Audit in CBS Environment

1
Audit in CBS Environment

• Session By CA. Sanjay Gupta, Delhi

2
Disclaimers

• These are my personal views and can not be
  construed to be the views of the ICAI or
  Regional Councils of ICAI.
• These views do not and shall not be considered as
  professional advice

3
Session overview

• Banking Infrastructure
• Core Banking SystemCBS
• Controls in CBS
• Audit Processes with the use of Technology
• Audit Checks Strategies

4
Banking Infrastructure

• Hardware
• Network
• PCs
• ATMs
• Cash Vending Machines
• Cheque collection Machines
• Softwares
• Basic Softwares / Operating Systems
• Special Purpose and Approved utility Software
• Firewall Intrusion Detection System
• CBS
• Support
• Whether Outsourced?
• Monitoring of Intrusions / Unauthorized
  installations

Sanjay Gupta FCA, DISA, CISA, CRISC
5
Session overview

• Banking Infrastructure
• Core Banking System
• Controls in CBS
• Audit Processes with the use of Technologies
• Audit Checks Strategies

Sanjay Gupta FCA, DISA, CISA, CRISC
6
What is CBS

• CORE stands for centralized online real-time
  environment In nutshell it means all the banks
  branches, Service Outlets (Automated or Manual),
  Back offices access application from centralized
  datacenters.
• The core banking system is the set of basic
  software components that manage the services
  provided by bank to its customers through its
  branches( branch network) The banks customers
  can make their transactions from any branch,
  ATM, Internet, Phone at their disposal.
• 
  Cont
• 
  

7
What is CBS?

• The CBS is based on Services Oriented
  Architecture(SOA). It helps banks to reduce risk
  that can result from manual data entry and out-of
  date information. It also help banks to improve
  Service Delivery quality and time to its
  customer.
• The software is installed at different branches
  of bank and then interconnected by means of
  communication lines like telephones, satellite,
  internet etc.
• 
  Cont
• 
  

8
What is CBS?

• Technology Research Company Gartner defines a
  core baking system as a back-end system that
  processes daily banking transactions, and posts
  updates to accounts and other financial records.
  Core banking system typically include deposit,
  loan and credit-processing capabilities, with
  interfaces to general ledger systems and
  reporting tools. Strategic spending on these
  systems is based on a combination of
  service-oriented architecture and supporting
  technologies that create extensible and agile
  architectures.
• 
  Cont..
• 
  

Sanjay Gupta FCA, DISA, CISA, CRISC
9
What is CBS?

• Advantages
• Multi-channel(internet, phone) support
• Multi currency support
• Multiple Lingual Support
• High Scalability
• Cut into reusable module architecture
• 
  Cont

Sanjay Gupta FCA, DISA, CISA, CRISC
10
What is CBS?List of few Core Banking System in
India World over

Package Provider
Finacle Infosys
FLEXCUBE Oracle Financial Service Software(By iflex)
TCS BANCS Tata Consultancy Services(TCS)
Alnova Financial Solutions Accenture/ Alnova
SAP Banking Services SAP AG
Sanjay Gupta FCA, DISA, CISA, CRISC
11

Sanjay Gupta FCA, DISA, CISA, CRISC
12
Session overview

• Banking Infrastructure
• Core Banking SystemCBS
• Controls in CBS
• Audit Process with the use of Technologies
• Audit Checks Strategies

Sanjay Gupta FCA, DISA, CISA, CRISC
13
Controls in CBS

• Internal Controls have been embedded in CBS at
  Data Entry Level(through Validations)and at
  processing Level also. Apart from this the Bank
  prescribes certain Manual Controls to be adhered
  to by Bank officials. Hence, it is combination of
  both Manual and Automated controls which makes a
  safe system.
• As an auditor our duty is to identify the areas,
  controls which are not consistent with the legal
  framework/ Banks Policy.
• 
  Cont

Sanjay Gupta FCA, DISA, CISA, CRISC
14
Controls in CBS

• Various types of Controls are embedded at Various
  Level in CBS. To name a few
• Application Controls
• IT Administrative Controls Security
• System Development Controls
• 
  Cont

15
Controls in CBS- Application Control

• Authorization of a transaction as per Delegated
  Authority.
• Data input( Validation) Controls
• Accessibility in software Areas as per Employee
  Grade/ Powers
• Product Level Controls
• Prefixed Financial Parameters (Like Interest
  Rate, Penal Interest rates)
• Fixed Tenure (Pre-defined terms Fixed
  Deposits/Service Types - Principle and Interest
  Repayment Type and Periodicity)
• Tax and Regulatory compliance
• Controlled Error Handling through Warning,
  Exception and Error

16
Controls in CBS-IT Admin. Control Security

• Controls are associated with processing activity
• It allows user to use the software as per Access
  Rights Table
• Confirmation/ Prior Authorization for any outside
  software installation
• To ensure encryption of Data
• To ensure no changes are effected in IT Hardware
• Logical Access Controls
• Access to system/Menu as per the Category and
  Type of Branch/SOL
• Single sign-on for all applications
• Maker Checker Control
• Security policies for all IT Assets(Incl.
  Hardware, Software, Databases etc.)

17
Controls in CBS- System Development Controls

• Testing and Program Acceptance Controls
• Amendments to Programs and maintenance of SOPs
  w.r.t. source code.
• Generation of audit trail
• Maintaining edit history
• Transaction tracking system

18
Session overview

• Banking Infrastructure
• Core banking SystemCBS
• Control in CBS
• Audit Processes with the use of Technologies
• Audit Checks Strategies

19
Audit Processes Use of Technologies

• Posers
• Why Audit processes require a drastic change as
  compared to traditional approach?
• What are the changes in Banking Industries which
  makes Traditional Audit Approach a toothless
  weapon?
• Under such a scenario what should be the
  Auditors Approach?
• Which Techniques/ Technologies to be used?
• After What and Why analysis a Question comes to
  our mind is but How to go Ahead?

20
Audit Processes Use of Technologies

• Why Audit processes require a drastic change as
  compared to Traditional Approach?
• Traditional Audit Approach
• Verification of Documents Physically
• Availability of Hard Copies for each transaction
• Number of Transactions for Audit

21
Audit Processes Use of Technologies

• What are the changes in Banking Industries which
  makes Traditional Audit Approach a toothless
  weapon?
• Number of Transactions have risen sharply
• Complexities and variety of Transactions are
  increasing at a rapid speed.
• Increased Compliance requirements
• 
  Cont
• 
  

22
Audit Processes Use of Technologies

• Use of CBS
• Processing is completely automized. Hence, a
  manual error in master Data updation has a huge
  effect on all the transactions of the same kind.
• Processing is not visible
• Lack of discipline in Access Control
• Lack of Training for New software environment
• Audit Trail may not be visible for all the type
  of transactions
• Security aspects not verified/implemented
  properly

23
Audit Processes Use of Technologies

• Under such a scenario what should be the
  Auditors Approach?
• Substantive and Compliance Testing
• Verification of Transactions as well as
  controls
• Verification of System Generated Report
• Generation of special purpose report based on
  Exception Logic through the use of SQL
• Collection of data from CBS to verify Number and
  Nature of transactions processed during a period.

24
Audit Processes Use of Technologies

• Broadly 3 main types of data files
• 1.The transaction file which contains the
  transaction of the Bank.
• 2. Master file which contains the needed
  information of items needed at the transaction
  time thus, details like Borrower/Depositors
  (Name, Address, etc) are in the master file.
• 3. Parameter Files contains control elements to
  avoid high frequency of changes. Thus the
  Interest Rate, TDS rate and Service Tax rate
  which is known to change frequently will be in a
  set of files known as Parameter files
• Master file and parameter files should be checked
  under any audit as these are sensitive areas for
  fraud and leakages.

25
Audit Processes Operational Controls

• Start with SOD!
• Whether all accounts ( Opening Closing) are
  duly authorized.
• Whether officials other that branch have
  authority to record transactions in branch books
  ?

26
Audit Processes Operational Controls

• Whether the Account Master and balance can
  modified / amended / altered except by authorized
  personnel ?
• Whether Beginning of the Day and End of the Day
  register maintained ? Whether Time is properly
  entered and time and date are normal and during
  office hours only ?
• No operation on Holidays !

27
Audit Processes Operational Controls

• Whether the records of errors arising during the
  daily operations are reported ? And how they are
  being rectified. ?
• Whether dummy accounts created using master
  creation still exist in the Branch ?
• A sample verification of SDRs / FDRs should be
  carried out to ascertain whether lien is marked
  on such deposit receipts in the system.
• Availability of command prompt ( Run cmd)
• Access to group policies ( gpedit.msc) is
  restricted.
• Access to Control Panel should be denied.

28
Audit Processes Operational Controls

• Pursue access control matrix
• Password Management and History
• Cross verify the same with actual number of users
  in the search in the branch
• Inactive users ids and guest ids
• Review the process of activation of users
• What about users transferred to other branches ?
• Review access logs
• Special emphasis on unsuccessful logon attempts

29
Audit Processes Physical Controls

• Router/ Modem/ Network equipments Entry
  restricted to Branch Manager / authorized
  personnel
• Ensure floppy/pen-drive access is not allowed on
  Nodes ( unless required )
• Hardware Access Register
• Software Patch Application Register
• PC having internet access should be separate from
  CBS computers
• ATM Cards/ Passwords envelops are stored in
  Secured Area under double lock