 BSD Circular No. 08 of 2005
December 12, 2005 

The Presidents / Chief Executives
All Banks / DFIs

Dear Sirs/Madam,

Information Systems: Guidelines on Audits and
System Switchover Planning


Please refer to the SBP Guidelines on Information Technology Security issued to banks/DFIs vide BSD Circular No. 15 dated September 29, 2004. The following additional guidelines for further strengthening the IT Security are hereby issued:-

i) Banks/DFIs should have their I.T. services audited by internal or third-party auditors to ensure that adequate security and controls are in place. The auditors so engaged should review the IT-related internal controls and evaluate and validate the effectiveness of the control systems. The risk-based Information System audit should also ensure that the bank/DFI's systems and information technology are adequately secured and are meeting the needs of the business. IS audit is a continuous process and should be carried out as such; the in-house audit function should ensure that follow-up activities and reviews are performed on a regular basis. Therefore, to ensure that best practices in the field of I.T. security and control are adopted and practised in the banking industry, banks/DFIs are encouraged to establish an independent internal Information System Audit function for regular monitoring of the I.T. organizational setup and activities. The board and the management should ensure that the independence, authority and accountability of the Information System Audit function are established and maintained through an appropriate organizational setup in line with international best practices. A broad definition of Information System Audit and some general points of reference for the role of Internal Audit in relation to Information System Audit are attached as Annex-I.

ii) Furthermore, to meet growing business requirements and to improve the focus and quality of Management Information Systems, banks/DFIs are encouraged to upgrade their systems and related software.
In this regard, selecting new computer software that is compatible with internal controls and supervisory requirements is of paramount importance. Banks/DFIs must therefore ensure a smooth switchover from the existing software platform to the new one while managing the pace of its implementation. Whether the new software is developed in-house or acquired off-the-shelf, the focus should be on managing all the risks which banks/DFIs may encounter during the transition to the new software platform. Banks/DFIs should also ensure that, before introducing new I.T.-driven processes and systems for launching new products, the inherent operational risk is fully assessed and mitigated. For this purpose, a well-defined implementation plan should be drawn up to ensure that the new or changed activities arising from new products or system conversions are evaluated as a whole for operational risk prior to going live. The implementation plan for each new system development should, among other things, include a system switchover portion which focuses on identifying and mitigating the risks associated with switching over from the existing system to the new system. Moreover, banks/DFIs should analyze the compatibility and suitability of such plans against existing and future requirements. This can be done broadly on the basis of the reference points set out in the attached Annex-II, which banks/DFIs are also encouraged to take into account when embarking on new software or systems.

2) Other guidelines on the subject shall remain unchanged.

Please acknowledge receipt.

1) Annex-I

2) Annex-II

Yours faithfully,

