Pors 1 04-Dec-2012 Policy & Others
8/22/2019 Pors 1 04-Dec-2012 Policy & Others
DOS AND DON'TS FOR CONCURRENT AUDITORS (CA FIRMS)
Dos:
1. A pre-concurrent-audit study of the branch/department should be done, obtaining all relevant information and off-site surveillance reports of the auditee as stated in the engagement letter.
2. Prepare a proper audit plan based on 1 above, covering all the areas of the scope and keeping the timelines in view.
3. Have a structured introductory meeting with the auditee and seek all the information required in advance, with a proper time schedule. Introduce the audit team to the auditee officials.
4. The audit team should be accompanied by senior and experienced members as required.
5. Auditors should display team spirit and avoid misunderstandings/arguments in the presence of auditees.
6. Discuss findings with branch officials on a daily basis and try to rectify the defects then and there.
7. Give auditees a chance to express their opinion while discussing the issues. Getting a proper explanation in a co-operative atmosphere will save precious time.
8. In case of a difference of opinion with the auditee, the auditor should first discuss it with the leader of his team. Further discussion at a higher level may be held, if required.
9. In case the auditor comes across any information which causes him to suspect any element of fraud, gross negligence, gross incompetence or similar unfavourable actions or tendencies, he should report the matter to the leader of the team immediately.
10. The auditor should maintain utmost secrecy of the information/audit observations/issues etc. relating to the auditee.
11. Be courteous, cooperative and professional.
Don'ts:
1. The auditor should not have any professional or commercial relationship, either direct or indirect, with borrowers/beneficiaries of the branch/department which they are auditing, and should not have one in future, as far as possible, for a minimum period of three years.
2. The auditor should not take advantage of his association as concurrent auditor with the branch/department of the bank to canvass for any client/business with the bank, either directly or indirectly.
3. The auditor should not represent any client/customer of the bank for a minimum period of, as far as possible, three years after the completion of the term of the audit.
4. The auditor should not share/pass on/discuss any audit-related observations/issues/findings with anyone other than those concerned in the bank.
5. The auditor need not act overly reserved or unfriendly in order to maintain his independence as an auditing officer. A forbidding attitude on his part may well cause others to adopt the same attitude towards him. This can adversely affect the work entrusted to the inspecting officer.
6. The auditor should not get involved in heated arguments with the auditee.
7. The auditor should not give orders to the auditee; requirements should be sought from the officer assigned to assist him on a particular job. The concerned officer would issue the necessary orders to his employees if he accepts the inspector's suggestions and recommendations.
8. The auditor should not delay the submission of the audit report.
-- :: --
REPORT ON BRANCH PROFILE & EXECUTIVE SUMMARY
1. Branch Details
Branch: | Region Code:
ZO: | Area: Rural / Semi-urban / Urban / Metro | Date of Opening of the Branch:
Category: Small / Medium / Large / Very Large / ELB / IFB / SSI / Others
Name/s of EC / Sub-office / Satellite offices attached:
Designated for FX business (Yes / No):
Branch Mechanisation (ALPM / TBM / CBS):
Rating: Last Year: | Present Year:
2. Incumbents during the period under review:
Designation | Name | Grade | From | To
Branch Manager
Asst. Br. Manager
In-Charge (Credit)
3. Other Staff:
SN | Category | Current | Previous
1 Officers
2 Clerks
3 Attenders
Total
4. Details of Inspecting Officers:
Sl. No. | Name | Designation
Period Covered: From: | To:
Date of Commencement: | Date of Completion:
Mandays utilised: Present Audit: | Previous Audit:
Executive Summary
Important positive/ negative features noticed during Audit to be furnished in brief under the
following parameters
Branch | RO | ZO
Sr. No. | Parameter | Auditor's Finding
1. - Performance of the branch
Advances
Deposit
NPA
2. - Major findings of the inspections
3. - House Keeping
4. - Customer Service
5. - Statutory Compliance
6. - Systemic weakness
7. - Persisting irregularities
8. - Suggestions for improvement
Data Sheet
A) Advances:
1. Sector wise Classification
Sector | As on: (Limits | O/s | Overdue) | As on: (Limits | O/s | Overdue)
Agriculture
MSME
Retail loans
- Housing Loan
- Personal Loan
- Others
Corporate Loans
Others
Sensitive Sectors:
a) Real estate sector
b) Capital Market sector
c) Commodities sector
2. Individual Exposure (list top five/ten individual borrowers)
Name of the borrower | Sector | Limit | O/s | % of total exposure to total advances of the branch
3. Group Exposure (list top five/ten group borrowers)
Name of the Group | Limit | O/s | % of total exposure to total advances of the branch
4. Industry wise Classification (relevant for corporate branches)
Sl. No. | Industry | Limit | O/s | % of O/s to total gross exposure
1 Textiles
2 Paper & Paper Products
3 Chemicals & Chemical Products
- Fertilizer
- Drugs & Pharmaceuticals
- Petrochemicals & others
4 Iron & Steel
5 All Engineering
6 Gems & Jewellery
7 Construction
8 Infrastructure
- Power
- Telecommunication
- Roads & Ports
- Others
9 Petroleum
10 Cement & Cement Products
11 NBFCs including MFIs
12 Film Industry
5. Secured / Unsecured Advances
Particulars | Limit | O/s | Overdue | % to total exposure
1 Total Secured Exposure
2 Total Unsecured Exposure
Total Exposure
% of unsecured exposure to total exposure
6. Non fund based business:
Particulars | Limit | O/s | % of exposure to total exposure
LC
BG
Other
Total non-fund based exposure
Particulars | No. | Amount
BG issued during the review period
Total turnover of BG issued
LC issued during the review period
Total turnover of LC issued
BG invoked
LC devolved
% of BG invoked to total turnover of BG
% of LC devolved to total turnover of LC
% of BG invoked to O/s of BG
% of LC devolved to O/s of LC
7. Time barred debts.
a) Total no. of AODs pending for obtention as on
b) Amount involved in pending AODs as on date of inspection
c) Total no. of AODs and amount involved pending at the time of previous inspection
d) No. of cases where documents are expiring within next 3/6 months
e) % of time barred debt to Total NPA.
8. Rating wise Classification of Advances.
a. Internal rating wise
Rating grade | As on: No. of borrowers | Limit (FB | NFB) | O/s (FB | NFB) | % of composition | As on: No. of borrowers | Exposure (FB | NFB) | O/s (FB | NFB) | % of composition
1
2
3
4
5
6
7
8
9
10
Total
Total Low Risk
Total Medium Risk
Total High Risk
b) Report on borrowers not rated by approved external rating agencies (in applicable cases only)
No. of unrated borrowers | Limits | O/s | % of exposure to unrated borrowers to total advances
Total
c) Internal rating not carried out based on latest financials, in applicable cases
No. of unrated borrowers | Exposure to unrated borrowers | % of exposure to unrated borrowers to total advances
9. Income Leakage: Details of seepage of income detected in various audits since last RBIA
Particulars | Detected in other various inspections | Seepage of income detected | Total | % to total seepage detected | Seepage of income pending for recovery
Applicable ROI is not charged
Prescribed processing, inspection charges and other service charges are not collected
Penal interest / additional interest is not charged for
- Overdue loans
- Stock statements, QIS, financial statements
- Delay in submission of renewal proposal
- Non creation of mortgage, adhoc limit etc.
Processing charges are not collected at the time of annual review/renewal
Income Leakage in Forex Business
ROI on Deposit
Other
Total Seepage Detected
% of seepage of income detected to total business
Total seepage of income detected in previous inspection/review period.
Increasing / decreasing
B) 1) NPA Management
Particulars | As on: (Amount | % to Gross NPA) | As on: (Amount | % to Gross NPA) | Increase/Decrease (Amount | %)
a) Standard Assets
b) Special Mention (out of A)
c) Substandard Assets
d) Doubtful Assets - up to 1 year
e) Doubtful Assets - 1 to 3 years
f) Doubtful Assets - above three years
g) Loss Assets
h) Total NPAs (Gross)
i) % of NPAs to Total Advances
j) Provisions made for NPAs
k) Understatement of provisions
l) % of provision to Gross NPA
m) Net NPA
n) % of Net NPA to Total Advances.
o) NPA more than 2 years (Chronic)
p) % of chronic NPA to total NPA
q) % of SMA to total Standard Advances
r) Fresh NPAs added & Quick Mortality
1. Fresh NPAs added - number & amount involved
2. Out of fresh NPAs - quick mortality cases - number and amount.
3. % of quick mortality cases to sanctions made during the review period.
s) Recovery of NPA
t) Accounts covered under SARFAESI Act
C) No. of accounts where notices issued under SARFAESI Act
D) No. of cases where notice issued, possession not taken
E) No. of cases where possession taken but not auctioned.
u) Up gradation of NPA to Standard
1. No. of accounts upgraded to Standard Assets and amount involved during the review period.
2. % of up gradation to total NPA
v) Written Off accounts and their recovery
1. No. of written off accounts and amount involved.
2. Amount of written off accounts
w) Restructured Accounts/CDR
1. No. of accounts restructured
2. Amount involved in restructuring
x) OTS
1. No of cases and amount involved in
OTS
2. Amount of waiver.
3. % of waiver to Total amount.
4. No. of account where payments of OTS
is not forthcoming as per term of OTS.
y) Other
2) Sectoral Concentration of NPA
a) Product wise.
Sector | As on: (Limits | O/s | Overdue) | As on: (Limits | O/s | Overdue)
Agriculture
MSME
Retail loans
- Housing Loan
- Personal Loan
- Others
Corporate Loans
Others
Sensitive Sectors:
a) Real estate sector
b) Capital Market sector
c) Commodities sector
C) Deposits
Particulars | As on: (No. of a/c | Amount) | As on: (No. of a/c | Amount)
1. SB
2. CA
3. Term liabilities
4. Total
5. Low Cost Deposits
6. % of low cost deposit to total deposits
7. Inoperative account
8. Risk categorization of customers
- Low Risk
- Medium Risk
- High Risk
D) Non Interest Income:
Particulars | As on: | As on:
a) Non-interest Income
- Processing charges and upfront fees
- Commission, exchange and brokerage
- Service charges
- Income from forex transactions
- Income from govt. business
- Other income
b) % increase/decrease over previous year
c) % of non-interest income in total income
E) Frauds
Particulars | As on: (No. | Amount | %) | As on: (No. | Amount | %)
a) Frauds detected during the review period
b) Nature of fraud
1. Misappropriation and criminal breach of trust.
2. Fraudulent encashment
3. Loan related frauds
4. Unauthorized credit facilities for reward/gratification
5. Negligence and cash shortages
6. Cheating and forgery
7. Irregularities in foreign exchange transactions.
8. Other.
Total
c) Perpetrator-wise
1. Staff
2. Customer
3. Outsiders
4. Staff and customer
5. Customer and outsider
6. Staff, customer & outsider.
d) Detection
1. Within 3 months
2. Within 6 months
3. Within 12 months
4. After 1 year
e) Whether staff accountability examined.
F) Impersonal Accounts
Head of A/c | Upto 1 month (No. of Entries | Amt) | 1 month to less than 3 months (No. of Entries | Amt) | 3 months to less than 6 months (No. of Entries | Amt) | Above 6 months (No. of Entries | Amt) | Total
Suspense A/c
Parking GL
End Point
Branch Adjustment / inter branch transfer etc.
Sundry deposits/assets
Capital Expenditure Adjustment
Accounts with other banks - unreconciled items
TT paid/payable account
Other
Total
G) Inspections conducted during the review period:
SL No | Inspection type | Closure time of report (as per guidelines) | Date/month of: Audit | Submission | Rectification | Closure | Remark on delay in rectification, level of rectification etc.
1 Previous RBIA
2 Concurrent audit (month)
3 Credit Audit
4 IS Audit (ALPM/TBM/CBS)
5 RBIA
6 RBI inspection
7 Statutory Audit
8 Other
H) Complaints
Particulars | During previous inspection review period (No. | % to total) | During present inspection review period (No. | % to total)
No. of complaints received
Nature of complaints
- Deficiency in service
- Loans related
- Rude behaviour of Manager/staff
- Alleged wrongful debits to their accounts
- Charging excess interest/commission/service charges
- Alleged wrongful dishonour of cheques
- Disputed ATM transactions
- Others
Total
OFFSITE SURVEILLANCE REPORT / SYSTEM GENERATED REPORTS
SGR | Related Department | Area of Operations | Section/Audit | Frequency | Report
1 | Accounts Dept | Cash | OMU* | Daily | Days on which cash retention limit has been exceeded
2 | Inspection Dept/AML | Cash | CA** | Weekly | Accounts in which there were more than 10 cash deposits during the week
3 | Inspection Dept/KYC | Cash | CA | Weekly | Cash deposits between Rs. 40000 and Rs. 50000
4 | Accounts Dept | Deposit | CA | Monthly | Dormant accounts which need to be transferred to CO
5 | Accounts Dept | Deposit Acs | CA | Daily | Dormant accounts where transactions have taken place
6 | Accounts Dept | Control | OMU | Monthly | List of long pending items in Sensitive and Reconciliation General Heads
7 | Accounts Dept | Remittance | CA | Weekly | DD/PO issued against deposit of cash, arranged according to the name of the purchaser
8 | Department of Information Technology | IT | OMU | Weekly | List of unsuccessful logins
9 | Department of Information Technology / Human Resource Department | IT | OMU | Daily | List of staff members who are on leave but under whose login ID transactions have been input/verified
10 | Department of Information Technology / RO | Credit | CA | Daily | New advances accounts not opened properly in the system (whether all fields in the customer master are input and the sanctioned limit is input correctly)
11 | Department of Information Technology / RO | Deposit Acs | CA | Daily | New deposit accounts opened, category wise (Current, Savings, FD, RD, with NRE/NRO/FCRA accounts marked). Also indicate fields in account master left blank
12 | Inspection Dept | Control | CA | Weekly | All manual debits to expense accounts
13 | Inspection Dept | Control | CA | Weekly | All manual debits to income accounts
14 | Inspection Dept / RO | Credit | OMU | Weekly | Current Accounts and Savings Accounts without OD limit in which TODs were permitted more than three times during the quarter, including TOD, if any, outstanding (separate reports for Current and Savings accounts)
15 | Inspection Dept / RO | Deposit | OMU | Monthly | Debit transactions in No Frill Accounts exceeding Rs. 10000 in a month
16 | Inspection Dept | Deposit | OMU | Yearly | Credit transactions in No Frill a/cs exceeding Rs. 100000 in a year
17 | Inspection Dept / Accounts Dept / RO | Deposit Acs | CA | Weekly | Debits in inactive accounts
18 | Inspection Dept / RO | Deposit Acs | CA | Weekly | Debit balances in Savings / Current accounts
19 | Inspection Dept | Transactions | CA | Weekly | Entries reversed
20 | Inspection Dept | Transactions | CA | Daily | Transactions with value date prior to date of transaction
21 | Inspection Dept | Transactions | CA | Weekly | List of all high value transactions - Cash, Clearing, Transfer - separately
22 | Inspection Dept | Controls | OMU | Daily | List of staff accounts with unusual or high value transactions
23 | Accounts Dept | Control | OMU | Daily | List of credits to NEFT/RTGS suspense outstanding beyond a day
24 | Recovery Dept | Credit | CA | Weekly | Accounts which were upgraded from substandard to standard status
25 | Recovery Dept | NPA | OMU | Monthly | List of accounts which should have been marked as NPA but have not been
26 | RO - Credit Monitoring Cell | Credit | CA | Weekly | List of all new guarantees issued
27 | RO - Credit Monitoring Cell | Credit | OMU | Daily | Cash Credit / Overdraft / Bill Purchase / Packing Credit / Guarantees / LC accounts in which balance exceeded the drawing limit (separate report for each type of account to be generated)
28 | RO - Credit Monitoring Cell | Credit | OMU | Monthly | Exceedings in sanctioned limits
29 | RO - Credit Monitoring Cell | Credit | OMU | Daily | Advances accounts (OD, CC, Loan, BP, BD, BN, PC and Cheque Purchase) irregular/overdue
30 | Risk Management Dept / RO-RMC | Credit | OMU | Weekly | Guarantees expired
31 | Risk Management Dept / RO-RMC | Credit | OMU | Weekly | Guarantees invoked
32 | RO - Credit Monitoring Cell | Credit | OMU | Monthly | Accounts in which stock statements / uploading of drawing limit is overdue, arranged age wise
33 | RO - Credit Monitoring Cell | Credit | OMU | Weekly | Credit accounts in which limits have expired
34 | Risk Management Dept / RO | Credit | OMU | Monthly | List showing unusual growth in advances (number of accounts and amount) - spurt in advances
35 | RO | Cheque Collection/Purchase | OMU | Monthly | Cheques/DDs/Bills purchased returned unpaid
36 | RO | Cheque Collection/Purchase | CA | Monthly | List of all cheque purchases (Inland/Foreign separately)
37 | RO - Credit Monitoring Cell | Credit | OMU | Weekly | Cash Credit accounts with turnover during the quarter less than the sanctioned limit
38 | RO - Credit Monitoring Cell | Credit | OMU | Weekly | Cash Credit accounts with cash withdrawals in excess of 10% of the sanctioned limit
39 | Inspection Dept / RO | Credit | CA | Monthly | List of new/renewed credit accounts in which proposal processing charges have not been recovered
40 | Inspection Dept | Credit | OMU | Weekly | Advances accounts in which interest rate code is "0"
41 | RO - Credit Monitoring Cell | Credit | OMU | Weekly | Credit accounts in which insurance has expired
42 | Special Mention Account Dept / RO | Credit | OMU | Monthly | Loan accounts in which installments are falling due within the next 15 days
43 | RO - Credit Monitoring Cell | Credit | CA | Monthly | Loans granted against FDs
44 | RO - Credit Monitoring Cell | Credit | CA | Weekly | New advances accounts opened, category wise
45 | RO - Credit Monitoring Cell | Credit | CA | Monthly | List of all fresh Packing Credits disbursed
46 | RO-RMC | Credit | CA | Weekly | FD accounts from which lien marking has been removed
47 | RO-RMC | Credit | CA | Weekly | FDs matured but lien marking continues
48 | RO - Credit Monitoring Cell | Credit | CA | Weekly | Accounts in which date of expiry of insurance has been changed
49 | RO - Credit Monitoring Cell | Credit | CA | Weekly | Accounts in which drawing limit has been changed
50 | Inspection Dept | Credit | CA | Weekly | Accounts in which rate of interest has been changed
51 | Inspection Dept | Credit | CA | Monthly | Drawing limits entered with back value
52 | Inspection Dept / RO | Deposit | OMU | Weekly | Current Accounts without OD limit and debit balance (TOD) outstanding for more than 15 days at the close of the month
53 | Inspection Dept | Deposit | OMU | Weekly | Overdue FDs
54 | Department of Information Technology | Deposit | OMU | Weekly | Savings/Current Accounts/Cash Credit in which signature has not been scanned
55 | AML Cell | Deposit | OMU | Weekly | Deposit accounts opened and closed within 6 months
56 | AML Cell | Deposit | OMU | Daily | Savings and Current accounts which were opened less than six months ago in which there are high value transactions
57 | Inspection Dept | Deposit/Credit | OMU | Monthly | Deposit and Advances accounts in which interest rate has been modified (separate for deposits and advances)
58 | Inspection Dept | Deposit Acs | OMU | Weekly | Savings/Current/Advances accounts with blank interest flag
59 | RO-RMC | Deposit Acs | CA | Weekly | List of accounts of minors who have attained majority during the month
60 | RO - Planning Dept | Deposit Acs | CA | Weekly | List of welcome kit accounts activated with name of customer left blank
61 | Risk Management Dept / RO-RMC | Forex | OMU | Weekly | LCs devolved
62 | Inspection Dept | Forex | CA | Weekly | Charges collected on LC/BG/Bills in branches designated for Foreign Exchange Transactions
63 | Treasury - Non Resident Deposit Cell | Forex | OMU | Weekly | FCNR deposits renewed after 14 days after maturity
64 | Treasury - Non Resident Deposit Cell | Forex | CA | Weekly | Debits and credits in NRE, NRO and FCNR accounts
65 | RO - Credit Monitoring Cell | Forex | CA | Weekly | List of all new LCs issued (Inland/Foreign separately)
66 | RO - Credit Monitoring Cell | Forex | CA | Weekly | List of all Bills Purchased/Discounted/Negotiated (Inland/Foreign separately)
67 | RO - Credit Monitoring Cell | Forex | CA | Weekly | List of LCs advised
68 | Treasury | Forex | CA | Weekly | List of foreign outward remittances
69 | Treasury | Forex | CA | Weekly | List of foreign inward remittances
70 | Treasury | Forex | CA | Weekly | List of export bills on collection/purchase/negotiation
71 | Treasury | Forex | CA | Weekly | List of import bills
72 | RO-RMC | Forex | CA | Weekly | List of LCs opened
73 | Treasury | Forex | CA | Weekly | List of EEFC transactions
74 | Inspection Dept | Remittance | CA | Weekly | List of DD/PO/RTGS/NEFT/cheque purchase/Bills/LCs/Guarantees in which charges collected are less than the charges calculated by the system
75 | Inspection Dept | Remittance | OMU | Weekly | More than 5 DDs/POs issued to the same purchaser
76 | RO-RMC | Remittance | CA | Weekly | Duplicate FD receipts printed
77 | RO-RMC | Remittance | CA | Weekly | Duplicate DD/PO printed
78 | RO - Credit Monitoring Cell | Credit | CA | Weekly | List of credit limits newly created/enhanced/modified with their validity
79 | Inspection Dept | Deposit Acs | OMU | Weekly | List of high value deposits of Rs. 50 lacs and above having a rate of interest different from the card rate
80 | Tax Cell | Statutory Compliance | CA | Weekly | Opening balance and debits to the account in all tax accounts - TDS, Service Tax etc.
81 | Tax Cell | Tax compliance | CA | Weekly | FDs with TDS exempt flag both at account level and customer master level (separately)
* Off Site Monitoring Unit
** To be used by Concurrent Auditor
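As an added illustration (not part of the bank's document or its CBS), the Python below implements five of the exception reports in the table above (SGR 2, 3, 9, 20 and 75) as rules run over a constructed set of journal entries; the record layout, field names and sample transactions are assumptions made for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    """One CBS journal entry (constructed layout, not the bank's schema)."""
    txn_id: str
    txn_date: date       # date on which the entry was keyed in
    value_date: date     # effective date carried by the entry
    account: str
    kind: str            # CASH_DEP, DD_ISSUE, TRANSFER, ...
    amount: int          # rupees
    user_id: str         # staff login ID that input the entry
    purchaser: str = ""  # DD/PO purchaser name, for DD_ISSUE only


def _in_week(t: Txn, week_start: date) -> bool:
    """True if the entry was keyed in the 7-day window starting at week_start."""
    return week_start <= t.txn_date <= week_start + timedelta(days=6)


def sgr2_frequent_cash_deposits(txns: list[Txn], week_start: date, min_count: int = 10) -> list[str]:
    """SGR 2: accounts with more than `min_count` cash deposits during the week."""
    counts = Counter(t.account for t in txns if t.kind == "CASH_DEP" and _in_week(t, week_start))
    return sorted(acct for acct, n in counts.items() if n > min_count)


def sgr3_cash_deposits_in_band(txns: list[Txn], low: int = 40_000, high: int = 50_000) -> list[str]:
    """SGR 3: cash deposits between Rs. 40,000 and Rs. 50,000 (inclusive)."""
    return [t.txn_id for t in txns if t.kind == "CASH_DEP" and low <= t.amount <= high]


def sgr9_entries_under_absent_staff(txns: list[Txn], leave: dict[str, set[date]]) -> list[str]:
    """SGR 9: entries input/verified under the login ID of a staff member on leave that day."""
    return [t.txn_id for t in txns if t.txn_date in leave.get(t.user_id, set())]


def sgr20_back_value_dated(txns: list[Txn]) -> list[str]:
    """SGR 20: transactions whose value date is prior to the date of transaction."""
    return [t.txn_id for t in txns if t.value_date < t.txn_date]


def sgr75_repeat_dd_purchasers(txns: list[Txn], week_start: date, max_count: int = 5) -> list[str]:
    """SGR 75: purchasers to whom more than `max_count` DDs/POs were issued in the week."""
    counts = Counter(t.purchaser for t in txns
                     if t.kind == "DD_ISSUE" and t.purchaser and _in_week(t, week_start))
    return sorted(p for p, n in counts.items() if n > max_count)


def run_weekly_reports(txns: list[Txn], leave: dict[str, set[date]], week_start: date) -> dict[str, list[str]]:
    """Run the five exception reports above for one audit week."""
    return {
        "SGR2": sgr2_frequent_cash_deposits(txns, week_start),
        "SGR3": sgr3_cash_deposits_in_band(txns),
        "SGR9": sgr9_entries_under_absent_staff(txns, leave),
        "SGR20": sgr20_back_value_dated(txns),
        "SGR75": sgr75_repeat_dd_purchasers(txns, week_start),
    }


# --- constructed sample data (not real bank records) ---------------------------
WEEK = date(2012, 12, 3)  # Monday of the constructed audit week


def day(n: int) -> date:
    return WEEK + timedelta(days=n)


SAMPLE_TXNS: list[Txn] = [
    # eleven cash deposits into one SB account within the week (trips SGR 2)
    *[Txn(f"C{i:03d}", day(i % 6), day(i % 6), "SB-1001", "CASH_DEP", 5_000, "clerk01") for i in range(11)],
    # one cash deposit inside the Rs. 40,000-50,000 band (trips SGR 3)
    Txn("C100", day(1), day(1), "SB-2002", "CASH_DEP", 48_500, "clerk02"),
    # transfer keyed under officer07's login while officer07 is on leave (trips SGR 9)
    Txn("T200", day(2), day(2), "CA-3003", "TRANSFER", 120_000, "officer07"),
    # value date three days before the date of entry (trips SGR 20)
    Txn("T201", day(4), day(4) - timedelta(days=3), "CA-3004", "TRANSFER", 75_000, "clerk02"),
    # six DDs to the same purchaser in one week (trips SGR 75); one DD to another purchaser does not
    *[Txn(f"DD{i}", day(i % 5), day(i % 5), "DD-PAYABLE", "DD_ISSUE", 9_000, "clerk03", "R. Sharma") for i in range(6)],
    Txn("DD9", day(3), day(3), "DD-PAYABLE", "DD_ISSUE", 9_000, "clerk03", "A. Rao"),
]

# staff leave register: login ID -> dates on leave (constructed)
SAMPLE_LEAVE: dict[str, set[date]] = {"officer07": {day(2), day(3)}}

if __name__ == "__main__":
    for report, hits in run_weekly_reports(SAMPLE_TXNS, SAMPLE_LEAVE, WEEK).items():
        print(f"{report}: {hits}")
```

Each rule returns the identifiers a concurrent auditor would take to the branch for verification; the thresholds are the ones stated in the table and are parameters so a unit can tighten them.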
Weekly Concurrent Audit Report
To be submitted to the Branch Manager as soon as the weekly audit is over.
Concurrent Audit Branch:
Weekly Report for the period ____________ to ____________ Date of report:____________
Department | Irregularity/Deficiency Observed | Branch Comment | Date & Sign
To be submitted to the Controlling Office by the 15th of the next month
Concurrent Audit Branch:
Monthly Report of pending irregularities/deficiencies observed during the month ended ____________ Date of report:____________
Department | Irregularity/Deficiency Observed | Branch Comment | Date & Sign
Certificate
We confirm having audited all the areas/processes/activities marked as High Risk in the audit check list. We also confirm that we have adhered to the
periodicity and coverage indicated in your instructions to us.
A copy of the report has been handed over to the Branch Manager for taking necessary action.
Signature
To be submitted to the Controlling Office within 15 days of the close of the quarter.
Concurrent Audit Branch:
Quarterly Report of recurring irregularities for the period ____________ to ____________ Date of report: ____________
Department | Irregularity/Deficiency Observed | Action Recommended | Action Initiated (To be filled in by CO)
Key Audit Findings and Monitorable Action Plan
KEY AUDIT FINDINGS | Amt involved (Rs. Crores) | % to Credit Portfolio | MONITORABLE ACTION PLAN RECOMMENDED
A CREDIT
1
2
3
4
5
6
7
8
9
10
B NPA MANAGEMENT
1
2
3
4
5
6
7
8
(Not more than 10 comments for Credit, NPA Management, Forex and not more than 5 comments for other areas. It is not necessary to have Key Audit Findings in each of the areas. This being a report for the use of Senior Management, only very serious irregularities
9
10
C DEPOSITS
1
2
3
4
5
D CASH MANAGEMENT
1
2
3
E REMITTANCE
1
2
3
Etc
Check List to IT Procedure
SL NO | ASSESSMENT AREA
1 IT ENVIRONMENT RISK
A LEGAL RISK
Systems do not have any unauthorized software
Records in electronic and paper based format are
Branch is in a position to furnish the historical data of a customer for legal purposes at times of need
Necessary archival is maintained in a secure media and preserved (CD cutting of ledger reports in respect of ALPM/TBM modules).
B ORGANISATION RISK
All the staff in the Branch are formally trained in CBS operations (if not, furnish the list of employees not trained)
Jobs assigned to staff have been properly defined and segregated
A second-in-line trained System Administrator is available in the branch to take up the duty of System Administrator in the absence of the assigned System Administrator
C ENVIRONMENTAL SECURITY
Server room is not prone to risks like water seepage, flood, fire or magnetic interference
Branch Server is being maintained in a dust free and temperature controlled environment
Systems are maintained neatly/dust-free
Eatables and drinks are prohibited in the server room
Photography/video equipment and mobile phones are prohibited in the server room
Server room is kept rodent free
Terminals/nodes outside the server room are switched off when persons are not working
Physical access to server room is restricted to authorized persons/identified vendor personnel
Physical access to server room is closely monitored
Server room is kept locked before the branch personnel leave the office in the evening
Server is housed sufficiently away from UPS room/batteries but close enough to be monitored by the System Administrator
D ELECTRICAL LINES
Electrical wiring is concealed and is not hanging from ceilings or nodes
Power supply to the computer systems is provided through UPS only
Power supply to access control equipment of server room is provided through UPS only
E DATA CABLING AND CONNECTIVITY
Electric cable and data cable do not cross each other
Leased line connecting cable to the Branch Server is secure and protected from tampering
Data cables are properly labeled for identification
Data cabling is secure and no loose data cables are observed
Redundant communication lines like ISDN are provided
Connectivity is automatically switched over to ISDN in case of leased line failure
FIRE PROTECTION
Fire extinguishers are fitted at strategic points, viz. server room and UPS room
Refilling of fire extinguishers is done before the expiry date
Branch personnel are aware of the fire extinguisher usage procedures
Smoke detectors are installed in the business hall and server room
Smoke detectors are tested for their satisfactory working
2 IT OPERATIONS RISK
A SYSTEMS SECURITY
The stock of hardware has been reconciled
Hardware noted in Asset Register
All hardware is covered under Warranty / Annual Maintenance Contract
Floppy drive is disabled in server
USB drive/s disabled in server and nodes
Devices such as Printer, Modem, Scanner etc. are not connected to the Server
Server/Nodes in CBS LAN are not connected to external networks / other networks
Boot sequence is changed to Hard Disk only in Server and nodes
No unnecessary shared drives/folders are present in the server
No unnecessary users/groups are present in the server and nodes
Guest and ILS_ANONYMOUS_USER users are disabled in server and nodes
Screen saver is set with password option in server and nodes
Screen savers provided by Microsoft/DIT only are used
All the Operating System software patches are applied in server, nodes and stand-alone PCs
Sufficient free space is available in all disk partitions in the server and other PCs.
IP Messaging, Dbase, MS Office, other applications relating to clearing, Ret2ABCD etc. do not exist in server
Developer 2000 and SQL Navigator are not installed in server and nodes.
Remote desktop sharing is disabled in server and nodes.
Usage of Net Meeting is recorded with particulars like purpose, duration, to whom given etc.
Branch Manager's authorization is obtained before the usage of Net Meeting.
Network components like Switch/Router etc. are kept securely.
Dial up modems are not connected in the network.
IP addresses used are in the range specified by DIT.
Only one node in a branch is entitled to route the IP messages to Data Center/Help Desk/DIT/other branches.
Quarterly back up of IP message log of the node used for routing messages is taken.
ANTI VIRUS
Anti-virus solution is implemented in CBS server, nodes and stand-alone PCs
Anti-virus solution is updated in CBS server, nodes and stand-alone PCs
Automatic full scanning for virus is scheduled in CBS server, nodes and stand-alone PCs
BACKUP / DISASTER RECOVERY PROCEDURES
INTERNAL AUDIT POLICY
Chapter | Details | Page No.
1 Preamble 3
2 Risk Based Supervision 7
3 Risk Based Internal Audit (RBIA) 7
4 Offsite Monitoring Cell / Similar Structure at Bank 8
5 Risk Based Internal Audit Policy 11
5.1 Functional Independence
5.2 Objectives of risk based internal audit
5.3 Organisation Structure of inspection system
5.4 Roles & Responsibilities
5.5 Types of Internal Audit
5.6 Coverage & Areas of Audit
5.7 Objectivity
5.8 Staffing
5.9 Selection of staff for audit system
6 Risk Based Internal Audit Strategy 19
6.1 Pre Audit requisite for auditor
6.2 Indexing of Products and Processes
6.3 Identification of Risk
6.4 Indication of Risk Level
6.5 Implementation of the Audit Plan based on Risk levels
7 Using the RBIA Methodology 22
7.1 At the annual audit planning stage
7.2 At the start of individual audits
7.3 At the end of the audit
8 The mechanics of Risk Assessment Module (RAM) 24
8.1 Guiding factors and information for development of a RAM
8.2 Developing the Risk Assessment Module (RAM)
8.3 Developing a scoring model based on the RAM
8.4 Distribution of total points
8.5 Weightages assigned to risk grading
8.6 Maximum achievable Risk scores
9 Rating under Risk Based Internal Audit 27
9.8 Branch Audit Rating under the RBIA Strategy.
9.9 Mapping of branch audit rating to risk level (control risk)
10 Identification of branch business risk 29
11 Audit Risk Matrix (ARM) 30
12 Audit Periodicity 30
13 Measures for Improvement 31
14 Corrective Action Plan CAP (indicative steps) 31
15 Scope and Extent of Checking 32
16 Audit reporting and follow up 33
16.3 Reporting Pattern
16.4 Structure of the Internal Audit Report
16.5 Grading
16.6 Spot Rectification
16.7 Follow up and compliance
17 Performance Evaluation 40
18 Resources 40
19 Outsourcing of Audit assignments under RBIA strategy 40
20 Standards for Internal Auditors 41
Appendices:
A Appendix-A: Guidance on Risk definitions 44
RISK BASED INTERNAL AUDIT POLICY
1. Preamble
Deregulation and globalization of financial services, together with the growing sophistication of financial technology, are making the activities of banks, and thus their risk profiles (i.e. the level of risk across the firm's activities/risk categories), more complex. Developing banking practices suggest that there are substantial risks the banks have to address other than credit risk, interest rate risk and market risk. The efficiency of every bank depends on how effectively it manages these risks. For this, it is essential to have in place effective risk management and internal control systems, which are crucial to the conduct of banking business, not only to run the bank more profitably but also to comply with prudential guidelines, for which a professional approach to risk management is a prerequisite.
Some of the growing risks faced by banks are technology risk, risks associated with mergers and acquisitions, legal risk, outsourcing risk, etc. These diverse risks can be grouped under the heading of operational risk. The Basel Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The Committee recognizes that the exact approach to operational risk management chosen by an individual bank will depend upon a range of factors, including its size and sophistication and the nature and complexity of its activities. Clear strategies and oversight by the Board of Directors and Senior Management, a strong operational risk culture and an internal control culture are all crucial elements of effective operational risk management.
The Basel Committee (1988), while setting out comprehensive core principles for effective banking supervision, spelt out the need for effective internal controls and internal audit. Thus the purpose of internal controls is to ensure that the business of a bank is conducted in a prudent manner in accordance with the policies and strategies established by the Bank's Board of Directors, and that the management is able to identify, assess, manage and control the risks associated with the business.
These controls must be supplemented by an effective audit function that independently evaluates the adequacy, completeness, operational effectiveness and efficiency of the control systems within the organization. Consequently the internal auditor must have the appropriate status within the bank and adequate reporting lines designed to safeguard his/her independence. The external audit can provide a cross-check on the effectiveness of this process. Banking supervisors must be satisfied that effective policies and practices are in place and that management takes appropriate corrective action in response to the internal control weaknesses identified by internal/external auditors. The Basel Committee, in its Framework for the Evaluation of Internal Control Systems, described the essential elements of a sound internal control system.

There is a need to reorient transaction-based internal audit to risk-focused internal audit, which should conduct a risk assessment of every activity and location of the Bank, including the risk management function, which has assumed greater importance.

Keeping in view the importance of risk management, and the role internal auditors have to play in ensuring proper risk management to safeguard the interest of the organization and ensure better corporate governance, the focus under risk-based internal audit will shift from full-scale transaction testing to risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment. Banks will, therefore, need to develop a well defined policy, duly approved by the Board, for undertaking risk-based internal audit. The policy should include the risk assessment methodology for identifying the risk areas on the basis of which the audit plan would be formulated. The risk-based policy should address frequency, prioritization, extent of checking, risk assessment/profiling of activities, functions and products and their updating, broadening of the risk classifications, etc. during the audit process.
Internal auditing - overview (diagram; not reproduced in this text)

Summary of the audit process (diagram; not reproduced in this text)
2. Risk Based Supervision
Reserve Bank of India, in its Monetary and Credit Policy for 2000-01, stated that it would be developing an overall plan for moving towards Risk-based Supervision (RBS). Subsequently, in August 2001, RBI came out with a discussion paper on moving towards RBS in which it spelt out the line of action contemplated in this regard (Circular No. DBS. /RBS/58/36.01.002/2001-02 dated 13th August 2001). RBS essentially entails allocating supervisory resources and paying supervisory attention in accordance with the risk profile of the bank: the frequency of supervisory inspection depends upon the risk profile of the bank. As one component of this approach, RBI suggested adoption of risk-focused internal audit by banks. Under the proposed RBS approach, the supervisory process would seek to leverage the work done by the internal auditors of banks.
3. Risk Based Internal Audit (RBIA)
RBI, vide its circular no. DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002, provided a guidance note on Risk Based Internal Audit. RBI advised banks to initiate necessary steps to review their current internal audit systems and prepare for transition to a risk-based internal audit system in a phased manner, keeping in view their risk management practices, business requirements, manpower availability, etc.

In the eyes of RBI, a sound internal audit function plays an important role in contributing to the effectiveness of the internal control system. The audit function should provide high quality counsel to management on the effectiveness of risk management and internal controls, including regulatory compliance by the bank. Historically, the internal audit system in banks has concentrated on transaction testing, testing of the accuracy and reliability of accounting records and financial reports, the integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements. In the changing scenario, such testing by itself would not be sufficient. There is a need for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in banks. To achieve these objectives, RBI advised banks to gradually move towards risk-based internal audit, which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in the various areas of a bank's operations. The implementation of risk-based internal audit means that greater emphasis is placed on the internal auditor's role in mitigating risks. While focusing on effective risk management and controls, in addition to appropriate transaction testing, risk-based internal audit not only offers suggestions for mitigating current risks but also anticipates areas of potential risk and plays an important role in protecting the bank from various risks. Risk-based internal audit undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan, keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring those inherent risks. It needs to be emphasized that, while formulating the audit plan, every activity/location of the bank, including the risk management function, should be subjected to risk assessment by the risk-based internal audit. Banks were, therefore, advised to develop a well-defined policy, duly approved, for undertaking risk-based internal audit. The policy should include the risk assessment methodology for identifying the risk areas on the basis of which the audit plan would be formulated. The policy should also lay down the maximum time period beyond which even low risk business activities/locations should not remain unaudited. Certain benefits are expected to accrue to the organization from the risk-based audit approach due to the shift in the approach to audit. The changes generally expected compared to the traditional approach are tabulated in 4.1 below, to add clarity in understanding the RBIA approach recommended by regulators everywhere.
4. Off Site Monitoring Cell/ Similar Structure at Bank
Banks should set up a proper off-site monitoring cell in the Audit Department, or a similar structure. The cell/structure should review the structured MIS on critical items and sensitise the Controlling Offices and Branches/Departments for corrective action on a daily basis. The cell should also sensitise Top Management on serious irregularities, if any, on the spot. To make optimum use of technology, the Bank should consider various system-generated reports for monitoring/controlling the operations of branches. The frequency of these reports may be daily, weekly, monthly or quarterly.
4.1 Variance between the traditional method of audit and risk based internal audit:

Audit sphere
- Traditional method: Primarily financial areas, but also covering compliance with laws and regulations, and operations.
- Risk based audit: All activities of the business.

Audit objective
- Traditional method: Confirm that internal controls are operating; improve efficiency.
- Risk based audit: Provide assurance on risk management and that risks are being mitigated to acceptable levels through internal controls that are adequate and that work.

Annual plan
- Traditional method: Cyclical plan of audits, not necessarily dependent on risk levels.
- Risk based audit: Audits prioritized on risk ranking.

Involvement of the rest of the organisation
- Traditional method: Minimal. May approve the audit plan and be involved at the end of an audit to agree the points found.
- Risk based audit: Involved at all stages of planning and the audit, since they own the risks and must provide assurance to the stakeholders.

Staff plan
- Traditional method: One audit allocated to one or more staff.
- Risk based audit: More risk focused.

Time budgets
- Traditional method: Easy to set, since the audit has usually been done before.
- Risk based audit: Difficult to set. May be a first-time audit, or one where systems have changed.

Fieldwork and testing
- Traditional method: Based on a set work programme, where there may be no clear objective set, just tests to carry out.
- Risk based audit: Ensures the organisation has identified all its risks and is controlling them.

Report
- Traditional method: Confirms that internal controls are operating and reports where they are not.
- Risk based audit: Provides assurance to management that its risks are being kept within the accepted levels or mitigated to acceptable levels, and reports if they are not.

Annual report to the Board / Audit Committee
- Traditional method: Confirms that the audit plan has been completed, and highlights controls not operating. Cannot give any indication of the proportion of significant risks covered.
- Risk based audit: Provides assurance that the significant risks across the organisation are being mitigated to acceptable levels and reports where they are not. Can give an indication of the proportion of risks covered.

Staffing
- Traditional method: Usually persons having field knowledge and experience, and professional auditors.
- Risk based audit: Risk appreciation skills are a must. Should be able to identify the weak links, evaluate the controls in place and anticipate the likelihood of occurrence. Self-motivated, experienced staff used to working with senior management. May be specialists who are not accountants, and may be seconded.

Direction indicators
- Traditional method: Generally each audit assignment is considered in isolation, except for listing out the persisting deficiencies from past reports.
- Risk based audit: Since risk based audit is a continuous process, the direction of risk is always one of the evaluation criteria. Gives significant importance to the direction of risk, which is a pointer towards the effectiveness of the risk management put in place.
5. Risk based internal audit policy
The Bank has been following a risk-oriented approach to internal audit. Observations are classified as low, medium or high risk, and ratings are based on these risk levels. The risk-based policy will focus on frequency, prioritization, extent of checking, risk assessment/profiling of activities, functions and products and their updating, broadening of the risk classifications, etc. during the audit process. The basic rationale behind the policy guidelines enshrined hereunder is to ensure that high-risk areas are looked into more frequently and with wider examination than low-risk areas. It is akin to the ABC analysis approach in inventory control.
5.1 Functional Independence
5.1.1 As envisaged in the guidelines issued by Reserve Bank of India, the Internal Audit Department should be independent of the internal control process in order to avoid any conflict of interest, and should be given the appropriate standing within the bank to carry out its assignments. This independence will be maintained by the department while carrying out audits under the risk-based approach as well.
5.2 Objectives of Risk Based Internal Audit:
5.2.1 To contribute to the Bank's responsibilities in preparing itself for the move towards Risk Based Supervision (RBS), in so far as adoption of risk-focused internal audit is concerned.
5.2.2 To put in place a risk assessment methodology which, amongst other things, would enable development of independent risk assessments, capture the application and effectiveness of risk management procedures, and assist critical evaluation of internal control systems for formulation of a risk-based audit plan, ensuring deployment of audit resources according to the risk profiles of the auditee units.
5.2.3 To provide a basis for risk audit scoring of the auditee units based on evaluation of their risk profiles, risk management and control procedures, and the results of any substantive audit tests/procedures performed by the auditor.
5.2.4 To enable internal audit to serve as an independent, objective assurance and consulting activity.
5.2.5 To define and design a suitable risk-based internal audit strategy commensurate with the underlying risks, organizational structure and implementation needs. The scope of internal audit shall encompass the examination and evaluation of the adequacy and effectiveness of the Bank's system of internal control and the quality of performance in carrying out assigned responsibilities.
5.3 Organization Structure of Inspection System:
5.3.1 Internal audit shall be independent of the activities it audits. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. This independence shall be achieved through organizational status and objectivity.
5.3.2 The organizational status of the internal audit department shall be sufficient to permit the accomplishment of its audit responsibilities.
5.3.3 The ideal organization structure for the inspection system comprises the Audit Committee of the Board (ACB), the Audit Committee of Executives (ACE) and the Inspection/Audit Department (IAD).
5.4 Roles and Responsibilities:

a) Audit Committee of the Board (ACB)

It oversees the overall Internal Audit function of the bank. The committee will guide the development of effective internal audit, concurrent audit, IS audit and all other inspection and audit functions for protecting the assets of the bank. The committee will monitor the functioning of the Audit Committee of Executives and the inspection/audit department in the bank.

b) Audit Committee of Executives (ACE) / Zonal Audit Committee of Executives (ZACE)

i. The Committee suggests that all PSBs should form an Audit Committee of Executives (ACE) headed by the Head of Audit (IA&A), with the General Manager (Risk) and two other General Managers as members. Large banks with many branches can have Zonal Audit Committees of Executives (ZACE) with similar composition at a lower level, the composition of which would be approved by the CMD. If so required, officers of the auditee verticals/departments and other officers in IAD shall attend the ACE meetings for selected agenda items.
ii. ACE/ZACE should meet a minimum of six times a year, and at least once in each quarter, with a minimum quorum of four members. The ACE and ZACE will work under the guidance of the ACB, and all minutes of the ACE and ZACE should be put up to the ACB.
iii. The ACE is authorized and empowered to approve/ratify changes/amendments in the scoring pattern, rating parameters and reporting formats.
iv. Critical findings of all Very High Risk audit reports (below 40% marks) should be put up to the ACB. Banks may also consider putting up to the ACB the reports of High Risk branches (at least the critical findings in the reports of High Risk branches). Other reports should be put up to the ACE and ZACE. However, closure of such reports can be done by the CGM, Inspection/Audit Department. The responsibilities of the ACE shall include:
- Reviewing the scope and nature of the work of the IAD, and reviewing internal audit reports and compliance thereof;
- Review of the significant findings arising from all internal audit reports, including concurrent and Information System (IS) audit reports;
- Review and recommendation of the Annual Risk Based Audit Plan of the Bank to the ACB for consideration and approval;
- Review of the progress of audits vis-à-vis the audits scheduled under the approved Annual Audit Plan;
- Review and revision of existing Risk Assessment Models (RAM), and adoption of new RAMs for different verticals;
- Review of coverage/areas of the various types of audit;
- Review of audit reports/check lists;
- Review of the various audit policies;
- Reporting the significant findings of audit reports, and other matters as required, for the consideration of the ACB.
c) Inspection/Audit Department (IAD)

i. Policy formulation in respect of the inspection function, keeping in view Reserve Bank of India/Government of India guidelines and the observations made by RBI Inspectors during their inspection of the Bank.
ii. Placing notes before the Top Management and the Audit Committee of the Board on a periodic basis.
iii. Drawing up the Annual Action Plan for inspection of branches and functional departments, and placing it for approval before the ACE and ACB.
iv. Regular monitoring of the Annual Action Plan, ensuring that audits are conducted as per the periodicity specified in the audit policy.
v. Ensuring that the requisite number of internal staff for carrying out/fulfilling the Annual Action Plan of audit, the required infrastructure and the necessary arrangements are in place.
vi. Selection of internal staff for audit/inspection, appointment of concurrent auditors and review of their performance.
vii. Evaluating the internal audit system/concurrent audit system.
viii. Monitoring the inspections conducted at various branches/offices by RBI u/s 35 of the Banking Regulation Act and under FEMA.
ix. Review of audit reports and initiation of necessary action.
x. Monitoring of pending inspection/audit reports and ensuring timely closure.
xi. Undertaking investigations covering staff accountability in the case of complicated fraud cases, credit irregularities, transgression of powers, etc., and appraising the Competent Authority of the findings.
xii. Providing the necessary guidelines for conducting inspection of the various offices/locations of the Bank, and ensuring proper implementation of these guidelines.
xiii. Updating the structured formats for inspection/audit.
xiv. Updating the Inspection Manual/Kit for the use of inspecting officials.
xv. Issuing guidelines/instructions from time to time on preventive aspects of irregularities and risk mitigation measures.
xvi. Arranging for the internal and institutional training needs of the personnel.
xvii. Maintaining data on branch risk, carrying out rating migration analysis and initiating necessary action.
xviii. Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify and report such information. To this end internal auditors shall examine information systems and ascertain whether: (a) financial and operating records and reports contain accurate, reliable, timely, complete and useful information; (b) controls over record keeping and reporting are adequate and effective.
5.4.1 Internal auditors shall also be responsible for:
(i) assisting in the deterrence of fraud by examining and evaluating the adequacy and effectiveness of controls, commensurate with the extent of the potential exposure/risk in the various segments of the Bank's operations. In carrying out this responsibility internal auditors shall determine whether:
(a) the organizational environment fosters control consciousness;
(b) appropriate authorization policies for transactions are established and maintained;
(d) communication channels provide management with adequate and reliable information;
(e) recommendations need to be made for the establishment of cost-effective controls to help deter fraud.
(ii) reviewing operations or programmes to ascertain whether results are consistent with established objectives and goals, and whether the operations or programmes are being carried out as planned.
(iii) identifying all risk areas within the Bank and determining whether effective and adequate control systems exist in these areas.
(iv) planning and conducting audit assignments subject to supervisory review and approval.

5.4.2 Supervision by Head-Audit
Supervision shall be a continuing process, beginning with planning and ending with the conclusion of the audit assignment. The Head-Audit shall be responsible for providing appropriate audit supervision. Supervision shall include:
(i) providing suitable instructions to subordinates at the outset of the audit;
(ii) ensuring that the approved audit program is carried out unless deviations are justified and authorized;
(iii) determining that the audit working papers adequately support the audit findings, conclusions and reports;
(iv) ensuring that the audit reports are accurate, objective, clear, concise, constructive and timely; and
(v) determining that the audit objectives are being met.
All internal auditing assignments, whether performed by or for the internal auditing department, shall remain the responsibility of the Head-Audit.

5.4.3 General guidelines
The Board of Directors (BOD)/Management of the Bank shall have the general responsibility for taking such steps as are reasonably available to them to safeguard the assets of the Bank and to prevent irregularities and fraud. The BOD/Management shall maintain effective systems of control, including an internal audit function.
The internal audit function shall be carried out by the Internal Audit Department of the Bank and will function under the policies established by the management and approved by the ACB/Board. It shall be an independent appraisal function established to examine and evaluate the Bank's activities.
5.5 Types of Internal Audit
The Internal Audit Department shall undertake audits as per the Risk Based Internal Audit Plan approved by the Audit Committee of the Board on an annual basis. The Audit Plan shall comprise mainly Internal Audit, Information System Audit, Concurrent Audit, Credit Audit and Snap Audit. IAD shall develop a suitable Audit Manual for these audits. The IS Audit Policy and the Concurrent Audit Policy shall form part of this policy and be taken to the ACB for review and approval on an annual basis. Snap audit of newly opened branches shall generally be undertaken within six months of their opening. However, under certain circumstances, such as staff shortage or excess work pressure on the available manpower, the Head-Audit may consider granting an extension of three months in such cases. Significant findings shall be reported to the ACE/ACB on a quarterly basis.
5.6 Coverage/ areas of audit
5.6.1 For effective audit, there is a need to clearly define the scope of audit, depth of verification, etc. for branches covered under concurrent audit.
5.6.2 Concurrent audit is conducted at selected branches on an ongoing (monthly) basis, whereas internal audit is conducted periodically depending on the risk/business involved.
- In view of the move to risk-based concurrent audit, the committee has devised a single check list and separate report formats for concurrent audit and internal audit. The committee suggests bifurcating audit areas into high risk, medium risk and low risk; individual banks, based on their risk profile, may classify the areas and fix the coverage under both internal and concurrent audit. However, all areas forming part of the check list are to be verified by the inspectors under Internal Audit.
- For defining the quantum of verification, the business of the branches and the risk involved in the internal control of the branches/the risk profile of the branches are to be considered.
- Observations made under the Loan Review Mechanism (LRM) may also be considered by the inspector while undertaking Internal Audit.
- The depth of verification is to be specified for the various areas, e.g. 100% verification, sample size and selection of sample, etc.
- Banks should also consider the coverage of other audits while fixing the depth/quantum of verification, to avoid duplication of audit work.
- Wherever verification is less than 100%, the auditor can use the technique of sample selection. It is expected that, on each aspect, the auditor should select a sample that is representative enough to sufficiently bring out the criticality involved. The sample should be selected in such a way that it constitutes a fairly representative picture of the portfolio. The sample size would depend on the size of the branch and the importance of the business function in the overall portfolio of the branch's operations. While reporting, the size of the sample and the proportion of the sample in which the deficiency was observed should be indicated.
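The sampling rule in the last bullet (a representative sample, sized to the branch and the importance of the business function, with the sample size and the proportion found deficient reported) can be made repeatable so that a reviewer can regenerate exactly which accounts were verified. The following is an added worked example and is not part of the policy document or any bank's own tooling: it stratifies a constructed branch portfolio by product, always includes the largest exposure in each stratum (an assumption of this example, not a rule the policy states), fills the rest of the sample at random from a fixed seed, and then summarizes population size, sample size and deficiency proportion per stratum from the verification results. The account identifiers, products, balances and deficiency findings are constructed for illustration.

```python
"""Added example: reproducible stratified sample selection for branch audit
verification, with sample size and deficiency proportion reported per product
line. Not part of the policy document; all data below is constructed."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    acct_id: str
    product: str      # stratum, e.g. "term_loan", "cash_credit", "savings"
    exposure: float   # balance outstanding, in rupees


def select_sample(accounts, fraction, min_per_stratum=2, top_n=1, seed=2012):
    """Pick a sample from each product stratum.

    Per stratum the sample size is max(min_per_stratum, round(n * fraction)),
    capped at the stratum size. The top_n largest exposures are always taken
    (assumption of this example: big-ticket accounts are never left to chance);
    the remainder is drawn from a seeded generator so the same selection can be
    regenerated by a reviewer from the same portfolio snapshot and seed.
    """
    rng = random.Random(seed)
    strata = defaultdict(list)
    for a in accounts:
        strata[a.product].append(a)

    chosen = []
    for product in sorted(strata):                       # deterministic order
        items = sorted(strata[product], key=lambda a: a.exposure, reverse=True)
        k = min(len(items), max(min_per_stratum, round(len(items) * fraction)))
        picked = items[:min(top_n, k)]                   # largest exposures first
        remainder = k - len(picked)
        if remainder:
            picked += rng.sample(items[len(picked):], remainder)
        chosen.extend(picked)
    return chosen


def summarize(accounts, sample, findings):
    """Per product: population size, sample size, deficiencies observed and the
    proportion of the sample found deficient. `findings` is the set of acct_ids
    where verification turned up a deficiency."""
    population = defaultdict(int)
    sampled = defaultdict(int)
    deficient = defaultdict(int)
    for a in accounts:
        population[a.product] += 1
    for a in sample:
        sampled[a.product] += 1
        if a.acct_id in findings:
            deficient[a.product] += 1
    report = {}
    for product in sorted(population):
        n = sampled[product]
        report[product] = {
            "population": population[product],
            "sample": n,
            "deficient": deficient[product],
            "proportion": round(deficient[product] / n, 3) if n else 0.0,
        }
    return report


# Constructed portfolio: 12 term loans, 6 cash credit limits, 3 savings accounts.
PORTFOLIO = (
    [Account(f"TL{i:03d}", "term_loan", 1_000_000.0 * (i + 1)) for i in range(12)]
    + [Account(f"CC{i:03d}", "cash_credit", 250_000.0 * (i + 1)) for i in range(6)]
    + [Account(f"SB{i:03d}", "savings", 10_000.0 * (i + 1)) for i in range(3)]
)

# Constructed verification results: accounts where the auditor recorded a deficiency.
FINDINGS = {"TL011", "TL004", "CC005"}


if __name__ == "__main__":
    sample = select_sample(PORTFOLIO, fraction=0.25)
    for product, row in summarize(PORTFOLIO, sample, FINDINGS).items():
        print(f"{product:12s} population={row['population']:3d} sample={row['sample']:2d} "
              f"deficient={row['deficient']} proportion={row['proportion']:.3f}")
```

The seed and the portfolio snapshot date belong in the working papers: with both, the selection can be regenerated at review time, which is what makes the reported sample size and deficiency proportion verifiable rather than a matter of the auditor's word.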
5.7 Objectivity
5.7.1 Internal auditors shall be objective in the performance of their duties. Objectivity is an independent mental attitude. They shall not be involved in performing functions such as drafting procedures for systems, or designing, installing and operating systems, as these activities would impair their objectivity.
5.7.2 Internal auditors shall audit in such a manner that they can have an honest belief in their work product and that no significant quality compromises are made. They shall not be placed in situations in which they feel unable to make objective professional judgments.
5.7.3 Internal auditors' assignments shall be made in such a way that potential and actual conflicts of interest and bias are avoided. The Head-Audit shall periodically obtain from the staff information concerning potential conflicts of interest and bias.
5.7.4 Internal auditors shall report to the Head-Audit any situation in which a conflict of interest or bias is present or may reasonably be inferred. The Head-Audit shall then reassign such auditors to other assignments.
5.7.5 Internal auditors shall not be permitted to work in a particular department over long periods of time. Assignments of internal auditors shall be rotated periodically whenever it is practicable to do so.
5.7.6 Internal auditors shall not assume operating responsibilities. However, if on occasion management directs internal auditors to assume operating responsibilities, it shall be understood that they are not functioning as internal auditors.
5.7.7 Internal auditors shall not audit any activity for which they have authority or responsibility.
5.7.8 Persons transferred to or temporarily engaged by the Internal Audit Department shall not be assigned those activities they previously performed until a period of at least six months has elapsed.
5.8 Staffing
5.8.1 The Head-Audit shall be supported by the requisite number of Deputy General Managers (DGMs), Assistant General Managers (AGMs) and other officers in different grades. He shall establish suitable criteria of education and experience for filling vacancies in the internal audit department, giving due consideration to the scope of work and level of responsibility.
5.8.2 Internal auditors, whenever necessary, shall be drawn from other line and staff functions within the Bank.

5.9 Selection of staff for the audit system
The Bank shall clearly define the guidelines for selecting internal staff for inspection/audit work. The guidelines may include the following:
- Minimum experience in the bank
- Minimum exposure to the various functions of the bank
- Educational qualification
- Minimum tenure in the department
- The auditor should not have worked as a reporting junior to the head of the auditee branch
6. Risk Based Internal Audit Strategy
Risk Based Internal Audit has the following five dimensions:
(i) Pre-audit requisites for the auditor
(ii) Indexing of products, services and processes
(iii) Identification of risks
(iv) Indication of level of risk
(v) Implementation of the audit plan based on risk level
For the sake of convenience, a suggestive list of the different types of risk is given at Appendix-A to this policy document.
6.1 Pre-audit requisites for the auditor
To carry out an effective audit and accomplish the audit objectives, the auditor needs to plan the audit assignment. A meaningful plan can be drawn up only after understanding the major issues and the areas to be focused on rigorously. This understanding will come only if the auditor has enough background on the overall risk profile of the branch. There is therefore a need to provide relevant information to the auditor before commencement of the audit.
The controlling office should have a system of maintaining and updating a branch profile which includes the ongoing issues at the branch and system-generated reports. This information is to be made available to the auditor well in advance, as a pre-audit requisite, to plan and undertake the audit assignment.
6.2 Indexing of products and processes
(i) This primarily means compiling the Audit Universe, so that risk-focused audit is a comprehensive exercise covering all the activities within the bank;
(ii) This should cover all products, services and processes;
(iii) The Audit Universe must be reviewed periodically for addition, substitution or modification;
(iv) The Head-Audit is responsible for ensuring the comprehensiveness of the Audit Universe. To achieve this objective, Heads of line functions/products should keep Internal Audit informed of all changes in products, designs, controls, processes and product/process manuals/programs, for evaluating risk and designing the necessary changes in audit programs;
(v) The review needs to be completed by April every year at the latest.
6.3 Identification of risk
The objective of this process is to identify the risks to which the organization is exposed, and to develop a logical, well-defined methodology to assess, quantify and classify risks. This enables Internal Audit to effectively determine resource requirements and decide upon their appropriate allocation. The goal is to provide an evaluation of the risks associated with the auditable entities from a business perspective, and to develop a basis for preparing the annual audit plan.
(i) Risk evaluation is to be done for both inherent business risk and control risk.
(ii) The evaluation process is captured in the Risk Assessment Module (RAM).
(iii) When new products and processes are introduced, the RAM exercise is to be undertaken for their risk evaluation.
(iv) The RAM will be revisited for changes in processes, products and services.
(v) The Head-Audit is overall responsible for the process of identification of risks, either through group processes or by delegation of the assignment within the department or within the bank, and in case of need can solicit/avail of the assistance of specialists wherever considered necessary and expedient.
(vi) The review needs to be completed by April every year at the latest.
6.4 Indication of Risk Level
(i) This is an important step in the risk based internal audit as it takesthe inputs of risks, from the identification process and would lead to
the implementation process.
(ii) Audit team would indicate the level of risk at Branches or at
functional units based on their findings and judgment about the risk
grade (e.g. High, Medium, Low).
(iii) The risk indication process involves auditing and resultant grading
of risk. This grading will be an assessment of control risks. While
carrying out the risk indication, auditors need to take into account the
status of laid down control mechanisms and also the compensatory
controls that units might be putting in place in lieu of or in addition to
the prescribed internal controls to serve the objectivity of the exercise.
(iv) Grading would indicate the chances or probability of risk envisaged
in the identification process, being crystallized in to actual threat.
(v) It is a pointer towards the vulnerability of the branch/unit to
potential loss. Hence it needs to be assessed as precisely as possible.
(vi) The Corrective Action Plan (CAP) of the controller would depend
upon the audit rating based on control risk.
(vii) The direction of the risk (increasing, stable or decreasing) should
also be identified.
6.5 Implementation of the Audit Plan based on Risk Levels:
(i) Head Audit is responsible for smooth implementation of the audit plan.
Based on the risks assessed and the status of the internal controls, he
has to draw up and design the Risk based internal audit plan and submit it to
the Audit Committee for approval.
(ii) Audit Planning should encompass Scheduling, Prioritizing, and
Determination of scope and extent of checking.
(iii) Audit Planning should essentially consider the Vulnerability and Volume
of business.
(iv) For scheduling, the Audit Risk Matrix (ARM) be prepared, in which
inherent Business risk and control risks are mapped. The risk
assessments (inherent and control risks) would be based on a three-
point risk grading namely high, medium and low. The substantive audit
tests / procedures would be carried out by auditor(s) based on the assessed Control risk. The Audit Risk Matrix (ARM) arrived at after
consideration of the inherent and control risks, would be based on a five-
point risk grading namely Extremely High, Very High, High, Medium and
Low.
(v) As bank has adopted functional approach as organizational
structure/philosophy viz; Corporate (ICG, LCG, MCG), Retail (Personal
Banking, SME, Agri), Operations, Transaction Banking, the branches
would be put in respective risk buckets for each functional area. This
needs to be periodically reviewed keeping in view the changes in
reporting lines, organization structure etc.
(vi) Business Risk would primarily rest on the volume of business,
business mix, growth rate and/or profits/losses, either in isolation or
relative to the total volume of the bank's business; these would be
considered for deciding the inherent business risks.
(vii) In the initial phase, the volume of business would be taken as the core criterion of business at risk. Going forward, the composition of various
products and their inherent risks in the business mix would be
considered by assigning suitable scores for each product for arriving at
weighted business at risk.
7. Using the RBIA methodology
The methodology is to be used on a number of occasions during the audit
cycle:
7.1 At the annual audit planning stage
7.1.1 Once an audit is completed a copy of the completed & updated risk
assessment should be filed for access at the time of the annual audit
plan. The risk assessment methodology should include, inter alia, the
following parameters:
(i) Previous internal audit reports;
(ii) Proposed changes in business lines or change in focus;
(iii) Significant changes in management/key personnel;
(iv) Result of the latest regulatory examination reports;
(v) Reports of the external auditors;
(vi) Industry trends and other environmental factors;
(vii) Time lapsed since last audit;
(viii) Volume of business and complexity of activities;
(ix) Substantial performance variations from the budgets.
At this time, the risk assessment should also be updated to take into
account the changes in business environment, activities and work
processes etc.
7.1.2 Audit plan needs to be approved by the Audit Committee of the
Board. It should include the schedule and the rationale for audit work
planned. It should also include all risk areas and their prioritization
based on level and direction of risk.
7.2 At the start of the individual audits
7.2.1 At the planning stage for ongoing audits, the team leader / sole
auditor will obtain the latest version of the relevant risk assessment and review the assessment in the current context. This will normally
involve no more than internal discussion, and meetings with
management responsible for the area in question, unless the auditor
is - or becomes - aware of major changes within the area. At this
stage, the risk assessment will form the start of the detailed audit
planning, during which inherent risks of the area will be reviewed in
much greater detail; control objectives will be established and an
audit programme (plan) will be established.
7.2.2 Documentation will show the trail for this process, and allow any
subsequent review to see how the audit programme matches and
covers the risks and control objectives of the area in question.
7.3 At the end of the audit
The methodology will also be reviewed at the end of the audit, and
the area in question will be given a risk assessment again. This
assessment is likely to be the most important (and accurate) in the
audit cycle, coming at a time when internal audit has first-hand, up-
to-date information on which to make the assessment.
8. The mechanics of Risk Assessment Module (RAM)
8.1 Guiding factors and information for development of a RAM
Important factors like process reengineering and certain controlled
information must be considered appropriately for purposes of risk
assessment and risk grading of the auditee entity. Some of such
factors / controlled information would include but not limited to:
(i) Centralized functioning of activities / processes viz. Central /
Regional Processing units, Retail Assets operations etc.
(ii) Functioning of centralized controlling units within the organization viz. Credit administration for corporate / retail assets, Corporate
and Retail risk etc.
(iii) Functioning of concurrent audit at branches / Corporate office
units
(iv) Availability of data from information systems that could be used
for performance of effective off site procedures
(v) Automated processes viz. interest application in accounts, cheque
return charges etc.
(vi) Incidence Reporting system for Operations Risk, data from CORE
and the discussion papers in Operational Risk Committee, Zonal
Operations (CMO) review reports and Branch head Compliance
Certificates (BHCC), Reports of RBI under AFI or any other form of
inspection by whatever name called etc.
(vii) Various MIS and regulatory returns submitted that might capture
exceptions and major impact e.g. fraud reports (FMRs) submitted
to RBI etc.
The auditor would evaluate the quality of information available from
these channels and place effective reliance on them for the purpose
of risk assessments and subsequent substantive audit tests /
procedures. Other sources of information on which reliance is
proposed to be placed can be individually discussed and concurred
upon with Head-Audit on a case-to-case basis.
8.2. Developing the Risk Assessment Module (RAM)
A RAM would be developed for each significant auditee unit viz.
business, division, product, support area or a branch location and
broken down into relevant parts (i.e. products, processes etc.) to address the auditee unit's activities and related risk profile
comprehensively. Each of the parts would be divided into sub parts and
further into detailed activities to ensure audit coverage of all-important
aspects within a particular part. Inherent risk would be identified and
documented for each activity under the sub parts / parts of the RAM.
The inherent risks would then be graded on a three-point scale of high,
medium or low. Against each identified inherent risk, existing control
procedures (risk mitigants) that provide higher level of assurances to
the auditor would be noted. Implementation of the RAM and its
continuous assessment for any refinements, would be a primary
responsibility of the concerned product / process owners within the
Internal Audit department.
8.3 Developing a scoring model based on the RAM
Each RAM would have an accompanying scoring model. The scoring model would have a Total Score (TS). These TS points would be
distributed amongst various parts, and further allocated internally to
sub parts and finally to various activities within each sub part. Audit
Committee of Executives (ACE) shall review all type of risk assessment
models every year while considering the annual audit plan and may
amend the model keeping in view the changes in organizational
products/processes etc.
8.4 Distribution of total points:
8.4.1 Each part (i.e. the product or process) should be assigned a
percentage weight depending on the significance of the part to the
auditee unit(s)' total activities. For example, in respect of a Retail branch
location, there could be three parts viz. i) Retail Products (Assets and
Liabilities), ii) Retail services (Remittances, Cheque collections, Cash
Management Services, Depository services and Third Party
Distribution) and iii) Branch operations. The TS thus gets allocated to
each of the parts based on the percentage weight allocated.
8.4.2 Each sub part within a part would be assigned parameter weights
such that the sum of parameter weights of all the sub parts must
total to the assigned score for the applicable part. The parameter weights should be assigned depending on the significance of the sub
part within the applicable part.
8.4.3 Each activity within a sub part would be assigned a rating score
(depending upon the significance / controls designed) such that the
sum of rating scores of all the activities put together total to the
assigned parameter weight of the applicable sub part. The rating
scores should be assigned to each activity depending on its inherent
risk grading and other factors including but not limited to past history
of the inherent risk crystallizing into a loss or a liability for the
organization.
8.5 Weight-ages assigned to risk grading
Weights would be assigned to respective risk grading viz. Very Low,
Low, Medium, High, Very High as may be decided by Head- Audit. The
very low indicates the lowest probability or unlikelihood of the risk occurrence, while the very high indicates the highest probability or
certainty of risk crystallization. The present weight-ages would be 100%,
80%, 50%, 20%, 0%, or in decimal terms 1, 0.8, 0.5, 0.2, 0.
8.6 Maximum achievable Risk scores
8.6.1 For each activity, there would be a maximum achievable score based
on the product of i) weight assigned to the highest Risk grading and
ii) rating score. Sum of the maximum scores for all the activities
under a sub part would provide the maximum achievable Risk score
for that sub part and sum of maximum scores for all sub parts taken
together would provide the maximum achievable Risk score for the
applicable part. Sum of maximum achievable Risk scores for all parts
put together would provide the maximum achievable Risk score for
the auditee unit(s).
8.6.2 In case any part or sub part of the risk assessment module is not
applicable for any particular unit the same would be excluded while
arriving at the risk profile of the units. Hence the total points would
stand calibrated based on the applicable scores and the scores
obtained. This is to ensure that the unit is neither penalized nor given
undue credit for the activities not carried out by them.
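The scoring model of sections 8.3 to 8.6 is a small allocation-and-weighting algorithm, and the calibration rule in 8.6.2 is the part most easily got wrong in a spreadsheet. The following Python is an added worked example, not the bank's RAM tool: it checks the allocation constraints (part percentages total 100%, sub part parameter weights total the part score, activity rating scores total the parameter weight), computes the achieved and maximum achievable risk scores, and excludes non-applicable parts or sub parts from both so the unit is neither penalized nor credited for them. The pairing of grades with weights (Very Low = 1.0 down to Very High = 0) follows the order in which section 8.5 lists them and is an assumption; the "maximum achievable" score uses the largest weight. The branch structure, names and values in the sample are constructed.

```python
"""Worked RAM scoring model (added example, not the bank's own tool)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Section 8.5 weights, paired with the grades in the order the policy lists them.
# ASSUMPTION: Very Low -> 100% ... Very High -> 0%.
GRADE_WEIGHTS = {"Very Low": 1.0, "Low": 0.8, "Medium": 0.5, "High": 0.2, "Very High": 0.0}
MAX_WEIGHT = max(GRADE_WEIGHTS.values())  # weight used for the maximum achievable score (8.6.1)


@dataclass
class Activity:
    name: str
    rating_score: float   # 8.4.3: sums to the sub part's parameter weight
    grade: str            # assessed risk grading, a key of GRADE_WEIGHTS


@dataclass
class SubPart:
    name: str
    parameter_weight: float   # 8.4.2: sums to the part's score
    activities: List[Activity] = field(default_factory=list)
    applicable: bool = True   # 8.6.2: excluded from both achieved and maximum if False


@dataclass
class Part:
    name: str
    percent_weight: float     # 8.4.1: share of the Total Score (TS)
    sub_parts: List[SubPart] = field(default_factory=list)
    applicable: bool = True


def validate_ram(total_score: float, parts: List[Part], tol: float = 1e-6) -> List[str]:
    """Return a list of allocation problems under 8.4.1-8.4.3 (empty list means consistent)."""
    problems = []
    if abs(sum(p.percent_weight for p in parts) - 100.0) > tol:
        problems.append("part percentage weights do not total 100%")
    for p in parts:
        part_score = total_score * p.percent_weight / 100.0
        if abs(sum(s.parameter_weight for s in p.sub_parts) - part_score) > tol:
            problems.append(f"sub part weights of {p.name!r} do not total {part_score:g}")
        for s in p.sub_parts:
            if abs(sum(a.rating_score for a in s.activities) - s.parameter_weight) > tol:
                problems.append(f"activity scores of {p.name!r}/{s.name!r} do not total {s.parameter_weight:g}")
            for a in s.activities:
                if a.grade not in GRADE_WEIGHTS:
                    problems.append(f"unknown grade {a.grade!r} on activity {a.name!r}")
    return problems


def score_ram(parts: List[Part]) -> Tuple[float, float, float]:
    """Return (achieved, maximum achievable, achieved/maximum) over applicable items only (8.6)."""
    achieved = maximum = 0.0
    for p in parts:
        if not p.applicable:
            continue
        for s in p.sub_parts:
            if not s.applicable:
                continue
            for a in s.activities:
                achieved += a.rating_score * GRADE_WEIGHTS[a.grade]
                maximum += a.rating_score * MAX_WEIGHT
    # Calibration (8.6.2): the ratio is taken against the applicable maximum, not the full TS.
    return achieved, maximum, (achieved / maximum if maximum else 0.0)


def build_sample_ram() -> Tuple[float, List[Part]]:
    """Constructed sample: a retail branch with TS = 1000 and one non-applicable sub part."""
    parts = [
        Part("Retail Products", 50.0, [
            SubPart("Assets", 300.0, [Activity("Loan sanction", 150.0, "Low"),
                                      Activity("Loan documentation", 150.0, "High")]),
            SubPart("Liabilities", 200.0, [Activity("Account opening", 120.0, "Very Low"),
                                           Activity("KYC review", 80.0, "Medium")]),
        ]),
        Part("Retail Services", 30.0, [
            SubPart("Remittances", 200.0, [Activity("Outward remittance", 200.0, "Medium")]),
            # This branch offers no depository services, so the sub part is excluded (8.6.2).
            SubPart("Depository services", 100.0, [Activity("DP operations", 100.0, "Low")],
                    applicable=False),
        ]),
        Part("Branch operations", 20.0, [
            SubPart("Cash", 120.0, [Activity("Cash balancing", 120.0, "Very High")]),
            SubPart("Security", 80.0, [Activity("Key custody", 80.0, "Low")]),
        ]),
    ]
    return 1000.0, parts


if __name__ == "__main__":
    ts, sample = build_sample_ram()
    print("allocation problems:", validate_ram(ts, sample) or "none")
    achieved, maximum, ratio = score_ram(sample)
    print(f"achieved {achieved:g} of applicable maximum {maximum:g} ({ratio:.1%})")
```

The sample deliberately leaves the excluded sub part's 100 points out of the maximum (900 rather than 1000), which is the calibration 8.6.2 calls for; a model that divides by the full TS would understate the branch's control position for an activity it does not perform.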
9. Rating under Risk Based Internal Audit
9.1 All the branches and audit units would be awarded an Audit Rating
based on the risk based internal audit carried out during the year. The
rating would primarily focus on the controls and compliance level at the
branch, assessed for each risk parameter that is predetermined as
stated above.
9.2 Approval of the ACE would be obtained whenever the rating model needs a
change, and the model would be reviewed on a yearly basis, so that
branch performances are not measured on two different platforms, which
would make them non-comparable.
9.3 The bank may develop any rating mechanism either on grading basis or
attributes for any other units or activity of the banks. Wherever no
comparable units exist, the bank would not award ratings, e.g.
different products, only one centralised unit, activities carried out are
not similar, Head Office (HO) departments, Management audits etc.
9.4 Head- Audit (or any other senior officer designated by Head-Audit)
would convey the rating awarded to the branches to them in writing.
He may also choose to withhold the rating for any particular reason, if
considered necessary and keep Top Management informed of the
same. He may also convey the areas where the branch has to focus
attention in order to strengthen controls.
9.5 The rating awarded is normally for the period until the next audit is carried
out. The rating awarded would not provide assurance or guarantee to
the branch or to the controllers against any frauds committed / that
may be committed and hence should not be construed as insurance
against frauds. The rating in successive audits need not move one step
at a time; depending upon the improvement / deterioration observed,
the rating may be moved by more than one step.
9.6 Head- Audit to inform ACE/ACB the migration of the ratings of branches
on Annual basis.
9.7 Keeping in view the organizational structure, the rating would be
awarded function wise in case of major mixed branches where each
activity is significantly visible.
9.8 Branch audit