
Page 1: RISK BASED INTERNAL AUDIT POLICY

MEMORANDUM FOR AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

Ref. No. HO:I&A:KPR:049 Date: 15th January, 2007

The Chairman & Managing Director

The Executive Director

Risk Based Supervision in Banks - Migration from the existing Internal Audit system to Risk Based Internal Audit system - Revision in Audit Policy

With the aim of moving towards Risk Based Supervision for ensuring close alignment with the international best practices of banking under the aegis of Basel Committee Recommendations and also in terms of Reserve Bank of India guidelines, vide their letter No.DBS.CO.BC.10/11.01.005.2002-03 dated 27th December 2002, we had initiated necessary steps to review our current internal audit systems and prepared ourselves for transition to a Risk Based Internal Audit (RBIA) system in a phased manner. Accordingly, our Risk Based Internal Audit policy was framed by us and the same was approved by the Audit Committee of the Board on 30.01.2003. We started implementing RBIA at the branches in a phased manner beginning with the audit year 2003-04 initially covering Large and above categories of branches. During 2004-05, RBIA was extended to cover Medium and Small categories of branches also. With some minor modifications, RBIA policy was revised and the revision was approved by the Committee on 29.03.2005. From 2005-06 onwards, RBIA is being conducted on a regular basis at all branches as per the applicable periodicity either along with the existing internal audit or as a separate exercise.

2. As per the RBI guidelines/directives, we are required to switch over to RBIA system replacing the existing internal audit system once the RBIA stabilizes and staff attains proficiency. In view of the fact that RBIA system, being in vogue for the last 4 years, has stabilized in our Bank and the concept has percolated down the line reasonably and also taking into account the cost effectiveness, we have revised our Risk Based Internal Audit policy by incorporating the salient features of the existing internal audit which is mainly transaction-oriented, to have a unified RBIA system which focuses more on risk perception rather than mere transactions. While drafting the revised RBIA policy, we have taken into account the relevant issues/ suggestions/observations made by Risk Management Department, Head Office vide their IOMs No.RMD:RGK:2005-06:107 dated 27.04.2006 and No.RMD:RGK:2005-06:218 dated 29.05.2006 and suitably addressed them in appropriate places.

3. As suggested by Risk Management Department, Head Office vide their IOM No.RMD:RGK:2005-06:218 dated 29.05.2006, the above revised RBIA policy was placed before a Quality Circle comprising a group of General Managers for deliberations and fine-tuning. The meetings were held on 18.10.2006 & 12.12.2006 and after the thorough scrutiny of the policy, the policy was vetted by the Group of General Managers with some suggestions/directions. With due incorporation of the said suggestions/directions, we have redrafted the revised Risk Based Internal Audit policy and now submit the same for the approval of the Audit Committee of the Board. We propose to effect the switch over from the ensuing audit year, 2007-08.

Submitted for approval, please

(B. V. S. Rana)
Asst. General Manager

(S. Sampath)
General Manager


RISK BASED INTERNAL AUDIT POLICY

EXECUTIVE SUMMARY

1. Preamble

1.1. The internal audit system which is in vogue is mainly transaction oriented and is carried out to verify whether the various transactions undertaken by the branches are correctly recorded and whether the stipulated procedures have been adhered to. In this system of audit, the auditors are not analysing the level of risk to which the branch is exposed. In the backdrop of Basel Committee’s Recommendation on Banking Supervision, Risk Based Internal Audit which is essentially an integral part of Risk Based Supervision, was to be introduced in the Banks and the audit system should be revamped so as to have focus mainly on the risk perception rather than the mere transactions testing which should be carried out to the extent of risk exposure under various parameters.

1.2. Accordingly, in terms of RBI guidelines, policy for Risk Based Internal Audit (RBIA) was approved by Audit Committee of the Board on 30.01.2003 and was introduced in our Bank in April, 2003. In the first phase, branches of Exceptionally Large, Very Large, Large and Specialised categories were brought under the purview of RBIA during 2003-04. Then, it was extended to cover all the branches of Medium and Small categories during 2004-05. With some minor modifications, the policy was reviewed and the review was approved by ACB on 29.03.2005. From the year 2005-06, RBIA is being carried out in all the branches on an ongoing basis either as a separate exercise or along with the existing regular internal audit which is mainly transaction based, as per the applicable audit cycle in accordance with the approved policy.

1.3. As per the directive of RBI vide their letter No.DBS.CO.PP.BC.10/11.01.005/2002-03 dated 27th December 2002 and letter No.DBS.CO.PP.BC.17/11.01.005/2004-05 dated 1st February 2005, upon stabilisation of RBIA system and attainment of proficiency by the audit staff in this regard, RBIA should replace the existing internal audit/inspection and action plan should be chalked out for switching over to RBIA. Accordingly, RBIA policy is revised by merging the salient features of existing internal audit into it.


2. Coverage

The Areas covered are:

Cash
Deposits
Foreign Exchange/Dealing Room
Credit
Investments
Bills
Remittances
Government Business
Non-Fund Based Business
Staff & Establishment
Estate & Premises
Computer
Inter-Bank and Inter-Branch reconciliation
Other Miscellaneous Services

3. Approach

While carrying out the Regular Internal Audit, the auditors are scrutinizing the transactions/conduct of the accounts, verifying the security documents executed, ascertaining whether the sanction is within the delegated authority or not, verifying the compliance with the terms of sanction and also scrutinizing other operational areas. Based on the observations, the auditors are pointing out the irregularities/deficiencies existing at the branches; besides they are pointing out the revenue leakage, if any.

In RBIA, the auditors, besides carrying out the same function as mentioned above at the prescribed level in the policy, record their observations in all the areas viz, Advances, Deposits, Profitability, Business Development, Adherence to KYC/KYB norms, Cash Management, Sensitive Stationery Movement, Delegation of Power, Computer Systems Management etc. under positive and negative factors and assess the risk level taking into consideration the overall impact of these positive and negative factors. The negative factors are called risk factors. Based on the risk factors, Monitorable Action Plan (MAP) for mitigating risks under various parameters is suggested by the auditors in the audit report. Different types of audit reports are prepared for General Banking Branches, Asset Recovery Branches and Service Branches and risks are assessed under applicable parameters for these branches.

Transactions testing/checking is not completely dispensed with under RBIA, but is restricted to the level spelt out in the policy.


As per the extant policy guidelines, issue of Special Letters (for serious irregularities noticed in accounts with sanctioned limit/exposure limit of Rs.10 lakh and above and also for revenue leakage detected exceeding Rs.10 lakh per branch) and also Special Observation Report (for serious irregularities noticed in accounts having exposure/sanctioned limit of above Rs.2 lakh but not exceeding Rs.10 lakh per account and revenue leakage detected Rs.20,000/- and over per account or revenue leakage detected for more than Rs.2 lakh but not exceeding Rs.10 lakh per branch) is proposed to be continued under the amalgamated RBIA system.

Under RBIA, the Risk Profile of the branch is prepared based on the audit findings and the Risk Profile reveals the risk level of the branch under various parameters in a nutshell form.

As per the RBIA policy, Risk Profiles of branches will be updated off-site at the following intervals based on all the relevant records such as MIS data with regard to Deposits, Advances, Profitability etc. and also the compliance of previous/latest reports of Concurrent Audit, IS Audit, Regular Internal Audit, RBIA, RBI Inspection etc. which are available at ZO. MAP is suggested in this case also. Risk Profiles thus prepared will be sent to the Branch/ZO for effective implementation of MAP by drawing suitable action points and initiating necessary measures on that. The reports of Risk Profiles of the branches will be closed by the respective ZM within 3 months of the date of Risk Profile. Zonal Audit Committee will also be apprised of the Risk Profiles of branches and also closure of the same by ZM.

Class/Category of branch             Periodicity
All Small & Medium size branches     As of 31st March
All other branches                   As of 31st March & 30th September

4. Risk Assessment & Rating of Branches

(For General Banking Branches; i.e other than Special categories of Branches)

At present, rating of the branches under regular Internal Audit is given under six categories viz. Excellent, V.Good, Good, Satisfactory, Fair & Unsatisfactory whereas under RBIA, the ratings are awarded under 5 Composite Risk categories viz. Low Risk, Medium Risk, High Risk, Very High Risk and Extremely High Risk, the Composite Risk being arrived at with the help of the risk matrix provided by RBI after taking into account the level of Business Risk and Control Risk.

Risk level of the branches is assessed under Business Category and Control Category.

Business Risk of the branches is assessed under Credit Risk, Earnings Risk, Business Strategy Risk & Operational Risk parameters.


Control Risk is assessed under Internal Control Risk and Compliance Risk parameters.

Base Level Risk under each parameter is assessed under ‘Low, Medium & High’ levels as per the percentage of marks obtained, furnished as under:

Risk      Percentage of Marks awarded
Low       Over 75
Medium    50 - 75
High      Below 50

The direction/trend of the risk level is also assessed under ‘Decreasing/Stable/Increasing’ directions. Composite Risk of the branch is arrived at under 5 levels viz. Low Risk, Medium Risk, High Risk, Very High Risk & Extremely High Risk as per the following matrix provided by RBI, taking into account the level of Business Risk and Control Risk.

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risk   Control Risk: Low    Control Risk: Medium   Control Risk: High
High                     A - High Risk        B - Very High Risk     C - Extremely High Risk
Medium                   D - Medium Risk      E - High Risk          F - Very High Risk
Low                      G - Low Risk         H - Medium Risk        I - High Risk

The trend analysis of the composite risk is interpreted as shown below (rows: direction of Inherent Business Risk; columns: direction of Control Risk):

Inherent Business Risk   Control Risk: Decreasing   Control Risk: Stable   Control Risk: Increasing
Increasing               Increasing                 Increasing             Increasing
Stable                   Stable                     Increasing             Increasing
Decreasing               Decreasing                 Stable                 Increasing


Variation of marks in the same category up to +5% or -5% is considered as STABLE. Variation of marks in the same category of more than +5% or -5% is considered as DECREASING/INCREASING, as the case may be.

In the case of Special Categories of branches, base level risk and composite risk will be assessed under applicable parameters as above.

5. Periodicity of Audit

The following periodicity of audit of branches is proposed

Audit Frequency: 6 Months / 9 Months / 12 Months / 15 Months / 18 Months

Categories:

All branches irrespective of the class/category with Composite Risk rating as:
E.High - Increasing/Stable/Decreasing
V.High - Increasing/Stable/Decreasing
High - Increasing/Stable/Decreasing
Medium - Increasing/Stable/Decreasing
Low - Increasing/Stable/Decreasing

Currency Chest with Composite Risk rating as: -do- (the same five ratings as above)

Depository Participant Office with Composite Risk rating as:
E.High/V.High/High - Increasing/Stable/Decreasing
Medium/Low - Increasing/Stable/Decreasing

6. Level of transactions testing

With regard to transaction testing in credit segment, it is proposed that all new accounts (irrespective of sanctioned limits) and also the following percentage of accounts existing (preferably those accounts not covered under previous audit) prior to current audit are to be covered in the current audit.

(In Percentage)

Total Sanctioned Limit or Outstanding per borrower, whichever is more (Rs.)   Small   Medium   Large   Very Large   Exceptionally Large
Upto Rs.50,000                                                                 10      10       5       5            5
Above Rs.50,000/- up to Rs.2 lakh                                              30      25       20      10           10
Above Rs.2 lakh up to Rs.5 lakh                                                100     75       50      25           20
Above Rs.5 lakh up to Rs.10 lakh                                               100     100      75      75           50
Above Rs.10 lakh                                                               100     100      100     100          100


Note: The above level of transaction testing is as per the existing policy and we propose to continue the same.

As regards checking of the existing accounts, audit comments relating to compliance of irregularities pointed out in the last audit report, review/documentation subsequent to last audit and further developments since last audit are to be included.

With respect to transaction testing in the Deposits/Miscellaneous areas, the percentage of deposit accounts/other miscellaneous transactions to be covered which are opened/carried out after the last audit is proposed to be fixed as under:

Size of the Branch     Percentage of accounts/transactions
Small                  40
Medium                 50
Large                  100
Very Large             100
Exceptionally Large    100

However, 100% transaction testing in all the areas (Advance, Deposits, Miscellaneous) will be undertaken in the branches whose Composite Risk rating was assessed as ‘Extremely High/Very High’ in the previous audit.
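As an added illustration of the rating and sampling rules in sections 4 and 6 of this summary (not the Bank's own tool): the marks thresholds for base level risk, the +/-5% trend rule, the RBI composite and trend matrices, and the credit transaction-testing percentages with the 100% override for branches previously rated Extremely High/Very High. It assumes one aggregate marks percentage is fed in per category (Business Risk and Control Risk) and reads the +/-5% rule in percentage points of marks; all sample values are constructed.

```python
"""Branch composite risk rating and credit transaction-testing level under the
RBIA rules summarised on this page. Added illustration, not the Bank's software.
Assumptions: a single aggregate marks percentage per category; the +/-5% trend
rule is applied in percentage points of marks."""
from dataclasses import dataclass

# Composite risk matrix provided by RBI: (business level, control level) -> composite.
COMPOSITE_MATRIX = {
    ("High", "Low"): "High Risk",             # cell A
    ("High", "Medium"): "Very High Risk",     # cell B
    ("High", "High"): "Extremely High Risk",  # cell C
    ("Medium", "Low"): "Medium Risk",         # cell D
    ("Medium", "Medium"): "High Risk",        # cell E
    ("Medium", "High"): "Very High Risk",     # cell F
    ("Low", "Low"): "Low Risk",               # cell G
    ("Low", "Medium"): "Medium Risk",         # cell H
    ("Low", "High"): "High Risk",             # cell I
}

# Trend matrix: (business direction, control direction) -> composite direction.
# Note cell E: Stable business risk with Stable control risk is read as Increasing.
TREND_MATRIX = {
    ("Increasing", "Decreasing"): "Increasing",  # A
    ("Increasing", "Stable"): "Increasing",      # B
    ("Increasing", "Increasing"): "Increasing",  # C
    ("Stable", "Decreasing"): "Stable",          # D
    ("Stable", "Stable"): "Increasing",          # E
    ("Stable", "Increasing"): "Increasing",      # F
    ("Decreasing", "Decreasing"): "Decreasing",  # G
    ("Decreasing", "Stable"): "Stable",          # H
    ("Decreasing", "Increasing"): "Increasing",  # I
}

# Credit transaction testing: percentage of existing accounts to check, by
# band of total sanctioned limit/outstanding (Rs.) and branch size.
BRANCH_SIZES = ("Small", "Medium", "Large", "Very Large", "Exceptionally Large")
LAKH = 100_000
CREDIT_SAMPLE = [  # (upper bound of band in Rs., inclusive; None = no upper bound)
    (50_000, (10, 10, 5, 5, 5)),
    (2 * LAKH, (30, 25, 20, 10, 10)),
    (5 * LAKH, (100, 75, 50, 25, 20)),
    (10 * LAKH, (100, 100, 75, 75, 50)),
    (None, (100, 100, 100, 100, 100)),
]
FULL_TESTING_RATINGS = {"Extremely High Risk", "Very High Risk"}


def base_level(marks):
    """Percentage of marks -> base level risk: over 75 Low, 50-75 Medium, below 50 High."""
    if not 0 <= marks <= 100:
        raise ValueError(f"marks must be a percentage, got {marks}")
    if marks > 75:
        return "Low"
    if marks >= 50:
        return "Medium"
    return "High"


def direction(previous_marks, current_marks):
    """Variation of up to +/-5 points is Stable; a larger rise in marks means the
    risk is Decreasing, a larger fall means it is Increasing."""
    delta = current_marks - previous_marks
    if abs(delta) <= 5:
        return "Stable"
    return "Decreasing" if delta > 0 else "Increasing"


@dataclass
class Rating:
    business_level: str
    control_level: str
    composite: str
    trend: str


def rate_branch(business_prev, business_now, control_prev, control_now):
    """Composite risk and its trend from the two categories' previous and current marks."""
    b_level, c_level = base_level(business_now), base_level(control_now)
    trend_key = (direction(business_prev, business_now), direction(control_prev, control_now))
    return Rating(b_level, c_level, COMPOSITE_MATRIX[(b_level, c_level)], TREND_MATRIX[trend_key])


def credit_sample_percent(branch_size, limit_rs, is_new_account, previous_composite):
    """Percentage of credit accounts in the borrower's band to cover in the current audit.
    New accounts are always covered; so is everything at a branch whose previous
    composite rating was Extremely High/Very High."""
    if is_new_account or previous_composite in FULL_TESTING_RATINGS:
        return 100
    column = BRANCH_SIZES.index(branch_size)  # raises ValueError for an unknown size
    for upper_bound, percentages in CREDIT_SAMPLE:
        if upper_bound is None or limit_rs <= upper_bound:
            return percentages[column]


if __name__ == "__main__":
    # Constructed sample: business marks fell 80 -> 72, control marks fell 60 -> 48.
    r = rate_branch(80, 72, 60, 48)
    print(r)  # Very High Risk, Increasing
    print(credit_sample_percent("Large", 3 * LAKH, False, r.composite))  # 100 (override)
```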

7. Compliance & Closure of Audit Reports

Category of Branches: Large, Medium, Small & Specialised (Small & Medium category) branches
Compliance time by branches: Within 2 months from the date of audit report
Closure at ZAC/GM: Within 3 months from the date of audit report at ZAC for branches with Composite Risk Rating as High (* where both Business Risk and Control Risk are Medium), Medium & Low Risk; and by GM(I&A) for branches under High (# where one of Business Risk or Control Risk is High and the other is Low), Extremely High / Very High Risk

Category of Branches: Exceptionally Large, Very Large & Specialised (other than Small & Medium category) branches
Compliance time by branches: Within 3 months from the date of audit report
Closure at ZAC/GM: Within 4 months from the date of audit report at ZAC for branches under High (* as above), Medium & Low Risk; and by GM(I&A) for branches under High (# as above), Extremely High / Very High Risk

8. Selection of Auditors

The guidelines for selection of audit officers are as under, at present:

1) He/She should be in Scale II/III and should have completed rural/semi-urban branch exposure of minimum 3 years.

2) Should possess adequate exposure/knowledge of Branch Banking in general and in Advances/Foreign Exchange/Computer Operations

3) Must have ‘A’ rating in Annual Performance Appraisal (APA) for preceding 3 years

4) The tenure for posting in Audit will be 3 years

9. Reporting to Head Office (Audit) Sub-Committee

i) Gist of audit observations on negative factors (risk factors) along with the present status of compliance of RBIA reports of all branches with Composite Risk rating assessment as ‘Extremely High-Increasing/Stable/Decreasing and Very High-Increasing/Stable/Decreasing’ irrespective of size will be reported to Head Office (Audit) Sub-Committee for reporting.

ii) Gist of findings in special letters will be reported to Head Office (Audit) Sub-Committee for reporting.

10. Reporting to Audit Committee of the Board/Reserve Bank of India

i) Summarized position of RBIA reports of H.O.Depts, Zonal Offices, Zonal Audit Offices, MDI, ZTCs, and Bank’s Subsidiaries closed at Head Office (Audit) Sub-Committee will be submitted to Audit Committee of the Board for noting (no other RBIA reports are closed at HOASC).

ii) Gist of audit observation with status of compliance in respect of audit reports of all Specialised Branches and Exceptionally Large Branches irrespective of their risk rating will be submitted to Audit Committee of the Board for noting at quarterly intervals.


iii) The progress made in implementation of Risk Based Internal Audit will be submitted to Reserve Bank of India on quarterly basis as per the directives of RBI.

11. Any modification in the reporting format, either addition or deletion of any item necessitated due to change in policy of the Bank or change in operational guidelines, may be approved by GM (I&A), provided it does not envisage any change in the audit policy guidelines already approved by the Audit Committee of the Board.


RISK BASED INTERNAL AUDIT POLICY

1. Definition

The Risk Based Internal Audit is a process which helps broaden the perspective of internal audit that includes the verification through usage of risk management techniques and efficacy of internal control system under various areas / parameters.

2. Scope

2.1 The scope of Risk Based Internal Audit will be to provide reasonable assurance to the Board and Top Management, which includes:

2.1.1 Review of internal control system and procedures

(a) The audit function should provide high quality counsel to management on the effectiveness of risk management and internal controls under various parameters including regulatory compliance.

(b) The internal control system is in consonance with the organisational structure. The controls should be in-built in the operating functions to be cost effective.

(c) Each control should be reviewed and analysed in terms of its costs and benefits. It would also be seen whether the internal controls were in use throughout the period of intended reliance i.e. period between the two consecutive audits.

2.1.2 Review of Custodianship and safeguarding of assets in the context of risk perception – monetary and non-monetary

(a) Auditor would review the control system to ensure that all assets are accounted for fully. He would also review the mitigants available and used for safeguarding assets against the risks which may eventually be leading to financial loss.

(b) In case of use of electronic data processing equipment, the physical and system control on processing facilities as well as on data storage would be examined and tested.

(c) He would also review the adequacy of insurance cover for the various risks involved.

(d) He should check the verification system of assets at the branch.

2.1.3 Review of relevance and reliability of information


(a) The Internal Auditor would review the information system to evaluate the reliability and integrity of financial and operating information given to management and to external agencies such as government bodies, local monetary authorities, etc.

(b) The internal auditor would also review the means used for measuring, classifying and reporting information including the records from which it is extracted.

2.1.4 Review of utilisation of resources

(a) Internal auditor should check whether there is under staffing and over staffing in various areas/ departments by examining the working of the branch as these prevent optimum use of resources.

(b) The auditor would also evaluate resources utilisation, identifying the facilities, which are under-utilised which may result in lesser/no income or loss. Such instances may consist of under-utilised man, machine and matter of any kind.

2.1.5 Review of accomplishment of goals and objectives

(a) The auditor should critically evaluate the accomplishment of corporate objectives in the backdrop of good risk management and availability of suitable strategy/plan for achieving the same.

(b) Review of means for achieving the goals would form the basis for evaluating the performance of each of the field functionaries.

2.1.6 Examining the effectiveness of control framework

(a) The auditor should report on proper recording and reporting of major exceptions and excesses that lead to risk perception.

(b) Transaction testing would continue to remain an essential aspect of risk based internal audit. The extent of transaction testing will have to be determined based on the risk assessment.

2.1.7 Review of the systems in compliance with money laundering identifying business risks/ control risks

The auditor should review the systems in place at the branch for ensuring compliance with money laundering controls, identifying potential inherent business risks and control risks, if any.


2.1.8 The auditor should review/ report on:

(a) process by which risks are identified, analysed, measured and managed in various areas;

(b) the risk mitigating/control environment in various areas;

(c) gaps, if any, in control mechanism, which might lead to financial loss on account of non-adherence to extant guidelines due to ignorance, negligence or fraudulent acts and identification of fraud prone areas;

(d) budgetary control and performance reviews;

(e) monitoring compliance with the risk based internal audit report;

(f) variation, if any, in the assessment of risks made during the profiling offsite vis-à-vis risk based internal audit.

2.2 Inspection and audit will be risk based and the same is introduced at all branches in a phased manner since April, 2003.

(Head Office Departments, Zonal Offices, Zonal Audit Offices, Regional Rural Banks and Subsidiaries are brought under the ambit of Risk Based Management Audit. A separate policy document is prepared for Risk Based Management Audit)

3. Objective:

3.1 RBIA essentially entails the allocation of audit resources and monitoring according to risk profile to minimise the impact of crisis situations. It involves review and report on control environment as a whole, the process by which the risks are identified, analysed, measured and managed, the line of control over key processes, reliability of branch management function, safeguarding of assets and compliance with rules and regulations and also external environment.

3.2 The main objectives of Risk Based Internal Audit are:

(a) To undertake allocation of audit resources in accordance with the risk profile to minimise the impact of crisis situations i.e. to draw audit plans based on risk assessment

(b) To ensure that the risks faced by the Bank in its efforts to meet its goals –short term as well as long term are identified, risk is assessed and the procedure followed for monitoring the risk is correct and fool proof.

(c) To answer the basic question about ‘what is’ as compared to ‘what should be’ the way the branch is managing risks.

(d) To evaluate the process, by which the risks are identified, analysed, measured, monitored and managed by reviewing and reporting on the line of control over key processes i.e. control environment as a whole instead of identifying and testing controls.

(e) To test ‘how well all the risks perceived by the bank are managed’ rather than finding out ‘whether the control over risks are adequate and effective’.


(f) To differentiate activities on the basis of risk assessment of each activity during internal audit.

(g) To review and report on reliability of branch management function, safeguarding of assets and compliance with rules and regulations.

4. Approach

4.1 The present internal audit is mainly transaction based and is carried out to verify whether the various transactions undertaken by the branch are correctly recorded and whether the prescribed procedures /guidelines issued by Head Office/RBI/ Government of India have been observed/ complied with. Thus during the course of audit, the extent of risk undertaken by the branches and the factors available for mitigating the same under various areas is not assessed, which is a vital component for the existence of the Bank.

4.2 The principal responsibility of managing the risks vests with the management, the strategy of RBIA begins with independent risk analysis and allocation of audit resources is planned on the level of risks identified. RBIA would mean that greater emphasis is placed on role of mitigating risks. More attention will be paid to high risk areas vis-à-vis medium and low risk areas.

4.3 Risk Based Internal Audit being a new exercise, a gradual but effective approach would be necessary for its implementation. Since the internal audit system was fairly deep-rooted, the risk based audit system is introduced in a phased manner. Initially we conducted Risk Based Internal Audit of all branches under the categories of Exceptionally Large, Very Large, Large and Specialised (irrespective of their size) during 2003-04. As the staff started attaining proficiency in the new system, the scope was extended to cover Medium and Small branches also during 2004-05. Now, all the branches have got accustomed to RBIA and hence RBIA is being carried out at the branches as per the applicable audit cycle from 2005-06 on an ongoing basis. In terms of RBI guidelines, the time has come now to merge the existing system of transaction audit with Risk Based Audit with a view to have only one unified audit system mainly focussing the risk perception on a larger way and restricting the transaction checking to a limited extent and the unified system is proposed to be made effective in 2006-07.

4.4 The pre-requisites for implementation of RBIA in the Bank would be:

a) Total revamping of existing internal audit system,

b) Making available the required resources such as manpower, development of expertise through training including on-the job training to identified officers, technical up-gradation, etc.

c) Putting in place revised policy guidelines, procedures, methodology, etc.


5. Coverage

5.1 Inspection & Audit will be conducted encompassing all the functional areas of the branch in such a manner that it serves as an important tool of internal control. Risk based audit will address audit coverage from risk management angle and it will be planned on the basis of level of risks identified i.e. coverage will be tapered according to level of identified risks with high risk areas getting priority over low risk in allocation of audit resources. The audit will cover the adequacy as well as implementation of various systems and procedures adopted in identification, measurement and mitigation of different risks. It should cover transactions during review period i.e. period between two consecutive audits. The items of coverage during inspection/ audit of the branches are given in Annexure-1.

5.2 The strategy of RBIA constitutes an independent risk analysis through proper allocation of available audit resources i.e. allocating more resources for the areas with higher risks. RBIA envisages branch-wise and business process-wise risk assessment before on site auditing. The exercise will allow identification of high risk areas and work prioritisation.

5.3 Risk Analysis of various Departments/ Sections

Areas to be looked into for Risk Analysis of various Departments/ Sections are given in Annexure-2, which covers the different risks involved.

The Departments covered are:
Cash
Deposits
Foreign Exchange/Dealing Room
Credit
Investments
Bills
Remittances
Government Business
Non-Fund Based Business
Staff & Establishment
Estate & Premises
Computer
Inter-Bank and Inter-Branch reconciliation
Other Miscellaneous Services

6. Risk Assessment

6.1 The risk based internal audit undertakes risk assessment for the purpose of formulating the risk based audit plan. The risk assessment would, as an independent activity, cover risks at various levels (corporate and branch; the portfolio and individual transactions, etc.) as also the processes in place to identify, measure, monitor and control the risks.


Clarification : The risk based internal audit undertakes an independent risk assessment solely for the purpose of formulating the risk based audit plan keeping in view the inherent business risks of an activity/ location and the effectiveness of the control systems for monitoring the inherent risks of the business activity.

6.2 The assessment process would, inter alia, include the following:

Identification of inherent business risks in various activities undertaken by the bank.

Evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (‘Control risk’).

Setting up of rating norms with a view to determining the level of risk to which the bank is exposed viz; low, medium or high and the direction of the risk to which the bank is proceeding viz; increasing, decreasing or stable.

Mapping of business risk and control risk and the identification of the direction of risk to enable to direct the resources to those areas of working which depict higher risk.

Drawing up a risk matrix for taking into account both the factors viz. inherent business risks and control risks. The illustrative risk matrix (level) and risk matrix (trend/direction) are shown below:

Risk Matrix (Level) (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risk   Control Risk: Low    Control Risk: Medium   Control Risk: High
High                     A - High Risk        B - Very High Risk     C - Extremely High Risk
Medium                   D - Medium Risk      E - High Risk          F - Very High Risk
Low                      G - Low Risk         H - Medium Risk        I - High Risk

Risk Matrix (Trend/Direction) (rows: direction of Inherent Business Risks; columns: direction of Control Risks)

Inherent Business Risk   Control Risk: Decreasing   Control Risk: Stable   Control Risk: Increasing
Increasing               A - Increasing             B - Increasing         C - Increasing
Stable                   D - Stable                 E - Increasing         F - Increasing
Decreasing               G - Decreasing             H - Stable             I - Increasing


6.3 The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of control in various business activities. In order to focus attention on areas of greater risk to the bank, an activity-wise and location-wise identification of risk would be undertaken.

6.4 The assessment methodology would include, inter alia, the following parameters:

- Previous internal audit reports and their compliance
- Proposed changes in business lines or change in focus
- Significant change in management/key personnel
- Results of the latest regulatory examination report
- Reports of external auditors
- Management information data
- The significance of an activity and the volume of business
- Substantial deviations/variations in performance vis-à-vis the budget
- Industry trends and other environmental factors
- Time lapsed since the last audit

6.5 While the interval for undertaking formal risk assessment may be one year, more frequent formal risk assessments would be desirable if the overall risk to which a branch is exposed, is perceived as high.

7. Audit Prioritisation

7.1 In order to formally assess the degree of the various business and control risks at each branch under its jurisdiction, to prioritise the risk based internal audit of those branches and to prepare the audit plan accordingly, each Zonal Audit Office will prepare/update the risk profile of the branch as per Annexure-3 (as enumerated under para 13.3) well in advance of the audit. The audit conducted later is then compared against the profile to find out whether the pre-audit risk assessment turned out to be true, in particular whether the areas identified as high risk did indeed turn out to be high risk, and vice versa for low risk. The format for obtaining/updating the risk profile of the branch is as per Annexure-3.

7.2 On-site inspection covers actual Business Strategies adopted by the branch, Review of compliance methodology, Adequacy of Internal Controls, Risk Management controls, Business Environment- location, competition, clientele, products and services, Quality of Customer Service, Awareness of staff regarding systems and procedures, Futuristic View of Business Strategies, Know Your Customers/Business norms.

8. Periodicity of Audit


8.1 Inspection and audit of branches will be conducted once every 18/15/12/9/6 months depending on the composite risk rating of the branch assessed during the preceding audit.

8.2. Audit Frequency: It is based on Composite Risk rating as mentioned below:

Category of office / Composite Risk rating                              Audit Frequency

All branches, irrespective of class/category, with Composite Risk rating as:
  Extremely High - Increasing/Stable/Decreasing                          6 months
  Very High - Increasing/Stable/Decreasing                               9 months
  High - Increasing/Stable/Decreasing                                    12 months
  Medium - Increasing/Stable/Decreasing                                  15 months
  Low - Increasing/Stable/Decreasing                                     18 months

Currency Chest with Composite Risk rating as:
  (same as for branches above)                                           6/9/12/15/18 months respectively

Depository Participant Office with Composite Risk rating as:
  Extremely High/Very High/High - Increasing/Stable/Decreasing           6 months
  Medium/Low - Increasing/Stable/Decreasing                              12 months

Note: All the newly opened branches should be audited immediately after completion of six months of their opening.

9. Norms for allotment of mandays

Allotment of mandays will be dependent on the percentage of transaction testing, which in turn is based on the risk perception/assessment under the various areas/parameters evaluated as per the latest risk profile of the branch, whether prepared offsite or at the time of the last RBIA, whichever is found more adverse, taking into consideration the business growth during the review period, the business mix, the number of accounts at the branch, etc.

10. Approval of Annual Audit Plan

10.1 Taking into consideration the norms for allotment of mandays as stated under item No.9 of the policy document, in the month of March every year the Annual Audit Plan for the next financial year will be called for from all the Zonal Audit Offices, giving the number of branches/other offices to be audited along with the number of mandays required and the number of mandays available. The annual audit plans of all the Zonal Audit Offices will be consolidated at Head Office, and the consolidated Annual Audit Plan will be put up to the General Manager, Inspection & Audit Department for approval by the end of March every year. Manpower requirement for carrying out the Audit Plan is determined on the basis of 210 mandays per officer, after providing for holidays, leave, 'shut period', travel time etc.


Further, the audit exercise will be suspended during the ‘shut period’ i.e; March/April and September/October for approximately 15 days each, so as to facilitate the branches to concentrate on the Annual/Half-yearly closing work.

10.2 The prioritisation of Audit Resources will be determined by drawing Audit Plan with the help of Risk Audit Matrix as provided in item No.15 of the policy document by respective ZAOs and consolidated at HO, I&A which will be approved by GM, I&A.

11. Guidelines for selection of Audit Officers

The broad criteria, which are indicative in nature, for selection of officers for Audit are as under:

(a) The Officer should be in Scale II or III and should have completed rural/semi-urban branch exposure of a minimum of 3 years.
(b) The Officer must have knowledge of/exposure to Branch Banking in general.
(c) The Officer must possess knowledge in advances/foreign exchange/computer operations. Exposure to investment portfolio management will be an added advantage.
(d) The Officer must have an 'A' rating in the Annual Performance Appraisal (APA) for the preceding 3 years.
(e) The tenure of Officers selected for posting in Audit will be 3 years.

12. Role of auditor

12.1 Under the risk based internal audit, the main objectives being the assessment of the risks to which the bank is exposed as well as the evaluation of the available internal control mechanism, the auditor, while evaluating the risk, has to keep in view the following:

a) Previous Audit Reports - Internal, Concurrent, Statutory, RBI, IS Audit, etc. and their compliance
b) Proposed changes in business lines or change in focus
c) Significant change in management/key personnel
d) Industry trend
e) Other environmental factors, including the macro/micro economic environment
f) Time elapsed since the last audit
g) Prior audit findings and action taken on them
h) Volume of business, taking into account the potential available
i) Internal controls and control environment
j) Quality and experience of management, i.e. the Manager and his deputies
k) Complexity of the business handled by the branch
l) Deviation from the Budget Plan


12.2 The internal auditor has to:

a) Interface with the Branch Manager and other officers and staff members.
b) Assess the effectiveness of the business strategies applied and the policies and procedures implemented by the branch for achievement of Corporate Goals.
c) Review:
   - the mechanism for reporting compliance with policies and procedures;
   - accuracy in reporting and its impact;
   - adequacy of internal control and risk management control;
   - branch specifics: location, business environment, competition faced, etc.;
   - quality of customer service, including handling of customer complaints;
   - level of awareness of the bank's systems, procedures, implementation, products and services, pricing, etc. amongst staff at all levels;
   - future business strategies in relation to the potential available in the area of operation.

12.3 The auditor has to examine and evaluate every activity undertaken by the branch. In the process he has to, inter alia:

a) Check the verification system of assets at the branch.
b) Scrutinise the advances as well as the investments portfolio, including the decisions taken therefor and compliance with laid down procedures, taking into account the risk mitigating tools available at the branch.
c) Carry out transaction testing, focusing on risks.
d) Test compliance with local regulations.
e) Scrutinise budgetary control and the Performance Review System.
f) Test the controls in place, particularly those for prevention and detection of frauds.

13 Pre-audit preparations by Audit Teams

13.1 It involves formal preparation/updation of risk profiles of branches as enumerated in para 13.3 for determining audit objectives/scope by evaluating internal controls in managing/mitigating risk and level of compliance by walkthroughs, Testing, Data Collection, Inter-face with controlling officials. Based on this, wherever level of risk assessment is found to be high, medium or low, the level of transaction testing (as enumerated under item No.15 of this policy document) while carrying out RBIA is determined to ensure that the bank’s exposure to risk from a given function or activity is accurately captured and monitored. Thus, the exercise of preparation/updation of risk profile of branches is a pre-requisite for carrying out effective RBIA. No doubt, the risk profile prepared upon carrying out RBIA at the branch will reflect the accurate assessment of level and direction of risks under various parameters.

13.2 The Risk profile document, which is the final output of the risk assessment exercise, is intended to be a dynamic document, and hence all changes and developments within and outside the bank that may have an impact on the risk profile are to be tracked on an ongoing basis. That is, updation of the risk profile will have to be taken up periodically. However, considering the nature and volume of business and other services handled at branches, the periodicity for updating the risk profiles of branches of different class/category is proposed as under:

Class/Category of branch              Periodicity of updating the risk profile
All Small & Medium size branches      As of 31st March
All other branches                    As of 31st March & 30th September

13.3 For updating the Risk Profiles of branches (prepared off-site), the auditors can utilise the following sources of inputs, which may be available at the respective Zonal Offices under whose jurisdiction the branches are functioning, and need not visit the branches:

a) Inspection report of RBI, if any available, and its compliance
b) Concurrent Audit Reports and their compliance
c) Latest Internal Audit/IS Audit/Revenue Audit Reports and their compliance
d) Statutory Audit Report, LFAR and their compliance
e) MIS data including CCIS returns, QHP, MHP, BPR, CA-23 etc.
f) Latest Risk Profile, previous Risk Based Internal Audit Report and compliance thereof
g) Any guidelines/directions given to the Branch by the controlling authorities and the extent of their compliance
h) Any other information pertaining to the Branch

13.4 The Risk Profiles will be updated and sent to the branches by the Zonal Audit Offices within a fortnight from the conclusion of the concerned period covered as stipulated in 13.2 above with a copy to the respective Zonal Office for compliance and follow-up (as enumerated in para 17.3 & 17.4)respectively.

14. Reporting Format

14.1 Risk Based Internal Audit Report:

We have in place suitable formats for reporting the positive factors (the strength) and the negative factors (weakness) observed during the conduct of RBIA at different category of branches (General Banking Branches, Asset Recovery Branches, Treasury Branch, Service/Drafts Paying Branches, Currency Chests) considering mainly the risk perception under each area and also the transaction testing to the limited extent as provided in the policy document along with the suggestions of Monitorable Action Plan by the auditors for mitigating risk under various parameters. The audit report formats for different category of branches as specified above are provided in Annexure – 4.


14.2 Special Letter/ Special Observation Report:

14.2.1 If during the course of audit any serious irregularities (the nature of such irregularities are listed in the Annexure-I) involving amount above Rs.10.00 lakh (either sanctioned limit or outstanding whichever is more) per account / revenue leakage detected exceeding Rs.10 lakh per branch, which may put bank’s interest in jeopardy, are noticed by the Auditors, the same should be brought to the notice of Chief Incumbent of the branch and thereafter to the respective Zonal Audit Chief in the form of Special Letter as specified in the format as per the Annex. In such cases where, the Branch Manager is himself involved in the irregularities, which may be fraudulent in nature, such discussions with him are not necessary. The Special Letter for reporting such irregularities will be vetted by the Zonal Audit Chief before forwarding the same to the Branch/Zonal Office with a copy to Inspection and Audit Department, Head Office immediately.

14.2.2 If during the course of audit any serious irregularities (the nature of such irregularities is listed in Annexure-I) involving an amount above Rs.2.00 lakh and up to Rs.10.00 lakh per account (either sanctioned limit or outstanding, whichever is more), or revenue leakage detected of Rs.20,000 and over per account, or total revenue leakage detected of more than Rs.2.00 lakh but not exceeding Rs.10.00 lakh per branch, are noticed by the Auditors, the same should be brought to the notice of the Chief Incumbent of the branch and thereafter to the respective Zonal Audit Chief in the form of a Special Observation Report as specified in the format as per the Annex. In cases where the Branch Manager is himself involved in the irregularities, which may be fraudulent in nature, such discussions with him are not necessary. The Special Observation Report for reporting such irregularities will be vetted by the Zonal Audit Chief before being forwarded to the Branch/Zonal Office, with a copy to the Inspection and Audit Department, Head Office, immediately.

14.2.3 For other matters (the gist of such matters is provided in the Annexure-I), where the quantification of amount involved is not possible, Special Letter or Special Observation Report will be issued depending upon the nature and seriousness of irregularity.

14.3 Risk Profile:


Risk Profiles prepared on conduct of RBIA will serve as Composite Inspection Notes, which furnish in brief the actual risk assessment under the various parameters and also contain the Monitorable Action Plan suggested by the auditors for mitigating risks. Upon completion of RBIA at branches, the Zonal Audit Offices will immediately send a copy of such Risk Profiles only to HO, I&A. However, in the case of branches with composite risk rating 'Extremely High/Very High', or 'High' where one of Business Risk or Control Risk is rated High and the other Low, the Risk Profiles should be sent along with the audit report of such branches. Further, Risk Profiles will be updated as per the applicable periodicity enumerated in item No.13.2. In both cases, Risk Profiles are to be vetted by the Zonal Audit Chief before being sent to the concerned branches/ZO/HO, I&A.

15. Rating of Branches

The audit rating of the branches will be done by the Audit team after conclusion of the audit based on its performance in relation with the level of control/mitigation of risks under various parameters observed during the course of audit covering the period from the date of commencement of last audit till the preceding date of commencement of the current audit as per applicable Annex-6. The branches will be awarded rating separately under each parameter and rating for consolidated performance under the parameters of Business Risk and Control Risk based on which the Composite Risk or Aggregation of Risk of the branch as per the matrix prescribed by RBI will be arrived at. There will be three basic level risk ratings i.e. Low, Medium and High under each parameter. The trend/direction viz., Increasing, Stable and Decreasing will also be indicated by comparing the level of risk under each parameter at the time of previous audit/latest updated profile with the level assessed during the current audit.

BASIS FOR RISK ASSESSMENT

Risk        Percentage of marks awarded
Low         Over 75
Medium      50 - 75
High        Below 50

The probable reasons/ attributes and the meaning attached to each rating are given in the following chart.


Sr. No. / Level and Direction of Risk / Probable Reasons/Attributes / Meaning for Controlling Authorities

1. High - Increasing
   Probable reasons/attributes: Deterioration to a large extent in risk management, operational efficiency, compliance, asset quality and earnings during the review period.
   Meaning for controlling authorities: Controlling Authority to analyse the reasons (including the negative factors brought out by the auditors in the report) for the deterioration and initiate a suitable immediate action plan (besides the Monitorable Action Plan suggested by the auditors) for improvement within a period of one month, and monitor the branch performance on a regular basis.

2. High - Stable
   Probable reasons/attributes: Status quo ante of a perturbing level in risk management, operational efficiency, compliance and asset quality, coupled with stability in earnings during the review period.
   Meaning for controlling authorities: Controlling Authority to initiate an immediate action plan, including the Monitorable Action Plan suggested by the auditors, for improvement within a period not exceeding two months, and monitor the branch performance on a regular basis.

3. High - Decreasing
   Probable reasons/attributes: Slight improvement in the perturbing level of risk management, operational efficiency, compliance, asset quality and earnings during the review period.
   Meaning for controlling authorities: Controlling Authority to initiate a suitable action plan, including the Monitorable Action Plan suggested by the auditors, for improvement within a period not exceeding two months, and monitor the branch performance on a regular basis.

4. Medium - Increasing
   Probable reasons/attributes: Increasing trend of inadequacy in risk management, operational efficiency, compliance, asset quality and earnings during the review period, which may be of a temporary nature and can be corrected within a period not exceeding three months.
   Meaning for controlling authorities: Controlling Authority to analyse the reasons for the inadequate risk management, suggest suitable remedial action, monitor the performance and review the progress from time to time.

5. Medium - Stable
   Probable reasons/attributes: Status quo ante of inadequacy in risk management, asset quality and earnings during the review period.
   Meaning for controlling authorities: Controlling Authority to monitor the performance and review the progress from time to time.

6. Medium - Decreasing
   Probable reasons/attributes: Improvement over the previous rating, and in asset quality and earnings, during the review period.
   Meaning for controlling authorities: Controlling Authority to monitor the performance and review the progress from time to time.

7. Low - Increasing
   Probable reasons/attributes: Deterioration in risk management, which was reasonably good, and in operational efficiency, compliance, asset quality and earnings during the review period, which can be corrected within a reasonable time.
   Meaning for controlling authorities: Controlling Authority to analyse the reasons for the deterioration, guide the branch suitably and monitor the position in the normal course.

8. Low - Stable
   Probable reasons/attributes: Status quo ante of reasonable risk management, operational efficiency, compliance, asset quality and earnings during the review period.
   Meaning for controlling authorities: Controlling Authority to analyse the reasons for the stagnation and supervise the branch in the normal course.

9. Low - Decreasing
   Probable reasons/attributes: Appreciable level of risk management, operational efficiency, compliance, asset quality and earnings during the review period.
   Meaning for controlling authorities: Controlling Authority to supervise the branch in the normal course so as to maintain the level.

The transaction testing will be determined based on Risk Audit Matrix depending on the level/direction of risk under each parameter of both Business Risk and Control Risk categories as per the latest updated pre-audit risk profiling of branches assessed on the basis of the frequency of risk (probability of default) and the magnitude of risk (loss given default) in the respective areas as under:

Risk Audit Matrix
(rows: Magnitude of Risk; columns: Frequency of Risk; M = magnitude, F = frequency)

                      Frequency of Risk
Magnitude of Risk     Low                  Medium                  High
High                  High M / Low F       High M / Medium F       High M / High F
Medium                Medium M / Low F     Medium M / Medium F     Medium M / High F
Low                   Low M / Low F        Low M / Medium F        Low M / High F


However, with regard to transaction testing in the credit segment, it is proposed that all new accounts (irrespective of sanctioned limits), and also the following percentage of the accounts existing prior to the current audit (preferably those accounts not covered under the previous audit), are to be covered in the current audit.

(In Percentage)

Total Sanctioned Limit or Outstanding        Size of Branch
per borrower, whichever is more (Rs.)        Small   Medium   Large   Very Large   Exceptionally Large
Upto Rs.50,000                               10      10       5       5            5
Above Rs.50,000 up to Rs.2 lakh              30      25       20      10           10
Above Rs.2 lakh up to Rs.5 lakh              100     75       50      25           20
Above Rs.5 lakh up to Rs.10 lakh             100     100      75      75           50
Above Rs.10 lakh                             100     100      100     100          100

In the case of checking the accounts in existence prior to current audit, audit comments relating to compliance of irregularities pointed out in the last audit report, review/documentation subsequent to last audit and further developments since last audit are to be included.

As regards transaction testing in the Deposits/Miscellaneous areas, the percentage of deposit accounts/other miscellaneous transactions to be covered which are opened/carried out after the last audit is proposed to be fixed as under:

Size of the Branch        Percentage of accounts/transactions
Small                     40
Medium                    50
Large                     100
Very Large                100
Exceptionally Large       100

However, 100% transaction testing in all the areas (Advance, Deposits, Miscellaneous) will be undertaken in the branches whose Composite Risk rating was assessed as ‘Extremely High/Very High’ in the previous audit.

16. Exit Meeting:


Upon completion of the risk based audit, the team leader, along with the other members of the team, will interact with the officials of the branch, present the SWOT analysis and indicate the risk areas, in addition to the team's suggestions for achieving perceptible improvement in the overall functioning of the branch audited. The team will also suggest a Monitorable Action Plan (MAP) for mitigating the risks in the various areas of the branch. The minutes of the exit meeting will be submitted along with the audit report in the format provided in Annexure – 5.

17. Compliance and Follow-up for Compliance of Audit Report, Updated Risk Profile

17.1 Compliance of Report – The primary responsibility for qualitative and timely compliance i.e; attending to all the negative factors brought out in the audit report conclusively and also initiating necessary measures by way of drawing suitable action points (help of the Zonal Office may be availed, if required) for implementing the Monitorable Action Plan suggested by the auditors and furnishing the present status of compliance of the same will rest with the auditee branch. The time limit for compliance will be two months from the date of audit report for Large, Medium, Small & Specialised (Small and Medium categories) Branches and three months for Exceptionally Large, Very Large and Specialised (other than Small and Medium categories) Branches.

17.2 Follow-up for Compliance of Reports – The primary responsibility of ensuring timely and qualitative compliance through well designed follow-up system will be that of Zonal Office. Follow-up Audit Cell (FAC) at Zonal Office will be the focal point and function as single point contact for all audit matters. After ensuring conclusive compliance, the ZO should submit to the appropriate authorities for closure of the audit reports of Large, Medium, Small & Specialised (Small and Medium categories) branches within three months from the date of the report and four months in the case of Exceptionally Large, Very Large and Specialised (other than Small and Medium categories) branches and the concerned branches should be advised accordingly.

17.3 Compliance of Updated Risk Profile – Taking into consideration the negative factors, the branch will draw up suitable action points (help of the Zonal Office may be availed, if required) for implementing the Monitorable Action Plan suggested in the updated risk profile, and will submit the measures initiated, along with the present status of their compliance, to the Zonal Office within two months of the date of the profile.

17.4 Follow-up for Compliance of Updated Profile - Follow-up Audit Cell of ZO should follow-up with the branch for compliance of the Monitorable Action Plan. After ensuring conclusive compliance, it should be submitted to the Zonal Manager for closure within three months of the date of the profile and the concerned branch should be advised accordingly.


17.5 Compliance with the Monitorable Action Plan suggested in the updated Risk Profile of branches will be taken up for review during Zonal Audit Committee meetings.

18. Level of Authority for Noting & Closure of Audit Reports

18.1 Risk Based Internal Audit Reports: The audit reports of the branches will be submitted for Noting / Closure at Zonal Audit Committee meeting / to GM, I&A,H.O. after ensuring conclusive compliance of the negative factors and the Monitorable Action Plan brought out in the reports. The audit reports of Large, Medium, Small & Specialised (Small and Medium categories) branches should be closed within three months from the date of the report and four months in the case of Exceptionally Large, Very Large and Specialised (other than Small and Medium categories) branches at Zonal Audit Committee/GM, I&A, H.O. level as per the authority specified as under. In the case of audit report of DPO, the report should be closed within one month from the date of report by ZAC.

Composite Risk of Branches                                  Assessment of conclusive compliance ensured by   Level of Authority for closure of RBIA reports
Extremely High / I,S,D                                      Zonal Manager & Zonal Audit Chief                General Manager, I&A, H.O.
Very High / I,S,D                                           Zonal Manager & Zonal Audit Chief                General Manager, I&A, H.O.
High / I,S,D (on account of one of the parameters being
  High and the other Low)                                   Zonal Manager & Zonal Audit Chief                General Manager, I&A, H.O.
High / I,S,D (other than as above)                          Zonal Manager & Zonal Audit Chief                Zonal Audit Committee
Medium / I,S,D                                              Zonal Manager & Zonal Audit Chief                Zonal Audit Committee
Low / I,S,D                                                 Zonal Manager & Zonal Audit Chief                Zonal Audit Committee

(I,S,D = Increasing, Stable, Decreasing)


18.2 Special Letters: The Zonal Office will prepare and submit a detailed point-wise conclusive compliance of the irregularities pointed out in the Special Letter (after receipt of the branch compliance), along with the staff accountability aspect, to the Zonal Audit Chief, and upon the latter being satisfied with the compliance, the joint recommendations of the Zonal Manager and Zonal Audit Chief will be forwarded to Head Office, Inspection & Audit Department. The General Manager (I&A), upon being satisfied about the adequacy of the compliance and also the action on the staff accountability aspect, will accord approval for closure of the Special Letter, with a specific time-bound action plan for compliance of pending irregularities wherever deemed necessary, within three months of the date of the Special Letter. However, an Action Taken Report on the Special Letter should be submitted to GM (I&A) within 15 days from the date of receipt of the Special Letter by the Zonal Office.

18.3 Special Observation Reports: Special Observation Reports are closed at Zonal Audit Committee after ensuring point-wise conclusive compliance of the irregularities pointed out in the special observation report (after receipt of branch compliance) along with the staff accountability aspect wherever required. In respect of Revenue Leakage exceeding Rs.1.00 lakh per account, on recovery of the revenue leakage detected, the Zonal Office should furnish the details on Staff Accountability to General Manager, Head Office, Inspection & Audit Department through the Zonal Audit Office, recommending the action to be taken in this regard. The General Manager, Inspection & Audit Department, Head Office, will convey his decision to the Zonal Office/Zonal Audit Office with regard to the staff accountability aspect. The SOR (both on serious irregularities and/or revenue leakage) will be closed at Zonal Audit Committee within three months of the date of the Special Observation Report.

18.4 The Updated Risk Profiles: The updated Risk Profiles will be closed by the respective Zonal Managers within two/three months of the date of the profile, as the case may be, as mentioned in paras 17.3 & 17.4, after ensuring conclusive compliance on the negative factors and the Monitorable Action Plan pointed out in the Profiles, and the branch should be advised accordingly. However, compliance with the Monitorable Action Plan suggested in the updated Risk Profile of branches will be taken up for review during Zonal Audit Committee meetings.

19. Zonal Audit Committee:

19.1 With a view to channelising efforts for proper follow-up action on various audit reports, Special Letters, Special Observation Reports and Updated Risk Profiles and their subsequent closure, Zonal Audit Committee has been set up at each Zone. The meeting of the Committee will be attended by the Zonal Manager (Chairman), the Zonal Audit Chief (Convenor), the senior most Zonal Executive, the Officer in charge of Follow-up Audit Cell of the Zonal Office (Members).


19.2 The Zonal Audit Committee has to meet at least 6 times in a year and the interval between the two meetings, should not, normally exceed 3 months. The meetings will be fixed by the Zonal Audit Chief in consultation with the respective Zonal Manager and other members of the Committee and the meetings will be held at Zonal Head Quarters.

19.3 The Zonal Audit Chief being convenor, will attend all the meetings of Zonal Audit Committee in respect of Zones under his jurisdiction. In the absence of Zonal Audit Chief, the official holding charge shall attend such meetings. The General Manager/Deputy General Manager/Assistant General Manager of Inspection & Audit Department, Head Office shall attend the Zonal Audit Committee Meeting to oversee its functioning at periodical intervals.

19.4 The compliance submitted by the Branch/Zonal Office in respect of Audit Reports, Special Letters, Special Observation Reports and Updated Risk Profiles will be discussed from the risk angle, and if found satisfactory, they will be noted/closed/recommended for closure to Head Office. The decision of noting and closure will be taken by the Committee by consensus.

19.5 The committee will formulate a time bound action plan for clearance of pending audit reports, special letters, special observation reports, recovery of revenue leakage and updated risk profiles and review the progress in its implementation for mitigating risk under various parameters in subsequent meetings till conclusive compliance of the same.

19.6 The committee will review the compliance of the Monitorable Action Plan suggested in the updated Risk Profiles of branches as and when they are closed by the Zonal Manager.

20. Reporting by Zonal Audit Offices to Head Office, I&A

All Zonal Audit Offices should report on a monthly basis, as at the end of every month, to HO, I&A the details of the number of branches falling due for RBIA during the month as per the approved audit plan, the number of branches wherein audit is completed along with the risk rating, the names of the branches whose composite risk rating is assessed as 'Extremely High/Very High', and also the details of risk rating as at the end of the month, in the format provided in Annexure-A and Annexure-B. Also, all ZAOs should report on a monthly basis the details of the total number of branches in their jurisdiction under the different risk ratings, along with the names of the branches whose composite risk rating is assessed as 'Extremely High/Very High', in the format provided in Annexure-C. Further, all ZAOs will report on a monthly basis the position of pending audit reports (for closure) as at the end of every month in Annexure-D.


21. Reporting to the Top Management

Progress on implementation of RBIA in the branches in the line of approved audit plan will be reported to the Top Management on quarterly basis.

22. Reporting to Head Office (Audit) Sub-Committee

i) Gist of audit observations on negative factors (risk factors) along with the present status of compliance of RBIA reports of all branches with Composite Risk rating assessment as ‘Extremely High-Increasing/Stable/Decreasing and Very High-Increasing/Stable/Decreasing’ irrespective of size will be reported to Head Office (Audit) Sub-Committee for reporting.

ii) Gist of findings in special letters will be reported to Head Office (Audit) Sub-Committee for reporting.

23. Reporting to Audit Committee of the Board/Reserve Bank of India

23.1 Summarized position of RBIA reports of H.O.Depts, Zonal Offices, Zonal Audit Offices, MDI, ZTCs, and Bank’s Subsidiaries closed at Head Office (Audit) Sub-Committee will be submitted to Audit Committee of the Board for noting (no other RBIA reports are closed at HOASC).

23.2 Gist of audit observation with status of compliance in respect of audit reports of all Specialised Branches and Exceptionally Large Branches irrespective of their risk rating will be submitted to Audit Committee of the Board for noting at quarterly intervals.

23.3 In terms of instructions of Reserve Bank of India, a quarterly report beginning from the quarter ended 31st March 2003 on the progress made in implementation of Risk Based Internal Audit will be submitted through the Compliance Cell, H.O. to Reserve Bank of India after being duly vetted by the constituted Committee of General Managers for Risk Based Supervision as Institutional Mechanism for RBS (the reconstitution of Committee approved by the Chairman & Managing Director on 11.09.2004, vide Memorandum No.COMP:MK:30:2004-05 dated 07.09.2004).

24. Any modification in the reporting format, either addition or deletion of any item necessitated due to change in policy of the Bank or change in operational guidelines, may be approved by GM (I&A), provided it does not envisage any change in the audit policy guidelines already approved by the Audit Committee of the Board.


Annexure - 1

ITEMS OF COVERAGE DURING INSPECTION / AUDIT OF BRANCHES

(A) Inspection & Audit of branches

1) Audit of advances portfolio covering adherence to policy document on lending, quality of credit appraisal, credit control and adherence to Credit Monitoring Policy, Credit Risk Management, availability of credit risk mitigants, adherence to Fair Practices Code on Lender’s Liabilities, overall composition and quality of the credit portfolio with a special focus on problem credits. It will involve scrutiny of advances accounts selected as per the level prescribed in item No.15 of the policy document, of which 50% of accounts should be from the new accounts opened from commencement of previous audit to present audit. The accounts should be selected in such a way that they cover the majority of the total outstanding advances in the old as well as new accounts. All problem credit accounts (NPA accounts, out of order and causing concern accounts) should also be covered and developments since the last audit should be seen during the audit. It will also involve scrutiny of compromise proposals, their cost benefit analysis, process of recovery / legal action and execution of decrees. The following aspects will be looked into by the Auditors :

Lending as per norms fixed by Head Office.

Adherence to systems and procedures in the loan policy document.

Adherence to Reserve Bank of India, FEMA rules and guidelines.

Adherence to prudential exposure limits.

Obtention of credit report from rating agencies.

Obtention of Status Report from the previous bankers in the case of take over.

Evaluation / Assessment of the net worth of the borrowers / guarantors based on Personal Financial Statements (PFS) and analysis thereof supported by documentary evidences.

Obtention of financial statements as per HO guidelines and analysis thereof.

Obtention of CIBIL report.

Verification of default, if any, from RBI’s Defaulters List, ECGC Caution List.

Verification of Credit Rating.

Preparation of proposal in the standard format for new advances and review of existing advances.

Critical comments on quality of appraisal for fund based and non-fund based facilities.

Justification for fund based and non-fund based facilities.

Exercise of delegated authority judiciously at the time of fresh sanction and allowing TOL/TOD.

Compliance / deviation with / from terms of sanction.

Charging of correct rate of interest and effecting changes in rate of interest as and when announced by HO.


Documentation with reference to stamp duty, execution, etc. as per State laws including creation and registration of charge with appropriate authorities on the assets charged to the Bank.

Submission of stock statements as per terms of sanction, calculation of drawing power, drawing limit etc.

Obtention of CMA, QIS returns, Audited Balance Sheet and other financial returns periodically and effectively scrutinising thereof.

Monitoring of operations in the account with special reference to end use of funds.

Conduct of stock inspections as per terms of sanction, submission of reports, action taken on inadequacies reported by the inspecting official.

Scrutiny of bills purchased and bills discounted with reference to terms of sanction, overdue bills, recovery of overdue bills, etc.

Insurance of assets charged to the bank with reference to the adequacy thereof, the goods covered, location, risks covered, bank’s charge, etc

Recovery of proposal processing charges, inspection charges, documentation charges etc as per the prescribed rates.

Obtention of ECGC coverage wherever applicable.

Monitoring of problem credits and the steps taken for recovery including filing of suits.

Reporting of default in time to ECGC and invocation of ECGC claim within the stipulated time.

Status of laws of limitation and obtention of renewal documents.

Issue of guarantees, letters of credit, etc.

Follow-up for reversal of liabilities in respect of expired guarantees.

Steps taken for recovering the amount due to devolvement of letters of credit.

Position of Review of Advance Accounts overdue for review including reasons for delay in review of accounts.

(The above is only illustrative)

2) Audit of Investments portfolio (HTM, AFS & HFT) with reference to adherence to laid down policies, Head Office specific prescriptions, liquidity of the investment from two angles i.e. maturity and marketability, physical verification of investments, receipt of dividend / interest on investments, etc. It will also involve audit of Funds Management, Asset Liability Management, etc.

3) Cash Management including counting of cash, scrutiny of cash receipt and payment book for 15 days selected on random basis. Verification of conduct of monthly surprise cash verification by the branch officials. Maintenance of cash as per approval of Head Office. Dual custody of cash holding. Maintenance of bait money. Adequacy of insurance for cash in transit. Protective arrangements for cash safe. Lodgement and withdrawal of cash. Adherence to policy on ‘Know Your Customer’ relating to Money Laundering, RBI’s clean currency policy.

4) Verification of Petty Cash, Stamps and Stamped Documents on hand, if any.

5) Accounts with other Banks including reconciliation, long outstanding entries and follow-up for clearance of these entries.

6) Verification of Cash Contra, General Ledger, General Ledger Balance Book (including hard copies) by authorised officials.

7) General Ledger Suspense Debits, Sundry Deposits, Sundry Credits entries verification; balancing of the accounts and follow-up for outstanding entries.

8) Checking of Clearing inward and outward including reconciliation of outstanding entries.

9) Checking of Profit & Loss Analysis Book including balancing from time to time and analysis of income and expenditure and judicious exercise of powers by the delegatees.

10) Verification of safe keys and key pass book.

11) Safe Deposit Vault – Balancing of keys, recovery of rental, drilling open of lockers where rent is overdue for long.

12) Safe Custody – Verification of safe custody accounts more particularly opened after previous audit.

13) Premises (including flats for officers, warehouse premises, if any) – Execution of lease, payment of rental, verification of title deeds, ambience etc.

14) Furniture & Fixtures – Checking of register, balancing, maintenance of records, disposal of unserviceable items, annual maintenance contracts, etc.

15) Insurance – Coverage of insurance policy for all items such as assets including computers, etc.

16) Remittances – Issue of DDs/MTs/Payslips, as per laid down policy, recovery of exchange, payment of DDs, follow-up for DDs paid without advice, etc.

17) Telegraphic Transfers – Maintenance of Test Keys and safe custody thereof, verification of use of TT arrangement by the branches to weed out branches where TT key may not be required, Missing variables and follow-up for the same.


18) Inward Remittances – Verification of time taken for crediting proceeds of inward remittances.

19) Staff & Establishment – Verification of all aspects like attendance register, leave record, salary, allowances, Leave Fare Concessions, Travel & Transportation, recruitment of staff, job rotation, training, Medical Aid to Staff – Records of payment of medical aid to staff as per policy.

20) Test Check – Verification of conduct of test checks as per laid down policy and maintenance of records thereof.

21) Manual of Instructions – Verification of set of manual of instructions at the branch.

22) Authorised Signatories book – Verification of the book with reference to updating, safe custody, etc.

23) Old Records – Verification of maintenance of old records and its destruction from time to time as per policy.

24) Inward Bills for Collection – Physical verification of bills for collection, balancing from time to time, position of overdue bills, follow-up for disposal, recovery of service charges, VPL charges etc.

25) Outward Bills for Collection – Verification of bills for collection, balancing from time to time, overdue bills follow-up for realisation of overdue bills, recovery of service charges, etc.

26) Deposits – Verification of account opening forms, adherence to rules as regards opening and operations in the various types of deposit accounts. Charging of correct rates of interest in deposit accounts. Adherence to policy on ‘Know Your Customer’ and ‘Money Laundering’.


27) Temporary Overdraft/Overlimit – The frequency of TOD/TOLs granted, basis for the same, reporting of TOD/TOLs, recovery of TOD/TOLs, action for hard core TODs, exercising of delegated powers, etc.

28) Complaints by clients – Maintenance of complaints register, time taken for redressal of complaint, etc.

29) Official Language – Policy and its implementation.

30) Payslips / Bankers Cheque issued – Verification of registers, balancing, follow-up for old payorders / payslips not presented for payment.

31) Customer Service – Quality of customer service, implementation of Goiporia Committee’s recommendations, conduct of periodical customer meetings, conduct of periodical customer service audit by the chief incumbent or any other authorised official.

32) Dealing Room – Audit of dealing room / back up section operation with reference to organisational policy guidelines relating to adherence to currency wise Daylight and Overnight limits, Stop loss limits, infrastructure in dealing room, and its use, vacation by dealers, rotation of staff, panel of brokers, routing of business through brokers, maintenance of dealers pad, dealers slip, etc. as per policy.

33) Bills negotiated under L/C – Verification of register, overdue bills and follow-up for recovery.

34) Bills receivable under L/C - Verification of register, overdue bills and follow-up. Physical verification of bills receivable under L/C.

35) Information Systems Audit – For verification of adherence to Policy on Data Security, Software Modification / Purchase, Disaster Recovery and Business Continuity Plan, validity and security of IT systems etc.

36) Concurrent Audit – Verification of effectiveness of concurrent audit, including audit methodology, coverage, compliance, verification of compliance, etc.

37) Management Information Systems – Adherence to time schedule for submission of statements to Zonal Office/ Head Office. The source data for compilation of these statements should also be verified for correctness. The adequacy of MIS from the angle of market intelligence should also be looked into.


Annexure - 2

A. Areas to be looked into by the Audit Team under Risk Based Internal Audit

Sr. No. | Risk Category | Sr. No. | Areas to be looked into

I BUSINESS RISK

1. Credit Risk

A (Under Business Category)

1 Trend of growth in loans and advances including forex business

2 Trend in priority sector advances

3 Trend of growth in off balance sheet items.

4 Exposure to sensitive sectors

5 Composition of off balance sheet exposure

6 Credit concentration

7 Percentage of advances in a/cs. with limits Rs.1 crore

8 Trend of breaching exposure ceiling norm

9 Standard category advances

10 NPA Management and Recovery of NPA – NPA Movement

11 Arresting of slippages

12 Improvement in Cash Recovery

13 Improvement in upgradation

14 Percentage of accounts written off and amount involved

15 Reduction of NPAs (including upgradation, restructuring, recovery)

16 Trend of devolvement on account of off balance sheet exposures.

17 Proper provisions

18 Credit Quality improving

19 AAA / AA / A rated a/cs.

20 B rated a/cs.

21 Movement of assets

22 Increase in standard assets

23 Decrease in Doubtful / Loss assets


24 Adherence to Credit Policy norms

25 Adherence to exposure (credit limits with branch and elsewhere) norms for single borrower, group, industry group and country.


26 Identification of borrower and verification of antecedents through market reports, status reports from the previous bankers, credit rating agency of repute, etc.

27 Assessment of worth based on Personal Financial Statements (PFS) and moderation thereof, if necessary upon verification thereof through tax returns and other documentary evidences.

28 Assessment of term loan and working capital needs through balance sheet analysis, cash flows, etc.

29 Security position – verification of title, search report, valuation, payment of taxes of mortgage property.

30 Security Documents- Stamping, signatures, registration

31 Adherence to provisioning requirements after taking into account value of security, worth of borrowers and guarantors.

32 Adherence to Income Recognition norms.

B (Under Control Category)

1 Proper credit monitoring

2 Credit Rating as per norms

3 Review of accounts

4 Review of portfolios of credit section (Trade, Industries, Retailers, Personal Loan, Agriculture, etc.)

5 Adherence to prudential norms

6 Quality Appraisal of Credits

7 Promptness of decision process (i.e. quick disposal of loan application)


8 Data checking

9 Follow-up for recovery of Term Loan installments, interest, charges, etc.

10 Adherence to accounting standards, principles and practices

2. Earning Risk

1 Budgeted Profit & Actual for last 3 years

2 Trend of non-interest income

3 Trend in reduction of avoidable expenditure

4 Application of correct rate of interest and service charges

5 Interest Income


6 Recovery in written-off accounts

7 Interest expenses

8 Yield on fund based limits

9 Cost of funds

10 Staff reduction cost

11 Recovery of UCI/URI

3. Liquidity Risk

1 Ratio of wholesale / Institutional deposits to total deposits

2 Ratio of Low Cost deposits to total deposits

3 Ratio of high cost deposits to total deposits

4. Business Strategy & Environment Risk

1 Budget and achievement for last 3 years


2 Quality of customer service

3 Competition (strength and weakness of competitors)

4 Adequacy and compatibility of IT Systems with business needs.

5 Business initiatives

6 Deposits growth – Advances growth

7 Sale of customer oriented products

8 Analysis of market survey

9 New Products / Service

5. Operational Risk

1 Frequency and impact of staff rotation

2 Adherence to manuals

3 Frequency of execution errors in transactions

4 Abnormal /sudden growth in the deposit level pertaining to a particular segment (genuineness of such deposits)


5 Frequency of violation of operational controls (exceeding limits, injudicious use of discretionary powers)

6 Efficacy of information flows

7 Risk due to loose security at operational points

8 Frequency of operational disruptions

9 Validity of IT Systems

10 IT related frauds


11 Documentation for transactions (filling up of documents, registration charges, creation of mortgages, insurance of securities etc.)

12 Interaction between Legal Department and other departments like credit, treasury, etc.

13 Claims from customers

14 Compliance with customer confidentiality

15 History of litigation with regard to operations

16 Competency of staff

17 Systems and Procedures

18 Time barred documents

19 Litigations

20 Reputation

21 Advising the terms of sanction

22 Compliance with terms of sanction

23 Execution of Security documents including Registration of charges with appropriate authorities

24 Insurance of assets

25 Issue of DD as per guidelines including recovery of charges

26 Outward TTs sent according to HO guidelines.

27 Recovery of TTs responded twice through oversight.

28 Issue of DD against cash / payment of DD in cash

29 Management of Inward and Outward Bills for Collection

30 Balancing of IBC and OBC by physical verification of outstanding bills


31 Retirement of bills and despatch of proceeds

32 Checking of General Ledger, General Ledger Balance Book prints outs by officials.

33 Checking of Profit and Loss Register including vouchers of Profit and Loss more particularly Debit vouchers for signature by authorised officials. Balancing of P&L Book

34 Destruction of confidential waste, old manuals out of circulation, old records.

35 Maintenance of old record including register of old records, old record destroyed, physical security of old record, etc.

36 Pest Control treatment at regular interval.

37 Provision of adequate number of fire extinguishers

II. CONTROL RISKS

1. Internal Control Risk

1 Clarity / ambiguity in reporting structure and reporting lines

2 Clarity of decision making process at various levels

3 Appropriate delegation of powers

4 Inter-bank / branch reconciliation

5 Abnormal /sudden growth in the deposit level pertaining to a particular segment (genuineness of such deposits)

6 Perpetration of frauds

7 Control over outsource activities (like AMC)

8 Maintenance of customer secrecy as applicable

9 Adequacy and timeliness of MIS and financial reporting

10 IT support for business development and client service

11 Perpetration of frauds due to laxity in control over IT infrastructure

12 Adherence to Know Your Customer and Know Your Business procedures

13 Systems for monitoring high risk accounts


14 Reporting of large value (cash of Rs.10 lakh and above) and suspicious transactions

15 Compliance with regulatory guidelines with regard to customer identification and monitoring funds flow

16 House Keeping

17 MIS – Timeliness / Quality

18 Employee relations

19 Management Controls – Branch Leadership, Competency, Problem Solving, Attitude

20 Monitoring end use of funds through post sanction inspections.

21 Monitoring the conduct of operations in the account including checking of periodical stock statements submitted by the borrowers, calculation of drawing power and recording thereof in the system. Follow-up for submission of stock statements with the borrowers.

22 Conduct of stock inspections including valuation of securities

23 Follow-up for recovery of interest, term loan installments and other charges, overdue bills purchased / discounted.

24 Filing of Suits

25 Execution of Decrees

26 Judicious use of delegated powers for granting TOD and TOL


27 Reporting of TODs / TOLs beyond delegated authority to Controlling Authority

28 Follow-up for submission of Financial Statements and other details for review of accounts. Annual Review of accounts and management of accounts not reviewed beyond three months


29 Valuation of properties mortgaged to the bank from time to time

30 Reporting of adverse features observed during inspections

31 Management of Bills Purchased and Bills Discounted portfolio including obtention of status report from bankers of the drawees, adherence to drawee-wise limits, if any, purchase / discounting of bills as per sub-limit (DA/DP), follow-up for overdue bills and noting / protesting thereof. Follow-up for taking possession of the securities wherever available in respect of documentary bills.

32 Cancellation of expired Bank Guarantees.

33 Management of devolved L/Cs.

34 Management of problem credits i.e. steps taken for identification, upgradation, recovery, compromise of problem credits.

35 Cash and Travellers Cheques are kept under dual control.

36 Precautions during cash in transit- bait money maintenance etc.

37 Maintenance of Cash Safe Keys Pass Book.

38 Proper maintenance of books of the cash department, including those relating to Travellers Cheques.

39 Checking of abnormal Receipts and Payments


40 Checking of accounting of Inward and Outward Cash Remittances

41 Observance of rules on accumulation of various types of leave.

42 Obtention of leave application promptly and sanction of leave by authorised official.

43 Maintenance of leave record.

44 Staff Salary checking.

45 Maintenance of old record including register of old records, old record destroyed, physical security of old record, etc.

46 Pest Control treatment at regular interval.

47 Provision of adequate number of fire extinguisher.

48 Monitoring access to old record room, computer back up tapes, etc.


A Computer related Password administration/Configuration & Monitoring

1 Procedure surrounding the setting up of user profiles, deleting users on leave / resigned / terminated from bank’s service, etc.

2 Updation of user profiles as per written requests and authorisation by Manager in writing.

3 Allotment of system access rights on written request and authorisation by Manager.

4 Review of access rights periodically (at least half yearly).

5 Generation and checking of log report and access report by system administrator and submission thereof to the Manager.

6 Reporting of failed access attempts to Branch Manager and follow-up action thereon.

7 Filing of computer generated reports in chronological order.

8 Validating, previewing instructions rejected by the system by System Administrator and Manager.

B Physical security

1 Monitoring of access to the computer room.


2 Computer room kept under lock and key when not occupied.

3 Installation of dry type fire extinguishers, smoke detectors, alarm, etc. in the computer room.

C Business Continuity

1 System backups are run automatically at the end of each day and stored off site.

2 Maintenance of back up copy of super user password in a sealed envelope and stored in fire proof safe under dual control.

3 Preservation of MIS reports.

4 Preservation of old computer data containing MIS.

5 Manual on Operating Instructions is kept in fire proof safe under dual control.

D Disaster Recovery

1 Distribution of Disaster Recovery Plan amongst staff and maintenance of copy off site.

2 Test checking of Disaster Recovery Plan.


E Logical Access Security

1 Checking of Computer Generated Reports by officials.

2 Checking of Opening of Accounts including adherence to policy on ‘Know Your Customer’ relating to money laundering.

3 Checking of Interest paid on deposits

4 Follow-up for weeding out accounts where cheques are returned frequently on account of financial reasons.

F Fraud Risk

1 Checking of Operations in new accounts

2 Segregation of dormant accounts

3 Storage of Specimen signature cards of dormant accounts

4 Checking of transactions in staff accounts.

5 Storage of pass books, cheque books, TDRs in dual custody and maintenance of Movement Passbook.

6 Adherence to regulatory guidelines on Money Laundering


7 Safe custody of Test Keys and follow-up for missing variables.

8 Follow-up for confirmation of inward TTs, Advice of Drawings of TTs and Drafts respectively.

9 Verification of signature on Mail Transfers / Credit Authorisation Notes and Test Key Number for MTs and TTs respectively.

10 Maintenance of dual control on DD / CAN / Test Key Registers and maintenance of movement pass book

11 Checking of balancing of accounts / ledgers and registers.

12 Reconciliation of inter-branch / inter-bank accounts

13 Reconciliation and Monitoring of Suspense Debits Account for clearing the entries

14 Monitoring of Sundry Deposits and Sundry Credits Account including clearing the old entries.

15 Follow-up for pending IBC / OBC

16 Safe custody of documentary bills

17 Analysis of Profit and Loss Account for various income and expenditure accounts.

18 Quality and timeliness in compliance with various audit reports

19 Checking of redressal of customers’ complaints.

20 Scrutiny of various control returns/statements submitted to H.O.

21 Maintenance of sensitive stationery

22 Branch security aspects, Compulsory licenses as per security officer’s report etc.

23 Renewal of Branch Lease, payment of Taxes etc.

24 Correctness of the furniture & fixtures items


2. Compliance Risk


1 Statutory Compliance (like TDS, etc.)

2 Regulatory Compliance (submission of BPR, CA-23, RBI guidelines)

3 Other Compliances (terms of sanction, compliance of previous audit report, etc.)

4 Cash is maintained below the ceiling limits stipulated by H.O. and bank’s indemnity policy.

5 Surprise checking of cash every month.

6 Adherence to policy on ‘Walk-in Customer’ or ‘Know Your Customer’ formulated at centre

7 Adherence to regulatory guidelines on Money Laundering.

8 Interchanging of the set of keys for cash safe in use and the set kept off-site (at other banks) on a regular basis.

9 Rotation of staff is carried out at regular intervals.

10 Destruction of confidential waste, old manuals out of circulation, old records.

11 Anti-virus software is installed.

12 Documentation of Business Continuity and Disaster Recovery Plan and its updation.

AREAS TO BE SEEN UNDER FOREX OPERATIONS / INVESTMENTS / DERIVATIVES

Sr. No. | Areas to be looked into

1. FOREX DEALING

A. Dealing Process & Settlement

1. Observation of stop loss limit – quantity-wise as well as pips-wise
2. Compliance on implementing revised/changed guidelines, if any, on trading activities
3. Difference between rates in Dealer’s Pad and the rates in Deal Slips
4. Demarcation of Trading Deal Slips
5. Scrutiny of the deals by Back-up Section
6. Reporting of Daily Forex Report by Back-up Section and the Dealer
7. Obtention of periodical Scan Report by Back-up Section for interest/exchange rates
8. Quoting of rates by Dealer to our foreign branches for funding their VOSTRO Accounts, in violation of guidelines.
9. Deals concluded after the office hours
10. Monitoring of mismatches created by outright forward and swaps
11. Deals are done during office hours only
12. Deals put through to accommodate brokers


13. Frequent resorting to Overseas Market for funding/cover operations within the permitted limits.

14. Loss incurred while covering Merchant Transactions
15. Calculation/Quoting of exchange rates correctly for transactions of Foreign Currency Notes and Traveller’s Cheques.
16. Loss in deals for buying and selling the same currency, for same delivery and at the same time.

B. Back-up and Accounting Procedure

1. Independent functioning of Back-up Section for maintaining Position Register daily.
2. Monitoring by Back Office for prompt receipt of broker notes and counter party confirmations
3. Sending confirmation of the deals to other Banks
4. Preparation of analysis of trading deal
5. Sending payment cheques/instructions to counter party banks.
6. Follow-up for non-receipt of confirmation of contract notes/funds from counter party

C. Dealing through Brokers

1. Maintenance/review of panel of brokers
2. Observance of Code of Conduct for Dealers.
3. Keeping records for the deals concluded through outstation brokers.
4. Correct payment of brokerage
5. Submission of periodic statement of brokerage paid
6. Reporting of the differences covered by brokers in respect of the rates.

D. TRADING ACTIVITY

1. Maintenance of separate Daylight/Overnight limits
2. Transfer of trading position to merchant position or vice-versa
3. Compliance of HO Guidelines/directives in respect of:
a) maintenance of separate position sheet;
b) adherence to stop-loss limit;
c) submission of daily statement of trading activity.

E. ACCOUNTING PROCEDURES

I. Foreign Currency Position

1. Comparison of the position in Dealer’s pad with Position Sheet for their agreement.
2. Reporting of exceeding of Day Light/Overnight Limits


II. Inter-Bank Operations (including Swaps)
1. Maintenance of back-papers for Inter-Bank Deals;
2. Advising of accounting entries and payment commitments;
3. Signing by Dealer in violation of the directives/guidelines;
4. Maintenance of records for separate spot/forward Inter-Bank Deals;
5. Indication by the Dealer of the purpose of swap undertaken;
6. Hourly preparation of Rate Scan Report independent of the Dealer;
7. Settlement of Inter-Bank Contracts on due dates.

III. Merchant Contracts
1. Cancellation of expired contracts;
2. Extension/cancellation of forward contracts and correct accounting for swap differences.

IV. Maturity Gaps
Exceeding of Gap Limit during the quarter under audit.

V. Export/Import Suspense Accounts
Delinking of overdue export/import bills.

VI. Funds Management
1. Arriving at the correct balance in NOSTRO accounts;
2. Justification for large overdraft/excess balance in NOSTRO accounts;
3. Monitoring of inoperative NOSTRO accounts;
4. Maintenance of foreign currency account with a bank in a country in a currency other than that of the country.

VII. Consolidated Foreign Exchange Position
1. Verification for large variation in True Currency Position Statement vis-à-vis IC-4 Statement;
2. Reporting of sale/purchase of foreign currency;
3. Verification for distortion of true currency position on account of pipeline transactions;
4. Informing Head Office of large accumulation of foreign currency notes.

Foreign Currency Funds Management – Risk Management:
1. Ensuring that all forex inter-bank dealings are within the exposure limits approved at appropriate level;
2. Acknowledging and advising to Head Office of transfer of exposure limits from other centres;
3. Transacting all money market deals in the manner similar to other forex dealings;
4. Charging of interest rates on money market deals as per the scan report;
5. Recording of settlement instructions in the deal slips and strict adherence thereof;
6. Ensuring that Rupee/USD Swaps entered into are within the approved limits;
7. Offering correct rates on placements with our overseas Branches;
8. Correct covering of cost of rupee funds in case of Rupee/USD Swaps;
9. Monitoring of FCNR, EEFC and RFC deposits;
10. Maintenance of maturity-wise and interest rate-wise classification of deposit funds;
11. Coverage of maturity and interest rate mismatches within the permitted limit;
12. Ensuring that interest earned on deployment of funds, after adjusting to IRS, covers the cost of funds fully;
13. Coverage of exchange risk on interest accruals on deposit funds;
14. Approval of credit risk on interest rate swaps and currency swaps for corporate clients;
15. Obtention of declaration from corporate clients for hedging and underlying transactions.


RISK MONITORING & SYSTEMS MANAGEMENT

I. Compliance with Bank’s Policy:
1. Dealer is well trained and experienced;
2. Availability of second line of Dealers;
3. Rotation of Dealer at prescribed intervals;
4. Segregation of functions of Dealer and Back-up Section;
5. Proper recording of NOSTRO Accounts;
6. Strict observance of Head Office guidelines for trading activity;
7. Permitting overdrafts in foreign currency accounts within the prescribed limits and time;
8. Obtention of indemnity from banks for computer generated contracts;
9. Adherence to Head Office norms for exposure limits fixed bank-wise and country/sovereign risk-wise.

II. ALLOCATION OF LIMITS:
1. Obtention of proper sanction for Daylight and Overnight limits;
2. Obtention of confirmation from controlling authorities for exceeding the limits;
3. Adequate reporting of Daylight/Overnight positions.

III. DOCUMENTATION & RECORD KEEPING
1. Submission of monthly statement of Gap;
2. Submission of R Return;
3. Submission of Daily Currency Position, Monthly Statement of Evaluation of Exchange Profit, Monthly Statement of Overdrafts in NOSTRO Accounts, XOS Statements, Half-yearly statement of REC-I & II.

IV. EVALUATION OF PROFIT & LOSS:
1. Calculation of profit/loss at prescribed intervals as per guidelines;
2. Evaluation of exchange profit as per the guidelines;
3. Furnishing the details of window-dressing, if any, carried out before calculation of profit;
4. Maintenance of proper record for profit on trading activities;
5. Strict adherence to standard accounting procedure for evaluation of profit/loss;
6. Ensuring valuation at the end of each month and on balance sheet date.

V. INFRASTRUCTURE
1. Availability of adequate infrastructure to the Dealing Room;
2. Ensuring adequate security measures for preventing misuse of infrastructure;
3. Authentication of Telex/Router by Back-up Section;
4. Restricting access to Dealing Room;
5. Ensuring continuous power supply to the infrastructure.

VI. COMPUTER SYSTEM:
1. Keeping the keys (original/duplicate) of CPU with the authorised persons;
2. Maintenance of diary note for computer system and carrying out of annual audit of hardware/software;
3. Permitting the Dealer to have access to Computer System.

NOSTRO ACCOUNTS:

I. Reconciliation of NOSTRO Account/Reporting of Unreconciled Items:
1. Monthly balancing of NOSTRO Accounts;
2. Entrusting the reconciliation work to a separate department/official;
3. Rotation of staff is carried out periodically;
4. Allotting the work of passing vouchers for originating entries and reconciliation to different staff;
5. Initiating prompt follow-up action on entries found in the statements received from foreign correspondents;
6. Maintenance of records for approval obtained for written-off unreconciled items;
7. Consideration of ‘Value date’ debits/credits;
8. Regular submission of half-yearly REC I & II statements;
9. Effective follow-up of outstanding Agents Debits/Mirror Debits.

II. Internal Management Control:
1. Balances with banks abroad are within the prescribed limits and as per requirement;
2. Maintenance of details of interest paid/received in the accounts;
3. Recovery of revenue leakage pointed out in the earlier reports;
4. Recovery of service charges levied on foreign banks;
5. Recording of delayed receipts and follow-up for recovery of interest;
6. Recording of overdraft allowed in excess of 5 days in NOSTRO Accounts and proper reporting and follow-up action;
7. Compliance with Exchange Control Regulations in the case of overdrawn NOSTRO Accounts.

VOSTRO ACCOUNTS:
1. Periodical review of VOSTRO Accounts;
2. Granting of overdrafts in VOSTRO accounts and their regularisation within 5 working days;
3. Allowing over-limit only in VOSTRO accounts enjoying overdraft facility;
4. Observance of ‘Value Date’ system;
5. Prompt responding to debit notes received from branches;
6. Recovering correct interest on back-value entries;
7. Reporting of unusual features observed in the accounts;
8. Maintenance of Rupee accounts of private exchange houses as per guidelines;
9. Safe custody of test keys and other secret codes under dual control;
10. Ensuring that VOSTRO account balances are commensurate with normal business;
11. Confirmation obtained from the account holders for balance certificates.

Miscellaneous Aspects:
1. Periodical review of adequacy of manpower and rotation of staff are undertaken;
2. Prompt submission of ‘R’ Returns and other periodical statements;
3. Proper keeping and exercising adequate control of ‘test-key’ for authentication of messages;
4. Effecting of payments through SWIFT and proper monitoring of messages;
5. Compliance with guidelines of RBI/FEDAI.

2. TREASURY OPERATIONS

I. INVESTMENT MANAGEMENT

A) Ready Forward Deals:
1. Violation of directives/guidelines in Double Ready Forward transactions in Dated Govt./Approved Securities as well as Treasury Bills.
2. Violation of directives/guidelines in Ready Forward/Double Ready Forward in other securities/PSU Bonds/Units.
3. Violation of directives/guidelines on deals undertaken on behalf of PMS clients’ Accounts/other clients.

B) Transactions in Govt./Approved Securities:

a) SGL Transactions:
1. Ensuring non-return of SGL form issued to other Bank for want of funds.
2. Returning of SGL forms received by the Branch for want of funds and reporting thereof.
3. Maintenance of record of authorised signatories of SGL issuing banks/institutions.
4. Direct handing over of SGL.
5. Compliance with RBI guidelines and DVP system for settlement.
6. Reconciling SGL balances on monthly basis.
7. Checking of periodical reconciliation of SGL balances by concurrent auditor.
8. Ensuring direct payment only after receipt of SGL transfer in the case of purchase of securities.

b) Bank Receipts (BR):
1. BR issued in violation of directives/guidelines in the case of transactions under SGL facility.
2. BR issued in violation of directives/guidelines in the transactions not under SGL facility.
3. Adherence to guidelines for issue of BR for outright sale/switch transactions where SGL facility is not available.

C) Dealing through Brokers:
1. Review/approval of the panel of brokers annually.
2. Brokers are members of NSE/BSE and, if not, obtention of approval.
3. Ensuring ceiling limit of brokers.
4. Ensuring role of the brokers.
5. Direct settlement deals with the counterpart bank.

D) Internal Control System:
Segregation of investment function division-wise.

E) Internal Procedures:
1. Preparation of Deal slip incorporating all the relevant particulars.
2. Violation of directives/guidelines in substituting counter party bank and security.
3. Monitoring and safe keeping of receipt of securities.
4. Ensuring receipt of Deal slip by Back Office for incorporating the position.
5. Preparation of cost memo by the Back Office.

F) Compliance with Investment Policy Norms and Accounting Requirements:

1) Policy Aspect:
1. Investment proposals comply with policy norms for credit rating and prudential norms.
2. Reference of investment proposals which do not comply with the norms.
3. Endorsement of investment proposals by Investment Committee.
4. Compliance with pre-disbursement conditions.
5. Compliance with post-disbursement conditions.
6. Reporting of investments where issuers’ credit rating is downgraded.
7. Exercising put-options built into the investments.
8. Reporting of non-compliance with original conditions.

2) Trading in Securities:

a) General
1. Marking of Deal Slips for secondary market trading.
2. Segregation of securities to form the ‘Trading Segment’.
3. Exclusion of Repo transactions.
4. Review of trading segment periodically.
5. Ensuring conformity of all secondary market purchases of securities to the prudential norms.

b) Trading in Govt. Securities, Bonds, Debentures and other transferable debt instruments and equity
1. Individual security in Trading Segment is as per the guidelines.
2. Securities acquired during the trading period comply with the prescribed prudential norms.
3. Approval of stop loss limits for debt and equity securities.
4. Proper treatment of ‘taking profit’.
5. Compliance with relevant regulations of RBI/SEBI/SE in respect of all Trading Deals.

G) NPA Management:
1. Proper classification of Investment Assets.
2. Proper reporting of NPA.
3. Ensuring enforceability of documents of NPA.
4. Reporting of NPA position to trustees.
5. Follow-up of NPA accounts with BIFR.
6. Recovery of sale of assets in NPA accounts is reported to Senior Management.
7. Review of NPA accounts periodically.

H) Delegation of Powers and Reporting System:
1. Investment decisions are taken as per delegation of powers.
2. Authorisation of deal/transaction entered into by the Dealer.
3. Dealer transacts only with the approved counter party bank/broker subject to the exposure limit.
4. Periodical submission of statements on the performance of Investment Portfolio to the Management.

II. Money Market Operations:
1. All Inter-bank deals and Repo deals are with authorised players.
2. Correct application of rates in money market credit lines.
3. Entering into Rupee/USD Swap deals only when swap yields are at least on par with call money rates.
4. Profitable squaring off of position taken in the intra-day dealings.
5. Justification of net borrowing position.

a) Inter-Bank Participation Certificates (IBPCs):
1. Obtention of approval for issue of IBPC.
2. Strict adherence to norms in the case of IBPC with risk sharing.
3. Strict adherence to norms in the case of IBPC without risk sharing.

b) Money Market Credit Lines to Indian and Foreign Banks:
1. Sanction/review of credit line at appropriate level.
2. Recovery of commitment fees.
3. Repayment in accordance with the relative agreement.
4. Timely renewal of period of validity of the credit line.
5. Segregation of credit limits.

c) Call Money Operations:
1. Lending within the approved exposure limits.
2. Adherence to ceiling in Money market transactions.
3. Maintenance of levels of liquidity mismatches in the short term.

III. Cash Management

a) Remittance of funds to and from Branches
1. Delay in collection/payment of funds.
2. Proper control over inter-branch funds transfer.
3. Strict adherence to norms in the case of remittance of funds to branches.
4. Adherence to norms for remittance of funds from branches.
5. Reconciliation of remittances of funds.

b) Reconciliation – Accounts with RBI/SBI
1. Necessary follow-up for entries appearing in the statement of accounts.
2. Proper reporting of wrong credit.

c) Internal Control System
1. Monitoring of money market back-up/investment back-up section for CRR, SLR, Refinance, CLGFB, IBPC, Reconciliation.
2. Monitoring of cash management dept. for various functions.

d) Funds Management – FCNR Funds Management
1. Revaluation of FCNR Deposits and Foreign Currency loans on fortnightly basis.
2. Correct application of interest rates.
3. Crediting FCNR funds to the designated Deposit A/c.
4. Proper extension of Foreign Currency loans.
5. Submission of prescribed statements.
6. Obtention of proper clearance from CMD for ALCO decisions.
7. Calculation of average cost of yield on FCNR funds from time to time.
8. Working out of liquidity and interest rate sensitivity of FCNR funds from time to time.
9. FRA/Interest Rate Swaps have been used for managing interest rate risk and reducing the gaps.
10. Ensuring that residual interest rate sensitivity gaps are within the permissible limits.
11. Proper revaluation of Foreign Currency Assets and liabilities on fortnightly basis.
12. Working out of sources and uses of Foreign Currency funds from time to time.

e) Asset-Liability Management
1. Renewal of Asset-Liability Management Policy.
2. Keeping record of minutes of ALCO meeting and follow-up action.
3. Regular agenda includes Short Term Dynamic Liquidity Statement, impact of major policy changes and interest rate outlook.
4. Submission of Structural Liquidity and Interest Rate Sensitivity Statements within 2 months from the close of the quarter.
5. Periodical submission of statements of Structural Liquidity, Interest Rate Sensitivity and Short Term Dynamic Liquidity to ALCO.
6. Conveying of decisions of ALM to other departments for implementation.
7. Decisions of ALCO cleared by CMD are submitted to the Board for information.

3. DERIVATIVES

FORWARD RATE AGREEMENTS (FRA) AND INTEREST RATE SWAPS (IRS)
1. Appropriate infrastructure and risk management systems are in place;
2. Functions relating to hedging and market making are clearly separated between the Front and Back Offices;
3. Proper Internal Control System for trading, settlement, monitoring, control and accounting activities;
4. Individual deal is confirmed by Back Office in normal course;
5. Exposure on account of FRA/IRS is within the prescribed limit;
6. Obtention of declaration from Corporates/Mutual Funds for FRA/IRS;
7. Adherence to prudential limits on Swap positions;
8. Adherence to risk management norms prescribed by ALCO in respect of FRA/IRS for hedging;
9. Submission of Policy Document to MPD/RBI;
10. Separate recording of transactions for hedging and market making purposes;
11. Proper revaluation of FRA/IRS for trading purposes;
12. Obtention of Confirmation Note and ISDA agreement;
13. Net Open Position within the prescribed ceiling;
14. Meticulous follow-up of prudential limits for various currencies and counter-parties;
15. Credit exposure to banks is within the approved limits;
16. Appropriate sanction of credit exposure to Corporates;
17. Reporting of FRA/IRS to MPD/RBI;
18. Monthly reporting of details of transactions to Senior Management;
19. Quarterly reporting of details of transactions to Board.


B. The methodology and the parameters used for assessing the risk rating of Branches

a) Methodology:

As per the guidelines provided by RBI and our Risk Based Internal Audit Policy approved by ACB on 30.01.2003, quantitative and qualitative approaches are adopted while assessing risks under the Business category and the Control category. Under the quantitative approach, the volume of business of the branch in the credit and deposits areas, other services and products, quantum of income and expenditure, availability of operational tools etc. are analysed for their trend, together with the business strategies adopted by the branch for achieving the set goals. Under the qualitative approach, application of compliance methodology, adequacy of controls, Risk Management Controls, business environment (location/competition), quality of clientele base/products/services, quality of customer service, awareness of staff regarding systems and procedures, futuristic view of business strategies and adherence to Know Your Customer/Business Principles are analysed, and deficiencies observed in these are brought out as risk perception. To perceive things in proper perspective and to carry out the risk assessment, besides the on-site inspection, previous internal audit reports and compliance, proposed changes in business lines or change in focus, significant change in management/key personnel, results of the latest regulatory examination report, reports of external auditors, industry trends and other environmental factors, and the time lapsed since the last audit are also considered by the auditors.

b) Details of parameters used for ranking of branches based on risk:

By using the methodology as briefed in a) above, risk assessment of the branch is made broadly under two categories, viz. Inherent Business Risk and Control Risk. These two categories are further segmented into four and two parameters respectively in all the branches except Treasury Branch, Service Branch, Asset Recovery Branch, Currency Chest and DPOs. They are as under:

Inherent Business Risk                       Control Risk
1. Credit Risk                               1. Internal Control Risk
2. Earnings Risk                             2. Compliance Risk
3. Business Strategy & Environment Risk
4. Operational Risk

Under the Credit Risk parameter, credit growth, credit concentration (sector/segment-wise, size-wise, borrower-wise), credit quality, NPA movement, adherence to prescribed systems and procedures (including Credit Monitoring Policy, Fair Practices Code), and off-balance sheet items for their volume, quality and security etc. are analysed for the available positive and negative factors with respect to quantity and quality, and marks are allotted accordingly as per the proposed policy document. Under the Credit Risk parameter a maximum of 300 marks is allowed.

Under the Earnings Risk parameter, profitability, sources of income and the trend, various heads of expenditure and the trend, effective control over expenses, revenue leakage, recovery in written-off accounts, and recovery of unrealised interest/other income are analysed, and positive and negative factors are brought out, based on which marks are assigned; this parameter carries a maximum of 40 marks.

Under the parameter of Business Strategy & Environment Risk, which carries a maximum of 40 marks, positive and negative factors with respect to achievement of budgeted level, proper exploitation of locational advantage, adequacy and compatibility of IT systems with business needs, initiatives/strategies adopted for business development, knowledge about bank’s products/services, and strengths and weaknesses of the branch and also those of the competitors are taken into account for assignment of marks.

In the Operational Risk parameter, operational control over staff by way of proper allocation of duties and periodical rotation/training, strict adherence to operational guidelines, ensuring customer compliance with terms of sanction, validity and security of IT systems, frequency of transaction errors, proper documentation, reputation of the bank, operating environment and availability of a contingency plan to meet any unforeseen/unanticipated events/circumstances are assessed by bringing out positive and negative factors observed in these areas, and marks are allotted accordingly. This parameter is assigned a maximum of 120 marks.

The parameter of Internal Control Risk carries a maximum of 150 marks and under this parameter, positive and negative factors with respect to housekeeping, control over sensitive stationery items, control over cash management, judicious exercise of delegation of powers, observance of KYC / KYB principles, periodical Test Checks, control over furniture & fixtures/staff records/other records of the Branch, control over Branch security are considered for assessing the risk perception and marks are allotted suitably.

Under the Compliance Risk parameter, statutory requirements such as effecting TDS and its timely remittance, submission of statutory returns, obtention/renewal of statutory licences and other statutory obligations such as issue of TDS certificates, timely submission of copy of Form No.15 G/H to the appropriate authorities, regulatory requirements such as timely submission of control returns, compliance with anti money-laundering norms, exposure ceilings, IRAC norms, RBI’s clean currency note policy, priority sector requirements, conclusive compliance with audit reports and also compliance with Monitorable Action Plan suggested by appropriate authority/ies for betterment/improvement of business of the branch are taken into account and positive/negative factors available under these areas are weighed and marks are assigned accordingly. This parameter carries a maximum of 100 marks.

The risk assessment under each parameter and the risk rating of the Branch are arrived at as follows:

If the percentage of total marks obtained is more than 75, then risk assessment under that parameter is made as Low. If the percentage falls between 50 – 75, then the risk assessment is Medium, and if it is below 50, the risk is assessed as High. In the same manner, the marks obtained under all the four parameters of the Inherent Business Risk category are totalled and, based on the percentage, the risk level of this category is assessed. Similarly, the level of Control Risk is also assessed. Then with the help of the following risk matrix provided by RBI, the composite risk level of the branch is assessed.

Risk Matrix

                                          Control Risk
Inherent Business Risk     Low                  Medium                High
High                       A  High Risk         B  Very High Risk     C  Extremely High Risk
Medium                     D  Medium Risk       E  High Risk          F  Very High Risk
Low                        G  Low Risk          H  Medium Risk        I  High Risk

With regard to assessing the trend/direction (decreasing/stable/increasing) of level of risk under any parameter or the composite risk of the branch, the following risk matrix is interpreted suitably.

                                          Control Risk
Inherent Business Risk     Decreasing           Stable                Increasing
Increasing                 Increasing           Increasing            Increasing
Stable                     Stable               Increasing            Increasing
Decreasing                 Decreasing           Stable                Increasing

Variation of marks in the same category up to +5% or –5% is considered as STABLE. Variation of marks in the same category of more than +5% or –5% is considered as DECREASING/INCREASING as the case may be.

In the case of the branches other than the General Banking Branches as specified in b) above, the risk assessment will be made in applicable parameters only as enumerated in the Reporting Format of the respective class of branch.
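The rating method in section B above can be carried out mechanically once the marks are in hand. The following is an added worked example (not part of the policy document): it encodes the maximum marks per parameter, the 75/50 level thresholds, the RBI composite risk matrix and the ±5% trend rule from the text, and rates one branch whose previous and present marks are constructed for illustration. Two readings are assumptions: a rise in marks (more positive factors) is treated as Decreasing risk and a fall as Increasing, and "variation" is taken as the change in percentage score.

```python
from typing import Dict, Tuple

Marks = Dict[str, int]          # parameter name -> marks obtained
Assessment = Tuple[str, str]    # (level, direction)

# Maximum marks per parameter, grouped by category (from the policy text).
MAX_MARKS: Dict[str, Dict[str, int]] = {
    "Inherent Business Risk": {"Credit Risk": 300, "Earnings Risk": 40,
                               "Business Strategy & Environment Risk": 40, "Operational Risk": 120},
    "Control Risk": {"Internal Control Risk": 150, "Compliance Risk": 100},
}

# RBI composite risk matrix: rows are Inherent Business Risk levels, columns Control Risk levels.
_BIZ_LEVELS = ["High", "Medium", "Low"]
_CTL_LEVELS = ["Low", "Medium", "High"]
_COMPOSITE_TABLE = [
    [("A", "High Risk"), ("B", "Very High Risk"), ("C", "Extremely High Risk")],
    [("D", "Medium Risk"), ("E", "High Risk"), ("F", "Very High Risk")],
    [("G", "Low Risk"), ("H", "Medium Risk"), ("I", "High Risk")],
]
COMPOSITE = {(b, c): _COMPOSITE_TABLE[i][j]
             for i, b in enumerate(_BIZ_LEVELS) for j, c in enumerate(_CTL_LEVELS)}

# Direction matrix: rows are business risk trend, columns control risk trend.
_BIZ_TRENDS = ["Increasing", "Stable", "Decreasing"]
_CTL_TRENDS = ["Decreasing", "Stable", "Increasing"]
_TREND_TABLE = [
    ["Increasing", "Increasing", "Increasing"],
    ["Stable", "Increasing", "Increasing"],
    ["Decreasing", "Stable", "Increasing"],
]
TREND = {(b, c): _TREND_TABLE[i][j]
         for i, b in enumerate(_BIZ_TRENDS) for j, c in enumerate(_CTL_TRENDS)}


def percentage(obtained: int, maximum: int) -> float:
    """Marks obtained as a percentage of the maximum; rejects out-of-range marks."""
    if not 0 <= obtained <= maximum:
        raise ValueError(f"marks {obtained} outside 0..{maximum}")
    return 100.0 * obtained / maximum


def risk_level(pct: float) -> str:
    """Policy thresholds: above 75 is Low, 50 to 75 is Medium, below 50 is High."""
    if pct > 75:
        return "Low"
    if pct >= 50:
        return "Medium"
    return "High"


def risk_direction(previous_pct: float, present_pct: float) -> str:
    """Up to 5 points either way is Stable. Assumed mapping: more marks means
    Decreasing risk, fewer marks means Increasing risk."""
    delta = present_pct - previous_pct
    if abs(delta) <= 5.0:
        return "Stable"
    return "Decreasing" if delta > 0 else "Increasing"


def category_percentage(category: str, marks: Marks) -> float:
    """Total of a category's parameter marks against the category maximum."""
    maxima = MAX_MARKS[category]
    return percentage(sum(marks[p] for p in maxima), sum(maxima.values()))


def rate_branch(previous: Marks, present: Marks) -> dict:
    """Level and direction per parameter and per category, then the composite cell."""
    report: dict = {"parameters": {}, "categories": {}}
    for category, maxima in MAX_MARKS.items():
        for param, maximum in maxima.items():
            prev_p = percentage(previous[param], maximum)
            pres_p = percentage(present[param], maximum)
            report["parameters"][param] = (risk_level(pres_p), risk_direction(prev_p, pres_p))
        prev_c = category_percentage(category, previous)
        pres_c = category_percentage(category, present)
        report["categories"][category] = (risk_level(pres_c), risk_direction(prev_c, pres_c))
    biz_level, biz_dir = report["categories"]["Inherent Business Risk"]
    ctl_level, ctl_dir = report["categories"]["Control Risk"]
    cell, composite = COMPOSITE[(biz_level, ctl_level)]
    report["composite"] = (cell, composite, TREND[(biz_dir, ctl_dir)])
    return report


# Constructed sample marks for one branch: previous audit and present audit.
PREVIOUS_MARKS: Marks = {
    "Credit Risk": 240, "Earnings Risk": 28, "Business Strategy & Environment Risk": 25,
    "Operational Risk": 90, "Internal Control Risk": 120, "Compliance Risk": 80,
}
PRESENT_MARKS: Marks = {
    "Credit Risk": 210, "Earnings Risk": 30, "Business Strategy & Environment Risk": 22,
    "Operational Risk": 80, "Internal Control Risk": 130, "Compliance Risk": 85,
}

if __name__ == "__main__":
    for key, value in rate_branch(PREVIOUS_MARKS, PRESENT_MARKS).items():
        print(key, value)
```

For the sample branch the business category falls to 68.4% (Medium, Increasing) while control rises to 86% (Low, Decreasing), which the matrix places in cell D, Medium Risk, with the composite direction Increasing.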


Annexure-3

RISK PROFILE OF …………………………………………. BRANCH …………………………….. ZONE Position as at ……………………

Ref. No. Date:

TABLE OF CONTENTS

I Background

II Organization and Business Profile of Branch

III Assessment of the Risk Profile

IV Summary Description of Business & Control Risks

V Suggested Monitorable Action Plan for Mitigating Risk

I. BACKGROUND

In the context of having effective RBS in the Bank, the Risk Profile of …………………….. Branch is prepared in line with the Corporate Risk Profile keeping in mind the various risk factors under Business and Control areas that are observed at the branch level. The underlying objective is to:

- Categorise the Branches as having composite risk rating low, medium, high, very high and extremely high;
- Identify the direction of risk, namely increasing/stable/decreasing.

II. ORGANIZATION & BUSINESS PROFILE OF BRANCH:

Name of the Branch/Date of Opening

Branch Code No.:
Name of the Zone:
Category: Small/Medium/Large/V. Large/E. Large/Specialised
Class: Rural/Semi-Urban/Urban/Metropolitan
Management Organization – Total Staff: Officers:      Special Assistants:      Clerks:      Sub-Staff:
Branch In-charge (Present): Shri/Smt.                          From:
Previous Incumbent: Shri/Smt.                                  From:          To:
Last Risk Audit conducted: From:          To:
Last Risk Audit Rating: Business Risk          Control Risk          Composite Risk

BUSINESS PROFILE

(Outstanding Rs. in lakh)

                                            Year before Last        Last Year               Current Year as on
                                            as on 31.03.200         as on 31.03.200         (latest quarter/month) ……………..
                                            Budget     Actual       Budget     Actual       Budget     Actual
1. Profit
   - Operating
   - Net
2. Deposits
   Current
   Savings
   Term
   Total Deposits
   of which Wholesale/Institutional
            NRI
3. Advances
   AFD, of which Indirect Adv.
   SSI, of which Advances under CGFTSI Scheme
   OPS, of which Retail Trade
                Small Business
                SRTO
                Prof. & Self-Employed
                Education
                Housing
   Total Priority Sector, of which DRI
   Wholesale Trade/Business
   Medium & Large Inds.
   Star Channel Credit
   Star Personal Loan
   Star Pensioner Loan
   Housing Loan (other than priority sector)
   Star Mortgage Loan
   Star Holiday Loan
   Star Autofin
   Other Products
   Other Personal Loan (against TDR/NSCs etc.)
   Staff
   Total Advances
   Total Advances under Govt. Sponsored Schemes
   Forex Business
   Non-Fund Based:
      Letters of Credit
      Guarantees Issued
      Acceptances/Endorsements etc.
      Other contingent liabilities
   NPAs:
      Sub-Standard
      Doubtful
      Loss
      Total NPAs
   Gross NPAs to Total Advances (%)
   New/Additional advances disbursed during the year
   C/D Ratio
Names of the Competitors:
Market share of our branch in the area of operation (%):

Types of Audits conducted during the year          Date of Report          Ratings awarded
1.
2.
3.

Information Technology Systems used:

III Assessment of the Risk Profile

A. BUSINESS RISK:

1. Credit Risk:                    Previous Assessment          Present Assessment
   Level/Direction:

Assessment area                    Positive Factors             Negative Factors
Credit Growth
Credit Composition & Concentration
Credit quality
Off Balance sheet items
NPA Movement
Adequacy of provisions

2. Earnings Risk:                  Previous Assessment          Present Assessment
   Level/Direction:

Assessment area                    Positive Factors             Negative Factors
Gross Profit – Actual v/s Budget
Interest Income
Non-Interest Income
Interest Expenses
Control over expenses
Revenue Leakage
Recovery in written-off accounts, UCI/URI etc.

3. Business Strategy & Environment Risk:     Previous Assessment          Present Assessment
   Level/Direction:

Assessment area                    Positive Factors             Negative Factors
General Economic Outlook pertaining to the area of operation and environmental hazards, if any
Knowledge about the market, strength and weakness of self/competitors and market share
Business Initiative/Strategy adopted for new products/services
Quality of customer service
Budgeted performance
Adequacy of computer systems in tune with the volume of business and business requirement

4. Operational Risk:               Previous Assessment          Present Assessment
   Level/Direction:

Assessment area                    Positive Factors             Negative Factors
Competency of staff/rotation of duties, proper training/placement
Adherence to manual of instructions/circulars/guidelines
Security and validity of computer systems and other technology
Documentation including time-barred documents
Litigation/claims against the bank
Reputation of the bank/customer service/redressal of customer complaints/grievances
Preparedness for tackling any unanticipated natural/manmade calamities/events

B. CONTROL RISK:

1. Internal Control Risk:          Previous Assessment          Present Assessment
   Level/Direction:

Assessment area                    Positive Factors             Negative Factors
Housekeeping
Reconciliation (inter-bank and inter-branch)
Submission of MIS returns/control returns – timeliness/quality
Cash Management
Prevention of frauds
Judicious exercise of Delegation of Powers
Control over sensitive stationery items
Branch security aspects
Adherence to KYC/KYB and Anti-Money Laundering norms
Control over staff records, old records, furniture & fixtures etc.

2. Compliance Risk:                Previous Assessment          Present Assessment
   Level/Direction:

Assessment Area                    Positive Factors             Negative Factors
a) Regulatory: Submission of control returns in time and accurately; obtention of PAN/GIR No. in eligible cases; implementation of Goiporia Committee recommendations; adherence to RBI’s clean currency policy etc.
b) Statutory: Deduction of Income-tax, service-tax etc. and timely remittance; renewal of required licenses; submission of annual returns to statutory authorities etc.
c) Monitorable Action Plan: Compliance with MAP suggested in the previous RBIA/updated risk profile and also compliance with other audit reports.

IV. SUMMARY DESCRIPTION OF BUSINESS & CONTROL RISKS ASSESSED :

Parameters                    Level & Trend of risk     Positive Factors     Negative Factors
Business Risk
   Credit
   Earnings
   Business Strategy
   Operational
Control Risk
   Internal Control
   Compliance

V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:

Parameter                   Risk Level/Direction     Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively
1. CREDIT RISK
2. EARNINGS RISK
3. BUSINESS STRATEGY RISK
4. OPERATIONAL RISK
5. INTERNAL CONTROL RISK
6. COMPLIANCE RISK

Prepared by: Approved

………………….. …..……………………

(Auditor) (Zonal Audit Chief) ……………………. ZAO.

Annexure-4

RISK BASED INTERNAL AUDIT REPORT

Name of the Branch:                          Zone:
Opened on:                                   Branch Code No.:
Category:                                    Class:
Business Hours – Week Days:                  Weekly Off:
Extension Counter attached: YES/NO           Holiday Home attached: YES/NO
Currency Chest: YES/NO                       Branch under Concurrent Audit: YES/NO

                                     Previous             Present
Branch In-Charge                     ----------------     -----------------
   From                              ----------------     -----------------
   To                                ----------------     -----------------
Date of commencement of Audit        ----------------     -----------------
Date of conclusion                   ----------------     -----------------
Mandays                              ----------------     -----------------
                                     From       To        From       To
Period covered by audit              ----------------     -----------------
Name of the Team Leader              ----------------     -----------------
Date of Report                       ----------------     -----------------
Date of Despatch                     ----------------     -----------------
Date of Noting/Closure                                    -----------------

Audit Ratings (Level & direction):

Major Risk Parameters     Previous to Last Audit       Last Audit                Present Audit
                          Level       Direction        Level       Direction     Level       Direction
Business Risk
Control Risk
Composite Risk

A. BUSINESS RISK

1. CREDIT RISK

Please attach the details of accounts selected as per the policy guidelines on transactions testing as to name of the account, type of advance, sanction authority/date, sanctioned limit, present outstanding. The number of accounts to be selected should cover the maximum exposure (either sanctioned limit or outstanding whichever is more per borrower) involving all sectors/segments as well as accounts not covered under the last audit:

(Rs. in lakh)

1. Growth (New/Additional Advances sanctioned)

                                     Year before Last        Last Year               Current Year as on
                                     as on 31.03.200         as on 31.03.200         (latest quarter/month) ……………..
                                     No.      Amount         No.      Amount         No.      Amount
Fund-Based Advances
   of which Advances against TDR
            Staff Advances
Non-Fund Based (I & F)
   Letters of Credit
   Bank Guarantees
   Other Contingent Liabilities

Offer comments on:

Items (each assessed for Positive Factors / Negative Factors)
Obtention of application for advance facility in the prescribed format and conduct of pre-sanction inspection for identification/verification of antecedents of borrowers in all the new advances
Obtention and scrutiny of CBD-23 with documentary evidence, wealth tax returns, income-tax returns, status report, CIBIL report, RBI’s defaulters list, ECGC caution list, no dues certificate, IE Code No. in the case of Imports/Exports business, ascertaining of non-listing of goods to be exported by the applicant exporter from the Negative List
Obtention/scrutiny of financial statements (CMA, QIS, MSOD, Balance Sheet, Trading/Manufacturing Account, P&L account etc.)
Obtention of technical feasibility report from TICC/TICD wherever applicable
Preparation of proposals in the prescribed format with proper assessment of credit needs including Non-Fund Based facilities along with proper credit rating exercise
Observance of proper procedure in the case of accounts taken over from other banks/financial institutions
Issue of sanction letter and ensuring customer compliance with terms of sanction
Verification of end use of funds
Quick mortality observed
Any spurt in advances, especially in the areas where the branch is facing difficulty in recovery, and diversified growth of credit as per the available potentials

(Outstanding Rs. in lakh)

2. Credit Concentration

                                                   Year before Last    Last Year           Current Year as on latest
                                                   as on 31.03.200     as on 31.03.200     (quarter/month) …………….
Total Agricultural Advances
  of which Indirect Agricultural Advances
Small Scale Industries
  out of which Advances covered under CGFTSI scheme
Other Priority Sector Advances
  of which Retail Trade
           Small Business
           SRTO
           Prof. & Self-Employed
           Education
           Housing
Total Priority Sector Advances
Wholesale Trade/Business
Medium & Large Inds.
Star Channel Credit
Star Personal Loan
Star Pensioner Loan
Housing Loan (other than priority sector)
Star Mortgage Loan
Star Holiday Loan
Star Autofin
Other Products (Star IPO etc.)
Other Personal Loan (against TDR/NSCs etc.)
Staff
Total Advances
  of which > Rs.1 crore
           Rs.10 lakh and above but < Rs.1 crore
           Rs.2 lakh and above but < Rs.10 lakh
           Below Rs.2 lakh
Total Advances under Govt. Sponsored Schemes
Total Unsecured/Clean Advances
Forex Business
Non-Interest bearing Loans to Staff

Offer comments on:

Items | Positive Factors | Negative Factors

- Over exposure of advances in sectors/segments vis-à-vis available potentials/allocated target in the area of operation of the branch
- Size-wise concentration of advances within manageable limit and also in tune with the available infrastructure
- Significant single borrower exposure (say > 10% of total advances per borrower/group)
- Exposure trend in unsecured areas
- Exposure of forex business taking into consideration the availability of ECGC cover and also the Country Risk

(Outstanding Rs. in lakh)

3. Credit Quality

                                                Year before Last    Last Year           This Year as on (latest quarter/month) ……………..
                                                as on 31.03.200     as on 31.03.200
                                                No.    Amount       No.    Amount       No.    Amount
Credit Rating (Equivalent to New Rating Model)
  AAA-Prime
  AAA Rated
  AA Rated
  A Rated
  B Rated
  Rating Not Required
  NPA
Total

Offer comments on:

Items | Positive Factors | Negative Factors

- Quality of credit appraisals
- Credit Rating exercise with New Credit Rating models
- Periodical Review of advances with proper analysis of financial statements
- Post-disbursement monitoring of advances, maintenance of record/registers/ledgers
- Monitoring of advances under watch list
- Frequent sanction of Overlimit/Adhoc limit
- Availability of easily realisable securities (primary and collateral) and periodical valuation of securities charged to the bank
- Ensuring customer compliance with terms of sanction
- Timely action on advance accounts showing symptoms of sickness
- Conduct of consortium advance accounts including joint appraisal, inspection of securities, strict adherence to the terms of consortium etc.
- Ensuring no Kite-flying, routing of sale proceeds through borrowal accounts
- Diversion of funds and steps taken to pluck out the same

(Outstanding Rs in lakh)

4. Classification of Assets and NPA Movement/Analysis

                                    Year before Last          Last Year                 This Year as on (latest quarter/month) ………………
                                    as on 31.03.200           as on 31.03.200
                                    No. of a/cs.   Amount     No. of a/cs.   Amount     No. of a/cs.   Amount
Standard
Sub-Standard
Doubtful
Loss
TOTAL
Suit Filed Advances
Suit Decreed Advances
Expired Decrees

                                    Budget    Actual          Budget    Actual          Budget    Actual
Gross NPA (Opening)
  Cash Recovery      -
  Compromise         -
  Up-gradation       -
  Write Off          -
  Slippage           +
Gross NPA (Closing)
Provision/Cash Margin
Net NPA (Closing)

Sectoral Concentration of NPA
Total Agriculture
  of which Indirect Finance
SSI
  of which Advances covered under CGFTSI Scheme
Other Priority Sector
  of which Small Business
           Retail Trade
           SRTO
           Prof. & Self-Employed
           Educational Loan
           Housing Loan
           Others

Classification of Assets and NPA Movement/Analysis: (Contd..)

                                    Year before Last          Last Year                 This Year as on (latest quarter/month) ………………
                                    as on 31.03.200           as on 31.03.200
                                    No. of a/cs.   Amount     No. of a/cs.   Amount     No. of a/cs.   Amount
Med. & Large Inds.
Wholesale Trade/Business
Total Personal Loans
  of which Star Personal
           Star Mortgage
           Star Holiday
           Star Autofin
           Others (Star IPO etc.)
           NSC/Share
Housing Loan (other than Priority Sector)
Staff
Total NPA
NPA in Forex Business out of total NPA

Offer comments on:

Items | Positive Factors | Negative Factors

- Proper classification of Assets as per extant guidelines
- Concentration of NPAs in different sectors/segments and the trend in absolute terms in the respective areas
- Proper provisioning
- Identification of units for restructuring/rescheduling of advance accounts wherever feasible
- Identification of causes for quick mortality, non-performing of accounts and remedial measures initiated
- Periodical inspection of assets of NPA accounts to ensure that there is no deterioration of realisable value of security
- Ensuring insurance of assets of NPA accounts wherever possible
- Availability of coverage under ECGC, CGF for Small Industries, Govt. Guarantee etc. in NPA accounts
- Efforts for cash recovery, compromise, out of court settlement etc.
- Pendency for submitting memorandum for legal action
- Legal action approved but suit not filed
- Follow-up in suit filed accounts by keeping close liaison with Court Officials, Bank’s Advocates for expediting disposal of the case in bank’s favour
- Maintenance of proper records/registers (age-wise position) for suit filed/decreed accounts
- Recovery Certificates filed (if Recovery Act is applicable), number of cases pending, reporting of cases pending over 3 years to ZO, efforts for expediting execution of decrees, time-barred decrees
- Maintenance of records/register for compromise offers received, action taken and disposed

5. Off balance sheet (Non-Fund Based) Exposure:

(Outstanding Rs. in lakh)

Non-Fund Based Exposure                                    Year before Last    Last Year           Current Year as on (latest quarter/month) ……………..
                                                           as on 31.03.200     as on 31.03.200
                                                           Budget    Actual    Budget    Actual    Budget    Actual
Letters of Credit
Guarantees Issued
Acceptances/Endorsements/Deferred Payment Guarantees etc.
Other contingent liabilities such as Letter of Comforts, Confirmation of Stand-by L/Cs etc.
Claims against bank not acknowledged as Debt
Liability on account of outstanding forward exchange contracts

Offer comments on:

Items | Positive Factors | Negative Factors

- Availability of security coverage to Letters of Credit including the stipulated margin/collaterals
- Trend of devolvement of L/Cs and the time taken for payment of devolved L/Cs
- Availability of security coverage to Guarantees Issued including the stipulated margin/collaterals
- Trend of invocation of Guarantees and the time taken for payment of invoked Guarantees
- Follow-up for expired guarantees and reversal of liability in the case of expired guarantees
- Frequency of default in reimbursement in the case of crystallisation of liabilities under Acceptances/Endorsements/Deferred Payment Guarantees etc.
- Other contingent liabilities
- Claims against bank not acknowledged as Debt
- Maintenance of record of documents/evidence seen for booking forward exchange contract, follow-up for utilisation/cancellation of outstanding contracts, contracts in permitted currencies, non-reimbursement of crystallised forex contracts etc.

2. EARNINGS RISK (Rs. in lakh)

                                                            Year before Last    Last Year           Current Year as on latest
                                                            as on 31.03.200     as on 31.03.200     (quarter/month) ……………
A – Income
  Interest Income (Excl. TPM)
  Non interest Income
    of which Recovery in written-off accounts vis-à-vis the target
    (Amount outstanding in written-off accounts)            (         )         (         )         (         )
  Total Income
  Yield on fund based limits (%) (based on fortnightly average advances)
  Cost of Deposits (%) (based on fortnightly average deposits)
  Spread
B – Expenses
  Interest expenses (Excl. TPM)
  Staff Cost
  Other Expenses
    of which i) Controllable Expenses
  Total Expenses
                                                            Budget    Actual    Budget    Actual    Budget    Actual
C – Profit/Loss
  Operating Profit/Loss before application of TPM
  Net Transfer Price Mechanism
  Net Profit/Loss
  Profit per employee
  Unrealised Interest
  Uncharged Interest

Offer comments on:

Items | Positive Factors | Negative Factors

- Application of correct rate of interest, penal interest, effecting change in rate of interest as and when advised in advances and deposits
- Recovery of unrealised interest and uncharged interest, trend of additions etc.
- Payment of any penal interest towards late remittances of dues to Govt. Depts., delayed reimbursement of transfer of funds to other banks/financial institutions etc.
- Application of correct charges with regard to advances, deposits, remittances, account maintenance and other miscellaneous services offered
- Trend of written-off accounts, additions if any, recovery effected against the budgeted level, efforts taken for effecting recovery etc.
- Control over expenses in general, particularly in controllable items such as travelling, stationery & printing, telephones/telegrams, lighting, miscellaneous expenses
- Trend of revenue leakage in various areas, recurring revenue leakage in the same account, trend of volume in revenue leakage, reasons for revenue leakage (the list of accounts wherein revenue leakage is detected is to be submitted)
- Trend of achievement of budgeted level of profit, reasons for non-achievement if any

3. BUSINESS STRATEGY & ENVIRONMENT RISK

(Outstanding Rs. in lakh)

                                                            Year before Last    Last Year           Current Year as on (latest quarter/month) ……………..
                                                            as on 31.03.200     as on 31.03.200
                                                            Budget    Actual    Budget    Actual    Budget    Actual
1. Profit (Operating)
2. Deposit
   Current
   Savings
   Term
   Total Deposits
3. Advances
4. Misc. Services
   a) Safe Custody (No. of a/cs.)
   b) SDV (No. of lockers occupied and No. of total lockers)
   c) Card Products (No. of cards issued & No. of Mes enrolled)
   d) Govt. Business (Turnover)
   e) Third Party Products (No. of products & income earned)

Offer comments on:

Items | Positive Factors | Negative Factors

- General Economic Outlook and environmental deficiencies (like non-availability of perennial irrigation facilities, adequate labour, other infrastructure etc.) in the operable jurisdiction of the branch
- Knowledge about the market, strength and weakness of self/competitors and market share
- Knowledge about the products/services of Bank, business initiative/strategy adopted for exploiting available potentials for business development
- Quality of service rendered by the branch
- Achievement of budgets on monthly/half-yearly/annual basis and reasons for non-achievement, if any
- Staff productivity and reasons for decline, if any
- Availability of competent staff to handle the nature of business that the branch is undertaking and/or proposes to undertake
- Adequacy of IT systems with business needs, especially in the circumstances where the customers are technically savvy and/or the competitors of our bank have already put in place adequate IT systems to serve the customers in an effective way

4. OPERATIONAL RISK:

                                                            Year before Last    Last Year           Current Year as on latest
                                                            as on 31.03.200     as on 31.03.200     (quarter/month) ……………
1. Staff Strength
   Officers
   Special Assistants
   Clerks
   Sub-Staff
2. Available Computer Systems and the different kinds of facilities offered to the customers (like MBB, ATM, Tele-Banking, Internet Banking etc.)
3. No. of suits filed against the bank and the suit amount
4. No. of complaints pending

5. Trend of repetitive irregularities in security documents under select items

                                                                   Previous to Last Audit    Last Audit         Current Audit
                                                                   (Rs. in lakh)             (Rs. in lakh)      (Rs. in lakh)
                                                                   A/cs.    O/s.             A/cs.    O/s.      A/cs.    O/s.
   a) Non-obtention of principal documents/defective execution
   b) Non-creation/extension of stipulated mortgage
   c) Non-obtention of renewal documents within stipulated time
   d) Non-registration of charges/lien with RTO/ROC/CHS/Other authorities
   e) Inadequate/Non-insurance of primary/collateral securities

6. History of occurrence of the following hazards/unanticipated events, if any

                                    Previous to Last Audit    Last Audit    Current Audit
   a) Earthquake
   b) Flood/Cyclone
   c) Theft/Robbery/Dacoity
   d) Communal Riots/violence

Offer comments on:

Items | Positive Factors | Negative Factors

- Positioning of staff (Supervisory and Clerical) in key areas as per the competency
- Proper allocation/rotation of job (for both Supervisory and Clerical) wherever applicable
- Imparting suitable training/guidance to staff for acquiring updated knowledge in the day to day functioning, particularly in the computerised environment
- Frequency of execution errors in transactions (like wrong posting of vouchers which may be subsequently cancelled, not giving correct value date for the transactions, not effecting remittances for which value already received)
- In the case of CIBEX branches, proper logging-out from the computer systems when not in use, access to server/UPS/SWIFT/administration node/network printers, not keeping secrecy of user password/Admin password, assignment of two different levels of user ID at the same time, cancellation/suspension of user ID upon transfer, retirement, resignation, leave, absence, maintenance of record for changing network user password for salary/CCIS packages, safe-keeping of admin Password, which should be changed periodically, in a sealed cover under dual control
- In the case of CIBEX branches, documentation/distribution of Disaster Recovery Plan, display of LAN layout, back-ups (daily, weekly, monthly, quarterly, milestone), dual control of in-house back-up, off-site storage of back-ups, data back-up on the hard disk of admin. node on daily basis, purging of data, record maintenance for re-opening of days, loading of anti-virus software on the server & nodes with hard disk, back up of MBB server
- In the case of Finacle branches, proper logging out from the computer systems, allotment of more than one user level code at the same time, cancellation/suspension of user ID upon transfer, retirement, resignation, leave, absence etc., access to UPS/SWIFT system
- In the case of Finacle branches, documentation/distribution of Disaster Recovery Plan, display of LAN layout, loading of anti-virus software at all nodes
- Sanction of advances or any other facilities as per the terms including scale of finance of schemes and also with proper application in the prescribed format, preparation of proposals in the prescribed format, maintenance of application received/sanctioned/rejected register along with recovery of suitable charges
- Allowing of concessions/waiver in charges, if any, without proper application, without working out cost benefit analysis and without proper sanction and also renewing such approval as applicable
- Purchasing of bills accompanying lorry receipts of unapproved transport companies without proper sanction and also purchase of house bills/cheques without proper sanction
- Applying/Claiming refinance from IDBI/SIDBI/NABARD/EXIM Bank etc., claiming/adjustment of subsidy under various schemes, ECGC cover in eligible accounts etc.
- Reporting of sanction of new/additional/renewal/reduction/adhoc limits or change in terms of advance accounts to ECGC within 30 days of sanction, obtention of formal approval from ECGC in the required cases
- Reporting of default to ECGC within the prescribed time limit and lodgement of claims with ECGC within the prescribed time limit, lodgement of claims in respect of Central/State Govt. Guarantee accounts
- Disbursement of EPC without L/C or confirmed order
- Obtention of approval of ECGC in cases where packing credit is extended beyond 360 days/prescribed time limit and also for advance beyond prescribed discretionary limit except in standard accounts
- Delinking of overdue bills and transferring past-due bills/shortfall on crystallisation
- Incorporation of amendments/additions/cancellations from time to time in the Manuals/FEDAI Rules Book/Exchange Control Manuals etc. and destruction of old manuals
- Arranging for listing of cards in eligible cases for ‘Hot Listing’ through HO
- Recommendation for renewal of Cards on due dates
- Opening of Deposit accounts as per the extant guidelines
- NSC/KVP/TDR/Monies under Life Insurance Policy, Shares, Other Govt. Securities pledged/assigned as security in advance accounts and matured/fallen due for payment but proceeds not claimed/realised/credited to the borrowal accounts
- Non-conversion of foreign currency liability into rupee liability in cases where exporter is unable to fulfil his obligations or where export has not taken place within 360 days
- Effecting remittances as per the extant guidelines
- Opening and monitoring of SDV and Safe Custody accounts as per the prevailing guidelines
- Handling/Record maintenance of card products like obtention of proper application, scrutiny, issue etc. of Credit Cards/ATM Cards etc.
- Obtention of lawyer’s opinion about title deeds in cases where mortgage is stipulated to ascertain the validity of creation of mortgage, obtention of search report, obtention of valuation certificate from the approved Architect along with the photograph of the property, periodical updation of valuation of the property
- Proper obtention of correct documents in advance accounts, proper execution of security documents such as filling in completely, duly signed by the borrowers/guarantors in the proper way, adequately stamped as per the applicable Stamp Act, properly defaced
- Mortgage creation/extension, registration/noting of charges with appropriate authorities, noting/registering of bank’s lien/charges/assignment with RTO, related Depts. of Govt. Offices/Undertakings
- Conduct of CPA-1, 2 and closure thereof in big eligible advances, vetting of documents and also conduct of CPA in personal loan accounts and other small loan accounts as per the extant guidelines
- Obtention of renewal documents within stipulated time
- Ensuring adequate insurance to the assets charged to the bank and keeping record of policies and also renewing the policies on due dates
- Claims made against the bank through Consumer Court/Other Courts/Other Judicial Functionaries, litigation with landlord of the branch premises and/or Manager’s residence taken on lease
- Quality of customer service, redressal of customer complaints, maintenance of records for complaints received, redressed and pending, moral behaviour of staff members, customer perception of the Bank
- Availability of contingency plan with proper documentation and circulation to all the staff members to tackle unanticipated incidents such as communal violence, riot, earthquake, flood, etc. happening, if any, in the case of the branch being situated in such areas
- Execution/renewal of lease deed of branch premises
- Maintenance of records for cash safe keys, documents safe keys, branch keys for proper handing over/taking over

Note: With regard to irregularities in documentation and other areas, the details of such irregularities, account-wise, for the accounts that have been audited should be submitted in the format provided in Annexure-IRR (a), with an overall summary sheet in Annexure-IRR (b).

B. CONTROL RISK

1. Internal Control Risk:

                                             Year before Last    Last Year           Current Year as on latest
                                             as on 31.03.200     as on 31.03.200     (quarter/month) ……………
Sundry Deposits
Sundry Credits
Suspense Accounts (Debit)
G/L a/c – Security Deposits
Average Cash Balance
Furniture & Fixtures
Outward Bills For Collection
Inward Bills For Collection
Drafts Payable Outstanding
Drafts Payable O/s > 3 years
Payorders Issued Outstanding
Payorders Issued O/s > 3 years
Net Clear – Receivable
Net Clear – Payable
Clearing Difference – Receivable
Clearing Difference – Payable
Drafts Paid Without Advice
GL a/c Subsidy Reserve Fund
GL a/c Proxy
GL a/c – Stamps & Stamped Documents on Hand
Balance with SBI/Other Bank
Foreign Travellers Cheque

Offer comments on:

Items | Positive Factors | Negative Factors

- Judicious exercise of delegated powers – sanction of advances/expenses/concessional charges etc. within the delegated authority; TOL/TOD sanction as per the extant guidelines (like no TOD/TOL to be sanctioned within 6 months of opening of accounts, no TOL to be sanctioned without drawing power etc.) and within the authority
- Reporting of sanctions to the next higher authority in the stipulated manner (Post Sanction Review System) and format; reporting of TOD/TOL sanctioned beyond delegated authority in exceptional cases and seeking ratification/approval; periodical reporting of TOD/TOL sanctioned within the delegated authority
- Periodical balancing of all books/ledgers which are manually operated; taking monthly jottings of balances, yearly printing of ledgers etc. in the case of computerised branches; scrutiny of exceptional transactions by the Manager/authorised official
- Maintenance of proper records and follow-up for OBC/IBC/Drafts Payable/DPWA/Payorders issued, Cheques/DW/IW entries
- Periodical balancing of entries in G/L a/c Security Deposits, Sundry Deposits, Sundry Credits, Suspense Accounts (Dr.), Subsidy Reserve Fund, Int Pay, Interest Receivables
- Follow-up for early wiping/adjustment of outstanding entries in Sundry Deposits, Sundry Credits, Subsidy Reserve Fund, Int Pay, Interest Receivables, Proxy (in the case of Finacle branches), Clearing Difference (Receivable & Payable)
- Weekly reconciliation of account with SBI/Other Banks; obtention of monthly balance confirmation certificate; weekly reconciliation of Clearing Difference Adjustment a/c, Net Clear, Home Clearing
- Maintenance of records for receipt of reports of Inter Branch Reconciliation from H.O.; raising query memorandum/follow-up for unreconciled entries with the concerned branches; replying to the query memorandum received from other branches
- Maintenance of Nostro/Vostro accounts; reconciliation of entries
- Safe keeping of cash under dual control; maintenance of cash within the stipulated level; special approval obtained for holding cash more than the stipulated level
- Sorting of cash; periodical surprise verification by the Manager/the authorised official and maintenance of records thereof; maintenance of bait money at all operational points, safe, in transit; maintenance of records for movement of cash; handling of petty cash with proper accounting
- Dual control and periodical balancing of jewel/gold packets; maintenance of proper records for movement of jewel packets
- Control over articles received for safe custody, control over safe deposit vault accounts (record maintenance, access to the lockers etc.)
- Proper record maintenance of Cards received from HO which are yet to be delivered to the applicant, dual custody of Card Products, destruction of the long pending Cards as per the extant guidelines
- Proper scrutiny and acknowledgement of sensitive stationery items (DD Books, TDR Books, CAN, Draft Advices, CNs, Payorder Books, DOs/COs etc.) including Stamps & Stamped Documents indented; immediate accounting in the stock register; dual custody of the stock, conducting surprise verification of the sensitive stationery by the Manager or the authorised official at least once in 6 months
- Maintenance of movement register in the proper manner for the sensitive stationery items as and when put in use and for the security documents
- Maintenance/updation of Branch Document Register
- Safe-keeping of Test Keys wherever provided; maintenance of proper records for the used Keys; efforts for deleting Keys unused/unrequired for a very long time
- Safe keeping of Manuals, FEDAI Rules Book, Exchange Control Manuals, Specimen Signature Book, Oral Assent Attendance Register, Oral Assent Register etc.
- Proper record maintenance for handing over/taking over charge at all applicable levels of the branch and reporting to controlling authorities, lodgement of duplicate keys with other branch/bank and record maintenance thereof
- Periodical conduct of Test Checks by the Manager or the authorised official in the prescribed manner, keeping records and submission of report thereof to the controlling authorities
- Proper record maintenance of staff attendance, leave calculation, payment of salary and other allowances, prompt payment of rent
- Proper maintenance of records and numbering pass book for Furniture & Fixtures including the Dead Stock and Furniture at the residence of Manager/Other officials, numbering and periodical physical verification, disposal of unserviceable items
- Proper maintenance of records for AMCs, Insurance Policies for branch building, stationery and furniture & fixtures
- Control over old records/files/vouchers, periodical disposal of old records as per the extant guidelines, ambience of the branch premises and also proper maintenance of records and control over other stationery items
- Proper record maintenance for newspapers/magazines purchased, sale of old newspapers, rent and other charges (telephone, electricity, taxes etc.) paid
- Control over branch security including provision of armed guard wherever necessary, renewal of gun license, periodical training to the armed guards wherever provided, fixing of Time-Lock, provision of security for cash lodgement/withdrawal to/from other branch/bank
- Maintenance of secrecy book, obtention of signature of all the staff as per applicable periodicity, maintenance of customer secrecy
- Knowledge about KYC/KYB norms, reporting of suspicious cash transactions/money-laundering, opening of accounts with proper introduction, obtention of photographs, proof of residence, monitoring of transactions, particularly of huge volume, in newly opened accounts, monitoring staff accounts for any extraneous credits
- Perpetration of frauds, involvement of staff if any, progress of settling cases with regard to fraud detected prior to the current audit period

2. Compliance Risk

Offer comments on:

Items | Positive Factors | Negative Factors

- Compliance with IRAC norms
- Compliance with Priority Sector Requirements
- Timely submission of all returns/statements (BPR, CA-23, CCIS, BHP, R-Returns, BEF/XOS Returns, IBS, NRD-CSR, ECB-2, 5, ECB-PAR, ODR, LEC(NRI), LEC(FII), Sales and Purchase of Foreign Currency, BDS, ALM statement etc.) with accuracy
- Obtention of Form No. 60/61 in all deposit accounts, obtention of Form A1, A2 etc. in forex transactions, not effecting remittances against acceptance of cash of Rs.50,000/- and above, obtention of PAN/GIR No. while effecting remittance against acceptance of cash of Rs.20,000/- but less than Rs.50,000/- and also in the case of effecting remittances, non-payment of proceeds of TDR by way of cash if the amount payable is > Rs.20,000/- and obtention of appropriate declaration for payment below Rs.20,000/-
- Periodical reporting of cash transactions of Rs.10 lakh and above to the controlling authorities
- Adherence to RBI’s currency note policy (non-stapling of currency notes, issue of numbered and signed receipt in the case of detection of forged/fake currency note etc.)
- Conducting periodical customer meetings, customer service meetings and sending the reports to the controlling authorities, conducting periodical customer service audit and sending reports to the controlling authorities, implementation of Goiporia Committee recommendations
- Adherence to Fair Practices Code on Lender’s Liability
- Display of time schedule for transacting various services, display of important telephone numbers, display of important notices such as prohibition of fire arms, announcing the facility for exchange of soiled/cut notes, display of bank’s various schemes and rates of interest applicable, announcement of business timing, provision of suggestion box, setting up ‘May I help you’ counter as per the extant guidelines etc.
- Pro-rata deduction of income-tax/professional tax etc. from salary and other allowances paid to staff members
- Deduction of income-tax on interest accrued/paid on TDR in applicable cases as per the extant guidelines, obtention of Form 15 G/H in the case of non-deduction of tax in eligible cases
- Payment of service-tax only on leviable items under P&L Misc. Receipt and also netting of service-tax
- Remittance of income-tax, service-tax deducted at source within the stipulated time to the credit of Govt. account, payment of various applicable taxes/charges in time such as property tax, tax under Shops & Establishment Act wherever applicable, electricity/telephone charges, professional tax, BCT tax etc.
- Issue of TDS certificates wherever taxes are deducted, filing of annual returns (Form-24, 24-A, 26 etc.) to the respective authorities within the stipulated time and maintenance of proper records for the same
- RBI License, License under Shops and Establishment Act (wherever applicable)
- Compliance with Right To Information Act
- Compliance with Official Language Act
- Compliance with Govt. Guidelines with respect to Pension Payment, PPF a/cs etc.
- Compliance with FEMA provisions
- Conclusive compliance with the previous audit reports, compliance with Monitorable Action Plan suggested in the previous Risk Based Audit Report and/or Updated Risk Profiles, compliance with special instructions/guidance etc. provided by the controlling authorities, Govt. Bodies, LDM etc.

MONITORABLE ACTION PLAN SUGGESTED:

(Copy of the MAP to be attached to the Risk Profile also)

Parameter                  Risk Level/Direction assessed during the audit    Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively
1. CREDIT RISK
2. EARNINGS RISK
3. BUSINESS STRATEGY RISK
4. OPERATIONAL RISK
5. INTERNAL CONTROL RISK
6. COMPLIANCE RISK

RISK BASED INTERNAL AUDIT RATING SHEET

Sr No   Category of Risk               Maximum Marks Allowed   Marks Awarded   Percentage   Risk Rating Level/Trend
A       BUSINESS RISK                  600
        1. Credit Risk                 350
        2. Earnings Risk                50
        3. Business Strategy Risk       50
        4. Operational Risk            150
B       CONTROL RISK                   400
        1. Internal Control Risk       250
        2. Compliance Risk             150
C       COMPOSITE RISK*

* The composite risk will be arrived at with the help of the following risk matrix

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks | Control Risks: Low | Control Risks: Medium | Control Risks: High
High   | A  High Risk   | B  Very High Risk | C  Extremely High Risk
Medium | D  Medium Risk | E  High Risk      | F  Very High Risk
Low    | G  Low Risk    | H  Medium Risk    | I  High Risk

BASIS FOR RISK ASSESSMENT

Risk | Percentage of Marks awarded
Low | Over 75
Medium | 50 – 75
High | Below 50

The trend analysis of the composite risk is interpreted as shown below (rows: trend of Inherent Business Risk; columns: trend of Control Risk):

Inherent Business Risk | Control Risk: Decreasing | Control Risk: Stable | Control Risk: Increasing
Increasing | Increasing | Increasing | Increasing
Stable     | Stable     | Increasing | Increasing
Decreasing | Decreasing | Stable     | Increasing

Variation of marks in the same category up to +5% or –5% is considered as STABLE. Variation in the same category of more than +5% or –5% is considered as DECREASING/INCREASING as the case may be.
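As an added illustration (not part of the policy document), the following Python helper applies the rating rules above: the percentage of marks awarded is mapped to Low/Medium/High, the composite risk is read off the A to I matrix, and the trend of each category follows the ±5% rule. Category maxima are those of the rating sheet (600 business, 400 control); the branch marks are constructed sample values, and reading the ±5% band as percentage points of the marks percentage is an assumption of this example.

```python
"""Worked example of the RBIA rating sheet computations (added illustration;
the marks below are constructed sample values, not audit data)."""
from typing import Dict, Optional, Tuple

# Maximum marks per category, as in the Risk Based Internal Audit Rating Sheet.
BUSINESS_MAX = {"Credit Risk": 350, "Earnings Risk": 50,
                "Business Strategy Risk": 50, "Operational Risk": 150}   # total 600
CONTROL_MAX = {"Internal Control Risk": 250, "Compliance Risk": 150}      # total 400

# Composite risk matrix: (inherent business risk level, control risk level) -> cell.
COMPOSITE = {
    ("High", "Low"): ("A", "High Risk"),
    ("High", "Medium"): ("B", "Very High Risk"),
    ("High", "High"): ("C", "Extremely High Risk"),
    ("Medium", "Low"): ("D", "Medium Risk"),
    ("Medium", "Medium"): ("E", "High Risk"),
    ("Medium", "High"): ("F", "Very High Risk"),
    ("Low", "Low"): ("G", "Low Risk"),
    ("Low", "Medium"): ("H", "Medium Risk"),
    ("Low", "High"): ("I", "High Risk"),
}


def percentage(awarded: float, maximum: float) -> float:
    """Percentage of marks awarded; rejects marks outside 0..maximum."""
    if maximum <= 0:
        raise ValueError("maximum marks must be positive")
    if not 0 <= awarded <= maximum:
        raise ValueError(f"marks awarded {awarded} outside 0..{maximum}")
    return 100.0 * awarded / maximum


def risk_level(pct: float) -> str:
    """BASIS FOR RISK ASSESSMENT: over 75 -> Low, 50-75 -> Medium, below 50 -> High."""
    if pct > 75:
        return "Low"
    if pct >= 50:
        return "Medium"
    return "High"


def composite_risk(business_level: str, control_level: str) -> Tuple[str, str]:
    """Look up the composite risk cell (letter, description) in the risk matrix."""
    return COMPOSITE[(business_level, control_level)]


def trend(current_pct: float, previous_pct: float, band: float = 5.0) -> str:
    """Trend of the risk in one category between two assessments.

    A change in the marks percentage within +/- band is STABLE. Higher marks
    mean lower risk, so a rise in marks beyond the band is a DECREASING risk
    trend and a fall is INCREASING. Treating the band as percentage points of
    the marks percentage is an assumption of this example."""
    delta = current_pct - previous_pct
    if abs(delta) <= band:
        return "Stable"
    return "Decreasing" if delta > 0 else "Increasing"


def _total(marks: Dict[str, float], maxima: Dict[str, float]) -> Tuple[float, float]:
    """Sum awarded and maximum marks, range-checking every category first."""
    if set(marks) != set(maxima):
        raise ValueError("marks must cover exactly the rating sheet categories")
    for name, awarded in marks.items():
        percentage(awarded, maxima[name])
    return sum(marks.values()), sum(maxima.values())


def rate_branch(business_marks: Dict[str, float], control_marks: Dict[str, float],
                previous: Optional[Dict[str, float]] = None) -> Dict[str, object]:
    """Fill in the rating sheet: levels for A and B, the composite C, and the
    trend of A and B when the previous assessment's percentages are given."""
    b_awarded, b_max = _total(business_marks, BUSINESS_MAX)
    c_awarded, c_max = _total(control_marks, CONTROL_MAX)
    b_pct, c_pct = percentage(b_awarded, b_max), percentage(c_awarded, c_max)
    b_level, c_level = risk_level(b_pct), risk_level(c_pct)
    letter, desc = composite_risk(b_level, c_level)
    sheet: Dict[str, object] = {
        "business_pct": round(b_pct, 1), "business_level": b_level,
        "control_pct": round(c_pct, 1), "control_level": c_level,
        "composite": f"{letter} {desc}",
    }
    if previous:
        sheet["business_trend"] = trend(b_pct, previous["business_pct"])
        sheet["control_trend"] = trend(c_pct, previous["control_pct"])
    return sheet


# Constructed sample branch: strong business risk marks, weaker control risk marks.
SAMPLE_BUSINESS = {"Credit Risk": 280, "Earnings Risk": 40,
                   "Business Strategy Risk": 35, "Operational Risk": 110}   # 465/600
SAMPLE_CONTROL = {"Internal Control Risk": 150, "Compliance Risk": 70}     # 220/400
SAMPLE_PREVIOUS = {"business_pct": 70.0, "control_pct": 58.0}              # last audit

if __name__ == "__main__":
    for key, value in rate_branch(SAMPLE_BUSINESS, SAMPLE_CONTROL, SAMPLE_PREVIOUS).items():
        print(f"{key:16} {value}")
```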

The above risk rating is approved.

(Signature of the Zonal Audit Chief)

Annexure-5

FORMAT OF EXIT MEETING REPORT

Branch : ____________________ Exit Meeting held on _______________
-------------------------------------------------

1. Date of Meeting :

2. Name and Designation of Officers who attended the meeting :
   Audit Team | Branch Officials

3. Period of Audit : From ______________ To ______________

4. Rating Level/Trend of the last 2 assessments
   Risk | Last (Date ) | Previous to Last (Date )
   Business Risk
   Control Risk
   Composite Risk

5. a) Highlights of performance
   Items | Budget/Target | Achievement | Remarks
   Total Deposits
   Low Cost Deposits
   Advances, of which: Priority Sector; Govt. Sponsored Prog.; NPA reduction
   Operating Profit
   Productivity per employee (Last Yr. / Current)
   House-Keeping
   Any Other Item (please specify)

   b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the branch).

6. SWOT analysis on functioning of the branch :

Strength

Weakness

Opportunity

Threat

7. Branch views, if any.

Encl: Copy of Monitorable Action Plan

Copy received.

Branch In-Charge, ……………….. Branch                (Signature of the Team Leader)

Place:

Date:

Annexure-6

MARK SHEET

Branch : _______________________ Zone: _______________ Class/Category : _______________________
Audited From : _______________ To: _______________

Sr. No. | Parameters for awarding marks | Maximum marks allowed | Marks awarded

(Under each parameter, the grades are listed with the maximum marks allowed for that grade.)

A. BUSINESS RISK (maximum marks: 500)

I. CREDIT RISK (maximum marks: 300)

1. Conduct of effective pre-sanction inspection of new accounts covering proper identification of borrowers, scrutiny of their antecedents/financial status by obtaining CBD-23 with documentary evidence, obtention of status report/no due certificate etc. involving
   More than 90% of the sanction amount: 10
   Between 75% and 90%: 6
   < 75%: 3

2. Quality credit appraisals in the new accounts with proper analysis of various ratios and need-based assessment, involving
   More than 95% of the sanction amount: 10
   Between 90% and 95%: 6
   < 90%: 3

3. Customer compliance with terms of sanction in the new accounts involving
   More than 95% of the sanction amount: 10
   Between 90% and 95%: 6
   < 90%: 3

4. Accounts becoming irregular within 3 months of disbursement in Secured Loans & Advances in new a/cs. other than loan against TDR & Staff a/cs. sanctioned after the last audit involving amount of
   < 3% of such total new disbursements: 6
   Between 3% to 5%: 4
   More than 5%: 0

5. Accounts becoming irregular within 3 months of disbursement in Partially Secured/Clean Loans & Advances in new accounts other than staff accounts sanctioned after the last audit involving amount of
   < 1% of such total disbursement: 6
   1% to 3%: 4
   More than 3%: 0

6. Trend of NPA in new advances for the last 3 years in Secured Loans & Advances
   Upto 2%: 10
   2% to 5%: 6
   More than 5%: 3

7. Trend of NPA in new advances in Clean/Partially Secured Loans & Advances
   Upto 1%: 10
   1% to 3%: 6
   More than 3%: 3

8. Disbursement of new advances in the available potential areas/sectors/segments taking into account the past experience:
   Well spread over: 6
   Fairly spread over: 4
   Concentrated in particular area/s only: 2

9. Total secured advances
   More than 95%: 8
   Between 90% and 95%: 6
   < 90%: 4

10. Distribution of total secured advances in the available potential areas
   Well spread over: 6
   Fairly spread over: 4
   Concentrated in particular area/s only: 2

11. Satisfactory conduct of big-ticket advances (say > 10% of the total advances in a single account) covering
   > 90% of the total exposure of all big-ticket advances: 10
   Between 60% and 90%: 6
   < 60%: 3

12. Exposure of Forex Business, taking into account coverage of ECGC guarantee in eligible accounts, involving
   > 95% of eligible advances: 6
   Between 90% and 95%: 4
   < 90%: 2

13. Ensuring quality appraisal/review of accounts by way of analysing correctly the financial data/Balance Sheet, CMA data etc. wherever applicable, involving
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

14. Credit rating exercise is carried out in the eligible accounts involving
   More than 95% of the total eligible advances: 10
   Between 90% and 95%: 6
   < 90%: 3

15. Yearly review of accounts involving
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

16. Periodical post-disbursement inspections as per the stipulated intervals in accounts involving
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

17. Customer compliance with terms of sanction is ensured in the accounts involving
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

18. Availability of securities including collaterals in the case of suit filed accounts covering to the extent of
   > 95% of the suit filed amount: 10
   Between 90% and 95%: 6
   < 90%: 3

19. Identification and restructuring of accounts before becoming NPA in eligible cases involving
   More than 95% of the eligible advances: 6
   Between 80% and 95%: 4
   < 80%: 2

20. Correct asset classification including watch list a/cs. is carried out in the eligible accounts involving
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

21. NPA level in absolute terms as compared to the position as at the last audit
   Decreasing: 6
   Stagnant: 4
   Increasing: 2

22. NPA concentration is
   Well spread over in various sectors/segments/activities: 6
   Fairly spread over in various sectors/segments/activities: 4
   Concentrated in one or two sectors/segments/activities: 2

23. Quantum of NPA level to the total advances
   < 1%: 10
   Between 1% and 3%: 6
   > 3%: 3

24. Available security level of NPA covering
   > 95% of the total NPA advances: 10
   Between 90% and 95%: 6
   < 90%: 3

25. Adequacy of provision for NPAs
   Correctly provided: 6
   Excess-provided: 4
   Under-provided: 2

26. Periodical inspection of securities in NPA accounts involving amount of
   > 95% of total NPA advances: 10
   Between 90% and 95%: 6
   < 90%: 3

27. Insurance level of securities including collaterals in NPA accounts involving amount of
   > 95% of eligible NPA advances: 10
   Between 90% and 95%: 6
   < 90%: 3

28. Cash recovery (by way of compromise, OTS, invocation of SARFAESI Act, RRC Act etc.)
   > 75% of the budgeted level: 10
   Between 50% and 75%: 6
   < 50%: 3

29. Upgradation of NPA accounts involving
   > 75% of the budgeted level: 6
   Between 50% and 75%: 4
   < 50%: 2

30. Age of the decrees obtained pending for execution
   < 2 years: 6
   Between 2 and 5 years: 4
   5 years and above: 2

31. Availability of security coverage including the stipulated margin to Letters of Credit
   > 95% of the sanction/outstanding amount: 6
   Between 75% and 95%: 4
   < 75%: 2

32. Devolvement of Letters of Credit (during the period covered under audit) amounting to
   < 5% of the total amount of L/Cs issued during the period covered under audit: 6
   Between 5% and 10%: 4
   > 10%: 2

33. Availability of security coverage including the stipulated margin to Guarantees Issued
   > 95% of the sanction/outstanding amount: 6
   Between 75% and 95%: 4
   < 75%: 2

34. Invocation of Guarantees Issued (during the period covered under audit) amounting to
   < 5% of the total amount of Guarantees issued during the period covered under audit: 6
   Between 5% and 10%: 4
   > 10%: 2

35. Pendency of reversal of liabilities of expired guarantees/LCs etc. involving amount of
   < 2% of the total L/Cs/Guarantees issued outstanding: 6
   Between 2% and 5%: 4
   > 5%: 2

36. Recovery of the amount of claim paid on devolved L/C, invoked Guarantee etc. from the borrower/customer within 7 days involving
   > 95% of the total claim settled: 10
   Between 90% and 95%: 6
   < 90%: 3

37. Crystallization of other contingent liabilities like Acceptances, endorsements, forward exchange contracts etc. (other than L/C, Guarantees) to the extent of
   < 2% of the total of such other liabilities: 6
   Between 2% and 5%: 4
   > 5%: 2

II. EARNINGS RISK (maximum marks: 40)

1. Trend of Net Interest Margin (Interest Received – Interest Paid)
   > 2.5%: 4
   Between 0% to 2.5%: 2
   Negative: 0

2. Non-Interest Income
   Equal to or > non-interest expenditure: 3
   < non-interest expenditure to the extent of 10%: 2
   < non-interest expenditure to the extent of > 10%: 1

3. Trend of write-off (to the level of NPA as on last year)
   < 1%: 4
   Between 1% and 3%: 2
   > 3%: 0

4. Recovery in written-off accounts
   > 15% of the written-off amount outstanding: 4
   Upto 15% of the written-off amount outstanding: 2
   No recovery: 0

5. Controllable expenses
   Not increasing or increasing in proportion to the business requirements: 4
   Moderately increasing, more than in proportion to the business requirements: 2
   Exorbitantly increasing: 0

6. Revenue Leakage Detected
   No Revenue Leakage detected: 4
   Upto Rs.10,000/- in Large & above Branches; Upto Rs.5,000/- in Small & Medium Branches: 2
   > Rs.10,000/- in Large & above Branches; > Rs.5,000/- in Small & Medium Branches: 0

7. Recovery of Revenue Leakage detected
   Recovered > 90% of the amount detected: 4
   Recovered between 50% and 90% of the amount detected: 2
   No recovery effected or recovery effected only upto 50% of the amount detected: 1

8. Repetitive nature of revenue leakage happening in the same accounts
   Nothing noticed: 2
   Noticed in the current audit and in the last audit: 1
   Noticed in the current audit and also in the last 2 audits: 0

9. Recovery of UCI/URI
   Recovered > 90% of the outstanding amount: 4
   Recovered between 50% and 90% of the outstanding amount: 2
   Recovered upto 10% of the outstanding amount or Nil recovery: 1

10. Achievement of operating profit budget
   Achieved: 4
   Achievement falling short by < 10%: 2
   Achievement falling short by > 10%: 1

11. Trend of profit per employee compared with the position of the last half-year
   Increasing: 3
   Stagnant/Decreasing very nominally due to change of staff strength: 2
   Decreasing significantly: 0

III. BUSINESS STRATEGY & ENVIRONMENT RISK (maximum marks: 40)

1. Exploitation/usage of geographical/locational advantage for growth of business
   Maximum: 4
   Moderate: 2
   Insignificant/Nil: 1

2. Availability of business potentials other than the poverty alleviation schemes such as SHG, PMRY, MPBCDC, THADCO etc. in the area of operation of the branch
   Plenty: 4
   A limited extent: 2
   No potentials: 0

3. Major economic activity of the centre and the trend of the share of the branch business to this sector
   Increasing: 4
   Stagnant: 2
   Decreasing: 0

4. Knowledge of the branch officials about the bank's products vis-à-vis market condition as regards available potentials
   Fully aware: 4
   Partially aware: 2
   Not aware: 0

5. Knowledge of SWOT analysis for the branch as well as for the competitors
   Full knowledge: 4
   Some knowledge: 2
   No knowledge: 0

6. Rating of customer service
   Excellent: 4
   Satisfactory: 2
   Poor: 0

7. Achievement of Deposits and Advances at the Budgeted level
   Fully achieved or achieved more than 90% of the Budgeted level in all the above areas segment-wise: 6
   Achieved between 50% and 90%: 4
   Achieved < 50% or not achieved in any or all the areas: 2

8. Business growth observed is due to
   Vigorous canvassing done by initiating suitable strategy: 4
   Dependence on Walk-in Business only: 2
   No growth: 0

9. Formation of suitable business strategy taking into confidence
   The entire staff members: 2
   Only selected staff members: 1
   No strategy is formed: 0

10. Adequacy and compatibility of IT systems with business needs including availability of facilities like MBB, ATM, Telebanking, Internet banking etc. wherever applicable
   Commensurate with the business available in all potential areas: 4
   Adequate only for carrying out certain types of business whereas potentials are available for many other businesses: 2
   Inadequate for any business: 0

IV. OPERATIONAL RISK (maximum marks: 120)

1. Positioning of staff in key areas (allocation of duties) as per their competency
   Good: 4
   Satisfactory: 2
   Poor: 0

2. Periodical rotation of staff (wherever possible)
   As per the stipulated interval: 4
   Rotation takes place but not in the stipulated interval: 2
   No rotation has taken place for the last 3 years: 0

3. Imparting suitable training/guidance to staff for acquiring updated knowledge in the day-to-day functioning under the computerised environment from the risk perspective
   All the staff members are properly trained in the day-to-day functioning from the risk perspective: 4
   Only supervisory staff are trained: 2
   No staff member is imparted suitable training: 0

4. Frequency of execution errors in transactions such as wrong posting of vouchers, non-effecting of remittances though value already received, settlement errors like overlooking value date/correct exchange rate etc.
   Nothing noticed: 4
   Noticed on a very few occasions: 2
   Noticed on many occasions: 0

5. Access to server room/UPS room etc.
   Strictly restricted always: 4
   Not restricted sometimes: 2
   No restriction; free access to all: 0

6. Off-site storage of back-ups (in the case of CIBEX branches)
   Always: 4
   Sometimes: 2
   Never: 0

7. Maintenance of records for allotment of user level code, control over changing of user level as per the requirement
   Strictly implemented: 4
   Sometimes: 2
   Never: 0

8. Awareness/monitoring of lapses in workflow/lapses leading to operational problems (like keeping cheque books on counters, not logging out of the computer system when not in use or when the operator leaves the terminal etc.)
   Nothing noticed: 4
   Very rarely noticed: 2
   Lapses noticed on many occasions: 0

9. Awareness of Disaster Recovery Plan/Business Continuity Plan
   All the staff members are aware: 4
   Only a few members are aware: 2
   No one is aware: 0

10. Frequency of systems failure, programming errors etc.
   Never occurred: 4
   Sometimes occurred: 2
   Very frequently occurred: 0

11. Processing of requests of customers in the areas of deposits, advances and other misc. services
   Strictly processed and carried out as per the customers' request: 4
   Some deviations have taken place but rectified at the earliest possible time: 2
   Gross violation: 0

12. Adherence to manual of instructions/guidelines/circulars etc. with regard to operational matters in the day-to-day functioning of the branch such as obtention of proper application, preparing necessary memorandum/proposal etc.
   Strict adherence at all times: 4
   Minor deviations noticed but branch has not incurred any loss in this regard: 2
   Gross violation: 0

13. Frequency of violation of operational controls (like exceeding limits, allowing concessions/waiver of charges without proper justification)
   Nothing observed: 4
   Noticed on a very few occasions: 2
   Noticed on many occasions: 0

14. Defect-free documentation including creation of mortgage/registration of charges in the accounts involving
   More than 95% of the disbursement/sanction amount: 6
   Between 90% and 95%: 4
   < 90%: 2

15. Serious irregularities noticed in the execution of security documents covering
   < 5% of the total advances: 6
   Between 5% and 10%: 4
   > 10%: 2

16. Enforceability of security documents including mortgages in NPA accounts involving amount of
   > 95% of total outstanding NPAs: 6
   Between 90% and 95%: 4
   < 90%: 2

17. Enforceability of documentation including mortgages and registration of charges covering
   > 95% of the total advances: 6
   Between 90% and 95%: 4
   < 90%: 2

18. Renewal documents not obtained in stipulated time covering
   < 5% of the total advances: 6
   Between 5% and 10%: 4
   > 10%: 2

19. Availability of insurance coverage of securities including the collaterals in the eligible accounts as per the terms of sanction involving
   More than 95% of the disbursement/sanction amount: 6
   Between 90% and 95%: 4
   < 90%: 2

20. Conduct of CPA-1 & CPA-2 and closure thereof in eligible accounts
   Conducted and closed in all eligible accounts: 6
   Not conducted and closed in a few accounts but the accounts are regular: 3
   Not conducted in any eligible account: 0

21. Vetting of documents in eligible accounts
   Vetted in all eligible accounts: 4
   Not vetted in a few accounts but the accounts are regular: 2
   Not vetted in any eligible account: 0

22. Any suit/s filed against the branch by customers, counterparties or third party service providers
   No suit is filed: 4
   Suit/s filed against the branch but settled without any loss or very nominal loss to the branch: 2
   Suit/s pending against the branch or suit/s settled with a substantial loss to the branch: 0

23. Customer perception of the branch, quality of customer service, quick redressal of customer complaints
   Good: 6
   Satisfactory: 4
   Unsatisfactory: 2

24. Inherent threat for the branch being situated in an earthquake prone, riot prone, naxalite/terrorist infested, communal violence or flood prone area
   Not applicable: 4
   Rarely: 2
   Frequently: 0

25. In the case of any or more of the above threats being applicable, the contingency plan for tackling the same is
   Prepared and all the staff members are aware of the same: 4
   Available in records; but some or most of the staff members are not aware of the same: 2
   Not at all prepared: 0

26. Execution/renewal of lease deed of the branch premises
   Executed/renewed and valid: 4
   Expired recently and matter taken up for extension: 2
   Not at all executed/renewed for a long time: 0

B. CONTROL RISK (maximum marks: 250)

I. INTERNAL CONTROL RISK (maximum marks: 150)

1. Exceeding of delegated authority whether in original sanction and/or allowing TOD/TOL
   Never: 6
   A very few occasions: 3
   Very often: 0

2. Reporting of TOL/TOD sanctioned beyond authority to the concerned controlling authority for ratification/approval
   Always reported: 6
   Reported on very few occasions: 3
   Never reported: 0

3. Reporting of advances sanctioned within the authority to the controlling authority with a copy of the sanctioned proposals (of > Rs.2 lakh)
   Reported every month: 4
   Reported only for a few months: 2
   Never reported: 0

4. Monthly reporting of TOL/TOD sanctioned within the authority
   Always reported: 4
   Reported on very few occasions: 2
   Never reported: 0

5. Periodical balancing of books/ledgers which are not computerised
   All the books/ledgers are being balanced periodically: 4
   Balancing is done only in few areas/only on few occasions: 2
   All the books/ledgers are not being balanced for a very long time: 0

6. Follow-up for outstanding Drafts, DPWA, OBC/IBC/BP/BD/Cheque Purchase/Collection entries including foreign currency items, India Card payments, pension payments etc.
   Constant and effective follow-up is carried out on an ongoing basis: 4
   Lopsided follow-up is done: 2
   Very rare follow-up/No follow-up is done: 1

7. Periodical reconciliation/balancing of entries in Suspense Accounts (Dr.), Sundry Deposits and Sundry Credits accounts
   Carried out periodically and nothing pending: 4
   Carried out only on few occasions and only the report received recently is pending: 2
   Not carried out periodically and entries outstanding for more than 6 months (except the allowable entries): 1

8. Follow-up for entries in Suspense Accounts (Dr.), Sundry Deposits and Sundry Credits which are outstanding for more than the reasonable time limit
   Effective follow-up is being done and entries are cleared within a reasonable time: 6
   Insufficient follow-up and entries are not cleared/cleared after a considerable delay: 3
   No follow-up: 0

9. Pendency of Inter-Branch/Inter-Bank, Nostro/Vostro Accounts reconciliation report
   No report/s pending: 4
   Report/s pending for less than one month: 2
   Report/s pending for more than one month: 0

10. Dual custody of cash and periodical surprise check of cash
   Always: 6
   Not found on one or two occasions: 3
   Never found: 0

11. Holding average cash (for the period covered under audit)
   Always within the retention limit: 6
   Exceeds the retention limit sometimes: 3
   Always more than the retention limit: 0

12. Clearance of entries pertaining to cash withdrawal/cash lodgement from another branch and/or currency chest and/or other bank
   Cleared on the same day or the next day depending upon the location: 6
   Pending for more than one day but less than one week: 3
   Pending for more than one week: 0

13. Maintenance of pass books for cash key holding and cash movement within the branch
   Strictly maintained: 4
   Not maintained on one or two occasions but no damage done: 2
   Never maintained: 0

14. Dual control and periodical balancing of jewel/gold packets, maintenance of proper records for movement of jewel packets
   Always adhered to: 6
   Mostly adhered to, but no damage done so far: 3
   Never adhered to: 0

15. Control over safe custody accounts, safe deposit lockers and other miscellaneous services including proper records maintenance of India Cards, ATM Cards etc. received from HO, safe keeping of Cards, destruction of long pending cards as per the extant guidelines
   Good: 4
   Just satisfactory: 2
   Poor: 0

16. Scrutiny of stock of sensitive stationery items immediately on receipt of the same and entering into the stock register and also acknowledging the receipt promptly with notification of discrepancies observed, if any
   Strictly carried out immediately on receipt: 6
   Carried out with a little delay, say one week: 3
   Pending for a long time: 0

17. Dual custody of sensitive stationery items
   Always maintained: 6
   Kept under single custody only: 3
   No custody available: 0

18. Maintenance of updated movement register for sensitive stationery items in the prescribed form whenever such items are put to use and also maintenance of movement register for other security documents
   Strictly maintained whenever used: 4
   Maintained not in the prescribed form or maintained only on few occasions: 2
   Not maintained at all: 0

19. Maintenance of Branch Documents Register with updated information
   Maintained with updated information: 2
   Maintained but not updated: 1
   Not maintained: 0

20. Safe keeping of Test Keys wherever provided, Manuals, FEDAI Rules Book, Exchange Control Manuals, Specimen Signature Book, Oral Assent Attendance Register, Oral Assent Register etc.
   All are kept under dual control: 4
   Only a few are kept safely: 2
   Nothing is kept safely: 0

21. Carrying out periodical Test Checks effectively and reporting the findings to the controlling authorities and maintenance of record thereof
   Regularly carried out as per the extant guidelines: 4
   Carried out but not at the stipulated intervals: 2
   Not carried out for a very long time, say > 1 year: 0

22. Maintenance of updated staff records inclusive of attendance, leave record, LFC payments, salary payments etc.
   No discrepancy noticed: 6
   One or two minor discrepancies noticed: 3
   More discrepancies (minor and major) noticed: 0

23. Payment of rent, other taxes and other charges and maintaining proper receipts for the same
   Paid on due dates promptly: 4
   Paid with a little delay with some minor fine: 2
   Not paid or paid with considerable delay: 0

24. Numbering and maintenance of proper records for furniture & fixtures including dead stock and furniture provided at the residence of the branch officials; periodical physical checking and maintenance of record therefor; disposal of unserviceable items
   Strictly done and no deviation noticed: 4
   Some minor deviation/s noticed: 2
   Gross deviations noticed or not at all carried out: 0

25. Control over AMC including refilling of fire extinguishers
   Periodically renewed strictly: 4
   Renewed but with some delay: 2
   Pending for a long time, say > 6 months: 0

26. Control over old records/vouchers/files/ledgers/registers etc.
   Very good: 4
   Satisfactory: 2
   Unsatisfactory: 0

27. Security aspects of cash movement within the branch, while effecting cash remittance/withdrawal to/from currency chest/other branch/bank as per the extant guidelines
   Strictly adhered to always: 4
   Deviation/s noticed on one or two occasions: 2
   Gross violation noticed: 0

28. Control over branch security like presence of armed guard (positioned at proper place) wherever applicable with gun, chaining the main collapsible gate in such a way that only one person at a time can pass through, fixing of Time-Lock wherever applicable
   Strictly exercised: 4
   Violation on one or two occasions noticed: 2
   Gross violation noticed: 0

29. Safe custody of gun, obtention/renewal of gun licence; maintenance of register for gun cartridges purchased/fired during the training given to the armed guard; periodical training of armed guard wherever posted
   Strictly carried out as per the extant guidelines: 4
   Deviation on one or two occasions noticed, but no harm done: 2
   Gross violation noticed: 0

30. Obtention of proper introduction and verification of the introducer's signature at the time of opening deposit accounts
   Obtained always properly: 4
   Not obtained in a few accounts: 2
   Not obtained in many accounts: 0

31. Obtention of photographs, proof of address etc. of the depositors/borrowers/guarantors
   Strictly obtained in all the accounts: 4
   Not obtained in some accounts: 2
   Not obtained in many accounts: 0

32. Authentication/approval of account opening forms by authorised official along with signature code number and also monitoring transactions in newly opened accounts, particularly huge transactions
   Always obtained and monitored: 4
   Not obtained in a few accounts and inadequate monitoring: 2
   Not obtained in many accounts and no monitoring: 0

33. Perpetration of frauds including computer related frauds
   No fraud has occurred in the branch so far: 4
   Detected in the past and matter settled without any loss or with minimum loss to the bank, or matter is still pending for settlement: 2
   Detected pertaining to the period covered under audit: 0

II. COMPLIANCE RISK (maximum marks: 100)

1. Adherence to IRAC norms
   Strictly adhered to: 6
   Some minor deviation/s noticed: 3
   Gross violation: 0

2. Compliance with the priority sector requirements (with regard to achieving the targets given in this regard)
   Requirement fulfilled as budgeted: 4
   Falling a little short of requirement: 2
   Wide variation noticed: 0

3. Submission of control returns (BPR, CCIS, CA-23, ALM statement, TOD/TOL statement, R-Returns, BHP, BEF/XOS Returns, IBS, NRD-CSR, Sales and Purchases of Foreign Currency, BDS etc.) in time after ensuring accuracy
   All the statements are submitted in time with accuracy: 4
   Only a few statements are submitted in time and/or some minor discrepancies noticed: 2
   Delayed submission of statements or non-submission and/or more discrepancies noticed: 0

4. Adherence to guidelines while issuing TTs/DDs/MTs/Pay orders etc. (issue of DD/MT/TT etc. for Rs.50,000/- and more against cheque payment only and not accepting cash; obtention of PAN/GIR No. etc. in the case of issue of DD/TT/MT etc. > Rs.20,000/- on acceptance of cash and for > Rs.50,000/- against cheque); non-payment of proceeds of TDR by way of cash if the amount payable is Rs.20,000/- and obtention of appropriate declaration for payment below Rs.20,000/- in cash.
   Strict adherence always: 6
   Deviation on a few occasions: 3
   Deviation on most of the occasions: 0

5. Reporting of cash transactions of Rs.10 lakh and above to the controlling authorities
   Reported strictly as per the stipulated periodicity: 6
   Reported but not strictly as per the stipulated periodicity: 3
   Not reported in toto for more than 3 months: 0

6. Obtention of Form No.60/61 in all deposit accounts, obtention of Form A1, A2 etc. in forex transactions
   Strict adherence always: 4
   Deviation on a few occasions: 2
   Deviation on most of the occasions: 0

7. Adherence to RBI's clean currency policy (sorting of issuables and non-issuables, non-stapling of currency section/bundle, exchange of soiled notes tendered by the customers etc.)
   Strictly adhered to: 6
   Adhered to but some minor variation/s observed: 3
   Not adhered to: 0

8. Issue of numbered and signed receipt in the case of detection of forged/fake currency note/s and reporting thereof to the concerned official/s
   Strictly enforced: 4
   Enforced with some deviation: 2
   Not implemented: 0

9. Conducting periodical customer meeting and sending the minutes to the controlling authorities
   Periodical meetings conducted and minutes sent to the controlling authorities: 6
   Meetings conducted but not as per the periodicity and minutes sent to the controlling authorities: 3
   Meeting not conducted for a very long time and/or minutes not sent to the controlling authorities: 1

10. Conduct of periodical customer service audit by the authorised official of the branch
   Conducted as per the periodicity and report sent to the controlling authorities: 4
   Conducted but not as per the periodicity and reports are sent to the controlling authorities: 2
   Not conducted for a very long time and/or reports are not sent to the controlling authorities: 1

Sr.No.

Parameters for awarding marks Maximum marks allowed

Marks awarded

11. Display of the important exhibits as instructed by HO (such as time-schedule for various services, notice prohibiting entry of fire arms, important addresses and telephone numbers, branch name board as per the specification, provision of ‘May I Help You Counter/Grahak Bandhu Desk’ in applicable areas and other exhibits advised from time to time)
   All the required exhibits are displayed: 4
   A few exhibits are not displayed: 2
   Majority of the exhibits are not displayed: 1

12. Deduction of Income-Tax, Fringe Benefit Tax, Professional tax etc. as stipulated (i.e. pro-rata on monthly basis from the salary paid to the staff; deduction at the prescribed rate from interest accrued/paid on TDR as per the prevailing Income-Tax Act)
   Strictly enforced: 4
   Some minor deviation/s noticed, but no loss/penalty incurred: 2
   Gross deviations noticed: 0

13. Obtention of Form No.15 G/H in eligible accounts and submission of the copy of the same to the concerned ITO
   Obtained in all eligible accounts and copies sent to the concerned ITO: 4
   Obtained in all eligible accounts and copies not sent to the concerned ITO: 2
   Obtained only in a few eligible accounts and copies not sent to ITO, or not obtained in any eligible accounts: 1

14. Remittance of TDS to the credit of Govt. account
   Effected within 7 days from the date of deduction: 6
   Effected with a little delay on a few occasions: 3
   Effected after considerable delay: 0

15. Remittance of service-tax (after netting), BCT Tax, Professional Tax, Tax under Shops & Establishment Act, Property Tax and other applicable taxes/charges within the stipulated time to the concerned authorities
   Always remitted within the stipulated time: 4
   Remitted with delay on a few occasions, but no penalty levied: 2
   Always remitted with considerable delay: 0


16. Issue of TDS
   Issued suo motu to all the concerned persons from whose accounts tax is deducted and record is maintained in this connection: 4
   Issued only on demand to the concerned persons: 2
   Not issued to any person other than the staff: 0

17. Submission of Annual Return (Form No.24, 26 etc.)
   Submitted within the stipulated time meticulously: 4
   Submitted with a little delay (say a week or so): 2
   Submitted with considerable delay or not submitted: 1

18. Compliance with requirements under Official Language Act, Right To Information Act
   Strictly enforced: 4
   Lopsided implementation: 2
   Gross violation: 0

19. Compliance with FEMA provisions
   Strictly adhered to: 4
   Adherence with some minor deviation: 2
   Adherence with major deviations or non-adherence: 1

20. Obtention/periodical renewal of License under Shops & Establishment Act wherever applicable
   License under S&E Act obtained/renewed periodically: 4
   License overdue for renewal: 1
   License not at all obtained: 0

21. Compliance of audit reports
   Complied with conclusively and effectively in time without any exception: 4
   Complied with a few exceptions for which follow-up is not adequate: 2
   Not complied with/compliance is not conclusive in toto: 1

22. Compliance with MAP suggested in the previous RBIA report and/or the periodically updated profiles
   Conclusive compliance of all points: 4
   Complied only a few points: 2
   Not complied with any point: 0

RISK BASED INTERNAL AUDIT RATING SHEET

Sr No | Category of Risk | Maximum Marks Allowed | Marks Awarded | Percentage | Risk Rating Level/Trend

A. BUSINESS RISK: 500
   1. Credit Risk: 300
   2. Earnings Risk: 40
   3. Business Strategy Risk: 40
   4. Operational Risk: 120
B. CONTROL RISK: 250
   1. Internal Control Risk: 150
   2. Compliance Risk: 100
C. COMPOSITE RISK*

* The composite risk will be arrived at with the help of the following risk matrix.

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High
High                   | A: High Risk      | B: Very High Risk    | C: Extremely High Risk
Medium                 | D: Medium Risk    | E: High Risk         | F: Very High Risk
Low                    | G: Low Risk       | H: Medium Risk       | I: High Risk

BASIS FOR RISK ASSESSMENT

Risk   | Percentage of Marks awarded
Low    | Over 75
Medium | 50 – 75
High   | Below 50

The trend analysis of the composite risk is interpreted as shown below (rows: trend of Inherent Business Risk; columns: trend of Control Risk):

Inherent Business Risk | Control Risk: Decreasing | Control Risk: Stable | Control Risk: Increasing
Increasing             | Increasing               | Increasing           | Increasing
Stable                 | Stable                   | Increasing           | Increasing
Decreasing             | Decreasing               | Stable               | Increasing

Variation of marks in the same category upto +5% or –5% is considered as STABLE. Variation of marks in the same category of more than +5% or –5% is considered as DECREASING/INCREASING as the case may be.
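The rating mechanism set out above (category maxima from the rating sheet, the Low/Medium/High thresholds from the basis for risk assessment, the A–I risk matrix and the trend table) can be checked mechanically. The following Python is an added worked example; it is not part of this policy nor of any system of the Bank. The matrices are copied as they appear in the two tables above. Two points the policy leaves implicit are treated as assumptions here: the ±5% variation is measured in percentage points of the category percentage, and, since more marks means less risk, a rise of more than 5 points is read as DECREASING risk and a fall as INCREASING. The sample marks at the bottom are constructed.

```python
# Added example: rating sheet, risk matrix and trend rule of the RBIA policy.
# Not the Bank's code; constants are taken from the policy tables above.

MAX_MARKS = {"business": 500, "control": 250}   # from the rating sheet (rows A and B)

# Risk matrix, cells A to I: (business level, control level) -> composite rating.
RISK_MATRIX = {
    ("High", "Low"): "High Risk",              # A
    ("High", "Medium"): "Very High Risk",      # B
    ("High", "High"): "Extremely High Risk",   # C
    ("Medium", "Low"): "Medium Risk",          # D
    ("Medium", "Medium"): "High Risk",         # E
    ("Medium", "High"): "Very High Risk",      # F
    ("Low", "Low"): "Low Risk",                # G
    ("Low", "Medium"): "Medium Risk",          # H
    ("Low", "High"): "High Risk",              # I
}

# Trend table reproduced as printed: (business trend, control trend) -> composite trend.
TREND_MATRIX = {
    ("Increasing", "Decreasing"): "Increasing",
    ("Increasing", "Stable"): "Increasing",
    ("Increasing", "Increasing"): "Increasing",
    ("Stable", "Decreasing"): "Stable",
    ("Stable", "Stable"): "Increasing",
    ("Stable", "Increasing"): "Increasing",
    ("Decreasing", "Decreasing"): "Decreasing",
    ("Decreasing", "Stable"): "Stable",
    ("Decreasing", "Increasing"): "Increasing",
}


def percentage(marks: int, max_marks: int) -> float:
    """Marks awarded as a percentage of the maximum allowed for the category."""
    if not 0 <= marks <= max_marks:
        raise ValueError(f"marks {marks} outside 0..{max_marks}")
    return 100.0 * marks / max_marks


def level(pct: float) -> str:
    """BASIS FOR RISK ASSESSMENT: over 75 is Low, 50-75 is Medium, below 50 is High.
    Exactly 75 and exactly 50 both fall in Medium."""
    if pct > 75:
        return "Low"
    if pct >= 50:
        return "Medium"
    return "High"


def composite_level(business_marks: int, control_marks: int) -> str:
    """Row C of the rating sheet: look the two category levels up in the risk matrix."""
    b = level(percentage(business_marks, MAX_MARKS["business"]))
    c = level(percentage(control_marks, MAX_MARKS["control"]))
    return RISK_MATRIX[(b, c)]


def trend(previous_pct: float, current_pct: float) -> str:
    """Direction of risk for one category (assumption: variation measured in
    percentage points; a fall in marks of more than 5 points is Increasing risk,
    a rise of more than 5 points is Decreasing risk, anything within +/-5 is Stable)."""
    delta = current_pct - previous_pct
    if abs(delta) <= 5:
        return "Stable"
    return "Decreasing" if delta > 0 else "Increasing"


def rate_branch(previous: dict, current: dict) -> dict:
    """Fill rows A, B and C (level and trend) from the marks awarded in the previous
    and the current audit, each given as {"business": int, "control": int}."""
    out = {}
    for cat in ("business", "control"):
        prev_pct = percentage(previous[cat], MAX_MARKS[cat])
        cur_pct = percentage(current[cat], MAX_MARKS[cat])
        out[cat] = {
            "pct": round(cur_pct, 1),
            "level": level(cur_pct),
            "trend": trend(prev_pct, cur_pct),
        }
    out["composite"] = {
        "level": RISK_MATRIX[(out["business"]["level"], out["control"]["level"])],
        "trend": TREND_MATRIX[(out["business"]["trend"], out["control"]["trend"])],
    }
    return out


# Constructed sample marks for two successive audits of one branch (not real data).
SAMPLE_PREVIOUS = {"business": 400, "control": 190}
SAMPLE_CURRENT = {"business": 380, "control": 150}

if __name__ == "__main__":
    import json
    print(json.dumps(rate_branch(SAMPLE_PREVIOUS, SAMPLE_CURRENT), indent=2))
```

With the sample figures the branch scores 76% on business risk (Low, within 5 points of the previous 80%, so Stable) and 60% on control risk (Medium, down 16 points from 76%, so Increasing); the matrix gives cell H, Medium Risk, with an Increasing composite trend. The boundary values in `level` are worth noting when the sheet is filled by hand: 75% exactly is Medium, not Low.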

The above risk rating is approved. (Signature of the Zonal Audit Chief)

Annexure-I

Broad parameters for issue of Special Letters/Special Observation Reports

A. Advances:

1. Advances granted to apparently fictitious borrowers.
2. Double financing against same securities.
3. Sanctioning/granting borrowing and/or non-borrowing facilities without obtaining credit report/despite adverse credit report from previous bankers.
4. Disbursement of credit facilities without preparation of proposals/before complying with the terms of sanction without reporting to the Controlling Authority.
5. Injudicious use of delegated authority or lending (including overlimit/temporary overdrafts) in excess of delegated authority without reporting to Controlling Authority.
6. Continuation of overlimits/temporary overdrafts despite the accounts being sticky, even at the time of audit, although such borrowers are not adhering to minimum financial discipline (i.e. they are not submitting stock/book-debt statement, Balance Sheet, Profit & Loss Accounts, QIS, MSOD etc.).
7. Non-creation of security/non-obtention of title deeds; delivery of title deeds (lodged by way of simple deposits/equitable mortgage) without proper approval; non-registration of charge/not noting bank’s lien on assets with the concerned authorities within a reasonable period/prescribed time-frame.
8. Non-obtention of important security documents in large number of accounts/for large amounts; keeping documents incomplete; documents found defective; non-obtention of renewal documents within stipulated/limitation period and letting the documents get time-barred.
9. Weak monitoring and control over advances accounts resulting in large-scale diversion of funds, increase in NPAs, loss of revenue etc.
10. Steep increase in lending to any particular category/group of borrowers/indiscriminate lending despite laxity in control on advances.
11. Sudden depletion in value of securities in advances accounts noticed during inspection conducted by auditors/branch officers during the course of audit/loss of security.
12. Issue of Clean Letters of Credit against sanction on DP/DA terms; issue of guarantees without limitation clause in the absence of approval by competent authority.
13. Misappropriation of funds/diversion of funds/suspected fraud.
14. ‘Kite flying’ operations in a group of accounts at the same branch or linked to a number of branches/other Banks.
15. Purchase or discount of ‘house bills’ without appropriate sanction/bills from customers with whom past experience was unsatisfactory.
16. Returned bills which remain overdue for a long time/not found in the custody of the branch though the advance remains outstanding.
17. Acceptance of Lorry Receipts of transport operators who are not in the approved list without permission of/reporting to competent authority.
18. Purchase or discount of ‘clean bills’ under sanction of ‘DP/DA’ bills limit.
19. Non-transfer of large number/amount of overdue bills to ‘G/L a/c. Past Due Bills’.
20. Securities (paper securities such as TDR, NSCs, KVPs, LIC Policies etc.) and/or security documents missing/non-traceable.

B. OTHER AREAS:

1. Gross violation of Govt./RBI/FEMA guidelines/regulations.
2. Shortage of cash.
3. Securities missing in safe custody accounts.
4. Sensitive stationery items viz. CAN pads/demand draft/cheque/TDR books/leave(s) etc. missing from custody.
5. Staff: Unusual transactions in staff accounts; misrepresentation/misuse of facilities (including India Card facility).
6. Non-reconciliation of Net Clear, Clearing Difference Adjustments Account, Nostro Account, Account with SBI/RBI/Other Bank(s) for period exceeding six months.
7. Violation of security norms for computer assets i.e. hardware, software, data etc.
8. Non-adherence to extant guidelines in the case of safe deposit vault lockers which are not operated for a very long time and also rent is overdue for quite a long time.

Note: The above list is only illustrative and not exhaustive. The Auditor may write a Special Letter/Special Observation Report on any irregularity/malpractice which is grave enough and warrants writing of such SL/SOR to protect the Bank’s interest. However, before writing a SL/SOR, it should be checked that the irregularity proposed to be covered in the SL/SOR had not been reported to the Controlling Office earlier by the branch itself even before the audit. In cases where such reporting has been made by the branch but no action was initiated/no confirmation was accorded by the controlling authority, an SL/SOR may be sent to Zonal Authorities.

Annexure-IRR(a)

Name of the Account: ------------------------------
Estd. on: ----------------   Advance since: ----------------   Credit Rating: ----------------
Group: ------------------------------
Name of the Main Person: ------------------------------
Nature of Activity: ------------------------------
Consortium Leader: ----------------   Our Share: ------%
Other Members: ----------------   Share: -------%
               ----------------   Share: -------%
               ----------------   Share: -------%
Last Annual Consortium Meeting held on: ----------------
Last Quarterly Review Meeting held on: ----------------
Periodicity for Statement of Security: ----------------   Last submitted on: ----------------
Periodicity for Inspection: ----------------
Last inspected by the branch on: ----------------   by Consortium Member on: ----------------
Joint Inspection on: ----------------   Stock Audit Report dated: ----------------
Nature of Collateral Security (in brief): ------------------------------
Value: (Rs. in lakh) ------------- as on ---------------- as per valuation report dt. -------------
Equitable/Legal Mortgage created on: ----------------   Insurance of collateral security valid upto: ----------------

Types of Facility:

Sl.No | Type of Facility | Limit Sanctioned (Rs. in lakh) | Amt. O/s as on --------- (Rs. in lakh) | Authority & Date of Sanction/Review | Nature of Primary Security & Value (Rs. in lakh) | Last Renewal Document Date | Insurance valid upto

Section A: (Grave and serious irregularities)

Section B: (Other irregularities)

Annexure-IRR(b)

1. Summary of Grave and Serious Irregularities: (Rs. in lakh)

Sl.No. | Type of Irregularity | No. of A/cs. | Outstanding

1. Limits sanctioned without proper application in the prescribed format
2. Limits sanctioned without obtaining credit report/despite adverse credit report from previous bankers
3. Limits disbursed but proposals not prepared
4. Advance sanctioned/disbursed beyond delegated authority and not reported to Controlling Authority
5. Disbursement effected without pre-sanction/pre-disbursement inspection
6. Disbursement effected before compliance of terms of sanction, without the approval of Competent Authority
7. Double financing against the same securities
8. Overlimit business sanctioned beyond delegated authority and not reported to Controlling Authority
9. Security documents not obtained/charge not registered, where applicable, for overlimit for a period of 30 days and above
10. Principal security documents not obtained/not available
11. Renewal documents not obtained within stipulated period
12. Principal security obtained but lien not noted/registered with concerned authorities (NSC/KVP/TDR etc.)
13. Security documents defective as regards stamp duty/execution
14. Security documents unfilled/partly filled in
15. Defective Mortgage
16. Mortgage stipulated as pre-condition but advance disbursed without compliance/without approval of Competent Authority
17. Undertaking to create equitable mortgage obtained as per terms of sanction but mortgage not created though time limit permitted is over
18. Declaration of mortgage not sent to revenue authorities within stipulated period in agricultural advances
19. Charge on vehicle not filed/registered with RTO
20. Charge not filed with Registrar of Companies/Assurances/Other Competent Authorities within stipulated period
21. Lien on flats/shops/Industrial premises in CHS not registered with the Society
22. Collateral Security released/not obtained/separate advance allowed there-against without prior approval of Competent Authority
23. NSC/KVP/Monies under LIC Policy pledged/assigned as security matured/fallen due for payment but proceeds not realised/credited to borrowal account
24. Security not insured/insurance not renewed
25. Security grossly under insured
26. Security grossly inadequate/overvalued
27. Bills accompanied by lorry receipts of unapproved transport companies purchased without proper sanction
28. House bills/cheques purchased without specific provisions in sanction terms/prior approval of Competent Authority
29. Bills returned unpaid remain overdue
30. Returned bills not found in custody of the branch though amount remains outstanding/unpaid
31. Purchase/Discount of clean bills under sanction of DP/DA limits
32. Overdue bills purchased/discounted/negotiated/receivable not transferred to relative G/L A/C-Past Due/not delinked
    a) Inland
    b) Foreign
33. Securities pledged i.e. shares/NSC/KVP/TDR/LIC Policy etc. not traceable
34. Decree expired
35. Decree obtained but petition for execution not filed
36. Gross violation/non-compliance of directives of Govt./RBI
37. Refinance/subsidy/ECGC cover etc. not applied for, though eligible
38. Shares against which advance sanctioned, held in physical form without de-matting
39. Commitment under invoked guarantee not honoured/not reported to Competent Authority/approval not obtained for not honouring
40. Diversion of funds noticed
41. Any other major irregularities (specify) including accounts causing concern

2. Summary of Other Irregularities:

Sl.No. | Type of Irregularity | No. of A/cs. | Outstanding

1. Accounts overdue for review
    a) Limit Rs.1 crore and above
    b) Limit Rs.10 lakh and above but less than Rs.1 crore
    c) Limit of over Rs.2 lakh but less than Rs.10 lakh
    d) Limit of upto and inclusive of Rs.2 lakh
2. Accounts with short review [i.e. not reviewed comprehensively (full-fledged review) based on audited financial statements]
3. Legal action approved but suit not filed even after six months
4. Statement of security not obtained regularly as per periodicity in terms of sanction
5. Statement of security not examined/not scrutinised
6. MSOD/QIS/Cash Flow/Stock/Book Debts statement not obtained regularly/drawings not regulated/not calculated properly on the basis of MSOD/QIS/Cash Flow/Stock/Book Debts statement
7. Inspection not carried out even once in six months
8. Bank’s charge/Name Board not displayed nor waiver for the same obtained from Competent Authority
9. Correct rate of interest not applied/not charged/revision as advised from time to time not effected
10. Lead Bank charges not recovered/recovered incorrectly
11. Processing charges/proportionate processing charges, where applicable, not recovered
12. Documentation charges not recovered
13. Commitment charges, where applicable, not recovered
14. Inspection charges not recovered
15. Valuation of collateral security not reviewed in specific periodicity
16. Stock Audit Report/Credit Audit Report is overdue for closure
17. Where Mortgage is created at other than the sanctioning branch, yearly certificate for holding the title deeds not obtained from the said upcountry branch
18. Out of order accounts not shown under watch category
19. Non-obtention of photographs of borrowers/guarantors
20. Other irregularities (specify)

DRAFT RESOLUTION

Inspection & Audit Department submitted Memorandum No.HO:I&A:KPR:049 dated 15th January, 2007 bringing out revised Risk Based Internal Audit Policy for approval.

The Memorandum was APPROVED

Annexure-A

Name of the ZAO:   Name of the Zone:   Audit Plan for 200 - 0

Progress made in implementation of Risk Based Internal Audit in the current audit year upto the end of ……………….., 20

Category of Branches | No. of Branches subject to RBIA for 200 -0 as per Audit Plan | No. of Branches due for RBIA upto the end of …………… | No. of Branches wherein RBIA is completed upto the end of …………….. | No. of Branches whose Risk Assessment is evaluated as under as at the end of ………….,20

Risk assessment columns as printed: Business Risk: High | Medium | Low; Control Risk: High (each sub-divided into I | S | D)

Rows: Specialised; E.Large; V.Large; Large; Medium; Small; Total

I - Increasing; S - Stable; D - Decreasing
EH - Extremely High; VH - Very High; H – High; M – Medium; L – Low

(Signature of the ZAO Chief)

Annexure-B

Names of the Branches (Zonewise) rated under ‘Very High Risk/Extremely High Risk’ during the current audit year as at the end of ………………………., 20

Name of the ZAO:

Sr. No. | Name of the Branch | Audit Report Date | Name of the Zone | Risk Rating

(Signature of the ZAO Chief)

Annexure-3

RISK PROFILE OF ASSET RECOVERY BRANCH

…………………………….. ZONE   Position as at ……………………   Ref. No.   Date:

TABLE OF CONTENTS

I Background
II Organization and Business Profile of Branch
III Assessment of the Risk Profile
IV Summary Description of Business & Control Risks
V Suggested Monitorable Action Plan for Mitigating Risk

I. BACKGROUND

In the context of having effective RBS in the Bank, the Risk Profile of …………………….. Branch is prepared in line with the Corporate Risk Profile, keeping in mind the various risk factors under Business and Control areas that are observed at the branch level. The underlying objective is to:

a) Categorise the Branches as having composite risk rating low, medium, high, very high and extremely high
b) Identify the direction of risk, namely increasing/stable/decreasing

II. ORGANIZATION & BUSINESS PROFILE OF BRANCH:

Name of the Branch/Date of Opening:
Branch Code No.:
Name of the Zone:
Category: Large/V.Large/E.Large/Specialised
Class: Urban/Metropolitan
Management Organization – Total Staff – Officers:   Special Assistants:   Clerks:   Sub-Staff:
Branch In-charge (Present): Shri/Smt.   From:
Previous Incumbent: Shri/Smt.   From:   To:
Last RBIA conducted: From:   To:
Last RBIA Rating: Business Risk   Control Risk   Composite Risk

BUSINESS PROFILE
(Outstanding Rs. in lakh)

Columns: Year before Last as on 31.03.200 (Budget | Actual) | Last Year as on 31.03.200 (Budget | Actual) | Current Year as on (latest quarter/month) …………….. (Budget | Actual)

Rows:
1. Profit
2. Advances: AFD; OPS; SSI; Wholesale Trade/Business; Medium/Large Industries; Housing Loan (other than priority sector); Star Mortgage Loan; Total Advances
   NPA Classification: Sub-Standard; Doubtful; Loss; Total NPAs

Types of Audits conducted | Period | Ratings awarded during the year: 1. 2. 3.

Information Technology Systems used:

III. ASSESSMENT OF THE RISK PROFILE

A. BUSINESS RISK

1. Credit Risk: Level/Direction:   Previous Assessment:   Present Assessment:

Assessment area | Positive Factors | Negative Factors
NPA Composition & Concentration
Adequacy of provisions
Quality of securities available and their RVS

2. Earnings Risk: Level/Direction:   Previous Assessment:   Present Assessment:

Assessment area | Positive Factors | Negative Factors
Profit – Actual v/s Budget
Interest Income (Unrealised/Uncharged interest)
Non-Interest Income (Written-off account recovery)
Control over expenses (only under controllable items)

3. Operational Risk: Level/Direction:   Previous Assessment:   Present Assessment:

Assessment area | Positive Factors | Negative Factors
Competency of staff, proper training/placement
Documentation including time-barred documents
Litigation/claims against the bank
Preparedness for tackling any unanticipated natural/man-made calamities/events

B. CONTROL RISK

1. Internal Control Risk: Level/Direction:   Previous Assessment:   Present Assessment:

Assessment area | Positive Factors | Negative Factors
Housekeeping (including reconciliation and follow-up for entries in Sundry Credits, Suspense Accounts)
Reconciliation (inter-branch)
Submission of MIS returns/control returns – timeliness/quality
Control over sensitive stationery items, if any provided to the branch
Control over staff records, old records, furniture & fixtures etc.

2. Compliance Risk: Level/Direction:   Previous Assessment:   Present Assessment:

Assessment Area | Positive Factors | Negative Factors
Regulatory: Submission of control returns in time and accurately
Statutory: Deduction of Income-tax and timely remittance; renewal of required licenses; submission of annual returns to statutory authorities etc.
Monitorable Action Plan: Compliance with MAP suggested in the previous RBIA and also compliance with other audit reports.

IV. SUMMARY DESCRIPTION OF BUSINESS & CONTROL RISKS ASSESSED:

Parameters | Level & Trend of risk | Positive Factors | Negative Factors
Business Risk: Credit
Business Risk: Earnings
Business Risk: Operational
Control Risk: Internal Control
Control Risk: Compliance

V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:

Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively
1. Credit Risk:
2. Earnings Risk:
3. Operational Risk:
4. Internal Control Risk:
5. Compliance Risk:

Prepared by: …………………..  (Auditor)          Approved: …..……………………  (Zonal Audit Chief)  ……………………. ZAO.

Annexure-4

RISK BASED INTERNAL AUDIT REPORT

Name of the Branch: …………… ASSET RECOVERY BRANCH   Zone:
Opened on:   Branch Code No:
Category: Large/V.Large/E.Large/Specialised
Class: Semi-Urban/Urban/Metropolitan
Business Hours – Week Days:   Holiday on:
Branch under Concurrent Audit: YES/NO

                               Previous            Present
Branch In-Charge               ----------------    ----------------
  From                         ----------------    ----------------
  To                           ----------------    ----------------
Date of commencement of Audit  ----------------    ----------------
Date of conclusion             ----------------    ----------------
Mandays                        ----------------    ----------------
Period covered by audit        From ---- To ----   From ---- To ----
Name of the Team Leader        ----------------    ----------------
Date of Report                 ----------------    ----------------
Date of Despatch               ----------------    ----------------
Date of Noting/Closure         ----------------

Audit Ratings: (Level & direction)

Major Risk Parameters | Previous to Last Audit (Level | Direction) | Last Audit (Level | Direction) | Present Audit (Level | Direction)
Business Risk
Control Risk
Composite Risk

A. BUSINESS RISK

1. CREDIT RISK (Outstanding Rs. in lakh)

1. NPA Composition & Concentration

Columns: Year before Last as on 31.03.200 (No. of a/cs. | Amount) | Last Year as on 31.03.200 (No. of a/cs. | Amount) | Current Year as on latest (quarter/month) ……………. (No. of a/cs. | Amount)

Rows: Total Agricultural Advances; Small Scale Industries; Other Priority Sector Advances, of which: Retail Trade, Small Business, SRTO, Prof. & Self-Employed, Education, Housing; Total Priority Sector Advances; Wholesale Trade/Business; Medium Industries; Large Industries; Housing Loan (other than priority sector); Star Mortgage Loan; Total NPAs, of which: > Rs.1 crore, Rs.10 lakh and above but < Rs.1 crore, > Rs.2 lakh but < Rs.10 lakh; Sub-Standard Assets; Doubtful Assets; Loss Assets; Forex Business; Suit Filed/DRT Advances; Suit Decreed Advances; Expired Decrees; Non-Fund Based Liability

Columns: Budget | Actual, for each of the three periods above

Rows: Gross NPA (Opening); Cash Recovery; Compromise; Write Off; Gross NPA (Closing); Provision/Cash Margin; Net NPA (Closing)

Offer comments on:

Items | Positive Factors | Negative Factors
Proper classification of Assets as per extant guidelines
Review of accounts in applicable cases
Concentration of NPAs in different sectors/segments against the chances for recovery taking into account the present economic scenario in those sectors/segments
Proper provisioning
Periodical inspection of assets (wherever available) to ensure that there is no deterioration of realisable value of security; reasons for quick deterioration, if any, of RVS
Availability of coverage under ECGC, CGF for Small Industries, Govt. Guarantee etc. in NPA accounts
Efforts for cash recovery, compromise, out of court settlement etc.; maintenance of register for compromise offers received, action taken and disposed cases
Follow-up in suit filed accounts by keeping close liaison with Court Officials, Bank’s Advocates for expediting disposal of the case in bank’s favour, obtention of consent decree in the case of compromise offers etc.
Maintenance of proper records/registers (age-wise position) for suit filed/decreed status along with the list of securities and security documents available
Empanelment of Recovery Agents and monitoring their functioning, Recovery Certificates filed (if Recovery Act is applicable), number of cases pending, reporting of cases pending over 3 years to ZO, efforts for expediting execution of decrees, time-barred decrees
Action initiated/taken for acquiring possession of securities under SARFAESI Act and maintenance of records for securities acquired/disposed, amount recovered etc.; ensuring safeguarding of securities wherever security agencies are appointed for this purpose (by making surprise visits, prompt payment of charges to service agencies in this connection)

2. EARNINGS RISK

Offer comments on:

Items | Positive Factors | Negative Factors
Recovery of unrealised/uncharged interest
Recovery in written-off accounts
Monitoring over controllable expenses

3. OPERATIONAL RISK:

Offer comments on:

Items | Positive Factors | Negative Factors
Imparting necessary training and positioning of staff (designating officer/s) by proper allocation of suit-filed/decreed accounts for effective follow-up for recovery and maintaining liaison with Bank Advocates/DRT Officials and other court officials
Applying/Claiming refinance from IDBI/SIDBI/NABARD/EXIM Bank etc., claiming/adjustment of subsidy under various schemes, ECGC cover in eligible accounts etc.
Reporting of default to ECGC within the prescribed time limit and lodgement of claims with ECGC within the prescribed time limit, lodgement of claims in respect of Central/State Govt. Guarantee accounts
NSC/KVP/Monies under Life Insurance Policy, Shares, Other Govt. Securities pledged/assigned as security in advance accounts and matured/fallen due for payment but proceeds not claimed/realised/credited to the borrowal accounts
Ensuring valid Computer System for record/other transactions maintenance, security of such computer systems including taking periodical back-ups, storage of back-ups etc.
Ensuring adequate insurance to the assets (wherever applicable) charged to the bank and keeping record of policies and also renewing the policies on due dates
Dealing with Staff Accountability aspect for conclusive closure of SAR
Execution/renewal of lease deed of branch premises

B. CONTROL RISK

1. Internal Control Risk:

Columns: Year before Last as on 31.03.200 | Last Year as on 31.03.200 | Current Year as on latest (quarter/month) ……………
Rows: Sundry Credits; Suspense Accounts (Debit); G/L a/c – Security Deposits; Furniture & Fixtures

Offer comments on:

Items | Positive Factors | Negative Factors
Taking monthly jottings of balances and tallying with GLB, yearly printing of ledgers
Periodical balancing/reconciliation of entries in G/L a/c Security Deposits, Sundry Credits, Suspense Accounts (Dr.), written-off accounts
Follow-up for early wiping/adjustment of outstanding entries in Sundry Credits, Suspense Accounts (Dr.), Written-off accounts
Maintenance of records for receipt of reports of Inter Branch Reconciliation from H.O.; raising query memorandum/follow-up for unreconciled entries with the concerned branches; replying to the query memorandum received from other branches
Maintenance of movement register in the proper manner for the sensitive stationery items as and when put in use and for the security documents
Maintenance and updation of Branch Document Register and also safe-keeping of security documents (only in applicable cases) and, in the case of documents kept at the transferor branch, obtention of certificate to this effect; safe-keeping of sensitive stationery items (Cheque Book, Payorder Book etc.) if any provided to the branch
Proper maintenance of records for AMCs, Insurance Policies for branch building, stationery and furniture & fixtures
Proper record maintenance of staff attendance, leave calculation, payment of salary and other allowances, prompt payment of rent
Proper maintenance of records and numbering pass book for Furniture & Fixtures including the Dead Stock and Furniture at the residence of Manager/Other officials, numbering and periodical physical verification, disposal of unserviceable items
Control over old records/files/vouchers, periodical disposal of old records as per the extant guidelines, ambience of the branch premises and also proper maintenance of records and control over other stationery items
Proper record maintenance for newspapers/magazines purchased, sale of old newspapers, rent and other charges (telephone, electricity, taxes etc.) paid
Maintenance of secrecy book, obtention of signature of all the staff as per applicable periodicity, maintenance of customer secrecy

2. Compliance Risk

Offer Comments on:

Items | Positive Factors | Negative Factors
Compliance with IRAC norms
Timely submission of all returns/statements (BPR, BR-39, 40, CA-23, CCIS, BHP, BDS, etc.) with accuracy
Pro-rata deduction of income-tax/professional tax etc. from salary and other allowances paid to staff members
Payment of service-tax only on leviable items under P&L Misc. Receipt and also netting of service-tax
Remittance of income-tax, service-tax deducted at source within the stipulated time to the credit of Govt. account, payment of various applicable taxes/charges in time such as property tax, tax under Shops & Establishment Act wherever applicable, electricity/telephone charges, professional tax etc.
RBI License, License under Shops and Establishment Act (wherever applicable)
Compliance with Right To Information Act
Compliance with Official Language Act
Conclusive compliance with the previous audit reports, compliance with Monitorable Action Plan suggested in the previous Risk Based Audit Report, compliance with special instructions/guidance etc. provided by the controlling authorities, Govt. Bodies etc.

MONITORABLE ACTION PLAN SUGGESTED FOR MITIGATING RISK: (Copy of the Monitorable Action Plan should be attached to the Risk Profile)

Parameter | Risk Level/Direction | Action Plan suggested for drawing action points, implementation of the same and for monitoring
1. CREDIT RISK
2. EARNINGS RISK
3. OPERATIONAL RISK
4. INTERNAL CONTROL RISK
5. COMPLIANCE RISK

Annexure-5 FORMAT OF EXIT MEETING REPORT

Branch: ____________________ Exit Meeting held on: _______________

1. Date of Meeting :

2. Name and Designation of Officers who attended the meeting :

Audit Team Branch Officials

3. Period of Audit : From ______________ To ______________

4. Rating (Level/Trend) of the last 2 assessments

                   Last (Date: ________)   Previous to Last (Date: ________)
Business Risk
Control Risk
Composite Risk

5. a) Highlights of performance

Items   Budget/Target   Achievement   Remarks

NPA Recovery
UCI/URI Recovery
Recovery in written-off accounts
Operating Profit/Loss

House-Keeping

Any Other Item,(please specify)

b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the branch).


6. SWOT analysis on functioning of the branch :

Strength

Weakness

Opportunity

Threat

7. Branch views, if any.

Encl: Copy of Monitorable Action Plan

Copy received.

Manager, ……………….. Branch                 (Signature of the Team Leader)

Annexure-6 MARK SHEET

Branch: _______________________ Zone: _______________ Class/Category: _______________________ Audited From: _______________ To: _______________

Sr.No.   Parameters for awarding marks   Maximum marks allowed   Marks awarded

A. BUSINESS RISK (Maximum marks: 140)

I. CREDIT RISK (Maximum marks: 80)

1. Spread of advances (NPAs) against the chances for recovery considering the security value and the prevailing economic scenario
   Well spread over in different sectors/segments: 6
   Fairly spread over: 4
   Concentrated in particular area/s only: 2

2. Availability of coverage under ECGC, CGF for Small Industries, Govt. Guarantee etc.
   > 95% of eligible advances: 6
   Between 90% and 95%: 4
   < 90%: 2

3. Periodical Status Review of accounts
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

4. Periodical inspections of assets in applicable cases, involving
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

5. Availability of securities including collaterals covering to the extent of
   > 95% of the suit filed amount: 10
   Between 90% and 95%: 6
   < 90%: 3

6. Correct asset classification
   More than 95% of the total advances: 10
   Between 90% and 95%: 6
   < 90%: 3

7. Adequacy of provision for NPAs
   Correctly provided: 6
   Excess-provided: 4
   Under-provided: 2

8. Insurance level of securities including collaterals (in applicable cases)
   > 95% of eligible NPA advances: 6
   Between 90% and 95%: 4
   < 90%: 2

9. Cash recovery (by way of compromise, OTS, invocation of SARFAESI Act, RRC Act etc.)
   > 90% of the budgeted level: 10
   Between 60% and 90%: 6
   < 60%: 3

10. Age of the decrees obtained pending for execution
   < 2 years: 6
   Between 2 and 5 years: 4
   5 years and above: 2

II. EARNINGS RISK (Maximum marks: 20)

1. Trend of write-off including prudential write-off
   < 1%: 4
   Between 1% and 3%: 2
   > 3%: 0

2. Recovery in written-off accounts
   > 25% of the written-off amount outstanding: 4
   15% to < 25% of the written-off amount outstanding: 2
   < 15% or no recovery: 1

3. Controllable expenses
   Not increasing, or increasing in proportion to the business requirements: 4
   Moderate increase, more than in proportion to the business requirements: 2
   Exorbitantly increasing: 0

4. Recovery of UCI/URI
   Recovered > 90% of the outstanding amount: 4
   Recovered between 50% and 90% of the outstanding amount: 2
   Recovered up to 10% of the outstanding amount: 1

5. Achievement of operating profit/loss budget
   Achieved: 4
   Achievement falling short by < 10%: 2
   Achievement falling short by > 10%: 1

III. OPERATIONAL RISK (Maximum marks: 40)

1. Positioning of staff in key areas (allocation of duties) as per their competency
   Good: 4
   Satisfactory: 2
   Poor: 0

2. Imparting suitable training/guidance to staff for acquiring updated knowledge in the field of recovery and also operational matters under the computerised environment from the risk perspective
   All the staff members are properly trained in the day-to-day functioning from the risk perspective: 4
   Only supervisory staff are trained: 2
   No staff member is imparted suitable training: 0

3. Access to server room/UPS room etc.
   Strictly restricted always: 2
   Not restricted sometimes: 1
   No restriction; free access to all: 0

4. Maintenance of records for allotment of user level code, control over changing of user level as per the requirement
   Strictly implemented: 2
   Sometimes: 1
   Never: 0

5. Awareness of Disaster Recovery Plan/Business Continuity Plan
   All the staff members are aware of it: 4
   Only a few members are aware of it: 2
   No one is aware of it: 0

6. Frequency of systems failure, programming errors etc.
   Never occurred: 4
   Sometimes occurred: 2
   Very frequently occurred: 0

7. Adherence to manual of instructions/guidelines/circulars etc. with regard to operational matters such as obtention of proper application, preparing necessary memorandum for compromise/write-off, invocation of ECGC claim, Govt. Guarantee etc.
   Strict adherence at all times: 4
   Minor deviations noticed but branch has not incurred any loss in this regard: 2
   Gross violation: 0

8. Any suit/s filed against the branch by customers, counterparties or third party service providers
   No suit is filed: 4
   Suit/s filed against the branch but settled without any loss or very nominal loss to the branch: 2
   Suit/s pending against the branch or suit/s settled with a substantial loss to the branch: 0

9. Inherent threat for the branch being situated in an earthquake prone, riot prone, naxalite/terrorist infested, communal violence or flood prone area
   Not applicable: 4
   Rarely: 2
   Frequently: 0

10. In case any one or more of the above threats are applicable, the contingency plan for tackling the same is
   Prepared and all the staff members are aware of the same: 4
   Available in records, but some or most of the staff members are not aware of the same: 2
   Not at all prepared: 0

11. Execution/renewal of lease deed of the branch premises
   Executed/renewed and valid: 4
   Expired recently and matter taken up for extension: 2
   Not at all executed/renewed for a long time: 0

B. CONTROL RISK (Maximum marks: 80)

I. INTERNAL CONTROL RISK (Maximum marks: 45)

1. Exceeding of delegated authority in sanctioning regular write-off, prudential write-off, compromise offers, appointing recovery agents etc.
   Never: 3
   On a very few occasions: 1
   Very often: 0

2. Periodical reconciliation/balancing of entries in Suspense Accounts (Dr.), Sundry Deposits and Sundry Credits accounts, written-off accounts
   Carried out periodically and nothing pending: 4
   Carried out only on a few occasions and only the report received recently is pending: 2
   Not carried out periodically and entries outstanding for more than 6 months (except the allowable entries): 1

3. Follow-up for entries in Suspense Accounts (Dr.), Sundry Deposits and Sundry Credits which are outstanding for more than the reasonable time limit
   Effective follow-up is being done and entries are cleared within a reasonable time: 6
   Insufficient follow-up and entries are not cleared/cleared after a considerable delay: 3
   No follow-up: 0

4. Dual custody of sensitive stationery items
   Always maintained: 2
   Kept under single custody only: 1
   No custody available: 0

5. Maintenance of updated movement register for sensitive stationery items in the prescribed form whenever such items are put to use and also maintenance of movement register for other security documents
   Strictly maintained whenever used: 2
   Not maintained in the prescribed form, or maintained only on a few occasions: 1
   Not maintained at all: 0

6. Maintenance of Branch Documents Register with updated information
   Maintained with updated information: 2
   Maintained but not updated: 1
   Not maintained: 0

7. Safe keeping of Security Documents of NPA accounts, Manuals, FEDAI Rules Book, Exchange Control Manuals, Specimen Signature Book etc.
   All are kept under dual control: 4
   Only a few are kept safely: 2
   Nothing is kept safely: 0

8. Maintenance of updated staff records inclusive of attendance, leave record, LFC payments, salary payments etc.
   No discrepancy noticed: 6
   One or two minor discrepancies noticed: 3
   More discrepancies (minor and major) noticed: 0

9. Payment of rent, other taxes and other charges and maintaining proper receipts for the same
   Paid promptly on due dates: 4
   Paid with a little delay with some minor fine: 2
   Not paid, or paid with considerable delay: 0

10. Numbering and maintenance of proper records for furniture & fixtures including dead stock and furniture provided at the residence of the branch officials; periodical physical checking and maintenance of record therefor; disposal of unserviceable items
   Strictly done and no deviation noticed: 4
   Some minor deviation/s noticed: 2
   Gross deviations noticed or not at all carried out: 0

11. Control over AMC including refilling of fire extinguishers
   Periodically renewed strictly: 4
   Renewed but with some delay: 2
   Pending for a long time, say > 6 months: 0

12. Control over old records/vouchers/files/ledgers/registers etc.
   Very good: 4
   Satisfactory: 2
   Unsatisfactory: 0

II. COMPLIANCE RISK (Maximum marks: 35)

1. Adherence to IRAC norms
   Strictly adhered to: 3
   Some minor deviation/s noticed: 2
   Gross violation: 0

2. Submission of control returns (BPR, CA-23, ALM statement, BHP, CCIS etc.) in time after ensuring accuracy
   All the statements are submitted in time with accuracy: 4
   Only a few statements are submitted in time and/or some minor discrepancies noticed: 2
   Delayed submission or non-submission of statements and/or more discrepancies noticed: 0

3. Display of the important exhibits as instructed by HO such as notice prohibiting entry of fire arms, important addresses and telephone numbers, branch name board as per the specification and other exhibits advised from time to time
   All the required exhibits are displayed: 2
   A few exhibits are not displayed: 1
   Majority of the exhibits are not displayed: 0

4. Deduction of Income-Tax, Professional Tax etc. as stipulated (i.e. pro-rata on a monthly basis from the salary paid to the staff)
   Strictly enforced: 4
   Some minor deviation/s noticed, but no loss/penalty incurred: 2
   Gross deviations noticed: 0

5. Remittance of TDS to the credit of Govt. account
   Effected within 7 days from the date of deduction: 4
   Effected with a little delay on a few occasions: 2
   Effected after considerable delay: 0

6. Remittance of service-tax (after netting), Professional Tax, Tax under Shops & Establishment Act, Property Tax and other applicable taxes/charges within the stipulated time to the concerned authorities
   Always remitted within the stipulated time: 4
   Remitted with delay on a few occasions, but no penalty levied: 2
   Always remitted with considerable delay: 0

7. Submission of Annual Return (Form No. 24)
   Submitted within the stipulated time meticulously: 3
   Submitted with a little delay (say a week or so): 2
   Submitted with considerable delay or not submitted: 0

8. Compliance with requirements under Official Language Act, Right To Information Act
   Strictly enforced: 3
   Lopsided implementation: 2
   Gross violation: 0

9. Obtention/periodical renewal of License under Shops & Establishment Act wherever applicable
   License under S&E Act obtained/renewed periodically: 2
   License overdue for renewal: 1
   License not at all obtained: 0

10. Compliance of audit reports
   Complied with conclusively and effectively in time without any exception: 3
   Complied with a few exceptions for which follow-up is not adequate: 2
   Compliance is not conclusive in toto: 0

11. Compliance with MAP suggested in the previous RBIA report and/or the periodically updated profiles
   Conclusive compliance of all points: 3
   Complied with only a few points: 2
   Not complied with any point: 0

RISK BASED INTERNAL AUDIT RATING SHEET

Sr. No.   Category of Risk   Maximum Marks Allowed   Marks Awarded   Percentage   Risk Rating (Level/Trend)

A. BUSINESS RISK: 140
   1. Credit Risk: 80
   2. Earnings Risk: 20
   3. Operational Risk: 40
B. CONTROL RISK: 80
   1. Internal Control Risk: 45
   2. Compliance Risk: 35
C. COMPOSITE RISK*

* The composite risk will be arrived at with the help of the following risk matrix.

Risk Matrix (rows: Inherent Business Risk; columns: Control Risk)

Inherent Business Risk   Control Risk Low   Control Risk Medium   Control Risk High
High                     A. High Risk       B. Very High Risk     C. Extremely High Risk
Medium                   D. Medium Risk     E. High Risk          F. Very High Risk
Low                      G. Low Risk        H. Medium Risk        I. High Risk

BASIS FOR RISK ASSESSMENT

Risk     Percentage of marks awarded
Low      Over 75
Medium   50 to 75
High     Below 50

The trend analysis of the composite risk is interpreted as shown below (rows: Inherent Business Risk; columns: Control Risk):

Inherent Business Risk   Control Risk Decreasing   Control Risk Stable   Control Risk Increasing
Increasing               Increasing                Increasing            Increasing
Stable                   Stable                    Increasing            Increasing
Decreasing               Decreasing                Stable                Increasing

Variation of marks in the same category up to +5% or -5% is considered as STABLE. Variation in the same category of more than +5% or -5% is considered as DECREASING/INCREASING, as the case may be.
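As an added illustration (not part of the policy document), the following Python works a constructed mark sheet through the rating rules above: percentage of marks to level, the composite risk matrix, and the 5% trend rule. It assumes the 5% variation is measured in percentage points of the category score and that a fall in marks means the risk is increasing; the sample marks are invented.

```python
"""Composite RBIA rating worked through from a filled mark sheet.

Added example (not part of the policy document). It applies the policy's
own thresholds (Low: over 75%, Medium: 50-75%, High: below 50%), the 3x3
composite risk matrix and the +/-5% trend rule to constructed sample marks.
The category maxima are the policy's; the marks awarded are invented.
"""
from dataclasses import dataclass

# Maximum marks per sub-category, as laid down in the Annexure-6 mark sheet
# for regular branches.
BUSINESS_MAX = {"Credit Risk": 80, "Earnings Risk": 20, "Operational Risk": 40}
CONTROL_MAX = {"Internal Control Risk": 45, "Compliance Risk": 35}

# Composite risk matrix: key = (inherent business risk level, control risk level).
COMPOSITE_MATRIX = {
    ("High", "Low"): "High Risk", ("High", "Medium"): "Very High Risk",
    ("High", "High"): "Extremely High Risk",
    ("Medium", "Low"): "Medium Risk", ("Medium", "Medium"): "High Risk",
    ("Medium", "High"): "Very High Risk",
    ("Low", "Low"): "Low Risk", ("Low", "Medium"): "Medium Risk",
    ("Low", "High"): "High Risk",
}

# Composite trend table, copied as printed in the policy:
# key = (business risk trend, control risk trend).
TREND_MATRIX = {
    ("Increasing", "Decreasing"): "Increasing", ("Increasing", "Stable"): "Increasing",
    ("Increasing", "Increasing"): "Increasing",
    ("Stable", "Decreasing"): "Stable", ("Stable", "Stable"): "Increasing",
    ("Stable", "Increasing"): "Increasing",
    ("Decreasing", "Decreasing"): "Decreasing", ("Decreasing", "Stable"): "Stable",
    ("Decreasing", "Increasing"): "Increasing",
}


def percentage(awarded: dict, maxima: dict) -> float:
    """Marks awarded as a percentage of the maximum for one risk category.
    Rejects unknown parameters and marks outside 0..maximum (a filled sheet
    that exceeds the allowed marks is an input error, not a better score)."""
    for name, marks in awarded.items():
        if name not in maxima:
            raise KeyError(f"unknown parameter {name!r}")
        if not 0 <= marks <= maxima[name]:
            raise ValueError(f"{name}: {marks} outside 0..{maxima[name]}")
    return 100.0 * sum(awarded.values()) / sum(maxima.values())


def level(pct: float) -> str:
    """Risk level per the policy's basis: over 75 Low, 50-75 Medium, below 50 High."""
    if pct > 75:
        return "Low"
    if pct >= 50:
        return "Medium"
    return "High"


def direction(previous_pct: float, present_pct: float) -> str:
    """Trend of one category. Assumption: a change of up to 5 percentage points
    either way is STABLE; a larger fall in marks means risk is INCREASING and a
    larger rise means risk is DECREASING."""
    delta = present_pct - previous_pct
    if abs(delta) <= 5:
        return "Stable"
    return "Decreasing" if delta > 0 else "Increasing"


@dataclass
class Rating:
    business_pct: float
    control_pct: float
    business_level: str
    control_level: str
    composite: str


def rate(business: dict, control: dict) -> Rating:
    """Rate one audit: percentages, levels, then the composite via the matrix."""
    b = percentage(business, BUSINESS_MAX)
    c = percentage(control, CONTROL_MAX)
    bl, cl = level(b), level(c)
    return Rating(b, c, bl, cl, COMPOSITE_MATRIX[(bl, cl)])


def composite_trend(business_trend: str, control_trend: str) -> str:
    return TREND_MATRIX[(business_trend, control_trend)]


# Constructed sample marks for the last audit and the present audit.
LAST = ({"Credit Risk": 70, "Earnings Risk": 16, "Operational Risk": 34},
        {"Internal Control Risk": 38, "Compliance Risk": 30})
PRESENT = ({"Credit Risk": 48, "Earnings Risk": 12, "Operational Risk": 24},
           {"Internal Control Risk": 36, "Compliance Risk": 31})


def worked_example() -> dict:
    """Business risk drops from 85.7% (Low) to 60% (Medium) while control risk
    stays near 85% (Low): composite moves Low Risk -> Medium Risk, Increasing."""
    last, now = rate(*LAST), rate(*PRESENT)
    b_trend = direction(last.business_pct, now.business_pct)
    c_trend = direction(last.control_pct, now.control_pct)
    return {"last": last, "present": now, "business_trend": b_trend,
            "control_trend": c_trend,
            "composite_trend": composite_trend(b_trend, c_trend)}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(key, value)
```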

The above risk rating is approved. (Signature of the Zonal Audit Chief)

Annexure-3

RISK PROFILE OF ………………………………… DP/SERVICE BRANCH, …………………………….. ZONE
Position as at ……………………   Ref. No.:   Date:

TABLE OF CONTENTS

I Background

II Organization and Business Profile of Branch

III Assessment of the Risk Profile

IV Summary Description of Business & Control Risks

V Suggested Monitorable Action Plan for Mitigating Risk

I. BACKGROUND

In the context of having effective RBS in the Bank, the Risk Profile of …………………….. Branch is prepared in line with the Corporate Risk Profile, keeping in mind the various risk factors under Business and Control areas that are observed at the branch level. The underlying objective is to:

Categorise the Branches as having composite risk rating low, medium, high, very high or extremely high
Identify the direction of risk, namely increasing/stable/decreasing

II. ORGANIZATION & BUSINESS PROFILE OF BRANCH:

Name of the Branch/Date of Opening:
Branch Code No.:
Name of the Zone:
Category: Specialised
Class: Urban/Metropolitan
Management Organization:
Total Staff: Officers: ; Special Assistants: ; Clerks: ; Sub-Staff:
Branch In-charge (Present): Shri/Smt. ………………… From:
Previous Incumbent: Shri/Smt. ………………… From: To:
Last Risk Audit conducted: From: To:
Last Risk Audit Rating: Business Risk: ; Control Risk: ; Composite Risk:

BUSINESS PROFILE (Outstanding Rs. in lakh)

Columns: Year before Last (as on 31.03.200_); Last Year (as on 31.03.200_); Current Year (as on latest quarter/month ……………)

Head Office Account: Finacle Branches; Non-Finacle Branches
Sundry Deposits
Drafts Payable < 3 years
Drafts Paid Without Advice
Payslips Issued
Sundry Credits
Clearing Difference (Payable)
Net Clear
Current Account with RBI/SBI
Security Deposits
Clearing Difference (Receivable)
Suspense Accounts (Debit)
Furniture & Fixtures
Staff Cost
Miscellaneous Charges
Travelling Expenses
Lighting
Telephones & Telegrams
Stationery
Total Expenses
Profit & Loss Account Balance

Types of Audits conducted   Date of Report   Ratings awarded during the year
1.
2.
3.
4.
5.

Information Technology Systems used

III. ASSESSMENT OF THE RISK PROFILE

A. BUSINESS RISK

1. Earnings Risk: Level/Direction:   Previous Assessment   Present Assessment

Assessment area   Positive Factors   Negative Factors
Gross Profit/Loss (Actual v/s Budget)
Control over expenses

2. Operational Risk: Level/Direction:   Previous Assessment   Present Assessment

Assessment area   Positive Factors   Negative Factors

Competency of staff/ Rotation of duties, proper training/ placement

Adherence to manual of instructions/ circulars/Guidelines

Security and validity of computer systems and other technology

Litigation/claims against the bank

Preparedness for tackling any unanticipated natural/ manmade calamities/ events

B. CONTROL RISK

1. Internal Control Risk: Level/Direction:   Previous Assessment   Present Assessment

Assessment area   Positive Factors   Negative Factors
Housekeeping

Reconciliation(inter-bank and inter-branch)

Submission of MIS returns/control returns- Timeliness/quality

Prevention of frauds

Judicious exercise of Delegations of Powers

Control over sensitive stationery items

Branch security aspects

Control over staff records, old records, furniture & fixtures etc.

2. Compliance Risk: Level/Direction:   Previous Assessment   Present Assessment

Assessment Area   Positive Factors   Negative Factors
Regulatory: Submission of control returns in time and accurately; adherence to clearing house rules
Statutory: Deduction of Income-tax, service-tax etc. and timely remittance; renewal of required licenses; submission of annual returns to statutory authorities etc.
Monitorable Action Plan: Compliance with MAP suggested in the previous RBIA/updated risk profile and also compliance with other audit reports.

IV. SUMMARY DESCRIPTION OF BUSINESS & CONTROL RISKS ASSESSED:

Parameters   Level & Trend of risk   Positive Factors   Negative Factors

Business Risk
   Earnings
   Operational
Control Risk
   Internal Control
   Compliance

V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:

Parameter   Risk Level/Direction   Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively

1. EARNINGS RISK
2. OPERATIONAL RISK
3. INTERNAL CONTROL RISK
4. COMPLIANCE RISK

Prepared by: …………………..          Approved: …..……………………
(Auditor)                          (Zonal Audit Chief), ……………………. ZAO.

Annexure-4

RISK BASED INTERNAL AUDIT REPORT (SERVICE/DP BRANCH)

Name of the Branch: ……………… Service/DP Branch; Zone: ; Opened on: ; Branch Code No.: ; Category: ; Class: ; Business Hours - Week Days: ; Holiday on: ; Whether under Concurrent Audit: YES/NO

                                   Previous            Present
Branch In-Charge                   ----------------    -----------------
From                               ----------------    -----------------
To                                 ----------------    -----------------
Date of commencement of Audit      ----------------    -----------------
Date of conclusion                 ----------------    -----------------
Mandays                            ----------------    -----------------
Period covered by audit (From/To)  ----------------    -----------------
Name of the Team Leader            ----------------    -----------------
Date of Report                     ----------------    -----------------
Date of Despatch                   ----------------    -----------------
Date of Noting/Closure                                 -----------------

Audit Ratings: (Level & direction)

Major Risk Parameters   Previous to Last Audit (Level / Direction)   Last Audit (Level / Direction)   Present Audit (Level / Direction)
Business Risk
Control Risk
Composite Risk

A. BUSINESS RISK

1. Earnings Risk: (Amount Rs. in Lakh)

Columns: Year before Last (as on 31.03.200_); Last Year (as on 31.03.200_); Current Year (as on latest quarter/month ……………)

Staff Cost
Miscellaneous Charges
Travelling Expenses
Lighting
Telephones & Telegrams
Stationery
Total Expenses
Profit & Loss Account Balance

Offer comments on:

Items   Positive Factors   Negative Factors
Monitoring of expenses under each head vis-à-vis the approved budget

2. Operational Risk:

Offer comments on:

Items   Positive Factors   Negative Factors
Competency of the staff, imparting of suitable training, proper work allocation, periodic rotation/shift of duties of staff
Frequency of execution errors in transactions (like wrong posting of instruments which may be subsequently cancelled)
Compatibility of software for ECS, EFT, RTGS systems; record maintenance of user level code allotments/cancellations/suspensions; back-up for MBB server; access to MBB server/UPS; documentation/distribution of Disaster Recovery Plan; display of LAN layout; loading of anti-virus software at all nodes
Restricted access to authorised Smart Card Holders, network security, access to Internet/Intranet etc.
Claims against the branch with regard to payment/return of instruments etc.
Strategy adopted for lodging/receiving clearing instruments to/from the clearing houses; availability of contingency plan in the event of failure of the routine arrangement
Execution/renewal of lease deed of branch premises

B. CONTROL RISK

1. Internal Control Risk: (Amt. Rs. in Lakh)

Columns: Year before Last (as on 31.03.200_); Last Year (as on 31.03.200_); Current Year (as on latest quarter/month ……………)

Head Office Account: Finacle Branches; Non-Finacle Branches
Sundry Deposits
Drafts Payable < 3 years
Drafts Paid Without Advice
Payslips Issued
Sundry Credits
Clearing Difference (Payable)
Net Clear
Current Account with RBI/SBI
Security Deposits
Clearing Difference (Receivable)
Suspense Accounts (Debit)
Furniture & Fixtures

Offer Comments on:

Items   Positive Factors   Negative Factors
Submission of BDS Floppy (in the case of Non-Finacle transactions)
Inter-Branch Reconciliation Reports (Non-Finacle Branches)
Weekly reconciliation of Net Clear/Clearing Difference (Receivable/Payable) and follow-up for outstanding entries; weekly reconciliation of accounts with RBI/SBI; obtention of periodic balance confirmation
Weekly reconciliation and follow-up for outstanding drafts and also for Drafts Paid Without Advice (for Non-Finacle Branches)
Weekly reconciliation of RTGS Mirror account and follow-up for unreconciled entries
Handling of D/Ws: proper record maintenance, follow-up etc.
Timely despatch of instruments/cheques etc. received in clearing to respective branches for responding and also proper handling of returned unpaid instruments; timely advising the branches about realisation of the instruments (sending the inbuilt CN of SCS)
Maintenance of records for Inward and Outward entries of EFT, ECS, RTGS transactions; follow-up for unresponded/missing/incorrect entries
Proper record maintenance of Payslips Issued and follow-up for outstanding entries
Control over Jet Clearing, National Clearing instruments (both Inward and Outward) for their expeditious clearance
Reconciliation and follow-up for old outstanding entries in Sundry Credits, Suspense Accounts (Debit)
Control over sensitive stationery items; maintenance and updation of records for missing drafts, payslips etc. of branches as informed by H.O.
Exercising care for prevention of payment of forged/missed/fake instruments to avoid any fraud
Maintenance of Furniture & Fixtures: proper accounting, numbering, physical verification, insurance etc.
Maintenance of Staff Records for payment of Salary, LFC, Medical Aid etc.; maintenance of leave records of staff

2. Compliance Risk:

Offer comments on:

Items   Positive Factors   Negative Factors
Pro-rata TDS from salary of staff and remittance of the same in time; submission of annual returns to Income-Tax authorities in time; netting of service tax and payment of service tax in time
Submission of CA-23 in time; RBI fortnightly statement (RBI secondary account balances)
Timely and conclusive compliance with the various audit reports; compliance with the previous Monitorable Action Plan suggested

SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:

Parameter   Risk Level/Direction   Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively

1. EARNINGS RISK
2. OPERATIONAL RISK
3. INTERNAL CONTROL RISK
4. COMPLIANCE RISK

Annexure-5 FORMAT OF EXIT MEETING REPORT

Branch: ____________________ Exit Meeting held on: _______________

1. Date of Meeting :

2. Name and Designation of Officers who attended the meeting :

Audit Team Branch Officials

3. Period of Audit : From ______________ To ______________

4. Rating (Level/Trend) of the last 2 assessments

                   Last (Date: ________)   Previous to Last (Date: ________)
Business Risk
Control Risk
Composite Risk

5. a) Highlights of performance

Items   Budget/Target   Achievement   Remarks

Operating Profit/Loss

House-Keeping

Any Other Item,(please specify)

b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the branch).


6. SWOT analysis on functioning of the branch :

Strength

Weakness

Opportunity

Threat

7. Branch views, if any.

Encl: Copy of Monitorable Action Plan

Copy received.

Manager, ……………….. Branch                 (Signature of the Team Leader)

Annexure-6 MARK SHEET

Branch: _______________________ Zone: _______________ Class/Category: _______________________ Audited From: _______________ To: _______________

Sr.No.   Parameters for awarding marks   Maximum marks allowed   Marks awarded

A. BUSINESS RISK (Maximum marks: 70)

I. EARNINGS RISK (Maximum marks: 10)

1. Controllable expenses
   Not increasing, or increasing in proportion to the business requirements: 5
   Moderate increase, more than in proportion to the business requirements: 2
   Exorbitantly increasing: 0

2. Achievement of operating profit/loss budget
   Achieved: 5
   Achievement falling short by < 10%: 2
   Achievement falling short by > 10%: 1

II. OPERATIONAL RISK (Maximum marks: 60)

1. Positioning of staff in key areas (allocation of duties) as per their competency
   Good: 4
   Satisfactory: 2
   Poor: 0

2. Periodical rotation of staff (wherever possible)
   As per the stipulated interval: 4
   Rotation takes place but not at the stipulated interval: 2
   No rotation has taken place for the last 3 years: 0

3. Imparting suitable training/guidance to staff for acquiring updated knowledge in the day-to-day functioning under the computerised environment
   All the staff members are properly trained in the day-to-day functioning from the risk perspective: 4
   Only supervisory staff are trained: 2
   No staff member is imparted suitable training: 0

4. Frequency of execution errors in transactions such as wrong posting of vouchers/instruments etc.
   Nothing noticed: 4
   Noticed on a very few occasions: 2
   Noticed on many occasions: 0

5. Access to MBB server/UPS/ECS/EFT/RTGS etc.
   Strictly restricted always: 4
   Not restricted sometimes: 2
   No restriction; free access to all: 0

6. Off-site storage of back-up of MBB server
   Always: 4
   Sometimes: 2
   Never: 0

7. Maintenance of records for allotment of user level code, control over changing of user level as per the requirement
   Strictly implemented: 4
   Sometimes: 2
   Never: 0

8. Awareness/monitoring of lapses in workflow/lapses leading to operational problems (not logging out of the computer system when not in use or when the operator leaves the terminal etc.)
   Nothing noticed: 4
   Very rarely noticed: 2
   Lapses noticed on many occasions: 0

9. Awareness of Disaster Recovery Plan/Business Continuity Plan
   All the staff members are aware of it: 4
   Only a few members are aware of it: 2
   No one is aware of it: 0

10. Frequency of systems failure, programming errors etc.
   Never occurred: 4
   Sometimes occurred: 2
   Very frequently occurred: 0

11. Adherence to manual of instructions/guidelines/circulars etc. with regard to operational matters in effecting ECS/EFT/MBB/RTGS transactions
   Strict adherence at all times: 4
   Minor deviations noticed but branch has not incurred any loss in this regard: 2
   Gross violation: 0

12. Any suit/s filed against the branch by customers/any other bank or third party service providers
   No suit is filed: 4
   Suit/s filed against the branch but settled without any loss or very nominal loss to the branch: 2
   Suit/s pending against the branch or suit/s settled with a substantial loss to the branch: 0

13. Inherent threat for the branch being situated in an earthquake prone, riot prone, naxalite/terrorist infested, communal violence or flood prone area
   Not applicable: 4
   Rarely: 2
   Frequently: 0

14. In case any one or more of the above threats are applicable, the contingency plan for tackling the same is
   Prepared and all the staff members are aware of the same: 4
   Available in records, but some or most of the staff members are not aware of the same: 2
   Not at all prepared: 0

15. Execution/renewal of lease deed of the branch premises
   Executed/renewed and valid: 4
   Expired recently and matter taken up for extension: 2
   Not at all executed/renewed for a long time: 0

B. CONTROL RISK 110I. INTERNAL CONTROL RISK 70 1. Follow-up for outstanding Drafts, DPWA, Payslips

Constant and effective follow-up is carried out on an ongoing basis Lopsided follow-up is done. Very rare follow-up/No follow-up is done

4 2 1

2. Periodical reconciliation/balancing of entries in Suspense Accounts (Dr.), Sundry Deposits and Sundry Credits accounts

Carried out periodically and nothing pendingCarried out only on few occasions and the report received recently only is pending

4 2

Page 199: RISK BASED INTERNAL AUDIT POLICY

Not carried out periodically and entries outstanding for more than 6 months (except the allowable entries)

1

Sr.No.

Parameters for awarding marks Maximum marks allowed

Marks awarded

3. Follow-up for entries in Suspense Accounts (Dr.), Sundry Deposits and Sundry Credits which are outstanding for more than the reasonable time limit

Effective follow-up is being done and entries are cleared within a reasonable timeInsufficient follow-up and entries are not cleared/cleared after a considerable delayNo follow-up

4

2

0 4. Pendency of Inter-Branch reconciliation report (Non-

Finacle branches) No report/s pending Report/s pending for less than one month Report/s pending for more than one month

4 2 0

5. Weekly reconciliation of Net Clear/Clearing Difference (Receivable/Payable) and follow-up for outstanding entries

Meticulously reconciled weekly and followed up effectivelyReconciliation done late by a week and follow-up doneReconciliation delayed by more than a week and no effective follow-up done

4

2

0

6. Weekly reconciliation of accounts with RBI/SBI etc. and obtention of periodic balance confirmation

Reconciliation done on weekly basis and balance confirmation obtained periodicallyReconciliation done once in a month and balance confirmation obtained periodicallyReconciliation pending more than a month and balance confirmation obtained not on regular basis

4

2

0

7. Weekly reconciliation of RTGS Mirror account and follow-up for unresponded entries

Meticulously reconciled weekly and followed up effectivelyReconciliation done late by a week and follow-up doneReconciliation delayed by more than a week and no effective follow-up done

4

2

0

8. Time taken for presentation of instruments in Jet Clearing/National Clearing (both Inward and Outward)
   Within 3 days: 4
   Within one week: 2
   Beyond one week: 0


9. Submission of BDS Floppy (in the case of Non-Finacle transactions)
   Submitted within 3 days from the close of the fortnight: 2
   Submitted late by > 3 days but less than a week: 1
   Beyond one week: 0

10. Dual custody of sensitive stationery items (Cheque Book/ Payslips/DOs/COs) with proper accounting thereof
   Always maintained: 2
   Kept under single custody only: 1
   No custody available: 0

11. Maintenance of updated movement register for sensitive stationery items in the prescribed form whenever such items are put on use and also maintenance of movement register for other security documents
   Strictly maintained whenever used: 2
   Maintained not in the prescribed form or maintained only on few occasions: 1
   Not maintained at all: 0

12. Maintenance and Updation of records for missing drafts/payslips etc.
   Record maintained and updated immediately on receipt of information: 4
   Record maintained and updation delayed by more than 2 days: 2
   Record not maintained/Updation pending for a long time: 0

13. Maintenance of Branch Documents Register with updated information
   Maintained with updated information: 2
   Maintained but not updated: 1
   Not maintained: 0

14. Safe keeping of Manuals, Specimen Signature Book etc.
   All are kept under dual control: 2
   Only a few are kept safely: 1
   Nothing is kept safely: 0

15. Carrying out periodical Test Checks effectively and reporting the findings to the controlling authorities and maintenance of record thereof
   Regularly carried out as per the extant guidelines: 4
   Carried out but not at the stipulated intervals: 2
   Not carried out for a very long time, say > 1 year: 0


16. Maintenance of updated staff records inclusive of attendance, leave record, LFC payments, salary payments etc.
   No discrepancy noticed: 4
   One or two minor discrepancies noticed: 2
   More discrepancies (minor and major) noticed: 0

17. Payment of rent, other taxes and other charges and maintaining proper receipts for the same
   Paid on due dates promptly: 4
   Paid with a little delay with some minor fine: 2
   Not paid or paid with considerable delay: 0

18. Numbering and maintenance of proper records for furniture & fixtures including dead stock and furniture provided at the residence of the branch officials; periodical physical checking and maintenance of record therefor; disposal of unserviceable items; insurance of all furniture including computer hardware
   Strictly done and no deviation noticed: 4
   Some minor deviation/s noticed: 2
   Gross deviations noticed or not at all carried out: 0

19. Control over AMC including refilling of fire extinguishers
   Periodically renewed strictly: 4
   Renewed but with some delay: 2
   Pending for a long time, say > 6 months: 0

20. Control over old records/vouchers/files/ledgers/registers etc.
   Very good: 4
   Satisfactory: 2
   Unsatisfactory: 0

II. COMPLIANCE RISK (Maximum marks allowed: 40)

1. Submission of control returns (BPR, CA-23 etc.) and also RBI fortnightly statement (RBI secondary account balances) in time after ensuring accuracy
   All the statements are submitted in time with accuracy: 4
   Only a few statements are submitted in time and/or some minor discrepancies noticed: 2
   Delayed submission of statements or non-submission and/or more discrepancies noticed: 0


2. Display of the important exhibits as instructed by HO such as time-schedule for various services, notice prohibiting entry of fire arms, important addresses and telephone numbers, branch name board as per the specification and other exhibits advised from time to time
   All the required exhibits are displayed: 4
   A few exhibits are not displayed: 2
   Majority of the exhibits are not displayed: 1

3. Deduction of Income-Tax, Professional tax etc. as stipulated, i.e. pro-rata on monthly basis from the salary paid to the staff
   Strictly enforced: 4
   Some minor deviation/s noticed; but no loss/penalty incurred: 2
   Gross deviations noticed: 0

4. Remittance of TDS to the credit of Govt. account
   Effected within 7 days from the date of deduction: 6
   Effected with a little delay on a few occasions: 3
   Effected after considerable delay: 0

5. Remittance of service-tax (after netting), Professional Tax, Tax under Shops & Establishment Act, Property Tax and other applicable taxes/charges within the stipulated time to the concerned authorities
   Always remitted within the stipulated time: 4
   Remitted with delay on a few occasions, but no penalty levied: 2
   Always remitted with considerable delay: 0

6. Submission of Annual Return (Form No.24, 26 etc.)
   Submitted within the stipulated time meticulously: 4
   Submitted with a little delay (say a week or so): 2
   Submitted with considerable delay or not submitted: 1

7. Compliance with requirements under Official Language Act, Right To Information Act
   Strictly enforced: 4
   Lopsided implementation: 2
   Gross violation: 0


8. Obtention/periodical renewal of License under Shops & Establishment Act wherever applicable
   License under S&E Act obtained/renewed periodically: 2
   License overdue for renewal: 1
   License not at all obtained: 0

9. Compliance of audit reports
   Complied with conclusively and effectively in time without any exception: 4
   Complied with a few exceptions for which follow-up is not adequate: 2
   Not complied with/compliance is not conclusive in toto: 1

10. Compliance with MAP suggested in the previous RBIA report and/or the periodically updated profiles
   Conclusive compliance of all points: 4
   Complied only a few points: 2
   Not complied with any point: 0


RISK BASED INTERNAL AUDIT RATING SHEET

Sr No | Category of Risk | Maximum Marks Allowed | Marks Awarded | Percentage | Risk Rating Level/Trend

A | BUSINESS RISK | 70
   1. | Earnings Risk | 10
   2. | Operational Risk | 60
B | CONTROL RISK | 110
   1. | Internal Control Risk | 70
   2. | Compliance Risk | 40
C | COMPOSITE RISK*

* The composite risk will be arrived at with the help of the following risk matrix

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks | Control Risks: Low | Control Risks: Medium | Control Risks: High
High   | A High Risk   | B Very High Risk | C Extremely High Risk
Medium | D Medium Risk | E High Risk      | F Very High Risk
Low    | G Low Risk    | H Medium Risk    | I High Risk

BASIS FOR RISK ASSESSMENT

Risk   | Percentage of Marks awarded
Low    | Over 75
Medium | 50 – 75
High   | Below 50

The trend analysis of the composite risk is interpreted as shown below (rows: trend of Inherent Business Risk; columns: trend of Control Risk):

Inherent Business Risk | Control Risk: Decreasing | Control Risk: Stable | Control Risk: Increasing
Increasing | Increasing | Increasing | Increasing
Stable     | Stable     | Increasing | Increasing
Decreasing | Decreasing | Stable     | Increasing

Variation of marks in the same category up to +5% or –5% is considered as STABLE. Variation in the same category of more than +5% or –5% is considered as DECREASING/INCREASING as the case may be.

The above risk rating is approved.

(Signature of the Zonal Audit Chief)


Annexure-3

RISK PROFILE OF ………………………………………. CURRENCY CHEST, …………………………….. ZONE
Position as at ……………………
Ref. No.                                   Date:

TABLE OF CONTENTS

I Background

II Organization and Business Profile of Currency Chest

III Assessment of the Risk Profile

IV Summary Description of Business & Control Risks

V Suggested Monitorable Action Plan for Mitigating Risk

I. BACKGROUND

In the context of having effective RBS in the Bank, the Risk Profile of …………………….. Currency Chest is prepared in line with the Corporate Risk Profile keeping in mind the various risk factors under Business and Control areas that are observed at the Currency Chest level. The underlying objective is to:

Categorise the Currency Chests as having composite risk rating low, medium, high, very high and extremely high

Identify the direction of risk namely increasing/ stable /decreasing

II. ORGANIZATION & BUSINESS PROFILE OF CURRENCY CHEST:

Name of the Currency Chest/Date of Opening:
Currency Chest Code No.:
Type of Currency Chest: A/B/C
Holding Capacity (in pieces, specified if any, by RBI):
Name of the Zone:
Location: Urban/Metropolitan
Staffing Pattern (Total Staff): Officers: / Clerks: / Sub-Staff:
Chest In-charge (Present): Shri / Smt.  From:
Previous Incumbent: Shri / Smt.  From:  To:
Last Risk Audit conducted: From:  To:
Last Risk Audit Rating: Business Risk / Control Risk / Composite Risk


BUSINESS PROFILE

Currency Holding (Amount in Rs.)

Columns: Denomination | As on date of Prior to Last Audit (……………): No. of Pieces, Amount | As on date of Last Audit (……………..): No. of Pieces, Amount | As on date of Present Audit (……………..): No. of Pieces, Amount

Rows (notes): 1000, 500, 100, 50, 20, 10, 5, 2, 1, Total (A)
Rows (coins): 5 (Coin), 2 (Coin), 1 (Coin), Total (B)
Grand Total (A+B)
Of which Non-Issueables

No. of Remittances | For the period covered under Prior to Last Audit | For the period covered under Last Audit | For the period covered under Present Audit
Inward
Outward


Nature of Inspections conducted after the date of Last Audit | Date of Inspection | Major Findings


III. Assessment of the Risk Profile

A. BUSINESS RISK:

Previous Assessment | Present Assessment

1. Operational Risk : Level/Direction:

Assessment area | Positive Factors | Negative Factors
- Competency of staff, proper training in currency chest operations
- Adherence to manual of instructions/ circulars/Guidelines with regard to deposits/withdrawals of cash to/from the chest, remittance to/from RBI/other currency chest
- Renewal of Lease Deed of Currency Chest premises; preparedness for tackling any unanticipated natural/ manmade calamities/ events
- Shortages in currency chest balances due to pilferage/frauds or otherwise and inclusion of amounts of safe custody deposits in chest balances on behalf of Courts, Govt. Depts. etc.; making good the shortages


B. CONTROL RISK:

Previous Assessment | Present Assessment

1. Internal Control Risk : Level/Direction:

Assessment area | Positive Factors | Negative Factors
- Housekeeping – Records maintenance and submission of statements/returns
- Periodical surprise verification of currency chest balances, periodical disinfection of strong room
- Control over safe custody of keys, annual exchange of keys, RBI Code Book, dual control of currency chest
- Control over security aspects of Currency Chest
- Claim of admissible expenses; recovery of applicable service charges from non-chest branches of other bank/s


Previous Assessment | Present Assessment

2. Compliance Risk : Level/Direction:

Assessment Area | Positive Factors | Negative Factors
- Display of duplicate copy of fitness certificate, annual renewal of fitness certificate, timely execution of diversion orders of RBI, non-stapling of currency notes; acceptance of minimum deposit/withdrawal as stipulated by RBI, providing exchange facility
- Timely compliance with the inspection/audit reports and compliance with Monitorable Action Plan suggested in the previous audit report

IV. SUMMARY DESCRIPTION OF BUSINESS & CONTROL RISKS ASSESSED :

Parameters | Level & Trend of risk | Positive Factors | Negative Factors
Business Risk: Operational
Control Risk: Internal Control
Control Risk: Compliance


V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:

Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by Branch/Zonal Office respectively

1.OPERATIONAL RISK

2.INTERNAL CONTROL RISK

3.COMPLIANCE RISK

Prepared by:                          Approved
…………………..                        …..……………………
(Auditor)                             (Zonal Audit Chief)
                                      ……………………. ZAO.

Annexure-4

RISK BASED INTERNAL AUDIT REPORT - CURRENCY CHEST

Name of the Currency Chest: ……………… Currency Chest
Zone:
Opened on:
Chest Code No:
Class of Currency Chest: A/B/C
Business Hours - Week Days:
Holiday on:

                                 Previous             Present
Currency Chest In-Charge         ----------------     -----------------
From                             ----------------     -----------------
To                               -----------------    -----------------
Date of commencement of Audit    -----------------    -----------------
Date of conclusion               -----------------    -----------------
Mandays                          ----------------     ------------------
                                 From       To        From       To
Period covered by audit          -----------------    -------------------
Name of the Team Leader          ------------------   -------------------
Date of Report                   ------------------   -------------------
Date of Despatch                 ------------------   -------------------
Date of Noting/Closure           -------------------

Audit Ratings : (Level & direction)

Major Risk Parameters | Previous to Last Audit: Level, Direction | Last Audit: Level, Direction | Present Audit: Level, Direction
Business Risk
Control Risk
Composite Risk


A. BUSINESS RISK

1. Operational Risk:

Offer comments on:

Items | Positive Factors | Negative Factors
- Competency of the staff, imparting of suitable training on currency chest operations, shift of duties of staff, if any
- Passing of vouchers correctly at the time of deposit/withdrawal to/from currency chest by the branches (Chest Slip TE-2 & Note Delivery Book to be scrutinised for any correction made and whether correction, if any, in Chest Slip is duly authenticated by both the officers-in-charge of the Currency Chest under their full signatures and also whether Chest Slips are serially numbered etc.); number of times such corrections noticed during the period covered under audit
- Frequency of delay in advising Link Branch (for the branches not maintaining a/c with RBI) about the position of total deposits, total withdrawals and net position on daily basis and to RBI by Link Branch
- Frequency of wrong reporting to RBI, cases of counterfeit bank notes found in the remittances from currency chests
- Sorting of notes, cases of return of remittances by RBI for the reason that reissuable bank notes are found to be in excess of 10% in any soiled note remittance, adherence to the extant guidelines in the case of remittances of soiled notes
- Execution/renewal of lease deed of currency chest premises
- Timely submission of indents to RBI Issue Office through Link Offices for fresh notes and coins
- Strict adherence to RBI guidelines in the case of receipt of remittances of fresh notes/coins and also in the case of late receipt of remittance
- Strict adherence to the prescribed guidelines in the case of remittances effected through Railway; exercising proper care while hiring vans on contract basis for remittance purposes (keeping the key of the van under dual control after utilising the van; maintenance of log book; changing the route of travel frequently; allowing only the driver duly authorised by the hiree company and having a copy of his driving licence etc.)
- Adherence to the guidelines stipulated in the case of diversion of surplus amount to deficit chests as per the order of RBI
- Acceptance of ‘fully paid notes’ in multiples of Rs.500/- with a minimum of Rs.1000/-; submission of consolidated reimbursement certificate (DN-5) to RBI in the case of reimbursement certificates received from branches in Form DN-4 with regard to total value of fully paid notes and rejected notes of the mutilated/ soiled notes tendered by the public for refund; segregation of fully paid notes and storing in a separate receptacle bearing a warning “CARE: Paid defective notes not to be sent to RBI as Chest remittance”
- Awareness of the contingency plan as suggested by RBI (vide DO Letter No.622/Dir(B)-79 dated 14.11.1979 of Ministry of Finance, GOI) in times of war and also in the case of earthquake, any civil commotion, floods etc.
- Shortage detected, if any, during the verification of RBI inspectors / our internal inspectors/ auditors / bank’s/Govt’s own officers deputed for the purpose and making good the same; inclusion of amounts of safe custody deposits in chest balances on behalf of Courts, Govt. Depts. etc.

B. CONTROL RISK

1. Internal Control Risk:

Offer Comments on:

Items | Positive Factors | Negative Factors
- Proper record maintenance for Currency Chest Register (TE-1), Note Delivery Book, Chest Slip (TE-2), Value Book (TR-9), Statement of Currency Transfer, Copies of Covering Letter advising the total deposits, withdrawals, net position etc. for the day, Copies of preliminary receipt for remittance received, Copies of remittance invoice (TR-64) to be prepared by the currency chest at Metro Centre/Mofussil Centre, Copies of final receipt to be issued by the receiving office, Copies of Potdar’s certificate, register of Outward Remittance effected deputing potdar
- Maintenance of register by Link Branch for each currency chest containing particulars such as currency chest slip No. and date, total deposits, total withdrawals, net deposit/withdrawal, date on which vouchers are passed/RBI is advised and remarks, if any; maintenance of pass book showing bundles of cash denomination and total value of currency; bin-wise chart showing the updated number of bundles and denomination, pass book in each bin for the details of deposit/ withdrawal of currency
- Adequacy of arrangements for storage and security of currency notes, dual control of currency chests, safe custody of keys and exchange of keys with original once a year, RBI Code Book; Currency Chest Manual
- Provision of Ultra Violet Lamp, weighing machines, dual display note counting machines, sorting machines for proper sorting/ identification of suspect notes, Emergency Lamps, fire extinguishers, Alarm System, hotline facility to nearest police station etc. and also to ensure that all are in working condition
- Periodical surprise verification of currency chest balances by an officer unconnected with the currency chest work and submission of report to ZO/HO, carrying out joint inspection with an audit officer annually
- Periodical disinfection of strong rooms
- Claiming of admissible expenses (railway fares of police escorts, railway freight where railway warrants or Credit Notes are used) from the concerned RBI Issue Office; claiming of service charge at the rate prescribed by RBI for the cash received from non-chest branches of other bank/s

2. Compliance Risk:

Offer comments on:

Items | Positive Factors | Negative Factors
- Display of duplicate copy of fitness certificate duly verified by RBI in a conspicuous place within the strong room; annual renewal of fitness certificate by the Bank’s Architect or Engineer
- Execution of diversion orders of RBI within the stipulated time
- Non-stapling of currency notes, not using gum tapes or rubber bands; strict adherence to RBI norms for acceptance of minimum deposit/ withdrawal amount (at present minimum of Rs.1.00 lakh and thereafter, in multiples of Rs.50,000/-)
- Obtention of prior permission of the concerned Issue Office in case of effecting remittance by road
- Providing exchange facility to Branches as per RBI Note Refund Rules
- Timely and conclusive compliance with the inspection/audit reports; compliance with the previous Monitorable Action Plan suggested


Annexure-5

FORMAT OF EXIT MEETING REPORT

Currency Chest : ____________________     Exit Meeting held on _______________
-------------------------------------------------

1. Date of Meeting :

2. Name and Designation of Officers who attended the meeting :

Audit Team Currency Chest Officials

3. Period of Audit : From ______________ To ______________

4. Rating Level/Trend of the last 2 assessments

                  | Last (Date: ) | Previous to Last (Date: )
Business Risk     |               |
Control Risk      |               |
Composite Risk    |               |

5. Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the Currency Chest).

6. SWOT analysis on functioning of the Currency Chest :

Strength

Weakness

Opportunity

Threat

7. Currency Chest views, if any.

Encl: Copy of Monitorable Action Plan

(Signature of the Team Leader)

Copy received.

Officer-in-Charge
……………….. Currency Chest


Annexure-6

MARK SHEET

Currency Chest : ______________________     Zone: _______________
Class/Category : _______________________    Audited From : _______________ To: _______________

Sr.No. | Parameters for awarding marks | Maximum marks allowed | Marks awarded

A. BUSINESS RISK (Maximum marks allowed: 50)

I. OPERATIONAL RISK (Maximum marks allowed: 50)

1. Competency of staff and imparting suitable training on Currency Chest operations
   Good: 4
   Satisfactory: 2
   Poor: 0

2. Frequency of corrections in Chest Slips
   Nothing noticed: 4
   Noticed on a very few occasions: 2
   Noticed on many occasions: 0

3. Frequency of delay observed in reporting of transaction figures relating to a particular chest in the Link Office Statement/ delay in submission of the Chest Slip to Link Branch/RBI
   Reported on the same day of transactions: 4
   Reported on the next working day: 2
   Reported beyond three clear working days: 0

4. Submission of corrected statement on wrong reporting of figures already made to Link Branch/RBI
   No correction has taken place: 6
   Corrected statement submitted on the next working day: 3
   Corrected statement submitted beyond three clear working days: 0

5. Making good the shortage detected in the chest balances during the verification of RBI inspectors/ our internal inspectors/ auditors/ bank’s/Govt’s own officers deputed for the purpose
   No shortage detected: 6
   Shortage made good on the same day: 3
   Shortage made good beyond one clear working day: 0

6. Keeping amounts in safe custody in sealed covers, trunks, etc. on behalf of Courts, Govt. Depts. etc. and included in the chest balance
   Nothing noticed: 6
   Amounts removed on the next day: 3
   Amounts pending for more than two days (including the day of transaction): 0


7. Frequency of counterfeit bank notes found in the remittances from currency chests
   Not a single occasion arose: 4
   Only once found: 2
   More than one occasion: 0

8. Adherence to manual of instructions/guidelines/circulars of Bank/RBI etc. with regard to remittance of soiled notes to RBI with respect to sorting, mode of transport (rail/road) etc.
   Strict adherence at all times: 6
   Minor deviations noticed but Chest has not incurred any loss in this regard: 3
   Gross violation: 1

9. Execution of diversion orders of RBI (remittance of surplus of fresh/reissuable notes to other chests)
   Strictly as per the orders: 4
   Minor deviations noticed but Chest has not incurred any loss in this regard: 2
   Gross violation: 0

10. Execution/renewal of lease deed of the branch premises
   Executed/renewed and valid: 4
   Expired recently and matter taken up for renewal: 2
   Not at all executed/renewal pending for a long time: 0

11. Awareness of contingency plan in the case of any war/other disasters on the lines of RBI’s directives
   All the staff-members are aware of it: 2
   Only a few members are aware of it: 1
   No one is aware of it: 0


B. CONTROL RISK (Maximum marks allowed: 50)

I. INTERNAL CONTROL RISK (Maximum marks allowed: 25)

1. Maintenance of proper records for Currency Chest Register, Note Delivery Book, Chest Slip, Value Book, Copies of remittance invoice etc.
   Strictly maintained and updated immediately always: 5
   Maintained but updation not done immediately: 3
   A few items either not maintained or updated after considerable time: 1

2. Dual control of currency chest, custody of safe keys, exchange of keys with original once a year, RBI Code Book, Currency Chest Manual
   Always maintained by authorised officials: 5
   Majority of the times, under single authorised official: 3
   Access to other officials also: 0

3. Availability of Ultra Violet Lamp, weighing machines, dual display note counting machines, sorting machines, emergency lamps, fire extinguishers, Alarm System, hotline facility to the nearest police station
   All are available and are in working condition: 5
   Either one or two not provided or are not in working condition: 3
   Many items either not provided or not in working condition: 1

4. Periodical surprise verification of currency chest balance by an officer unconnected with the currency chest work, joint inspection with an audit officer annually and reporting the findings to the controlling authorities/RBI and maintenance of record thereof
   Regularly carried out as per the extant guidelines: 5
   Carried out but not at the stipulated intervals: 3
   Not carried out for a very long time: 0

5. Prompt claiming of admissible expenses (railway fares of police escorts, railway freight where railway warrants or Credit Notes are used) from RBI & claiming of applicable service charges from non-chest branches of other bank/s
   No leakage detected: 5
   Non-recovery/claim observed once or delayed claim/recovery: 2
   Non-recovery/claim observed more than once: 0


II. COMPLIANCE RISK (Maximum marks allowed: 25)

1. Display of the duplicate copy of fitness certificate duly verified by RBI & annual renewal of fitness certificate by Bank’s Architect/Engineer
   Displayed and annual renewal done in time: 5
   Displayed but annual renewal done belatedly: 3
   Neither displayed nor renewed (renewal overdue): 1

2. Execution of diversion orders of RBI in time and adherence to RBI norms for acceptance of deposit/withdrawal of minimum amount and thereafter
   Strictly enforced: 5
   Some minor deviation/s noticed; but no loss/penalty incurred: 3
   Gross deviations noticed: 1

3. Non-stapling of currency notes and not using gum tapes or rubber bands
   Nothing observed: 5
   Either a few currency packets are stapled or gum tapes/rubber bands are used (but removed immediately upon being pointed out by the auditors): 3
   Sizeable number of currency packets observed in stapled condition and/or gum tapes/rubber bands used (not removed till the completion of audit): 1

4. Providing exchange facility to Branches as per RBI Note Refund Rules
   Facility provided and record maintained: 5
   Facility provided but record not maintained: 3
   No facility is provided: 1

5. Timely and conclusive compliance of inspection/audit reports/Monitorable Action Plan
   Complied with conclusively and effectively in time without any exception: 5
   Complied with a few exceptions for which follow-up is not adequate: 2
   Not complied with/compliance is not conclusive in toto: 1


RISK BASED INTERNAL AUDIT RATING SHEET

Sr No | Category of Risk | Maximum Marks Allowed | Marks Awarded | Percentage | Risk Rating Level/Trend

A | BUSINESS RISK | 50
   1. | Operational Risk | 50
B | CONTROL RISK | 50
   1. | Internal Control Risk | 25
   2. | Compliance Risk | 25
C | COMPOSITE RISK*

* The composite risk will be arrived at with the help of the following risk matrix

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks | Control Risks: Low | Control Risks: Medium | Control Risks: High
High   | A High Risk   | B Very High Risk | C Extremely High Risk
Medium | D Medium Risk | E High Risk      | F Very High Risk
Low    | G Low Risk    | H Medium Risk    | I High Risk

BASIS FOR RISK ASSESSMENT

Risk   | Percentage of Marks awarded
Low    | Over 75
Medium | 50 – 75
High   | Below 50

The trend analysis of the composite risk is interpreted as shown below (rows: trend of Inherent Business Risk; columns: trend of Control Risk):

Inherent Business Risk | Control Risk: Decreasing | Control Risk: Stable | Control Risk: Increasing
Increasing | Increasing | Increasing | Increasing
Stable     | Stable     | Increasing | Increasing
Decreasing | Decreasing | Stable     | Increasing

Variation of marks in the same category up to +5% or –5% is considered as STABLE. Variation of marks in the same category of more than +5% or –5% is considered as DECREASING/INCREASING as the case may be.
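The rating computation set out on this rating sheet and on the identical sheet for branches earlier in the annexures (percentage bands, the A to I risk matrix, and the 5% stability band of the trend analysis), written out as an added Python example that is not part of the policy document or of any tool it names. The reading that more marks means the risk is DECREASING, and the sample marks, are assumptions made here.

```python
"""Composite RBIA rating for one audited unit (branch or currency chest).

Added worked example; it is not part of the bank's policy document and not
any tool the document names.  It encodes the rules printed on the rating
sheet: the percentage bands (Low: over 75, Medium: 50-75, High: below 50),
the 3x3 risk matrix (cells A..I) and the +/-5% band of the trend analysis.
The reading that more marks means the risk is DECREASING, and all sample
marks, are assumptions made here.
"""

# Composite level: (business level, control level) -> (matrix cell, rating).
RISK_MATRIX = {
    ("High", "Low"): ("A", "High Risk"),
    ("High", "Medium"): ("B", "Very High Risk"),
    ("High", "High"): ("C", "Extremely High Risk"),
    ("Medium", "Low"): ("D", "Medium Risk"),
    ("Medium", "Medium"): ("E", "High Risk"),
    ("Medium", "High"): ("F", "Very High Risk"),
    ("Low", "Low"): ("G", "Low Risk"),
    ("Low", "Medium"): ("H", "Medium Risk"),
    ("Low", "High"): ("I", "High Risk"),
}

# Composite trend: (business trend, control trend) -> composite trend,
# transcribed from the trend table of the rating sheet.
TREND_MATRIX = {
    ("Increasing", "Decreasing"): "Increasing",
    ("Increasing", "Stable"): "Increasing",
    ("Increasing", "Increasing"): "Increasing",
    ("Stable", "Decreasing"): "Stable",
    ("Stable", "Stable"): "Increasing",
    ("Stable", "Increasing"): "Increasing",
    ("Decreasing", "Decreasing"): "Decreasing",
    ("Decreasing", "Stable"): "Stable",
    ("Decreasing", "Increasing"): "Increasing",
}

STABLE_BAND = 5.0  # percentage points either way that count as STABLE


def percentage(awarded, maximum):
    """Percentage of marks awarded; rejects impossible mark sheets."""
    if maximum <= 0:
        raise ValueError("maximum marks must be positive")
    if not 0 <= awarded <= maximum:
        raise ValueError("marks awarded must lie between 0 and the maximum")
    return 100.0 * awarded / maximum


def level(pct):
    """Risk level from the percentage bands of the rating sheet."""
    if pct > 75:
        return "Low"
    if pct >= 50:
        return "Medium"
    return "High"


def direction(previous_pct, present_pct, band=STABLE_BAND):
    """Trend of one category between two audits.

    Within +/- band it is STABLE.  Assumption: a rise in marks is read as
    the risk DECREASING and a fall as the risk INCREASING.
    """
    delta = present_pct - previous_pct
    if abs(delta) <= band:
        return "Stable"
    return "Decreasing" if delta > 0 else "Increasing"


def rate_unit(previous, present):
    """Fill the rating sheet for one unit.

    `previous` and `present` map 'business' and 'control' to
    (marks awarded, maximum marks) for that audit.
    """
    sheet = {}
    for category in ("business", "control"):
        prev_pct = percentage(*previous[category])
        pres_pct = percentage(*present[category])
        sheet[category] = {
            "percentage": round(pres_pct, 2),
            "level": level(pres_pct),
            "direction": direction(prev_pct, pres_pct),
        }
    levels = (sheet["business"]["level"], sheet["control"]["level"])
    trends = (sheet["business"]["direction"], sheet["control"]["direction"])
    cell, rating = RISK_MATRIX[levels]
    sheet["composite"] = {
        "cell": cell,
        "level": rating,
        "direction": TREND_MATRIX[trends],
    }
    return sheet


# Constructed sample: a branch mark sheet (business 70, control 110 marks).
SAMPLE_PREVIOUS = {"business": (56, 70), "control": (60, 110)}
SAMPLE_PRESENT = {"business": (49, 70), "control": (58, 110)}

if __name__ == "__main__":
    for name, part in rate_unit(SAMPLE_PREVIOUS, SAMPLE_PRESENT).items():
        print(f"{name:9s} {part}")
```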

The above risk rating is approved.

(Signature of the Zonal Audit Chief)


Annexure-3

RISK PROFILE OF …………………………… D.P.O, …………………………….. ZONE
Position as at ……………………
Ref. No.                                   Date:

TABLE OF CONTENTS

I Background

II Organization and Business Profile of DPO

III Assessment of the Risk Profile

IV Summary Description of Business & Control Risks

V Suggested Monitorable Action Plan for Mitigating Risk

I. BACKGROUND

In the context of having effective RBS in the Bank, the Risk Profile of …………………….. D.P.O is prepared in line with the Corporate Risk Profile keeping in mind the various risk factors under Business and Control areas that are observed at the D.P.O. level. The underlying objective is to:

Categorise the D.P.Os as having composite risk rating low, medium, high, very high and extremely high

Identify the direction of risk namely increasing/ stable /decreasing

II. ORGANIZATION & BUSINESS PROFILE OF DPO:

Name of the DPO/Date of Opening:
DPO ID No.:
Name of the Zone:
Category: CDSL / NSDL
Class: Urban/Metropolitan
Management Organization (Total Staff): Officers: / Special Assistants: / Clerks: / Sub-Staff:
DPO In-charge (Present): Shri / Smt.  From:
Previous Incumbent: Shri / Smt.  From:  To:
Last Risk Audit conducted: From:  To:
Last Risk Audit Rating: Business Risk / Control Risk / Composite Risk


BUSINESS PROFILE

Columns: Previous to Last Year | Last Year | Current Year (as on ………..)

Rows:
- No. of Back Office connected Branches (details to be given in separate Annexure)
- Total No. of branches using CDAS for DP operations
- Total No. of Demat Accounts, of which: Total No. of active accounts
- No. of new accounts opened vis-à-vis the target allotted
- No. of accounts closed: Initiated by BOs / Initiated by DPO
- Total No. of account modifications
- Total No. of Dematerialization / Rematerialization instructions
- Total No. of pledge instructions executed (creation)
- Total No. of unpledge instructions executed
- Total No. of instructions accepted/executed for: Freezing accounts / Unfreezing accounts
- Total No. of confiscation instructions executed
- Total No. of transmissions executed
- Off market, on market & inter-depository transfers/instructions

Types of Audits conducted | Date of Report | Ratings awarded during the year
1.
2.
3.
4.
5.

Information Technology Systems used:


III. Assessment of the Risk Profile

A. BUSINESS RISK:

Previous Assessment | Present Assessment

1. Earnings Risk : Level/Direction:

Assessment area | Positive Factors | Negative Factors
- Gross Profit/Loss – Actual v/s Budget

Control over expenses

Recovery of charges from the clients as reported by the branches

Previous Assessment | Present Assessment

2. Operational Risk : Level/Direction:

Assessment area | Positive Factors | Negative Factors

Competency of staff/ Rotation of duties, proper training/ placement

Adherence to manual of instructions/ circulars/SEBI Guidelines

Security and validity of computer systems and other technology

Litigation/claims against the bank

Preparedness for tackling any unanticipated natural/ manmade calamities/ events


B. CONTROL RISK:

Previous Assessment | Present Assessment

1. Internal Control Risk : Level/Direction:

Assessment area | Positive Factors | Negative Factors
- Housekeeping, record/ register maintenance

Reconciliation(demat / remat requests received)

Submission of returns/ control returns- Timeliness/quality

Prevention of frauds

Judicious exercise of Delegations of Powers

Control over sensitive stationery items (DIS, agreements, account opening forms etc.)

DPO security aspects


Previous Assessment Present Assessment

2. Compliance Risk : Level/Direction:

Assessment Area | Positive Factors | Negative Factors

Regulatory: Submission of control returns/other statements in time and accurately; adherence to SEBI/Depository rules

Statutory: Timely remittance of Service Tax; renewal of SEBI license; submission of annual returns to statutory authorities etc.

Monitorable Action Plan: Compliance with MAP suggested in the previous RBIA/updated risk profile and also compliance with other audit reports.

IV. SUMMARY DESCRIPTION OF BUSINESS & CONTROL RISKS ASSESSED :

Parameters | Level & Trend of risk | Positive Factors | Negative Factors

Business Risk
  Earnings
  Operational

Control Risk
  Internal Control
  Compliance


V. SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:

Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by D.P.O./Zonal Office respectively

1. EARNINGS RISK

2. OPERATIONAL RISK

3. INTERNAL CONTROL RISK

4. COMPLIANCE RISK

Prepared by: …………………..  (Auditor)

Approved: …..……………………  (Zonal Audit Chief), ……………………. ZAO.


Annexure-4

RISK BASED INTERNAL AUDIT REPORT

…………………………. DPO ………………………….. ZONE

Name of the DPO: ……………………………   Zone:
Opened on:
DP - ID No:
Category : NSDL / CDSL
Class : Urban/Metropolitan
Business Hours - Week Days :
Holiday on:
DPO under Concurrent Audit : YES/NO
Last Inspection conducted by Depository on:

                                Previous            Present
Office In-Charge                ----------------    -----------------
  From                          ----------------    -----------------
  To                            -----------------   -----------------
Date of commencement of Audit   -----------------   -----------------
Date of conclusion              -----------------   -----------------
Mandays                         ----------------    ------------------

                                From       To       From       To
Period covered by audit         -----------------   -------------------
Name of the Team Leader         ------------------  -------------------
Date of Report                  ------------------  -------------------
Date of Despatch                ------------------  -------------------
Date of Noting/Closure          -------------------

Audit Ratings : (Level & direction)

Major Risk Parameters | Previous to Last Audit (Level, Direction) | Last Audit (Level, Direction) | Present Audit (Level, Direction)

Business Risk
Control Risk
Composite Risk


BUSINESS PROFILE:

Columns: Previous to Last Year | Last Year | Current Year (as on ………..)

No. of Back Office connected Branches (details to be given in separate Annexure)
Total No. of branches using CDAS for DP operations
Total No. of Demat Accounts
  Of which: Total No. of active accounts
No. of new accounts opened vis-à-vis the target allotted
No. of accounts closed
  i) Initiated by BOs
  ii) Initiated by DPO
Total No. of account modifications
Total No. of Dematerialization / Rematerialization instructions
Total No. of pledge instructions executed (creation)
Total No. of unpledge instructions executed
Total No. of instructions accepted/executed for
  i) Freezing accounts
  ii) Unfreezing accounts
Total No. of confiscation instructions executed
Total No. of transmissions executed
Off market, on market & inter-depository transfers/instructions


A. BUSINESS RISK

1. Earnings Risk: (Rs. in lakh)

Columns: Year before Last as on 31.03.200 | Last Year as on 31.03.200 | Current Year as on (quarter/month) ……………
(each year: Budget | Actual)

A – Income
  Account Opening Charges
  Account Maintenance Charges
  Dematerialisation Charges
  Pledge Charges
  Unpledge Charges
  On/Off Market Transaction charges

B – Expenses
  Staff Cost
  Other Expenses, of which Depository fees to DPs
  Controllable Expenses
  Total Expenses

C – Profit
  Operating Profit/Loss
  Charges not recovered by the branches (NPA accounts as reported by the branches)
  Net Profit/Loss

Offer comments on: (Please list out the lapses noticed item-wise and account-wise)

Items/Areas | Positive Factors | Negative Factors

Charges levied for various transactions as per extant guidelines
Adherence to billing cycle
Recovery of charges within the stipulated time
Non-charging of fees in cases where the Participant stops sending transaction statements to clients under the circumstances mentioned in NSDL Circular 2004/1515 dt 24.08.04 & 2005/1692 dt. 09.09.05
Waiver of fees in the case of transmission
Payment of bills raised by Depository within the stipulated time including grace period


2. Operational Risk:

Offer comments on: (Please list out the lapses noticed item-wise and account-wise)

Items/Areas | Positive Factors | Negative Factors

Having at least one staff member of back office connected branches on the payroll of DPO
Knowledge on overview of capital market, pay-in/pay-out mechanism of stock exchanges, depository rules, bye-laws, operating instructions etc., and imparting necessary training for updating the knowledge of the staff handling the portfolio
Availability of qualified staff: NCFM certification in the case of NSDL and BCCD certification in the case of CDSL, and also staff trained and qualified by them to handle DP work at DPO
Obtention/verification of proof of identity and residence in the case of account opening
Obtention of necessary documents/information from clients as prescribed by CDSL/NSDL at the time of account opening (demat accounts should not be opened in the name of a partnership firm except for commodities)


Opening of large number of accounts with the same or similar names and/or same address and/or with the same bank account details; verification of the genuineness of the particulars
Adherence to the procedures prescribed for opening and operating accounts of illiterate/disabled persons
Opening of accounts of HUF without nominee/joint holders and also under the stamp of HUF
Scanning of Beneficiary Owners' (BO) signatures
Execution/Updation of nomination as per the procedure prescribed in the DP Operating Instructions
Modification of account details (only after receipt of letter/form duly signed by the BOs and also after collecting new proof of address in the case of change of address)
Acceptance/processing of demat requests as per procedures, along with inward date and stamp of the DP, within the stipulated time
Processing of Transmission-cum-demat requests as per the prescribed procedure


Acceptance of Delivery Instructions and also dating and stamping of the same, including DIS received beyond the deadline at client's risk
Execution of Delivery Instructions as per the extant guidelines (obtention of DIS in the prescribed format, due verification of signature, verification of DIS by two officials in case of DIS with value of securities over the limit specified by SEBI/Depository, ensuring receipt of original instructions within two days in case fax instructions are accepted, filling up of column for cash transfer, striking off blank columns, execution on the same day/before the settlement deadline as the case may be, etc.)
Closure of demat account [receipt/scrutiny of Account Closing Form (ACF), sending confirmation for closing of account to BO, following the prescribed procedure in the case of BO wanting to close account with pending demat position, following the procedure for transferring account from one DP to another etc.]


Carrying out remat/repurchase/stock lending transactions in accordance with the stipulated procedures (obtention of RRF, verification of the signature, proper filling up of the form, availability of the balance of the security, forwarding RRF to the Issuer/R&T Agent etc.)
Freezing/Unfreezing of transactions in accordance with the stipulated procedures
Dealing with pledging, un-pledging and invocation of pledge as per the stipulated procedure (pledgor and pledgee having account in CDS to create a pledge, security in demat form, securities to be fully paid-up, unencumbered and in marketable lots, account of pledgor and pledgee not tagged for closure, non-allowing part unpledging/invocation under one PSN, obtention of Pledge Request Form (PRF) countersigned by pledgee, non-cancellation of pledge by CDS without prior concurrence of the pledgee, obtention of URF countersigned by the pledgee for unpledging, obtention of proper Invocation Request Form from the pledgee etc.)


Dealing with the transmission transaction in accordance with the stipulated procedure (proper filling up of the Transmission Request Form by the Transmittee, ensuring that the Transmittee has an account with CDS, obtention of death certificate of the deceased BO, succession certificate/letter of administration/probate of the will of the deceased, letter of surety, letter of indemnity etc.)
Regular upgradation of back office operations including website, daily back up of data residing in back office (or any data maintained in electronic form) with respect to DP operations, off-site safe keeping of back ups, using the back office software for the purpose of depository related activities (data entry with respect to account opening, demat, remat/repurchase, settlement, pledge, stock lending and borrowing, statement of transactions etc.), ensuring the formats used by the DP are in conformity with the prescribed format of the Depositories etc.
Number of persons authorized to access CDAS system and their training experience, maintaining of secrecy of passwords at all levels, deletion of old reports from the system


Installation/upgradation of Anti-virus software, adequate protection of CDAS in a secure area with adequate power supply (UPS or voltage stabilizer), maintenance of DP terminal (like database purging, application of new releases etc.) as per the extant operating instructions and Communiques of the Depositories, connection of CDAS to any other network without approval of DOT and/or the Depository
Execution/stamping of agreement/supplementary agreement, letter of confirmation etc. in accordance with the Depository's prescribed procedure, proper execution/notarizing of Power of Attorney (POA) documents
Maintaining adequate documents for closure/freezing/unfreezing of client account (this includes the procedure followed by the Participant in respect of accounts which did not have balance at the time of closing the account)
Availability of contingency plan and successful test checks of contingency plan in the event of failure of users' hardware system/loss of connectivity with the Depository
Dealing with claims/litigation against the Bank


B. CONTROL RISK

1. Internal Control Risk:

Offer comments on: (Please list out the lapses noticed item-wise and account-wise)

Items/Areas | Positive Factors | Negative Factors

Adequate infrastructure, including staff, commensurate with the level of activity, control over accountability, proper role definitions and segregation of duties
Control over reporting of exceptional events like problem in hardware or any component of hardware/software, back up, UPS, telephone line, reduction in space to business ratio, staff to business ratio, decreasing speed of machine etc.
Reporting of exceptional transaction-related issues like failure in delivery instruction, failure of transactions leading to action by clients, delay in confirmation to clients, loss of certificates sent for demat, complaints from clients that they have not received credit for the securities etc.
Attempted frauds, misappropriation of securities etc. by clients or by any employee of the participant/franchisee, mutilating/defacing of certificates received for dematerialization in the prescribed manner


Control over safe keeping/issuing/record maintenance of physical securities till dispatch to the Issuer/RTA and also the returned certificates to the concerned BOs, Delivery Instruction Slip Booklets, Loose Delivery Instruction Slips, account opening form, Clients' signatures in physical form, copies of PRF, URF, IRF, RRF etc.
Record maintenance for account opening forms, agreements and supporting documents of all BOs, documents/certificates received/sent for dematerialisation, instruction slips signed by clients for account transfer, delivery out, pledge, securities lending and borrowing, inter-settlement transfer, inter depository transfer instructions, account closure etc.
Maintenance of Register for Investor Grievance, Backup, Power of Attorney, Nomination etc. and also maintenance of Circulars/Instructions/Guidelines etc. received from the concerned Depository/SEBI/Others
Redressal of investor queries/complaints


Daily reconciliation of requests received for account opening/demat/remat, instructions executed, pending at the end of day, balance held in different accounts in the DPM with balances held in the DM, and providing the details of changes made in the accounts of the clients from the last EOD processing to the Depository
Control over physical security of office (restricting unsolicited persons) and other records (keeping all the records under lock and key control)

2. Compliance Risk:

Offer comments on: (Please list out the lapses noticed item-wise and account-wise)

Items/Areas | Positive Factors | Negative Factors

Strict adherence to KYC norms at the time of opening accounts by way of establishing the identity of the person by verifying with the original of any of the identity documents such as passport, voter's ID card, PAN Card etc.; obtention of PAN details for existing accounts opened before 01.04.2006 (it is mandatory to obtain PAN details for new a/cs opened); confirmation of details of PAN from the Income-Tax Dept. website


Sending the transaction statements at intervals and also in the required format as prescribed by the Depository to the BOs of all branch DPs
Sending of demat requests received from BOs to the Issuer/RTA within seven days from the date of receipt
In case of account closure initiated by BO, compliance with the procedure for closure/transfer of balances/rematerialisation within 2 days of receipt of account closure request
Giving 30 days notice to BO before closing accounts in the case of account closure initiated by DP
Recording and redressing all the grievances of BOs arising at the main DP or at the branch/back office/collection center within the stipulated 30 days
Furnishing copy of the agreement, schedule of charges and client master report to each client
Sending of monthly investor grievances report to NSDL before the 10th of the next month


Submission of periodical information/reports such as Annual Report, Networth Certificate and Computation Sheet, Internal Audit Report along with compliance, SEBI annual fees and dues to the Depository, replies to specific information/compliance required by the Depository etc. to the Depository
Timely submission of compliance with the previous internal audit/concurrent audit/other audit reports
Intimating the change in office address and/or investor relation officers/compliance officers of DPO to NSDL/CDSL
Display of SEBI Licence and periodical renewal thereof
Timely remittance of service tax and also Annual Tax returns to the concerned authorities


SUGGESTED MONITORABLE ACTION PLAN FOR MITIGATING RISK:

Parameter | Risk Level/Direction | Action Plan suggested for the purpose of drawing necessary action points and implementation/monitoring of the same by D.P.O./Zonal Office respectively

1. EARNINGS RISK

2. OPERATIONAL RISK

3. INTERNAL CONTROL RISK

4. COMPLIANCE RISK


Annexure-5

FORMAT OF EXIT MEETING REPORT

DPO : ____________________   Exit Meeting held on _______________
-------------------------------------------------

1. Date of Meeting :

2. Name and Designation of Officers who attended the meeting :

Audit Team Branch Officials

3. Period of Audit : From ______________ To ______________

4. Rating: Level/Trend of the last 2 assessments

                  Last (Date:          )    Previous to Last (Date:          )
Business Risk
Control Risk
Composite Risk

5. a) Highlights of performance

Items | Budget/Target | Achievement | Remarks

Operating Profit/Loss
Demat a/c opening and other business budget
House-Keeping
Any Other Item (please specify)

b) Risk areas identified (a copy of the Monitorable Action Plan to be submitted to the DPO).


6. SWOT analysis on functioning of the DPO :

Strength

Weakness

Opportunity

Threat

7. DPO’s views, if any.

Encl: Copy of Monitorable Action Plan

Copy received.

(Signature of the Team Leader)                      Manager, ……………….. DPO


Annexure-6

MARK SHEET

DPO : ______________________   Zone: _______________   Category : CDSL / NSDL
Audited From : _______________   To: _______________

Sr.No. | Parameters for awarding marks | Maximum marks allowed | Marks awarded

A. BUSINESS RISK (100)

I. EARNINGS RISK (30)

1. Controllable expenses
   Not increasing, or increasing in proportion to the business requirements: 5
   Moderately increasing, more than in proportion to the business requirements: 2
   Exorbitantly increasing: 0

2. Achievement of operating profit/loss budget
   Achieved: 5
   Achievement falling short by < 10%: 2
   Achievement falling short by > 10%: 1

3. Levying of charges for various transactions as per extant guidelines (i.e. detection of revenue leakage)
   Levied in all transactions, no revenue leakage detected: 6
   Revenue leakage detected to the extent of Rs.10,000/-: 4
   Revenue leakage detected more than Rs.10,000/-: 2

4. Payment of Bills raised by Depository within the stipulated time
   Always: 6
   Violation observed only once during the period covered under audit: 2
   Violation observed more than once: 0

5. Recovery of charges from the customers (as reported by the branches where the customers are maintaining charge account)
   Fully recovered: 8
   Pending recovery to the extent of 5% of bills raised: 4
   Pending recovery to the extent of more than 5%: 2


II. OPERATIONAL RISK (70)

1. Availability of qualified staff and positioning of staff in key areas (allocation of duties) as per their competency
   Good: 6
   Satisfactory: 4
   Poor: 2

2. Obtention of all the relevant documents at the time of opening demat accounts
   Obtained all the times: 6
   Not obtained in one or two cases but no damage done: 4
   Not obtained in many cases: 2

3. Opening of large number of accounts (say 20 or more) with the same or similar names / other particulars
   Not observed: 6
   One or two occasions observed but no damage done: 4
   More than two occasions: 0

4. Frequency of execution errors in transactions such as wrong punching of shares as to number, name of the company etc.
   Nothing noticed: 6
   Noticed on one or two occasions but no damage: 4
   Noticed on many occasions: 0

5. Processing of demat requests
   No aberration observed: 6
   One or two aberrations noticed but no damage: 4
   More than two aberrations: 2

6. Execution of Delivery Instructions
   Strict adherence always: 6
   Aberrations observed one or two times but no loss: 4
   Violation more than two times: 2

7. Remat/Freezing/Unfreezing operations
   Strict adherence as per the guidelines: 6
   Violation observed one or two times but no loss incurred: 4
   Violation observed on more than two occasions: 2

8. Pledging/unpledging/stock lending/borrowing operations
   Strict adherence as per the extant guidelines: 6
   Breaches observed on one or two occasions but no damage: 4
   Violation noticed on more than two occasions: 2


9. Access to different Servers/UPS/Hardwares/Softwares/V-sat etc.
   Allowed only to the authorised personnel always: 6
   Rarely other staff members also allowed: 4
   No restriction: 0

10. Taking daily back-up, off-site storage of back-up, regular upgradation of back office operations, upgradation of Anti-virus software, maintenance of secrecy of passwords at all levels
   Not a single aberration observed: 6
   Violation observed on one or two occasions but no damage: 4
   Gross violation observed: 2

11. Documentation including execution of stamped agreement/supplementary agreement, notarizing Power of Attorney documents, processing of transmission requests etc.
   Perfect execution; no irregularity observed: 6
   Very few minor irregularities noticed but no loss observed: 4
   Many irregularities observed: 2

12. Successful Test Check of Contingency Plan like switching to dial-up mode in case of V-sat failure etc.
   Successful at all times: 4
   Failure observed once; but minimum fine paid: 2
   Failure observed more than once: 0


B. CONTROL RISK (100)

I. INTERNAL CONTROL RISK (50)

1. Adequacy of staff strength, role definitions, segregation of duties and periodical training
   Good: 8
   Satisfactory: 4
   Poor: 2

2. Control over safe custody/movement of physical securities and other records
   Good control observed always: 8
   Laxity observed on a very few occasions: 4
   No control: 2

3. Incidence of frauds (either manual or system related), prevention of frauds
   Nothing noticed during the period covered under audit: 10
   Fraud attempted; but averted and no damage done: 5
   Fraud noticed: 0

4. Record maintenance for account opening forms, agreements executed, certificates received/sent for demat, DIS register etc.
   All the records maintained up to date: 8
   Either one or two records not maintained or all the records not updated; but no damage done: 4
   Records not maintained for many items and records not updated: 2

5. Control over security of office premises/records (screening of persons entering into/getting out of office, safe custody of other office records, proper placing/refilling of fire extinguishers, control over AMC etc.)
   Strict control exercised at all times: 8
   Laxity observed on a few occasions; but no damage done: 4
   Loose control always: 2

6. Maintenance of complaint register, redressal of customer complaints/queries
   No complaint received: 8
   Very few complaints received; but redressed within the stipulated time: 4
   Many complaints received/pending: 2


II. COMPLIANCE RISK (50)

1. Submission of periodical reports such as Annual Report, Audit Report, Grievances Report etc. to the Depository/SEBI
   All the statements/reports are submitted in time with accuracy: 10
   Only a few statements are submitted in time and/or some minor discrepancies noticed: 4
   Delayed submission of statements or non-submission and/or more discrepancies noticed: 2

2. Timely remittance of Service Tax and periodical submission of required return to the concerned authorities, display of SEBI Licence and periodical renewal thereof
   Strictly enforced: 10
   Some minor deviation/s noticed; but no loss/penalty incurred: 4
   Gross deviations noticed: 2

3. Compliance of various audit/inspection reports including compliance with MAP
   Complied with conclusively and effectively in time without any exception: 10
   Complied with a few exceptions for which follow-up is not adequate: 4
   Not complied with/compliance is not conclusive in toto: 2

4. Adherence to KYC norms
   Adhered strictly at all times: 10
   A very few aberrations noticed; but no damage done: 4
   Many lapses observed: 2

5. Adherence to the time limit for execution of DIS, demating, account closing etc.
   Strict adherence always: 10
   Lapses noticed on one or two occasions but no damage done: 4
   Gross violation observed: 2


RISK BASED INTERNAL AUDIT RATING SHEET

Sr No | Category of Risk | Maximum Marks Allowed | Marks Awarded | Percentage | Risk Rating Level/Trend

A  BUSINESS RISK              100
   1. Earnings Risk            30
   2. Operational Risk         70
B  CONTROL RISK               100
   1. Internal Control Risk    50
   2. Compliance Risk          50
C  COMPOSITE RISK*

* The composite risk will be arrived at with the help of the following risk matrix

Risk Matrix (rows: Inherent Business Risks; columns: Control Risks)

Inherent Business Risks | Control Risks: Low | Control Risks: Medium | Control Risks: High
High                    | A  High Risk       | B  Very High Risk     | C  Extremely High Risk
Medium                  | D  Medium Risk     | E  High Risk          | F  Very High Risk
Low                     | G  Low Risk        | H  Medium Risk        | I  High Risk

BASIS FOR RISK ASSESSMENT

Risk   | Percentage of Marks awarded
Low    | Over 75
Medium | 50 – 75
High   | Below 50

The trend analysis of the composite risk is interpreted as shown below:

Trend table (rows: Inherent Business Risk trend; columns: Control Risk trend)

Inherent Business Risk | Control Risk: Decreasing | Control Risk: Stable | Control Risk: Increasing
Increasing             | Increasing               | Increasing           | Increasing
Stable                 | Stable                   | Increasing           | Increasing
Decreasing             | Decreasing               | Stable               | Increasing

Variation of marks in the same category up to +5% or –5% is considered STABLE. Variation in the same category of more than +5% or –5% is considered DECREASING/INCREASING as the case may be.
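The rating procedure above (category percentage from the mark sheet, level thresholds, composite risk from the risk matrix, and trend from the trend table) carried through in Python, as an added example that is not part of the policy document. It assumes the +5%/–5% tolerance means percentage points of marks awarded and that more marks awarded means a Decreasing risk trend; the DPO marks are constructed.

```python
# Added example (not from the policy): computes the RBIA rating sheet from
# mark-sheet scores. Assumptions, marked below: the +/-5% trend tolerance is
# taken as percentage points, and more marks awarded means risk is Decreasing.
# Maximum marks per parameter group, as on the mark sheet (Annexure-6).
MAX_MARKS = {
    "business": {"earnings": 30, "operational": 70},
    "control": {"internal_control": 50, "compliance": 50},
}

RISK_MATRIX = {  # (inherent business risk, control risk) -> (cell, composite risk)
    ("High", "Low"): ("A", "High Risk"), ("High", "Medium"): ("B", "Very High Risk"),
    ("High", "High"): ("C", "Extremely High Risk"),
    ("Medium", "Low"): ("D", "Medium Risk"), ("Medium", "Medium"): ("E", "High Risk"),
    ("Medium", "High"): ("F", "Very High Risk"),
    ("Low", "Low"): ("G", "Low Risk"), ("Low", "Medium"): ("H", "Medium Risk"),
    ("Low", "High"): ("I", "High Risk"),
}

TREND_MATRIX = {  # (business risk trend, control risk trend) -> composite trend,
    # transcribed as the trend table reads on the page
    ("Increasing", "Decreasing"): "Increasing", ("Increasing", "Stable"): "Increasing",
    ("Increasing", "Increasing"): "Increasing",
    ("Stable", "Decreasing"): "Stable", ("Stable", "Stable"): "Increasing",
    ("Stable", "Increasing"): "Increasing",
    ("Decreasing", "Decreasing"): "Decreasing", ("Decreasing", "Stable"): "Stable",
    ("Decreasing", "Increasing"): "Increasing",
}


def category_percentage(category, awarded):
    """Percentage of marks in a category; rejects missing parameters and marks
    outside 0..maximum so a mis-keyed sheet cannot inflate the rating."""
    maxima = MAX_MARKS[category]
    if set(awarded) != set(maxima):
        raise ValueError(f"{category}: expected parameters {sorted(maxima)}")
    total = 0
    for name, marks in awarded.items():
        if not 0 <= marks <= maxima[name]:
            raise ValueError(f"{category}.{name}: {marks} not in 0..{maxima[name]}")
        total += marks
    return 100.0 * total / sum(maxima.values())


def level_from_percentage(pct):
    """Basis for risk assessment: over 75 Low, 50-75 Medium, below 50 High."""
    if pct > 75:
        return "Low"
    if pct >= 50:
        return "Medium"
    return "High"


def trend_from_percentages(previous_pct, current_pct, tolerance=5.0):
    """Within +/-tolerance (assumed: percentage points) is Stable; a larger
    rise in marks is read as Decreasing risk, a larger fall as Increasing."""
    delta = current_pct - previous_pct
    if abs(delta) <= tolerance:
        return "Stable"
    return "Decreasing" if delta > 0 else "Increasing"


def rate(current, previous):
    """Fill the rating sheet for the present audit, given last audit's marks."""
    result = {}
    for category in ("business", "control"):
        pct = category_percentage(category, current[category])
        prev_pct = category_percentage(category, previous[category])
        result[category] = {"percentage": pct, "level": level_from_percentage(pct),
                            "trend": trend_from_percentages(prev_pct, pct)}
    cell, composite = RISK_MATRIX[(result["business"]["level"],
                                   result["control"]["level"])]
    result["composite"] = {"cell": cell, "level": composite,
                           "trend": TREND_MATRIX[(result["business"]["trend"],
                                                  result["control"]["trend"])]}
    return result


# Constructed marks for one DPO: last audit and present audit.
LAST_AUDIT = {"business": {"earnings": 20, "operational": 45},
              "control": {"internal_control": 38, "compliance": 42}}
PRESENT_AUDIT = {"business": {"earnings": 22, "operational": 50},
                 "control": {"internal_control": 40, "compliance": 42}}

if __name__ == "__main__":
    print(rate(PRESENT_AUDIT, LAST_AUDIT))
```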

The above risk rating is approved.

(Signature of the Zonal Audit Chief)
