IT audit

Published by: routraykhushboo on Mar 26, 2011
Copyright: Attribution Non-commercial

IT audit (information technology audit) assumes greater importance in the context of the accelerated pace of computerization taking place in the banking sector. Even though computerization gives many benefits, it need not be a solution to all the problems faced by the banking industry.

IT audit or EDP (electronic data processing) audit could be defined as a process of collecting and evaluating evidence to determine whether a computer system could safeguard assets through adoption of adequate security and control measures, maintain data integrity, achieve the goals of the organization effectively and result in efficient use of the resources available.

Audit Trail

Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a system is maintained. This record is needed to answer queries, fulfill statutory requirements, deter irregularities, detect consequences of error and allow system monitoring. Two sorts of audit trail must be maintained: the accounting audit trail and the operations audit trail.

Accounting audit trail

The accounting audit trail shows the source and nature of data and processes that update the database. The sort of data that need to be maintained are as follows:

1. Identity of the would-be user of the system
2. Authentication of the information supplied
3. Action privileges requested
4. Terminal identifiers
5. Start and finish time
6. Number of login attempts
7. Resources provided/denied
8. Action privileges allowed/denied

Similar audit trail requirements are also required at the database system level. This allows the management or auditor to create a time series of events that occur when a user attempts to gain access to and employ system resources. Periodically the audit trail should be analyzed to detect any control weakness in the system.

The accounting audit trail must allow a message to be traced through each node in the network. Some examples of data items that might be kept are:
- Unique identifier of the source code
- Unique identifier of the person/process authorizing dispatch of the message
- Time & date at which message is dispatched
- Message sequence number
- Unique identifier of each node in the network that the message traversed

Operations Audit Trail

The operations audit trail in the communication subsystem is especially important, as the performance and ultimately the integrity of the network depend on the availability of comprehensive operations audit trail data. Using this data, a network supervisor can identify problem areas in the network and reconfigure the network accordingly. Some examples of data to be kept are:
- No. of messages traversed through each link
- No. of messages traversed through each node
- Queue lengths at each node
- No. of errors occurring on each link or at each node
- Log of system restarts

Jilani committee recommendations related to computer audit

In view of the need felt to review the existing system of internal controls, inspection and audit in banks, the RBI constituted a working group to review the internal controls, inspection and audit system in banks under the chairmanship of Shri Rashid Jilani, then the chairman of Punjab National Bank.

The recommendations of the committee are:
- There is a need for formal declaration of system development methodology, programming and documentation standards to be followed by the bank, in the absence of which the quality of system maintenance as well as improvement would suffer. EDP auditors should verify compliance in this regard.
- The entire domain of EDP activities (from policy to implementation) should be brought under the scrutiny of the inspection/audit department. Financial outlay as well as activities to be performed by the EDP department should be reviewed by senior management at periodical intervals.
- Efforts should be made to develop a team of competent, motivated EDP personnel. It is beneficial to have a collective development of systems involving many persons instead of a few, in order to take care of the situation of an exodus of key personnel. Also, there is a need for setting up an EDP audit division within the inspection and audit department of a bank which specializes in EDP audit functions.
- More emphasis is to be given to total system development rather than ad hoc implementation, for ensuring effective working and control of EDP applications.
- Banks are racing against time while upgrading and implementing EDP applications. In such a scenario, they may not be in a position to develop software packages in house, resulting in seeking outside vendors' help in software development. In such cases, the relationship and role of the EDP department with outside software vendors needs to be clearly defined. It also needs to be ensured that these packages developed by outside vendors conform to standards and specifications and meet all requirements of audit.
- EDP auditors' technical knowledge should be augmented on a continuing basis through deputation to seminars/conferences, supply of technical periodicals and books, etc.
- Contingency plans and procedures in case of system failure should be introduced or tested at periodic intervals. The EDP auditor could put such a contingency plan under test during the audit for evaluating the effectiveness of such plans.
- Due to the increase in use of online applications, the EDP auditor must place greater emphasis on information security controls than on physical security. Further, as the set rules and security standards will be different for each application, he should ensure that proper control measures are used in different types of applications.
- The EDP auditor should be concerned with controls over access to computer programmes and data and should examine in detail the adequacy of controls to prevent any unauthorized changes/interruptions/access to data or programs.
- In all application systems, there should be a system of generating exception reports which is automatically triggered when a control point is violated, and such reports should form a part of the MIS report so that deviations could be brought to the notice of senior management for ratification/rectification on an ongoing basis. The EDP auditor should verify whether all the exception reports have been put up to immediate senior management and ratification is obtained for such deviations.
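The accounting audit trail fields listed earlier and the exception-report recommendation above can be tied together in a short script. This is an added example, not part of the original document: the CSV layout, column names, the login-attempt limit and the sample records are all assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample accounting audit trail (not real bank data). The column
# names and CSV layout are assumptions based on the fields listed in the text.
SAMPLE_TRAIL = """user_id,terminal_id,start,finish,login_attempts,privilege,resource,outcome
u1001,T07,2011-03-01T09:02:11,2011-03-01T09:40:02,1,read,ledger,allowed
u1002,T03,2011-03-01T09:05:40,2011-03-01T09:05:58,4,update,ledger,denied
u1001,T07,2011-03-01T08:15:00,2011-03-01T08:20:30,1,update,signature_db,denied
u1003,T11,2011-03-01T10:12:09,2011-03-01T10:30:00,2,read,customer_master,allowed
u1002,T09,2011-03-01T09:07:15,2011-03-01T09:30:00,1,read,ledger,allowed
"""
MAX_LOGIN_ATTEMPTS = 3  # assumed control point; the real limit is set by bank policy

def load_trail(text):
    """Parse the trail and return its records in chronological order."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["start"] = datetime.fromisoformat(r["start"])
        r["login_attempts"] = int(r["login_attempts"])
    return sorted(rows, key=lambda r: r["start"])

def time_series_by_user(records):
    """Group the chronological records into one event series per user."""
    series = defaultdict(list)
    for r in records:
        series[r["user_id"]].append(r)
    return dict(series)

def exception_report(records, ratified=frozenset()):
    """List control-point violations and whether each has been ratified."""
    report = []
    for r in records:
        reasons = []
        if r["login_attempts"] > MAX_LOGIN_ATTEMPTS:
            reasons.append("login attempts exceed limit")
        if r["outcome"] == "denied":
            reasons.append(f"{r['privilege']} on {r['resource']} denied")
        if reasons:
            key = (r["user_id"], r["start"].isoformat())
            report.append({"key": key, "terminal": r["terminal_id"],
                           "reasons": reasons, "ratified": key in ratified})
    return report

def unratified(report):
    """Exceptions the auditor should still find put up to senior management."""
    return [e["key"] for e in report if not e["ratified"]]
```

The `ratified` argument stands in for whatever record the bank keeps of management sign-off; `unratified` returns the deviations an EDP auditor would follow up.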

Use of IT in audit

Similar to the use of IT in other functional areas of the bank, we can also think of deploying computer-based systems in the inspection & audit department. Auditing is always likely to include the following elements:

1. Understanding the business and the related systems of the branch/office being audited
2. Recording the systems
3. Determining the appropriate audit approach and planning the audit
