Study Group on Information Systems Audit (ISA)
WIRC of ICAI
Topic : Audit of CBS (Core Banking Solutions) Environment
Date : Saturday, 17th December 2016
Venue : ICAI Tower, BKC, Mumbai
Presented by : Mr. N. D. Kundu, CISA, ISO 27001 LA, Ex-Bank of Baroda
Contact : [email protected]
Website : http://www.wirc-icai.org/isa.aspx
https://facebook.com/isastudygroup/
N D KUNDU
https://www.youtube.com/watch?v=-qFbJVEFuPo
What is CBS?
Technology behind CBS
Scope of IS Audit under CBS
Types of IS Audit under CBS
IS Audit of Branches under CBS
Interest Concepts in CBS
Specimen Audit Report of CBS
Mapping with COBIT-5
Alternate Delivery Channels
Various Menus & Commands
Evaluation of Security & Controls in CBS
Regulatory Guidelines
Central Server
Client Server Architecture
Single core application software
Multiple Middleware
Multiple applications for other services
Communication network
Delivery Channels
December 18, 2016 7
Application Software for Banking
Covering basic core functions like:
- Deposits
- Advances
- Bills & Remittances
- General Ledger
All other banking services are interfaced in modular form.
Example – Finacle (Infosys), Flexcube (Oracle), Quartz, B@ncs24 (TCS)
Centralised Data Centre
Network & Communication
Core Application Systems
Other Infrastructures
Networking Devices- Routers, Firewall, Switches
Databases
Servers
Channel Integration Layer
Application Server
Channels
Database
OS: UNIX (HP-UX, IBM-AIX and Sun Solaris)
Finacle Database: ORACLE 9i
Finacle Services: consist of application libraries
Finacle Integration layer: Service Beans, Message Beans, Message Adapters and service client libraries
Finacle Delivery Channels: Browser, Web-server, JSP, Servlets
Service Layers
Infrastructure Services: DB Services, Communication, Security & Audit, Scripting, STP Engine
Common Services: Products & Masters, Transaction Posting, GL & Accounting
Functional Services: CASA, Customer, Payments/Remittances, Limits & Mandates, Deposits, Trade, Loans, Interest & Charges
Finacle Integration Layer: J2EE, Message Interfaces (MQ/XML/SWIFT), SDK - APIs
Finacle Channel layer: Branches, Call Centre / Operations Centre, Internet & other mobile devices
CBS TECHNOLOGY PLATFORM
Unix
• Sun Solaris 9 Rel 5.9
• HP PA-RISC B 11.11
RDBMS
• Oracle9i 9.2 onwards
Browser
• universal client (IE 6.0 with SP1 onwards)
Other applications connected on-line: browser based Teller, ATM/POS, Phone banking, e-Banking
Application and User level Security
Oracle & Unix variants: Database & OS Security
CBS - Functional Architecture (diagram; recoverable labels only)
Customer / Bank
Accounting Backbone: General Ledger | Transaction Manager | Multi-currency
Services: Multilingual | Workflow | Report Writer | Signature Display | External Interfaces
Retail & Corporate: Deposits, Loans, Savings/Checking, Current Account/Overdrafts, Remittances
Trade Finance: Guarantees, Pre-shipment Credit, Documentary Credit, Export Bills, Import Bills
Tools and Utilities: Help | Inventory | Memo Pad | Letter Generator | Audit Trail | Charges | Menu | Upload | Security Register | SWIFT | Purge | Clearing | Interest
Parameterised Business Rules
OS & RDBMS
Customer information
Web-based / ONS Connect-24
CBS Retail & Corporate
Retail & Corporate Products: Term Deposits, Term Loans, Demand Loans, Overdraft, Current Accounts, Savings/Checking, Recurring Deposits, Reinvestment Deposits, Flexi Fixed Deposits, Fixed rate Deposits, Floating Rate Loans, Equated Installment Loans, Flexible Repayment Schedule, Current Account with Overdraft, Sweeps & Reverse Sweeps, User definable products
CBS - Trade Finance
Trade Finance: Documentary Credits, Bills, Bank Guarantees, Remittances, Pre-shipment Credits, Forward Contracts
Bills, Guarantees and Remittances: Inward and Outward, Inland/Foreign
Three-tier architecture
Branch server may be required in some of the CBS systems
Channel integrator for integrating delivery channels; standard middleware or any other suitable interface software for payment systems
Tier        Details
Web         Web based user access; user access forms, screens
Application Application level requests, business logic
Database    Handling of database requests from application, database management
Branch Terminals
Delivery Channels
Internet/MobileBanking
Data Centre
Tele banking/Call Centre
ATMs
RBI Applications
(RTGS/NEFT, etc)
Head Office
DR Centre
WEB SERVER
DATABASE SERVER
APPLICATION SERVER
Database
Refer RFP of BOM
Refer RFP of BOB
Refer RFP of AB
Basic Infrastructure Audit
Network Systems Audit
Application Systems Audit
Vulnerability Assessment & PT
Migration Audit
IS Audit of Branches
Special audit for revenue leakage etc.
Multiple levels of security
OS level
◦ direct login to application menu
◦ no access to OS; OS and application level profile
Database level
◦ database protection from external updations
◦ check sum creation and validation
Application level
◦ menu level, user level, product level, account level, transaction level
Customer of the Bank, not only of a Branch
Anywhere Banking
Basic Modules- Current Deposit, Savings Deposit, Term Deposits, Loans, Advances, Bills, Remittances, General Ledger, Profit & Loss, Trade Finance (LC, BG etc.)
Multi-currency systems
Alternate Delivery Channels – ATM, Internet Banking, Mobile Banking, RTGS, Cash Management etc.
Every transaction happens at the centralised Data Centre
A strong secure Communication infrastructure
Secure Network (Restricted Domain)
Closed User Group
Various Interfaces – Middleware
VLAN, Firewall, IDS, IPS
24X7 Connectivity
DATA CENTRE
Single Location where Data (information) is maintained for all the branches which are on CBS
Processes undertaken
• Parameterization maintenance
• Set up related processes
• MIS related report handling
• Batch processes like interest calculation, charge calculation, statement generation etc.
• End of Day and Beginning of Day operations
• Back ups
Infrastructure
Environment – Temperature, humidity, rodent & Fire control
Structured Cabling
Network operation centre
Server Racks
Logical Access Control
Physical Access Control
Application Servers Database Servers ATM Server Internet Banking Server Web server Anti-virus/ Anti-malware server Domain controller Proxy Server Mail/ Exchange Server etc. Enterprise Management Server
Local Area Network
Virtual Area Network
Firewall
Networking Devices – Routers, Hubs, Switches, IDS, IPS etc.
Network Diagram
Leased Line
ISDN Line
VSAT Network
Multi-protocol Label Switching
Network Security- OWASP
Intranet & Internet
Type of Firewall
Provide Network Security
Prevent Malicious entry into network
Placed in DMZ
Used for authentication
Control access to set of servers
Example- icicibank.co.in; bankofbaroda.co.in
Centralised Support
Help Desk
VOIP Connectivity
Resolving issues quickly
Functions incompatibility
Segregation of duties
System Administrators / User Administration
- User creation
- User deletion/modification
Branch/SOL administration
- Branch code or identity
Product Administration
- New product code
- Configuration of new product
- Parameter setting (interest, codes etc.)
Version control management
Separation of production & test environment
Development, testing & production movement
Project leader to Librarian
Moving correct version
Maintain version documentation
Record of Licenses
User manual
Requirement of changes on a regular basis: change in the business processes, upgradation of technology, errors/bugs in the programme, implementation of new functionality; applicable to HW, SW and communication changes
Well documented process, approval, then scheduling; updated documentation
Development, debugging, testing
Version number, documentation, implementation
Change management process – approval
Test in test environment
Thorough testing before handing over to librarian
Implement new/ changed programme as per schedule
Production & Test environment should be different
All functionality should be tested
Unit test, system test, integration test – all should be carried out
User with adequate experience should be involved in testing & document to be preserved.
Test version of application is beta
Development and testing team should not have access to production data
Project lead to librarian to production.
Functions incompatibility matrix (X = incompatible functions; ------ marks the function's own column; cells are listed in row order and not every column is filled)
Columns: Help Desk | DBA | Network Admin | Security Admin | Tape Librarian
Help Desk: ------ X X X
DBA: X ------- X
Network Admin: X X ------ X
Security Admin: ------ X
Tape Librarian: X X X --------
Abnormal system resource usage
Abnormal, slow response for application
Data corruption
Change in desktops
Changes in passwords
Virus infection
Security weakness detected
Placement of 'sniffing' hardware or software on network segment
All branches are directly connected to DC
All transactions are happening at the servers in DC
No separate applications & servers are available at Branches
Branch users are created through a centralised user creation process
No password/ID should be shared with anyone under any circumstances
All control parameters are created/maintained centrally
There are some limited application related controls which are controlled at Branch Level.
NEW BRANCH STRUCTURE POST CBS
Universal Tellers: single point reference for customers' transactions
Customer Care Team (CCT): dedicated team to take care of customers' needs
Customer Sales Officers (CSO)
Back office functions
Floor Manager
Front office
Customer master maintenance (CUMM)
Account master maintenance (ACM)
Interest master maintenance (INTTM)
Limit History maintenance (ACLHM)
EXCEPTIONS
• Available for financial and non-financial transactions
• Done for online as well as batch
• Three classifications: Warning, Error and Exception
• Overriding facility with reference to work class
• Approval feature for overridden exceptions
• Inquiry and report available based on criteria selections
• Feature to ignore validations during batch process with specific reference to Debit/Credit transactions
SERVICE OUTLET (SOL)
• Place from where service is provided to the customer
• Could be the branch itself or part of a branch (extension counter)
• No limitations on the number of extension counters
• Batch jobs can be set for a SOL/group of SOLs
• Cash management SOL-wise
• Inquiries & reports available for a SOL or a group of SOLs
SCHEME TYPE
• Broad classification of accounts based on characteristics, behaviour of accounts
• Predefined and 14 in number
Example: Savings - SBA; Current - CAA; Overdraft - ODA; Term loans - LAA
• Parameter set up depends upon the scheme type.
SCHEME CODES
• Sub set of Scheme Types
• Can be referred to as products
• No limitations on the number of products for each scheme type
• Number of Scheme codes is dependent on the products offered to various segments of customers
• For consolidation purposes each account is linked to a GL sub head
EMPLOYEE_ID
• Unique identification code of an employee
• Employee related data is captured
• Employee ID is required for creation of application users, for handling of inventory, for Teller cash handling and for identifying staff accounts
USER_ID
Used for:
- Logging into application
- Authorisation of inventory movement
- Creation of TOD
ROLE PROFILE
Used for:
- Access to various products
- Viewing of signatures
- Defining financial powers
WORK CLASS
• Classification of user for:
- Giving access to menu options
- Giving overriding powers for exceptions
- Posting of transactions
- Verification of non-financial transactions
FREE USER
• Can access accounts of other SOLs
• Can do operations on other SOL entities like Account, Bill etc.
CAPTIVE USER
• Can access only his branch entities for operations
• Only inquiries on entities of other branches are allowed
OFFICE ACCOUNTS
• GL accounts of the bank for various purposes like income and expenditure accounts, asset and liability accounts, contingent liability accounts
• Classified as normal accounts, pointing type accounts, inter-SOL transaction accounts, trading/position/balancing accounts, proxy accounts, partitioned accounts
• Exist in different currencies, for all SOLs
General Ledger
• Three tier structure
• No hard coding and no conditions for
defining GL or Sub-GL
• Consolidation of transaction
information at branch Level/ sub-GL
level - currency wise
• Bank level, branch level or cluster level
GL information can be generated
GL Head
GL Sub-Head
Account
CUSTOMER_ID
• Single point reference for all relationships with the Bank
• Unique identification number for the customer
• Created during customer master creation
• System generated / user enterable
Customer Information File
CIF:
• A unique customer ID is generated
to link all accounts
• Snapshot of all accounts for a
customer available
• Customer - customer relationship is
maintained
CBS Multi-Currency
• Multi Currency Accounting
• Multi currency transactions through
home currency or direct cross currency
• GL in home currency/ foreign currency
or in any other base currency
• Clearing in different currencies
• Profit and loss computation for daily
transactions
• Revaluation of position accounts
CBS Workflow
• Capability to chain menu options
• Automatic population of data while
chaining
• Attributes of fields Such as non-mandatory to
mandatory, default values, protection, echo/ no echo ..
• Screen Level Integration with other
applications (if required)
Account Opening Wizard
Customer Master Addition -> Account Opening -> Transaction -> Verification
(customer information; customer information & A/c information)
Minimum length
Alphanumeric with special characters
Restrictions on repeated use of the same characters
Number of times before which a password cannot be re-used
Mandatory change of password on first login
Mandatory change of password after 'x' days
Special administration for holidays
Facility to incorporate bank specific policy through the Xtensibility tool kit
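As an added example (not part of the deck and not Finacle's code), a small Python checker for the password rules listed above. The numeric thresholds in POLICY, the user record fields and the function names are assumptions for the illustration; the deck names the rule types but gives no bank-specific values.

```python
import hashlib
from datetime import date

# Policy values are assumptions: the deck lists the rule types (minimum length,
# composition, repeated characters, re-use history, change on first login,
# change after 'x' days) but no bank-specific numbers.
POLICY = {
    "min_length": 8,
    "max_repeat_run": 2,   # the same character at most twice in a row
    "history_depth": 5,    # the last 5 passwords cannot be reused
    "max_age_days": 90,    # the deck's 'x' days
}


def password_hash(pw: str) -> str:
    # Illustration only; a production store uses a salted, slow hash (bcrypt, Argon2).
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_composition(pw: str) -> list:
    """Return the names of the composition rules the candidate password violates."""
    failures = []
    if len(pw) < POLICY["min_length"]:
        failures.append("min_length")
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    if not (has_alpha and has_digit and has_special):
        failures.append("composition")
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > POLICY["max_repeat_run"]:
            failures.append("repeated_characters")
            break
    return failures


def check_history(pw: str, history: list) -> bool:
    """True when the candidate matches one of the last history_depth stored hashes
    (history is most recent first)."""
    return password_hash(pw) in history[:POLICY["history_depth"]]


def change_required(user: dict, today: str):
    """Mandatory change on first login, or once the password is older than x days."""
    if user["first_login"]:
        return "first_login"
    age = date.fromisoformat(today) - date.fromisoformat(user["changed_on"])
    if age.days > POLICY["max_age_days"]:
        return "expired"
    return None


def evaluate_change(pw: str, user: dict) -> list:
    """All reasons a proposed new password must be refused."""
    failures = check_composition(pw)
    if check_history(pw, user["history"]):
        failures.append("history")
    return failures


if __name__ == "__main__":
    # Constructed user record for the demonstration.
    user = {"first_login": False, "changed_on": "2016-08-01",
            "history": [password_hash("Summer@2016")]}
    print(change_required(user, "2016-12-17"))    # expired
    print(evaluate_change("Summer@2016", user))   # ['history']
    print(evaluate_change("aaaa1!", user))        # ['min_length', 'repeated_characters']
```

Only hashes of earlier passwords are kept for the re-use check, so the history list never holds a clear-text password; the "special administration for holidays" rule is a scheduling matter outside this checker.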
Unique identity for the user
Mapping of role profile to user ID
User has to be an "Employee" of the bank
Login can be restricted to specific time limits / only working hours
Login can be restricted to specific menu options
Login can be restricted on holidays
Maker – Checker concept – the same user cannot enter and authorize
Currency based limits for Cash, Clearing and Transfer transactions
User can be restricted from access to his own account
Image access restrictions for dormant accounts
Restrict menu options based on user classification
Restrict menu options based on terminal classification
Parameter to automatically log-off a user if the time taken to select a menu option exceeds a limit
Restriction of products for which a user has access to Read , Write
Transaction Limits for Cash / Clearing / Transfer limits of user for Intra-Branch and Inter-Branch transactions
Transaction Limits for Cash / Clearing / Transfer limits for every currency under every product / account
Restriction on users from posting on their own accounts
Handling of exceptions for transactions based on definition of relevant controls
System generated unique Transaction / Part Transaction numbers
All debits to be posted before the credits
Transaction completed only when the debits and credits are balanced
Restriction at product level to allow / disallow back dated and value dated transactions
Product level restrictions on valid instrument types that can be used for that product
Maintenance of “Hot List” of all black listed instruments used in transactions
Check for “Stop Payments”, “Expired Checks”, etc
Ability to mark accounts as “Frozen” for Debit / Credit / Both, along with the reason for the Freeze
Ability to restrict user initiated transactions on certain products
Ability to link a reporting code for every Part Transaction
Ensure that the posting for all transactions is complete before commencing the Day End processes
Pending authorisations
Transactions not posted/verified
Inventory transactions not posted
Unprinted TDs/DDs and advices
Sum of account balances not zero
Check for number of TODs
Instrument hot-listed
Bills pending verification
Operation on lien account
User cash/clearing/transfer debit limit
Back and Value dated Transaction
Stale instrument
Account frozen
Cheque cautioned/not issued
Employee own account
Memo pad check
Sanction limit expired/exceeded
Customer Id mismatch Cr. And Dr.
Account below minimum balance
Sanction limit < minimum loan amount
Disbursement > sanction limit
Disbursement date > expiry date
Customer Id different for Loan and operative account
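The preventive checks listed above, combined with the Warning / Error / Exception classification and the work-class override described under EXCEPTIONS, as an added Python example. This is not the deck's or Finacle's code: the rule codes, the class assigned to each rule, the account and user fields and the work-class threshold for overrides are assumptions made for the illustration.

```python
from dataclasses import dataclass

# The deck classifies exceptions as Warning, Error and Exception and ties
# overriding to the user's work class. The rule codes, the class given to each
# rule and the work-class threshold below are assumptions for this example.
WARNING, ERROR, EXCEPTION = "Warning", "Error", "Exception"
OVERRIDE_WORK_CLASS = 5   # assumed: work class 5 and above may override Exceptions


@dataclass
class Account:
    number: str
    customer_id: str
    balance: float            # credit balance for deposits, outstanding for loans/OD
    frozen: str = ""          # "", "D" (debit), "C" (credit) or "B" (both)
    dormant: bool = False
    staff_owner: str = ""     # employee ID when this is a staff member's own account
    min_balance: float = 0.0
    sanction_limit: float = 0.0   # > 0 only for loan/OD accounts


@dataclass
class User:
    user_id: str
    employee_id: str
    work_class: int
    cash_debit_limit: float   # the deck's user cash/clearing/transfer debit limit


@dataclass
class Txn:
    account: Account
    side: str                 # "D" or "C"
    amount: float
    mode: str                 # "cash", "clearing" or "transfer"
    txn_date: str             # ISO dates kept as strings so they compare lexically
    value_date: str


def evaluate(txn: Txn, user: User) -> list:
    """Return (rule code, class) pairs for every control the transaction trips."""
    acct, hits = txn.account, []
    if acct.frozen in (txn.side, "B"):                       # account frozen
        hits.append(("account_frozen", ERROR))
    if txn.side == "D" and txn.mode == "cash" and txn.amount > user.cash_debit_limit:
        hits.append(("user_cash_debit_limit", ERROR))        # user cash debit limit
    if acct.staff_owner and acct.staff_owner == user.employee_id:
        hits.append(("employee_own_account", EXCEPTION))     # employee own account
    if acct.dormant:
        hits.append(("dormant_account", EXCEPTION))
    if txn.value_date < txn.txn_date:                        # back / value dated
        hits.append(("back_value_dated", EXCEPTION))
    if acct.sanction_limit and txn.side == "D" and acct.balance + txn.amount > acct.sanction_limit:
        hits.append(("disbursement_exceeds_sanction", EXCEPTION))
    if not acct.sanction_limit and txn.side == "D" and acct.balance - txn.amount < acct.min_balance:
        hits.append(("below_minimum_balance", WARNING))      # account below minimum balance
    return hits


def decide(hits: list, user: User) -> str:
    """'post' (warnings only), 'override' (Exceptions and the user may override) or 'reject'."""
    classes = {cls for _, cls in hits}
    if ERROR in classes:
        return "reject"
    if EXCEPTION in classes:
        return "override" if user.work_class >= OVERRIDE_WORK_CLASS else "reject"
    return "post"


if __name__ == "__main__":
    # Constructed records: a teller with a low work class posting to a dormant account.
    teller = User("T001", "E001", 2, 50000)
    dormant = Account("SB002", "C002", 50000, dormant=True)
    txn = Txn(dormant, "C", 100, "transfer", "2016-12-17", "2016-12-17")
    hits = evaluate(txn, teller)
    print(hits, decide(hits, teller))   # [('dormant_account', 'Exception')] reject
```

Errors never post, Exceptions post only with an override by a sufficiently senior work class, and Warnings post with a message; the list returned by evaluate is what the exception inquiry and the audit trail would record alongside the override details.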
Detective – Inquiries and Reports
General Inquiries: Loans General Inquiry; Guarantees, Bills, Accounts and Customer Inquiry
Specific Inquiries: Transaction Exception Inquiry; Hot Items Inquiry; Account Abnormal Limit Inquiry; Customer Unutilized Limit Inquiry; Loans Overdue Position Inquiry; A/c TOD Inquiry, A/c Turnover Inquiry; Interest Table, Version, Slab Inquiry; Limit Node and Financial Transaction Inquiry
Transaction Date
Account Involved along with the General Ledger code and Customer ID
Branch – Account Branch and User Branch
Amount – Account Currency and Exchange rate for multi currency transactions
User ID’s – Entered, Modified, Posted, Verified
Date – Transaction Date, Value Date
Time – Entry, Posting, Deletion
Module creating the transaction
Exceptions generated on the transaction along with override details, if applicable
Detailed online inquiries with flexible search facilities
View results online or print reports
Modification User ID and Checker User ID
Modification Date and Checking Date with time stamp
Exceptions generated on the transaction along with override details, if applicable
Field level information of the "Before" and "After" image of data
Identification number of the entity that was modified – Account Number, Customer ID, etc
Detailed online inquiries with flexible search facilities
View results online or print reports
Interest Concepts
Interest table code
Customer preferential interest
Account preferential interest
Maximum interest
Minimum interest
Debit/Credit interest flag
Account pegging flag
Interest on interest flag
Interest on principal flag
Interest demand date
Interest application date
Frequency of interest
Limit level flag
Name of the Employee
Employee No:
User-ID:
Creation Date:
Deactivation date:
Signature of Employee:
Created by/ Verified by
ISMS Policy
Security Procedures
Security Statement
Security Guidelines
Terminal restriction
Temporal restriction
Usage control
Navigation control
Data Entry Control
Configuration File
Login script
Concurrency control
Password policy- Minimum length, composition, validity, type, change frequency, deactivation, password history.
Device access – USB, CD, any external drive
Data Leak/ Loss prevention
Classification of data
Multi-factor authentication:
◦ 1st factor – something you know
◦ 2nd factor – something you have
◦ 3rd factor – something you are
Information leakage is along similar lines… after a little time you wouldn't want what is left of it !!
Preventing information leakage rests in your hands !!
Information Security Awareness
Temperature Control
Humidity Control
No inflammable material
Structured cabling
Fire extinguisher
Regular Fire drill
Alternate source of electricity
Communication sources
Guard, watchman, external service providers
Handbook of ADC
Physical card maintenance
Card & PIN not in the same place
Control in return of card & PIN
Regular reconciliation
Card activation/deactivation
Cash loading & reconciliation
ATM journal (EJ)
Swallowed card
Rejected BIN
Bunch note acceptor
Cash recycler
Master key maintenance
Complete documentation of BCP/ DRP
User/ employee awareness
Periodic BCP drill- proactive control
Not mere scheduled cut-over
Alternate connectivity & other resources
Alternate power supply
Escrow arrangement
BCP for outsourced activities
Audit Checklist / APS for Branch
Information security policy
Access control procedures
Branch level server, if any
Physical & environmental control
Network security & control
Local parameters at application level
ATM operations
Business continuity plan
Does the Bank have a security policy
Approved copy available?
Employee awareness of security policy
Record maintenance for security incidents
Guidelines for handling security incidents
Password communication process
Sharing of password
Wrong password – account locking
Regeneration of password
Unlocking the password
Single sign-on.
Choose a strong password and never share it with anyone under any circumstances.
Passwords are the key to all your personal data, which needs to be handled with utmost caution.
User management – UserID
Session management
External drive disabling
Branch level server security policy, if any
Connectivity issue
Physical & environmental controls
Network issues- cabling, ports, nodes
Individual detail entry
Proxy account monitoring
Inter-sol account reconciliation
Trading account
Charge-off account
Migration account
Dummy account
Sundry deposit a/c
Back dated/ value dated entries
Unreasonable parameterisation by mistakes
Maintenance of logs
Security Operations Centre.
Reports & Query
CBS interfaces
Sample audit reports
Sample infra-audit report
List of FDR having ROI > 11%
All FCNR with ZERO ROI
All FDR with ZERO ROI
FDR with period > 240 months
All crop loans where ROI < 7% (except DRI)
All LA172 accounts where security not attached
All staff loans where interest is credited
All staff OD where interest is credited
LA169-170 next interest calculation date
LA172 next interest calculation date
All OD, CC where limit level flag with ZERO ROI
List of deposit A/c with Dummy/ inoperative
List of Dormant A/c with conditions
List of Deposit A/c with 2 characters
All NRO with holding Tax rate Zero
All SOD with incorrect ROI
Loan Accounts with wrong interest application frequency
OD Account with ROI > 20%
Loan Account no of EMI > 360
Advances account with interest on principal flag N
Advances with Int on Int is N
Advances with interest collect flag N
Deposit Account with interest pay flag as N
Limit Expiry Report
List of Cash deposit in NRE Account
Loan period less than EMI period.
TOD within BM power after 14 days
Cash transactions > 50,000 in a day
Transaction in an inactive a/c
Txn > 1 lac in newly opened a/c
Excess TOD beyond BM power after 5 days
Intersol Txn – staff A/c
Txn > 2 lacs in low profile A/c
Dr Txn in other office A/c
Txn in Dormant A/c
Dr Txn in sensitive office A/c
Cr > 50000 in staff A/c
Abnormal int rate in TD
Cash payment from office A/c
TOD beyond BM power > 5 days
Excess over sanctioned limit –OD property
Excess over sanctioned limit –OD Traders
Excess over sanctioned limit –LABOD
Back value dated Txn > 10 lacs
Intersol Txn > 50 lacs
High value Txn without cheque
Manual interest paid on FDR
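The revenue-leakage queries (FDR with ROI above 11% or zero, period above 240 months, OD ROI above 20%, more than 360 EMIs, interest flags set to N) and the exception transaction reports above (cash over 50,000 in a day, transactions in dormant accounts, transactions over 1 lac in newly opened accounts) as one added Python example run over an in-memory SQLite database. This is not the deck's or Finacle's code: the table layout and the sample rows are constructed for the illustration, and the 30-day window for "newly opened" is an assumption since the deck gives no figure.

```python
import sqlite3

# Constructed sample rows (not from the deck), seeded so that each query
# below finds at least one record. The table layout is invented for the example.
DEPOSITS = [  # (account, scheme, roi_pct, period_months, int_pay_flag)
    ("FD001", "FDR", 7.5, 36, "Y"),
    ("FD002", "FDR", 12.0, 12, "Y"),    # ROI above 11%
    ("FD003", "FDR", 0.0, 24, "Y"),     # zero ROI
    ("FD004", "FDR", 8.0, 300, "N"),    # period > 240 months, interest pay flag N
]
LOANS = [  # (account, scheme, roi_pct, emi_count, int_on_principal_flag)
    ("LN001", "ODA", 21.5, 0, "Y"),     # OD with ROI above 20%
    ("LN002", "LAA", 9.0, 420, "Y"),    # more than 360 EMIs
    ("LN003", "LAA", 9.0, 120, "N"),    # interest on principal flag N
]
ACCOUNTS = [  # (account, opened_on, dormant)
    ("SB001", "2016-11-20", 0),         # newly opened
    ("SB002", "2010-01-05", 1),         # dormant
    ("SB003", "2012-06-01", 0),
]
TXNS = [  # (account, txn_date, amount, mode)
    ("SB001", "2016-12-01", 150000, "transfer"),   # > 1 lac in a new account
    ("SB002", "2016-12-01", 500, "cash"),           # activity in a dormant account
    ("SB003", "2016-12-02", 30000, "cash"),
    ("SB003", "2016-12-02", 25000, "cash"),         # 55,000 cash on one day
    ("SB003", "2016-12-03", 20000, "cash"),
]

NEW_ACCOUNT_DAYS = 30   # assumption: the deck says "newly opened" without a figure

# Each entry is one line of the deck's lists, expressed as a query.
QUERIES = {
    "fdr_roi_above_11": "SELECT account FROM deposits WHERE scheme = 'FDR' AND roi > 11",
    "fdr_zero_roi": "SELECT account FROM deposits WHERE scheme = 'FDR' AND roi = 0",
    "fdr_period_over_240_months": "SELECT account FROM deposits WHERE scheme = 'FDR' AND period_months > 240",
    "deposit_interest_pay_flag_n": "SELECT account FROM deposits WHERE int_pay_flag = 'N'",
    "od_roi_above_20": "SELECT account FROM loans WHERE scheme = 'ODA' AND roi > 20",
    "loan_emi_count_over_360": "SELECT account FROM loans WHERE emi_count > 360",
    "advance_interest_on_principal_n": "SELECT account FROM loans WHERE int_on_principal = 'N'",
    "cash_over_50000_in_a_day": """
        SELECT DISTINCT account FROM (
            SELECT account, txn_date FROM txns WHERE mode = 'cash'
            GROUP BY account, txn_date HAVING SUM(amount) > 50000)""",
    "txn_in_dormant_account": """
        SELECT DISTINCT t.account FROM txns t JOIN accounts a ON a.account = t.account
        WHERE a.dormant = 1""",
    "txn_over_1_lac_in_new_account": f"""
        SELECT DISTINCT t.account FROM txns t JOIN accounts a ON a.account = t.account
        WHERE t.amount > 100000
          AND julianday(t.txn_date) - julianday(a.opened_on) <= {NEW_ACCOUNT_DAYS}""",
}


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE deposits (account TEXT, scheme TEXT, roi REAL, period_months INTEGER, int_pay_flag TEXT);
        CREATE TABLE loans (account TEXT, scheme TEXT, roi REAL, emi_count INTEGER, int_on_principal TEXT);
        CREATE TABLE accounts (account TEXT, opened_on TEXT, dormant INTEGER);
        CREATE TABLE txns (account TEXT, txn_date TEXT, amount REAL, mode TEXT);
    """)
    con.executemany("INSERT INTO deposits VALUES (?,?,?,?,?)", DEPOSITS)
    con.executemany("INSERT INTO loans VALUES (?,?,?,?,?)", LOANS)
    con.executemany("INSERT INTO accounts VALUES (?,?,?)", ACCOUNTS)
    con.executemany("INSERT INTO txns VALUES (?,?,?,?)", TXNS)
    return con


def run_audit(con: sqlite3.Connection) -> dict:
    """Run every query; the result maps query name -> sorted list of flagged accounts."""
    return {name: sorted(row[0] for row in con.execute(sql))
            for name, sql in QUERIES.items()}


if __name__ == "__main__":
    for name, accounts in run_audit(build_db()).items():
        print(f"{name}: {accounts}")
```

The parameter checks read only the account masters and can be run at any time; the transaction reports need the day's transactions and the account's status on that day, so they belong with the end-of-day batch rather than an ad hoc query.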
Working group recommendation(Gopalakrishna Committee Report)