Bank Audit in IT Environment – A Presentation for ICAI
CA KAVITA GORWANI
During the past few years, Information Technology has made rapid inroads into our lives in a way we could never have imagined.
Mom, When is my Happy Download Day?
How many times have I told you!
You were not downloaded. You were born…
We are currently developing an insatiable appetite for instant information, made possible by Information Technology. Information Technology has completely changed the way we lead our lives.
Every day, one trillion dollars' worth of money is transacted over the global networks. Money equal to 200 per cent of India's GDP for a whole year moves over the global financial networks in a single day.
Information Technology has forever transformed
– the way all businesses operate,
– the way communication and innovation take place, and
– the way value is delivered to customers.
The widespread use and ongoing development of Information Technology has affected business immeasurably. That is the reason the audit environment has also undergone a fundamental change.
Banking Applications Today
♦ Partial Branch Automation Software
♦ Total Branch Automation Solution
♦ Core Banking Solution
♦ Anywhere, Any-Time Banking through
– ABB at Branches
– On-Line ATMs
– Tele-Banking
Partial Branch Automation Software
♦ Not all modules in a branch use the same database, i.e. either some of the modules are not computerised, or there are separate applications for separate modules, e.g. one application for deposits (SB, FD, RD) and another for Loans and Advances (CC, OD, TL), both using separate databases.
Total Branch Automation Solution
♦ All modules computerised and running live.
♦ A branch on TBA uses its own database, which resides on the branch server and is accessed over the LAN.
♦ The application is installed either separately on each PC in the branch or on the branch server and accessed through the LAN.
♦ The branch is responsible for securing data, taking backups, etc.
♦ Examples: BancMate (PNB, BOR, Allahabad Bank, Vijaya Bank), Veermati (BOB, Dena Bank), Nelito, Bankmaster (SBI & Associates)
Core Banking Solution
♦ The most advanced form of branch computerisation.
♦ All branches on CBS use a single database.
♦ Web-enabled application and database on a central data server.
♦ Branches access the application and database through a web site.
♦ Examples: Finacle (PNB, OBC, BOR), b@ncs24 (SBI and associates), etc.
The basic tenet of audit remains the same, i.e. the reliability and integrity of data. The use of IT neither gives rise to new audit objectives nor changes them.
But the role, focus and scope of audit have certainly changed in the changed environment.
The changed environment forces auditors
• to review their audit processes and procedures in the light of the changes brought by technology to the ways of doing business and the resultant risks. It requires auditors to upgrade their professional skills with adequate knowledge of IT systems,
• to apprehend the impact of IT on the Bank's business and audit process in its right spirit, and
• also to use it while discharging their duties as auditor.
Physical Environment Vs e-Environment
♦ The controls in the two environments are different.
♦ The auditor has to consider
– the impact of Information Systems on Internal Control
– the impact of Information Systems on Audit
Impact of Information Systems on Internal Control
♦ Where an adequate system of internal control is in force, the auditor is entitled to apply appropriate test checks.
♦ In a computerised environment, most of the controls can be programmed into the system, e.g. input authorisation, sequence check, limit check, range check, validity check, maker-checker check, etc.
Impact of Information Systems on Internal Control
♦ Information systems and information systems controls allow an auditor to carry out a 100% check of transactions for certain parameters instead of sample tests, provided the auditor has evaluated the programmed controls and is satisfied that
– the controls are designed and working as contemplated, and
– the controls were in use throughout the period under review.
Impact of Information Systems on Internal Control
♦ Another considerable issue is the new form of records, electronic records, resulting in the evaporation of the paper trail of transactions.
♦ In the e-environment, business events are
– identified,
– captured,
– measured,
– categorised,
– aggregated and
– recorded
in e-form without any paper documentation.
Impact of Information Systems on Internal Control
♦ This results in an inherent inability to implement traditional internal controls like
– traditional segregation of duties,
– paper/visible audit trails,
– visible authority in the IS,
– physical control over records, etc.
Impact of Information Systems on Audit
♦ Changes in evidence collection
– System logs instead of paper audit trails
– Use of audit tools (CAATs)
♦ More emphasis on system evaluation:
– Program change control, acceptance testing
– Carrying out actual testing of applications to evaluate controls
– Evaluating the effectiveness of IS controls
Impact of Information Systems on Audit
♦ Continuous auditing techniques like Integrated Test Facility
♦ System efficiency testing through logs
♦ System security testing
♦ Review of network, OS and other system logs
♦ Review of exception reports
Potential Risk Areas in a Computerised Environment
♦ Unauthorised access into the system.
♦ Authorised access to programs used for unauthorised purposes, e.g. modification, destruction, copying or use of data stored in the computer.
♦ Ample scope for changing the data before input.
♦ In systems with weak controls, it is easy to introduce a virus into the computer system by means of a floppy or other means of access to the system.
♦ When a terminal is kept open and the user leaves it without logging out, unauthorised access by the person immediately following, or otherwise.
♦ Programmed errors are difficult to find.
♦ A programmed error might have far-reaching implications.
Advantages over Manual System
Arithmetic accuracy and uniform processing of transactions reduce audit risk, as there is no need to maintain and verify balancing ledgers and no need to verify postings if the computer system is foolproof.
Further, the system calculates interest automatically and the chances of error are limited. The clerical errors ordinarily associated with manual processing are virtually eliminated.
Challenges
♦ A single person now performs many control procedures that were performed by different persons in a manual system. This sometimes compromises the basic principle of segregation of duties and allows the performance of incompatible functions.
♦ The lack of a transaction trail and audit evidence is the biggest challenge for auditors. Electronic evidence is very fragile. In many cases, where a complex application system performs a large number of automated operations and transactions, finding a complete transaction trail is very difficult.
♦ Proper documentation is also a challenge that auditors need to cope with in the computerised environment. Some of the audit evidence may be in electronic form, and some of it cannot be retrieved again, as it is generated only once. As required by AAS 29, "The auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required."
AAS 29
After AAS 29 on Auditing in a Computerised Information Systems (CIS) Environment became operative for all audits relating to accounting periods beginning on or after 1st April 2003, the responsibility of the bank branch auditor increased manifold.
As per AAS 29, the overall objective and scope of an audit do not change in a CIS environment; however, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the entity.
AAS 29
Therefore, an auditor needs to check the various controls implemented throughout the system and their existence. A CIS environment may affect:
♦ The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems.
♦ The auditor's evaluation of inherent risk and control risk, through which the auditor assesses the audit risk.
♦ The auditor's design and performance of tests of control and substantive procedures appropriate to meet the audit objective.
♦ Auditors need to be satisfied about the existence of adequate security controls in the computer system, as well as about the implementation of these controls by the bank.
Controls in an Information System Environment
♦ All the transactions put through need to be continuously monitored for their integrity and compliance with control requirements.
Two key controls in any IT environment are:
1. Application Controls
2. Information System Controls
Application Controls
These are the controls that exist within the application software, which puts through the transactions at the branch level.
♦ For example, permitting overdrawing in any account, which should be permitted only by the authorised person and none else.
Security: Scenario
♦ PAST
– Lock
– Guard
♦ PRESENT
– Logical Access Controls
• User IDs and Passwords, PINs, Security Cards
– Physical Access Controls
• Bio-metric devices
– Environmental Controls
– Data Security Controls
• Encryption, digital signatures
Information Security Risk in a Bank
(Diagram: risk increases as the branch moves from Manual to TBA to CBS.)
♦ Networked Domain / Intranet
♦ Internal Threats
– Through: Employees / Vendors / Ex-Employees etc.
– Reasons: Sabotage / Revenge / Money
– Methods: Virus / Trojan, Denial of service attack / Trap door / Spoofing / Destruction etc.
♦ Environmental / Physical Threats
– E.g. Fire / Storms / Earthquake
♦ External Threats
– Through: Hackers / competitors / criminals etc.
– Reasons: Sabotage / Revenge / Money
– Methods: Virus / Trojan, Denial of service attack / Trap door / Spoofing / Destruction / social engineering etc.
Important Security Control Aspects
These are certain key security control aspects that a branch auditor needs to address when undertaking the audit of a computerised branch:
Evaluate Reliability of Accounting & Internal Control Systems
♦ Ensure that authorised, correct and complete data is made available for processing.
♦ Ensure that the system provides for timely detection and correction of errors.
♦ Ensure that in case of interruption due to power, mechanical or processing failures, the system restarts without distorting the completion of the entries and records.
♦ Ensure the accuracy and completeness of the entries and records.
♦ Ensure that the system provides adequate data security against fire and other calamities, wrong processing, frauds, etc.
♦ Ensure that the system prevents unauthorised amendments to the programs.
♦ Ensure that the branch provides for safe custody of the source code.
Important Security Control Aspects
Security and Control Issues Relating to Parameters
♦ Verify whether the "user levels" assigned to the staff match their responsibilities as per the manual. It is very important for the auditor to ensure that the access and authorisation rights given to various employees are proper, because unauthorised access rights given to any employee can jeopardise the whole security and control system. Verify that branch parameters are properly set.
♦ Verify that changes made to the parameters or user levels are authenticated.
♦ Verify that charges calculated manually for accounts, where the function is not regulated through parameters, are properly accounted for and authorised.
♦ Verify that all modules in the software are implemented.
Important Security Control Aspects
Security and Control Issues Relating to Operations
♦ The maker cannot be the checker of a transaction. Verify that transactions are not created and authorised by the same person.
♦ Verify that the Beginning of Day and End of Day register is properly maintained, that the time is properly entered, and that the time and date are normal and fall during office hours only.
Important Security Control Aspects
♦ Exception reports are the major audit tool. Anything that is not allowed in the normal course of business is reflected in the exception reports. Verify that the exceptional transactions report, where details of dishonoured cheques, large withdrawals, overdrawn accounts etc. are recorded, is being authorised and verified on a daily basis by the branch officials. The exception report generally contains the following details, though this varies from software to software:
– Debit/credit balance change
– Maturity record deleted
– Inactive accounts reactivated
– Excess allowed over limit
– Debits to income head accounts
– Overdue bills and bills returned
– Withdrawal against clearings
– Deposit accounts in debit balance
– Temporary O/D beyond sanction limit
– Standing instruction failed in the day
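The maker-checker, office-hours and exception-report checks on the last two slides, as an added CAAT-style example that is not part of the original presentation: it runs over a constructed transaction extract, and the field names, office hours, large-withdrawal threshold and sample rows are all assumptions.

```python
"""
Added example (not from the original presentation): a small CAAT-style pass
over a constructed branch transaction extract. It raises the exceptions the
slides ask the branch auditor to look for: maker and checker being the same
user, postings outside office hours or on a non-working day, large
withdrawals, deposit accounts going into debit balance and excess allowed
over the sanctioned limit. Field names, thresholds, office hours and the
sample rows are assumptions for illustration only.
"""
from datetime import datetime, time
from decimal import Decimal

# Constructed sample extract. Amounts and balances are strings so that they
# are handled with Decimal (never float), as a financial CAAT should.
SAMPLE_TXNS = [
    {"id": "T001", "acct": "SB0001", "type": "SB", "dc": "D", "amount": "15000",
     "maker": "U101", "checker": "U205", "posted": "2009-03-02 11:05",
     "balance_after": "42000", "sanction_limit": "0"},
    {"id": "T002", "acct": "SB0001", "type": "SB", "dc": "D", "amount": "60000",
     "maker": "U101", "checker": "U101", "posted": "2009-03-02 11:40",
     "balance_after": "-18000", "sanction_limit": "0"},
    {"id": "T003", "acct": "CC0007", "type": "CC", "dc": "D", "amount": "250000",
     "maker": "U102", "checker": "U205", "posted": "2009-03-02 22:15",
     "balance_after": "-1250000", "sanction_limit": "1000000"},
    {"id": "T004", "acct": "TL0003", "type": "TL", "dc": "C", "amount": "5000",
     "maker": "U103", "checker": "U205", "posted": "2009-03-01 10:00",
     "balance_after": "-300000", "sanction_limit": "400000"},
]

OFFICE_HOURS = (time(9, 30), time(18, 0))   # assumed branch working hours
NON_WORKING_WEEKDAYS = {6}                   # assumed: Sunday (Monday == 0)
LARGE_WITHDRAWAL = Decimal("50000")          # assumed reporting threshold
DEPOSIT_TYPES = {"SB", "FD", "RD"}           # deposit modules per the slides
LIMIT_TYPES = {"CC", "OD"}                   # running-limit accounts


def review_transaction(txn):
    """Return the exception codes raised by one transaction, in check order."""
    findings = []
    amount = Decimal(txn["amount"])
    balance = Decimal(txn["balance_after"])
    limit = Decimal(txn["sanction_limit"])
    posted = datetime.strptime(txn["posted"], "%Y-%m-%d %H:%M")

    # Maker-checker: the user who creates a transaction must not authorise it.
    if txn["maker"] == txn["checker"]:
        findings.append("MAKER_IS_CHECKER")
    # BOD/EOD register check: postings should fall on working days, in hours.
    if posted.weekday() in NON_WORKING_WEEKDAYS:
        findings.append("NON_WORKING_DAY")
    elif not (OFFICE_HOURS[0] <= posted.time() <= OFFICE_HOURS[1]):
        findings.append("OUTSIDE_OFFICE_HOURS")
    # Exception-report items listed on the slide.
    if txn["dc"] == "D" and amount >= LARGE_WITHDRAWAL:
        findings.append("LARGE_WITHDRAWAL")
    if txn["type"] in DEPOSIT_TYPES and balance < 0:
        findings.append("DEPOSIT_ACCT_DEBIT_BALANCE")
    if txn["type"] in LIMIT_TYPES and -balance > limit:
        findings.append("EXCESS_OVER_LIMIT")
    return findings


def exception_report(txns):
    """Map transaction id -> findings for every transaction that raised any."""
    report = {}
    for txn in txns:
        findings = review_transaction(txn)
        if findings:
            report[txn["id"]] = findings
    return report


if __name__ == "__main__":
    for txn_id, codes in exception_report(SAMPLE_TXNS).items():
        print(txn_id, ", ".join(codes))
```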
Important Security Control Aspects
♦ Verify that inoperative or dormant accounts are operated only after authorisation by a supervisor.
♦ Verify that balances are downloaded to a PC daily from the server.
♦ Verify that the account master and balances cannot be modified/amended/altered except by authorised personnel. If any other person can do so, a serious security threat exists.
♦ Verify that the branch has posted a System Administrator and that there is a system of changing the system administrator at periodic intervals.
♦ Check that the record of errors arising during daily operations is reported and properly dealt with. It
Important Security Control Aspects
♦ Verify that interest indicators are correctly set for all types of account. Ensure that the interest rate applied is as per the sanction order.
♦ It is also very important for the auditor to test check interest by manual calculation for a large account and compare it with the computer-generated amount. Sometimes the program does not apply the correct interest logic for all types of account, and there may also be inaccuracy in interest calculation due to faulty programming. There is no need to check all the accounts; it is enough if at least one account of each account type is checked for accuracy of interest application.
♦ Verify that all standing instructions/stop payment instructions are properly updated in the system.
Important Security Control Aspects
♦ Verify that a lien is marked in the system against fixed deposits pledged for loans, so that no payment can be made against them without cancellation of the lien.
♦ Verify that all account openings and closings are duly authorised.
♦ Verify that all creations and cancellations of liens in the computer are properly authorised.
♦ Verify that all the GL account codes authorised by HO exist in the system.
♦ Verify that the balance in the GL tallies with the balance in the subsidiary book. A computerised environment does not necessarily mean that these are tallied automatically.
Important Security Control Aspects
♦ Verify that periodical updating of drawing power is done in the computer. If it is not updated regularly, the actual drawing power and the drawing power entered in the computer may differ and the system may allow unauthorised overdrawing.
♦ Verify that charges like folio charges, minimum balance breach charges etc. are collected/charged in the account by the system for all eligible accounts. There is no need to check all the accounts; it is enough if at least one account of each account type is checked.
Important Security Control Aspects
Security Issues Relating to User IDs and Passwords
♦ Verify that passwords are changed at regular intervals and that the branch staff do not know the Manager's password, because the whole computerised system works on authorisations and passwords only.
♦ Verify that important passwords, like those of the DBA and branch managers, are kept in a sealed cover with the branch manager, so that in case of emergency and the absence of any of them the passwords can be used to run the system properly.
Important Security Control Aspects
♦ Verify that the passwords of staff on long leave are deactivated, so that nobody else can make unauthorised use of them.
♦ Verify that no two or more identical user IDs exist in the same branch.
♦ Verify that dummy accounts created using master creation do not exist in the branch.
♦ Verify whether staff who have been transferred or retired still have user IDs in the system.
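The user ID checks on this and the preceding slides (user levels against responsibilities, password change interval, staff on long leave, duplicate IDs, transferred or retired staff), as an added reconciliation example that is not part of the original presentation; the user-master fields, the HR roster, the 90-day interval and the sample data are assumptions.

```python
"""
Added example (not from the original presentation): reconciling the
application's user master against the branch HR roster, as the slides on
user IDs and parameters ask the auditor to do. It flags duplicate user IDs,
IDs still active for staff on long leave or transferred/retired, user levels
that do not match the designation in the manual, vendor-created IDs and
passwords not changed within the interval. Field names, the 90-day interval
and the sample data are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from datetime import date

AS_OF = date(2009, 3, 31)   # assumed audit date

# Constructed user-master extract (what the branch administrator would print
# from the application). "level" is the access level assigned in the system.
SYSTEM_USERS = [
    {"user_id": "U101", "level": "CLERK",   "status": "ACTIVE", "pwd_changed": "2009-02-20", "created_by": "ADMIN"},
    {"user_id": "U102", "level": "OFFICER", "status": "ACTIVE", "pwd_changed": "2008-11-05", "created_by": "ADMIN"},
    {"user_id": "U103", "level": "CLERK",   "status": "ACTIVE", "pwd_changed": "2009-03-01", "created_by": "ADMIN"},
    {"user_id": "U103", "level": "OFFICER", "status": "ACTIVE", "pwd_changed": "2009-03-01", "created_by": "ADMIN"},
    {"user_id": "U104", "level": "CLERK",   "status": "ACTIVE", "pwd_changed": "2009-03-10", "created_by": "ADMIN"},
    {"user_id": "U205", "level": "MANAGER", "status": "ACTIVE", "pwd_changed": "2009-02-28", "created_by": "ADMIN"},
    {"user_id": "VND1", "level": "DBA",     "status": "ACTIVE", "pwd_changed": "2007-06-01", "created_by": "VENDOR"},
]

# Constructed HR roster: designation per the manual, and current HR status.
HR_ROSTER = {
    "U101": {"designation": "CLERK",   "status": "WORKING"},
    "U102": {"designation": "CLERK",   "status": "LONG_LEAVE"},
    "U103": {"designation": "CLERK",   "status": "WORKING"},
    "U104": {"designation": "CLERK",   "status": "TRANSFERRED"},
    "U205": {"designation": "MANAGER", "status": "WORKING"},
}

LEFT_STATUSES = {"TRANSFERRED", "RETIRED"}


def review_users(system_users, roster, as_of=AS_OF, max_pwd_age_days=90):
    """Return {user_id: sorted findings} for every user with a finding."""
    findings = defaultdict(set)
    counts = Counter(u["user_id"] for u in system_users)

    for u in system_users:
        uid = u["user_id"]
        hr = roster.get(uid)
        if counts[uid] > 1:
            findings[uid].add("DUPLICATE_USER_ID")
        if u["created_by"] == "VENDOR":
            findings[uid].add("VENDOR_CREATED_ID")
        if hr is None:
            findings[uid].add("NOT_ON_ROSTER")
        else:
            # User level in the system must match the designation in the manual.
            if u["level"] != hr["designation"]:
                findings[uid].add("LEVEL_MISMATCH")
            if u["status"] == "ACTIVE" and hr["status"] in LEFT_STATUSES:
                findings[uid].add("STAFF_LEFT_ID_ACTIVE")
            if u["status"] == "ACTIVE" and hr["status"] == "LONG_LEAVE":
                findings[uid].add("LONG_LEAVE_ID_ACTIVE")
        if u["status"] == "ACTIVE":
            changed = date.fromisoformat(u["pwd_changed"])
            if (as_of - changed).days > max_pwd_age_days:
                findings[uid].add("PASSWORD_OVERDUE")

    return {uid: sorted(codes) for uid, codes in findings.items()}


if __name__ == "__main__":
    for uid, codes in review_users(SYSTEM_USERS, HR_ROSTER).items():
        print(uid, ", ".join(codes))
```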
Important Security Control Aspects
Security and Control Issues Relating to Backups
♦ Verify that the branch takes daily and monthly backups. The backup media should be duly labelled and properly indexed, and should be maintained under joint custody.
♦ Ideally, daily backups should be taken in 6 sets, one for each weekday, and 12 sets of month-end backups.
♦ Verify that a one-time backup of the program is taken and preserved. The backup should be updated for every change in the program.
Important Security Control Aspects
♦ Verify that a backup register is maintained and updated.
♦ Verify that backups are tested for readability on a regular basis. A record of verification and testing should be properly maintained.
♦ It is desirable that the backup is restored on some other system to check data readability.
♦ Verify that the procedure to take interim backups is followed by the branch.
Important Security Control Aspects
♦ Verify that the backup media are stored in a fireproof cabinet secured with lock and key.
♦ Verify that offsite backups are preserved for emergencies.
♦ Verify that yearly data is downloaded to optical disk/CD-ROM.
♦ It is important to see that old records are preserved on floppy, CD-ROM or hard copies.
♦ Where an extra server is installed for copying the data, auditors should verify that disk mirroring is taking place properly.
Important Security Control Aspects
Security and Control Issues Relating to Reports/Registers
♦ Verify that the user ID register, password register, floppy register and checksum register are maintained and updated.
♦ Verify that the reports generated by the system are checked and signed by the officer.
♦ Verify that an asset register containing details of all the computers and peripherals is maintained at the branch.
♦ Verify that manuals and CPPD guidelines are readily available at the branch.
Important Security Control Aspects
Insurance
♦ Verify that the insurance policy for the computers is on record.
♦ Verify that the Annual Maintenance Contracts for UPS/computers are renewed on the due date.
Vendors
♦ Verify that user IDs created by the vendor do not exist in the system.
♦ Verify that a list of standard directories/files is available at the branch.
♦ Verify that the vendor's contact numbers are readily available with the branch.
♦ Verify that software vendors are allowed to port new versions only with the approval of ITD/nodal offices.
Important Security Control Aspects
General
♦ Verify that antivirus software of the latest version is installed on the servers/PCs of branches to prevent data corruption, and is being regularly updated with new virus definitions.
♦ Verify that access to the computer room is restricted to authorised persons only.
♦ Verify that users log out every time they leave the terminal. It has been observed that bank staff leave the terminal without logging out, and the terminal is then exposed to serious security threats.
♦ Verify that unauthorised software/games do not exist on the system; these could be a source of viruses and data corruption.
CA KAVITA GORWANI
Thanks for being nice & giving a patient hearing

Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 

Recently uploaded (20)

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 

Bankauditin it env

  • 1. Bank Audit in IT Environment – A Presentation for ICAI
  CA KAVITA GORWANI

  • 2. During the past few years, Information Technology has made rapid inroads into our lives in a way we could never have imagined.

  • 3. Mom, when is my Happy Download Day?

  • 4. How many times have I told you! You were not downloaded. You were born…

  • 5. We are currently developing an insatiable appetite for instant information, made possible by Information Technology. Information Technology has completely changed the way we lead our lives.

  • 6. Every day, one trillion dollars' worth of money is transacted over the global networks. Money equal to 200 per cent of India's GDP over a whole year moves over the global financial networks in a single day. Information Technology has forever transformed
  – the way all businesses operate,
  – the way communication and innovation take place, and
  – the way value is delivered to the customers.

  • 7. The widespread use and ongoing development of Information Technology has affected business immeasurably. That is the reason the audit environment has also undergone a chemical change.

  • 8. Banking Applications Today
  ♦ Partial Branch Automation Software
  ♦ Total Branch Automation Solution
  ♦ Core Banking Solution
  ♦ Anywhere Any-Time Banking through
  – ABB at Branches
  – On-Line ATMs
  – Tele-Banking

  • 9. Partial Branch Automation Software
  ♦ All modules in a branch do not use the same database, i.e. either some of the modules are not computerised, or separate applications are used for separate modules, e.g. one application for deposits (SB, FD, RD) and another for Loans and Advances (CC, OD, TL), both using separate databases.

  • 10. Total Branch Automation Solution
  ♦ All modules computerised and running live.
  ♦ A branch on TBA uses its own database, which resides on the branch server and is accessed through the LAN.
  ♦ The application is installed either separately on each PC in the branch or on the branch server and accessed through the LAN.
  ♦ The branch is responsible for securing data, taking backups etc.
  ♦ Examples: BancMate (PNB, BOR, Allahabad Bank, Vijaya Bank), Veermati (BOB, Dena Bank), Nelito, Bankmaster (SBI & Associates).

  • 11. Core Banking Solution
  ♦ Most advanced version of branch computerisation.
  ♦ All branches on CBS use a single database.
  ♦ Web-enabled application and database on a central data server.
  ♦ Branches access the application and database through a web-site.
  ♦ Examples: Finacle (PNB, OBC, BOR), b@ncs24 (SBI and associates) etc.

  • 12. The basic tenet of audit remains the same, i.e. reliability and integrity of data. Use of IT does not give rise to new audit objectives, nor does it change them. But the role, focus and scope of audit have certainly changed in the changed environment.

  • 13. The changed environment forces the auditors
  ♦ to review their audit processes and procedures in the light of the changes brought by technology in the ways of doing business and the resultant risks. It requires auditors to upgrade their professional skills with adequate knowledge of IT systems,
  ♦ to apprehend their impact on the Bank's business and audit process in its right spirit, and
  ♦ also to use it while discharging their duties as auditor.

  • 14. Physical Environment vs e-Environment
  ♦ The controls in the two environments are different.
  ♦ The auditor has to consider
  – the impact of Information Systems on Internal Control, and
  – the impact of Information Systems on Audit.

  • 15. Impact of Information Systems on Internal Control
  ♦ Where an adequate system of internal control is in force, the auditor is entitled to apply appropriate test checks.
  ♦ In a computerised environment, most of the controls can be programmed into the system, like input authorisation, sequence check, limit check, range check, validity check, maker-checker check etc.

  • 16. Impact of Information Systems on Internal Control
  ♦ Information systems and information systems controls allow an auditor to carry out a 100% check of transactions for certain parameters instead of carrying out sample tests, provided the auditor has evaluated the programmed controls and is satisfied that
  – the controls are designed and working as contemplated, and
  – the controls were in use throughout the period under review.

  • 17. Impact of Information Systems on Internal Control
  ♦ Another considerable issue is the new form of records, electronic records, resulting in the evaporation of the paper trail of transactions.
  ♦ In the e-environment, business events are
  – identified,
  – captured,
  – measured,
  – categorised,
  – aggregated and
  – recorded
  in e-form without any paper documentation.

  • 18. Impact of Information Systems on Internal Control
  ♦ It results in an inherent inability to implement traditional internal controls like
  – traditional segregation of duties,
  – paper/visible audit trails,
  – visible authority in the IS,
  – physical control over records etc.

  • 19. Impact of Information Systems on Audit
  ♦ Changes in evidence collection
  – System logs instead of paper audit trails
  – Use of audit tools (CAATs)
  ♦ More emphasis on system evaluation:
  – Program change control, acceptance testing;
  – Carrying out actual testing of applications to evaluate controls;
  – Evaluating the effectiveness of IS controls

  • 20. Impact of Information Systems on Audit
  ♦ Continuous auditing techniques like Integrated Test Facility
  ♦ System efficiency testing through logs
  ♦ System security testing
  ♦ Review of network, OS and other system logs
  ♦ Review of exception reports

  • 21. Potential Risk Areas in a Computerised Environment
  ♦ Unauthorised access into the system.
  ♦ Authorised access to a programme for an unauthorised purpose, e.g. modification, destruction, copying/using data stored in the computer.
  ♦ Ample scope for changing the data before input.
  ♦ In systems with weak control, it is easy to insert a virus into the computer system by use of a floppy or other means of access to the system.
  ♦ When a terminal is kept open and the user leaves the terminal without logging out, unauthorised access by the person immediately following, or otherwise.
  ♦ Programmed errors are difficult to find.
  ♦ A programmed error might have far-reaching implications.

  • 22. Advantages over Manual System
  Arithmetic accuracy and uniform processing of transactions reduce the audit risk, as there is no need to maintain and verify balancing ledgers and no need to verify postings if there is a fool-proof computer system. Further, the system calculates interest automatically and the chances of error are limited. The clerical errors ordinarily associated with manual processing are virtually eliminated.

  • 23. Challenges
  ♦ A single person now performs many control procedures that were performed by different persons in the manual system. Thus, it sometimes compromises the basic principle of segregation of duties and allows the performance of incompatible functions.
  ♦ The lack of a transaction trail and audit evidence is the biggest challenge for auditors. Electronic evidence is very fragile. In many cases, where a complex application system performs a large number of automated operations and transactions, finding a complete transaction trail is very difficult.
  ♦ Proper documentation is also a challenge, which auditors need to cope with in the computerised environment. Some of the audit evidence may be in electronic form, and some of it cannot be retrieved again as it is generated once only. As required by AAS 29, "The auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required."

  • 24. AAS 29
  After AAS 29 on Auditing in a Computerised Information Systems (CIS) Environment became operative for all audits related to accounting periods beginning on or after 1st April 2003, the responsibility of the bank branch auditor has increased manifold. As per AAS 29, the overall objective and scope of an audit do not change in a CIS environment; however, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the entity.

  • 25. AAS 29
  Therefore, an auditor needs to check the various controls implemented throughout the system and their existence. A CIS environment may affect:
  ♦ The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems.
  ♦ The auditor's evaluation of inherent risk and control risk, through which the auditor assesses the audit risk.
  ♦ The auditor's design and performance of tests of control and substantive procedures appropriate to meet the audit objective.
  ♦ Auditors need to be satisfied about the existence of adequate security controls in the computer system, as also about the implementation of these controls by the bank.

  • 26. Controls in an Information System Environment
  ♦ All the transactions put through need to be continuously monitored for their integrity and compliance with control requirements. Two key controls in any IT environment are:
  1. Application Controls
  2. Information System Controls

  • 27. Application Controls
  These are the controls that exist within the application software which puts through the transactions at the branch level.
  ♦ For example, permitting overdrawing in any account, which should be allowed only by the authorised person and none else.

  • 28. Security: Scenario
  ♦ PAST
  – Lock
  – Guard
  ♦ PRESENT
  – Logical Access Controls: user IDs and passwords, PINs, security cards
  – Physical Access Controls: bio-metric devices
  – Environmental Controls
  – Data Security Controls: encryption, digital signatures

  • 29. Information Security Risk in a Bank
  [Slide diagram: risk increases from Manual to TBA to CBS within a networked domain/intranet.]
  ♦ Internal threats: through employees, vendors, ex-employees etc. Reasons: sabotage, revenge, money. Methods: virus/trojan, denial of service attack, trap door, spoofing, destruction etc.
  ♦ External threats: through hackers, competitors, criminals etc. Reasons: sabotage, revenge, money. Methods: virus/trojan, denial of service attack, trap door, spoofing, destruction, social engineering etc.
  ♦ Environmental/physical threats, e.g. fire, storms, earthquake.

  • 30. Important Security Control Aspects
  These are certain key security control aspects that a branch auditor needs to address when undertaking the audit of a computerised branch.
  Evaluate Reliability of Accounting & Internal Control Systems
  ♦ Ensure that authorised, correct and complete data is made available for processing.
  ♦ Ensure that the system provides for timely detection and correction of errors.
  ♦ Ensure that, in case of interruption due to power, mechanical or processing failures, the system restarts without distorting the completion of the entries and records.
  ♦ Ensure the accuracy and completeness of the entries and records.
  ♦ Ensure the system provides adequate data security against fire and other calamities, wrong processing, frauds etc.
  ♦ Ensure that the system prevents unauthorised amendments to the programmes.
  ♦ Ensure that the branch provides for safe custody of the source code.

  • 31. Important Security Control Aspects: Security and Control Issues Relating to Parameters
  ♦ Verify whether the "user levels" assigned to the working staff match their responsibilities as per the manual. It is very important for the auditor to ensure that the access and authorisation rights given to various employees are proper, because unauthorised access rights given to any employee can jeopardise the whole security and control system. Verify that branch parameters are properly set.
  ♦ Verify that changes made in the parameters or user levels are authenticated.
  ♦ Verify that charges calculated manually for accounts, when the function is not regulated through parameters, are properly accounted for and authorised.
  ♦ Verify that all modules in the software are implemented.

  • 32. Important Security Control Aspects: Security and Control Issues Relating to Operations
  ♦ The maker cannot be the checker of a transaction. Verify that transactions are not created and authorised by the same person.
  ♦ Verify that the Beginning of the Day and End of the Day register is properly maintained, that the time is properly entered and that the time and date are normal and during office hours only.

  • 33. Important Security Control Aspects
  ♦ Exception reports are the major audit tool. Anything that is not allowed in the normal course of business is reflected in the exception reports. Verify that the exceptional transactions report, where details of dishonoured cheques, large withdrawals, overdrawn accounts etc. are recorded, is authorised and verified on a daily basis by the branch officials. The exception report generally contains the following details, though it varies from software to software:
  – Debit/credit balance change
  – Maturity record deleted
  – Inactive accounts reactivated
  – Excess allowed over limit
  – Debits to income head accounts
  – Overdue bills and bills returned
  – Withdrawal against clearings
  – Deposit accounts in debit balance
  – Temporary O/D beyond sanction limit
  – Standing instruction failed in the day

  • 34. Important Security Control Aspects
  ♦ Verify that inoperative or dormant accounts are operated only after authorisation by a supervisor.
  ♦ Verify that balances are downloaded to a PC daily from the server.
  ♦ Verify that the account master and balance cannot be modified/amended/altered except by authorised personnel. If any other person can do it, a serious security threat exists.
  ♦ Verify that the branch has posted a System Administrator and that there is a system of changing the system administrator at periodic intervals.
  ♦ Check that the record of errors arising during daily operations is reported and properly dealt with. It

  • 35. Important Security Control Aspects
  ♦ Verify that interest indicators are correctly given for all types of account. Ensure that the interest rate applied is as per the sanction order.
  ♦ It is also very important for the auditor to test-check interest by manual calculation for a large account and compare it with the computer-generated amount. Sometimes the programme does not apply the correct interest logic for all types of accounts, and there may also be inaccuracy in interest calculation due to faulty programming. There is no need to check all the accounts; it is enough if at least one account of each account type is checked for accuracy of interest application.
  ♦ Verify that all standing instructions/stop payment instructions are properly updated in the system.

  • 36. Important Security Control Aspects
  ♦ Verify that a lien is marked in the system against fixed deposits pledged for taking loans, so that no payment can be made against them without cancellation of the lien.
  ♦ Verify that all accounts (opening and closing) are duly authorised.
  ♦ Verify that all creation and cancellation of liens in the computer are properly authorised.
  ♦ Verify that all the GL account codes authorised by HO exist in the system.
  ♦ Verify that the balance in the GL tallies with the balance in the subsidiary book. A computerised environment does not necessarily mean that these are automatically tallied.

  • 37. Important Security Control Aspects
  ♦ Verify that periodical updating of drawing power is done in the computer. If it is not updated in the computer regularly, the actual drawing power and the drawing power entered in the computer may differ and the system may allow unauthorised overdrawing.
  ♦ Verify that charges like folio charges, minimum balance breach charges etc. are collected/charged in the account by the system for all eligible accounts. There is no need to check all the accounts; it is enough if at least one account of each account type is checked for accuracy of interest application.

  • 38. Important Security Control Aspects: Security Issues Relating to User IDs and Passwords
  ♦ Verify that passwords are changed at regular intervals and that the branch staff do not know the Manager's password, because the whole computerised system works on authorisations and passwords only.
  ♦ Verify that important passwords, like those of the DBA and branch managers, are kept in a sealed cover with the branch manager, so that in case of emergency and the absence of any of them the passwords can be used to run the system properly.

  • 39. Important Security Control Aspects
  ♦ Verify that passwords of staff on long leave are deactivated, so that nobody else can make unauthorised use of them.
  ♦ Verify that no two or more identical user IDs exist in the same branch.
  ♦ Verify that dummy accounts created using master creation do not exist in the branch.
  ♦ Verify whether staff who have been transferred/retired still have a user ID in the system.

  • 40. Important Security Control Aspects: Security and Control Issues Relating to Backups
  ♦ Verify that the branch takes daily and monthly backups. The backup media should be duly labelled and indexed properly and should be maintained under joint custody.
  ♦ Ideally, the daily backup should be taken in 6 sets, one for each weekday, and 12 sets for month-ends.
  ♦ Verify that a one-time backup of the programme is taken and preserved. The backup should be updated for every change in the programme.

  • 41. Important Security Control Aspects
  ♦ Verify that a backup register is maintained and updated.
  ♦ Verify that the backup is tested for readability on a regular basis. A record of verification and testing should be properly maintained.
  ♦ It is desirable that the backup is restored on some other system for checking data readability.
  ♦ Verify that the procedure to take interim backups is followed by the branch.

  • 42. Important Security Control Aspects
  ♦ Verify that the backup media is stored in a fireproof cabinet secured with lock and key.
  ♦ Verify that offsite backups are preserved for emergencies.
  ♦ Verify that yearly data is downloaded to an optical disk/CD-ROM.
  ♦ It is important to see that old records are preserved on floppy, CD-ROM or hard copies.
  ♦ Where an extra server is installed for copying the data, auditors should verify that disk mirroring is taking place properly.

  • 43. Important Security Control Aspects: Security and Control Issues Relating to Reports/Registers
  ♦ Verify that the user ID register, password register, floppy register and checksum register are maintained and updated.
  ♦ Verify that the reports generated by the system are checked and signed by the officer.
  ♦ Verify that an asset register containing details of all the computers and peripherals is maintained at the branch.
  ♦ Verify that manuals and CPPD guidelines are readily available at the branch.

  • 44. Important Security Control Aspects: Insurance
  ♦ Verify that the insurance policy of the computers is on record.
  ♦ Verify that the Annual Maintenance Contracts for UPS/computers are renewed on the due date.
  Vendors
  ♦ Verify that user IDs created by the vendor do not exist in the system.
  ♦ Verify that a list of standard directories/files is available at the branch.
  ♦ Verify that the vendor's contact numbers are easily available with the branch.
  ♦ Verify that software vendors are allowed to port new versions only with the approval of ITD/nodal offices.

  • 45. Important Security Control Aspects: General
  ♦ Verify that the latest version of antivirus software is installed on the servers/PCs of branches to prevent data corruption, and is being regularly updated with new virus definitions.
  ♦ Verify that access to the computer room is restricted to authorised persons only.
  ♦ Verify that users log out every time they leave the terminal. It has been observed that bank staff leave the terminal without logging out, exposing the terminal to serious security threats.
  ♦ Verify that unauthorised software/games do not exist in the system; these could be a source of viruses and data corruption.

  • 46. CA KAVITA GORWANI
  Thanks for being nice & giving a patient hearing
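The slides above describe the branch auditor's checks in words; what follows is an added example, written for this page and not taken from the presentation or from any bank's software, of how several of them can be run as computer-assisted audit techniques (CAATs, slide 19) over a day's branch extract: the maker-checker test of slide 32, the exception-report items of slide 33 (large withdrawals, dormant accounts operated, deposit accounts in debit balance, excess over sanction limit), the manual interest test-check of slide 35, and the user-ID hygiene points of slide 39 (duplicate IDs, transferred or retired staff and vendor IDs still active, long leave not deactivated). Every record, field name, user ID, threshold and rate in the block is constructed for the illustration; real bank extracts will have different layouts, and the 30-day leave cut-off and the 5,00,000 withdrawal threshold are assumptions to be replaced by the bank's own parameters.

```python
"""Branch-level CAAT checks: a constructed illustration, not the presentation's code.

Covers maker-checker (slide 32), exception report items (slide 33),
interest test-check (slide 35) and user-ID hygiene (slide 39).
All records, field names, thresholds and user IDs below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Optional, Tuple

LARGE_WITHDRAWAL = Decimal("500000")      # assumed reporting threshold
DEPOSIT_KINDS = ("SB", "CA", "FD", "RD")  # a debit balance here is an exception
ADVANCE_KINDS = ("CC", "OD")              # debit balance allowed up to the sanction limit


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: Decimal          # positive = credit, negative = debit
    maker: str               # user ID that entered the transaction
    checker: Optional[str]   # user ID that authorised it; None = never authorised


@dataclass(frozen=True)
class Account:
    number: str
    kind: str                # SB, CA, FD, RD, CC or OD
    balance: Decimal         # end-of-day balance, negative = debit balance
    sanction_limit: Decimal  # 0 for deposit accounts
    dormant: bool


@dataclass(frozen=True)
class User:
    user_id: str
    active: bool
    status: str              # working | on_leave | transferred | retired | vendor
    leave_from: Optional[date] = None


def maker_checker_breaches(txns: List[Txn]) -> List[str]:
    """Slide 32: entries authorised by their own maker, or never authorised at all."""
    return [t.txn_id for t in txns if t.checker is None or t.checker == t.maker]


def exception_report(accounts: List[Account], txns: List[Txn]) -> List[Tuple[str, str, str]]:
    """Slide 33: (reason, account, detail) lines a daily exception report would carry."""
    by_number = {a.number: a for a in accounts}
    lines = []
    for t in txns:
        if t.amount < 0 and -t.amount >= LARGE_WITHDRAWAL:
            lines.append(("LARGE WITHDRAWAL", t.account, t.txn_id))
        a = by_number.get(t.account)
        if a is not None and a.dormant:
            lines.append(("INACTIVE ACCOUNT OPERATED", t.account, t.txn_id))
    for a in accounts:
        if a.kind in DEPOSIT_KINDS and a.balance < 0:
            lines.append(("DEPOSIT ACCOUNT DEBIT BALANCE", a.number, str(a.balance)))
        if a.kind in ADVANCE_KINDS and -a.balance > a.sanction_limit:
            lines.append(("EXCESS OVER LIMIT", a.number, str(-a.balance - a.sanction_limit)))
    return lines


def simple_interest(principal, rate_pct, days: int, basis: int = 365) -> Decimal:
    """Slide 35: recompute simple interest by hand to compare with the system figure."""
    p, r = Decimal(str(principal)), Decimal(str(rate_pct))
    interest = p * r / Decimal(100) * Decimal(days) / Decimal(basis)
    return interest.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def interest_matches(system_figure, principal, rate_pct, days: int, tolerance="0.05") -> bool:
    """True when the system-generated interest is within a rounding tolerance of the recomputation."""
    diff = abs(Decimal(str(system_figure)) - simple_interest(principal, rate_pct, days))
    return diff <= Decimal(str(tolerance))


def user_id_findings(users: List[User], today: date, long_leave_days: int = 30) -> List[Tuple[str, str]]:
    """Slide 39: duplicate IDs, live IDs of transferred/retired staff or vendors, long leave."""
    findings, counts = [], {}
    for u in users:
        counts[u.user_id.lower()] = counts.get(u.user_id.lower(), 0) + 1
    findings += [("DUPLICATE USER ID", uid) for uid, n in counts.items() if n > 1]
    for u in users:
        if not u.active:
            continue
        if u.status in ("transferred", "retired"):
            findings.append(("TRANSFERRED/RETIRED STAFF STILL ACTIVE", u.user_id))
        elif u.status == "vendor":
            findings.append(("VENDOR ID STILL ACTIVE", u.user_id))
        elif u.status == "on_leave" and u.leave_from and (today - u.leave_from).days > long_leave_days:
            findings.append(("LONG LEAVE ID NOT DEACTIVATED", u.user_id))
    return findings


# Constructed sample extract standing in for one day's branch data.
SAMPLE_ACCOUNTS = [
    Account("SB001", "SB", Decimal("-1500"), Decimal("0"), dormant=False),
    Account("CC002", "CC", Decimal("-1200000"), Decimal("1000000"), dormant=False),
    Account("SB003", "SB", Decimal("80000"), Decimal("0"), dormant=True),
]
SAMPLE_TXNS = [
    Txn("T1", "SB003", Decimal("-2000"), maker="u_amit", checker="u_amit"),
    Txn("T2", "CC002", Decimal("-600000"), maker="u_neha", checker="u_mgr"),
    Txn("T3", "SB001", Decimal("5000"), maker="u_neha", checker=None),
]
SAMPLE_USERS = [
    User("u_amit", True, "working"), User("U_AMIT", True, "working"),
    User("u_old", True, "transferred"), User("vendor1", True, "vendor"),
    User("u_leave", True, "on_leave", leave_from=date(2024, 1, 5)),
]


def run_all_checks(today: date = date(2024, 3, 1)) -> dict:
    """Run every check over the sample extract and return the findings by area."""
    return {
        "maker_checker": maker_checker_breaches(SAMPLE_TXNS),
        "exceptions": [line[0] for line in exception_report(SAMPLE_ACCOUNTS, SAMPLE_TXNS)],
        "users": [f[1] for f in user_id_findings(SAMPLE_USERS, today)],
    }


if __name__ == "__main__":
    for area, result in run_all_checks().items():
        print(f"{area}: {result}")
```

The checks are deliberately kept as plain functions over immutable records so that the same script can be pointed at a real extract by replacing the three SAMPLE lists with rows read from the branch's report files; the auditor's working paper is then the returned findings, each of which names the account or user ID to be taken up with the branch. Note that the duplicate-ID check compares IDs case-insensitively, since two IDs differing only in case defeat the purpose of slide 39's "no two or more same user IDs" test even where the software treats them as distinct.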