
20 APRIL 2018

SCHEDULE I - SCOPE OF WORK FOR IMPLEMENTATION OF EAUDIT

Submitted To:
The First MicroFinanceBank Ltd.
16th & 17th Floors, Habib Bank Tower,
Blue Area, Islamabad.

Submitted By:
Mazars Consulting Pakistan
10th Floor, NIC Building
Abbasi Shaheed Road
Karachi-75530
Pakistan

This document contains information that is proprietary and confidential to Mazars or its technical alliance partners, which shall not be disclosed outside
or duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate Mazars. Any use or disclosure in whole or in part of this
information without the express written permission of Mazars is prohibited.

© 2017 Mazars All rights reserved.


Implementation of Audit Management System
SOW for FMFB-P Bank Limited

Contact Information
For any information or query related to this technical proposal, please contact:

Duncan Rahman
Partner

Mazars Consulting Pakistan

Email: duncan.rahman@mazars.pk

Tel: +92 21 3527 0134

Mob: +92 334 365 5685

10th Floor, NIC Building
Abbasi Shaheed Road
Karachi - Pakistan


Table of Contents

1 Project Implementation Approach
1.1 Project Management
1.2 Delivery Teams
1.3 Project Delivery Phases
1.4 Implementation plan
2 eAudit Overview and FMFB Requirements
2.1 eAudit Modules List
2.2 Technical Architecture and Design
2.3 FMFB Business Requirements
3 Project Financials
3.1 Bill of Quantity
3.2 Billing Plan


1 PROJECT IMPLEMENTATION APPROACH


Mazars’ approach centers on strong Project Management principles that encompass Project
Management Institute (PMI) principles, Mazars Delivery Framework (MDF) and the flexibility
required to manage IT solutions engagement. In recognition of Mazars’ project management
capabilities, the Nationwide Financial Literacy Program (NFLP) was awarded Project of the
Year award in 2012 by PMI.

The Mazars Program and Project Management approach covers features and areas like quality management, risk management, change control, issue management, and configuration management. It manages a project over standard phases: project definition, project plan, project management and control, and closing, with defined entry and exit criteria to ensure built-in monitoring of the project progress.

1.1 Project Management


Mazars Methodology centers on Project Management Office (PMO) overseeing the complete
life cycle of the project delivery. The PMO will provide a single, consistent integrated
approach for managing the overall project with the delivery work streams addressing specific
competencies and completion of the defined tasks.

FMFB is required to appoint a project team from the respective stakeholders, coordinated by a Project Manager who will be the point of contact for the Mazars PMO. The Project Manager will work closely with the Mazars PMO on facilitation and assistance required from FMFB-P. The Mazars PMO will regularly apprise the FMFB Project Manager of the project status, and the FMFB Project Manager will be responsible for disseminating the information to relevant stakeholders within FMFB.

The PMO’s phasing structure is separate from the life cycle work streams and defined as follows:

• Engagement Definition - occurs prior to the official start of an engagement and provides the structure for developing a clear plan and good estimates in support of a proposal. It concludes with a signed Statement of Work or contract and a detailed plan for starting the engagement.

• Mobilize - addresses the detailed planning and set up activities typically performed at the beginning of an engagement. This phase will be initiated as soon as the contract has been finalized and signed and concludes with detailed plans to run the engagement.

• Plan - includes the activities necessary to review, update and finalize prior to full engagement execution.

• Execute & Control - spans most of the engagement and involves the engagement management tracking and updating that takes place while the majority of the life cycle phases are being performed.

• Close - involves those activities necessary to complete transition of responsibilities and to close and complete an engagement.

1.2 Delivery Teams


Mazars proposes a multi-disciplinary group of professionals, working through tightly
coordinated Delivery Teams. Each Team will be working towards meeting the goal of
successfully implementing eAudit application system at FMFB-P. The Delivery Teams for
this assignment are:

[Organization chart: Project Manager; Advisory Panel; PMO; Technical Lead; Functional Lead; Technical Support Team; Functional Support Team; QA Team; Training Team]

• Functional Team – responsible for understanding and documenting the requirements of FMFB-P. The team will be led by an experienced team leader with extensive exposure in implementing Audit Management systems at large-scale banks in Pakistan. The team will work closely with FMFB-P’s audit department to ensure all the requirements are captured and documented.

• Technical Team – responsible for configuring and customizing the eAudit system for FMFB-P. The team will also liaise with the IT department of FMFB-P to propose recommended IT infrastructure for the deployment of eAudit system.

• Quality Assurance – responsible for conducting testing of the customized eAudit system prior to the delivery to FMFB-P. The team will ensure all the functionalities are working as per FMFB-P requirements.


1.3 Project Delivery Phases


To manage the overall project, the project will be broken into five distinct phases, specifically
designed to manage and control the overall project delivery. The following diagram depicts
the overall project phases, which will be managed and coordinated by the PMO.

[Diagram: project delivery phases. Phase labels: Understand, Prepare, Develop, Implement, Support. Activities shown: Establish common understanding; Finalize Project plans; Provide data Templates to FMFB; Gather Static Data from FMFB; Perform Mandatory Customization and Configuration; Conduct Walkthrough; Conduct UAT and users Training; Deploy eAudit; 3 Months Warranty; Annual Support.]

Major Deliverables:

Mazars will be responsible for providing following deliverables under the contract:

1. eAudit – Enterprise Version License for FMFB-P
2. Mandatory Customization and Configuration
3. UAT and End User Training
4. Installation of Audit Software at FMFB-P head office, on Staging Server
5. User Training and Manuals
6. Warranty support for Three (3) months post installation of software on FMFB-P Production Server.
7. Any other as contained in Service Level Agreement.


1.4 Implementation plan


Following is the tentative timeline of the project implementation which will be finalized in consultation with FMFB team upon the start of the
project and will be monitored and updated regularly.

[Gantt chart columns: W-1 to W-13, followed by 03 Months Post Go-live Warranty; schedule bars not shown]

Item | Description | Responsibility | Note
1 | Kickoff Meeting | MZ + FMFB |
2 | Finalization of Project Plan | MZ + FMFB |
3 | Static Data Creation | |
3 | - Provide Data Template to FMFB | MZ |
3 | - FMFB to provide data to Mazars | FMFB |
4 | Mandatory Configuration/Customization | |
4 | - Development of Audit Report, Risk Assessment, Audit Rating Mechanism | MZ |
5 | Provide UAT Server | |
5 | - Provide UAT Server Specification | MZ |
5 | - Arrangement of UAT Server | FMFB |
6 | Installation of eAudit Standard Version with static data provided and mandatory customization | MZ |
7 | eAudit Walkthrough | MZ |
8 | Make Customizations, identified in walkthrough [1] | |
9 | Conduct Training in FMFB Head Office [2] | |
10 | Conduct UAT [3] | MZ |
11 | Arrange Production Server | FMFB |
12 | Installation of eAudit Application at Production Server | MZ |
13 | Go Live | |
14 | Warranty Period | FMFB |
15 | Customization (Non CFL items) | | Customization will be done at the end of warranty period, if required.

[1] Customization timeline depends on the extent of customization; exact timeline will be agreed with FMFB when customization list is finalized and upon walkthrough & UAT.
[2] Mazars recommended training after UAT. However, it is moved before UAT on FMFB request.
[3] Mazars will conduct UAT with FMFB team in one week whereas FMFB can continue UAT for 3 more weeks, if required, with support from Mazars


2 EAUDIT OVERVIEW AND FMFB REQUIREMENTS

2.1 eAudit Modules List


eAudit is an Audit Management Software which is based on international standards and best practices and has been designed and developed by experienced teams of Software Developers, and Internal Audit / GRIC experts, with input and feedback from large financial institutions, audit firms and utility companies. Following is the list of eAudit modules:

• Admin
• Risk Assessment
• Annual Audit Planning
• Engagement Planning
• Audit Execution
• Audit Report
• Audit Follow-up

2.2 Technical Architecture and Design


eAudit uses a Three-Tier architecture, consisting of:
• Presentation Layer,
• Application Layer,
• Data Storage Layer

Each tier is developed and integrated using open-source tools and technologies, selected for their widespread use, ease-of-maintenance, readily available support, and robust performance at all bandwidths. The following diagram depicts a high-level view of the technical architecture of the solution. Each component and technology is described further in the sections below:

[Diagram: high-level technical architecture. Components shown: User Interface (HTML5, CSS3, Javascript, AJAX, jQuery 2.1.x), Application Server, Database, Permissions Manager.]


2.3 FMFB Business Requirements


Following is the list of business requirements which the FMFB Audit and Compliance Departments have prepared and to which Mazars has provided a response. The features against which Mazars has provided a response of “Yes” will be provided with the software based on the conditions mentioned in the remarks.

Audit Department Requirements


S.No. | BRD - Internal Audit Department | Phase | Mazars Response | Remarks
1 | How efficiently the existing annual audit plan could be incorporated after deploying E-audit application in terms of man-days, timings, personnel/staff etc. | Annual Audit Plan | Yes | The audit supports annual planning in terms of man-days, timings, personnel/staff etc.
2 | Whether application can assess risk for Branch Audits, Management Audits, IS Audits etc. | Annual Audit Plan | Yes | Risk Assessment criteria can be setup/performed for Branch Audits, Management Audits, IS Audit etc.
3 | To what extent the software will allow deviation from Audit Plan and who will approve the deviation/exceptions? | Annual Audit Plan | Yes | The deviation in the annual plan is allowed. Any designated personnel like Regional Audit Head etc. can be granted approving rights.
4 | Is there any MIS available of exception / deviation from annual audit plan? | Annual Audit Plan | Partial | Currently audit plan progress report is available. The data is available to generate exception / deviation, therefore the required MIS can be made available.
5 | The deviation/exception will include only unplanned assignments or assignments completed in excessive number of days? | Annual Audit Plan | Yes |
6 | Does leaves of key staffs are captured in the planning module. | Annual Audit Plan | No |
7 | Whether application is able to perform risk assessment based on defined criteria/factors at time of formulation of overall audit plan ? | Annual Audit Plan | Yes |
8 | Whether the application has provisioning to plan the execution of the annual audit plan, date & quarter wise, No of audits, and plan length of time. | Annual Audit Plan | Yes |
9 | Does the Head of Audit (or delegated authorized persons) have access privileges to make necessary amendments? | Annual Audit Plan | Yes |
10 | Does application has the provisioning to track the stage wise tracking of the plan i.e. planning, field work, reporting and follow-up. | Annual Audit Plan | Yes |
11 | Whether application can calculate necessary man-days for each assignment and assign personnel to the audit area / location. | Annual Audit Plan | No | Assignment can be done through application. Man-days is being recorded manually by team lead.
12 | Will system track idle days of idle staff, and whether any report will be generated? | Annual Audit Plan/ Engagement Planning | Yes |
13 | Does application allow to allocate number of personnel needed to complete overall audit. | Annual Audit Plan | Yes |

14 | Does Application have an option available to defer / cancel an Audit Assignment if assignment has commenced. | Annual Audit Plan | Yes |
15 | Will the system be able to perform man-days working on monthly basis ? | Annual Audit Plan | No | Since man-days are being maintained manually, that’s why not able to provide man-days working
16 | How information will be carried forward for the future audits i.e. audit programs, process risks etc. | Assignment planning | Yes | The checklist/audit programs are available for any future use.
17 | How e-audit application will cover audit scheduling functionality i.e Scheduling of audits, Staff resources and tracking of progress against audit plan. | Assignment planning | Yes |
18 | Does application have a provision to change the Assignment Commencement and End date manually to actual & Tentative Date? | Assignment planning | Yes | Authorized person can amend the dates until the Final Audit report has been approved
19 | Does application allows planning schedule facility for multiple selection and assignment of different area. | Assignment planning | Partial | At a given time only one auditable entity/branch can be selected for engagement. Can be marked as 'Partial'. Multiple branches can be audited in parallel. (Bulk Planning)
20 | Assignment of audit staff to field audit on need basis and urgent assignment? | Assignment planning | Yes | Before release of report, further assignments can be added. Team Lead has authority to assign audit staff to Field audit on need basis. Hence no approval is required
21 | What kind of Sampling techniques is being performed by an application? | Assignment planning | Yes | Random and Interval sampling techniques is currently available.
22 | Does Sampling techniques are on the basis of calculations and logics. | Assignment planning | Partial | System do support sampling on the given population. The specific calculations/logics can be discussed and incorporated
23 | What would be the sampling template? | Assignment planning | Yes | Excel based template is available to provide population for conducting sampling
24 | Does application provide facility & template to share the initial requirement list with the Auditee, and during assignment as required? | Assignment planning | No |
25 | Generation of pop-ups and sending follow-up letters and reminders (as per defined timeline in follow-up procedures) to management / senior management | Assignment planning | Yes |
26 | Commencement Memo: - Issuance of memos to management - different formats for different assignments - Pick (on command) units from Annual Audit Plan and audit period to be audited | Assignment planning | Partial | Defined format of commencement memo can be issued. Standard format provided by FMFB will be developed in quotation. Customization required for multiple formats.
27 | Method of issuance of initial requisition (or during audit) to be issued to auditee? | Assignment planning / execution | No |

28 | Whether application can determine when different audit steps under each area are completed, along with its report to applicable personnel for review on dashboard and via automated email alerts, using our existing email system. This will also cover audit progress/completion status. | Dashboard | Yes | The completed areas are available for review by team lead/back office review team. The email alerts can be configured using existing email system.
29 | Whether option is available in system to mark the observations for elevation/review of the Board Audit Committee? What type of view reports (or dashboards) will be available for AC? Will AC have a separate dashboard? | Dashboard | Partial | The required data is available and can be extracted for evaluation/review.
30 | Does system have a provisioning to generate MIS related to commencement Memo issued during the year. | Dashboard | Yes | The required data is available and can be extracted.
31 | Targets versus Actual; Audit assignments planned versus actually conducted on monthly/quarterly basis. | Dashboard | Yes | The required data is available and can be extracted.
32 | Timeframe sheet for all audit assignments? Does eAudit allows calculation of TATs (and Deviations) as per our own formula and allows us to change as and when required? | Dashboard | Yes | The required data is available and can be extracted. Team lead enters actual time spent in working days and man days for audit team.
33 | Executive Summaries (or any other information) for AC, through Dashboard | Dashboard | Yes | The required data is available and can be extracted.
34 | Risk category wise observations categorizing numbers into H/M/L? | Dashboard | Yes |
35 | What would be the workflow for preparation of working papers, Audit Observation Sheet and its review? | Execution | Yes | Initially team member prepares the working paper/audit observation. Later team lead and back office team reviews and approve the working paper and observations.
36 | How application will monitor the status of corrective actions including management responses against each observation? | Execution | Yes | This can be done by uploading Management comments after getting feedback from Auditee. The access is also available for auditee to provide his feedback.
37 | Whether system has provisioning to mark single type of observation i.e. regulatory compliance, internal policy or both etc. | Execution | Yes |
38 | Is the concluded risk available as optional which can be modifiable? | Execution | Yes |
39 | Whether the application contains options for multiple audit programs, i.e audit scope, audit objectives, test, audit reports and total population of all items. | Execution | Yes |
40 | Whether audit trail and record of work performed and completed section is available. | Execution | Yes |

41 | Does automated serial number would be assigned to each observation, which will be helpful in tracking the observation? | Execution | Yes |
42 | Does the system has the provision to delete any observation (from initial or final draft) and whether any MIS of deleted observations will be maintained by the system? | Execution | Yes |
43 | Does the Branch/Area Manager have right to amend/delete audit observation? | Execution | No | Only audit team has rights to amend/delete observation. Auditee can only provide his feedback through management comments, responsible person, target date etc.
44 | Will it be mandatory for Branch/Area Manager to provide comments for each observation? In case of non-provision of response, what will be the system response? | Execution | Yes | On the discretion of Audit Team, the audit report can be released without management comments. Through follow-up module the comments can be obtained after report is released.
45 | Whether all testing (audit workings) will be stored and linked to any work programs. | Execution | Yes |
46 | Does all the links & cross references are system generated and automatic numbering and crossing references based on review of work paper. | Execution | Yes |
47 | Whether application assign unique numbering to set indexing of audit documents i.e. audit procedures, exceptions, findings and other outputs. | Execution | Yes | The documents can be traced through providing system generated unique engagement no.
49 | In case of sending Audit Observation Sheet (AOS) to management for getting responses, Export sheet of findings should not include management responses already received? | Execution | Yes | In case response already provided the respective observation(s) excluded from the sheet.
50 | Observations grid should have attachment Icon. | Execution | Yes |
51 | Is there any option available to extract department wise / function wise working papers (e.g. engagement letter, planning, sampling documents etc.) associated to audit report. | Execution | Yes |
52 | Any provision available for separate folders for working papers of each unit (or audit cluster containing multiple units) and drop-down menu for review of work performed if required? | Execution | Yes |
53 | Upload of complete evidences; nature and size of files since we will not be maintaining working papers in hard form? | Execution | Yes | Evidences can be uploaded and linked to Working Papers
54 | What would be the audit observation follow-up criteria along and its tracking mechanism. | Follow-up | Yes | A Follow-up schedule is available which will send emails to Management and Responsible Persons as per Schedule defined
55 | Whether corrective actions against each observation are mandatory to response. | Follow-up | No | On the discretion of Audit Team, the audit report can be released without management comments. Through follow-up module the comments can be obtained after report is released.
56 | Does the system allow a tracking mechanism and follow-up mechanism for open/follow-up observations? | Follow-up | Yes | Aging report is available for tracking open / follow-up observations. A Follow-up schedule is available which will send emails to Management and Responsible Persons as per Schedule defined
57 | What would be observation closing criteria if a follow-up activity related to that observation has been done? | Follow-up | Yes | Auditor can upload evidence if available.
58 | MIS of follow-up OPEN/CLOSED items? Any template available in system? Review of Follow-up work by Manager & Head Audit? | Follow-up | Yes |
59 | Timelines for receiving responses and elevation to Senior Management? | Follow-up | Yes | Timelines for receiving responses can be entered against each Observation / Recommendation. These can be elevated to Senior Management through Follow-up Schedule
60 | Will the Auditee be able to attach evidences for Closure of observation? Option available for attaching evidences, and mandatory and non-mandatory fields? | Follow-up | Yes |
61 | Who will mark the observation as CLOSED? | Follow-up | Yes | Authorized user from the audit team which can be configured
62 | Does application has the provisioning to generate observation closure reports, its aging with graphical analysis view and long outstanding observations MIS. | Follow-up | Yes | System has the provision of generating aging for outstanding Observations / Recommendations
63 | Does Application have facility to allow region/branch/department/activity/risk-rating wise tracking and follow-up sheet for both (Open/closed) observations?. | Follow-up | Yes |
64 | Does Mobile version of application is available? | IT functional req. | No |
65 | Can application work in Offline Mode? | IT functional req. | Yes | Excel based offline mechanism is available
66 | Does Mazars provide standard, configurable and modifiable Risk Assessment and Audit Planning tailored to the bank’s requirements? | IT functional req. | Yes |
67 | Does application allow APIs to integrate with other application if required in future. | IT functional req. | No |
68 | What kind of License model shall be offered by Mazars. | IT functional req. | Yes | This is perpetual enterprise license for the use of Software only by FMFB-P at any of its locations/branches for its operations without any limitations or restrictions on the number of named and concurrent users.

69 | Can application be integrated with Email | IT functional req. | Yes |
70 | Does application support database level encryption? | IT functional req. | Yes |
71 | Whether application is platform independent i.e. Window/Linux etc? | IT functional req. | Yes |
72 | Authentication mode – LDAP or application should manage credential locally? | IT functional req. | Yes |
73 | Whether user credentials in E-Audit application are salted and having hashing algorithms? (If eAudit application manages locally) | IT functional req. | Yes |
74 | Is re-authentication required, if users access confidential information? | IT functional req. | No |
75 | Whether SSL support feature should be enabled on application? | IT functional req. | Yes |
76 | What kind of MIS facility will be provided? | IT functional req. | Yes | Module wise MIS is available
77 | Does role base matrix is available in the system and who has right to make necessary changes in the role or workflow ? | IT functional req. | Partial | Role base matrix and workflow is available in the system, however end user can not change? Currently end user cannot change roles and workflow. Only Mazars can change it.
78 | What level of Database Support / access shall be given to FMFB? | IT functional req. | Yes | The database will be deployed at FMFB database server. The authorized DBA will have database level access.
79 | Any dependency on hardware. | IT functional req. | Yes | FMFB require to provide server for deployment as per the configuration provided.
80 | Dependency on third party software | IT functional req. | No |
81 | What is the architecture of an application | IT functional req. | Yes | Architecture details are added in SoW.
82 | Does architectural diagram has been shared by Mazars | IT functional req. | Yes | Provided in proposal and SoW.
83 | What is the Bandwidth requirement for an application? | IT functional req. | Yes | Normal usage 128-256kb/s is sufficient. Will require more if large files uploaded as evidence
84 | Does E-Audit compliant with any kind of security standards. | IT functional req. | Yes | Mazars follows Oracle's Java Secure Coding Standards and Guidelines
85 | Has Vulnerability assessment of an application ever been done. | IT functional req. | Yes | Banks where the solution has been implemented (HBL, UBL, etc.) have done their own vulnerability assessments as part of the implementation.
86 | What were the Identified vulnerabilities of an application and whether they have been addressed? | IT functional req. | Yes | As per last vulnerability assessment performed by HBL, no vulnerabilities in application.

87 | Does application support to upload / export all kind of supporting documents i.e. PDFs, audio/ video / MS word, excel, PowerPoint, tif. | IT functional req. | Yes |
88 | Does user can write notes on scanned document and relate to the linked audit steps / audit observation? | IT functional req. | Yes | Scanned document can be uploaded and linked with respective observation.
89 | Does Scanned document will be having referencing and can be identified uniquely. | IT functional req. | Yes | The documents can be traced through providing system generated unique engagement no.
90 | Will it negatively impact any other banking application? | IT functional req. | No |
91 | Does Application have a personal dashboard for each auditor that shows his/her status of all his assignments and other relevant information? | IT functional req. | Yes |
92 | Does Application have a capability to measure & monitor KPI’s of Internal Audit staff individually. | IT functional req. | No |
93 | Does application have a library to store, audit reports, working paper templates, audit programs, etc. | IT functional req. | Yes | System stores audit reports and working papers in database which can be accessed by authorized users.
94 | Do reports can be presented with graphs, charts and other visual presentations? | IT functional req. | Yes |
95 | Does application allow hyperlinking, to provide reference between the source documents, audit plans, and other files? | IT functional req. | Yes | Unclear what is required. eAudit allows uploading and referencing of attachments, supporting documents and evidence files where applicable.
96 | Does application provide standard adhoc reporting template | IT functional req. | No |
97 | Whether Mazars specify capacity planning in term of hardware and data backup for the period specify by FMFB to maintain data. | IT functional req. | Yes | Details already provided previously, storage requirements provided for initial, 1 year data and 3 year recommended data.
98 | Does application offer Audit trail (i.e. user authentication, events, system level changes or data changes) | IT functional req. | Yes | Every activity is being captured in database audit tables
99 | Does application offer role based access control over reports, inquiries, data etc). | IT functional req. | Yes | If user have access on the MIS report, he can view the information available. Role based access is available on the MIS.
100 | Whether multiple users are allowed to made changes in a single document without enabling version controlling feature. | IT functional req. | No | In case of any change, a new version need to be uploaded separately.

101 | Do imported documents could not be overwritten or replaced with existing / current document. | IT functional req. | Yes | The uploaded document cannot be overridden. However, the authorized user can delete any uploaded document.
102 | Whether attachment can be set in read only mode. | IT functional req. | Yes | All attachments are read-only.
103 | Does application support third party encryption software. | IT functional req. | Yes | Unclear what this means. Please specify specific software and purpose
104 | Whether password access management can be aligned with FMFB password access guidelines without initiating request for customization. | IT functional req. | Yes | FMFB Active Directory password policy will be applicable.
105 | Whether Mazars shall provide patches on timely basis, with security patches given the utmost urgency. | IT functional req. | Yes |
106 | Will Mazars provide any help desk mechanism to assist technical support and troubleshoot of installed system? | IT functional req. | Yes |
107 | Mazars will share staff contact details i.e email id, mobile numbers etc. who can be contacted in case of any support required. | IT functional req. | Yes |
108 | Will Mazars provide onsite rapid support based on the criticality of the problem | IT functional req. | Yes |
109 | Does Mazars shall provide technical document for the system and its component. | IT functional req. | Yes |
110 | Does application have at least 4 hierarchy levels? | IT functional req. | Yes | Current levels are Group, Region, District, Entity. Levels can be renamed as required.
111 | Will there be data replication between Production and DR? | IT functional req. | N/A | FMFB IT team will be responsible
112 | How will you ensure HA? | IT functional req. | N/A | FMFB IT team will be responsible
113 | Provision of role switch, role transfer or assigning backup? | IT functional req. | N/A | FMFB IT team will be responsible
114 | How it will be meet regulatory guidelines and Internal audit standards. | Misc. | Yes | Comply with the regulatory guidelines and Internal audit standards and being in used by leading banks of Pakistan since 2004
115 | How this application will cover risk assessment functionality along with provision to remove or add risk categories whenever required? | Misc. | Yes | Provision is available to add/remove risk factors/categories.
116 | How E audit will prepare electronic working papers which may include work papers, audit programs, templates, managers review, logs and review notes/comments etc. | Misc. | Yes | eAudit will prepare electronic working papers, audit programs, templates, managers review, logs and review notes/comments etc. electronically and will be saved in database
117 | How application should comply with SBP outsourcing guidelines. | Misc. | Yes | Comply with the regulatory guidelines and Internal audit standards and being in used by leading banks of Pakistan since 2004.

118 | What kind of after sale support & service will be provided by Mazars. | Misc. | Yes | Complete Support and Maintenance Agreement shared with FMFB.
119 | Does mandatory fields have to be marked with “ * ”. | Misc. | Yes | All mandatory fields in the application are marked with "*"
120 | Please share updated detailed project implementation plan. | Misc. | Yes | It is shared in SoW and further detailed Plan will be shared after project kick-off.
121 | Whether software has the capability to have a database of bank’s applicable policy and procedures, which audit staff can study/review for reference? | Misc. | No |
122 | In case, FMFB has a centralized database/portal of such database of policy/procedures, then will the system be able to access that portal? | Misc. | Yes |
123 | Do scanned documents can uniquely be identified, with audit program step and applicable observations? | Misc. | Yes | The documents can be traced through providing system generated unique engagement no.
124 | Does audit work programs are printable. | Misc. | Yes |
125 | Does application has comprehensive search functionality available. | Misc. | Yes |
126 | How will the system help in compiling IRAF for each unit and consolidated IRAF? | Misc. | Yes | Needs to be discussed; report format to be provided by FMFB
127 | Maintenance and Updation of repository of audit observations? Repository of control deviations / suggestions / policy gaps highlighted in different reports? Also reflecting in Dashboard? | Misc. | Yes | Maintenance and Updation of repository of audit observations is available.
128 | Will the system be able to calculate Net NPL (%age) for unit on monthly basis? | Misc. | Yes |
129 | Auditee Portal: AOS for Branch Manager and Area Manager response; Draft/Final Audit Reports; Follow-up status and updation of responses; Issues filtering for Senior Management meeting; Option for summaries of any types | Misc. | Yes |
130 | Whether any templates for Audit Committee papers is available in the system? Whether reports/analysis for AC can be prepared on defined parameters? | Misc. | Yes |
131 | Rights for development of new and updation of existing audit programs? Frequency for updation of audit programs and compliance / testing sheets? | Misc. | Yes | Audit Programs can be added / updated through the system by the authorized user.
132 | System based signatures? | Misc. | Yes |
133 | Manpower summary (including vacancy status) | Misc. | No |

135 | What would be the standard template of audit reports and whether multiple templates be available? | Reporting | Yes | Existing standard template will be tailored to meet the existing audit report of FMFB.
136 | Whether each work paper’s section includes audit observation, cause, risks, recommendation, management responses, IAD comments etc. which is transformed into an audit report. | Reporting | Yes |
137 | Can any risk be aggregated bank wide with applicable linkages link to the respective departments, processes, audit type? | Reporting | Yes |
138 | Can any particular risk category be aggregated, and MIS be generated? | Reporting | Partial | Risk can be aggregated functional area-wise. This aggregation can be used to assign audit rating
139 | Whether a risk scoring model will be available in system to be able to calculate risk scoring, via risk likelihood, risk impact and over exposure, and whether the system calculated risk can be modified using provision of auditor’s professional judgement? | Reporting | Partial | Default risk is available for respective test. Auditor can override on judgmental basis.
140 | Does application contain graphical representation review by risk groups, risk category etc. | Reporting | Yes | Data is available, hence MIS can be generated on the provided format
141 | Does application has a provisioning to highlight controls/observation against risk i.e. one to many or many to one. | Reporting | Yes |
142 | There should be criteria and calculation of audit rating as per internal audit policy/procedures. | Reporting | Yes | FMFB existing rating mechanism will be discussed and provided.
143 | Does audit observations (in AOS) have link with audit reports for automatic preparation of reports i.e. draft & final reports with applicable watermarks. | Reporting | Yes |
144 | Does auditee have an access to give response against each observation for corrective action plan along with respective timelines? | Reporting | Yes |
145 | Will system has capacity to highlight Repeated observations? | Reporting | Yes |
146 | Closed observation being raised again – can system highlight that? | Reporting | Yes | Authorized user can open closed observation during follow-up. System will highlight it as repeat Observation
147 | How observations will be drafted if audit step is not defined in the checklist/ audit program? | Reporting | Yes | General steps will be provided along with checklist. Later these tests can be made part of the standard checklist.
148 | Right to change the template of Audit Observation Sheet and Audit Report? | Reporting | No |

149 | Can multiple user access the same audit observation sheet for review and comments? | Reporting | Yes | All authorized users of audit team will have access on respective audit observation for review and comments. Multiple users can access and update the observations if assigned.
150 | TATs calculation of audit assignments from the stage of audit commencement till final report issuance? | Reporting | Yes |
151 | Segregation of auditee portal; area/region wise for viewing and correspondence? Confidentiality of each area/region to be maintained? Modification of area/region due to business expansion? | Reporting / Dashboard | Yes |
152 | Since special assignments include fraud investigations are not planned assignments, how the system eAudit would facilitate the execution of such assignment from engagement planning to follow-up? | Fraud / special Investigations | Yes | Such assignments can be added through un-planned assignment option.
153 | Planning, execution and reporting of Crop/Livestock insurance assignment? | other assignments | Yes | All checklist based assignments can be performed through eAudit.
154 | FMFB will deliver observations of previous audits for data conversion into the system. | other assignments | Yes |
155 | User-configurable interface to read data either directly from the core-banking and other management information system database or from a connected data-warehouse in real or near-real time, based on pre-defined rules. | Integration with other MISs | Yes | Available post go-live by July 2018
156 | Data Analytics capability from the perspective of auditing the data. e.g. trend analysis, low/high transaction amount and volume analysis, and other types. | Data Analytics | Yes | Available post go-live by July 2018
157 | Capability of capturing relevant information such as trial balance, historic & economic trends to calculate planning materiality based on data provided from the database. Capability of providing historic view of lost revenue, fraud & forgery losses, other losses recorded as part of internal/external audits, compliance or other inspections. | Data Analytics | | Available post go-live by July 2018
158 | Capability to perform automated test of controls on sample or entire population. Capability to flag exceptions for further investigation based on predefined parameters. | Test of controls | Yes | Available post go-live by July 2018
159 | Capability of flagging suspicious activity, unusual trends & alteration of controls with real time reporting based on predefined rules. | Reporting | Yes | Available post go-live by July 2018
160 | Automated substantive testing such as checking NADRA verisys confirmation, client geo tagging exceptions, land records etc.; | Substantive tests | Yes | Currently eAudit is not integrated with NADRA, but this can be discussed during requirement analysis. As long as geo tags and any other information is part of the transaction record, Mazars can look at defining rules for highlighting these.
161 | Automated comparison of summarized data in core banking / ERP with underlying source data entered or captured via digital entry forms | Substantive tests | Yes | Available post go-live by July 2018
162 | Real time reporting of exceptions to the auditors based on pre-defined rules for discussion and closure with management | Reporting | Yes | Available post go-live by July 2018

Compliance Department Requirements

BRD – Compliance | Mazars Response | Remarks
1 On site review of Branches may cover; | |
- System based Compliance Checklist (covering key areas Banking Operations, Advances, Service Quality & other general areas) | Yes | FMFB to prepare and setup Compliance Checklist
- Real time Testing of checklist | Yes |
- Real time Collection of evidences | Yes |
- Proper soft archival of evidences | Yes |
- System generated report (with option to attach relevant evidences & Annexures) | Yes |
- Area / Region wise Executive summary | Yes |
- System based Compliance Risk Rating (covering four areas Banking Operations, Advances, Service Quality & other general areas) | Yes |
2 Follow-up for ML, Compliance & SBP inspection Reports etc may include; | |
- System based time bound follow up | Yes |
- Open / close triggers | Yes |
- Work flow for follow up (branches may be engaged for follow up through dedicated user IDs) | Yes |
- Branch, Area / region wise summary with open / close status | Yes |
3 Regulatory & Statutory Alerts, SLAs / Agreement expiry etc | |
- Database for alerts | Yes | There may be some customization required which will be determined after analyzing requirements in detail.
- System Based Mechanism for auto generated alerts for timely reporting | Yes |
- Ability to update confirmation status into the system | Yes |
- Department wise reports | Yes |
- Able to calculate delays | Yes |
- Summary of Reports. | Yes |
4 Follow up for Circulars / Memos/SOPs | |
- Database for circular with key requirements, responsible function, timeline given for resolution/implementation | Yes |
- Time line for completion | Yes |
- Compliance Status | Yes |
- Open / close status | Yes |
- Department wise summary, | Yes |
5 Compliance Self Assurance Report (CSAR) | |
- System based collection and consolidation of CSAR from the Branches/ Areas & Head office functions | Yes | Data is available, hence CSAR can be generated on the provided format
- Risk rating of CSAR, | Yes |
- Reporting of Non compliance events | Yes |
- Summary of reports. | Yes | Data is available, hence summary can be generated on the provided format


3 PROJECT FINANCIALS

2.1 Bill of Quantity


Item # | Item Description | Total Price without Taxes | Total Price with Taxes
1 | eAudit License Fee: Non-transferrable Enterprise License for unlimited users within FMFB-P | 3,000,000 | 3,390,000
2 | Implementation of AMS software and all related services: Requirement Analysis and Configuration; Training; Deployment on FMFB-P Staging Server | 500,000 | 565,000
GRAND TOTAL | | 3,500,000 | 3,955,000
3 | Annual Maintenance / Support Fee: Payable at the start of the support year. Begins after end of warranty period. | 480,000 | 542,400

Note:
- Prices quoted above are in Pakistan Rupees and inclusive of all taxes.
- Customization, if required by FMFB-P, will be charged at PKR 10,000 per Man-day.
- Invoices will be sent to FMFB-P according to the following billing plan, and payments are due within 14 working days of receipt of such invoices.


3.1 Billing Plan


Deliverables | % age | Fee Amount (PKR) without Tax | Fee Amount (PKR) with Tax
eAudit License Fee – On contract Signing | 60 | 1,800,000 | 2,034,000
eAudit License Fee – On UAT Sign-off | 40 | 1,200,000 | 1,356,000
Implementation Fee – at the completion of warranty period | 100 | 500,000 | 565,000
Annual Maintenance / Support Fee at the start of support year | 100 | 480,000 | 542,400
