Rfp is audit-201300000000-0000-0

UNION BANK OF INDIA
REQUEST FOR PROPOSAL (RFP)
For IS Audit of Different Information Systems
Commencement of issue of RFPs : 13th
September 2012 at 1100 hours
Last Date for submitting queries : 19th
September 2012 till 1700 hours
Last date for receipt of Responses : 4th
October 2012 at 16.00 hours
Opening the technical proposals : 4th
October 2012 at 16.00 hours
Fees for RFP document (non-refundable) : Rs. 10,000.00
Bid Security : Rs. 5.00 Lakh
1

2
TABLE OF CONTENTS
1. SECTION I: INTRODUCTION : 4
1.1. ABOUT THE BANK : 4
1.2. PURPOSE OF RFP : 4
2. SECTION II:ELIGIBILITY CRITERIA 4
2.1. THE SERVICE PROVIDER SHOULD 4
2.2. THE SERVICE PROVIDER SHOULD NOT 5
2.3. SUPPORTING DOCUMENTS TO BE SUBMITTED: 5
3. SECTION III: SYSTEMS DESCRIPTION 6
3.1. DIFFERENT INFORMATION SYSTEMS : 6
I. CORE BANKING RELATED SYSTEMS: 6
II. IMPORTANT SYSTEMS HOUSED IN DATA CENTRE: 7
III. SYSTEMS HOUSED OUTSIDE DATA CENTRE: 8
3.2. OUTSOURCED ACTIVITIES : 8
4. SECTION IV : SCOPE OF WORK: 9
4.1. SCOPE OF WORK RELATED TO IS AUDIT: 9
4.2. AUTOMATED CONTINUOUS 100% TRANSACTION AUDIT : 12
4.3. CAATS : 13
5. SECTION V : TERMS OF EXECUTION OF WORK: 13
6. SECTION VI: TERMS AND CONDITIONS: 14
6.1. BID PRICE: 14
6.2. BID SECURITY: 14
6.3. CLARIFICATIONS ON THE RFP: 15
6.4. TWO PART OFFER: 15
6.5. NO ERASURES OR ALTERATIONS: 16
6.6. VALIDITY : 16
6.7. TECHNICAL PROPOSAL: 16

3
6.8. COMMERCIAL PROPOSAL: 17
6.9. PRICE COMPOSITION: 18
6.10. PAYMENT OF OTHER EXPENSES: 18
6.11. EVALUATION PROCEDURE: 18
6.12. RIGHT TO ALTER QUANTITIES 19
6.13. NO COMMITMENT TO ACCEPT LOWEST OR ANY TENDER 19
6.14. ROTATION OF AUDIT TEAM 19
6.15. PRICE FREEZING 19
6.16. PAYMENT TERMS 19
6.17. CANCELLATION OF THE ASSIGNMENT 20
6.18. LIQUIDATED DAMAGES 20
6.19. RFP OWNERSHIP 20
6.20. PROPOSAL OWNERSHIP 20
6.21. CONFIDENTIALITY 20
6.22. DISCLAIMER 21
7. SECTION VII: RFP RESPONSE FORMATS 22
A. FORMAT – I: LETTER TO THE BANK ON THE SERVICE PROVIDER’S LETTERHEAD 22
B. FORMAT – II: SERVICE PROVIDER PROFILE 23
C. FORMAT – III: CV OF PROFESSIONAL PERSONNEL 24
D. FORMAT – IV: REFERENCES OF IS AUDITS DONE FOR BANKS. 25
E. FORMAT –IV: REFERENCES OF CORE BANKING APPLICATION AUDITS DONE FOR
BANKS. 25
F. FORMAT – V: PROPOSED METHODOLOGY & WORK PLAN 26
G. FORMAT – VI: COMMERCIAL OFFER 27
H. FORMAT – VII: UNPRICED COMMERCIAL OFFER 29
Annexure I 31
Annexure II 33

4
1. Section I: Introduction :
1.1. About the Bank :
Union Bank of India,(the BANK) is a leading Nationalised Bank having its Central
Office at Mumbai, having it’s operations across India and International presence in
Hongkong. The Bank is engaged in banking activities. The Bank caters to its
customers from all fields, through its 3200+ branches, 4200+ ATMs and various
delivery channels. It has implemented a Centralised (CORE) Banking Solution with
Data Centre at Mumbai, DR site at Bengaluru and Near site at Mumbai. All the
branches are connected to the Data Centre, through a Wide Area Network by
leased lines / ISDN Lines / VSATs / GPRS.
1.2. Purpose of RFP :
This RFP seeks to engage a Service Provider who has the capability and experience,
to conduct the following:
Conducting Information Systems Audit including Application audit of Core Banking
Solutions and to make appropriate recommendations, as covered under the Scope
of Work. Carrying out risk analysis of all IT assets of the Bank and preparation of
Risk Matrix based on Guidelines issued by RBI and Govt. of India.
Giving scope document, guidelines and devising framework for continuous audit of
100% Transactions.
Providing scope document for procurement of CAATs and providing guidelines for
selection and use of CAATs by in-house IS Audit team.
The aim of the RFP is to solicit proposals from qualified bidders for undertaking
above detailed assignments. Interested eligible bidders may download the RFP from
Union Bank of India website www.unionbankofindia.com - Tenders/Bids/Auction or
from Govt. of India web site www.tenders.gov.in.
2. Section II:Eligibility Criteria
Only those service providers who fulfill the following criteria are eligible to
respond the RFP. Offers received from the service providers who do not fulfill all
or any of the following eligibility criteria are liable to be rejected.
2.1. The service provider should
i. be a current legal entity (Company /Firm /Organization/ independent
subsidiary) in India.
ii. be in business of Information System auditing in India at least for last
three years.
iii. be having an average annual turnover of Rs. 50 (fifty) crore or more for
each of the last three financial years
iv. be in net profit in at least two years out of last three financial years.
v. have conducted two Information System audits of data centers and
other IT Infrastructure of banks in India (including all the following

5
aspects), connected with a minimum 1000 branches, in any of the past
three years:
a) Vulnerability assessment of servers/security equipment/ network
equipment;
b) External attack and penetration test of equipments exposed to outside
world through internet;
(Conduct of audit of any one activity will not make the bidder eligible
to participate)
c) should have conducted application audit of Core Banking Solution in at
least one Bank with a minimum 1000 branches;
vi. have minimum 6 professionals with CISA/ CISM/ CISSP or similar
qualifications, who have associated/conducted at least one IS audit of
banks specified under sub-point 2.1.v above and should be on
permanent roll of the organization
2.2. The service provider should not
i. be a vendor for Software and/or Hardware components of the Bank at
Primary Data Center, Treasury and/or their respective DR Sites.
ii. be involved in implementing or managing Security and network
infrastructure of the Bank at Primary Data Center, Treasury and/or their
respective DR Sites.
(If involved in any specific activity which does not affect auditor’s
independence for current audit assignment may be considered at the
discretion of the Bank).
iii. have been blacklisted, as on the date of tender submission, by any
nationalised Bank / RBI /IBA or any other Central / State Government
department / agency.
Note: The service provider must comply with all the above mentioned criteria.
Non-compliance of any of the criteria will entail rejection of the offer summarily.
Photocopies of relevant documents/certificates should be submitted as proof in
support of the claims made. The Bank reserves the right to verify/evaluate the
claims made by the vendor independently.
2.3. Supporting documents to be submitted:
• Copies of certificates of Registration, Incorporation and commencement
of business, etc., as the case may be.
• Copies of the audited and published Financial reports for the past three
financial years.
• Letters from the organizations for which the service provider had
conducted Information Systems audit during past three years (the scope
of the assignment should have been clearly mentioned).
• Letters from the organizations for which the service provider had
conducted Core Banking Application Audit during past three years (the
scope of the assignment should have been clearly mentioned).
• Copies of the CVs of the Information Systems Audit professionals (CISA,
CISM, CISSP etc.,) as per the prescribed format.
• Self-declaration and certification to confirm compliance of “should
nots.”

6
3. Section III: Systems Description
3.1. Different information systems :
The Bank has different information systems, which are bifurcated into three
broad categories, as follows:
I. Core Banking related Systems:
Bank implemented a Centralized Core Banking Solution (CBS) and in the
process established Primary Data centre at Powai Mumbai, Near site at
Nariman Point, Mumbai and DR site at Bengaluru.
Bank has set up an Enterprise Wide Network covering all its 3200+
branches and offices spread across the country. The modes of
connectivity to the branches/offices are a combination of MPLS, leased
lines, ISDN Lines, VSATs, Radio frequency and other forms of
connectivity.
The Data centre houses multiple servers which connect to the enterprise
wide network, hold the critical Core Banking application and database
of financial and non-financial information pertaining to customers of the
Bank.
Along with CBS, Bank has also set up systems like ATM, Internet Banking,
Tele Banking, Mobile banking, SMS alerts, etc., electronic delivery
channels for providing customer service. All types of electronic delivery
channel Systems are seamlessly integrated with the Core Banking
systems, observing IT security norms.
Bank has 4200+ ATMs. All the ATMs of the Bank are connected to Bank’s
ATM Switch, which in turn, is integrated with Core Banking Systems.
Banks’ ATM switch is connected to NFS switch for ensuring ATM sharing
arrangements with other banks. All the ATMs of the Bank accept VISA /
Master cards. All the debit cards of the Bank are VISA / Master enabled.
Bank has also started issuing RUPAY enabled cards.
Internet Banking system has separate servers for connecting to the web,
housing the application and database and also connecting to the Core
Banking Solution.
Bank, in tie-up with NSDL provides depository services to its customers.
One DEMAT server is established at Data Center, Mumbai. Branches can
access the server and open DEMAT accounts for their customers. The
server is interfaced with Internet Banking system, so that the customer
can view and do online trading in their DEMAT account through Internet
banking
As a part of providing Value added services, Bank has tied up with some
broking companies – where by the customers can do online trading of
their shares – and also with many other service providers to facilitate
online utility bill payment, tax payments, e-commerce, etc.

7
Bank has set up its own Call centre to provide customer service both
through Inter-active Voice Response System (IVRS) and Customer service
executives. The Call centre’s application is also seamlessly interfaced
with Core Banking Solution.
In order to provide SMS Banking to the customers, Bank has set up a few
servers and interfaced them with the Core Banking Solution. Similarly
Bank has implemented Mobile Banking Facility.
In order to secure its Information assets, the Bank has drawn and
implemented its IT Security Setup, consisting of multiple layered
firewalls, Network based and Host based intruder detection systems,
Network Intrusion Prevention System, two factor authentication
systems, anti-virus systems, Patch Management system, Network Access
Control systems etc. Bank has also created VLANs, militarized and de-
militarized zones in the process.
Bank has outsourced monitoring of the datacenter, network, IT security,
ATMs and ATM switch and the respective service providers monitor the
respective systems using different tools.
II. Important Systems housed in Data Centre:
Bank has an overseas branch at Hong Kong, which is also under CBS. The
data centre houses the Servers relating to Hong Kong branch also.
Bank has established MIS package for generation of various reports
LAS (Lending Automation System) for Credit Processing & Monitoring.
Bank hosted its own intranet website – which is accessed by all the staff
working at different branches and offices for various information hosted
in the web site.
Bank has developed and established web-based systems such as OLTAS
and EASIEST – which help the branches to collect different direct and
indirect taxes. E-remit is another such web based system, which helps
the branches/customers in providing easy fund remittance facilities.
Bank established a separate system for providing “Cash Management
Services” to the customers.
Bank has implemented an Enterprise Application Integration system
(middleware) to seamlessly integrate Core Banking system with other
applications like, Union Parivar, SWIFT, Treasury package etc. DR site
for EAI is under development and is expected to be operational by Dec
2012.
Bank has implemented Document Management System. All offices
/branches of the Bank can access the server to search documents.
Bank has implemented Unified Communication System for web
conferencing between different offices.

8
Bank has implemented Digital Media Signage for centralized digital
marquee.
Government Electronic Payment Remittance for Civil Ministry
Matched Fund Transfer Price (MFTP) : Bank has purchased three modules
of Oracle Financial Services Analytical Application (OFSAA) viz. Fund
Transfer Pricing, Profitability Management and Asset Liability
Management and the same is under implementation. The FTP module
enables scientific transfer pricing of internal movement of funds and the
Profitability Management module would enable computation of
profitability under various dimensions after cost / income allocation.
This would facilitate performance evaluation of business units.
III. Systems housed outside Data Centre:
Bank has computerized integrated treasury system. It has DR set up at
Ernakulam. The Treasury system is integrated with systems such as
Reuters, Bloomberg, Payment system Gateway and also SWIFT.
Bank has established a Payment Systems Gateway and connected it to
RBI through INFINET. Bank uses many applications such as PDONDS,
CFTS, CFMS, SFMS, RTGS, NEFT, etc., through the Payment Gateway
System.
Bank uses SWIFT system for securely communicating the financial and
non-financial messages with its counterparts internationally.
Bank uses in-house developed software package at its Central Accounts
department, for consolidation of Bank’s Balance sheet and other
statements every quarterly and also for preparation/generation of
related reports there from.
Bank has a corporate email setup, IBM Lotus Notes Solution.
Bank has implemented PEOPLESOFT HRM package known as Union
Parivar.
Bank has established MICR Centres and manages clearing houses at six
centres – viz., Pune, Jamshedpur, Salem, Anand, Belguam and Kota.
Bank established a web based system for distribution of the clearing and
ECS data to the member banks.
Bank established a system for implementing the Image based Cheque
Truncation system at the National Capital Region of Delhi and Chennai.
Bank’s Internet web site.
3.2. Outsourced Activities :
Bank has a Credit Card system, which is outsourced to VIGPL for
providing end to end services. The services mainly include issuance &
maintenance of cards, maintaining credit card host for controlling

9
transactions, providing VAP and MIP connectivity and complying with the
VISA and Master mandates, PIN Security, Billing and reconciliation
thereof, providing interfaces with Bank for facilitating interaction
through Bank’s Call centre and also for facilitating withdrawal of Cash
through ATMs.
Bank outsourced issuance and maintenance of debit cards and prepaid
cards to E-funds. While provision of end to end services is outsourced in
respect of prepaid cards, the activities outsourced as regards debit
cards are card issuance & maintenance, providing VAP/MIP interface and
PIN security.
Bank outsourced Reconciliation of settlements arising out of ATM sharing
arrangements to Insolutions Global. They use their systems, up load the
data from the Bank, reconcile the data and provide all the reports as
per requirements.
Bank has deployed Point Of Sale (POS) terminals. Providing end-to-end
services relating to POS is outsourced to Financial Technologies. They
use their own systems and provide end-to-end services to the Bank.
4. Section IV : Scope of Work:
4.1. Scope of Work Related to IS Audit:
I. The Scope of work mainly relates to conducting of Information System
and Security Audit of different Information systems in use by the Bank,
as listed in Annexure no 1, including those systems used by other
agencies for providing services in respect of activities which are
outsourced. The IS Audit should be conducted as per the guidelines
given by RBI and Govt. of India.
IS Audit of each of the systems should broadly cover the following
aspects:
− Physical and Environmental controls
− Logical access Controls
− Operating System/database review including Vulnerability
Assessment
− Application Review
− Source code review (wherever source code is available)
− Business process Review
− Network and Security Review including VA and Penetration test
− Backup procedure Review
− Business Continuity/Disaster Recovery plans/practices
− Review of Outsourced Activities
− Virus protection and Patch management.
II. Vulnerability Assessment and Penetration Tests (VAPT) :
The scope also includes conducting Vulnerability Assessment and
Penetration Tests (VAPT) covering operating systems, database,
networking and Security Infrastructure and various on-line applications
facing customers as listed in Annexure 1 and all other assets listed in
Annexure 2.

10
III. Application Audit :
The scope further includes Audit of all the Applications used by the
Bank. Some critical applications are named here below:
• Core Banking Application – “FINACLE” of Infosys Ltd. The
application and Oracle Database servers are on AIX Unix
platform.
• Application for Internet Banking
• Application KASTLE, developed by 3i Infotech Ltd, being used at
our Treasury branch.
• Application purchased from CMC for our Demat operations.
• LAS
• MIS
• Peoplesoft
The audit of Applications will be with reference to :
Auditing Application Architecture
Study CBS and other applications for adequacy of Input
Processing and Output controls and conduct various tests to
verify existence and effectiveness of controls.
Review / audit the presence of adequate security features in CBS
application to meet the standards of confidentiality, reliability
and integrity required for the application supporting business
processes.
Logical access control, User maintenance and password policies
being followed are as per bank’s IT security policy.
Authorisation mechanism and control such as concept of maker
checker, exceptions, overriding exceptions and error conditions.
Controls over automated processing /updation of records, review
or check of critical calculations such as interest rates, levying of
various charges etc., review of the functioning of automated
scheduled tasks, batch processes, output reports design, reports
distribution, etc.
Review of all controls including boundary controls, input
controls, communication controls, database controls, output
controls, interfaces controls from security perspectives.
Review effectiveness and efficiency of the Applications. Identify
ineffectiveness of the intended controls in the software and
analyze the cause for its ineffectiveness. Review adequacy and
completeness of controls
Identify gaps in the application security parameter setup in line
with the bank’s security policies and leading applicable
practices.
Auditing, both at client side and server side, including sufficiency
and accuracy of event logging, SQL prompt command usage,
Database level logging etc.
Complete Review of Application Parameterization.
Backup/Fallback/Restoration procedures and contingency
planning.

11
Review of segregation of roles and responsibilities with respect
to application software to improve internal controls.
Review of documentation for formal naming standards, design
process for job roles, activity, groups and profiles, assignment,
approval and periodic review of user profiles, assignment and use
of super user access
Manageability with respect to ease of configuration, transaction
roll backs, time taken for end of day, day begin operations and
recovery procedures
Special remarks may also be made on following items- Hard
coded user-id and password, Interfacing of software with ATM
switch, EDI, Tele banking server, Web Server and Other
interfaces at Network level, Application level Recovery and
restart procedures
Sufficiency and coverage of UAT test cases, review of UAT
defects and tracking mechanism deployed by vendor and
resolution including re-testing and acceptance Review of
customizations done to the software and the SDLC policy
followed for such customization. Proposed change management
procedure during conversion, migration of data, version control
etc.
Review of Software benchmark results and load and stress testing
of IT infrastructure performed by the Vendors
Adequacy of Audit trails and meaningful logs
Adherence to Legal and Statutory Requirements.
Configuration of System mail
Adequacy of hardening of all Servers and review of application of
latest patches supplied by various vendors for known
vulnerabilities as published by CERT, SANS etc.
Application-level risks at system and data-level include, system
integrity risks relating to the incomplete, inaccurate, untimely or
unauthorized processing of data; system-security risks relating to
unauthorized access to systems or data; data risks relating to its
completeness, integrity, confidentiality and accuracy; system-
availability risks relating to the lack of system operational
capability; and system maintainability risks in terms of adequate
change control procedures.
As part of documenting the flow of transactions, information
gathered should include both computerized and manual aspects
of the system. Focus should be on data input (electronic or
manual), processing, storage and output which are of
significance to the audit objective.
Consideration should be given to audit of application interfaces
with other systems or interface of other system with application.
The auditor may perform procedures such as a walk-through test.
IV. The scope of work also includes:
Evaluating completeness of Information System Audit Policy and
Information Security Policy of the Bank
Evaluating completeness of procedures/ guidelines documents
Evaluating Bank’s IT Governance structure including IT Strategy,
IT Steering Committee etc.

12
Providing minimum baseline security standard / practices in a
checklist format to be implemented to achieve a reasonably
secure IT environment for technologies deployed at Union Bank
of India separately for different Information systems, covering
OS, Database, network equipments, security equipments and
other relevant aspects of IS Audit.
Evaluation of Hardware procurement and Maintenance Process.
V. The scope of work further includes guiding/helping the Bank staff in
putting in place the correct practices and conducting of a compliance
audit as explained in the Terms of execution of work.
VI. The scope of work also includes extending training to our IS Audit team
and to share with them all the formats, check lists, scoring sheets,
scripts etc. that will be used during the process of IS Audit. Bank’ IS
Audit team will be attached to the IS Audit team of the selected vendor,
during the course of audit, for obtaining on the job training. The IS
Auditor should explain, to the bank’s team, all the processes,
procedures involved in arriving at audit findings including interpretation
of outputs generated by various audit tools.
VII. The scope of work includes development of risk profile and drawing up
of risk matrix taking into account inherent business risk and
effectiveness of the control system for monitoring the risk. Preparation
of Risk Matrix should be based upon Risk Analysis of all the Information
Systems of the Bank, as per the guidelines issued by RBI and Govt. of
India, including following steps :
• Step 1: System Characterisation
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
The Risk Analysis / Risk Matrix will be based on Adequacy of internal
controls, business criticality, regulatory requirements, amount or value
of transactions processed, if a key customer information is held,
customer facing systems, financial loss potential, number of
transactions processed, availability requirements, experience of
management and staff, turnover, technical competence, degree of
delegation, technical and process complexity, stability of application,
age of system, training of users, number of interfaces, availability of
documentation, extent of dependence on the IT system, confidentiality
requirements, major changes carried out, previous audit observations
and senior management oversight.
4.2. Automated Continuous 100% Transaction Audit :
As per RBI guidelines, the Bank is in the process of implementing Continuous
100% Transaction Audit, in phased manner. A continuous audit approach will
allow internal auditors to fully understand critical control points, rules, and
exceptions. With automated, frequent analyses of data, they will be able to

13
perform control and risk assessments in real time or near real time. They can
analyse key business systems for both anomalies at the transaction level and for
data-driven indicators of control deficiencies and emerging risk. The selected
service provider has to suggest tools suitable for Bank’s IT environment, giving
scope document, guidelines and devising framework / roadmap for continuous
audit of 100% Transactions, in line with the guidelines issued by RBI.
4.3. CAATs :
Bank intends to procure suitable CAAT to
− Test transactions and balances, such as recalculating interest
− Analytically review procedures, such as identifying
inconsistencies or significant fluctuations
− Test Compliance of general controls: testing set-up or
configuration of the operating system, or access procedures
to the program libraries
− Sampling programs to extract data for audit testing
− Test Compliance of application controls such as testing the
functioning of a programed control
− Re-calculate entries performed by the entity’s accounting
systems
− Perform Vulnerability Assessment and Penetration testing
The selected service provider has to evaluate the Bank’s requirement and
preparation of a scope document for procurement of CAATs by the bank. They
should also prepare guidelines and framework for procurement and usage of
CAATs by the in-house IS Audit team. This will include suggesting various tools,
with reference to its applicability and usage, preparation of comparative
evaluation charts etc.
5. Section V : Terms of Execution of work:
Bank expects the service provider to conduct IS audit of the systems as
detailed in the Scope of work in three phases - covering the Core Banking
related systems in the first phase, other important systems housed in Data
Centre in the second phase and remaining systems /processes in the third
phase. Parallely the service provider should carry out the jobs related to
Risk Matrix, continuous Audits and CAAts. The service provider should
submit a detailed plan clearly indicating the tentative dates and estimated
time for IS Audit of each phase/system.
The selected vendor has to go through the audit reports of previous two
years and has to check whether all the observations are complied. They
have to comment on status of non-complied observations, while undertaking
fresh audit under this RFP.
During the course of audit, if the service provider observes any major
deficiencies, they should immediately bring such observations, deficiencies,
areas of improvement and suggestions for improvement to the notice of the
concerned persons. The service provider should also discuss with,

14
guide/help the Bank staff in implementation of the critical and important
suggestions.
At the end of each phase, the service provider should submit a detailed
report containing all the observations, deficiencies, areas of improvement
and suggestions for improvement, for each system separately.
Since it will take some time setting right the deficiencies, on the Bank
intimating them to do so, the service provider should conduct a compliance
audit, to confirm setting right of the deficiencies and implementation of the
suggestions. The service provider should submit a detailed report after
compliance audit.
The reports arising out of the scope of work, should be submitted as and
when audit of one system is completed or at the latest on completion of
each phase.
The assignment will be for conducting audit on time. Bank, at its option,
will review and entrust the assignment either in full or in part subsequently.
6. Section VI: Terms and Conditions:
6.1. Bid Price:
RFP document can be purchased against payment of Rs. 10,000.00 in
the form of a demand draft / Pay Order issued by a scheduled
commercial bank favoring Union Bank of India, payable at Mumbai.
Alternatively the RFP document can be downloaded from the Bank's
website www.unionbankofindia.co.in or from www.tenders.gov.in.
However, the service provider will have to pay, along with submission of
their offer, a non-refundable fee of Rs. 10,000.00 in the form of a
demand draft/ Pay Order issued by a scheduled commercial bank
favoring Union Bank of India, payable at Mumbai.
In the event of non-payment of the fee of Rs. 10,000.00 towards the
RFP form along with the submission of the offer, the offer will not be
considered.
6.2. Bid Security:
Service provider will have to provide a Bid security of Rs. 5.00 lakh
(Rupees Five lakh only) by way of either demand draft / Pay Order
issued in favour of Union Bank of India by a scheduled commercial bank
in India, payable at Mumbai or a Bank Guarantee of equivalent amount,
valid for a period of 6 months, issued by a Scheduled Commercial Bank
in favour of Union Bank of India.
The Bank reserves its right to reject the proposal, in the event of non-
submission of the bid-security money of Rs. 5.00 lakh.
No interest will be payable on the Bid Security amount.

15
The bid security amount will be forfeited if the vendor refuses to accept
purchase order or having accepted the purchase order, fails to carry out
his obligations mentioned therein.
The Bid Security will be refunded to the unsuccessful bidders only after
completion of the bid process.
The Bid security of the successful bidder would be refunded while
releasing the payment due after the last mile stone. Hence the
successful bidder has to ensure that validity of Bank Guarantee is
extended, till completion of the project.
6.3. Clarifications on the RFP:
i Queries/clarifications would not be entertained over phone.
ii All the queries and clarifications must be sought in writing to the email
id: caraje@unionbankofindia.com, satishs@unionbankofindia.com.
iii Service providers are also requested to collate queries and submit them
together seeking clarifications/responses from the Bank. It should be
ensured that all the queries and clarifications are communicated in
writing.
iv Service providers should indicate only one e-mail id, to which the
clarifications and other communications regarding the RFP can be sent.
6.4. Two Part Offer:
i One hard copy of the Technical Bid and One Copy of the Commercial Bid
must be submitted at the same time, giving full particulars in separate
sealed envelopes at the Bank’s address given below on or before the
schedule given above. The bidder should submit a soft copy of the
technical bid on a CD. Offers (Technical & Commercial) must be
submitted at the same time, giving full particulars in separate sealed
envelopes addressed to
The General Manager (CA&ID)
Union Bank of India,
IS Audit Cell, Central Audit & Inspection Department,
The Arcade, Tower 4, East Wing,
2nd
floor, World Trade Center,
Cuffe parade, Colaba, Mumbai 400004,
ii All the envelopes must be superscribed with the following information –
Type of Offer- Proposal for Conducting IS Audit- 2012-13 (Technical
Bid)
Type of Offer- Proposal for Conducting IS Audit- 2012-13
(Commercial Bid)
Due Date :
Name of Bidder :
Name of the Authorized Person :
iii All schedules, Formats and Annexures should be stamped and signed by
an authorized official of the bidder’s company.

16
iv The offers should either be hand delivered or dropped in the Tender box
at the given address on or before the bid submission date and time. Bids
sent by fax, e-mail, courier will not be considered for evaluation.
v Tender offers will be opened in the presence of the bidder
representatives who choose to attend the opening of tender on the
above-specified date, time and place. All bidders are advised to be
present at the time of bid opening. No separate intimation will be given
in this regard.
6.5. No Erasures or Alterations:
i The original offer (Technical Offer and Commercial Offer) shall be
prepared in indelible ink.
ii Technical details must be completely filled up. All the hand-written
details in the offer must be initialed by the persons or person who
sign(s) the proposals.
iii All the pages of the offer must be initialed by an authorized
representative with a round stamp of the bidding firm.
6.6. Validity :
i The offer should remain valid for a period of 180 days from date of
submission of the proposal.
ii At the option of the Bank, the vendor should extend the validity of
offers for such required period (s), as the Bank may require during the
evaluation process.
6.7. Technical Proposal:
• The Technical Proposal should be complete in all respects and contain
all the information asked for in this RFP document in an organised and
structured manner. All the details sought must be submitted in the
prescribed pro-forma only (as per the attached formats).
Additional/supporting documents, write-ups, etc., if any should be
furnished as separate files.
• The Technical Proposal should not contain any price information.
• The UNPRICED commercial proposal would be a replica of the
commercial proposal except the price. It must indicate all the details
except the price. It should be sufficient to ensure that all products and
services asked for are quoted along with the quantity of each item
quoted in the commercial proposal. The unpriced commercial proposal
should be part of technical proposal.
• The Bank, at its discretion, may not evaluate a proposal in case of non-
submission or partial submission of details sought.

17
• The Technical Proposal should comprise of following (as per the
formats):
o Letter in the prescribed format confirming compliance to the
Bank's terms and conditions (Format – I).
o Service provider Profile (Format – II)
o Details of Professional Personnel (Format – III)
o Details of reference sites –IS Audits(Format – IV(a))
o Details of reference sites – Core Banking Application
Audit(Format – IV(a))
o Proposed Methodology and work plan (Format – V)
o UNPRICED Commercial Offer as per Format - VII, which should be
replica of the Commercial proposal without price information
o Bid Price (by way of DD/PO drawn in favour of Union Bank of
India issued by a Scheduled Commercial bank payable at Mumbai)
o Bid Security amount (by way of DD/PO drawn in favour of Union
Bank of India issued by a Scheduled Commercial bank payable at
Mumbai or Bank Guarantee of equivalent amount issued by a
Scheduled Commercial bank and valid for 180 days)
o Supporting documents in separate file(s).
o Self-declaration and certification to confirm compliance of
“should nots”.
6.8. Commercial Proposal:
i The Commercial Proposal should be submitted in separate sealed
envelope, superscribed as “Proposal for Conducting IS Audit- 2012-13
(Commercial Bid)”
ii The Commercial Proposal should provide all relevant price information
in Indian Rupees only.
iii It should not contradict the unpriced Commercial proposal in any
manner.
iv The responses should be strictly as per the terms and conditions of this
RFP. Service Providers are advised not to attach or specify any terms
and conditions. The Bank reserves its right to reject the proposals
received with any additional terms and conditions specified by the
Service provider.
v The Commercial Proposal should be as per Format VI.
vi The prices mentioned in the commercial proposal should strictly be in
conformity with the price composition specified in point no. 6.9.
vii The Commercial Bid should include all taxes, duties, fees, and other
charges as may be levied under the applicable law as on the date of
submission of the proposal. However, the tax component of the prices
should be shown separately.
viii The total must be quoted in WORDS AND FIGURES. In case of discrepancy
between the words and figures, lower of the two would be considered as
the price quoted and the same will be binding on the vendor.

18
ix Commercial Offers of only those vendors, who qualify in Technical Bid
evaluation, will be opened.
6.9. Price Composition:
i The price quoted should be inclusive of following:
Professional Charges
Travel and Halting expenses, including local conveyance
Out of pocket expenses
All applicable taxes, duties and levies.
ii Work Contract tax, if any, applicable should be borne by the Service
provider.
iii The commercial offer shall be on a fixed price basis and in Indian
Rupees. No price variation should be asked for relating to increases in
customs duty, excise and/or any taxes, foreign currency price variation
etc., However, if there is any reduction in government levies/taxes,
during the validity of offer, the same shall be passed on to the Bank.
iv The costs of preparing the offer and of negotiating the contract will not
be borne by the Bank and, are not reimbursable. All costs and expenses
incurred by Respondents in any way associated with the development,
preparation, and submission of responses, including but not limited to;
the attendance at meetings, discussions, demonstrations, reference site
visits etc. and providing any additional information required by Union
Bank Of India, will be borne entirely and exclusively by the Respondent.
6.10. Payment of Other Expenses:
The selected vendor will have to visit various offices of the Bank, at
various locations like Mumbai, Bengaluru, Ernakulam, Pune , Chennai,
Delhi etc., during the course of IS Audit. The Bank WILL NOT pay any
expenses towards travelling, lodging and boarding of the members of IS
Audit team of the selected vendor. They will have to make their own
travel and stay arrangements.
6.11. Evaluation Procedure:
i The evaluation of technical proposals will be done by a team of officials,
which may include
scrutiny of eligibility criteria to determine the eligibility of
vendors;
scrutiny of the proposals to verify whether the same is in
accordance with the RFP terms; and
reference site feedback about the service.
ii In the process of scrutiny of the proposals, Bank may seek additional
inputs and clarifications as may be needed and also may request the
service providers to make a presentation. The request for such
clarifications and the response will necessarily be in writing.
iii Proposals found to be meeting the Bank’s requirements based on the
technical evaluation only will be considered for commercial evaluation.
Cost comparison will be on the basis of TCO (total cost of ownership).

19
6.12. Right to Alter Quantities
i The Bank reserves the right to alter quantities, revise/modify all or
any of the specifications, delete some items specified in this offer,
when finalizing its requirements or declare the RFP void, without
assigning any reason, before or after receiving the responses. That
is, the Bank reserves its right to add or remove the Information
systems in respect of which the IS Audit is to be conducted.
ii The Bank also reserves the right to get the IS audit done for some of
the systems only. In the event of change of quantities, the TCO
would be worked out after normalizing the Commercial Offer to suit
to the required systems. The amounts quoted for the line items in
the commercial proposal would form base for such normalization
process. The TCO worked out by the Bank after normalization, would
be binding on the service provider.
6.13. No Commitment to Accept Lowest or Any Tender
The Bank shall be under no obligation to accept the lowest or any other
offer received in response to this tender notice and shall be entitled to
reject any or all tenders without assigning any reason whatsoever.
6.14. Rotation of Audit Team
If the selected service provider has already carried out IS Audit of our
bank, the service provider should change the entire team and to depute
a fresh team.
6.15. Price freezing
i The final prices stated above, shall remain frozen for a minimum period
up to two years from the date of the purchase order.
ii Bank reserves its right to place repeat orders for the assignment in full
or in parts at the same price and terms, as per its requirements.
6.16. Payment Terms
The terms of payment will be as follows:
i No advance payment will be made along with the Purchase order.
ii First 20% of the total contract value will be payable on delivery of the
final report after completion of the IS audit of Information Systems
identified for first phase;
iii Another 20% of the total contract value will be payable on delivery of
the final report after completion of the IS audit of Information Systems
identified for second phase;
iv Another 20% of the total contract value will be payable on delivery of
the final report after completion of the IS audit of Information Systems
identified for third phase;

20
v Another 20% of the total contract value will be payable on delivery of
the final report after completion of the scope mentioned in Section IV
of scope of work and on submission of the deliverables there of and
vi Final 20% of the total contract value will be payable on completion of
the compliance audit of all the Information Systems and on submission
of reports thereof.
6.17. Cancellation of the assignment
The Bank reserves its right to cancel the assignment in the event of
one or more of the following conditions:
• Delay in commencement of the IS Audit beyond two weeks after the
assignment order.
• Delay in completion of all the three phases of the IS Audits beyond the
time specified in the assignment letter.
6.18. Liquidated Damages
i Notwithstanding the Bank's right to cancel the assignment, 0.5% of the
order value per week or part thereof would be payable to the Bank for
delay in the execution of this assignment order beyond specified
schedule, subject to a maximum of 5% of the value of the said phase.
ii Bank reserves it's right to recover these amounts by any mode such as
adjusting from any payments to be made by the Bank to the company.
iii The Bank, however may review and consider waiving imposing of
liquidated damages for delays beyond the control of the Service
Provider.
6.19. RFP Ownership
The RFP and all supporting documentation are the sole property of
Union Bank and should NOT be redistributed without prior written
consent of Union Bank. Violation of this would be a breach of trust and
may, inter-alia cause the vendors to be irrevocably disqualified. The
aforementioned material must be returned to Union Bank when
submitting the proposal, or upon request however, service providers can
retain one copy for reference.
6.20. Proposal Ownership
The proposal and all supporting documentation submitted by the service
providers shall become the property of the Bank. The proposal and
documentation may be retained, returned or destroyed as the Bank
decides.
6.21. Confidentiality
• This document contains information confidential and proprietary to the
Bank. Additionally, the service providers will be exposed by virtue of the
contracted activities to the internal business information of the Bank.

21
Disclosures of receipt of this RFP or any part of the aforementioned
information to parties not directly involved in providing the services
requested could result in the disqualification of the service providers,
premature termination of the contract, or legal action against the
service providers for breach of trust.
• Selected service provider will have to sign a legal non-disclosure
agreement with the Bank before starting the project.
6.22. Disclaimer
Subject to any law to the contrary, and to the maximum extent
permitted by law, Union Bank Of India and its officers, employees,
contractors, agents, and advisers disclaim all liability from any loss or
damage (whether foreseeable or not) suffered by any person acting on
or refraining from acting because of any information including forecasts,
statements, estimates, or projections contained in this RFP document or
conduct ancillary to it whether or not the loss or damage arises in
connection with any negligence, omission, default, lack of care or
misrepresentation on the part of Union Bank Of India or any of its
officers, employees, contractors, agents, or advisers.

22
7. Section VII: RFP Response Formats
A. Format – I: Letter to the Bank on the Service provider’s
letterhead
To
Central Audit & Inspection Department,
The Arcade,
Tower 4, East Wing, 2nd floor,
World Trade Center
Cuffe Parade, Colaba, Mumbai - 400 005
Dear Sir,
Sub: Response to RFP in connection with outsourcing IS Audit
With reference to the above RFP, having examined and understood the
instructions, terms and conditions, we hereby enclose our offer for
conducting IS Audit of the systems, as detailed in your above referred
inquiry.
We confirm that the offer is in conformity with the terms and conditions as
mentioned in your above referred RFP. We further confirm that the
information furnished in the proposal, annexures, formats, is correct. Bank
may make its own inquiries for verification and we understand that the Bank
has the right to disqualify and reject the proposal, if any of the information
furnished in the proposal is not correct.
We also confirm that the prices offered shall remain fixed for a period of
one hundred and eighty (180) days from the date of submission of the offer.
We also understand that the Bank is not bound to accept the offer either in
part or in full. If the Bank rejects the offer in full or in part, the Bank may
do so without assigning any reasons thereof.
We further understand that the finalized prices will be frozen for a period of
two years from the date of entrustment of assignment and that the Bank, at
its discretion may entrust the assignment again in full or parts at the same
price and terms as per its requirements.
Yours faithfully,
Authorized Signatories
(Name, Designation and Seal of the Company)
Date:

23
B. Format – II: Service Provider Profile
S.
No.
Particulars Response
1 Name of the Service Provider
2 Address for Communication
3 Contact Person 1
4 Phone / Mobile Number
5 Email id
6 Contact Person 2
7 Phone / Mobile Number
8 Email id
9 Experience in the business in India (No.
of Years)
10 Total Number of staff in India
11 No. of professionally qualified persons CISA CISSP CISM
12 Name of the professionally qualified
personnel indicating the respective
qualifications (service provider may
add more lines as per requirements)
CISA CISSP CISM
13 Business details in India for the last three financial years (copies of the
published audited financial statements should be annexed)
Year Turnover Service
Income
Operating
profit
Net
Profit
after
Tax
2008-09
2009-10
2010-11
14 Details of the organizations for which IS Audit was conducted in the
past three years(2009-2012)
Name of the Organisation Place Month & Year

24
C. Format – III: CV of Professional Personnel
(to be furnished on a separate sheet for each employee)
Name of the staff
Date of Birth
Professional Qualifications
Service in the firm from
Previous employment record Organization From to
Details of Key assignments handled
in the past three years
Organization Month & Year Details of assignment done

25
D. Format – IV(a): References of IS Audits done for Banks.
(The details of each assignment should be furnished on a separate page. The
details should relate to the assignments done during the past three(2009-2012)
years. We expect two references in the minimum)
1 Name of the Bank
2 Address
3 Name of the Contact Person
4 Designation
5 Direct Phone number
6 Mobile Phone
7 E-mail id
8 Month & Year in which IS Audit was
conducted
9 Names of professional personnel who
carried out that assignment
10 Brief particulars of the Systems for
which IS audit was done. (Scope of
Work)
E. Format –IV (b): References of Core Banking Application Audits
done for Banks.
(The details of each assignment should be furnished on a separate page. The
details should relate to the assignments done during the past three years. We
expect one reference in the minimum)
1 Name of the Bank
2 Address
3 Name of the Contact Person
4 Designation
5 Direct Phone number
6 Mobile Phone
7 E-mail id
8 Month & Year in which IS Audit was
conducted
9 Names of professional personnel who
carried out that assignment
10 Scope of Work

26
F. Format – V: Proposed Methodology & Work Plan
(Please mention the details of tasks you propose to do along with the
estimates of time lines for each task, the key personnel you intend to
engage for each of the tasks in the assignment and the deliverables for each
task. In other words, this sheet should provide the entire project plan)

27
G. Format – VI: Commercial Offer
To
The Arcade,
World Trade Center
Dear Sir,
instructions, terms and conditions, we hereby enclose our Commercial offer
for conducting IS Audit of the systems, as detailed in your above referred
inquiry.
Sr.
No
.
Details Professional
Fees
Taxes Total Cost
1 IS audit of Core Banking related
Systems
2 IS Audit of Other Systems in Data
Centre
3 IS Audit of Systems outside Data
Centre
4 Other Tasks mentioned in scope
of work
5 Any Other Cost (please specify)
Total Cost of Ownership (TCO)
TCO in words:
One Hundred Eighty (180) days from the date of submission of the offer.

28
part or in full. If the Bank rejects the offer in full or in part the Bank may do
so without assigning any reasons therefore.
Yours faithfully,
Date:

29
H.Format – VII: Unpriced Commercial Offer
To
The Arcade,
World Trade Center
Dear Sir,
instructions, terms and conditions, we hereby enclose our Unpriced
Commercial offer for conducting IS Audit of the systems, as detailed in your
above referred inquiry. We have not furnished any price information below.
Sr.
No
.
Details Profession
al Fees
Taxes Total Cost
1 IS audit of Core Banking related
Systems
Yes / No Yes / No Yes / No
2 IS Audit of Other Systems in Data
Centre
3 IS Audit of Systems outside Data
Centre
4 Other Tasks mentioned in scope
of work
5 Any Other Cost (please specify) Yes / No Yes / No Yes / No
Total Cost of Ownership (TCO) Yes / No Yes / No Yes / No
TCO in words: Yes / No
One Hundred Eighty (180) days from the date of submission of the offer.

30
part or in full. If the Bank rejects the offer in full or in part the Bank may do
so without assigning any reasons therefore.
Yours faithfully,
Date:

31
ANNEXURE I
List of Assets / Processes to be covered for IS Audit under this RFP:
Core Banking related Systems:
Enterprise Wide Network covering all its 3200+ branches and offices
spread across the country.
Bank’s Finacle Core Banking Solution including application, operating
system, databases, interfaces, DR site at Bengaluru and Near site at
Mumbai etc.
Electronic Delivery Channels like ATM, Internet Banking, Tele Banking,
Mobile banking, SMS alerts.
Bank’s ATM switch which is connected with 4200+ ATMs and interfaced
with CBS and also NFS switch, VISA and Master Card.
Internet Banking system
Online utility bill payment, tax payments, e-commerce, etc.
Call centre
SMS Banking and Mobile Banking services.
IT Security Setup, with multiple layered firewalls, Network based and
Host based intruder detection and prevention systems, two factor
authentication systems, anti-virus systems, Patch Management system,
Network Access Control systems etc. Bank has also created VLANs,
militarized and de-militarized zones in the process.
Outsourced activities for monitoring of the datacenter, network, IT
security, Mobile Banking, ATMs and ATM switch
Important Systems housed in Data Centre:
Server and Finacle application for CBS Hong Kong
Lending Automation System (LAS) with DR Site
Cash Management Services
Enterprise Application Integration system (middleware) with it’s DR site
Government Electronic Payment Remittance for Civil Ministry
Matched Fund Transfer Price (MFTP)
Systems housed outside Data Centre:
Integrated treasury system, including Reuters, Bloomberg and Payment
system Gateway, with its DR site at Ernakulam.
Payment Systems Gateway (PDO NDS, CFTS, CFMS, SFMS, RTGS, NEFT)
SWIFT system
Corporate email setup, IBM Lotus Notes Solution.
MICR Centres and manages clearing houses at six centres – viz., Pune,
Jamshedpur, Salem, Anand, Belguam and Kota. MICR Pune to be audited
on sample basis.
Cheque Truncation system at Delhi and Chennai.
Credit Card system, outsourced to VIGPL
Debit cards and prepaid cards (outsourced activity)
Reconciliation of settlements arising out of ATM
Point Of Sale (POS) terminals.
Bank’s internet web site.

32
ANNEXURE II
Assets not covered for IS Audit but to be covered by VAPT:
Depository services (DEMAT) and online trading services
MIS
Intranet
Document Management System
Web-based systems such as OLTAS, EASIEST, E-remit etc
Unified Communication System
Digital Media Signage
Asset & Liability Management
Reveleus package (Capital Calculator)
AMLOCK for Anti-Money Laundering
Central Accounts system
PEOPLESOFT HRM package known as Union Parivar
Channel Financing
In house developed small softwares

33
FORMAT OF BANK GUARANTEE
To
Union Bank of India
The Arcade, Tower 4, East Wing,
2nd floor, World Trade Center,
Dear Sirs,
In response to your invitation to respond to your RFP for _____ M/s
__________________ having their registered office at _____________ (hereinafter
called the ‘Vendor’) wish to respond to the said Request for Proposal (RFP) for self
and other associated vendors and submit the proposal for the supply, installation,
of PCs as per terms and conditions listed in the RFP document.
Whereas the ‘Vendor’ has submitted the proposal in response to RFP, we, the
____________ Bank having our head office ________________ hereby irrevocably
guarantee an amount of Rs. (Rupees only) as earnest money
deposit as required to be submitted by the ‘Vendor’ as a condition for participation
in the said process of RFP.
The earnest money deposit for which this guarantee is given is liable to be
enforced/ invoked:
1) If the Vendor withdraws his proposal during the period of the proposal validity;
or
2) If the Vendor, having been notified of the acceptance of its proposal by the
Bank during the period of the validity of the proposal fails or refuses to enter
into the contract in accordance with the Terms and Conditions of the RFP or
the terms and conditions mutually agreed subsequently.
We undertake to pay immediately on demand to Union Bank of India, the said
amount of Rupees only without any reservation, protest, demur, or
recourse. The said guarantee is liable to be invoked/ enforced on the happening of
the contingencies as mentioned above and also in the RFP document and we shall
pay the amount on any Demand made by Union Bank of India which shall be
conclusive and binding on us irrespective of any dispute or difference raised by the
vendor.
Notwithstanding anything contained herein:
Our liability under this Bank guarantee shall not exceed Rs. __________(Rupees
only).
This Bank guarantee will be valid upto _________ days; and
We are liable to pay the guarantee amount or any part thereof under this Bank
guarantee only upon service of a written claim or demand by you on or before
________________.
In witness whereof the Bank, through the authorized officer has sets its hand and
stamp on this _______________ day of __________________ at
_________________.

Rfp is audit-201300000000-0000-0

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Rfp is audit-201300000000-0000-0

Similar to Rfp is audit-201300000000-0000-0 (20)

More from Silas Musakali

More from Silas Musakali (6)

Recently uploaded

Recently uploaded (20)

Rfp is audit-201300000000-0000-0