Domains Sub-domain Objective

1. IT Governance 1.1 IT Strategy Committee To have a well-defined IT strategy committee as per

the NHB/ RBI guidelines for HFC/ NBFC respectively.

1.2 Roles and Responsibilities To have well-defined roles and responsibilities of IT

of IT Strategy Committee Strategy committee as per the NHB/ RBI guidelines
for HFC/ NBFC respectively.

2. IT Policy IT Policy 2.a To have a documented organizational structure

with the size, scale and nature of the business
activities carried out by the organization.

IT Policy 2.b CIO or in-charge IT of operations ensure the

implementation of IT Policy at operational level
involving IT strategy, value delivery, risk management
and IT resource management.

IT Policy 2.c To ensure technical competence at senior/middle

level management of HFC/ NBFC and formulate
periodic assessment of the IT training requirements
 IT Policy 2.d HFCs/ NBFCs which are currently not using IPv6
platform should migrate to the same as per the
National Telecom Policy issued by the Government of
India in 2012, as amended from time to time

3. Information Policies related to Information HFCs/ NBFCs must have a board approved IS Policy
Security Security with the following basic tenets: Confidentiality,
Integrity, Availability and Authenticity.

3.1 (a) Identification and To maintain a detailed inventory of Information Asset

Classification of Information with distinct and clear identification of the asset
Assets

3.1 (b) Segregation of Segregation of duties of Security Officer/ Group (both

functions physical & cyber security) dealing exclusively with
information systems security & IT division which
actually implements computer systems

3.1 (c) Role based Access
Control
i. Access to information should be based on well-
defined user roles (system administrator, user
manager, application owner etc.)
ii. HFCs/ NBFCs shall avoid dependence on one or
few persons for a particular job.
iii. There should be clear delegation of authority for
right to upgrade/change user profiles and permissions
and also key business parameters (e.g. interest rates)
which should be documented
3.1 (d) Personnel Security HFC/ NBFC should have a process of appropriate
check and balance in this regard. Personnel with
privileged access like system administrator, cyber
security personnel, etc. should be subject to rigorous
background check and screening

3.1 (e) Physical Security HFCs/ NBFCs should take measures for physical
security of IS Assets such as secure location of critical
data, restricted access to sensitive areas like data
center etc

3.1 (f) Maker-checker For each transaction, there must be at least two
individuals necessary for its completion as this will
reduce the risk of error and will ensure reliability of
information

3.1 (g) Incident Management The IS Policy should define what constitutes an
incident. HFCs/ NBFCs shall develop and implement
processes for preventing, detecting, analysing and
responding to information security incidents

3.1 (h) Trails HFCs/ NBFCs shall ensure that audit trails exist for IT
assets satisfying its business requirements including
regulatory and legal requirements, facilitating audit,
serving as forensic evidence when required and
assisting in dispute resolution

3.1 (i) Public Key HFCs/ NBFCs may increase the usage of PKI to ensure
Infrastructure confidentiality of data, access control, data integrity,
authentication and nonrepudiation.

3.2 Cyber Security HFCs/ NBFCs should put in place a cyber-security

policy elucidating the strategy containing an
appropriate approach to combat cyber threats given
the level of complexity of business and acceptable
levels of risk, duly approved by their Board
3.3 Vulnerability Management HFCs/NBFCs may devise a strategy for managing and
eliminating vulnerabilities and such strategy may
clearly be communicated in the Cyber Security policy.

3.4 Cyber security Cyber security preparedness indicators should be

preparedness indicators defined to measure and assess the level of risk
preparedness.
These indicators should be used for testing through
compliance checks and audit

3.5 Cyber Crisis Management
Plan (CCMP)
CCMP should be part of overall board approved
strategy. HFCs/ NBFCs should take necessary
preventive and corrective measures in addressing
various types of cyber threats including, but not
limited to, denial of service, distributed denial of
services (DDoS), ransom-ware / crypto ware,
destructive malware, business email frauds including
spam, email phishing, spear phishing, whaling, vishing
frauds, drive-by downloads, browser gateway fraud,
ghost administrator exploits, identity frauds, memory
update frauds, password related frauds, etc.

3.6 Reporting of information HFCs shall put in place a suitable mechanism to

on cyber security report all types of unusual security incidents to its IT
Steering Committee and the Risk Management
Committee

3.6 Sharing of information on NBFCs are required to report all types of unusual
cyber-security incidents with security incidents as specified in point No. 2 of Annex
RBI I which deals with Basic Information including Cyber
Security Incidents as specified in CSIR Form of Annex I
(both the successful as well as the attempted
incidents which did not fructify) to the DNBS Central
Office, Mumbai.
3.7 Cyber-security awareness Cyber security awareness session should be conducted
among stakeholders / Top to ensure awareness among all stakeholders
Management / Board

3.8 Digital signatures HFCs/ NBFCs may consider use of Digital signatures to
protect the authenticity and integrity of important
electronic documents and also for high value fund
transfer

3.9 IT Risk Assessment HFCs/ NBFCs should undertake a comprehensive risk

assessment of their IT systems at least on a yearly
basis. The risk assessment should be brought to the
notice of the Chief Risk Officer (CRO), CIO and the
Board of the organization

3.10 Mobile Financial services HFCs/ NBFCS that are already using or intending to
use Mobile Financial Services should develop a
mechanism for safeguarding information assets that
are used by mobile applications to provide services to
customers

3.11 Social Media Risks HFCs/ NBFCs using Social Media to market their
products should be well equipped in handling social
media risks and threats

3.12 Training Employees should be trained periodically to ensure

information security awareness.
There needs to be a mechanism to track the
effectiveness of training programmes through an
assessment / testing process. At any point of time,
HFCs/ NBFCs need to maintain an updated status on
user training and awareness relating to information
security
4. IT Operations IT Operations The Board or Senior Management should take into
consideration the risk associated with existing and
planned IT operations and the risk tolerance and then
establish and monitor policies for risk management

4.1 Acquisition and HFCs/ NBFCs should identify system deficiencies and
Development of Information defects at the system design, development and
Systems (New Application testing phases.
Software) HFCs/ NBFCs should establish a steering committee,
consisting of business owners, the development team
and other stakeholders to provide oversight and
monitoring of the progress of the project, including
deliverables to be realized at each phase of the
project and milestones to be reached according to
the project timetable.

4.1 Change Management HFCs/ NBFCS are required to realign their IT systems
on a regular basis in line with the changing needs of
its customers and business
HFCs/ NBFCs should develop, with the approval of
their Board, a Change Management Policy that
encompasses the following:
a) prioritizing and responding to change proposals
from business,
b) cost benefit analysis of the changes proposed,
c) assessing risks associated with the changes
proposed,
d) change implementation, monitoring and reporting.
It should be the responsibility of the senior
management to ensure that the Change Management
policy is being followed on an ongoing basis

4.3 IT Enabled Management The IT function of an HFC/ NBFC should support a

Information System robust and comprehensive Management Information
System (MIS) in respect of various business functions
as per the needs of the business
 4.4 Management Information HFCs/NBFCs may put in place MIS that assist the Top
System Management as well as the business heads in decision
making and also to maintain an oversight over
operations of various business verticals.

4.5 MIS for Supervisory All regulatory/supervisory returns should be system

requirements driven; there should be seamless integration between
MIS system of the HFC/ NBFC and reporting under
ORMIS/ COSMOS respectively. Further, it is essential
that “”Read Only” access be provided to NHB/ RBI
Inspectors or persons authorized by it

5. IS Audit 5.1 IS Audit policy IS Audit should form an integral part of Internal Audit
system of the HFC/NBFC.
While designing the IS framework, HFCs/ NBFCs shall
refer to guidance issued by Professional bodies like
ISACA, IIA, ICAI in this regard.
HFCs/ NBFCs shall adopt an IS Audit framework duly
approved by their Board. Further, HFCs/ NBFCs shall
have adequately skilled personnel in Audit Committee
who can understand the results of the IS Audit

5.2 Coverage IS Audit should cover effectiveness of policy,

oversight of IT Systems, evaluation of processes and
internal controls, effectiveness of business continuity
planning and disaster recovery set up and ensure that
BCP is effectively implemented in the organization.
During the process of IS Audit, due importance shall
be given to compliance of all the applicable legal and
statutory requirements

5.3 Personnel IS Audit may be conducted by an internal team of the

HFC/ NBFC. In case of inadequate internal skills,
HFCs/ NBFCS may appoint an outside agency having
enough expertise in area of IT/IS audit for the
purpose
IS Auditors should act independently of HFC/ NBFCs'
Management both in attitude and appearance

5.4 Periodicity The periodicity of IS audit should ideally be based on

the size and operations of the HFC/ NBFC but may be
conducted at least once in a year
IS Audit should be undertaken preferably prior to the
statutory audit so that IS audit reports are available
to the statutory auditors well in time for examination
and for incorporating comments, if any, in the audit
reports.
 5.5 Reporting
5.6 Compliance
5.7 Computer-Assisted Audit
Techniques (CAATs)
6. Business ContinuBusiness Continuity Planning
(BCP) and Disaster Recovery
6.1 Business Impact Analysis
6.2 Recovery strategy/
Contingency Plan
6.3 Disaster recovery
The framework should clearly prescribe the reporting
framework, whether to the Board or a Committee of
the Board viz. Audit Committee of the Board (ACB)
HFC/ NBFCs’ management is responsible for deciding
the appropriate action to be taken in response to
reported observations and recommendations during IS
Audit.
HFCs/ NBFCs shall adopt a proper mix of manual
techniques and CAATs for conducting IS Audit.
HFC/ NBFC should adopt a Board approved BCP
Policy. The functioning of BCP shall be monitored by
the Board by way of periodic reports. The CIO shall be
responsible for formulation, review and monitoring of
BCP to ensure continued effectiveness
HFCs/ NBFCs shall first identify critical business
verticals, locations and shared resources to come up
with the detailed Business Impact Analysis.
The entity shall clearly list the business impact areas
in order of priority.
HFCs/ NBFCs shall try to fully understand the
vulnerabilities associated with interrelationships
between various systems, departments and business
processes. The BCP should come up with the
probabilities of various failure scenarios. Evaluation
of various options should be done for recovery and
the most cost-effective, practical strategy should be
selected to minimize losses in case of a disaster
HFCs/ NBFCs shall consider the need to put in place
necessary backup sites for their critical business
systems and Data centers
 6.4 BCP test HFCs/ NBFCs shall test the BCP either annually or
when significant IT or business changes take place to
determine if the entity could be recovered to an
acceptable level of business within the timeframe
stated in the contingency plan. The test should be
based on ‘worst case scenarios’. The results along
with the gap analysis may be placed before the CIO
and the Board. The GAP Analysis along with Board’s
insight should form the basis for construction of the
updated BCP

7. IT Service Policy for IT Services Prior to commencement of any outsourcing

Outsourcing Outsourcing arrangement, careful consideration of risks, threats
of contractual arrangements and regulatory
compliance obligations must take place.
The HFC/ NBFC’s decision to outsource IT Services
should fit into the institution’s overall strategic plan
and corporate objectives

7.1(a) Monitoring and Provide for continuous monitoring and assessment by

Oversight the HFC/ NBFC of the service provider so that any
necessary corrective measure can be taken
immediately. Outsourcing service provider should
have adequate systems and procedures in place to
ensure protection of data/application outsourced

7.1(b) Access to books and
records / Audit and Inspection access all books, records and information relevant to
i. Ensure that the HFC/ NBFC has the ability to
the outsourced activity available with the service
provider. For technology outsourcing, requisite audit
trails and logs for administrative activities should be
retained and accessible to the HFC/ NBFC based on
approved requests
ii. Provide the HFC/ NBFC with the right to conduct
audits on the service provider whether by its internal
or external auditors, or by external specialists
appointed to act on its behalf and to obtain copies of
any audit or review reports and findings made on the
service provider in conjunction with the services
performed for the HFC/ NBFC
iii. The contract should have the following provisions;
provide for continuous monitoring, assessment,
adequacy of safeguards, access to all books and
records, right to audit and any other reasonable
information.
7.2 Outsourcing Risk The Board and IT Strategy committee have the
responsibility to institute an effective governance
mechanism and risk management process for all IT
outsourced operations

7.3 Senior Management Role of IT Strategy committee

 Data Requirements
1. IT Strategy committee member list/
organization chart
2. MOM of last two IT Strategy Committee

1. Roles, designation and Responsibilities of IT

Strategy Committee members

1. Organization structure/ chart

2. Board approved IT policy

1. Roles and Responsibilities of IT Head

1. IT training records (calendar, manual,

attendance)
1. Compliance letter from ISP regarding IPv6
compatibility
2. IP schema

1. Board approved Information Security Policy

1. Asset Management Policy/ Procedure

2. Asset Inventory
3. Information classification and handling policy

1. Roles and Responsibilities of IT and

Information security division
2. SOD matrix
3. Organization chart for IT Management

1. Access Control Policy/ Procedure

2. Application RBAC matrix
3. SOD matrix
4. User access review reports
1. HR Policy/ Procedure
2. List of users with privileged access
3. BGV report of sample selected for personnel
with privileged access

1. Physical and Environmental Security Policy &

Procedure
2. Entry register for restricted areas
3. Screenshot of CCTV logs
4. Visitor logs
5. Latest data center audit report

1. Access Control Policy/ Procedure

2. Maker-checker configuration of the financial
system/ application

1. Information Security Policy

2. List of information security incidents for the
audit period
3. Incident response plan of the sample incident
selected
4. Root cause analysis for the sample incidents

1. Logging & Monitoring Policy/ Procedure

2. Application/ Transaction logs for the audit
period
3. Audit log configuration

1. Cryptography policy
2. List of users who have assigned digital
signatures along with its validity

1. Cyber Security Policy

1. Cyber Security Policy
2. Vulnerability & Patch Management Policy &
Procedure
3. VAPT Reports
4. Secure configuration documents
5. Antivirus Management Policy

1. List of cyber security preparedness indicator

1. Cyber Crisis Management Plan

2. Web application firewall configuration
3. Web application security assessment report

1. Incident dumps for the audit period

2. Root cause analysis for the sample incidents
1. Cyber security training records (calendar,
manual, attendance)

1. Cryptography policy
2. List of users who have assigned digital
signatures along with its validity

1. Risk Assessment Methodology/ Framework/

Policy
2. Risk assessment report
3. Risk treatment plan

1. Mobile Application Security Testing Report

1. Social media usage policy

2. List of active social media accounts
3. Roles and responsibilities for handling
organization's social media account

1. Information security training and awareness

records (calendar, manual, attendance)
1. Roles and Responsibilities of personnel
handling IT operation
2. MOM of last two IT Strategy Committee
3. Risk Assessment Methodology/ Framework/
Policy
4. Risk register
5. Risk treatment plan

1. System Acquisition, Development &

Maintenance Policy
2. IT steering committee member list/
organization chart
3. Roles and responsibilities of IT steering
committee
4. Application VAPT and revalidation report(s)
5. Secure Coding Guidelines (If any)
6. Source Code reviews (If any)

1. Change Management Policy/ Procedure

2. Change dumps for the audit period
3. For sample changes, provide evidences for
process followed for the change authorization,
testing and movement to production.
4. Change testing report/ result

1. MIS reports
2. Monthly reports submitted to the
management
1. MIS reports
2. Monthly reports submitted to the
management

1. IS Audit policy/ framework

2. Latest IS Audit report/Internal Audit report
(whichever available)
3. Audit committee member list/ organization
chart
4. MOM of management review meeting
5. List of applicable legal and regulatory
requirements
1. BCP/ DR policy
2. Business Continuity Management Framework

1. Business Impact Analysis

1. Recovery strategy/ Contingency plan

1. Disaster recovery plan

2. Network Architecture diagram
3. Service agreement/ contract signed with the
third-party vendor (If any)
1. BCP and DRP test report

1. IT Services Outsourcing policy

2. List of IT & IS related vendors

1. Service agreements/ contracts signed with IT

& IS vendors
1. IT Services Outsourcing policy

1. Roles and Responsibilities of IT Strategy

Committee
 Test Strategy
1. Check whether the IT Strategy Committee has formed
2. If yes, then verify the following:
- The chairman of the committee is an independent director
- CIO & CTO are part of the committee
- Frequency of meetings (it should not be more than 6 months
between 2 meetings)
3. Review the MoM of IT Strategy Committee meetings and check
if it includes the board policy reviews, amendment of the IT
strategies, cybersecurity arrangements and any other matter
related to IT governance

1. Check whether the roles, designation and responsibilities of the

IT Strategy Committee has defined and documented
2. If yes, then check if the responsibility includes the following:
- Approving IT strategy and policy documents
- Ascertaining that management has implemented processes and
practices
- Ensuring IT investments represent a balance of risks and benefits
and that budgets are acceptable
- Monitoring the method that management uses to determine the
IT resources needed to achieve strategic goals and provide high-
level direction for sourcing and use of IT resources
- Ensuring proper balance of IT investments for sustaining HFC/
NBFC’s growth and becoming aware about exposure towards IT
risks and controls

1. Check whether the IT policy is documented and approved by

the board
2. Review the IT organization structure, and it should
commensurate with the size, scale, and nature of the business
activities

1. Check if there is a designated person assigned to ensure

implementation of IT policy to the operational level
2. If yes, then review there roles and responsibilities

1. Check if IT training is provided to all the employees

2. If yes, then review the following:
- Frequency of training
- No of employees attended the training
- Periodic assessment of IT training
1. Verify the IP platform (IPv4/ IPv6) used by the organization
2. Check the status on IPv6 migration
3. If the organization is currently not using IPv6 platform, then
review the compliance letter provided by the ISP regarding IPv6
compatibility
4. If the organization is already migrated to IPv6 platform, then
review the IP schema

1. Check whether the information security policy is documented

and approved by the board
2. Check whether the policy is regularly reviewed and updated
3. Check whether the policy updates are documented

1. Check whether the asset inventory is defined and maintained

2. If yes, then review the asset inventory:
- It should have a distinct and clear identification of asset
- It should include risk classifications, End of Life/ End of Support
details

1. Check if there exists segregation of IT and Information Security

division
2. If yes, then review there responsibilities
3. Check if information security function is adequately resourced
in terms of the number of staff, level of skill and tools or
techniques like risk assessment, security architecture,
vulnerability assessment, forensic assessment, etc.
4. Verify if there is a clear segregation of responsibilities relating
to system administration, database administration and transaction
processing

1. Check if the access control policy is defined, documented and

approved
2. Identify the application(s) used by the organization to support
their business
3. Check if the users have access to the application based on their
job roles
4. If yes, then review the application RBAC matrix
5. Check if the SOD matrix is established for the role of system
administration, DB administration and transaction processing
6. If yes, then verify that critical jobs are not dependent on just
one employee
7. Check whether the delegation of authority for rights to change
user profiles and key business parameters are documented
8.Check whether user access review are performed.
1. Walk-through of background verification process
2. Review the parameters considered for BGV
3. Review the privileged user list and select samples for
background verification checks
4. Review the BGV reports of selected samples

1. Check if there exists a sensitive area like data center, server

room, etc. within the organization
2. If yes, then review the physical security controls implemented
in those areas
3. If no, then mention the location of data center
4. Review the latest data center audit report and check for the
following:
- Physical security control
- Environmental security
- Disaster recovery
5. Check the responsibility for ensuring physical safety for assets
such as CCTV, visitor entry lies with the organization or it is
managed by the building owner

1. Walk-through of Financial system/ application

2. For each transaction executed, check whether maker-checker
mechanism is followed
3. If yes, then review the maker and checker configuration of
financial transaction

1. Check whether Information security policy includes incident

management process
2. If no, then check whether it is defined and documented
separately
3. Walk-through of incident management process
4. Verify the processes for preventing, detecting, analysing and
responding to information security incidents
5. Review the incident response plan of selected sample incidents

1. Review the logging and monitoring policy/ procedure

2. Check whether audit trails are enabled for the financial
system/ application
3. If yes, then review the system/ application logs
4. Check the log retention period

1. Review the cryptography policy

2. Verify if the organization uses the digital signatures
3. If yes, then review the list of users who have assigned digital
signatures along with its validity

1. Check whether the cyber security policy is defined and

documented
2. Verify if the policy is approved by the board
3. Check whether the policy include strategies for cybersecurity
events
1. Review the Cyber Security policy and check if it includes the
vulnerability management clause
2. If not, then check whether it is documented separately
3. Check whether the policy include strategies for managing and
eliminating vulnerabilities
4. Check if periodicity of the VAPT (Application & Infrastructure)
is defined
5. Check if the remediation action is taken against the
vulnerabilities identified in VAPT reports
6. Are Security configuration documents for networks, operating
systems, databases, applications and desktops defined
7. Verify AV dashboard and Scan frequency

1. Check whether the cyber security preparedness indicators are

defined and documented
2. Review the list of cyber security preparedness indicators
3. Verify if the list is utilized to measure compliance

1. Check whether the cyber crisis management plan is

documented and approved by board.
2. Verify whether CCMP addresses the following aspects:
- Detection
- Response
- Recovery
- Containment
3. Check if the organization has configured the web application
firewall
4. If yes, then review the configuration
- the configuration should address the cyber threats (i.e. DDoS,
ransom-ware, email phishing & spam, drive-by downloads, etc.)
5. Check if the organization has conducted web application
security assessment
6. If yes, then review the assessment report and remediation
action taken against the vulnerabilities identified in the report

1. Check if the organization has defined the security incident

reporting mechanism
2. Review the policy & procedure and validate if process is
followed as defined
3. For HFCs, check if unusual security incidents are reported to
their IT steering committee and the risk management committee
4. For NBFCs, check if unusual security incidents are reported to
DNBS Central office, Mumbai
1. Check if employees (at all levels) are made aware of
cybersecurity events
2. Review the frequency of conducting cyber security awareness
session
3. Check if the organization has maintained a repository of
awareness posters and mailers

1. Review the cryptography policy and check if it covers the use

of digital signatures
2. Verify if the organization uses the digital signatures
3. If yes, then review the list of users who have assigned digital
signatures along with its validity

1. Evaluate the risk register with respect to risk assessment

methodology.
2. Check if risk assessment includes the IT systems.
3. Check how controls are mapped with respect to each risk.
4. Check the mitigation plans if any for residual risk.
5. Check the risk acceptance criteria
6. Check the frequency for conducting a risk assessment.
7. Check Last two year IT risk assessment report.
8. Verify whether risk assessment is brought to the notice of the
CRO, CIO and the Board of HFCs/NBFCs

1. Check if the organization provide any mobile financial services

to the customers
2. If yes, then check the authentication mechanism implemented
for mobile financial services
3. Walk-through of mobile application used (if any)

1. Check whether organization is using social media for marketing

purpose
2. If yes, then check whether the social media usage policy is
documented and approved by the board
3. Verify if there is an active social media account for the
company
4. If yes, then check how the company is managing the access
rights of user having access to company social media account
5. Review the roles and responsibilities of personnel handling
those accounts
6. Evaluate the controls implemented to safeguards the social
media account

1. Check if the organization conducts information security training

for all the employees (i.e. new and existing employees)
2. Evaluate the IS training and awareness records
3. Check if training is conducted periodically
4. Check if there is any tracking mechanism to measure
effectiveness of the program
5. If yes, then review the records
1. Check if there is a team responsible for IT operations
2. If yes, then evaluate their roles and responsibilities
3. Check if IT strategy meeting focuses on risk related to existing
or planned IT operations
4. Evaluate the risk register focusing the IT aspect
5. Check how controls are mapped with respect to each risk
6. Check the mitigation plans if any for residual risk
7. Check the risk acceptance criteria

1. Check if there exists any IT steering committee within the

organization
2. If yes, then review their roles and responsibilities
3. Check if the application system used by the organization is
developed in-house or outsourced
- If the application is developed in-house, check whether the
security aspects are included in each phases of SDLC
i. Evaluate the project risk reports
ii. Verify if the secure coding guidelines are inline with the
standard guidelines
iii. Verify the Secure code review reports and application security
test reports
- If the application is outsourced, check the periodicity of the
VAPT conducted
i. Review the VAPT report
ii. Check if the remediation action is taken against the
vulnerabilities identified in the VAPT report

1. Review the policy/ procedure document and validate if the

process is followed as defined. Further, check whether the policy
is approved by the board
2. Check if the change management process includes the
following:
- prioritizing and responding to change proposals from business
- cost benefit analysis of the changes proposed
- assessing risks associated with the changes proposed
- change implementation, monitoring and reporting
3. For sample changes, review the process followed for the
change authorization, testing and users having access to the
production environment
4. Check if the responsibility is assigned to the senior
management to ensure the policy is followed on an ongoing basis

1. Check if the organization prepares and maintain the MIS reports

2. If yes, then review the reports available with the team (which
may include financial reports, fraud analysis reports, reports
relating to treasury operations, regulatory requirement and
compliance reports)
3. Check if the MIS include dashboard for the Top Management
1. Check if the organization prepares and maintain the MIS reports
2. If yes, then review the reports available with the team (which
may include financial reports, fraud analysis reports, reports
relating to treasury operations, regulatory requirement and
compliance reports)
3. Check if the MIS include dashboard for the Top Management

1. Review the reporting structure

2. Check if "read only" access is provided to NHB/RBI inspector or
person authorized by it.

1. Check if the IS audit policy is documented and approved by the

board. Further validate the process is followed as defined
2. Check whether the organization has formed an audit
committee
3. If yes, then review the audit committee member list and their
roles and responsibilities
4. Validate whether the organization refer to guidance issued by
Professional bodies like ISACA, IIA, ICAI

1. Review the IS audit scope

2. Check if the IS audit covers the following:
- Effectiveness of policy
- Oversight of IT systems
- Evaluating adequacy of processes and internal controls
- Effectiveness of business continuity planning & disaster recovery
set up
3. Check if the organization maintain the list of applicable legal
and statutory requirements
4. If yes, then verify whether all the applicable legal and
regulatory requirements are compliant

1. Check if the IS audit is conducted by an internal team or any

external agency
2. If it is conducted by an internal team, then review their
competency level
3. Verify if the IS Auditors are independent of organizations'
management
4. Verify if the findings of the IS Audit were discussed in the IT
strategy committee meeting

1. Review the frequency of IS Audit conducted by the organization

2. Check if the IS audit was conducted prior to the statutory audit
1. Review the IS Audit reporting mechanism

1. Review the observations, recommendations along with

remediation action and timelines
2. Check if the IS framework includes responsibilities for
compliance, reporting lines, timelines for submission of
compliance, authority for accepting compliance

1. Check if the organization adopt a proper mix of manual

techniques and CAATs for conducting IS audit.
1. Check if the BCP/ DR policy is document and approved by board
2. If yes, then review the responsibilities of the Business
Continuity Task Force
3. Review the Business Continuity Management Plan
4. Check whether the board monitors the functioning of BCP
5. Check if the CIO is responsible for formulation, review and
monitoring of BCP to ensure continued effectiveness

1. Check if the organization conduct Business Impact Analysis

2. If yes, then review the following:
- BIA report
- RTO, RPO
- Business impact areas in order of priority

1. Check if the organization conduct Business Impact Analysis

2. If yes, then review the following:
- BIA report
- RTO, RPO
- Business impact areas in order of priority
3. Verify whether the plan is formulated based on the derived
RTO & RPO
4. Evaluate the recovery strategy/ contingency plan/ failure
scenarios

1. Check if the organization has put in place the backup sites for
their critical business systems and data centers
2. Check if DR services are procured from a third-party vendor
3. If yes, then review the service agreement/ contract signed with
the third-party vendor
4. Within the agreement/contract, verify the uptime provided by
the vendor
5. Review the disaster recovery plan & network diagram
6. Review the backup site setup
1. Check if the organization tests the BCP annually or when
significant IT or business changes takes place
2. Review the test report and further verify if the test was based
on the worst-case scenario
3. Evaluate the test results. Further, check if the gap analysis is
also included in the test results
4. Verify if the results was presented before the CIO and the
board
5. Check if the updated BCP includes Board's insight

1. Check if the IT Services Outsourcing policy is defined and

documented
2. Identify the outsourced activities and verify if the risk
assessment is performed before outsourcing these IT services
3. Check if the risk assessment is presented before the
management
4. Verify the decision to outsource IT services fits into the
institution’s overall strategic plan and corporate objectives

1. Verify if the organization monitors the services provided by the

third-party vendor
2. Check whether there are weekly/ monthly meetings scheduled
with the third-party vendor regarding the status update or any
enhancement to be made within the outsourced service
3. If yes, then review the weekly/ monthly MoMs
4. Review the security controls implemented by the vendor to
ensure the protection of data/ application outsourced

1. Check if the organization requests the third-party vendor to

share the audit trails and administrative logs for outsourced
technology
2. If yes, then review the sample audit logs
3. Review the sample contract and check whether the contract
includes right to audit
4. Check if the contract have the following provisions -
- Provide for continuous monitoring
- Assessment
- Adequacy of safeguards
- Access to all books and records
- Right to audit
1. Check if there is a well defined governance mechanism and risk
assessment process for all IT outsourced operations

1. Check if the organization has defined the roles and

responsibilities of IT Strategy Committee
2. Verify the role of the IT strategy committee which should
includes the following -
- Defining approval authorities,
- Developing and testing policies and procedures,
- Undertaking periodic review of outsourcing strategies,
- Evaluating the risks and materiality,
- Communicating risks,
- Ensuring independent audits and continuity
Test Result TOD Result TOE Result
Observations Risk Recommendations Test Result
<to be filled>

<to be filled>