1. …with KYC/AML, Regulatory Requirements and Reporting
1. Review of the KYC, AML, Sanctions policy. Ascertaining whether policies, procedures and internal controls associated with KYC, AML, sanctions laws, rules and regulations are appropriately documented, up to date and effectively communicated to the bank staff.
2. Review/Scrutiny of new account documentation, including customer due diligence for compliance with regulatory guidelines, KYC/AML standards and bank policies and procedures.
3. Assessment of the procedures for customer risk rating, including periodic reviews, as per policy and regulatory guidelines.
4. Review of adequacy of Enhanced Due Diligence performed on High Risk customers and quality of related documentation.
5. Identification of beneficial owner as per policy and regulations.
6. Assessment of the procedures for transaction monitoring.
7. Assessment of monitoring performed over inward / outward remittances / LCs / BGs for suspicious transactions.
8. Review of compliance with regulatory stipulations in respect of cross-border remittances.
9. Verification of procedures for screening and reporting of unusual / suspicious transactions.
10. Determining adequacy of segregation of duties.
11. Verification of implementation of measures to prevent / detect terrorist financing.
12. Verification of compliance with audit findings of the latest regulatory examination report and prior audit report, and follow up with management on action taken (or in progress) in response to reported observations and test the controls, if applicable.
13. Review of staff training and knowledge in respect of KYC, AML, Sanctions, Data Protection, TCF rules, regulations, policy and procedures.
14. Determining the adequacy of management oversight through examining follow up and disposition of investigations on a sample of unusual / suspicious activity.

Compliance with Regulatory Requirements, Internal and External Reporting
1. Review of operational policies in respect of code of conduct, KYC, AML, Sanctions, Treating Customers Fairly, Data Protection, Anti Bribery & Corruption and other applicable regulations, credit, asset maintenance, investments, deposits, funds transfers and remittances security, international banking activities, etc.
2. Review of adequacy of scenarios in AMLOCK for transaction monitoring and alert generation for suspicious transactions and AML/KYC non-compliant accounts.
3. Interaction with key personnel to ascertain knowledge of compliance activities including internal controls, monitoring and reporting.
4. Review of adequacy of compliance testing programme and quality of compliance testing.
5. Review and evaluation of the adequacy of training and processes to ensure sufficient knowledge levels of personnel concerning compliance with all related regulations.
6. Review of status with regard to holding of compliance related trainings for staff as per the laid down policy and maintenance of records relating to such trainings.
7. Review of new deposit accounts documentation and disclosures for compliance with local regulations.
8. Review of the processes and controls to ensure the timeliness and accuracy of periodic reports to be submitted by the Compliance Officer to Regional Head / Country Head / CEO of Branch.
9. Review of the processes and controls in place to ensure the timeliness and accuracy of the reports submitted to local regulators.
10. Review of the processes and controls in place to ensure integrity of what is reported to RBI / host country regulators.
11. Review of the quality of compliance certifications submitted to IBG.
12. Review of timeliness of periodic reporting to controllers regarding compliance matters.
13. Review of submission of comments / compliance reports to the local regulators / IBG regarding regulatory audits / statutory audits / central office audits.
14. Review of the process of submission of Branch Manager’s monthly certificate.
15. Review of reporting of compliance breaches to IBG promptly, including any violations pointed out by local regulators, and assessing controls which have been implemented in relation to these to ensure compliance.
16. Review of status with regard to holding of Compliance Committee Meetings at stipulated periodicity and quality of discussions at the meeting.
17. Review of the effectiveness of compliance function in monitoring compliance with Home Country / Host Country Regulations.
18. Review of role of compliance function in new product/process approval.
19. Review of violations, if any, pointed out by the Local Regulators.
20. Review of maintenance of minimum capital, if any, prescribed by regulatory authority.
21. Review of Exposure Limits being tracked and strictly adhered to.
22. Review of compliance with regulatory requirements in respect of maintenance of reserves.
23. Review of submission of Regulatory returns on time.
24. Review of outsourced activities.
25. Review of periodical reporting of KRI.
26. Review of Common Reporting Standard (CRS) implementation on half yearly basis.
27. Review of Risk Management process.
28. Review of MIS and exception reports.
29. Review of monitoring of transactions with sanctioned or sensitive jurisdictions and correspondent banking relationships.
30. Compliance with Common Reporting Standard (CRS).

2. Commercial Credit
1. Review and evaluation of compliance with credit policy, procedures and internal controls.
2. Review of CRA, if undertaken, as per the laid down policy.
3. Scrutiny of new loans and advances covering compliance with “Scheme of Delegation of Financial Powers (Foreign Offices)”.
4. Scrutiny of new loans and advances covering compliance with pre-disbursal formalities and documentation.
5. Review of enforceability of loan documents, securities, their creation and perfection, and confirmation regarding enforceability and validity of documents from the legal counsel.
6. Scrutiny of enhancements/reductions/renewal of existing limits including loan origination for approval according to the bank’s authority structure, appropriateness of documentation and reporting to senior management.
7. Review of collateral requirements and compliance with all terms and conditions of sanction/approval.
8. Review of adequacy of insurance coverage of security.
9. Verification of updating of loan information such as loan amount, interest rates, classification, repayment schedule, review/renewal date, stock statement date, external ratings of banks, etc. in the system.
10. Capturing all exposures appropriately in the system (Finacle/BEXI) and reporting to IBG.
11. Review of adherence to prudential norms and exposure limits, tracking Single Borrower/Group Exposure limits, Industry-wise exposure, unsecured exposure and strict adherence.
12. Review of conduct of loan accounts viz. repayment, excess drawings, submission of financial and other statements, etc.
13. Review of submission of periodical information by the borrower and its due analysis at the branch.
14. Review of periodicity of unit inspection and submission of the report.
15. Review of periodic testing of compliance of borrower accounts with financial covenants as per policy.
16. Review of new products, introduced after due examination of risks and with approval of regulators, if required.
17. Review of follow up procedures / actions for recovering overdues and adjustment of irregularities.
18. Reporting of overdues / irregularities for confirmation/information of the appropriate authority.
19. Review of recovery / income leakage in the areas of interest rate maintenance and collection of service charges including loan processing fees / upfront fees.
20. Review of documentation and compliance with terms of Credit Insurance.
21. Ensuring that RMAs with Foreign Banks are valid and adequate Bank Exposure Limit is available before assuming exposure.
22. Review of asset classification and adequacy of Allowance for Loan and Lease Loss.

3. Trade Finance
1. Determining the effectiveness of policies and procedures covering Trade Finance and, for a sample of transactions, testing compliance thereof.
2. Review of compliance with Sanctions / Trade Based Money Laundering / Transaction Monitoring related regulations and procedures.
3. Review of compliance with Bank’s Policies, Procedures and ICC rules and guidelines relating to Trade Finance.
4. Review of control aspects that impact Trade Finance such as structure, segregation of duties and the integrity, knowledge level and competence of personnel.
5. Review of import and export letter of credit transactions including opening, advising, confirming and negotiations.
6. Review of pertinent financial records and management reports related to Trade Finance to determine that there is proper reporting/recording of assets, liabilities and contingent liabilities and adequate information to control work in process and determine timeliness of processing.
7. Review of the adequacy of scrutiny of bills (negotiated, purchased, discounted, collected).
8. Review of outgoing payments and SWIFT reports to assess their adequacy for the purpose of determining that all daily transactions were processed.
9. Review of linkage of SWIFT with Finacle.
10. Review of process in place to ensure 100% verification of all financial and non-financial SWIFT messages having implications on the exposure of the bank.
11. Review of process in place to ensure no SWIFT message is sent without ensuring reflection of the transaction in Finacle.
12. Review of controls for collection of service charges and interest, including follow up procedures for overdue bills / charges / default cases.
13. Evaluating the access to and safekeeping of bills and documents.
14. Ensuring that RMAs with Foreign Banks are valid and adequate Bank Exposure Limit is available before assuming exposure.
15. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.
16. Review of process in place for checking invoice price against price available on approved / reliable web sites.

4. Inward and Outward Remittances
1. Familiarising with the paying/receiving and remittance functions through discussion with department personnel and management, review of prior year audit reports and examination of policy and procedures.
2. Compliance with AML / CFT guidelines and identification of beneficial owners.
3. Review and evaluation of the adequacy of control in handling SWIFT incoming / outgoing messages, including handling of undelivered messages.
4. Review and evaluation of effectiveness of checking of inward / outward remittances and disposal for accuracy and timeliness.
5. Review and evaluation of the key controls over the clearing system.
6. Review of remittance department’s procedures and practice relating to KYC/AML.
7. Review of maintenance of Security forms / Books.
8. Checking correctness of commission/exchange.
9. Review of compliance with bank’s stipulated guidelines and procedures and regulatory requirements for inward / outward remittances.
10. Maintenance of specimen signatures and execution of Standing Instructions.
11. Review of Special/Concessionary arrangements extended for appropriate approvals / documentation.
12. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.
13. Review of overall legislative compliance framework including compliance register.

5. Information Technology
1. Verification of General IT controls for all the systems used at Foreign Office, including logical access controls and exposures like unauthorised access, authorisation issues, password management, etc. in respect of Finacle Core, Finacle Treasury, SWIFT, Finacle Nostro Reconciliation, ACE Pelican, Internet Banking, Oracle Database, SQL Database, Windows AD, etc.
2. Review of effectiveness and accuracy of automated controls including system suspense entries and review of exception reports and other control reports.
3. Review of the control environment in network security like blocking unrelated/unauthorised IP addresses, firewall, IDS, social engineering, viruses, worms, etc.
4. Review of the following input and output controls: Finacle Treasury (summary of balances) to Finacle Core; SWIFT messaging and confirmations; Finacle NOSTRO reconciliation; changes to customer data on INB module to Finacle; and ACE Pelican to Finacle Core for sanctions screening.
5. Review of physical access controls to IT infrastructure, including DR site, for determining that approved BCP / DRP exists and is updated & tested periodically.
6. Review of environmental exposures and controls for IT infrastructure.
7. Review of Systems/Processing/Data integrity and data security in relation to Middle Office controls, specifically where data is downloaded by IT and sent to Middle Office, who then upload it to another tool to extract financial and regulatory reporting.
8. Audit of IT risk in locally purchased software / applications.
9. Review of compliance with clean desk policy through various methods like periodic walk-through, reports etc.
10. Updating Antivirus on all end points periodically.
11. Using current and updated Operating Systems.
12. Incident management reporting.

Cyber Security / GDPR:
1. Establishment of Standard Operating Procedure for connecting devices to the Network.
2. Establishment of baseline controls relating to system access control, data integrity, audit trail, security event tracking, exception handling etc.
3. Configuration Management to ensure integrity of any changes.
4. Conducting application security testing.
5. Documenting risk based strategy for inventorying IT components.
6. Scanning of email attachments to detect malware.
7. Encryption of all credentials of the customer.
8. Authentication framework to provide identity verification of Bank to customers.
9. Control over vendor / outsourcing activities.
10. Defining types of media that can be sent / received / copied / transferred.
11. Existence of Active Directory / End Point Management System.
12. Maintaining a white list of authorised websites required for business.
13. Conducting Vulnerability and Penetration Testing before adopting new application.
14. Conducting Cyber Security Drill.
15. Notifying customers about transactions in their account through multiple communication

6. Retail Operations / Deposits
1. Review and evaluation of policies and procedures related to deposits operations.
2. Evaluation of the strength of the people, processes and controls within deposit operations by reviewing internal reporting (management and operating), organisation charts, policies and procedures, quality of system generated information, etc.
3. Review of adequacy of internal controls surrounding Retail Operations including processing of payments (inward and outward Faster Payments, inward and outward cheque clearing, Direct Debits, standing orders, etc.).
4. Review of Office accounts reconciliation procedures - Sundry/Suspense accounts.
5. Review of controls relating to cash retention limit.
6. Review and evaluation of policies and procedures for opening new deposit accounts, including online account opening.
7. Review of procedures for ATM/debit cards issuance, inventory and servicing.
8. Review of procedures for internet banking registration and servicing.
9. Identifying key risks within Call Centre operations and assessing the effectiveness of the controls in place to mitigate those risks.
10. Review of procedures for ensuring proper interest rates application to deposits and review of method of calculating interest on deposits.
11. Review of controls related to overdrafts by evaluating the method of monitoring overdraft activity and charging service fees to overdrawn accounts.
12. Review of controls over dormant accounts and dormant account activity.
13. Review of adequacy of segregation of duties within deposit operations including mailing of depositors’ statements.
14. Evaluation of processes and controls to ensure compliance with regulatory laws and guidelines including KYC, AML, Sanctions, Treating the Customer Fairly (TCF) and Data Protection, related to the Retail operations.
15. Assessing Compliance with Corporate Accounts Review process.
16. Review of adequacy and effectiveness of the CRM process.
17. Review of Complaints management process.

7. Risk Management and Corporate Governance
1. Review of process and controls to manage market, credit, regulatory, operational and strategic risks.
2. Compliance with ORM Policy and Manual of the Bank - RCSA, Key Risk Indicators (KRIs) - Monitoring & Reporting, Reporting of Internal Loss Data (Near Miss / Loss Data) & External Loss Data and Reporting of Operational Risk losses.
3. Changes in and introduction of products / processes / systems are carried out in accordance with Change Management Framework (CMF) guidelines.
4. Review of processes for preparation and review of management information and reporting to senior management.
5. Review of processes pertaining to Fraud Management including fraud indicators and attempted frauds and assessment of fraud risk.
6. Review of conduct of Risk Management Committee meetings at stipulated periodicity and the quality of discussions, and tracking and monitoring of follow up action on directions.
7. Correctness of the external ratings of banks captured in the system.
8. Review of status of monitoring of credit exposures (Individual / Group exposure / Industry-wide exposure / unsecured exposure).

8. Treasury (Dealing Room, Forex back office and middle office)
1. Adherence to Internal Control Guidelines.
2. Appropriateness of dealing room procedures (front office).
3. Review and evaluation of compliance with (a) Trading Policy, (b) Derivatives Policy, (c) Policy for Trading in G-Sec & Equities (wherever applicable), (d) ALM Policy for Foreign Offices, (e) Market Risk Management Policy and (f) Limit Management Framework.
4. Identify and evaluate the controls around the monitoring of Profit & Loss.
5. Reconciliation of NOSTRO entries on T+1 basis.
6. Monitoring and control of dealing activities including review of exception reporting, related risk management issues and Disaster Recovery Management.
7. Review of revaluation of foreign currency open positions as per extant guidelines.
8. Review of Offshore borrowing – Compliance with regulatory guidelines and tax implications thereon.
9. Review of process in place for monitoring and reporting of exposure limits.
10. Review of Back Office and dealing settlement procedures.
11. Review of follow up procedures for Default cases.
12. Review of the effectiveness of funding structure.
13. Review of Liquidity Risk Management (LRM), including status of compliance with ALM Policy provisions as well as guidelines of RBI / Host Country regulators.
14. Review of Compliance with RBI / IBG guidelines on Country Risk monitoring, verification of Country Risk Management Return and reporting of breaches.
15. Review of processes and controls surrounding risk monitoring including adherence to NOOP limit, VaR, Stop Loss, Modified Duration of Bonds, PV01 of Derivatives; Hedge Effectiveness testing and validation; approval of divestment breaches; Counterparty Limits and Capital Calculation.
16. Review of validity of RMAs with Foreign Banks and availability of adequate Bank Exposure Limit before assuming exposure.
17. Appropriateness of all exposures captured in the system (Finacle/BEXI) and reporting to IBG.
18. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.
19. Review of Exception reporting.

9. SSA of Dealing Rooms
1. Evaluation of Dealing Room Policy and procedure.
2. Review of functional segregation between Front Office / Mid Office / Back Office.
3. Review of selection and training of Dealers.
4. Review of duties of Dealers.
5. Evaluation of dealing procedure, Voice recording, rotation of dealers, code of conduct and electronic order matching system.
6. Review of dealing hours, off-premises and after office hours trading.
7. Evaluation of Electronic Data Processing System.
8. Review of dealings in Exchange Traded Currency products.
10. Review of Coordination between Front Office / Mid Office / Back Office.
11. Review of dealings through exchange brokers (nomination of brokers / broker panels, Complaints against the brokers, payment of brokerage, malpractices by brokers).
12. Review of management of Credit Risk, Liquidity Risk, Interest Rate Risk, Operational Risk, Legal Risk, evaluation of risk management process & responsibilities of senior management.
13. Review of reporting system – Management Information System (MIS).
14. Review of record keeping & preservation of records.
15. Evaluation of foreign exchange profit and loss.
16. Review of reconciliation of NOSTRO / VOSTRO accounts on T+1 basis.

10. Investments
1. Scrutiny of new investments including approval and documentation.
2. Assessment of the controls around reconciliation and review of investments including source and use of funds objectives, liquidity parameters, permissible types of investments, maturity guidelines, interest margin guidelines, acceptable levels of interest rate risk and reporting mechanisms categorised to ensure compliance with the Branch Investment policy.
3. Review of adherence to authorisation limits and appraisal and approval process.
4. Review and evaluation of compliance with bank / branch investment policy.
5. Review of exceptions reporting.
6. Review of process for monitoring secondary market prices.
7. Review of categorisation of investments including compliance with regulatory / IBG categorisation guidelines.
8. Review of Risk Management including monitoring and review of individual investments.
9. Review and evaluation of controls surrounding accounting of investments in line with accounting policies and regulatory guidelines.
10. Review of the process around evaluation of performance of investment portfolio.
11. Review of RMAs with Foreign Banks to ensure they are valid and adequate Bank Exposure Limit is available before assuming exposure.
12. Valuation and accounting of investments as per regulatory guidelines.

11. Outsourced Service Providers – monitoring
1. Review of adequacy and effectiveness of policy and procedures governing outsourced service providers.
2. Review of compliance with laid down procedures pertaining to selection and engagement of service providers.
3. Review of adequacy of documentation for contracts and service level agreements.
4. Review of management monitoring and control processes for compliance with the terms of service level agreements, including regulatory requirements.
5. Review of risk management process pertaining to outsourced service providers.

11. Human Resources / Personnel & Administration Department
1. Review of controls over hiring as well as termination of employees activities, including controls over background checking, accurate and timely set-up and processing, authorisation and maintenance of supporting documentation and discrimination. “Know Your Employee” concept, if followed and relevant, documents obtained/verified from the employees before their engagement.
2. Verifying suitability of employment contracts, duly vetted by local lawyers, executed and held on record.
3. Review of controls over payroll, overtime and other benefits processing including accuracy, documentation, authorisation and approval of all transactions, reconciliation and timely reporting.
4. Assessing the job descriptions for adequacy of documentation and appropriateness of job functions for personnel assigned.
5. Identifying critical operations within each department and determining if proper segregation of duties and responsibilities is in place.
6. Review and evaluation of adequacy of controls to ensure confidentiality and physical security over critical and important information.
7. Review of adherence to local laws and regulatory guidelines in respect of hiring and other related activities.
8. Review of job rotation and training needs of personnel.
9. Review of procedures pertaining to staff appraisals, training and development. Efficacy of performance appraisal of each and every employee carried out at the prescribed quarterly / half yearly / annual intervals.
10. Review of procedures for performance linked incentives to Sales staff.
11. Framing and documenting the disciplinary process for non-performance/misconduct.
12. “Know Your Employee” – obtaining proper documents and verification before their engagement.
13. Review of compliance with Office orders.

13. Administration / Facilities
1. Review of procedures for Protective arrangements, security arrangements including in-house security arrangements / panic signals / police arrangements, etc.
2. Review of the monitoring of housekeeping arrangements.
3. Review of controls relating to records maintenance and stationery.
4. Review of procedures relating to Fire Fighting and alarm systems.
5. Review of procedures for access control and intruder alarm systems.
6. Review of procedures for maintaining security documents – Joint custody, record retention, issue, balancing, etc.
7. Review of procedures and controls for Expatriate related management.
8. Review of policies and procedures for Health & Safety.
9. Review of periodic Health & Safety risk assessments and implementation of remedial measures.
10. Review of fire safety and first aid arrangements.
11. Review of the adequacy and updating of Policies / manuals / job cards.
12. Comments on functioning of BMC / BMCC / RCOM and other committees.
13. Resource Management, performance management and leave management.

14. Finance / Accounting / Reconciliation
1. Review and evaluation of policies, procedures and internal controls covering accounting function including risk management and operational risk management policies.
2. Assessment of the processes in place for reconciling general ledger accounts.
3. Review and evaluation of adequacy and effectiveness of segregation of duties and accounting function in activities like initiating, approving, processing and posting transactions and reconciliation.
4. Assessment of completeness, accuracy and timeliness of regulatory and management reporting.
5. Review of maintenance of minimum capital, if any, prescribed by the regulatory authority.
6. Review of compliance with regulatory requirements in respect of maintenance of reserves.
7. Scrutiny of vouchers / tickets pertaining to transactions in charges, sundry and suspense accounts.
8. Fixed Assets Management / acquisition, recording and disposal procedures.
9. Evaluation of recent Fidelity insurance policy and Insurance policy document for Fixed Assets including computer systems and cash, and assessing whether assets are appropriately covered and whether the policy documents are up to date and have been reviewed and approved by management.
10. Review of vouchers / supporting documents for expenditure approvals, classification and reasonableness.
11. Scrutiny of the computation / application of interest in loan accounts, deposit accounts, investments, money market borrowings and placements.
12. Examination of manual debit entries to exchange / commission / interest accounts.
13. Review of adequacy of controls in respect of incoming/outgoing SWIFT messages.

15. Financial Institutions Group
1. Review of the policies and procedures covering Correspondent Banking / Relationship Management Applications (RMAs).
2. Review of conduct of due diligence / risk assessment / documentation in respect of accounts of Correspondent Banks / RMAs as per the laid down policy.
3. Assessment of Compliance procedures in respect of regulatory requirements including KYC, AML and Sanctions.

16. Retail Branches (wherever applicable)
Processes covered at branches under each area (as applicable):
(i) Payments (Inward and Outward remittances)
(ii) Compliance
(iii) Credit
(iv) Trade Finance
(v) Information Technology
(vi) Finance, Accounting and Reconciliation
(vii) Risk Management & Corporate Governance
(viii) Retail Operations / Deposits
(ix) SCV implementation
(x) Outsourced Service Providers - Monitoring and Control
(xi) Human Resources
(xii) Administration / Facilities
(xiii) Product & Marketing

17. Product & Marketing
1. Review and evaluation of policies and procedures for new product development.
2. New Products introduced after due examination of risks and with approval of regulators.
3. Review of processes relating to Product and Marketing Communications - SBI Website, Social Media, Product Leaflets, Terms and Conditions, Tariff of Charges, etc.

18. Business Continuity and Disaster Recovery Plans
1. Assessment of adequacy and effectiveness of Business Continuity and Disaster Recovery Plans for all areas of Foreign Office.
2. Review of adequacy of BCP / DR testing (to be conducted yearly in the presence of Internal Auditor).

19. Independent Testing of Action Taken Reports
Remediation of compliances with findings of Internal Audit / Regulatory Examinations, to assess adequacy of compliances with regulatory guidelines.

20. Single Customer View Implementation (wherever applicable)
1. Review of adequacy and effectiveness of bank’s policy and procedures for SCV implementation in ensuring compliance with regulatory requirements.
2. For the SCV reporting run on the test date, review compliance with bank’s policy and procedures pertaining to SCV implementation.
3. Review of actions taken on previous reviews/audits conducted by regulators/auditors.

21. Root Cause Analysis
For all observations made by the Internal Auditor under each of the audit areas, the IA should incorporate the root cause for the deviations observed, along with the risk arising on account of non-compliance and the recommendations.

22. Macro Level Assessment
Based on the risk rating of each auditable area, the number of observations made under High Risk / Medium Risk / Low Risk categories, and the control weaknesses observed and their criticality, an overall rating for each auditable area has to be provided in the report as “Well Controlled”, “Adequately Controlled”, “Needs Improvement” or “Needs Significant Improvement”. In addition, the trend of risk for each audit area needs to be provided by comparing it with the risk assigned during the previous audit.