Inviting comments on
the Basic draft
on
Relevance of
Information Systems Audit in
Insurance Sector
(Last date for comments: April 30th, 2014)
Comments should be submitted in writing to the Secretary,
Committee on Banking, Insurance and Pension, The Institute of
Chartered Accountants of India, ICAI Bhawan, Indraprastha Marg,
New Delhi -110002, so as to be received not later than April 30th,
2014. Comments can also be sent by email to cobip@icai.in
Contents
I Introduction IT Governance ..........................................................................................................1
a. Insurance ...............................................................................................................................1
b. IT Governance .......................................................................................................................5
II State of Information Systems in Insurance Industry........................................................................7
III Regulatory framework for Information Systems in Insurance.......................................................11
a. The Insurance Act 1938.......................................................................................................11
b. Regulations issued by IRDA (Insurance Regulatory and Development Authority) .............11
c. The Information Technology Act 2000....................................................................................13
d. Prevention of Money Laundering Act .................................................................................14
IV Information Systems Audit in Insurance Sector.............................................................................15
a. IT Governance .....................................................................................................................15
1. Strategic Alignment.....................................................................................................................16
2. Value Delivery .............................................................................................................................17
3. Resource management ...............................................................................................................17
4. Risk management........................................................................................................................17
5. Performance measures ...............................................................................................................18
b. Risk Management................................................................................................................18
1. Security Policy and Implementation ...........................................................................................18
2. Asset Management .....................................................................................................................19
3. Information Systems Acquisition, Development & Maintenance...............................................20
4. Physical & Environmental Security..............................................................................................20
5. Access Controls ...........................................................................................................................21
6. System Parameters .....................................................................................................................21
7. IT Controls review OS, Database, Networking devices ............................................................22
8. Capacity Management ................................................................................................................23
9. Disaster Recovery, Backup & Contingency planning...................................................................24
10. Customer Services...................................................................................................................24
Appendix A About COBIT..........................................................................................................................25
Appendix B About COSO ..........................................................................................................................27
Appendix C Guidelines on Outsourcing of Activities by Insurance Companies .......................................29
Appendix D Clarifications on Guidelines on Outsourcing of Activities by Insurance Companies ............42
Appendix E IRDA (Web Aggregators) Regulation, 2013 ...........................................................................44
Appendix F IRDA Circular on Investment Risk Management Systems and Process Audit .......................82
Appendix G Extracts from ICAI Technical Guide.......................................................................................83
I Introduction IT Governance
a. Insurance
Insurance is an assurance of compensation for specific potential future losses in exchange for
a periodic payment called 'Premium'. Insurance is designed to safeguard the financial well-being
of an individual, company or any other entity in the case of an unexpected loss.
Some forms of insurance are mandated by law, while others are optional. A contract is enforced
between the insured (The Policy Holder) and the insurer (The Insurance Company) on mutual
agreement to the terms of an insurance policy.
The insured makes a payment towards the policy periodically as premium for which the
insurer agrees to pay the policy holder a sum of money upon the occurrence of a specific event.
The policy holder bears a part of the loss called the uninsured amount while making a claim and
the insurer pays the rest as compensation. Examples of insurance include car insurance, health
insurance, disability insurance, life insurance, and business insurance.
There are 24 life insurance companies and 27 general insurance companies operating in India as
per the details published on IRDA website (www.irda.gov.in) as on 30th June 2013.
Some of the key functions in the insurance lifecycle are:
New Business
Proposal or lead generation, Enrolment, Scanning/ Digitization are some of the key processes in
expanding the customer base.
Underwriting
This is the process of evaluating the risk, acceptability and premium of an entity to be insured.
It is typically a complicated process that involves significant time and effort and adds to the
time taken to finally issue the policy to the customer. Technology has been aggressively
deployed to aid the underwriting process; analytics and predictive modelling have advanced
considerably to keep pace with the business requirement for speedy issuance of policies in a
consistent manner throughout the enterprise while appropriately assessing risk.
Policy Administration
Some of the key processes that fall under this function include:
- Policy holder correspondence
- Collateral verification
- Payment processing
- Policy issuance, printing and dispatch
- Record changes
Issuance of insurance policies is a fairly complicated process even though the base model is the
same. Every insured has the option to choose from a variety of clauses which must be
accurately captured in the insurance document. In addition, personal information of the client,
including medical, family and other data, needs to be part of the insurance document.
Document management systems are used to manage the policies issued and also to meet
regulatory requirements regarding the storage of issued policies.
Claims Processing
One of the key challenges facing insurance companies is the need to provide a seamless and
integrated claims processing function across the organization and its partner landscape. They
need to implement information processing systems that enable the smooth flow of information
from claims processing to underwriting to marketing. A smooth flow will enable insurance
companies to assess risk more accurately and thereby provide solutions that are tailor-made to
customer requirements. The progressive adoption of integrated systems to handle the entire
ecosystem of processes provides management with a holistic view of the business, thus
improving the business offering to customers.
[Figure: Key Business Functions - New Business, Underwriting, Policy Administration, Claims Processing]
Some of the key enabling functions in the insurance lifecycle are represented below:
[Figure: Key Enabling Functions - Channel Management; HR, Audit, Marketing & Other supporting functions; Investment Management; Accounts & Finance]
The above functions are also applicable to Reinsurance and as such would be subject to the
same requirements of IT Governance and Risk Management initiatives.
Micro-Insurance
Micro-insurance is insurance for the low-income population. This sector can insure a variety of
risks including health, property, crop, livestock/cattle, theft, fire, disability etc. IRDA has issued
microinsurance draft norms (as of this writing) which are soon expected to be translated into a
final set of regulations. For distribution of these products, IRDA has said that regional rural
banks, micro finance institutions, district cooperative banks, non-governmental organisations,
self-help groups, urban cooperative banks, banking correspondents and individual owners of
kirana stores, public call offices, fuel stations and fair price shops in rural areas will be allowed
to sell them.
Selecting the right technology will be a key to the success of any microinsurance endeavour.
The most important question that needs to be answered before taking a final call is "what is the
technology expected to deliver?" Is it ease of use, mobile capabilities, reduced cost, reduced
transaction turnaround time, etc.? Clarity in this aspect will be a pre-requisite for choosing the
most appropriate technology.
Smart cards may be issued to customers. These could contain policy details like name, photo ID,
biometric fingerprint, insurance history, etc. When the smart card is swiped on a hand held
device, this information is made available to the agent.
Handheld devices are expected to play a critical role in microinsurance. These devices can have
various integrated components including smart card readers, biometric authentication devices,
printers etc. Internet connectivity may be through GPRS or Wi-Fi.
GPRS has been used to connect hand held devices to central servers. The availability of GPRS
connectivity in the locations where the hand held devices are expected to operate (typically rural
settings) should be examined; trial runs should be made to avoid surprises. In the absence of
robust GPRS connectivity, microinsurance companies have taken the approach of storing the
data locally on the device until connectivity is available. Once the device detects a connection to
the internet, the data is sent to the central servers. The transaction is completed seamlessly,
though there is an invisible time buffer during which the data resides on the device itself.
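The store-and-forward approach described above has two audit-relevant consequences: the data sits on the device for an unknown time, and a record may be re-sent after a dropped connection. The following Python sketch is an added example, not code from the ICAI draft or from any insurer's system. It buffers records while the device is offline, attaches a per-device HMAC so that alteration of the buffer is detected before upload, and uses a client-generated transaction id so that a retry cannot create a duplicate policy. The record layout, the device secret, the `is_online` probe and the `CentralServer` stub are all assumptions made for the example.

```python
"""Store-and-forward buffer for a field handheld (added illustration; not code from
the ICAI draft or any insurer). Assumptions: records are JSON, the device holds a
per-device secret provisioned at enrolment, and the central server deduplicates
on a client-generated transaction id."""
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo secret. In production this would live in the device's secure
# element or keystore, never in source.
DEVICE_SECRET = b"constructed-demo-secret-do-not-reuse"


def _canonical(payload):
    # Stable serialisation so the MAC covers exactly the same bytes at enqueue
    # time and at verification time.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class LocalQueue:
    """Holds enrolment/premium records while the handheld has no GPRS or Wi-Fi.

    Each entry carries a client-generated transaction id (a resend after a dropped
    connection must not create a second policy) and an HMAC over its contents
    (alteration of the on-device buffer is detected before anything is uploaded).
    """

    def __init__(self, secret):
        self._secret = secret
        self._pending = []

    def enqueue(self, record):
        payload = {"txn_id": str(uuid.uuid4()),
                   "captured_at": int(time.time()),
                   "body": record}
        tag = hmac.new(self._secret, _canonical(payload), hashlib.sha256).hexdigest()
        self._pending.append({"payload": payload, "tag": tag})
        return payload["txn_id"]

    def entries(self):
        return self._pending

    def verify(self, entry):
        expected = hmac.new(self._secret, _canonical(entry["payload"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, entry["tag"])

    def flush(self, transport, is_online):
        """Upload pending entries once connectivity is detected.

        Returns counts of entries accepted, rejected as tampered, and still pending.
        An entry whose upload is not acknowledged stays queued for the next attempt.
        """
        if not is_online():
            return {"accepted": 0, "tampered": 0, "pending": len(self._pending)}
        accepted = tampered = 0
        remaining = []
        for entry in self._pending:
            if not self.verify(entry):
                tampered += 1      # drop (and, in practice, log) altered data
                continue
            if transport(entry["payload"]):
                accepted += 1
            else:
                remaining.append(entry)
        self._pending = remaining
        return {"accepted": accepted, "tampered": tampered, "pending": len(remaining)}


class CentralServer:
    """Minimal stand-in for the insurer's central server, idempotent on txn_id."""

    def __init__(self):
        self.policies = {}
        self.duplicates_ignored = 0

    def receive(self, payload):
        txn_id = payload["txn_id"]
        if txn_id in self.policies:
            self.duplicates_ignored += 1   # already stored: acknowledge, do not re-create
            return True
        self.policies[txn_id] = payload["body"]
        return True


def run_demo():
    """Walk through offline capture, tampering, a lost acknowledgement and a retry."""
    server = CentralServer()
    queue = LocalQueue(DEVICE_SECRET)
    # Constructed sample enrolments captured in the field.
    queue.enqueue({"name": "A. Kumar", "product": "crop-cover", "premium": 120})
    queue.enqueue({"name": "B. Devi", "product": "livestock", "premium": 300})
    queue.enqueue({"name": "C. Rao", "product": "health", "premium": 80})
    # 1. No signal: nothing leaves the device.
    offline = queue.flush(server.receive, is_online=lambda: False)
    # 2. The buffer is altered while records sit on the device (constructed tampering).
    queue.entries()[1]["payload"]["body"]["premium"] = 1
    # 3. Connectivity returns, but the acknowledgement for the second upload is lost.
    calls = {"n": 0}

    def lossy_ack(payload):
        calls["n"] += 1
        stored = server.receive(payload)
        return stored if calls["n"] == 1 else False

    first = queue.flush(lossy_ack, is_online=lambda: True)
    # 4. Next sync: the unacknowledged record is re-sent; the server deduplicates it.
    second = queue.flush(server.receive, is_online=lambda: True)
    return {"offline": offline, "first": first, "second": second,
            "policies": len(server.policies), "duplicates": server.duplicates_ignored}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the block shows the three behaviours an auditor would want evidence of: nothing is uploaded while offline, the altered record is rejected rather than forwarded, and the record whose acknowledgement was lost is re-sent once and stored only once. The HMAC gives tamper evidence only; confidentiality of the buffered data during the time it resides on the device would additionally require encryption at rest using the device's keystore, which this example does not implement.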
SMS has been used as a technology platform by a microinsurance provider in Brazil. The
Brazilian government issues a social security number to each citizen. This number is sent as
the primary information during enrollment. The server which receives this number then
connects to another central repository of citizen information. This approach vastly reduces the
need for elaborate data entry and eliminates multiple entries of the same data. Data entry
errors are also eliminated. It is possible that a similar technology may be adopted by Indian
insurance companies if the Indian government's Aadhaar initiative becomes a success.
b. IT Governance
IT governance, in simple terms, refers to the process by which organizations align IT strategy
with business strategy, ensure that the company stays on track in achieving its strategies and
goals, and implement good ways to measure IT performance. An IT governance framework
addresses the functioning of the IT department, the key metrics required by the management
and the returns achieved by the business from the investment made in IT.
Organizations today are subject to many regulations governing data retention, confidentiality of
information, financial accountability and recovery from disasters. One of the goals of IT
governance is that the internal controls of an organization should meet the core guidelines of
many of these regulations, as well as adhere to various international standards such as
COBIT (refer Appendix A) and COSO (refer Appendix B).
India has a high potential for development in insurance as most of its households are still
untapped by the insurance companies. With the increase in competition among the insurers,
providing service to the customer has become a key issue. Moreover, customers are getting
increasingly sophisticated and tech-savvy. This highlights the importance of technology in
designing and developing products to suit the personalized needs of the customer. As
technology is embraced and becomes a core component of the insurance industry, the inbuilt
security threats also increase exponentially. This commentary makes an attempt to explore
tactics to defeat such threats faced by the insurers.
II State of Information Systems in
Insurance Industry
The insurance sector is now open to private enterprises and this has resulted in the emergence
of Insurance Regulatory and Development Authority (IRDA) as the regulator of insurance in
India. Insurance companies were forced to introduce a variety of products and to venture into
wider diversified areas. This intense competition renders insurance companies more aggressive,
slashing premiums and increasing the exposure of the companies.
The insurance sector has a dual role to play. It has to protect and secure its own information
and infrastructure to achieve its business objectives, apart from promoting information
security more widely through positive reinforcement. The insurance company may do this by
distributing rewards and providing insurance cover with lower premiums for the cyber risks of
entities that have information security systems in place. This will drive the importance of
securing information technology in organizations.
In addition, an integral component of the insurance business is obtaining accurate
information as promptly and efficiently as possible. Insurers normally base their rates on
actuarial models which estimate how likely the insured risks are to experience a loss.
Insurance companies use technology to analyze the claims of prior years and to scrutinize the
data of the policy holder. Technology is also used to explore the correlation between risk
characteristics and claims. Actuaries have the opportunity to use technology in analyzing
risk at a much more precise level of granularity.
Outsourcing
IRDA, in its notification to the CEOs of insurance firms, said that "it is not desirable to outsource
the core and important activities which will affect corporate governance, protection of policy
holders, solvency and revenue flows of insurer."
Core Activities are:
- Underwriting
- Product design and actuarial functions; enterprise wide risk management
- Investment and related functions
- Fund accounting and NAV calculations
- Admitting or repudiation of claims
- Bank Reconciliation
- Policyholder grievances redressal
- Approving advertisements
- Market conduct issues
- Appointment of surveyors and loss assessors
- Compliance with AML, KYC
- Policy servicing
Refer Appendix C Guidelines on outsourcing of activities by Insurance Companies
Refer Appendix D Clarifications on Guidelines on outsourcing of activities by Insurance
Companies
The above issues pose a challenge to the insurance industry in India today and also worldwide
and need to be addressed on a war footing. A few typical challenges and risks faced by the
insurance companies are:
a. Storage and processing of data
b. Accessing and retrieval of data
c. Security of information
d. Embracing technology developments
e. Safeguarding of information against natural disasters
f. Business continuity planning
Web Aggregators
The term "Web Aggregator" pertains to any online website or portal which provides
information and comparison of insurance products by different insurers and provides leads to
insurers.
Some of the guidelines relating to display of product comparisons on the website are:
a. Web aggregators shall not display ratings, rankings, endorsements or bestsellers of
insurance products on their website. The content of the websites of the web
aggregators shall be unbiased and factual in nature; they shall desist from commenting
on insurers or their products in their editorials or at any other location in their websites.
b. The default/home page of the websites of the web aggregators shall clearly and
prominently provide links to the product comparison charts and tables for each category
of products covered by them. The visitor to the website should be given clear product
options to choose from and once a particular option is chosen, a product comparison
chart relevant to his choice shall be displayed. The product comparison chart shall have,
inter alia, columns to display a) the premium quoted by each insurer relevant to the age,
health and other personal details of the client for the product category, policy/premium
term, quantum of cover etc. chosen, b) the default underwriting requirements such as
medical examination, diagnostics or other documents, c) exclusions, limits or other
conditions, if any, and d) key features of the product chosen.
c. Web aggregators shall disclose prominently on the home page that the client/visitor's
particulars could be shared with insurers/insurance brokers.
d. Web aggregators shall not carry any advertisements or sponsored content on their
websites.
e. Product comparisons that are displayed shall be up to date and reflect a true picture of
the products.
f. Web aggregators shall display product information purely on the basis of the
information furnished to them by insurers.
Refer Appendix E for the IRDA (Web Aggregators) Regulation, 2013
With the growing use of technology in the insurance industry, some of the potential game
changers from the technology arena are:
- Hand held devices / Mobile / Tablet based data collection and dissemination
- Cloud computing enabling users to access data from wherever they are
- Marketing through social media
- Digitisation of documents
- Higher degree of segmentation, customer data analytics and predictive modeling
- Smart cards that can be swiped on hand held devices in Microinsurance
- Document management systems to manage policies and customer data
- Biometric data of customers stored in smart cards
- GPRS for hand held devices
- SMS in microinsurance
- Centralized database of vehicles insured for access by transport and police authorities
- Use of telematics for vehicle tracking and determining insurance premiums
III Regulatory framework for
Information Systems in Insurance
a. The Insurance Act 1938
In 1938, with a view to protecting the interest of the Insurance public, all the earlier legislation
was consolidated and amended by the Insurance Act, 1938 with comprehensive provisions for
effective control over the activities of insurers.
This Act addresses over 31 provisions applicable to insurers. It also addresses the investigative
powers of the authority, appointment of staff, control over management, amalgamation and
transfer of insurance business, assignment or transfer of policies and nominations, commission
and rebates and licensing of agents, special provisions of law, management by administration
and acquisition of the undertakings of insurers in certain cases.
b. Regulations issued by IRDA (Insurance Regulatory and Development
Authority)
The Insurance Regulatory and Development Authority (IRDA) was constituted as an
autonomous body to develop the insurance industry based on the recommendations of the
'Malhotra Committee report', in 1999. The IRDA was incorporated as a statutory body in April,
2000 to monitor the insurance sector in India.
The key objectives of the IRDA are:
- Promotion of competition among insurance companies to enhance customer
satisfaction through increased consumer choice and lower premiums.
- Safeguarding the financial security of the insurance market and eradicating the
shortcomings of the industry.
Application for registrations in the market was invited by the IRDA in August 2000. Foreign
companies were allowed to own a share up to 26%.
IRDA has the power to frame regulations under Section 114A of the Insurance Act, 1938,
subsequent to which various regulations ranging from registration of companies for carrying on
insurance business to protection of policyholders' interests were framed.
The Insurance Regulatory and Development Authority (IRDA) is a public authority as defined in
the Right to Information Act, 2005. As such, the Insurance Regulatory and Development
Authority is obliged to provide information to members of public in accordance with the
provisions of the said Act.
The subsidiaries of the General Insurance Corporation of India were restructured into
independent companies in December, 2000, when GIC was converted into a national re-insurer.
The bill to de-link the four subsidiaries from GIC was passed by The Parliament in July, 2002.
The Insurance Regulatory and Development Authority was established by the Indian
Government for two significant reasons: to safeguard the interests of the policy holders and for
the upgradation of the entire insurance sector, right from the approach adopted by the existing
insurance companies towards their shareholders to the eradication of the shortcomings of the
industry.
Scope of Insurance Regulatory and Development Authority
The Insurance Regulatory and Development Authority has been authorized to register new
insurance companies in India. The list of new insurance companies also includes the
collaborations of the renowned insurance companies overseas with the existing Indian
companies. The insurance companies in India are required to approach the Insurance
Regulatory and Development Authority for the purpose of renewal of the insurance
registration. The Insurance Regulatory and Development Authority is allowed to withdraw the
registration of companies and even cancel the registration of a company if required. It is
also authorized to modify the registration procedure for a company.
Functions of Insurance Regulatory and Development Authority
The Insurance Regulatory and Development Authority was established to safeguard the
interests of the policyholders. It ensures this through various means such as:
- Nomination by Policyholders
- Settlement of insurance claims
- Practical training for Insurance agents and other intermediaries
- Insurable Interest
- Surrender value of Policyholders
- Code of conduct of Insurance intermediaries
- Assistance in gaining correct information about policies
- Creation of management information systems
- Promotion of self-regulation within the insurance sector
The IRDA has come out with various guidelines/regulations relating to information
technology, including but not limited to the following:
- Guidelines on web aggregators
- Electronic Transactions Administration and Settlement Systems
- Audit of investment risk management systems and process, internal, concurrent
- Anti money laundering guidelines
c. The Information Technology Act 2000
The Information Technology Act was passed by the Indian parliament in 2000. It was
subsequently amended in 2008.
The Act provides legal recognition for electronic transactions and electronic records. It also
provides legal recognition for e-filing of documents with government agencies. Section 43
prescribes penalties for hacking of computing resources. Section 43A prescribes penalties for
corporate bodies that fail to protect sensitive personal data held in their computing
systems.
This Act emerged to curb 'Cyber Crime', which is an unlawful act where a computer is used as a
tool or target or both.
Insurance companies are posed with the duty to safeguard the data of the client under the
Information Technology Act, specifically section 43A. Insurance companies need to store data
securely and share it only with authorized partners for permitted purposes as prescribed in this
Act.
d. Prevention of Money Laundering Act
The Prevention of Money Laundering Act, 2002 (PMLA) forms the core of the legal framework
put in place by India to combat money laundering. PMLA and the Rules notified thereunder
came into force with effect from July 1, 2005.
The PMLA and rules notified thereunder impose obligations on banking companies, financial
institutions and intermediaries to verify the identity of clients, maintain records and furnish
information to the Financial Intelligence Unit - India. PMLA defines the money laundering
offence and provides for the freezing, seizure and confiscation of the proceeds of crime.
Insurance companies are required to comply with the regulations of anti money laundering
legislation. The insurers may mandate "KYC" (know your customer) mechanisms
to minimize, prevent and detect money laundering abuse.
IV Information Systems Audit in
Insurance Sector
Information Systems Audit has a significant role to play in the emerging insurance sector.
Information Systems Audit aims at providing assurance in respect of the confidentiality, availability
and integrity of information systems. It focuses on their efficiency, effectiveness,
responsiveness and compliance with laws and regulations.
Information systems are the lifeblood of any large business. Computer systems no longer
merely record business transactions; they actually drive the key business processes of the
enterprise. In the context of the growing dependence of the insurance sector on information
systems for record keeping, transacting business, reporting, regulatory compliance
and providing information and results to stakeholders, Information Systems Audit has assumed a
very significant role. Effective IS Audit systems in place would be tantamount to corporate
governance, compliance and effective regulation of the insurance sector.
IRDA has already issued guidelines for Risk Management System Audit of Investments by
Insurance Companies (Refer Appendix F).
The Institute of Chartered Accountants of India has also issued a Technical Guide on Review and
Certification of Investment Risk Management Systems and Processes of Insurance Companies
(Refer Appendix G).
ICAI has also issued a Technical Guide on Internal & Concurrent Audit of Investment Functions
of Insurance Companies.
a. IT Governance
Every organization, whether large or small, public or private, has to ensure that the IT
function sustains the organization's strategies and objectives. The level of sophistication that is
applied to IT governance, however, may vary according to size, industry or applicable
regulations. The larger and more regulated the organization, the more detailed its IT
governance structure needs to be.
IT governance, in simple terms, refers to the process by which organizations align IT strategy
with business strategy and ensure that the company stays on track in achieving its strategies and
goals, including by implementing good ways to measure IT performance.
An IT governance framework focuses on:
(I) the overall functioning of the IT department,
(II) providing the management with the key metrics that it needs, and
(III) the returns earned from the investments in IT.
According to the IT Governance Institute (formed by ISACA), there are five areas of focus:
1. Strategic Alignment
Strategic alignment refers to the process of linking the business strategy and IT strategy in
achieving the predetermined goals. Typically, the lightning rod is the planning process, and true
alignment can occur only when the corporate side of the business communicates effectively
with line-of-business leaders and IT leaders about costs, reporting and impacts.
Key business challenges that the insurance industry faces include:
- Growing the business
- Improving customer experience
- Providing better products and services using Information Analytics
- Improving operations like claims processing
- Complying with various regulatory requirements
- Improving Risk Management
- Reducing enterprise cost
Technology can be used to address many of these issues.
For example, data analytics programs can help insurance companies design products that are
customer centric and not based on the experiences and understandings of the underwriters
and/or legal department. Such products can vastly enhance the ability of an insurance company
to retain customers.
Target customers belonging to the 20-30 age group may be very comfortable researching,
buying and renewing policies online and increasingly from mobile phones and tablets.
Insurance companies need to think of social media marketing, quote aggregators and search
engine optimization to improve their brand recall value. Additionally, customers may be willing
to change their insurance company based on convenience provided using a particular channel.
2. Value Delivery
Value delivery means the benefits reaped from the investments made by the IT department.
The optimal approach would be to develop a process to ensure that certain functions are
accelerated when their value proposition is growing and eliminated when their value
decreases.
Adoption of Cloud computing is expected to bring down costs in the insurance sector.
3. Resource management
Resource management involves managing resources more effectively, for instance by
organizing staff according to their skills rather than by line of business. This will
allow organizations to deploy employees to various lines of business on a demand basis.
Attracting and retaining talent in IT will be a key challenge for insurance companies given that
they often operate a mish-mash of legacy and contemporary systems.
4. Risk management
Risk management institutes a formal risk framework which brings rigour to how IT accepts,
measures and manages risk, and to reporting on how IT is performing in terms of risk.
5. Performance measures
Performance measurement is about measuring business performance. One popular method
involves instituting an IT Balanced Scorecard, which examines the contribution made by IT in
terms of achieving business goals, utilizing resources effectively and developing
people. Qualitative and quantitative measures are used to ascertain this performance.
b. Risk Management
Risk management of Information Systems is crucial to insurance companies as they handle a
huge amount of data relating to customers. A layered approach to security should be adopted
to ensure that the information resources within the domain are adequately protected.
Insurance companies have adopted technology in a big way and in order to cater to the new-
age needs of customers, they have brought in new distribution channels like web and mobile.
Also, agents and distributors expect to interact with the insurance company through various
channels. Protecting all such data is a critical requirement for insurance companies.
Additionally, Section 43A of the Information Technology Act provides for penalties to be
imposed on companies that fail to protect sensitive private data.
Insurance companies need to adopt the following measures to ensure that an information
systems management system is in place.
1. Security Policy and Implementation
A well thought out security policy is needed because security is not a technology issue but a
business issue. The goal of corporate security policies is to define the procedures, guidelines
and practices for configuring and managing security within the operational environment. The
goal of implementing security policies, procedures and guidelines is to ensure that a common
baseline security framework is defined for the entire enterprise. This framework should ensure
that various entities in the computing environment are adequately protected and the
confidentiality, availability and integrity of computing resources and data are ensured.
Insurance companies have vast computing resources to cater to their clients and business
partners and other third party service providers. The insurance sector is faced with challenges
relating to retention of customers and providing a better customer experience. The solutions to
these challenges include innovative ways to reach out to customers. For example, cloud computing,
mobile, social media, data aggregators and other new technologies need to be embraced by
insurance companies to ensure that they stay in the race.
Introduction of any new technology in large enterprises like insurance companies is a long-drawn
process, typically involving analysis of the technology and of the various solutions and products
available from different vendors, followed by procurement, installation and roll-out. Training of
staff in optimum use of the technology solution is sometimes followed by training of the sales
force, agents and distributors when such entities need to interact with the solution. If the
solution directly involves the customer, like a new smartphone application, then some
amount of customer engagement will also have to be on the agenda. Maintenance of the
technology and continuous training of new staff are also envisaged.
All the above mentioned activities need to be done within the security framework of the
organization. It is therefore imperative that a well thought out set of policies, procedures and
guidelines be adopted by all insurance companies. This will aid them in smooth operations
and in maintaining a secure computing environment.
2. Asset Management
Data is the most critical asset of insurance companies. Typically, insurance companies sit on a
data mine collected over the years. The data they have includes customers' basic information,
premium-paying patterns (chronic late payers, chronic bad-cheque customers), preferred channels
of payment and how these are changing over the years, performance patterns of products, customer
preferences with respect to product type and payment modes, claims history and demographic
changes. All this data can be used by analytics engines to provide insights into customer
behavior patterns, which insurance companies can use to tailor their products and services
accordingly. They also sit on financial investment data. They can find out how their investments
have performed over the years, which sectors have given better returns on investment, etc.
Innovative ways of capturing customer data may emerge in the near future. Telematics-based
insurance, where premiums will be based on how well a person drives, may become available in
India once the technology is available. In telematics-based insurance, a small black box (or data
box) will be fitted in a car. This will collect data like the distance the car travels, the period of
time the car is used, the location of the car at all times, types of roads the driver is travelling on,
speed and direction of travel prior to and after a collision/ accident, the driver's speed, the
driver's braking behavior, force of impact in an accident/ collision.
Insurance companies also invest in application software for their various functions like billing,
claims processing, etc. Software assets also include operating systems and other operational
software like Office, Adobe Reader, etc.
Assets need to be identified and classified based on criticality. Asset handling methodologies
need to be defined for each class of asset. Asset disposal methodology for hardware and
software also needs to be defined. Regular monitoring of assets also needs to be done.
3. Information Systems Acquisition, Development & Maintenance
Customers and potential customers have come to expect newer ways of interacting with
insurance companies. This leads to adoption of new solutions, products and technologies.
Insurance companies may either acquire such products or solutions or develop them in-house.
Since information is a core component of the insurance industry, software acquisition,
development and maintenance should be done with information security in mind.
Care should be taken to ensure that:
Before application development begins, security controls are defined and agreed upon;
these should include input, processing and output related controls
Sufficient access controls are built into the systems
Encryption is considered for both data at rest and data in transit
Application code, configuration files, documentation and other system related files
have proper access control mechanisms protecting them
Separate test and production environments are maintained, to avoid leakage of production
data through test systems
Vulnerability assessments are conducted on applications before deploying them
Systems are capable of adhering to the organisation's information security policies
and procedures
No new threats are introduced into the computing infrastructure as a result of
implementing the new systems
4. Physical & Environmental Security
Confidentiality of data that insurance companies hold needs to be maintained. Physical access
to servers can mean access to the data stored on the device. So, preventing unauthorized
physical access to servers is very important. Availability of data is also key to the smooth
functioning of insurance companies: premiums are paid online, engagement with customers and
agents happens over the internet, and other similar activities require that the servers be
available at all times. Making sure that proper environmental
controls are implemented in data centers is one way to ensure availability of data. Additionally,
improper environmental controls can cause damage to services, hardware and lives. Power,
heating, ventilation, air-conditioning and air quality controls can be complex and contain many
variables. These need to be operating properly and be monitored regularly.
Issues that need to be looked into:
prevent unauthorized physical access, damage, and interference to premises and
information
ensure sensitive information and critical information technology are housed in
secure areas
prevent loss, damage, theft, or compromise of assets
prevent interruption of activities
protect assets from physical and environmental threats
ensure appropriate equipment location, removal, and disposal
ensure appropriate supporting facilities (e.g., electrical supply, data and voice
cabling infrastructure)
5. Access Controls
Insurance companies have critical and sensitive data and information resources. The access to
these resources should be authorized and measures should be put in place to prevent
unauthorized access to valuable resources. Controls may be technical, physical or
administrative in nature.
Access to networks, servers and other end user systems, applications and data should be
controlled and restricted. Of particular importance is administrative access. Administrative
access bestows great power on individuals who have this role. Therefore, administrative access
should be granted on a need basis. A regular review of administrative access to resources
should be undertaken. This is especially true of insurance companies, which may have a plethora
of systems, applications, networks and databases being accessed by a vast workforce and also
by third party service providers. So, it is critical that a matrix of administrative access to various
key resources be maintained up-to-date. Additionally, a regular audit of access control systems
including administrative access to resources may be undertaken to ensure that IT management
has a dashboard view of accesses granted.
6. System Parameters
System Parameters are very critical for insurance companies as these control various important
touch points in the application. Applications could have system parameters for commission
rates, premium load values for different demographics etc. Therefore system parameters, if
not carefully calibrated and regularly monitored/ audited, could lead to revenue leaks.
7. IT Controls Review: OS, Database, Networking Devices
Insurance companies have information systems that are increasingly being brought online.
Cloud computing is being seen as a way to reduce costs. Customer interaction is through
websites, social media and mobile applications. As the avenues and modes of interaction with
customers increase, so do the possible attack surfaces. As insurance companies hold critical
data that they must protect, they need to adopt a layered approach to security. One layer of
this approach would be to securely configure the core elements of their information
infrastructure: the operating systems, databases and networking devices.
Whenever bugs are discovered in operating systems, bug fixes or patches are released. If the
bug is not fixed, it may lead to a compromise of confidentiality, integrity and/or availability of
the server in question. Insurance companies should make sure they have a defined process to
address the issue of patching.
Securing the operating system should include the following:
Enable only those services that are required
Enable only secure services; do not use telnet, FTP, etc.
Enforce strong password policies, delete unused accounts
Routinely review system logs
Databases are the repositories of data which is the most critical asset of any organization,
especially insurance companies. It is possible that the data of insurance companies is spread
across a variety of databases, perhaps due to the presence of legacy applications, acquisitions
and the new ways and channels through which data is collected. Securing databases is of
paramount importance to insurance companies. As stated earlier, all database assets should be
identified and categorized.
Some of the key measures to be taken to secure databases include:
Make sure that applications do not run with privileged database accounts. This will
ensure that even if an application account is compromised, the compromise is
contained and cannot contaminate other applications/ databases. Even application
administrators should not be able to view database metadata.
Password policies should be set according to the organization's information security policy
Initialization parameters should be set as per best practices
User access should be restricted and should be as per best practices. For example, users
should not have access to the SYS.USER$ table in Oracle as this table stores sensitive
authentication information.
System privileges should be restricted and given only as per best practices
Access to sensitive packages should be restricted
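As an added illustration (not tooling from this draft), the following Python reviews exported Oracle privilege grants against the database measures listed above: application accounts holding privileged roles or system privileges, any grant on SYS.USER$, and sensitive SYS packages granted to PUBLIC or to application accounts. The account names and grant rows are constructed; the row shapes mirror DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS exports.

```python
"""Review exported Oracle privilege grants against the database checklist.
Constructed example; the accounts and grants below are made up."""
from typing import List, Sequence, Tuple

# Constructed: non-human accounts under which insurance applications connect.
APP_ACCOUNTS = {"CLAIMS_APP", "BILLING_APP"}
# Roles that confer database-administrator level power.
PRIVILEGED_ROLES = {"DBA", "IMP_FULL_DATABASE", "EXP_FULL_DATABASE"}
# System privileges an application account has no business holding.
PRIVILEGED_SYS_PRIVS = {"ALTER SYSTEM", "ALTER USER", "CREATE USER",
                        "DROP USER", "BECOME USER"}
# SYS-owned packages whose EXECUTE grant reaches the file system or network.
SENSITIVE_PACKAGES = {"UTL_FILE", "UTL_HTTP", "UTL_TCP", "UTL_SMTP", "DBMS_SYS_SQL"}

SysPriv = Tuple[str, str]             # (grantee, privilege)      as in DBA_SYS_PRIVS
RolePriv = Tuple[str, str]            # (grantee, granted_role)   as in DBA_ROLE_PRIVS
TabPriv = Tuple[str, str, str, str]   # (grantee, owner, table_name, privilege) as in DBA_TAB_PRIVS

# Constructed sample export rows.
SAMPLE_SYS_PRIVS: List[SysPriv] = [
    ("CLAIMS_APP", "CREATE SESSION"),
    ("CLAIMS_APP", "SELECT ANY TABLE"),   # crosses schema boundaries
    ("BILLING_APP", "CREATE SESSION"),
    ("DBA_RAVI", "ALTER SYSTEM"),         # named administrator, expected
]
SAMPLE_ROLE_PRIVS: List[RolePriv] = [
    ("BILLING_APP", "DBA"),               # application running as DBA
    ("DBA_RAVI", "DBA"),
    ("CLAIMS_APP", "CONNECT"),
]
SAMPLE_TAB_PRIVS: List[TabPriv] = [
    ("CLAIMS_APP", "SYS", "USER$", "SELECT"),     # password hashes exposed
    ("PUBLIC", "SYS", "UTL_FILE", "EXECUTE"),     # everyone can touch files
    ("CLAIMS_APP", "CLAIMS", "POLICY", "SELECT"), # ordinary application grant
]


def is_privileged_sys_priv(priv: str) -> bool:
    """'... ANY ...' privileges (SELECT ANY TABLE, GRANT ANY ROLE, ...)
    reach every schema, so they count as privileged alongside the fixed set."""
    return priv in PRIVILEGED_SYS_PRIVS or " ANY " in f" {priv} "


def review_privileges(sys_privs: Sequence[SysPriv],
                      role_privs: Sequence[RolePriv],
                      tab_privs: Sequence[TabPriv]) -> List[str]:
    """Return one finding per grant that breaches the checklist."""
    findings: List[str] = []
    for grantee, priv in sys_privs:
        if grantee in APP_ACCOUNTS and is_privileged_sys_priv(priv):
            findings.append(f"APP-SYSPRIV: {grantee} holds system privilege {priv}")
    for grantee, role in role_privs:
        if grantee in APP_ACCOUNTS and role in PRIVILEGED_ROLES:
            findings.append(f"APP-ROLE: {grantee} holds privileged role {role}")
    for grantee, owner, obj, priv in tab_privs:
        if owner == "SYS" and obj == "USER$":
            findings.append(f"USER$: {grantee} has {priv} on SYS.USER$")
        elif (owner == "SYS" and obj in SENSITIVE_PACKAGES
              and (grantee == "PUBLIC" or grantee in APP_ACCOUNTS)):
            findings.append(f"PACKAGE: {grantee} has {priv} on SYS.{obj}")
    return findings


if __name__ == "__main__":
    for finding in review_privileges(SAMPLE_SYS_PRIVS, SAMPLE_ROLE_PRIVS, SAMPLE_TAB_PRIVS):
        print(finding)
```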
Networking devices like routers and switches direct and control much of the data flowing across
computer networks. These networking devices need to be configured to control access, resist
attacks, shield other network components, and protect the integrity and confidentiality of
network traffic. In general, well-configured secure routers can greatly improve the overall
security posture of a network. Security policy enforced at a router is difficult for negligent or
malicious end-users to circumvent, thus avoiding a very serious potential source of security
problems.
Some of the key measures to be taken to secure networking devices include:
Physically protect the networking device
Keep software up-to-date by applying the latest patches
A login banner should be set up with a 'no trespassing' warning
Virtual terminal login should be disabled if remote administration is not needed
Secure password protection should be used (e.g. in Cisco devices, the Type 7
password is known to be weak and should not be used)
AAA mechanisms may be used
Do not use common/ generic user names for administrators who log into the devices
If remote administration is required, use SSH or IPSec
The auxiliary port on routers should be disabled
Run only those services that are required as per best practice recommendation
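The checklist above can be checked mechanically against a device's configuration. The following Python, added here as an illustration and not part of the draft, parses a Cisco IOS-style configuration and reports on the login banner, SSH-only virtual terminals, the aux port, Type 7 passwords, generic administrator names and unneeded services; the sample configuration, usernames and hash strings are constructed.

```python
"""Audit a Cisco IOS configuration against the networking-device checklist.
Constructed example; the sample config and its credential strings are made up."""
import re
from typing import Dict, List, Tuple

# Constructed sample: deliberately mixes compliant and non-compliant settings.
SAMPLE_CONFIG = """\
hostname core-rtr-01
no ip http server
ip finger
username admin password 7 0123456789ABCDEF
username netops secret 5 $1$PLACEHOLDER$notarealhash
banner motd ^C
Unauthorized access to this device is prohibited.
^C
!
line aux 0
 transport input none
!
line vty 0 4
 login local
 transport input ssh
!
line vty 5 15
 login local
 transport input telnet ssh
!
"""

GENERIC_ADMIN_NAMES = {"admin", "administrator", "cisco", "root"}
# IOS commands that enable services an insurer's core routers rarely need.
UNNEEDED_SERVICES = ("ip http server", "ip finger", "service finger",
                     "service tcp-small-servers", "service udp-small-servers")


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level commands and, for each 'line ...' block, its indented
    sub-commands (IOS indents the members of a line block)."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(stripped)
            continue
        top.append(stripped)
        current = stripped if stripped.startswith("line ") else None
        if current is not None:
            blocks.setdefault(current, [])
    return top, blocks


def audit_ios_config(config: str) -> List[str]:
    """Return findings, each prefixed with a check id; INFO-* are advisory."""
    top, blocks = parse_blocks(config)
    findings: List[str] = []
    for line in top:
        # Type 7 is reversible; the checklist says it should not be used.
        if re.search(r"\bpassword 7\b", line):
            findings.append(f"TYPE7: reversible Type 7 password in '{line}'")
        m = re.match(r"username (\S+)", line)
        if m and m.group(1).lower() in GENERIC_ADMIN_NAMES:
            findings.append(f"GENERIC-USER: generic administrator name '{m.group(1)}'")
    if not any(l.startswith(("banner motd", "banner login")) for l in top):
        findings.append("BANNER: no motd/login banner configured")
    for svc in UNNEEDED_SERVICES:
        if svc in top:  # present without a leading 'no' means enabled
            findings.append(f"SERVICE: unneeded service enabled: '{svc}'")
    if "aaa new-model" not in top:  # optional per the checklist, so advisory
        findings.append("INFO-AAA: AAA (aaa new-model) not enabled")
    for header, body in blocks.items():
        if header.startswith("line aux"):
            if "no exec" not in body and "transport input none" not in body:
                findings.append(f"AUX: '{header}' is not disabled")
        elif header.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if not transport:
                findings.append(f"VTY: '{header}' has no 'transport input' restriction")
            elif set(transport[-1].split()[2:]) & {"telnet", "all"}:
                findings.append(f"VTY: '{header}' permits cleartext telnet ('{transport[-1]}')")
    return findings


def is_compliant(config: str) -> bool:
    """True when only advisory (INFO-*) findings remain."""
    return not [f for f in audit_ios_config(config) if not f.startswith("INFO-")]


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```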
8. Capacity Management
Assess the existing capacity and planned capacity for growth and adequacy of the current
capacity to handle existing and future business.
The volume of computing resources at the disposal of insurance companies is fairly large and
complex in nature. Companies also expect growth of business and this involves increase of
computing resources to cater to the needs of a growing footprint. Companies should be able to
handle increased capacity smoothly by understanding current processing power, memory, etc.
If there are increased loads at a particular time of the day, then companies should investigate
the root cause of the surge and try to come up with possible solutions like moving non-critical
processing to a low-demand time period etc.
9. Disaster Recovery, Backup & Contingency planning
This should include review of the existing disaster recovery, backup and contingency plans and
policies of the insurance companies and verify and assess the compliance to current policies.
Insurance companies require mature capabilities in this domain. Insurance companies are
concerned with the protection of a citizen's life and/ or properties as well as national wealth.
So, the data that they store is critical and it is imperative that their ability to serve the public
continues even in case of a disaster affecting their data centre. Sufficient backups should exist
as should an alternative processing facility. Periodically, live processing should be carried out
from the disaster recovery site to ensure that the insurance company has the capabilities to
handle a disaster in the data centre. Disaster recovery testing should also focus on sufficient
human resources backup and training for backup personnel.
10. Customer Services
Review the procedures and channels through which services are provided to customers and
other partners. In view of the new channels of providing services to customers, the procedures
adopted should be audited to ensure that information being disbursed through various
channels is accurate and reflects the corporate position. It should also be ensured that these
channels do not lead to information leakage. For example, if insurance companies have tied up with
aggregator websites, ensure that accurate information is being displayed on the said websites
and that it is in accordance with the guidelines on web aggregators issued by IRDA. Ensure that
customer engagement forums are not avenues for information leakage.
Appendix A About COBIT
COBIT 5 is the latest edition of ISACA's (www.isaca.org) globally accepted
framework, providing an end-to-end business view of the governance of enterprise IT that
reflects the central role of information and technology in creating value for enterprises.
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals
and deliver value through effective governance and management of enterprise IT.
The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether
commercial, not-for-profit or in the public sector.
COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
The COBIT 5 framework describes seven categories of enablers:
1) Principles, policies and frameworks are the vehicle to translate the desired behavior
into practical guidance for day-to-day management.
2) Processes describe an organized set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT-related goals.
3) Organizational structures are the key decision-making entities in an enterprise.
4) Culture, ethics and behavior of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
5) Information is required for keeping the organization running and well governed, but at
the operational level, information is very often the key product of the enterprise itself.
6) Services, infrastructure and applications include the infrastructure, technology and
applications that provide the enterprise with information technology processing and
services.
7) People, skills and competencies are required for successful completion of all activities,
and for making correct decisions and taking corrective actions.
Appendix B About COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint
initiative of the following five private sector organizations:
American Accounting Association (www.aaahq.org)
American Institute of CPAs (www.aicpa.org)
Financial Executives International (www.financialexecutives.org)
The Association of Accountants and Financial Professionals in Business
(www.imanet.org)
The Institute of Internal Auditors (www.theiaa.org)
COSO is dedicated to providing thought leadership through the development of frameworks
and guidance on enterprise risk management, internal control and fraud deterrence.
COSO, through its "Internal Control - Integrated Framework", provides principles-based
guidance for designing and implementing effective internal controls.
The Framework will enable organizations to effectively and efficiently develop and maintain
systems of internal control that can enhance the likelihood of achieving the entity's objectives
and adapt to changes in the business and operating environments.
The updated COSO Framework (2013) lists 5 components of internal control with 17 principles
under them.
The 5 components of internal control are:
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information & Communication
5) Monitoring Activities
The COSO framework has always presumed that, for internal control to be effective, all
components must be present and functioning. If a principle is not attained, then a component is
not present and functioning; hence, internal control is deficient.
Appendix C Guidelines on Outsourcing of Activities by Insurance Companies
IRDA/Life/CIR/GLD/013/02/2011
01st February, 2011
Guidelines on Outsourcing of Activities by Insurance Companies
Reference: 1. INV/CIR/031/2004-05 dated 27th July, 2004
2. INV/CIR/058/2004-05 dated 28th December, 2004
3. RBI/2006/167 DBOD.NO.BO.40/21.04.158/2006-07
4. Regulation 7(c) of IRDA (Registration of Companies) Regulations, 2000
1. INTRODUCTION
1.1 Insurers in India are increasingly using outsourcing, as a means of both reducing cost
and accessing expertise, not available internally and achieving strategic aims. 'Outsourcing'
may be defined as "Insurer's use of a third party (either an affiliated entity within a
corporate group or an entity that is external to the corporate group) to perform activities
on a continuing basis that would normally be undertaken by the Insurer itself, now or in
the future". These outsourcing arrangements are becoming increasingly complex.
1.2 Joint Forum set up by Basel Committee on Banking Supervision, International
Organization of Securities Commissions and International Association of Insurance Supervisors
has devised high-level principles on outsourcing in financial firms which gives guidance to firms,
and to regulators, in effectively managing risks involved in outsourcing without hindering the
efficiency and effectiveness of firms. Reserve Bank of India also brought out Guidelines on
Managing Risk and Code of Conduct in outsourcing of financial services vide reference 3 cited
above. This circular is issued based on best practices adopted internationally as outlined in
above document. These instructions are intended to provide direction and guidance to insurers
to adopt sound and responsible risk management practices for effective oversight.
1.3 Regulation 7 (c) of IRDA (Registration of Companies) Regulations, 2000, clearly states
"The applicant will carry on "all functions" in respect of insurance business including
"management of Investment" within its own organization". It has been observed that certain
insurers are outsourcing even core activities such as Investment, Underwriting and Policy
servicing. It is not desirable to outsource the core and important activities which will affect
corporate governance, protection of policy holders, solvency and revenue flows of insurer.
1.4 In order to ensure proper corporate and regulatory oversight over the outsourcing of
activities of insurers, the Authority has decided to issue following instructions under Section
14(2) of Insurance Regulatory and Development Authority Act, 1999. These guidelines apply in
addition to the instructions given vide reference 2 cited above.
1.5 However this circular supersedes the provisions of para 3 of reference 2 cited above.
1.6 The insurer shall ensure that outsourcing arrangements neither diminish its ability to
fulfill its obligations to Policyholders nor impede effective supervision by IRDA. Insurers
therefore have to take steps to ensure that the service provider employs the same standards in
performing the services as would be employed by them if the activities were conducted in
house. Accordingly, insurers should not engage in outsourcing that would result in their internal
control, business conduct or reputation being compromised or weakened.
1.7 Activities of insurers are broadly classified into two categories namely 'Core' and
'Non-Core', in accordance with Regulation 7(c) of IRDA (Registration of companies) Regulation,
2000.
2. CORE ACTIVITIES
2.1 All activities relating to:-
Underwriting,
Product design and all Actuarial functions and Enterprise wide Risk Management
Investment and related functions
Fund Accounting including NAV calculations
Admitting or Repudiation of all Claims
Bank Reconciliation
Policyholder Grievances Redressal
Approving Advertisements
Market Conduct issues
Appointment of Surveyors and Loss Assessors
Compliance with AML, KYC etc.
All integral components of the above activities shall be treated as Core Activities
2.2 Policy Servicing and related activities
2.3 Insurers shall not outsource any of the core activities listed in para 2.1.
3. NON CORE ACTIVITIES:
Facility management i.e. Housekeeping, Security, Catering, etc.
PF Trust
Internal audit, Internal / branch /concurrent audit etc. (Note: However, the Board of
Directors shall appoint the internal /branch / concurrent auditor based on the recommendation of
the Audit Committee / Investment Committee respectively as mandated by the Authority in
Corporate Governance Guidelines. The report of internal auditor / concurrent auditor shall be
placed before the Audit Committee / Investment Committee / Board Meeting for their information
and necessary action)
Website Development and Management / Software and other IT Support
Pay Roll Management
HR Services
Service Tax Consultancy and Support
TDS filing
Compliance with labour laws
Data entry Including Scanning, Indexing Services
Printing and posting of reminders and other documents
Pre employment medical checkups
Reminders for Premium Payment
Call Centre and outbound calling for registering complaints or answering enquiries
Claim Processing for Overseas Medical Insurance Contracts
Tele-marketing
Consultancy Services pertaining to Service Tax, Income Tax and any other taxes payable by
insurer
Other Employee Benefits
Deployment of personnel within the premises / offices of the Insurer on a contract basis
4. ACTIVITIES SUPPORTING CORE ACTIVITIES:
4.1 Certain activities which support the core activities as listed in column 3 of Annexure I
may be outsourced as per risk management principles outlined in these guidelines subject to
reporting requirements.
4.2 Activities in column 4 of Annexure I, which insurers normally assign to outside
professionals, regulated either under different laws or provide outside expertise and economies,
may be outsourced to such entity as otherwise legally permitted to carry out those activities.
5. PREMIUM COLLECTION & CHEQUE PICK-UP ACTIVITIES:
5.1 The insurer shall ensure that the entities, other than those referred at Sl No. 3 Column No. 4
of Annexure 1 shall be only a Company registered under Indian Companies Act, 1956. Such
entities engaged for cheque pick-up shall have a net worth of at least Rs.10 Crores. However,
these conditions are not applicable to Scheduled Commercial Banks and Post Office.
5.2 In respect of outsourcing of premium collection, insurers shall strictly ensure that the same
is outsourced only to entities listed at Sl.No.2 of Column 4.
5.3 Notwithstanding what is stated at Sl No. 2 of Column 4 of Annexure 1 Insurers are also
permitted to outsource cheque pick up and premium collection to their respective Individual
Agents and Corporate Agents in respect of those policies that are not sourced by such
intermediaries. Such collection and pick up by agents who have not procured such business is
regarded as outsourcing. However, Insurers shall carry out the due diligence on individual
agents and corporate agents while outsourcing the same. However, the activity of premium
collection / cheque pick up referred in this paragraph shall be subject to the following conditions.
5.4 The total amount entrusted to be collected and picked up by Agents and Corporate Agents
for a given financial year shall not exceed three times the renewal commission that the said
agent earned in the preceding financial year. Thus it is a prerequisite for carrying out activity
that such agents are in existence at least for a period of 2 years.
5.5 The insurer shall assign this activity to agents and corporate agents by allocating only a
specified list of the policies, where the services of the agents that procured the business are no
longer available to the insurer.
5.6 The above referred conditions are not applicable in respect of Scheduled Commercial
Banks, Post Office when these activities are carried out in their capacity as a collecting bank.
5.7 Where an insurer permits its agent to collect premiums on its behalf, it shall be noted that in
such instances the agent is acting on behalf of insurers. Insurer shall remain accountable to the
receipts issued by the authorised agents / intermediaries.
5.8 Insurers shall notify Policyholders about all the options available for payment of premiums.
6. Bank Reconciliation: With reference to 2.1 (vi) the Insurer is solely responsible for
reconciling various Bank Accounts, cash and other instruments; and accountable to any
liabilities created through these accounts. However, Insurers are allowed to outsource clerical
activities like sorting and organizing the instruments to Scheduled Commercial Banks. The
activity of tallying that what is stated in the account and actual availability of instrument shall not
be outsourced. The Scheduled Commercial Banks shall be required to submit the certified
copies of compilation of various assets inclusive of Cash / Fixed Deposits etc.
7. Policy Servicing and Related Activities: With regard to the activities referred in para 2.2,
the following components of the activities, referred at point no. 7.1, are allowed to be outsourced
to any service provider at the discretion of the Insurers and as per these guidelines. However, it
is reiterated that execution of these services shall remain to be Core Activity to be carried out by
the Insurers:
7.1 Receiving requests in physical/electronic/telephonic forms and transmitting to the insurer
without accessing the original data base of Insurers for the following areas of Policy Servicing;
Issuance of Policy Document / Certificates of Insurance
Change of Name / Address
Fund Switching/ Premium Redirection
Surrender, Maturity, Withdrawals Free look Cancellations Payouts
Loan Against Policy
Change of Policy Terms and Conditions / Details Change
Registration of Assignment / Nomination
Revival / Cancellation of Policy
Transfer of Policy
Substitution of Vehicle Communications, Reports, Printouts to Policyholders / Claimants
Laid up Vehicles
Withdrawal of No Claim Bonus
Declarations Update
Extension of Cover
Duplicate Policy
Document Collection and Investigation for complying with AML and KYC norms
8. General Principles: Outsourcing of activities allowed in these guidelines are subject to
following general principles.
8.1 To avoid a potential conflict of interest no insurer shall outsource the internal audit to their
respective statutory auditors.
8.2. The third party service providers engaged by insurers are subject to the various
provisions of Insurance Act, 1938, IRDA Act, 1999, Rules, Regulations or any other orders
issued there under. The third party service provider shall comply with provisions of Regulations,
Guidelines and any other law under force and the insurer shall be responsible for all acts of
omission and commission of its third party service providers in this regard.
8.3. The regulated activities of the Agents, Corporate Agents, Brokers, TPA's, Surveyors and
other regulated entities, as provided in the Insurance Act,1938, IRDA Act,1999 and Regulations,
guidelines made there under, are not covered by these guidelines.
8.5. Subject to these Guidelines, Agents, Corporate Agents, Brokers, TPA's and Surveyors
and other regulated entities shall not be contracted to perform any outsourced activity other than
those permitted by the respective regulations/instructions governing their licensing and
functioning.
9. Risk Management Principles: While outsourcing activities every insurer shall abide by
criteria laid down in the following principles:
9.1 An insurer intending to outsource any of its activities shall put in place a
comprehensive outsourcing policy, approved by its Board, which incorporates, inter alia,
criteria for selection of such activities as well as service providers, delegation of authority
depending on risks and materiality and systems to monitor and review the operations of these
activities.
9.2 In case any of the third party service provider becomes a group entity as defined vide
IRDA (Investment) Regulations, 2000, the insurer shall report the fact to the Authority within 30
days of such an event.
9.3 The Board of Directors of insurer shall review the performance of all third party service
providers every year with respect to compliance with provisions of Insurance Act 1938,
Regulations, Rules or any other order issued there under.
9.4 In case of termination of contract between insurer and third party service provider, the
compensation or penalty or any payment in lieu of foreclosure shall be reasonable and shall not
be excessive.
9.5 Insurer shall establish a comprehensive outsourcing risk management programme to
address the outsourced activities and the relationship with the service provider.
9.6 Some factors that could help in considering materiality in a risk management programme
include the following:
The financial, reputational and operational impact on the insurance company of the failure of a
service provider to adequately perform the activity
Cost Benefit Analysis;
Potential losses to policyholders and their counterparts in the event of a service provider failure;
Consequences of outsourcing the activity on the ability and capacity of the insurer to conform
with regulatory requirements and changes in requirements,
Interrelationship of the outsourced activity with other activities within the Insurance Company.
Affiliation or other relationship between the insurer and the service provider;
Regulatory status of the service provider;
Degree of difficulty and time required to select an alternative service provider or to bring the
business activity in-house, if necessary; and
Complexity of the outsourcing arrangement. For example, the ability to control the risks where
more than one service provider collaborates to deliver an end-to-end outsourcing solution.
9.7 Data protection, security and other risks may be adversely affected by the
geographical location of an outsourcing service provider. To this end, specific risk management
expertise in assessing country risk related, for example, to political or legal conditions, could be
required when entering into and managing outsourcing arrangements that are taken outside of
the home country.
9.8 Insurer shall ensure that outsourcing arrangements neither diminish its ability to fulfill its
obligations to policyholders and regulators, nor impede effective supervision by regulators.
9.9 Outsourcing relationships shall be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities, expectations of all parties. The outsourcing contracts may carry the following components:-
· The contract shall clearly define what activities are going to be outsourced, including appropriate service and performance levels. The service provider's ability to meet performance requirements in both quantitative and qualitative terms should be assessable in advance;
· The contract shall neither prevent nor impede Insurer from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers of conducting inspection, investigation, obtaining information from either the insurer or the third party service provider;
· Insurer must ensure it has the right to access all books, records and information relevant to the outsourced activity in the third party service provider;
· The contract shall provide for the continuous monitoring and assessment by Insurer of the service provider so that any necessary corrective measures can be taken immediately;
· A termination clause and minimum periods to execute a termination provision, if deemed necessary, shall be included. The latter should allow the outsourced services to be transferred to another third-party service provider or to the Insurance Company. Such a clause shall include provisions relating to insolvency or other material changes in the corporate form, and clear delineation of ownership of intellectual property following termination, including transfers of information back to the Insurer and other duties that continue to have an effect after the termination of the contract;
· Material issues unique to the outsourcing arrangement shall be meaningfully addressed. For example, where the third party service provider is located abroad, the contract shall include choice-of-law provisions and agreement covenants and jurisdictional covenants that provide for adjudication of disputes between the parties under the laws of a specific jurisdiction;
9.10 Insurer and its third party service providers shall establish and maintain contingency
plans, including a plan for disaster recovery and periodic testing of backup facilities.
9.11 The Insurer shall take appropriate steps to require that third party service providers
protect confidential information of both the Insurer and its clients from intentional or inadvertent
disclosure to unauthorized persons.
9.12 The Insurer shall ensure that the third party service provider does not have any conflict
of interest. The third party service provider or any of their group entities shall not be able to
derive any benefit by causing loss to the insurer or policyholder. For instance the third party
service provider shall not have the responsibility of repairing the damaged vehicle, supply of
spare parts and marketing of the policy. In case of existence of conflict of interest among group
entities, the insurer shall avoid outsourcing to such entities.
9.13 No employee of Insurer shall be directly or indirectly involved in (i) creation of or (ii) any
outsourced activity of the outsourced entity.
9.14 The Insurer shall ensure that there is no risk of loss of control over outsourced activity
and potential impersonal treatment of policy holder / agents, before outsourcing any activity.
9.15 Where the third party service provider is either a group entity as defined in provisions of
Regulation (2) (ca) of IRDA (Investment) Regulations, 2000 and having a common director with
the insurer, the insurer shall ensure that the transfer pricing is done according to the sound
principles and or all such transactions shall be disclosed to the Authority as soon as the
agreement is completed and before payment is made to the third party service provider.
However nothing contained herein shall be applicable for outsourcing of activities to a scheduled commercial bank.
10. Evaluating the Capability of the Service Provider: In considering or renewing an
outsourcing arrangement, appropriate due diligence should be performed to assess the
capability of the service provider to comply with obligations in the outsourcing agreement. Due
diligence should take into consideration qualitative and quantitative, financial, operational and
reputational factors. Insurers should consider whether the service providers' systems are
compatible with their own and also whether their standards of performance including in the area
of policyholder service are acceptable to it. Where possible, the insurer should obtain
independent reviews and market feedback on the service provider to supplement its own
findings.
10.1 Due diligence should involve an evaluation of all available information about the
service provider, including but not limited to:-
· Past experience and competence to implement and support the proposed activity over the contracted period;
· Financial soundness and ability to service commitments even under adverse conditions;
· Business reputation and culture, compliance, complaints and outstanding or potential litigation;
· Security and internal control, audit coverage, reporting and monitoring environment, Business continuity management;
· External factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact service performance;
· Ensuring due diligence by the service provider of its employees.
11. Reporting Requirements:
11.1 The activities outsourced vide point no.4.1 of these guidelines shall be reported to IRDA
within 45 days from the date of entering into outsourcing agreement.
11.2 With respect to each of the other outsourced activities all insurers shall file a report in
Form A (attached as Annexure-II) within 45 days from the end of every half year.
12. Electronic Issuance of Policies and Data Storage: Where insurers issue policies in
electronic form in accordance to the guidelines issued in this regard or where Insurers prefer to
outsource the Data Storage, the outsourcing of data storage in electronic form shall be
mandatorily with the repository service providers authorised by IRDA. The guidelines for
issuance of electronic policies and authorization of repositories will be issued separately.
12.1 In respect of policies issued in electronic form, the terms and conditions of the policies
shall be drafted in simple and plain language. Insurers shall take prior approval of IRDA for the
text format of such policy documents.
12.2 Insurers are also permitted to allow the execution of the activities referred at point no. 7.1
to the authorised repository service providers at their discretion with respect to all category of
policies, both electronic policies and otherwise.
13. Classification of any of the activities that are not explicitly referred herein as core or non-core shall be done after due diligence. Mere listing of an activity as non-core shall not be taken as freedom to outsource without proper risk assessment/due diligence. Further, Insurers are advised to refer to IRDA for further clarification in case of any ambiguity regarding the classification as core or non-core of activities which are not specified in these guidelines.
14. Redressal of Grievances related to Outsourced services: Every Insurer shall direct its in-house Grievance Redressal Machinery to deal with grievances relating to services provided by the outsourced agencies. Wide publicity has to be given through print and electronic media about this. The Grievance Redressal Machinery shall deal with every grievance in a fair, objective and just manner and issue a reasoned, speaking reply for every grievance rejected. It shall also analyze grievances received to help identify the problem areas in which modifications of policies and procedures could be undertaken with a view to making the delivery of services easier and more expeditious. The TATs (turnaround times) for redressal of grievances shall be as notified by the Authority from time to time.
15. Centralized list of Outsourced Agents: If a service provider's services are terminated by an Insurer on grounds of mischief, fraud and non-compliance with the terms and conditions of the outsourcing agreement, the Insurer shall inform the Authority with reasons for such termination. The Authority would maintain a caution list of such service providers for the entire insurance industry, for sharing among insurers.
16. These guidelines shall not be construed to be authorizing any activity which otherwise is prohibited by any law in force and/or Regulation and Guidelines of the Authority.
17. These guidelines would be reviewed by IRDA periodically.
18. These guidelines come into force with immediate effect.
19. The insurers shall terminate all existing outsourcing contracts entered into in
contravention of these guidelines before 31st June, 2011. Beyond the time period specified
herein, the Authority may relax time limit by 3 more months, on a case to case basis, in respect
of existing contracts that are in contravention of this circular.
(A.Giridhar)
Executive Director
Annexure I
Columns: (1) Sl. No. | (2) Activity | (3)* Specified activities that can be outsourced with due reporting | (4)** Activities external to Insurers that may be outsourced
1. Underwriting
   (3)* Data collection of prospect/insured details; Submission of proposals; Data Entry
   (4)** Data analysis; Medical examination; Risk management service at policyholders' / insured premises; Reinsurance
2. Premium Collection
   (3)* Printing of receipt; Dispatch; Data entry of details; Issuance of receipt
   (4)** Collection by RBI approved banks, institutions, business correspondents of banks; Government, private partnerships like AP Online, e-mitra, e-seva, MP Online etc.; Government offices like Post office; Payment aggregators eg VISA, Mastercard, Bill desk, payments through RBI approved gateway; RBI Cleared Payment Collectors, e.g. ECS; Licensed Insurance Intermediaries, which includes agent / micro insurance agent / corporate agent / Broker who are authorized and who himself procured the policies related to the premium being collected.
3. Cheque pick up and Banking
   (3)* Picking up from policyholder premises; Drop box; Picking up from acceptance points
   (4)** Cash management services of banks; Picking up arrangement with couriers, Post office; Drop box
4. Data Storage
   (3)* Scanning; Indexing
   (4)** Physical storage of documents
5. Admitting and repudiation of Claims
   (3)* (none listed)
   (4)** Legal / expert / professional opinion; Investigation; Forensic analysis; Salvage / sue and labour; Average adjustors; Recovery agents; Third party claims negotiators; Claims document aggregator; Accident / road assistance; International travel and medical assistance services; Global repricing
* Refer 4.1 of the Circular
** Refer 4.2 of the Circular
Annexure II
Form A
Columns: (1) Sl. No. | (2) Particulars | (3) For the Half Year | (4) Up to the Half year | (5) For the corresponding Half Year of the preceding year | (6) Up to the Half Year of the preceding year
1. Activity outsourced (detailed description)
2. Name of the Vendor
3. Total Amount Agreed
4. Amount Paid so far
5. Whether vendor belongs to insurer group
6. % of outsourcing payments to Operating Expense
(Columns (3) to (6) are to be filled in against each particular.)
Date :                                        Signature of CEO
Appendix D Clarifications on Guidelines on Outsourcing of
Activities by Insurance Companies
Clarification 1
Ref: IRDA/Life/Cir/Misc/ 103 /05/2011
Date: 18-05-2011
Title: Clarification on Guidelines on Outsourcing of Activities by Insurance Companies
Reference is invited to point no. 5.1 of Guidelines on Outsourcing of Activities by Insurance Companies (Circular No: IRDA/Life/CIR/GLD/013/02/2011 dated 01st February, 2011) wherein it is prescribed that entities engaged for the activities referred at Column (4) of Sl. No. 3 of Annexure - 1 (Cheque pick and Banking) shall be only a Company registered under the Indian Companies Act, 1956 with a net worth of at least Rs 10 Crores.
It is now clarified that these conditions are not applicable to the entities that are
permitted by RBI to facilitate collections using technology platform. Entities permitted by
RBI for collection are allowed to carry out the activity of `Cheque pick and Banking' in
accordance to the provisions of the within referred outsourcing guidelines and also in
compliance with those prescribed by RBI. The insurers shall put in place procedures for
issuance of simultaneous receipts to the policyholders through such entities. It is further
clarified that insurers shall remain responsible for the receipts issued and date and time
of such receipt shall be taken into account for considering the underlying benefits of an
insurance contract.
This issues with the approval of the Competent Authority.
(A Giridhar)
Executive Director
Clarification 2
Ref: IRDA/Life/CIR/GLD/219 /09/2011
Date: 21-09-2011
Title: Clarifications on Guidelines on Outsourcing of Activities by Insurance Companies
With reference to the captioned guidelines the following clarifications are issued for
compliance by all insurers.
1. Reference is invited to the Authority's Circular No. IRDA/Life/CIR/GLD/013/02/2011 dated 01st February, 2011 wherein it was prescribed vide proviso 9.15 that the insurer shall report to the Authority before making payment to a third party service provider which is either a group entity as defined in provisions of Regulation (2) (ca) of IRDA (Investment) Regulations, 2000 and having a common director with the insurer.
a. In clarification of the above provision it is now clarified that where the terms and
quantum of payments agreed are explicitly mentioned in the terms and conditions of the
agreement /MOU entered with above referred third party, the disclosure of the same
shall be reported as soon as the agreement is made. And all subsequent transactions
shall form part of Form A and be reported in accordance to Clause 11.2 of the within
referred guidelines.
2. Reference is also invited to proviso 5.2 read in conjunction with Sl No. 2 Column 4 of
Annexure 1 of the within referred guidelines. With regard to the Registration Fee
collected under RSBY in addition to the entities referred therein, it is clarified that the
TPAs which are engaged as Intermediaries for discharging various pre determined
functions may also collect the registration fee.
The above clarifications will come into effect immediately.
Sd/-
A.Giridhar
Executive Director
Appendix E IRDA (Web Aggregators) Regulation, 2013
Since the file size of Appendix E is too large to upload, it can be downloaded from
http://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo2168&flag=1&mid=Insurance%20Laws%20etc.%20%3E%3E%20Regulations
Appendix F IRDA Circular on Investment Risk
Management Systems and Process Audit
Appendix G Extracts from ICAI Technical Guide on Review
and Certification of Investment Risk
Management Systems and Processes of
Insurance Companies (2013)
THE SCOPE
3.22. With a view to addressing the concerns of the Regulator and other stakeholders, the review of
investment risk and management system should include within its scope the following minimum areas
of information system security and audit:
i. Risk Management: Ensure that the features and system parameters implemented in the system are in
accordance with the policies and procedures covered in IRDA Investment Regulations and applicable
Guidelines / Circulars.
ii. Application Review: Review and ensure that the software used by the insurance companies is in
accordance with the security standards and policies and guidelines as prescribed by IRDA.
iii. Security Policy and Implementation: Review the security policy and implementation procedures with
special reference to the Hardware Platform, Network, Operating System, Physical Perimeter, Backups
and databases.
iv. Capacity Management: Assess the existing and planned capacity for growth and adequacy of the
current capacity to handle the existing and future business.
v. Disaster Recovery, Back-up and Contingency Planning: Review the existing disaster recovery, back-up
and contingency plans and policies of the insurance companies and verify and assess the compliance to
current policies.
vi. Customer Services: Review the procedures for providing services and communicating with clients /
investors.
vii. Internal Vulnerability Assessment: Ascertain the data integrity, availability and security of the key
information present in the network and the efficiency, effectiveness, responsiveness and compliance of
the IS processing facilities.
THE APPROACH
3.23. The checklist-based review should address and cover the following key activities of an Insurance
Company:
i. Understanding the Information Technology Infrastructure of the insurance company as it exists at the
location.
ii. Understanding the business process, related to the Investment function and risk management system.
iii. Understanding the transaction mechanism and data flow with respect to investment management
function.
iv. Inspection and review of the documented policies and procedures, infrastructure and network
diagram.
v. Collection of evidence in the form of documents, test results, screenshots, confirmations, logs, third
party evidence.
vi. Conducting a risk analysis in the environment to evaluate and test the existing risk management processes and available controls, both system-based and manual.
vii. Vulnerability analysis and audit of host servers.
viii. Discussing critical observations / findings with the Insurance Company and generating a report to be
submitted to IRDA.
Annexure C - Review of Information Technology (IT) Systems and Processes supporting Investment Operations
Technical Guide
Review of Information Technology (IT) Systems and Processes supporting Investment Operations
Checklist columns: S. No | Audit Objective | Auditor's Observation (Y / N / Comments) | Risk Category
A Planning the IT Function

IT Plan and Strategy (Risk Category: Very Serious)
A.1. Does the Organization have an IT strategy / IT plan approved by Management?
A.2. Is there a process of at least annual review of the IT strategy / Plan?
A.3. Is there a periodic review (minimum annual) of IT performance, covering key parameters in the IT strategy such as Data Sizing, Network Performance?

Information Architecture
Policy and Procedure Review

INFORMATION SECURITY POLICY DOCUMENT (Risk Category: Very Serious)
A.4. Is there an Information security policy, approved by the management and adopted by the Board?
A.5. Does it state the management commitment and set out the organisational approach in managing information security?
A.6. Does the Information Security Policy cover the following key areas of IT Security:
· Detailed IT Security Policy and Procedures
· Organisation and security
· Asset Classification and Control
· Personnel Security
· Physical and Environmental Security
· Communications and Operations Management
· Access Control
· Systems Development and Maintenance
· Information Security Incident Management
· Business Continuity Management
· Compliance requirements to Policies and Procedures
· IT Risk Management Process?
A.7. Has the Security Policy been published and communicated as appropriate to all employees and vendors?
A.8. Are new members of staff and vendors made aware of the Information Security Policy?
A.9. Are continuous awareness programmes conducted for security awareness?
A.10. Has the role of Information Security Officer with responsibilities for implementation of the Security Policy been assigned?
A.11. Whether detailed procedures for each policy statement have been developed.
A.12. Is the Information Security Officer made responsible for:
· Reporting non-compliance with the approved policy,
· Reporting incidents of security breaches to the Top Management,
· Initiating and effecting corrective action?

INCIDENT MANAGEMENT PROCEDURES
A.13. Whether an Incident Management procedure exists to handle security incidents.
A.14. Whether there are clearly defined procedures and rules covering the different types of security incidents.
A.15. Whether the procedure addresses the incident management responsibilities and an orderly and quick response to security incidents.
A.16. Whether the procedure addresses different types of incidents ranging from denial of service to breach of confidentiality etc., and ways to handle them.

INVENTORY OF ASSETS
A.17. Whether an inventory or register is maintained with the important assets associated with each information system.
A.18. Whether each asset identified has an owner, the security classification defined and agreed and the location identified.
A.19. Is there an up-to-date network diagram?
A.20. Is the inventory schedule and networking plan reviewed at regular intervals to ensure that they are complete and up-to-date?
A.21. Are all the system configurations properly documented?
A.22. Is the configuration document regularly updated as per a fixed schedule?

INFORMATION LABELING AND HANDLING
A.23. Whether an appropriate set of procedures is defined for information labeling and handling in accordance with the classification scheme adopted by the organization.

CORRECT DISPOSAL OF RESOURCES REQUIRING PROTECTION
A.24. Is there a policy of identifying resources and media based on their level of sensitivity?
A.25. Is there a disposal process commensurate with each level of sensitivity?
A.26. Are the specified disposal provisions complied with?
A.27. Is the disposal procedure reliable?

ACCESS CONTROL POLICY
A.28. Whether the business requirements for access control have been defined and documented.
A.29. Whether the Access control policy addresses the rules and rights for each user or group of users.
A.30. Whether the users and service providers were given a clear statement of the business requirement to be met by access controls.
CLASSIFICATION GUIDELINES
A.31. Whether there is an Information classification scheme or guideline in place which will assist in determining how the information is to be handled and protected.

MANAGEMENT OF REMOVABLE COMPUTER MEDIA
A.32. Whether there exists a procedure for management of removable computer media such as tapes, disks, cassettes, memory cards and reports.

OTHER FORMS OF INFORMATION EXCHANGE (Risk Category: Serious)
A.33. Whether there are any policies, procedures or controls in place to protect the exchange of information through the use of voice, facsimile and video communication facilities.
A.34. Whether staff are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility.

INFORMATION AND SOFTWARE EXCHANGE AGREEMENT (Risk Category: Serious)
A.35. Whether there exists any formal or informal agreement between the organisations for exchange of information and software.
A.36. Whether the agreement addresses the security issues based on the sensitivity of the business information involved.

Determine technological direction

INDEPENDENT REVIEW OF INFORMATION SECURITY (Risk Category: Very Serious)
A.37. Whether the implementation of the security policy is reviewed independently on a regular basis. This is to provide assurance that organisational practices properly reflect the policy, and that it is feasible and effective.

TESTING, MAINTAINING AND RE-ASSESSING BUSINESS CONTINUITY PLAN (Risk Category: Very Serious)
A.38. Whether Business continuity plans are tested regularly to ensure that they are up to date and effective.
A.39. Whether Business continuity plans were maintained by regular reviews and updates to ensure their continuing effectiveness.
A.40. Whether procedures were included within the organisation's change management programme to ensure that Business continuity matters are appropriately addressed.

MOBILE COMPUTING (Risk Category: Serious)
A.41. Whether a formal policy is adopted that takes into account the risks of working with computing facilities such as notebooks, palmtops etc., especially in unprotected environments.

WORKING FROM OFFSITE (Risk Category: Very Serious)
A.42.
· Whether policy, operational plan and procedures are developed and implemented for working from offsite. This should cover both employees and partners.
· Whether such activity is authorized and controlled by management, and does it ensure that suitable arrangements are in place for this way of working.

Define the IT Processes, Organization and Relationships

AUTHORISATION PROCESS FOR INFORMATION PROCESSING FACILITIES (Risk Category: Very Serious)
A.43. Whether there is a management authorisation process in place for any new facilities such as:
· Hardware
· Software incl. applications
· information processing facility like data centers, offices etc
· changes to configurations in existing Assets.
A.44. Are log-books kept of system changes?
A.45. Are there any guidelines for implementing changes to IT components, software or configuration data?
A.46. Are all changes documented?

INFORMATION SECURITY COORDINATION (Risk Category: Procedural)
A.47. Whether there is a cross-functional forum of management representatives from relevant parts of the organization to coordinate the implementation of information security controls.

ALLOCATION OF INFORMATION SECURITY RESPONSIBILITIES (Risk Category: Very Serious)
A.48. Has an IT Security Officer been appointed?
A.49. Whether responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined.
A.50. Is there an establishment of a suitable organisational structure for IT security?

CONFIDENTIALITY AGREEMENTS (Risk Category: Very Serious)
A.51. Whether employees are asked to sign a confidentiality or non-disclosure agreement as a part of their initial terms and conditions of employment.
A.52. Whether this agreement covers the security of the information processing facility and organisation assets.

INCLUDING SECURITY IN JOB RESPONSIBILITIES (Risk Category: Procedural)
A.53. Whether the security roles and responsibilities, as laid down in the Organization's information security policy, were documented and appropriate.
A.54. Does it include general responsibilities for implementing or maintaining the security policy, specific responsibilities for protection of particular assets, and extension of particular security processes or activities?
PERSONNEL SCREENING AND POLICY (Risk Category: Very Serious)
A.55. Whether verification checks on permanent staff were carried out at the time of job applications. This should include:
· character reference,
· confirmation of claimed academic and professional qualifications,
· independent identity checks.

TERMS AND CONDITIONS OF EMPLOYMENT (Risk Category: Procedural)
A.56. Whether the terms and conditions of employment cover the employee's responsibility for information security, where appropriate:
· At the joining date
· At time of internal transfers
· On termination/end of the employment.

INFORMATION SECURITY EDUCATION AND TRAINING (Risk Category: Procedural)
A.57. Whether all employees of the organization and third party users (where relevant) receive appropriate Information Security training and regular updates in organisational policies and procedures.
A.58. Is the IT Security Management Team involved in the planning and delivery of IT training?

DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION (Risk Category: Serious)
A.59. Whether there is a management structure and control in place to protect data and privacy of personal information.

IDENTIFICATION OF APPLICABLE LEGISLATION (Risk Category: Serious)
A.60. Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system.

INTELLECTUAL PROPERTY RIGHTS (Risk Category: Very Serious)
A.61. Whether there exist any procedures to ensure compliance with legal restrictions on use of material in respect of which there may be intellectual property rights (IPR) such as copyright, design rights, trade marks.
A.62. Whether the procedures are well implemented.
A.63. Whether proprietary software products are supplied under a licence agreement that limits the use of the products to specified machines. The only exception might be for making own back-up copies of the software.
SAFEGUARDING OF ORGANISATIONAL RECORDS (Risk Category: Very Serious)
A.64. Whether important records of the organisation are protected from loss, destruction and falsification.

SECURING OF EQUIPMENT OFF-PREMISES (Risk Category: Very Serious)
A.65. Whether any equipment usage outside an organisation's premises for information processing has to be authorized by the management.
A.66. Whether the security provided for this equipment while outside the premises is at par with or more than the security provided inside the premises.

SEGREGATION OF DUTIES (Risk Category: Very Serious)
A.67. Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorized modification or misuse of information or services. This should include distinction between IT and Business, Development and Production.

SEPARATION OF DEVELOPMENT AND OPERATIONAL FACILITIES (Risk Category: Very Serious)
A.68. Whether the development and testing facilities are isolated from operational facilities. For example, development software should run on a computer different from the computer with production software. Where necessary, the development and production networks should be separated from each other.

NETWORK CONTROLS (Risk Category: Very Serious)
A.69. Whether effective operational controls such as separate network and system administration facilities were established where necessary.
A.70. Whether responsibilities and procedures for management of remote equipment, including equipment in user areas, are established.
A.71. Whether there exist any special controls to safeguard confidentiality and integrity of data processing over the public network and to protect the connected systems.
A.72. Whether access attempts via telnet, ftp are logged and reviewed.

IDENTIFICATION OF RISKS FROM THIRD PARTY (Risk Category: Very Serious)
A.73. Whether risks from third party access are identified and appropriate security controls implemented.
A.74. Whether security risks with third party contractors working onsite are identified and appropriate controls are implemented.
SECURITY REQUIREMENTS IN THIRD PARTY CONTRACTS (Risk Category: Very Serious)
A.75. Whether there is a formal contract containing, or referring to, all the security requirements to ensure compliance with the organization's security policies and standards.
WORKING IN SECURE AREAS (Risk Category: Very Serious)
A.76. Whether there exists any security control for third parties or for personnel working in secure areas.
PREVENTION OF MISUSE OF INFORMATION PROCESSING (Risk Category: Very Serious)
A.77. Whether use of information processing facilities for any non-business or unauthorised purpose, without management approval, is treated as improper use of the facility.
A.78. Whether at log-on a warning message is presented on the computer screen indicating that the system facility being entered is private and that unauthorised access is not permitted.
REGULATION OF CRYPTOGRAPHIC CONTROLS (Risk Category: Procedural)
A.79. Whether the cryptographic controls are used in compliance with all relevant agreements, laws and regulations.
ACCEPTABLE USE OF ASSETS (Risk Category: Very Serious)
A.80. Whether rules for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented. The auditor is required to understand the policies with respect to use of information assets and the controls available to prevent their misuse.
MANAGEMENT RESPONSIBILITIES (Risk Category: Procedural)
A.81. Whether the management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.
Manage the IT investment
REVIEW AND EVALUATION (Risk Category: Procedural)
A.82. Whether the IT security process ensures that a review takes place in response to any changes affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities or changes to the organisational or technical infrastructure.
LEARNING FROM INCIDENTS (Risk Category: Procedural)
A.83. Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored.
REPORTING SECURITY INCIDENTS (Risk Category: Procedural)
A.84. Are steps taken to ensure that anything unusual in the log files gets reported?
A.85. Are the users regularly advised of the requirement to inform the administrator at once in case of irregularities?
Communicate management aims and direction
PUBLICLY AVAILABLE SYSTEMS (Risk Category: Procedural)
A.86. Whether there is any formal authorisation process in place for information to be made publicly available, such as approval from Change Control, which includes Business, Application owner etc. The auditor may also evaluate the control over disclosure of NAV on the website.
A.87. Whether there are any controls in place to protect the integrity of such publicly available information from any unauthorised access. The auditor may obtain VA and PT reports for the website and other web applications where investment related data is hosted.
SECURITY REQUIREMENTS IN OUTSOURCING CONTRACTS (Risk Category: Serious)
A.88.
· Whether security requirements are addressed in the contract with the third party, when the organization has outsourced the management and control of all or some of its information systems, networks and/or desktop environments.
· The contract should address how the legal requirements are to be met, how the security of the organization's assets is maintained and tested, the right of audit, physical security issues, and how the availability of the services is to be maintained in the event of disaster.
INFORMATION ACCESS RESTRICTION (Risk Category: Serious)
A.89. Whether access to applications by various groups/personnel within the organisation has been defined in the access control policy as per the individual business application requirement, and whether it is consistent with the organisation's information access policy.
PASSWORD USE (Risk Category: Very Serious)
A.90. Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords.
UNATTENDED USER EQUIPMENT (Risk Category: Procedural)
A.91. Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection.
CLEAR DESK AND CLEAR SCREEN POLICY (Risk Category: Procedural)
A.92. Whether an automatic computer screen locking facility is enabled. This would lock the screen when the computer is left unattended for a period.
A.93. Whether employees are advised not to leave any confidential material, in the form of paper documents, media, etc., in an unlocked place while unattended.
RETURN OF ASSETS (Risk Category: Very Serious)
A.94. Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement.
MANAGEMENT COMMITMENT TO INFORMATION SECURITY (Risk Category: Serious)
A.95. Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, and explicit assignment and acknowledgement of information security responsibilities.
ROLES AND RESPONSIBILITIES (Risk Category: Procedural)
A.96.
· Whether the security roles and responsibilities of employees, contractors and third party users were defined and documented in accordance with the organization's information security policy.
· Were the roles and responsibilities defined and clearly communicated to job candidates during the pre-employment process?
Manage IT human resources
USER DELETION (Risk Category: Very Serious)
A.97. Is there a well defined process for revoking user rights on termination of employment?
A.98. Is the IS team promptly informed of the termination of service by a staff member?
A.99. Are there any former staff members who still hold previously issued passes or user IDs?
A.100. Is it ensured that all entry and access rights of a staff member whose services have been terminated are revoked and deleted, and is the process adequate?
A.101. When the contractual relationship with outside staff is terminated, are all access authorisations revoked or deleted?
TERMINATION RESPONSIBILITIES (Risk Category: Very Serious)
A.102. Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.
Manage quality
EXTERNAL FACILITIES MANAGEMENT (Risk Category: Serious)
A.103. Whether any of the information processing facilities is managed by an external company or contractor (third party).
A.104. Whether the risks associated with such management were identified in advance, discussed with the third party, and appropriate controls were incorporated into the contract.
OUTSOURCED SOFTWARE DEVELOPMENT (Risk Category: Serious)
A.105.
· Whether the outsourced software development is supervised and monitored by the organization.
· Whether points such as licensing arrangements, escrow arrangements, contractual requirements for quality assurance, testing before installation to detect Trojan code, etc., are considered.
Manage Projects
EMERGENCY PROCEDURES (Risk Category: Serious)
A.106. Is there an authorized person to determine the existence of an emergency?
A.107. Is there an Emergency Procedure Manual?
A.108. Is a description of the emergency organisation available?
A.109. Is consideration given to all possible emergencies?
A.110. Are all persons and organisational units stated in the Manual aware of the emergency organization?
A.111. Has a configuration back-up been produced for every computer type and/or operating system employed, and is it easily accessible in case of emergency?
A.112. Is a startup disk available for each PC configuration which can be used to boot the system in the event of a boot failure?
NETWORK PERFORMANCE MEASUREMENT (Risk Category: Procedural)
A.113. Are performance measurements and traffic-flow analyses conducted regularly? Are the results within the SLA agreed with the vendor?
A.114. Has a security analysis of the network environment been conducted?
SENSITIVE SYSTEM ISOLATION (Risk Category: Procedural)
A.115. Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.
ALTERNATE PROCESSING (Risk Category: Procedural)
A.116. Is there a specification of internal and external alternatives?
A.117. Are these available and effective?
A.118. Are the configuration, capacity and compatibility of internal and external alternatives being adapted to the current status of procedures?
A.119. Are the integrity and confidentiality of IT applications and data moved to external resources ensured in the case of recourse to external alternatives?
A.120. Are there any contingency plans for failure of individual assets?
A.121. Are there contingency plans in case of breakdown of data transmission?
A.122. Has the data transmission capacity required for the use of alternative resources been adequately assessed?
A.123. Are there any alternative solutions for important communication links?
A.124. Is there a provision of redundant communication lines?
A.125. Is there a sufficient redundant arrangement for network components?
A.126. Is there any single point of failure in the current infrastructure?
B Implement IT Plan
Acquire and maintain application software
OPERATIONAL CHANGE CONTROL (Risk Category: Very Serious)
B.1 Whether all programs running on production systems are subject to strict change control, i.e., whether any change to be made to those production programs needs to go through the change control authorisation.
B.2 Whether audit logs are maintained for any change made to the production programs.
AUDIT LOGGING (Risk Category: Procedural)
B.3
· Whether audit logs recording user activities, exceptions and information security events are produced and kept for an agreed period to assist in future investigations and access control monitoring.
· Whether appropriate privacy protection measures are considered in audit log maintenance.
FAULT LOGGING (Risk Category: Procedural)
B.4
· Whether faults are logged, analysed and appropriate action taken.
· Whether the level of logging required for individual systems is determined by a risk assessment, taking performance degradation into account.
APPLICATION ACCEPTANCE CRITERIA AND TESTS (Risk Category: Procedural)
B.5 INPUT DATA VALIDATION
· Whether data input to application systems is validated to ensure that it is correct and appropriate.
· Whether controls such as different types of inputs to check for error messages, procedures for responding to validation errors, defining responsibilities of all personnel involved in the data input process, etc., are considered.
B.6 CONTROL OF INTERNAL PROCESSING
· Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
· Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimized.
· The auditor needs to review the tests performed on the application at the time of acquisition and during any change.
B.7 MESSAGE INTEGRITY
· Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented.
· Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most appropriate method of implementation.
B.8 OUTPUT DATA VALIDATION
Whether the data output of application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
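Added example, not from the guide: a Python sketch of the application controls behind B.5, B.6 and B.8 for a premium receipt batch, with field-level input validation and a defined rejection path, an input control total reconciled to the sender's batch header, and an output reconciliation of postings plus rejections. The record layout, policy number format, limits, payment modes and sample batch are constructed assumptions.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed layouts for this example (not from the guide): a receipt batch with a
# sender-supplied control header, and a two-letter, eight-digit policy number.
POLICY_RE = re.compile(r"^[A-Z]{2}\d{8}$")
MAX_PREMIUM = Decimal("10000000.00")          # constructed upper limit
VALID_MODES = {"CASH", "CHEQUE", "ONLINE"}    # constructed payment modes


def parse_amount(value):
    """Return a finite Decimal, or None when the value is not a usable amount."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        return None
    return amount if amount.is_finite() else None


def validate_receipt(rec, today):
    """B.5 input validation: return (field, error_code) pairs; empty means accepted."""
    errors = []
    policy_no = rec.get("policy_no")
    if not isinstance(policy_no, str) or not POLICY_RE.match(policy_no):
        errors.append(("policy_no", "E_FORMAT"))
    amount = parse_amount(rec.get("amount"))
    if amount is None:
        errors.append(("amount", "E_NOT_NUMERIC"))
    elif amount <= 0:
        errors.append(("amount", "E_NOT_POSITIVE"))
    elif amount > MAX_PREMIUM:
        errors.append(("amount", "E_OVER_LIMIT"))
    try:
        if date.fromisoformat(str(rec.get("receipt_date"))) > today:
            errors.append(("receipt_date", "E_FUTURE"))
    except ValueError:
        errors.append(("receipt_date", "E_BAD_DATE"))
    if rec.get("mode") not in VALID_MODES:
        errors.append(("mode", "E_BAD_MODE"))
    return errors


def post_receipts(accepted):
    """The application's output: one ledger credit per accepted receipt."""
    return [{"policy_no": r["policy_no"], "credit": parse_amount(r["amount"])}
            for r in accepted]


def process_batch(batch, today):
    """B.6 and B.8: validate every record, post the accepted ones, then reconcile
    control totals against the sender's header (input) and against postings
    plus rejections (output) so lost, duplicated or altered records surface."""
    header, records = batch["header"], batch["records"]
    accepted, rejected = [], []
    total_in = rejected_total = Decimal("0")
    for rec in records:
        amount = parse_amount(rec.get("amount"))
        errors = validate_receipt(rec, today)
        if amount is not None:
            total_in += amount            # control total over every amount received
        if errors:
            rejected.append((rec.get("policy_no"), errors))   # exception report, never silently corrected
            if amount is not None:
                rejected_total += amount
        else:
            accepted.append(rec)
    postings = post_receipts(accepted)
    total_out = sum((p["credit"] for p in postings), Decimal("0"))
    return {
        "accepted": len(accepted), "rejected": rejected, "postings": postings,
        "total_in": total_in, "total_out": total_out,
        "header_reconciled": (len(records) == header["record_count"]
                              and total_in == Decimal(header["amount_total"])),
        "output_reconciled": total_out + rejected_total == total_in,
    }


# Constructed sample batch: one clean record and three that each fail a check.
SAMPLE_BATCH = {
    "header": {"record_count": 4, "amount_total": "22000.00"},
    "records": [
        {"policy_no": "LI12345678", "amount": "12000.00", "receipt_date": "2014-03-03", "mode": "ONLINE"},
        {"policy_no": "LI-2345", "amount": "5000.00", "receipt_date": "2014-03-03", "mode": "CASH"},
        {"policy_no": "LI87654321", "amount": "-1500.00", "receipt_date": "2014-03-04", "mode": "CHEQUE"},
        {"policy_no": "LI11112222", "amount": "6500.00", "receipt_date": "2014-03-02", "mode": "DRAFT"},
    ],
}


def run_sample(tamper=False):
    """Process the sample batch as received or, with tamper=True, with the first
    record duplicated in transit so the header control totals no longer match."""
    batch = {"header": SAMPLE_BATCH["header"], "records": list(SAMPLE_BATCH["records"])}
    if tamper:
        batch["records"].append(batch["records"][0])
    return process_batch(batch, date(2014, 3, 3))
```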
B.9 ACCESS CONTROL TO PROGRAM SOURCE CODE
Whether strict controls are in place to restrict access to program source libraries. (This is to avoid the potential for unauthorized or unintentional changes.)
B.10 RESTRICTION ON CHANGES TO SOFTWARE PACKAGES
Whether modifications to software packages are discouraged and/or limited to necessary changes, and whether all changes are strictly controlled.
Acquire and maintain technology infrastructure
EQUIPMENT MAINTENANCE (Risk Category: Procedural)
B.11 Whether the equipment is maintained as per the supplier's recommended service intervals and specifications.
B.12 Whether the maintenance is carried out only by authorized personnel.
B.13 Whether appropriate controls are implemented while sending equipment off premises.
B.14 If the equipment is covered by insurance, whether the insurance requirements are satisfied.
LAPTOPS (Risk Category: Procedural)
B.15 Are laptop users instructed as regards safe keeping of their computers during mobile use?
B.16 Is an encryption product used for laptop PCs?
AUTOMATIC TERMINAL IDENTIFICATION (Risk Category: Procedural)
B.17 Whether an automatic terminal identification mechanism is used to authenticate connections.
PLANNING OF A WINDOWS 'OS' NETWORK
B.18 Is there any documentation indicating which directories on which computers have been shared for network access?
CONFIGURATION OF 'OS' SERVERS (Risk Category: Procedural)
B.19 Is there a document detailing the settings of the various parameters in the OS server?
B.20 Are these settings adhered to?
B.21 Is protection of the registry under Windows in place?
B.22 Have the default passwords for local access been replaced by secure ones?
PROTECTION OF SYSTEM TEST (Risk Category: Procedural)
B.23 Whether system test data is protected and controlled, and whether the use of personal information or any sensitive information for testing the operational database is avoided.
Enable operation and use
DOCUMENTED OPERATING PROCEDURES (Risk Category: Very Serious)
B.24 Whether the Security Policy has identified any operating procedures such as back-up, equipment maintenance, etc.
B.25 Whether such procedures are documented and used.
SECURITY OF SYSTEM DOCUMENTATION (Risk Category: Very Serious)
B.26 Whether the system documentation is protected from unauthorised access.
B.27 Whether the access list for the system documentation is kept to the minimum and authorized by the application owner (for use by a limited number of users).
Manage Changes
USE OF SYSTEM UTILITIES (Risk Category: Very Serious)
B.28 Whether system utilities that come with computer installations, but may override system and application controls, are tightly controlled.
CHANGE MANAGEMENT (Risk Category: Very Serious)
B.29 Whether all changes to information processing facilities and systems are controlled.
B.30 Is there an approved written SOP covering the change control program?
TECHNICAL REVIEW OF APPLICATIONS AFTER OPERATING SYSTEM CHANGES (Risk Category: Very Serious)
B.31 Whether there is a process or procedure in place to review and test business critical applications for adverse impact on organizational operations or security after a change to the operating system. Periodically it is necessary to upgrade the operating system, i.e., to install service packs, patches, hot fixes, etc.
C Management of IT
Service delivery (Risk Category: Procedural)
C.1 Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.
Manage third party services
MONITORING AND REVIEW OF THIRD PARTY SERVICES (Risk Category: Serious)
C.2
· Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
· Whether audits are conducted on the above third party services, reports and records at regular intervals.
MANAGING CHANGES TO THIRD PARTY SERVICES (Risk Category: Serious)
C.3
· Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed.
· Does this take into account the criticality of business systems, the processes involved and re-assessment of risks?
Manage Performance and capacity
PATCH MANAGEMENT (Risk Category: Serious)
C.4 Are steps taken to ensure that information about the latest patches is always available? How is the patch level status of systems verified?
CAPACITY PLANNING (Risk Category: Serious)
C.5 Whether the capacity demands are monitored and projections of future capacity requirements are made. This is to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers.
Ensure continuous service
BUSINESS CONTINUITY PLANNING FRAMEWORK (Risk Category: Very Serious)
C.6 Whether there is a single framework of Business Continuity Plans.
C.7 Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance.
C.8 Whether this identifies conditions for activation and the individuals responsible for executing each component of the plan.
WRITING AND IMPLEMENTING CONTINUITY PLAN (Risk Category: Very Serious)
C.9 Whether plans were developed to restore business operations within the required time frame following an interruption in or failure of business processes.
C.10 Whether the plan is regularly tested and updated.
C.11 Review the written BCP/DRP(s) and verify whether the BCP/DRP(s):
· Address(es) the recovery of each business unit/department/function,
· According to its priority ranking in the Risk Assessment; and
· Considering interdependencies among systems.
C.12 Whether it take(s) into account:
· Personnel;
· Facilities;
· Technology (hardware, software, operational equipment);
· Telecommunications/networks;
· Vendors;
· Utilities;
· Documentation (data and records);
· Law enforcement;
· Security;
· Media; and
· Shareholders.
C.13 Whether it include(s) emergency preparedness and crisis management aspects:
· Has an accurate employee/manager contact tree;
· Clearly defines responsibilities and decision-making authorities for designated teams and/or staff members, including those who have authority to declare a disaster;
· Explains actions to be taken in specific emergency situations;
· Defines the conditions under which the back-up site would be used;
· Has procedures in place for notifying the back-up site;
· Designates a public relations spokesperson; and
· Identifies sources of needed office space and equipment and a list of key vendors (hardware/software/communications, etc.).
C.14 Whether the BCP/DRP establishes processing priorities to be followed in the event not all applications can be processed.
C.15 Whether adequate procedures are in place to ensure the BCP/DRP(s) is (are) maintained in a current fashion and updated regularly.
C.16 Whether a senior manager has been assigned responsibility to oversee the development, implementation, testing and maintenance of the BCP/DRP.
C.17 Whether the board reviews and approves the written BCP/DRP(s) and testing results at least annually and documents these reviews in the board minutes.
C.18 Whether senior management periodically reviews and prioritizes each business unit, business process, department and subsidiary for its critical importance and recovery prioritization. If so, determine how often reviews are conducted.
C.19 If applicable, determine whether senior management has evaluated the adequacy of the BCP/DRPs of its service providers, and ensured the organization's BCP/DRP is compatible with those service provider plans, commensurate with adequate recovery priorities.
BUSINESS IMPACT ANALYSIS (Risk Category: Very Serious)
C.20 Are all functions and departments included in the BIA?
C.21 Review the BIA to determine whether the identification and prioritization of business functions are adequate.
C.22 Does the BIA identify the maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, and the cost and recovery time objectives associated with downtime?
C.23 Review the risk assessment and determine if it includes scenarios and the probability of occurrence of disruptions of information services, technology, personnel, facilities and service providers from internal and external sources, including:
· Natural events such as fires, floods and severe weather;
· Technical events such as communication failure, power outages, and equipment and software failure; and
· Malicious activity including network security attacks, fraud and terrorism.
C.24 Whether the risk assessment and BIA have been reviewed and approved by senior management and the board.
C.25 Are reputation, operational, compliance and other risks considered in the plan(s)?
RISK MITIGATION STRATEGIES (Risk Category: Procedural)
C.26 Whether adequate risk mitigation strategies have been considered for alternate locations and capacity for:
· Data centers and computer operations;
· Back-room operations;
· Work locations for business functions; and
· Telecommunications.
C.27 Is there a policy for back-up of:
· Data;
· Operating systems;
· Applications;
· Utility programs; and
· Telecommunications?
C.28 Is there a policy for off-site storage of:
· Back-up media;
· Supplies; and
· Documentation, e.g., BCP(s), DRP, operating and other procedures, inventory listings, etc.?
C.29 Is there a provision for alternate power supplies such as uninterruptible power supplies (UPS) and back-up generators?
C.30 Whether there are procedures to ensure that:
· Duplicates of the operating systems are available both on- and off-site.
· Duplicates of the production programs are available both on- and off-site, including both source (if applicable) and object versions.
· All programming and system software changes are included in the back-up.
· Back-up media is stored off-site in a place from which it can be retrieved quickly at any time.
· The frequency and number of back-up generations are adequate in view of the volume of transactions being processed and the frequency of system updates.
· Duplicates of transaction files are maintained on- and off-site.
· Data file back-ups are taken off-site in a timely manner and not brought back until a more current back-up is off-site.
C.31 Review the written IT continuity plan(s) and determine whether the plan(s) address the back-up of the systems and programming function (if applicable), including:
· Back-up of programming tools and software; and
· Off-site copies of program and system documentation.
C.32 Does the plan deal with how backlogged transactions and other activity will be brought current?
C.33 Whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered to storage, stored, retrieved and loaded, and destroyed.
C.34 Do appropriate policies, standards and processes address business continuity planning issues including:
· Systems Development Life Cycle, including project management;
· The change control process;
· Data synchronization, back-up and recovery;
· Employee training and communication planning;
· Insurance; and
· Government and community coordination?
C.35 Whether personnel are adequately trained as to their specific responsibilities under the plan(s) and whether emergency procedures are posted in prominent locations throughout the facility.
C.36 Does the continuity strategy include alternatives for interdependent components and stakeholders, including:
· Utilities;
· Telecommunications;
· Third-party technology providers;
· Key suppliers/business partners; and
· Customers/members?
C.37
· Are there adequate processes in place to ensure the plan(s) are maintained to remain accurate and current?
· Are designated personnel responsible for maintaining changes in processes, personnel and environment(s)?
· Does the board of directors review and approve the plan(s) annually and after significant changes and updates?
· Does the process include notification and distribution of revised plans to personnel and recovery locations?
DISASTER RECOVERY SITE / ALTERNATE PROCESSING SITE (Risk Category: Very Serious)
C.38 Does the Insurer have a clear off-site back-up of data in a city falling under a different seismic zone, either on its own or through a service provider?
C.39 Does the Insurer have, in addition to the above, the necessary infrastructure for Mission Critical Systems to address at least the following:
· Calculation of daily NAV (fund wise) and redemption processing?
C.40
· Whether satisfactory consideration has been given to geographic diversity for:
· Alternate processing locations;
· Alternate locations for business processes and functions; and
· Off-site storage.
C.41 Are there arrangements for alternative processing capability in the event any specific hardware, the data center, or any portion of the network becomes disabled or inaccessible, and are those arrangements in writing?
C.42 If the organization is relying on in-house systems at separate physical locations for recovery, whether the equipment is capable of independently processing all critical applications.
C.43
· If the organization is relying on outside facilities for recovery, whether the recovery site:
· Has the ability to process the required volume;
· Provides sufficient processing time for the anticipated workload based on emergency priorities; and
· Allows the organization to use the facility until it achieves a full recovery from the disaster and resumes activity at the organization's own facilities.
C.44 Review the contract between the applicable parties, such as recovery vendors, if any. Determine if the terms and conditions of the contract relate to the BCP/DRP.
C.45 Whether the organization ensures that when any changes (e.g., hardware or software upgrades or modifications) occur in the production environment, a process is in place to make or verify a similar change in each alternate recovery location.
C.46 Whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s).
C.47 Whether there are plans in place that address the return to normal operations and original business locations once the situation has been resolved and permanent facilities are again available.
C.48 Whether adequate documentation is housed at the alternate recovery location, including:
· Copies of each BCP/DRP;
· Copies of necessary system documentation.
C.49 Whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility.
C.50
· Whether the methods by which personnel are granted temporary access (physical and logical) during continuity planning implementation periods are reasonable.
· Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect, and whether these changes require a revision to the levels of systems, operational, data and facilities access.
· Review the assignment of authentication and authorization credentials to determine if they are based upon primary job responsibilities and if they also include business continuity planning responsibilities.
C.51 Whether the intrusion detection and incident response plan considers resource availability, and the facility and systems changes that may exist when alternate facilities are placed in use.
TESTING (Risk Category: Very Serious)
C.52 Whether the BCP/DRP(s) is tested periodically.
C.53 Whether all critical business units/departments/functions are included in the testing.
C.54 Whether the tests include:
· Setting goals and objectives in advance;
· Realistic conditions and activity volumes;
· Use of actual back-up systems and data files while maintaining off-site back-up copies for use in case of an event concurrent with the testing;
· Participation and review by internal audit;
· A post-test analysis report and review process that includes a comparison of test results to the original goals;
· Development of a corrective action plan(s) for all problems encountered; and
· Board of Directors' review.
C.55 Whether interdependent departments, vendors and key market providers have been involved in testing at the same time to uncover potential conflicts and/or inconsistencies.
C.56 Whether the level of testing is adequate for the size and complexity of the organization. Determine if the testing includes:
· Testing the operating systems and utilities (infrastructure);
· Testing of all critical applications (application level);
· Data transfer between applications (integrated testing); and
· Testing the complete environment and workload (stress test).
C.57 Whether testing at an alternative location includes:
· Network connectivity;
· Items processing and back-room operations connectivity and information; and
· Other critical data feed connections/interfaces.
C.58 Whether testing of the information technology infrastructure includes:
· Rotation of the personnel involved; and
· Business unit personnel involvement.
C.59 Whether management considered testing with:
· Critical service providers;
· Customers;
· Affiliates;
· Correspondent institutions; and
· Payment systems and major financial market participants.
C.60 When testing with the critical service providers, determine whether management considered testing:
· From the institution's primary location to the TSPs' alternative location;
· From the institution's alternative location to the TSPs' primary location; and
· From the institution's alternative location to the TSPs' alternative location.
INFORMATION BACK-UP (Risk Category: Very Serious)
C.61 Whether back-ups of essential business information, such as production servers, critical network components, configuration back-ups, etc., are taken regularly.
C.62 Whether the backup media, along with the procedure to restore the backup, are stored securely and well away from the actual site.
C.63 Can data restoration be performed with the help of the documentation even by a person other than the one who backed up the data?
C.64 Are the persons responsible for data backup and restoration sufficiently trained?
C.65 Are data restoration exercises carried out periodically?
C.66 Whether the backup media are regularly tested to ensure that they can be restored within the time frame allotted in the operational procedure for recovery.
Ensure systems security
MANAGEMENT INFORMATION SECURITY FORUM [Risk Category: Very Serious]
C.67 Whether there is a management forum to ensure there is a clear direction and visible management support for security initiatives within the organisation.
IT SECURITY GUIDELINES AND PROCEDURES [Risk Category: Very Serious]
C.68 Does the organization have a detailed IT Security Guidelines and procedures manual?
C.69 Is there a process of reviewing and updating these manuals at periodic intervals?
ENDPOINT USAGE GUIDELINES [Risk Category: Very Serious]
C.70 Have Endpoint Use Guidelines been established?
C.71 How is compliance with the Endpoint Use Guidelines monitored?
C.72 Does every user have a copy of these Endpoint Use Guidelines?
SECURITY OF ELECTRONIC OFFICE SYSTEMS [Risk Category: Very Serious]
C.73 Whether there is an acceptable use policy to address the use of electronic office systems.
C.74 Whether there are any guidelines in place to effectively control the business and security risks associated with the electronic office systems.
DISABLING REMOVABLE DRIVES [Risk Category: Very Serious]
C.75 Has it been ensured that floppy disk / USB drives will generally be locked and can be accessed only through authorized use?
POWER SUPPLIES / UPS [Risk Category: Very Serious]
C.76 Is the equipment protected from power failures by multiple feeds, through uninterruptible power supply (UPS), backup generator etc.?
C.77 Are the required intervals for UPS maintenance being observed?
C.78 Is the effectiveness of the UPS system being tested on a regular basis?
C.79 If any failures due to the location occurred in the past, has remedial action been taken for the same?
C.80 Are generators available to protect against prolonged power loss, and are they in working condition?
GRANTING OF (SYSTEM/NETWORK) ACCESS RIGHTS [Risk Category: Very Serious]
C.81 Are the issue and the retrieval of access authorizations and access-granting means documented?
C.82 Is separation of functions being observed in the granting of access rights?
C.83 Are users being trained in the correct handling of access-granting means?
C.84 If use of access-granting means is logged, are such logs also analysed?
USER PASSWORD MANAGEMENT [Risk Category: Very Serious]
C.85 Is the allocation and reallocation of passwords controlled through a formal management process?
C.86 Are the users asked to sign a statement to keep the password confidential?
C.87 Have users been informed on how to handle passwords correctly?
C.88 Is the password quality controlled?
C.89 Are password changes mandatory?
C.90 Has every user been provided with a password?
C.91 Are there any fixed procedures relating to the escrow of passwords?
C.92 If yes, are the escrowed passwords complete and up-to-date?
C.93 Have provisions been made to ensure proper handling of escrowed passwords?
C.94 Is the system of password changes controlled on the basis of updating entries for escrowed passwords?
PASSWORD USE [Risk Category: Very Serious]
C.95 Are there any guidelines in place to guide users in selecting and maintaining secure passwords?
POLICY ON USE OF NETWORK SERVICES [Risk Category: Very Serious]
C.96 Does a policy exist that addresses concerns relating to networks and network services, such as: the parts of the network to be accessed; authorisation services to determine who is allowed to do what; and procedures to protect access to network connections and network services?
C.97 Are users provided with a standard configuration of workstations? If not, are deviations authorized and documented?
TERMINAL LOGON PROCEDURES [Risk Category: Very Serious]
C.98 Has it been ensured that access to the information system is attainable only via a secure log-on process?
C.99 Are machines configured to boot from hard drives?
C.100 Is there a BIOS password set for PCs to disable users from booting through CD drives?
C.101 Is the number of unsuccessful log-in attempts restricted?
C.102 Whether, after each unsuccessful log-in attempt, the waiting time until the next log-in prompt increases.
C.103 Are unsuccessful log-in attempts reported to the user?
C.104 Is access to the console protected by passwords or other means?
USER IDENTIFICATION AND AUTHORISATION [Risk Category: Very Serious]
C.105 Whether a unique identifier is provided to every user, such as operators, system administrators and all other staff including technical staff.
C.106 Whether generic user accounts are supplied under exceptional circumstances only, where there is a clear business benefit. Additional controls may be necessary to maintain accountability.
C.107 Whether the authentication method used substantiates the claimed identity of the user. Commonly used method: a password that only the user knows.
PASSWORD MANAGEMENT SYSTEM [Risk Category: Very Serious]
C.108 Whether there exists a password management system that enforces various password controls, such as individual passwords for accountability, enforcing password changes, storing passwords in encrypted form, not displaying passwords on screen etc.
TERMINAL TIMEOUT [Risk Category: Very Serious]
C.109 Whether inactive terminals in public areas are configured to clear the screen or shut down automatically after a defined period of inactivity.
LIMITATION OF CONNECTION TIME [Risk Category: Very Serious]
C.110 Whether there exists any restriction on connection time for high-risk applications. This type of set-up should be considered for sensitive applications for which the terminals are installed in high-risk locations.
USER REGISTRATION [Risk Category: Very Serious]
C.111 Whether there is any formal user registration and deregistration procedure for granting access to multi-user information systems and services. The creation of a user account must be approved by the business owner of the application in question or their nominee.
C.112 Are there standard rights profiles for different functions or tasks?
PRIVILEGE MANAGEMENT [Risk Category: Very Serious]
C.113 Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, i.e., privileges are allocated on a need-to-use basis and only after a formal authorisation process.
C.114 Are there any organisational procedures governing the designation of users or user groups?
C.115 Is there any program for the configuration of users or user groups?
C.116 Are there records of the authorized users and groups and their authorisation profiles?
REVIEW OF USER ACCESS RIGHTS [Risk Category: Very Serious]
C.117 Whether there exists a process to review user access rights at regular intervals. Example: special privilege review every 3 months, normal privileges every 6 months.
INFORMATION ACCESS RESTRICTION [Risk Category: Very Serious]
C.118 Whether access to applications by various groups/personnel within the organisation has been defined in the access control policy as per the individual business application requirement, and whether it is consistent with the organisation's information access policy.
MONITORING SYSTEM USE [Risk Category: Very Serious]
C.119 Whether procedures are set up for monitoring the use of information processing facilities. The procedure should ensure that users are performing only the activities that are explicitly authorized.
C.120 Whether the results of the monitoring activities are reviewed regularly.
UNAUTHORISED SOFTWARE [Risk Category: Very Serious]
C.121 Has a procedure for the authorisation and registration of software been laid down?
C.122 Has the ban on use of non-approved software been put in writing?
C.123 Have all staff members been informed of the ban?
C.124 What possibilities exist for the installation or use of unauthorised software?
C.125 Are checks carried out periodically on the software inventory?
ADMINISTRATOR FUNCTIONS [Risk Category: Very Serious]
C.126 To which persons is the supervisor password known?
C.127 Have administrator roles been divided up?
C.128 Are the authorisations assigned by the administrator randomly checked?
C.129 How frequently are logins and logouts using the administrator ID checked?
EVENT LOGGING [Risk Category: Very Serious]
C.130 Whether audit logs recording exceptions and other security-relevant events are produced and kept for an agreed period to assist in future investigations and access control monitoring.
REPORTING SECURITY WEAKNESSES [Risk Category: Very Serious]
C.131 Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services.
C.132 Are staff members informed in a suitable form of IT security incidents which have occurred either within the organisation or which have become public knowledge, and are they told how to avoid them?
DISCIPLINARY PROCESS [Risk Category: Very Serious]
C.133 Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures. Such a process can act as a deterrent to employees who might otherwise be inclined to disregard security procedures.
EQUIPMENT SITING PROTECTION [Risk Category: Very Serious]
C.134 Whether critical equipment is located in an appropriate place to minimize unnecessary access into work areas.
C.135 Whether the items requiring special protection were isolated to reduce the general level of protection required.
C.136 Whether controls were adopted to minimize risk from potential threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, electromagnetic radiation and flood.
C.137 Whether there is a policy towards eating, drinking and smoking in proximity to information processing services.
C.138 Whether environmental conditions which would adversely affect the information processing facilities are monitored.
C.139 Verify that heating, ventilation and air-conditioning systems maintain constant temperatures within the data center.
C.140 Verify that ground earthing exists to protect the computer systems. Ensure that power is conditioned to prevent data loss.
C.141 Is the server room designed as a closed secure area?
CABLING SECURITY [Risk Category: Procedural]
C.142 Whether the power and telecommunications cables carrying data or supporting information services are protected from interception or damage.
C.143 Whether there are any additional security controls in place for sensitive or critical information.
SECURITY OF NETWORK SERVICES [Risk Category: Very Serious]
C.144 Whether the organisation, using public or private network services, ensures that a clear description of the security attributes of all services used is provided.
C.145 Are all Internet connections routed through a firewall? Does a dedicated team manage the firewall? Are ports opened only on a "need to have" basis?
C.146 Is there an Intrusion Detection System (IDS) implemented?
C.147 Are the application and database servers kept separated from the web server in the de-militarized zone?
C.148 Is the de-militarized zone separated from the Internet cloud by means of a firewall?
C.149 If the de-militarized zone is connected to the Intranet, is it separated by a firewall?
C.150 Is the firewall rule base treated as sensitive information, and is knowledge of the same restricted to only authorized officials in the IT / Computer operations department?
C.151 Is the decision to open specific firewall ports/rule base approved in accordance with the IT Security Policy (the IT Security Policy should list out such ports)? E.g., firewalls should block unwanted ports running services such as ftp, telnet, SMTP, etc. into the de-militarized zone.
CLOCK SYNCHRONISATION [Risk Category: Procedural]
C.152 Whether the computer or communication device has the capability of operating a real time clock. If yes, has it been set to an agreed standard such as Coordinated Universal Time (UTC) or local standard time? The correct setting of the computer clock is important to ensure the accuracy of the audit logs.
UNATTENDED USER EQUIPMENT [Risk Category: Procedural]
C.153 Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection.
SENSITIVE SYSTEM ISOLATION [Risk Category: Procedural]
C.154 Whether sensitive systems are provided with an isolated computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.
SECURITY OF ELECTRONIC EMAIL [Risk Category: Procedural]
C.155 Whether there is a policy in place for the acceptable use of electronic mail, or whether the security policy addresses the issues with regard to the use of electronic mail.
C.156 Whether there are adequate procedures which require that all incoming e-mail messages be scanned for viruses to prevent virus infection of the network.
C.157 Have regulations governing file transfer and exchange of messages with external parties been established?
C.158 Are there formal rules based on which e-mail addresses are assigned?
C.159 Are security measures such as filtering and text search in emails implemented?
C.160 Is the criterion for e-mail filtering adequate? What are the procedures for changes in filtering parameters?
C.161 Have controls such as anti-virus checking, isolating potentially unsafe attachments, spam control, anti-relaying etc., been put in place to reduce the risks created by electronic mail?
CONTROL AGAINST MALICIOUS SOFTWARE [Risk Category: Serious]
C.162 Whether there exists any control against malicious software usage.
C.163 Whether the security policy addresses software licensing issues such as prohibiting usage of unauthorized software.
C.164 Whether there exists any procedure to verify that all warning bulletins are accurate and informative with regard to malicious software usage.
C.165 Whether antivirus software is installed on the computers to check for and isolate or remove any viruses from computers and media.
C.166 Whether this software's signatures are updated on a regular basis to check for the latest viruses.
C.167 Whether all the traffic originating from untrusted networks into the organisation is checked for viruses. Example: checking for viruses on email, email attachments and on web and FTP traffic.
C.168 Are periodic runs of a virus detection program configured?
C.169 Are there occasional checks as to whether updates have been performed? Have the results been documented?
C.170 Is a virus scanning program used when exchanging data media and during data transmission? Is anti-virus auto-scanning enabled to check CDs and floppies?
C.171 Are received files and data media checked for virus infection before being imported?
REMOTE DIAGNOSTIC PORT PROTECTION [Risk Category: Procedural]
C.172 Whether access to diagnostic ports is securely controlled, i.e., protected by a security mechanism.
SEGREGATION IN NETWORKS [Risk Category: Very Serious]
C.173 Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls.
NETWORK CONNECTION PROTOCOLS [Risk Category: Very Serious]
C.174 Whether there exists any network connection control for shared networks that extend beyond the organisational boundaries. Example: electronic mail, web access, file transfers, etc.
NETWORK ROUTING CONTROL [Risk Category: Procedural]
C.175 Are changes to the network configuration documented?
C.176 Is the system administrator the only person who is able to change the configuration?
C.177 Is the system administrator the only person who is able to read the network log files?
SECURITY OF MEDIA IN TRANSIT [Risk Category: Procedural]
C.178 Whether security of media while in transit has been taken into account.
C.179 Whether the media is well protected from unauthorised access, misuse or corruption.
ELECTRONIC COMMERCE SECURITY [Risk Category: Procedural]
C.180 Whether electronic commerce is well protected and controls are implemented to protect against fraudulent activity, contract dispute and disclosure or modification of information.
C.181 Whether security controls such as authentication and authorisation are considered in the e-commerce environment.
C.182 Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.
USER AUTHENTICATION FOR EXTERNAL CONNECTIONS [Risk Category: Procedural]
C.183 Whether there exists any authentication mechanism for challenging external connections. Examples: cryptography-based techniques, hardware tokens, software tokens, challenge/response protocols etc.
FIRE DETECTION AND PREVENTION CONTROLS [Risk Category: Serious]
C.184 Are fire detection measures, such as fire alarms, adequate and available?
C.185 Has staff been informed of the location of hand-held fire extinguishers?
C.186 Can the hand-held fire extinguishers actually be accessed in case of a fire?
C.187 Is training provided for the use of hand-held fire extinguishers?
C.188 Are hand-held fire extinguishers regularly inspected and maintained?
C.189 Is the fire alarm system checked periodically to ensure that it is working properly?
C.190 Have all staff been informed of the steps to be taken in the event that an alarm goes off?
C.191 Is there an adequate number of fire extinguishers (generally one for every 50 sqft of area)?
C.192 · Is a fire suppression system in place consisting of fire extinguishers and sprinklers?
· Are they in working order and being monitored?
Manage the configuration
CONTROL OF TECHNICAL VULNERABILITIES
C.193 · Whether timely information about technical vulnerabilities of the information systems being used is obtained.
· Whether the organization's exposure to such vulnerabilities is evaluated and appropriate measures are taken to mitigate the associated risk.
SAFEGUARDING OF ORGANISATIONAL RECORDS [Risk Category: Very Serious]
C.194 Whether important records of the organisation are protected from loss, destruction and falsification.
DISPOSAL OF MEDIA [Risk Category: Very Serious]
C.195 Whether media that are no longer required are disposed of securely and safely.
C.196 Whether disposal of sensitive items is logged where necessary in order to maintain an audit trail.
SECURE DISPOSAL OR RE-USE OF EQUIPMENT [Risk Category: Very Serious]
C.197 Whether storage devices containing sensitive information are physically destroyed or securely over-written.
INFORMATION HANDLING PROCEDURES [Risk Category: Procedural]
C.198 Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as information protection from unauthorised disclosure or misuse?
DATA MANAGEMENT [Risk Category: Procedural]
C.199 Are the persons responsible for the exchange of data media familiar with the process of physical erasure?
MANAGEMENT OF REMOVABLE MEDIA [Risk Category: Procedural]
C.200 · Whether procedures exist for the management of removable media, such as tapes, disks, cassettes, memory cards, and reports.
· Whether all procedures and authorization levels are clearly defined and documented.
BUSINESS INFORMATION SYSTEMS [Risk Category: Procedural]
C.201 Whether policies and procedures have been developed and enforced to protect information associated with the interconnection of business information systems.
Manage the physical environment
PHYSICAL SECURITY PERIMETER [Risk Category: Serious]
C.202 · Are the physical border security facilities implemented adequate to protect the information processing service? Some examples of such security facilities are: card control for the entry gate, walls, manned reception etc.
· Are visitors required to record their entry inside the premises in a separate register?
· Are details of their possessions recorded and verified at the time of their exit from the premises?
· Are cameras disallowed inside the premises?
C.203 · Do the data center's exterior lighting and building orientation provide a secure environment?
· Data centers should be anonymous. Ensure that there is no signage or listing in directories.
SECURING OFFICES, ROOMS AND FACILITIES [Risk Category: Serious]
C.204 Whether the rooms which house the information processing service:
· are locked;
· have lockable cabinets;
· have safes.
C.205 Whether the information processing service is protected from natural and man-made disaster by means such as raised floors, good exterior walls or other suitable, acceptable infrastructure.
C.206 Whether there is any potential threat from neighboring premises.
C.207 Ensure that the water alarm system is configured to detect water in high-risk areas of the data center.
C.208 Ensure that a burglar alarm is protecting the data center from physical intrusion.
C.209 Are there adequate controls over modems and other dial-up devices for employees and visitors (data cards, etc.)?
C.210 Ensure that surveillance systems (CCTV) are designed and operating properly.
PHYSICAL ENTRY CONTROLS [Risk Category: Serious]
C.211 Are entry controls in place to allow only authorised personnel into the various areas within the organisation?
C.212 Is there a practice of supervising or escorting outside staff/visitors?
REMOVAL OF PROPERTY [Risk Category: Serious]
C.213 Whether equipment, information or software can be taken off-site without appropriate authorisation.
PROTECTING AGAINST EXTERNAL AND ENVIRONMENTAL THREATS [Risk Category: Serious]
C.214 Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster has been designed and applied.
D Maintain IT Monitoring and Compliance
COMPLIANCE WITH SECURITY POLICIES AND STANDARDS [Risk Category: Serious]
D.1 · Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
· Do managers regularly review the information processing facilities within their area of responsibility for compliance with the appropriate security policy and procedure?
ADMINISTRATOR AND OPERATOR LOGS [Risk Category: Serious]
D.2 · Whether system administrator and system operator activities are logged.
· Whether the logged activities are reviewed on a regular basis.
TECHNICAL COMPLIANCE CHECKING [Risk Category: Serious]
D.3 · Whether information systems are regularly checked for compliance with security implementation standards.
· Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized personnel.
INFORMATION SYSTEMS AUDIT CONTROLS [Risk Category: Serious]
D.4 · Whether audit requirements and activities involving checks on operational systems have been carefully planned and agreed to minimise the risk of disruptions to business processes.
· Whether the audit requirements and scope are agreed with appropriate management.
Application and logical access controls [Risk Category: Very Serious]
Name of the application used for investment operations:
D.5 Obtain a list of valid user IDs at the location and:
· Reconcile active users to those present in the location as per the attendance rolls.
· Validate the user work class against the designation of the users at the location.
· Verify if concurrent auditors have been provided with only view access.
· Check for users with a maximum inactive time greater than 10 minutes.
· Check for users with a password expiry date greater than 40 days from the current day.
· For user IDs that have been disabled, check whether this was done immediately after their names were removed from the attendance register. In case any delay is noticed between the time of removal from the attendance register and the actual date of disabling the user ID, report the same.
Are there any discrepancies in the above?
D.6 Are access privileges defined for each user as per the designation?
D.7 Whether the user IDs of employees who have been transferred, or have retired/resigned, are deleted from the application.
D.8 · Whether the application logs out the user after 5 minutes of inactivity.
· Whether the system forces the user to change the initial password given by the system manager.
· Whether users acknowledge receipt of the password on the register maintained for the purpose.
D.9 Whether users log off the application whenever they leave the work place for a break.
D.10 · Check that all user accounts are identifiable to a user and that generic user IDs, which cannot be attributed to any individual, are not allowed.
· Check that all default vendor accounts shipped with the application have been disabled.
D.11 Is the user ID temporarily suspended when staff members are out on training/outstation assignment and the user ID will remain inactive for a certain number of days?
D.12 Whether an undertaking for maintaining the secrecy and confidentiality of the password has been obtained from every user and preserved.
D.13 Whether super user passwords are changed immediately after they are used by support persons for rectification of problems, and whether this usage is documented.
D.14 Whether every user has only one identifiable user ID and no user has been given more than one user ID.
D.15 Whether super user passwords (for applications hosted at the location) are confined to the systems manager only and the same are kept with the location in-charge in a sealed cover.
D.16 Password Security:
· Whether the users change their password periodically.
· Does the application force the user to set an alphanumeric password?
· Is the minimum length of the password set to 8 characters?
· Whether password entry is disabled after three unsuccessful log-on attempts.
· Whether the system forces the users to change their password after 40 days from the date of last creation / modification.
· Whether password history is maintained by the application.
From transaction records, day-end reports or audit trails, perform a sample check to verify if a user ID has been used on any day when the user is on leave.
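As an added example (not part of the guide), the following Python automates the D.5 user-ID reconciliation and the D.16 password-parameter and leave-day checks over a constructed extract of an application's user master and transaction log. The record field names, the designation-to-work-class mapping and the export layout are assumptions; the thresholds (10 minutes, 40 days, 8 characters, three attempts) are those stated in items D.5 and D.16.

```python
"""Checks for items D.5 and D.16 over a constructed user-master extract (added example)."""
from datetime import date, timedelta

# Constructed sample data; field names are assumptions about an export format.
TODAY = date(2014, 4, 15)
USERS = [
    {"id": "U001", "active": True, "designation": "Dealer", "work_class": "Dealer",
     "access": "modify", "max_idle_min": 10, "pwd_expiry": date(2014, 5, 10),
     "disabled_on": None},
    {"id": "U002", "active": True, "designation": "Concurrent Auditor",
     "work_class": "Auditor", "access": "modify", "max_idle_min": 30,
     "pwd_expiry": date(2014, 4, 30), "disabled_on": None},
    {"id": "U003", "active": True, "designation": "Dealer", "work_class": "Settlements",
     "access": "modify", "max_idle_min": 10, "pwd_expiry": date(2014, 7, 1),
     "disabled_on": None},
    {"id": "U004", "active": False, "designation": "Dealer", "work_class": "Dealer",
     "access": "modify", "max_idle_min": 10, "pwd_expiry": date(2014, 4, 20),
     "disabled_on": date(2014, 4, 12)},
]
ATTENDANCE_ROLL = {"U001", "U002"}          # IDs on the current attendance roll
ROLL_REMOVALS = {"U004": date(2014, 4, 1)}  # ID -> date struck off the roll
EXPECTED_CLASS = {"Dealer": "Dealer", "Concurrent Auditor": "Auditor"}  # assumed mapping

# Thresholds as stated in D.5 and D.16.
MAX_IDLE_MIN = 10
MAX_PWD_AGE_DAYS = 40
MIN_PWD_LENGTH = 8
MAX_FAILED_LOGONS = 3


def reconcile_users(users, roll, removals, today):
    """D.5: return (item, user_id, finding) tuples, one per discrepancy."""
    findings = []
    for u in users:
        uid = u["id"]
        if u["active"]:
            if uid not in roll:
                findings.append(("D.5", uid, "active but not on attendance roll"))
            expected = EXPECTED_CLASS.get(u["designation"])
            if expected and u["work_class"] != expected:
                findings.append(("D.5", uid, "work class does not match designation"))
            if u["designation"] == "Concurrent Auditor" and u["access"] != "view":
                findings.append(("D.5", uid, "concurrent auditor not restricted to view access"))
            if u["max_idle_min"] > MAX_IDLE_MIN:
                findings.append(("D.5", uid, "inactive time limit exceeds 10 minutes"))
            if u["pwd_expiry"] > today + timedelta(days=MAX_PWD_AGE_DAYS):
                findings.append(("D.5", uid, "password expiry more than 40 days away"))
        removed_on = removals.get(uid)
        if removed_on is not None:
            # Disabling must follow removal from the register without delay.
            if u["disabled_on"] is None:
                findings.append(("D.5", uid, "struck off roll but ID still enabled"))
            elif u["disabled_on"] > removed_on:
                delay = (u["disabled_on"] - removed_on).days
                findings.append(("D.5", uid, f"disabled {delay} days after roll removal"))
    return findings


def check_password_parameters(params):
    """D.16: compare the application's password settings with the guide's values."""
    findings = []
    if params.get("min_length", 0) < MIN_PWD_LENGTH:
        findings.append("minimum length below 8 characters")
    if not params.get("alphanumeric"):
        findings.append("alphanumeric passwords not enforced")
    if params.get("lockout_after", float("inf")) > MAX_FAILED_LOGONS:
        findings.append("lockout not triggered after 3 failed log-ons")
    if params.get("max_age_days", float("inf")) > MAX_PWD_AGE_DAYS:
        findings.append("forced change interval longer than 40 days")
    if not params.get("history"):
        findings.append("password history not maintained")
    return findings


def usage_on_leave(transactions, leave):
    """D.16 sample check: (user_id, date) pairs where an ID transacted on a leave day."""
    return sorted(set(transactions) & set(leave))


# Constructed sample inputs for the D.16 checks.
WEAK_PARAMS = {"min_length": 6, "alphanumeric": False, "lockout_after": 5,
               "max_age_days": 90, "history": False}
LEAVE_REGISTER = {("U001", date(2014, 4, 2)), ("U003", date(2014, 4, 8))}
TRANSACTIONS = [("U001", date(2014, 4, 2)), ("U001", date(2014, 4, 3)),
                ("U002", date(2014, 4, 8))]

if __name__ == "__main__":
    for item, uid, text in reconcile_users(USERS, ATTENDANCE_ROLL, ROLL_REMOVALS, TODAY):
        print(f"{item} {uid}: {text}")
    print("D.16 parameter gaps:", check_password_parameters(WEAK_PARAMS))
    print("D.16 used on leave:", usage_on_leave(TRANSACTIONS, LEAVE_REGISTER))
```

On the sample data the reconciliation reports six discrepancies (U002 and U003 on access, idle time, work class, roll and expiry; U004 for an 11-day disabling delay) and none for U001.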
ENFORCED PATH [Risk Category: Procedural]
D.17 Whether there is any control that restricts the route between the user terminal and the designated computer services the user is authorised to access, for example an enforced path to reduce the risk.
NODE AUTHENTICATION [Risk Category: Procedural]
D.18 Whether connections to remote computer systems that are outside the organisation's security management are authenticated. Node authentication can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility.
NETWORK TESTS [Risk Category: Serious]
D.19 Is it ensured that products/services that use the Internet for connectivity or communications have undergone a successful penetration test prior to production implementation?
D.20 Is there a penetration test process that ensures that modifications to a product/service that uses the Internet for connectivity or communication have been reviewed to determine whether a subsequent penetration test is warranted?
D.21 Is there an intrusion detection system in place for all the external IP connections?
ON-LINE TRANSACTIONS [Risk Category: Serious]
D.22 Whether information involved in online transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Annexure D
APPLICATION CONTROLS CHECKLIST
IRDA Regulations
Columns: S. No. | Area or Sub Area | IRDA Requirement (extracted from its circulars; refer columns 2 and 3) | Auditor's Observation (Yes / No: complies with the regulation; Comments)
Please check the parameterisation and configuration of the application related to these requirements. Screen shots may be taken as evidence. Any non-compliance is treated as "Very Serious".
1 | Functional Overall | The Investment System should have separate modules for Front, Mid and Back Office with separate login.
2 | Segregation of Shareholders' & Policyholders' funds | (1) In the case of a Life Insurer, each individual fund (SFIN in the case of ULIP), both falling under Shareholders' / Policyholders' funds, under any class of business, has 'scrip' level investments (except in the case of General Insurance Companies) to comply with the provisions of Section 11(1B) of the Insurance Act, 1938. (2) Furthermore, the Shareholders' funds beyond the Solvency Margin, to which the pattern of Investment will not apply, shall have a separate custody account with identified scrip for both Life and General Insurance Companies.
3 | - | To ensure business continuity, the Insurer should have a clear off-site backup of data in a city falling under a different Seismic Zone, either on his own or through a Service Provider. Further, the Insurer / service provider (if outsourced) is required to have the necessary infrastructure for Mission Critical Systems to address at least the following: 1. Calculation of daily NAV (fund wise); 2. Redemption processing.
4 | - | System based checks should be in place for investments in an Investee Company, Group, Promoter Group and Industry Sector. The system should signal when the Internal / Regulatory limits are nearly reached PRIOR to taking such exposure and making the actual investment.
5 Functional Transfer of data from
Overall Front Office to Back
Office should be
electronic without
Manual intervention
(Real time basis) i.e.,
without re-entering
data at Back Office.
6 Functional All Investment
Overall Systems to be
seamlessly integrated
without manual
intervention.
7 The Insurer may have
multiple Data Entry
Systems, but all such
Systems should be
seamlessly integrated
without manual
intervention.
8 Functional - Audit trail to be
Overall available for all data
entry points including
at the Checker /
Authorizer level
9 Functional - Maker Checker
Overall process to be enforced
10 Functional - System based checks
Overall to be in place for
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
investments as per
Internal / Regulatory
limits PRIOR to taking
such exposure and
making actual
investment.
11 Inter-Fund transfer
capability
12 Inter-Fund transfer
capability - Non
Switching between
Traditional and Unit
Linked Funds
13 Functional - The system to be
Overall capable of computing
various portfolio
returns
14 The System should
handle Inter Fund
transfer as per Circular
IRDA-FA-02-10-2003-
04. The Investment
Committee may fix the
Cut Off time as per
Market practice, for
such transfer within
the fund. (The inter
fund transfer should be
like any other Market
deal and the same
needs to be carried out
with in the Market
hours only)
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
15 Functional - System to perform
Overall regular limits
monitoring and
Exception Reporting.
Also reporting on
movement of prices.
16 Functional - Cash Management
Overall System should provide
the funds available for
Investment considering
the settlement
obligations and
subscription and
redemption of units
17 Functional - The System to be
Overall validated not to accept
any commitment
beyond availability of
funds.
18 Functional - The System to be
Overall validated to restrict
Short Sales at the time
of placing the order
19 Functional - The Investment
Overall System to capture
Instrument Ratings to
enable it to
automatically generate
FORM 2 (Statement of
Downgraded
Investments) through
the System.
20 Functional - The Investment
Overall System to capture
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
Instrument Ratings to
enable it to
automatically generate
FORM 2 (Statement of
Downgraded
Investments) through
the System.
21 Functional - The System to have
Overall the ability to track
changes in ratings
over a period &
generate appropriate
alerts, along with
ability to classify
investment between
Approved and Other
Investments
22 Functional - Track of movement of
Overall Securities between
Approved and Other
Investments Status, as
a part of Audit trail, at
individual security
level
23 Functional - The System should
Overall have key limits preset
for ensuring
compliance with all
Regulatory
requirements and
should be supported
by workflow through
the System, (Real time
basis) for such
approval, if Regulatory
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
limit is close to be
breached
24 Functional - The System to have
Overall capability of
generating Exception
reports for Audit by
Internal / Concurrent
Auditor The System
should have capability
of generating
Exception reports for
Audit by Internal /
Concurrent Auditor
25 Functional - System to
Overall automatically track and
report all internal limits
breaches. All such
breaches should be
audited by Internal /
Concurrent Auditor.
26 Functional - The system to be
Overall validated in such a
way, that the Deal can
only be rejected by the
Back Office & NOT
edited
27 The System to be
capable of computing
NAV
28 The System should be
capable of computing
NAV and compare it
with the NAV
computed by the
Service provider, if
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
outsourced.
29 The Insurer should
maintain NAV history
(Fund wise) in his
Public Domain from
the Start of the Fund to
Current Date.
30 Functional - Method of computing
Overall NAV should be in line
with IRDA regulations
31 Methodology Every Purchase, Sale
of Operating of Investment, Income
Segregated on Investment
Fund' (including Corporate
Action) shall be
identified with
reference to the
particular `Segregated
Fund' and accounted
for.
32 Methodology Every `Deal Slip' shall
of Operating be identified with
Segregated reference to the
Fund' `segregated fund'
along with `Segregated
Fund Identification
Number "SFIN" for
such Segregated Fund
and the respective
`sub-code' of Custody
and the respective
Bank Account.
33 Units Unit Report shall be
Creation / reconciled with the
Investment Accounting
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
Redemption System's Creation /
Redemption Report,
after booking of unit
capital entries
34 Units Units created on a
Creation / `day-to-day' basis
Redemption (including switches),
shall be backed by
`segregated fund wise'
Investment assets. In
other words, the value
/ amount for which
Units are created for
the particular day (at
the prevailing NAV, at
the opening of the day,
of the respective fund),
should be equivalent
to the premium receipt
(net of switches) less
applicable charges and
other outflows such as
benefits paid,
surrenders and
foreclosures in
excluding applicable
charges of the
`respective segregated
fund'.
35 Security 1. Equity Investments
Master Based on the inputs
Creation from treasury: the
investment back-office
shall create Security
Masters in the system
(linked via NSE/BSE
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
codes) and the same
shall be validated by
the Mid-Office. The
procedure includes
documentation of
supporting and
supervisory sign off.
36 Security 2. Debt Investments:
Master Security masters for
Creation debt Instruments are
prepared on the basis
of Information
memorandum in case
of primary and
secondary market
deals by the Back
Office. The procedure
includes
documentation of
supporting and
supervisory sign off.
37 Primary 1. Booking of Primary
Market Deals Market Deals:Debt
/ IPO Primary Market Deals
shall be booked on the
date of application,
and on the date of
allotment the
Securities will be
reflected in the
Investment Accounts
38 Primary 2. Booking of Equity
Market Deals IPO:
/ IPO Equity Investments
shall be accounted on
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
the date of application
for IPO Issue as
`Application Money'
and on the date of
allotment the allotted
Shares shall be
reflected in the
Investment accounts.
39 Secondary 1. Debt DealsAll Debt
Market Debt / securities as
Equity Deal categorised in
Authorization IRDA/GLN/001/2003-
04 Categories of
Investments, as
amended from time to
time, shall be executed
with counterparties
and reported on NSE /
BSE / FIMMDA
reporting platform and
the same shall be
confirmed with
counterparties. The
deals shall be
authorised in the
investment system and
the trade files /
information shall be
sent to custodian /
other online settlement
systems as recognised
by any financial
regulator for
settlement.
40 Secondary 2. Equity Deals - STP
Market Debt / (Straight Through
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
Equity Deal Process)
Authorization Reconciliation:
All Secondary Market
equity deals shall be
put through the STP
module in the
investment system.
The dealer shall put
though the deal in the
investment system
after concluding the
transaction. The deal
would then flow to the
back office which
would be compared
with the input details
and the STP file
received from broker.
If all details match, the
transaction would be
authorised in the
system for settlement.
41 Secondary 2. Equity Deals - STP
Market Debt / (Straight Through
Equity Deal Process)
Authorization Reconciliation
Custodian /Broker
settlement:
After STP
reconciliation the
equity trade files ISO
files shall be sent to
custodian and broker
houses through STP.
42 Secondary All deals shall be
Market Debt / recorded on trade date
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
Equity Deal accounting basis.
Authorization
43 Settlement 1. Equity (Sale) - (as
Process per Exchange
Compliance Norms,
Currently T+2):
Bank settlement (trade
receivables) entries
shall be passed for
trades settling on
current day.
44 Settlement 2. Equity (Purchase) -
Process (as per Exchange
Compliance Norms,
Currently T+1):
Bank settlement (trade
payables) entries shall
be passed for trades
settling on current day.
It may also be settled
on T+2 basis, if the
company had
deposited margin
money with the
exchanges as required
for equity settlement.
45 Settlement 3. Debt (purchase/
Process Sale) - (as per
Exchange Compliance
Norms, Currently T+1):
Bank settlement (trade
payables/receivables)
entries shall be passed
for trades settling on
current day. Corporate
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
Debt deals dealt on
T+0 basis shall be
settled on T+0 basis.
46 Settlement 4. Money market
Process transactions & Non-
SLR - (as per
Exchange Compliance
Norms, Currently T+1):
Bank settlement (trade
payables/receivables)
entries shall be passed
for trades settling on
current day. Money
market transactions
excluding treasury bills
could also be dealt
and settled on T+O
basis.
47 Settlement 5. Reverse Repo
Process withdrawal:
Reverse Repo
maturities shall be
posted in bank
accounts
48 Settlement 6. Brokerage
Process Payments:
Brokerage Payment
shall be settled in
Bank
49 Corporate 2. Debt: The insurer
Action shall configure their
Investment System for
details of interest
receivable and
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
redemption dates.
Further, details of
interest receivable and
redemption can also
be obtained from the
custodian / other
online settlement
systems as recognised
by any financial
regulator.
50 Valuation Valuation of securities
Process shall be in line with the
INV/CIR/020/2008-09
Point. G Statement
of Investment
Reconciliation -
Annexure 2.
51 Valuation The Insurer shall close
Process the Investment Front
Office system for
transactions at 5.30
PM. The Concurrent
Auditor shall confirm
the compliance of this
requirement in their
quarterly report to the
Board of Directors .
52 Charges - Fund Management
Fund Charges (FMC)
Management including service tax
Charges shall be `accounted' for
on a day-to-day basis
in the investment
accounting system.
The actual transfer of
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
accumulated FMC
shall be done at the
end of the month.
53 Charges - Dealing costs including
Dealing brokerage, securities
costs transaction tax and
service tax shall be
adjusted in the cost of
investments.
54 NAV The NAV of the
Computation Segregated FUND
shall be computed as
Market Value of
investment held by the
fund + Value of
Current Assets Value
of Current Liabilities &
Provisions, if any
DIVIDED BY Number
of Units existing on
Valuation Date
55 NAV Number of units
Computation derived from the
investment accounting
system shall be
reconciled on a day to
day basis with the
policy admin system
56 `NAV' error All expenses and
Computation incomes accrued up to
& the Valuation date
Compensation shall be considered for
computation of NAV.
For this purpose, while
major expenses like
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
management fees and
other periodic
expenses should be
accrued on a day to
day basis, other minor
expenses and income
can be accrued on a
weekly basis, provided
the non-accrual does
not affect the NAV
calculations by more
than 1%.
57 Functional - System to have
Overall capability to upload
Corporate Actions
such as Stock Splits,
Dividend, Rights Issue,
Buy Back, Bonus
issues etc., for
computation of NAV /
Portfolio valuation
58 Functional - Ability to have
Overall Segregation of
Shareholders &
Policyholders' funds
59 Ability to maintain
Fund wise
60 Functional - The Systems to have
Overall the capability of
providing alerts on
transaction to
transaction basis, its
"current" level of
exposure BEFORE
taking further
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
exposure.
61 Functional - Investment valuation
Overall methodology as per
IRDA circular for
different asset
categories
62 Functional - Investment Category
Overall Handling for different
categories
63 Functional - NAV Error handling
Overall
64 Functional - IRDA forms to be
Overall directly generated from
the system
65 Functional - Capability to compute
Overall Yield on investment for
quarter / yearly basis
66 Functional - NPA computation and
Overall classification
67 Security Access to information
Issues - system should be only
Application via a secure log-on
security process.
controls
68 ULIP `Deal Slip' to be
Business identified with
reference to the
`segregated fund'
along with `Segregated
Fund Identification
Number "SFIN" for
such Segregated
Fund(s) and the
respective `sub-code'
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
of Custodian and the
respective Bank
Account
69 ULIP Every Purchase, Sale
Business of Investment, Income
on Investment
(including Corporate
Action) shall be
identified with
reference to the
particular `Segregated
Fund'
70 ULIP Daily Report of
Business `Subscription &
Redemptions' received
from the Policy Admin
System (PAS) to be
uploaded [without
manual intervention
through process
integration] in the
Investment Accounting
System
71 ULIP Units created on a
Business 'day-to-day' basis
(including switches),
shall be backed by
'segregated fund wise'
Investment assets. In
other words, the value
/ amount for which
Units are created for
the particular day (at
the prevailing NAV,
applicable for the day,
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
of the respective fund),
should be equivalent
to the premium receipt
(net of switches) less
applicable charges and
other outflows such as
benefits paid,
surrenders and
foreclosures in
excluding applicable
charges of the
'respective segregated
fund'.
72 ULIP All Debt securities as
Business categorized shall be
executed with
counterparties and
reported on NSE / BSE
/ FIMMDA reporting
platform and the same
shall be confirmed with
counterparties.
The deals to be
authorized in the
investment system and
the trade files /
information shall be
sent to custodian /
other online settlement
systems as recognized
by any financial
regulator for
settlement
73 ULIP All Secondary Market
Business equity deals shall be
put through the STP
Technical Guide
S. Area or Sub IRDA R equirem ent Auditor's O bserv ation
No. A rea (Extracted from its Y es- No Comments
Circulars) (refer C o m plies
columns 2 and 3) with the
regu lation
module in the
investment system.
74 All Equity deals should
be through STP
gateway for all broker
transactions.
75 ULIP The insurer to
Business configure their
Investment System for
details of interest
receivable and
redemption dates.
76 ULIP Accounting of coupon
Business payments,
redemption/maturities
for debt investments
shall be automatically
triggered by the
system, based on the
interest payment dates
and maturity dates
defined in the security
masters created for
'each' security.
77 ULIP Investment Front
Business Office system should
close for transactions
at 6.00 PM.
78 ULIP The Investment Trial
Business Balance, in respect of
each `Segregated
Fund' with clear link to
SFI + is generated
through the system.
|
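Items 4, 10, 23, 26 and 60 of the checklist describe one application control: the system evaluates a proposed deal against investee, group and sector limits before any exposure is taken, alerts when a limit is nearly reached, and lets the Back Office authorise or reject the deal but never edit it, with every step left in the audit trail (items 8 and 9). The following Python sketch is an added illustration of that control for an auditor's reference, not IRDA's or any insurer's code; the 90% warning threshold, the limit dimensions, the user names and all amounts are constructed assumptions.

```python
"""Pre-trade exposure limit check with near-limit alert, maker-checker and audit trail.
Added illustration only; WARN_RATIO, the limit keys and all amounts are assumptions."""
from dataclasses import dataclass, field

WARN_RATIO = 0.90  # assumption: alert once post-deal exposure reaches 90% of a limit


@dataclass
class ExposureBook:
    # limits and exposure are keyed by (dimension, name), e.g. ("investee", "ABC Ltd")
    limits: dict
    exposure: dict = field(default_factory=dict)
    audit_trail: list = field(default_factory=list)  # append-only record of who did what

    def pre_trade_check(self, keys, amount):
        """Evaluate a proposed deal BEFORE any exposure is booked (checklist items 4, 10, 60).
        Returns (status, notes): "OK", "WARN" (a limit is nearly reached) or "BLOCK"."""
        blocked, warned, notes = False, False, []
        for key in keys:
            limit = self.limits.get(key)
            if limit is None:
                continue  # no limit configured on this dimension
            post = self.exposure.get(key, 0.0) + amount
            if post > limit:
                blocked = True
                notes.append(f"{key}: {post:.0f} would exceed limit {limit:.0f}")
            elif post >= WARN_RATIO * limit:
                warned = True
                notes.append(f"{key}: {post:.0f} reaches {WARN_RATIO:.0%} of limit {limit:.0f}")
        return ("BLOCK" if blocked else "WARN" if warned else "OK"), notes

    def book_deal(self, maker, checker, keys, amount):
        """Maker-checker flow (items 9, 23, 26): the checker authorises or rejects the
        proposed deal exactly as entered; there is deliberately no path to edit it."""
        if maker == checker:
            raise PermissionError("checker must be a different user from the maker")
        status, notes = self.pre_trade_check(keys, amount)
        self.audit_trail.append((maker, "PROPOSE", tuple(keys), amount, status))
        if status == "BLOCK":
            self.audit_trail.append((checker, "REJECT", tuple(keys), amount, "; ".join(notes)))
            return False
        for key in keys:  # exposure is taken only after authorisation
            self.exposure[key] = self.exposure.get(key, 0.0) + amount
        self.audit_trail.append((checker, "AUTHORIZE", tuple(keys), amount, status))
        return True


def demo():
    """Constructed scenario (names and amounts are made up): one investee, its promoter
    group and its industry sector each carry a limit; the group already stands at 120 of 150."""
    book = ExposureBook(
        limits={("investee", "ABC Ltd"): 100.0, ("group", "ABC Group"): 150.0,
                ("sector", "Power"): 400.0},
        exposure={("investee", "ABC Ltd"): 10.0, ("group", "ABC Group"): 120.0})
    keys = [("investee", "ABC Ltd"), ("group", "ABC Group"), ("sector", "Power")]
    first = book.book_deal("dealer1", "backoffice1", keys, 25.0)   # group -> 145: WARN, booked
    second = book.book_deal("dealer1", "backoffice1", keys, 10.0)  # group -> 155: BLOCK, rejected
    return first, second, book
```

The audit trail after `demo()` shows the PROPOSE / AUTHORIZE pair for the first deal and the PROPOSE / REJECT pair for the second, which is the evidence an auditor would look for against items 8 and 26.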