Internal Control and Compliance (ICC) Policy & Procedures-2018 (Approved in the 573rd Board of Directors’ Meeting held on 27/08/2018)

[As per the 481st Board of Directors’ meeting, dated 28/11/2016, ratifying the Audit Committee decision, memo no. , dated 09/11/2016, regarding amendments in different sections of this policy, this policy was formed and would be treated as ICC Policy and Procedures-2016.]

Agrani Bank Limited Agrani Bank Bhaban 9D, Dilkusha Commercial Area, Dhaka-1000, Bangladesh www.agranibank.org

[(1) ICC Manual (2) Internal Audit Manual (3) Risk Based Internal Audit Manual (4) Audit Compliance Manual (5) Audit Monitoring & Controlling Manual (6) IT Audit Manual]

ICC Policy and Procedures-2018

Preface

Nowadays, banking has evolved into a diversified and complex financial activity that is no longer limited to the geographic boundaries of a country. Effective internal control systems, corporate governance, ethical banking, transparency and accountability, and regulatory compliance have become prime needs for high-level performance.

Banking operations involve both inherent and acquired risks in the pursuit of value creation. To cope with the complexities and risks arising out of those activities, internal corrective measures must be in place. Internal control is now regarded as an integral part of the daily activities of a bank, assuring the Bank’s management and stakeholders that the Bank’s service delivery systems are efficient, safe and compliant with all their expectations. Further, audit activities are the most important means of reinforcing control systems through the regular review of operations.

An effective Internal Control System results in better risk management practices in terms of the identification, management, monitoring and mitigation of risks. This ensures reliable financial and managerial information that promotes better strategic decisions for a bank. Internal Control and Compliance (ICC) ensures compliance with laws and regulations, and with the policies and procedures issued by both the bank management and the regulators. ICC enhances confidence in the bank and facilitates risk-based bank examination. Risk management and control are not a burden on business; rather, they are one of the scientific means by which business opportunities are maximized and potential losses associated with unwanted events are reduced.

In this manual the procedures, rules and guidelines are assembled in such a way that the officials concerned can easily use it as a reference manual in discharging their duties and responsibilities correctly and efficiently.

Internal Control and Compliance Policy and Procedures-2018 -1-


This manual will ensure uniformity and consistency in audit compliance procedures and establish a set of standards in this regard. This Manual reflects the hopes and aspirations of Bangladesh for the “Internal Control and Compliance” system of Agrani Bank Limited. Nothing here is new; rather, everything is intended to fulfill the requirements of Audit.

Considering the changing environment of the banking business and the requirement to review the policy every year, ABL management has decided to amend some paragraphs of the ICC Policy as well as the Manuals. ABL’s Board-nominated Audit Committee has approved those amendments, and they have been incorporated in the ICC Policy and Manuals.

I sincerely believe that this manual will strengthen the Internal Control and Compliance system of our Agrani Bank. It will play a vital role in achieving our goal of a modern and vibrant Agrani Bank Limited.

Thanks are due to all concerned Executives and Officers who have put in sincere efforts to prepare this manual.


ICC Policy and Procedures-2018 INDEX

Chapter / Subjects / Page#

A. Internal Control & Compliance (ICC) Policy 08-42

Chapter One: Universal Discussion of ICC
1.1 Mission Statement 09
1.2 Vision Statement 09
1.3 Executive Declaration 09
1.4 Preamble 09

Chapter Two: Policy Guideline and Responsibilities
2.1 Internal Control 11
2.2 Components of Internal Control 11
2.3 Internal Control Environment 12
2.4 Objective of Internal Control 12
2.5 Control Activities and Segregation of Duties 13
2.6 Corrective measures to be taken by ICC 14
2.7 Scope of Internal Control and Compliance System 14

Chapter Three: Policy Guideline for Internal Control
3.0 Policy Guideline 15
3.1 Responsibility of the Board of Directors 15
3.1.1 Responsibility and power of the Board of Directors 16
3.2 Structure & Responsibility of the Audit Committee of the Board 17
3.2.1 Organizational Structure 17
3.2.2 Qualification of the members of the Audit Committee 17
3.2.3 Roles & Responsibilities of the Audit Committee 17
3.3 Responsibility of the Senior Management / MANCOM 19
3.3.1 Function of the Senior Management Team / MANCOM 19
3.3.2 Management Reporting System 20
3.4 Role of External Auditors 20
3.5 Dispute Settlement 20

Chapter Four: ICC Related Issues
4.0 Introduction 21
4.1 The Organizational Structure of ICC 21
4.2 Structure of ICC 22
4.3 The Charter of ICC 24
4.4 Standards of the Best Professional Practices 25
4.5 Head of ICC 26
4.6 Core Risks Management 26
4.7 Inspection Concluding Meeting (Account Finalization) - Finalization of Quick Summary Report / Annual Accounts 36
4.8 Special Board Meeting on Compliance of Annual Inspection Report of Bangladesh Bank 37
4.9 Liaison Meeting 37
4.10 Shariah Based Audit 37

Internal Audit Charter
4.11 Chief Audit Officer / Head of Audit 39
4.12 Role and Responsibilities of Internal Auditors 39
4.13 Auditors' Ethics & Qualifications 39
4.14 Appraisal of ICC Officials 40
4.15 Training and Development 41
4.16 Training (In-house / other institutional) 41
4.17 Abroad Training 41
4.18 Job Rotation 42
4.19 Mandatory Leave 42
4.20 Recreational Leave 42

Chapter Five: Internal Audit Manual 44-85
5.0 Definition of Audit 44
5.1 Objectives of audit 44
5.2 Auditors' Rights 45
5.3 Responsibilities of the Auditors 45
5.4 Auditors' punishment 46
5.5 Basic Principles of Auditors 46
5.6 Types of audit 46
5.7 Internal Audit 47
5.7.1 Internal Audit 47
5.7.2 Principles of internal audit 47
5.7.3 Reporting 50
5.7.4 Importance of internal audit 51
5.8 External audit 52
5.8.2 Types of External audit 52
5.9 Concurrent Audit 53
5.10 Lapses 25
5.10.2 Types of Lapses 54
5.10.2.1 Minor Irregularities (MI) 55
5.10.2.2 Major Lapses (ML) 55
5.10.2.3 Serious Lapses (SL) 55
5.11 Punishment 56
5.12 Reward/Incentive for Auditors 56
5.13 System Audit Software 56
5.16 Wrap-up Meeting after Internal Audit 56

AUDIT PROCEDURES [Risk Based Internal Audit Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Audit Manual]

Chapter Six: Risk Based Internal Audit Manual 57-85
6.0 Risk Based Internal Audit 58
6.5 Audit Procedure 58
6.6 Preparation of Risk Based Audit Plan 59
6.7 Prioritization of Audit 60
Risk Audit Matrix 60
6.8 Risk Based Internal Audit Methodology 61
6.9 Formation of Audit Team 61
6.10 Control Risk Assessment 62
6.11 Risk Model Construction 63
6.12 Risk Recognition & Assessment 64
6.13 Risk Analysis of Control Functions 65
6.14 Steps in adopting Risk Based Internal Audit (RBIA) 65
6.15 Development of formats for risk assessment 66
6.16 Risk assessment of Branch as a whole 67
6.17 Risk Assessment 68
6.18 Conduct of on-site Audit and Report findings 69
6.19 Determine the composite risk level using composite risk matrix 70
6.20 Determine trend/direction for inherent business and control risk 70
6.21 Determine the ratings of the branch 71

Categories of Audit Findings 72-85
6.22 Minor Irregularities (MI) 72
6.23 Major Irregularities (ML) 74
6.24 Serious Lapses (SL) 80

Chapter Seven: Information Technology (IT) Audit Manual 86-123
7.0 Information Technology (IT) Audit 87
7.3 Purposes/Objectives of IT Audit 87
7.4 Types of IT Audits 88
7.5 Elements of IT Audit Strategy 88
7.6 IT Audit Process 89
7.7 The Scope of the IT General Controls Audit Includes 89
7.8 IT Audit Role 90
7.9 Performing 92
7.10 Change Management 94
7.11 Auditor’s checking 94
7.12 Application Audit 94
7.17 Processing Controls 98
7.18 Output Controls 101
7.19 Disaster Recovery Plan 104
7.23 Technical IT Controls Audit 106
7.24 Discretionary or mandatory access control 107
7.25 Residual information protection 108
7.27 Risk Assessment 109

Chapter Eight: Inspection Manual (Inspection by the Controlling Office) 124-130
8.0 Inspection 125
8.1 Objectives of Inspection 125
8.2 Types of Inspection 125
8.3 Functions of Inspection 125
8.4 Inspection procedures used in Agrani Bank Limited 126
8.5 Outline of Inspection Function 126
Inspection by the Controlling Office 127
8.7 Reporting Procedures/Rules 129

Chapter Nine: Audit Monitoring and Controlling Manual 131-136
9.0 Monitoring 132
9.1 Monitoring Activities and Corrective Measures 132
9.2 Objectives of Monitoring Department 133
9.3 Application of monitoring system 133
9.3.1 Departmental Control Function Checklist (DCFCL) 133
9.3.2 Loan Documentation Checklist 134
9.3.3 Quarterly Operations Report 134
9.4 Annual ICC Report on the health of the Bank 135-136

Chapter Ten: Audit Compliance Manual 137-163
10.0 Compliance 138
10.1 Overview 138
10.3 Independence of Compliance Functions 139
10.4 Compliance Process 140
10.5 Regulatory Compliance 142
10.6 Functions of Compliance 142
Roles and Responsibilities of different Parties
10.9 Responsibilities of the Management for Compliance 145
10.10 Responsibilities of the Board of Directors for Compliance 145
10.11 Responsibilities of Senior Management for Compliance 146
10.12 Responsibilities of the Head of Compliance 147
10.13 Responsibilities of the Audit Committee 147
10.14 Responsibilities of the Risk Management Committee 148
10.15 Responsibilities of the Internal Auditors 148
Different Systems of Compliance
10.16 Internal Audit Compliance 148
10.16.1 Instruction regarding audit Compliance 148
10.16.2 Definition of Nirikha Paripalan Patra-1 149
10.16.3 Compliance with Nirikha Paripalan Patra-1 149
10.16.4 Definition of NIPP-2 (ka) 149
10.16.5 Definition of NIPP-2 (kha) 150
10.16.6 Compliance with response to Nirikha Paripalan Patra-2 150
10.17 Internal audit objections settlement and file close 152
10.17.1 Internal audit objections settlement and file close 152
10.18 Settlement of Minor Irregularities and file close 153
10.19 Settlement of Major Lapse and file close 154
10.20 Settlement of Serious Lapse and file close 154
10.21 Issuing DO Letter 155
10.22 Placement of Special Note 155
10.23 Govt. Commercial Audit Compliance 156
10.23.8 Monitoring and follow up 156
10.23.9 Ordinary Objections 156
10.23.10 Advance Objections/Clauses 157
10.23.11 Commercial audit objections settlement and file close 158
10.24 Bangladesh Bank Inspection Compliance 159
10.24.2 Bangladesh Bank Inspection objections settlement & file close 159
10.24.2 Special Inspection on specific issue 159
10.24.3 Inspection regarding Foreign Trade Transaction 160
10.25 External audit Compliance 161
10.25.3 Settlement of objections raised by Audit Firm appointed by Board and file close 161
10.26 Audit Clearance 161

Chapter Eleven
11.0 Conclusion 162

Annexure of ICC [Annex.-1 to Annex.-41 and Annex.-A to Annex.-E] 164-316


Internal Control and Compliance Policy


Universal Discussion of ICC

1.1. Mission Statement

To ensure corporate governance, accountability, integrity, transparency and regulatory compliance in the operations of the Bank within a stringent framework, so as to achieve the International Standard of Banking.

1.2. Vision Statement

To keep banking operations accurate and efficient, in line with international best practices.

1.3. Executive Declaration 1

A new (amended) “Guidelines on Internal Control and Compliance-2016” has been circulated by Bangladesh Bank vide BRPD Circular No. 03 dated 08/03/2016, with reference to BRPD Circular No. 17 dated 07/10/2003, followed by a further amendment vide BRPD Circular No. 06 dated 04/09/2016. The amendments were made with a view to minimizing risks more effectively in the day-by-day growing banking business.

In light of the above Guidelines on ICC and under the guidance of the BoD Audit Committee, the Head of ICC, Md. Monowar Hossain FCA, with the help of the Audit Monitoring Division of ICC, finalized this ICC Policy & Procedures-2018 [Risk Based Internal Audit Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Audit Manual].

1.4. Preamble

1.4.1 The economy of Bangladesh has gained momentum in its transition towards a great uplift in development. The banking sector is playing a pivotal role in this context. At such a time, stringent banking practice in line with the best international practices is a crying need.

1.4.2 A major risk inherent in the banking sector is systematic risk, which causes bank regulators to have concerns about the operations of each individual bank. As such, the regulatory body gives priority to attaining high-quality banking operations by all banks in terms of managing the key banking risks, establishing an adequate compliance culture and having a satisfactory information disclosure system.

1.4.3 An effective Internal Control System results in better risk management practices in terms of the identification, management, monitoring and mitigation of risks. It ensures reliable financial and managerial information that promotes better strategic decisions for a bank. Banking is a diversified and multifarious financial activity that involves different risks. Effective internal control systems, good governance, transparency of all financial activities, and accountability towards stakeholders and regulators have become momentous in ensuring the smooth performance of the banking industry. An effective internal control and compliance system has become essential in order to underpin effective risk management practices and to ensure the smooth performance of the banking industry. In general, internal control is identified with internal audit, but the scope of internal control is not limited to audit work. Internal control in its own right identifies the risks associated with a process and adopts measures to mitigate or eliminate those risks. Internal Audit, on the other hand, reinforces the control system through regular review of the effectiveness of the controls.

1 BRPD Circular No. 03 dated 08/03/2016; BRPD Circular No. 06 dated 04/09/2016

1.4.4 The single greatest factor contributing to operational failure in banks is the lack of adequate internal control. Bangladesh has witnessed considerable growth in the banking sector. A persistently moderate economic growth rate, a high degree of competition in the banking sector and a speedy rate of urbanization have gradually transformed our banking sector into a large and vibrant one. The nature and magnitude of business as well as the degree of competition in the banking industry have increased manifold in recent years.

1.4.5 The responsibility for implementing internal controls starts with the business lines, which are the “first line of defense” against breaches that could cause the bank not to fulfill its objectives, not to report properly, or not to comply with laws and regulations. Beyond that, in any bank, the three important “control functions” are risk management, compliance, and internal audit. This triumvirate of key functions is underpinned by, and in turn implements and reinforces, the system of internal controls. The first two of these control functions constitute the “second line of defense” against mishaps. The final, or “third line of defense”, is the internal audit function. An effective internal control system requires that reliable information systems are in place covering all significant activities of the bank. A system of strong internal controls can help ensure that the goals and objectives of a banking organization will be met, that the bank will achieve its long-term profitability targets, and that it will maintain reliable financial and managerial reporting.

1.4.6 Internal controls are particularly crucial elements of a risk management program. An essential part of the internal control framework is periodic testing to determine how well the framework is operating, so that any required remedial actions can be taken. The frequency of testing should be risk-based and should involve, as appropriate, sample transaction testing, with the sample size (commonly known as the audit plan) determined by the volume and the degree of risk of the activity.


Internal Control

2.1 Internal Control

Internal control is a process, rather than a structure. It is not a separate activity disconnected from the rest of the business activities; rather, it is an integral part of those activities. It is a dynamic, continuing series of activities planned, implemented and monitored by the board of directors and management at all levels within an organization. Internal control is the process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of management’s objectives in the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws, regulations and internal & external policies. There are three main types of internal controls: detective, preventive and corrective.

2.2 Components of Internal Control

In an ‘effective’ internal control system, the following five components work together to support the achievement of an entity's mission, strategies and related business objectives 2:

1. Control environment (Integrity and Ethical Values);
2. Risk assessment (Company-wide Objectives);
3. Control activities;
4. Information and communication;
5. Monitoring.

2 COSO’s 17 Principles of Internal Control


2.3 Internal Control Environment

The control environment reflects the overall attitude, awareness and actions of the board and management concerning the importance of internal control. Internal controls are developed, implemented and monitored under this framework. It consists of the mechanisms and arrangements that ensure that the internal and external risks to which the bank is exposed are identified, that appropriate and effective internal controls are developed and implemented to soundly and prudently manage these risks, and that reliable and comprehensive systems are put in place to appropriately monitor the effectiveness of these controls.

Control environment factors include the integrity, ethical values and competence of the employees; management’s philosophy and operating style; the way management assigns authority and responsibility; and how it organizes and develops its human resources.

The factors which together comprise the control environment are:

• A board of directors that is actively concerned with sound corporate governance and that understands and diligently discharges its responsibilities by ensuring that the bank is appropriately and effectively managed and controlled;
• A management that actively manages and operates the bank in a sound and prudent manner;
• Organizational and procedural controls supported by an effective management information system to soundly and prudently manage the bank's exposure to risk; and
• An independent audit mechanism to monitor the effectiveness of the organizational and procedural controls.

2.4 Objective of Internal Control

The primary objective of the Internal Control System of Agrani Bank Limited is to help the bank perform better through the use of its resources.

There are mainly three objectives of Internal Control and Compliance.


2.4.1 Three objectives of ICC are as follows:

(1) Performance objectives : Efficiency and effectiveness of activities.

(2) Information objectives : Reliability, completeness and timeliness of financial and management information.

(3) Compliance objectives : Compliance with applicable Laws and Regulations.

2.5 Control Activities and Segregation of duties

Control activities are the most tangible internal controls that the Internal Audit function will concentrate on to a large degree. The auditor will be concerned with understanding whether a control prevents an error or detects and corrects an error. Control activities may be manual or, if relevant, where processes are computerized then they may also have specific IT control activities.

2.5.1 An effective internal control system requires that an appropriate control structure be set up with control activities defined at every business level, i.e. top level review; appropriate activity controls for different departments or divisions; physical controls; checks for compliance with exposure limits and follow-up on non-compliance; a system for approvals and authorizations; and system verification and reconciliation.

2.5.2 Control activities involve two steps:

I. The establishment of control policies and procedures; and
II. Verification that the control policies and procedures are being complied with.

2.5.3 Senior management should ensure that adequate control activities are integral parts of the daily functions of all relevant personnel; this enables quick response to changing conditions and avoids unnecessary costs. Control activities are most effective when they are viewed by management and all other personnel as an integral part of daily activities rather than an addition to it.

2.5.4 One of the most important aspects of an internal control system is an appropriate segregation of duties, so that personnel are not assigned conflicting responsibilities.

2.5.5 Furthermore, employees must also be provided with necessary authority, and they should be held accountable for their actions in compliance with delegated authority. Exceeding their authority or failing to exercise their rightful authority should both be sanctioned.

2.5.6 For employees to carry out their responsibilities properly, each employee should have an appropriate job description.

2.5.7 Areas of potential conflicts of interest should be identified, minimized, and subject to careful independent monitoring.


2.6 Corrective measures to be taken by Internal Control and Compliance:

When a system of internal control is effective, management and those charged with governance can be reasonably assured that:

• the organization is achieving effective and efficient operations (operations),
• the organization is preparing reliable internal and external reports (reporting), and
• the organization is operating in compliance with applicable laws and regulations (compliance).

Corrective measures are as follows:

i. The effectiveness of the bank’s internal control should be monitored on an ongoing basis. High-risk items should be identified and monitored as part of daily activities;
ii. There should be an effective and comprehensive internal audit of the internal control system, carried out by operationally independent, appropriately trained and competent staff specially designated by the management. The significant deficiencies identified by the audit team should be reported to the board on a periodic basis;
iii. Internal control deficiencies, whether identified by business lines, internal audit or other control personnel, should be reported in a timely and prompt manner to the appropriate management level and addressed immediately;
iv. Material internal control deficiencies should be reported to the BoD Audit Committee with recommendations where necessary. It should be noted that consideration should be given to major financial exposure or loss, significant process lapses, serious employee misconduct etc.;
v. The Head of ICC will have a direct reporting line to the Audit Committee of the Board.

2.7 Scope of Internal Control and Compliance System:

Head Office of Agrani Bank Limited comprises 36 Divisions. As per geographical demarcation, there are 11 Circle Offices. Under these Circle Offices there are 53 Zonal Offices, which control 911 branches. The total number of branches is 953. Among these branches there are 42 Authorized Dealer (AD) branches, and within those, 28 Corporate Branches. Moreover, there are 5 Islamic Windows for Shariah Based Islamic Banking and also 5 Subsidiaries. Those are:

1. Agrani Exchange House Pvt. Ltd., Singapore
2. Agrani Remittance House Sdn. Bhd., Malaysia
3. Agrani Equity & Investment Limited
4. Agrani SME Financing Company Limited
5. Agrani Remittance House Canada Inc., Canada

ICC will ensure the effectiveness of Internal Audit, Issue-based Audit and Special Audit for each and every branch, office, window and subsidiary of Agrani Bank Limited. With the help of the administration of the Bank, ICC will ensure punishment of the person found guilty. ICC will also arrange compliance with the said internal audit as well as external audit (viz. Bangladesh Bank Inspection, Commercial Audit, Functional Audit, appointed audit firm) effectively and efficiently.


Policy Guidelines for Internal Control

3.0 Policy Guidelines

In addition to any existing relevant legislation, the following statements of policies and procedures relevant to internal control are to be meticulously implemented by the bank, and adherence to which is reviewed by the Internal Audit and Compliance functions:

1. Credit Policy and Credit Risk Management Manual
2. Asset Liability Risk Management Policy and Manual
3. Foreign Exchange Risk Management Manual
4. Guidelines for Foreign Exchange Transactions
5. Information & Communication Technology (ICT) Security Policy
6. Internal Control & Compliance (ICC) Policy and Procedures
7. Money Laundering Risk Manual
8. Guidelines on Anti Money Laundering and Terrorist Financing
9. Compliance of Anti-Money Laundering and Combating Financing of Terrorism Policy & Procedure-Guide Book
10. Finance and Accounting Manual
11. Treasury Manual
12. HR Policy Manual
13. IT Audit Manual
14. Payment System Manual
15. Agent Banking Manual
16. Green Banking Manual
17. OBU Manual
18. Agent Banking Manual

3.1 Responsibilities of Board of Directors (BoD) 3

The responsibility of the Board of Directors in respect of implementing a modern, scientific and acceptable Internal Control and Compliance Process in a Bank is described in the Banking Companies Act, 1991, Rule 15(Kha) and exclusively in Section 15(Ga). As per the prudential guidelines of Bangladesh Bank, the responsibilities of the Board of Directors of the bank are enumerated below:

• The Board shall be observant of the internal control system of the Bank in order to accomplish a satisfactory standard for its portfolio. The Board will form an Audit Committee with such directors who are not members of the Executive Committee of the BoD, and a Risk Management Committee from its members.

• The Board will also establish such an Internal Control System that the whole Internal Audit process can work independently from the management and report directly to the Audit Committee of the Board.

• The BoD shall review the reports submitted by its Audit Committee on a quarterly basis regarding compliance with the recommendations made in internal and external audit reports as well as Bangladesh Bank inspection reports.

3 Banking Companies Act, 1991


In addition to the above, the following responsibilities will also be observed by the BoD 4:

• They should set up the organizational structure of the Internal Control and Compliance (ICC) Division in such a way that it has no conflict of interest with the regular management of the bank and fulfills the requirements directed in Rule 15(Ga)(1) of BCA 1991 for establishing and maintaining effective internal control and risk management, having regard to the complexity of the activities of the bank, its size, scope of operations and risk profile;

• The Board of Directors should, at least annually, conduct a review meeting about the effectiveness of the internal control process and report to the shareholders accordingly.

The responsibilities of the Board of Directors (BoD) of the Bank are given in BRPD Circular No. 11 dated 27-10-2013 of Bangladesh Bank, from which the Internal Control and Compliance related responsibilities are enumerated below:

3.1.1 Responsibilities and power of BoD:

a) Action plan and strategic management:
i. BoD will set the goals and objectives of the bank and prepare an annual action plan;
ii. In the annual report of the bank, BoD will incorporate the successes and failures of the goals and objectives elaborately, which will be the basis of future planning and strategies. This is to be disclosed to the shareholders;
iii. The BoD will review the different policies of the bank annually; if any changes are required, the concerned division will take approval from the BoD.

b) Credit Management:
i. Under the purview of existing laws and regulations, every credit/investment proposal evaluation, sanction and disbursement, loan recovery, rescheduling and write-off policy etc. will be approved by BoD.
ii. At the implementation level, the above rules and policies regarding risk management will be assessed quarterly. In the evaluation process BoD will observe whether the risk management principles of Bangladesh Bank are followed or not.

c) Internal Control: To ensure sustainable quality investment, BoD will keenly oversee the internal control system of the bank. It will also ensure that internal audit activities are performed independently. These will be evaluated on a quarterly basis. BoD will ensure compliance with all laws and regulations circulated by the various regulatory authorities, such as Bangladesh Bank, the Ministry of Finance, the Securities and Exchange Commission etc.

d) Human Resource Management (HRM) and Development:
i. All policies regarding HRM will be approved by BoD.
ii. For the development of HRM, BoD will give emphasis to the arrangement of training for bank personnel. This training will help them to implement IT-based MIS and to correctly assess quality loans and investments.
iii. BoD will prepare a Code of Ethics for employees.

4 BRPD Circular No. 11 dated 27/10/2013

3.2 Structure and Responsibilities of the Audit Committee of the Board

The board will approve the objectives, strategies and overall business plans of the bank, and the audit committee will assist the board in fulfilling its oversight responsibilities. The committee will review the financial reporting process, the system of internal control and management of financial risks, the audit process, and the bank's process for monitoring compliance with laws and regulations and its own code of business conduct.

3.2.1 Organizational Structure:
i. Members of the committee will be nominated by the board of directors from among the directors;
ii. The audit committee will comprise a maximum of 05 (five) members, with a minimum of 2 (two) independent directors;
iii. The audit committee will comprise directors who are not executive committee members;
iv. Members may be appointed for a 03 (three) year term of office;
v. The Company Secretary of the bank will be the secretary of the audit committee.

3.2.2 Qualification of the Members of the Audit Committee:
i. Integrity, dedication and the opportunity to spare time for the functions of the committee will have to be considered while nominating a director to the committee;
ii. Each member should be capable of making valuable and effective contributions to the functioning of the committee;
iii. To perform his or her role effectively, each committee member should have an adequate understanding of the detailed responsibilities of committee membership as well as of the bank's business, operations and risks;
iv. Professionally experienced persons from banking/financial institutions, especially those with educational qualifications in Finance, Banking, Management, Economics or Accounting, will get preference in forming the committee.

3.2.3 Roles and Responsibilities of the Audit Committee

i. Internal Control:
1. Evaluate whether management is setting an appropriate compliance culture by communicating the importance of internal control and the management of risk, and ensuring that all employees have a clear understanding of their roles and responsibilities;
2. Review management's actions in the computerization of the bank and its applications and in the Management Information System (MIS) of the bank;


3. Consider whether the internal control strategies recommended by the internal and external auditors have been implemented by the management;
4. Consider reports relating to fraud, forgery, deficiencies in internal control or other similar issues detected by the internal and external auditors and by the inspectors of the regulatory authority, and place them before the board after reviewing whether the necessary corrective measures have been taken by the management;
5. As the roles and responsibilities of the Board, Executive Committee, Credit Committee and Management Committee are of high impact and high frequency, ICC needs to take special care to identify lapses, especially in:
(i) sanction and rescheduling of loans and advances, interest waiver, write-off of loans, directors' loans, large loans, etc.;
(ii) presenting the financial and non-financial position of the bank;
(iii) allowing perks, benefits, incentives etc.;
(iv) procurement and disposal of assets/services/materials;
(v) managing risks and uncertainties in the bank.
So ICC should meticulously examine the minutes and memos of Board/Executive Committee/Credit Committee/Management Committee meetings to assess whether memos were presented with proper and adequate information and whether the decisions in the minutes were carried out accordingly.

ii. Financial Reporting:
1. The audit committee will check whether the financial statements reflect complete and concrete information, and determine whether the statements are prepared according to the existing rules, regulations and standards enforced in the country and as per the relevant accounting standards prescribed by Bangladesh Bank;
2. Discuss with management and the external auditors to review the financial statements before their finalization.

iii. Internal Audit:
1. The audit committee will monitor whether internal audit is working independently of the management;
2. Review the activities and the organizational structure of internal audit and ensure that no unjustified restriction or limitation hinders the internal audit process;
3. Examine the efficiency and effectiveness of the internal audit function;
4. Examine whether the findings and recommendations made by the internal auditors are duly considered by the management or not.

iv. External Audit:
1. Review the performance of the external auditors and their audit reports;
2. Examine whether the findings and recommendations made by the external auditors are duly considered by the management or not;
3. Make recommendations to the board regarding the appointment of the external auditors.

v. Compliance with Existing Laws and Regulations: Review whether the laws and regulations framed by the regulatory authorities (the Central Bank and other bodies) and the internal regulations approved by the board are being complied with.

vi. Other Responsibilities:
1. Submit a compliance report to the board on a quarterly basis on the regularization of omissions, fraud, forgeries and other irregularities detected by the internal and external auditors and by the inspectors of the regulatory authorities;
2. The external and internal auditors will submit their related assessment reports if the committee solicits them;
3. Perform other oversight functions as desired by the Board of Directors, and evaluate the committee's own performance on a regular basis.

vii. Meetings:
1. The audit committee should hold at least four meetings in a year, and it can sit at any time as it may deem fit;
2. The committee may invite the Chief Executive Officer, the Head of Internal Audit or any other officer to its meetings if it deems necessary;
3. To ensure active participation and contribution by the members, a detailed memorandum should be distributed to committee members well in advance (at least three days) of each meeting;
4. All decisions/observations of the committee should be noted in the minutes.

3.3 Responsibilities of Senior Management (MANCOM)

In setting out a strong control framework within the organization, the role of the Managing Director/CEO is very important. The Board of Directors of the Bank/Organization will define/form a Senior Management Team (SMT)/MANCOM that should include the MD/CEO, the DMDs, the Head Office GMs and the Chief Financial Officer. Any officer who performs a policy-making function or is in charge of a principal business unit/function may be a member of the SMT/MANCOM. However, no executive of ICC/audit should be a member of the SMT/MANCOM.

The bank/organization should report the composition of the SMT/MANCOM (and any update thereto) to the Banking Regulation and Policy Department of Bangladesh Bank.

3.3.1 Functions of Senior Management Team (SMT)/MANCOM

The responsibilities of the SMT/MANCOM should include monitoring the adequacy and effectiveness of the Internal Control System based on the bank's established policy and procedures. The SMT/MANCOM will review the overall effectiveness of the organization's control system on a yearly basis and provide a yearly certification to the Board of Directors on the effectiveness of internal control policy, practice and procedure. The management will equip audit teams with adequate skilled manpower and proper IT support, as requisitioned by the ACB, for purposeful and effective audit.

The management will ensure compliance with all laws and regulations circulated by the various regulatory authorities, such as Bangladesh Bank, the Ministry of Finance, the Bangladesh Securities and Exchange Commission, etc. If, during the audit period, the present audit team finds any lapse or irregularity that was not detected or identified by the previous auditor, that will be reported to the Audit Committee.

3.3.2 Management Reporting System

• An effective internal control system requires an efficient reporting system for information that is relevant to decision making. The information should be reliable, timely, accessible and provided in a consistent format.
• Information should include external market information about events and conditions that are relevant to decision making. Internal information should include financial, operational and compliance data.
• There should be appropriate committees within the organization to evaluate the data received through the various information systems. This will ensure the supply of correct and accurate information to the management.
• Internal information must cover all significant activities of the bank. Electronic data must be secured, monitored independently and supported by contingency arrangements.
• Most importantly, the channels of communication must ensure that all staff fully understand and adhere to the policies and procedures affecting their duties and responsibilities, and that other relevant information reaches the appropriate personnel.

3.4 Role of External Auditors in Evaluating Internal Control System
• The Statutory Auditors, by dint of their independence from the management of the bank, must provide recommendations on the strengths and weaknesses of the internal control system of the bank and submit their findings in the management report.
• They can examine the records and transactions of the bank and evaluate its accounting policy, disclosure policy and the methods of financial estimation used by the Bank; this will allow the board and the management to have an independent overview of the overall control system of the bank.

3.5 Dispute Settlement
• Any unresolved issue between the SMT and ICC is to be referred to the Board of Directors through the ACB, and then to Bangladesh Bank (if needed).

ICC Related Issues

4.0 Introduction

All departments and all business lines are responsible for developing, implementing and making sure that the controls are observed and not breached. Individual departments or business lines will be vigilant and will participate fully in the internal control regime, where ICC should act as the internal watchdog of the organization. The main concern of ICC is to look after whether the bank's machinery is acting as the vanguard of its assets, its reputation and the depositors' interests. ICC will oversee whether the bank is following the regulatory guidelines and the institutional policies and procedures set by and approved by the BoD, covering the related laws of the land, and whether there is any deficiency in internal policy and procedure.

4.1 Organizational Structure/ Organogram of ICC:

4.1.1 For the smooth functioning of internal control and compliance, the department (Internal Control & Compliance, ICC) will comprise three major divisions, which are as follows:

1) Audit and Inspection
2) Audit Compliance
3) Audit Monitoring and Controlling

4.1.2 For convenience of action and effective administration, according to the nature of the bank, volume of work, number of branches (rural, urban, AD, corporate), assets involved, concentration of assets, risk involved etc., the Audit Division and the Compliance Division may be further divided into the following divisions:

1. Audit & Inspection Division-1: To carry out audit of branches/offices (non-AD and SME/Agri. branches).

2. Audit & Inspection Division-2: To carry out audit of all AD (Foreign Exchange) branches, Corporate Branches, Circle and Zonal Offices, Subsidiaries and H/O (divisions).

3. Cyber Audit & Inspection Division: To carry out specialized (IT/IS) audit, Concurrent Audit and vigilance audit.

4. Pre-Audit Division: To carry out pre-audit before making any payment, as determined by the audit committee (in consultation with the management).

5. Audit Compliance Division (Internal): To monitor the compliance activities of branches, offices and subsidiaries under internal audit.

6. Audit Compliance Division (External): To monitor the compliance activities of branches and offices under external audit (Bangladesh Bank Inspection, Commercial Audit, Statutory Audit and other Regulatory Authorities' Audit).

7. Audit Monitoring and Controlling Division:
(i) To verify the internal control system and operational activities by implementing the DCFCL (Departmental Control Function Check List), QOR (Quarterly Operation Report) and LDCL (Loan Documentation Checklist) at branch level;
(ii) To ensure timely and effective audit, including ICT audit, by the Internal Control Team;
(iii) To assist the Audit and Inspection Division in Risk Based Internal Audit by assessing department-wise risk (off-site analysis) with grading of all branches;
(iv) To prepare and submit the Self-Assessment of Anti-Fraud Internal Controls report and the Bank's Health report to Bangladesh Bank.

4.2 Structure of ICC

4.2.1 There should be a Head of ICC's secretariat, which will consist of one (1) Deputy General Manager, one (1) Assistant General Manager, two (2) Senior Principal Officers, five (5) Principal Officers, four (4) Senior Officers and two (2) non-clerical staff.

4.2.2 Each division is headed by a Deputy General Manager (DGM). Under the command of the DGMs of the different divisions of ICC, there will be 350 executives, officers and staff, as shown in the Organogram given below.

4.2.3 Transfer posting of executives, officers and staff from ICC to another division/branch/office requires the consent of the Head of ICC.

4.2.4 All the divisional heads of ICC will report to the Head of ICC. The Head of ICC, whose position would be DMD (the position may be contractual), would have a direct reporting line to the Audit Committee of the Board. [5] Thus, the Audit Committee of the Board will be the contact point for ICC. On the other hand, for administrative purposes, the Head of ICC also has a direct reporting line to the MD & CEO of the Bank.

[5] BRPD Circular No. 03 dated 08/03/2016


4.2.5 The Organogram of Internal Control and Compliance (ICC) of Agrani Bank Limited [6]

Board of Directors
  |
Audit Committee (direct reporting line of the Head of ICC)
  |
Managing Director & CEO (administrative reporting line of the Head of ICC)
  |
Head of ICC* (Contractual DMD/GM)
  |
Chief Audit Officer (Contractual GM/DGM)  |  Chief of Monitoring & Controlling Office (GM/DGM)
  |
Divisions (each under a Divisional Head, DGM):
  - Audit & Inspection Division-1 (AID-1)
  - Audit & Inspection Division-2 (AID-2)
  - Cyber Audit Division
  - Pre-Audit Division
      Subtotal (AID-1, AID-2, Cyber Audit, Pre-Audit) = 226
  - Audit Monitoring & Controlling Division (AMD)      Subtotal = 30
  - Audit Compliance Division (External) (ACDE)        Subtotal = 40
  - Audit Compliance Division (Internal) (ACDI)        Subtotal = 40
  - ICC Secretariat (DGM)                              Subtotal = 14

Total = 350

4.2.6 Manpower distribution:

Grade     AID-1  AID-2  Cyber Audit  Pre-Audit  AMD  ACD(I)  ACD(E)  ICC Secretariat  Total
DGM           1      1            1          1    1       1       1                1      8
AGM          12      8            4          1    2       2       3                1     33
SPO          18     12            8          2    3       6       6                2     57
PO           24     10           10          4    7       9       9                5     78
SO           36     20           12          3    8      12      12                4    107
Officer      12      8           10          2    8       8       7                -     55
Staff         2      2            1          1    1       2       2                1     12
Total       105     61           46         14   30      40      40               14    350

* The Head of ICC must be an FCA with 20 years of financial experience, including 5 years of banking experience in a top position.

Note: (1) HRPDOD will arrange to implement the ICC Policy according to the Organogram; (2) HRPDO will also take the initiative to include the ICC Organogram in Agrani Bank's Organogram.

[6] BRPD Circular No. 03 dated 08/03/2016

4.3 The Charter of ICC

4.3.1 The mission of ICC is to provide independent, objective assurance and advice designed to add value and improve the bank's operations. It will help the bank to accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and transparent governance processes.

4.3.2 The scope of work of the Department is to determine whether the Bank's network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner that ensures:

• Appropriate identification of risk;
• Need-based interaction with the various governance groups;
• Significant financial, managerial and operational information is accurate, reliable and timely;
• Employees' actions are in compliance with policies, standards, procedures, laws and regulations;
• Acquired resources are used economically, efficiently and adequately;
• Achievement of programs, plans and objectives;
• Fostering of quality and continuous improvement in the bank's control process;
• Appropriate recognition and addressing of legislative and regulatory issues influencing the bank.

4.3.3 Officers of ICC are authorized to:

• Have unrestricted access to all functions, records, property and personnel;
• The Head of ICC has full and free access to the Audit Committee;
• Set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish audit objectives;
• Obtain the necessary assistance of personnel in all departments of the bank where they perform audits/inspections, as well as other specialized services from within or outside the bank.

4.3.4 Officers of ICC are not authorized to:

• Initiate or approve accounting transactions other than those of the Internal Audit Department;
• Direct the activities of any Bank officer not employed by the Internal Audit Department, except to the extent such officers have been appropriately assigned to auditing teams or to otherwise assist the officers of the Department;
• Audit their own work performed in their previous Departments/Offices.

4.4 Standards of Best Professional Practices

In line with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Bank for International Settlements (BIS), the following standards, but not limited to these, should be followed:

• The internal audit function's control risk assessment, audit plans and audit programs are appropriate for the bank's activities.

• The internal audit activities have been adjusted for significant changes in the bank’s environment, structure, activities, risk exposures, or systems.

• The internal audit activities are consistent with the long-range goals and strategic direction of the bank and are responsive to its internal control needs.

• The bank has promptly responded to significant identified internal control weaknesses.

• The internal audit function is adequately managed to ensure that audit plans are met, programs are carried out, and results of audits are promptly communicated to senior management and members of the Audit Committee and full Board.

• Work papers adequately document the internal audit work performed and support the audit reports.

• The Audit Committee periodically assesses the performance of internal audit.

• The internal audit function provides high-quality advice and counsel to management and the Board on current developments in the bank's internal control policies and procedures, and in the performance of the other control functions of the bank (Risk Management and Compliance).

4.5 Head of ICC

4.5.1 As per BRPD Circular Letter No. 03 dated 08/03/2016, the Head of ICC will be responsible for reporting the Internal Control and Compliance (ICC) and monitoring activities of the bank to the Audit Committee of the Board. The rank of the Head of ICC is to be not lower than one step immediately below the CEO. Bangladesh Bank should arrange a conference of the ICC heads of all banks once a year to share their problems and experiences in discharging their responsibilities without the undue influence of others.

4.5.2 In order to work independently, the Head of ICC should be a qualified chartered accountant with more than twenty years of professional experience and must be from outside the bank.

4.6 Core Risk Management

4.6.1 Risk-based audit is a methodology that links internal auditing to an organization's overall management framework. A risk-based audit approach is designed to focus the nature, timing and extent of audit procedures efficiently and effectively, especially on those areas that have the most potential for causing material misstatements in the financial report.

4.6.2 The risk based approach requires understanding the entity and its environment in order to identify risks that may result in material misstatement of the financial report.

4.6.3 Core Risks

4.6.3.1 The auditor must always take the necessary steps to audit the core risks. Auditors must identify and evaluate whether the concerned persons/branches/offices are duly aware of the risks associated with their jobs. There are seven core risks in the banking sector. The risks are as follows:
(1) Credit Risk
(2) Asset Liability/Balance Sheet Risk
(3) Foreign Exchange Risk
(4) Internal Control & Compliance Risk
(5) Money Laundering Risk
(6) Information & Communication Technology (ICT) Risk
(7) Environmental & Social Risk

4.6.3.2 Credit Risk:

4.6.3.2.1 Credit risk arises from the potential that a bank's borrower will fail to meet its obligations in accordance with agreed terms. Credit risk also refers to the risk of negative effects on the financial result and capital of the bank caused by borrower's default on its obligations to the bank.

4.6.3.2.2 There are four credit risks: (i) risk of counterparty, (ii) loan pricing risk, (iii) operational risk, (iv) supervisory risk.

(i) Risk of counterparty: Counterparty risk, also known as default risk, is the risk that a counterparty will not pay what it is obligated to pay on a bond, credit derivative, trade credit or payment protection insurance contract, or on any other trade or transaction, when it is supposed to.

(ii) Loan pricing risk: Generally, loan pricing is done by the Head Office/Division; the Division should apply appropriate techniques and procedures.

(iii) Operational risk: Operational risk is defined as the risk incurred by a bank's internal activities: the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, fraud, legal risks, and physical or environmental risks.

4.6.3.2.3 Following are the considerations for internal auditing by ICC, i.e. whether:
• A proper borrower selection process, i.e. the 6 C's of borrower selection (Character, Capital, Collateral, Capacity, Condition, Common sense), is considered;
• The cash flow statement (cash inflow and outflow) of the borrower/party is considered;
• The market reputation of the borrower is taken into account in sanctioning the loan;
• The loan is sanctioned after observing the CIB report;
• Analysis of the balance sheet, i.e. (i) stock position, (ii) liability position, (iii) assets position, (iv) portfolio of the business etc., is done;
• Business volume is checked;
• A feasibility study of the project is done;
• Physical verification of primary and collateral security is done;
• A feasibility study was performed to assess the viability of the loan, both in respect of the bank and of the loan party (IRR, NPV, BCR analysis etc.);
• The time limit for loan sanction (as per bank policy and guidelines) is followed;
• The interest rate applied in the accounts and the sanctioned interest rate are the same;
• Loan documentation pricing/unethical expenditure is being forced on the party;
• The party is harassed for loan disbursement in the form of taking unethical financial interest;
• Proper stamping is done;
• Physical verification of the collateral security is done;
• The title deed and chain of documents are verified with the related offices;
• Teeming and lading techniques are applied;
• False transactions are identified in the account statement (material misstatement of the A/C) when observing the business solvency/capacity of the party;
• Periodic adjustments were made in the previous loan;
• Loans are sanctioned to relatives/friends outside the procedure;
• The debit summation and credit summation of the loan accounts/CD A/Cs show a healthy business position of the party;
• Loans are disbursed against fake documents;
• Loans are disbursed as per target;
• Employees are working according to their assigned duties;
• Loans are sanctioned towards an unsavory environment/business/product;
• Legal action is taken within the assigned time limit;
• The delegation of power is considered in loan sanctioning;
• Government directions, Bangladesh Bank circulars and internal circulars are followed, etc.

(iv) Supervisory risk:

Supervisory Risk is related to ensure safety, soundness and robustness of the bank. This lies with the supervision functions. In continuing to achieve a higher level of efficiency and effectiveness in performing the supervision role, the bank will conduct a holistic review of the financial supervisory and regulatory functions to ensure that the departments continue to support the achievements of the strategic results and the desired outcomes.

Bangladesh Bank has formulated a set of policy guidelines entitled "Credit Risk Management Policy" to cover the entire cycle of lending (i.e. processing, sanctioning, disbursement, implementation, monitoring and recovery).

These have formed the basis of Agrani Bank's Credit Policies and Procedures, in order to ensure that its long-term objectives are met through sound lending activities and practices, i.e. that the portfolio of credit risk exposures is diversified, secure and profitable.

4.6.3.2.4 Following are the considerations for auditing:
• The follow-up function is continued from the very beginning of loan disbursement, i.e. from the end use of the loan to its recovery;
• Borrowers are selected properly;
• Proper documentation is performed;
• Physical verification of collateral security is done;
• Physical verification of the project/business unit is carried out;
• Stock reports are obtained from time to time;
• Timely follow-up is done for the recovery of due loans;
• Physical verification is done to observe the proper utilization of every loan installment;
• Government directions, Bangladesh Bank circulars and internal circulars are followed;
• The loans and advances are audited properly, etc.

4.6.3.3 Asset Liability Risk:

4.6.3.3.1 Asset liability risk management encompasses the independent monitoring and prudential management of the financial risks relating to the bank's asset and liability portfolios, comprising market liquidity, funding, concentration and non-trading interest rate risks on the balance sheet.

4.6.3.3.2 Following are the considerations for judging asset liability risk:
• The deposit matrix is studied on the basis of the cost involved;
• Asset quality is judged for the loans disbursed;
• The advance/deposit ratio is maintained in giving loans;
• Whether the single borrower exposure limit has been crossed;
• Whether loans are disbursed within the allocated target/budget;
• Provisions for loans/other expenditures are kept properly;
• Interest suspense accounts are maintained properly;
• The reserve fund is maintained (in the case of consumer loans) as per the sanction advice;
• Government directions, Bangladesh Bank circulars and internal circulars are followed, etc.

4.6.3.4 Foreign Exchange Risk:

4.6.3.4.1 Foreign exchange risk is the current or prospective risk to earnings and capital arising from adverse movements in currency exchange rates.

4.6.3.4.2 Area of Foreign Exchange Risks:

Foreign exchange positions arise from the following activities:
• Trading in foreign currencies through spot, forward and option transactions as a market maker or position taker, including the unhedged positions arising from customer-driven foreign exchange transactions;
• Holding foreign currency positions in the banking book (e.g. in the form of loans, bonds, deposits or cross-border investments);
• Engaging in derivative transactions that are denominated in foreign currency for trading purposes;
• Assets and liabilities;
• Acceptances and endorsements: i) Letters of Guarantee, ii) Letters of Credit, iii) Bills for Collection, iv) other contingent liabilities.

4.6.3.4.3 Foreign Exchange Business Risk

Risks that occur very often in foreign exchange business:
• Risk of non-payment;
• Risk of non-delivery of goods;
• Risk of receiving sub-standard goods;
• Risk of fraud in goods;
• Risk arising out of documents.

4.6.3.4.4 Following are the considerations for assessing foreign exchange risk:
• A credit report on the buyer is obtained;
• Business relations are built with familiar business firms;
• The L/C is issued for the goods concerned;
• Advance payment is received (if possible);
• The insurance policy is taken with a reputed insurance company;
• The contract is made under Incoterms;
• Goods are transported by a reputed transport company;
• Goods are inspected by an internationally reputed inspection company at the loading point;
• The contract is made with reputed exporters/sellers;
• In case more than one transport company is engaged, PSI (pre-shipment inspection) should be imposed;
• Documents are checked as per the prescribed checklists (e.g. checklist for import and export L/C, discrepancy checklist, back-to-back L/C checklist, cautions for back-to-back L/C etc.);
• Acceptances are in accordance with common business practice;
• Government directions, Bangladesh Bank circulars and internal circulars are followed, etc.

4.6.3.5 Internal Control & Compliance Risk

4.6.3.5.1 As an institution entrusted with managing public funds, the Bank’s franchise is predicated on operating prudently, safely and within the bounds of law and other prudential guidelines that are declared from time to time. This will require that the officers and staff of the Bank are made aware of, and adhere to, these legal and policy prescriptions at all times.

4.6.3.5.2 Following are the considerations for assessing this risk:
• An effective internal control system;
• Audit clearance;
• Proper compliance with Bangladesh Bank inspections and their findings;
• Proper compliance with commercial audit objections;
• Proper compliance with internal audit findings;
• Proper compliance with any other external audit findings;
• Aging of non-compliance findings (all kinds of audit objections);
• Monitoring of DCFCL compliance properly through the controlling offices (circle, zone);
• Monitoring of QOR compliance properly through the controlling offices (circle, zone);
• Monitoring of Self-Assessment of Anti-Fraud Internal Control compliance properly through the controlling offices (circle, zone);
• Time frame of audit compliance;
• Office orders are checked and work is performed according to the delegation of work;
• Total outstanding non-compliance objections;
• Government directions, Bangladesh Bank circulars and internal circulars.

4.6.3.6 Money Laundering Risk shall include:
• Know-your-customer (KYC) policy;
• Transaction monitoring processes;
• Suspicious Transaction Reporting procedures;
• Record keeping procedures;
• Placement of Cash Transaction Reports (CTR) and Suspicious Transaction Reports (STR);
• Guidelines for training;
• Risk related to the goodwill of the Bank;
• Risk to the operational activities of the Bank;
• Legal risk: the Bank may face a legal crisis and be fined by the regulatory bodies;
• Recording all circulars of Agrani Bank Limited.


4.6.3.7 Information and Communication Technology (ICT) Risk:

4.6.3.7.1 Risks that arise out of operating information and communication technology tools.

4.6.3.7.2 Source of ICT Risk:

Organizations and their information systems and networks face security threats from a wide range of sources, including:
• Computer-assisted fraud;
• Sabotage;
• Vandalism;
• Fire or flood;
• Hacking;
• Denial of Service attacks.

4.6.3.7.3 Types of ICT Risk:

4.6.3.7.3.1 ICT risk is classified as follows:
1. Security Risk;
2. Physical Risk;
3. Operational Risk.

4.6.3.7.3.2 Security Risk:

Data and equipment should be protected from internal and external threats. Data, the most valuable asset for the Bank's operations, should be protected from intruders of any level.

To avoid fraud and forgery, data and equipment should be maintained in a secure environment. Security risk covers data, data handling, authorized users and the access control of users, external attack, hardware, and the location and positioning of hardware.

4.6.3.7.3.3 Physical Risk:

The objective is to prevent unauthorized access to, and damage of, information assets; this can be achieved by creating several physical barriers around business premises. Physical security can be breached through unauthorized entry, damage to or theft of equipment or documents, copying or viewing of sensitive information, alteration of sensitive equipment and information, etc. A secured data library should be established to preserve data cartridges, CDs, license copies of software, agreements, etc.

4.6.3.7.3.4 Operational Risk (procedures of ICT Audit):

• The Bank’s Internal Control and Compliance unit/Division should be well equipped with policy support and adequate manpower, including IT-skilled personnel, for preventing and detecting fraud/forgery in computer-operated branches.
• The ICT auditor prepares audit scopes, reports findings, presents recommendations and coordinates with various departments to create remediation plans for deficiencies found during audit.
• Performs risk assessment, general controls and application controls oversight and review to ensure compliance with the Bangladesh Bank ICT Guideline and the Bank’s internal ICT security policy.
• Development and updating of the internal ICT audit checklist.
• Periodically visits key ICT installations in the data center/disaster recovery site, branches and head office.
• Conducts ICT audit periodically to ensure compliance.
• Ensures that Government directions, Bangladesh Bank circulars and internal circulars are followed.

4.6.3.8 Environmental & Social Risk:

4.6.3.8.1 Environmental risks: Environmental risk is a facilitating element of credit risk arising from environmental issues. This can be due to environmental impacts that are caused by, and/or arise from, the prevailing environmental conditions. It increases risk because it brings an element of uncertainty or possibility of loss into a financing transaction.

4.6.3.8.2 Social risks: The bank has to provide a safe and healthy working environment for its employees. If it does not, there is a possibility of accidents, injury and death, and of exposure to occupational health issues. Apart from occupational health and safety issues, there are other social issues that tend to combine to create unhealthy conditions.

4.7 Inspection Concluding Meeting (Account Finalization)- Finalization Of Quick Summary Report / Annual Accounts

4.7.1 In line with Section 38 of the Banking Companies Act-1991 (revised up to date), banks have to finalize their annual account statements.

4.7.2 In compliance with the BB Circular dated 29/07/2012, the Bangladesh Bank Inspection Team has to finalize those observations that need to be reflected in the bank’s concurrent financial statements. To ensure that the external auditor reflects the issue(s) in line with the inspection observations, there should be a meeting between the external auditor and the management of the bank in the presence of the Bangladesh Bank Inspection Team.


4.8 Special Board Meeting On Compliance Of Annual Inspection Report Of Bangladesh Bank [7]

4.8.1 To bring the Bangladesh Bank inspection observations and compliance thereof to the knowledge of the Board of Directors, banks were advised to arrange a Board meeting in the presence of Bangladesh Bank inspection officials and management of the bank, as per the instruction contained in DBI-2 Circular No-01 dated 12/03/2009.

4.8.2 In such a meeting the external auditor should remain present.

4.9 Liaison Meeting [8]

To ensure regular compliance, Bangladesh Bank inspection departments may ask the bank to participate quarterly and explain its position on relevant issues, such as timely compliance and material changes in operational and portfolio matters, in line with the instructions contained in DBI-2 Circular Letter No- BaPawBI-2/ubi-1/Circular No-01 dated 27 December 2010.

4.10 Shariah Based Audit :

At present, Shariah-based audit is not performed in ABL; normal audit is performed instead, because the Islamic Banking Wings are not yet established as separate bank branches. Shariah-based audit will be introduced in the near future, when the wings are established as full-fledged ABL Islamic Bank Branches.

[7] Bangladesh Bank, DBI-2 Circular No-01 dated 12/03/2009.

[8] DBI-2 Circular Letter No- BaPawBI-2/ubi-1/Circular No-01 dated 27 December 2010.


Internal Audit Charter

4.11 Chief Audit Officer / Head of Audit

The Chief Audit Officer / Head of Audit shall report directly to the Head of ICC. The Head of Audit may hold the rank of GM and would be a contractual professional auditor from outside the bank, for independent auditing/inspecting.

4.12 Role and Responsibilities of Internal Auditors

4.12.1 Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

4.12.2 The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter consistent with the Auditing Standards and approved by the Audit Committee of the Board. The Internal Audit Charter of the bank defines the purpose, authority and responsibility of the Internal Audit Department. The internal audit activity should be independent and objective.

4.13 Auditors' Ethics & Qualifications:

4.13.1 Auditors' Qualifications:

4.13.1.1 General Auditor: partly qualified Chartered Accountant / partly qualified CMA, or MBA / Masters with a commerce background, preferably also having banking knowledge.

4.13.1.2 IT Auditor: CISA qualified, B.Sc. in Computer Science, with relevant software and hardware knowledge and preferably banking knowledge.

4.13.1.3 Other general requirements: a) Persons punished for a major offence and persons under disciplinary proceedings must not be posted in ICC. The track record of officers is to be checked and maintained before posting them in ICC.

b) ICC people should have thorough professional knowledge and banking experience, with a good academic background.

c) Auditors posted in ICC should serve there for at least five (5) years, and every officer of ABL should be posted to ICC at least once during his/her service tenure.

d) Transfer/posting of ICC executives requires the consent of the Head of ICC.

4.13.2 Internal Auditors' Ethics:

4.13.2.1 Internal auditors should be bold, honest and truthful.

4.13.2.2 These qualities are the basis for trust in the internal auditor's professional judgment.

4.13.2.3 Internal auditors should keep strict confidentiality of information found during audit.

4.13.2.4 Internal auditors should not use such information for personal gain or malicious action and are responsible for protecting it.

4.13.2.5 The Head of Internal Audit and all internal auditors should avoid conflicts of interest.

4.13.2.6 Internal auditors should abide by the bank’s code of ethics, which should address the principles of objectivity, competence, confidentiality and integrity.

4.14 Appraisal of ICC Officials

4.14.1 The Chairman of the Audit Committee of the Board will appraise the Head of ICC.

4.14.2 The Head of the Compliance and Monitoring Division is to be appraised by the Head of ICC primarily and by the Senior Management/Managing Director and CEO finally.

4.14.3 The Head of ICC and the Chairman of the Audit Committee will appraise the Chief Audit Officer / Head of Audit of the Bank.


4.15 Training and Development:

Training is a proven and effective instrument for human resources development. It plays a key role in developing the knowledge and skills needed to keep pace with the changes taking place all around and with ever-developing technology, and it works as a catalyst for attitudinal change. For this purpose, all executives/officers/staff of the ICC should be provided with appropriate and advanced training.

4.16 Training (In-house / other institutional):

The HR Training, Research & Development Division of Agrani Bank Limited conducts various training programs for Executives/Officers/Staff to develop their risk-based efficiency so that they can apply their knowledge and experience in the bank regularly. By being apprised of developments in their areas of responsibility, they are expected to develop the skills necessary to perform their functions effectively. The HR Training, Research & Development Division provides the following trainings:

1. Internal Control and Compliance Risk Management
2. Internal Audit Compliance
3. Internal Control Audit in Bank
4. Risk-Based Internal Audit
5. Agri Financing & Recovery
6. Credit Risk Grading
7. Compliance of Bangladesh Bank Inspection
8. Compliance of Commercial Audit Objections
9. Any other relevant issues

4.17 Abroad Training:

To keep pace with the changes taking place all around the globe and ever developing technology, Executives and Officers should be sent abroad to attend various training courses, workshops, seminars, conferences and symposia to acquire updated knowledge of modern banking.

4.18 Job Rotation:

a) Job Rotation within ICC:

Every auditor audits year after year until transferred from the Audit and Inspection Division to other divisions or branches. Nevertheless, if an auditor audits the same branch or division three times or more, he may exert undue influence or be biased by financial interest. Moreover, if the same auditor continues to audit a branch or division, he may become subject to familiarity, financial or review threats, and will not be able to audit independently or fairly. The Chief Audit Officer will consider these circumstances before forming an audit team and must compose audit teams by rotation. The Head of ICC will effect rotation among the divisions within the ICC.

b) Job Rotation within the Bank:

By rotating jobs in a branch, office or division, the manager/head of the office will be able to check fraud and forgery, maintain the development of expertise and increase the accountability of the organization, so that daily assignments are done properly.

The auditors will observe the job rotation in every branch, office or division during the period of audit. If the branch manager/Zonal head needs his/her branch audited on a special issue, he/she will request the Head of ICC to conduct a special audit.

4.19 Mandatory leave (criteria):

1. The management will sanction mandatory leave at any time as required; no time limit will apply in this case.
2. This leave cannot be claimed.
3. The leave sanction can only be changed by the management; the employee cannot claim an alteration.
4. There will be no monetary grant such as 01 (one) month’s basic salary.

4.20 Recreational Leave (criteria):

1. Employees are entitled to 15 (fifteen) days of recreational leave after every 03 (three) years.
2. There will be a monetary grant such as 01 (one) month’s basic salary.
3. It requires the approval of the management and the provision of a proper replacement.
4. It can be claimed and changed.


Internal Audit Manual

5. Audit

Audit includes an examination of the books of accounts and other documents relating to the receipts and expenditure of the government, statutory public authorities and public enterprises, with a view to ensuring that the rules and orders framed by the competent authority in regard to financial matters have been followed, that sums due have been properly assessed, realized and brought to account, that assets have been properly utilized and safeguarded, and that the accounts truly represent the facts.

5.1 Objectives / Purpose of Audit:

The broad aim of Agrani Bank Limited audit is to safeguard the interest of the State and to promote transparency and accountability, along with sound economic and financial management practices. Towards that broad aim, the auditors’ objectives are to give an independent assessment of:

i) Whether the statements of accounts show a true and fair view of the financial position of the audited body and its income and expenditure for the year in question, and have been properly prepared in accordance with the appropriate rules and regulations;
ii) The adequacy of the audited body’s arrangements to secure economy, efficiency and effectiveness in the use of resources;
iii) The adequacy of the audited body’s financial management systems;
iv) The adequacy of the audited body’s arrangements for preventing and detecting fraud and corruption, and the internal control framework generally;
v) The adequacy of the audited body’s arrangements for ensuring the legality of transactions that might have a financial consequence;
vi) The adequacy of the audited body’s arrangements for collecting, collating and recording accounting data and publishing financial statements and reports pursuant to the appropriate rules and regulations.


5.2 Auditors’ Rights: The auditor should have the following rights:

(1) The right of access at all times to the bank’s books of account, documents and vouchers.
(2) The right to require from the officers of the bank such information and explanation as the auditor considers necessary for the performance of his duties.
(3) The right to inquire into particular issues regarding loans and advances, transactions represented merely as book entries, sale of securities, treatment of personal expenses and share allotment.
(4) Reporting to the members.
(5) Visiting branches and accessing the branch accounts.
(6) Signing the audit report.
(7) Receiving remuneration and allowances.
(8) Posting of ICC staff requires the consent of the Head of ICC.

5.3 Responsibilities of the Auditors:

The responsibilities of internal auditors are as follows:

(i) Evaluate and provide reasonable assurance that risk management, control and governance systems are functioning as intended and will enable the organization’s objectives and goals to be met;
(ii) Report risk management issues and internal control deficiencies identified directly to the audit committee, and provide recommendations for improving the organization’s operations in terms of both efficient and effective performance;
(iii) Evaluate information security and associated risk exposures;
(iv) Evaluate regulatory compliance;
(v) Evaluate the organization’s readiness in case of business interruption;
(vi) Maintain open communication with management and the audit committee;
(vii) Provide support to the bank's anti-fraud programs;
(viii) Prepare the Branch Audit Rating (using the specific format), where the branch is rated Excellent, Very Good, Good, Satisfactory or Poor according to the score obtained by the branch.

5.4 Auditors’ Punishment

5.4.1 During the audit period, if the present audit team finds any lapses or irregularities which were not detected or identified by the previous auditor, these will be reported to the Head of ICC and the MD & CEO of the Bank for punitive action against the auditor(s) concerned.

5.4.2 If the regulator finds any fraud in a branch that Internal Audit was unable to detect during its audit period, management will take disciplinary action against the auditor(s) as per the banking rules and regulations as well as the bank’s own rules.

5.5 Basic principles to be followed by the auditors:

The auditor should comply with the Code of Ethics regarding professionalism. Ethical principles governing the professional responsibilities are:

• Independence;
• Integrity: honesty, truthfulness, straightforwardness, reliability;
• Objectivity: impartiality, independence, neutrality;
• Confidentiality;
• Professional competence and due care;
• Professional behavior; and
• Technical standards.

5.6 Types of Audit:

1. Internal Audit
2. External Audit
   i) Chartered Accountancy Firms Audit
   ii) Government Commercial Audit
   iii) Bangladesh Bank Inspection
   iv) Functional Audit


5.7 Internal Audit

5.7.1 Definition of Internal Audit:

Internal Audit is the process, effected by a company's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws, regulations and internal policies.

[9] Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. They ensure compliance with laws and regulations and accurate and timely financial reporting and data collection, as well as helping to maintain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.

5.7.2 Principles of Internal Audit

A. Supervisory expectations relevant to the internal audit function

Principle 1 : An effective internal audit function provides independent assurance to the board of directors and senior management on the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes, thereby helping the board and senior management to protect their organization and its reputation.

Principle 2 : The Bank’s internal audit function must be independent of the audited activities, which requires the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their assignments with objectivity.

Principle 3 : Professional competence, including the knowledge and experience of each internal auditor and of the internal auditors collectively, is essential to the effectiveness of the bank’s internal audit function.

Principle 4 : Internal auditors must act with integrity and diligence.

[9] https://www.investopedia.com/terms/i/internalaudit.asp

Principle 5 : The bank should have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank in a manner that promotes an effective internal audit function as described in principle-1.

Principle 6 : Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the internal audit function.

Principle 7 : The scope of the internal audit function’s activities should ensure adequate coverage of matter of regulatory interest within the audit plan.

Principle 8 : The bank should have a permanent internal audit function, which should be structured consistent with principle-14 when the bank is within a banking group or holding company.

Principle 9 : The Bank’s board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains adequate, effective and efficient internal control system and, accordingly, the board should support the internal audit function in discharging its duties effectively.

Principle 10 : The Audit committee, or its equivalent, should oversee the bank’s internal audit function.

Principle 11 : The head of the internal audit department should be responsible for ensuring that the department complies with sound internal auditing standards and with a relevant code of ethics.

Principle 12 : The internal audit function should be accountable to the board, or its audit committee, on all matters related to the performance of its mandate as described in the internal audit charter.

Principle 13 : The internal audit function should independently assess the effectiveness and efficiency of the internal control, risk management and governance system and process created by the business units and support functions and provide assurance on these systems and processes.

Principle 14 : To facilitate a consistent approach to internal audit across the banks within a banking organization, the boards of directors of banks within a banking group or holding company structure should ensure that either:

i) The bank has its own internal audit function, which should be accountable to the bank’s board and should report to the banking group or holding company’s head of internal audit; or
ii) The banking group or holding company’s internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and legal responsibilities.

Principle 15 : Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for the internal audit function.

B. The relationship of the supervisory authority with the internal audit function

Principle 16 : Supervisors should have regular communication with the bank’s internal auditors to:

i) Discuss the risk areas identified by both parties;
ii) Understand the risk mitigation measures taken by the bank; and
iii) Monitor the bank’s response to weaknesses identified.

C. Supervisory assessment of the internal audit function

Principle 17 : Bank supervisors should regularly assess whether the internal audit function has sufficient standing and authority within the bank and operates according to sound principles.

Principle 18 : Supervisors should formally report all weaknesses they identify in the internal audit function to the board of directors and recommend remedial actions.

Principle 19 : The supervisory authority should consider the impact of its assessment of the internal audit function on its evaluation of the bank’s risk profile and its own supervisory work.

Principle 20 : The supervisory authority should be prepared to take informal or formal supervisory actions requiring the board and senior management to remedy any identified deficiencies related to the internal audit function within a specified time frame and to provide the supervisor with periodic written progress reports.


5.7.3 Reporting:

[10] Internal audit reporting always includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings and suggestions for improvements to internal controls and control procedures.

5.7.3.1 The Head of ICC reports directly to the Audit Committee of the Board. Different divisions of the bank have existing MIS; on the basis of MIS reports, management takes its decisions for the smooth operation of the bank. The reporting structure for ICC depends upon the size and complexity of the business.

5.7.3.2 The Audit Division will prepare a report on each individual inspection/audit program within 15 days (except for items that need to be escalated immediately) and submit it to the branch/business unit for rectification, with a copy to the Head of ICC.

5.7.3.3 For low and medium risk items, findings will be reported to the Control Office for rectification.

5.7.3.4 For high-risk items findings will be reported to the MD/CEO and the Audit Committee of the Board.

5.7.3.5 ICC will prepare an annual report on the health of the Bank to be submitted to the Board of Directors under supervision of Audit Committee for onward submission to Bangladesh Bank.

5.7.3.6 At the end of the year there should be a summary report on the audit findings and corrective actions taken which should be forwarded to the Audit Committee of the Board and the Managing Director simultaneously.

[10] https://www.investopedia.com/terms/i/internalaudit.asp


5.7.4 Importance of internal audit:

5.7.4.1 To be effective, Internal Audit should provide three types of services (PPC), viz. preventive, protective and curative:

(i) In its preventive role, it forewarns the management of an adverse situation in advance;
(ii) In its protective role, it protects the management by bringing deficiencies to its notice in advance, before the external auditors point them out; and
(iii) In its curative role, it suggests remedial measures, thereby acting as a catalyst for change and action.

5.7.4.2 [11] Internal auditing provides insight into an organization’s culture, policies and procedures, and aids board and management oversight by verifying internal controls such as operating effectiveness, risk mitigation controls, and compliance with any relevant laws or regulations.

5.7.4.3 Internal audit programs are critical for monitoring and assuring that all business assets have been properly secured and safeguarded from threats. They are also important for verifying that business processes reflect the documented policies and procedures. Here are five reasons why Internal Audit is important:

(1) Provides Objective Insight

By providing an independent and unbiased view, the internal audit function adds value to the organization.

(2) Improves Efficiency of Operations

By objectively reviewing the organization’s policies and procedures, the organization can receive assurance that it is doing what its policies and procedures require, and that these processes are adequate in mitigating its unique risks. By continuously monitoring and reviewing processes, internal audit can identify control recommendations to improve the efficiency and effectiveness of these processes. In turn, this allows the organization to depend on process rather than on people.

(3) Evaluates Risks and Protects Assets

An internal audit program assists management and stakeholders by identifying and prioritizing risks through a systematic risk assessment. A risk assessment can help to identify any gaps in the environment and allow a remediation plan to take place. An internal audit program will help to track and document any changes made to the environment and ensure the mitigation of any risks found.

[11] https://kirkpatrickprice.com/blog/5-reasons-why-internal-audit-is-important/

(4) Assesses Controls

Internal audit is beneficial because it improves the control environment of the organization by assessing efficiency and operating effectiveness. Are the controls fulfilling their purpose? Are they adequate in mitigating risk?

(5) Ensure Compliance with Laws and Regulations

By regularly performing internal audits, the organization can ensure compliance with all relevant laws and regulations. Internal audit can also provide peace of mind that the organization is prepared for the next external audit. Gaining trust and avoiding the costly fines associated with non-compliance make internal audit an important and worthwhile activity for the organization.

5.8 External audit:

5.8.1 Role of External Auditors in evaluating the internal control system:

a) External auditors, by dint of their independence from the management of the bank, can provide unbiased recommendations on the strengths and weaknesses of the internal control system of the bank.

b) They can examine the records, transactions of the bank and evaluate its accounting policy and methods of financial estimation made by the bank; this will allow the board and the management to have an independent overview on the overall control system of the bank.

5.8.2 Types of External audit:

5.8.2.1 Statutory Audit: When more than one Chartered Accountant firm is appointed by the Ministry of Finance (Finance Division) Banking Wing, from the enlisted/qualified list of Bangladesh Bank, for a maximum period of three (03) years to conduct the audit, it is called statutory/external audit.

5.8.2.2 Commercial Audit: Government Commercial Audit is another external audit, which is conducted by government auditors through the CAG Office. The Commercial Audit Directorate is the authority for this audit because its auditing areas are all public sector entities and state-owned enterprises (SOEs), including nationalized commercial banks (NCBs) and financial institutions, autonomous and semi-autonomous bodies, and public holding companies.

5.9 Concurrent audit in Agrani Bank Limited:

5.9.1 The role of concurrent audit has become very crucial and important for the bank in discharging its duties properly and efficiently, particularly for the timely detection of irregularities and lapses, which helps in minimizing irregularities as well as preventing fraud.

5.9.2 In ABL, auditors of ICC will be deputed in Central Accounts Division, Principal Branch and 9 (Nine) big corporate branches for performing concurrent audit.

5.9.3 One auditor having accounting background at the rank of Assistant General Manager with another two auditors will be deputed in Central Accounts Division, one Assistant General Manager with two experienced auditors in Principal Branch and one Assistant General Manager with two experienced auditors in each big Corporate Branch as follows:

Office                         Auditors deputed
Central Accounts Division      1 AGM, 2 Auditors
Principal Branch               1 AGM, 2 Auditors
Big Corporate Branch (each)    1 AGM, 2 Auditors

5.9.4 TOR of Concurrent audit:

Concurrent auditors will constantly check and verify errors, fraud, forgery and inefficiencies in daily transactions and activities, i.e. vouchers, documents and approvals, to ensure compliance with the rules and regulations, policies and procedures issued by both the bank and the regulators.

The following steps are to be followed for auditing:

• Every expenditure-related financial transaction.
• Pre-sanction activities:
  - The loan application in the prescribed form is duly filled in with sufficient information.
  - The loan appraisal is proper.
  - The legal opinion is favorable.
  - The value of collateral is sufficient.
  - Other relevant papers are collected.
• Documentation:
  - Charge documents are obtained as per the sanction advice.
  - The mortgage is proper.
• In case of installment-basis loans:
  - Utilization of every installment is duly verified.
• Voucher checking:
  - Daily vouchers are checked by the respective/assigned officer(s) against the computer-generated print.
• General banking activities.
• Foreign Exchange / Foreign Trade activities:
  - Requisite papers are obtained for L/Cs.
  - L/C documents are tallied with the SWIFT message.
  - Funded and non-funded loan activities.
  - L/C approval process.
• The concurrent auditors will act as the back office of the respective Branch/Division.

5.9.5 Reporting of Concurrent Auditors

Concurrent auditors will report monthly to the branch manager / CFO / head of the division and to the Head of ICC. In the case of major lapses, the auditors will report immediately to the reporting authorities.

5.10 Lapses

5.10.1 Lapses arise from any kind of irregularity, misstatement or non-compliance with the bank's existing policies and procedures or with the law of the land, through which the bank may incur financial loss. Non-compliance with existing policies and procedures may cause no immediate financial loss, but it can still erode the bank's reputation. Any malpractice in banking, or misuse of office or of the bank's funds, is likewise defined as a lapse.

5.10.2 Types of Lapses:

In Agrani Bank Limited the auditors are instructed to classify irregularities (Annexure-E) into three groups: (1) Minor Irregularities (MI); (2) Major Lapses (ML); (3) Serious Lapses (SL).


5.10.2.1 Minor Irregularities (MI):

• Minor irregularities are ordinary lapses.
• They do not involve any major potential risk or loss for the Bank.
• A minor irregularity occurs through the ordinary carelessness of an employee.
• Auditors should try to rectify these irregularities on the spot as far as possible and follow up with the branch Manager until final rectification.

5.10.2.2 Major Lapses (ML):

• Major lapses are lapses or irregularities, committed intentionally or unintentionally, that violate the rules, regulations and laws set out by the regulatory authority and for which the Bank faces potential financial risk at present or in the immediate future.
• These lapses require quick action to safeguard the Bank's interest.

5.10.2.3 Serious Lapses (SL):

• Serious lapses are lapses that have already occurred and from which the bank has been suffering, or is about to suffer, financial loss.
• The following are included in Serious Lapses:
  (a) fraud and forgery in any transaction;
  (b) any irregularity that indicates a chance of loss, or a chance of manifold potential loss, in the near future;
  (c) any irregularity or lapse that requires instant/immediate administrative action by the higher authorities.


5.11 Punishment:

5.11.1 Punishment is the action taken by the management of the bank against employees of Agrani Bank Limited for lapses/offences committed.
5.11.2 Punishable offences are activities for which higher management considers administrative action necessary.
5.11.3 The auditor should determine the level or quantum of the lapse/offence and report it to higher management, including the Head of ICC.

5.12 Reward / Incentive for Auditors:

Auditors will be rewarded for extraordinary work during the audit period, such as identifying frauds or forgeries that save the bank from large financial losses. In such cases the auditors will be eligible for a reward/incentive from the bank. Both the auditors and the bank benefit financially when such a reward/incentive system is in place.

5.13 System Audit Software:

Banking is now a highly automated, IT-driven service sector. To keep pace with international standards, Agrani Bank Limited runs the real-time online core banking software T-24. Online processing is faster and supports fair transactions, but it also increases risk day by day. The bank therefore needs system audit software.

5.14 Wrap-up Meeting after Internal Audit

During the audit, some irregularities are to be rectified on the spot, and the audit team must emphasize the rectification of errors or omissions noted in the report. Accordingly, on the closing day of the audit there must be a meeting with the head of the Branch/Office, at which the objections raised by the auditors during the audit period are discussed. If the branch/office can satisfy the auditor, the objection may be settled by consensus; unsettled objections are carried into the audit report. All audit objections raised are thus disclosed to the Branch Management in the wrap-up meeting.


Risk Based Internal Audit Manual


6. Risk Based Internal Audit

6.1 Risk Based Internal Audit (RBIA) [12] is an internal audit methodology that focuses primarily on the inherent risk in the activities or systems audited and provides assurance that risk is being managed by management within the defined risk appetite. It builds on management's risk management framework and seeks at every stage to reinforce the responsibility of management and the Board of Directors for managing risk.

6.2 Risk based internal audit is conducted by the internal audit department of ICC to support the Bank's risk management function by providing assurance about risk mitigation.

6.3 RBIA allows internal audit to provide assurance to the Audit Committee of the Board that the risk management processes are managing risks effectively, in relation to the risk appetite.

6.4 As per Section 15 (ga) of the Bank Company Act, 1991, the Audit Division of ICC should be independent of, and free from, the other units of the bank. It will act independently, without influence from Management.

6.5 Audit Procedure

6.5.1 Each year the Audit Division of ICC will set out a risk based audit plan for the year. This is a high-level plan, to be approved by the Audit Committee of the Board.
6.5.2 It is a risk-based plan in which sensitive areas are identified and given priority.
6.5.3 Deficiencies identified during audits should be notified to the appropriate level, and significant audit findings should be reported to the Audit Committee of the Board.

12 https://en.wikipedia.org/wiki/Risk_based_internal_audit


6.5.4 At the end of the year there should be a summary report on the audit findings and the corrective actions taken, forwarded to the Audit Committee of the Board and to the Managing Director & CEO of the Bank.
6.5.5 Based on the review of monitoring reports, the audit team should also conduct surprise checks on branches where gaps are identified regularly.

[Figure omitted; source: footnote 13]

6.6 Preparation of Risk Based Audit Plan:

6.6.1 The Audit and Inspection Division (AID) of Agrani Bank Limited will prepare a plan for all the audit assignments to be performed.
6.6.2 The risk based audit plan includes the timing and frequency of planned internal audit work, as set by the Board/Audit Committee and by regulatory guidelines.
6.6.3 The audit plan should include the rationale for the audit work planned. It should cover all risk areas and their prioritization based on the level and direction of risk. The AID will prepare:

13 rbiapractical-approachiasbernaculam10022016-160218074540%20.


(1) The annual audit plan covering all branches/activities of the bank to be audited in an audit cycle.
(2) The risk based audit plan for the audited branch/activity.
(3) The off-site risk assessment, which forms the basis for preparing the audit plan.

6.7 Prioritization for audit: the priority for audit work is determined by the off-site risk assessment. Audit resources are given first to the branches showing the highest level of risk. Since both the magnitude and the frequency of risk must be taken into account, use of the Risk Audit Matrix shown below is advocated.

Risk Audit Matrix (rows: Magnitude of Risk (M); columns: Frequency of Risk (F))

Magnitude \ Frequency   Low F               Medium F               High F
High M                  High M & Low F      High M & Medium F      High M & High F
Medium M                Medium M & Low F    Medium M & Medium F    Medium M & High F
Low M                   Low M & Low F       Low M & Medium F       Low M & High F

Priority for audit work should be given to branches/areas having:
1. High Magnitude and High Frequency
2. High Magnitude and Medium Frequency
3. Medium Magnitude and High Frequency
4. High Magnitude and Low Frequency
5. Medium Magnitude and Medium Frequency

(Risk Audit Matrix source: footnote 14)

14 https://cplusglobal.wordpress.com/2014/04/15/audit-risk-model/


[Figure omitted; source: footnote 15]

6.8 Risk Based Internal Audit Methodology

[Figure omitted: Risk Based Internal Audit Methodology; source: footnote 16]

6.9 Formation of audit team:

6.9.1 Forming the audit team is a very important task. An audit team will be formed from auditors with all-round banking knowledge: general banking, loans and advances, foreign exchange, money laundering, treasury functions and other banking procedures; the team must obviously also have ICT knowledge.

6.9.2 The formation of the audit team is stated below.

15 http://www.mortgagecompliancemagazine.com/risk-management/best-practices-establishing-cost-effective-internal-audit-function/
16 http://crossoverbrazil.blogspot.com/2018/03/simplifying-application-of-risk-based.html

Team and Working Day Plan (TAWDP)

SL | Branch / Office | No. of branches | Team leader (designation, no.) | Loan & Advance auditors | Foreign Exchange auditors | General Banking auditors | Team size | Days | Frequency per year | Man-days per year
1 | Principal Branch | 1 | DGM, 1 | 3 (Industrial Credit AGM/SPO-2; CC AGM/SPO-2; GHBL & other AGM/SPO-1) | Import-Export AGM/SPO-1; other AGM/SPO-1 | Staff AGM/SPO-2 and others | 12 | 30 | 2 | 720
2 | 9 Corporate Branches | 9 | DGM/AGM, 1 | 2 (AGM/SPO-2) | AGM/SPO-2; other SPO-1 | AGM/SPO-2 | 7 | 14 | 2 | 1764
3 | Other Corporate Branches | 17 | AGM, 1 | 2 (SPO-1, PO-1) | SPO-1 | 1 (incl. loans & advances) | 5 | 9 | 1 | 765
3 | AD Branches | 13 | AGM, 1 | 2 (SPO-1, PO-1) | SPO-1 | 1 (incl. loans & advances) | 5 | 7 | 1 | 455
3 | Main Branches (district level) | 49 | AGM, 1 | 2 (SPO-1, PO-1) | - | | 5 | 6 | 1 | 1470
4 | A Grade Branches | 299 | AGM, 1 | 1 (SPO/PO) | - | | 3 | 6 | 1/2 | 2700
5 | B Grade Branches | 192 | SPO, 1 | 1 | 1 | - | 3 | 5 | 1/2 | 1440
5 | C Grade Branches | 129 | SPO/PO, 1 | 1 | 1 | - | 3 | 4 | 1/2 | 780
6 | D Grade & New Branches | 212 | SPO/PO, 1 | 1 | 1 | - | 3 | 3 | 1/2 | 954
7 | Head Office Divisions, Circle Offices, Zonal Offices | 105 | DGM/AGM, 1 | 2 (overall operation) | - | | 3 | 2 | 1 | 630
8 | Islami Windows | 5 | DGM/AGM, 1 | 2 (overall operation) | - | | 3 | 3 | 1/2 | 27
9 | Agrani Exchange House Pvt Ltd / subsidiary companies | 6 | GM/DGM/AGM, 1 (overall operation) | - | - | | 1 | 4 | 1/2 | 12
Total | | 1037 | | | | | | | | 11717

6.10 Control Risk Assessment

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of its occurrence. Effective risk assessment must identify and consider both internal and external factors.


6.10.1 Assessing Business and Control Risk

6.10.1.1 Internal factors: (i) complexity of the organization structure; (ii) the nature of the Bank's activities; (iii) the quality of personnel; (iv) organizational changes; (v) employee turnover.

6.10.1.2 External factors: (i) fluctuating economic conditions; (ii) changes in the industry; (iii) socio-political realities; (iv) technological advancement; (v) changes in rules and regulations.

6.11 Risk Model Construction.

6.11.1 Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. Audit risk has three components: inherent risk, control risk and detection risk.

6.11.2 Control risk: the risk that a material misstatement would not be prevented, detected or corrected on a timely basis by the accounting and internal control systems; for example, practices in banking operations that are not backed by law or established procedures.

6.11.3 Detection risk: the risk that the auditor's substantive procedures will not detect a misstatement that exists in an account balance or class of transactions and that could be material, individually or when aggregated with misstatements in other balances or classes.

6.11.4 Inherent risk: the susceptibility of an account balance or class of transactions to misstatement that could be material, individually or when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls.

The components combine multiplicatively (the standard audit risk model):

Audit risk = Risk of material misstatement × Detection risk
Risk of material misstatement = Inherent risk × Control risk

i.e. Audit risk = Inherent risk × Control risk × Detection risk. For a given acceptable level of audit risk, the higher the assessed inherent and control risk, the lower the detection risk the auditor can accept and the more substantive testing is required.

6.12 Risk Recognition & Assessment

6.12.1 An effective internal control system continually recognizes and assesses all of the material risks that could adversely affect the achievement of the bank’s goals.

6.12.2 Effective risk assessment must identify and consider both internal and external factors. Internal factors include the complexity of the organization structure, the nature of the Bank's activities, the quality of personnel, organizational changes and employee turnover. External factors include fluctuating economic conditions, changes in the industry, socio-political realities and technological advances.

6.12.3 Risk assessment by the internal control system differs from the business risk management process, which typically focuses more on reviewing the business strategies developed to maximize the risk/reward trade-off within different areas of the bank. Risk assessment by internal control focuses more on compliance with regulatory requirements and on the social, ethical and environmental risks that affect the banking industry.

6.13 Risk Analysis of Control Functions

6.13.1 Individual items in the Departmental Control Functions Check List (DCFCL) need to be assigned a risk rating in terms of the following dimensions: a. Business Risk; b. Control Risk.
6.13.2 Risk Assessment Matrix: a comprehensible list based on quantifiable business and control parameters, which should be commonly available across Agrani Bank Limited.
6.13.3 This is a technique that brings risk orientation to the audit approach. To identify risk, the risk based auditor obtains a thorough understanding of the bank's controls, financial condition, sources of revenue and expenditure, competition, and the other factors that affect or may affect the banking business.

6.14 Steps in adopting Risk Based Internal Audit (RBIA):

6.14.1 RBIA is adopted in Agrani Bank Limited through the following steps.

6.14.1.1 Step 1: An overview of the existing risk profile of the bank. Risk management involves the identification, measurement, pricing, monitoring, control and mitigation of risks. For the purpose of RBIA, risks may be grouped into two categories:
1. Inherent Business Risks: the intrinsic risk in a particular area of the bank's activity before considering internal controls, e.g. credit risk, market risk, operational risk, liquidity risk, group risk, etc.
2. Control Risk: risk arising from inadequate control systems, deficiencies or gaps, and/or likely failures in the existing control processes, e.g. management risk, compliance risk, etc.

Going through the records of branch inspections is very helpful in giving correct weightage to the different risks in the risk assessment formats, and it leads the organization to work in the same direction for improving the risk profile of the branch.

6.14.1.2 Step 2: Risk assessment.

The RBIA guidance note states that risk based internal audit should undertake risk assessment solely for the purpose of formulating the risk based audit plan. Risk assessment has to be carried out at two stages:
1. Off-site: for formulation of the audit plan; and
2. On-site: during the course of the audit.

6.15 Development of formats for risk assessment:

The inherent business risks are to be assessed together with the efficiency and effectiveness of the controls in place to manage them. The overview of the existing risk profile of the Bank is a major input for the various risk assessment parameters and their weightage in the total score. Both quantitative and qualitative information is used for risk assessment; the format has been upgraded to carry both, and it incorporates the magnitude (value) of breaches when assessing the weightage.

Individual items in the Departmental Control Function Checklists (DCFCL) are assigned a risk rating by awarding scores. Scores derived from the DCFCL checklists are divided between, and added up in, the two risk assessment formats (Inherent Business Risk and Control Risk).

6.16 Risk assessment of Branch as a whole:


The levels of inherent business risk and control risk of the branch are assessed separately as Low/Medium/High. The direction of inherent business risk and of control risk is determined separately, and the direction of the branch's composite risk is identified as Increasing/Decreasing/Stable. This results in a risk assessment rating (RA rating) for the branch, using the parameters depicted in Figure 1.

Figure 1. Risk assessment parameters

1. Business Risks
A. Credit Risk
   1 Portfolio quality and composition
   2 Pre-sanction credit process
     a) Quality of appraisal
     b) Quality of assessment
     c) Sanction
     d) Organizational structure for managing credit risk
   Total marks for Credit Risk (A)
B. Earning
C. Liquidity
D. Strategy and Business Environment
   1 Business achievement
   2 Profitability
   3 Market share
   Marks for Strategy and Business Environment (D)
E. Operational Risk
   1 Fraud prevention and follow-up effects
   2 Documentation and compliance with terms
   3 Exercise of delegated authority
   4 Accounting system / balancing of books / computer audit (computerized branch)
   5 Anti money laundering related issues
   6 Customer service
   Total marks for Operational Risk (E)
Total marks for Business Risk (A+B+C+D+E)

2. Control Risks
A. Credit
   1 Follow-up, monitoring and control
   2 Review/renewal time
   3 NPA/SMA management
     a) Monitoring of NPA
     b) Quality of assets
     c) Recovery from NPA
     d) Recovery through rescheduling / waiver of interest
     e) Level of SMA
   Total marks for Credit (A)
B. Internal Control
   1 Business lines
     a) Deposit business
     b) Remittance and collection business
     c) Agency and other fee based services
     Sub-total
   2 Back-up operations
     a) Branch cash / petty cash
     b) Security forms
     c) Protective arrangements
     d) Branch documents
     e) Records and stationery
     Sub-total
   3 Control systems
     a) A/C system / balancing of books (manual/automated)
     b) Office accounts follow-ups
     c) Control function (branch controls)
     d) Submission of periodical returns
     e) Letter receiving and disposal
     Sub-total
   4 General administration / staff matters
   5 Premises / furniture
   6 Control of income leakage
   Total marks for Internal Control Risk (B)
C. Compliance
   1 External compliance
   2 Follow-up of audit reports
   Total marks for Compliance (C)
D. Management
Total marks for Control Risk (A+B+C+D)

6.17 Risk Assessment: All parameters to be assessed are summarized under "Business Risks" and "Control Risks". Auditors are required to award scores as follows:

Step-I: Based on observations during the audit, quantify the breaches under each parameter as a percentage.

Step-II: Determine the level of breaches as Low, Medium or High:

Breaches observed   Level
<10%                Low
10%-20%             Medium
>20%                High

Step-III: Quantify the breaches in value terms, reflecting the magnitude.

Step-IV: Express the breaches (in value) as a percentage of total advances.

Step-V: Determine the level of breaches in value terms as Low, Medium or High:

Percentage of advances   Level
<10%                     Low
10%-25%                  Medium
>25%                     High

Step-VI: (a) Link the magnitude level from Step-V with the level of breaches from Step-II to determine the level of risk, using the following matrix (rows: Magnitude (value), Step-V; columns: Breaches observed, Step-II):

Magnitude \ Breaches   Low      Medium   High
High                   High     High     High
Medium                 Medium   High     High
Low                    Low      Medium   High

(b) For qualitative parameters, link the breaches observed directly to the level of risk, as in Step-II.

Step-VII: Award scores based on the level of risk as follows:

Level of risk           Max. marks 5   Max. marks 10   Max. marks 15   Max. marks 20
Low / Good              4 or 5         9 or 10         13-15           18-20
Medium / Satisfactory   3              6 or 7          9 or 10         12-14
High / Weak / Poor      2 or less      5 or less       8 or less       10 or less

Auditors have discretion to award marks within the range specified for each level, depending on their on-site judgement.

6.18 Conduct of on-site Audit and Report findings.

6.18.1 Based on the risk-focused audit plan, the team will conduct the on-site audit. The audit team will assess the efficacy and efficiency of the controls in place to manage the inherent business risks faced by the branch. This results in the on-site risk assessment and rating of the branch / inherent business risks / functional area / business line.

6.18.2 Conduct of off-site risk assessment of branch:

6.18.2.1 Prepare branch/Activity profile:

This involves collecting the latest necessary data about the branch from various sources, including:
• Previous internal audit reports and compliance
• Proposed changes in business lines or change in focus
• Significant changes in management/key personnel
• Results of the latest regulatory examination report
• Reports of external auditors
• Industry trends and other environmental factors
• Time elapsed since the last audit
• Substantial performance variations from the budget

6.18.2.2 Determine the level of risk separately for inherent business and control risk

The scoring module determines the level of risk as Low, Medium or High. Agrani Bank Limited will follow the following ranges of scores:

Level of risk   % of score awarded
Low             Above 60%
Medium          40%-60%
High            Below 40%

6.19 Determine the composite risk level using composite risk matrix.

There are five levels of composite risk: Low, Medium, High, Very High and Extremely High, as shown below (rows: Inherent Business Risk; columns: Control Risk):

Inherent \ Control   Low              Medium              High
High                 A: High Risk     B: Very High Risk   C: Extremely High Risk
Medium               D: Medium Risk   E: High Risk        F: Very High Risk
Low                  G: Low Risk      H: Medium Risk      I: High Risk

6.20 Determine the trend/direction of both inherent business risk and control risk. Inherent business risk and control risk should be analysed to assess whether they show a stable, increasing or declining trend. This can be done once the risk assessment has been carried out for two or more periods. The trend matrix is shown below (rows: direction of Inherent Business Risk; columns: direction of Control Risk):

Inherent \ Control   Decreasing   Stable              Increasing
Increasing           Increasing   Increasing          Increasing
Stable               Stable       Stable/Increasing   Increasing
Decreasing           Decreasing   Stable              Increasing

A variation of up to +5 or -5 marks in the same category is considered Stable. A variation of more than +5 or -5 marks in the same category is considered Increasing or Decreasing, as the case may be.

6.21 Determine the ratings of the branch.

6.21.1 Based on the level and direction of risk, the risk assessment rating is one of the following fifteen:
1. Extremely High risk: Increasing / Stable / Decreasing
2. Very High risk: Increasing / Stable / Decreasing
3. High risk: Increasing / Stable / Decreasing
4. Medium risk: Increasing / Stable / Decreasing
5. Low risk: Increasing / Stable / Decreasing

6.21.2 The risk assessment matrix must consist of business and control risk. The matrix alone, however, does not serve the purpose: business and control risk must be broken into quantifiable factors/parameters, so that the risk assessment eventually gives a picture of the risk associated with the units/branches/functions, on which the annual audit plan is drawn up.

6.21.3 Based on the risk assessment matrix, the audit plan will be as follows:

Risk Rating   Frequency     Sample Volume
High          Quarterly
Medium        Half Yearly
Low           Yearly

6.21.4 The risk rating is determined by the business and control risk of the particular branch.
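The scoring steps of 6.17 through 6.21 chained together for one branch (breach percentage to level, magnitude to level, the Step-VI matrix, the score bands, the percentage-of-marks cut-offs, the composite risk matrix, the trend rule and the audit frequency), as an added Python example that is not part of the policy or of any Agrani Bank system. The parameter names, percentages and prior-period marks are constructed. Three points are assumptions of the example rather than policy text, and the comments say so: the mark chosen inside a band (the policy leaves that to auditor discretion), reading a fall in marks as risk Increasing (since a higher score means lower risk), and scheduling Very High and Extremely High ratings as Quarterly (the frequency table lists only three ratings).

```python
"""Branch risk scoring per sections 6.17 to 6.21 (added example, not policy code).
Sample parameters, percentages and prior-period marks below are constructed."""

def breach_level(pct):  # Step-II: items in breach (%) -> level
    return "Low" if pct < 10 else "Medium" if pct <= 20 else "High"

def value_level(pct):  # Step-V: breaches in value as % of total advances -> level
    return "Low" if pct < 10 else "Medium" if pct <= 25 else "High"

def score_level(pct):  # 6.18.2.2: % of marks awarded -> level of risk
    return "Low" if pct > 60 else "Medium" if pct >= 40 else "High"

# Step-VI(a): row = magnitude level (Step-V), column = breach level (Step-II).
RISK_MATRIX = {
    "High":   {"Low": "High",   "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Medium", "High": "High"},
}
# Step-VII bands as (lowest, highest) mark per maximum; "or less" bands start at 0.
SCORE_BANDS = {
    5:  {"Low": (4, 5),   "Medium": (3, 3),   "High": (0, 2)},
    10: {"Low": (9, 10),  "Medium": (6, 7),   "High": (0, 5)},
    15: {"Low": (13, 15), "Medium": (9, 10),  "High": (0, 8)},
    20: {"Low": (18, 20), "Medium": (12, 14), "High": (0, 10)},
}
# 6.19: row = inherent business risk level, column = control risk level.
COMPOSITE = {
    "High":   {"Low": "High",   "Medium": "Very High", "High": "Extremely High"},
    "Medium": {"Low": "Medium", "Medium": "High",      "High": "Very High"},
    "Low":    {"Low": "Low",    "Medium": "Medium",    "High": "High"},
}
# 6.20: row = direction of inherent business risk, column = direction of control risk.
TREND = {
    "Increasing": {"Decreasing": "Increasing", "Stable": "Increasing", "Increasing": "Increasing"},
    "Stable":     {"Decreasing": "Stable", "Stable": "Stable/Increasing", "Increasing": "Increasing"},
    "Decreasing": {"Decreasing": "Decreasing", "Stable": "Stable", "Increasing": "Increasing"},
}
# 6.21.3 lists three ratings; treating Very High / Extremely High as Quarterly is an assumption.
FREQUENCY = {"High": "Quarterly", "Medium": "Half Yearly", "Low": "Yearly"}


def score_parameter(max_marks, breach_pct, value_pct=None, discretion=0.5):
    """Return (level, marks). A quantitative parameter passes magnitude and breach
    level through RISK_MATRIX; a qualitative one (value_pct=None) uses the breach
    level alone (Step-VI(b)). `discretion` in [0, 1] picks the mark inside the band,
    standing in for the auditor's on-site judgement (an assumption of this example)."""
    level = breach_level(breach_pct)
    if value_pct is not None:
        level = RISK_MATRIX[value_level(value_pct)][level]
    lo, hi = SCORE_BANDS[max_marks][level]
    return level, lo + int((hi - lo) * discretion)


def direction(marks, previous_marks):
    """6.20: within +/-5 marks is Stable. Fewer marks than last period is read as
    risk Increasing, because a higher score means lower risk (see score_level)."""
    diff = marks - previous_marks
    return "Stable" if abs(diff) <= 5 else "Increasing" if diff < 0 else "Decreasing"


def assess_branch(business, control, previous, discretion=0.5):
    """Score both formats and derive level, direction, composite risk and frequency.
    Each parameter is (name, maximum marks, breach %, value % of advances or None)."""
    def total(params):
        marks = sum(score_parameter(m, b, v, discretion)[1] for _, m, b, v in params)
        return marks, sum(m for _, m, _, _ in params)

    b_marks, b_max = total(business)
    c_marks, c_max = total(control)
    b_level, c_level = score_level(100 * b_marks / b_max), score_level(100 * c_marks / c_max)
    b_dir, c_dir = direction(b_marks, previous["business"]), direction(c_marks, previous["control"])
    composite = COMPOSITE[b_level][c_level]
    return {
        "business": (b_marks, b_max, b_level, b_dir),
        "control": (c_marks, c_max, c_level, c_dir),
        "composite": composite,
        "direction": TREND[b_dir][c_dir],
        "frequency": FREQUENCY.get(composite, FREQUENCY["High"]),
    }


# Constructed sample branch (names follow Figure 1; figures are made up).
SAMPLE_BUSINESS = [
    ("Portfolio quality and composition", 20, 30.0, 30.0),
    ("Pre-sanction credit process", 15, 12.0, None),
    ("Fraud prevention and follow-up", 10, 15.0, None),
    ("Liquidity", 5, 25.0, 8.0),
]
SAMPLE_CONTROL = [
    ("Follow-up, monitoring and control", 20, 22.0, 30.0),
    ("Balancing of books", 10, 25.0, None),
    ("Anti money laundering", 15, 25.0, None),
    ("External compliance", 5, 12.0, None),
]
SAMPLE_PREVIOUS = {"business": 30, "control": 17}  # marks awarded in the prior period


def run():
    """Assess the constructed sample branch."""
    return assess_branch(SAMPLE_BUSINESS, SAMPLE_CONTROL, SAMPLE_PREVIOUS)
```

For the constructed branch, `run()` gives business risk 21/50 (42%, Medium, Increasing because marks fell by 9) and control risk 14/50 (28%, High, Stable), hence composite Very High with direction Increasing and a quarterly audit frequency. The same functions can be fed the real DCFCL scores once the breach and value percentages from Steps I to V are available, and changing `discretion` shows how much the band choice moves a branch across the 40% and 60% cut-offs.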


6.21.5 Risk Based Audit Universe [17]

[Figure omitted; source: footnote 17]

Categories of Audit Findings

6.22 Minor Irregularities (MI): The same kind of deviation from the rules (system lapses) is committed repeatedly, but it has caused no loss to the work of the branch/office, although a possibility of loss may remain; that is, the errors and omissions that arise from laxity in the branch's internal supervision are classified as ordinary irregularities (Minor Irregularities). Internal auditors should try to rectify these irregularities on the spot as far as possible and follow up with the branch Manager until final rectification. For example:

6.22.1 Job rotation not carried out in the duty list.

17 https://www.youtube.com/watch?v=SuTlfvnZZsc

6.22.2 When cash is paid against a cash debit voucher, the recipient's signature is not verified.
6.22.3 Accounts opened without the permission of the branch manager.
6.22.4 Cheque series entries in the ledger not verified and signed by an officer.
6.22.5 Cuttings, erasures and overwriting in the ledger not authenticated by an officer's signature.
6.22.6 Transfers made under a single signature.
6.22.7 Balancing-checking register not maintained under joint signature.
6.22.8 After a ledger balance is carried forward to another page, the account holder's full name and address are not written and the carry-forward is not confirmed by an officer.
6.22.9 Large-amount cheque vouchers not cancelled and supervision-signed under joint supervision within the limits prescribed by Head Office.
6.22.10 Before a cheque is passed, the cheque number is not matched against the cheque series entered in the ledger and initialled beside the number.
6.22.11 Cuttings/overwriting in the cash payment/receipt register not checked by the responsible officer.
6.22.12 Transfer register not verified and signed by the responsible branch officer.
6.22.13 The account holder's signature on the account opening form not examined by the responsible officer.
6.22.14 Transfer/clearing vouchers not signed by two officers.
6.22.15 Cheque book requisition slip not signed by the cheque-book-issuing officer/manager.
6.22.16 When an FDD is paid by transfer, the branch's endorsement is not given on the reverse of the FDD.
6.22.17 The total number of vouchers not written on the voucher cover and the cover not signed by an officer.
6.22.18 Large-amount cheques/DDs paid on single cancellation.
6.22.19 "Cash paid" seal not applied to all instruments paid in cash by the branch.
6.22.20 After a cheque/voucher is posted in the computer, the posting officer does not sign it.
6.22.21 "Transfer" seal not applied to all instruments paid by transfer.
6.22.22 Cash details not written on the reverse of the pay-in-slip (for deposits) or on the reverse of the cheque (for payments).
6.22.23 Posting officer not giving a full signature when posting cheques/deposit vouchers.
6.22.24 Prefix number not written when recording cheque series numbers in the ledger.

6.22.25 DD/TT/MT issued although the applicant's address is not written on the application, and DDs handed over without taking the recipient's signature in the "DD received" column.
6.22.26 Counterfoil of DD/pay order not signed by an officer.
6.22.27 Special crossing seal not applied to cheques/instruments received for collection.
6.22.28 Code number not written beneath the names of the issuing and paying branches on DDs.
6.22.29 Filing not done as per rules; vouchers not properly preserved.
6.22.30 Instruction circulars not entered in the circular register.
6.22.31 Security stationery register not properly maintained.
6.22.32 Files of lawsuits filed, including the plaint, not preserved.
6.22.33 Important ledgers/registers not kept in a secure place after the day's transactions.
6.22.34 At account opening, all particulars of the account (full name, occupation, telephone number and any special instructions) must be recorded in the ledger; these are not checked and signed by an officer.
6.22.35 When a DD is paid without the advice, no objection letter is issued to the DD-issuing branch.
6.22.36 After a ledger balance is carried forward to another page, the parallel mark is not placed to the left of the balance.

6.23 Major Irregularities (ML): Irregularities for which the Bank does not suffer an immediate loss, but which indicate a loss in the near future and appear likely to cause loss, are identified as procedural irregularities. Action should be taken on an urgent basis so that such an irregularity is removed as quickly as possible and is not repeated. Procedural irregularities are to be classified by importance, and the less important ones settled quickly so as to reduce the number of objections. For branches/offices where a large number of procedural irregularities occur, the higher authority is asked to take the necessary action on an urgent basis:-

(A) Major irregularities relating to foreign trade and foreign exchange (foreign exchange risk based), for example:

6.23.1 L/C margin not collected on the day the L/C is opened.
6.23.2 3rd and 4th copies of the L/C not sent to the importer/exporter's office.
6.23.3 Commission and other charges on issued guarantees not realized on the date of issue.

6.23.4 Charges on shipping guarantees not realized on the day of issue as per the prevailing rules.
6.23.5 Letter of clearance and the required margin not obtained by the branch against LIM.
6.23.6 Discrepant export documents purchased and held for a long time to the benefit of the exporter, and sent to the foreign bank only after the discrepancies are removed.
6.23.7 Less interest recovered, or commission not recovered, on export/import bills.
6.23.8 Branch not playing its proper role in the repatriation of foreign exchange against export bills.
6.23.9 EXP reconciliation reporting not done correctly.
6.23.10 Irregularities in the disbursement and recovery of PC (packing credit) loans.
6.23.11 Irregularities in the payment of IFBC/import bills.
6.23.12 Bill of entry matching not done properly.
6.23.13 Cash incentive against exports not paid correctly.
6.23.14 Bills for goods exported against an expired export L/C purchased and paid out.
6.23.15 L/Cs opened and PC facilities granted in excess of entitlement.
6.23.16 3% reserve not collected on consumer goods loans.

(B) Procedural irregularities relating to general banking (based on asset-liability risk, money laundering risk and ICC risk), for example:

6.23.17 Account holder's photograph not obtained when opening a new account.
6.23.18 Account opened without an introducer.
6.23.19 Trade licence and declaration of ownership not obtained when opening a current account in the name of a business.
6.23.20 Form CD-50 (1036-1, 1036-3) not obtained when an account is opened by a customer with shaky/unpractised handwriting.
6.23.21 Accounts opened fraudulently with false names and addresses, and loans granted on such accounts.
6.23.22 Thanks letters not sent to all savings and current account holders after account opening.
6.23.23 Thanks letter not sent to the introducer of a current account.
6.23.24 To verify the account holder's address after account opening, thanks letters not regularly sent from the branch by registered AD post.

6.23.25 KYC obtained for new accounts but, in many cases, the required particulars of the account holder not recorded; accounts opened without the KYC and TP (transaction profile) forms being properly completed, and these not updated regularly/when required.
6.23.26 Account holder's signature not obtained on the rules of the account in the account opening form.
6.23.27 Vault register not maintained.
6.23.28 Scroll register and token register not maintained.
6.23.29 Cash held in, or moved to and from, the branch safe in excess of the limit.
6.23.30 Foreign remittance funds held back instead of being credited to the beneficiary's account on the day of receipt or the next day.
6.23.31 Money drawn on false travelling allowance bills.
6.23.32 Large quantities of torn/mutilated notes kept with the branch cash and no initiative taken to exchange them.
6.23.33 Acknowledgement receipts for cash transactions with the feeding branch not properly preserved.
6.23.34 Cheque series numbers not correctly written in the cash payment register.
6.23.35 Prize bond register not maintained.
6.23.36 Petty cash and postage registers under the post, telegram and stamp heads not regularly checked by the branch manager/officer.
6.23.37 Recipient's signature not obtained on the reverse of the voucher when cash is paid against a cash debit voucher.
6.23.38 Cashier's and officer's initials not placed against each entry in the branch cash payment register.
6.23.39 Customer accounts not transferred to a new ledger, and torn ledgers not replaced, although the ledger pages are torn.
6.23.40 Branch unable to balance the ledgers and produce them to the auditors during the audit.
6.23.41 Large transactions in the ledger not supervised by two officers.
6.23.42 Accounts without transactions for more than 2 years not transferred to the dormant ledger.
6.23.43 Ledgers not balanced regularly.
6.23.44 Balance confirmation letters not sent to customers after the half-yearly and annual closing of accounts.
6.23.45 Incidental charges/service charges not recovered on accounts at the annual closing as per Head Office instructions.


ICC Policy and Procedures-2018 6.23.46 PjwZ wnmv‡ei †¶‡Î 6 gvm Ges mÂqx wnmv‡ei †¶‡Î GK ermi hveZ †jb‡`b wenxb wnmvemg–n “mZK© nDb Wi‡g›U wnmve” ( Care Dormant Account ) wj‡L wPwýZ bv Kiv| 6.23.47 AwMÖg ZvwiLh–³ †P‡Ki UvKv cwi‡kva Kiv| 6.23.48 †P‡Ki Zvwi‡L KvUvKvwU/DcwiwjL‡b MÖvn‡Ki m¤§wZ Qvov bM` cwi‡kva Kiv| 6.23.49 Zvgvw` ZvwiLhy³ †P‡Ki UvKv cwi‡kva Kiv| 6.23.50 Kw¤•DUvivBRW kvLvi ˆ`bw›`b fvDPvi †PwKs bv Kiv| 6.23.51 wUcmwn/boe‡o nv‡Zi †jLvq cwi‡kvaK…Z †PK K¨v‡Ý‡jkb Kg©KZ©v KZ©„K mZ¨vwqZ bv Kiv| 6.23.52 fvDPvi †iwRóvi mwVKfv‡e cwicvjb bv Kiv| 6.23.53 wewfbœ my`evnx AvgvbZ wnmv‡e Kg/†ekx my` Av‡ivc Kiv| 6.23.54 Kg©KZ©v KZ©„K K¨v‡Ý‡jkb e¨wZ‡i‡K †P‡Ki A_© cwi‡kva Kiv| cwi‡kv‡ai wbwg‡Ë †PK K¨v‡Ý‡jk‡bi †¶‡Î h_vh_ wewa weavb †g‡b bv Pjv| 6.23.55 bM` A_© Rgvi †¶‡Î RgvKvixi ¯^v¶i bv †bqv| 6.23.56 kvLvq †jb‡`b PjvKvjxb mg‡q †Kvb mk¯¿ cÖnix cÖavb dU‡K †gvZv‡qb bv Kiv| 6.23.57 cyivZb †iKW© †iwRóvi cwicvjb bv Kiv| 6.23.58 AvmevecÎ †iKW© †iwRóvi cwicvjb bv Kiv| 6.23.59 óK Ae †÷kbvix †iwRóvi cwicvjb bv Kiv| 6.23.60 AwMœ-wbe©vcK hš¿ cybtf©ib bv Kiv| 6.23.61 kvLv fe‡bi fvov Pzw³i †gqv` DËxY© nIqvi ciI nvjbvMv` Pzw³ m¤úv`b bv Kiv| 6.23.62 kvLvi wm›`y‡Ki Wzwcø†KU Pvwe cÖwZ eQi AveZ©b bv Kiv| 6.23.63 kvLvi Kg©KZ©v/Kg©Pvix‡`i e¨w³MZ bw_‡Z Zv‡`i cix¶v cv‡ki g–j mb`c‡Îi mZ¨vwqZ Kwc I nvj bvMv` Qwe msi¶Y bv Kiv| 6.23.64 Kw¤úDUv‡ii cvmIqvW© wbqš¿YKvixi †MvcbxqZv i¶v bv Kiv Ges Aby‡gvw`Z Kg©KZ©vi AbygwZ Qvov Kw¤úDUvi e¨envi Kiv| 6.23.65 Kw¤úDUv‡i m¤úvw`Z †jb-†`‡bi †eªK-Avc Ges nvjbvMv` wcÖ›U Kwc h_vwbq‡g †PwKs I msi¶Y bv Kiv| 6.23.66 Administrative Password hv Manager KZ©„K msiw¶Z bv ivLv| 6.23.67 Departmental Control Funtion Check List (DCFCL ) h_vwbq‡g cwicvjb bv Kiv| 6.23.68 kvLvq Av‡qi cwigvb e„w×i j‡¶¨ kvLvq `xN©w`‡bi †jb-†`b wenxb c‡o _vKv †QvU †QvU w¯’wZi wnmvemg–n wewa ewnf©–Zfv‡e Avq Lv‡Z ¯’vbvšÍiKiY|


ICC Policy and Procedures-2018 6.23.69 kvLvi Kx †iwRóvi h_vh_fv‡e cwicvjb bv Kiv| 6.23.70 kvLvq Av‡MÐqv¯¿ I †Mvjv mPj I Kvh©Ki bv _vKv| 6.23.71 mvBb‡evW©/†bvwUk †evW© bv jvMv‡bv| 6.23.72 nvjbvMv` QywUi †iwRóvi (wjf †iKW© †iwRóvi) mwVKfv‡e cwicvjb bv Kiv Ges †bvwUk †ev‡W© wmwU‡Rb PvU©vi bv jvMv‡bv| 6.23.73 kvLvq mvK©–jvi B‡ÛKm †iwRóvi nvjbvMv` bv Kiv| 6.23.74 jKv‡ii fvov mwVKfv‡e Av`vq bv Kiv| 6.23.75 miKvix ivR¯^ mwVKfv‡e wbY©q I Zv wbqwgZ cwi‡kva bv Kiv| 6.23.76 GKB kvLvq Kg©iZ Kg©KZ©v/Kg©Pvix‡`i †¶‡Î cÖwZ wZb eQi AšÍi AšÍi e`jxi Av‡`k msµvšÍ cÖavb Kvh©vj‡qi wb‡`©kbv cvjb bv Kiv| cÖ‡hvR¨ †ÿ‡Î Re †iv‡Ukb bv Kiv| 6.23.77 g–jZex wnmve (óvd) †_‡K wecyj cwigv‡b UvKv †bqvi ci `xN©w`b ch©šÍ mgš^q bv Kiv| 6.23.78 g–jZex wnmve (Av`vm©) Lv‡Z `xN©w`b ch©šÍ Amgwš^Z w¯’wZ mgš^q bv Kiv| 6.23.79 Avwg© †cbkb Lv‡Z `xN© w`b †_‡K c‡i _vKv Amgwš^Z w¯’wZ mgš^q bv Kiv| 6.23.80 AvÂwjK Kvh©vjq KZ©„K eivÏK…Z KwZcq wbqš¿Y‡hvM¨ e¨q Lv‡Z ev‡RU AwZwi³ LiP Kiv Ges h_vh_ KZ©„c‡¶i KvQ †_‡K Aby‡gv`b bv †bqv| 6.23.81 GgI/GbwR wnmv‡ei nvjbvMv` mgš^q m¤•wK©Z mb`cÎ msMÖn bv Kiv| 6.23.82 AvšÍtkvLv Rgv/LiP weÁwß (AvBwewmG/AvBwewWG/GgIwmG/GgIwWG) mg~n MÖnY Kivi mv‡_ mv‡_B †imcÛ bv Kiv| 6.23.83 Bmy¨Kvix kvLvi Kg©KZ©v KZ©„K h_vh_fv‡e ¯^v¶iwenxb AvBwewmG/AvBwewWG/ GgIwmG/GgIwWG †imcÛ Kiv| 6.23.84 †PK eB wiKzBwRkb w¯ø‡c wnmveavixi ¯^v¶i cix¶v Kiv e¨wZ‡i‡K †PK eB Bmy¨ Kiv| 6.23.85 wWwW/wUwU G¨vWfvBR MÖvn‡Ki nv‡Z cÖ`vb Kiv| (C) FY welqK cÖavb Awbqg ( ML) -(Credit risk wfwËK) †hgb t 6.23.86 eÜKx `wjj m¤úv`b bv Kiv| 6.23.87 F‡Yi wecix‡Z mxgvwZwi³ A_© cÖ`vb| 6.23.88 e¨emv cÖwZôv‡bi mvBb‡evW© Ges e¨vs‡Ki wbKU `vqe×Zvi mvBb‡evW© bv jvMv‡bv| 6.23.89 eÜKx m¤•wËi g–j `wjj, evqv `wjj, AviGm, wmGm, GmG, GmG wgD‡Ukb Ges gvV ciPv/weAviGm LvwiR ciPv MÖnY bv Kiv|


ICC Policy and Procedures-2018 6.23.90 nvj bvMv` LvRbvi iwk` bv †bqv| 6.23.91 eÜKx m¤•wËi mvBU cШvb I †gŠRv bKmv bv †bqv| 6.23.92 DwK‡ji gZvgZ I eÜKx `wj‡ji WªvdU Kwc bv †bqv| 6.23.93 gvwmK gRy` gv‡ji óK wi‡cvU© bv †bqv| 6.23.94 gÄyixc‡Îi kZ© †gvZv‡eK FY wnmve mvgwqK mgš^q bv Kiv| 6.23.95 mxgvwZwi³ `vq, †Ljvcx F‡Yi wKw¯ Av`v‡qi †¶‡Î, FYmxgv bevq‡bi †¶‡Î †Kvb Awbqg Kiv| 6.23.96 cÖKí F‡Yi †¶‡Î gÄyixcÎ/wewb‡qvM Pzw³ jsNb K‡i exgv, †eZb fvZv I Ab¨vb¨ LiP cÖ`vb Kiv| 6.23.97 eÜKK…Z m¤•wËi †iwRwóªK…Z `wjjvw` h_vmg‡q mswkÐó mve-†iwRwóª Awdm †_‡K msMÖn bv Kiv| 6.23.98 gÄyixc‡Îi kZ©vbyhvqx mwVKfv‡e `wjjcÎ/exgv BZ¨vw` m¤•v`b bv K‡i Rvgvb‡Zi Dci e¨vs‡Ki AbyK’‡j mwVKfv‡e PvR© m„wó/wbqš¿Y cÖwZôvKiY e¨wZ‡i‡K FY weZiY/ D‡Ëvjb cÖ`vb Kiv| 6.23.99 wmwm †cÐR I nvB‡cv F‡Yi †¶‡Î †gqv‡`vËx‡Y©i ci D‡Ëvjb cÖ`vb| 6.23.100 DCFCL Abyhvqx Check list ˆZix K‡i FY bw_‡Z msi¶Y bv Kiv| 6.23.101 cÖ‡hvR¨ †¶‡Î eÜKx m¤•wËi wel‡q †ccvi weÁwß cÖKvk bv Kiv| 6.23.102 50 jÿ UKv I cÖ‡qvR¨ †¶‡Î eÜKx m¤úwËi wel‡q AvBbMZ gZvgZ I eÜKx/ AcÖZ¨vnvi‡hvM¨ Avg-†gv³vibvgv `wjjmn Ab¨vb¨ `wjvw` cÖavb Kvh©vj‡qi AvBb wefvM KZ©„K †f‡UW bv Kiv| 6.23.103 kvLv KZ©„K gvgjvi wWD †WU Wv‡qix cwicvjb bv Kiv| 6.23.104 eÜKx m¤úwËi g~j¨vqb cÎ MÖnY bv Kiv| 6.23.105 eÜKx `wj‡j kvLvi GKRb Kg©KZ©v ¯^v¶x wnmv‡e bv _vKv| 6.23.106 gÄyixc‡Îi kZ©vbyhvqx mg¯ SuywK Kfvi K‡i exgvcÎ MÖnY bv Kiv| A‡bK‡¶‡Î ïay gvwb wiwmÞ Kfvi †bvU MÖnY Kiv nq| wKš‘ cwjwm MÖnY bv Kiv| 6.23.107 eÜKx `wj‡j ZvwjKvf’³ AvBbRxexi ¯^v¶i bv _vKv| 6.23.108 `wjjvw`i iwk` `wjj`vZv KZ©„K wWmPvR© bv Kiv| 6.23.109 FYMÖnxZvi BKz¨BwU mwVKfv‡e e¨envi bv Kiv| 6.23.110 cÖ‡hvR¨ †¶‡Î nvj bvMv` wmAvBwe wi‡cvU© MÖnY bv Kiv (m‡ev©”P 60 w`b c~‡e©i)| 6.23.111 GmGgG/†kÖYxweb¨vwmZ nIqvi Dc‡hvMx FY wnmve †kÖYxKiY bv K‡i my` Avq Lv‡Z ¯’vbvš iKiY| GQvov cÖavb Kvh©vjq/evsjv‡`k e¨vsK Gi wb‡`©kbv jsNb K‡i


AwbqwgZfv‡e my` AwbwðZ wnmve n‡Z Avq Lv‡Z ¯’vbvš iKiY| 6.23.112 eÜKx m¤•wËi/¯’vcbvw`i w¯’iwPÎ MÖnY bv Kiv| 6.23.113 FDR/APS/ABS/MIS/MDS BZ¨vw` Gi wecix‡Z FY cÖ`vbKv‡j h_vh_ gvwR©b bv †i‡L FY weZiY Ges †jRvi/†iwRóv‡i wj‡qb gvK© bv Kiv ev cvZv cwieZ©‡bi mgq wj‡qb gvK© bv Kiv| 6.23.114 PvR© `wjjvw` mwVKfv‡e c–iY bv Kiv Ges h_vh_ ó¨v¤• bv jvMv‡bv| Signature cix¶v bv Kiv| 6.23.115 mn‡hvMx Rvgvb‡Zi gvwjKvbvq ÎæwU msµvšÍ DwK‡ji gZvgZ fvjfv‡e bv †`‡LB FY weZiY| 6.23.116 mn‡hvMx Rvgvb‡Zi avivevwnK `wjj-ciPvw` A_©¨vr Chain Documents MÖnY e¨wZ‡i‡K FY cÖ`vb/weZiY| 6.23.117 F‡Yi LwZqvbmg–n h_vh_fv‡e mylgKiY (Balancing) n‡q‡Q wKbv Zv hvPvB Kiv QvovB Report Kiv| 6.23.118 Mortgage m¤úwËi `wjj/AvswkK m¤úwËi `wjj †Mvc‡b n¯ÍvšÍi| Mortgage property Gi `Lj m¤ú‡K© kvLvi `vwqZ¡cÖvß Kg©KZ©/Kg©Pvix‡`i D`vmxbZvi d‡j m¤•wË nvZQvov n‡q hvIqv| 6.23.119 ev‡RU AwZwi³ FY weZiY Kiv| 6.23.120 Awc©Z FY gÄyix ¶gZvi AwZwi³ FY weZiY Kiv| 6.23.121 FY cÖ‡mwms wd Av`vq bv Kiv|

6.24 Serious Lapses (SL) :

¸iæZi Awbqg ( SL ) nj H mg¯Í Awbqg hvi d‡j e¨vs‡Ki mg–n ¶wZ BwZg‡a¨ msNwUZ n‡q †M‡Q A_ev AwZkxNªB msNwUZ n‡Z cv‡i| †h kvLvq SL †kÖYxf~³ Awbqg cvIqv hvq †m¸‡jv Riæix wfwˇZ cÖ‡qvRbxq e¨e¯’v bv †bqv n‡j e¨vs‡Ki mg–n ¶wZ nIqvi m¤¢vebv _v‡K Ges GB Rb¨ Riæix wfwˇZ e¨e¯’v MÖnY Kiv Acwinvh©| cÖavbZt wb¤œwjwLZ †jb‡`bmg–n ¸iæZi Awbqg ( SL ) wnmv‡e †kÖYxf’³ t

(K) †h mg¯Í Awbq‡gi d‡j Fraud I Forgery msNwUZ n‡q‡Q, (L) †h mg¯Í Awbq‡gi djkÖ“wZ‡Z A`–i fwel¨‡Z e¨vsK ¶wZMÖ¯’ nIqvi cÖPzi m¤¢vebv we`¨gvb Ges (M) †h mg¯Í Awbq‡gi Rb¨ Ri“ix wfwˇZ DשZb KZ©„c‡¶i cÖkvmwbK e¨e¯’v MÖnY Kiv cÖ‡qvRb nq|


(I) mvaviY e¨vswKs welqK ¸iæZi Awbqgt (Asset Liability Risk, Money Laundering Risk, Internal Control & Compliance Risk wfwËK) t †h †Kvb ai‡Yi RvwjqvwZ/cÖZviYv/Awbq‡gi gva¨‡g e¨vs‡Ki Avw_©K ¶wZ mvab| †hgb t-

6.24.1 kvLvi bM` A_© KvD›Uvi/fë †_‡K mwi‡q †djv ev Kvh©w`em †k‡l mswkÐó wnmve †WweU bv K‡i †PK/fvDPvi kvLvi bM` A‡_©i Ask wnmv‡e a‡i ivLv| 6.24.2 bM` A‡_©i evwÛ‡j †bv‡Ui msL¨v Kg †i‡L A_© AvZ¥mvr Kiv| 6.24.3 MÖvn‡Ki bM` A_© MÖnY K‡i Zv kvLvi bM` MÖnY ewn‡Z I MÖvn‡Ki wnmv‡e Rgv bv K‡i AvZ¥mvr Kiv| 6.24.4 kvLvi bM` MÖnY ewn‡Z KvUvKvwU/NlvgvRv/AwZwjLb/DcwiwjL‡bi gva¨‡g MÖvn‡Ki RgvK…Z bM` A_© Ab¨ wnmv‡e Rgv K‡i AvZ¥mvr Kiv| 6.24.5 GK kvLv †_‡K Ab¨ kvLvq/e¨vs‡K wg_¨v K¨vk †cÖiY †`wL‡q AvZ¥mvr Kiv| wdwWs kvLv †_‡K bM` A_© G‡b kvLvq Rgv bv K‡i A_© AvZ¥mvr Kiv| wdwWs kvLv †_‡K bM` A_© G‡b mswkÐó AvBwewmG/GgIwmG K‡qKw`b †imcÛ bv K‡i mvgwqK AvZ¥mvr Kiv| 6.24.6 M„nxZ we`y¨r, cvwb, †Uwj‡dvb, M¨vm wej BZ¨vw`i UvKv mswkÐó wnmv‡e Rgv bv K‡i I f~qv weeiYx †cÖiY K‡i A_© AvZ¥mvr Kiv| GQvov D‡jÐwLZ wejmg–‡ni RgvK…Z A_© D³ w`e‡mB mswkÐó wnmv‡e Rgv bv K‡i c‡K‡U †i‡L cieZx©‡Z Rgvc–e©K mvgwqK AvZ¥mvrKiY| 6.24.7 AvšÍ t kvLv †mbvjx e¨vsK wjt/evsjv‡`k e¨vsK wnmv‡e f~qv †WweU K‡i Ges †Kvb wnmv‡e f~qv †µwWU K‡i A_© AvZ¥mvrKiY| 6.24.8 h_vh_ g–j¨ MÖnY QvovB †c‡g›U AW©vi, wmwKDwiwU wiwmÞ, wWwW, wUwU BZ¨vw` Bmy¨i gva¨‡g A‰eafv‡e e¨vs‡Ki UvKv AvZ¥mvr Kiv| 6.24.9 MÖvn‡Ki ¯^v¶i Rvj K‡i/Wzwcø†KU †P‡Ki gva¨‡g cÖZviYvg–jKfv‡e MÖvn‡Ki wnmve n‡Z A_© D‡Ëvjb Kiv| e¨eüZ †PK eB‡qi wiKzBwRkb di‡gi cwie‡Z© Ab¨ di‡gi (we-dig) gva¨‡g †PK eB Bmy¨/MÖnY K‡i MÖvn‡Ki wnmve †_‡K RvwjqvwZi gva¨‡g A_© AvZ¥mvr Kiv ev MÖvn‡Ki wnmv‡e wg_¨v Rgv †`wL‡q A‰ea D‡Ëvj‡bi gva¨‡g A_© AvZ¥mvr Kiv| 6.24.10 GIGd Ges GmGm KvW© e`wj‡q/mwi‡q wnmve †_‡K A‰eafv‡e A_© D‡Ëvjb Kiv| 6.24.11 †P‡Ki g~j AsK cwieZ©b K‡i wnmve †_‡K A‰eafv‡e D‡Ëvjb Kiv|


ICC Policy and Procedures-2018 6.24.12 Af¨šÍixY Lv`¨ msMÖ‡ni Ges cvU µq wej ev Abyiƒc †h †Kvb we‡ji wecix‡Z GKvwaKevi g~j¨ cwi‡kva †`wL‡q A_© AvZ¥mvr Kiv| 6.24.13 f~qv I Rvj wWwW, wUwU, GgwU BZ¨vw`i wecix‡Z cwi‡kva †`wL‡q A_© AvZ¥mvr Kiv A_ev ¯’vqx wb‡`©k I cÖPwjZ ixwZbxwZ AbymiY bv K‡i wWwW/wUwU BZ¨vw` cwi‡kv‡ai d‡j RvwjqvwZ msNUb| 6.24.14 LwZqv‡b BRv (we,Gd) Kivi mgq A‰eafv‡e w¯’wZi cwigvb i`e`‡ji gva¨‡g A‰eafv‡e A_© D‡Ëvjb Kiv| 6.24.15 wnmve f~qv Rgv †`wL‡q UvKv cÖ`vb Ges mswkøó wnmve †WweU e¨wZ‡i‡K †P‡Ki g~j¨ cÖ`vb| 6.24.16 UªvÝdvi fvDPv‡ii gva¨‡g f~qv Znwej ¯’vbvšÍi| 6.24.17 †jRvimg–n Ges wewfbœ wnmve LvZ f~qv e¨v‡jwÝs Kiv| 6.24.18 wewfbœ wnmve n‡Z Rgvw¯’wZi AwZwi³ UvKv D‡Ëvjb cÖ`vb| 6.24.19 Af¨šÍixY/evsjv‡`k e¨vsK/evwYwR¨K/ewnt wbix¶v cÖwZ‡e`‡bi f~qv cwicvjb| 6.24.20 †iwRóvi/ dvBbvbwmqvj †÷U‡g›U f~qv f~w³i gva¨‡g †PK cwi‡kva †`wL‡q A_© AvZ¥mvr Kiv| 6.24.21 wbKvk ewnf©–Z GjvKvq Ab¨ e¨vs‡Ki †PK, †c-AW©vi, †c-wúc, Gm,Avi BZ¨vw` Bbóªy‡g›U bM` A‡_©i gva¨‡g msMÖ‡ni †¶‡Î bM` A_© Zvr¶wbKfv‡e mswkøó wnmv‡e Rgv bv K‡i mvgwqK AvZ¥mvr ev Ab¨ wnmv‡e Rgv K‡i ¯’vqx AvZ¥mvr Kiv| G msµvšÍ †Kvb wnmve cwicvjb bv Kiv A_©vr jR‡g›U fvDPvi Qvo bv KiY| 6.24.22 bM` cwi‡kva/n¯ÍvšÍi mx‡j ZvwiLwenxb c~‡e© cwi‡kvaK…Z †PK, wWwW, GdwWwW, †c-AW©vi, †c-w¯øc, Gm,Avi BZ¨vw` Bbóªy‡g›U mwi‡q G‡b f~qvfv‡e cybivq cwi‡kv‡ai gva¨‡g A_© AvZ¥mvr Kiv| GKBfv‡e Kg©KZ©v KZ©„K K¨v‡Ý‡jkb wenxb ev bM` cwi‡kva/n¯ÍvšÍi mxjwenxb c~‡e© cwi‡kvaK…Z Bbóªy‡g›U f~qvfv‡e cybt cwi‡kv‡ai gva¨‡g AvZ¥mvZ Kiv| 6.24.23 MÖvn‡Ki bM` A_© MÖnY K‡i Zv kvLvi bM` MÖnY ewn‡Z fyw³ bv w`‡q I mgcwigvb A_© mswkÐó MÖvn‡Ki wnmv‡e fvDPvi wenxb fyqv fyw³ w`‡q Ges D³ fyqv fyw³ n¯ÍvšÍi fvDPv‡ii gva¨‡g mgš^q †`wL‡q A_© AvZ¥mvr Kiv| 6.24.24 NlvgvRv/AwZwjLb/KvUvKvwU/DcwiwjLb Gi gva¨‡g K¨vk cwRkb cwieZ©b K‡i bM` A_© AvZ¥mvr Kiv| 6.24.25 Wzwcø†KU Pvex ˆZix K‡i wm›`y‡Ki bM` A_© mwi‡q †djv|


ICC Policy and Procedures-2018 6.24.26 hyw³msMZ KviY e¨ZxZ mvm‡cÝ wnmve, mvwÛª †WUim Av`vm© LvZ n‡Z bM` A_© D‡Ëvjbc–e©K cieZx©‡Z mgš^q K‡i mvgwqK AvZ¥mvZKiY wKsev Ab¨ wnmv‡e mgš^q †`wL‡q ¯’vqx AvZ¥mvZKiY | 6.24.27 KZ©„c¶ KZ©„K RvixK…Z wb‡`©k/e¨vs‡Ki cÖPwjZ wbqg cvj‡b Pig Ae‡njvRwbZ Kvi‡Y e¨vs‡Ki Avw_©K ¶wZ mvab BZ¨vw`| 6.24.28 A_© AvZ¥mv‡Zi D‡Ï‡k¨ e¨vs‡Ki wewfbœ LvZ /wnmve †WweU K‡i Ab¨ Lv‡Z/wnmv‡e A_© ¯’vbvšÍi Kiv| 6.24.29 GwcGm/wWwcGm wnmv‡ei wecix‡Z FY cÖ`vb Kiv n‡q‡Q wKš‘ FY w¯’wZ mgš^q bv K‡i D³ wnmvemg–‡ni w¯’wZ cwi‡kva Kiv|

(II) FY welqK ¸iæZi Awbqg t ( Credit Risk wfwËK) †hgb t

6.24.30 gÄyix e¨ZxZ FY cÖ`vb, ¶gZv ewnf©–Zfv‡e FY gÄyix, cÖK…Z FYMÖnxZvi cwie‡Z© †jUvi Ae A_wiwU e¨ZxZ Z…Zxq e¨w³i gva¨‡g FY cÖ`vb, bvevjK/g„Z e¨w³i bv‡g FY cÖ`vb, c~‡e©i Abv`vqx FY †Mvcb K‡i ev ¸iæZ¡c~Y© Z_¨ †Mvcb K‡i FY MÖnY Ges cÖ`vb, †cø†R gvj ¸`vgRvZ bv K‡i FY cÖ`vb, gvivZ¥K ÎæwUc~Y© RvgvbZ MÖnY Ges F‡Yi e¨envi m¤ú‡K© wg_¨ cÖZ¨qbcÎ cÖ`vb BZ¨vw`| 6.24.31 Abby‡gvw`Z I f~qv FY weZi‡Yi gva¨‡g A_© AvZ¥mvr Kiv| 6.24.32 †cø†Ri gvjvgvj gÄyixc‡Îi kZ©vbyhvqx ¸`vgRvZ bv K‡i (¸`vgRvZ Kiv n‡q‡Q †`wL‡q) Kg IRb/cwigvb I wb¤œ gv‡bi gvj ¸`v‡g MÖnY K‡i Avw_©K myweav cÖ`vb Ges †cø†Ri/wj‡gi gvjvgvj Abby‡gvw`Z †Wwjfvix †`qv, †cøR /wj‡gi gv‡ji Dci e¨vs‡Ki wbqš¿Y cÖwZôv bv Kiv I ¸`v‡g gv‡ji NvUwZ nIqv| 6.24.33 FY e¨e¯’vcbvq mwVK Ges wewa †gvZv‡eK mgqgZ h_vh_ c`‡¶c bv †bIqvi d‡j cÖ`Ë FY Zvgv`x F‡Y cwibZ nIqv| 6.24.34 f~qv/†ebvgx A‰ea FY cÖ`vb Ges cÖ`vbKv‡j FYMÖnxZvi e¨emv cÖwZôv‡bi Aw¯ÍZ¡ bv _vKv| 6.24.35 Abby‡gvw`Z/AwbqwgZfv‡e e¨vsK M¨vivw›U Bmy¨ Kiv| 6.24.36 RvgvbZ/mnvqK Rvgvb‡Zi cÖPwjZ wewa weavb jsNb K‡i AwZ g~j¨vq‡bi gva¨‡g evowZ FY cÖ`v‡b FYMÖnxZv‡K mnvqZv Kiv| 6.24.37 F‡Yi wecix‡Z eÜKx m¤úwËi `wjjvw` (we‡kl K‡i g~j `wjj) h_vh_fv‡e bv †bqv Ges kvLvq mwVKfv‡e msi¶Y bv Kiv I †mBd Bb, †mBd AvDU †iwRóv‡i Gw›Uª bv Kiv|


ICC Policy and Procedures-2018 6.24.38 eÜKx m¤úwËi `Ljx ¯^Z¡/miKvi KZ©„K AwaMÖnYK…Z/Awc©Z m¤úwË wKbv Zv wbwðZ bv n‡q FY weZiY Kiv| 6.24.39 eÜKx `wjj/Avg-†gv³vibvgv `wj‡ji eÜKxK…Z m¤úwËi Zdwmj/Rwgi cwigvb gÄyixc‡Îi mv‡_ Mowgj _vKv| 6.24.40 F‡Yi `vq Av`v‡qi j‡¶¨ `v‡qiK…Z gvgjv Av`vjZ KZ©„K e¨vs‡Ki MvwdjwZi Kvi‡Y LvwiR Kiv n‡j| A_© FY Av`vjZ AvBb-2003 Bs Abyhvqx wbw`©ó mg‡q g~j gvgjv/Rvix gvgjv `v‡qi bv Kivi Kvi‡Y Av`vjZ KZ©„K LvwiR Kiv n‡j| 6.24.41 F‡Yi mnvqK RvgvbZ I eÜKx m¤úwË c~‡e© Ab¨ †Kvb e¨w³/cÖwZôv‡bi wbKU n¯ÍvšÍi/`vqe× Av‡Q wKbv Zv wbwðZ bv n‡q FY gÄyix I weZiY Kiv| 6.24.42 CC Hypo, OD Hypo BZ¨vw`i †¶‡Î Cheque mswkÐó FY/OD wnmv‡e Posting bv K‡iB f~qv †cvwós gvK© K‡i RvwjqvwZi gva¨‡g A_© AvZ¥mvr| 6.24.43 RvwjqvwZi gva¨‡g gÄyixK…Z F‡Yi †P‡q †ekx FY weZiY †`wL‡q A_© AvZ¥mvr Kiv| 6.24.44 F‡Yi wecix‡Z wj‡qbK…Z Rvgvb‡Zi g~j¨ FY mgš^q e¨ZxZ FYMÖnxZv‡K cÖ`vb ev wj‡qbK…Z RvgvbZ FYMÖnxZv‡K †dir †`qv|

(III) ˆe‡`wkK evwYR¨ I ˆe‡`wkK gy`ªv welqK ¸iæZi Awbqgt( Foreign exchange risk wfwËK) †hgb t 6.24.45 L/C (FYcÎ) †Lvjvi †¶‡Î Awc©Z mxgv AwZµg K‡i Aby‡gv`b wenxbfv‡e FYcÎ †Lvjv| 6.24.46 GjwmG dig Gi Kvóg cvicvm Kwc/wej Ae †jwWs/UªvK iwk`/wegvb fvov iwk`/†ijI‡q iwk` BZ¨vw` mswkÐó we‡ji UvKv Av`vq e¨wZ‡i‡K Avg`vbx KviK‡K n¯ÍvšÍi Kiv A_ev cÖ‡hvR¨ †¶‡Î we‡ji UvKv Av`vq e¨wZ‡i‡K M¨vivw›Ui gva¨‡g gvj Qvo Kiv‡bvi my‡hvM †`Iqv| 6.24.47 f~qv fvDPv‡i †jb‡`‡bi gva¨‡g A‰eafv‡e Gjwm/GjwR BZ¨vw` gvwR©b wnmve †_‡K A_© AvZ¥mvr Kiv| 6.24.48 ˆe‡`wkK we‡ji g~j¨ cwi‡kv‡ai mgq cÖavb Kvh©vj‡qi AvšÍ©RvwZK wefvM‡K Abby‡gvw`Zfv‡e ewa©Z wewbgq nv‡e †WweU K‡i Ab¨ Lv‡Z Rgv †`wL‡q A_© AvZ¥mvr Kiv| 6.24.49 e¨vK Uz e¨vK FYcÎ †Lvjvi †¶‡Î Avg`vbxKvi‡Ki ˆea e‡ÛW Iqvi nvDR jvB‡mÝ Av‡Q wKbv Ges Dnvi aviY¶gZv mvgÁm¨c~Y© wKbv Ges KviLvbvi Drcv`b ¶gZv I ißvbx FYc‡Îi †gqv` Ges FYc‡Îi kZ©vbyhvqx wba©vwiZ mgq mxgvi g‡a¨ ißvbx


ICC Policy and Procedures-2018 m¤úv`b Kiv m¤¢e wKbv Dnv h_vh_fv‡e hvPvB bv K‡i e¨vK Uz e¨vK FYcÎ †Lvjv| 6.24.50 f~qv AvB,we,wci gva¨‡g A_© AvZ¥mvr Kiv| 6.24.51 ˆe‡`wkK †jb‡`‡bi †¶‡Î Av`vqK…Z Av‡qi UvKv cy‡ivcywifv‡e Avq Lv‡Z Rgv bv K‡i Ab¨ wnmv‡e Rgvi gva¨‡g A_© AvZ¥mvr Kiv| 6.24.52 ißvbx we‡ji wecix‡Z mswkøó ißvbx m¤úv`‡bi ciI wcwm `vqmn Ab¨vb¨ †gqv‡`vËxY©/gÄyixcÎ †gvZv‡eK wb‡`©wkZ `vq Amgwš^Z †i‡L Ges Avg`vbx we‡ji g~j¨ cwi‡kva bv K‡i ißvbxKvi‡Ki AwaK bM` A_© cÖ`vb Kiv| 6.24.53 f~q/ÎæwUc~Y© ißvbx wej µq †`wL‡q ißvbxKviK‡K A‰ea Avw_©K myweav cÖ`vb Kiv| 6.24.54 wWgvÛ F‡Yi `vq/AwbqwgZ `vq _vKv m‡Z¡I cÖavb Kvh©vj‡qi Aby‡gv`b e¨wZ‡i‡K bZzb K‡i cybivq e¨vK Uz e¨vK FYcÎ †Lvjv| 6.24.55 †jvKvj e¨vK Uz e¨vK FYc‡Îi wecix‡Z gvjvgvj mieiv‡ni/KviLvbvq †cŠQvi welq hvPvB bv K‡i Avg`vbxKviK/ mieivnKvixi †hvMmvR‡k we‡j GK‡m‡ÞÝ cÖ`v‡bi gva¨‡g e¨vsK n‡Z A‰ea Avw_©K myweav †`qv| 6.24.56 ißvbxi †¶‡Î wej Ae †jwWs/wegvb fvov iwk` wej‡¤^ Dc¯’vwcZ nIqv m‡Z¡I DשZb KZ©„c‡¶i Aby‡gv`b e¨wZ‡iK ißvbx wej µq/Kv‡jKk‡b cvVv‡bv Ges H wej Kv‡jKk‡b †`wL‡q ißvbxKviK‡K cieZx© Avw_©K myweav cÖ`vb| 6.24.57 ißvbx wej µq/Kv‡jKk‡b †cÖi‡Yi ci Dnv kvLvq †dir Avm‡j/`xN©w`‡bI g~j¨ cÖvwß bv n‡j ißvbx c‡Y¨i Ae¯’v I Ae¯’vb hvPvBc~e©K gvj †dir Avbvi c`‡¶c bv †bqv| 6.24.58 wjg m„wói †¶‡Î Awbqg msNwUZ n‡j Ges wjgK…Z gvjvgvj mwVKfv‡e ¸`vgRvZ bv Kiv| 6.24.59 Abby‡gvw`Zfv‡e Bb‡WgwbwU e‡Ûi gva¨‡g gvj Lvjv‡mi my‡hvM †`qv| 6.24.60 Avg`vbx `wjj hvPvB bv K‡i Discrepent document Gi wecix‡Z Acceptence w`‡q †`qv| 6.24.61 ‰e‡`wkK gy`ªv wbqgbxwZ D‡cÿv K‡i ‡jb‡`‡bi d‡j e¨vs‡Ki †Kvb Avw_©K ÿwZ mvwaZ n‡j| 6.24.62 wbqgbxwZi e¨Z¨q NwU‡q ˆe‡`wkK †iwgU¨vÝ msµvšÍ †jb‡`b| 6.24.63 ‡i¸‡jUix A_wiwU Ges AÎ e¨vs‡Ki cÖPwjZ wbqgbxwZ/RvixK…Z mvK©yjvi D‡cÿv K‡i cÖavb Kvh©vj‡qi wewfbœ wefvM/mv‡K©j Avwdm/AvÂwjK Kvh©vjq/ mvewmwWqvwiR/ BmjvwgK DB‡Ûv Ges kvLv ch©v‡q †Kvb KvR m¤úv`‡bi †cÖwÿ‡Z e¨vs‡Ki Avw_©K ÿwZ n‡j A_ev ÿwZi m¤¢vebv cwijwÿZ n‡j|


Information Technology (IT) Audit Manual


7. Information Technology (IT) Audit

7.1 An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

7.2 IT audits are also known as "automated data processing audits" and "computer audits". They were formerly called "electronic data processing audits" and, at a high level, "system audits".

7.3 Purpose/ Objectives of IT Audit

7.3.1 The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties.

7.3.2 The IT audit aims to evaluate the following:

- Will the organization's computer systems be available for the business at all times when required? (known as availability)
- Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
- Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)

In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.

7.4 Types of IT Audits

7.4.1 Others describe the spectrum of IT audits with five categories of audits:

a) Systems and Applications
b) Information Processing Facilities
c) Systems Development
d) Management of IT
e) Enterprise Architecture: Client/Server, Telecommunications, Intranets, and Extranets

7.4.2 Moreover, some lump all IT audits as being one of only two types: "general control review" audits or "application control review" audits.


7.5 Elements of IT Audit Strategy

[Figure: Elements of IT Audit Strategy; source: footnote 18]

7.6 IT Audit process

[Figure: IT Audit process; source: footnote 19]

18 https://www.isaca.org/Journal/archives/2016/volume-4/Pages/elements-of-an-is-it-audit-strategy-part-1.aspx?utm_referrer=
19 https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=698


7.6.1 The following are the basic steps in performing the Information Technology Audit Process:

1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up
6. Reports

7.7 The Scope of the IT General Controls Audit Includes:

7.7.1 IT General Controls: Evaluating the existence and effectiveness of internal controls in place over the Information Security Program and related information technology processes as they relate to the security, confidentiality, and integrity of sensitive customer information.

- Access Controls – Core Processing System
- Access Controls – LAN/WAN
- Data Classification/Handling and Encryption
- Patch/Update Management
- Malware Protection
- Physical and Environmental Security – Data Center
- Mobile Security
- Project Management/System Change Management
- Intrusion Prevention & Managed Network Device Administration
- Remote Access
- Remote Deposit Capture
- Backup and Tape Management
- Disaster Recovery and Business Continuity Management
- Websites
- Online Banking & Bill Payment
- Phone Banking
- ACH/Wire Transfer Security
- Access Controls – Branch Capture/Imaging System
- Identity Theft Prevention

7.7.2 The Scope of the Information Security Program Audit Includes:

- Information Security Program
- Information Technology Risk Assessment
- Information technology administration/strategic planning
- Information security training and awareness
- Information technology audit/independent review program
- Vendor Management/Service Provider Oversight
- Incident Response Program

7.7.3 Additional control areas can be added to the scope of the audit.

7.8 IT Audit Role:

7.8.1 The Information Security Officer, system auditor or any other concerned person undertakes periodic penetration tests of the system, which may include:

a) Attempting to guess passwords using password-cracking tools.
b) Searching for backdoor traps in the programs.
c) Attempting to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks.
d) Checking whether commonly known holes in the software, especially the browser and the e-mail software, exist.
e) Checking the weakness of the infrastructure.
f) Taking control of ports.
g) Causing an application crash.
h) Injecting malicious code into application and database servers.

7.8.2 Advising the Audit Committee and senior management on IT internal control (General Control & Application Control) issues.

The IT Auditor evaluates the use of ICT in banking activities, identifies its importance and associated problems, and reports all of these to the Audit Committee and Senior Management.


7.8.3 Performing IT Risk Assessments

7.8.3.1 The process of identifying the risk to system security and determining the probability of occurrence, the resulting impact and the additional safeguards that would mitigate the risks.

7.8.3.2 Auditor's Tasks: the IT Auditor will find out:

7.8.3.2.1 Are there appropriate risk mitigation measures, such as an operating schedule for the users, transaction limit, transaction frequency limit, fraud checks, AML checks, etc., depending on the risk perception, unless otherwise mandated by the Bangladesh Bank?

7.8.3.2.2 Does the Bank establish a process to log information-system-related problems and incidents, and also ensure real-time security logging of unauthorized access?

7.8.3.2.3 Is there any system to monitor all types of account holders, especially internal ones?

[IT Risk Assessment details are in Annexure – 8]

7.9 Performing:

1. Institutional Risk Area Audits
2. General Controls Audits
3. Application Controls Audits
4. Technical IT Controls Audits

7.9.1 Institutional Risk Area Audits: The risk areas of the branches are to be audited. The risk areas are Credit Risk, Market Risk, Liquidity Risk, Operational Risk & Group Risk, Management Risk and Compliance Risk.

7.9.2 General Control Audits: these may include –

7.9.2.1 Physical Security –

The objective is to prevent unauthorized access to, and damage of, information assets, and this can be achieved by creating several physical barriers around business premises. Physical barrier areas are physical access, environment, fire protection, UPS, etc.:

- Definition of security perimeters, locating facilities,
- Minimizing traffic across perimeters,
- Alarmed fire doors,
- Physical barriers that penetrate false floors/ceilings, entrance controls,
- Visible identification,
- Responsibility to challenge unescorted strangers,
- Location of backup equipment at a safe distance,
- Prohibition of recording equipment,
- Redundant power supplies,
- Access to cabling, authorization procedures for removal of property, clear desk/screen policy, etc.

7.9.2.2 Business Continuity Plan – Business continuity describes the processes and procedures an organization must put in place to ensure that:

- Mission-critical functions can continue during and after a disaster. In this sense, the concept is interchangeable with the disaster recovery plan (DRP).
- Business continuity, however, also addresses more comprehensive planning that focuses on long-term or chronic challenges to organizational success.

7.9.2.3 Potential business continuity problems may include:

- Illness or departure of key team members,
- Supply chain breakdowns,
- Catastrophic failures or critical malware infections.

Further considerations:

- Business continuity planning should be a corporate-wide strategy.
- Business continuity planners should assess business continuity across all lines of business.
- The business continuity function often resides in the risk management organizational structure.
- The IT department should have personnel responsible for developing and maintaining the department's business continuity plans.

Planning includes data backups, restore procedures and offsite storage.

7.9.3 Disaster Recovery Plan –

- An IT disaster recovery plan is a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes and people.
- IT disaster recovery plans provide step-by-step procedures for recovering disrupted systems and networks, and help them resume normal operations.
- The goal of this process is to minimize any negative impacts on company operations.
- The primary objective of disaster recovery planning is to protect the organization in the event that all or part of its operations and/or computer services is rendered unusable.
- Approaches are Business Resumption Plans, BRP Testing, and alternate processing.

7.10 Change Management – An effective change management discipline is arguably the most critical requirement of a successful IT organization. Change management is:

- A set of standardized processes designed to administer all changes to the IT production environment.
- The ultimate goal of this discipline is to minimize the impact of change-related incidents on IT service levels.
- Ensuring this goal is achieved can help lower the total cost of IT while increasing the value of IT to the organization.
- How changes are made to information system applications and supporting infrastructures: program change controls, tracking, change approvals.

7.11 Auditor's checking – According to the prescribed checklist (Annexure – 8), the Auditor will perform the audit for the above relevant controls/factors.

7.12 Application Audit:

• Administration
• Inputs, processing, outputs
• Logical Security
• Disaster Recovery plan
• Change Management
• User Support
• Third party Services

7.13 Administration. The IT Auditor will find out whether:

- There is any duty list for the applicators
- Roles and responsibilities are set for the applicators
- Any development and changes in the running system, or any changed system installed, have taken permission from the Authority
- Access authorizations are taken for the applicators
- Legal and regulatory compliance is done properly

7.14 Inputs, Processing, Outputs

Looking for evidence of data preparation, procedures, reconciliation, process handling requirements, etc.


7.15 Run test transactions against the application –

7.15.1 Integrated test facilities (ITF) – Also known as dummy companies, these include records of the dummy entities in the audit production files.

7.15.2 The IS Auditor can make the system process either live transactions or test transactions during regular processing runs and have these transactions update the records of the dummy entity. The operator enters the test transactions simultaneously with the live transactions that are entered for processing. The auditor then compares the output with data that have been independently calculated previously, to verify the correctness of the computer-processed data.

7.16 Input Controls – the auditor can enter input and see output. These include:

7.16.1 Data entry controls: These controls are related to the input screens used by the data entry operators. The basic premise of these controls is that the data entry personnel or over-the-counter front-end executives can be trained only to a limit, because of fast-changing processes, higher manpower turnover and outsourcing of data entry. Therefore the system manager has to take the onus of making the system "idiot resistant" if not "idiot proof".

7.16.2 System Edits

7.16.2.1 It is important to have a basic understanding of how the software processes a screen. The first order of business for the software is to process the data entered and apply the edits that are appropriate. Until this first requirement is satisfied, the program will not let you go to any other program.

7.16.2.2 Edits in the on-line data entry process provide control over the entry and maintenance of the information on the CIS database. All data entering the CIS database must be validated to ensure the edits serve the following functions:

• Maintain data integrity
• Prevent entry of illogical data
• Ensure adherence to regulations
• Control benefit disbursement
• Provide quality reports

Edits may be:

- Move one, multiple, or all files from one folder to another
- Delete one, multiple, or all files from a folder
- You can choose to send to the recycle bin or delete permanently
- View all programs on the machine and uninstall a program
- View all files in a folder and delete, rename, or open a file
- Run a Windows Run command inside the application
- Explore your file system using the folder map and open a specific folder
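To make the system edits of 7.16.2 concrete, the following is an added example (not code from the bank, its core banking vendor or this manual) of the edits a cash-deposit entry screen might apply before the operator is allowed to leave the screen. The field names, the 14-digit account format with a mod-10 check digit, the allowed currencies and the per-transaction limit are assumptions made for this example. It goes slightly beyond the list above by showing one concrete check for each edit function: completeness and check digit (data integrity), future-dated and negative values (illogical data), and a currency whitelist and amount ceiling (adherence to rules).

```python
"""
System edits for a data-entry screen, as an added illustration (not the
bank's or any vendor's code). The 'cash deposit' screen, its field names,
the 14-digit account format with a mod-10 check digit, the allowed
currencies and the per-transaction limit are all assumptions made for
this example.
"""
from datetime import date, datetime
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional

ALLOWED_CURRENCIES = {"BDT", "USD"}         # assumption for the example
PER_TRANSACTION_LIMIT = Decimal("500000")   # assumption for the example
ACCOUNT_LENGTH = 14                         # assumption for the example
REQUIRED = ("account", "amount", "currency", "value_date", "depositor")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check-digit test; catches most single-digit keying
    errors and adjacent transpositions before the record is accepted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def apply_edits(entry: Dict[str, str], today: Optional[date] = None) -> List[str]:
    """Apply the screen edits to one entry and return the edit failures.
    An empty list means the operator may leave the screen; otherwise the
    program keeps the operator on the screen until the entry is corrected."""
    today = today or date.today()
    errors: List[str] = []

    # Edit 1: completeness. Incomplete screens are refused outright.
    for name in REQUIRED:
        if not str(entry.get(name, "")).strip():
            errors.append(f"{name}: required")
    if errors:
        return errors

    # Edit 2: account number format and check digit (data integrity).
    acct = entry["account"]
    if not (acct.isdigit() and len(acct) == ACCOUNT_LENGTH):
        errors.append("account: must be 14 digits")
    elif not luhn_valid(acct):
        errors.append("account: check digit mismatch")

    # Edit 3: amount is a positive number, to the paisa, within the limit.
    try:
        amount = Decimal(entry["amount"])
        if amount <= 0:
            errors.append("amount: must be positive")
        elif amount > PER_TRANSACTION_LIMIT:
            errors.append("amount: exceeds per-transaction limit")
        elif amount != amount.quantize(Decimal("0.01")):
            errors.append("amount: more than two decimal places")
    except InvalidOperation:
        errors.append("amount: not a number")

    # Edit 4: currency must be one this screen is allowed to accept.
    if entry["currency"] not in ALLOWED_CURRENCIES:
        errors.append("currency: not allowed on this screen")

    # Edit 5: value date is a real date and not in the future (illogical data).
    try:
        value_date = datetime.strptime(entry["value_date"], "%Y-%m-%d").date()
        if value_date > today:
            errors.append("value_date: cannot be in the future")
    except ValueError:
        errors.append("value_date: not a valid YYYY-MM-DD date")

    return errors


# Constructed sample entries (no real account or customer); the fixed
# 'today' keeps the date edit deterministic.
FIXED_TODAY = date(2018, 8, 27)
GOOD_ENTRY = {"account": "12345678901237", "amount": "1500.00",
              "currency": "BDT", "value_date": "2018-08-27",
              "depositor": "sample depositor"}
BAD_ENTRY = {"account": "12345678901238", "amount": "-20",
             "currency": "EUR", "value_date": "2019-01-01",
             "depositor": "sample depositor"}


def run_samples() -> Dict[str, List[str]]:
    """Run the edits over the constructed entries."""
    return {"good": apply_edits(GOOD_ENTRY, FIXED_TODAY),
            "bad": apply_edits(BAD_ENTRY, FIXED_TODAY)}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, "->", result or "accepted")
```

The edits return every failure at once rather than stopping at the first, which is what an operator on a screen needs; the completeness edit is the one exception, because the other edits cannot be evaluated on missing fields.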

7.16.3 Segregation of duties –

- Avoid a single person being able to abuse authority without detection.
- Separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual. Fraud will still occur if there is collusion. To be certain that you have identified all separation of duties issues, you will first need to create an information flow diagram for every function within each area of the organization.


7.16.4 Transaction authorization – Authorization controls involve the process of granting or denying access to a network resource, converting the data to an automated form, and entering the data into the application in an accurate, complete, and timely manner. Testing of authorization controls includes examining the data input process and determining if controls exist for ensuring:

- Data are authorized prior to being entered;
- Access restrictions exist to prevent unauthorized personnel from obtaining blank source documents to record unauthorized information and insert the document into production with authorized documents;
- Supervisory or independent reviews of the source document occur before its data are entered into the automated system;
- Data entry terminals are only accessible to authorized users for authorized purposes;
- Users are limited to what transactions they can enter;
- Master files are configured to assist with identifying unauthorized transactions;
- Exception reports are generated and reviewed before transactions are posted; and
- Duties are appropriately segregated among staff.
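The following is an added example (not code from the bank or its core banking system) showing how the segregation-of-duties and transaction authorization controls of 7.16.3 and 7.16.4 can be enforced in software: users may only enter the transaction types they are entitled to, the inputter can never authorize their own entry, master-file flags and an amount limit feed an exception report that must be reviewed before authorization, nothing posts without an authorizer, and every step is written to an audit trail so an abuse would be detectable. The user names, the entitlement table, the exception limit and the dormant flag in the master file are assumptions made for this example.

```python
"""
Maker-checker (inputter/authorizer) control with an exception report, as an
added illustration (not the bank's or its core banking system's code). The
user names, the entitlement table, the exception limit and the master-file
'dormant' flag are all assumptions made for this example.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Dict, List, Optional

# Constructed entitlement table: which transaction types each user may enter,
# and whether the user may authorize at all.
ENTITLEMENTS = {
    "inputter1": {"enter": {"DEPOSIT", "WITHDRAWAL"}, "authorize": False},
    "inputter2": {"enter": {"DEPOSIT"}, "authorize": False},
    "officer1": {"enter": {"DEPOSIT", "WITHDRAWAL", "TRANSFER"}, "authorize": True},
}
EXCEPTION_LIMIT = Decimal("100000")   # items above this land on the exception report

# Constructed master file; the dormant flag helps spot unauthorized activity.
MASTER_FILE = {"ACC-001": {"dormant": False}, "ACC-002": {"dormant": True}}


@dataclass
class Transaction:
    tx_id: str
    tx_type: str
    account: str
    amount: Decimal
    entered_by: str
    authorized_by: Optional[str] = None
    posted: bool = False
    exceptions: List[str] = field(default_factory=list)


class Ledger:
    """Pending items move enter -> authorize -> post; every step is logged."""

    def __init__(self) -> None:
        self.pending: Dict[str, Transaction] = {}
        self.posted: List[Transaction] = []
        self.audit_trail: List[str] = []

    def enter(self, user: str, tx_id: str, tx_type: str,
              account: str, amount: str) -> Transaction:
        """Step 1: the inputter records the item. Users are limited to the
        transaction types they are entitled to enter."""
        ent = ENTITLEMENTS.get(user)
        if ent is None or tx_type not in ent["enter"]:
            raise PermissionError(f"{user} may not enter {tx_type}")
        tx = Transaction(tx_id, tx_type, account, Decimal(amount), entered_by=user)
        # Master-file and limit checks flag the item for the exception report.
        if account not in MASTER_FILE:
            tx.exceptions.append("account not in master file")
        elif MASTER_FILE[account]["dormant"]:
            tx.exceptions.append("account flagged dormant in master file")
        if tx.amount > EXCEPTION_LIMIT:
            tx.exceptions.append("amount above exception limit")
        self.pending[tx_id] = tx
        self.audit_trail.append(f"ENTER {tx_id} by {user}")
        return tx

    def exception_report(self) -> List[Transaction]:
        """Pending items with exceptions, to be reviewed before posting."""
        return [t for t in self.pending.values() if t.exceptions]

    def authorize(self, user: str, tx_id: str,
                  reviewed_exceptions: bool = False) -> Transaction:
        """Step 2: a different, entitled user authorizes the item. The
        inputter can never authorize their own entry, so no single person
        can push a transaction through undetected."""
        tx = self.pending[tx_id]
        ent = ENTITLEMENTS.get(user)
        if ent is None or not ent["authorize"]:
            raise PermissionError(f"{user} is not an authorizer")
        if user == tx.entered_by:
            raise PermissionError("segregation of duties: cannot authorize own entry")
        if tx.exceptions and not reviewed_exceptions:
            raise PermissionError("item is on the exception report; review it first")
        tx.authorized_by = user
        self.audit_trail.append(f"AUTHORIZE {tx_id} by {user}")
        return tx

    def post(self, tx_id: str) -> Transaction:
        """Step 3: only authorized items are posted to the ledger."""
        tx = self.pending[tx_id]
        if tx.authorized_by is None:
            raise PermissionError("cannot post an unauthorized transaction")
        tx.posted = True
        self.posted.append(self.pending.pop(tx_id))
        self.audit_trail.append(f"POST {tx_id}")
        return tx


def denied(action: Callable, *args, **kwargs) -> bool:
    """True if the control refuses the action (used to show the negative cases)."""
    try:
        action(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

An auditor testing this control would try exactly the negative cases the helper `denied` covers: an inputter entering a type outside their entitlement, an inputter authorizing their own entry, an item on the exception report being authorized without review, and a post without authorization; the audit trail then shows who entered and who authorized each posted item.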

7.16.5 Auditor's checks on input control – Whether:
- Only the allowed inputter can input data.
- Supervisory or independent reviews of the source document occur before its data is entered into the automated system.
- Data entry terminals are only accessible to authorized users for authorized purposes.
- Users are limited to what transactions they can enter.
- Data are authorized prior to being entered.
- Data are checked before entry and the appropriate edits are applied.
- An information flow diagram exists for every function within each area of the organization.
- Access restrictions exist to prevent unauthorized personnel from obtaining blank source documents to record unauthorized information and insert the document into production with authorized documents.
- Master files are configured to assist with identifying unauthorized transactions.
- Exception reports are generated and reviewed before transactions are posted.
- Only a system analyst (vendor) with the approval of the authority is given responsibility for any change in the systems used, and for processing the data entered and applying the appropriate edits; while performing this function the system analyst must be escorted.
- There is a duty list according to which inputters/data entry operators work; duties are appropriately segregated among staff, and an information flow diagram exists for every function within each area of the organization.
- Transactions are checked and authenticated by the authorizer.
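The input and authorization checks above (inputter on the duty list, transaction type and amount within the inputter's rights, no self-authorization, nothing posted without an authorizer) can be run as an exception report over a transaction batch. The following is an added example, not code from the bank or the policy; the user ids, limits and transaction codes are constructed.

```python
"""Added example (not part of the ICC policy): input-control and
segregation-of-duties checks run over a constructed transaction batch.
Users, limits and transaction codes are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Role:
    """One entry of the duty list: what a user may enter or authorize."""
    can_input: Set[str] = field(default_factory=set)  # transaction types allowed
    input_limit: float = 0.0                            # maximum amount per entry
    can_authorize: bool = False


@dataclass
class Txn:
    txn_id: str
    inputter: str
    authorizer: Optional[str]   # None when nobody has authorized the entry yet
    txn_type: str
    amount: float
    posted: bool


# Constructed duty list (hypothetical user ids).
DUTY_LIST = {
    "u101": Role(can_input={"CASH_DEP", "CASH_WD"}, input_limit=100000),
    "u102": Role(can_input={"TRANSFER"}, input_limit=500000),
    "u201": Role(can_authorize=True),
    "u202": Role(can_input={"TRANSFER"}, input_limit=500000, can_authorize=True),
}

# Constructed batch: T1 is clean, each of the others breaks exactly one control.
SAMPLE_BATCH = [
    Txn("T1", "u101", "u201", "CASH_DEP", 5000, True),
    Txn("T2", "u101", "u201", "TRANSFER", 20000, True),   # type not permitted
    Txn("T3", "u102", "u201", "TRANSFER", 750000, True),  # over input limit
    Txn("T4", "u202", "u202", "TRANSFER", 10000, True),   # self-authorized
    Txn("T5", "u101", None, "CASH_WD", 3000, True),       # posted unauthorized
    Txn("T6", "u999", "u201", "CASH_DEP", 100, True),     # not on duty list
    Txn("T7", "u101", "u102", "CASH_WD", 2000, True),     # authorizer lacks right
]


def check_batch(batch: List[Txn], duty_list=DUTY_LIST) -> List[str]:
    """Return exception-report lines; an empty list means every control held."""
    exceptions = []
    for t in batch:
        role = duty_list.get(t.inputter)
        if role is None:
            exceptions.append(f"{t.txn_id}: inputter {t.inputter} is not on the duty list")
            continue
        if t.txn_type not in role.can_input:
            exceptions.append(f"{t.txn_id}: {t.inputter} may not enter {t.txn_type}")
        if t.amount > role.input_limit:
            exceptions.append(f"{t.txn_id}: amount {t.amount} exceeds limit of {t.inputter}")
        if t.authorizer is None:
            if t.posted:
                exceptions.append(f"{t.txn_id}: posted without authorization")
            continue
        if t.authorizer == t.inputter:
            exceptions.append(f"{t.txn_id}: segregation of duties broken, "
                              f"{t.inputter} authorized own entry")
        elif not duty_list.get(t.authorizer, Role()).can_authorize:
            exceptions.append(f"{t.txn_id}: {t.authorizer} is not an authorizer")
    return exceptions


def run_batch_sample() -> List[str]:
    """Exception report for the constructed batch (six lines, none for T1)."""
    return check_batch(SAMPLE_BATCH)


if __name__ == "__main__":
    for line in run_batch_sample():
        print(line)
```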

7.17 Processing controls
7.17.1 Audit trails
- An audit trail is a series of records of computer events about an operating system, an application, or user activities.
- It assists in detecting security violations, performance problems, and flaws in applications.
- Audit trails help auditors to obtain a record of activity on a computer system and also help system administrators ensure that the system resources have not been compromised by hackers, insiders, or technical problems.
- The auditor checks what activities are logged and how log files are protected from manipulation.
7.17.2 Interface controls
An ICD (Interface Control Document) may describe:
- the inputs and outputs of a single system,
- the interface between two systems or subsystems,
- the complete interface protocol from the lowest physical elements (e.g., the mating plugs, the electrical signal voltage levels) to the highest logical levels (e.g., the level 7 application layer of the ISO model), or some subset thereof.
The purpose of the ICD is to communicate all possible inputs to and all potential outputs from a system for some potential or actual user of the system. The internal interfaces of a system or subsystems are typically not documented in an ICD, but rather in a system design document (such as a software design document).
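One way an audit trail can be protected from manipulation, as asked in 7.17.1, is to chain each record to the previous one with a hash so that editing or deleting an earlier record breaks every later link. This is an added example, not the bank's logging system; the events, user ids and terminal names are constructed.

```python
"""Added example (not from the policy): a tamper-evident audit trail in which
every record carries a SHA-256 over the previous record's hash and its own
content. Verification pinpoints the first record whose chain link no longer
holds. Events below are constructed, not real log data."""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64   # hash value the first record is chained to


def _digest(prev_hash: str, record: Dict) -> str:
    """Hash over the previous hash and a canonical serialisation of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(trail: List[Dict], event: Dict) -> Dict:
    """Append one audit record, chaining it to the record before it."""
    prev = trail[-1]["hash"] if trail else GENESIS
    record = {"seq": len(trail) + 1, **event}
    trail.append({**record, "prev": prev, "hash": _digest(prev, record)})
    return trail[-1]


def verify_trail(trail: List[Dict]) -> int:
    """Return -1 if the chain is intact, otherwise the seq of the first bad record.

    A changed field, a changed prev pointer, or a missing record (seq gap) all
    surface here, because the stored hash no longer matches the recomputed one."""
    prev = GENESIS
    for expected_seq, rec in enumerate(trail, start=1):
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if (rec["seq"] != expected_seq or rec["prev"] != prev
                or rec["hash"] != _digest(prev, body)):
            return rec.get("seq", expected_seq)
        prev = rec["hash"]
    return -1


def build_sample_trail() -> List[Dict]:
    """Three constructed events: a login, an input and its authorization."""
    trail: List[Dict] = []
    for ev in [
        {"ts": "2018-08-27T10:00:01", "user": "u101", "action": "LOGIN", "terminal": "T05"},
        {"ts": "2018-08-27T10:02:14", "user": "u101", "action": "INPUT", "txn": "T1"},
        {"ts": "2018-08-27T10:03:40", "user": "u201", "action": "AUTHORIZE", "txn": "T1"},
    ]:
        append_event(trail, ev)
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", verify_trail(t) == -1)
    t[1]["user"] = "u102"      # simulate an after-the-fact edit
    print("first broken record:", verify_trail(t))
```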

7.17.3 Control totals
7.17.3.1 Definition
- A control total is a figure calculated by the system by adding the values in one of the fields in a segment. This field is called the control totals key figure field; it must be a numeric field. For example, if the control totals key figure field is Local Currency Amount in an FI line item segment, then the system adds up all values in the Local Currency Amount field, and that sum is the control total.
7.17.3.2 Use
- You use control totals to verify the integrity of the contents of the data that has been extracted.
- You must be familiar with the data in your R/3 applications to use the control totals figure calculated for the first extract. You compare this control total figure with a figure you calculate or estimate manually, or by using other means.
- You can use the control totals figures of two extracts that are based on the same segments to verify that the data has not changed since the last extract.
- By default, the system calculates the control totals figure based on all the values in the control totals key figure field.
- Sometimes adding all the values in a single field does not provide sufficient information. For example, if the control totals key figure field is an Amount field in a line item of a document, and it contains debit and credit amounts, then the resulting control totals figure may be zero. This is a positive indication that the credit amounts equal the debit amounts, but it does not provide the actual sum of the debits or of the credits.
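The zero-sum problem in 7.17.3.2 is easy to see on data: two extracts of the same documents can both net to zero while their gross amounts differ. The following added example (not SAP's or the bank's code) computes the default control total and a debit/credit split over constructed line items and compares two extracts; the field name and document numbers are assumptions.

```python
"""Added example (not from the policy): control totals over constructed FI
line-item extracts whose key figure field is 'local_currency_amount'.
Debits are stored as positive amounts, credits as negative amounts."""
from decimal import Decimal
from typing import Dict, List

KEY_FIELD = "local_currency_amount"   # the control totals key figure field

# Constructed first extract: two documents, each balancing to zero.
EXTRACT_1 = [
    {"doc": "1000001", "item": 1, KEY_FIELD: "1000.00"},
    {"doc": "1000001", "item": 2, KEY_FIELD: "-1000.00"},
    {"doc": "1000002", "item": 1, KEY_FIELD: "2500.00"},
    {"doc": "1000002", "item": 2, KEY_FIELD: "-2500.00"},
]
# Constructed second extract: document 1000002 was changed to 2000.00 in
# the meantime, yet it still balances, so the net total stays zero.
EXTRACT_2 = [
    {"doc": "1000001", "item": 1, KEY_FIELD: "1000.00"},
    {"doc": "1000001", "item": 2, KEY_FIELD: "-1000.00"},
    {"doc": "1000002", "item": 1, KEY_FIELD: "2000.00"},
    {"doc": "1000002", "item": 2, KEY_FIELD: "-2000.00"},
]


def control_total(extract: List[Dict], key_field: str = KEY_FIELD) -> Decimal:
    """Default control total: the sum of the key figure field over all records."""
    return sum((Decimal(r[key_field]) for r in extract), Decimal("0"))


def control_totals_split(extract: List[Dict],
                         key_field: str = KEY_FIELD) -> Dict[str, Decimal]:
    """Record count plus debit and credit sums kept apart, and the net."""
    amounts = [Decimal(r[key_field]) for r in extract]
    debit = sum((a for a in amounts if a > 0), Decimal("0"))
    credit = sum((a for a in amounts if a < 0), Decimal("0"))
    return {"records": Decimal(len(amounts)), "debit": debit,
            "credit": credit, "net": debit + credit}


def verify_extract(current: List[Dict], reference: List[Dict]) -> List[str]:
    """Compare the split totals of two extracts on the same segment.

    Returns one line per figure that differs; an empty list means the data
    is unchanged as far as control totals can tell."""
    cur, ref = control_totals_split(current), control_totals_split(reference)
    return [f"{name}: {ref[name]} -> {cur[name]}"
            for name in ref if ref[name] != cur[name]]


if __name__ == "__main__":
    print("net totals:", control_total(EXTRACT_1), control_total(EXTRACT_2))
    for line in verify_extract(EXTRACT_2, EXTRACT_1):
        print("changed", line)
```

The default totals of both extracts are 0.00, so only the split figures reveal that the debits dropped from 3500.00 to 3000.00.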


7.17.3.3 Auditor's checks for processing control – Whether:
7.17.3.3.1 Any sign or evidence is left behind from which auditors can find any misstatement, security violation, performance problem, or flaw in applications.
7.17.3.3.2 The audit trails ensure that the system resources have not been compromised by hackers, insiders, or technical problems.
7.17.3.3.3 There are any problems in the internal and external connectivity of systems, that is, in communicating all possible inputs to and all potential outputs from a system for some potential or actual user of the system.
7.17.3.3.4 In auditing, control totals are developed on "key" data fields in input records, and on the number of records processed, to ensure that data have been properly transmitted, converted, and processed.

7.18 Output controls
7.18.1 Reconciliation
Reconciliation tasks: The Reconciliation Tasks application combines one or more link rules and, if necessary, a task filter, and one or more comparison rules into a reconciliation task. This application also lets you specify how the system reports results for comparison rule evaluations: all results, or failed reconciliations only. You also schedule execution of the reconciliation task in the Reconciliation Tasks application.
Tasks in the reconciliation process: The system reconciles Data Set 1 and Data Set 2 by performing a rule-based compare operation defined in a reconciliation task. You use Reconciliation module applications to define a reconciliation task and to schedule the reconciliation task to run. After the reconciliation task runs, you can view results of the reconciliation in the Asset Link Results and Asset Reconciliation Results applications. You use the following steps to set up and execute reconciliation:
1. Set up a task filter. A task filter is optional.
2. Define one or more link rules.
3. Define one or more comparison rules. Comparison rules are optional.
4. Set up a reconciliation task and schedule execution of the task.
5. View results of the reconciliation.
6. If appropriate, resolve discrepancies and document how you resolve them.
7.18.2 Distribution
- The output subsystem provides functions that determine the content of data that will be provided to users, the ways data will be formatted and presented to users, and the ways data will be prepared for and routed to users. The major components of the output system are the software and personnel that determine the content, format, and timeliness of data to be provided to users; the various hardware devices used to present the formatted output data to users (e.g., printers, terminals, voice synthesizers); and the hardware, software and personnel that route the output to users.
- When output has been produced, it should be secured to prevent loss or unauthorized removal, especially if the output contains negotiable instruments. For example, user/client services group employees might collect output reports, film or cartridges, and hold them pending collection by users. They should collect the output promptly and store it securely.
- Controls must be in place to ensure that output is dispatched on a timely basis. Managers could make wrong decisions if they do not promptly receive reports that notify them of important changes in, say, their organization's financial position. Regular review should be undertaken, therefore, to ensure that output has been collected or distributed on a timely basis.


7.18.3 Access
Only authorized persons are allowed to access the computer and handle the output work, i.e. measures are to be taken so that only authorized users are able to perform actions or access information in a network or on a workstation. In the fields of physical security and information security, access control is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization. Locks and login credentials are two analogous mechanisms of access control.
7.18.4 Auditor's checks for output control – Whether:
- The system reports all results.
- The application operator knows how to resolve any failure in reconciliation.
- Inter-branch transactions, clearings, cash balances etc. are checked and found to have no differences.
- The major components of data preparation (e.g., hardware, software, personnel) worked properly and efficiently.
- Output is complete and accurate, distributed to the authority in a timely manner, and preserved for future reference.
- Access is controlled strictly.

7.18.5 Auditor's checks for the above security threats – Whether:
- Strong passwords are used.
- Passwords are stored in a secured location or committed to memory.
- The computer screen is protected by a screen saver password.
- Passwords are always changed within 30 days.
- A parameter is set in the system to allow a maximum number of invalid logon attempts.
- Vulnerable computers are reported to the authority.
- Staff are aware of anyone around them and what they are doing.
- Any curious person very often comes around the computer operator.
- Confidential work is done confidentially.
- Any suspended or terminated staff are ever allowed in the computer room or are still working in the branch.
- Previous passwords of such suspended or terminated staff are removed from the computer.
- The computer room or server room is glass protected and under lock and key.
- An authorization list is maintained and reviewed on a regular basis.
- Visitors (contract employees, vendor programmers/analysts, maintenance personnel, clients and any relatives) are restricted or escorted during visits to the computer room.
- Previous passwords of staff who have left the branch or been transferred are removed from the computer.
- Staff ever hold the door for unidentified individuals.
- Branch confidential documents are kept under lock and key.
- Suspicious activities are reported to IT Security.

7.19 Disaster recovery plan
7.19.1 An IT disaster recovery plan is a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes and people.
7.19.2 The primary objective of disaster recovery planning is to protect the organization in the event that all or part of its operations and/or computer services is rendered unusable.
7.19.3 Auditor's checking
7.19.3.1 Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disaster.
7.19.3.2 Backup guidelines, process documentation, offsite storage guidelines, SLAs with offsite storage vendors, etc.


7.20 Change management
7.20.1 Change management is a set of standardized processes designed to administer all changes to the IT production environment. The ultimate goal of this discipline is to minimize the impact of change-related incidents on IT service levels.
7.20.2 Auditor's checking
7.20.2.1 Examines the process that changes to an application go through.
7.20.2.2 The process is documented, adequate and followed.
7.20.2.3 Who is allowed to request a change?
7.20.2.4 The change is tested and doesn't break compliance (determined in administration) before being placed in production.

7.21 User support
7.21.1 Be the initial point of contact for all IT queries;
7.21.2 Centrally administer all support requests;
7.21.3 Provide first line support and fixes where possible;
7.21.4 Escalate issues as and when required to the relevant technical unit.
7.21.5 Auditor's checking
7.21.5.1 User documentation (manuals, online help, etc.) is available and up to date.
7.21.5.2 User training: productivity, proper use, security.
7.21.5.3 Process for user improvement requests.

7.22 Third party services
7.22.1 The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in the third party agreement, as well as reviewing and monitoring such agreements for effective compliance.
7.22.2 Effective management of third party services minimizes the business risk associated with non-performing suppliers.
7.22.3 Control over the IT process of managing third party services satisfies the business requirement for IT of providing satisfactory third party services, whilst being transparent about benefits, costs and risks, by focusing on establishing relationships and bilateral responsibilities with qualified third party service providers and monitoring the service delivery to verify and ensure adherence to agreements by:
- Identifying and categorizing supplier services
- Identifying and mitigating supplier risk
- Monitoring.

7.22.4 Auditor's checking
7.22.4.1 Looking at the controls around any third party services that are required to meet business objectives for the application or system:
- Liaison with the 3rd party vendor
- Review of the contract agreement
- Service organizations disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format.

7.23 Technical IT controls audit
7.23.1 Technical controls used for the IT system, e.g., built-in or add-on security products that support the following.
7.23.2 Identification and authentication
7.23.2.1 Identification is the process whereby a network element recognizes a valid user's identity. Authentication is the process of verifying the claimed identity of a user. A user may be a person, a process, or a system (e.g., an operations system or network element) that accesses a network element to perform tasks or process a call. A user identification code is a non-confidential, auditable representation of a user. Information used to verify the claimed identity of a user can be based on a password, Personal Identification Number (PIN), smart card, biometrics, token, exchange of keys, etc. Authentication information should be kept confidential.
7.23.2.2 If users are not properly identified, then the network element is potentially vulnerable to access by unauthorized users. If strong identification and authorization mechanisms are used, then the risk that unauthorized users will gain access to a system is significantly decreased.
7.23.2.3 The exploitation of the following vulnerabilities, as well as other identification and authentication vulnerabilities, will result in the threat of impersonating a user.
7.23.2.4 Computer intruders have been known to compromise PSN assets by gaining unauthorized access to network elements. It is possible for a person impersonating an authorized user to cause the full range of threats. The severity of the threat of impersonating a user depends on the level of privilege that is granted to the unauthorized user.
7.23.3 Auditor's checking – Whether:
- Weak authentication methods are used;
- The potential exists for users to bypass the authentication mechanism;
- The confidentiality and integrity of stored authentication information is not preserved; and
- Authentication information which is transmitted over the network is not encrypted.

7.24 Discretionary or mandatory access control
7.24.1 When auditing logical security the auditor should investigate what security controls are in place and how they work. In particular, the following areas are key points in auditing logical security:

7.24.1.1 Passwords: Every company should have written policies regarding passwords and employees' use of them. Passwords should not be shared and employees should have mandatory scheduled changes. Employees should have user rights that are in line with their job functions. They should also be aware of proper log on/log off procedures. Also helpful are security tokens, small devices that authorized users of computer programs or networks carry to assist in identity confirmation. They can also store cryptographic keys and biometric data. The most popular type of security token (RSA's SecurID) displays a number which changes every minute. Users are authenticated by entering a personal identification number and the number on the token.
7.24.1.2 Termination procedures: Proper termination procedures should be in place so that former employees can no longer access the network. This can be done by changing passwords and codes. Also, all ID cards and badges that are in circulation should be documented and accounted for.
7.24.1.3 Special user accounts: Special user accounts and other privileged accounts should be monitored and have proper controls in place.
7.24.2 Auditor's checks: checking is to be done as per the check list (Annexure 8).
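Several of the logical-security checks in 7.18.5 and 7.24 (passwords changed within 30 days, a maximum-invalid-logon parameter, terminated staff no longer holding access, privileged accounts on a reviewed authorization list) can be tested mechanically against a user export. This is an added example, not the bank's or any core banking system's code; the user ids, dates, HR lists and the parameter name are constructed.

```python
"""Added example (not from the policy): logical-access findings produced
from a constructed user export, system parameter and HR lists, following
the checks listed in 7.18.5 and 7.24. All identifiers are hypothetical."""
from datetime import date
from typing import Dict, List, Set

AS_OF = date(2018, 8, 27)          # audit date (constructed)
MAX_PASSWORD_AGE_DAYS = 30         # "Passwords are always changed within 30 days"

# Constructed system parameter as an auditor would read it from the system;
# 0 means no lockout after invalid logon attempts is configured.
SYSTEM_PARAMS = {"max_invalid_logon_attempts": 0}

# Constructed HR data.
TERMINATED_STAFF = {"u150", "u160"}
PRIVILEGED_AUTHORIZATION_LIST = {"u201"}   # reviewed list of approved privileged ids

# Constructed user export: id, status, date of last password change, privileged flag.
USER_EXPORT = [
    {"id": "u101", "status": "ACTIVE", "pwd_changed": date(2018, 8, 10), "privileged": False},
    {"id": "u102", "status": "ACTIVE", "pwd_changed": date(2018, 6, 1), "privileged": False},
    {"id": "u150", "status": "ACTIVE", "pwd_changed": date(2018, 8, 20), "privileged": False},
    {"id": "u160", "status": "DISABLED", "pwd_changed": date(2018, 5, 5), "privileged": False},
    {"id": "u201", "status": "ACTIVE", "pwd_changed": date(2018, 8, 1), "privileged": True},
    {"id": "u202", "status": "ACTIVE", "pwd_changed": date(2018, 8, 15), "privileged": True},
]


def audit_logical_access(users: List[Dict], params: Dict[str, int],
                         terminated: Set[str], priv_list: Set[str],
                         as_of: date = AS_OF) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    findings = []
    if params.get("max_invalid_logon_attempts", 0) <= 0:
        findings.append("PARAM: no maximum number of invalid logon attempts configured")
    for u in users:
        active = u["status"] == "ACTIVE"
        if not active:
            continue   # disabled accounts cannot be used, so no password or access finding
        if u["id"] in terminated:
            findings.append(f"{u['id']}: terminated staff still has an active account")
        age = (as_of - u["pwd_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{u['id']}: password is {age} days old "
                            f"(limit {MAX_PASSWORD_AGE_DAYS})")
        if u["privileged"] and u["id"] not in priv_list:
            findings.append(f"{u['id']}: privileged account not on the authorization list")
    return findings


def run_access_sample() -> List[str]:
    """Findings for the constructed data: the parameter, u102, u150 and u202."""
    return audit_logical_access(USER_EXPORT, SYSTEM_PARAMS,
                                TERMINATED_STAFF, PRIVILEGED_AUTHORIZATION_LIST)


if __name__ == "__main__":
    for line in run_access_sample():
        print(line)
```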

7.25 Residual information protection
7.25.1 Residual information protection (RIP) requires memory allocations to be overwritten with a known pattern of bits before memory is allocated to a new resource. Meeting the RIP standard can contribute to improved security; however, overwriting the memory allocation can slow performance. After the common criteria compliance enabled option is enabled, the overwriting is required.
7.25.2 The operating system must erase any storage resources (registers, RAM areas, disk sectors, data structures, etc.) before they are allocated to a new subject (user, process), to avoid information leaking from one subject to the next.
7.25.3 This function is also known in the literature as "object reuse" or "storage sanitization".
7.25.4 There is an important difference between whether residual information is erased when a resource is (1) allocated to a subject or (2) deallocated from a subject.
7.25.5 In the first case, residual information can sometimes be recovered after a user believes it has been deleted, using specialized "undelete" tools.
7.25.6 Auditor's checks – Whether:
- Company confidential printed documents are retrieved immediately.
- All company confidential documents are shredded.
- All company confidential documents are locked away.
- Suspicious activities are reported to the superior.

7.26 Encryption methods
7.26.1 The process of encryption involves converting plain text into a series of unreadable characters known as the cipher text. If the encrypted text is stolen or obtained while in transit, the content is unreadable to the viewer. This guarantees secure transmission and is extremely useful to companies sending/receiving critical information. Once encrypted information arrives at its intended recipient, the decryption process is deployed to restore the cipher text back to plaintext.
- The auditor should verify that management has controls in place over the data encryption management process.
- Access to keys should require dual control; keys should be composed of two separate components and should be maintained on a computer that is not accessible to programmers or outside users.
- Furthermore, management should attest that encryption policies ensure data protection at the desired level and verify that the cost of encrypting the data does not exceed the value of the information itself.
- All data that is required to be maintained for an extensive amount of time should be encrypted and transported to a remote location.
- Procedures should be in place to guarantee that all encrypted sensitive information arrives at its location and is stored properly.
- Finally, the auditor should obtain verification from management that the encryption system is strong, not attackable and compliant with all local and international laws and regulations.


7.26.2 Computer assisted audit tools: All computers that are used in business today have the ability to capture system activity that shows details of the work performed by the computers. However, it is important to turn the audit system ON, and to work with the IT Department to tailor and secure the audit system and audit logs. Best practices include the use of automated audit analysis tools (use of CAATs in IT audit) to manage the audit systems as well as the audit logs or records that are generated by the audit system, and to determine significant events and trends. These tools (like other monitoring mechanisms) must be fine-tuned over time to eliminate false alarms and ensure that significant occurrences are made known. These audit analysis tools should provide the audit log reports in a human-readable and intelligible format that will facilitate the internal systems review process of audit logs.

7.27 RISK ASSESSMENT
7.27.1 Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data).
- Step 1: System Characterization
- Step 2: Threat Identification
- Step 3: Vulnerability Identification
- Step 4: Control Analysis
- Step 5: Likelihood Determination
- Step 6: Impact Analysis
- Step 7: Risk Determination
- Step 8: Control Recommendations
- Step 9: Results Documentation.
Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed.

7.27.2 STEP-1: SYSTEM CHARACTERIZATION
7.27.2.1 In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (e.g., hardware, software, system connectivity, and responsible division or support personnel) essential to defining the risk.
7.27.2.2 System-related information
7.27.2.2.1 Identifying risk for an IT system requires a keen understanding of the system's processing environment. The person or persons who conduct the risk assessment must therefore first collect
7.27.2.2.2 system-related information, which is usually classified as follows:
- Hardware
- Software
- System interfaces (e.g., internal and external connectivity)
- Data and information
- Persons who support and use the IT system
- System mission (e.g., the processes performed by the IT system)
- System and data criticality (e.g., the system's value or importance to an organization)
- System and data sensitivity.

7.27.2.2.3 Additional information related to the operational environment of the IT system and its data includes, but is not limited to, the following:
- The functional requirements of the IT system
- Users of the system (e.g., system users who provide technical support to the IT system; application users who use the IT system to perform business functions)
- System security policies governing the IT system (organizational policies, federal requirements, laws, industry practices)
- System security architecture
7.27.2.2.4 The level of protection required to maintain system and data integrity, confidentiality, and availability.
- Current network topology (e.g., network diagram)
- Information storage protection that safeguards system and data availability, integrity, and confidentiality
- Flow of information pertaining to the IT system (e.g., system interfaces, system input and output flowchart)
- Technical controls used for the IT system (e.g., built-in or add-on security products that support identification and authentication, discretionary or mandatory access control, audit, residual information protection, encryption methods)
- Management controls used for the IT system (e.g., rules of behavior, security planning)
- Operational controls used for the IT system (e.g., personnel security, backup, contingency, and resumption and recovery operations; system maintenance; off-site storage; user account establishment and deletion procedures; controls for segregation of user functions, such as privileged user access versus standard user access)
- Physical security environment of the IT system (e.g., facility security, data center policies)
- Environmental security implemented for the IT system processing environment (e.g., controls for humidity, water, power, pollution, temperature, and chemicals).

7.27.3 STEP-2: THREAT IDENTIFICATION
7.27.3.1 A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability. In determining the likelihood of a threat, one must consider threat-sources, potential vulnerabilities, and existing controls.

Threat: The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

7.27.3.2 Threat-source identification
Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
Common threat-sources:
- Natural threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
- Human threats: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, and unauthorized access to confidential information).
- Environmental threats: Long-term power failure, pollution, chemicals, liquid leakage.

7.27.3.3 Motivation and threat actions
Motivation and the resources for carrying out an attack make humans potentially dangerous threat-sources. The table below presents an overview of many of today's common human threats, their possible motivations, and the methods or threat actions by which they might carry out an attack. This information will be useful to organizations studying their human threat environments and customizing their human threat statements.

Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source: Hacker, cracker
Motivation: Challenge; Ego; Rebellion
Threat Actions: Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access

Threat-Source: Computer criminal
Motivation: Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration
Threat Actions: Computer crime (e.g., cyber stalking); Fraudulent act (e.g., replay, impersonation, interception); Information bribery; Spoofing; System intrusion

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions (e.g., data entry error, programming error)
Threat Actions: Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code (e.g., virus, logic bomb, Trojan horse); Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access

An estimate of the motivation, resources, and capabilities that may be required to carry out a successful attack should be developed after the potential threat-sources have been identified, in order to determine the likelihood of a threat exercising a system vulnerability.

7.27.4 Some IT related threats (security threats and countermeasures):
Malicious software:
7.27.4.1 Viruses
- Malicious (intended to harm) code embedded in e-mail messages that is capable of inflicting a great deal of damage and causing extensive frustration, including:
- Stealing files containing personal information
- Sending emails from your account
- Rendering your computer unusable
- Removing files from your computer.

What you can do
- Do not open unknown attachments to e-mails:
  - received from unknown individuals
  - that in any way appear suspicious
- If uncertain, contact IT Security.
- Report all suspicious e-mails to IT Security.


7.27.4.2 Phishing
The activity of getting someone to give their personal details over the internet in order to steal money from them. An online scam whereby e-mails are sent by criminals who seek to steal your identity, rob bank accounts or take over your computer.

What you can do
- Stop: do not react to phishing ploys consisting of upsetting or exciting information.
- Look: look closely at the claims in the email and carefully review all the links and web addresses.
- Do not reply to the emails' requests.
- Report suspicious activity to the contact.

7.27.4.3 Unauthorized system access
- Individuals maliciously obtain unauthorized access to computers, applications, confidential information, and other valuable assets.
- Not all guilty parties are unknown; some can be co-workers.
- Unauthorized system access can result in theft or damage of vital information assets.

What we can do
- Use strong passwords for all accounts.
- Commit passwords to memory; if not possible, store all passwords in a secure location.
- Never tell anyone your password.
- Never use default passwords.
- Protect your computer with a password-protected screen saver.
- Report suspicious individuals/activities to the contact.
- Report vulnerable computers to your department.

7.27.4.4 Shoulder surfing
The act of covertly observing employees' actions with the objective of obtaining confidential information.

What we can do
- Be aware of anyone around you and what they are doing.
- Do not perform work involving confidential organization information if you are unable to safeguard yourself from shoulder surfing, etc.

7.27.4.5 Disgruntled employees
Upset or troubled employees with an intent to harm other employees or the organization.

What we can do
- Contact superiors if you suspect an employee is disgruntled and potentially dangerous.
- Be observant of others and report suspicious or inappropriate behavior to superiors.
- Exercise extreme care when aware of an unfriendly termination.

2.27.4.6 Unauthorized facility access- Individuals maliciously obtain unauthorized access to offices with the objective to steal equipment, confidential information and other valuable organization assets

What we can do:
- Do not hold the door for unidentified individuals.
- Do not leave anything of value exposed in your office/work space; lock all organizational confidential documents in desk drawers.
- Escort any of your own visitors throughout the duration of their visit.

2.27.4.7 An employee who does not necessarily have facilities access

What we can do:
- Retrieve your company confidential printed documents immediately.
- Shred all company confidential documents.
- Lock away all company confidential documents.
- Report suspicious activities to your superior.

2.27.4.8 Malicious software: Spyware: Any technology that aids in gathering information about you or the organization without your knowledge and consent.

What you can do:
- Do not click on options in deceptive (misleading)/suspicious pop-up windows.
- Do not install any software without receiving prior approval from IT Security.
- If you experience slowness/poor computer performance or excessive occurrence of pop-up windows, contact IT Security.

7.27.5 STEP-3: VULNERABILITY IDENTIFICATION

7.27.5.1 The technical and nontechnical vulnerabilities associated with an IT system's processing environment can be identified via information gathering techniques. Such techniques also help in preparing for interviews and in developing effective questionnaires to identify vulnerabilities that may be applicable to specific IT systems (e.g., a specific version of a specific operating system).

7.27.5.2 Documented vulnerability sources that should be considered in a thorough vulnerability analysis include:
• Previous risk assessment documentation of the IT system assessed
• The IT system's audit reports, system anomaly reports, security review reports, and system test and evaluation reports
• Vulnerability lists and vulnerability databases.


7.27.5.3 The table below presents examples of vulnerability/threat pairs.

Vulnerability / Threat-Source / Threat Action

1. Vulnerability: Terminated employees' system identifiers (IDs) are not removed from the system.
   Threat-Source: Terminated employees.
   Threat Action: Dialing into the company's network and accessing company proprietary data.

2. Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server.
   Threat-Source: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists).
   Threat Action: Using telnet to XYZ server and browsing system files with the guest ID.

3. Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system.
   Threat-Source: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists).
   Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities.

4. Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place.
   Threat-Source: Fire, negligent persons.
   Threat Action: Water sprinklers being turned on in the data center.

7.27.5.4 Recommended methods for identifying system vulnerabilities are the use of vulnerability sources, the performance of system security testing, and the development of a security requirements checklist.

7.27.5.5 Development of Security Requirements Checklist

A security requirements checklist contains the basic security standards that can be used to systematically evaluate and identify the vulnerabilities of the assets (personnel, hardware, software, information), non-automated procedures, processes, and information transfers associated with a given IT system in the following security areas:
• Management
• Operational
• Technical.

The table below lists security criteria suggested for use in identifying an IT system's vulnerabilities in each security area.

7.27.5.6 Security Criteria

Security Area / Security Criteria

Management Security:
• Assignment of responsibilities
• Continuity of support
• Incident response capability
• Periodic review of security controls
• Personnel clearance and background investigations
• Risk assessment
• Security and technical training
• Separation of duties
• System authorization and reauthorization
• System or application security plan

Operational Security:
• Control of air-borne contaminants (smoke, dust, chemicals)
• Controls to ensure the quality of the electrical power supply
• Data media access and disposal
• External data distribution and labeling
• Facility protection (e.g., computer room, data center, office)
• Humidity control
• Temperature control
• Workstations, laptops, and stand-alone personal computers

Technical Security:
• Communications (e.g., dial-in, system interconnection, routers)
• Cryptography
• Discretionary access control
• Identification and authentication
• Intrusion detection
• Object reuse
• System audit

Output from Step-3: A list of the system vulnerabilities (observations) that could be exercised by the potential threat-sources

7.27.6 STEP-4: CONTROL ANALYSIS

7.27.6.1 The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat's exercising a system vulnerability. Because the risk assessment report is not an audit report, some sites may prefer to address the identified vulnerabilities as observations instead of findings in the risk assessment report.

7.27.6.2 To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the implementation of current or planned controls must be considered. For example, a vulnerability (e.g., a system or procedural weakness) is not likely to be exercised, or the likelihood is low, if there is a low level of threat-source interest or capability, or if there are effective security controls that can eliminate, or reduce the magnitude of, harm.

7.27.6.3 Control Methods

Security controls encompass the use of technical and nontechnical methods. Technical controls are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software). Nontechnical controls are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security.

7.27.6.4 Control Categories

The control categories for both technical and nontechnical control methods can be further classified as either preventive or detective. These two subcategories are explained as follows:

• Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication.
• Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

The implementation of such controls during the risk mitigation process is the direct result of the identification of deficiencies in current or planned controls during the risk assessment process (e.g., controls are not in place or controls are not properly implemented).

7.27.6.5 Control Analysis Technique

As discussed previously, the development of a security requirements checklist or the use of an available checklist will be helpful in analyzing controls in an efficient and systematic manner.

The security requirements checklist can be used to validate security noncompliance as well as compliance. Therefore, it is essential to update such checklists to reflect changes in an organization’s control environment (e.g., changes in security policies, methods, and requirements) to ensure the checklist’s validity.

Output from Step-4: List of current or planned controls used for the IT system to mitigate the likelihood of a vulnerability's being exercised and reduce the impact of such an adverse event

7.27.7 STEP-5: LIKELIHOOD DETERMINATION

7.27.7.1 To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:

• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls.

7.27.7.2 The likelihood that a potential vulnerability could be exercised by a given threat-source can be described as high, medium, or low. The table below describes these three likelihood levels.

7.27.7.3 Likelihood Definitions

Likelihood Level / Likelihood Definition

High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Output from Step-5: Likelihood rating (High, Medium, Low)

7.27.8 STEP-6: IMPACT ANALYSIS

7.27.8.1 The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following information:

• System mission (e.g., the processes performed by the IT system)
• System and data criticality (e.g., the system's value or importance to an organization)
• System and data sensitivity.

7.27.8.2 This information can be obtained from existing organizational documentation, such as the mission impact analysis report or asset criticality assessment report. A mission impact analysis (also known as business impact analysis [BIA] for some organizations) prioritizes the impact levels associated with the compromise of an organization's information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization's critical missions.

7.27.8.3 Therefore, the adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the consequence (or impact) of its not being met:

7.27.8.3.1 Loss of Integrity. System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. In addition, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system.

7.27.8.3.2 Loss of Availability. If a mission-critical IT system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission.

7.27.8.3.3 Loss of Confidentiality. System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization. Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the system, or the level of effort required to correct problems caused by a successful threat action. Other impacts (e.g., loss of public confidence, loss of credibility, damage to an organization's interest) cannot be measured in specific units but can be qualified or described in terms of high, medium, and low impacts. Because of the generic nature of this discussion, this guide designates and describes only the qualitative categories—high, medium, and low impact.

7.27.8.3.4 Magnitude of Impact Definitions

Magnitude of Impact / Impact Definition

High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.

Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.

Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

7.27.8.3.5 Quantitative versus Qualitative Assessment In conducting the impact analysis, consideration should be given to the advantages and disadvantages of quantitative versus qualitative assessments. The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. The disadvantage of the qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner. Additional factors often must be considered to determine the magnitude of impact.

These may include, but are not limited to:
• An estimation of the frequency of the threat-source's exercise of the vulnerability over a specified time period (e.g., 1 year)
• An approximate cost for each occurrence of the threat-source's exercise of the vulnerability
• A weighted factor based on a subjective analysis of the relative impact of a specific threat's exercising a specific vulnerability

Output from Step-6: Magnitude of impact (High, Medium, or Low)

7.27.9 STEP-7: RISK DETERMINATION

7.27.9.1 The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of:
• The likelihood of a given threat-source's attempting to exercise a given vulnerability
• The magnitude of the impact should a threat-source successfully exercise the vulnerability
• The adequacy of planned or existing security controls for reducing or eliminating risk.

To measure risk, a risk scale and a risk-level matrix must be developed.

2.27.9.2 Risk-Level Matrix

The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact. The table below shows how the overall risk ratings might be determined based on inputs from the threat likelihood and threat impact categories. The matrix below is a 3 x 3 matrix of threat likelihood (High, Medium, and Low) and threat impact (High, Medium, and Low). Depending on the site's requirements and the granularity of risk assessment desired, some sites might use a 4 x 4 or a 5 x 5 matrix. The latter can include a Very Low/Very High threat likelihood and a Very Low/Very High threat impact to generate a Very Low/Very High risk level. A "Very High" risk level may require possible system shutdown or stopping of all IT system integration and testing efforts. The sample matrix in Table 7.1 shows how the overall risk levels of High, Medium, and Low are derived. The determination of these risk levels or ratings may be subjective. The rationale for this justification can be explained in terms of the probability assigned for each threat likelihood level and a value assigned for each impact level. For example:
• The probability assigned for each threat likelihood level is 0.1 for High, 0.5 for Medium, 1.0 for Low.
• The value assigned for each impact level is 10 for High, 50 for Medium, and 100 for Low.

2.27.9.3 Risk-Level Matrix

Threat Likelihood | Impact: Low (100) | Impact: Medium (50) | Impact: High (10)
High (0.1) | High (100 x 0.1 = 10) | Very High (50 x 0.1 = 5) | Extremely High (10 x 0.1 = 1)
Medium (0.5) | Medium (100 x 0.5 = 50) | High (50 x 0.5 = 25) | Very High (10 x 0.5 = 5)
Low (1.0) | Low (100 x 1 = 100) | Medium (50 x 1 = 50) | High (10 x 1 = 10)

Risk Scale: High (>1 to 10); Medium (>10 to 50); Low (50 to 100)

2.27.9.4 Description of Risk Level: The table below describes the risk levels shown in the above matrix. This risk scale, with its ratings of High, Medium, and Low, represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale also presents actions that senior management, the mission owners, must take for each risk level.

2.27.9.5 Risk Scale and Necessary Actions

Risk Level / Risk Description and Necessary Actions

High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Low: If an observation is described as low risk, the system's approving authority must determine whether corrective actions are still required or decide to accept the risk.

2.27.9.6 Description of Risk Level

2.27.9.6.1 The table above describes the risk levels shown in the risk-level matrix. This risk scale, with its ratings of High, Medium, and Low, represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale also presents actions that senior management, the mission owners, must take for each risk level.

Output from Step-7: Risk level (High, Medium, Low)

2.27.9.6.2 If the level indicated on certain items is so low as to be deemed "negligible" or non-significant (value is < 1 on a risk scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding them for management action. This will make sure that they are not overlooked when conducting the next periodic risk assessment. It also establishes a complete record of all risks identified in the analysis. These risks may move to a new risk level on a reassessment due to a change in threat likelihood and/or impact, and that is why it is critical that their identification not be lost in the exercise.
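The risk-level computation of 2.27.9.2 to 2.27.9.6 worked in code, as an added Python illustration that is not part of the policy text: it uses the likelihood probabilities, impact values, risk scale and "negligible" hold-aside stated above, while the action strings, the function names and the "Very High" likelihood value used to exercise the negligible bucket are assumptions of the example.

```python
"""Risk-level matrix of 2.27.9.2 to 2.27.9.6, worked in code.

Constants taken from the policy text: likelihood probabilities (High 0.1,
Medium 0.5, Low 1.0), impact values (Low 100, Medium 50, High 10), the rule
score = impact value x likelihood probability, the risk scale (High >1 to 10,
Medium >10 to 50, Low 50 to 100) and the "negligible" hold-aside for scores
below 1. Everything else (names, action strings) is this example's own.
"""
from collections import defaultdict

# Ratings as stated in 2.27.9.2. Note the orientation the policy uses: a
# LOWER score means a HIGHER risk, so the scale below starts at High.
LIKELIHOOD = {"High": 0.1, "Medium": 0.5, "Low": 1.0}
IMPACT = {"Low": 100, "Medium": 50, "High": 10}

# Risk scale of 2.27.9.3 as (inclusive upper bound, level), checked in order.
# The sample matrix in the text further labels the High-likelihood row as
# "Very High" (score 5) and "Extremely High" (score 1) and marks 25 as High;
# a site wanting those finer labels would add bands here. Scores below 1 are
# "negligible" (2.27.9.6.2) and are held aside instead of being escalated.
RISK_SCALE = [(10, "High"), (50, "Medium"), (100, "Low")]
NEGLIGIBLE_BELOW = 1

# Necessary actions per level, condensed from 2.27.9.5 and 2.27.9.6.2
# (wording is this example's, not the policy's).
ACTIONS = {
    "High": "corrective action plan must be put in place as soon as possible",
    "Medium": "corrective actions needed; plan within a reasonable period",
    "Low": "approving authority decides: correct or accept the risk",
    "Negligible": "hold aside; re-examine at the next periodic risk assessment",
}


def risk_score(likelihood, impact, likelihoods=LIKELIHOOD, impacts=IMPACT):
    """Score = impact value x likelihood probability (2.27.9.2)."""
    # round() strips binary floating-point noise from products such as 50 x 0.1
    return round(impacts[impact] * likelihoods[likelihood], 6)


def risk_level(score):
    """Map a score onto the policy's risk scale (or the negligible bucket)."""
    if score < NEGLIGIBLE_BELOW:
        return "Negligible"
    for upper, level in RISK_SCALE:
        if score <= upper:
            return level
    raise ValueError(f"score {score} lies outside the 1 to 100 risk scale")


def risk_matrix(likelihoods=LIKELIHOOD, impacts=IMPACT):
    """Whole matrix as {(likelihood, impact): (score, level)}.

    Passing dictionaries with five levels each yields the 5 x 5 variant the
    text mentions; the default reproduces the 3 x 3 sample matrix's scores.
    """
    matrix = {}
    for lk in likelihoods:
        for im in impacts:
            score = risk_score(lk, im, likelihoods, impacts)
            matrix[(lk, im)] = (score, risk_level(score))
    return matrix


def assess(observations, likelihoods=LIKELIHOOD, impacts=IMPACT):
    """Bucket (name, likelihood, impact) observations by risk level.

    Returns (for_management, held_aside): the first maps level -> list of
    (name, score, action) for the risk report; the second is the negligible
    bucket kept on record so the items are not lost before the next
    periodic reassessment (2.27.9.6.2).
    """
    for_management = defaultdict(list)
    held_aside = []
    for name, lk, im in observations:
        score = risk_score(lk, im, likelihoods, impacts)
        level = risk_level(score)
        entry = (name, score, ACTIONS[level])
        if level == "Negligible":
            held_aside.append(entry)
        else:
            for_management[level].append(entry)
    return dict(for_management), held_aside


if __name__ == "__main__":
    for (lk, im), (score, level) in risk_matrix().items():
        print(f"likelihood {lk:<6} x impact {im:<6} = {score:>5}  -> {level}")
    # Constructed sample observations, named after the vulnerability/threat
    # pairs in 7.27.5.3; the ratings assigned to them are hypothetical.
    sample = [
        ("terminated employees' IDs not removed", "High", "High"),
        ("guest ID enabled on XYZ server", "Medium", "Medium"),
        ("sprinklers without tarpaulins", "Low", "Low"),
    ]
    report, held = assess(sample)
    for level, entries in report.items():
        for name, score, action in entries:
            print(f"{level:<6} {score:>5}  {name}: {action}")
    print("held aside:", held)
```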

7.27.10 STEP-8: CONTROL RECOMMENDATIONS

During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
• Effectiveness of recommended options (e.g., system compatibility)
• Legislation and regulation
• Organizational policy
• Operational impact

Inspection Manual (Inspection by the Controlling Office)

8. Inspection

Inspection is an important appraisal involving examination, measurement, testing and comparison of tasks to establish whether they are performed in accordance with the applicable rules, regulations, policies and procedures to be complied with.

8.1 Objectives of Inspection:

8.1.1 Inspection is a crucial element of the direct control mechanism over branches by bank management. It is generally done once every 12 months. The main purpose of internal inspection is to scrutinize the working of the branch and the various departments of the bank, with the objective of helping the bank keep a watch on the safe and useful deployment of funds. It ensures that the operating units scrupulously follow the laid-down systems and procedures and, if found otherwise, that prompt corrective steps are initiated.

8.1.2 Inspection is not a fault-finding mechanism but a developmental tool. It is an early warning signal system for undesirable trends in operations. It is a whistle-blowing mechanism.

8.2 Types of Inspection:
8.2.1 Inspection by Zonal Office;
8.2.2 Inspection by Circle Office;
8.2.3 Inspection by Concerned GM;
8.2.4 Inspection by Head Office.

8.3 Functions of Inspection:
• Preparation and execution of the annual inspection plan.
• Conducting inspection periodically/on a surprise basis.
• Ensuring spot rectification where possible.
• Preparation and submission of the inspection report.
• Preparation of an executive summary of major findings during the inspection.
• Collection of required information from other units.
• Detecting deviations in compliance and preventing fraud and forgeries.
• Ensuring reliability of accounting data and reporting to the proper authority.
• Examination of documents and books of accounts and evaluating branch efficiency.
• Ensuring compliance with the audit observations through follow-up.
• In case of Shariah-based banking, implementation of the Shariah principles.

8.4 Inspection procedures used in Agrani Bank Limited:
8.4.1 As a properly structured and governed financial organization, it is necessary to maintain transparency in all activities of the Branch Offices. For this reason, controlling/supervising needs to be strengthened.
8.4.2 Inspection at Branch level by the Circle Office/Zonal Offices on a regular basis is necessary.
8.4.3 If any negligence/delay is shown in the supervising system, i.e. a weak internal control system, various fraud/forgery and irregularities will be created.

8.5 Outline of Inspection Function:
8.5.1 Instructions were issued for submitting reports on surprise Branch Office inspection by the controlling executive in order to strengthen branch supervising activities vide MD:NIKO:03:84/161 dated 14 February 1988 and MD:NIKO:03:84/318.
8.5.2 Embezzlement and reduced customer service may result from not taking effective action on Branch Inspection by the concerned controlling executives.
8.5.3 In this regard, Branch Inspection was redesigned by issuing MD: NIKO: 03:84/27 dated 07 October 1997 in line with memorandum No. AM/ABI/BANK-5/11(35)/87/134 dated 10 February 1988 issued by the Ministry of Finance.
8.5.4 Subsequently, Surprise Branch Inspection was again redesigned by issuing MD: NIKO: 03:84/06 dated 19 February 2000.
8.5.5 The latest system is as follows:

Inspection by the Controlling Office

Executive/Officer: Circle Head / General Manager
Inspection Program:
1. Corporate Branch – once in every two months
2. Zonal Office – once in every three months
3. Non-Corporate Branch – two or more branches every month
Report submission:
1) Circle Head/Responsible General Manager of the concerned Corporate branch will send their own inspection report (Annexure-01). In case of Circle, the Circle Head will collect the inspection report of the concerned Zonal Head (Annexure-01). Then Circle will also analyze the report and will make a summary report (Summary report of branch inspection) as per format based on the Zonal Head's report. All reports should be submitted to the Head of ICC with a copy to the concerned DMD on a quarterly basis by the 15th of the next month.
2) The Head of ICC will submit the summary report to the Audit Committee of the Board on a quarterly basis.
Spot Action to be Taken:
• If any serious lapses or fraud/forgery are detected at the time of inspection, then the Head of the Circle/Responsible GM of the concerned corporate branches will take administrative action against the responsible person on the spot.
• The GM also informs the concerned DMD and Head of ICC without making any delay.

Executive/Officer: Zonal Head
Inspection Program:
1. Branch located at town – once in every month
2. Minimum 1/3rd of the branches under the Zone once in every month, i.e. every quarter all of the branches are to be visited.
Report submission:
• Main copy of the report to be submitted to the concerned Circle Head by the 7th of the next month by the Zonal Head.
• Zonal Head will not send any report except fraud/forgery reporting to ICC.
Spot Action to be Taken:
• If any serious lapses or fraud/forgery are detected at the time of inspection, then the Zonal Head will take administrative action without making any delay.
• He/she will inform that matter simultaneously to the concerned Circle GM and Head of ICC.

For Circle Head and Zonal Head Inspection Check list no. Annexure -1 will be used.

8.6 Rules to be followed during inspection:

During Branch inspection, the following documents/functions have to be scrutinized and reviewed:

8.6.1 Cash Management: Cash management of the Branch, i.e. opening and closing balance checking, cash keeping, mutilated cash management, etc.
8.6.2 Administration:
8.6.2.1 Checking of Attendance Register, Duty List and job rotation.
8.6.2.2 Expenditure against budget.
8.6.2.3 Leave records examination.
8.6.2.4 Employees' Code of Conduct.
8.6.2.5 Cleanliness of branch premises, signboard, security measures taken.
8.6.2.6 Customer service quality.
8.6.2.7 Different target achievement status (Branch Office's deposits, advances, foreign trade/business and profit position).
8.6.3 Other activities:
8.6.3.1 IT Security Management.
8.6.3.2 Password Management.
8.6.3.3 Loan documentation checking (preparation of LDCL and Safe-in/Safe-out register).
8.6.3.4 Loan recovery position of Top 20 loan defaulters/classified loans.
8.6.3.5 Compliance with Head Office instruction circulars regarding banking transactions. Check whether balance confirmation letters have been sent to the customers. Create awareness in Branch Offices that loan outstanding entries need to be adjusted, that accounts, registers and ledgers need to be balanced to resolve audit objections, and that close liaison with lawyers needs to be maintained for settlement of filed cases.
8.6.3.6 Team spirit of branch functions.
8.6.3.7 Recovery position of the unadjusted demand loan/LIM against imports of the garments industry.
8.6.3.8 The head of the Zonal Office will send at least 20 account balance confirmation letters during inspection and check the correctness of the responses received. These 20 accounts will be selected as:
- Top 10 balance accounts (by value)
- Five accounts where deposits and withdrawals had been made on the same date
8.6.3.9 Unreconciled entries.
8.6.3.10 DCFCL inspection.
8.6.3.11 LDCL inspection.
8.6.3.12 QOR inspection.

8.6.3.13 Compliance with audit objections (Internal, Bangladesh Bank, Commercial Audit).
8.6.3.14 Any other matter that seems to need inspection, etc.

8.7 Reporting Procedures/Rules:

8.7.1 If any serious lapses are observed during inspection, this has to be communicated to the Managing Director & CEO and the concerned DMD/Circle GM with a copy to the Head of ICC.
8.7.2 Within 7 days of inspection, the inspection report has to be sent to the concerned Branch Office, with one copy to the concerned Circle Office/Controlling Office.
8.7.3 Circle Head/Responsible General Manager of the concerned Corporate branch will send their own inspection report (Annexure-01). In case of Circle, the Circle Head will collect the inspection report of the concerned Zonal Head (Annexure-01). Then Circle will also analyze the report and will make a summary report (Summary report of branch inspection) as per format based on the Zonal Head's report. All reports should be submitted to the Head of ICC with a copy to the concerned DMD on a quarterly basis by the 15th of the next month.
8.7.4 The Head of ICC will submit the summary report to the Audit Committee of the Board on a quarterly basis through the Audit Monitoring Division of ICC.

8.8 Follow up procedures of Inspection Report:

8.8.1 Circle Office will take appropriate steps to resolve the irregularities mentioned in the Zonal Head's report.
8.8.2 When irregularities are observed during inspection, or when no guidelines for Branch Office development are observed, this has to be mentioned in the report and subsequently compliance/progress has to be ensured.
8.8.3 During Branch inspection by the head of the Zonal Office, and for increasing deposits of the Branch Office, the head of the Zonal Office will meet at least 5 (five) depositors and 2 (two) large borrowers; in the report he will comment on the loans and indicate the outcome of the meeting.


Audit Monitoring & Controlling Manual


9. Monitoring

Monitoring is an on-going process usually directed by management to ensure that processes are working as intended. Monitoring is an effective control within a process. It involves supervising activities in progress to ensure they are on course and on schedule in meeting the objectives and performance targets.

9.1 Monitoring Activities and Corrective Measures:

9.1.1 The effectiveness of the Bank’s internal control should be monitored on an ongoing basis. Key/high risk items should be identified and monitored as part of daily activities.

9.1.2 Internal control deficiencies, whether identified by business lines, internal auditors, or other control personnel should be reported in a timely and prompt manner to the appropriate management level and addressed immediately.

9.1.3 The ICC will report material control deficiencies to the Audit Committee of the Board with specific recommendations.

9.1.4 A quarterly summary of QOR, DCFCL, LDCL and Inspection Report must be sent by the Circle Head / Concerned GM of Corporate Branch to the Head of ICC for the Audit Monitoring and Controlling Division, which will review the same.

9.1.5 The Audit Monitoring and Controlling Division will review the QOR, LDCL, DCFCL, Inspection Report and Exceptions report (if any); in addition to the line management, the Audit Monitoring and Controlling Division will instruct the branch to rectify the exception and report the same. If deemed necessary, the Head of ICC will instruct the ICT (a team of the Audit Monitoring and Controlling Division comprised of 3-4 members) to carry out an audit on the specific deviation.

9.1.6 Depending upon the gravity of the deviation, the ICT will report the matter to the Head of ICC and ultimately to the Audit Committee of the Board, with a copy to the MD, for necessary action and rectification through the concerned controlling office.

9.1.7 On a quarterly basis, ICC will submit a report to the Audit Committee of the Board on the type/nature of the discrepancies.

9.1.8 In addition to the above, the ICC will depute the ICT to branches/departments routinely, and also on surprise dates, to carry out sample checks on the items mentioned in the DCFCL, LDCL, QOR and Inspection Report.

9.2 Objectives of Audit Monitoring and Controlling Division:

9.2.1 To conduct effective monitoring on the proper implementation of various control tools;

9.2.2 DCFCL, QOR, LDCL and Self-Assessment Anti-Fraud Internal Control Checklist in all branches and divisions/departments at head office of the bank, to strengthen the internal check and internal control system of the bank;

9.2.3 To conduct effective monitoring for timely submission of regulatory returns as per the calendar of returns, to avoid regulatory imposition;

9.2.4 To prepare the risk grading of bank branches based on the two broad risk parameters, i.e., control risk and business risk parameters;

9.2.5 To help prepare a risk based internal audit plan for the bank at the end of each year on the basis of risk grading of the branches, along with audit frequency;

9.2.6 To prepare the Annual Health Report of the bank as a regulatory compliance;

9.2.7 To prepare the summary report on the DCFCL, Loan Documentation Checklist (LDCL) and Quarterly Operations Report (QOR) and submit it to the Head of ICC on a quarterly basis for onward submission to the Audit Committee of the Board;

9.2.8 To monitor the effectiveness of the bank’s internal control system;

9.2.9 To report to the Head of ICC about major deviations, if any are found by the ICT;

9.2.10 To update various control tools (DCFCL, QOR, LDCL and Self-Assessment Anti-Fraud Internal Control Checklist, etc.) as and when required by Bangladesh Bank;

9.2.11 To identify, assess and control the risks involved in the manifold operational activities of the bank, and to prepare the Self-Assessment Anti-Fraud Internal Control Checklist and place it for signature by the MD and CEO and counter-signature by the Chairman of the Audit Committee of the Board, for submission of the same to the Department of Offsite Supervision of Bangladesh Bank.

9.3 Application of Monitoring System:

9.3.1 Departmental Control Function Checklist (DCFCL)

9.3.1.1 The guideline/procedure deals with matters relating to review/verification of departmental functions to ensure that prescribed procedures are being followed by each department.

9.3.1.2 All departments are required to check whether the prescribed controls are being observed and that laid-down procedures are not overlooked or relaxed.

9.3.1.3 Departmental Managers, Branch Managers and Zonal Heads will review the DCFCL to ensure that control functions are performed and documented in the control sheets at the prescribed frequencies i.e. daily, weekly, monthly and quarterly.

9.3.1.4 The DCFCL Checklist should be retained with the branch/ departments for future inspection by Internal Control Team and Senior Management Team.

9.3.1.5 As per Head Office circular no. ICC/AMD/74 dated 13/07/14, a specific checklist is designed for the Circle Head’s/Zonal Head’s Branch visit; the DCFCL is the Branch’s daily, weekly and monthly function checklist; the Loan Documentation Checklist (LDCL), IT security management checklist, Credit Risk Management checklist and Foreign Exchange checklist are department-wise quarterly checklists.

9.3.1.6 Individual items in the Departmental Control Function Checklists (DCFCL) are assigned a risk rating by giving scores. The scores derived from these checklists (DCFCL, QOR, LDCL, IT, CRM and FEx) will be divided and added into two formats of risk assessment (Business Risk and Control Risk).

9.3.1.7 The reporting pattern of DCFCL, LDCL and QOR has been changed vide Head Office Circular No: AMD/DCFCL/36/18 dated 01/04/2018.

9.3.2 Loan Documentation Checklist (LDCL- Annexure -4):

The checklist deals with matters relating to security documentation for sanctioning and drawdown of credit facilities, to ensure that the prescribed documentation is being obtained to safeguard the Bank’s legal charge.

9.3.3 Quarterly Operations Report (QOR –Annexure-5):

9.3.3.1 This guideline/procedure relates to reporting of the operational functions of each branch/centre under the following heads on the enclosed format:

i. Policies, Procedures and Controls;
ii. Protection of Valuables;
iii. Proofs/Verifications and Internal Checks;
iv. Personnel and Supervision;
v. Premises Management; and
vi. Confirmation on Regulatory Compliance.

9.3.3.2 A report will be prepared in duplicate by each branch in the prescribed format; one copy is to be dispatched to the Line Management and the other copy to the Internal Control Team by the 10th of the following month, i.e. 10th April, July, October and January each year.

9.3.3.3 Items which are not applicable to an individual Branch or Department should be marked as N/A, and no signature is required against items marked as N/A.

9.3.3.4 Any deviation in the quarterly operations report must be reported in a separate exception report.

9.3.3.5 All concerned are advised to adhere to the requirements outlined under each of the above heads, for review by the Line Management quarterly and by Internal Control/Audit as and when they visit the branch.

9.4 Annual Health Report of the Bank

9.4.1 Annual Integrated Health Report

The Audit Monitoring and Controlling Division will prepare the health report annually, for onward submission to the Audit Committee of the Board, the Bangladesh Bank Inspection Team and other regulatory bodies. For this purpose, ICC will collect the Financial Health Score, ICC Health Score, and Image & Reputation Health Score from the BoD, the Annual Report of the bank, and the External Audit report respectively.

9.4.2 Objectives of Annual Health Report

9.4.2.1 The assessment of the soundness of the bank, which reflects the overall position of the bank’s performance, is important not only for the bank itself but also for all stakeholders of the bank.

9.4.2.2 The “Annual Health” Report reflects the financial, reputational and sustainability position of the bank, based on the bank’s own most recent data. The purpose of the report is to provide stakeholders with a basic overview of the general health of the bank.


9.4.3 Methodology of Assessing Health (Details in Annexure-D & D1):

9.4.3.1 The health of the bank may be judged from different points of view, but emphasis has to be given to the feasibility of the aspects considered for health analysis and their quantification. Taking these two conditions into consideration, the health of the bank is assessed from a three-dimensional viewpoint, viz. Financial Health, Internal Control & Compliance Health and Image & Reputation Health. Depending on the nature of business, the Board of Directors will decide on the weight of the sectors and inform the same to Bangladesh Bank before preparing the report.

9.4.3.2 The Bank will determine the weight of the sectors based on its portfolio nature, with the approval of the Board, and shall determine the ‘Health Score’ using the following model:

Health Sector               Sectoral Score Range   Sectoral Weight   Achieved Sectoral Score   Weighted Score
Financial Health            0-100                  w1                g1                        w1g1
ICC Health                  0-100                  w2                g2                        w2g2
Image & Reputation Health   0-100                  w3                g3                        w3g3

Health Score = w1g1 + w2g2 + w3g3

a. If the health score is 90% and above, it will be marked ‘Excellent’;
b. If the health score is 80% and above but below 90%, it will be marked as ‘Very Good’;
c. If the health score is 70% and above but below 80%, it will be marked as ‘Good’;
d. If the health score is 60% and above but below 70%, it will be marked as ‘Satisfactory’;
e. If the health score is below 60%, it will be treated as ‘Marginal’.

9.4.4 Frequency of Health Analysis

The health analysis of the bank is to be done on a yearly basis as a regulatory compliance, and the analysis should be made immediately after completing an accounting year.

9.4.5 Reporting Line and its Approval Process

The yearly integrated health report of the bank is to be submitted to the Board of Directors for review and approval.


Audit Compliance Manual

10. Compliance

Compliance refers to operating the bank in conformance with applicable laws, regulations, policies, standards, guidelines, etc. applicable to all institutions in its category, and responding fully and in a timely manner to supervisory criticism and orders to take corrective action issued by applicable regulatory authorities or law enforcement bodies. In this context, compliance also refers to preventive actions taken to mitigate compliance risk, which is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation as a result of failure to comply with applicable rules.

10.1 Overview:

10.1.1 The Compliance unit of ICC will be responsible for ensuring that the Bank complies with all regulatory requirements while conducting its business. It will maintain liaison with the regulators at all levels and notify the other units regarding regulatory changes. If required, this unit would contact the regulatory authorities for proper clarification on a particular issue and notify the concerned departments accordingly.

10.1.2 If any major deviation is identified by the regulatory authority, they must ensure that the matter is brought to the knowledge of the Audit Committee of the Board, as well as the Managing Director & Chief Executive Director of the Bank. Major issues to be considered for the proper functioning of ICC include commitment from branch and divisional heads, standard operating processes, regular discussion at management level to review compliance, adequate maintenance of ICC and appointment of experienced officers in the technical areas.

10.2 Establishment of a Compliance Culture

10.2.1 The Bank should have a strong compliance culture, in which employees throughout the organization are encouraged to comply with policies, procedures and regulations.


10.2.2 Even an individual at the lowest echelon should be empowered to speak up, without fear of reprisal, if he/she identifies something non-compliant.

10.2.3 The Board of Directors and the senior management must establish a compliance culture within the banking organization that emphasizes and demonstrates to all levels of personnel the importance of internal control.

10.2.4 In order to establish a compliance culture, the BoD and senior management must promote a high standard of ethics and integrity.

10.2.5 In reinforcing ethical values, the banking organization should avoid policies and practices that provide inadvertent incentives for inappropriate activities. Examples of such policies and practices include undue emphasis on performance targets or operational results, particularly short-term ones that ignore long-term risks, and compensation schemes that depend overly on short-term performance.

10.3 Independence of Compliance Functions

The status of the compliance unit should ensure appropriate authority and independence. For independence, the following issues are to be considered:

10.3.1 The compliance unit should have a separate status within the bank;

10.3.2 This may be described in the bank’s compliance policy;

10.3.3 The document should be communicated to all the staff of the bank;

10.3.4 The role and responsibilities of the unit should be specified;

10.3.5 The independence of the unit should be ensured;

10.3.6 The relationship with other risk management units and with the internal audit function should be clearly defined;

10.3.7 Where compliance requirements are carried out by staff of other departments, their responsibilities should be clearly allocated;

10.3.8 The unit should have the right of access to the information necessary, and all staff should co-operate in supplying information;

10.3.9 If any breach of the compliance policy is found, the unit should have the power to suggest necessary action to the senior management;

10.3.10 The unit should be able to express and disclose its findings freely to the Audit Committee of the Board and, if necessary, the Board of Directors.

10.4 Compliance Process

10.4.1 For the banks, Bangladesh Bank is the primary regulator, which governs their activities. In addition, National Board of Revenue, Registrar of Joint Stock Companies and Firms, Bangladesh Securities and Exchange Commission, Ministry of Finance, Ministry of Commerce, Ministry of Environment, Ministry of Home Affairs, etc. are different types of regulatory bodies whose directives have a significant impact on any bank’s business.

10.4.2 The internal control system should always take into account the bank’s internal processes to meet regulatory requirements before conducting any operation.

10.4.3 The internal control system of the bank must be designed in a manner that the compliance with regulatory requirements is recognized in each activity of the bank. The bank must obtain regular information on regulatory changes and distribute among the concerned departments, so that they can take the necessary action to adapt to such changes.

10.4.4 Regulatory requirements are to be incorporated into the work process to ensure full compliance.

10.4.5 The Bank has to ensure that all guidelines received from the regulatory authority are properly disseminated among the relevant departments.

10.4.6 A particular unit (if possible Internal Control) should be responsible for receiving regulatory guidelines, maintaining proper record and distribution among all relevant units.

10.4.7 If required, this unit would contact the regulatory authorities for proper clarification on a particular issue and notify the concerned departments accordingly.

10.4.8 When regulatory inspection is conducted on the operation of the Bank, this unit should work as point of contact.


10.4.9 After receiving audit report, concerned office must ensure correction of the said objection.

10.4.9.1 Corrective measures are to be taken and the appropriate response is to be made in a timely fashion. Corrective measure means that objections raised by the auditors are to be attended to in time and in an appropriate manner.

10.4.9.2 If the concerned branch manager and respective officials fail to comply within the stipulated time and on the stated grounds, a notice will be given to them allowing one month for Corporate, A.D & A-Grade branches, 3 weeks for B-Grade branches and 2 weeks for C & D-Grade branches for the rectification/compliance of the objections raised.

10.4.9.3 If they still fail to comply, a 2nd reminder letter will be given to the manager/respective officials allowing a 1-week time limit for further compliance.

10.4.9.4 Then a final 7 days’ notice will be given to the controlling office to take necessary action for rectification/compliance.

10.4.9.5 After all of the above time limits are exhausted, the following administrative actions will be taken for non-compliance:

a) Firstly, an explanation letter will be issued;
b) If the compliance is not satisfactory, a caution letter will be given;
c) If the bank suffers financial loss through further failure of compliance, the matter is to be treated as a serious lapse. A letter will be given to HRPDOD with a recommendation that the increment of the related officials/manager/zonal head be held up;
d) If the bank faces any major financial loss due to non-compliance, it will be presented to MANCOM for taking necessary action against the respective officials/manager/zonal head;
e) If possible, the Audit team will instruct/guide branch management for spot compliance/rectification of the minor/serious/major lapses detected.


10.4.10 If any major lapse is identified by the regulatory authority, they must ensure that the Audit Committee of the Board is also notified, along with the senior management of the branch.

10.4.11 This unit must arrange appropriate training for employees so that employees are aware of the regulations that are necessary to accomplish their job.

10.5 Regulatory Compliance:

10.5.1 The directives of regulatory bodies such as Bangladesh Bank, the Ministry of Finance, the Office of the Income Tax Commissioner and the Office of the Registrar of Joint Stock Companies and Firms, etc. shall be complied with properly.

10.5.2 In this regard, Internal Control & Compliance has been established to ensure that all instructions, policies and regulations pertaining to the Bank’s activities and functions are:

a) Circulated to the appropriate parties (to be ensured by the controlling office, circle, zone); and
b) Archived by them for future reference and use (to be ensured by the controlling office, circle, zone).

10.6 Functions of Compliance:

10.6.1 Receiving audit and inspection reports from the audit and inspection unit and Bangladesh Bank/Commercial Auditors;

10.6.2 Ensuring compliance with regulatory requirements and Bangladesh Bank Inspection Reports/Commercial Audit Reports/Internal Audit Reports, etc.;

10.6.3 Preparing compliance reports for the Board and Audit Committee for decisions;

10.6.4 Compiling all relevant circulars and guidelines and maintaining strong liaison with the regulatory authorities;

10.6.5 Arranging meetings to reduce the number of audit objections;

10.6.6 Timely dissemination of all regulatory updates to the concerned departments;

10.6.7 Providing training & guidance on regulatory issues, etc.


10.7 There are five interrelated components to ensure strong internal control over organization’s activities namely:

(1) Control environment; (2) Control activities; (3) Risk assessment; (4) Information and communication; and (5) Monitoring.

A structure of the Internal Control Process is presented in the following diagram.

[Diagram: Internal control process, showing the components Monitoring, Control activities, Risk assessment and Control Environment]

10.8 Information and Communication System

10.8.1 Every organization should devise a strong internal control environment as it is the foundation for all other components of IC. The components of control environment include management philosophy and operating style, integrity and ethical values, competence, the Board of Directors or audit committee and organizational structure and assignment of authority and responsibility.

10.8.2 The risk assessment component of the internal control framework structure consists of the identification and analysis of relevant risks that may prevent the attainment of the company’s objectives and the formation of plan to determine how to manage the risk. Since economic, industry regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the diverse risks associated with change. Information must be identified, processed, and communicated so that appropriate personnel may carry out their responsibilities.


10.8.3 The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing procedures. Internal control deficiencies should be reported upstream; serious matters must be reported to the Audit Committee of the BoD and the MD & CEO.

10.8.4 The Internal Control System (ICS) is intertwined with the Bank’s operating activities and exists for fundamental business reasons. IC becomes most effective only when controls are built into the entity’s infrastructure and are a part of the essence of the enterprise. It is an integrated process where everyone in an organization has responsibility in different capacities.

10.9 Responsibilities of the Management for Compliance

10.9.1 The Managing Director & CEO is ultimately accountable and should own the system.

10.9.2 More than any other individual, the chief executive should uphold integrity, ethics and the other factors of a positive control environment.

10.10 Responsibilities of The Board of Directors for Compliance 20

10.10.1 The bank’s Board of Directors is responsible for supervising the total process of the bank’s compliance work.

10.10.2 All banks should have a compliance policy of their own, approved by the BoD, which will be a formal document for establishing a permanent and effective compliance function.

10.10.3 At least once a year, the Board or the Audit Committee of the Board should review the scope of the compliance policy and whether it is working effectively or not.

10.10.4 A bank’s compliance policy will not be effective unless the Board of Directors promotes the values of honesty and integrity throughout the institution.

20 BRPD Circular No. 11 (2013)


10.10.5 They should also act proactively in implementing the policy, ensuring that compliance issues are resolved effectively and expeditiously by senior management within the expected timeframe.

10.10.6 The Board may delegate these tasks to its Audit Committee, if necessary.

10.11 Responsibilities of Senior Management for Compliance 21

10.11.1 The bank’s senior management is responsible for establishing the compliance policy approved by the BoD, which contains the basic principles to be followed and explains the main processes through which compliance risks are to be identified and managed at all levels of the institution.

10.11.2 Transparency should be promoted by making a distinction between general standards for all employees and rules that only apply to specific groups.

10.11.3 The duty of senior management is to ensure that the compliance policy is observed and that appropriate corrective and disciplinary action is taken in the event that breaches are identified.

10.11.4 Senior management should have plans for how to address any shortfalls in policy, procedures, implementation or execution, and should see how effectively existing compliance risks have been managed, as well as look for the need for any additional policies or procedures to deal with new compliance risks identified as a result of compliance risk assessment at any time in a financial year;

10.11.5 They should report to the Board of Directors or the Audit Committee of the Board, if necessary, about the management of compliance risk.

10.11.6 In case of any significant material non-compliance, they should report immediately to the Board of Directors or the Audit Committee, in cases such as failures that may lead to a significant risk of legal or regulatory sanctions or fines, financial loss, or loss of reputation.

21 BRPD Circular No. 03 (2016)


10.12 Responsibilities of the Head of Compliance 22

10.12.1 The Bank should have an executive with overall responsibility for coordinating the recognition and supervision of the bank’s compliance risk and for supervising the activities of other compliance officers.

10.12.2 The nature of the reporting line or other functional relationship between officers exercising compliance responsibilities and the Head of Compliance will depend on how the bank has chosen to organize its compliance functions.

10.12.3 Compliance officers placed in business units or in subsidiaries may have a reporting line to operating business unit management or local management.

10.12.4 It is also worth mentioning that such officers may have a reporting line to the Head of Compliance as regards their support units (e.g. legal, financial control, risk management).

10.12.5 However, these units may work closely with the Head of ICC to ensure that he can perform his responsibilities effectively.

10.13 Responsibilities of the Audit Committee

10.13.1 The Audit Committee is typically held responsible for overseeing the financial reporting process and the internal control system.

10.13.2 It also reinforces the internal control system and the internal and external audit by encouraging communication between the members of the Board of Directors, senior management, the internal audit department, the external auditor and the supervisory authority.

10.13.3 It confirms the initial audit charter and audit plan as well as the resources required, and receives the internal auditor’s recommendations and management’s plan for implementation.

10.13.4 The Audit Committee regularly discusses the institution’s risk areas and has to report these findings to the Board of Directors.

22 BRPD Circular No. 03 (2016)


10.14 Responsibilities of the Risk Management Committee 23

10.14.1 The Risk Management Committee will comprise five members drawn from the members of the Board of Directors and will be nominated for three years.

10.14.2 The company secretary will be the member secretary of that committee.

10.14.3 During the implementation of the strategic plan and policies developed by the BoD, the Risk Management Committee will take steps for the efficient mitigation of risks.

10.14.4 The Risk Management Committee will monitor, identify and quantify risks and will make arrangements for building up the necessary capital and provisional reserve for the mitigation of risks (viz. credit risk, foreign exchange risk, internal control and compliance risk, money laundering risk, ICT risk, operational risk, interest risk, liquidity risk and other risks).

10.15 Responsibilities of the Internal Auditors:

10.15.1 By conducting an extensive audit throughout the year and reporting their findings in an appropriate manner, the internal audit team helps management to address and resolve different risks and irregularities in business operations.

10.15.2 The Internal Auditor should write a section in the audit report regarding all compliance issues of the branch/division.

10.15.3 Internal Auditors are controlled by the Audit and Inspection Unit/Division; the Auditors posted in circle offices are also accountable to the Head Office Audit and Inspection Division under the ICC of Agrani Bank Limited.

10.16 Internal Audit Compliance:

10.16.1 Instruction Regarding Audit Compliance:

Categorization of audit objections, preparation of audit reports and compliance with audit reports, etc. are being followed vide MD’s memorandum No. MD: NIKO: 03:84/42 dated 15 August 1993, which revised MD’s memorandum No. MD: NIKO: 03:84/74 dated 02 July 1985 and MD’s memorandum No. MD: NIKO: 03:84/203 dated 30 June 1986.

23 BRPD Circular No. 11 (2013)

10.16.2 Definition of Nirikha Paripalan Patra-1 (NIPP-1):

10.16.2.1 NIPP-1 is a prescribed printed form used by the internal auditors to write down the internal audit objections during the audit period.

10.16.2.2 This form contains the serial number of objections, the description of audit objections and the compliance of the manager of the branch.

10.16.2.3 The concerned manager of the branch sends the audit compliance for the audit objections to the Audit Compliance Division using NIPP-1.

10.16.2.4 NIPP-1 is only used for Minor Irregularities (MI).

10.16.3 Compliance with Nirikha Paripalan Patra-1 (NIPP-1):

10.16.3.1 A reminder letter is issued by the Audit Compliance unit to the concerned Branch/Offices for sending compliances/responses within a specified time frame. If the responses are not received within the specified time frame, monitoring functions will not be stopped/delayed.

10.16.3.2 When a primary response from the Branch Office is received before the letter for compliance is issued, the concerned section of the Audit Compliance unit will monitor any unsettled irregularities mentioned in the Audit Report, using the format of the manager’s compliance with NIPP-1.

10.16.4 Definition of NIPP-2 (ka):

10.16.4.1 It means Nirikha Paripalan Patra-2. It is a kind of prescribed printed form ordered by MD: Circular/20/07, dated 02/09/2007.


10.16.4.2 This form contains the serial number of lapses, types of lapses, details of lapses and the auditors’ remarks. Auditors prepare NIPP-2 (ka) in three sets for the serious lapses/major lapses.

10.16.4.3 Previous audit objections which were not resolved up to the current audit are mentioned in the first part of NIPP-2.

10.16.4.4 The serious lapses and major lapses identified in the current audit are mentioned in the second part of NIPP-2 (ka).

10.16.4.5 The original copy of NIPP-2 (ka) is kept for use by the Audit Compliance unit/Division, and the second and third copies are kept at the concerned Branch Office for Bangladesh Bank and for the Branch Office’s own use.

10.16.5 Definition of NIPP-2 (kha):

10.16.5.1 It means Nirikha Paripalan Patra-2 (kha). It is a kind of prescribed printed form ordered by MD: Circular 03:84/43 dated 15/08/93 & MD: Circular/20/07 dated 02/09/2007.

10.16.5.2 This form contains the serial number, lapse number, types of lapses, details of lapses, compliance done by the manager and the zonal head’s remarks.

10.16.5.3 After receiving the DO Letter with NIPP-2 (kha) from the Compliance unit, the Branch Office will prepare its compliance/response to the DO Letter within 15 calendar days from the date of receipt, using the Format, and send it to the concerned Zonal Office.

10.16.5.4 The Zonal Office will verify the Branch Office’s responses and, after verification, the response together with the Zonal Office’s comments will have to be sent to the Compliance unit within the above-mentioned 15 calendar days.

10.16.6 Compliance with Response to Nirikha Paripalan Patra-2 (NIPP-2, Ka, Kha):

10.16.6.1 Auditors prepare NIPP-2 in three sets for the serious lapses and major lapses.


10.16.6.2 Previous audit objections which were not resolved up to the current audit are mentioned in the first part of NIPP-2.

10.16.6.3 Due care is taken when these unresolved audit objections are mentioned, so that any and all unresolved audit objections are mentioned in the NIPP-2.

10.16.6.4 The serious lapses and major lapses identified in the current audit are mentioned in the second part of NIPP-2.

10.16.6.5 The original copy of NIPP-2 is kept for use by the Audit Compliance unit, and the second and third copies are kept at the concerned Branch Office for Bangladesh Bank and for the Branch Office’s own use.

10.16.6.6 Following the above procedure, the original copy of NIPP -2 is sent to the Compliance Division by the Audit Team.

10.16.6.7 The Audit & Inspection Division forwards it to the Compliance unit.

10.16.6.8 The concerned section of the Compliance Unit will prepare Demi Official (DO) Letter where summary of audit objections and other relevant information are mentioned.

10.16.6.9 This DO letter is sent to the Head of the concerned Branch office.

10.16.6.10 The DO Letter contains the serious lapses. A summary of the Audit Report is sent to the concerned Circle Office/Zonal Office/Branch Office for taking necessary actions.

10.16.6.11 After receiving the DO letter from the Compliance unit, the Branch Office will prepare its compliance/response to the DO letter within 15 calendar days from the date of receipt, using the Format, and send it to the concerned Zonal Office.

10.16.6.12 The Zonal Office will verify the Branch Office’s responses and, after verification, the response together with the Zonal Office’s comments will have to be sent to the Compliance unit within the above-mentioned 15 calendar days.

10.16.6.13 The Zonal office will scrutinize the compliance of the concerned Branch.

10.16.6.14 Necessary steps/guidance will be given by the Zonal Office to resolve the Audit objections.

10.16.6.15 Steps have to be taken to prevent the repetition of objections of the same nature in subsequent audits.

10.16.6.16 After regularization of the audit objections mentioned in the audit report, a compliance report is sent to the Head of ICC within the specified timeframe.

10.16.6.17 If this compliance report is not sent within the stipulated time, the main objective of the audit is not achieved.

10.16.6.18 For this reason, the concerned section of the Compliance Division will take steps to obtain the response by issuing a reminder letter, if necessary.

10.16.6.19 A special report has to be prepared for the serious lapses where the Bank is facing financial loss or there is a possibility of incurring financial loss in the future.

10.16.6.20 This special report has to be placed before the Head of ICC.

10.16.6.21 The Head of ICC shall place the report before the Audit Committee of the Board and the MD & CEO for taking administrative action.

10.16.6.22 The MD & CEO shall take administrative action against guilty Officers/employees as per the general practices of the Bank, and accountability and good corporate governance have to be ensured within the organization.

10.17 Settlement of Audit Objections

10.17.1 Internal audit objections settlement and file close:

10.17.2 Spot rectification: During the audit, some irregularities are rectified on the spot. The Audit team must give emphasis to the rectification of errors or omissions in the report.

10.17.3 Meeting Prior to Submission: On the closing day of the audit there must be a meeting between the head of the Branch/Office and the Audit team members. In this meeting, discussions are generally held on the objections raised by the auditors during the audit period. If the branch office can satisfy the auditor, the objections may be settled by consensus, while the unsettled objections are brought into the Audit report.

10.17.4 After audit settlement: The procedures after audit settlement are as follows:

Action for Guilt: Ensuring that the necessary steps are taken by the Management/Controlling Office regarding the persons found guilty of non-compliance or violation of the laws of the land and the policy, rules & regulations of the Bank. After initiating or taking the required administrative punitive action (such as show cause, suspension and legal action), the matter will be handed over to MANCOM. MANCOM will then decide on the further action to be taken.

Audit objections are classified into four categories: i) Minor Irregularities; ii) Major Lapses; iii) Serious Lapses.

10.18 Settlement of Minor Irregularities (MI) and File Close:

10.18.1.1 Minor irregularities are identified by the auditor and mentioned in NIPP-1.

10.18.1.2 The Branch Office will prepare its compliance/response within 15 calendar days from the date of receipt using the Format and send it to the concerned Zonal Office.

10.18.1.3 The Zonal Office will verify the Branch Office’s responses.

10.18.1.4 After verification, the response together with the Zonal Office’s comments will have to be sent to the Audit Compliance Division within the above-mentioned 15 calendar days.

10.18.1.5 The Compliance Division/Unit will raise the issue to line management, i.e., the Head of ICC and the MD & CEO, for settlement of the objections.

10.19 Settlement of Major Lapses (ML) and File Close:

10.19.1.1 For settlement of administrative objections, the Audit and Inspection Division (AID) will raise the issue to the Head of ICC and ultimately to the Audit Committee, if required.

10.19.1.2 When recovery or compliance is made by the branch regarding major lapses, the Compliance Division will decide on the settlement of the objections.

10.19.1.3 When unsettled objections or irregularities are reported in the present audit report, the previous objections are considered as transferred to the present report and the previous file is subsequently closed.

10.19.1.4 However, if any objection/major lapse is reflected in the next audit report two times consecutively, or it is found that the major lapses are not settled within a reasonable time, then this type of major lapse will be deemed to be a serious lapse.

10.19.1.5 Auditors must always be careful to identify this type of lapse.

10.19.1.6 Any mistake or failure to recognize the major lapses goes against the auditors.

10.19.1.7 Punitive actions for lapses deemed to be serious are the same as the action to be taken in cases of serious lapses.

10.20 Settlement of Serious Lapses (SL) and File Close:

10.20.1.1 For settlement of administrative objections, AID will raise the issue to the Head of ICC and the Audit Committee will give the decision.

10.20.1.2 If required, the matter will be raised at the Board Meeting of the Bank.

10.20.1.3 When recovery or compliance is made by the branch regarding serious lapses, the Compliance Division will decide on the settlement of the objections.

10.20.1.4 ICC must place all SL before the Board Audit Committee for decision.

10.20.1.5 Without the consent of the Audit Committee, no SL can be settled. The Audit Committee’s decision is final.

10.20.1.6 When unsettled objections or irregularities are reported in the present audit report, the previous objections are considered as transferred to the present report and the previous file is subsequently closed.

10.21 Issuing Demi Official (DO) Letter:

10.21.1.1 After receipt of the Audit Report by the Audit Compliance Division, a DO letter has to be issued to the Branch Offices/Divisions/Offices within 15 days for sending compliance/response.

10.21.1.2 In the DO letter, a specific date for sending the compliance/response has to be mentioned.

10.22 Placement of Special Note:

10.22.1 A special note has to be placed for serious lapses with specific recommendations fixing the person(s) and his/her responsibility, along with the punitive measures to be taken.

10.22.2 This office note requires the approval of the line management.

10.22.3 The time frame for sending responses after rectifying/complying with the irregularities is as follows:

Branch Grade : Time frame
A grade branch office : 20 days
B grade branch office : 15 days
C and D grade branch office : 10 days

10.22.4 After obtaining approval from the MD & CEO, administrative action is taken against guilty Officers/employees as per the general practices of the Bank, and accountability and good corporate governance have to be ensured within the organization.

10.23 Government Commercial Audit Compliance:

10.23.1 Audit is conducted in the branch offices of Agrani Bank Limited as well as the Head Office, Divisional Offices, Circle Offices and Zonal Offices by the office of the Director General, Directorate of Government Commercial Audit of the CAG.

10.23.2 Branch Offices of the Bank are audited by the offices of the Deputy Directors of Dhaka, Chittagong, Rajshahi, Khulna and Sylhet Government Commercial Audit.

10.23.3 At present, Branch Offices of the Sylhet and Barisal Divisions are audited by the Offices of the Deputy Directors.

10.23.4 Government Commercial Audit is usually conducted for a period of two years, sometimes for a three/four/five-year period.

10.23.5 Head Office/Corporate Branch Offices are audited every year.

10.23.6 If required, Circle Offices and Zonal Offices are audited by the concerned Directorate of Government Commercial Audit.

10.23.7 Audit objections of the Government Commercial Audit are categorized into two classes: (1) ordinary objections, categorized as Ordinary Objection or ordinary clause, and (2) serious financial objections, categorized as Advance Objection or Advance clause.

10.23.8 Monitoring and Follow-up:

The following steps are taken to expedite the compliance audit by the Audit Compliance Division.

10.23.9 Ordinary Objections:

10.23.9.1 The responses to the ordinary objections of the concerned offices have to be reviewed within 30 calendar days from the date of receipt of the responses.

10.23.9.2 If it is found after review that the ordinary objections are not settled, a first reminder letter has to be issued within the next 7 working days.

10.23.9.3 Thirty (30) calendar days will be allowed in the first reminder letter to settle/resolve the ordinary objections.

10.23.9.4 If the ordinary objections are not settled within the above time frame, a second reminder letter has to be issued within the next 7 working days and a further 10 working days will be allowed for compliance.

10.23.9.5 Copies of the second reminder letter have to be sent to the Circle office/Zonal office.

10.23.9.6 If the situation does not improve, a third reminder letter has to be issued within the next 7 working days giving a final 10 working days for compliance.

10.23.9.7 Copies of the third reminder letter have to be sent to the Circle or Zonal office.

10.23.9.8 Close correspondence has to be maintained until settlement.

10.23.9.9 The Head of ICC may put up the matter to the Audit Committee of the Board and Management for administrative action.

10.23.9.10 The BoD and the senior management would establish a code of ethics that all levels of personnel must sign and adhere to.

10.23.10 Advance Objections/ Clauses:

10.23.10.1 The responses to the advance objections of the concerned offices have to be reviewed within 30 calendar days from the date of receipt of the responses.

10.23.10.2 If it is found after review that the advance objections are not settled, a first reminder letter has to be issued within the next 7 working days. 30 calendar days will be allowed in the first reminder letter to settle or resolve the advance objections.

10.23.10.3 If the advance objections are not settled within the above time frame, a second reminder letter has to be issued within the next 7 working days and a further 10 working days will be allowed for compliance.

10.23.10.4 Copies of the second reminder letter have to be sent to the Circle office and Zonal office.

10.23.10.5 If the situation does not improve, a third reminder letter has to be issued within the next 7 working days giving a final 10 working days for compliance. Copies of the third reminder letter have to be sent to the Circle or Zonal office.

10.23.10.6 Close correspondence has to be maintained until settlement.

10.23.10.7 The head of the Audit Compliance Division can put up the matter to the Head of ICC to resolve the objection.

10.23.10.8 The summary of the time frame for sending reminder letters and compliance thereon is shown as follows:

Responses have to be reviewed : Within 30 calendar days
Issuance of first reminder letter : Within next 7 working days
Days allowed for compliance : Within next 30 calendar days
Issuance of second reminder letter : Within next 7 working days
Days allowed for compliance : Within next 30 calendar days
Issuance of third reminder letter : Within next 7 working days
Days allowed for compliance : Within next 10 calendar days

10.23.11 Commercial Audit Objections Settlement and File Close:

a) Spot rectification: During audit some irregularities can be rectified on the spot. The audit team must insist on rectification of errors or omissions on the spot, when possible, and report accordingly.

b) Discussion meeting: At the closing day of the audit there must be a meeting between the head of the branch and the audit team members. As a result of this discussion, some irregularities may be mitigated.

c) After audit settlement: Audit objections are classified into two categories:
- Ordinary Objections (Nominal Objections)
- Advance Objections (Serious Objections)

10.23.11.1 Ordinary Objections:
i. Are settled when the Bank gives written evidence of corrective action within a certain time, with supporting/logical documents, to the auditor.
ii. When the auditor is not convinced by the corrective action taken by the branch, a bi-party meeting will be arranged for the settlement of the objections raised. The Bank will remain present in the meeting with supporting documents for onward settlement of the objections in question.
iii. Following the above procedures, if the auditors are convinced, they will issue an office order regarding the settlement of the audit objections.

10.23.11.2 Advance Objections:
i. The concerned branch is to provide written confirmation of corrective action with related supporting documents, viz., photocopies of vouchers, A/c Statements, certificate of compliance, etc., and the auditors, if convinced by these, will issue a circular letter regarding the settlement of the audit objections.
ii. When the stipulated time has expired and the auditor is not convinced by the corrective action taken, a tri-party meeting will be arranged for the settlement. The Bank will remain present in the meeting with supporting documents for onward settlement of the objections in question.
iii. After following the above procedures, subject to the full satisfaction of the auditors, they will issue an office order regarding the settlement of the audit objections.

10.24 Bangladesh Bank Inspection Compliance:

10.24.1 Bangladesh Bank, as the regulatory authority of the nationalized commercial Bank, conducts inspection/audit in order to ensure whether Bangladesh Bank’s policies/guidelines are implemented/followed by the Bank. This inspection is usually conducted annually on the branch offices and the divisions of the Head Office. Bangladesh Bank inspects the Branch offices in the following four categories:

- Agriculture Loan Inspection
- Detailed Inspection
- Special Inspection on certain issues
- Foreign trade transaction inspection

10.24.2 Bangladesh Bank Inspection objections settlement and file close:

10.24.2.1 Compliance made by the branch, with logical documents, is required for the settlement of audit objections. On receipt of the compliance certificate from the branch manager, countersigned by the zonal head and circle head, the Audit Compliance Division will give its decision on the final settlement of the objections.

10.24.2.2 When unsettled objections/irregularities are found and reported in the present Inspection report of Bangladesh Bank, the previous objections are automatically transferred and the previous file is considered closed.

10.24.2.3 For the settlement of long outstanding objections, the Audit Compliance Division will arrange a meeting between Bangladesh Bank and Agrani Bank Limited’s top management. During the discussion some objections are settled and others are reviewed; if Bangladesh Bank is not convinced, it will issue a re-notice for the unsettled objections. The Audit Compliance Division will inform the concerned branch regarding the settled objections.

10.24.3 Special Inspection on specific issue:

10.24.3.1 Bangladesh Bank conducts a special inspection/investigation when it receives complaints from customers or any other parties regarding a branch office’s daily irregular activities. Bangladesh Bank also conducts investigations into irregularities that may be reported in the newspapers.

10.24.3.2 After investigation, a detailed description of the objections/ complaints, specifying the guilty officers/ employees is mentioned with suggestion for taking administrative action.

10.24.3.3 If the Bank thinks fit, or if the Bank has a difference of opinion on the same issue, an investigation is done by the Audit & Inspection Division.

10.24.3.4 With the approval of the line management necessary steps can be taken against the concerned employees by the Head of ICC.

10.24.4 Inspection regarding Foreign trade Transactions:

10.24.4.1 Foreign trade inspection Division of Bangladesh Bank inspects the authorized dealer branch offices of the Bank.

10.24.4.2 The Head of ICC will receive the file about this inspection through the Managing Director.

10.24.4.3 The Audit Compliance Division collects the responses from the concerned branches/offices and then sends those responses to Bangladesh Bank.

10.24.4.4 If necessary, the Audit Compliance Division monitors subsequent actions regarding the file.

10.25 External audit Compliance:

10.25.1 As per section 24 of the Bangladesh Bank Nationalization Order 1972 and subsequently the Banking Companies Act 1991, at least two chartered accountant firms established under the Bangladesh Chartered Accountants Order, 1973 (Presidential Order 2 of 1973) are appointed as auditors of the Bank to conduct the audit.

10.25.2 The Audit firm conducts the audit and examines the financial statements and other schedules/notes of the accounts of the Bank. After the audit is completed, the Audit firm submits its auditor’s report along with the financial statements.

10.25.3 Settlement of objections raised by the Audit Firm appointed by the Board and file close: The management of Agrani Bank Limited will take necessary action centrally, under the coordination of the Head of ICC, to resolve the objections raised by the Audit firm appointed by the Board.

10.26 Audit Clearance:

10.26.1 Audit clearance of Agrani Bank’s executives/officers/employees is necessary during Preparatory Leave before retirement/retirement, and clearance is also required at the time of annual salary increment and promotion.

10.26.2 The Audit Compliance Division issues audit clearance against the Memorandum of the HR Department when executives/officers/employees of the Bank plan to go on Preparatory Leave/full retirement.

10.26.3 Audit clearance is also issued against the Memorandum regarding annual salary increment/promotion of the employees of the Bank. This division issues audit clearance after examining the documentation.

11. Conclusion:

11.1 Agrani Bank Limited is playing a key role in accelerating the development of the Bangladesh economy. It is one of the prime institutions for the economic uplift of the people of Bangladesh and one of the main vehicles for developing the Bangladesh economy as a whole. There have been crises as well as achievements in its long journey of 42 years of banking since independence.

11.2 The bank, as a development partner, must be transparent. So there is a need to pursue a systematic examination of books and records in order to ascertain or verify, and to report upon, the facts regarding its financial operations and the results thereof. In this regard, Bangladesh Bank has directed that banks should have their own Internal Control and Compliance manual. Bangladesh Bank has set out guidelines, and in pursuance of those, Agrani Bank Limited developed the ICC manual for its Internal Control and Compliance purposes.

11.3 In this manual the procedures, rules and guidelines are constructed in such a way that the officials concerned under ICC can easily use it as a reference in discharging their duties and responsibilities perfectly and efficiently. Moreover, it may be treated as a guideline for others.

11.4 We believe that this Policy & Procedure-2016 [Internal Audit (Risk Based) Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual] will strengthen the Internal Control system of our Bank and will play a vital role towards achieving our goal of a modern and vibrant Agrani Bank Limited.

11.5 This is not the final work. In fact, this is a continuous process. There will always be an option for change to cope with the needs of the time.

______

First Edition: It is to be disclosed that ICC Manual-2013 was earlier prepared by the following committee under the leadership of Mr. Mubarak Hossain, General Manager and the then Head of ICC of Agrani Bank Ltd. The members of the committee for ICC Manual-2013 were as under:
1. Chairman : Mr. Mobarak Hossain (General Manager and Head of ICC)
2. Member Secretary : Mr. Md. Shahidul Islam (Asstt. General Manager)
3. Member : Mr. Rafiqul Islam, Senior Officer (Auditor)
4. Member : Mr. Md. Shahidul Islam, Senior Officer (Auditor)
5. Member : Mr. Md. Anowar Hossain, Senior Officer (Auditor)

Second Edition:

The following Committee, under the guidance of Mr. Md. Monowar Hossain FCA, General Manager and Head of ICC, Agrani Bank Limited, worked for the preparation of ICC Manual-2015 considering recommended changes. The members of the committee are as under:
1. Chairman : Mr. Md Monowar Hossain (General Manager and Head of ICC)
2. Member Secretary : Mr. Md. Hafizur Rahman (Deputy General Manager)
3. Member : Mr. Md. Abu Sohel, Principal Officer
4. Member : Mr. Jyotirmoy Sarker Sameer, Principal Officer
5. Member : Mr. Md. Abdul Jalil, Senior Officer (Auditor)

Third Edition:

It is to be disclosed that the following Committee members, under the guidance of Md. Monowar Hossain FCA, Head of ICC, Agrani Bank Limited, worked for the preparation of ICC Policy & Procedure-2016 [Internal Audit (Risk Based) Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual] considering the “Guidelines on Internal Control and Compliance in Banks-2016” circulated by Bangladesh Bank BRPD circular letter no-03 dated 08/03/2016.

The members of the committee are as under:
1. Chairman : Mr. Md. Monowar Hossain (General Manager and Head of ICC)
2. Member Secretary : Mr. Md. Hafizur Rahman (Deputy General Manager)
3. Member : Mr. Jyotirmoy Sarker Sameer, Principal Officer
4. Member : Mr. Md. Labib Uddin, Senior Officer
5. Member : Mr. Md. Abdul Jalil, Senior Officer (Auditor)

Fourth Edition:

The following Committee, under the guidance of Mr. Md. Monowar Hossain, FCA, General Manager and Head of ICC, Agrani Bank Limited, worked for the preparation of ICC Policy and Procedures-2018 [Internal Audit (Risk Based) Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual] considering recommended changes.

The members of the committee are as under:
1. Chairman : Mr. Md Monowar Hossain FCA (General Manager and Head of ICC)
2. Member Secretary : Mr. Hossain Iman Akanda (Deputy General Manager)
3. Member : Mr. Md. Johurul Islam, Senior Principal Officer
4. Member : Mr. Jyotirmoy Sarker Sameer, Principal Officer
5. Member : Mr. Mohammad Mahbubul Haque, Principal Officer

The committee also thanks the ICC Team for actively participating in the task of doing the needful: Mr. Md. Abdul Aziz Dewan, Deputy General Manager; Mr. Md. Ruhul Amin Chowdhury, Deputy General Manager; Mr. Md. Shahidul Islam, Deputy General Manager; and Mr. Md. Abul Kashem, Deputy General Manager.

We believe that if this ICC Policy and Procedures is followed strictly, the Bank will steadily progress and develop effectively and efficiently. ____ THE END ___

Annexures of ICC

Contents of Annexures

SL. | Particulars | Page No.

Audit Monitoring and Controlling Division (pages 167-316)
1. Annexure-1 Circle Head and Zonal Head Inspection Check list (167)
2. Annexure-2 Credit Management Checklist (172)
3. Annexure-3 (a) Departmental Control Functional Checklist-Daily (178); (b) Departmental Control Functional Checklist-Weekly (206); (c) Departmental Control Functional Checklist-Monthly (208)
4. Annexure-4 Loan Documentation Checklist (LDCL) (214)
5. Annexure-5 Quarterly Operational Report (220)
6. Annexure-6 Control Function Risk Rating (227)
7. Annexure-7 Report of Internal Control Team (ICT) (232)
8. Annexure-8 IT and Security Management Checklist (233)
9. Annexure-9 (a) Checklist for Import L/C (236); (b) Checklist for Back to Back L/C (237); (c) Checklist for Export L/C (238)

Audit & Inspection Division (pages 240-246)
10. Annexure-10 Previous Audit Objection’s False Compliance (240)
11. Annexure-11 Responsibility period wise Grip Loans/Irregularities (241)
12. Annexure-12 Position of Year wise Agriculture Loan (242)
13. Annexure-13 Position of Year wise Expired General Loan (243)
14. Annexure-14 Position of Period wise Unsettled Certificate case (244)
15. Annexure-15 Position of year wise under trial money suit for collection of general loan (245)
16. Annexure-16 To perform Audit task effectively: responsibilities of the Audit Team (246)

Audit Compliance Division (pages 247-185)
Internal Audit (pages 247-254)
17. Annexure-17 Monthly Statement of Audit Objections (247)
18. Annexure-18 Nirikha Paripalon Patra (NIPP)-1 (248)
19. Annexure-19 Nirikha Paripalon Patra (NIPP)-2 (249)
20. Annexure-20 Audit Objections Identified in Internal Audit (250)
21. Annexure-21 Audit Clearance regarding Annual Salary Increment (251)
22. Annexure-22 Branch Inspection Report (252)

External Audit (pages 255-256)
23. Annexure-23 Audit Objections identified in Statutory Audit/External Audit (255)
24. Annexure-24 Response and Certification to the External Audit Report (256)

Commercial Audit (pages 257-266)
25. Annexure-25 Unsettled audit objections (257)
26. Annexure-26 Rectification/Regularization/Settlement of External Audit (258)
27. Annexure-27 Responses to the Government Commercial Audit Objectives (259)
28. Annexure-28 Minutes of the joint Meeting (260)
29. Annexure-29 Resolving ordinary Audit Objections (261)
30. Annexure-30 Standing Committee Meeting (262)
31. Annexure-31 Commercial Audit Objections and Settlement (263)
32. Annexure-32 Statutory Audit Objections/Settlement Summary (264)
33. Annexure-33 Format of the monthly Statement sent to the Ministry & Division Offices (265)
34. Annexure-34 Audit Objections identified in Statutory Audit/External Audit (266)

Bangladesh Bank Inspection (pages 267-273)
35. Annexure-35 Bangladesh Bank detailed Inspection Report (267)
36. Annexure-36 Bangladesh Bank detailed Inspection Report (268)
37. Annexure-37 Closing Bangladesh Bank Details Branch Inspection (269)
38. Annexure-38 Audit Objections identified in Bangladesh Bank (270)
39. Annexure-39 Proforma-1 of NIPP-1 to be used by the manager (271)
40. Annexure-40 Proforma-2 of NIPP-2 to be used by auditor (272)
41. Annexure-41 Proforma-3 of NIPP-3 to be used by ACD (273)

Others (pages 274-316)
42. Annexure-A Branch Audit Rating (274)
43. Annexure-B Foreign Trade and Foreign Exchange Checklist for Auditors (281): A. Import Related Irregularities (Cash L/C) (281); B. Import Related Irregularities (Back to Back L/C) (282); C. Export Related Irregularities (283); D. Foreign Remittance Related Irregularities (283)
44. Annexure-C Borrower-wise loan-related Format ‘Ka’ for use by auditors (284)
45. Annexure-D & D1 Applicable formats and instructions for preparing the Bank’s Health Report (285)
46. Annexure-E IT Audit Reporting Sheet (297-316)

Annexure: 01 Agrani Bank Limited ...... Branch

Circle Head and Zonal Head Inspection Check list

Sl. | Administration | Y(√)/N(×) | Remarks
1 Whether the security measures of the branch are adequate
2 Whether the attendance register is maintained properly
3 Whether office staff reside within 30 minutes’ distance
4 Whether office staff maintain the dress code of the bank
5 Whether non-clerical staff are wearing office dress
6 Whether the leave register is maintained properly
7 Whether the duty list of all officers and staff is up to date
8 Whether job rotation is effected
9 Whether any employee has been posted in the branch for a period over 3 years
10 Whether branch cleanliness (both inside and outside) is maintained properly
11 Whether the branch signboard has the proper colour and size and is hung in the proper place etc.

Sl. | Cash | Y(√)/N(×) | Remarks
1 Whether cash is found correct
2 Whether cash is within the safe limit
3 Whether soiled and mutilated notes are mixed with issue notes
4 Whether notes are kept as per (sorting, stitching & packeting) instructions
5 Whether there is a long outstanding balance of mutilated notes, i.e. whether any initiative has been taken for changing those notes
6 Whether the vault is safe enough or as per specifications, i.e. concrete (RCC) wall & floor, pore-less, under CCTV coverage, door alarm bell, chap door & grille etc.
7 Whether the vault register is maintained properly
8 Whether the balance of Prize bonds is physically counted and found correct, and Prize bonds are recorded in the register
9 Whether the scroll register is maintained
10 Whether the token register is maintained
11 Whether the Key register is updated
12 Whether the cash remittance register is maintained properly
13 Whether cash receipt and payment seals are maintained properly
14 Whether cash related posters, i.e. mutilated note changing poster, note (Tk. 100, 500, 1000 note) identification poster etc., are hung properly

Sl. | Deposit Banking | Y(√)/N(×) | Remarks
1 Whether the required information/papers are obtained during account opening and posted in the software properly (test checking)
2 Whether thanks letters are sent to the customer and the introducer
3 Whether account statements are sent to the customers
4 Whether the stop payment register is maintained properly
5 Whether the cheque book issue register is maintained properly
6 Whether the party concerned received the cheque him/herself (sample checking)
7 Whether the manager’s approval is taken in issuing a duplicate cheque book on Form ‘B’
8 Whether dormant accounts are identified and transferred to the respective code of the banking software
9 Whether inoperative accounts are made operative on the party’s application with close monitoring by the Manager GB
10 Whether the receipt/deposit print of the computer listing/register is checked jointly with the related vouchers
11 Whether the signatures of both inputter and authorizer are taken on every voucher
12 Whether double supervision is made for big transactions
13 Etc.

Sl. | General Banking | Y(√)/N(×) | Remarks
1 Whether the DD/Pay Order/Pay-Slip/SR block is balanced every day
2 Whether the DD/TT/MT/PO/PS/SR payable register balance and the related heads’ figures in the computer are the same
3 Whether the OBC/IBC register/related heads in the computer are maintained and monitored properly
4 Whether the computer print of the transfer sheet is checked jointly with the concerned vouchers and recorded/maintained properly
5 Whether accounts of parties working/residing abroad are monitored by the Manager GB from time to time
6 Whether deceased accounts are marked stop payment and kept under close observation of the Manager GB
7 Whether the stock of security stationery is found correct
8 Whether MICR cheque requisition and receiving are done in time
9 Whether the test keys are maintained and used properly
10 Whether the daily vouchers are checked jointly by inputter and authorizer/Manager GB

Sl. | Accounts | Y(√)/N(×) | Remarks
1 Whether the computer print of the General Ledger (GL) is checked daily (product-wise total Dr./Cr. of GL checked with the transaction print of all products) and kept in a file
2 Whether the GL balance and the ledger balances of different heads are the same
3 Whether every day’s computer-generated list of vouchers is checked and kept with the vouchers
4 Whether the daily statements of affairs and CMO/CNG A/c Extract are sent correctly and regularly
5 Whether the sundry creditor/sundry debtor register/head in the software is maintained properly
6 Whether the expenditure under different heads is in excess of the budget
7 Whether the statements are sent to Zonal and Head Office as per schedule
8 Whether the audit reports are complied with timely and properly
9 Whether any entry remains long outstanding and whether any steps have been taken

Loans and Advances [Sl.; Y(√) / N(×); Remarks]
1. Whether pre-sanction visits of the shop/firm and the collaterals are carried out.
2. Whether the loan is assessed beforehand, considering cash flow and stock position, the party's dealings in the loan account, balance sheet (if required), CIB report, etc.
3. Whether the charge documents are stamped and filled up properly.
4. Whether the insurance premium is paid regularly.
5. Whether the loan documents are obtained as per the sanction advice before disbursing the loan, and the party-wise loan documentation checklist (LDCL) is filled up and kept with the loan file.
6. Whether the safe-in/safe-out register is maintained properly.
7. Whether the stock statement of hypothecation is obtained regularly.
8. Whether the pledge godown key movement register is maintained, and proper pledge godown management is done (stock register maintained properly, frequent pledge godown visits performed, proportionate DO issued on receipt of recovery in the loan account, etc.).
9. Whether accrued interest on loans and advances is transferred to the respective income account after every quarter.
10. Whether the cash deposit, transfer voucher, cheque payment voucher and interest application voucher are posted in the loan accounts and checked/supervised by the Manager/Officer-in-charge.
11. Whether the interest rate applied in the accounts and the sanctioned interest rate are the same.
12. Whether the insurance register is maintained properly.
13. Whether the suit file register is maintained properly.
14. Whether the confidential limit register is maintained properly.
15. Whether the loan recovery assignment is distributed among the officers/staff.
16. Whether the loans are kept out of time bar.
17. Whether steps are taken in time both before and after filing of suit.

Foreign Exchange [Sl.; Y(√) / N(×); Remarks]
1. Whether the foreign currency is found correct on physical verification.
2. Whether LC commission is recovered properly.
3. Whether LC margin is collected properly.
4. Whether the inward foreign bill and PAD are presented for lodgment/payment/acceptance forthwith.
5. Whether the necessary action is taken forthwith for reconciliation of PAD outstanding.
6. Whether the LIM ledger is correctly and regularly maintained, verified and balanced.
7. Whether the LIM is created as per rules.
8. Whether the necessary measures have been taken for auction, or a reminder has been issued to the importer, for adjustment of LIM outstanding.
9. Whether the recoverable bills are reviewed periodically.
10. Whether the records of shipping guarantees issued by the branch are retained and reviewed as per norms.
11. Whether initiatives for adjustment of outstanding guarantees have been taken, and whether correspondence is ongoing with the customers for un-reconciled shipping guarantees.
12. Whether FBP, FBC and FDBC accounts are balanced and verified regularly.
13. Whether the PCC register and ledger are maintained, verified and balanced properly and regularly.
14. Whether the necessary measures have been taken for adjustment of overdue PCC.
15. Whether the customer is informed of the fate of the remittance.

IT Management [Sl.; Y(√) / N(×); Remarks]
Whether:
1. The server/router/switch room is under lock and key and the cables are secured.
2. The server and the computers at the workstations are protected by a screen-saver password; the confidentiality of user IDs and the admin password is maintained cautiously.
3. Extra/unused passwords are removed from the computer, i.e. the passwords of transferred employees are deactivated immediately, and a list of active authorizers/users is maintained in a register.
4. Passwords are at least 6 characters long and combine uppercase and lowercase letters, numbers and special characters.
5. No other internet connection exists on the computers running the banking and T-24 software; such a connection is strictly prohibited.
6. Every day's vouchers are checked against the computer-printed sheets; for the T-24 software, the initials of both authorizer and inputter are taken on the vouchers.
7. Transfer vouchers passed/inter-branch transactions (on us/off us) are checked jointly by the inputter and the authorizer/Manager GB.
8. The product-wise summary balance of the GL and the ledger balance of the respective heads are checked by the Manager GB.
9. The cheque serial entry list and deletion list are kept with every day's vouchers.
10. Every cancellation of a cheque/voucher posting is done within the delegation of powers.
11. For payment of remittances, whether the following precautions are maintained:
12. The user ID/password given by the Exchange House is changed immediately and treated as an admin password.
13. A National ID/passport copy and the system-generated money receipt are kept with the vouchers.
14. Any delay in reimbursement is kept under close supervision of the Manager GB.
Account opening and post-opening management, whether:
i. The necessary papers, with PP-size photo etc., are taken, and the data entry in the computer is checked for correctness.
ii. Thanks letters are given; the cheque book is issued only after the thanks letter has been received by the client, and the client him/herself received the cheque book.
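The password and user-register controls in items 3 and 4 above can be tested mechanically rather than by eyeballing a register. The Python below is an added example written for this edition; it is not part of the bank's policy and is not code from T-24 or any other software named in the checklist. It assumes a hypothetical export of the banking software's user list (user id, status, date of last password change) and the branch's active user register as a set of ids; the field names, the 90-day rotation period and the sample records are constructed for illustration. The 6-character minimum is the floor this policy states; it is a parameter so that a longer minimum can be enforced, which a practitioner would want.

```python
"""Branch user-access review: password-policy check and reconciliation of
the banking software's active users against the branch's active user
register. Added example for this edition; not the bank's code and not
T-24 code. Field names, thresholds and sample records are assumptions."""
import re
from datetime import date

MIN_LENGTH = 6          # the floor stated in the checklist; raise it where you can
MAX_PASSWORD_AGE = 90   # days; assumed rotation period, not stated in the checklist

# One regular expression per character class the policy requires.
REQUIRED_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_policy_failures(password, min_length=MIN_LENGTH):
    """Return the list of policy clauses the password violates ([] = compliant)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            failures.append(f"no {name} character")
    return failures


def access_review(system_users, active_register, today, max_age=MAX_PASSWORD_AGE):
    """Reconcile the software's user list with the branch's active user register.

    system_users: list of dicts with keys id, status ('active'/'disabled'),
                  last_password_change (date).
    active_register: set of user ids the branch currently lists as active staff.
    Returns {user_id: [finding, ...]} for every user with at least one finding.
    """
    findings = {}
    system_ids = set()
    for user in system_users:
        system_ids.add(user["id"])
        if user["status"] != "active":
            continue  # a disabled account is the state item 3 asks for; nothing to report
        issues = []
        if user["id"] not in active_register:
            issues.append("active in system but not on the active user register")
        age = (today - user["last_password_change"]).days
        if age > max_age:
            issues.append(f"password unchanged for {age} days")
        if issues:
            findings[user["id"]] = issues
    # Register entries with no system user: the register and the system disagree.
    for uid in sorted(active_register - system_ids):
        findings[uid] = ["on the active user register but has no system user"]
    return findings


# Constructed sample data (fictitious ids and dates), not a real export.
TODAY = date(2018, 9, 30)
SYSTEM_USERS = [
    {"id": "u1001", "status": "active", "last_password_change": date(2018, 9, 1)},
    {"id": "u1002", "status": "active", "last_password_change": date(2018, 3, 15)},
    {"id": "u1003", "status": "active", "last_password_change": date(2018, 9, 20)},
    {"id": "u1004", "status": "disabled", "last_password_change": date(2017, 1, 1)},
]
ACTIVE_REGISTER = {"u1001", "u1002", "u1005"}  # u1003 transferred out, u1005 newly posted

if __name__ == "__main__":
    for pw in ("Ab1!xy", "password", "Ab1!x"):
        print(pw, "->", password_policy_failures(pw) or "compliant")
    for uid, issues in access_review(SYSTEM_USERS, ACTIVE_REGISTER, TODAY).items():
        print(uid, ":", "; ".join(issues))
```

Run the file directly to print the findings for the constructed sample: the stale password, the system user who is still active although he has left the register (the transferred employee whose access was not removed), and the registered user with no system id are each reported under the user id, which is the evidence the register check in item 3 asks for.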


Self-Assessment of Anti-Fraud Internal Control (Internal Control and Compliance) [Sl.; Y(√) / N(×); Remarks]
1. Is the branch equipped with personnel with the IT skills to handle the banking software, viz. T24, CNG/CMO/CIB/BATCH/Classification Statement/Bexi/Infinity/Agrani Solution/BFTN, etc.?
2. Whether there has been any attempt at fraud/incident of fraud in the branch in the months since the previous visit.
3. Precautionary measures for controlling fraud, whether:
   i) security stationery is kept properly;
   ii) job rotation and the duty list are implemented;
   iii) password handling (confidentiality, complexity, changeability) is proper;
   iv) mandatory leave is implemented;
   v) every day's and every voucher's checking is done against the computer-printed supplementary;
   vi) proper formalities are maintained in account opening/cheque book issuing and other general banking operations;
   vii) the seating arrangement of staff is safe enough to protect against fraud.
4. Whether all officers and staff have gone through the ICC manual, and the branch manager reviews its implementation from time to time.
5. Whether QOR, LDCL and DCFCL are submitted by the branch to the Zonal and Head Offices in time.
6. Whether the risks identified by the Risk Based Audit are commented upon and steps taken for their mitigation.
7. Whether staff are performing their jobs with due diligence, i.e. doing duties as per office order, using the delegation of power, documenting the work done, and handing over/taking over charge when applicable.
8. Measures taken for the rectification/mitigation of fraud/irregularities detected by both external and internal audit, and whether the responsible personnel are held accountable/punished for the consequences.
9. Is there any fraud attempt left out, not identified by any audit?
10. Complaints at branch level are properly recorded and attended to.
11. Has any suspicious account operation been detected and reported to BAMELCO/CAMELCO?
12. The lifestyle of staff is under close observation.
13. Mechanisms are maintained to monitor staff accounts to prevent fraud.

Miscellaneous [Sl.; Y(√) / N(×); Remarks]
Whether:
i. There is an alternative/second hand to operate every sector/part of the branch.
ii. An up-to-date anti-virus is installed on each server and computer.
iii. The Branch Manager has taken steps to protect against IT-related fraud as per Instruction Circular no. ICC/AMD 111/13 dated 20/11/13 (Checklist no. 8).

Annexure: 02
Agrani Bank Limited
...... Branch
Credit Management Checklist

Columns: Sl. | Issues | Total score | Score obtained (yes / no)

A. BUSINESS RISK (300 marks)

A) Pre-sanction visit of shop, primary security/stock and business firm (12.50)
   Sub total: 12.50

B) Organizational structure for managing credit risk
   1. The branch has adequate experienced/trained staff to handle the credit portfolio (5.00)
   2. Proper duty allocation is made (5.00)
   3. Reporting lines are laid down and there is proper monitoring to ensure compliance (5.00)
   Sub total: 15.00

C) Borrower selection
   1. Borrowers are selected considering the 6 C's (character, capital, collateral, capacity, condition, common sense) (7.50)
   2. Whether the borrower is a habitual defaulter, market reputation, whether there is any successor, etc. (7.50)
   Sub total: 15.00

D) CIB report
   1. Latest CIB report analyzed (7.50)
   2. Confidential report collected from local bank branches, etc. (7.50)
   Sub total: 15.00

E) Collaterals: collaterals have been properly
   1. valued (valuation done in the prescribed form) (7.50)
   2. verified (confirmed in the legal opinion; genuineness of title deeds; possession) (7.50)
   3. physically visited by the Branch Manager/Authorized Officer (10.00)
   Sub total: 25.00

F) CRG: credit risk grading done considering
   1. all facilities under CRG assigned a risk grade (10.00)

   2. Data collection checklist and limit utilization form duly filled up (10.00)
   3. Risk grading score sheet/risk grading form duly filled up (10.00)
   4. Financial risk, business/industrial risk, management risk, security risk and relationship risk analyzed properly (30.00)
   5. Loan proposals sanctioned giving due importance to the risk grading (10.00)
   Sub total: 70.00

G) Credit assessment
   1. Commencement of the business relationship stated in the proposal (2.50)
   2. All facilities given to the borrower assessed annually (2.50)
   3. Customer's detailed particulars included in the credit application (5.00)
   4. Purpose and amount, with the type of loan proposed by the borrower, stated (2.50)
   5. Pre-sanction inspection report is in place (2.50)
   6. Experience of the borrower, business skills, management and success properly reviewed in the credit proposal (5.00)
   7. Borrower's rating in the industry ascertained along with overall industry concerns, and the borrower's strengths and weaknesses relative to its competitors identified (2.50)
   8. Industry position, along with suppliers and risk, analyzed (7.50)
   9. Borrower's creditworthiness established by review of 3 years' historical financial statements/past track record, i.e. any adverse report noted in the last audit reports (7.50)
   10. Earnings from the relationship properly assessed in the credit proposal (2.50)
   11. Cash flow analysis justifying the client's ability to pay reflected in the credit proposal (7.00)
   12. Credit proposal clearly mentions the current outstanding against all limits (7.50)
   13. Credit facilities availed from other banks clearly stated in the proposal and opinions obtained (5.00)
   14. Credit facilities are based on evaluation of the borrower's needs (5.00)
   15. Possible risks identified in the credit assessment and risk mitigation factors clearly mentioned in the credit proposal (5.00)

   16. Account conduct of the borrower and his allied concerns reviewed (5.00)
   17. Syndicated loans analyzed for risk and return in the same manner as directly sourced loans (2.00)
   18. Amount and tenure justified based on the projected repayment ability and loan purpose (1.00)
   19. Adequacy of the insurance coverage assessed (1.00)
   20. Policy compliance clearly stated in the loan proposal (2.00)
   21. Changes in the pricing of facilities highlighted in the proposal (2.00)
   Sub total: 82.50

H) Disbursement process
   1. Credit Administration Department checks collateral (2.50)
   2. Legal Counsel ensures the Bank's security interests are perfected (2.50)
   3. Standard loan facility documentation is used (2.50)
   4. Relationship Manager and Credit Administration Department jointly sign the documentation checklist before disbursement (5.00)
   5. Credit Administration Department issues a Satisfactory Security Certificate/Security Clearance Certificate before disbursement (5.00)
   6. Authorized officers, as per Bank policy, disburse facilities (2.50)
   7. All disbursements are covered by approved credit lines (5.00)
   8. Excess over limit (EOL) is allowed only under pre-fact credit approvals (2.50)
   9. Insurance policy is current and renewed on a timely basis (2.50)
   10. The Bank has authorization to debit the client's account in order to keep the policy in force (2.50)
   Sub total: 32.50

I) Valuation of collateral
   1. Credit Administration Department independently controls and matches the value of cash collateral which is under lien to the Bank and against which borrowings are allowed as per approval (2.50)
   2. Value of inventory and machinery supplied by the client cross-checked (5.00)
   3. Department ensures receivables actually exist and that past due, disputed and other items with impaired collateral value are identified and removed from the collateral pool (2.50)
   4. Value is sourced from independent appraisals addressed to the bank (5.00)
   Sub total: 15.00

J) Custodial duties
   1. Business units keep credit files under proper control and use is restricted to authorized individuals (2.50)
   2. Cash collateral such as Fixed Deposit Receipts, scrips, bonds, marketable securities and security documentation etc. are held under control in a fireproof vault (5.00)
   3. Two custodians and their alternates are identified in writing (2.50)
   4. Safe-in and safe-out register is properly maintained to track their movement (2.50)
   5. Release of collateral or debt obligation instruments requires appropriate approvals (2.50)
   6. Inventory financed against pledge is held in a warehouse under bank control (2.50)
   Sub total: 17.50

B. CONTROL RISK (275 marks)

H) Compliance
   1. Branch maintains a diary of Bangladesh Bank circulars, HO circulars and guidelines related to credit (14.00)
   2. All required Bangladesh Bank returns are submitted in the correct format in due time (7.00)
   Sub total: 21.00

I) Credit monitoring
   1. Excess over limit (EOL) and expired credit limits are assessed by the Branch Manager on a regular basis (3.50)
   2. Drawing power excesses and collateral shortfalls are assessed by the Branch Manager on a regular basis (7.00)
   3. Covenant violations and documentation deficiencies are examined by the Branch Manager on a regular basis to ensure that discrepancies are being acted upon appropriately (7.00)
   4. Overdraft/CC facilities are monitored on a regular basis by the Branch Manager to ensure the accounts turn over (7.00)
   5. Usage of borrowed funds is confirmed through financial statement analysis (7.00)

   6. Branch conducts financial analysis on a regular basis and monitors changes in the client's financial condition (7.00)
   7. Branch Manager/Credit in-charge regularly monitors the performance of the client's business as well as repayment, and prepares a status report (7.00)
   8. Extensions of credit limit expiry dates, if warranted by circumstances, are analyzed by the Branch Manager (7.00)
   9. Credit Department separately maintains files on credit limit expiry dates (7.00)
   10. Borrower is communicated with well ahead of time as and when installments become due (3.50)
   11. Timely renewal of limits is ensured by the Credit Department informing the Marketing Department two months ahead of the limit expiry dates (3.50)
   12. Late payment is recorded and communicated to senior management (3.50)
   Sub total: 70.00

J) Early alert process
   1. A control mechanism exists to ensure that calls/inspections are made regularly on clients and documented (10.00)
   2. Regular inspections are conducted to confirm that the bank's security/collateral is secured (11.00)
   Sub total: 21.00

K) Credit recovery and monitoring of NPL accounts
   1. Branch has taken initiatives to manage directly the accounts with sustained deterioration (a risk rating of Sub-standard (6) or worse) (5.25)
   2. Classified loan review on a quarterly basis to update the status of the recovery plan and modify the bank's strategy as appropriate (5.25)
   3. Wherever required, proper legal action taken to protect the Bank's assets (5.25)
   4. Court cases are regularly followed up and necessary steps taken for early resolution (5.25)
   Sub total: 21.00

L) NPL provisioning and write-off
   1. CIB reporting and borrower classification done in line with Bangladesh Bank guidelines (6.00)
   2. Loan loss provisions made in line with Bangladesh Bank guidelines (6.00)
   3. Eligible security value of mortgaged property taken as per guidelines (6.00)
   4. Appropriate authorities approve exceptions, waiver of interest and reschedule/compromise settlement; where applicable, Bangladesh Bank approvals are also obtained (6.00)

   5. Appropriate authorities approve write-offs in line with Bangladesh Bank guidelines (6.00)
   Sub total: 30.00

P) Approval process
   1. Relationship/Marketing Department originates the credit proposal (10.00)
   2. Each borrower has an individual unique control number (10.00)
   3. Clearance of Credit Administration has been taken for the renewal proposal regarding documentation and compliance with covenants (11.00)
   4. A time frame is stipulated for declining the credit application and intimating the client for more information and documents (10.00)
   5. All credit approvals are given on a one-obligor basis (10.00)
   6. Renewal proposal has been properly reviewed, and the financial projections of the earlier proposal have been considered by the Credit Committee (12.00)
   Sub total: 63.00

Q) Approval transaction record
   1. Credit Administration Department enters all credit facility amounts into the MIS database (14.00)
   2. Standard sanction letter is delivered to borrowers per approvals and is properly filed (10.50)
   3. Proper MIS is maintained and timely reported to management (10.50)
   4. Concerned department keeps a historical record of all disbursements (7.00)
   5. Accounting and system controls ensure that outstandings are posted to the correct account and properly summarized for management decision-making (7.00)
   Sub total: 49.00

TOTAL CONTROL RISK: 275.00
GRAND TOTAL: 575

(Manager Credit/Advance in Charge)          (Zonal Head)

Reference:
a) ABL existing practice
b) Core Risk Inspection Report performed by Bangladesh Bank (DB1-2 (DIV-5)/65/2016-689)
c) Branch Audit Rating (Annexure-A)


Annexure-3
DEPARTMENTAL CONTROL FUNCTION CHECKLIST - DAILY (a)
NAME OF THE BRANCH: ......

Columns: Process | Functions | Responsibility | Days 1 to 31 (a tick for each day the function is performed)

1. GENERAL BANKING

A. CASH MANAGEMENT

Process: Cash transaction
1.A(a) Cheques/withdrawal slips/cash debit vouchers to be cross-checked with the payment register and the Computer Print (CP) payment list by the tellers (independent). Responsibility: Teller/Paying Cashier.
1.A(b) Daily cash received and payments made, including online payments, are checked. Responsibility: Cash in charge/DM.

1.A(c) Exceptions, such as teller limit, posting restrictions, insufficiency, etc., to be checked instantly against the source document (vouchers/limit register/posting restriction register). Responsibility: Supervisor.
1.A(e) A/C number and amount on the pay-in slip to be cross-checked with the receiving register and the CP receiving list. Responsibility: Supervisor/Cash Officer.

Process: Cash in hand (local currency)
1.A(f) Physical cash balance is cross-checked and tallied with the statement of affairs. Responsibility: Cash in Charge.
1.A(g) Holding of cash within the safe limit. Responsibility: GB in charge/DM.
1.A(h) Mutilated notes are kept separately and recorded in a separate register. Responsibility: Cash in Charge.

1.A(i) The branch's fly leaf is used on each and every bundle of currency notes. Responsibility: Cash in Charge.

Process: Cash in hand (foreign currency)
1.A(j) Selling and buying of foreign currency, recorded in the register under dual control. Responsibility: In-charge GB/FEX/DM.
1.A(k) Physical cash balance is checked against the statement of affairs. Responsibility: GB In charge/DM.

B. SECURITY MEASURES OF THE BRANCH (Responsibility for all items: In-charge GB/FEX/DM)
1.B(a) Security guards are alert at the branch premises.
1.B(b) Security alarm is active in the branch.
1.B(c) Fire extinguisher is available in the branch.
1.B(d) Closed-circuit cameras with TV are active in the branch.

1.B(e) Entry into cash cabins is not permitted to unauthorized persons. Responsibility: In-charge GB/FEX/DM.
1.B(f) Joint custody of cash and valuables is in force meticulously. Responsibility: In-charge GB/FEX/DM.

C. SECURITY FORMS (Responsibility for all items: GB In charge/DM)
1.C(a) Prize bonds are recorded in the register/sheet, mentioning the prize bond number.
1.C(b) Checking of the physical stock of security forms and prize bonds against the GL and the prize bond register.
1.C(c) Physical verification of stamps in hand (with denomination) against the GL and register.

Process: Sanchaypatra
1.C(d) Receiving and recording of SP blocks from the feeding branch/BB are done properly.
1.C(e) Selling of Sanchaypatra and encashment of SP are recorded properly.
1.C(f) Claiming reimbursement against encashment of SP in time.
1.C(g) Physical verification of SP blocks against the SP stock register, and validation of the above transactions, are done.

Process: Security forms
1.C(h) The security forms issued register is maintained properly and authenticated by the joint custodians.
1.C(i) Indent for security forms is made as per the actual needs of the branch.
1.C(j) The security forms (drafts/POs) are branded with the branch name before being brought into use.

1.C(k) All packets containing security forms are opened, verified and recorded in the register under authentication of the joint custodians.
1.C(l) All invoices are neatly filed for verification.
1.C(m) Release of security forms for use is done only after authentication of the joint custodians.

D. ACCOUNT OPENING ACTIVITIES (Responsibility for all items: GB In charge/DM)
1.D(a) Complete identification of the account holder (person/company) is incorporated in the account opening form, and the genuineness of the address/registration is confirmed (by sending a thanks letter/RJSC office visit).
1.D(b) KYC and TP are filled up cautiously.
1.D(c) The various deposit accounts are opened following the applicable rules, and the information input into the banking software is proper.

1.D(d) The account holder himself took the cheque book.

E. CLEARING HOUSE

Process: Bangladesh Automated Clearing House (BACH) (Responsibility: GB In charge/DM/BM)
1.E(a) Scanning of images of received instruments.
1.E(b) Marking of BACH into high value and regular value.
1.E(c) Release/reprocess to the Central Clearing Department (CCD).
1.E(d) Checking the settlement position of BACH.
1.E(e) Informing the client of returned instruments.
1.E(f) Validation of the above activities by the supervisor under BACH delegation (receiving and printing).

1.E(g) Scrutiny of BACH (checking of cheque series, routing number, account number, transaction number, amount of the instruments, and manual and electronic endorsement of both high value and regular value instruments). Responsibility: GB In charge/DM/BM.
1.E(h) Accepting of instruments. Responsibility: GB In charge/DM/BM.

Process: Clearing (Responsibility: Clearing staff)
1.E(i) Whether the outward cheque is scanned and the amount mentioned is correct.
1.E(j) Crossing, clearing and endorsement seals on the outward cheque are confirmed.

1.E(k) Cheque return is done within the stipulated time. Responsibility: Clearing staff.
1.E(l) Cheque amount and MO amount are the same. Responsibility: Clearing staff.
1.E(m) Vouchers are posted before confirming return on the same date. Responsibility: Clearing staff.
1.E(n) The branch's ID/password is secured. Responsibility: Clearing staff.
1.E(o) Preparation of batch ticket, MO preparation, sealing of instruments, cheque entry, etc. are done. Responsibility: Clearing staff.

1.E(p) Debit the customer's account upon getting positive payment advice from the customer, in case of need. Responsibility: GB In charge/DM/BM.

F. REMITTANCE

Process: Outward bill for collection (OBC) (Responsibility: GB In charge/DM/BM)
1.F(a) Receiving of instruments, recording in the register and sending of instruments for collection under dual control.
1.F(b) Return information on instruments (if any) is communicated to the client.

Process: Inward bill for collection (IBC) (Responsibility: GB In charge/DM/BM)
1.F(c) Receiving and recording are done in the register under dual control; payment is made complying with the relevant procedures.

Process: Bills and remittance (Responsibility: GB In charge/DM/BM)
1.F(d) Issuance and encashment of Pay Order, Pay Slip and Demand Draft complying with the relevant policy and procedure of the bank, and recording the same in the register under dual control.
1.F(e) Balancing the leaves of the security blocks on a regular basis.

Process: Remittance (Responsibility: GB In charge/DM/BM)
1.F(f) Effective steps are taken for making entries in the B.P. account.
1.F(g) No deviations are observed in the conduct of bill business and local collections.

1.F(h) Branches report dishonored cheques by informing the Zonal Office accordingly. Responsibility: GB In charge/DM/BM.

G. SAFE DEPOSIT LOCKERS
1.G(a) Number of keys issued to customers is reconciled with the record of lockers and the Agreement Form. Responsibility: Credit In charge.
1.G(b) The locker room is neatly maintained, befitting the status of the bank. Responsibility: In charge/BM.
1.G(c) Applications for safe deposit articles are filed. Responsibility: In charge/BM.
1.G(d) Safe custody ledger and register are maintained as per instructions and balanced at the stipulated periodicity. Responsibility: In charge/BM.

1.G(e) Signatures on locker access slips are verified and authenticated. Responsibility: In charge/BM.
1.G(f) All locker agreements are duly filled in and executed. Responsibility: In charge/BM.
1.G(g) Charges as laid down have been recovered in respect of all eligible cases. Responsibility: In charge/BM.
1.G(h) Effective steps are taken to recover arrears in locker rent. Responsibility: In charge/BM.
1.G(i) Access register is maintained; signatures of the hirer are obtained and verified before allowing operations, as per instructions. Responsibility: In charge/BM.

2. CREDIT OPERATION

A. CREDIT RELATED

2.A(a) Preparation of the loan proposal and sending it to the sanctioning authority for approval, complying with the relevant policy and procedure of the bank. Responsibility: Dealing officer(s) (name and designation); Credit In charge/DM/BM.
2.A(b) Prepare the CRG / up-to-date CRG of the client. Responsibility: Credit In charge/DM/BM.
2.A(c) Obtaining the CIB report / up-to-date clean CIB report / CIB reporting. Responsibility: Credit In charge/DM/BM.
2.A(d) Receiving the sanction letter from the sanctioning authority and advising the client accordingly. Responsibility: Credit In charge/DM/BM.
2.A(e) Execution of the required papers and documents as per the sanction letter. Responsibility: Credit In charge/DM/BM.

2.A(f) Prepare the LDCL and send it to ICC. Responsibility: Credit In charge/DM/BM.
2.A(g) Maintain the safe-in/safe-out register under dual control. Responsibility: Credit In charge/DM/BM.
2.A(h) Maintain a due-date diary for insurance and the SRO token of the branch. Responsibility: Credit In charge/DM/BM.
2.A(i) Prepare the loan sanction checklist. Responsibility: Credit In charge/DM/BM.
2.A(j) Follow up and supervise the credit exposure of the branch regularly to keep loans and advances/assets standard. Responsibility: Credit In charge/DM/BM.
2.A(k) Follow up the overdue and NPL loans regularly. Responsibility: Credit In charge/DM/BM.

2.A(l) Monitoring, supervision and follow-up of all court cases (if any). Responsibility: Credit In charge/DM/BM.
2.A(m) Ensure timely renewal of loans. Responsibility: Credit In charge/DM/BM.
2.A(n) Rescheduling of classified loan accounts (if any) as per the BRPD circular of BB. Responsibility: Credit In charge/DM/BM.
2.A(o) Preparation of CL statements as per the BRPD circular of BB. Responsibility: Credit In charge/DM/BM.

3. IT SECURITY MANAGEMENT

A. IT SECURITY GENERAL (Responsibility for all items: IT in charge/GB Manager)
3.A(a) PCs/laptops are protected by a screen-saver password.

3.A(b) Unauthorized and temporary staff are not involved in any posting, and there is no one-man show in the branch.
3.A(c) Before leaving the branch, every PC/server is logged off and switched off.
3.A(d) USB ports are used for mouse and keyboard only; any other use of the ports is strictly prohibited.
3.A(e) PCs used for T24/SWIFT/banking software/remittance are strictly prohibited from having any internet connection.

3.A(f) The computer room is under CCTV coverage and under lock and key.
3.A(g) Personal modems are strictly prohibited on any PC of the branch.
3.A(h) Printed supplementaries of the audit trails of the various sections are checked against the vouchers after banking hours.
3.A(i) The same person was not both inputter and authorizer.
3.A(j) Accepting overwrites, and cheque payment without the cheque option, are not performed.

3.A(k) No unused passwords exist, and the passwords in use are complex and changed frequently.
3.A(l) Password confidentiality is maintained strictly (passwords are not shared).
3.A(m) Extra precautionary measures are taken for on-us/off-us or WBTT deposits and payments.
3.A(n) A print of the daily TT issue and payment report is taken and kept with signature.

B. PRECAUTION FOR PAYMENT UNDER WBTT

3. WBTT issue and IT in B. payment charge/GB completed Manager (a) within4.30 P.M


3.B.(b) Beneficiary's A/C opening, Thanks Letter return & TP updated. [IT in charge/GB Manager]
3.B.(c) In case of ABL, beneficiary's personal consent for payment. [IT in charge/GB Manager]
3.B.(d) Suspicious activities informed to concerned authority. [IT in charge/GB Manager]
3.B.(e) During authorization, account no. and amount is confirmed. [IT in charge/GB Manager]
3.B.(f) Day Start and Day End balance is examined and every GL head balance is confirmed. [IT in charge/GB Manager]
3.B.(g) Any two times posting (TT issue, NG posting) are not done: checked and confirmed. [IT in charge/GB Manager]


For Account Payment:
3.B.(h) Before payment, test (ABCZ) given on IBCA/MOCA has been confirmed. [IT in charge/GB Manager]
3.B.(i) Full test examined before payment. [IT in charge/GB Manager]
3.B.(j) Scroll No. of remittance maintained. [IT in charge/GB Manager]
3.B.(k) Tally payment details with respond advices maintained. [IT in charge/GB Manager; GB managers/CD in charge]

C. PRECAUTION FOR PAYMENT CASH OVER COUNTER

3.C.(a) Information given by Beneficiaries such as name of sender, sending country, name of beneficiary checked. [IT in charge/GB Manager]


3.C.(b) 1st user "Commit", 2nd user "Authorize" ensured. [IT in charge/GB Manager]
3.C.(c) Any suspicious activity informed to higher authority instantly. [IT in charge/GB Manager]

4. FOREIGN EXCHANGE BUSINESS/TRANSACTION

PROCESS | FUNCTIONS | RESPONSIBILITY (shown in square brackets after each function) | Days 1 to 31 (initial)

A. GENERAL MATTERS OF FOREIGN EXCHANGE BUSINESS/TRANSACTION

4.A.(a) Credit report of the buyer and supplier obtained. [Dealing officer/s, Name & Designation]
4.A.(b) Business relations are built with familiar business firms. [Dealing officer/s, Name & Designation]
4.A.(c) L/C issued for the goods concerned and permitted for L/C. [Dealing officer/s, Name & Designation]
4.A.(d) L/C opening under legal (actual): a) PI/Indent; b) within delegation of power; c) obtaining permission from competent authority (by giving actual information without hiding any information); and d) not exceeding IRC/ERC limit. [Dealing officer/s, Name & Designation]
4.A.(e) Insurance Policy performed with reputed insurance company. [Dealing officer/s, Name & Designation]
4.A.(f) Contract done under INCOTERM. [Dealing officer/s, Name & Designation]
4.A.(g) Goods are transported by reputed transport company. [Dealing officer/s, Name & Designation]
4.A.(h) Goods are inspected by internationally reputed inspection company at boarding point. [Dealing officer/s, Name & Designation]
4.A.(i) Contract performed with reputed exporter/Sellers. [Dealing officer/s, Name & Designation]
4.A.(j) In case of more than one Transport Company engaged, PSI should be imposed. [Dealing officer/s, Name & Designation]
4.A.(k) PAD and IFBC recovered within due date. [Dealing officer/s, Name & Designation]
4.A.(l) Documents are checked as per prescribed checklist (e.g. checklist for import & export L/C, discrepancy checklist, back to back L/C checklist, cautions for back to back L/C etc.). [Dealing officer/s, Name & Designation]


B. IMPORT

4.B.(a) Opening of LC by obtaining stipulated margin/cash security. [FEX In-charge/DM/BM]
4.B.(b) LC commission/charge realized properly. [FEX In-charge/DM/BM]
4.B.(c) LC opened with valid IRC/other. [FEX In-charge/DM/BM]
4.B.(d) Related papers and documents are obtained. [FEX In-charge/DM/BM]
4.B.(e) Compliance of other terms and conditions as stipulated in HO sanction letter. [FEX In-charge/DM/BM]
4.B.(f) Importer's signature verified by the concerned officials of the branch in Proforma Invoice/Indent/LC application form etc. [FEX In-charge/DM/BM]

C. EXPORT

4.C.(a) Clean export documents purchased. [FEX In-charge/DM/BM]
4.C.(b) ERC is preserved in file. [FEX In-charge/DM/BM]


4.C.(c) Financial facilities are given against defective/fake Export Bill. [FEX In-charge/DM/BM]
4.C.(d) Effective steps are taken against long non-payment of Export proceeds and steps are taken to return exported goods. [FEX In-charge/DM/BM]
4.C.(e) Proper steps are taken for repatriation of Foreign currency against Export Bill. [FEX In-charge/DM/BM]
4.C.(f) Sufficient steps are taken to adjust overdue Export Bill. [FEX In-charge/DM/BM]
4.C.(g) In case of fewer amounts recovered against Export, no permission is taken from B.B. [FEX In-charge/DM/BM]
4.C.(h) Specimen signature of shipping company agent and Airways company officers are preserved. [FEX In-charge/DM/BM]
4.C.(i) Requisite interest and commissions are recovered. [FEX In-charge/DM/BM]
4.C.(j) Sending of EXP form 2nd, 3rd copy to BB and 4th copy to office record is maintained/done. [FEX In-charge/DM/BM]
4.C.(k) When export made within due time, issued EXP form collected and cancelled. [FEX In-charge/DM/BM]
4.C.(l) Concerned Heads of accounts are balanced. [FEX In-charge/DM/BM]


D. FOREIGN REMITTANCE

4.D.(a) Foreign remittance realized and credited to the respective account under dual control upon complying with relevant rules and regulations of the bank. [FEX In-charge/DM/BM]
4.D.(b) Make payment of all Foreign Remittance (Inward Remittance) with F.C account by complying with all applicable rules and regulations of the bank. [FEX In-charge/DM/BM]
4.D.(c) Issue miscellaneous outward remittance under dual control upon complying with relevant rules and regulations of the bank. [FEX In-charge/DM/BM]
4.D.(d) Correspondence via SWIFT with Foreign correspondents for miscellaneous purposes. [Dealing officer/s, Name & Designation]


Annexure-3(b)

Agrani Bank Limited
...... Branch

DEPARTMENTAL CONTROL FUNCTION CHECKLIST (DCFCL) - "WEEKLY"
For the Month of......

PROCESS | FUNCTIONS | Responsibility (shown in square brackets) | 1st WEEK to 5th WEEK (Initial and Date for each week)

Account opening activities
- Display up to date schedule of charges of the bank.
- Opening of various deposit accounts by following applicable rules and regulations, preserving the same and loading within Banking software. [Branch Manager]
- Contact Point Verification (CPV) to be done as per HO instructions. [Branch Manager]

Locker Account
- Realization of security deposit, locker rent and insurance premium as per HO instructions. [GB In-charge/DM/BM]

Bills and Remittance
- Balancing the leaf of security blocks on a regular basis. [GB In-charge/DM/BM]

Reconciliation
- Reconciliation of online GL transaction with other branches and HO has been done upon complying with relevant policy and procedure of the bank. [GB In-charge/DM/BM]
- Reconciliation of balance of deposit account maintained with other bank. [GB In-charge/DM/BM]

Outward bill for collection (OBC)
- Inform return information of instruments (if any) to the client. [GB In-charge/DM/BM]

Credit Operations [Branch Manager]
1. CIB reporting.
2. Execution of required papers and documents as per HO sanction.
3. Maintain safe-in and safe-out register under dual control.


Monitoring, follow up and supervision [Branch Manager]
1. Follow up the overdue and NPL loans regularly.
2. Monitoring, supervision and follow up of all court cases (if any).
3. Ensure timely renewal of loans.
4. Rescheduling of classified loan accounts (if any) as per BRPD circular of BB.
5. Preparation of CL Statements as per BRPD circular of BB.

Returns, statements and reporting
- Prepare weekly returns as per HO & BB guidelines. [Credit in charge/BM]


Annexure-3(c)

Agrani Bank Limited
Branch Name:......

Departmental Control Functional Check List (DCFCL) "Monthly" Statements
For the Month of......

PROCESS | FUNCTIONS | Responsibility (shown in square brackets) | Date of Checking | Initial

OVERALL CLEANLINESS OF THE BRANCH PREMISES
- Ensure proper cleanliness of the branch premises as per HO instructions. [Branch Manager]

ATTENDANCE OF THE BRANCH EMPLOYEES
- Ensure timely attendance of all employees of the branch. [Branch Manager]

SAFETY, SECURITY MEASURES AND PREMISES PROTECTION [Branch Manager / Manager Branch Operation]
- Ensure 24 hours duty of security guard.
- Ensure duty of Gunman during office hour.
- Ensure CCTV coverage for 24 hours.
- Ensure adequate Fire Extinguisher in branch premises.
- Ensure generator backup during office hour.
- Testing of security alarm of the branch.
- Checking of duty of security guard by the branch officials during holiday.
- Emergency contact numbers, i.e. Police station, Fire station, RAB, Hospital etc., are available in branch.
- Maintain complaint box in a visible place.
- Display up to date schedule of charges of the bank.

COMPLIANCE OF ANTI MONEY LAUNDERING ACTIVITIES
- Holding of BAMLCO meeting regularly. [BAMLCO]
- Review and reporting of CTR & STR and maintaining hard copy thereof. [GB In-charge/DM/BM]

CHEQUE BOOKS, PRINTING STATIONERY AND SECURITY STATIONERY
- Physical verification of undelivered cheque books and printing and security stationery is to be done dually. [GB In-charge/DM/BM]

LOCKER ACCOUNT
- Realization of security deposit, locker rent and insurance premium as per HO instructions. [GB In-charge/DM/BM]
- Wide publicity is given to availability of Lockers. [In charge/BM]
- Steps are taken to break open locker in case of long overdue of rent? [In charge/BM]
- Custodian's keys and keys of unrented locker are held by two different officials? [In charge/BM]

BILLS AND REMITTANCE
- Balancing the leaf of security blocks on a regular basis. [GB In-charge/DM/BM]

RECONCILIATION
- Reconciliation of online GL transaction with other branches and HO has been done upon complying with relevant policy and procedure of the bank. [GB In-charge/DM/BM]
- Reconciliation of balance of deposit account maintained with other bank. [GB In-charge/DM/BM]

ACTIVITIES OF ACCOUNTS DEPARTMENT [Branch Manager]
1. Balancing of ledgers and books of accounts regularly.
2. Charging of interest, service charge and depreciation.
3. Realization of VAT and AIT as per instructions of concerned Government office.
4. Interest paid to deposit account. Monthly provision made against expenses.
5. Review and reversal of contra entries.
6. Checking and review of interest product sheet.

REPORTS/RETURNS/STATEMENTS
- Ensure submission of monthly reports to HO and regulatory bodies and preserved in the file. [Branch Manager]

CREDIT OPERATIONS [Branch Manager]
- CIB reporting.
- Execution of required papers and documents as per HO sanction.
- Maintain safe-in and safe-out register under dual control.
- Maintain due date diary for insurance and SRO token of the branch.

MONITORING, FOLLOW UP AND SUPERVISION [Branch Manager]
- Follow up the overdue and NPL loans regularly.
- Monitoring, supervision and follow up of all court cases (if any).
- Ensure timely renewal of loans.
- Rescheduling of classified loan accounts (if any) as per BRPD circular of BB.
- Preparation of CL Statements as per BRPD circular of BB.

INTEGRATED SUPERVISION SYSTEM (ISS) REPORTING [Concerned ISS Reporting Official(s)]
- Upload ISS Reporting Format from Bangladesh Bank's Web Portal.
- Collect the relevant information for ISS Reporting and correctly fill up the fields of ISS Reporting.
- Get the report checked by the concerned officials.
- Submit the same to the Manager for confirmation and upload in the Bangladesh Bank's Web Portal on or before 10th of the following month.

INTEGRATED SUPERVISION SYSTEM (ISS) REPORTING (continued) [Branch Manager]
- Check the Integrated Supervision System (ISS) of the branch.
- Deficiency, if detected, report to concerned division/department of HO.
- Upload the Integrated Supervision System (ISS) Report to Bangladesh Bank's Web Portal and submit back-up copy (Excel Sheet) to HO within 10th of the following month.

RETURNS, STATEMENTS AND REPORTING
- Prepare monthly returns as per HO and B. Bank guidelines. [Credit In-charge/BM]

DEBIT CARD
- Client's applications for issuance of Card are forwarded to Card Division for Approval. [In charge/BM]

ATM
- Loading of cash in ATM after accessing previous balance. [In charge/BM]
- Passing necessary entries soon after loading and unloading. [In charge/BM]

FOLLOWUP OF OUTSTANDING ENTRIES
- Follow-up of long outstanding entries in Sundry Deposit/Suspense/Clearing Suspense remittance etc. [In charge/BM]
- Follow-up of outstanding entries in inter branch/Inter bank reconciliation. [In charge/BM]

CONTROL FUNCTION
- Control returns for expenses incurred beyond discretionary powers are submitted. [GB In charge/DM]
- Control over payments in charges/Establishment expenses (Monitoring/Checking). [In charge/BM]
- Cases of leave on loss of pay/unauthorized absence of staff are reported to the controller. [In charge/BM]
- Restrictive practices of staff and indiscipline of staff including misbehavior with customers and court cases pertaining to staff reported to controllers for follow-up action. [In charge/BM]

STATEMENT SUBMISSION
- All periodical returns are submitted in time. Daily H.O Extract and Draft schedules are dispatched without delay. [In charge/BM]
- Various IBR Memos recorded as and when received and attended to promptly. High value enquiry Memos/IBR Memos are dealt with under the personal attention of BM. [In charge/BM]

DESPATCH MAINTAINING
- Letters received are opened in the presence of authorized official and entered in inward mail Register/Schedules and distributed against acknowledgements. [In charge/BM]
- Prompt disposal is entered. Disposals are marked off, with date under authentication. [In charge/BM]

FURNITURE FIXTURE
- Fixed Assets register/Ledger are maintained properly and depreciation entries are passed as per HO Guidelines. [GB In charge/BM]
- All furniture and fixtures are numbered, accounted for and receipted for delivery to officials. [GB In charge/DM]

INCOME LEAKAGE
- All the income leakage detected in the earlier audit reports and the current report is recovered in full. (Score to be awarded appropriate to the % of recovery to the total income leakage detected.) [GB In charge/BM]
- Interest application process for deposits and advances is carried out promptly and the appropriate rate of interest is charged. No unauthorised concession is observed in interest applied/service charges. [GB In charge/BM]
- Various service charges are recovered as per extant circulars issued from time to time. [GB In charge/BM]

- All system generated reports/interest application in ledgers are checked and authorized. [GB In charge/BM]


Annexure: 04

Agrani Bank Limited. ______Branch

LOAN DOCUMENTATION CHECKLIST (LDCL)

STATUS: Individual / Proprietorship / Partnership / Limited Company A/c No. First obtain General Documents; then identify the Collateral, Facility and obtain specific documents listed hereunder. Leave out documents not called for by the terms of the Credit Approval and Facilities Advice Letter (Sanction Letter).

Sl. No. | DESCRIPTION | REQD DOC. | DATE RECEIVED | DATE EXPIRY | ORIGINAL DOC LOCATED IN | TAKA AMOUNT

A. GENERAL DOCUMENTS
1. Letter of Borrower requesting for new facilities / renewal
2. Authority to Borrow (Letter of authority from partners in case of partnership concern and resolution in case of limited company), with list of Partners/Directors
3. Form XII certified by RJSC regarding list of existing Directors for limited company
4. Facilities Advice Letter: accepted unconditionally by Borrower
5. Demand Promissory Note
6. Letter of Continuity
7. Deed of Partnership (for Partnerships; Borrower / third party), By-Laws etc.
8. Memorandum and Articles of Association (for limited company Borrower / third party) with Certificate of Incorporation
9. Letter of Arrangement
10. Letter of Disbursement
11. Revival Letter (Form I & II)

B. LIEN OF ACCOUNT
1. Resolution to lien account proceeds (for Third Party partnerships and limited cos.)
2. Letter of Lien and Set-Off (Pledge Agreement)

C. PLEDGE OF DEPOSIT/S. PATRA
1. Resolution to deposit (for Third Party partnerships and limited company)
2. Fixed Deposit Receipts / Sanchaya Patra / Bonds endorsed by holder(s)


3. Letter of Guarantee by depositor (if the deposit stands in the name of Third Party)
4. Letter of Lien and Set-Off (Pledge Agreement)
5. Letter of Authority for encashment of Sanchaya Patra / Fixed Deposits

D. PLEDGE OF SHARES
1. Resolution to deposit (for Third Party partnerships and limited company)
2. Share certificates
3. Blank transfer forms for each share certificate (Form 117)
4. Memorandum of Deposit of Shares
5. Letter of Guarantee by the shareholder (if the share stands in the name of person other than the borrower)
6. Irrevocable letter of authority for collection of dividends, bonus etc. addressed by the shareholder to the relevant company
7. Notice of pledge by the shareholder to the relevant companies

E. PLEDGE OF INVENTORY
1. Letter of Pledge / Pledge Agreement
2. Letter of Disclaimer (if required)
3. RJSC Search Report (for limited company / partnerships; Borrower / third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC
6. Modification of Letter of Pledge / Pledge Agreement of Inventory
7. RJSC Form 19, and receipt of filing with RJSC
8. Insurance Policy with EBL as jointly insured

F. HYPOTHECATION OF INVENTORY
1. Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)
2. Letter of Hypothecation of Inventory / Hypothecation Agreement


3. RJSC Search Report (for limited company / partnerships; borrower / third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC
6. Modification of Letter of Hypothecation of Inventory
7. RJSC Form 19, and receipt of filing with RJSC
8. Insurance Policy - jointly insured

G. TRUST RECEIPT
1. Trust Receipt Agreement

H. HYPOTHECATION OF RECEIVABLES/BOOK DEBTS
1. Resolution to hypothecate receivables / book debts (for Third Party partnerships and limited company)
2. Letter of Hypothecation of Receivables / Book Debts (Hypothecation Agreement)
3. RJSC Search Report (for limited company / registered partnerships; borrower / third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC
6. Modification of Letter of Hypothecation of Receivables
7. RJSC Form 19, and receipt of filing with RJSC

I. HYPOTHECATION OF MACHINERY AND EQUIPMENT
1. Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)
2. Letter of Hypothecation of Machinery and Equipment / Hypothecation Agreement
3. RJSC Search Report (for limited company / partnerships; borrower / third party)
4. RJSC Form 18, and receipt of filing with RJSC
5. Certificate of registration from RJSC


6. Modification of Letter of Hypothecation of Machinery & Equipment
7. RJSC Form 19, and receipt of filing with RJSC
8. Latest list of machinery & equipment
9. Insurance Policy with EBL as jointly insured

J. ASSIGNMENT OF RECEIVABLES
1. Resolution to assign receivables (for Third Party partnerships and limited cos.)
2. Deed of Assignment of receivables
3. Notification and acknowledgement of assignment and confirmation of receivables from the debtor

K. MORTGAGE
1. Letter of nomination of third party mortgagor from Borrower with attested specimen signature of the mortgagor
2. Resolution to mortgage and guarantee (for Third Party partnerships and limited company)
3. Copy of valid ID (for Third Party individual mortgagor)
4. Personal Guarantee from Third Party mortgagor
5. Original title deeds of mortgagor and previous owners (Bia-Deed)
6. C.S., S.A. and R.S. Parchas
7. Mutation Parchas in mortgagor's name, certified by Assistant Commissioner of Land
8. Duplicate carbon receipt for mutation case
9. Letter of no objection of lessor for mortgagor to mortgage (for leasehold property)
10. Land development tax receipt of the immediately preceding Bengali year
11. Municipal holding tax receipts for property in municipalities
12. Building/factory plan with letter of approval
13. Real Estate Appraisal / Valuation report


14. RJSC Search Report (for limited company / registered partnerships; borrower / third party)
15. Memorandum of deposit of title deeds (for equitable mortgages) with legal counsel's approved draft
16. Mortgage Deed and registration receipt endorsed by mortgagor (for legal/Registered mortgage) along with Power of Attorney
17. RJSC Form 18, and receipt of filing with RJSC if property in the name of ltd cos.
18. Certificate of registration from RJSC
19. Modification of Memorandum of deposit of title deeds
20. RJSC Form 19, and receipt of filing with RJSC
21. Income Tax Clearance Certificate as required for Registration
22. Non Encumbrance Certificate from Land Registrar

L. GUARANTEE
1. List of Directors/Partners with specimen signatures, certified by company secretary or chairman or managing partner (for limited company and partnerships)
2. Resolution to guarantee (for limited company and partnerships)
3. Net Worth Statements (NWS) for individuals/guarantors
4. Letter of Guarantee
5. Letter of Counter Indemnity

M. TERM LOAN AGREEMENT
1. Term loan agreement between Borrower and ABL
2. Draft Term Loan Agreement approved by Head of Credit Risk Management Division and Legal Counsel

N. SECURITY SHARING AGREEMENT
1. Security Sharing Agreement
2. Draft Security Sharing Agreement approved by Head of Credit Risk Management Division and Legal Counsel

O. SYNDICATION
1. Accepted Mandate Letter


2. Accepted Term Sheet

3. Information Memorandum

4. Participation letters

5. Facilities Agreement

6. Powers of Attorney of participants

7. Accepted Fee Letter

8. Legal counsel’s opinion

9. Head of Credit Risk Management and Legal Counsel’s approval of documents.

P. OTHER DOCUMENTS

DEPARTMENT/UNIT | NAME | DATE | SIGNATURE

RELATIONSHIP MANAGER:

CREDIT ADMINISTRATION:

Annexure-5

Agrani Bank Limited
______ Branch

QUARTERLY OPERATIONS REPORT

Date:

From: Branch Manager………..

To: General Manager and Head of ICC

Copy: Divisional Head, Audit Monitoring Division

Quarterly Operations Report for the Quarter Ended on ………………..

A. POLICIES, PROCEDURES AND CONTROLS 95 MARKS

A.1. Central Bank: 30 MARKS

The Branch/Centre was last audited by the Central Bank on ………………….. We confirm that adequate corrective actions have been initiated to remove the deficiencies other than the following paras of their Audit Report.

Audit Paras Number | Original Target Date of Rectification | Revised Target Date

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.2. INTERNAL CONTROL (LOCAL): 35 MARKS

The Branch's/Centre's operational functions were also last audited by the Internal Control on ...... We confirm that adequate corrective actions have been initiated to remove the deficiencies other than the following paras of the report.

Audit Paras Number | Target Date of Rectification | Revised Target Date

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A. 3. REGULATORY COMPLIANCE: 30 MARKS

We confirm that regulatory requirements in Bangladesh as outlined by Bangladesh Bank / other Govt Ministry have been complied with except the following:

Sl. No | Compliance Risk | Legislation | Remarks

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal


A.4. CLOSED CIRCUIT TELEVISION (CCTV): 30 MARKS
(This para will be used if branches are having CCTVs at their premises.)

We confirm that operations and recording of the day's activities in CCTV installed in the branches and ATMs, where applicable, have been checked regularly. The recorded cassettes are being controlled as per instructions from the MD's / GM's office.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.5. COMPUTER ACCESS (if available): 35 MARKS

a. We confirm that a full review of "Access Levels" is made to ensure that no conflicts exist and no official is holding both IDs to input transactions and authorise such transactions.
b. We also confirm that Administrator Passwords are held in dual custody and both custodians review the Administrator Journal Report and the Audit Trail Report (which reports all user access maintenance) and investigate all activities on a daily basis.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal
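The maker/checker controls of 3.A.(i) and 3.C.(b) in the daily checklist and the access-level review in A.5 above can be run mechanically over the system's Audit Trail Report. The following is an added example, not code from the ICC policy or from any Agrani Bank system: the record layout, entitlement names, user IDs and transaction references are constructed, and the COMMIT/AUTHORIZE action labels follow the wording of 3.C.(b).

```python
"""Maker/checker review of a core-banking audit trail.

Added example; not part of the ICC policy or of any Agrani Bank system.
The record layout, the COMMIT/AUTHORIZE action labels (taken from the
wording of 3.C.(b)), the entitlement names and all user/transaction IDs
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

INPUT = "INPUT"          # entitlement: may commit (input) a transaction
AUTHORIZE = "AUTHORIZE"  # entitlement: may authorize a committed transaction


@dataclass(frozen=True)
class AuditEvent:
    txn_id: str     # transaction reference as printed on the audit trail
    user_id: str    # system user ID that performed the action
    action: str     # "COMMIT" or "AUTHORIZE"
    timestamp: str  # ISO-8601 local time


# Constructed access-level matrix: user ID -> entitlements currently held.
ACCESS_LEVELS = {
    "U101": {INPUT},
    "U102": {AUTHORIZE},
    "U103": {INPUT, AUTHORIZE},  # holds both roles: an A.5 access-level conflict
    "U104": {AUTHORIZE},
}

# Constructed audit trail for one business day.
AUDIT_TRAIL = [
    AuditEvent("TT-0001", "U101", "COMMIT",    "2018-08-27T10:02:11"),
    AuditEvent("TT-0001", "U102", "AUTHORIZE", "2018-08-27T10:05:40"),  # clean maker/checker
    AuditEvent("TT-0002", "U103", "COMMIT",    "2018-08-27T10:20:03"),
    AuditEvent("TT-0002", "U103", "AUTHORIZE", "2018-08-27T10:20:15"),  # same person both sides
    AuditEvent("TT-0003", "U101", "COMMIT",    "2018-08-27T11:45:00"),  # never authorized
    AuditEvent("TT-0004", "U101", "COMMIT",    "2018-08-27T12:00:00"),
    AuditEvent("TT-0004", "U101", "AUTHORIZE", "2018-08-27T12:01:00"),  # authorized without entitlement
    AuditEvent("TT-0005", "U101", "COMMIT",    "2018-08-27T13:10:00"),
    AuditEvent("TT-0005", "U101", "COMMIT",    "2018-08-27T13:10:09"),  # posted twice (3.B.(g))
    AuditEvent("TT-0005", "U104", "AUTHORIZE", "2018-08-27T13:12:30"),
]


def conflicting_access(access_levels):
    """A.5(a): user IDs entitled both to input and to authorize transactions."""
    return sorted(u for u, roles in access_levels.items() if {INPUT, AUTHORIZE} <= roles)


def review_audit_trail(events, access_levels):
    """Return {txn_id: [finding, ...]} for every transaction that breaks a control.

    Findings, in the order they are tested:
      NOT_AUTHORIZED                  committed but no authorizer on the trail
      POSTED_TWICE                    more than one COMMIT for the same reference
      SAME_USER_COMMIT_AND_AUTHORIZE  3.A.(i) / 3.C.(b): maker and checker are one person
      AUTHORIZE_WITHOUT_ENTITLEMENT   authorizer's ID does not hold the AUTHORIZE role
      INPUT_WITHOUT_ENTITLEMENT       committer's ID does not hold the INPUT role
    """
    by_txn = defaultdict(list)
    for ev in events:
        by_txn[ev.txn_id].append(ev)

    findings = {}
    for txn_id, evs in sorted(by_txn.items()):
        commits = [ev for ev in evs if ev.action == "COMMIT"]
        committers = {ev.user_id for ev in commits}
        authorizers = {ev.user_id for ev in evs if ev.action == "AUTHORIZE"}
        issues = []
        if not authorizers:
            issues.append("NOT_AUTHORIZED")
        if len(commits) > 1:
            issues.append("POSTED_TWICE")
        if committers & authorizers:
            issues.append("SAME_USER_COMMIT_AND_AUTHORIZE")
        for u in sorted(authorizers):
            if AUTHORIZE not in access_levels.get(u, set()):
                issues.append(f"AUTHORIZE_WITHOUT_ENTITLEMENT:{u}")
        for u in sorted(committers):
            if INPUT not in access_levels.get(u, set()):
                issues.append(f"INPUT_WITHOUT_ENTITLEMENT:{u}")
        if issues:
            findings[txn_id] = issues
    return findings


if __name__ == "__main__":
    print("Access-level conflicts:", conflicting_access(ACCESS_LEVELS))
    for txn, issues in review_audit_trail(AUDIT_TRAIL, ACCESS_LEVELS).items():
        print(txn, ", ".join(issues))
```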

A.6. CUSTOMER SERVICES STANDARDS: 05 MARKS

The Customer Services Standards of all departments have been checked and documented as per guidelines from Head Office / Regional Office. The shortfalls detected during the last quarter have been/will be removed within the target set.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.7. DEPARTMENTAL CONTROL FUNCTIONS CHECK LISTS: 05 MARKS

a. The DCFCLs were completed and documented as per Head Office Guidelines by the concerned departments, which are being/have been verified by the designated independent officials on ______.
b. We confirm that no shortfalls have been identified by the Independent Reviewer and/or the shortfalls identified by him/her are being rectified and will be completed by ______ under advice of the Head of Compliance.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.8. INTERNAL CHECKS: 05 MARKS

We confirm that all Internal Checks as per Head Office Guidelines applicable to us are being undertaken by the Independent officials designated in writing. All papers and the reviewer's certificates are retained under the control of the Unit Head/Branch Manager/Designated official for future review by the Bangladesh Bank audit team / Internal Control Team.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal


A.9. COMPLAINTS: 05 MARKS

We confirm that complaint letters received from Customers were dealt with in terms of Head Office guidelines. All complaints in the form of statement, including pending complaints of the previous quarter, have been forwarded to Head of Internal Control Team for his review. *(Strike out which is not applicable)

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.10. RECOVERY OF COSTS: 20 MARKS

We confirm that the costs of telex/swift/telegrams/telephone/fax and other charges have been recovered from the Customers/Correspondents where applicable and credited to the appropriate Recoveries Accounts under Expenses Head.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

A.11. FRAUDS, FORGERIES & OPERATING LOSSES: 10 MARKS

Following transaction(s) involving Frauds/Forgeries/Other Operating Losses has/have been detected during the quarter ended on ______ and reported to Head Office / Zonal Office / Bangladesh Bank / Internal Control unit.

Signature of Respective officer/In charge with Seal    Signature of Branch Manager with Seal

A.12. RETURNS: 05 MARKS

We confirm that returns to Head Office / Zonal Office / Bangladesh Bank, including those under Calendar of Returns, have been submitted within the scheduled dates except the following:

Title of Return | Due Date | Reasons for Delay | Sent on

Signature of Respective officer/In charge with Seal    Signature of Branch Manager with Seal

A.13. LEGAL: 10 MARKS

We confirm that legal matters are being monitored by us as per Head Office / Zonal Office / Internal Control units. Return for this half-year ended March/September has been submitted to Internal Control department on ………………

Signature of Respective officer/In charge with Seal    Signature of Branch Manager with Seal

A.14. COMMUNICATIONS: 05 MARKS

Following meetings were held during this quarter to improve communication among the members of Officer/Staff. We enclose a copy of the minutes of the meetings held for information and record.

Date & Time | Subject of discussions / Agenda in brief | Suggestions / Outcome / Recommendations

Signature of Respective officer/In charge with Seal    Signature of Branch Manager with Seal

A.15. FIXED ASSETS: 20 MARKS

We confirm that:
a) Quarterly as on December, March, June and September, all items of Fixed Assets deployed to the branch have been included in the respective departmental lists and physical check of all departmental Fixed Assets has been undertaken and verified with the departmental inventories.
b) The entries passed through Profit and Loss A/c in respect of sale of Fixed Assets for the half year ended March/September have been reviewed to ensure that no entry is outstanding in the books.
c) Returns as on 30th September and 31st December showing the Fixed Assets sold during October to September and January to December have been prepared & reviewed for tax purposes.
d) Fixed Assets of the centre as on 31st March and 30th September have been physically checked by the independent officers designated by Internal Control team / Zonal Office.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

B. PROTECTION OF VALUABLES

B.1. CHANGE OF KEYS: 10 MARKS
We confirm that the Key Register is being maintained as per the prescribed procedure and keys were changed with the duplicates on ______ / 1st August ______.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

B.2. SAFE CUSTODY: 10 MARKS
We confirm that Safe Custody items are being maintained under dual custody and that the last complete independent physical verification of Safe Custody items, as per Head Office/Zonal Office instructions, was undertaken on ______. We enclose a copy of the certificate received from the designated reviewer(s).

______ CUSTODIAN(S)

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

B.3. SAFE DEPOSIT LOCKERS: 10 MARKS

We confirm that keys to unrented lockers are kept in sealed envelopes under dual control, and that spare locks and surrendered keys pending change of locks and keys are controlled by two independent custodians who have no access to the locker custodian's key(s). We also confirm that semi-annual and annual internal checks are conducted at the prescribed frequencies by the independent designated officials.

CUSTODIAN – 1          CUSTODIAN – 2
(Item B.3 applies to branches/centres where lockers are installed.)

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal


B.4. CONTROLLED & RECORD STATIONERY: 05 MARKS

All Controlled Stationery is kept under dual custody, and bulk/working stocks are verified as per instructions from Head Office/Zonal Office.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

B.5. RECORD STATIONERY: 05 MARKS
a) The record register is maintained and records are preserved properly.
b) Effective control over records is observed so as to prevent any pilferage of records.
c) All obsolete records are destroyed as per extant instructions with the controller's approval.
d) Stationery registers and ledgers are maintained up to date.
e) All stationery items received are recorded and arranged in good condition.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

B.6. TEST KEYS: 05 MARKS
Test keys/code books are being maintained as per requirements.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

B.7. SIGNATURE BOOKS AND BRANCH DOCUMENTS: 05 MARKS

a) All signature books of branches & correspondent banks are maintained as per requirements.
b) The branch document register is maintained as per instructions in force.
c) The key register is maintained as per extant instructions.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

B.8. CASH/TC/SPS ETC.: 50 MARKS
Cash/TCs/Prize Bonds/Foreign Monies/Sanchaya Patras/Wage Earners' Development Bonds are being dealt with as per requirements, and physical verifications are carried out at the prescribed frequencies.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

C. PROOFS/VERIFICATIONS: 05 MARKS

C.1. All accounts in the GL/subsidiary ledgers were proved and verified during the quarter except the following accounts:

Title of GL Account | Difference Amount | Date Last Reconciled | Target Date/Date Reconciled

We confirm that all outstanding entries in General Suspense (Assets & Liabilities) are being followed up for early liquidation. We enclose the statements of General Suspense Accounts as at 31st March/30th June/30th September/31st December for your perusal.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal


C.2. DIFFERENCE ACCOUNTS: We enclose a summary showing the outstanding entries in Difference Accounts. The entries relating to differences are being investigated. All unresolved entries will be adjusted in terms of the approval of Head Office/Zonal Office.

Signature of Respective officer/In charge with Seal Signature of Branch Manager with Seal

D. PERSONNEL & SUPERVISION

D.1. (20 MARKS) The following transfers/movements were effected during the quarter (both Officers and Unionized Staff):

Name | From (Dept.) | Period worked in this department | Transferred to (Dept.) | W.E.F. (Date)

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

D.2. LEAVE PROGRAMMES: 20 MARKS

1. Officers/staff are being granted leave as per the leave programme. (Exceptions are given below.)

Name | Category of Staff | Number of days accumulated

2. Unionized staff have leave entitlement within the prescribed limit of 93 days. Exceptions with leave accumulation over the limit of 93 days are given below:

Name | Number of days accumulated over the limit

3. Arrangements have been made to allow all employees, including Management Staff, to avail of 10 days' uninterrupted leave or half of the annual leave entitlement, whichever is less, in terms of the service rules.

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal

D.3. TRAINING PROGRAMME: 20 MARKS
The following Officers/Staff are undergoing/have undergone training during the quarter:

Name of Participant | Name of Course attended | Duration of Course | Course Conducted by

Signature of Respective officer/In charge with Seal          Signature of Branch Manager with Seal


E. PREMISES MANAGEMENT

E.1. FIRE/SAFETY STANDARDS: 30 MARKS

a) The following items have been checked during the quarter ended March/June/September/December ______:

Fire/Safety Procedure Ref. | Standard Achieved/Shortfalls detected
i)
ii)
iii)
iv)

b) The half-yearly Self Audit of Fire/Safety Standards was undertaken, and the return for the period ended 31st January/31st July ……. was submitted to you in a separate letter on ……….

c) We confirm that:
i) A Fire Drill was carried out half-yearly on ……….. and ……… in terms of the Emergency Evacuation Standards of the Fire/Safety procedures.
ii) A Security Drill regarding the Audible Teller Counter Alarm Protective System was carried out and duly documented.
iii) The arrival and departure times of all personnel occupying the premises outside working hours and after banking hours are being recorded and reviewed in the registers maintained for these purposes.

d) All electric wiring was checked by M/s ………………………………….. on …………………… and certificates were obtained and kept on file for future audit/inspection. We enclose a copy of the certificate for record.

e) The premises were inspected on holidays by officers on rotation. Immediate action was taken on shortfalls detected through the checklist maintained, which is retained after appropriate action for future audit/inspection.

(Branch Manager)          (Zonal Head)


Annexure-06
Agrani Bank Limited
Audit Monitoring Division (AMD), Head Office, Dhaka
Control Function Risk Rating
[This Annexure will be used by the ICT Team; they will also use the formats (soft copy) developed by AMD.]

Name of the Branch: ......

1. Risk Assessment:

Risk Assessment has to be carried out at two stages: i) off-site, for formulation of the Audit Plan; ii) on-site, during the course of the Audit. The assessment formats for off-site and on-site assessment are the same. Different formats/work sheets are used for assessing risk:
i) Branch Profile: includes the branch's address, location, type (AD/non-AD; computerized or not), Affairs & GL statement figures, NPA management information, profitability, etc.
ii) Score Sheets: accumulate the scores from the different work sheets of both Business Risk and Control Risk items.
iii) Work Sheets for Business Risk: a) Credit risk assessment work sheet; b) Earning risk assessment work sheet; c) Liquidity risk assessment work sheet; d) Strategy and business environment assessment work sheet; e) Operational risk assessment work sheet.
iv) Work Sheets for Control Risk: a) Credit risk assessment work sheet; b) Internal control risk assessment work sheet; c) Compliance risk assessment work sheet; d) Management risk assessment work sheet.

Scoring:

All parameters to be assessed are summarized under "Business Risks" and "Control Risks". The level of inherent business risk and of control risk for the different units of the branch is assessed separately as Low/Medium/High risk. The risk assessment rating (RA rating) table for the branch is depicted in Figure-1.


Figure-1

Particulars                                      | Max. Score | Awarded Score Year-1 | Awarded Score Year-2 | Awarded Score Year-3
Inherent Business Risk
 1. Credit Risk                                  | 450
 2. Liquidity Risk                               | 50
 3. Earning Risk                                 | 100
 4. Operational Risk                             | 300
 5. Strategy and Business Environment Risk       | 150
 Total                                           | 1050
 Percentage                                      | 100
 Level of Inherent Business Risk of branch
Control Risks
 1. Credit                                       | 385
 2. Internal Control                             | 510
 3. Management                                   | 50
 4. Compliance                                   | 105
 Total                                           | 1050
 Percentage                                      | 100
 Level of Control Risk of branch
Level of Composite Risk of branch
Risk assessment rating of branch

2. Steps for awarding scores are as follows:

Step I: Based on the observations during the Audit, quantify the breaches under each parameter in percentage.
Step II: Quantify the breaches as a percentage of Total Advances.
Step III: Award scores based on the level of risk as follows:

Maximum Marks                | 5     | 10    | 15    | 20
Low/Good (71%+)              | 4-5   | 8-10  | 11-15 | 14-20
Medium/Satisfactory (41-70%) | 2-4   | 4-7   | 6-10  | 8-14
High (up to 40%)             | 0-2   | 0-4   | 0-6   | 0-8

Maximum Marks                | 25    | 30    | 40
Low/Good (71%+)              | 17-25 | 21-30 | 27-40
Medium/Satisfactory (41-70%) | 11-17 | 13-20 | 17-27
High (up to 40%)             | 0-10  | 0-12  | 0-16

Discretion is given to the auditor(s) to award marks within the range specified for each level, depending on their on-site judgment.

Level of Risk:

The level of risk is to be determined separately for 'Business Risks' and 'Control Risks'. The levels are linked to the scores and are determined as follows:

Level of Risk | Scores as a % of Total
Low Risk      | 70% and above
Medium Risk   | 40% up to 70%
High Risk     | Below 40%

Score Sheet — Summary

(i) The Score Sheet — Summary needs to be compiled as per the following sheet, based on the scores awarded as per point no. 2 above. For parameters which are not applicable in a branch, the maximum marks for the same may be reduced from the total marks.


Score Sheet Summary

Business Risk

SL # | Particulars | Maximum Marks | Marks Awarded | % | Level of Risk
A. Credit Risk (CR)
 1  Portfolio Quality and Composition                         | 150
 2  Pre-sanction Credit Process
    a) Quality of appraisal                                   | 195
    b) Quality of Assessment                                  | 65
    c) Sanction                                               | 20
    d) Organizational Structure for managing CR               | 20
    Total Marks for Credit Risk (A)                           | 450
B. Earning                                                    | 100
C. Liquidity                                                  | 50
D. Strategy and Business Environment
 1  Business achievement                                      | 80
 2  Profitability                                             | 50
 3  Market Share                                              | 20
    Marks for Strategy and Business Environment (D)           | 150
E. Operational Risk
 1  Fraud prevention and follow-up effects                    | 40
 2  Documentation and compliance with terms                   | 50
 3  Exercise of Delegated Authority                           | 15
 4  Accounting System/Balancing of Books/Computer Audit (only for computerized branches) | 145
 5  Anti money laundering related issues                      | 30
 6  Customer service                                          | 20
    Total Marks for Operational Risk (E)                      | 300

Total marks for Business Risk                                 | 1050

c) Determine the composite risk level using the composite risk matrix.

The composite risk of the branch/activity has to be determined separately for each year. Composite risk reflects the combined effect of both the business risk and the control risk of the branch/activity. There are five levels of composite risk: Low, Medium, High, Very High and Extremely High, as shown below (rows: Inherent Business Risk; columns: Control Risk):

Inherent Business Risk \ Control Risk | Low            | Medium            | High
High                                  | A: High Risk   | B: Very High Risk | C: Extremely High Risk
Medium                                | D: Medium Risk | E: High Risk      | F: Very High Risk
Low                                   | G: Low Risk    | H: Medium Risk    | I: High Risk

Composite Risk Matrix for the year 2012

Particulars    | Score awarded | Total Score | Level of Risk | Category
Business Risk  |
Control Risk   |
Composite Risk |

Risk Matrix (Business Risk down, Control Risk across)
Business Risk \ Control Risk | Low        | Medium        | High
High                         | A (High)   | B (Very High) | C (Extremely High)
Medium                       | D (Medium) | E (High)      | F (Very High)
Low                          | G (Low)    | H (Medium)    | I (High)

Composite Risk Matrix for the year 2011

Particulars    | Score awarded | Total Score | Level of Risk | Category
Business Risk  |
Control Risk   |
Composite Risk |

Risk Matrix (Business Risk down, Control Risk across)
Business Risk \ Control Risk | Low        | Medium        | High
High                         | A (High)   | B (Very High) | C (Extremely High)
Medium                       | D (Medium) | E (High)      | F (Very High)
Low                          | G (Low)    | H (Medium)    | I (High)
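A worked example of the roll-up described in this annexure, added here as an illustration and not part of the ICC policy or of AMD's soft-copy formats: it totals a score sheet, drops parameters marked not applicable from the maximum (as the Score Sheet Summary note allows), bands the percentage using the Level of Risk table and looks up the composite cell from the matrix. The parameter names, the use of None for a not-applicable parameter, the exact treatment of the 70% and 40% boundaries and the sample branch scores are assumptions of the example.

```python
"""Added worked example (not part of the ICC policy): roll-up of the
Annexure-06 score sheets into a level of risk and a composite risk cell.
Assumptions not stated on the page: a parameter marked not applicable is
scored None and its maximum is dropped from the total; the boundaries
follow the Level of Risk table (70% and above Low, 40% to below 70%
Medium, below 40% High)."""
from __future__ import annotations

from typing import NamedTuple

# Maximum marks per parameter, from the Score Sheet Summary (business risk)
# and Figure-1 (control risk); both totals are 1050.
BUSINESS_RISK_MAX = {
    "Credit: portfolio quality and composition": 150,
    "Credit: quality of appraisal": 195,
    "Credit: quality of assessment": 65,
    "Credit: sanction": 20,
    "Credit: organizational structure for managing CR": 20,
    "Earning": 100,
    "Liquidity": 50,
    "Strategy: business achievement": 80,
    "Strategy: profitability": 50,
    "Strategy: market share": 20,
    "Operational: fraud prevention and follow-up": 40,
    "Operational: documentation and compliance with terms": 50,
    "Operational: exercise of delegated authority": 15,
    "Operational: accounting system/balancing/computer audit": 145,
    "Operational: anti money laundering": 30,
    "Operational: customer service": 20,
}
CONTROL_RISK_MAX = {"Credit": 385, "Internal control": 510, "Management": 50, "Compliance": 105}

# Composite risk matrix, keyed (inherent business risk level, control risk level).
COMPOSITE_MATRIX = {
    ("High", "Low"): ("A", "High"), ("High", "Medium"): ("B", "Very High"),
    ("High", "High"): ("C", "Extremely High"),
    ("Medium", "Low"): ("D", "Medium"), ("Medium", "Medium"): ("E", "High"),
    ("Medium", "High"): ("F", "Very High"),
    ("Low", "Low"): ("G", "Low"), ("Low", "Medium"): ("H", "Medium"),
    ("Low", "High"): ("I", "High"),
}


class RiskScore(NamedTuple):
    awarded: int
    maximum: int
    percentage: float
    level: str


def level_of_risk(percentage: float) -> str:
    """Band a score percentage; a higher score means better controls, i.e. lower risk."""
    if percentage >= 70.0:
        return "Low"
    if percentage >= 40.0:
        return "Medium"
    return "High"


def roll_up(awarded: dict[str, int | None], maximum: dict[str, int]) -> RiskScore:
    """Total the awarded marks of one score sheet. Every parameter must be
    present: None marks it not applicable and removes its maximum from the
    total; a missing key raises KeyError rather than silently lowering the bar."""
    total_awarded = total_max = 0
    for name, max_marks in maximum.items():
        score = awarded[name]
        if score is None:
            continue
        if not 0 <= score <= max_marks:
            raise ValueError(f"{name}: {score} outside 0..{max_marks}")
        total_awarded += score
        total_max += max_marks
    if total_max == 0:
        raise ValueError("no applicable parameter on the sheet")
    pct = round(100.0 * total_awarded / total_max, 2)
    return RiskScore(total_awarded, total_max, pct, level_of_risk(pct))


def composite_risk(business: RiskScore, control: RiskScore) -> tuple[str, str]:
    """Return the (cell letter, composite level) for the two levels."""
    return COMPOSITE_MATRIX[(business.level, control.level)]


def rate_branch(business_awarded: dict, control_awarded: dict) -> dict:
    """One year's Figure-1 roll-up: both sheets plus the composite cell."""
    business = roll_up(business_awarded, BUSINESS_RISK_MAX)
    control = roll_up(control_awarded, CONTROL_RISK_MAX)
    return {"business": business, "control": control,
            "composite": composite_risk(business, control)}


# Constructed sample: a non-computerized branch, so the computer-audit
# parameter is None and the business maximum becomes 905 instead of 1050.
SAMPLE_BUSINESS = dict(zip(BUSINESS_RISK_MAX,
    [100, 120, 40, 15, 15, 60, 40, 50, 30, 12, 25, 30, 10, None, 20, 15]))
SAMPLE_CONTROL = {"Credit": 300, "Internal control": 420, "Management": 40, "Compliance": 80}

if __name__ == "__main__":
    for key, value in rate_branch(SAMPLE_BUSINESS, SAMPLE_CONTROL).items():
        print(key, value)
```

For the sample branch the business sheet scores 582 of 905 (64.31%, Medium) and the control sheet 840 of 1050 (80.0%, Low), which lands in cell D, Medium composite risk. Note the direction of the scale: the awarded marks measure how well the branch performed, so a low percentage means high risk, and the 145 marks of the computer-audit parameter are removed from the denominator rather than scored zero, otherwise a non-computerized branch could never reach the Low band.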


Annexure: 07
Agrani Bank Limited
Audit Monitoring Division, Head Office, Dhaka

To: Deputy General Manager, Agrani Bank Audit Internal Control & Compliance Division, Head Office, Dhaka

Sub: Inspection Report of Internal Control Team (ICT)

Dear Sir,
The Internal Control Team (ICT) inspected the …………….. Branch/Office(s) on ……………… and found major deviations and other doubtful transactions while reviewing the Departmental Control Function Checklists (DCFCLs) and the operations report. During our inspection, the following issues were observed:

Branch name: ……… | Comments
1. DCFCL
2. Branch security & administrative system
3. Cash
4. Deposit Banking
5. General Banking
6. Accounts
7. Loans & Advances
8. Foreign Exchange Trade
9. Others

Name of the Inspection Officer/Officers:

Signature & Date:


Annexure: 08
Agrani Bank Limited
------ Branch
IT and Security Management Checklist

Columns: Sl. No. | Particulars | Yes/No (if No, explain the reason) | Allocated Marks (total 150) | Obtained Marks | Remark

A. Business Risk: 75 Marks
Whether -
1. The server computer is protected by a screen saver password. (5)
2. Computers at workstations are protected by screen saver passwords. (5)
3. Confidentiality of user IDs and the Admin password is maintained cautiously; extra/unused passwords are removed from the computer, i.e. the passwords of transferred employees are deleted immediately; an active authorizer/user list is maintained in a register. (5)
4. Passwords are complex (a combination of numeric and alphabetic characters) and are changed at regular intervals. (5)
5. There is a User ID Maintenance Register with access privileges duly approved by the appropriate authority/Branch Manager. (5)
6. The password length is at least 6 characters, with a combination of uppercase, lowercase, number and special characters. (5)
7. There is a unique User ID and a valid password for each user. (5)
8. The same person is inputter and authorizer of the same transaction. (5)
9. Daily T-24 security checks: (5)
   i) The clearing suspense account is at zero balance.
   ii) The catch-all balance is NIL.
   iii) At the end of the day, total cash is transferred to the vault, making the Till zero.
   iv) When there is no work in T-24, its windows are not left open; after necessary work, the session is signed off.
   v) The consolidated SB/CD/STD head balance is at zero position.
10. Web-based Q-Remittance: precautions for payment (both account payee and cash over counter), ref. I.C. letter no. FRD/003/15 dated 20/05/15. (5)
   For account payee payment:
   i) Before payment, the test (ABCZ) given on the IBCA/MOCA is confirmed.
   ii) Payment is not made before the full test is examined.
   iii) The scroll numbers of remittances are in sequence.
   iv) At the end of the day, the GB Manager/CD In-charge tallies payment details with the response advices.
   v) User IDs and passwords are not shared.
   vi) The first user commits and the second user authorizes; in no case does the same person use the same password at the same time.
   vii) Any suspicious activity found is reported to IT Security (IT Division) instantly.
   For cash over counter payment:
   i) The information given by the beneficiary, such as name of the sender, sending country, name, NID no. and amount, matches with no deviation.


11. WBTT (Web Based TT), ref. I.C. no. BSUCD/43/15 dated 20/05/15: (5)
   i) WBTT payment is completed by 4:30 pm.
   ii) The beneficiary's account opening, thanks letter receipt/return and TP are checked.
   iii) When an ABL staff member is the beneficiary, his/her consent is taken.
   iv) Any suspicious activity found is reported to IT Security (IT Division) instantly.
   v) The WBTT user ID and password are in a fixed and saved position.
   vi) TT issue, TT payment and cheque payment are tallied with the register according to the branches concerned.
12. Every cancellation of a cheque/voucher posting is done within the delegation of powers. (5)
13. No payment is made using the "without cheque" option in the T-24 software at the party's request when the party has a cheque book. (5)
14. Accept override is done without prior permission of the manager/authority (which is strictly prohibited). (5)
15. For payment of remittances, whether the following precautions are maintained: (5)
   i) The user ID/password given by the Exchange House is changed immediately and treated as an admin password; the password is changed at regular intervals.
   ii) The PDF advice sent by Head Office is secured, and printing is done in the presence of the Manager GB.
   iii) The National ID/Passport copy and the system-generated Money Receipt are kept with the vouchers.
   iv) Any delay in reimbursement is kept under the close supervision of the Manager GB.

B. Control Risk: 75 Marks
16. The server/router/switch room (safe room) is under lock and key, and the LAN cables are secured. (5)
17. Computer monitors are kept out of clients' view. (5)
18. Routers and other networking equipment are kept in a safe and air-conditioned environment. (5)
19. There is another network connection on the machines running the banking & T-24 software, or any other modem/pen drive connected to any USB port. (5)
20. Every day's vouchers are checked against the computer-printed sheets; for T-24, the initials of both authorizer and inputter are taken on the vouchers. (5)
21. Transfer vouchers passed/inter-branch transactions (on-us/off-us) are checked jointly by the inputter and the authorizer/Manager GB. (5)
22. The Manager GB examines a whole day's posting on a random basis. (5)
23. The summary balance and ledger balance of the respective heads are checked by the Manager GB. (5)
24. During monthly/half-yearly/yearly closing, the computer-generated interest sheets (accrued interest on loans and advances, and interest payable on deposits) are checked jointly and interest is posted to the respective heads. (5)
25. The cheque serial entry list and deletion list are kept with each day's vouchers; for cheque serial entry in T-24, no legacy number is used. (5)
26. Unauthorized and temporary staff are not involved/allowed in any transaction. (5)


27. The lifestyle of the staff concerned is under close supervision of the Manager (if any suspicious activity is found, the user ID is to be cancelled). (5)
28. Account opening and post-opening management, whether: (5)
   i) The necessary papers with PP-size photo etc. are taken, and the data entry in the computer is checked for correctness.
   ii) During account opening, data entry is completed in T-24 and the signature is captured.
   iii) Thanks letters are sent, and the cheque book is issued only after the thanks letter is received back from the client, who collects the cheque book in person.
29. Miscellaneous, whether: (5)
   i) There is an alternative/second hand to operate every sector/part of the branch.
   ii) An updated anti-virus is installed on each server and computer, whether connected to the internet or to the LAN.
   iii) The quality of posting, online checking, passing and security of vouchers is monitored properly.
   iv) FDR accounts under lien are marked as lien.
   v) At the end of the day, the MO/NG Extract is uploaded in soft copy and sent to the Reconciliation Division.
30. Precautions to be taken by the Branch Manager before leaving the branch, whether: (5)
   i) Computers/server (both monitor and CPU) are switched off properly and the main switch is off.
   ii) A backup is taken on CD and kept at a distant secured place, and a backup is taken on at least two computers of the branch.
   iii) The server/computer room is under lock and key, etc.

Moreover, the other instructions given in IC No. IT&MIS/33 dated 13/04/2016 are followed cautiously.

(Online Implementation Officer)          (Branch Manager)

Reference: a) ICT Policy-2015

b) IT-related Circular (Instruction Circular No. IT & MIS/33, dated 13/04/2016)
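The checklist above is answered by hand from registers and printed sheets, but several of its items can be tested mechanically from a user list and a transaction extract. The following is an added example, not the bank's own code and not part of the T-24 system the checklist names, that checks items 3, 6, 8 and 14 against constructed sample records; the record layout (the dict keys, the override and approved_by fields), the user-ID format and the staff lists are assumptions made for illustration.

```python
"""Added example (not from the ICC policy, nor code of the T-24 system it
names): automated checks for four items of the Annexure-08 Branch IT and
Security Management Checklist, run over constructed sample records.
  item 6  password at least 6 characters with upper, lower, number and special
  item 3  user IDs still active for staff no longer posted to the branch
  item 8  the same person is inputter and authorizer of one transaction
  item 14 override accepted without the manager's/authority's permission
The record layout (dict keys, the 'override'/'approved_by' fields) and the
user-ID format are assumptions for illustration, not a real T-24 extract."""
from __future__ import annotations

import string
from typing import Iterable

SPECIAL_CHARS = frozenset(string.punctuation)


def password_meets_policy(password: str, min_length: int = 6) -> bool:
    """Item 6: minimum length plus all four character classes."""
    if len(password) < min_length:
        return False
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIAL_CHARS for c in password))


def stale_user_ids(active_user_ids: Iterable[str], posted_staff: Iterable[str]) -> list[str]:
    """Item 3: active system users absent from the branch's current staff list
    (transferred or left), whose access should already have been removed."""
    return sorted(set(active_user_ids) - set(posted_staff))


def sod_violations(transactions: Iterable[dict]) -> list[str]:
    """Item 8: transaction IDs where inputter and authorizer are the same user."""
    return [t["id"] for t in transactions if t["inputter"] == t["authorizer"]]


def unapproved_overrides(transactions: Iterable[dict], managers: Iterable[str]) -> list[str]:
    """Item 14: overrides accepted without a recorded approval by a manager.
    An approval by the authorizer alone does not count; only the manager list does."""
    allowed = set(managers)
    return [t["id"] for t in transactions
            if t["override"] and t.get("approved_by") not in allowed]


def run_checks(transactions: list[dict], active_user_ids: list[str],
               posted_staff: list[str], managers: list[str]) -> dict[str, list[str]]:
    """Collect all findings; an empty list for an item means it can be answered 'Yes'."""
    return {
        "item3_stale_user_ids": stale_user_ids(active_user_ids, posted_staff),
        "item8_sod_violations": sod_violations(transactions),
        "item14_unapproved_overrides": unapproved_overrides(transactions, managers),
    }


# Constructed sample data (illustrative only, not a real extract).
SAMPLE_TRANSACTIONS = [
    {"id": "FT001", "inputter": "U101", "authorizer": "U205", "override": False, "approved_by": None},
    {"id": "FT002", "inputter": "U101", "authorizer": "U101", "override": False, "approved_by": None},
    {"id": "FT003", "inputter": "U302", "authorizer": "U205", "override": True, "approved_by": "U205"},
    {"id": "FT004", "inputter": "U302", "authorizer": "U900", "override": True, "approved_by": "MGR1"},
    {"id": "FT005", "inputter": "U404", "authorizer": "U404", "override": True, "approved_by": None},
]
SAMPLE_ACTIVE_USERS = ["U101", "U205", "U302", "U404", "U900", "MGR1"]
SAMPLE_POSTED_STAFF = ["U101", "U205", "U302", "MGR1"]   # U404 transferred, U900 left
SAMPLE_MANAGERS = ["MGR1"]

if __name__ == "__main__":
    findings = run_checks(SAMPLE_TRANSACTIONS, SAMPLE_ACTIVE_USERS,
                          SAMPLE_POSTED_STAFF, SAMPLE_MANAGERS)
    for item, ids in findings.items():
        print(item, ids or "none")
    for pw in ("Agr@ni2018", "agrani1", "Ab1!", "ABC123!!"):
        print(pw, password_meets_policy(pw))
```

In the sample, FT005 is caught twice: the same user inputs and authorizes it and the override has no manager approval, and that user (U404) is also one of the stale IDs from item 3. That is the pattern the checklist is built to catch, a transferred employee whose T-24 access was never removed and who can then complete a transaction alone; the three checks are worth running together rather than as separate yes/no answers.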


Annexure-09c
AGRANI BANK LIMITED
------ Branch
CHECKLIST FOR EXPORT L/C (AS PER MASTER CIRCULAR NO. IT&FCMD/77/13 DATED 14/08/2013 ON EXPORT TRADING)

The checklist is a grid of 19 columns (headed 1 to 19) with one row per export L/C (rows 1 to 9). The column headings, recovered from the rotated table, cover:

- Sl. No.
- Name of the Exporter
- Bill of Exchange: At sight / After sight bill / After date bill / Time bill / Demand
- Authenticity of the advising letter of the Advising Bank: must be under MT-700/701, and any amendment under MT-707; the message received by SWIFT is to be checked, and the advising letter must reach the beneficiary
- Genuineness of the Advising/Transferring/Nominating Bank, to be judged under Article 9 of UCPDC
- Export LC/Standby Credit: whether Transferable or not, transferred, name of the Transferring Bank, LC letter checked, confirmed from SWIFT etc.
- Paying Bank name
- Payment terms (sight/deferred)
- Credit report of the Issuing Bank
- Industry capacity to be considered
- Commercial Invoice* (quantity, unit price, shipment & expiry date etc.)
- Marine Insurance policy
- Goods: Country of Origin
- Bill of Lading / Air bill**
- Pre-shipment Inspection by the buyer's nominated firm
- Health Certificate, Quality Certificate
- Local Chamber of Commerce certificate

ICC Policy and Procedures-2018

239

ICC Policy and Procedures-2018 Audit and Inspection Division

Annexure: 10

AGRANI BANK LIMITED

…………………………… BRANCH
Statement of Previous Audit Objections' False Compliance

Columns:
1. Sl. no.
2. Previous Audit Report's serial no.
3. Description of the Previous Audit Report's objection
4. Brief description of the compliance by the branch against the audit objection
5. Name, designation & current work place of the signatory of the audit objection's false compliance
6. Auditor's observation regarding the false compliance

Signature: Audit Team Leader/ Member.


Annexure: 11

AGRANI BANK LIMITED …………………………… BRANCH …………………………………………

Statement of responsibility-period-wise grip loans/irregularities

Columns:
1. Sl. no.
2. Description of loan
3. Disbursement date
4. Name and designation of the loan-disbursing person
5. Loan sanction authority
6. Loan limit
7. Present balance
8. Security held / disbursement policy of the loan
9. Cause of loan expiry
10. Loan expiry date

Loan Officer Manager


Annexure: 12

AGRANI BANK LIMITED
…………………………… BRANCH …………………………………………
Position of Year-wise Agriculture Loans                    Date: ……………..

Columns:
1. Sl. no.
2. Year
3. Crop name
4. Allotted amount
5. Total disbursed amount
6. Total number of borrowers
7. Collected amount
8. Outstanding amount
9. Number of outstanding borrowers
10. Number of certificate cases/suits filed
11. Related amount of certificate cases filed
12. Related amount of unsettled certificate cases
13. Reason for certificate cases remaining unsettled
14. Time-barred loans: quantity
15. Time-barred loans: amount
16. Fake borrowers (if any)
17. Fake loan amount (if any)
18. Name/present work place of the disbursing manager
19. Remarks

Field staff Officer/Rural loan Officer Manager


Annexure: 13

AGRANI BANK LIMITED
…………………………… BRANCH …………………………………………
(FROM 1972 TO DATE)

Position of Year-wise Expired General Loans & Borrowers without Trade Organization

Columns:
1. Year
2. Number of borrowers on Audit date
3. Outstanding balance on Audit date
4. Number of borrowers without trade organization
5. Outstanding balance on Audit date
6. Remarks

Officer Manager


Annexure: 14

AGRANI BANK LIMITED …………………………… BRANCH …………………………………………

Position of Period-wise Unsettled Certificate Cases

Period | Number of cases | Related amount of cases | Reason for cases remaining unsettled
More than 6 months unsettled: case quantity
More than 01 year unsettled: case quantity
More than 02 years unsettled: case quantity
More than 03 years unsettled: case quantity
More than 04 years unsettled: case quantity
More than 05 years unsettled: case quantity

Auditor          Manager          Officer


Annexure: 15

AGRANI BANK LIMITED …………………………… BRANCH …………………………………………

Position of Year-wise Money Suits under Trial for Collection of General Loans

Period | Number of cases under trial | Related amount on Audit date | Reason for cases remaining unsettled
More than 6 months under trial
More than 01 year under trial
More than 02 years under trial
More than 03 years under trial
More than 04 years under trial
More than 05 years under trial

Cases unsettled since the earlier Audit: quantity & related amount.


Annexure: 16 AGRANI BANK LIMITED AUDIT & INSPECTION DIVISION Head Office, Dhaka.

To perform the audit task effectively, the Audit Team's responsibilities are distributed as below:

Name of the Branch:          Name of the Zone:
Letter No. & Date:           Audit Date:

Details of distributed work among the Audit Team Leader & Team Members

Auditor's Name | Assigned Duties | Signature
Mr. ………………………………………………………………. (Audit Team Leader)
Mr. ………………………………………………………………. (Audit Team Member)
Mr. ………………………………………………………………. (Audit Team Member)
Mr. ………………………………………………………………. (Audit Team Member)
Mr. ………………………………………………………………. (Audit Team Member)
Mr. ………………………………………………………………. (Audit Team Member)

Audit Team Leader

This audit task distribution copy must be attached to the Audit Report.


Audit Compliance Division

Internal Audit

Annexure: 17 Agrani Bank Limited Audit Compliance Division Head Office, Dhaka

Monthly Statement of Audit Objections for the month of …………………………………

Columns:
1. SL.
2. Audit Report
3. Unsettled reports up to previous month: (ka) No. of reports; (kha) No. of objections
4. Audit Report no. received during the month
5. Total
6. Settlement during the month: (ka) No. of reports; (kha) No. of objections
7. Position at the end of the current month: (ka) No. of reports; (kha) No. of objections

Rows:
1. Internal Audit & Inspection
2. Bangladesh Bank Inspection
3. Govt. Commercial Audit
4. Others (Special Inspection Cell, Complaint Cell, Vigilance etc.)
Total

N.B. In the Bangladesh Bank Inspection Report the number of irregularities is not shown, because the report is explanatory and qualitative; hence the number of reports is shown. Columns 3(kha) and 7(kha) cannot be filled in with information.

Senior Principal Officer Assistant General Manager Deputy General Manager


Annexure: 18

Agrani Bank Limited
Audit Compliance Division
Compliance with Nirikha Paripalon Patra (NIPP)-1, for Ordinary/Major Irregularities

Audit date: …………………. Branch/Office

SL. No. | Description of Irregularities | Branch Manager's Response/Compliance

Audit team member/Team Leader          Branch Manager's Signature & Date


Annexure: 19

Agrani Bank Limited
Audit Compliance Division
Compliance with Nirikha Paripalon Patra (NIPP)-2, for Serious Lapses

Audit date: …………………. Branch/Office

SL. No. | No. of Audit Objection | Steps taken by Branch Manager/Compliance Comments of the Branch (Signature & Date, SS no.) | Steps taken by Zonal Head (Signature & Date, SS no.) | For use by Head Office


Annexure: 20

Agrani Bank Limited Audit Compliance Division Head Office, Dhaka

Monthly Statement of Audit Objections identified in Internal Audit & Inspection Reports, for the month of ……………………………………………

Columns:
1. SL no.
2. Name of the Audit Report
3(a) Unsettled reports up to previous month: No. of reports; 3(b) No. of objections
4. Audit report no. received during this month
5. Total no. of Audit Reports
6(a) Settled during this month: No. of reports; 6(b) No. of objections
7(a) Position at the end of the current month: No. of unsettled reports; 7(b) No. of unsettled objections

Total

Senior Principal Officer Assistant General Manager Deputy General Manager


Annexure: 21

Agrani Bank Limited
Audit Compliance Division, Head Office, Dhaka
Memorandum no. ……………………………………………………. Date:
Sub: Audit Clearance regarding Annual Salary Increment

(Ref. Memorandum no. NIBABI/Prosha/……………./…………../………… dated …………….)

SL. No. | Officer's Name | Working Place | Last Audit date | Comments
1 | 2 | 3 | 4 | 5

Principal Officer          Senior Principal Officer/In-charge          Assistant General Manager


Annexure: 22

Branch Inspection Report

Administration (Yes/No)
1. Whether the security measures of the branch are adequate
2. Whether the attendance register is maintained properly
3. Whether the leave register is maintained properly
4. Whether the duty list of all officers and staff is up to date
5. Whether job rotation is effected
6. Whether any employee has been posted in the branch for a period of over 3 years

Cash (Yes/No)
1. Whether cash is found correct
2. Whether cash is within the safe limit
3. Whether the balance of Prize Bonds is physically counted and recorded in the register
4. Whether the scroll register is maintained
5. Whether the token register is maintained
6. Whether the Key register is updated
7. Whether the cash remittance register is maintained properly
8. Whether the Vault register is maintained properly
9. Whether the cash receipt and payment seals are maintained properly

Deposit Banking (Yes/No)
1. Whether the required information/papers are obtained (sample checking)
2. Whether thanks letters are sent to the customer and the introducer
3. Whether ledger balancing/the daily computer sheet is checked regularly
4. Whether account statements are sent to the customers
5. Whether the stop payment register is maintained properly
6. Whether the cheque book issue register is maintained properly
7. Whether the manager's approval is taken for issuing a duplicate cheque book on Form 'B'
8. Whether dormant accounts are identified and transferred to the separate ledger
9. Whether the dormant ledgers are balanced regularly
10. Whether double supervision is made for big transactions


General Banking (Yes/No)
1. Whether the DD/Pay Order/Pay-Slip/SR block is balanced every day
2. Whether the DD/TT/MT/PO/PS/SR payable register is balanced regularly
3. Whether the OBC/IBC register is maintained and monitored properly
4. Whether the transfer book is written and maintained properly
5. Whether the stock of security stationery is found correct
6. Whether the test keys are maintained and used properly
7. Whether the daily vouchers are checked by the manager and the Zonal Officer regularly

Accounts (Yes/No)
1. Whether the Cash Book-cum-General Ledger is written and checked daily
2. Whether the Profit & Loss Ledger is written and checked daily
3. Whether the voucher register is maintained up to date and checked regularly
4. Whether the daily statements of affairs and the MO/NG A/c Extract are sent correctly and regularly
5. Whether the sundry creditor/sundry debtor register is maintained properly
6. Whether any expenditure in excess of budget has been incurred
7. Whether the ledger is balanced periodically within the bank's rules
8. Whether the statements are sent to Head Office as per schedule
9. Whether the audit reports are complied with timely and properly
10. Whether any entry remains long outstanding

Loans and Advances (Yes/No)
1. Whether the loan documents are obtained as per the sanction advice before disbursing the loan
2. Whether the Safe-in/Safe-out register is maintained properly
3. Whether the stock statement for pledge and hypothecation is obtained regularly
4. Whether the pledge godown key movement register is maintained properly
5. Whether the cash deposit, transfer voucher, cheque payment voucher and interest application voucher in the loan ledger are checked/supervised by the Manager/Officer-in-charge
6. Whether the insurance register is maintained properly
7. Whether the suit file register is maintained properly
8. Whether the confidential limit register is maintained properly
9. Whether the loan recovery assignment is distributed among the officers/staff
10. Whether the loan ledgers are balanced periodically as per schedule

Foreign Exchange (Yes/No)
1. Whether the foreign currency is found correct on physical verification
2. Whether the foreign banks' test keys are maintained and used by the Branch Manager/Officer-in-charge/departmental in-charge under joint control
3. Whether LC commission is recovered properly
4. Whether LC margin is collected properly


5 Whether the inward foreign bill and PAD are presented for lodgment/payment/acceptance forthwith
6 Whether the necessary action is taken forthwith for reconciliation of PAD outstanding
7 Whether the LIM ledger is correctly and regularly maintained, verified and balanced
8 Whether LIM is created as per rules
9 Whether the necessary measures have been taken for auction, or a reminder has been issued to the importer, for adjustment of LIM outstanding
10 Whether the recoverable bills are reviewed periodically
11 Whether the records of shipping guarantees issued by the branch are retained and reviewed as per norms
12 Whether initiatives for adjustment of outstanding guarantees have been taken, and whether correspondence is ongoing with the customers for unreconciled shipping guarantees
13 Whether FBP, FBC and FDBC accounts are balanced and verified regularly
14 Whether the PCC register and ledger are maintained, verified and balanced properly and regularly
15 Whether the necessary measures have been taken for adjustment of overdue PCC
16 Whether the customer is informed of the fate of the remittance
17 Whether the foreign currency and traveller's cheques are balanced regularly

Comments of Team Leader/Audit Team

Sl. No. | Irregularities | Comments


Audit Compliance Division
External Audit

Annexure: 23

Agrani Bank Limited. Audit Compliance Division Head Office, Dhaka

Monthly Statement of Audit Objections identified in Statutory Audit/ External Audit For the month of ……………………………………………

Columns:
1 SL no.
2 Name of the Audit Report
3 Unsettled up to previous months: (a) No. of reports (b) No. of objections
4 Report received during this month (Audit report no.)
5 Total no. of Audit Reports
6 Settled during this month: (a) No. of reports (b) No. of objections
7 Position at the end of current month: (a) No. of unsettled reports (b) No. of unsettled objections

Total

Senior Principal Officer Assistant General Manager Deputy General Manager


Annexure: 24

Agrani Bank Limited
------ Branch
------ Zonal Office

Letter No.
Date:

To
Deputy General Manager
Agrani Bank Limited
Audit Compliance Division
Head Office, Dhaka
Through Zonal Office

Sub: Response and Certification to the External Audit Report for the Year ended December 31, 20-.

Dear Sir,

This is to certify that all the external audit objections have been adjusted/ settled/ regularized except for the objections enclosed in the Annexure-ka herewith.

The objections mentioned in the above Annexure-ka have again been included in the subsequent external audit report/internal audit report/Bangladesh Bank Inspection Report, and our efforts and follow-up will continue to regularize/adjust/settle them.

We further certify that our efforts will continue until all unresolved/unsettled objections raised in the latest External Audit Report are adjusted/regularized/settled.

Second Officer's Name & Signature, SS no. | Branch Manager's Name & Signature, SS no. | Zonal Head's Name & Signature, SS no.

Commercial Audit

Annexure: 25
Agrani Bank Limited
------ Branch/Office

Sub: Statement of unsettled audit objections as of December 31, 20-- identified by the External Auditors.

The following audit objections have been included in the subsequent Audit Report. Our efforts to resolve them will continue.

Columns:
1 Para no. -- of unsettled External Audit objections dated 31-12--
2 Para no. -- of Internal/External Audit objections mentioned in the subsequent Audit Report dated 31-12--
3 Brief description of objections
4 Branch comments/compliance
5 Zonal Head's comments

Second Officer's Name & Signature, SS no. | Branch Manager's Name & Signature, SS no. | Zonal Head's Name & Signature, SS no.


Annexure: 26

Agrani Bank Limited ------Branch/Office

Sub: Statement of rectification/regularization/settlement of objections raised by the external audit for the year ended ------ and submission to the Ministry of Finance.

Columns:
1 Para no.
2 Description of Objections
3 Bank Comments
4 Ministry of Finance Comments

Second Officer Branch Manager Head of Zonal Office


Annexure: 27

Agrani Bank Limited. ------Branch/Office

Responses to the Government Commercial Audit Objections

Branch name:
Audit year:

Columns:
1 Irregularities: para no. -- of Objections
2 Heading of Objections
3-4 Taka involved in objections (party wise): Party name; Involved Taka (total Taka in agri/woven loans)
5-6 Taka realized after audit (party wise): Principal; Interest (total Taka in agri/woven loans)
7-8 Taka of bad debts at present (party wise): Principal; Interest (total Taka in agri/woven loans)
9 Way of regularization of loan/irregularities, for example: rescheduling, renewal, interest waived, written off, etc.

Ka.) Enclose the loan account statement if the objected amount is not recovered in full. For Agricultural Loans, if the number exceeds 20 loans, a certificate should be enclosed. For rescheduled/renewed/interest-waived/written-off loans, the sanction letter / attested copy of IBBCC, countersigned by the Head of Zonal Office, needs to be enclosed. Forward documentary evidence of the steps taken.

Kha.) Use additional sheet for giving full details, if required.


Annexure: 28

Agrani Bank Limited

Commercial Audit:

Branch name: ………………………………………………………………………….
Audit year: …………………………………………………………………………….
Minutes of the Joint Meeting held on ……………. at …………………………. Zonal Office

Para no. | Heading of Objections & involved Taka | Bank's Comment | Decision of the Joint Meeting

Senior Principal Officer Assistant General Manager


Annexure: 29

GOVERNMENT OF THE PEOPLE'S REPUBLIC OF BANGLADESH
Office of the Director General
Government Commercial Audit
Dhaka

No. Date:

To
Managing Director
Agrani Bank
Head Office
Motijheel C/A, Dhaka

Sub: Suggestion of the Joint Meeting for resolving ordinary audit objections mentioned in the audit report for the year/period ended…………………………

Ordinary clause nos. ……….. have been treated as settled in the Joint Meeting held on ………..

This office should be informed immediately of the steps taken to resolve unsettled clause nos. ……………………………………………

Audit & Accounts Officer
Sector-1, Audit-2
Date:

CC: Copies sent for information and necessary action
1. General Manager
2. ………………….
3. …………………

Audit & Accounts Officer Sector-1, Directorate of ------


Annexure: 30
Agrani Bank Limited

Ministry’s name:

Audit Report:

Statement for discussion in the Standing Committee meeting on Government Accounts to be held on …….

Columns:
1 Para no.
2 Organization's name & Accounts' year
3 Para & page no. of the audit report and headlines of audit objections/comments
4 Brief description of audit objections
5 Brief description of the latest response of the Organization/Ministry
6 Comments of the Audit Office based on the latest response of the Organization/Ministry

Deputy General Manager | General Manager | Managing Director | Secretary (Division), Ministry of Finance


Annexure: 31

Agrani Bank Limited. Audit Compliance Division Head Office, Dhaka

Statement regarding Commercial Audit Objections and Settlement
For the month of ………………………………….. (Figures in lac)

Columns:
1 SL no.
2 Bank/Financial Institution's name
3-10 Unresolved objection balance up to previous month: Ordinary (Nos., Taka); Advance (Nos., Taka); Draft (Nos., Taka); Included in Annual Report (AR) (Nos., Taka)
11-18 Resolved in current month, nos. and amount: Ordinary (Nos., Taka); Advance (Nos., Taka); Draft (Nos., Taka); Included in AR (Nos., Taka)
19-26 Objections raised in current month, nos. and amount: Ordinary (Nos., Taka); Advance (Nos., Taka); Draft (Nos., Taka); Included in AR (Nos., Taka)
27-34 Total unresolved objection balance: Ordinary (Nos., Taka); Advance (Nos., Taka); Draft (Nos., Taka); Included in AR (Nos., Taka)
35-38 Cases filed, nos. and amount: Certificate Case (Nos., Taka); Artharin Case (Nos., Taka)
39 Comments


Annexure: 32
Agrani Bank Limited
Audit Compliance Division, Head Office, Dhaka

Statutory Audit Objections/ Settlement summary For the period from………………to …………………..

Columns:
Classification
Balance as of 01/01/…: Previous objection nos.; Involved Taka (figure in lac)
Jan/… to June/…: Objection nos.; Involved Taka (figure in lac); No. of settlements; Involved Taka (figure in lac)
Balance as of 01/07/…: Unresolved objection nos. at ending; Involved Taka (figure in lac)

Rows:
Theft/Robbery
Embezzlement
Deficit
Waste
Payment violating law
Failure to collect Government money
Other irregularities
Total

Comments on payment violating law: Audit objections regarding payment of salary, medical allowance, fringe benefit, lunch subsidy, bonus accrual, house rent deduction, excess bonus paid, washing allowance, ex-gratia, etc.

Senior Principal Officer Assistant General Manager Deputy General Manager


Annexure: 33

Agrani Bank Limited. Audit Compliance Division Head Office, Dhaka

Format of the monthly statement sent to the Ministry & Division Offices (Memorandum No. MCD/Branch-11/80/748/02 dated 23/06/2002)
Statement for the month of ………………………………… (information based on the month of …………………………..)

Ka) Information on Audit Objections

Columns: Ministry/Organization's name | Audit objection nos. | Taka in lac | Nos. of comments on Board sheet | Nos. of settlements | Balance | Remarks
Row: Ministry of Finance, Government Commercial Audit on Agrani Bank

Kha) List of serious audit objections/fraud-forgery/embezzlement, etc.

N.B.: …………… nos. of new audit objections have been raised/identified during this month.

Senior Principal Officer Assistant General Manager Deputy General Manager


Annexure: 34

Agrani Bank Limited. Audit Compliance Division Head Office, Dhaka

Monthly statement of Audit Objections identified in Statutory Audit/ External Audit For the month of ……………………………………………

Columns:
1 SL no.
2 Name of the Audit Report
3 Unsettled up to previous months: (a) No. of reports (b) No. of objections
4 Report received during this month (Audit report no.)
5 Total no. of Audit Reports
6 Settled during this month: (a) No. of reports (b) No. of objections
7 Position at the end of current month: (a) No. of unsettled reports (b) No. of unsettled objections

Total

Senior Principal Officer Assistant General Manager Deputy General Manager


Bangladesh Bank Inspection

Annexure: 35

Agrani Bank Limited. ………………….Branch

Responses to the Bangladesh Bank Agricultural Loan Inspection Report
For the year/period ended ………………………………

Columns:
1 BB Agri Inspection Report: Page, Para
2 Summary of the objection in the BB Agri Inspection Report
3 Response of the concerned branch office
4 Comments of the Head of Zonal Office on the branch office's response
5 For use of Bangladesh Bank

Second Officer Branch Manager Head of Zonal Office


Annexure: 36

Agrani Bank Limited. Audit Compliance Division Head Office, Dhaka

Board/ Board Audit Committee’s Advice on Bangladesh Bank Detailed Inspection Report For the year/ period ended………………………………

Columns:
1-2 Main Report of BB: Page, Para
3 Brief description of special objections/irregularities
4 Comments of branch office/Zonal office/Head office
5 Comments of the Board
6 Remarks

Senior Principal Officer Assistant General Manager Deputy General Manager


Annexure: 37

Agrani Bank Limited
…………………. Branch
…………………….. Zonal Office

Letter no.
Dated:

To
Deputy General Manager
Agrani Bank Limited
Internal Control & Compliance Division
Head Office, Dhaka

Sub: Certificate regarding closing of the Bangladesh Bank detailed branch inspection file, for the inspection conducted on the basis of the year/period ended ……………..

Dear Sir,

This is to certify that all the audit objections have been regularized/adjusted/settled except for the following objections mentioned in the Bangladesh Bank detailed branch inspection report:

Columns: Brief description of audit objection & clause | Steps taken by branch office against audit objections | Date of subsequent inclusion of the previous unsettled objections

2. This is further to certify that our efforts will continue until full settlement of the objections mentioned in the Bangladesh Bank detailed branch inspection report for the year/period ended ……………..

3. Under the above circumstances, it is recommended/suggested that the Bangladesh Bank detailed branch inspection file for the year/period ended …………….. be closed.

Thanking you.
Yours faithfully,

Second Officer | Branch Manager

Comments of the Head of Zonal Office:


Annexure: 38

Agrani Bank Limited. Audit Compliance Division Head Office, Dhaka

Monthly statement of Audit Objections identified in Bangladesh Bank Inspection Report For the month of ……………………………………………

Columns:
1 SL no.
2 Name of the audit report
3 Unsettled up to previous months: (a) No. of reports (b) No. of objections
4 Report received during this month (Audit report no.)
5 Total no. of Audit Reports
6 Settled during this month: (a) No. of reports (b) No. of objections
7 Position at the end of current month: (a) No. of unsettled reports (b) No. of unsettled objections

Total

Senior Principal Officer Assistant General Manager Deputy General Manager


Annexure: 39 (Proforma-1)

Form No-1422-11

Agrani Bank Limited
Nirikha Paripalan Patra (Audit Compliance Letter, NIPP)-1
------ Branch
For Minor/Major Lapses

Date of audit report------Page No.

Serial no. | Description of lapses | Compliance by the manager

Member / Leader of Audit Team Date and Signature of Manager


Annexure: 40 (Proforma-2)

Agrani Bank Limited
Nirikha Paripalan Patra (Audit Compliance Letter, NIPP)-2
------ Branch
For Serious/Major Lapses
Page No.

Date of audit report ------ (For Auditor's use only) (MD Circular/20/7 dated 02/09/2007)

Serial no. | Nature of lapses | Description of lapses | Auditor's remark

Member / Leader of Audit Team


Annexure: 41 (Proforma-3)

Form No.-1423-12 Page No.

Agrani Bank Limited. Nirikha Paripalan Patra (NIPP) -3

------Branch For Serious / Major Lapses (For Audit Compliance Division’s use only)

Date of audit report------

(MD's Memorandum No. NIKO: 03:84/43 dated 15/08/1993 and MD Circular/20/7 dated 02/09/2007)

Serial no. | Lapse no. | Nature of lapses (SL/ML) | Description of lapses | Compliance by the manager | Zonal head's remark

Signature and date Signature and date

Code No-13-09657


Annexure-A
Agrani Bank Limited ...... Branch
Branch Audit Rating

A. INTERNAL CONTROL AND COMPLIANCE RISK MANAGEMENT RATING

A.1 Administration

A.1(a) Security Measures of the Branch (Allotted Score: 10; Score Obtained: ....)
i) Security guards are alert at the branch premises. Yes 2.5 / No 0
ii) Security alarm is active in the branch. Yes 2.5 / No 0
iii) Fire extinguisher is available in the branch. Yes 2.5 / No 0
iv) Closed-circuit cameras with TV are active in the branch. Yes 2.5 / No 0

A.1(b) Branch Administration (Allotted Score: 10; Score Obtained: ....)
i. Officials in the branch working more than 3 years. Yes 2 / No 0
ii. Attendance is timely and there is no unauthorized absence in the branch. Yes 2 / No 0
iii. Leave register maintained properly. Yes 2 / No 0
iv. Duty list exists and staff are working according to the duty list. Yes 2 / No 0
v. Job rotation is effected. Yes 2 / No 0

A.2 General Banking

A.2(a) Physical Cash (Opening/Closing) Verification with Statements of Affairs and Vault Position (Allotted Score: 10; Score Obtained: ....)
Found as per denomination in cash position/statements of affairs. Yes 3 / No 0
Soiled and mutilated notes are not mixed with issue notes. Yes 2 / No 0
Vault is safe enough, i.e. as per specifications: concrete (RCC) wall and floor, pore-less, under CCTV coverage, door alarm bell, chap door and grille, etc. Yes 5 / No 0

A.2(b) Holding of Excess Cash over Safe Limit (Allotted Score: 10; Score Obtained: ....)
Not exceeded: 10
Exceeded for a long time/most of the time: 8
Cash is not within the safe limit and the limit is always exceeded: 0

A.2(c) Holding of Mutilated/Torn Notes in Safe (Allotted Score: 10; Score Obtained: ....)
Found nil: 10
Holding 1% to <3% of total cash: 8
Holding 3% to <5% of total cash: 5
Holding 5% or more of total cash: 0

A.2(d) Stock Position of Prize Bonds and Stamps (Allotted Score: 10; Score Obtained: ....)
Prize Bonds found as per statements of affairs. Yes 5 / No 0
Stamps in hand found as per statements of affairs. Yes 5 / No 0

A.2(e) Branch Performance (Allotted Score: 10; Score Obtained: ....)
i. Deposit target achieved 100% or above. Yes 2 / No 0
ii. Profit target achieved 100% or above. Yes 2 / No 0
iii. Loan & Advance target achieved 100% or above. Yes 2 / No 0
iv. Foreign Remittance target achieved 100% or above. Yes 2 / No 0
v. Non-interest income target achieved 100% or above. Yes 2 / No 0
[Scores are to be given proportionately according to achievement; for example, if the target is achieved 90%, the score will be 1.8 out of 2.]

A.2(f) Payment Made against Advance-Dated or Stale Cheques (Allotted Score: 10; Score Obtained: ....)
In no case: 10
Up to five cases: 7
More than five cases: 0

A.3 DCFCL Checklists and Other Control Functions of the Branch (Allotted Score: 15; Score Obtained: ....)
a) DCFCL has been followed up properly by the Branch Manager/designated officers at the noted frequencies: daily, weekly, monthly and quarterly. Yes 3 / No 0
b) Branch has prepared the Quarterly Operation Report (QOR) in light of BB guidelines and duly sent the report to the Head of ICC. Yes 2 / No 0
c) Branch has prepared and started functioning of the Loan Documentation Checklist as per ICC guidelines. Yes 2 / No 0
d) Branch has launched the L/C checklist to reduce operational risk. Yes 2 / No 0
e) Outstanding entries of suspense A/C and inter-branch transactions are monitored and followed up on a monthly basis. Yes 2 / No 0
f) Manager/concerned officers are allowed authority/delegation of power to perform daily activities. Yes 2 / No 0
g) Reconciliations of inter-branch accounts are monitored by the branch regularly. Yes 2 / No 0

A.4 Compliance Status of the Branch (Allotted Score: 10; Score Obtained: ....)
Compliance of audit objections above 70%: 10
Compliance of audit objections from 50% to 69%: 8
Compliance of audit objections from 30% to 49%: 5
Compliance of audit objections less than 30%: 0

A.5 Lapses Status of the Branch (Serious Lapses) (Allotted Score: 10; Score Obtained: ....)
No serious lapses found by the Audit Team: 10
Up to 10% serious lapses against the total number of lapses detected: 8
From 11% to 15% serious lapses detected: 5
More than 15% serious lapses detected: 0

A.6 Fraud/Forgery Status of the Branch (Allotted Score: 10; Score Obtained: ....)
No such cases found at the time of inspection: 10
Found at the time of inspection: 0

A.7 Settlement of Serious and Major Lapses against Last Audit Findings (Allotted Score: 10; Score Obtained: ....)
Settlement above 80%: 10
Settlement from 60% to 79%: 8
Settlement from 40% to 59%: 5
Settlement below 40%: 0

A.8 Customer Service Status of the Branch (Allotted Score: 10; Score Obtained: ....)
New account opening more than 20% over the position at the last audit/inspection, and deposit target achieved (above 95%): 10
New account opening up to 10%: 8
Accounts closed about 5%-9% of the total number of accounts in the branch, or more than 5 customer complaints since the last audit: 5
Deposit target not achieved and accounts closed above 10%, or more than 10 customer complaints since the last audit: 0

B. CREDIT RISK MANAGEMENT RATING

B.1 Incomplete Charge Documents / Found Blank and Without Stamp / Valuation of Collateral Not Verified Properly (Allotted Score: 10; Score Obtained: ....)
No such case found: 10
Up to 5 cases: 8
6 to 10 cases: 5
More than 10 cases: 0

B.2 Monthly Basis Stock Report as per HO Sanction (Allotted Score: 10; Score Obtained: ....)
No such case found: 10
Pending up to 15 cases: 8
Pending more than 15 cases: 0

B.3 Maintenance of Safe-In and Safe-Out Register / Loan Documentation Checklist (Allotted Score: 10; Score Obtained: ....)
Maintained properly and found up to date: 10
Maintained but not up to date: 7
Not maintained: 0

B.4 Insurance Coverage (Allotted Score: 10; Score Obtained: ....)
Almost all loans are covered by insurance: 10
Up to 5 cases not covered: 8
6 to 10 cases not covered: 5
More than 10 cases not covered: 0

B.5 Obtaining of Original Title Deed / Certified True Copy along with SRO Token / Deed Ticket for Registered/Mortgaged Property (Allotted Score: 10; Score Obtained: ....)
Done in all applicable cases: 10
Pending in any instance: 0

C. MONEY LAUNDERING PREVENTION MEASURES RATING

Account Opening and Transaction Analysis with TP (Allotted Score: 20; Score Obtained: ....)
i) Complete identification of the account holder (person/company) is incorporated in the account opening form, and genuineness of the address/registration is confirmed (by thanks letter / RJSC office visit). Yes 4 / No 0
ii) KYC and TP were filled up cautiously. Yes 4 / No 0
iii) The account holder himself took the cheque book. Yes 2 / No 0
iv) Big transactions are monitored jointly (double supervision) and matched with the TP. Yes 2 / No 0
v) BAMELCO is assigned and trained; all concerned are aware of Money Laundering/Terrorist Financing Prevention Measures. Yes 3 / No 0
vi) All money laundering related circulars/guidelines are kept in a file/cabinet. Yes 3 / No 0
vii) Money laundering related meetings are held at regular intervals (meeting minutes kept in a file). Yes 2 / No 0

D. ICT RISK AND OTHER ANTI-FRAUD CONTROL MANAGEMENT RATING

Protect/Prevent Fraud and Forgery (Allotted Score: 20; Score Obtained: ....)
i) Every day's vouchers are checked against the printed copy of the supplementary (audit trails). Yes 2 / No 0
ii) A "Complaint Box" exists in the branch. Yes 2 / No 0
iii) Balance Confirmation Certificates are sent to customers on a half-yearly/yearly basis. Yes 2 / No 0
iv) There is no other internet/modem connection on any PC. Yes 2 / No 0
v) Computer/software access is controlled, i.e. password confidentiality and complexity are maintained, passwords are changed at regular intervals, etc., and no unused passwords exist. Yes 2 / No 0
vi) Branch management is sincere and aware of the following subjects: a) fraud/forgery, b) operating losses, c) communications. Yes 3 / No 0
vii) Branch has taken the necessary steps to protect the following: a) change of keys, b) safe deposit lockers, c) controlled stationery, d) test keys, e) signature books, f) cash/TC/SPs/bonds, g) balancing of books and accounts. Yes 7 / No 0

E. FOREIGN EXCHANGE RISK MANAGEMENT RATING

Foreign Exchange Risk Mitigation Measures Taken (Allotted Score: 20; Score Obtained: ....)
Branch has launched the L/C checklist to reduce operational risk, and physical visit/verification of L/C products/goods is done. Yes 6 / No 0
SWIFT user ID/password confidentiality is maintained strictly. Yes 4 / No 0
Other net connections/modems are strictly prohibited on remittance/SWIFT related PCs. Yes 6 / No 0
Only authorized and trained officers are allowed to use remittance/SWIFT related PCs. Yes 4 / No 0

F. ASSETS-LIABILITY MANAGEMENT

F.1 Status of Assets and Liabilities of the Branch (Allotted Score: 10; Score Obtained: ....)
Loan and Advance against Deposit percentage above 70 and up to 80, with NPL less than 5%: 10
Advance against Deposit percentage above 60 and up to 70, with NPL less than 10%: 8
Deposit target achievement below 95% and classified loans above 10%: 0

F.2 Non-Performing Assets Management (Allotted Score: 10; Score Obtained: ....)
Identification of NPA/SMA done properly as per guidelines. Yes 3 / No 0
Accounts identified as SMA are being properly monitored. Yes 2 / No 0
Timely lodging of claims / timely follow-up for recovery. Yes 3 / No 0
Timely legal action taken and prompt execution of decree (to avoid time bar). Yes 2 / No 0

F.3 Classified Loan Recovery (Allotted Score: 10; Score Obtained: ....)
Recovery 100% of targeted amount: 10
Recovery 80%-90% of targeted amount: 8
Recovery 60%-79% of targeted amount: 6
Recovery 50%-59% of targeted amount: 4
Below 50%: 0

G. ENVIRONMENTAL RISK RATING

Environmental Risk Management (Allotted Score: 15; Score Obtained: ....)
a. Cleanliness of the branch premises is up to standard, i.e. branch staff are working in a healthy and safe environment. Yes 3 / No 0
b. Dress code is maintained by the branch staff. Yes 3 / No 0
c. Advances are not made to environmentally hazardous sectors/firms. Yes 3 / No 0
d. Energy-saving bulbs are used, with maximum use of natural light and air. Yes 3 / No 0
e. For communication, maximum use of electronic devices and minimum use of paper. Yes 3 / No 0

Auditors' Overall Comments for Gradation of the Branch, considering core risk areas (ICC, CRM, AML, ICT, Forex, Assets-Liability Management and Environmental Risk). Allotted Score: 300; Score Obtained: ....

Excellent: above 90%
Very Good: 80%-89%
Good: 60%-79%
Satisfactory: 50%-59%
Poor: below 50%
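The Annexure-A rating is a weighted sum: the allotted scores of the individual heads add up to the 300 shown under the overall comments, A.2(e) is scored pro rata to target achievement, and the total is converted to a grade by percentage band. The following Python is an added worked example, not part of the policy: it checks that the printed weights sum to 300, applies the pro-rata rule, rejects an obtained score above its head's allotted maximum, and assigns the grade. The band edges as printed leave gaps (89.5% is neither "80%-89%" nor "above 90%", and exactly 90% is not "above 90%"); the code assigns such values to the lower band, which is an assumption of this example and not something the policy states. Function names and the constructed sample scores are likewise assumptions.

```python
"""Branch Audit Rating aggregation (added worked example, not from the policy).

Weights are the allotted scores printed in Annexure-A; the grade bands are
the percentages printed under "Auditors' Overall Comments". Function names,
the constructed sample scores and the treatment of percentages that fall
between two printed bands are assumptions made for this example.
"""
from dataclasses import dataclass

# Allotted score per rating head, copied from Annexure-A.
ALLOTTED = {
    "A.1(a) Security measures": 10,
    "A.1(b) Branch administration": 10,
    "A.2(a) Physical cash verification": 10,
    "A.2(b) Excess cash over safe limit": 10,
    "A.2(c) Mutilated/torn notes": 10,
    "A.2(d) Prize bonds and stamps": 10,
    "A.2(e) Branch performance": 10,
    "A.2(f) Advance-dated/stale cheques": 10,
    "A.3 DCFCL and control functions": 15,
    "A.4 Compliance status": 10,
    "A.5 Serious lapses": 10,
    "A.6 Fraud/forgery": 10,
    "A.7 Settlement of lapses": 10,
    "A.8 Customer service": 10,
    "B.1 Charge documents": 10,
    "B.2 Monthly stock report": 10,
    "B.3 Safe-in/safe-out register": 10,
    "B.4 Insurance coverage": 10,
    "B.5 Title deeds": 10,
    "C Money laundering prevention": 20,
    "D ICT risk and anti-fraud": 20,
    "E Foreign exchange risk": 20,
    "F.1 Assets and liabilities": 10,
    "F.2 Non-performing assets": 10,
    "F.3 Classified loan recovery": 10,
    "G Environmental risk": 15,
}

# Bands as printed: "Excellent above 90%", "Very Good 80%-89%", "Good 60%-79%",
# "Satisfactory 50%-59%", "Poor below 50%". Values the printed bands leave
# unassigned (e.g. 89.5%, or exactly 90%) go to the lower band (assumption).
GRADE_BANDS = (
    (90.0, "Excellent"),   # strictly above 90%
    (80.0, "Very Good"),   # 80% and above
    (60.0, "Good"),        # 60% and above
    (50.0, "Satisfactory"),  # 50% and above
)


def total_allotted() -> int:
    """Sum of the allotted scores; the annexure states this is 300."""
    return sum(ALLOTTED.values())


def proportional_score(achievement_pct: float, max_score: float) -> float:
    """A.2(e) rule: score pro rata to target achievement, capped at the max.
    The printed example is 90% achievement -> 1.8 out of 2."""
    if achievement_pct < 0:
        raise ValueError("achievement cannot be negative")
    return round(min(achievement_pct, 100.0) / 100.0 * max_score, 2)


def grade(obtained: float, allotted: float = 300) -> str:
    """Map a total score to the printed grade band."""
    pct = obtained / allotted * 100
    if pct > GRADE_BANDS[0][0]:
        return GRADE_BANDS[0][1]
    for floor, name in GRADE_BANDS[1:]:
        if pct >= floor:
            return name
    return "Poor"


@dataclass
class BranchRating:
    total_obtained: float
    percentage: float
    grade: str


def rate_branch(obtained: dict) -> BranchRating:
    """Sum obtained scores per head; reject unknown heads and over-scoring.
    Heads not supplied count as 0 obtained."""
    unknown = set(obtained) - set(ALLOTTED)
    if unknown:
        raise KeyError(f"unknown rating heads: {sorted(unknown)}")
    total = 0.0
    for head, score in obtained.items():
        if not 0 <= score <= ALLOTTED[head]:
            raise ValueError(f"{head}: {score} outside 0..{ALLOTTED[head]}")
        total += score
    allotted = total_allotted()
    return BranchRating(total, round(total / allotted * 100, 2), grade(total, allotted))


# Constructed sample (not real branch data): full marks everywhere except
# A.2(e) (pro-rata targets), A.4 (50%-69% compliance) and D (13 of 20).
SAMPLE_OBTAINED = {head: float(w) for head, w in ALLOTTED.items()}
SAMPLE_OBTAINED["A.2(e) Branch performance"] = (
    proportional_score(90, 2)     # deposit target 90% achieved -> 1.8
    + proportional_score(100, 2)  # profit target met -> 2.0
    + proportional_score(75, 2)   # loans and advances -> 1.5
    + proportional_score(120, 2)  # remittance over target, capped -> 2.0
    + proportional_score(50, 2)   # non-interest income -> 1.0
)
SAMPLE_OBTAINED["A.4 Compliance status"] = 8.0
SAMPLE_OBTAINED["D ICT risk and anti-fraud"] = 13.0

if __name__ == "__main__":
    r = rate_branch(SAMPLE_OBTAINED)
    print(f"{r.total_obtained}/{total_allotted()} = {r.percentage}% -> {r.grade}")
```

Because `grade()` reads "above 90%" literally, a branch scoring exactly 270/300 lands in Very Good; an auditor applying the annexure by hand would have to make the same call, which is why the boundary handling is worth stating explicitly alongside the rating sheet.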


Annexure-B
Agrani Bank Limited ...... Branch
Checklist for Foreign Trade and Foreign Exchange Audit

A. Import Related Irregularities (Cash L/C):

1) L/C opened without prior permission/approval of the competent authority.
2) Insertion of false/fake information, or hiding of correct information, in the L/C proposal or the fact sheet of the importer's existing liabilities.
3) L/C opened exceeding the delegation of power.
4) L/C/LCAF issued without obtaining the importer's up-to-date renewed IRC.
5) Import of goods exceeding the IRC limit.
6) L/C opened against an illegal PI/Indent.
7) L/C opened without collecting a Credit Report on the foreign supplier/exporter.
8) HS code not mentioned, or incorrect HS code mentioned, in the LCAF and/or import L/C.
9) L/C opened without examining the over- and/or under-invoicing issue.
10) 3rd/4th copy of LCAF (with L/C copy) not forwarded to CCI&E in time.
11) L/C opened without L/C margin / with partial or less L/C margin.
12) L/C opened without L/C commission, fee and VAT / with partial or less L/C commission, fee and VAT.
13) Existence of overdue L/C, SG, IFBC, LIM, PAD, LTR and D/L liabilities.
14) Handing over of the customs purpose copy of LCAF and transport documents (B/L, Airway bill, T/R, R/R, S/R) to the importer or their C&F agent without taking payment against the related import bill/consignment.
15) Issue of S/G against non-negotiable/copy import documents for release of imported goods without taking payment against them.
16) Steps not taken to recover overdue PAD/LIM/LTR liabilities.
17) Margin not recovered before creation of LIM, and goods under LIM not duly pledged.
18) Excessive delay in transfer of PAD liabilities to LTR in the case of borrowers with LTR facility.
19) Issuance of shipping guarantee without recovery of the related margin/fee/commission, etc.
20) Requisite interest/commission not recovered against funded and non-funded import liabilities (L/C, S/G, IFBC, PAD, LIM, LTR, D/L).
21) Payment made against import documents before receiving the B/E and/or overdue B/E.
22) L/C/LG margin amount misappropriated by creating false vouchers.
23) Copy of CRF (Clean Report of Findings) and the related final invoice and packing list duly endorsed by the CRF company not preserved in the file.
24) IMP 2nd copy and Bill of Entry/customs certified invoice not matched.
25) Bill of Entry not preserved in the file.
26) Original IMP & LCA form (Exchange Control Copy) not submitted or reported to Bangladesh Bank in time.
27) L/C opened for an importer who is a defaulter in timely submission of Bill of Entry/customs certified invoice.
28) Commission and other charges not recovered while issuing guarantees against counter-guarantees of internationally reputed banks.
29) L/C opened without attestation of the importer's signature on the LCAF.
30) Signature with seal of the Authorized Bank Officer not taken on the LCAF.
31) Importer's signature not identified on the L/C agreement/L/C application.
32) L/C opened without taking Income Tax Declaration papers from the importer.
33) Irregularities in stamping of the LCA.
34) Loan processing fee on LIM/LTR/Demand Loan not recovered.
35) Balancing of different heads of account in foreign exchange not done.
36) Issuance of L/C ignoring overdue liabilities.

B. Import Related Irregularities (Back to Back L/C):

1) BTB L/C issued exceeding the prescribed percentage of the FOB value of the Master L/C/Export Contract.
2) Payment of import bills under BTB L/C not made on or before the maturity date.
3) Copy of Bill of Entry not preserved in the related BTB L/C file.
4) Tax-free goods imported under BTB L/C and Bonded Warehouse facilities not stocked in the Bonded Warehouse, or non-existence of the same in the Bonded Warehouse.
5) Statement/information of stock-lot goods under BTB L/C and BWH not reported to the related Customs Bond Commissionerate office, to avoid possible future complications.
6) BTB L/C opened without considering:
• Valid Bonded Warehouse License.
• Capacity of the Bonded Warehouse.
• Production capacity of the factory.
• Validity of the Export L/C.
• Sufficient shipment validity/period of the Master L/C/Export Contract.
• Defective/discrepant clauses of the Master L/C/Export Contract.
7) BTB L/C opened without considering the existence of the party's demand loan/other irregular liabilities.
8) BTB L/C opened without permission/approval of Head Office where the party has a demand loan/other irregular liabilities.
9) Accepting local import bills under local L/C without inspecting delivery/storage of the imported goods at the importer's factory.
10) Irregularities in payment of import bills.
11) Payment made against accommodation bills.
12) In case of late export/failure of export, payment of import bills delayed to avoid creation of a demand loan, which facilitates opening of further BTB L/Cs in favour of irregular parties/importers and also deprives the bank of interest income.
13) Non-matching of Bill of Entry.
14) Non-attestation of the importer's signature on LCAF and LCA.
15) Signature with seal of the bank's authorized officer not taken on the LCAF.
16) L/C opened without recovering stamp duty, and without taking the latest CIB report and a copy of the importer's income tax declaration.
17) Non-balancing of concerned Heads of Accounts.


C. Export Related Irregularities:

1) Valid ERC not preserved in the file.
2) Authenticity of issuance/advising/transfer of export L/Cs not checked.
3) Financing the exporter irregularly against purchase of discrepant/defective/fake export bills.
4) No steps taken to bring exported goods back into the country against refused/rejected export bills.
5) Facilitating the exporter irregularly/illegally by holding a defective/irregular/discrepant export bill for a long time and sending it to the foreign bank only after regularization.
6) Excess CM paid (in the case of the garments industry)/excess funds disbursed to the exporter against export bills (FBP/IBP/FDBC) without adjusting/recovering the related liabilities/overdue liabilities against them.
7) Proper steps not taken for repatriation of export proceeds against export bills/overdue export bills.
8) Irregularities in sending export bills to the importer's bank.
9) Insufficient steps taken to adjust overdue export bills.
10) Discount allowed against export bills without prior permission/approval of Bangladesh Bank or post-facto approval from Bangladesh Bank.
11) Specimen signature of the authorized official of the shipping company/shipping agent/air agent/transport agent not preserved.
12) Requisite fees, commissions, charges and interest not recovered.
13) Excess commission (more than 5%) and brokerage charges paid.
14) Improper cash incentive allowed against export.
15) Requisite charges/fees for advising/transfer of export L/Cs not recovered.
16) Export bill proceeds not repatriated in time.
17) Hiding information on overdue export bills in the "Statement of overdue export bills" sent to BB quarterly.
18) Not sending the "Statement of overdue export bills" to BB quarterly.
19) Columns of the EXP Form and/or EXP Register not filled in properly.
20) Accepting the EXP Form without confirming the customs officer's signature.
21) Not sending the 2nd and 3rd copies of the EXP Form to BB and not preserving the 4th copy for office record.
22) Not collecting and cancelling issued EXP Forms against which the export was not executed.
23) Not checking/ensuring the existence of the telephone/mobile/fax number of the issuer of the transport documents.
24) Requisite charges for issuance of EXP/PRC/CNF certificates and loan processing fees on import and export loans disbursed not recovered.
25) Concerned heads of accounts not balanced.

D. Foreign Remittance Related Irregularities:

1. Cash in hand (F.C.) not preserved properly.
2. Irregularities in connection with opening of F.C. accounts.
3. Irregularities in connection with release/endorsement of F.C. for foreign travel, education, treatment, seminar, conference, workshop and ERQ purposes.
4. Non-adjustment of suspense account balances created in payment of foreign Taka drafts.
5. Non-collection of FDDs (clean) in time.
6. Concerned heads of accounts not balanced.

283

ICC Policy and Procedures-2018

Annexure-C (Bengali form, translated)

Form, Part A (applicable for branches)
Agrani Bank Limited
Branch name: ------
Loan-related information/statement:

Columns 1 to 7:
1. Serial no.
2. Borrower's name and address
3. Nature of loan
4. Loan sanction no., date, loan limit and sanctioning authority
5. Name and present address of the manager who recommended and disbursed the loan / the manager who renewed or rescheduled it
6. Loan expiry date
7. Documents, charge documents and security obtained at the time of disbursement, and loan classification

Security and documentation details (under column 7):
- Primary security
- Collateral security
- Statement of charge documents obtained (details of stock in trade and of the shop)
- Whether the documents have been properly stamped
- Favourable legal opinion and related information
- Land: area, schedule and possession title; whether the original deed and porcha (record of rights) have been obtained
- Present value of the land and its value at the time the loan was granted

Columns 8 to 14 (litigation status and current position):
- If the loan is under litigation: court, case no., date of filing and amount claimed
- If an execution case has been filed: details
- If auction proceedings under sections 33(5)/33(7) have been initiated: details
- If the case is at the hearing stage: details
- If judgment has been given: full details; certificate, if any
- Present manager's overall assessment of the loan
- Ledger balance at the time of audit

Checklist (information on a separate sheet if needed):
- Details of collection, dismissal, etc.
- Whether recovery follow-up has been taken (reminders/notices/responsibility assigned)
- For pledge loans, whether godown management is proper
- Whether the loan was disbursed within the delegation of power and the target
- Whether the loan requirement was assessed and verified before disbursement
- Whether previously obtained primary and collateral security were inspected and the inspection reported in the file
- Whether loan recovery measures were taken within the stipulated time and, where a case was filed, subsequent actions were appropriate
- Whether there is any deficiency in the documents/documentation; charge documents (details)
- Whether the mortgage deed is preserved in the file
- Whether the CIB report was favourable


Annexure-D HEALTH REPORT

Guidelines for the preparation of “HEALTH REPORT ”

In accordance with the Bangladesh Bank guidelines on "Managing Core Risks in Banks: Internal Control and Compliance Risk", the Internal Control and Compliance Division is required to prepare an annual report on the health of the Bank. The report is submitted to the Audit Committee of the Board, with a copy circulated to the Managing Director for perusal and onward submission to the Board of Directors of the Bank as a regulatory compliance.

To comply with the above guidelines, this health report on the Bank's overall activities for the year 20xx has been prepared. While assessing the health of the Bank, emphasis has been given to progress toward the Bank's long-range vision set by the Management.

In order to build up the necessary infrastructure, in the year 20xx the Bank added nos. of branches to its ever-expanding network, bringing its presence to nos. of branches across the country. In the meantime, the Bank has become a group by expanding its business into nos. of wholly owned subsidiaries (Securities Limited, Capital Limited and Exchange Limited). Thus the volume of business of the Bank has increased considerably. The Bank has diversified its activities beyond traditional corporate banking and trade financing into Primary Dealership, OBU, Retail Banking, SME Banking, Internet Banking, etc., which has made the Bank one of the largest banking companies in the country in terms of products and services.

The health of a bank may be judged from different points of view, but emphasis has been given to feasibility of assessment and quantification. Taking these two conditions into consideration, the health of the Bank has been assessed along three dimensions: Financial Health, Internal Control & Compliance Health, and Image & Reputation Health. The rationale for this segregation is that these three areas together cover the overall health of the Bank. If the overall health is found sound, it may be assumed that the Bank will achieve its long-term goals with sustainable growth.

While analyzing financial health, emphasis has been given to the dynamism of the Bank's performance in the different areas of operational activity highlighted in the Bank's financial statements.

In assessing the Internal Control and Compliance Health of the Bank, emphasis has been given to the Bank's internal control structure and its effectiveness, while compliance health is assessed on the basis of the Bank's compliance culture and its achievements. In evaluating compliance health, attention has been given to whether the Bank is able to meet regulatory requirements and to the compliance and non-compliance status of inspection reports submitted by regulatory bodies.

In assessing Image and Reputation health, attention has been given to the eminence of the Board and Management of the Bank, the expansion of its brand image, and its CSR (Corporate Social Responsibility) activities.

In preparing this health report, both quantitative and qualitative aspects have been taken into consideration. The evaluation of the major components of the health of the Bank is based on four ranking categories: Excellent, Very Good, Good and Satisfactory. The Bank has received a ranking of "X" in the health assessment for the year 20xx.

The health of the Bank has been assessed from the viewpoints of Financial health, Internal Control and Compliance health, and Image and Reputation health. To assess the overall position across these three health sectors, the ICC Division has worked out a Health Grading Score Sheet based on quantification of certain parameters of each sector. In this analysis, an average score of 90-100 means Excellent, 80-89 Very Good, 70-79 Good and 60-69 Satisfactory. On this basis, the overall health position of the Bank for the year 20 has been assessed as " ".

Detailed break-up of the Health assessment is furnished as under:

HEALTH RESULTS

Health Sector                           Score Obtained    Remarks
Financial Health                        81 out of 100     Very Good
Internal Control & Compliance Health    96 out of 100     Excellent
Image & Reputation Health               93 out of 100     Excellent
Overall Health                          270 out of 300    Excellent
Average                                 90 out of 100     Excellent


A. Financial Health: (Prepared under the supervision of the Chief Financial Officer and approved by the Executive Committee of the Board, ECB)

In analyzing Financial Health, the parameters Earnings, Liquidity, Capital Adequacy and Solvency, Deposits, and Loans and Advances (including asset quality) have been considered. The Bank has received an overall Financial Health score of out of 100, which means the financial health of the Bank is " ". The parameter-wise financial health position of the Bank for the year ended December 31, 20xx is given below; the details of these scores are set out in the enclosed Health Grading Score Sheet.

Name of Parameter               Score Obtained    Remarks
Earnings                        21 out of 30      Good
Liquidity Health                4 out of 5        Good
Capital Adequacy & Solvency     9 out of 10       Excellent
Deposit Health                  19 out of 25      Good
Loans and Advances Health       28 out of 30      Excellent
Total                           81 out of 100     Very Good
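As an added example (not part of the ICC policy and not the Bank's own tooling), the following Python checks a score sheet such as the two above for internal consistency before the report is submitted: the component rows must add up to the total row, and every remark must match the band that the guideline's scale (90-100 Excellent, 80-89 Very Good, 70-79 Good, 60-69 Satisfactory) gives for the score. The sample rows are constructed from the figures in the sample tables. Two points are assumptions of this example rather than rules stated in the guideline: the percentage bands are applied to rows scored out of 30, 25, 10, 5 or 300 by scaling them to 100, and scores below 60 are labelled "Below Satisfactory". Under the first assumption the check flags the Liquidity row, whose 4 out of 5 (80%) rates Very Good rather than Good.

```python
"""Consistency checks for a Health Report score sheet (added example)."""
from dataclasses import dataclass
from typing import List

# Rating bands stated in the Health Report guidelines (average score out of 100).
BANDS = ((90.0, "Excellent"), (80.0, "Very Good"), (70.0, "Good"), (60.0, "Satisfactory"))


def rating(obtained: float, maximum: float = 100.0) -> str:
    """Map a score to its rating band after scaling it to 100.

    Assumption: rows scored out of 30, 25, 10, 5 or 300 are rated on the same
    percentage bands as the out-of-100 averages defined in the guideline.
    """
    if maximum <= 0:
        raise ValueError("maximum score must be positive")
    pct = 100.0 * obtained / maximum
    for floor, label in BANDS:
        if pct >= floor:
            return label
    return "Below Satisfactory"  # assumption: the guideline names no band under 60


@dataclass(frozen=True)
class Row:
    name: str
    obtained: float
    maximum: float
    remark: str


def check_sheet(rows: List[Row], total: Row) -> List[str]:
    """Return the inconsistencies found in one score sheet.

    Checks that the component rows add up to the total row (obtained and
    maximum alike) and that every remark, total included, matches its band.
    """
    findings: List[str] = []
    sum_obtained = sum(r.obtained for r in rows)
    sum_maximum = sum(r.maximum for r in rows)
    if sum_obtained != total.obtained or sum_maximum != total.maximum:
        findings.append(
            f"{total.name}: rows add to {sum_obtained:g}/{sum_maximum:g} "
            f"but total row says {total.obtained:g}/{total.maximum:g}"
        )
    for r in list(rows) + [total]:
        expected = rating(r.obtained, r.maximum)
        if r.remark != expected:
            findings.append(
                f"{r.name}: remark '{r.remark}' but "
                f"{r.obtained:g}/{r.maximum:g} rates '{expected}'"
            )
    return findings


# Constructed sample sheets following the figures in the sample tables.
SECTOR_ROWS = [
    Row("Financial Health", 81, 100, "Very Good"),
    Row("Internal Control & Compliance Health", 96, 100, "Excellent"),
    Row("Image & Reputation Health", 93, 100, "Excellent"),
]
SECTOR_TOTAL = Row("Overall Health", 270, 300, "Excellent")

FINANCIAL_ROWS = [
    Row("Earnings", 21, 30, "Good"),
    Row("Liquidity Health", 4, 5, "Good"),
    Row("Capital Adequacy & Solvency", 9, 10, "Excellent"),
    Row("Deposit Health", 19, 25, "Good"),
    Row("Loans and Advances Health", 28, 30, "Excellent"),
]
FINANCIAL_TOTAL = Row("Financial Health", 81, 100, "Very Good")

if __name__ == "__main__":
    for title, rows, total in (("Sector sheet", SECTOR_ROWS, SECTOR_TOTAL),
                               ("Financial sheet", FINANCIAL_ROWS, FINANCIAL_TOTAL)):
        found = check_sheet(rows, total)
        print(f"{title}: {'consistent' if not found else 'inconsistent'}")
        for f in found:
            print("  -", f)
```

Running the block as a script reports the sector sheet as consistent and the financial sheet with one finding on the Liquidity row. A preparer can add a row per parameter as the sheet is filled in; the sum check catches transcription slips between the parameter tables and the sector table, and the band check catches remarks carried over from a previous year's report.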

a. Earnings: Healthy banks are generally profitable. To assess the relative profitability of the Bank, five earning criteria have been considered: Operating Profit Growth, Net Interest Income Growth, Non-Interest Income Growth, Return on Assets (ROA) and Return on Equity (ROE). These indicators measure how profitable the Bank is for its size; a bank with a rising trend in these areas tends to be a healthier bank. In our analysis, 00% weight has been allocated to the earning history of the Bank, and the Bank has received a score of 21 out of 30, which means the earning health of the Bank is " ".

1. Operating Profit Growth: The operating profit of the Bank from 20 to 20 (the three preceding years) was BDT , BDT and BDT respectively. Operating profit growth from 20 to 20 was +/- 00%, from 20 to 20 it was +/- 00% and from 20 to 20 it was +/- 00%, while growth from 20 to 20 was %. In our analysis, a score of 10 has been allocated for growth of 25% and above and 3 for growth below 15%; thus the Bank has scored for its 00% growth in 20 (year under review).

2. Net Interest Income (NII) Growth: Interest income is the main source of income of a bank and depends primarily on the volume of standard (unclassified) loans and advances. Net Interest Income is derived by deducting interest expense from interest income; the larger the Net Interest Income, the healthier the operating income. Net Interest Income growth for the year 20 was 00%, while for the years 20 and 20 it recorded negative growth of (00%) and (00%) respectively. However, since 20 the NII growth of the Bank has shown a positive trend (00% in 20 and 00% in 20 ). In the Financial Health Grading Sheet, a score of 5 is given for Net Interest Income growth of 20% and above and 2 for growth below 10%. The Bank has achieved a score of 5 for 78.53% growth in Net Interest Income in the year 20 .

3. Non-Interest Income (Non-II) Growth: Non-interest income is the ancillary source of income of the Bank. It generally stems from fees, commissions, charges, exchange gains, brokerage and other operating income. The growth of non-interest income for the years 20 to 20 was 00%, 00% and 00% respectively. In the health grading score, 2 is assigned for growth below 20% and 5 for growth of 40% and above. The Bank receives a score of 00 out of 00 for achieving growth of 00% in the year 20 .

4. Return on Assets (ROA): The statistic used is Return on Average Assets, which is the earnings of the Bank divided by its average total assets. A higher ROA trend indicates a healthier bank. Return on assets of the Bank from the year 20 to 20 was 00%, 00% and 00% respectively. In the Financial Health Grading Sheet, a score of 5 is assigned to an ROA of 00%-00%, and the Bank scored 1 for an ROA of 0.88% in the year 20 .

5. Return on Equity (ROE): Return on Equity is the earnings of the Bank divided by its average equity capital. A higher ROE is a healthier sign. Return on Equity of the Bank for the years 20 to 20 was 00%, 00% and 00% respectively. A score of 5 is assigned to an ROE of 25% and above, and the Bank scored 00 for an ROE of 00% in the year 20 .

b. Liquidity: The Bank's liquidity policy is designed to ensure that it can meet its obligations at all times as they fall due. Liquidity management within the Bank focuses on the overall balance sheet structure and on controlling, within prudent limits, the risk arising from maturity mismatches on the balance sheet and from exposure to undrawn commitments and other contingent obligations. Liquidity risk is managed within limits and other policy parameters set by ALCO. Compliance is monitored and coordinated by the Bank's Treasury, in respect of both internal policy and regulatory requirements. Liquidity analysis examines whether the Bank maintains adequate CRR and SLR, whether the Advance-Deposit ratio is at the required level, whether dependency on inter-bank borrowing is at a tolerable level, and whether overall undrawn commitments are within a reasonable range. A score of 5 has been distributed for the liquidity position in 20 (year under review), and the Bank has received 00, which means that the Bank has been maintaining a very good A-D ratio. However, excess SLR was maintained in 20 (year under review) due to operations in the Primary Dealership (PD) market, which increased the Bank's dependency on the money market in order to maintain adequate liquidity.

1. CRR & SLR: The Bank has been maintaining the Cash Reserve Ratio (CRR) and Statutory Liquidity Ratio (SLR) as per regulatory requirements. In the year 20 (year under review), CRR was 00% against the mandatory 6.50%, and SLR was 00% against 19.50%. In the analysis a score of 3 has been allotted to the CRR & SLR position, and the Bank received a score of 00 out of 3, which indicates that the Bank maintained excess SLR in the year 20 (year under review). The Bank's borrowing from the inter-bank call money market is high because of its participation in government bills/bonds.

2. Advance-Deposit Ratio (A-D ratio): The A-D ratio indicates the Bank's level of loans and advances against its deposits, and hence the extent to which the Bank is exposed to money market dependency. The A-D ratios of the Bank in the years 20 to 20 were 00%, 00% and 00% respectively. The A-D ratio in the year 20 (year under review) is (00%), bearing in mind that the Bank is a primary dealer in government securities and participation in auctions of government bills/bonds is mandatory. For the purpose of analysis, a score of 2 has been allocated for an ideal A-D ratio of 80%-85%, and the Bank received a score of out of 2 for maintaining an A-D ratio of 00% in the year 20 (year under review). (Add graphic presentation if needed.)

c. Capital Adequacy/Solvency: A measure of a bank's financial health is its capital-to-asset ratio, which is required to stay above a prescribed minimum. In assessing solvency health, three parameters have been considered: Core Capital to RWA ratio, Capital Adequacy Ratio (as per the Basel-II/III regime) and Capital Growth. The Bank has received a score of out of 10, which means the capital adequacy position of the Bank was " " for the assessment period.

1. Capital Growth: Capital requirements are the regulations that set the framework for how a bank must manage its capital. The categorization of assets and capital is highly standardized so that assets can be risk-weighted; the weights are defined by risk-sensitivity ratios whose calculation is dictated by the relevant Capital Accord. Capital growth of the Bank over the years 20 to 20 was 00%, 00% and 00% respectively. For the purpose of analysis a score of 2 has been allotted to capital growth of 20% and above, and the Bank scored out of 2 for capital growth of % in the year 20 (year under review).

2. Core Capital (Tier-I) to RWA ratio: As per the existing regulation of Bangladesh Bank (Basel-II), the Bank (please write the name of the bank) is required to maintain a Core Capital (Tier-I) ratio of 5% of Risk Weighted Assets (RWA). The Bank has been maintaining Core Capital (Tier-I) in accordance with the regulatory requirements. In the year 20 , risk-weighted assets were BDT lac, against which the requirement was BDT lac (5.00% of RWA). The Bank maintained 00% (BDT lac) of risk-weighted assets against the mandatory 5.00%. In the analysis a score of 5 has been assigned to a Core Capital (Tier-I) ratio of 10% and above, and the Bank has received a score of 00 for maintaining Core Capital (Tier-I) at % in the year 20 (year under review).

3. Basel-II Requirement: In line with BRPD Circular No. 35 dated December 29, 2010 issued by Bangladesh Bank (BB), the Bank (please write the name of the bank) is required to compute its Minimum Capital Requirement immediately after the end of each quarter. During the year 20 , the Bank computed and reported capital under the Basel-II regime. Under this capital accord, the minimum Capital Adequacy Ratio is 10.00% of Risk Weighted Assets (RWA), and the Bank maintained 00% as on the same date. For the purpose of analysis a score of 3 has been assigned for maintaining a Capital Adequacy Ratio above 10% (as per Basel-II), and the Bank has received a score of 00 for maintaining a Capital Adequacy Ratio of 00% in the year 20 .

d. Deposit: Deposits are the lifeblood of banking operations and the means of earning maximum profit by deploying them in high-yielding investments in a cost-effective mix; deposit management is therefore important. Effective deposit management entails an optimum deposit mix that minimizes the cost of funds and optimizes the spread. In assessing deposit health, four parameters have been considered: Deposit Growth, Deposit Mix, Cost of Funds and the ratio of Core Deposits to Total Deposits. The Bank has received a score of 00 out of 25 in 20 , which means the deposit health of the Bank is " ".

1. Deposit Growth: Deposits, the largest component of total liabilities, account for 00% of them, showing an increase/decrease of 00%, or BDT 00.00 lac, over the year 20 . Over the past three years, the Bank (please indicate your bank name) increased its deposit portfolio by more than (00%), from BDT 00.00 lac in the year 20 to BDT 00.00 lac in the year 20 (year under review). Deposit growth of the Bank has been on an increasing/decreasing trend (on an average basis) over the last three years. For the purpose of analysis a score of 5 has been distributed for deposit growth of 25% and above and 2 for growth below 15%, and the Bank scored for deposit growth of 00.00% in the year 20 (year under review).

2. Deposit Mix: On review of the deposit mix of the Bank from the year 20 to 20 , the high-cost deposit (FDR) share of total deposits was 00%, 00% and 00% respectively. For the purpose of analysis a score of 5 has been distributed for an ideal high-cost deposit share of 31%-55%, and the Bank has scored for a deposit mix of 00.00% in the year 20 (year under review).

3. Cost of Funds: The cost of funds is one of the most important indicators of the soundness of fund management; a lower cost of funds widens the spread and thus maximizes profit. In the years 20 to 20 , the Bank's cost of funds was 00.00%, 00.00% and 00.00% respectively. There has been a significant reduction/increase in the cost of funds in 20 (year under review) compared to 20 . The position can be improved further by raising the share of low-cost deposits in the deposit mix. For the purpose of analysis a score of 10 has been distributed for an ideal cost of funds of 6%-8%, and the Bank has received for a cost of funds of 00.00% in the year 20 (year under review).

4. Core Deposits to Total Deposits: On review of the deposit mix of the Bank for the years 20 to 20xx, core deposits were 00.00%, 00.00% and 00.00% of total deposits respectively. For the purpose of analysis a score of 5 has been allocated for an ideal core deposit ratio of 81%-100%, and the Bank has received 5 for a Core Deposit to Total Deposit ratio of 00.00%.

(Add graphic representation if needed.)

e. Loans and Advances:

The financial health of the Bank depends largely on the volume, diversification and portfolio quality of the loans and advances disbursed out of customers' deposits. In assessing the loans and advances health of the Bank, five parameters have been considered: Loans and Advances Growth, Segment-wise Concentration, Sector-wise Concentration, Large Loan Concentration and Asset Quality. For the purpose of analysis 30 points have been allocated to the Loans and Advances Health of the Bank, and the Bank has scored , which means the loans and advances health of the Bank is " ".

1. Loans & Advances Growth: In the years 20 to 20 , the Bank's loans and advances stood at BDT 00.00 lac, BDT 00.00 lac and BDT 00.00 lac respectively, with growth rates of 00.00%, 00.00% and 00.00%. For the purpose of analysis a score of 5 has been allotted for an ideal growth of 25%-30%, and the Bank has scored for growth of 00.00% in the year 20 (year under review).

2. Segment-wise Concentration of Loans and Advances: By its nature, post-import finance is highly risky nowadays because the Bank has weak control over the business movements of the client/importer. During the year 20 , the Bank's exposure to post-import finance (LTR + PAD) was 00.00% of total loans and advances, against 00.00% in the year 20 . For the purpose of analysis a score of 5 has been allotted for an ideal segment-wise concentration below 15%, and the Bank has received for a segment-wise concentration of 00.00% in the year 20xx.

3. Sector-wise Concentration of Loans and Advances: The Bank's loans and advances to the sector (please indicate the sector with the highest exposure) are around BDT 00.00 lac, which is 00.00% of total loans and advances. More specifically, loans and advances to (please indicate the specific type, such as RMG/Ship Building, etc.) industries are BDT 00.00, which is 00.00% of total loans and advances. The Bank's concentration in a single sector is therefore at a satisfactory/unsatisfactory level. For the purpose of analysis a score of 5 has been allotted for an ideal sector-wise concentration of 20%-30%, and the Bank has received for a sector-wise concentration within 00% in the year 20 .

4. Large Loan Concentration: The Bank sanctioned and disbursed large loans (10% or more of total capital, as defined under BRPD Circular No. 05 of 2005) of BDT 00.00 lac (including non-funded loans), which is 00.00% of total loans and advances against BB's limit of 56%; this is satisfactory/unsatisfactory. This concentration in the previous year (20 ) was 52.73%. In our analysis a score of 5 has been allotted for an ideal large loan concentration below/above 00%, and the Bank has received a score of 4 for a large loan concentration of % in the year 20xx.

5. Asset Quality (NPL Management): At the end of the year 20xx, the Bank's total loans and advances were up by 00.00% over 20 (preceding year), an increase/decrease of BDT 00.00 lac. Despite this growth, loans classified as "substandard and below" stayed below 00.00%, at 00.00% (actual rate), which is a satisfactory level and 00.00% lower/higher than the previous year. The NPL ratio in 20 was 00.00%. For the purpose of analysis a score of 10 has been allotted for an ideal NPL ratio below 3%, and the Bank has received for an NPL ratio of 00.00% in the year 20xx. (Add graphic representation if required.)

B. Internal Control and Compliance Health: (Prepared under the supervision of the Head of Audit and approved by the Audit Committee of the Board, ACB)

The Bank's internal control system is designed to facilitate effective and efficient operations, to ensure the quality of internal and external reporting, and to ensure compliance with applicable laws and regulations. In devising internal controls, the Bank has taken into account the nature and extent of each risk, the likelihood of its occurring and the cost of the controls. A system of internal control is designed to manage, but not eliminate, the risk of failing to achieve business objectives, and provides reasonable, but not absolute, assurance against the risk of material misstatement, fraud or loss.

Analyzing the Internal Control and Compliance health of the Bank covers the level of compliance with Board and Audit Committee decisions, management committee decisions, applicable laws, regulations and internal policies, and regulatory requirements. The Bank has received an overall Internal Control and Compliance Health score of out of 100, which means that the Internal Control and Compliance health of the Bank was " " as on December 31, 20 . The details of the scores are set out in the enclosed Health Grading Score Sheet.

a) Internal Control Health: In analyzing Internal Control health, the following parameters have been considered, and the Bank received out of 50, which indicates that the internal control system of the Bank is Excellent. The detailed score is as under:

Name of Parameter                                            Score Obtained    Remarks
Implementation status of Board of Directors' decisions
Implementation status of Audit Committee's decisions
Implementation status of MANCOM decisions
% of audits conducted against the plan for the year
Implementation status of ALCO decisions
Implementation status of WCM decisions
Total (out of 50)

Board and Audit Committee's Roles in the Bank: The effectiveness of the Bank's internal control system is reviewed by the Board and the Audit Committee. The Executive Committee or the Board of Directors receives regular reports on the significant risks facing the Bank and how they are being controlled. In addition, the Bank's independent auditors present reports to the Audit Committee detailing the significant internal control matters they have identified. The Board of Directors approves and reviews the overall business strategies and policies of the Bank. The Board has formed an Audit Committee, which performs its role in accordance with the applicable rules and regulations.

Implementation status of the Board's instructions: During the year 20 , Board meetings were held times and decisions were taken by the Board of Directors, of which were implemented; the implementation status is %.

Implementation status of Audit Committee decisions: During the year 20 , the Audit Committee met 00 times and took 00 decisions, of which 00 were fully complied with. The percentage of compliance is 00%.

Management Committee: The Bank has established a Senior Management Team (SMT), whose meetings are presided over by the Managing Director of the Bank. The SMT reviews and recommends all policies and strategies, which are forwarded to the Board for approval/ratification. Senior Management reviews the reports of internal and external audit and the reports of regulatory bodies, and takes appropriate steps in the compliance process to remove the irregularities.

Implementation status of SMT decisions: During the year 20 , the SMT held 00 (in words) meetings and took decisions, of which are fully complied with and the decision relating to of the Bank is under implementation. The percentage of compliance is 00.00%.


Implementation status of Asset-Liability Committee decisions: The Asset-Liability Committee (ALCO) meets regularly to address factors such as changes in interest rates and market conditions, and carries out liability maturity gap analysis and re-pricing of products. During the year 20 , ALCO meetings were held times. The committee took a total of decisions, of which were fully complied with. The percentage of compliance is 00.00%.

Implementation status of WCM decisions: To make the Management Information System (MIS) and the internal control system more effective over the activities of the Divisions/Departments of Corporate Head Office (CHO) and of the branches, CHO holds a Weekly Communication Meeting (WCM), chaired by the Managing Director & CEO and attended by the heads of the Divisions/Departments of CHO and by managers of different branches as guest attendees. The WCM reviews the progress of Divisional/Departmental activities and the implementation of action points/decisions taken by the Management, and sets the future course of action.

During the year 20 , the Weekly Communication Meeting was held times and took 00 decisions, of which 00 were fully implemented and the remaining 00 are under implementation. The implementation status is 00.00%.

Internal Audit and rectification status: The audit programme/schedule is developed and approved by the competent authority at the beginning of the year, and audits are conducted accordingly. In the year 20 , audits of 00 branches of the Bank (out of 00 branches) were completed, i.e. 00.00% of branches. The audits of the remaining 00 branches have been completed in the current year (year of report preparation). During this period the audit teams raised 00 objections, of which 00 were rectified; the percentage of rectification is 00.00%. In addition, special audits of Departments/Divisions of Head Office and of different risk areas were conducted in 20 (year under review) as instructed and required by the Management.

b) Compliance Health: In assessing compliance health, the Bank has emphasized the compliance status of all regulatory observations and the timeliness of compliance. For the purpose of analysis the following indicators have been considered, and the Bank has received a score of 00 out of 50, which means the compliance health position of the Bank is " ".

Name of Parameter                          Score Obtained    Remarks
Implementation of Core Risk Guidelines
Basel-II Implementation Status
External Audit Compliance
Bangladesh Bank Audit Compliance
Internal Audit Compliance
Good Governance
Total (out of 50)

Implementation status of BB's Core Risk Guidelines: Bangladesh Bank's inspection teams inspected 05 of the Bank's 06 core risk areas and raised 50 observations/suggestions, of which 00 have already been complied with. The percentage of rectification is 00.00%, which is satisfactory. The concerned divisions have been advised to rectify the remaining objections.

Basel-II compliance status: As per the new capital accord, the Bank is required to maintain regulatory capital of 10% of RWA, against which the Bank is maintaining 00.00%.

Bangladesh Bank inspections and their compliance position: Bangladesh Bank submitted 00 inspection reports on the branches of the Bank during the year 20 . As per BB's reports, the number of objections was 00, of which 00 were rectified as on 31.12.20 ; the percentage of compliance is about %.

External auditor's report and its compliance position: In the year 20 , the external auditors made 00 observations on the Bank's activities for the year 20 , all of which have been complied with.

Internal audit and inspections and their compliance: During the year 20 , the internal audit teams detected 00 objections, of which 00 were rectified and 00 are yet to be rectified. The percentage of rectification is 00%. Close follow-up is in progress to rectify all pending audit objections.


Good Governance: In the year 20 , the Bank meticulously followed and complied with all regulatory instructions on good governance issued from time to time by the Securities and Exchange Commission and Bangladesh Bank through their notifications and circulars.

From the above analysis, it is evident that the Internal Control and Compliance health of the Bank is " ".

C. Image & Reputation Health: (Prepared by the External Auditor)

A better image and reputation increase the confidence of stakeholders, which ultimately increases the market value of the Bank. Valuing image and reputation is difficult but not impossible. The Image and Reputation health of the Bank has been assessed by quantifying the following parameters; the Bank has received a score of 00 out of 100, which indicates " " Image and Reputation health. The detailed analysis is set out in the attached score sheet.

Name of Parameter                               Score Obtained    Remarks
Board Image
Management Image
Branding
Corporate Social Responsibility Activities
Service to Customers
Suits filed by counterparties
Imposition of penalties by regulatory bodies
Total (out of 100)

For the purpose of the analysis, we have considered Board Image, Management Image, Branding, CSR Activity, suits filed against the Bank and imposition of fines by regulatory bodies (such as Bangladesh Bank, SEC, the Honorable Court etc.) as the measures of Image and Reputation health, where a negative score has been allocated for suits filed against the Bank and for the imposition of fines by the regulatory bodies.

Board Image: Bank Limited is sponsored and directed by renowned and respected business personalities of the country, who are also the owners of some of the leading conglomerates of the country and have become iconic and legendary in their own business arena; the image of the Board has thus upgraded the image of the Bank as well. The Board of Directors of the Bank is always supportive of the Bank Management and provides continuous guidance towards the achievement of . Apart from this, the Board has also ensured good governance in all respects of the Bank. In our analysis a score of 20 has been assigned to Board Image, and the Bank has received a score of 00 out of 20.

Management Image: The senior management of the Bank also has an outstanding image in the banking sector. The Bank has employed a CEO who is held in high esteem in the banking arena. The senior management in the core management team has also enhanced the image and reputation health of the Bank. The Bank has been managed professionally in all respects over the years by ensuring good corporate governance, better customer service and compliance with regulatory requirements. The rights of all stakeholders are duly protected. Disclosure of information is duly made as per regulatory requirements, and also for the valued shareholders. The Bank has received a score of 00 out of 20 for strong Management Image.

Branding: Unique branding is one of the finest ways to reach the general public. The branding activities of the Bank are increasing gradually, and to this effect the Bank has set up billboards and signage in commercially important places with a view to becoming ‘the bank of choice’ of the people. The people of the country are familiar with the brand of , yet a lot remains to be done to enhance its brand value. In our analysis it is found that the brand value of the Bank is “ ”, and it has received a score of 00 out of 20.

Corporate Social Responsibilities: is imbued with the spirit of Corporate Social Responsibility (CSR), and has contributed to education, sports, art and culture, and to charitable, educational and healthcare institutions across the country in the form of donations and sponsorship. has always been by the side of the common and less advantaged people of the society in natural catastrophes such as floods, cyclones, cold waves or any other national crisis. has launched loan products for poor farmers and SME customers and plans to introduce more banking products and CSR programs for the poor of the society. The Bank has received a score of 00 out of 10 in CSR Activities.

Services to Customer: Bank Limited is committed to providing the best customer service. In addition to providing customer service from the branches (over the counter), the Bank is rendering manifold personalized and prompt services to its customers, which include ATM services, KIOSK, card services, POS, internet banking, SMS banking etc. According to our observations, the customers of Bank Limited are satisfied with the services provided to them. Bank employees are also “ ” to that cause; nevertheless, there is always room for development. For the purpose of the analysis, the Bank has received a score of 00 out of 10 for customer service.

Suits filed by the counterparties: In quantifying Image and Reputation health we have also considered the position of suits filed against the Bank, and assigned a score of 10 for a maximum of 4 suits, and no score for 20 or more suits filed against the Bank by the counterparties. During the year 2014, 10 suits were filed by the counterparties, and the Bank has received a score of 00 out of 10.

Imposition of Penalties by the regulatory bodies: In our analysis we have considered whether any sort of penalty has been imposed on the Bank by the regulatory bodies, and assigned a zero (0) score for the imposition of any penalty/fine. During the year 20 the Bank did not have any penalty imposed by the regulatory bodies, and it has received a score of 00 out of 10.

D. Conclusion: The analysis made above shows that the financial health of the Bank is “ ”; the Internal Control & Compliance health of the Bank is “ ”; and the Image and Reputation health is “ ”. To bring more sustainability and soundness to the overall health of the Bank, utmost efforts are required to improve the financial health of the Bank by utilizing the infrastructure, brand image and reputation of the Bank. The following observations/suggestions are made to sustain the overall health of the Bank at an excellent level:

1. Cost of funds should be reduced by introducing a wide range of low-cost liability products in order to increase NIM.
2. Dependency on the inter-bank money market is to be reduced by mobilizing more deposits.
3. Sources of low-cost deposits are to be increased, instead of concentrating on a limited number of persons/organizations, to minimize the risk of their withdrawing a big chunk of deposits at any time.
4. High-cost deposits are to be deployed in a high-yielding asset portfolio so that cost matches revenue.
5. The quality of the Bank’s front desk service should be improved for image building and business growth.
6. The Core Risk Guidelines of CRM should be implemented properly in order to maintain asset quality at the desired level. Special attention is to be paid to improving Treasury Management in order to reduce ALM risk.
7. The operational risk of the Bank may be reduced by employing skilled manpower as well as by imparting need-based training.

(This is a pro-forma Annual Health Report. All the banks are advised to customize this report according to their business volume and operation technique except grading calculation.)


AGRANI BANK LIMITED                                  Annexure-E                        …………………………….. Br.

IT Audit Reporting Sheet

Audited by…………………………………………………...... & ...... Dt…………………......

1. Infrastructure:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Infrastructure (Score=5)

1 Status of voltage fluctuation.
2 Electric wiring (proper wiring / concealed wiring).
3 Does the generator provide sufficient output?
4 Is there proper electrical grounding at the branch?
5 Are all computers and devices connected with UPS?
Composite Risk of Infrastructure


Magnitude of Impact Definitions:

High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources, (2) may significantly violate, harm or impede an organization’s mission, reputation or interest, or (3) may result in human death or serious injury.
Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources, (2) may violate, harm or impede an organization’s mission, reputation or interest, or (3) may result in human injury.
Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources, or (2) may noticeably affect an organization’s mission, reputation or interest.

Risk Level Matrix:

Risk Level = Threat Likelihood × Impact (Degree of Loss)

Threat Likelihood \ Impact   Low (100)               Medium (50)               High (10)
High (0.1)                   High (100×0.1=10)       Very High (50×0.1=5)      Extremely High (10×0.1=1)
Medium (0.5)                 Medium (100×0.5=50)     Medium (50×0.5=25)        Very High (10×0.5=5)
Low (1.0)                    Low (100×1.0=100)       Medium (50×1.0=50)        High (10×1.0=10)

Risk Scale: High (>1 to 10); Medium (>10 to 50); Low (>50 to 100)

Risk Scale and Necessary Actions:

High: If an observation or finding is evaluated as high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low: If an observation is described as low risk, the system’s DAA (Designated Approving Authority) must determine whether corrective actions are still required or decide to accept the risk.
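The matrix and the necessary-actions table, carried through in code. This is an added worked example, not part of the bank's policy or audit forms: it recomputes the nine matrix cells from the sheet's likelihood weights and impact values, classifies each score on the Risk Scale, and maps a few constructed checklist rows whose control is absent (Control Status No=0) to the action the scale requires. Two assumptions are made and marked in the code: the boundary score 1 (High × High) is treated as High Risk following the column headers' "≤10%", and only rows with the control absent become findings.

```python
"""Risk determination for the IT Audit Reporting Sheet (Annexure-E).

Added worked example; the likelihood weights, impact values, matrix labels
and actions are the ones printed on the sheet, everything else is assumed.
"""
from dataclasses import dataclass

# Values printed in every section table header of the sheet.
LIKELIHOOD = {"High": 0.1, "Medium": 0.5, "Low": 1.0}
IMPACT = {"High": 10, "Medium": 50, "Low": 100}        # "Degree of Loss"

# Cell labels of the Risk Level Matrix, keyed (likelihood, impact).
MATRIX_LABEL = {
    ("High", "Low"): "High",        ("High", "Medium"): "Very High",
    ("High", "High"): "Extremely High",
    ("Medium", "Low"): "Medium",    ("Medium", "Medium"): "Medium",
    ("Medium", "High"): "Very High",
    ("Low", "Low"): "Low",          ("Low", "Medium"): "Medium",
    ("Low", "High"): "High",
}

# "Risk Scale and Necessary Actions", condensed to one line each.
ACTION = {
    "High": "corrective action plan must be put in place as soon as possible",
    "Medium": "corrective actions needed; plan within a reasonable period",
    "Low": "DAA decides whether to correct or to accept the risk",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood x impact, read as a percentage in the range 1..100."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_scale(score: float) -> str:
    """Three-level Risk Scale. Assumption: the boundary score 1 (High x High)
    is High Risk, following the column headers' "<=10%" rather than the
    scale line's ">1"; the two wordings agree for every other cell."""
    if score <= 10:
        return "High"
    if score <= 50:
        return "Medium"
    return "Low"


def build_matrix() -> dict:
    """Recompute all nine cells as (score, matrix label, scale level)."""
    return {
        (lk, im): (risk_score(lk, im), MATRIX_LABEL[(lk, im)],
                   risk_scale(risk_score(lk, im)))
        for lk in LIKELIHOOD for im in IMPACT
    }


@dataclass
class Item:
    """One row of a section table: control_present is the Yes=1/No=0 column;
    likelihood and impact are the auditor's ratings for that row."""
    section: str
    sl: int
    control_present: bool
    likelihood: str
    impact: str


def assess(items: list) -> list:
    """Rows whose control is absent become findings, most severe first.
    Assumption: a row with the control present (Yes=1) needs no action."""
    findings = []
    for it in items:
        if it.control_present:
            continue
        score = risk_score(it.likelihood, it.impact)
        level = risk_scale(score)
        findings.append({"section": it.section, "sl": it.sl, "score": score,
                         "label": MATRIX_LABEL[(it.likelihood, it.impact)],
                         "level": level, "action": ACTION[level]})
    return sorted(findings, key=lambda f: f["score"])


# Constructed sample: four rows taken from different sections of the sheet.
SAMPLE = [
    Item("Password", 6, False, "High", "Medium"),         # 30-day change not enforced
    Item("User ID Maintenance", 2, True, "High", "High"),  # lockout after 3 attempts present
    Item("Fire Protection", 3, False, "Low", "Medium"),    # no proper earthing
    Item("Backup/Restore", 3, False, "Low", "Low"),        # no off-site backup copy
]

if __name__ == "__main__":
    for (lk, im), (score, label, level) in build_matrix().items():
        print(f"{lk:>6} x {im:<6} = {score:>5}  {label:<14} -> {level} Risk")
    for f in assess(SAMPLE):
        print(f"{f['section']} #{f['sl']}: {f['score']} ({f['label']}) "
              f"{f['level']} Risk: {f['action']}")
```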


2. Manpower:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Manpower (Score=10)

1 Do the users know the Branch Banking Software / T-24 Software?
2 Does the 2nd Officer know the Branch Banking Software / T-24 Software?
3 Does the GB in-charge know the Branch Banking Software / T-24 Software?
4 Does the Advance in-charge know the Branch Banking Software / T-24 Software?
5 Is there any plan to build computer-skilled manpower?
6 How many persons know the Branch Banking Software?
7 Is there any job description for the computer-related employees?
8 Is there a roster for IT personnel?
9 Is the lifestyle of IT personnel normal / abnormal?
10 Were the related employees given adequate training on IT?
Composite Risk of Manpower


3. Hardware:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Hardware (Score=5)

1 Are the computers and related equipment in proper working condition?
2 Is there any obsolete item kept in the branch (with brand, model and serial number)?
3 Status of cleanliness in and outside of the HW equipment.
4 Status of connections of the HW equipment.
5 Are printers connected with UPS? (Circular No. IT/82 Dated: 15.10.08)
Composite Risk of Hardware


4. IT Security (Physical):

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: IT Security (Physical) (Score=5)

1 Is the PC running the Branch Banking software placed in a glass enclosure with lock and key, maintained by a responsible person of the bank/branch?
2 Is the computer room strong and safe enough?
3 Is there a password-protected screen saver on each PC, activated after 1 minute of inactivity?
4 Is there enough physical security for the network equipment?
5 Is there a list of authorized personnel who may enter the computer room, and is the server room air-conditioned?
Composite Risk of IT Security (Physical)


5. Environment:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Environment (Score=2)

1 Are the doors fire-alarmed? Is backup equipment located at a safe distance, is recording equipment prohibited in the computer room, and is there a redundant power supply?
2 Is the computer room air-conditioned, dust-free, damp-free and fire-protected, with no chance of water ingress? At the end of the day, before departure, does the Branch Manager confirm that the power switches are off and the computer room is under lock and key?
Composite Risk of Environment


6. Fire Protection:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Fire Protection (Score=3)

1 Is the power supply of the PCs switched off before leaving the branch?
2 Is there a fire extinguisher, within its expiry date, placed beside the power distribution board, and is it maintained and reviewed properly on an annual basis?
3 Is there proper earthing of the electricity supply?
Composite Risk of Fire Protection


7. Password:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Password (Score=10)

1 Do officials maintain the confidentiality of their own passwords?
2 Are the passwords of employees who have been transferred deleted?
3 Is access to the system restricted, especially to sensitive data/fields?
4 Does anyone leave the computer while logged in?
5 Are passwords complex? Is the password at least 6 characters long and a combination of uppercase, lowercase, numbers and special characters?
6 Is the password always changed within a 30-day cycle (the maximum validity period of a password)?
7 Is there a parameter in the system limiting the maximum number of invalid logon attempts, set properly according to the IT Security Policy (maximum 3 consecutive attempts)?
8 Is there an allowable terminal inactive time for users, set in accordance with the bank's policy?
9 Is there a defined operating time schedule for users where necessary?
10 Is the audit trail available for reviewing user profiles for maintenance purposes?
Composite Risk of Password

8. User ID Maintenance:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: User ID Maintenance (Score=5)

1 Is there a unique User ID and a valid password for each user?
2 Is there any method to ensure that the User ID is locked after 3 unsuccessful login attempts?
3 Is there any control to ensure that the User ID and password are not the same?
4 Is there a User ID Maintenance Form with access privileges duly approved by the appropriate authority?
5 Are access privileges changed/locked within 24 hours when a user's status changes or the user leaves the bank?
Composite Risk of User ID Maintenance

9. Input Control:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Input Control (Score=3)

1 Does the software prevent the same person from being both maker and checker of the same transaction?
2 Is every cancellation of a cheque done in line with the delegation of power? Is no payment made using the "without cheque" option on a party's request in the T-24 Software?
3 Are every day's vouchers checked against the computer-printed sheet? Are the monthly / half-yearly / yearly closing computer-generated Intt. sheets also checked?
Composite Risk of Input Control


10. Net Security:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Net Security (Score=10)

1 Is the cabling structured? Condition of cabling: very good / good / bad?
2 Are all the network users familiar with the operating and security procedures?
3 Does each user have a unique user name and a valid password?
4 Is there one person or a group of administrators responsible for the security of the network?
5 Is sensitive information/data kept in a restricted area of the networking environment?
6 Are unauthorized access and electronic tampering strictly controlled to maintain network security?
7 Is the security of the network under dual administrative control?
8 Is there a firewall on the network for any external connectivity?
9 Is there any arrangement of redundant communication links for the WAN?
10 Is there a system to detect unauthorized intruders on the network?
Composite Risk of Net Security


11. Virus:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Virus (Score=4)

1 Is the most recent anti-virus installed on each server and computer, whether it is connected to the internet or to the LAN?
2 Is the anti-virus software always updated with the latest virus definition file?
3 Are all users of the system well trained and informed about computer viruses and their prevention mechanisms?
4 Is there any procedure in place requiring all incoming e-mail messages to be scanned for viruses, to prevent virus infection of the bank's network?
Composite Risk of Virus


12. Internet &E-mail:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Internet & E-mail (Score=2)

1 Is there a procedure ensuring that all internet connections of PCs connected to the network are routed through a firewall?
Composite Risk of Internet & E-mail


13. Business Continuity & Disaster Recovery Plan:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Business Continuity & Disaster Recovery Plan (Score=4)

1 Is there a Business Continuity Plan (in line with business) for IT in place?
2 Are the following included in the BCP: (a) an action plan for i) a disaster during office hours, ii) a disaster outside office hours, iii) immediate and long-term action in line with business; (b) emergency contacts, addresses and phone numbers, including vendors; (c) a grab list of items such as backup tapes, laptops etc.?
3 Is there a disaster recovery site map?
4 Is there a procedure to review the existing BCP at least once a year?
Composite Risk of Business Continuity Plan


14. Backup/Restore:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Backup/Restore Process (Score=3)

1 Is there a replacement arrangement for the departure or illness of a key member?
2 Are all backups kept on CD, and is the backup taken on at least two computers of the branch?
3 Are backup copies of information stored off-site in a geographically separate and safe environment, and is the backup restore process tested at least once a year?
Composite Risk of Backup & Restore Process


15. Software:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Software (Score=1)

1 Is there any unauthorized / illegal / banned software on the PCs of the branch?
Composite Risk of Software


16. Banking Software Management:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Banking Software Management (Score=8)

1 Is the daily transaction list, including the cheque list, properly checked against the vouchers and signed by the competent person?
2 Is the last transaction number of the two previous days checked at the beginning of the day by the Branch Incumbent?
3 Is the Summary Balancing of account heads (transaction balance, master balance, GL balance) tallied with the General Ledger and preserved / filed properly with ‘OK’ in the remarks column?
4 Is the statement of daily affairs printed and verified against the GL, and is the monthly balancing checked against the manual GL and preserved properly?
5 Are SS cards scanned properly?
6 Is the daily backup kept on the branch computer / Zip drive / pen drive, preserved under the direct supervision of the Branch Incumbent and also preserved at a different location?
7 Does the Branch Manager monitor the balance / transaction flow of the accounts of relatives / friends of computer operators? Does the branch user monitor the balance of dormant accounts from time to time?
8 Is the User / Second Officer physically involved, by entering his high-level password, at the time of adding / changing / deleting any password? Has the operational limit of withdrawal been set up?
Composite Risk of Banking Software Management


17. SWIFT:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: SWIFT (Score=5)

1 Does the PC Connect software exist? Are two Security Officers assigned?
2 Do the Security Officers maintain the confidentiality of their own passwords?
3 Have operators' permissions been limited?
4 How many times is each message checked?
5 Does a message register exist (input and output messages)?
Composite Risk of SWIFT


18. ATM:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: ATM (Score=10)

1 Are there separate PIN and card officers? Are cards and PINs preserved separately?
2 Is there a card and PIN distribution register?
3 Are undelivered cards/PINs submitted to the manager after 30 days?
4 Does the branch maintain / preserve the authorization form (does the signature exist)?
5 Check the transaction frequency / volume carried out by branch officials with ATM cards.
6 Does the branch maintain the confidentiality of the PIN used to open the ATM booth for cash loading?
7 Is there a register for cash loading and unloading?
8 Does the branch keep the key to the ATM booth's cassettes safely? Does the branch preserve the summarized sheet (photocopy)? Is the statement of cash dispensed preserved?
9 Does the branch preserve a photocopy of the TT/IBCA in the ATM file after authorized signature?
10 Does the branch preserve ATM-related circulars / instructions and letters properly?
Composite Risk of ATM


19. Miscellaneous:

Columns: Sl | Threat Source | Impact & Risk of Threat Source (Likelihood Determination): Likelihood (High=0.1, Medium=0.5, Low=1.0), Impact / Degree of Loss (High=10, Medium=50, Low=100) | Control Present (Yes/No) | Control Status (Yes=1, No=0) | Risk Level: High Risk ≤10%, Medium Risk >10% to 50%, Low Risk >50% to 100% [This Risk Level represents Likelihood Risk]
Threat Source: Miscellaneous (Score=5)

1 Do all the employees have a clear understanding of the IT Policy, and are they aware of the IT Audit Manual?
2 Do branch officials maintain IT-related circulars separately, discuss them, and have a clear understanding of the subject matter?
3 Has the branch taken appropriate measures to address the recommendations made in the last Audit Report?
4 Are there unnecessary data / files on the HD of the branch computers?
5 Is there any major violation of the IT Policy of the bank? Please specify.
Composite Risk of Miscellaneous

......

Signature (Manager) 2nd Officer Auditor (Leader) Auditor
