
ICC Policy and Procedures - 2022 02 04 2022

This document outlines the internal control and compliance (ICC) policy for Agrani Bank Limited. It discusses the mission, vision, and objectives of ICC. It describes the organizational structure and responsibilities of various groups involved in ICC, including the board of directors, audit committee, senior management, and ICC department. It also discusses ICC-related issues such as the ICC organizational structure, standards, roles of the head of ICC, core risk management, and other ICC processes. The document provides guidance on implementing effective internal control and compliance practices at Agrani Bank.

Uploaded by

pk ghosh

Agrani Bank Limited

Internal Control and Compliance (ICC)
Policy & Procedures-2022

Agrani Bank Bhaban
9D, Dilkusha Commercial Area, Dhaka-1000, Bangladesh
www.agranibank.org

[As per 481th Board of Directors’ meeting, dated: 28/11/2016 ratification on Audit Committee decision, memo no. , dated: 09/11/2016 regarding amendment in different section of this policy is formed and would be treated as ICC Policy and Procedures-2016.]


[(1) ICC Manual (2) Internal Audit Manual (3) Risk Based Internal
Audit Manual (4) Audit Compliance Manual (5) Audit Monitoring &
Controlling Manual (6) IT Audit Manual (7) Fraud Detection &
Management Policy]
First Edition:

It is to be disclosed that ICC Manual-2013 was earlier prepared by the following committee under the leadership
of Mr. Mubarak Hossain, General Manager and the then Head of ICC of Agrani Bank Ltd.
The members of the committee of ICC Manual -2013 were as under:
1. Chairman : Mr. Mobarak Hossain (General Manager and Head of ICC)
2. Member Secretary : Mr. Md. Shahidul Islam (Asstt. General Manager)
3. Member : Mr. Rafiqul Islam, Senior Officer (Auditor)
4. Member : Mr. Md. Shahidul Islam, Senior Officer (Auditor)
5. Member : Mr. Md. Anowar Hossain, Senior Officer (Auditor)
Second Edition:
Following Committee under the guidance of Mr. Md. Monowar Hossain FCA, General Manager and Head of
ICC, Agrani Bank Limited have worked for preparation of ICC Manual-2015 considering recommended
changes.
The members of the committee are as under:
1. Chairman : Mr. Md Monowar Hossain (General Manager and Head of ICC)
2. Member Secretary : Mr. Md. Hafizur Rahman (Deputy General Manager)
3. Member : Mr. Md. Abu Sohel, Principal Officer
4. Member : Mr. Jyotirmoy Sarker Sameer, Principal Officer
5. Member : Mr. Md. Abdul Jalil, Senior Officer (Auditor)

Third Edition:
It is to be disclosed that following Committee members under the guidance of Md. Monowar Hossain FCA, Head
of ICC, Agrani Bank Limited have worked for the preparation of ICC Policy & Procedure-2016 [Internal Audit
(Risk Based) Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual]
considering “Guidelines on Internal Control and Compliance in Banks -2016’’ is circulated by Bangladesh Bank
BRPD circular letter no-03 dated 08/03/2016.
The members of the committee are as under:
1. Chairman : Mr. Md. Monowar Hossain (General Manager and Head of ICC)
2. Member Secretary : Mr. Md. Hafizur Rahman (Deputy General Manager)
3. Member : Mr. Jyotirmoy Sarker Sameer, Principal Officer
4. Member : Mr. Md. Labib Uddin, Senior Officer
5. Member : Mr. Md. Abdul Jalil, Senior Officer (Auditor)
Fourth Edition:
Following Committee under the guidance of Mr. Md. Monowar Hossain, FCA General Manager and Head of
ICC, Agrani Bank Limited have worked for preparation of ICC Policy and Procedures-2018 [Internal Audit
(Risk Based) Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual]
considering recommended changes.
The members of the committee are as under:
1. Chairman : Mr. Md Monowar Hossain FCA (General Manager and Head of ICC)
2. Member Secretary : Mr. Hossain Iman Akanda (Deputy General Manager)
3. Member : Mr. Md. Johurul Islam, Senior Principal Officer
4. Member : Mr. Jyotirmoy Sarker Sameer, Principal Officer
5. Member : Mr. Mohammad Mahbubul Haque, Principal Officer
For actively participating in the task of doing the needful, the committee also thanks (ICC Team):
Mr. Md. Abdul Aziz Dewan, Deputy General Manager;
Mr. Md. Ruhul Amin Chowdhury, Deputy General Manager;
Mr. Md. Shahidul Islam, Deputy General Manager; and
Mr. Md. Abul Kashem, Deputy General Manager.
ICC Policy and Procedures-2022
Fifth Edition:
Following Committee under the guidance of Mr. Md. Monowar Hossain, FCA General Manager and Head of
ICC, Agrani Bank Limited have worked for preparation of ICC Policy and Procedures-2019 [Internal Audit
(Risk Based) Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual, IT Manual and
adding newly Fraud Detection and Management Policy] considering recommended changes.
The members of the committee are as under:
1. Chairman : Mr. Md Monowar Hossain FCA (General Manager and Head of ICC)
2. Member Secretary : Mr. Md. Abul Kashem, Deputy General Manager (Head of Audit & Inspection Division-1)
3. Member : Mr. Ashutosh Chandra Sikder, Assistant General Manager (Head of Audit Monitoring Division)
4. Member : Mr. Rafiqul Islam, Principal Officer, ICC

Sixth Edition:

The members of the committee are as under:


1. Chairman : Mr. Hossain Iman Akondo (General Manager Audit)
2. Vice Chairman : Mr. Mohammad Didarul Islam (General Manager and Head of ICC)
3. Member Secretary: Mr. Md. Kafil Uddin, Deputy General Manager
4. Member : Mr. Rafiqul Islam, Principal Officer
5. Member : Mr. Debabrata Sikder, Principal Officer.
6. Member : Mr. Mohammad Mazadul Islam, Senior Officer.

We believe that if this ICC Policy and Procedures is followed strictly, the Bank will steadily progress and
develop effectively and efficiently.

INDEX
Chapter Subjects
A. Internal Control & Compliance (ICC) Policy
Chapter One Universal Discussion of ICC
1.1 Mission Statement
1.2 Vision Statement
1.3 Executive Declaration
1.4 Preamble
Chapter Two Policy Guideline and Responsibilities
2.1 Internal Control
2.2 Components of Internal Control
2.3 Internal Control Environment
2.4 Objective of Internal Control
2.5 Control Activities and Segregation of Duties
2.6 Corrective measures to be taken by ICC
2.7 Scope of Internal Control and Compliance System
Chapter Three Policy Guideline for Internal Control
3.0 Policy Guideline
3.1 Responsibility of the Board of Directors
3.1.1 Responsibility and power of the Board of Directors
3.2 Structure & Responsibility of the Audit Committee of the Board
3.2.1 Organizational Structure
3.2.2 Qualification of the members of the Audit Committee
3.2.3 Roles & Responsibilities of the Audit Committee
3.3 Responsibility of the Senior Management / MANCOM
3.3.1 Function of the Senior Management Team / MANCOM
3.3.2 Management Reporting System
3.4 Role of External Auditors
3.5 Dispute Settlement
Chapter Four ICC Related Issues
4.0 Introduction
4.1 The Organizational Structure of ICC
4.2 Structure of ICC
4.3 The Charter of ICC
4.4 Standards of the Best Professional Practices
4.5 Head of ICC
4.6 Core Risks Management
4.7 Inspection Concluding Meeting (Account Finalization) - Finalization of Quick Summary Report / Annual Accounts
4.8 Special Board Meeting On Compliance Of Annual Inspection Report Of Bangladesh Bank
4.9 Liaison Meeting
4.10 Shariah Based Audit
4.11 TA/DA/Conveyance for ICC’s members
Internal Audit Charter
4.12 Chief Audit Officer / Head of Audit
4.13 Role and Responsibilities of Internal Auditors
4.14 Auditors' Ethics & Qualifications
4.15 Appraisal of ICC Officials
4.16 Training and Development
4.17 Training (In-house / other institutional)
4.18 Abroad Training
4.19 Job Rotation
4.20 Mandatory Leave
4.21 Recreational Leave
Chapter Five Internal Audit Manual
5.0 Definition of Audit
5.1 Objectives of audit
5.2 Auditors Right
5.3 Responsibilities of the Auditors
5.4 Auditors punishment
5.5 Basic Principles of Auditors
5.6 Types of audit
5.7 Internal Audit
5.7.1 Definition of Internal Audit
5.7.2 Principles of internal audit
5.7.3 Reporting
5.7.4 Importance of internal audit
5.8 External audit
5.8.2 Types of External audit
5.9 Concurrent Audit
5.10 Lapses
5.10.2 Types of Lapses
5.10.2.1 Minor Irregularities (MI)
5.10.2.2 Major Lapses (ML)
5.10.2.3 Serious Lapses (SL)
5.11 Punishment
5.12 Reward/Incentive for Auditors
5.13 System Audit Software
5.14 Wrap-up Meeting after Internal Audit

AUDIT PROCEDURES
[Risk Based Internal Audit Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Audit Manual]

Risk Based Internal Audit Manual

Chapter Six 6.0 Risk Based Internal Audit
6.5 Audit Procedure
6.6 Preparation of Risk Based Audit Plan
6.7 Prioritization of Audit
Risk Audit Matrix
6.8 Risk Based Internal Audit Methodology
6.9 Formation of Audit Team
6.10 Control Risk Assessment
6.11 Risk Model Construction
6.12 Risk Recognition & Assessment
6.13 Risk Analysis of Control Functions
6.14 Steps in adopting Risk Based Internal Audit (RBIA)
6.15 Development of formats for risk assessment
6.16 Risk assessment of Branch as a whole
6.17 Risk Assessment
6.18 Conduct of on-site Audit and Report findings
6.19 Determine the composite risk level using composite risk matrix
6.20 Determine trend/direction for inherent business and control risk
6.21 Determine the ratings of the branch

Categories of Audit Findings

6.22 Minor Irregularities (MI)
6.23 Major Irregularities (ML)
6.24 Serious Lapses (SL)

Information Technology (IT) Audit Manual

Chapter Seven 7.0 Information Technology (IT) Audit
7.1 Definition of IT Audit
7.2 System audit
7.3 Purposes/Objectives of IT Audit
7.4 Types of IT Audits
7.5 Elements of IT Audit Strategy
7.6 IT Audit Process
7.6.1 Area of IT Audit
7.7 The Scope of the IT General Controls Audit Includes
7.8 Role of IT Audit
7.9 Performing
7.10 Change Management
7.11 Auditor’s checking
7.12 Application Audit
7.13 Administration
7.14 Inputs, Processing, Outputs
7.15 Run test transactions against the application
7.16 Includes - can enter input and see output
7.17 Processing Controls
7.18 Output Controls
7.19 Disaster Recovery Plan
7.20 Change management
7.21 User support
7.22 Third party services
7.23 Technical IT Controls Audit
7.24 Discretionary or mandatory access control
7.25 Residual information protection
7.26 Encryption methods
7.27 Risk Assessment
Inspection Manual (Inspection by the Controlling Office)
Chapter Eight 8.0 Inspection
8.1 Objectives of Inspection
8.2 Types of Inspection
8.3 Functions of Inspection
8.4 Inspection procedures used in Agrani Bank Limited
8.5 Outline of Inspection Function
8.6 Inspection by the Controlling Office
8.7 Reporting Procedures/Rules
8.8 Follow up procedures of Inspection Report

Audit Monitoring and Controlling Manual

Chapter Nine 9.0 Monitoring
9.1 Monitoring Activities and Corrective Measures
9.2 Objectives of Monitoring Department
9.3 Application of monitoring system
9.3.1 Departmental Control Function Checklist (DCFCL)
9.3.2 Loan Documentation Checklist
9.3.3 Quarterly Operations Report
9.4 Annual ICC Report on the health of the Bank

Audit Compliance Manual

Chapter Ten 10.0 Compliance
10.1 Overview
10.2 Establishment of a Compliance Culture
10.3 Independence of Compliance Functions
10.4 Compliance Process
10.5 Regulatory Compliance
10.6 Functions of Compliance
10.7 Five interrelated components to ensure strong internal control
10.8 Information and Communication System
10.9 Responsibilities of the Management for Compliance
10.10 Responsibilities of The Board of Directors for Compliance
10.11 Responsibilities of Senior Management for Compliance
10.12 Responsibilities of the Head of Compliance
10.13 Responsibilities of the Audit Committee
10.14 Responsibilities of the Risk Management Committee
10.15 Responsibilities of the Internal Auditors

Different System of Compliance

10.16 Internal Audit Compliance
10.16.1 Instruction regarding audit Compliance
10.16.2 Definition of Nirikha Paripalan Patra-1
10.16.3 Compliance with Nirikha Paripalan Patra-1
10.16.4 Definition of NIPP-2 (ka)
10.16.5 Definition of NIPP-2 (kha)
10.16.6 Compliance with response to Nirikha Paripalan Patra-2
10.17 Internal audit objections - settlement and file close
10.17.1 Internal audit objections - settlement and file close
10.18 Settlement of Minor Irregularities and file close
10.19 Settlement of Major Lapse and file close
10.20 Settlement of Serious Lapse and file close
10.21 Issuing DO Letter
10.22 Placement of Special Note
10.23 Govt. Commercial Audit Compliance
10.23.8 Monitoring and follow up
10.23.9 Ordinary Objections
10.23.10 Advance Objections / Clauses
10.23.11 Commercial audit objections settlement and file close
10.24 Bangladesh Bank Inspection Compliance
10.24.1 Bangladesh Bank Inspection objections settlement & file close
10.24.2 Special Inspection on specific issue
10.24.3 Inspection regarding Foreign Trade Transaction
10.25 External audit Compliance
10.25.3 Settlement of objections raised by Audit Firm appointed by Board and file close
10.26 Audit Clearance
11.0 Conclusion

FRAUD DETECTION AND MANAGEMENT POLICY

Chapter Eleven Preface
Overview
12.1 Objectives of Policy
12.2 Scope
12.3 Effect of Fraud
12.4 Definition of Fraud
12.5 Types of Fraud
12.6 Reason for occurring fraud
12.7 General Banking Operation Related Fraud
12.8 Credit Operation Related Fraud
12.9 Foreign Trade and Foreign Exchange Operation Related Fraud
Chapter Twelve Fraud Detection
13.1 Concept of fraud
13.2 Potential Fraud Indicators / Symptoms
13.3 How to detect Fraud
13.3.1 Whistleblower Hotlines
13.3.2 Background Reading
13.3.3 Benchmarking
13.3.4 Ratio Analysis
13.3.5 Special software
13.3.6 Risk Assessment
13.3.7 System Analysis
13.3.8 Mathematical Modelling
13.3.9 Exception Reporting
13.4 Mandatory Leave
13.5 Experience
13.6 CC TV
13.7 Fraud Investigation
13.8 Investigation Procedure
13.9 Formation of Team
13.10 Communication of Fraud Incidents
13.11 Analysis of Fraud
Chapter Thirteen Fraud Management
14.1 Roles/Responsibilities of Different Entities for Fraud Management
14.2 Fraud Prevention
14.3 Fraud Assessment
14.4 Fraud Prevention Techniques
14.5 Reports
14.6 Administration of Fraud Risk Management Policy
14.7 Conclusion
Annexure of ICC [Annex-1 to Annex-41 and Annex-A to Annex-E]


Internal Control and Compliance Policy


Universal Discussion of ICC


1.1. Mission Statement
To ensure corporate governance, accountability, integrity, transparency and regulatory
compliance in the operation of the Bank within the stringent framework to achieve the
International Standard of Banking.

1.2. Vision Statement
To keep the Banking operation accurate and efficient in line with international best
practices.

1.3. Executive Declaration [1]
A new (amended) “Guidelines on Internal Control and Compliance-2016” has been
circulated by Bangladesh Bank vide BRPD Circular No. 03 dated 08/03/2016, giving the
reference of BRPD Circular No. 17 dated 07/10/2003, followed by a further amendment
vide BRPD Circular No. 06 dated 04/09/2016. The amendments were made with a view to
minimizing risks more effectively in the day-by-day growing banking business.
In light of the above Guidelines on ICC, and under the guidance of the BoD Audit Committee,
this ICC Policy & Procedures-2022 [Risk Based Internal Audit Manual, Audit Compliance
Manual, Audit Monitoring and Controlling Manual, IT Audit Manual, Fraud
Management Manual] was finalized by the Head of ICC and the Head of Audit with the help
of the committee formed by ICC.
1.4. Preamble
1.4.1 The economy of Bangladesh has gained momentum in its transition towards greater
development. The banking sector is playing a pivotal role in this context. At such a
time, stringent banking practice in line with the best international practices is a crying
need.
1.4.2 A major risk inherent in the banking sector is systematic risk that causes the bank
regulators to have concerns with the operations of each individual bank. As such, the
regulatory body gives priority to attaining high-quality banking operations at all banks
in terms of managing the key banking risks, establishing an adequate compliance
culture and having a satisfactory information disclosure system.

1.4.3 An effective Internal Control System results in better risk management practices in terms
of identification, management, monitoring and mitigation of risks. It ensures reliable
financial and managerial information that promotes better strategic decisions for a bank.
Banking is a diversified and multifarious financial activity, which involves different
risks. The issues of an effective internal control system, good governance, transparency
of all financial activities, and accountability towards stakeholders and regulators have
become momentous to ensure smooth performance of the banking industry. An
effective internal control and compliance system has become essential in order to
underpin effective risk management practices and to ensure smooth performance of the
banking industry. In general, internal control is identified with internal audit; but the
scope of internal control is not limited to audit work. Internal control by its own merit
identifies the risks associated with the process and adopts measures to mitigate or
eliminate these risks. Internal Audit, on the other hand, reinforces the control
system through regular review of the effectiveness of the controls.

[1] BRPD Circular No. 03 dated 08/03/2016; BRPD Circular No. 06 dated 04/09/2016

1.4.4 The single greatest factor contributing to operational failure in banks is the lack of
adequate internal control. Bangladesh has developed an unbelievable growth in the
banking sector. A persistent moderate economic growth rate, a high degree of
competition in the banking sector and a speedy urbanization rate have gradually transformed
our banking sector into a large and vibrant one. The nature and magnitude of business
as well as the degree of competition in the banking industry have increased manifold in
recent years.

1.4.5 The responsibility of implementing internal controls starts from the business lines,
which are the “first lines of defense” against breaches that could cause the bank not to
fulfill its objectives, not to report properly, or not to comply with laws and regulations.
Notably, in any bank, the three important “control functions” are risk
management, compliance, and internal audit. This triumvirate of key functions is
underpinned by, and in turn implements and reinforces, the system of internal controls.
The first two of these control functions constitute the “second lines of defense” against
mishaps. The final, or “third line of defense”, is the internal audit function. An effective
internal control system requires that there are reliable information systems in place
that cover all significant activities of the bank. A system of strong internal controls
can help ensure that the goals and objectives of a banking organization will be met,
that the bank will achieve long-term profitability targets, and that it will maintain reliable
financial and managerial reporting.

1.4.6 Internal controls are particularly crucial elements of a risk management program. An
essential part of the internal control framework is periodic testing to determine how
well the framework is operating, so that any required remedial actions can be taken.
The frequency of testing should be risk-based and should involve, as appropriate,
sample transaction testing, with the sample size (commonly known as the audit plan)
determined by the volume and the degree of risk of the activity.


Policy Guideline and Responsibilities


2.1 Internal Control
Internal control is a process, rather than a structure. It is not a separate activity
disconnected from the rest of business activities; rather, it is an integral part of those
activities.
It is a dynamic plan which is implemented and monitored by the board of directors and
management at all levels within an organization. Internal control is the process, effected
by the entity’s board of directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of the objectives of the management in the
effectiveness and efficiency of operations, the reliability of financial reporting and
compliance with applicable laws, regulations and internal & external policies.
There are three main types of internal controls: detective, preventative and corrective.
2.2 Components of Internal Control
In an ‘effective’ internal control system, the following five components work to support
the achievement of an entity's mission, strategies and related business objectives.
1. Control environment;
2. Risk assessment;
3. Control activities;
4. Information and communication;
5. Monitoring.

[Figure residue: labels “Integrity and Ethical Values” and “Company-wide Objectives”; source note 2: COSO’s 17 Principles of Internal Control]

2.3 Internal Control Environment


The control environment reflects the overall attitude, awareness and actions of the board
and management concerning the importance of internal control. Internal controls are
developed, implemented and monitored under the framework. It consists of the
mechanisms and arrangements that ensure internal and external risks to which the bank
company is exposed to.
Control environment factors include the integrity, ethical values and competence of the
employees, management’s philosophy and operating style, the way management assigns
authority and responsibility and how it organizes and develops its human resources.
The appropriate and effective internal controls are developed and implemented to soundly
and prudently manage these risks; reliable and comprehensive systems are to be put in
place to appropriately monitor the effectiveness of these controls. The factors which
together comprise the control environment are:
• A board of directors that is actively concerned with sound corporate governance
and that understands and diligently discharges its responsibilities by ensuring
that the bank is appropriately and effectively managed and controlled;
• A management that actively manages and operates the bank in a sound and
prudent manner;
• Organizational and procedural controls supported by an effective management
information system to soundly and prudently manage the bank's exposure to risk;
and
• An independent audit mechanism to monitor the effectiveness of the
organizational and procedural controls.
2.4 Objective of Internal Control
The primary objective of Internal Control System of Agrani Bank Limited is to help the
bank to perform better through the use of its resources.

There are mainly three objectives of Internal Control and Compliance.


2.4.1 Three objectives of ICC are as follows:


(1) Performance objectives : To evaluate and measure the efficiency and
effectiveness of all divisional activities under the ICC.
(2) Information objectives : To collect reliable & relevant information and preserve
it until a certain time.
(3) Compliance objectives : Compliance with applicable Laws and Regulations.

2.5 Control Activities and Segregation of duties


Control activities are the most tangible internal controls, and the Internal Audit function
will concentrate on them to a large degree. The auditor will be concerned with understanding
whether a control prevents an error or detects and corrects an error. Control activities may
be manual or, where processes are computerized, they may also include
specific IT control activities.

2.5.1 An effective internal control system requires that an appropriate control structure
be set up with control activities defined at every business level, i.e. top level
review; appropriate activity controls for different departments or divisions;
physical controls; checks for compliance with exposure limits and follow-up on
non-compliance; a system for approvals and authorizations; and system
verification and reconciliation.
2.5.2 Control activities involve two steps:
I. The establishment of control policies and procedures and
II. Verification that the control policies and procedures are being complied with.
2.5.3 Senior management should ensure that adequate control activities are integral
parts of the daily functions of all relevant personnel; this enables quick response
to changing conditions and avoids unnecessary costs. Control activities are most
effective when they are viewed by management and all other personnel as an
integral part of daily activities rather than an addition to it.
2.5.4 One of the most important aspects of an internal control system is an appropriate
segregation of duties and personnel who are not assigned conflicting
responsibilities.
2.5.5 Furthermore, employees must also be provided with necessary authority, and they
should be held accountable for their actions in compliance with delegated
authority. Exceeding their authority or failing to exercise their rightful authority
should both be sanctioned.
2.5.6 For employees to carry out their responsibilities properly, each employee should
have an appropriate job description.
2.5.7 Areas of potential conflicts of interest should be identified, minimized, and
subject to careful independent monitoring.


2.6 Corrective measures to be taken by Internal Control And Compliance (ICC):


When a system of internal control is effective, management and those charged with
governance can be reasonably assured that:
• the organization is achieving effective and efficient operations (operations),
• the organization is preparing reliable internal and external reports (reporting), and
• the organization is operating in compliance with applicable laws and regulations
(compliance).
Corrective measures are as follows:
i. Effectiveness of the bank’s internal control should be monitored on an ongoing
basis. High risk items should be identified and monitored as part of daily
activities;
ii. There should be an effective and comprehensive internal audit of the internal
control system carried out by operationally independent, appropriately trained
and competent staff specially designated by the management. The significant
deficiencies like Serious Lapses (SL) identified by the audit team should be
reported to the Audit Committee of the board on a quarterly/periodic basis.
Moreover, SL will be settled through the Audit Committee’s recommendation
or decision;
iii. Internal control deficiencies identified by internal audit or other control
personnel should be reported in a timely and prompt manner to the Audit
Committee of the Board as well as appropriate management level and
addressed immediately;
iv. Material internal control deficiencies should be reported to BoD Audit
Committee with recommendations where necessary. However, it should be
noted that consideration should be given to major financial exposure or loss,
significant process lapses, serious employee misconduct etc.;
v. The Head of ICC would have a direct reporting line with Audit Committee of
the Board.
2.7 Scope of Internal Control and Compliance System:
Head Office of the Agrani Bank Limited comprises 37 Divisions. As per geographical
demarcation, there are 11 Circle Offices. Under these Circle Offices, there are 53 Zonal
Offices. These Zonal Offices are controlling 891 branches. Total number of branches is
970. Among these branches there are 43 Authorized Dealer (AD) branches and within
those 36 Corporate Branches. Moreover, there are 60 Islamic Windows for Shariah Based
Islamic Banking and also 5 Subsidiaries. Those are:
1. Agrani Exchange House Pvt. Ltd. Singapore
2. Agrani Remittance House Sdn. Bhd. Malaysia
3. Agrani Equity & Investment Limited.
4. Agrani SME Financing Company Limited.
5. Agrani Remittance House Canada Inc., Canada.
ICC will ensure the effectiveness of the Internal Audit, Issue based Audit and Special Audit
for each and every branch, office, window and subsidiary of Agrani Bank Limited.
With the help of control offices and based on audit reports of the Bank, the ICC will report to
the Audit Committee and management for punishment of the concerned guilty person. They
will also arrange for audit compliance of the said internal audit as well as external
audit (viz. Bangladesh Bank Inspection, Commercial audit, functional audit, appointed audit
firm) effectively and efficiently.


Policy Guidelines for Internal Control


3.0 Policy Guidelines
In addition to any existing relevant legislation, the following statements of policies and
procedures relevant to internal control are to be meticulously implemented by the bank,
and adherence to which is reviewed by the Internal Audit and Compliance functions:
1. Credit Policy and Credit Risk Management Manual
2. Asset Liability Risk Management Policy and Manual
3. Foreign Exchange Risk Management Manual
4. Guidelines for Foreign Exchange Transactions
5. Information & Communication Technology (ICT) Security Policy
6. Internal Control & Compliance (ICC) Policy and Procedures
7. Money Laundering Risk Manual
8. Guidelines on Anti Money Laundering and Terrorist Financing
9. Compliance of Anti-Money Laundering and Combating Financing of
Terrorism Policy & Procedure-Guide Book
10. Finance and Accounting Manual
11. Treasury Manual
12. HR Policy Manual
13. IT Audit Manual
14. Payment System Manual
15. Agent Banking Manual
16. Green Banking Manual
17. OBU Manual
18. Agent Banking Manual

To establish the internal control system in the bank, the above manuals and policies should be
reviewed every year.
3.1 Responsibilities of Board of Directors (BoD) [3]
The responsibility of the Board of Directors in respect of implementing a modern, scientific
and acceptable Internal Control and Compliance Process in a Bank has been described in the
Banking Companies Act, 1991, Rule 15(Kha) and exclusively in section 15(Ga). As per the
prudential guidelines of Bangladesh Bank, the responsibilities of the Board of Directors of
the bank are enumerated below:
• The Board shall be observant of the internal control system of the Bank in order to
accomplish a satisfactory standard of its portfolio. The Board will form an Audit
Committee with such directors who are not the members of the Executive Committee of
the BoD and a Risk Management Committee from its members.

• The Board will also establish such an Internal Control System so that the whole
Internal Audit process can work independently from the management which will
directly report to the Audit Committee of the Board.

[3] Banking Companies Act, 1991
• The BoD shall review the reports submitted by its audit committee on a quarterly basis
regarding compliance with recommendations made in internal and external audit reports
as well as Bangladesh Bank inspection reports.

In addition to the above, the following responsibilities will also be observed by the
BoD [4]:
• They should set up an organizational structure of the Internal Control and Compliance
(ICC) Division in such a way that it has no conflict of interest with the regular
management of the bank and fulfills the requirements as directed in Rule 15 (Ga)
(1) of BCA 1991 for establishing and maintaining effective internal control and risk
management having regard to the complexity of the activities of the bank, its size,
scope of operations and risk profile;

• The Board of Directors should, at least annually, conduct a review meeting about the
effectiveness of the internal control process and report to the shareholders accordingly.
The Responsibilities of Board of Directors (BoD) of the Bank are given in BRPD Circular
No.11 dated 27-10-2013 of Bangladesh Bank, from which Internal Control and Compliance
related responsibilities are enumerated below:
3.1.1 Responsibilities and power of BoD:
a) Action plan and strategic management:
i. BoD will set goals and objectives of the bank and prepare an annual action plan;
ii. In annual report of bank BoD will incorporate success and failures of the goals
and objectives elaborately, which will be the basis of future planning and
strategies. This is to be disclosed to the shareholders;
iii. The BoD will review different policies of the bank annually; if any changes are
required, the concerned division will take approval from the BoD.
b) Credit Management:
i. Under the purview of existing laws and regulations, every credit/investment
proposal evaluation, sanction and disbursement, loan recovery, rescheduling and
write-off policy etc. will be approved by the BoD.
ii. At the implementation level, the above rules and policies regarding risk management
will be assessed quarterly. In the evaluation process, the BoD will observe whether the
risk management principles of Bangladesh Bank are followed or not.
c) Internal Control:
To ensure sustainable quality investment, the BoD will keenly oversee the internal control
system of the bank. It will also ensure that internal audit activities are performed
independently. These will be evaluated on a quarterly basis. The BoD will ensure
compliance with all laws and regulations that are circulated by various regulatory
authorities such as Bangladesh Bank, Ministry of Finance, Securities and Exchange
Commission etc.

[4] BRPD Circular No. 11 dated 27/10/2013

d) Human Resource Management (HRM) and Development:
i. All policies regarding HRM will be approved by the BoD.
ii. For the development of HRM, the BoD will give emphasis to arranging
training for bank personnel. This training will help them to implement IT-based
MIS and to make correct assessments for quality loans and investments.
iii. The BoD will prepare a Code of Ethics for employees.

3.2 Structure and Responsibilities of the Audit Committee of the Board.


The board will approve the objectives, strategies and overall business plans of the
bank and the audit committee will assist the board in fulfilling its oversight
responsibilities. The committee will review the financial reporting process, the
system of internal control and management of financial risks, the audit process,
and the bank's process for monitoring compliance with laws and regulations and
its own code of business conduct.
3.2.1 Organizational Structure:
i. Members of the committee will be nominated by the board of directors from
the directors;
ii. The audit committee will comprise a maximum of 05 (five) members, with a
minimum of 2 (two) independent directors;
iii. The audit committee will be composed of directors who are not executive committee
members;
iv. Members may be appointed for a 03 (three) year term of office;
v. Company secretary of the bank will be the secretary of the audit committee.
3.2.2 Qualification of the Members of the Audit Committee:
i. Integrity, dedication, and opportunity to spare time in the functions of
committee will have to be considered while nominating a director to the
committee;
ii. Each member should be capable of making valuable and effective
contributions in the functioning of the committee;
iii. To perform his or her role effectively each committee member should have
adequate understanding of the detailed responsibilities of the committee
membership as well as the bank's business, operations and its risks.
iv. Professionally experienced persons in banking/financial institutions,
especially those having educational qualifications in Finance, Banking,
Management, Economics or Accounting, will get preference in forming the
committee.
3.2.3 Roles and Responsibilities of the Audit Committee
i. Internal Control:
1. Evaluate whether management is setting an appropriate compliance culture by
communicating the importance of internal control and the management of risk and
ensuring that all employees have clear understanding of their roles and
responsibilities;
2. Review management’s actions in computerization of the bank and its
applications and Management Information System (MIS) of the bank.

3. Consider whether internal control strategies recommended by internal and
external auditors have been implemented by the management;
4. Consider reports relating to fraud, forgery, deficiencies in internal control or
other similar issues detected by internal and external auditors and inspectors of the
regulatory authority and place them before the board after reviewing whether
necessary corrective measures have been taken by the management.
5. As the roles and responsibilities of the Board, Executive Committee, Credit
Committee and Management Committee are of high impact and high frequency,
ICC needs to take special care in order to identify lapses, especially in:
(i) Sanction and rescheduling of loans & advances, interest waiver,
write-off of loans, Directors' loans, large loans, etc.,
(ii) Presenting the financial and non-financial position of the bank,
(iii) Allowing perks, benefits, incentives etc.,
(iv) Procurement and disposal of assets/services/materials,
(v) Managing risks and uncertainties in the bank.
So ICC should meticulously examine the minutes and memos of Board/Executive
Committee/Credit Committee/Management Committee meetings to assess
whether memos were presented with proper and adequate information and
decisions in minutes were carried out accordingly.
ii. Financial Reporting:
1. Audit committee will check whether the financial statements reflect the complete
and concrete information and determine whether the statements are prepared
according to existing rules & regulations and standards enforced in the country
and as per relevant prescribed accounting standards set by Bangladesh Bank;
2. Discuss with management and the external auditors to review the financial
statements before its finalization.
iii. Internal Audit:
1. Audit committee will monitor whether internal audit is working
independently from the management.
2. Review the activities and the organizational structure of the internal audit and
ensure that no unjustified restriction or limitation hinders the internal audit
process;
3. Examine the efficiency and effectiveness of internal audit function;
4. Examine whether the findings and recommendations made by the internal
auditors are duly considered by the management or not.
iv. External Audit
1. Review the performance of the external auditors and their audit reports;
2. Examine whether the findings and recommendations made by the external
auditors are duly considered by the management or not.
3. Make recommendations to the board regarding the appointment of the
external auditors.

v. Compliance with Existing Laws and Regulations:


Review whether the laws and regulations framed by the regulatory authorities
(Central Bank and other Bodies) and internal regulations approved by the board
are being complied with.
vi. Other Responsibilities:
1. Submit compliance report to the board on quarterly basis on regularization
of the omission, fraud and forgeries and other irregularities detected by
the internal and external auditors and inspectors of regulatory authorities;
2. External and internal auditors will submit their related assessment report,
if the committee solicits;
3. Perform other oversight functions as desired by the Board of Directors and
evaluate the committee's own performance on a regular basis.
vii. Meetings:
1. The audit committee should hold at least four meetings in a year and it can sit
any time as it may deem fit;
2. The Committee may invite Chief Executive Officer, Head of Internal Audit or any
other Officer to its meetings, if it deems necessary;
3. To ensure active participation and contribution by the members, a detailed
memorandum should be distributed to committee members well in advance (at
least three days) before each meeting;
4. All decisions/observations of the committee should be noted in minutes.
3.3 Responsibilities of Senior Management (MANCOM)
In setting out a strong control framework within the organization, the role of
the Managing Director/CEO is very important. The Board of Directors of the
Bank/Organization will define/form a Senior Management Team (SMT)/MANCOM
that should include the MD/CEO, DMDs, Head Office GMs and the Chief Financial
Officer. Any officer who performs a policy-making function or is in charge of a
principal business unit/function may be a member of SMT/MANCOM. However, no
executive of ICC audit should be a member of SMT/MANCOM.
The bank/organization should report the composition of SMT/MANCOM (and
updates thereto) to the Banking Regulation and Policy Department of Bangladesh Bank.
3.3.1 Functions of Senior Management Team (SMT)/MANCOM
Responsibilities of the SMT/MANCOM should include monitoring the adequacy and
effectiveness of the Internal Control System based on the bank’s established policy and
procedure.
The SMT/MANCOM will review on a yearly basis the overall effectiveness of the
control system of the organization and provide a certification on a yearly basis to the
Board of Directors on the effectiveness of Internal Control policy, practice and
procedure. The management will enrich audit teams with adequate skilled manpower
and proper IT support as per requisition of the ACB for purposeful and effective audit.
The management will ensure compliance of all laws and regulations that are circulated
by various regulatory authorities such as, Bangladesh Bank, Ministry of Finance,
Bangladesh Securities and Exchange Commission, etc. During the audit period, if the
present audit team finds any lapse or irregularity which was not detected or identified
by the previous auditor, then that will be reported to the Audit Committee.


3.3.2 Management Reporting System

• An effective internal control system requires an efficient reporting
system of information that is relevant to decision making. The information
should be reliable, timely, accessible and provided in a consistent format.
• Information would have to include external market information about events
and conditions that are relevant to decision making. Internal information should
include financial, operational and compliance data.
• There should be appropriate committees within the organization, which would
evaluate data received through various information systems. This will ensure
supply of correct and accurate information to the management.
• Internal information must cover all significant activities of the bank. Electronic
data must be secured, monitored independently and supported by contingency
arrangements.
• Most importantly, the channels of communication must ensure that all staff fully
understand and adhere to policies and procedures affecting their duties and
responsibilities and that other relevant information is reaching the appropriate
personnel.

3.4 Role of External Auditors in Evaluating Internal Control System

• The Statutory Auditors, by dint of their independence from the management of the
bank, must provide recommendations on the strength and weakness of the internal
control system of the bank and submit their findings in the management report.
• They can examine the records and transactions of the bank and evaluate its
accounting policy, disclosure policy and methods of financial estimation made
by the Bank; this will allow the board and the management to have an
independent overview of the overall control system of the bank.

3.5 Dispute Settlement

• Any unresolved issue between SMT and ICC to be referred to the Board of
Directors through ACB respectively and then to Bangladesh Bank (if needed).


ICC Related Issues


4.0 Introduction
All departments, and all business lines, are responsible for developing and implementing
the controls and for making sure that they are observed and not breached. Individual
departments or business lines will be vigilant and will participate fully in the internal
control regime, where ICC should act as the internal watchdog of the organization. The
main concern of ICC is to see whether the bank's machineries are acting as vanguards of
its assets, reputation and depositors' interests. ICC will oversee whether the bank is
following regulatory guidelines and the institutional policies and procedures set and
approved by the BoD, covering the related laws of the land, and whether there is any
deficiency in internal policy and procedure.

4.1 Organizational Structure/ Organogram of ICC:


4.1.1 For smooth functioning of internal control and compliance, the department will
be comprised of three major Divisions, which are as follows:

Internal Control & Compliance (ICC)
1) Audit and Inspection
2) Audit Compliance
3) Audit Monitoring and Controlling

4.1.2 For convenient action and effective administration according to the nature
of the bank, volume of work, number of Branches (Rural, Urban, AD, Corporate),
Assets involvement, Concentration of assets, Risk involvement etc., the Audit Division
and Compliance Division may be further divided into the following divisions:

1. Audit & Inspection Division-1: To carry out audit on Branch/offices (Non-AD & SME/Agri. Branches).
2. Audit & Inspection Division-2: To carry out audit on All AD, (Foreign Exchange) Corp. Br. Circle, Zonal Office, Subsidiaries & H/O (divisions).
3. Cyber Audit & Inspection Division: To carry out specialized (IT/IS), Concurrent Audit and vigilance audit.
4. Pre-Audit Division: To carry out pre-audit before making any payment as determined by the audit committee (consulting with the management).
5. Audit Compliance Division (Internal): To monitor compliance activities of branch, office and subsidiaries under internal audit.
6. Audit Compliance Division (External): To monitor compliance activities of branch and office under external audit (Bangladesh Bank Inspection, Commercial Audit, Statutory Audit and other Regulatory Authorities’ Audit).
7. Audit Monitoring and Controlling Division:
(i) To verify the internal control system & operational activities by implementing DCFCL (Departmental Control Functional Check List), QOR (Quarterly Operation Report), and LDCL (Loan Documentation Checklist) at Branch level.
(ii) To ensure timely and effective audit including ICT Audit by Internal Control Team.
(iii) To assist Audit and Inspection Division in Risk Based Internal Audit by assessing department wise risk (Off-site Analysis) with grading of all branches.
(iv) To prepare and submit Self-Assessment of Anti-Fraud Internal Controls report and Bank’s Health report to Bangladesh Bank.
4.2 Structure of ICC
4.2.1 There should be the Head of ICC’s secretariat, which will consist of one Deputy General
Manager, one Assistant General Manager, two Senior Principal Officers, five Principal
Officers, four Senior Officers and two non-clerical staff.

4.2.2 Each of the divisions is headed by a Deputy General Manager (DGM). Under the command
of the DGMs of the different divisions of ICC, there will be 350 executives,
officers and staff as shown in the Organogram given below.
4.2.3 Transfer posting of the executives & officers from Audit Divisions to another
division/branch/office must require the consent of the BoD Audit Committee.
Transfer posting of the executives, officers and staff from ICC (other than auditors)
to another division/branch/office must require the consent of the Head of ICC.

4.2.4 All the divisional Heads of ICC (except audit divisions) will report to the Head of ICC.
The Head of ICC position would be at least GM. For administrative purposes, the Head
of ICC would have a reporting line to the MD & CEO of the Bank. However, the Head of
Audit, although being a part of the ICC, would directly report to the Audit Committee
of the Board.


4.2.5 The Organogram of Internal Control and Compliance (ICC) of Agrani Bank Limited [5]
[Organogram. Boxes, top to bottom: Board of Directors; Audit Committee; Managing Director & CEO; Deputy Managing Director (DMD); Head of ICC (GM); The Chief Audit Officer (GM, Regular/Contractual). Divisions shown: AID-1, AID-2, Cyber Audit Division, Pre-Audit Division, AMD, ACDE and ACDI, each under a Divisional Head (DGM). Subtotals shown: 226, 30, 40, 40 and 14. Total = 350.]

4.2.6 Manpower distribution:

Grade     AID-1  AID-2  Cyber Audit  Pre Audit  AMD  ACD(I)  ACD(E)  ICC Secretariat  Total
DGM           1      1            1          1    1       1       1                1      8
AGM          12      8            4          1    2       2       3                1     33
SPO          18     12            8          2    3       6       6                2     57
PO           24     10           10          4    7       9       9                5     78
SO           36     20           12          3    8      12      12                4    107
Officer      12      8           10          2    8       8       7                -     55
Staff         2      2            1          1    1       2       2                1     12
Total       105     61           46         14   30      40      40               14    350

* Head of ICC must be an FCA with 20 years' financial experience, including 5 years' banking experience in a top position.
Note:
(1) HRPDOD will arrange to implement the ICC Policy according to the Organogram.
(2) HRPDO will also take the initiative to include the ICC Organogram in Agrani Bank’s Organogram.

[5] BRPD Circular No. 03 dated 08/03/2016

4.3 The Charter of ICC


4.3.1 The mission of the ICC is to provide independent objective assurance and advice
designed to add value and improve the bank's operations. It will help the bank to
accomplish its objectives by bringing a systematic, disciplined approach to
evaluating and improving the effectiveness of risk management, control and
transparent governance processes.
4.3.2 The scope of work of the Department is to determine whether the Bank's
network of risk management, control and governance processes, as designed and
represented by management, is adequate and functioning in a manner to ensure:
➢ Appropriate identification of risk.
➢ Need-based interaction with the various governance groups.
➢ Significant financial, managerial and operational information is
accurate, reliable and timely.
➢ Employees' actions are in compliance with policies, standards,
procedures, laws and regulations.
➢ Use of acquired resources economically, efficiently and adequately.
➢ Achievement of programs, plans and objectives.
➢ Fostering the quality and continuous improvement in the bank's control
process.
➢ Appropriate recognition and addressing of legislative and regulatory
issues influencing the bank.

4.3.3 Officers of ICC are authorized to:

➢ Have unrestricted access to all functions, records, property and
personnel.
➢ Set frequencies, select subjects, determine scopes of work and
apply the techniques required to accomplish audit objectives.
➢ Obtain the necessary assistance of personnel in all departments of
the bank where they perform audits/inspection as well as other
specialized services from within or outside the bank.


4.3.4 Officers of the ICC are not authorized to:

➢ Initiate or approve accounting transactions other than the Internal Audit
Department.
➢ Direct the activities of any Bank officer not employed by the Internal
Audit Department except to the extent such officers have been
appropriately assigned to auditing teams or to otherwise assist the
officers of the Department.
➢ Audit their own works performed in their previous Departments/Offices.
4.4 Standards of Best Professional Practices
In line with the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) and the Bank for International Settlements (BIS), the following standards, among
others, should be followed:
• The internal audit function’s control risk assessment, audit plans, and audit programs
are appropriate for the bank’s activities.

• The internal audit activities have been adjusted for significant changes in the bank’s
environment, structure, activities, risk exposures, or systems.

• The internal audit activities are consistent with the long-range goals and strategic
direction of the bank and are responsive to its internal control needs.

• The bank has promptly responded to significant identified internal control
weaknesses.

• The internal audit function is adequately managed to ensure that audit plans are met,
programs are carried out, and results of audits are promptly communicated to senior
management and members of the Audit Committee and full Board.

• Work papers adequately document the internal audit work performed and support
the audit reports.

• The Audit Committee periodically assesses the performance of internal audit.

• The internal audit function provides high-quality advice and counsel to management
and the Board on current developments in the bank’s internal control policies and
procedure, and in the performance of the other control functions of the bank (Risk
Management and Compliance).

4.5 Head of ICC


4.5.1 As per BRPD Circular Letter No. 06 dated 04/09/2016, the Head of ICC will report
his/her activities and findings to the senior Management. The rank of the Head of
ICC must not be lower than two steps immediately below the MD & CEO.

4.5.2 The Head of ICC should be a regular employee in the rank of General Manager
having sufficient and adequate knowledge to act as Head of ICC. Preference will
be given to a person having the same educational qualification as the Chief Audit
Officer.

4.6 Core Risk Management


4.6.1 Risk-based audit is a methodology that links internal auditing to an organization’s
overall management framework. A risk-based audit approach is designed to be
used to efficiently and effectively focus the nature, timing and extent of audit
procedures, especially on those areas that have the most potential for causing
material misstatements in the financial report.

4.6.2 The risk-based approach requires understanding the entity and its environment in
order to identify risks that may result in material misstatement of the financial
report.

4.6.3 Core Risks


4.6.3.1 The Auditor must always take necessary steps to audit the core risks.
Auditors must identify and evaluate whether the concerned
persons/branches/offices are duly aware of the risks associated with their
jobs. There are seven core risks in the banking sector. The risks
are as follows:
(1) Credit Risk
(2) Asset Liability/Balance Sheet Risk
(3) Foreign Exchange Risk
(4) Internal Control & Compliance Risk
(5) Money Laundering Risk
(6) Information & Communication Technology (ICT) Risk
(7) Environmental & Social Risk

4.6.3.2 Credit Risk:


4.6.3.2.1 Credit risk arises from the potential that a bank's borrower will
fail to meet its obligations in accordance with agreed terms.
Credit risk also refers to the risk of negative effects on the
financial result and capital of the bank caused by borrower's
default on its obligations to the bank.

4.6.3.2.2 There are four Credit Risks:
(i) Risk of counter party,
(ii) Loan pricing risk,
(iii) Operational Risk,
(iv) Supervisory risk
(i) Risk of counter party:
A counterparty risk, also known as default risk, is the risk that
a counterparty will not pay what it is obligated to pay on a
bond, credit derivative, trade credit or payment protection
insurance contract, or other trade or transaction, when it is
supposed to.
(ii) Loan pricing:
Generally, loan pricing is done by the Head Office/Division.
The Division should apply appropriate techniques/
procedures.
(iii) Operational Risk:
An operational risk is defined as a kind of risk incurred by a
bank's internal activities. Operational risk is the risk of loss
resulting from inadequate or failed internal processes, people
and systems, or from external events, fraud, legal risks,
physical or environmental risks.

4.6.3.2.3 Following are the considerations for Internal
Auditing of ICC:
Whether:
• Proper borrower selection process, i.e. the 6 C’s of
borrower selection (Character, Capital, Collateral, Capacity,
Condition, Common sense), is considered;
• The cash flow statement (cash inflow and outflow) of the
borrower/party is considered;
• The market reputation of the borrower is taken into account
for sanctioning the loan;
• Loan is sanctioned by observing the CIB Report;
• Analysis of the balance sheet, i.e. (i) stock position (ii) liability
position (iii) assets position (iv) portfolio of the business etc.,
is done;
• Business volume is checked;
• Feasibility study of the projects is done;

• Physical verification of primary and collateral security is
done;
• Feasibility study was performed to assess the viability of the
loan both in respect of the bank and the loan party (IRR, NPV,
BCR analysis etc.);
• The length of time for loan sanction (as per bank policy and
guideline) is followed;
• Applied interest rate in accounts and sanctioned interest rate
are the same;
• Loan documentation pricing/unethical expenditure is being
forced on the party;
• The party is harassed for loan disbursement in the form of taking
unethical financial interest;
• Proper stamping is done;
• Physical verification of the collateral security is done;
• Verification of title deed and chain documents with the related
offices is done;
• Teeming and lading techniques are applied;
• False transactions are identified in the account statement
(material misstatement of A/C) for observing business
solvency/capacity of the party;
• Periodical adjustments were made in the previous loan;
• Loans are sanctioned to relatives/friends beyond
procedure;
• Debit summation and credit summation of the loan accounts/
CD A/Cs, showing the healthy business position of the party, are
considered;
• Loan is disbursed against fake documents;
• Loan is disbursed as per target;
• Employees are working according to their assigned duties;
• Loan is sanctioned towards unsavory environment/business/
product;
• Legal action is taken within the assigned time limit;
• Delegation of power is considered for loan sanctioning;
• Government direction, Bangladesh Bank circular and internal
circulars are followed, etc.
(iv) Supervisory risk:
Supervisory risk relates to ensuring the safety, soundness
and robustness of the bank. This lies with the
supervision functions. To continue achieving a
higher level of efficiency and effectiveness in
performing the supervision role, the bank will conduct
a holistic review of the financial supervisory and
regulatory functions to ensure that the departments
continue to support the achievement of the strategic
results and the desired outcomes.

Bangladesh Bank has formulated a set of policy
guidelines entitled “Credit Risk Management
Policy” to cover the entire cycle of lending (i.e.
Processing, Sanctioning, Disbursement,
Implementation, and Monitoring & Recovery).

These have formed the basis of Agrani Bank’s Credit
Policies and Procedures in order to ensure that its
long-term objectives are met through sound lending
activities & practices, i.e. the portfolio of Credit Risk
exposures is diversified, secure and profitable.

4.6.3.2.4 Following are the considerations for Auditing:

• Follow up function continued from the very
beginning of loan disbursement i.e. end use of loan
to recovery of the loan;
• Borrowers are selected properly;
• Proper documentation performed;
• Physical verification of collateral security done;
• Physical verification of the project/business unit
occurred;
• Time to time stock reports obtained;
• Timely follow up done for due loan recovery;
• Physical verification done to observe the proper
utilization of every loan installment;

• Government directions, Bangladesh Bank circulars
and internal circulars are followed;
• The loans and advances are audited properly, etc.

4.6.3.3 Asset Liability Risk:


4.6.3.3.1 Asset Liability risk management encompasses the
independent monitoring and prudential management of the
financial risks relating to our asset and liability portfolios,
comprising market liquidity, funding, concentration and
non-trading interest rate risks on balance sheet.

4.6.3.3.2 Following are the considerations for judging asset
liability risk:
• Deposit matrix to be studied on the basis of cost
involvement;
• Asset quality judged for the loans disbursed;
• Advance/deposit ratio is maintained in giving loan;
• Whether single borrower exposure limit crossed;
• Whether loan disbursed within the allocated target/budget;
• Provision of loan/other expenditures are kept properly;
• Interest suspense accounts are maintained properly;
• Reserve fund is maintained (in case of consumer loan) as
per sanction advice;
• Government direction, Bangladesh Bank circular and
internal circulars are followed, etc.
4.6.3.4 Foreign Exchange Risk:
4.6.3.4.1 Foreign exchange risk is the current or prospective risk to
earnings and capital arising from adverse movements in
currency exchange rates.

4.6.3.4.2 Area of Foreign Exchange Risks:

The foreign exchange positions arise from the following
activities:

• Trading in foreign currencies through spot, forward and
option transactions as a market maker or position taker,
including the unhedged positions arising from
customer-driven foreign exchange transactions;
• Holding foreign currency positions in the banking book
(e.g. in the form of loans, bonds, deposits or
cross-border investments); or
• Engaging in derivative transactions that are
denominated in foreign currency for trading purposes.
• Assets and Liabilities
• Acceptance and Endorsement:
i) Letter of Guarantee
ii) Letter of Credit
iii) Bills for Collection
iv) Other Contingent Liabilities.
4.6.3.4.3 Foreign Exchange Business risk
Risks that occur very often in foreign exchange business:
• Risk of non-payment
• Risk of non-delivery of goods
• Risk of receiving sub-standard goods
• Risk of fraud in goods
• Risk arising out of documents.

4.6.3.4.4 Following are the considerations for assessing foreign exchange risk:
• Credit report of the buyer obtained
• Business relations are built with familiar business firms
• L/C issued for the goods concerned
• Advance payment received (if possible)
• Insurance policy performed with a reputed insurance company
• Contract done under INCOTERM
• Goods are transported by a reputed transport company
• Goods are inspected by an internationally reputed inspection company at boarded point
• Contract performed with reputed exporters/sellers
• In case more than one transport company is engaged, PSI should be imposed.
• Documents are checked as per prescribed checklist (e.g. checklist for import & export LC, discrepancy checklist, back-to-back LC checklist, cautions for back-to-back LC etc.)
• Acceptances are in accordance with the common business practices.
• Government direction, Bangladesh Bank circular and internal circulars are followed, etc.

4.6.3.5 Internal Control & Compliance Risk

4.6.3.5.1 As an institution entrusted with managing public funds, the Bank’s franchise is predicated on operating prudently, safely and within the bounds of law and other prudential guidelines that are declared from time to time. This will require that the officers and staff of the Bank are made aware of, and adhere to, these legal and policy prescriptions at all times.

4.6.3.5.2 Following are the considerations for assessing:
• Effective Internal Control System;
• Audit clearance;
• Proper compliance of Bangladesh Bank Inspections and its findings;
• Proper compliance of commercial audit objections;
• Proper compliance of internal audit findings;
• Proper compliance of any other external audit findings;
• Aging of non-compliance findings (all kinds of audit objections);
• Monitoring the DCFCL compliance properly through the controlling offices (circle, zone);
• Monitoring the QOR compliance properly through the controlling offices (circle, zone);
• Monitoring the Self-Assessment Anti-Fraud Internal Control compliance properly through the controlling offices (circle, zone);
• Time frame of audit compliance;
• Check office order and perform once according to their work delegation;
• Total outstanding of non-compliance objections;
• Government direction, Bangladesh Bank circular and internal circular.

4.6.3.6 Money Laundering Risk shall include:
• Know-your-customer (KYC) policy;
• Transaction monitoring processes;
• Suspicious Transaction Reporting procedures;
• Record keeping procedures;
• Placement of Cash Transaction Report (CTR) and Suspicious Transaction Report (STR);
• Guidelines for training;
• Risk related to the goodwill of the Bank;
• Risk on operational activities of the Bank;
• Risk on legality: the Bank may face a legal crisis and be charged fines by the regulatory bodies;
• Recording all circulars of Agrani Bank Limited.

4.6.3.7 Information and Communication Technology (ICT) Risk:

4.6.3.7.1 Risks that arise out of operating the Information and Communication related tools.

4.6.3.7.2 Source of ICT Risk:

Organizations and their information systems and networks are faced with security threats from a wide range of sources including:
• Computer assisted fraud;
• Sabotage;
• Vandalism;
• Fire or flood;
• Hacking;
• Denial of Service attacks.

4.6.3.7.3 Types of ICT Risk:

4.6.3.7.3.1 ICT Risk is classified as follows:
1. Security Risk;
2. Physical Risk;
3. Operational Risk.

4.6.3.7.3.2 Security Risk:

Data and equipment should be protected from internal and external threats. Data, the most valuable asset for the Bank’s operations, should be protected from any level of intruder.

To avoid fraud and forgery, data and equipment should be maintained in a secure environment. The security risk covers data, data handling, authorized users and access control of users, external attack, hardware, and the location and position of hardware.

4.6.3.7.3.3 Physical Risk:

The objective is to prevent unauthorized access to, and damage of, information assets. This can be achieved by creating several physical barriers around business premises. Physical security can be broken in the form of unauthorized entry, damage to or theft of equipment or documents, copying or viewing of sensitive information, alteration of sensitive equipment and information, etc. A secured Data Library should be established to preserve Data Cartridges, CDs, License Copies of software, Agreements etc.

4.6.3.7.3.4 Operational Risk (procedures of ICT Audit):

• The Bank’s Internal Control and Compliance unit/Division should be well equipped with policy support and adequate manpower within a unit, including IT skilled personnel, for preventing and detecting fraud/forgery in computer operated branches.
• The ICT auditor prepares audit scopes, reports findings, presents recommendations and coordinates with various departments to create remediation plans for deficiencies found during audit.
• Perform risk assessment, general controls and application controls oversight and review to ensure compliance with the Bangladesh Bank ICT Guideline and the Bank’s internal ICT security policy.
• Development and updating of the internal ICT Audit checklist.
• Periodically visit key ICT installations in the data center/disaster recovery site, branches and head office.
• Conduct ICT audit periodically to ensure compliance.
• Government direction, Bangladesh Bank circular and internal circulars are followed.

4.6.3.8 Environmental & Social Risk:


4.6.3.8.1 Environmental risks: Environmental risk is a facilitating element of credit risk arising from environmental issues. This can be due to environmental impacts caused by and/or due to the prevailing environmental conditions. This increases risk as it brings an element of uncertainty or possibility of loss in the context of a financing transaction.

4.6.3.8.2 Social risks: The bank has to provide a safe and healthy
working environment for its employees. If it does not, then
there is a possibility for accidents, injury and death and
also exposure to occupational health issues. Apart from
occupational health & safety issues, there are other social
issues that tend to get combined to create unhealthy
conditions

4.7 Inspection Concluding Meeting (Account Finalization) - Finalization of Quick Summary Report / Annual Accounts
4.7.1 In line with Section 38 of the Banking Companies Act-1991 (revised up to date), banks have to finalize their annual account statements.
4.7.2 In compliance with BB Circular dated 29/07/2012, the Bangladesh Bank Inspection Team has to finalize their observations having requirements to reflect them on the concurrent financial statements of the bank. To impel the external auditor to reflect the issue(s) in the same vein as the inspection observations, there should be a meeting between the external auditor and the management of the bank in the presence of the Bangladesh Bank Inspection Team.

4.8 Special Board Meeting On Compliance Of Annual Inspection Report Of Bangladesh Bank [6]
4.8.1 To bring the Bangladesh Bank inspection observation and compliance thereof to the knowledge of the Board of Directors, banks were advised to arrange a Board meeting in presence of Bangladesh Bank inspection officials and management of the bank as per instruction contained in DBI-2 Circular No-01 dated 12/03/2009.
4.8.2 In such meeting the external auditor should remain present.

[6] Bangladesh Bank, DBI-2 Circular No-01 dated 12/03/2009.

4.9 Liaison Meeting [7]

To ensure the regular compliance, Bangladesh Bank inspection departments may ask to participate and explain their position on the relevant issues such as timely compliance and material changes in operational and portfolio issues quarterly in line with instructions contained in DBI-2 Circular Letter No-BaPawBI-2/ubi-1/Circular No-01 dated 27 December 2010.

4.10 Shariah Based Audit:

At present, Shariah-based audit is not performed in ABL; normal audit is performed instead, because the Islamic Banking Wings are still not established as separate bank branches. We will introduce Shariah-based audit in the near future when our wings are established as full-fledged ABL Islamic Bank Branches.

4.11 TA/DA/Conveyance for ICC’s members:

(a) ICC arranges to conduct audit/compliance through the Audit and Inspection Division-1/2, Cyber Audit Division, Pre-Audit Division, Audit Monitoring Division and Audit Compliance Division (External).
(b) Audit Compliance Division (External) organizes meetings to reduce/settle commercial audit objections by arranging bilateral and tripartite meetings in which ICC’s members participate with the CAG (Comptroller and Auditor General of Bangladesh) members in Circle/Zonal Offices/branches. The settlement target of the commercial audit objections is planned and approved by the Audit Committee and then certified by the Board.

[7] DBI-2 Circular Letter No- BaPawBI-2/ubi-1/Circular No-01 dated 27th December, 2010.


(c) Audit is conducted under an approved annual audit plan. These audit plans are approved by the Audit Committee and then certified by the Board.
(d) As the audit plan is variable/flexible and a plan is made every year, auditing expenses regarding TA/DA/Conveyance for auditors or members of ICC should be confirmed on an actual basis in accordance with the Government Rules/Policies in this regard.
(e) TA/DA/Conveyance bills for auditors or members of ICC will be paid on an actual basis by debiting TA/DA Allowance Code-62070 and Conveyance Allowance Code-62264, using the separate own divisional code/accounts, following Agrani Bank Limited’s Circular no: HRPDOD-30, Date: 22-03-2017, where the Government Rules/Policies reference is Ministry of Finance, Department of Finance, Regulation-Division, Regulation-3, Branch, Notification No-07.00.0000.173.34.007.15-71, Date: 25-09-2016.


Internal Audit Charter



4.12 Chief Audit Officer / Head of Audit
The Chief Audit Officer shall report directly to the Audit Committee of the BoD. The Chief Audit Officer must be in the rank of GM and may be contractual or regular personnel of the bank for independent auditing/inspecting. Preference will be given to contractual service. The Chief Audit Officer should not be assigned any business responsibility/targets. An expert having extensive experience in a commercial bank in the audit/ICC area may be preferred for the post of Chief Audit Officer. As per BRPD-06 dated 04/09/2016 & Section 15(ga) of Bank Company Act-1991, the Audit Division should be independent and free from other units of the bank. The Chief Audit Officer will act independently without influence of management.
Educational qualifications of the Chief Audit Officer would be CA or FCA/CMA or FCMA or CFA or Master's Degree along with 3/4 years' Honours in Economics/Finance/Banking/Accounting/Bank Management or MBA (Major in Finance/Banking/Accounting/Bank Management, MIS etc.) with 15 years' experience in banking including auditing. Candidates who are working at least in the post of DGM or equivalent will be eligible for the post.
Candidates should have at least two first class/similar CGPA in their whole academic career. No third class/similar CGPA will be considered.

As per BRPD-06 dated 04/09/2016 & Section 15(ga) of Bank Company Act-1991, the
Audit Division should be independent, and free from other units of the bank. The Chief
Audit officer will act independently without influence of auditing/inspecting.

4.13 Role and Responsibilities of Internal Auditors


4.13.1 Internal Auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control and
governance processes.

4.13.2 The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter consistent with the Auditing Standards approved by the Audit Committee of the Board. Internal Audit Charter of the bank defines the purpose, authority and responsibility of the Internal Audit Department. The internal audit activity should be independent and objective oriented.

4.14 Auditors' Ethics & Qualifications:


4.14.1 Auditors' Qualifications:
4.14.1.1 General Auditor: Chartered Accountancy partly qualified / CMA partly qualified
with MBA / Masters with Commerce background and preferably also have banking
knowledge.

4.14.1.2 IT Auditor: CISA Qualified, B.Sc in Computer science and should have related
software, hardware and also preferably have banking knowledge.

4.14.1.3 Other general requirements:


a) Persons punished for a major offence and persons under disciplinary proceedings must not be posted in ICC. The track record of officers is to be checked and maintained before posting them in ICC.
b) ICC people should have thorough professional knowledge and banking experience with good academic background.

c) Auditors posted in ICC should work there for at least five (5) years, and every officer of ABL should be posted at ICC at least once in his service tenure.

d) Transfer/posting of ICC executives requires the consent of the Head of ICC.

4.14.2 Internal Auditors' Ethics:


4.14.2.1 Internal auditors should be bold, honest and truthful.
4.14.2.2 These qualifications will be the basis for trust on the internal auditor's
professional judgement.
4.14.2.3 Internal auditors should keep strict confidentiality of information found during
audit.
4.14.2.4 Internal auditors should not use such information for personal gain or malicious
action and should be responsible for protection of such information.
4.14.2.5 The Head of the internal audit and all internal auditors should avoid conflicts
of interest.

4.14.2.6 Internal auditors should abide by the bank’s code of ethics because a code of
ethics should address the principles of objectivity, competence, confidentiality and
integrity.

4.15 Appraisal of ICC Officials


4.15.1 The Chairman of the Audit Committee of the Board will appraise the Head of ICC.
4.15.2 The Head of Compliance and Monitoring Division to be appraised by the Head of
ICC primarily and by the Senior Management/Managing Director and CEO finally.
4.15.3 The Head of ICC and the Chairman of the Audit Committee will appraise the Chief
Audit Officer / Head of Audit of the Bank.

4.16 Training and Development:


Training is a proven and effective instrument for human resources development. It plays
a key role in developing knowledge and skills to keep pace with the changes taking
place all around and ever developing technology and works as a catalyst for attitudinal
change of human beings. For this purpose, all executive/officer/staff of the ICC should
be provided with appropriate and advance training.

4.17 Training (In-house / other institutional):


HR Training, Research & Development Division of Agrani Bank Limited conducts
various training programs for the Executives/Officers/Staff to develop their risk-based
efficiency so that they can apply their knowledge and experience in the bank regularly.
Being apprised of updates on developments in their areas of responsibility, it is expected
that they have developed the necessary skills to perform their functions effectively. HR
Training, Research & Development Division, provides the following trainings:

1. Internal Control and Compliance Risk Management.
2. Internal Audit Compliance.
3. Internal Control Audit in Bank.
4. Risk-Based Internal Audit.
5. Agri Financing & Recovery.
6. Credit Risk Grading.
7. Compliance of Bangladesh Bank Inspection.
8. Compliance of Commercial Audit objections.
9. Any other relevant issues.

4.18 Abroad Training:

To keep pace with the changes taking place all around the globe and ever developing
technology, Executives and Officers should be sent abroad to attend various training
courses, workshops, seminars, conferences and symposia to acquire updated knowledge
of modern banking.

4.19 Job Rotation:

a) Job Rotation within ICC:


Every auditor is to audit from year to year until transferred from the Audit and Inspection Division to other divisions or branches. Nevertheless, if an auditor audits the same branch or division three times or more, he may apply force or be biased by financial interest. Moreover, if the same auditor continues to audit a branch or division, he may become subject to familiarity threat, financial threat or review threat. He will not be able to audit independently or fairly. The Chief Audit Officer will observe the circumstances before forming the audit team and must set the audit team by rotation. The Head of the ICC will effect rotation among the divisions within the ICC.

b) Job Rotation within the Bank:


By executing the rotation of jobs in a branch, office or division, the manager/head of the office will be able to check fraud and forgeries, maintain expertise development and increase accountability of the organization, so that the daily assignments can be done properly.

The auditors will observe the job rotation in every branch, office or division during the period of audit. If the Branch Manager/Zonal Head needs an audit of his/her branch based on a special issue, he/she will call upon the Head of ICC to conduct a special audit.

4.20 Mandatory leave (criteria):


1. The management at any time as required will sanction mandatory leave; no time
bound will be applicable in this case.
2. This leave cannot be claimed.
3. Leave sanction can only be changed by the management, employee cannot claim
for alteration.
4. There will be no monetary sanction like 01 (One) month basic salary.

4.21 Recreational Leave (criteria):


1. Employees are entitled to enjoy 15 (Fifteen) days of recreational leave after every 03 (Three) years.
2. There will be monetary sanction like 01 (One) month basic salary.
3. It requires the approval of the management and provision of proper replacement.
4. It can be claimed and changed.


Internal Audit Manual


5.0 Audit

Audit includes an examination of the books of accounts and other documents relating to the receipts and expenditure of the government, statutory public authorities and public enterprises with a view to ensuring that rules and orders framed by the competent authority in regard to financial matters have been followed, that sums due have been properly assessed, realized and brought to account, that assets have been properly utilized and safeguarded, and that the accounts truly represent facts.

5.1 Objectives / Purpose of Audit:


The broad aim of Agrani Bank Limited audit is to safeguard the interest of the State and to promote transparency and accountability, along with sound economic and financial management practices. Towards that broad aim, the auditors’ objectives are to give an independent assessment of:
i) Whether the statements of accounts show a true and fair view of the financial position of the audited body and its income and expenditure for the year in question and have been properly prepared in accordance with appropriate rules and regulations;
ii) The adequacy of the audited body’s arrangements to secure economy, efficiency
and effectiveness in the use of resources;
iii) The adequacy of the audited body’s financial management systems;
iv) The adequacy of the audited body’s arrangements for preventing and detecting
fraud, corruption and the internal control framework generally;
v) The adequacy of the audited body’s arrangements for ensuring the legality of
transactions that might have a financial consequence;
vi) The adequacy of the audited body’s arrangements for collecting, collating and
recording accounting data and publishing financial statements and reports
pursuant to appropriate rules and regulations.


5.2 Auditors’ Right:


The auditor should have the following rights:
(1) The right to access at all times to the bank’s books of account, document
and vouchers.
(2) The right to require from the officers of the bank such information and
explanation as the auditor considers necessary for the performance of his
duties.
(3) Inquire into particular issues regarding loans and advance, transaction
represented merely as book entries, sale of securities, treatment of
personal expenses and share allotment.
(4) Recording to the members;
(5) Visiting branches and access to the branch accounts;
(6) Signing the audit report;
(7) Receiving the remuneration and allowances;
(8) Posting of ICC staff requires the consent of the Head of ICC.

5.3 Responsibilities of the Auditors:

Responsibilities of internal auditors are as below:


(i) evaluates and provides reasonable assurance that risk management, control and governance systems are functioning as intended and will enable the organization’s objectives and goals to be met;
(ii) reports risk management issues and internal controls deficiencies identified directly to the audit committee and provides recommendations for improving the organization’s operations, in terms of both efficient and effective performance;
(iii) evaluates information security and associated risk exposures;
(iv) evaluates regulatory compliance;
(v) evaluates the organization’s readiness in case of business interruption;
(vi) maintains open communication with management and the audit committee;
(vii) provides support to the bank's anti-fraud programs;
(viii) prepares the Branch Audit Rating (using specific format), where the rating of the branch will be Excellent, Very Good, Good, Satisfactory or Poor according to the score obtained by the branch.

5.4 Auditors’ Punishment

5.4.1 During the audit period, if the present audit team finds any lapses or irregularities which were not detected or identified by the previous auditor, that will be reported to the Head of ICC and the MD & CEO of the Bank for taking punitive action against the concerned auditor(s).
5.4.2 If the regulator finds any fraud in the branch that Internal Audit was unable to detect during its auditing period, then management will take disciplinary action against the auditor(s) as per the banking rules and regulations as well as the bank’s own rules.

5.5 Basic principles to be followed by the auditors:


The auditor should comply with the Code of Ethics regarding professionalism. Ethical principles governing the professional responsibilities are:
• Independence;
• Integrity - Honesty, Truthfulness, Straightforwardness, Reliability;
• Objectivity - Impartiality, Independence, Neutrality;
• Confidentiality;
• Professional Competence and Due Care;
• Professional Behavior; and
• Technical Standards.

5.6 Types of Audit:


1. Internal Audit
2. External Audit
i) Chartered Accountancy Firms Audit
ii) Government Commercial Audit
iii) Bangladesh Bank Inspection
iv) Functional Audit


5.7 Internal Audit


5.7.1 Definition of Internal Audit:
Internal Audit is the process, effected by a company's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting and compliance with applicable laws, regulations, and internal policies.

Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. They ensure compliance with laws and regulations and accurate and timely financial reporting and data collection, as well as helping to maintain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit. [8]

5.7.2 Principles of Internal Audit

A. Supervisory expectations relevant to the internal audit function

Principle 1:
An effective internal audit function provides independent assurance to the
board of directors and senior management on the quality and effectiveness of
a bank’s internal control, risk management and governance systems and
processes, thereby helping the board and senior management to protect their
organization and its reputation.

Principle 2:
The Bank’s internal audit function must be independent of the audited
activities, which requires the internal audit function to have sufficient standing
and authority within the bank, thereby enabling internal auditors to carry out
their assignments with objectivity.

Principle 3:
Professional competence, including the knowledge and experience of each internal auditor and of internal auditors collectively, is essential to the effectiveness of the bank’s internal audit function.

Principle 4:
Internal auditors must act with integrity and diligence.

[8] https://www.investopedia.com/terms/i/internalaudit.asp


Principle 5:
The bank should have an internal audit charter that articulates the purpose, standing
and authority of the internal audit function within the bank in a manner that promotes
an effective internal audit function as described in principle-1.

Principle 6:
Every activity (including outsourced activities) and every entity of the bank
should fall within the overall scope of the internal audit function.

Principle 7:
The scope of the internal audit function’s activities should ensure adequate coverage of matters of regulatory interest within the audit plan.

Principle 8:
The bank should have a permanent internal audit function, which should be
structured consistent with principle-14 when the bank is within a banking
group or holding company.

Principle 9:
The Bank’s board of directors has the ultimate responsibility for ensuring that
senior management establishes and maintains adequate, effective and efficient
internal control system and, accordingly, the board should support the internal
audit function in discharging its duties effectively.

Principle 10:
The Audit committee, or its equivalent, should oversee the bank’s internal
audit function.

Principle 11:
The head of the internal audit department should be responsible for ensuring
that the department complies with sound internal auditing standards and with
a relevant code of ethics.

Principle 12:
The internal audit function should be accountable to the board, or its audit
committee, on all matters related to the performance of its mandate as
described in the internal audit charter.

Principle 13:
The internal audit function should independently assess the effectiveness and
efficiency of the internal control, risk management and governance system
and process created by the business units and support functions and provide
assurance on these systems and processes.

Principle 14:
To facilitate a consistent approach to internal audit across the banks within a banking organization, the board of directors of each bank within a banking group or holding company structure should ensure that either:
i) The bank has its own internal audit function, which should be accountable to the bank’s board and should report to the banking group or holding company’s head of internal audit; or
ii) The banking group or holding company’s internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and legal responsibilities.

Principle 15:
Regardless of whether internal audit activities are outsourced, the board of
directors remains ultimately responsible for the internal audit function.

B. The relationship of the supervisory authority with the internal audit function

Principle 16:
Supervisors should have regular communication with the bank’s internal auditors to:
i) Discuss the risk areas identified by both parties,
ii) Understand the risk mitigation measures taken by the bank, and
iii) Monitor the bank’s response to weaknesses identified.

C. Supervisory assessment of the internal audit function

Principle 17:
Bank supervisors should regularly assess whether the internal audit function
has sufficient standing and authority within the bank and operates according
to sound principles.

Principle 18:
Supervisors should formally report all weaknesses they identify in the internal audit function to the board of directors and recommend remedial actions.

Principle 19:
The supervisory authority should consider the impact of its assessment of the
internal audit function on its evaluation of the bank’s risk profile and its own
supervisory work.

Principle 20:
The supervisory authority should be prepared to take informal or formal
supervisory actions requiring the board and senior management to remedy any
identified deficiencies related to the internal audit function within a specified
time frame and to provide the supervisor with periodic written progress
reports.


5.7.3 Reporting:
Internal audit reporting always includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings and suggestions for improvements to internal controls and control procedures. [9]

5.7.3.1 Head of ICC will report to the Higher Management. Different divisions of
the bank have existing MIS; on the basis of MIS report management take
their decision for smooth operation of the bank. Reporting structure for ICC
depends upon size and complexity of business. Head of the audit directly
reports to the Audit Committee of the Board.

5.7.3.2 The Audit Division will prepare a report on individual inspection/audit programs within 15 days (except for items that need to be escalated immediately) and submit it to the Audit Committee of the BoD and to the Branches/Divisions for rectification.

5.7.3.3 For low and medium risk items, findings will be reported to the Control
Office for rectification.

5.7.3.4 For high-risk items findings will be reported to the MD/CEO and the Audit
Committee of the Board.

5.7.3.5 ICC will prepare an annual report on the health of the Bank to be submitted
to the Board of Directors under supervision of Audit Committee for onward
submission to Bangladesh Bank.

5.7.3.6 At the end of the year there should be a summary report on the audit findings
and corrective actions taken which should be forwarded to the Audit
Committee of the Board and the Managing Director simultaneously.

[9] https://www.investopedia.com/terms/i/internalaudit.asp


5.7.4 Importance of internal audit:


5.7.4.1 The Internal Audit, to be effective, should provide three types of services (PPC), viz., Preventive, Protective and Curative.
(i) In its preventive role, it forewarns the management of an adverse situation in advance;
(ii) In its protective role, it protects the management by bringing to its notice the deficiencies in advance, before the external auditors point them out; and
(iii) As a curative function, it suggests remedial measures, thereby acting as a catalyst for change and action.

5.7.4.2 Internal auditing provides insight into an organization’s culture, policies, procedures, and aids board and management oversight by verifying internal controls such as operating effectiveness, risk mitigation controls, and compliance with any relevant laws or regulations. [10]

5.7.4.3 Internal audit programs are critical for monitoring and assuring that all of the
business assets have been properly secured and safeguarded from threats. It is
also important for verifying that the business processes reflect the documented
policies and procedures. Here are five reasons that Internal Audit is important:

(1) Provides Objective Insight

By providing an independent and unbiased view, the internal audit function
adds value to the organization.

(2) Improves Efficiency of Operations

By objectively reviewing its policies and procedures, the organization can
receive assurance that it is doing what the policies and procedures say, and
that these processes are adequate in mitigating the unique risks. By
continuously monitoring and reviewing the processes, it can identify control
recommendations to improve the efficiency and effectiveness of these
processes, in turn allowing the organization to be dependent on process
rather than people.

(3) Evaluates Risks and Protects Assets

An internal audit program assists management and stakeholders by
identifying and prioritizing risks through a systematic risk assessment. A
risk assessment can help to identify any gaps in the environment and allow
for a remediation plan to take place. An internal audit program will help to
track and document any changes that have been made to the environment and
ensure the mitigation of any risks found.

[10] https://kirkpatrickprice.com/blog/5-reasons-why-internal-audit-is-important/


(4) Assesses Controls

Internal audit is beneficial because it improves the control environment of
the organization by assessing efficiency and operating effectiveness. Are
the controls fulfilling their purpose? Are they adequate in mitigating risk?

(5) Ensures Compliance with Laws and Regulations

By regularly performing an internal audit, the organization can ensure
compliance with any and all relevant laws and regulations. It can also help
provide peace of mind that the organization is prepared for the next external
audit. Gaining the trust and avoiding costly fines associated with
non-compliance makes internal audit an important and worthwhile activity for
the organization.

5.8 External audit:


5.8.1 Role of External Auditors in evaluating internal control system:
a) External auditors by dint of their independence from the management of the
bank can provide unbiased recommendation on the strength and weakness
of the internal control system of the bank.

b) They can examine the records, transactions of the bank and evaluate its
accounting policy and methods of financial estimation made by the bank;
this will allow the board and the management to have an independent
overview on the overall control system of the bank.

5.8.2 Types of External audit:


5.8.2.1 Statutory Audit:
When more than one Chartered Accountants firm is appointed by the
Ministry of Finance (Finance Division), Banking Wing, from the enlisted/
qualified list of Bangladesh Bank for a maximum period of three (03)
years to conduct the audit, it is called statutory/external audit.

5.8.2.2 Commercial audit:

Government Commercial Audit is another external audit, which is conducted
by government auditors through the CAG Office. The Commercial Audit
Directorate is the authority for the audit because its auditing areas are all
public sector entities and state owned enterprises (SOEs) including
nationalized commercial banks (NCBs) and financial institutions,
autonomous and semi-autonomous bodies, and public holding companies.


5.9 Concurrent audit in Agrani Bank Limited:

5.9.1 The role of concurrent audit has become very crucial and important for the
bank in discharging duties properly and efficiently, particularly for timely
detection of irregularities and lapses, which helps in minimization of
irregularities as well as prevention of frauds.

5.9.2 In ABL, auditors of ICC will be deputed in Central Accounts Division,
Principal Branch and 9 (Nine) big corporate branches for performing
concurrent audit.

5.9.3 One auditor having accounting background at the rank of Assistant General
Manager with another two auditors will be deputed in Central Accounts
Division, one Assistant General Manager with two experienced auditors in
Principal Branch and one Assistant General Manager with two experienced
auditors in each big Corporate Branch as follows:

Principal Branch: 1 AGM, 2 Auditors
Big Corporate Branch: 1 AGM, 2 Auditors
Central Accounts Division: 1 AGM, 2 Auditors

5.9.4 TOR of Concurrent audit:

Concurrent Auditors will constantly check and verify daily transactions and
activities, i.e. vouchers, documents and approvals, for error, fraud, forgery
and inefficiency, and whether they comply with the rules and regulations,
policies and procedures issued by both the bank and the regulators.

The following steps are to be followed for auditing of:

• Every expenditure-related financial transaction.
• Pre-sanction activities:
  - Loan applied in prescribed form is duly filled up having sufficient
    information.
  - Loan appraisal is proper.
  - Legal opinion is favorable.
  - Value of collateral is sufficient.
  - Other relevant papers are collected.
• Documentation:
  - Charge documents are obtained as per sanction advice.
  - Mortgage is proper.
• In case of installment-basis loans: utilization of every installment is duly
  performed.
• Voucher checking: daily vouchers are checked by the respective/assigned
  officer(s) with the computer-generated print.
• General banking activities.
• Foreign Exchange / Foreign Trade activities:
  - Requisite papers are obtained for L/Cs.
  - L/C documents are tallied with the SWIFT message.
  - Funded and non-funded loan activities.
  - L/C approval process.
• The concurrent auditors will act as the back office of the respective
  Branch/Division.

5.9.5 Reporting of Concurrent Auditors


Concurrent auditors will report to the branch manager/CFO/Head of the
division and the Head of ICC on a monthly basis. In case of major lapses,
auditors will immediately report them to the reporting authorities.

5.10 Lapses
5.10.1 Lapses arise out of any kind of irregularities, misstatements, non-compliances
of existing policy & procedures of the bank, law of the land by which the bank
may incur financial losses. Moreover, sometimes non-compliance of existing
policies & procedures may not cause any financial loss with immediate effect
but can result in erosion of reputation. At the same time any malpractice in
banking, misuse of offices and its fund is defined as lapses.

5.10.2 Types of Lapses:


Generally, in Agrani Bank Limited the Auditors are instructed to classify the
irregularities (Annexure-E) in three groups such as:
(1) Minor Irregularities (MI);
(2) Major Lapses (ML);
(3) Serious Lapses (SL).


5.10.2.1 Minor Irregularities (MI):

• Minor irregularities are ordinary lapses.
• They do not involve any major potential risk or loss for the Bank.
• A Minor Irregularity occurs due to ordinary carelessness of an employee.
• Auditors should try to rectify these irregularities as far as possible on
  the spot and follow up with the branch Manager until final rectification.

5.10.2.2 Major Lapses (ML):

• Major Lapses are those lapses or irregularities which occurred
  intentionally or unintentionally by violating the rules, regulations and
  laws set out by the regulatory authority, for which the Bank faces potential
  financial risk at present or in the immediate future.
• These lapses require quick action to safeguard the Bank’s interest.

5.10.2.3 Serious Lapses (SL):

• Serious Lapses are those types of lapses which have already occurred, and
  the bank has been suffering or is about to suffer financial loss.
• The following transactions are included in Serious Lapses:
  (a) Fraud and forgery occurring through any transaction;
  (b) Any kind of irregularities which indicate chances of loss or chances
      of manifold potential loss in the near future;
  (c) Any irregularities or lapses which require instant/immediate
      administrative action by the higher authorities.


5.11 Punishment:

5.11.1 Punishment is an action to be taken by the management of the bank
against employees of Agrani Bank Limited for committing lapses/offences.
5.11.2 Punishable offences are activities for which higher management
considers taking administrative action.
5.11.3 The auditor should determine the level or quantum of lapses/offences and
report to higher management, including the Head of ICC.

5.12 Reward / Incentive for Auditors:

Auditors will be rewarded for performing extraordinary work during the audit
period, such as identifying frauds or forgeries and thereby reducing huge
financial losses of the bank. In those cases, auditors will be eligible to get a
reward/incentive from the bank. Both auditors and the bank will benefit
financially if this kind of reward/incentive system is introduced.

5.13 System Audit Software:

The banking sector is today’s challenging service sector. The present age is the
age of automation, and the banking sector is now totally IT oriented. To cope
with the international standard, Agrani Bank Limited runs the real-time online
software T-24. Online software is quicker and ensures fair transactions. It also
increases risks day by day. Therefore, the bank needs system audit software.

5.14 Wrap-up Meeting after Internal Audit:


During audit, some irregularities are to be rectified on the spot. The Audit team
must give emphasis on rectification of errors or omissions on the report. In light
of that, at the closing day of the audit there must be a meeting with the head of
Branch/Office. In this meeting, general discussion will be held on the objections
raised by the auditors during the audit period. If the branch office can satisfy the
auditor, then because of consensus the objections may be settled; while the
unsettled objections are brought into the Audit report. Audit objections raised also
are disclosed in the wrap-up Meeting to the Branch Management.
Risk Based Internal Audit Manual


6.0 Risk Based Internal Audit
6.1 Risk based Internal Audit (RBIA) [11] is an internal methodology which is
primarily focused on the inherent risk involved in the activities or system and
provides assurance that risk is being managed by the management within the
defined risk appetite level. It is the risk management framework of the
management and seeks at every stage to reinforce the responsibility of
management and the Board of Directors for managing risk.

6.2 Risk based internal audit is conducted by internal audit department of ICC to help the
risk management function of the Bank by providing assurance about the risk
mitigation.

6.3 RBIA allows internal audit to provide assurance to the Audit Committee of the Board
that risk management processes are managing risks effectively, in relation to the risk
appetite.

6.4 As per Section 15 (ga) of Bank Company Act-1991, the Audit Division of ICC should
be independent, and free from other units of the bank. It will act independently without
influence of Management.

6.5 Audit Procedure


6.5.1 Each year the Audit Divisions of ICC will set out a Risk Based Audit plan
for the year. This would be a high-level plan, which will be approved by the
Audit Committee of the Board.
6.5.2 This will be a risk-based plan where sensitive areas will be identified with
priority.
6.5.3 The deficiencies identified during the audits should be notified to the
appropriate level and significant audit findings should be reported to the
Audit Committee of the Board.

[11] https://en.wikipedia.org/wiki/Risk_based_internal_audit


6.5.4 At the end of the year, there should be a summary report on the audit
findings and corrective actions taken which should be forwarded to the
Audit Committee of the Board and the Managing Director & CEO of the
Bank.
6.5.5 Based on the review of monitoring reports the audit team should also
conduct surprise check on the branches where regular gaps are identified.

6.6 Preparation of Risk Based Audit Plan:


6.6.1 Audit and Inspection Division (AID) of Agrani Bank Limited will prepare a
plan for all the audit assignments to be performed.
6.6.2 The risk based audit plan includes the timing and frequency of planned
internal audit work set by the Board/ Audit committee and regulatory
guidelines.
6.6.3 The audit plan should include the rationale for audit work planned. It should
include all risk areas and their prioritization based on the level and the
direction of risk. The AID will prepare:
(1) The Annual audit plan covering all branches/ activities of the bank
to be audited in an audit cycle.

(2) The risk based audit plan for the audited branch/activity.
(3) The offsite risk assessment will form the basis for preparation of the
audit plan.

6.7 Prioritization for audit: the priority for audit work would be determined by
the off-site risk assessment carried out. The priority of audit resources will be
given to the branches showing the highest level of risk. As the magnitude and
frequency of risk should be taken into account, the use of the Risk Audit
Matrix, as shown below, has been advocated.

Risk Audit Matrix

| Magnitude of Risk (M) | Frequency of Risk (F): Low | Frequency of Risk (F): Medium | Frequency of Risk (F): High |
|---|---|---|---|
| High | High M & Low F | High M & Medium F | High M & High F |
| Medium | Medium M & Low F | Medium M & Medium F | Medium M & High F |
| Low | Low M & Low F | Low M & Medium F | Low M & High F |

Priority for audit work should be given to branches/areas having:
1. High Magnitude and High frequency
2. High Magnitude and Medium frequency
3. Medium Magnitude and High frequency
4. High Magnitude and Low frequency
5. Medium Magnitude and Medium frequency

[12] https://cplusglobal.wordpress.com/2014/04/15/audit-risk-model/
[13] http://www.mortgagecompliancemagazine.com/risk-management/best-practices-establishing-cost-effective-internal-audit-function/


6.8 Risk Based Internal Audit Methodology: [14]

6.9 Formation of audit team:

6.9.1 Formation of the Audit Team is a very important task. An audit team will
be formed of auditors having all-round banking knowledge such as general
banking, loans and advances, foreign exchange, money laundering, treasury
functions and other banking procedural work, and the team should obviously
have ICT knowledge.

[14] http://crossoverbrazil.blogspot.com/2018/03/simplifying-application-of-risk-based.html


6.9.2 The formation of audit team is stated below.


Team and working day Plan (TAWDP)

| SL No | Branch/Office | No of Branches | Team Leader (Designation) | Team Leader (No) | General Banking (No) | Loan & Advance | Foreign Exchange | Auditor (No) | Days | Frequency/Yr | Total No of Man-days |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Principal Br | 1 | DGM | 1 | 3 | Industrial Credit: AGM/SPO-2; CC: AGM/SPO-2; GHBL, Staff & Other: AGM/SPO-2 | Import: AGM/SPO-1; Export & Other: AGM/SPO-1 | 12 | 30 | 2 | 720 |
| 2 | 9 Corporate Br. | 9 | DGM/AGM | 1 | 2 | AGM/SPO-2 | AGM/SPO-2 | 7 | 14 | 2 | 1764 |
| 3 | Other Corporate Br. | 17 | AGM | 1 | 2 | SPO-1, PO-1 | Foreign Exchange including Loans & Adv - 1 | 5 | 9 | 1 | 765 |
|   | AD Br. | 13 | AGM | 1 | 2 | SPO-1, PO-1 | Foreign Exchange including Loan & Adv - 1 | 5 | 7 | 1 | 455 |
| 4 | Main Br. (District Level) | 49 | AGM | 1 | 2 | SPO-1, PO-1 | - | 5 | 6 | 1 | 1470 |
|   | A Grade Br. | 299 | AGM | 1 | 1 | SPO/PO-1 | - | 3 | 6 | 1/2 | 2700 |
| 5 | B Grade Br. | 192 | SPO | 1 | 1 | 1 | - | 3 | 5 | 1/2 | 1440 |
|   | C Grade Br. | 129 | SPO/PO | 1 | 1 | 1 | - | 3 | 4 | 1/2 | 780 |
| 6 | D Grade & New Br. | 212 | SPO/PO | 1 | 1 | 1 | - | 3 | 3 | 1/2 | 954 |
| 7 | Head Office Division, Circle Office, Zonal Office | 105 | DGM/AGM | 1 | 2 | Overall Operation | - | 3 | 2 | 1 | 630 |
| 8 | Islami Windows | 5 | DGM/AGM | 1 | 2 | Overall Operation | - | 3 | 3 | 1/2 | 27 |
| 9 | Agrani Exchange House Pvt Ltd/Subsidiaries company | 6 | GM/DGM/AGM | 1 | - | Overall Operation | - | 1 | 4 | 1/2 | 12 |
| Total | | 1037 | | | | | | | | | 11717 |

6.10 Control Risk Assessment


Risk is the net negative impact of the exercise of vulnerability, considering both the
probability and the impact of occurrence. Effective risk assessment must identify and
consider both internal and external factors.

6.10.1 Assessing Business and Control Risk


6.10.1.1 Internal factors:
(i) Complexity of the organization structure,
(ii) The nature of the Bank’s activities,
(iii) The quality of personnel,
(iv) Organizational changes and
(v) Employee turnover.

6.10.1.2 External factors:


(i) Fluctuating economic conditions,
(ii) Changes in the Industry,
(iii) Socio-political realities
(iv) Technological advancement.
(v) Changes in rules and regulations

6.11 Risk Model Construction:


6.11.1 Audit risk arises when the auditor gives an inappropriate audit
opinion while the financial statements are materially misstated. Audit
risk has three components: control risk, detection risk and inherent
risk.

6.11.2 Control risk:


This risk occurs when a material misstatement would not be prevented,
detected or corrected by the accounting and internal systems such that
there are some practices in the banking operations which are not backed
by the law or established procedures.

6.11.3 Detection risk:


Detection risk is the risk that an auditor’s substantive procedures will
not detect a misstatement that exists in an account balance or class of
transactions and that could be material individually or when aggregated
with misstatements in other balances or classes.


6.11.4 Inherent risk:


Inherent risk is the susceptibility of an account balance or class of
transactions to misstatement that could be material individually or when
aggregated with misstatements in other balances or classes, assuming
that there were no related internal controls.

Audit risk = Risk of material misstatement + Detection risk


Risk of material misstatement = Inherent risk + Control risk

6.12 Risk Recognition & Assessment


6.12.1 An effective internal control system continually recognizes and
assesses all of the material risks that could adversely affect the
achievement of the bank’s goals.
6.12.2 Effective risk assessment must identify and consider both internal and
external factors. Internal factors include the complexity of the
organization’s structure, the nature of the Bank’s activities, the quality
of personnel, organizational changes and the employee turnover.
External factors include fluctuating economic conditions, changes in the
industry, socio-political realities and technological advances.
6.12.3 Risk assessment by the Internal Control System differs from the business
risk management process, which typically focuses more on the review
of business strategies developed to maximize the risk/reward trade-off
within different areas of the bank. The risk assessment by Internal
Control focuses more on compliance with regulatory requirements and on the
social, ethical and environmental risks that affect the banking industry.


6.13 Risk Analysis of Control Functions

6.13.1 Individual items in the Departmental Control Functions Check List
(DCFCL) need to be assigned a risk rating in terms of the following
dimensions:
a. Business Risk
b. Control Risk
6.13.2 Risk Assessment Matrix
A comprehensible list based on business and control parameters, which
are quantifiable, should be commonly available for Agrani Bank Limited.
6.13.3 It is a technique that brings risk orientation into the audit approach.
In order to identify risk, the risk based auditor obtains a thorough
understanding of the bank’s controls, financial condition, sources of
revenue, expenditures, competition, and other factors that affect or may
affect the business of banking.

6.14 Steps in adopting Risk Based Internal Audit (RBIA):


6.14.1 RBIA is adopted in Agrani Bank Limited through the completion of the
following steps.
6.14.1.1 Step 1: An overview of existing risk profile of bank:
Risk management involves identification, measurement, pricing,
monitoring, control and mitigation of risks. Risks for the purpose of
RBIA may be grouped into two categories.
1. Inherent Business Risks: Inherent business risk
indicates the intrinsic risk in a particular area of activity
of bank before considering internal controls. e.g. credit
risk, market risk, operational risk, liquidity risk, group
risk etc.
2. Control Risk: Control risk arises out of inadequate
control systems, deficiencies or gaps and or likely
failures in the existing control processes e.g.
management risk, compliance risk etc.
Going through the records of the inspection of branches is very helpful in
giving correct weightage to the different risks in the risk assessment formats,
and it will lead to the organization working in the same direction for
improving the risk profile of the branch.

6.14.1.2 Step – 2: Risk assessment:

The RBIA Guidance note states that Risk Based Internal Audit
should undertake risk assessment solely for the purpose of
formulating the risk based audit plan. Risk assessment has to be
carried out at two stages:
1. Off site: for formulation of audit plan and
2. On site: during the course of audit

6.15 Development of formats for risk assessment:


The Inherent Business risks are to be assessed together with the efficiency and
effectiveness of the controls in place to manage these risks. The overview of
the existing risk profile of the Bank will be a source of major input for the
various risk assessment parameters and their weightage in the total score. Both
quantitative and qualitative information is to be used for risk assessment. We
upgraded the format to include quantitative and qualitative information. The
format is used for risk assessment. The formats incorporate the magnitude
(value) while assessing the weightage for risk assessment.

Individual items in the Departmental Control Function Checklists (DCFCL)
need to be assigned a risk rating by giving scores. Scores derived from these
DCFCL checklists will be divided and added in the two risk assessment formats
(Inherent Business Risk and Control Risk).

6.16 Risk assessment of Branch as a whole:


The level of Inherent Business risk and the level of Control risk of the branch
are assessed separately as Low/Medium/High risk. The direction of inherent
business risk and control risk for the branch will be determined separately and
the direction of composite risk of the branch identified as Increasing/
Decreasing/Stable. This will result in a risk assessment rating (RA rating) for
the branch as depicted in Figure 1.

Figure 1.

1. Business Risks

A. Credit Risk
   1 Portfolio Quality and Composition
   2 Pre-sanction Credit Process
     a) Quality of appraisal
     b) Quality of Assessment
     c) Sanction
     d) Organizational Structure for managing CR
   Total Marks for Credit Risk (A)
B. Earning
C. Liquidity
D. Strategy and Business Environment
   1 Business achievement
   2 Profitability
   3 Market Share
   Marks for Strategy and Business Environment (D)
E. Operational Risk
   1 Fraud prevention and Follow-up effects
   2 Documentation and compliance with terms
   3 Exercise of Delegated Authority
   4 Accounting System/Balancing of Books/Computer Audit (Computerized Branch)
   5 Anti money laundering related issues
   6 Customer service
   Total Marks for Operational Risk (E)
Total Marks for Business Risk (A+B+C+D+E)

2. Control Risks

A. Credit
   1 Follow-up Monitoring and Control
   2 Review/Renewal Time
   3 NPA/SMA Management
     a) Monitoring of NPA
     b) Quality of Assets
     c) Recovery from NPA
     d) Recovery through rescheduling/waiver of interest
     e) Level of SMA
   Total Marks for Credit (A)
B. Internal Control
   1 Business Lines
     a) Deposit business
     b) Remittance & Collection business
     c) Agency and other fee based services
     Sub-total
   2 Back-up operations
     a) Branch cash/Petty cash
     b) Security forms
     c) Protective arrangements
     d) Branch documents
     e) Records and Stationery
     Sub-total
   3 Control Systems
     a) A/C System/Balancing of Books (Manual/Automated)
     b) Office accounts follow ups
     c) Control function (Branch controls)
     d) Submission of periodical returns
     e) Letter receiving and disposal
     Sub-total
   4 General administration/Staff matters
   5 Premises/Furniture
   6 Control of income Leakage
   Total Marks for Internal Control Risk (B)
C. Compliance
   1 External compliance
   2 Follow-up of audit reports
   Total Marks for Compliance (C)
D. Management
Total Marks for Control Risk (A+B+C+D)


6.17 Risk Assessment:


All parameters to be assessed are summarized under "Business Risks" and "Control
Risks". Auditors are required to award the scores as follows:

Step-I: Based on observations during audit, quantify the breaches under each
parameter in percentage.

Step-II: Determine the level of breaches as Low, Medium or High as follows:

| Breaches observed | Level |
|---|---|
| <10% | Low |
| 10%-20% | Medium |
| >20% | High |

Step-III: Quantify the breaches in value terms, reflecting the magnitude.

Step-IV: Quantify the breaches as a percentage of Total Advances.

Step-V: Determine the level of breaches in value terms as Low, Medium or High as
follows:

| Percentage of Advances | Level |
|---|---|
| <10% | Low |
| 10%-25% | Medium |
| >25% | High |

Step-VI: (a) Link the level relating to magnitude from Step-V with the level of
breaches from Step-II to determine the Level of Risk by using the following
matrix:

| Magnitude (Value), Step-V | Breaches observed (Step-II): Low | Breaches observed (Step-II): Medium | Breaches observed (Step-II): High |
|---|---|---|---|
| High | High | High | High |
| Medium | Medium | High | High |
| Low | Low | Medium | High |

(b) In qualitative parameters, link breaches observed to level of risk, as
in Step-II.

Step-VI: Award scores based on level of risk as follows:

| Level of risk | Maximum Marks 5 | Maximum Marks 10 | Maximum Marks 15 | Maximum Marks 20 |
|---|---|---|---|---|
| Low/Good | 4 or 5 | 9 or 10 | 13-15 | 18-20 |
| Medium/Satisfactory | 3 | 6 or 7 | 9 or 10 | 12-14 |
| High/Weak/Poor | 2 or less | 5 or less | 8 or less | 10 or less |

Discretion is given to the auditor(s) to award the marks within the
range specified for each level depending upon their onsite judgment.


6.18 Conduct of on-site Audit and Report findings.

6.18.1 Based on the Audit plan which has got a risk focus, the team will conduct
the on- site audit. The audit team will assess the efficacy and efficiency of
controls in place to manage the inherent business risks faced by the branch.
This will result in the on-site risk assessment and rating of branch/inherent
business risks/functional area/ business line.

6.18.2 Conduct of off-site risk assessment of branch:

6.18.2.1 Prepare branch/Activity profile:

This involves the collection of the latest necessary data about the branch from
various sources, including data/information from the following:
• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant changes in management/key personnel
• Results of the latest regulatory examination report
• Reports of external auditors
• Industry trends and other environmental factors
• Time elapsed since last audit
• Substantial performance variations from the budget

6.18.2.2 Determine the level of risk separately for inherent business and
control risk

The scoring modules for determining the level of risk would be Low,
Medium or High risk. The following range of scores will be followed by
Agrani Bank Limited:

| Level of Risk | % of Score awarded |
|---|---|
| Low | Above 60% |
| Medium | 40%-60% |
| High | Below 40% |


6.19 Determine the composite risk level using composite risk matrix.

There will be five levels of composite risk: Low, Medium, High, Very High and
Extremely High risk, as shown below:

| Inherent Business Risk | Control Risk: Low | Control Risk: Medium | Control Risk: High |
|---|---|---|---|
| High | A: High Risk | B: Very High Risk | C: Extremely High Risk |
| Medium | D: Medium Risk | E: High Risk | F: Very High Risk |
| Low | G: Low Risk | H: Medium Risk | I: High Risk |

6.20 Determine trend/ direction for both inherent business and control risk.
The inherent business risk and control risk should be analyzed with a view to
assessing whether these are showing a stable, increasing or declining trend.
This can be done when the risk assessment has been done for two or more periods.
The trend matrix is as shown below:

| Inherent Business Risk | Control Risk: Decreasing | Control Risk: Stable | Control Risk: Increasing |
|---|---|---|---|
| Increasing | Increasing | Increasing | Increasing |
| Stable | Stable | Stable/Increasing | Increasing |
| Decreasing | Decreasing | Stable | Increasing |

Variation of marks in the same category up to +5 or -5 is considered as Stable.
Variation in the marks in the same category of more than +5 or -5 is considered
as Increasing/Decreasing, as the case may be.


6.21 Determine the ratings of the branch.


6.21.1 Based on the level and direction of risk, the risk assessment rating
could be any of the fifteen shown below:

| SL | Level of risk | Direction | Direction | Direction |
|---|---|---|---|---|
| 1 | Extremely High risk | Increasing | Stable | Decreasing |
| 2 | Very High risk | Increasing | Stable | Decreasing |
| 3 | High risk | Increasing | Stable | Decreasing |
| 4 | Medium risk | Increasing | Stable | Decreasing |
| 5 | Low risk | Increasing | Stable | Decreasing |
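
The scoring chain of sections 6.17 to 6.21.1 expressed as lookup tables, as an added example that is not part of the Bank's policy. Function names, the sample marks and the maximum marks are hypothetical; boundary values (exactly 10%, 20%, 25%, 40%, 60%) are assumed to fall in the Medium band, and the reading of the +5/-5 rule is an assumption stated in the code.

```python
"""Branch risk rating per sections 6.17 to 6.21 (added example, hypothetical names)."""


def band(pct, low_below, high_above):
    """Low / Medium / High for a percentage; boundary values are assumed Medium."""
    if pct < low_below:
        return "Low"
    return "High" if pct > high_above else "Medium"


# Step-VI matrix: PARAMETER_RISK[magnitude (Step-V)][breaches observed (Step-II)]
PARAMETER_RISK = {
    "High":   {"Low": "High",   "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Medium", "High": "High"},
}


def parameter_risk(breach_pct, pct_of_advances=None):
    """Risk level of one audited parameter (Steps I to VI)."""
    breaches = band(breach_pct, 10, 20)            # Step-II thresholds
    if pct_of_advances is None:                    # qualitative parameter, Step-VI (b)
        return breaches
    magnitude = band(pct_of_advances, 10, 25)      # Step-V thresholds
    return PARAMETER_RISK[magnitude][breaches]


def score_level(marks, max_marks):
    """6.18.2.2: above 60% of marks is Low risk, below 40% is High risk."""
    if max_marks <= 0 or not 0 <= marks <= max_marks:
        raise ValueError("marks must lie between 0 and max_marks")
    pct = 100.0 * marks / max_marks
    if pct > 60:
        return "Low"
    return "High" if pct < 40 else "Medium"


# 6.19 composite matrix: COMPOSITE[inherent business risk][control risk]
COMPOSITE = {
    "High":   {"Low": "High Risk",   "Medium": "Very High Risk", "High": "Extremely High Risk"},
    "Medium": {"Low": "Medium Risk", "Medium": "High Risk",      "High": "Very High Risk"},
    "Low":    {"Low": "Low Risk",    "Medium": "Medium Risk",    "High": "High Risk"},
}

# 6.20 trend matrix: TREND[business risk direction][control risk direction]
TREND = {
    "Increasing": {"Decreasing": "Increasing", "Stable": "Increasing",
                   "Increasing": "Increasing"},
    "Stable":     {"Decreasing": "Stable", "Stable": "Stable/Increasing",
                   "Increasing": "Increasing"},
    "Decreasing": {"Decreasing": "Decreasing", "Stable": "Stable",
                   "Increasing": "Increasing"},
}


def risk_direction(previous_marks, current_marks):
    """6.20: a change of up to 5 marks is Stable.

    Assumption (not stated in the policy): because higher marks mean lower
    risk, a rise of more than 5 marks is read as Decreasing risk and a fall
    of more than 5 marks as Increasing risk.
    """
    change = current_marks - previous_marks
    if abs(change) <= 5:
        return "Stable"
    return "Decreasing" if change > 0 else "Increasing"


def rate_branch(business, control):
    """Return (composite risk level, direction) for one branch.

    `business` and `control` are dicts with keys marks, max_marks, previous_marks.
    """
    level = COMPOSITE[score_level(business["marks"], business["max_marks"])][
        score_level(control["marks"], control["max_marks"])]
    direction = TREND[risk_direction(business["previous_marks"], business["marks"])][
        risk_direction(control["previous_marks"], control["marks"])]
    return level, direction


# Constructed sample data for one branch; the maximum marks are placeholders.
SAMPLE_BUSINESS = {"marks": 130, "max_marks": 200, "previous_marks": 128}
SAMPLE_CONTROL = {"marks": 45, "max_marks": 100, "previous_marks": 52}

if __name__ == "__main__":
    print(parameter_risk(15, 30))      # breaches Medium, magnitude High
    print(rate_branch(SAMPLE_BUSINESS, SAMPLE_CONTROL))
```

The "Stable/Increasing" cell of the trend matrix is returned as written in the policy, so the auditor's judgment still decides between the two.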

6.21.2 The risk assessment matrix must consist of business and control risk.
However, the matrix alone will not serve the purpose. The business and control
risk must have different factors/parameters, which must be quantifiable, and
eventually the risk assessment will give a picture of the risk associated with
the units/branches/functions, upon which the annual audit plan will be drawn
up.

6.21.3 Based on the risk assessment matrix the audit plan will be as follows:
Risk Rating Frequency Sample Volume

Risk Rating Frequency

High Quarterly
Medium Half Yearly

Low Yearly

6.21.4 Risk Rating will be determined by business and control risk of a particular
branch.
6.21.5 Risk Based Audit Universe [15]

[15] https://www.youtube.com/watch?v=SuTlfvnZZsc


Categories of Audit Findings


6.22 Minor Irregularities (MI) :
wbqg cwicvj‡b GKB ai‡Yi e¨Z¨q (System Lapses) evi evi Kiv n‡”Q wKš‘ G‡Z kvLvi/Awd‡mi KvR
K‡g© †Kvb ¶wZ nq bvB, wKš‘ ¶wZi m¤¢ebv †_‡K †h‡Z cv‡i A_©vr kvLvi Af¨šÍixb Z`viKxi ˆkw_‡j¨i
Kvi‡Y †h mKj Awbqg Kiv nq †m mKj fzj-åvwšÍmg~n mvaviY Awbqg Minor Irregularities wnmv‡e
†kÖYxf‚³| Internal Auditors should try to rectify these irregularities as far as possible on
the spot and follow-up with the branch Manager until final rectification. †hgb t
6.22.1 Duty list G Job Rotation bv Kiv;
6.22.2 K¨vk †WweU fvDPv‡i bM` A_© cwi‡kv‡ai †¶‡Î MÖnYKvixi ¯^v¶i cÖZ¨qb (Verify) bv
Kiv;
6.22.3 kvLv e¨e¯’vc‡Ki AbygwZ e¨wZ‡i‡K wnmve †Lvjv;
6.22.4 GKK ¯^v¶‡i n¯ÍvšÍi Kiv;
6.22.5 mKj eo As‡Ki †PK fvDPvi †hŠ_ mycviwfkbmn cÖavb Kvh©vj‡qi wba©vwiZ mxgv Abyhvqx
K¨v‡Ý‡jkb, mycviwfkb ¯^v¶i cÖ`vb bv Kiv;

75
ICC Policy and Procedures-2022
6.22.6 Striking out/overwriting in the cash payment/receipt register not checked by the officer concerned;
6.22.7 Transfer register not verified and signed by the branch officer concerned;
6.22.8 Account holder's signature on the account opening application form not checked by the officer concerned;
6.22.9 Transfer and clearing vouchers not signed by two officers;
6.22.10 Cheque book requisition slip not signed by the cheque-book issuing officer/manager;
6.22.11 Not placing the branch's endorsement on the reverse of an FDD when paying it by transfer;
6.22.12 Branch not writing the total number of vouchers on the voucher cover, and no officer signing it;
6.22.13 Paying large-value cheques/DDs on a single cancellation;
6.22.14 Branch not using the cash payment seal on all instruments paid in cash;
6.22.15 The person posting cheques/vouchers in the computer not signing after posting;
6.22.16 Not using the transfer seal on all instruments paid by transfer;
6.22.17 Not writing the details of the cash on the reverse of the pay-in slip for cash deposits and on the reverse of the cheque for payments;
6.22.18 The posting person not putting a full signature when posting cheques/deposit vouchers;
6.22.19 Not writing the prefix number when writing the cheque series number in the ledger;
6.22.20 Issuing DD/TT etc. even though the applicant's address is not written on the application for DD/TT/MT, and handing over a DD without obtaining a signature in the "DD received" column;
6.22.21 Officer not signing the counterfoil of a DD/pay order;
6.22.22 Not affixing the special crossing seal on cheques/instruments received for collection;
6.22.23 Not using the code number below the names of the DD issuing and paying branches;
6.22.24 Not filing according to the rules; not preserving vouchers properly;
6.22.25 Not making entries in the instruction circular/circular register;
6.22.26 Not maintaining the security stationery register properly;
6.22.27 Not preserving the files of filed lawsuits, including the plaint;
6.22.28 Not keeping important ledgers/registers in a safe place after the day's transactions;
6.22.29 At the time of opening an account, all particulars of the account such as full name, occupation, telephone number and special instructions need to be recorded in the ledger; this not being checked and signed by an officer;
6.22.30 Not issuing a letter of objection to the DD issuing branch when paying the value of a DD without an advice, etc.

6.23 Major Irregularities (ML):

Irregularities that do not cause the Bank an immediate loss but indicate loss in the near future and appear likely to become a cause of loss are identified as procedural irregularities. Action should be taken on an urgent basis for such irregularities so that they can be eliminated as soon as possible and the same kind of irregularity does not recur. Procedural irregularities are to be classified by importance, and the number of objections reduced by quickly settling the less important matters. For branches/offices where a large number of procedural irregularities occur, the higher authority is asked to take the necessary action on an urgent basis:

(A) Major irregularities relating to foreign trade and foreign exchange (based on foreign exchange risk), for example:

6.23.1 Not taking the L/C margin money on the day the L/C is opened;
6.23.2 Not sending the 3rd and 4th copies of the L/C to the office of the importer/exporter;
6.23.3 Not recovering commission and other charges against issued guarantees on the date of issue;
6.23.4 Not recovering charges under the prevailing rules on the day of opening when issuing a shipping guarantee;
6.23.5 Branch not obtaining the letter of clearance and the required margin against LIM;
6.23.6 Purchasing discrepant export documents and holding them for a long time, thereby helping the exporter to benefit, and later sending them to the foreign bank after removing the discrepancies;
6.23.7 Recovering less interest from export/import bills, or not recovering commission;
6.23.8 Branch not playing its proper role in repatriating foreign currency against export bills;
6.23.9 Not reporting EXP reconciliation correctly;
6.23.10 Irregularities in disbursing and recovering PC loans;
6.23.11 Irregularities in paying the value of IFBC/import bills;
6.23.12 Not performing bill of entry matching properly;
6.23.13 Not paying cash incentive against exports correctly;
6.23.14 Purchasing bills for exported goods against an expired export L/C and paying money;
6.23.15 Opening L/Cs and providing PC facilities at a rate higher than the entitlement;
6.23.16 Not collecting the 3% reserve on consumer goods loans.


(B) Procedural irregularities relating to general banking (based on asset liability risk, money laundering risk and ICC risk), for example:

6.23.17 Not obtaining the account holder's photograph when opening a new account;
6.23.18 Opening an account without an introducer;
6.23.19 Not obtaining form CD-50 (1036-1, 1036-3) when an account is opened with shaky/unpractised handwriting;
6.23.20 Not sending a letter of thanks to all savings and current account holders after account opening;
6.23.21 Not sending a letter of thanks to the introducer in the case of current accounts;
6.23.22 Branch not regularly sending letters of thanks by registered post with A/D to verify the account holder's address after account opening;
6.23.23 KYC obtained when opening a new account, but in many cases the account holder's required information not properly recorded; opening accounts without properly completing the KYC and TP statements, and not updating them regularly/as needed;
6.23.24 Not obtaining the account holder's signature on the account rules in the account opening application form;
6.23.25 Not maintaining the vault register;
6.23.26 Holding/carrying cash in excess of the limit in the branch safe;
6.23.27 Holding foreign remittance money instead of crediting it to the beneficiary's account on the date of receipt or by the next day;
6.23.28 Holding a large quantity of torn/mutilated notes with the branch cash and taking no initiative to exchange them;
6.23.29 Not properly preserving acknowledgement receipts for cash transactions with the feeding branch;
6.23.30 Entering the cheque series number correctly in the computer at the time of cash payment;
6.23.31 Not maintaining the prize bond register;
6.23.32 Registers for cash and postage under petty cash, postage, telegram and stamps not regularly checked by the branch manager/officer;
6.23.33 Not obtaining the recipient's signature on the reverse of the voucher when paying cash through a cash debit voucher;
6.23.34 Cashier and officer not initialling each entry in the branch cash payment register;
6.23.35 Being unable to show balanced ledgers to the auditors during the audit;
6.23.36 For large transactions, supervision must be carried out in the ledger under the Maker & Checker method.
6.23.37 Not transferring accounts with no transactions for more than 2 years to the dormant ledger;
6.23.38 Not balancing ledgers regularly;
6.23.39 Not sending customers balance confirmation letters for their accounts after the half-yearly and annual closing;
6.23.40 Not charging incidental/service charges on accounts at annual closing as per Head Office instructions;
6.23.41 Not marking accounts with no transactions for 6 months (current accounts) or one year (savings accounts) as "Care Dormant Account";
6.23.42 Paying post-dated cheques;
6.23.43 Paying cash on a cheque with striking out/overwriting in the date without the customer's consent;
6.23.44 Paying stale-dated cheques;
6.23.45 Not checking the daily vouchers of a computerised branch;
6.23.46 Cheques paid on a thumb impression/shaky handwriting not attested by the cancelling officer;
6.23.47 Not maintaining the voucher register correctly;
6.23.48 Applying too little/too much interest on various interest-bearing deposit accounts;
6.23.49 Paying a cheque without cancellation by an officer; not following the proper rules when cancelling cheques for payment;
6.23.50 Not obtaining the depositor's signature for cash deposits;
6.23.51 Not posting an armed guard at the main gate during transaction hours at the branch;
6.23.52 Not maintaining the old records register;
6.23.53 Not maintaining the furniture record register;
6.23.54 Not maintaining the stock of stationery register;
6.23.55 Not refilling fire extinguishers;
6.23.56 Not executing an updated agreement even after the lease of the branch premises has expired;
6.23.57 Not rotating the duplicate keys of the branch safe every year;
6.23.58 Not keeping attested copies of original examination certificates and up-to-date photographs in the personal files of branch officers/staff;
6.23.59 Confidentiality not being maintained by the person controlling computer passwords, and computers being used without the permission of the authorised officer;
6.23.60 Not checking and preserving, as per the rules, the break-up and up-to-date printed copies of transactions executed on the computer;
6.23.61 The administrative password not being kept in the custody of the Manager;
6.23.62 Not maintaining the Departmental Control Function Check List (DCFCL) as per the rules;
6.23.63 Transferring to income, in violation of the rules, small-balance accounts that have lain without transactions for a long time, in order to increase branch income;
6.23.64 Not maintaining the branch key register properly;
6.23.65 Firearms and ammunition at the branch not being serviceable and functional;
6.23.66 Not putting up a signboard/notice board;
6.23.67 Not maintaining an up-to-date leave record register correctly, and not displaying the citizen's charter on the notice board;
6.23.68 Not collecting locker rent correctly;
6.23.69 Not correctly determining government revenue and paying it regularly;
6.23.70 Not complying with Head Office instructions on transfer orders every three years for officers/staff working in the same branch; not carrying out job rotation where applicable;
6.23.71 Not adjusting for a long time after large amounts are drawn from the suspense account (staff);
6.23.72 Not adjusting long-outstanding unadjusted balances in the suspense account (others);
6.23.73 Not adjusting long-outstanding unadjusted balances under army pension;
6.23.74 Spending in excess of budget under certain controllable expenditure heads allocated by the Zonal Office and not obtaining approval from the proper authority;
6.23.75 Not obtaining the certificate regarding up-to-date reconciliation of MO/NG accounts;
6.23.76 Not responding to inter-branch credit/debit advices (IBCA/IBDA/MOCA/MODA) immediately on receipt;
6.23.77 Responding to IBCA/IBDA/MOCA/MODA not properly signed by an officer of the issuing branch;
6.23.78 Issuing a cheque book without verifying the account holder's signature on the cheque book requisition slip;
6.23.79 Handing DD/TT advices to the customer.

(C) Major irregularities (ML) relating to credit (based on credit risk), for example:

6.23.80 Not displaying the business's signboard and the signboard showing the liability to the Bank;
6.23.81 Not obtaining the prior (baya) deeds, RS, CS, SA, SA mutation and field porcha/BRS mutation porcha;
6.23.82 Not obtaining up-to-date land rent receipts;
6.23.83 Not obtaining the site plan and mouza map of the mortgaged property;
6.23.84 Not obtaining the lawyer's opinion and the draft copy of the mortgage deed;
6.23.85 Not obtaining the monthly stock report of goods in stock;
6.23.86 Not adjusting the loan account periodically as per the terms of the sanction letter;
6.23.87 Any irregularity regarding liabilities in excess of limit, recovery of instalments of defaulted loans, or renewal of credit limits;
6.23.88 For project loans, paying insurance, salaries and allowances and other expenses in violation of the sanction letter/investment agreement;
6.23.89 Not collecting the registered deeds of mortgaged property from the relevant sub-registry office in time;
6.23.90 Disbursing loans/allowing drawings without properly executing documents/insurance etc. as per the sanction letter and without properly creating a charge/establishing control over the security in favour of the Bank;
6.23.91 Allowing drawings after expiry in CC (pledge) and CC (hypo) loans;
6.23.92 Not preparing a check list as per the DCFCL and keeping it in the loan file;
6.23.93 Not publishing a newspaper notice regarding the mortgaged property where applicable;
6.23.94 For Tk 50 lakh and where applicable, the legal opinion on the mortgaged property and the mortgage deed/irrevocable general power of attorney and other documents not vetted by the Law Division of Head Office;
6.23.95 Branch not maintaining a due-date diary for lawsuits;
6.23.96 Not obtaining the valuation certificate of the mortgaged property;
6.23.97 No branch officer being a witness to the mortgage deed;
6.23.98 Not obtaining an insurance policy covering all risks as per the sanction letter; in many cases only the money receipt and cover note are obtained, but not the policy;
6.23.99 Mortgage deed not bearing the signature of an enlisted lawyer;
6.23.100 Receipts for deeds not discharged by the executant of the deed;
6.23.101 Borrower's equity not used correctly;
6.23.102 Not obtaining an up-to-date CIB report where applicable (no more than 60 days old).
6.23.103 Transferring interest to income without classifying loan accounts that qualify as SMA/classified; also irregularly transferring amounts from the interest suspense account to income in violation of Head Office/Bangladesh Bank instructions;
6.23.104 Not obtaining photographs of the mortgaged property/structures;
6.23.105 Disbursing loans against FDR/APS/ABS/MIS/MDS etc. without keeping the proper margin, and not marking the lien in the ledger/register, or not marking the lien when the page is changed;
6.23.106 Not completing charge documents correctly and not affixing proper stamps; not verifying signatures;
6.23.107 Disbursing loans without properly reviewing the lawyer's opinion on defects in ownership of the collateral security;
6.23.108 Granting/disbursing loans without obtaining the sequential deeds and porchas, i.e. chain documents, of the collateral security;
6.23.109 Reporting without verifying whether the loan ledgers have been properly balanced;
6.23.110 Secret transfer of the deeds of mortgaged property/part of the property; loss of mortgaged property as a result of the indifference of the responsible branch officers/staff regarding its possession.
6.23.111 Disbursing loans in excess of budget.
6.23.112 Not recovering the loan processing fee.

6.24 Serious Lapses (SL):

Serious lapses (SL) are those irregularities as a result of which serious loss to the Bank has already occurred or may occur very soon. In a branch where SL-category irregularities are found, there is a likelihood of serious loss to the Bank if the necessary action is not taken urgently, and urgent action is therefore essential. Chiefly, the following are classified as serious lapses (SL):

(a) irregularities that have resulted in fraud and forgery;
(b) irregularities as a consequence of which there is a high likelihood of the Bank suffering loss in the near future; and
(c) irregularities for which urgent administrative action by the higher authority is required.

(I) Serious lapses relating to general banking (based on Asset Liability Risk, Money Laundering Risk and Internal Control & Compliance Risk): causing financial loss to the Bank through any kind of forgery/fraud/irregularity. For example:

6.24.1 Removing branch cash from the counter/vault, or holding cheques/vouchers as part of branch cash at the end of the working day without debiting the relevant account;
6.24.2 Fraudulently opening an account with a fictitious name and address and granting a loan in that account;
6.24.3 Misappropriating money by keeping fewer notes in cash bundles;
6.24.4 Receiving a customer's cash and misappropriating it without recording it in the branch cash receipt book and the customer's account;
6.24.5 Misappropriating cash deposited by a customer by crediting it to another account through striking out/erasure/overwriting in the branch cash receipt book;
6.24.6 Misappropriation by showing a false cash remittance from one branch to another branch/bank; misappropriation by bringing cash from the feeding branch and not depositing it at the branch; temporary misappropriation by bringing cash from the feeding branch and not responding to the related IBCA/MOCA for several days;
6.24.7 Misappropriating money received for electricity, water, telephone, gas bills etc. by not crediting it to the relevant account and sending false statements; also temporary misappropriation by pocketing money deposited for such bills instead of crediting it to the relevant account the same day, and depositing it later;
6.24.8 Misappropriating money by making false debits to the inter-branch, Sonali Bank Ltd./Bangladesh Bank accounts and false credits to any account;
6.24.9 Illegally misappropriating the Bank's money by issuing payment orders, security receipts, DDs, TTs etc. without receiving proper value;
6.24.10 Fraudulently withdrawing money from a customer's account by forging the customer's signature/using a duplicate cheque; misappropriating money from a customer's account through forgery by issuing/obtaining a cheque book on another form (B-form) instead of the requisition form of the cheque book in use, or misappropriating money through illegal withdrawal after showing a false deposit in the customer's account;
6.24.11 Illegally withdrawing money from an account by replacing/removing the AOF and SS card;
6.24.12 Illegal withdrawal from an account by altering the original amount of a cheque;
6.24.13 Misappropriating money by showing payment more than once against internal food procurement and jute purchase bills or any similar bill;
6.24.14 Misappropriating money by showing payment against fake and forged DDs, TTs, MTs etc., or forgery occurring as a result of paying DDs/TTs etc. without following standing instructions and established practice;
6.24.15 Illegally withdrawing money by unlawfully altering the balance when carrying the balance forward (B/F) in the ledger;
6.24.16 Paying money by showing a false credit in an account, and paying the value of a cheque without debiting the relevant account;
6.24.17 Fictitious fund transfers through transfer vouchers;
6.24.18 False balancing of ledgers and various account heads;
6.24.19 Allowing withdrawals from accounts in excess of the credit balance.
6.24.20 False compliance with internal/Bangladesh Bank/commercial/external audit reports.
6.24.21 Misappropriating money by showing cheque payments through false entries in registers/financial statements;
6.24.22 When collecting in cash cheques, pay orders, pay slips, SRs etc. of other banks in areas outside the clearing house, temporarily misappropriating the cash by not immediately crediting it to the relevant account, or permanently misappropriating it by crediting it to another account; not maintaining any related account, i.e. not passing lodgement vouchers;
6.24.23 Misappropriating money by removing previously paid cheques, DDs, FDDs, pay orders, pay slips, SRs etc. whose cash payment/transfer seal bears no date and fraudulently paying them again; likewise, misappropriation by fraudulently re-paying previously paid instruments that lack an officer's cancellation or a cash payment/transfer seal;
6.24.24 Misappropriating money by receiving a customer's cash without entering it in the branch cash receipt book, making a false entry of the same amount in the customer's account without a voucher, and showing that false entry as adjusted through a transfer voucher;

6.24.25 Misappropriating cash by altering the cash position through erasure/overwriting/striking out;
6.24.26 Removing cash from the safe by making duplicate keys;
6.24.27 Temporary misappropriation by withdrawing cash from the suspense account or sundry debtors (others) head without reasonable cause and adjusting it later, or permanent misappropriation by showing adjustment against another account;
6.24.28 Causing financial loss to the Bank through gross negligence in complying with instructions issued by the authority/the Bank's established rules, etc.;
6.24.29 Debiting various heads/accounts of the Bank and transferring money to other heads/accounts with the intention of misappropriation;
6.24.30 A loan has been granted against an APS/DPS account but the balance of those accounts is paid out without adjusting the loan balance.

(II) Serious lapses relating to credit (based on Credit Risk), for example:

6.24.31 Granting loans without sanction; sanctioning loans beyond delegated authority; disbursing a loan through a third person without a letter of authority instead of to the actual borrower; granting loans in the name of a minor/deceased person; obtaining and granting loans while concealing earlier unrecovered loans or important information; granting loans under pledge without storing the goods in the godown; accepting seriously defective security; and issuing false certificates about the use of the loan, etc.;
6.24.32 Misappropriating money through unauthorised and fictitious loan disbursements;
6.24.33 Granting financial accommodation without storing pledged goods in the godown as per the sanction letter (while showing them as stored), by accepting goods of short weight/quantity and inferior quality into the godown; unauthorised delivery of pledged/LIM goods; not establishing the Bank's control over pledged/LIM goods; and shortage of goods in the godown;
6.24.34 A loan becoming time-barred as a result of not taking correct, timely and proper steps under the rules in loan management;
6.24.35 Granting fictitious/benami illegal loans, and the borrower's business not existing at the time of disbursement;
6.24.36 Issuing bank guarantees in an unauthorised/irregular manner;
6.24.37 Helping the borrower obtain additional credit by over-valuing security/collateral in violation of the prevailing rules;

6.24.38 Not properly obtaining the deeds of mortgaged property (especially the original deed) against loans, not preserving them correctly at the branch, and not entering them in the safe-in/safe-out register;
6.24.39 Disbursing loans without confirming the possessory title of the mortgaged property or whether it is government-acquired/vested property;
6.24.40 Schedule/land area of the mortgaged property in the mortgage deed/general power of attorney not matching the sanction letter;
6.24.41 A suit filed to recover loan dues being dismissed by the court because of the Bank's negligence; dismissal by the court because the original suit/execution suit was not filed within the time specified under the Artha Rin Adalat Ain (Money Loan Court Act), 2003;
6.24.42 Sanctioning and disbursing loans without confirming whether the collateral and mortgaged property has previously been transferred/encumbered to another person/institution;
6.24.43 In CC Hypo, OD Hypo etc., misappropriating money through forgery by marking a cheque as posted without actually posting it to the relevant loan/OD account;
6.24.44 Misappropriating money by fraudulently showing disbursement in excess of the sanctioned loan;
6.24.45 Paying the value of security held under lien to the borrower without adjusting the loan, or returning the lien-marked security to the borrower;
6.24.46 Not executing the mortgage deed;
6.24.47 Paying amounts in excess of the limit against a loan;
6.24.48 Not obtaining the original deed of the mortgaged property.

(III) Serious lapses relating to foreign trade and foreign exchange (based on foreign exchange risk), for example:
6.24.49 Opening an L/C beyond the delegated limit without approval;
6.24.50 Handing over the customs-purpose copy of the LCA form/bill of lading/truck receipt/air freight receipt/railway receipt etc. to the importer without recovering the related bill amount, or, where applicable, allowing release of goods through a guarantee without recovering the bill amount;
6.24.51 Illegally misappropriating money from L/C, L/G etc. margin accounts through transactions on fictitious vouchers;
6.24.52 When paying the value of foreign bills, misappropriating money by debiting the International Division of Head Office at an unauthorised inflated exchange rate and showing the credit under another head;
6.24.53 Opening a back-to-back L/C without properly verifying whether the importer holds a valid bonded warehouse licence and whether its capacity is consistent, and whether, given the factory's production capacity, the validity of the export L/C and the terms of the L/C, the export can be completed within the stipulated time;
6.24.54 Misappropriating money through fictitious IBPs;
6.24.55 Misappropriating money by not crediting income recovered on foreign transactions in full to income and crediting it to another account instead;
6.24.56 Paying excess cash to the exporter against export bills, even after the related export has been made, while leaving PC liabilities and other overdue liabilities/liabilities specified in the sanction letter unadjusted and without paying the import bill value;
6.24.57 Granting illegal financial benefit to the exporter by showing purchase of fictitious/defective export bills.
6.24.58 Opening fresh back-to-back L/Cs without Head Office approval despite outstanding demand loan liabilities/irregular liabilities;
6.24.59 Granting illegal financial benefit from the Bank by giving acceptance on bills in collusion with the importer/supplier, without verifying supply of the goods/their arrival at the factory against a local back-to-back L/C;
6.24.60 For exports, purchasing export bills/sending them for collection without approval of the higher authority although the bill of lading/air freight receipt was presented late, and granting further financial benefit to the exporter by showing that bill as under collection;
6.24.61 Not taking steps to bring back the goods, after verifying the condition and location of the exported goods, when an export bill purchased/sent for collection is returned to the branch or its value is not received for a long time;
6.24.62 Irregularities in creating LIM, and LIM goods not being stored properly in the godown;
6.24.63 Allowing release of goods through an indemnity bond without authorisation;
6.24.64 Giving acceptance against discrepant documents without scrutinising the import documents;
6.24.65 Any financial loss caused to the Bank by transactions carried out in disregard of foreign exchange regulations;
6.24.66 Foreign remittance transactions carried out in breach of the rules;
6.24.67 Financial loss to the Bank, or a likelihood of loss being observed, arising from any work performed at Head Office divisions/circle offices/zonal offices/subsidiaries/Islamic windows or at branch level in disregard of the prevailing rules/circulars of the regulatory authority and of this Bank;


Information Technology (IT) Audit Manual


7.0 Information Technology (IT) Audit


7.1 An information technology audit, or information systems audit, is an examination
of the management controls within an information technology (IT) infrastructure.
The evaluation of obtained evidence determines if the information systems are
safeguarding assets, maintaining data integrity, and operating effectively to
achieve the organization's goals or objectives. These reviews may be performed in
conjunction with a financial statement audit, internal audit, or other form of
attestation engagement.

7.2 IT audits are also known as "automated data processing audits" and "computer
audits". They were formerly called "electronic data processing audits", and high
level ‘system audit’.

7.3 Purpose/ Objectives of IT Audit

7.3.1 The primary functions of an IT audit are to evaluate the systems that are in
place to guard an organization's information. Specifically, information
technology audits are used to evaluate the organization's ability to protect
its information assets and to properly dispense information to authorized
parties.

7.3.2 The IT audit aims to evaluate the following:

• Will the organization's computer systems be available for the business at all times when required? (known as availability)
• Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
• Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)

In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.

7.4 Types of IT Audits


7.4.1 Others describe the spectrum of IT audits with five categories of audits:
a) Systems and Applications
b) Information Processing Facilities
c) Systems Development
d) Management of IT and
e) Enterprise Architecture: Client/Server, Telecommunications, Intranets, and Extranets

7.4.2 Moreover, some lump all IT audits as being one of only two types: "general
control review" audits or "application control review" audits.

7.5 Elements of IT Audit Strategy

16 https://www.isaca.org/Journal/archives/2016/volume-4/Pages/elements-of-an-is-it-audit-strategy-part-1.aspx?utm_referrer=

7.6 IT Audit process

17

7.6.1 Area of IT Audit

(1) Assign 2 officers (under off-site supervision) to investigate how secure the T-24 system is, whether anyone is attempting to gain entry to the system by any other means, and whether the data held on the servers is free from risk. If the system and the data held on the servers are at risk of attack by any internal/external hacker/penetrator, or the Bank is at risk of cyber attack for any other reason, inform the authority and give the necessary advice on putting appropriate safeguards in place;
(2) Officers assigned to the Cyber Audit Cell established within the Bank's Internal Control and Compliance (ICC) are to continue regular study/research on the risk of hackers/penetrators in the T-24 system, grade the Bank in light of the overall risk of the system (after preparing a grading questionnaire), review the Bank's grading every quarter on the basis of updated information, and submit a report on it to the General Manager and Head of ICC for presentation to the Audit Committee;
(3) Identify the fields required to customise an integrated system audit software for conducting a full system audit of the T-24 system, examine its feasibility by contacting the vendor company concerned through the proper authority, and prepare an outline for it;
(4) Investigate, from an audit perspective, the current usage-related defects/weaknesses of the T-24 system, and take the necessary steps to have them amended by contacting the vendor company concerned through the IT and MIS Division;
(5) Whether the T-24/SWIFT user ID register is properly used at the branch. Whether the number of active users at the branch equals the total number of users in the user ID register. Whether the ID (T-24/SWIFT) of an officer previously transferred to another branch is still kept active and is being used by another officer of the branch. Whether each officer's user ID and password (T-24/SWIFT) are used confidentially. Whether an officer is using another officer's user ID and password (T-24/SWIFT) to carry out both posting and authorisation. Whether computers used for the T-24/SWIFT system are also being used for general internet purposes. In addition to these, if in the auditor's judgment any other security risk exists in the branch's use of the T-24/SWIFT system, arrange for immediate correction during the system audit and, if immediate correction is not possible, raise it as an objection in the report;

(6) Verify whether all officers holding a user ID at the branch are trained in T-24 system operation. If not, send the list of untrained officers to the IT and MIS Division at Head Office for training.

17 https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=698

To verify whether the Bank's income is being properly recovered in the T-24 system:

(7) Verify whether charges/interest/fees/commission/advance tax/VAT have been properly recovered at the applicable rates on all transactions for which recovery is instructed during the period under audit (both where the balance is outstanding and where it has been adjusted). For example, if a cash-deferred basis L/C was opened in a customer's account at the branch during the period under audit and the liability created against it has already been adjusted, it must be confirmed that acceptance commission at the applicable rate was recovered on that adjusted L/C; likewise, for loan accounts on which a loan processing fee is recoverable, even where the loan has been adjusted it must be confirmed that the loan processing fee was recovered before adjustment;
(8) Verify whether, in any type of transaction, interest/charges/fees/commission/advance tax/VAT have been or are being recovered at less than the rate applicable under Head Office instructions by means of manual amendment;
(9) Confirm that the interest rates of all types of loan accounts maintained at the branch (including staff loans) are correct in the system as per the latest instructions. Note that at one branch the interest rate on a staff house-building loan account had previously been set to 0% through manual amendment;
(10) For branches that, although the product is live, recover charges/interest/fees/commission/advance tax/VAT etc. by passing vouchers manually rather than directly in the T-24 system, investigate the reason for manual recovery, include it in the audit objections and inform the IT and MIS Division;

To confirm that the Bank's assets and liabilities are safeguarded in the T-24 system:
(11) Verify whether amounts are being transferred from the branch's provision heads (e.g. money held for interest on FDRs, savings deposits and other types) to the account of any person/institution for the purpose of misappropriation, and report it if so;
(12) Verify whether suspicious transactions are taking place from any customer's account at the branch to an account held in the name of an executive/officer working at that branch or of any other customer, and include it in the report if so;
(13) Confirm that all income tax deducted in advance and VAT collected in the T-24 system is being deposited with Head Office/the government treasury;


(14) If Total Asset/Total Contingent Asset and Total Liability/Total Contingent Liability in the branch's Statement of Affairs in the T-24 system do not agree, investigate the cause and arrange for immediate correction or, if immediate correction is not possible, raise it as an objection in the report;
(15) Investigate whether accounts under every head are posted to their respective codes as per the Bank's Chart of Accounts in the T-24 system, whether there is any cross match between account heads and codes, and whether any manual posting is made because of such cross matching; if so, arrange for immediate correction or, if immediate correction is not possible, raise it as an objection in the report;
(16) For liabilities created under the branch's contingent liability head that are automatically reversed by the system after a set period, verify whether the Bank has suffered financial loss because of the reversal. For example, when a cash-basis L/C is opened at the branch, a contingent liability is created in the customer's account on the opening date and the margin amount at the applicable rate is transferred from the customer's account to the branch's margin account. If no goods are imported against that L/C within the stipulated validity and the outstanding liability is not transferred from the L/C head to another head, then on expiry the system reverses the liability and the margin amount is transferred to the customer's account, through which the Bank may suffer financial loss;
(17) Verify whether the opening/closing figures of the branch's printed supplementary differ from the balances held in the T24 system; verify whether the branch's CNG software balance is the same as the balance in the Statement of Affairs of the T24 system;
(18) Whether the transfer figure in the branch's T24 system and the manual transfer figure are the same; if not, find out the cause of the discrepancy;
(19) Verify whether the branch properly follows the instructions/circulars issued from time to time by the IT and MIS Division regarding T24 system operation, and whether vouchers are properly prepared and checked as per the IT and MIS Division's instructions;
(20) Verify whether the number and balance of the branch's daily transfer transactions are the same as the number and balance of transfer transactions after COB; and
(21) Verify whether the balances of heads paid from the branch's suspense account (army pension, civil pension, savings certificates, sundry debtors, foreign remittance etc.) are regularly balanced and reconciled with the balances held in the T24 system; where any discrepancy in balance is observed, investigate its actual cause; where necessary, help the branch determine the next steps in consultation with the IT and MIS Division; etc.
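The user ID checks in item (5) above can be run as a reconciliation over the branch's user ID register, the list of IDs active in the system and the transaction log. The following Python code is an added example, not part of the Bank's manual; the record layouts, field names and sample values are constructed assumptions and do not represent a T-24 or SWIFT export format.

```python
from datetime import date, datetime, timedelta

# Constructed sample data. Field names and layouts are assumptions made for
# this example; they are not a T-24 or SWIFT export format.
REGISTER = [  # branch user ID register: one row per ID ever issued
    {"user_id": "BR01.KARIM", "transferred_on": None},
    {"user_id": "BR01.SALMA", "transferred_on": None},
    {"user_id": "BR01.RAHIM", "transferred_on": date(2022, 1, 10)},
]
SYSTEM_ACTIVE = {"BR01.KARIM", "BR01.SALMA", "BR01.RAHIM", "BR01.TEMP1"}


def _txn(txn_id, inputter, in_term, in_time, authoriser, au_term, au_time):
    """Build one constructed transaction record dated 2022-02-01."""
    day = "2022-02-01 "
    return {"txn_id": txn_id,
            "inputter": inputter, "input_terminal": in_term,
            "input_time": datetime.fromisoformat(day + in_time),
            "authoriser": authoriser, "auth_terminal": au_term,
            "auth_time": datetime.fromisoformat(day + au_time)}


TRANSACTIONS = [
    _txn("T1", "BR01.KARIM", "PC-02", "10:00", "BR01.SALMA", "PC-05", "10:20"),
    _txn("T2", "BR01.KARIM", "PC-02", "10:30", "BR01.KARIM", "PC-02", "10:31"),
    _txn("T3", "BR01.SALMA", "PC-03", "11:00", "BR01.RAHIM", "PC-03", "11:02"),
    _txn("T4", "BR01.TEMP1", "PC-04", "11:30", "BR01.SALMA", "PC-05", "11:50"),
]


def reconcile_users(register, system_active):
    """Compare IDs active in the system with the user ID register."""
    registered = {r["user_id"] for r in register}
    current = {r["user_id"] for r in register if r["transferred_on"] is None}
    return {
        # IDs that exist in the system but were never entered in the register
        "active_not_in_register": sorted(system_active - registered),
        # officers still at the branch whose ID is not active in the system
        "registered_not_active": sorted(current - system_active),
        # IDs of officers transferred out that were never disabled
        "transferred_still_active": sorted(
            r["user_id"] for r in register
            if r["transferred_on"] and r["user_id"] in system_active),
        "counts_match": len(system_active) == len(current),
    }


def use_after_transfer(register, transactions):
    """Find transactions keyed or authorised with a transferred officer's ID."""
    transferred = {r["user_id"]: r["transferred_on"]
                   for r in register if r["transferred_on"]}
    hits = []
    for t in transactions:
        for role, when in (("inputter", t["input_time"]),
                           ("authoriser", t["auth_time"])):
            uid = t[role]
            if uid in transferred and when.date() > transferred[uid]:
                hits.append((t["txn_id"], role, uid))
    return hits


def maker_checker_findings(transactions, window=timedelta(minutes=5)):
    """Flag posting and authorisation that were not done by two people."""
    findings = []
    for t in transactions:
        if t["inputter"] == t["authoriser"]:
            findings.append((t["txn_id"], "same ID posted and authorised"))
        elif (t["input_terminal"] == t["auth_terminal"]
              and t["auth_time"] - t["input_time"] <= window):
            # Two IDs on one terminal within minutes is a lead for the
            # auditor to follow up (possible shared password), not proof.
            findings.append((t["txn_id"], "two IDs on one terminal"))
    return findings


if __name__ == "__main__":
    print(reconcile_users(REGISTER, SYSTEM_ACTIVE))
    print(use_after_transfer(REGISTER, TRANSACTIONS))
    print(maker_checker_findings(TRANSACTIONS))
```

Findings from the last function are leads for interview and follow-up at the branch; the five-minute window is an arbitrary value chosen for the sample data.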

7.6.2 The following are basic steps in performing the Information Technology
Audit Process
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up
6. Reports

7.7 The Scope of the IT General Controls Audit Includes:

7.7.1 IT General Controls
Evaluating the existence and effectiveness of internal controls in place over the
Information Security Program and related information technology processes as they
relate to the security, confidentiality, and integrity of sensitive customer information.
• Access Controls – Core Processing System
• Access Controls – LAN/WAN
• Data Classification/Handling and Encryption
• Patch/Update Management
• Malware Protection
• Physical and Environmental Security – Data Center
• Mobile Security
• Project Management/System Change Management
• Intrusion Prevention & Managed Network Device Administration
• Remote Access
• Remote Deposit Capture
• Backup and Tape Management
• Disaster Recovery and Business Continuity Management
• Websites
• Online Banking & Bill Payment
• Phone Banking
• ACH/Wire Transfer Security
• Access Controls – Branch Capture/Imaging System
• Identity Theft Prevention
7.7.2 The Scope of the Information Security Program Audit Includes:
• Information Security Program
• Information Technology Risk Assessment
• Information technology administration/strategic planning
• Information security training and awareness
• Information technology audit/independent review program
• Vendor Management/Service Provider Oversight
• Incident Response Program
7.7.3 Additional control areas can be added to the scope of the audit.
7.8 IT Audit Role:

7.8.2 The Information Security Officer, system auditor or any other concerned
person undertakes periodic penetration tests of the system, which may
include:
a) Attempting to guess passwords using password-cracking tools.
b) Searching for backdoor traps in the programs.
c) Attempting to overload the system using DDoS (Distributed Denial
of Service) & DoS (Denial of Service) attacks.
d) Checking whether commonly known holes in the software, especially the
browser and the e-mail software, exist.
e) Checking the weakness of the infrastructure.
f) Taking control of ports.
g) Causing an application crash.
h) Injecting malicious codes to application and database servers.
7.8.3 Advising the Audit Committee and senior management on IT internal
control (General Control & Application Control) issues

The IT Auditor evaluates the use of ICT in banking activities, identifies its
importance and associated problems, and reports all of these to the Audit
Committee and Senior Management.

7.8.4 Performing IT Risk Assessments


7.8.4.1 The process of identifying the risk to system security and determining
the probability of occurrence, the resulting impact and additional
safeguards that would mitigate the risks.
7.8.4.2 Auditor's Tasks -
The IT Auditor will find out -
7.8.4.2.1 Are there appropriate risk mitigation measures, like an
operating schedule for the users, transaction limit,
transaction frequency limit, fraud checks, AML checks, etc.,
depending on the risk perception, unless otherwise
mandated by the Bangladesh Bank?
7.8.4.2.2 Does the Bank establish a process to log information
system related problems and incidents, and also ensure a real-
time security log for unauthorized access?
7.8.4.2.3 Is there any system to monitor all types of account holders,
especially internal ones? [IT Risk Assessment details are in
Annexure – 8]
7.9 Performing:
1. Institutional Risk Area Audits
2. General Controls Audits
3. Application Controls Audits
4. Technical IT Controls Audits

7.9.2 Institutional Risk Area Audits:

The risk areas of the branches are to be audited. Risk areas are Credit
Risk, Market Risk, Liquidity Risk, Operational Risk & Group
Risk, Management Risk and Compliance Risk.

7.9.3 General Control Audits:

It may include –
7.9.3.1 Physical Security –
The objective is to prevent unauthorized access to and damage of information
assets and to protect them. This can be achieved by creating several physical
barriers around business premises. Physical barriers cover physical
access, environment, fire protection, UPS, etc.
- Definition of security perimeters, locating facilities,
- To minimize traffic across perimeters,
- Alarmed fire doors,
- Physical barriers that penetrate false floors/ceilings,
entrance controls,
- Visible identification,
- Responsibility to challenge unescorted strangers,
- Location of backup equipment at a safe distance,
- Prohibition of recording equipment,
- Redundant power supplies,
- Access to cabling, authorization procedures, removal of
property, clear desk/screen policy, etc.

7.9.3.2 Business Continuity Plan:

Business continuity describes the processes and procedures
an organization must put in place to ensure that -
- Mission-critical functions can continue during and after
a disaster. In this sense, the concept is interchangeable
with a disaster recovery plan (DRP).
- Business continuity, however, also addresses more
comprehensive planning that focuses on long-term or
chronic challenges to organizational success.
7.9.3.3 Potential business continuity problems may include the -
- Illness or departure of key team members,
- Supply chain breakdowns,
- Catastrophic failures or critical malware infections.
- Business continuity planning should be a corporate-wide
strategy.
- Business continuity planners should assess business
continuity across all lines of business.
- The business continuity function often resides in the risk
management organizational structure.
- The IT department should have personnel responsible for
developing and maintaining the department's business
continuity plans. Planning includes data backups,
restore procedures and offsite storage.

7.9.4 Disaster Recovery Plan:

- An IT disaster recovery plan is a structured approach for responding to
unplanned incidents that threaten an IT infrastructure, which
includes hardware, software, networks, processes and people.
- IT disaster recovery plans provide step-by-step procedures for
recovering disrupted systems and networks, and help them resume
normal operations.
- The goal of this process is to minimize any negative impacts on
company operations.
- The primary objective of disaster recovery planning is to protect
the organization in the event that all or part of its operations and/or
computer services is rendered unusable.
- Approaches are Business Resumption Plans, BRP testing, and
alternate processing.
7.10 Change Management –
An effective change management discipline is arguably the most critical
requirement of a successful IT organization. Change management is -
- A set of standardized processes designed to administer all changes to
the IT production environment.
- The ultimate goal of this discipline is to minimize the impact of change-
related incidents on IT service levels.
- Ensuring this goal is achieved can help lower the total cost of IT while
increasing the value of IT to the organization.
- It covers how changes are made to information system applications and
supporting infrastructures: program change controls, tracking and change
approvals.
7.11 Auditor's checking –
According to the prescribed checklist (Annexure – 8), the Auditor will perform the audit for
the above relevant controls/factors.
7.12 Application Audit:
- Administration
- Inputs, processing, outputs
- Logical Security
- Disaster Recovery plan
- Change Management
- User Support
- Third party Services


7.13 Administration
The IT Auditor will find out
whether -
- There is a duty list for the applicators.
- Roles and responsibilities are set for the applicators.
- Permission is taken from the Authority for any development of or
change to the running system, and for any changed system that is installed.
- Access authorizations are taken for the applicators.
- Legal and regulatory compliance is properly carried out.
7.14 Inputs, Processing, Outputs

Looking for evidence of data preparation, procedures, reconciliation, process
handling requirements, etc.
7.15 Run test transactions against the application -
7.15.2 Integrated test facilities (ITF), also known as dummy companies,
include records of the dummy entities in audit production files.
7.15.3 The IS Auditor can make the system process either live transactions or
test transactions during regular processing runs and have these
transactions update the records of the dummy entity. The operator enters
the test transactions simultaneously with the live transactions that are
entered for processing. The auditor then compares the output with
the data that have been independently calculated previously to verify the
correctness of the computer-processed data.
7.16 Includes- can enter input and see output-
Input Controls –
7.16.2 Data entry controls
These controls are related to the input screens of the data entry
operators. The basic premise of these controls is that the data entry
personnel or over-the-counter front-end executives can be trained
only to a limit. This is because of fast-changing processes, higher manpower
turnover and outsourcing of data entry. Therefore system managers
have to take the onus of making the system "idiot resistant", if not "idiot
proof".


7.16.3 System Edits

7.16.3.1 It is important to have a basic understanding of how the
software processes a screen. The first order of business for the
software is to process the data entered and apply the edits that
are appropriate. Until this first requirement is satisfied, the
program will not let you go to any other program.

7.16.3.2 Edits in the on-line data entry process provide control over the
entry and maintenance of the information on the CIS database.
All data entering the CIS database must be validated to ensure
the edits serve the following functions:
- Maintain data integrity
- Prevent entry of illogical data
- Ensure adherence to regulations
- Control benefit disbursement
- Provide quality reports
Edits may be -
- Move one, multiple, or all files from one folder to
another
- Delete one, multiple, or all files from a folder
- You can choose to send to the recycle bin or delete
permanently
- View all programs on the machine and uninstall a
program.
- View all files in a folder and delete, rename, or open a
file
- Run a Windows Run command inside the application
- Explore your file system using the folder map and open
a specific folder.


7.16.4 Segregation of duties –

- Ensure that no single person can abuse authority without detection.
- Separation of duties is a classic security method to manage
conflict of interest, the appearance of conflict of interest, and
fraud. It restricts the amount of power held by any one
individual. It puts a barrier in place to prevent fraud that may
be perpetrated by one individual. Fraud will still occur if
there is collusion. To be certain that you have identified all
separation of duties issues, you will first need to create an
information flow diagram for every function within each area
of the organization.
7.16.5 Transaction authorization
Authorization controls involve the process of granting or denying
access to a network resource, converting the data to an automated
form, and entering the data into the application in an accurate,
complete, and timely manner. Testing of authorization controls
includes examining the data input process and determining if
controls exist for ensuring:
- Data are authorized prior to being entered;
- Access restrictions exist to prevent unauthorized personnel
from obtaining blank source documents to record
unauthorized information and insert the document into
production with authorized documents;
- Supervisory or independent reviews of the source document
occur before its data is entered into the automated system;
- Data entry terminals are only accessible to authorized users
for authorized purposes;
- Users are limited to what transactions they can enter;
- Master files are configured to assist with identifying
unauthorized transactions;
- Exception reports are generated and reviewed before
transactions are posted; and
- Duties are appropriately segregated among staff.

7.16.6 Auditor's checking for input control –

Whether -
- Only an allowed inputter can input data.
- Supervisory or independent reviews of the source document
occur before its data is entered into the automated system;
- Data entry terminals are only accessible to authorized users for
authorized purposes;
- Users are limited to what transactions they can enter;
- Data are authorized prior to being entered;
- The data entered are processed first and the appropriate edits are applied.
- There is an information flow diagram for every function within each area
of the organization.
- Access restrictions exist to prevent unauthorized personnel
from obtaining blank source documents to record unauthorized
information and insert the document into production with
authorized documents;
- Master files are configured to assist with identifying
unauthorized transactions;
- Exception reports are generated and reviewed before
transactions are posted;
- Only the system analyst (vendor), with the approval of the authority, is
given responsibility for any change in the systems used to process
the data entered and apply the appropriate edits. The system analyst
must be escorted while performing this function.
- There is a duty list according to which the inputter/data entry
operator is working. Duties are appropriately segregated
among staff. There is an information flow diagram for every function
within each area of the organization.
- Transactions are checked & authenticated by the authorizer.
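
The transaction authorization checks in 7.16.5 and 7.16.6, run as a pre-posting exception report over a batch of entered transactions. This is an added illustration, not part of the Bank's policy or of any banking system; the user IDs, transaction types, entitlement table and sample batch are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed entitlement data (hypothetical names): which transaction types
# each inputter may enter, and which users hold authorization rights.
ENTRY_RIGHTS = {
    "teller01": {"CASH_DEPOSIT", "CASH_WITHDRAWAL"},
    "teller02": {"CASH_DEPOSIT", "CASH_WITHDRAWAL", "FUND_TRANSFER"},
    "officer01": {"FUND_TRANSFER", "LOAN_DISBURSEMENT"},
}
AUTHORIZERS = {"officer01", "manager01"}

UNKNOWN_USER = "entered by a user with no entry rights"
TYPE_NOT_ALLOWED = "transaction type not permitted for this inputter"
NOT_AUTHORIZED = "not authorized before posting"
BAD_AUTHORIZER = "authorizer holds no authorization right"
SAME_PERSON = "inputter and authorizer are the same person"


@dataclass
class Txn:
    ref: str
    txn_type: str
    amount: int
    entered_by: str
    authorized_by: Optional[str]  # None means nobody has authorized it yet


# Constructed sample batch: one clean transaction and four that break a control.
SAMPLE_BATCH = [
    Txn("T001", "CASH_DEPOSIT", 5000, "teller01", "officer01"),
    Txn("T002", "FUND_TRANSFER", 250000, "teller01", "manager01"),
    Txn("T003", "FUND_TRANSFER", 90000, "officer01", "officer01"),
    Txn("T004", "CASH_WITHDRAWAL", 1200, "teller02", None),
    Txn("T005", "LOAN_DISBURSEMENT", 1000000, "ghost", "teller02"),
]


def exception_report(batch):
    """Return (ref, reason) pairs for every control a transaction breaks."""
    exceptions = []
    for t in batch:
        # Users are limited to the transactions they may enter.
        allowed = ENTRY_RIGHTS.get(t.entered_by)
        if allowed is None:
            exceptions.append((t.ref, UNKNOWN_USER))
        elif t.txn_type not in allowed:
            exceptions.append((t.ref, TYPE_NOT_ALLOWED))
        # Data are authorized, by someone entitled to, and by a second person.
        if t.authorized_by is None:
            exceptions.append((t.ref, NOT_AUTHORIZED))
        elif t.authorized_by not in AUTHORIZERS:
            exceptions.append((t.ref, BAD_AUTHORIZER))
        elif t.authorized_by == t.entered_by:
            exceptions.append((t.ref, SAME_PERSON))
    return exceptions


def postable(batch):
    """References that may be posted: those with no entry in the report."""
    blocked = {ref for ref, _ in exception_report(batch)}
    return [t.ref for t in batch if t.ref not in blocked]


if __name__ == "__main__":
    for ref, reason in exception_report(SAMPLE_BATCH):
        print(f"{ref}: {reason}")
    print("postable:", postable(SAMPLE_BATCH))
```

An auditor can run the same logic over an exported day's transactions and compare the result with the exception reports the branch actually reviewed before posting.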

7.17 Processing controls -

7.17.2 Audit Trails –
- An audit trail is a series of records of computer events about an
operating system, an application, or user activities.
- It assists in detecting security violations, performance problems, and
flaws in applications.
- Audit trails help auditors to obtain the activity on a computer system and
also help system administrators ensure that the system resources have
not been attacked by hackers, insiders, or technical problems.
- What activities are logged, and how log files are protected from
manipulation.

7.17.3 Interface controls


An ICD (Interface Control Document) may describe:
- the inputs and outputs of a single system,
- the interface between two systems or subsystems,
- the complete interface protocol from the lowest physical
elements (e.g., the mating plugs, the electrical signal voltage
levels) to the highest logical levels (e.g., the level 7 application
layer of the ISO model), or some subset thereof.
The purpose of the ICD is to communicate all possible inputs to and
all potential outputs from a system for some potential or actual user of
the system. The internal interfaces of a system or subsystems are
typically not documented in an ICD, but rather in a system design
document (such as a software design document).

7.17.4 Control totals


7.17.4.1 Definition
- A control total is a figure calculated by the system, adding the
values in one of the fields in a segment. This field is called the
Control totals key figure field. It must be a numeric type field.
For example, if the control totals key figure field is Local Currency
Amount in an FI line item segment, then the system adds up all
values in the Local Currency Amount field, and that is the control
total.
7.17.4.2 Use
- You use control totals to verify the integrity of the contents of
the data that has been extracted.
- You must be familiar with the data in your R/3 applications to
use the control totals figure calculated for the first extract. You
compare this control total figure with a figure you calculate or
estimate manually, or by using other means


- You can use the control totals figures of two extracts that are
based on the same segments to verify that the data has not
changed since the last extract.
- By default, the system calculates the control totals figure based
on all the values in the Control totals key figure field.
- Sometimes adding all the values in a single field does not
provide you with sufficient information. For example, if the
control totals key figure field is an Amount field in a line item
of a document, and it contains debit and credit amounts, then
the resulting control totals figure may be zero. This is a positive
indication that the credit amounts are equal to the debit
amounts. However, this does not provide you with the actual
sum of the debits or credits.
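
A worked illustration of the points above: the default control total, the case where it nets to zero, and the comparison of two extracts. This is an added example, not code from the policy or from any product it refers to; the record layout and sample values are constructed, and it assumes credits are stored as negative amounts.

```python
from decimal import Decimal

# Constructed line items: (document number, debit/credit indicator, amount).
# Assumption for this example: credits are stored as negative amounts, which
# is why summing the whole amount field can come out as zero.
EXTRACT_1 = [
    ("1001", "D", Decimal("1500.00")),
    ("1001", "C", Decimal("-1500.00")),
    ("1002", "D", Decimal("320.50")),
    ("1002", "C", Decimal("-320.50")),
]

# Second extract of the same segment, taken later. Document 1002 was altered
# on both sides, so the document still balances.
EXTRACT_2 = [
    ("1001", "D", Decimal("1500.00")),
    ("1001", "C", Decimal("-1500.00")),
    ("1002", "D", Decimal("820.50")),
    ("1002", "C", Decimal("-820.50")),
]


def control_totals(records):
    """Compute the default control total plus the figures it can hide."""
    debit = Decimal("0")
    credit = Decimal("0")
    for doc_no, indicator, amount in records:
        if indicator == "D":
            debit += amount
        elif indicator == "C":
            credit += amount
        else:
            raise ValueError(f"document {doc_no}: unknown indicator {indicator!r}")
    return {
        "record_count": len(records),
        "net_total": debit + credit,  # sum of every value in the key figure field
        "debit_total": debit,
        "credit_total": credit,
    }


def changed_figures(first, second):
    """Names of the control figures that differ between two extracts."""
    a, b = control_totals(first), control_totals(second)
    return [name for name in a if a[name] != b[name]]


if __name__ == "__main__":
    print(control_totals(EXTRACT_1))
    print(control_totals(EXTRACT_2))
    # The net total and record count are identical in both extracts; only the
    # separate debit and credit totals reveal that the data changed.
    print(changed_figures(EXTRACT_1, EXTRACT_2))
```

Because a balanced alteration leaves the net total at zero, an auditor comparing extracts should record the debit and credit totals and the record count alongside the default figure.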

7.17.4.3 Auditor's checking for processing control –

Whether -
7.17.4.3.1 Any sign/evidence is left behind from which auditors
can find any misstatement, security violation,
performance problem or flaw in applications.
7.17.4.3.2 It (the audit trail) ensures that the system resources have
not been attacked by hackers, insiders, or technical
problems.
7.17.4.3.3 There are any problems in the internal & external connectivity of
systems, that is, in communicating all possible inputs to
and all potential outputs from a system for some
potential or actual user of the system.
7.17.4.3.4 In auditing, totals (control totals) are developed on
"key" data fields in input records, and on the number
of records processed, to ensure that data have been
properly transmitted, converted, and processed.


7.18 Output controls –


7.18.2 Reconciliation - Reconciliation Tasks
The Reconciliation Tasks application combines one or more link rules
and, if necessary, a task filter and one or more comparison rules into
a reconciliation task. This application also lets you specify how the
system reports results for comparison rule evaluations: all results, or
failed reconciliations.
You also schedule execution of the reconciliation task in the
Reconciliation Tasks application.
Tasks in the Reconciliation Process -
The system reconciles Data Set 1 and Data Set 2 by performing a rule-
based compare operation defined in a reconciliation task. You use
Reconciliation module applications to define a reconciliation task and
to schedule the reconciliation task to run. After the reconciliation task
runs, you can view the results of the reconciliation in the Asset Link
Results and Asset Reconciliation Results applications. You use the
following steps to set up and execute reconciliation:
1. Set up a task filter. A task filter is optional.
2. Define one or more link rules.
3. Define one or more comparison rules. Comparison rules are
optional.
4. Set up a reconciliation task and schedule execution of the task.
5. View results of the reconciliation.
6. If appropriate, resolve discrepancies and document how you
resolve them.
7.18.3 Distribution
- The output subsystem provides functions that determine the content of
data that will be provided to users, the ways data will be formatted and
presented to users, and the ways data will be prepared for and routed to
users. The major components of the output system are the software and
personnel that determine the content, format, and timeliness of data to
be provided to users, the various hardware devices used to present the
formatted output data to users (e.g., printers, terminals, voice synthesizers)
and the hardware, software and personnel that route the output to users.
- When output has been produced, it should be secured to prevent loss or
unauthorized removal, especially if the output contains negotiable
instruments. For example, user/client services group employees might
collect output reports, film or cartridges, and hold them pending
collection by users. They should collect the output promptly and store it
securely.
- Controls must be in place to ensure that output is dispatched on a timely
basis. Managers could make wrong decisions if they do not promptly
receive reports that notify them of important changes in, say, their
organization's financial position. Regular reviews should be undertaken,
therefore, to ensure that output has been collected or distributed on a
timely basis.
7.18.4 Access
Only authorized persons are allowed to access the computer and
handle the output work, i.e., measures are to be taken so that only
authorized users are able to perform actions or access information in a
network or a workstation. In the fields of physical security and
information security, access control is the selective restriction of
access to a place or other resource. The act of accessing may mean
consuming, entering, or using. Permission to access a resource is
called authorization.
Locks and login credentials are two analogous mechanisms of access
control.
7.18.5 Auditor's checking for output control –
Whether –
- The system reports all results.
- The applicator knows how to resolve any failure in
reconciliation.
- Inter-branch transactions, clearings, cash balances, etc. are checked &
no differences are found.
- Major components of data preparation, e.g., hardware, software and
personnel, worked properly and efficiently.
- Output is complete, accurate, distributed to the authority in a timely manner
and preserved for future reference.
- Access is controlled strictly.

7.18.6 Auditor's checking for the above security threats, whether -

- Strong passwords are used
- Passwords are stored in a secured location or committed to memory.
- The computer screen is protected by a screen saver password
- Passwords are always changed within 30 days
- There is a parameter in the system for the maximum number of invalid
log-on attempts allowed
- Vulnerable computers are reported to the Authority.
- Staff are aware of anyone around them and what they are doing
- Any curious person very often comes around the computer operator
- Confidential work is done confidentially
- Any suspended or terminated staff are ever allowed in the computer
room or are still working in the Branch
- Previous passwords of such suspended or terminated staff are
removed from the computer
- The computer room or server room is glass protected and under lock
and key.
- Any authorization list is maintained and reviewed on a regular basis
- Visitors (contract employees, vendor programmers/analysts,
maintenance personnel, clients and any relatives) are restricted or
escorted during a visit to the computer room
- Previous passwords of staff who have left the branch or been
transferred are removed from the computer
- Anyone ever holds the door for unidentified individuals
- Branch confidential documents are kept under lock and key
- Suspicious activities are reported to IT Security


7.19 Disaster recovery plan


7.19.2 An IT disaster recovery plan is a structured approach for responding to
unplanned incidents that threaten an IT infrastructure, which includes
hardware, software, networks, processes and people.
7.19.3 The primary objective of disaster recovery planning is to protect the
organization in the event that all or part of its operations and/or
computer services is rendered unusable.
7.19.4 Auditor's checking
7.19.4.1 Looking for an adequate and performable disaster recovery
plan that will allow the application to be recovered in a
reasonable amount of time after a disaster,
7.19.4.2 Backup guidelines, process documentation, offsite storage
guidelines, SLAs with offsite storage vendors, etc.

7.20 Change management


7.20.2 Change management is a set of standardized processes designed to
administer all changes to the IT production environment. The ultimate
goal of this discipline is to minimize the impact of change-related
incidents on IT service levels.
7.20.3 Auditor’s checking
7.20.3.1 Examines the process that changes to an application go through
7.20.3.2 Process is documented, adequate and followed
7.20.3.3 Who is allowed to request a change?
7.20.3.4 Change is tested and doesn't break compliance (determined in
administration) before being placed in production.
7.21 User support
7.21.2 Be your initial point of contact for all IT queries;
7.21.3 Centrally administer all support requests;
7.21.4 Provide first line support and fixes where possible;
7.21.5 Escalate issues as and when required to the relevant technical unit.
7.21.6 Auditor's checking
7.21.6.1 User documentation (manuals, online help, etc.)
available & up to date
7.21.6.2 User training – productivity, proper use, security
7.21.6.3 Process for user improvement requests.

7.22 Third party services


7.22.2 The need to assure that services provided by third parties (suppliers,
vendors and partners) meet business requirements requires an effective
third party management process. This process is accomplished by
clearly defining the roles, responsibilities and expectations in third
party agreements as well as reviewing and monitoring such agreements
for effective compliance.
7.22.3 Effective management of third party services minimizes the business
risk associated with non-performing suppliers.
7.22.4 Control over the IT process of managing third party services that
satisfies the business requirement for IT of providing satisfactory third
party services whilst being transparent about benefits, costs and risks, by
focusing on establishing relationships and bilateral responsibilities
with qualified third party service providers
and monitoring the service delivery to verify and ensure adherence to
agreements by:
- Identifying and categorizing supplier services
- Identifying and mitigating supplier risk
- Monitoring.
7.22.5 Auditor's checking
7.22.5.1 Looking at the controls around any third party services that are
required to meet business objectives for the application or
system -
- Liaison with the 3rd party vendor
- Review of the contract agreement
- Service organizations disclose their control activities
and processes to their customers and their customers'
auditors in a uniform reporting format.


7.23 Technical IT controls Audit


7.23.2 Technical controls used for the IT system, e.g., a built-in or add-on security
product that supports -
7.23.3 Identification and authentication,
7.23.3.1 Identification is the process whereby a network element
recognizes a valid user's identity. Authentication is the process of
verifying the claimed identity of a user. A user may be a person,
a process, or a system (e.g., an operations system or network
element) that accesses a network element to perform tasks or
process a call. A user identification code is a non-confidential
auditable representation of a user. Information used to verify the
claimed identity of a user can be based on a password, Personal
Identification Number (PIN), smart card, biometrics, token,
exchange of keys, etc. Authentication information should be kept
confidential.
7.23.3.2 If users are not properly identified, then the network element is
potentially vulnerable to access by unauthorized users. If strong
identification and authorization mechanisms are used, then the
risk that unauthorized users will gain access to a system is
significantly decreased.
7.23.3.3 The exploitation of the following vulnerabilities as well as other
identification and authentication vulnerabilities will result in the
threat of impersonating a user.
7.23.3.4 Computer intruders have been known to compromise PSN
assets by gaining unauthorized access to network elements. It is
possible for a person impersonating an authorized user to cause
the full range of threats. The severity of the threat of
impersonating a user depends on the level of privilege that is
granted to the unauthorized user.
7.23.4 Auditor's checking
Whether -
- Weak authentication methods are used;
- The potential exists for users to bypass the authentication
mechanism;
- The confidentiality and integrity of stored authentication
information is not preserved; and
- Authentication information which is transmitted over the network
is not encrypted
7.24 Discretionary or mandatory access control
7.24.2 When auditing logical security, the auditor should investigate what
security controls are in place and how they work. In particular, the
following areas are key points in auditing logical security:

7.24.2.1 Passwords: Every company should have written policies
regarding passwords and employees' use of them. Passwords
should not be shared and employees should have mandatory
scheduled changes. Employees should have user rights that are
in line with their job functions. They should also be aware of
proper log on/log off procedures. Also helpful are security
tokens, small devices that authorized users of computer
programs or networks carry to assist in identity confirmation.
They can also store cryptographic keys and biometric data. The
most popular type of security token (RSA's SecurID) displays
a number which changes every minute. Users are authenticated
by entering a personal identification number and the number on
the token.
7.24.2.2 Termination Procedures: Proper termination procedures so
that old employees can no longer access the network. This can
be done by changing passwords and codes. Also, all ID cards and
badges that are in circulation should be documented and
accounted for.
7.24.2.3 Special User Accounts: Special user accounts and other
privileged accounts should be monitored and have proper
controls in place.

7.24.3 Auditor's checking - checking to be done as per the checklist
(Annexure – 8)

7.25 Residual information protection


7.25.2 Residual Information Protection (RIP) requires a memory allocation to be
overwritten with a known pattern of bits before memory is allocated to
a new resource. Meeting the RIP standard can contribute to improved
security; however, overwriting the memory allocation can slow
performance. After the common criteria compliance enabled option is
enabled, the overwriting is required.
7.25.3 The operating system must erase any storage resources (registers, RAM
areas, disk sectors, data structures, etc.) before they are allocated to a new
subject (user, process), to avoid information leaking from one subject to
the next.
7.25.4 This function is also known in the literature as "object reuse" or "storage
sanitation".
7.25.5 There is an important difference between whether residual information
is erased when a resource is
(1) Allocated to a subject or
(2) Deallocated from a subject
7.25.6 In the first case, residual information can sometimes be recovered after a
user believes it has been deleted, using specialized "undelete" tools.
7.25.7 Auditor's checking -
Whether -
- Retrieval of company confidential printed documents is done
immediately
- All company confidential documents are shredded.
- All company confidential documents are locked.
- Suspicious activities are reported to the superior


7.26 Encryption methods


7.26.2 The process of encryption involves converting plain text into a series
of unreadable characters known as the cipher text. If the encrypted text
is stolen or attained while in transit, the content is unreadable to the
viewer. This guarantees secure transmission and is extremely useful to
companies sending/receiving critical information. Once encrypted
information arrives at its intended recipient, the decryption process is
deployed to restore the cipher text back to plaintext.
- The auditor should verify that management has controls in
place over the data encryption management process.
- Access to keys should require dual control; keys should be
composed of two separate components and should be
maintained on a computer that is not accessible to programmers
or outside users.
- Furthermore, management should attest that encryption
policies ensure data protection at the desired level and verify
that the cost of encrypting the data does not exceed the value
of the information itself.
- All data that is required to be maintained for an extensive
amount of time should be encrypted and transported to a
remote location.
- Procedures should be in place to guarantee that all encrypted
sensitive information arrives at its location and is stored
properly.
- Finally, the auditor should attain verification from
management that the encryption system is strong, not
attackable and compliant with all local and international laws
and regulations.
7.26.3 Computer assisted audit tools:
The computers that are used in business today have the ability to
capture system activity that shows details of all the work performed
by the computers. However, it is important to turn the audit system
ON. It is important to work with the IT Department to tailor and secure the
audit system and audit logs. Best practices include the use of automated
audit analysis tools (use of CAATs in IT audit) to manage the audit
systems as well as the audit logs or records that are generated by the
audit system and determine significant events and trends. These tools
(like other monitoring mechanisms) must be fine-tuned over time to
eliminate false alarms and ensure that significant occurrences are made
known. These audit analysis tools should provide the audit log reports
in a human-readable and intelligible format that will facilitate the
internal systems review process of audit logs.


7.27 RISK ASSESSMENT


7.27.2 Risk is a function of the Likelihood of a given Threat sources exercising a
particular potential vulnerability, and the resulting impact of that adverse
event on the organization.
To determine the likelihood of a future adverse event, threats to an IT
system must be analyzed in conjunction with the potential vulnerabilities
and the controls in place for the IT system. Impact refers to the magnitude
of harm that could be caused by a threat’s exercise of vulnerability. The
level of impact is governed by the potential mission impacts and in turn
produces a relative value for the IT assets and resources affected (e.g., the
criticality and sensitivity of the IT system components and data).
• Step-1: System Characterization
• Step-2: Threat Identification
• Step-3: Vulnerability Identification
• Step-4: Control Analysis
• Step-5: Likelihood Determination
• Step-6: Impact Analysis
• Step-7: Risk Determination
• Step-8: Control Recommendations
• Step-9: Results Documentation.
Steps 2, 3, 4, and 6 can be conducted in parallel after Step-1 has been
completed.

7.27.3 STEP-1: SYSTEM CHARACTERIZATION


7.27.3.1 In assessing risks for an IT system, the first step is to define the
scope of the effort. In this step, the boundaries of the IT system
are identified, along with the resources and the information that
constitute the system. Characterizing an IT system establishes the
scope of the risk assessment effort, delineates the operational
authorization (or accreditation) boundaries, and provides
information (e.g., hardware, software, system connectivity, and
responsible division or support personnel) essential to defining
the risk.
7.27.3.2 System-Related Information
7.27.3.2.1 Identifying risk for an IT system requires a keen understanding
of the system’s processing environment. The person or persons
who conduct the risk assessment must therefore first collect
system-related information.
7.27.3.2.2 System-related information is usually classified as
follows:
o Hardware
o Software
o System interfaces (e.g., internal and external connectivity)
o Data and information
o Persons who support and use the IT system
o System mission (e.g., the processes performed by the IT
system)
o System and data criticality (e.g., the system’s value or
importance to an organization)
o System and data sensitivity.
7.27.3.2.3 Additional information related to the operational
environment of the IT system and its data includes, but is
not limited to, the following:
• The functional requirements of the IT system
• Users of the system (e.g., system users who provide technical
support to the IT system; application users who use the IT
system to perform business functions)
• System security policies governing the IT system
(organizational policies, federal requirements, laws, industry
practices)
• System security architecture
7.27.3.2.4 The level of protection required to maintain system and data
integrity, confidentiality, and availability.
• Current network topology (e.g., network diagram)
• Information storage protection that safeguards system and
data availability, integrity, and confidentiality
• Flow of information pertaining to the IT system (e.g., system
interfaces, system input and output flowchart)
• Technical controls used for the IT system (e.g., built-in or
add-on security product that supports identification and
authentication, discretionary or mandatory access control,
audit, residual information protection, encryption methods)
• Management controls used for the IT system (e.g., rules of
behavior, security planning)
• Operational controls used for the IT system (e.g., personnel
security, backup, contingency, and resumption and recovery
operations; system maintenance; off-site storage; user account
establishment and deletion procedures; controls for
segregation of user functions, such as privileged user access
versus standard user access)
• Physical security environment of the IT system (e.g., facility
security, data center policies)
• Environmental security implemented for the IT system
processing environment (e.g., controls for humidity, water,
power, pollution, temperature, and chemicals).

7.27.4 STEP-2: THREAT IDENTIFICATION


7.27.4.1 A threat is the potential for a particular threat-source to
successfully exercise a particular vulnerability. In determining
the likelihood of a threat, one must consider threat sources,
potential vulnerabilities, and existing controls.
Threat: The potential for a threat source to exercise (accidentally trigger or intentionally
exploit) a specific vulnerability.


7.27.4.2 Threat source identification:


Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a
vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
Common Threat Sources:
• Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms,
and other such events.
• Human Threats: Events that are either enabled by or caused by human beings, such as
unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks,
malicious software upload, and unauthorized access to confidential information).
• Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.
7.27.4.3 Motivation and Threat Actions
Motivation and the resources for carrying out an attack make humans potentially
dangerous threat-sources. The table below presents an overview of many of today’s
common human threats, their possible motivations, and the methods or threat
actions by which they might carry out an attack. This information will be useful
to organizations studying their human threat environments and customizing
their human threat statements.
Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source: Hacker, Cracker
Motivation: Challenge; Ego; Rebellion
Threat Actions: Hacking; Social engineering; System intrusion, break-ins;
Unauthorized system access

Threat-Source: Computer criminal
Motivation: Destruction of information; Illegal information disclosure;
Monetary gain; Unauthorized data alteration
Threat Actions: Computer crime (e.g., cyber stalking); Fraudulent act (e.g., replay,
impersonation, interception); Information bribery; Spoofing; System intrusion

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent,
dishonest, or terminated employees)
Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional
errors and omissions (e.g., data entry error, programming error)
Threat Actions: Assault on an employee; Blackmail; Browsing of proprietary
information; Computer abuse; Fraud and theft; Information bribery; Input of
falsified, corrupted data; Interception; Malicious code (e.g., virus, logic bomb,
Trojan horse); Sale of personal information; System bugs; System intrusion;
System sabotage; Unauthorized system access

An estimate of the motivation, resources, and capabilities that may be required to carry out a
successful attack should be developed after the potential threat-sources have been identified,
in order to determine the likelihood of a threat's exercising a system vulnerability.

7.27.5 Some IT related Threats (Security threats & countermeasures):


Malicious software:
2.27.4.1 Viruses:
- Malicious (intended to cause harm) code embedded in e-mail
messages that is capable of inflicting (making others suffer) a great
deal of damage and causing extensive frustration
- Stealing files containing personal information
- Sending e-mails from your account
- Rendering your computer unusable
- Removing files from your computer.
What you can do
- Do not open unknown attachments to e-mails:
- Received from unknown individuals
- That in any way appear suspicious
- If uncertain, contact IT Security
- Report all suspicious e-mails to IT Security.

2.27.4.2 Phishing
The activity of getting someone to give their personal details over the internet
in order to steal money from them. An online scam whereby e-mails are sent by
criminals who seek to steal your identity, rob bank accounts or take over your
computer.

What you can do –
- Stop - do not react to phishing ploys consisting of upsetting or exciting
information
- Look - look closely at the claims in the e-mail and carefully review all the links
and web addresses
- Do not - reply to the e-mails requesting
- Report - suspicious activity to contact.

2.27.4.3 Unauthorized system access

- Individuals maliciously obtain unauthorized access to computers, applications,
confidential information, and other valuable assets
- Not all guilty parties are unknown; some can be co-workers
- Unauthorized system access can result in theft of or damage to vital information
assets
What we can do
- Use strong passwords for all accounts
- Commit passwords to memory – if not possible, store all passwords in a
secure location
- Never tell anyone your password
- Never use default passwords
- Protect your computer with a password-protected screen saver
- Report suspicious individuals/activities to contact
- Report vulnerable computers to your department

2.27.4.4 Shoulder Surfing

The act of covertly observing employees' actions with the objective of
obtaining confidential information
What we can do
- Be aware of anyone around you and what they are doing
- Do not perform work involving confidential organization information if
you are unable to safeguard yourself from shoulder surfing, etc.
2.27.4.5 Disgruntled employees
Upset/troubled employees with an intent to harm other employees or the
organization
What we can do –
- Contact superiors if you suspect your employee is disgruntled and
potentially dangerous
- Be observant of others and report suspicious/inappropriate behavior to
superiors
- Exercise extreme care when aware of an unfriendly termination

2.27.4.6 Unauthorized facility access


Individuals maliciously obtain unauthorized access to offices with the
objective to steal equipment, confidential information and other valuable
organization assets

What we can do –
- Do not hold the door for unidentified individuals
- Do not leave anything of value exposed in your office/ work space – lock
all organizational confidential documents in desk drawers.
- Escort any of your own visitors throughout the duration of their visit

2.27.4.7 An employee who is not necessarily facilities access

What we can do –
- Retrieve your company confidential printed documents immediately
- Shred all company confidential documents.
- Lock all company confidential documents
- Report suspicious activities to your superior

2.27.4.8 Malicious software: Spyware

Any technology that aids in gathering information about you or the
organization without your or its knowledge and consent
What you can do
- Do not click on options in deceptive (misleading)/suspicious pop-up
windows
- Do not install any software without receiving prior approval from IT
Security
- If you experience slowness/poor computer performance or excessive
occurrence of pop-up windows, contact IT Security

7.27.6 STEP-3: VULNERABILITY IDENTIFICATION


7.27.6.1 The technical and nontechnical vulnerabilities associated with an
IT system processing environment can be identified via the
information gathering techniques. The interviews and in
developing effective questionnaires to identify vulnerability that
may be applicable to specific IT systems (specific version of a
specific operating system).
7.27.6.2 Documented vulnerability sources that should be considered in a
thorough vulnerability analysis include –
• Previous risk assessment documentation of the IT system
assessed
• The IT system's audit reports, system anomaly reports,
security review reports, and system test and evaluation
reports
• Vulnerability lists, vulnerability databases.

7.27.6.3 The table below presents examples of vulnerability/threat pairs.

Vulnerability: Terminated employees' system identifiers (ID) are not removed
from the system
Threat-Source: Terminated employees
Threat Action: Dialing into the company's network and accessing company
proprietary data

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled
on XYZ server
Threat-Source: Unauthorized users (e.g., hackers, terminated employees,
computer criminals, terrorists)
Threat Action: Using telnet to XYZ server and browsing system files with the
guest ID

Vulnerability: The vendor has identified flaws in the security design of the
system; however, new patches have not been applied to the system
Threat-Source: Unauthorized users (e.g., hackers, disgruntled employees,
computer criminals, terrorists)
Threat Action: Obtaining unauthorized access to sensitive system files based on
known system vulnerabilities

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to
protect hardware and equipment from water damage are not in place.
Threat-Source: Fire, negligent persons
Threat Action: Water sprinklers being turned on in the data center


7.27.6.4 Recommended methods for identifying system vulnerabilities are the use of
vulnerability sources, the performance of system security testing, and the
development of a security requirements checklist.
7.27.6.5 Development of Security Requirements Checklist
A security requirements checklist contains the basic security standards that can
be used to systematically evaluate and identify the vulnerabilities of the assets
(personnel, hardware, software, information), non-automated procedures,
processes, and information transfers associated with a given IT system in the
following security areas:
• Management
• Operational
• Technical.

The table below lists security criteria suggested for use in identifying an IT system’s
vulnerabilities in each security area.

7.27.6.6 Security Criteria

Security Area: Management Security
Security Criteria:
• Assignment of responsibilities
• Continuity of support
• Incident response capability
• Periodic review of security controls
• Personnel clearance and background investigations
• Risk assessment
• Security and technical training
• Separation of duties
• System authorization and reauthorization
• System or application security plan

Security Area: Operational Security
Security Criteria:
• Control of air-borne contaminants (smoke, dust, chemicals)
• Controls to ensure the quality of the electrical power supply
• Data media access and disposal
• External data distribution and labeling
• Facility protection (e.g., computer room, data center, office)
• Humidity control
• Temperature control
• Workstations, laptops, and stand-alone personal computers

Security Area: Technical Security
Security Criteria:
• Communications (e.g., dial-in, system interconnection, routers)
• Cryptography
• Discretionary access control
• Identification and authentication
• Intrusion detection
• Object reuse
• System audit

Output from Step-3: A list of the system vulnerabilities (observations) that could be exercised
by the potential threat-sources

7.27.7 STEP-4: CONTROL ANALYSIS


7.27.7.1 The goal of this step is to analyze the controls that have been
implemented, or are planned for implementation, by the organization
to minimize or eliminate the likelihood (or probability) of a threat’s
exercising a system vulnerability. Because the risk assessment report
is not an audit report, some sites may prefer to address the identified
vulnerabilities as observations instead of findings in the risk
assessment report.
7.27.7.2 To derive an overall likelihood rating that indicates the probability
that a potential vulnerability may be exercised within the construct of
the associated threat environment, the implementation of current or
planned controls must be considered. For example, a vulnerability
(e.g., system or procedural weakness) is not likely to be exercised or
the likelihood is low if there is a low level of threat-source interest or
capability or if there are effective security controls that can eliminate,
or reduce the magnitude of, harm.

7.27.7.3 Control Methods


Security controls encompass the use of technical and nontechnical
methods. Technical controls are safeguards that are incorporated into
computer hardware, software, or firmware (e.g., access control
mechanisms, identification and authentication mechanisms,
encryption methods, intrusion detection software). Nontechnical
controls are management and operational controls, such as security
policies; operational procedures; and personnel, physical, and
environmental security.

7.27.7.4 Control Categories


The control categories for both technical and nontechnical control
methods can be further classified as either preventive or detective.
These two subcategories are explained as follows:

• Preventive controls inhibit attempts to violate security policy
and include such controls as access control enforcement,
encryption, and authentication.
• Detective controls warn of violations or attempted violations of
security policy and include such controls as audit trails,
intrusion detection methods, and checksums.
• The implementation of such controls during the risk mitigation
process is the direct result of the identification of deficiencies
in current or planned controls during the risk assessment
process (e.g., controls are not in place or controls are not
properly implemented).


7.27.7.5 Control Analysis Technique


As discussed previously, development of a security requirements
checklist or use of an available checklist will be helpful in analyzing
controls in an efficient and systematic manner.

The security requirements checklist can be used to validate security
noncompliance as well as compliance. Therefore, it is essential to
update such checklists to reflect changes in an organization’s control
environment (e.g., changes in security policies, methods, and
requirements) to ensure the checklist’s validity.

Output from Step-4: List of current or planned controls used for the
IT system to mitigate the likelihood of a vulnerability’s being
exercised and reduce the impact of such an adverse event

7.27.8 STEP-5: LIKELIHOOD DETERMINATION


7.27.8.1 To derive an overall likelihood rating that indicates the probability
that a potential vulnerability may be exercised within the construct
of the associated threat environment, the following governing
factors must be considered:
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls.
7.27.8.2 The likelihood that a potential vulnerability could be exercised by a
given threat-source can be described as high, medium, or low. The table
below describes these three likelihood levels.

7.27.8.3 Likelihood Definitions


Likelihood Level: Likelihood Definition
High: The threat-source is highly motivated and sufficiently
capable, and controls to prevent the vulnerability from
being exercised are ineffective.
Medium: The threat-source is motivated and capable, but
controls are in place that may impede successful
exercise of the vulnerability.
Low: The threat-source lacks motivation or capability, or
controls are in place to prevent, or at least significantly
impede, the vulnerability from being exercised.

Output from Step-5: Likelihood rating (High, Medium, Low)


7.27.9 STEP-6: IMPACT ANALYSIS


7.27.9.1 The next major step in measuring the level of risk is to determine the
adverse impact resulting from a successful threat exercise of a
vulnerability. Before beginning the impact analysis, it is necessary
to obtain the following information:
• System mission (e.g., the processes performed by the IT system)
• System and data criticality (e.g., the system’s value or importance
to an organization)
• System and data sensitivity.
7.27.9.2 This information can be obtained from existing organizational
documentation, such as the mission impact analysis report or asset
criticality assessment report. A mission impact analysis (also known
as business impact analysis [BIA] for some organizations) prioritizes
the impact levels associated with the compromise of an
organization’s information assets based on a qualitative or
quantitative assessment of the sensitivity and criticality of those
assets. An asset criticality assessment identifies and prioritizes the
sensitive and critical organization information assets (e.g., hardware,
software, systems, services, and related technology assets) that
support the organization’s critical missions.
7.27.9.3 Therefore, the adverse impact of a security event can be described in
terms of loss or degradation of any, or a combination of any, of the
following three security goals: integrity, availability, and
confidentiality. The following list provides a brief description of
each security goal and the consequence (or impact) of its not being
met:
7.27.9.3.1 Loss of Integrity.
System and data integrity refers to the requirement that
information be protected from improper modification. Integrity
is lost if unauthorized changes are made to the data or IT system
by either intentional or accidental acts. If the loss of system or
data integrity is not corrected, continued use of the
contaminated system or corrupted data could result in
inaccuracy, fraud, or erroneous decisions. In addition, violation
of integrity may be the first step in a successful attack against
system availability or confidentiality. For all these reasons, loss
of integrity reduces the assurance of an IT system.
7.27.9.3.2 Loss of Availability.
If a mission-critical IT system is unavailable to its end users, the
organization’s mission may be affected. Loss of system
functionality and operational effectiveness, for example, may
result in loss of productive time, thus impeding the end users’
performance of their functions in supporting the organization’s
mission.

7.27.9.3.3 Loss of Confidentiality.


System and data confidentiality refers to the protection of
information from unauthorized disclosure. The impact of
unauthorized disclosure of confidential information can range
from the jeopardizing of national security to the disclosure of
Privacy Act data. Unauthorized, unanticipated, or unintentional
disclosure could result in loss of public confidence,
embarrassment, or legal action against the organization. Some
tangible impacts can be measured quantitatively in lost revenue,
the cost of repairing the system, or the level of effort required
to correct problems caused by a successful threat action. Other
impacts (e.g., loss of public confidence, loss of credibility,
damage to an organization’s interest) cannot be measured in
specific units but can be qualified or described in terms of high,
medium, and low impacts. Because of the generic nature of this
discussion, this guide designates and describes only the
qualitative categories—high, medium, and low impact.
7.27.9.3.4 Magnitude of Impact Definitions
Magnitude of Impact: Impact Definition
High: Exercise of the vulnerability
(1) may result in the highly costly loss of major tangible assets
or resources;
(2) may significantly violate, harm, or impede an
organization’s mission, reputation, or interest; or
(3) may result in human death or serious injury.
Medium: Exercise of the vulnerability
(1) may result in the costly loss of tangible assets or resources;
(2) may violate, harm, or impede an organization’s mission,
reputation, or interest; or
(3) may result in human injury.
Low: Exercise of the vulnerability
(1) may result in the loss of some tangible assets or resources; or
(2) may noticeably affect an organization’s mission,
reputation, or interest.
7.27.9.3.5 Quantitative versus Qualitative Assessment
In conducting the impact analysis, consideration should be
given to the advantages and disadvantages of quantitative
versus qualitative assessments. The main advantage of the
qualitative impact analysis is that it prioritizes the risks and
identifies areas for immediate improvement in addressing the
vulnerabilities. The disadvantage of the qualitative analysis is
that it does not provide specific quantifiable measurements of
the magnitude of the impacts, therefore making a cost-benefit
analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it
provides a measurement of the impacts’ magnitude, which can
be used in the cost-benefit analysis of recommended controls.
The disadvantage is that, depending on the numerical ranges
used to express the measurement, the meaning of the
quantitative impact analysis may be unclear, requiring the result
to be interpreted in a qualitative manner. Additional factors
often must be considered to determine the magnitude of impact.

These may include, but are not limited to:
• An estimation of the frequency of the threat-source’s exercise
of the vulnerability over a specified time period (e.g., 1 year)
• An approximate cost for each occurrence of the threat-source’s
exercise of the vulnerability
• A weighted factor based on a subjective analysis of the relative
impact of a specific threat’s exercising a specific vulnerability
Output from Step-6: Magnitude of impact (High, Medium, or
Low)
7.27.10 STEP-7: RISK DETERMINATION
7.27.10.1 The purpose of this step is to assess the level of risk to the IT
system. The determination of risk for a particular
threat/vulnerability pair can be expressed as a function of:
• The likelihood of a given threat-source’s attempting to
exercise a given vulnerability
• The magnitude of the impact should a threat-source
successfully exercise the vulnerability
• The adequacy of planned or existing security controls for
reducing or eliminating risk.
To measure risk, a risk scale and a risk-level matrix must be
developed.
2.27.9.2 Risk-Level Matrix
The final determination of mission risk is derived by multiplying the
ratings assigned for threat likelihood (e.g., probability) and threat
impact. The table below shows how the overall risk ratings might be
determined based on inputs from the threat likelihood and threat impact
categories. The matrix below is a 3 x 3 matrix of threat likelihood (High,
Medium, and Low) and threat impact (High, Medium, and Low).
Depending on the site’s requirements and the granularity of risk
assessment desired, some sites might use a 4 x 4 or a 5 x 5 matrix. The
latter can include a Very Low/Very High threat likelihood and a Very
Low/Very High threat impact to generate a Very Low/Very High risk
level. A “Very High” risk level may require possible system shutdown
or stopping of all IT system integration and testing efforts. The sample
matrix in Table 7.1 shows how the overall risk levels of High, Medium,
and Low are derived. The determination of these risk levels or ratings
may be subjective. The rationale for this justification can be explained
in terms of the probability assigned for each threat likelihood level and
a value assigned for each impact level. For example,
• The probability assigned for each threat likelihood level is 0.1 for
High, 0.5 for Medium, 1.0 for Low.
• The value assigned for each impact level is 10 for High, 50 for
Medium, and 100 for Low.
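2.27.9.3 Risk-Level Matrix
Threat Likelihood High (0.1):
• Impact Low (100): High (100 x 0.1 = 10)
• Impact Medium (50): Very High (50 x 0.1 = 5)
• Impact High (10): Extremely High (10 x 0.1 = 1)
Threat Likelihood Medium (0.5):
• Impact Low (100): Medium (100 x 0.5 = 50)
• Impact Medium (50): High (50 x 0.5 = 25)
• Impact High (10): Very High (10 x 0.5 = 5)
Threat Likelihood Low (1.0):
• Impact Low (100): Low (100 x 1 = 100)
• Impact Medium (50): Medium (50 x 1 = 50)
• Impact High (10): High (10 x 1 = 10)
Risk Scale: High (>1 to 10); Medium (>10 to 50); Low (50 to 100)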
2.27.9.4 Description of Risk Level
The table below describes the risk levels shown in the above matrix. This risk
scale, with its ratings of High, Medium, and Low, represents the degree
or level of risk to which an IT system, facility, or procedure might be
exposed if a given vulnerability were exercised. The risk scale also
presents actions that senior management, the mission owners, must take
for each risk level.
2.27.9.5 Risk Scale and Necessary Actions
Risk Level: Risk Description and Necessary Actions
High: If an observation or finding is evaluated as a high risk,
there is a strong need for corrective measures. An
existing system may continue to operate, but a
corrective action plan must be put in place as soon as
possible.
Medium: If an observation is rated as medium risk, corrective
actions are needed and a plan must be developed to
incorporate these actions within a reasonable period of
time.
Low: If an observation is described as low risk, the system’s
approved authority must determine whether corrective
actions are still required or decide to accept the risk.
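
The scoring described in Steps 5 to 7, as an added example that is not part of the policy document: it uses the probabilities, impact values and Risk Scale bands printed above, where a lower product means a higher risk. The control-state labels, the treatment of the boundary products 1 and 50, following the Risk Scale line where a matrix cell carries a different label, and the ratings given to the sample observations are assumptions.

```python
"""Steps 5-7 of the risk assessment, using this section's printed figures."""
from dataclasses import dataclass
from fractions import Fraction

# Probability per likelihood level and value per impact level, as printed
# in the Risk-Level Matrix section (exact fractions avoid float rounding).
LIKELIHOOD_PROBABILITY = {
    "High": Fraction(1, 10), "Medium": Fraction(1, 2), "Low": Fraction(1)}
IMPACT_VALUE = {"High": 10, "Medium": 50, "Low": 100}

# Hypothetical labels for the three control situations that the
# Likelihood Definitions table distinguishes.
CONTROL_STATES = ("ineffective", "may_impede", "prevent")


def likelihood_level(motivated: bool, capable: bool, controls: str) -> str:
    """Step 5: rate likelihood from the three governing factors."""
    if controls not in CONTROL_STATES:
        raise ValueError(f"unknown control state: {controls!r}")
    # Low: the threat-source lacks motivation or capability, or controls
    # prevent (or significantly impede) exercise of the vulnerability.
    if not (motivated and capable) or controls == "prevent":
        return "Low"
    # Medium: motivated and capable, but controls may impede success.
    if controls == "may_impede":
        return "Medium"
    # High: motivated, capable, and controls are ineffective.
    return "High"


def risk_score(likelihood: str, impact: str) -> Fraction:
    """Step 7: product of the impact value and likelihood probability."""
    return IMPACT_VALUE[impact] * LIKELIHOOD_PROBABILITY[likelihood]


def risk_level(score) -> str:
    """Band a score with the printed Risk Scale (lower score = higher risk).

    Assumptions: a product of exactly 1 is rated High, 50 is rated Medium,
    and anything below 1 goes to the 'negligible' bucket that is held
    aside for the next periodic assessment.
    """
    if score < 1:
        return "Negligible"
    if score <= 10:
        return "High"
    if score <= 50:
        return "Medium"
    return "Low"


@dataclass
class Observation:
    vulnerability: str
    motivated: bool
    capable: bool
    controls: str
    impact: str


def assess(observations):
    """Return (score, level, likelihood, impact, vulnerability) rows,
    most severe first (smallest product on this page's scale)."""
    rows = []
    for obs in observations:
        likelihood = likelihood_level(obs.motivated, obs.capable, obs.controls)
        score = risk_score(likelihood, obs.impact)
        rows.append((score, risk_level(score), likelihood,
                     obs.impact, obs.vulnerability))
    return sorted(rows, key=lambda row: row[0])


# Vulnerabilities taken from the vulnerability/threat pair table above;
# the factor and impact ratings are constructed for illustration.
SAMPLE = [
    Observation("Inbound telnet allowed, guest ID enabled on XYZ server",
                True, True, "may_impede", "Medium"),
    Observation("Terminated employees' system IDs not removed",
                True, True, "ineffective", "High"),
    Observation("Sprinklers in data center, no tarpaulins in place",
                False, True, "ineffective", "Medium"),
    Observation("Vendor security patches not applied",
                True, True, "may_impede", "High"),
]

if __name__ == "__main__":
    for score, level, likelihood, impact, vuln in assess(SAMPLE):
        print(f"{level:<7} score={float(score):>5.1f} "
              f"likelihood={likelihood:<6} impact={impact:<6} {vuln}")
```
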


2.27.9.6 Description of Risk Level


2.27.9.6.1 Describes the risk levels shown in the above matrix. This risk
scale, with its ratings of High, Medium, and Low, represents the
degree or level of risk to which an IT system, facility, or procedure
might be exposed if a given vulnerability were exercised. The risk
scale also presents actions that senior management, the mission
owners, must take for each risk level.

Output from Step-7: Risk level (High, Medium, Low)

2.27.9.6.2 If the level indicated on certain items is so low as to be deemed
"negligible" or non-significant (value is <1 on a risk scale of 1 to
100), one may wish to hold these aside in a separate bucket in lieu
of forwarding them for management action. This will make sure that
they are not overlooked when conducting the next periodic risk
assessment. It also establishes a complete record of all risks
identified in the analysis. These risks may move to a new risk level
on a reassessment due to a change in threat likelihood and/or
impact, and that is why it is critical that their identification not be
lost in the exercise.

7.27.11 STEP-8: CONTROL RECOMMENDATIONS


During this step of the process, controls that could mitigate or eliminate
the identified risks, as appropriate to the organization’s operations, are
provided. The goal of the recommended controls is to reduce the level of
risk to the IT system and its data to an acceptable level. The following
factors should be considered in recommending controls and alternative
solutions to minimize or eliminate identified risks:
• Effectiveness of recommended options (e.g., system
compatibility)
• Legislation and regulation
• Organizational policy
• Operational impact


Inspection Manual
(Inspection by the Controlling Office)

8 Inspection
Inspection is an important appraisal involving examination, measurement, testing
and comparison of a task to determine whether it is performed in accordance with
the applicable rules, regulations, policies and procedures.

8.1 Objectives of Inspection:


8.1.1 Inspection is a crucial element of direct control mechanism over branches by
bank management. It is generally done once in every 12 months. The main
purpose of internal inspection is to scrutinize working of the branch and
various departments of the bank with the objective of helping the bank in
keeping a watch on safe and useful deployment of funds. It ensures that the
operating units scrupulously follow the laid down systems and procedures and
if found otherwise, to initiate prompt corrective steps.
8.1.2 Inspection is not a faultfinding mechanism but is a developmental tool. It is
an early warning signal system for undesirable trends in operations. It is a
whistleblowing mechanism.

8.2 Types of Inspection:


8.2.1 Inspection by Zonal Office;
8.2.2 Inspection by Circle Office;
8.2.3 Inspection by Concern GM;
8.2.4 Inspection by Head Office.

8.3 Functions of Inspection:

• Preparation and execution of the annual inspection plan.
• Conducting inspection on a periodic/surprise basis.
• Ensuring spot rectification where possible.
• Preparation and submission of the inspection report.
• Preparation of an executive summary on major findings during the inspection.
• Collection of required information from other units.
• Detecting deviations in compliance and preventing fraud and forgeries.
• Ensuring reliability of accounting data and reporting to the proper authority.
• Examination of documents and books of accounts and evaluating
branch efficiency.
• Ensuring compliance with the audit observations through follow-up.
• In the case of Shariah-based banking, implementation of the Shariah principles.
8.4 Inspection procedures used in Agrani Bank Limited:
8.4.1 As a properly structured and governed financial organization, it is necessary to
maintain transparency in all activities of the Branch Offices. For this reason,
controlling/supervising needs to be strengthened.
8.4.2 Inspection at Branch level by the Circle Office/Zonal Offices on a regular
basis is necessary.
8.4.3 If any negligence or delay occurs in the supervising system, i.e. a weak
internal control system, various frauds, forgeries and irregularities will
arise.
8.5 Outline of Inspection Function:
8.5.1 Instructions were issued for submitting a report on surprise Branch Office
inspection by the controlling executive in order to strengthen branch
supervising activities, vide MD:NIKO:03:84/161 dated 14 February 1988
and MD:NIKO:03:84/318.
8.5.2 Embezzlement and reduced customer service may result from the concerned
controlling executives not taking effective action on Branch Inspection.
8.5.3 In this regard, Branch Inspection was redesigned by issuing MD: NIKO:
03:84/27 dated 07 October 1997 in line with memorandum No.
AM/ABI/BANK-5/11(35)/87/134 dated 10 February 1988 issued by the
Ministry of Finance.
8.5.4 Subsequently, surprise Branch inspection was again redesigned by issuing MD:
NIKO: 03:84/06 dated 19 February 2000.

8.5.5 The latest system is as follows:


Inspection by the Controlling Office

| Executive/Officer | Inspection Program | Report submission | Spot Action to be Taken |
|---|---|---|---|
| Circle Head/General Manager | 1. Corporate Branch: once in every two months. 2. Zonal Office: once in every three months. 3. Non-Corporate Branch: two or more branches every month. | Circle Head/Responsible General Manager of the concerned Corporate branch will send the main copy of the Inspection Report to the concerned branch for compliance and a copy of the report to the concerned DMD. | • If any serious lapse or fraud/forgery is detected at the time of inspection, the head of the Circle/Responsible GM of the concerned corporate branches will take administrative action against the responsible person on the spot. • The GM will also inform the concerned DMD without any delay. |
| Zonal Head | 1. Branch located at town: once in every month. 2. Minimum 1/3rd of the branches under the Zone once in every month, i.e. every quarter all of the branches are to be visited. | • Main copy of the report to be submitted: main copy of the Inspection Report to the concerned branch for compliance and a copy of the report to the concerned Circle Head. | • If any serious lapse or fraud/forgery is detected at the time of inspection, the Zonal Head will take administrative action without any delay. • He/she will simultaneously inform the concerned Circle GM of the matter. |

NB: For Circle Head and Zonal Head Inspection, Checklist no. Annexure-1 will be used.


8.6 Rules to be followed during inspection:


During Branch inspection, the following documents/functions have to be scrutinized and
reviewed:
8.6.1 Cash Management: Cash Management of the Branch, i.e. opening and closing balance
checking, cash keeping, mutilated cash management, etc.
8.6.2 Administration:
8.6.2.1 Checking of Attendance Register, Duty List and job rotation.
8.6.2.2 Expenditure against budget
8.6.2.3 Leave records examination
8.6.2.4 Employees Code of Conduct.
8.6.2.5 Cleanliness of branch premises, signboard, security measures taken.
8.6.2.6 Customer service Quality.
8.6.2.7 Different Target achievement status (Branch Office’s deposits, advances,
foreign trade/business and profit position)
8.6.3 Other activities:
8.6.3.1 IT Security Management
8.6.3.2 Password Management
8.6.3.3 Loan Documentation checking (preparation of LDCL and Safe in Safe out
register)
8.6.3.4 Loan recovery position of Top 20 loan defaulters/Classified loans.
8.6.3.5 Compliance with Head Office Instruction Circulars regarding banking
transactions. Check whether balance confirmation letters have been sent to the
customers. Awareness is to be created among Branch Offices to adjust outstanding
loan entries and to balance accounts and Registers/Ledgers; steps need to be
taken to resolve audit objections, and close liaison is to be maintained with
lawyers for settlement of filed cases.
8.6.3.6 Team Spirit of Branch functions
8.6.3.7 Recovery position of the unadjusted demand loan/LIM against imports of
garments industry
8.6.3.8 The head of Zonal Offices will send at least 20 account balance confirmation
letters during inspection and check the correctness of the responses received.
These 20 accounts will be selected:
- Top 10 balance accounts (by value)
- Five accounts where deposits and withdrawals had been made on
the same date
8.6.3.9 Unreconciled entries
8.6.3.10 DCFCL inspection
8.6.3.11 LDCL inspection
8.6.3.12 QOR inspection
8.6.3.13 Compliance of audit objections
(Internal, Bangladesh Bank, Commercial Audit)
8.6.3.14 Any other matter that seems to need inspection, etc.

8.7 Reporting Procedures/Rules:

8.7.1 If any serious lapses are observed during inspection, this has to be
communicated to concerned DMD/Circle GM with a copy to Head of ICC.
8.7.2 Within 7 days of inspection, Inspection report has to be sent to concerned
Branch Office for compliance, one copy to concerned Circle Office/
Controlling Office.
8.7.3 Circle Head/Responsible General Manager of concerned Corporate branch
will send the main Copy of Inspection Report to concerned branch for
compliance and a copy of the report to the Concerned DMD.

8.8 Follow up procedures of Inspection Report:


8.8.1 Circle Office will take appropriate steps to resolve the irregularities mentioned in
the Zonal Head’s Report.
8.8.2 When irregularities are observed during inspection or when no guidelines for
Branch Office development are observed, this has to be mentioned in the report
and subsequently, compliance/progress has to be ensured.
8.8.3 During Branch inspection by the Head of Zonal Office, and for increasing the
deposits of the Branch Office, the head of Zonal Office will meet at least 5 (five)
depositors and 2 (two) large borrowers; in this report he will make comments on the
loans and indicate the outcome of the meeting.


Audit Monitoring & Controlling Manual


9 Monitoring

Monitoring is an on-going process, usually directed by the management, to ensure that
processes are working as intended. Monitoring is an effective control within a process.
It involves supervising activities in progress to ensure they are on course and on
schedule in meeting the objectives and performance targets.

9.1 Monitoring Activities and Corrective Measures:

9.1.1 The effectiveness of the Bank’s internal control should be monitored on an
ongoing basis. Key/high risk items should be identified and monitored as
part of daily activities.
9.1.2 Internal control deficiencies, whether identified by business lines, internal
auditors, or other control personnel should be reported in a timely and
prompt manner to the appropriate management level and addressed
immediately.

9.1.3 The ICC will report material control deficiencies to the Audit Committee of
the Board with specific recommendations.
9.1.4 A quarterly summary of the QOR, DCFCL, LDCL and Inspection Report must be
sent by the Circle Head / Concerned GM of Corporate Branch to the Head of ICC
for the Audit Monitoring and Controlling Division, which will review the same.

9.1.5 The Audit Monitoring and Controlling Division will review the QOR,
LDCL, DCFCL, Inspection Report and Exceptions report (if any); in
addition to the line management the Audit Monitoring and Controlling
Division will instruct the branch to rectify the exception and report the same.
If deemed necessary, the Head of ICC will instruct the ICT (A Team of
Audit Monitoring and Controlling Division comprised of 3-4 members) to
carry out an audit on the specific deviation.

9.1.6 Depending upon the gravity of the deviation, the ICT will report the matter
to the Head of ICC and ultimately to the Audit Committee of the Board, with
a copy to the MD, for necessary action and rectification through the concerned
controlling office.
9.1.7 On a quarterly basis, ICC will submit a report to the Audit Committee
of the Board on the type/nature of the discrepancies.

9.1.8 In addition to the above, the ICC will depute the ICT routinely, and also
on surprise dates, to branches/departments to carry out sample checks on the
items mentioned in the DCFCL, LDCL, QOR, and Inspection Report.


9.2 Objectives of Audit Monitoring and Controlling Division:

9.2.1 To conduct effective monitoring on the proper implementation of various
control tools;
9.2.2 DCFCL, QOR, LDCL and Self-Assessment Anti-Fraud Internal Control
Checklist in all branches and divisions/departments at head office of the bank
to strengthen internal check and internal control system of the bank;
9.2.3 To conduct effective monitoring for timely submission of regulatory returns as
per the calendar of returns to avoid regulatory imposition;
9.2.4 To prepare the risk grading of bank branches based on the two broad risk
parameters, i.e., control risk and business risk parameters;
9.2.5 To help prepare a risk-based internal audit plan for the bank at the end of each
year on the basis of risk grading of the branches, along with audit frequency.
9.2.6 To prepare Annual Health Report of the bank as a regulatory compliance;
9.2.7 To prepare the summary report on the DCFCL, Loan Documentation Checklist
(LDCL) and Quarterly Operations Report (QOR) and submit to the Head of
ICC on a quarterly basis for onward submission to Audit Committee of the
Board.
9.2.8 To monitor the effectiveness of the bank’s internal control system;
9.2.9 To report to the Head of ICC about major deviations, if any found by ICT.
9.2.10 To update various control tools (DCFCL, QOR, LDCL and Self-Assessment
Anti-Fraud Internal Control Checklist, etc.) as and when required by
Bangladesh Bank.
9.2.11 To identify, assess and control the risks involved in manifold operational
activities of the bank and prepare the Self-Assessment Anti-Fraud Internal
Control Checklist and place for signature by the MD and CEO and counter
signature by the Chairman of the Audit Committee of the Board for submission
of the same to the Department of Offsite Supervision of Bangladesh Bank.


9.3 Application of Monitoring System:


9.3.1 Departmental Control Function Checklist (DCFCL)
9.3.1.1 The guideline/procedure deals with matters relating to
review/verifications of departmental functions to ensure that
prescribed procedures are being followed by each department.

9.3.1.2 All departments are required to check whether the prescribed
controls are being observed and that laid-down procedures are not
overlooked or relaxed.
9.3.1.3 Departmental Managers, Branch Managers and Zonal Heads will
review the DCFCL to ensure that control functions are performed
and documented in the control sheets at the prescribed frequencies
i.e. daily, weekly, monthly and quarterly.
9.3.1.4 The DCFCL Checklist should be retained with the branch/
departments for future inspection by Internal Control Team and
Senior Management Team.
9.3.1.5 As per Head Office circular no. ICC/AMD/74 dated 13/07/14, a
specific checklist is designed for the Circle Head’s/Zonal Head’s
Branch visit. DCFCL is the Branch’s daily, weekly and monthly function
checklist; the Loan Documentation Checklist (LDCL), IT security
management checklist, Credit Risk Management checklist and Foreign
Exchange Checklist are department-wise quarterly checklists.

9.3.1.6 Individual items in the Departmental Control Function Checklists
(DCFCL) are assigned a risk rating by giving scores. Scores derived
from these checklists (DCFCL, QOR, LDCL, IT, CRM and FEx) will be
divided and added in two formats of risk assessment (Business Risk
and Control Risk).
9.3.1.7 The reporting pattern of DCFCL, LDCL and QOR has been changed
vide Head Office Circular No: AMD/DCFCL/36/18
dated 01/04/2018.

9.3.2 Loan Documentation Checklist (LDCL- Annexure -4):

The checklist deals with matters relating to security documentation for
sanctioning and drawdown of credit facilities, to ensure that the prescribed
documentation is being obtained to safeguard the Bank’s legal charge.

9.3.3 Quarterly Operations Report (QOR –Annexure-5):


9.3.3.1 This guideline/procedure relates to reporting of operational functions of
each branch/centre under the following heads on the enclosed format:
i. Policies, Procedures and Controls;
ii. Protection of Valuables;
iii. Proofs/Verifications and Internal Checks;
iv. Personnel and Supervision;
v. Premises Management; and
vi. Confirmation on Regulatory Compliance.
9.3.3.2 A report will be prepared in duplicate copies by each branch in the
prescribed format; one copy is to be dispatched to the Line Management
and another copy to the Internal Control Team by 10th of the following
month i.e. 10th April, July, October and January each year.
9.3.3.3 The items, which are not applicable to individual Branch or Department,
should be marked as N/A and no signature is required against the items
marked as N/A.
9.3.3.4 Any deviation in the quarterly operations report must be reported in a
separate exception report.
9.3.3.5 All concerned are advised to adhere to the requirements as outlined under
each of the above heads, for review by the Line Management quarterly
and by Internal Control/Audit as and when they visit the branch.

9.4 Annual Health Report of the Bank

9.4.1 Annual Integrated Health Report


The Audit Monitoring and Controlling Division will prepare the health report
annually, for onward submission to the Audit Committee of the Board,
Bangladesh Bank, Inspection Team and other regulatory bodies. For this
purpose, ICC will collect the Financial Health Score, ICC Health Score, and Image
& Reputation Health Score from the BoD, Annual Report of the bank, and External
Audit report respectively.
9.4.2 Objectives of Annual Health Report
9.4.2.1 The assessment of the soundness of the bank, which reflects the overall position
of the bank's performance, is important not only for the bank itself, but also for
all stakeholders of the bank.
9.4.2.2 The “Annual Health” Report reflects the financial, reputational and
sustainability position of bank, based on the most recent data of bank
itself. The purpose of the report is to provide stakeholders with a basic
overview of the general health of bank.

9.4.3 Methodology of Assessing Health (Detail in Annexure-D & D1):


9.4.3.1 The health of bank may be judged from different points of view, but
emphasis has to be given to the feasibility of the aspects considered for
health analysis and its quantification. Taking these two conditions into
consideration, the health of bank is assessed from a three dimensional
view points, viz. Financial Health, Internal Control & Compliance
Health and Image & Reputation Health. Depending on the nature of
business, the Board of Directors will decide on the weight of the sectors,
and inform the same to Bangladesh Bank before preparing report.

9.4.3.2 Bank will determine weight of the sectors based on their portfolio nature
with the approval of the Board and shall determine 'Health Score' using
following model:

| Health Sector | Sectoral Score Range | Sectoral Weight | Achieved Sectoral Score | Weighted Score |
|---|---|---|---|---|
| Financial Health | 0-100 | w1 | g1 | w1g1 |
| ICC Health | 0-100 | w2 | g2 | w2g2 |
| Image & Reputation Health | 0-100 | w3 | g3 | w3g3 |

Health Score = w1g1 + w2g2 + w3g3

a. If the health score is 90% and above, it will be marked ‘Excellent’,
b. If the health score is 80% and above but below 90%, it will be marked as Very Good,
c. If the health score is 70% and above but below 80%, it will be marked as Good,
d. If the health score is 60% and above but below 70%, it will be marked as Satisfactory,
e. If the health score is below 60%, it will be treated as marginal.

9.4.4 Frequency of Health Analysis


The health analysis of the bank is to be done on a yearly basis as a regulatory compliance,
and the analysis should be made immediately after completing an accounting year.
9.4.5 Reporting Line and its Approval Process
The yearly-integrated health report of the bank is to be submitted to the Board of Directors
for approval and review.


Audit Compliance Manual


10 Compliance
Compliance refers to operating the bank in conformance with applicable laws,
regulations, policies, standards, guidelines, etc. applicable to all institutions in its
category, and responding fully and in a timely manner to supervisory criticism and
orders to take corrective action issued by applicable regulatory authorities or law
enforcement bodies. In this context, compliance also refers to preventive actions taken
to mitigate compliance risk, which is the risk of legal or regulatory sanctions, material
financial loss, or loss to reputation as a result of failure to comply with applicable rules.

10.1 Overview:
10.1.1 The Compliance unit of ICC will be responsible for ensuring that the Bank complies
with all regulatory requirements while conducting its business. They will
maintain liaison with the regulators at all levels and notify the other units
regarding regulatory changes. If required, this unit would contact regulatory
authorities for proper clarification on a particular issue and notify the
concerned departments accordingly.

10.1.2 If any major deviation is identified by the regulatory authority, they must ensure
to bring the matter to the knowledge of the Audit Committee of the Board, as
well as to Managing Director & Chief Executive Director of the Bank. Major
issues to be considered for proper functioning of ICC include commitment from
branch and divisional heads, standard operating process, regular discussion at
management level to review compliance, adequate maintaining of ICC and
appointment of experienced officers in the technical areas.

10.2 Establishment of a Compliance Culture


10.2.1 The Bank should have a strong compliance culture, in which employees
throughout the organization are encouraged to comply with policies, procedures
and regulations.
10.2.2 Even an individual at the lowest echelon should be empowered to speak up
without the fear of reprisal if he/she identifies something non-compliant.


10.2.3 The Board of Directors and the senior management must establish
a compliance culture within the banking organization that emphasizes and
demonstrates to all levels of personnel the importance of internal control.
10.2.4 In order to establish a compliance culture, the BoD & senior management
must promote high ethical and integrity standards.
10.2.5 In reinforcing ethical values, the banking organization should avoid
policies and practices that provide inadvertent incentives for inappropriate
activities. Examples of such policies and practices include undue emphasis
on performance targets or operational results, particularly short-term ones
that ignore long-term risks, and compensation schemes that overly depend
on short-term performance.

10.3 Independence of Compliance Functions


The status of the compliance unit should ensure appropriate authority
and independence. For independence, the following issues are to be considered:
10.3.1 The compliance unit should have a separate status within the bank;
10.3.2 This may be described in the bank’s compliance policy;
10.3.3 The document should be communicated to all the staff of the bank;
10.3.4 The role and responsibilities of the unit should be specified;
10.3.5 The independence of the unit should be ensured;
10.3.6 The relationship with other risk management units and with the
internal audit function should be clearly defined;
10.3.7 In cases where compliance requirements are carried out by staff of
other departments, their responsibilities should be clearly
allocated;
10.3.8 The unit should have the right of access to necessary information,
and all staff should co-operate in supplying information;
10.3.9 If any breach of the compliance policy is found, the unit should
have the power to suggest necessary action to the senior
management;
10.3.10 The unit is to express and disclose its findings freely to the Audit
Committee of the Board and, if necessary, the Board of Directors.


10.4 Compliance Process


10.4.1 For the banks, Bangladesh Bank is the primary regulator, which governs
their activities. In addition, National Board of Revenue, Registrar of Joint
Stock Companies and Firms, Bangladesh Securities and Exchange
Commission, Ministry of Finance, Ministry of Commerce, Ministry of
Environment, Ministry of Home Affairs, etc. are different types of
regulatory bodies whose directives have a significant impact on any bank’s
business.
10.4.2 The internal control system should always take into account the bank’s
internal processes to meet regulatory requirements before conducting any
operation.

10.4.3 The internal control system of the bank must be designed in a manner that
the compliance with regulatory requirements is recognized in each activity
of the bank. The bank must obtain regular information on regulatory
changes and distribute among the concerned departments, so that they can
take the necessary action to adapt to such changes.

10.4.4 Regulatory requirements are to be incorporated into the work process to
ensure full compliance.

10.4.5 The Bank has to ensure that all guidelines received from the regulatory
authority are properly disseminated among the relevant departments.

10.4.6 A particular unit (if possible Internal Control) should be responsible for
receiving regulatory guidelines, maintaining proper record and distribution
among all relevant units.
10.4.7 If required, this unit would contact regulatory authorities for proper
clarification on a particular issue and notify this to the concerned
departments accordingly.

10.4.8 When regulatory inspection is conducted on the operation of the Bank, this
unit should work as point of contact.
10.4.9 After receiving audit report, concerned office must ensure correction of the
said objection.

10.4.9.1 Corrective measures are to be taken and the appropriate response
is to be made in a timely fashion. Corrective measure means that
objections raised by the auditors are to be attended to in time and
in an appropriate manner.
10.4.9.2 If the concerned branch manager and respective officials fail to
comply in the stipulated time and ground, a notice will be given to
them, giving one month's time for Corporate, A.D & A-Grade, 3
weeks for B-Grade and 2 weeks for C & D-Grade Branches for the
rectification/compliance of the objections raised.
10.4.9.3 If they fail to comply, a 2nd reminder letter will be given to
the manager/respective officials, giving a 1 week time limit for
further compliance.
10.4.9.4 Then a final 7 days' notice will be given to the controlling
office to take necessary action for rectification/compliance.
10.4.9.5 The following administrative actions will then be taken for
non-compliance after exhausting all the above time limits:
a) Firstly, an explanation letter will be issued.
b) If the compliance is not satisfactory, a caution letter will
be given.
c) If the bank incurs financial loss due to further failure of
compliance, the matter is to be treated as a serious lapse.
A letter will be given to HRPDOD with a recommendation
that the increment of the related
officials/manager/zonal head be held up.
d) If the bank faces any major financial loss due to
non-compliance, it will be presented to MANCOM for taking
necessary action against the respective
officials/manager/zonal head.
e) If possible, the Audit team will instruct/guide branch
management for spot compliance/rectification of
minor/serious/major lapses detected.
10.4.10 If any major lapse is identified by the regulatory authority they
must ensure that the Audit Committee of the Board is also notified
along with the senior management of the branch.
10.4.11 This unit must arrange appropriate training for employees so that
employees are aware of the regulations that are necessary to
accomplish their job.


10.5 Regulatory Compliance:


10.5.1 The directives of the regulatory bodies like Bangladesh Bank, Ministry of
Finance, Office of the Income Tax Commissioner and the Office of the
Registrar of Joint Stock Companies and Firms etc. shall be complied with properly.
10.5.2 In this regard, the Internal Control & Compliance has been established to
ensure that all instructions, policies and regulations pertaining to the Bank’s
activities and functions are:
a) Circulated to the appropriate parties (to be ensured by the
controlling office, circle, zone); and
b) Archived by them for future reference and use (to be
ensured by the controlling office, circle, zone).

10.6 Functions of Compliance:


10.6.1 To receive audit and inspection report from audit and inspection unit and
Bangladesh Bank/Commercial Auditors;
10.6.2 Ensuring compliance with regulatory requirements and Bangladesh Bank
Inspection Reports/Commercial Audit Reports/Internal Audit Reports etc.;
10.6.3 Preparing compliance report of the Board and Audit Committee for
decisions;
10.6.4 Compiling all relevant circulars and guidelines and maintaining strong
liaison with the regulatory authorities;
10.6.5 Arranging meetings for reducing the number of audit objections;
10.6.6 Timely dissemination of all regulatory updates to the concerned departments;
10.6.7 Providing training & guidance on regulatory issues, etc.

10.7 There are five interrelated components to ensure strong internal control
over organization’s activities namely:

(1) Control environment;


(2) Control activities;
(3) Risk assessment;
(4) Information and communication, and
(5) Monitoring.


A structure of Internal Control Process is presented in the following diagram.


[Diagram: Internal control process, showing Monitoring, Control activities, Risk
assessment and Control Environment]

10.8 Information and Communication System


10.8.1 Every organization should devise a strong internal control environment as it is
the foundation for all other components of IC. The components of control
environment include management philosophy and operating style, integrity
and ethical values, competence, the Board of Directors or audit committee and
organizational structure and assignment of authority and responsibility.

10.8.2 The risk assessment component of the internal control framework
consists of the identification and analysis of relevant risks that may prevent the
attainment of the company’s objectives and the formation of a plan to determine
how to manage the risks. Since economic, industry, regulatory and operating
conditions will continue to change, mechanisms are needed to identify and deal
with the diverse risks associated with change. Information must be identified,
processed, and communicated so that appropriate personnel may carry out their
responsibilities.

10.8.3 The scope and frequency of separate evaluation will depend primarily on an
assessment of risks and the effectiveness of ongoing procedures. Internal
control deficiencies should be reported upstream; serious matters must be
reported to the Audit Committee of the BoD and the MD & CEO.

10.8.4 The Internal Control System (ICS) is intertwined with the Bank’s operating
activities and exists for fundamental business reasons. IC becomes most
effective only when controls are built into the entity’s infrastructure and are a
part of the essence of the enterprise. It is an integrated process where everyone
in an organization has responsibility in different capacities.


10.9 Responsibilities of the Management for Compliance


10.9.1 The Managing Director & CEO is ultimately accountable and should own
the system.
10.9.2 More than any other individual, the chief executive should uphold integrity,
ethics and other factors of a positive control environment.

10.10 Responsibilities of the Board of Directors for Compliance [18]

10.10.1 The bank’s Board of Directors is responsible for supervising the
total process of the bank’s compliance work.
10.10.2 All banks should have a compliance policy of their own approved by
BoD, which will be a formal document, for establishing a permanent
and effective compliance function.
10.10.3 At least once a year, the board or audit committee of the board should
review the scope of compliance policy whether it is working
effectively or not.
10.10.4 A bank’s compliance policy will not be effective unless the board
of directors promotes the values of honesty and integrity throughout
the institution.
10.10.5 They should also act proactively for implementing the policy,
ensuring that the compliance issues are resolved effectively and
expeditiously by senior management within the expected timeframe.
10.10.6 The board may delegate these tasks to its audit committee, if
necessary.

10.11 Responsibilities of Senior Management for Compliance [19]


10.11.1 The bank’s senior management is responsible for establishing
compliance policy approved by BoD, which contains the basic
principles to be followed and explains the main processes through
which compliance risks are to be identified and managed through all
levels of the institution.
10.11.2 Transparency should be promoted by making a distinction
between general standards for all employees and rules that only
apply to specific groups.

[18] BRPD Circular No. 11 (2013)
[19] BRPD Circular No. 03 (2016)

10.11.3 The duty of senior management is to ensure that the compliance
policy is observed and that appropriate corrective and
disciplinary action is taken in the event that breaches are identified.
10.11.4 Senior management should have plans for how to address any shortfalls
in policy, procedures, implementation or execution, should see how
effectively existing compliance risks have been managed, and should
look for the need for any additional policies or procedures to deal with
new compliance risks identified as a result of compliance risk
assessment at any time in a financial year;
10.11.5 They should report to the Board of Directors or Audit Committee of
the Board, if necessary, on the management of compliance risk.
10.11.6 In case of any significant material non-compliance, they should
report immediately to the Board of Directors or Audit Committee, in
cases such as failures that may lead to a significant risk of legal
or regulatory sanctions or fines, financial loss, or loss to reputation.

10.12 Responsibilities of the Head of Compliance [20]

10.12.1 The Bank should have an executive with overall responsibility for
coordinating the recognition and supervision of the bank’s
compliance risk and for supervising the activities of other
compliance officers.
10.12.2 The nature of the reporting line or other functional relationship
between officers exercising compliance responsibilities and the Head
of Compliance will depend on how the bank has chosen to organize
its compliance functions.
10.12.3 Compliance officers placed in business units or in subsidiaries may
have a reporting line to operating business unit management or local
management.
10.12.4 It is also mentionable that such officers may have a reporting line
to the Head of Compliance as regards their support units (e.g.
legal, financial control, risk management).
10.12.5 However, these units may work closely with the Head of ICC to
ensure that he can perform his responsibilities effectively.

[20] BRPD Circular No. 03 (2016)

10.13 Responsibilities of the Audit Committee


10.13.1 The Audit committee is often typically held responsible for
overseeing the financial reporting process and internal control system.
10.13.2 It also reinforces the internal control system and the internal and
external audit through encouraging the communication between the
members of the Board of Directors, senior management, the internal
audit department, the external auditor and the supervisory authority.
10.13.3 It confirms the initial audit charter and audit plan as well as the
resources required, and receives the internal auditor’s recommendations
and management’s plan for implementation.
10.13.4 The audit committee regularly discusses the institution’s risk areas
and has to report these findings to the Board of Directors.

10.14 Responsibilities of the Risk Management Committee [21]


10.14.1 The Risk Management Committee will comprise five members drawn from the
members of the Board of Directors and will be nominated for three years.
10.14.2 The company secretary will be the member secretary of that
committee.
10.14.3 During the implementation of strategic plan and policies developed by
BoD, Risk Management Committee will take steps for the mitigation
of risks efficiently.
10.14.4 Risk Management Committee will monitor, identify and quantify risks
and will make arrangement for building up necessary capital and
provisional reserve for the mitigation of risks (viz. credit risk, foreign
exchange risk, internal control and compliance risk, money laundering
risk, ICT risk, operational risk, interest risk, liquidity risk and other
risks).

10.15 Responsibilities of the Internal Auditors:


10.15.1 By conducting an extensive audit throughout the year and reporting
their findings in an appropriate manner, the internal audit team helps
management to address and resolve different risks and irregularities in
business operation.

[21] BRPD Circular No. 11 (2013)


10.15.2 The Internal Auditor should write a section in the audit report regarding
all the compliance issues of the branch/division.
10.15.3 Internal Auditors are controlled by the Audit and Inspection
Unit/Division; the Auditors who are posted in circle offices are also
accountable to the Head Office Audit and Inspection Division under
the ICC of Agrani Bank Limited.

10.16 Internal Audit Compliance:

10.16.1 Instruction Regarding Audit Compliance:


Categorization of audit objections, preparation of the audit report and
compliance with the audit report, etc. are being followed vide MD’s
memorandum No. MD: NIKO: 03:84/42 dated 15 August 1993, which
revised MD’s memorandum No. MD: NIKO: 03:84/74 dated
02 July 1985 and MD’s memorandum No. MD: NIKO: 03:84/203 dated
30 June 1986.

10.16.2 Definition of Nirikha Paripalan Patra-1 (NIPP-1):


10.16.2.1 NIPP-1 is a prescribed printed form used by the internal
auditors to write down the internal audit objections during
the audit period.
10.16.2.2 This form contains serial number of objections, description
of audit objections and compliance of the manager of the
branch.
10.16.2.3 The concerned manager of the branch sends the audit
compliance of the audit objections by using NIPP-1 to the
Audit Compliance Division.
10.16.2.4 NIPP-1 is only used for Minor Irregularities (MI).

10.16.3 Compliance with Nirikha Paripalan Patra-1 (NIPP-1):

10.16.3.1 A reminder letter is issued by the Audit Compliance unit to
the concerned Branch/Offices for sending compliances/
responses within a specified time frame. If the responses are
not received within the specified time frame, monitoring
functions will not be stopped/delayed.
10.16.3.2 When the primary response from the Branch Office is received
before the letter for compliance is issued, the concerned
section of the Audit Compliance unit will monitor any unsettled
irregularities mentioned in the Audit Report, the Format of
the manager’s compliance with NIPP-1.

10.16.4 Definition of NIPP-2 (ka):

10.16.4.1 It means Nirikha Paripalan Patra-2. It is a kind of prescribed
printed form ordered by MD: Circular/20/07, dated
02/09/2007.
10.16.4.2 This form contains serial number of lapses, types of lapses,
details of lapses and auditors’ remarks. Auditors prepare
NIPP-2 (ka) in three sets for the serious lapses/major lapses.
10.16.4.3 Previous audit objections which were not resolved up to the
current audit are mentioned in the first part of NIPP-2.
10.16.4.4 The serious lapses and major lapses identified in the current
audit are mentioned in the second part of NIPP-2 (ka).
10.16.4.5 The original copy of NIPP-2 (ka) is kept for use by the Audit
Compliance unit/Division and the second and third copies
are kept at the concerned Branch Office for Bangladesh Bank
and Branch Office’s own use.

10.16.5 Definition of NIPP-2 (kha):


10.16.5.1 It means Nirikha Paripalan Patra-2 (kha). It is a kind of
prescribed printed form ordered by MD: Circular 03:84/43
dated 15/08/93 & MD: Circular/20/07 dated 02/09/2007.
10.16.5.2 This Form contains serial number, lapses number, types of
lapses, details of lapses, compliance done by manager and
zonal head’s remarks.
10.16.5.3 After receiving DO Letter with NIPP-2 (kha) from the
Compliance unit, Branch Office will prepare
Compliance/response to the DO Letter within 15 calendar
days from the date of the receipt using the Format and send
it to the concerned Zonal Office.
10.16.5.4 Zonal Office will verify the Branch Office’s responses and
after verification, the response together with the Zonal
Office’s comments will have to be sent to the Compliance
unit within the above mentioned 15 calendar days.

10.16.6 Compliance with Response to Nirikha Paripalan Patra-2 (NIPP-2, Ka, Kha):
10.16.6.1 Auditors prepare NIPP-2 in three sets for the serious lapses
and major lapses.
10.16.6.2 Previous audit objections which were not resolved up to
current audit are mentioned in the first part of NIPP-2.
10.16.6.3 Due care is taken when these unresolved audit objections are
mentioned so that any or all unresolved audit objections are
mentioned in the NIPP-2.
10.16.6.4 The serious lapses and major lapses identified in the current
audit are mentioned in the second part of NIPP-2.
10.16.6.5 The original copy of NIPP-2 is kept for use by the Audit
Compliance unit and the second and third copies are kept at
the concerned Branch Office for Bangladesh Bank and
Branch Office’s own use.

10.16.6.6 Following the above procedure, the original copy of NIPP-2
is sent to the Compliance Division by the Audit Team.
10.16.6.7 The Audit & Inspection Division forwards it to the
Compliance unit.
10.16.6.8 The concerned section of the Compliance Unit will prepare a
Demi Official (DO) Letter where a summary of audit
objections and other relevant information are mentioned.
10.16.6.9 This DO letter is sent to the Head of the concerned Branch
office.
10.16.6.10 The DO Letter contains the serious lapses. A summary of the Audit
Report is sent to the concerned Circle Office/Zonal
Office/Branch Office for taking necessary actions.
10.16.6.11 After receiving the DO letter from the Compliance unit, the
Branch Office will prepare Compliance/response to the DO
letter within 15 calendar days from the date of the receipt
using the Format and send it to the concerned Zonal Office.


10.16.6.12 Zonal Office will verify the Branch Office’s responses and
after verification, the response together with the Zonal
Office’s comments will have to be sent to the Compliance
unit within the above mentioned 15 calendar days.

10.16.6.13 The Zonal Office will scrutinize the compliance of the
concerned Branch.
10.16.6.14 Necessary steps/guidance will be given by the Zonal Office
to resolve the audit objections.
10.16.6.15 Steps have to be taken to prevent the repetition of the same
nature of objections in subsequent audits.
10.16.6.16 After regularizing the audit objections mentioned in the
audit report, a compliance report is sent to the Head of ICC
within the specified timeframe.
10.16.6.17 If this compliance report is not sent within the stipulated
time, the main objective of the audit is not achieved.
10.16.6.18 For this reason, the concerned section of the Compliance
Division will take steps for receiving response through
issuing of reminder letter, if necessary.
10.16.6.19 A special report has to be prepared for the serious lapses
where the Bank is facing financial loss or there is a
possibility to incur financial loss in the future.
10.16.6.20 This special report has to be placed before the Head of ICC.
10.16.6.21 Head of ICC shall place the report to the Audit Committee
of the Board and the MD & CEO for taking administrative
action.
10.16.6.22 The MD & CEO shall take administrative action against
guilty officers/employees as per general practices of the
Bank, and accountability and good corporate governance
have to be ensured within the organization.

10.17 Settlement of Audit Objections


10.17.1 Internal audit objections settlement and file close:
10.17.2 Spot rectification:


During audit, some irregularities are rectified on the spot. The Audit
team must give emphasis on rectification of errors or omissions on the
report.

10.17.3 Meeting Prior to Submission:

On the closing day of the audit there must be a meeting between the head of
the Branch/Office and the Audit team members. In this meeting,
discussions are generally held on the objections raised by the auditors during the
audit period. If the branch office can satisfy the auditor, then on the basis
of consensus the objections may be settled, while the unsettled
objections are brought into the Audit report.

10.17.4 After audit settlement:


The procedures after audit settlement are as follows:

Action for Guilt: Ensuring the steps needed to be taken by the
Management/Controlling Office regarding the persons found guilty of
non-compliance or violation of the laws of the land and the policy, rules &
regulations of the Bank. After initiating or taking the required administrative
punitive action (such as show cause, suspension and legal action), the
matter will be handed over to MANCOM. MANCOM will then decide the
further action to be taken.

Audit objections are classified into four categories:

i) Minor Irregularities;
ii) Major Lapses;
iii) Serious Lapses.

10.18 Settlement of Minor Irregularities (MI) and File Close:

10.18.1.1 Minor irregularities are identified by the auditor and mentioned in
NIPP-1.
10.18.1.2 Branch Office will prepare Compliance/response within 15 calendar
days from the date of the receipt using the Format and send it to the
concerned Zonal Office.
10.18.1.3 Zonal Office will verify the Branch Office’s responses.


10.18.1.4 After verification, the response together with the Zonal Office’s
comments will have to be sent to the Audit compliance Division
within the above-mentioned 15 calendar days.
10.18.1.5 The Compliance Division/ Unit will raise the issue to line
management i.e., Head of ICC, MD & CEO for settlement of the
objections.

10.19 Settlement of Major Lapses (ML) and File Close:

10.19.1.1 For settlement of administrative objections, the Audit and Inspection
Division (AID) will raise the issue to the Head of ICC and ultimately to
the Audit Committee, if required.
10.19.1.2 When recovery or compliance is made by the branch regarding major
lapses, the Compliance Division will decide the settlement of the
objections.
10.19.1.3 When unsettled objections or irregularities are reported in the present
audit report, then previous objections are considered as transferred to
the present report and subsequently previous file is closed.
10.19.1.4 However, if any objection/major lapses are reflected in the next audit
report two times consecutively or it is found the major lapses are not
settled in the reasonable time then this type of major lapses will be
deemed to be serious lapses.
10.19.1.5 Auditors must always be careful to identify this type of lapses.
10.19.1.6 Any mistake or failure to recognize the major lapses goes against the
auditors.
10.19.1.7 Punitive actions for Deemed to be serious lapses are the same as the
action to be taken in cases of serious lapses.

10.20 Settlement of Serious Lapses (SL) and File Close:

10.20.1.1 For settlement of administrative objections / Serious Lapses (SL),
the Audit Compliance Division Internal (ACD-Int.) will raise the
issue to the Line Management through the Head of ICC. The Audit
Committee will give the final decision. In case of Serious Lapses
(SL), the audit file cannot be closed/transferred until the settlement of
the objection(s).
10.20.1.2 If required, the matter will be raised to the Board Meeting of the Bank.
10.20.1.3 When recovery or compliance is made by the branch regarding serious
lapses, the Compliance Division will decide the settlement of the
objections.
10.20.1.4 The Chief Audit Officer must place all SL before the Board Audit Committee
for decision.
10.20.1.5 Without the consent of the Audit Committee, no SL can be resolved.
The Audit Committee’s decision is final.
10.20.1.6 When unsettled objections or irregularities are reported in the present
audit report, then previous objections are considered as transferred to
the present report and subsequently previous file is closed.

10.21 Issuing Demi Official (DO) Letter:

10.21.1.1 After receiving the Audit Report by the Audit Compliance Division,
a DO letter has to be issued to Branch Offices/Division /Offices
within 15 days for sending compliance/response.
10.21.1.2 In the DO letter, a specific date for sending compliance /response has
to be mentioned.

10.22 Placement of Special Note:


10.22.1 A special note has to be placed for serious lapses, with a specific
recommendation fixing the person(s) and their responsibility along
with the punitive measures to be taken.
10.22.2 This office note requires the approval of the line management.
10.22.3 The time frame for sending responses after rectifying /complying with
the irregularities is as follows:

Branch Grade                   Time frame
A grade branch office          20 days
B grade branch office          15 days
C and D grade branch office    10 days

10.22.4 After obtaining approval from the MD & CEO, administrative action is to be
taken against guilty officers/employees as per general practices of the Bank, and
accountability and good corporate governance have to be ensured within
the organization.

10.23 Government Commercial Audit Compliance:


10.23.1 Audit is conducted in the branch offices of the Agrani Bank Limited as
well as Head Office, Divisional Offices, Circle Offices, Zonal Offices
by the office of the Director General, Directorate of the Government
Commercial Audit of CAG.
10.23.2 Branch Offices of the Bank are audited by the offices of the Deputy
Director of Dhaka, Chittagong, Rajshahi, Khulna and Sylhet
Government Commercial Audit.
10.23.3 At present Branch Offices of Sylhet and Barisal Divisions are audited
by the Offices of the Deputy Directors.
10.23.4 Government Commercial Audit is usually conducted on a period of
two years, sometimes on a period of three/four/five years.
10.23.5 Head Office/ Corporate Branch Offices are audited every year.
10.23.6 If required, Circle Offices and Zonal Offices are audited by the
concerned Directorate of the Government Commercial Audit.
10.23.7 Audit Objections of the Government Commercial Audit are categorized
into two classes.
(1) Ordinary Objections are categorized as Ordinary Objection or
ordinary clause and
(2) the serious financial objections are categorized as Advance
Objection or Advance clause.

10.23.8 Monitoring and Follow-up:


The following steps are taken to expedite the compliance audit by the Audit
Compliance Division.

10.23.9 Ordinary Objections:


10.23.9.1 The responses to the ordinary objections of the concerned
offices have to be reviewed within 30 calendar days from the
date of receipt of responses.
10.23.9.2 If it is found after review that ordinary objections are not
settled, a first reminder letter has to be issued within next 7
working days.
10.23.9.3 Thirty (30) calendar days will be allowed in the first
reminder letter to settle/ resolve the ordinary objections.
10.23.9.4 If the ordinary objections are not settled within the above
time frame, a second reminder letter has to be issued within
next 7 working days and a further 10 working days will be
allowed for compliance.
10.23.9.5 The copies of the second reminder letter have to be sent to
Circle office/ Zonal office.


10.23.9.6 If the situation does not improve, a third reminder letter has
to be issued within next 7 working days giving a final 10
working days for compliance.
10.23.9.7 The copies of the third reminder letter have to be sent to
Circle or Zonal office.
10.23.9.8 Closed correspondence has to be maintained until settlement.
10.23.9.9 Head of ICC may put up the matter to the Audit Committee of
the Board and Management for administrative action.
10.23.9.10 The BoD and the senior management would establish a code
of ethics that all levels of personnel must sign and adhere to.

10.23.10 Advance Objections/ Clauses:

10.23.10.1 The responses to the advance objections of the concerned
offices have to be reviewed within 30 calendar days from
the date of receipt of responses.
10.23.10.2 If it is found after review that advance objections are not
settled, a first reminder letter has to be issued within
next 7 working days. 30 calendar days will be allowed in
the first reminder letter to settle or resolve the advance
objections.
10.23.10.3 If the advance objections are not settled within the
above time frame, a second reminder letter has to be
issued within next 7 working days and a further 10
working days will be allowed for compliance.
10.23.10.4 Copies of the second reminder letter have to be sent to
Circle office and Zonal office.
10.23.10.5 If the situation does not improve, a third reminder letter
has to be issued within next 7 working days giving a final
10 working days for compliance. The copies of the third
reminder letter have to be sent to Circle or Zonal office.
10.23.10.6 Closed correspondence has to be maintained until
settlement.
10.23.10.7 The head of the Audit Compliance Division can put up
the matter to the Head of ICC to resolve the objection.


10.23.10.8 The summary of the time frame for sending reminder
letters and compliance thereon is shown as follows:

Responses have to be reviewed        : Within 30 calendar days
Issuance of first reminder letter    : Within next 7 working days
Days allowed for compliance          : Within next 30 calendar days
Issuance of second reminder letter   : Within next 7 working days
Days allowed for compliance          : Within next 30 calendar days
Issuance of third reminder letter    : Within next 7 working days
Days allowed for compliance          : Within next 10 calendar days

10.23.11 Commercial Audit Objections Settlement and File Close:
a) Spot rectification: During audit some irregularities can be
rectified on the spot. The audit team must insist on
rectification of errors or omissions on the spot, when possible,
and report accordingly.
b) Discussion meeting: At the closing day of the audit there
must be a meeting between the head of the branch and the
audit team members. As a result of this discussion, some
irregularities may be mitigated.
c) After audit settlement: Audit objections are classified
into two categories:
• Ordinary Objections (Nominal Objections)
• Advance Objections (Serious Objections)

10.23.11.1 Ordinary Objections:


i. Are settled when the Bank gives written evidence of
corrective action within a certain time, with
supporting/logical documents to the auditor.
ii. When the auditor is not convinced by the corrective
action taken by the branch, then a bi-party meeting
will be arranged for the settlement of the objections
raised. The Bank will remain present in the meeting
with supporting documents for onward settlement of
the objections in question.
iii. Following the above procedures, if the auditors are
convinced, then they will issue an office order
regarding the settlement of the audit objections.
10.23.11.2 Advance objections:

i. The concerned branch is to provide a written
confirmation of corrective action with related
supporting documents, viz., photocopies of
vouchers, A/c Statements, certificate of
compliance, etc. and the auditors, if convinced by
these, will issue a circular letter regarding the
settlement of the audit objections.
ii. When the stipulated time has expired and the
auditor is not convinced by the corrective action
taken, then a tri-party meeting will be arranged for
the settlement. The Bank will remain present in the
meeting with supporting documents for onward
settlement of the objections in question.
iii. After following the above procedures subject to
the full satisfaction of the auditors, they will issue
an office order regarding the settlement of the
audit objections.
10.24 Bangladesh Bank Inspection Compliance:
10.24.1 Bangladesh Bank, as the regulatory authority of the nationalized
commercial Bank, conducts inspection/audit in order to ascertain whether
Bangladesh Bank’s policies/guidelines are implemented/followed by the
Bank. This inspection is usually conducted annually on the branch offices
and divisions of the Head Office. Bangladesh Bank inspects the Branch
offices in the following four categories:
• Agriculture Loan Inspection
• Detailed Inspection
• Special Inspection on certain issue
• Foreign trade transaction inspection

10.24.2 Bangladesh Bank Inspection objections settlement and file close:


10.24.2.1 Compliance made by the branch with logical documents is required for the
settlement of audit objections. On receipt of the compliance
certificate from the branch manager with the zonal head’s and circle head’s
countersignatures, the Audit Compliance Division will give the decision on
final settlement of the objections.
10.24.2.2 When unsettled objections/irregularities are found and reported in the
present Inspection report of Bangladesh Bank then automatically previous
objections are transferred and considered as file closed.

10.24.2.3 For the settlement of long outstanding objections, the Audit
Compliance Division will arrange a meeting with Bangladesh Bank and
Agrani Bank Limited’s top management. During discussion some
objections are settled and others are reviewed (if Bangladesh Bank is not
convinced). Bangladesh Bank will issue a re-notice for unsettled objections.
The Audit Compliance Division will inform the concerned branch
regarding the settled objections.

10.24.3 Special Inspection on specific issue:


10.24.3.1 Bangladesh Bank conducts special inspection/investigation when it
receives objections from customers, any other parties or any branch
office regarding Branches’ daily irregular activities. Bangladesh Bank also
conducts investigation into irregularities that may be mentioned in the
newspaper.

10.24.3.2 After investigation, a detailed description of the objections/complaints,
specifying the guilty officers/employees, is mentioned with a suggestion for
taking administrative action.

10.24.3.3 If the Bank thinks or if the Bank has a difference of opinion on the same
issue, investigation is done by the Audit & Inspection Division.

10.24.3.4 With the approval of the line management necessary steps can be taken
against the concerned employees by the Head of ICC.
10.24.4 Inspection regarding Foreign trade Transactions:
10.24.4.1 Foreign trade inspection Division of Bangladesh Bank inspects the
authorized dealer branch offices of the Bank.
10.24.4.2 Head of ICC will receive the file through the Managing Director about
this inspection.
10.24.4.3 The Audit Compliance Division collects the responses from the
concerned branches/ offices and then sends those responses to Bangladesh
Bank.
10.24.4.4 If necessary, the Audit Compliance Division monitors subsequent
actions regarding the file.
10.25 External audit Compliance:
10.25.1 As per section 24 of the Bangladesh Bank Nationalization Order 1972 and
subsequently the Banking Companies Act 1991, at least two chartered
accountant firms established under the Bangladesh Chartered
Accountants Order, 1973 (Presidential Order 2 of 1973) are appointed as
auditors of the Bank to conduct the audit.
10.25.2 The Audit firm conducts the audit and examines the financial statements
and other schedules/notes of the accounts of the Bank. After the audit
is completed, the Audit firm submits its auditor’s report along with
the financial statements.
10.25.3 Settlement of objections raised by Audit Firm appointed by Board
and file close:

The management of Agrani Bank Limited will take necessary action
centrally under the coordination of the Head of ICC to resolve the
objections raised by the Audit firm appointed by the Board.
10.26 Audit Clearance:
10.26.1 Audit clearance of Agrani Bank’s executives/officers/employees is necessary during
Preparatory Leave before retirement/Retirement and clearance at the time of Annual
salary Increment and Promotion.
10.26.2 The Audit Compliance Division issues audit clearance against the Memorandum of
the HR Department when executives/officers/employees of the Bank plan to go on
Preparatory Leave/Full retirement.
10.26.3 Audit clearance is also issued against the Memorandum regarding annual salary
increment/ promotion of the employees of the Bank. This division issues audit clearance
after judging the documentations.
11 Conclusion:
11.1 Agrani Bank Limited is playing a key role in the acceleration of development of
Bangladesh economy. It is one of the prime institutions for economic uplift of the people
of Bangladesh. It is one of the main vehicles for developing Bangladesh economy as a
whole. There are crises as well as achievements in the journey of long 42 years of banking
since independence.
11.2 The bank as a development partner must be transparent. So, there is a need to pursue a
systematic examination of books and records in order to ascertain or verify and to report
upon the facts regarding its financial operation and result thereof. In this regard there is a
direction of Bangladesh Bank that the banks should have their own Internal Control and
Compliance manual. Bangladesh Bank sets out some guidelines, in pursuance of those,
Agrani Bank Limited developed the ICC manual for its Internal Control and Compliance
purpose.
11.3 In this manual the procedures, rules and guidelines are constructed in such a way that
the related officials under ICC can easily use it as a reference in discharging their duties and
responsibilities perfectly and efficiently. Moreover, it may be treated as a guideline for
others.
11.4 We believe that this Policy & Procedure-2016 [Internal Audit (Risk Based) Manual,
Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual] will
strengthen the Internal Control system of our Bank and will play a vital role towards achieving
our goal for a modern and vibrant Agrani Bank Limited.

11.5 This is not the final work. In fact, this is a continuous process. There will be always an
option for change to cope with the need of the time.


FRAUD DETECTION AND MANAGEMENT POLICY

Preface
Globally, banking services face numerous threats, including cyber crime, theft,
fraud, forgery and money laundering. The Bank can take initiatives at different
levels of management to prevent these risks.

Forgery involves making a false document, signature, or other imitation of an object of
value with the intent to deceive another. Bank management can enforce compliance with banking
policy and instruction circulars at every level of the bank and raise awareness of the risks.
Necessary administrative action should be taken against anyone who commits forgery or is related
to such a crime. Before punishment, the level of the crime is to be analyzed.

Internal Audit of ICC can play a vital role in preventing and detecting fraud and forgery. This will
also affect the resources devoted to fraud-related tasks by audit. It is important for all auditors to give
proper consideration to the risk and materiality of fraud in the bank. If auditors find any fraud or
forgery, they should report it to the concerned management for administrative action.

Circle/Zonal Heads can also play a vital role in preventing and detecting fraud and forgery at branch
level by inspecting whether detected objections are properly complied with.
Managers and related officers of branches should be alert to any fraud or forgery and create
a compliance culture regarding all kinds of objections. The branch manager should also create
a culture of reading circulars, guidelines, policies and related manuals among all officers
in the branch after day end.

IT knowledge is to be enhanced at all levels and duties are to be rotated on a timely basis among
officers.
It is hoped that this policy will strengthen the Internal Control and Compliance system in the bank
and make it possible to reduce irregularities. This will play a vital role towards achieving our goal
for a modern and vibrant Agrani Bank Limited.

All executives, officers and employees are requested to comply with the fraud detection and
management policy of the bank.


Chapter-Eleven
Overview
Nowadays business patterns have changed and financial institutions are in a highly
competitive position. Market growth and technological development are continuously
upgrading banking services. With this rapid pace of business, some risks are involved
in day-to-day business transactions. Agrani Bank Limited is a state-owned commercial bank
and has 953 branches all over Bangladesh. In this changing environment of the banking sector,
Agrani Bank Limited keeps up with the trend through its Information Technology System. The use
of modern technology makes services faster, but it also creates new risks for Agrani Bank’s
services. In the context of risk, fraud is an integral part of services, which people commit
intentionally or unintentionally. The aims of the policy are to assess the possibility of
fraud and forgery being committed and to detect it so as to prevent it in future. The policy helps
to build awareness and develop processes for all levels of staff of Agrani Bank Limited.

Agrani Bank Limited has been complying with various circulars/guidelines for
Fraud Detection and Management. For good governance, a separate policy regarding
Fraud Detection and Management needs to be formulated.

As per the requirement of Bangladesh Bank and Pillar-II (Supervisory Review Process) of
BASEL-III, every Bank should take steps to strengthen its operational activity to reduce fraud
and forgery. For reducing or stopping fraud and forgery as per the directive of Bangladesh
Bank, Agrani Bank Limited has formulated this policy, named the “Fraud Detection and
Management Policy”.


12.1 Objectives of Policy


The “Fraud Detection & Management Policy” has been framed to provide a guideline for
detecting and preventing fraud, reporting detected or suspected fraud and fair dealing with
matters pertaining to fraud. The policy will also ensure and provide for the following:
i) to ensure that management is aware of its responsibilities regarding
detection and prevention of fraud;
ii) to establish measuring procedures for preventing fraud and detecting it when
it occurs;
iii) to provide clear guidance to employees and others who deal with Agrani
Bank Limited;
iv) to take administrative action against those involved in fraudulent
activity;
v) to conduct special audits to detect fraud and forgery happening at any level of the
bank.

12.2 Scope
This policy applies to all levels (such as Branch/Zonal office/Circle/Division/Subsidiaries/
Agent/Employees/Customers/Stakeholders etc.) of Agrani Bank Limited.

12.3 Effect of Fraud


Agrani Bank Limited is a state-owned commercial Bank in Bangladesh with a huge business
portfolio. The Bank does business in Bangladesh in a competitive manner, depending on
continually developing technology. In the regular working process, all departments are closely
interlinked with one another. Any kind of illegal activity that is defined as fraud has a great
impact on the Banking operation.

Some impacts of fraud are stated below:

• Loss of funds;
• Bad press publicity;
• Loss of trust;
• Staff anxiety;
• Increasing inspection/audit costs;
• Disclosure of confidential information;
• Damage to credibility;
• Loss of reputation.

12.4 Definition of Fraud

• Fraud means intending to take unethical advantage of another. In other words, fraud
is an act intended to deceive and to cause wrongful loss to another, whether by
concealment of facts or otherwise.

• The term ‘fraud’ commonly includes activities such as corruption, conspiracy,
embezzlement, money laundering, bribery and extortion etc.

• Some instances that Agrani Bank Limited has faced include misrepresentation
of books of accounts, fraudulent encashment of instruments (e.g. cheques, bills of
exchange), unauthorized handling of securities charged to the bank, embezzlement,
misappropriation of funds, cheating, shortages, irregularities etc.

12.5 Types of Fraud
Generally, two types of fraud exist in any organization, based on the involvement:
1. Internal Fraud
2. External Fraud

Internal Fraud
• Asset Misappropriation: Cash; Non Cash
• Fraudulent Statement: Financial; Non Financial
• Corruption: Conflicts of interest; Bribery; Extortion

External Fraud
• System Security: 1. Hacking 2. Damage 3. Theft of information
• Theft & Fraud: 1. Theft/Robbery 2. Forgery 3. Cheque Kiting
• Social Engineering: 1. Fake Identity 2. Close relation

Fraud is a broad legal concept that generally refers to an intentional act committed to secure
an unfair or unlawful gain. Misconduct is also a broad concept, generally referring to
violations of laws, regulations, and internal policies. Together, they fall into the following
categories of risk that can undermine public trust and damage the bank’s reputation for
integrity:

• Fraudulent financial reporting (e.g., overstatement of assets, understatement of
liabilities);

• Misappropriation of assets (e.g., embezzlement, payroll fraud, external theft,
procurement fraud, royalty fraud, counterfeiting);

• Expenses or liabilities avoided by fraudulent or illegal acts (e.g., tax fraud,
falsifying compliance data provided to regulators);

• Other misconduct (e.g., conflicts of interest, discrimination, antitrust practices,
environmental violations);

• Acts committed on the bank, by the bank or for the bank, from internal or
external sources, and concealed. These acts are typically illegal or denote
wrongdoing, as in the case of financial misstatement, policy violation, ethical lapse,
or a perception issue.

12.6 Reasons for the occurrence of fraud:

The following are some of the act(s) which constitute fraud:
• Forgery or alteration of any document or account belonging to the bank;
• Forgery or alteration of a cheque, bank draft or any other financial instrument etc.;
• Misappropriation of funds;
• Accounting juggling;
• Utilizing the bank’s funds for personal purposes;
• Misuse of T-24 software;
• Lack of supervision by the defined office (such as Circle/Zonal Office);
• Branch manager relying on a single officer;
• Lack of day-to-day voucher checking at the branch.

Fraud and forgery may be committed in many ways. Many circulars, including the latest ICC Policy
and Procedure, enumerate most of them, as stated below:

12.7 General Banking Operation Related Fraud:


i. Misappropriation of cash from counter or vault;
ii. At the end of banking hours, keeping a cheque/voucher in the vault as part of cash
without debiting the relevant account;
iii. Cash misappropriation by keeping fewer notes in a bundle;
iv. Cash misappropriation from a customer by not posting in the cash receiving register and
depositing to the customer account;
v. Transfer of a customer’s deposited amount to another account by striking
through/erasing/overwriting/writing above entries in the cash receiving register, for
misappropriation of cash;
vi. Misappropriation of cash through issuing a pay order, security receipt, DD, TT etc.
without receiving the appropriate amount for the same;
vii. Illegal withdrawal of money from an account by replacing the AOF and SS Card;
viii. Illegal withdrawal of money by changing the figure on a cheque;
ix. Misappropriation of cash through false cash remittance from one branch to
another branch;
x. Misappropriation of cash by receipt of cash from a feeding branch without
depositing it at the branch. Temporary misappropriation of cash by receiving cash from
a feeding branch without responding to the IBDA/MODA for a few days;
xi. Misappropriation of cash by receiving electricity, WASA, telephone, gas bill payments etc.
without depositing them to the relevant account and sending a false statement. In addition,
receiving cash against the mentioned bills without depositing it to the relevant
account on the same day, for pocket banking, and depositing it on the following
day;
xii. Misappropriation of cash through a fake debit to an inter-branch/Sonali Bank Ltd/
Bangladesh Bank account and a fake credit of the same to another account;
xiii. Cash withdrawal from a customer’s account by deception through a counterfeit
signature or a duplicate cheque. Misappropriation of money from a
customer’s account through issuance of a cheque book using another requisition form
(B-Form) instead of the used cheque book’s requisition form. Misappropriation of
money from a customer’s account through illegal withdrawal by creating a false
deposit;
xiv. Misappropriation of cash by paying internal food procurement and
jute purchase bills more than once;
xv. Misappropriation of money against payment of fake and counterfeit DD, TT, MT
etc. Fraud and forgery occurring due to non-compliance with permanent instructions,
rules and regulations;
xvi. Illegal withdrawal of money by illegally changing the balance of an account at the
time of BF in the ledger;
xvii. Payment of money through a fake deposit in an account, and cheque payment without
debiting the relevant account;
xviii. Fake fund transfer through fake transfer voucher posting;
xix. Fake balancing of ledgers and various heads of accounts;
xx. Withdrawal of money exceeding the deposit balance of the account;
xxi. Misappropriation of cash through payment of a cheque by inserting a fake entry in a
register/financial statement;
xxii. Temporary misappropriation of cash by holding the cash without crediting it to the
relevant account, and permanent misappropriation by crediting the same to another
account, against collection of another bank’s cheque, Pay Order, Pay Slip, Security
Receipt etc. from outside the clearing area. No such account maintained, i.e. no lodgment
voucher passed;
xxiii. Misappropriation of money by multiple payment through replacing an instrument
(cheque, DD, FDD, Pay Order, Pay Slip, Security Receipt etc.) containing an
undated Cash Payment/Transfer seal which was paid earlier. In the same manner,
misappropriation of money by multiple payments of instruments which were paid
earlier and bear no cancellation or no Cash Payment/Transfer seal;
xxiv. Misappropriation of a customer’s deposited cash by posting the same to the
customer’s account without a voucher instead of first posting it to the receiving
register, and later, on the same day, adjusting that fake entry by passing a transfer
voucher;
xxv. Misappropriation of cash through changing the cash position by
erasing/overwriting/striking through/writing above;
xxvi. Misappropriation of cash from the vault using duplicate keys; and
xxvii. Temporary misappropriation through illegal withdrawal from a suspense account
and subsequent adjustment thereto, or permanent misappropriation by adjusting
the same to another account.

12.8 Credit Operation Related Fraud


i. Misappropriation of money through disbursement of unauthorized and fake loan;
ii. Fake loan sanction/disbursement; loan sanctioned/disbursed without the
existence of a business (showroom/factory/offices etc.);
iii. In the case of cheque-related loans, misappropriation of money through false posting
marks in CC Hypo, CC Pledge, OD Hypo etc.;
iv. Misappropriation of money through excess disbursement of loan against sanctioned
amount;
v. Issuance of unauthorized Bank Guarantee.

12.9 Foreign Trade and Foreign Exchange Operation Related Fraud:


i. Unauthorized opening of L/C by exceeding discretionary power;
ii. In the case of foreign exchange transactions, embezzlement of part of the income
by depositing it to another account instead of the income account;
iii. Illegal financial benefit provided to the exporter by purchasing a fake export bill;
iv. Unauthorized opportunity given to release goods through an indemnity bond;
v. Embezzlement of money from an L/C or L/G margin account through transactions by
fake voucher;
vi. While paying a foreign bill, debiting the International Division of Head Office by
quoting an excess exchange rate, depositing the excess amount in another head of
account and embezzling it;
vii. Embezzlement of money through fake IBP;
viii. Illegal financial benefit provided to the applicant of a local back-to-back L/C through
giving acceptance to a bill, with the involvement of the importer and supplier/exporter,
without confirmation of the supply of goods or receipt of goods at the
factory/warehouse.

Chapter-Twelve

Fraud Detection
13.1 Concept of fraud:
13.1.1 Organizations can never eliminate the risk of fraud entirely. There are some people
who are motivated to commit fraud, and an opportunity can arise for someone in any
organization to override a control or collude with others to do so. Therefore, detection
techniques should be flexible, adaptable, and continuously changing to meet the various
changes in risk.

13.1.2 Although every organization is susceptible to fraud, it is not cost-effective to try to
eliminate all fraud risk. If the estimated costs of designing, implementing, and monitoring
the controls against fraud, such as tools, personnel, or training, exceed the estimated impact
of the risk, the controls may not be cost-effective to implement.

13.1.3 A fraud detection strategy should involve use of analytical and other procedures to
highlight anomalies, and the introduction of reporting mechanisms that provide for
communication of suspected fraudulent acts. Key elements of a comprehensive fraud
detection system would include exception reporting, data mining, trend analysis and ongoing
risk assessment. Detection techniques should be established to uncover fraud events when
preventive measures fail or unmitigated risks are realized.

13.1.4 Persons who committed fraud have shown that most people do not originally set out
to commit fraud. Often they simply took advantage of an opportunity; many times the first
fraudulent act was an accident – perhaps they mistakenly processed the same invoice twice.
However, when they realized that it was not noticed, the fraudulent acts became deliberate
and more frequent. Fraud investigators talk about the 10 - 80 - 10 law, which states that 10%
of people will never commit fraud; 80% of people will commit fraud under the right
circumstances; and 10% actively seek out opportunities for fraud. Therefore, we need to be
vigilant for the 10% who are out to get us and we should try to protect the 80% from making
a mistake that could ruin their lives.

13.1.5 Generally, fraud occurs because of a combination of opportunity, pressure and
rationalization. An opportunity arises, the person feels that the act is not entirely wrong,
and has pressure pushing them to commit the fraud.

13.1.6 Opportunity. An opportunity is likely to occur when there are weaknesses in the
internal control framework or when a person abuses a position of trust.

13.1.7 Pressure. The pressures are usually financial in nature.

13.1.8 Rationalization. In the criminal’s mind, rationalization usually includes the belief
that the activity is not criminal. They often feel that everyone else is doing it; or that no one
will get hurt; or “it’s just a temporary loan, I’ll pay it back”, and so on.

13.2 Potential Fraud Indicators / Symptoms:


Fraudsters often display certain behaviors or characteristics that may serve as warning signs
and may relate to time, frequency, place, amount, or personality. Warning signs include
overrides of controls by management or officers, irregular or poorly explained management
activities, consistently exceeding goals/objectives regardless of changing business
conditions and/or competition, a preponderance of non-routine transactions or journal
entries, and problems or delays in providing requested information. They also include transactions
that lack documentation or normal approval, employees or management hand-delivering
checks, customer complaints about delivery, and poor IT access controls such as poor
password controls. The indicators of fraud are furnished below; this list may grow day by
day depending on fraudsters’ behavior/nature:
i. Anonymous emails/letters/telephone calls.
ii. Emails sent at unusual times, with unnecessary attachments or to unusual
destinations.
iii. Discrepancy between earnings and lifestyle of employees.
iv. Unusual, irrational or inconsistent behavior.
v. Alteration of documents and records.
vi. Extensive use of correction fluid and unusual erasures.
vii. Photocopies of documents in place of originals.
viii. Rubber stamp signatures instead of originals.
ix. Signature or handwriting discrepancies.
x. Missing approvals or authorization signatures.
xi. Transactions initiated without the appropriate authority.
xii. Unexplained fluctuations in stock account balances, inventory variances
and turnover rates.
xiii. Subsidiary ledgers, which do not reconcile with control accounts.
xiv. Extensive use of ‘suspense’ accounts.
xv. Inappropriate or unusual journal entries.
xvi. Confirmation letters not returned.
xvii. Higher than average number of failed login attempts.
xviii. Systems being accessed outside of normal work hours or from outside
the normal work area.
xix. Controls or audit logs being switched off.
xx. One man show.
xxi. Lack of experienced employees.
xxii. Lack of management supervision of staff.
xxiii. Poor access controls in IT security systems.
xxiv. Unauthorized access to systems by employees or external users.
xxv. Sensitive data being stolen, leaked or lost.
xxvi. Breaches in data security and privacy.
xxvii. High volume of classified.
xxviii. High volume of demand loan.
xxix. Abnormal transactions to any GL and PL account (Deposit, Loan, Sundry
debtors, Sundry Creditors, Provision account, Interest accruals account,
Depreciation etc.)

13.3 How to detect Fraud?


13.3.1 Whistleblower Hotlines: Marketing the existence of a hotline to increase awareness,
making it easy to use, and promoting the timely handling of all reported issues are strong
preventive measures that should supplement the detective control of hotlines. The hotline
should be promoted with educational materials provided to shareholders, employees,
customers and vendors all of whom can provide valuable information from a variety of
reliable sources. Hotlines are available 24 hours a day, 365 days a year. Internal Control
and Compliance (ICC) and Vigilance Division (MD’s Squad) may act as Whistleblower
Hotlines of Agrani Bank Limited. Some salient features of Whistleblower Hotlines are stated
below:
i. Anonymity to any individual who willingly comes forward to report a suspicion of
fraud will be ensured and encouraged;
ii. Whistleblower hotlines preserve the confidentiality of callers and provide
assurance to employees that they will not be retaliated against for reporting their
suspicions of wrongdoing including wrongdoing by their superiors;
iii. Reporting may be directly to the Audit Committee of the Board in case of suspected
fraud that involves Senior Management;
iv. Action will be taken on reports lodged by complainants.
13.3.2 Background Reading: It is important to keep up-to-date with fraud trends and issues
through the press, technical journals, books and the internet.
13.3.3 Benchmarking: Comparisons of one financial period with another, or of the performance
of one cost centre or business unit with another.
13.3.4 Ratio Analysis: Can be used to identify any abnormal trends or patterns.
13.3.5 Specialist Software: Such as audit tools for data matching analysis can prove very
useful. Other tools allow for analysis such as real time transaction assessment, targeted
post-transactional review, or strategic analysis of management accounts.
13.3.6 Risk Assessment: Undertake a fraud risk assessment and design specific tests to detect
the significant potential frauds identified through the risk assessment. Act on
irregularities that raise concern.
13.3.7 Systems Analysis: It is important to examine the systems in place and identify any
weaknesses that could be opportunities for the fraudster.
13.3.8 Mathematical Modeling: Using the ‘sort’ tool on a spreadsheet can help to identify
patterns in expenditure etc. Database modeling can also be used.
13.3.9 Exception Reporting: Many systems can generate automatic reports for results that
fall outside predetermined threshold values (exceptions), enabling immediate
identification of results deviating from the norm. E-mails or text alerts can be sent
directly to appropriate managers to follow up.
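An added example, not part of the bank's policy or systems: a minimal exception report of the kind 13.3.9 describes, applied to indicators xiv, xvii, xviii and xix of section 13.2. The log format, event names, account heads and threshold values are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, time
from statistics import median

# Assumed thresholds for illustration; the policy sets no numeric values.
WORK_START, WORK_END = time(9, 0), time(18, 0)   # normal working hours
FAILED_LOGIN_FACTOR = 3     # flag users above 3x the median failure count
FAILED_LOGIN_FLOOR = 3      # counts at or below this are never flagged
SUSPENSE_MAX_POSTINGS = 2   # suspense postings tolerated per user per period

# Constructed sample log, one record per line: timestamp|user|event|detail
SAMPLE_LOG = """\
2022-03-01T09:12:44|officer_a|LOGIN_FAIL|
2022-03-01T09:13:02|officer_a|LOGIN_OK|
2022-03-01T10:01:10|officer_b|LOGIN_FAIL|
2022-03-01T10:01:30|officer_b|LOGIN_FAIL|
2022-03-01T10:02:05|officer_b|LOGIN_OK|
2022-03-01T11:20:00|officer_c|LOGIN_OK|
2022-03-01T11:25:00|officer_c|POSTING|SUSPENSE:50000
2022-03-01T11:40:00|officer_c|POSTING|SUSPENSE:72000
2022-03-01T12:05:00|officer_c|POSTING|SUSPENSE:18000
2022-03-01T14:00:00|officer_a|POSTING|SAVINGS:12000
2022-03-01T21:47:13|officer_d|LOGIN_FAIL|
2022-03-01T21:47:40|officer_d|LOGIN_FAIL|
2022-03-01T21:48:05|officer_d|LOGIN_FAIL|
2022-03-01T21:48:31|officer_d|LOGIN_FAIL|
2022-03-01T21:49:02|officer_d|LOGIN_FAIL|
2022-03-01T21:50:00|officer_d|LOGIN_OK|
2022-03-01T21:52:30|officer_d|AUDIT_LOG_OFF|
2022-03-01T21:55:00|officer_d|POSTING|SUNDRY_DEBTORS:250000
2022-03-01T22:10|officer_d|POSTING
"""


def parse_log(text):
    """Return (events, malformed_line_numbers); damaged lines are kept, not dropped."""
    events, malformed = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("|")
        try:
            if len(fields) != 4:
                raise ValueError("expected 4 fields")
            ts, user, kind, detail = fields
            head, _, amount = detail.partition(":")
            amount = int(amount) if kind == "POSTING" else 0
            events.append((datetime.fromisoformat(ts), user, kind, head, amount))
        except ValueError:
            malformed.append(line_no)
    return events, malformed


def exception_report(text):
    """Return a list of (rule, subject, detail) for results outside the thresholds."""
    events, malformed = parse_log(text)
    # A record that cannot be read is itself an exception worth following up.
    report = [("MALFORMED_RECORD", f"line {n}", "could not be parsed") for n in malformed]

    # Indicator xvii: higher than average number of failed login attempts.
    users = {user for _, user, _, _, _ in events}
    fails = Counter(user for _, user, kind, _, _ in events if kind == "LOGIN_FAIL")
    baseline = median(fails[u] for u in users) if users else 0  # includes zero-failure users
    limit = max(FAILED_LOGIN_FLOOR, FAILED_LOGIN_FACTOR * baseline)
    for user in sorted(users):
        if fails[user] > limit:
            report.append(("FAILED_LOGINS", user, f"{fails[user]} failures, limit {limit:g}"))

    # Indicator xviii: systems accessed outside normal working hours.
    late = Counter(user for ts, user, kind, _, _ in events
                   if kind != "LOGIN_FAIL" and not WORK_START <= ts.time() < WORK_END)
    for user in sorted(late):
        report.append(("OUT_OF_HOURS", user, f"{late[user]} events"))

    # Indicator xix: controls or audit logs being switched off (always reported).
    for ts, user, kind, _, _ in events:
        if kind == "AUDIT_LOG_OFF":
            report.append(("AUDIT_LOG_OFF", user, ts.isoformat()))

    # Indicator xiv: extensive use of suspense accounts.
    count, total = Counter(), Counter()
    for _, user, kind, head, amount in events:
        if kind == "POSTING" and head == "SUSPENSE":
            count[user] += 1
            total[user] += amount
    for user in sorted(count):
        if count[user] > SUSPENSE_MAX_POSTINGS:
            report.append(("SUSPENSE_USE", user,
                           f"{count[user]} postings totalling {total[user]}"))
    return report


if __name__ == "__main__":
    for rule, subject, detail in exception_report(SAMPLE_LOG):
        print(f"{rule:17} {subject:10} {detail}")
```

The median is used as the baseline so that a single heavy offender does not raise the threshold that is meant to catch them.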
13.4 Mandatory Leave: Mandatory leave may be sanctioned when necessary or when management
so desires, as it is very effective for detecting and preventing fraud by the duty officer concerned. As per
the ICC Policy, the following terms should be considered for mandatory leave.
Criteria:
i. Management will sanction mandatory leave at any time as required; no
time limit will be applicable in this case.
ii. This leave cannot be claimed.
iii. The leave sanction can only be changed by management; the employee cannot
claim an alteration.
iv. There will be no monetary sanction such as 01 (One) month’s basic salary.

13.5 Experience: An experienced/trained employee is a good basis for fraud detection. A
broad understanding of business processes, knowledge of the systems and procedures
of the bank’s activities, and the ability to think and act logically are essential for
detecting fraud efficiently and effectively; the employee develops these with
experience.
13.6 CCTV: Technology is a double-edged sword. The security camera is one of the
wonders of modern technology, and has gained immense popularity as an effective
security measure. Footage from security cameras can help make correct and fair
decisions. It helps to detect fraud in the following ways:
i. Deter Crime;
ii. Monitor Scenarios and Activities;
iii. Gather Evidence;
iv. Arrive at the Right Decisions;
v. Maintain Records.

In this regard, CCTV footage should be preserved for at least 1 (one) year. In the case of any
incident under investigation, CCTV footage should be preserved until the settlement of the
said issue.

13.7 Fraud Investigation


13.7.1 A fraud investigation consists of gathering sufficient information about specific
details and performing those procedures necessary to determine whether fraud has
occurred, the loss or exposures associated with the fraud, who was involved, and how
it happened.

13.7.2 An important outcome of investigations is that innocent persons are cleared of
suspicion. Investigations attempt to discover the full nature and extent of the fraudulent
activity, not just the event that may have initiated the investigation.

13.7.3 Investigation work includes preparing, documenting, and preserving evidence
sufficient for potential legal proceedings.

13.7.4 Agrani Bank’s ICC, Vigilance Division (MD’s Squad) and other specialists may
conduct or participate in fraud investigations.
13.7.5 Investigations and the related resolution activities need to be carefully managed
in accordance with Agrani Bank Service Rule.
13.7.6 Local laws may direct how and where investigations are conducted, disciplinary
and recovery practices, and investigative communications. It is in the best interest of
Agrani Bank Limited, both professionally and legally, to work effectively with the
bank’s legal counsel and to become familiar with the relevant laws in the country where
the fraud investigation occurs.
13.8 Investigation Procedure
13.16.1 A plan is developed for each investigation following the bank’s investigation
procedures or protocols. The lead investigator determines the knowledge, skills, and
other competencies needed to carry out the investigation effectively and assigns
competent, appropriate people to the team. This process includes obtaining assurance
that there is no potential conflict of interest with those being investigated or with any
of the employees in the bank.

13.16.2 The plan should consider the following investigative activities:


a. Gathering evidence through surveillance, interviews, or written statements.
b. Documenting and preserving evidence, considering legal rules of evidence, and
the business uses of the evidence.
c. Determining the extent of the fraud.
d. Determining the techniques used to perpetrate the fraud.
e. Evaluating the cause of the fraud.
f. Identifying the perpetrators.

13.16.3 At any point during this process, the investigator may conclude that the
complaint or suspicion was unfounded, and the investigator then follows the bank’s
process to close the case.
13.16.4 The specific procedures employed in each investigation will differ based on
the specific situation and the goals of the investigative team. The common
investigative procedures include:
13.9 Formation of Team
13.9.1 Team members should have high moral and ethical standards and integrity. They should have
thorough professional knowledge and banking experience. The team should be formed in
such a manner that there is no conflict of interest between the team members and the
person(s) related to the incident under investigation. The designation of the members of
the team should not be below the rank of the person(s) to be investigated.
13.9.2 Obtaining Evidence
The collection and preparation of evidence is critical to understanding the fraud or
misconduct, and it is needed to support the conclusions reached by the investigation
team. The investigation team may use computer forensic procedures or computer-
assisted data analysis based on the nature of the allegations, the results of the procedures
performed, and the goals of the investigation. All reports, documents, and evidence
obtained should be recorded chronologically in an inventory or log. Some examples of
evidence include:

1. Letters, memos and correspondence, both in hard copy or electronic form (such
as e-mails or information stored on personal computers).
2. Computer files, general ledger postings, or other financial or electronic records.
3. IT or system access records.
4. Video footage.
5. Security and time keeping logs, such as security camera videos or access badge
records.
6. Internal phone records.
7. Customer or vendor information, both in the public domain and maintained by
the organization, such as:
• Contracts, invoices and payment information.
• Public records such as business registrations with government agencies
or property records.
• News articles, internal and external websites, such as social networking
sites.
13.9.3 Interviewing
The investigator will interview individuals such as witnesses and facilitating
personnel. Typically, the accused individual is interviewed after most applicable
evidence has been obtained. Many investigators prefer to approach the accused with
sufficient evidence that will support the goal to secure a confession.
The accused is interviewed by two people:
1) An experienced investigator and
2) Another individual who takes notes during the interview and later
functions as a witness if needed.

In addition, it is essential that all information obtained from the interview is
rendered correctly.
• Investigative activities need to be coordinated with management, legal counsel,
and other specialists, such as human resources and insurance risk management,
as appropriate throughout the investigation.
• Investigators need to be knowledgeable and cognizant of the rights of persons
within the scope of the investigation and the reputation of the organization itself.
The investigator has responsibility to ensure that the investigation process is
handled in a consistent and prudent manner.
• The level and extent of complicity in the fraud throughout the organization
needs to be assessed. This assessment can be critical to avoid destroying or tainting
crucial evidence, and to avoid obtaining misleading information from persons
who may be involved.
• The investigation needs to adequately secure evidence collected, maintaining
chain of custody procedures appropriate for the situation.

13.9.4 Reporting Fraud Investigation


Reporting fraud investigations consists of the various oral, written, interim, or final
communications to senior management and/or the board regarding the status and
results of fraud investigations. Reports can be preliminary and ongoing throughout the
investigation.
A written report or other formal communication may be issued at the conclusion of the
investigation phase. It may include the reason for beginning an investigation, time
frames, observations, conclusions, resolution, and corrective action taken (or
recommendations) to improve controls. Depending on how the investigation was
resolved, the report may need to be written in a manner that provides confidentiality
for some of the people involved. In writing the report, the investigator needs to
consider the needs of the board and management while complying with legal
requirements and restrictions, and the bank’s policies and procedures.
Additional considerations concerning fraud reporting are:
• Submitting a draft of the proposed final communications on fraud to legal counsel for
review. In cases where the organization is able to invoke attorney-client privilege, and
has chosen to do so, the report is addressed to legal counsel.
• Notifying senior management and the board promptly when significant fraud or erosion
of trust occurs.
• The results of a fraud investigation may indicate that fraud had a previously
undiscovered adverse effect on the organization’s financial position and its operational
results for one or more years for which financial statements have already been issued.
Senior management and the board need to be informed of such a discovery so they can
decide on the appropriate reporting, usually after consulting with the external auditors.

13.9.5 Resolution of Fraud Incidents


Resolution consists of determining what actions will be taken by the organization once
a fraud scheme and perpetrator[s] have been fully investigated, and evidence has been
reviewed. Any findings of actual or potential material impact may need to be reported
to the board, the audit committee, and the external auditor. In some cases it may be
necessary to take certain actions before the investigation is complete (e.g., to preserve
evidence, maintain confidence, or mitigate losses). This could require suspension or
reassignment of individuals or legal actions to restrain assets. However, it should be
ensured that there is a sufficient basis for those actions. Management consultation with
legal counsel is strongly recommended before taking disciplinary, civil, or criminal
action. Management and the board, not the internal audit activity or the investigator, are
responsible for resolving fraud incidents. Resolution may include all or some of the
following:
• Disciplining an employee in accordance with the bank’s policies, employment
legislation, or employment contracts. In this regard, circular no. HRDGAD/72 dated
08/07/2014 should be followed to settle the issues (Annexure-1, Page No-31-40).
• Requesting voluntary financial restitution from an employee, customer, or supplier.
• Terminating contracts with suppliers.
• Reporting the incident to law enforcement, regulatory bodies, or similar authorities;
encouraging them to prosecute the fraudster; and cooperating with their
investigation and prosecution. An appropriate member of senior management, such
as the chief legal counsel, should be authorized to make the decision as to whether
pursuing criminal prosecution is appropriate.
• Entering into civil litigation or similar legal processes to recover the amount taken.
• Filing an insurance claim.
• Filing a complaint with the perpetrator’s professional association.
• Recommending control enhancements.
13.10 Communication of Fraud Incidents
In addition to fraud reporting mentioned above, the two types of communications that
may result from an investigation are public communications and planned internal
communications.
Management or the board determines whether to inform outside entities of the matter. The
organization may have a responsibility to notify government agencies of certain types
of fraudulent acts. These agencies include law enforcement, regulatory agencies, or
oversight bodies. Additionally, the bank may be required to notify its
stakeholders of the matter. Any comments made by management to the press, law enforcement, or
other external parties are best coordinated through legal counsel. Typically, only
authorized spokespersons make external announcements and comments.
An important decision in this process is the decision to prosecute the wrongdoer.
Management and the board, usually based on the input of legal counsel, make this
decision. While internal auditors do not make these decisions, they may indicate to
management and the board that prosecutions discourage future fraud by reinforcing the
repercussions of fraudulent behavior and thus serve as a fraud deterrent.

Internal communications are a strategic tool used by management to reinforce its
position relating to integrity, to demonstrate that it takes appropriate action (including
prosecution if appropriate) when organization policy is violated, and to show why
internal controls are important. Such communications may take the form of a newsletter
article, a memo from management, or the situation may be used as an example in the
organization’s fraud prevention training program. These communications generally take
place after the case has been resolved internally, and they do not specify the names of
perpetrators or other specific investigation details that are not necessary for the message
or that contravene laws. An investigation and its results may cause significant stress or
morale issues that may disrupt the organization, especially when the fraud becomes
public. Management may plan employee sessions and/or team building strategies to
rebuild trust and camaraderie among employees.
13.11 Analysis of Fraud
After the investigation of a fraud, it is important for management and the internal audit
activity to step back and consider the lessons learned. For example:
• How did the fraud occur?
• What controls failed?
• What controls were overridden?
• Why wasn’t the fraud detected earlier?
• What red flags were missed by management?
• What red flags did internal audit miss?
• How can future frauds be prevented or more easily detected?
• What controls need strengthening?
• What internal audit plans and audit steps need to be enhanced?
• What additional training is needed?
Both management and internal auditors may hold lessons learned sessions. The
dynamic feedback within these sessions needs to stress the importance of acquiring up-
to-date information on fraudsters and fraud schemes that can help internal auditors and
the anti-fraud community engage in best practices to prevent losses.

Chapter-Thirteen
Fraud Management

Today, while electronic tracking and improved security have deterred fraud practices, the threat
still exists and bank fraud still occurs on a regular basis. Fraud, as mentioned earlier,
is a crime and is becoming difficult to pin down; however, with the right management controls,
practices and policy framework, it can be mitigated.

14.1 Roles/Responsibilities of Different Entities for Fraud Management


The senior management of the Bank, Audit Committee of the Board and the special committee
of the Board will play a crucial role in discharging their oversight responsibility in a proactive
manner, through periodical review of the fraud cases.

14.1.1 Responsibilities of the Board of Directors


The Board of Directors will make an overall review of fraud cases in the bank on a periodic basis.
The main aspects which shall be taken into account while making such a review will include
the following:
1. The board of directors has responsibility for effective and responsible corporate fraud
governance.
2. The role of the board is to oversee and monitor management’s actions to manage fraud
risks. Specifically, the board will evaluate management’s identification of fraud risks
and implementation of anti-fraud measures.
3. The board will implement policies that encourage ethical behavior, including processes
for employees, customers, and external business relationship partners to report
instances where those policies are violated.
4. Whether the systems in the bank are adequate to detect frauds, once they have taken
place, within the shortest possible time.
5. Whether, where frauds involve staff, the cases are reported to the concerned
Department for further action whenever necessary.
6. Estimated loss to the bank because of frauds, amount recovered and provisions made.
7. Whether deterrent punishment is meted out, wherever warranted, to the persons found
responsible without undue delay.
8. Whether frauds have taken place because of laxity in following systems and procedures
or loopholes in the system and, if so, whether effective action has been taken to ensure
that the systems and procedures are scrupulously followed by the staff concerned or the
loopholes are plugged.
9. Detected frauds are to be reported, according to their materiality, to the local police or
the “Anti-Corruption Commission”, as the case may be, for investigation, as per the
guidelines issued in this regard to public sector banks by the Government of Bangladesh
and Bangladesh Bank.
10. Arrange to comply with the regulatory reporting regarding fraud.

14.1.2 Responsibilities of the Audit Committee of the Board (ACB)


The board will approve the objectives, strategies and overall business plans of the bank and
the audit committee will assist the board in fulfilling its oversight responsibilities. The
committee will review the financial reporting process, bank’s internal control, risk
management systems including the design and implementation of anti-fraud programme and
controls, audit process, and the bank's process for monitoring compliance with laws and
regulations and its own code of business conduct.

The ACB will review all the cases of fraud on a periodic basis and will place them before the Board.
During the review, the ACB will scrutinize statistical information as well as details of each fraud.
It will also review whether necessary corrective measures have been taken by the management and
recommend directions on the punitive and preventive aspects of those frauds if required.

14.1.3 Responsibilities of Senior Management


3.1.3.1 In setting out a strong control framework within the organization the role of
Managing Director/ CEO is very important.

3.1.3.2 Every fraud detected and reported will be examined by the Senior Management
and oversight board, upon being placed to them by the concerned Department of the
Bank.
3.1.3.3 Based on gravity of the findings (considering the recommendation of the
oversight Board) MD and CEO/ Senior Management of the Bank will issue directions
as may be found appropriate upon this preliminary examination of the report of fraud.
3.1.3.4 Such directions will include those for effective investigation of the fraud,
accurate and timely reporting of the fraud to regulatory and law enforcement authorities
including Bangladesh Bank and study of weaknesses in systematic controls.

3.1.3.5 The management will enrich audit teams with adequate skilled manpower and
proper IT support as per requisition of the ACB for purposeful and effective audit.
3.1.3.6 The management will ensure compliance of all laws and regulations that are
circulated by various regulatory authorities such as, Bangladesh Bank, Ministry of
Finance, Bangladesh Securities and Exchange Commission, etc.
14.1.4 Human Resources Division (HRPDOD)
14.1.4.1 A key business and fraud risk in any organization lies in the people hired to
operate the business and promoted into positions of trust and authority. For that reason,
it is important to know employees in order to evaluate their credentials and competence,
match skills to the job requirements, and be aware of any issues of personal integrity
that may impact their suitability for the position.

14.1.4.2 Human Resource Division is responsible for appointing appropriate employees
in order to run the activities effectively and efficiently. Screening of applicants before
appointment in the bank is essential. Besides this, job rotation, transfer, posting etc.
should be as per the bank’s norms.
14.1.4.3 The Human Resources Department will usually have responsibility for any
internal disciplinary procedures which must be in line with, and support, the fraud
policy statement and fraud response plan.


14.1.4.4 Their advice should be sought in relation to the bank’s personnel management
strategies, individual employment histories, and issues relating to employment law or
equal opportunities. Directives through circular no- HRDGAD/72, dated 08/07/2014
ensure the divisional administrative proceedings of Agrani Bank Limited
(Annexure-1, Page No-31-40).

14.1.5 Control Office


Branch Manager/ Zonal Office/ Circle offices/ Head Office shall ensure that there are
mechanisms in place within their area of control to:
i. Familiarize each employee with the types of improprieties that might occur in
their area.
ii. Instruct employees about fraud prevention and detection.
iii. Create a culture whereby employees are encouraged to report any fraud or
suspected fraud which comes to their knowledge, without any fear of
victimization.
iv. Promote employee awareness of ethical principles of banking business.

14.1.6 Internal Auditors


14.1.6.1 Internal auditors evaluate risks faced by the bank based on audit with
appropriate testing. Internal auditors need to be alert to the signs and possibilities of
fraud within the bank.

14.1.6.2 While external auditors focus on misstatements in the financial statements that
are material, internal auditors are often in a better position to detect the symptoms that
accompany fraud.

14.1.6.3 Internal auditors usually have a continual presence in the organization that
provides them with a better understanding of the organization and its control systems.

14.1.6.4 Internal auditors can assist in the deterrence of fraud by examining and
evaluating the adequacy and the effectiveness of internal controls.

14.1.6.5 In addition, they may assist management in establishing effective fraud
prevention measures by knowing the bank’s strengths and weaknesses and providing
consulting expertise.
14.1.6.6 The internal auditor’s roles in relation to fraud risk management could include
initial or full investigation of suspected fraud, root cause analysis and control
improvement recommendations, monitoring of a reporting/ whistleblower hotline, and
providing ethics training sessions. If assigned such duties, internal auditing has a
responsibility to obtain sufficient skills and competencies, including knowledge of
fraud schemes, investigation techniques, and laws.

14.1.6.7 Internal auditors may conduct proactive auditing to search for
misappropriation of assets and information misrepresentation. This may include the use
of computer-assisted audit techniques, including data mining, to detect particular types
of fraud. Internal auditors also can employ analytical and other procedures to find
unusual items and perform detailed analyses of high-risk accounts and transactions to
identify potential fraud.
14.1.7 External Auditors
The organization’s external auditors have a responsibility to comply with professional
standards and to plan and perform the audit of the organization’s financial statements
to obtain reasonable assurance about whether the financial statements are free of
material misstatement and whether the misstatements were caused by error or fraud.
Whenever the external auditor has determined there is evidence that fraud may exist,
the external auditor’s professional standards typically require that the matter be brought
to the attention of an appropriate level of management. The external auditor typically
reports fraud involving senior management directly to those charged with governance
(e.g., the audit committee).

14.1.8 Fraud Investigators


14.1.8.1 Fraud investigators are usually responsible for the detection and investigation
of fraud. They also perform a role in fraud prevention. Senior management and the audit
committee need to support the investigators to let all stakeholders know the business
entity is ready to respond quickly and appropriately to fraud risks. Fraud investigators
often work closely with legal counsel to bring legal action against the perpetrator.
Communications between fraud investigators and the legal counsel are likely to be
considered confidential (e.g., privileged) to enable free and open dialogue. Also, a fraud
investigator’s work done at the direction of legal counsel may constitute protected
attorney work product. The lead investigator usually determines the knowledge, skills,
and other competencies needed to carry out the investigation effectively and assigns
competent and appropriate people to the team. This process could include assurance
that there is no potential conflict of interest with those being investigated or with any
other employees of the Bank.
14.1.8.2 ICC may have the primary responsibility for investigations, may act as a
resource for investigation, or may refrain from involvement in investigation. Internal
audit may refrain from involvement because it is responsible for assessing the effectiveness
of investigation or it lacks the appropriate resources to be involved in investigation.

14.1.8.3 To maintain proficiency, fraud investigation teams have a responsibility to
obtain sufficient knowledge of fraudulent schemes, investigation techniques, and
applicable laws. There are national and international programs that provide training and
certification for investigators and forensic specialists.

14.1.8.4 If the internal audit activity is responsible for the investigation, it may conduct
an investigation using in-house staff, outsourcing, or a combination of both. In some
cases, internal auditing may also use non-audit employees of the organization to assist.
It is often important to assemble the investigation team without delay.
14.1.8.5 In organizations where primary responsibility for the investigation function is
not assigned to the internal audit activity, the internal audit activity may still be asked
to help gather information and make recommendations for internal control
improvements.


14.1.9 Employees
Every employee has a role to play in fighting against fraud. Employees are the eyes and
ears of the organization, and they should be empowered to maintain a workplace of
integrity. Employees can report suspicions of fraud to an employee hotline, ICC or a
member of management. To deter and detect fraud and abuse, many experts believe an
employee hotline that is appropriately monitored is the single most cost-effective fraud
detection and deterrence measure.
14.2 Fraud Prevention
14.2.1 Prevention techniques regarding fraud should be established to mitigate possible
impacts on the bank.
14.2.2 Despite the best efforts of those responsible for preventing fraud, one inevitable
reality remains: “fraud happens.” Fraud and misconduct can occur at various
levels in any organization.
14.2.3 It is essential that appropriate preventive and detective techniques are in place.
Although fraud prevention and detection are related concepts, they are not the same.
While prevention encompasses policies, procedures, training, and communication,
detection involves activities and programs designed to identify fraud or misconduct that
is occurring or has occurred.
14.2.4 Although preventive measures cannot ensure that fraud will not be committed,
they are the first line of defense in minimizing fraud risk.
14.2.5 One key to prevention is making personnel throughout the organization aware
of the fraud risk management program, including the types of fraud and misconduct
that may occur. This awareness should enforce the notion that all of the techniques
established in the program are real and will be enforced.
14.2.6 The ongoing communication efforts could provide information on the potential
disciplinary, criminal, and civil actions that the bank could take against individuals who
are involved in fraud and those who intend to commit fraud.
14.2.7 If bank assesses and continuously monitors their operational effectiveness to
help prevent fraud from occurring.
14.3 Fraud Assessment
14.3.1 Before preventing fraud it is necessary to assess it. In this regard, a prescribed
format known as “Self-Assessment of Anti-Fraud Internal Control of the Bank”, covering all
the areas of banking activities, is used to combat fraud and forgery as well as for
reporting to Bangladesh Bank on a Half-Yearly basis as per DOS Circular Letter no-10,
dated 09 May, 2017 (Annexure-3, Page No-49-59).

14.3.2 The reliability of the bank’s self-assessment depends on the correctness of the responses
to issues raised in the format. To mitigate the risk of inappropriate assessment arising
out of dubious responses to questions, the correctness of the responses should be
checked.

14.3.3 This is done so that the bank improves its fraud risk management program and
conducts overall assessments of its fraud prevention techniques to ensure that progress
is being made towards full fraud prevention status and that no elements of fraud
prevention are deteriorating.


14.3.4 On that format all fraud issues are rated as (1) Yes (Fully Complied), (2) Partially (Partially
Complied) and (3) No (Not complied). Agrani Bank Limited sends the format to all the
branches and related divisions of Head Office so that they inform ICC of their compliance status.

14.3.5 After collection of information from them, an overall compliance of “Self-Assessment
of Anti-Fraud Internal Control of the Bank” is sent to the related department of
Bangladesh Bank subject to the approval of the Audit Committee of the Board.

14.3.6 Bangladesh Bank informs the bank of its opinion/recommendation on the compliance status.
Bangladesh Bank usually imposes a deadline to comply on “None complied” and
“Partially Complied” issues. As per their deadline, Agrani Bank Limited tries its level best to
comply fully with all the issues. Through this trial and error process, fraud detection and
management has been established.

14.4 Fraud Prevention Techniques


Prevention techniques should be established to mitigate possible impacts on the bank.
Following techniques are essential for Agrani Bank Limited to prevent fraud:

14.4.1 Continuous Monitoring for Controls


14.4.1.1 Off-site supervision: DCFCL
The best tool for monitoring and control is strict compliance with the Departmental Control
Functional Checklist (DCFCL) by all the Branches of the Bank. In this regard the latest ICC Policy and
Procedures of Agrani Bank Limited should be followed.
14.4.1.2 Onsite supervision:
For proper governance, Internal Audit is also an important tool for the prevention of
fraud. Moreover, branch visits by the Circle/Zonal Head are mandatory. In this regard the
latest ICC Policy and Procedure of ABL should be followed, which is also mentioned below
(Branch visiting by Circle Head/Zonal Head vide Head Office Circular no:-AMD/68/18,
Date- 03/06/18).


14.4.1.3 Outline of Inspection Function

| Level of inspector | Time frame of inspection | Report Submission | Administrative Action |
|---|---|---|---|
| Inspection by Circle Head | 1. Corporate Branch Office – once in every two months. 2. Zonal Office – once in every three months. 3. Non Corporate Branches – two or more branches every month. | 1) If the Circle Head finds any serious lapses/fraud forgeries, he/she will send a set of reports to the concerned DMD to take initiative action. 2) If the Zonal Head finds any serious lapses/fraud forgeries, he/she will send a set of reports to the concerned Circle Head. 3) The Circle will also analyze both inspection reports and will make a summary report to send to the concerned branch for compliance to mitigate lapses. | 1) The Circle Head/GM of concerned corporate branches will take administrative action against the responsible person on detecting a serious lapse or fraud forgery. 2) The Circle Head/GM also informs the concerned DMD of it without making any delay. |
| Inspection by Zonal Head | 1. Branch Offices located at town – once in every month. 2. Minimum 1/3rd of the branches under the Zone once in every month, i.e. every quarter all of the branches are to be visited. | | If any serious lapse or fraud forgery is detected at the time of inspection, the Zonal Head will take administrative action without making any delay and he/she will simultaneously inform the concerned Circle GM of the matter. |

14.4.2 Ethical Culture and Practice


a) To develop a sound ethical culture and sound internal control system in the bank.
b) To create awareness of ethical culture at all levels of the bank.
c) To make clear statements on business ethics and anti-fraud, with explanations
about acceptable behavior in risk prone circumstances.
d) To run a process of reminders about ethical and fraud policies – e.g. annual letter
and/or declarations by the employee.
14.4.3 Anti-Fraud Training
Necessary training is required on the purpose of the fraud risk management program,
including the codes of conduct and ethics, what constitutes fraud, and what to do when fraud
is suspected. The effectiveness of this training is dependent on mandatory attendance with
periodic updates and refresher sessions.


14.4.4 Set out authority limits


14.4.4.1 Fraud will be less likely when an individual’s level of authority is
commensurate with his or her level of responsibility.
14.4.4.2 A misalignment between authority and responsibility, particularly in the
absence of control activities and segregation of duties, can lead to fraud.
14.4.4.3 Agrani Bank Limited has established authoritative approval levels across the
enterprise to serve as an entity-level control. On the other hand, individuals
working within a specific function may be assigned only limited IT access as
a process-level control. These types of controls, supported by an appropriate
segregation of duties, assist in the first line of defense in fraud prevention.
14.4.5 Information Technology (IT) Security Policy
IT related fraud, including cyber-crime, is increasing day by day. In this regard the latest IT Security
Policy along with instruction circular no-IT&MIS/33 dated: 13/04/2016 (Annexure-02, Page
No-41-48) should be followed strictly.

14.4.6 Integrity of the Employees


Good governance and integrity of the employees are essential for fraud prevention. A huge
volume of fraud and forgery can be reduced/prevented by the honesty of employees.
14.4.7 Equipped with Updated Knowledge
Employees should be well conversant with updated knowledge in order to perform their duties
properly as per latest policies, regulations, guidelines, circulars etc. of which some are stated
below:
1. Instruction circular no-CMCD/30, dated 20-05-98; CMCD/08, dated 19-02-2000;
CMCD/85, dated 21-11-2001
2. Money Laundering and Terrorist Financing related guidelines.
3. Latest Credit Policy of Agrani Bank Ltd.
4. Latest Guidelines for Foreign Exchange Transaction (GFET) circulated by
Bangladesh Bank.
5. Latest Foreign Exchange Risk Management Manual of Agrani Bank Ltd.
6. Detection and Prevention of Foreign Trade related Fraud-forgery (Annexure-2,
Page-41-48)
7. ATM card related memo no 283 dated 07-04-2016 of Board of Directors
(Annexure-4, Page-60-62)


14.5 Reports
The necessary reports related to fraud-forgery are stated below:

| SL. No | Name of the Statement | Compliance | Reporting | Time limit | Reporting Time |
|---|---|---|---|---|---|
| 1. | Departmental Control Functional Check List (DCFCL) | All Branch (Monthly) | Audit Committee of Board (ACB) | After Quarter End, 10th of the next month | Quarterly report to ACB |
| 2. | Quarterly Operation Report (QOR) | All Branch (Monthly) | Audit Committee of Board (ACB) | After Quarter End, 10th of the next month | Quarterly report to ACB |
| 2. | Self-Assessment of Anti-Fraud Internal Controls | Branch and Division | Bangladesh Bank | Every June and December | Half-Yearly |
| 3. | Statement of incidents relating to embezzlement, theft, robbery and fraud | HR Discipline, Grievances & Appeal Division (HRDGAD) | Senior Secretary of Finance Ministry | 10th of the next month | Monthly |
| 4 | Report on fraud and forgery | Branch & Subsidiaries / Unit Control Division (BSUCD) | Bangladesh Bank | June and December | Half-Yearly |
| 5 | Comprehensive Risk Management Report (CRMR) | Risk Management Division (RMD) | Bangladesh Bank | June and December | Half-Yearly |
| 6 | Rationalized Input Template (RIT) | BSUCD | Bangladesh Bank | 10th of the next month | Monthly |

14.6 Administration of Fraud Risk Management Policy


The Internal Control & Compliance (ICC) may ensure the effectiveness of the Policy.
Revisions to this policy will be submitted to the BoD Audit Committee for review and
approval. The policy will be reviewed annually and revised as needed.


14.7 Conclusion:
Agrani Bank Limited is playing a key role in accelerating the development of the Bangladesh
economy. It is one of the prime institutions for the economic uplift of the people of Bangladesh. It
is one of the main vehicles for developing the Bangladesh economy as a whole. There have been crises
as well as achievements in the long journey of 42 years of banking since independence.

The task of preventing and combating corruption and fraudulent practices will be complex in
nature, and progress in this area will be gradual. These guidelines ascertain the Bank’s
commitment to combat corruption in its operations and set out the procedures for realizing this
objective. The guidelines reflect management’s commitment to promote a culture of good and
sound management, and to strengthen Bank safeguards towards transparent decision-making,
quality in the project cycle and regular oversight and enforcement. They will be reinforced
through Bank-wide dissemination and sharing with relevant stakeholders outside, including
posting on its web site. Staff training, including new staff orientation, will be part of the
dissemination strategy to help staff better understand and respond to potential incidents of
fraud and corruption.

The guidelines will also be complemented with rigorous compliance and enforcement
mechanisms. Revisions and update of these guidelines should occur with some regularity as
experience in combating corruption in Bank operations deepens.
In this policy, the guidelines are constructed in such a way that the related officials can easily use
them as a reference in discharging their duties and responsibilities perfectly and efficiently.
We believe that this Fraud Detection and Management Policy will strengthen the Internal Control
system of the bank and will play a vital role towards achieving the goal of a modern and vibrant
Agrani Bank Limited.

--- The End ---


Annexures of ICC


Contents of Annexures
SL. No. Particulars Pages
Audit Monitoring and Controlling Division 192-261
1 Annexure 1 Circle Head and Zonal Head Inspection Check list 194
2 Annexure-2 Credit Management Checklist 199
3 Annexure-3 (a) Departmental Control Functional Checklist-Daily 205
(b) Departmental Control Functional Checklist-Weekly 231
(c) Departmental Control Functional Checklist-Monthly 233
4 Annexure -4 Loan Documentation Checklist (LDCL) 238
5 Annexure -5 Quarterly Operational Report 243
6 Annexure -6 Control Function Risk Rating 250
7 Annexure -7 Report of Internal Control Team (ICT) 255
8 Annexure-8 IT and Security Management Checklist 256
9 Annexure-9 (a) Checklist for Import L/C 259
(b) Checklist for Back to Back L/C 260
(c) Checklist for Export L/C 261
Audit & Inspection Division 263-269
10 Annexure -10 Previous Audit Objection’s False Compliance 263
11 Annexure -11 Responsibility period wise Grip Loans/Irregularities 264
12 Annexure -12 Position of Year wise Agriculture Loan 265
13 Annexure -13 Position of Year wise Expired General Loan 266
14 Annexure -14 Position of Period wise Unsettled Certificate case 267
15 Annexure -15 Position of year wise under trial money suit for collection of general loan 268
16 Annexure -16 To perform Audit task effectively responsibilities of the Audit Team 269
Audit Compliance Division 270-275
Internal Audit 270
17 Annexure-17 Monthly Statement of Audit Objections 271
18 Annexure -18 Nirikha Paripalon Patra (NIPP)-1 273
19 Annexure -19 Nirikha Paripalon Patra (NIPP)-2 272
20 Annexure-20 Audit Objections Identified in Internal Audit 273
21 Annexure-21 Audit Clearance regarding Annual Salary Increment 274
22 Annexure-22 Branch Inspection Report 275
External Audit 278-279
23 Annexure-23 Audit Objections identified in Statutory Audit/ External Audit 278
24 Annexure -24 Response and Certification to the External Audit Report 279
Commercial Audit 280-289
25 Annexure-25 Unsettled audit objections 280
26 Annexure-26 Rectification/ Regularization/Settlement of External Audit 281
27 Annexure-27 Responses to the Government Commercial Audit Objectives 282
28 Annexure-28 Minutes of the joint Meeting 283
29 Annexure-29 Resolving ordinary Audit Objections 284
30 Annexure-30 Standing Committee Meeting 285
31 Annexure-31 Commercial Audit Objections and Settlement 286
32 Annexure-32 Statutory Audit Objections/ Settlement Summary 287

33 Annexure-33 Format of the monthly Statement sent to the Ministry & Division Offices 288
34 Annexure-34 Audit Objections identified in Statutory Audit/ External Audit 289
Bangladesh Bank Inspection 290-296
35 Annexure-35 Bangladesh Bank detailed Inspection Report 290
36 Annexure-36 Bangladesh Bank detailed Inspection Report 291
37 Annexure-37 Closing Bangladesh Bank Details Branch Inspection 292
38 Annexure-38 Audit Objections identified in Bangladesh Bank 293
39 Annexure-39 Proforma-1 of NIPP-1 to be used by the manager 294
40 Annexure-40 Proforma-2 of NIPP-2 to be used by auditor 295
41 Annexure-41 Proforma-3 of NIPP-3 to be used by ACD 296
Others
42 Annexure-A Branch Audit Rating 297
43 Annexure-B Foreign Trade and Foreign Exchange Checklist for Auditors 303
A. Import Related Irregularities (Cash L/C) 303
B. Import Related Irregularities (Back to Back L/C) 304
C. Export Related Irregularities 305
D. Foreign Remittance Related Irregularities 305
44 Annexure-C Borrower-wise loan form 'Ka' for use by auditors 306
45 Annexure-D & D1 Applicable forms and instructions for preparing the bank's Health Report 308-320
46 Annexure-E IT Audit Reporting Sheet 321-342

Annexure: 01
Agrani Bank Limited
.................................Branch
Circle Head and Zonal Head Inspection Check list

Sl.   Administration   Y(√) / N(×)   Remarks
1 Whether the security measures of the branch are adequate
2 Whether the attendance register is maintained properly
3 Whether office staff reside within 30 minutes' distance.
4 Whether office staff maintain the dress code of the bank
5 Whether non-clerical staff are wearing office dress.
6 Whether the leave register is maintained properly
7 Whether the duty list of all officers and staff is up to date.
8 Whether the job rotation is effected
9 Whether any employee is posted in the branch for a period over 3 years
10 Whether branch cleanliness (both inside and outside) is maintained properly
11 Whether the branch signboard has the proper colour and size and is hung in the proper place etc.

Sl.   Cash   Y(√) / N(×)   Remarks
1 Whether cash is found correct
2 Whether cash is within safe limit
3 Whether soiled and mutilated notes are mixed with issue notes
4 Whether notes are kept as per (sorting, stitching & packeting) instruction.
5 Whether there is any long outstanding balance of mutilated notes, i.e. whether any initiative is taken for changing those notes.
6 Whether the vault is safe enough or as per specifications, i.e. concrete (RCC) wall & floor, pore less, under CCTV coverage, door alarmed bell, chap door & grilled etc.
7 Whether the Vault register is maintained properly
8 Whether the balance of Prize bond is physically counted and found correct. Prize bonds are recorded in the register.
9 Whether scroll register is maintained.
10 Whether token register is maintained.
11 Whether the Key register is updated.
12 Whether cash remittance register is maintained properly.
13 Whether cash receipt and payment seal are maintained properly.
14 Whether cash related posters, i.e. mutilated note changing poster, note (Tk. 100, 500, 1000 note) identification poster etc., are hung properly.

Sl.   Deposit Banking   Y(√) / N(×)   Remarks
1 Whether the required information/papers are obtained during account opening and posted in the software properly (test checking).
2 Whether thanks letters are sent to the customer and the introducer.
3 Whether the account statements are sent to the customers
4 Whether the stop payment register is maintained properly
5 Whether the cheque book issue register is maintained properly
6 Whether the party concerned received the cheque him/herself (sample checking)
7 Whether the manager's approval is taken in issuing duplicate cheque book on Form 'B'
8 Whether the dormant accounts are identified and transferred to the respective code of the banking software.
9 Whether inoperative accounts are made operative on the party’s application with close monitoring of Manager GB.
10 Whether receive / deposits print of computer listing/ register are checked jointly with related vouchers.
11 Whether signatures of both inputter and authorizer are taken on every voucher.
12 Whether double supervision is made for big transactions
13 Etc.

General Banking   Y(√) / N(×)   Remarks
1 Whether DD/Pay Order/Pay-Slip/SR block is balanced every day
2 Whether DD/TT/MT/PO/PS/SR payable register balance and related heads figure in computer are same.
3 Whether the OBC/IBC register / related heads in computer are maintained and monitored properly
4 Whether the computer print of transfer sheet is checked with concerned voucher jointly and recorded/ maintained properly.
5 Whether accounts of the parties working / residing abroad are monitored by Manager GB from time to time.
6 Whether deceased accounts are marked stop payment and under close observation of Manager GB.
5 Whether the stock of security stationery is found correct
6 Whether MICR cheque requisition and receiving are done in time.
7 Whether the test keys are maintained and used properly
8 Whether the daily vouchers are checked jointly by inputter and authorizer / Manager GB.

Sl.   Accounts   Y(√) / N(×)   Remarks
1 Whether computer print of General Ledger (GL) is checked (product wise total Dr./Cr. of GL checked with transaction print of all products) daily and kept in a file.
2 Whether GL balance and ledger balances of different heads are same.
3 Whether every day’s computer generated list of vouchers is checked and kept with vouchers.
4 Whether the daily statements of affairs and CMO/CNG A/c Extract are sent correctly and regularly
5 Whether the sundry creditor/sundry debtor register/ head in software is maintained properly
6 Whether the expenditure under different heads is in excess of budget.
7 Whether the statements are sent to Zonal and Head Office as per schedule
8 Whether the audit reports are complied with timely and properly
9 Whether any entry remains long outstanding and whether any steps are taken.

Sl. | Loans and Advances | Y(√) / N(×) | Remarks

1 Whether pre-sanction visits of shop/firm and collaterals are carried out.
2 Whether the loan is assessed earlier, considering cash flow and stock position, party's dealing in loan account, balance sheet (if required), CIB report etc.
3 Whether charge documents are stamped and filled up properly.
4 Whether insurance premium is paid regularly.
5 Whether the loan documents are obtained as per sanction advice before disbursing the loan, and the party-wise loan documentation checklist (LDCL) is filled up and kept with the loan file.
6 Whether the Safe-in-Safe-out register is maintained properly.
7 Whether the stock statement of Hypothecation is obtained regularly.
8 Whether the Pledge Godown Key movement register is maintained, and proper pledge godown management is done (stock register is maintained properly, frequent pledge godown visits are performed, a proportionate amount of DO is issued on receipt of recovery in the loan account, etc.).
9 Whether it is ensured that accrued interest on loans and advances is transferred to the respective income account after every quarter.
10 Whether the cash deposit, transfer voucher, cheque payment voucher and interest application voucher are posted in loan accounts and checked/supervised by the Manager/Officer-in-charge.
11 Applied interest rate in accounts and sanctioned interest rate are the same.
12 Whether the insurance register is maintained properly.
13 Whether the suit file register is maintained properly.
14 Whether the confidential limit register is maintained properly.
15 Whether the loan recovery assignment is distributed among the officers/staff.
16 Whether the loans are out of time barred.
17 Whether steps are taken in time before and after filing of suit.

Sl. | Foreign Exchange | Y(√) / N(×) | Remarks

1 Whether the foreign currency is found correct on physical verification.
2 Whether LC commission is recovered properly.
3 Whether LC margin is collected properly.


4 Whether the inward foreign bill and PAD are presented for lodgment/payment/acceptance forthwith.
5 Whether the necessary action is taken forthwith for reconciliation of PAD outstanding.
6 Whether the LIM ledger is correctly and regularly maintained, verified and balanced.
7 Whether the LIM is created as per rules.
8 Whether the necessary measures have been taken for auction, or a reminder has been issued to the importer, for adjustment of LIM outstanding.
9 Whether the recoverable bills are reviewed periodically.
10 Whether the records of shipping guarantees issued by the branch are retained and reviewed as per norms.
11 Whether initiatives for adjustment of outstanding guarantees have been taken and whether correspondence is ongoing with the customers for un-reconciled shipping guarantees.
12 Whether FBP, FBC, FDBC accounts are balanced and verified regularly.
13 Whether the PCC register and ledger are maintained, verified and balanced properly and regularly.
14 Whether the necessary measures have been taken for adjustment of overdue PCC.
15 Whether the customer is informed of the fate of the remittance.

Sl. | IT management | Y(√) / N(×) | Remarks

Whether -

1. Server/Router/Switch room is under lock and key and cables are secured.
2. The server computer and computers at work stations are protected by screen saver password.
3. Confidentiality of user ID and Admin password is maintained cautiously. Extra/unused passwords are removed from the computer, i.e. passwords of employees who are transferred are deactivated immediately. The active authorizer/user list is maintained in a register.
4. The password is at least 6 characters long and is a combination of uppercase/lowercase alphabets, numbers & special characters.
5. There is any other internet connection with banking & T-24 software, which is strictly prohibited.
6. Every day's vouchers are checked with computer printed sheets. For T-24 software, initials of both authorizer and inputter are taken on vouchers.
7. Transfer vouchers passed / inter-branch transactions (on us/of us) are checked jointly by inputter and authorizer/Manager GB.
8. The product-wise summary balance of GL and ledger balance of respective heads are checked by Manager GB.
9. Cheque serial entry list and deletion list are kept with every day's vouchers.
10. Every cancellation of cheque/voucher posting is done by maintaining delegation of powers.
11. For payment of remittance, whether the following precautions are maintained or not. Whether -
12. User ID/password given by Exchange House is changed immediately and treated as admin password.
13. National ID/Passport copy and system-generated Money Receipt are kept with vouchers.
14. In case of any delay in reimbursement, the matter is under close supervision of Manager GB.
i Account opening and post opening management. Whether -
ii i. Necessary papers with PP size photo etc. are taken, and it is checked that data entry in the computer is done properly.
iii ii. Thanks Letters are given, the cheque is issued after the client receives the Thanks Letter, and the client him/herself received the cheque.

Sl. | Self-Assessment of anti-fraud internal control (Internal Control and Compliance) | Y(√) / N(×) | Remarks


1 Is the branch equipped with skilled, IT knowledge based personnel to handle banking software, viz. T24, CNG/CMO/CIB/BATCH/Classification Statement/Bexi/Infinity/Agrani solution/BFTN etc.
2 Whether there was any attempt of fraud/incident of fraud in the branch in the last months from the previous visit.
3 Precautionary measures for controlling fraud. Whether -
i) Security stationery keeping is proper.
ii) Job rotation and duty list implementation is done.
iii) Password handling (confidentiality, complexity, changeability) is proper.
iv) Mandatory leave is implemented.
v) Every voucher is checked every day with the computer-printed supplementary.
vi) Proper formalities are maintained in account opening/cheque book issuing and other general banking operations.
vii) Sitting arrangement of staff is safe enough to protect against fraud.
4 Whether all officers and staff have gone through the ICC manual and the branch manager reviews its implementation from time to time.
5 Whether QOR, LDCL, DCFCL are submitted by the branch to Zonal and Head offices in time.
6 Whether risks identified by Risk Based Audit are commented upon and steps are taken for mitigation.
14 Whether staff are performing their jobs with due diligence, i.e. doing duties as per office order, using delegation of power, documenting works done, and handing over/taking over charges when applicable.
15 Measures are taken for the rectification/mitigation of fraud/irregularities detected by both External and Internal Audit, and responsible personnel are attached/punished for the consequence.
16 Whether there are any left-out fraud attempts not identified by any audit.
17 Complaints at branch level are properly recorded and attended.
18 Whether any suspicious account operation is detected and reported to BAMELCO/CAMELCO.
19 Life style of staff is under close observation.
20 Mechanisms are maintained to monitor staff accounts to prevent fraud.
Sl. | Miscellaneous | Y(√) / N(×) | Remarks
Whether
i There is any alternative/2nd hand to operate every sector/part of the branch.
ii Any updated anti-virus is installed in each server and computer.
iii Branch Manager has taken steps to protect against IT related fraud as per Instruction circular no.ICC/ AMD 111/13 dated 20/11/13 (Check list no. – 8).


Annexure: 02
Agrani Bank Limited
.........................Branch
Credit Management Checklist

Sl. | Issues | Total Score | Yes | No | Score obtained
A. BUSINESS RISK 300 MARKS
A) Pre-sanction visit of | 12.50
- Shop
- Primary Security/Stock
- Business firm
Sub Total | 12.50
B) Organizational Structure for managing Credit Risk
1. | The Branch has adequate experienced/trained staff to handle Credit Portfolio | 5.00
2. | Proper duty allocation is made | 5.00
3. | Reporting lines are laid down and there is proper monitoring to ensure compliance. | 5.00
Sub Total | 15.00
C) Borrowers Selection
1. | Borrowers are selected considering 6C's (character, capital, collateral, capacity, condition, commonsense) | 7.50
2. | Whether borrower is a habitual defaulter/market reputation, have any successor etc. | 7.50
Sub Total | 15.00
D) CIB Report
1. | Latest CIB report to be analyzed | 7.50
2. | Confidential report is collected from local bank branches etc. | 7.50
Sub Total | 15.00
E) Collaterals
Collaterals have been properly
1. | valued (valuation done in prescribed form) | 7.50
2. | verified (confirmed in the legal opinion, genuineness of title deeds, possession) | 7.50
3. | Physical visit done by Branch Manager/Authorized Officer | 10.00
Sub Total | 25.00
F) CRG
Credit Risk grading done considering
1. | all facilities under CRG assigned a risk grade | 10.00
2. | Data collection check list and limit utilization form duly filled up | 10.00
3. | Risk grading score sheet/Risk grading form duly filled up | 10.00
4. | Financial Risk, Business, Industrial Risk, Management Risk, Security Risk, Relationship Risk analyzed properly | 30.00
5. | Loan proposals are sanctioned considering Risk Grading with due importance. | 10.00
Sub Total | 70.00
G) Credit Assessment
1. | Commencement of business relationship stated in the proposal | 2.50
2. | All facilities given to the borrower assessed annually | 2.50
3. | Customer detail particulars included in the credit application | 5.00
4. | Purpose and amount with type of loan proposed by the borrower should be stated | 2.50
5. | Pre-sanction inspection report is in place. | 2.50
6. | Experience of borrowers, business skills, management & success are properly reviewed in credit proposal. | 5.00
7. | Borrower's rating in the industry assessed along with overall industry concerns, and borrower's strengths and weaknesses relative to its competitors are identified | 2.50
8. | Industry position along with supplier and risk is analyzed | 7.50
9. | Borrower's creditworthiness is established by review of 3 years historical financial statements/past track record, i.e. any advice report marked in last Audit Reports. | 7.50
10. | Earnings from relationship are properly assessed in the credit proposal | 2.50
11. | Cash flow analysis and justification of the client's ability to pay are reflected in the credit proposal | 7.00
12. | Credit proposal clearly mentions current outstanding against all limits. | 7.50
13. | Credit facilities availed from other banks clearly stated in the proposal and opinions are obtained. | 5.00
14. | Credit facilities are based on evaluation of the borrower's needs. | 5.00
15. | Possible risks identified in the credit assessment and risk mitigation factors clearly mentioned in the credit proposal | 5.00
16. | Account conduct of the borrower and his allied concern are done. | 5.00
17. | Syndicate loans have been analyzed for risk and returns in the same manner as directly sourced loans. | 2.00

18. | Amount & tenures should be justified based on the projected repayment ability and loan purpose. | 1.00
19. | Adequacy and the extent of insurance coverage assessed. | 1.00
20. | Policy compliance clearly stated in the loan proposal | 2.00
21. | Changes in the pricing facilities are highlighted in the proposal. | 2.00
Sub Total | 82.50
H) Disbursement Process
1. | Credit Administration Department checks collateral. | 2.50
2. | Legal Counsel ensures the Bank's security interests are perfect. | 2.50
3. | Standard loan facility documentation is used. | 2.50
4. | Relationship Manager and Credit Administration Department jointly sign documentation checklist before disbursement. | 5.00
5. | Credit Administration Department issues Satisfactory Security Certificate/Security Clearance Certificate before disbursement. | 5.00
6. | Authorized Officers as per Bank Policy disburse facilities. | 2.50
7. | All disbursements are covered by approved credit lines. | 5.00
8. | Excess over Limit (EOL) are allowed under pre-fact credit approvals | 2.50
9. | Insurance policy is current and renewed on a timely basis. | 2.50
10. | The Bank has authorization to debit client's account in order to keep policy in force. | 2.50
Total | 32.50
I) Valuation of Collateral
1. | Credit Administration Department independently controls and matches the value of Cash Collateral which are lien to the Bank and against which borrowings are allowed as per approval. | 2.50
2. | Value of Inventory and Machineries supplied by client cross-checked. | 5.00
3. | Department ensures receivables actually exist and that past due, disputed and other items with impaired collateral value are identified and removed from the collateral pool. | 2.50
4. | Value is sourced from independent appraisals addressed to the bank. | 5.00
Sub Total | 15.00
J) Custodial duties
1. | Business Units keep credit files under proper control and use is restricted to authorized individuals. | 2.50

2. | Cash collateral such as Fixed Deposit Receipt, Script, Bonds, Marketable Securities and Security Documentation etc. are held under control in fireproof vault. | 5.00
3. | Two custodians and their alternates are identified in writing. | 2.50
4. | Safe in and safe out Register is properly maintained to keep track of their movement. | 2.50
5. | Release of collateral or debt obligation instruments requires appropriate approvals. | 2.50
6. | Inventory is held in a warehouse for financing against pledge under bank control. | 2.50
Sub Total | 17.50

B. CONTROL RISK 275 MARKS

H) Compliance
1. | Branch maintains diary of Bangladesh Bank circulars, HO Circulars, guidelines related to credit. | 14.00
2. | All required Bangladesh Bank returns are submitted in the correct format in due time. | 7.00
Sub Total | 21.00
I) Credit Monitoring
1. | Excess Over Limit (EOL) and expired credit limits are assessed by Branch Manager on a regular basis. | 3.50
2. | Drawing power excesses and collateral shortfall are assessed by Branch Manager on a regular basis. | 7.00
3. | Covenant violations and documentation deficiencies are examined by Branch Manager on a regular basis to ensure that discrepancies are being acted upon appropriately. | 7.00
4. | Overdrafts/CC facilities are monitored on a regular basis by Branch Manager to ensure accounts turn over. | 7.00
5. | Usages of borrowed funds are confirmed through financial statement analysis. | 7.00
6. | Branch conducts financial analysis on a regular basis and monitors changes in the client's financial condition. | 7.00
7. | Branch Manager/Credit in-charge regularly monitors the performance of the client's business as well as repayment and prepares a Status Report. | 7.00
8. | Extensions of credit limit expiry dates, if circumstances warrant, are analyzed by Branch Manager. | 7.00
9. | Credit Department separately maintains files on credit limit expiry dates. | 7.00
10. | Borrower is communicated well ahead of time as and when the installments become due. | 3.50

11. | Timely renewal of limits is ensured by Credit Department informing Marketing Department two months ahead of expiry limit dates. | 3.50
12. | Late payment is recorded and communicated to the senior management. | 3.50
Sub Total | 70.00
J) Early Alert Process
1. | Control mechanism exists to ensure that calls/inspections are made regularly on clients & documented. | 10.00
2. | Regular inspections conducted to confirm that bank's security/collateral is secured. | 11.00
Sub Total | 21.00
K) Credit Recovery & Monitoring of NPL account
1. | Branch has taken initiatives to manage directly the accounts with sustained deterioration (a Risk rating of Sub Standard(6) or worse) | 5.25
2. | Classified Loan Review on a quarterly basis to update the status of the recovery plan and modify the bank strategy as appropriate. | 5.25
3. | Wherever required proper legal action taken against Bank's asset. | 5.25
4. | Court cases are regularly followed up and necessary steps are taken for early resolution. | 5.25
Sub Total | 21.00
L) NPL Provisioning and write off
1. | CIB Reporting and Borrowers classification done in line with Bangladesh Bank guidelines. | 6.00
2. | Loan Loss Provisions made in line with Bangladesh Bank guidelines. | 6.00
3. | Eligible security value of mortgaged property as per guidelines. | 6.00
4. | Appropriate authorities approve exceptions, waiver of interest and reschedule/compromise, settlement; where applicable, Bangladesh Bank approvals are also obtained. | 6.00
5. | Appropriate authorities approve write-offs in line with Bangladesh Bank guidelines. | 6.00
Sub Total | 30.00
P) Approval Process
1. | Relationship/Marketing Department originates the Credit Proposal | 10.00
2. | Each Borrower has an individual unique control number. | 10.00
3. | Clearance of Credit Administration has been taken for renewal proposal regarding documentation & compliance of covenants. | 11.00
4. | Time frame is stipulated to decline the Credit Application and intimation to the Client for more information and documents. | 10.00

5. | All credit approvals are given on a one-obligor basis. | 10.00
6. | Renewal proposal has been properly reviewed and financial projections of earlier proposal have been considered by the Credit committee. | 12.00
Sub Total | 63.00
Q) Approval Transaction Record
1. | Credit Administration Department enters all credit facility amounts into MIS-Database. | 14.00
2. | Standard Sanction Letter is delivered to Borrowers per approvals and is properly filed. | 10.50
3. | Proper MIS is maintained and timely reported to Management. | 10.50
4. | Concerned Department keeps a historical record of all disbursements. | 7.00
5. | Accounting and system controls ensure that outstandings are posted to the correct account and properly summarized for management decision-making. | 7.00
Sub Total | 49.00
TOTAL CONTROL RISK | 275.00
GRAND TOTAL | 575

(Manager Credit/Advance in Charge) (Zonal Head)


Reference:
a) ABL Existing Practice
b) Core Risk Inspection Report Performed by Bangladesh Bank.(DB1-2 (DIV-5)/65/2016-689)
c) Branch Audit Rating (Annexure-A)

NAME OF THE BRANCH:
Annexure- 3
DEPARTMENTAL CONTROL FUNCTION CHECKLIST -DAILY (a)

1. GENERAL BANKING
PROCESS | FUNCTIONS | RESPONSIBILITY | (one column per day of the month, up to 31)
A. CASH MANAGEMENT
Cash Transaction 1.A.(a) | Cheques/withdrawal slip/cash debit voucher to be cross checked with payment register & Computer Print (CP) payment list by the tellers (Independent) | Teller/Paying Cashier
1.A.(B) | Daily cash received and payments made including online payment are checked. | Cash in charge/DM

1.A.(C) | Exceptions, such as teller limit, posting restrictions, insufficiency, etc. to be checked instantly against source document (vouchers/limit register/posting restriction register). | Supervisor
1.A.(e) | A/C No. & amount of pay in slip to be cross checked with Receiving Register & CP receiving list. | Supervisor / Cash Officer
Cash in hand (Local currency) 1.A.(f) | Physical cash balance is cross-checked and tallied with affairs | Cash in Charge
1.A.(g) | Holding of cash within safe limit | GB in charge/DM
1.A.(h) | Mutilated notes separately kept and recorded in the separate register. | Cash in Charge

1.A.(i) | Fly leaf of the branch is used on each and every bundle of currency notes | Cash in Charge
Cash in hand (Foreign Currency) 1.A.(j) | Selling and buying of foreign currency and recording in the register under dual control. | In-charge GB/FEX/DM
1.A.(k) | Physical cash balance is checked with affairs. | GB In charge/DM

B. SECURITY MEASURES OF THE BRANCH

1.B.(a) | Security guards are alert at the branch premises | In-charge GB/FEX/DM
1.B.(b) | Security alarm is active in the branch. | In-charge GB/FEX/DM
1.B.(c) | Fire extinguisher is available in the branch. | In-charge GB/FEX/DM
1.B.(d) | Close Circuit Cameras with TV are active in the branch. | In-charge GB/FEX/DM

1.B.(e) | Entry into cash cabins is not permitted to unauthorized users. | In-charge GB/FEX/DM
1.B.(f) | Joint custody of cash and valuables is in force meticulously. | In-charge GB/FEX/DM

C. SECURITY FORM
Prize Bond 1.C.(a) | Prize bonds are recorded mentioning the number in the register/sheet | GB In charge/DM
1.C.(b) | Checking of physical stock of security form and prize bond with GL and prize bond register. | GB In charge/DM
1.C.(c) | Physical verification of stamps in hand (with denomination) with GL and register. | GB In charge/DM

Sanchaypatra 1.C.(d) | Receiving and recording of SP block from feeding branch/BB are done properly. | GB In charge/DM
1.C.(e) | Selling of Sanchaypatra and encashment of SP are recorded properly. | GB In charge/DM
1.C.(f) | Claiming reimbursement against encashment SP in time. | GB In charge/DM
1.C.(g) | Physical verification of SP block with SP stock register and validation of above transactions are done. | GB In charge/DM
Security Form 1.C.(h) | Security forms issued register is maintained properly and authenticated by joint custodians. | GB In charge/DM

1.C.(i) | Indent of security forms is made as per actual needs of the branch. | GB In charge/DM
1.C.(j) | The security forms (Drafts/POs) are branded with the branch name before being brought into use | GB In charge/DM
1.C.(k) | All the packets containing security forms are opened, verified and recorded in the register under authentication of joint custodians. | GB In charge/DM
1.C.(l) | All the invoices are neatly filed for verification. | GB In charge/DM

1.C.(m) | Release of security forms for use is done only after authentication of joint custodians. |

D. ACCOUNT OPENING ACTIVITIES

1.D.(a) | Complete identification of the account holder (person/company) is incorporated in the account opening form and genuineness (by giving thanks letter/RJSC office visit) of address/registration is confirmed. | GB In charge/DM
1.D.(b) | KYC, TP was filled up cautiously | GB In charge/DM

1.D.(c) | Opening of various deposit accounts by following applicable rules and information input in banking software are proper. | GB In charge/DM
1.D.(d) | The account holder himself took the cheque book |
E. CLEARING HOUSE
Bangladesh Automated Clearing House (BACH) 1.E.(a) | Scanning image of received instruments. | GB In charge/DM/BM
1.E.(b) | Marking of BACH in high value and regular value. | GB In charge/DM/BM
1.E.(c) | Release reprocess to Central Clearing Department (CCD). | GB In charge/DM/BM
1.E.(d) | Checking settlement position of BACH | GB In charge/DM/BM

1.E.(e) | Inform returned instruments information to the client | GB In charge/DM/BM
1.E.(f) | Validation of above activities by Supervisor BACH delegation (receiving and printing). | GB In charge/DM/BM
1.E.(g) | Scrutiny of BACH (checking of cheque series, routing number, account number, transaction number, amount of the instruments, manual and electronic endorsement of both high value and regular value instruments) | GB In charge/DM/BM
1.E.(h) | Accepting of instruments. | GB In charge/DM/BM

Clearing do's and don'ts 1.E.(i) | Whether outward cheque is scanned, and amount mentioned is correct or not. | Clearing staff
1.E.(j) | Crossing, Clearing and Endorsement seal on outward cheque is confirmed. | Clearing staff
1.E.(k) | Cheque return is done within the stipulated time | Clearing staff
1.E.(l) | Cheque amount and MO amount are the same | Clearing staff
1.E.(m) | Vouchers are posted before confirming return on the same date | Clearing staff
1.E.(n) | ID password of the branch is secured | Clearing staff
1.E.(o) | Preparation of batch ticket, MO preparation, sealing on instruments, check entry etc. are done | Clearing staff

1.E.(p) | Debit customer account upon getting positive payment advice from the customer in case of need. | GB In charge/DM/BM

F. REMITTANCE
Outward bill for collection (OBC) 1.F.(a) | Receiving of instruments, recording in the register and sending of instruments for collection under dual control | GB In charge/DM/BM
1.F.(b) | Return information of instruments (if any) is informed to the client. | GB In charge/DM/BM
Inward bill for collection (IBC) 1.F.(c) | Receiving and recording are done in the register under dual control. Payment complying relevant procedures | GB In charge/DM/BM

Bills and Remittance 1.F.(d) | Issuance and encashment of Pay Order, Pay Slip and Demand Draft upon complying relevant policy and procedure of the bank and recording the same in the register under dual control. | GB Incharge/DM/BM
1.F.(e) | Balancing the leaf of security blocks on a regular basis. | GB In charge/DM/BM
Remittance 1.F.(f) | Effective steps are taken for making of entry in B.P account | GB In charge/
1.F.(g) | No deviations are observed in conduct of bill business and local collections | DM/BM
1.F.(h) | Branches are reporting dishonored cheques through informing Zonal Office accordingly. | GB In charge/
G. SAFE DEPOSIT LOCKERS

1.G.(a) | Number of keys issued to customers is reconciled to record of lockers and Agreement Form | Credit In charge/
1.G.(b) | The locker room is neatly maintained befitting the status of the bank. | In charge/BM
1.G.(c) | Applications for safe deposit articles are filed. | In charge/BM
1.G.(d) | Safe custody ledger and register are maintained as per instructions and balanced at stipulated periodicity. | In charge/BM
1.G.(e) | Signatures in locker access slips are verified and authenticated. | In charge/BM
1.G.(f) | All locker agreements are duly filled in and executed? | In charge/BM

1.G.(g) | Charges as laid down have been recovered in respect of all eligible cases. | In charge/BM
1.G.(h) | Effective steps are taken to recover arrears in locker rent? | In charge/BM
1.G.(i) | Access register is maintained / signatures of hirer obtained and verified before following operations as per instructions? | In charge/BM

2. CREDIT OPERATION
A. CREDIT RELATED
2.A.(a) | Preparation of loan proposal and sending to sanctioning authority for approval upon complying relevant policy and procedure of the bank. | Dealing officer/s Name & Design; Credit In charge/DM/BM
2.A.(b) | Prepare CRG / up to date CRG of the client. | Credit In charge/

2.A.(c) | Obtaining CIB report / up to date clean CIB report / CIB reporting. | DM/BM
2.A.(d) | Receiving sanction letter from sanctioning authority and accordingly advising the client. | Credit In charge/
2.A.(e) | Execution of required papers and documents as per sanction letter. | DM/BM
2.A.(f) | Prepare LDCL and send to ICC | Credit In charge/
2.A.(g) | Maintain safe-in and safe-out register under dual control. | DM/BM
2.A.(h) | Maintain due date diary for insurance and SRO token of the branch. | Credit In charge/

2.A.(i) | Prepare loan sanction checklist | Credit In charge/
2.A.(j) | Follow up and supervision of credit exposure of the branch regularly for keeping loans and advances/assets as standard. | DM/BM
2.A.(k) | Follow up the overdue and NPL loans regularly. | Credit In charge/
2.A.(l) | Monitoring, supervision and follow up of all court cases (if any). | DM/BM
2.A.(m) | Ensure timely renewal of loans. | Credit In charge/
2.A.(n) | Rescheduling of classified loan accounts (if any) as per BRPD circular of BB. | DM/BM

2.A.(o) | Preparation of CL Statements as per BRPD circular of BB | Credit In charge/

3. IT SECURITY MANAGEMENT
A. IT SECURITY GENERAL

3.A.(a) | PC/Laptop are protected by screen saver password | IT in charge/GB Manager
3.A.(b) | Unauthorized and temporary staff are not involved in any posting and there is no one man show in the branch. | IT in charge/GB Manager
3.A.(c) | Before leaving the branch, every PC/Server is logged off & switched off | IT in charge/GB Manager
3.A.(d) | USB ports are used for mouse & keyboards only. Other ports are strictly prohibited. | IT in charge/GB Manager

3.A.(e) | T24/SWIFT/Banking Software/Remittance related PCs are strictly prohibited from any net connection | IT in charge/GB Manager
3.A.(f) | Computer room is under CCTV coverage & lock and keys. | IT in charge/GB Manager
3.A.(g) | Personal modems are strictly prohibited in any PC of the branch. | IT in charge/GB Manager
3.A.(h) | Printed Supplementary of various section Audit Trails are checked with vouchers after banking hour | IT in charge/GB Manager
3.A.(i) | Same person was not user and authorizer | IT in charge/GB Manager

3.A.(j) | Accept over write & cheque payment without option is not performed. | IT in charge/GB Manager
3.A.(k) | No unused password exists, and passwords used are complex and changed frequently. | IT in charge/GB Manager
3.A.(l) | Password confidentiality is maintained (not shared) strictly. | IT in charge/GB Manager
3.A.(m) | Extra precautionary measures are taken for ON US/OF US or WBTT deposit and payment. | IT in charge/GB Manager
3.A.(n) | Daily TT issue and Payment report file print taken & kept with signature. | IT in charge/GB Manager

B. PRECAUTION FOR PAYMENT UNDER WBTT

3.B.(a) | WBTT issue and payment completed within 4.30 P.M. | IT in charge/GB Manager
3.B.(b) | Beneficiary's A/C opening, Thanks Letter return & TP updated | IT in charge/GB Manager
3.B.(c) | In case of ABL Beneficiary's personnel consent | IT in charge/GB Manager
Precaution for payment under WBTT 3.B.(d) | Suspicious activities informed to concerned authority | IT in charge/GB Manager
3.B.(e) | During authorization, account no. and amount are confirmed. | IT in charge/GB Manager
3.B.(f) | Day Start and Day End balance is examined and every GL head balance is confirmed. | IT in charge/GB Manager
3.B.(g) | Any two-times posting (TT issue, NG posting) is not done – checked and confirmed. | IT in charge/GB Manager

Process: For Account Payment
3.B.(h) | Before payment, test (ABCZ) given on IBCA/MOCA has been confirmed. | IT in charge/GB Manager
3.B.(i) | Full test examined before payment. | IT in charge/GB Manager
3.B.(j) | Scroll No. of remittance maintained. | IT in charge/GB Manager
3.B.(k) | Tally payment detailed with respond advices maintained, GB managers/CD in charge. | IT in charge/GB Manager

C. PRECAUTION FOR PAYMENT CASH OVER COUNTER

Process: Cash Over Counter payment
3.C.(a) | Information given by beneficiaries such as name of sender, sending country, name of beneficiary checked. | IT in charge/GB Manager

3.C.(b) | 1st user "Commit", 2nd user "Authorize" ensured. | IT in charge/GB Manager
3.C.(c) | Any suspicious activity informed to higher authority instantly. | IT in charge/GB Manager

4. FOREIGN EXCHANGE BUSINESS/ TRANSACTION

PROCESS | FUNCTIONS | RESPONSIBILITY | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
A. GENERAL MATTERS OF FOREIGN EXCHANGE BUSINESS/ TRANSACTION
Process: General Matters of Foreign Exchange Business/Transaction
4.A.(a) | Credit report of the buyer and supplier obtained. | Dealing officer/s Name & Design
4.A.(b) | Business relations are built with familiar business firm. | Dealing officer/s Name & Design
4.A.(c) | L/C issued for the goods concerned and permitted for L/C. | Dealing officer/s Name & Design
4.A.(d) | L/C opening under legal (actual) a) PI/Indent, b) within delegation of power, c) obtaining permission from competent authority (by giving actual information without hiding any information) and d) not exceeding IRC/ERC limit. | Dealing officer/s Name & Design

4.A.(e) | Insurance Policy performed with reputed insurance company. | Dealing officer/s Name & Design
4.A.(f) | Contract done under INCOTERM. | Dealing officer/s Name & Design
4.A.(g) | Goods are transported by reputed transport company. | Dealing officer/s Name & Design
4.A.(h) | Goods are inspected by internationally reputed inspection company at boarded point. | Dealing officer/s Name & Design
4.A.(i) | Contract performed with reputed exporter/sellers. | Dealing officer/s Name & Design
4.A.(j) | In case more than one transport company is engaged, PSI should be imposed. | Dealing officer/s Name & Design
4.A.(k) | PAD and IFBC recovered within due date. | Dealing officer/s Name & Design
4.A.(l) | Documents are checked as per prescribed checklist (e.g. checklist for import & export L/C, discrepancy checklist, back to back L/C checklist, cautions for back to back L/C etc.) | Dealing officer/s Name & Design

B. IMPORT
Process: Import
4.B.(a) | Opening of LC by obtaining stipulated margin/cash security. | FEX In-charge/DM/BM
4.B.(b) | LC commission/charge realized properly. | FEX In-charge/DM/BM
4.B.(c) | LC opened with valid IRC/other | FEX In-charge/DM/BM
4.B.(d) | Related papers and documents are obtained. | FEX In-charge/DM/BM
4.B.(e) | Compliance of other terms and conditions as stipulated in HO sanction letter. | FEX In-charge/DM/BM
4.B.(f) | Importer's signature verified by the concerned branch officials of the branch in Proforma Invoice/Indent/LC application form etc. | FEX In-charge/DM/BM

C. EXPORT
Process: Export
4.C.(a) | Clean export documents purchased. | FEX In-charge/DM/BM
4.C.(b) | ERC is preserved in file. | FEX In-charge/DM/BM
4.C.(c) | Financial facilities are given against defective/fake Export Bill. | FEX In-charge/DM/BM
4.C.(d) | Effective steps are taken against long non-payment of export proceeds and steps are taken to return exported goods. | FEX In charge/DM/BM

4.C.(e) | Proper steps are taken for repatriation of foreign currency against Export Bill. | FEX In charge/DM/BM
4.C.(f) | Sufficient steps are taken to adjust overdue Export Bill. | FEX In charge/DM/BM
4.C.(g) | In case of fewer amounts recovered against export, no permission is taken from B.B. | FEX In charge/DM/BM
4.C.(h) | Specimen signatures of shipping company agent and airways company officers are preserved. | FEX In charge/DM/BM
4.C.(i) | Requisite interest and commissions are recovered. | FEX In charge/DM/BM
4.C.(j) | Sending of EXP form 2nd, 3rd copy to BB and 4th copy to office record is maintained/done. | FEX In charge/DM/BM
4.C.(k) | When export made within due time, issued EXP form collected and cancelled. | FEX In charge/DM/BM
4.C.(l) | Concerned Heads of accounts are balanced. | FEX In charge/DM/BM

D. FOREIGN REMITTANCE
Process: Foreign Remittance
4.D.(a) | Foreign remittance realized and credited to the respective account under dual control upon complying relevant rules and regulation of the bank. | FEX In charge/DM/BM

4.D.(b) | Make payment of all Foreign Remittance (Inward Remittance) with F.C account by complying all applicable rules and regulations of the bank. | FEX In charge/DM/BM
4.D.(c) | Issue miscellaneous outward remittance under dual control upon complying relevant rules and regulation of the bank. | FEX In charge/DM/BM
4.D.(d) | Correspond via SWIFT with foreign correspondents for miscellaneous purposes. | Dealing officer/s Name & Design
Annexure-3(b)
Agrani Bank Limited
.................Branch
DEPARTMENTAL CONTROL FUNCTION CHECKLIST (DCFCL) - "WEEKLY"
For the Month of......................

PROCESS | FUNCTIONS | Responsibility | 1st WEEK (Initial, Date) | 2nd WEEK (Initial, Date) | 3rd WEEK (Initial, Date) | 4th WEEK (Initial, Date) | 5th WEEK (Initial, Date)
 | Display up to date schedule of charges of the bank. |
Account opening activities | Opening of various deposit accounts by following applicable rules and regulations, preserving the same and loading within Banking software. | Branch Manager
 | Contact Point Verification (CPV) to be done as per HO instructions. | Branch Manager
Locker Account | Realization of security deposit, locker rent and insurance premium as per HO instructions. | GB In-charge/DM/BM
Bills and Remittance | Balancing the leaf of security blocks on a regular basis. | GB In-charge/DM/BM
Reconciliation | Reconciliation of online GL transaction with other branches and HO has been done upon complying relevant policy and procedure of the bank. | GB In-charge/DM/BM
 | Reconciliation of balance of deposit account maintained with other bank. | GB In-charge/DM/BM
Outward bill for collection (OBC) | Inform return information of instruments (if any) to the client. | GB In-charge/DM/BM
Credit Operations | 1. CIB reporting. 2. Execution of required papers and documents as per HO sanction. 3. Maintain safe-in and safe-out register under dual control. | Branch Manager
Monitoring, follow up and supervision | 1. Follow up the overdue and NPL loans regularly. 2. Monitoring, supervision and follow up of all court cases (if any). 3. Ensure timely renewal of loans. 4. Rescheduling of classified loan accounts (if any) as per BRPD circular of BB. 5. Preparation of CL Statements as per BRPD circular of BB. | Branch Manager
Returns, statements and reporting | Prepare weekly returns as per HO & BB guidelines. | Credit in charge/BM
Annexure-3(c)
Agrani Bank Limited
Branch Name:...........
Departmental Control Functional Check List (DCFCL) “Monthly” Statements
For the Month of..........

PROCESS | FUNCTIONS | Responsibility | Date of Checking | Initial
OVERALL CLEANLINESS OF THE BRANCH PREMISES | Ensure proper cleanliness of the branch premises as per HO instructions. | Branch Manager
ATTENDANCE OF THE BRANCH EMPLOYEES | Ensure timely attendance of all employees of the branch. | Branch Manager
SAFETY, SECURITY MEASURES AND PREMISES PROTECTION | Ensure 24 hours duty of security guard. | Branch Manager/Manager Branch Operation
 | Ensure duty of Gunman during office hour. |
 | Ensure CCTV coverage for 24 hours. |
 | Ensure adequate Fire Extinguisher in branch premises. |
 | Ensure generator backup during office hour. |
 | Testing of security alarm of the branch. |
 | Checking of duty of security guard by the branch officials during holiday. |
 | Emergency contact numbers, i.e. Police station, Fire station, RAB, Hospital etc., are available in branch. |
 | Maintain complaint box in a visible place. |
 | Display up to date schedule of charges of the bank. |
COMPLIANCE OF ANTI MONEY LAUNDERING ACTIVITIES | Holding of BAMLCO meeting regularly. | BAMLCO
 | Review and reporting of CTR & STR and maintaining hard copy thereof. | GB In-charge/DM/BM
CHEQUE BOOKS, PRINTING STATIONERY AND SECURITY STATIONERY | Physical verification of undelivered cheque books and printing and security stationery is to be done dually. | GB In-charge/DM/BM

LOCKER ACCOUNT | Realization of security deposit, locker rent and insurance premium as per HO instructions. | GB In-charge/DM/BM
 | Wide publicity is given to availability of Lockers. | In charge/BM
 | Steps are taken to break open locker in case of long overdue of rent? | In charge/BM
 | Custodian's keys and keys of unrented locker are held by two different officials? | In charge/BM
BILLS AND REMITTANCE | Balancing the leaf of security blocks on a regular basis. | GB In-charge/DM/BM
RECONCILIATION | Reconciliation of online GL transaction with other branches and HO has been done upon complying relevant policy and procedure of the bank. | GB In-charge/DM/BM
 | Reconciliation of balance of deposit account maintained with other bank. | GB In-charge/DM/BM
ACTIVITIES OF ACCOUNTS DEPARTMENT | 1. Balancing of ledgers and books of accounts regularly. 2. Charging of interest, service charge and depreciation. 3. Realization of VAT and AIT as per instructions of concerned Government office. 4. Interest paid to deposit account. Monthly provision made against expenses. 5. Review and reversal of contra entries. 6. Checking and review of interest product sheet. | Branch Manager
REPORTS/RETURNS/STATEMENTS | Ensure submission of monthly reports to HO and regulatory bodies and preserved in the file. | Branch Manager
CREDIT OPERATIONS | CIB reporting. | Branch Manager
 | Execution of required papers and documents as per HO sanction. |
 | Maintain safe-in and safe-out register under dual control. |
 | Maintain due date diary for insurance and SRO token of the branch. |

MONITORING, FOLLOW UP AND SUPERVISION | Follow up the overdue and NPL loans regularly. | Branch Manager
 | Monitoring, supervision and follow up of all court cases (if any). |
 | Ensure timely renewal of loans. |
 | Rescheduling of classified loan accounts (if any) as per BRPD circular of BB. |
 | Preparation of CL Statements as per BRPD circular of BB. |
INTEGRATED SUPERVISION SYSTEM (ISS) REPORTING | Upload ISS Reporting Format from Bangladesh Bank’s Web Portal. | Concerned ISS Reporting Official(s)
 | Collect the relevant information for ISS Reporting and correctly fill up the fields of ISS Reporting. |
 | Get the report checked by the concerned officials. |
 | Submit the same to the Manager for confirmation and upload in the Bangladesh Bank’s Web Portal on or before 10th of the following month. |
 | Check the Integrated Supervision System (ISS) of the branch. | Branch Manager
 | Deficiency, if detected, report to concerned division/department of HO. Upload the Integrated Supervision System (ISS) Report to Bangladesh Bank’s Web Portal and submit back-up copy (Excel Sheet) to HO within 10th of the following month. |
RETURNS, STATEMENTS AND REPORTING | Prepare monthly returns as per HO and B. Bank guidelines. | Credit In-charge/BM
DEBIT CARD | Client’s applications for issuance of Card are forwarded to Card Division for Approval. | In charge/BM
ATM | Loading of cash in ATM after accessing previous balance. | In charge/BM

 | Passing necessary entries soon after loading and unloading. | In charge/BM
FOLLOWUP OF OUTSTANDING ENTRIES | Follow-up of long outstanding entries in Sundry Deposit/Suspense/Clearing Suspense remittance etc. | In charge/BM
 | Follow-up of outstanding entries in inter branch/inter bank reconciliation. | In charge/BM
CONTROL FUNCTION | Control returns for expenses incurred beyond discretionary powers are submitted. | GB In charge/DM
 | Control over payments in charges/Establishments expenses (Monitoring/Checking). | In charge/BM
 | Cases of leave on loss of pay/unauthorized absence of staff are reported to the controller. | In charge/BM
 | Restrictive practices of staff and indiscipline of staff including misbehavior with customers and court cases pertaining to staff reported to controllers for follow-up action. | In charge/BM
STATEMENT SUBMISSION | All periodical returns are submitted in time. Daily H.O Extract and Draft schedules are dispatched without delay. | In charge/BM
 | Various IBR Memos recorded as and when received and attended to promptly. High value enquiry Memos/IBR Memos are dealt with under the personal attention of BM. | In charge/BM
DESPATCH MAINTAINING | Letters received are opened in the presence of authorized official and entered in inward mail Register/Schedules and distributed against acknowledgements. | In charge/BM
 | Prompt disposal is entered. Disposals are marked off, with date under authentication. | In charge/BM
FURNITURE FIXTURE | Fixed Assets register/Ledger are maintained properly and depreciation entries are passed as per HO Guidelines. | GB In charge/BM

 | All furniture and fixtures are numbered, accounted for and receipted for delivery to officials. | GB In charge/DM
INCOME LEAKAGE | All the income leakage are detected in the earlier audit reports and the current report is recovered in full. (Score to be awarded in proportion to the % of recovery to the total income leakage detected.) | GB In charge/BM
 | Interest application process for deposits and advances is carried out promptly and the appropriate rate of interest is charged. No unauthorised concession is observed in interest applied/service charges. | GB In charge/BM
 | Various service charges are recovered as per extant circulars issued from time to time. | GB In charge/BM
 | All system generated reports/interest application in ledgers are checked and authorized. | GB In charge/BM

Annexure: 04
Agrani Bank Limited.
_____________ Branch
LOAN DOCUMENTATION CHECKLIST (LDCL)

STATUS: Individual / Proprietorship / Partnership / Limited Company
A/c No.
First obtain General Documents; then identify the Collateral, Facility and obtain specific documents listed hereunder. Leave out documents not called for by the terms of the Credit Approval and Facilities Advice Letter (Sanction Letter).

Sl. No. | DESCRIPTION | REQD | DATE OF DOC. | DATE RECEIVED | EXPIRY | ORIGINAL DOC LOCATED IN | TAKA AMOUNT
A. GENERAL DOCUMENTS
1. Letter of Borrower requesting for new facilities / renewal
2. Authority of Borrower to Borrow (Letter of authority from partners in case of partnership concern and resolution in case of limited company), with list of Partners/Directors
3. Form XII certified by RJSC regarding list of existing Directors for limited company
4. Facilities Advice Letter: accepted unconditionally by Borrower
5. Demand Promissory Note
6. Letter of Continuity
7. Deed of Partnership (for Partnerships; Borrower / third party), By-Laws etc.
8. Memorandum and Articles of Association (for limited company Borrower / third party) with Certificate of Incorporation
9. Letter of Arrangement
10. Letter of Disbursement
11. Revival Letter (Form I & II)

B. LIEN OF ACCOUNT
1. Resolution to lien account proceeds (for Third Party partnerships and limited cos.)
2. Letter of Lien and Set-Off (Pledge Agreement)

C. PLEDGE OF DEPOSIT/S. PATRA
1. Resolution to deposit (for Third Party partnerships and limited company)
2. Fixed Deposit Receipts / Sanchaya Patra / Bonds endorsed by holder(s)
3. Letter of Guarantee by depositor (if the deposit stands in the name of Third Party)
4. Letter of Lien and Set Off (Pledge Agreement)
5. Letter of Authority for encashment of Sanchaya Patra / Fixed Deposits

D. PLEDGE OF SHARES
1. Resolution to deposit (for Third Party partnerships and limited company)
2. Share certificates
3. Blank transfer forms for each share certificate (Form 117)
4. Memorandum of Deposit of Shares
5. Letter of Guarantee by the shareholder (if the share stands in the name of person other than the borrower)
6. Irrevocable letter of authority for collection of dividends, bonus etc. addressed by the shareholder to the relevant company.
7. Notice of pledge by the shareholder to the relevant companies.

E. PLEDGE OF INVENTORY
1. Letter of Pledge / Pledge Agreement
2. Letter of Disclaimer (if required)
3. RJSC Search Report (for limited company partnerships; Borrower / third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC
6. Modification of Letter of Pledge / Pledge Agreement of Inventory
7. RJSC Form 19, and receipt of filing with RJSC
8. Insurance Policy with EBL as jointly insured

F. HYPOTHECATION OF INVENTORY
1. Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)
2. Letter of Hypothecation of Inventory / Hypothecation Agreement
3. RJSC Search Report (for limited company. partnerships; borrower/third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC
6. Modification of Letter of Hypothecation of Inventory
7. RJSC Form 19, and receipt of filing with RJSC
8. Insurance Policy - jointly insured

G. TRUST RECEIPT
1. Trust Receipt Agreement

H. HYPOTHECATION OF RECEIVABLES/BOOK DEBTS
1. Resolution to hypothecate receivables / book debts (for Third Party partnerships and limited company)
2. Letter of Hypothecation of Receivables / Book Debts (Hypothecation Agreement)
3. RJSC Search Report (for limited company/registered partnerships; borrower/third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC
6. Modification of Letter of Hypothecation of Receivables
7. RJSC Form 19, and receipt of filing with RJSC

I. HYPOTHECATION OF MACHINERY AND EQUIPMENT
1. Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)
2. Letter of Hypothecation of Machinery and Equipment / Hypothecation Agreement
3. RJSC Search Report (for limited company. partnerships; borrower/third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC
6. Modification of Letter of Hypothecation of Machinery & Equipment
7. RJSC Form 19, and receipt of filing with RJSC
8. Latest list of machinery & equipment
9. Insurance Policy with EBL as jointly insured

J. ASSIGNMENT OF RECEIVABLES
1. Resolution to assign receivables (for Third Party partnerships and limited cos.)
2. Deed of Assignment of receivables
3. Notification and acknowledgement of assignment and confirmation of receivables from the debtor

K. MORTGAGE
1. Letter of nomination of third party mortgagor from Borrower with attested specimen signature of the mortgagor
2. Resolution to mortgage and guarantee (for Third Party partnerships and limited company)
3. Copy of valid ID (for Third Party individual mortgagor)
4. Personal Guarantee from Third Party mortgagor
5. Original title deeds of mortgagor and previous owners (Bia-Deed)
6. C.S., S.A. and R.S. Parchas
7. Mutation Parchas in mortgagor’s name, certified by Assistant Commissioner of Land
8. Duplicate carbon receipt for mutation case
9. Letter of no objection of lessor for mortgagor to mortgage (for leasehold property)
10. Land development tax receipt of the immediately preceding Bengali year
11. Municipal holding tax receipts for property in municipalities
12. Building/factory plan with letter of approval
13. Real Estate Appraisal / Valuation report
14. RJSC Search Report (for limited company/registered partnerships; borrower/third party)
15. Memorandum of deposit of title deeds (for equitable mortgages) with legal counsel’s approved draft.
16. Mortgage Deed and registration receipt endorsed by mortgagor (for legal/Registered mortgage) along with Power of Attorney
17. RJSC Form 18, and receipt of filing with RJSC if property in the name of ltd cos.
18. Certificate of registration from RJSC
19. Modification of Memorandum of deposit of title deeds
20. RJSC Form 19, and receipt of filing with RJSC
21. Income Tax Clearance Certificate as required for Registration
22. Non Encumbrance Certificate from Land Registrar


L. GUARANTEE
1. List of Directors/Partners with specimen signatures, certified by company secretary or chairman or managing partner (for limited company and partnerships)
2. Resolution to guarantee (for limited company and partnerships)
3. Net Worth Statements (NWS) for individuals/guarantors
4. Letter of Guarantee
5. Letter of Counter Indemnity

M. TERM LOAN AGREEMENT
1. Term loan agreement between Borrower and ABL
2. Draft Term Loan Agreement approved by Head of Credit Risk Management Division and Legal Counsel.

N. SECURITY SHARING AGREEMENT
1. Security Sharing Agreement
2. Draft Security Sharing Agreement approved by Head of Credit Risk Management Division and Legal Counsel.

O. SYNDICATION
1. Accepted Mandate Letter
2. Accepted Term Sheet
3. Information Memorandum
4. Participation letters
5. Facilities Agreement
6. Powers of Attorney of participants
7. Accepted Fee Letter
8. Legal counsel’s opinion
9. Head of Credit Risk Management and Legal Counsel’s approval of documents.

P. OTHER DOCUMENTS

DEPARTMENT/UNIT | NAME | DATE | SIGNATURE
RELATIONSHIP MANAGER: | | |
CREDIT ADMINISTRATION: | | |
Annexure-5

Agrani Bank Limited


________________ Branch
QUARTERLY OPERATIONS REPORT
Date:

From: Branch Manager………..

To: General Manager and Head of ICC

Copy: Divisional Head, Audit Monitoring Division

Quarterly Operations Report for the Quarter Ended on ………………..

A. POLICIES, PROCEDURES AND CONTROLS 95 MARKS


A.1. Central Bank: 30 MARKS

The Branch/Centre was last audited by the Central bank on …………………..


We confirm that adequate corrective actions have been initiated to remove the deficiencies other than the following paras of their Audit Report.

Audit Paras Number | Original Target Date of Rectification | Revised Target Date
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A. 2. INTERNAL CONTROL (LOCAL) : 35 MARKS


The Branch’s/Centre’s operational functions were also last audited by the Internal Control on ......................... We
confirm that adequate corrective actions have been initiated to remove the deficiencies other than the following
paras of the report.
Audit Paras Number | Target Date of Rectification | Revised Target Date
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A. 3. REGULATORY COMPLIANCE: 30 MARKS

We confirm that regulatory requirements in Bangladesh as outlined by Bangladesh Bank / other Govt Ministry
have been complied with except the following:

Sl. No Compliance Risk Legislation Remarks

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A. 4. CLOSED CIRCUIT TELEVISION (CCTV): 30 MARKS
(This para will be used if branches are having CCTVs at their premises)
We confirm that operations and recording of day’s activities in CCTV installed in the branches and ATM’s where
applicable have been checked regularly. The recorded cassettes are being controlled as per instructions from the
MD’s / GM’s office.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A. 5. Computer ACCESS ( if available) : 35 MARKS


a. We confirm that a full review of “Access Levels” is made to ensure that no conflicts exist and no official is
holding both IDs to input transactions and Authorise such transactions.
b. We also confirm that Administrator Passwords are held in dual custody and the both custodians review the
Administrator Journal Report and the Audit Trail Report (which reports all user access maintenance) and
investigate all activities on a daily basis.
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.6. CUSTOMER SERVICES STANDARDS: 05 MARKS


The Customer Services Standards of all departments have been checked and documented as per guidelines from
Head Office/ Regional Office. The shortfalls detected during the last quarter have been/will be removed within
the target set.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.7. DEPARTMENTAL CONTROL FUNCTIONS CHECK LISTS : 05 MARKS


a. The DCFCLs were completed and documented as per Head Office Guidelines by the concerned departments which are being/have been verified by the designated independent officials on _______
b. We confirm that no shortfalls have been identified by the Independent Reviewer and/or the shortfalls identified
by him/her are being rectified and will be completed by ____________ under advice of the Head of Compliance.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.8 INTERNAL CHECKS : 05 MARKS


We confirm that all Internal Checks as per Head Office Guidelines applicable to us are being undertaken by the
Independent officials designated in writing. All papers and the reviewer’s certificates are retained under the
control of the Unit Head/Branch Manager/Designated official for future review by the Bangladesh Bank audit
team/ Internal Control Team.
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.9. COMPLAINTS: 05 MARKS
We confirm that complaint letters received from Customers were dealt with in terms of Head office guidelines.
All complaints in the form of statement including pending complaints of previous quarter have been forwarded to
Head of Internal Control Team for his review.
*(Strike out which is not applicable)
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.10. RECOVERY OF COSTS: 20 MARKS


We confirm that the costs of telex/swift/telegrams/telephone/fax and other charges have been recovered from the
Customers/Correspondents where applicable and credited to the appropriate Recoveries Accounts under Expenses
Head.
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.11. FRAUDS, FORGERIES & OPERATING LOSSES: 10 MARKS


Following transaction(s) involving Frauds/Forgeries/Other Operating Losses has/have been detected during the
quarter ended on ___________ and reported to Head Office / zonal office/ Bangladesh Bank / Internal Control
unit
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.12. RETURNS: 05 MARKS


We confirm that returns to Head Office / Zonal Office / Bangladesh Bank, including those under Calendar of Returns, have been submitted within the scheduled dates except the following:

Title of Return Due Date Reasons for Delay Sent on


Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.13. LEGAL: 10 MARKS


We confirm that legal matters are being monitored by us as per Head office/ Zonal Office / internal control units.
Return for this half-year ended March/September has been submitted to Internal Control department on ……
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.14. COMMUNICATIONS: 05 MARKS

Following meetings were held during this quarter to improve communication among the members of Officer/Staff. We enclose a copy of the minutes of the meetings held for information and record.

Date & Time | Subject of discussions/or Agenda in brief | Suggestions/Outcome/Recommendations

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.15. FIXED ASSETS: 20 MARKS

We confirm that:
a) Quarterly as on December, March, June and September all items of Fixed Assets deployed to the branch have been included in the respective departmental lists and physical check of all departmental Fixed Assets has been undertaken and verified with the departmental inventories.
b) The entries passed through Profit and Loss A/c in respect of sale of Fixed Assets for the half year ended March/September have been reviewed to ensure that no entry is outstanding in the books.
c) Returns as on 30th September and 31st December showing the Fixed Assets sold during October to September and January to December have been prepared & reviewed for tax purposes.
d) Fixed Assets of the centre as on 31st March and 30th September have been physically checked by the independent officers designated by Internal Control team / Zonal Office.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B. PROTECTION OF VALUABLES

B.1. CHANGE OF KEYS: 10 MARKS


We confirm that the Key Register is being maintained as per prescribed procedure and keys were 1st changed with the duplicates on _________ August ________
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B.2 SAFE CUSTODY: 10 MARKS


We confirm that Safe Custody items are being maintained under dual custody and the Last complete independent
physical verification of Safe Custody items as per Head Office/ Zonal Office’s instructions was undertaken on
__________. We enclose a copy of the certificate received from the designated reviewer(s).
___________ ________________________________ CUSTODIAN(S)

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B.3 SAFE DEPOSIT LOCKERS: 10 MARKS

We confirm that keys to unrented lockers are kept in sealed envelopes under dual control and spare locks and
surrendered keys pending change of locks and keys are controlled by two independent custodians who have no
access to locker custodian’s key(s). We also confirm that Semi-Annual and Annual Internal Checks are conducted
at the prescribed frequencies and by the independent designated officials.

CUSTODIAN – 1 CUSTODIAN – 2
(Item 3 applies to branches/centres where lockers are installed.)

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B.4. CONTROLLED & RECORD STATIONERY: 05 MARKS

All Controlled Stationery are being kept under dual custody and Bulk/Working Stocks are being verified as per
instructions from Head Office / Zonal Office
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B.5 RECORD STATIONERY: 05 MARKS
a) The record register is maintained and records preserved properly.
b) Effective control over records is observed so as to prevent any pilferage of records.
c) All obsolete records are destroyed as per extant instructions with controller’s approval.
d) Stationery registers and ledgers are maintained up to date
e) All stationery items received are recorded and arranged in good condition.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B.6. TEST KEYS: 05 MARKS


TEST/KEYS/CODE BOOKS are being maintained as per requirements.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B.7. SIGNATURE BOOKS AND BRANCH DOCUMENTS: 05 MARKS

a) All signature books of branches & correspondent banks are being maintained as per requirements.
b) Branch document register is maintained as per instructions in force.
c) The key register is maintained as per extant instructions.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B.7. CASH/TC/SPS ETC. 50 MARKS


Cash/TCs/Prize Bonds / Foreign Monies / Sanchaya Patras / Wage Earners’ Development Bonds are being dealt
with as per requirements – Physical verifications also being carried out at the frequencies prescribed.
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

C.PROOFS/VERIFICATIONS: 05 MARKS
C.1. All accounts in GL/Subsidiary ledger were proved and verified during the quarter except the following accounts.

Title of GL Account | Difference Amount | Date Last Reconciled | Target Date/Date Reconciled

We confirm that all outstanding entries in General Suspense (Assets & Liabilities) are being followed up for early
liquidation. We enclose the statements of General Suspense Accounts as at 31st March/30th June/30th
September/31st December for your perusal.
Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

C.2. DIFFERENCE ACCOUNTS:


We enclose a summary showing the outstanding in Difference Accounts. The entries relating to differences are
being investigated. All unresolved entries will be adjusted in terms of approval of Head office/ Zonal Office.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

D. PERSONNEL & SUPERVISION

D.1. Following transfers/movements were effected during the quarter (both Officers and Unionized Staff). 20 MARKS

Name | From (Dept.) | Period worked in this department | Transferred to (Dept.) | W.E.F. ____ (Date)

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

D.2. LEAVE PROGRAMMES: 20 MARKS


1. Officers/staff are being granted leave as per leave programme. (Exceptions are given below):

Name | Category of Staff | Number of days accumulated

2. Unionized staff have leave entitlement within the prescribed limit of 93 days. Exceptions having leave
accumulation over the limit of 93 days are given below:
Name Number of days accumulated over limit
3. Arrangements have been made to allow all employees including Management Staff to avail of 10 days
uninterrupted leave or half of annual leave entitlement, whichever is lesser in terms of service rules.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

D.3 TRAINING PROGRAMME 20 MARKS


Following Officers/staff are undergoing training / have undergone training during the quarter.

Name of Participant | Name of Course attended | Duration of Course | Course Conducted by

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

E. PREMISES MANAGEMENT

E.1. FIRE/SAFETY STANDARDS: 30 MARKS


a) Following items have been checked during the quarter ended March/June/September/December
_________.
Fire/Safety Procedure Ref: Standard Achieved/Shortfalls detected
i)
ii)
iii)
iv)
b. Half-yearly Self Audit of Fire/Safety Standards was undertaken and the return submitted to you for the period
ended 31st January / 31st July ……. in a separate letter on ……….
c. We confirm that:
i) Fire Drill was carried out half-yearly on ……….. and ……… in terms of Emergency Evacuation
Standards of Fire / Safety procedures.
ii) Security Drill was carried out regarding Audible Tellers Counter Alarm Protective System and
was duly documented.
iii) Recording of the arrival and departure time of all personnel occupying the Premises outside
working hours and after banking hours are being documented/reviewed in the Registers
maintained for these purposes.
d. All electric wirings were checked by M/s ………………………………….. on …………………… and
certificates obtained and kept in file for future audit / inspection. We enclose a copy of the certificate for
our record.
e. The premises were inspected on holidays by the officers on rotation. Immediate action was taken on
shortfalls detected through the checklist maintained which is retained after taking appropriate action as
applicable for future audit/inspection.
(Branch Manager) (Zonal Head)

Annexure-06 Agrani Bank Limited


Audit Monitoring Division (AMD)
Head Office, Dhaka
Control Function Risk Rating
[This Annexure will be used by ICT Team, they will also use formats (soft copy) developed by AMD].

Name of the Branch ...............................

1. Risk Assessment:

Risk Assessment has to be carried out at two stages:

i) Off site – For formulation of Audit Plan
ii) On site – During the course of Audit.
The assessment formats for both off site and on site are the same. For assessing risk, different formats/work
sheets are used. The formats are:
i) Branch Profile – This format includes the branch’s address, location, type (AD/non AD and
computerized or not), Affairs & GL statement’s figures, NPA management information,
profitability etc.
ii) Score Sheets – This sheet includes the accumulated scores from different work sheets of both
Business and Control Risk items.
iii) Work Sheets for business risk –
a) Credit risk assessment work sheet
b) Earning risk assessment work sheet
c) Liquidity risk assessment work sheet
d) Strategy and business environment assessment work sheet
e) Operational risk assessment work sheet
iv) Work Sheet for Control Risk –
a) Credit risk assessment work sheet
b) Internal control risk assessment sheet
c) Compliance risk assessment work sheet
d) Management risk assessment work sheet
Scoring :
All parameters to be assessed are summarized under "Business Risks" and "Control Risks".

The levels of Inherent Business risk and Control risk for the different units of the branch are assessed
separately as Low/Medium/High risk.
The risk assessment rating (RA rating) table for the branch is depicted in Figure 1.

Figure-1

Particulars | Max. Score | Awarded Score Year-1 | Awarded Score Year-2 | Awarded Score Year-3
Inherent Business risk | | | |
1. Credit Risk | 450 | | |
2. Liquidity Risk | 50 | | |
3. Earning Risk | 100 | | |
4. Operational Risk | 300 | | |
5. Strategy and Business Environment Risk | 150 | | |
Total | 1050 | | |
Percentage | 100 | | |
Level of Inherent business risks of branch | | | |
Control Risks | | | |
1. Credit | 385 | | |
2. Internal Control | 510 | | |
3. Management | 50 | | |
4. Compliance | 105 | | |
Total | 1050 | | |
Percentage | 100 | | |
Level of Control Risk of branch | | | |
Level of Composite Risk of branch | | | |
Risk assessment rating of branch | | | |

2. Steps for awarding scores are as follows:

Step I: Based on the observations during Audit, quantify the breaches under each parameter in percentage.
Step II: Quantify the breaches as a percentage of Total Advances.
Step III: Award scores based on level of risk as follows:

Level of risk | Maximum Marks 5 | Maximum Marks 10 | Maximum Marks 15 | Maximum Marks 20
Low/Good | 4-5 (71%+) | 8-10 (71%+) | 11-15 (71%+) | 14-20 (71%+)
Medium/Satisfactory | 2-4 (41-70%) | 4-7 (41-70%) | 6 or 10 (41-70%) | 8-14 (41-70%)
High | 0-2 (up to 40%) | 0-4 | 0-6 | 0-8

Level of risk | Maximum Marks 25 | Maximum Marks 30 | Maximum Marks 40
Low/Good | 17-25 (71%+) | 21-30 (71%+) | 27-40 (71%+)
Medium/Satisfactory | 11-17 (41-70%) | 13-20 (41-70%) | 17-27 (41-70%)
High | 0-10 | 0-12 | 0-16

Discretion is being given to the auditor (s) to award the marks within the range specified for each level depending upon their onsite
judgment.

Level of Risk:

The Level of risk is to be determined separately for ‘Business Risks’ and ‘Control Risks’.
The levels will be linked to the scores and will be determined as follows:

Level of Risk | Scores as a % of Total
Low Risk | 70% and above
Medium Risk | 40% up to 70%
High Risk | Below 40%

Score Sheet Summary


(i) The Score Sheet Summary needs to be compiled as per the following sheet, based on the scores awarded as per point
no. 2 above. For parameters which are not applicable in a branch, the maximum marks for the same may be reduced
from the total marks.

Score Sheet Summary

Business risk

SL # | Particulars | Maximum Marks | Marks Awarded | % | Level of Risk
A. | Credit Risk (CR) | | | |
1 | Portfolio Quality and Composition | 150 | | |
2 | Pre-sanction Credit Process | | | |
 | a) Quality of appraisal | 195 | | |
 | b) Quality of Assessment | 65 | | |
 | c) Sanction | 20 | | |
 | d) Organizational Structure for managing CR | 20 | | |
 | Total Marks for Credit Risk (A) | 450 | | |
B. | Earning | 100 | | |
C. | Liquidity | 50 | | |
D. | Strategy and business Environment | | | |
1 | Business achievement | 80 | | |
2 | Profitability | 50 | | |
3 | Market Share | 20 | | |
 | Marks for Strategy and business Environment (D) | 150 | | |
E. | Operational Risk | | | |
1 | Fraud prevention and Follow-up effects | 40 | | |
2 | Documentation and compliance with terms | 50 | | |
3 | Exercise of Delegated Authority | 15 | | |
4 | Accounting System/Balancing of Books/Computer Audit (Only for Computerized Branch) | 145 | | |
5 | Anti money laundering related issues | 30 | | |
6 | Customer service | 20 | | |
 | Total Marks for Operational Risk (E) | 300 | | |
 | Total marks for Business risk | 1050 | | |

c) Determine the composite risk level using composite risk matrix.

The composite risk of the branch/activity has to be determined separately for each year. Composite risk reflects the combined effect of both business and control risk of the
branch/activity. There will be five levels of composite risk: Low, Medium, High, Very High and Extremely High risk as shown below:

Inherent Business Risk (rows) / Control Risk (columns) | Low | Medium | High
High | A: High Risk | B: Very High Risk | C: Extremely High Risk
Medium | D: Medium Risk | E: High Risk | F: Very High Risk
Low | G: Low Risk | H: Medium Risk | I: High Risk
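
The scoring and composite-risk lookup described in this annexure, as an added Python example that is not part of the policy document. The maximum marks come from Figure-1 and the matrix is the one printed directly above; the function names and the sample branch marks are constructed for illustration, marks are treated as whole numbers, and a parameter that is not applicable is passed as None so that its maximum drops out of the total.

```python
from typing import Dict, NamedTuple, Optional, Tuple

# Maximum marks per parameter, from Figure-1 of this annexure.
BUSINESS_MAX = {"credit": 450, "liquidity": 50, "earning": 100,
                "operational": 300, "strategy_environment": 150}
CONTROL_MAX = {"credit": 385, "internal_control": 510,
               "management": 50, "compliance": 105}

# Composite risk matrix as printed above.
# Key: (inherent business risk level, control risk level).
COMPOSITE_MATRIX = {
    ("High", "Low"): ("A", "High Risk"),
    ("High", "Medium"): ("B", "Very High Risk"),
    ("High", "High"): ("C", "Extremely High Risk"),
    ("Medium", "Low"): ("D", "Medium Risk"),
    ("Medium", "Medium"): ("E", "High Risk"),
    ("Medium", "High"): ("F", "Very High Risk"),
    ("Low", "Low"): ("G", "Low Risk"),
    ("Low", "Medium"): ("H", "Medium Risk"),
    ("Low", "High"): ("I", "High Risk"),
}


class GroupScore(NamedTuple):
    awarded: int
    maximum: int
    percent: float
    level: str


def risk_level(awarded: int, maximum: int) -> str:
    """Map a score to a level: 70% and above Low, 40% up to 70% Medium, below 40% High.

    A higher score means fewer breaches, so a high score is LOW risk.
    Integer comparison avoids rounding errors exactly at the 40% and 70% cut-offs.
    """
    if maximum <= 0:
        raise ValueError("maximum marks must be positive")
    if awarded * 100 >= 70 * maximum:
        return "Low"
    if awarded * 100 >= 40 * maximum:
        return "Medium"
    return "High"


def score_group(awarded: Dict[str, Optional[int]], maxima: Dict[str, int]) -> GroupScore:
    """Total one group (business or control) of parameters.

    A parameter marked None is not applicable in the branch: its maximum is
    removed from the total, as the Score Sheet Summary instructions allow.
    """
    if set(awarded) != set(maxima):
        raise ValueError(f"expected parameters {sorted(maxima)}, got {sorted(awarded)}")
    total_awarded = total_max = 0
    for name, marks in awarded.items():
        if marks is None:
            continue
        if not 0 <= marks <= maxima[name]:
            raise ValueError(f"{name}: {marks} is outside 0..{maxima[name]}")
        total_awarded += marks
        total_max += maxima[name]
    if total_max == 0:
        raise ValueError("every parameter is marked not applicable")
    percent = round(100 * total_awarded / total_max, 2)
    return GroupScore(total_awarded, total_max, percent, risk_level(total_awarded, total_max))


def composite_risk(business: Dict[str, Optional[int]],
                   control: Dict[str, Optional[int]]) -> Tuple[GroupScore, GroupScore, str, str]:
    """Return (business score, control score, matrix cell, composite risk level)."""
    b = score_group(business, BUSINESS_MAX)
    c = score_group(control, CONTROL_MAX)
    cell, level = COMPOSITE_MATRIX[(b.level, c.level)]
    return b, c, cell, level


# Constructed sample marks for one branch and one year (not real audit data).
SAMPLE_BUSINESS = {"credit": 330, "liquidity": 40, "earning": 75,
                   "operational": 220, "strategy_environment": 100}
SAMPLE_CONTROL = {"credit": 200, "internal_control": 250,
                  "management": None, "compliance": 50}

if __name__ == "__main__":
    b, c, cell, level = composite_risk(SAMPLE_BUSINESS, SAMPLE_CONTROL)
    print(f"Business risk: {b.awarded}/{b.maximum} = {b.percent}% -> {b.level}")
    print(f"Control risk:  {c.awarded}/{c.maximum} = {c.percent}% -> {c.level}")
    print(f"Composite risk: cell {cell}, {level}")
```

The year-wise worksheets that follow label cell I differently from the matrix above; the sketch follows the matrix above.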

Composite Risk Matrix for the year 2012

Particulars | Score awarded | Total Score | Level of Risk | Category
Business Risk | | | |
Control Risk | | | |
Composite Risk | | | |

Risk Matrix

Business Risk (rows) / Control Risk (columns) | Low | Medium | High
High | A (High) | B (Very High) | C (Extremely High)
Medium | D (Medium) | E (High) | F (Very High)
Low | G (Low) | H (Medium) | I (Very High)

Composite Risk Matrix for the year 2011

Particulars | Score awarded | Total Score | Level of Risk | Category
Business Risk | | | |
Control Risk | | | |
Composite Risk | | | |

Risk Matrix

Business Risk (rows) / Control Risk (columns) | Low | Medium | High
High | A (High) | B (Very High) | C (Extremely High)
Medium | D (Medium) | E (High) | F (Very High)
Low | G (Low) | H (Medium) | I (Very High)

Annexure: 07
Agrani Bank Limited
Audit Monitoring Division
Head Office, Dhaka
Deputy General Manager
Agrani Bank
Audit Internal Control & Compliance Division
Head Office
Dhaka

Sub: Inspection Report of Internal Control Team (ICT)

Dear Sir,
Internal Control Team (ICT) has inspected the…………….. Branch office/ Offices on………………and found major deviations and
other doubtful transactions in reviewing of Departmental Control Functional Checklist (DCFCLs) and operations Report. During our
inspection, the following issues were observed and are listed below:

Branch name Comments


1. DCFCL
2. Branch security & Administrative System
3. Cash
4. Deposit Banking
5. General Banking
6. Accounts
7. Loan & Advance
8. Foreign Exchange Trade
9. Others

Name of the Inspection Officer / Officers:

Signature & Date:

Agrani Bank Limited Annexure: 08

----------------------- Branch
IT and Security Management Checklist
Sl. No. | Particulars | Yes/No (if No explain the reason) | Allocated Marks (150) | Obtained Marks | Remark
A. Business Risk | 75 Marks
Whether -
1 | Server computer is protected by screen saver password. | | 5 | |
2 | Computers at work stations are protected by screen saver password. | | 5 | |
3 | Confidentiality of user ID and Admin password is maintained cautiously. Extra/unused passwords are removed from the computer, i.e. passwords of employees who are transferred are deleted immediately. Active authorizer/user’s list is maintained in a register. | | 5 | |
4 | Passwords are complex (may be combination of numeric and alphabetic). Password changed at regular interval. | | 5 | |
5 | There is a User ID Maintenance Register with access privileges duly approved by the appropriate authority/Br. Manager. | | 5 | |
6 | The length of password is at least 6 characters and a combination of uppercase, lowercase, number & special characters. | | 5 | |
7 | There is a unique User ID and a valid password for each user. | | 5 | |
8 | The same person is inputter and authorizer of the same transaction. | | 5 | |
9 | Daily T-24 Securities: i) Clearing suspense account is in zero balance. ii) Catch all balance is NIL. iii) At the end of day total cash is transferred to vault by making Till zero. iv) When there is no work in T-24, its windows are not kept open, and after necessary work the windows are signed off. v) Consolidated SB/CD/STD head balance is in zero position. | | 5 | |
10 | WEB based Q-Remittance: Precaution for payment (both account payee and cash over counter). Ref. I.C. letter no. FRD/003/15 dated 20/05/15. For Account Payee Payment: i) Before payment, Test (ABCZ) given on IBCA/MOCA is confirmed. ii) Payment is not made before full test is examined. iii) Scroll nos. of remittance are in sequence. iv) At the end of the day GB manager/CD in charge tallies payment detail with respond advices. v) User ID and Passwords are not shared. vi) First user committed and second user authorized. In any case same person never used same password at a time. vii) Any suspicious activities found are reported to IT Security (IT Division) instantly. For cash over counter payment: i) Information given by beneficiary such as name of the sender, sending country, name, NID no. and amount are the same; no deviation found. | | 5 | |
11 | WBTT (Web Based TT). Ref. I.C no. BSUCD/43/15 dated 20/05/15: i) WBTT payment completed within 4.30 pm. ii) Beneficiary’s account opening, thanks letter receiving/return and TP is checked. iii) When ABL personnel is the beneficiary, his consent is taken. iv) Any suspicious activities found are reported to IT Security (IT Division) instantly. v) For WBTT user ID and password are in fixed and in saved position. vi) TT issue, TT payment and cheque payment according to the number of branches concerned is tallied with register. | | 5 | |
12 | Every cancellation of cheque/voucher posting is done maintaining delegation of powers. | | 5 | |
13 | No payment is done by using without cheque option (though having cheque) on party’s request at T-24 software. | | 5 | |
14 | Accept override done without prior permission of manager/authority (which is strictly prohibited). | | 5 | |
15 | For payment of remittance, whether the following precautions are maintained or not: i) Whether User ID/password given by Exchange House is changed immediately and treated as admin password; password changed at regular interval. ii) Whether PDF advice sent by Head Office is secured and printing is done in presence of Manager GB. iii) National ID/Passport copy and system generated Money Receipt are kept with vouchers. iv) Any delay in reimbursement, whether the matter is under close supervision of Manager GB. | | 5 | |
B. Controlled Risk | 75 Marks
16 | Server/Router/Switch room (safe room) is under lock and key, cables of LAN are secured. | | 5 | |
17 | Computer monitors are kept out of clients’ view. | | 5 | |
18 | Router and other networking equipment are kept in safe and air conditioned atmosphere. | | 5 | |
19 | There is other net connection with banking & T-24 software and there are other Modem/Pen drive connected in any USB port. | | 5 | |
20 | Every day’s vouchers are checked with computer printed sheets. For T-24 software initials of both authorizer and inputter are taken on vouchers. | | 5 | |
21 | Transfer vouchers passed / Inter branch transaction (on us / of us) is checked jointly by inputter and authorizer/manager GB. | | 5 | |
22 | Manager GB examines a whole day’s posting on random basis. | | 5 | |
23 | The summary balance and ledger balance of respective heads are checked by Manager GB. | | 5 | |
24 | During monthly/half yearly/yearly closing, computer generated interest sheets (accrued interest on loans and advances and interest payable on deposits) are checked jointly and interests are posted at respective head. | | 5 | |
25 | Cheque serial entry list and deletion list are kept with every day’s voucher. For cheque serial entry in T-24 software no legacy number is used during. | | 5 | |
26 | Unauthorized and temporary staff are not involved/allowed in any transaction. | | 5 | |
27 | Life style of staff concerned is under close supervision of the Manager. (If any suspicious activity found, his user ID is to be cancelled.) | | 5 | |

28 | Account opening and post opening management. Whether: i) Necessary papers with PP size photo etc. are taken; data entry in computer is done properly is checked. ii) During account opening data entry is completed in T-24 and signature is captured. iii) Thanks Letters are given and after receiving Thanks Letter by the client cheque is issued and the client him/herself received the cheque. | | 5 | |
29 | Miscellaneous. Whether: i) There is any alternative/2nd hand to operate every sector/part of the branch? ii) Any updated Anti-Virus is installed in each server and computer, whether it is connected with internet or LAN. iii) Quality of posting, online checking, passing & security of voucher monitored properly? iv) FDR account under Lien is marked as Lien. v) At the end of the day MO/NG Extract in soft copy is uploaded and sent to Reconciliation division. | | 5 | |
30 | Before leaving the branch, precautions to be taken by the Branch Manager: i) Whether Computers/Server (both Monitor and CPU) are switched off properly and the main switch is off. ii) Back up is taken in CD, kept in distant secured places and back up taken in at least two computers of the Br. iii) Server/computer room is under lock and key etc. | | 5 | |

Moreover, other instructions given in IC No. IT&MIS/33 dated 13/04/2016 are followed cautiously.

(Online Bastobayon Kormokorta) (Branch Manager)

Reference:

a) ICT Policy-2015

b) IT Related Circular (Instruction Circular No. IT&MIS/33 dated 13/04/2016)

Annexure-09c
AGRANI BANK LIMITED
----------------------------------- Branch
CHECKLIST FOR EXPORT L/C (AS PER MASTER CIRCULAR NO. IT&FCMD/77/13 DATED 14/08/2013 ON EXPORT TRADING)

Column headings (rows 1 to 9 are left blank for entries):
1. Sl. No.
2. Name of The Exporter
3. Bill of Exchange: Time bill
4. Bill of Exchange: After date bill
5. Bill of Exchange: Demand bill
6. Bill of Exchange: At sight / After sight
7. Commercial Invoice *
8. Bill of Lading / Air bill **
9. Marine Insurance policy
10. Local chamber of commerce certificate
11. Authenticity of Advising letter of Advising Bank be judged. Under Article-9 of UCPDC Export LC/Standby Credit be reached to Beneficiary.
12. Pre Shipment Inspection by Buyers nominated Firm
13. Goods Country of Origin
14. Health Certificate, Quality certificate
15. Message received by SWIFT be checked – Must be under MT-700/701, any amendment that should be under MT 707.
16. Genuineness of Advising/Transferring of LC letter be checked, Nominating/Transferring Bank name, whether LC Transferable/Transferred or not be confirmed from SWIFT etc.
17. Credit report of Issuing Bank
18. Payment terms (sight/deferred) and Paying Bank name
19. Industry capacity be considered (quantity, unit price, shipment & expiry date etc.)

Audit and Inspection Division
Annexure: 10

AGRANI BANK LIMITED

…………………………… BRANCH
Statement of Previous Audit Objection’s False Compliance

Sl no. | Previous Audit Report’s Objection serial no. | Description of Previous Audit Report’s objection | Brief description of compliance by branch against audit objection | Auditor’s observation regarding false compliance | Name, designation & current work place of signatory of the audit objection’s false compliance officer
1 | 2 | 3 | 4 | 5 | 6

Signature: Audit Team Leader/ Member.

Annexure: 11

AGRANI BANK LIMITED


…………………………… BRANCH
…………………………………………

Statements of responsibility period wise grip loans/Irregularities


Sl no. | Description of loan | Loan sanction authority | Disbursement Date | Name, designation of loan disburse person | Loan limit | Loan expired date | Present balance | Security of loan | Cause of hold/Disburse policy
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10

Loan Officer Manager

Annexure: 12

AGRANI BANK LIMITED


…………………………… BRANCH
…………………………………………
Position of Year wise Agriculture Loan
Date ……………..
Sl no. | Year | Crops Name | Allotted amount | Total disburse amount | Total borrower number | Collected Amount | Outstanding Amount | Outstanding borrower number | Related amount with certificate case/suit filed | Number of Filed Certificate Case
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11

Related amount with unsettled certificate case | Reason for certificate case file unsettled | Time barred Loan quantity | Time barred Loan amount | Fake Borrower quantity (if any) | Fake Loan Amount (if any) | Name / present work place of Disburse manager | Remarks
12 | 13 | 14 | 15 | 16 | 17 | 18 | 19

Field staff Officer/Rural loan Officer Manager

Annexure: 13

AGRANI BANK LIMITED


…………………………… BRANCH
…………………………………………
(FROM 1972 TO TILL NOW)

Position of Year wise Expired General Loan & without Trade organization Borrower

Year | Number of borrower on Audit Date | Outstanding balance on Audit date | Number of without Trade organization Borrower | Outstanding balance on Audit date | Remarks
1 | 2 | 3 | 4 | 5 | 6

Officer Manager

Annexure: 14

AGRANI BANK LIMITED


…………………………… BRANCH
…………………………………………

Position of Period wise unsettled Certificate Case

Period | Number of case | Related amount with case | Reason for case unsettled
More than 6 months unsettled case quantity | | |
More than 01 year unsettled case quantity | | |
More than 02 years unsettled case quantity | | |
More than 03 years unsettled case quantity | | |
More than 04 years unsettled case quantity | | |
More than 05 years unsettled case quantity | | |

Auditor Manager Officer

Annexure: 15

AGRANI BANK LIMITED


…………………………… BRANCH
…………………………………………

Position of year wise under trial money suit for collection of general loan

Period | Number of under trial case | Related amount on Audit date | Reason for case unsettled
More than 6 months under trial case | | |
More than 01 year under trial case | | |
More than 02 years under trial case | | |
More than 03 years under trial case | | |
More than 04 years under trial case | | |
More than 05 years under trial case | | |

After earlier Audit unsettled case quantity & related amount.

Annexure: 16
AGRANI BANK LIMITED
AUDIT & INSPECTION DIVISION
Head Office, Dhaka.

To perform Audit-task effectively Audit-Team responsibilities are distributed below:

Name of the Branch :


Name of the Zone :
Letter No. & Date :
Audit Date :

Details of distributed works among Audit team leader & team members

Auditor’s Name Assigned Duties Signature

Mr……………………………………………………………….
( Audit Team Leader)
Mr……………………………………………………………….
( Audit Team Member)
Mr……………………………………………………………….
( Audit Team Member)
Mr……………………………………………………………….
( Audit Team Member)
Mr……………………………………………………………….
( Audit Team Member)
Mr……………………………………………………………….
( Audit Team Member)

Audit Team Leader

* This Audit task distribution copy must be attached with the Audit Report.

Audit Compliance Division
Internal Audit

Annexure: 17
Agrani Bank Limited
Audit Compliance Division
Head Office, Dhaka

Monthly Statement of Audit Objections for the month of…………………………………

SL. | Audit Report | Unsettled report up to previous month: No. of reports | Unsettled report up to previous month: No. of Objections | Audit Report received during the month | Total no. of Audit report | Settlement during the month | Settlement during the month | Position at the end of current month | Position at the end of current month
1 | 2 | 3 Ka | 3 Kha | 4 | 5 | 6 Ka | 6 Kha | 7 Ka | 7 Kha
1 | Internal Audit & Inspection | | | | | | | |
2 | Bangladesh Bank Inspection | | | | | | | |
3 | Govt. Commercial Audit | | | | | | | |
4 | Others (Special Inspection Cell, Complain Cell, Vigilance etc.) | | | | | | | |
 | Total | | | | | | | |

N.B. In the Bangladesh Inspection Report, no. of irregularities is not shown due to explanatory and qualitative
description, hence, number of report is shown. Column No. 3 kha and 7 kha are not possible to fill in with
information.

Senior Principal Officer Assistant General Manager Deputy General Manager

Annexure: 18
Agrani Bank Limited.
Audit Compliance Division
Compliance with Nirikha Paripalon Patra (NIPP)-1
For Ordinary/ Major Irregularities

Audit date:
………………….Branch Office

SL. No | Description of Irregularities | Branch Manager’s Response / Compliance

Audit team member / Team Leader Branch Manager’s Signature & Date

Annexure: 19
Agrani Bank Limited
Audit Compliance Division
Compliance with Nirikha Paripalon Patra (NIPP)-2
For Serious Lapses

Audit date:
………………….Branch/ Office
SL. No. No. of Audit Steps taken by Branch Manager/ Steps taken by For use by Head
Objection Compliance Comments of the Zonal Head Office
Branch’s Compliance

Signature & Date Signature & Date


SS no. SS no.

Annexure: 20

Agrani Bank Limited


Audit Compliance Division
Head Office, Dhaka

Monthly Statement of Audit Objections identified in Internal Audit & Inspection Report
For the month of ……………………………………………

SL no. | Name of the Audit Report | Unsettled Report up to previous months: No. of report | Unsettled Report up to previous months: No. of Objection | Audit report received during this month | Total no. of Audit report | Settled during this month: No. of report | Settled during this month: No. of Objection | Position at the end of current month: No. of unsettled report | Position at the end of current month: No. of unsettled Objection
1 | 2 | 3(a) | 3(b) | 4 | 5 | 6(a) | 6(b) | 7(a) | 7(b)
 | Total | | | | | | | |

Senior Principal Officer Assistant General Manager Deputy General Manager

Annexure: 21

Agrani Bank Limited.


Audit Compliance Division
Head Office, Dhaka
Memorandum no.……………………………………………………. Date:
Sub: Audit Clearance regarding Annual Salary Increment

(Ref. Memorandum no NIBABI/Prosha/……………./…………../…………dated…………….)

SL. No. Officers’ Name Working Place Last Audit date Comments

1 2 3 4 5

Principal Officer Senior Principal Officer/In charge Assistant General Manager

Annexure: 22
Branch Inspection Report

Administration
Yes No
1 Whether security measure of the branch is adequate
2 Whether attendance register is maintained properly
3 Whether the leave register is maintained properly
4 Whether the duty list of all officers and staff is up to date.
5 Whether the job rotation is effected
6 Whether any employee is posted in the branch for the period over 3 years
Cash
Yes No
1 Whether cash is found correct
2 Whether cash is within safe limit
3 Whether the balance of Prize bond is found physically counted and
recorded in the register
4 Whether scroll register is maintained.
5 Whether token register is maintained.
6 Whether the Key register is updated.
7 Whether cash remittance register is maintained properly.
8 Whether Vault register is maintained properly
9 Whether cash receipt and payment seal are maintained properly.
Deposit Banking
Yes No
1 Whether the required information /papers are obtained ( sample checking)
2 Whether the thanks letter are sent to the customer and the introducer
3 Whether ledger balancing/daily computer sheet is checked regularly
4 Whether the account statements are sent to the customers
5 Whether the stop payment register is maintained properly
6 Whether the cheque book issue register is maintained properly
7 Whether the managers approval is taken in issuing duplicate cheque book on Form
'B'
8 Whether the dormant accounts are identified and transferred to the separate ledger
9 Whether the dormant ledgers are balanced regularly
10 Whether the double supervision is made for the big transactions

General Banking
Yes No
1 Whether DD/Pay Order/Pay-Slip/SR block is balanced every day
2 Whether DD/TT/MT/PO/PS/SR payable register is balanced regularly
3 Whether the OBC/IBC register is maintained and monitored properly
4 Whether the transfer book is written and maintained properly
5 Whether the stock of security stationery is found correct
6 Whether the test Keys are maintained and used properly
7 Whether the daily vouchers are checked by the manager and Zonal Officer
regularly
Accounts
Yes No
1 Whether Cash Book-cum-General Ledger is written and checked daily
2 Whether the Profit & Loss Ledger is written and checked daily
3 Whether the voucher register is maintained up to date and checked regularly
4 Whether the daily statements of affairs and MO/NG A/c Extract are sent correctly
and regularly
5 Whether the sundry creditor/sundry debtor register is maintained properly
6 Whether the expenditure excess over budget has been incurred
7 Whether the ledger is balanced periodically within bank's rules
8 Whether the statements are sent to Head Office as per schedule
9 Whether the audit reports are complied timely and properly
10 Whether any entry remains long outstanding

Loans and Advances


Yes No
1 Whether the loan documents are obtained as per sanction advice before
disbursing the loan.
2 Whether Safe-in-Safe out register is maintained properly

3 Whether the stock statement of Pledge and Hypothecation is obtained regularly


4 Whether the Pledge Godown Key movement register is maintained properly
5 Whether the cash deposit, transfer voucher, cheque payment voucher, interest
application voucher in the loan ledger are checked/supervised by the
Manager/Officer-in-charge
6 Whether the insurance register is maintained properly
7 Whether the suit file register is maintained properly.
8 Whether the confidential limit register is maintained properly.
9 Whether the loan recovery assignment is distributed among the officers/staff
10 Whether the loan ledgers are balanced periodically as per schedule
Foreign Exchange Yes No
1 Whether the foreign currency is found correct on physical verification
2 Whether the foreign banks’ test keys are maintained and used by Branch
Manager/Officer-in-charge/departmental in-charge under joint control
3 Whether LC commission is recovered properly
4 Whether LC margin is collected properly
5 Whether the inward foreign bill and PAD is presented for lodgment/payment/
acceptance forthwith

6 Whether the necessary action is taken forthwith for reconciliation of PAD
outstanding.
7 Whether LIM ledger is correctly and regularly maintained, verified and balanced
8 Whether the LIM is created as per rules
9 Whether the necessary measures have been taken for auction or reminder has been
issued to importer for adjustment of LIM outstanding
10 Whether the recoverable bills are reviewed periodically
11 Whether the records of shipping guarantee issued by the branch are retained and
reviewed as per norms
12 Whether the initiatives for adjustment of outstanding of guarantees have been
taken and whether the correspondence is ongoing with the customers for un-
reconciled shipping guarantee
13 Whether FBP,FBC, FDBC accounts are balanced and verified regularly

14 Whether the PCC register and ledger are maintained, verified and balanced
properly and regularly
15 Whether the necessary measures have been taken for adjustment of overdue PCC

16 Whether the customer is informed of the fate of the remittance

17 Whether the foreign currency and traveler's cheque are balanced regularly

Comments of Team Leader/Audit Team

Sl.No. Irregularities Comments

Audit Compliance Division
External Audit
Annexure: 23

Agrani Bank Limited.


Audit Compliance Division
Head Office, Dhaka

Monthly Statement of Audit Objections identified in Statutory Audit/ External Audit


For the month of ……………………………………………

Columns:
1 SL no.
2 Name of the Audit Report
3 Unsettled Report up to previous months: 3(a) No. of report, 3(b) No. of Objection
4 Audit report received during this month
5 Total no. of Audit report
6 Settled during this month: 6(a) No. of report, 6(b) No. of Objection
7 Position at the end of current month: 7(a) No. of unsettled report, 7(b) No. of unsettled Objection

Total

Senior Principal Officer Assistant General Manager Deputy General Manager

Annexure: 24

Agrani Bank Limited


----------------------------------Branch
----------------------------------Zonal Office

Deputy General Manager Letter No.


Agrani Bank Limited Date:

Audit Compliance Division


Head Office
Dhaka
Through Zonal Office

Sub: Response and Certification to the External Audit Report for the Year ended December 31, 20-.

Dear Sir,

This is to certify that all the external audit objections have been adjusted/ settled/ regularized except for the
objections enclosed in the Annexure-ka herewith.

The objections mentioned in the above Annexure-ka have been again included in the subsequent external audit
report/ internal audit report/ Bangladesh Bank Inspection Report and our efforts and follow up will continue to
regularize/ adjust/ settle the objections.

This is to ensure that our efforts will continue until adjustment/ regularization/ settlement of all unresolved/
unsettled objections are met which were raised in the latest External Audit Report.

Second Officer’s Name & Signature Branch Manager’s Name & Signature Zonal Head’s Name & Signature
SS no. SS no. SS no.

Commercial Audit
Annexure: 25
Agrani Bank Limited
----------------------------------Branch/Office
Sub: Statement of unsettled audit objections as of December 31, 20 identified by the External Auditors.
The following audit objections have been included in the subsequent Audit Report. Our effort for
resolving audit objections will continue.

Columns:
1 Para no.-- of unsettled External Audit Objections dated 31-12--
2 Para no. -- of Internal/External Audit Objections mentioned in the subsequent Audit Report dated 31-12--
3 Brief description of Objections
4 Branch Comments/ Compliances
5 Zonal Head’s Comments

Second Officer’s Name & Signature Branch Manager’s Name & Signature Zonal Head’s Name & Signature
SS no. SS no. SS no.

Annexure: 26
Agrani Bank Limited
----------------------------------Branch/Office
Sub: Statement of rectification/ regularization/settlement of objections raised by the external audit for
the year ended--------------------- and submission to Ministry of Finance.
Para no. Description of Objections Bank Comments Ministry of Finance
Comments
1 2 3 4

Second Officer Branch Manager Head of Zonal Office

Annexure: 27
Agrani Bank Limited.
----------------------------------Branch/Office

Responses to the Government Commercial Audit Objectives

Branch name:
Audit year:
Column headings:
Irregularities para no. -- of Objections
Heading of Objections
Taka involved in objections (party wise). Total taka in agri/ Woven Loans
Taka realized after audit (party wise). Total taka in agri/ Woven Loans
Taka bad debts at present (party wise). Total taka in agri/ Woven Loans
Way of regularization of loan/ irregularities, for example: rescheduling, renewal, interest waived, written off, etc.
Party Involved Principal Interest Principal Interest Interest
name Taka
1 2 3 4 5 6 7 8 9

Ka.) Enclose loan account statement if the objected amount in full is not recovered. For Agricultural Loan
and if it exceeds 20 loans, a certificate should be enclosed. Sanction letter/ attested copy of IBBCC and
countersigned by the Head of Zonal Office needs to be enclosed for rescheduling/ renewal/ interest
waived/ written off loans. Forward documentary evidences for taking steps.

Kha.) Use additional sheet for giving full details, if required.

Annexure: 28
Agrani Bank Limited

Commercial Audit:

Branch name: ………………………………………………………………………….


Audit year: …………………………………………………………………………….
Minutes of the Joint Meeting held on…………….at………………………….Zonal Office

Para no. Heading of Objections & involved Taka Bank’s Comment Decision of the Joint Meeting

Senior Principal Officer Assistant General Manager

Annexure: 29

GOVERNMENT OF THE PEOPLE’S REPUBLIC OF BANGLADESH


Office of the Director General
Government Commercial Audit
Dhaka

No. Date:

To
Managing Director
Agrani Bank
Head Office
Motijheel C/A
Dhaka

Sub: Suggestion of the joint meeting for resolving ordinary audit objections mentioned in the audit report for
the year/ period ended…………………………Ordinary clauses nos.………..have been consolidated
as settled in the Joint Meeting held on………..

It is requested to inform this office immediately regarding the steps taken to resolve unsettled clause
nos.………………………………………………………………………………………………………
……………………………………………………………………………………………………………
…………………………………………………………………………………..

Audit & Accounts Officer


Sector-1, Audit-2
Date:
CC: Copies are sent for information and taking necessary steps
1. General Manager
2. ………………….
3. …………………

Audit & Accounts Officer


Sector-1,
Directorate of -------

Annexure: 30
Agrani Bank Limited.

Ministry’s name:

Audit Report:

Statement for discussion in the Standing Committee meeting of the Government accounts to be held on…….
Columns:
Para no.
Organization’s name & Accounts’ year
Para & page no. of audit report and headlines of audit objections/ comments
Brief description of audit objections
Brief description of the latest response of the Organization/ Ministry
Comments of the Audit Office based on the latest response of the Organization/ Ministry

Deputy General Manager General Manager Managing Director Secretary


(Division) (Ministry of Finance)

Annexure: 31
Agrani Bank Limited.
Audit Compliance Division
Head Office, Dhaka

Statement regarding Commercial Audit Objections and Settlement


For the month of…………………………………..
Figure in lac
SL.no. Bank/Financial Unresolved Objection Balance up to previous month
Institution’s Ordinary Advance Draft Included in
name Annual
Report(AR)
Nos. Taka Nos. Taka Nos. Taka Nos. Taka Nos. Taka
1 2 3 4 5 6 7 8 9 10

Current month resolved nos. & amount No. of objections raised in current month & amount
Ordinary Advance Draft Included in Ordinary Advance Draft Included in
(AR) (AR)
Nos. Taka Nos. Taka Nos. Taka Nos. Taka Nos. Taka Nos. Taka Nos. Taka Nos. Taka
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

Total Unresolved Objection Balance No. of case filed and amount Comments
Ordinary Advance Draft Included in Certificate Artharin Case
(AR) Case
Nos. Taka Nos. Taka Nos. Taka Nos. Taka Nos. Taka Nos. Taka
27 28 29 30 31 32 33 34 35 36 37 38 39

Annexure: 32
Agrani Bank Limited.
Audit Compliance Division
Head Office, Dhaka

Statutory Audit Objections/ Settlement summary


For the period from………………to …………………..

Classification 01/01…balance Jan/…june/…… 01/07……Balance

Sub-columns:
Previous Unresolved Objection nos.
Involved Taka (figure in lac)
Objection nos.
Involved Taka (figure in lac)
No. of settlement
Involved Taka (figure in lac)
Unresolved Objection at ending
Involved Taka (figure in lac)

Rows:
Theft/ Robbery
Embezzlement
Deficit
Waste
Payment violating Law
Failure to collect Government money
Other irregularities
Total

Comments on payment violating law:


Audit objections regarding payment of salary, medical allowance, fringe benefit, lunch subsidy, bonus accrual,
house rent deduction, excess bonus paid, washing allowance, ex-gratia, etc.

Senior Principal Officer Assistant General Manager Deputy General Manager

Annexure: 33
Agrani Bank Limited.
Audit Compliance Division
Head Office, Dhaka

Format of the monthly Statement sent to the Ministry & Division Offices
(Memorandum No. MCD/Branch-11/80/748/02 date 23/06/2002)
Statement for the month of…………………………………
(Information based on the month of …………………………..)

Ka) Information on Audit Objection


Ministry/ Audit Taka in Nos. of Nos. of Balance Remarks
Organization’s objection lac Comments on settlement Sheet
name nos. Board sheet
Ministry of
Finance,
Government
commercial
Audit on
Agrani Bank

Kha) List of serious audit objections/ fraud-forgery/ embezzlement, etc.


N.B: ……………Nos. of new audit objections have been raised/ identified during this month.

Senior Principal Officer Assistant General Manager Deputy General Manager

Annexure: 34
Agrani Bank Limited.
Audit Compliance Division
Head Office, Dhaka

Monthly statement of Audit Objections identified in Statutory Audit/ External Audit


For the month of ……………………………………………

Columns:
1 SL no.
2 Name of the Audit Report
3 Unsettled Report up to previous months: 3(a) No. of report, 3(b) No. of Objection
4 Audit report received during this month
5 Total no. of Audit report
6 Settled during this month: 6(a) No. of report, 6(b) No. of Objection
7 Position at the end of current month: 7(a) No. of unsettled report, 7(b) No. of unsettled Objection

Total

Senior Principal Officer Assistant General Manager Deputy General Manager

Bangladesh Bank Inspection

Annexure: 35
Agrani Bank Limited.
………………….Branch

Responses to the Bangladesh Agricultural Loan Inspection Report


For the year/ period ended………………………………

Column headings:
BB Agri Inspection Report: Page, Para
Summary of the objection of BB Agri Inspection Report
Response of the Concerned branch office
Comments of the head of Zonal office against branch office’s response
For use of Bangladesh Bank
1 2 3 4 5

Second Officer Branch Manager Head of Zonal Office

Annexure: 36
Agrani Bank Limited.
Audit Compliance Division
Head Office, Dhaka

Board/ Board Audit Committee’s Advice on Bangladesh Bank Detailed Inspection Report
For the year/ period ended………………………………

Column headings:
Main Report of BB: Page, Para
Brief description of special objections/ irregularities
Comments of branch office/ Zonal office/ Head office
Comments of the Board
Remarks
1 2 3 4 5 6

Senior Principal Officer Assistant General Manager Deputy General Manager

Annexure: 37
Agrani Bank Limited.
………………….Branch
……………………..Zonal Office
Deputy General Manager Letter no.
Agrani Bank Limited. Dated:
Internal Control & Compliance Division
Head Office, Dhaka

Sub: Certificate in regard to Closing Bangladesh Bank details branch Inspection File,
Audit conducted based on the year / period ended……………..

Dear Sir,
This is to certify that all the audit objections have been regularized/ adjusted/ certified except for the following
objections mentioned in the Bangladesh Bank details branch Inspection Report:
Column headings:
Brief description of audit objection & clause
Steps taken by branch office against audit objections
Date of subsequent inclusion of the previous unsettled objections

2. This is further to certify that our efforts will continue until full settlement of the objections mentioned
in the Bangladesh Bank details branch Inspection report for the year / period ended……………..
3. Under the above circumstances, recommendation/ suggestion is issued to close Bangladesh Bank details
branch inspection file for the year / period ended……………..

Thanking you.
Yours faithfully,
Second Officer Branch Manager
Comments of the Head of Zonal office:

Annexure: 38
Agrani Bank Limited.
Audit Compliance Division
Head Office, Dhaka

Monthly statement of Audit Objections identified in Bangladesh Bank Inspection Report


For the month of ……………………………………………

Columns:
1 SL no.
2 Name of the audit report
3 Unsettled Report up to previous months: 3(a) No. of report, 3(b) No. of objection
4 Audit report received during this month
5 Total no. of Audit report
6 Settled during this month: 6(a) No. of report, 6(b) No. of objection
7 Position at the end of current month: 7(a) No. of unsettled report, 7(b) No. of unsettled Objection

Total

Senior Principal Officer Assistant General Manager Deputy General Manager

Annexure: 39 (Proforma-1)

Form No-1422-11

Agrani Bank Limited. Nirikha Paripalan Patra (NIPP) -1


---------------Branch For Minor/ Major Lapses

Date of audit report-------------


Page No.

Serial no. Description of lapses Compliance by the manager

Member / Leader of Audit Team Date and Signature of Manager

Annexure: 40 (Proforma-2)

Agrani Bank Limited. Nirikha Paripalan Patra (NIPP) -2


---------------Branch For Serious/ Major Lapses
Page No.

Date of audit report-------------


(For Auditor’s use only) ( MD:Circular/20/7 dated 02/09/2007 )

Serial no. Nature of lapses Description of lapses Auditor’s remark

Member / Leader of Audit Team

Annexure: 41 (Proforma-3)
Form No.-1423-12
Page No.

Agrani Bank Limited. Nirikha Paripalan Patra (NIPP) -3

---------------Branch For Serious / Major Lapses (For Audit


Compliance Division’s use only)

Date of audit report----------

(MD’s Sharak No.-NIKO: 03:84/43 date 15/08/1993 and MD: Circular/20/7 date
02/09/2007)

Serial no. Lapse no. Nature of lapses (SL/ML) Description of lapses Compliance by the manager Zonal head’s remark.

Signature and date


Signature and date
Code No-13-09657

Annexure- A
Agrani Bank Limited
......................Branch
Branch Audit Rating

A. INTERNAL CONTROL AND COMPLIANCE RISK MANAGEMENT


RATING
A 1. Administration
A.1(a) Security Measures of the Branch. Allotted Score Score Obtained
i) Security guards are alert at the branch premises. Yes 2.5 10
No 0
ii) Security alarm is active in the branch. Yes 2.5
No 0
iii) Fire extinguisher is available in the branch. Yes 2.5
No 0
iv) Closed-circuit cameras with TV are active in the branch. Yes 2.5
No 0
A.1(b) Branch Administration Allotted Score Score Obtained
i. Officials in the Branch Working More than 3 Years Yes 2 10
No 0
ii. Attendance is timely and there is no unauthorized absence in the branch. Yes 2
No 0
iii. Leave register maintained properly. Yes 2
No 0
iv. Duty list is there and staff are working according to the duty list. Yes 2
No 0
v. Job rotation is effected. Yes 2
No 0
A.2. General Banking
A.2.(a) Physical Cash (Opening/Closing) Verification With Statements of Affairs And Vault Position. Allotted Score Obtained Score
Found as per denomination in cash position/ statements of affairs Yes 03 10
No 0
Soiled and mutilated notes are/are not mixed with issue notes Yes 02
No 0
Whether vault is/is not safe enough or as per specifications i.e. concrete (RCC) wall & floor, pore less, under CCTV coverage, door alarmed bell, chap door & grilled etc. Yes 05
No 0
A.2.(b) Holding Of Excess Cash Over Safe Limit Allotted Score Obtained
Score
Not exceed 10 10

Exceed for long time/most of the time 8

Cash is not within safe limit and always limit exceeded. 0

A.2.(c) Holding Of Mutilated/Torn Notes In Safe Allotted Score Obtained Score
Found nil 10 10
Holding 1%-<3 % out of total cash 8
Holding 3%-<5 % out of total cash 5
Holding 5% or more out of total cash 0
A.2.(d) Stock position of Prize bond and Stamps. Allotted Score Obtained Score
Prize Bond found as per statements of affairs Yes 5 10
No 0
Stamps in hand found as per statements of affairs Yes 5
No 0
A.2(e) Branch Performance Allotted Score Obtained Score
[Scores are to be given proportionately according to achievement. For example, if 90% of the target is achieved, the score will be 1.8 out of 2.]
i. Deposit target achieved 100% or above Yes 2 10
No 0
ii. Profit target achieved 100% or above Yes 2
No 0
iii. Loan & Advance target achieved 100% or above Yes 2
No 0
iv. Foreign Remittance target achieved 100% or above Yes 2
No 0
v. Non-Interest income target achieved 100% or above Yes 2
No 0
A.2(f) Payment Made Against Advance Dated Or Against Stale Cheque Allotted Score Obtained Score

In no cases 10 10
Up to five cases 7
More than five cases 0
A.3 DCFCL Checklists and Other Control function of the branch Allotted Score Obtained Score
a) DCFCL has been followed up properly by Branch Manager/ designated officers at the noted frequencies: Yes 3 15
i) a) Daily b) Weekly c) Monthly and d) Quarterly. No 0
b) Branch has prepared Quarterly Operation Report (QOR) in light of BB Guidelines and duly sent the Report to the Head of ICC. Yes 2
No 0
c) Branch has prepared and started functioning of Loan Documentation Checklist as per ICC guidelines. Yes 2
No 0
d) Branch has launched L/C checklist to reduce operational risk Yes 2
No 0
e) Outstanding entries of suspense A/C and inter-branch transaction are monitored and followed up on monthly basis. Yes 2
No 0
f) Manager/ concerned officers are allowed authority/ delegation of power to perform daily activities. Yes 2
No 0
g) Are reconciliations of Inter-branch accounts monitored by the branch regularly? Yes 2
No 0
A.4 Compliance status of the Branch Allotted Score Obtained
Score
Compliance of audit objection above 70% 10 10
Compliance of audit objection from 50% to 69% 8
Compliance of audit objection from 30% to 49% 5
Compliance of audit objection less than 30% 0

A.5 Lapses Status of the Branch (Serious Lapses) Allotted Score Obtained
Score
No serious Lapses Found by Audit Team 10 10
Up to 10% serious Lapses against total no of lapses detected. 8

From 11% to 15% serious Lapses detected. 5


More than 15% serious Lapses detected. 0

A.6 Fraud / Forgery Status of the Branch Allotted Score Obtained


Score
No such Cases found during Inspection time 10 10
Found during Inspection time 0

A.7 Settlement of Serious And Major Lapses Against Last Allotted Score Obtained
Audit Findings Score

Settlement above 80% 10 10


Settlement from 60% to 79 % 8
Settlement from 40% to 59% 5
Settlement below 40% 0
A.8 Customer Service Status of the Branch Allotted Score
New account opening more than 20% from the position of last audit/inspection and Deposit target has been achieved (above 95%) 10 10
New account opening up to 10% 08
Account close about 05%- 9% of total no of account in the branch or complaint by customer more than 5 Nos. from last audit. 05
Deposit target has not been achieved and Account close above 10% or complaint by customer more than 10 Nos. from last audit 0

B. CREDIT RISK MANAGEMENT RATING


B.1. Incomplete Charge Documents/ Found Blank And Without Stamp/ Valuation of Collateral not Verified Properly. Allotted Score Score Obtained
No such case found 10 10
Up to 05 cases 8
06 to 10 cases 5
More than 10 cases 0

B.2 Monthly Basis Stock Report As Per HO Sanction. Allotted Score Obtained Score
No such case found 10 10
Pending up to 15 cases 8
Pending more than 15 cases 0
B.3 Maintenance of Safe-In And Safe-Out Register /Loan Allotted Score Obtained
Documentation Checklist. Score

Maintained properly and found up to date 10 10


Maintained but not up to date 7
Not maintained 0
B.4 Insurance Coverage. Allotted Score Obtained
Score
Almost all loans are insurance covered 10 10
Up to 05 cases not covered. 8
06 to10 cases not covered. 5
More than 10 cases not covered. 0

B.5 Obtained Of Original Title Deed/Certified True Copy Allotted Score Obtained
Along With SRO Token/Deed Ticket For Score
Registered/Mortgaged Property.
Done in all applicable cases 10 10
Pending any instance 0
C. MONEY LAUNDERING PREVENTION MEASURES RATING.
Account Opening and transaction analysis with TP. Allotted Score Score Obtained
i) Complete identification details of the account holder (person/company) are incorporated in the account opening form and genuineness (by giving thanks letter/RJSC office visit) of address/registration is confirmed. Yes 4 20
No 0
ii) KYC, TP was filled up cautiously. Yes 4
No 0
iii) The account holder himself took the Cheque book. Yes 2
No 0
iv) Big transactions are monitored jointly (Double Supervision) and matched with TP Yes 2
No 0
v) BAMELCO is assigned and trained. All concerned are aware about Money laundering/ Terrorist Financing Prevention Measures. Yes 3
No 0
vi) All money laundering related circulars/guidelines are kept in a file/cabinet Yes 3
No 0
vii) Money laundering related meetings were held at regular intervals (Meetings minutes kept in a file). Yes 2
No 0
D. ICT RISK AND OTHER ANTI-FRAUD CONTROL MANAGEMENT RATING
Protect/ Prevent fraud and Forgery Allotted Score Obtained Score
i) Every day’s vouchers are checked with print copy of supplementary (Audit Trails). Yes 2 20
No 0
ii) “Complaint Box” exists in the branch. Yes 2
No 0
iii) Balance Confirmation Certificate is sent to the customer on half-yearly/ yearly basis Yes 2
No 0
iv) There is no other internet/other modem connection in any PC. Yes 2
No 0
v) Computer/ Software access controlled i.e. confidentiality, complexity and changing of password are done at regular interval etc. There is no existence of unused password Yes 2
No 0
vi) Branch management is sincere and aware of the following subjects: Yes 3
No 0
a) Fraud/ Forgery
b) Operating losses
c) Communications
vii) Branch has taken necessary steps to protect the following: Yes 7
No 0
a) Change of keys
b) Safe Deposit Lockers
c) Controlled Stationery
d) Test Keys
e) Signature Books
f) Cash/TC/SPs/Bond
g) Balancing of books and accounts.

E. FOREIGN EXCHANGE RISK MANAGEMENT RATING

Foreign Exchange Risk Mitigation Measures Taken. Allotted Score Obtained Score
Branch has launched L/C checklist to reduce operational risk and Yes 06 20
physical visit/verification of LC products /goods are done.
No 0
SWIFT-user ID Password confidentiality should be maintained Yes 04
strictly.
No 0
Other net connection / modem are strictly prohibited in Yes 06
Remittance/ SWIFT related PC’s.
No 0
Only authorized and trained officers are allowed to use Yes 04
Remittance/ SWIFT related PC’s.
No 0

F. ASSETS-LIABILITY MANAGEMENT
F.1 Status of Assets and Liabilities of the Branch Allotted Score Obtained
Score
Loan and Advance against Deposit percentage above 70 and up Yes 10 10
to 80 having NPL less than 5% No 0
0
Advance against Deposit percentage above 60% and up to 70 Yes 8
having NPL less than 10%
No 0

Deposit target achievement below 95% and Loan Classified
above 10% 0
No
F.2 Non Performing Assets Management. Allotted Score Obtained
Score

Identification of NPA/SMA done properly as per guidelines. Yes 3 10


No 0
Accounts have been identified as SMA are being properly Yes 2
monitored. No 0
Timely lodging of claims/ Timely follow up for recovery. Yes 3
No 0
Timely legal action taken and prompt execution of decrees (for avoiding time barred) Yes 2
No 0

F.3 Classification Loan Recovery Allotted Score Obtained Score
Recovery 100% of Targeted Amount 10 10
Recovery 80%-90% of Targeted Amount 8
Recovery 60%-79% of Targeted Amount 6
Recovery 50%-59% of Targeted Amount 4
Below 50% 0
G. ENVIRONMENTAL RISK RATING
Environmental Risk Management Allotted Score Obtained
Score
a. Cleanliness of the Branch premises up to the standard i.e. Yes 3 15
Branch staff are working in healthy and safe environment
No 0
b. Dress code is maintained by the branch staff Yes 3
No 0
c. Advances are not made to environmental hazard Yes 3
sectors/firms
No 0
d. Energy-saving bulbs are used and maximum use is made of natural light and air Yes 3
No 0
e. For communication purpose maximum use of electronic Yes 3
device and minimum use of papers No 0

Auditors Overall Comments for gradation of the Branch considering core risk areas (ICC, CRM, AML, ICT, Forex, Assets liability Management & Environmental Risk) Allotted Score Obtained Score
300
Excellent above 90%
Very Good 80%-89%
Good 60%-79%
Satisfactory 50% -59%
Poor below 50%
Annexure-B
Agrani Bank Limited
.......................Branch
Check list for Foreign Trade and Foreign Exchange Audit
A. Import Related Irregularities (Cash L/C):
1) LC opened without prior permission/approval of competent authority.
2) Insertion of false/fake information and hiding of correct information in L/C proposal or fact sheet of existing
liabilities of the importer.
3) L/C opened exceeding the delegation of power.
4) L/C/LCAF issued without obtaining up-to-date renewed IRC of the Importer.
5) Import of goods exceeding IRC limit.
6) L/C opened against illegal PI/Indent.
7) L/C opened without collecting Credit Report of the foreign supplier/exporter.
8) HS code and/or correct HS code not mentioned in LCAF and/or import L/C.
9) L/C opened without justifying over and/or under invoicing matter.
10) 3rd/4th copy of LCAF (with L/C copy) not forwarded to CCI&E in time.
11) L/C opened without L/C margin/with partial L/C margin/with less L/C margin.
12) L/C opened without L/C commission, VAT/ with partial L/C commission, fee. VAT/ with less L/C commission.
13) Existence of overdue L/C, SG, IFBC, LIM, PAD, LTR and D/L liabilities.
14) Handing over of customs purpose copy of LCAF and Transport documents (B/L, Airway bill, T/R, R/R, S/R) to
importer or to their C&F agent without taking payment against the related import bill/consignment.
15) Issue of S/G against non-negotiable/copy of import documents for release of imported goods without taking
payment against thereof.
16) Steps not taken to recover overdue PAD/LIM/LTR liabilities.
17) Margin not recovered before creation of LIM and goods under LIM not pledged duly.
18) Excessive delay in transfer of PAD liabilities to LTR in case of LTR facilitate borrower.
19) Issuance of shipping guarantee without recovery of related margin/ fee/commission etc.
20) Requisite interest/commission is not recovered against funded and non- funded import liabilities (L/C, S/G, IFBC,
PAD, LIM, LTR, D/L).
21) Payment made against import documents before receiving B/E and/or overdue B/E.
22) L/C /LG margin amount misappropriated by creating false voucher.
23) Copy of CRF (Clean Report of Findings) and the related final invoice and packing list duly endorsed by the CRF
company are not preserved in the file.
24) IMP 2nd copy and Bill of Entry /customs certified invoice not matched.
25) Bill of Entry not preserved in file.
26) Original IMP & LCA form (Exchange Control Copy) not submitted or reported to Bangladesh Bank in time.
27) L/C is opened for the importer who is defaulter of Bill of Entry /customs certified invoice submission in time.
28) While issuing guarantee against internationally reported bank’s counter guaranties commission and other charges
are not recovered.
29) L/C is opened without attestation of importers signature on LCAF.
30) Signature with seal of Authorized Bank Officer not taken on LCAF.

31) Importer’s signature is not identified on LC agreement/L/C application.
32) L/C is opened without taking Income Tax Declaration papers from the importer.
33) Irregularities in stamping of LCA.
34) Loan processing fee on LIM/LTR/Demand loan is not recovered.
35) Balancing of different heads of account in foreign exchange is not done.
36) Issuance of L/C ignoring overdue liabilities.

B. Import related irregularities (Back to Back L/C):


1) BTB L/C issued exceeding prescribed percentage of FOB value of the Master L/C/ Export Contract.
2) Payment of import bills under BTB L/C not made on/or before maturity date.
3) Copy of Bill of Entry is not preserved in related BTB LC file.
4) Tax free Imported goods under BTB L/C and Bonded Ware House facilities are not stocked in Bonded Ware
House or non-existence of the same in the Bonded Ware House
5) Statement / Information of stock lot goods under BTB L/C and BWH are not reported to related Customs Bond
Commissionerate office to avoid any future possible complicacy.
6) BTB L/C is opened without considering –
- Valid Bonded Ware House License.
- Capacity of the Bonded Ware House
- Production Capacity of the Factory.
- Validity of the Export L/C.
- Sufficient Shipment validity/ period of the Master L/C/ Export Contract.
- Defective / Discrepant clause of the Master L/C/ Export Contract.
7) BTB L/C is opened without considering existence of party’s demand loan/other irregular liabilities.
8) BTB L/C is opened without permission / approval of head office, in case of existence of party’s demand loan/other
irregular liabilities.
9) Accepting local import bills under local L/C without inspecting delivery / storage of the imported goods to
importer’s factory.
10) Irregularities in payment of import bill-
11) Payment made against accommodation bills.
12) In case of late export/failure of export, payment of import bills is delayed to avoid creation of demand loan,
which facilitates opening of further BTB L/C in favor of irregular parties/importers and also deprives the
bank of interest income.
13) Non matching of Bill of Entry.
14) Non attestation of signature of importer in LCAF and LCA.
15) Signature with seal of bank authorized officers in LCAF is not taken.
16) L/C opened without recovering stamp duty, without taking latest CIB and copy of income tax declaration of the
importer.
17) Non- Balancing of concerned Heads of Accounts.

C. Export Related Irregularities:


1) Valid ERC not preserved in file.
2) Authenticity of issuance/ Advising / transferring of export L/C are not checked.
3) Financing the exporter irregularly against purchase of discrepant/ defective/fake Export Bill.
4) Steps are not taken to bring exported goods back to own country against refused/rejected export bills.
5) Facilitating the exporter irregularly/illegally by holding defective/irregular/discrepant export bill for a long time and
sending it to the Foreign Bank after regularization.
6) Excess CM paid (in case of garments industry) / excess fund disbursed to the exporter against export bill
(FBP/IBP/FDBC) without adjusting /recovering related liabilities /overdue liabilities there against.
7) Proper steps are not taken for repatriation of exports proceeds against export bill/overdue export bill.
8) Irregularities in sending Export Bill to importers’ bank.
9) Sufficient steps are not taken to adjust overdue Export Bill.
10) Discount allowed against export bill without prior permission/approval of Bangladesh Bank or Post-Facto
approval from Bangladesh Bank.
11) Specimen signature of authorized official of shipping company / shipping agent/air agent/transport agent is not
preserved.
12) Requisite fees, commissions, charges and interest are not recovered.
13) Excess commission (more than 5%) and Brokerage Charges are paid.
14) Improper cash incentive allowed against Export.
15) Requisite charges/fees against advising/transfer of export L/C are not recovered.
16) Export bill proceeds not repatriated in time.
17) Hiding information of overdue export bill in “Statement of overdue export bills” sent to BB quarterly.
18) “Statement of overdue export bills” not sent to BB quarterly.
19) Columns of Exp Form and/or Exp Register are not filled up properly.
20) Exp Form accepted without confirming customs officer's signature.
21) Non sending of 2nd, 3rd copy of EXP form to BB and non-preserving of 4th copy of the same for office record.
22) Non collection and cancellation of issued Exp Form against which export is not implemented.
23) Non checking/ ensuring existence of telephone/mobile/fax no. of the issuer of the Transport Documents.
24) Requisite charges for issuance of Exp/PRC /CNF certificate and loan processing fees against import and export
loans disbursed are not recovered.
25) Concerned Heads of Accounts are not balanced.

D. Foreign Remittance Related Irregularities:


1. Cash in Hand (F.C) is not preserved properly.
2. Irregularities in connection with opening of F.C account.
3. Irregularities in connection with release / endorsement of F.C for foreign travel, education, treatment, seminar, conference,
workshop and ERQ purpose.
4. Non-adjustment of suspense account balance created in payment of Foreign Taka draft.
5. Non- collection of FDD (clean) in time.
6. Concerned Heads of Accounts are not balanced.

Annexure-C
Form: Part Ka (applicable to the branch)
Agrani Bank Limited
Branch name------------------------------
Loan-related information/statement:

Columns:
1 Serial no.
2 Borrower's name and address
3 Nature of loan
4 Loan sanction no., date, loan limit and sanctioning authority
5 Name and present address of the manager who recommended and disbursed the loan/ the manager who renewed or rescheduled it
6 Loan expiry date and loan classification
7 Details of documents, charge documents and securities obtained at the time of loan disbursement:
- Primary security (information on stock of goods and shop)
- Collateral security: favourable legal opinion and information; schedule and the original deed and porcha obtained; land area, present value of land, possessory title, information on value at the time of lending
- Details of charge documents obtained, whether the documents have been properly stamped

If the loan is under litigation, information on it:
- Case no., court, date and amount claimed in the case
- If an execution case has been filed, its number and date
- If the case is at the hearing stage, information on it
- If an auction notice has been issued, full information on it
- If a ruling has been given under sections 33(5), 33(7): information on obtaining the certificate, mutation (kharij), etc.

Present manager's overall evaluation of the loan:
- Primary and collateral securities have been inspected (whether the report is preserved in the file)
- A favourable CIB report was available
- The loan requirement has been assessed
- Transactions of loans taken previously were verified
- The loan was disbursed within the Delegation of Power, Target
- Information on preservation of the mortgage deed in the file
- In case of a pledge loan, godown management was correct (information to be attached on a separate sheet if necessary)
- Steps for loan recovery were taken at the scheduled time (reminder/ notice/ distribution of responsibility, etc.)
- Filing of the case and subsequent case proceedings were proper
- Whether there is any deficiency in the charge documents/ documentation (in detail)

Ledger balance at the time of audit

8 9 10 11 12 13 14
Annexure-D HEALTH REPORT
Guidelines for the preparation of “HEALTH REPORT”

In accordance with the Bangladesh Bank Guidelines of “Managing Core Risk in Banks on Internal Control and
Compliance Risk”, Internal Control and Compliance Division is required to prepare an annual report on the health of the
Bank, which is to be submitted to the Audit Committee of the BOD, with a Circulation Copy to the Managing Director for
perusal and onward submission to the Board of Directors of the Bank as a regulatory compliance.
To comply with the above guidelines, this health report on the Bank’s overall activities for the year 20xx has been prepared.
While assessing the health of the Bank, emphasis has been given to the progress of achievement of the Bank’s
long-range visions set by the Management.

In order to build up the necessary infrastructure, in the year 20xx the Bank has added nos. of branches to its ever expanding
network, making a presence of nos. of branches across the country. In the meantime, the Bank has become a group by
expanding its business into nos. of wholly owned subsidiaries (Securities Limited, Capital Limited and Exchange
Limited). Thus, the volume of business of the Bank has increased considerably. The Bank has diversified its activities beyond
traditional corporate banking and trade financing into Primary Dealership, OBU, Retail Banking, SME Banking, Internet
Banking etc., which has made the Bank one of the largest banking companies in terms of products and services in the
country.

The health of a bank may be judged from different points of view, but emphasis has been given to aspects that are feasible
to assess and can be quantified. Taking these two conditions into consideration, the Health of the Bank has been assessed from the
viewpoint of three dimensions, viz. Financial Health, Internal Control & Compliance Health and Image & Reputation Health.
The rationale behind the segregation of the health of the Bank into the above points of view is that these areas will ultimately
cover the overall health sectors of the Bank. If the overall health is found sound then it may be assumed that the bank
will achieve its long term goal with sustainable growth.

While analyzing financial health, emphasis has been given to the dynamism of the bank’s performance in different areas
of operational activities, which have been highlighted in various financial statements of the bank.

In assessing Internal Control and Compliance Health of the Bank, emphasis has been given to internal control structure
of the Bank and its effectiveness, while compliance health is assessed considering the compliance culture of the Bank
and its achievements.
In evaluating compliance health, attention has been given to the issues like, whether the bank is able to meet regulatory
requirements and the compliance and non-compliance status of inspection reports submitted by regulatory bodies.

In assessing Image and Reputation health, attention has been given to the eminence of Board and Management of the
Bank, expansionary mode of brand image and CSR (Corporate Social Responsibility) Activities.

In preparation of this health report, both the quantitative and qualitative aspects have been taken into consideration. The
evaluation of major components of Health of the Bank is based upon four categories of ranking like Excellent, Very
Good, Good and Satisfactory and the Bank has received a status of “X ” ranking in the health assessment for the year of
20xx .

The Health of the Bank has been assessed from the view point of Financial health, Internal Control and Compliance
health and Image and Reputation health. To assess the overall health position of these three health sectors, ICC Division
has worked out a Health Grading Score sheet based on quantification of certain parameters of each health sector. In our
analysis, the average score “90-100” means Excellent, “80-89” means Very Good, “70-79” means Good and “60-69”
means Satisfactory. In the assessment, the overall health position of the Bank for the year 20 has been assessed “ ”.

Detailed break-up of the Health assessment is furnished as under:


HEALTH RESULTS

Health Sector                            Score Obtained    Remarks
Financial Health                         81 out of 100     Very Good
Internal Control & Compliance Health     96 out of 100     Excellent
Image & Reputation Health                93 out of 100     Excellent
Overall Health                           270 out of 300    Very Good
Average                                  90 out of 100     Excellent

A. Financial Health: (Prepared under supervision of Chief Financial Officer and approved by ECB)

In analyzing the Financial Health, several parameters like Earnings, Liquidity, Solvency, Asset Quality, Deposits and
Loans and Advances have been considered. The Bank has received an overall Financial Health score of out of 100, which
means the financial health of the Bank is “ ”. Hence, we are depicting below the parameter-wise financial health position
of the Bank for the year ended December 31, 20xx.
The details of these scores also follow in the enclosed health grading score sheet.

Name of Parameter               Score Obtained    Remarks
Earnings                        21 out of 30      Good
Liquidity Health                4 out of 5        Good
Capital Adequacy & Solvency     9 out of 10       Excellent
Deposit Health                  19 out of 25      Good
Loans and Advances Health       28 out of 30      Excellent
Total                           out of 100

a. Earnings:
Healthy Banks are generally profitable, and earn money. To assess the relative profitability of the bank, we have
considered five earning criteria, namely- Operating Profit Growth, Net Interest Income Growth, Non-Interest Income
Growth, Return on Assets (ROA) and Return on Equity (ROE). These indicators measure how profitable the bank is for
its size, and a bank with a higher trend in these areas tends to be a healthier bank. In our analysis, 00% weight has been
allocated to Earning history of the Bank and the Bank has received a score of 21 out of 30, which means earning health
of the Bank is “ ”.
1. Operating Profit Growth:
The operating profit of the Bank from 20 to 20 (three years back) was BDT , BDT , BDT respectively. The Operating
Profit growth from the year 20 to 20 was negative (+/- 00%), from the year 20 to 20 it was +/- 00% and from the year
2000 to 2000 it was +/-00%, while the growth from the year 20 to 20 was %. In our analysis, a score of 10 has been
allocated for 25% & above growth and 3 for below 15% growth and thus the bank has scored for its 00% growth in the
year 20 (year under review).
2. Net Interest Income (NII) Growth:
Interest Income is the main source of Income of a bank, which solely depends upon the volume of standard loans and
advances. Net Interest Income is derived by deducting Interest expenses from Interest Income. The larger the volume of
Net Interest Income, the healthier will be the operating income. Net Interest Income Growth for the year 20 was 00%,
while for the years 20 and 20 it recorded negative growth of (00%) and (00%) respectively. However, since 20 Net
Interest Income (NII) growth of the bank has been showing a positive trend (in 20 it was 00% and in 20 00%). In Financial
health grading sheet, we have given 5 score to Net Interest Income Growth of 20% & above and 2 score for below 10%
growth. Bank has achieved a score of 5 for 78.53% growth in Net Interest Income in the year 20 .

3. Non Interest Income (Non-II) Growth:


Non-Interest Income is the ancillary source of Income of the Bank. Non-Interest Income generally stems from the
following sources: income from fees, commission, charges, exchange gain, brokerage and other operating income. The
Growth of Non-Interest Income for the year 20 to 20 was 00%, 00% and 00% respectively. In the health grading score sheet,
a score of 2 has been assigned to growth of “below 20%” and a score of 5 to growth of 40% and above. The Bank receives the score of 00 out
of 00 for achieving the growth of 00 % for the year 20 .

4. Return on Assets (ROA):


We have used the statistics of ‘Return on Average Asset’ which is equal to the earnings of the bank, divided by its assets.
A higher ROA trend indicates a healthier bank. Return on assets of the bank from the year 20 to 20 was 00%, 00% and
00% respectively. In the Financial health grading sheet, we have assigned 5 score to ROA of 00%-00% and the Bank
scored 1 for having ROA of 0.88% in the year 20 .

5. Return on Equity (ROE):


‘Return on Equity’ is equal to the earnings of the bank, divided by its average Equity Capital. A higher ROE indicates
healthier signs. Return on Equity of the bank for the year 20 to 20 was 00%, 00% and 00% respectively. A score of 5 has been
assigned to ROE of 25% and above and the Bank scored 00 for having ROE of 00% in the year 20 .

b. Liquidity:
Bank’s liquidity policy is designed to ensure that it can meet its obligations at all times as they fall due. The liquidity
management within the Bank focuses on overall balance sheet structure and the control, within prudent limits, of risk
arising from the mismatch of maturities of the balance sheet and from exposure to un-drawn commitments and other
contingent obligations. The management of liquidity risk within the Bank is undertaken within limits and other policy
parameters set by ALCO. The compliance is monitored and co-ordinated by Bank’s treasury, both in respect of internal
policy and regulatory requirements.
Liquidity analysis in a Bank examines whether the bank is maintaining adequate CRR and SLR, whether the Loan-Deposit
Ratio is at the required level, whether dependency on inter-bank borrowing is at a tolerable level, whether overall un-drawn
commitments are within a reasonable range, etc. A score of 5 has been allocated to the Liquidity position for the year 20 (year under review) and the
Bank has received 00 score, which means that the bank has been maintaining very good A–D ratio. However, excess
SLR was maintained in 20 (year under review) due to operation in the Primary Dealership (PD) market, which made the
bank’s dependency on money market higher, in order to maintain adequate liquidity.

1. CRR & SLR:


Bank had been maintaining Cash Reserve Ratio (CRR) & Statutory Liquidity Reserve (SLR) as per regulatory
requirements. In the year 20 (year under review), CRR was 00% against mandatory limit of 6.50% and Statutory Liquidity
Ratio was 00% against 19.50%. In the analysis a score of 3 has been allotted to the CRR & SLR position of the Bank and the
Bank received a score of 00 out of 3, which indicates that the bank maintained excess SLR in the year 20 (year under
review). Bank’s borrowing from inter-bank call money market is high due to participation in the government bills/bonds.

2. Advance-Deposit Ratio (A-D ratio):


A-D ratio is the indicator that entails what should be the Bank’s ideal level of loans and advances against its deposit, and
to what extent the bank will be exposed to money market dependency. A-D ratios of the Bank in the year 20 to 20 were
00%, 00 and 00% respectively. In analysis the A-D ratio in the year 20 (year under review) is (00%), though the bank is
a (primary dealer) of the government securities and participation in auction of the govt. bills/bonds is mandatory. For the
purpose of analysis, a score of 2 has been allocated for an ideal A-D ratio of 80%-85% and the Bank received a score of ,
out of 2 for maintaining A-D ratio of 00% in the year 20 (year under review). (Add graphic presentation if needed).
c. Capital Adequacy/Solvency:

A measure of a bank's financial health is its capital/asset ratio, which is required to be above a prescribed minimum. In
assessing solvency health, three parameters, namely Core Capital to RWA ratio, Capital Adequacy Ratio (as per Basel-
II/III regime) and Capital Growth have been considered, and the Bank has received a score of out of 10, which means
the Capital Adequacy position of the Bank was “ ” as on the assessment period.

1. Capital Growth:
Capital requirement is a bank regulation which sets a framework on how banks must handle their capital. The
categorization of assets and capital is highly standardized so that it can be risk weighted, and weights are defined by
risk-sensitivity ratios, whose calculation is dictated under the relevant Capital Accord. The growths of capital of the Bank
over the years 20 to 20 were 00%, 00% and 00% respectively. For the purpose of analysis a score of 2 has been allotted
to Capital growth of 20% and above and the Bank scored out of 2 for capital growth of % in the year 20 (year under
review).

2. Core Capital (Tier-I) to RWA ratio:


As per existing regulation of Bangladesh Bank (Basel-II), the Bank(please write the name of the bank) is required to
maintain Core Capital (Tier-I) ratio of 5% against Risk Weighted Assets (RWA). The Bank has been maintaining Core
Capital (Tier-I) in accordance with the regulatory requirements. In the year 20 , the risk-weighted assets were BDT lac
against which the requirement was BDT lac (5.00% of RWA). The Bank maintained 00% (BDT lac) of the risk-weighted
assets against the mandatory requirement of 5.00%. In the analysis a score of 5 has been assigned to core capital (Tier-
I) ratio of 10% and above and the bank has received the score of 00 for maintaining Core Capital (Tier-I) at % in the
year 20 .(year under review)

3. Basel-II Requirement:
In line with the contents of BRPD Circular # 35 dated December 29, 2010 issued by Bangladesh Bank (BB), the bank
(please write the name of the bank) is required to compute Minimum Capital immediately after completion of each
quarter. During the year 20 , the bank computed and reported capital on the basis of Basel II regime. Under this capital
accord, the minimum total Capital Adequacy Ratio has to be 10.00% of Risk Weighted Assets (RWA) and the Bank maintained 00% as on the same
date. For the purpose of analysis a score of 3 has been assigned to maintaining a capital adequacy ratio of above 10% (as per
Basel-II) and the Bank has received the score of 00 for maintaining Capital Adequacy Ratio of 00% in the year 20 .

d. Deposit:
Deposit is considered the lifeblood of banking operation and a weapon for making maximum profit by deploying it
in a high yielding investment and mixing it up in a cost effective mode. Deposit management is, therefore, important.
Effective deposit management entails an optimum deposit mixture that minimizes cost of fund and optimizes spread.
In assessing deposit health, four parameters namely Deposit Growth, Deposit Mix, Cost of Fund and the ratio of core
Deposit to Total Deposit have been considered, and MTB has received a score of 00 out of 25 in 20 , which means the
Deposit health of the Bank is “ ”.
1. Deposit Growth: Deposits, representing the largest portion of total liabilities, account for 00%, showing an
increase/decrease of 00%, or BDT 00.00 lac from the year 20 . Over the past three years, the bank(please indicate
your bank name) was able to increase its deposit portfolio more than (00%) from BDT 00.00 lac in the year 20
to BDT 00.00 lac in the year 20 (year under review). It is apparent that deposit growth of the Bank is in
increasing/decreasing trend (on an average basis) over the last three years. For the purpose of analysis distributed
5 score for deposit growth of 25% and above and 2 for less than 15% growth and the bank scored for deposit
growth of 00.00% in the year 20 .(year under review)

2. Deposit mix: While reviewing deposit mix of the Bank from the year 20 to 20 , it is observed that the high cost
deposit mix (FDR) is 00%, 00% and 00% respectively to total deposit. For the purpose of analysis distributed 5
score for an Ideal high cost deposit mix of 31% - 55% and the bank has scored for the deposit mix of 00.00%
in the year 20 . (year under review)

3. Cost of fund: Cost of fund is one of the most important indicators to measure the soundness of the fund
management. Lower cost of fund will enlarge the spread and thus maximize profit. In the years 20 to 20 , Cost
of Fund of the bank was 00.00%, 00.00% and 00.00% respectively. It has been observed that there is a
significant improvement in reduction/increase of Cost of Fund in 20 (year under review), compared to 20 . The
scenario can further improve by increasing more low cost deposit in the deposit mix. For the purpose of analysis
a score of 10 can be distributed for an ideal cost of fund ranging 6% - 8% and the bank has received for having
00.00 % as cost of fund in the year 20 (year under review).

4. Core Deposit to Total Deposit: While reviewing deposit mix of the bank for the year 20 to 20xx, it is observed
that the Core deposits are 00.00%, 00.00% and 00.00% respectively to total deposits. For the purpose of analysis
a score of 5 has been allocated for an ideal ratio of core deposit ranging 81%-100% and the bank has received
5 for having 00.00% as Core Deposit to Total Deposit.

(Add graphic representation if needed)

e. Loans and Advances:

Financial Health of the Bank largely depends upon the volume, diversification and portfolio quality of loans and
advances, which have been disbursed by deploying customers’ deposits. In assessing loans and advances health of the
bank, five parameters, namely - Loans and Advances Growth, Segment-wise concentration, Sector-wise concentration,
Large Loan concentration and Asset Quality have been considered. For the purpose of the analysis a score of 30 has been
allocated to Loans and Advances Health of the Bank and the Bank has scored , which means Loans and Advances health of the Bank is “ ”.

1. Loans & Advances Growth: In the years 20 to 20 , the amount of loans & advances of the Bank was at BDT 00.00
lac, BDT 00.00 lac, and BDT 00.00 lac respectively, and the growth rates were 00.00%, 00.00% and 00.00% respectively.
For the purpose of the analysis a score of 5 has been allotted for an ideal growth ranging 25% - 30% and the bank has
scored for achieving the growth of 00.00% in the year 20 (year under review).

2. Segment-wise Concentration of Loans and Advances: According to its nature, all kinds of post-import finance are
highly risky nowadays, because of weak control of the Bank over the business movement of the client/importer. During
the year 20 , Bank’s investment in post-import finance (LTR+PAD) was 00.00% of total loans & advances, while the
same was 00.00% in the year 20 . For the purpose of the analysis a score of 5 has been allotted for an ideal segment-wise
concentration below 15% and the bank has received for having segment-wise concentration of 00.00% in the year 20xx.

3. Sector-wise Concentration of Loan and Advances: Bank’s Loans and Advances to Sector (please indicate the
highest investment sector) is around BDT 00.00 lac, which is 00.00% of total Loans and Advances. More specifically,
Loans and advances to (please indicate the specific types such as RMG/Ship Building etc.) industries is BDT 00.00, which
is 00.00% of Total Loans and Advances. Bank’s concentration in a particular sector in this respect is at
satisfactory/unsatisfactory level. For the purpose of the analysis a score of 5 has been allotted for an ideal sector-wise
concentration ranging 20% - 30% and the bank has received score for having sector-wise concentration within 00%, in
the year 20 .

4. Large Loan Concentration: Bank sanctioned & disbursed large loan (10% or more of total capital, as defined under
BRPD circular # 05, dated 2005) of BDT 00.00 lac (including non-funded loans), which is 00.00% of total loans and
advances against BB’s set limit of 56%, which is quite satisfactory/unsatisfactory. However, this concentration in the
last year (20 ) was 52.73%. In our analysis a score of 5 has been allotted for an ideal Large Loan concentration below/high
00% and the bank has received 4 score for having Large Loan concentration of % in the year 20xx.

5. Asset Quality (NPL Management): At the end of year 20xx, the Bank’s total loans and advances were up by 00.00%
over 20 (preceding year), showing an increase/decrease of BDT 00.00 lac. Despite this growth, loans classified as
“substandard and below” were below 00.00%, i.e. 00.00 (actual rate)%, which is at satisfactory level and 00.00%
less/higher than that of previous year. The NPL of 20 was 00.00%. For the purpose of the analysis a score of 10 has been
allotted for an ideal NPL ratio of below 3% and the bank has received score for having NPL ratio of 00.00% in the year
20xx. (Add graphic representation if required)

B. Internal Control and Compliance Health:( Prepared under supervision of Head of Audit and approved by
ACB)
Bank’s internal control system is designed to facilitate effective and efficient operations and to ensure the quality of
internal and external reporting and compliance with applicable laws and regulations. In devising internal controls, the
Bank has taken into account the nature and extent of the risk, the likelihood of its occurring and the cost of controls. A
system of internal control is designed to manage, but not eliminate, the risk of failure to achieve business objectives and
provide a reasonable, but not absolute, assurance against the risk of material misstatement, fraud or losses.

Analyzing Internal Control and Compliance health of the Bank encompasses the level of compliance of Board and Audit
Committee decisions, Management Committees decisions, applicable laws, regulations and internal policies and
regulatory requirements. The Bank has received an overall Internal Control and Compliance Health score of out of 100,
which means that the Internal control and compliance health of the Bank was " " as on December 31, 20 . The details
of scores are followed by the enclosed health grading Score sheet.

a) Internal Control Health:


In analyzing Internal Control health, the five following parameters have been considered and the Bank received out of 50,
which indicates that the Internal Control system of the Bank is Excellent. Detailed score is as under:

Name of Parameter Score Obtained Remarks


Implementation Status of Board of Directors' decision
Implementation status of Audit Committee's decision
Implementation Status of MANCOM decision
% of Audit conducted to estimated Plan during the year
Implementation Status of ALCO decision
Implementation Status of WCM decision
Total

Board and Audit Committee’s Roles in the Bank:


The effectiveness of the Bank’s internal control system is reviewed by the Board and the Audit Committee. The
Executive Committee or Board of Directors receives regular reports on significant risks facing the Bank and how they
are being controlled. In addition, Bank’s independent auditors present reports to the Audit Committee that include details
of significant internal control matters, which they have identified.
The Board of Directors of the Bank approves and reviews the overall business strategies and policies of the Bank. The
Board of Directors of the Bank has formed Audit Committee, and the Audit Committee performs its roles in accordance
with applicable rules and regulations.

Implementation status of Board’s Instruction: During the year 20 Board meetings were held times and decisions were
taken by the Board of Directors, out of which were implemented and the implementation status is %.

Implementation status of Audit Committee’s Decisions: During the year 20 , Audit Committee met 00 times and took
00 decisions, out of which 00 decisions were fully complied with. The percentage of compliance is 00%.

Management Committee:
The Bank has established SMT, the meetings of which are presided over by Managing director of the Bank. SMT reviews
and recommends all policies and strategies, which are forwarded to the Board for approval/ratification. The Senior
Management will review the reports of Internal & External Audit, reports of regulatory bodies and take appropriate steps
in compliance process to remove the irregularities.

Implementation status of SMT Decisions: During the year 20 , SMT arranged 00 ( in words ) meetings and took
decisions out of which are fully complied with and decision related to of the bank is under process of implementation.
The percentage of compliance is 00.00%.

Implementation status of Asset-Liability Committee Decision:


Asset-Liability Committee (ALCO) regularly meets to address factors, such as the change in interest rate, market
conditions and carries out liability maturity gap analysis and re-pricing of products. During the year 20 , ALCO meetings
were held times. The committee took a total of decisions, out of which decisions were fully complied with. The
percentage of compliance is 00.00%.

Implementation Status of WCM Decisions:


In order to bring effectiveness in the process of Management Information System (MIS) and Internal Control System of
the bank on the activities of various Divisions/Departments of Corporate Head Office (CHO) as well as the branches,
CHO arranges meetings on weekly basis, which are attended by heads of different Divisions/ Departments of CHO and
managers of different branches (as guest attendees). Under the chair of Managing Director & CEO, regular Weekly
Communication Meeting (WCM) is held at CHO to review the progress of Divisional/Departmental activities/
implementation of action points/decisions taken by the management, and the future course of action is taken.

During the year 20 , the weekly communication meeting was held times taking 00 decisions, out of which 00 decisions
were fully implemented, and the remaining 00 decisions are under process of implementation. Percentage of
Implementation status is 00.00%.

Internal Audit and its rectification status: The audit program/schedule is developed and duly approved by the
competent authority at the very beginning of the year, and audits are conducted accordingly. In the year 20 , audit of 00
branches of the bank (out of 00 branches) has been completed, and the percentage of audited branches is 00.00%. The
audit of the remaining 00 branches has been completed this year(year of report preparing). During this period, the audit
team raised 00 objections, and 00 objections were rectified. The percentage of rectification is 00.00%. Apart from it,
special audit on different Department/Divisions of Head office and different risk areas were conducted as per
Management instructions and requirements, in 20 (year under review) .

b). Compliance Health:


In assessing compliance health, the Bank has emphasized on the compliance status of all regulatory observations and
time management. For the purpose of the analysis the following 5 indicators have been considered to assess compliance
health of the Bank and the Bank has received a score of 00 out of 50, which means Compliance health position of the
Bank is “ ”.
Name of Parameter Score Obtained Remarks
Implementation of Core risk Guidelines
Basel-II Implementation Status
External Audit Compliance
Bangladesh Bank Audits Compliance
Internal Audit Compliance
Good Governance
Total

Implementation Status of BB’s Core Risk Guideline: Bangladesh Bank’s Inspection teams conducted inspection on
05 Core Risk areas of the Bank out of 06 Core Risk areas and raised 50 observations/suggestions, out of which 00 have
already been complied with. The percentage of rectification is 00.00%, which is satisfactory. The concerned divisions
have been advised to rectify the remaining objections.

Basel-II compliance status: As per new capital accord, the Bank is required to maintain a regulatory capital of 10% of
RWA, against which the Bank is maintaining 00.00%.

Bangladesh Bank’s inspection and its compliance position: Bangladesh Bank submitted 00 reports on the branches
of the Bank during the year 20 . As per BB’s report, the number of objections was 00 out of which 00 objections were
rectified as on 31.12.20 and the percentage of Compliance is about %.

External Auditor’s report and its compliance position: In the year 20 , External auditors made 00 observations on the
bank’s activities for the year 20 , which have been complied with.

Internal Audit & inspections & its Compliance: During the year 20 , the internal Audit team detected 00 objections,
out of which 00 objections were rectified and 00 objections are yet to be rectified. Percentage of rectification is 00%.
Close persuasion is going on to rectify all the pending Audit objections.

Good Governance:
The Bank has meticulously followed and complied with all regulatory instructions issued time to time by Securities and
Exchange Commission as well as Bangladesh Bank, vide different notifications and circulars regarding ensuring good
governance in the institutions, in the year 20 .

From the above analysis, it is evident that the Internal Control and Compliance health of the Bank
is .

C. Image & Reputation Health:(Prepared by External Auditor)


Better image and reputation increase the confidence of the stakeholders, which ultimately increases the market value of the
Bank. The valuation of image and reputation is difficult but not totally impossible. We have tried to assess the ‘Image and
Reputation health’ of the Bank by quantifying the following parameters and the Bank has received a score of 00 out of
100, which indicates “ ” Image and Reputation Health. Detailed analysis of Image and Reputation health is followed by
attached score sheet.

Name of Parameter Score Obtained Remarks


Board Image
Management Image
Branding
Corporate Social Responsibilities Activities
Service to Customer
Suits filed by the counterparties
Imposition of Penalties by the regulatory bodies
Total

For the purpose of the analysis, we have considered Board Image, Management Image, Branding, CSR Activity, suit
filed against the Bank and Imposition of Fine by Regulatory bodies(such as Bangladesh Bank, SEC, The Honorable
Court etc.) as the measures of Image and reputation health, where negative score has been allocated for suit filed against
the bank and imposition of fine by the regulatory bodies.

Board Image:
Bank Limited is sponsored and directed by renowned and respected business personalities in the country, who are also
the owners of some leading conglomerates of the country and have become iconic and legendary in their own business
arena, and thus the image of the Board has upgraded the image of the Bank also. The Board of Directors of the Bank is
always supportive of the Bank Management and provides continuous guidance towards achievement of . Apart from
this, the Board has also ensured good governance in all respects of the Bank. In our analysis a score of 20 has been
assigned to Board Image and the Bank has received the score of 00 out of 20.

Management Image:
The senior Management of the bank also has an outstanding image in the banking sector. The Bank has employed a CEO who
is held in high esteem in the banking arena. The senior management in the core management team has also enhanced
the image and reputation health of the Bank. The Bank is managed professionally in all respects by ensuring good
corporate governance, better customer services and compliance with regulatory requirements over the years. The rights of
all stakeholders are duly protected. The disclosure of information is duly made as per regulatory requirements, and also
for the valued shareholders. The Bank has received a score of 00 out of 20 for strong Management Image.

Branding:
Unique Branding is one of the finest ways to reach the mass people. The branding activities of the Bank are increasing
gradually, and to this effect the Bank has set up bill-boards and signage in commercially important places with a view to
be ‘the bank of choice’ of the people. The people of the country are familiar with the brand of , yet a lot of things need
to be done to enhance its brand value. In our analysis it is found that the Brand Value of the Bank is “ ” and has received
a score of 00 out of 20.

Corporate Social Responsibilities: is imbued with the spirit of Corporate Social Responsibility (CSR), and has
contributed to education, sports, art and culture, charitable, educational and healthcare institutions across the country in
the form of donation and sponsorship. had always been by the side of the common and less advantaged people of the
society in natural catastrophes; like flood, cyclone, cold waves or any other national crisis. has launched loan products
for the poor farmers and SME customers and planned to introduce more banking products and CSR programs for the
poor of the society. The Bank has received a score of 00 out of 10 in CSR Activities.

Services to Customer:
Bank Limited is committed to providing the best customer services. In addition to providing customer services from the
branches (over the counter) the bank is rendering manifold personalized and prompt services to the customers, which
include ATM services, KIOSK, Card services, POS, internet banking, SMS banking etc. According to our observations,
the customers of Bank Limited are satisfied with the services provided to them. Bank employees are also “ ” to that cause;
nevertheless, there is always room for development. For the purpose of the analysis, the Bank has received a score of 00
out of 10 for customer service.

Suits filed by the counterparties:


In quantifying Image and Reputation health we have also considered the position of suits filed against the Bank, and
assigned a score of 10 for a maximum of 4 suits, and no score for 20 or more suits filed against the Bank, by the counterparties.
During the year 2014, 10 suits were filed by the counterparties, and the bank has received a score of 00 out of 10.

Imposition of Penalties by the regulatory bodies:


In our analysis we have considered whether any sort of penalty has been imposed on the bank by the regulatory bodies
or not and assigned a zero (0) score for imposition of any penalty/fine. During the year 20 the bank did not have any
imposition of penalty by the regulatory bodies, and it has received a score of 00 out of 10.

D. Conclusion:
The analysis as made above shows that the financial health of the bank is “ ”; internal control
& Compliance Health of the bank is “ ” and image and reputation health is “ ”.
To bring more sustainability and soundness in the overall health of the Bank, it is required to exert utmost efforts to
improve the financial health of the Bank, by utilizing the infrastructure, brand image and reputation of the Bank.
Following observations/ suggestions are made to sustain the overall health of the bank at excellent level: -
1. Cost of fund should be reduced by introducing wide range of low cost liability products in order to increase
NIM.
2. Dependency on inter-bank money market to be reduced by mobilizing more deposits.
3. Sources of low cost deposit to be increased, instead of concentrating on a limited number of
persons/organizations to minimize the risk of withdrawal of big chunk of deposit by them at any time.
4. High cost deposit to be deployed in high yielding asset portfolio for matching cost with the revenue.
5. Quality of Front desk service of the Bank should be improved for Image building and business growth.
6. Core Risk Guidelines of CRM should be implemented properly in order to maintain Asset quality at desired
level. Special attention to be made for improvement of Treasury Management in order to reduce ALM risk.
7. Operational risk of the Bank may be reduced by employing skilled manpower as well as by imparting need
based training.

(This is a pro-forma Annual Health Report. All the banks are advised to customize this report according to their business
volume and operation technique except grading calculation.)

AGRANI BANK LIMITED
Annexure-E
……………………………..Br.
IT Audit Reporting Sheet
Audited by…………………………………………………........ & ..........................................................................................
Dt…………………..................

1. Infrastructure:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=5) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Infrastructure | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10 to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Status of voltage fluctuation. | | | | | |
| 2 | Electric wiring (Proper wiring / Concealed wiring). | | | | | |
| 3 | Does the Generator provide sufficient output? | | | | | |
| 4 | Is there proper electrical grounding at the branch? | | | | | |
| 5 | Are all computers and devices connected with UPS? | | | | | |
| | Composite Risk of Infrastructure | | | | | |

Magnitude of Impact Definitions:
| Magnitude of Impact | Impact Definition |
|---|---|
| High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources, (2) may significantly violate, harm or impede an organization’s mission, reputation or interest, (3) may result in human death or serious injury. |
| Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources, (2) may violate, harm or impede an organization’s mission, reputation or interest or (3) may result in human injury. |
| Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation or interest. |

Risk Level Matrix:


| Threat Likelihood | Impact: Low (100) | Impact: Medium (50) | Impact: High (10) |
|---|---|---|---|
| High (0.1) | High (100×0.1=10) | Very High (50×0.1=5) | Extremely High (10×0.1=1) |
| Medium (0.5) | Medium (100×0.5=50) | Medium (50×0.5=25) | Very High (10×0.5=5) |
| Low (1.0) | Low (100×1.0=100) | Medium (50×1.0=50) | High (10×1.0=10) |

Risk Scale: High (>1 to 10); Medium (>10 to 50); Low (>50 to 100)

Risk Scale and Necessary Actions:
| Risk Level | Risk Description and Necessary Actions |
|---|---|
| High | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible. |
| Medium | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. |
| Low | If an observation is described as low risk, the system’s DAA must determine whether corrective actions are still required or decide to accept the risk. |

2. Manpower:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=10) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Manpower | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Do the users know Branch Banking Software / T-24 Software? | | | | | |
| 2 | Does 2nd Officer know Branch Banking Software / T-24 Software? | | | | | |
| 3 | Does GB in-charge know Branch Banking Software / T-24 Software? | | | | | |
| 4 | Does Advance in-charge know Branch Banking Software / T-24 Software? | | | | | |
| 5 | Is there any plan to build computer skilled manpower? | | | | | |
| 6 | How many persons know Branch Banking Software? | | | | | |
| 7 | Is there any job description of the computer related employees? | | | | | |
| 8 | Is there roster for IT personnel? | | | | | |
| 9 | Is life style of IT personnel normal/abnormal? | | | | | |
| 10 | Were related employees given adequate training on IT? | | | | | |
| | Composite Risk of Manpower | | | | | |

3. Hardware:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=5) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Hardware | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Are the computers and related equipment in proper working condition? | | | | | |
| 2 | Is there any obsolete item kept in the branch (With Brand, model and serial number)? | | | | | |
| 3 | Status of cleanliness in and outside of the HW equipment. | | | | | |
| 4 | Status of connections of the HW equipment? | | | | | |
| 5 | Are printers connected with UPS? (Circular No. IT/82 Dated: 15.10.08) | | | | | |
| | Composite Risk of Hardware | | | | | |

4. IT Security (Physical):

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=5) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | IT Security (Physical) | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is the Branch Banking software running on the PC placed in a glass enclosure with lock and key, maintained by a responsible person of the bank/branch? | | | | | |
| 2 | Is the computer room strong and safe enough? | | | | | |
| 3 | Is there password protected screen saver for each PC activated after 1 minute of inactivity? | | | | | |
| 4 | Is there enough physical security for the network equipment? | | | | | |
| 5 | Is there list of Authorized Personnel who can enter computer room and is the server room air conditioned? | | | | | |
| | Composite Risk of IT Security (Physical) | | | | | |

5. Environment:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=2) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Environment | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Are the doors fire alarmed? Location of backup equipment at safe distance, prohibition of recording equipment in the computer room and redundant power supply? | | | | | |
| 2 | Is the computer room air conditioned, dust free, damp free, fire protected and with no chance of watering? At the end of the day during departure the Branch Manager confirms that power switches are off / computer room is under lock and key. | | | | | |
| | Composite Risk of Environment | | | | | |
6. Fire Protection:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=3) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Fire Protection | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is Power supply of PCs switched off before leaving the branch? | | | | | |
| 2 | Is there any fire extinguisher with expiry date placed beside the power distribution board, maintained and reviewed properly on an annual basis? | | | | | |
| 3 | Is there proper earthing of electricity? | | | | | |
| | Composite Risk of Fire Protection | | | | | |

7. Password:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=10) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Password | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Do Officials maintain the confidentiality of their own password? | | | | | |
| 2 | Are Passwords of employees who were transferred deleted? | | | | | |
| 3 | Is the system restricted from being accessed, especially sensitive data/fields? | | | | | |
| 4 | Does anyone leave computer while logged in? | | | | | |
| 5 | Are passwords complex? Is the length of password at least 6 characters and combination of uppercase, lowercase, number & special characters? | | | | | |
| 6 | Is password always changed within 30 days (the maximum validity period of password) cycle? | | | | | |
| 7 | Is there parameter in the system to allow maximum number of invalid logon attempts specified properly according to the IT security policy (maximum 3 consecutive times)? | | | | | |
| 8 | Is there allowable terminal inactive time for users, set in accordance with the bank's policy? | | | | | |
| 9 | Is there defined Operating time schedule for users where necessary? | | | | | |
| 10 | Is there the audit trail available to review the user profile for the maintenance purpose? | | | | | |
| | Composite Risk of Password | | | | | |

8. User ID Maintenance:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=5) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | User ID Maintenance | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Are there a unique User ID and a valid password for each user? | | | | | |
| 2 | Is there any method to ensure that the User ID is locked up after 3 unsuccessful log in attempts? | | | | | |
| 3 | Is there any control to ensure that user ID and password are not same? | | | | | |
| 4 | Is there User ID Maintenance Form with access privileges duly approved by the appropriate authority? | | | | | |
| 5 | Are the access privileges changed/locked within 24 hours in case of user's status changed or left the bank? | | | | | |
| | Composite Risk of User ID Maintenance | | | | | |

9. Input Control:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=3) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Input Control | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Does the software not allow the same person to be maker and checker of the same transaction? | | | | | |
| 2 | Every cancellation of cheque is done with maintaining delegation of power. No payment is done by using without cheque option of party’s request at T-24 Software. | | | | | |
| 3 | Every day's vouchers are checked with computer printed sheet. Monthly / Half yearly / Yearly closing computer generated Intt. sheets are checked also. | | | | | |
| | Composite Risk of Input Control | | | | | |

10. Net Security:
| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=10) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Net Security | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is the cabling structured? Condition of cabling – very good / good / bad? | | | | | |
| 2 | Are all the network users familiar with these operating and security procedures? | | | | | |
| 3 | Does each user have a unique User name and a valid password? | | | | | |
| 4 | Is there one person or a group of administration responsible for the security of the network? | | | | | |
| 5 | Is the sensitive information/data kept in restricted area in the networking environment? | | | | | |
| 6 | Are unauthorized access and electronic tampering strictly controlled for maintaining network security? | | | | | |
| 7 | Is the security of the network under dual administrative control? | | | | | |
| 8 | Is there any firewall existing on the network for any external connectivity? | | | | | |
| 9 | Is there any arrangement of redundant communication links for WAN? | | | | | |
| 10 | Is there the system to detect the unauthorized intruder for network? | | | | | |
| | Composite Risk of Net Security | | | | | |

11. Virus:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=4) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Virus | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is there any most recent Anti-Virus installed in each server and computer, whether it is connected with internet or LAN? | | | | | |
| 2 | Is the anti-virus software always updated with the latest virus definition file? | | | | | |
| 3 | Are all users of the system well trained and informed about computer viruses and their prevention mechanism? | | | | | |
| 4 | Is there any procedure in place which requires that all incoming e-mail messages are scanned for viruses to prevent virus infection to the bank's network? | | | | | |
| | Composite Risk of Virus | | | | | |

12. Internet & E-mail:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=2) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Internet & E-mail | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is there any procedure that all internet connections are routed through a Firewall for PCs connected to network? | | | | | |
| | Composite Risk of Internet & E-mail | | | | | |

13. Business Continuity & Disaster Recovery Plan:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=4) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Business Continuity & Disaster Recovery Plan | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is there any Business Continuity Plan (in line with business) for IT in place? | | | | | |
| 2 | Are the following included in the BCP: (a) Action plan for i) During office hours disaster, ii) Outside office hours disaster, iii) Immediate and long term action plan in the line with business; (b) Emergency contact, address and phone numbers including vendors; (c) Grab list of items such as backup tapes, laptops etc. | | | | | |
| 3 | Is there any disaster recovery site map? | | | | | |
| 4 | Is there any procedure to review the existing BCP at least once a year? | | | | | |
| | Composite Risk of Business Continuity Plan | | | | | |

14. Backup/Restore:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=3) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Backup/Restore Process | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is there any replacement arrangement when departure and illness of key member occurs? | | | | | |
| 2 | Is all Backup kept in CD and is Backup taken on at least two computers of the branch? | | | | | |
| 3 | Are backup copies of information stored off-site at a geographically separate and safe environment and is the Backup restore process tested at least once in a year? | | | | | |
| | Composite Risk of Backup & Restore Process | | | | | |

15. Software:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=1) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Software | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is there any unauthorized/illegal/banned software in the PCs of the branch? | | | | | |
| | Composite Risk of Software | | | | | |

16. Banking Software Management:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=8) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Banking Software Management | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Is daily transaction list including cheque list properly checked with voucher and signed by the competent person? | | | | | |
| 2 | Is the last transaction number of the two previous days checked at the beginning of the day by Branch Incumbent? | | | | | |
| 3 | Is Summary Balancing of account head (transaction balance, master balance, GL balance) tallied with General Ledger and preserved / filed properly with remarks column ‘OK’? | | | | | |
| 4 | Is statement of daily affairs printed and verified with GL and is monthly balancing checked with manual GL and preserved properly? | | | | | |
| 5 | Are SS cards scanned properly? | | | | | |
| 6 | Is Daily backup kept in branch computer / Zip drive / Pen drive preserved under direct supervision of Branch Incumbent and preserved at different location? | | | | | |
| 7 | Does the Branch Manager monitor balance / transaction flow of the accounts of the relatives / friends of computer operators? Does Branch user monitor balance of dormant accounts time to time? | | | | | |
| 8 | Do the User / Second Officer involve physically by giving his high level Password at the time of adding / changing / deleting any password? Has the operations limit of withdrawal been set up? | | | | | |
| | Composite Risk of Net Security | | | | | |

17. SWIFT:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=5) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | SWIFT | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Does PC connect software exist? Are there two Security Officers assigned? | | | | | |
| 2 | Do Security Officers maintain confidentiality of their own password? | | | | | |
| 3 | Has operator’s permission been limited? | | | | | |
| 4 | How many times is the message checked? | | | | | |
| 5 | Does message register exist (input and output messages)? | | | | | |
| | Composite Risk of SWIFT | | | | | |

18. ATM:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=10) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | ATM | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Are there separate PIN and card officers? Are card and PIN preserved separately? | | | | | |
| 2 | Is there card and PIN distribution register? | | | | | |
| 3 | Are undelivered card/PIN submitted to the manager after 30 days? | | | | | |
| 4 | Does the branch maintain / preserve the authorization form (does signature exist)? | | | | | |
| 5 | Check transaction frequency / volume done by the branch officials with ATM card? | | | | | |
| 6 | Does the branch maintain confidentiality of PIN for opening ATM booth for cash loading? | | | | | |
| 7 | Is there register for cash loading and unloading? | | | | | |
| 8 | Does the branch keep a key of ATM booth’s cassettes safely? Does the branch preserve summarized sheet (photocopy)? Is statement of cash dispensed preserved? | | | | | |
| 9 | Does the branch preserve photocopy of TT/IBCA in the ATM file after authorized signature? | | | | | |
| 10 | Does the branch preserve ATM related circular/instructions circular and letter properly? | | | | | |
| | Composite Risk of ATM | | | | | |

19. Miscellaneous:

| Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood | Impact & Risk of Threat Source (Likelihood Determination): Impact (Degree of Loss) | Control Present (Yes/No) | Control Status (Score=5) Yes=1, No=0 | Risk Level |
|---|---|---|---|---|---|---|
| | Miscellaneous | High=0.1, Medium=0.5, Low=1.0 | High=10, Medium=50, Low=100 | | | High Risk=≤10%; Medium Risk=(>10% to 50%); Low Risk=(>50% to 100%) [This Risk Level represents Likelihood Risk] |
| 1 | Do all the employees have clear understanding of the IT Policy and are they aware of the IT Audit Manual? | | | | | |
| 2 | Do branch officials maintain IT related circulars separately, discuss, and have clear understanding on the subject matters? | | | | | |
| 3 | Has the branch taken appropriate measures to address the recommendations made in the last Audit Report? | | | | | |
| 4 | Are there unnecessary data / files in the HD of the branch computers? | | | | | |
| 5 | Is there any major violation of IT Policy of the bank? Please specify. | | | | | |
| | Composite Risk of ATM | | | | | |

................................. .................. ............................ ............


Signature (Manager) 2nd Officer Auditor (Leader) Auditor
