Pors 1 04-Dec-2012 Policy & Others

8/22/2019 Pors 1 04-Dec-2012 Policy & Others

1/110

DOS AND DONTS FOR CONCURRENT AUDITORS(CA FIRMS)

Dos:

1. Pre concurrent audit study of the branch/ department should be donegetting all relevant information and off site surveillance reports of the

auditee as stated in the engagement letter.

2. Prepare proper audit plan based on 1 above, covering all the areas ofthe scope, keeping in the view the time lines

3. Have a structured introductory meeting with the auditee and seek allthe information required in advance with proper time schedule.

Introduce the audit team to the auditee officials.

4. Audit team should accompanied by senior and experienced membersas required.

5. Auditors to display team spirit and avoid misunderstandings/arguments in the presence of auditees.

6. Discuss his findings with branch officials on daily basis and try torectify the defects then and there itself.

7.Give auditees a chance to express their opinion while discussing theissues. Getting proper explanation in a co-operative atmosphere will

save precious time.

8. In case of difference of opinion with auditee, the auditor should firstdiscuss with the leader of his team. Further discussion on a higher

level may be made, if required.

9. In case, auditor comes across any information which causes him tosuspect any element of fraud, gross negligence, gross incompetence orsimilar unfavorable actions or tendencies, he should report the matter

to the leader of the team immediately.

10.Auditor should keep utmost secrecy of the information/ audit

observations/ issues etc. relating to the auditee.


2/110

11.Be courteous, cooperative and professional.

Don'ts:

1. Auditor should not have any professional or commercial relationshipeither direct or indirect with borrowers/ beneficiaries of the branch /department which they are auditing and also will not have in future as

far as possible for a minimum period of three years.

2. Auditor should not take advantage of his association as concurrentauditor with the branch/ department of the bank and canvas for any

client/ business with the bank either directly or indirectly.

3. Auditor should not represent on behalf of any client/ customer of thebank for a minimum period of as far as possible three years after thecompletion of term of the audit.

4. Auditor should not share/ pass on/ discuss any audit relatedobservations/ issues/ findings with any one other than concerned in

the bank.

5. Auditor need not act overly reserved or unfriendly in order to maintainhis independence as an auditing officer. A forbidding attitude on his

part may well cause others to adopt the same attitude towards him.This can adversely affect the work entrusted to the inspecting officer.

6. Auditor should not get involved in heated argument with auditee.7. Auditor should not give orders to auditee and seek requirements from

the officer assigned to assist him on a particular job. The concerned

officer would issue the necessary orders to their employees if he

accepts inspectors suggestions and recommendations.

8. Auditor should not delay the submission of audit report

-- :: --


3/110

REPORT ON BRANCH PROFILE & EXECUTIVE SUMMARY

1. Branch Details

Branch Region Code

ZO Area Rural / Semi-urban / Urban / MetroDate of Opening of

the Branch

Category Small /Medium / Large /Very Large / ELB / IFB/ SSI /Others..

Name/s of EC/ Sub-office/ Satellite offices attached

Designated for FX business (Yes/ No)

Branch Mechanisation (ALPM/ TBM/ CBS)

Rating Last Year Present Year

2. Incumbents during the period under review:

Designation Name Grade From To

Branch Manager

Asst. Br. Manager

In-Charge (Credit)

3) Other Staff:

SN Category Current Previous

1 Officers

2 Clerks

3 Attenders

Total

4. Details of Inspecting Officers:

Sl. No. Name Designation

Period Covered : From : To:

Date of Commencement: Date of Completion:

Mandays utilised: Present Audit: Previous Audit:


4/110

Executive Summary

Important positive/ negative features noticed during Audit to be furnished in brief under the

following parameters

Branch RO ZO

Sr. No Parameter Auditors Finding

1. - Performance of the branch

Advances

Deposit

NPA

2. - Major findings of the inspections

3. - House Keeping

4. - Customer Service

5. - Statutory Compliance

6. - Systemic weakness

7. - Persisting irregularities

8. - Suggestions for improvement


5/110

Data Sheet

A) Advances:

1. Sector wise Classification

Sector As on As on

Agriculture Limits O/s Overdue Limits O/s Overdue

MSME

Retail loans

- Housing Loan

- Personal Loan

- Others

Corporate Loans

Others

Limits O/s Overdue Limits O/s Overdue

Sensitive Sectors:

a) Real estate sector

b) Capital Market sector

c) Commodities sector

2. Individual Exposure ( list Top five/ten individual borrower)

Name of the borrower Sector Limit O/s % of total exposure to total advances of the

branch

3. Group Exposure ( list Top five/ten group borrower)

Name of the Group Limit O/s % of total exposure to total advances of the

branch

4. Industry wise Classification (relevant for corporate branches)

Sl.

No.Industry

Limit O/s % of o/s to total gross

exposure

1 Textiles

2 Paper & Paper Products3 Chemicals & Chemical Products

- Fertilizer

- Drugs & Pharmaceuticals

- Petrochemicals& others

4 Iron & Steel

5 All Engineering


6/110

5. Secured / Unsecured Advances

Particulars Limit O/s Overdue % to total exposure

1 Total Secured Exposure

2 Total unsecured Exposure

Total Exposure

% of unsecured exposure to total

exposure

6. Non fund based business:

6 Gems & Jewellery

7 Construction

8 Infrastructure

- Power

- Telecommunication

- Roads & Ports

- Others

9 Petroleum

10 Cement & Cement Products

11 NBFCs including MFIs

12 Film Industry

Limit O/s % of exposure to total exposureLCBGOther

Total non Fund based exposure

Particulars No AmountBG Issued during the reviewperiod

Total Turnover of BG issuedLC issued during the reviewperiod

Total turnover of LC IssuedBG invokedLC devolved% of BG invoked to total

Turnover of BG

% of LC devolved to TotalTurnover of LC% of BG invoked to O/s of BG% of LC devolved to O/s of LC


7/110

7. Time barred debts.

a) Total no. of AODs are pending for obtention as on

b) Amount involved in Pending AODs as on date of inspection

c) Total no. of AOD and amount involved is pending at the time of

previous inspection

d) No of cases where documents are expiring within next 3/6 monthse) % of time barred debt to Total NPA.

8. Rating wise Clarification of Advances.

a. Internal rating wise

Rating grade As on As on..

Rating gradeNo of

borrower

Limit O/s % of

composi

tion

No of

borro

wer

Exposure O/s % of

compositi

onFB NFB FB

NF

BFB NFB FB NFB

1

2

34

5

6

7

8

9

10

Total

Total Low Risk

Total Medium

Risk

Total High Risk

b) Report on borrower not rated by approved external rating agencies (in applicable cases only)

No of unrated borrower Limits O/s % of exposure to unrated

borrower to total advances.

Total

c) Not caring out internal rating based on latest financials in applicable cases

No of unrated borrower Exposure to unrated borrower % of exposure to unrated

borrower to total advances.


8/110

9. Income Leakage: Details of seepage of income detected in various audits since last RBIA

Particulars Detected in

other various

inspection

Seepage

of income

detected Total

% to total

seepage

detected

Seepage of

income

pending for

RecoveryApplicable ROI is not charged

Prescribed processing, inspection charges

and other service charges are not

collected

Penal interest / additional interest is not

charged for

- Overdue loans

- Stock statements, QIS, financial

statements,

- Delay in submission of renewal

proposal

- Non creation of mortgage, adhoc

limit etc

Processing charges are not collected at

the time of annual review/ renewal

Income Leakage in Forex Business

ROI on Deposit

Other

Total Seepage Detected

% of seepage of income detected to totalbusiness

Total seepage of income detected in

previous inspection/ review period.

Increasing / decreasing

B) 1) NPA Management

As on As on Increase/

Decrease

Amount % to

Gross

NPA

Amount % to

Gross

NPA

Amount %

a) Standard Assets

b) Special Mention ( out of A)

c) Substandard Assets

d) Doubtful Assets - up to 1 year

e) Doubtful Assets - 1 to 3 years


9/110

f) Doubtful Assets - above three years

g) Loss Assets

h) Total NPAs ( Gross)

i) % of NPAs to Total Advances -

j) Provisions made for NPAs

k) Understatement of provisions

l) % of provision to Gross NPA

m) Net NPA

n) % of Net NPA to Total Advances.

o) NPA more than 2 years (Chronic)

p) % of chronic NPA to total NPA

q) % of SMA to total Standard Advances

r) Fresh NPAs added & Quick Mortality

1. Fresh NPAs added- Number & amount

involved2. Out Fresh NPA- Quick mortality cases-

N umber and amount.

3. % of quick mortality cases to sanctions

made during the review period.

s) Recovery of NPA

t) Accounts covered under SARFESI Act

C) No of accounts where notices issued

under SARFESI Act

D) No of cases where notice issued ,

possession not taken

E) No of cases where possession taken but

not auctioned.

u) Up gradation of NPA to Standard

1. No. of accounts upgraded to Standard

Assets and Amount involved during the

review period.

2. % of up gradation to total NPA

v) Written Off accounts and its recovery

1. No. of Written of Accounts and amount

involved.

2. Amount of written off accounts

w) Restructured Accounts/CDR

1. No. of accounts restructured

2. Amount involved in restructure

x) OTS


10/110

1. No of cases and amount involved in

OTS

2. Amount of waiver.

3. % of waiver to Total amount.

4. No. of account where payments of OTS

is not forthcoming as per term of OTS.

y) Other

2) Sectoral Concentration of NPA

a) Product wise.

Sector As on As on

Agriculture Limits O/s Overdue Limits O/s Overdue

MSME

Retail loans

-Housing Loan

- Personal Loan

- Others

Corporate Loans

Others

Limits O/s Overdue Limits O/s Overdue

Sensitive Sectors:

a) Real estate sector

b) Capital Market sector

c) Commodities sector

C) Deposits

As on. As on..

No of a/c Amount No of a/c Amount

1. SB

2. CA

3. Term liabilities

4. Total

5. Low Cost Deposits

6. % of low cost deposit to total deposits

7. Inoperative account

8. Risk categorization of customers

- Low Risk

- Medium Risk

- High Risk


11/110

D) Non Interest Income:

As on As ona) Non-interest Income

- Processing charges and upfront fees- Commission, exchange and brokerage- Service charges- Income from forex transaction

- Income from govt. business- Other income

b) % increase/ decrease over previous yearc) % of non interest income in total IncomeE) Frauds

As on As on .

No. Amount % No. Amount %

a) Frauds detected during the

review period

- -

b) Nature of fraud

1. Miss appropriation and

Criminal Breach of trust.

2. Fraudulent Encashment

3. Loan related frauds

4. Unauthorized Credit

facilities for

reward/gratification

5. Negligence and cash

shortages

6. Cheating and forgery7. Irregularities in Foreign

Exchange Transactions.

8. Other.

Total

c) Predator- wise

1. Staff

2. Customer

3. Outsiders

4. Staff and customer

5. Customer and outsider6. Staff, Customer & outsider.

d) Detection

1. Within 3 months

2. Within 6 months

3. Within 12 months

4. After 1 year


12/110

e) Whether staff

accountability examined.

F) Impersonal Accounts

Head of A/cUpto 1 month

1 months toless than 3

months

3 months toless than 6

year

above 6

monthsTotal

No. of

Entries

Amt No. of

Entries

Amt No. of

Entries

Amt No. of

Entries

Amt

Suspense A/c

Parking GL

End Point

Branch Adjustment/ inter

branch transfer etc

Sundry deposits/assets

Capital ExpenditureAdjustment

Accounts with other bank

un reconciliation items

TT paid/ payable account

Other

Total

G) Inspections conducted during the review period:

SL

NoInspection type

Closure time

of report (as

per guidelines)

Date/ month of Remark on delay

in rectification,

level ofrectification etc.

AuditSubmiss

ion

Rectifi

cation Closure

1 Previous RBIA

2 Concurrent audit

(month)

3 Credit Audit

4 I S Audit

(ALPM/TBM/CBS)

5 RBIA

6 RBI inspection

7 Statutory Audit

8 Other


13/110

H) Complaints

During previous inspection

review period

During present inspection

review period

No. % to total No % to totalNo of complaints received

Nature of complaints

- Deficiency in service

- Loans related

- Rude behaviour of

Manager/staff

- Alleged wrongful debits to

their accounts

- Charging excess interest

/commission/service charges- Alleged wrongful dishonour of

cheques

- Disputed ATM transactions

- Others

Total


14/110

SGR

Related

Department

Area of

Operations

Section/

AuditFrequency Report

1 Accounts Dept Cash OMU* Daily Days on which cash retention limit has been exceeded

2 Inspection

Dept/AML

Cash CA** Weekly Accounts in which there were more than 10 cash deposits during

the week

3 Inspection Dept

/KYC

Cash CA Weekly Cash Deposits between Rs. 40000 and Rs. 50000

4 Accounts Dept Deposit CA Monthly Dormant account which need to be transferred to CO

5 Accounts Dept Deposit Acs CA Daily Dormant Accounts where transactions have taken place

6Accounts Dept

Control OMU Monthly List of long pending items in Sensitive and Reconciliation General

Heads

7Accounts Dept

Remittance CA Weekly DD/PO issued against deposit of cash - arranged according to the

name of the purchaser

8 Department of

Information

Technology

IT OMU Weekly List of unsuccessful logins

9Department of

Information

Technology/

Human Resource

Department

IT OMU Daily List of staff members who are on leave but under whose log in ID

transactions have been input/verified

10 Department of

Information

Technology/ RO

Credit CA Daily New advances accounts are not opened properly in the system . All

f ields in the customer master is input and the sanctioned limit is

input correctly

11 Department of

Information

Technology/ RO

Deposit Acs CA Daily New deposit accounts opened, category wise (Current, Savings, FD,

RD with NRE/NRO/FCRA account marked)). Also indicate fields in

account master left blank

12 Inspection Dept Control CA Weekly All manual debits to expenses accounts

13 Inspection Dept Control CA Weekly All manual debits to Income accounts

14

Inspection Dept/

RO

Credit OMU Weekly Current Accounts and Savings Accounts without OD limit in which

TODs were permitted more than three times during the quarter,

including TOD, if any , outstanding (Separate Reports for Current

and Savings accounts)

15 Inspection Dept/RO

Deposit OMU Monthly Debit transactions in NO Frill Accounts exceeding Rs. 10000 in amonth

16Inspection Dept

Deposit OMU Yearly Credit transactions in NO FRILL a/cs exceeding Rs. 100000 in a year

17 Inspection Dept/

Accounts Dept /

RO

Deposit Acs CA Weekly Debits in inactive accounts

18 Inspection Dept/

RO

Deposit Acs CA Weekly Debit balances in Savings / Current accounts

19 Inspection Dept Transactions CA Weekly Entries reversed

20 Inspection Dept Transactions CA Daily Transactions with value date prior to date of transaction

21Inspection Dept

Transactions CA Weekly List of all high value transactions - Cash, Clearing, Transfer-

seperately

22 Inspection Dept Controls OMU Daily List of staff accounts with unusual or high value transactions

23Accounts Dept

Control OMU Daily List of credit to NEFT/RTGS suspense outstanding beyond a day

24Recovery Dept

Credit CA Weekly Accounts which were upgraded from substandard to standard status

25Recovery Dept

NPA OMU Monthly List of accounts which should have been marked as NPA but has not

been done

26 RO- Credit

Monitoring Cell

Credit CA Weekly List of all new gurantees issued

OFFSITE SURVEILLANCE REPORT / SYSTEM GENERATED REPORTS


15/110

SGR

Related

Department

Area of

Operations

Section/


27

RO- Credit

Monitoring Cell

Credit OMU Daily Cash Credit /Overdraft/Bill Purchase/Packing Credit/Guarantees/LC

accounts in which balance exceeded the drawing limit (Separate

report for each type of account to be generated)

28 RO- Credit

Monitoring Cell

Credit OMU Monthly Exceeding in Sanctioned Limits

29RO- Credit

Monitoring Cell

Credit OMU Daily Advances accounts (OD, CC, Loan, BP, BD, BN, PC and Cheque

Purchase) irregular/overdue.

30Risk Management

Dept/ RO- RMC

Credit OMU Weekly Guarantees expired

31Risk Management

Dept/ RO- RMC

Credit OMU Weekly Guarantees invoked

32 RO- Credit

Monitoring Cell

Credit OMU Monthly Accounts in which stock statements / uploading of drawing limit is

overdue, arranged age wise

33 RO- Credit

Monitoring Cell

Credit OMU Weekly Credit Accounts in which limits have expired

34Risk Management

Dept / RO

Credit OMU Monthly List showing unusual growth in advances (numbers of accounts and

amount ) Spurt in advances

35

RO

Cheque

Collection/Purc

hase

OMU Monthly Cheques/DDs/Bills purchased returned unpaid

36

RO

Cheque

Collection/Purc

hase

CA Monthly List of all cheque purchases (Inland/Foreign seperately)

37 RO- Credit

Monitoring Cell

Credit OMU Weekly Cash Credit accounts with turnover during the quarter less than the

sanctioned limit

38 RO- Credit

Monitoring Cell

Credit OMU Weekly Cash credit accounts with cash withdrawals in excess of 10% of the

sanctioned limit39 Inspection Dept/

RO

Credit CA Monthly List of new /renewed credit accounts in which proposal processing

charges have not been recovered

40 Inspection Dept Credit OMU Weekly Advances accounts in which interest rate code is "0"

41 RO- Credit

Monitoring Cell

Credit OMU Weekly Credit accounts in which insurance has expired

42Special Mention

Account Dept/RO

Credit OMU Monthly Loan accounts in which installments are falling due within the next

15 days

43RO- Credit

Monitoring Cell

Credit CA Monthly Loans granted against FDs

44 RO- Credit

Monitoring Cell

Credit CA Weekly New advances accounts opened, category wise

45 RO- Credit

Monitoring Cell

Credit CA Monthly List of all fresh Packing Credits disbursed

46 RO-RMC Credit CA Weekly FD accounts from which Lien Marking has been removed

47 RO-RMC Credit CA Weekly FDs matured but Lien Marking continues

48 RO- Credit

Monitoring Cell

Credit CA Weekly Accounts in which date of expiry of insurance has been changed

49 RO- Credit

Monitoring Cell

Credit CA Weekly Accounts in which drawing limit has been changed

50 Inspection Dept Credit CA Weekly Accounts in which rate of interest has been changed

51 Inspection Dept Credit CA Monthly Drawing limits entered with back value

52 Inspection Dept/

RO

Deposit OMU Weekly Current Accounts without OD limit and debit balance (TOD)

outstanding for more than 15 days at the close of the month


16/110

SGR

Related

Department

Area of

Operations

Section/


53 Inspection Dept Deposit OMU Weekly Overdue FDs

54 Department of

Information

Technology

Deposit OMU Weekly Savings/Current Accounts/Cash Credit in which signature has not

been scanned

55 AML Cell Deposit OMU Weekly Deposit accounts opened and closed within 6 months

56AML Cell

Deposit OMU Daily Savings and Current accounts which were opened less than six

months ago in which there are high value transactions

57 Inspection Dept Deposit/Credit OMU Monthly Deposit and Advances Accounts in which interest rate has beenmodified (separate for deposits and advances)

58Inspection Dept

Deposit Acs OMU Weekly Savings/Current/Advances accounts with blank Interest flag

59RO-RMC

Deposit Acs CA Weekly List of Accounts of MINORs who have attained majoriy during the

month

60RO-Planning Dept

Deposit Acs CA Weekly List of welcome kit accounts activated with name of customer left

blank

61Risk Management

Dept/ RO- RMC

Forex OMU Weekly LCs devolved

62Inspection Dept

Forex CA Weekly Charges collected on LC/BG/Bills in branches designated for Foreign

Exchange Transactions

63 Treasury- NonResident Deposit

Cell

Forex OMU Weekly FCNR deposits renewed after 14 days after maturity

64 Treasury- Non

Resident Deposit

Cell

Forex CA Weekly Debits and Credits in NRE, NRO and FCNR accounts

65 RO- Credit

Monitoring Cell

Forex CA Weekly List of all new LCs issued (Inland/Foreign seperately)

66 RO- Credit

Monitoring Cell

Forex CA Weekly List of all Bills Purchased/Discounted/Negotiated (Inland/Foreign

seperately)

67 RO- Credit

Monitoring Cell

Forex CA Weekly List of LCs advised

68 Treasury Forex CA Weekly List of foreign outward remittances

69 Treasury Forex CA Weekly List of Foreign Inward remittances

70 Treasury Forex CA Weekly List of export Bills on collection/purchase/negotiation

71 Treasury Forex CA Weekly List of import bills

72 RO-RMC Forex CA Weekly List of LC opened

73 Treasury Forex CA Weekly List of EEFC transactions

74

Inspection Dept.

Remittance CA Weekly List of DD/PO/RTGS/NEFT/cheque purchase/Bills/LCs/Gurantees in

which charges collected are less than the charges calculated by the

system

75 Inspection Dept. Remittance OMU Weekly More than 5 DDs/Pos issued to the same purchaser

76 RO-RMC Remittance CA Weekly Duplicate FD Receipts printed

77 RO-RMC Remittance CA Weekly Duplicate DD/PO printed

78 RO- Credit

Monitoring Cell

Credit CA Weekly List of credit limits newly created/ enhanced/ modofied with its

validity

79 Inspection Dept Deposit Acs OMU Weekly List of high value deposits of Rs 50 lacs and above having differentrate of interest than card rate

80Tax Cell

Statutory Compli CA Weekly Opening balance and debits to the account in all TAX accounts -

TDS, Service Tax etc

81Tax Cell

Tax compliance CA Weekly FDs with TDS exempt flag both at Account level and Customer

Master level (seperately)

* Off Site Monitoring Unit

** To be used by Concurrent Auditor


17/110

Weekly Concurrent Audit Report

To be submitted to the Branch Manager as soon as the weekly audit is over.

Concurrent Audit Branch:

Weekly Report for the period ____________ to ____________ Date of report:____________

Department Irregularity/Deficiency Observed Branch Comment Date&Sign


18/110

To be submitted to the Controlling Office by the 15th

of the next month


Monthly Report of pending irregularities/deficiencies observed during the month ended ____________ Date of report:____________

Department Irregularity/Deficiency Observed Branch Comment Date & Sign

Certificate

We confirm having audited all the areas/processes/activities marked as High Risk in the audit check list. We also confirm that we have adhered to the

periodicity and coverage indicated in your instructions to us.

A copy of the report has been handed over to the Branch Manager for taking necessary action.

Signature


19/110

To be submitted to the Controlling Office within 15 days of the close of the quarter.


Quarterly Report of recurring irregularities for the period ____________ to ____________Date of report:____________

Department Irregularity/Deficiency Observed Action Recommended Action Initiated

(To be filled in by CO)


20/110

KEY AUDIT FINDINGS MONITORABLE ACTION PLAN RECOMMENDED

A CREDIT

Amt

involved

Rs. Crores

% to

Credit

Portfolio

1

2

3

4

5

6

7

8

9

10

B NPA MANAGEMENT

1

2

3

4

5

6

7

8

(Not more than 10 comments for Credit,NPA Managent, Forex and not more than 5 comments for other areas.It is not necessary to have Key

Audit Findings in each of the areas. This being a report for the use of Senior Management only very serious irregulariti

Key Audit Findings and Monitorable Action Plan


21/110

9

10

C DEPOSITS

1

2

3

4

5

D CASH MANAGEMENT

1

2

3

E REMITTANCE

1

2

3

Etc


22/110


23/110

SL

NO

ASSESSMENT AREA

1 IT ENVIRONMENT RISK

A LEGAL RISK

Systems do not have any unauthorized software

Records in electronic and paper based format are

Branch is in a position to furnish the historical data of a

customer for legal purposes at times of need

Necessary archival is maintained in a secure media and

preserved (CD Cutting of Ledger reports in respect of

ALPM/TBM modules).

B ORGANISATION RISK

All the staff in the Branch are formally trained in CBS

operations.(If not, furnish the list of employees not

trained)

Jobs assigned to staff have been properly defined and

segregated

Second in line trained System Administrator is available in

the branch to take up the duty of System

Administrator in the absence of the assigned System

Administrator

C ENVIRONMENTAL SECURITY

Server room is not prone to risks like water seepage, flood,

fire or magnetic interferenceBranch Server is being maintained in a dust free and

temperature controlled environment

Systems are maintained neatly/ dust-free

Eatables and drinks are prohibited in the server room

Photography/video equipment and mobile phones are

prohibited in the server room

Server room is kept rodent free

Terminal/nodes outside the server room are switched off

when persons are not working

Physical access to server room is restricted to authorized

persons/identified vendor personnelPhysical access to server room is closely monitored

Server room is kept locked before the branch personnel

leave the Office in the evening

Server is housed sufficiently away from UPS

room/Batteries but close enough to be monitored by

System Administrator

D ELECTRICAL LINES

Electrical wiring is concealed and is not hanging from

ceilings or nodes

Power supply to the computer systems is provided through

UPS only

Check List to IT Procedure


24/110

SL

NO

ASSESSMENT AREA

Power supply to Access control equipment of server room

is provided through UPS only

E DATA CABLING AND CONNECTIVITY

Electric cable and data cable do not cross each other

Leased line connecting cable to the Branch Server is secure

and protected from tampering

Data Cables are properly labeled for identification

Data cabling is secure and no loose data cables are

observed

Redundant communication lines like ISDN is provided

Connectivity is automatically switched over to ISDN in case

of Leased Line failure

FIRE PROTECTION


25/110

SL

NO

ASSESSMENT AREA

Fire-extinguishers are fitted at strategic points viz server

room and UPS room

Refilling of fire extinguishers is done before the expiry date

Branch personnel are aware of the fire extinguisher usage

procedures

Smoke detectors are installed in the business hall and

server room

Smoke detectors are tested for their satisfactory working

2 IT OPERATIONS RISK

A SYSTEMS SECURITY

The stock of hardware has been reconciled

Hardware noted in Asset Register

All hardware are covered under Warranty/ AnnualMaintenance Contract

Floppy drive is disabled in server

USB drive/s is disabled in server and nodes

Devices such as Printer, Modem, Scanner etc are not

connected to the Server

Server/ Nodes in CBS LAN are not connected to external

networks / other networks

Boot sequence is changed to Hard Disk only in Server and

nodes

No unnecessary shared drives/ folders are present in the

server

No unnecessary users/ Groups are present in the server

and nodes

Guest and ILS_ANONYMOUS_USER users are disabled in

server and nodes

Screen saver is set with password option in server and

nodes

Screen savers provided by Microsoft/DIT only are used

All the Operating System Software patches are applied in

server, nodes and Stand alone PCs

Sufficient free space is available in all disk partitions in the

server and other PCs.IP Messaging, Dbase, MS Office, Other applications relating

to clearing, Ret2ABCD etc do not exist in server

Developer 2000 and SQL Navigator are not installed in

server and nodes.

Remote desktop sharing is disabled in server and nodes.

Usage of Net Meeting is recorded with particulars like

purpose, duration, to whom given etc.


26/110

SL

NO

ASSESSMENT AREA

Branch Managers authorization is obtained before the

usage of Net Meeting.

Network components like Switch/Router etc are kept

securely.

Dial up modems are not connected in the network.

IP addresses used are in the range specified by DIT.

Only one node in a branch is entitled to route the IP

messages to Data Center/ Help Desk/DIT/ other branches.

Quarterly back up of IP message log of the node used for

routing messages is taken.

ANTI VIRUS

Anti-Virus solution is implemented in CBS server, nodes

and Stand alone PCsAntivirus solution is updated in CBS server, nodes and

Stand alone PCs

Automatic Full scanning for virus is scheduled in CBS

server, nodes and Stand alone PCs

BACKUP/ DISASTER RECOVERY PROCEDURES


27/110

1

INTERNAL AUDIT POLICY

Chapter Details Page

No.

1 Preamble 3

2 Risk Based Supervision 73 Risk Based Internal Audit (RBIA) 7

4 Offsite Monitoring Cell/ Similar Structure at Bank 8

5 Risk Based Internal Audit Policy

5.1 Functional Independence

5.2 Objectives of risk based internal audit

5.3 Organisation Structure of inspection

system

5.4 Roles & Responsibilities

5.5 Types of Internal-Audit

5.6 Coverage & Areas of Audit

5.7 Objectivity

5.8 Staffing

5.9 Selection of staff for audit system

11

6 Risk Based Internal Audit Strategy

6.1Pre Audit requisite for auditor

6.2 Indexing of Products and Processes

6.3 Identification of Risk

6.4 Indication of Risk Level

6.5 Implementation of the Audit Plan based

on Risk levels

19

7 Using the RBIA Methodology

7.1 At the annual audit planning stage7.2 At the start of individual audits

7.3 At the end of the audit

22


28/110

2

8 The mechanics of Risk Assessment Module (RAM)

8.1 Guiding factors and information for

development of a RAM

8.2 Developing the Risk Assessment

Module (RAM)8.3 Developing a scoring model based on

the RAM

8.4 Distribution of total points

8.5 Weightages assigned to risk grading

8.6 Maximum achievable Risk scores

24

9 Rating under Risk Based Internal Audit

9.8 Branch Audit Rating under the RBIA

Strategy.

9.9 Mapping of branch audit rating to risk

level (control risk)

27

10 Identification of branch business risk 29

11 Audit Risk Matrix (ARM) 30

12 Audit Periodicity 30

13 Measures for Improvement 31

14 Corrective Action Plan CAP (indicative steps) 31

15 Scope and Extent of Checking 32

16 Audit reporting and follow up

16.3 Reporting Pattern

16.4 Structure of the Internal Audit Report

16.5 Grading

16.6 Spot Rectification

16.7 Follow up and compliance

33

17 Performance Evaluation 40

18 Resources 40

19 Outsourcing of Audit assignments under RBIA

strategy

40

20 Standards for Internal Auditors 41

Appendices:

A Appendix-A: Guidance on Risk definitions 44


29/110

3

RISK BASED INTERNAL AUDIT POLICY

1. Preamble

Deregulation and globalization of financial services, together with the

growing sophistication of financial technology, are making the activities of

the bank and thus their risk profiles i.e the level of risk across the firmsactivities / risk categories more complex. Developing banking practices

suggest that there can be substantial risks the banks have to address other

than credit risk, interest rate risk and market risks. However, efficiency of

every bank depends on how effectively it is managing the risks. For this, it

is essential to have in place effective risk management and internal control

systems, which are crucial to the conduct of banking business not only to

lead the bank more profitably but also in compliance of prudential

guidelines, for which a professional approach in risk management is a pre-

requisite.

Some of the growing risks faced by the banks would be like technology

risks, risks associated with mergers and acquisitions, legal risk, outsourcing

risk, etc. These diverse risks can be grouped under the heading of

operational risk. The Basel Committee has defined the operational risk as

t h e r i sk o f l o ss r e su l t i n g f r o m i n a d e q u a t e o r f a i l ed i n t e r n a l

p r o c e ss es , p eo p l e a n d s y s t e m s o r f r o m e x t e r n a l e v e n t s . The

Committee recognizes that the exact approach for operational risk

management chosen by an individual bank will depend upon a range of

factors including its size and sophistication and nature of complexity of its

activities. Clear strategies and oversight by the Board of Directors and

Senior Management, a strong operational risk culture and internal control

culture are all crucial elements of effective operational risk management.

The Basel Committee (1988) while setting out comprehensive core

principles for effective banking supervision spelt out the need for effective

internal controls and internal audit. Thus the purpose of the internal

controls is to ensure that the business of a bank is conducted in a prudent

manner in accordance with the policies and strategies established by the

Banks Board of Directors and the management is able to identify, assess,

manage and control the risks associated with the business.


30/110

4

These controls must be supplemented by an effective audit function that

independently evaluates the adequacy, completeness, operational

effectiveness and efficiency of the control systems within the organization.

Consequently the internal auditor must have the appropriate status withinand adequate reporting lines designed to safeguard his / her independence.

The external audit can provide a crosscheck on the effectiveness of this

process. Banking supervisors must be satisfied that effective policies and

practices are in place and the management takes appropriate corrective

action in response to the internal control weakness identified by internal /

external auditors. The Basel Committee in their Framework for the

evaluation of internal control systems described the essential elements of

sound internal controls system.

There is a need to reorient transaction based internal audit to risk focused

internal audit, which should conduct risk assessment of every activity &

location of the Bank, including risk management function, which has

assumed greater importance.

Keeping in view the importance of the risk management and the roleinternal auditors have to play in ensuring proper risk management to

safeguard the interest of the organization and ensuring better corporate

governance.

Under risk-based internal audit, the focus will shift from the system of full-

scale transaction testing to risk identification, prioritization of audit areas

and allocation of audit resources in accordance with the risk assessment.

Banks will, therefore, need to develop a well defined policy, duly approved

by the Board, for undertaking risk-based internal audit. The policy should

include the risk assessment methodology for identifying the risk areas

based on which the audit plan would be formulated. Risk based policy to

focus on frequency, prioritizing, extent of checking, risk-assessment/

profiling of activities/ functions/ products and their updating, broadening

the risk classifications etc. during audit process.


31/110

5

Internal auditing - overview


32/110

6

Summary of the audit process


33/110

7

2. Risk Based Supervision

Reserve Bank of India in its Monetary and Credit Policy for 2000-01 stated

that they would be developing an overall plan for moving towards Risk-

based Supervision (RBS). Subsequently in August 2001, RBI came out with

discussion paper on moving towards RBS in which they spelt out the line ofaction contemplated in this regard (Circular No. DBS.

/RBS/58/36.01.002/2001-02 dated 13th August 2001). This RBS is

essentially to entail the allocation of supervisory resources and paying

supervisory attention with the risk profile. The frequency of supervisory

inspection would depend upon the risk profile of the bank. As one of

component under this approach, RBI suggested adoption of risk focused

internal audit by banks. Under the proposed RBS approach, the supervisory

process would seek to leverage the work done by internal auditors of banks.

3. Risk Based Internal Audit (RBIA)

RBI vide it's circular no. DBS.CO.PP.BC.10/11.01.005/2002-03 dated

December 27, 2002 provided a guidance note on Risk Based Internal Audit.

RBI advised the banks to initiate necessary steps to review their current

internal audit systems and prepare for transition to a risk-based internal

audit system in a phased manner, keeping in view their risk managementpractices, business requirements, manpower availability etc.

In the eyes of RBI, a sound internal audit function plays an important role in

contributing to the effectiveness of the internal control system. The audit

function should provide high quality counsel to management on the

effectiveness of risk management and internal controls including regulatory

compliance by the bank. Historically, the internal audit system in banks has

been concentrating on transaction testing, testing of accuracy and reliability

of accounting records and financial reports, integrity, reliability and

timeliness of control reports, and adherence to legal and regulatory

requirements. However, in the changing scenario, such testing by itself

would not be sufficient. There is a need for widening as well as redirecting

the scope of internal audit to evaluate the adequacy and effectiveness of

risk management procedures and internal control systems in the banks. To

achieve these objectives, RBI advised the Banks to gradually move towards

risk-based internal audit which will include, in addition to selective


34/110

8

transaction testing, an evaluation of the risk management systems and

control procedures prevailing in various areas of a banks operations. The

implementation of risk-based internal audit would mean that greater

emphasis is placed on the internal auditor's role in mitigating risks. While

focusing on effective risk management and controls, in addition toappropriate transaction testing, the risk-based internal audit would not only

offer suggestions for mitigating current risks but also anticipate areas of

potential risks and play an important role in protecting the bank from

various risks. The risk-based internal audit, on the other hand, undertakes

an independent risk assessment solely for the purpose of formulating the

risk-based audit plan keeping in view the inherent business risks of an

activity/location and the effectiveness of the control systems for monitoring

the inherent risks of the business activity. It needs to be emphasized that

while formulating the audit plan, every activity/location of the bank,

including the risk management function, should be subjected to risk

assessment by the risk-based internal audit. Banks were, therefore, advised

to develop a well-defined policy, duly approved, for undertaking risk-based

internal audit. The policy should include the risk assessment methodology

for identifying the risk areas based on which the audit plan would be

formulated. The policy should also lay down the maximum time periodbeyond which even the low risk business activities/locations should not

remain unaudited. There are certain benefits expected to accrue from the

risk based audit approach to the organizations due to the shift in the

approach to audit. Generally expected changes compared to the traditional

approach are tabled below to add clarity in understanding the RBIA

approach recommended by Regulators all over.

4. Off Site Monitoring Cell/ Similar Structure at Bank

Banks should set-up proper off-site monitoring cell in the Audit Department

or similar structure, the cell/ structure should review the structured MIS on

critical items and sensitise the Controlling Offices and Branches /

Departments for corrective action on a daily basis. The cell should also

sensitise Top Management on serious irregularities, if any on spot basis. To

make optimum use of technology, Bank should consider various system

generated reports for monitoring / controlling operations of the branches.


35/110

9

Frequency of these reports may be looked into on daily, weekly, monthly,

quarterly basis.

4.1 Variance between traditional method of audit and risked based

internal audit:

Audit Area Traditional Method Risk based Audit

Audit Sphere Primarily financial

areas but also

involving compliance

with laws and

regulations, and

operations

All activities of the business

Audit

objective

Confirm internal

controls are operating.

Improve efficiency

Provide assurance on risk

management and that risks are

being mitigated to acceptable

levels through internal controls

that is adequate and that works.

Annual plan Cyclical plan of audits,

not necessarily

dependent on risk

levels

Audits prioritized on risk ranking

Involvement

of the rest of

the

organisation

Minimal. May approve

the audit plan and be

involved at the end of

an audit to agree the

points found

Involved at all stages of

planning and the audit, since

they own the risks and must

provide assurance to the

stakeholders

Staff plan One audit allocated to

one or more staff

More risk focused.

Time budgets Easy to set since the

audit has usually been

done before

Difficult to set. May be a first-

time audit, or one where

systems have changed

Fieldwork and

testing

Based on a set work

programme, where

there may be no clear

objective set, just test

Ensures the organisation has

identified all its risks, and is

controlling them


36/110

10

to carry out

Report Confirms internal

controls are operating

and reports where

they are not

A kind of assurance to

management that its risks are

being kept within the accepted

levels or mitigated to acceptablelevels, and reports if they are

not

Annual report

to the Board /

Audit

Committee

Confirms that the

audit plan has been

completed, and

highlights controls not

operating. Cannot give

any indication as to

the proportion of

significant risks

covered

Provides assurances that the

significant risks across the

organisation are being mitigated

to acceptable levels and reports

where they are not. Can give an

indication as to the proportion of

risks covered.

Staffing Usually by persons

having filed knowledge

and experience and

professional auditors.

Risk appreciation skills a must.

Should be able to identify the

weak links, evaluate the controls

in place and anticipate the

likelihood of occurrence. Self-

motivated, experienced staff

used to working with senior

management. May be specialists

who are not accountants, and

may be seconded.

Direction

indicators

Generally each audit

assignment is

considered on isolated

basis except for listing

out the persisting

deficiencies from the

past reports

Since risk based audit is a

continuous process and the

direction of risk is always one of

the evaluating criteria. Gives

significant importance to the

direction of risk that is a pointer

towards the effectiveness of risk

management put in place.


37/110

11

5. Risk based internal audit policy

The Bank has been following the risk-oriented approach for internal audit

purpose. The observations are classified under low, medium and high risk.

The ratings are based on the risk levels. Risk based policy will focus onfrequency, prioritizing, extent of checking, risk-assessment/ profiling of

activities/ functions/ products and their updating, broadening the risk

classifications etc. during audit process. The basic rationale behind the

suggested policy guidelines enshrined hereunder would be to ensure that

high-risk areas are looked into more frequently and with wider examination

than low risk areas. It is akin to ABC analysis approach in inventory control.

5.1 Functional Independence

5.1.1 As envisaged in the guidelines issued by Reserve Bank of India, the

Internal Audit Department should be independent from the internal

control process in order to avoid any conflict of interest and should be

given the appropriate standing within the bank to carry out the

assignments. Such independence would also be maintained by the

department while carrying out the audits under Risk Based approach as

well.

5.2 Objectives of Risk Based Internal Audit:

5.2.1 To contribute to Banks responsibilities in preparing itself for move

towards Risk Based Supervision (RBS) in so far as adoption of Risk

focused Internal Audit is concerned.

5.2.2 Putting in place a risk assessment methodology which, amongst other

things, would enable development of independent risk assessments,

capture the applications and effectiveness of risk management

procedures and assist critical evaluation of internal control systems for

formulation of a risk based audit plan and ensuring deployment of

audit resources according to risk profiles of the auditee units.

5.2.3 Provide basis for risk audit scoring of the auditee units based on

evaluation of their risk profiles, risk management and control

procedures and results of any substantive audit tests / procedures

performed by the auditor.


38/110

12

5.2.4 To enable the internal audit to serve as an independent, objective

assurance and consulting activity.

5.2.5 To define and design the suitable risk based internal audit strategy

commensurate with the underlying risks, organizational structure and

needs for implementation. The scope of internal audit shall encompassthe examination and evaluation of the adequacy and effectiveness of

the Banks system of internal control and the quality of performance in

carrying out assigned responsibilities.

5.3 Organization Structure of Inspection System:

5.3.1 Internal audit shall be independent of the activities they audit.

Independence permits internal auditors to render impartial and

unbiased judgments essential to the proper conduct of audits. This

independence shall be achieved through organizational status and

objectivity.

5.3.2 The organizational status of the internal audit department shall be

sufficient to permit the accomplishments of its audit responsibilities

5.3.3 Ideal organization structure for inspection system comprises Audit

Committee of the Board (ACB), Audit of Committee of Executives

(ACE) and Inspection/ Audit Department (IAD).

5.4 Roles and Responsibilities:a) Audit Committee of Board :

It oversees overall Internal Audit function of the bank. The committee

will guide in developing effective internal audit, concurrent audit, IS

audit and all other inspection & audit functions for protecting the assets

of the bank. The committee will monitor the functioning of the Audit

Committee of Executives and inspection/ audit department in the bank.

b) Audit Committee of the Executives (ACE)/ Zonal Audit Committee of theExecutives (ZACE)

i. The Committee suggests that all the PSBs should form Audit Committeeof Executives (ACE) headed by the Head of Audit (IA&A), General

Manager (Risk) and other two General Managers as Members. Large

banks with many branches can have Zonal Audit Committee of


39/110

13

Executives (ZACE) with similar composition at lower level; the

composition of which would be approved by CMD. If so required, officers

of the auditee verticals / departments and other officers in IAD shall

attend the ACE meetings for selected agenda items.

ii.

ACE/ ZACE should meet minimum six times in a year, at least once in aquarter with a minimum quorum of four members. The ACE & ZACE will

work under the guidance of ACB and all the minutes of ACE & ZACE

should be put up to ACB.

iii. The ACE is authorized and empowered to approve/ratifychanges/amendment in the scoring pattern, rating parameters and

reporting formats.

iv. All Very High Risk Audit Reports Critical Findings (Below 40% marks)should be put up to ACB. Banks may also consider putting up to the ACB

reports of High Risk branches (at least the critical findings in reports of

High Risk Branches). Other reports should be put up the ACE & ZACE.

However, closure of such reports can be done by CGM- Inspection/ Audit

Department. The responsibilities of the ACE shall include:

Reviewing the scope and nature of the work of the IAD and reviewinternal audit reports and compliances thereof;

Review of the significant findings arising from all internal auditreports, including concurrent and Information System (IS) audit

reports;

Review and recommend Annual Risk based Audit Plan of the Bank toACB for consideration and approval;

Review the progress of Audits vis--vis scheduled audits as per theapproved Annual Audit plan;

Review and revision of existing Risk Assessment Models (RAM), andadoption of new RAM for different verticals;

Review coverage/ area of various types. Review of audit report/ checklist Review of various audit policies To report the significant findings of audit reports and also other

matters as required for consideration of ACB.

c) Inspection/ Audit Department (IAD)


40/110

14

i. Policy formulation in respect of inspection function keeping in view- Reserve Bank of India/Government of India guidelines- Observations made by the RBI Inspectors during their inspection of the

Bank.

ii. Placing notes before the Top Management and Audit Committee ofthe Board on periodic basis.

iii. Drawing up of Annual Action Plan for inspection of branches andfunctional departments and placing the same for approval to ACE andACB.

iv. Regular monitoring of Annual Action Plan and ensure that the auditsare conducted as per its periodicity specified in the audit policy.

v. To study that requisite number of internal staff for carrying out /fulfilling the Annual Action plan of audit plan and requiredinfrastructure, necessary arrangements are made.

vi. Selection of internal staff for Audit/ inspection and appointment ofconcurrent auditor and review of their performance.

vii. To evaluate internal audit system/ Concurrent Audit system.viii. Monitoring the inspections conducted at various branches/offices by

the RBI u/s 35 of Banking Regulation Act and FEMA.

ix. Review of audit report and initiating necessary actionx. Monitoring of pending inspection/ audit reports and ensuring timely

closure.

xi. Undertaking investigations covering staff accountability in the case ofcomplicated fraud cases, credit irregularities, transgression ofpowers, etc. and appraising the findings to the Competent Authority.

xii. Provide necessary guidelines for conducting inspection of variousoffices/ locations of the Bank and ensure proper implementation ofthese guidelines.

xiii. Updating of structured formats for inspection/audit.xiv. Updating Inspection Manual/Kit for use of the Inspecting officials.xv. Issuing guidelines / instructions from time to time on preventive

aspects of irregularities and risk mitigation measures

xvi. Arranging internal and institutional training needs of the personnelxvii. Maintaining data on the Branch risk carry out rating migration

analysis and initiating of necessary action.


41/110

15

xviii. Reviewing the reliability and integrity of financial and operatinginformation and the means used to identify, measure, classify andreport such information. To this end internal auditors shall examineinformation systems and ascertain whether: (a) Financial andoperating records and reports contain accurate, reliable, timely,complete and useful information; (b) Controls over record keeping

and reporting are adequate and effective.

5.4.1 Internal auditors shall also be responsible for:

(i) assisting in the deterrence of fraud by examining and evaluating the

adequacy and the effectiveness of control, commensurate with the

extent of the potential exposure / risk in the various segments of

the Banks operations. In carrying out this responsibility internal

auditors shall determine whether:

(a) The organizational environment fosters control consciousness;

(b) Appropriate authorization policies for transactions are established

and maintained;

(d) Communication channels provide management with adequate and

reliable information;

(e) Recommendations need to be made for the establishment of cost-

effective controls to help deter fraud.

(ii) Reviewing operations or programmes to ascertain whether resultsare consistent with established objectives and goals and whether

the operations or programmes are being carried out as planned.

(iii) Identifying all risk areas within the Bank and determining whether

effective and adequate control systems exist in these areas.

(iv)Planning and conducting the audit assignments subject to

supervisory review and approval.

5.4.2 Supervision by Head-Audit

Supervision shall be a continuing process, beginning with planning andending with the conclusion of the audit assignment. The Head-Audit

shall be responsible for providing appropriate audit supervision.

Supervision shall include:(i) providing suitable instructions to subordinates at the outset of the audit;

(ii) ensuring that the approved audit program is carried out unless

deviations are justified and authorized;


42/110

16

(iii) determining that audit working papers adequately support the audit

findings, conclusions and reports;

(iv) ensure that the audit reports are accurate, objective, clear, concise,

constructive and timely; and

(v) determining that audit objectives are being met. 5.6.3 All internalauditing assignments, whether performed by or for the internal auditing

department, shall remain the responsibility of the Head-Audit.

5.4.3 General guidelines

The Board of Directors (BOD) / Management of the Bank shall have thegeneral responsibility for taking such steps as are reasonably available

to them to safeguard the assets of the Bank and to prevent irregularities

and fraud. The BOD / Management shall maintain effective systems ofcontrol including an internal audit function.

The internal audit function shall be carried out by Internal AuditDepartment of the Bank and will function under those policies, which

have been established by the management and approved by the ACB /

Board. It shall be an independent appraisal function established to

examine and evaluate the Banks activities.

5.5 Types of Internal Audit

The Internal Audit Department shall undertake audits as per Risk

Based Internal Audit Plan as approved by the Audit Committee of the

Board on annual basis. The Audit Plan shall comprise mainly the

Internal Audit, Information System Audit, Concurrent Audit, Credit

Audit and Snap Audit. IAD shall develop suitable Audit Manual for such

audits. IS Audit policy and Concurrent Audit Policy shall form part of

this policy and be taken to ACB for review and approval on annual

basis. Snap audit of newly opened branches shall be undertaken

generally within six months of their opening. However, under certain

circumstances like staff shortage, excess work pressure on available

man-power, etc., Head-Audit could consider granting extension of 3

months in such cases. Significant findings be reported to ACE/ACB on

quarterly basis.


43/110

17

5.6 Coverage/ areas of audit

5.6.1 To have effective audit, there is a need to clearly define the scope of

audit, depth of verification etc for branches covered under concurrent

audits.

5.6.2 The concurrent audit is being conducted at selected branches on

ongoing basis i.e on monthly basis, whereas internal audit is to be

conducted periodically depending on risk / business involved.

- In view of moving to Risk Based Concurrent Audit, the committee has

devised single check list and separate report formats for concurrent audit

and internal audit. However, committee suggests bifurcating audit areas

as High Risk, medium risk and low risk accordingly, Individual banks,

based on their risk profile may classify the areas and coverage can befixed under both internal and concurrent audit. However, all areas

forming part of check list to be verified under Internal Audit by

inspectors.

- For defining quantum of verification, business of the branches and riskinvolved in internal control of the branches/ risk profile of the branches

are to be considered.

- Observations made under Loan Review Mechanism (LRM) also may beconsidered by the inspector while undertaking Internal Audit.

- Depth of verification to be specified for various areas like 100%verification, sample size and selection of sample etc

- Banks should also consider the coverage of other audits while fixing thedepth/ quantum of verification to avoid duplicity of audit work.

- Wherever verification is less than 100%, auditor can use the techniqueof sample selection. It is expected that, on each aspect, the auditor

should select a sample that would be representative enough to

sufficiently bring out the criticality involved. Sample should be selected

in such a way that, they constitute fairly representative picture of the

portfolio. The sample size would depend on the size of the branch and

the importance of the business function in the overall portfolio of the

branch operations. While featuring, the size of the sample and the

proportion of the sample in which the deficiency was observed should be

indicated.


44/110

18

5.7 Objectivity5.7.1 The internal auditors shall be objective in performance of their duties.

Objectivity is an independent mental attitude. They shall not be

involved in performing functions like drafting procedures for systems,

and designing, installing and operating systems as these activitieswould impair their objectivity.

5.7.2 Internal auditors shall audit in such a manner that they can have an

honest belief in their work product and that no significant and quality

compromises are made. They shall not be placed in situations in

which they feel unable to make objective professional judgments.

5.7.3 Internal auditors assignments shall be made in such a way that

potential and actual conflicts of interest and bias are avoided. The

Head-Audit shall periodically obtain from the staff information

concerning potential conflicts of interest and bias.

5.7.4 Internal auditors shall report to the Head-Audit any situations in

which a conflict of interest and bias are present or may reasonably be

inferred. The Head-Audit shall then reassign such auditors to other

assignments.

5.7.5 Internal auditors shall not be permitted to work in a particular

department over long periods of time. Assignments of internalauditors shall be rotated periodically whenever it is practicable to do

so.

5.7.6 Internal auditors shall not assume operating responsibilities.

However, if on occasion, management directs internal auditors to

assume operating responsibilities, it shall be understood that they are

not functioning as internal auditors.

5.7.7 Internal auditors shall not audit any activity for which they have

authority or responsibility.

5.7.8 Persons transferred to or temporarily engaged by the Internal Audit

Department shall not be assigned those activities they previously

performed until a period of at least six months has elapsed.

5.8 Staffing

5.8.1 The Head-Audit shall be supported with requisite number of Deputy

General Managers (DGMs), Assistant General Managers (AGMs) and


45/110

19

other officers in different grades. He shall establish suitable criteria of

education and experience for filling vacancies in the internal audit

department giving due consideration to scope of work and level of

responsibility.

5.8.2 Internal auditors, whenever necessary, shall be drawn from within theBank from other line and staff functions.

5.9 Selection of staff for audit systemBank shall clearly define the guidelines for selecting internal staff for

Inspection/ Audit work. The guidelines may include the following

Minimum experience in the bank Minimum exposure to various functions of the bank Educational qualification Minimum tenor in the department Auditor should not have worked as reporting junior to the auditee branch

head

6. Risk Based Internal Audit Strategy

Risk Based Internal Audit has following 4 dimensions

(i) Pre Audit requisite for auditor

(ii) Indexing of Products, Services, Processes

(iii) Identification of risks

(iv) Indication of level of risk

(v) Implementation of Audit Plan based on Risk level.

For the sake of convenience a suggestive list of different type of risks is

given at Appendix-A to this policy document.

6.1 Pre Audit requisite for auditorTo carry out effective audit and accomplish audit objectives, auditor needs

to plan his audit assignment. However, meaningful plan can be drawn only

after understanding major issues and areas to be focused rigorously. This

understanding will come if auditor has enough background about overall

risk profile of the branch. There is a need to provide relevant information to

auditor before commencement of the audit.

The controlling office should have a system of maintaining and updating

branch profile which includes ongoing issues at the branch and system


46/110

20

generated reports. This information to be made available well in advance to

the auditor as pre-audit requisite, to plan and undertake audit assignment

6.2 Indexing of products and processes

(i) This primarily means compiling of Audit Universe, so that risk

focused audit is a comprehensive exercise covering all the activitieswithin the bank;

(ii) This should cover All Products, Services, Processes;

(iii) Audit Universe must be reviewed periodically for addition,

substitution or modification;

(iv) Head-Audit is responsible for ensuring the comprehensiveness of

the Audit Universe. To achieve this objective, Heads of line functions /

products should keep Internal Audit informed of all the changes in

products, designs, controls, processes and the product/ process

manuals / programs for evaluating risk and designing necessary

changes in audit programs.

(v) Review needs to be completed latest by April every year.

6.3 Identification of risk

The objective of this process is to identify risks to which the organization is

exposed, and to develop a logical, well-defined methodology to assess,quantify and classify risks. This enables Internal Audit to effectively

determine resource requirements, and decide upon their appropriate

allocation. The goal is to provide an evaluation of the risks associated with

the auditable entities from a business perspective, and to develop a basis

for preparing the annual audit plan.

(i) Risk evaluation to be done for both Inherent Business risk and Control

risk.

(ii) The evaluation process is captured in Risk Assessment Module (RAM).

(iii) When new products and processes are introduced, RAM exercise would

be undertaken for their risk evaluation.

(iv) RAM will be revisited for Changes in Processes, Products and services

(v) Head- Audit is overall responsible for the process of identification of

risks either through group processes, delegation of assignment within

department or within the bank and in case of need can solicit / avail the


47/110

21

assistance of specialists wherever considered necessary and expedient.

(vi) Review needs to be completed latest by April every year.

6.4 Indication of Risk Level

(i) This is an important step in the risk based internal audit as it takesthe inputs of risks, from the identification process and would lead to

the implementation process.

(ii) Audit team would indicate the level of risk at Branches or at

functional units based on their findings and judgment about the risk

grade (e.g. High, Medium, Low).

(iii) The risk indication process involves auditing and resultant grading

of risk. This grading will be an assessment of control risks. While

carrying out the risk indication, auditors need to take into account the

status of laid down control mechanisms and also the compensatory

controls that units might be putting in place in lieu of or in addition to

the prescribed internal controls to serve the objectivity of the exercise.

(iv) Grading would indicate the chances or probability of risk envisaged

in the identification process, being crystallized in to actual threat.

(v) It is a pointer towards vulnerability of the branch/unit towards

potential loss. Hence, needed to be precisely assessed to the extentpossible.

(vi) The Corrective Action Plan (CAP) of the controller would depend

upon the audit rating based on control risk.

(vii) The direction of the risk increasing, stable & decreasing, should

also be identified

6.5 Implementation of the Audit Plan based on Risk Levels:

(i) Head Audit is responsible for smooth implementation of the audit plan.

Based on the risks assessed and the status of the internal controls he

had to draw and design Risk based internal audit plan and submit before

the Audit Committee for approval.

(ii) Audit Planning should encompass Scheduling, Prioritizing, and

Determination of scope and extent of checking.

(iii) Audit Planning should essentially consider the Vulnerability and Volume

of business.


48/110

22

(iv) For scheduling, the Audit Risk Matrix (ARM) be prepared, in which

inherent Business risk and control risks are mapped. The risk

assessments (inherent and control risks) would be based on a three-

point risk grading namely high, medium and low. The substantive audit

tests / procedures would be carried out by auditor(s), based on theassessed Control risk. The Audit Risk Matrix (ARM) arrived at after

consideration of the inherent and control risks, would be based on a five-

point risk grading namely Extremely High, Very High, High, Medium and

Low.

(v) As bank has adopted functional approach as organizational

structure/philosophy viz; Corporate (ICG, LCG, MCG), Retail (Personal

Banking, SME, Agri), Operations, Transaction Banking, the branches

would be put in respective risk buckets for each functional area. This

needs to be periodically reviewed keeping in view the changes in

reporting lines, organization structure etc.

(vi) Business Risk may primarily indicate / rest on the volume of business,

Business mix, growth rate and/or profits/ losses either in isolation or in

relative terms to the total volume of banks business would be

considered for deciding the inherent business risks.

(vii) In the initial phase, the volume of business would be taken as corecriteria of business at risk. Going forward, the composition of various

products and their inherent risks in the business mix would be

considered by assigning suitable scores for each product for arriving at

weighted business at risk.

7. Using the RBIA methodology

The methodology is to be used on a number of occasions during the audit

cycle:

7.1 At the annual audit planning stage

7.1.1 Once an audit is completed a copy of the completed & updated risk

assessment should be filed for access at the time of the annual audit

plan. The risk assessment methodology should include, inter alia, the

following parameters:

(i) Pervious internal audit reports;


49/110

23

(ii) Proposed changes in business lines or change in focus;

(iii) Significant changes in management/key personnel;

(iv) Result of the latest regulatory examination reports;

(v) Reports of the external auditors;

(vi) Industry trends and other environmental factors;(vii) Time lapsed since last audit;

(viii) Volume of business and complexity of activities;

(ix) Substantial performance variations from the budgets.

At this time, the risk assessment should also be updated to take into

account the changes in business environment, activities and work

processes etc.

7.1.2 Audit plan needs to be approved by the Audit Committee of the

Board. It should include the schedule and the rationale for audit work

planned. It should also include all risk areas and their prioritization

based on level and direction of risk.

7.2 At the start of the individual audits

7.2.1 At the planning stage for ongoing audits, the team leader / sole

auditor will obtain the latest version of the relevant risk assessmentand review the assessment in the current context. This will normally

involve no more than internal discussion, and meetings with

management responsible for the area in question, unless the auditor

is - or becomes - aware of major changes within the area. At this

stage, the risk assessment will form the start of the detailed audit

planning, during which inherent risks of the area will be reviewed in

much greater detail; control objectives will be established and an

audit programme (plan) will be established.

7.2.2 Documentation will show the trail for this process, and allow any

subsequent review to see how the audit programme matches and

covers the risks and control objectives of the area in question.

7.3 At the end of the audit

The methodology will also be reviewed at the end of the audit, and

the area in question will be given a risk assessment again. This


50/110

24

assessment is likely to be the most important (and accurate) in the

audit cycle, coming at a time when internal audit has first-hand, up-

to-date information on which to make the assessment.

8. The mechanics of Risk Assessment Module (RAM)

8.1 Guiding factors and information for development of a RAM

Important factors like process reengineering and certain controlled

information must be considered appropriately for purposes of risk

assessment and risk grading of the auditee entity. Some of such

factors / controlled information would include but not limited to:

(i) Centralized functioning of activities / processes viz. Central /

Regional Processing units, Retail Assets operations etc.

(ii) Functioning of centralized controlling units within the organizationviz. Credit administration for corporate / retail assets, Corporate

and Retail risk etc.

(iii) Functioning of concurrent audit at branches / Corporate office

units

(iv) Availability of data from information systems that could be used

for performance of effective off site procedures

(v) Automated processes viz. interest application in accounts, cheque

return charges etc.

(vi) Incidence Reporting system for Operations Risk, data from CORE

and the discussion papers in Operational Risk Committee, Zonal

Operations (CMO) review reports and Branch head Compliance

Certificates (BHCC), Reports of RBI under AFI or any other form of

inspection by whatever name called etc.

(vii) Various MIS and regulatory returns submitted that might capture

exceptions and major impact e.g. fraud reports (FMRs) submitted

to RBI etc.

The auditor would evaluate the quality of information available from

these channels and place effective reliance on them for the purpose

of risk assessments and subsequent substantive audit tests /

procedures. Other sources of information on which reliance is

proposed to be placed can be individually discussed and concurred

upon with Head-Audit on a case-to-case basis.


51/110

25

8.2. Developing the Risk Assessment Module (RAM)

A RAM would be developed for each significant auditee unit viz.

business, division, product, support area or a branch location and

broken down into relevant parts (i.e. products, processes etc) toaddress the auditee units activities and related risk profile

comprehensively. Each of the parts would be divided into sub parts and

further into detailed activities to ensure audit coverage of all-important

aspects within a particular part. Inherent risk would be identified and

documented for each activity under the sub parts / parts of the RAM.

The inherent risks would then be graded on a three-point scale of high,

medium or low. Against each identified inherent risk, existing control

procedures (risk mitigants) that provide higher level of assurances to

the auditor would be noted. Implementation of the RAM and its

continuous assessment for any refinements, would be a primary

responsibility of the concerned product / process owners within the

Internal Audit department.

8.3 Developing a scoring model based on the RAM

Each RAM would have an accompanying scoring model. The scoringmodel would have a Total Score (TS). These TS points would be

distributed amongst various parts, and further allocated internally to

sub parts and finally to various activities within each sub part. Audit

Committee of Executives (ACE) shall review all type of risk assessment

models every year while considering the annual audit plan and may

amend the model keeping in view the changes in organizational

products/processes etc.

8.4 Distribution of total points:

8.4.1 Each part (i.e. the product or process) should be assigned a

percentage weight depending on the significance of the part to the

auditee unit(s) total activities. For e.g. in respect of a Retail branch

location, there could be three parts viz. i) Retail Products (Assets and

Liabilities), ii) Retail services (Remittances, Cheque collections, Cash

Management Services, Depository services and Third Party


52/110

26

Distribution) and iii) Branch operations. The TS thus gets allocated to

each of the parts based on the percentage weight allocated.

8.4.2 Each sub part within a part would be assigned parameter weights

such that the sum of parameter weights of all the sub parts must

total to the assigned score for the applicable part. The parameterweights should be assigned depending on the significance of the sub

part within the applicable part.

8.4.3 Each activity within a sub part would be assigned a rating score

(depending upon the significance / controls designed) such that the

sum of rating scores of all the activities put together total to the

assigned parameter weight of the applicable sub part. The rating

scores should be assigned to each activity depending on its inherent

risk grading and other factors including but not limited to past history

of the inherent risk crystallizing into a loss or a liability for the

organization.

8.5 Weight-ages assigned to risk grading

Weights would be assigned to respective risk grading viz. Very Low,

Low, Medium, High, Very High as may be decided by Head- Audit. The

very low indicates the lowest probability or unlikelihood of the riskoccurrence while the very high indicating the highest probability or

certainty of risk crystallization. The present weight-ages would be 100

%, 80%, 50%, 20%, 0% or in decimal terms 1,0.8,0.5,0.2, 0.

8.6 Maximum achievable Risk scores

8.6.1 For each activity, there would be a maximum achievable score based

on the product of i) weight assigned to the highest Risk grading and

ii) rating score. Sum of the maximum scores for all the activities

under a sub part would provide the maximum achievable Risk score

for that sub part and sum of maximum scores for all sub parts taken

together would provide the maximum achievable Risk score for the

applicable part. Sum of maximum achievable Risk scores for all parts

put together would provide the maximum achievable Risk score for

the auditee unit(s).

8.6.2 In case any part or sub part of the risk assessment module is not


53/110

27

applicable for any particular unit the same would be excluded while

arriving at the risk profile of the units. Hence the total points would

stand calibrated based on the applicable scores and the scores

obtained. This is to ensure that the unit is neither penalized nor given

undue credit for the activities not carried out by them.

9. Rating under Risk Based Internal Audit

9.1 All the branches and audit units would be awarded an Audit Rating

based on the risk based internal audit carried out during the year. The

rating would primarily focus on the controls and compliance level at the

branch assessed for each risk parameter that are predetermined as

stated above.

9.2 Approval of the ACE would be obtained whenever rating model needs achange and it would be reviewed on yearly basis to avoid measuring of

branch performances in two different platforms thus making them not

comparable.

9.3 The bank may develop any rating mechanism either on grading basis or

attributes for any other units or activity of the banks. Wherever no

comparable units exist, the bank would not award ratings eg. -

different products, only one centralised unit, activities carried out are

not similar, Head Office (HO) departments, Management audits etc.

9.4 Head- Audit (or any other senior officer designated by Head-Audit)

would convey the rating awarded to the branches to them in writing.

He may also choose to withhold the rating for any particular reason, if

considered necessary and keep Top Management informed of the

same. He may also convey the areas where the branch has to focus

attention in order to strengthen controls.

9.5 The rating awarded is normally for a period till the next audit is carriedout. The rating awarded would not provide assurance or guarantee to

the branch or to the controllers against any frauds committed / that

may be committed and hence should not be construed as insurance

against frauds. The rating in successive audits need not be in step-by-

step approach but depending upon the improvements/ deterioration

the ratings may be accelerated one.

9.6 Head- Audit to inform ACE/ACB the migration of the ratings of branches


54/110

28

on Annual basis.

9.7 Keeping in view the organizational structure, the rating would be

awarded function wise in case of major mixed branches where each

activity is significantly visible.

9.8 Branch audit

Pors 1 04-Dec-2012 Policy & Others

Documents

Transcript of Pors 1 04-Dec-2012 Policy & Others