EC No. 193 / DoS-22 /2022
Ref. No. NB. DoS. HO. Pol./2116/J-1 / 2022-23
23 August 2022
The Chairman, All Regional Rural Banks
The Managing Director, All State Cooperative Banks
The Chief Executive Officer, All District Central Cooperative Banks
Information System (IS) Audit
Please refer to our circular Ref. No. NB. DoS. HO. Pol. / 3634 / J-1 / 2014-15 [No. 33 / DoS-01 / 2015] dated 25 February 2015 forwarding broad guidelines on Information System (IS) Audit and circular Ref. No. NB. DoS. Pol. HO / 794 / J-1 / 2019-20 [No. 13 / DoS-13 / 2019] dated 21 May 2019 reiterating the guidelines on IS Audit. Copies of the circulars mentioned above are enclosed for ready reference.
2. A review of implementation of IS Audit by Supervised Entities (SEs) has since been undertaken. It was observed that some banks did not have an IS Audit policy while others did not conduct IS Audit on an annual basis as per NABARD guidelines. It was also observed that some banks had conducted IS Audit without having a Board approved IS Policy, and that many banks were placing neither the IS Audit Report nor the Compliance to IS Audit Report before the Board of Directors / Audit Committee / Top Management.
3. Considering that IS Audit is one of the supervisory requirements to ensure mitigation of risks emanating from adoption of technology, especially in the scenario where customers of RRBs and RCBs are also falling prey to cyber-crimes, we once again advise the Supervised Entities to put in place an appropriate and robust IS Audit policy and Information System Audit.
4. We also advise the banks to furnish the following information to our concerned Regional Offices:
a) Whether the bank has Board approved IS Audit Policy. If so, the date of Board approval.
b) Whether the bank has adopted appropriate system and practices for conducting IS Audit by a qualified audit firm or by a team of competent IS personnel on annual basis covering all the critically important branches and functions at HO/Controlling Offices. The date of last such IS Audit conducted may be indicated.
c) In case the bank has not adopted an IS Audit Policy with the approval of the Board, the same may be done and a confirmation in this regard should be sent to the concerned Regional Offices by 30 September 2022.
d) Whether a system has been put in place to ensure that IS Audit is undertaken prior to conduct of Statutory Audit and the IS Audit report is shared with the Statutory Auditors so that they can incorporate comments from the IS Audit Report.
e) Whether a system has been put in place to ensure that the IS Audit Reports are prepared within a month from the date of IS Audit Report and the bank’s compliance to IS Audit Reports is placed before the Top Management / Audit Committee of the Board / Board of Directors.
5. Banks are to ensure that the compliance to the IS Audit report is furnished within a stipulated timeframe of one month from the date of issue of the IS Audit Report.
6. Further, banks may note that adoption and implementation of IS Audit guidelines will be reviewed by NABARD as part of on-site inspection / off-site monitoring and in case of non-adherence / non-compliance, NABARD will initiate the following course of action:
a) Non-compliance for 1 year: Issue letter of caution to the bank with instruction to initiate action for achieving full compliance within 3 months of issue of caution letter.
b) Non-compliance for 2 years: Issue letter of displeasure to the Supervised Entity (SE) with instructions to devise an action plan for achieving full compliance within 3 months from date of issue of displeasure letter, failing which supervisory action will be recommended to RBI against the bank.
c) Non-compliance for more than 2 years: NABARD will recommend supervisory / regulatory action against the bank to RBI.
7. We advise that the progress in the implementation of IS Audit is being closely monitored by the Board of Supervision (BoS). Non-adherence / non-compliance to policy directions issued by RBI / NABARD necessitates recommending regulatory action against the banks. You are, therefore, advised to initiate remedial action on gaps in IS Audit policy implementation immediately.
8. Please acknowledge receipt of this circular to us and our Regional Office concerned.
Chief General Manager
Enclosure: as above