INFORMATION SYSTEM AUDIT (IS AUDIT)

INFORMATION SYSTEM AUDIT IN BANKS:



Information System Audit

In the present day's context, Information System Audit is very much warranted, because the entire Banking Industry totally relies upon Information Technology, which is otherwise considered to be its backbone.  

On the one hand, it involved a huge expenditure on the Banks in the initial stages like building necessary software, and computer peripherals and providing training to their staff, etc., the Banks have increased their customer base and improved their business multifold,

It would be possible for the Banks to retain the Progressive Growth only by improving their Customer Service which would rather generate more leads to their business.  It goes without saying that Customer Service totally depends on the System functions of the Banks, which necessitates examining of the Information System at periodic intervals to keep good going.  It is also considered as a vital part of Risk Based Internal Audit (RBIA) in Banks.

In view of the above, the Information System Audit got momentum and has become absolutely essential in the Banking Industry.  To accomplish this task, the Inspecting Officer should remain updated with the knowledge of handling of Computers and their basic requirements.  Here I have given elaborately the procedure for conducting Information System Audit.

The Internal Auditing Official should verify the following:

Physical Security verification:

  • whether the Branch maintaining Records of Invoices, Hardware Configuration Register, and Installation Report file is maintained and updated from time to time as and when computer peripherals are received at the Branch?

  • whether the Computer Peripherals are available as per the Office Furniture and Fixtures (OFF) Register and the same are numbered serially?
  • whether unusable computer peripherals are disposed of as per instructions of Higher Offices?

Uninterrupted Power Supply system and Network Equipment:

  • whether UPS (Uninterrupted Power Supply) room and Network equipment (Hub, Modem, Router etc. room is in a secluded place and entry is restricted to unauthorized persons?
  • whether the Network equipment are properly mounted as per guidelines?
  • whether the UPS Room/Network equipment room is having an adequate ventilation facility and is air-conditioned to avoid malfunctioning of the UPS/Network equipment and also to elude any fire hazard?
  • whether Branch staff are adequately trained to extinguish the fire in case of any accident in the Branch?
  • whether Smoke Detectors are installed in the Branch at appropriate places and the same are in proper working condition?
  • whether the above are covered under AMC and the representatives are visiting the Branch for attending to the AMC work as per Contracted terms.
  • whether the Branch is maintaining records of such visits?  
  • whether proper power connection is available and earthing done properly for the computer peripherals?
  • whether no other electrical equipment than the computer peripherals are connected to UPS?
  • whether Annual Maintenance Contract is available for the UPS/Network equipment?
  • whether records of visits of the AMC representatives are properly held and he visits the Branch and carries out the maintenance work regularly as per the Contract and in case of any breakdown?
  • whether Eatables and water are strictly not allowed in the UPS/Network equipment room?
  • whether Data Cabling is satisfactory and free from all trouble like rat-biting and human damage?
  • whether proper care has been taken while laying down the data cable and electrical cable to ensure that both of them are not crossing each other?
  • whether labeling of the data cable is properly and prominently done so that identification becomes easy?

OBSERVANCE OF POLICY GUIDELINES:

  • whether the staff is adequately trained in IT handling?
  • whether the staff is aware of the IT Policy of the Bank?
  • whether staff handling the computers lock their PCs when not in use or they move out of their workplaces?
  • whether Power-on Passwords are set in nodes?
  • whether Password Secrecy is absolutely followed in right spirit?
  • whether the Branch has installed unauthorized Software in nodes and stand-alone PCs?
  • whether the USB Ports are disabled in all PCs/Nodes except in one Node with due authorization of Higher Offices?
  • whether remote access in all Nodes are denied/disabled?
  • whether approved Anti-virus is installed and enabled in all PCs/Nodes?
  •  whether Unauthorized Nodes are not connected to unapproved/external networks like Broadband, dial-up connections, wi-fi networks, etc.?
  • whether the Nodes are not used by unauthorized persons?
  • whether only one stand-alone PC is connected to an Internet connection?
  • whether the Branch is taking immediate steps to rectify telephone line faults and is maintaining cordial relations with the service provider?

PASSWORD SECURITY:

  • whether staff are provided User Ids and Passwords immediately upon their reporting for duty at the Branch?
  • whether the staff are having adequate knowledge of Password secrecy and the same is being strictly followed?
  • whether the staff is maintaining absolute secrecy of Passwords and the same is not being shared?
  • whether the User Ids are disabled whenever the concerned staff proceeds on leave or training or for any other purpose and not available in the Branch for the entire day?

 TRAINING AND KNOWLEDGE:


Training Class Room


  • whether all the staff of the Branch has been imparted the necessary training in handling the systems and Core Banking Solutions?
  • whether all the staff of the Branch is able to attend to the system related to issues of the customers and provide necessary solutions?
  • whether all the staff members of the Branch are having adequate knowledge about the User/ Operation Manuals for Core Banking Solution packages of the Bank in the local network of the Bank?
  • whether the staff are aware that the IT/CBS circulars are available in the Intranet/local network system of the Bank?

AVAILABILITY OF RECORDS:

  • whether necessary requests are made to Higher Offices for temporarily upgrading the powers from a lower level in the event of absence/leave of a staff member in the higher level?
  • whether pre-migration records/data (data prior to CBS migration) are preserved and are traceable in case of any dispute by an account holder or a query from any Government agency?
  • whether documents entered in the DMS (Document Maintenance System) are up-to-date?  (The Auditor may conduct a random check on this score.)
  • whether Scanning of Specimen Signature cards are up-to-date, properly done (Right Specimen Signature Card to Right account no.) and there are no backlogs observed? (The Auditor may conduct a random check on this score.)
  • whether Day-end reports are generated without fail, verified, duly authenticated by the concerned authorized Officials of the Branch, and the same are preserved?

ALTERNATIVE DELIVERY CHANNELS:

ATM Machine


  • whether the Branch is replenishing Cash in ATMs attached to the Base Branch as and when required and the ATM users are not returning empty-handed for want of Cash in ATMs?
  • whether the ambiance of the ATM is good and if any uplifting is required, the same may be incorporated in the Audit Report?
  • whether proper cleanliness in the ATM Room is maintained?
  • whether the Branch is taking the Journal Print log as per the instructions of Higher Offices and the same are maintained properly for verification?
  • whether the Cash Balance in ATM is tallied during cash loading and difference if any, are reconciled immediately?
  • whether the dual combination number locks of the ATM Cash Chest placed in a closed cover  and stored in the double lock for both Custodians separately?
  • whether the dual combination number locks are changed at frequent intervals as per instructions of Higher Offices?
  • whether Admin Functions are properly carried out after loading of Cash in ATM?
  • whether the dispensing test is done every time while loading cash?
  • whether the ATM is properly is covered under AMC and adequate Insurance?
  • whether the AMC service provider visits the ATM for maintenance work and in case of troubleshooting and proper Visit Log reports are maintained and produced for verification?
  • whether the AMC Service provider is accompanied by an authorized Official of the Branch during his visit and any changes in the Settings made by the Engineer is being monitored by the Branch Official?
  • whether the CCTV camera is mounted at an appropriate place in the ATM room and the Branch is taking backup of footages and the same are preserved for future use, in case of need?
  • whether adequate security measures in the ATM Lobby have been taken care of by the Branch?
  • whether the Branch has deployed Security Guard for the ATM?
  • whether the ATM lobby is free from any kind of unauthorized devices?
  • whether the ATM lobby is having proper locking arrangements?
  • whether power cables, LAN cables etc. are in concealed position?

DISASTER MANAGEMENT:

  • whether Disaster Management Policy is strictly adhered to and all the required arrangements have been made?
  • whether the Branch has formed a Business Continuity Team consisting of Branch staff and they know their role and responsibility?
  • whether the Branch is maintaining proper and updated records of contact numbers and e-mail ids of the AMC providers, Local Police Station, Fire Station, and Ambulance Services on hand?

RECTIFICATION AND REPLY:

  • whether the Branch has rectified all the irregularities observed in the previous Information System Audit Reports?
  • whether the Branch has submitted their reply to the concerned Higher Office?
  • whether the reply submitted by the Branch is convincing and the Report is closed?

No comments:

Featured Post

WHAT ARE CHATBOTS? ADVANTAGES AND DISADVANTAGES OF CHATBOTS

  Chatbots are the computer program that is designed to interact with human users by engaging into conversations through messaging and voice...

Powered by Blogger.