Post on 07-Mar-2018
Audit in Core Banking System (CBS) Environment
By
CA. Nitant Trilokekar
Internet: nptbanking.blogspot.com
Email: nitanttrilokekar@yahoo.com
Sept 24, 2011
Views expressed in this presentation are the personal opinions of the presenter and have no implication on the views or stand of either the Institute of Chartered Accountants of India or the firm with whom the paper reader is associated.
In the presentation are slides which are screen dumps of actual work sites. Certain areas are screened out to protect the confidentiality of the data holder and the clients. They are presented here to show how ‘unbelievable’ circumstances can actually exist. They are not displayed to form an opinion of either the user or the software provider.
Number of audits over the years
1. Statutory Audit
2. Revenue Audit (Income and Exp. Audit)
3. Inspection
4. Snap Audit
5. RBI Audit
6. Foreign Exchange Audit
7. Concurrent Audit (Fall out of big bull operation)
8. Semi annual audit of big branches
9. Information Systems audit
Change in the environment
- Liberalization
  • International Banks
  • Private Sector Banks
- Core Banking
  • Anywhere Banking
  • ATM
  • SMS Banking
  • Internet Banking
Banks have become more technology driven. Technology can no longer remain outside audit purview.
Today’s proficiency demand in a CA
- Income Tax Act
- Companies Act
- Contract Act
- Sale of Goods Act
- Partnership Act
- Excise, Sales tax, Turnover Tax
- Audit Standards
- Etc
- Information Technology Act
What do you mean by CORE BANKING ?
A : It is a misspelling. It is Chor Banking
B : Fundamental programming skill is needed for Banking software
C : It covers only Basic Banking functions
D : Problems of connectivity led to core development of networking infrastructure
Answer: C : It covers only Basic Banking functions
Types of IS Audit
- ITGC - Information Technology General Control
  • ISACA - CISA
  • OWASP Risks (The Open Web Application Security Project)
- Network Audit
- VAPT - Vulnerability analysis and Penetration audit
Due to Computerisation what happens to errors vis-à-vis the manual environment?
A : Errors magnify without much notice
B : Errors are few due to Alpha, Beta Testing and UAT
C : Errors are classified as ‘BUGS’.
D : Only the programmer is held responsible for the errors
Importance of maintenance
- Enlargement of errors due to automation
  • Loss
  • Data Integrity
  • Confidentiality
  • Lack of availability
  • Poor performance
Application Risk
1. Weak Security
2. Unauthorised access/changes to data
3. Unauthorised Remote Access
4. Inaccurate Information
5. Erroneous or falsified data input
6. Misuse by authorised end users
7. Incomplete processing
8. Duplicate transactions
9. Untimely processing
10. Communications systems failure
11. Inadequate testing
12. Inadequate training
13. Inadequate support
14. Insufficient Documentation
In scope of audits other than Concurrent Audit
Programmers’ password should be in the launched application to permit emergency action. Is this correct practice?
A : Yes. A developer’s password helps even if the team changes
B : Programmers have access only till complete sign off
C : Programmer is a Doc who heals so access at all times is useful
D : Programmers should not have access to ‘on-site’ applications
2. Unauthorised access/changes to data
- Levels of Authorisation
- Programmers access restriction after launch
- File/Database access restriction
- Network restriction
- Operating system restriction (launch application system after login)
Understanding CBS / 1. Unauthorised Remote Access
[Network diagram: Central Office with Central Giga Switch; Application & Database servers at DC; Back-up server at DR Centre; Giga Switch; 2 MBPS Connectivity; E1 Links; ISDN Backup 128 Kbps (2); Router; Switch]
After all the Alpha and Beta testing and UAT, is there any possibility of wrong reports or inaccurate results from the application system?
A : No. So much testing eliminates such a possibility.
B : The possibility exists.
C : Only when the tests are actually not done, there is a possibility.
D : When the programmers are testers, there is a possibility.
4. Inaccurate Information
- End user not understanding data features
- Download of data for further processing
- Link of different databases
- Departmental databases with different time frames
- Resultant failure to communicate information to chief decision maker
5. Erroneous or falsified data input
- Field validation (date/number/decimals)
- Validation of manually processed entry
- Validation of parameters used for processing (interest rate)
- Processing control (double processing)
- Database link management
Usually done at branch level
- New account opening
  • Account IS opened without cash
  • filled by branch (KYC)
6. Misuse by authorised end-users
- Access authorised but objective not in line with delegated duty
- Aiding Industrial espionage
- Victim of social networking
  • Off line
  • On line
  • Misrepresentation
Can interest application of just one department of one branch be skipped in CBS?
A : Impossible
B : If manually triggered per department it is possible
C : If the department does not exist at time of coding
D : Accidentally possible
7. Incomplete processing
Batch processing based error
- File not processed
- Transaction(s) not processed
- Timing mismatch of process trigger
- Data out of range (loop limitation)
8. Duplicate Transaction processing
- Non set up of validations before process trigger
- Multiple database links most vulnerable
- Error correction routines not accommodated for processes already done in the intervening period
- Non validation of entry data
Can any entry be passed in a closed account of a depositor in a CBS?
A : Impossible
B : Manual control is needed
C : Possible
D : Accidentally possible
A/c closed with Balance = Non tallied books of account
9. Untimely Processing
- Cut off time mismatch
- Manual intervention of transaction files
- Manipulation of system clock for some other legitimate purposes/hardware problem
When Basic Banking is ignored, system cannot help the user.
1. TOD of Rs. 2 lacs is granted in SB account
2. Account is overdrawn by Rs. 8,000
3. Account is not operational since 29/3/2007. Last credit in account is on 22/3/2007. As on inspection date, nearly 5 months have elapsed. Since this facility is granted in a savings account, the warning for health deterioration cannot be obtained from the system.
4. Account is in Debit from 2/3/2007. TOD interest is charged on 31/3/2007 and 30/6/2007. It was not charged at monthly intervals.
This account is classified as NPA from 31/3/2007. Yet the account continues in the status of ‘Normal/Operative’. Due to this, interest and other charges continue to be debited to this account in violation of the RBI rules on the subject.
In a Core Banking environment, if one or more of the branches are not able to network with the DC, can the DC close books of the Bank for the day?
Hint: Day end for Bank means entry cannot be re-entered for the same day later.
A : No. The entries will not be completed. (eg. Interbranch)
B : The non-connected branches are ignored for day closure
C : Data is re-entered in nearest branch and then day end is executed.
D : After the branches are connected, the day end is done again.
What do you call the place where all the Bank’s Computer servers are kept ?
A : Server Farm
B : Data Centre (DC)
C : Network Operating Centre (NOC)
D : All of the above
Answer: D : All of the above
Will the Auditor be held liable in case of Gross System Related errors ?
A : Only if the CA is DISA
B : Not liable if it is a programming error
C : Liable
D : Not liable in case of Network related errors/frauds
Answer: C : Liable
Which Committee Report of Reserve Bank is the determining report for IS Audit ?
A : Jalani Committee Report
B : Tandon Committee Report
C : Chitale Committee Report
D : Marathe Committee Report
Answer: A : Jalani Committee Report
Which Committee Report of Reserve Bank is mentioned as a reference in the book by Trilokekar?
A : Ghosh committee Report
B : Burman Committee Report
C : Talwar’s Committee Report
D : Marathe Committee Report
Answer: B : Burman Committee Report
Transaction processing
- Exception reports
- Make sure some type of errors are given high error status
- Does anybody check whether all eligible accounts are processed for interest or charges?
- Was the interest master changed as indicated in the circular of HO?
- Is the ATM cash tallied daily or who is doing it?
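As an added example (not part of the presentation), the exception reports asked for here and on the earlier slides on duplicate transactions, entries passed in closed accounts and the NPA account still being charged interest can be expressed as audit queries run over an extract of the CBS data. The account and posting records below are constructed, and the table and column names are assumptions:

```python
import sqlite3

# Constructed sample data (not taken from the presentation). Debits are negative.
ACCOUNTS = [  # acct, status, closed_on, npa_since
    ("SB001", "Operative", None, None),
    ("SB002", "Closed", "2007-02-15", None),
    ("SB003", "Operative", None, "2007-03-31"),  # NPA yet still 'Operative'
    ("SB004", "Operative", None, None),
    ("SB005", "Operative", None, None),          # eligible, but never charged
]
TXNS = [  # id, acct, date, amount, narration
    (1, "SB001", "2007-03-31", -120.0, "INT"),
    (2, "SB002", "2007-03-20", -50.0, "CHG"),   # posted after closure
    (3, "SB003", "2007-06-30", -800.0, "INT"),  # interest debited on an NPA
    (4, "SB004", "2007-03-31", -75.0, "INT"),
    (5, "SB004", "2007-03-31", -75.0, "INT"),   # duplicate posting
]

CHECKS = {
    # 1. Entries passed in a closed account after the closure date
    "closed_account_entries": """
        SELECT t.id FROM txns t JOIN accounts a ON a.acct = t.acct
        WHERE a.status = 'Closed' AND t.date > a.closed_on""",
    # 2. Same account/date/amount/narration posted more than once
    "duplicate_postings": """
        SELECT acct, date, amount, narration, COUNT(*) FROM txns
        GROUP BY acct, date, amount, narration HAVING COUNT(*) > 1""",
    # 3. Interest still debited after the NPA date (the case on the earlier slide)
    "npa_still_charged": """
        SELECT t.id FROM txns t JOIN accounts a ON a.acct = t.acct
        WHERE a.npa_since IS NOT NULL AND t.narration = 'INT'
          AND t.date > a.npa_since""",
    # 4. Eligible accounts with no interest posting in the period
    "interest_skipped": """
        SELECT a.acct FROM accounts a
        WHERE a.status = 'Operative' AND a.npa_since IS NULL AND NOT EXISTS (
          SELECT 1 FROM txns t WHERE t.acct = a.acct AND t.narration = 'INT'
            AND t.date BETWEEN :start AND :end)""",
}

def run_checks(accounts=ACCOUNTS, txns=TXNS, start="2007-01-01", end="2007-03-31"):
    """Load the extract into in-memory SQLite and return {check name: exception rows}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts(acct, status, closed_on, npa_since)")
    db.execute("CREATE TABLE txns(id, acct, date, amount, narration)")
    db.executemany("INSERT INTO accounts VALUES (?,?,?,?)", accounts)
    db.executemany("INSERT INTO txns VALUES (?,?,?,?,?)", txns)
    return {name: db.execute(sql, {"start": start, "end": end}).fetchall()
            for name, sql in CHECKS.items()}
```

Each non-empty list is an exception the auditor has to follow up; an empty list for `interest_skipped` is the evidence that every eligible account was processed for the period.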
Some tips for Bank auditor
- New accounts opened: view account statement for money laundering.
- Cash register: report above particular amount.
- Ensure that the NPA accounts do not impact the P&L account of the branch. (see next slide)
- Survey the cheque return register using the available filter.
Difference in General Ledger (Current)
See it to believe it, but ignored
Clearly given by the software. Yet Bank officials, statutory auditors .. all ignore it. BOOKS ARE NOT BALANCED.