Bank of Japan Head Office

Checklist for Risk Management

IV. Business Operations and EDP



A. General

1. Role of management
Check Points: Specific sample questions
a. Sophistication of operations, and prevention of financial irregularities and EDP problems: Does the management place high priority on the sophistication of operations, and prevention of financial irregularities and EDP problems?
  • Does the management understand the level and reliability of business operations?
  • Is the handing over of important items such as cash and securities by the branch manager/department head to his/her successor precise and accurate?
  • Has the bank strengthened its measures to prevent on-line system problems?
  • Are the sophistication of operations and prevention of financial irregularities and EDP problems clearly reflected in annual policies, the staff performance awards system, and business training?
  • Is due consideration given to staff rotation so that one person is not in the same position for an unduly long period of time?
  • Is the management promoting the automation of business operations?



B. Business Operations

1. Organization and system
Check Points: Specific sample questions
a. Internal rules and manuals: Does the bank have in place internal rules and manuals enabling accurate and timely processing of operations?
  • Does the bank have in place internal rules and manuals that cover cash handling, record-keeping, and double-checking?
  • Does the bank amend internal rules and manuals on business operations in a timely manner?
b. Operation guidelines set by the head office: Are operation procedures uniform throughout the bank under the guidance of the head office?
  • Is there a department in charge of operation guidance?
  • Do branches receive operation guidance regularly?
  • Does the department in charge of operation guidance cooperate with the audit department?
c. Crime prevention measures: Are the bank's crime prevention measures adequate?
  • Are the head office and branch lobbies equipped with surveillance cameras?
  • Does the bank regularly conduct crime prevention drills?
  • Does the bank frequently change cash transport routes?


2. Control of cash and important keys
Check Points: Specific sample questions
a. Cash and certificates: Does the bank have in place a system for handling cash and certificates that effectively prevents irregularities?
  • Does the bank strictly reconcile cash outstanding and certificates with book entries and keep them in a safe/vault?
  • Are dishonored bills strictly handled?
  • Are the causes of any cash overages/shortages thoroughly investigated?
  • Are the staff in charge of supplying cash to CDs (cash dispensers) and ATMs closely supervised?
  • Has the bank introduced an automatic banknote examining system?
b. Important documents and sensitive forms: Are important documents and sensitive forms kept under strict control?
  • Are important documents and sensitive forms kept in strict custody?
  • Are the stocks of important and sensitive forms kept by tellers collated daily with ledgers by managers, and are stocks kept in a safe/vault collated at least monthly?
  • Has the bank established rules for processing marred forms?
c. Important keys and seals: Are important keys and seals always kept under strict control?
  • Are the seals of branch managers and department heads kept under strict control?
  • Are important keys specified?
  • Has the bank appointed specific persons to be in charge of the custody and handling of important keys?
  • Does the ledger controlling important keys correspond with the records for the handing over of important keys to successors by branch managers and department heads?
d. Safes and vaults: Are safes and vaults opened and closed in the presence of at least two officers with appropriate authority, thus ensuring a double-checking system?
  • Are safe/vault combinations kept under strict control?
  • Is there a ledger for the opening/closing of vaults?
  • Are the inside doors of vaults locked during business hours?
  • Does the bank have in place a system whereby (1) the vault and cash boxes kept in it are opened and closed in the presence of at least two officers and (2) no one person may have access to all vault doors and cash boxes?


3. Authorization for exceptional transactions
Check Points: Specific sample questions
a. Managers' authorization card: Is the usage of managers' authorization cards appropriate, and are checks conducted adequately before and after their use?
  • Does the bank use managers' authorization cards to restrict access, within the transaction-processing system, to the processing of exceptional transactions (transactions where exceptions to the daily business rules have been made for the convenience of customers)?
  • Are the users of managers' authorization cards systematically restricted?
  • Is the use of managers' authorization cards recorded in a ledger according to transaction and approved by an authorized officer?
  • Are transactions using managers' authorization cards double-checked each day through printouts by an authorized person?
b. Authorization of overdrafts: Are overdrafts treated as exceptional transactions and authorized under strict control?
  • Are overdrafts approved by managers beforehand and recorded in the overdraft authorization ledger?
  • Are interest rate guidelines regarding overdrafts established, and are overdrafts that are de facto loans approved by managers beforehand?
  • Does the bank regularly monitor and review the business performance of customers to whom an overdraft payable through check and bill clearing is permanently approved?
c. Expedient treatment: Is expedient treatment carefully conducted based on the principles of keeping a comprehensive record and early completion?
  • Is expedient treatment (any special accommodations, e.g., cash payments without authorized seals) recorded and given prior approval by managers?
  • Does the bank encourage early completion of any special accommodations?
  • Are cash deliveries and fund transfers in response to telephone requests conducted based on the principle of prior withdrawal from customer accounts and same-day completion?


4. Other operations
Check Points: Specific sample questions
a. Operations handled by the liaison division: Are delivery and receipt of cash and securities strictly conducted between the liaison division and the customers and bank cashiers?
  • Are the issuance and collection of receipts under strict control?
  • Is cash collected by the liaison division accurately handed over to a bank cashier through delivery and receipt ledgers?
  • Are bankbooks, CD cards, and certificates received after the closing of accounts kept in the custody of managers and processed the following day?
  • Do branch managers monitor and check bankbooks and certificates deposited for an excessive period of time?
b. Cancellation codes and CD cards: Does the bank promptly set and clear cancellation codes (e.g., stops placed on bankbooks and cards reported lost or stolen)? Are CD cards always kept under strict control?
  • Does the bank promptly set and clear cancellation codes and process the reissuance of bankbooks and CD cards?
  • Are CD cards in branch custody kept under strict control?
  • Are identification codes (PINs) for CD cards kept under strict control?
c. Special deposits and receivables/payables: Is there a possibility of special deposits and receivables/payables being used to disguise de facto credits and financial irregularities?
  • Are special deposits and receivables/payables frequently used to book items that should be processed under other accounts?
  • Is the handling of de facto credits, such as the issuance of cashier's checks (checks drawn by the bank on itself) that are payable through check and bill clearing, strictly limited?
  • Are de facto credits approved by the branch manager or head office department head?
  • Does the bank monitor the accounting of special deposits and receivables/payables and check transactions that are not processed for a long period thereafter?
d. Advance payments arising from money transfers: Does the bank consider the credit risk accompanying advance payments arising from money transfers?
  • Does the bank receive in advance all necessary request forms for advance payments arising from money transfers from customers?
  • Are funds to be transferred secured on the business day previous to the specified transfer date by using such methods as pooling funds in special deposits?
  • Does the bank regularly examine the credit standing of customers requesting money transfers and terminate contract renewal when necessary?



C. EDP Risk (Including High-Priority Distributed [Client/Server] Systems and PC Systems Not Linked to the Networks [Stand-Alone PCs])

1. Organization and systems
Check Points: Specific sample questions
a. Internal rules and manuals: Does the bank have in place internal rules and manuals concerning planning, development, and operation of EDP systems?
  • Does the bank have internal rules and manuals concerning the planning, development, and operation of EDP systems?
  • Does the bank review its internal rules and manuals in line with actual business operations?
b. Segregation of duties and job description: Does the bank segregate duties and clarify job descriptions?
  • Does the bank clearly define job responsibilities and persons in charge?
  • Does the bank segregate the planning/development function from the operations function?
  • Does the bank segregate computer operators, data receipt/input operators, and librarians?
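The segregation rules in C.1.b (planning/development apart from operations; computer operators, data input operators and librarians apart from one another) and the dual-control rule for vaults in B.2.d (no single person may hold access to every vault door and cash box) can both be verified mechanically against a table of who holds which duty or credential. The following Python script is an added example written for this page; it is not part of the Bank of Japan checklist. The role names, credential names, person names and the assignment tables are all constructed for the illustration.

```python
"""Segregation-of-duties check over a duty/credential assignment table.

Added example, not from the Bank of Japan checklist. It models two of the
checklist's controls as data and tests assignments against them:

  * C.1.b -- planning/development must be segregated from operations, and
             computer operators, data input operators and librarians from
             one another;
  * B.2.d -- no single person may hold access to every vault door and cash
             box, so two officers are always needed to open the vault.

Duty names, credential names, person names and tables are constructed.
"""

# Pairs of duties that must never be held by the same person (C.1.b).
CONFLICTING_DUTIES = [
    ("planning_development", "operations"),
    ("computer_operator", "data_input"),
    ("computer_operator", "librarian"),
    ("data_input", "librarian"),
]

# Credentials that together open the vault and its cash boxes (B.2.d).
VAULT_CREDENTIALS = {"vault_outer_key", "vault_inner_combination", "cash_box_key"}


def find_duty_conflicts(assignments):
    """Return (person, duty_a, duty_b) for every forbidden combination held.

    `assignments` maps a person to the set of duties/credentials they hold.
    """
    conflicts = []
    for person, held in sorted(assignments.items()):
        for a, b in CONFLICTING_DUTIES:
            if a in held and b in held:
                conflicts.append((person, a, b))
    return conflicts


def find_sole_vault_access(assignments):
    """Return the people who alone hold every credential needed to open the
    vault and its cash boxes, i.e. who could bypass the two-officer rule."""
    return sorted(p for p, held in assignments.items() if VAULT_CREDENTIALS <= held)


def check_dual_control(assignments):
    """True when the vault credentials are held by at least two people and
    nobody holds the complete set, so no opening can occur without two
    officers present."""
    holders = {p for p, held in assignments.items() if held & VAULT_CREDENTIALS}
    return len(holders) >= 2 and not find_sole_vault_access(assignments)


def audit(assignments):
    """Run both checks and return human-readable findings."""
    findings = [f"{p}: holds both {a} and {b}"
                for p, a, b in find_duty_conflicts(assignments)]
    findings += [f"{p}: can open the vault and cash boxes alone"
                 for p in find_sole_vault_access(assignments)]
    return findings


# Constructed assignment table with three deliberate violations.
SAMPLE_ASSIGNMENTS = {
    "Sato": {"planning_development", "operations"},            # C.1.b conflict
    "Suzuki": {"computer_operator", "librarian"},              # C.1.b conflict
    "Tanaka": {"data_input"},
    "Ito": {"vault_outer_key", "vault_inner_combination", "cash_box_key"},  # B.2.d
    "Watanabe": {"vault_outer_key"},
}

# The same vault credentials split between two officers (B.2.d satisfied).
FIXED_VAULT_ASSIGNMENTS = {
    "Ito": {"vault_outer_key", "cash_box_key"},
    "Watanabe": {"vault_inner_combination"},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_ASSIGNMENTS):
        print(line)
    print("dual control (sample):", check_dual_control(SAMPLE_ASSIGNMENTS))
    print("dual control (fixed): ", check_dual_control(FIXED_VAULT_ASSIGNMENTS))
```

Run against an export of the actual role and key ledgers, a check like this turns the checklist questions into a repeatable audit step rather than a one-off interview; the conflict table is the part an auditor should review and sign off, since an omitted pair is a silent false negative.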
c. Staff training: Does the bank conduct staff training programs and give consideration to job rotation?
  • Does the bank conduct staff training on a regular basis?
  • Does the bank conduct job rotation (both within and outside the systems division) periodically?
  • Does the bank conduct staff exchanges between planning/development sections and user sections?
d. Management of subcontractors: Is there a possibility that lax controls on subcontractors will trigger illegal conduct such as leaking confidential information, fraud, or other problems?
  • Does the master contract clearly define the duty of confidentiality?
  • Is access to important data limited with respect to subcontractors?
  • Does the bank monitor the progress of subcontracted work and examine goods and supplies?
e. EDP system auditing: Does the bank have in place an auditing system, and is the system applied effectively?
  • Is the EDP audit section independent from other sections?
  • Are audits conducted according to prearranged plans?
  • Are audit results reported to management?


2. Crime and disaster prevention measures, and backup system
Check Points: Specific sample questions
a. Crime prevention measures: Does the bank take measures to prevent unauthorized entry of persons, or entry of persons with dangerous objects, into the computer center and rooms?
  • Is authorization to enter checked when persons enter and leave the computer center/rooms?
  • Are important keys (e.g., keys to computer rooms and to the magnetic tape [MT] library) strictly controlled?
  • For security, does the bank conceal the location of computer rooms and the MT library?
b. Disaster prevention measures: Does the bank take measures to minimize damage to computer equipment in the event of disasters such as fire and earthquakes?
(1) Fire prevention measures
  • Are the computer center/rooms and MT library fireproof?
  • Does the bank have in place fire alarms and extinguishers?
(2) Earthquake prevention measures
  • Are the buildings that house the computer center/rooms and MT library structurally sound?
  • Does the bank take measures to prevent computer equipment from moving about or falling over?
(3) Water leakage prevention measures
  • Does the bank take measures to prevent water leakage?
  • Does the bank have in place a water leakage detector?
c. Backup system: Does the bank take measures to minimize the impact of system breakdown?
(1) Systems and lines
  • Does the bank have in place substitute computers, peripheral equipment, communications devices, and terminal devices?
  • Are major network lines duplicated?
  • Does the bank have a hot-standby system?
(2) Important software and data files
  • Does the bank have backups of important software and data files (including those managed by PCs)?
(3) Electric power
  • Does the bank have in place an electric power generator for backup?
  • Is the generator regularly inspected?
d. Recovery system: Does the bank clearly define delegation of responsibility and procedures in emergencies?
  • Does the bank have in place internal rules and manuals for the computer center and branches in the event of system failure?
  • Does the bank conduct regular emergency drills in divisions operating computers?


3. System planning and development
Check Points: Specific sample questions
a. Planning and approval procedures for automation proposals: Does the bank have appropriate planning and approval procedures in line with management policy? Are the opinions of the related divisions reflected in the procedures?
  • Are the planning and approval procedures with respect to development proposals clearly defined?
  • Are proposals to change the production system implemented after full discussion and approval according to fixed procedures?
  • Does the bank compile medium- and long-term development plans?
  • Does the bank have in place an interdepartmental deliberation group to discuss development proposals such as an EDP committee?
b. Development management: Does the bank fully monitor development projects and appropriately control their progress?
  • Are staff in charge and their responsibilities in each development project clearly defined?
  • Is the progress of development projects monitored and controlled?
  • Is the progress of development projects regularly reported to management?
c. Standardization: Does the bank define development procedures in detail in manuals and ensure that they are understood by concerned parties?
  • Are full specifications made available for system development projects?
  • Are specifications standardized in format and content?
d. Testing: Is the reliability of the system fully secured by conducting running tests and reviews as planned?
  • Has the bank, through sufficient testing and review, succeeded in preventing system shutdowns that might affect customers and serious miscalculations in the risk management data used for management decisions?
  • Has the bank compiled testing plans?
  • Does the user section participate in the running tests?


4. Management of operations
Check Points: Specific sample questions
a. Normal operations: Are operations carried out according to a prescribed work schedule?
  • Are operations carried out according to approved work schedules and directions?
  • Does the responsible officer check operating records such as work logs?
  • Does the bank have in place an operation system run by an appropriate number of staff members?
b. System problems: Does the bank record system problems and promptly design countermeasures to prevent recurrence?
  • Does the bank record problems on incident slips and report them?
  • Does the bank trace the cause of each problem and take countermeasures to prevent recurrence?
  • Does the bank regularly analyze the nature of problems?
c. Magnetic tapes (MTs): Does the bank keep, deliver, and receive MTs strictly in accordance with handling procedures?
  • Does the bank strictly control entry into and exit from the MT library?
  • Does the bank compile MT ledgers and delivery/receipt records?
  • Does the bank regularly check the stocks of MTs?
d. Restrictions on file access: Does the bank prevent leakage of confidential information and tampering with data by restricting access to the transaction data and program library recorded on the magnetic disks of the production system?
  • Does the bank restrict access to data files?
  • Are production programs registered and run only after approval?
  • Are the data of important files encrypted?
e. Equipment: Does the bank have measures in place to prevent failures by promoting regular inspections of equipment and reports of operation?
  • Does the bank conduct regular inspection of equipment at the computer center?
  • Is the operational status of equipment reported to supervisors?
  • Does the bank have a maintenance support contract with manufacturers for the accounting system and major information systems?


5. Measures to prevent illegal use
Check Points: Specific sample questions
a. Internal systems: Does the bank have measures in place to prevent illegal use of terminals and transmitted data on important internal on-line systems?
  • Is the user's identification confirmed when using terminals?
  • Does the bank restrict the range of transactions effected on the terminals of EDP systems, and has the bank adopted an approval procedure for exceptional transactions?
  • Are important transmitted data encrypted?
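Items B.3.a (managers' authorization cards restricted to authorized users, every use recorded per transaction in a ledger and approved by an authorized officer, and transactions double-checked each day against printouts) and C.5.a (terminal users identified, the range of transactions per terminal restricted, exceptional transactions subject to an approval procedure) describe an end-of-day reconciliation that can be automated. The Python script below is an added example for this page, not part of the Bank of Japan checklist; the record layouts, role limits, card-holder table, names and the day's sample transactions and ledger entries are all constructed for the illustration.

```python
"""End-of-day reconciliation of exceptional transactions against the
managers' authorization-card ledger.

Added example, not from the Bank of Japan checklist. It models checklist
items B.3.a (card use restricted, recorded per transaction, approved by an
authorized officer, double-checked daily) and C.5.a (terminal users
identified, transaction range per role restricted, approval procedure for
exceptional transactions). Record layouts, limits, names and the sample
day's data are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Ceiling per role on what a terminal user may process without a manager's card.
ROLE_LIMIT = {"teller": 1_000_000, "manager": 10_000_000}

# Card id -> the officer authorized to use that card (constructed table).
CARD_HOLDERS = {"MC-01": "Sato", "MC-02": "Ito"}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    operator: str            # identified terminal user
    role: str
    amount: int
    exceptional: bool        # exception to daily business rules (e.g. no seal)
    card_id: Optional[str]   # manager's card presented at the terminal, if any


@dataclass(frozen=True)
class LedgerEntry:
    txn_id: str
    card_id: str
    approver: str


def reconcile(transactions, ledger):
    """Return a sorted list of (txn_id, finding) for every control failure."""
    by_txn = {e.txn_id: e for e in ledger}
    findings = []
    for t in transactions:
        needs_card = t.exceptional or t.amount > ROLE_LIMIT[t.role]
        if needs_card and t.card_id is None:
            findings.append((t.txn_id, "exceptional/over-limit transaction processed without a manager's card"))
            continue
        if t.card_id is None:
            continue                      # routine transaction, nothing to reconcile
        entry = by_txn.get(t.txn_id)
        if entry is None:
            findings.append((t.txn_id, "card used but no ledger entry"))
            continue
        if entry.card_id != t.card_id:
            findings.append((t.txn_id, "ledger records a different card than the terminal"))
        if CARD_HOLDERS.get(entry.card_id) != entry.approver:
            findings.append((t.txn_id, f"card {entry.card_id} not held by approver {entry.approver}"))
        if entry.approver == t.operator:
            findings.append((t.txn_id, "operator approved their own transaction"))
    seen = {t.txn_id for t in transactions}
    for e in ledger:
        if e.txn_id not in seen:
            findings.append((e.txn_id, "ledger entry without a matching transaction"))
    return sorted(findings)


# Constructed day: one clean routine item, one clean card use, four failures.
SAMPLE_TRANSACTIONS = [
    Transaction("T001", "Tanaka", "teller", 300_000, False, None),       # routine
    Transaction("T002", "Tanaka", "teller", 2_500_000, False, "MC-01"),  # over limit, properly approved
    Transaction("T003", "Tanaka", "teller", 150_000, True, None),        # exceptional, no card
    Transaction("T004", "Suzuki", "teller", 90_000, True, "MC-02"),      # card used, not in ledger
    Transaction("T005", "Sato", "manager", 400_000, True, "MC-01"),      # approved by the operator
    Transaction("T006", "Suzuki", "teller", 5_000_000, False, "MC-02"),  # approver is not the card holder
]
SAMPLE_LEDGER = [
    LedgerEntry("T002", "MC-01", "Sato"),
    LedgerEntry("T005", "MC-01", "Sato"),
    LedgerEntry("T006", "MC-02", "Suzuki"),
    LedgerEntry("T099", "MC-02", "Ito"),   # approval with no transaction behind it
]

if __name__ == "__main__":
    for txn_id, finding in reconcile(SAMPLE_TRANSACTIONS, SAMPLE_LEDGER):
        print(f"{txn_id}: {finding}")
```

The check only has value if the terminal log and the card ledger come from independent sources (the host's transaction journal versus the branch's approval ledger); reconciling a ledger against a report derived from that same ledger cannot detect an unrecorded card use, which is the case B.3.a is most concerned with.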
b. Customer link services: Does the bank have measures in place to prevent fraudulent conduct in fund transfers conducted through direct links between customer terminals/computers and the bank's computer?
  • Does the bank analyze customer suitability and reliability before entering into a contract?
  • Are customers identified using security codes?
  • Does the bank have in place measures to prevent security code leakage?
  • Is the amount of fund transfer per transaction limited?
c. New services: When offering new services using new information technology, does the bank analyze the inherent risks and implement countermeasures?
  • Is user identification confirmed for telephone banking services?
  • Is the bank equipped with security measures for fund transfer services using the Internet?
d. Computer viruses: Does the bank have countermeasures against infection of important PC systems by malicious programs such as computer viruses?
  • Does the bank clearly define operating rules such as prohibiting usage of unidentified programs?
  • Does the bank utilize virus detection programs?


