
Assessment: Strong - Weak, 1 2 3 4 5 (Indication of Stronger Controls - Indication of Weaker Controls)

Assessment Factor | Avg
Section 1 Control Environment | 1.87
Section 2 Risk Assessment | 3.24
Section 3 Control Activities | 2.89
Section 4 Information and Communication | 1.80
Section 5 Monitoring | 2.93

Sl | Audit Name | Audit Issue
1 | IFR Q4 2010 on Inventories | Inventories include items amounting to BDT19 million which do not qualify as inventory as per IAS 2 Inventories
2 | IFR Q4 2010 on Inventories | Inventory of Easy Load and Replacement SIMs are not valued at the lower of cost and NRV resulting in overstatement of inventories by BDT13,557,603
3 | IFR Q4 2010 on Inventories | Obsolete items amounting to BDT396,389 are not written off
4 | IFR Q4 2010 on Inventories | Central warehouse of trading inventory is located at residential area without obtaining permission from appropriate authority
5 | IFR Q4 2010 on Inventories | Inaccurate information in fire license of Gulshan warehouse
6 | IFR Q4 2010 on Inventories | VAT Registration for Gulshan warehouse is not obtained as required by the Bangladesh VAT Act 1991
7 | IFR Q4 2010 on Inventories | Absence of coordination amongst related departments on Inventory planning
8 | IFR Q4 2010 on Inventories | Inadequate fire safety training/drill for the employees
9 | In-house Developed Software | Development Related Duties & Responsibilities Are Not Captured In JD
10 | In-house Developed Software | Inadequate Practice for Risk Assessment Activity For In-house Development
11 | In-house Developed Software | Inadequate Guideline For In-house Developed Software
12 | In-house Developed Software | Absence Of Formal Segregation Between In-house Development And Support
13 | In-house Developed Software | Excessive Access To Customer Systems Production Server
14 | In-house Developed Software | Absence Of Appropriate Incident And Change Management
15 | In-house Developed Software | Inadequate Practice For Offsite Source Code Backup
16 | In-house Developed Software | Absence Of SLA With Concern Units For In-house Developed Applications
17 | In-house Developed Software | Absence of KPI Achievement Monitoring: Critical System Availability
18 | Call Center Management | Inadequate Control Over Formal Risk Assessment & Management Process For Call Center Management
19 | Call Center Management | Absence Of Guideline For Crisis Management
20 | Call Center Management | Ineffective Data Backup Management For Call Center
21 | Call Center Management | Absence Of Request Prioritization Process in Outbound Contact Center Function
22 | Call Center Management | SLA KPIs Are Not Updated in CMS System
23 | Call Center Management | Inadequate Process For Occupational Safety & Health Administration
24 | Call Center Management | Absence Of License Certification For Database
25 | Call Center Management | Absence Of AMC for Voice Recorder & Agent Management System
26 | Call Center Management | Absence Of Problem Management Process
27 | Call Center Management | Inadequate Management For Database Administration
28 | Regulatory Management | Absence of necessary number of Service Level Agreement (SLA) & comprehensive Standard Operating Procedures (SOPs) for regulatory affairs function
29 | Regulatory Management | Absence of updated Job Description (JDs) for RAD staff
30 | Regulatory Management | Absence of department level risk assessment and irregular update of Risk Register
31 | Regulatory Management | Non compliance to the SIM Registration Guideline
32 | Regulatory Management | Lack of attention on Registration compliance of SIMs sold in Chittagong Hill Tracts area
33 | Regulatory Management | Interconnection Agreements not shared with BTRC as required by BTA 2010 (Sec 47(2)(e))
34 | Regulatory Management | Corporate SIMs are excluded from barring exercise based on BTRC shared ICX report
35 | Regulatory Management | List of unbarred SIMs are not communicated to BTRC
36 | Regulatory Management | Non-Compliance to BTRC Customer Service Directive
37 | Regulatory Management | Non-Compliance to BTRC's Directive on Tariff and Marketing Promotion
38 | Regulatory Management | Absence of analyzing the SIMs barred for suspected involvement in VOIP
39 | Regulatory Management | Delayed barring of SIMs suspected for VOIP
40 | Regulatory Management | Absence of monitoring on barred SIM to prevent subsequent unauthorized unbarring
41 | Regulatory Management | Absence of formal process for monitoring of Frequency use and border sites coverage
42 | Advance, Deposit and pre-payment | Absence of Comprehensive Guidelines for Advance, Deposit and Prepayments
43 | Advance, Deposit and pre-payment | Inadequate Justification for Advance Requests
44 | Advance, Deposit and pre-payment | Unrealized/unadjusted outstanding advances to Employee and Vendor
45 | Advance, Deposit and pre-payment | Absence of formal framework for Vendor wise Advance Monitoring
46 | Network Quality and Availability | Absence Of Documented SOP/Guideline For Core Activities
47 | Network Quality and Availability | Inadequate Practice Of Formal Risk Management
48 | Network Quality and Availability | Ineffective PAT Process For Site Handover
49 | Network Quality and Availability | Inadequate Change Management Process For BTS Logical Configurations
50 | Network Quality and Availability | Poor Achievements Of Customer Complaint Resolution
51 | Network Quality and Availability | Inappropriate Closure Of Radio Network Related Customer Complaints
52 | Network Quality and Availability | Inappropriate Presentation Of Customer Complaint Records
53 | Network Quality and Availability | Absence Of Monitoring For More Than 50% Microwave Links
54 | IFR on Trade and Other Receivables | Net off payments received from IGW operators are credited under Receivables causing overstatement in Receivable and Payable Line items for Receivable
55 | IFR on Trade and Other Receivables | Long pending open line items in General Ledgers of Receivables from Roaming Partners despite payments are made
56 | Interconnect Billing | Inadequate Documented SOP / Guideline for Inter Operator Settlement
57 | Interconnect Billing | Absence Of Documented SOP For Interconnection Management
58 | Interconnect Billing | Inadequate Practice Of Formal Risk Assessment
59 | Interconnect Billing | Operational Inefficiency Due To Inherent Limitations Of Interconnect Billing System
60 | Interconnect Billing | Absence Of Formal Change Management For Interconnect Billing System
61 | Interconnect Billing | Security Vulnerabilities Of Interconnect Web Application And Related Database User Accounts
62 | Interconnect Billing | Inadequate Management Of In-house Developed Interconnect Billing Web Applications
63 | Interconnect Billing | Absence Of SLA Among Interconnection Billing Related Stakeholders
64 | Interconnect Billing | Use Of Unlicensed And Unsupported Monitoring Tool
65 | Information Security Project | Ineffective Project Management By Project Manager
66 | Information Security Project | Absence Of Formal Project Organization Structure
67 | Information Security Project | Inadequate Project Initiation Documentation
68 | Information Security Project | Absence Of Project Risk Management Process
69 | Information Security Project | Poor Achievement Of Project Scope & Objectives
70 | Information Security Project | Inadequate Project Resource And Poor Time Management
71 | Information Security Project | Inadequate Project Issue Management Process
72 | Information Security Project | Inadequate Work Breakdown Structure For IS Projects
73 | Information Security Project | Absence Of Project Quality Management Process
74 | Information Security Project | Absence Of Project Change Management Process
75 | Information Security Project | Absence Of Project Status Report From Project Manager
76 | Information Security Project | Inconsistent Data In Project Highlight Report from PMO & Internal Support Unit
77 | Information Security Project | Inadequate Involvement Of Project Steering Committee
78 | Information Security Project | Absence Of Project Monitoring Function
79 | Insurance & Financial Risk Management | Absence of practice methodical financial risk identification.
80 | Insurance & Financial Risk Management | Inappropriate insurance coverage for trading inventory and CWIP
81 | Insurance & Financial Risk Management | Inappropriate method for calculating insurable value of network equipments
82 | Insurance & Financial Risk Management | Asset under Construction (AUC) at site are not covered by insurance policy.
83 | Insurance & Financial Risk Management | Inappropriate procedure for covering insurable interest of assets under NSN swap project.
84 | Insurance & Financial Risk Management | Discontinuation of monthly reporting of insurance management
85 | PIR of NSN Project (Swap) | Absence Of Project Manager Of NSN Swap Project Since January 2011
86 | PIR of NSN Project (Swap) | Inadequate Project Risk Assessment and Monitoring Function
87 | PIR of NSN Project (Swap) | Poor Quality Of Workmanship By NSN Contractors
88 | PIR of NSN Project (Swap) | Poor Achievement Of Radio KPI and Increased Customer Complaint in Swap Area
89 | PIR of NSN Project (Swap) | Deployment Of Additional E1 For Achieving EDGE Capability
90 | PIR of NSN Project (Swap) | Absence of Site Wise Comprehensive PAT (Provisional Acceptance Test)
91 | PIR of NSN Project (Swap) | Inadequate Fault Management and SPMS support from NSN
92 | PIR of NSN Project (Swap) | Incomplete Deliverables From NSN Swap Project
93 | PIR of NSN Project (Swap) | Absence Of Expected Financial Benefit Realization Monitoring
94 | PIR of NSN Project (Swap) | Inappropriate Procedure For Fixed Asset Recognition, Reporting And Management Under SWAP Project
95 | Channel Distribution Management | Critical Functions are not Assigned
96 | Channel Distribution Management | Inadequate Control Over Formal Risk Assessment & Management Process For Channel Distribution Management (CDM)
97 | Channel Distribution Management | Fraudulent Activation by Channel
98 | Channel Distribution Management | High Number of Non Revenue Generating Activations
99 | Channel Distribution Management | Existence of wholesalers in CC Regions
100 | Channel Distribution Management | Deficiency Within Commission Management Process
101 | Channel Distribution Management | Inadequate Control within SIM Re-initialization Process from Channel.
102 | Channel Distribution Management | Poor Quality Performance by STS vendor
103 | Channel Distribution Management | Inadequate Administration Of STS Database
104 | Channel Distribution Management | Absence Of Appropriate Change Management Procedure
105 | Channel Distribution Management | Inadequate Problem Management Process
106 | Channel Distribution Management | Inappropriate Customer Registration Compliance Reporting
107 | Channel Distribution Management | Inadequate Communication and Implementation Of Approved Security Policy
108 | Channel Distribution Management | Risk Of STS Service Unavailability: Ineffective Operating System Monitoring
109 | IFR on Accrued Expenses and Provision for Liabilities | Inadequate provision made for provision for income tax and interest on loans.
110 | IFR on Accrued Expenses and Provision for Liabilities | Overstatement of provision for local and IDD (IGW) operators by BDT 1,112.28 million
111 | Fixed Asset and CWIP | Non recognition of fixed asset although recognition criteria as per International Accounting Standard (IAS) 16 are met
112 | Fixed Asset and CWIP | Under statement of Capital Work in Progress (CWIP)
113 | Fixed Asset and CWIP | Non issuance of GR of CAPEX causing delayed assetization
114 | Fixed Asset and CWIP | Asset transfers are not properly reflected in the asset register
115 | Fixed Asset and CWIP | Inadequate control of physical asset in BTS and BSC sites
116 | Fixed Asset and CWIP | Absence of ownership/process for monitoring BTRC compliances of asset deployment
117 | Procurement | Splitting of Procurement Transactions both at PR and PO level
118 | Procurement | Absence of formalized process for vendor data management
119 | Procurement | Inadequate control on procurement negotiation process.
120 | Procurement | Lack of physical security of Quotation box.
121 | Procurement | Delayed issuance of PO and delayed handing the PO to vendor.
122 | Procurement | Absence of effective vendor performance evaluation.
123 | Project Review: M-Commerce | Ineffective Project Governance Process
124 | Project Review: M-Commerce | Absence Of Training Need Assessment (TNA) & Training
125 | Project Review: M-Commerce | Absence Of Project Risk Management Process
126 | Project Review: M-Commerce | Non-Compliance With Fraud Management Clause Of Agreement
127 | Project Review: M-Commerce | Absence Of Project Issue Management Process
128 | Project Review: M-Commerce | Absence Of Project Quality Management Process
129 | Project Review: M-Commerce | Inadequate Project Status Report From Project Manager
130 | Project Review: M-Commerce | Deficiency Within Remittance Disbursement Process Due to Inadequate Communication
131 | Project Review: M-Commerce | Absence Of Project Steering Committee
132 | Project Review: M-Commerce | Inconsistent Project Reporting
133 | Project Review: M-Commerce | Inadequate Post Launch Review
134 | Power System Management | Inadequate Documented SOP / Guideline for Power System Implementation
135 | Power System Management | Absence of Formalized Job Description for Power System Implementation and Power System Operation Employees
136 | Power System Management | Inadequate Practice of Formal Risk Management
137 | Power System Management | Inadequate Control on Financial Losses Due to Inefficient Use of Fuel
138 | Power System Management | Ambiguity on Accountability for Office Power related Activity
139 | Power System Management | Absence of Formalized Key Management Process
140 | Power System Management | Absence of Timeline Mentioned and Non compliance to the Recommendation of Budgetary Approval Note for Payment of Labor Cost to Replace Old Batteries
141 | Revenue Assurance | Ineffective RAFM KPI: Revenue Leakage Percentage
142 | Revenue Assurance | Inadequate Practice Of Formal Risk Management
143 | Revenue Assurance | Inadequate Security For Source Code And Database Server
144 | Revenue Assurance | Absence Of Process To Exclude Overcharge From Revenue
145 | Revenue Assurance | Inadequate Recording Of Trouble And Change Management
146 | Revenue Assurance | Developers Access To RAFM's Production Server Is Not Restricted
147 | Revenue Assurance | Inadequate SLA with OSS & Office IT
148 | SAP Application and General Control | Potential conflict of interest and improper segregation of duties on user access to transaction code in system
149 | SAP Application and General Control | Inadequate knowledge of detail features provided by SAP to support business operations & monitoring requirement
150 | SAP Application and General Control | Inadequate system configuration for PO related creation and tolerance limit of delivery
151 | SAP Application and General Control | Inadequate system configuration on Goods Receipt and Invoice Receipt processes
152 | SAP Application and General Control | Inadequate system configuration for reporting & monitoring purposes.
153 | SAP Application and General Control | Inadequate SOP for SAP basis and other administrative activities
154 | SAP Application and General Control | Inadequate compliance with RAx technology security policy
155 | SAP Application and General Control | Inadequate governance for Master Data Management
156 | SAP Application and General Control | Inadequate practice of formal risk management
157 | SAP Application and General Control | Inappropriate configuration in SAP production system
158 | SAP Application and General Control | Inadequate management of SAP user authorization and roles
159 | SAP Application and General Control | Inadequate authorization review process for leavers and movers
160 | SAP Application and General Control | Inadequate security configuration for SAP production system
161 | SAP Application and General Control | Excessive access to SAP production system
162 | SAP Application and General Control | Absence of SLA with stakeholders
163 | Related Party Transaction | Non compliance to Foreign Exchange Regulation Act 1947
164 | Related Party Transaction | Non compliance to RAx policy regarding Related Party Transaction
165 | Related Party Transaction | Stamp duty for Technical & Management Service Agreement with Axiata Group Berhad has not been paid
166 | Winning/Defense Initiatives | No Formal Risk Assessment Process For Winning/Defense Initiatives/Strategies & Execution
167 | Winning/Defense Initiatives | Lack Of Adequate Control Over Research Function
168 | Winning/Defense Initiatives | PPLM Process Guidelines Are Found Un-updated
169 | Winning/Defense Initiatives | Non-Compliance With PPLM process
170 | Winning/Defense Initiatives | Inadequate Control Over Pricing Process
171 | Winning/Defense Initiatives | Inadequate Information Dissemination Within W/D Strategic Priorities/Initiatives
172 | Winning/Defense Initiatives | Absence Of Strategy Monitoring Process
173 | Information Technology Governance | Inadequate Alignment Of IT Strategy Plan
174 | Information Technology Governance | Inadequate Accountability For IT Governance
175 | Information Technology Governance | Inadequate Involvement Of IT Steering Committee
176 | Information Technology Governance | Inadequate Process For IT Governance Focus Area
177 | Information Technology Governance | Inadequate Monitoring Of IT Value Delivery
178 | IFR on Cash and Bank Balances | BDT 71 million paid but not recorded in the GL
179 | IFR on Cash and Bank Balances | Sales proceeds are deposited in the Operational Account instead of Collection Accounts as required by the Treasury Policy
180 | IFR on Cash and Bank Balances | Interest income and foreign exchange gain have not been timely recognized
181 | IFR on Cash and Bank Balances | Collection in Hand (Sales proceeds) are deposited into bank account but not recorded in SAP on a timely basis
182 | Debt Management | Absence of cross functional SOP/SLA for ensuring compliance to RAx's undertakings mentioned in the loan agreement
183 | Debt Management | Inadequate risk assessment on debt management by Corporate Finance
184 | Data, VAS & Devices | Absence Of Formal Risk Assessment & Management Process
185 | Data, VAS & Devices | Inadequate Control Over Business Plan & Execution of Related DVD Strategy
186 | Data, VAS & Devices | Non-Compliance With Pricing, Product Life Cycle Management Process (PPLM)
187 | Data, VAS & Devices | Important Positions Are Not Assigned
188 | Data, VAS & Devices | Inadequate Customer Awareness Program For Volume Based Data Bundle Migration
189 | Data, VAS & Devices | Inadequate Information Dissemination Within DVD Process/Initiatives
190 | Data, VAS & Devices | Lack Of Formal Review & Monitoring On DVD Function

Codification of 17 principles embedded in the original Framework


Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
