ISACA Malta – MFSA: The Banking Unit’s On-Site Inspection Function

On-Site Supervision

• Risk-based approach

• Review specific risk areas for ‘major’ banks

• ‘Top-down’ review for other institutions

• Supervisory cycle of 24-30 months

• On average two visits annually at each major institution

• Once every 24-30 months at other institutions

Inspection Plan

• Annual Plan set by the Unit

On the basis of:

• Areas of concern identified through previous on-site reviews

• Risk areas or operations indicated through off-site analysis of returns

• Otherwise when up for regular review

Specific Risk Areas

• Credit portfolio

• Treasury/International Division

• Deposit accounts/Prevention of Money Laundering

• Corporate governance

• IT issues

• Internal Audit function

• Risk management function

• Documentary credits/IBCs/Guarantees

• Verification of off-site returns

Objectives of IT Review

• Does not involve a technical review

• Evaluation of IT set-up

• Assessment of risk emanating from IT area

• Review of internal control procedures

• Adequacy of human resources and training

Methodology

• Inspection questionnaire

• Interviews with internal audit

• Analysis of External Auditors’ Management Letter

• Analysis of policy documents related to the IT area

• Evidence of physical set-up of hardware

• Interview officials from each section within the IT Dept

• Perusal of related documentation

On-Site Review

• Organisational chart of the Dept

• Assess set-up to identify possible risks

• Analyse functions performed by different sections within the IT Dept

• Identify shortcomings within each section eg continuity risk, overlap of duties etc

Policies and Procedures

• Policies on back-ups eg frequency, storage

• Policies on e-mail eg archiving of messages

• Policies on internet usage eg access

• Policies on passwords eg changes, composition

• Communication of policies eg distribution of manual, bank circulars

• Work procedures formalised by each section within the Unit

Hardware and software

• Control of physical access to main server/back-ups

• Mitigation of external attacks eg firewalls

• Distinguish between in-house and external applications

• Perusal of maintenance agreements relating to both hardware and software

• Ensure all agreements are being renewed

• Follow up on any problems encountered

Back-ups and contingency planning

• Ensure that back-up policies are being followed

• Check on data safes and cabinets

• Check on the existence of a disaster recovery plan

• Enquire whether plan has been tested

• Ensure that any identified shortcomings have been addressed

• Addressing shortcomings

• Meeting with management

• Submission of inspection report

• Declaration from the institution’s directors

• Follow-up through correspondence, further on-site visits etc