
Audit Area and Scope of the audit

Audit Area 1: Compliance with KYC/AML, Regulatory Requirements and Reporting
Scope of the audit:
Compliance with KYC/AML/Sanctions:
1. Review of the KYC, AML and Sanctions policy. Ascertaining whether policies, procedures and internal controls associated with KYC, AML and sanctions laws, rules and regulations are appropriately documented, up to date and effectively communicated to the bank staff.
2. Review/scrutiny of new account documentation, including customer due diligence, for compliance with regulatory guidelines, KYC/AML standards and bank policies and procedures.
3. Assessment of the procedures for customer risk rating, including periodic reviews, as per policy and regulatory guidelines.
4. Review of adequacy of Enhanced Due Diligence performed on High Risk customers and quality of related documentation.
5. Identification of beneficial owner as per policy and regulations.
6. Assessment of the procedures for transaction monitoring.
7. Assessment of monitoring performed over inward / outward remittances / LCs / BGs for suspicious transactions.
8. Review of compliance with regulatory stipulations in respect of cross-border remittances.
9. Verification of procedures for screening and reporting of unusual / suspicious transactions.
10. Determining adequacy of segregation of duties.
11. Verification of implementation of measures to prevent / detect terrorist financing.
12. Verification of compliance with audit findings of the latest regulatory examination report and prior audit report, and follow-up with management on action taken (or in progress) in response to reported observations, testing the controls if applicable.
13. Review of staff training and knowledge in respect of KYC, AML, Sanctions, Data Protection and TCF rules, regulations, policy and procedures.
14. Determining the adequacy of management oversight through examining follow-up and disposition of investigations on a sample of unusual / suspicious activity.

Compliance with Regulatory Requirements, Internal and External Reporting:
1. Review of operational policies in respect of code of conduct, KYC, AML, Sanctions, Treating Customers Fairly, Data Protection, Anti Bribery & Corruption and other applicable regulations, credit, asset maintenance, investments, deposits, funds transfers and remittances, security, international banking activities, etc.
2. Review of adequacy of scenarios in AMLOCK for transaction monitoring and alert generation for suspicious transactions and AML/KYC non-compliant accounts.
3. Interaction with key personnel to ascertain knowledge of compliance activities including internal controls, monitoring and reporting.
4. Review of adequacy of the compliance testing programme and quality of compliance testing.
5. Review and evaluation of the adequacy of training and processes to ensure sufficient knowledge levels of personnel concerning compliance with all related regulations.
6. Review of status with regard to holding of compliance-related trainings for staff as per the laid down policy and maintenance of records relating to such trainings.
7. Review of new deposit account documentation and disclosures for compliance with local regulations.
8. Review of the processes and controls to ensure the timeliness and accuracy of periodic reports to be submitted by the Compliance Officer to Regional Head / Country Head / CEO of Branch.
9. Review of the processes and controls in place to ensure the timeliness and accuracy of the reports submitted to local regulators.
10. Review of the processes and controls in place to ensure integrity of the data reported to RBI / host country regulators.
11. Review of the quality of compliance certifications submitted to IBG.
12. Review of timeliness of periodic reporting to controllers regarding compliance matters.
13. Review of submission of comments / compliance reports to the local regulators / IBG regarding regulatory audits / statutory audits / central office audits.
14. Review of the process of submission of the Branch Manager’s monthly certificate.
15. Review of prompt reporting of compliance breaches to IBG, including any violations pointed out by local regulators, and assessment of the controls implemented in relation to these to ensure compliance.
16. Review of status with regard to holding of Compliance Committee Meetings at stipulated periodicity and quality of discussions at the meetings.
17. Review of the effectiveness of the compliance function in monitoring compliance with Home Country / Host Country Regulations.
18. Review of the role of the compliance function in new product/process approval.
19. Review of violations, if any, pointed out by the Local Regulators.
20. Review of maintenance of minimum capital, if any, prescribed by the regulatory authority.
21. Review of Exposure Limits being tracked and strictly adhered to.
22. Review of compliance with regulatory requirements in respect of maintenance of reserves.
23. Review of submission of Regulatory returns on time.
24. Review of outsourced activities.
25. Review of periodical reporting of KRIs.
26. Review of Common Reporting Standard (CRS) implementation on a half-yearly basis.
27. Review of the Risk Management process.
28. Review of MIS and exception reports.
29. Review of monitoring of transactions with sanctioned or sensitive jurisdictions and correspondent banking relationships.
30. Compliance with Common Reporting Standard (CRS).
Audit Area 2: Commercial Credit
Scope of the audit:
1. Review and evaluation of compliance with credit policy, procedures and internal controls.
2. Review of CRA, if undertaken, as per the laid down policy.
3. Scrutiny of new loans and advances covering compliance with the “Scheme of Delegation of Financial Powers (Foreign Offices)”.
4. Scrutiny of new loans and advances covering compliance with pre-disbursal formalities and documentation.
5. Review of enforceability of loan documents and securities, their creation and perfection, and confirmation regarding enforceability and validity of documents from the legal counsel.
6. Scrutiny of enhancements/reductions/renewal of existing limits, including loan origination, for approval according to the bank’s authority structure, appropriateness of documentation and reporting to senior management.
7. Review of collateral requirements and compliance with all terms and conditions of sanction/approval.
8. Review of adequacy of insurance coverage of security.
9. Verification of updating of loan information such as loan amount, interest rates, classification, repayment schedule, review/renewal date, stock statement date, external ratings of banks, etc. in the system.
10. Capturing of all exposures appropriately in the system (Finacle/BEXI) and reporting to IBG.
11. Review of adherence to prudential norms and exposure limits, tracking of Single Borrower/Group Exposure limits, industry-wise exposure and unsecured exposure, and strict adherence thereto.
12. Review of conduct of loan accounts viz. repayment, excess drawings, submission of financial and other statements, etc.
13. Review of submission of periodical information by the borrower and its due analysis at the branch.
14. Review of periodicity of unit inspection and submission of the report.
15. Review of periodic testing of compliance of borrower accounts with financial covenants as per policy.
16. Review of new products, introduced after due examination of risks and with approval of regulators, if required.
17. Review of follow-up procedures / actions for recovering overdues and adjustment of irregularities.
18. Reporting of overdues / irregularities for confirmation/information of the appropriate authority.
19. Review of recovery / income leakage in the areas of interest rate maintenance and collection of service charges, including loan processing fees / upfront fees.
20. Review of documentation and compliance with terms of Credit Insurance.
21. Ensuring that RMAs with Foreign Banks are valid and adequate Bank Exposure Limit is available before assuming exposure.
22. Review of asset classification and adequacy of Allowance for Loan and Lease Loss.
Audit Area 3: Trade Finance
Scope of the audit:
1. Determining the effectiveness of policies and procedures covering Trade Finance and, for a sample of transactions, testing compliance thereof.
2. Review of compliance with Sanctions / Trade Based Money Laundering / Transaction Monitoring related regulations and procedures.
3. Review of compliance with the Bank’s Policies, Procedures and ICC rules and guidelines relating to Trade Finance.
4. Review of control aspects that impact Trade Finance such as structure, segregation of duties and the integrity, knowledge level and competence of personnel.
5. Review of import and export letter of credit transactions including opening, advising, confirming and negotiation.
6. Review of pertinent financial records and management reports related to Trade Finance to determine that there is proper reporting/recording of assets, liabilities and contingent liabilities, and adequate information to control work in process and determine timeliness of processing.
7. Review of the adequacy of scrutiny of bills (negotiated, purchased, discounted, collected).
8. Review of outgoing payments and SWIFT reports to assess their adequacy for the purpose of determining that all daily transactions were processed.
9. Review of linkage of SWIFT with Finacle.
10. Review of the process in place to ensure 100% verification of all financial and non-financial SWIFT messages having implications on the exposure of the bank.
11. Review of the process in place to ensure no SWIFT message is sent without ensuring reflection of the transaction in Finacle.
12. Review of controls for collection of service charges and interest, including follow-up procedures for overdue bills / charges / default cases.
13. Evaluating the access to and safekeeping of bills and documents.
14. Ensuring that RMAs with Foreign Banks are valid and adequate Bank Exposure Limit is available before assuming exposure.
15. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.
16. Review of the process in place for checking invoice price against prices available on approved / reliable websites.
Audit Area 4: Inward and Outward Remittances
Scope of the audit:
1. Familiarising with the paying/receiving and remittance functions through discussion with department personnel and management, review of prior year audit reports and examination of policy and procedures.
2. Compliance with AML / CFT guidelines and identification of beneficial owners.
3. Review and evaluation of the adequacy of control in handling SWIFT incoming / outgoing messages, including handling of undelivered messages.
4. Review and evaluation of the effectiveness of checking of inward / outward remittances and their disposal for accuracy and timeliness.
5. Review and evaluation of the key controls over the clearing system.
6. Review of the remittance department’s procedures and practice relating to KYC/AML.
7. Review of maintenance of Security forms / Books.
8. Checking correctness of commission/exchange.
9. Review of compliance with the bank’s stipulated guidelines and procedures and regulatory requirements for inward / outward remittances.
10. Maintenance of specimen signatures and execution of Standing Instructions.
11. Review of Special/Concessionary arrangements extended for appropriate approvals / documentation.
12. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.
13. Review of the overall legislative compliance framework including the compliance register.
Audit Area 5: Information Technology
Scope of the audit:
1. Verification of General IT controls for all the systems used at the Foreign Office, including logical access controls and exposures like unauthorised access, authorisation issues, password management, etc., in respect of Finacle Core, Finacle Treasury, SWIFT, Finacle Nostro Reconciliation, ACE Pelican, Internet Banking, Oracle Database, SQL Database, Windows AD, etc.
2. Review of effectiveness and accuracy of automated controls including system suspense entries, and review of exception reports and other control reports.
3. Review of the control environment in network security, like blocking unrelated/unauthorised IP addresses, firewall, IDS, social engineering, viruses, worms, etc.
4. Review of the following input and output controls:
- Finacle Treasury (summary of balances) to Finacle Core;
- SWIFT messaging and confirmations;
- Finacle NOSTRO reconciliation;
- Changes to customer data on INB module to Finacle; and
- ACE Pelican to Finacle Core for sanctions screening.
5. Review of physical access controls to IT infrastructure, including the DR site, for determining that approved BCP / DRP exist and are updated and tested periodically.
6. Review of environmental exposures and controls for IT infrastructure.
7. Review of Systems/Processing/Data integrity and data security in relation to Middle Office controls, specifically where data is downloaded by IT and sent to Middle Office, who then upload it to another tool to extract financial and regulatory reporting.
8. Audit of IT risk in locally purchased software / applications.
9. Review of compliance with clean desk policy through various methods like periodic walk-throughs, reports, etc.
10. Updating antivirus on all end points periodically.
11. Using current and updated Operating Systems.
12. Incident management reporting.

Cyber Security / GDPR:
1. Establishment of a Standard Operating Procedure for connecting devices to the Network.
2. Establishment of baseline controls relating to system access control, data integrity, audit trail, security event tracking, exception handling, etc.
3. Configuration Management to ensure integrity of any changes.
4. Conducting application security testing.
5. Documenting a risk-based strategy for inventorying IT components.
6. Scanning of email attachments to detect malware.
7. Encryption of all credentials of the customer.
8. Authentication framework to provide identity verification of the Bank to customers.
9. Control over vendor / outsourcing activities.
10. Defining types of media that can be sent / received / copied / transferred.
11. Existence of Active Directory / End Point Management System.
12. Maintaining a whitelist of authorised websites required for business.
13. Conducting Vulnerability and Penetration Testing before adopting a new application.
14. Conducting Cyber Security Drills.
15. Notifying customers about transactions in their account through multiple communication channels.

Audit Area 6: Retail Operations / Deposits
Scope of the audit:
1. Review and evaluation of policies and procedures related to deposits operations.
2. Evaluation of the strength of the people, processes and controls within deposit operations by reviewing internal reporting (management and operating), organisation charts, policies and procedures, quality of system-generated information, etc.
3. Review of adequacy of internal controls surrounding Retail Operations including processing of payments (inward and outward Faster Payments, inward and outward cheque clearing, Direct Debits, standing orders, etc.).
4. Review of Office accounts reconciliation procedures: Sundry/Suspense accounts.
5. Review of controls relating to the cash retention limit.
6. Review and evaluation of policies and procedures for opening new deposit accounts, including online account opening.
7. Review of procedures for ATM/debit card issuance, inventory and servicing.
8. Review of procedures for internet banking registration and servicing.
9. Identifying key risks within Call Centre operations and assessing the effectiveness of the controls in place to mitigate those risks.
10. Review of procedures for ensuring proper application of interest rates to deposits, and review of the method of calculating interest on deposits.
11. Review of controls related to overdrafts by evaluating the method of monitoring overdraft activity and charging service fees to overdrawn accounts.
12. Review of controls over dormant accounts and dormant account activity.
13. Review of adequacy of segregation of duties within deposit operations, including mailing of depositors’ statements.
14. Evaluation of processes and controls to ensure compliance with regulatory laws and guidelines including KYC, AML, Sanctions, Treating the Customer Fairly (TCF) and Data Protection, related to the Retail operations.
15. Assessing compliance with the Corporate Accounts Review process.
16. Review of adequacy and effectiveness of the CRM process.
17. Review of the Complaints management process.
Audit Area 7: Risk Management and Corporate Governance
Scope of the audit:
1. Review of processes and controls to manage market, credit, regulatory, operational and strategic risks.
2. Compliance with the ORM Policy and Manual of the Bank: RCSA, Key Risk Indicators (KRIs) monitoring and reporting, reporting of Internal Loss Data (Near Miss / Loss Data) and External Loss Data, and reporting of Operational Risk losses.
3. Changes in and introduction of products / processes / systems are carried out in accordance with Change Management Framework (CMF) guidelines.
4. Review of processes for preparation and review of management information and reporting to senior management.
5. Review of processes pertaining to Fraud Management, including fraud indicators and attempted frauds, and assessment of fraud risk.
6. Review of conduct of Risk Management Committee meetings at stipulated periodicity, the quality of discussions, and tracking and monitoring of follow-up action on directions.
7. Correctness of the external ratings of banks captured in the system.
8. Review of status of monitoring of credit exposures (Individual / Group exposure / Industry-wide exposure / unsecured exposure).
Audit Area 8: Treasury (Dealing Room (front office), back office and middle office)
Scope of the audit:
1. Adherence to Internal Control Guidelines.
2. Appropriateness of dealing room procedures.
3. Review and evaluation of compliance with (a) Forex Trading Policy, (b) Derivatives Policy, (c) Policy for Trading in G-Sec & Equities (wherever applicable), (d) ALM Policy for Foreign Offices, (e) Market Risk Management Policy and (f) Limit Management Framework.
4. Identify and evaluate the controls around the monitoring of Profit & Loss.
5. Reconciliation of NOSTRO entries on a T+1 basis.
6. Monitoring and control of dealing activities including review of exception reporting, related risk management issues and Disaster Recovery Management.
7. Review of revaluation of foreign currency open positions as per extant guidelines.
8. Review of Offshore borrowing: compliance with regulatory guidelines and tax implications thereon.
9. Review of the process in place for monitoring and reporting of exposure limits.
10. Review of Back Office and dealing settlement procedures.
11. Review of follow-up procedures for Default cases.
12. Review of the effectiveness of the funding structure.
13. Review of Liquidity Risk Management (LRM), including status of compliance with ALM Policy provisions as well as guidelines of RBI / Host Country regulators.
14. Review of compliance with RBI / IBG guidelines on Country Risk monitoring, verification of the Country Risk Management Return and reporting of breaches.
15. Review of processes and controls surrounding risk monitoring, including adherence to NOOP limit, VaR, Stop Loss, Modified Duration of Bonds, PV01 of Derivatives; Hedge Effectiveness testing and validation; approval of divestment breaches; Counterparty Limits and Capital Calculation.
16. Review of validity of RMAs with Foreign Banks and availability of adequate Bank Exposure Limit before assuming exposure.
17. Appropriateness of all exposures captured in the system (Finacle/BEXI) and reporting to IBG.
18. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.
19. Review of Exception reporting.
Audit Area 9: SSA of Dealing Rooms
Scope of the audit:
1. Evaluation of Dealing Room Policy and procedure.
2. Review of functional segregation between Front Office / Mid Office / Back Office.
3. Review of selection and training of Dealers.
4. Review of duties of Dealers.
5. Evaluation of dealing procedure, voice recording, rotation of dealers, code of conduct and electronic order matching system.
6. Review of dealing hours, off-premises and after office hours trading.
7. Evaluation of Electronic Data Processing System.
8. Review of dealings in Exchange Traded Currency products, Money Market Operations and Derivative business (cross currency options, currency & interest rate swaps and forward rate agreements).
9. Review of Back Office functions.
10. Review of coordination between Front Office / Mid Office / Back Office.
11. Review of dealings through exchange brokers (nomination of brokers / broker panels, complaints against the brokers, payment of brokerage, malpractices by brokers).
12. Review of management of Credit Risk, Liquidity Risk, Interest Rate Risk, Operational Risk and Legal Risk, evaluation of the risk management process and responsibilities of senior management.
13. Review of reporting system: Management Information System (MIS).
14. Review of record keeping and preservation of records.
15. Evaluation of foreign exchange profit and loss.
16. Review of reconciliation of NOSTRO / VOSTRO accounts on a T+1 basis.

Audit Area 10: Investments
Scope of the audit:
1. Scrutiny of new investments including approval and documentation.
2. Assessment of the controls around reconciliation and review of investments, including source and use of funds objectives, liquidity parameters, permissible types of investments, maturity guidelines, interest margin guidelines, acceptable levels of interest rate risk and reporting mechanisms, categorised to ensure compliance with the Branch Investment policy.
3. Review of adherence to authorisation limits and the appraisal and approval process.
4. Review and evaluation of compliance with bank / branch investment policy.
5. Review of exception reporting.
6. Review of the process for monitoring secondary market prices.
7. Review of categorisation of investments including compliance with regulatory / IBG categorisation guidelines.
8. Review of Risk Management including monitoring and review of individual investments.
9. Review and evaluation of controls surrounding accounting of investments in line with accounting policies and regulatory guidelines.
10. Review of the process around evaluation of performance of the investment portfolio.
11. Review of RMAs with Foreign Banks to ensure they are valid and adequate Bank Exposure Limit is available before assuming exposure.
12. Valuation and accounting of investments as per regulatory guidelines.
Audit Area 11: Outsourced Service Providers – monitoring
Scope of the audit:
1. Review of adequacy and effectiveness of policy and procedures governing outsourced service providers.
2. Review of compliance with laid down procedures pertaining to selection and engagement of service providers.
3. Review of adequacy of documentation for contracts and service level agreements.
4. Review of management monitoring and control processes for compliance with the terms of service level agreements, including regulatory requirements.
5. Review of the risk management process pertaining to outsourced service providers.
Audit Area 12: Human Resources / Personnel & Administration Department
Scope of the audit:
1. Review of controls over hiring as well as termination of employees, including controls over background checking, accurate and timely set-up and processing, authorisation and maintenance of supporting documentation, and discrimination. “Know Your Employee” concept, if followed and relevant: documents obtained/verified from the employees before their engagement.
2. Verifying suitability of employment contracts, duly vetted by local lawyers, executed and held on record.
3. Review of controls over payroll, overtime and other benefits processing, including accuracy, documentation, authorisation and approval of all transactions, reconciliation and timely reporting.
4. Assessing the job descriptions for adequacy of documentation and appropriateness of job functions for personnel assigned.
5. Identifying critical operations within each department and determining if proper segregation of duties and responsibilities is in place.
6. Review and evaluation of adequacy of controls to ensure confidentiality and physical security over critical and important information.
7. Review of adherence to local laws and regulatory guidelines in respect of hiring and other related activities.
8. Review of job rotation and training needs of personnel.
9. Review of procedures pertaining to staff appraisals, training and development. Efficacy of performance appraisal of each and every employee carried out at the prescribed quarterly / half-yearly / annual intervals.
10. Review of procedures for performance-linked incentives to Sales staff.
11. Framing and documenting the disciplinary process for non-performance/misconduct.
12. “Know Your Employee”: obtaining proper documents and verification before their engagement.
13. Review of compliance with Office orders.
Audit Area 13: Administration / Facilities
Scope of the audit:
1. Review of procedures for protective arrangements and security arrangements, including in-house security arrangements / panic signals / police arrangements, etc.
2. Review of the monitoring of housekeeping arrangements.
3. Review of controls relating to records maintenance and stationery.
4. Review of procedures relating to fire fighting and alarm systems.
5. Review of procedures for access control and intruder alarm systems.
6. Review of procedures for maintaining security documents: joint custody, record retention, issue, balancing, etc.
7. Review of procedures and controls for Expatriate-related management.
8. Review of policies and procedures for Health & Safety.
9. Review of periodic Health & Safety risk assessments and implementation of remedial measures.
10. Review of fire safety and first aid arrangements.
11. Review of the adequacy and updating of Policies / manuals / job cards.
12. Comments on functioning of BMC / BMCC / RCOM and other committees.
13. Resource management, performance management and leave management.
Audit Area 14: Finance / Accounting / Reconciliation
Scope of the audit:
1. Review and evaluation of policies, procedures and internal controls covering the accounting function, including risk management and operational risk management policies.
2. Assessment of the processes in place for reconciling general ledger accounts.
3. Review and evaluation of adequacy and effectiveness of segregation of duties in the accounting function in activities like initiating, approving, processing and posting transactions and reconciliation.
4. Assessment of completeness, accuracy and timeliness of regulatory and management reporting.
5. Review of maintenance of minimum capital, if any, prescribed by the regulatory authority.
6. Review of compliance with regulatory requirements in respect of maintenance of reserves.
7. Scrutiny of vouchers / tickets pertaining to transactions in charges, sundry and suspense accounts.
8. Fixed Assets Management: acquisition, recording and disposal procedures.
9. Evaluation of the recent Fidelity insurance policy and Insurance policy document for Fixed Assets, including computer systems and cash, and assessment of whether assets are appropriately covered and whether the policy documents are up to date and have been reviewed and approved by management.
10. Review of vouchers / supporting documents for expenditure approvals, classification and reasonableness.
11. Scrutiny of the computation / application of interest in loan accounts, deposit accounts, investments, money market borrowings and placements.
12. Examination of manual debit entries to exchange / commission / interest accounts.
13. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.
Audit Area 15: Financial Institutions Group
Scope of the audit:
1. Review of the policies and procedures covering Correspondent Banking / Relationship Management Applications (RMAs).
2. Review of conduct of due diligence / risk assessment / documentation in respect of accounts of Correspondent Banks / RMAs as per the laid down policy.
3. Assessment of Compliance procedures in respect of regulatory requirements including KYC, AML and Sanctions.
Audit Area 16: Retail Branches (wherever applicable)
Scope of the audit:
Processes covered at branches under each area (as applicable):
(i) Payments (Inward and Outward remittances)
(ii) Compliance
(iii) Credit
(iv) Trade Finance
(v) Information Technology
(vi) Finance, Accounting and Reconciliation
(vii) Risk Management & Corporate Governance
(viii) Retail Operations / Deposits
(ix) SCV implementation
(x) Outsourced Service Providers - Monitoring and Control
(xi) Human Resources
(xii) Administration/Facilities
(xiii) Product & Marketing
Audit Area 17: Product & Marketing
Scope of the audit:
1. Review and evaluation of policies and procedures for new product development.
2. New Products introduced after due examination of risks and with approval of regulators.
3. Review of processes relating to Product and Marketing Communications: SBI Website, Social Media, Product Leaflets, Terms and Conditions, Tariff of Charges, etc.
Audit Area 18: Business Continuity and Disaster Recovery Plans
Scope of the audit:
1. Assessment of adequacy and effectiveness of Business Continuity and Disaster Recovery Plans for all areas of the Foreign Office.
2. Review of adequacy of BCP / DR testing (to be conducted yearly in the presence of the Internal Auditor).
Audit Area 19: Independent Testing of Action Taken Reports
Scope of the audit:
Remediation of compliances with findings of Internal Audit / Regulatory Examinations, to assess adequacy of compliance with regulatory guidelines.
Audit Area 20: Single Customer View Implementation (wherever applicable)
Scope of the audit:
1. Review of adequacy and effectiveness of the bank’s policy and procedures for SCV implementation in ensuring compliance with regulatory requirements.
2. For the SCV reporting run on the test date, review of compliance with the bank’s policy and procedures pertaining to SCV implementation.
3. Review of actions taken on previous reviews/audits conducted by regulators/auditors.
Audit Area 21: Root Cause Analysis
Scope of the audit:
For all observations made by the Internal Auditor under each of the audit areas, the IA should incorporate the root cause of the deviations observed, along with the risk arising on account of non-compliance and the recommendations.
Audit Area 22: Macro Level Assessment
Scope of the audit:
Based on the risk rating of each auditable area, the number of observations made under High Risk / Medium Risk / Low Risk categories, and the control weaknesses observed and their criticality, an overall rating for each auditable area has to be provided in the report as “Well Controlled”, “Adequately Controlled”, “Needs Improvements” or “Need Significant Improvement”. In addition, the trend of risk for each audit area needs to be provided by comparing with the risk assigned during the previous audit.
