Line supervisors of their responsibilities, as internal audit is an
advisory function.
iii) The usefulness of the internal audit will depend much on the co-operation and
working facilities provided to the department.
iv) Head of Internal Audit would have power to split the yearly programme as approved
by the Audit Committee into detailed quarterly programme / monthly programme.
All tours and contingency will be planned accordingly.
v) Internal Audit department should not be involved in any operational activities like
tendering, hiring, etc.
vi) Due to large number of Departments/ Disciplines, it will not be possible to audit all
the Departments/ Disciplines each year. Therefore, selection of the Departments/
disciplines for audit should be in line with the Risk Based Audit Plan, where
preference should be given to those Departments/Disciplines which have been
identified as high risk areas as per audit policy or which by nature of their activities
and as revealed by past experience, are more sensitive. The functions selected for this
purpose should include those where lapses and inadequacy of internal control may
result in considerable financial losses.
3 Audit Department
The Internal Audit Department will be an independent department. Neither the Chief
Audit Executive nor any Internal Auditors shall have any reporting relationship with the
business verticals, shall not assume operational responsibilities and shall not be given
any business targets. Persons transferred to or temporarily engaged by the Internal Audit
department should not be assigned to audits of activities which they previously
performed until a reasonable period of time has elapsed.
The Audit Policy of the Bank depicts the proposed organization chart showing internal
audit set-up, their locations and area of activities. Based on strength available, the
preference shall be given to plan audits with the internal team. In absence of required
manpower strength or the requisite skillsets, specific Internal Audits can be outsourced
by the CAE in consultation with the MD & CEO, subject to the ACB being assured that
such expertise does not exist within the audit function of the bank. However, the
ownership of the audit reports in all such cases shall rest with regular functionaries of the
internal audit function.
4 Roles & Responsibilities
The Duties and responsibilities of various functionaries of the bank including the internal
audit department are as under:
4.1 Role of Senior Management
i) Senior management shall be responsible for developing an adequate, effective and
efficient internal control framework that identifies, measures, monitors and
controls all risks faced by the bank.
ii) It should maintain an organisational structure that clearly assigns responsibility,
authority and reporting relationships and ensures that delegated responsibilities
are effectively carried out.
iii) Senior Management should inform the internal audit function of new
developments, initiatives, projects, products and operational changes and ensure
that all associated risks, known and anticipated, are identified and communicated
at an early stage.
iv) Senior management should be accountable for ensuring that timely and
appropriate actions are taken on all internal audit findings and recommendations.
v) Senior management should ensure that the head of internal audit has the necessary
resources, viz. staff, financial tools and otherwise, available to carry out his or her
duties commensurate with the annual internal audit plan, scope and budget
approved by the audit committee, thereby enabling the auditors to carry out their
assignments with objectivity.
4.2 Chief Audit Executive or Head of Internal Audit
The Head of Internal Audit, as defined in the RBI circular, will be designated as Chief
Audit Executive of the bank.
i) To update the Audit Policy from time to time and place the same before the ACB for
approval.
To update the Audit Manuals and Audit Department’s organization chart from time
to time and get the same approved by the competent authority.
ii) To timely inform the Management about the findings of all the Internal Audits
undertaken by internal auditors along with the compliances given by Head of the
auditee units.
iii) To investigate the matters assigned by the Audit Committee from time to time.
iv) To finalize the Audit plan for the Bank as a whole and obtain the approval of the
ACB.
v) To submit MIS in a timely manner and inform the MD & CEO and the ACB on all matters
pertaining to the Internal Audit Department.
vi) Design appropriate training programme for the executives in internal audit.
vii) To arrange for periodical internal audit in accordance with the audit plan.
viii) To arrange for a special audit as and when required and also as per the direction of
the management.
ix) To ensure prompt disposal of audit observations.
x) To update the checklist for audit at regular intervals based on the experience gained
during audit as well as based on changes in regulatory requirements or operations.
4.3 Heads of General Banking Audit verticals and Micro Banking Audit verticals
They shall be responsible for the audit plan of their respective audit verticals and shall
ensure smooth functioning of the audits under their respective vertical.
4.4 Offsite Audit Head
Bank has established an Offsite Audit vertical, headed by Head-Offsite Audit, within the
Internal Audit Department for offsite monitoring of certain transactions/activities at
branches/offices/BUs. The tasks for offsite monitoring team would be added/modified
based on new issues arising and based on feedback from field auditors.
For carrying out these tasks the Team will be provided with read only access to the MIS
databases and other systems to enable them to query the required data using tools like
SQL, etc.
The Offsite Audit Team will support on-field branch banking auditors and Banking Unit
auditors with the necessary reports/ inputs that may be required.
4.5 Information System (IS) Audit Head
Bank has established an IS Audit vertical, headed by Head-IS Audit, within the Internal
Audit Department. The scope of IS Audit covers all information systems used by the bank
and the related activities, viz. system planning, organization, acquisition, implementation,
delivery and support to end-users. The scope also covers monitoring of implementation
in terms of its process effectiveness, input/output controls and accomplishment of
system goals. The IS Audit scope includes testing of the processes for planning and
organizing the information systems activities and the processes for monitoring those
activities.
4.6 Head Concurrent Audit
The Head of Concurrent Audit, along with the CAE and Advisor Concurrent Audit, will
be responsible for satisfactory implementation of the Concurrent Audit system of the
Bank, including review and reporting of observations noted during the audit and their
timely compliance.
4.7 Team Leaders of Audit verticals
They shall be responsible for execution of the audits as per the allotted work in
accordance with the audit programme of their respective audit verticals.
4.8 Cluster Audit Heads of Banking Unit audits
They shall be responsible for execution of the audit plans in their BU audit clusters through
optimum utilization of the auditors allocated to them. The utilities and responsibilities of
the subordinates should be communicated to the Team Leader of the BU audit verticals.
5 Selection and Recruitment for IA Department
The Bank should have a well-defined HR policy, including the recruitment process and
the same should be applicable for the Internal Audit Department.
5.1 Qualification, Experience and Competence of the Internal Auditor
The qualification and experience requirements of the internal auditors for the department
should be well defined. Adequate number of resources of the Internal Audit Department
should be professionally competent, qualified and/or experienced bankers to ensure
effectiveness of the bank's internal audit function. The desired areas of knowledge and
experience shall include banking operations, accounting, information technology, data
analytics and forensic investigation, among others. Bank shall ensure that internal audit
function has the requisite skills to audit all areas of the bank. Given below are some
indicative qualifications / experience required:
Category                                   | Indicative qualification / experience
Professionally Qualified Persons           | Chartered Accountant / Cost Accountant / CISA / DISA / CAIIB / MBA
or Experienced Persons from the Department | i. Persons promoted under the departmental promotion process or persons with experience and knowledge in the respective domain; ii. Persons with technical qualifications and having field experience.
IS Auditor                                 | Appropriate number of CISA qualified persons; the remaining should have the required skills, knowledge and expertise.
Offsite Auditor                            | Persons with knowledge and experience in the banking sector in addition to experience in database querying and analysis.
Branch Auditor                             | Persons promoted or transferred through departmental action having the requisite experience in Branch Banking operations.
BU Auditor                                 | Persons promoted or transferred through departmental action having the requisite experience in Micro Banking operations.
Support Staff                              | Graduates or persons laterally hired or transferred through departmental action.

5.2 Age Profile
A conscious effort needs to be made to maintain a proper mix of people in the
department. A constant review should be done of the age profile of the internal auditors
to ensure that there are adequate numbers of fresh and young people willing to undertake
intensive travel.
Age limit for retired staff engaged as internal / concurrent auditors shall be capped at 70
years.
5.3 Rotation
The bank has a separate and independent Audit team and hence any staff posted to the
Audit team (career internal auditor or otherwise) shall work in the Department for a
minimum period of three years. After that, permanent staff within the Internal Audit
Department may be transferred to other departments. Transfer of any staff from Internal
Audit before the stipulated three years' period would require exception approval from
the CAE or Head-HR.
Vacancies so created can be filled by way of recruitment of suitable resources possessing
specialized knowledge useful for the audit function, from within the bank or outside, to
ensure continuity and adequate skills for the staff in the Audit Function.
Similarly, the maximum period for which an external concurrent auditor shall be allowed
to continue with a branch/business unit shall not be more than three years.
6 Code of Ethics for Internal Auditor
There are certain moral principles which the Internal Auditors should follow. These are
illustrative and not exhaustive; these provide the basic guidelines to the Internal Auditors
with regard to the moral hazards and conflicts which they may face while carrying out
Internal Audit assignments.
6.1 Integrity, Objectivity & Independence of Internal Auditor
i) Internal Auditor shall have an obligation to exercise honesty, objectivity, and
diligence in performance of their duties and responsibilities.
ii) Internal Auditors, holding the trust of the Bank, shall exhibit loyalty in all matters
pertaining to the affairs of the Bank.
iii) Internal Auditors shall refrain from entering into any activity which may be in conflict
with the interest of the Bank.
iv) Internal Auditors shall not accept a fee or a gift from an employee, a Contractor or a
supplier.
v) Internal Auditor must be fair and must not allow prejudice or bias to override his
objectivity. She/he should maintain an impartial attitude. The internal auditor should
not, therefore, to the extent possible, undertake activities, which are or might appear
to be incompatible with her/his independence and objectivity. For example, to avoid
any conflict of interest, the internal auditor should not review an activity for which
she/he was previously responsible.
vi) Internal Auditor should immediately bring any actual or apparent conflict of interest
to the attention of the appropriate level of management so that necessary corrective
action may be taken.
6.2 Confidentiality
i) Internal Auditor shall be prudent in the use of information acquired in the course of
their duties. She/he shall not use confidential information for any personal reason or
in a manner which would be detrimental to the interest of the Bank.
ii) Internal Auditor should not disclose any such information to a third party, including
employees of the entity, without specific authority of management/ client or unless
there is a legal or a professional responsibility to do so.
6.3 Proficiency and Due Professional Care
i) Internal Auditor should exercise due professional care in carrying out the work
entrusted to him in terms of deciding on aspects such as the extent of work required
to achieve the objectives of the engagement, relative complexity and materiality of the
matters subjected to internal audit, assessment of risk management, control and
governance processes and cost benefit analysis. Due professional care, however,
neither implies nor guarantees infallibility, nor does it require the internal auditor to
go beyond the scope of his engagement.
ii) Internal Auditor should have obtained the skills and competence necessary for
discharging his responsibilities, through general education and through technical
knowledge acquired by study and formal courses.
iii) Internal Auditor shall also have a continuing responsibility to maintain professional
knowledge and skills at a level required to ensure that the Bank receives the
advantage of competent professional service based on the latest developments in the
profession, the economy, the relevant industry and legislation.
iv) In cases of serious acts of omission or commission noticed in the working of the
bank's own staff or retired staff working as concurrent auditors, accountability action
would be fixed as per the extant process of the bank.
v) Ensure adherence to various Standards of Practice issued by Institute of Chartered
Accountants of India such as:
a) SA 230, Audit Documentation: (a) Audit documentation: The record of audit
procedures performed, relevant audit evidence obtained, and conclusions the
auditor reached. (b) Audit file: One or more folders or other storage media, in
physical or electronic form, containing the records that comprise the audit
documentation for a specific engagement.
b) SA 320, Materiality in Planning and Performing an Audit: The concept of
materiality is applied by the auditor both in planning and performing the audit,
and in evaluating the effect of identified misstatements on the audit and of
uncorrected misstatements.
c) SA 315, Identifying and Assessing the Risks of Material Misstatement
through understanding the Entity and its environment: The objective of the
auditor is to identify and assess the risks of material misstatement, whether due
to fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity’s internal
control, thereby providing a basis for designing and implementing responses to
the assessed risks of material misstatement. This will help the auditor to reduce
the risk of material misstatement to an acceptably low level.
d) SA 500, Audit Evidence: Information used by the auditor in arriving at the
conclusions on which the auditor’s opinion is based. Audit evidence includes
both information contained in the accounting records underlying the financial
statements and information obtained from other sources. The auditor shall
design and perform audit procedures that are appropriate in the circumstances
for the purpose of obtaining sufficient appropriate audit evidence.
e) SA 530, Audit Sampling: When designing an audit sample, the auditor shall
consider the purpose of the audit procedure and the characteristics of the
population from which the sample will be drawn. The auditor shall determine
a sample size sufficient to reduce sampling risk to an acceptably low level.
7 Duties of the Internal Auditor
Key objectives of the internal auditor can be summarized as:
i) To obtain sufficient appropriate audit evidence regarding compliance with the
provisions of those laws and regulations generally recognized to have a direct effect
on the determination of material amounts and disclosures in the financial statements.
ii) To perform specified audit procedures to help identify instances of non-compliance
with other laws and regulations that may have a significant impact on the functioning
of the entity.
iii) To respond appropriately to non-compliance or suspected non-compliance with laws
and regulations identified during the internal audit.
8 Limitations
Owing to the inherent limitations of an internal audit, there is an unavoidable risk that
some non-compliance with laws and regulations and consequential material
misstatements in the financial statements may not be detected, even though the internal
audit is properly planned and performed in accordance with the SIAs. In the context of
laws and regulations, the potential effects of inherent limitations on the internal auditor’s
ability to detect non-compliance are greater for such reasons as the following:
a) There are many laws and regulations, relating principally to the operating aspects of
an entity that typically do not affect the financial statements and are not captured by
the entity’s information systems relevant to financial reporting.
b) Non-compliance may involve conduct designed to conceal it, such as collusion,
forgery, deliberate failure to record transactions, management override of controls or
intentional misrepresentations being made to the internal auditor.
Whether an act constitutes non-compliance is ultimately a matter for legal determination
by a court of law. Ordinarily, the further removed non-compliance is from the events and
transactions captured or reflected in the entity’s information systems relevant to
financial reporting, the less likely the internal auditor is to become aware of it or to
recognize the non-compliance.
Preamble
The role of internal audit is to provide independent assurance that an organization’s risk
management, governance and internal control processes are operating effectively. The
Bank will have a risk based Annual Internal Audit Plan, approved by the Audit
Committee of the Board. Relevant audits and reviews will be carried out by the Internal
Audit Department in accordance with the audit methodology defined in the Audit Policy.
Under risk-based internal audit, the focus is prioritization of audit areas and allocation
of audit resources in accordance with the risk assessment of all areas and functions of the
Bank. It is therefore essential for the Bank to have a well-defined policy, for undertaking
risk-based internal audit. The policy shall include the risk assessment methodology for
identifying the risk areas, based on which the audit plan would be formulated. The
risk-based policy is to focus on frequency, prioritization, extent of checking,
risk assessment / profiling of activities / functions / products and their updating,
broadening of the risk classifications, etc. during the audit process.
This Audit Policy is formulated taking into consideration RBI requirements, best industry
practices and other factors as per the need of the Bank. It will come into effect
immediately on approval by the Board and will be in force until it is revised.
1 Risk Governance Model - Three Lines of Defence
To manage the different risks across its products and processes, the Bank has adopted
the ‘three lines of defence’ Risk Governance model. The first line of defence is line
management; the second line of defence comprises Risk Management, Compliance and
the other Control Functions; and the Internal Audit Department (IAD) is the third line of
defence.
This model defines the following responsibilities at various levels:
i) FIRST LINE of DEFENCE: Primary accountability for identifying, assessing and
managing the various operational and compliance risks pertaining to their business
or area of operation (e.g. Branches, Treasury, Information Technology, etc.) rests with
Heads of Business Units and Departments.
ii) SECOND LINE of DEFENCE: Risk Management, Compliance and other Control
Functions:
a) Have to coordinate, oversee and objectively challenge the execution of business
/ operations (keeping in mind the risk and control framework), management, etc.
b) Are independent of the management and personnel that originate or manage the
risk exposures
c) Have the power to escalate / veto high risk business activity
iii) THIRD LINE of DEFENCE: IAD is independent of both business and risk functions
and performs independent evaluation / assessments of the first two lines of defence.
IAD places reliance on review procedures conducted by the two lines of defence and
effectively uses the results in assessing and developing an audit approach which is a
judicious combination of various assurance practices that are in place. This approach
promotes the convergence between various monitoring, evaluation and assessment
procedures and aims at reducing redundancies (in terms of time, cost and effort).
1.1 Independence
The Internal Audit function shall be an independent function with the ability to provide
independent assurance and consulting services designed to add value and improve the
Bank’s operations and also make appropriate recommendations for improving the
corporate governance, including ethics and values of the Bank. The Head of Internal
Audit shall be a Senior Executive having relevant experience with no operational or
business responsibilities, shall have the ability to exercise independent judgement and
shall be appointed for a reasonably long period, preferably for a period of three years.
The Board and Audit Committee of the Board shall be kept informed of any change in
Head of Internal Audit, as also reasons for the change in the incumbent. The name of
Head of Internal Audit and any change in incumbency shall be intimated to RBI, as &
when it takes place.
1.2 Reporting Structure
The Chief Audit Executive (Head of Internal Audit) shall functionally report to the MD
& CEO of the bank. Audit Committee of Board shall meet the CAE (HIA) at least once in
a quarter, without the presence of the senior management, including the MD & CEO.
The ‘reviewing authority’ shall be with the ACB and the ‘accepting authority’ shall be
with the Board in matters of Performance Appraisal of the HIA.
All ACB directions will be monitored by the CAE.
Accordingly, the overall structure of the Internal Audit Department shall be as given
below:
1.3 Risk Based Internal Audit (RBIA)
RBI vide its circular no. DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002
provided a guidance note on Risk Based Internal Audit. RBI advised initiation of
necessary steps to prepare a risk-based internal audit system in a phased manner,
keeping in view Bank’s risk management practices, business requirements, manpower
availability etc.
A sound internal audit function plays an important role in contributing to the
effectiveness of the internal control system. The audit function shall provide high quality
counsel to the management on the effectiveness of risk management and internal controls
including regulatory / statutory compliance by the bank.
1.4 Expectation Setting
This step facilitates the alignment of IAD resources with the Bank’s business objectives to
maximize the value delivered to business by IAD and hence it forms a key cornerstone of
IAD planning. This activity which requires extensive interaction between the IAD and
Top Management would be accomplished through workshops, facilitated sessions, one-
to-one interactions, or other forums considered appropriate by IAD.
The following are the key milestones of this activity:
i) Risk assessment: Risk Assessment is a critical and important part of Planning. It
includes the process of identifying the risks, assessing the risk, taking steps to
reduce the risks to acceptable levels, considering both probability and impact of
the risks. Risk Assessment allows the auditor to determine the scope of the audit
and nature, extent and timing of audit. Risk Assessment mainly implies Inherent
risk assessment, control risk assessment and the residual risk. The Auditor should
satisfy himself that the risk assessment procedure adequately covers the periodic
and timely assessment of all the risks.
ii) Prioritization of business objectives through identification of priority / focus
level of business areas: Priority should be given to the risk that has the potential
to cause significant impact and harm.
iii) Scope, coverage and management expectations from IAD: Coverage would
specify the extent of audit work to be conducted. Management's expectation is that
the outcome of the audit satisfies the objective and the requirements of all the
stakeholders. So that there is no confusion, the scope, coverage and management
expectation should be clearly defined and integrated as a part of the Planning
exercise.
iv) Timelines with respect to completion and presentation of results to
management: Timeline is an essential milestone to measure the achievement of
objectives of audit. It defines the timeliness of delivery of required deliverables to
various stakeholders. Reports should be issued in a timely manner, to encourage
prompt corrective measures. When appropriate, the auditor should report
significant findings promptly to the concerned persons.
2 Risk Assessment Framework
The risk assessment framework would include the following:
i) Identification of Audit Universe
ii) Inherent Risk Assessment
iii) Control Risk Assessment
iv) Residual Risk Assessment.
All the activities will be reviewed annually along with the overall Policy.
2.1 Identification of Audit Universe
The first step in performing the risk assessment is to identify various business groups
and support functions within the Bank based on which the inherent risk profile would be
prepared and presented for each such group. The groups shall be identified and updated
to remain aligned with the other prevailing frameworks for management oversight and
control of the business and operations. Thus the Audit Universe of the Bank comprises
the Business, Operation, Corporate Centre and other Support groups, collectively
called “Business Groups”. Each Group is further broken up into auditable units/areas.
Based on the risk assessment process explained below, a risk matrix for the Bank,
comprising all the Business groups is drawn up. Further a risk matrix for each Business
Group comprising various auditable units/ areas, is also drawn up.
At the beginning of the year, as a first step towards preparation of the RBAP (Risk Based
Audit Plan), a list of all Business Groups and their auditable units/areas is drawn up.
This list will be reviewed during the financial year to evaluate and incorporate
modifications required on account of changes, if any, in the control environment of the
auditee units within the same business / group.
The Audit Universe would cover the following units and activities:
• Branch Banking
• Micro Banking i.e., Banking Units (BUs)
• Central Processing Units (CPU)
  o Account Opening
  o Accounts Modification Unit
  o Collateral & Logistics Unit
  o Loan Processing Unit
  o Phone Banking Unit
  o Corporate Internet Banking Admin Function
  o EDC MID/TID processing
  o Aadhaar Enrolment and updation Operation
• Head Office Departments (in alphabetical order):
  o Administration
  o Banking Operations & Customer Service
  o Business Intelligence Unit
  o Company Secretary
  o Compliance
  o Corporate Branding & Communication
  o Corporate Legal
  o Corporate Services
  o Finance & Accounts
  o Fraud containment and Monitoring Department
  o Human Resource
  o Information Security
  o Information Technology
  o Logistics & Purchase
  o Payments and Settlement system (as per NPCI guideline)
  o Retail Banking including Head, ZH, RH & CH
  o Risk
  o Third Party Products
  o Treasury
  o Vigilance
  o Wholesale Banking including the controlling offices at all places
• Products, Processes and Activities:
  o Outsourced Activities (including payment gateway service providers)
  o Following loan products at various Asset Centres:
    • Retail Assets (Housing Loans, Loans against Property, Personal Loans, Two wheeler Loans, Gold Loans etc.)
    • Small Enterprises Loans (SEL)
  o SME Loans
  o Any other Loans & Advances (Funded or Non-funded)
  o Debit/ATM Cards and Credit cards
  o Merchant acquisition business
  o Forex & Trade Finance
2.2 Risk assessment methodology
The risk assessment process should, inter alia, include the following: -
Risk Assessment for Business Groups based on business model
i) Identification of inherent business risks in each Business Group in the bank;
ii) Evaluation of the effectiveness of the control systems for monitoring the inherent
risks of the business groups (`Control risk’);
iii) Drawing up a risk-matrix taking into account both factors, viz., inherent and
control risks, as per the illustrative risk matrix in Section 3.
The steps to be followed are detailed hereunder:
i) The basis for determination of the inherent risk (high, medium, low) should be
clearly spelt out.
ii) The process of inherent risk assessment may make use of both quantitative and
qualitative approaches.
iii) Comparison of the current residual risk of auditable units with that of the previous
audit to assess the effectiveness of the control environment and assess the direction
of risk.
While the quantum of credit, market, and operational risks could largely be determined
by quantitative assessment, a qualitative approach may be adopted for assessing the
regulatory and reputation risks in various business groups. In order to focus attention on
areas of greater risk to the bank, an activity-wise and location-wise identification of risk
should be undertaken.
The risk assessment methodology will also include, inter alia, the following parameters:
• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant change in management / key personnel
• Results of latest regulatory examination report
• Reports of external auditors
• Volume of business including quantum of cross selling and complexity of activities
• Substantial performance variations from the budget etc.
• Operational Risk, Credit and Market Risk parameters, like CTR/STR, NPA, etc.
• Number of Customer complaints
• Industry trends and other environmental factors
• Time elapsed since last audit
3 Risk Matrix for the Bank
Based on the Control Risk Score and the Inherent Risk Scores, a Risk Matrix for the Bank
is prepared comprising all Business Groups. Based on the Inherent Risk and Control Risk
for each group, the group will be placed in the Risk Matrix.
Inherent Risk
Inherent Business risks indicate the intrinsic risk in a particular area/activity of the Bank
and could be grouped into low, medium and high categories depending on the severity
of risk.
For ease of determination, all the primary risks will be grouped into six categories,
namely, credit risk, market risk, operation risk, regulatory risk, reputation risk, and
information technology risk. These may be further broken down into risk parameters as
under:
i) Operations Risk
a) Volume of transaction
b) Complexity
c) Documented process
d) Staff skills
e) Frequent changes in process
f) System Support
ii) Market Risk
a) Risk from changes in interest/exchange rates
b) Laid down system support
c) Availability of tools/models
d) Skill sets
iii) Reputation Risk
a) Impact of process on reputation of Bank
b) Extent of customer interaction
c) Risk on account of outsourcing
d) Proper grievance handling mechanism
iv) Credit Risk
a) Existence of proper credit appraisal process
b) Complexity of products
c) Existence of strong Delegation of Financial Power (DFP) System
d) Level of delinquencies
v) Regulatory Risk
a) Degree of regulation in process
b) Complexity of regulation
c) Existence of compliance risk monitoring process
d) Regulatory findings
vi) IT Risk
a) Complexity of system
b) Vulnerability of system to cyber attacks
c) Dependence on external vendor for system support
d) Existence and effectiveness of BCP/DRP
3.1 Measurement of impact of risk parameters
The risk parameters as defined above for all the primary risks are considered for arriving
at the score for Inherent Risk. A high, medium or low score is assigned to each parameter,
wherever applicable. Based on these scores for each risk parameter, an aggregate score
for that risk category is quantified and a score on the scale of 1 to 6 (High 5-6, Medium 3-
4 and Low 1-2) is awarded to each of the six primary risks listed above. Where a business
group is not exposed to a particular risk, a score of zero is given.
Thus the maximum Inherent Risk score for any business group would be 36 (aggregate
of the six primary risks). Based on discussion and internal judgment, an inherent risk of
up to 20% may be considered as “low”, between 21% and 50% may be considered as
“medium” and inherent risk greater than 50% may be considered as “high”.
3.2 Control Risk evaluation
The previous audit rating would indicate the level of control risk. Control risks arise out
of inadequate control systems, deficiencies/gaps or likely failures in the existing control
processes, incidents pointing to gaps in implementation of control processes etc. The
control risks could also be classified into low, medium and high categories. Control Risk
would be numerically indicated on a “0 to 100” scale, with a score of “0” being the ideal
score, which would indicate that the risks are fully covered by the existing controls.
In order to measure the extent to which the inherent risks are addressed by controls,
threshold limits i.e. three levels of threshold for measurement of Control Risk viz.,
“High”, “Medium” and “Low” have been defined. These would be expressed in terms of
percentage as under:
Control Risks   Score
Low             Less than 15%
Medium          15% to 30%
High            Above 30%
The gaps observed in the control risks vis-à-vis the inherent risks lead us to the residual
risk. The residual risks can be classified into Extremely High, Very High, High, Medium
and Low based on the following, and accordingly fall in the respective cells of the Risk
Matrix (as under):
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks | Control Risks: Low | Control Risks: Medium | Control Risks: High
High                    | “4” High Risk      | “2” Very High Risk    | “1” Extremely High Risk
Medium                  | “7” Medium Risk    | “5” High Risk         | “3” Very High Risk
Low                     | “9” Low Risk       | “8” Medium Risk       | “6” High Risk

[ Inherent Risk: Low 0-7, Medium 8-18, High 19-36 ] Scale of 0 to 36
[ Control Risk: Low <15%, Medium 15%-30%, High >30% ] Scale of 0 to 100
In the overall risk assessment both the inherent business risks and control risks should
be factored in. The overall risk assessment as reflected in each cell of the risk matrix is
explained below:
1 – Extremely High Risk – Both the inherent business risk and control risk are high which
makes this an Extremely High Risk area. This area would require immediate audit
attention, maximum allocation of audit resources besides ongoing monitoring by the
bank’s top management.
2 – Very High Risk – The business unit/area is perceived to have “high” inherent risk,
which, coupled with medium control risk, makes this a Very High Risk area.
3 – Very High Risk – Although the inherent business risk is medium, this is a Very High
Risk area due to high control risk.
4 – High Risk – The business unit/area is perceived to have “high” inherent risk, but the
control risks, as borne out by the previous audit ratings, are low (cells 4, 5 & 6 are High Risk).
5 – High Risk – Although the inherent business risk is medium this is a High Risk area
because of control risk also being medium.
6 – High Risk – Although the inherent business risk is low, due to high control risk this
becomes a High Risk area.
7 – Medium Risk – Although the control risk is low this is a Medium Risk area due to
Medium inherent business risks.
8 – Medium Risk - The inherent business risk is low and the control risk is medium.
9 – Low Risk – Both the inherent business risk and control risk are low.
3.3 Risk Profiling of Auditable Units:
Where any Business group itself comprises several independent auditable units with
different levels of controls, like branch banking etc., the following approach will be taken:
A risk map of all the auditable units will be prepared taking the “inherent risk” of the
individual units to be the same as that of the group. The control risk of the individual
auditable units would be derived from the previous audit ratings as well as other factors
like any frauds detected etc.
3.4 Direction of Risk:
i) If the Current Control Risk Score is more than 3% of the previous Audit score, the
Direction of Risk would be considered as “Decreasing”
ii) If the Current Control Risk Score is in the range of +3% to – 3% of previous Audit
score, the Direction of Risk would be considered as “Stable”
iii) If the Current Control Risk Score is less than 3% of the previous Audit score, the
Direction of Risk would be considered as “Increasing”
In addition to the above, where the direction of risk is found to be increasing, the below
shall also be taken into consideration, for the limited purpose of deciding the frequency
of next audit, as under:
i) If the difference in Control Risk score between the previous audit and the current audit
is greater than 5% but less than 10%, then 5% will be deducted from the current audit
score to arrive at the Control Risk score.
ii) If the difference in Control Risk score between the previous audit and the current audit
is between 10% and 15%, then 7% will be deducted from the current audit score to arrive
at the Control Risk score.
iii) If the difference in Control Risk score between the previous audit and the current audit
is more than 15%, then 10% will be deducted from the current audit score to arrive at the
Control Risk score.
4 Audit Planning
An Audit plan defines the scope, coverage and resources, including time, required for
audit over a defined period. Adequate planning ensures that appropriate attention is
devoted to significant areas of audit, potential problems are identified, and that the skills
and time of the staff are appropriately utilised.
The Audit plan would be drawn up consistent with the goals and objectives of the
Internal Audit function as listed out in the Internal Audit charter as well as the goals and
objectives of the Bank.
All new branches shall be subjected to internal audit within six months of opening of the
branch.
A plan once prepared would be continuously reviewed by the IAD to identify any
modifications required to bring the same in line with the changes, if any, in the audit
environment. However, any major modification to the plan would be done in
consultation with the ACB.
4.1 Training Needs Assessment
At the beginning of every financial year, IAD shall examine and assess the training needs
of the internal auditors across all verticals, according to the skill-sets required to conduct
the audits of various entities - as per the approved Audit Plan. This shall be
communicated to the HR Department for arrangement of in-house, appropriate training
programmes or deputing the concerned auditor(s) to suitable institutes for imparting
relevant inputs.
The staff in the Internal Audit department shall also take all mandatory and
functional e-learning courses hosted on the LMS from time to time. The current courses
relevant to the audit team include KYC/AML, Operational Risk, Reading Financial
Statements, Fraud awareness etc.
IAD will implement the process of rotation of auditors by transferring them to other
departments at regular intervals and fill up the gaps either by way of rotation or
recruitment of suitable resources from outside to ensure the quality of auditors.
4.2 Frequency of audits
The IAD carries out internal audits as a part of the overall audit assurance framework to
the Bank. The risk map of the auditable units so derived will decide the frequency of
audit of the respective units as under:
4.3 Frequency of Risk Based Internal Audit
The audit frequency of an individual auditable unit would be based on its position in
the Risk Matrix. All auditable units will be audited at least once in two years.
Auditable units falling under cell “9” (i.e., Low Risk) would be audited once in two years.
Auditable units falling under cell “7 & 8” (i.e., Medium Risk) would be audited once in
eighteen months.
Auditable units falling under cell “4, 5 & 6” (i.e., High Risk) would be audited once in
twelve months.
Auditable units falling under cell “2 & 3” (i.e., Very High Risk) would be audited once in
nine months.
Auditable units falling under cell “1” (i.e., Extremely High Risk) would be audited once
in six months.
The above intervals between two internal audits are indicative; the interval is the outer
limit, and the audit must be conducted within the quarter in which it becomes due.
The internal audits of Bank Branches shall be conducted with an element of surprise; no
advance intimation shall be given to the branches. The audits may be conducted any time
within a period of three months prior to the outer limit.
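As an added illustration (not part of the Bank's policy or its systems), the following Python sketch applies the inherent and control risk banding of Section 3, the Risk Matrix cells of Section 3.2 and the audit intervals of Section 4.3 to constructed scores, and derives the outer-limit due date of the next audit; the category keys, function names and the sample unit are assumptions made for this example.

```python
import calendar
from datetime import date

# Added illustration of the Section 3 scoring rules and the Section 4.3 audit
# frequencies; not the Bank's own tooling. Category keys and function names
# are assumptions made for this example.

# The six primary inherent risks (Section 3), each scored 0 if the group is
# not exposed, else 1-6 (Low 1-2, Medium 3-4, High 5-6); maximum total 36.
INHERENT_CATEGORIES = ("credit", "market", "operations",
                       "regulatory", "reputation", "it")
MAX_INHERENT_SCORE = 6 * len(INHERENT_CATEGORIES)  # 36

# Risk-matrix cells (Section 3.2): (inherent band, control band) -> (cell, label)
RISK_MATRIX = {
    ("High", "Low"): (4, "High Risk"),
    ("High", "Medium"): (2, "Very High Risk"),
    ("High", "High"): (1, "Extremely High Risk"),
    ("Medium", "Low"): (7, "Medium Risk"),
    ("Medium", "Medium"): (5, "High Risk"),
    ("Medium", "High"): (3, "Very High Risk"),
    ("Low", "Low"): (9, "Low Risk"),
    ("Low", "Medium"): (8, "Medium Risk"),
    ("Low", "High"): (6, "High Risk"),
}

# Outer limit between two audits, in months, per cell (Section 4.3).
AUDIT_INTERVAL_MONTHS = {1: 6, 2: 9, 3: 9, 4: 12, 5: 12, 6: 12,
                         7: 18, 8: 18, 9: 24}


def inherent_risk_score(category_scores):
    """Sum the per-category scores (0-6 each) into the 0-36 inherent score."""
    total = 0
    for cat in INHERENT_CATEGORIES:
        score = int(category_scores.get(cat, 0))  # absent = not exposed = 0
        if not 0 <= score <= 6:
            raise ValueError(f"{cat}: score {score} is outside 0-6")
        total += score
    return total


def inherent_band(total):
    """0-36 score -> band using the matrix legend: Low 0-7, Medium 8-18,
    High 19-36 (the same cut-offs as 'up to 20% / 21-50% / >50%' of 36)."""
    if not 0 <= total <= MAX_INHERENT_SCORE:
        raise ValueError(f"inherent score {total} is outside 0-36")
    if total <= 7:
        return "Low"
    if total <= 18:
        return "Medium"
    return "High"


def control_band(control_risk_pct):
    """Control risk on the 0-100 scale (0 = fully controlled):
    Low below 15%, Medium 15% to 30%, High above 30%."""
    if not 0 <= control_risk_pct <= 100:
        raise ValueError(f"control risk {control_risk_pct} is outside 0-100")
    if control_risk_pct < 15:
        return "Low"
    if control_risk_pct <= 30:
        return "Medium"
    return "High"


def place_in_risk_matrix(category_scores, control_risk_pct):
    """Return (cell number, risk label, audit interval in months) for a unit."""
    key = (inherent_band(inherent_risk_score(category_scores)),
           control_band(control_risk_pct))
    cell, label = RISK_MATRIX[key]
    return cell, label, AUDIT_INTERVAL_MONTHS[cell]


def next_audit_due(last_audit_iso, interval_months):
    """Outer-limit due date (ISO string) = last audit date + interval, with the
    day clamped to the length of the target month (e.g. 31 Aug + 6 -> 28 Feb)."""
    last = date.fromisoformat(last_audit_iso)
    month_index = last.month - 1 + interval_months
    year, month = last.year + month_index // 12, month_index % 12 + 1
    day = min(last.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


if __name__ == "__main__":
    # Constructed sample: a branch-banking unit, not real Bank data.
    branch = {"credit": 5, "market": 2, "operations": 6,
              "regulatory": 4, "reputation": 4, "it": 5}   # total 26 -> High
    cell, label, months = place_in_risk_matrix(branch, 22)  # 22% -> Medium
    print(f"cell {cell} ({label}), audit at least every {months} months")
    print("outer limit for a unit last audited 2021-03-31:",
          next_audit_due("2021-03-31", months))   # 2021-12-31
```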
4.4 Audit Scope and Coverage
The scope of each audit shall be determined by respective Audit Team Lead and
approved by the Head of respective Audit vertical in consultation with the CAE.
However, at the minimum, the scope will cover the following areas:
i) Availability of approved product / process guidelines
ii) The control environment in various areas
iii) Data integrity, information security
iv) Regulatory and Internal Compliance
v) Adherence to KYC/AML Guidelines
vi) Compliance with outsourcing guidelines
vii) Customer Service Quality
viii) Compliance to previous audit observations
The field work shall be conducted by the internal auditors at the branches (onsite) with
the audit checklist prepared by IAD. The audit checklist shall be revised by the audit
manager whenever there is any change in the underlying process and it shall be approved
by CAE.
4.5 Audit Report
At the end of the field work a draft report shall be prepared containing the executive
summary, the objective of the audit, the scope including limitations and exclusions,
sampling methodology (Annexure 7), audit rating and opinion. All the audit findings in
the audit reports shall be categorized and levelled as per the Issue Assessment
Framework. All the audit findings will be communicated to the respective groups and an
auditee response having the components- proposed actions, timelines for compliance and
responsibility will be obtained. The reports will be peer-reviewed, rated and circulated
as defined hereunder:
i) Bank Branches: Report would be issued to the Branch Head and Cluster Head, with a copy
marked to the concerned controllers, i.e. Regional Head and Head-Branch Banking.
ii) BUs (Refer Point No. 10 below for the defined process)
iii) Other reports: Rating would be done as per the Audit Policy; draft report would be
shared with the Head of the Department of the respective Department for
management response. Final Report would be issued to the respective Department
Head.
iv) Sign-off, on the draft audit report from the respective auditee department, to be
obtained before release of the final report.
5 Issue Assessment Framework, Reporting and Communication
The process of issue assessment distinguishes between “Very High”, “High”, “Medium”
and “Low” Risk categorization of audit issues, where “Very High” is classified as “Level-
1” or L1, “High” as “Level-2” or L2, “Medium” as “Level-3” or L3 and “Low” as “Level-
4” or L4.
The categorization of issues as L1, L2, L3 or L4 is done on the basis of the estimated
likelihood and the potential impact of the control weakness as depicted hereunder:
Impact \ Likelihood   Less Likely   Possible   Most Likely
Very High             L2            L1         L1
High                  L3            L2         L1
Medium                L4            L3         L2
Low                   L4            L4         L3
The assessment of likelihood and impact would broadly take into consideration the
following factors.
Likelihood:
Most Likely: Has happened in several instances or process gap exists.
Possible: Could happen in the foreseeable future.
Less Likely: Less likely to happen.
Impact:
The impact assessment shall be based on the following factors, individually or in
combination:

Very High
  Customers affected: > 2%
  Financial impact: > Rs. 25 lacs
  Brand & reputation impact: coverage in high-profile global / national media which could lead to significant damage to the brand
  Systems / services affected: poses any systemic risk; critical business system / service is affected
  Regulatory, internal policy and legal implications: non-compliance with regulatory guidelines / law with possible penalty from regulatory / law-enforcement bodies; not complying with Statutory Audit or RBI audit observations
  Information security risk / system users impacted: i) potential loss of all information; ii) > 5000 users affected; iii) application security testing / VAPT not conducted for public-facing applications

High
  Customers affected: 1 - 2%
  Financial impact: > Rs. 10 lacs and up to Rs. 25 lacs
  Brand & reputation impact: coverage in industry-specific / local media which could lead to a negative impact on the brand
  Systems / services affected: poses any undefined or unexpected risks; non-critical business systems / services are affected
  Regulatory, internal policy and legal implications: non-compliance with regulatory guidelines / law not having direct impact of penalty; non-compliance with the Bank's policy or PCMC-approved process
  Information security risk / system users impacted: i) potential loss of confidential information; ii) 500 - 5000 users affected; iii) application security testing / VAPT not conducted for internal financial applications, e.g. CBS, ITMS

Medium
  Customers affected: up to 1%
  Financial impact: > Rs. 5 lacs and up to Rs. 10 lacs
  Brand & reputation impact: negative information limited to employees / vendors
  Systems / services affected: only support services are affected, but business can run as usual
  Regulatory, internal policy and legal implications: no violation of any regulatory guidelines / law; partial non-compliance with the policies / SOPs
  Information security risk / system users impacted: i) potential loss of internal information; ii) < 500 users affected; iii) application security testing / VAPT not conducted for internal applications that are non-financial but identified as critical, e.g. AML, ALM

Low
  Customers affected: no customers affected
  Financial impact: up to Rs. 5 lacs
  Brand & reputation impact: negative information in a closed user group
  Systems / services affected: no systems / services affected
  Regulatory, internal policy and legal implications: no implication
  Information security risk / system users impacted: i) potential loss of public information; ii) no users affected; iii) application security testing / VAPT not conducted for non-critical internal applications
Notwithstanding the above matrix for financial impact, instances of revenue leakage shall be
classified based on the quantum of leakage / potential leakage identified. Where a gap is
identified in the process of recovery of revenue which can potentially lead to high revenue
leakage at bank level, or the quantum of leakage identified is Rs. 1 lac and above, the issue
shall be classified as Level 1; leakage of Rs. 10,000 and above but below Rs. 1 lac shall be
classified as Level 2; and any revenue leakage below Rs. 10,000 shall be classified as L3 at
unit level.
Compliance to audit observation: Any submission of compliance to an audit observation
without actual rectification of the observation is a very high risk and shall be classified as a
Level 1 issue. Similarly, a repeat audit observation in more than one area coupled with an
increasing direction of risk at the unit level shall be treated as a Level 2 issue; where the
direction of risk is stable it shall be classified as an L3 issue, and where the direction of risk
is decreasing as an L4 issue.
The key findings of all the audit reports would be classified into four levels L1, L2, L3 &
L4, L1 being the highest level of importance.
While endeavour would be made to ensure that the audit issues would be classified as per the
framework, in the event the assessment framework requires any interpretation / clarity, the risk
can be upgraded /downgraded, as per direction of CAE.
Under the overall Issue Assessment Framework detailed above, illustrative lists of
specific audit issues identified at Branches, BUs, SEL, Credit Audit and HF (Housing
Finance Department) have been separately drawn up and are furnished in
Annexures 1 to 5 respectively.
5.1 Escalation Matrix
In order to enable the Audit Committee of the Board / Management to get a more business-
/ function-wide view of processes across the Bank and the key findings noted thereof,
including the effectiveness of the audit thereof, the IAD at the end of the audit cycle or at
other periodic intervals (as directed by Top Management and the ACB) would present the
aggregated audit findings and the key reports / dashboards to the Top Management and the
Audit Committee of the Board.
The individual audit observations would be presented as under:
• Level 1: To be reported to MD & CEO and all levels below
• Level 2: To be issued to Business / Department Head and all levels below
• Level 3: To be issued to Deputy Business / Deputy Department Head and all levels below
• Level 4: To be issued to respective Unit Head
All the issues pertaining to Level 1, Level 2, Level 3 and Level 4 will be put up to the
Audit Committee of Executives (ACE).
All the issues pertaining to Level 1 & 2 and the Minutes of meeting of the ACE will be
put up to the Audit Committee of Board at their next meeting.
A summary of the high risk issues will be placed before the Board on a half-yearly basis.
Apart from the above escalations, if there are any serious regulatory and other violations,
instances of suspected fraud or malpractices, those will be escalated to MD, and Senior
Management within ten working days from the date of detection of such incidents.
6 Audit Ratings (Other than BU)
All auditable units will be assigned an audit rating based on quantitative and qualitative
parameters. The ratings will be classified as per control score on a scale of 0 to 100 as
under:
Rating | Control Score | Audit Opinion | Control Risk
A | ≥ 85 | Effective | Low
B | ≥ 75 and < 85 | Meets Requirement | Medium
C | ≥ 70 and < 75 | Partially Effective | Medium
D | ≥ 65 and < 70 | Improvement Needed | High
E | < 65 | Significant Improvement Needed | High
7 Compliance Report / Issue tracking Standards
At all levels, the Bank is subject to audits initiated both internally and externally via
regulatory / statutory institutions. It is important to monitor the findings raised during
audits as well as the progress made to resolve them. In order to make this process more
efficient and transparent, the IAD would follow a standard action tracking process which
would enable the business to keep track of the status of the issues with regard to resolving
them within the timelines agreed.
The methodology to be used for action tracking and closure of the audit issues / reports
would be as under:

Nature of the Audit Issue | Timeline for submission of compliance by the Units | Timeline for IAD to assess the responses and consider closure of the issue
Extremely High Risk / Very High Risk (L1) | 15 working days | 7 working days
High Risk (L2) | 21 working days | 7 working days
Medium Risk (L3) | 30 working days | 15 working days
Low Risk (L4) | 30 working days | 15 working days
i) The follow-up with auditee units would be undertaken on a regular basis, keeping
the H.O. Department / Competent Authority controlling the auditee units concerned
in the loop, to ensure closure of the audit issues within the stipulated time.
ii) The audit issues overdue for closure would be advised to H.O. Department /
Competent Authority controlling the auditee units concerned on monthly basis to
ensure closure of the issues at the earliest.
iii) The extension of timelines for closure of issues would be considered by the Internal
Audit Department based on the satisfactory recommendations received from the
Competent Authority controlling the auditee units concerned.
iv) The audit reports will need to be closed within an overall period of 45 days. The audit
reports would be considered for the closure after receipt of satisfactory compliances
of the audit issues. Issues where the concerned department has completed their
actionable shall be considered as satisfactory compliance for this purpose. Issues
where there is dependency on other departments / customers, shall be considered as
satisfactory compliance for the concerned department.
Audit reports with any other open issues would be considered for closure only in
exceptional cases with the approval of the Head of the Department. In such cases, the
overall resolution of the issue would be tracked centrally through the Action Tracking Report (ATR).
v) IAD will compile a report on issues pending for compliance on a monthly basis and
present it to the Competent Authority controlling the auditee units concerned, and on a
quarterly basis to the ACB. The action tracking report will also provide information
to the Audit Committee of the Board, Senior Management and Line Management on the
status of overdue issues.
vi) Closure of audit reports at various levels would be based on the risk assessment derived
from the Audit Rating / Control Score as under:

Control Risk | Audit Rating | Control Score | Closure Level
Low | A | ≥ 85 | Team Leader / Vertical Head of the Audit Department at the level of AVP and above
Medium | B & C | ≥ 70 and < 85 | CAE
High | D & E | < 70 | CAE
vii) IAD will test the correctness of all compliances reported on a test check basis and a
report on the same will be placed to the ACB at half yearly intervals.
8 Other relevant features of the audit policy
While Risk Assessment Methodology, Audit Plan, Reporting, etc. have been enumerated
above, certain other features of the audit policy with regard to Information System Audit,
BU Audits, Snap/Special audits are furnished below.
9 Audit of Banking Units (BU)
There will be separate audit vertical as well as dedicated resources, having specific skill
sets, deployed to audit BUs. For better control, all BUs are to be divided into adequate
number of Audit Clusters by including a few Business Clusters in each Audit Cluster.
Each Audit Cluster is headed by an Audit Cluster-In Charge, and there are internal
auditors in each Audit Cluster depending on the number of BUs in the respective Audit
Cluster. The Cluster-In Charges ensure the execution of the BU internal audit, through
the internal auditors, according to the approved audit plans.
With the introduction of onsite Concurrent Audit, it has been decided to bring 600 BUs
under the ambit of Concurrent Audit. As these BUs will be subjected to Concurrent
Audit, there will be only one annual Internal Audit. Each of the other BUs, not subjected
to concurrent audit, will be audited once in four months. The individual audit report of each
BU will be kept at the respective BU with a copy retained with the Audit Cluster-In
Charge. The BU Head will be responsible for compliance with the report and will submit
a compliance statement to the Audit Cluster-In Charge within the stipulated period.
Audit Cluster-In Charges report to the Audit Team at Head Office. A summary of the
findings of the BUs audited in the month by the Internal Audit team will be issued in the
form of a Monthly Report of BU Internal Audits and submitted to the Management.
During the BU internal audit, the internal auditor also attends Group Meetings. The
Groups the internal auditor visits are selected on the following basis:
• Each DBO's group has to be covered
• Groups of different meeting timings have to be selected
• Groups with a higher number of overdue cases are prioritized
• Groups in which very high amounts of loan jumping are noted are prioritized
• Groups at remote locations
Apart from Group visit, internal auditor also visits some borrower's houses. There is a
proper selection methodology, regarding the borrower's houses the internal auditor will
visit. Emphasis is given on visiting houses of Overdue borrowers, Deceased Borrowers,
Absentee borrowers etc.
The internal auditors use a uniform checklist during the BU audit. The salient features of
the checklist are checking of compliance with the previous internal audit report, cash
management, cash retention limit, remittance to the bank branch, management of keys and
dual custody of keys, checking of loan forms, checking of the address proof and ID proof
attached with the loan form, handling of the biometric device and biometric capturing,
adherence to the laid-down process for sending Credit Bureau data, death case settlement,
quality of monitoring by the Cluster Head and the Cluster Team Members, BU staff
administration matters, IT infrastructure at the BU, books of accounts, registers etc.
9.1 Audit Rating of Banking Unit:
After the audit, each BU is to be given a risk rating (High / Medium / Low) based on the control
assessment. The risk rating for each BU is done on the basis of a Risk Matrix (carrying a
maximum of 100 marks) as under:

Risk Category | Control Score
High | < 70
Medium | ≥ 70 and < 85
Low | ≥ 85

The summary audit report of the BUs shall be submitted to the Head MB.
10 Offsite Audit
10.1 Bank has established an Offsite Audit vertical within Internal Audit Department for
offsite monitoring of certain transactions/activities at branches/offices/BUs.
10.2 Apart from generating regular predetermined exception reports to support the
field auditors, the Offsite Audit team also monitors the following activities, for example:
• Transaction monitoring of specific products like BSBDA (521), BSBDA Small (501)
• Verification of correctness of TDS deduction in SB-NRO accounts from quarterly
interest credits
• Random verification of interest calculation of various loan products
• Random verification of interest application in SB accounts, every quarter
• Maintenance and updating of tables in separate database 'IARDB' with data culled
out from BBPRE and transaction data received from FIS
• Support by Offsite Audit team member to H.O Audit team in conducting audits,
whenever required
• Support to all units of IAD in understanding and analysis of the data provided
• Random check of NPA classification and interest application correctness in the
loan accounts in case of re-classification of accounts into standard asset.
The tasks for offsite monitoring team would be added/modified based on the new issues
arising and based on feedback from field auditors.
10.3 For carrying out these tasks the Team will be provided with read only access to the
MIS-database, BBPRE and other systems like FIS Profile, Newgen OmniFlow
application etc., to enable them to query the required data using tools like SQL, etc.
10.4 The Offsite Audit Team will support on-field branch banking auditors with the
necessary reports/ inputs that may be required, prior to visit to auditee units, to
enable them to analyse the branch profile and to shortlist the tasks to be focused on
and to choose appropriate samples for checking on-site. Some of the reports
designed, for example, are:
i) Cash deposits above Rs.50000/- without PAN
ii) Deposit accounts without having PAN
iii) Debits in Income GLs
iv) Multiple CIFs with same PAN
v) Transactions in NRE/NRO accounts
vi) Cash deposits of Rs.10 lakhs and above (both individual and cumulative) etc.
In addition to the above, Offsite Audit is assigned to provide inputs through reports to
auditors while on-site, wherever exceptions are observed by them.
Support to BU auditors through various reports has also been put in place.
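The exception reports listed in 10.4 are, in effect, a specification for queries over the Bank's transaction and customer data. The block below is an added example, not code from the Bank or its Offsite Audit team, showing how three of those reports (cash deposits above Rs. 50,000 without PAN, multiple CIFs with the same PAN, and cash deposits of Rs. 10 lakh and above both individually and cumulatively) can be implemented against a constructed in-memory SQLite dataset. The table layout (customers, accounts, cash_deposits), the reading of "without PAN" as "no PAN held on the account holder's CIF", and the use of the calendar month per account as the window for the cumulative test are assumptions made for the example; the policy does not define them.

```python
"""Offsite exception reports of the kind listed in 10.4, run over a
constructed in-memory SQLite dataset. Added example, not the Bank's code."""
import sqlite3
from collections import defaultdict

RS_50K = 50_000          # PAN / Form 60 threshold for a single cash deposit
RS_10_LAKH = 1_000_000   # large cash transaction threshold

# Constructed sample data (fictitious CIFs, PANs and amounts).
CUSTOMERS = [            # (cif, pan); pan is None when no PAN is held
    ("C001", "ABCDE1234F"),
    ("C002", None),
    ("C003", "ABCDE1234F"),   # same PAN as C001: duplicate CIF
    ("C004", "PQRSX9876K"),
]
ACCOUNTS = [("A1", "C001"), ("A2", "C002"), ("A3", "C003"), ("A4", "C004")]
CASH_DEPOSITS = [        # (id, acct, txn_date, amount in rupees)
    (1, "A1", "2021-04-02", 40_000),
    (2, "A2", "2021-04-03", 75_000),     # > 50k and depositor has no PAN
    (3, "A2", "2021-04-10", 30_000),
    (4, "A4", "2021-04-05", 1_200_000),  # single deposit >= 10 lakh
    (5, "A3", "2021-04-06", 400_000),
    (6, "A3", "2021-04-15", 350_000),
    (7, "A3", "2021-04-28", 300_000),    # A3 April total 10.5 lakh: cumulative hit
    (8, "A3", "2021-05-02", 600_000),
    (9, "A1", "2021-04-20", 60_000),     # > 50k but PAN on record: not reported
]


def load_sample_db() -> sqlite3.Connection:
    """Build the in-memory database the reports query (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (cif TEXT PRIMARY KEY, pan TEXT);
        CREATE TABLE accounts (acct TEXT PRIMARY KEY, cif TEXT REFERENCES customers(cif));
        CREATE TABLE cash_deposits (
            id INTEGER PRIMARY KEY, acct TEXT REFERENCES accounts(acct),
            txn_date TEXT, amount INTEGER);
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO cash_deposits VALUES (?, ?, ?, ?)", CASH_DEPOSITS)
    return conn


def cash_deposits_without_pan(conn, threshold=RS_50K):
    """Report i): cash deposits above the threshold where the account
    holder's CIF carries no PAN (assumed reading of 'without PAN')."""
    return conn.execute(
        """SELECT d.id, d.acct, d.txn_date, d.amount
           FROM cash_deposits d
           JOIN accounts a ON a.acct = d.acct
           JOIN customers c ON c.cif = a.cif
           WHERE d.amount > ? AND c.pan IS NULL
           ORDER BY d.id""",
        (threshold,),
    ).fetchall()


def multiple_cifs_same_pan(conn):
    """Report iv): one PAN attached to more than one CIF. Grouping is done
    in Python so the CIF list order is deterministic."""
    by_pan = defaultdict(list)
    for pan, cif in conn.execute(
        "SELECT pan, cif FROM customers WHERE pan IS NOT NULL ORDER BY pan, cif"
    ):
        by_pan[pan].append(cif)
    return [(pan, cifs) for pan, cifs in sorted(by_pan.items()) if len(cifs) > 1]


def large_cash_deposits(conn, threshold=RS_10_LAKH):
    """Report vi): cash deposits of Rs. 10 lakh and above, individually and
    cumulatively. The cumulative window is assumed to be the calendar month
    per account; the policy text does not fix the window."""
    individual = conn.execute(
        "SELECT id, acct, txn_date, amount FROM cash_deposits "
        "WHERE amount >= ? ORDER BY id",
        (threshold,),
    ).fetchall()
    cumulative = conn.execute(
        """SELECT acct, substr(txn_date, 1, 7) AS month, SUM(amount) AS total
           FROM cash_deposits
           GROUP BY acct, month
           HAVING SUM(amount) >= ?
           ORDER BY acct, month""",
        (threshold,),
    ).fetchall()
    return individual, cumulative


if __name__ == "__main__":
    db = load_sample_db()
    print("Cash deposits > Rs. 50,000 without PAN:", cash_deposits_without_pan(db))
    print("Multiple CIFs with same PAN:", multiple_cifs_same_pan(db))
    single, monthly = large_cash_deposits(db)
    print("Single deposits >= Rs. 10 lakh:", single)
    print("Monthly cumulative >= Rs. 10 lakh:", monthly)
```

Each report is a separate function returning rows rather than printing them, so the same queries can be scheduled against the read-only MIS copy and the output handed to the field auditor as a sample list. The cumulative test deliberately catches account A3, whose three April deposits are each below the threshold but together exceed it, which a per-transaction filter alone would miss.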
10.5 Further as newer products and newer processes are introduced, some of the
parameters become redundant and some parameters undergo a change. The team
regularly reviews such changes in the environment and accordingly the parameters
and / or the reports are suitably modified.
Such review will be carried out periodically, as and when necessitated and changes
/ additions / reductions, if any, would be carried out after the approval of the CAE.
A detailed review note will be prepared and put up to the ACB at half yearly
intervals. The review process will entail the following steps.
i) Respective audit vertical heads will review all the parameters and the
corresponding reports for applicability. In case of any modification and change in
the underlying parameters, the same will be proposed to the offsite monitoring
team Head.
ii) The offsite monitoring Head will review the feasibility of the revision and
recommend the change to the CAE.
iii) The CAE will review the request and accord his approval.
iv) The new report will replace the old report.
v) This change will be documented in the ‘Report review register’
11 Snap / Special Thematic audits
Snap / Special Thematic audit at auditee units or specific segment of the bank would be
conducted as per the instructions of CAE / advices of Heads of Departments, Controllers
and ACB from time to time. Snap audit would be conducted in the following events:
i) An abnormal increase in business and / or risk levels in specific activities, product
or an area determined from the Offsite data analysis.
ii) In those units where frauds or financial irregularities are unearthed
iii) when there is breach of Risk Appetite by significant margin
iv) In case of substantial increase in overdue.
v) When there is a sudden significant increase in portfolio in one quarter as compared
to previous quarter.
In addition, the following will also trigger snap audits:
Branches:
i) Cash transactions in account not commensurate with customer profile.
ii) Non-submission of Control Returns
iii) Compliance of ROE/ ROM's observations, including CH's reports.
BUs:
i) Irregularities in monitoring;
ii) Non-maintenance of mandatory books and registers.
As regards snap audits of assets centres/clusters, the following will act as triggers:
i) Comparative analysis of delinquent status of loans quarter-wise
ii) List of SEL/Retail Asset (HL and LAP) which are quick mortality loans
Further, Snap Audit will be taken up at various clusters whenever there is increase in
overdue levels breaching the Risk Appetite of the Bank.
12 Concurrent Audit
In line with RBI directions, a revised framework of onsite Concurrent Audit has been
drawn up for implementation at the BUs and Branches. The framework was approved by
the Board at its meeting held on Jan 10, 2020.
The extract of the Concurrent Audit Framework is appended as Annexure 6.
In addition to the board approved framework, all other regulatory requirement would
also be added under concurrent audit from time to time. Indicative list of other areas to
be covered are monitoring of transactions in new accounts/staff accounts, reporting of
CTR/STR, opening and periodic monitoring of Internal Office Accounts, verification of
Merchant Banking Business, verification of Credit Card / Debit card business, conduct
of employees, mis-selling of products, etc.
13 Audit of Head Office (HO) Departments / Products & Processes
All the HO Departments, as listed in the Audit Universe in Para No. 2 of this Policy are
subject to audit coverage. All the individual verticals and activities in each HO
Departments, products & processes also form part of the Audit Universe and are covered
in the Risk Based Annual Audit Plan, for determining the frequency of the audit. The
Risk Based Audit Plan forms the basis of the audit scope of each department / function
/ products etc., which documents the activities of the Department. The Risk Based Audit
Plan which is an addendum to the Audit Policy, also documents the scope of coverage of
all HO Audits.
14 Credit Audit
14.1 For all the credit exposures with an aggregate exposure of Rs.2 crores and above
(including exposure to credit derivative), Credit Audit shall be conducted within
six months of sanction / renewal & enhancement of limits.
The guidance notes on Credit Risk Management issued by Department of Banking
and Operation, RBI Central Office, Mumbai contain detailed guidance on Credit Risk
Management. One of the important features of credit audit as per RBI guidelines
for Credit Audit is to examine compliance with the extant terms and conditions of
sanction and with post-sanction processes and procedures.
14.2 Scope of Credit Audit:
The broad Scope of Credit Audit will be to review the portfolio quality, compliance
with laid down policies including regulatory compliance, credit control, process of
appraisal and sanction, adequacy of documentation, rectification of audit
observation, violation of sanctioning powers, conduct and follow up of accounts,
evidence of early warning signals, staff accountability etc.
15 Audit Committee of Executives (ACE)
15.1 Constitution of Audit Committee of Executives (ACE):
The constitution of ACE is:
Members:
• Head - Human Resource – Chairman of the Committee
• Chief Audit Executive - Convener
• Chief Risk Officer
• Chief Compliance Officer
• Head - Operations & Technology
Permanent invitees:
• Chief Financial Officer
• CIO
• Head – Legal
• Head – Business
• Head – BOCS
• Head - EEB
• Head - HF
The quorum for the meeting would be three members.
The Audit Committee of Executives may invite Department Heads or any other
official(s), as it considers appropriate, to be present in the meeting of the Committee.
15.2 The functions of the proposed ACE are listed below
i) To meet once every month to discuss and note all the issues pertaining to Level 1,
Level 2, Level 3 and Level 4 as per the “Escalation Matrix”
ii) To discuss and note synopses of audit reports of branches
iii) To discuss and note synopses of audit reports of BUs
iv) To discuss and note synopses of Head Office department audit reports, Product and
process audit reports, IS Audit reports and Offsite audit reports.
v) To take note of closure of audit reports approved by IAD
vi) To recommend for putting up summary of critical issues observed (pertaining to
Level 1 & Level 2 as per the “Escalation Matrix”) in the above mentioned synopses
of audit reports along with any other matter, which the Committee may consider
appropriate to be brought to the notice of the ACB.
vii) To put up Closure Note statistics to the ACB in respect of synopses approved by the
said Committee.
viii) To put up status of actual audits completed vs Board approved Audit Plan.
ix) To discuss status of Action Tracker Report.
Annexure 1 - Issue Assessment Framework for Audit of Branches

Sr. No. | Type | Finding

Issue Assessment level: L-1 (Very High Risk)
1 | Transaction & Internal Control | Cash: cash found short in cash-in-hand / vault / ATM at the time of physical verification of cash and tallying with GL balance, Cash Balance Register / Vault Register
2 | Internal Control | Keys: cash / vault keys shared by one of the joint custodians; dual custody policy not followed while operating cash vault or ATM vault
3 | Compliance & Internal Control | Protective arrangements: CCTV / alarm system not working for more than 6 months
4 | Transaction | Sharing of password observed
5 | Transaction & Internal Control | Gross violations in compliance with KYC / AML guidelines; fraudulent transactions detected during audit
6 | Compliance & Internal Control | Demand draft made above Rs. 50,000 in cash by a single customer on the same day
7 | Housekeeping & Internal Control | Physical balance of customer deliverables does not tally with system balance and stock registers
8 | Compliance | PAN / Form 60 not collected for FD above Rs. 50,000 by a single customer on the same day, or FDs aggregating to more than Rs. 5 lakhs in a financial year; notices from statutory bodies (e.g. IT / GST authority) not acted upon, or acted upon with significant delay
9 | Transaction | Cash remittance above Rs. 50 lakhs done by branch without any armed guard on more than one occasion
10 | Compliance | False compliance / certification

Issue Assessment level: L-2 (High Risk)
1 | Housekeeping & Internal Control | Physical balance of other deliverables does not tally with system balance and stock registers
2 | Housekeeping & Internal Control | Branch had not updated the Large Cash Transaction Register for cash transactions above Rs. 10 lakhs
3 | Compliance & Internal Control | CCTV recording not available for a period of 45 days out of the stipulated period of 90 days
4 | Compliance | Customer complaint regarding disputed transactions in ATM not resolved within 7 days
5 | Internal Control | Both sets of keys of cash safe / strong room held by the same custodian at different points of time without CH approval
6 | Housekeeping & Internal Control | Deliverables: stocks of debit card PINs and debit cards held by the same custodian (seals not tampered with)
7 | Housekeeping & Internal Control | Cash transactions in account not commensurate with customer profile
8 | Internal Control | Compliance of ROE / ROM's observations, including CH's reports

Issue Assessment level: L-3 (Medium Risk)
1 | Compliance | Clean Note policy not followed by branch (writing on the watermark portion by teller, non-issuable pre-2005 notes mixed with issuable notes, soiled or mutilated notes mixed with issuable notes)
2 | Housekeeping | All mandatory notices as notified by BOCS & Compliance department not displayed at the branch & ATM
3 | Compliance | Branch had not updated the TDS flag in CBS promptly on customer depositing Form 15G / 15H
4 | Compliance & Internal Control | Death claims settled and payment not made within the stipulated time norm: within 15 days for accounts with survivor(s) / nominee and within 30 days for accounts without survivor(s) / nominee, from the date of receipt of the claim with completed requisite papers
5 | Transactions | Payment of expenses approved by Branch Head beyond the limit fixed by DOP, with no approval taken from Cluster Head as per the limit fixed by DOP
6 | Compliance | Personal loan sanctioned where the prescribed minimum credit bureau score (650) was not adhered to [or credit bureau score not verified] as stipulated by the circular on personal loans
7 | Compliance & Internal Control | Non-permissible credits in NRE accounts accepted by branch
8 | Important Oversight | Control Return not submitted by BH (as sanctioning authority) to Cluster Head at monthly intervals for personal loans sanctioned by him

Issue Assessment level: L-4 (Low Risk)
1 | Transaction | Denomination-wise cash details on reverse of cheque not written by teller in cash payment
2 | Compliance | Verification of cheques under UV lamp / signature verification not noted on cheques for cash or transfer payment
3 | Transaction | Date and time of receipt of the request for stop payment of cheque not recorded in the request letter
4 | Important Oversight | Custodian of vacant locker keys also handled the master key / allowed access to hirer
Annexure 2 - Issue Assessment Framework for Audit of Banking Units
S. N Subject Types Issue Classification
Issue Assessment level : L-1 (Very High Risk)
1 Financial Transaction Instalment amount or deposit amount of customers short deposited or not recorded in CBS
Any such incident regardless of amount.
Transaction Excess collection of Last Instalment / Prepayment amount of customers.
Transaction Borrower not traceable/identifiable where Loan Disbursed
Transaction Unauthorized withdrawal from customer's account
2 Loan Form / Master roll Checking
Housekeeping
BU Manager approval signature not available in loan form
10% or more of sample not approved
3 Cash in hand Transaction & Internal Control
Cash in hand is not tallied with Physical cash in cash vault, Cash Register and CBS balance
4 Cash deposit above Rs. 50,000
Compliance PAN/Form 60 not collected for cash deposit in excess of Rs.50,000 in cash by single customer on same day.
5 Deficit in Monitoring
Important Oversight
Deficit in Area Manager (AM) Monitoring
4 or more shortfalls in number of monitoring in audit period. (approval not obtained)
Important Oversight
Deficit in Divisional Manager (BU) [D.M.] Monitoring
No DM monitoring done in last 12 months.
6 Password Sharing
Transaction Password Sharing
7 Compliance Compliance False compliance / certification Issue Assessment level : L-2 (High Risk)
1 Key related irregularities
Transaction Irregularity regarding joint custody of vault keys (Both keys under one custodian)
2 Loan Form / Master roll Checking
Housekeeping
BU Manager approval signature not available in loan form
More than 5% (up to 10%) of sample not approved.
3 Group meeting
Transaction TAB machines not used during collection in group (without any reasonable cause)
Audit Policy, Ver. 7 Page 50 of 102
S. N Subject Types Issue Classification
Transaction Record Book not given to customer
Transaction Instalment / prepayment / withdrawal amount posting not done in Record Book
4 Deficit in Monitoring
Important Oversight
Deficit in Area Manager (AM) Monitoring
2 - 3 monitoring shortfall in audit period. (approval not obtained)
Important Oversight
Deficit in Divisional Manager (BU) [D.M.] Monitoring
No DM monitoring done in last 9 months.
5 Credit Bureau checking
Transaction Credit Bureau checking not done for loan disbursement
6 IT Housekeeping
CCTV backup not available for a period of 45 days out of the stipulated period of 90 days.
Issue Assessment level : L-3 (Medium Risk)
1 Loan Form / Master roll Checking
Housekeeping
BU Manager approval signature not available in loan form
Less than 5% of sample not approved
Housekeeping
BU Manager checking signature not available in loan form
Housekeeping
Document related Irregularities (KYC not attached with loan form)
Housekeeping
Master roll not updated (loan amount mismatch with CBS and Customer signature is missing)
Housekeeping
Customer signature is missing in Loan form
Housekeeping
DBO recommendation not available in loan form
2 Cash retention limit
Transaction Violation of Cash retention limit Retention Limit exceeded > 10 times in audit period, with at least one occasion for three consecutive days.
3 Group meeting
Housekeeping
DBO Group Register is not updated (collection/loan posting not done)
Housekeeping
Resolution Register is not properly updated
Audit Policy, Ver. 7 Page 51 of 102
S. N Subject Types Issue Classification
4 Deficit in Monitoring
Important Oversight
Deficit in Area Manager (AM) Monitoring
1 monitoring shortfall in audit period. (approval not obtained)
Important Oversight
Deficit in Divisional Manager (BU) [D.M.] Monitoring
No DM monitoring done in last 6 months.
5 Administrative Matter :
Housekeeping
Rent Agreement not Available / Expired
Compliance Notice Board not displayed at BU (like Help line No., Vernacular declaration, grievance redressal mechanism, RBI License etc.)
Compliance Complaint Box not there at BU
Compliance Bandhan Bank Signboard not displayed at BU
Compliance Trade License / Shop & Establishment License not available
Insurance/ Death case related
Death Cases not registered in BERP within 30 days or wrongly done.
6 Irregularities observed in IT hardware
Transaction Computer System not in working condition
Transaction One or more HHD at the BU not working
Compliance One or more CCTV cameras installed are not working
Compliance CCTV backup not available for period less than 45 days out of the last 90 days.
7 Key related irregularities
Compliance Irregularities for Duplicate set of keys are kept in linked bank branch / rotation of Keys
8 Cash Remittance from/to Bank Branch
Transaction Irregularities in Cash Remittance documentation (Slip not filled up/register not updated etc.)
9 Expenses related Approval
Transactions Payment of expenses approval not obtained from competent authority beyond the limit as fixed by DOP.
Issue Assessment level : L- 4 (Low Risk)
1 Key related Compliance Key register not maintained/not
Audit Policy, Ver. 7 Page 52 of 102
S. N Subject Types Issue Classification
irregularities updated regularly
Compliance Receipt Copy of acknowledgement Confirming deposit of Duplicate Keys in linked Bank Branch not preserved in BU
2 Cash retention limit
Transaction Non-adherence to Cash retention limit
3 Cash Remittance from / to Bank Branch
Transaction Approval is not obtained for remittance of cash.
4. Loan Form Housekeeping
Joint photograph not taken
5. Administrative Matter:
Housekeeping
Credit Bureau Report not held on record.
Staff joining order, evidence of staff verification, guarantee bond etc. not held on record.
Annexure 3 - Issue Assessment Framework for Audit of Small Enterprise Loans (SEL)
SL Subject Type of Risks involved
Findings
Issue Assessment level : L-1 (Very High Risk)
1 Operations and control
Operational Loan disbursed without approval of sanctioning authority
2 Operations and controls
Operational Loan sanctioned for more than the customer's loan eligibility, and the same has also been disbursed by LPU
3 Financial Credit and Operational
Loan sanctioned below the investment grade of the customer such as BB9-BB12. Loan proceeds not utilized as per sanction terms. Non-existent business entity, false field visit report etc.
4 Compliance and Controls
Operational Income and/or other documents such as salary slips, ITR, trade licence etc. provided by the customer were forged/tampered
5 Operations and control
Operational Identity / Address / Income and other documents furnished are not verified as per process and are found to be forged / invalid.
6 Credit monitoring
Credit and Operational
Loan has been sanctioned without any CRIF report either consumer or commercial.
Issue Assessment level : L-2 (High Risk)
1 Financial Credit Risk and Operational Risk
Existing financial obligations not considered which makes the customer ineligible for loan.
2 Credit monitoring
Credit Risk and Operational Risk
Loan sanctioned when the Credit bureau score was less than benchmark limit mentioned in the process and policy
3 Compliance and internal controls
Credit Risk and Operational Risk
ITR furnished was invalid or electronically not verified even after 120 days of filing.
4 Credit Monitoring
Operational and Credit
Turnover in BERP is substantially higher than income documents against which proper justification not available
5 Compliance and internal controls
Operational Improper/incomplete execution of security documents.
6 Compliance and internal controls
Operational and Credit
Incorrect rate of interest applied in loan.
Issue Assessment level : L-3 (Medium Risk)
1 Compliance and internal controls
Regulatory Non-KYC / Income and other documents furnished are not verified as per process but are otherwise valid.
2 Compliance and Controls
Operational Residence stability proof and business vintage proof not obtained as per laid down process
3 Compliance and controls
Operational Minor anomalies in security documentation.
4 Compliance and controls
Operational Commercial Credit Bureau Report not obtained
5 Financial and appraisal
Operational and Credit
Loan sanctioned for a tenure which is not in line with the internal process
6 Operation and controls
Operational Loan sanctioned without CA certified financials even though CA certified financials are mandatory as per the laid down process
7 Credit monitoring
Operational and Credit
Banking turnover entered in BERP without obtaining a bank statement from the customer, thereby increasing the internal scoring of the borrower.
8 Operation and controls
Operational Non-submission of Control Return.
9 Operation and controls
Operational Non-availability of Handover and takeover certificate for movement of Credit Operation in charge in the asset centre.
Issue Assessment level : L-4 (Low Risk)
1 Operational monitoring
Operational Renewed Trade License not obtained
2 Operation and controls
Operational Charges mentioned in sanction letter not recovered
Annexure 4 - Issue Assessment Framework for Credit Audit
SL Subject Type of Risks involved
Findings
Issue Assessment level : L-1 (Very High Risk)
1 Operations and control
Operational Loan sanctioned greater than limits given to Sanctioning authorities or use of discretion beyond approved matrix.
2 Operations and controls
Operational Primary / Collateral security as per terms of sanction not obtained.
3 Financial Credit and Operational
Loans declared as fraudulent.
4 Credit monitoring
Credit and Operational
Non-compliance with post disbursement terms and conditions.
5 Documentation Operational Improper and incomplete execution of security documents. Title deed not with the Bank, NOC not obtained in case of lease hold property.
6 Credit monitoring
Credit and Operational
Anomaly observed in post disbursement periodic submission like non-submission of stock statements, FFR1, FFR2, book debt statements etc.
7 Operations and control
Regulatory Non-Compliance
Any non-compliance to regulatory requirements like review/renewal pending for 180 days & above and customer not marked NPA, registration with ROC not done in line with regulatory/sanction terms etc.
Issue Assessment level : L-2 (High Risk)
1 Credit monitoring
Credit Risk and Operational Risk
Delay in submission of book debt statement/cash budget/stock statements beyond 15 days and penal interest not charged as per terms of sanction without obtaining waiver. Also delays observed in submission of other MIS/financial or other data as specified in the sanction terms.
2 Compliance and internal controls
Credit Risk and Operational Risk
Non-compliance of sanction terms regarding obtaining insurance on assets/inadequate insurance taken/Bank clause not mentioned in insurance policy
3 Credit Monitoring
Operational and Credit
Routing of transactions in Cash credit /OD/Current account not in line with the share of limits sanctioned. Fund diversion observed/end-use not in line with sanction terms
4 Compliance and internal controls
Regulatory Search not conducted before appraisal and sanction. Registration with CERSAI not in line with regulatory guidelines/sanctioned terms.
5 Compliance and internal controls
Operational and Credit
Insurance Policy not assigned in the name of the Bank
6 Collateral Operational Exceptions/comments in the Valuation report not approved by relevant authority. Similarly, exceptions/ comments in the Legal audit report not approved by relevant authorities.
7 Credit monitoring
Operational Stock Audit not conducted/not initiated as per Credit Policy and/or sanction terms. Adverse observations mentioned in Stock Audit Report, previous audit reports etc. not actioned. Legal Audit not conducted/not initiated as per Credit Policy and/or RBI guideline
Issue Assessment level : L-3 (Medium Risk)
1 Compliance and internal controls
Statutory Registration with Registrar of Companies (ROC) not done in line with regulatory/sanction terms.
2 Compliance and controls
Operational External Rating not obtained as per terms of sanction.
3 Compliance and controls
Operational Inspection of the projects not done as per term of sanction.
4 Regulatory Operational Legal Entity Identifier (LEI) not obtained in line with RBI Directions
5 Credit monitoring
Operational and Credit
Review/renewal pending for more than 180 days and account not marked as NPA
6 Credit monitoring
Operational and Credit
Any adverse opinion observed in the Stock Audit Report on which corrective action/reporting to controlling authority not evident on record.
Issue Assessment level : L-4 (Low Risk)
1 Operational monitoring
Operational Valid Trade License not provided as per terms of sanction/delay in providing valid license
2 Operation and controls
Operational Unhedged Foreign currency exposure declaration not obtained/not filled up properly
Annexure 5 - Issue Assessment Framework for Audit of Housing Finance
SL Subject Type of Risks involved
Findings
Issue Assessment level : L-1 (Very High Risk)
1 Operations and control
Operational Original property documents e.g. Sale deed, Share certificate, Gift deed, allotment letter etc. as stipulated by TSR/others etc. not obtained for primary security which would affect the creation of mortgage.
2 Operations and controls
Operational Documents like DCCD and MOE blank/ not filled up at all and signed by bank officials.
3 Compliance and Controls
Operational 1. Title deeds obtained are fake/tampered with. 2. ITR obtained is fake/tampered/invalid 3. Trade License is tampered/fake
4 Regulatory Operational Risk
Search in CERSAI Database not conducted or Registration with CERSAI not done where required.
5 Operations and Controls
Credit and Operational
Loan has been sanctioned without following laid down process such as loan has been sanctioned without obtaining Credit Bureau Report, all the owners of the property not taken as applicants/co-applicants, construction approval from competent authorities not taken
6 Operations and Controls
Operational Loan sanctioned without obtaining Title Search Reports and valuation reports
7 Operations and Controls
Operational Anomalies observed in appraisal leading to improper sanction, or sanction / disbursement of loans in excess of customer eligibility.
8 Operation and controls
Operational Leakage of income due to incorrect rate of interest applied
9 Operation and controls
Operational Delegation of power pertaining to sanctioning of loans exceeded.
10 Operation and controls
Operational Anomaly observed in Value of property.
Issue Assessment level : L-2 (High Risk)
1 Regulatory compliance
Regulatory Registration with CERSAI conducted after 30 days from the date of creation of mortgage.
2 Regulatory compliance
Statutory Registration with Registrar of Companies (ROC) conducted after 30 days from date of creation of mortgage
3 Compliance and internal controls
Credit Risk and Operational Risk
Property insurance expired as on date of audit. Anomaly observed in insurance policy etc.
4 Compliance and internal controls
Operational Agreed Bank Clause not mentioned in insurance policy/insurance policy not obtained/not assigned in favour of the Bank.
5 Operation and controls
Operational ITR furnished was electronically not verified even after 120 days of filing. ITR obtained from customer were for multiple previous years but were filed within a gap of less than 6 months.
6 Compliance and controls
Operational Non-compliance of sanction terms such as closure proof of previous loans not obtained.
7 Regulatory Credit and Operational
Non-compliance of loan to value ratio
8 Operation and controls
Operational Credit bureau report not generated or Credit bureau report more than 30 days old from the date of sanction of loan.
9 Operation and controls
Operational Anomaly observed in other security documentation.
10 Credit monitoring
Credit and Operational
Legal, technical and re-appraisal not done as per laid down process
11 Credit monitoring
Operational and Credit
Field Verification report does not cover critical parameters of the visit by Bank officials.
12 Operation and controls
Operational TSR conducted by lawyers or Valuation reports by valuers who are not empanelled.
Issue Assessment level : L-3 (Medium Risk)
1 Compliance and Controls
Operational Original search receipt not held in file.
2 Operation and controls
Operational Construction exceeds the permissible area
3 Operations and controls
Operational and Credit
Interview sheet not available / incorrectly filled.
4 Operation and controls
Operational Under-payment of stamp duty in loan / security documents such as Loan Agreement, Deed of Guarantee and other security documents
5 Operation and controls
Operational Construction stage property photograph not filed.
6 Operation and controls
Operational Non-submission of Control Return.
7 Operation and controls
Operational Non-availability of Handover and takeover certificate for movement of Credit Operation in Charge in the asset centre.
Issue Assessment level : L-4 (Low Risk)
1 Operational monitoring
Operational Valid Trade License not provided as per terms of sanction/delay in providing valid license
2 Operational and controls
Operational Legal appraisal checklist has not been prepared and filed / incomplete / not signed by official.
3 Operation and controls
Operational Correction done in application form not counter-signed by the borrower.
4 Credit Monitoring
Operational Dockets/files not maintained properly.
Annexure 6: Concurrent Audit Framework (without Annexures)
1 Background
During the current RBS, vide an RMP item, the Bank was advised that an ‘onsite’ Concurrent Audit mechanism may be put in place, for regular monitoring of ‘transactional data’ instead of the system of offsite monitoring. It was also recommended that the Bank should cover at least 50% of its ‘assets’ and ‘liabilities’ as in the past. Accordingly, with the level of ’assets’ and ‘liabilities’ as on 30th November, 2019 as the base, the following Concurrent Audit Plan has been drawn up in line with extant RBI guidelines and as directed by RBI during the RBS meeting.
2 Scope of Concurrent Audit:
In line with the Risk Based Internal Audit Policy, the following ‘business areas’, processes and products have been identified as having ‘Very High Risk’ and ‘High Risk’.
A. Assets
1. Micro Banking (BUs)
2. Retail Assets (Mortgage based)
3. Small Enterprise Loans (SEL)
4. SME (including NBFC MFI, LCs and Guarantees)
B. Liability & Other High Risk areas
1. Branch Banking
2. Central Processing Unit
3. Treasury Department
4. Nostro Account
A. Assets
As on 30th November, 2019 the total Asset Book of the Bank was ₹65,199 Crs., of which the Micro Banking assets portfolio stood at approx. ₹40,656 crs, the Retail Assets (Mortgages) portfolio at ₹18,000 crs and other assets at ₹6,471 crs. Accordingly, in line with the regulatory expectations, it is proposed to subject all the 196 Retail Asset Centers of erstwhile Gruh, covering approx. ₹18,000 crs of Mortgage and Housing loan assets, to concurrent audit. It is also proposed to cover the entire SEL portfolio of approx. ₹1,700 crs across all the 54 Clusters, as well as SME loans (operations) including LCs & Guarantees (₹3,500 crs.), vide the concurrent audit of Corporate Banking Operations (CBO). Further, it is proposed to subject around 600 BUs having a total asset book size of approx. ₹12,000 crs to concurrent audit. This will collectively cover approx. ₹35,200 crs of the total asset book, i.e., 54%.
A-1. Micro Banking (BUs)
As indicated above, it is proposed to cover approx. ₹12,000 crs of Micro Banking loans under the ambit of Concurrent Audit. The number of BUs that would be brought under the ambit of concurrent audit has been based on the following criteria:
a) BUs rated High and Medium
b) BUs with higher percentage of overdue
c) BUs with high business volumes
d) BUs where frauds and other financial and other irregularities have been observed.
In line with the above criteria, approx. 600 BUs have been identified for concurrent audit.
The detailed concurrent audit process for BUs is enclosed as Annexure I in the Concurrent Audit Framework.
A-2. Retail Assets (Mortgage based)
It is proposed to cover the entire Rs. 18,000 crs approx. of retail assets (mortgages) portfolio of the Bank under the mechanism of concurrent audit. The majority of the portfolio comprises the portfolio of the erstwhile Gruh Finance Limited, which merged into Bandhan Bank, effective October 17, 2019. Accordingly, all 196 branches have been identified for coverage under Concurrent Audit. The detailed audit process for Retail Assets is enclosed in Annexure II in the Concurrent Audit Framework.
A-3. Small Enterprise Loans (SEL)
It is also proposed to cover the entire portfolio of SEL of approx. ₹1,700 crs under concurrent audit. SEL loans are disbursed through Bank branches. The loans are sourced by ROs (Relationship Officers) who source the loan proposals and submit the same to Credit Managers posted in select branches, also called Asset Centers. The respective credit managers appraise and sanction the loans. Post documentation formalities, the sanction letter, loan application form, disbursement memo, etc. are uploaded to the Newgen system for disbursement by LPU. All security documents are obtained and retained at the respective asset centers. Asset Centers are further grouped under ’Clusters’. The detailed audit process for SEL loans is enclosed as Annexure III in the Concurrent Audit Framework. Apart from the above ‘business units’, all centralized operational units listed hereunder will also be brought under the ambit of concurrent audit.
A-4. SME (including NBFC MFI, LCs and Guarantees)
Apart from the aforementioned asset books, the Bank also has a portfolio of SME assets, which have been booked at various branches across the country. In respect of these assets, including loans to NBFC / NBFC MFI, the CBO undertakes the following activities.
i) Issuance of sanction letter/loan documents/security documents
ii) Creation of security
iii) Compliance of pre-disbursement terms and conditions as per sanction terms
iv) CERSAI entry
v) Legal Audit
vi) Post disbursement terms and conditions such as stock statements / DP updating / FFR analysis, exchange of information, pending security creation, inspection and insurance
vii) Bank guarantee – documentation / limit maintenance. Amendment / reversal / closure
viii) Letter of Credit issuance / LC bill handling.
The activities of the CBO will also be brought under the ambit of Concurrent audit. The detailed audit process for CBO is enclosed vide Annexure IV in the Concurrent Audit Framework.
B. Liabilities and other areas
As on 30th November, 2019 the total deposits of the Bank stood at ₹50435.06 cr.
B-1. Branch Banking
As advised by RBI during the current Supervisory meeting, it was decided to bring at least 50% of deposits under Concurrent Audit; accordingly, 140 branches covering around 55% of the Bank’s deposits are considered under the ambit of concurrent audit. The selection of branches has been done on the following criteria:
a) Large & exceptionally large size branches
b) High risk branches
c) Seven days working branches
The detailed concurrent audit process for Branch Banking is enclosed as Annexure V in the Concurrent Audit Framework. Apart from the above ‘business units’, all centralized operational units listed hereunder will also be brought under the ambit of concurrent audit.
B-2. Central Processing Unit (CPU)
In respect of back-end operations, currently Branches only source accounts and forward the scanned copies of account opening forms along with the KYC documents to the CPU through the Newgen workflow software for account opening. The entire account opening process at the Bank is centralized at the CPU, which is currently also under onsite concurrent audit. The ambit of the concurrent audit is proposed to be enhanced in line with the Risk Based Audit approach proposed for Concurrent Audits. Activities at the Loan Processing Unit (LPU), a unit of the CPU which takes care of creation and disbursement of Micro Home Loans, Overdraft against Term Deposits, Personal Loans, two wheeler loans, Next Gen Yuva loans and SEL, will be brought under the ambit of concurrent audit. The CIF and account modification wing, being a part of CPU, is also proposed for Concurrent Audit. The detailed concurrent audit process for CPU is enclosed as Annexure VI in the Concurrent Audit Framework.
B-3. Treasury Department
The Treasury Back Office has also been identified for coverage under concurrent audit. The concurrent audit system of Treasury has been in place since the beginning. Considering the fact that all Treasury deals are validated and accounted for by the Operations team at the Back Office, the Back Office and Mid Office function will be subject to regular concurrent audit on a daily basis. The detailed concurrent audit process for Treasury is enclosed as Annexure VII in the Concurrent Audit Framework.
B-4. Nostro Account Reconciliation
Concurrent audit of the following activities, viz., SWIFT along with Nostro reconciliation, is also being carried out by IAD. The detailed concurrent audit process for the same is enclosed as Annexure VIII in the Concurrent Audit Framework.
3 Separate Vertical with Responsibility and Accountability
In order to have a focused approach to concurrent audit, a separate vertical is proposed to be created under the Chief Audit Executive within the Internal Audit Department, which would cater to the concurrent audit requirements and focus on developing and enhancing the quality of the concurrent audit system in the Bank. Accountability and responsibility for the concurrent audit shall be with the said vertical. If external firms are appointed and any serious acts of omission or commission are noticed in their working, their appointments may be cancelled after giving them reasonable opportunity to be heard, and the fact shall be reported to the ACB / LMC of the bank, RBI and ICAI. Appointment of the requisite number of concurrent auditors with the minimum required skills for carrying out the audits effectively shall be completed by the HR Department before April, 2020.
4 Collation, Consolidation & Reporting
i) Concurrent auditor should prepare the report on daily basis and same would be shared with Head of the auditee unit for compliance of the same within a stipulated time frame of 3 days.
ii) The Supervisors shall have the responsibility of collation and follow up with the ground level auditors every month and submit the same to their respective Zonal Heads for onward transmission.
iii) The ZHs will submit to IAD, Head Office for consolidation of the reports of different verticals.
iv) The Concurrent Audit reports of every month should be closed by the end of the next month. In case the same could not be closed, the open points should be tracked through ATR, which shall be placed before ACE on a monthly basis.
5 Reporting to ACE & ACB
Reporting systems under each individual area of audit have been included in the respective Annexures. The format for placing the summary of the concurrent audit observations before ACE and ACB is given in Annexure IX.
6 Facilities for effective concurrent audit
In order to make the Concurrent Audit effective, the following facilities shall be made available to the auditors:
i) Unfettered and continuous availability of Data.
ii) Provision of requisite desktops/laptops (equipped with MS Word and MS Excel)/Tablet (Hand Held Computers).
iii) Wherever Tablets (Hand Held Computers) are to be provided, the Audit Checklist/reports for various kinds of audits are to be programmed in the Tablet by the IT Department.
7 Recruitment & Training
i) Eligibility criteria for Concurrent Auditors
a) Must have relevant work experience of 2-5 years in Banks for the respective verticals / areas, viz., in BUs the concurrent auditor must be experienced in BU activity for at least 2-5 years and have a good track record / retail branch banking / audit / Risk / Compliance channel.
b) Proficient in office / MS office package & must be mobile in nature.
c) Efficient in timely reporting and maintenance of TAT.
ii) Supervisors for Concurrent Auditors
a) Must have 8-10 years of work experience in Banks in retail branch banking / audit / Risk / Compliance channel.
b) Must have prior experience of handling a team of 10-15 people.
c) Proficient in office / MS office package & must be mobile in nature.
d) Efficient in timely reporting and maintenance of TAT.
iii) Training
Appropriate training shall be arranged in phases and Zone wise for continuous upgrade of skills and expertise.
8 Remuneration
Concurrent Auditors/Supervisors would be recruited in the grade of AM / DM / other senior grades, and the remuneration would be as per the Bank’s remuneration structure. Supervisors may be selected through IJP / lateral selection mode.
Annexure 7
Sampling Methodology
Design of the sample:
When designing an audit sample, the internal auditor should consider the specific audit
objectives, the population from which the internal auditor wishes to sample, and the
sample size.
Stratification:
To assist in the efficient and effective design of the sample, stratification may be
appropriate. Stratification is the process of dividing a population into sub-populations,
each of which is a group of sampling units with similar characteristics (often
monetary value); usually a random sample is drawn from each of the subgroups for
review.
Sample Size:
When determining the sample size, the internal auditor should consider sampling risk,
the tolerable error, and the expected error.
The sample size can be determined by the application of a statistically based formula or
through exercise of professional judgment applied objectively to the circumstances of the
particular internal audit engagement.
Selection of the sample:
The internal auditor should select sample items in such a way that the sample can be
expected to be representative of the population. This requires that all items or sampling
units in the population have an opportunity of being selected.
Methods of Sample selection:
1. Random selection
2. Systematic selection
3. Haphazard selection
One hundred percent selection: in the case of audit areas checked by analysing Reports generated by
the Offsite Audit Unit, a hundred percent sample is taken.
Based on the criteria as defined under design of sample, sample size is determined for
different departments which is given below:
1. Bank Branch Audits: Sample size is defined for each and every checkpoint in the audit
checklist based on the following criteria:
25% of the population or minimum 30 cases whichever is lower.
100% in case of physical counting of valuables (cash, inventory)
In case of areas audited by analysing Offsite Reports, 100% sampling is done.
2. Banking Unit Audits: Sample size is defined for relevant checkpoints in the audit
checklist based on the following criteria:
Number of Loan Forms to be checked:
• 50% of Loan Forms of immediately previous two months
• 25% of Loan Forms of first two months
Group visit: 10 to 12 groups visit per audit
Project visit or Visit of house of Borrowers: Minimum 75 houses visit
3. Retail Assets, SEL Audits, SME Audits & Trade Finance Audits:
In case of Retail Assets (HL and LAP), per asset centre, sample size is defined as given
below:
a) All loans above Rs 20 lakh: 100% of population
b) All other loans which are overdue for more than 30 days and do not fall under the
category mentioned in point (a): 100% of all such loans
c) All other loans less than Rs 20 lakh which do not fall in the samples mentioned in
point (b) above: 30 files or 10% of population, whichever is less, to be reviewed.
The total sample covering points a, b and c should be the lower of (i) 50 files or (ii) the sum
total number of files covered in points a, b and c respectively.
In case of SEL Audits, per asset centre, sample size is defined as given below:
a) All loans above Rs 8 lakh: 100%
b) All loans which are overdue above 30 days and not covered as part of the
sample mentioned in point a: 100% of population
c) All other loans Rs 8 lakh and below: 75 files or 10% of population, whichever is
less
The total sample covering points a, b and c should be the lower of 100 files or the sum total
number of files mentioned in points a, b and c respectively.
In case of Micro-Home loans, per asset centre, sample size is defined as given below:
a) Above Rs 5 lakh: 100% of samples
b) Overdue cases above 30 days: 100% of population
c) For loans of Rs 5 lakh and below not covered in points (a) and (b): 25% of total population
or 30 files, whichever is less
In case of Agri loans, per asset centre, sample size is defined as given below:
a) Above Rs 5 lakh: 100% of samples
b) Overdue cases above 30 days: 100% of population
c) For loans of Rs 5 lakh and below not covered in points (a) and (b): 25% of total population
or 30 files, whichever is less
In case of Next Gen Yuva Loans, per asset centre, sample size is defined as given below:
a) Above Rs 5 lakh: 100% of population
b) Overdue cases above 30 days not covered in point a: 100% of population
c) For loans of Rs 5 lakh and below not covered in points (a) and (b): 25% of total population
or 30 files, whichever is less
In case of SME Audits, per asset centre, sample size is defined as given below:
a) All loans above Rs 50 lakh: 100% sampling during audit.
b) In the remaining cases: 25% of the population or 15 cases, whichever is lower.
In case of Trade Finance (Bank Guarantee), per asset centre: 25% of the population or
minimum 30 Bank Guarantees issued, whichever is lower.
4. HO Departments Audits:
a) 100% checking of policies, process notes and SOPs.
b) In case of transactional data, 25% of the population or 30 cases whichever is lower.
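The per-centre rules above for Retail Assets and SEL, together with the Bank Branch checkpoint rule, coded as a sample-size calculator. This is an added example, not the Bank's own tooling: the loan book is constructed, and the rounding of the 10% share, the trimming order when the total cap binds, and the treatment of loans exactly at the threshold are assumptions the policy leaves open.

```python
"""Sample-size calculator for the per-asset-centre rules of Annexure 7.

Constructed example, not the Bank's own tooling. It codes the three-stratum
rule the annexure states for Retail Assets (HL and LAP) and SEL audits:
  (a) every loan above the amount threshold              -> 100%
  (b) every remaining loan overdue for more than 30 days -> 100%
  (c) the remaining loans -> lower of a file cap and 10% of that remainder
  overall sample = lower of a total cap and (a)+(b)+(c)
Two details the policy does not state are assumptions here: the 10% share is
rounded up, and when the total cap binds the strata are trimmed (c), (b), (a).
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Loan:
    loan_id: str
    amount: int        # sanctioned amount in rupees
    days_overdue: int  # 0 for a regular account


@dataclass(frozen=True)
class SamplingRule:
    name: str
    amount_threshold: int  # stratum (a) is every loan strictly above this
    small_file_cap: int    # stratum (c): lower of this and 10% of the remainder
    total_cap: int         # overall sample: lower of this and (a)+(b)+(c)


# Thresholds and caps as given in Annexure 7.
RETAIL_ASSETS = SamplingRule("Retail Assets (HL and LAP)", 20_00_000, 30, 50)
SEL = SamplingRule("Small Enterprise Loans", 8_00_000, 75, 100)


def stratify(loans, rule):
    """Split one centre's loan book into strata (a), (b) and (c)."""
    # Assumption: a loan of exactly the threshold amount counts as 'small'.
    a = [ln for ln in loans if ln.amount > rule.amount_threshold]
    rest = [ln for ln in loans if ln.amount <= rule.amount_threshold]
    b = [ln for ln in rest if ln.days_overdue > 30]
    c = [ln for ln in rest if ln.days_overdue <= 30]
    return a, b, c


def sample_sizes(loans, rule):
    """Return the number of files to review per stratum and in total."""
    a, b, c = stratify(loans, rule)
    # (c): "30 files or 10% of population whichever is less"; the population
    # is taken as the residual stratum and the 10% share is rounded up.
    c_size = min(rule.small_file_cap, (len(c) + 9) // 10)
    sizes = {"a": len(a), "b": len(b), "c": c_size}
    excess = sizes["a"] + sizes["b"] + sizes["c"] - rule.total_cap
    # Trim only when the total cap binds, judgmental stratum first so the
    # two 100% strata survive longest (assumption).
    for stratum in ("c", "b", "a"):
        if excess <= 0:
            break
        cut = min(excess, sizes[stratum])
        sizes[stratum] -= cut
        excess -= cut
    sizes["total"] = sizes["a"] + sizes["b"] + sizes["c"]
    return sizes


def select_sample(loans, rule, seed=0):
    """Loan ids to review: all of (a) and (b) up to the cap, a random draw from (c)."""
    a, b, c = stratify(loans, rule)
    sizes = sample_sizes(loans, rule)
    rng = random.Random(seed)  # seeded so the draw can be reproduced in the work papers
    picked = a[: sizes["a"]] + b[: sizes["b"]] + rng.sample(c, sizes["c"])
    return sorted(ln.loan_id for ln in picked)


def branch_checkpoint_sample_size(population):
    """Bank Branch Audit rule: 25% of the population or 30 cases, whichever is lower."""
    return min(30, (population + 3) // 4)  # 25% rounded up (assumption)


def build_centre(n_large, n_overdue, n_other, rule):
    """Constructed loan book for one centre: n_large loans above the threshold,
    n_overdue small loans 45 days overdue, n_other small regular loans."""
    loans = [Loan(f"L{i:04d}", rule.amount_threshold + 1_00_000, 0) for i in range(n_large)]
    loans += [Loan(f"O{i:04d}", rule.amount_threshold // 2, 45) for i in range(n_overdue)]
    loans += [Loan(f"R{i:04d}", rule.amount_threshold // 4, 0) for i in range(n_other)]
    return loans


if __name__ == "__main__":
    centre = build_centre(3, 4, 43, RETAIL_ASSETS)
    print(sample_sizes(centre, RETAIL_ASSETS))  # {'a': 3, 'b': 4, 'c': 5, 'total': 12}
    print(select_sample(centre, RETAIL_ASSETS))
```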
Preamble
The Bank has chosen technology as a differentiating factor to achieve desired goals.
Technology is a prime factor that encompasses all areas of the organization including
regulatory / statutory compliance. With the introduction of various delivery channels
and customer interfaces, the challenge is to ensure confidentiality, integrity and
availability of data. Well planned and structured audit is essential for risk management
and monitoring and control of Information Systems. IS Audit function therefore becomes
an important tool to review all aspects of technology, its business impacts and risks
associated with the technologies on an on-going basis.
Considering the importance of IS Audit function, this IS Audit Policy has been prepared.
The IS Audit Policy is a subset of Bank’s Internal Audit Policy. Hence various
organizational aspects which are not covered by the IS Audit Policy shall be governed by
Bank’s overall Internal Audit Policy and practice.
1 IS Audit Policy
1.1 Definition
This IS Audit Policy defines the responsibility, authority and accountability of the
Information System Audit function in a documented form, from which IS Audit gets its
mandate to perform its function. This also assists the IS Audit Function to determine how
to achieve the implementation of applicable IS Audit standards, use professional
judgment in their applications and justify any departure therefrom under specific
constraints. Reporting on IT governance in the organization would involve Auditing at
the highest level in the organization and will be across divisional, functional or
departmental boundaries. The Audit Policy for the IS Audit Function includes IT
governance of the organization.
1.2 Mission Statement
To give reasonable assurance to the Board/Top Management that Information Systems
and Infrastructure deployed in the organization together with the business /operational
processes are able to accomplish the information system goals effectively and that the
risks built-in during the process of building such systems are addressed adequately or
are within acceptable limit.
1.3 Aims/Goals of IS Audit Policy
i) To ensure that data integrity, confidentiality and availability across various
systems are maintained
ii) To assess the impact on business/customers due to system change/procedural
changes proposed
iii) To assess the project planning and execution methodology
iv) To evaluate impact on business due to various changes in system
v) To ensure that all system changes/deployments are in alignment with business
and IT strategic objectives
vi) To have timely triggers on various IS/technical risks
vii) To ensure compliance with the Information Technology (IT) Act 2000, the Information
Technology (Amendment) Act 2008 and other IS related guidelines
viii) To ensure that risk based approach is followed in all areas.
1.4 Scope of IS Audit
The scope of IS Audit covers all information systems used by the bank (including
erstwhile Gruh Finance Information Systems) in related activities viz. system planning,
organization, acquisition, implementation, delivery and support to end-users. The scope
also covers monitoring of implementation in terms of its process effectiveness,
input/output controls and accomplishments of system goals. The IS Audit scope includes
testing on the processes for planning and organizing the information systems activities
and the processes for monitoring those activities. The broad scope of the Audit is given
below:
i) Determining effectiveness of planning and oversight of IT activities.
ii) Evaluating adequacy of operating processes and internal controls.
iii) Determining adequacy of enterprise-wide compliance efforts, related to IT policies
and internal control procedures.
iv) Identifying areas with deficient internal controls, recommend corrective action to
address deficiencies and follow-up, to ensure that the management effectively
implements the required actions.
1.5 Objectives
IS Audit shall be required to carry out several assignments. Accordingly, the objective of
all assignments shall be derived based on the mission statement and goals of IS Audit
policy. The individual assignment and report shall carry the specific objectives of the
assignment as applicable.
1.6 Independence
IS Audit, like any other Audit function, is an independent function by itself. IS decision
making, IS operations, Project planning, execution and implementation shall be carried
out by process controllers with set processes and norms. Similarly, business process
owners shall utilize various information systems and the resources to achieve the
business objectives. IS Audit is an independent tool to evaluate whether the processes are
getting executed as per set norms and whether sufficient internal controls and the risk
mitigation mechanism are in place and functioning as intended. Additionally, to ensure
independence for the IS Auditors:
i) Auditors to have unfettered access to information, IT Systems, applications,
databases etc. and facilities (DC/DR/Branches/Vendor Locations etc.);
ii) Auditors will conduct independent data inspection and analysis.
iii) Auditors will independently seek data, carry out system walk through, verify
project & change implementation status etc., independently from vendors /
service providers.
1.7 Relationship with external IS Auditors
The IS Audit plan will be carried out by the in-house audit team. Certain audits may be
outsourced in case of specific skillset requirements.
In all such events of engaging with external agencies, there shall be a formal document
for engagement defining the activity in its totality including the commercial
terms/conditions. The outsourcing will be within the framework of bank’s outsourcing
policy and with the approval of the competent authority.
1.8 Relationship with Internal Auditors
The IS Audit function, as a part of the Internal Audit Department, will work in close
coordination with the Internal Audit team to ensure that effectiveness of controls is built
into all the systems and to identify areas with scope for improvement.
1.9 Coverage of Outsourced Services
IS Audit shall cover the services of outsourced service providers to ensure that they
adhere to the contracted levels of service set out in the Service Level Agreements entered
into with the Bank. The IS Auditor shall verify the compliances by the service providers
to various regulatory and statutory requirements to ensure that Bank is not unduly
exposed to any risks on account of act of commission /omission by them. All service
providers shall, at all times, provide the IS Auditor with necessary support, including
data, information, compliances etc.
1.10 Critical Success Factors
The Information Systems encompass a wide variety of activities throughout the
organization. The embedded risks during the computerization process are very high and
the evolution of business needs keeps on increasing the expectations from IS Audit. It is
therefore critical for the success of IS Audit to achieve the standards and best practices
in a phased manner with continued improvements and enhancements in capabilities.
The success of IS audit is also highly dependent on the support of the Auditee such as:
i) Timely availability of data.
ii) Audit access to the systems and full access to UAT environment.
iii) Time bound response to the queries of the observations.
The auditee department has to ensure that a conducive environment for IS Audit is
provided to ensure its success. All the contracts/SLA with outsourced agencies should
have an explicit provision for IS audit rights.
2 Authority
2.1 Right to Access Information
IS Auditor shall have right of access to information, personnel, locations and systems
relevant to performance of the audit. IS Audit shall have complete right to examine
/evaluate all manual/system related records, documents and any other evidence covered
under organizational activities from employees and outsourced persons and
organizations at all levels. IS Audit shall have a query access to various systems/sub-
systems that are implemented in the organization. IS Audit shall have right to seek
system related information e.g. Architecture design, system functioning, integration etc.
and walk-throughs of System directly from the vendors for expediting the ongoing audit
work.
2.2 Scope or any limitations of scope
Business /product decisions shall not be subjected to IS Audit. However, all associated
systems and their integration as well as related controls would be assessed by IS Audit.
2.3 Functions to be audited
IS Audit shall cover different functions, such as system architecture, IT Governance,
various application systems/ sub-systems/ components for data/ design/
infrastructures/ users/ procedures/ data integrity/ efficiency and effectiveness of any
other area communicated or arising from any other report, with prior approval of the
Head-Internal Audit.
2.4 Reporting relationship
IS Audit function shall report to Chief Audit Executive (Head of Internal Audit).
2.5 IS Audit Skills
The IS Auditors shall meet the following technological proficiency requirements on an
overall basis, such as:
i) Hands-on experience on various aspects of the computerization process with generic
as well as specific skills
ii) Ability to review and evaluate IS Internal Controls
iii) Understanding of the Information System’s design and operations
iv) Knowledge of programming languages and techniques and the ability to apply
computer assisted audit tools and to assess their results.
v) Knowledge of computer operating system and software.
vi) Appropriate number of CISA qualified IS Auditors and remaining should have
required skill, knowledge and expertise.
3 Accountability
The accountability of the IS Auditors shall be governed by the extant policies of the Bank.
4 IS Audit Planning
4.1 Risk Based Audit Approach
The IS Audit will follow a Risk Based approach. The IS Auditors shall assess the Risks to
any information system by evaluating the probability of an untoward event occurring
and its impact on business. In case any significant incidence occurs that considerably
impacts business, the risk to those information systems in question shall be evaluated and
be subject to immediate audit. The risk assessment methodology shall include system
definition, threat identification, vulnerability identification, control analysis, probability,
Impact analysis and risk determination.
IS Auditors will periodically review the status of the Risk in the information systems and
the Internal Control Processes and in case of necessity, include an area of high risk in the
Audit Plan. Accordingly, the auditee units will keep the auditors up-to-date on major
changes, such as introduction of a new product, implementation of a new system,
application conversions, significant changes in organisation or staff, regulatory and legal
requirements, and security incidents, if any.
4.2 Defining the IS Audit Universe
Defining the Audit Universe is the first step of the risk assessment process. It defines the
areas which are subject to audit. It is usually a high-level structure that identifies
processes, resources, risks and controls related to IT, allowing for a risk-based selection
of the audit areas.
The IS Audit Universe can be classified under the broad heads, Application systems, IT
processes / operations, IT Infrastructure (technology and facilities such as hardware,
operating systems, database management systems, networking, multimedia, and the
environment that houses and supports them and enable processing of applications) and
People (internal or outsourced personnel required to plan, organise, acquire, implement,
deliver, support, monitor and evaluate the information systems and services).
Due to frequent changes in the existing IT infrastructure and implementation /
acquisition of new applications, Information Technology and Information Security
department shall provide an updated inventory of information systems and a list of projects &
major changes to be implemented in the next six months, on a half-yearly basis, to the IS
Audit team for updating the IS Audit Universe and reassessing the risk in the Information
Systems ecosystem.
4.3 Information System Risk Assessment methodology
The risk assessment process should, inter alia, include the following: -
i) Identification of inherent IT risks in each Information System Units in the bank.
ii) Evaluation of the effectiveness of the control systems for monitoring the inherent
risks in the Information System Units (`Control risk’)
iii) Drawing up a risk-matrix taking into account both the factors viz., inherent and
control risks. An illustrative risk-matrix is shown in the Audit Policy (Part-II)
under “Risk Matrix for the Bank”.
4.3.1 Identification of inherent risks in Information system units
The following factors will be considered for gauging the Inherent Risk in the system:
business criticality, regulatory requirements, amount or value of transactions processed,
extent of customer information held, customer facing systems, financial loss potential,
experience of management and staff, staff turnover, technical competence, degree of
delegation, technical and process complexity, stability of application, age of system,
training of users, number of interfaces, availability of documentation, extent of
dependence on the IT system, confidentiality requirements, major changes carried out,
previous audit observations and extent of senior management oversight. These risk
factors shall be grouped into the following six basic risk categories:
i) Financial Impact: a) Business criticality b) Loss of revenue c) Value of transactions processed
ii) Operations Risk: a) Volume of transactions b) Number of users impacted c) Critical systems/services impacted d) Loss of information
iii) Reputation Risk: a) Reputation risk on account of outsourcing b) Number of customers impacted c) Impact by media news
iv) Legal & Regulatory Risk: a) Impact on the legal & regulatory compliance b) Regulatory findings
v) IT Environmental Risk: a) Changes in the system b) Number of interfaces c) Exposed to internet d) Existence and effectiveness of BCP/DRP
vi) Miscellaneous Risk: a) Experience of management and staff b) Technical competence, training of users c) Technical and process complexity d) Previous audit reports and compliance level
Inherent system risks indicate the intrinsic risk in a particular system /process of the
Bank and could be grouped into low, medium and high categories depending on the
severity of risk. The process of inherent risk assessment may make use of both
quantitative and qualitative approaches.
4.3.2 Measurement of impact of risk parameters
The risk parameters as defined above for all the risks are considered for arriving at the
score for Inherent Risk. A high, medium or low score is assigned to each parameter,
wherever applicable. Based on these scores for each risk parameter, an aggregate score
for that risk category is quantified and a score on the scale of 1 to 6 (High 5-6, Medium 3-
4 and Low 1-2) is awarded to each of the six risks listed above. Where an information
System is not exposed to a particular risk, a score of zero is given.
The maximum Risk score would be 36 (aggregate of the six primary risks) for any
information system. Based on discussion and internal judgment, an inherent risk of up to
20% of the maximum may be considered as “low”, between 21% and 50% may be considered as
“medium” and inherent risk greater than 50% may be considered as “high”.
4.3.3 Control Risk evaluation and rating of an IS System
The previous audit rating will be considered as an indicator of the level of control risk.
Control risks arise out of inadequate control systems, vulnerabilities/gaps and/or likely
failures in the existing controls. The control risks could also be classified into low,
medium and high categories. Control Risk would be numerically indicated on a “0 to
100” scale, with a score of “0” being the ideal score, which would indicate that the risk is
fully covered by the existing controls. The control risk score for the IS System is arrived
at by subtracting the audit score from 100, in respect of all units which have undergone
internal audit previously. The control risk score in respect of previously unaudited units
will be based on subjective judgment based on the criticality of the system and
importance of the unit in the scheme of things. In such instances generally, the control
risk is taken as the same as the inherent risk in the first year of audit.
In order to measure the extent to which the inherent risks are addressed by controls,
three threshold levels viz. “High”, “Medium” and “Low” have been defined. These would be
expressed in terms of percentage as under:
Control Risk    Score
Low             10% and below
Medium          Between 10% and 30%
High            Above 30%
The gaps observed in the controls vis-a-vis the inherent risks give the control risk or the
residual risk. The residual risks can be classified into Extremely High, Very High, High,
Medium and Low based on the following and accordingly fall in the respective cells of
the Risk Matrix.
4.3.4 Risk Matrix for the Information Systems of the Bank
Based on the Control Risk Score and the Inherent Risk Scores, a Risk Matrix for the Bank
is prepared comprising all Information System Units. Based on the Inherent Risk and
Control Risk for each IS Unit, the same will be placed in the Risk Matrix as under:
Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risk    Control Risk: Low       Control Risk: Medium      Control Risk: High
High                      “4” High Risk           “2” Very High Risk        “1” Extremely High Risk
Medium                    “7” Medium Risk         “5” High Risk             “3” Very High Risk
Low                       “9” Low Risk            “8” Medium Risk           “6” High Risk

[ Inherent Risk: Low 0-7, Medium 8-18, High 19-36 ]
[ Control Risk: Low <10%, Medium 10%-30%, High >30% ]
In the overall risk assessment both the inherent IT risks and control risks should be
factored in. The overall risk assessment as reflected in each cell of the risk matrix is
explained below:
1 – Extremely High Risk – Both the inherent business risk and control risk are high, which makes this an Extremely High Risk area. This area would require immediate audit attention and maximum allocation of audit resources, besides ongoing monitoring by the bank’s top management.
2 – Very High Risk – The business unit/area is perceived to have “high” inherent risk coupled with medium control risk, which makes this a Very High Risk area.
3 – Very High Risk – Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.
4 – High Risk – The business unit/area is perceived to have “high” inherent risk, but the control risks as borne out by the previous audit ratings are weak (cells 4, 5 & 6).
5 – High Risk – Although the inherent business risk is medium, this is a High Risk area because the control risk is also medium.
6 – High Risk – Although the inherent business risk is low, due to high control risk this becomes a High Risk area.
7 – Medium Risk – Although the control risk is low, this is a Medium Risk area due to medium inherent business risk.
8 – Medium Risk – The inherent business risk is low and the control risk is medium.
9 – Low Risk – Both the inherent business risk and control risk are low.
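The scoring pipeline of 4.3.2 to 4.3.4 carried through end to end, as an added worked example (constructed illustration, not the Bank's own tooling): six category scores are aggregated to the 0-36 inherent score, control risk is derived from the previous audit score (or from the inherent risk for a never-audited unit), both are banded, and the pair is placed in the nine-cell matrix; the audit cycle per rating from section 7 is applied to the result. The unit names and scores are made up; the handling of scores exactly on the 10% and 30% control-risk lines and the first-year conversion of inherent risk to a 0-100 control-risk score are assumptions, since the text does not fix them.

```python
"""Worked example of the IS risk-scoring pipeline of sections 4.3.2 to 4.3.4
(constructed illustration, not the Bank's own tooling).  Thresholds and the
nine-cell matrix follow the policy text; boundary handling, the first-year
control-risk conversion and the section 7 audit cycle are assumptions."""

# Six primary risk categories (4.3.1).  Each is scored 0 when the system is
# not exposed to that risk, otherwise 1..6 (Low 1-2, Medium 3-4, High 5-6).
RISK_CATEGORIES = ("financial", "operations", "reputation",
                   "legal_regulatory", "it_environment", "miscellaneous")
MAX_INHERENT_SCORE = 6 * len(RISK_CATEGORIES)   # 36

# Cell number and rating of the 4.3.4 Risk Matrix, keyed by
# (inherent risk band, control risk band).
RISK_MATRIX = {
    ("High", "Low"): (4, "High Risk"),
    ("High", "Medium"): (2, "Very High Risk"),
    ("High", "High"): (1, "Extremely High Risk"),
    ("Medium", "Low"): (7, "Medium Risk"),
    ("Medium", "Medium"): (5, "High Risk"),
    ("Medium", "High"): (3, "Very High Risk"),
    ("Low", "Low"): (9, "Low Risk"),
    ("Low", "Medium"): (8, "Medium Risk"),
    ("Low", "High"): (6, "High Risk"),
}

# Audit cycle in months per rating, as listed in section 7 of the policy.
AUDIT_CYCLE_MONTHS = {"Extremely High Risk": 9, "Very High Risk": 12,
                      "High Risk": 15, "Medium Risk": 18, "Low Risk": 24}


def inherent_risk_score(category_scores):
    """Aggregate the six category scores (0..6 each) into the 0..36 total."""
    total = 0
    for cat in RISK_CATEGORIES:
        s = int(category_scores.get(cat, 0))   # missing category = not exposed
        if not 0 <= s <= 6:
            raise ValueError(f"{cat}: score {s} outside 0..6")
        total += s
    return total


def inherent_risk_band(score):
    """Low: up to 20% of 36 (0-7); Medium: 21%-50% (8-18); High: above 50%."""
    pct = 100.0 * score / MAX_INHERENT_SCORE
    if pct <= 20:
        return "Low"
    if pct <= 50:
        return "Medium"
    return "High"


def control_risk_score(previous_audit_score, inherent_score):
    """Control risk on the 0..100 scale of 4.3.3 (0 = risk fully controlled).

    Previously audited unit: 100 minus its audit score.  Never-audited unit:
    control risk is taken equal to inherent risk in the first year, read here
    as the inherent score as a percentage of 36 (assumption)."""
    if previous_audit_score is None:
        return 100.0 * inherent_score / MAX_INHERENT_SCORE
    if not 0 <= previous_audit_score <= 100:
        raise ValueError("audit score must be within 0..100")
    return 100.0 - previous_audit_score


def control_risk_band(score):
    """Low: 10% and below; Medium: above 10% up to 30%; High: above 30%.
    Assumption: a score exactly on the 10% or 30% line is in the lower band."""
    if score <= 10:
        return "Low"
    if score <= 30:
        return "Medium"
    return "High"


def assess_unit(unit, category_scores, previous_audit_score=None):
    """Run the whole pipeline for one Information System Unit; returns a dict."""
    inh = inherent_risk_score(category_scores)
    inh_band = inherent_risk_band(inh)
    ctl = control_risk_score(previous_audit_score, inh)
    ctl_band = control_risk_band(ctl)
    cell, rating = RISK_MATRIX[(inh_band, ctl_band)]
    return {"unit": unit, "inherent_score": inh, "inherent_band": inh_band,
            "control_score": ctl, "control_band": ctl_band, "cell": cell,
            "rating": rating, "audit_cycle_months": AUDIT_CYCLE_MONTHS[rating]}


if __name__ == "__main__":
    # Constructed sample units; names and scores are made up for illustration.
    cbs = assess_unit("core banking (constructed)",
                      {"financial": 6, "operations": 6, "reputation": 5,
                       "legal_regulatory": 5, "it_environment": 4,
                       "miscellaneous": 3}, previous_audit_score=65)
    portal = assess_unit("intranet portal, never audited (constructed)",
                         {"financial": 1, "operations": 2, "legal_regulatory": 1,
                          "it_environment": 2, "miscellaneous": 1})
    for a in sorted([cbs, portal], key=lambda r: r["cell"]):  # cell 1 first
        print(f"{a['unit']}: cell {a['cell']} {a['rating']}, "
              f"audit every {a['audit_cycle_months']} months")
```

With these constructed inputs the core banking unit lands in cell 1 (inherent 29/36, control risk 35%) and the never-audited portal in cell 8 (inherent 7/36, control risk taken as 19.4%).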
4.3.5 Risk Profiling of Auditable Units
Where any IS entity itself comprises several independent auditable units with different
levels of controls, like servers, applications, networking and information security systems
etc., the following approach will be taken:
A risk map of all the auditable units will be prepared taking the “inherent risk” of the
individual units to be the same as that of the group. The control risk of the individual
auditable units would be derived from the previous audit ratings as well as other factors
like any frauds detected etc.
Direction of Risk: As detailed in Part II – Audit Policy.
4.4 Scoping for IS Audit
The scope of IS Audit includes the identification of controls and activities to be tested for
assessing effectiveness. The scope will be decided based on the risk assessment. While
scoping the audit, the factors like control objective, materiality and fraud risk will be
considered in addition to other requirements. IS Audit shall also cover large as well as
critical branches to assess areas such as control of passwords / user-ids, operating system
security, maker/checker, physical security, BCP Policy etc.
4.5 Documenting the Audit Plan
The IS Audit Plan will be a formal document to be prepared as part of the overall internal
audit plan. The components of Audit Plan shall include subject, nature, period and scope
of audit. Audit approach, audit methodology, audit consideration for irregularities and
audit evidence / information is given in Annexure I to IV.
5 Issue Assessment Framework
The process of issue assessment identifies the risk level of audit observations as L1, L2,
L3 and L4 depending upon the potential impact of the control weakness / vulnerabilities
observed during the audit and the likelihood of its occurrence. The matrix for classifying
the observation level is as under:
Impact (rows) vs. Likelihood (columns)

Impact      Less Likely    Possible    Most Likely
Very High   L2             L1          L1
High        L3             L2          L1
Medium      L4             L3          L2
Low         L4             L4          L3
The likelihood and the impact assessed would be broadly carried out by taking into
consideration the following factors.
Likelihood
Most Likely: Has happened in several instances or process gaps exist.
Possible: Could happen in the foreseeable future.
Less Likely: Less likely to happen.
Impact
The Auditor shall use qualitative as well as quantitative risk assessment approach for
arriving at the risk level of the audit issues. The following parameters will be used for
risk assessment of the issues, and the impact assessed while applying these parameters.
Parameters: Customers affected; Financial impact; Brand & reputation impact; Systems / services affected; Regulatory, internal policy and legal implications; Information security risk / system users impacted.

Very High
  Customers affected: > 2%
  Financial impact: > Rs. 25 lacs
  Brand & reputation impact: Coverage in high profile global / national media which could lead to significant damage to the brand
  Systems / services affected: Poses any systemic risk. Critical business system / service is affected.
  Regulatory, internal policy and legal implications: Non-compliance with regulatory guidelines / law having impact of possible penalty from regulatory / law enforcement bodies. Not complying with Statutory Audit or RBI Audit observations.
  Information security risk / system users impacted: i) Potential loss of all information ii) > 5000 users affected iii) Application security testing / VAPT not conducted in case of public facing applications.

High
  Customers affected: 1 - 2%
  Financial impact: > Rs. 10 lacs and up to Rs. 25 lacs
  Brand & reputation impact: Coverage in industry specific / local media which could lead to negative impact on the brand
  Systems / services affected: Poses any undefined or unexpected risks. Non-critical business systems / services are affected.
  Regulatory, internal policy and legal implications: Non-compliance with regulatory guidelines / law not having direct impact of penalty. Non-compliance with Bank’s Policy or PCMC approved process.
  Information security risk / system users impacted: i) Potential loss of confidential information ii) 500-5000 users affected iii) Application security testing / VAPT not conducted in case of internal financial applications e.g. CBS, ITMS

Medium
  Customers affected: Up to 1%
  Financial impact: > Rs. 5 lacs and up to Rs. 10 lacs
  Brand & reputation impact: Negative information limited to employees / vendors
  Systems / services affected: Only support services are affected, but business can run as usual.
  Regulatory, internal policy and legal implications: No violation of any regulatory guidelines / law. Partial non-compliance with the Policies / SOPs.
  Information security risk / system users impacted: i) Potential loss of internal information ii) < 500 users affected iii) Application security testing / VAPT not conducted in case of internal applications – non-financial but identified as critical e.g. AML, ALM.

Low
  Customers affected: No customers affected
  Financial impact: Up to Rs. 5 lacs
  Brand & reputation impact: Negative information in closed user group
  Systems / services affected: No systems / services affected
  Regulatory, internal policy and legal implications: No implication
  Information security risk / system users impacted: i) Potential loss of public information ii) No users affected iii) Application security testing / VAPT not conducted in case of non-critical internal applications.
Under the overall Issue Assessment Framework detailed above, detailed issue
assessment illustrations for IS Audit, based on specific audit issues identified in IS Audit,
have been separately drawn up and are given in Annexure V.
Reporting and Communication and the Escalation Matrix will be the same as per the
Internal Audit Policy.
6 Performance of Audit Work
6.1 Review of System Strategies
System strategies shall be reviewed by analysing –
i) Minutes of meetings of the Board of Directors for audit information relating to the consideration of matters concerning the information systems and their control, and the supporting materials for any such items.
ii) Minutes of meetings of the Audit Committee of the Board of Directors for audit information relating to the consideration of matters concerning the information systems and their controls, and the supporting materials for any such items.
iii) Assessment of the risk associated with the organization’s use of the information systems and the approach to managing those risks
iv) IS strategy, plans to implement the strategy and monitoring of progress against those plans
v) High level policies for IS use and the protection and monitoring of compliance with these policies
vi) Major contract approvals and monitoring of suppliers’ performance
vii) Monitoring of performance against Service Level Agreements
viii) Acquisition of major systems and decisions on implementation
ix) Impact of external influences on IS such as the internet, merger of suppliers or liquidation etc.
x) Business Continuity Planning, Disaster Recovery management, Contingency Planning, testing thereof and test results
6.2 Review of system related policies /compliance
The IS Auditor will consider whether the system related policies cover all of the
appropriate areas for which board-level direction is necessary in order to provide
reasonable assurance that the business objectives are met. Such policies on board-level
direction will be required to be documented, and such documented policies shall, among
others, include the Security Policy, Outsourcing Policy etc.
6.3 Organization and Administration
IS Audit shall check for segregation of duties, the dual-control aspect in performing
important operations, the level of training imparted to staff, availability of skilled personnel
to run critical operations with suitable backup arrangements, maintenance of records for
work assigned to staff, rotation and other aspects critical to smooth operation of all
systems.
6.4 Review of system responsibilities of owners of business process
The IS Auditor will be required to review the responsibilities of the business process owners,
as under, and assess whether these are appropriate to support the policies and goals of
the Bank.
i) Reports of attempted access to the systems supporting business processes and follow-up action taken
ii) Reports of changes of user access rights, including new users and those whose access rights have been removed
iii) Reports of the results of the business continuity tests and follow-up action taken
iv) Reports on the results of feasibility studies and the tendering process for systems acquisition
v) Reports of the results of the users’ acceptance testing of new systems or changes to the existing system
vi) Reports on performance against agreed service levels
vii) Statistics on the availability, number of failures, number of system changes requested and implemented etc.
viii) Status of the system changes in progress
ix) Reports of changes to corporate data dictionary entries
x) Reports on input control / process control features
Assessment of the systems which produce the above information, and of their reliability,
integrity and potential for management override.
6.4.1 Consideration of external factors
The IS Auditor will be required to verify that the organization has put in place procedures
to monitor external factors, like regulatory compliance, which are relevant to the
organization.
6.4.2 Materiality
During the performance of IS Audit, the concept of materiality will play a vital role.
Criteria such as criticality of business process supported by systems, cost of system,
potential cost of error, number of access per period etc. shall be considered while
determining materiality.
7 Frequency of Audit
i) IT Systems will be divided into five risk categories viz extremely high, very high,
high, medium and low based on the risk matrix.
ii) Frequency of the system audit will be as per the audit plan, depending upon the risk
factors or the level of criticality of operation of the auditee unit: extremely high (9
months), very high (12 months), high risk (15 months), medium risk (18 months) and
low risk (24 months).
iii) New IT systems or those systems, which have undergone major changes, shall be
audited within six to twelve months of implementation
iv) All the systems, domains and processes irrespective of their risk levels shall be
covered within a period of two years.
v) Notwithstanding the above, IT governance, Information security governance, Data
Centre, IT processes, critical business applications and MIS systems shall be
subjected to audit at least once a year.
8 Compliance and Closure of Audit Report
The Auditee shall be required to send comments/compliance within a month from the
date of issue of final audit report. The summary of report along with compliance, will be
placed before the Audit Committee of the Board. The compliance shall normally be
completed within 3 months from the date of the report. Any area pending compliance
shall be addressed within a defined time frame which shall be tracked through the ATR
(Action tracking report). The audit report shall be deemed to be closed after verification
by audit that all major observations have been complied with.
9 Audit Documentation
Audit evidence/information gathered by the IS Auditor would be appropriately
documented and organized to support the IS Auditor’s findings and conclusions.
Following documents would form a part of audit documentation:
i) Test reports
ii) Snapshot reports
iii) E-mail correspondence
iv) Any other important document/information/audit back papers
v) Audit Committee reports
10 Restriction of Scope
In the event the IS Auditor has reason to believe that sufficient audit
evidence/information cannot be obtained, the IS Auditor shall disclose this fact in a
manner consistent with the Audit Policy and the guidelines laid out herein for
communication of audit results.
IS Audit Annexure – I: Audit Approach
1. Audit Phases
IS Audit follows a three-phase process. The first phase is the audit planning phase
followed by the test of controls phase and finally the substantive testing phase.
In the planning or first phase, an IS Auditor will identify the various risks and exposures
and the security controls which provide safeguards against these exposures. The tests
which need to be conducted in the second phase of the audit will also be planned in
detail in the first phase.
In the second phase, the security controls will be tested. Control activities in the
organization are the policies and procedures used to ensure that appropriate actions are
taken to deal with the organization’s identified risks. One of the primary areas of IS Audit
will be to check the effectiveness of these security controls. Control activities in turn, are
divided into two major areas- System Controls and Physical Controls. Within system
controls and security controls are the general control and the application controls.
General controls pertain to area-wise concerns such as controls over the data centre,
organizational data bases, system development and program maintenance. Application
controls will ensure the integrity of specific application software. Physical controls
include access control, transaction authorization, segregation of duties, supervision,
accounting records and independent verification.
In the third or the substantive testing phase, individual transactions are tested. The IS
Audit substantive tests extensively use computer assisted audit tools and techniques.
Audit of Information Systems is a very challenging job, especially in the light of the fast
changing pace of information technology including communication systems. All these
phases will be implicit in nature and would get reflected only through audit report.
2. Change Control Management
Considering the fact that business runs on an on-going basis, most of the application systems,
network systems and various components thereof constantly undergo changes. It is
essential, therefore, that these changes take place in a controlled manner, in a controlled
environment, and that processes exist for the same. The IS Auditor would review changes
made to all the systems on a need / perception of risk basis or on a routine basis. This would
be a fixed component of the IS Audit Function.
3. IS Audit at Branches
i) IS Audit from time to time may issue checklist for branches or units so that
internal/concurrent auditors can use them at branches or units.
ii) Special IS Audit may be carried out at branches or units for evaluating
data/procedural integrity/security or any such IS activity.
iii) Visits to branches or units on a routine/surprise basis may be planned to assess
overall effectiveness.
iv) Branches/units IS Audit Reports compiled across branches/units would help IS
Audit to carry out further planning.
During the branch rating exercise, the IS Audit exercise will be given appropriate
weightage.
4. Overall Assessment
Based on the various system documents, key discussions, risk assessments and
evaluation of internal controls, IS Auditor would do an overall assessment of the system.
IS Audit Annexure – II: Audit Methodology
1. Testing Methodology
Audit activities are broadly divided into five major steps for the convenience and
effective conduct of audit. (a) Planning IS Audit (b) Test of Control (c) Test of transactions
(d) Test of Balances (e) Completion of audit.
i) Planning IS Audit: Planning IS Audit includes understanding of the objectives to
accomplish the audit, collecting background information, assigning appropriate staff
keeping in mind skills, aptitude etc. and identifying the areas of risk. Risk analysis of
the operating systems is carried out to identify the system with highest risks,
considering the critical nature of the information processed through such system as
well as the number and the values of the transactions processed. This is to identify
the systems having the highest risks and decide on the extent of the detailed analysis
and testing to be conducted on those systems. Risk assessments can be done through
review of previous audit reports/papers, interview/interaction with the
management and the information system personnel, observations of the activities
carried out within the information systems function and review of information
system documentation.
ii) Test of controls: IS Auditor will participate in various activities and will be in touch
with employees. Internal Controls will be tested to evaluate whether they operate
effectively on an on-going basis. This includes testing of management controls and
application controls. The objective is to evaluate the reliability of the controls and find
out the weaknesses of the controls for meeting the IS Audit objectives. IS Auditor
would make recommendations to rectify the weaknesses, observed during the course
of an IS Audit. While carrying out tests of controls, the IS Auditors should satisfy
themselves regarding the following aspects of controls right from pre-design stage to
post-implementation stage: identification, implementation, existence, adequacy,
documentation, maintenance and monitoring.
iii) Test of Transactions: Tests of transactions would be used to evaluate whether
erroneous transactions have led to a material misstatement of the financial
information and whether the transactions have been handled effectively and
efficiently. The objective is to evaluate data integrity. Such tests include the
tracing of journal entries to their source documents, the examination of price/rate
files, the testing of computational accuracy, the study of the transaction log, etc. These
tests are used to indicate the database system's effectiveness.
iv) Completion of audit: This is the final stage of IS Audit. IS Auditors would form their
opinion, clearly indicating their findings, analysis and recommendations. Potential
IS Audit findings would be discussed with the appropriate /authorized personnel
throughout the course of IS Auditing. Preliminary conclusions and the audit findings
would be presented to the auditee during closure of the audit. All potential findings
with sufficient merits and preliminary IS Audit recommendations will be placed for
discussion. Work papers used in the auditing should be well organized, clearly
written and address all the areas included in IS Audit. IS Audit work papers should
contain sufficient evidence/information of the tasks performed and the conclusions
reached, including the results achieved, issues identified and the final opinion. The
audit report will include an introduction to the audit objectives, scope, general
approach employed and summary of the critical findings, and the auditor
recommendations.
2. Sub-system factoring
The IS systems of the Bank are huge and highly complex in nature, encompassing various
activities, procedures and people. Hence, it may not be possible to have comprehensive
coverage of activities at any given point of time. The systems can therefore be factored
into various sub-systems, based on inherent cohesiveness and interdependencies. Each
factored sub-system can then be evaluated for audit purposes.
3. Control through IS procedural definitions
The IS environmental controls, infrastructural controls, data integrity controls and
operational controls form a fundamental basis for governing the various activities happening
in the organization. IS Audit would, therefore, lay great emphasis on IS procedural
manuals covering these topics. IS Audit would review these manuals for continuous
enhancement and compliance.
4. Network and security audit
All areas of network, including wide area network, local area network, data center
management, security architecture, shall fall under the purview of IS Audit.
5. Checklist
Any checklists used for IS Audit shall be updated on an on-going basis.
IS Audit Annexure - III: AUDIT CONSIDERATIONS FOR IRREGULARITIES
Due professional care and the observance of internationally accepted professional
auditing standards would be exercised by the IS Auditor in all aspects of IS Auditing.
The Information Systems Auditor will plan the information systems audit work to
address the audit objectives and to comply with internationally accepted professional
auditing standards. Further, during the course of IS Auditing, the Information Systems
Auditors would obtain sufficient, reliable, relevant and useful evidence/information to
achieve the audit objectives effectively. In addition, the audit findings and conclusions
have to be supported by appropriate analysis and interpretation of this
evidence/information by the IS Auditor. The Information Systems Auditor will provide a
report in an appropriate form to the Head-Internal Audit upon the completion of the
audit work.
In planning the audit work as appropriate for the nature of the audit assignment, the IS
Auditor would use the results of the risk assessment to determine the nature, timing and
extent of the testing required in order to obtain sufficient audit evidence /information to
provide reasonable assurance that the irregularities, which could have a material effect
on the area under audit or on the organization as a whole, will be identified and that the
control weaknesses, which would fail to prevent or detect material irregularities will be
identified.
IS Audit Annexure – IV: AUDIT EVIDENCE/INFORMATION
1. Consideration under audit evidence
When planning the IS Audit work, the IS Auditor would take into account the type of
audit evidence/information to be gathered, its use as audit evidence/information to meet
the audit objectives and its varying levels of reliability. Among the things to be
considered is the independence of the provider of the audit evidence/information. For
example, corroborative audit evidence/information from an independent third party can
be more reliable than audit evidence/information from the organization being
audited. Physical audit evidence/information is generally more reliable than the
representation of an individual.
The various types of audit evidence/information which the IS Auditor should consider
using include: (a) Observed processes and existence of physical items (b) Documentary
audit evidence/information (c) Representations (d) Analysis of observed processes and
existence of physical items.
Documentary audit evidence/information, recorded on paper or other media, can
include: (a) Results of data extraction (b) Records of transactions (c) Program listings (d)
Invoices, activity and control logs (e) System development documentation.
Representations of those being audited can be audit evidence/information such as: (a)
Written policies and procedures (b) System flow charts (c) Written or oral statements.
The results of analysing information through comparison, simulations, calculations and
reasoning can also be used as audit evidence/information. Examples include: (a)
Benchmarking IS performance against other organizations or previous periods (b)
Comparison of error rates between the application transactions and the users.
2. Availability of audit evidence/information
The IS Auditor should consider the time during which the evidence/information exists
or is available in determining the nature, timing and extent of substantive testing and, if
applicable, compliance testing. For example, audit evidence/information processed
by Electronic Data Interchange (EDI), Document Image Processing (DIP) and dynamic
systems such as spreadsheets may not be retrievable after a specific period of time if
changes to the files are not controlled or the files are not backed up. Since it is not possible
for an internal auditor to make multiple copies of system documents, the IS Auditor would
sign the various documents produced for the purpose of audit and would advise the auditees
to preserve these documents for further reference.
3. Selection of audit evidence/information
The IS Auditor would plan to use the best audit evidence/information attainable,
consistent with the importance of the audit objectives and the time and effort involved in
obtaining the audit evidence/information. When the audit evidence/information
obtained in the form of oral representations is critical to the audit opinion or conclusion,
the IS Auditor would consider obtaining documentary confirmation of the
representation, either on paper or on other media.
4. Nature of audit evidence/information
Audit evidence/information should be sufficient, reliable, relevant and useful in order to
form an opinion or support the IS Auditor’s finding and conclusions. If in the IS Auditor’s
judgment, the audit evidence/information obtained does not meet these criteria, the IS
Auditor should obtain additional audit evidence/information.
5. Gathering audit evidence/information
The procedures used to gather audit evidence/information vary depending on the
information system being audited. The IS Auditor would select the most appropriate
procedure for the audit objective. The following procedures will be considered:
(a) enquiry (b) observation (c) inspection (d) confirmation (e) re-performance
(f) monitoring. The above can be applied through the use of manual audit procedures,
computer assisted audit techniques or a combination of both.
Detailed transaction records may be available in machine-readable format, requiring the
IS Auditor to obtain audit evidence/information using Computer Assisted Audit
Techniques (CAAT). Often, system records, design documents, system flow charts,
system manuals and notes also form part of the audit evidence. It is, however, not possible
to duplicate these records only for the purpose of audit. In all such events, Audit would
send a communication to the auditees to preserve a set of documents as part of the audit
evidence.
IS Audit Annexure – V: Issue Assessment Illustrations
IT General Controls (ITGC)
Issue Assessment Illustrations
Issue Assessment level: L-1
Scenario one: Impact is Very High and Likelihood can be Possible or Most Likely
Scenario two: Impact is High and Likelihood can be Most Likely
Sr. No. Types Findings
1 IT Operations Downtime of identified critical systems impacting more than 5000 users and issue occurred more than one time
2 IT Operations Corruption and/or Leakage of all data and information. E.g. the RAID failure of storage system due to improper configuration. The sensitive data like PII, business sensitive data can be extracted from the system
3 IT Operations Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. no redundant system for biometric authentication system or any such application which is required to be highly available during the business time.
4 IT Operations Lack of system capacity to process transactions in a timely manner preventing the posting of any new transactions. E.g. unable to process RTGS transactions, AML data, impacting regulatory / statutory return submission.
5 Logical Access Users have unauthorized access to the systems. E.g. access to core application or IT infrastructure is possible with little efforts like manual brute forcing or social engineering techniques
6 Logical Access Segregation of duties (SoD) not being configured appropriately as business users have access to administrative privileges for the concerned applications. E.g. SoD not implemented in SWIFT processing system or the network administrator has access to system administration, DBA has access to OS, Security administrator has access to any of the systems in bank except any of the system required for security monitoring and control.
7 Change Management Unauthorized changes migrated in the systems.
8 Change Management Lack of SoD in the change management process enabling the Developer to migrate its own code to the production environment.
Issue Assessment level: L-2
Scenario one: Impact is Very High and Likelihood is Less Likely
Scenario two: Impact is High and Likelihood is Possible
Scenario three: Impact is Medium and Likelihood is Most Likely
1 IT Operations Downtime of identified critical systems impacting 500-5000 users (confined to single instance)
2 IT Operations Corruption and/or Leakage of confidential data and information. E.g. corruption of data file impacting the availability of the system for couple of days, leakage of information like bank’s internal policies, processes, employee information etc.
3 IT Operations Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. no backup being taken for business critical data, no redundant network connectivity impacting business of large branches.
4 IT Operations Lack of system capacity to process transactions in a timely manner preventing the posting of any new transactions. E.g. slow systems impacting report generation which are having regulatory impact or business requirement
5 Logical Access Users have unauthorized access to the systems (impact to be measured as per Risk Assessment guidelines).
6 Logical Access Segregation of duties not being configured appropriately as business users have access to administrative privileges for the concerned applications. E.g. end user can execute end to end transaction processing or make change in system configuration.
7 Change Management No documented change management policy / process to ensure consistent system changes.
8 Change Management Developers have access to the Production environment
9 Change Management Inadequate testing of changes before moving to production
10 Change Management Developers have access to the Production environment for migration of changes
Issue Assessment level: L-3
Scenario one: Impact is High and Likelihood can be Less Likely
Scenario two: Impact is Medium and Likelihood can be Possible
Scenario three: Impact is Low and Likelihood can be Most Likely
1 IT Operations Downtime of identified critical systems impacting 0.1-1% of the entire user base
2 IT Operations Corruption and/or Leakage of internal data and information. E.g. leakage of internal information like, user manuals
3 IT Operations Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. restoration of backup not being tested, inadequate documentation of backup and recovery procedures.
4 IT Operations Lack of system capacity to process transactions in a timely manner preventing the posting of any new transactions. E.g. CPU unable to process days volume within time
5 Logical Access Users have unauthorized access to the systems. E.g. non-compliance with password policies
6 Logical Access Segregation of duties not being configured appropriately as business users have access to administrative privileges for the concerned applications. E.g. one user assigned multiple roles like back office users performing mid-office tasks.
7 Change Management No documented review and approval of changes, no roll-back procedure.
8 Change Management Developers have access to the Production environment to support infrastructures.
9 Change Management Improper prioritization of changes, no post implementation review of changes
Issue Assessment level: L-4
Scenario one: Impact is Medium and Likelihood can be Less Likely
Scenario two: Impact is Low and Likelihood can be Less Likely
Scenario three: Impact is Low and Likelihood can be Possible
1 IT Operations Downtime of identified critical systems impacting no users
2 IT Operations Corruption and/or Leakage of all data and information. E.g. end users data backup corruption, unavailability of shared drives
3 IT Operations Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. end user desktop backups not performed.
4 IT Operations Lack of system capacity to process transactions in a timely manner preventing the posting of any new transactions. E.g. unavailability of non-critical systems
5 Logical Access Users have unauthorized access to the systems. E.g. Email access to users
6 Logical Access Segregation of duties not being configured appropriately as business users have access to administrative privileges for the concerned applications. E.g. SoD conflicts in non-critical systems
7 Change Management Inadequate documentation of changes
Application Controls
Issue Assessment Illustrations
Issue Assessment level: L-1
Scenario one: Impact is Very High and Likelihood can be Possible or Most Likely
Scenario two: Impact is High and Likelihood can be Most Likely
Sr. No. Types Findings
1 Input Transaction Unauthorized and incomplete data entry. E.g. NPA classification, no input validation in regulatory reporting, amount filled without validation
2 Input Transaction Duplicate data entry in the systems. E.g. duplicate creation and approval of loan account
3 Processing Incomplete transaction processing in the systems. E.g. creation of customer accounts without KYC
4 Processing Duplicate transaction processing in the systems. E.g. duplicate RTGS / NEFT / UPI transactions
5 Output Non-availability of the information. E.g. generation of incorrect regulatory reports
6 Master Data Unauthorized changes in the master data of systems. E.g. table level changes in the database of financial transaction
7 Master Configuration Inaccurate configuration of interest rate methodology during leap year
8 Configuration Incorrect logics for mapping of regulatory reports
Issue Assessment level: L-2
Scenario one: Impact is Very High and Likelihood is Less Likely
Scenario two: Impact is High and Likelihood is Possible
Scenario three: Impact is Medium and Likelihood is Most Likely
1 Input Transaction Unauthorized and incomplete data entry. E.g. incorrect customer classification for regulatory reporting
2 Input Transaction Duplicate data entry in the systems. E.g. duplicate vendor payments
3 Processing Incomplete transaction processing in the systems. E.g. charges not levied in the customer accounts
4 Processing Duplicate transaction processing in the systems. E.g. duplicate customer transaction processing (as per impact matrix)
5 Output Non-availability of the information. E.g. system providing incorrect output of customer transactions
6 Master Data Unauthorized changes in the master data of systems. E.g. table level changes in the user master maintenance.
7 Regulatory Non-adherence on minimum stipulated LTV (75%) by RBI
8 Configuration Mismatch between product master and approved product note
Issue Assessment level: L-3
Scenario one: Impact is High and Likelihood can be Less Likely
Scenario two: Impact is Medium and Likelihood can be Possible
Scenario three: Impact is Low and Likelihood can be Most Likely
1 Input Transaction Unauthorized and incomplete data entry. E.g. incorrect customer classification for internal reporting
2 Input Transaction Duplicate data entry in the systems. E.g. incorrect mobile, email etc. updation in different customers
4 Processing Incomplete transaction processing in the systems. E.g. transaction processed incorrectly (as per impact matrix)
5 Master Data Unauthorized changes in the master data of systems. E.g. audit trail not maintained for IT operation transactions
6 Configuration Absence of in-built logics and internal non-compliance related to products
Issue Assessment level: L-4
Scenario one: Impact is Medium and Likelihood can be Less Likely
Scenario two: Impact is Low and Likelihood can be Less Likely
Scenario three: Impact is Low and Likelihood can be Possible
1 Input Transaction Unauthorized and incomplete data entry. E.g. incorrect classification of non-reportable fields in the product
2 Input Transaction Duplicate data entry in the systems. E.g. duplicate transaction not having any financial impact
4 Processing Incomplete transaction processing in the systems. E.g. incomplete processing of non-critical transactions
5 Processing Duplicate transaction processing in the systems. E.g.
6 Output Incorrect output generated for non-reportable reports
7 Master Data Unauthorized changes in the master data of systems. E.g. non-maintenance of table fields like system usage etc.
8 Configuration Inaccurate configurations in the systems. E.g. incorrect configuration of fields not affecting business operations
Note: Criticality of systems will be reliant on the classification as implemented by IT Department.
Glossary of Terms
Abbreviation - Full Name
ACB - Audit Committee of Board
ACE - Audit Committee of Executives
ACF - Account Closure Form
ALCO - Asset Liability Committee
AM - Assistant Manager
AML - Anti-Money Laundering
AOF - Account Opening Form
ATM - Automated Teller Machine
ATR - Action Taken Report
AUS - Australia
BCP - Business Continuity Plan
BDO - Block Development Officer
BERP - Bandhan Enterprise Resource Planning
BG - Bank Guarantee
BOCS - Banking Operation and Customer Service
BOM - Branch Operation Manual
BRS - Bank Reconciliation Statement
BU - Banking Unit
CA - Current Account
CAAT - Computer Assisted Auditing Technique
CAE - Chief Audit Executive
CAIIB - Certified Associate of Indian Institute of Bankers
CAM - Credit Appraisal Memo
CASA - Current Account and Savings Account
CBO - Corporate Banking Operations
CBS - Core Banking Solution
CCO - Chief Compliance Officer
CCTV - Closed Circuit Television
CDC - Continuous Discharge Certificate
CERSAI - Central Registry of Securitization Asset Reconstruction and Security Interest
CH - Cluster Head
CIC - Credit Information Company
CIF - Customer Information File
CISA - Certified Information System Auditor
CIT - Cash In Transit
CKYC - Central Know Your Customer
CMS - Cash Management System
CPIS - Customer Primary Information Sheet
CPU - Central Processing Unit
CPV - Customer Profile Validation
CRF - Customer Request Form
CRILCI - Central Repository of Information on Large Credit
CRL - Cash Retention Limit
CRO - Chief Risk Officer
CRS - Common Reporting Standard
CS - Company Secretary
CSGL - Constituent Subsidiary General Ledger
CTS - Cheque Truncation System
DBA - Database Administrator
DBO - Doorstep Banking Officer
DCCD - Declaration Cum Confirmation Deed
DD - Demand Draft
DFP - Delegation of Financial Power
DIP - Document Image Processing
DISA - Diploma in Information System Auditor
DM - Deputy Manager
DOB - Date of Birth
DOE - DSC Operations Executive
DOP - Delegation of Power
DPD - Days Past Due
DPIN - Designated Partner Identification Number
DPN - Demand Promissory Note
DRP - Disaster Recovery Plan
DTL - Demand and Time Liabilities
EDI - Electronic Data Interchange
EMI - Equated Monthly Instalment
FATCA - Foreign Accounts Tax Compliance Act
FCNR - Foreign Currency Non Residence
FCY - Foreign Currency
FD - Fixed Deposit
FEMA - Foreign Exchange Management Act
FFR - Financial Follow Up Reports
FIS - Fidelity National Information Services Inc.
FOIR - Fixed Obligation to Income Ratio
FRFC - Fire Resistant Filing Cabinet
FTO - Fund Transfer Officer
FVR - Field Visit Report
GL - General Ledger
GST - Goods and Services Tax
H.O Dept. - Head Office Department
Head-CC - Head Corporate Centre
HHD - Hand Held Device
HIA - Head of Internal Audit
HO - Head Office
HR - Human Resource
HUF - Hindu Undivided Family
IA - Internal Audit
IAD - Internal Audit Department
IJP - Internal Job Posting
INR - Indian Rupee
IOGL - Inter Office General Ledger
IS - Information System
IT - Information Technology
ITGC - IT General Control
ITMS - Integrated Treasury Management System
ITR - Income Tax Return
JV - Journal Voucher
KRA - Key Responsibility Areas
KYC - Know Your Customer
LAP - Loan Against Property
LC - Letter of Credit
LCR - Loan to Cost Ratio
LLP - Limited Liability Partnership
LOA - Letter of Authorization
LOS - Loan Originating System
LPU - Loan Processing Unit
LTV - Loan To Value
MB - Micro Banking
MCA - Ministry of Company Affairs
MD & CEO - Managing Director & Chief Executive Officer
MFI - Micro Finance Institution
MID - Merchant Identification Number
MIS - Management Information System
MITC - Most Important Terms and Conditions
MOE - Memorandum of Entry
MOP - Multi Option Payment
MSME - Micro, Small and Medium Enterprise
NBFC - Non-Banking Financial Company
NDTL - Net Demand and Time Liabilities
NEFT - National Electronic Fund Transfer
NOC - No Objection Certificate
NPS - National Pension System
NRE - Non-Resident External
NREGA - National Rural Employment Guarantee Act
NRO - Non-Residential Ordinary
OATD - Overdraft Against Term Deposit
OCR - Own Contribution Receipt
OS - Operating System
OSV - Original Seen and Verified
OTC - Over The Counter
OVD - Officially Valid Document
PAN - Permanent Account Number
PCMC - Product and Change Management Committee
PD - Post Disbursement
PL - Personal Loan
PO - Pay Order
POA - Power of Attorney
PSL - Priority Sector Lending
RAID - Redundant Array of Independent Disks
RBI - Reserve Bank of India
RBS - Risk Based Supervision
RMP - Risk Mitigation Plan
ROC - Registrar of Companies
ROI - Rate of Interest
RTGS - Real Time Gross Settlement
SB - Savings Bank Account
SDL - State Development Loan
SEBI - The Securities and Exchange Board of India
SEL - Small Enterprise Loan
SENP - Self Employed Non Professional
SEP - Self Employed Professional
SGL - Subsidiary General Ledger
SHG - Self Help Group
SIA - Standards on Internal Audits
SLA - Service Level Agreement
SME - Small and Medium Enterprise
SOD - Segregation of Duties
SOP - Standard Operating Procedure
SQL - Structured Query Language
SWIFT - Society for Worldwide Interbank Financial Telecommunications
TASC - Trust Association Society and Club
TAT - Turn Around Time
TD - Term Deposit
TDS - Tax Deducted at Source
TOD - Temporary Overdraft
TPP - Third Party Product
TSR - Title Search Report
TWL - Two Wheeler Loan
UAT - User Acceptance Testing
UCPDC - Uniform Customs & Practice for Documentary Credits
UPI - Universal Payment Interface
UV - Ultra Violet
UV lamp - Ultra Violet Lamp
ZH - Zonal Head