Dated 19^th December 2002

To Chairmen & Managing Director / Chief Executive Officers
All Scheduled Commercial Banks (excl. RRBs)

Dear Sir,

Technology adoption by Banks and Financial Institutions (FIs) has increased significantly in recent times to the extent that financial services sector is seen as the major driver for technological innovation. This has led technology to move from a stage where it was perceived as a ‘differentiator’ to a stage where it is seen as ‘essential’ part of the business.

While the benefits derived from this have been significant to the industry, this has also opened up host of vulnerabilities, more so, on account of the special characteristics of Banks/FIs as custodians of public money. Operational Risk, which includes the losses that may arise from failed systems or processes, is now an important topic of discussion in the new supervisory initiatives including the New Basel Accord.

As you are aware, the Reserve Bank of India has been taking several initiatives to make the Banks / FIs aware of the risks and concerns that emerge from adoption of technology. The Reports of the Committee on Internet Banking and the Working Group for Information System Security for the Banking and Financial Sector have already been forwarded to Banks last year for implementation. More recently, Indian Banks’ Association (IBA) has come out with a ‘Preventive Vigilance Manual’ highlighting the need for proper information system security and controls.

The Board for Financial Supervision (BFS) too has been taking a keen interest in the field of information systems security and audit. At the direction of the Audit Sub-committee of BFS, a Committee on Computer Audit was constituted under the chairmanship of Chief General Manager-in-Charge of Department of Banking Supervision, Central Office with members from RBI, ICAI, SBI, ICICI Bank and Citi Bank.

The Committee has since submitted its report and has been accepted by the Audit sub-committee of the BFS. Two copies of the Report of the Committee on Computer Audit is forwarded herewith for the guidance of banks. The Committee has classified the possible areas of audit interest in the Information System (IS) environment into 15 broad categories and has prepared ‘standardized checklists’ under each category to facilitate the conduct of computer audit. The issues elaborated in the checklists would give a fair idea about areas that need to be controlled. These checklists would be only in the nature of guidelines and banks would be free to have more elaborate checklists to conduct IS Audit suitable to the IT environment in which they operate and propose to operate.

The circular along with the report may please be placed before the Board of the bank in its next meeting. Please acknowledge receipt of this circular to Department of Banking Supervision, Central Office, IS Audit Cell, OSMOS Division, Cuffe Parade, Mumbai 400 005.

Yours faithfully,