Introduction
Although computerization involved heavy initial expenditure for the Banks (building the necessary software, procuring computer peripherals, training their staff, and so on), it has enabled the Banks to increase their customer base and grow their business many times over.
The Banks can sustain this growth only by improving their Customer Service, which in turn generates more business. Customer Service depends entirely on the Banks' systems functioning correctly, which makes it necessary to examine the Information System at periodic intervals to keep things running smoothly. Such examination is also considered a vital part of Risk Based Internal Audit (RBIA) in Banks.
In view of the above, the Information System Audit has gained momentum and has become essential in the Banking Industry. To carry it out, the Inspecting Officer should keep up to date with the handling of computers and their basic requirements. The procedure for conducting an Information System Audit is set out in detail below.
The Internal Auditing Official should verify the following:
Physical Security Verification
- whether the Branch maintains a Record of Invoices, a Hardware Configuration Register, and an Installation Report file, and whether these are updated whenever computer peripherals are received at the Branch?
- are the Computer Peripherals physically available as listed in the Office Furniture and Fixtures (OFF) Register, and are they serially numbered?
- whether unusable computer peripherals have been disposed of as per the instructions of Higher Offices (with any storage media wiped or destroyed before disposal)?
Uninterruptible Power Supply System and Network Equipment
- whether the UPS (Uninterruptible Power Supply) room and the Network equipment (Hub, Modem, Router, etc.) room are in a secluded place, with entry restricted to authorized persons only?
- is the Network equipment properly mounted as per guidelines?
- whether the UPS Room/Network equipment room has adequate ventilation and is air-conditioned, to avoid malfunctioning of the UPS/Network equipment and to reduce the fire hazard?
- whether Branch Staff are adequately trained to extinguish a fire in case of an accident in the Branch?
- are Smoke Detectors installed at appropriate places in the Branch, and are they in proper working condition?
- whether the above are covered under an AMC (Annual Maintenance Contract), and whether the AMC representatives visit the Branch to attend to the AMC work as per the contracted terms?
- whether the Branch maintains records of such visits?
- is a proper power connection available, and is earthing done properly, for the computer peripherals?
- whether no electrical equipment other than the computer peripherals is connected to the UPS?
- whether an Annual Maintenance Contract is in place for the UPS/Network equipment?
- whether records of the AMC representative's visits are properly maintained, and whether the representative visits the Branch and carries out maintenance regularly as per the Contract and whenever there is a breakdown?
- are eatables and water strictly prohibited in the UPS/Network equipment room?
- is the Data Cabling satisfactory and free from damage such as rodent bites and human interference?
- whether proper care has been taken while laying the data cable and the electrical cable to ensure that the two do not cross each other (to avoid electrical interference)?
- are the data cables properly and prominently labeled so that they can be identified easily?
Observance of Policy Guidelines
- whether the staff are adequately trained in handling IT?
- whether the staff are aware of the IT Policy of the Bank?
- whether staff lock their PCs when not in use or when they leave their workstations (and whether an automatic screen lock is configured as a fallback)?
- whether Power-on (BIOS/firmware) Passwords are set on the nodes?
- whether Password Secrecy is strictly followed in letter and spirit?
- whether any unauthorized Software has been installed on the nodes or stand-alone PCs?
- whether USB Ports are disabled on all PCs/Nodes, except on one Node enabled with the due authorization of Higher Offices?
- whether remote access is denied/disabled on all Nodes?
- whether the approved Anti-virus is installed, enabled and kept up to date on all PCs/Nodes?
- whether no Nodes are connected to unapproved/external networks such as Broadband, dial-up connections, Wi-Fi networks, etc.?
- whether the Nodes are used only by authorized persons?
- whether only one stand-alone PC is connected to the Internet?
- whether the Branch takes immediate steps to rectify telephone line faults and maintains good relations with the service provider?
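Several of the items above (USB ports, remote access, screen lock, anti-virus, unauthorized software, external network adapters) can be verified on each node rather than taken on the staff's word. The script below is an added example, not part of the original checklist or of any Bank's tooling. It assumes the nodes run Windows with Microsoft Defender, that the listed registry values are how these controls are enforced on the node (a Group Policy deployment may set equivalent values elsewhere), and it uses a placeholder approved-software list and lock timeout that the auditor would replace with the Bank's own. It is read-only: it records findings to a CSV and changes nothing on the node.

```powershell
# Added example (not the original page's or any Bank's code): read-only audit of a
# Windows branch node against several of the Policy Guidelines items above.
# Run in an elevated PowerShell session on the node being inspected.
param(
    [string[]]$ApprovedSoftware = @('Microsoft Edge', 'Microsoft Defender'),  # assumed list; replace with the Bank's approved software
    [int]$MaxLockSeconds = 300,                                              # assumed policy value for the inactivity lock
    [string]$OutCsv = "$env:COMPUTERNAME-node-audit.csv"
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Node   = $env:COMPUTERNAME
        Check  = $Check
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# 1. USB mass storage: USBSTOR Start=4 means the driver never loads; 3 means it is enabled.
$usb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue).Start
Add-Finding 'USB mass storage disabled' ($usb -eq 4) "USBSTOR Start=$usb"

# 2. Remote access: fDenyTSConnections=1 means Remote Desktop connections are refused.
$rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
Add-Finding 'Remote Desktop disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"

# 3. Automatic screen lock as the fallback for staff who walk away without locking.
#    InactivityTimeoutSecs is the machine-wide setting; 0 or absent means no enforced lock.
$lock = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
Add-Finding "Inactivity lock within $MaxLockSeconds s" ($lock -gt 0 -and $lock -le $MaxLockSeconds) "InactivityTimeoutSecs=$lock"

# 4. Anti-virus enabled and current. Get-MpComputerStatus reports Microsoft Defender only;
#    if a third-party product is the approved one, its status must be queried separately,
#    so an unavailable Defender status is reported as a finding rather than assumed fine.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Finding 'Anti-virus enabled' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "RealTimeProtection=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Anti-virus signatures under 3 days old' ($sigAge.TotalDays -lt 3) ("Signature age {0:N1} days" -f $sigAge.TotalDays)
} catch {
    Add-Finding 'Anti-virus enabled' $false 'Defender status unavailable; verify the approved product manually'
}

# 5. Unauthorized software: anything registered under the Uninstall keys that does not
#    match an entry on the approved list (prefix match, so version suffixes are tolerated).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object DisplayName | Select-Object -ExpandProperty DisplayName | Sort-Object -Unique
$unapproved = $installed | Where-Object { $name = $_; -not ($ApprovedSoftware | Where-Object { $name -like "$_*" }) }
Add-Finding 'No unauthorized software' (-not $unapproved) (($unapproved | Select-Object -First 5) -join '; ')

# 6. External network paths: any adapter that is Up and is not wired Ethernet (802.3),
#    which catches Wi-Fi (Native 802.11), mobile broadband (WirelessWAN) and Bluetooth PAN.
$external = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -ne '802.3' }
Add-Finding 'No active Wi-Fi/external adapters' (-not $external) (@($external.Name) -join ', ')

# 7. The power-on (BIOS/firmware) password cannot be read from within Windows;
#    it is recorded as a manual check at the firmware setup screen.
Add-Finding 'Power-on password set' $false 'Manual check at the firmware setup screen'

$findings | Export-Csv -Path $OutCsv -NoTypeInformation
$findings | Format-Table Check, Result, Detail -AutoSize
```

A FAIL row is a lead for the auditor, not a conclusion: the one Node authorized to have USB enabled, or the single Internet-connected stand-alone PC, will legitimately fail checks 1 and 6, and the Branch's written authorization from Higher Offices is what closes those findings.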
Password Security
- whether staff are provided with User IDs and Passwords immediately upon reporting for duty at the Branch?
- whether the staff have adequate knowledge of Password secrecy, and whether it is strictly followed?
- are staff maintaining absolute secrecy of their Passwords, and are Passwords never shared?
- whether User IDs are disabled whenever the staff member concerned is on leave, on training or otherwise absent from the Branch for the entire day (and re-enabled only on return)?
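The last item can be checked against the directory rather than the leave register alone: an enabled account belonging to the Branch that shows no logon inside the absence window is either an ID that should have been disabled or an ID whose holder is present but not using it, and both deserve a question. The script below is an added example, not part of the original checklist or of any Bank's tooling. It assumes the Branch's User IDs are Active Directory accounts under one organizational unit; the OU path and the day threshold are placeholders.

```powershell
# Added example (not the original page's or any Bank's code): list enabled AD accounts
# in a Branch OU with no recorded logon inside the absence window, i.e. IDs that the
# rule above says should have been disabled. Requires the ActiveDirectory module (RSAT).
param(
    [string]$BranchOU = 'OU=Branch0001,OU=Branches,DC=bank,DC=example',  # assumed OU; replace with the Branch's OU
    [int]$AbsentDays = 1                                                  # assumed window: absent for the entire day
)
Import-Module ActiveDirectory

# Caveat: LastLogonDate is derived from lastLogonTimestamp, which is replicated only when
# the stored value is more than roughly 14 days old, so it can under-report recent logons.
# For a one-day window, confirm candidates against each domain controller's lastLogon
# attribute or the logon events in the security log before raising a finding.
$cutoff = (Get-Date).AddDays(-$AbsentDays)

$stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $BranchOU -Properties LastLogonDate, whenCreated |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, Name, whenCreated, LastLogonDate,
        @{ n = 'DaysSinceLogon'; e = { if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } else { $null } } }

# Each row is an enabled ID with no logon inside the window. Reconcile it with the Branch
# roster: if the holder is on leave or training, the ID should already be disabled.
$stale | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Accounts with no LastLogonDate at all are listed as well, since a new joiner's ID that has never been used is worth confirming against the first check in this section (IDs issued promptly on reporting for duty).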
Training and Knowledge
- whether all the staff of the Branch have been given the necessary training in handling the systems and the Core Banking Solution (CBS)?
- are all the staff of the Branch able to attend to customers' system-related issues and provide the necessary solutions?
- whether all the staff members of the Branch are adequately familiar with the User/Operation Manuals for the Bank's Core Banking Solution packages available on the Bank's local network?
- are the staff aware that the IT/CBS circulars are available on the Bank's Intranet/local network?
Availability of Records
- whether the necessary requests have been made to Higher Offices to temporarily upgrade a lower-level staff member's powers during the absence/leave of a higher-level staff member (and whether such upgrades are reverted on the latter's return)?
- whether pre-migration records/data (data from before the CBS migration) are preserved and traceable, in case of a dispute raised by an account holder or a query from a Government agency?
- whether the documents entered in the DMS (Document Maintenance System) are up to date? (The Auditor may conduct a random check on this.)
- is the scanning of Specimen Signature cards up to date and properly done (the right Specimen Signature Card linked to the right account number), with no backlog? (The Auditor may conduct a random check on this.)
- whether Day-end reports are generated without fail, verified and duly authenticated by the authorized Officials of the Branch concerned, and preserved?
Alternative Delivery Channels
- whether the Branch replenishes Cash in the ATMs attached to the Base Branch as and when required, so that ATM users are not turned away for want of Cash?
- whether the ambiance of the ATM is good; if any improvement is required, it may be noted in the Audit Report.
- whether the ATM Room is kept properly clean?
- is the Branch taking the Journal Print log as per the instructions of Higher Offices, and are these logs maintained properly for verification?
- whether the Cash Balance in the ATM is tallied during cash loading, and whether any difference is reconciled immediately?
- whether the combination numbers of the ATM Cash Chest's dual locks are kept in sealed covers and stored under double lock, separately for each of the two Custodians?
- whether the combination numbers of the dual locks are changed at frequent intervals as per the instructions of Higher Offices?
- whether the Admin Functions are properly carried out after loading Cash in the ATM?
- whether a dispensing test is done every time cash is loaded?
- whether the ATM is properly covered under an AMC and has adequate Insurance?
- whether the AMC service provider visits the ATM for maintenance and troubleshooting, and whether proper Visit Log reports are maintained and produced for verification?
- whether the AMC Service provider's engineer is accompanied by an authorized Official of the Branch during the visit, and whether any changes the engineer makes to the settings are monitored by the Branch Official?
- is the CCTV camera mounted at an appropriate place in the ATM room, and does the Branch back up the footage and preserve it for future use if needed?
- whether the Branch has taken adequate security measures in the ATM Lobby?
- whether the Branch has deployed a Security Guard for the ATM?
- is the ATM lobby free of any unauthorized devices (for example, card skimmers or keypad overlays fitted to the machine)?
- whether the ATM lobby has proper locking arrangements?
- whether power cables, LAN cables, etc. are concealed?
Disaster Management
- whether the Disaster Management Policy is strictly adhered to and all the required arrangements have been made?
- whether the Branch has formed a Business Continuity Team of Branch staff, and whether its members know their roles and responsibilities?
- whether the Branch keeps proper, up-to-date records of the contact numbers and e-mail IDs of the AMC providers, the Local Police Station, the Fire Station and the Ambulance Services readily at hand?
Rectification and Reply
- whether the Branch has rectified all the irregularities observed in the previous Information System Audit Reports?
- whether the Branch has submitted its reply to the Higher Office concerned?
- is the reply submitted by the Branch convincing, and has the Report been closed?
Closure of the IS Audit Report
Once the Higher Offices concerned receive the Branch's reply to the IS Audit Report, it will be placed, together with the rectification of the irregularities pointed out therein, before the competent authorities for closure, and the Branch/Office shall be informed whether or not the Report has been closed.