2016-10-26
The Bank of Tanzania mandates all external auditors to expand their annual financial reviews to include comprehensive IT system audits for banks and financial institutions, effective from the year ending December 31, 2016. Auditors must evaluate IT governance, system robustness, application controls, data accuracy in financial reporting, and security measures including business continuity, while submitting a detailed standalone IT audit report within three months of each calendar year-end. Financial institutions are responsible for remunerating auditors for these expanded duties under existing regulations, ensuring that certified financial statements accurately reflect credible IT-derived transactional data.
THE GOVERNOR Cable: 41024 "BENKUU" Tel. Gen: 255 22 2234494/7 Dir: 255 22 2233021/22 Facsimile: 255 22 34085 E-mail: governoroffice@bot.go.tz
BANK OF TANZANIA 2 Mirambo Street P.O. Box 2939 11884 DAR ES SALAAM
FA.44/56/02/Vol. II/F.32
October 26, 2016
To all Banks and Financial Institutions
EXTERNAL AUDIT OF INFORMATION TECHNOLOGY SYSTEMS OF BANKS AND FINANCIAL INSTITUTIONS
Section 22(4) of the Banking and Financial Institutions Act, 2006 ("the Act") requires every bank or financial institution to appoint annually an independent auditor approved by the Bank to undertake the annual audit of the relevant bank or financial institution. The auditor so appointed has the right, under section 22(5) of the Act, to submit directly to the Bank of Tanzania (the Bank) such reports as he considers necessary to bring to the attention of the Bank for purposes of improving the operations of banks or financial institutions in the United Republic of Tanzania.
In terms of regulation 10 of the Banking and Financial Institutions (External Auditors) Regulations, 2014 (the Regulations), the external auditor is required to immediately report to the Bank if, during the course of the audit, he becomes aware of:
any serious breach of or non-compliance with the provisions of the Act, the Bank of Tanzania Act, Foreign Exchange Act, Anti-Money Laundering Act, or Regulations, guidelines, circulars or directives issued by the Bank or any other relevant legislation;
any criminal offence involving fraud or other dishonesty committed by a bank or financial institution or any of its officers or employees;
any losses incurred which have caused the bank or financial institution to be undercapitalized;
any serious irregularities which may jeopardize the rights of a depositor or creditor of a bank or financial institution; or
circumstances that make him unable to confirm the ability of the bank or financial institution to settle claims of depositors or creditors out of its assets.
Financial Statements of a bank or financial institution can only be "true and fair" if they are derived from a credible IT system. Therefore, an external audit report should ordinarily contain information on the results of the audit of the institution's IT system.
Under regulation 9 of the Banking and Financial Institutions (External Auditors) Regulations, 2014, the Bank may require an external auditor to submit directly to the Bank such additional information in relation to his audit as the Bank may consider necessary, and to carry out any other special investigation and submit a report on any of the matters arising therefrom.
In view of the foregoing, the Bank hereby instructs all external auditors of banks and financial institutions to conduct audits of banks and financial institutions' IT systems, beginning with the audit for the year ending 31st December 2016 and going forward. The audit shall be conducted as per the attached terms of reference. Accordingly, external auditors shall submit to the Bank a separate report on the IT audit within 3 months after the end of the calendar year, with details as per the terms of reference hereto attached.
Banks and financial institutions shall remunerate the auditors for such additional duties as stipulated under regulation 9(2) of the Banking and Financial Institutions (External Auditors) Regulations, 2014.
Sincerely,
Prof. Benno Ndulu
GOVERNOR
cc: To all External Auditors of Banks and Financial Institutions
TERMS OF REFERENCE FOR EXTERNAL AUDITORS OF BANKS AND FINANCIAL INSTITUTIONS
In addition to the normal financial audit, external auditors shall enhance the scope of their review of IT systems in banks and financial institutions as part of their annual audit. The objective of the expanded scope is to ascertain that financial statements and returns submitted to the Bank of Tanzania are supported by genuine, complete, accurate and properly authorized transactional data. In addition, all income, expenses, lending and deposits should be accounted for.
In this regard, the external auditors will be required to:
review IT governance practices in place to assess their adequacy, including the existence of an IT risk assessment and the role of the IT Steering Committee (if any) and the Board of Directors;
review information systems within the financial institution, including the core banking system, operating systems, applications, databases, servers and networking devices, and confirm whether all systems and applications are robust enough to ensure data integrity, confidentiality and availability;
perform application controls testing, which includes configuration controls, sensitive access and segregation of duties controls, interface controls and data integrity controls, and obtain reasonable assurance on the accuracy and completeness of reports;
review and assess whether balances resulting from all transactions and data processed within the institution's IT system are accurately captured and reported in the institution's General Ledger, the Financial Statements and the Returns submitted to the Bank of Tanzania; and
review IT security controls, including application security, privileged access, audit trails, system monitoring and maintenance, vulnerability assessments and penetration testing, controls over program and system changes, integrity, the systems' ability to recover from unexpected shutdowns, and the ability to recover from a disaster resulting in loss of data. The business continuity practice in its totality should be reviewed.
The external auditors will submit to the Bank, within three months after the close of the calendar year, detailed reports outlining: