Report of Independent Information Systems Auditors To the Management of NIC Bank Limited (NIC)

We have examined the accompanying assertions by the management of NIC regarding the effectiveness of the existing controls over the integrity, availability, security, and maintainability of the bank's e-Banking Services during the period January 1, 2005 to June 30, 2005, based on the availability, security, and maintainability principles in the Ernst & Young Cyber Process Certification Principles and Criteria, which are available at www.ey.com/security.

The assertion is the responsibility of the management of NIC. Our responsibility is to express an opinion on the aforementioned assertion based on our examination. The Ernst & Young Cyber Process Certification Principles and Criteria include four key areas: availability, security, integrity, and maintainability. Management's description of the aspects of the e-Banking Service of NIC covered by its assertion is attached.

Our examination was conducted in accordance with attestation standards established by recognized professional bodies such as the CICA and AICPA (i.e. WebTrust™, SysTrust™) and, accordingly, included

(1) obtaining an understanding of the controls related to the integrity, availability, security, and maintainability of NIC's e-Banking Services,

(2) testing and evaluating the operating effectiveness of the controls, and

(3) performing such other procedures as we considered necessary in the circumstances.

We believe that our examination provides a reasonable basis for our opinion. Because of the inherent limitations of controls, errors or fraud may occur and not be detected.

Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of

(1) changes made to the system or controls,

(2) changes in processing requirements,

(3) changes required because of the passage of time, or

(4) a deterioration in the degree of compliance with the policies or procedures.

It is our opinion that, according to management's assertion, NIC's e-Banking Services maintained effective controls over the integrity, availability, security, and maintainability of the bank's e-Banking service to provide reasonable assurance that:

  • The system was available for operation and use at times set forth in service-level statements or agreements. The level of continuity services provided by NIC's e-Banking Services in the event of a major disruption is separately negotiated for each customer and specifically defined within the service-level statements or agreements,
  • The entity discloses key security policies, complies with such security policies, and maintains effective controls to provide reasonable assurance that access to the electronic commerce system and data is restricted only to authorized individuals in conformity with its disclosed security policies,
  • The system was protected against unauthorized physical and/or logical access, and
  • The system could be updated when required in a manner that continued to provide for system availability and security during the period January 1, 2005 to June 30, 2005, based on the integrity, availability, security, and maintainability principles of the Ernst & Young Cyber Process Certification Principles and Criteria, is fairly stated in all material respects.

The Cyber Process Certification Seal of assurance on NIC's Web site constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance.

This report does not include any representation as to the quality of NIC's goods or services nor their suitability for any customer's intended purpose.

Ernst & Young Advisory Services Limited
Technology & Security Risk Services
Nairobi, Kenya
September 10, 2005


