
Annexure to Cir. Admin 05 - I S AUDIT POLICY - 2012-13

Information Systems Audit (I S Audit) Policy 2012-2013
PREAMBLE:
1. The present Information Systems (I S) Audit Policy, approved by the Board on 26.03.2011, is
in place. The I S Audit Policy is subjected to an annual review to ensure its continued relevance
and effectiveness. In continuation of the existing policy, certain modifications and
improvements have been made in the current policy for 2012-13.

Mission Statement
Indian Bank is committed to achieving the highest quality in IS Audit, in tune with the best
practices in the industry.

2. Basis for I S Audit Policy

The framework and policy formulation for audit of technological risks has emanated from the
report of the working group constituted by RBI for finalising the standards and procedures for IS
Audit and IS Security for the banking and financial sector, titled ‘Information Systems Audit
Policy’ (including the Information System Security guidelines), and from the latest RBI working
group guidelines on electronic banking and information security published in April 2011.
3. Objectives & Scope of IS Audit.
3.1 Objectives
It is essential for the Bank to ensure that its Systems Assets / Resources and IT Processes are
dependable, controlled and protected from misuse at all times. As part of the confirmatory
process, it follows that all IT systems are audited at periodic intervals and a report on their
status is submitted to the Audit Committee of the Board.
Major objectives of the Information Systems Audit Policy:
• Safeguarding Information Systems Assets / Resources and IT Processes
• Verification of Data integrity and Security
• Evaluation of System effectiveness and efficiency
• Verification of compliance with internal guidelines & procedures in addition to legal,
regulatory and statutory requirements.

a) Safeguarding Information Systems Assets / Resources and IT Processes:

• Monitoring effective usage of hardware, software, networking & communication
facilities, people (knowledge), system documentation, supplies etc.
• Evaluation of infrastructure (like power, air conditioning, humidity control, physical
security, surveillance and monitoring, incident monitoring etc.) in safeguarding of I S
Assets / Resources.

b) Verification of Data integrity and Security:

Validate that the data entered and captured in the system is duly authorised, verified and
complete, and that proper control is exercised at all stages, viz. data preparation, input,
verification, output, modification, deletion, electronic transmission, etc., to ensure the
authenticity and correctness of data.
c) Evaluation of System effectiveness and efficiency:
Evaluate the extent to which the organisational goals, business and user needs have been
met, and determine whether resource utilisation is effective and efficient in achieving
the desired objectives.
d) Verification of compliance with internal guidelines & procedures in addition to legal, regulatory
and statutory requirements.
Evaluate the level of compliance on

Page 1
A
Information System (IS) Audit Policy 2012-13 & Internal guidelines
• adherence to maintenance of Integrity, Confidentiality, Reliability, Availability and
Dependability of information resources;
• Legal, Regulatory and Statutory requirements;
• Internal Policy and Procedures based on prescribed standards and guidelines.

3.2. Scope of I S Audit:

The scope of I S Audit includes the collection and evaluation of evidence / information to
determine whether the Information Systems in use safeguard the assets, maintain data
security / integrity / availability, achieve the organisational goals effectively and utilise the
resources efficiently. It also includes the processes for the planning and organisation of the
Information Systems activity, the processes for monitoring such activities, and the
examination of the adequacy of the organisation and management of the I S specialist staff and
of non-specialists with I S responsibilities, to address the I S exposures of the organisation.

The I S audit covers all the computerised departments/offices of the Bank including CBS
Project office / Data Centre, DR Site and branches under Core Banking Solution, Overseas
Branches, Service Branches, ATM Switch and ATM service centre, Credit Card Centre,
Treasury Branch, NEFT/ RTGS Cell, and any other new area of IT implemented / to be
implemented by the Bank. In short, it includes all the activities/areas of the organisation, where
IT systems are used for business purposes.

4. I S Audit Methodology:

I. Identify the risks that the organisation is exposed to in the existing computerised
environment and prioritise such risks for remedial action.
II. Verify whether the implementation of Information Technology in the organisation is as per
the parameters laid down in the Information Security Policy, as duly approved by the Board
of Directors.
III. Verify whether Information Systems policies have been devised covering the various
information assets of the entire organisation, and that the organisation’s systems and
procedures and the laid-down I S security policies are adhered to.
IV. Verify whether the checks and balances prescribed by the I S security policy and other
relevant guidelines are strictly adhered to / complied with, towards risk mitigation through
proper maintenance and prevention of abuse / misuse of I T assets and computer crimes.
V. Verify and comment on the level of checks and balances for ensuring compliance with the
laid-down control measures.
VI. Adhere to the established norms of ethics and professional standards to ensure quality
and consistency of audit work.

5. I S Audit Set up
5.1 Audit Charter:
Where I S Audit is outsourced, the responsibility, authority and accountability of the information
systems audit function has to be appropriately documented in the engagement letter, clearly
defining the responsibility, authority and accountability of the IS Audit function.

The responsibility and accountability of internal I S auditors will be the same as those applicable
to general inspecting officials as per the prevailing internal inspection / audit guidelines.

5.2 Independence:
To maintain the independence of the I S Audit function (Inspection Department) from other
departments and offices, its personnel shall report to AGM, IS AUDIT Cell. AGM, IS AUDIT
Cell will report to the Chief Audit Executive (CAE) / General Manager Inspection, who shall
report to the Audit Committee of the Board through the Executive Director / Chairman and
Managing Director.
The Inspection Department shall be independent of the activities audited. The I S Audit Cell at
CO: Inspection Department and CO: I S Security Cell should be managed by two different
groups, under different controlling authorities / General Managers, to avoid conflict of interest.
5.3 Responsibilities:
The primary responsibility of I S Audit is to achieve the objectives of the I S Audit function
as enumerated in Para 3.0 of this policy document. In brief, the responsibilities of the I S Audit
function of the Bank are to
I. Identify and assess potential risks to the Bank’s operations.
II. Assess the means of risk mitigation and safeguarding of IT assets
III. Review the adequacy of controls established, to ensure compliance with the policies,
plans, procedures, and business objectives.
IV. Assess the level of compliance to established procedures / controls
V. Assess the reliability and security of financial / management information and the
systems and operations that provide this information.
VI. Assess the level of utilization of I T resources to understand their efficient and effective
use for business growth.
5.4 Authority:
The Inspection Department / System, in the course of its I S Audit activities, is authorised to
have unrestricted access to all areas of the bank, activities, documents, records, information,
properties, personnel etc. relevant to the performance of the I S Audit function, and may
require all members of staff and Management to supply such information and explanations as
may be needed to I S Audit staff within a reasonable period of time.
Heads of Departments / Branches should inform the Inspection Department / System without
delay of any significant incident concerning security and / or compliance with regulations and
procedures.
5.5 Organisational Structure

[Organisation chart in the original; the boxes it shows are listed here]
Board of Directors
Chairman and Managing Director
Audit Committee of the Board; Executive Director; HO: Audit Committee
General Manager (Inspection)
Deputy General Manager
A G M (I S Audit Cell) - I S Audit Cell
Inspection Centres: IC Chennai, IC Coimbatore, IC Delhi, IC Hyderabad, IC Kolkata,
IC Mumbai, IC Thanjavur

5.5.1. I S Audit resource persons of ACB - ACB will have an adequately skilled composition of
Directors to manage the complexity of I S Audit Oversight. A designated member of the Audit
Committee needs to possess the relevant knowledge of Information Systems, I S Controls and
I S Audit issues. The designated member should also have relevant competencies to
understand the ultimate impact of deficiencies identified in IT Internal Control framework by the
IS Audit function. The Board or its Audit Committee members should be imparted training to fill
any gaps in the knowledge related to IT risks and controls.

5.5.2 - Functions of ACB on I S Audit related areas - The Audit Committee should devote
appropriate and sufficient time to I S audit findings identified during IS Audits and members of
the Audit Committee would need to review critical issues highlighted and provide appropriate
guidance to the Bank’s management.

5.5.3. IS Audit Cell - Bank will have an exclusive Cell with IS Audit function, within the Inspection
Department led by an IS Audit Head (Assistant General Manager, preferably with CISA/DISA
Qualification), assuming responsibility and accountability of the IS audit function, reporting to
the Chief Audit Executive (CAE)/General Manager, Inspection.

5.5.4 Wherever the bank uses external resources for conducting IS Audit in areas where the
required expertise / professional skills are lacking within the bank, the responsibility and
accountability for such external IS audits shall remain with the IS Audit Head – AGM and
CAE/General Manager, Inspection.

5.5.5 Officers with sufficient exposure of, say, 3 to 5 years in information technology, with
CISA/DISA/CISSP qualification, will be inducted into IS Audit Cell.

I S Audit cell shall work in co-ordination with CO: TMD, CO: RMD and CO: IS Security Cell with
regard to various operational and security guidelines covering various assets of Information
and Communication Technology infrastructure used by the bank.
5.6. Accountability
(i) The Inspection Department shall prepare an annual plan for I S Audit along with RBIA
(regular inspection), covering all the computerised environments of the Bank, viz. Branches /
Offices / Departments etc., as per the periodicity prescribed in the Inspection & Audit Policy
document.

(ii) Segmented risk profiling of IT Resources / Processes / Infrastructure is to be made by
CO: ISSC, in consultation with CO: RMD and CO: TMD, covering all critical Assets to begin
with. Based on the risk profiling / risk assessment provided by CO: ISSC, IS Audit Cell will
prepare a scoping document and Risk Based I S Audit (RBIA) Plan covering all critical I S
Assets used in the CBS environment.

(iii) The plan covering I S Audit of Branches / Offices / Departments / Critical Resources, as
approved / finalised by the General Manager, Inspection, shall be placed for approval / adoption
by ACB.

In case of need, the General Manager, Inspection may make modifications to the approved plan
based on exigencies and keep ACB apprised of such modifications.

(iv) The I S Audit Cell of Inspection Department is responsible for deciding on the scope /
Timing of I S Audits and in finalisation/ implementation of I S Audit Plan. I S Audit covering
Branches/Offices/Departments will be implemented by I S Audit Cell through Inspection
Centres.

However I S Audit of Critical Resources may be carried out by utilizing the services of External
Resources, (wherever required Professional / Technological expertise is not available
internally). The I S Audit Cell at CO: Inspection Department shall coordinate with External I S
Auditors whenever their services are engaged for any I S Audit activity in the Bank.


(v) I S Audit Cell shall ensure strict adherence to timely I S Audit of the I S resources as per
the approved plan. The IS Audit Cell (CO: Inspection Department) shall follow up the I S Audit
through Inspection Centres in the case of branches, and through CO: TMD & CO: ISSC in the
case of critical resources, and ensure timely rectification / compliance (by Zones for the
branches and by CO: TMD for other critical resources). CO: I S Audit Cell shall place a periodic
review report on the above to ACB and follow up the directions / observations of ACB for
compliance.

6. Administration of I S Audit
6.1. Conduct of Audit.
Information System Audit of Branches / Offices / Departments shall be carried out as per the
prescribed periodicity. I S Audit being a specialised job, the scope and function of the IS Audit
Cell shall be limited to organising / conducting audit of the Information and Communication
Technology infrastructure used by the bank and following up with CO: TMD / I S Security Cell
etc. for timely rectification of the deficiencies.

CISA/DISA/CISSP qualified officers and officers with 3 to 5 years’ experience in Information
Technology will be utilised in this cell. The Bank may decide to outsource the execution of
segments of the audit plan to external professional service providers, as per the overall audit
strategy decided in co-ordination with the CAE and the Audit Committee of the Board.

6.2. System of I S Audit:

The I S Audit Policy approved by the Board covers all the computerised Departments / Offices of
the Bank including CBS Project Office / Data Centre, DR Site for CBS / ATM, Branches under
Core Banking Solution, Foreign Branches, Service Branches, ATM Switch / ATM Service
Centre, ATMs, Treasury Branch, Credit Card Department, HRM Department, NEFT / RTGS
Cell, Registering Authority (Digital Certificate) etc. and any other new information technologies
to be implemented by the Bank from time to time. In short, it includes all the activities / areas of
the organisation where IT systems are used for business purposes.
The methodology adopted for I S Audit / Computer audit includes a blend of input- output report
reconciliation, interview and interaction with the concerned IT users/ IT personnel, verification
of reports / registers maintained both manually as well as in the system.
6.3 Conduct of IS Audit of CBS application and Delivery channels – at CO:

I S Audit of the CBS application and Delivery channels at HO level is of a specialised nature
requiring technical expertise / specific skills / additional tools. Specific audit tools (CAAT) may
be introduced / used in addition to other audit techniques like “audit through the computer” and
“audit with the computer”, so as to identify in time and plug vulnerable areas in safeguarding IT
assets, by way of risk mitigation, for the audit of IT resources at centralised locations.

For carrying out the said task of I S Audit, a core team of officers with experience in Information
Technology and/or CISA/DISA/CISSP qualification shall be formed at CO. Core team shall be
trained extensively. Initially, they shall work in co-ordination with identified external IS Audit
firms/agencies who undertake IS audit of various systems of the bank and in course of time,
the core team shall gradually take over the same.
Suitable audit tools (Computer Assisted Audit Tools – CAAT) and testing accelerators for direct
interrogation of the system shall be provided to the I S Auditors, in consultation/ co-ordination
with CO: Technology Management Department (TMD) and Information Systems Security Cell
(ISSC) for generation of certain special/specific reports. Core team of I S auditors shall be
thoroughly exposed to the use of CAAT and related system tools in carrying out the I S audit.

The audit emphasises determining the level of compliance with laid-down policies, systems
and procedures.
6.4. Role of I S Audit Cell –
1. I S audit Cell at Corporate Office is established under the overall control of CO: Inspection
Department for organising and follow up of I S Audit activities of the bank. The wing shall be
manned by CISA/DISA/CISSP qualified IT Officers of the Bank in addition to officers with
Information Technology experience. The term of these Officers shall be limited to a period of 5
Years. They shall be periodically provided with necessary training (class room as well as on the
job) to update/upgrade their IT knowledge and skills to conduct IS audit using audit tools
(CAAT) and testing accelerators which will enable them to effectively carry out the job assigned
to them.
2. The IS Audit shall cover all the computerised departments / offices of the Bank,
including CBS Project Office / Data Centre, DR Site of CBS and ATM, all branches, Foreign
Branches, Service Branches, ATM Switch / ATM Service Centre, ATMs, Treasury Branch, Credit
Card Department, HRM Department, NEFT / RTGS Cell, Registering Authority (Digital Certificate)
etc. and any other new information technologies to be implemented by the Bank from time to
time. Outsourcing may be resorted to, in areas of vital and critical importance, in case of
necessity.
3. Project Office-CBS / Centralised Data Centre (PO-CBS/CDC), being the nerve centre for
CBS, will be subjected to concurrent audit through a team of CISA/DISA/CISSP qualified
officers, and a monthly report shall be submitted by them to CO: TMD under copy to CO:
IS Audit Cell. CO: TMD shall provide all necessary inputs / infrastructure to the Internal Audit
Team at PO-CBS/CDC required for the successful conduct of the audit. CO: TMD shall follow up
for rectification of deficiencies and submit an Action Taken Report (ATR) / steps initiated as risk
mitigation measures to CO: I S Audit Cell within 15 days of the report.
4. Registering Authority (RA) - Digital Certificate Cell under Banking Operations Department
will be subjected to half yearly internal audit and one annual external audit (using auditors
empanelled by IDRBT- certifying Authority for Digital certificate) during the year and the time
gap between the above two internal audits should not be more than 6 months.
CO: BOD shall follow up for rectification of deficiencies and place periodical note to CO: Audit
Committee on the steps initiated /Action Taken report as risk mitigation measure
5. IS Audit Cell shall continue to function independent of TMD and IS Security Cell but work in
co-ordination with them. IS Audit being a specialised job, the scope and function of IS Audit
Cell shall be limited to auditing of the computer based information systems and shall not
include financial/transactional audit.
6. IS audit cell shall monitor the compliance to various IT guidelines/ RBI/legal /statutory
requirements by various wings of the organisation that are making use of IT assets. The follow
up and placement of reports will be carried out as per the internal guidelines and schedule
attached (Annexure- I & II).

6.5 External I S Audit firms:

The Bank may consider engaging the services of accredited External I S Audit firms for I S
Audit of Branches / Offices / IT infrastructure including Netware Audit, software audit,
Vulnerability Assessment, etc to meet any Business /Statutory requirements. Depending on the
nature and criticality of assignment, the Bank may stipulate eligibility criteria of the External I S
Audit firms, fees payable etc. The engagement letter should cover the scope of IS Audit,
objectivity, duration etc apart from addressing the areas of responsibility, authority, and
accountability.


7.0 I S Audit Policy Guidelines:

7.1 General
The checklist based I S Audit shall cover all the computerised branches / departments / offices
of the bank.
The checklist based I S Audit of Branches (including new branches opened / to be opened)
shall be carried out along with regular inspection of the Branch (RBIA), and the I S Audit rating
arrived at shall be dovetailed to the RBIA format, as spelt out under Rating System (Para 8.1 of
this Policy).

7.2 Critical Success Factors:

The following critical factors are important for successful implementation of the I S Audit Policy.
I. Posting of IT Officers to Inspection System – Officers, who have at least 3 years of
experience in Information Technology as well as those with CISA/DISA qualification, may be
posted to Inspection System to the possible extent.
II. Keeping CO: Inspection, Information Systems Audit Cell / Inspection centres informed about
various IT Policies, Procedures and guidelines, Database structure, Availability of Audit trails,
Shortcomings in Application software, OS etc by Technology Management Department.
III. Imparting periodic need based internal/external training to IS Auditors on Operating Systems,
Database Management, Software Audit, Network Audit, Penetration Testing, etc, keeping
pace with the changes in IT technology and IT environment in the bank.
7.3 Periodicity of I S Audits (Schedule as per Annexure II):
7.3.1 - Software Audit:

To subject all the software/patches/Hot fixes to audit by Internal Audit Team placed at CBS
Project Office / Data Centre (PO-CBS/CDC), before accepting any software / patches / hot
fixes for implementation, so as to ensure that the software meets the procedures laid down by
the bank, the following procedure shall be adopted:
I. TMD to categorize the patches/hot fixes according to the urgency of release, while forwarding
to Internal Audit Team at PO-CBS/CDC, so that the audit can be completed on top priority.
II. CO: TMD shall provide all necessary inputs/infrastructure to Internal Audit Team at PO-
CBS/CDC required for the successful conduct of the audit (be it pre-implementation or post-
implementation).
III. Any new software release/implementation status should be informed to IS Audit Cell enabling
them to draw suitable IS Audit Plan for the new System.
IV. Where emergency patches / fixes are applied without IS Audit, as a measure of risk
mitigation due to paucity of time, the fact should be reported immediately to IS Audit Cell,
indicating approval of such action by the General Manager concerned.
V. Software audit shall generally be carried out by utilising the services of CISA/DISA qualified
officers of the bank; however, the same shall be outsourced when the software to be
deployed is highly technical in nature, requiring a specific skill set for such audit which is
not available internally.
7.3.2 Network Audit:
I. Network Audit shall conform to the broad guidelines provided under “Internet Banking
Guidelines” issued by RBI and the IT Security Policy/Procedures of the Bank.
II. Network audit may be initially outsourced on account of the high level of technical skill and
high end tools used for penetration and other relevant tests. In course of time,
CISA/DISA/CISSP qualified officers attached to core team of IS Audit shall be utilised for
this task.


7.3.3 - Regular I S Audit:

7.3.3.1 - Branches:
i. I S audit of all branches shall be scheduled as per risk profile of the Branch under RBIA
(regular inspection) and shall be carried out by the inspecting official conducting RBIA.
ii. The checklist based I S Audit of Branches (including new branches opened/ to be opened )
shall be carried out along with regular inspection of the Branch (RBIA) and I S audit rating
arrived as per IS Audit format, shall be dovetailed to RBIA format, as spelt out under Rating
System (Para 8.1 of this policy).
7.3.3.2 - Half yearly Computer Security Review by ZO - Adherence to I S Guidelines by
Branches:
All Branches (including Service Branches) shall be subjected to half yearly Computer Security
review of I S guidelines, in addition to submission of “Monthly Managers certificate on computer
security”, on the following lines:
(i) If the branch has undergone I S Audit along with regular RBIA during that half year, it may
be exempted from a separate half yearly computer security review for that half year by the Zonal
Office. ICs will inform the Zonal Office of the list of branches likely to be inspected during the
ensuing half year and exempt the Zonal Office from carrying out a separate half yearly computer
security review for that half year covering the said branches.
(ii) ZO will continue with the existing system of Computer Security Review carried out once in a
half year by the Branch champions / System Managers of other branches for all branches
(except as in (i) above) and ensure that all the branches are subjected to half yearly computer
security review, either by regular inspection or by swapping the System Manager of one branch
to the other.
7.3.3.3 - I S Audit of Overseas Branches (FOREIGN BRANCHES):
The I S Audit of Overseas Branches shall be carried out along with the Regular Inspection of
the branch. The inspection team identified for regular inspection of foreign branches may
include IT personnel for carrying out the same.
7.3.3.4 - Audit of ATMs:
1. Audit of ATMs connected to our Branches (both on-site & Off-site ATMs) shall be carried out
along with Regular inspection of branches (RBIA). This will be in addition to the review of ATM
carried out by Zonal Office / concurrent auditors, on the following lines.
2. a) ATM audit by inspector of Branches along with RBIA of the branch (including the branch
under concurrent audit) and ATM audit report is followed up for rectification & closure along
with regular RBIA.
b) ATM Review
(i) Quarterly ATM review by the concurrent auditor, in branches having concurrent auditor
(ii) Half yearly ATM review in other branches, by Zonal Office (for the half year/s, when
there is no RBIA for that branch), through officers from nearby branches / Zonal Office.
3. Inspection Centres shall furnish the list of ATMs in advance to the concerned Zonal Offices,
where such half yearly review of ATM has to be carried out.
4. Inspection Centres to collect ATM review reports, follow up with Zonal Office for rectification
of deficiencies observed and ensure that all ATMs are covered either by regular inspection or
by review during that half year. The details of ATM Audit (by inspectors) & ATM review (by
ZO/CAs) are to be reported separately in the monthly IIS report.
7.3.3.5 Administrative/ Other Offices where back office operations are computerized:

• I S Audit of PCs / Servers / Email PCs at administrative offices shall be carried out along with
regular inspection of the department / office.
• The following offices shall be subjected to I S Audit (Technical Audit) annually.
I. Specialized branches like Overseas Branch, Treasury Branch etc.
II. CO: International Division.
III. ATM Switch / ATM Service Centre
IV. Data Centre, CBS Project Office, Disaster Recovery Site of CBS & ATM
V. NEFT/ RTGS Cell etc
VI. CO: HRM Department
VII. CO : Credit Card Department
VIII. Registering authority (RA)- Digital certificate
7.3.3.6 – Other I S Audits:
The following other I S Audits have to be carried out periodically, preferably annually.
I. I S Audit of Aggregation Points (Network Equipments - Routers & Switches) centrally at
CO: TMD and Centralised Data centre (CDC).
II. I S Audit of Internet Banking, Mobile banking, Tele-banking etc.,
III. I S Audit of Network infrastructure/systems with thrust on Penetration Testing
IV. I S Audit covering Corporate Governance on IT Systems.
V. I S Audit of Third party IT environments – The Bank shall subject the IT environments of I T
Service Providers to I S Audit, to verify / be satisfied about the safety & security of the
Information Assets of the Bank in the hands of third party vendors. The Audit shall be
confined to the areas related to the service extended by the IT Service Providers to the Bank.
The audit may be carried out by the Bank’s Internal Auditors or by External Auditors,
depending upon the complexity of the environment.
I S Audit Issues in Concurrent Audit: As the concurrent Audit report is submitted monthly,
some of the critical issues pertaining to CBS /computerized environment are included in the
concurrent audit checklist, to enable the concurrent auditors to point out the same so that they
are addressed at the earliest.
7.4 Authorities Responsible to conduct I S Audit, Review & follow up of audit reports.
The guidelines for conducting I S Audit, authorities empowered to conduct the audit, review of
the reports, issuance of closure certificates etc are as per the I S Audit internal guidelines
document and as per the periodicity detailed in the enclosed annexure- I & II.
The I S Auditor may prepare a letter on critical matters of serious concern requiring immediate
action, if any, observed during the conduct of IS audit and submit the same directly to General
Manager (Inspection), apart from marking a copy of the same to CO:TMD, IS Security cell and
IS Audit Cell.
Special reports drawing immediate attention may be submitted when warranted as per the
guidelines spelt out in the internal guidelines, attached with this policy as annexure-I.
7.5 Implementation of I S Audit Plan:
CO: Inspection Department is responsible for implementing and monitoring the I S Audit Plans of
the Bank. They are empowered to decide on the following within the overall framework of the
I S Audit Policy of the Bank.
I. I S Audit Approaches, Audit tools to be adopted within the framework of I S Security
Policy of the bank, in co-ordination with IS Security cell.
II. Periodicity of I S Audits.
III. Bringing in of new areas/activities under the purview of I S Audit
IV. Preparation of Checklists for conducting various I S Audits, based on guidelines /
checklist issued by IS Security cell/ TMD/ O& M Dept etc (synchronizing with RBI/GOI
guidelines).
V. Issue of various guidelines with regard to carrying out of I S Audit.
VI. Take appropriate steps to improve the quality of I S Audit in the bank.


7.6 External I S Audit Firms - Engagement Letter:

These may be used for individual assignments setting out the scope and objectives of the
relationship between the external I S Audit agency and the organisation.

The engagement letter, namely audit charter for third party auditors should also include objectives
and information on delegation of authority to the IS Auditors. The following aspects, namely
responsibility, authority and accountability should be considered while preparing the engagement
letters.
8. Rating Of Branches under IS Audit:
Evaluation of performance and functioning of a Branch based on I S Audit findings through a
system of Rating is an important tool to assess vulnerability and threat associated with the IS
activities of the branch. This Rating has a bearing on the performance of Branch Manager and
other officials and staff. Hence, an objective system of rating is developed based on the risk
associated with the various I S activities, mainly through the concept of I S audit around the
computer. The Inspecting Official is required to use the same, to effectively evaluate the use of I S
assets for effective performance and functioning of a branch.
8.1. Rating system under IS Audit:

I. The following ratings will be awarded for computerised branches under IS Audit, based on their
adherence to various guidelines in safeguarding the I S Assets of the bank in addition to
effective and efficient use of I S Assets.
Below 50% - High Risk
50 to 70% - Medium Risk
Above 70% - Low Risk
II. Inspecting official has to discuss the rating given by him with the Branch Manager concerned,
on completion of IS Audit and finalisation of the report. Rating given by the inspector shall be
vetted by the Inspection Centre and Final IS Audit Rating for the branch shall be arrived at and
communicated to the Branch and Zonal Office.

III. A Branch will be rated as “High Risk” either for scoring below 50 marks, OR for not scoring
full marks under identified ‘Compulsory scoring items’ as indicated in the I S rating chart
(due to non-adherence/non-compliance with various guidelines under IS Audit).

IV. The above I S Audit score of the branch shall be dovetailed to RBIA rating format and IS audit
report is followed up for rectification & closure along with regular RBIA.
9. Compliance
I. Bank’s I S Audit policy generally conforms to “Information Systems Audit Policy for the Banking
and Financial Sector” of the Reserve Bank of India and the latest RBI working group guidelines on
electronic banking and information security published in April 2011. Wherever a specific
mention is not made herein, the details provided in the Reserve Bank of India guidelines mentioned
above shall hold good, as far as applicable to the environment.

II. Inspecting officials shall ensure that the branches/offices using IT infrastructure are strictly
adhering to the various guidelines issued by CO: O&M Department, CO: TMD, CO: IS security
Cell and CO: IS Audit Cell from time to time.

III. IS Audit checklists and procedures shall conform to the “Checklists for IS Audit” provided by the
Reserve Bank of India, in so far as applicable to the respective IS Audit. In case of any conflict
between the guidelines provided therein and the “IS Security Policy” of the bank, the provisions of
the “IS Security Policy” will prevail.

IV. AGM IS Audit Cell with the approval of General Manager, Inspection department may devise
/modify the reporting formats for Information Systems Audit, as and when required.

Annexure - I - Information System ( I S ) Audit Policy 2012-13 - Internal Guidelines

1. Importance of I S Audit:
An organisation’s ability to survive can get severely undermined by corruption or destruction of
its information assets - viz. Data, computer/networking systems etc. - if proper policies/controls are
not built in. Adherence to guidelines may result in:
I. Effective allocation of available IT resources (based on dependable quality of Data).
II. Protection of Information assets through various controls, which will prevent the possibilities of
misuse leading to avoidable loss.
III. Achievement of organisational goals - viz. Business and profit maximisation
through effective, efficient and optimal use of IT assets - namely Computer Hardware,
Software and IT Personnel.
IV. Prevention of Computer errors (which may result in financial loss).

The IS audit assesses the strengths and weaknesses of the Information Systems. It also
assesses whether each Information System actually translates itself into an effective tool to
meet the business goals of the organisation. The following major benefits are expected from
the conduct of IS audit:

I. IS audit can be equated to a diagnostic tool. IS audit can bring to light the
weaknesses/lapses in implementing and handling IT assets, which will help to identify
the risk arising out of non-compliance with laid-down guidelines in protecting the IT
assets, necessitating follow up action / remedial measures by the concerned authorities
in the organisation.
II. Regular conduct of IS audit would deter people/employees/users from indulging in
manipulation of data, frauds etc. Any laxity in the controls/security of the Information
Systems can be minimised effectively. Proper and timely follow up action on IS Audit
report by concerned authorities, will provide the management reasonable assurance
about the functionality of the Information Systems.
III. Security features and controls in a computerised Information System could be assessed
and be taken up for further improvement.
IV. IS audit can assess the level of controls complied with, by the branches /offices of the
organisation in safeguarding /protecting the IT assets.
V. IS audit assesses the health of the Information Systems in an organisation.

The observations / findings emerging from an IS audit shall influence the decision making
process of the management on IT Asset safeguarding and utilisation.

2. I S Audit methodology

The I S Audit process basically involves verification and reporting of the level of compliance
covering all areas of IT and IS security policy guidelines, based on the observations / findings.
IS security policies include Anti Virus Management, Physical and Environmental Security,
Logical Access Control, Business Continuity Planning, Internet Banking, ATM Security etc.

The methodology adopted includes a blend of input / output report reconciliation, interview and
interaction with the concerned IT users/ IT personnel, verification of reports / registers
maintained both manually as well as in the system. Suitable tools for direct interrogation of the
system shall be provided to the IS Auditors for generation of certain special/specific reports.
The IS Auditors will be provided with necessary guidelines, audit tools coupled with adequate
training to enhance their audit skills to carry out such audits.


The IS audit work includes manual procedures, computer assisted procedures and fully
automated procedures, depending on whether it is around the computer, through the computer,
with the computer or a combination of all these types of audit. In many cases, a combination
of all these techniques is required. The IS auditors may utilise the manual procedures when
they are more effective than the other alternatives or when these procedures cannot be
partially or fully automated. The auditor may also use computer assisted procedures known as
Computer Assisted Audit Tools (CAATs) and any other specific utility tool developed /available
for that purpose.
I S Audit activity is broadly divided into five major steps for the convenient and effective
conduct of audit.
a) Planning I S Audit
b) Tests of Controls
c) Tests of Transactions
d) Tests of Balances
e) Completion of Audit.
a) Planning IS audit:
Planning is the first step of the I S audit. I S auditors should plan the audit work in a manner
appropriate for meeting the audit objectives.
IS auditors are required to understand the internal controls used within an organisation, through
review of previous audit reports/papers, interview/interaction with the management and
Information Systems personnel, observation of activities carried out within the Information
Systems function and review of Information Systems documentation.
In addition to the above, in case of outsourcing of I S Audit they should have an understanding
of the auditee department / office / organisation and its processes. It includes understanding of
the objectives to be accomplished in the audit, collecting background information, assigning
appropriate staff keeping in mind skills, aptitude etc. and identifying the areas of risk and to
decide on the extent of the detailed analysis and testing to be conducted on those systems.
b) Tests of Controls:
Internal Controls are tested to evaluate the effectiveness of management and application
controls. This will throw light on the level of reliability of the controls as per prescribed
guidelines in the Information System Security Policy and find out weaknesses if any.
c) Tests of Transactions:
These tests are generally carried out using Computer Assisted Audit Tools (CAAT) /Utility
Tools to assess the data integrity and computational accuracy of the transactions carried out.
This will also bring out erroneous transactions, if any, leading to data abuse / misuse/ fraud
with the help of transaction log available in the system.
d) Tests of Balances:
General Audit Software / expert systems can be used to assess the efficiency of system
functioning and to estimate the losses that could have occurred during the failure of system
safeguards in maintaining the data integrity, computational errors etc.

e) Completion of Audit:

This is the final stage of IS audit, where auditors will be recording their findings/observations,
analysis and recommendations for necessary follow-up and monitoring for
rectification/compliance by the concerned authorities. Potential IS audit findings should be
discussed with the appropriate / authorised personnel throughout the course of IS auditing.


3. Organisational Set up and Functions


a) IS Audit Cell is a wing of CO:Inspection Department, which is independent from the Internal
Control process. The I S Audit cell is headed by an AGM. The Inspection Department is
headed by a General Manager and assisted by Deputy/Asst General Manager and other
senior officers at the Corporate Office. Department Head will report to the Board of
Directors/ACB.
b) Inspection function has been decentralised to seven Inspection Centres (ICs) to effectively
cover the vast network of branches. Accordingly, the checklist based I S Audit of
Branches (including new branches opened/to be opened) / departments/offices shall be
carried out by the inspection centres as per the specified format, along with regular inspection
of the Branch/department/office.
c) The coverage of IS Audit of branches through the seven Inspection Centres will be as
applicable under Inspection and audit policy of the bank approved by the Board and in
force, from time to time.

3.1 Functions of IS Audit Cell at CO:Inspection Dept.


⇒ Implementation of Information Systems (IS) Audit Policy guidelines in tune with the I S
Security Policies of the Bank implemented by I S Security Cell;
⇒ Organising / conducting various types of IS Audit of Branches / Offices; and
⇒ Monitoring the periodic progress of rectification through Inspection Centres.
• To arrange for conducting / organising / coordinating the following:
  o IS Audit of Foreign Branches
  o Audit of all the software/patches
    - Developed in-house: through CISA/DISA/CISSP qualified officers
    - Outsourced/acquired Software: through external IS audit firms/agencies, before
      porting the software at the branches/offices.
• Testing of Operating System/Browser/Database Service Packs, Patches & Hotfixes etc.
• Network audit, auditing of Internet Banking, ATM service centre etc.
• IS Audit of Branches (including attached ATMs – both on-site / off-site ATMs)
• Audit of administrative / other offices where IT systems are used for business purposes
and for back office operations, like HRMS, Cash Management System Hubs (CMS),
RTGS cell, Internet Banking, Mobile Banking, Tele-banking, e-payments, NEFT etc. and
any other IT solutions that are introduced / to be introduced from time to time by the
Bank.
• Audit of Internet Banking will be carried out by qualified personnel who have passed
CISA/DISA, with Information Technology exposure and expertise in vulnerability
assessment and penetration testing.
• IS audit cell is to monitor the compliance with various IT guidelines / RBI / legal / statutory
requirements by the various wings of the organisation that make use of IT assets. The
follow up and placement of reports will be carried out as per the schedule attached.
3.2. Functions of Inspection centre on IS Audit
• Giving assignment for IS Audit of the branch along with RBIA (regular inspection).
• Organising ATM review - quarterly in branches having a concurrent auditor and half yearly in
other branches.
• The responsibility for effective follow up of I S audit reports towards rectification of all the
irregularities lies with the concerned Zonal Office. ICs will monitor the follow up by Zonal Offices,
submission of FRCs, placement of IS Audit reports including special reports in ZIAC and
closure of all reports except special reports. Special Reports, after placement, discussion and
acceptance in the ZIAC, have to be recommended by the respective Zonal Office for closure to
CO:Inspection department.
• Consolidation of IS Audit data under the Inspection Information System (IIS) from all Zonal offices
under their jurisdiction and submission of such data to CO:Inspection department.


3.3. Functions of Zonal Office on I S Audit:


Audit/Inspection department at Zonal Office is the focal point of the Inspection system as the
department monitors and follows up the rectification of irregularities and deficiencies pointed
out in all Inspection reports. CO: Audit/Inspection department is handled by a senior level
officer not less than the rank of a senior manager.
The observations of IS Audit report are to be followed up for timely rectification by Zonal Office.
Zonal Audit/Inspection department coordinates the conduct of Zonal Inspection Audit
Committee (ZIAC). All the observations of IS Audit reports are to be deliberated in detail in
ZIAC on rectification of the deficiencies, and recommended for closure.
4. I S Audit schedule and cycle:
4.1. I S Audit of Branches /offices:
I. I S audit of branches shall be scheduled as per risk rating of the Branches under regular
inspection (RBIA), wherein the I S Audit rating of the branch shall be dovetailed to RBIA rating
format, as spelt out under Rating chart guidelines.
II. In the case of all other Offices/department/service providing centres which are not subjected
to risk rating (RBIA rating) at present, IS audit shall be carried out along with the regular
inspection, by the inspecting official as per the prescribed periodicity.
I S audit of Service Branch, Cash Management (CMS) HUB and such other units of special
nature having separate branch code with specific supporting function (without direct
customer transaction) established / to be established, shall be carried out on an ‘Annual
Basis’ along with regular inspection by Inspectors attached to the respective inspection
centre and due process is to be adhered to, for follow up, placement in ZIAC and closure of
such report.
The IS audit of Zonal Office, IMAGE, Computer Learning Centres at Zonal Office / Staff
Training centre etc shall be carried out along with regular inspection (as part of the
department /office to which they are attached).

III. In case of vulnerable and critical areas like CBS – Project Office /Data centre, DR site of
CBS and ATM, Internet Banking etc, where the services of external IS audit firm are used for
I S audit, a compliance audit also shall be carried out, on obtention of compliance report
from the functional /control department.
4.2. ATM Audit / ATM review

1. All Offsite and on-site ATMs shall be subjected to either ATM audit or ATM review once in
six months. However, ATMs attached to branches with Concurrent / Internal Auditor shall be
subjected to quarterly review.
2. ATM service centre shall be subjected to an annual I S Audit (in addition to the monthly
transaction internal audit as per the inspection and audit policy).

3. Audit of ATMs connected to our Branches shall be carried out along with Regular inspection
of branches (RBIA), while ATM review shall be conducted by Zonal Office / Concurrent
auditors, on the following lines.

• Quarterly ATM Review by the concurrent auditor, in branches having a concurrent auditor.

• Half yearly ATM review in other branches - ATM review by Zonal Office for the half year/s
(when there is no RBIA for the ATM attached branch), through officers from nearby
branches / Zonal Office.

4. Inspection Centres shall furnish the list of ATMs in advance to the concerned Zonal Offices,
where such half yearly review has to be carried out.

5. ATM review by Zonal Office has to be carried out preferably by an officer familiar with ATM
administrative operations & maintenance activities, and no two consecutive ATM reviews of a
branch shall be done by the same officer.

6. The procedural guidelines for follow up of ATM audit report (carried out along with RBIA),
submission of FRC and closure shall be as applicable to regular inspection reports (RBIA),
whereas ATM review reports (Both by CA & others) are to be placed and discussed in ZIAC
for follow up & rectification of deficiencies observed.

7. Inspection centres to collect ATM review reports, to follow up with Zonal Office for
rectification of deficiencies observed and to ensure that all ATMs are covered either by regular
inspection or by review during that half year. The details of ATM audit & ATM review are to be
reported separately in the monthly IIS report.

4.3 Information Systems Audit of offices other than branches :


4.3.1 System audit of Zonal Offices:
IS audit of Zonal Office is to be conducted once in a year, along with regular inspection of
Zonal Office. The report is to be submitted to the respective Zonal Manager, Inspection Centre
and CO:IS Audit Cell. An extract of critical observations of IS Audit report will be forwarded to
General Manager (TMD) , General Manager in charge of IS Security Cell and General manager
(I&C).

Inspection Centres have to follow up for rectification of the adverse features with respective
Zonal Offices and submit a review to CO:IS Audit Cell, who in turn will submit a consolidated
note on IS Audit of Zonal Offices to GM (Inspection). There should be discussion in ZIAC
meetings on rectification of adverse features observed.
4.3.2. IS Audit of Treasury Branch shall be carried out at HO, along with regular IS Audit of
CBS Project Office, Data centre etc. The inspection will cover the efficacy and efficiency of the
software used, parameter settings, access control, authorisation etc in safeguarding the IT
assets through proper controls & procedures. The follow up, monitoring and closure of such
reports shall be done by GM (Treasury &Investments).
4.3.3. IS Audit of offices other than Zonal Offices - Inspection centres, IMAGE and other
Training centres, CO:Departments and regional Stationery departments shall be done once in
two years, along with regular inspection. Reports of IMAGE, CO:Departments and Inspection
Centres are followed up by CO:Inspection Dept. and a consolidated review note shall be placed
before CO:Audit Committee. Inspection Reports of Training Centres are followed up by IMAGE and
monitored by the respective IC. Stationery Centre reports are followed up by CO:Stationery Dept.
and monitored by the respective ICs.

4.3.4. Subsidiaries & Regional Rural Banks


IS Audit Cell is to ensure that subsidiaries and Regional Rural Banks sponsored by the Bank have
suitable policies for system audit and that these are adhered to in letter and spirit. Deficiencies
are to be taken up with the Management of the subsidiary/RRB and with the concerned General
Manager in the Bank for follow up, rectification and compliance.
4.3.5 - I S Audit of Overseas Branches (Foreign Branches):
The I S Audit of Overseas Branches shall be carried out along with the Regular Inspection of
the branch. The inspection team identified for regular inspection of foreign branches shall
include IT personnel for carrying out the same.

4.3.6 Administrative/ Other Offices where back office operations are computerized:
• I S Audit of PCs/Servers/Email PCs at administrative offices shall be carried out along with
regular inspection of the department /office.
• The following offices shall be subjected to annual audit by an External I S Audit firm:
  o Specialized branches like Overseas Branch, Treasury Branch etc.
  o CO:HRM Department, International Division
  o ATM Switch / Service Centre
  o Data Centre, CBS Project Office, Disaster Recovery Site of CBS & ATM
  o NEFT / RTGS Cell etc.
  o HO : Credit Card Department
  o Registering authority (RA) - Digital certificate (apart from half yearly internal audit)
In the case of vulnerable and critical areas like CBS – Project Office / Data centre, DR site of CBS
and ATM, Internet Banking etc., a Compliance / Confirmatory Audit shall also be carried out, on
obtention of the compliance report.

4.3.7 – Other I S Audits:


The following other I S Audits have to be carried out periodically.
• I S Audit of Aggregation Points (Network Equipment - Routers & Switches) on a yearly
basis, centrally at CO:TMD and Centralised Data centre (CDC).
• I S Audit of Internet Banking, Mobile banking, Tele-banking etc., on a yearly basis.
• I S Audit of Network infrastructure/systems with thrust on Penetration Testing, on a yearly
basis.
• I S Audit of Third party IT environments – the Bank shall subject the IT environments of third
parties (service providers) to I S Audit by the Bank’s Internal auditors or by External
auditors, depending upon the complexity of the environment, to verify and be satisfied about the safety
& security of the information assets of the bank in the hands of third party vendors.

4.4 – Obtention of Monthly Managers certificate on computer security and conducting of half
yearly Computer security review of Branches - adherence to Information System guidelines:
I. Zonal Office has to submit half yearly compliance certificate (as of September and March)
covering all the branches, on receipt of “Monthly Managers certificate on computer security” &
their follow up and rectification of deficiencies observed to CO:I S Audit Cell.
II. Zonal Office has to carry out Half yearly computer security review covering all the branches
(including Service Branches), on the following lines:
(i) If the branch has undergone I S Audit along with regular RBIA during that half year, it is
exempted from separate half yearly computer security review for that half year by the Zonal
Office. ICs will inform Zonal Office, the list of branches likely to be inspected (through periodical
advance intimation), based on which Zonal Office exempts those branches from exclusive half
yearly computer security review for that half year.

(ii) In all other cases, Zonal Office will carry out exclusive Half Yearly Computer Security
Review by swapping Branch champions.

(iii) Zonal office to ensure that all branches in their Zone are covered under half yearly
Computer Security Review either along with RBIA or separately by swapping Branch System
Champions as mentioned above.

While assigning the Half Yearly Computer Security Review to Branch champion of CBS branches,
Zonal Offices are to adhere to the following guidelines

a) The officer who has conducted security review is not deputed to the same branch by ZO for
the subsequent review.
b) The services of the Branch champion deputed for half yearly computer security review
of assigned branch may be utilised for surprise branch/ATM cash verification, etc. of the
concerned branch, on the same day.
c) The following time schedule has to be strictly adhered to, on the conduct and submission
of the compliance report on “Half yearly computer Security review” by Zonal Office:
• Communicate assignments to various officers well in advance, i.e. in January / July (every
half year, for the half year ending March & September)
• Ensure completion of assignments before the 15th of February / August every year
• Collect the reports and peruse them before the 5th of March / September every year
• Follow up rectification & submit the compliance certificate to CO:I S Audit Cell
(Inspection Department) before the 15th of March / September every year
5. Authorities Responsible to conduct I S Audit, Review & follow up of audit reports.
The guidelines for conducting I S Audit, authorities empowered to conduct the audit / review
the reports/ closure of reports etc shall be as per the I S Audit procedures document and as per
the periodicity detailed in the enclosed annexure.
6. Implementation of I S Audit Plan:
CO:Inspection Department is responsible for implementing and monitoring the I S Audit Plans of
the Bank. They are empowered to decide on the following within the overall framework of the I S
Audit Policy of the Bank.
• I S Audit Approaches, Audit tools to be adopted within the framework of I S Security Policy
of the bank, in co-ordination with IS Security cell.
• Periodicity of I S Audits.
• Bringing in of new areas/activities under the purview of I S Audit
• Preparation of Checklists for conducting various I S Audits, based on guidelines / checklist
issued by IS Security cell/ TMD/ O& M dept etc.
• Issue of various guidelines with regard to carrying out of I S Audit.
• Take appropriate steps to improve the quality of IS Audit in the bank.

7. I S Audit schedule and cycle:


The checklist based I S Audit of Branches (including new branches opened /to be opened)
shall be carried out along with regular inspection of the Branch (RBIA) and I S audit rating
arrived shall be dovetailed to RBIA format, as spelt out under Rating chart guidelines.

8. Follow up and closure of IS Audit reports.


ICs shall ensure that the inspecting official submits the report immediately on completion of the
assignment and the report reaches the Branch/Zonal Office/IC concerned within 3 working
days.

The follow up, monitoring and closure of IS Audit report shall be taken up by the respective
inspection centre in the case of branches in India and in the case of foreign branches, the
same exercise shall be carried out by CO:International Division in co-ordination with TMD. With
regard to other administrative offices/ service providers like Data centre, Project Office, DR
site, RTGS Cell, etc the closure of IS Audit report shall be taken up by HO:TMD. Registering
Authority (RA) – Digital Certificate shall be followed up by CO:BOD, the controlling department.

8.1 Zonal Inspection and Audit Committee (ZIAC)


The formation and functioning of Zonal Inspection and Audit Committee will be as per
guidelines spelt out in the Bank’s regular Inspection and Audit Policy. Additionally the senior
officer nominated by the Zonal Office for coordinating the CBS Help Desk / I S Audit shall be
inducted into the committee. All IS audit reports falling within the jurisdiction of the inspection
centres shall be followed up, placed in ZIAC by Zonal Office concerned and recommended for
closure/closed in a time bound manner, strictly, within the time schedule specified (as detailed
in the annexure).

8.2 - I S Audit -Others


All other I S Audits, covered under Para 7.3.3.5 and 7.3.3.6 of I S Audit Policy 2012-13, are to
be followed up by the concerned Department Head i.e concerned General Manager. In the
case of Service Branch, CMS Hub etc the same shall be followed up by the respective Zonal
offices in which they are functioning.

9. Special Reports
a) The I S Auditor may prepare a letter on critical matters of serious concern requiring
immediate action, if any, observed during the conduct of IS audit and forward the same directly
to General Manager (Inspection), apart from marking a copy of the same to HO:TMD, IS
Security cell and IS Audit Cell.
b) All serious deficiencies of critical nature, related to IT assets, shall be reported to CO:IS
Audit Cell under intimation to CO:TMD and IS Security Cell, in the form of Special Reports as
soon as they are identified.

The following is an illustrative list, warranting special reports:


o Lack of awareness in maintaining password secrecy;
o Non-checking of Single window operator (SWO) report/ e-VVR with physical vouchers on
daily basis;
o Non-checking of exceptional / Override report / other branch transactions on a daily basis
by Branch in charge;
o Maintenance of Parking a/c in branches, other than those permitted by the system;

In the case of ATMs attached to Branches:


o Persistence of long pending items in SR II in respect of ATM operations
o Long pending unrecovered TODs in accounts due to ATM operations;
o Non-maintenance of Cash Balance Book
10. Rating Of Branches under IS Audit:
Evaluation of performance and functioning of a Branch based on I S Audit findings through a
system of Rating, is an important tool to assess vulnerability and threat associated with the IS
activities of the branch. This Rating has a bearing on the performance of Branch Manager and
other officials and staff. Hence, an objective system of rating is developed based on the risk
perception associated with the various I S activities, mainly through the concept of IS audit
around the computer, to start with. The Inspecting Official is required to use the same to
effectively evaluate the use of I S assets for effective performance and functioning of a branch.
10. 1. Rating system under IS Audit:
The following ratings will be awarded under IS Audit functioning based on adherence to various
guidelines by the branch in safeguarding the IS Assets of the bank in addition to effective and
efficient use of IS Assets.

Below 50% - High Risk
Between 50 and 70% - Medium Risk
Above 70% - Low Risk

A Branch will be rated as “High Risk” either for scoring below 50% marks, OR for not scoring full
marks under identified ‘Compulsory scoring items’ as indicated in the I S rating chart (due to non-
adherence/non-compliance with various guidelines under IS Audit).
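The rating rule above (and its earlier statement in section 8.1) can be expressed as a small scoring routine. The following is an added illustration, not code from the Bank or from the policy document: it assumes a rating chart made of line items, each with maximum marks, marks awarded and a flag marking it as a ‘Compulsory scoring item’, and it treats the total maximum of the chart as 100% so that "below 50 marks" and "below 50%" coincide. The policy does not say on which side of 70% a score of exactly 70 falls; the routine assumes "between 50 and 70%" is inclusive, so exactly 70% is Medium Risk. The chart items and branch scores below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ChecklistItem:
    """One scoring line of an I S rating chart (hypothetical structure, not the Bank's format)."""
    name: str
    max_marks: int
    awarded: int
    compulsory: bool = False  # True for a 'Compulsory scoring item'

    def __post_init__(self) -> None:
        # Marks awarded can never exceed the maximum or be negative.
        if not 0 <= self.awarded <= self.max_marks:
            raise ValueError(f"{self.name}: awarded {self.awarded} not within 0..{self.max_marks}")


def score_percent(items: Iterable[ChecklistItem]) -> float:
    """Total marks awarded as a percentage of the chart's total maximum marks."""
    items = list(items)
    total_max = sum(i.max_marks for i in items)
    if total_max == 0:
        raise ValueError("rating chart carries no marks")
    return 100.0 * sum(i.awarded for i in items) / total_max


def failed_compulsory(items: Iterable[ChecklistItem]) -> List[str]:
    """Names of compulsory items that did not receive full marks (each forces High Risk)."""
    return [i.name for i in items if i.compulsory and i.awarded < i.max_marks]


def rate_branch(items: Iterable[ChecklistItem]) -> Tuple[str, float, List[str]]:
    """Apply the policy's banding: (rating, percentage score, failed compulsory items).

    High Risk   : score below 50%, OR any compulsory item short of full marks
    Medium Risk : 50% up to and including 70% (assumption on the 70% boundary)
    Low Risk    : above 70%
    """
    items = list(items)
    pct = score_percent(items)
    failed = failed_compulsory(items)
    if failed or pct < 50:
        rating = "High Risk"
    elif pct <= 70:
        rating = "Medium Risk"
    else:
        rating = "Low Risk"
    return rating, pct, failed


# Constructed sample chart: four items, total 100 marks, the first one compulsory.
CHART = (
    ("Password secrecy maintained by all users", 10, True),
    ("Anti-virus updated on all systems", 20, False),
    ("Daily checking of exception / override reports", 30, False),
    ("Physical & environmental controls in server room", 40, False),
)


def build_branch(awards: Tuple[int, int, int, int]) -> List[ChecklistItem]:
    """Pair one branch's awarded marks with the sample chart, in chart order."""
    return [
        ChecklistItem(name, max_marks, awarded, compulsory)
        for (name, max_marks, compulsory), awarded in zip(CHART, awards)
    ]


if __name__ == "__main__":
    # Constructed scores for four branches, showing each band and the compulsory override.
    for label, awards in {
        "Branch A": (10, 18, 25, 32),  # 85%, compulsory item intact   -> Low Risk
        "Branch B": (8, 20, 30, 40),   # 98%, but compulsory item short -> High Risk
        "Branch C": (10, 14, 20, 26),  # exactly 70%                    -> Medium Risk
        "Branch D": (10, 10, 10, 10),  # 40%                            -> High Risk
    }.items():
        rating, pct, failed = rate_branch(build_branch(awards))
        print(f"{label}: {pct:5.1f}% -> {rating}" + (f" (compulsory shortfall: {failed})" if failed else ""))
```

Branch B is the case the policy singles out: a high overall percentage does not rescue a branch that drops marks on a compulsory item, so the routine checks the compulsory list before the percentage bands. The returned tuple carries the percentage and the failed items so that the Inspection Centre vetting the rating can see why a branch landed in High Risk before the rating is dovetailed into the RBIA format.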

Inspecting official has to discuss the rating given by him with the Branch Manager concerned, on
completion of I S Audit and finalisation of the report. Rating given by the inspector shall be vetted by
the Inspection Centre and Final I S Audit Rating for the branch be arrived at and communicated to
the Branch and Zonal Office. The above I S Audit rating score of the branch shall be dovetailed to
RBIA rating format and IS Audit report is followed up for rectification & closure along with RBIA.
10.2 I S Audit Issues in Concurrent Audit- As the concurrent Audit report is submitted
monthly, the critical issues pertaining to computerized environment relating to CBS and ATM
Operation and commented by the concurrent auditors are to be followed up by Zonal Office for
immediate rectification.
10.3 MIS / Database on IS audit of branches/offices maintained at ICs:
Inspection centres are to maintain MIS in respect of IS Audit and report to CO:Inspection
department along with their monthly IS report, indicating the gist of major deficiencies and critical
observations made by the IS Auditors in the IS audit report submitted by them during the month.
These are to be followed up with Zonal Offices for rectification in a time bound manner for
improvement.
11. Compliance
Inspecting officials shall ensure that the branches/offices using IT infrastructure are strictly
adhering to the various guidelines issued by CO:O&M Department, CO:TMD, CO:IS security
Cell and CO:IS Audit Cell from time to time, apart from the manuals like
a) Handbook on Information System Security
b) Hand Book on ATM operations
c) CBS – An Introduction
d) CBS – Procedural & Operational Guidelines
and present guidelines on Information Systems Audit.
