ISACA Malta - MFSA
MFSA: The Banking Unit's On-Site Inspection Function
On-Site Supervision
• Risk-based approach
• Review specific risk areas for 'major' banks
• 'Top-down' review for other institutions
• Supervisory cycle of 24-30 months
• On average two visits annually at each major institution
• Once every 24-30 months at other institutions
Inspection Plan
• Annual Plan set by the Unit
On the basis of:
• Areas of concern identified through previous on-site reviews
• Risk areas or operations indicated through off-site analysis of returns
• Otherwise when up for regular review
Specific Risk Areas
• Credit portfolio
• Treasury/International Division
• Deposit accounts/Prevention of Money Laundering
• Corporate governance
• IT issues
• Internal Audit function
• Risk management function
• Documentary credits/IBCs/Guarantees
• Verification of off-site returns
Objectives of IT Review
• Does not involve a technical review
• Evaluation of IT set-up
• Assessment of risk emanating from IT area
• Review of internal control procedures
• Adequacy of human resources and training
Methodology
• Inspection questionnaire
• Interviews with internal audit
• Analysis of External Auditors’ Management Letter
• Analysis of policy documents related to the IT area
• Evidence of physical set-up of hardware
• Interview officials from each section within the IT Dept
• Perusal of related documentation
On-Site Review
• Organisational chart of the Dept
• Assess set-up to identify possible risks
• Analyse functions performed by different sections within the IT Dept
• Identify shortcomings within each section eg continuity risk, overlap of duties etc
Policies and Procedures
• Policies on back-ups eg frequency, storage
• Policies on e-mail eg archiving of messages
• Policies on internet usage eg access
• Policies on passwords eg changes, composition
• Communication of policies eg distribution of manual, bank circulars
• Work procedures formalised by each section within the Unit
Hardware and software
• Control of physical access to main server/back-ups
• Mitigation of external attacks eg firewalls
• Distinguish between in-house and external applications
• Perusal of maintenance agreements relating to both hardware and software
• Ensure all agreements are being renewed
• Follow up on any problems encountered
Back-ups and contingency planning
• Ensure that back-up policies are being followed
• Check on data safes and cabinets
• Check on the existence of a disaster recovery plan
• Enquire whether plan has been tested
• Ensure that any identified shortcomings have been addressed
• Addressing shortcomings
• Meeting with management
• Submission of inspection report
• Declaration from the institution’s directors
• Follow-up through correspondence, further on-site visits etc