Study Group on Information Systems Audit (ISA), WIRC of ICAI

Topic: Audit of CBS (Core Banking Solutions) Environment
Date: Saturday, 17th December 2016
Venue: ICAI Tower, BKC, Mumbai
Presented by: Mr. N. D. Kundu, CISA, ISA 27001 LA, Ex-Bank of Baroda
Contact: [email protected], [email protected], [email protected]
Website: http://www.wirc-icai.org/isa.aspx
https://facebook.com/isastudygroup/

Transcript of the slide deck, page by page.

Page 1: Title slide (details as above)


Page 2:

N D KUNDU

Page 3:

https://www.youtube.com/watch?v=-qFbJVEFuPo

Page 4: Agenda

- What is CBS?
- Technology behind CBS
- Scope of IS Audit under CBS
- Types of IS Audit under CBS
- IS Audit of Branches under CBS
- Interest Concepts in CBS
- Specimen Audit Report of CBS
- Mapping with COBIT-5
- Alternate Delivery Channels
- Various Menus & Commands
- Evaluation of Security & Controls in CBS
- Regulatory Guidelines

Page 5: (no extractable text)

Page 6: CBS building blocks

- Central Server
- Client Server Architecture
- Single core application software
- Multiple Middleware
- Multiple applications for other services
- Communication network
- Delivery Channels

Page 7: (diagram only; slide footer dated December 18, 2016)

Page 8: Application Software for Banking

Covering basic core functions like:
- Deposits
- Advances
- Bills & Remittances
- General Ledger

All other banking services are interfaced in modular form.

Examples: Finacle (Infosys), Flexcube (Oracle), Quartz, B@ncs24 (TCS)

Page 9: (no extractable text)

Page 10: Components of the CBS environment

- Centralised Data Centre
- Network & Communication
- Core Application Systems
- Other Infrastructures:
  - Networking Devices: Routers, Firewall, Switches
  - Databases
  - Servers

Page 11: Finacle architecture (diagram labels: Channels, Channel Integration Layer, Application Server, Database)

- OS: UNIX (HP-UX, IBM-AIX and Sun Solaris)
- Finacle Database: ORACLE 9i
- Finacle Services: consist of application libraries
- Finacle Integration layer: Service Beans, Message Beans, Message Adapters and service client libraries
- Finacle Delivery Channels: Browser, Web-server, JSP, Servlets

Service Layers:
- Infrastructure Services: DB Services, Communication, Security & Audit, Scripting, STP Engine
- Common Services: Products & Masters, Transaction Posting, GL & Accounting
- Functional Services: CASA, Customer, Payments/Remittances, Limits & Mandates, Deposits, Trade, Loans, Interest & Charges

Finacle Integration Layer: J2EE; Message Interfaces (MQ/XML/SWIFT); SDK - APIs

Finacle Channel layer: Branches; Call Centre / Operations Centre; Internet & other Mobile devices

Page 12: CBS TECHNOLOGY PLATFORM

Unix:
- Sun Solaris 9 Rel 5.9
- HP PA-RISC B 11.11

RDBMS:
- Oracle9i 9.2 onwards

Browser:
- Universal client (IE 6.0 with SP1 onwards)

Page 13: CBS - Functional Architecture (diagram, CUSTOMER side to BANK side)

Delivery channels: Other applications connected on-line; Browser based Teller; ATM/POS; Phone banking; e-Banking; Web-based/ONS Connect-24

Security: Application and User level Security; Database & OS Security (Oracle & Unix variants)

Accounting Backbone: General Ledger | Transaction Manager | Multi-currency; External Interfaces; Multilingual | Workflow | Report Writer | Signature Display

Parameterised Business Rules:
- Retail & Corporate: Deposits, Loans, Savings/Checking, Current Account/Overdrafts, Remittances
- Trade Finance: Guarantees, Pre-shipment Credit, Documentary Credit, Export Bills, Import Bills

Tools and Utilities: Help | Inventory | Memo Pad | Letter Generator | Audit Trail | Charges | Menu | Upload | Security Register | SWIFT | Purge | Clearing | Interest

Other layers shown: Services; OS & RDBMS; Customer information

Page 14: CBS Retail & Corporate

Retail & Corporate Products:
- Term Deposits
- Term Loans
- Demand Loans
- Overdraft
- Current Accounts
- Savings/Checking
- Recurring Deposits
- Reinvestment Deposits
- Flexi Fixed Deposits
- Fixed rate Deposits
- User definable products
- Floating Rate Loans
- Equated Installment Loans
- Flexible Repayment Schedule
- Current Account with Overdraft
- Sweeps & Reverse Sweeps

Page 15: CBS - Trade Finance

Trade Finance products:
- Documentary Credits
- Bills
- Bank Guarantees
- Remittances
- Pre-shipment Credits
- Forward Contracts

Sub-classifications shown on the diagram: Inward / Outward, Inland / Foreign

Page 16: Three-tier architecture

- Branch server may be required in some of the CBS systems
- Channel integrator for integrating delivery channels
- Standard middleware or any other suitable interface software for payment systems

Tier        | Details
Web         | Web based user access; user access forms, screens
Application | Application level requests, business logic
Database    | Handling of database requests from application, database management

Page 17: CBS network overview (diagram labels)

- Data Centre
- DR Centre
- Head Office
- Branch Terminals
- Delivery Channels: Internet/Mobile Banking, Tele banking/Call Centre, ATMs
- RBI Applications (RTGS/NEFT, etc.)

Page 18: Three-tier deployment (diagram labels)

WEB SERVER -> APPLICATION SERVER -> DATABASE SERVER (Database)

Page 19: (no extractable text)

Page 21: Types of IS Audit under CBS

- Basic Infrastructure Audit
- Network Systems Audit
- Application Systems Audit
- Vulnerability Assessment & PT
- Migration Audit
- IS Audit of Branches
- Special audit for revenue leakage etc.

Page 22: Multiple levels of security

- OS level: direct login to application menu; no access to OS; OS and application level profile
- Database level: database protection from external updates; checksum creation and validation
- Application level: menu level, user level, product level, account level, transaction level

Page 23: What is CBS?

- Customer of a Bank, not only of a Branch
- Anywhere Banking
- Basic modules: Current Deposit, Savings Deposit, Term Deposits, Loans, Advances, Bills, Remittances, General Ledger, Profit & Loss, Trade Finance (LC, BG etc.)
- Multi-currency systems
- Alternate Delivery Channels: ATM, Internet Banking, Mobile Banking, RTGS, Cash Management etc.

Page 24: CBS communication infrastructure

- Every transaction happens at the Centralised Data Centre
- A strong, secure communication infrastructure
- Secure Network (Restricted Domain)
- Closed User Group
- Various Interfaces: Middleware
- VLAN, Firewall, IDS, IPS
- 24x7 Connectivity

Page 25: DATA CENTRE

Single location where data (information) is maintained for all the branches which are on CBS.

Processes undertaken:
- Parameterization maintenance
- Set up related processes
- MIS related report handling
- Batch processes like interest calculation, charge calculation, statement generation etc.
- End of Day and Beginning of Day operations
- Back ups

Page 26: Data Centre infrastructure

- Environment: temperature, humidity, rodent & fire control
- Structured Cabling
- Network operation centre
- Server Racks
- Logical Access Control
- Physical Access Control

Page 27: Servers at the Data Centre

- Application Servers
- Database Servers
- ATM Server
- Internet Banking Server
- Web server
- Anti-virus / Anti-malware server
- Domain controller
- Proxy Server
- Mail / Exchange Server etc.
- Enterprise Management Server

Page 28: Network components

- Local Area Network
- Virtual Area Network
- Firewall
- Networking Devices: Routers, Hubs, Switches, IDS, IPS etc.
- Network Diagram

Page 29: Communication links

- Leased Line
- ISDN Line
- VSAT Network
- Multi-protocol Label Switching (MPLS)
- Network Security: OWASP
- Intranet & Internet

Page 30: Firewall

- Type of firewall
- Provides network security
- Prevents malicious entry into the network
- Placed in DMZ

Page 31: Domain

- Used for authentication
- Controls access to a set of servers
- Example: icicibank.co.in; bankofbaroda.co.in

Page 32: Centralised Support

- Help Desk
- VOIP Connectivity
- Resolving issues quickly
- Functions incompatibility
- Segregation of duties

Page 33: System Administrators

User Administration:
- User creation
- User deletion / modification

Branch / SOL administration:
- Branch code or identity

Product Administration:
- New product code
- Configuration of new product
- Parameter setting (interest, codes etc.)

Page 34: (no extractable text)

Page 35: Version control management

- Separation of production & test environment
- Development, testing & production movement
- Project leader to Librarian
- Moving correct version
- Maintain version documentation
- Record of licenses
- User manual

Page 36: Change management

- Requirement of changes on a regular basis:
  - Change in the business processes
  - Upgradation of technology
  - Errors / bugs in the programme
  - Implementation of new functionality
- Applicable to HW, SW and communication changes
- Well documented process: approval, then scheduling
- Updated documentation

Page 37: Programme change lifecycle

- Development, debugging, testing
- Version number, documentation, implementation
- Change management process: approval
- Test in test environment
- Thorough testing before handing over to librarian
- Implement new / changed programme as per schedule

Page 38: Testing controls

- Production & test environment should be different
- All functionality should be tested
- Unit test, system test, integration test: all should be carried out
- Users with adequate experience should be involved in testing, and the documentation is to be preserved
- Test version of the application is beta
- Development and testing teams should not have access to production data
- Project lead to librarian to production

Page 39: Segregation of duties matrix

Functions: Help Desk, DBA, Network Admin, Security Admin, Tape Librarian. Rows as printed on the slide (X marks an incompatible combination of functions; "------" is the function's own cell):

Help Desk:      ------ X X X
DBA:            X ------- X
Network Admin:  X X ------ X
Security Admin: ------ X
Tape Librarian: X X X --------

Page 40: Indicators of a security incident

- Abnormal system resource usage
- Abnormal, slow response from the application
- Data corruption
- Change in desktops
- Changes in passwords
- Virus infection
- Security weakness detected
- Placement of 'sniffing' hardware or software on a network segment

Page 41: Branches under CBS

- All branches are directly connected to the DC
- All transactions happen at the servers in the DC
- No separate applications & servers are available at branches
- Branch users are created through a centralised user creation process
- No password / ID should be shared with anyone under any circumstances
- All control parameters are created / maintained centrally
- There are some limited application-related controls which are controlled at branch level

Page 42: NEW BRANCH STRUCTURE POST CBS

- Universal Tellers: single point reference for customers' transactions
- Customer Care Team (CCT): dedicated team to take care of customers' needs
- Customer Sales Officers (CSO)
- Back office functions
- Floor Manager
- Front office

Page 43: Key maintenance menus

- Customer master maintenance (CUMM)
- Account master maintenance (ACM)
- Interest master maintenance (INTTM)
- Limit History maintenance (ACLHM)

Pages 44-47: (no extractable text)

Page 48: EXCEPTIONS

- Available for financial and non-financial transactions
- Done for online as well as batch
- Three classifications: Warning, Error and Exception
- Overriding facility with reference to work class
- Approval feature for overridden exceptions
- Inquiry and report available based on criteria selections
- Feature to ignore validations during batch process with specific reference to Debit / Credit transactions

Page 49: SERVICE OUTLET (SOL)

- Place from where service is provided to the customer
- Could be the branch itself or part of a branch (extension counter)
- No limitations on the number of extension counters
- Batch jobs can be set for a SOL / group of SOLs
- Cash management SOL-wise
- Inquiries & reports available for a SOL or a group of SOLs

Page 50: SCHEME TYPE

- Broad classification of accounts based on characteristics and behaviour of accounts
- Predefined and 14 in number
- Examples: Savings - SBA; Current - CAA; Overdraft - ODA; Term loans - LAA
- Parameter set up depends upon the scheme type

Page 51: SCHEME CODES

- Subset of Scheme Types
- Can be referred to as products
- No limitations on the number of products for each scheme type
- Number of scheme codes is dependent on the products offered to various segments of customers
- For consolidation purposes each account is linked to a GL sub-head

Page 52: EMPLOYEE_ID

- Unique identification code of an employee
- Employee related data is captured
- Employee ID is required:
  - for creation of application users
  - for handling of inventory
  - for Teller cash handling
  - for identifying staff accounts

Page 53: USER_ID and ROLE PROFILE

USER_ID is used for:
- Logging into the application
- Authorisation of inventory movement
- Creation of TOD

ROLE PROFILE is used for:
- Access to various products
- Viewing of signatures
- Defining financial powers

Page 54: WORK CLASS

Classification of users for:
- Giving access to menu options
- Giving overriding powers for exceptions
- Posting of transactions
- Verification of non-financial transactions

Page 55: FREE USER and CAPTIVE USER

FREE USER:
- Can access accounts of other SOLs
- Can do operations on other SOL entities like Account, Bill etc.

CAPTIVE USER:
- Can access only his own branch's entities for operations
- Only inquiries on entities of other branches are allowed

Page 56: OFFICE ACCOUNTS

GL accounts of the bank for various purposes like:
- Income and Expenditure accounts
- Asset and Liability accounts
- Contingent liability accounts

Classified as:
- Normal accounts
- Pointing type of accounts
- Inter-SOL transaction accounts
- Trading / Position / Balancing accounts
- Proxy accounts
- Partitioned accounts

Exist in:
- Different currencies
- For all SOLs

Page 57: General Ledger

- Three tier structure: GL Head -> GL Sub-Head -> Account
- No hard coding and no conditions for defining GL or Sub-GL
- Consolidation of transaction information at branch level / sub-GL level, currency-wise
- Bank level, branch level or cluster level GL information can be generated

Page 58: CUSTOMER_ID

- Single point reference for all relationships with the Bank
- Unique identification number for the customer
- Created during customer master creation
- System generated / user enterable

Page 59: Customer Information File (CIF)

- A unique customer ID is generated to link all accounts
- Snapshot of all accounts for a customer is available
- Customer-to-customer relationship is maintained

Page 60: CBS Multi-Currency

- Multi-currency accounting
- Multi-currency transactions through home currency or direct cross currency
- GL in home currency / foreign currency or in any other base currency
- Clearing in different currencies
- Profit and loss computation for daily transactions
- Revaluation of position accounts

Page 61: CBS Workflow

- Capability to chain menu options
- Automatic population of data while chaining
- Attributes of fields such as non-mandatory to mandatory, default values, protection, echo / no echo
- Screen level integration with other applications (if required)

Example chain: Customer Master Addition -> Account Opening -> Transaction -> Verification

Account Opening Wizard: Customer information -> Customer information & A/c information

Page 62: Password controls

- Minimum length
- Alphanumeric with special characters
- Restrictions on repeated use of the same characters
- Number of times before which a password cannot be re-used
- Mandatory change of password on first login
- Mandatory change of password after 'x' days
- Special administration for holidays
- Facility to incorporate bank-specific policy through the Xtensibility tool kit

Page 63: User controls

- Unique identity for the user
- Mapping of role profile to user ID
- User has to be an "Employee" of the bank
- Login can be restricted to specific time limits / only working hours
- Login can be restricted to specific menu options
- Login can be restricted on holidays
- Maker-Checker concept: the same user cannot enter and authorize
- Currency based limits for Cash, Clearing and Transfer transactions
- User can be restricted from accessing his own account
- Image access restrictions for dormant accounts

Page 64: Menu controls

- Restrict menu options based on user classification
- Restrict menu options based on terminal classification
- Parameter to automatically log off a user if the time taken to select a menu option exceeds a limit

Page 65: Product and transaction controls

- Restriction of products for which a user has Read / Write access
- Transaction limits for Cash / Clearing / Transfer of a user for intra-branch and inter-branch transactions
- Transaction limits for Cash / Clearing / Transfer for every currency under every product / account
- Restriction on users from posting on their own accounts
- Handling of exceptions for transactions based on the definition of relevant controls
- System generated unique Transaction / Part Transaction numbers
- All debits to be posted before the credits
- Transaction completed only when the debits and credits are balanced
- Restriction at product level to allow / disallow back dated and value dated transactions

Page 66: Instrument and account controls

- Product level restrictions on valid instrument types that can be used for that product
- Maintenance of a "Hot List" of all black listed instruments used in transactions
- Check for "Stop Payments", "Expired Cheques", etc.
- Ability to mark accounts as "Frozen" for Debit / Credit / Both, along with the reason for the freeze
- Ability to restrict user initiated transactions on certain products
- Ability to link a reporting code for every Part Transaction
- Ensure that the posting of all transactions is complete before commencing the Day End processes

Page 67: Day End checks

- Pending authorisations
- Transactions not posted / verified
- Inventory transactions not posted
- Unprinted TDs / DDs and advices
- Sum of account balances not zero
- Check for number of TODs
- Instrument hot
- Bills pending verification
- Operation on Lien account
- User cash / clearing / transfer debit limit

Page 68: Transaction exceptions

- Back and value dated transaction
- Stale instrument
- Account frozen
- Cheque cautioned / not issued
- Employee own account
- Memo pad check
- Sanction limit expired / exceeded
- Customer ID mismatch between Cr. and Dr.
- Account below minimum balance
- Sanction limit < minimum loan amount
- Disbursement > sanction limit
- Disbursement date > expiry date
- Customer ID different for loan and operative account
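The following Python is an added example of how the exception controls on pages 48, 65, 66 and 68 fit together; it is not code from the deck, from Finacle or from any other CBS product. Every hit is classified as Warning, Error or Exception; Errors reject the transaction, an Exception may be overridden only by a user whose work class is high enough and the override must then be approved by a different user (maker-checker), and the debit is posted before the credit. All accounts, products, users, thresholds and sample values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Severity classes named on the slides: Warning, Error and Exception.
WARNING, ERROR, EXCEPTION = "WARNING", "ERROR", "EXCEPTION"
STALE_DAYS = 90          # assumed: a cheque older than this is a stale instrument
OVERRIDE_WORK_CLASS = 3  # assumed: lowest work class with overriding powers

@dataclass
class Account:
    acct_no: str
    cust_id: str
    product: str
    balance: float
    min_balance: float = 0.0
    freeze: str = "NONE"             # NONE, DEBIT, CREDIT or BOTH
    staff_emp_id: str | None = None  # employee ID when this is a staff account

@dataclass
class Product:
    code: str
    allow_back_dated: bool = True
    instruments: tuple = ("CASH", "TRANSFER", "CHEQUE")  # valid instrument types

@dataclass
class User:
    user_id: str
    emp_id: str
    work_class: int
    debit_limit: dict  # currency -> maximum single debit for this user

@dataclass
class Txn:
    user: User
    debit: Account
    credit: Account
    amount: float
    currency: str
    tran_date: date
    value_date: date
    instrument: str = "TRANSFER"
    cheque_no: str | None = None
    cheque_date: date | None = None

def check_txn(t: Txn, products: dict, hot_list: set, stop_payments: set) -> list:
    """Return (code, severity) for every control the transaction trips."""
    prod = products[t.debit.product]
    hits = []
    if t.debit.freeze in ("DEBIT", "BOTH") or t.credit.freeze in ("CREDIT", "BOTH"):
        hits.append(("ACCOUNT_FROZEN", ERROR))
    if t.user.emp_id in (t.debit.staff_emp_id, t.credit.staff_emp_id):
        hits.append(("EMPLOYEE_OWN_ACCOUNT", ERROR))  # no posting on own account
    if t.instrument not in prod.instruments:
        hits.append(("INSTRUMENT_NOT_VALID_FOR_PRODUCT", ERROR))
    if t.cheque_no in hot_list:
        hits.append(("INSTRUMENT_HOT", ERROR))
    if t.cheque_no in stop_payments:
        hits.append(("STOP_PAYMENT", ERROR))
    if t.cheque_date and (t.tran_date - t.cheque_date).days > STALE_DAYS:
        hits.append(("STALE_INSTRUMENT", ERROR))
    if t.value_date < t.tran_date:  # back / value dated: the product decides
        hits.append(("BACK_DATED", WARNING if prod.allow_back_dated else ERROR))
    if t.debit.cust_id != t.credit.cust_id:
        hits.append(("CUSTOMER_ID_MISMATCH_CR_DR", WARNING))
    if t.amount > t.user.debit_limit.get(t.currency, 0.0):
        hits.append(("USER_DEBIT_LIMIT_EXCEEDED", EXCEPTION))
    if t.debit.balance - t.amount < t.debit.min_balance:
        hits.append(("ACCOUNT_BELOW_MINIMUM_BALANCE", EXCEPTION))
    return hits

def post_txn(t: Txn, products, hot_list, stop_payments, approver: User | None = None):
    """Return (POSTED | REJECTED | APPROVAL_PENDING, hits)."""
    hits = check_txn(t, products, hot_list, stop_payments)
    if any(sev == ERROR for _, sev in hits):
        return "REJECTED", hits              # errors cannot be overridden
    if any(sev == EXCEPTION for _, sev in hits):
        if t.user.work_class < OVERRIDE_WORK_CLASS:
            return "REJECTED", hits          # user lacks overriding powers
        if approver is None or approver.user_id == t.user.user_id:
            return "APPROVAL_PENDING", hits  # a different user must approve the override
    t.debit.balance -= t.amount   # debit posted before the credit; the transaction
    t.credit.balance += t.amount  # is complete only when both legs are balanced
    return "POSTED", hits

def demo() -> dict:
    """Constructed sample data: a teller, an officer, a manager, and three accounts."""
    products = {"SBA": Product("SBA", allow_back_dated=False), "CAA": Product("CAA")}
    hot, stops = {"CHQ-9001"}, {"CHQ-9002"}
    teller = User("T001", "E100", 2, {"INR": 50000.0})
    officer = User("O001", "E200", 4, {"INR": 500000.0})
    manager = User("M001", "E300", 5, {"INR": 1000000.0})
    a = Account("A1", "C1", "SBA", 20000.0, min_balance=1000.0)
    b = Account("B1", "C2", "CAA", 5000.0)
    s = Account("S1", "C3", "SBA", 90000.0, staff_emp_id="E100")  # teller's own account
    d = date(2016, 12, 17)
    out = {}
    out["transfer"] = post_txn(Txn(teller, a, b, 10000.0, "INR", d, d), products, hot, stops)[0]
    out["own_account"] = post_txn(Txn(teller, s, b, 500.0, "INR", d, d), products, hot, stops)[0]
    big = Txn(officer, a, b, 9500.0, "INR", d, d)  # leaves A1 below its minimum balance
    out["no_approver"] = post_txn(big, products, hot, stops)[0]
    out["self_approve"] = post_txn(big, products, hot, stops, approver=officer)[0]
    out["approved"] = post_txn(big, products, hot, stops, approver=manager)[0]
    chq = Txn(teller, b, a, 100.0, "INR", d, d, instrument="CHEQUE", cheque_no="CHQ-9001", cheque_date=d)
    out["hot_cheque"] = post_txn(chq, products, hot, stops)[0]
    out["balances"] = (a.balance, b.balance)
    return out
```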

Page 69: Detective controls - Inquiries and Reports

General Inquiries:
- Loans General Inquiry
- Guarantees, Bills, Accounts and Customer Inquiry

Specific Inquiries:
- Transaction Exception Inquiry
- Hot Items Inquiry
- Account Abnormal Limit Inquiry
- Customer Unutilized Limit Inquiry
- Loans Overdue Position Inquiry
- A/c TOD Inquiry, A/c Turnover Inquiry
- Interest Table, Version, Slab Inquiry
- Limit Node and Financial Transaction Inquiry

Page 70: Audit trail of transactions

- Transaction Date
- Account involved along with the General Ledger code and Customer ID
- Branch: Account Branch and User Branch
- Amount: Account Currency and Exchange rate for multi-currency transactions
- User IDs: Entered, Modified, Posted, Verified
- Date: Transaction Date, Value Date
- Time: Entry, Posting, Deletion
- Module creating the transaction
- Exceptions generated on the transaction along with override details, if applicable
- Detailed online inquiries with flexible search facilities
- View results online or print reports

Page 71:

Modification User ID and Checker User ID

Modification Date and Checking Date with time stamp

Exceptions generated on the transaction along with override details, if applicable

Field level information of the “Before” and “After” image of data

Identification number of the entity that was modified – Account Number, Customer ID, etc.

Detailed online inquiries with flexible search facilities

View results online or print reports
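The two slides above describe what a transaction and maintenance audit trail must record: maker and checker IDs, time stamps, overridden exceptions and the before/after image of each modified entity. The following is an added example, not code from the presentation or from any CBS product, showing how an auditor can work such a trail: compute the field-level difference between the two images, test each row for maker-checker separation and time-stamp order, and search the trail by entity, user or changed field. The record layout and the sample rows are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Any, Optional


@dataclass
class MaintenanceRecord:
    """One row of the maintenance (modification) audit trail."""
    entity_type: str                  # "ACCOUNT", "CUSTOMER", ...
    entity_id: str                    # account number, customer ID, etc.
    modified_by: str                  # maker user ID
    modified_at: datetime
    before: dict[str, Any]            # field values before the change
    after: dict[str, Any]             # field values after the change
    checked_by: Optional[str] = None  # checker user ID, None while pending
    checked_at: Optional[datetime] = None
    overrides: list[str] = field(default_factory=list)  # exceptions overridden


def field_level_changes(rec: MaintenanceRecord) -> dict[str, tuple[Any, Any]]:
    """Diff the before/after images: {field: (old, new)} for changed fields only."""
    names = sorted(set(rec.before) | set(rec.after))
    return {n: (rec.before.get(n), rec.after.get(n))
            for n in names if rec.before.get(n) != rec.after.get(n)}


def audit_findings(rec: MaintenanceRecord) -> list[str]:
    """Control tests an auditor would run on each trail row."""
    f: list[str] = []
    if rec.checked_by is None:
        f.append("PENDING_VERIFICATION")
    else:
        if rec.checked_by == rec.modified_by:
            f.append("MAKER_IS_CHECKER")
        if rec.checked_at is None or rec.checked_at < rec.modified_at:
            f.append("CHECK_TIME_BEFORE_MODIFICATION")
    if not field_level_changes(rec):
        f.append("NO_FIELD_CHANGED")
    return f


def search(records, *, entity_id=None, user_id=None, field_name=None):
    """Flexible search: any combination of entity, maker/checker and changed field."""
    out = []
    for r in records:
        if entity_id and r.entity_id != entity_id:
            continue
        if user_id and user_id not in (r.modified_by, r.checked_by):
            continue
        if field_name and field_name not in field_level_changes(r):
            continue
        out.append(r)
    return out


# Constructed sample trail; not taken from any bank's system.
SAMPLE_TRAIL = [
    MaintenanceRecord("ACCOUNT", "SB001", "OFFICER1", datetime(2016, 12, 17, 10, 5),
                      {"int_rate": 4.0, "frozen": False},
                      {"int_rate": 7.5, "frozen": False},
                      checked_by="MANAGER1", checked_at=datetime(2016, 12, 17, 10, 12),
                      overrides=["RATE_ABOVE_TABLE"]),
    MaintenanceRecord("CUSTOMER", "C200", "OFFICER1", datetime(2016, 12, 17, 11, 0),
                      {"mobile": "9000000001"}, {"mobile": "9000000002"},
                      checked_by="OFFICER1", checked_at=datetime(2016, 12, 17, 10, 58)),
    MaintenanceRecord("ACCOUNT", "SB002", "TELLER3", datetime(2016, 12, 17, 15, 30),
                      {"sanction_limit": 0}, {"sanction_limit": 50000}),
]


def review(records=SAMPLE_TRAIL) -> dict[str, list[str]]:
    """Findings per entity ID for the whole trail."""
    return {r.entity_id: audit_findings(r) for r in records}


if __name__ == "__main__":
    for entity, findings in review().items():
        print(entity, findings or "OK")
```

A checker time stamp earlier than the maker's, or a maker who is also the checker, is only detectable because the trail stores both IDs and both times; a CBS that logs only the last user to touch a record cannot support this test.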

Page 72:

Interest Concepts

Interest table code

Customer preferential Interest

Account preferential Interest

Maximum Interest

Minimum Interest

Debit/ Credit interest flag

Account pegging flag

Interest on interest flag

Interest on principal flag

Interest demand date

Interest application date

Frequency of interest

Limit level Flag

Page 73:

Name of the Employee

Employee No:

User-ID:

Creation Date:

Deactivation date:

Signature of Employee:

Created by/ Verified by

Page 74:

ISMS Policy

Security Procedures

Security Statement

Security Guidelines

Page 75:

Terminal restriction

Temporal restriction

Usage control

Navigation control

Data Entry Control

Configuration File

Login script

Concurrency control

Page 76:

Password policy- Minimum length, composition, validity, type, change frequency, deactivation, password history.

Device access – USB, CD, any external drive

Data Leak/ Loss prevention

Classification of data

Multi-factor authentication:

◦ 1st factor – something you know

◦ 2nd factor – something you have

◦ 3rd factor – something you are
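The password policy parameters listed above (minimum length, composition, validity, change frequency, history) are what an auditor checks in the CBS configuration. The following is an added example, not code from the presentation or from any CBS product, showing how those parameters are enforced: composition rules, expiry against a maximum age, and a reuse check against a history of salted hashes so that old passwords never need to be stored in clear. The policy values, user ID and passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_age_days: int = 30      # validity / change frequency
    history_depth: int = 5      # previous passwords that may not be reused


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; store only salt and digest, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Credential:
    user_id: str
    salt: bytes
    digest: bytes
    changed_on: date
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)

    @classmethod
    def create(cls, user_id: str, password: str, on: date) -> "Credential":
        salt = os.urandom(16)
        return cls(user_id, salt, _derive(password, salt), on)

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _derive(password, self.salt))


def composition_violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Length and character-class rules; returns every rule that fails."""
    v = []
    if len(password) < policy.min_length:
        v.append("TOO_SHORT")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        v.append("NO_UPPERCASE")
    if policy.require_lower and not re.search(r"[a-z]", password):
        v.append("NO_LOWERCASE")
    if policy.require_digit and not re.search(r"[0-9]", password):
        v.append("NO_DIGIT")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        v.append("NO_SPECIAL")
    return v


def is_expired(cred: Credential, today: date, policy: PasswordPolicy) -> bool:
    return today - cred.changed_on > timedelta(days=policy.max_age_days)


def is_reused(cred: Credential, candidate: str, policy: PasswordPolicy) -> bool:
    """True if candidate equals the current or any of the last history_depth passwords."""
    if cred.matches(candidate):
        return True
    recent = cred.history[-policy.history_depth:] if policy.history_depth else []
    return any(hmac.compare_digest(d, _derive(candidate, s)) for s, d in recent)


def change_password(cred: Credential, new_password: str, today: date,
                    policy: PasswordPolicy) -> list[str]:
    """Apply the policy; rotate the credential and return [] on success."""
    violations = composition_violations(new_password, policy)
    if is_reused(cred, new_password, policy):
        violations.append("REUSED")
    if violations:
        return violations
    cred.history.append((cred.salt, cred.digest))
    cred.salt = os.urandom(16)
    cred.digest = _derive(new_password, cred.salt)
    cred.changed_on = today
    return []


def demo() -> dict:
    """Constructed walk-through; user and passwords are made up for the example."""
    policy = PasswordPolicy()
    cred = Credential.create("TELLER1", "Winter@2016", date(2016, 11, 1))
    return {
        "expired_on_17_dec": is_expired(cred, date(2016, 12, 17), policy),
        "weak": change_password(cred, "short", date(2016, 12, 17), policy),
        "same_again": change_password(cred, "Winter@2016", date(2016, 12, 17), policy),
        "good": change_password(cred, "Spring#2017", date(2016, 12, 17), policy),
        "old_one_back": change_password(cred, "Winter@2016", date(2016, 12, 18), policy),
        "expired_after_change": is_expired(cred, date(2016, 12, 18), policy),
    }
```

The history check works on the stored (salt, digest) pairs, so the audit point is not only that history depth is configured but that the system can enforce it without keeping old passwords readable.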

Page 77:

Information leakage is along similar lines: after a little time you wouldn't want what is left of it!

Preventing information leakage rests in your hands!

Information Security Awareness

Page 78:

Temperature Control

Humidity Control

No inflammable material

Structured cabling

Fire extinguisher

Regular Fire drill

Alternate source of electricity

Communication sources

Guard, watchman, external service providers

Page 79:

Handbook of ADC

Physical card maintenance

Card & PIN not in same place

Control in return card & PIN

Regular reconciliation

Card activation/ deactivation

Cash loading & reconciliation

ATM journal (EJ)

Swallowed Card

Rejected BIN

Bunch note acceptor

Cash recycler

Master Key maintenance

Page 80:

Complete documentation of BCP/ DRP

User/ employee awareness

Periodic BCP drill- proactive control

Not mere scheduled cut-over

Alternate connectivity & other resources

Alternate power supply

Escrow arrangement

BCP for outsourced activities

Page 81:

Information security Policy

Access control procedures

Branch level server, if any

Physical & environmental control

Network security & control

Local parameters in application level

ATM operations

Business continuity plan

Audit Checklist

APS for Branch

Page 82:

Does the Bank have a security policy

Approved copy available?

Employee awareness of security policy

Record maintenance for security incidents

Guidelines for handling security incidents

Page 83:

Password communication process

Sharing of password

Wrong password – account locking

Regeneration of password

Unlocking the password

Single sign-on.

Page 84:

December 18, 2016 84

Choose a strong password and never share it with anyone under any circumstances.

Passwords are the key to all your personal data, which needs to be handled with utmost caution.

Page 85:

User management – UserID

Session management

External drive disabling

Branch level server security policy, if any

Connectivity issue

Physical & environmental controls

Network issues- cabling, ports, nodes

Page 86:

Individual detail entry

Proxy account monitoring

Inter-sol account reconciliation

Trading account

Charge-off account

Migration account

Dummy account

Sundry deposit a/c

Page 87:

Back dated/ value dated entries

Unreasonable parameterisation by mistake

Maintenance of logs

Security Operations Centre.

Reports & Query

CBS interfaces

Sample audit reports

Sample infra-audit report

Page 88:


List of FDR having ROI > 11%

All FCNR with ZERO ROI

All FDR with ZERO ROI

FDR with Period > 240 months

All crop loan where ROI < 7% (except DRI)

All LA172 accounts where security not attached

All Staff loan where interest is credited

All staff OD where interest is credited

LA169-170 Next interest calculation date

LA172 Next interest calculation date

All OD, CC where Limit level Flag with ZERO ROI

Page 89:


List of deposit A/c with Dummy/ inoperative

List of Dormant A/c with conditions

List of Deposit A/c with 2 characters

All NRO with holding Tax rate Zero

All SOD with incorrect ROI

Loan Accounts with wrong interest application frequency

OD Account with ROI > 20%

Loan Account no of EMI > 360

Advances account with interest on principal flag N

Advances with interest on interest flag N

Advances with interest collect flag N

Deposit Account with interest pay flag as N

Limit Expiry Report

List of Cash deposit in NRE Account

Loan period less than EMI period.
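The reports on pages 88 and 89 are parameterisation checks over the account master, and most of them test the interest parameters introduced on page 72 (table rate, customer and account preferential interest, maximum/minimum, interest-on-principal and interest-on-interest flags, limit level flag). The following is an added example, not code from the presentation or from any CBS product, that serves both slides: a simplified model of how the preferential and bounding parameters combine into an effective rate, and a rule table that runs the listed exception reports over a constructed account master. The combination formula, the scheme codes and the sample accounts are assumptions made for the illustration, not a description of any vendor's interest engine.

```python
from dataclasses import dataclass
from typing import Callable, Optional


def effective_rate(table_rate: float, cust_pref: float = 0.0, acct_pref: float = 0.0,
                   min_rate: Optional[float] = None, max_rate: Optional[float] = None) -> float:
    """Assumed model: table rate plus preferential spreads, bounded by min/max."""
    rate = table_rate + cust_pref + acct_pref
    if min_rate is not None:
        rate = max(rate, min_rate)
    if max_rate is not None:
        rate = min(rate, max_rate)
    return round(rate, 2)


@dataclass
class AccountMaster:
    acct_no: str
    scheme: str                  # FDR, FCNR, SB, NRO, OD, CC, LA172, CROP ... (assumed codes)
    roi: float                   # effective rate of interest, % p.a.
    is_deposit: bool
    period_months: int = 0
    emi_count: int = 0
    int_on_principal: str = "Y"
    int_on_int: str = "Y"
    int_collect_flag: str = "Y"  # advances: interest collected
    int_pay_flag: str = "Y"      # deposits: interest paid
    limit_level_flag: str = "N"
    security_attached: bool = True
    dri: bool = False            # differential rate of interest scheme
    withholding_tax: Optional[float] = None


# (report name from the slides, predicate) pairs; each entry is one exception report.
RULES: list[tuple[str, Callable[[AccountMaster], bool]]] = [
    ("FDR_ROI_ABOVE_11", lambda a: a.scheme == "FDR" and a.roi > 11),
    ("FDR_FCNR_ZERO_ROI", lambda a: a.scheme in ("FDR", "FCNR") and a.roi == 0),
    ("FDR_PERIOD_OVER_240M", lambda a: a.scheme == "FDR" and a.period_months > 240),
    ("CROP_LOAN_ROI_BELOW_7", lambda a: a.scheme == "CROP" and not a.dri and a.roi < 7),
    ("LA172_NO_SECURITY", lambda a: a.scheme == "LA172" and not a.security_attached),
    ("OD_ROI_ABOVE_20", lambda a: a.scheme in ("OD", "CC") and a.roi > 20),
    ("OD_CC_LIMIT_LEVEL_ZERO_ROI",
     lambda a: a.scheme in ("OD", "CC") and a.limit_level_flag == "Y" and a.roi == 0),
    ("LOAN_EMI_OVER_360", lambda a: not a.is_deposit and a.emi_count > 360),
    ("ADV_INT_ON_PRINCIPAL_N", lambda a: not a.is_deposit and a.int_on_principal == "N"),
    ("ADV_INT_ON_INT_N", lambda a: not a.is_deposit and a.int_on_int == "N"),
    ("ADV_INT_COLLECT_N", lambda a: not a.is_deposit and a.int_collect_flag == "N"),
    ("DEP_INT_PAY_N", lambda a: a.is_deposit and a.int_pay_flag == "N"),
    ("NRO_WHT_ZERO", lambda a: a.scheme == "NRO" and a.withholding_tax == 0),
]


def scan(accounts: list[AccountMaster]) -> dict[str, list[str]]:
    """Run every report over the master and return only the accounts with hits."""
    hits = {}
    for a in accounts:
        codes = [name for name, pred in RULES if pred(a)]
        if codes:
            hits[a.acct_no] = codes
    return hits


# Constructed sample master (not real accounts).
SAMPLE = [
    AccountMaster("TD001", "FDR", effective_rate(7.0, cust_pref=0.5, acct_pref=0.25, max_rate=9.0),
                  True, period_months=60),
    AccountMaster("TD002", "FDR", effective_rate(7.0, cust_pref=5.5), True, period_months=300),
    AccountMaster("FC001", "FCNR", 0.0, True, period_months=12),
    AccountMaster("NR001", "NRO", 4.0, True, withholding_tax=0.0),
    AccountMaster("SB001", "SB", 4.0, True, int_pay_flag="N"),
    AccountMaster("LA001", "LA172", 11.0, False, emi_count=420, security_attached=False,
                  int_on_principal="N"),
    AccountMaster("CL001", "CROP", 5.0, False),
    AccountMaster("OD001", "OD", 0.0, False, limit_level_flag="Y", int_collect_flag="N"),
]


if __name__ == "__main__":
    for acct, codes in scan(SAMPLE).items():
        print(acct, codes)
```

TD002 shows why the maximum-interest parameter matters: without a bound, a preferential spread entered by mistake produces the 12.5% deposit the first report on page 88 is designed to catch.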

Page 90:


TOD within BM power after 14 days

Cash transactions > 50,000 in a day

Transaction in an inactive a/c

Txn > 1 lac in newly opened a/c

Excess TOD beyond BM power after 5 days

Intersol Txn – staff A/c

Txn > 2 lacs in low profile A/c

Dr Txn in other office A/c

Txn in Dormant A/c

Dr Txn in sensitive office A/c

Cr > 50000 in staff A/c

Abnormal int rate in TD

Cash payment from office A/c

TOD beyond BM power > 5 days

Excess over sanctioned limit –OD property

Excess over sanctioned limit –OD Traders

Excess over sanctioned limit –LABOD

Back value dated Txn > 10 lacs

Intersol Txn > 50 lacs

High value Txn without cheque

Manual interest paid on FDR
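Unlike the master-data checks on the previous two slides, the reports above need the transaction log joined to the account master, with aggregation (cash per account per day) and date arithmetic (age of a TOD, age of an account). The following is an added example, not code from the presentation or from any CBS product: it loads a constructed transaction log, account master and TOD register into an in-memory SQLite database and runs a selection of the listed reports as SQL. The table layout, the 90-day definition of a "newly opened" account and the 5 lac cut-off for "high value" are assumptions made for the illustration; the 50,000, 1 lac and 10 lac thresholds are the slide's own.

```python
import sqlite3

# Constructed sample data (no real accounts). Dates are ISO strings so that
# SQLite's julianday() can do day arithmetic on them.
ACCOUNTS = [  # acct_no, open_date, home SOL (branch), is_staff, dormant
    ("SB100", "2016-11-20", "1001", 0, 0),
    ("SB200", "2010-01-01", "1001", 0, 1),
    ("SB300", "2005-06-01", "1001", 1, 0),
    ("CA400", "2012-03-01", "1001", 0, 0),
]
TRANSACTIONS = [  # tran_id, acct_no, tran_date, value_date, tran_type, dr_cr, amount, user_sol, cheque_no
    (1, "SB100", "2016-12-15", "2016-12-15", "CASH", "C", 30000, "1001", None),
    (2, "SB100", "2016-12-15", "2016-12-15", "CASH", "C", 25000, "1001", None),
    (3, "SB100", "2016-12-16", "2016-12-16", "TRANSFER", "C", 150000, "1001", None),
    (4, "SB200", "2016-12-16", "2016-12-16", "TRANSFER", "D", 2000, "1001", None),
    (5, "SB300", "2016-12-16", "2016-12-16", "TRANSFER", "C", 10000, "2002", None),
    (6, "CA400", "2016-12-17", "2016-12-10", "TRANSFER", "D", 1200000, "1001", None),
    (7, "CA400", "2016-12-17", "2016-12-17", "TRANSFER", "D", 600000, "1001", "123456"),
]
TODS = [  # acct_no, tod_date, amount, bm_power (branch manager's discretionary limit)
    ("CA400", "2016-12-05", 80000, 50000),
    ("SB100", "2016-12-14", 20000, 50000),
]

# Thresholds from the slide; the 90-day "newly opened" window and the 5 lac
# "high value" cut-off are assumptions made for the example.
REPORTS = {
    "CASH_GT_50000_PER_DAY": """
        SELECT acct_no, tran_date, SUM(amount) FROM txn
        WHERE tran_type = 'CASH'
        GROUP BY acct_no, tran_date HAVING SUM(amount) > 50000""",
    "TXN_GT_1_LAC_IN_NEW_ACCOUNT": """
        SELECT t.tran_id, t.acct_no, t.amount FROM txn t JOIN acct a ON a.acct_no = t.acct_no
        WHERE t.amount > 100000
          AND julianday(t.tran_date) - julianday(a.open_date) <= 90""",
    "TXN_IN_DORMANT_ACCOUNT": """
        SELECT t.tran_id, t.acct_no FROM txn t JOIN acct a ON a.acct_no = t.acct_no
        WHERE a.dormant = 1""",
    "INTERSOL_TXN_STAFF_ACCOUNT": """
        SELECT t.tran_id, t.acct_no FROM txn t JOIN acct a ON a.acct_no = t.acct_no
        WHERE a.is_staff = 1 AND t.user_sol <> a.sol_id""",
    "BACK_VALUE_DATED_GT_10_LACS": """
        SELECT tran_id, acct_no, amount FROM txn
        WHERE value_date < tran_date AND amount > 1000000""",
    "HIGH_VALUE_DEBIT_WITHOUT_CHEQUE": """
        SELECT tran_id, acct_no, amount FROM txn
        WHERE dr_cr = 'D' AND amount > 500000 AND cheque_no IS NULL""",
    "TOD_BEYOND_BM_POWER_GT_5_DAYS": """
        SELECT acct_no, amount, CAST(julianday(:asof) - julianday(tod_date) AS INTEGER) AS days
        FROM tod WHERE amount > bm_power AND julianday(:asof) - julianday(tod_date) > 5""",
}


def load_sample() -> sqlite3.Connection:
    """Create the three tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE acct (acct_no TEXT PRIMARY KEY, open_date TEXT, sol_id TEXT,
                           is_staff INT, dormant INT);
        CREATE TABLE txn (tran_id INT PRIMARY KEY, acct_no TEXT, tran_date TEXT, value_date TEXT,
                          tran_type TEXT, dr_cr TEXT, amount REAL, user_sol TEXT, cheque_no TEXT);
        CREATE TABLE tod (acct_no TEXT, tod_date TEXT, amount REAL, bm_power REAL);""")
    conn.executemany("INSERT INTO acct VALUES (?,?,?,?,?)", ACCOUNTS)
    conn.executemany("INSERT INTO txn VALUES (?,?,?,?,?,?,?,?,?)", TRANSACTIONS)
    conn.executemany("INSERT INTO tod VALUES (?,?,?,?)", TODS)
    return conn


def run_reports(conn: sqlite3.Connection, as_of: str) -> dict[str, list[tuple]]:
    """Run every exception report as of the given business date."""
    out = {}
    for name, sql in REPORTS.items():
        params = {"asof": as_of} if ":asof" in sql else ()
        out[name] = conn.execute(sql, params).fetchall()
    return out


if __name__ == "__main__":
    for name, rows in run_reports(load_sample(), "2016-12-17").items():
        print(name, rows)
```

Transactions 1 and 2 show why the cash report must aggregate per account per day rather than test each entry: neither deposit crosses 50,000 on its own. Transaction 6 appears in two reports at once, which is the normal case for a back-value-dated high-value debit, and the auditor should expect the same entry to surface in several listings.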

Page 91:

Working group recommendation (Gopalakrishna Committee Report)
