Ref No. NB. DoS. Pol. HO/ 794 / J-1/2019-20
21st May 2019
Circular No. 134 /DoS - 13/2019
All Regional Rural Banks
The Managing Director
All State Cooperative Banks
The Managing Director/Chief Executive Officer
All District Central Cooperative Banks
Information System (IS) Audit
Please refer to our Circular Letter No. NB. DoS. HO. Pol./ 3634 / J-1/2014-15 (DoS Circular No.33/DoS-01/2015) dated 25th February 2015, enclosing the guidelines of Information System (IS) Audit in Banks. The guidelines interalia, provided the following: -
i. Checklist for the guidance of Auditor carrying out IS Audit
ii. Scope of IS Audit and Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
2. Banks were instructed to adopt an IS Audit Policy, adopt appropriate system and practices for conducting IS Audit by a qualified audit firm or by a team of competent IS personnel on annual basis, covering all the critically important branches and functions at HO/Controlling Offices. Such IS Audits were to be undertaken prior to Statutory Audit so that the Statutory Auditors could incorporate comments from the IS Audit Report. Further, the IS Audit Reports were to be placed before the Top Management/Audit Committee of the Board/Board of Directors and the compliance was to be furnished within a stipulated time frame.
3. The Board of Supervision (BoS) has expressed concern over the implementation of IS Audit Guidelines by banks and suggested for immediate remedial action. In this connection, you are advised to ensure compliance to the instructions given in our Circular dated 25th February 2015 ibid and certify to our concerned Regional Offices that –
i. the bank has an IS Audit Policy. If so, the date of Board approval.
ii. the bank has adopted appropriate system and practices for conducting IS Audit by a qualified audit firm or by a team of competent IS personnel on annual basis covering all the critically important branches and functions at HO/Controlling Offices. The date of the last such IS Audit conducted may be indicated.
iii. in the event that the bank has not adopted an IS Audit Policy with the approval of the Board, the same may be done within 3 months from the date of this circular.
4. Banks are advised to undertake to ensure that the IS Audit prior to conduct of Statutory Audit to facilitate Statutory Auditors to incorporate comments from the IS Audit Report.
5. Banks may note to ensure that the IS Audit Reports are placed before the Top Management/Audit Committee of the Board/Board of Directors.
6. The compliance to the IS Audit may be furnished within a stipulated time frame of one month from the date of issue of the IS Audit Report.
7. Please acknowledge the receipt of this circular to our Regional Office concerned.
(K. R. Rao)
Chief General Manager