To
All Scheduled Commercial Banks
(excl. RRBs & LABs)
Dear Sir,
Information System Audit - A review of Policies and Practices
As you are aware, Reserve Bank of India has been taking many initiatives in sensitising banks to the risks and concerns that emerge from the adoption of information technology. Various committee reports, instructions and circulars have been issued from time to time to assist banks in adopting a sound IS Audit policy framework and practices, the latest being the Report of the Committee on Computer Audit, which standardised the check list for conducting IS audit (annexure enclosed). With a view to assessing the current practices being followed by banks vis-à-vis IS audit, we recently conducted a study in this regard.
Though the study revealed that the banks, by and large, have put in place a mechanism for conducting IS/EDP audit, the practices differ from bank to bank depending upon the level of adoption of technology. Further, many banks are in the process of implementing an IS audit system in place of computer/EDP audit. Against this backdrop, we advise that:
i) Banks may adopt an IS audit policy (if not done already) appropriate to their level of computerisation and review the same at regular intervals in tune with industry best practices and the guidelines issued by RBI from time to time;
ii) Banks may adopt appropriate systems and practices for conducting IS audit on an annual basis covering all the critically important branches (in terms of nature and volume of business);
iii) Such audits should preferably be undertaken prior to the statutory audit so that the IS audit reports are available to the statutory auditors well in time for examination and for incorporating comments, if any, in the audit reports;
iv) The IS audit reports should be placed before the top management, and compliance should be ensured within the time frame outlined in the audit policy.
The above instructions may be implemented during the current financial year. This circular may be placed before the bank's Board in its next meeting. Please acknowledge receipt of this circular to Shri P. Parthasarathi, General Manager, Reserve Bank of India, Department of Banking Supervision, IS Audit Cell, WTC I, 3rd floor, Cuffe Parade, Colaba, Mumbai 400005.
Annexure
I Working Group Reports/Guidelines
1. Jilani Committee Recommendations (1995): The Jilani Working Group reviewed the internal controls and inspection/audit systems in banks in order to focus on the deficiencies and suggest remedies. Accordingly, the Working Group suggested various control measures to address the risks, including the need for a specialised system of EDP audit and for bringing the EDP system under the control and superintendence of the inspection and audit department (specific recommendations: Chapter XII, nos. 52 to 62).
2. Report of the Committee on Technology Upgradation in the Banking Sector (1999): While examining various issues on outsourcing of technology and upgradation, the Committee recommended development of in-house capabilities for managing the audit of the CPPD/IT department and outsourcing the auditing of fully computerised branches (paragraphs 4.5.13 and 4.5.14).
3. Report on Internet Banking (2001): The Working Group was set up to examine different aspects of Internet banking from a regulatory and supervisory perspective and to recommend appropriate standards for adoption in India. The report highlighted several important security policy issues in Internet Banking (various paragraphs under section 9.3).
4. Working Group for Information System Security for the Banking and Financial Sector (2001): The Working Group was constituted to discuss and finalise standards and procedures for IS Audit and IS Security Guidelines for the banking and financial sector. The report serves as a basic document for adopting standards and procedures on a wide range of IS audit and IS security issues.
5. Report of the Committee on Computer Audit (2002): At the behest of BFS, a committee comprising representatives of RBI, ICAI and a few banks was constituted to compile a standardised check list so that all banks can ensure that their computerised branches apply the requisite controls, and so that the branch auditors also verify the same and report accordingly. The check list covered the relevant risk areas, and banks and FIs were to adopt it as general guidelines.
6. IBA's Preventive Vigilance Manual for Computerised Branches of the Banks (2002): The Manual comprehensively covered, amongst other topics, internal controls and security, information security and IS Audit, a check list for self review and compliance, IT Management, IT Policies and Law.
II Instructions issued by Reserve Bank of India:
1. DOS.No.PP.BC.20/16.03.026/96-97, November 1, 1996: Instructions were issued to banks to act upon the Jilani Committee recommendations, which were divided into three parts. One set of 25 recommendations was to be necessarily implemented by banks, while another set of 79 recommendations was to be implemented as far as possible. These recommendations covered EDP audit and the bringing of the entire domain of EDP activities under the scrutiny of the inspection and audit department.
2. Guidelines on "Risks and Controls in Computer and Telecommunications Systems" (February 1998): The Guidance Note outlined various risks and prescribed control measures for risk management; banks were to take into account the nature, scale and complexity of their operating environment when designing control procedures. While formulating the control systems, the additional requirements of the RBI Inspection/Supervisory System and of internal/external auditors were to be considered.
3. Guidelines on Record Maintenance (February 1998 and July 2002): The Guidance Note on Record Maintenance set a minimum level of criteria for record maintenance, which was comprehensively revised in May 2002 on account of changes in legal aspects and operational risks relating to information and communication technology. Banks were advised to comply with the changes in the Record Maintenance Policy, which included an electronic media maintenance policy, and IS Audit should cover a review of the said policy.
4. DOS.No.CO.PP.BC.55/11.01.005/98-99 dated June 19, 1999: Banks were advised to create and set up an EDP audit cell within the Inspection and Audit Department.
5. DBS.CO.PP.BC.11/11.01.005/2001-2002, April 17, 2002, Long Form Audit Report (LFAR) - Revision: The Long Form Audit Report filed by the Central Statutory Auditors covers Automation and Computerisation aspects (paragraph III-V), EDP audit, internal controls and procedures, etc., and Systems and Controls (paragraph III-VII).
6. DBS.CO.PP.BC.10/11.01.005/2002-03, December 27, 2002, on Risk-based Internal Audit: While disseminating the concepts and modalities of switching over to risk-based internal audit, banks were also advised to implement IS Audit as a part of the risk-based internal audit system.