
S.No Date Module Areas

1 24-Jan-19 Admin Audit Groups and Audit Sub-Groups
2 24-Jan-19 Admin User Profiles
3 24-Jan-19 Admin User Profiles
4 24-Jan-19 Analytics Data Sets

1 28-Jan-19 Planning (Sajjad, Anwar Alam, Qamar) Annual Planning
2 28-Jan-19 Planning (Sajjad, Anwar Alam, Qamar) Annual Planning
3 28-Jan-19 Planning (Sajjad, Anwar Alam, Qamar) Periodic Planning
4 28-Jan-19 Planning (Sajjad, Anwar Alam, Qamar) Annual Planning
5 28-Jan-19 Planning (Sajjad, Anwar Alam, Qamar) Annual Planning
6 28-Jan-19 Planning (Sajjad, Anwar Alam, Qamar) Annual Planning
7 28-Jan-19 Planning (Sajjad, Anwar Alam, Qamar) Annual Planning

1 28-Jan-19 MISA (Jehangir, Fahad) Audit Program
2 28-Jan-19 MISA (Jehangir, Fahad) Risk Assessment
3 28-Jan-19 MISA (Jehangir, Fahad) Fieldwork / Observations
4 28-Jan-19 MISA (Jehangir, Fahad) Draft / Final Report
5 28-Jan-19 MISA (Jehangir, Fahad) Admin
6 28-Jan-19 MISA (Jehangir, Fahad) Follow-up
7 28-Jan-19 MISA (Jehangir, Fahad) Audit Report
8 28-Jan-19 MISA (Jehangir, Fahad) Most Significant Findings (MSF) Report for BACC
9 28-Jan-19 MISA (Jehangir, Fahad) Audit Report - Audit Rating

1 29-Jan-19 Shariah (Shahzad) Audit
2 29-Jan-19 Shariah (Shahzad) Audit Program
3 29-Jan-19 Shariah (Shahzad) Audit Program
4 29-Jan-19 Shariah (Shahzad) Risk Assessment
5 29-Jan-19 Shariah (Shahzad) Engagement Planning
6 29-Jan-19 Shariah (Shahzad) Draft / Final Report

1 30-Jan-19 Branch Process
2 30-Jan-19 Branch Process
3 30-Jan-19 Branch Engagement Planning - Population and Sampling
4 30-Jan-19 Branch Engagement Planning - Population and Sampling
5 30-Jan-19 Branch Engagement Planning - Checklist, Population and Sampling
6 30-Jan-19 Branch Engagement Planning - Checklist, Population and Sampling
7 30-Jan-19 Branch Fieldwork / Observations
8 30-Jan-19 Branch Checklist
9 30-Jan-19 Branch Fieldwork / Observations
10 30-Jan-19 Branch Fieldwork / Observations
11 30-Jan-19 Branch Fieldwork / Observations
12 30-Jan-19 Branch Fieldwork / Observations
13 30-Jan-19 Branch
14 30-Jan-19 Branch Fieldwork / Observations
14 30-Jan-19 Branch Audit Report - Audit Rating
15 30-Jan-19 Branch Audit Report
16 30-Jan-19 Branch
17 30-Jan-19 Branch MIS Report

1 31-Jan-19 Quality Assurance Process
2 31-Jan-19 Quality Assurance Process
3 31-Jan-19 Quality Assurance Workflow
4 31-Jan-19 Quality Assurance Planning (Risk Assessment / Annual / Periodic Planning)
5 31-Jan-19 Quality Assurance Planning (Risk Assessment / Annual / Periodic Planning)
31-Jan-19 Quality Assurance QA Review
7 31-Jan-19 Quality Assurance Engagement Planning
8 31-Jan-19 Quality Assurance Engagement Planning
9 31-Jan-19 Quality Assurance Fieldwork
10 31-Jan-19 Quality Assurance Draft Report
11 31-Jan-19 Quality Assurance Final Report
12 31-Jan-19 Quality Assurance Final Report
13 31-Jan-19 Quality Assurance Follow-up
14 31-Jan-19 Quality Assurance QA Report
15 31-Jan-19 Quality Assurance Knowledge Library

1 1-Feb-19 Credit Risk Review Process
2 1-Feb-19 Credit Risk Review Audit Universe
3 1-Feb-19 Credit Risk Review Annual Planning
4 1-Feb-19 Credit Risk Review Risk Assessment
5 1-Feb-19 Credit Risk Review Engagement
6 1-Feb-19 Credit Risk Review Risk Assessment
7 1-Feb-19 Credit Risk Review Engagement Planning
8 1-Feb-19 Credit Risk Review Audit Execution
9 1-Feb-19 Credit Risk Review New Report

1 4-Feb-19 Investigation Process for Investigation / Whistle Blow
2 4-Feb-19 Investigation Process for Investigation / Whistle Blow
3 4-Feb-19 Investigation Process for Investigation / Whistle Blow
4 4-Feb-19 Investigation Process for Investigation / Whistle Blow
5 4-Feb-19 Investigation Process for Investigation / Whistle Blow
6 4-Feb-19 Investigation Process for Investigation / Whistle Blow
7 ATM Scheming
8 4-Feb-19 Investigation ATM Scheming
9 4-Feb-19 Investigation ATM Scheming
10 4-Feb-19 Investigation Dispute Resolution Unit
11 4-Feb-19 Investigation Incident Tab
12 4-Feb-19 Investigation Execution Tab
13 4-Feb-19 Investigation Execution Tab
14 4-Feb-19 Investigation Execution Tab
15 4-Feb-19 Investigation Review Grid

All Audits

All Audits

All Audits
eAudit Requirement Sessions

Discussions

NBP has the following Audit Groups
1. Financial Audit (Branch)
2. Information System Audit (IS Audit)
3. Shariah
4. Credit Risk Review (CRR)
5. Planning & Development (PMD)
6. Group Audit
7. Investigation

Audit Sub-Groups will be required for each Audit Group
1. Information System Audit --> Data Centre, Application

Authorization Matrix is required to provide user rights and privileges
to the Auditor for the different options and functions of the Audit System

Field Name / Label Audit Group should be renamed to Audit Type

Data Sets and Data Strata were shown to demonstrate how to integrate the data
from other NBP systems and Excel

A Team Lead having performed audit Engagement for one Branch
cannot do Audit for the same Branch until one year or certain time has
passed.

If a team or Team member is allocated on more than 1 engagement
with overlapping dates, does the system give any report that this
auditor is allocated on more than 1 engagement on the same dates?

An alert should be provided if Audit Teams / Auditors are overlapping
in different engagements in Periodic Plan if Proposed dates are shifted

Entity Size is required to appear in Annual Audit Plan. Annual planning
is done from the size of the entity (Values are 1,2,3,4,5)

Calculation of Man Days

New Report is required where Auditor / Audit Team is engaged during
the fiscal year with Engagement Dates and Number of Days on an
Engagement

Distance from Audit Office / Regional Office or Coordination Office
In case Auditor goes from Audit Office Karachi to Hyderabad and from
Hyderabad to Sukkur, he will go in one go, his travel will be from KHI to
Hyderabad and then from Hyderabad to Sukkur

Information Systems Audit type is Working Paper based as there are no
fixed Findings

Presently there is no risk assessment done for entities related to MISA.

The Auditee determines the number of applications and mentions the
critical applications. The Branch itself categorises the applications
as H, M, L and the audit team then selects randomly from the provided
category.

Frequency of the audit is one Audit within the Year

NBP requires a combination of factors to automatically ascertain the
risk type as High, Medium, Low

The generated audit report should be based on the standard template
provided by the client

How do overseas users get access to the system?

Follow-up Desk (FUD) is done by processing in charge in NBP

Generated PDF reports should be protected so that contents cannot be
copied and pasted anywhere

NBP requires Most Significant Findings (MSF) report for BACC

Presently all IS Audits are done from Head Office, no Branch visit
Risk Based Audit based on Risk Factors
1. One Branch in a Year (Annual Audit)
2. Snap Audit (For new Branch or converted Branch)

1. Checklist Based for Branches
2. For Group, Regions and Finances Branches it will be Working
Paper

No Sampling as Audit is done for 100% Population

Risk Based Audit based on Risk Factors
1. One Branch in a Year (Annual Audit)
2. Snap Audit (For new Branch or converted Branch)

Team Lead can prepare and review the Draft / Final Report
Draft Report is processed after Audit is completed
Five Working days for Management Comments and then Final Report
is processed
Twenty working days after issue of Final Report, Compliance report
and clearance certificate is provided by Branch

NBP is required to provide their Report format for Shariah

Segregation of Portfolios on the basis of point number 5 along with
Analysed and Un-Analysed Data
Basic Findings are available
Instance will come from Sample

Option should allow Team Lead to upload Population at any time

When the Sample size is reduced from the Population, the remainder should
become part of Disclaimer
Population=100, Sample=70, If sample reduced by 30, then new
Sample will be 40 and 30 will become part of Disclaimer

If no data is available for population and sample on that EP Activity,
then Team Lead can upload the population in Excel for that EP Activity

Two different types of Checklist
1. Divide Chapters among Portfolios
2. Another Checklist is Sub-bifurcation of SAP GL Accounts

Another type of Checklist is Balance Sheet for checking SAP GL
Account heads for checking the SAP GL Balances
Full SAP GL balances should be available in the system to check
balances of SAP GL Accounts
Additional Columns will be provided in (Excel Template) SAP GL which
will have contra balances and portfolio analysis

Approval is required to increase man days

If any change in Checklist, then it will be reflected in next engagement

New Exception can be added in the Engagement and will become part
of checklist after proper approval.
Parameters of Observation Type to be provided by NBP

Parameters of Responsibility to be provided by NBP

One Observation per one Test
Select Sample to make the Instance which will make the Finding

If 3 different types of audit are done for a branch, can the team lead
review Findings, Instances of all three audits when doing the Annual
Audit?

A new Dropdown is required for Categorization of Major Control Lapse
(MCL)
Multiple MCL can be added on one Observation
MCL dropdown should be optional

NBP is required to share the Audit rating for Branch

NBP is required to share Branch Audit Report format

Presently Data is taken from MIS Portal
MIS Report is required to analyze branches for SAP GL (Analytical Criteria
will be discussed)

Quality Assurance is an assessment for all modules starting from Risk
Assessment, Annual Plan, Periodic Plan, Engagement Planning, Draft
and Final Report
Examples: High Risk Branches, Branches not done previous year should
be done, Reason for not auditing certain Branches, Shuffling of teams

For Risk Assessment, Annual Plan and Periodic Plan, QA is done after
they have been approved.
A Checklist is used to provide QA Observations / Comments based on
the Checklist items of each module
Observations can be made on each checklist by inputter which is
approved by reviewer
How can Travel / Budget Policies be viewed to ascertain the
correctness of the calculated values?
Observations can be made on items like Travel Policy and Budget
policies whether the calculated values are correctly calculated or not

Inputs from Wing Head will report to Divisional Head (3 Divisions) and
further escalated to Group Chief

No process is stopped or halted in case of assessment done by QA. The
Planning team can go forward with their routine work
Example: Work on Annual Plan can start even if QA is being performed
on Risk Assessment
Similarly, Periodic Plan can start even if QA is being done on Annual
Plan

Comments of inputter can be amended by Reviewer
Process: QA Inputter, QA Reviewer

Two types of QA options are required (On-going and Post Audit - After
Final Report is released)
Suggestion is to have 2 Tabs for QA in Engagement Planning module:
On-Going QA and Post Audit QA
Same Checklist will be followed for On-going and Post Audit
On-going QA will be done by Audit Office and Head Office Wings
Post QA will be done by QA wing
A Checklist is used to provide QA comments based on the Checklist

The Observation entered on Checklist will have a dropdown field of
different types of violations
No QA required for Fieldwork

On-going QA - This is done after Release of Draft Report and before
Release of Final Report
QA will be done after Draft Report is released - Referred to as Ongoing QA
Draft Report will be sent to QA
A Tab will be provided on Draft Report stage which will be enabled
after Draft Report is Released
Checklist related to Draft Report will appear

Post QA - This will be done after Final Report is released - Referred to as
Post QA
Final Report will be sent to QA
A Tab will be provided on Final Report stage which will be enabled
after Final Report is Released
Checklist related to Final Report will appear

In case On-Going QA is in process after release of Draft Report,
system should check and not allow Release of Final Report until the
On-Going QA report has been released
No QA required for Follow-up

Separate QA Report for On-going QA and Post QA
Report format to be shared by NBP
Once all checklists of QA (On-going and Post QA) are completed and
marked as Reviewed, then QA Report can be released

All released Reports in Knowledge Library should be shown with an
additional field indicating whether Post QA has been completed on
that Audit report or not

Two different types of Reviews: BRR and CRR
100 M above BRR
20 M - 100 M CRR
Less than 20M Consumer
Audit Group will be Credit Risk Review
Audit Sub-Group will be CRR, BRR, Portfolio
Audit Period is at a particular cut-off date.
Audit Period Start and End Dates will be same
Planning Method is Risk Based and Risk Assessment is done Party-wise
for CRR and BRR
Risk Assessment is done on Corporate party-wise
Engagement is done Corporate Party-wise

Status of Party / Classification, Rating. In case Audit for a particular
Branch / Party is not done in previous year, then Audit should be done
in current year
Reference Number should be auto-generated.
Format: BRR/Audit Office/Branch/Partyname/Serial Number
Observation which is closed after discussing with Auditee should not
be printed in Final Report

Separate report for Key Observations for multiple Engagements

Investigation, Whistle Blow, ATM Scheming, Dispute Resolution Unit,
Complaint

For Investigation a Proforma is prepared and is assigned to the
Investigation officer
Investigation has to be done in 7 days or more depending on the
severity
Investigation is completed
Charges are framed and sent to Region / Head Office

Charges framed are sent to Region for Vetting
Region verifies the Charges and sends a separate letter to the dept /
person having done the fraud
Dept / Person then provides their management comments confirming
that the Charges framed are correct (Management Comments).

An additional Status of Vetting is required during Execution and before
Report is Released
This will be during Execution stage
Mazars proposes that a second Execution Reviewer be added in Assign
Team Member as a Vetter who will vet the charges framed.
He can accept or decline which will go back for updation

After Charges are vetted / verified then Final Report is Released / Sent
to Institution Fraud Division, Disciplinary Wing, Risk Management and
Compliance Group
Complaints are received from different sources
ADC Frauds, Branchless Banking

System should have provision for uploading the Transaction records of 2
cards and provide the difference between the 2 cards on same date,
same bank, same ATM Terminal
Card 1 History, Card 2 History, and unique transactions between both
the cards
Report is sent to Risk Management and Compliance Group

First ATM Settlement is investigated and if not resolved then it is sent to
Dispute Resolution Unit for collecting secondary evidence
Additional Fields are required:
1. Name of Entity (Already available in system)
2. Date of Branch / Entity Opening: (Date to be Entered Manually)
3. Name of Present Manager: (Text)
4. Date of Posting: (Date Field entered Manually)
5. Name of Previous Manager: (Text)
6. Date of Posting: (Date Field entered Manually)
7. Name of Manager in whose incumbency Fraud was committed
8. Name of Operation Manager:
9. Date of Posting:
10. Name of previous Operation Manager
11. Date of Posting
12. Name of Operation Manager in whose incumbency Fraud was
committed
13. Details of RMT with date of Posting: (At least 4 Regional Head)
14. Modus Operandi: (Available in System)
15. Date of Detection of Fraud: Date
16. Who Detected the Fraud:
17. How the Fraud was detected:
18. Quantum of Fraud Estimated financial impact on bank
19. Recovery if any
20. Details of Disciplinary Action
21. Roles of Regional / Head Office Personnel
21a. Branch,
21b. Regional Office
21c. Regional Data Centre
21d. Regional Audit Office
21e. Group / CRBG
21f. Concerned Groups at Head Office

Additional Fields are required which will be provided by NBP
Charges are framed during Investigation for persons of NBP
For Suspected Staff, following fields are required (Tabular format)
1. Name
2. Employee ID
3. Designation
4. Provident Fund Number
5. Date of Retirement
6. Nature (Negligent / Criminal)
7. Tenure (Period of Posting in the Branch - From and To Date)
8. Charges Framed (Text)

Additional Fields required related to:
Details of cases referred to law enforcement agencies:
1. Name of Agency
2. FIR Number with Date
3. Arrested on Bail if any
4. Recovery in shape of Property
Additional Fields required related to:
1. Details of Frauds / Forgeries previously committed in Branch
2. Any other information
3. Remarks
A column is required for Aging on Investigation Review Grid from Date
of Reporting till to-date, until Report is Released

Categorization of Diarized Items - Require a list of Categorization of
Diary Items to be added in Observation in Follow-up.
Resolve the observations within 30 days after release of Final Report
otherwise they will become part of diarization

Clearance Certificate process - issued by Audit Office after all
Observations are resolved
Observations should be resolved within 30 or 60 Days of Release of
Final Report (Compliance Certificate can also be issued conditionally
in case some Observations cannot be resolved over a lengthy period of
time)
Special Letter should be uploaded in the System after Release of Final
Report having Critical Outstanding Observation

Mazars Comments Category After/Before Go-Live

Audit Groups and Audit Sub-Groups are
departments of Audit Group
They are used to link the Auditor to a
particular Group. However, the Auditor can
perform Audits for other Groups as well

NBP has been asked to provide their current
Audit Groups

Authorization Matrix

Field Labels can be changed using Labels
option in the system which will impact the
label throughout the system

Data in NBP is scattered in different systems
in use like CBA, SAP ORACLE, SAPFORG SPM
NBP currently uses Excel to get the data
from different systems
NBP might use this option at a later stage

This is built into the system: the same team
lead cannot do audit for the same branch
next year.
System selects a different team lead, but
NBP can override if required
This will depend on the parameter
Minimum Time Span between audit set on
Audit Sub-Group

The system proposed draft plan will not put
any auditor in overlapping assignments.
It can be manually done by planner as an
override

This is not available at this stage. However, it
can be done
This can be done

Calculation of Man Days includes Holidays,
Gazetted Holidays (Entered through
Holiday Calendar).
Holidays and Travel Days to be shown
separately on Annual Plan

NBP to provide report format

This is a parameter set on Audit Area on
selecting Entity Type = Branch. From where
the Auditor belongs (From regional office) to
the Branch
Travel Distance could be editable at Annual
Planning Level

Mazars proposes that NBP should also do
the Risk Assessment of Entities related to
MISA by entering at most 1 Risk Factor

Needs further understanding
Will be done manually and judgementally as
at present

NBP to provide report format for MISA
Some charts are required in the report, for which
criteria will be provided

Overseas users would have official emails
and login credentials. Need to confirm from
NBP

A new role will be created in the system for
Follow-up Desk (FUD)
Follow-up report is prepared by NBP which
will be shared with Mazars

Generated PDF reports should be protected so that
contents cannot be copied and pasted
anywhere

Format to be shared

NBP is required to share Branch Risk Rating
for IS Audit
Risk Assessment Criteria will be provided by
NBP

Some Branches will have Working Paper and
Checklist both
Customization
Mazars Comments Status

S.No Date Requirements

1 Risk rating (Understand NBP’s Risk Rating calculations)
2 Diarization
3 Financial and non-financial data information transfer to Front Office for auditing (Integration with other banking systems)
4 Business Intelligence (BI) Reports (Formats and Understanding from NBP)
5 Data Analytics features (Formats and Understanding from NBP)
Optimal view of statistics of the entity being audited
6 Capability to perform data sampling for data analysis work (Sampling Techniques)
7 CAATs shall be incorporated/integrated in system
8 Separate module for Quality Assurance (QA) (Understanding of QA module)
Selection of audit reports for QA (QA Module)
Updation of QA feedback against each audit report (QA Module)
9 Business Portfolio Analysis
10 Types of transactions
11 Financial audit – branches (Planning Method - Risk Based, Frequency, Adhoc) (Fieldwork Method - Checklist based, Working Paper, Item based)
12 I.S. audit – branches, ITCS / Technology Centre, Regions, HO
13 Special audit
15 Group audit
16 I.S. Application
17 Overseas audit
18 Big Advances / CRR
19 Audit Reporting
Data Analytics features (Formats and Understanding from NBP)
20 Generation of audit report (all chapters) (Formats for each type of audit)
21 Generation of Special Letter during audit (Format)
22 Risk Rating of auditable entities (branches, regions, groups divisions, IT applications, IT centres, subsidiaries, other Offices / functions, etc.)

REPORTS
23 Branch-Region wise Statement of Short/Non-recovery of income & excess payments (summary & detail)
24 Branch-Region wise Statement of Shortage of Pledged Stocks (summary & detail)
25 Branch-Region wise Statement of F&F cases (summary & detail)
26 Branch-Region wise Statement of Overdue CCs of all audit types (summary and detail)
27 Detail of Diarized findings of Head Office level
28 Summary of Diarized findings at Head Office level
29 Summary of Diarized findings at Regional level
eAudit Requirement Sessions

Suggestion Module Category After/Before Go-Live Customization Mazars Comments Status
