A good governance framework and effective risk and compliance culture should be complemented by a robust assurance mechanism by way of internal audit function. This is an integral part of sound corporate governance, which should provide an independent assurance to the Board of the bank as well as to external stakeholders that the operations of the entity are performed in accordance with the set policies and procedures.
In order to ensure the completeness and integrity of the automated Asset Classification (classification of advances/investments as NPA/NPI and their upgradation), Provisioning calculation and Income Recognition processes, RBI issued notification Automation of Income Recognition, Asset Classification and Provisioning processes in banks And banks are advised to put in place / upgrade their systems to conform to the following guidelines latest by June 30, 2021.
Banks should ensure that the asset classification status is updated as part of day end process. Banks should also be able to generate classification status report at any given point of time with actual date of classification of assets as NPAs/NPIs.
Exceptions may be granted from System driven classification in certain circumstances, which are expected to be minimum and temporary.
Banks shall not resort to manual intervention / over-ride in the System based asset classification process. In any exceptional circumstance where manual intervention is required to override the System classification, it must have at least two level authorisation. Such delegation of powers for authorising the exceptions should be as per the Board approved policy of the bank (by CEO, in case of unavailability of Board) and preferably should be done from the centralised location and suitably documented. Further, any such intervention shall have appropriate audit trails and subjected to audit by concurrent and statutory auditors. Detail reports of such manual intervention shall be placed before the Audit Committee / Audit Head (banks having no Board) regularly.
System Requirements and System Audit:
In case a separate application outside the CBS is used as the System for NPA/NPI identification and/or classification, the System must have access to the required data from the CBS and/or other relevant applications of the bank and the borrower/investment accounts shall be updated back into the CBS automatically, wherever applicable, through STP.
Banks shall keep the business logic and other parameters/configurations of the System updated to ensure that the System based identification, classification, provisioning and income recognition are strictly in compliance with the regulatory guidelines on an ongoing basis. There should be periodic system audit, at least once in a year, by Internal / External Auditors who are well versed with the system audit both on system parameters as also from the perspective of compliance to Income Recognition, Asset Classification and Provisioning guidelines.
Baseline requirements for the NPA classification have been provided in the Annex. Banks are required to adhere to these instructions while designing and maintaining the System.
An effective early warning system and forward-looking stress testing framework should be an integral part of the risk management framework of the banks. Banks should be able to pick-up incipient signals of stress faced by their borrowers, and take proactive remedial action, which may include a viable resolution of the credit facilities aimed at preserving the value of the assets and not just aimed at reducing the short term burden on the balance sheet of the banks.
IT auditing is the future of the accounting profession. In today’s world, company dynamics / financial state is determined by the use of computers. The role IT auditors play may be unknown to most but it impacts the lives of all. IT auditing adds security, reliability and accuracy to the information systems.
Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational system effectiveness, efficiency and integrity, and reporting integrity.
Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized skills regarding technology grew, so did the beginning of the information systems auditing profession.
Baseline Requirements for the NPA classification Solution
I. Data Input
1. Data Input in the system by any means should be fully captured and stored without truncation [For example, time stamp – with date and time, narration field, or any other text data captured].
2. Ensure presence of necessary validation/verification checks in the solution for the user inputs, wherever applicable. Such validations, among other things should check for data type validations, min/max value, exceptions, etc.
3. Ensure necessary data validation/checks in the system for the data keyed in manually, wherever applicable. For example, such validations with master data (or parameters used in asset classification fed into the system as per the internal policy of the bank) could prevent issues related to incorrect entries generally seen (illustrative but not exhaustive list) in margin setting, moratorium period, security valuation, repayment schedule, products mapped/linked to different categories of account holders (as per applicability) etc.
4. Data input shall be effected only after authentication and authorisation.
II. User Access Management
5. Ensure that all “user-ids” in the solution have unique identification. If there are any generic user-ids used, it should only be used under exceptional circumstances and such ids should be mandatorily mapped to the employee ID of the user to fix accountability of the activities carried-out under the generic ID.
6. Provide for two-factor or higher level of authentication for the users of the application.
7. Restrict the access to the solution on “need to have/least privilege” basis for all users.
8. Provide for maker checker authorisation /control for transactions (an illustrative list of transactions includes updating/modifying the internal accounts, customer accounts, parameters – both financial and non-financial that affect the status of the credit portfolio/loan/asset.) entered in the solution. This shall also include transactions/activities carried out by administrator accounts in the application. (For example: Activities such as create/update/modify user-ids, roles, privileges including access rights to various modules; system related activities including updates to master data, etc. should have at least two individuals to complete the activity).
III. Straight Through Processing (STP)
9. Provide for straight-through processing (STP) and support for STP integration with all critical systems/add-on sub-systems/modules etc., in a seamless and secure manner for NPA/NPI classification as per extant guidelines on IRAC. Such STP mechanism shall seamlessly take into account all the facilities availed by a given customer (in case of advances) and all the instruments of an entity (where bank has made investments in an entity), maintained across multiple systems of the bank without any manual intervention. Further, banks shall also ensure that the updated account status, including asset classification of the customer accounts, flow to the CBS automatically, if NPA classification process is performed outside CBS.
IV. Back-end Data Access Restriction
10. Any changes to the data, parameters from backend shall be avoided. The solution should provide for changes to the data items only through front end (from the application (Ex: CBS) itself and not through the backend database update) after requisite authorisation. Audit trails/logs of access, changes to any data, parameters, if any, should be captured with specific user details in the system.
11. In case of exceptions in rare circumstances, such changes should be duly approved at an appropriate level and documented. Provision for MIS report should be available to auditors to generate complete list of back-end access and changes made.
V. Audit Logs
12. Provisions of audit trails/logs to capture details of mandatory fields (that are essential to complete the transaction and essential to identify the transaction for audit/forensic purpose in the future) of all the transactions (financial and non-financial) shall be made.
13. Logs should be maintained for changing the master data. System generated activity logs of the users with administrative privileges should also be maintained.
14. Secure storage and retention of logs in encrypted format with access controls in an archival solution.
VI. System Generated NPAs
15. All parameters required for NPA/NPI identification shall be captured in the CBS or associated sub-system(s)/module(s) meant for NPA/NPI identification/classification of asset codes as per Income Recognition and Asset Classification (IRAC) norms and extant instructions. It should provide for separate MIS report capturing all parameters for NPA/NPI identification. Such parameters could either be configured in database or application itself as per the architecture of the solution/sub-system.
VII. Test Environment
16. The existing test environment in the bank with dummy data and functional logic similar to that of the product environment of the solution shall be made available to the supervisors during their onsite supervisory visit(s) as per the requirements. This shall be required, inter alia, to perform sample transactions review to assess whether the solution adheres in complying with regulatory prescriptions in the extant environment for NPA/NPI identification as per applicability.