The Presidents / Chief Executives
All Banks / DFIs

Dear Sirs/Madam,

Information Systems: Guidelines on Audits and System Switchover Planning

Please refer to the SBP Guidelines on Information Technology Security issued to banks/DFIs vide BSD Circular No. 15 dated September 29, 2004. The following additional guidelines for further strengthening IT Security are hereby issued:-
i) Banks/DFIs should get their I.T. services audited by internal / third party auditors to ensure that adequate security and controls are in place. The internal / third party auditors so engaged should review the IT related internal controls and evaluate / validate the effectiveness of control systems. The risk-based Information System audit should also ensure that the bank/DFI's systems and information technology are adequately secured and are meeting the needs of the business. IS Audit, being a continuous process, should be carried out as such. The in-house audit function should ensure that follow-up activities and reviews are performed on a regular basis. Therefore, to ensure that best practices in the field of I.T. Security and Control are adopted and practiced in the banking industry, the banks/DFIs are encouraged to establish an independent internal Information System Audit function for regular monitoring of the I.T. organizational setup and activities. The board and the management should ensure that the independence, authority and accountability of the Information System Audit function are established and maintained through an appropriate organizational setup in line with international best practices. A broad definition of Information System Audit and some general points of reference for the role of Internal Audit in relation to Information System Audit are attached as Annex-I.
ii) Furthermore, to meet growing business requirements and to improve the focus and quality of the Management Information System, the banks/DFIs are encouraged to upgrade their systems and related software.

In this regard, the selection of new computer software, ensuring its compatibility with internal controls and supervisory requirements, is of paramount importance. Therefore, the banks/DFIs have to ensure a smooth switchover from the existing software platform to the new one while managing the pace of its implementation. Whether the new software is developed or acquired off-the-shelf, the focus should be on managing all the imminent risks which the banks / DFIs may encounter during the transition to the new software platform. Banks/DFIs should also ensure that, before introducing new I.T. driven processes and systems for launching new products, the inherent operational risk is fully assessed and mitigated. For this purpose, a well-defined implementation plan should be drawn up to ensure that the new or changed activities due to new products or system conversions are evaluated as a whole for operational risk prior to going online. The implementation plan for each new system development should, among other things, also include a system transfer portion which focuses on identifying and mitigating the risks associated with switching over from the existing system to the new system. Moreover, the banks/DFIs should analyze the compatibility/suitability of such plans for existing/future requirements. This can be done broadly on the basis of the reference points set out in the attached Annex-II. Banks/DFIs are also encouraged to take into account the reference points of Annex-II while embarking on new software/systems.
2) Other guidelines on the subject shall remain unchanged.