sitemapHome | Registration | Job Portal for CA's | Expert Exchange | Currency Converter | Post Matrimonial Ads | Post Property Ads
News shortcuts: From the Courts | News Headlines | VAT (Value Added Tax) | Placements & Empanelment | Various Acts & Rules | Latest Circulars | New Forms | Forex | Auditing | Direct Tax | Customs and Excise | ICAI | Corporate Law | Markets | Students | General | Mergers and Acquisitions | Continuing Prof. Edu. | Budget Extravaganza | Transfer Pricing | GST - Goods and Services Tax
Latest Expert Exchange
Tenders »
  National Institute Of Mental Health And Neuro Sciences, Bangalore - Karnataka
 Madhya Pradesh Paschim Kshetra Vidvut Vitaran Company Limited, Indore, Madhya Pradesh
 Maharashtra State Co-operative Bank Limited, Mumbai, Maharashtra
 Central Medical Stores Organisation, Meerut, Uttar Pradesh
  Indian Council Of Agricultural Research, New Delhi
 Housing And Urban Development Corporation Limited, Chandigarh
 Amendment in PQR and Extension of Tender Submission
 Tamil Nadu Warehousing Corporation Limited, Chennai - Tamil Nadu
 Power Finance Corporation Limited, New Delhi, Delhi
 Housing And Urban Development Corporation Limited, New Delhi
 Empanelment Of Is Auditor For Security Cum Functional Audit Of Application Software
 Office Of The Municipal Corporation Rewa, Rewa (MP)

Empanelment Of Is Auditor For Security Cum Functional Audit Of Application Software
April, 02nd 2018
        Punjab National Bank, Inspection & Audit Division, HO, Delhi




                                      Punjab National Bank


                                   REQUEST FOR PROPOSAL

                                  FOR
                     EMPANELMENT OF IS AUDITOR FOR
         SECURITY CUM FUNCTIONAL AUDIT OF APPLICATION SOFTWARE

                                 Inspection & Audit Division
                          Corporate Office, Plot-4, Sector-10, Dwarka
                                     New Delhi - 110075




RFP for security cum functional audit of application software     Confidential
                                                                                 1
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
 CONTENTS

 1              INTRODUCTION
 1.1            Background
 1.2            Purpose
 1.3            Project Scope
 1.4            Invitation
 1.5            Time Schedule of Various bid related events
 1.6            Confidentiality
 1.7            Non Disclosure Clause
 1.8            RFP Terminology
 1.9            Disclaimer
 2              BIDDING PROCESS
 2.1            Bidding
 2.2            Minimum Eligibility Criteria for Bidder(s)
 2.3            Scope of Bid
 2.4            Amendments/Supplements to Bidding Documents
 2.5            Rights of PNB
 2.6            Governing Law and Disputes
 3              INSTRUCTIONS TO BIDDER
 3.1            The Bidding Documents
 3.1.1          Cost of Bidding
 3.1.2          Content of Bidding Document
 3.1.3          Clarification on RFP
 3.1.4          Language of bids
 3.2            Preparation of Bids
 3.2.1          Document Constituting the Bid
 3.2.2           Document Establishing Bidder's Qualification
 3.2.3          Documents establishing Solution Conformity to Bidding Documents
 3.2.4          Bid Security
 3.2.5          Period of Validity of Bids
 3.2.6          Format and Signing of Bid
 3.2.7          Sealing, Marking and Submission of Bids
 3.2.8          Deadline for Submission of Bids
 3.2.9          Late Bids
 3.2.10         Modification and Withdrawal of Bids
 3.2.11         Acceptance or rejection of bid
 3.2.12         Notification of award
 3.3            Bid Opening and Evaluation of Bids
 3.3.1          Assumptions and Agreements
 3.3.2          Opening and evaluation of Technical Bids by the Bank
 3.3.3          Clarification of Bids
 3.3.4          Evaluation Criteria for empanelment
 3.3.5          Contacting the Bank
 3.3.6          Signing of Contract
 3.3.7          Performance Guarantee
 3.3.8          Notification of Empanelment




RFP for security cum functional audit of application software   Confidential
                                                                                  2
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
 3.4            Award of Contract
 3.4.1          Post qualification
 3.4.2          Award Criteria on post empanelment
 3.4.3          Dead Line / Critical Dates
 3.4.4          Right to accept any Bid and to reject any or All Bids
 3.4.5          Notification of Award of Contract
 4              Broad Terms and Conditions
 4.1            Standards
 4.2            Arbitration
 4.3            Notices
 4.4            Use of Contract Documents and Information
 4.5            Patent and Copyrights
 4.6            Deliverables
 4.7            Payment Terms
 4.8            Taxes and Duties
 4.9            Delay in the Performance
 4.10           Penalty
 4.11           Force Majeure
 4.12           Correspondences
 4.13           Successful bidder's Obligations
 4.14           Contract Amendments
 4.15           Extension of Bank Guarantees
4.16            Adherence to Standards
4.17            Subcontracting


Annexure        A        Detailed Scope of Audit
Annexure        B        Performance Guarantee Form
Annexure        C        Technical BID FORM
Annexure        D        Score Sheet
Annexure        E        Undertaking 1
Annexure        F        Undertaking 2
Annexure        G        Compliance Statement
Annexure        H        Technical Compliance Sheet
Annexure        I        Security cum functional audit of application software assignment
Annexure        J        Confidentiality Cum Non Disclosure Agreement
Annexure        K        Professional's details
Annexure        L        Check list for the Documents to be submitted




RFP for security cum functional audit of application software      Confidential
                                                                                       3
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
Chapter - 1: Introduction

1.1. Background
Punjab National Bank (PNB) has taken many IT initiatives. Bank has computerized
100% of its branches and has implemented a Centralized Banking Solution with Data
Centre at New Delhi and Disaster Recovery Site at Mumbai.
Bank has already implemented Data Ware House project for providing better access to
information, to foster better and more informed decision-making, besides providing
statutory reporting and MIS for the bank.
In the bank there are several applications which are developed in house/or procured
through outsourcing for internal requirements of Bank. Some of these applications are
accessed through Enterprise Wide Network by different Branch Offices and also
available through Internet and through Dial-up Connection. Approximately, every year
50-60 software are being developed In house / procured in our bank for which Security
cum Functional Audit is required.
We have alternate Delivery channels services like Internet Banking, ATM, Mobile
Banking, Mobile Apps, Tab Banking and POS etc which is being also offered to the Bank
customers. An ATM Switch has been installed at New Delhi in the Data Centre and a DR
setup in Mumbai. Internet Banking Infrastructure is also located and integrated with the
Enterprise Wide Network in a secured manner.
The Operating Systems used in Different applications include different flavors of Unix
like Solaris, AIX, SCO etc.), Windows NT, Windows 2008/2012 enterprise Servers,
Guardian, IBM AIX, HP Unix, Novell Netware, Tandem, DOS etc. Applications, which
use messaging, include SWIFT, SFMS (RBI Infinet), Cash Management Services,
Electronic Funds Transfer, and other RBI Projects etc. The Mail Server is on MS
Exchange Server 2010. The Data bases include Oracle, MS SQL, DB2, Access, Sybase
etc.
To Secure the Application software, Data bases, Data, Information etc and to ensure the
availability of resources including the network to authorized users without any disruption
or degradation, the bank plans to utilize the services of Information Security.
The bank houses various security devices positioned across various locations to protect
its infrastructure from internet threats.

1.2. Purpose
For empanelment of IS Auditor for Security cum functional Audit of application software
for providing independent reasonable assurance to the management on:
 1. Audit of application software or any enhancement in any existing Application/IT
Platform before roll out in live environment which serves our following purpose:-

       I.   Ensure better quality of software development.
      II.   Reducing the chances of security breach in the software.
     III.   Improve the secure coding practices for future software development..
     IV.    Robust IT security.
      V.    Mitigation of risks where there are significant control weaknesses
     VI.    Efficient utilization of IT Resources.


RFP for security cum functional audit of application software   Confidential
                                                                                     4
         Punjab National Bank, Inspection & Audit Division, HO, Delhi
      VII.     Ensuring compliance of IT Security Policy and procedures defined by the
               Bank.

1.3. Project Scope
Detailed scope is at Annexure A. The overall approach of the Security cum functional
Audit of application software shall be constructive/ contributory. The evaluation shall be
comprehensive, clear and Security cum functional Audit shall help rectify the lacunae by
concise directions.

1.4. Invitation
This RFP seeks Bidder(s) who are committed to the Information Security business and
have the capability and experience in conducting Security cum functional audit of
application software. Auditor wherever mentioned in RFP means the bidder/ company
/firm who can conduct the security cum functional audit of application software.
Evaluation criteria, evaluation of the responses to the RFP and subsequent selection of
the successful bidder(s) will be entirely at PNB's sole discretion.Bank's decision shall
be final and binding and no correspondence about the decision shall be entertained.

1.5. Time Schedule of Various bid related events
 1.     Date of commencement of availability                    12.03.2018
        of Bidding Documents for Sale
 2.          Last date & time for submission of                 18.03.2018
             queries (by e-mail).                                05.00 PM
 3.          Last date and time for receipt of Bidding          02.04.2018
             Documents.                                          02.00 PM
 4.          Date and Time of Bid Opening.                       02.04.2018
             (Change if any will be communicated to               03.00 PM
             bidders who have purchased RFP.)
 5.          Cost of RFP                            Rs. 5000/- (non refundable) to be
                                                    deposited           in        A/C
                                                    1522002100021143, PNB IAD,
                                                    IFSC ­ PUNB0976200, Branch ­
                                                    PNB Head Office (9762200),
                                                    Sector -10Dwarka New Delhi
 6.          Earnest Money Deposit Amount           Rs.50000/- Rs. Fifty Thousand
                                                    Only to be deposited in A/C
                                                    1522002100021143, PNB IAD,
                                                    IFSC ­ PUNB0976200, Branch ­
                                                    PNB Head Office (9762200),
                                                    Sector -10Dwarka New Delhi
 7.          Place of opening of Bids               Punjab National Bank,
                                                    IT Audit Cell, Inspection & Audit
                                                    Division, Head Office
                                                    2nd Floor, East Wing, Corporate
                                                    Office, Plot-4, Sector 10, Dwarka,
                                                    New Delhi ­ 110075
Note:
RFP for security cum functional audit of application software   Confidential
                                                                                     5
           Punjab National Bank, Inspection & Audit Division, HO, Delhi
    (i) Bids will be opened in the presence of bidders who choose to attend as above
    (ii) The schedule is subject to change and notice in writing of any changes will be
         published and communicated wherever feasible through bank's corporate web-
         site www.pnbindia.in. The PNB reserves the right to cancel the RFP at any time
         without incurring any financial obligation to any Bidder or potential Bidder.
    (iii) Any query regarding the RFP may be sent to iadisaudit@pnb.co.in and
          pankajgupta@pnb.co.in addressed to The Chief Manager, IT Audit Cell,
          Inspection & Audit Division, Head Office, 2nd Floor, East Wing, Corporate Office,
          Plot 4, Sector-10, Dwarka, Rajendra Place, New Delhi ­ 110075 before the Last
          date & time for submission of queries by e-mail.

1.6 Confidentiality
The RFP document is confidential and is not to be reproduced, transmitted, or made
available or disclosed in any form or manner by the Recipient to any other person.
Punjab National Bank may amend or revise the RFP document or any part of it. The
Recipient accepts that they will receive any such revised or amended document subject
to the same terms and conditions as this original and subject also to confidentiality.
The Recipient will not disclose or discuss the contents of the RFP document with any
officer, employee, consultant, director, agent, or other person associated or affiliated in
any way with Punjab National Bank or any of its customers, Auditors, or agents without
the prior written consent of the Bank. The empanelled bidder shall execute a
Confidentiality & Non Disclosure agreement with the Bank as per Annexure `J'.

1.7 Non Disclosure Clause
      i)    The bidder (and his employees) shall not, unless the bank gives permission in
            writing, disclose any part or whole of this RFP document, of the proposal and/or
            contract, or any specification, plan, drawing, pattern, sample or information
            furnished by the bank, in connection therewith to any person other than a
            person employed by the bidder in the pursuance of the proposal and/or
            contract. Disclosure to any such employed person shall be made in confidence
            and shall be to the extent only so far as may be necessary for purposes of such
            performance. The bidder will ensure that the employees engaged by the bidder
            will maintain strict confidentiality.
      ii) The bidder, his employees and agents shall not without prior written consent
          from the bank make any use of any document or information given by the Bank,
          except for purposes of performing the contract award.
      iii) In case of breach, the bank shall take such legal action as it may deem fit.
1.8 RFP TERMINOLOGY
Definitions
Throughout this RFP, unless inconsistent with the subject matter or context, the
following terms will have the meaning as under:
    i. Agreement:
           Any written contract to be entered into between Punjab National Bank and the
           Bidder(s) qualifying for empanelment with respect to providing for any
           deliverables or services contemplated by this RFP. Any Agreement shall be
           deemed to incorporate, as schedules, this RFP and all supplements issued by
RFP for security cum functional audit of application software     Confidential
                                                                                          6
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
        the Bank, the bid of the Successful Bidder(s) and any negotiated modifications
        thereto.

    ii. Bidder/Vendor/Auditor:
        A firm/ Company submitting a bid in response to this RFP. "Bidder" definition for
        this specific RFP for empanelment of IS auditors shall include bidder(s) who
        directly possesses capabilities of conducting such assignments.

   iii. Bank:
        Reference to "the Bank", "Bank", "PNB" and "Punjab National Bank" shall be
        determined in context and may mean without limitation "Punjab National Bank", a
        Nationalized Bank in India.
   iv. Proposal/Bid:
        The Bidder's written reply or submissions in response to this RFP.
    v. RFP:
        The Request for Proposal document in its entirety, inclusive of any supplement
        that may be issued by the Bank.
   vi. ITB:
        Instructions to Bidders as Contained in Chapter ­ 3.
   vii Successful bidder:
       Empanelled IS Auditor to whom job has been awarded.

1.9 Disclaimer
Subject to any law to the contrary, and to the maximum extent permitted by law, PNB
and its officers, employees, contractors, agents, and advisers disclaim all liability from
any loss or damage (whether foreseeable or not) suffered by any person acting on or
refraining from acting because of any information including forecasts, statements,
estimates, or projections contained in this RFP document or conduct ancillary to it
whether or not the loss or damage arises in connection with any negligence, omission,
default, lack of care or misrepresentation on the part of PNB or any of its officers,
employees, contractors, agents, or advisers.

Chapter ­ 2: Bidding Process

2.1. Bidding
Bidder who decides to bid will have to deposit a non-refundable amount of Rs. 5000/-
(Five Thousand only) to the cost of Bidding Fee.. Bid amount to be deposited in A/C
1522002100021143, PNB IAD, IFSC ­ PUNB0976200, Branch ­ PNB Head Office
(9762200), Sector -10Dwarka New Delhi
Bidders shall submit their Bid in sealed envelope containing:-
(i)Technical Compliance Sheet: - It contains the details to prove that it meets the
minimum eligibility criteria with documentary evidence to support the same.


RFP for security cum functional audit of application software    Confidential
                                                                                     7
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
(ii) Score sheet: - It contains the details with documentary evidence to score maximum
on different parameter.
Note: - Bid will not contain any pricing or commercial information at all.
Technical compliance sheet will be opened for evaluation. Those bidders who meet the
minimum eligibility criteria, as per the requirements and the terms and conditions of this
document, shall be shortlisted for further processing. Scoring will be done by the
technical committee for the shortlisted bidders.

2.2. Minimum Eligibility Criteria for Bidder(s)
To become eligible to respond to this RFP the vendor should fulfill the following
minimum eligibility criteria:-
       a) Bidder must be a legal entity in India and must be financially solvent.
       b) Should not be a vendor for Software and Hardware components of the Bank .
       c) Should be a Company /Firm /Organization /independent subsidiary with an
          average annual turnover of Rs.1 (One) crore or more for the last three financial
          years and should be in profit during all three financial years.(i.e. 2014-
          2015,2015-2016,2016-2017)
       d) Should have at least 3 years experience in the field of providing Security Cum
          functionality audit of application software and company should have carried out
          similar work in the Government organization /PSUs/ Banks. The company
          should provide the adequate documentary evidence in support of providing
          similar services.
           For consideration of above experience in Security cum functional Audit of
           application software, the activities similar to given below will be considered:-
            I.   Application Control Review.
           II.   System Processing Logic.
          III.   Review of parameters and other areas.
          IV.    Interface with other applications
           V.    Data Integrity of the report generated from the system
          VI.    Assessment of Role based security for application under scope.
         VII.    Adequacy of Audit trail and logs.
         VIII.   Vulnerability assessment and penetration test [VAPT] of server/security
                 equipment/network equipment/ Applications through intranet.
           IX.   Verification of compliance of system and procedures as per Organization's
                 IT Security Policy/ guidelines.
           X.    Business Impact Analysis.
          XI.    Migration Audit
          XII.   Any other Computer/Mobile/IT Application.
       e) Should not have been blacklisted by any nationalized Bank/RBI/IBA/ PSUs or
          any other Government agency from offering such audit services/solutions to
          them. Bidder must give an Undertaking to this effect.

       f) Firm must have minimum 5 qualified professionals with degree from Govt.
          recognized         reputable         Universities/Institutions       as
          BE/B.Tech/ME/M.Tech/MCA/C.A.(ICAI)    and    certifications    as CISA/

RFP for security cum functional audit of application software    Confidential
                                                                                      8
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
           /CISSP/CEH / Sun Certified Security Administrator (SCSECA) / OCE (Oracle
           Certified Expert - Security Administrator), Cisco CCIE-security along with
           minimum 2 years post qualification experience in security cum functional audit
           of application software with at least one software audit of PSUs/Banks and on
           permanent roll of the organization.

       g) Firm must be empanelled with Cert-In, Govt of India for Security Auditors with
          a certificate of empanelment for the block 2016-2019.

    Bidder must submit a detailed statement of facts and profile of company including
    year of commencement of business, Internet site details and name and title of the
    authorized signatory for their Bid and their contact numbers and e-mail address.

    Bidder should provide the documents in support of their eligibility in terms of above
    minimum eligibility criteria.

2.3. Scope of Bid
The scope of the bid shall be to empanel Information System Auditor to conduct security
cum functional audit of application software as per detailed scope given in Annexure A.

2.4. Amendments/Supplements to Bidding Documents
At any time prior to the deadline for submission of bids, the bank may, for any reason,
modify the Bidding Document by amendments at the sole discretion of the bank. All
amendments will be in writing and shall be communicated and published on bank's
website and will be binding on all prospective bidders. Further for any communication
bidders must provide name of the contact person, mailing address, telephone number
and FAX numbers on the covering letter sent along with the bids/ request for bidding
document.
In order to provide, prospective bidders, reasonable time to take the amendment into
account in preparing their bid, the bank may, at its discretion, extend the deadline for
submission of bids.

2.5. Rights of PNB
PNB reserves the right to:-
     Modify any terms, conditions and specifications of the RFP.
     Negotiate with Bidders.
     Accept any Bid in whole or in part.
     Split orders in favor of more than one Bidder.
     Release order, part order or more than one order.
     Finalize the bill of material and repeat orders.
     Issue the amendments to the RFP at anytime, prior to the deadline for the
       submission of Bids. From the date of issue, amendments to Tender Document
       shall be deemed to form an integral part of the Tender Document.
The Bids received and accepted will be evaluated by PNB to ascertain the best in the
interest of PNB. However, PNB does not bind itself to accept any Bid and reserves the
right to reject any or all Bids at any point of time prior to the placing of order without
assigning any reasons whatsoever. PNB reserves the right to re-tender. PNB shall not
incur any liability to the affected Bidder(s) on account of such rejection. PNB shall not be
obliged to inform the affected Bidder(s) of the grounds for PNB's decision of rejection. It

RFP for security cum functional audit of application software    Confidential
                                                                                       9
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
is to be understood clearly by the Bidders that the selection process requires them to
have adequate expertise in the audit domain.

2.6. Governing Law and Disputes
The Bid and the resulting Contract with the successful Bidders shall be governed in
accordance with the Laws of India for the time being in force.
All disputes or differences whatsoever arising between PNB and the Bidders out of the
meaning and operation or effect of this Tender Document or breach thereof, shall be
settled amicably. If, however, the parties, as above, are not able to resolve them
amicably, the same shall be settled by Arbitration in accordance with the Arbitration and
Conciliation Act 1996, and the award made in pursuance thereof shall be binding on the
parties.
Any appeal will be subject to the exclusive jurisdiction of the courts at Delhi (India). In
such instances, the Successful bidder shall continue to work under the Contract during
the arbitration proceedings unless otherwise directed in writing by PNB or unless the
matter is such that the work cannot possibly be continued until the decision of the
Arbitrator or of the umpire, as the case may be, is obtained.
The venue of the arbitration shall be Delhi, India.

Chapter ­ 3: Instructions to Bidders (ITB)
3.1. The Bidding Documents
3.1.1. Cost of Bidding
The cost of bidding and submission of tender documents in response to this RFP is
entirely the responsibility of bidders, regardless of the conduct or outcome of the
tendering process. PNB will not be liable for any costs incurred by the Bidder in replying
to this RFP. It is also clarified that no binding relationship will exist between any of the
Respondents and the Bank until execution of a contractual agreement.

3.1.2. Content of Bidding Document
The bidding document provides overview of the requirements, bidding procedures and
contract terms. It includes Introduction, eligibility criteria; Instruction to Bidders, Broad
terms and conditions of Contract and Bid, The bidder must conduct its own investigation
and analysis regarding any information contained in the RFP document and the meaning
and impact of that information.

The Bidder is expected to examine all instructions, statements, forms, terms and
specifications in the bidding documents. Failure to furnish all information required by the
bidding documents or submission of a bid not responsive to the bidding documents in
every respect will be at the Bidder's risk and may result in rejection of the bid. While the
Bank has made considerable effort to ensure that accurate information is contained in
this RFP, the information contained in this RFP is supplied solely as a guideline for
Bidders. Furthermore, during the RFP process, the Bank has disclosed or will disclose
in the RFP and supplement as applicable, available information relevant to the Work to
the extent, detail, and accuracy allowed by prevailing circumstances. Subject to the
provision in the previous sentence, the Bank has used or will use its best judgment and
assessment to fairly and reasonably represent the nature and scope of the Work in order
for Bidders to submit viable Proposals. However, the Bank shall not be deemed to give
any guarantees or warranties of accuracy of any of the information in this RFP or any

RFP for security cum functional audit of application software     Confidential
                                                                                      10
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
supplement, nor of its being comprehensive or exhaustive. Nothing in this RFP or any
supplement is intended to relieve Bidders from forming their own opinions and
conclusions in respect of the matters addressed in this RFP or any supplement, as
applicable.

3.1.3. Clarification on RFP
The Bidder shall carefully examine and understand the specifications / conditions of RFP
and seek written clarifications, if required, to ensure that they have understood all
specifications / conditions of RFP. Written requests for clarification may be submitted to
PNB before last date specified for queries (through email) in this regard.
Thereafter, no more clarification other than that asked by the last date specified for this
purpose shall be entertained. No oral consultation either shall be entertained thereafter.
The Bid should not carry any sections like clarifications, 'as orally told',        `to be
discussed', interpretations and assumptions. With the submission of the Bid, the Bidder
acknowledges that he/she has carefully studied and understood the RFP in totality.
Any questions concerning this RFP must be submitted through email                        at
iadisaudit@pnb.co.in, pankajgupta@pnb.co.in on or before the last date of submission
of queries to:
Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Plot-4, Sector-10, Dwarka,
New Delhi ­ 110075
No requests for clarification will be accepted by over telephone.

3.1.4 Language of Bid
The bid prepared by the Bidder, as well as all correspondence and documents relating to
the bid exchanged between the Bidder and the Bank shall be written in English language
only.

3.2 Preparation of Bids

3.2.1 Document Constituting the Bid
The bid prepared by the Bidder shall comprise the following components:
  a) Technical Compliance Sheet:-
      Details establishing the qualification of the bidder as per Minimum eligibility criteria
      (see Chapter-2) for the Bidders. Annexure-H
  b) Point wise compliance of the terms and conditions enumerated in Tender
     Document. Any technical/commercial deviation with the Tender Document should
     be clearly stated with the reasons thereof.
  c) Documentary evidence established in accordance with ITB Section 3.2.2 that the
     Bidder is qualified to perform the contract if its bid is accepted and that the bidder
     has financial, technical capability necessary to perform the contract and meets the
     criteria outlined in the Qualification Requirement and fulfills all the conditions of the
     Contract.

RFP for security cum functional audit of application software       Confidential
                                                                                       11
            Punjab National Bank, Inspection & Audit Division, HO, Delhi
  d) - Bid security furnished in accordance with ITB Section 3.2.4.
 e) An undertaking from the bidder (As per Annexure C) that the bidder is complying
    with all the conditions of the Contract and Technical Specifications of the Bidding
    Document as no deviation will be acceptable to the Bank.
 f) Score Sheet (Annexure-D)

  g) Compliance statement as per the Annexure-G.
This will be evaluated by the technical committee as per the procedure elaborated in ITB
Section 3.3.2(v).
3.2.2 Document Establishing Bidder's Qualification.
Pursuant to ITB section 3.2.1, the Bidder shall furnish, as part of its Bid, documents
establishing the Bidder's qualification to perform the Contract if the bid is accepted.
The documentary evidence of Bidder's qualification to perform the Contract if the bid is
accepted should establish to the Bank's full satisfaction that the bidder has the financial,
technical and performance capability necessary to perform the Contract and meets the
criteria outlined in the Minimum eligibility Criteria specified in this RFP. Bids that do not
fully comply with minimum eligibility criteria will be rejected, Technical scoring will be
done for only for bidders who fulfill minimum eligibility criteria and have been shortlisted.

3.2.3 Documents establishing Solution Conformity to Bidding Documents
All the documents must accompany the response to this RFP as per Annexure L.
Willful misrepresentation of the facts will lead to the cancellation of the contract without
prejudice to any other action that the Bank may take.
All the submissions, including any accompanying documents, will become property of
Punjab National Bank. The bidders shall be deemed to have license, and grant all rights
to, Punjab National Bank, to reproduce the whole or any portion of thereof for the
purpose of evaluation, to disclose the contents of submission to other bidders and to
disclose and/or use the contents of submission as the basis for RFP process.

3.2.4 Bid Security
    (i)      Pursuant to ITB Section 3.2.2, the Bidder shall furnish, as part of its bid, a bid
             security of INR 50000/-(Rupees Fifty Thousand only).
    (ii)     The bid security is required to protect the Bank against the risk of Bidder's
             misconduct, which would result in the forfeiture for the bid security.
    (iii)    The bid security shall be in Indian Rupees and shall be in the form of a Draft
             /Banker's cheque, in favor of Punjab National Bank, Inspection & Audit Division,
             payable at Delhi.
    (iv)     Any bid, not secured in accordance with above will be rejected by the Bank as
             non-responsive.
    (v)      Unsuccessful bidder's bid security will be discharged/returned as promptly as
             possible but not later than 30 days after the expiry of the period of bid validity
             prescribed by the Bank. Bank will not be liable for any delay beyond 30 days as
             aforesaid and no claim for delayed interest will be allowed



RFP for security cum functional audit of application software        Confidential
                                                                                        12
           Punjab National Bank, Inspection & Audit Division, HO, Delhi
    (vi)    Bid security of bidders who have qualified for empanelment will be discharged
            upon the Bidder signing the Contract, and furnishing the Performance
            Guarantee.
    (vii) The bid security may be forfeited, if a Bidder
            a) Withdraws its bid during the period of bid validity specified by the Bidder on
               the Bid Form; or does not accept the correction of errors or attempts to
               influence the Bank in its decisions on bid evaluation or bid comparison
            b) In case of a successful Bidder, if the Bidder fails:
                  To sign the Contract in accordance with Section 3.3.6; or
                  To furnish Performance Guarantee in accordance with Section 3.3.7.

3.2.5 Period of Validity of Bids
The bids shall be valid for a period of 180 days from the date of closure for submission
of the bid. The bid valid for shorter period shall be rejected as non-responsive.
In exceptional circumstances, the Bank may solicit the Bidder's consent to an extension
of the period of validity. The request and the response thereto shall be made in writing
(or by fax). The bid security validity period shall also be suitably extended. A Bidder may
refuse the request without forfeiting its bid security. A Bidder granting the request of
extension will not be required nor permitted to modify its bid.






3.2.6 Format and Signing of Bid
    (i) The Bidder shall prepare Bid in accordance with ITB Section 3.2.1.
    (ii) The bid shall be typed or written in indelible ink, numbered and shall be signed by
         the Bidder or a person or persons duly authorized to bind the Bidder to the
         Contract. The authorization shall be indicated by a written power-of-attorney or a
         board resolution accompanying the bid. The person or persons signing the bid
         shall sign & seal all pages of the bid;
    (iii) Any interlineations, erasures or overwriting shall be valid only if the person or
          persons signing the bid sign them.
    (iv) Bid should be typed and submitted on A4 size paper and bound securely.
        Bidders responding to this RFP must comply with the following format
        requirements:

(a) COVER LETTER/BIDDER CERTIFICATIONS:
Certificates and other supporting document may be attached with covering letter while
submitting the proposal.
Proposals submitted in response to this RFP must be signed by the person working in
the bidder's organization who is responsible for the decision or by a person who has
been authorized in writing to act as agent for the person responsible for the decision.
Each bid shall stipulate that it is predicated upon the terms and conditions of this RFP
and any supplement or revision thereof. By submitting a signed proposal, the bidder's
signatories certify that in connection with this assignment:
           The bidder's organization or an agent of the bidder's organization has submitted
           the bid without consultation, communication or agreement with any other
           respondent or with any competitor for the purpose of restricting competition.
RFP for security cum functional audit of application software      Confidential
                                                                                      13
        Punjab National Bank, Inspection & Audit Division, HO, Delhi

        No attempt has been made or will be made by the bidder's organization or by any
        agent of the bidder's organization to induce any other person or firm to submit or
        not to submit a bid for the purpose of restricting competition.

(b) REFERENCE DATA SHEET:
For the services offered, Bidder must furnish a list of minimum of two (2) references that
will be capable of verifying information supplied by the Bidders in proposal. Bidders
should submit additional Reference Data Sheet forms if they have more than two (2)
references.
The Bank reserves the right to contact and/or visit any party listed as a reference, which
has previously utilized or is presently utilizing service(s) identical or similar to those
being proposed by the bidder. The Bank may also utilize other sources of information
about the product(s) and/or service(s) proposed by the Bidder where these sources are
publicly available and are equally available for all competing bidders. The Bidder should
not be present during site visits.

(c)FINANCIAL STABILITY DOCUMENTATION:
Bidders responding to this RFP must be able to substantiate their financial stability.
Audited Financial statements along with additional supporting documentation must be
submitted with the bid.

(d) RESPONSE TO GENERAL, TECHNICAL, PERFORMANCE AND SUPPORT
REQUIREMENTS:
Provide a point-by-point response to each and every requirement specified in this RFP.
Responses must indicate that either bidder's bid "does comply" with specifications or
that it "does not comply." A succinct explanation of how each requirement can be met or
cannot be met must be included.
(e) ADDITIONAL INFORMATION:
Include additional information, which will be essential to an understanding of the
proposal. This might include diagrams, excerpts from manuals, or other explanatory
documentation, which would clarify and/or substantiate the bid. Any material included
here should be specifically referenced elsewhere in the bid.

(f) GLOSSARY:
Provide a glossary of all abbreviations, acronyms, and technical terms used to describe
the services or products proposed. This glossary should be provided even if these terms
are described or defined at their first use in the bid response.

3.2.7 SEALING, MARKING AND SUBMISSION OF BIDS
Bidders should provide their `Minimum Eligibility Criteria' and `Score Sheet in one
original and two additional copies and shall be labeled as "Original" or "Copy" as
appropriate. Each of these shall then be sealed in a separate envelope labeled "Original
Tender" or "Copy Tender" as appropriate. All the sealed envelopes containing Technical
responses shall then be sealed in one envelope marked " Bid for Empanelment of IS
Auditor For Security Cum Functional Audit Of Application Software" in the top left hand

RFP for security cum functional audit of application software   Confidential
                                                                                    14
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
corner. The Bids, which are not sealed as indicated above, are liable to be rejected. PNB
will not be liable for Postal/Courier delay, non-receipt/non-delivery of documents, loss of
documents in transit, etc., if any, in the Bidder receiving the RFP and/or in submitting the
Bid before the scheduled time.
All pages of the Bid including Brochures are to be numbered as Page --- (current page)
of --- (total pages). The numbering shall be done for the whole Bid and not section-wise.
The envelopes shall be dated with the current date in the top right hand corner and
addressed to as below:
      The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi ­ 110075
If the envelope is not sealed and marked, the Bank will assume no responsibility for the
bid's misplacement or premature opening.
Telex, Email or fax bids will be rejected.

3.2.8 Deadline for Submission of Bids
Bid must be received by the Bank at the address specified under Section 3.2.7 on or
before the last date of receipt of the Bid. In the event of the specified date for the
submission of Bids being declared a holiday for the Bank, the Bids will be received up to
the appointed time on the next working day.
The Bank may, at its discretion, extend this deadline for submission of bids by amending
the bid documents in accordance with section 2.5, in which case all rights and
obligations of the Bank and Bidders previously subject to the deadline will thereafter be
subject to the deadline as extended.

3.2.9 Late Bids
Any bid received by the Bank after the deadline fixed for submission of the bids will not
be considered. PNB will not be liable for any delayed receipt due to Postal/Courier delay.
Bidder shall ensure timely dispatch so that the same reaches the Bank before deadline.

3.2.10 Modification and Withdrawal of Bids
        i)   The Bidder may modify or withdraw its bid after the bid's submission, provided
             that written notice of the modification or withdrawal is received by the Bank
             prior to the deadline prescribed for submission of bids.
        ii) The Bidder's modification or withdrawal notice should be sealed and marked
            accordingly.
        iii) No bid can be modified subsequent to the deadline for submission of bids.
        iv) No bid can be withdrawn during the interval period between the deadline for
            submission of bids and the expiration of period of bid validity. The act of
            withdrawal of a bid during this interval will result in the forfeiture of the
            Bidder's bid security. In other words, no withdrawal of the Bid is allowed after
            the Dead Line fixed for Submission of the Bid.

RFP for security cum functional audit of application software     Confidential
                                                                                     15
               Punjab National Bank, Inspection & Audit Division, HO, Delhi
       3.2.11 Acceptance or rejection of bid
       Incomplete Bid(s), conditional Bid(s), Bid(s) not conforming to the terms and
       conditions, Bid without EMD are liable for rejection by PNB.
       The Bank reserves the right not to accept any bid, or to accept or reject a particular bid
       at its sole discretion without assigning any reason whatsoever.

       3.2.12 Notification
       Any relevant information regarding the bid will be published         on bank's web site
       www.pnbindia.in & www.pnbinida.biz only.

       3.3 Bid Opening and Evaluation of Bids

       3.3.1. Assumptions and Agreements
       PNB, at its discretion, may make modifications to the selection criteria and the
       weightage pattern, which will be notified to the bidders.
       PNB reserves the right to accept or reject any proposal without assigning any reason
       whatsoever.

       3.3.2. Opening and evaluation of Technical Bids by the Bank
  I.       The Bank will open the bid, in the Inspection and Audit division, Punjab National
           Bank, 2nd Floor, East Wing, , Plot-4, Sector 10, Dwarka, New Delhi. Bidders'
           representatives who choose to attend at the date/time and venue specified in section
           1.5. shall have to sign a register evidencing their attendance. In case no
           representatives attend the bid opening, the bids shall be opened in their absence. In
           the event of the specified date of Bid opening being declared a holiday for the Bank
           or bids cannot be opened due to any unavoidable circumstances, the Bids shall be
           opened at the time and location on the next working day or any other day as decided
           by the Bank.
 II.       The bidder's names, bid modifications or withdrawals and the presence or absence
           of requisite bid security and such other details as the Bank at its discretion may
           consider appropriate will be announced at the time of bid opening.
III.       Bids that are not opened and read out at bid opening shall not be considered for
           further evaluation, irrespective of the circumstances.
IV.        The Bank will prepare minutes of the bid opening.
V.         The Minimum eligibility criteria and score sheet would be evaluated by the Technical
           Committee. Score sheet would be evaluated as per the following criteria/weight-



       SNo           Details                   Scale of Measurement ­(Marks)
       1   No. of qualified auditor in Maximum Marks -30
           the firm as defined in 2.2. (i) 15 or more qualified auditor : 30 Marks
           (f) on the permanent roll of (ii) More than or equal to 10 but less than 15: 20
           the organization.                       Marks
           Maximum Marks -30            (iii) More than or equal to 5 but less than 10: 15
                                                   Marks


       RFP for security cum functional audit of application software   Confidential
                                                                                           16
           Punjab National Bank, Inspection & Audit Division, HO, Delhi
   2      No. of completed Security Maximum Marks -40
          cum Functional Audit of 1. Total no. of application software audit in PSU/Govt./
          Application software in        Bank in last 5 years
          Government organization        (i) More than 25 software audit - 40 Marks
          /PSUs/ Banks during last 5     (ii) More than or equal to 15 but less than 25- 30
          years.                     Marks
                                         (iii) More than or equal to 10 but less than 15- 20
          (Maximum Marks -50)        Marks
                                     Maximum Marks ­ 10
                                     1. Audit of Application software in Banks
                                     (i) Audit of Core Banking Solution (CBS) project of the
                                     Bank in any bank having more than 200 offices- 10
                                     Marks
                                     (ii) Audit of financial software other than above (like
                                     ATM, IBS, Treasury) of any bank having more than
                                     200 offices- 7 marks
                                     (iii) Other than above- 5 Marks
   3      Total no. of PSU/Banks No. of PSU/Bank customer dealt in last 5 year.
          customer for the purpose Maximum Marks ­ 20
          of security cum functional (i) More than or equal to 5 Customer-20 Marks
          audit     of   application (ii) More than or equal to 2 but less than 5 Customer-
          software during last 5 15 Marks
          years:                     (iii) 1 Customers-10 Marks

          (Maximum Marks -20)
   Bidders have to submit the details as above with documentary proof. Scoring for
   shortlisted bidders will be done on the parameter as given above. Bidders scoring more
   than or equal to 60% marks will qualify for empanelment for security cum functional audit
   of application software. In case there are less than 5 firms who qualify with a score of
   60% or above, the bank may at its discretion include the next top scoring firms so that
   total number of selected firms is at least 5(Five).However Bank reserves the rights of
   lowering the qualifying marks in case of non-qualifying of stipulated number of bidders .
   In case more than one firm have secured same score and selection for empanelment of
   top 5 firms requires inclusion of one or more firm(s) at that score, then all the firms on
   that score will be selected for empanelment.

VI If a bid is not responsive or not fulfilling all the conditions of the Contract or not meeting
   Technical Specifications and Qualification Requirement, it will be rejected by the bank
   out rightly and may not subsequently be made responsive by the Bidder by correction of
   the non- Conformity.
VI. Proposal will be reviewed to assess compliance with the requirements set out on this
    RFP. Proposals that do not fully comply with the minimum requirements will be rejected
    without further consideration.




   RFP for security cum functional audit of application software      Confidential
                                                                                          17
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
3.3.3. Clarification of Bids
During evaluation of bids, the Bank may, at its discretion, ask the Bidder for a
clarification of its bid. The request for clarification and the response shall be in writing.

3.3.4. Evaluation Criteria for Empanelment:-
       i) Preliminary scrutiny of all the bids received will be done and bids not meeting
          the minimum eligibility criteria would be rejected.
        ii) Scoring would be done only for shortlisted bidders who qualify the minimum
            eligibility criteria.
        iii) Shortlisted bidders will qualify for empanelment as IS Auditors on the basis of
             scores procured by the bidders and as per process defined in section 3.3.2(v).
        iv) Technical evaluation committee would recommend the name of bidders who
            qualify for empanelment after evaluating the score sheet.
        v) In the process of scrutiny of the proposals, Bank may seek additional inputs
           and clarifications as may be needed and also may request the service
           providers to make a presentation.

3.3.5. Contacting the Bank
No Bidder shall contact the Bank or its employees on any matter relating to its bid, from
the time of the bid opening to the time the empanelment is completed. If the bidder
wishes to bring additional information to the notice of the Bank, it should do so in writing.
Any effort by a Bidder to influence the Bank in its decisions on bid evaluation or bid
comparison may result in rejection of the Bidder's bid and forfeiture of their Bid Security.

3.3.6 Signing of Contract
At the same time as the Bank notifies the successful bidders that they have been
qualified for empanelment; the Bank will send the bidders the Contract Form
incorporating all agreements between the parties as enumerated in RFP.
Within 7 days of receipt of the Contract Form, the successful bidder shall sign and date
the Contract and return it to the Bank. The Bidder will agree to all the terms and
conditions as mentioned in this RFP.

3.3.7 Performance Guarantee
Within 7 days of the receipt of notification for qualifying for empanelment from the Bank,
the successful Bidder shall furnish the Performance Guarantee from a scheduled
commercial public sector bank, payable on demand for an amount of Rs. 100000/-(One
Lakh Only) for the due performance and fulfillment of the contract by the empanelled
bidder, in accordance with the conditions of Contract, in the Performance Guarantee
Form provided in the bidding documents or in another form acceptable to the Bank.
The Performance Guarantee may be discharged by the PNB upon being satisfied that
there has been due performance of the obligations by the Successful bidder under the
contract during the empanelment period. The Performance Guarantee shall be valid till
the end of the empanelment Period.




RFP for security cum functional audit of application software     Confidential
                                                                                      18
         Punjab National Bank, Inspection & Audit Division, HO, Delhi
Failure of the successful bidder to comply with the requirement shall constitute sufficient
grounds for the annulment of the empanelment and forfeiture of the bid security.


3.3.8 Notification of Empanelment:
The process of empanelment would complete only after signing of Contract,
Confidentiality cum Non Disclosure Agreement and furnishing of Performance
Guarantee by the bidders who have qualified for empanelment.
The Bank will notify the successful bidders in writing by registered letter / courier/ email
or by fax that they have been empanelled, as IS Auditor for Security Cum Functional
Audit of Application Software for a period of 2 years.
Upon the successful Bidders' furnishing of Performance Guarantee as specified in
Section 3.3.7 thereof, the Bank will promptly discharge the bid security.

3.4 Award of Contract

3.4.1. Post qualification
The Bank will determine to its satisfaction whether the empanelled IS Auditor is qualified
to perform the contract satisfactorily. The determination will take into account the
Bidder's financial, technical and performance capabilities. It will be based upon an
examination of the documentary evidence of the Bidder's qualifications, expertise,
capability submitted by the bidder as well as such other information as the Bank deems
necessary and appropriate.

The empanelment doesn't entitle the empanelled IS Auditor the right of getting any
assignment during the contract period & it will be solely subject to requirement and
discretion of bank.
Empanelment would be initially for the period of 2 years subject to review of
performance on yearly basis.

3.4.2 Award Criteria on Post Empanelment

All the empanelled IS auditors would be asked to submit their commercial bid for
security cum functional audit of application software as per requirement of the bank.
For this purpose requisite applicable documents will be provided to them for each
software separately from the list given below:-
    1.      System documentation (Details of Systems/OS/RDBMS/development
            platform /Web Server etc.)
    2.      User Requirement Specifications frozen for customization
    3.      Change request Documentation (for packages undergoing enhancement)
    4.      User Manual & Other instructions
    5.      Details of Acceptance Tests conducted along with details
    6.      Pilot testing reports in case of packages released for implementation
    7.      Problems reported during the pilot testing and their resolution details
    8.      Release / implementation instructions
         (The above list not exhaustive)


RFP for security cum functional audit of application software    Confidential
                                                                                     19
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
E-Mail asking the empanelled auditors to submit their commercials within a specified
date will be sent by the bank as and when requirement of audit of application software(s)
will arise. It will be binding on all the empanelled auditors to participate in the bidding
process whenever initiated by the Bank. Bank may also consider online bidding
whenever required and all bidders shall be required to participate in the online bidding
process as stipulated by the bank. On failing to participate in the bidding process for any
3 consecutive occasions during the empanelment period bank may cancel the
empanelment of the respective bidder as well as may forfeit the amount of the
performance bank guarantee.
Empanelled auditors would submit their commercials for the job separately for each
software within the specified date in a sealed envelope through courier/registered post or
online whichever mode decided by the bank. The commercial bids so received will be
opened by the Bank as per intimated date & time and in presence of the representatives
of the bidders whoever whishes to attend otherwise the same would be opened in their
absence. The job of audit of application software will be awarded to the empanelled
auditor whose commercial bid would be lowest for that particular software.
On assignment of job Empanelled auditor will submit the audit plan along with full
credentials of Audit team within 3 days as per the annexure-`A'(3.1). The job of Audit
must be commenced within 7 days of assignment.

The bank retains the right to finally negotiate the commercials with the lowest bidder to
arrive at reasonable remuneration before awarding the job. It may be noted that the
Bank will not entertain any price negotiation with any other bidder, till the successful
bidder declines to accept the offer, in which event the Bank may make the award to the
next lowest bidder or call for new bids
3.4.3 Dead Line / Critical Dates
The empanelled auditor to whom job would be awarded shall complete/perform all
activities before last date. If audit activity awarded by the bank is not carried-out by the
L1 bidder as per the timeline then bidder shall be liable of strict action including
cancellation of audit assignment and de-empanelment of the bidder firm.

Bank may also terminate the contract after giving a notice of 30 days at its sole
discretion without assigning any reason.

(For last date please refer Annexure- `A' Time lines clause 3.1.)

3.4.4 Right to accept any Bid and to reject any or All Commercial Bids
        (a) The Bank reserves the right to accept or reject any or all Bids without
            assigning any reasons. Bids may be accepted or rejected in total or in any
            part or items thereof. Any Bid not containing sufficient information, in view of
            the Bank, so as to enable a thorough analysis may be rejected.
        (b) The Bank reserves the right to verify the validity of bid information, and to
            reject any bid where the contents appear to be incorrect, inaccurate or
            inappropriate in the Bank's estimation.
        (c) The Bank shall have the right to determine in its own best judgment, the
            Bidders who will qualify for the short list, if any, and thereafter, the final
            successful bidder shall undertake the work.

RFP for security cum functional audit of application software       Confidential
                                                                                     20
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
        (d) Bids not conforming to the requirements of the Bank may not be considered.
            However, the Bank reserves the right, at any time, to waive any of the
            requirements of the RFP, if, in the sole discretion of the Bank, the best
            interests of the Bank would be served by such change.
        (e) If, in the opinion of the Bank, any Bidder has clearly misinterpreted the Work
            and /or underestimated the hours and / or value of the Work to be performed
            as reflected in the bid content and quoted price(s)/rate(s), then the Bank may
            reject the bid as unbalanced (i.e. not representative of the Work Scope).
        (f) Further, the bank shall have the right to cancel the Bid process at any time
            prior to execution of the contract, without thereby incurring any liability to the
            affected Bidder or bidders. Reasons for cancellation, as determined by the
            Bank in its sole discretion, include, but are not limited to, the following:
            (i) Services contemplated are no longer required;
            (ii) Requirements and terms of reference (scope of work) of the RFP were
                  not adequately or clearly defined due to unforeseen circumstances and
                  /or factors and /or new developments;
            (iii) The RFP did not allow for consideration of all significant elements of the
                  Bank for the work (e.g. new/additional matters have arisen);
            (iv) Proposed price is unacceptable for the Work; and
            (v) The Project is not in the best interest of the Bank
            (vi) Any other reason

3.4.5 Notification of Award of Contract
Prior to the expiration of the period of bid validity, the Bank will notify the successful
bidder in writing by registered letter / courier/ email or by fax, to be confirmed in writing
by registered letter, that its bid has been accepted.
The notification of empanelment will constitute the formation of the Contract and
agreement shall be executed with all the empanelled bidders separately.

Chapter ­ 4: Broad Terms and Conditions
This chapter describes the general terms and conditions of the Contract. However, the
terms and conditions are not conclusive and PNB reserves the right to add, delete,
modify or alter all or any of these terms and conditions in any manner, as deemed
necessary by PNB.
If any irregularity is detected anytime in respect of the above, PNB will have the right to
take appropriate action against the Bidder, as deemed fit by PNB.
Successful bidder wherever mentioned under this chapter shall mean the
empanelled IS Auditor to whom job has been awarded.

4.1. Standards
The services rendered under the contract shall in conformity with the industry standards/
best practices.

4.2. Arbitration
All disputes and differences of any kind, whatsoever, between the parties i.e.
empanelled IS Auditor and PNB, arising out of or in relation to the construction,

RFP for security cum functional audit of application software      Confidential
                                                                                       21
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
meaning, operation or effect of the Contract, shall be settled amicably. If, however, the
parties are not able to resolve any dispute or differences amicably, the same shall be
settled by arbitration in accordance with the provisions of Arbitration and Conciliation
Act, 1996 and the award made in pursuance thereof shall be binding on the parties.
The Successful bidder shall continue to work under the Contract during the arbitration
proceedings unless otherwise directed in writing by PNB or unless the matter is such
that the work cannot possibly be continued until the decision of the Arbitrator or of the
umpire, as the case may be, is obtained.
Save as those, which are otherwise explicitly provided in the contract, no payment due
or payable by PNB, to the successful bidder shall be withheld on account of the ongoing
arbitration proceedings, if any, unless it is the subject matter or one of the subject
matters thereof.

The venue of the arbitration shall be Delhi, India & arbitration will be in English.

4.3. Notices
Notice or other communications given or required to be given under the Contract shall
be in writing and shall be hand-delivered with acknowledgement thereof, or transmitted
by pre-paid registered post or by recognized courier, or by facsimile, provided that where
such notice is sent by facsimile, a confirmation copy shall be sent by pre-paid registered
post or by recognized courier within five days of the transmission by facsimile, to the
address of the receiving party by the other in writing, provided such change of address
has been notified at least ten days prior to the date on which such notice has been given
under the terms of the contract.
Any notice or other communications shall be deemed to have validly given on date of
delivery if hand-delivered; if sent by registered post or by recognized courier, then on the
expiration of seven days from the date of posting; and if transmitted by facsimile, then on
the next business date after the date of transmission.

4.4. Use of Contract Documents and Information
The empanelled IS Auditor shall not, without PNB's prior written consent, disclose the
Contract or any provision thereof, or any specification or information furnished by or on
behalf of PNB in connection therewith, to any person other than a person employed by
the empanelled IS Auditor in the performance of the Contract. Disclosure to any such
employed person shall be made in confidence against Non-disclosure agreements
completed prior to disclosure and disclosure shall extend only so far, as may be
necessary for the purposes of such performance. Any document, other than the Contract
itself, shall remain the property of PNB and all copies thereof shall be returned to PNB
on termination of the Contract.

4.5. Patent and Copyrights
The empanelled IS Auditor shall, at its own cost and expenses, defend and indemnify
and keep indemnified PNB against all third-party claims including those of the
infringement of Intellectual Property Rights, including patent, trademark, copyright, trade
secret or industrial design rights, arising from use of the Products or services or any part
thereof in India.



RFP for security cum functional audit of application software      Confidential
                                                                                       22
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
If PNB is required to pay compensation to a third party resulting from such infringement,
the empanelled IS Auditor shall be fully responsible therefore, including all expenses and
cost and legal fees. PNB will give notice to the empanelled IS Auditor of any such claim
and shall provide reasonable assistance to the empanelled IS Auditor in disposing of the
claim.
The empanelled IS Auditor shall also be liable to indemnify PNB, at its own cost and
expenses, against all losses/damages, which PNB may suffer on account of violation by
the empanelled IS Auditor of any or all national/international trade laws, norms,
standards, procedures etc.
The empanelled IS Auditor shall be liable to indemnify PNB, at its own cost and
expense, in respect of any losses sustained or suffered by any third party, on account of
breach of any stipulation of this agreement by the Empanelled IS Auditor or any
negligent or fraudulent act or omission by Empanelled IS Auditor in course of fulfilling its
obligations under the RFP.

4.6. Deliverables
Schedule of audit and reports required are covered in scope of audit. (Annexure-`A')

4.7. Payment Terms

The successful bidder will be entitled to claim 80% payment on submission of final report
of security cum functional audit of application software and 20% on completion of
compliance audit of the observations.

In case of factors not attributed to auditor for delay in completion of compliance audit, 20%
payment will also be released to the IS auditor after 30 days of submission of final report.

4.8 Taxes and Duties
Price will be quoted excluding all taxes. All applicable Taxes and Duties should be
indicated in the Commercial Bid separately and will be payable on actual basis on
providing the proof of the payment.

4.9 Delays in the Performance
The Successful bidder must strictly adhere to the audit schedule, as specified in the
contract in the performance of the obligations and any delay in this regard will enable
PNB to resort to any or both of the following:
      (a) Claiming Liquidated Damages
      (b) Termination of the agreement fully or partly and claim liquidated damages.
      (c) Imposing penalty.

4.10 Penalty
Delayed start of audit, Delayed completion of audit and Delayed submission of report as
per agreed terms defined in scope of audit will attract penalty of 1 % per day on delay of
total amount payable for the audit of software­(maximum up to 15% of the fees).If the
report is not submitted within 15 days after completion of audit, the bank may cancel the
order.



RFP for security cum functional audit of application software    Confidential
                                                                                     23
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
PNB will have the rights to recover the liquidated damages, if any, from any amount
payable to the Successful bidder.

4.11 Force Majeure
The Successful bidder or PNB shall not be responsible for delays or non-performance of
any or all contractual obligations, caused by war, revolution, insurrection, civil
commotion, riots, mobilizations, strikes, blockade, acts of God, Plague or other
epidemics, fire, flood, obstructions of navigation by ice of Port of dispatch, acts of
government or public enemy or any other event beyond the control of either party, which
directly, materially and adversely affect the performance of any or all such contractual
obligations.
Provided either party shall within ten (10) days from the occurrence of such a cause
notify the other in writing of such causes. Unless otherwise directed by the Bank in
writing, the Successful bidder shall continue to perform his obligations under the contract
as far as possible, and shall seek all means for performance of all other obligations, not
prevented by the Force Majeure event.
4.12 Correspondences
PNB and the empanelled IS Auditors shall nominate a Project Manager each
immediately on empanelment, who shall be the single point of contact for the projects to
be assigned for IS Audit. However, for escalation purpose, details of other persons shall
also be given. The project manager nominated by the Bidder should have prior
experience in implementing similar systems in the past and should be a qualified
professional.

4.13 Successful bidder's Obligations
The following form illustrative obligations of the Successful bidder. These are not exhaustive.
The Successful bidder will abide by the job safety, customs and immigration measures
prevalent and laws in force in India, and will indemnify PNB against all demands or
responsibilities arising from accidents or loss of life, the cause of which is the Successful
bidder's negligence. The Successful bidder will pay all indemnities arising from such
incidents and will not hold PNB responsible or obligated.
The Successful bidder is responsible for, and obligated to conduct all contracted activities
with due care and diligence, in accordance with the Contract and using state-of-the-art
methods and economic principles, and exercising all reasonable means to achieve the
performance specified in the Contract.
The Successful bidder is obliged to work closely with PNB's staff, act within its own authority,
and abide by directives issued by PNB that are consistent with the terms of the Contract.
The Successful bidder is responsible for managing the activities of its personnel, and will
hold itself responsible for any misdemeanors.
The Successful bidder shall be solely responsible for the performance of the contract to the
satisfaction of PNB.
No right to employment in bank shall accrue of arise by virtue of empanelment of the
successful bidder. Neither the successful bidder nor its employees, agents or representative
shall hold out or represent as agents of bank. None of the employees, representatives or
agents of successful bidder shall be entitled to claim permanent absorption or any other



RFP for security cum functional audit of application software       Confidential
                                                                                         24
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
claim or benefit against the bank/employment. The personnel employed by the successful
bidder shall not have any claim whatsoever against the bank.

4.14 Contract Amendments
Any change made in any clause of the contract which shall modify the purview of the
contract within the validity and currency of the contract shall be deemed as an Amendment.
Such an amendment can and will be made and be deemed legal only when the parties to the
contract provide their written consent about the amendment, subsequent to which the
amendment is duly signed by the parties and shall be construed as a part of the contract.
The details of the procedure for amendment shall be as specified in the contract.

4.15 Extension of Bank Guarantees
The Bidder shall be responsible for extending the validity date and claim period of all the
bank guarantees as and when it is due. PNB shall invoke the guarantee before expiry of
validity if work is not completed and the guarantee is not extended, accordingly.

4.16 Adherence to Standards & Right of Audit/Visit
The selected Bidder must adhere to laws of land and rules, regulations and guidelines
prescribed by various regulatory, statutory and Government authorities.

The Bank and Regulatory bodies such as RBI reserve the right itself or through a
consultant to conduct audit/ongoing audit or visit the office locations of the selected Bidders.
The cost of the audit/Consultant shall be borne by the Bank.

4.17 Subcontracting
              No Subcontracting of the work will be permissible to the empanelled bidders.




RFP for security cum functional audit of application software        Confidential
                                                                                          25
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
                                                                              Annexure     A

    1     SCOPE

    Scope of Security cum Functional Audit of the application software i.e. Programs/
    Webscripts/Applications etc coded in any computer programming language, during
    the contract period will include:-

          Functionality implemented vis-à-vis the Bank's requirements.
          Input, processing and output controls across various schemes across the bank
          Controls for performing/changing parameter setup of functionality across
          applications.
          Through-put validation
          Automated batch processing, scheduled tasks, critical calculations etc
          IT General Control Review
          In case of web based application, the validation against top 10 OWASP
          vulnerabilities.
          Regular updation of job cards with new version releases.
          Checks against network attacks
          Code Review, wherever possible
          Application Security & Controls Review
          Database Security & Integrity Review
          Review of Interface Controls with other applications
          Review of Network & Communication Controls with relation to the application
          package
          Test of robustness of the system by running a specific number of transactions on
          it
          Evaluation of Efficiency & Effectiveness of the package vis-à-vis business
          processes and requirements. Whether the objectives of the application are likely
          to be fulfilled by implementation.
          Assessment of the risk component in the package
          Compliance testing of the changes in software made for mitigation of the
          discrepancies pointed out in the audit report
          Availability of necessary audit logs and its accuracy and effectiveness.
          Integration with Delivery Channels including data and transaction integrity for the
          same.
          Suggestions for mitigating the risks.
          If outsourced, escrow arrangement with application vendors.

The above scope is illustrative and subject to change as per the requirement of the Bank
and may vary on case to case basis.

.   1.2        VULNERABILITY/THREAT ASSESSMENT & PENETRATION TESTING
             (INTERNAL/EXTERNAL)

    Testing should not disrupt our services. Test cases should not be selected that are
    destructive. The techniques, the tools used should have been thoroughly tested.



RFP for security cum functional audit of application software      Confidential
                                                                                      26
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
    Exercise will be carried out from the place where servers are placed. The same will
    also be carried out from a selected branch outlet for selected sample critical
    application/ servers.

   Appropriate updated tools should be used for each phase of test.

    a) Vulnerability assessment of all newly developed application software servers.
    b) Placement/ Deployment of security equipments, network equipments for securing
       database, application, web servers of various applications.
    c) In Penetration testing on applications through internal network (Intranet).

           NOTE: Penetration testing should include network and application layer
           testing as well as controls & processes around the networks &
           applications, and should conduct from inside the network (internal testing).

1.3 OPEARATING SYSTEM (OS)

       i.     Set up and maintenance of operative system parameters.
      ii.     All the Security features available in the OS are enabled/taken advantage of
              as far as possible.
     iii.     Vulnerabilities in OS are being taken care off. Compensatory controls for
              known vulnerabilities are in place.
     iv.      Security configuration of devices with respect to OEM latest released patches
              and software versions.
      v.      Changes in system software are controlled in line with the organization's
              change management procedures. Proper record is maintained and
              authenticated regarding installation, its up-gradation, re-installation and
              maintenance.
     vi.      Use of sensitive system software utilities is in controlled manner and it is
              monitored and logged.
     vii.     Root and sensitive passwords are used in controlled manner. Their use is
              logged and monitored.
    viii.     Performance, scalability and availability.

1. 4 DATA BASE MANAGEMENT SYSTEM AND DATA SECURITY

              a) Use of Data Repository System (DRS), Data Definition Language (DDL),
                 Data Manipulation Language (DML).
              b) Storage of duplicate copy of Data Definition and DRS at off-site.
              c) Monitoring of log of changes to the Data Definitions.
              d) Data Dictionary and Data Directory System
              e) Procedures to ensure that all data are classified in terms of sensitivity by a
                 formal and explicit decision by the data owner and necessary safeguards
                 for its confidentiality, integrity and authenticity are taken as per IT Security
                 Policy.
              f) Logical access controls which ensure the access to data is restricted to
                 unauthorized users
              g) Confidentiality and privacy requirements are met.
              h) Authorization, authentication and access control are in place
              i) Segregation of duties is ensured for accessing data.

RFP for security cum functional audit of application software         Confidential
                                                                                          27
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
            j) Purging policy-procedures of Data Files.
            k) How the database integrity is ensured in case tables are not properly
               updated by application software due to various reasons, i.e. break in link,
               bug in software, etc. In case of direct Updation /modification of database is
               done by opening the tables in live environment, evaluate the controls.
            l) Protection of Sensitive Information during Transmission and Transport.
            m) Separation of duties.
            n) Rotation of duties.
            o) Patches and new versions are updated as and when released by vendor/
               Research and Development team. If not done then comment upon
               vulnerabilities and availability of services of existing version being used.
               Evaluate procedure for correct updation of the same and confirmation by
               user/ Research and Development team.

1.5 OUTSOURCING
         a) Service levels are defined and managed.
         b) Non Disclosure agreement NDA is in place.
         c) Responsibility and liability of vendors have been defined.
         d) Service Level Agreements (SLAs) covers key performance indicators
             which formalize the performance criteria with penalty clause against which
             the quantity and quality of service is measured.
         e) Monitoring of vendors activities as per SLAs.
         f) Imposing penalties wherever there are deviations.
         g) Formal agreements are entered which takes care of all the risks
             associated with outsourcing.
1.6 Migration Audit

          a) Review of Data Migration strategy/methodology followed by the
             Bank.Review of data mapping performed by the Bank.
          b) Review of Data Migration tools/scripts configured/developed by Bank.
          c) Review of data validation performed by the Bank.
          d) Review of logs of data migration activity and the identified errors in
             accuracy, integrity, conformity and completeness of data reconciled and
             uploaded into Target System and whether they have been rectified by
             Bank.
          e) Review of appropriate data integrity checks like batch totals, check digit
             totals, number of records & other value parameters.
1.7 Other Audit
         a) Special Audit such as for RA Audit or any regulatory guidelines etc.
         b) Any other Audit as and when required.

2       Schedule of Audit:

Successful bidder will have to visit the respective location and no remote access will be
given. Audit location shall be primarily 5, Sansad Marg, New Delhi however in case of
any change same shall be informed accordingly.

Audit to be completed as per schedule mentioned under point no. 3.1 of the scope.

3     DELIVERABLES:

RFP for security cum functional audit of application software     Confidential
                                                                                     28
         Punjab National Bank, Inspection & Audit Division, HO, Delhi

      3.1 Time Lines

      1. On acceptance of the commercials for audit of application software, the
          successful bidder will provide schedule of audit, within 2 working days with full
          credentials of Audit team (qualification & experience as defined in RFP) who will
          be conducting the audit of the software. Audit should be commenced not later
          than 3 days from the award of the application audit work.
      2. Completion of each software audit as per the scope within 7 working days from
          the date of commencement of audit.
      3. Giving draft report for discussions with owners within 2 working days after
          completion of audit.
      4. Discussion of the issues with owner after 2 working days of submission of draft
          report..
      5. Give digitally signed final report within 2 working days after discussions with
          owners.
      6. If recommendation for risk mitigation/ removal could not be implemented as
          suggested, alternate solutions will be provided over phone/ email or personal
          visits to respective location if required. Response over phone/ email should come
          within 4 hours of receipt of request and personal visit should be made within 4
          days.
      7. Compliance testing of the changes in software made for mitigation of the
          discrepancies pointed out in the audit report should be completed within 2 days
          from the submission of compliance report by the auditee. Compliance testing
          report should be submitted through email/Hard copy not later than 3 days after
          compliance testing.
      8. Resources strength with experience as defined in 2.2(f) will be deployed keeping
          in view the scope of audit and time schedule.
      9. No inexperienced / less qualified resource should be deployed for audit. Resume
          of auditor will be provided to Bank before hand and will be deputed to assignment
          only after Bank's consent.
      10. Single point of contact person should not be changed frequently.

3.2      REPORTS:

Report should be wherever possible provided with snap shot / evidence/ documents
details from which observation made wherever required by Bank.

Report shall be submitted in digitally singed soft copies as well as signed hard copies.

Audit Report format should at the minimum include:-

      a) Broad domain categorization of activity (Port/SQL injection/ Services/Logical
         access control etc.)
      b) Risk category ­ High, Medium, Low
      c) Risk / Implication
      d) Recommendation for risk mitigation/ removal as per bank's existing
         environmental setup ­ step wise. If not resolved, alternate solutions will be
         provided over phone/ email or personal visits to department if required. Response
         over phone/ email should come within 4 hours of receipt of request.

RFP for security cum functional audit of application software    Confidential
                                                                                     29
         Punjab National Bank, Inspection & Audit Division, HO, Delhi
      e) Provision for updating owner's compliance comments.
      f) Explicit reference to key policy and procedure documents of the Bank against
          identified risk/observation.
      g) Additional mandatory or voluntary standards or regulations applicable to the
          banking industry as best practices should be reported under "Improvement
          /suggestions"
      h) Summary of audit findings including identification tests, tools used and results of
      tests performed (like vulnerability assessment, application security assessment
                   a. Tools used
                   b. List of vulnerabilities identified.
                   c. Description of vulnerability
                   d. Test cases used for assessing the vulnerabilities and
                         Analysis of vulnerabilities and issues of concern
      i) Personnel involved in the audit, including identification of any trainees

The auditor may further provide any other required information as per the approach
adopted by them and which they feel is relevant to the audit process.

             Report will be given in editable and non editable softcopy so that editable can
             be used in updating compliances by User Department
             Report will be given in signed hard copy also.
             Presentation on findings of audit will be given to Management by the person
             who audited accompanied by senior consultant after completion of each
             software audit within a week time of giving final report whenever requested by
             the bank.

3.3      Training:

The successful bidders (who will be awarded with maximum work orders during the
period) shall have to provide 1 day training on half yearly basis at Bank's Premise at
New Delhi without charging any cost. The training shall be provided to Bank's in-house
software developers/internal auditors regarding secure code practices and secured
application development.




RFP for security cum functional audit of application software      Confidential
                                                                                       30
        Punjab National Bank, Inspection & Audit Division, HO, Delhi

                                                                                 Annexure ­ B
Performance Guarantee Form
                                                                                  Date:

The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi ­ 110075

Dear Sir,

PERFORMANCE BANK GUARANTEE ­SECURITY CUM FUNCTIONAL AUDIT OF
APPLICATION SOFTWARE OF THE PUNJAB NATIONAL BANK AS PER SCOPE IN
RFP.

WHEREAS

M/s.(name of Auditor), a company/Firm registered under the Companies Act, 1956,(as
applicable) having its registered and corporate office at (address of the Auditor), (
hereinafter referred to as "our constituent", which expression, unless excluded or
repugnant to the context or meaning thereof, includes its successors and assigns),
entered into a Agreement dated.........(hereinafter , referred to as "the said Agreement")
with you ( Punjab National Bank) for Security cum functional audit of application software
as detailed in the said Agreement.

We are aware of the fact that in terms of sub-para (...), Section (...), Chapter (...) of the
said Agreement, our constituent is required to furnish a Bank Guarantee for an amount
Rs 100000/-(Rs. One Lakh only) as per the said Agreement, as security against
breach/default of the said Agreement by our Constituent.

In consideration of the fact that our constituent is our valued customer and the fact that
he has entered into the said Agreement with you, we, (name and address of the bank),
have agreed to issue this Performance Bank Guarantee.

Therefore, we (name and address of the bank) hereby unconditionally and irrevocably

Guarantee you as under:
  I.     We (Name of the Bank), do hereby undertake to pay the amounts due and
        payable under this guarantee without any demur, merely on a demand from
        Punjab National Bank that the amount clamed is due by way of loss or damage
        caused to or would be caused to or suffered by Punjab National Bank by reason
        of breach by our constituent, of any of the terms or conditions contained in the
        said agreement.
 II.    Notwithstanding anything to the contrary, as contained in the said Agreement,
        We agree that your decision as to whether our constituent has made any such
        default/s/ breach/es, as afore-said and the amount or amounts to which you are

RFP for security cum functional audit of application software     Confidential
                                                                                          31
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
        entitled by reasons thereof, subject to the terms and conditions of the said
        Agreement, will be binding on us and we shall not be entitled to ask you to
        establish your claim or claims under this Performance Bank Guarantee, but will
        pay the same forthwith on your demand without any protest or demur.

 III.   This Performance Bank Guarantee shall continue and hold good till the
        completion of 30 months from the date of agreement i.e. (date), subject to the
        terms and conditions in the said Agreement.

 IV.    We bind ourselves to pay the above said amount at any point of time
        commencing from the date of the said Agreement until the completion of the
        contract.

  V.    We further agree that the termination of the said Agreement, for reasons solely
        attributable to our constituent, virtually empowers you to demand for the payment
        of the above said amount under this guarantee and we have an obligation to
        honour the same without demur.

 VI.    In order to give full effect to the guarantee contained herein, we (name and
        address of     the bank), agree that you shall be entitled to act as if we were your
        principal debtors in respect of your claims against our constituent. We hereby
        expressly waive all our rights of surety ship and other rights, if any, which are in
        any way inconsistent with any of the provisions of this Performance Bank
        Guarantee.

VII.    We confirm that this Performance Bank Guarantee will cover your claim/s against
        our constituent made in accordance with this Guarantee from time to time, arising
        out of or in relation to the said Agreement and in respect of which your claim is
        lodged with us on or before the data of expiry of this Performance Guarantee,
        irrespective of your entitlement to other claims, rights and relief, as provided in
        the said Agreement.

VIII.   Any notice by way of demand or otherwise hereunder may be sent by special
        courier, telex, fax, registered post or other electronic media to our address, as
        aforesaid and if sent by post, it shall be deemed to have been given to us after
        the expiry of 48 hours when the same has been posted.

 IX.    If it is necessary to extend this guarantee on account of any reason whatsoever,
        we undertake to extend the period of this guarantee on the request of our
        constituent under intimation to you (Punjab National Bank).

  X.    This Performance Bank Guarantee shall not be affected by any change in the
        constitution of our constituent nor shall it be affected by any change in our
        constitution or by any amalgamation or absorption thereof or therewith or
        reconstruction or winding up, but will ensure the benefit to you and be available to
        and be enforceable by you.

 XI.    Notwithstanding anything contained hereinabove, our liability under this
        Performance Guarantee is restricted to Rs.100000/-(Rs. One Lakh only) and
        shall continue to exist, subject to the terms and conditions contained herein,

RFP for security cum functional audit of application software     Confidential
                                                                                     32
        Punjab National Bank, Inspection & Audit Division, HO, Delhi
        unless a written claim is lodged on us on or before the afore-said date of expiry of
        this guarantee.

XII.    We hereby confirm that we have the power/s to issue this Guarantee in your
        favour and the undersigned is/are the recipient of authority by express delegation
        of power/s and has/have full power/s to execute this guarantee under the Power
        of Attorney issued by the bank in his/their favour.

XIII.   We further agree that the exercise of any of your rights against our constituent to
        enforce or forbear to enforce or any other indulgence of facility, extended to our
        constituent to carry out the contractual obligations as per the said Agreement,
        would not release our liability under this guarantee and that your right against us
        shall remain in full force and effect, notwithstanding any arrangement that may be
        entered into between you and our constituent, during the entire currency of this
        guarantee.

Notwithstanding anything contained herein:

a.     Our liability under this Performance Bank Guarantee shall not exceed Rs
100000/-           ( Rs. One Lakh only)) ;
b.     This Performance Bank Guarantee shall be valid only up to ..............( and
c.     We are liable to pay the guaranteed amount or part thereof under this
Performance Bank Guarantee only and only if we receive a written claim or demand on
or before ...........( .

 This Performance Bank Guarantee must be returned to the bank upon expiry of the
claim period as under (c) above. If the Performance Bank Guarantee is not received by
the bank within the above-mentioned period, subject to the terms and conditions
contained herein, it shall be deemed to be automatically cancelled.

Dated......................this...............day.............20...

Yours faithfully,

For and on behalf of the ..............Bank,

(Signature)
Designation
(Address of the Bank)

Note:

a) This guarantee will attract stamp duty as a security bond.
b) A duly certified copy of the requisite authority conferred on the official/s to execute
the guarantee on behalf of the bank should be annexed to this guarantee for verification
and retention thereof as documentary evidence in the matter.




RFP for security cum functional audit of application software         Confidential
                                                                                     33
        Punjab National Bank, Inspection & Audit Division, HO, Delhi

Annexure ­ C

                                      TECHNICAL BID FORM
                                                                          Date:
The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi ­ 110075

Dear Sir,
Reg: Security cum functional audit of application software(s) of the Punjab
National Bank as per scope in RFP.

Dear Sir,
Having examined the RFP Documents, the receipt of which is hereby duly
acknowledged, we, the undersigned, offer to conduct security cum functional audit of
application software in conformity with the said RFP Documents and hereby undertake
that we accept all the conditions of the contract as per the Bidding Document and will
audit the application software as per the Scope of audit (Annexure-`A'). We further
undertake that we fulfill the Minimum eligibility criteria stated in Chapter 2 clause 2.2 and
for this purpose we enclose the details. In addition to this, the particulars of our
organization such as legal status, principal place of business, details of experience and
past performance, service support details, capability statement and the required bid
security in shape of bank draft are furnished with this bid form.
We further undertake, if our bid is accepted, to execute the audit assignment in
accordance with the requirements and the delivery schedule as mentioned in the
Schedule of Requirements.
If our bid is accepted, we will obtain the guarantee of a bank in the form prescribed by you for a sum equivalent to Rs. 100000/- for the due performance of the Contract. We agree to abide by this bid for the Bid validity period specified in section 3.2.5 of the ITB and it shall remain binding upon us and may be accepted at any time before the expiration of that period. Until a formal contract is prepared and executed, this bid, together with your written acceptance thereof and your notification of award shall constitute a binding Contract between us. We undertake that, in competing for (and, if the award is made to us, in executing) the above contract, we will strictly observe the laws against fraud and corruption in force in India namely "Prevention of Corruption Act. We understand that you are not bound to accept the lowest or any bid you may receive. Dated this ........... Day of ............... 20..... (Signature and the capacity of the person duly authorized to sign Bid for and on behalf of) RFP for security cum functional audit of application software Confidential 34 Punjab National Bank, Inspection & Audit Division, HO, Delhi Annexure ­ D Score Sheet SNo Criteria Details 1 No. of qualified auditor in Bio data of the qualified auditors to be deployed for the firm as defined in 2.2. audit is to be given as per Annexure K. (f) on the permanent roll of the organization. Maximum Marks -30 2 No. of completed Security Details of Security cum functional audit of application cum Functional Audit of software conducted in Government organization Application software in /PSUs/ Banks during last 5 years with details as given Government organization in Annexure-I. /PSUs/ Banks during last 5 years. Details of Security cum functional audit of application software in Banks with bifurcation as given below in (Maximum Marks -50) Annexure-I. (i) Audit of Core Banking Solution (CBS) project of the Bank in any bank having more than 200 offices. (ii) Audit of financial software other than above (like ATM, IBS, Treasury) of any bank having more than 200 offices. (iii) Other than above. 3 Total no. of PSU/Banks No. & name of PSU/Bank for the security cum customer for the purpose functional audit of application software in last 5 of security cum functional year.(Attach work order in support of audit work). audit of application software during last 5 years. (Maximum Marks -20) RFP for security cum functional audit of application software Confidential 35 Punjab National Bank, Inspection & Audit Division, HO, Delhi Annexure ­E Undertaking- 1 To, Date The Chief Manager, Punjab National Bank, IT Audit Cell, Inspection & Audit Division, Head Office, 2nd Floor, East Wing Corporate Office, Sector-10, Dwarka New Delhi ­ 110075 Dear Sir, Reg: Security cum functional audit of application software(s) of the Punjab National Bank as per scope in RFP. We understand that a) You are not bound to accept the lowest or any bid received by you, and you may reject all or any bid. b) If we qualify for the empanelment, we undertake to enter into and execute at our cost, when called upon by the bank to do so, a contract in the prescribed form. Unless and until a formal contract is prepared and executed, this bid together with your written acceptance thereof shall constitute a binding contract between us. c) After empanelment if our commercials are accepted, we are responsible for the due performance of the contract. d) You may accept or entrust the entire work to one vendor or divide the work to more than one vendor without assigning any reason or giving any explanation whatsoever. (Vendor means the bidder who is decided and declared so after examination of commercial bids submitted by empanelled IS Auditor.) Dated at____________this _______________day of __________20. (Signature and the capacity of the person duly authorized to sign Bid for and on behalf of) RFP for security cum functional audit of application software Confidential 36 Punjab National Bank, Inspection & Audit Division, HO, Delhi Annexure ­F Undertaking 2 To, Date The Chief Manager, Punjab National Bank, IT Audit Cell, Inspection & Audit Division, Head Office, 2nd Floor, East Wing Corporate Office, Sector-10, Dwarka New Delhi ­ 110075 Dear Sir, Reg: Security cum functional audit of application software(s) of the Punjab National Bank as per scope in RFP. a) We hereby confirm that all the requirements as enumerated in RFP as per requirement of the Bank have been included in the bid. Further, we hereby undertake and agree to abide by all the terms and conditions stipulated by the Bank in this RFP. We understand that any deviation may result in disqualification of bids. b) We undertake that adequate number of qualified auditors will be deployed for audit process to complete the audit within stipulated time as per clause 3.1 of annexure A. c) We undertake that reporting formats should at the minimum include all the requirements as per clause 3.2 of annexure A. d) We undertake that we will have legal right to use any third party software if required for audit and under such licenses, in terms set out under any relevant license or sub-license agreement. We will indemnify the Bank for any and all costs that may arise out of the use of software, in which it is alleged that any rights of the owners of such software have been infringed. e) We shall provide Risk Movement for various activities as desired. f) We have not been blacklisted by any nationalized Bank/ RBI/IBA or any other Government agency. No legal action is pending against us for any cause in any legal jurisdiction. (Deviation to the above if any, the Bidder must provide details of such action (s).) 1) 2) 3) 4) (Signature and the capacity of the person duly authorized to sign Bid for and on behalf of) RFP for security cum functional audit of application software Confidential 37 Punjab National Bank, Inspection & Audit Division, HO, Delhi Annexure-G COMPLIANCE STATEMENT DECLARATION We hereby undertake and agree to abide by all the terms & conditions and Scope of audit stipulated by the Bank in the RFP including all annexure, addendum and corrigendum. Signature and Seal of Bidder Date:- RFP for security cum functional audit of application software Confidential 38 Punjab National Bank, Inspection & Audit Division, HO, Delhi Annexure - H Technical Compliance Sheet S. Criteria Details No a Bidder must prove that it is a current Bidder's Firm/Company Name: Registered Head office: legal entity in India and must warrant that it is financially solvent. Offices at other locations: 1 2 Brief Profile: Year of commencement of Business Website: Authorized person: Designation: Phone No Email Address b Must not be a vendor for Software and Provided following hardware and Hardware components of the Bank. software to the Bank: c Must be a Company /Firm /Organization Turnover and profit during last 3 /independent subsidiary with an average years: (In Indian Rupee) annual turnover of Rs.1 (One) Crore or 2014-15 2015-16 2016-17 more during the last three financial years Turnover and should be in profit during all three Profit financial years. Attach copy of audited balance sheets of above periods. d Must have at least 3 years experience in Conducted following Security the field of providing Security Cum cum functional Audit of functionality audit of application software application software in last three and The company should provide the years: adequate documentary evidence in support Organizations of providing similar services. Fill details in Annexure I e Must not have been blacklisted by any Signed Undertaking in annexure nationalized Bank/ RBI/IBA or any other F Government agency. f Firm must have minimum 5 qualified Number of such Professionals on professionals with degree from Govt. the permanent roll of the bidding recognized reputable company with certifications Universities/Institutions as CISA BE/B.Tech/ME/M.Tech/MCA/C.A.(ICAI) CISSP and certifications as CISA/ CISSP/CEH / CEH Sun Certified Security Administrator SCSECA/OCE (SCSECA) / OCE (Oracle Certified Expert - CCIE-Security Security Administrator), Cisco CCIE- RFP for security cum functional audit of application software Confidential 39 Punjab National Bank, Inspection & Audit Division, HO, Delhi security along with 2 or more years post Others(Specify) qualification experience of security cum functional audit of application software with at least one software audit of PSUs/Banks and on permanent roll of the organization. g Must be empanelled with Cert-in, Govt of Attach self attested copy of India for Security audit with a certificate certificate of empanelment. of empanelment for the Block 2016-2019 i Must be able to provide deliverables as Undertaking by the bidder. per clause 3 of Annexure A of RFP. Place: Date: Seal & Signature of Bidder RFP for security cum functional audit of application software Confidential 40 Punjab National Bank, Inspection & Audit Division, HO, Delhi ANNEXURE I Security cum functional audit of application software assignment: Organization Scope of Audit Date/ Details of software Period Website: (Attach copy of when address: order / contract) conducted Place: Date: Seal & Signature of Bidder RFP for security cum functional audit of application software Confidential 41 Punjab National Bank, Inspection & Audit Division, HO, Delhi Annexure J CONFIDENTIALITY - CUM - NON DISCLOSURE AGREEMENT If it is not a company, This Confidentiality ­cum- Nondisclosure Agreement is entered into at Constituti on this day of 2016, between (Insert Name of the on and Service Provider) a company within the meaning of Companies Act, 1956, address having its Registered Office at (herein after called `Service be Provider') and Punjab National Bank, a Body Corporate constituted under stated the Banking Companies (Acquisition & Transfer of Undertakings) Act, 1970 appropria having its Head Office at ,Plot-4, Sector-10, Dwarka, New Delhi ­ 110 075 and inter-alia, its Information & Technology Division at 5 Sansad Marg, New Delhi ­ 110 001 (herein after referred to as `PNB'). The Service Provider and PNB would be having discussions and negotiations concerning the establishment of and during continuance of a business relationship between them as per Agreement dated (hereinafter referred to as `Agreement'). In the course of such discussions and negotiations, it is anticipated that either party may disclose or deliver to the other party certain of its trade secrets or confidential or proprietary information for the purpose of enabling the other party to evaluate the feasibility of such a business relationship. The parties have entered into this Agreement, in order to assure the confidentiality of such trade secrets and confidential and proprietary information in accordance with the terms of this Agreement. As used in this Agreement, the party disclosing Proprietary Information (as defined below) is referred to as the `Disclosing Party' and will include its affiliates and subsidiaries, the party receiving such Proprietary Information is referred to as the `Recipient', and will include its affiliates and subsidiaries. Now this Agreement witnessed:- 1. Proprietary Information: As used in this Agreement, the term `Proprietary Information' shall mean all trade secrets or confidential or Proprietary Information designated as such in writing by the Disclosing Party, whether by letter or by the use of an appropriate prominently placed Proprietary stamp or legend, prior to or at the time such trade secret or confidential or Proprietary Information is disclosed by the Disclosing Party to the Recipient. Notwithstanding the forgoing, information which is orally or visually disclosed to the recipient by the Disclosing Party or is disclosed in writing unaccompanied by a covering letter, proprietary stamp or legend, shall constitute proprietary information if the disclosing party, within 10 (ten) days after such disclosure, delivers to the Recipient a written document or documents describing such Proprietary Information and referencing the place and date of such oral, visual or written disclosure and the names of the employees or officers of the Recipient to whom such disclosure was made. RFP for security cum functional audit of application software Confidential 42 Punjab National Bank, Inspection & Audit Division, HO, Delhi 2. Confidentiality: a) Each party shall keep secret and treat in strictest confidence all confidential information it has received about the other party or its customers and will not use the confidential information otherwise than for the purpose of performing its obligations under this Agreement in accordance with its terms and so far as may be required for the proper exercise of the Parties' respective rights under this Agreement. b) The term `confidential information' shall include all written or oral information (including information received from third parties that the `Disclosing Party' is obligated to treat as confidential) that is (i) clearly identified in writing at the time of disclosure as confidential and in case of oral or visual disclosure, or (ii) that a reasonable person at the time of disclosure reasonably would assume, under the circumstances, to be confidential. Confidential information shall also include, without limitation, software programs, technical data, methodologies, know-how, processes, designs, new products, developmental work, ma rket in g requirements, marketing plans, customer names, prospective customer names, customer information and business information of the `Disclosing Party'. 3. Non-Disclosure o f Proprietary Information: For the period during the Agreement or its renewal, the Recipient will: (a) Use such Proprietary Information only for the purpose for which it was disclosed and without prior written authorization of the Disclosing Party shall not use or exploit such Proprietary Information for its own benefit or the benefit of others. (b) Protect the Proprietary Information against disclosure to third parties in the same manner and with the reasonable degree of care, with which it protects its confidential information of similar importance: and (c) Limit disclosure of Proprietary Information received under this Agreement to persons within its organization and to those 3rd party contractors performing tasks that would otherwise customarily or routinely be performed by its employees, who have a need to know such Proprietary Information in the course of performance of their duties and who are bound to protect the confidentiality of such Proprietary Information. 4. Limit on Obligations: The obligations of the Recipient specified in clause 3 above shall not apply and the Recipient shall have no further obligations, with respect to any Proprietary Information to the extent that such Proprietary Information: is generally known to the public at the time of disclosure or becomes generally known without any wrongful act on the part of the Recipient, a) is in the Recipient's possession at the time of disclosure otherwise than as a result of the Recipient's breach of a legal obligation; RFP for security cum functional audit of application software Confidential 43 Punjab National Bank, Inspection & Audit Division, HO, Delhi b) Becomes known to the Recipient through disclosure by any other source, other than the Disclosing Party, having the legal right to disclose such Proprietary Information. c) Is independently developed by the Recipient without reference to or reliance upon the Proprietary Information; or d) Is required to be disclosed by the Recipient to comply with applicable laws or governmental regulation, provided that the recipient provides prior written notice of such disclosure to the Disclosing Party and takes reasonable and lawful actions to avoid and/or minimize the extent of such disclosure. 5. Return of Documents: The Recipient shall, upon the request of the Disclosing Party, in writing, return to the Disclosing Party all drawings, documents and other tangible manifestations of Proprietary Information received by the Recipient pursuant to this Agreement (and all copies and reproductions thereof) within a reasonable period. Each party agrees that in the event it is not inclined to proceed further with the engagement, business discussions and negotiations, or in the event of termination of this Agreement, the Recipient party will promptly return to the other party or with the consent of the other party, destroy the Proprietary Information of the other party. 6. Communications: Written communications requesting or transferring Proprietary Information under this Agreement shall be addressed only to the respective designees as follows (or to such designees as the parties hereto may from time to time designate in writing) M/s __________________________________ (PNB) Attn: _________________________________ Attn: ________________________________ 7. Term: The obligation pursuant to Clause 2 and 3 (Confidentiality and Non- Disclosure of Proprietary Information) will survive for ----- years following the term of the Agreement dated . Nothing herein contained shall be construed as a grant by implication, estoppels, or otherwise or a license by either party to the other to make, have made, use or sell any product using Proprietary Information or as a license under any patent, patent application, utility model, copyright or any other industrial or intellectual property right covering same. 8. Damages: The provisions of this Agreement are necessary for the protection of the business goodwill of the parties and are considered by the parties to be reasonable for such purposes. Both the parties agree that any breach of this Agreement will cause substantial and irreparable damages to the other party and, therefore, in the event RFP for security cum functional audit of application software Confidential 44 Punjab National Bank, Inspection & Audit Division, HO, Delhi of such breach, in addition to other remedies, which may be available, the party violating the terms of Agreement shall be liable for the entire loss and damages on account of such disclosure. Each party agrees to indemnify the other against loss suffered due to breach of contract and undertakes to make good the financial loss caused directly or indirectly by claims brought about by its customers or by third parties. 9. Miscellaneous: a) This Agreement may not be modified, changed or discharged, in whole or in part, except by a further Agreement in writing signed by both the parties. b) This Agreement will be binding upon and ensure to the benefit of the parties hereto and it also includes their respective successors and assigns c) The Agreement shall be construed and interpreted in accordance with the laws prevailing in India. In witness whereof, the parties hereto have agreed, accepted and a cknowledged and signed these presents, on the day, month and year mentioned herein above. For M/s Authorized Signatory Shri Designation For Punjab National Bank Authorized Signatory Shri Designation _____________ RFP for security cum functional audit of application software Confidential 45 Punjab National Bank, Inspection & Audit Division, HO, Delhi ANNEXURE-`K' Professional's Details:- SNo. Name Designation Educational Qualification Certifications Total Experience Since when in the bidder organization Conducted Security cum functional audit of application software for organization(s) with brief scope and when conducted Role, which may be given by the bidder in the assignment Employee profile (Domain Specific & others e.g. Banking, Ethical Hacking, Sun Solaris security, Oracle DB Security, Network Security etc.) Whether member is part of the team proposed to be deployed for PNB Project (Yes/No) Important Note: CVs of minimum 5 qualified professional as per Para 2.2 (F) are to be furnished on a separate sheet including their Credential in the specialized qualification and their previous employment record. Attach copy of certificate for proof of qualification & certification of qualified professional as per para 2.2(F). Place: Date: Seal & Signature of Bidder RFP for security cum functional audit of application software Confidential 46 Punjab National Bank, Inspection & Audit Division, HO, Delhi ANNEXURE L Check list for the Documents to be submitted Document Particular YES/NO Page No. From To Company Details Brief Profile Audited Balance Copy of balance sheets for 2016- Sheets 2017, 2015-16 and 2014-15 Authorization Power of Attorney for authorized Letter for signatory, duly attested by notary Signatory public/Board resolution. Annexure C Technical BID FORM Annexure D Score Sheet Annexure E Undertaking 1 Annexure F Undertaking 2 Annexure G Compliance Statement Annexure H Technical Compliance Sheet Annexure I Security cum functional audit of application software assignment (copy of purchase order/completion) Annexure J Confidentiality cum Non- disclosure agreement. Annexure K Professional Details with copy of certificates. RFP for security cum functional audit of application software Confidential 47
Home | About Us | Terms and Conditions | Contact Us
Copyright 2018 CAinINDIA All Right Reserved.
Designed and Developed by Binarysoft Technologies Pvt. Ltd.
Integrated Software Solutions Integrated Software Development Integrated Software Services Integrated Software Solutions India Integrated Softw

Transfer Pricing | International Taxation | Business Consulting | Corporate Compliance and Consulting | Assurance and Risk Advisory | Indirect Taxes | Direct Taxes | Transaction Advisory | Regular Compliance and Reporting | Tax Assessments | International Taxation Advisory | Capital Structuring | Withholding tax advisory | Expatriate Tax Reporting | Litigation | Badges | Club Badges | Seals | Military Insignias | Emblems | Family Crest | Software Development India | Software Development Company | SEO Company | Web Application Development | MLM Software | MLM Solutions