S No.  Component  Description

A. Risk Management: As part of risk identification and assessment, banks should identify events or activities that could disrupt operations or negatively affect reputation or earnings, and assess compliance with regulatory requirements.

B. IT Operations Processes:
(i) IT Strategy: A well-defined IT strategy framework will assist IT operations in supporting IT services as required by the business and defined in SLAs.
(ii) Design: The components which should be considered when designing a new IT service or making a change to an existing IT service include business processes, service level agreements, IT infrastructure, IT environment, etc.
(iii) Transition: The transition phase provides frameworks and processes that may be utilized by banks to:
• Evaluate the service capabilities and risk profile of a new or changed service before it is released into the production environment
• Evaluate and maintain the integrity of all identified service assets and configuration items required to support the service
(iv) Operation: The various aspects that banks need to consider include event management, incident management, problem management and access management.
S No.  Component  Description

(i) IS Audit: Because IS Audit is an integral part of Internal Audit, IS auditors will also be required to be independent, competent and to exercise due professional care.
(ii) Outsourcing relating to IS Audit: Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in light of known and expected changes, as part of the strategic planning or review process.
2. Audit Charter, Audit Policy to include IS Audit: An Audit Charter / Audit Policy is a document which guides and directs the activities of the Internal Audit function. IS Audit, being an integral part of the Internal Audit function, should also be governed by the same Audit Charter / Audit Policy. The document should be approved by the Board of Directors. The IS Audit policy/charter should be subjected to an annual review to ensure its continued relevance and effectiveness.
3. Planning an IS Audit: Banks need to carry out IS Audit planning using the Risk Based Audit Approach. The approach involves aspects like IT risk assessment methodology, defining the IS Audit Universe, scoping and planning the audit, execution and follow-up activities.
4. Executing IS Audit: During the audit, auditors should obtain evidence, perform test procedures, appropriately document findings, and conclude with a report.
6. Reporting and Follow-up: This phase involves reporting audit findings to the CAE and the Audit Committee. Before reporting the findings, it is imperative that IS Auditors prepare an audit summary memorandum providing an overview of the entire audit process, from planning to audit findings.
7. Quality Review: This is to assess audit quality by reviewing documentation, ensuring appropriate supervision of IS Audit members and assessing whether IS Audit members have taken due care while performing their duties.
S No.  Component  Description

(i) Fraud prevention practices: These include fraud vulnerability assessments (for business functions and also delivery channels), review of new products and processes, putting in place fraud loss limits, root cause analysis for actual fraud cases above Rs. 10 lakhs, reviewing cases where a unique modus operandi is involved, ensuring adequate data/information security measures, following KYC and Know Your Employee/Vendor procedures, ensuring adequate physical security, sharing of best practices of fraud prevention and creation of fraud awareness among staff and customers.
(ii) Fraud detection: Quick fraud detection capability would enable a bank to reduce losses and also serve as a deterrent to fraudsters. Measures include setting up a transaction monitoring group within the fraud risk management group, alert generation and redressal mechanisms, a dedicated id and phone number for reporting suspected frauds, mystery shopping and reviews.
(iii) Fraud investigation: The examination of a suspected fraud or an exceptional transaction or a customer dispute/alert in a bank shall be undertaken by the Fraud risk management group and a special committee.
(iv) Reporting of frauds: As per the RBI circular dated July 1, 2010, fraud reports should be submitted in all cases of fraud of Rs. 1 lakh and above perpetrated through misrepresentation, breach of trust, manipulation of books of account, fraudulent encashment of instruments like cheques, drafts and bills of exchange, unauthorized handling of securities charged to the bank, misfeasance, embezzlement, misappropriation of funds, conversion of property, cheating, shortages, irregularities, etc.
(v) Customer awareness: Banks should thus aim at continuously educating their customers and soliciting their participation in various preventive/detective measures.
(vi) Employee awareness and training: Employee awareness is crucial to fraud prevention. Training on fraud prevention practices should be provided by the fraud risk management group at various forums.
R&R
S No.  Roles & Responsibilities  Responsibility description

(a) Board of Directors and Senior Management: Indian banks follow the RBI guideline of reporting all frauds above Rs. 1 crore to their respective Audit Committee of the Board.
1.1. BCP Head or Business Continuity Coordinator: A senior official needs to be designated as the Head of the BCP activity or function.
1.2. BCP Committee or Crisis Management Team: Present in each department to implement the BCP department-wise.
1.3. BCP Teams: There need to be adequate teams for the various aspects of BCP at the central office, as well as at individual controlling offices or at branch level, as required.
S No.  Component  Description

2.1 BCP Methodology: Banks should consider various BCP methodologies and standards, like BS 25999, as inputs for their BCP framework.
2.3 Key Factors to be considered for BCP Design: The following factors should be considered while designing the BCP:
• Probability of unplanned events, including natural or man-made disasters, earthquakes, fire, hurricanes or bio-chemical disaster
• Security threats
• Increasing infrastructure and application interdependencies
• Regulatory and compliance requirements, which are growing increasingly complex
• Failure of key third party arrangements
• Globalization and the challenges of operating in multiple countries
3. Testing a BCP: Banks must regularly test the BCP to ensure that it is up to date and effective. Testing of the BCP should include all aspects and constituents of a bank, i.e. people, processes and resources (including technology). Banks should consider having unplanned BCP drills, and should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of the BCP. Various other techniques shall be used for testing the effectiveness of the BCP.
4. Maintenance and Re-assessment of Plans: BCPs should be maintained by annual reviews and updates to ensure their continued effectiveness. Changes should follow the bank's formal change management process in place for its policy or procedure documents. A copy of the BCP, approved by the Board, should be forwarded for perusal to the RBI on an annual basis.
5. Procedural aspects of BCP: Banks should also consider the need to put in place necessary backup sites for their critical payment systems which interact with the systems at the Data centers of the Reserve Bank.
6. Infrastructural aspects of BCP: Banks should consider paying special attention to the availability of basic amenities such as electricity, water and a first-aid box in all offices.
7. Human aspects of BCP: Banks must consider training more than one staff member for specific critical jobs. They must consider cross-training employees for critical functions and documenting operating procedures.
8. Technology aspects of BCP: Applications and services in the banking system that are highly mission critical in nature require high availability and fault tolerance, which should be considered while designing and implementing the solution.
S No.  Component  Description

1. ‘Material’ Outsourcing: Banks need to assess the degree of ‘materiality’ inherent in the outsourced functions. Outsourcing of non-financial processes, such as technology operations, is ‘material’ and, if disrupted, has the potential to significantly impact the business operations, reputation and stability of a bank.
2. Risk Management in outsourcing arrangements: Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in light of known and expected changes, as part of the strategic planning or review process.
(i) Risk Evaluation and Measurement: Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in the light of known and expected changes, as part of the strategic planning or review processes.
(ii) Service Provider Selection: Management should identify functions to be outsourced along with necessary controls and solicit responses from prospective bidders via an RFP process. While negotiating/renewing an outsourcing arrangement, appropriate diligence should be performed to assess the capability of the technology service provider to comply with obligations in the outsourcing agreement. Due diligence should involve an evaluation of all information about the service provider, including qualitative, quantitative, financial, operational and reputational factors.