Audit Policy - Bandhan Bank

Audit Policy Version 7

Audit Policy, Ver. 7 Page 2 of 102

Charter for the Internal Audit Department

and

Audit Policy

Document Owner: Chief Audit Executive, Bandhan Bank Limited.

Version History:

Version    Author                    Recommended by                 Approved by           Date of Approval    Effective date
Version 1  Head Internal Audit       -                              Board of Directors    July 10, 2015       July 10, 2015
Version 2  Head Internal Audit       Audit Committee of the Board   Board of Directors    May 11, 2016        May 11, 2016
Version 3  Chief Audit Executive     Audit Committee of the Board   Board of Directors    April 26, 2017      April 26, 2017
Version 4  Chief Audit Executive     Audit Committee of the Board   Board of Directors    July 7, 2018        July 7, 2018
Version 5  Chief Audit Executive     Audit Committee of the Board   Board of Directors    June 14, 2019       June 14, 2019
Version 6  Chief Audit Executive     Audit Committee of the Board   Board of Directors    October 12, 2020    October 12, 2020
Version 7  Chief Audit Executive     Audit Committee of the Board   Board of Directors    May 6, 2021         May 6, 2021

VALIDITY OF THE POLICY

This Audit Policy comes into force upon approval by the Board.

POLICY UPDATION

This document and the processes described herein are subject to review by the competent authorities from time to time, as required by the Bank for the effective functioning of Internal Audit.

The Policy shall be reviewed at least once annually to keep it current with regulatory / statutory and business requirements. Revisions other than as stated herein shall be made only in case of major regulatory / environmental changes, and shall be placed for ratification before the ACB / Board.

Audit Policy, Ver. 7 Page 3 of 102

Contents of the Document

Part – I ... 6
Charter for the Internal Audit Department ... 6
1 Introduction ... 7
2 Authority ... 7
3 Audit Department ... 8
4 Roles & Responsibilities ... 9
4.1 Senior Management
4.2 Chief Audit Executive or Head of Internal Audit ... 9
4.3 Heads of General Banking Audit verticals and Micro Banking Audit verticals ... 10
4.4 Offsite Audit Head ... 10
4.5 Information System (IS) Audit Head ... 11
4.6 Head Concurrent Audit ... 11
4.7 Team Leaders of Audit verticals ... 11
4.8 Cluster Audit Heads of Banking Unit audits ... 11
5 Selection and Recruitment for IA Department ... 12
5.1 Qualification and Experience Profile of the Internal Auditor ... 12
5.2 Age Profile ... 12
5.3 Rotation ... 13
6 Code of Ethics for Internal Auditor ... 13
6.1 Integrity, Objectivity & Independence of Internal Auditor ... 13
6.2 Confidentiality ... 14
6.3 Proficiency and Due Professional Care ... 14
7 Duties of the Internal Auditor ... 16
8 Limitations ... 16

Part – II ... 18
Audit Policy ... 18
Preamble ... 19
1 Risk Governance Model - Three Lines of Defence ... 19
1.1 Independence ... 20
1.2 Reporting Structure ... 21
1.3 Risk Based Internal Audit (RBIA) ... 21
1.4 Expectation Setting ... 22
2 Risk Assessment Framework ... 23
2.1 Identification of Audit Universe ... 23
2.2 Risk assessment methodology ... 25
3 Risk Matrix for the Bank ... 26
3.1 Measurement of impact of risk parameters ... 27
3.2 Control Risk evaluation for a business group ... 28
3.3 Risk Profiling of Auditable Units ... 30
3.4 Direction of Risk ... 30
4 Audit Planning ... 31
4.1 Training Needs Assessment ... 31
4.2 Frequency of audits ... 32
4.3 Frequency of Risk Based Internal Audit ... 32
4.4 Audit Scope and Coverage ... 33
4.5 Audit Report ... 33
5 Issue Assessment Framework, Reporting and Communication ... 34
5.1 Escalation Matrix ... 36
6 Audit Ratings (Other than BU) ... 37
7 Compliance Report / Issue tracking Standards ... 37
8 Other relevant features of the audit policy ... 39
9 Audit of Banking Units (BU) ... 39
10 Offsite Audit ... 41
11 Snap / Special audit ... 43
12 Concurrent Audit ... 44
13 Audit of Head Office (HO) Departments / Products & Processes ... 44
14 Credit Audit ... 44
15 Audit Committee of Executives (ACE) ... 45
15.1 Constitution of Audit Committee of Executives (ACE) ... 45
15.2 The functions of the proposed ACE are listed below ... 46
Annexure I - Issue Assessment Framework for Audit of Branches ... 47
Annexure 3 - Issue Assessment Framework for Audit of Small Enterprise Loans (SEL) ... 53
Annexure 4 - Issue Assessment Framework for Credit Audit ... 55
Annexure 5 - Issue Assessment Framework for Audit of Housing Finance ... 57
Annexure 6 - Concurrent Audit ... 60

Part III ... 68
Information System Audit Policy ... 68
Preamble ... 69
1 IS Audit Policy ... 69
1.1 Definition ... 69
1.2 Mission Statement ... 69
1.3 Aims/Goals of IS Audit Policy ... 70
1.4 Scope of IS Audit ... 70
1.5 Objectives ... 71
1.6 Independence ... 71
1.7 Relationship with external IS Auditors ... 71
1.8 Relationship with Internal Auditors ... 72
1.9 Coverage of Outsourced Services ... 72
1.10 Critical Success Factors ... 72
2 Authority ... 73
2.1 Right to Access Information ... 73
2.2 Scope or any limitations of scope ... 73
2.3 Functions to be audited ... 73
2.4 Reporting relationship ... 73
2.5 IS Audit Skills ... 74
3 Accountability ... 74
4 IS Audit Planning ... 74
4.1 Risk Based Audit Approach ... 74
4.2 Defining the IS Audit Universe ... 75
4.3 Information System Risk Assessment methodology ... 75
4.3.1 Identification of inherent risks in Information system units ... 76
4.3.2 Measurement of impact of risk parameters ... 77
4.3.3 Control Risk evaluation and rating of an IS System ... 77
4.3.4 Risk Matrix for the Information Systems of the Bank ... 78
4.3.5 Risk Profiling of Auditable Units ... 79
4.4 Scoping for IS Audit ... 79
4.5 Documenting the Audit Plan ... 80
5 Issue Assessment Framework ... 80
6 Performance of Audit Work ... 82
6.1 Review of System Strategies ... 82
6.2 Review of system related policies / compliance ... 82
6.3 Organization and Administration ... 82
6.4 Review of system responsibilities of owners of business process ... 83
6.4.1 Consideration of external factors ... 83
6.4.2 Materiality ... 83
7 Frequency of Audit ... 84
8 Compliance and Closure of Audit Report ... 84
9 Audit Documentation ... 85
10 Restriction of Scope ... 85
IS Annexure – I: Audit Approach ... 86
IS Annexure – II: Audit Methodology ... 88
IS Annexure – III: Audit Considerations for Irregularities ... 91
IS Annexure – IV: Audit Evidence / Information ... 92
IS Annexure – V: Issue Assessment Illustrations ... 95
Glossary ... 100


Part – I

Charter for the Internal Audit Department


1 Introduction

“The Charter for the Internal Audit Department” is approved by the Audit Committee of the Board and defines the Internal Audit Department’s purpose, authority, stature, responsibility and position within the organization.

The Audit Policy is prepared with reference to, and drawing on best practices from, the Standards on Auditing issued by the ICAI, the guidelines issued by the Basel Committee on Banking Supervision (BCBS), and the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA), as updated from time to time.

2 Authority

The internal audit activity, with strict accountability for confidentiality and for safeguarding records and information, shall be authorized full, free and unrestricted access to any and all records, physical properties and personnel pertinent to carrying out any engagement. All employees of the Bank are expected to assist the Internal Audit activity in fulfilling its roles and responsibilities.

The following facilities need to be ensured by the Bank for the Internal Audit function:

i) The Internal Audit Department in the Head Office shall be provided a separate sitting

arrangement and sufficient record room to keep their audit records and files safe and

intact along with separate sets of computers and its peripherals and other

communications facility.

Additionally, the Internal Audit Department shall be provided with an access to a

separate server space or file server in the Bank. The access to the server space or file

server should be provided to all members of the internal audit department. This

server or storage space should be a common drive where all audit reports, audit

evidences & correspondences should be stored for record purposes and ready

retrieval.

ii) The Internal Auditor should have full & free access to all departments and all the

records. The Internal Audit is free to review and critically appraise any activity of the

Departments/authorities, but their review and appraisal does not in any way relieve the Executives and Line supervisors of their responsibilities, as internal audit is an advisory function.

iii) The usefulness of the internal audit will depend much on the co-operation and

working facilities provided to the department.

iv) Head of Internal Audit would have power to split the yearly programme as approved

by the Audit Committee into detailed quarterly programme / monthly programme.

All tours and contingency will be planned accordingly.

v) Internal Audit department should not be involved in any operational activities like

tendering, hiring, etc.

vi) Due to large number of Departments/ Disciplines, it will not be possible to audit all

the Departments/ Disciplines each year. Therefore, selection of the Departments/

disciplines for audit should be in line with the Risk Based Audit Plan, where

preference should be given to those Departments/Disciplines which have been

identified as high risk areas as per audit policy or which by nature of their activities

and as revealed by past experience, are more sensitive. The functions selected for this

purpose should include those where lapses and inadequacy of internal control may

result into considerable financial losses.

3 Audit Department

The Internal Audit Department will be an independent department. Neither the Chief

Audit Executive nor any Internal Auditors shall have any reporting relationship with the

business verticals, shall not assume operational responsibilities and shall not be given

any business targets. Persons transferred to or temporarily engaged by the Internal Audit

department should not be assigned to audits of activities which they previously

performed until a reasonable period of time has elapsed.

The Audit Policy of the Bank depicts the proposed organization chart showing internal

audit set-up, their locations and area of activities. Based on strength available, the

preference shall be given to plan audits with the internal team. In absence of required

manpower strength or the requisite skillsets, specific Internal Audits can be outsourced

by the CAE in consultation with the MD & CEO, subject to the ACB being assured that


such expertise does not exist within the audit function of the bank. However, the

ownership of the audit reports in all such cases shall rest with regular functionaries of the

internal audit function.

4 Roles & Responsibilities

The Duties and responsibilities of various functionaries of the bank including the internal

audit department are as under:

4.1 Role of Senior Management

i) Senior management shall be responsible for developing an adequate, effective and

efficient internal control framework that identifies, measures, monitors and

controls all risks faced by the bank.

ii) It should maintain an organisational structure that clearly assigns responsibility,

authority and reporting relationships and ensures that delegated responsibilities

are effectively carried out.

iii) Senior Management should inform the internal audit function of new

developments, initiatives, projects, products and operational changes and ensure

that all associated risks, known and anticipated, are identified and communicated

at an early stage.

iv) Senior management should be accountable for ensuring that timely and

appropriate actions are taken on all internal audit findings and recommendations.

v) Senior management should ensure that the head of internal audit has the necessary resources, viz. staff, financial tools and otherwise, available to carry out his or her duties commensurate with the annual internal audit plan, scope and budget approved by the audit committee, thereby enabling the auditors to carry out their assignments with objectivity.

4.2 Chief Audit Executive or Head of Internal Audit

The Head of Internal Audit, as defined in the RBI circular, will be designated as Chief

Audit Executive of the bank.


i) To update the Audit Policy from time to time and place the same before the ACB for

approval.

To update the Audit Manuals and Audit Department’s organization chart from time

to time and get the same approved by the competent authority.

ii) To timely inform the Management about the findings of all the Internal Audits

undertaken by internal auditors along with the compliances given by Head of the

auditee units.

iii) To investigate in the matters assigned by the Audit Committee from time to time.

iv) Finalize the Audit plan for the Bank as a whole and obtain the approval from the

ACB.

v) Timely submission of MIS and inform MD & CEO and the ACB on all the matters

pertaining to Internal Audit Department.

vi) Design appropriate training programme for the executives in internal audit.

vii) To arrange for periodical internal audit in accordance with the audit plan.

viii) To arrange for a special audit as and when required and also as per the direction of

the management.

ix) To ensure prompt disposal of audit observations.

x) To update the checklist for audit at regular intervals based on the experience gained

during audit as well as based on changes in regulatory requirements or operations.

4.3 Heads of General Banking Audit verticals and Micro Banking Audit verticals

They shall be responsible for the audit plan of their respective audit verticals and shall

ensure smooth functioning of the audits under their respective vertical.

4.4 Offsite Audit Head

Bank has established an Offsite Audit vertical, headed by Head-Offsite Audit, within the

Internal Audit Department for offsite monitoring of certain transactions/activities at

branches/offices/BUs. The tasks for offsite monitoring team would be added/modified

based on new issues arising and based on feedback from field auditors.

For carrying out these tasks the Team will be provided with read-only access to the MIS databases and other systems, to enable them to query the required data using tools like SQL, etc.

The Offsite Audit Team will support on-field branch banking auditors and Banking Unit

auditors with the necessary reports/ inputs that may be required.
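The read-only access described above is only as good as its enforcement, so a practitioner would want a check that the audit team's database account really cannot write. The following is an added example (not part of the Audit Policy and not the Bank's own tooling) that opens an MIS-style database in read-only mode, runs a sample monitoring query, and verifies that a write attempt is rejected. The table layout, the transaction rows and the 1,00,000 threshold are constructed for illustration only; a production RDBMS would instead use a database role granted SELECT privileges alone.

```python
"""Added example: verify read-only access for an offsite audit team.

Assumptions (hypothetical): the MIS data is a SQLite file, the audit
team opens it through a read-only URI, and the table below is a
constructed stand-in for a real transaction table.
"""
import os
import sqlite3
import tempfile

# Constructed sample data, not bank data: (id, branch, teller, amount, timestamp)
SAMPLE_TXNS = [
    (1, "BR001", "TLR07", 25000.00, "2021-05-06 10:02:11"),
    (2, "BR001", "TLR07", 250000.00, "2021-05-06 10:05:47"),
    (3, "BR002", "TLR12", 99999.00, "2021-05-06 11:30:02"),
    (4, "BR003", "TLR02", 150000.00, "2021-05-06 15:12:59"),
]


def build_sample_db(path):
    """Create the constructed MIS table with a normal (writable) connection."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE txn (id INTEGER PRIMARY KEY, branch TEXT, "
        "teller TEXT, amount REAL, ts TEXT)"
    )
    con.executemany("INSERT INTO txn VALUES (?, ?, ?, ?, ?)", SAMPLE_TXNS)
    con.commit()
    con.close()


def open_readonly(path):
    """Open the database as the audit team would: SQLite URI with mode=ro.

    With mode=ro the engine refuses every write statement, so the
    restriction is enforced by the database, not by auditor discipline.
    """
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def query_large_transactions(con, threshold):
    """Sample offsite-monitoring query: transactions at or above a threshold."""
    rows = con.execute(
        "SELECT branch, teller, amount FROM txn "
        "WHERE amount >= ? ORDER BY amount DESC",
        (threshold,),
    ).fetchall()
    return rows


def write_is_blocked(con):
    """Return True if the connection rejects a write, False if it succeeded."""
    try:
        con.execute("UPDATE txn SET amount = 0 WHERE id = 1")
        con.commit()
    except sqlite3.OperationalError:
        return True
    return False


def run_demo():
    """Build the sample DB, query it read-only, and confirm writes fail."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mis.db")
        build_sample_db(path)
        ro = open_readonly(path)
        try:
            hits = query_large_transactions(ro, 100000)
            blocked = write_is_blocked(ro)
            # The read path must still work after the rejected write.
            still_readable = len(query_large_transactions(ro, 0)) == len(SAMPLE_TXNS)
        finally:
            ro.close()
        return hits, blocked, still_readable


if __name__ == "__main__":
    hits, blocked, readable = run_demo()
    for branch, teller, amount in hits:
        print(f"{branch} {teller} {amount:,.2f}")
    print("write blocked:", blocked, "| still readable:", readable)
```

The point of `write_is_blocked` is that the audit team's access should be tested, not assumed: a connection string or role that silently allows an UPDATE would let the team alter the very records it is auditing.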

4.5 Information System (IS) Audit Head

Bank has established an IS Audit vertical, headed by Head-IS Audit, within the Internal Audit Department. The scope of IS Audit covers all information systems used by the Bank and the related activities, viz. system planning, organization, acquisition, implementation, delivery and support to end-users. The scope also covers monitoring of implementation in terms of process effectiveness, input/output controls and accomplishment of system goals. The IS Audit scope includes testing of the processes for planning and organizing the information systems activities and the processes for monitoring those activities.

4.6 Head Concurrent Audit

The Head of Concurrent Audit, along with the CAE and Advisor Concurrent Audit, will

be responsible for satisfactory implementation of the Concurrent Audit system of the

Bank, including review and reporting of observations noted during the audit and their

timely compliance.

4.7 Team Leaders of Audit verticals

They shall be responsible for execution of the audits as per the allotted work in

accordance with the audit programme of their respective audit verticals.

4.8 Cluster Audit Heads of Banking Unit audits

They shall be responsible for execution of the audit plans in their BU audit clusters through optimum utilization of the auditors allocated to them. The duties and responsibilities of the subordinates should be communicated to the Team Leader of the BU audit verticals.

5 Selection and Recruitment for IA Department

The Bank should have a well-defined HR policy, including the recruitment process and

the same should be applicable for the Internal Audit Department.

5.1 Qualification, Experience and Competence of the Internal Auditor

The qualification and experience requirements of the internal auditors for the department

should be well defined. Adequate number of resources of the Internal Audit Department

should be professionally competent, qualified and/or experienced bankers to ensure

effectiveness of the bank's internal audit function. The desired areas of knowledge and

experience shall include banking operations, accounting, information technology, data

analytics and forensic investigation, among others. Bank shall ensure that internal audit

function has the requisite skills to audit all areas of the bank. Given below are some

indicative qualifications / experience required:

Category                                   Indicative qualification / experience
Professionally Qualified Persons           Chartered Accountant / Cost Accountant / CISA / DISA / CAIIB / MBA
  or
Experienced Persons from the Department    i. Persons promoted under the departmental promotion process, or persons with experience and knowledge in the respective domain
                                           ii. Persons with technical qualifications and having field experience
  or
IS Auditor                                 An appropriate number of CISA-qualified persons; the remainder should have the required skills, knowledge and expertise
Offsite Auditor                            Persons with knowledge and experience in the banking sector, in addition to experience in database querying and analysis
Branch Auditor                             Persons promoted or transferred through departmental action, having the requisite experience in Branch Banking operations
BU Auditor                                 Persons promoted or transferred through departmental action, having the requisite experience in Micro Banking operations
Support Staff                              Graduates, or persons laterally hired or transferred through departmental action

5.2 Age Profile

A conscious effort needs to be made to maintain a proper mix of people in the department. A constant review should be done of the age profile of the internal auditors to ensure that there are adequate numbers of fresh and young people willing to undertake intensive travel.

Age limit for retired staff engaged as internal / concurrent auditors shall be capped at 70

years.

5.3 Rotation

The bank has a separate and independent Audit team and hence any staff posted to the Audit team (career internal auditor or otherwise) shall work in the Department for a minimum period of three years. After that, permanent staff within the Internal Audit Department may be transferred to other departments. Transfer of any staff out of Internal Audit before the stipulated three-year period would require exception approval from the CAE or Head-HR.

Vacancies so created can be filled by recruitment of suitable resources possessing specialized knowledge useful for the audit function, from within the bank or outside, to ensure continuity and adequate skills for the staff in the Audit Function.

Similarly, the maximum period for which an external concurrent auditor shall be allowed

to continue with a branch/business unit shall not be more than three years.

6 Code of Ethics for Internal Auditor

There are certain moral principles which the Internal Auditors should follow. These are

illustrative and not exhaustive; these provide the basic guidelines to the Internal Auditors

with regard to the moral hazards and conflicts which they may face while carrying out

Internal Audit assignments.

6.1 Integrity, Objectivity & Independence of Internal Auditor

i) Internal Auditor shall have an obligation to exercise honesty, objectivity, and

diligence in performance of their duties and responsibilities.

ii) Internal Auditors, holding the trust of the Bank, shall exhibit loyalty in all matters pertaining to the affairs of the Bank.


iii) Internal Auditors shall refrain from entering into any activity which may be in conflict

with the interest of the Bank.

iv) Internal Auditors shall not accept a fee or a gift from an employee, a Contractor or a

supplier.

v) Internal Auditor must be fair and must not allow prejudice or bias to override his

objectivity. She/he should maintain an impartial attitude. The internal auditor should

not, therefore, to the extent possible, undertake activities, which are or might appear

to be incompatible with her/his independence and objectivity. For example, to avoid

any conflict of interest, the internal auditor should not review an activity for which

she/he was previously responsible.

vi) Internal Auditor should immediately bring any actual or apparent conflict of interest

to the attention of the appropriate level of management so that necessary corrective

action may be taken.

6.2 Confidentiality

i) The Internal Auditor shall be prudent in the use of information acquired in the course of his/her duties. She/he shall not use confidential information for any personal reason or in a manner which would be detrimental to the interest of the Bank.

ii) The Internal Auditor should not disclose any such information to a third party, including employees of the entity, without specific authority of management / client or unless there is a legal or a professional responsibility to do so.

6.3 Proficiency and Due Professional Care

i) The Internal Auditor should exercise due professional care in carrying out the work entrusted to him/her, in terms of deciding on aspects such as the extent of work required to achieve the objectives of the engagement, the relative complexity and materiality of the matters subjected to internal audit, the assessment of risk management, control and governance processes, and cost-benefit analysis. Due professional care, however, neither implies nor guarantees infallibility, nor does it require the Internal Auditor to go beyond the scope of his/her engagement.

ii) The Internal Auditor should have obtained the required skills and competence, through general education and technical knowledge obtained through study and formal courses, as are necessary for the purpose of discharging his/her responsibilities.

iii) The Internal Auditor shall also have a continuing responsibility to maintain professional knowledge and skills at the level required to ensure that the Bank receives the advantage of competent professional service based on the latest developments in the profession, the economy, the relevant industry and legislation.

iv) In cases of serious acts of omission or commission noticed in the working of the Bank's own staff or retired staff working as concurrent auditors, accountability action would be fixed as per the extant process of the Bank.

v) Ensure adherence to the various Standards of Practice issued by the Institute of Chartered Accountants of India, such as:

a) SA 230, Audit Documentation: (a) Audit documentation is the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached; (b) an audit file is one or more folders or other storage media, in physical or electronic form, containing the records that comprise the audit documentation for a specific engagement.

b) SA 320, Materiality in Planning and Performing an Audit: The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements.

c) SA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment: The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. This will help the auditor to reduce the risk of material misstatement to an acceptably low level.

d) SA 500, Audit Evidence: Information used by the auditor in arriving at the conclusions on which the auditor's opinion is based. Audit evidence includes both information contained in the accounting records underlying the financial statements and information obtained from other sources. The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence.

e) SA 530, Audit Sampling: When designing an audit sample, the auditor shall consider the purpose of the audit procedure and the characteristics of the population from which the sample will be drawn. The auditor shall determine a sample size sufficient to reduce sampling risk to an acceptably low level.

7 Duties of the Internal Auditor

Key objectives of the internal auditor can be summarized as:

i) To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements.

ii) To perform specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a significant impact on the functioning of the entity.

iii) To respond appropriately to non-compliance or suspected non-compliance with laws and regulations identified during the internal audit.

8 Limitations

Owing to the inherent limitations of an internal audit, there is an unavoidable risk that some non-compliance with laws and regulations, and consequential material misstatements in the financial statements, may not be detected, even though the internal audit is properly planned and performed in accordance with the SIAs. In the context of laws and regulations, the potential effects of inherent limitations on the internal auditor's ability to detect non-compliance are greater for such reasons as the following:

a) There are many laws and regulations, relating principally to the operating aspects of an entity, that typically do not affect the financial statements and are not captured by the entity's information systems relevant to financial reporting.

b) Non-compliance may involve conduct designed to conceal it, such as collusion, forgery, deliberate failure to record transactions, management override of controls or intentional misrepresentations being made to the internal auditor.

Whether an act constitutes non-compliance is ultimately a matter for legal determination by a court of law. Ordinarily, the further removed non-compliance is from the events and transactions captured or reflected in the entity's information systems relevant to financial reporting, the less likely the internal auditor is to become aware of it or to recognize the non-compliance.


Part – II

Audit Policy


Preamble

The role of internal audit is to provide independent assurance that an organization's risk management, governance and internal control processes are operating effectively. The Bank will have a risk-based Annual Internal Audit Plan, approved by the Audit Committee of the Board. Relevant audits and reviews will be carried out by the Internal Audit Department in accordance with the audit methodology defined in the Audit Policy.

Under risk-based internal audit, the focus is on prioritization of audit areas and allocation of audit resources in accordance with the risk assessment of all areas and functions of the Bank. It is therefore essential for the Bank to have a well-defined policy for undertaking risk-based internal audit. The policy shall include the risk assessment methodology for identifying the risk areas, based on which the audit plan would be formulated. The risk-based policy shall focus on frequency, prioritization, extent of checking, risk assessment / profiling of activities / functions / products and their updating, broadening of the risk classifications etc. during the audit process.

This Audit Policy is formulated taking into consideration RBI requirements, best industry practices and other factors as per the need of the Bank. It will come into effect immediately on approval by the Board and will be in force until the same is revised.

1 Risk Governance Model - Three Lines of Defence

To manage different risks across various products and processes, the Bank has adopted 'three lines of defence' under the Risk Governance model. Line management forms the first line of defence; Risk Management, Compliance and other Control Functions form the second line of defence; and the Internal Audit Department (IAD) is the third line of defence.

This model defines the following responsibilities at various levels:

i) FIRST LINE of DEFENCE: Primary accountability for identifying, assessing and managing the various operational and compliance risks pertaining to their business or area of operation (e.g. Branches, Treasury, Information Technology, etc.) rests with the Heads of Business Units and Departments.

ii) SECOND LINE of DEFENCE: Risk Management, Compliance and other Control Functions:

a) Have to coordinate, oversee and objectively challenge the execution of business / operations (keeping in mind the risk and control framework), management, etc.

b) Are independent of the management and personnel that originate or manage the risk exposures

c) Have the power to escalate / veto high risk business activity

iii) THIRD LINE of DEFENCE: IAD is independent of both business and risk functions and performs independent evaluation / assessment of the first two lines of defence. IAD places reliance on review procedures conducted by the two lines of defence and effectively uses the results in assessing and developing an audit approach which is a judicious combination of the various assurance practices that are in place. This approach promotes convergence between the various monitoring, evaluation and assessment procedures and aims at reducing redundancies (in terms of time, cost and effort).

1.1 Independence

The Internal Audit function shall be an independent function with the ability to provide independent assurance and consulting services designed to add value and improve the Bank's operations, and also to make appropriate recommendations for improving corporate governance, including the ethics and values of the Bank. The Head of Internal Audit shall be a Senior Executive having relevant experience with no operational or business responsibilities, shall have the ability to exercise independent judgement and shall be appointed for a reasonably long period, preferably for a period of three years. The Board and Audit Committee of the Board shall be kept informed of any change in the Head of Internal Audit, as also the reasons for the change in the incumbent. The name of the Head of Internal Audit and any change in incumbency shall be intimated to RBI as and when it takes place.


1.2 Reporting Structure

The Chief Audit Executive (Head of Internal Audit) shall functionally report to the MD & CEO of the bank. The Audit Committee of the Board shall meet the CAE (HIA) at least once in a quarter, without the presence of the senior management, including the MD & CEO. The 'reviewing authority' shall be with the ACB and the 'accepting authority' shall be with the Board in matters of Performance Appraisal of the HIA.

All ACB directions will be monitored by the CAE.

Accordingly, the overall structure of the Internal Audit Department shall be as given below:

1.3 Risk Based Internal Audit (RBIA)

RBI vide its circular no. DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002 provided a guidance note on Risk Based Internal Audit. RBI advised initiation of necessary steps to prepare a risk-based internal audit system in a phased manner, keeping in view the Bank's risk management practices, business requirements, manpower availability etc.

A sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. The audit function shall provide high quality counsel to the management on the effectiveness of risk management and internal controls, including regulatory / statutory compliance by the bank.

1.4 Expectation Setting

This step facilitates the alignment of IAD resources with the Bank's business objectives to maximize the value delivered to the business by IAD, and hence forms a key cornerstone of IAD planning. This activity, which requires extensive interaction between the IAD and Top Management, would be accomplished through workshops, facilitated sessions, one-to-one interactions, or other forums considered appropriate by IAD.

The following are the key milestones of this activity:

i) Risk assessment: Risk Assessment is a critical and important part of Planning. It includes the process of identifying the risks, assessing the risks and taking steps to reduce the risks to acceptable levels, considering both the probability and the impact of the risks. Risk Assessment allows the auditor to determine the scope of the audit and the nature, extent and timing of the audit. Risk Assessment mainly implies inherent risk assessment, control risk assessment and the residual risk. The Auditor should satisfy himself/herself that the risk assessment procedure adequately covers the periodic and timely assessment of all the risks.

ii) Prioritization of business objectives through identification of the priority / focus level of business areas: Priority should be given to the risk that has the potential to cause significant impact and harm.

iii) Scope, coverage and management expectations from IAD: Coverage would specify the extent of audit work to be conducted. The expectation of Management is an audit outcome which satisfies the objective and its requirements for all the stakeholders. In order that there is no confusion, the scope, coverage and management expectation should be clearly defined and integrated as a part of the Planning exercise.

iv) Timelines with respect to completion and presentation of results to management: The timeline is an essential milestone to measure the achievement of the objectives of the audit. It defines the timeliness of delivery of the required deliverables to the various stakeholders. Reports should be issued in a timely manner, to encourage prompt corrective measures. When appropriate, the auditor should report significant findings promptly to the concerned persons.

2 Risk Assessment Framework

The risk assessment framework would include the following:

i) Identification of Audit Universe
ii) Inherent Risk Assessment
iii) Control Risk Assessment
iv) Residual Risk Assessment.

All the activities will be reviewed annually along with the overall Policy.

2.1 Identification of Audit Universe

The first step in performing the risk assessment is to identify the various business groups and support functions within the Bank, based on which the inherent risk profile would be prepared and presented for each such group. The groups shall be identified and updated to remain aligned with the other prevailing frameworks for management oversight and control of the business and operations. Thus the Audit Universe of the Bank comprises the Business, Operation, Corporate Centre and other Support groups, collectively called "Business Groups". Each Group is further broken up into auditable units/areas.

Based on the risk assessment process explained below, a risk matrix for the Bank, comprising all the Business Groups, is drawn up. Further, a risk matrix for each Business Group, comprising its various auditable units/areas, is also drawn up.

At the beginning of the year, as a first step towards preparation of the RBAP (Risk Based Audit Plan), a list of all Business Groups and the auditable units/areas is drawn up. This will consider and evaluate modifications during the financial year required on account of changes, if any, in the control environment in the auditee units within the same business / group.

The Audit Universe would cover the following units and activities:

• Branch Banking
• Micro Banking i.e., Banking Units (BUs)
• Central Processing Units (CPU)
  o Account Opening
  o Accounts Modification Unit
  o Collateral & Logistics Unit
  o Loan Processing Unit
  o Phone Banking Unit
  o Corporate Internet Banking Admin Function
  o EDC MID/TID processing
  o Aadhaar Enrolment and updation Operation
• Head Office Departments (in alphabetical order):
  o Administration
  o Banking Operations & Customer Service
  o Business Intelligence Unit
  o Company Secretary
  o Compliance
  o Corporate Branding & Communication
  o Corporate Legal
  o Corporate Services
  o Finance & Accounts
  o Fraud Containment and Monitoring Department
  o Human Resource
  o Information Security
  o Information Technology
  o Logistics & Purchase
  o Payments and Settlement System (as per NPCI guideline)
  o Retail Banking including Head, ZH, RH & CH
  o Risk
  o Third Party Products
  o Treasury
  o Vigilance
  o Wholesale Banking including the controlling offices at all places
• Products, Processes and Activities:
  o Outsourced Activities (including payment gateway service providers)
  o The following loan products at various Asset Centres:
    • Retail Assets (Housing Loans, Loans against Property, Personal Loans, Two-wheeler Loans, Gold Loans etc.)
    • Small Enterprises Loans (SEL)
  o SME Loans
  o Any other Loans & Advances (Funded or Non-funded)
  o Debit/ATM Cards and Credit Cards
  o Merchant acquisition business
  o Forex & Trade Finance

2.2 Risk assessment methodology

The risk assessment process should, inter alia, include the following:

Risk Assessment for Business Groups based on the business model

i) Identification of inherent business risks in each Business Group in the bank;

ii) Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business groups ('Control risk');

iii) Drawing up a risk matrix taking into account both the factors, viz., inherent and control risks, as per the illustrative risk matrix in section 3.

The steps to be followed are detailed hereunder:

i) The basis for determination of the inherent risk (high, medium, low) should be clearly spelt out.

ii) The process of inherent risk assessment may make use of both quantitative and qualitative approaches.

iii) Comparison of the current residual risk of auditable units with that of the previous audit, to assess the effectiveness of the control environment and the direction of risk.

While the quantum of credit, market and operational risks could largely be determined by quantitative assessment, a qualitative approach may be adopted for assessing the regulatory and reputation risks in the various business groups. In order to focus attention on areas of greater risk to the bank, an activity-wise and location-wise identification of risk should be undertaken.

The risk assessment methodology will also include, inter alia, the following parameters:

• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant change in management / key personnel
• Results of latest regulatory examination report
• Reports of external auditors
• Volume of business including quantum of cross selling and complexity of activities
• Substantial performance variations from the budget etc.
• Operational Risk, Credit and Market Risk parameters, like CTR/STR, NPA, etc.
• Number of Customer complaints
• Industry trends and other environmental factors
• Time elapsed since last audit

3 Risk Matrix for the Bank

Based on the Control Risk Score and the Inherent Risk Scores, a Risk Matrix for the Bank is prepared comprising all Business Groups. Based on the Inherent Risk and Control Risk for each group, the group will be placed in the Risk Matrix.

Inherent Risk

Inherent Business risks indicate the intrinsic risk in a particular area/activity of the Bank and could be grouped into low, medium and high categories depending on the severity of risk.

For ease of determination, all the primary risks will be grouped into six categories, namely, credit risk, market risk, operation risk, regulatory risk, reputation risk, and information technology risk. These may be further broken down into risk parameters as under:

i) Operations Risk
a) Volume of transaction
b) Complexity
c) Documented process
d) Staff skills
e) Frequent changes in process
f) System Support

ii) Market Risk
a) Risk from changes in interest/exchange rates
b) Laid down system support
c) Availability of tools/models
d) Skill sets

iii) Reputation Risk
a) Impact of process on reputation of Bank
b) Extent of customer interaction
c) Risk on account of outsourcing
d) Proper grievance handling mechanism

iv) Credit Risk
a) Existence of proper credit appraisal process
b) Complexity of products
c) Existence of strong Delegation of Financial Power (DFP) System
d) Level of delinquencies

v) Regulatory Risk
a) Degree of regulation in process
b) Complexity of regulation
c) Existence of compliance risk monitoring process
d) Regulatory findings

vi) IT Risk
a) Complexity of system
b) Vulnerability of system to cyber attacks
c) Dependence on external vendor for system support
d) Existence and effectiveness of BCP/DRP

3.1 Measurement of impact of risk parameters

The risk parameters as defined above for all the primary risks are considered for arriving at the score for Inherent Risk. A high, medium or low score is assigned to each parameter, wherever applicable. Based on these scores for each risk parameter, an aggregate score for that risk category is quantified and a score on the scale of 1 to 6 (High 5-6, Medium 3-4 and Low 1-2) is awarded to each of the six primary risks listed above. Where a business group is not exposed to a particular risk, a score of zero is given.

Thus the maximum Inherent Risk score would be 36 (aggregate of six primary risks) for any business group. Based on discussion and internal judgment, an inherent risk of up to 20% may be considered as "low", between 21% and 50% may be considered as "medium" and an inherent risk greater than 50% may be considered as "high".

3.2 Control Risk evaluation

The previous audit rating would indicate the level of control risk. Control risks arise out of inadequate control systems, deficiencies/gaps or likely failures in the existing control processes, incidents pointing to gaps in implementation of control processes etc. The control risks could also be classified into low, medium and high categories. Control Risk would be numerically indicated on a "0 to 100" scale, with a score of "0" being the ideal score, which would indicate that the risks are fully covered by the existing controls.

In order to measure the extent to which the inherent risks are addressed by controls, threshold limits, i.e. three levels of threshold for measurement of Control Risk, viz., "High", "Medium" and "Low", have been defined. These would be expressed in terms of percentage as under:

Control Risk    Score
Low             Less than 15%
Medium          15% to 30%
High            Above 30%

The gaps observed in the control risks vis-à-vis the inherent risks lead us to the residual risk. The residual risks can be classified into Extremely High, Very High, High, Medium and Low based on the following and accordingly fall in the respective cells in the Risk Matrix (as under):

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks    Control Risk: Low      Control Risk: Medium    Control Risk: High
High                       "4" High Risk          "2" Very High Risk      "1" Extremely High Risk
Medium                     "7" Medium Risk        "5" High Risk           "3" Very High Risk
Low                        "9" Low Risk           "8" Medium Risk         "6" High Risk

[Inherent Risk: Low 0-7, Medium 8-18, High 19-36; scale of 0 to 36]
[Control Risk: Low <15%, Medium 15%-30%, High >30%; scale of 0 to 100]

In the overall risk assessment both the inherent business risks and control risks should be factored in. The overall risk assessment as reflected in each cell of the risk matrix is explained below:

1 – Extremely High Risk – Both the inherent business risk and control risk are high, which makes this an Extremely High Risk area. This area would require immediate audit attention and maximum allocation of audit resources, besides ongoing monitoring by the bank's top management.

2 – Very High Risk – The business unit/area is perceived to have "high" inherent risk coupled with medium control risk, which makes this a Very High Risk area.

3 – Very High Risk – Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.

4 – High Risk – The business unit/area is perceived to have "high" inherent risk, but the control risks as borne out by the previous audit ratings are weak (cells 4, 5 & 6).

5 – High Risk – Although the inherent business risk is medium, this is a High Risk area because of control risk also being medium.

6 – High Risk – Although the inherent business risk is low, due to high control risk this becomes a High Risk area.

7 – Medium Risk – Although the control risk is low, this is a Medium Risk area due to medium inherent business risk.

8 – Medium Risk – The inherent business risk is low and the control risk is medium.

9 – Low Risk – Both the inherent business risk and control risk are low.

3.3 Risk Profiling of Auditable Units:

Where any Business group itself comprises several independent auditable units with different levels of controls, like branch banking etc., the following approach will be taken:

A risk map of all the auditable units will be prepared taking the "inherent risk" of the individual units to be the same as that of the group. The control risk of the individual auditable units would be derived from the previous audit ratings as well as other factors like any frauds detected etc.

3.4 Direction of Risk:

i) If the Current Control Risk Score is more than 3% of the previous Audit score, the Direction of Risk would be considered as "Decreasing"

ii) If the Current Control Risk Score is in the range of +3% to -3% of the previous Audit score, the Direction of Risk would be considered as "Stable"

iii) If the Current Control Risk Score is less than 3% of the previous Audit score, the Direction of Risk would be considered as "Increasing"

In addition to the above, where the direction of risk is found to be increasing, the below shall also be taken into consideration, for the limited purpose of deciding the frequency of the next audit, as under:

i) If the difference in Control Risk score between the previous audit and the current audit is greater than 5% but less than 10%, then 5% will be deducted from the current audit score to arrive at the Control Risk score.

ii) If the difference in Control Risk score between the previous audit and the current audit is between 10% and 15%, then 7% will be deducted from the current audit score to arrive at the Control Risk score.

iii) If the difference in Control Risk score between the previous audit and the current audit is more than 15%, then 10% will be deducted from the current audit score to arrive at the Control Risk score.

4 Audit Planning

An Audit plan defines the scope, coverage and resources, including time, required for audit over a defined period. Adequate planning ensures that appropriate attention is devoted to significant areas of audit, potential problems are identified, and that the skills and time of the staff are appropriately utilised.

The Audit plan would be drawn up consistent with the goals and objectives of the Internal Audit function as listed out in the Internal Audit charter, as well as the goals and objectives of the Bank.

All new branches shall be subjected to internal audit within six months of opening of the branch.

A plan once prepared would be continuously reviewed by the IAD to identify any modifications required to bring the same in line with the changes, if any, in the audit environment. However, any major modification to the plan would be done in consultation with the ACB.

4.1 Training Needs Assessment

At the beginning of every financial year, IAD shall examine and assess the training needs of the internal auditors across all verticals, according to the skill-sets required to conduct the audits of the various entities as per the approved Audit Plan. This shall be communicated to the HR Department for arrangement of appropriate in-house training programmes or for deputing the concerned auditor(s) to suitable institutes for imparting relevant inputs.

The staff in the Internal Audit department shall also appear for all mandatory and functional e-learning courses hosted on the LMS from time to time. The current courses relevant to the audit team include KYC/AML, Operational Risk, Reading Financial Statements, Fraud awareness etc.

IAD will implement the process of rotation of auditors by transferring them to other departments at regular intervals, and fill up the gaps either by way of rotation or recruitment of suitable resources from outside, to ensure the quality of auditors.

4.2 Frequency of audits

The IAD carries out internal audits as a part of the overall audit assurance framework of the Bank. The risk map of the auditable units so derived will decide the frequency of audit of the respective units as under:

4.3 Frequency of Risk Based Internal Audit

The frequency of audit of an individual auditable unit would be based on the position of that unit in the Risk Matrix. All the auditable units will be audited at least once in two years.

Auditable units falling under cell "9" (i.e., Low Risk) would be audited once in two years.

Auditable units falling under cells "7 & 8" (i.e., Medium Risk) would be audited once in eighteen months.

Auditable units falling under cells "4, 5 & 6" (i.e., High Risk) would be audited once in twelve months.

Auditable units falling under cells "2 & 3" (i.e., Very High Risk) would be audited once in nine months.

Auditable units falling under cell "1" (i.e., Extremely High Risk) would be audited once in six months.

The above intervals between two internal audits are indicative; the interval is the outer limit, and the audit must be conducted within the quarter in which the audit becomes due.

The internal audits of Bank Branches shall be conducted with an element of surprise; no advance intimation shall be given to the branches. The audits may be conducted any time within a period of three months prior to the outer limit.
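The scoring in sections 3.1 and 3.2, the matrix placement in section 3.3 and the audit intervals in section 4.3, worked through as an added Python example that is not part of the policy or of the Bank's own systems; the thresholds and cell numbers are taken from the text, while the per-risk scores and branch control-risk percentages are constructed sample values.

```python
"""Risk matrix placement and audit frequency as laid out in sections 3.1, 3.2,
3.3 and 4.3 of the policy. Added illustration, not the Bank's own tooling;
thresholds and cell numbers are copied from the policy text."""
from dataclasses import dataclass

# Six primary risks of section 3; each scored 0 (not exposed) or 1 to 6.
PRIMARY_RISKS = ("credit", "market", "operations", "regulatory",
                 "reputation", "information_technology")

# Risk matrix cells keyed by (inherent level, control level) -> (cell, rating).
RISK_MATRIX = {
    ("High", "Low"): (4, "High Risk"),
    ("High", "Medium"): (2, "Very High Risk"),
    ("High", "High"): (1, "Extremely High Risk"),
    ("Medium", "Low"): (7, "Medium Risk"),
    ("Medium", "Medium"): (5, "High Risk"),
    ("Medium", "High"): (3, "Very High Risk"),
    ("Low", "Low"): (9, "Low Risk"),
    ("Low", "Medium"): (8, "Medium Risk"),
    ("Low", "High"): (6, "High Risk"),
}

# Outer limit between two audits, in months, per matrix cell (section 4.3).
AUDIT_INTERVAL_MONTHS = {1: 6, 2: 9, 3: 9, 4: 12, 5: 12, 6: 12,
                         7: 18, 8: 18, 9: 24}


def inherent_risk_score(parameter_scores: dict) -> int:
    """Aggregate the per-risk scores (0, or 1-6) into the 0-36 inherent score."""
    total = 0
    for risk in PRIMARY_RISKS:
        score = int(parameter_scores.get(risk, 0))  # unlisted risk = not exposed
        if not 0 <= score <= 6:
            raise ValueError(f"{risk}: score {score} is outside 0-6")
        total += score
    return total


def inherent_risk_level(score: int) -> str:
    """Low 0-7, Medium 8-18, High 19-36 (the 20% / 50% bands of 36)."""
    if not 0 <= score <= 36:
        raise ValueError("inherent risk score must lie within 0-36")
    if score <= 7:
        return "Low"
    return "Medium" if score <= 18 else "High"


def control_risk_level(percent: float) -> str:
    """Low below 15%, Medium 15% to 30%, High above 30%; 0 is the ideal score."""
    if not 0 <= percent <= 100:
        raise ValueError("control risk score is a percentage within 0-100")
    if percent < 15:
        return "Low"
    return "Medium" if percent <= 30 else "High"


@dataclass(frozen=True)
class Placement:
    inherent_score: int
    inherent_level: str
    control_percent: float
    control_level: str
    cell: int
    rating: str
    audit_interval_months: int


def place_in_risk_matrix(parameter_scores: dict, control_percent: float) -> Placement:
    """Place one business group or auditable unit in the matrix and derive the
    outer limit for its next audit."""
    score = inherent_risk_score(parameter_scores)
    inherent = inherent_risk_level(score)
    control = control_risk_level(control_percent)
    cell, rating = RISK_MATRIX[(inherent, control)]
    return Placement(score, inherent, control_percent, control, cell, rating,
                     AUDIT_INTERVAL_MONTHS[cell])


def profile_auditable_units(group_scores: dict, unit_control: dict) -> dict:
    """Section 3.3: every unit of a group inherits the group's inherent risk;
    only the control risk (from the previous audit rating) varies per unit."""
    return {unit: place_in_risk_matrix(group_scores, pct)
            for unit, pct in unit_control.items()}


if __name__ == "__main__":
    # Constructed sample: one business group and three of its branches.
    group = {"credit": 4, "market": 0, "operations": 5, "regulatory": 3,
             "reputation": 2, "information_technology": 3}  # sums to 17
    branches = {"Branch A": 9.5, "Branch B": 22.0, "Branch C": 41.0}
    for unit, p in profile_auditable_units(group, branches).items():
        print(f"{unit}: inherent {p.inherent_score} ({p.inherent_level}), "
              f"control {p.control_percent}% ({p.control_level}) -> cell {p.cell} "
              f"{p.rating}, audit at least every {p.audit_interval_months} months")
```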


4.4 Audit Scope and Coverage

The scope of each audit shall be determined by the respective Audit Team Lead and approved by the Head of the respective Audit vertical in consultation with the CAE. However, at the minimum, the scope will cover the following areas:

i) Availability of approved product / process guidelines
ii) The control environment in various areas
iii) Data integrity, information security
iv) Regulatory and Internal Compliance
v) Adherence to KYC/AML Guidelines
vi) Compliance with outsourcing guidelines
vii) Customer Service Quality
viii) Compliance to previous audit observations

The field work shall be conducted by the internal auditors at the branches (onsite) with the audit checklist prepared by IAD. The audit checklist shall be revised by the audit manager whenever there is any change in the underlying process, and it shall be approved by the CAE.

4.5 Audit Report

At the end of the field work a draft report shall be prepared containing the executive summary, the objective of the audit, the scope including limitations and exclusions, the sampling methodology (Annexure 7), the audit rating and opinion. All the audit findings in the audit reports shall be categorized and levelled as per the Issue Assessment Framework. All the audit findings will be communicated to the respective groups and an auditee response having the components proposed actions, timelines for compliance and responsibility will be obtained. The reports will be peer-reviewed, rated and circulated as defined hereunder:

i) Bank Branches: Report would be issued to the Branch Head and Cluster Head, with copy marked to the concerned controllers, i.e. Regional Head, Head-Branch Banking.

ii) BUs (Refer Point No. 10 below for the defined process)

iii) Other reports: Rating would be done as per the Audit Policy; the draft report would be shared with the Head of the respective Department for management response. The Final Report would be issued to the respective Department Head.

iv) Sign-off on the draft audit report from the respective auditee department is to be obtained before release of the final report.

5 Issue Assessment Framework, Reporting and Communication

The process of issue assessment distinguishes between “Very High”, “High”, “Medium” and “Low” Risk categorization of audit issues, where “Very High” is classified as “Level-1” or L1, “High” as “Level-2” or L2, “Medium” as “Level-3” or L3 and “Low” as “Level-4” or L4.

The categorization of issues as L1, L2, L3 or L4 is done on the basis of the estimated likelihood and the potential impact of the control weakness as depicted hereunder:

Impact \ Likelihood   Less Likely   Possible   Most Likely
Very High             L2            L1         L1
High                  L3            L2         L1
Medium                L4            L3         L2
Low                   L4            L4         L3

The likelihood and the impact assessment would be broadly carried out taking into consideration the following factors.

Likelihood:

Most Likely: Has happened in several instances or a process gap exists.
Possible: Could happen in the foreseeable future.
Less Likely: Less likely to happen.

Impact:

The Impact assessment shall be based on the below factors, individually or in combination:

Very High
• Customers Affected: > 2%
• Financial Impact: > Rs. 25 lacs
• Brand & Reputation Impact: Coverage in high profile global / national media which could lead to significant damage of brand
• Systems / Services affected: Poses any systemic risk. Critical business system / service is affected.
• Regulatory, Internal Policy and Legal implications: Non-compliance to regulatory guidelines / law having impact of possible penalty from regulatory / law enforcement bodies. Not complying with Statutory Audit or RBI Audit Observations.
• Information Security risk / System users impacted: i) Potential loss of all information ii) > 5000 users affected iii) Application Security testing / VAPT not conducted in case of public facing applications.

High
• Customers Affected: 1 - 2%
• Financial Impact: > Rs. 10 lacs and up to Rs. 25 lacs
• Brand & Reputation Impact: Coverage in industry specific / local media which could lead to negative impact on brand
• Systems / Services affected: Poses any undefined or unexpected risks. Non-critical business systems / services are affected.
• Regulatory, Internal Policy and Legal implications: Non-compliance to regulatory guidelines / law not having direct impact of penalty. Non-compliance of Bank’s Policy or PCMC approved process.
• Information Security risk / System users impacted: i) Potential loss of confidential information ii) 500-5000 users affected iii) Application Security testing / VAPT not conducted in case of internal financial applications e.g. CBS, ITMS.

Medium
• Customers Affected: Up to 1%
• Financial Impact: > Rs. 5 lacs and up to Rs. 10 lacs
• Brand & Reputation Impact: Negative information limited to employees / vendors
• Systems / Services affected: Only Support services are affected, but business can run as usual.
• Regulatory, Internal Policy and Legal implications: No violation of any regulatory guidelines / law. Partial non-compliance to the Policies / SOPs.
• Information Security risk / System users impacted: i) Potential loss of internal information ii) < 500 users affected iii) Application Security testing / VAPT not conducted in case of internal applications – non-financial but identified as critical e.g. AML, ALM.

Low
• Customers Affected: No Customers affected
• Financial Impact: Up to Rs. 5 lacs
• Brand & Reputation Impact: Negative information in closed user group
• Systems / Services affected: No Systems / Services affected
• Regulatory, Internal Policy and Legal implications: No implication
• Information Security risk / System users impacted: i) Potential loss of public information ii) No users affected iii) Application Security testing / VAPT not conducted in case of non-critical internal applications.

Notwithstanding the above matrix for financial impact, instances of Revenue leakage shall be classified based on the quantum of leakage / potential of leakage identified. Where a gap is identified in the process of recovery of revenue which can potentially lead to a high revenue leakage at bank level, or the quantum of leakage identified is Rs. 1 lac & above, the same shall be classified as Level 1; leakage below Rs. 1 lac and up to Rs. 10000 shall be classified as Level 2; and any revenue leakage below Rs. 10000 shall be classified as L3 at a Unit level.

Compliance to Audit Observation: Any submission of compliance to an audit observation without actual rectification of the audit observation is very high risk and shall be classified as a Level 1 issue. Similarly, a repeat audit observation in more than 1 area coupled with an increasing direction of risk at the unit level shall be treated as a Level 2 issue; where the direction of risk is stable the same shall be classified as an L3 issue, and where the direction of Risk is decreasing the same shall be classified as an L4 issue.

The key findings of all the audit reports would be classified into four levels L1, L2, L3 & L4, L1 being the highest level of importance.

While endeavour would be made to ensure that the audit issues are classified as per the framework, in the event the assessment framework requires any interpretation / clarity, the risk can be upgraded / downgraded as per direction of CAE.

Under the overall Issue Assessment Framework detailed above, illustrative lists of specific audit issues identified at Branches, BUs, SEL, Credit Audit and HF (Housing Finance Department) have been separately drawn up and are furnished in Annexures 1 to 5 respectively.

5.1 Escalation Matrix

In order to enable the Audit Committee of the Board / Management to get a more business / function-wide view of processes across the Bank and the key findings noted thereof, including effectiveness of audit thereof, the IAD at the end of the audit cycle or at other periodic intervals (as directed by Top Management and the ACB) would present the aggregated audit findings and would also present the key reports / dashboards to the Top Management and the Audit Committee of the Board.

The individual audit observations would be presented as under:

• Level 1: To be reported to MD & CEO and all levels below
• Level 2: To be issued to Business / Department Head and all levels below
• Level 3: To be issued to Deputy Business / Deputy Department Head and all levels below
• Level 4: To be issued to the respective Unit Head

All the issues pertaining to Level 1, Level 2, Level 3 and Level 4 will be put up to the Audit Committee of Executives (ACE).

All the issues pertaining to Level 1 & 2 and the Minutes of meeting of the ACE will be put up to the Audit Committee of Board at their next meeting.

A summary of the high risk issues will be placed before the Board on a half yearly basis.

Apart from the above escalations, if there are any serious regulatory and other violations, instances of suspected fraud or malpractices, those will be escalated to the MD and Senior Management within ten working days from the date of detection of such incidents.

6 Audit Ratings (Other than BU)

All auditable units will be assigned an audit rating based on quantitative and qualitative parameters. The ratings will be classified as per control score on a scale of 0 to 100 as under:

Rating   Control Score     Audit Opinion                    Control Risk
A        ≥ 85              Effective                        Low
B        ≥ 75 and < 85     Meets Requirement                Medium
C        ≥ 70 and < 75     Partially Effective              Medium
D        ≥ 65 and < 70     Improvement Needed               High
E        < 65              Significant Improvement Needed   High

7 Compliance Report / Issue tracking Standards

At all levels, the Bank is subject to audits initiated both internally and externally via regulatory / statutory institutions. It is important to monitor the findings raised during audits as well as the progress made to resolve them. In order to make this process more efficient and transparent, the IAD would follow a standard action tracking process which would enable the business to keep track of the status of the issues with regard to resolving them within the timelines agreed.

The Methodology to be used for action tracking and closure of the audit issues / reports would be as under:

Nature of the Audit Issue                   Timeline for submission of compliance by the Units   Timeline for IAD to assess the responses and consider closure of the issue
Extremely High Risk / Very High Risk (L1)   15 working days                                      7 working days
High Risk (L2)                              21 working days                                      7 working days
Medium Risk (L3)                            30 working days                                      15 working days
Low Risk (L4)                               30 working days                                      15 working days

i) The follow-up with auditee units would be undertaken on a regular basis, keeping the H.O. Department / Competent Authority controlling the auditee units concerned in the loop, to ensure closure of the audit issues within the stipulated time.

ii) The audit issues overdue for closure would be advised to the H.O. Department / Competent Authority controlling the auditee units concerned on a monthly basis to ensure closure of the issues at the earliest.

iii) The extension of timelines for closure of issues would be considered by the Internal Audit Department based on the satisfactory recommendations received from the Competent Authority controlling the auditee units concerned.

iv) The audit reports will need to be closed within an overall period of 45 days. The audit reports would be considered for closure after receipt of satisfactory compliances of the audit issues. Issues where the concerned department has completed their actionable shall be considered as satisfactory compliance for this purpose. Issues where there is dependency on other departments / customers shall be considered as satisfactory compliance for the concerned department.

Audit reports with any other open issues would be considered for closure only in exceptional cases with the approval of the Head of the Department. In such cases, the overall resolution of the issue would be tracked centrally through ATR.

v) IAD will compile a report on issues pending for compliance on a monthly basis and present it to the Competent Authority controlling the auditee units concerned, and on a quarterly basis to the ACB. The action tracking report will also provide information to the Audit Committee of the Board, Senior Management and Line Management on the status of overdue issues.

vi) Closure of Audit reports at various levels would be based on Risk assessment, which would in turn be based on the Audit Rating / Control Score as under:

Control Risk   Audit Rating   Control Score   Closure Level
Low            A              > 85%           Team Leader / Vertical Head of the Audit Department at the level of AVP & above
Medium         B & C          70 - 85%        CAE
High           D & E          < 70%           CAE

vii) IAD will test the correctness of all compliances reported on a test check basis and a report on the same will be placed before the ACB at half yearly intervals.

8 Other relevant features of the audit policy

While Risk Assessment Methodology, Audit Plan, Reporting, etc. have been enumerated above, certain other features of the audit policy with regard to Information System Audit, BU Audits and Snap / Special audits are furnished below.

9 Audit of Banking Units (BU)

There will be a separate audit vertical as well as dedicated resources, having specific skill sets, deployed to audit BUs. For better control, all BUs are to be divided into an adequate number of Audit Clusters by including a few Business Clusters in each Audit Cluster. Each Audit Cluster is headed by an Audit Cluster-In Charge and there are internal auditors in each Audit Cluster depending on the number of BUs of the respective Audit Cluster. The Cluster-In Charge ensures the execution of the BU internal audit, through the internal auditors, according to the approved audit plans.

With the introduction of onsite Concurrent Audit, it has been decided to bring 600 BUs under the ambit of Concurrent Audit. As these BUs will be subjected to Concurrent Audit, there will be only one annual Internal Audit. Each of the other BUs, not subjected to concurrent audit, will be audited once in four months. The individual audit report of each BU will be kept at the respective BU with a copy retained with the Audit Cluster-In Charge. The BU Head will be responsible for the compliance of the report and will submit a compliance statement to the Audit Cluster-In Charge within the stipulated period.

Audit Cluster-In Charges report to the Audit Team at Head Office. The summary of the findings of the BUs audited in the month by the Internal Audit team will be issued in the form of a Monthly Report of BU Internal Audits to be submitted to the Management.

During the BU internal audit, the internal auditor also attends Group Meetings. There is a proper selection methodology for the Groups the internal auditor will visit. The basis is given below:

• He has to select each DBO's group
• He has to select Groups of different timings
• Groups in which the number of overdue cases is higher would be prioritized
• Groups in which very high amounts of loan jumping are noted would be prioritized
• Groups at remote locations

Apart from Group visits, the internal auditor also visits some borrowers' houses. There is a proper selection methodology regarding the borrowers' houses the internal auditor will visit. Emphasis is given on visiting houses of Overdue borrowers, Deceased Borrowers, Absentee borrowers etc.

The internal auditors use a uniform checklist during the BU audit. The salient features of the checklist are to check compliance of the previous internal audit report, Cash management, cash retention limit, remittance to Bank Branch, Management of Keys, dual custody of keys, Checking of Loan Forms, Checking of address proof and ID proof attached with the Loan Form, Handling of biometric device, Biometric capturing, adherence with the laid down process for Credit Bureau data sending, Death case settlement, Quality of Monitoring of Cluster Head and the Cluster Team Members, BU staff administration matters, IT infrastructure at BU, Books of accounts, Registers etc.

9.1 Audit Rating of Banking Unit:

After the audit, each BU is to be given a Risk rating (High / Medium / Low) based on the control assessment. Risk Rating for each BU is done based on a Risk Matrix (which covers a maximum of 100 marks) on the following basis:

Risk Category   Control Score
High            < 70
Medium          > 70 – < 85
Low             > 85

The summary audit report of the BUs shall be submitted to the Head MB.

10 Offsite Audit

10.1 Bank has established an Offsite Audit vertical within the Internal Audit Department for offsite monitoring of certain transactions / activities at branches / offices / BUs.

10.2 Apart from generating regular predetermined exception reports to support the Field auditors, the Offsite Audit team also monitors the following activities, e.g.:

• Transaction monitoring of specific products like BSBDA (521), BSBDA Small (501)
• Verification of correctness of TDS deduction in SB-NRO accounts from quarterly interest credits
• Random verification of interest calculation of various loan products
• Random verification of interest application in SB accounts, every quarter
• Maintenance and updating of tables in a separate database 'IARDB' with data culled out from BBPRE and transaction data received from FIS
• Support by Offsite Audit team members to the H.O Audit team in conducting audits, whenever required
• Support to all units of IAD in understanding and analysis of the data provided
• Random check of NPA classification and interest application correctness in the loan accounts in case of re-classification of accounts into standard asset.

The tasks for the offsite monitoring team would be added / modified based on new issues arising and based on feedback from field auditors.

10.3 For carrying out these tasks the Team will be provided with read only access to the MIS-database, BBPRE and other systems like FIS Profile, Newgen OmniFlow application etc., to enable them to query the required data using tools like SQL, etc.

10.4 The Offsite Audit Team will support on-field branch banking auditors with the necessary reports / inputs that may be required, prior to the visit to auditee units, to enable them to analyse the branch profile, to shortlist the tasks to be focused on and to choose appropriate samples for checking on-site. Some of the reports designed, for example, are:

i) Cash deposits above Rs.50000/- without PAN
ii) Deposit accounts without PAN
iii) Debits in Income GLs
iv) Multiple CIFs with same PAN
v) Transactions in NRE/NRO accounts
vi) Cash deposits of Rs.10 lakhs and above (both individual and cumulative) etc.

In addition to the above, Offsite Audit is assigned to provide inputs through reports to auditors while on-site, wherever exceptions are observed by them. Support to BU auditors through various reports has also been put in place.
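As an added illustration that is not part of the policy and not the Bank's own code, the following Python encodes three of the exception reports listed above, reports i), iv) and vi), as queries over a constructed in-memory SQLite dataset. The two-table schema, the sample customers and deposits, the column names and the use of a calendar month as the window for "cumulative" deposits are all assumptions; the page does not describe the BBPRE or FIS table layouts.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data (hypothetical; not drawn from any bank system).
# customer: (cif, name, pan) - pan is None when no PAN is on record
CUSTOMERS = [
    ("C001", "Customer A", "ABCDE1234F"),
    ("C002", "Customer B", None),          # no PAN on record
    ("C003", "Customer C", "ABCDE1234F"),  # same PAN as C001 -> report iv)
    ("C004", "Customer D", "PQRST5678K"),
]
# cash_deposit: (txn_id, cif, account, txn_date, amount_inr) - cash deposits only
CASH_DEPOSITS = [
    ("T1", "C001", "A001", "2021-04-01", 60_000),
    ("T2", "C002", "A002", "2021-04-01", 75_000),     # > 50,000 and no PAN -> report i)
    ("T3", "C002", "A002", "2021-04-02", 40_000),     # below the PAN threshold
    ("T4", "C004", "A004", "2021-04-03", 1_200_000),  # single deposit >= 10 lakh -> report vi)
    ("T5", "C003", "A003", "2021-04-05", 600_000),
    ("T6", "C003", "A003", "2021-04-20", 450_000),    # 10.5 lakh cumulative in April -> report vi)
]

PAN_THRESHOLD_INR = 50_000            # report i): cash deposits above Rs. 50,000 without PAN
LARGE_CASH_THRESHOLD_INR = 1_000_000  # report vi): Rs. 10 lakh and above


def build_db() -> sqlite3.Connection:
    """Load the constructed sample into an in-memory SQLite database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customer (cif TEXT PRIMARY KEY, name TEXT NOT NULL, pan TEXT);
        CREATE TABLE cash_deposit (
            txn_id TEXT PRIMARY KEY, cif TEXT NOT NULL REFERENCES customer(cif),
            account TEXT NOT NULL, txn_date TEXT NOT NULL, amount_inr INTEGER NOT NULL
        );
        """
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO cash_deposit VALUES (?, ?, ?, ?, ?)", CASH_DEPOSITS)
    conn.commit()
    return conn


def cash_deposits_without_pan(conn, threshold=PAN_THRESHOLD_INR):
    """Report i): cash deposits above the threshold by customers with no PAN on record."""
    return conn.execute(
        """
        SELECT d.txn_id, d.cif, d.amount_inr
        FROM cash_deposit d JOIN customer c ON c.cif = d.cif
        WHERE d.amount_inr > ? AND (c.pan IS NULL OR c.pan = '')
        ORDER BY d.txn_id
        """,
        (threshold,),
    ).fetchall()


def multiple_cifs_same_pan(conn):
    """Report iv): PANs shared by more than one CIF, as {pan: [cif, ...]} with CIFs sorted."""
    rows = conn.execute(
        """
        SELECT pan, cif FROM customer
        WHERE pan IS NOT NULL AND pan <> ''
          AND pan IN (SELECT pan FROM customer GROUP BY pan HAVING COUNT(*) > 1)
        ORDER BY pan, cif
        """
    ).fetchall()
    by_pan = defaultdict(list)
    for pan, cif in rows:
        by_pan[pan].append(cif)
    return dict(by_pan)


def large_cash_deposits(conn, threshold=LARGE_CASH_THRESHOLD_INR):
    """Report vi): individual deposits >= threshold, plus customers whose cash deposits
    within one calendar month (assumed window) aggregate to >= threshold."""
    individual = conn.execute(
        "SELECT txn_id, cif, amount_inr FROM cash_deposit WHERE amount_inr >= ? ORDER BY txn_id",
        (threshold,),
    ).fetchall()
    cumulative = conn.execute(
        """
        SELECT cif, substr(txn_date, 1, 7) AS month, SUM(amount_inr) AS total_inr
        FROM cash_deposit
        GROUP BY cif, month
        HAVING SUM(amount_inr) >= ?
        ORDER BY cif, month
        """,
        (threshold,),
    ).fetchall()
    return individual, cumulative


if __name__ == "__main__":
    db = build_db()
    print("i)  cash deposits > Rs. 50,000 without PAN:", cash_deposits_without_pan(db))
    print("iv) multiple CIFs with same PAN:", multiple_cifs_same_pan(db))
    print("vi) cash deposits >= Rs. 10 lakh (individual, cumulative):", large_cash_deposits(db))
```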

10.5 Further, as newer products and newer processes are introduced, some of the parameters become redundant and some parameters undergo a change. The team regularly reviews such changes in the environment and accordingly the parameters and / or the reports are suitably modified.

Such review will be carried out periodically, as and when necessitated, and changes / additions / reductions, if any, would be carried out after the approval of the CAE. A detailed review note will be prepared and put up to the ACB at half yearly intervals. The review process will entail the following steps:

i) Respective audit vertical heads will review all the parameters and the corresponding reports for applicability. In case of any modification and change in the underlying parameters, the same will be proposed to the offsite monitoring team Head.
ii) The offsite monitoring Head will review the feasibility of the revision and recommend the change to the CAE.
iii) The CAE will review the request and accord his approval.
iv) The new report will replace the old report.
v) This change will be documented in the ‘Report review register’.

11 Snap / Special Thematic audits

Snap / Special Thematic audits at auditee units or specific segments of the bank would be conducted as per the instructions of the CAE / advice of Heads of Departments, Controllers and the ACB from time to time. Snap audits would be conducted in the following events:

i) An abnormal increase in business and / or risk levels in specific activities, products or an area determined from the Offsite data analysis.
ii) In those units where frauds or financial irregularities are unearthed.
iii) When there is a breach of Risk Appetite by a significant margin.
iv) In case of a substantial increase in overdues.
v) When there is a sudden significant increase in portfolio in one quarter as compared to the previous quarter.

In addition, the following will also trigger snap audits:

Branches:
i) Cash transactions in accounts not commensurate with customer profile.
ii) Non-submission of Control Returns.
iii) Compliance of ROE / ROM's observations, including CH's reports.

BUs:
i) Irregularities in monitoring;
ii) Non-maintenance of mandatory books and registers.

As regards snap audits of assets centres / clusters, the following will act as triggers:

i) Comparative analysis of delinquent status of loans quarter-wise
ii) List of SEL / Retail Asset (HL and LAP) which are quick mortality loans

Further, Snap Audit will be taken up at various clusters whenever there is an increase in overdue levels breaching the Risk Appetite of the Bank.

12 Concurrent Audit

In line with RBI directions, a revised framework of onsite Concurrent Audit has been drawn up for implementation at the BUs and Branches. The framework was approved by the Board at its meeting held on Jan 10, 2020.

The extract of the Concurrent Audit Framework is appended as Annexure 6.

In addition to the board approved framework, all other regulatory requirements would also be added under concurrent audit from time to time. An indicative list of other areas to be covered is: monitoring of transactions in new accounts / staff accounts, reporting of CTR/STR, opening and periodic monitoring of Internal Office Accounts, verification of Merchant Banking Business, verification of Credit Card / Debit card business, conduct of employees, mis-selling of products, etc.

13 Audit of Head Office (HO) Departments / Products & Processes

All the HO Departments, as listed in the Audit Universe in Para No. 2 of this Policy, are subject to audit coverage. All the individual verticals and activities in each HO Department, products & processes also form part of the Audit Universe and are covered in the Risk Based Annual Audit Plan for determining the frequency of the audit. The Risk Based Audit Plan forms the basis of the audit scope of each department / function / product etc., and documents the activities of the Department. The Risk Based Audit Plan, which is an addendum to the Audit Policy, also documents the scope of coverage of all HO Audits.

14 Credit Audit

14.1 For all the credit exposures with an aggregate exposure of Rs.2 crores and above (including exposure to credit derivatives), Credit Audit shall be conducted within six months of sanction / renewal & enhancement of limits.

The guidance notes on Credit Risk Management issued by the Department of Banking and Operation, RBI Central Office, Mumbai have detailed guidance on Credit Risk Management. One of the important features of credit audit as per the RBI Guidelines for Credit Audit is to examine Compliance with extant terms and conditions of sanction and post sanction processes and procedures.

14.2 Scope of Credit Audit:

The broad Scope of Credit Audit will be to review the portfolio quality, compliance with laid down policies including regulatory compliance, credit control, process of appraisal and sanction, adequacy of documentation, rectification of audit observations, violation of sanctioning powers, conduct and follow up of accounts, evidence of early warning signals, staff accountability etc.

15 Audit Committee of Executives (ACE)

15.1 Constitution of Audit Committee of Executives (ACE):

The constitution of ACE is:

Members:
• Head - Human Resource – Chairman of the Committee
• Chief Audit Executive - Convener
• Chief Risk Officer
• Chief Compliance Officer
• Head - Operations & Technology

Permanent invitees:
• Chief Financial Officer
• CIO
• Head – Legal
• Head – Business
• Head – BOCS
• Head - EEB
• Head - HF

The quorum for the meeting would be three members.

The Audit Committee of Executives may invite Department Heads or any other official(s), as it considers appropriate, to be present in the meeting of the Committee.

15.2 The functions of the proposed ACE are listed below:

i) To meet once every month to discuss and note all the issues pertaining to Level 1, Level 2, Level 3 and Level 4 as per the “Escalation Matrix”
ii) To discuss and note synopses of audit reports of branches
iii) To discuss and note synopses of audit reports of BUs
iv) To discuss and note synopses of Head Office department audit reports, Product and process audit reports, IS Audit reports and Offsite audit reports.
v) To take note of closure of audit reports approved by IAD
vi) To recommend for putting up a summary of critical issues observed (pertaining to Level 1 & Level 2 as per the “Escalation Matrix”) in the above mentioned synopses of audit reports, along with any other matter which the Committee may consider appropriate to be brought to the notice of the ACB.
vii) To put up Closure Note statistics to the ACB in respect of synopses approved by the said Committee.
viii) To put up status of actual audits completed vs Board approved Audit Plan.
ix) To discuss status of Action Tracker Report.

Annexure I - Issue Assessment Framework for Audit of Branches

Columns: Sr. No. | Types | Findings

Issue Assessment level: L-1 (Very High Risk)

1. Transaction & Internal Control: Cash: Cash found short, in cash-in-hand / vault / ATM, at the time of physical verification of cash and tallying with GL Balance, Cash Balance Register / Vault Register.
2. Internal Control: Keys: Cash / vault keys were shared by one of the joint custodians; Dual Custody policy not followed while operating cash vault or ATM Vault.
3. Compliance & Internal Control: Protective Arrangements: CCTV / alarm system not working for more than 6 months.
4. Transaction: Sharing of password observed.
5. Transaction & Internal Control: Gross violations in compliance to KYC / AML guidelines. Fraudulent transactions detected during audit.
6. Compliance & Internal Control: Demand draft made above Rs. 50,000 in cash by a single customer on the same day.
7. Housekeeping & Internal Control: Physical balance of customer deliverables does not tally with system balance and stock registers.
8. Compliance: PAN / Form 60 not collected for FD above Rs. 50,000 by a single customer on the same day or FDs aggregating to more than Rs 5 lakhs in a financial year. Notices from statutory bodies e.g., IT / GST Authority not acted upon or acted upon with significant delay.
9. Transaction: Cash remittance done above Rs. 50 lakhs without any armed guard by the branch on more than one occasion.
10. Compliance: False compliance / certification.

Issue Assessment level: L-2 (High Risk)

1. Housekeeping & Internal Control: Physical balance of other deliverables does not tally with system balance and stock registers.
2. Housekeeping & Internal Control: Branch had not updated the Large cash transaction register for cash transactions above Rs. 10 lakhs.
3. Compliance & Internal Control: CCTV recording is not available for a period of 45 days out of the stipulated period of 90 days.
4. Compliance: Customer Complaint regarding Disputed transactions in ATM was not resolved within 7 days.
5. Internal Control: Both sets of keys of Cash safe / Strong Room held by the same custodian at different points of time without CH approval taken.
6. Housekeeping & Internal Control: Deliverables: Stocks of Debit Card PINs and debit cards were held by the same custodian (seals are not tampered with).
7. Housekeeping & Internal Control: Cash transactions in accounts not commensurate with customer profile.
8. Internal Control: Compliance of ROE / ROM's observations, including CH's reports.

Issue Assessment level: L-3 (Medium Risk)

1. Compliance: Clean Note policy not followed by Branch (writing on the watermark portion by teller, non-issuable pre-2005 notes mixed with issuable notes, soiled or mutilated notes mixed with issuable notes).
2. Housekeeping: All mandatory notices as notified by BOCS & Compliance department not displayed at the Branch & ATM.
3. Compliance: Branch had not updated the TDS flag in CBS promptly on customer depositing 15G / 15H.
4. Compliance & Internal Control: Death claims settled & payment not made within the stipulated time norm: accounts with survivor(s) / nominee within 15 days, and without survivor(s) / nominee within 30 days, from the date of receipt of the claim with completed requisite papers.
5. Transactions: Payment of expenses approved by Branch Head beyond the limit fixed by DOP and no approval taken from Cluster Head as per the limit fixed by DOP.
6. Compliance: Personal loan sanctioned where the prescribed minimum Credit Bureau score (650) was not adhered to [or credit bureau score not verified] as stipulated by the circular on personal loans.
7. Compliance & Internal Control: Non-permissible credits in NRE accounts accepted by branch.
8. Important Oversight: Control Return not submitted by BH (as sanctioning authority) to Cluster Head at monthly intervals for personal loans sanctioned by him.

Issue Assessment level: L-4 (Low Risk)

1. Transaction: Denomination-wise cash details on the reverse of the cheque not written by teller in cash payment.
2. Compliance: Verification of cheques under UV lamp and signature verification not noted on cheques for cash or transfer payment.
3. Transaction: Date and time of receipt of the request for stop payment of cheque not recorded in the request letter.
4. Important Oversight: Custodian of vacant locker keys also handled the Master Key / allowed access to hirer.

Audit Policy, Ver. 7 Page 49 of 102

Annexure 2 - Issue Assessment Framework for Audit of Banking Units

S. N Subject Types Issue Classification

Issue Assessment level : L-1 (Very High Risk)

1 Financial Transaction Instalment amount or deposit amount of customers short deposited or not recorded in CBS

Any such incident regardless of amount.

Transaction Excess collection of Last Instalment / Prepayment amount of customers.

Transaction Borrower not traceable/identifiable where Loan Disbursed

Transaction Unauthorized withdrawal from customer's account

2 Loan Form / Master roll Checking

Housekeeping

BU Manager approval signature not available in loan form

10% or more of sample not approved

3 Cash in hand Transaction & Internal Control

Cash in hand is not tallied with Physical cash in cash vault, Cash Register and CBS balance

4 Cash deposit above Rs. 50,000

Compliance PAN/Form 60 not collected for cash deposit in excess of Rs.50,000 in cash by single customer on same day.

5 Deficit in Monitoring

Important Oversight

Deficit in Area Manager (AM) Monitoring

4 or more shortfalls in number of monitoring in audit period. (approval not obtained)

Important Oversight

Deficit in Divisional Manager (BU) [D.M.] Monitoring

No DM monitoring done in last 12 months.

6 Password Sharing

Transaction Password Sharing

7 Compliance Compliance False compliance / certification Issue Assessment level : L-2 (High Risk)

1 Key related irregularities

Transaction Irregularity regarding joint custody of vault keys (Both keys under one custodian)

2 Loan Form / Master roll Checking

Housekeeping

BU Manager approval signature not available in loan form

More than 5% (up to 10%) of sample not approved.

3 Group meeting

Transaction TAB machines not used during collection in group (without any reasonable cause)

Audit Policy, Ver. 7 Page 50 of 102

S. N Subject Types Issue Classification

Transaction Record Book not given to customer

Transaction Instalment / prepayment / withdrawal amount posting not done in Record Book

4 Deficit in Monitoring

Important Oversight

Deficit in Area Manager (AM) Monitoring

2 - 3 monitoring shortfall in audit period. (approval not obtained)

Important Oversight

Deficit in Divisional Manager (BU) [D.M.] Monitoring

No DM monitoring done in last 9 months.

5 Credit Bureau checking

Transaction Credit Bureau checking not done for loan disbursement

6 IT Housekeeping

CCTV backup not available for a period of 45 days out of the stipulated period of 90 days.

Issue Assessment level : L-3 (Medium Risk)

S. N | Subject | Types | Issue Classification
1 | Loan Form / Master roll Checking | Housekeeping | BU Manager approval signature not available in loan form (less than 5% of sample not approved)
| | Housekeeping | BU Manager checking signature not available in loan form
| | Housekeeping | Document related irregularities (KYC not attached with loan form)
| | Housekeeping | Master roll not updated (loan amount mismatch with CBS and Customer signature is missing)
| | Housekeeping | Customer signature is missing in Loan form
| | Housekeeping | DBO recommendation not available in loan form
2 | Cash retention limit | Transaction | Violation of Cash retention limit: Retention Limit exceeded > 10 times in audit period, with at least one occasion for three consecutive days.
3 | Group meeting | Housekeeping | DBO Group Register is not updated (collection/loan posting not done)
| | Housekeeping | Resolution Register is not properly updated
4 | Deficit in Monitoring | Important Oversight | Deficit in Area Manager (AM) Monitoring: 1 monitoring shortfall in audit period (approval not obtained)
| | Important Oversight | Deficit in Divisional Manager (BU) [D.M.] Monitoring: No DM monitoring done in last 6 months.
5 | Administrative Matter | Housekeeping | Rent Agreement not Available / Expired
| | Compliance | Notice Board not displayed at BU (like Help line No., Vernacular declaration, grievance redressal mechanism, RBI License etc.)
| | Compliance | Complaint Box not there at BU
| | Compliance | Bandhan Bank Signboard not displayed at BU
| | Compliance | Trade License / Shop & Establishment License not available
| Insurance / Death case related | | Death Cases not registered in BERP within 30 days or wrongly done.
6 | Irregularities observed in IT hardware | Transaction | Computer System not in working condition
| | Transaction | One or more HHD at the BU not working
| | Compliance | One or more CCTV cameras installed are not working
| | Compliance | CCTV backup not available for a period of less than 45 days out of the last 90 days.
7 | Key related irregularities | Compliance | Irregularities in keeping the duplicate set of keys in the linked bank branch / rotation of keys
8 | Cash Remittance from/to Bank Branch | Transaction | Irregularities in Cash Remittance documentation (slip not filled up / register not updated etc.)
9 | Expenses related Approval | Transaction | Payment of expenses approval not obtained from competent authority beyond the limit as fixed by DOP.

Issue Assessment level : L-4 (Low Risk)

S. N | Subject | Types | Issue Classification
1 | Key related irregularities | Compliance | Key register not maintained / not updated regularly
| | Compliance | Receipt copy of acknowledgement confirming deposit of duplicate keys in the linked Bank Branch not preserved in BU
2 | Cash retention limit | Transaction | Non-adherence to Cash retention limit
3 | Cash Remittance from / to Bank Branch | Transaction | Approval is not obtained for remittance of cash.
4 | Loan Form | Housekeeping | Joint photograph not taken
5 | Administrative Matter | Housekeeping | Credit Bureau Report not held on record.
| | | Staff joining order, evidence of staff verification, guarantee bond etc. not held on record.
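The cash retention rows above draw a line between the L-3 classification (limit exceeded more than 10 times in the audit period, with at least one run of three consecutive days) and the plain L-4 non-adherence row. The following check over a BU's daily closing-cash figures is an added example, not the Bank's code; treating "consecutive days" as calendar days, treating every breach below the L-3 threshold as L-4, and the 80%/150%-of-limit sample series are assumptions.

```python
"""Classify a BU's cash-retention-limit breaches under the Annexure 2 thresholds.

Added example, not the Bank's code. L-3 applies when the limit is exceeded more
than 10 times in the audit period with at least one run of three consecutive
days; any other breach is treated here as the L-4 "Non-adherence" row
(assumption: the L-4 row covers every breach that misses the L-3 threshold).
"""
from datetime import date, timedelta
from typing import List, Optional, Tuple

DayRecord = Tuple[date, int]  # (date, closing cash in rupees)

# Constructed audit period start used by the sample data below (not a real audit).
AUDIT_START = date(2021, 4, 1)


def breach_days(records: List[DayRecord], limit: int) -> List[date]:
    """Dates on which closing cash exceeded the retention limit, in date order."""
    return sorted(d for d, cash in records if cash > limit)


def longest_consecutive_run(days: List[date]) -> int:
    """Longest run of consecutive calendar days (assumption: calendar days, not working days)."""
    best = run = 0
    prev: Optional[date] = None
    for d in days:
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        best = max(best, run)
        prev = d
    return best


def classify_cash_retention(records: List[DayRecord], limit: int) -> Optional[str]:
    """Return 'L-3', 'L-4' or None (no breach at all) for the audit period."""
    days = breach_days(records, limit)
    if not days:
        return None
    # L-3 needs both conditions: more than 10 breaches AND a run of >= 3 days.
    if len(days) > 10 and longest_consecutive_run(days) >= 3:
        return "L-3"
    return "L-4"


def make_records(start: date, n_days: int, limit: int,
                 breach_offsets: List[int]) -> List[DayRecord]:
    """Constructed daily closing-cash series: 80% of the limit normally, 150% on breach days."""
    breaches = set(breach_offsets)
    return [(start + timedelta(days=i), int(limit * (1.5 if i in breaches else 0.8)))
            for i in range(n_days)]


if __name__ == "__main__":
    limit = 200_000  # constructed retention limit in rupees
    period = make_records(AUDIT_START, 30, limit, [0, 1, 2, 5, 7, 9, 11, 13, 15, 17, 19, 21])
    print(classify_cash_retention(period, limit))  # L-3
```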


Annexure 3 - Issue Assessment Framework for Audit of Small Enterprise Loans (SEL)

SL | Subject | Type of Risks involved | Findings

Issue Assessment level : L-1 (Very High Risk)

1 | Operations and control | Operational | Loan disbursed without approval of sanctioning authority
2 | Operations and controls | Operational | Loan sanctioned for more than the loan eligibility of the customer and the same has also been disbursed by LPU
3 | Financial | Credit and Operational | Loan sanctioned below the investment grade of the customer such as BB9-BB12. Loan proceeds not utilized as per sanction terms. Non-existent business entity, false field visit report etc.
4 | Compliance and Controls | Operational | Income documents and/or other documents such as Salary slips, ITR, trade license etc., provided by the customer were forged/tampered
5 | Operations and control | Operational | Identity / Address / Income and other documents furnished are not verified as per process and are found to be forged / invalid.
6 | Credit monitoring | Credit and Operational | Loan has been sanctioned without any CRIF report, either consumer or commercial.

Issue Assessment level : L-2 (High Risk)

1 | Financial | Credit Risk and Operational Risk | Existing financial obligations not considered, which makes the customer ineligible for the loan.
2 | Credit monitoring | Credit Risk and Operational Risk | Loan sanctioned when the Credit bureau score was less than the benchmark limit mentioned in the process and policy
3 | Compliance and internal controls | Credit Risk and Operational Risk | ITR furnished was invalid or electronically not verified even after 120 days of filing.
4 | Credit Monitoring | Operational and Credit | Turnover in BERP is substantially higher than income documents, against which proper justification is not available
5 | Compliance and internal controls | Operational | Improper/incomplete execution of security documents.
6 | Compliance and internal controls | Operational and Credit | Incorrect rate of interest applied in loan.

Issue Assessment level : L-3 (Medium Risk)

1 | Compliance and internal controls | Regulatory | Non-KYC / Income and other documents furnished are not verified as per process but are otherwise valid.
2 | Compliance and Controls | Operational | Residence stability proof and business vintage proof not obtained as per laid down process
3 | Compliance and controls | Operational | Minor anomalies in security documentation.
4 | Compliance and controls | Operational | Commercial Credit Bureau Report not obtained
5 | Financial and appraisal | Operational and Credit | Loan sanctioned for a tenure which is not in line with the internal process
6 | Operation and controls | Operational | Loan sanctioned without CA certified financials even though CA certified financials are mandatory as per laid down process
7 | Credit monitoring | Operational and Credit | Banking turnover mentioned in BERP without obtaining Bank statement from customer, thereby increasing the internal scoring of the borrower.
8 | Operation and controls | Operational | Non-submission of Control Return.
9 | Operation and controls | Operational | Non-availability of handover and takeover certificate for movement of Credit Operation in-charge in the asset centre.

Issue Assessment level : L-4 (Low Risk)

1 | Operational monitoring | Operational | Renewed Trade License not obtained
2 | Operation and controls | Operational | Charges mentioned in sanction letter not recovered

Annexure 4 - Issue Assessment Framework for Credit Audit

SL | Subject | Type of Risks involved | Findings

Issue Assessment level : L-1 (Very High Risk)

1 | Operations and control | Operational | Loan sanctioned greater than limits given to Sanctioning authorities, or use of discretion beyond approved matrix.
2 | Operations and controls | Operational | Primary / Collateral security as per terms of sanction not obtained.
3 | Financial | Credit and Operational | Loans declared as fraudulent.
4 | Credit monitoring | Credit and Operational | Non-compliance with post disbursement terms and conditions.
5 | Documentation | Operational | Improper and incomplete execution of security documents. Title deed not with the Bank, NOC not obtained in case of lease hold property.
6 | Credit monitoring | Credit and Operational | Anomaly observed in post disbursement periodic submissions, like non-submission of stock statements, FFR1, FFR2, book debt statements etc.
7 | Operations and control | Regulatory Non-Compliance | Any non-compliance with regulatory requirements, like review/renewal pending for 180 days and above and customer not marked NPA, registration with ROC not done in line with regulatory/sanction terms etc.

Issue Assessment level : L-2 (High Risk)

1 | Credit monitoring | Credit Risk and Operational Risk | Delay in submission of book debt statement/cash budget/stock statements beyond 15 days and penal interest not charged as per terms of sanction without obtaining waiver. Also delays observed in submission of other MIS/financial or other data as specified in the sanction terms.
2 | Compliance and internal controls | Credit Risk and Operational Risk | Non-compliance with sanction terms regarding obtention of insurance on assets / inadequate insurance taken / Bank clause not mentioned in insurance policy
3 | Credit Monitoring | Operational and Credit | Routing of transactions in Cash credit / OD / Current account not in line with the share of limits sanctioned. Fund diversion observed / end-use not in line with sanction terms
4 | Compliance and internal controls | Regulatory | Search not conducted before appraisal and sanction. Registration with CERSAI not in line with regulatory guidelines / sanctioned terms.
5 | Compliance and internal controls | Operational and Credit | Insurance Policy not assigned in the name of the Bank
6 | Collateral | Operational | Exceptions/comments in the Valuation report not approved by relevant authority. Similarly, exceptions/comments in the Legal audit report not approved by relevant authorities.
7 | Credit monitoring | Operational | Stock Audit not conducted / not initiated as per Credit Policy and/or sanction terms. Adverse observations mentioned in Stock Audit Report, previous audit reports etc. not actioned. Legal Audit not conducted / not initiated as per Credit Policy and/or RBI guideline

Issue Assessment level : L-3 (Medium Risk)

1 | Compliance and internal controls | Statutory | Registration with Registrar of Companies (ROC) not done in line with regulatory/sanction terms.
2 | Compliance and controls | Operational | External Rating not obtained as per terms of sanction.
3 | Compliance and controls | Operational | Inspection of the projects not done as per terms of sanction.
4 | Regulatory | Operational | Legal Entity Identifier (LEI) not obtained in line with RBI Directions
5 | Credit monitoring | Operational and Credit | Review/renewal pending for more than 180 days and account not marked as NPA
6 | Credit monitoring | Operational and Credit | Any adverse opinion observed in the Stock Audit Report on which corrective action / reporting to controlling authority is not evident on record.

Issue Assessment level : L-4 (Low Risk)

1 | Operational monitoring | Operational | Valid Trade License not provided as per terms of sanction / delay in providing valid license
2 | Operation and controls | Operational | Unhedged Foreign currency exposure declaration not obtained / not filled up properly

Annexure 5 - Issue Assessment Framework for Audit of Housing Finance

SL | Subject | Type of Risks involved | Findings

Issue Assessment level : L-1 (Very High Risk)

1 | Operations and control | Operational | Original property documents, e.g. Sale deed, Share certificate, Gift deed, allotment letter etc. as stipulated by TSR/others, not obtained for primary security, which would affect the creation of mortgage.
2 | Operations and controls | Operational | Documents like DCCD and MOE blank / not filled up at all and signed by bank officials.
3 | Compliance and Controls | Operational | 1. Title deeds obtained are fake/tampered with. 2. ITR obtained is fake/tampered/invalid. 3. Trade License is tampered/fake.
4 | Regulatory | Operational Risk | Search in CERSAI Database not conducted or Registration with CERSAI not done where required.
5 | Operations and Controls | Credit and Operational | Loan has been sanctioned without following laid down process, such as loan sanctioned without obtaining Credit Bureau Report, all the owners of the property not taken as applicants/co-applicants, construction approval from competent authorities not taken
6 | Operations and Controls | Operational | Loan sanctioned without obtaining Title Search Reports and valuation reports
7 | Operations and Controls | Operational | Anomalies observed in appraisal leading to improper sanction, or sanction / disbursement of loans in excess of customer eligibility.
8 | Operation and controls | Operational | Leakage of income due to incorrect rate of interest applied
9 | Operation and controls | Operational | Delegation of power pertaining to sanctioning of loans exceeded.
10 | Operation and controls | Operational | Anomaly observed in value of property.

Issue Assessment level : L-2 (High Risk)

1 | Regulatory compliance | Regulatory | Registration with CERSAI conducted after 30 days from the date of creation of mortgage.
2 | Regulatory compliance | Statutory | Registration with Registrar of Companies (ROC) conducted after 30 days from date of creation of mortgage
3 | Compliance and internal controls | Credit Risk and Operational Risk | Property insurance expired as on date of audit. Anomaly observed in insurance policy etc.
4 | Compliance and internal controls | Operational | Agreed Bank Clause not mentioned in insurance policy / insurance policy not obtained / not assigned in favour of the Bank.
5 | Operation and controls | Operational | ITR furnished was electronically not verified even after 120 days of filing. ITRs obtained from customer were for multiple previous years but were filed within a gap of less than 6 months.
6 | Compliance and controls | Operational | Non-compliance with sanction terms, such as closure proof of previous loans not obtained.
7 | Regulatory | Credit and Operational | Non-compliance with loan to value ratio
8 | Operation and controls | Operational | Credit bureau report not generated, or Credit bureau report more than 30 days old from the date of sanction of loan.
9 | Operation and controls | Operational | Anomaly observed in other security documentation.
10 | Credit monitoring | Credit and Operational | Legal, technical and re-appraisal not done as per laid down process
11 | Credit monitoring | Operational and Credit | Field Verification report does not cover critical parameters of visit by Bank officials.
12 | Operation and controls | Operational | TSR conducted by lawyers, or Valuation reports by valuers, who are not empanelled.

Issue Assessment level : L-3 (Medium Risk)

1 | Compliance and Controls | Operational | Original search receipt not held in file.
2 | Operation and controls | Operational | Construction done beyond permissible area
3 | Operations and controls | Operational and Credit | Interview sheet not available / incorrectly filled.
4 | Operation and controls | Operational | Under-payment of stamp duty in loan / security documents such as Loan Agreement, Deed of Guarantee and other security documents
5 | Operation and controls | Operational | Construction stage property photograph not filed.
6 | Operation and controls | Operational | Non-submission of Control Return.
7 | Operation and controls | Operational | Non-availability of handover and takeover certificate for movement of Credit Operation in-charge in the asset centre.

Issue Assessment level : L-4 (Low Risk)

1 | Operational monitoring | Operational | Valid Trade License not provided as per terms of sanction / delay in providing valid license
2 | Operational and controls | Operational | Legal appraisal checklist has not been prepared and filed / incomplete / not signed by official.
3 | Operation and controls | Operational | Correction done in application form not counter-signed by the borrower.
4 | Credit Monitoring | Operational | Dockets/files not maintained properly.

Annexure 6: Concurrent Audit Framework (without Annexures)

1 Background

During the current RBS, vide an RMP item, the Bank was advised that an ‘onsite’ Concurrent Audit mechanism may be put in place, for regular monitoring of ‘transactional data’ instead of the system of offsite monitoring. It was also recommended that the Bank should cover at least 50% of its ‘assets’ and ‘liabilities’ as in the past. Accordingly, with the level of ‘assets’ and ‘liabilities’ as on 30th November, 2019 as the base, the following Concurrent Audit Plan has been drawn up in line with extant RBI guidelines and as directed by RBI during the RBS meeting.

2 Scope of Concurrent Audit:

In line with the Risk Based Internal Audit Policy, the following ‘business areas’, processes and products have been identified as having ‘Very High Risk’ and ‘High Risk’.

A. Assets
1. Micro Banking (BUs)
2. Retail Assets (Mortgage based)
3. Small Enterprise Loans (SEL)
4. SME (including NBFC MFI, LCs and Guarantees)

B. Liability & Other High Risk areas
1. Branch Banking
2. Central Processing Unit
3. Treasury Department
4. Nostro Account

A. Assets

As on 30th November, 2019 the total Asset Book of the Bank was ₹65,199 Crs., of which the Micro Banking assets portfolio stood at approx. ₹40,656 crs, the Retail Assets (Mortgages) portfolio at ₹18,000 crs and other assets at ₹6,471 crs. Accordingly, in line with the regulatory expectations, it is proposed to subject to concurrent audit all the 196 Retail Asset Centers of erstwhile Gruh, covering approx. ₹18,000 crs of Mortgage and Housing loan assets. It is also proposed to cover the entire SEL portfolio of approx. ₹1,700 crs across all the 54 Clusters, as well as SME loans (operations) including LCs & Guarantees (₹3,500 crs.), vide the concurrent audit of Corporate Banking Operations (CBO). Further, it is proposed to subject around 600 BUs having a total asset book size of approx. ₹12,000 crs. This will collectively cover approx. ₹35,200 crs of the total asset book, i.e., 54%.

A-1. Micro Banking (BUs)

As indicated above, it is proposed to cover approx. ₹12,000 crs of Micro Banking loans under the ambit of Concurrent Audit. The number of BUs that would be brought under the ambit of concurrent audit has been based on the following criteria:

a) BUs rated High and Medium
b) BUs with higher percentage of overdue
c) BUs with high business volumes
d) BUs where frauds and other financial and other irregularities have been observed.

In line with the above criteria, approx. 600 BUs have been identified for concurrent audit.


The detailed concurrent audit process for BUs is enclosed as Annexure I in the Concurrent Audit Framework.

A-2. Retail Assets (Mortgage based)

It is proposed to cover the entire Rs. 18,000 crs approx. of retail assets (mortgages) portfolio of the Bank under the mechanism of concurrent audit. The majority of the portfolio comprises the portfolio of the erstwhile Gruh Finance Limited, which merged into Bandhan Bank effective October 17, 2019. Accordingly, all 196 branches have been identified for coverage under Concurrent Audit. The detailed audit process for Retail Assets is enclosed in Annexure II in the Concurrent Audit Framework.

A-3. Small Enterprise Loans (SEL)

It is also proposed to cover the entire portfolio of SEL of approx. ₹1,700 crs under concurrent audit. SEL loans are disbursed through Bank branches. The loans are sourced by ROs (Relationship Officers), who source the loan proposals and submit the same to Credit Managers posted in select branches, also called Asset Centers. The respective credit managers appraise and sanction the loans. Post documentation formalities, the sanction letter, loan application form, disbursement memo, etc. are uploaded to the Newgen system for disbursement by LPU. All security documents are obtained and retained at the respective asset centers. Asset Centers are further grouped under ‘Clusters’. The detailed audit process for SEL loans is enclosed as Annexure III in the Concurrent Audit Framework. Apart from the above ‘business units’, all centralized operational units listed hereunder will also be brought under the ambit of concurrent audit.

A-4. SME (including NBFC MFI, LCs and Guarantees)

Apart from the aforementioned asset books, the Bank also has a portfolio of SME assets, which have been booked at various branches across the country. In respect of these assets, including loans to NBFC / NBFC MFI, the CBO undertakes the following activities:

i) Issuance of sanction letter / loan documents / security documents
ii) Creation of security
iii) Compliance of pre-disbursement terms and conditions as per sanction terms
iv) CERSAI entry
v) Legal Audit
vi) Post disbursement terms and conditions such as stock statements / DP updating / FFR analysis, exchange of information, pending security creation, inspection and insurance
vii) Bank guarantee – documentation / limit maintenance. Amendment / reversal / closure
viii) Letter of Credit issuance / LC bill handling.

The activities of the CBO will also be brought under the ambit of Concurrent audit. The detailed audit process for CBO is enclosed vide Annexure IV in the Concurrent Audit Framework.


B. Liabilities and other areas

As on 30th November, 2019 the total deposits of the Bank stood at ₹50435.06 cr.

B-1. Branch Banking

As advised by RBI during the current Supervisory meeting, it was decided to bring at least 50% of deposits under Concurrent Audit; accordingly, 140 branches covering around 55% of the Bank’s deposits are considered under the ambit of concurrent audit. The selection of branches has been done on the following criteria:

a) Large & exceptionally large size branches
b) High risk branches
c) Seven days working branches

The detailed concurrent audit process for Branch Banking is enclosed as Annexure V in the Concurrent Audit Framework. Apart from the above ‘business units’, all centralized operational units listed hereunder will also be brought under the ambit of concurrent audit.

B–2. Central Processing Unit (CPU)

In respect of back-end operations, currently Branches only source accounts and forward the scan copies of account opening forms along with the KYC documents to the CPU through the Newgen workflow software and account opening. The entire account opening process at the Bank is centralized at the CPU, which is currently also under onsite concurrent audit. The ambit of the concurrent audit is proposed to be enhanced in line with the Risk Based Audit approach proposed for Concurrent Audits. Activities at the Loan Processing Unit (LPU), a unit of the CPU which takes care of creation and disbursement of Micro Home Loans, Overdraft against Term Deposits, Personal Loans, two wheeler loans, Next Gen Yuva loans and SEL, will be brought under the ambit of concurrent audit. The CIF and account modification wing, being a part of CPU, is also proposed for Concurrent Audit. The detailed concurrent audit process for CPU is enclosed as Annexure VI in the Concurrent Audit Framework.

B–3. Treasury Department

The Treasury Back Office has also been identified for coverage under concurrent audit. The concurrent audit system of Treasury has been in place since the beginning. Considering the fact that all Treasury deals are validated and accounted for by the Operations team at the Back Office, the Back Office and Mid Office function will be subject to regular concurrent audit on a daily basis. The detailed concurrent audit process for Treasury is enclosed as Annexure VII in the Concurrent Audit Framework.

B–4. Nostro Account Reconciliation

Concurrent audit of the following activities, viz., SWIFT along with Nostro reconciliation, is also being carried out by IAD. The detailed concurrent audit process for the same is enclosed as Annexure VIII in the Concurrent Audit Framework.

3 Separate Vertical with Responsibility and Accountability

In order to have a focused approach to concurrent audit, a separate vertical is proposed to be created under the Chief Audit Executive within the Internal Audit Department, which would cater to the concurrent audit requirements and focus on developing and enhancing the quality of the concurrent audit system in the Bank. Accountability and responsibility for the concurrent audit shall be with the said vertical. If external firms are appointed and any serious acts of omission or commission are noticed in their working, their appointments may be cancelled after giving them reasonable opportunity to be heard, and the fact shall be reported to ACB / LMC of the bank, RBI and ICAI. Appointment of the requisite number of concurrent auditors with the minimum required skills for carrying out the audits effectively shall be completed by HR Department before April, 2020.

4 Collation, Consolidation & Reporting

i) Concurrent auditor should prepare the report on daily basis and same would be shared with Head of the auditee unit for compliance of the same within a stipulated time frame of 3 days.

ii) The Supervisors shall have the responsibility of collation and follow up with the ground level auditors every month and submit the same to their respective Zonal Heads for onward transmission.

iii) The ZHs will submit to IAD, Head Office for consolidation of the reports of different verticals.

iv) The Concurrent Audit reports of every month should be closed by the end of the next month. In case the same could not be closed, the open points should be tracked through ATR, which shall be placed before ACE on a monthly basis.

5 Reporting to ACE & ACB

Reporting systems under each individual area of audit have been included in the respective Annexures. The format for placing the summary of the concurrent audit observations before ACE and ACB is given in Annexure IX.

6 Facilities for effective concurrent audit

In order to make the Concurrent Audit effective, the following facilities shall be made available to the auditors:

i) Unfettered and continuous availability of Data.
ii) Provision of requisite desktops/laptops (equipped with MS Word and MS Excel) / Tablet (Hand Held Computers).
iii) Wherever Tablets (Hand Held Computers) are to be provided, the Audit Checklist/reports for various kinds of audits are to be programmed in the Tablet by the IT Department.

7 Recruitment & Training

i) Eligibility criteria for Concurrent Auditors
a) Must have relevant work experience of 2-5 years in Banks for the respective verticals / areas, viz., in BUs the concurrent auditor must be experienced in BU activity for at least 2-5 years and have a good track record / retail branch banking / audit / Risk / Compliance channel.
b) Proficient in office / MS office package & must be mobile in nature.
c) Efficient in timely reporting and maintenance of TAT.

ii) Supervisors for Concurrent Auditors
a) Must have 8-10 years of work experience in Banks in retail branch banking / audit / Risk / Compliance channel.
b) Must have prior experience of handling a team of 10-15 people.
c) Proficient in office / MS office package & must be mobile in nature.
d) Efficient in timely reporting and maintenance of TAT.

iii) Training
Appropriate training shall be arranged in phases and Zone wise for continuous upgrade of skills and expertise.

8 Remuneration

Concurrent Auditors/Supervisors would be recruited in the grade of AM / DM / other senior grades, and the remuneration would be as per the Bank’s remuneration structure. Supervisors may be selected through IJP / lateral selection mode.


Annexure 7

Sampling Methodology

Design of the sample:

When designing an audit sample, the internal auditor should consider the specific audit objectives, the population from which the internal auditor wishes to sample, and the sample size.

Stratification:

To assist in the efficient and effective design of the sample, stratification may be appropriate. Stratification is the process of dividing a population into sub-populations, each of which is a group of sampling units which have similar characteristics (often monetary value); usually a random selection from each of the subgroups is selected for review.

Sample Size:

When determining the sample size, the internal auditor should consider sampling risk, the tolerable error, and the expected error.

The sample size can be determined by the application of a statistically based formula or through exercise of professional judgment applied objectively to the circumstances of the particular internal audit engagement.

Selection of the sample:

The internal auditor should select sample items in such a way that the sample can be expected to be representative of the population. This requires that all items or sampling units in the population have an opportunity of being selected.

Methods of Sample selection:

1. Random selection
2. Systematic selection
3. Haphazard selection

One Hundred Percent - In case of audit areas checked by analysing Reports generated by Offsite Audit Unit, a hundred percent sample is taken.

Based on the criteria as defined under design of sample, sample size is determined for different departments as given below:


1. Bank Branch Audits: Sample size is defined for each and every checkpoint in the audit checklist based on the following criteria:
25% of the population or minimum 30 cases whichever is lower.
100% in case of physical counting of valuables (cash, inventory)
In case of areas audited by analysing Offsite Reports, 100% sampling is done.

2. Banking Unit Audits: Sample size is defined for relevant checkpoints in the audit checklist based on the following criteria:
Number of Loan Forms to be checked:
• 50% of Loan Forms of immediately previous two months
• 25% of Loan Forms of first two months
Group visit: 10 to 12 groups visit per audit
Project visit or Visit of house of Borrowers: Minimum 75 houses visit

3. Retail Assets, SEL Audits, SME Audits & Trade Finance Audits:

In case of Retail Assets (HL and LAP), per asset centre, sample size is defined as given below:
a) All loans above Rs 20 lakh - 100% population
b) All other loans which are overdue for more than 30 days and do not fall under the category mentioned in point (a): sample during audit is 100% of all such loans.
c) All other loans less than Rs 20 lakh which do not fall in the samples mentioned in point (b) above: 30 files or 10% of population whichever is less, to be reviewed.
The total sample covering points a, b and c should be (i) lower of 50 files or (ii) sum total number of files covered in points a, b and c respectively.

In case of SEL Audits, per asset centre, sample size is defined as given below:
a) All loans above Rs 8 lakh (100%)
b) All loans which are overdue above 30 days and not covered as part of the sample mentioned in point a: 100% of population
c) All other loans Rs 8 lakh and below: 75 files or 10% of population whichever is less
The total sample covering points a, b and c should be lower of 100 files or sum total number of files mentioned in points a, b and c respectively.

In case of Micro-Home loans, per asset centre, sample size is defined as given below:
a) Above 5 lacs - 100% of samples
b) Overdue case above 30 days - 100% of population
c) For loans of Rs 5 lakh and below not covered in points (a) and (b): 25% of total population or 30 files whichever is less

In case of Agri loans, per asset centre, sample size is defined as given below:
a) Above 5 lacs - 100% of samples
b) Overdue case above 30 days - 100% of population
c) For loans of Rs 5 lakh and below not covered in points (a) and (b): 25% of total population or 30 files whichever is less

In case of Next Gen Yuva Loans, per asset centre, sample size is defined as given below:
a) Above 5 lacs - 100% of population
b) Overdue case above 30 days - 100% of population and not covered in point a.
c) For loans of Rs 5 lakh and below not covered in points (a) and (b): 25% of total population or 30 files whichever is less

In case of SME Audits, per asset centre, sample size is defined as given below:
a) All loans above Rs. 50 lakhs: 100% sampling during audit.
b) In the remaining cases, 25% of the population or 15 cases whichever is lower.

In case of Trade Finance (Bank Guarantee) per asset centre: 25% of the population or minimum 30 Bank Guarantees issued, whichever is lower.

4. HO Departments Audits:
a) 100% checking of policies, process notes and SOPs.
b) In case of transactional data, 25% of the population or 30 cases whichever is lower.
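The Retail Assets (HL and LAP) and SEL rules above share one shape: two strata taken in full (high-value loans, then overdue loans among the rest), a capped percentage of the remainder, and a cap on the total. The following Python is an added example, not part of the policy or the Bank's tooling; it parametrises that shape for both products and draws the sample by random selection. Rounding the percentage up, reading "above" as strictly greater, trimming stratum (c) first when the total cap binds, and the constructed portfolios are assumptions the annexure does not settle.

```python
"""Per-asset-centre sample sizes under the Annexure 7 rules for Retail Assets and SEL.

Added example, not part of the Bank's policy or tooling. Assumptions are marked below.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

LAKH = 100_000  # rupees


@dataclass(frozen=True)
class Loan:
    loan_id: str
    amount: int        # sanctioned amount in rupees
    overdue_days: int  # days overdue as on the audit date


@dataclass(frozen=True)
class SamplingRule:
    """Thresholds from Annexure 7; residual_pct is an integer percentage."""
    name: str
    high_value_above: int    # (a) loans strictly above this amount: 100% (assumption: strict)
    overdue_above_days: int  # (b) other loans overdue beyond this many days: 100%
    residual_files: int      # (c) cap on files drawn from the remaining loans
    residual_pct: int        # (c) percentage of the remaining loans
    total_cap: int           # overall cap on the per-centre sample


RETAIL_ASSETS = SamplingRule("Retail Assets (HL and LAP)", 20 * LAKH, 30, 30, 10, 50)
SEL = SamplingRule("Small Enterprise Loans", 8 * LAKH, 30, 75, 10, 100)


def stratify(loans: List[Loan], rule: SamplingRule) -> Tuple[List[Loan], List[Loan], List[Loan]]:
    """Split a centre's population into the annexure's strata (a), (b) and (c)."""
    high = [l for l in loans if l.amount > rule.high_value_above]
    overdue = [l for l in loans if l.amount <= rule.high_value_above
               and l.overdue_days > rule.overdue_above_days]
    residual = [l for l in loans if l.amount <= rule.high_value_above
                and l.overdue_days <= rule.overdue_above_days]
    return high, overdue, residual


def sample_sizes(loans: List[Loan], rule: SamplingRule) -> Dict[str, int]:
    """Files per stratum and the capped total for one asset centre."""
    high, overdue, residual = stratify(loans, rule)
    a, b = len(high), len(overdue)
    # "N files or X% of population whichever is less"; rounding the percentage
    # up is an assumption (the annexure does not specify rounding).
    c = min(rule.residual_files, math.ceil(len(residual) * rule.residual_pct / 100))
    return {"a": a, "b": b, "c": c, "total": min(rule.total_cap, a + b + c)}


def draw_sample(loans: List[Loan], rule: SamplingRule, seed: int = 0) -> List[Loan]:
    """Random selection (method 1 of the annexure) within stratum (c); (a) and (b) are
    taken in full. When the total cap binds, the annexure does not say which stratum
    gives way; this example trims (c), then (b), then (a) (assumption)."""
    rng = random.Random(seed)
    high, overdue, residual = stratify(loans, rule)
    sizes = sample_sizes(loans, rule)
    picked = {"a": list(high), "b": list(overdue), "c": rng.sample(residual, sizes["c"])}
    excess = sizes["a"] + sizes["b"] + sizes["c"] - sizes["total"]
    for key in ("c", "b", "a"):
        cut = min(excess, len(picked[key]))
        if cut:
            picked[key] = rng.sample(picked[key], len(picked[key]) - cut)
        excess -= cut
    return picked["a"] + picked["b"] + picked["c"]


def make_portfolio(n_high: int, n_overdue: int, n_residual: int,
                   rule: SamplingRule, seed: int = 1) -> List[Loan]:
    """Constructed portfolio for one asset centre (not real data)."""
    rng = random.Random(seed)
    loans: List[Loan] = []
    for i in range(n_high):       # stratum (a): above the high-value threshold
        loans.append(Loan(f"H{i}", rule.high_value_above + rng.randint(1, 50) * LAKH,
                          rng.randint(0, 90)))
    for i in range(n_overdue):    # stratum (b): at or below threshold, overdue
        loans.append(Loan(f"O{i}", rng.randint(1, rule.high_value_above),
                          rule.overdue_above_days + rng.randint(1, 120)))
    for i in range(n_residual):   # stratum (c): at or below threshold, not overdue
        loans.append(Loan(f"R{i}", rng.randint(1, rule.high_value_above),
                          rng.randint(0, rule.overdue_above_days)))
    return loans


if __name__ == "__main__":
    centre = make_portfolio(8, 12, 180, RETAIL_ASSETS)
    print(sample_sizes(centre, RETAIL_ASSETS))  # {'a': 8, 'b': 12, 'c': 18, 'total': 38}
    print(len(draw_sample(centre, RETAIL_ASSETS)))  # 38
```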


Part III Information System Audit Policy


Preamble

The Bank has chosen technology as a differentiating factor to achieve desired goals. Technology is a prime factor that encompasses all areas of the organization including regulatory / statutory compliance. With the introduction of various delivery channels and customer interfaces, the challenge is to ensure confidentiality, integrity and availability of data. Well planned and structured audit is essential for risk management and monitoring and control of Information Systems. The IS Audit function therefore becomes an important tool to review all aspects of technology, its business impacts and risks associated with the technologies on an on-going basis.

Considering the importance of the IS Audit function, this IS Audit Policy has been prepared. The IS Audit Policy is a subset of the Bank’s Internal Audit Policy. Hence various organizational aspects which are not covered by the IS Audit Policy shall be governed by the Bank’s overall Internal Audit Policy and practice.

1 IS Audit Policy

1.1 Definition

This IS Audit Policy defines the responsibility, authority and accountability of the Information System Audit function in a documented form, from which IS Audit gets its mandate to perform its function. This also assists the IS Audit Function to determine how to achieve the implementation of applicable IS Audit standards, use professional judgment in their application and justify any departure therefrom under specific constraints. Reporting on IT governance in the organization would involve auditing at the highest level in the organization and will be across divisional, functional or departmental boundaries. The Audit Policy for the IS Audit Function includes IT governance of the organization.

1.2 Mission Statement

To give reasonable assurance to the Board / Top Management that the Information Systems and Infrastructure deployed in the organization, together with the business / operational processes, are able to accomplish the information system goals effectively, and that the risks built in during the process of building such systems are addressed adequately or are within acceptable limits.

1.3 Aims/Goals of IS Audit Policy

i) To ensure that data integrity, confidentiality and availability across various systems are maintained

ii) To assess the impact on business / customers due to proposed system changes / procedural changes

iii) To assess the project planning and execution methodology

iv) To evaluate the impact on business due to various changes in systems

v) To ensure that all system changes / deployments are in alignment with business and IT strategic objectives

vi) To have timely triggers on various IS / technical risks

vii) To ensure compliance with the Information Technology (IT) Act 2000, the Information Technology (Amendment) Act 2008 and other IS related guidelines

viii) To ensure that a risk based approach is followed in all areas.

1.4 Scope of IS Audit

The scope of IS Audit covers all information systems used by the Bank (including the erstwhile Gruh Finance information systems) in related activities, viz. system planning, organization, acquisition, implementation, delivery and support to end-users. The scope also covers monitoring of implementation in terms of its process effectiveness, input / output controls and accomplishment of system goals. The IS Audit scope includes testing of the processes for planning and organizing the information systems activities and the processes for monitoring those activities. The broad scope of the Audit is given below:

i) Determining effectiveness of planning and oversight of IT activities.

ii) Evaluating adequacy of operating processes and internal controls.

iii) Determining adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.

iv) Identifying areas with deficient internal controls, recommending corrective action to address deficiencies and following up to ensure that the management effectively implements the required actions.

1.5 Objectives

IS Audit shall be required to carry out several assignments. Accordingly, the objective of each assignment shall be derived from the mission statement and goals of the IS Audit Policy. Each individual assignment and its report shall carry the specific objectives of that assignment, as applicable.

1.6 Independence

IS Audit, like any other Audit function, is an independent function by itself. IS decision making, IS operations, and project planning, execution and implementation shall be carried out by process controllers with set processes and norms. Similarly, business process owners shall utilize the various information systems and resources to achieve the business objectives. IS Audit is an independent tool to evaluate whether the processes are being executed as per the set norms and whether sufficient internal controls and risk mitigation mechanisms are in place and functioning as intended. Additionally, to ensure independence for the IS Auditors:

i) Auditors shall have unfettered access to information, IT systems, applications, databases etc. and facilities (DC / DR / Branches / Vendor Locations etc.);

ii) Auditors will conduct independent data inspection and analysis;

iii) Auditors will seek data, carry out system walk-throughs, verify project and change implementation status etc. independently, directly from vendors / service providers.

1.7 Relationship with external IS Auditors

The IS Audit plan will be carried out by the in-house audit team. Certain audits may be outsourced in case of specific skillset requirements. In all such events of engaging external agencies, there shall be a formal engagement document defining the activity in its totality, including the commercial terms / conditions. The outsourcing will be within the framework of the Bank’s outsourcing policy and with the approval of the competent authority.

1.8 Relationship with Internal Auditors

The IS Audit function, being a part of the Internal Audit Department, will work in close coordination with the Internal Audit team to ensure that effective controls are built into all systems and to identify areas with scope for improvement.

1.9 Coverage of Outsourced Services

IS Audit shall cover the services of outsourced service providers to ensure that they adhere to the contracted levels of service set out in the Service Level Agreements entered into with the Bank. The IS Auditor shall verify compliance by the service providers with the various regulatory and statutory requirements, to ensure that the Bank is not unduly exposed to any risks on account of acts of commission / omission by them. All service providers shall, at all times, provide the IS Auditor with the necessary support, including data, information, compliances etc.

1.10 Critical Success Factors

The Information Systems encompass a wide variety of activities throughout the organization. The risks embedded during the computerization process are very high, and the evolution of business needs keeps on increasing the expectations from IS Audit. It is therefore critical for the success of IS Audit to achieve the standards and best practices in a phased manner, with continued improvements and enhancements in capabilities.

The success of IS Audit is also highly dependent on the support of the auditee, such as:

i) Timely availability of data.

ii) Audit access to the systems and full access to the UAT environment.

iii) Time bound response to the queries and observations.

The auditee department has to ensure that a conducive environment for IS Audit is provided to ensure its success. All contracts / SLAs with outsourced agencies should have an explicit provision for IS audit rights.

2 Authority

2.1 Right to Access Information

The IS Auditor shall have the right of access to information, personnel, locations and systems relevant to the performance of the audit. IS Audit shall have the complete right to examine / evaluate all manual / system related records, documents and any other evidence covered under organizational activities, from employees and outsourced persons and organizations at all levels. IS Audit shall have query access to the various systems / sub-systems that are implemented in the organization. IS Audit shall have the right to seek system related information (e.g. architecture design, system functioning, integration etc.) and walk-throughs of systems directly from the vendors, for expediting the ongoing audit work.

2.2 Scope or any limitations of scope

Business / product decisions shall not be subjected to IS Audit. However, all associated systems and their integration, as well as related controls, would be assessed by IS Audit.

2.3 Functions to be audited

IS Audit shall cover different functions, such as system architecture, IT Governance, various application systems / sub-systems / components for data / design / infrastructures / users / procedures / data integrity / efficiency and effectiveness, and any other area communicated or arising from any other report, with the prior approval of the Head-Internal Audit.

2.4 Reporting relationship

IS Audit function shall report to Chief Audit Executive (Head of Internal Audit).


2.5 IS Audit Skills

The IS Auditors shall meet the following technological proficiency requirements on an overall basis:

i) Hands-on experience in various aspects of the computerization process, with generic as well as specific skills

ii) Ability to review and evaluate IS internal controls

iii) Understanding of the Information System’s design and operations

iv) Knowledge of programming languages and techniques, and the ability to apply computer assisted audit tools and to assess their results

v) Knowledge of computer operating systems and software

vi) An appropriate number of CISA qualified IS Auditors; the remaining auditors should have the required skill, knowledge and expertise.

3 Accountability

The accountability of the IS Auditors shall be governed by the extant policies of the Bank.

4 IS Audit Planning

4.1 Risk Based Audit Approach

The IS Audit will follow a Risk Based approach. The IS Auditors shall assess the risks to any information system by evaluating the probability of an untoward event occurring and its impact on business. In case any significant incident occurs that considerably impacts business, the risk to the information systems in question shall be evaluated and they shall be subject to immediate audit. The risk assessment methodology shall include system definition, threat identification, vulnerability identification, control analysis, probability and impact analysis, and risk determination.

IS Auditors will periodically review the status of the risk in the information systems and the internal control processes and, in case of necessity, include an area of high risk in the Audit Plan. Accordingly, the auditee units will keep the auditors up-to-date on major changes, such as the introduction of a new product, implementation of a new system, application conversions, significant changes in organisation or staff, regulatory and legal requirements, and security incidents, if any.

4.2 Defining the IS Audit Universe

Defining the Audit Universe is the first step of the risk assessment process. It defines the areas which are subject to audit. It is usually a high-level structure that identifies processes, resources, risks and controls related to IT, allowing for a risk-based selection of the audit areas.

The IS Audit Universe can be classified under the broad heads of Application systems, IT processes / operations, IT Infrastructure (technology and facilities such as hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them and enables processing of applications) and People (internal or outsourced personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services).

Due to frequent changes in the existing IT infrastructure and the implementation / acquisition of new applications, the Information Technology and Information Security departments shall provide, on a half yearly basis, an updated inventory of information systems and a list of projects and major changes to be implemented in the next six months to the IS Audit team, for updating the IS Audit Universe and reassessing the risk in the Information Systems ecosystem.

4.3 Information System Risk Assessment methodology

The risk assessment process should, inter alia, include the following:

i) Identification of inherent IT risks in each Information System Unit in the Bank.

ii) Evaluation of the effectiveness of the control systems for monitoring the inherent risks in the Information System Units (‘Control risk’).

iii) Drawing up a risk matrix taking into account both factors, viz. inherent and control risks. An illustrative risk matrix is shown in the Audit Policy (Part-II) under “Risk Matrix for the Bank”.

4.3.1 Identification of inherent risks in Information system units

The following factors will be considered for gauging the inherent risk in the system: business criticality, regulatory requirements, amount or value of transactions processed, extent of customer information held, customer facing systems, financial loss potential, experience of management and staff, staff turnover, technical competence, degree of delegation, technical and process complexity, stability of application, age of system, training of users, number of interfaces, availability of documentation, extent of dependence on the IT system, confidentiality requirements, major changes carried out, previous audit observations and extent of senior management oversight. These risk factors shall be grouped into the following six basic risk categories:

i) Financial Impact: a) Business criticality b) Loss of revenue c) Value of transactions processed

ii) Operations Risk: a) Volume of transactions b) Number of users impacted c) Critical systems / services impacted d) Loss of information

iii) Reputation Risk: a) Reputation risk on account of outsourcing b) Number of customers impacted c) Impact by media news

iv) Legal & Regulatory Risk: a) Impact on legal and regulatory compliance b) Regulatory findings

v) IT environmental Risk: a) Changes in the system b) Number of interfaces c) Exposure to the internet d) Existence and effectiveness of BCP / DRP

vi) Miscellaneous Risk: a) Experience of management and staff b) Technical competence, training of users c) Technical and process complexity d) Previous audit reports and compliance level

Inherent system risks indicate the intrinsic risk in a particular system / process of the Bank and could be grouped into low, medium and high categories depending on the severity of risk. The process of inherent risk assessment may make use of both quantitative and qualitative approaches.


4.3.2 Measurement of impact of risk parameters

The risk parameters defined above for all the risks are considered for arriving at the score for inherent risk. A high, medium or low score is assigned to each parameter, wherever applicable. Based on these scores for each risk parameter, an aggregate score for that risk category is quantified, and a score on the scale of 1 to 6 (High 5-6, Medium 3-4 and Low 1-2) is awarded to each of the six risks listed above. Where an information system is not exposed to a particular risk, a score of zero is given.

The maximum risk score for any information system would be 36 (aggregate of the six primary risks). Based on discussion and internal judgment, an inherent risk of up to 20% may be considered as “low”, between 21% and 50% as “medium”, and an inherent risk greater than 50% as “high”.

4.3.3 Control Risk evaluation and rating of an IS System

The previous audit rating will be considered as an indicator of the level of control risk. Control risks arise out of inadequate control systems, vulnerabilities / gaps and / or likely failures in the existing controls. The control risks could also be classified into low, medium and high categories. Control risk would be numerically indicated on a “0 to 100” scale, with a score of “0” being the ideal score, which would indicate that the risk is fully covered by the existing controls. The control risk score for an IS System is arrived at by subtracting the audit score from 100, in respect of all units which have previously undergone internal audit. The control risk score in respect of previously unaudited units will be based on subjective judgment, taking into account the criticality of the system and the importance of the unit in the scheme of things. In such instances, generally, the control risk is taken as the same as the inherent risk in the first year of audit.

In order to measure the extent to which the inherent risks are addressed by controls, three threshold levels, viz. “High”, “Medium” and “Low”, have been defined. These are expressed in terms of percentage as under:

Control Risk    Score
Low             10% and below
Medium          Between 10% and 30%
High            Above 30%

The gaps observed in the controls vis-a-vis the inherent risks give the control risk or the residual risk. The residual risks can be classified into Extremely High, Very High, High, Medium and Low based on the following, and accordingly fall in the respective cells of the Risk Matrix.

4.3.4 Risk Matrix for the Information Systems of the Bank

Based on the Control Risk Score and the Inherent Risk Score, a Risk Matrix for the Bank is prepared comprising all Information System Units. Based on the inherent risk and control risk for each IS Unit, the unit will be placed in the Risk Matrix as under:

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks   Control Risk: Low       Control Risk: Medium     Control Risk: High
High                      “4” High Risk           “2” Very High Risk       “1” Extremely High Risk
Medium                    “7” Medium Risk         “5” High Risk            “3” Very High Risk
Low                       “9” Low Risk            “8” Medium Risk          “6” High Risk

[ Inherent Risk: Low 0-7, Medium 8-18, High 19-36 ]

[ Control Risk: Low <10%, Medium 10%-30%, High >30% ]


In the overall risk assessment both the inherent IT risks and the control risks should be factored in. The overall risk assessment as reflected in each cell of the risk matrix is explained below:

Cell 1, Extremely High Risk: Both the inherent business risk and the control risk are high, which makes this an Extremely High Risk area. This area would require immediate audit attention and maximum allocation of audit resources, besides ongoing monitoring by the bank’s top management.

Cell 2, Very High Risk: The business unit / area is perceived to have “high” inherent risk coupled with medium control risk, which makes this a Very High Risk area.

Cell 3, Very High Risk: Although the inherent business risk is medium, this is a Very High Risk area due to high control risk.

Cell 4, High Risk: The business unit / area is perceived to have “high” inherent risk, but the control risks as borne out by the previous audit ratings are weak (cells 4, 5 & 6).

Cell 5, High Risk: Although the inherent business risk is medium, this is a High Risk area because the control risk is also medium.

Cell 6, High Risk: Although the inherent business risk is low, due to high control risk this becomes a High Risk area.

Cell 7, Medium Risk: Although the control risk is low, this is a Medium Risk area due to medium inherent business risk.

Cell 8, Medium Risk: The inherent business risk is low and the control risk is medium.

Cell 9, Low Risk: Both the inherent business risk and the control risk are low.
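The placement steps of sections 4.3.2 to 4.3.4 (six category scores aggregated to an inherent risk score out of 36, control risk taken as 100 minus the previous audit score, and the cell looked up in the matrix), as an added Python example that is not part of the policy or the Bank's tooling; it also applies the audit intervals given later in section 7 (Frequency of Audit), and the unit names and scores in it are constructed.

```python
"""Risk-matrix placement of an Information System Unit (sections 4.3.2-4.3.4)
with the audit interval of section 7. Added illustration, not the Bank's own
tooling; the sample units and their scores are constructed."""
from typing import Dict, Optional

# The six basic risk categories of section 4.3.1.
RISK_CATEGORIES = (
    "Financial Impact", "Operations Risk", "Reputation Risk",
    "Legal & Regulatory Risk", "IT environmental Risk", "Miscellaneous Risk",
)

# Risk matrix of section 4.3.4: (inherent band, control band) -> (cell, rating).
RISK_MATRIX = {
    ("High", "Low"): (4, "High Risk"),
    ("High", "Medium"): (2, "Very High Risk"),
    ("High", "High"): (1, "Extremely High Risk"),
    ("Medium", "Low"): (7, "Medium Risk"),
    ("Medium", "Medium"): (5, "High Risk"),
    ("Medium", "High"): (3, "Very High Risk"),
    ("Low", "Low"): (9, "Low Risk"),
    ("Low", "Medium"): (8, "Medium Risk"),
    ("Low", "High"): (6, "High Risk"),
}

# Section 7: audit interval in months for each overall rating.
AUDIT_INTERVAL_MONTHS = {
    "Extremely High Risk": 9, "Very High Risk": 12, "High Risk": 15,
    "Medium Risk": 18, "Low Risk": 24,
}


def inherent_risk_score(category_scores: Dict[str, int]) -> int:
    """Aggregate of the six category scores (section 4.3.2): each is 0 (not
    exposed), 1-2 (Low), 3-4 (Medium) or 5-6 (High), so the total is 0..36."""
    missing = set(RISK_CATEGORIES) - set(category_scores)
    if missing:
        raise ValueError(f"missing category scores: {sorted(missing)}")
    for name, score in category_scores.items():
        if name not in RISK_CATEGORIES or not 0 <= score <= 6:
            raise ValueError(f"invalid score {score!r} for {name!r}")
    return sum(category_scores[name] for name in RISK_CATEGORIES)


def inherent_risk_band(score: int) -> str:
    """Matrix footnote bands: Low 0-7, Medium 8-18, High 19-36, which are the
    'up to 20%', '21% to 50%' and 'above 50%' of section 4.3.2 applied to 36."""
    if score <= 7:
        return "Low"
    if score <= 18:
        return "Medium"
    return "High"


def control_risk_band(control_risk_score: int) -> str:
    """Section 4.3.3 thresholds: Low 10% and below, Medium above 10% up to 30%,
    High above 30%. A score of 0 means the risk is fully covered by controls."""
    if control_risk_score <= 10:
        return "Low"
    if control_risk_score <= 30:
        return "Medium"
    return "High"


def place_in_risk_matrix(category_scores: Dict[str, int],
                         previous_audit_score: Optional[int] = None) -> dict:
    """Return the unit's cell, rating and audit interval. Control risk is 100
    minus the previous audit score; for a first-time audit (None) the control
    band is taken as equal to the inherent band (section 4.3.3)."""
    inherent = inherent_risk_score(category_scores)
    inherent_band = inherent_risk_band(inherent)
    if previous_audit_score is None:
        control_score = None
        control_band = inherent_band
    else:
        if not 0 <= previous_audit_score <= 100:
            raise ValueError("previous audit score must be a percentage")
        control_score = 100 - previous_audit_score
        control_band = control_risk_band(control_score)
    cell, rating = RISK_MATRIX[(inherent_band, control_band)]
    return {
        "inherent_score": inherent, "inherent_band": inherent_band,
        "control_score": control_score, "control_band": control_band,
        "cell": cell, "rating": rating,
        "audit_interval_months": AUDIT_INTERVAL_MONTHS[rating],
    }


# Constructed sample units; neither the names nor the scores are the Bank's.
CORE_BANKING_SCORES = {
    "Financial Impact": 6, "Operations Risk": 5, "Reputation Risk": 4,
    "Legal & Regulatory Risk": 5, "IT environmental Risk": 4,
    "Miscellaneous Risk": 2,
}  # aggregate 26 -> High inherent risk
INTRANET_PORTAL_SCORES = {
    "Financial Impact": 1, "Operations Risk": 2, "Reputation Risk": 1,
    "Legal & Regulatory Risk": 0, "IT environmental Risk": 2,
    "Miscellaneous Risk": 1,
}  # aggregate 7 -> Low inherent risk
```

With a previous audit score of 65 the constructed core banking unit lands in cell 1 (Extremely High Risk, 9-month interval); the intranet portal with a score of 85 lands in cell 8 (Medium Risk, 18 months).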

4.3.5 Risk Profiling of Auditable Units

Where any IS entity itself comprises several independent auditable units with different levels of controls, like servers, applications, networking, information security systems etc., the following approach will be taken:

A risk map of all the auditable units will be prepared, taking the “inherent risk” of the individual units to be the same as that of the group. The control risk of the individual auditable units would be derived from the previous audit ratings as well as other factors like any frauds detected etc.

Direction of Risk: As detailed in Part II – Audit Policy.

4.4 Scoping for IS Audit

The scope of IS Audit includes the identification of the controls and activities to be tested for assessing effectiveness. The scope will be decided based on the risk assessment. While scoping the audit, factors like control objective, materiality and fraud risk will be considered in addition to other requirements. IS Audit shall also cover large as well as critical branches to assess areas such as control of passwords / user-ids, operating system security, maker / checker, physical security, BCP Policy etc.

4.5 Documenting the Audit Plan

The IS Audit Plan will be a formal document prepared as part of the overall internal audit plan. The components of the Audit Plan shall include the subject, nature, period and scope of audit. The audit approach, audit methodology, audit consideration for irregularities and audit evidence / information are given in Annexures I to IV.

5 Issue Assessment Framework

The process of issue assessment identifies the risk level of audit observations as L1, L2, L3 and L4 depending upon the potential impact of the control weakness / vulnerabilities observed during the audit and the likelihood of its occurrence. The matrix for classifying the observation level is as under:

Impact \ Likelihood   Less Likely   Possible   Most Likely
Very High             L2            L1         L1
High                  L3            L2         L1
Medium                L4            L3         L2
Low                   L4            L4         L3

The likelihood and the impact would broadly be assessed by taking into consideration the following factors.

Likelihood

Most Likely: Has happened in several instances or process gaps exist.

Possible: Could happen in the foreseeable future.

Less Likely: Less likely to happen.

Impact

The Auditor shall use a qualitative as well as a quantitative risk assessment approach for arriving at the risk level of the audit issues. The following parameters will be used for risk assessment of the issues, and the impact is assessed while applying these parameters: Customers affected; Financial impact; Brand & reputation impact; Systems / services affected; Regulatory, internal policy and legal implications; Information security risk / system users impacted.

Risk: Very High
Customers affected: > 2%
Financial impact: > Rs. 25 lacs
Brand & reputation impact: Coverage in high profile global / national media which could lead to significant damage of brand
Systems / services affected: Poses any systemic risk. Critical business system / service is affected.
Regulatory, internal policy and legal implications: Non-compliance with regulatory guidelines / law having impact of possible penalty from regulatory / law enforcement bodies. Not complying with Statutory Audit or RBI Audit observations.
Information security risk / system users impacted: i) Potential loss of all information ii) > 5000 users affected iii) Application Security testing / VAPT not conducted in case of public facing applications.

Risk: High
Customers affected: 1 - 2%
Financial impact: > Rs. 10 lacs and up to Rs. 25 lacs
Brand & reputation impact: Coverage in industry specific / local media which could lead to negative impact on brand
Systems / services affected: Poses any undefined or unexpected risks. Non-critical business systems / services are affected.
Regulatory, internal policy and legal implications: Non-compliance with regulatory guidelines / law not having direct impact of penalty. Non-compliance with the Bank’s Policy or PCMC approved process.
Information security risk / system users impacted: i) Potential loss of confidential information ii) 500-5000 users affected iii) Application Security testing / VAPT not conducted in case of internal financial applications, e.g. CBS, ITMS.

Risk: Medium
Customers affected: Up to 1%
Financial impact: > Rs. 5 lacs and up to Rs. 10 lacs
Brand & reputation impact: Negative information limited to employees / vendors
Systems / services affected: Only support services are affected, but business can run as usual.
Regulatory, internal policy and legal implications: No violation of any regulatory guidelines / law. Partial non-compliance with the Policies / SOPs.
Information security risk / system users impacted: i) Potential loss of internal information ii) < 500 users affected iii) Application Security testing / VAPT not conducted in case of internal applications that are non-financial but identified as critical, e.g. AML, ALM.

Risk: Low
Customers affected: No customers affected
Financial impact: Up to Rs. 5 lacs
Brand & reputation impact: Negative information in closed user group
Systems / services affected: No systems / services affected
Regulatory, internal policy and legal implications: No implication
Information security risk / system users impacted: i) Potential loss of public information ii) No users affected iii) Application Security testing / VAPT not conducted in case of non-critical internal applications.

Under the overall Issue Assessment Framework detailed above, detailed issue assessment illustrations for IS Audit, based on specific audit issues identified in IS Audit, have been separately drawn up and are given in Annexure V.
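The Issue Assessment Framework of section 5, as an added Python example that is not part of the policy or the Bank's tooling: it encodes the likelihood / impact matrix and the numeric impact parameters (customers affected, financial impact, system users impacted, VAPT coverage by application class). The policy does not say how the parameters combine, so taking the most severe parameter as the overall impact is an assumption, and the sample findings are constructed.

```python
"""Issue Assessment Framework of section 5: rate one audit observation as
L1-L4 from its likelihood and impact. Added illustration, not the Bank's own
tooling. The policy gives the impact parameters but not how they combine, so
this example takes the most severe parameter as the overall impact (an
assumption); the sample findings are constructed."""
from typing import Dict, List, Optional

IMPACT_LEVELS = ("Low", "Medium", "High", "Very High")   # ascending severity
LIKELIHOODS = ("Less Likely", "Possible", "Most Likely")  # ascending likelihood

# Observation level matrix of section 5: impact -> likelihood -> level.
ISSUE_LEVEL_MATRIX = {
    "Very High": {"Less Likely": "L2", "Possible": "L1", "Most Likely": "L1"},
    "High":      {"Less Likely": "L3", "Possible": "L2", "Most Likely": "L1"},
    "Medium":    {"Less Likely": "L4", "Possible": "L3", "Most Likely": "L2"},
    "Low":       {"Less Likely": "L4", "Possible": "L4", "Most Likely": "L3"},
}

# "Application Security testing / VAPT not conducted" parameter, by class of
# application (the policy's examples: CBS and ITMS are internal financial,
# AML and ALM are internal critical non-financial).
VAPT_GAP_IMPACT = {
    "public facing": "Very High",
    "internal financial": "High",
    "internal critical non-financial": "Medium",
    "internal non-critical": "Low",
}


def impact_from_customers(pct_affected: float) -> str:
    """Customers affected: none Low, up to 1% Medium, 1-2% High, >2% Very High."""
    if pct_affected <= 0:
        return "Low"
    if pct_affected <= 1:
        return "Medium"
    if pct_affected <= 2:
        return "High"
    return "Very High"


def impact_from_financial(rs_lacs: float) -> str:
    """Financial impact in Rs. lacs: up to 5 Low, >5-10 Medium, >10-25 High, >25 Very High."""
    if rs_lacs <= 5:
        return "Low"
    if rs_lacs <= 10:
        return "Medium"
    if rs_lacs <= 25:
        return "High"
    return "Very High"


def impact_from_users(users_affected: int) -> str:
    """System users impacted: none Low, <500 Medium, 500-5000 High, >5000 Very High."""
    if users_affected <= 0:
        return "Low"
    if users_affected < 500:
        return "Medium"
    if users_affected <= 5000:
        return "High"
    return "Very High"


def assess_issue(likelihood: str, pct_customers: float = 0.0, rs_lacs: float = 0.0,
                 users_affected: int = 0, vapt_gap_app: Optional[str] = None) -> Dict[str, str]:
    """Overall impact (most severe parameter, by assumption) and the L1-L4 level."""
    if likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    impacts = [impact_from_customers(pct_customers), impact_from_financial(rs_lacs),
               impact_from_users(users_affected)]
    if vapt_gap_app is not None:
        impacts.append(VAPT_GAP_IMPACT[vapt_gap_app])
    impact = max(impacts, key=IMPACT_LEVELS.index)
    return {"impact": impact, "level": ISSUE_LEVEL_MATRIX[impact][likelihood]}


# Constructed sample findings (not from any actual Bandhan Bank audit).
SAMPLE_FINDINGS = [
    {"title": "public facing app released without VAPT", "likelihood": "Most Likely",
     "vapt_gap_app": "public facing"},
    {"title": "report defect, 300 internal users, Rs. 7 lacs exposure",
     "likelihood": "Possible", "users_affected": 300, "rs_lacs": 7},
    {"title": "non-critical internal tool without VAPT", "likelihood": "Less Likely",
     "vapt_gap_app": "internal non-critical"},
]


def assess_findings(findings: List[dict]) -> Dict[str, str]:
    """Map each finding's title to its observation level."""
    return {f["title"]: assess_issue(**{k: v for k, v in f.items() if k != "title"})["level"]
            for f in findings}
```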


Reporting and Communication and the Escalation Matrix will be the same as per the

Internal Audit Policy.

6 Performance of Audit Work

6.1 Review of System Strategies

System strategies shall be reviewed by analysing:

i) Minutes of the meetings of the Board of Directors for audit information relating to the consideration of matters concerning the information systems and their controls, and the supporting materials for any such items.

ii) Minutes of the meetings of the Audit Committee of the Board of Directors for audit information relating to the consideration of matters concerning the information systems and their controls, and the supporting materials for any such items.

iii) Assessment of the risk associated with the organization’s use of the information systems and the approach to managing those risks.

iv) IS strategy, plans to implement the strategy and monitoring of progress against those plans.

v) High level policies for IS use and protection, and monitoring of compliance with these policies.

vi) Major contract approvals and monitoring of suppliers’ performance.

vii) Monitoring of performance against Service Level Agreements.

viii) Acquisition of major systems and decisions on implementation.

ix) Impact of external influences on IS, such as the internet, merger of suppliers or liquidation etc.

x) Business Continuity Planning, Disaster Recovery management, Contingency Planning, testing thereof and test results.

6.2 Review of system related policies /compliance

The IS Auditor will consider whether the system related policies cover all of the appropriate areas for which board-level direction is necessary in order to provide reasonable assurance that the business objectives are met. Such policies on board-level direction will need to be documented, and such documented policies shall, among others, include the Security Policy, Outsourcing Policy etc.

6.3 Organization and Administration

IS Audit shall check for segregation of duties, dual control in performing important operations, the level of training imparted to staff, availability of skilled personnel to run critical operations with suitable backup arrangements, maintenance of records for work assigned to staff, rotation and other aspects critical to the smooth operation of all systems.

6.4 Review of system responsibilities of owners of business process

The IS Auditor will be required to review the responsibilities of the business process owners, as under, and assess whether these are appropriate to support the policies and goals of the Bank.

i) Reports of attempted access to the systems supporting business processes and follow-up action taken

ii) Reports of changes to user access rights, including new users and those whose access rights have been removed

iii) Reports of the results of business continuity tests and follow-up action taken

iv) Reports on the results of feasibility studies and the tendering process for systems acquisition

v) Reports of the results of user acceptance testing of new systems or changes to existing systems

vi) Reports on performance against agreed service levels

vii) Statistics on availability, number of failures, number of system changes requested and implemented etc.

viii) Status of the system changes in progress

ix) Reports of changes to corporate data dictionary entries

x) Reports on input control / process control features

The IS Auditor will also assess the systems which produce the above information, and their reliability, integrity and potential for management override.

6.4.1 Consideration of external factors

The IS Auditor will be required to verify that the organization has put in place procedures to monitor external factors, like regulatory compliance, which are relevant to the organization.

6.4.2 Materiality

During the performance of IS Audit, the concept of materiality will play a vital role. Criteria such as the criticality of the business process supported by the system, cost of the system, potential cost of error, number of accesses per period etc. shall be considered while determining materiality.

7 Frequency of Audit

i) IT systems will be divided into five risk categories, viz. extremely high, very high, high, medium and low, based on the risk matrix.

ii) The frequency of system audit will be as per the audit plan, depending upon the risk factors or level of criticality of operation of the auditee unit: extremely high (9 months), very high (12 months), high risk (15 months), medium risk (18 months) and low risk (24 months).

iii) New IT systems, or systems which have undergone major changes, shall be audited within six to twelve months of implementation.

iv) All systems, domains and processes, irrespective of their risk levels, shall be covered within a period of two years.

v) Notwithstanding the above, IT governance, Information security governance, Data Centre, IT processes, critical business applications and MIS systems shall be subjected to audit at least once a year.

8 Compliance and Closure of Audit Report

The Auditee shall be required to send comments / compliance within a month from the date of issue of the final audit report. The summary of the report, along with compliance, will be placed before the Audit Committee of the Board. The compliance shall normally be completed within 3 months from the date of the report. Any area pending compliance shall be addressed within a defined time frame, which shall be tracked through the ATR (Action tracking report). The audit report shall be deemed to be closed after verification by audit that all major observations have been complied with.


9 Audit Documentation

Audit evidence / information gathered by the IS Auditor would be appropriately documented and organized to support the IS Auditor’s findings and conclusions. The following documents would form a part of the audit documentation:

i) Test reports

ii) Snapshot reports

iii) E-mail correspondence

iv) Any other important document / information / audit back papers

v) Audit Committee reports

10 Restriction of Scope

In the event the IS Auditor has reason to believe that sufficient audit evidence / information cannot be obtained, the IS Auditor shall disclose this fact in a manner consistent with the Audit Policy and the guidelines laid out herein for communication of audit results.


IS Audit Annexure – I: Audit Approach

1. Audit Phases

IS Audit follows a three-phase process. The first phase is the audit planning phase, followed by the test of controls phase and finally the substantive testing phase.

In the planning or first phase, the IS Auditor will identify the various risks and exposures and the security controls which provide safeguards against these exposures. The tests which need to be conducted in the second phase of the audit will also be planned in detail in the first phase.

In the second phase, the security controls will be tested. Control activities in the organization are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. One of the primary areas of IS Audit will be to check the effectiveness of these security controls. Control activities, in turn, are divided into two major areas: system controls and physical controls. Within system (security) controls are the general controls and the application controls. General controls pertain to area-wise concerns such as controls over the data centre, organizational databases, system development and program maintenance. Application controls ensure the integrity of specific application software. Physical controls include access control, transaction authorization, segregation of duties, supervision, accounting records and independent verification.

In the third or substantive testing phase, individual transactions are tested. The IS Audit substantive tests extensively use computer assisted audit tools and techniques.

Audit of Information Systems is a very challenging job, especially in the light of the fast changing pace of information technology, including communication systems. All these phases will be implicit in nature and would get reflected only through the audit report.

2. Change Control Management

Considering the fact that business runs on an on-going basis, most application systems, network systems and the various components thereof constantly undergo changes. It is essential, therefore, that these changes take place in a controlled manner and in a controlled environment, and that a process exists for the same. The IS Auditor would review changes made to all the systems on the basis of need / perceived risk or on a routine basis. This would be a fixed component of the IS Audit function.

3. IS Audit at Branches

i) IS Audit may from time to time issue checklists for branches or units so that internal/concurrent auditors can use them at branches or units.

ii) Special IS Audits may be carried out at branches or units for evaluating data/procedural integrity/security or any such IS activity.

iii) Visits to branches or units on a routine/surprise basis may be planned to assess overall effectiveness.

iv) IS Audit Reports compiled across branches/units would help IS Audit to carry out further planning.

During the branch rating exercise, the IS Audit exercise will be given appropriate weightage.

4. Overall Assessment

Based on the various system documents, key discussions, risk assessments and evaluation of internal controls, the IS Auditor would do an overall assessment of the system.


IS Audit Annexure – II: Audit Methodology

1. Testing Methodology

Audit activities are broadly divided into five major steps for the convenience and effective conduct of the audit: (a) Planning IS Audit (b) Test of Controls (c) Test of Transactions (d) Test of Balances (e) Completion of audit.

i) Planning IS Audit: Planning IS Audit includes understanding the objectives of the audit, collecting background information, assigning appropriate staff keeping in mind skills, aptitude etc. and identifying the areas of risk. Risk analysis of the operating systems is carried out to identify the systems with the highest risks, considering the critical nature of the information processed through such systems as well as the number and the values of the transactions processed. This is to identify the systems having the highest risks and decide on the extent of the detailed analysis and testing to be conducted on those systems. Risk assessments can be done through review of previous audit reports/papers, interviews/interaction with the management and the information system personnel, observation of the activities carried out within the information systems function and review of information system documentation.

ii) Test of Controls: The IS Auditor will participate in various activities and will be in touch with employees. Internal controls will be tested to evaluate whether they operate effectively on an on-going basis. This includes testing of management controls and application controls. The objective is to evaluate the reliability of the controls and find out the weaknesses of the controls for meeting the IS Audit objectives. The IS Auditor would make recommendations to rectify the weaknesses observed during the course of an IS Audit. While carrying out tests of controls, the IS Auditors should satisfy themselves regarding the following aspects of controls, right from the pre-design stage to the post-implementation stage: identification, implementation, existence, adequacy, documentation, maintenance and monitoring.

iii) Test of Transactions: Tests of transactions would be used to evaluate whether erroneous transactions have led to a material misstatement of the financial information and whether the transactions have been handled effectively and efficiently. The objective is to evaluate data integrity. Some such tests include the tracing of journal entries to their source documents, the examination of the price/rate files, the testing of computational accuracy, the study of the transaction log etc. These tests are used to indicate the database system’s effectiveness.

iv) Completion of audit: This is the final stage of the IS Audit. The IS Auditors would form their opinion, clearly indicating their findings, analysis and recommendations. Potential IS Audit findings would be discussed with the appropriate/authorized personnel throughout the course of the IS Audit. Preliminary conclusions and the audit findings would be presented to the auditee during closure of the audit. All potential findings with sufficient merit and preliminary IS Audit recommendations will be placed for discussion. Work papers used in the audit should be well organized, clearly written and address all the areas included in the IS Audit. IS Audit work papers should contain sufficient evidence/information of the tasks performed and the conclusions reached, including the results achieved, issues identified and the final opinion. The audit report will include an introduction to the audit objectives, scope and general approach employed, a summary of the critical findings, and the auditor’s recommendations.

2. Sub-system factoring

The IS systems of the Bank are huge and highly complex in nature, encompassing various activities, procedures and people. Hence, it may not be possible to have comprehensive coverage of activities at any given point of time. The systems can therefore be further factored into various sub-systems, based on inherent cohesiveness and interdependencies. Each factored sub-system can then be evaluated for audit purposes.

3. Control through IS procedural definitions

The IS environmental controls, infrastructural controls, data integrity controls and operational controls form a fundamental basis for governing the various activities happening in the organization. IS Audit would, therefore, lay great emphasis on the IS procedural manuals covering these topics. IS Audit would review these manuals for continuous enhancement and compliance.

4. Network and security audit

All areas of the network, including the wide area network, local area network, data center management and security architecture, shall fall under the purview of IS Audit.

5. Checklist

Checklists, if any are used for IS Audit, shall be updated on an on-going basis.


IS Audit Annexure - III: AUDIT CONSIDERATIONS FOR IRREGULARITIES

Due professional care and the observance of internationally accepted professional auditing standards would be exercised by the IS Auditor in all aspects of IS Auditing. The Information Systems Auditor will plan the information systems audit work to address the audit objectives and to comply with internationally accepted professional auditing standards. Further, during the course of IS Auditing, the Information Systems Auditors would obtain sufficient, reliable, relevant and useful evidence/information to achieve the audit objectives effectively. In addition, the audit findings and conclusions have to be supported by appropriate analysis and interpretation of this evidence/information by the IS Auditor. The Information Systems Auditor will provide a report in an appropriate form to the Head-Internal Audit upon the completion of the audit work.

In planning the audit work as appropriate for the nature of the audit assignment, the IS Auditor would use the results of the risk assessment to determine the nature, timing and extent of the testing required in order to obtain sufficient audit evidence/information to provide reasonable assurance that irregularities which could have a material effect on the area under audit or on the organization as a whole will be identified, and that control weaknesses which would fail to prevent or detect material irregularities will be identified.


IS Audit Annexure – IV: AUDIT EVIDENCE/INFORMATION

1. Consideration under audit evidence

When planning the IS Audit work, the IS Auditor would take into account the type of audit evidence/information to be gathered, its use as audit evidence/information to meet the audit objectives and its varying levels of responsibilities. Among the things to be considered is the independence of the provider of the audit evidence/information. For example, corroborative audit evidence/information from an independent third party can be more reliable than audit evidence/information from the organization being audited. Physical audit evidence/information is generally more reliable than the representation of an individual.

The various types of audit evidence/information which the IS Auditor should consider using include: (a) Observed processes and existence of physical items (b) Documentary audit evidence/information (c) Representation (d) Analysis of observed processes and existence of physical items.

Documentary audit evidence/information, recorded on paper or other media, can include: (a) Results of data extraction (b) Records of transactions (c) Program listings (d) Invoices and activity and control logs (e) System development documentation.

Representations of those being audited can be audit evidence/information, such as: (a) Written policies and procedures (b) System flow charts (c) Written or oral statements.

The results of analysing information through comparison, simulations, calculations and reasoning can also be used as audit evidence/information. Examples include: (a) Benchmarking IS performance against other organizations or previous periods (b) Comparison of error rates between the application transactions and the users.

2. Availability of audit evidence/information

The IS Auditor should consider the time during which the evidence/information exists or is available in determining the nature, timing and extent of substantive testing and, if applicable, compliance testing. For example, the audit evidence/information processed by Electronic Data Interchange (EDI), Document Image Processing (DIP) and dynamic systems such as spreadsheets etc. may not be retrievable after a specific period of time if changes to the files are not controlled or the files are not backed up. Since it is not possible for an internal auditor to make multiple copies of system documents, the IS Auditor would sign the various documents produced for the purpose of the audit and would advise the auditees to preserve these documents for further reference.

3. Selection of audit evidence/information

The IS Auditor would plan to use the best audit evidence/information attainable, consistent with the importance of the audit objectives and the time and effort involved in obtaining the audit evidence/information. When the audit evidence/information obtained in the form of oral representations is critical to the audit opinion or conclusion, the IS Auditor would consider obtaining documentary confirmation of the representation, either on paper or on other media.

4. Nature of audit evidence/information

Audit evidence/information should be sufficient, reliable, relevant and useful in order to form an opinion or support the IS Auditor’s findings and conclusions. If, in the IS Auditor’s judgment, the audit evidence/information obtained does not meet these criteria, the IS Auditor should obtain additional audit evidence/information.

5. Gathering audit evidence/information

The procedures used to gather audit evidence/information vary depending on the information system being audited. The IS Auditor would select the most appropriate procedure for the audit objective. The following procedures will be considered: (a) enquiry (b) observation (c) inspection (d) confirmation (e) re-performance (f) monitoring. The above can be applied through the use of manual audit procedures, computer assisted audit techniques or a combination of both.

Detailed transaction records may be available in machine-readable format, requiring the IS Auditor to obtain audit evidence/information using Computer Assisted Audit Techniques (CAAT). Often, system records, design documents, system flow charts, system manuals and notes also form a part of the audit evidence. It is, however, not possible to duplicate these records only for the purpose of the audit. In all such events, Audit would send a communication to the auditees to preserve a set of documents as a part of the audit evidence.


IS Audit Annexure – V - Issue Assessment Illustrations

IT General Controls (ITGC)

Issue Assessment Illustrations

Issue Assessment level: L-1

Scenario one: Impact is Very High and Likelihood can be Possible or Most Likely

Scenario two: Impact is High and Likelihood can be Most Likely

Sr. No. – Type – Findings

1 – IT Operations – Downtime of identified critical systems impacting more than 5000 users, and the issue has occurred more than once

2 – IT Operations – Corruption and/or leakage of all data and information. E.g. RAID failure of the storage system due to improper configuration; sensitive data like PII and business sensitive data can be extracted from the system

3 – IT Operations – Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. no redundant system for the biometric authentication system or any such application which is required to be highly available during business hours.

4 – IT Operations – Lack of system capacity to process transactions in a timely manner, preventing the posting of any new transactions. E.g. unable to process RTGS transactions or AML data, impacting regulatory / statutory return submission.

5 – Logical Access – Users have unauthorized access to the systems. E.g. access to the core application or IT infrastructure is possible with little effort, such as manual brute forcing or social engineering techniques

6 – Logical Access – Segregation of duties (SoD) not configured appropriately, as business users have access to administrative privileges for the concerned applications. E.g. SoD not implemented in the SWIFT processing system; the network administrator has access to system administration; the DBA has access to the OS; the Security administrator has access to any system in the bank other than those required for security monitoring and control.

7 – Change Management – Unauthorized changes migrated into the systems.

8 – Change Management – Lack of SoD in the change management process, enabling a developer to migrate their own code to the production environment.

Issue Assessment level: L-2

Scenario one: Impact is Very High and Likelihood is Less Likely

Scenario two: Impact is High and Likelihood is Possible

Scenario three: Impact is Medium and Likelihood is Most Likely

1 – IT Operations – Downtime of identified critical systems impacting 500-5000 users (confined to a single instance)

2 – IT Operations – Corruption and/or leakage of confidential data and information. E.g. corruption of a data file impacting the availability of the system for a couple of days; leakage of information like the bank’s internal policies, processes, employee information etc.

3 – IT Operations – Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. no backup being taken for business critical data; no redundant network connectivity, impacting the business of large branches.

4 – IT Operations – Lack of system capacity to process transactions in a timely manner, preventing the posting of any new transactions. E.g. slow systems impacting the generation of reports which have a regulatory impact or business requirement

5 – Logical Access – Users have unauthorized access to the systems (impact to be measured as per the Risk Assessment guidelines).

6 – Logical Access – Segregation of duties not configured appropriately, as business users have access to administrative privileges for the concerned applications. E.g. an end user can execute end-to-end transaction processing or make changes to the system configuration.

7 – Change Management – No documented change management policy / process to ensure consistent system changes.

8 – Change Management – Developers have access to the production environment

9 – Change Management – Inadequate testing of changes before moving to production

10 – Change Management – Developers have access to the production environment for migration of changes

Issue Assessment level: L-3

Scenario one: Impact is High and Likelihood can be Less Likely

Scenario two: Impact is Medium and Likelihood can be Possible

Scenario three: Impact is Low and Likelihood can be Most Likely

1 – IT Operations – Downtime of identified critical systems impacting 0.1-1% of the entire user base

2 – IT Operations – Corruption and/or leakage of internal data and information. E.g. leakage of internal information like user manuals

3 – IT Operations – Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. restoration of backups not being tested; inadequate documentation of backup and recovery procedures.

4 – IT Operations – Lack of system capacity to process transactions in a timely manner, preventing the posting of any new transactions. E.g. CPU unable to process the day’s volume within time

5 – Logical Access – Users have unauthorized access to the systems. E.g. non-compliance with password policies

6 – Logical Access – Segregation of duties not configured appropriately, as business users have access to administrative privileges for the concerned applications. E.g. one user assigned multiple roles, like back office users performing mid-office tasks.

7 – Change Management – No documented review and approval of changes; no roll-back procedure.

8 – Change Management – Developers have access to the production environment to support infrastructure.

9 – Change Management – Improper prioritization of changes; no post-implementation review of changes

Issue Assessment level: L-4

Scenario one: Impact is Medium and Likelihood can be Less Likely

Scenario two: Impact is Low and Likelihood can be Less Likely

Scenario three: Impact is Low and Likelihood can be Possible

1 – IT Operations – Downtime of identified critical systems impacting no users

2 – IT Operations – Corruption and/or leakage of all data and information. E.g. end user data backup corruption; unavailability of shared drives

3 – IT Operations – Lack of backup and contingency planning increases the risk of being unable to continue processing following a disaster for identified critical systems. E.g. end user desktop backups not performed.

4 – IT Operations – Lack of system capacity to process transactions in a timely manner, preventing the posting of any new transactions. E.g. unavailability of non-critical systems

5 – Logical Access – Users have unauthorized access to the systems. E.g. email access to users

6 – Logical Access – Segregation of duties not configured appropriately, as business users have access to administrative privileges for the concerned applications. E.g. SoD conflicts in non-critical systems

7 – Change Management – Inadequate documentation of changes


Application Controls

Issue Assessment Illustrations

Issue Assessment level: L-1

Scenario one: Impact is Very High and Likelihood can be Possible or Most Likely

Scenario two: Impact is High and Likelihood can be Most Likely

Sr. No. – Type – Findings

1 – Input Transaction – Unauthorized and incomplete data entry. E.g. NPA classification; no input validation in regulatory reporting; amount filled without validation

2 – Input Transaction – Duplicate data entry in the systems. E.g. duplicate creation and approval of a loan account

3 – Processing – Incomplete transaction processing in the systems. E.g. creation of customer accounts without KYC

4 – Processing – Duplicate transaction processing in the systems. E.g. duplicate RTGS / NEFT / UPI transactions

5 – Output – Non-availability of the information. E.g. generation of incorrect regulatory reports

6 – Master Data – Unauthorized changes in the master data of systems. E.g. table level changes in the database of financial transactions

7 – Master Configuration – Inaccurate configuration of the interest rate methodology during a leap year

8 – Configuration – Incorrect logic for mapping of regulatory reports

Issue Assessment level: L-2

Scenario one: Impact is Very High and Likelihood is Less Likely

Scenario two: Impact is High and Likelihood is Possible

Scenario three: Impact is Medium and Likelihood is Most Likely

1 – Input Transaction – Unauthorized and incomplete data entry. E.g. incorrect customer classification for regulatory reporting

2 – Input Transaction – Duplicate data entry in the systems. E.g. duplicate vendor payments

3 – Processing – Incomplete transaction processing in the systems. E.g. charges not levied in the customer accounts

4 – Processing – Duplicate transaction processing in the systems. E.g. duplicate customer transaction processing (as per impact matrix)

5 – Output – Non-availability of the information. E.g. system providing incorrect output of customer transactions

6 – Master Data – Unauthorized changes in the master data of systems. E.g. table level changes in the user master maintenance.

7 – Regulatory – Non-adherence to the minimum stipulated LTV (75%) by RBI

8 – Configuration – Mismatch between product master and approved product note

Issue Assessment level: L-3

Scenario one: Impact is High and Likelihood can be Less Likely

Scenario two: Impact is Medium and Likelihood can be Possible

Scenario three: Impact is Low and Likelihood can be Most Likely

1 – Input Transaction – Unauthorized and incomplete data entry. E.g. incorrect customer classification for internal reporting

2 – Input Transaction – Duplicate data entry in the systems. E.g. incorrect mobile, email etc. updated in different customers

4 – Processing – Incomplete transaction processing in the systems. E.g. transaction processed incorrectly (as per impact matrix)

5 – Master Data – Unauthorized changes in the master data of systems. E.g. audit trail not maintained for IT operation transactions

6 – Configuration – Absence of in-built logic and internal non-compliance related to products

Issue Assessment level: L-4

Scenario one: Impact is Medium and Likelihood can be Less Likely

Scenario two: Impact is Low and Likelihood can be Less Likely

Scenario three: Impact is Low and Likelihood can be Possible

1 – Input Transaction – Unauthorized and incomplete data entry. E.g. incorrect classification of non-reportable fields in the product

2 – Input Transaction – Duplicate data entry in the systems. E.g. duplicate transaction not having any financial impact

4 – Processing – Incomplete transaction processing in the systems. E.g. incomplete processing of non-critical transactions

5 – Processing – Duplicate transaction processing in the systems. E.g.

6 – Output – Incorrect output generated for non-reportable reports

7 – Master Data – Unauthorized changes in the master data of systems. E.g. non-maintenance of table fields like system usage etc.

8 – Configuration – Inaccurate configurations in the systems. E.g. incorrect configuration of fields not affecting business operations

Note: The criticality of systems will depend on the classification implemented by the IT Department.


Glossary of Terms

Abbreviation – Full Name

ACB – Audit Committee of Board

ACE – Audit Committee of Executives

ACF – Account Closure Form

ALCO – Asset Liability Committee

AM – Assistant Manager

AML – Anti-Money Laundering

AOF – Account Opening Form

ATM – Automated Teller Machine

ATR – Action Taken Report

AUS – Australia

BCP – Business Continuity Plan

BDO – Block Development Officer

BERP – Bandhan Enterprise Resource Planning

BG – Bank Guarantee

BOCS – Banking Operation and Customer Service

BOM – Branch Operation Manual

BRS – Bank Reconciliation Statement

BU – Banking Unit

CA – Current Account

CAAT – Computer Assisted Auditing Technique

CAE – Chief Audit Executive

CAIIB – Certified Associate of Indian Institute of Bankers

CAM – Credit Appraisal Memo

CASA – Current Account and Savings Account

CBO – Corporate Banking Operations

CBS – Core Banking Solution

CCO – Chief Compliance Officer

CCTV – Closed Circuit Television

CDC – Continuous Discharge Certificate

CERSAI – Central Registry of Securitization Asset Reconstruction and Security Interest

CH – Cluster Head

CIC – Credit Information Company

CIF – Customer Information File

CISA – Certified Information System Auditor

CIT – Cash In Transit

CKYC – Central Know Your Customer

CMS – Cash Management System

CPIS – Customer Primary Information Sheet

CPU – Central Processing Unit

CPV – Customer Profile Validation

CRF – Customer Request Form

CRILCI – Central Repository of Information on Large Credit

CRL – Cash Retention Limit

CRO – Chief Risk Officer

CRS – Common Reporting Standard

CS – Company Secretary

CSGL – Constituent Subsidiary General Ledger

CTS – Cheque Truncation System

DBA – Database Administrator

DBO – Doorstep Banking Officer

DCCD – Declaration Cum Confirmation Deed

DD – Demand Draft

DFP – Delegation of Financial Power

DIP – Document Image Processing

DISA – Diploma in Information System Auditor

DM – Deputy Manager

DOB – Date of Birth

DOE – DSC Operations Executive

DOP – Delegation of Power

DPD – Days Past Due

DPIN – Designated Partner Identification Number

DPN – Demand Promissory Note

DRP – Disaster Recovery Plan

DTL – Demand and Time Liabilities

EDI – Electronic Data Interchange

EMI – Equated Monthly Instalment

FATCA – Foreign Accounts Tax Compliance Act

FCNR – Foreign Currency Non Residence

FCY – Foreign Currency

FD – Fixed Deposit

FEMA – Foreign Exchange Management Act

FFR – Financial Follow Up Reports

FIS – Fidelity National Information Services Inc.

FOIR – Fixed Obligation to Income Ratio

FRFC – Fire Resistant Filing Cabinet

FTO – Fund Transfer Officer

FVR – Field Visit Report

GL – General Ledger

GST – Goods and Services Tax

H.O Dept. – Head Office Department

Head-CC – Head Corporate Centre

HHD – Hand Held Device

HIA – Head of Internal Audit

HO – Head Office

HR – Human Resource

HUF – Hindu Undivided Family

IA – Internal Audit

IAD – Internal Audit Department

IJP – Internal Job Posting

INR – Indian Rupee

IOGL – Inter Office General Ledger

IS – Information System

IT – Information Technology

ITGC – IT General Control

ITMS – Integrated Treasury Management System

ITR – Income Tax Return

JV – Journal Voucher

KRA – Key Responsibility Areas

KYC – Know Your Customer

LAP – Loan Against Property

LC – Letter of Credit

LCR – Loan to Cost Ratio

LLP – Limited Liability Partnership

LOA – Letter of Authorization

LOS – Loan Originating System

LPU – Loan Processing Unit

LTV – Loan To Value

MB – Micro Banking

MCA – Ministry of Company Affairs

MD & CEO – Managing Director & Chief Executive Officer

MFI – Micro Finance Institution

MID – Merchant Identification Number

MIS – Management Information System

MITC – Most Important Terms and Conditions

MOE – Memorandum of Entry

MOP – Multi Option Payment

MSME – Micro, Small and Medium Enterprise

NBFC – Non-Banking Financial Company

NDTL – Net Demand and Time Liabilities

NEFT – National Electronic Fund Transfer

NOC – No Objection Certificate

NPS – National Pension System

NRE – Non-Resident External

NREGA – National Rural Employment Guarantee Act

NRO – Non-Residential Ordinary

OATD – Overdraft Against Term Deposit

OCR – Own Contribution Receipt

OS – Operating System

OSV – Original Seen and Verified

OTC – Over The Counter

OVD – Officially Valid Document

PAN – Permanent Account Number

PCMC – Product and Change Management Committee

PD – Post Disbursement

PL – Personal Loan

PO – Pay Order

POA – Power of Attorney

PSL – Priority Sector Lending

RAID – Redundant Array of Independent Disks

RBI – Reserve Bank of India

RBS – Risk Based Supervision

RMP – Risk Mitigation Plan

ROC – Registrar of Companies

ROI – Rate of Interest

RTGS – Real Time Gross Settlement

SB – Savings Bank Account

SDL – State Development Loan

SEBI – The Securities and Exchange Board of India

SEL – Small Enterprise Loan

SENP – Self Employed Non Professional

SEP – Self Employed Professional

SGL – Subsidiary General Ledger

SHG – Self Help Group

SIA – Standards on Internal Audits

SLA – Service Level Agreement

SME – Small and Medium Enterprise

SOD – Segregation of Duties

SOP – Standard Operating Procedure

SQL – Structured Query Language

SWIFT – Society for Worldwide Interbank Financial Telecommunications

TASC – Trust, Association, Society and Club

TAT – Turn Around Time

TD – Term Deposit

TDS – Tax Deducted at Source

TOD – Temporary Overdraft

TPP – Third Party Product

TSR – Title Search Report

TWL – Two Wheeler Loan

UAT – User Acceptance Testing

UCPDC – Uniform Customs & Practice for Documentary Credits

UPI – Universal Payment Interface

UV – Ultra Violet

UV lamp – Ultra Violet Lamp

ZH – Zonal Head