Audit in CBS Environment - PowerPoint PPT Presentation

Audit in CBS Environment. Session by: CA. Sanjay Gupta, Delhi (FCA, DISA, CISA, CRISC)

1
Audit in CBS Environment
  • Session By CA. Sanjay Gupta, Delhi

2
Disclaimers
  • These are my personal views and cannot be
    construed to be the views of the ICAI or
    Regional Councils of ICAI.
  • These views do not and shall not be considered as
    professional advice.

3
Session overview
  • Banking Infrastructure
  • Core Banking System (CBS)
  • Controls in CBS
  • Audit Processes with the use of Technology
  • Audit Checks & Strategies

4
Banking Infrastructure
  • Hardware
  • Network
  • PCs
  • ATMs
  • Cash Vending Machines
  • Cheque collection Machines
  • Software
  • Basic Software / Operating Systems
  • Special Purpose and Approved Utility Software
  • Firewall and Intrusion Detection System
  • CBS
  • Support
  • Whether Outsourced?
  • Monitoring of Intrusions / Unauthorized
    installations

Sanjay Gupta FCA, DISA, CISA, CRISC
5
Session overview
  • Banking Infrastructure
  • Core Banking System
  • Controls in CBS
  • Audit Processes with the use of Technologies
  • Audit Checks & Strategies

6
What is CBS
  • CORE stands for Centralized Online Real-time
    Environment. In a nutshell, it means all the bank's
    branches, service outlets (automated or manual) and
    back offices access the application from centralized
    data centers.
  • The core banking system is the set of basic
    software components that manage the services
    provided by a bank to its customers through its
    branches (branch network). The bank's customers
    can make their transactions from any branch,
    ATM, Internet or phone at their disposal.

  • Cont


7
What is CBS?
  • The CBS is based on Service Oriented
    Architecture (SOA). It helps banks to reduce risk
    that can result from manual data entry and
    out-of-date information. It also helps banks to
    improve service delivery quality and time to their
    customers.
  • The software is installed at different branches
    of the bank and then interconnected by means of
    communication lines like telephone, satellite,
    internet, etc.

  • Cont


8
What is CBS?
  • Technology research company Gartner defines a
    core banking system as a back-end system that
    processes daily banking transactions, and posts
    updates to accounts and other financial records.
    Core banking systems typically include deposit,
    loan and credit-processing capabilities, with
    interfaces to general ledger systems and
    reporting tools. Strategic spending on these
    systems is based on a combination of
    service-oriented architecture and supporting
    technologies that create extensible and agile
    architectures.

  • Cont..


9
What is CBS?
  • Advantages
  • Multi-channel (internet, phone) support
  • Multi-currency support
  • Multilingual support
  • High scalability
  • Architecture cut into reusable modules

  • Cont

10
What is CBS? List of a few Core Banking Systems in India & World over

Package                      Provider
Finacle                      Infosys
FLEXCUBE                     Oracle Financial Service Software (by iflex)
TCS BANCS                    Tata Consultancy Services (TCS)
Alnova Financial Solutions   Accenture / Alnova
SAP Banking Services         SAP AG
11

12
Session overview
  • Banking Infrastructure
  • Core Banking System (CBS)
  • Controls in CBS
  • Audit Process with the use of Technologies
  • Audit Checks & Strategies


13
Controls in CBS
  • Internal controls have been embedded in CBS at
    the data entry level (through validations) and at
    the processing level. Apart from this, the Bank
    prescribes certain manual controls to be adhered
    to by Bank officials. Hence, it is the combination
    of both manual and automated controls which makes
    a safe system.
  • As auditors, our duty is to identify the areas and
    controls which are not consistent with the legal
    framework / Bank's policy.

  • Cont

14
Controls in CBS
  • Various types of controls are embedded at various
    levels in CBS. To name a few:
  • Application Controls
  • IT Administrative Controls & Security
  • System Development Controls

  • Cont

15
Controls in CBS - Application Control
  • Authorization of a transaction as per Delegated
    Authority.
  • Data input (Validation) Controls
  • Accessibility in software areas as per Employee
    Grade / Powers
  • Product Level Controls
  • Prefixed Financial Parameters (like Interest
    Rate, Penal Interest rates)
  • Fixed Tenure (pre-defined terms: Fixed
    Deposits / Service Types - Principal and Interest
    Repayment Type and Periodicity)
  • Tax and Regulatory compliance
  • Controlled Error Handling through Warning,
    Exception and Error

16
Controls in CBS - IT Admin. Control & Security
  • Controls are associated with processing activity
  • It allows user to use the software as per Access
    Rights Table
  • Confirmation/ Prior Authorization for any outside
    software installation
  • To ensure encryption of Data
  • To ensure no changes are effected in IT Hardware
  • Logical Access Controls
  • Access to system/Menu as per the Category and
    Type of Branch/SOL
  • Single sign-on for all applications
  • Maker Checker Control
  • Security policies for all IT assets (incl.
    hardware, software, databases, etc.)

17
Controls in CBS - System Development Controls
  • Testing and Program Acceptance Controls
  • Amendments to Programs and maintenance of SOPs
    w.r.t. source code.
  • Generation of audit trail
  • Maintaining edit history
  • Transaction tracking system

18
Session overview
  • Banking Infrastructure
  • Core Banking System (CBS)
  • Control in CBS
  • Audit Processes with the use of Technologies
  • Audit Checks & Strategies

19
Audit Processes Use of Technologies
  • Posers
  • Why do audit processes require a drastic change as
    compared to the traditional approach?
  • What are the changes in the banking industry which
    make the traditional audit approach a toothless
    weapon?
  • Under such a scenario, what should be the
    auditor's approach?
  • Which techniques / technologies are to be used?
  • After the What and Why analysis, the question that
    comes to mind is: how to go ahead?

20
Audit Processes Use of Technologies
  • Why do audit processes require a drastic change as
    compared to the traditional approach?
  • Traditional Audit Approach
  • Verification of Documents Physically
  • Availability of Hard Copies for each transaction
  • Number of Transactions for Audit

21
Audit Processes Use of Technologies
  • What are the changes in the banking industry which
    make the traditional audit approach a toothless
    weapon?
  • The number of transactions has risen sharply
  • Complexity and variety of transactions are
    increasing at a rapid speed.
  • Increased Compliance requirements

  • Cont


22
Audit Processes Use of Technologies
  • Use of CBS
  • Processing is completely automated. Hence, a
    manual error in a master data update has a huge
    effect on all the transactions of the same kind.
  • Processing is not visible
  • Lack of discipline in Access Control
  • Lack of training for the new software environment
  • Audit trail may not be visible for all types
    of transactions
  • Security aspects not verified / implemented
    properly

23
Audit Processes Use of Technologies
  • Under such a scenario, what should be the
    auditor's approach?
  • Substantive and Compliance Testing
  • Verification of Transactions as well as
    controls
  • Verification of System Generated Report
  • Generation of special purpose report based on
    Exception Logic through the use of SQL
  • Collection of data from CBS to verify Number and
    Nature of transactions processed during a period.

24
Audit Processes Use of Technologies
  • Broadly, there are 3 main types of data files:
  • 1. The transaction file, which contains the
    transactions of the Bank.
  • 2. The master file, which contains the information
    needed at transaction time; thus, details like
    Borrower / Depositor (name, address, etc.) are in
    the master file.
  • 3. Parameter files, which contain control elements
    to avoid high frequency of changes. Thus the
    Interest Rate, TDS rate and Service Tax rate,
    which are known to change frequently, will be in a
    set of files known as parameter files.
  • Master files and parameter files should be checked
    under any audit as these are sensitive areas for
    fraud and leakages.

25
Audit Processes Operational Controls
  • Start with SOD!
  • Whether all accounts (Opening & Closing) are
    duly authorized.
  • Whether officials other than those of the branch
    have authority to record transactions in branch
    books?

26
Audit Processes Operational Controls
  • Whether the Account Master and balance can be
    modified / amended / altered except by authorized
    personnel?
  • Whether a Beginning of the Day and End of the Day
    register is maintained? Whether time is properly
    entered, and time and date are normal and during
    office hours only?
  • No operation on Holidays !
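
An added example (not part of the original slides) of the SQL exception logic mentioned earlier, applied to the office-hours, holiday and authorization checks above. The table layout, column names, office hours and sample rows are all assumptions constructed for illustration, not a real CBS schema.

```python
import sqlite3

# Constructed sample data; txns/holidays and their columns are hypothetical.
HOLIDAYS = ["2024-01-26"]
TXNS = [
    # txn_id, branch, maker, checker, amount, posted_at
    (1, "B001", "u101", "u201", 5000.0, "2024-01-24 11:15:00"),   # normal
    (2, "B001", "u101", "u101", 90000.0, "2024-01-24 12:40:00"),  # self-authorized
    (3, "B001", "u102", "u201", 1200.0, "2024-01-24 22:05:00"),   # after hours
    (4, "B001", "u102", "u201", 700.0, "2024-01-26 10:30:00"),    # on a holiday
    (5, "B001", "u103", None, 250.0, "2024-01-25 15:00:00"),      # no checker
]

# One row per exception; CASE reports only the first rule a transaction breaks.
EXCEPTION_SQL = """
SELECT txn_id, maker, reason FROM (
  SELECT txn_id, maker,
    CASE
      WHEN checker IS NULL THEN 'UNAUTHORIZED'
      WHEN maker = checker THEN 'MAKER_IS_CHECKER'
      WHEN date(posted_at) IN (SELECT day FROM holidays) THEN 'HOLIDAY'
      WHEN time(posted_at) NOT BETWEEN :open AND :close THEN 'OUTSIDE_HOURS'
    END AS reason
  FROM txns
) WHERE reason IS NOT NULL ORDER BY txn_id
"""

def exception_report(rows, holidays, open_t="10:00:00", close_t="17:00:00"):
    """Load an extract into an in-memory database and return the exceptions."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE txns (txn_id INTEGER, branch TEXT, maker TEXT,"
                " checker TEXT, amount REAL, posted_at TEXT)")
    con.execute("CREATE TABLE holidays (day TEXT)")
    con.executemany("INSERT INTO txns VALUES (?,?,?,?,?,?)", rows)
    con.executemany("INSERT INTO holidays VALUES (?)", [(d,) for d in holidays])
    found = con.execute(EXCEPTION_SQL, {"open": open_t, "close": close_t}).fetchall()
    con.close()
    return found

if __name__ == "__main__":
    for txn_id, maker, reason in exception_report(TXNS, HOLIDAYS):
        print(txn_id, maker, reason)
```
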

27
Audit Processes Operational Controls
  • Whether the records of errors arising during the
    daily operations are reported? And how are they
    being rectified?
  • Whether dummy accounts created using master
    creation still exist in the Branch?
  • A sample verification of SDRs / FDRs should be
    carried out to ascertain whether lien is marked
    on such deposit receipts in the system.
  • Availability of command prompt (Run cmd)
  • Access to group policies (gpedit.msc) is
    restricted.
  • Access to Control Panel should be denied.

28
Audit Processes Operational Controls
  • Peruse access control matrix
  • Password Management and History
  • Cross verify the same with actual number of users
    in the search in the branch
  • Inactive user IDs and guest IDs
  • Review the process of activation of users
  • What about users transferred to other branches ?
  • Review access logs
  • Special emphasis on unsuccessful logon attempts
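
An added example (not part of the original slides) of the user-ID review above: cross-checking the CBS user list against the branch roster and the access log. The record layout, log format, "guest" prefix convention and the 90-day and 3-failure thresholds are assumptions, and all sample data is constructed.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample inputs; field layout and log format are hypothetical.
USER_MASTER = [  # (user_id, branch, enabled, last_login)
    ("u101", "B001", True, date(2024, 3, 1)),
    ("u102", "B001", True, date(2024, 2, 28)),
    ("u103", "B001", True, date(2023, 10, 2)),   # no logon for months
    ("u104", "B001", True, date(2024, 2, 20)),   # transferred, still enabled
    ("guest1", "B001", True, date(2024, 2, 27)),
    ("u105", "B001", False, date(2023, 6, 1)),   # disabled, so not reported
]
BRANCH_ROSTER = {"u101", "u102", "u103"}  # staff actually posted at B001
ACCESS_LOG = """\
2024-03-01 09:02:11 LOGON_FAIL user=u102 node=B001-PC03
2024-03-01 09:02:40 LOGON_FAIL user=u102 node=B001-PC03
2024-03-01 09:03:05 LOGON_FAIL user=u102 node=B001-PC03
2024-03-01 09:10:00 LOGON_OK user=u101 node=B001-PC01
2024-03-01 09:12:30 LOGON_FAIL user=u101 node=B001-PC01
"""
LOG_RE = re.compile(r"^\S+ \S+ (LOGON_OK|LOGON_FAIL) user=(\S+)")

def review_users(master, roster, log_text, branch, today,
                 dormant_days=90, max_fails=3):
    """Return {user_id: [flags]} for enabled IDs that need follow-up."""
    fails = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) == "LOGON_FAIL":
            fails[m.group(2)] += 1
    findings = {}
    for uid, user_branch, enabled, last_login in master:
        if user_branch != branch or not enabled:
            continue
        flags = []
        if uid.lower().startswith("guest"):
            flags.append("GUEST_ID")
        elif uid not in roster:            # left or transferred, ID still live
            flags.append("NOT_ON_ROSTER")
        if (today - last_login).days > dormant_days:
            flags.append("DORMANT")
        if fails[uid] >= max_fails:
            flags.append("FAILED_LOGONS")
        if flags:
            findings[uid] = flags
    return findings
```
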

29
Audit Processes Physical Controls
  • Router / Modem / Network equipment: entry
    restricted to Branch Manager / authorized
    personnel
  • Ensure floppy / pen-drive access is not allowed on
    Nodes (unless required)
  • Hardware Access Register
  • Software Patch Application Register
  • PCs having internet access should be separate from
    CBS computers
  • ATM cards / password envelopes are stored in a
    secured area under double lock