Joint Standard 1
Service Description for an Independent Assessment Service of compliance with the
FINANCIAL SECTOR REGULATION ACT, 2017 (ACT NO. 9 OF 2017)
Joint Standard 1 of 2023 – IT Governance and Risk Requirements for Financial Institutions
1 Introduction
The Financial Services Conduct Authority (FSCA) and South African Reserve Bank Prudential Authority have jointly published the Joint Standard 1 of 2023 for Information Technology (IT) Governance and Risk Management Requirements for Financial Institutions.
The Joint Standard 1 (Joint Standard) sets out the principles and minimum requirements for information technology (IT) governance and risk management that financial institutions (as defined in the Joint Standard) must adhere to. It is the responsibility of the governing body of a financial institution falling under the FSCA to ensure that the institution meets the requirements set out in this Joint Standard by November 2024 and on an ongoing basis.
2 Overview of the Service
In order to assist financial institutions in addressing the requirements of the Joint Standard, PTC and associates have developed a compliance assessment service designed to provide education about the Joint Standard 1 and to assess, at a high level, the extent of compliance of affected organisations with the Joint Standard.
The purpose of the Joint Standard Compliance Assessment Service (JSCAS) is to provide an independent high-level assessment of the extent of compliance with the Joint Standard and to develop an action plan to address any identified compliance gaps. The service is conducted by experienced IT governance and risk management consultants in conjunction with a specially designed JSCAS Tool in partnership with representatives from the organisation being assessed.
3 Scope of the Service
The scope of the high-level assessment service includes the following:
· Establishing a project charter, including identification of appropriate stakeholders and key milestones
· Development of a project plan
· Execution of the high-level assessment based on the project plan and the following Joint Standard requirements as defined in sections 5 to 15 of the Joint Standard:
  o Roles and responsibilities
  o IT strategy
  o IT risk management framework
  o Oversight of IT risk management
  o IT operations
  o Handling of sensitive or confidential information
  o Risks associated with financial products and financial services
  o IT programme and/or project management
  o IT resilience and business continuity
  o IT assurance
  o Notification and reporting requirements
· Optional one-hour executive briefing, or half-day or full-day workshop, on the contents of the Joint Standard for affected stakeholders
4 JSCAS Tool
The JSCAS Tool is designed to address the areas listed in the scope above and can be tailored to cater for the size and complexity of the organisation. The tool also includes rating and effectiveness scales which enable effective and appropriate reports to be provided. An overview of the JSCAS Tool is available in conjunction with this service description.
5 Deliverables
An Independent Assessment Report will be provided which will include:
· An independent and objective review of the current state of compliance with the Joint Standard;
· A list of observations and findings;
· Recommendations for addressing any compliance gaps identified during the assessment.
6 Consultancy effort and duration of a JSCAS project
The typical consultancy effort required for conducting the assessment service is from 1 to 5 billable days. The duration depends on the size and complexity of the organisation and on the availability of stakeholders and of the information required to respond to the assessment. Because the assessment is conducted at a high level (accepting evidence provided without detailed review of that evidence), it will typically take place over 1 to 3 weeks.
A more detailed evaluation which would include validating every piece of evidence of compliance individually is available subject to negotiation.
7 Benefits of the Assessment Service
The benefits of the service and assessment tool include:
· The incorporation of subject matter knowledge relating to IT governance and risk management, as covered in the Joint Standard, into a concise, purpose-built assessment service, which enables organisations to identify their current status of alignment in a much shorter time than a non-integrated approach would take;
· A cost-effective approach to identifying shortfalls against the Joint Standard, thereby enabling financial institutions to implement measures for complying with the standard by the required date of November 2024.
8 Costs
The costs for an assessment are based on the following:
· Consultancy fees based on the size and complexity of the organisation, from 1 to 5 days of billable services delivered;
· Optional Licence Fee for use of the Joint Standard 1 Compliance Assessment Tool on an ongoing basis.
9 Next steps
Please contact Dr Peter Tobin (peter@p-t-c.co.za) of PTC or a PTC associate to discuss your specific needs or to receive a formal service proposal.
DOCUMENT ENDS
Document correct as at 14 May 2024.