Audits of Core Banking Solutions


AUDIT IS THE PROCESS OF EVALUATING THE ADEQUACY OF CONTROLS AND ALSO ENSURING THAT THE RELEVANT APPLICATION MODULES DEAL COMPREHENSIVELY WITH THE BUSINESS PROCESS.

1. REVIEW OF SECURITY POLICY
2. REVIEW OF BUSINESS CONTINUITY PLANNING AND BCP POLICY
3. REVIEW OF SYSTEMS DEVELOPMENT AND CHANGE MANAGEMENT PROCEDURES AND PROCESS
4. NETWORK VULNERABILITY ASSESSMENT AND EVALUATION OF THE EFFECTIVENESS OF INTRUSION DETECTION SYSTEMS
5. EVALUATION OF CONTROLS IN OPERATING SYSTEMS
6. CONTROLS IN DATABASES
7. TESTING OF APPLICATION MODULES OF THE CORE BANKING SOLUTIONS
8. REVIEW OF SYSTEM LOGS
9. AUDIT OF ATM AND RTGS/NEFT, AUDIT OF INTERNET BANKING

RESERVE BANK OF INDIA HAS MANDATED THAT EVERY BANK SHOULD HAVE A SECURITY POLICY WHICH IS APPROVED BY THE MANAGEMENT. THERE SHOULD BE AWARENESS OF THE CONTENTS OF THE SECURITY POLICY AMONGST EMPLOYEES. THE SECURITY POLICY APPLIES TO THE ENTIRE ORGANISATION AND ITS EMPLOYEES, CUSTOMERS AND ALSO TO THE RELEVANT THIRD PARTIES.

- FORMULATION OF A SECURITY COMMITTEE TO MANAGE INFORMATION SECURITY WITHIN THE ORGANISATION
- ASSET MANAGEMENT
- HUMAN RESOURCES
- PHYSICAL ENVIRONMENT
- COMMUNICATIONS AND OPERATIONS MANAGEMENT
- MEDIA HANDLING
- ACCESS CONTROLS
- NETWORK ACCESS POLICY
- OPERATING SYSTEM ACCESS CONTROL

BCP IS A PROCESS BY WHICH THE BANK ENSURES THE MAINTENANCE AND RECOVERY OF OPERATIONS. THE OBJECTIVES OF BCP ARE:
- MINIMIZING FINANCIAL LOSSES
- CONTINUING TO SERVE CUSTOMERS WITHOUT INTERRUPTION
- KEEPING THE IMAGE OF THE BANK CLEAN

BCP SHOULD TAKE INTO CONSIDERATION THE CRITICAL BUSINESS FUNCTIONS AND PRIORITIZE THEM. THE PLAN SHOULD COVER THE FOLLOWING IMPORTANT AND CRITICAL PROCESSES:
- BRANCH OPERATIONS
- ADMINISTRATIVE OPERATIONS
- INTERNET BANKING
- ATM OPERATIONS
- RTGS / NEFT
- ALL OTHER ALTERNATE DELIVERY CHANNELS

SYSTEM DEVELOPMENT REFERS TO THE PROCESS OF DEVELOPING SOFTWARE WHICH WOULD PRODUCE THE REQUIRED OUTPUT FROM THE INPUT PROVIDED, USING THE NECESSARY HARDWARE AND COMMUNICATION SYSTEMS. THE OBJECTIVES OF THE AUDIT WOULD INCLUDE REVIEWING THE FOLLOWING:
- WHETHER THE SYSTEMS ARE IMPLEMENTED WITH ADEQUATE INTERNAL CONTROLS
- WHETHER THE BUSINESS FUNCTIONALITY IS COMPREHENSIVE

THE SYSTEM AUDITOR MUST VERIFY WHETHER REGULAR NETWORK VULNERABILITY ASSESSMENTS HAVE BEEN PERFORMED BY COMPETENT PEOPLE. SIMILARLY, IT IS ALSO IMPORTANT TO ENSURE THAT INTRUSION DETECTION AND INTRUSION PREVENTION ARE TAKEN CARE OF. THERE ARE TOOLS WHICH COULD BE USED BY COMPETENT PEOPLE TO EVALUATE THE STRENGTH OF THE NETWORK AND DETECT ANY WEAK POINTS WHICH COULD BE EXPLOITED BY AN INTRUDER.

AN OPERATING SYSTEM IS A SET OF COMPUTER PROGRAMS THAT MANAGES THE HARDWARE AND SOFTWARE RESOURCES OF A COMPUTER. IT IS THE RESPONSIBILITY OF THE SYSTEM ADMINISTRATOR TO ENSURE THAT ALL PATCHES APPLICABLE TO THE PARTICULAR OPERATING SYSTEM ARE APPLIED AND ALSO TO ENSURE THAT UNNECESSARY SERVICES AND FACILITIES ARE DISABLED. AN ADMINISTRATOR GUIDE IS AVAILABLE WITH EVERY OPERATING SYSTEM AND IT PROVIDES ALL IMPORTANT INFORMATION, INCLUDING THE IMPLICATIONS OF SECURITY SETTINGS. PROPER TESTING IS REQUIRED BEFORE APPLYING ANY PATCHES.

WHEN ANY OF THE SERVICES LIKE SOFTWARE DEVELOPMENT, DATABASE MANAGEMENT OR NETWORK MANAGEMENT ARE OUTSOURCED, THE SERVICE LEVEL AGREEMENT SHOULD BE REVIEWED TO ENSURE THAT INTEGRITY, AVAILABILITY AND CONFIDENTIALITY ARE TAKEN CARE OF. SERVICE LEVEL AGREEMENTS SHOULD PROVIDE FOR A SYSTEMS AUDITABILITY CLAUSE, SO THAT BANKS WILL HAVE THE RIGHT TO HAVE A SYSTEMS AUDIT CONDUCTED OF THE THIRD PARTY SERVICES.

LOGS, AS ALREADY MENTIONED, ARE REPORTS GENERATED BY THE SYSTEM AUTOMATICALLY. HOWEVER, IT NEEDS TO BE MENTIONED THAT THEY ARE GENERATED AUTOMATICALLY ONLY ONCE THE SYSTEM HAS BEEN CONFIGURED TO DO SO. AUDITORS SHOULD REVIEW THE SYSTEM LOGS. THE SYSTEM LOGS COULD BE CLASSIFIED AS:
- OPERATING SYSTEM LOGS
- APPLICATION LOGS, AND
- DATABASE LOGS

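One concrete log review an auditor can run once application and database logs are both available, covering the "controls in databases" and "review of system logs" items above: reconcile every balance change recorded in the database log against the transactions posted through the application. This is an added Python example, not from the original slides; the log layouts, the field names, the account numbers and the application service account name "cbsapp" are all constructed assumptions.

```python
import re

# Constructed sample log lines (not from the original slides). The field layout, the
# application service account "cbsapp" and the account numbers are assumptions.
APP_LOG = """\
2024-03-01 10:02:11 txn=T1001 user=teller07 acct=SB000123 amount=-5000.00
2024-03-01 10:05:40 txn=T1002 user=teller07 acct=SB000123 amount=2000.00
2024-03-01 11:15:02 txn=T1003 user=teller12 acct=CA000777 amount=-120000.00
2024-03-01 15:30:00 txn=T1004 user=teller12 acct=SB000555 amount=750.00
"""
DB_LOG = """\
2024-03-01 10:02:11 dbuser=cbsapp table=accounts acct=SB000123 delta=-5000.00 ref=T1001
2024-03-01 10:05:40 dbuser=cbsapp table=accounts acct=SB000123 delta=2000.00 ref=T1002
2024-03-01 11:15:02 dbuser=cbsapp table=accounts acct=CA000777 delta=-120000.00 ref=T1003
2024-03-01 22:47:19 dbuser=dba_admin table=accounts acct=CA000777 delta=120000.00 ref=-
"""

APP_RE = re.compile(r"txn=(\S+) user=(\S+) acct=(\S+) amount=(-?[\d.]+)")
DB_RE = re.compile(r"dbuser=(\S+) table=(\S+) acct=(\S+) delta=(-?[\d.]+) ref=(\S+)")

def reconcile(app_log, db_log, service_account="cbsapp"):
    """Return audit findings: balance changes in the database log that were not
    posted through the application, and application postings with no DB change."""
    posted = {}  # txn id -> (account, amount) as recorded by the application
    for line in app_log.splitlines():
        m = APP_RE.search(line)
        if m:
            txn, _user, acct, amount = m.groups()
            posted[txn] = (acct, float(amount))
    findings, matched = [], set()
    for line in db_log.splitlines():
        m = DB_RE.search(line)
        if not m or m.group(2) != "accounts":
            continue
        dbuser, _table, acct, delta, ref = m.groups()
        if dbuser != service_account:
            # A change made directly in the database bypasses the application's built-in controls
            findings.append(f"direct change by {dbuser} on {acct} ({delta})")
        if ref not in posted:
            findings.append(f"no application transaction for change on {acct} ({delta})")
            continue
        exp_acct, exp_amount = posted[ref]
        if exp_acct != acct or abs(exp_amount - float(delta)) > 0.005:
            findings.append(f"{ref}: application posted {exp_amount} on {exp_acct}, DB shows {delta} on {acct}")
        matched.add(ref)
    for txn in sorted(set(posted) - matched):  # posted in the application but never reached the DB
        findings.append(f"{txn}: posted in application log but no matching DB change")
    return findings
```

On the sample data the function reports the night-time change by dba_admin twice (non-application account, and no matching transaction) and the application posting T1004 that never reached the database; a clean day produces an empty list.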
THIS PROCESS CONSISTS OF INDEPENDENTLY ENSURING THAT THE COMPUTER SYSTEMS PRODUCE THE REQUIRED OUTPUT FROM THE GIVEN INPUT. EACH OF THE MODULES NEEDS TO BE TESTED. THE AUDITOR NEEDS TO BE KNOWLEDGEABLE OF THE BUSINESS PROCESS OF EACH OF THE MODULES, e.g. SAVINGS BANK ACCOUNT, CURRENT ACCOUNT, FIXED DEPOSITS, LOANS, BILLS, ETC.

- THE BANK WOULD BE REQUIRED TO PROVIDE SEPARATE SYSTEMS COMPLETE WITH A COPY OF THE CORE BANKING SOLUTIONS SOFTWARE, DATABASE, MASTER FILES, ETC.
- THE AUDITOR SHOULD REQUEST THE BANK TO CREATE AT LEAST 2 USER IDS AND PASSWORDS. THE SOFTWARE HAS TO BE AN EXACT REPLICA OF THE ONE RUNNING IN THE LIVE ENVIRONMENT, i.e. THE VERSION NUMBER SHOULD BE THE SAME.
- THE AUDITOR WILL VERIFY ALL THE APPLICATION MODULES ONE BY ONE TO VERIFY THE COMPLETENESS OF THE FUNCTIONALITY, THE BUILT-IN CONTROLS IN THE SYSTEM AND THE CONTROLS, IF ANY, OUTSIDE THE SYSTEM.

THIS AUDIT ALSO NEEDS TO BE DONE, AND THESE HAVE BEEN CONSIDERED SEPARATELY. THAT MEANS THE INFORMATION SYSTEM AUDIT OF OUTSOURCING ACTIVITIES SHOULD FORM PART OF THIS AUDIT OF CORE BANKING.
