ISACA Malta – MFSA
MFSA: The Banking Unit's On-Site Inspection Function
On-Site Supervision
• Risk-based approach
• Review of specific risk areas for 'major' banks
• 'Top-down' review for other institutions
• Supervisory cycle of 24–30 months
• On average two visits annually at each major institution
• Once every 24–30 months at other institutions
Inspection Plan
• Annual plan set by the Unit on the basis of:
• Areas of concern identified through previous on-site reviews
• Risk areas or operations indicated through off-site analysis of returns
• Otherwise, when the institution is up for regular review
Specific Risk Areas
• Credit portfolio
• Treasury/International Division
• Deposit accounts/Prevention of Money Laundering
• Corporate governance
• IT issues
• Internal Audit function
• Risk management function
• Documentary credits/IBCs/Guarantees
• Verification of off-site returns
Objectives of IT Review
• Does not involve a technical review
• Evaluation of the IT set-up
• Assessment of risk emanating from the IT area
• Review of internal control procedures
• Adequacy of human resources and training
Methodology
• Inspection questionnaire
• Interviews with internal audit
• Analysis of the External Auditors' Management Letter
• Analysis of policy documents related to the IT area
• Evidence of the physical set-up of hardware
• Interviews with officials from each section within the IT Dept
• Perusal of related documentation
On-Site Review
• Organisational chart of the Dept
• Assess the set-up to identify possible risks
• Analyse functions performed by different sections within the IT Dept
• Identify shortcomings within each section, e.g. continuity risk, overlap of duties
Policies and Procedures
• Policies on back-ups, e.g. frequency, storage
• Policies on e-mail, e.g. archiving of messages
• Policies on internet usage, e.g. access
• Policies on passwords, e.g. changes, composition
• Communication of policies, e.g. distribution of manual, bank circulars
• Work procedures formalised by each section within the Unit
Hardware and Software
• Control of physical access to main server/back-ups
• Mitigation of external attacks, e.g. firewalls
• Distinguish between in-house and external applications
• Perusal of maintenance agreements relating to both hardware and software
• Ensure all agreements are being renewed
• Follow up on any problems encountered
Back-ups and Contingency Planning
• Ensure that back-up policies are being followed
• Check on data safes and cabinets
• Check on the existence of a disaster recovery plan
• Enquire whether the plan has been tested
• Ensure that any identified shortcomings have been addressed
Addressing Shortcomings
• Meeting with management
• Submission of inspection report
• Declaration from the institution's directors
• Follow-up through correspondence, further on-site visits, etc.