Latest Expert Exchange Queries
sitemapHome | Registration | Job Portal for CA's | Expert Exchange | Currency Converter | Post Matrimonial Ads | Post Property Ads
 
 
News shortcuts: From the Courts | News Headlines | VAT (Value Added Tax) | Service Tax | Sales Tax | Placements & Empanelment | Various Acts & Rules | Latest Circulars | New Forms | Forex | Auditing | Direct Tax | Customs and Excise | ICAI | Corporate Law | Markets | Students | General | Indirect Tax | Mergers and Acquisitions | Continuing Prof. Edu. | Budget Extravaganza | Transfer Pricing
 
 
 
 
Popular Search: VAT Audit :: Central Excise rule to resale the machines to a new company :: cpt :: ICAI offer Get Windows 7,Office 2010 in Rs.799 Taxes :: VAT RATES :: form 3cd :: list of goods taxed at 4% :: TAX RATES - GOODS TAXABLE @ 4% :: articles on VAT and GST in India :: ACCOUNTING STANDARDS :: ACCOUNTING STANDARD :: due date for vat payment :: ARTICLES ON INPUT TAX CREDIT IN VAT :: TDS :: empanelment
 
 
ICAI »
  Syllabus for the Limited Insolvency Examination on 31st December, 2016 to become Insolvency Professional
 Extension of last date for submission of application forms for Information Systems Audit-Assessment Test (ISA-AT), upto 10th December 2016.
 Four Weeks Residential Programme to be held from 28th January, 2017 to 24th February, 2017 at Centre of Excellence, Hyderabad for Women Participants only.
 CPE Events 5th December - 10th December 2016
 Here's how your employer can help you save tax
 Introduction of facility for online submission of requests for issue of duplicate mark sheets/pass certificates.
 ICAI invites suggestions on revised Model GST Law
 Guidance Note on Reports in Company Prospectuses (Revised 2016) issued by the Auditing and Assurance Standards Board
 President's Message - December 2016
 Ind AS Transition Facilitation Group (ITFG) Clarification Bulletin 6
 Announcement regarding registration as an Insolvency Professional with the Indian Institute of Insolvency Professionals of ICAI

Inviting comments on the basic draft of the "Relevance of Information Systems Audit in Insurance Sector" (Comments to be received by 30th April 2014) by email at cobip@icai.in
April, 16th 2014
             Inviting comments on
                 the Basic draft
                       on
          Relevance of
  Information Systems Audit in
        Insurance Sector
       (Last date for comments: April 30th April 2014)
Comments should be submitted in writing to the Secretary,
Committee on Banking, Insurance and Pension, The Institute of
Chartered Accountants of India, ICAI Bhawan, Indraprastha Marg,
New Delhi -110002, so as to be received not later than April 30th,
2014. Comments can also be sent by email to cobip@icai.in




                                                                 i
                                                             Contents

I          Introduction ­ IT Governance ..........................................................................................................1
           a.          Insurance ...............................................................................................................................1
           b.          IT Governance .......................................................................................................................5
II         State of Information Systems in Insurance Industry........................................................................7
III        Regulatory framework for Information Systems in Insurance.......................................................11
           a.          The Insurance Act 1938.......................................................................................................11
           b.          Regulations issued by IRDA (Insurance Regulatory and Development Authority) .............11
           c.      The Information Technology Act 2000....................................................................................13
           d.          Prevention of Money Laundering Act .................................................................................14
IV         Information Systems Audit in Insurance Sector.............................................................................15
           a.          IT Governance .....................................................................................................................15
      1.        Strategic Alignment.....................................................................................................................16
      2.        Value Delivery .............................................................................................................................17
      3.        Resource management ...............................................................................................................17
      4.        Risk management........................................................................................................................17
      5.        Performance measures ...............................................................................................................18
           b.          Risk Management................................................................................................................18
      1.        Security Policy and Implementation ...........................................................................................18
      2.        Asset Management .....................................................................................................................19
      3.        Information Systems Acquisition, Development & Maintenance...............................................20
      4.        Physical & Environmental Security..............................................................................................20
      5.        Access Controls ...........................................................................................................................21
      6.        System Parameters .....................................................................................................................21
      7.        IT Controls review ­ OS, Database, Networking devices ............................................................22
      8.        Capacity Management ................................................................................................................23
      9.        Disaster Recovery, Backup & Contingency planning...................................................................24
      10.          Customer Services...................................................................................................................24


                                                                                                                                                               ii
Appendix A ­ About COBIT..........................................................................................................................25
Appendix B ­ About COSO ..........................................................................................................................27
Appendix C ­ Guidelines on Outsourcing of Activities by Insurance Companies .......................................29
Appendix D ­ Clarifications on Guidelines on Outsourcing of Activities by Insurance Companies ............42
Appendix E ­ IRDA (Web Aggregators) Regulation, 2013 ...........................................................................44
Appendix F ­ IRDA Circular on Investment Risk Management Systems and Process Audit .......................82
Appendix G ­ Extracts from ICAI Technical Guide.......................................................................................83




                                                                                                                                                 iii
I Introduction ­ IT Governance
   a. Insurance
Insurance is an assurance of compensation for specific potential future losses in exchange for
a periodic payment called `Premium'. Insurance is designed to safeguard the financial well-
being of an individual, company or any other entity in the case of an unexpected loss.
Some forms of insurance are mandated by law, while others are optional. A contract is enforced
between the insured (The Policy Holder) and the insurer (The Insurance Company) on mutual
agreement to the terms of an insurance policy.

The insured makes a payment towards the policy periodically as premium for which the
insurer agrees to pay the policy holder a sum of money upon the occurrence of a specific event.
The policy holder bears a part of the loss called the uninsured amount while making a claim and
the insurer pays the rest as compensation. Examples of insurance include car insurance, health
insurance, disability insurance, life insurance, and business insurance.

There are 24 life insurance companies and 27 general insurance companies operating in India as
per the details published on IRDA website (www.irda.gov.in) as on 30th June 2013.

Some of the key functions in the insurance lifecycle are:


New Business

Proposal or lead generation, Enrolment, Scanning/ Digitization are some of the key processes in
expanding the customer base.

Underwriting

This is the process of evaluating the risk, acceptability and premium of an entity to be insured.
This is typically a complicated process and involves significant time and effort and contributes
towards increasing the time taken to finally issue the policy to the customer. Technology has
been aggressively deployed to aid the underwriting process; analytics and predictive modelling
has advanced considerably to keep pace with the business requirement for speedy issuance of
policies in consistent manner throughout the enterprise while appropriately assessing risk.

Policy Administration






                                                                                               1
Some of the key processes that fall under this function include

       Policy holder correspondence
       Collateral verification
       Payment processing
       Policy issuance, printing and dispatch
       Record changes

Issuance of insurance policies is a fairly complicated process though the base model is the
same. Every insured has the option to choose from a variety of clauses which must be
accurately captured in the insurance document. In addition, personal information of the client
including medical, family and other data need to be part of the insurance document.

Document management systems are used to manage policies issued and also to meet
regulatory requirements regarding the storage of policies issued.

Claims Processing

One of the key challenges that face insurance companies is the need to provide a seamless and
integrated claims processing function across the organization and partners landscape. They
need to implement information processing systems that enable the smooth flow of information
from claims processing to underwriting to marketing. A smooth flow will enable insurance
companies to assess risk more accurately and thereby provide solutions that are tailor made to
customer requirements. The progressive adaptation of integrated systems to handle entire
ecosystem of processes provides management with a holistic view of the business, thus
improving the business offering to customers.




                                                                                            2
                                           New Business




                                               Key
                          Claims
                        Processing           Business         Underwriting
                                            Functions




                                             Policy
                                          Administration




Some of the key enabling functions in the insurance lifecycle are represented below:




                                           Channel
                                          Management




                    HR, Audit,
                   Marketing &               Key
                                                                 Investment
                      Other                Enabling             Management
                   supporting
                    functions
                                          Functions




                                          Accounts &
                                           Finance




                                                                                       3
The above functions are also applicable to Reinsurance and as such would be subject to the
same requirements of IT Governance and Risk Management initiatives.


Micro-Insurance

Micro-insurance is insuring the low-income population. This sector can insure a variety of risks
including health, property, crop, livestock/cattle, theft, fire, disability etc. IRDA has issued
microinsurance draft norms (as of this writing) which are soon expected to be translated into a
final set of regulations. For distribution of these products, IRDA has said regional rural banks,
micro finance institutions, district cooperative banks, non-governmental organisations, self-
help groups, urban cooperative banks, banking correspondents and individual owners of kirana
stores, public call offices, fuel stations and fair price shops in rural areas will be allowed to sell
these.



Selecting the right technology will be a key to the success of any microinsurance endeavour.
The most important question that need to be answered before taking a final call is "what is the
technology expected to deliver?" Is it ease of use, mobile capabilities, reduce cost, reduce
transaction turnaround time etc. Clarity in this aspect will be a pre-requisite for choosing the
most appropriate technology.



Smart cards may be issued to customers. These could contain policy details like name, photo ID,
biometric fingerprint, insurance history, etc. When the smart card is swiped on a hand held
device, this information is made available to the agent.



Handheld devices are expected to play a critical role in microinsurance. These devices can have
various integrated components including smart card readers, biometric authentication devices,
printers etc. Internet connectivity may be through GPRS or Wi-Fi.




GPRS has been used to connect hand held devices to central servers. The availability of GPRS
connectivity in locations where the hand held devices are expected to operate (typically rural

                                                                                                    4
settings) should be examined - trial runs should be made to avoid surprises. In the absence of a
robust GPRS connectivity, microinsurance companies have taken the approach of storing the
data locally in the device until such time that a connectivity is available. Once the device detects
a connection to the internet, the data is sent to the central servers. The transaction is
completed seamlessly though there is an invisible time buffer during which the data resides on
the device itself.



The use of SMS as a technology platform has been used by a microinsurance provider in Brazil.
The Brazilian government issues a social security number to each citizen. This number is sent as
the primary information during enrollment. The server which receives this number then
connects to another central repository of citizen information. This approach vastly reduces the
need for elaborate data entry and eliminates multiple entries of the same data. Data entry
errors are also eliminated. It is possible that a similar technology may be adopted by Indian
insurance companies if the Indian government's Aadhar initiative becomes a success.



   b. IT Governance


IT governance in simple terms refers to the process of how the organizations align the IT
strategy with the Business strategy and ensure that the companies stay on track in achieving
their strategies and goals and implement good ways to measure its performance. An IT
governance framework addresses the functioning of the IT department, the key metrics
required by the management and the returns achieved by the business from the investment
made in IT.



Organizations today are subject to many regulations governing data retention, confidentiality of
information, financial accountability and recovery from disasters. One of the goals of IT
governance is that, the internal controls of an organization should meet the core guidelines of
many of these regulations, as well as adherence to various international standards such as
COBIT (refer Appendix A) and COSO (refer Appendix B).

India has a high potential for development in insurance as most of its household are still
untapped by the insurance companies. With the increase in competition among the insurers,
providing service to the customer has become a key issue. Moreover, customers are getting
increasingly sophisticated and tech-savvy. This highlights the importance of technology in

                                                                                                  5
designing and developing products to suit the personalized need of the customer. As
technology is embraced and becomes a core component of the insurance industry, the inbuilt
security threats also increase exponentially. This commentary makes an attempt to explore
tactics to defeat such threats faced by the insurers.




                                                                                        6
II State of Information                                               Systems                   in
   Insurance Industry
The insurance sector is now open to private enterprises and this has resulted in the emergence
of Insurance Regulatory and Development Authority (IRDA) as the regulator of insurance in
India. Insurance companies were forced to introduce a variety of products and to venture into
wider diversified areas. This intense competition renders insurance companies more aggressive,
slashing premiums and increasing the exposure of the companies.



The Insurance sector has a dual role to play. It has to protect and secure its own information
and infrastructure to achieve its business objectives apart from promoting the information
security through positive reinforcement. The insurance company may do this by distributing
rewards and providing insurance cover with lower premium for cyber risks of entities that have
information security systems in place. This will drive the importance of securing information
technology in organizations.



In addition, the integral component of the insurance sector lies in obtaining accurate
information as promptly and efficiently as possible. Insurers normally base their rates on
actuarial models which determine the likely occurrence of the risks to experience a loss.
Insurance companies use technology to analyze the claims of prior years and to scrutinize the
data of the policy holder. Technology is also used to explore the correlation between risk
characteristics and claims. Actuaries have the opportunity to use technology in analyzing the
risk at a much more precise level of granularity.

Outsourcing

IRDA, in its notification to the CEOs of insurance firms, said that "it is not desirable to outsource
the core and important activities which will affect corporate governance, protection of policy
holders, solvency and revenue flows of insurer."

Core Activities are:

   -   Underwriting
   -   Product design and actuarial functions; enterprise wide risk management
   -   Investment and related functions


                                                                                                   7
   -   Fund accounting and NAV calculations
   -   Admitting or repudiation of claims
   -   Bank Reconciliation
   -   Policyholder grievances redressal
   -   Approving advertisements
   -   Market conduct issues
   -   Appointment of surveyors and loss assessors
   -   Compliance with AML, KYC
   -   Policy servicing

Refer Appendix C ­ Guidelines on outsourcing of activities by Insurance Companies

Refer Appendix D ­ Clarifications on Guidelines on outsourcing of activities by Insurance
Companies

The above issues pose a challenge to the insurance industry in India today and also worldwide
and need to be addressed on a war footing. A few typical challenges and risks faced by the
insurance companies are:

   a. Storage and processing of data
   b. Accessing and retrieval of data
   c. Security of information
   d. Embracing technology developments
   e. Safeguarding of information against natural disasters
   f. Business continuity planning

Web Aggregators

The term "Web Aggregator" pertains to any online website or portal which provides
information and comparison of insurance products by different insurers and provides leads to
insurers.

Some of the guidelines relating to display of product comparisons on the website are:

   a. Web aggregators shall not display ratings, rankings, endorsements or bestsellers of
       insurance products on their website. The content of the websites of the web



                                                                                           8
       aggregators shall be unbiased and factual in nature; they shall desist from commenting
       on insurers or their products in their editorials or at any other location in their websites.
   b. The default/home page of the websites of the web aggregators shall clearly and
       prominently provide links to the product comparison charts and tables for each category
       of products covered by them. The visitor to the website should be given clear product
       options to choose from and once a particular option is chosen, a product comparison
       chart relevant to his choice shall be displayed. The product comparison chart shall have,
       interalia, columns to display a) the premium quoted by each insurer relevant to the age,
       health and other personal details of the client for the product category, policy/premium
       term, quantum of cover etc chosen b) the default underwriting requirements such as
       medical examination, diagnostics or other documents c) exclusions, limits or other
       conditions, if any c) key features of the product chosen.
   c. Web aggregators shall disclose prominently on the home page that the client/visitor's
       particulars could be shared with insurers/insurance brokers.
   d. Web aggregators shall not carry any advertisements or sponsored content on their
       websites.
   e. Product comparisons that are displayed shall be upto date and reflect a true picture of
       the products.
   f. Web aggregators shall display product information purely on the basis of the
       information furnished to them by insurers.

Refer Appendix E for the IRDA (Web Aggregators) Regulation, 2013

With the growing use of technology in the insurance industry, some of the potential Game
Changers from the Technology Arena are:

       Hand held devices / Mobile / Tablet based data collection and dissemination
       Cloud computing enabling users to access data from wherever they are
       Marketing through social media
       Digitisation of documents
       Higher degree of segmentation, customer data analytics and predictive modeling

                                                                                                   9
   Smart cards that can be swiped on hand held devices in Microinsurance
   Document management systems to manage policies and customer data
   Biometric data of customers stored in smart cards
   GPRS for hand held devices
   SMS in microinsurance
   Centralized database of vehicles insured for access by transport and police authorities
   Use of telematics for vehicle tracking and determining insurance premiums




                                                                                             10
III             Regulatory     framework       for
                Information Systems in Insurance
   a. The Insurance Act 1938

In 1938, with a view to protecting the interest of the Insurance public, all the earlier legislation
was consolidated and amended by the Insurance Act, 1938 with comprehensive provisions for
effective control over the activities of insurers.



This Act addresses over 31 provisions applicable to insurers. It also addresses the investigative
powers of the authority, appointment of staff, control over management, amalgamation and
transfer of insurance business, assignment or transfer of policies and nominations, commission
and rebates and licensing of agents, special provisions of law, management by administration
and acquisition of the undertakings of insurers in certain cases.

   b. Regulations issued by IRDA (Insurance Regulatory and Development
      Authority)


The Insurance Regulatory and Development Authority (IRDA) was constituted as an
autonomous body to develop the insurance industry based on the recommendations of the
`Malhotra Committee report', in 1999. The IRDA was incorporated as a statutory body in April,
2000 to monitor Insurance sector in India.

The key objectives of the IRDA are

    Promotion of competition among insurance companies to enhance customer
    satisfaction through increased consumer choice and lower premiums.
    Safeguarding the financial security of the insurance market and to eradicate the
    shortcomings of the industry.


Application for registrations in the market was invited by the IRDA in August 2000. Foreign
companies were allowed to own a share up to 26%.


IRDA has the power to frame regulations under Section 114A of the Insurance Act, 1938
subsequent to which various regulations ranging from registration of companies for carrying on
insurance business to protection of policyholders' interests were framed
                                                                                                 11
The Insurance Regulatory and Development Authority (IRDA) is a public authority as defined in
the Right to Information Act, 2005. As such, the Insurance Regulatory and Development
Authority is obliged to provide information to members of public in accordance with the
provisions of the said Act.


The subsidiaries of the General Insurance Corporation of India were restructured into
independent companies in December, 2000, when GIC was converted into a national re-insurer.
The bill to de-link the four subsidiaries from GIC was passed by The Parliament in July, 2002.


The Insurance Regulatory and Development Authority was established by the Indian
Government, for two significant reasons-to safeguard the interest of the policy holders and for
the up gradation of the entire insurance sector right from the approach adopted by the existing
insurance companies towards their shareholders to the eradication of the shortcomings of the
industry.


Scope of Insurance Regulatory and Development Authority

The Insurance Regulatory and Development Authority has been authorized to register new
insurance companies in India. The list of new insurance companies also includes the
collaborations of the renowned insurance companies overseas with the existing Indian
companies. The insurance companies in India are required to approach the Insurance
Regulatory and Development Authority for the purpose of renewal of the insurance
registration. The Insurance Regulatory and Development Authority are allowed to withdraw
registration of the companies and even cancel the registration of a company if required. It is
also authorized to modify the registration procedure for a company.


Functions of Insurance Regulatory and Development Authority


The emergence of Insurance Regulatory and Development Authority was to safeguard the
interests of the policyholders. The Insurance Regulatory and Development Authority ensures it
through various ways such as

       Nomination by Policyholders
       Settlement of insurance claim
       Practical training for Insurance agents and other intermediaries
                                                                                            12
       Insurable Interest
       Surrender value of Policyholders
       Code of conduct of Insurance intermediaries
       Assistance in gaining correct information about policies
       Creation of management information system
       Promotion of Self regulation within the insurance sector


   The IRDA has come out with various guidelines/ regulations relating to information
   technology including but not limited to the following:

              Guidelines on web aggregators
              Electronic Transactions Administration and Settlement Systems
              Audit of investment risk management systems and process, internal,
              concurrent
              Anti money laundering guidelines


   c. The Information Technology Act 2000

The Information Technology Act was passed by the Indian parliament in 2000. It was
subsequently amended in 2008.


The Act provides legal recognition for electronic transactions and electronic records. It also
provides legal recognition for E-Filing of documents with government agencies. Section 43
prescribes penalties for hacking of computing resources. Section 43A prescribes penalties for
Corporates who fail to protect sensitive personal data that are available in their computing
systems.


This Act emerged to curb `Cyber Crime' which is an unlawful act where computer is used as a
tool or target or both.


Insurance companies are posed with the duty to safeguard the data of the client under the
Information Technology Act, specifically section 43A. Insurance companies need to store data
securely and share it only with authorized partners for permitted purposes as prescribed in this
Act.

                                                                                             13
   d. Prevention of Money Laundering Act


The Prevention of Money Laundering Act, 2002 (PMLA) forms the core of the legal framework
put in place by India to combat money laundering. PMLA and the Rules notified there under
came into force with effect from July 1, 2005.


The PMLA and rules notified thereunder impose obligation on banking companies, financial
institutions and intermediaries to verify identity of clients, maintain records and furnish
information to Financial Intelligence Unit -India. PMLA defines money laundering offence and
provides for the freezing, seizure and confiscation of the proceeds of crime.


The insurance companies are required to comply with the regulations of anti money laundering
legislation. The insurers may mandate the norms of "KYC" ­ know your customer" mechanisms
to minimize, prevent and detect money laundering abuse.




                                                                                         14
IV          Information Systems Audit in
            Insurance Sector
Information System Audit has a significant role to play in the emerging Insurance Sector.
Information System Audit aims at providing assurance in respect of Confidentiality, Availability
and Integrity for Information systems. It focuses at their efficiency, effectiveness,
responsiveness and compliance with laws and regulations.



Information systems are the lifeblood of any large business. As in years past, computer systems
do not merely record business transactions, but actually drive the key business processes of the
enterprise. In the context of the growing dependence of Insurance Sector on Information
Systems for record keeping, transacting business, reporting, as well as regulatory compliance
and providing information and results to stakeholders, Information System Audit has assumed a
very significant role. Effective IS Audit systems in place would tantamount to corporate
governance; compliance and effective regulation of the insurance sector.

IRDA has already issued guidelines for Risk Management System Audit of Investments by
Insurance Companies (Refer Appendix F).

The Institute of Chartered Accountants of India has also issued a Technical Guide on Review and
Certification of Investment Risk Management Systems and Processes of Insurance Companies
(Refer Appendix G).

ICAI has also issued a Technical Guide on Internal & Concurrent Audit of Investment Functions
of Insurance Companies.

a.     IT Governance

Every organization either large or small, either public or private has to ensure that the IT
function sustains the organization's strategies and objectives. The level of sophistication that is
applied to IT governance however, may vary accordingly to the size, industry or applicable
regulations. The larger and more regulated the organization; it becomes essential to have the
more detailed IT governance structure.




                                                                                                15
IT governance in simple terms refers to the process of how the organizations align IT strategy
with business strategy and ensure that companies stay on track in achieving their strategies and
goals also by implementing good ways to measure its performance.



IT governance framework focuses on

   (I)        the overall functioning of the IT department,
   (II)       providing the management with the key metrics that it needs, and
   (III)      the returns earned from the investments in IT.




According to the IT Governance Institute (formed by ISACA), there are five areas of focus:

   1. Strategic Alignment

Strategic alignment refers to the process of linking the business strategy and IT strategy in
achieving the predetermined goals. Typically, the lightning rod is the planning process, and true
alignment can occur only when the corporate side of the business communicates effectively
with line-of-business leaders and IT leaders about costs, reporting and impacts.



Key business challenges that the Insurance Industry faces include:

           Growing the business

           Improving customer experience

           Providing better products and services using Information Analytics

           Improving operations like claims processing

           Complying with various regulatory requirements

           Improving Risk Management

           Reducing enterprise cost



Technology can be used facilitate many of these issues.

                                                                                              16
For e.g. Data Analytics programs can help insurance companies design products that are
customer centric and not based on the experiences and understandings of the underwriters
and/or legal department. Such products can vastly enhance the ability of an insurance company
to retain customers.

Target customers belonging to the 20 ­ 30 age group may be very comfortable researching,
buying and renewing policies online and increasingly from mobile phones and tablets.
Insurance companies need to think of social media marketing, quote aggregators and search
engine optimization to improve their brand recall value. Additionally, customers may be willing
to change their insurance company based on convenience provided using a particular channel.

   2. Value Delivery

Value delivery means the benefits reaped from the investments made by the IT department.
The optimal approach would be to develop a process to ensure that certain functions are
accelerated when the value proposition is growing and by eliminating functions when the value
decreases.

Adoption of Cloud computing is expected to bring down costs in the insurance sector.

   3. Resource management

Resource management involves the process of managing resources more effectively in
organizing the staff more efficiently based on the skills instead of the line of business. This will
allow organizations to deploy employees to various lines of business on a demand basis.

Attracting and retaining talent in IT will be a key challenge for insurance companies given that
they often operate a mish-mash of legacy and contemporary systems.

   4. Risk management

Risk management institutes a formal risk framework which imposes rigidity in accepting,
measuring and managing risk by the IT and reporting on how IT is managing in terms of risk.




                                                                                                 17
     5. Performance measures

A performance measure is about measuring the business performance. One popular method
involves instituting an IT Balanced Scorecard, which examines the contribution made by IT in
terms of achieving business goals, by the utilization of resources effectively and by developing
people. The qualitative and quantitative measures are used to ascertain these performances.


b.     Risk Management

Risk management of Information Systems is crucial to insurance companies as they handle a
huge amount of data relating to customers. A layered approach to security should be adopted
to ensure that the information resources within the domain are adequately protected.
Insurance companies have adopted technology in a big way and in order to cater to the new-
age needs of customers, they have brought in new distribution channels like web and mobile.
Also, agents and distributors expect to interact with the insurance company through various
channels. Protecting all such data is a critical requirement for insurance companies.
Additionally, Section 43A of the Information Technology Act provides for penalties to be
imposed on companies that fail to protect sensitive private data.


Insurance companies need to adopt the following measures to ensure that an information
systems management system is in place.

     1. Security Policy and Implementation

A well thought out security policy is needed because security is not a technology issue but a
business issue. The goal of corporate security policies is to define the procedures, guidelines
and practices for configuring and managing security within the operational environment. The
goal of implementing security policies, procedures and guidelines is to ensure that a common
baseline security framework is defined for the entire enterprise. This framework should ensure
that various entities in the computing environment are adequately protected and the
confidentiality, availability and integrity of computing resources and data are ensured.

Insurance companies have vast computing resources to cater to their clients and business
partners and other third party service providers. The insurance sector is faced with challenges
relating to retention of customers and providing a better customer experience. The solutions to
these challenges include innovative ways to reach out to customers. For e.g. cloud computing,
mobile, social media, data aggregators and other new technology needs to be embraced by
insurance companies to ensure that they stay in the race.


                                                                                             18
Introduction of any new technology in large enterprises like insurance companies is a long
drawn process typically involving analysis of the technology and various solutions and products
available from different vendors, procurement, installation, roll-out. Training of staff in
optimum use of the technology solution is sometimes followed by training of staff including
sales force, agents and distributors when such entities need to interact with the solution. If the
solution directly involves the customer ­ like a new smartphone application ­ then some
amount of customer engagement will also have to be on the agenda. Maintenance of the
technology and continuous training of new staff is also envisaged.

All the above mentioned activities need to done within the security framework of the
organization. It is therefore imperative that a well thought out set of policies, procedures and
guidelines be adopted by all insurance companies. This will only aid them in smooth operations
and ensuring that they maintain a secure computing environment.

   2. Asset Management

Data is the most critical asset of insurance companies. Typically, insurance companies sit on a
data mine collected over the years. The data they have includes customer's basic information,
premium paying pattern ­ chronic late payers, chronic bad check customers, preferred channels
of payment, how this is changing over the years, performance patterns of products, customer
preferences with respect to product type, payment modes, claims history, demographic
changes. All this data can be used by Analytics Engines to provide insights into customer
behavior patterns which insurance companies can use to tailor their products and services
accordingly. They also sit on financial investment data. They can find out how their investments
have performed over the years, which sectors have given better return on investments etc.

Innovative ways of capturing customer data may emerge in the near future. Telematics based
insurance, where premiums will be based on how well a person drive, may become available in
India once the technology is available. In telematics based insurance, a small black box (or data
box) will be fitted in a car. This will collect data like the distance the car travels, the period of
time the car is used, the location of the car at all times, types of roads the driver is travelling on,
speed and direction of travel prior to and after a collision/ accident, the driver's speed, the
driver's braking behavior, force of impact in an accident/ collision.




Insurance companies also invest in application software for their various functions like billing,
claims processing etc. Software assets also including operating systems and other operational
software like Office, Adobe Reader, etc.


                                                                                                    19
Assets need to be identified and classified based on criticality. Asset handling methodologies
need to be defined for each class of asset. Asset disposal methodology for hardware and
software also needs to be defined. Regular monitoring of assets also needs to be done.

   3. Information Systems Acquisition, Development & Maintenance

Customers and potential customers have come to expect newer ways of interacting with
insurance companies. This leads to adoption of new solutions/ products / technology.
Insurance companies may either opt to acquire said products/ solutions or develop the same in-
house. Since information is a core component of the insurance industry, software acquisition,
development and maintenance should be done with information security in mind.

Care should be taken to ensure that
        Before application development begins, security controls should be defined and
          agreed upon ­ these should include input, processing and output related controls
        Sufficient access controls should be built into the systems
        Encryption should be considered for both data at rest and data in transit
        Application code, configuration files, documentation and other system related files
          should have proper access control mechanisms protecting them
        Maintain separate test and production environments ­ avoid leakage of production
          data through test systems
        Conduct vulnerability assessments on applications before deploying them
        Ensure that systems are capable of adhering to the organisation's information
          security policies and procedures
        Ensure that no new threats are introduced into the computing infrastructure as a
          result of implementing the new systems

   4. Physical & Environmental Security

Confidentiality of data that insurance companies hold needs to be maintained. Physical access
to servers can mean access to the data stored on the device. So, preventing unauthorized
physical access to servers is very important. Availability of data is also key to the smooth
functioning of insurance companies ­ considering that premiums are being paid online,
engagement with customers, agents happens using the internet and other similar activities that
require that the servers be available at all times. Making sure that proper environmental
controls are implemented in data centers is one way to ensure availability of data. Additionally,
improper environmental controls can cause damage to services, hardware and lives. Power,
heating, ventilation, air-conditioning and air quality controls can be complex and contain many
variables. These need to be operating properly and be monitored regularly.


                                                                                              20
Issues that need to be looked into:

        prevent unauthorized physical access, damage, and interference to premises and
        information

        ensure sensitive information and critical information technology are housed in
        secure areas

        prevent loss, damage, theft, or compromise of assets

        prevent interruption of activities

        protect assets from physical and environmental threats

        ensure appropriate equipment location, removal, and disposal

        ensure appropriate supporting facilities (e.g., electrical supply, data and voice
        cabling infrastructure)

   5. Access Controls

Insurance companies have critical and sensitive data and information resources. The access to
these resources should be authorized and measures should be put in place to prevent
unauthorized access to valuable resources. Controls may be technical, physical or
administrative in nature.

Access to networks, servers and other end user systems, applications and data should be
controlled and restricted. Of particular importance is administrative access. Administrative
access bestows great power on individuals who have this role. Therefore, administrative access
should be granted on a need basis. A regular review of administrative access to resources
should be undertaken. This is especially true of insurance companies who may have a plethora
of systems, applications, networks and databases being accessed by a vast workforce and also
by third party service providers. So, it is critical that a matrix of administrative access to various
key resources be maintained up-to-date. Additionally, a regular audit of access control systems
including administrative access to resources may be undertaken to ensure that IT management
has a dashboard view of accesses granted.

   6. System Parameters

System Parameters are very critical for insurance companies as these control various important
touch points in the application. Applications could have system parameters for commission
rates, premium load values for different demographics etc. Therefore system parameters, if
not carefully calibrated and regularly monitored/ audited, could lead to revenue leaks.


                                                                                                   21
   7. IT Controls review ­ OS, Database, Networking devices

Insurance companies have information systems that are increasingly being brought online.
Cloud computing is being seen as a way to reduce costs. Customer interaction is through
websites, social media and mobile applications. As the avenues and modes of interaction with
customers' increases, so do the possible attack surfaces. As insurance companies hold critical
data that they must protect, they need to adopt a layered approach to security. One layer of
this approach would be to securely configure the core elements of their information
infrastructure ­ the operating systems, databases and networking devices.

Whenever bugs are discovered in operating systems, bug fixes or patches are released. If the
bug is not fixed, it may lead to a compromise of confidentiality, integrity and/or availability of
the server in question. Insurance companies should make sure they have a defined process to
address the issue of patching.

Securing the operating system should include the following

        Enable only those services that are required

        Enable only secure services ­ do not use telnet, FTP etc.

        Enforce strong password policies, delete unused accounts

        Routinely review system logs

Databases are the repositories of data which is the most critical asset of any organization,
especially insurance companies. It is possible that the data of insurance companies is spread
across a variety of databases maybe due to the presence of legacy applications, acquisitions
and the new ways and channels through which data is collected. Securing databases is of
paramount importance to insurance companies. As stated earlier, all database assets should be
identified and categorized.

Some of the key measures to be taken to secure databases include:

        Make sure that applications do not run with privileged database accounts. This will
           ensure that even if an application account is compromised, the compromise is
           contained and cannot contaminate other applications/ databases. Even application
           administrators should not be able to view database metadata.

        Password policies should be set according to organization information security policy



                                                                                               22
        Initialization parameters should be set as per best practices

        User access should be restricted and should be as per best practices. For e.g. users
        should not have access to the SYS.USER$ table in oracle as this table stores sensitive
        authentication information.

        System privileges should be restricted and given only as per best practices

        Access to sensitive packages should be restricted

Networking devices like routers and switches direct and control much of the data flowing across
computer networks. These networking devices need to be configured to control access, resist
attacks, shield other network components, and protect the integrity and confidentiality of
network traffic. In general, well-configured secure routers can greatly improve the overall
security posture of a network. Security policy enforced at a router is difficult for negligent or
malicious end-users to circumvent, thus avoiding a very serious potential source of security
problems.

Some of the key measures to be taken to secure networking devices include:

        Physically protect the networking device

        Keep software up-to-date by applying the latest patches

        A login banner should be set up with a `no trespassing' warning

        Virtual terminal login should be disabled if remote administration is not needed

        Secure password protection should be used (e.g. in Cisco devices, the Type 7
        password is known to be weak and should not be used)

        AAA mechanisms may be used

        Do not use common/ generic user names for administrators who log into the devices

        If remote administration is required, use SSH or IPSec

        The auxiliary port on routers should be disabled

        Run only those services that are required as per best practice recommendation

   8. Capacity Management




                                                                                              23
Assess the existing capacity and planned capacity for growth and adequacy of the current
capacity to handle existing and future business.

The volume of computing resources at the disposal of insurance companies is fairly large and
complex in nature. Companies also expect growth of business and this involves increase of
computing resources to cater to the needs of a growing footprint. Companies should be able to
smoothly handled increased capacity by understanding current processing power, memory etc.
If there are increased loads at a particular time of the day, then companies should investigate
the root cause of the surge and try to come up with possible solutions like moving non-critical
processing to a low-demand time period etc.

   9. Disaster Recovery, Backup & Contingency planning

This should include review of the existing disaster recovery, backup and contingency plans and
policies of the insurance companies and verify and assess the compliance to current policies.

Insurance companies require mature capabilities in this domain. Insurance companies are
concerned with the protection of a citizen's life and/ or properties as well as national wealth.
So, the data that they store is critical and it is imperative that their ability to serve the public
continues even in case of a disaster affecting their data centre. Sufficient backups should exist
as should an alternative processing facility. Periodically, live processing should be carried out
from the disaster recovery site to ensure that the insurance company has the capabilities to
handle a disaster in the data centre. Disaster recovery testing should also focus on sufficient
human resources backup and training for backup personnel.

   10.         Customer Services

Review the procedures and channels through which services are provided to customers and
other partners. In view of the new channels of providing services to customers, the procedures
adopted should be audited to ensure that information being disbursed through various
channels is accurate and reflect the corporate position. It should also be ensured that these
channels do not lead to information leakage. For e.g. If insurance companies have tied up with
aggregator websites, ensure that accurate information is being displayed on the said websites
and that it is in accordance with the guidelines on web aggregators issued by IRDA. Ensure that
customer engagement forums are not avenues for information leakage.




                                                                                                 24
Appendix A ­ About COBIT
COBIT 5 is the latest edition of ISACA's (www.isaca.org) globally accepted
framework, providing an end-to-end business view of the governance of enterprise IT that
reflects the central role of information and technology in creating value for enterprises.

COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals
and deliver value through effective governance and management of enterprise IT.

The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether
commercial, useful for enterprises of all sizes, whether commercial, not-for-profit or in the
public sector.

COBIT 5 is based on five key principles for governance and management of enterprise IT:

       Principle 1: Meeting Stakeholder Needs

       Principle 2: Covering the Enterprise End-to- End

       Principle 3: Applying a Single, Integrated Framework

       Principle 4: Enabling a Holistic Approach

       Principle 5: Separating Governance From Management

The COBIT 5 framework describes seven categories of enablers:

   1) Principles, policies and frameworks are the vehicle to translate the desired behavior
      into practical guidance for day-to-day management.

   2) Processes describe an organized set of practices and activities to achieve certain
      objectives and produce a set of outputs in support of achieving overall IT-related goals.

   3) Organizational structures are the key decision-making entities in an enterprise.

   4) Culture, ethics and behavior of individuals and of the enterprise are very often
      underestimated as a success factor in governance and management activities.

   5) Information is required for keeping the organization running and well governed, but at
      the operational level, information is very often the key product of the enterprise itself.



                                                                                             25
6) Services, infrastructure and applications include the infrastructure, technology and
   applications that provide the enterprise with information technology processing and
   services.

7) People, skills and competencies are required for successful completion of all activities,
   and for making correct decisions and taking corrective actions.




                                                                                         26
Appendix B ­ About COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint
initiative of the following five private sector organizations:

       American Accounting Association (www.aaahq.org)

       American Institute of CPAs (www.aicpa.org)

       Financial Executives International (www.financialexecutives.org)

       The Association of        Accountants    and    Financial   Professionals   in   Business
       (www.imanet.org)

       The Institute of Internal Auditors (www.theiaa.org)

COSO is dedicated to providing thought leadership through the development of frameworks
and guidance on enterprise risk management, internal control and fraud deterrence.

COSO through its "Internal Control ­ Integrated Framework" provides principles-based
guidance for designing and implementing effective internal controls.

The Framework will enable organizations to effectively and efficiently develop and maintain
systems of internal control that can enhance the likelihood of achieving the entity's objectives
and adapt to changes in the business and operating environments.

The updated COSO Framework (2013) lists 5 components of internal control with 17 principles
under them.

The 5 components of internal control are:

   1) Control Environment

   2) Risk Assessment

   3) Control Activities

   4) Information & Communication

   5) Monitoring Activities




                                                                                             27
The COSO framework has always presumed that, for internal control to be effective, all
components must be present and functioning. If a principle is not attained, then a component is
not present and functioning; hence, internal control is deficient.




                                                                                            28
Appendix C ­ Guidelines on Outsourcing of Activities
             by Insurance Companies

IRDA/Life/CIR/GLD/013/02/2011

01st February, 2011



Guidelines on Outsourcing of Activities by Insurance Companies
Reference:     1. INV/CIR/031/2004-05 dated 27th July, 2004

2. INV/CIR/058/2004-05 dated 28th December, 2004

3. RBI/2006/167 DBOD.NO.BO.40/21.04.158/2006-07

4. Regulation 7(c) of IRDA (Registration of Companies) Regulations, 2000

1.     INTRODUCTION

1.1    Insurers in India are increasingly using outsourcing, as a means of both reducing cost
and accessing expertise, not available internally and achieving strategic aims. 'Outsourcing'
may be defined as "Insurer's use of a third party (either an affiliated entity within a
corporate group or an entity that is external to the corporate group) to perform activities
on a continuing basis that would normally be undertaken by the Insurer itself, now or in
the future". These outsourcing arrangements are becoming increasingly complex.

1.2     Joint Forum set up by Basel Committee on Banking Supervision, International
Organization of Securities Commissions and International Association of Insurance Supervisors
has devised high-level principles on outsourcing in financial firms which gives guidance to firms,
and to regulators, in effectively managing risks involved in outsourcing without hindering the
efficiency and effectiveness of firms. Reserve Bank of India also brought out Guidelines on
Managing Risk and Code of Conduct in outsourcing of financial services vide reference 3 cited
above. This circular is issued based on best practices adopted internationally as outlined in
above document. These instructions are intended to provide direction and guidance to insurers
to adopt sound and responsible risk management practices for effective oversight.

1.3     Regulation 7 (c) of IRDA (Registration of Companies) Regulations, 2000, clearly sates
"The applicant will carry on "all functions" in respect of insurance business including
"management of Investment" within its own organization". It has been observed that certain
insurers are outsourcing even core activities such as Investment, Underwriting and Policy
servicing. It is not desirable to outsource the core and important activities which will affect
corporate governance, protection of policy holders, solvency and revenue flows of insurer.


                                                                                               29
1.4      In order to ensure proper corporate and regulatory oversight over the outsourcing of
activities of insurers, the Authority has decided to issue following instructions under Section
14(2) of Insurance Regulatory and Development Authority Act, 1999. These guidelines apply in
addition to the instructions given vide reference 2 cited above.

1.5   However this circular supercedes the provisions of para 3 of reference 2 cited above.

1.6       The insurer shall ensure that outsourcing arrangements neither diminish its ability to
fulfill its obligations to Policyholders nor impede effective supervision by IRDA. Insurers
therefore have to take steps to ensure that the service provider employs the same standards in
performing the services as would be employed by them if the activities were conducted in
house. Accordingly, insurers should not engage in outsourcing that would result in their internal
control, business conduct or reputation being compromised or weakened.

1.7    Activities of insurers are broadly classified into two categories namely `Core' and `Non-
Core', in accordance with Regulation 7(c) of IRDA (Registration of companies) Regulation,
2000.

2.     CORE ACTIVITIES

2.1    All activities relating to:-

Underwriting,

Product design and all Actuarial functions and Enterprise wide Risk Management

Investment and related functions

Fund Accounting including NAV calculations

Admitting or Repudiation of all Claims

Bank Reconciliation

Policyholder Grievances Redressal

Approving Advertisements

Market Conduct issues

Appointment of Surveyors and Loss Assessors

Compliance with AML, KYC etc.

All integral components of the above activities shall be treated as Core Activities

2.2    Policy Servicing and related activities

2.3    Insurers shall not outsource any of the core activities listed in para 2.1.



                                                                                              30
3. NON CORE ACTIVITIES:

Facility management i.e. Housekeeping, Security, Catering, etc.

PF Trust

Internal audit, Internal / branch /concurrent audit etc. (Note: However, the Board of
Directors shall appoint the internal /branch / concurrent auditor based on the recommendation of
the Audit Committee / Investment Committee respectively as mandated by the Authority in
Corporate Governance Guidelines. The report of internal auditor / concurrent auditor shall be
placed before the Audit Committee / Investment Committee / Board Meeting for their information
and necessary action)

Website Development and Management / Software and other IT Support

Pay Roll Management

HR Services

Service Tax Consultancy and Support

TDS filing

Compliance with labour laws

Data entry Including Scanning, Indexing Services

Printing and posting of reminders and other documents

Pre employment medical checkups

Reminders for Premium Payment

Call Centre and outbound calling for registering complaints or answering enquiries

Claim Processing for Overseas Medical Insurance Contracts

Tele-marketing

Consultancy Services pertaining to Service Tax, Income Tax and any other taxes payable by
insurer

Other Employee Benefits

Deployment of personnel within the premises / offices of the Insurer on a contract basis



4. ACTIVITIES SUPPORTING CORE ACTIVITIES:



                                                                                             31
4.1     Certain activities which support the core activities as listed in column 3 of Annexure ­I
may be outsourced as per risk management principles outlined in these guidelines subject to
reporting requirements.

4.2    Activities in column 4 of Annexure I, which insurers normally assign to outside
professionals, regulated either under different laws or provide outside expertise and economies,
may be outsourced to such entity as otherwise legally permitted to carry out those activities.

5. PREMIUM COLLECTION & CHEQUE PICK-UP ACTIVITIES:

5.1 The insurer shall ensure that the entities, other than those referred at Sl No. 3 Column No. 4
of Annexure ­ 1 shall be only a Company registered under Indian Companies Act, 1956. Such
entities engaged for cheque pick-up shall have a net worth of at least Rs.10 Crores. However,
these conditions are not applicable to Scheduled Commercial Banks and Post Office.

5.2 In respect of outsourcing of premium collection, insurers shall strictly ensure that the same
is outsourced only to entities listed at Sl.No.2 of Column 4.

5.3 Notwithstanding what is stated at Sl No. 2 of Column 4 of Annexure ­ 1 Insurers are also
permitted to outsource cheque pick up and premium collection to their respective Individual
Agents and Corporate Agents in respect of those policies that are not sourced by such
intermediaries. Such collection and pick up by agents who have not procured such business is
regarded as outsourcing. However, Insurers shall carry out the due diligence on individual
agents and corporate agents while outsourcing the same. However, the activity of premium
collection / cheque pick up referred in this paragraph shall be subject to the following conditions.

5.4 The total amount entrusted to be collected and picked up by Agents and Corporate Agents
for a given financial year shall not exceed three times the renewal commission that the said
agent earned in the preceding financial year. Thus it is a prerequisite for carrying out activity
that such agents are in existence at least for a period of 2 years.

5.5 The insurer shall assign this activity to agents and corporate agents by allocating only a
specified list of the policies, where the services of the agents that procured the business are no
longer available to the insurer.

5.6 The above referred conditions are not applicable in respect of Scheduled Commercial
Banks, Post Office when these activities are carried out in their capacity as a collecting bank.

5.7 Where an insurer permits its agent to collect premiums on its behalf, it shall be noted that in
such instances the agent is acting on behalf of insurers. Insurer shall remain accountable to the
receipts issued by the authorised agents / intermediaries.

5.8 Insurers shall notify Policyholders about all the options available for payment of premiums.

6. Bank Reconciliation: With reference to 2.1 (vi) the Insurer is solely responsible for
reconciling various Bank Accounts, cash and other instruments; and accountable to any
liabilities created through these accounts. However, Insurers are allowed to outsource clerical
activities like sorting and organizing the instruments to Scheduled Commercial Banks. The

                                                                                                 32
activity of tallying that what is stated in the account and actual availability of instrument shall not
be outsourced. The Scheduled Commercial Banks shall be required to submit the certified
copies of compilation of various assets inclusive of Cash / Fixed Deposits etc.

7.Policy Servicing and Related Activities: With regard to the activities referred in para 2.2,
the following components of the activities, referred at point no. 7.1, are allowed to be outsourced
to any service provider at the discretion of the Insurers and as per these guidelines. However, it
is reiterated that execution of these services shall remain to be Core Activity to be carried out by
the Insurers:

7.1 Receiving requests in physical/electronic/telephonic forms and transmitting to the insurer
without accessing the original data base of Insurers for the following areas of Policy Servicing;



Issuance of Policy Document / Certificates of Insurance

Change of Name / Address

Fund Switching/ Premium Redirection

Surrender, Maturity, Withdrawals Free look Cancellations Payouts

Loan Against Policy

Change of Policy Terms and Conditions / Details Change

Registration of Assignment / Nomination

Revival / Cancellation of Policy

Transfer of Policy

Substitution of Vehicle Communications, Reports, Printouts to Policyholders / Claimants

Laid up Vehicles

Withdrawal of No Claim Bonus

Declarations Update

Extension of Cover

Duplicate Policy

Document Collection and Investigation for complying with AML and KYC norms



8. General Principles: Outsourcing of activities allowed in these guidelines are subject to
following general principles.

                                                                                                    33
8.1 To avoid a potential conflict of interest no insurer shall outsource the internal audit to their
respective statutory auditors.



8.2.    The third party service providers engaged by insurers are subject to the various
provisions of Insurance Act, 1938, IRDA Act, 1999, Rules, Regulations or any other orders
issued there under. The third party service provider shall comply with provisions of Regulations,
Guidelines and any other law under force and the insurer shall be responsible for all acts of
omission and commission of its third party service providers in this regard.

8.3.    The regulated activities of the Agents, Corporate Agents, Brokers, TPA's, Surveyors and
other regulated entities, as provided in the Insurance Act,1938, IRDA Act,1999 and Regulations,
guidelines made there under, are not covered by these guidelines.

8.5.    Subject to these Guidelines, Agents, Corporate Agents, Brokers, TPA's and Surveyors
and other regulated entities shall not be contracted to perform any outsourced activity other than
those permitted by the respective regulations/instructions governing their licensing and
functioning.



9.       Risk Management Principles: While outsourcing activities every insurer shall abide by
criteria laid down in the following principles:

         9.1     An insurer intending to outsource any of its activities shall put in place a
comprehensive outsourcing policy, approved by its Board, which incorporates,       inter  alia,
criteria for selection of such activities as well as service providers, delegation of authority
depending on risks and materiality and systems to monitor and review the operations of these
activities.

9.2    In case any of the third party service provider becomes a group entity as defined vide
IRDA (Investment) Regulations, 2000, the insurer shall report the fact to the Authority within 30
days of such an event.

9.3    The Board of Directors of insurer shall review the performance of all third party service
providers every year with respect to compliance with provisions of Insurance Act 1938,
Regulations, Rules or any other order issued there under.

9.4    In case of termination of contract between insurer and third party service provider, the
compensation or penalty or any payment in lieu of foreclosure shall be reasonable and shall not
be excessive.

9.5   Insurer shall establish a comprehensive outsourcing risk management programme to
address the outsourced activities and the relationship with the service provider.


                                                                                                 34
9.6    Some factors that could help in considering materiality in a risk management programme
include the following:

The financial, reputational and operational impact on the insurance company of the failure of a
service provider to adequately perform the activity

Cost Benefit Analysis;

Potential losses to policyholders and their counterparts in the event of a service provider failure;

Consequences of outsourcing the activity on the ability and capacity of the insurer to conform
with regulatory requirements and changes in requirements,

Interrelationship of the outsourced activity with other activities within the Insurance Company.

Affiliation or other relationship between the insurer and the service provider;

Regulatory status of the service provider;

Degree of difficulty and time required to select an alternative service provider or to bring the
business activity in-house, if necessary; and

Complexity of the outsourcing arrangement. For example, the ability to control the risks where
more than one service provider collaborates to deliver an end-to-end outsourcing solution.



        9.7    Data protection, security and other risks may be adversely affected by the
geographical location of an outsourcing service provider. To this end, specific risk management
expertise in assessing country risk related, for example, to political or legal conditions, could be
required when entering into and managing outsourcing arrangements that are taken outside of
the home country.

9.8     Insurer shall ensure that outsourcing arrangements neither diminish its ability to fulfill its
obligations to policyholders and regulators, nor impede effective supervision by regulators.

9.9    Outsourcing relationships shall be governed by written contracts that clearly describe all
material aspects of the outsourcing arrangement, including the rights, responsibilities,
expectations of all parties. The outsourcing contracts may carry the following components:-

The contract shall clearly define what activities are going to be outsourced, including
appropriate service and performance levels. The service provider's ability to meet performance
requirements in both quantitative and qualitative terms should be assessable in advance;



The contract shall neither prevent nor impede Insurer from meeting its respective regulatory
obligations, nor the regulator from exercising its regulatory powers of conducting inspection,
investigation, obtaining information from either the insurer or the third party service provider.

                                                                                                   35
Insurer must ensure it has the right to access all books, records and information relevant to the
outsourced activity in the third party service provider;

The contract shall provide for the continuous monitoring and assessment by Insurer of the
service provider so that any necessary corrective measures can be taken immediately;

A termination clause and minimum periods to execute a termination provision, if deemed
necessary, shall be included. The latter should allow the outsourced services to be transferred
to another third-party service provider or to the Insurance Company. Such a clause shall include
provisions relating to insolvency or other material changes in the corporate form, and clear
delineation of ownership of intellectual property following termination, including transfers of
information back to the Insurer and other duties that continue to have an effect after the
termination of the contract;

Material issues unique to the outsourcing arrangement shall be meaningfully addressed. For
example, where the third party service provider is located abroad, the contract shall include
choice-of-law provisions and agreement covenants and jurisdictional covenants that provide for
adjudication of disputes between the parties under the laws of a specific jurisdiction;

9.10 Insurer and its third party service providers shall establish and maintain contingency
plans, including a plan for disaster recovery and periodic testing of backup facilities.

9.11 The Insurer shall take appropriate steps to require that third party service providers
protect confidential information of both the Insurer and its clients from intentional or inadvertent
disclosure to unauthorized persons.

9.12 The Insurer shall ensure that the third party service provider does not have any conflict
of interest. The third party service provider or any of their group entities shall not be able to
derive any benefit by causing loss to the insurer or policyholder. For instance the third party
service provider shall not have the responsibility of repairing the damaged vehicle, supply of
spare parts and marketing of the policy. In case of existence of conflict of interest among group
entities, the insurer shall avoid outsourcing to such entities.

9.13 No employee of Insurer shall be directly or indirectly involved in (i) creation of or (ii) any
outsourced activity of the outsourced entity.

9.14 The Insurer shall ensure that there is no risk of loss of control over outsourced activity
and potential impersonal treatment of policy holder / agents, before outsourcing any activity.

9.15 Where the third party service provider is either a group entity as defined in provisions of
Regulation (2) (ca) of IRDA (Investment) Regulations, 2000 and having a common director with
the insurer, the insurer shall ensure that the transfer pricing is done according to the sound
principles and or all such transactions shall be disclosed to the Authority as soon as the
agreement is completed and before payment is made to the third party service provider.



                                                                                                 36
However nothing contained herein shall be applicable for outsourcing of activities to a
scheduled commercial bank

10.     Evaluating the Capability of the Service Provider: In considering or renewing an
outsourcing arrangement, appropriate due diligence should be performed to assess the
capability of the service provider to comply with obligations in the outsourcing agreement. Due
diligence should take into consideration qualitative and quantitative, financial, operational and
reputational factors. Insurers should consider whether the service providers' systems are
compatible with their own and also whether their standards of performance including in the area
of policyholder service are acceptable to it. Where possible, the insurer should obtain
independent reviews and market feedback on the service provider to supplement its own
findings.



       10.1 Due diligence should involve an evaluation of all available information about the
service provider, including but not limited to:-

Past experience and competence to implement and support the proposed activity over the
contracted period;

Financial soundness and ability to service commitments even under adverse conditions;

Business reputation and culture, compliance, complaints and outstanding or potential litigation;

Security and internal control, audit coverage, reporting and monitoring environment, Business
continuity management;

External factors like political, economic, social and legal environment of the jurisdiction in which
the service provider operates and other events that may impact service performance.

Ensuring due diligence by service provider of its employees.



11. Reporting Requirements:

11.1 The activities outsourced vide point no.4.1 of these guidelines shall be reported to IRDA
within 45 days from the date of entering into outsourcing agreement.

11.2 With respect to each of the other outsourced activities all insurers shall file a report in
Form A (attached as Annexure-II) within 45 days from the end of every half year.

12. Electronic Issuance of Policies and Data Storage: Where insurers issue policies in
electronic form in accordance to the guidelines issued in this regard or where Insurers prefer to
outsource the Data Storage, the outsourcing of data storage in electronic form shall be
mandatorily with the repository service providers authorised by IRDA. The guidelines for
issuance of electronic policies and authorization of repositories will be issued separately.


                                                                                                 37
12.1 In respect of policies issued in electronic form, the terms and conditions of the policies
shall be drafted in simple and plain language. Insurers shall take prior approval of IRDA for the
text format of such policy documents.

12.2 Insurers are also permitted to allow the execution of the activities referred at point no. 7.1
to the authorised repository service providers at their discretion with respect to all category of
policies, both electronic policies and otherwise.

13.      Classification of any of the activities, that are not explicitly referred herein, as core or
noncore shall be done after due diligence. Mere listing of an activity as a non core shall not be
taken as freedom to outsource without proper risk assessment/due diligence. Further, Insurers
are advised to refer to IRDA for further clarification in case of any ambiguity regarding the
classification of the activities as core or noncore which are not specified in these guidelines.

14.     Redressal of Grievances related to Outsourced services: Every Insurer shall direct in
house Grievance Redressal Machinery to deal with grievances relating to services provided by
the outsourced agencies. Wide publicity has to be given through print and electronic media
about this. The Grievance Redressal Machinery shall deal with every grievance in a fair,
objective and just manner and issue reasoned speaking reply for every grievance rejected. It
shall also analyze grievances received to help identification of the problem areas in which
modifications of policies and procedures could be undertaken with a view to making the delivery
of services easier and more expeditious. The TAT's for redressal of grievances shall be as
notified by the Authority from time to time

15.     Centralized list of Outsourced Agents: If a service provider services are terminated by
an Insurer on grounds of mischief, fraud and non compliance with terms and conditions of
outsourcing agreement, they shall inform the Authority with reasons for such termination. The
Authority would be maintaining a caution list of such service providers for the entire insurance
industry for sharing among insurers.

16.     These guidelines shall not be construed to be authorizing, any activity which otherwise is
prohibited by any law under force and/or Regulation and Guidelines of the Authority.

17.     These guidelines would be reviewed by IRDA periodically.

18.     These guidelines come into force with immediate effect.

19.     The insurers shall terminate all existing outsourcing contracts entered into in
contravention of these guidelines before 31st June, 2011. Beyond the time period specified
herein, the Authority may relax time limit by 3 more months, on a case to case basis, in respect
of existing contracts that are in contravention of this circular.

      (A.Giridhar)

      Executive Director


                                                                                                  38
Annexure I

Sl. Activity            Specified activities that   Activities external to Insurers may be
                        can be outsourced with      Outsourced
No. (2)                 due reporting
                                                    (4)**
(1)                     (3)*

1. Underwriting         Data collection of        Data analysis
                        prospect/insured details,
                                                  Medical examination
                        Submission of proposals
                                                  Risk management service at policyholders' /
                        Data Entry                insured premises

                                                    Reinsurance


2. Premium              Printing of receipt         Collection by RBI approved banks, institutions,
   Collection                                       business correspondents of banks
                        Dispatch
                                                    Government, private partnerships like AP
                        Data entry of details       Online, e-mitra, e-seva, MP Online etc.
                        Issuance of receipt         Government offices like Post office

                                                    Payment aggregators eg VISA, Mastercard, Bill
                                                    desk, payments through RBI approved gateway

                                                    RBI Cleared Payment Collectors, e.g ECS

                                                    Licensed Insurance Intermediaries,

                                                        which includes agent / micro insurance
                                                    agent/ corporate agent/Broker who are
                                                    authorized and who himself procured the
                                                    policies related to the premium being collected.


3. Cheque pick up                                   Cash management services of banks
   and Banking
                                                    Picking up arrangement with couriers, Post
      Picking up from                               office,
      policyholder
      premises                                      Drop box

      Drop box

      Picking up from


                                                                                                  39
     acceptance
     points

4. Data Storage       Scanning      Physical storage of documents

                      Indexing

5. Admitting and                    Legal / expert / professional opinion
   repudiation of
   Claims                           Investigation

                                    Forensic analysis

                                    Salvage / sue and labour

                                    Average adjustors

                                    Recovery agents

                                    Third party claims negotiators

                                    Claims document aggregator

                                    Accident / road assistance

                                    International travel and medical assistance
                                    services

                                    Global repricing



*       Refer 4.1 of the Circular

**      Refer 4.2 of the Circular




                                                                                  40
Annexure ­ II

Form A

Sl. Particulars               For the Up to    For the corresponding      Up to the Half Year
No.                           Half    the Half Half Year of the preceding of the preceding
    (2)                       Year    year     year                       year
(1)
                              (3)     (4)      (5)                        (6)


1.   Activity out sourced
     (detailed description)


2.   Name of the Vendor


3.   Total Amount Agreed


4.   Amount Paid so far


5.   Whether vendor
     belongs to insurer
     group

6.   %of outsourcing
     payments to Operating
     Expense




Date :                                                      Signature of CEO




                                                                                           41
Appendix D ­ Clarifications on Guidelines on Outsourcing of
             Activities by Insurance Companies

Clarification 1

Ref: IRDA/Life/Cir/Misc/ 103 /05/2011

Date: 18-05-2011

Title: Clarification on Guidelines on Outsourcing of Activities by Insurance Companies



Reference is invited to point no. 5.1 of Guidelines on Outsourcing of Activities by
Insurance Companies (Circular No:            IRDA/Life/CIR/GLD/013/02/2011 dated
   st
01 February, 2011) wherein it is prescribed that entities engaged for the activities
referred at Column (4) of   Sl. No. 3 of Annexure - 1 (Cheque pick and Banking) shall
be only a Company registered under Indian Companies Act, 1956 with a net worth of
atleast Rs 10 Cores.

It is now clarified that these conditions are not applicable to the entities that are
permitted by RBI to facilitate collections using technology platform. Entities permitted by
RBI for collection are allowed to carry out the activity of `Cheque pick and Banking' in
accordance to the provisions of the within referred outsourcing guidelines and also in
compliance with those prescribed by RBI. The insurers shall put in place procedures for
issuance of simultaneous receipts to the policyholders through such entities. It is further
clarified that insurers shall remain responsible for the receipts issued and date and time
of such receipt shall be taken into account for considering the underlying benefits of an
insurance contract.

This issues with the approval of the Competent Authority.


(A Giridhar)
Executive Director




                                                                                         42
     Clarification 2

     Ref: IRDA/Life/CIR/GLD/219 /09/2011

     Date: 21-09-2011

     Title: Clarifications on Guidelines on Outsourcing of Activities by Insurance Companies

     With reference to the captioned guidelines the following clarifications are issued for
     compliance by all insurers.

1. Reference is invited to the Authorities Circular No. IRDA/Life/CIR/GLD/013/02/2011
   dated 01st February, 2011 wherein it was prescribed vide proviso 9.15 that the insurer
   shall report to the Authority before making payment to the third party service providers
   which is either a group entity as defined in provisions of Regulation (2) (ca) of IRDA
   (Investment) Regulations, 2000 and having a common director with the insurer.

a.    In clarification of the above provision it is now clarified that where the terms and
     quantum of payments agreed are explicitly mentioned in the terms and conditions of the
     agreement /MOU entered with above referred third party, the disclosure of the same
     shall be reported as soon as the agreement is made. And all subsequent transactions
     shall form part of Form ­ A and be reported in accordance to Clause 11.2 of the within
     referred guidelines.

2. Reference is also invited to proviso 5.2 read in conjunction with Sl No. 2 Column 4 of
   Annexure ­ 1 of the within referred guidelines. With regard to the Registration Fee
   collected under RSBY in addition to the entities referred therein, it is clarified that the
   TPAs which are engaged as Intermediaries for discharging various pre determined
   functions may also collect the registration fee.

     The above clarifications will come into effect immediately.
     Sd/-
     A.Giridhar
     Executive Director




                                                                                               43
Appendix E ­ IRDA (Web Aggregators) Regulation, 2013


Since the file size of the Appendix E is too heavy to upload, hence it can be downloaded from the
http://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo2168&flag=1&mid=Ins
urance%20Laws%20etc.%20%3E%3E%20Regulations




                                                                                              44
Appendix   F   ­   IRDA Circular on Investment Risk
                   Management Systems and Process Audit




                                                     82
Appendix G ­ Extracts from ICAI Technical Guide on Review
            and    Certification  of    Investment    Risk
            Management Systems and Processes of
            Insurance Companies (2013)
THE SCOPE

3.22. With a view to addressing the concerns of the Regulator and other stakeholders, the review of
investment risk and management system should include within its scope the following minimum areas
of information system security and audit:

i. Risk Management: Ensure that the features and system parameters implemented in the system are in
accordance with the policies and procedures covered in IRDA Investment Regulations and applicable
Guidelines / Circulars.

ii. Application Review: Review and ensure that the software used by the insurance companies is in
accordance with the security standards and policies and guidelines as prescribed by IRDA.

iii. Security Policy and Implementation: Review the security policy and implementation procedures with
special reference to the Hardware Platform, Network, Operating System, Physical Perimeter, Backups
and databases.

iv. Capacity Management: Assess the existing and planned capacity for growth and adequacy of the
current capacity to handle the existing and future business.

v. Disaster Recovery, Back-up and Contingency Planning: Review the existing disaster recovery, back-up
and contingency plans and policies of the insurance companies and verify and assess the compliance to
current policies.

vi. Customer Services: Review the procedures for providing services and communicating with clients /
investors.

vii. Internal Vulnerability Assessment: Ascertain the data integrity, availability and security of the key
information present in the network and the efficiency, effectiveness, responsiveness and compliance of
the IS processing facilities.

THE APPROACH

3.23. The checklist-based review should address and cover the following key activities of an Insurance
Company:

i. Understanding the Information Technology Infrastructure of the insurance company as it exists at the
location.



                                                                                                       83
ii. Understanding the business process, related to the Investment function and risk management system.

iii. Understanding the transaction mechanism and data flow with respect to investment management
function.

iv. Inspection and review of the documented policies and procedures, infrastructure and network
diagram.

v. Collection of evidence in the form of documents, test results, screenshots, confirmations, logs, third
party evidence.

vi. Conducting a risk analysis in the environment to evaluate and test the existing risk management
processes and available controls, both system- based and manual.

vii. Vulnerability analysis and audit of host servers.

viii. Discussing critical observations / findings with the Insurance Company and generating a report to be
submitted to IRDA.



Annexure C - Review of Information Technology (IT) Systems and Processes supporting Investment
Operations




                                                                                                       84
                     Annexure C




   REVIEW OF INFOR M ATION
TECHNOLOGY (IT) SYSTEMS AND
   PROCESSES SUPPORTING
  INVESTMENT OPERATIONS




                              85
 Technical Guide

 Review of Information Technology (IT) Systems and Processes
 supporting Investment Operations
S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
A       Planning the IT Function
        IT Plan and Strategy                                      Very
                                                                  Serious
A.1.    Does the Organization have an
        IT strategy / IT plan approved
        by Management
A.2.    Is there a process of minimum
        of annual review of the IT
        strategy / Plan
A.3.    Is there a periodic review
        (minimum annual) of         IT
        performance - covering key
        parameters in IT strategy such
        as Data Sizing, Network
        Performance?
        Information Architecture ­
        Policy and Procedure Review
        INFORMATION    SECURITY                                   Very
        POLICY DOCUMENT                                           Serious
A.4.    Is there an Information security
        policy, approved by         the
        management and adopted by
        the Board?
A.5.    Does it state the management
        commitment and set out the
        organisational approach        in
        managing information security?
 Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
A.6.    Does the Information Security
        Policy cover the following key
        areas of IT Security
         · Detailed IT Security Policy
             and Procedures
         · Organisa0tion and security
         · Asset Classification and
             Control
         · Personnel Security
         · Physical                 and
             Environmental Security
         · Communications           and
             Operations Manag em ent
         · Access Control
         · Systems Development and
             Maintenance
         · Information          Security
             Incident Manag em ent
         · Business           Continuity
             Management
         · Compliance requirements
             to Policies and Procedures
        IT Risk Management Process?
A.7.    Has the Security Policy been
        published and communicated as
        appropriate to all employees
        and vendors?
A.8.    Are new members of staff and
        vendors made aware of
        Information Security Policy?
A.9.    Are     continuous awareness
        programmes conducted for
        security awareness?
 Technical Guide

S. No Audit Objective                                A ud itor's        R isk
                                                   O bserv ation     C ateg o ry
                                               Y    N     Comments
A.10.   Has the role of Information
        Security         Officer with
        responsibilities           for
        implementation of the Security
        Policy been assigned?
A.11.   Whether detailed procedures for
        each      policy     statement
        developed?
A.12.   Is the Information Security
        Officer made responsible for:
             · Reporting            non-
                 compliance with the
                 approved policy
             · Incidents of security
                 breaches to the Top
                 Management,
             · Initiating and effecting
                 corrective action?
        INCIDENT   MANAGEMENT
        PROCEDURES
A.13.   Whether      an           Incident
        Management procedure exists
        to handle security incidents.
A.14.   Whether there are clearly
        defined procedures and rules
        covering the different types of
        security incidents.
A.15.   Whether        the      procedure
        addresses        the      incident
        management         responsibilities,
        orderly and quick response to
        security incidents.
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
A.16.   Whether         the     procedure
        addresses different types of
        incidents ranging from denial of
        service      to      breach    of
        confidentiality etc., and ways to
        handle them.
        INVENTORY OF ASSETS
A.17.   Whether an inventory or register
        is maintained with the important
        assets associated with each
        information system.
A.18.   Whether each asset identified
        has an owner, the security
        classification defined   and
        agreed and the location
        identified.
A.19.   Is there an up-to-date network
        diagram?
A.20.   Is the inventory schedule and
        networking plan reviewed at
        regular intervals to ensure that
        they are complete and up-
        dated?
A.21.   Are       all the        system
        configurations          properly
        documented?
A.22.   Is the configuration document
        regularly updated as per a fixed
        schedule?
        INFORMATION          LABELING
        AND HANDLING
 Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
A.23.   Whether an appropriate set of
        procedures are defined for
        information      labeling  and
        handling in accordance with the
        classification scheme adopted
        by the organization.
        CORRECT DISPOSAL OF
        RESOURCES   REQUIRING
        PROTECTION
A.24.   Is there a policy of identifying
        resources and media based on
        their level of sensitivity
A.25.   Is there a disposal process
        commensurate with each level
        of sensitivity
A.26.   Are the specified disposal
        provisions complied with
A.27.   Is the     disposal   procedure
        reliable
        ACCESS CONTROL POLICY
A.28.   Whether       the       business
        requirements for access control
        have    been      defined    and
        documented.
A.29.   Whether the Access control
        policy does address the rules
        and rights for each user or a
        group of user.
A.30.   Whether the users and service
        providers were given a clear
        statement of the business
        requirement to be met by
        access controls.
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
        CLASSIFICATION
        GUIDELINES
A.31.   Whether there is an Information
        classification     scheme     or
        guideline in place; which will
        assist in determining how the
        information is to be handled and
        protected.
        MANAGEMENT                OF
        REMOVABLE           COMPUTER
        MEDIA
A.32.   Whether    there     exists   a
        procedure for management of
        removable computer media
        such as tapes, disks, cassettes,
        memory cards and reports.
        OTHER     FORMS      OF                                   Serious
        INFORMATION EXCHANGE
A.33.   Whether there are any policies,
        procedures or controls in place
        to protect the exchange of
        information through the use of
        voice, facsimile and video
        communication facilities.
A.34.   Whether staffs are reminded to
        maintain the confidentiality of
        sensitive information while using
        such forms of information
        exchange facility.

        INFORMATION              AND                              Serious
        SOFTWARE            EXCHANGE
        AGREEMENT
Technical Guide
S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

A.35.   Whether there exists any formal
        or informal agreement between
        the organisations for exchange
        of information and software.
A.36.   Whether the agreement does
        address the security issues
        based on the sensitivity of the
        business information involved.
        Determine         technological
        direction.
        INDEPENDENT REVIEW OF                                      Very
        INFORMATION SECURITY                                       Serious
A.37.   Whether the implementation of
        security policy is reviewed
        independently on regular basis.
        This is to provide assurance
        that organisational practices
        properly reflect the policy, and
        that it is feasible and effective.
        TESTING, MAINTAINING AND                                   Very
        RE-ASSESSING    BUSINESS                                   Serious
        CONTINUITY PLAN
A.38.   Whether Business continuity
        plans are tested regularly to
        ensure that they are up to date
        and effective.
A.39.   Whether Business continuity
        plans were maintained by
        regular reviews and updates to
        ensure       their   continuing
        effectiveness.
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
A.40.   Whether      procedures     were
        included        within        the
        organisations            change
        management programme to
        ensure that Business continuity
        matters     are     appropriately
        addressed.
        MOBILE COMPUTING                                          Serious
A.41.   Whether a formal policy is
        adopted that takes into account
        the risks of working with
        computing facilities such as
        notebooks,     palmtops    etc.,
        especially    in    unprotected
        environments.
        WORKING FROM OFFSITE                                      Very
                                                                  Serious
A.42. · Whether policy, operational
        plan and procedures are
        developed and implemented
        for working from offsite. This
        should cover both employees
        and partners.
      · Whether such activity is
        authorized and controlled by
        management and does it
        ensure       that     suitable
        arrangements are in place for
        this way of working.
        Define the IT        Processes,
        Organization               and
        Relationships
        AUTHORISATION PROCESS                                     Very
        FOR         INFORMATION                                   Serious
        PROCESSING FACILITIES
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments

A.43. · Whether        there    is    a
         management authorisation
         process in place for any new
         facilities such as
      · Hardware
      · Software incl. applications
      · information          processing
         facility like data centers,
         offices etc
      · changes to configurations in
         existing Assets.
A.44.   Are log-books kept of system
        changes
A.45.   Are there any guidelines for
        implementing changes to IT
        components,       software or
        configuration data?
A.46.   Are all changes documented?
        INFORMATION          SECURITY                             Procedural
        COORDINATION
A.47.   Whether there is a cross-
        functional forum of management
        representatives from relevant
        parts of the organization to
        coordinate the implementation
        of information security controls.
        ALLOCATION             OF                                 Very
        INFORMATION      SECURITY                                 Serious
        RESPONSIBILITIES
A.48.   Has an IT Security Officer been
        appointed?
 Technical Guide

S. No Audit Objective                               A ud itor's        R isk
                                                  O bserv ation     C ateg o ry
                                              Y    N     Comments
A.49.   Whether responsibilities for the
        protection of individual assets
        and for carrying out specific
        security processes are clearly
        defined.
A.50.   Is there an establishment of a
        suitable organisational structure
        for IT security
        CONFIDENTIALITY                                             Very
        AGREEMENTS                                                  Serious
A.51.   Whether employees are asked
        to sign confidentiality or non-
        disclosure agreement as a part
        of their initial terms and
        conditions of the employment.
A.52.   Whether this agreement covers
        the security of the information
        processing      facility   and
        organisation assets.
        INCLUDING SECURITY IN JOB                                   Procedural
        RESPONSIBILITIES
A.53.   Whether security roles and
        responsibilities as laid down in
        Organization's         information
        security policy documented
        were appropriate.
A.54.   Does      it    include     general
        responsibilities               for:
        implementing or maintaining
        security policy,
        specific     responsibilities   for
        protection of particular assets,
        extension of particular security
        processes or activities.
 Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
        PERSONNEL         SCREENING                              Very
        AND POLICY                                               Serious
A.55.   Whether verification checks on
        permanent staff were carried
        out at the time of job
        applications.
        This should include:
        · character reference,
        · confirmation of claimed
            academic
        · professional qualifications
        · independent identity checks.
        TERMS AND CONDITIONS OF                                  Procedural
        EMPLOYMENT
A.56.   Whether terms and conditions of
        the employment covers the
        employee's responsibility for
        information security. Where
        appropriate:
         · At the joining date
         · At time of internal transfers
         · On termination/end of the
            em ploym e nt.
        INFORMATION    SECURITY                                  Procedural
        EDUCATION AND TRAINING
A.57.   Whether all employees of the
        organization and third party
        users (where relevant) receive
        appropriate Information Security
        training and regular updates in
        organisational policies and
        procedures.
 Technical Guide

S. No Audit Objective                               A ud itor's        R isk
                                                  O bserv ation     C ateg o ry
                                              Y    N     Comments
A.58.   Is the IT Security Management
        Team involved in the planning
        and delivery of IT training?
        DATA PROTECTION AND                                         Serious
        PRIVACY OF PERSONAL
        INFORMATION
A.59.   Whether there is a management
        structure and control in place to
        protect data and privacy of
        personal information.
        IDENTIFICATION                 OF                           Serious
        APPLICABLE LEGISLATION
A.60.   Whether all relevant statutory,
        regulatory     and      contractual
        requirements were explicitly
        defined and documented for
        each information system.
        INTELLECTUAL PROPERTY                                       Very
        RIGHTS                                                      Serious
A.61.   Whether there exist any
        procedures       to         ensure
        compliance       with         legal
        restrictions on use of material in
        respect of which there may be
        intellectual property (IPR) rights
        such as copyright, design rights,
        trade marks.
A.62.   Whether the procedures are
        well implemented.
A.63.   Whether proprietary software
        products are supplied under a
        licence agreement that limits the
        use of the products to specified
        machines. The only exception
        might be for making own back-
        up copies of the software.
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments

        SAFEGUARDING        OF                                    Very
        ORGANISATIONAL RECORDS                                    Serious
A.64.   Whether important records of
        the organisation are protected
        from loss destruction and
        falsification.
        SECURING OF EQUIPMENT                                     Very
        OFF-PREMISES                                              Serious
A.65.   Whether any equipment usage
        outside    an     organisation's
        premises     for     information
        processing has to be authorized
        by the management..
A.66.   Whether the security provided
        for these equipments while
        outside the premises is at par
        with or more than the security
        provided inside the premises.
        SEGREGATION OF DUTIES                                     Very
                                                                  Serious
A.67.   Whether duties and areas of
        responsibility are separated in
        order to reduce opportunities for
        unauthorized modification or
        misuse of information or
        services. This should include.
        Distinction between IT and
        Business Development and
        Production.
        SEPARATION             OF                                 Very
        DEVELOPMENT           AND                                 Serious
        OPERATIONAL FACILITIES
 Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
A.68.   Whether the development and
        testing facilities are isolated
        from operational facilities. For
        example, development software
        should run on a computer
        different from the computer with
        production software. Where
        necessary development and
        production network should be
        separated from each other.
        NETWORK CONTROLS                                         Very
                                                                 Serious
A.69.   Whether effective operational
        controls such as separate
        network         and       system
        administration facilities were
        established where necessary.
A.70.   Whether responsibilities and
        procedures for management of
        remote equipment, including
        equipment in user areas are
        established.
A.71.   Whether there exist any special
        controls       to      safeguard
        confidentiality and integrity of
        data processing over the public
        network and to protect the
        connected systems.
A.72.   Whether access attempts via
        telnet, ftp are logged and
        reviewed.
        IDENTIFICATION OF RISKS                                  Very
        FROM THIRD PARTY                                         Serious
A.73.   Whether risks from third party
        access are identified and
        appropriate security controls
        implemented.
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

A.74.   Whether security risks with third
        party contractors working onsite
        are identified and appropriate
        controls are implemented.
        SECURITY REQUIREMENTS                                      Very
        IN THIRD PARTY CONTRACTS                                   Serious
A.75.   Whether there is a formal
        contract containing, or referring
        to, all the security requirements
        to ensure compliance with the
        organization's security policies
        and standards.
        WORKING IN SECURE AREAS                                    Very
                                                                   Serious
A.76.   Whether there exists any
        security control for third parties
        or for personnel working in
        secure area.
        PREVENTION OF MISUSE OF                                    Very
        INFORMATION PROCESSING                                     Serious
A.77.   Whether use of information
        processing facilities for any non-
        business      or     unauthorised
        purpose, without management
        approval is treated as improper
        use of the facility.
A.78.   Whether at the log-on a warning
        message is presented on the
        computer screen indicating that
        the system facility being entered
        is private and that unauthorised
        access is not permitted.
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments

        REGULATION                   OF                           Procedural
        CRYPTOGRAPHIC
        CONTROLS
A.79.   Whether the         cryptographic
        controls are used in compliance
        with all relevant agreements,
        laws, and regulations.
        ACCEPTABLE         USE       OF                           Very
        ASSETS                                                    Serious
A.80.   Whether       regulations   for
        acceptable use of information
        and assets associated with an
        information processing facility
        were identified, documented
        and implemented. The auditor is
        required to understand the
        policies with respect to use of
        Information Assets and controls
        available to prevent their
        misuse.
        MANAGEMENT                                                Procedural
        RESPONSIBILITIES
A.81.   Whether      the     management
        requires employees, contractors
        and third party users to apply
        security in accordance with the
        established      policies    and
        procedures of the organization.
        Manage the IT investment
        REVIEW AND EVALUATION                                     Procedural
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments
A.82.   Whether the IT Security process
        ensures that a review takes
        place in response to any
        changes affecting the basis of
        the original assessment, for
        example: significant security
        incidents, new vulnerabilities or
        changes to organisational or
        technical infrastructure.
        LEARNING FROM INCIDENTS                                    Procedural
A.83.   Whether there are mechanisms
        in place to enable the types,
        volumes and costs of incidents
        and     malfunctions      to   be
        quantified and monitored.
        REPORTING             SECURITY                             Procedural
        INCIDENTS
A.84.   Are steps taken to ensure that
        anything unusual in the log files
        gets reported?
A.85.   Are the users regularly advised
        of the requirement to inform the
        administrator at once in case of
        irregularities?
        Communicate management
        aims and direction
        PUBLICLY             AVAILABLE                             Procedural
        SYSTEMS
A.86.   Whether there is any formal
        authorisation process in place
        for the information to be made
        publicly available. Such as
        approval from Change Control
        which       includes     Business,
        Application owner etc., Auditor
        may also evaluate the control to
        disclose NAV on the website.
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

A.87.   Whether there are any controls
        in place to protect the integrity
        of such information publicly
        available from any unauthorised
        access. The auditor may obtain
        VA and PT reports of the
        website     and     other   web
        applications where investment
        related data is hosted.
        SECURITY REQUIREMENTS                                      Serious
        IN        OUTSOURCING
        CONTRACTS
A.88.   · Whether               security
           requirements are addressed
           in the contract with the third
           party, when the organization
           has       outsourced       the
           management and control of
           all or some of its information
           systems, networks and/ or
           desktop environments.
        · The contract should address
           how the legal requirements
           are to be met, how the
           security of the organization's
           assets are maintained and
           tested, and the right of audit,
           physical security issues and
           how the availability of the
           services is to be maintained
           in the event of disaster.
        INFORMATION             ACCESS                             Serious
        RESTRICTION
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

A.89.   Whether access to application
        by various groups/ personnel
        within the organisation has been
        defined in the access control
        policy as per the individual
        business               application
        requirement and whether it is
        consistent      with           the
        organisation's        Information
        access policy.
        PASSWORD USE                                               Very
                                                                   Serious
A.90.   Whether      there    are  any
        guidelines in place to guide
        users     in    selecting  and
        maintaining secure passwords.
        UNATTENDED                USER                             Procedural
        EQUIPMENT
A.91.   Whether     the     users    and
        contractors are made aware of
        the security requirements and
        procedures      for    protecting
        unattended equipment, as well
        as their responsibility to
        implement such protection.
        CLEAR DESK AND CLEAR                                       Procedural
        SCREEN POLICY
A.92.   Whether automatic computer
        screen locking facility is
        enabled. This would lock the
        screen when the computer is
        left unattended for a period.
 Technical Guide

S. No Audit Objective                                 A ud itor's        R isk
                                                    O bserv ation     C ateg o ry
                                                Y    N     Comments
A.93.   Whether employees are advised
        not to leave any confidential
        material in the form of paper
        documents, media, etc., in a
        locked place while unattended.
        RETURN OF ASSETS                                              Very
                                                                      Serious
A.94.   Whether there is a process in
        place      that     ensures       all
        employees, contractors and
        third party users surrender all of
        the organization's assets in their
        possession upon termination of
        their employment, contract or
        agreement.
        MANAGEMENT COMMITMENT                                         Serious
        TO INFORMATION SECURITY
A.95.   Whether              management
        demonstrates active support for
        security measures within the
        organization. This can be done
        via           clear       direction,
        demonstrated          commitment,
        explicit     assignment         and
        acknowledgement of information
        security responsibilities.
        ROLES                         AND                             Procedural
        RESPONSIBILITIES
A.96.   · Whether employee security
          roles and responsibilities,
          contractors and third party
          users were defined and
          documented in accordance
          with    the    organization's
          information security policy.
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments
        · Were the roles and
           responsibilities defined and
           clearly communicated to job
           candidates during the pre-
           employment process
         Manage IT human resources
         USER DELETION                                             Very
                                                                   Serious
A.97.  Is there a well defined process
       for revoking user rights on
       termination of employment?
A.98. Is the IS Team promptly
       informed of the termination of
       service by a staff member?
A.99. Are there any former staff
       members       who      still  hold
       previously issued passes or
       user ID?
A.100. Is it ensured that all entry and
       access rights of a staff member
       whose services have been
       terminated are revoked and
       deleted, and is the process
       adequate?
A.101. When       the          contractual
       relationship with outside staff is
       terminated, are all access
       authorisations      revoked      or
       deleted?
       TERMINATION                                                 Very
       RESPONSIBILITIES                                            Serious
A.102. Whether responsibilities for
       performing         employment
       termination, or change of
       employment, are clearly defined
       and assigned.
 Technical Guide

S. No Audit Objective                           A ud itor's        R isk
                                              O bserv ation     C ateg o ry
                                          Y    N     Comments
        Manage quality
        EXTERNAL           FACILITIES                           Serious
        MANAGEMENT
A.103. Whether any of the Information
       processing facility is managed
       by external company or
       contractor (third party).
A.104. Whether the risks associated
       with such management were
       identified in advance, discussed
       with the third party, and
       appropriate     controls    were
       incorporated into the contract.
        OUTSOURCED        SOFTWARE                              Serious
        DEVELOPMENT
A.105. · Whether the outsourced
         software development is
         supervised and monitored
         by the organization.
       · Whether points such as:
         Licensing     arrangements,
         escrow         arrangements,
         contractual requirement for
         quality assurance, testing
         before installation to detect
         Trojan code etc., are
         considered.
        Manage Projects
        EMERGENCY PROCEDURES                                    Serious
A.106. Is there an authorized person to
       determine the existence of an
       emergency?
A.107. Is   there an     Emergency
       Procedure Manual?
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
A.108. Is a description of the
       emergency       organisation
       available?
A.109. Is consideration given to all
       possible emergencies?
A.110. Are     all     persons       and
       organisational units stated in the
       Manual aware of the emergency
       organization?
A.111. Has configuration back-up been
       produced for every employed
       computer type and/or every
       employed operating system and
       easily accessible in case of
       emergency?
A.112. Is a startup disk available for
       each configuration PC which
       can be used to boot the system
       in the event of a boot failure?
        NETWORK PERFORMANCE                                       Procedural
        MEASUREMENT
A.113. Are performance measurements
       and      traffic-flow analyses
       conducted regularly?
       Is it within the SLA agreed to
       with the vendor?
A.114. Has a security analysis of the
       network environment been
       conducted?
        SENSITIVE              SYSTEM                             Procedural
        ISOLATION
 Technical Guide

S. No Audit Objective                                A ud itor's        R isk
                                                   O bserv ation     C ateg o ry
                                               Y    N     Comments
A.115. Whether sensitive systems are
       provided        with         isolated
       computing environment such as
       running      on      a     dedicated
       computer, sharing resources
       only with trusted application
       systems, etc.
        ALTERNATE PROCESSING                                         Procedural
A.116. Is there a specification of
       internal         and         external
       alternatives?
A.117. Are these available and
       effective?
A.118. Are the configuration, capacity
       and compatibility of internal and
       external      alternatives      being
       adapted to the current status of
       procedures?
A.119. Are       the      integrity      and
       confidentiality of IT application
       and data moved to external
       resources ensured in the case
       of      recourse      to     external
       alternatives?
A.120. Are there any contingency plans
       for failure of individual assets?
A.121. Are there contingency plans in
       case of breakdown of data
       transmission?
A.122. Has the data transmission
       capacity required for the use of
       alternative resources been
       adequately assessed?
A.123. Are there any alternative
       solutions    for     important
       communication links?
 Technical Guide

S. No Audit Objective                                 A ud itor's        R isk
                                                    O bserv ation     C ateg o ry
                                                Y    N     Comments
A.124. Is there a provision of redundant
        communication lines?
A.125. Is there a sufficient redundant
        arrangement          for     network
        components?
A.126. Is there any point of failure in
        the current infrastructure?
B       Implement IT Plan
        Acquire         and        maintain
        application software
        OPERATIONAL                CHANGE                             Very
        CONTROL                                                       Serious
B.1     Whether all programs running
        on production systems are
        subject to strict change control
        i.e., whether any change to be
        made to those production
        programs needs to go through
        the          change           control
        authorisation.
B.2     Whether        audit     logs     are
        maintained for any change
        made        to   the      production
        programs.
         AUDIT LOGGING                                                Procedural
B.3    · Whether audit logs recording
             user activities, exceptions,
             and information security
             events are produced and
             kept for an agreed period to
             assist         in         future
             investigations and access
             control monitoring.
       · Whether appropriate Privacy
             protection measures are
             considered in Audit log
             maintenance
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
        FAULT LOGGING                                             Procedural
B.4    · Whether faults are logged
         analysed and appropriate
         action taken.
       · Whether level of logging
         required     for  individual
         system are determined by a
         risk assessment, taking
         performance      degradation
         into account.
        APPLICATION ACCEPTANCE                                    Procedural
        CRITERIA AND TESTS
B.5    INPUT DATA VALIDATION
       · Whether data input to
          application      system     is
          validated to ensure that it is
          correct and appropriate.
       · Whether the controls such
          as: Different types of inputs
          to check for error messages,
          Procedures for responding
          to validation errors, defining
          responsibilities     of     all
          personnel involved in data
          input process etc., are
          considered.
B.6     CONTROL OF INTERNAL
        PROCESSING
       · Whether validation checks
          are     incorporated    into
          applications to detect any
          corruption of information
          through processing errors or
          deliberate acts.
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments

       · Whether the design and
          implementation             of
          applications ensure that the
          risks of processing failures
          leading to a loss of integrity
          are minimized.
       · Auditor needs to review the
          tests performed on the
          application at the time of
          acquisition and during any
          change
B.7     MESSAGE INTEGRITY
       · Whether requirements for
          ensuring and protecting
          message         integrity   in
          applications are identified,
          and appropriate controls
          identified and implemented.
       · Whether a security risk
          assessment was carried out
          to determine if message
          integrity is required, and to
          identify the most appropriate
          method of implementation.
B.8     OUTPUT DATA VALIDATION
        Whether the data output of
        application system is validated
        to ensure that the processing of
        stored information is correct and
        appropriate to circumstances.
 Technical Guide

S. No Audit Objective                               A ud itor's        R isk
                                                  O bserv ation     C ateg o ry
                                              Y    N     Comments
B.9     ACCESS         CONTROL         TO
        PROGRAM SOURCE CODE
        Whether strict controls are in
        place to restrict access to
        program source libraries.
        (This is to avoid the potential for
        unauthorized,        unintentional
        changes.)
B.10    RESTRICTION ON CHANGES
        TO SOFTWARE PACKAGES
        Whether     modifications     to
        software        package       is
        discouraged and/ or limited to
        necessary changes.
        Whether all changes are strictly
        controlled
        Acquire     and      maintain
        technology infrastructure
        EQUIPMENT MAINTENANCE                                       Procedural
B.11    Whether the equipment is
        maintained as per the supplier's
        recommended service intervals
        and specifications.
B.12    Whether the maintenance is
        carried out only by authorized
        personnel.
B.13    Whether appropriate controls
        are implemented while sending
        equipment off premises.
B.14    If the equipment is covered by
        insurance,   whether       the
        insurance requirements are
        satisfied.
        LAPTOPS                                                     Procedural
 Technical Guide

S. No Audit Objective                           A ud itor's        R isk
                                              O bserv ation     C ateg o ry
                                          Y    N     Comments
B.15    Are laptop users instructed as
        regards safe keeping of their
        computers during mobile use?
B.16    Is there use of an encryption
        product for laptop PCs?
        AUTOMATIC             TERMINAL                          Procedural
        IDENTIFICATION
B.17    Whether automatic terminal
        identification mechanism is
        used        to    authenticate
        connections.
        PLANNING       OF    A
        WINDOWS `OS' NETWORK
B.18    Is there any documentation
        indicating which directories on
        which computers have been
        shared for network access?
        CONFIGURATION         OF   `OS'                         Procedural
        SERVERS
B.19    Is there a document detailing
        the    settings    of   various
        parameters in the OS Server?
B.20    Are these settings adhered to?
B.21    Is protection of the registry
        under Windows in place?
B.22    Have the default passwords for
        local access been replaced by
        secure ones?
        PROTECTION       OF    SYSTEM                           Procedural
        TEST
 Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
B.23    Whether system test data is
        protected   and     controlled.
        Whether use of personal
        information or any sensitive
        information     for    testing
        operational   database       is
        shunned.
        Enable operation and use
        DOCUMENTED        OPERATING                              Very
        PROCEDURES                                               Serious
B.24    Whether the Security Policy has
        identified   any     Operating
        procedures such as Back-up,
        Equipment maintenance etc.
B.25    Whether such procedures are
        documented and used.
        SECURITY  OF          SYSTEM                             Very
        DOCUMENTATION                                            Serious
B.26    Whether        the       system
        documentation is protected from
        unauthorised access.
B. 27   Whether the access list for the
        system documentation is kept to
        the minimum and authorized by
        the application owner (for use
        by a limited number of users.)
        Manage Changes
        USE OF SYSTEM UTILITIES                                  Very
                                                                 Serious
B.28    Whether system utilities that
        come        with        computer
        installations, but may override
        system and application control
        are tightly controlled.
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments
        CHANGE MANAGEMENT                                          Very
                                                                   Serious
B.29    Whether     all  changes       to
        information processing facilities
        and systems are controlled.
B.30    Is there a written SOP covering
        the change control program that
        has been approved?
        TECHNICAL          REVIEW      OF                          Very
        APPLICATIONS               AFTER                           Serious
        OPERATING                SYSTEM
        CHANGES
B.31    Whether there is process or
        procedure in place to review
        and test business critical
        applications for adverse impact
        on organizational operations or
        security after the change to
        Operating Systems.
        Periodically it is necessary to
        upgrade operating system i.e.,
        to install service packs, patches,
        hot fixes etc.
C       Management of IT
        Service delivery                                           Procedural
C.1     Whether measures are taken to
        ensure that the security
        controls, service definitions and
        delivery levels, included in the
        third party service delivery
        agreement, are implemented,
        operated and maintained by a
        third party.
        Manage third party services
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments
        MONITORING AND REVIEW                                      Serious
        OF THIRD PARTY SERVICES
C.2    · Whether       the     services,
           reports and records provided
           by third party are regularly
           monitored and reviewed.
       · Whether         audits      are
           conducted on the above
           third party services, reports
           and records, on regular
           interval.
        MANAGING CHANGES TO                                        Serious
        THIRD PARTY SERVICES
C.3    · Whether        changes       to
            provision    of     services,
            including maintaining and
            improving             existing
            information security policies,
            procedures and controls, are
            managed.
       · Does this take into account
            criticality  of     business
            systems, processes involved
            and re-assessment of risks?
        Manage Performance and
        capacity
        PATCH MANAGEMENT                                           Serious
C.4     Are steps taken to ensure that
        information about the latest
        patches is always available?
        How is the patch level status of
        systems verified?
        CAPACITY PLANNING                                          Serious
 Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
C.5     Whether the capacity demands
        are monitored and projections of
        future capacity requirements are
        made.
        This is to ensure that adequate
        processing power and storage
        are      available.    Example:
        Monitoring Hard disk space,
        RAM, CPU on critical servers.
        Ensure continuous service
        BUSINESS            CONTINUITY                            Very
        PLANNING FRAMEWORK                                        Serious
C.6     Whether there is       a single
        framework       of      Business
        continuity plan.
C.7     Whether this framework is
        maintained to ensure that all
        plans are consistent and identify
        priorities for testing and
        maintenance.
C.8     Whether     this       identifies
        conditions for activation and
        individuals   responsible     for
        executing each component of
        the plan.
        WRITING            AND                                    Very
        IMPLEMENTING CONTINUITY                                   Serious
        PLAN
C.9     Whether plans were developed
        to restore business operations
        within the required time frame
        following an interruption in or
        failure of business process.
C.10    Whether the plan is regularly
        tested and updated.
 Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

C.11    Review the written BCP / DRP
        (s) and verify whether the BCP /
        DRP(s):
       · Address(es) the recovery of
           each                  business
           unit/department/ function,
       · According to its priority
           ranking     in    the      Risk
           Assessment; and
       · Considering
           interdependencies       among
           systems.
C.12    Whether it take(s) into account:
       · Personnel;
       · Facilities;
       · Technology           (hardware,
          software,            operational
          equipment);
       · Telecommunications/networks;
       · Vendors;
       · Utilities;
       · Documentation (data and
          records);
       · Law enforcement;
       · Security;
       · Media; and
       · Shareholders
C.13   Whether it include(s) emergency
       preparedness      and      crisis
       management aspects:
       · Has an accurate employee/
          manager contact tree;
Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments
       · Clearly defines
         responsibilities and decision-
         making        authorities     for
         designated teams and/or staff
         members, including those
         who have authority to declare
         a disaster;
       · Explains actions to be taken
         in     specific      emergency
         situations;
       · Defines the conditions under
         which the back-up site would
         be used;
       · Has procedures in place for
         notifying the back-up site;
       · Designates a public relations
         spokesperson; and
       · Identifies sources of needed
         office space and equipment
         and list of key vendors
         (hardware/              software/
         communications, etc.)
C.14   Whether the BCP / DRP
       establishes processing priorities
       to be followed in the event not
       all    applications   can      be
       processed.

C.15   Whether adequate procedures
       are in place to ensure the BCP /
       DRP (s) is (are) maintained in a
       current fashion and updated
       regularly.
Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

C.16   Whether a senior manager has
       been assigned responsibility to
       oversee    the     development,
       implementation, testing, and
       maintenance of the BCP / DRP.

C.17   Whether the board reviews and
       approves the written BCP /
       DRP(s) and testing results at
       least annually and documents
       these reviews in the board
       minutes.

C.18   Whether senior management
       periodically       reviews     and
       prioritizes each business unit,
       business process, department,
       and subsidiary for its critical
       importance        and      recovery
       prioritization. If so, determine
       how       often     reviews     are
       conducted.

C.19   If applicable, determine whether
       the senior management has
       evaluated the adequacy of the
       BCP/DRPs for its service
       providers, and ensured the
       organization's    BCP/DRP     is
       compatible with those service
       provider plans, commensurate
       with        adequate    recovery
       priorities.
Technical Guide

S. No Audit Objective                                A ud itor's        R isk
                                                   O bserv ation     C ateg o ry
                                               Y    N     Comments
       BUSINESS IMPACT ANALYSIS                                      Very
                                                                     Serious
C.20   Are     all   functions and
       departments included in the
       BIA?
C.21   Review the BIA to determine
       whether the identification and
       prioritization   of     business
       functions are adequate.
C.22   Does      the   BIA    identifies
       maximum allowable downtime
       for critical business functions,
       acceptable levels of data loss
       and backlogged transactions,
       and the cost and recovery time
       objectives    associated    with
       downtime?
C.23   Review the risk assessment and
       determine if it includes scenarios
       and probability of occurrence of
       disruptions       of     information
       services, technology, personnel,
       facilities, and service providers
       from internal and external
       sources, including:
       · Natural events such as
             fires, floods, and severe
             weather;
       · Technical events such as
             communication          failure,
             power        outages,       and
             equipment and software
             failure; and
       · Malicious activity including
             network security attacks,
             fraud, and terrorism.
Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments

C.24   Whether the risk assessment
       and BIA have been reviewed
       and   approved by       senior
       management and the board.

C.25   Are reputation, operational,
       compliance, and other risks
       considered in plan(s).

       RISK                 MITIGATION                           Procedur
       STRATEGIES                                                al

C.26   Whether        adequate     risk
       mitigation strategies have been
       considered for:
       · Alternate locations and
            capacity for:
       · Data centers and computer
            operations;
       · Back-room operations;
       · Work locations for business
            functions; and
       · Telecommunications.

C.27   Is there a policy for Back-up of:
       · Data;
       · Operating systems;
       · Applications;
       · Utility programs; and
       · Telecommunications?
Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments

C.28   Is there a policy for Off-site
       storage of:
       · Back-up media;
       · Supplies; and
       · Documentation,           e.g.,
            BCP(s), DRP, operating and
            other procedures, inventory
            listings, etc?

C.29   Is there a provision for Alternate
       power     supplies     such     as
       Uninterruptible power supplies
       (UPS); and Back-up generators.
Technical Guide

S. No Audit Objective                           A ud itor's        R isk
                                              O bserv ation     C ateg o ry
                                          Y    N     Comments

C.30   Whether there are procedures
       for,
       · Duplicates of the operating
          systems are available both
          on- and off-site.
       · Duplicates of the production
          programs are available both
          on- and off-site, including
          both source (if applicable)
          and object versions.
       · All    programming       and
          system software changes
          are included in the back up.
       · Back-up media is stored off-
          site in a place from which it
          can be retrieved quickly at
          any time.
       · Frequency and number of
          back-up generations is
          adequate in view of the
          volume of transactions
          being processed and the
          frequency    of   system
          updates.
       · Duplicates of transaction
          files are maintained on- and
          off-site.
       · Data file back-ups are taken
          off-site in a timely manner
          and not brought back until a
          more current back-up is off-
          site.
Technical Guide

S. No Audit Objective                               A ud itor's        R isk
                                                  O bserv ation     C ateg o ry
                                              Y    N     Comments

C.31   Review the written IT continuity
       plan(s) and determine whether
       the plan(s) addresses the back-
       up of the systems and
       programming         function  (if
       applicable), including,
       Back-up of programming tools
       and software; and
       Off-site copies of program and
       system documentation.

C.32   Does the plan deal with how
       backlogged transactions and
       other activity will be brought
       current.

C.33   Whether adequate physical
       security and access controls
       exist over data back-ups and
       program libraries throughout
       their life cycle, including when
       they         are          created,
       transmitted/delivered to storage,
       stored, retrieved and loaded,
       and destroyed.

C.34   Do       appropriate       policies,
       standards,     and      processes
       address business continuity
       planning issues including:
        · Systems Development Life
            Cycle, including project
            management;
        · The       change       control
            process;
        · Data synchronization, back
            up, and recovery;
Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
       ·  Employee training and
          communication planning;
       · Insurance; and
       · Government and community
          coordination?

C.35   Whether       personnel     are
       adequately trained as to their
       specific responsibilities under
       the plan(s) and whether
       emergency procedures are
       posted in prominent locations
       throughout the facility.

C.36   Does the continuity strategy
       include       alternatives     for
       interdependent components and
       stakeholders, including:
       · Utilities;
       · Telecommunications;
       · Third-party         technology
            providers;
       · Key         suppliers/business
            partners; and
       · Customers/members?

C.37   ·  Are     there      adequate
          processes in place to
          ensure the plan(s) are
          maintained     to    remain
          accurate and current?
        · Designated personnel are
          responsible for maintaining
          changes in processes,
          personnel,              and
          environment(s)?
Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

       · The board of directors
          reviews and approves the
          plan(s) annually and after
          significant changes and
          updates?
       · Process             includes
          notification and distribution
          of     revised plans        to
          personnel and recovery
          locations?
       DISASTER RECOVERY SITE /                                    Very
       ALTERNATE    PROCESSING                                     Serious
       SITE
C.38   Does the Insurer have a clear
       Off-site Back-up of Data in a
       City falling under a different
       Seismic Zone, either on its own
       or through a Service Provider?
C.39   Does the Insurer have, in
       addition to above, the necessary
       infrastructure for Mission Critical
       Systems to address at least the
       following:
        · Calculation of daily NAV
             (Fund wise) Redemption
             processing?
C.40   ·  Whether            satisfactory
          consideration      has been
          given      to       geographic
          diversity for:
       · Alternate           processing
          locations;
Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

       · Alternate      locations      for
          business processes          and
          functions; and
       · Off-site storage.

C.41   Are there arrangements for
       alternative processing capability
       in the event any specific
       hardware, the data center, or
       any portion of the network
       becomes         disabled       or
       inaccessible, and determine if
       those arrangements are in
       writing?

C.42   If the organization is relying on
       in-house systems at separate
       physical locations for recovery,
       whether the equipment is
       capable       of    independently
       processing        all      critical
       applications.

C.43   ·  If the organization is relying
          on outside facilities for
          recovery, whether the
          recovery site,
       · Has the ability to process
          the required volume;
       · Provides            sufficient
          processing time for the
          anticipated workload based
          on emergency priorities;
          and,
Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments
       ·   Allows the organization to
           use the facility until it
           achieves a full recovery
           from the disaster and
           resumes activity at the
           organization's own facilities.

C.44   Review the contract between
       applicable parties, such as
       recovery vendors if any.
       Determine if the terms and
       conditions of the contract relate
       to the BCP/DRP
C.45   Whether     the     organization
       ensures that when any changes
       (e.g. hardware or software
       upgrades or modifications) in the
       production environment occur
       that a process is in place to
       make or verify a similar change
       in each alternate recovery
       location.
C.46   Whether the organization is kept
       informed of any changes at the
       recovery site that might require
       adjustments       to         the
       organization's software or its
       recovery plan(s).
C.47   Whether there are plans in place
       that address the return to normal
       operations and original business
       locations once the situation has
       been resolved and permanent
       facilities are again available.
Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments

C.48   Whether               adequate
       documentation is housed at the
       alternate   recovery    location
       including:
        · Copies of each BCP / DRP;
        · Copies of necessary system
            documentation

C.49   Whether appropriate physical
       and logical access controls have
       been considered and planned
       for the inactive production
       system when processing is
       temporarily transferred to an
       alternate facility.

C.50   ·  Whether the methods by
          which        personnel     are
          granted temporary access
          (physical and logical) during
          continuity            planning
          implementation periods are
          reasonable.
       · Evaluate the extent to which
          back-up personnel have
          been reassigned different
          responsibilities and tasks
          when business continuity
          planning scenarios are in
          effect and if these changes
          require a revision to the
          levels        of     systems,
          operational,      data,   and
          facilities access.
Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

        · Review the assignment of
           authentication           and
           authorization credentials to
           determine if they are based
           upon         primary      job
           responsibilities and if they
           also     include     business
           continuity           planning
           responsibilities.
C.51    Whether the intrusion detection
        and incident response plan
        considers resource availability,
        and facility and systems
        changes that may exist when
        alternate facilities are placed in
        use.
        TESTING                                                    Very
                                                                   Serious
C.52    Whether the BCP / DRP(s) is
        tested periodically
C.53    Whether all critical business
        units/departments/functions are
        included in the testing.
C. 54   Whether the tests include:
        · Setting goals and objectives
            in advance;
        · Realistic conditions and
            activity volumes;
        · Use of actual back-up
            system and data files while
            maintaining off-site back-up
            copies for use in case of an
            event concurrent with the
            testing;
Technical Guide

S. No Audit Objective                                 A ud itor's        R isk
                                                    O bserv ation     C ateg o ry
                                                Y    N     Comments
       ·  Participation and review by
          internal audit;
       · A post-test analysis report
          and review process that
          includes a comparison of
          test results to the original
          goals;
       · Development of a corrective
          action plan(s) for all
          problems encountered; and
       · Board of Directors' review.




C.55   Whether             interdependent
       departments, vendors, and key
       market providers have been
       involved in testing at the same
       time to uncover potential
       conflicts and/or inconsistencies.

C.56   Whether the level of testing is
       adequate for the size and
       complexity of the organization.
       Determine if the testing includes:
       · Testing       the      operating
           systems        and       utilities
           (infrastructure);
       · Testing of all critical
           applications       (application
           level);
       · Data transfer between
           applications        (integrated
           testing); and
       · Testing       the      complete
           environment and workload
           (stress test).
Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments

C.57   Whether testing at an alternative
       location includes:
       · Network connectivity;
       · Items       processing     and
            backroom          operations
            connectivity             and
            information; and
       · Other critical data feed
            connections/interfaces.

C.58   Whether       testing     of   the
       information             technology
       infrastructure includes:
       · Rotation       of    personnel
            involved; and
       · Business unit personnel
            involvement.

C.59   Whether             management
       considered testing with:
       · Critical service providers;
       · Customers;
       · Affiliates;
       · Correspondent institutions;
           and
       · Payment systems and
           major financial market
           participants.

C.60   When testing with the critical
       service providers, determine
       whether              management
       considered testing,
       · From       the     institution's
            primary location to the
            TSPs' alternative location;
Technical Guide

S. No Audit Objective                             A ud itor's         R isk
                                                O bserv ation      C ateg o ry
                                            Y    N     Comments
       ·  From       the    institution's
          alternative location to the
          TSPs' primary location; and
        · From      the    institution's
          alternative location to the
          TSPs' alternative location.
      INFORMATION BACK-UP                                         Very
                                                                  Serious
C.61 Whether Back-up of essential
     business information such as
     production       server,   critical
     network               components,
     configuration backup etc., were
     taken regularly.
C.62 Whether the backup media along
     with the procedure to restore the
     backup are stored securely and
     well away from the actual site.
C.63 Can     data   restoration  be
     performed with the help of the
     documentation even by a person
     other than the one who backed
     up the data?
C.64 Are the persons responsible for
     data backup and restoration
     sufficiently trained?
C.65 Are data restoration exercises
     carried out periodically?
C.66 Whether the backup media are
     regularly tested to ensure that
     they could be restored within the
     time frame allotted in the
     operational     procedure      for
     recovery.
Technical Guide

S. No Audit Objective                         A ud itor's         R isk
                                            O bserv ation      C ateg o ry
                                        Y    N     Comments
      Ensure systems security
      MANAGEMENT INFORMATION                                  Very
      SECURITY FORUM                                          Serious
C.67 Whether there is a management
     forum to ensure there is a clear
     direction and visible management
     support for security initiatives
     within the organisation.
      IT SECURITY GUIDELINES AND                              Very
      PROCEDURES                                              Serious
C.68 Does the organization have a
     detailed IT Security Guidelines
     and procedures manual?
C.69 Is there a process of reviewing
     and updating these manuals at
     periodic intervals?
      ENDPOINT               USAGE                            Very
      GUIDELINES                                              Serious
C.70 Have Endpoint Use Guidelines
     been established?
C.71 How is compliance with the
     Endpoint   Use    Guidelines
     monitored?
C.72 Does every user have a copy of
     these Endpoint Use Guidelines?
      SECURITY OF ELECTRONIC                                  Very
      OFFICE SYSTEMS                                          Serious
C.73 Whether there is an acceptable
     use policy to address the use of
     Electronic office systems.
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments
C.74 Whether there are any guidelines
     in place to effectively control the
     business and security risks
     associated with the electronic
     office systems.
      DISABLING          REMOVABLE                               Very
      DRIVES                                                     Serious
C.75 Has it been ensured that floppy
     disk / USB drives will generally
     be locked and can be accessed
     only through authorized use?
      POWER SUPPLIES / UPS                                       Very
                                                                 Serious
C.76 Is the equipment protected from
     power failures by multiple feeds,
     through uninterruptible power
     supply (UPS), backup generator
     etc.?
C.77 Are the required intervals for
     UPS      maintenance     being
     observed?
C.78 Is the effectiveness of the UPS
     system being tested on a regular
     basis?
C.79 If any failures due to the location
     occurred in the past, had
     remedial action been taken for
     the same?
C.80 Are generators available to
     protect against prolonged power
     loss and are they in working
     condition?
Technical Guide

S. No Audit Objective                           A ud itor's         R isk
                                              O bserv ation      C ateg o ry
                                          Y    N     Comments
      GRANTING             OF                                   Very
      (SYSTEM/NETWORK) ACCESS                                   Serious
      RIGHTS
C.81 Are the issue and the retrieval of
     access     authorizations     and
     access-granting            means
     documented?
C.82 Is separation of functions being
     observed in the granting of
     access rights?
C.83 Are users being trained in the
     correct handling of access-
     granting means?
C.84 If use of access-granting means
     is logged, are such logs also
     analysed?

      USER                PASSWORD                              Very
      MANAGEMENT                                                Serious
C.85 Is the allocation and reallocation
     of passwords controlled through
     a formal management process?
C.86 Are the users asked to sign a
     statement to keep the password
     confidential?
C.87 Have users been informed on
     how to handle passwords
     correctly?
C.88 Is    the   password       quality
     controlled?
C.89 Are     password         changes
     mandatory?
Technical Guide

S. No Audit Objective                          A ud itor's         R isk
                                             O bserv ation      C ateg o ry
                                         Y    N     Comments
C.90 Has every user been provided
     with a password?
C.91 Are there any fixed procedures
     relating to the escrow of
     passwords?
C.92 If Yes, are the escrowed
     passwords complete and up-to-
     date?
C.93 Have provisions been made to
     ensure proper handling of
     escrowed passwords?
C.94 Is the system of password
     changes controlled on the basis
     of updating entries for escrowed
     passwords?
      PASSWORD USE                                             Very
                                                               Serious
C.95 Are there any guidelines in place
     to guide users in selecting and
     maintaining secure passwords?
      POLICY ON USE OF NETWORK                                 Very
      SERVICES                                                 Serious
C.96 Does a policy exist that does
     address concerns relating to
     networks and network services
     such as:
     Parts of network to be accessed,
     Authorisation     services    to
     determine who is allowed to do
     what, Procedures to protect the
     access to network connections
     and network services?
Technical Guide

S. No Audit Objective                           A ud itor's         R isk
                                              O bserv ation      C ateg o ry
                                          Y    N     Comments
C.97 Are users provided with standard
     configuration of work stations? If
     not, are deviations authorized
     and documented?
      TERMINAL                LOGON                             Very
      PROCEDURES                                                Serious

C.98 Has it been ensured that access
     to    information    system    is
     attainable only via a secure log-
     on process?
C.99 Are machines configured to boot
     from hard drives?
C.100 Is there a BIOS password set for
      PC to disable users from booting
      through CD drives?
C.101 Is the number of unsuccessful
      log-in attempts restricted?
C.102 Whether After each unsuccessful
      log-in attempt, the waiting time
      until the next log-in prompt
      increases.
C.103 Are unsuccessful log-in attempts
      reported to the user?
C.104 Is access to the console
      protected by passwords or other
      means?
      USER IDENTIFICATION AND                                   Very
      AUTHORISATION                                             Serious
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments
C.105 Whether unique identifier is
      provided to every user such as
      operators, system administrators
      and all other staff including
      technical.
C.106 Whether the generic user
      accounts are supplied under
      exceptional circumstances only
      where there is a clear business
      benefit. Additional controls may
      be necessary to maintain
      accountability.
C.107 Whether     the     authentication
      method used does substantiate
      the claimed identity of the user.
      Commonly        used      method:
      Password that only the user
      knows.
      PASSWORD          MANAGEMENT                               Very
      SYSTEM                                                     Serious
C.108 Whether there exists a password
      management        system     that
      enforces     various    password
      controls such as individual
      password for accountability,
      enforcing password changes,
      storing passwords in encrypted
      form, not displaying passwords
      on screen etc.
      TERMINAL TIMEOUT                                           Very
                                                                 Serious
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments
C.109 Whether Inactive terminal in
      public areas are configured to
      clear the screen or shut down
      automatically after a defined
      period of inactivity.
       LIMITATION OF CONNECTION                                  Very
       TIME                                                      Serious
C.110 Whether there exists any
      restriction on connection time for
      high-risk applications. This type
      of set up should be considered
      for sensitive applications for
      which the terminals are installed
      in high-risk locations.
       USER REGISTRATION                                         Very
                                                                 Serious
C.111 Whether there is any formal user
      registration and deregistration
      procedure for granting access to
      multi-user information systems
      and services.
      The creation of a user account
      must be approved by the
      business owner of the application
      in question or their nominee.
C.112 Are there standard rights profiles
      for different functions or tasks?
       PRIVILEGE MANAGEMENT                                      Very
                                                                 Serious
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments

C.113 Whether the allocation and use
      of any privileges in multi-user
      information system environment
      is restricted and controlled i.e.,
      privileges are allocated on need-
      to-use basis; privileges are
      allocated only after formal
      authorisation process.
C.114 Are there any organisational
      procedures    governing  the
      designation of users or user
      groups?
C.115 Is there any program for the
      configuration of users or user
      groups?
C.116 Are there records of the
      authorized users and groups and
      their authorisation profiles?
      REVIEW OF USER ACCESS                                      Very
      RIGHTS                                                     Serious
C.117 Whether there exists a process
      to review user access rights at
      regular    intervals.   Example:
      Special privilege review every 3
      months, normal privileges every
      6 months.
      INFORMATION             ACCESS                             Very
      RESTRICTION                                                Serious
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments

C.118 Whether access to application by
      various groups/ personnel within
      the organisation has been
      defined in the access control
      policy as per the individual
      business application requirement
      and whether it is consistent with
      the organisation's Information
      access policy.
      MONITORING SYSTEM USE                                      Very
                                                                 Serious
C.119 Whether procedures are set up
      for monitoring the use of
      information processing facility.
      The procedure should ensure
      that the users are performing
      only the activities that are
      explicitly authorized.
C.120 Whether the results of the
      monitoring activities are reviewed
      regularly.
      UNAUTHORISED SOFTWARE                                      Very
                                                                 Serious
C.121 Has a procedure for the
      authorisation and registration of
      software been laid down?
C.122 Has the ban on use of non-
      approved software been put in
      writing?
C.123 Have all staff members been
      informed of the ban?
Technical Guide

S. No Audit Objective                              A ud itor's         R isk
                                                 O bserv ation      C ateg o ry
                                             Y    N     Comments
C.124 What possibilities happen to be
      there for installation or use of
      unauthorised software?
C.125 Are     checks      carried  out
      periodically on the software
      inventory?
      ADMINISTRATOR FUNCTIONS                                      Very
                                                                   Serious
C.126 To which persons is the
      supervisor password known?
C.127 Have administrator roles been
      divided up?
C.128 Are the authorisations assigned
      by the administrator randomly
      checked?
C.129 How frequently are logins and
      logouts using administrator ID
      checked?
      EVENT LOGGING                                                Very
                                                                   Serious
C.130 Whether audit logs recording
      exceptions and other security
      relevant events are produced and
      kept for an agreed period to
      assist in future investigations and
      access control monitoring.
      REPORTING                SECURITY                            Very
      WEAKNESSES                                                   Serious
C.131 Whether a formal reporting
      procedure or guideline exists for
      users,     to     report    security
      weakness in, or threats to,
      systems or services.
Technical Guide

S. No Audit Objective                              A ud itor's         R isk
                                                 O bserv ation      C ateg o ry
                                             Y    N     Comments
C.132 Are staff members informed in a
      suitable form of IT security
      incidents which have occurred
      either within the organisation or
      which have become public
      knowledge, and are they told how
      to avoid them?
      DISCIPLINARY PROCESS                                         Very
                                                                   Serious
C.133 Whether there is a formal
      disciplinary process in place for
      employees who have violated
      organisational security policies
      and procedures. Such a process
      can act as a deterrent to
      employees who might otherwise
      be inclined to disregard security
      procedures.
      EQUIPMENT SITING                                             Very
      PROTECTION                                                   Serious
C.134 Whether critical equipment is
      located in appropriate place to
      minimize unnecessary access
      into work areas.
C.135 Whether the items requiring
      special protection were isolated
      to reduce the general level of
      protection required.
C.136 Whether controls were adopted
      to minimize risk from potential
      threats such as theft, fire,
      explosives, smoke, water, dust,
      vibration,    chemical      effects,
      electrical   supply     interfaces,
      electromagnetic radiation, flood.
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments
C.137 Whether there is a policy towards
      eating, drinking and smoking in
      proximity     to       information
      processing services.
C.138 Whether             environmental
      conditions,   which         would
      adversely affect the information
      processing      facilities,   are
      monitored.
C.139 Verify that heating, ventilation
      and air-conditioning systems
      maintain constant temperatures
      within the data center.
C.140 Verify that ground earthing exists
      to protect the computer systems.
      Ensure that power is conditioned
      to prevent data loss.
C.141 Is the Server Room designed as
      a closed secure area?
       CABLING SECURITY                                          Procedural
C.142 Whether     the     power  and
      telecommunications        cable
      carrying data or supporting
      information    services     are
      protected from interception or
      damage.
C.143 Whether there are any additional
      security controls in place for
      sensitive or critical information.
       SECURITY      OF     NETWORK                              Very
       SERVICES                                                  Serious
Technical Guide

S. No Audit Objective                             A ud itor's        R isk
                                                O bserv ation     C ateg o ry
                                            Y    N     Comments

C.144 Whether the organisation, using
      public or private network service
      does ensure that a clear
      description of security attributes
      of all services used is provided.

C.145 Are all Internet connections
      routed through a Firewall? Does
      a dedicated team manage the
      Firewall? Are the ports opened
      only on a "need to have" basis?

C.146 Is there an Intruder Detection
      System (IDS) implemented?

C.147 Are the application and database
      servers kept separated from the
      web server in the de-militarized
      zone?

C.148 Is the de-militarized zone
      separated from the Internet cloud
      by means of a Firewall?

C.149 If the de-militarized zone is
      connected to the Intranet, is it
      separated by a Firewall?

C.150 Is the Firewall rule base treated
      as a sensitive information and is
      knowledge of the same restricted
      to only authorized officials in the
      IT / Computer operations
      department?
Technical Guide

S. No Audit Objective                              A ud itor's         R isk
                                                 O bserv ation      C ateg o ry
                                             Y    N     Comments
C.151 Is the decision to open specific
      firewall ports/rule base approved
      in accordance with IT Security
      Policy (IT Security Policy should
      list out such ports) e.g. firewalls
      should block unwanted ports
      running services such as ftp,
      telnet, SMTP, etc. into the de-
      militarized zone?
       CLOCK SYNCHRONISATION                                       Procedural
C.152 Whether the computer or
      communication device has the
      capability of operating a real time
      clock. If yes, has it been set to an
      agreed standard such              as
      Universal Coordinated Time or
      local standard time? The correct
      setting of the computer clock is
      important to ensure the accuracy
      of the audit logs.
       UNATTENDED                  USER                            Procedural
       EQUIPMENT
C.153 Whether      the     users     and
      contractors are made aware of
      the security requirements and
      procedures       for     protecting
      unattended equipment, as well as
      their responsibility to implement
      such protection.
       SENSITIVE SYSTEM                                            Procedural
       ISOLATION
Technical Guide

S. No Audit Objective                               A ud itor's         R isk
                                                  O bserv ation      C ateg o ry
                                              Y    N     Comments
C.154 Whether sensitive systems are
      provided with isolated computing
      environment such as running on
      a dedicated computer, sharing
      resources only with trusted
      application systems, etc.
       SECURITY OF ELECTRONIC                                       Procedural
       EMAIL
C.155 Whether there is a policy in place
      for the acceptable use of
      electronic mail or does security
      policy address the issues with
      regards to use of electronic mail.
C.156 Whether there are adequate
      procedures, which require that all
      the incoming e-mail messages be
      scanned for virus to prevent virus
      infection to the network
C.157 Have regulations governing file
      transfer and exchange of
      messages with external parties
      been established?
C.158 Are there formal rules based on
      which e-mail addresses are
      assigned?
C.159 Are security measures such as
      filtering and text search in emails
      implemented?
C.160 Is the criterion for e-mail filtering
      adequate?       What    are       the
      procedures for changes in
      filtering parameters?
Technical Guide

S. No Audit Objective                           A ud itor's         R isk
                                              O bserv ation      C ateg o ry
                                          Y    N     Comments
C.161 Have controls such as anti-virus
      checking, isolating potentially
      unsafe     attachments,      spam
      control, anti relaying etc., been
      put in place to reduce the risks
      created by electronic mail?
      CONTROL          AGAINST                                  Serious
      MALICIOUS SOFTWARE
C.162 Whether there exists any control
      against   malicious    software
      usage.
C.163 Whether the security policy does
      address software licensing issues
      such as prohibiting usage of
      unauthorized software.
C.164 Whether there exists any
      Procedure to verify that all
      warning bulletins are accurate
      and informative with regards to
      the malicious software usage.
C.165 Whether Antivirus software is
      installed on the computers to
      check and isolate or remove any
      viruses from computer and
      media.
C.166 Whether this software signature
      is updated on a regular basis to
      check any latest viruses.
Technical Guide

S. No Audit Objective                             A ud itor's         R isk
                                                O bserv ation      C ateg o ry
                                            Y    N     Comments
C.167 Whether all the traffic originating
      from un-trusted network into the
      organisation is checked for
      viruses. Example: Checking for
      viruses      on   email,      email
      attachments and on the web,
      FTP traffic.
C.168 Are periodic runs of a virus
      detection program configured?
C.169 Are there occasional checks as
      to whether updates have been
      performed? Have the results
      been documented?
C.170 Use of a virus scanning program
      when exchanging of data media
      and data transmission ­ Is Anti
      Virus auto enabled to check CDs
      and floppies?
C.171 Are received files and data media
      checked for virus infection before
      being imported?
       REMOTE DIAGNOSTIC PORT                                     Procedural
       PROTECTION
C.172 Whether accesses to diagnostic
      ports are securely controlled i.e.,
      protected    by     a     security
      mechanism.
       SEGREGATION IN NETWORKS                                    Very
                                                                  Serious
Technical Guide

S. No Audit Objective                             A ud itor's         R isk
                                                O bserv ation      C ateg o ry
                                            Y    N     Comments
C.173 Whether the network (where
      business partner's and/ or third
      parties     need     access    to
      information     system)        is
      segregated     using    perimeter
      security mechanisms such as
      firewalls.
       NETWORK            CONNECTION                              Very
       PROTOCOLS                                                  Serious
C.174 Whether there exists any network
      connection control for shared
      networks that extend beyond the
      organisational          boundaries.
      Example: electronic mail, web
      access, file transfers, etc.,
       NETWORK                ROUTING                             Procedural
       CONTROL
C.175 Are    changes     to   network
      configuration documented?
C.176 Is the system administrator the
      only person who is able to
      change the configuration
C.177 Is the system administrator the
      only person who is able to read
      the network log files
       SECURITY      OF    MEDIA      IN                          Procedural
       TRANSIT
C.178 Whether security of media while
      in transit has been taken into
      account.
Technical Guide

S. No Audit Objective                             A ud itor's         R isk
                                                O bserv ation      C ateg o ry
                                            Y    N     Comments
C.179 Whether the media is well
      protected from unauthorised
      access, misuse or corruption.
       ELECTRONIC          COMMERCE                               Procedural
       SECURITY
C.180 Whether Electronic commerce is
      well protected and controls
      implemented to protect against
      fraudulent     activity,   contract
      dispute and disclosure or
      modification of information.
C.181 Whether Security controls such
      as Authentication, Authorisation
      are considered in the E-
      Commerce environment.
C.182 Whether electronic commerce
      arrangements between trading
      partners include a documented
      agreement, which commits both
      parties to the agreed terms of
      trading, including details of
      security issues.
       USER AUTHENTICATION FOR                                    Procedural
       EXTERNAL CONNECTIONS
C.183 Whether there exists any
      authentication mechanism for
      challenging external connections.
      Examples: Cryptography based
      technique, hardware tokens,
      software     tokens,    challenge/
      response protocol etc.,
Technical Guide

S. No Audit Objective                              A ud itor's         R isk
                                                 O bserv ation      C ateg o ry
                                             Y    N     Comments

       FIRE   DETECTION    AND                                     Serious
       PREVENTION CONTROLS
C.184 Are Fire detection measures
      adequate such as fire alarms
      available?
C.185 Has staff been informed of the
      location of hand-held fire
      extinguishers?
C.186 Can      the   hand-held        fire
      extinguishers     actually       be
      accessed in case of a fire?
C.187 Is training provided for the use of
      hand-held fire extinguishers?
C.188 Are hand-held fire extinguishers
      regularly    inspected      and
      maintained?
C.189 Is the fire alarm system checked
      periodically to ensure that it is
      working properly?
C.190 Has all the staff been informed of
      the steps to be taken in the event
      that an alarm goes off?
C.191 Is there an adequate number of
      fire extinguishers (generally one
      for every 50 sqft of area)?
C.192 · Is a fire suppression system
         in place consisting of Fire
         extinguishers            and
         Sprinklers?
      · Are they in working order
         and being monitored?
Technical Guide

S. No Audit Objective                              A ud itor's         R isk
                                                 O bserv ation      C ateg o ry
                                             Y    N     Comments

       Manage the configuration
       CONTROL OF TECHNICAL
       VULNERABILITIES
C.193 · Whether timely information
        about                technical
        vulnerabilities of information
        systems being used is
        obtained.
      · Whether the organization's
        exposure         to      such
        vulnerabilities evaluated and
        appropriate measures taken
        to mitigate the associated
        risk.
       SAFEGUARDING         OF                                     Very
       ORGANISATIONAL RECORDS                                      Serious
C.194 Whether important records of the
      organisation are protected from
      loss destruction and falsification.
       DISPOSAL OF MEDIA                                           Very
                                                                   Serious
C.195 Whether the media that are no
      longer required are disposed off
      securely and safely.
C.196 Whether disposal of sensitive
      items is logged where necessary
      in order to maintain an audit trail.
       SECURE DISPOSAL OR RE-                                      Very
       USE OF EQUIPMENT                                            Serious
Technical Guide

S. No Audit Objective                           A ud itor's         R isk
                                              O bserv ation      C ateg o ry
                                          Y    N     Comments
C.197 Whether         storage   device
      containing sensitive information
      is physically destroyed or
      securely over- written.
      INFORMATION          HANDLING                             Procedural
      PROCEDURES
C.198 Whether there exists a procedure
      for handling the storage of
      information. Does this procedure
      address     issues     such    as
      information    protection   from
      unauthorised     disclosure    or
      misuse?
      DATA MANAGEMENT                                           Procedural
C.199 Are the persons responsible for
      the exchange of data media
      familiar with the process of
      physical erasure?
      MANAGEMENT                   OF                           Procedural
      REMOVABLE MEDIA
C.200 · Whether procedures exist
        for     management       of
        removable media, such as
        tapes, disks, cassettes,
        memory cards, and reports.
      · Whether all procedures and
        authorization levels are
        clearly      defined    and
        documented.
      BUSINESS          INFORMATION                             Procedural
      SYSTEMS
Technical Guide

S. No Audit Objective                           A ud itor's         R isk
                                              O bserv ation      C ateg o ry
                                          Y    N     Comments
C.201 Whether policies and procedures
      have been developed and
      enforced to protect information
      associated        with      the
      interconnection of business
      information systems.
      Manage      the        physical
      environment
      PHYSICAL             SECURITY                             Serious
      PERIMETER
C.202 · Are physical border security
         facilities      implemented
         adequate to protect the
         Information        processing
         service? Some examples of
         such security facilities are:
         card control for entry gate,
         walls, manned reception
         etc.?
      · Are visitors required to
         record their entry inside the
         premises in a separate
         register?
       · Are      details   of   their
          possessions recorded and
          verified at the time of their
          exit from the premises
       · Are cameras disallowed
          inside the premises?
Technical Guide

S. No Audit Objective                             A ud itor's         R isk
                                                O bserv ation      C ateg o ry
                                            Y    N     Comments
C.203 · Does Data Center exterior
         Lighting, building orientation
         provide         a        secure
         environment?
      · Data Centers should be
         anonymous. Ensure that
         there is no signage or
         listings in directories?
       SECURING OFFICES, ROOMS                                    Serious
       AND FACILITIES
C.204 Whether the rooms, which have
      the     Information processing
      service, are:
       · locked
       · have lockable cabinets
       · safes.
C.205 Whether       the       Information
      processing service is protected
      from natural and man-made
      disaster such as raised floors,
      good exterior walls /or other
      suitable acceptable infrastructure
C.206 Whether there is any potential
      threat    from     neighboring
      premises.
C.207 Ensure that water alarm system
      is configured to detect water in
      high risk areas of the data center
C.208 Ensure that burglar alarm is
      protecting the data center from
      physical intrusion.
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments
C.209 Are there adequate controls over
      modems and other dial up
      devices for employees and
      visitors (data cards, etc)?
C.210 Ensure that surveillance systems
      (CCTV) are designed and
      operating properly?
      PHYSICAL ENTRY CONTROLS                                    Serious
C.211 Are entry controls in place to
      allow only authorised personnel
      into   various   areas    within
      organisation?
C.212 Is there a practice of Supervising
      or          escorting     outside
      staff/visitors?
      REMOVAL OF PROPERTY                                        Serious
C.213 Whether equipment, information
      or software can be taken off-site
      without appropriate authorisation.
      PROTECTING       AGAINST                                   Serious
      EXTERNAL             AND
      ENVIRONMENTAL THREATS
C.214 Whether physical protection
      against damage from fire, flood,
      earthquake,    explosion,    civil
      unrest and other forms of natural
      or man-made disaster has been
      designed and applied.
  D   Maintain IT
      Monitoring and Compliance
Technical Guide

S. No Audit Objective                            A ud itor's         R isk
                                               O bserv ation      C ateg o ry
                                           Y    N     Comments

       COMPLIANCE WITH SECURITY                                  Serious
       POLICIES AND STANDARDS
 D.1   · Whether managers ensure
         that all security procedures
         within     their   area     of
         responsibility are carried out
         correctly       to    achieve
         compliance with security
         policies and standards.
       · Do managers regularly
          review the compliance of
          information        processing
          facility within their area of
          responsibility for compliance
          with appropriate security
          policy and procedure?
       ADMINISTRATOR               AND                           Serious
       OPERATOR LOGS
 D.2   · Whether                system
         administrator and system
         operator     activities     are
         logged.
       · Whether      the       logged
         activities are reviewed on
         regular basis.
       TECHNICAL         COMPLIANCE                              Serious
       CHECKING
Technical Guide

S. No Audit Objective                           A ud itor's         R isk
                                              O bserv ation      C ateg o ry
                                          Y    N     Comments

 D.3   · Whether         information
         systems     are     regularly
         checked for compliance with
         security     implementation
         standards.
       · Whether    the    technical
         compliance check is carried
         out by, or under the
         supervision of, competent,
         authorized personnel.
       INFORMATION          SYSTEMS                             Serious
       AUDIT CONTROLS
 D.4   · Whether audit requirements
         and activities involving
         checks     on    operational
         systems have been carefully
         planned and agreed to
         minimise    the    risk   of
         disruptions to business
         process.
       · Whether      the   audit
         requirements, scope are
         agreed with appropriate
         management.
       Application and logical access                           Very
       controls                                                 Serious
       Name of the application used for
       investment operations:
Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
 D.5 Obtain a list of valid user IDs at
     the location and,
      · Reconcile Active users to
          those present in the location
          as per attendance roles
      · Validate User Work Class
          with the designation of the
          users at the location
      · Verify if concurrent auditors
          have been provided with
          only view access
      · Check for user with
          maximum inactive time
          greater than 10 minutes
      · Check for user with
          password       expiry    date
          greater than 40 days from
          the current day.
      · For user ID disabled, check
          whether these have been
          done immediately after their
          names have been removed
          from the attendance register.
          In case any delays are
          noticed from the time of
          removal from attendance
          register to the actual date of
          disabling the user Id report
          the same.
      Are there any discrepancies in
      the above?
Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
 D.6   Are Access privileges defined for
       each user as per the
       designation?
 D.7   Whether the User Ids of
       employees who have been
       transferred, or have retired/
       resigned are deleted from
       application.
 D.8   · Whether the application
          logs out the user after 5
          minutes of inactivity.
       · Whether the system forces
          the user to change the
          initial password given by
          system manager.
       · Users acknowledge receipt
          of the password on the
          register maintained for the
          purpose
 D.9   Whether the user log-off the
       application whenever they leave
       the work place for break.
D.10   · Check that all user
          accounts are identifiable to
          a user and generic user-
          ids, which cannot be
          attributed to any individual,
          are not allowed.
       · Check that all default
          vendor accounts shipped
          with the application have
          been disabled.
Technical Guide

S. No Audit Objective                              A ud itor's        R isk
                                                 O bserv ation     C ateg o ry
                                             Y    N     Comments

D.11   Is the user ID temporarily
       suspended when the staff
       members         are      out    on
       training/outstation     assignment
       and the user ID will remain
       inactive for certain days?
D.12   Whether an undertaking          for
       maintaining      secrecy       and
       confidentiality of password    has
       been obtained from every      user
       and preserved.
D.13   Whether super user passwords
       are changed immediately after
       those are used by support
       persons for rectification of
       problems and this usage is
       documented.
D.14   Whether every user has only
       one identifiable user ID and not
       more than one user id has been
       given to any user.
D.15   Whether Super user passwords
       (for applications hosted at the
       location)    are    confined to
       systems manager only and the
       same are kept with the location
       in charge in a sealed cover.
Technical Guide

S. No Audit Objective                             A ud itor's         R isk
                                                O bserv ation      C ateg o ry
                                            Y    N     Comments
D.16   Password Security:-
        · Whether the users change
           their password periodically.
        · Does the application force
           the user to set an alpha
           numeric password/
        · Is the minimum length of
           the password set to 8
           characters?
        · Whether password entry is
          disabled      after       three
          unsuccessful             log-on
          attempts?
        · Whether the system forces
          the users to change their
          password after 40 days
          from the date of last
          creation / modification.
        · Whether password history
          is maintained by the
          application.              From
          Transaction records, day
          end reports or audit trails,
          perform a sample check to
          verify if user ID has been
          used on any day when the
          user is on leave.
       ENFORCED PATH                                              Procedural
D.17 Whether there is any control that
     restricts the route between the
     user terminal and the designated
     computer services the user is
     authorised to access, for
     example, enforced path to reduce
     the risk.
Technical Guide

S. No Audit Objective                         A ud itor's         R isk
                                            O bserv ation      C ateg o ry
                                        Y    N     Comments
      NODE AUTHENTICATION                                     Procedural
D.18 Whether connections to remote
     computer systems that are
     outside organisations security
     management are authenticated.
     Node authentication can serve as
     an        alternate means     of
     authenticating groups of remote
     users where they are connected
     to a secure, shared computer
     facility.
      NETWORK TESTS                                           Serious
D.19 Is       it      ensured    that
     products/services that use the
     Internet for connectivity or
     communications have undergone
     a successful penetration test
     prior        to       production
     implementation?
D.20 Is there a penetration test
     process that ensures that
     modifications       to      the
     product/service that uses the
     Internet for connectivity or
     communication     have    been
     reviewed to determine whether a
     subsequent penetration test is
     warranted?
D.21 Is there an intrusion detection
     system in place for all the
     external IP connections?
      ON-LINE TRANSACTIONS                                    Serious
Technical Guide

S. No Audit Objective                            A ud itor's        R isk
                                               O bserv ation     C ateg o ry
                                           Y    N     Comments
D.22 Whether information involved in
     online transactions is protected
     to       prevent        incomplete
     transmission,          mis-routing,
     unauthorized message alteration,
     unauthorized            disclosure,
     unauthorized              message
     duplication or replay.
                      Annexure D




APPLICATION CONTROLS CHECKLIST
Technical Guide

IRDA Regulations
S.     Area or Sub      IRDA R equirem ent            Auditor's O bserv ation
No.       A rea         (Extracted from its            Y es-      No Comments
                          Circulars) (refer         C o m plies
                         columns 2 and 3)            with the
                                                    regu lation
   1   Functional ­    The        Investment
       Overall         System should have
                       separate modules for
                       Front, Mid and Back
                       Office with separate
                       login
   2   Segregation     (1) In the case of a
       of              Life Insurer, (SFIN In
       Shareholders    the case of ULIP) each
       &               individual fund, both
       Policyholders   falling             under
       ' funds         Shareholder              /
                       Policyholders', under
                       any class of business,
                       has      `scrip'     level
                       investments (except in
                       the case of General
                       Insurance Companies)
                       to comply with the
                       provisions of Section
                       11(1B) of Insurance
                       Act,                 1938
                       (2) Furthermore the
                       Shareholders        funds
                       beyond           Solvency
                       Margin, to which the
                       pattern of Investment
                       will not apply, shall
                       have      a      separate
                       custody account with


  Please check the parameterisation and configuration of the application
related to these. Screen shots may be taken as evidence. Any non compliance
is treated as "Very Serious".
Technical Guide

S.    Area or Sub     IRDA R equirem ent           Auditor's O bserv ation
No.      A rea        (Extracted from its           Y es-      No Comments
                        Circulars) (refer        C o m plies
                       columns 2 and 3)           with the
                                                 regu lation
                    identified scrip for both
                    Life and General
                    Insurance Companies.
 3                  To ensure Business
                    continuity, the Insurer
                    should have a clear
                    Off-site Backup of
                    Data in a City falling
                    under      a     different
                    Seismic Zone, either
                    on his own or through
                    a Service Provider.
                    Further, the Insurer /
                    service provider (if
                    outsourced) is required
                    to have the necessary
                    infrastructure         for
                    Mission.          Critical
                    Systems to address at
                    least the following:
                    1. Calculation          of
                          daily NAV (Fund
                          wise)
                     2. Redemption
                          processing

 4                  System based checks
                    should be in place for
                    investments in an
                    Investee     Company,
                    Group,        Promoter
                    Group and Industry
                    Sector. The system
                    should signal when the
                    Internal / Regulatory
Technical Guide
 S.   Area or Sub    IRDA R equirem ent           Auditor's O bserv ation
No.       A rea      (Extracted from its           Y es-      No Comments
                       Circulars) (refer        C o m plies
                      columns 2 and 3)           with the
                                                regu lation
                    limits   are   nearly
                    reached PRIOR to
                    taking such exposure
                    and making actual
                    investment.
5    Functional ­   Transfer of data from
     Overall        Front Office to Back
                    Office     should      be
                    electronic        without
                    Manual       intervention
                    (Real time basis) i.e.,
                    without       re-entering
                    data at Back Office.
6    Functional ­   All           Investment
     Overall        Systems         to    be
                    seamlessly integrated
                    without            manual
                    intervention.
7                   The Insurer may have
                    multiple Data Entry
                    Systems, but all such
                    Systems should be
                    seamlessly integrated
                    without       manual
                    intervention.
8    Functional -   Audit trail to be
     Overall        available for all data
                    entry points including
                    at the Checker /
                    Authorizer level
9    Functional -   Maker          Checker
     Overall        process to be enforced
10   Functional -   System based checks
     Overall        to be in place for
Technical Guide

S.    Area or Sub     IRDA R equirem ent          Auditor's O bserv ation
No.      A rea        (Extracted from its          Y es-      No Comments
                        Circulars) (refer       C o m plies
                       columns 2 and 3)          with the
                                                regu lation
                     investments as per
                     Internal / Regulatory
                     limits PRIOR to taking
                     such exposure and
                     making          actual
                     investment.
 11                  Inter-Fund     transfer
                     capability

 12                  Inter-Fund      transfer
                     capability   -      Non
                     Switching      between
                     Traditional and Unit
                     Linked Funds
 13   Functional -   The system to be
      Overall        capable of computing
                     various      portfolio
                     returns
 14                  The System should
                     handle Inter Fund
                     transfer as per Circular
                     IRDA-FA-02-10-2003-
                     04. The Investment
                     Committee may fix the
                     Cut Off time as per
                     Market practice, for
                     such transfer within
                     the fund. (The inter
                     fund transfer should be
                     like any other Market
                     deal and the same
                     needs to be carried out
                     with in the Market
                     hours only)
Technical Guide

S.    Area or Sub     IRDA R equirem ent          Auditor's O bserv ation
No.      A rea        (Extracted from its          Y es-      No Comments
                        Circulars) (refer       C o m plies
                       columns 2 and 3)          with the
                                                regu lation
 15   Functional -   System to perform
      Overall        regular           limits
                     monitoring          and
                     Exception Reporting.
                     Also    reporting    on
                     movement of prices.
 16   Functional -   Cash       Management
      Overall        System should provide
                     the funds available for
                     Investment considering
                     the          settlement
                     obligations         and
                     subscription        and
                     redemption of units
 17   Functional -   The System to be
      Overall        validated not to accept
                     any        commitment
                     beyond availability of
                     funds.
 18   Functional -   The System to be
      Overall        validated to restrict
                     Short Sales at the time
                     of placing the order
 19   Functional -   The         Investment
      Overall        System to capture
                     Instrument Ratings to
                     enable       it     to
                     automatically generate
                     FORM 2 (Statement of
                     Downgraded
                     Investments) through
                     the System.
 20   Functional -   The         Investment
      Overall        System    to capture
Technical Guide

S.    Area or Sub     IRDA R equirem ent           Auditor's O bserv ation
No.      A rea        (Extracted from its           Y es-      No Comments
                        Circulars) (refer        C o m plies
                       columns 2 and 3)           with the
                                                 regu lation
                     Instrument Ratings to
                     enable       it     to
                     automatically generate
                     FORM 2 (Statement of
                     Downgraded
                     Investments) through
                     the System.
 21   Functional -   The System to have
      Overall        the ability to track
                     changes in ratings
                     over a period &
                     generate appropriate
                     alerts,   along     with
                     ability  to     classify
                     investment     between
                     Approved and Other
                     Investments
 22   Functional -   Track of movement of
      Overall        Securities     between
                     Approved and Other
                     Investments Status, as
                     a part of Audit trail, at
                     individual      security
                     level
 23   Functional -   The System should
      Overall        have key limits preset
                     for            ensuring
                     compliance with all
                     Regulatory
                     requirements       and
                     should be supported
                     by workflow through
                     the System, (Real time
                     basis)     for    such
                     approval, if Regulatory
Technical Guide

S.    Area or Sub     IRDA R equirem ent            Auditor's O bserv ation
No.      A rea        (Extracted from its            Y es-      No Comments
                        Circulars) (refer         C o m plies
                       columns 2 and 3)            with the
                                                  regu lation
                     limit is close to be
                     breached
 24   Functional -   The System to have
      Overall        capability           of
                     generating Exception
                     reports for Audit by
                     Internal / Concurrent
                     Auditor The System
                     should have capability
                     of          generating
                     Exception reports for
                     Audit by Internal /
                     Concurrent Auditor
 25   Functional -   System                  to
      Overall        automatically track and
                     report all internal limits
                     breaches. All such
                     breaches should be
                     audited by Internal /
                     Concurrent Auditor.
 26   Functional -   The system to be
      Overall        validated in such a
                     way, that the Deal can
                     only be rejected by the
                     Back Office & NOT
                     edited
 27                  The System to be
                     capable of computing
                     NAV
 28                  The System should be
                     capable of computing
                     NAV and compare it
                     with   the       NAV
                     computed    by    the
                     Service provider, if
Technical Guide

S.    Area or Sub      IRDA R equirem ent           Auditor's O bserv ation
No.      A rea         (Extracted from its           Y es-      No Comments
                         Circulars) (refer        C o m plies
                        columns 2 and 3)           with the
                                                  regu lation
                      outsourced.
 29                   The Insurer should
                      maintain NAV history
                      (Fund wise) in his
                      Public Domain from
                      the Start of the Fund to
                      Current Date.
 30   Functional -    Method of computing
      Overall         NAV should be in line
                      with IRDA regulations
 31   Methodology     Every Purchase, Sale
      of Operating    of Investment, Income
      Segregated      on          Investment
      Fund'           (including   Corporate
                      Action)    shall     be
                      identified         with
                      reference     to    the
                      particular `Segregated
                      Fund' and accounted
                      for.
 32   Methodology     Every `Deal Slip' shall
      of Operating    be     identified    with
      Segregated      reference       to   the
      Fund'           `segregated         fund'
                      along with `Segregated
                      Fund       Identification
                      Number "SFIN" for
                      such Segregated Fund
                      and the respective
                      `sub-code' of Custody
                      and the respective
                      Bank Account.
 33   Units           Unit Report shall be
      Creation    /   reconciled with the
                      Investment Accounting
Technical Guide

S.    Area or Sub     IRDA R equirem ent          Auditor's O bserv ation
No.      A rea        (Extracted from its          Y es-      No Comments
                        Circulars) (refer       C o m plies
                       columns 2 and 3)          with the
                                                regu lation
      Redemption     System's Creation /
                     Redemption Report,
                     after booking of unit
                     capital entries
 34   Units          Units created on a
      Creation   /   `day-to-day'      basis
      Redemption     (including    switches),
                     shall be backed by
                     `segregated fund wise'
                     Investment assets. In
                     other words, the value
                     / amount for which
                     Units are created for
                     the particular day (at
                     the prevailing NAV, at
                     the opening of the day,
                     of the respective fund),
                     should be equivalent
                     to the premium receipt
                     (net of switches) less
                     applicable charges and
                     other outflows such as
                     benefits           paid,
                     surrenders          and
                     foreclosures          in
                     excluding     applicable
                     charges      of     the
                     `respective segregated
                     fund'.
 35   Security       1. Equity Investments
      Master         Based on the inputs
      Creation       from treasury: the
                     investment back-office
                     shall create Security
                     Masters in the system
                     (linked via NSE/BSE
Technical Guide

S.    Area or Sub     IRDA R equirem ent           Auditor's O bserv ation
No.      A rea        (Extracted from its           Y es-      No Comments
                        Circulars) (refer        C o m plies
                       columns 2 and 3)           with the
                                                 regu lation
                     codes) and the same
                     shall be validated by
                     the Mid-Office. The
                     procedure      includes
                     documentation          of
                     supporting            and
                     supervisory sign off.
 36   Security       2. Debt Investments:
      Master         Security masters for
      Creation       debt Instruments are
                     prepared on the basis
                     of          Information
                     memorandum in case
                     of     primary       and
                     secondary        market
                     deals by the Back
                     Office. The procedure
                     includes
                     documentation         of
                     supporting          and
                     supervisory sign off.
 37   Primary        1. Booking of Primary
      Market Deals   Market      Deals:Debt
      / IPO          Primary Market Deals
                     shall be booked on the
                     date of application,
                     and on the date of
                     allotment          the
                     Securities   will   be
                     reflected    in    the
                     Investment Accounts
 38   Primary        2. Booking of Equity
      Market Deals   IPO:
      / IPO          Equity     Investments
                     shall be accounted on
Technical Guide

S.    Area or Sub      IRDA R equirem ent             Auditor's O bserv ation
No.      A rea         (Extracted from its             Y es-      No Comments
                         Circulars) (refer          C o m plies
                        columns 2 and 3)             with the
                                                    regu lation
                      the date of application
                      for IPO Issue as
                      `Application      Money'
                      and on the date of
                      allotment the allotted
                      Shares       shall    be
                      reflected      in    the
                      Investment accounts.
 39   Secondary       1. Debt DealsAll Debt
      Market Debt /   securities              as
      Equity Deal     categorised              in
      Authorization   IRDA/GLN/001/2003-
                      04 ­ Categories of
                      Investments,            as
                      amended from time to
                      time, shall be executed
                      with      counterparties
                      and reported on NSE /
                      BSE       /     FIMMDA
                      reporting platform and
                      the same shall be
                      confirmed            with
                      counterparties.       The
                      deals       shall       be
                      authorised     in      the
                      investment system and
                      the trade files /
                      information shall be
                      sent to custodian /
                      other online settlement
                      systems as recognised
                      by      any      financial
                      regulator               for
                      settlement.
 40   Secondary       2. Equity Deals - STP
      Market Debt /   (Straight     Through
Technical Guide

S.    Area or Sub      IRDA R equirem ent             Auditor's O bserv ation
No.      A rea         (Extracted from its             Y es-      No Comments
                         Circulars) (refer          C o m plies
                        columns 2 and 3)             with the
                                                    regu lation
      Equity Deal     Process)
      Authorization   Reconciliation:
                      All Secondary Market
                      equity deals shall be
                      put through the STP
                      module         in       the
                      investment         system.
                      The dealer shall put
                      though the deal in the
                      investment          system
                      after concluding the
                      transaction. The deal
                      would then flow to the
                      back office which
                      would be compared
                      with the input details
                      and the STP file
                      received from broker.
                      If all details match, the
                      transaction would be
                      authorised       in     the
                      system for settlement.
 41   Secondary       2. Equity Deals - STP
      Market Debt /   (Straight       Through
      Equity Deal     Process)
      Authorization   Reconciliation
                      Custodian       /Broker
                      settlement:
                      After               STP
                      reconciliation       the
                      equity trade files ISO
                      files shall be sent to
                      custodian and broker
                      houses through STP.
 42   Secondary       All deals shall be
      Market Debt /   recorded on trade date
Technical Guide

S.    Area or Sub      IRDA R equirem ent          Auditor's O bserv ation
No.      A rea         (Extracted from its          Y es-      No Comments
                         Circulars) (refer       C o m plies
                        columns 2 and 3)          with the
                                                 regu lation
      Equity Deal     accounting basis.
      Authorization
 43   Settlement      1. Equity (Sale) - (as
      Process         per          Exchange
                      Compliance     Norms,
                      Currently        T+2):
                      Bank settlement (trade
                      receivables)    entries
                      shall be passed for
                      trades settling on
                      current day.
 44   Settlement      2. Equity (Purchase) -
      Process         (as per Exchange
                      Compliance        Norms,
                      Currently          T+1):
                      Bank settlement (trade
                      payables) entries shall
                      be passed for trades
                      settling on current day.
                      It may also be settled
                      on T+2 basis, if the
                      company              had
                      deposited         margin
                      money       with     the
                      exchanges as required
                      for equity settlement.
 45   Settlement      3. Debt (purchase/
      Process         Sale) - (as per
                      Exchange Compliance
                      Norms, Currently T+1):
                      Bank settlement (trade
                      payables/receivables)
                      entries shall be passed
                      for trades settling on
                      current day. Corporate
Technical Guide

S.    Area or Sub    IRDA R equirem ent          Auditor's O bserv ation
No.      A rea       (Extracted from its          Y es-      No Comments
                       Circulars) (refer       C o m plies
                      columns 2 and 3)          with the
                                               regu lation
                    Debt deals dealt on
                    T+0 basis shall be
                    settled on T+0 basis.
 46   Settlement    4. Money market
      Process       transactions & Non-
                    SLR -         (as   per
                    Exchange Compliance
                    Norms, Currently T+1):
                    Bank settlement (trade
                    payables/receivables)
                    entries shall be passed
                    for trades settling on
                    current day. Money
                    market     transactions
                    excluding treasury bills
                    could also be dealt
                    and settled on T+O
                    basis.
 47   Settlement    5.    Reverse   Repo
      Process       withdrawal:
                    Reverse         Repo
                    maturities shall be
                    posted      in  bank
                    accounts

 48   Settlement    6. Brokerage
      Process       Payments:
                    Brokerage Payment
                    shall be settled in
                    Bank
 49   Corporate     2. Debt: The insurer
      Action        shall configure their
                    Investment System for
                    details of     interest
                    receivable         and
Technical Guide

S.    Area or Sub    IRDA R equirem ent            Auditor's O bserv ation
No.      A rea       (Extracted from its            Y es-      No Comments
                       Circulars) (refer         C o m plies
                      columns 2 and 3)            with the
                                                 regu lation
                    redemption          dates.
                    Further, details of
                    interest receivable and
                    redemption can also
                    be obtained from the
                    custodian      /     other
                    online        settlement
                    systems as recognised
                    by      any      financial
                    regulator.
 50   Valuation     Valuation of securities
      Process       shall be in line with the
                    INV/CIR/020/2008-09
                    ­ Point. G ­ Statement
                    of           Investment
                    Reconciliation          -
                    Annexure 2.
 51   Valuation     The Insurer shall close
      Process       the Investment Front
                    Office    system     for
                    transactions at 5.30
                    PM. The Concurrent
                    Auditor shall confirm
                    the compliance of this
                    requirement in their
                    quarterly report to the
                    Board of Directors .
 52   Charges   -   Fund       Management
      Fund          Charges          (FMC)
      Management    including service tax
      Charges       shall be `accounted' for
                    on a day-to-day basis
                    in    the    investment
                    accounting      system.
                    The actual transfer of
Technical Guide

S.    Area or Sub        IRDA R equirem ent           Auditor's O bserv ation
No.      A rea           (Extracted from its           Y es-      No Comments
                           Circulars) (refer        C o m plies
                          columns 2 and 3)           with the
                                                    regu lation
                        accumulated       FMC
                        shall be done at the
                        end of the month.
 53   Charges       -   Dealing costs including
      Dealing           brokerage, securities
      costs             transaction tax and
                        service tax shall be
                        adjusted in the cost of
                        investments.
 54   NAV               The NAV of the
      Computation       Segregated        FUND
                        shall be computed as
                        Market     Value       of
                        investment held by the
                        fund + Value of
                        Current Assets ­ Value
                        of Current Liabilities &
                        Provisions, if       any
                        DIVIDED BY Number
                        of Units existing on
                        Valuation Date
 55   NAV               Number      of    units
      Computation       derived    from     the
                        investment accounting
                        system     shall     be
                        reconciled on a day to
                        day basis with the
                        policy admin system
 56   `NAV' error ­     All    expenses and
      Computation       incomes accrued up to
      &                 the Valuation date
      Compensation      shall be considered for
                        computation of NAV.
                        For this purpose, while
                        major expenses like
Technical Guide

S.    Area or Sub     IRDA R equirem ent             Auditor's O bserv ation
No.      A rea        (Extracted from its             Y es-      No Comments
                        Circulars) (refer          C o m plies
                       columns 2 and 3)             with the
                                                   regu lation
                     management fees and
                     other         periodic
                     expenses should be
                     accrued on a day to
                     day basis, other minor
                     expenses and income
                     can be accrued on a
                     weekly basis, provided
                     the non-accrual does
                     not affect the NAV
                     calculations by more
                     than 1%.
 57   Functional -   System        to     have
      Overall        capability to upload
                     Corporate          Actions
                     such as Stock Splits,
                     Dividend, Rights Issue,
                     Buy      Back,      Bonus
                     issues       etc.,      for
                     computation of NAV /
                     Portfolio valuation
 58   Functional -   Ability    to      have
      Overall        Segregation          of
                     Shareholders          &
                     Policyholders' funds
 59                  Ability to      maintain
                     Fund wise
 60   Functional -   The Systems to have
      Overall        the     capability     of
                     providing alerts on
                     transaction           to
                     transaction basis, its
                     "current"   level      of
                     exposure      BEFORE
                     taking           further
Technical Guide

S.    Area or Sub     IRDA R equirem ent           Auditor's O bserv ation
No.      A rea        (Extracted from its           Y es-      No Comments
                        Circulars) (refer        C o m plies
                       columns 2 and 3)           with the
                                                 regu lation
                     exposure.
 61   Functional -   Investment valuation
      Overall        methodology as per
                     IRDA      circular   for
                     different          asset
                     categories
 62   Functional -   Investment Category
      Overall        Handling for different
                     categories
 63   Functional -   NAV Error handling
      Overall
 64   Functional -   IRDA forms to be
      Overall        directly generated from
                     the system
 65   Functional -   Capability to compute
      Overall        Yield on investment for
                     quarter / yearly basis
 66   Functional -   NPA computation and
      Overall        classification
 67   Security       Access to information
      Issues -       system should be only
      Application    via a secure log-on
      security       process.
      controls
 68   ULIP            `Deal Slip' to be
      Business       identified           with
                     reference     to     the
                     `segregated        fund'
                     along with `Segregated
                     Fund       Identification
                     Number "SFIN" for
                     such        Segregated
                     Fund(s)      and      the
                     respective `sub-code'
Technical Guide

S.    Area or Sub    IRDA R equirem ent          Auditor's O bserv ation
No.      A rea       (Extracted from its          Y es-      No Comments
                       Circulars) (refer       C o m plies
                      columns 2 and 3)          with the
                                               regu lation
                    of Custodian and the
                    respective      Bank
                    Account
 69   ULIP          Every Purchase, Sale
      Business      of Investment, Income
                    on          Investment
                    (including   Corporate
                    Action)    shall     be
                    identified         with
                    reference     to    the
                    particular `Segregated
                    Fund'
 70   ULIP          Daily     Report      of
      Business      `Subscription          &
                    Redemptions' received
                    from the Policy Admin
                    System (PAS) to be
                    uploaded        [without
                    manual      intervention
                    through         process
                    integration] in the
                    Investment Accounting
                    System
 71   ULIP          Units created on a
      Business      'day-to-day'      basis
                    (including    switches),
                    shall be backed by
                    'segregated fund wise'
                    Investment assets. In
                    other words, the value
                    / amount for which
                    Units are created for
                    the particular day (at
                    the prevailing NAV,
                    applicable for the day,
Technical Guide

S.    Area or Sub    IRDA R equirem ent            Auditor's O bserv ation
No.      A rea       (Extracted from its            Y es-      No Comments
                       Circulars) (refer         C o m plies
                      columns 2 and 3)            with the
                                                 regu lation
                    of the respective fund),
                    should be equivalent
                    to the premium receipt
                    (net of switches) less
                    applicable charges and
                    other outflows such as
                    benefits           paid,
                    surrenders          and
                    foreclosures          in
                    excluding    applicable
                    charges      of     the
                    'respective segregated
                    fund'.
 72   ULIP          All Debt securities as
      Business      categorized shall be
                    executed             with
                    counterparties       and
                    reported on NSE / BSE
                    / FIMMDA reporting
                    platform and the same
                    shall be confirmed with
                    counterparties.
                    The deals to be
                    authorized     in     the
                    investment system and
                    the trade files /
                    information shall be
                    sent to custodian /
                    other online settlement
                    systems as recognized
                    by     any      financial
                    regulator              for
                    settlement
 73   ULIP          All Secondary Market
      Business      equity deals shall be
                    put through the STP
Technical Guide

S.    Area or Sub    IRDA R equirem ent          Auditor's O bserv ation
No.      A rea       (Extracted from its          Y es-      No Comments
                       Circulars) (refer       C o m plies
                      columns 2 and 3)          with the
                                               regu lation
                    module      in     the
                    investment system.
 74                 All Equity deals should
                    be     through     STP
                    gateway for all broker
                    transactions.
 75   ULIP          The        insurer    to
      Business      configure          their
                    Investment System for
                    details of      interest
                    receivable          and
                    redemption dates.
 76   ULIP           Accounting of coupon
      Business      payments,
                    redemption/maturities
                    for debt investments
                    shall be automatically
                    triggered     by    the
                    system, based on the
                    interest payment dates
                    and maturity dates
                    defined in the security
                    masters created for
                    'each' security.
 77   ULIP          Investment       Front
      Business      Office system should
                    close for transactions
                    at 6.00 PM.
 78   ULIP          The Investment Trial
      Business      Balance, in respect of
                    each       `Segregated
                    Fund' with clear link to
                    SFI + is generated
                    through the system.

 
 
Home | About Us | Terms and Conditions | Contact Us
Copyright 2016 CAinINDIA All Right Reserved.
Designed and Developed by Binarysoft Technologies Pvt. Ltd.
Integrated Software Solutions Integrated Software Development Integrated Software Services Integrated Software Solutions India Integrated Softw

Transfer Pricing | International Taxation | Business Consulting | Corporate Compliance and Consulting | Assurance and Risk Advisory | Indirect Taxes | Direct Taxes | Transaction Advisory | Regular Compliance and Reporting | Tax Assessments | International Taxation Advisory | Capital Structuring | Withholding tax advisory | Expatriate Tax Reporting | Litigation | Badges | Club Badges | Seals | Military Insignias | Emblems | Family Crest | Software Development India | Software Development Company | SEO Company | Web Application Development | MLM Software | MLM Solutions