Tuesday, December 4, 2012

End of all other Statutes

The Indian culture of destiny acceptance was always frowned upon by me as an act of camouflaged lethargy. I had to roll back my thoughts after an event which thrust me into the forefront due to acts other than my own. A politician died. A girl posted remarks on a social network. She was arrested by the police. A magistrate exposed the charges as wrong. A student challenged Section 66A of the Information Technology Act (hereinafter known as the IT Act). This was all in the year 2012. Now here is where I come in, for something I did in December 2000. I had written a book entitled ‘Guide to Information Technology Act 2000’. It was sold out in two months to professionals as well as students.

‘Since I have used your book very often to lecture my fellow advocates, I thought of you,’ said one Magistrate over the phone. The half-hour conversation was summarized in my head as: there were so many cases filed under the IT Act that they would need 27 years to clear, assuming no more were filed in future. Suddenly a statute relegated to students’ curriculum and the library became a front runner. They expected me to provide them a ‘fast-track’ solution for this, since I was the only author-consultant combination in the field of Information Technology! This is when I contemplated my view on Destiny. Did I suddenly become the hero problem solver or a grass-eating scapegoat?


I told the Magistrate, ‘I need to know just one point: how did the cases under this statute pile up? I expected perhaps two low-profile cases for every high-profile one, and at this rate from the year 2000 there should have been not more than a dozen.’ The man on the other end of the line laughed, ‘All cases are under this statute only.’ I was dumbfounded. He promised to email me the list of cases ‘on the Board’ that day, with some additional details to permit me to understand the situation.


Note from author: The following cases are purposely ridiculous, to show how provisions of a statute can be twisted. Though such a case may be thrown out, it causes distress to the charged persons. The cases could have been better made under other statutes.


The following list was emailed to me. Names of the parties are hidden.

Case under: Section 43(a) of the IT Act
Case of: Multinational Company vs. Software application provider
Section in brief: Unauthorised access
Case in brief: A junior in the payroll section did not have access to top management files, but he could view them, and when Union negotiations came to the table he tabled some embarrassing findings, such as ‘entertainment allowances’ paid to some attractive persons working under the top management. Since the accidental access was granted by a bug in the software, the company which coded the software was sued.

Case under: Section 43(b) of the IT Act
Case of: A Company vs. Hardware server (Computer server)
Section in brief: Downloading data without permission
Case in brief: A disaster recovery centre was to be opened by a VIP. Upon his pressing a button, the data from another city miles away was to be backed up. However, nothing happened after he pressed the proverbial button. After a cursory glance it was reported that since the server had already backed up the data, it would not do it again. Since no permission was granted to the server to download data before the VIP had opened the facility, the hardware (server) was sued. The server machine (!) was not represented by a lawyer, so the court had to provide one – after all, rules of the court need to be followed.

Case under: Section 43(c) of the IT Act
Case of: Shopping Mall vs. Customers with cold
Section in brief: Introduces virus
Case in brief: A customer with a severe and infectious cold went shopping in a mall. As he handed over cash he also handed over his virus. Many cashiers manning the computers immediately fell sick. Since computer users were affected by the customer-induced virus, they could not use the allocated computers to perform their allotted duty. Hence the customer was arrested.

Case under: Section 43(d) of the IT Act
Case of: Retail Shop vs. Unidentified rioters
Section in brief: Damages computer, software or data
Case in brief: Riots had broken out and, before the shop could down its shutters, a stone crashed through the display window and hit the computer which held the stock and sales data. Since the computer repair person said it would take two days to repair the computer, the shop was forced to close down, as stock and rates were all bar-coded. (No other Indian Penal Code or criminal provision was used.) As all the elements mentioned in the section were damaged, viz. computer, software and data, the company felt this was the most appropriate section to charge under!

Case under: Section 43(e) of the IT Act
Case of: A large company vs. Local electrician
Section in brief: Disrupts or causes disruption of any computer, computer system or computer network
Case in brief: In a newly constructed building, a company was one of the few early occupants. In one office some electrical work was in progress, and the electrician started a machine needing high voltage. It tripped the electricity in the entire building. Since the work of this company was ‘disrupted’, they made a case against the electrician!

Case under: Section 43(f) of the IT Act
Case of: Employee of a company vs. Security guard of that same company
Section in brief: Denies or causes the denial of access to any person authorized to access any computer system or computer network by any means
Case in brief: As per the instructions to the security, the guard stopped an employee without an identity card. Since he was a computer user who lost one day’s leave/salary, he sued the guard for preventing him from using his computer! (He was posted in the mail room and not in any important position.)

Additional case u/s 43(f)

Case under: Section 43(f) of the IT Act
Case of: A company vs. State Electricity Board
Section in brief: Denies or causes the denial of access to any person authorized to access any computer system or computer network by any means
Case in brief: Though it was usual in most parts of India to accept periodic power outages, other than on the pre-determined day of the week, a company which got fed up with the lack of service decided to sue the Board on the grounds that their employees were denied access to their computers since there was no power, and only the State Electricity Board was responsible for the denial of power and, eventually, the denial of access to the computers!

Case under: Section 43(g) of the IT Act
Case of: Govt. vs. Network service provider
Section in brief: Provides any assistance to any person to facilitate access to a computer in contravention of the provisions of the IT Act
Case in brief: A network service provider followed all KYC rules before connecting a subscriber, who then hacked into various Government websites. Even before he was charged, the service provider was charged, because without the assistance of the network service provider the hacker would not have had internet access in the first place!

I reported to the magistrate that during the passage of this Act, 5 other Acts were simultaneously amended, which started a trend. The emphasis is on the word ‘amendment’, which is not ‘replacement’. The cases show that the accusers have ‘replaced’ other Acts by the IT Act.

Now don’t you feel that sections other than section 66A need review?

Monday, November 12, 2012

Swiss issue over Bank Accounts


When my son returned from school, he was pretty upset. Sensitive issues were conveniently dropped in my lap on the argument of it being a ‘man to man’ resolvable issue, although his age was still in single digits. After delicate probing it transpired that all his classmates who until that day respected him were now making fun of him, and it seems I was the cause. I mused, I had ensured his school was not for the elite, where the cars would have been in the unaffordable range for me. Now what did I do or not do to reflect on the social standing of my son? He made it starkly clear in the direct way only children can. ‘I told my friends you have banks as clients and so you can open accounts in many, many Banks.’ He was right. Being a consultant to Banks, I used to open business accounts in those Banks to get my fees fast by direct transfer. ‘You have accounts in Nationalised Banks, Private sector Banks and even co-operative Banks, but not a single one in a Swiss Bank like some other Indian Uncles,’ he cried. I did not imagine that this sociopolitical issue would result in a prestige issue.

‘Son, did you realize that the Swiss account holders mentioned in the news are those with black money? I am a grandson of a Judge, so law-abiding actions are automatic for us.’ I did not tire him with the concept of Tax Deducted at Source (TDS), which ensured I followed the law. ‘Tell your clients to give you money soiled in coal so you too have black money,’ came the innocent reply. I could not help but smile, but felt sad that having black money was now a more important social status than any legitimate one, like being a social leader or even sacrificing for the country.

‘Are Swiss Banks only for those who do not follow the law?’ he asked. Given the kind of publicity and their penchant for secrecy, more law offenders were their account holders, but the Banks were genuine Banks, is what I told him. I brought him up to date that the policy change on secrecy is what resulted in the names of account holders being released. ‘If the amount is brought into India, then will the flight of deposits from the Bank upset the balance of the Bank and make it sick?’ he asked in genuine concern. I replied, ‘Possibly,’ as I imagined the Chairman of a Swiss Bank trying hard to convince his authorities that he, or rather his Bank, was healthy. Perhaps, in the history of that country, a Bank may have to put up with this kind of test. I wonder what it may do to their currency later.

‘So, when are you opening an account in the Swiss Bank?’ he did not let go. ‘Why don’t I get you a Swiss chocolate instead and you drop the topic?’ I tried to bribe his silence. Once he said okay, I jumped to get out of the door for the chocolate. As I reached for the door, he said, ‘Err, Dad, can you get 40 pieces?’ I was aghast. ‘40 pieces will make you sick.’ ‘Not for me, Dad, for the whole class. I can tell them you went to open an account and the Bank gave you chocolates as an account-opening gift, and they will all keep quiet.’


Thursday, November 8, 2012

Made Value, Attracted Tax (MVAT)

‘How big is your shirt pocket?’ asked the voice on the line before either of us could even say hello. For one second I thought my tailor had gone mad, asking me what he is supposed to know. Then I recognized the voice of my friend who wanted to buy a house in my area from the same builder. ‘Do you want dimensions in inches or centimeters?’ I had accepted his quirkiness over time. ‘No,’ he almost shouted. ‘How much cash can you cram in your shirt pocket?’ I was puzzled. In this day of plastic money and e-money, my friend was asking how much cash I can carry? ‘Maybe a hundred in tens or five hundred in hundreds,’ I meekly tried to hide the conveyance allowance my wife permits me. ‘That is exactly what I told the blokes sent by the builder. They are asking me to pay Rs. 9.58 lacs for a flat I purchased in 2009. You think I carry that much cash in my pocket? is what I told them.’ I wondered aloud, ‘Did it take him so long to realize he undercharged you, or is he trying to fleece you now, regretting he did not do it in 2009?’ ‘MVAT’ came the reply that shattered all suspicions and cleared the picture. I pacified him by promising to visit the builder’s office within the hour, because the ‘blokes’ of the builder were refusing to budge without the cash.

Anticipating our argument, the builder slid across a laminated copy of a news report stating that the VAT had to be paid. While I peered through my thick specs for an answer in the news report, the builder started crying. ‘All I do is arrange the bricks in a manner that gives privacy and security, so where did I create value? Perhaps I created profit for myself but definitely not value.’ I knew he was just trying to distract an intelligent study when the solution struck me. ‘It does not say the buyer has to pay for it.’ I threw the laminated paper on his desk and almost said, ‘I rest my case’. Now even my friend’s brain was in overdrive. ‘Even I was not the first buyer; I took it just at the time of completion from an investor, so he must pay and not me.’ Now even I was amazed at this and looked at my friend with pride!

While we postponed the payment to a future date, for a meeting of the residents of my friend’s building, I wondered what to anticipate if VAT was to be levied on the principle of value creation. I remembered my first year of college when we were introduced to time, place and form value. Based on this, the picture was so horrific that I would have to triple or quadruple my income just to retain my middle-class standard of living. You can surely expect the following to be covered under VAT in future. It may be outlandish, but so was the VAT on builders!

On Bank Deposits: Because value is added directly to the deposit over time.

On the vegetable vendor: Because the vendor gives place value – bringing produce from the farm to your house.

On the Beauty Parlour: For adding beauty value to my wife. (Service tax, which is currently levied, will be replaced by VAT.)

On salary: Since salary adds value to your style of living.

On your daily Newspaper: Because it adds value to your awareness.

On your haircut: Because it adds value to the neatness of your head.

On Schools/Colleges etc.: Because they add market value to your child by increasing his/her earning capacity. (Service tax, if any, will be removed to prevent double taxation.)

On every employed/self-employed person: Because they add value to society by their work. (Criminals also included, because it is due to them that the law enforcers have value.) Effectively, the ‘profession tax’ now confined to Maharashtra will be all-India.

And finally

On every parent: Who puts values and culture into their child to add value as a member of society.

Politicians will be spared: Not because of being in position but because, what value do they create?

Sunday, April 22, 2012

Problem Variable

I wrongly thought it to be just a boring beginning-of-the-year partners’ weekly meeting in the CA firm, when most staff were busy at audit sites, which assured just procedural problem solving not demanding much cerebral effort. Imagine the jolt I received when I saw more than a dozen partners’ faces glaring at me as if I had committed a blunder that would dissolve the firm. Frankly, the post-lunch session had a drowsy effect and I had not paid much attention to the topic under discussion, even though it was heated, which I had dismissed as some people having a habit of making mountains out of molehills.

‘Huh?’ I asked everybody in general. ‘Can you specify what point you want me to address?’ I feigned alertness. ‘All our Information Technology company audits are taking longer even after your innovative through-the-computer audit techniques.’ The prospect of my excess of 4000 hours of involvement last year being discounted angered me. ‘From SQL and Oracle to SAP and ERP, I have personally tested last year to save us more than 40% of audit time at each site. If there is a new module perhaps I may have to design for it, but nothing to get worked up about.’ I tried to assure them. ‘Simple salary vouching is taking 300% longer,’ spoke the eldest of our partners. ‘Don’t be silly,’ I remarked, ‘it is so simple that we assign it to the junior-most of the audit team.’

‘Have you heard of the variable element in the salary?’ asked one in contempt. In equally icy tones I answered, ‘Dearness allowance has been around for donkey’s years and my audit techniques have accounted for it.’ Realising my ignorance, he slid a newspaper across the table, and if I had not been sitting I would probably have fainted. Now a whole section of salary is variable, and that too not standard across the board. It is as per the circular of the management, and knowing how (un)clear circulars are, the nightmare was just beginning to get defined. ‘Even the audit team leader cannot audit this simple function correctly and the signing partner has to personally do that,’ complained one equally senior partner. I excused myself, asking for time to study how overnight the salary definition had turned upside down. The ending note of the meeting was a warning to all through me that though today only the IT industry has variable salary, tomorrow all shareholders will demand that full salary be variable – after all, bread and butter is the greatest motivation! So, all our audits are likely to suffer the same drop in efficiency!

I started jotting down. Long ago, bonus was paid if the company made a profit. Then Union negotiations, especially in the loss-making public sector, made bonus a right, not contingent upon profitability. Then came the performance bonus, where seniors patted themselves on the back with huge amounts. The definition of ‘performance’ varied and sometimes had no connection with the profitability of the company. Now, salary itself was largely variable from top to bottom. Hitherto, only the very top had the cream as a variable, but now even the juniors had a variable, and that too not cream but bread and butter.

Just then the receptionist announced the unscheduled appearance of one senior relative. I had just introduced a suitable boy for matrimonial purposes for his daughter. Perhaps he has come to give me the good news of confirmation, and hopefully with some Indian sweets, I thought. The issues in the partners’ meeting had increased my acidity. As the senior man came in, instead of a happy disposition I sensed anger. ‘You know I am a retired man,’ he began. ‘As a middle-class Maharashtrian, I wanted my daughter to get married to a man whose income is assured by way of salary and not variable due to business.’ I sat up. It was that dreaded word of the day again – variable. He continued his lament, ‘We were about to announce the engagement on the auspicious day next Wednesday when he told us that he had to take a 50% salary cut due to the unexpected performance of his company. You had assured us that since he was in the IT sector, it would be raining assured money.’ Whoops, I had introduced a boy from the IT sector and here was a visible impact. I called for a cold drink for the heated man and profusely apologised for being ignorant that salaries are now variable. He left wondering loudly if I was completing annually my mandatory ‘continuing professional education’ (CPE).

As he left, my overtime began. People from all sectors came with their unique problems due to the variable salary concept. After the end of a marathon 48-hour consultation with more than 70 persons, I began summarising the issues to draft common replies to people with common problems.

My old student asked: If sharing of profit is the basis of salary, is there any difference between employee and partner?

System designer of a company asked: What controls can I build into a salary module if neither the percentages nor the categories are standard across the board, nor even the determinant? For some it is increase in turnover, while others are linked to profit, and more complex are those linked to the whims of the senior management.

Union leader of Class IV (peons/delivery boys) workers asked: How can my members be held to any performance? All they do is deliver packets and tea/coffee. They have no say in business decisions. So, will it be right to claim that their mere attendance should be the determinant for bonus, even if the company is under-performing?

Just-passed CA student asked: Should I go into practice or employment? What is more variable in income terms: the vagaries of practice, or performance determined by hundreds of employees?

Association of industries asked: Can you help design Accounting Standards which are flexible enough to permit us to use whichever shows better performance?

Crafty Chairman asked: Can you design an accounting policy which shows I have performed well but my juniors have not?

All salaried employees asked: For our Income Tax returns, can we classify our income under business and claim expenses like conveyance, depreciation, carry-forward losses etc.?

Marriage website asked: We are under pressure to have a new classification, regardless of religion or qualification or industry or profession, for a category of employed persons with no variable salary. Is there any industry where variable salary is not paid to employees? Is it worthwhile to make such a category for the remaining industries, or do you think that all companies will make most of the salary variable?

Bank General Manager in charge of credit asked: Till date we were classifying salaried borrowers as low risk. Should we classify them equivalent to businessmen or professionals?

Neighbourhood Grocer asked: Should I continue monthly credit to salaried customers, or is the variable element in salary also upwards?

Wednesday, March 7, 2012

Snap CBS System Audit

Today, Core Banking is an environment accepted more by passage of time than by the features it boasts. Auditors cannot afford to ignore Core Banking and its associated risks. Since Banking is the only sector where System Audit is mandatory, Auditors have to read much beyond the Accounting and Auditing Standards and remain alert to the recommendations and notifications of the Reserve Bank of India. Today, Core Banking System Audits are governed by the following main contributions from the Reserve Bank of India.
* 'Information System Audit Policy for Banking and Financial Sector' dated October 2001, issued by RBI.
* 'Internet Banking in India' dated 14/6/2001, issued by RBI.
* 'Information Technology Act 2000' and subsequent amendments.
* 'Storage of Electronic Records in Banks', issued by the Indian Institute of Bankers in July 2006.
* Jilani Committee
* Narsimhan Committee – Second
* Vasudevan Committee
* Internet Banking Committee
* Working Group for Information System Security for the Banking & Financial Sector headed by Dr. R.B. Burman, ED, RBI
* Committee on Computer Audit under the Chairmanship of Shri A.L. Narsimhan, Chief General Manager, Institute of Chartered Accountants of India SBI, Citi Bank and ICICI Bank.

It would stand all Bank Auditors in good stead to have perused these documents before commencement of Bank Audit in any role.

No matter how complex any discipline is, it is based on logic. Core Banking safety is also based on some logic. If one can deduce the commonality of the elements, one would be able to reduce the concerns addressed to a handful, and any auditor would be able to go even beyond the specifications of the various RBI Circulars by assimilating the spirit of the various circulars and committee recommendations.

Core Banking Environment Defined
The Core Banking Environment in India is akin to Centralised Data Management. In such an arrangement, the server or servers are located at one place called the Data Centre. All data as well as the application software is located here. Branches and Administrative offices are connected by some network. Earlier, a leased-line network was the popular one. However, being costly, other media have followed, such as VPN (Virtual Private Network, which runs over the internet), wireless, and VSAT (Very Small Aperture Terminal, which uses satellite). A diagrammatic representation of a typical Core Banking Environment is shown here.

Logical Objectives of Core Banking Audit
The logical objectives of Core Bank Audit can be boiled down to 3Cs.
* Continuity
* Confidentiality
* Correctness
One can also claim these to be the ‘RISKS’ of Core Banking.

Continuity: Service to the customers (account holders) of the Bank is the main reason why computerization has taken place. Therefore, the Bank needs to take various measures to ensure that there is no disruption of service. If there is accidental disruption of service, what measures can be taken? Also (more important), within what period of time will normal services be restored? It would not be out of place to mention here that the ‘disruption period’ is very often not estimated. A concise example of continuity of service, especially in a Core Banking Environment, would be the disruption of communication. As seen in the diagram, each Bank is expected to have a ‘back-up’ network system. Once the primary network is down, the back-up network is expected to become active and continue the service to the customers. Of course, some companies (unfortunately none of them Banks) even have the ‘active-active’ position, where both networks remain active to obviate even one second of disruption. How this aspect is addressed during audit can be seen when we list, later in this paper, various activities for the attainment of this objective.


Confidentiality: Data of the customer is confidential and should not be leaked into unauthorized hands. To ensure this, one way would be to ensure that access to the Bank’s database is given to authorized personnel only. A further filter would be a ‘need to know’ policy, where entire data access is not granted to persons whose job card does not justify it. This is why there are access levels in the application software.

Correctness: Correctness should be assured for every voucher entered as well as for every processing step and calculation. ‘Validations’ during data entry, where the issued cheque number is matched with the distinctive numbers of the cheques issued to the account holder, is one stark example of data validation. Being a computer, the calculation of interest earned and interest paid is expected to be accurate. However, the experience of some system auditors is that this may not be so because, after all, it is a human who has written the processing code, and he may have faltered and the Quality Control department may also not have detected it.

Addressing the Risks of Core Banking
Risk-based audit is the recommended angle of audit of the times. Adapting it to Core Banking would be a natural extension which better covers the critical concerns, especially in the area of a technology as new as Core Banking. Addressing the risks is given below in the format of a checklist. These are merely illustrative and should serve the reader as an incentive for the development of more actions customized to the CBS environment under audit, because each environment will most certainly have its own unique aspects having large implications on the audit.

Does the Bank have the following policies? is your first step of query. Mere existence of such a policy means some thought has gone into the matter and, logically, execution is expected. However, in the days of outsourcing, we have noted that a policy is created by a consultant merely for the satisfaction of some regulatory checklist and consigned to the bottom drawer. In such a case, ‘non-adherence’ to the Bank’s own policy is a finding you can highlight in your report.
1. Information Technology (IT) Security Policy
2. Business Continuity and Disaster Recovery Policy. This should be at the level of the Data Centre as well as the branches.
3. Escalation policy. Here, the policy spells out in detail how to ensure the seniors are kept abreast of issues/problems.
Risk of Continuity
Data Centre (DC) Set-up
Risk defined: An old building, or one with a non-maintained structure or old electrical connections, or its neighbourhood, may endanger the safety of the computers in the Data Centre.
The Risk discussed: The physical location and condition of the building, and its neighbourhood bearing impact on the DC, are covered here to explore the risks that are currently faced and might be faced in the future, along with caution notes if any. The intention is to explore the assurance of safety of the equipment, implying continuity of service as well as confidentiality of data of the customers and that of the Bank.
Illustrative Checklist points:
1. Building housing the Data Centre should be sound if not new.
2. State of the building and electrical connections should be sufficiently safe and the building should not have a recent record of short circuit triggered fires.
3. If the location of the DC is on the last floor of the building, leakage prevention actions taken to prevent rain leakages should be examined.
4. Is there any high-risk structure next door, like a chemical company, petrol pump etc.?

Management of Data Centre and DR Site
Risk defined: The investment of the Bank in the assets of the Data Centre, comprising the computer hardware and environmental controls, can be protected and exploited only if these are managed prudently.
The Risk discussed: The management of this asset of the Bank has implications on the efficiency and efficacy of the Bank's investment in the Data Centre. Therefore it is of value to evaluate the management practices used to achieve this end. The personnel allocated to this critical department are the ones who determine the smooth functioning of this service to the branches and customers.
Illustrative Checklist points:
1. Does the Bank have an IT Committee which meets regularly and minutes its working?
2. Does the Management Chart of the IT Department display proper division of work with representation of each work centre for each shift? Work Centres in Data Centre are normally: Data Base Administrator, Application Controller, Network/Communications engineer.
3. Is there adequate level of seniority of the team as well as of the Head of the Department? (because the head reports directly to the CEO/MD of the Bank)
4. Is the general rotation policy of the Bank also followed here? There is merit in the rotation system and technical ability/knowledge is no excuse for such a critical policy to be abandoned.
5. Is the staff of the Data Centre involved in the primary function of their appointment? It is often seen that lack of technical knowledge on the part of the senior executives forces the staff to perform other functions of Banking, such as clearing or troubleshooting of clearing on a daily basis. This distracts them from their primary task.

Data Centre Layout & Control
Risk defined: Layout of the Data Centre is critical for the physical access and safety of the Hardware of the Data Centre.

The Risk discussed: The Hardware control of the assets of the Data Centre is one aspect of security and control of the data of the Bank and continuity. Security and environmental protection imply safe and continuous service to the branches and thus, customers.
Illustrative Checklist points:
Physical Access Controls
1. Does the DC have clearly demarcated zones of RED/YELLOW/GREEN status?
2. Is the entrance to the RED Zone (server farm) restricted by a biometric reader?
3. Is there sufficient security to ensure protection of the costly equipment and the equally costly data within?
4. Does the Bank ensure technical inputs of the IT department in the choice of vendor for IT?

Network Security Control
Risk defined: Network management in core Banking environment is critical for the communication with the branches which also translates to the success of core Banking but the failure of which implies low customer service as well as risk of transaction.
The Risk discussed: The Servers at the Data Centre do contain the software as well as data. However, the branches have no use of this data unless it is delivered to them through the network of the Bank. Choice of network providers and their uptime play a crucial role in a good network.
Illustrative Checklist points:

1. Is there sufficient staff to monitor the network round the clock?
2. Does the DC have software that indicates a link is down BEFORE the branch phones to report it? Free or demo versions of monitoring software are commonly used. Some checks are manually driven, such as PING. Manually activated checks are a good assurance of network condition, especially for the secondary / back-up network. To monitor the primary network this way, however, would mean the operator does nothing all day but PING each branch in turn. If such polling is automated, it must be scheduled at a sensible interval: polling every branch too aggressively over thin links eats bandwidth, and the Bank would create its own denial of service.
3. Is network downtime logged, so that a refund can be demanded where the promised uptime is not delivered by the service provider?
4. In case of repeated downtime affecting service, or reliance on a single network making operations risky, does the IT committee contemplate a change and have an evaluation procedure before the change?
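As an added example (not part of the report, and not any vendor's tool), here is the downtime ledger behind checklist points 2 and 3: a small Python script that reads a hypothetical probe log (timestamp, branch, up/down, as a scheduled ping or SNMP poll would write it), books an outage only after two consecutive failed probes so that a single lost reply is not counted, and works out per-branch downtime and uptime percentage against the promised figure. The log lines are constructed sample data.

```python
"""Link-downtime ledger for a hub-and-spoke branch network (added example).

Assumes a hypothetical probe log: one line per reachability check of a
branch link, "timestamp branch up|down", as a scheduled ping or SNMP poll
run by the Data Centre would record it.
"""
from datetime import datetime

# Constructed sample log: one probe per branch every 5 minutes.
# BR001 fails three probes in a row; BR002 drops a single probe.
SAMPLE_LOG = """\
2012-01-10T09:00:00 BR001 up
2012-01-10T09:00:00 BR002 up
2012-01-10T09:05:00 BR001 down
2012-01-10T09:05:00 BR002 up
2012-01-10T09:10:00 BR001 down
2012-01-10T09:10:00 BR002 up
2012-01-10T09:15:00 BR001 down
2012-01-10T09:15:00 BR002 down
2012-01-10T09:20:00 BR001 up
2012-01-10T09:20:00 BR002 up
2012-01-10T09:25:00 BR001 up
2012-01-10T09:25:00 BR002 up
"""


def parse_log(text):
    """Return a list of (timestamp, branch, is_up) tuples."""
    probes = []
    for line in text.splitlines():
        if line.strip():
            ts, branch, state = line.split()
            probes.append((datetime.fromisoformat(ts), branch, state == "up"))
    return probes


def detect_outages(probes, consecutive_failures=2):
    """Map branch -> [(start, end), ...]. An outage opens only after
    `consecutive_failures` failed probes in a row (one lost reply is not
    downtime), is back-dated to the first of them, and closes at the next
    good probe; one still open at end of log closes at the last probe."""
    by_branch = {}
    for ts, branch, up in sorted(probes):
        by_branch.setdefault(branch, []).append((ts, up))
    outages = {}
    for branch, seq in by_branch.items():
        intervals, failures, open_since = [], [], None
        for ts, up in seq:
            if up:
                if open_since is not None:
                    intervals.append((open_since, ts))
                    open_since = None
                failures = []
            else:
                failures.append(ts)
                if open_since is None and len(failures) >= consecutive_failures:
                    open_since = failures[0]
        if open_since is not None:
            intervals.append((open_since, seq[-1][0]))
        outages[branch] = intervals
    return outages


def uptime_percent(outages, window_start, window_end):
    """Uptime per branch over the window, clipping outages to it."""
    total = (window_end - window_start).total_seconds()
    result = {}
    for branch, intervals in outages.items():
        down = sum((min(e, window_end) - max(s, window_start)).total_seconds()
                   for s, e in intervals if e > window_start and s < window_end)
        result[branch] = 100.0 * (1 - down / total)
    return result


def report(log_text, window_start, window_end, promised_percent,
           consecutive_failures=2):
    """Ledger for the window: outages, minutes down, uptime %, and the
    branches whose link fell short of the promised uptime (the evidence
    to attach to a refund claim against the provider)."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    outages = detect_outages(parse_log(log_text), consecutive_failures)
    uptime = uptime_percent(outages, start, end)
    return {
        "outages": outages,
        "downtime_minutes": {b: sum((e - s).total_seconds() for s, e in ivs) / 60
                             for b, ivs in outages.items()},
        "uptime": uptime,
        "breaches": sorted(b for b, u in uptime.items() if u < promised_percent),
    }


if __name__ == "__main__":
    r = report(SAMPLE_LOG, "2012-01-10T09:00:00", "2012-01-10T09:25:00", 99.5)
    for b in sorted(r["uptime"]):
        print(f"{b}: {r['downtime_minutes'][b]:.0f} min down, {r['uptime'][b]:.2f}% up")
    print("SLA breaches:", r["breaches"])
```

The consecutive-failure threshold and the polling interval are the two knobs: together they decide how much probe traffic the DC generates and how quickly a genuine outage is noticed. One ICMP probe per branch every five minutes, as in the sample, is negligible traffic even on a thin link; it is per-second polling of hundreds of branches that becomes the self-inflicted denial of service the checklist warns about.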

Disaster Recovery (DR) and Business Continuity (BC)
Risk defined: Absence of proper DR and BC arrangements creates a continuity risk in case of loss of data from the main server or data storage units of the DC, or of communication between the DC and the branches.
The Risk discussed: Despite best efforts by the Bank and the Bank's vendors, there are circumstances which may render the best of efforts unsuccessful, and the Data Centre may not perform its expected function of connectivity. In such circumstances, if there is a Disaster Recovery (DR) site located away from the Data Centre and conforming to internationally accepted standards, the branches can connect to the DR site and business continuity (BC) is achieved. Some initial points are mentioned below, but detailed coverage is given in a separate section of this report.
Illustrative Checklist points:
1. Does the Bank have a Disaster Recovery Centre as defined in the Bank’s DR and Continuity Policy?
2. Is the DR Centre located in a different seismic zone? A DR Centre in the same city is not a DR Centre but a back-up centre.
3. Is the DR Centre properly manned and if so, are the personnel rotated to ensure they are alert?
4. If the DR Centre is not manned, then what arrangements are made to ensure the DR Centre can be activated remotely?
5. When was the DR Centre last tested, and is there a detailed report comparing actual response time against the expected? Testing the DR Centre at least once a year is a comfortable assurance frequency.

Risk of Confidentiality
Logical Access Control

Risk defined: Application (logical) access control is the second level of control, after physical access, for ensuring safety of data. Various control techniques are available, and the ones implemented have to be evaluated for appropriateness: how does the Bank ensure unauthorized persons do not have access to the application system and database?
The Risk discussed: Since the servers can be reached from physically remote locations on the Bank's network, they must also be secured against access from outside the DC. This control rests on authentication: user IDs tied to individuals, a strong password policy, and prompt revocation when a user's role ends.
Illustrative Checklist points for Logical access Control:
1. Logical access means the USER ID and PASSWORD given to authorized users: staff, auditors, etc.
2. What is the policy for granting a new user ID to newly appointed staff? Does it satisfy you that accidental grant of access is prevented?
3. Are transfers and retirements handled with equal security, to ensure an ex-staff member does not retain access after his period of service?
4. How are passwords granted to temporary users like auditors and software engineers who have come to the Bank for maintenance and trouble-shooting, and are those accounts given an expiry date?
5. Is there a mechanism to ensure one person does not have more than one user ID?
6. Who decides the level of access in the application system? In your opinion, is this the person with the best knowledge to perform this function?
7. Does the application enforce password quality (alphanumeric, preferably with special characters such as @#$%^) and does it enforce periodic change of all users' passwords as per the Bank's policy?
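The points above are easiest to verify with a reconciliation rather than by interview. The following Python script is an added example (not the Bank's or any vendor's code): it reads a constructed HR roster and a constructed application user list, both in a hypothetical CSV layout, and lists the accounts that answer points 2 to 7: ex-staff still enabled, transfers not carried through to the application, one person with several user IDs, temporary accounts past expiry, staff accounts with no HR record at all, and passwords older than the policy maximum.

```python
"""Periodic user-access review for a core banking application (added example).

Reconciles the application's user list against the HR roster. Both inputs
are constructed sample data in a hypothetical CSV layout; a real review
would export them from HR and from the application's user table.
"""
import csv
import io
from datetime import date

HR_ROSTER = """\
emp_no,name,status,branch
E100,A. Rao,active,HO
E101,B. Sen,retired,HO
E102,C. Das,active,BR001
E103,D. Iyer,active,BR002
"""

# emp_no is blank for non-staff; expires applies to temporary accounts only.
APP_USERS = """\
user_id,emp_no,kind,branch,enabled,expires,pwd_changed
arao,E100,staff,HO,Y,,2012-01-02
arao2,E100,staff,HO,Y,,2011-09-15
bsen,E101,staff,HO,Y,,2011-12-20
cdas,E102,staff,BR001,Y,,2011-06-01
diyer,E103,staff,BR001,Y,,2012-01-05
ghost,E999,staff,HO,Y,,2012-01-01
audit1,,temp,HO,Y,2012-01-05,2011-12-28
vendor1,,temp,HO,N,2011-11-30,2011-11-01
"""


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def review(hr_csv, app_csv, today_iso, max_pwd_age_days=90):
    """Return {finding: sorted list of user IDs} as at the review date."""
    today = date.fromisoformat(today_iso)
    hr = {row["emp_no"]: row for row in load(hr_csv)}
    findings = {
        "ex_staff_active": [],         # HR says retired/resigned, account still enabled
        "transfer_not_processed": [],  # HR branch differs from application branch
        "duplicate_ids": [],           # one employee, several user IDs
        "orphan_account": [],          # staff account with no HR record at all
        "temp_expired": [],            # temporary account enabled past its expiry
        "password_stale": [],          # enabled account, password older than policy
    }
    ids_per_emp = {}
    for u in load(app_csv):
        uid, enabled = u["user_id"], u["enabled"] == "Y"
        if u["kind"] == "staff":
            emp = hr.get(u["emp_no"])
            if emp is None:
                findings["orphan_account"].append(uid)
            else:
                ids_per_emp.setdefault(u["emp_no"], []).append(uid)
                if enabled and emp["status"] != "active":
                    findings["ex_staff_active"].append(uid)
                elif enabled and emp["branch"] != u["branch"]:
                    findings["transfer_not_processed"].append(uid)
        elif u["kind"] == "temp":
            if enabled and u["expires"] and date.fromisoformat(u["expires"]) < today:
                findings["temp_expired"].append(uid)
        if enabled and u["pwd_changed"]:
            age = (today - date.fromisoformat(u["pwd_changed"])).days
            if age > max_pwd_age_days:
                findings["password_stale"].append(uid)
    for emp_no, ids in ids_per_emp.items():
        if len(ids) > 1:
            findings["duplicate_ids"].append(emp_no + ":" + ",".join(sorted(ids)))
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, users in review(HR_ROSTER, APP_USERS, "2012-01-10").items():
        print(f"{finding:24s} {', '.join(users) or '-'}")
```

Run against the real exports, each line of output is a question for the person who decides access levels (point 6), and the empty categories are the auditor's evidence that the joiner, mover and leaver processes actually work.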

Server Farm Security and management
Risk defined: Proper server farm management ensures only authorised access as well as an environment conducive to the servers and related hardware located in the server farm.
The Risk discussed: The server farm contains the costly hardware of servers and other networking equipment, in addition to the priceless data of the Bank's account holders. Physical protection and ensuring uptime (continuous service) are the crux of server farm management. This section therefore contains the relevant points in this regard.
Illustrative Checklist points for Server Farm Security Management:
Since authorized physical access is covered in the earlier points, protection of the servers from threats other than unauthorized access is covered here.

1. Is the server room constructed with the right materials? Fireproof material is what the RBI Committee Report on Computer Audit recommends. (The paragraph numbers of the Report are mentioned in the box alongside.)
2. Are temperature and humidity controlled to the hardware vendor's specifications? If exceeded, the hardware may not last its average life span, and continuity of service is endangered.
3. Are a heat-rise detector (found absent in most installations) and a smoke alarm system installed in the server room of the Data Centre?
4. Are the fire extinguishers outside the server room of sufficient size and of the carbon dioxide type? (Remember that the foam type is of no use here, as it corrodes the circuits whenever used. Note also that CO2 displaces oxygen: a CO2 discharge inside a closed server room is an asphyxiation hazard, so staff must be out of the room before it is used.)

Risk of Correctness
Computing Management Security
Risk defined: Computers are mere tools. They have to be managed well, otherwise there is a risk of data mismanagement, wrong processing or even total loss of data.
The Risk discussed: This point deals with the process or methodology adopted by the Bank for proper use of the system. Such points lie 'around' the computer and determine whether the system is executed successfully.
Illustrative Checklist points
1. What is the system for periodic checking of the interest calculated and charged by the Bank? Often the Data Centre believes the Branch is in a better position to do this check, while the Branches believe that since the interest 'run' is performed by the DC, test checking is the DC's responsibility; the check then falls between the two.
2. Whenever interest rates are changed or new products introduced, are they tested on the test server, with the results recorded and stored, and released to the production server only after the intended results are confirmed? It is not uncommon to find last-minute announcements precluding the IT Department from any testing because the new product is to be released within 12 hours. Such untested release is highly risky.
3. Is a 'version change' from the vendor, claiming to have solved all the Bank's problems, tested in detail before installation on the production server?
4. Is there a system for detection of security intrusion? If so, what is the escalation policy? (An escalation policy evaluates the degree of the problem and accordingly updates the next senior person; a more serious problem sometimes requires by-passing the immediate senior.)
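A test check for point 1 means recomputing interest independently of the DC's run. The Python script below is an added example, not the Bank's or the vendor's code. It assumes a daily-product method on a 365-day basis with rate changes effective from their stated date (the Bank's own product parameters govern in practice), and uses constructed ledger lines, a constructed rate table and constructed 'posted' figures. The second account is built so that the posted figure misses the mid-month rate change, which is exactly the class of error an untested rate change produces (point 2).

```python
"""Independent re-computation of interest as an audit test check (added example).

Assumed method: interest for the period = sum over each day of
(closing balance x annual rate) / 365, rate changes effective from their
stated date. Day basis, rate table, ledgers and 'posted' figures are all
constructed assumptions for the example.
"""
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP

# Annual rate in force from each effective date (ascending order).
RATES = [(date(2012, 1, 1), Decimal("0.04")),
         (date(2012, 1, 16), Decimal("0.045"))]

# account -> (balance brought forward on the day before the period, [(date, amount), ...])
ACCOUNTS = {
    "SB001": (Decimal("10000.00"), [(date(2012, 1, 11), Decimal("5000.00")),
                                    (date(2012, 1, 21), Decimal("-3000.00"))]),
    "SB002": (Decimal("50000.00"), []),
}

# Interest the DC's month-end run posted. SB002 was (by construction) run at
# 4% for the whole month, i.e. the rate change of the 16th was missed.
POSTED = {"SB001": Decimal("44.70"), "SB002": Decimal("169.86")}

PERIOD = (date(2012, 1, 1), date(2012, 1, 31))


def daily_balances(opening, txns, start, end):
    """Closing balance for every day in [start, end]."""
    by_day = {}
    for d, amount in txns:
        by_day[d] = by_day.get(d, Decimal(0)) + amount
    balances, balance, d = {}, opening, start
    while d <= end:
        balance += by_day.get(d, Decimal(0))
        balances[d] = balance
        d += timedelta(days=1)
    return balances


def rate_on(rates, d):
    """Annual rate in force on day d: the latest effective date not after d."""
    current = None
    for effective, rate in rates:
        if effective <= d:
            current = rate
    if current is None:
        raise ValueError(f"no rate in force on {d}")
    return current


def period_interest(opening, txns, rates, start, end, basis=365):
    products = sum(bal * rate_on(rates, d)
                   for d, bal in daily_balances(opening, txns, start, end).items())
    return (products / Decimal(basis)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def recompute_all(accounts=ACCOUNTS, rates=RATES, period=PERIOD):
    """Independently recomputed interest per account for the period."""
    return {acct: period_interest(opening, txns, rates, *period)
            for acct, (opening, txns) in accounts.items()}


def check_posted_interest(posted=POSTED, tolerance=Decimal("0.01"), **kw):
    """Accounts where posted and recomputed interest differ by more than
    `tolerance`: [(account, posted, recomputed, difference), ...]."""
    findings = []
    for acct, recomputed in recompute_all(**kw).items():
        diff = recomputed - posted[acct]
        if abs(diff) > tolerance:
            findings.append((acct, posted[acct], recomputed, diff))
    return findings


if __name__ == "__main__":
    for acct, posted, recomputed, diff in check_posted_interest():
        print(f"{acct}: posted {posted}, recomputed {recomputed}, difference {diff}")
```

On the sample, SB001 agrees to the paisa and SB002 is short by 10.96, which is the signature of a rate table that was changed in production without being carried into the interest run. A sample of accounts drawn across products and rate-change dates, recomputed this way each quarter, is a test check that neither the DC nor the Branch can disown.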

Change and Problem Management
Risk defined: Change over the passage of time keeps the Bank in step with present demands; absence of change is the risk of becoming outdated.
The Risk discussed: Since most Banks purchase ready-made application software, there is every possibility that over time the Bank will want changes not available in the delivered application, for reasons ranging from a new service (like ATMs) to a change in regulations. Though changes driven by regulation are generally covered by the vendor under the AMC, a change management policy needs to be developed if not already in place.
Illustrative Checklist points
1. Is a change management policy in place? In the absence of one, the Bank's environment is not conducive to observing shortcomings, and the Bank may be running a high risk and even revenue losses.
2. Is the application software deployed in compiled form, so that its program lines cannot be changed in production? (One check is a periodic comparison of the production binaries and parameter files against a known-good baseline taken at the approved release.)
3. Has the Bank conducted a software audit before installation? Has such an exercise resulted in a 'GAP' report listing the Bank's policy requirements that the software does not meet?
4. Are serious application-software incidents logged, and is action taken with the vendor after investigation has confirmed the settings/parameters?
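Point 2 can be verified rather than asked: keep a digest of every file in the approved production release and compare the tree against it on a schedule, so that any program or parameter file changed, added or removed outside a change record surfaces as a finding. The Python script below is an added example, not part of the report or of any product; its directory layout and file contents are constructed.

```python
"""Integrity baseline for the production application tree (added example).

Record a SHA-256 digest of every file under the install root at the time
of an approved release, then compare the tree against that record later.
Directory layout and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map relative path -> sha256 for every file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_digest(full)
    return digests


def compare(baseline, current):
    """Differences between the approved baseline and the tree as it is now."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline an approved install, then simulate an
    unapproved parameter edit, a stray hotfix file and a deleted library."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/cbs_interest", b"compiled interest module v3.2\n")
        _write(root, "lib/libreport.so", b"\x7fELF reporting library\n")
        _write(root, "conf/params.ini", b"interest_basis=365\n")
        approved = take_baseline(root)
        # The baseline belongs off the server, signed; a JSON round trip stands in here.
        stored = json.loads(json.dumps(approved))
        _write(root, "conf/params.ini", b"interest_basis=360\n")
        _write(root, "bin/hotfix.patch", b"--- fix for 'all problems' ---\n")
        os.remove(os.path.join(root, "lib", "libreport.so"))
        return compare(stored, take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {', '.join(paths) or '-'}")
```

Each line of the comparison should be matched to a change record; whatever is left unmatched is either an unapproved change or a vendor 'version change' that went in without the detailed testing point 3 of the previous section asks for. Keep the baseline where the people who administer the server cannot rewrite it, or the check only confirms what the last person to edit both copies wanted it to say.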

Conclusion
Core banking system audit cannot be ignored because of the new role it plays in the Correctness, Confidentiality and Continuity of the Bank. However, the checks on mitigation of such risks are not too technical for the auditor to verify.




Thursday, January 19, 2012

Index Search


‘Your generation was really a labour intensive one’ remarked my son after reading the financial paper. There was a time when I was proud that he began reading financial papers while his classmates did not even know what paper was subscribed to in their house. But now, after hearing his remark, I was beginning to have my doubts about my pride. In explanation of his remark he elaborated, ‘To compare the standard of living between countries, your generation calculated the cost of a basket of food in each country and made your conclusion’. ‘Today, we have just one dish – a burger – and we arrive at a conclusion so fast’. I had read that news and it did have me seething with frustration as to how such a single dish, so predominantly American, could be a worldwide index, and that too of currency! I distinctly remember that in the first 50 years of independence, when any American asked if the Big Mac was available, I proudly replied that we had such an Indian alternative that the Big Mac would not find any place here. But history had no place for a small Indian’s pride. When I asked my friends in the currency market how the Big Mac achieved such a status, each of them laughed so much that tears were rolling down their cheeks. I really did not know if they were laughing at the concept of this index or at my ignorance. So I made some calls and got myself an appointment with the magazine which had done the survey using Burgernomics.

‘You look older than a Management Finance student on summer training’ spoke the head of the Economics Desk of the Magazine. I introduced myself as an old student re-learning basic economics. He guffawed, confirming that economic theories radically changed every two decades. ‘All I want to know is how the Big-Mac achieved the status of an index’ I went straight to the point. ‘I can explain this easily’ he smiled. ‘We used to spend so much time gathering the prices of the food-basket in each country that by the time we concluded, the prices had changed. So, instead of 16 items in the basket, we all agreed to have one and being a large multinational…’ He trailed off, explaining how the MIS report of just one corporate was food for their research, which could be concluded over a weekend.

‘Did you not consider that a single product index has its disadvantages that may mislead you?’ I asked in genuine concern. With a flourish of his left hand he dismissed my concern, quoting the ‘cost of perfect information’, implying that his exercise would not be too far off the mark. Now I had to jitter him. ‘India is not a beef eating country so you do not have the Big-Mac. But your substitute of the Maharaja Burger also may not be correct.’ Now his sleepy eyes opened. ‘What do you mean?’ he was angry. ‘Even a non-veg like me does not prefer the Maharaja Burger as it tastes too much of potatoes while I am charged for the non-existent meat’ I explained. ‘I would rather eat the Vada Pav as millions of others do’ I dropped the bomb. ‘It is an Indian answer to the burger’ I tried to explain. He was flustered. ‘But … but everything inside the bread is dry while the burger has the Mayo..’ I shook my head like a parent, ‘Are we speaking of food taste or of an index which should be more representative?’ I explained further, ‘While the Maharaja Burger costs $1.62, the vada pav costs 25 cents, making our currency more undervalued than that reported by you.’ Now I had him in my grip as he was visibly sweating.

‘What … what should we do the next time? Monitor Vada Pav for India?’ he asked for my help. ‘If a popular Indian snack is what you are searching for, then you should have picked the bhel’ I was leading him on the road of confusion. ‘The chutney messes my stomach’ he said like a true non-Indian. ‘Are you not interested that the daily consumption of this light snack is more than 5.7 tons in India? It also generates employment for 27,000 persons. With such impressive figures, this light snack deserves heavy attention is what I feel.’ I dropped the anchor in his port of regret. With his head in his hands, he groaned at the prospect of re-calculation. ‘What will you do for the choice of snacks in other Asian countries?’ I needled him. He looked aghast. ‘Burgers are not eaten popularly in many countries’ I explained, introducing him to the really popular snacks in those countries.

I admitted to him that Japan is a country really difficult to understand. Even Frito-Lay did not make any sale there until they introduced squid flavoured wafers. So, he would need an expert on Japan if some snack had to be selected.

‘Why did you not choose another multinational like Coca Cola instead?’ I asked innocently. With his head reeling he tried to focus on my face; ‘Uh’ is all he managed to say. ‘But even there you may perhaps have been misled in India itself.’ I continued. ‘Here, the Ice Gola is more popular and believe me, a whole lot cheaper.’ Now I had him almost prostrate, touching my feet, nearly calling me Guru. ‘What do you suggest we should have done?’ he asked my advice.

‘I think you should have called an expert on food. If you had watched the right channel, you would have found one Mr. Andrew Zimmern who eats the local exotic food. From Mongolia to the interiors of the Amazon forest, he eats the exotic and bizarre. He is more suited to advise you.’ I left with this advice, knowing fully well that the next survey would do away with burgernomics at least. Would they then call it ‘Zimmernomics’ or would they call it ‘Bizarrenomics’? Now that would surely put a TV host in the Economics textbooks for the next generation.




Saturday, January 14, 2012

Sovereign Risk

Every March we are attacked with new circulars from the Central Bank tweaking the definition of Non Performing Asset (NPA), which seems a minor change to the layman but is so complicated to the Bankers and Statutory Auditors that they have to hold seminars and issue guidance notes to ensure the intention and spirit (sometimes conflicting) are executed. Imagine our surprise when events as far away as across three seas have such an impact as to feature in the headlines of all local newspapers. When my son read it, he was curious to compare his college notes on risk with the real world. ‘Dad, for years together, the Bankers considered sovereign risk as low risk. Do you think they will have to re-think the classification in light of the news of today?’ He was referring to the Bankers’ classification of two decades earlier of borrowers either owned by the Government, supported by the Government, or with loans guaranteed by the Government. Bankers considered these as ‘safe’ until of course some events occurred and this was no longer followed, but my son’s text book was not yet updated in this matter. ‘Son, Nigeria and some South American countries had issues of repayment of Bonds and other debts, to which the Bankers had wised up in the last decade of the last century.’ ‘Is the drop of a single alphabet ‘A’ such a big issue?’ he asked. I was tempted to regale him with the well worn cliché of typing a letter with just a single alphabet not working on the machine, but decided against boring him. ‘If triple A is perfection then even a single drop means you are imperfect, and to add insult to injury, these countries are not reaching double A plus from something lower but are being DEMOTED. Demotion is embarrassment to anyone’ I explained my point of view.

‘Hmm…France..’ my son mused aloud. I braced for the impact of his whirring thoughts, which always seem to lead anywhere but the expected. Practically came the first salvo. ‘If this rating drop eventually leads to a drop in currency rates then French perfumes may get as cheap as the American ones and we can use them daily like cologne’. ‘I guess so’ I replied meekly, not wanting to expose my ignorance of perfume snob knowledge, or of the difference between cologne and perfume in the first place. ‘And you too can have the advantage of hosting parties with the world famous French wine and even uncork a champagne or two without much of a dent in your budget’. He was such a caring son as any father would love to have. Now I took off in his direction. ‘France is also known as the fashion capital of the world. So, designer clothes will also be more affordable.’ I snickered, knowing fully well that the single dress of Rs.1.5 lacs would perhaps cost a little less than Rs.1 lac, which would still be unaffordable to the middle class of India.

‘The writing was on the wall for more than a century yet all ignored the fate of France’ thus spoke my intelligent son. ‘Pray, what did the scholars of the world ignore that you have noted in your nascent student age?’ I asked. ‘Have you seen French cuisine?’ he asked. ‘One eats cuisine, one does not look at it’ the foodie in me was now insulted. ‘What I mean is, have you seen the size of the food they put on the serving plate?’ he elaborated. Trying to recall a mental picture, I did admit he was right. Plates were of normal size, but the food, though artistically laid out, was admittedly too small for my palate. I recalled distinctly that it took 3 main courses to fill me up where a single one would have sufficed in an Indian meal. ‘So, nearly a century of such small helpings was a prediction of France entering the class of poor nations’ was the grand conclusion we made at that point. We both recalled the glorious days of Louis XIV and of course Queen Marie Antoinette, who hosted parties which were unparalleled the world over. What a come down for this country is what saddened us.

‘What do the Banks do when a loan account turns non-performing?’ asked my son. ‘I think they sell the asset and recover their dues, like if you default on payment of your car or house, they auction it off’ I educated him. ‘If it is a company then normally it is taken over by another company.’ ‘And if a country is NPA….’ he mused. At that moment, except for my heartbeat, everything screeched to a halt. I just could not think of a reply. ‘Is this the modern way to take over a country?’ he asked in all innocence. Not a bad chain of thoughts, I mused. All that effort in the Second World War taken by Herr Hitler and his troops would have been saved, and he would just have taken over the economy overnight and enjoyed sitting in the French sunset sipping French wine instead of the smoky, dusty war that he had to endure. ‘If this is modern warfare, all you cyber crime detectors were wrong in predicting that the Cyber War is the modern war’ he reminded me of one of my lectures on Ethical Hacking I had given in the recent past. ‘It could also be a fall out of the currency war; when the target was earlier China and the attempts of the US failed, they may have aimed at a softer target now. Ever since the Euro currency became a reality, the US$ felt the heat, especially when the Euro began to be valued more than it and all major invoices out of the US were being quoted in Euros.’ The Foreign Exchange expert in me erupted. ‘You mean this could be a currency war?’ my son opened his eyes wide.

‘While we had earlier equated sovereign risk with no risk or the lowest of risk, what shall take its place?’ my son had to ask the impossible-to-answer question. I could not give an economic answer, though there was a philosophical one: that at the end of one’s life, all risks come to an end.

Though the father and son conversation came to an end there, I still did not have an answer about the status of ‘Sovereign Risk’. I had to phone my Banker friend who was heading the Risk Management Department of his Bank. He laughed and laughed, telling me that no-one uses the term Sovereign Risk anymore. The Eurozone was already in the ICU and now the risk was more Zonal than Country. I was still puzzled, so I asked whom I could ask for a better elaboration.

He answered, ‘Monica Lewinsky knows sovereign risk the best’.

Tuesday, January 10, 2012

Hardship Allowance

‘What role can a strategy management consultant play in designing H.R. packages?’ I asked the CEO of the HR consultancy firm who had called on me in my office at the fag end of the day. He looked so harassed that I feared for his state of mind, concluding that perhaps he had wrongly strayed into my office instead of my neighbor’s in my office complex. ‘It is this new allowance introduced by our country’s airline that has started the snowball of problems even in other sectors’ he cried. ‘How can an allowance of the airline, like overnight allowance to cabin crew, apply to a plastic bucket manufacturer?’ ‘Not that,’ he sobbed, ‘hardship allowance is the one.’ Now I had to do some research on what this allowance was all about. The newspaper of the day (see inset) was a sufficient introduction.

‘So what is the chaos?’ I asked. ‘The list is long’ he answered and rattled off the following:

1. Shift workers in shifts other than the General Shift face the hardship of conveyance, food and sleep. Therefore the first and last shift workers demand hardship allowance.

2. Married men posted out of town in bachelor accommodation face the hardship of cooking on their own and washing their own clothes etc., so they …..

3. Persons forced to work in ‘dry’ areas face the hardship of lack of sleep due to absence of alcohol and thus….

4. Drivers on the payroll of companies also ask for hardship allowance when their boss goes out and they cannot eat from either the subsidized canteen or their favorite restaurant.

5. Bus drivers find it hard to drive during the office rush so…..

6. Airline pilots get rich food on duty and are surrounded by beautiful hostesses, which makes the period of non-duty a hardship; therefore…..

7. Chefs of 5 and 7 star restaurants also have to create and taste artistically cooked and presented dishes every day. The rich food in the long run gives rise to diseases related to rich intake; therefore this hardship should be recognized.

8. Bartenders also face hardship when they have to perform their duty. The smell and taste of so much alcohol goes to their head and yet they have to show they are sober, which is not easy and therefore hard. So…….

9. Bus drivers in Mumbai also demanded an additional ‘Monsoon Hardship Allowance’ since they were taught to drive buses and not to sail them every monsoon in the rivers of Mumbai.

I stopped him, saying ‘I get the drift’. He was now blubbering, ‘The limit is when even in the same chair and same timings, people are asking for hardship allowance just because their boss is harsh and fires them often. They call this hard work. Now my HR budgets are haywire and companies may actually face closure.’

Since it was really not my cup of tea I had to seek time to think and asked him to see me the next day.

After I went home and found the usual complaints of the wife, I realized that now even I need a hardship allowance just to stay married.