Bank Branch Audit in Computerised Information System (CIS) Environment

“Actually I have nothing to say, so my presentation should last only two to three hours” CA. Mukesh Saran,

Bank Branch Audit in Computerised Information System (CIS) Environment
An investment in knowledge always pays the best interest. - Benjamin Franklin

“There will be only one break during my presentation! Please pace your boredom accordingly”

This is just what we could read from scrolling through the papers:
• Almost the entire dubbing of the movie “Race” was erased when a hard disk crashed at Sound City, so our heroes Anil & Saif had to redo the complete sound recording.
• The US Defence Department has said it is forbidding Google from filming and depicting in detail its military bases.
• Govt connectivity with other universities across the globe.
• To upgrade hospitals to meet Medical Council of India norms by developing software which would enable better access to books on medicines.
• Thinking of what to gift that special woman in your life on International Women’s Day? Forget diamonds, give her a high-tech gadget instead.


So when we are living in a Computerised Environment, we have no option but to carry out the audit in the same Computerised Environment.

• Developments in the Banking Sector
• Information System Audit v/s Financial Annual Audit
• Auditing in CIS Environment - AAS 29
• Effect of CIS Environment on Audit
• Potential Risk Areas in Computerised Branches
• Risk Assessment & Internal Control in CIS Environment
• Practical Approach for Effective Audit of Computerised Branches

Developments in the Banking Sector
• The IT saga in Indian banking commenced in the mid-eighties of the twentieth century, when the Reserve Bank took upon itself the task of promoting automation in banking to improve customer service, book-keeping, MIS and productivity. This role played by the Reserve Bank has continued over the years.
• Introduction of MICR-based cheque processing – a first for the region – during the years 1986-88.


Developments in the Banking Sector
• Computerisation of branches of banks – in the late eighties, with the introduction of ledger posting machines (LPMs) and advanced ledger posting machines (ALPMs), which have paved the way for the installation of Core Banking solutions.
• The setting up of the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad in the mid-nineties, as a research and technology centre for the banking sector.

Developments in the Banking Sector
• The commissioning in 1999 of the Indian Financial Network as a Closed User Group. The network supports applications having features such as Public Key Infrastructure (PKI), which international networks such as S.W.I.F.T. are now planning to implement.
• Commencement of Certification Authority (CA) functions of the IDRBT for ensuring that electronic banking transactions get the requisite legal protection under the Information Technology Act, 2000.

Developments in the Banking Sector
• Ensuring Information Systems Audit (IS Audit) in the banks, for which detailed guidelines relating to IS Audit were formulated and circulated.
• Enabling IT-based delivery channels which enhance customer service at banks, in areas such as cash delivery through shared Automated Teller Machines (ATMs), card-based transaction settlements, NEFT, RTGS, etc.

Developments in the Banking Sector





Information System Audit v/s Financial Audit
FINANCIAL AUDIT
• Audit opinion on financial statements
• Postmortem exercise
• Financial accuracy
• Financial audit is never part of IS audit
IS AUDIT
• Verification of system control & security
• Ongoing & forward-looking exercise
• System accuracy
• Output analyser, firewall, vulnerability assessment tool
• CAAT available - ACL, IDEA, Excel
• IS audit is to some extent part of financial audit

Auditing in Computerised Information System (CIS) Environment - AAS 29
• Mandatory nature of AAS
• Effect of CIS environment on audit
• Sufficient knowledge (skill & competence) of the CIS system to plan, supervise, control and review the audit
• AAS 9 – Using the work of an expert
• AAS 6 – Risk assessment and internal control


AAS 29…contd.
• Satisfaction about:
– Adequate procedures exist to ensure that data transmitted (entered) is correct and complete
– Cross verification of records
– Reconciliation statements and control system between primary & subsidiary ledger
– Accuracy of computer-compiled records is not assumed


AAS 29…contd.
• Documentation
– Audit plan
– Nature, timing and extent of audit procedures performed
– Conclusions drawn from evidence
– Electronic audit evidence also needs to be adequately and safely stored
– Electronic evidence should be retrievable in its entirety as and when required


Effect of CIS Environment on Audit
• Processing is concentrated
• Audit trails may be undermined
• Human judgment is bypassed
• Data are stored in device-oriented rather than human-oriented forms
– Invisible data
– Stored data are erasable
– Data are stored in a compressed form
– Stored data are relatively accessible

• Computer Equipment is Powerful but Complex and Vulnerable

Effect of CIS Environment on Audit
Parameter – Old way (manual) / New way (computerised)
• Records – Manual / Computerised
• Time to modify – More / Instantaneous
• Audit trail – Exists and is verifiable / May or may not exist
• Data manipulation – Difficult / Very easy
• Evidence – Can be collected / Difficult, and also fragile in nature
• Physical boundaries – Were identifiable / No limit
• Expertise – Common detection techniques / Additional technical knowledge is a MUST

Effect of CIS Environment on Audit
• Evaluate the following factors:
– Extent to which the CIS environment is used to record, compile and analyse accounting information
– Internal controls in existence with regard to:
• Authorised, correct and complete data (input)
• Processing of data
• Analysis & reporting (output)
– Impact on the audit trail of transactions


Typical Set-up of TBA Branches


Typical Set-up of CBS Branches


Risk involved in CIS Environment


Risk involved in CIS Environment
• Branch – Computerised; Auditor – Computer expert
• Branch – Manual; Auditor – May or may not be a computer expert
• Branch – Computerised; Auditor – Not a computer expert


Risk involved in CIS Environment
• Lack of transaction trails – e.g. evidence of application of interest on deposits & advances; system-generated entries
• Uniform processing of transactions – i.e. if an error occurs it applies to all transactions
• Lack of segregation of incompatible functions – i.e. the same person makes and checks; the same person deals with the customer and creates the account masters/parameters


Risk involved in CIS Environment
• Potential for errors & irregularities – due to invisibility of data
– No visible evidence of unauthorised access to / alteration of data (a ledger written in pencil)
– Errors in system-handled transactions – no human intervention/observation, hence they remain undetected
– Errors in the design or modification of programs can remain undetected


Risk involved in CIS Environment
• Manual controls in such a system are dependent upon computer-generated reports. Any error in a report will affect even the manual control.
• CIS-related fraud
– Unauthorised use – to modify, copy or use the data
– Internet fraud
– System fraud


Risk Assessment & Internal Control
• Exceptional transaction report is reviewed and verified by the respective department
• Review that alterations in system parameters and application parameters are made by authorised persons only
• Access to computer rooms is restricted to authorised persons only
• Whether the user logs out of the terminal when leaving the terminal / not on seat
• General maintenance of computer hardware is reasonable
• Whether daily, monthly, yearly, onsite and offsite backups are taken as per HO instructions

How to conduct Audit effectively in CIS Environment – Practical Approach
(indicative and not exhaustive)


CBS Software
Software name – Developed / maintained by – Banks in which implemented
• FINACLE – INFOSYS – PNB, OBC, ICICI etc.
• FLEX-CUBE – IFLEX – Kotak Mahindra Bank, YES Bank etc.
• B@NKS24 – TCS – SBI Group
• PROFILE – SANCHEZ – ING Vysya Bank
• Laser Panacea – Laser Soft – Corporation Bank

Primary Steps of Audit in CIS Environment
• Interview the System Executive
– Ascertain whether the branch has migrated to CBS during the current year – if yes, check migration controls
– Obtain an overview of the system, including hardware and networking configurations
– Ascertain the nature and extent of IT infrastructure, policies and CIS controls

Primary Steps of Audit in CIS Environment
• Whether officials other than those of the branch have authority to record transactions in it.
• If so, what are the Branch Manager’s authorities?
• If so, when does the branch become aware of such transactions?
– Immediately / at predefined intervals / End of Day (EOD) / Start of Next Day (SOD)


Primary Steps of Audit in CIS Environment
• How are the EOD/SOD processes managed?
• Are communication problems faced which delay EOD/SOD processes?
• What is the business impact of these delays/discontinuity?
• What are the offline periods?
• How are the transactions of this period uploaded onto the central server?


Primary Steps of Audit in CIS Environment
• Ascertain
– Whether the system is designed to automatically pass entries for income recognition norms?
– Whether RBI norms of provisioning are incorporated into the system, including the current amendments?
– Whether interest rate changes are incorporated correctly?
• Normal reply: “system is developed centrally at HO and branch has no control over it.”


Primary Steps of Audit in CIS Environment
• Ascertain
– About access control levels and the system to ensure adherence to defined controls
– About the SE’s role in ensuring such adherence
– About the modality of the year-end process & how balances are carried forward
– About his replies to the LFAR questions


Primary Steps of Audit in CIS Environment
• Ascertain management practices
• Are adequate summary-level reports available to management to allow monitoring of:
– Transaction volume?
– System problem logs?
– Exceptions?
– Unreconciled transactions?
– Other customer or operational issues?


Primary Steps of Audit in CIS Environment
• Take oral and written assurance that:
– The system is implemented as designed
– No modifications are made to the system
– All problems faced during implementation and post-implementation are resolved
– Problems faced have not affected the confidentiality, integrity and availability of the data


Primary Steps of Audit in CIS Environment
• Conclusions of discussions
– Document findings and conclusions.
– Assess whether the control mechanisms explained and demonstrated are adequate. If they are not adequate then:
• Traditional audit will have to be performed
• Due to the criticality of the data and the reliance placed on the system, the Audit Report or LFAR would need to be suitably qualified.
– The conclusion should be based on the audit processes carried out by the auditor and not only on the discussions.

Review of Application Controls
• Password management and history
• Unsuccessful log-on attempts
• Access logs and reviews
• Virus detection and protection
• Inactive user-ids


Review of Physical Controls
• Server room (TBA, PBA) / Router/Modem (CBS)
– Whether entry is restricted and where it is located
– Key should be with the manager


Review of Environmental Controls
• Air conditioner – Check the AMC
• Water seepage – Check the building condition
• Fire extinguisher – Date of refilling and expiry
• Smoke / heat detectors – Check the AMC

Review of Logical Controls
• User id creation – Entered in register, duly signed by user
• User id deletion – Entered in register and signed by manager
• User id of transferred staff – Deleted and entered in register; cross-check it with attendance
• User id and powers – Match with office order

Review of Logical Controls
• Vendor id – created or not; cross-verify with vendor register
• User id for master – when the branch is converted, verify from register
• DBA having financial powers – two user ids should be given


Review of Logical Controls
• PASSWORDS
• Check whether users are required to change their passwords periodically.
– Ideally this should be built into the software so there is no need of checking, and it should not accept previously used passwords
• Sharing of passwords
– Declaration to be taken
– Cross-verify with attendance register and access log
• Important passwords like DBA and Branch Manager’s are kept in a sealed cover with the Branch Manager
– Check by physical verification
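The user-id, password and access-log checks listed under application and logical controls above can be scripted rather than eyeballed. The following is an added example (not from the presentation or any CBS product): it runs the checks over a constructed user master and a constructed access log. The thresholds (password age, inactivity period, failed log-on count, office hours) are assumptions made for the example; the bank's HO instructions decide the real values.

```python
"""User-id and password control review over constructed branch data.

Added example, not from the presentation. Thresholds are assumptions:
substitute the bank's own HO instructions.
"""
from datetime import date, datetime

MAX_PASSWORD_AGE_DAYS = 30    # assumed policy: forced change every 30 days
INACTIVE_AFTER_DAYS = 90      # assumed policy: ids unused for 90 days are dormant
FAILED_LOGON_THRESHOLD = 3    # assumed: 3 or more failures in a day are reportable
OFFICE_HOURS = (8, 20)        # assumed: successful log-ins outside 08:00-20:00 are reportable

# Constructed user master of a hypothetical branch (not real data).
USER_MASTER = [
    {"user_id": "U101", "status": "active", "pwd_changed": "2011-02-01",
     "last_login": "2011-03-28", "posted_at_branch": True},
    {"user_id": "U102", "status": "active", "pwd_changed": "2011-03-20",
     "last_login": "2010-11-05", "posted_at_branch": True},
    {"user_id": "U103", "status": "active", "pwd_changed": "2011-03-25",
     "last_login": "2011-03-29", "posted_at_branch": False},   # transferred out
    {"user_id": "U104", "status": "active", "pwd_changed": "2011-03-15",
     "last_login": "2011-03-29", "posted_at_branch": True},
]

# Constructed access log lines: date time user-id event.
ACCESS_LOG = """\
2011-03-29 09:05:12 U101 LOGIN_OK
2011-03-29 09:06:40 U104 LOGIN_FAIL
2011-03-29 09:06:58 U104 LOGIN_FAIL
2011-03-29 09:07:20 U104 LOGIN_FAIL
2011-03-29 09:07:45 U104 LOGIN_OK
2011-03-29 22:14:03 U103 LOGIN_OK
"""


def parse_access_log(text):
    """Return (timestamp, user_id, event) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, user_id, event = line.split()
        events.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
                       user_id, event))
    return events


def review_user_controls(master, log_text, as_of):
    """Apply the logical-control checks and return findings grouped by type."""
    findings = {"stale_password": [], "inactive_id": [], "transferred_active": [],
                "failed_logons": [], "after_hours": []}
    for user in master:
        if user["status"] != "active":
            continue
        pwd_age = (as_of - date.fromisoformat(user["pwd_changed"])).days
        if pwd_age > MAX_PASSWORD_AGE_DAYS:
            findings["stale_password"].append((user["user_id"], pwd_age))
        idle = (as_of - date.fromisoformat(user["last_login"])).days
        if idle > INACTIVE_AFTER_DAYS:
            findings["inactive_id"].append((user["user_id"], idle))
        if not user["posted_at_branch"]:   # cross-check with attendance / office order
            findings["transferred_active"].append(user["user_id"])

    failures = {}
    for stamp, user_id, event in parse_access_log(log_text):
        if event == "LOGIN_FAIL":
            key = (user_id, stamp.date().isoformat())
            failures[key] = failures.get(key, 0) + 1
        elif event == "LOGIN_OK" and not (OFFICE_HOURS[0] <= stamp.hour < OFFICE_HOURS[1]):
            findings["after_hours"].append((user_id, stamp.strftime("%Y-%m-%d %H:%M")))
    for (user_id, day), count in sorted(failures.items()):
        if count >= FAILED_LOGON_THRESHOLD:
            findings["failed_logons"].append((user_id, day, count))
    return findings


def run_review(as_of_iso="2011-03-31"):
    """Run the review over the constructed sample data as at the given date."""
    return review_user_controls(USER_MASTER, ACCESS_LOG, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(f"{kind}: {items}")
```

Each finding still needs the manual follow-up the slides describe: the stale and inactive ids go to the user-id register, the transferred-staff id is matched against the office order and attendance register, and the after-hours and repeated-failure entries are discussed with the Branch Manager.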

Review of Output Controls
• Hard Copy Print Out
– Normally Ignored

• Screen Saver/Automatic Log Off • Reports are signed
– Normally Ignored


Review of Back up
• Most important issue
• Qualification
• A simple activity ignored
Area – CBS / TBA / PBA – What to check
• Training – Y / Y / Y – Interview
• Back up – N.A. / Y / Y – Back-up register
• Location – N.A. / Offsite / Offsite – Locker with banks
• Back up tested – N.A. / Y / Y – ????

• Read-only access
– Ask for access to view the data of the branch
– If access cannot be given, the fact should be documented and reported in the Audit Report / LFAR
– Use the assistance of the SE to run any query on a situation
• If the SE is not able to provide assistance, decide whether a mention is required in the Audit Report / LFAR

• Activity and transaction logs
– Logs – time, activity, user id
– Clock synchronisation
– Operating system logs
– Firewall logs
– Application system logs
– SQL logs
– ATM terminal access id and log
• Peruse transaction logs of “heavy days” (mostly after consecutive bank holidays) and ascertain whether there were any noticeable errors
– Review the exception transaction report
– Based on the review, the auditor can decide on the areas which need greater verification
– Discuss the action taken on the events noted as exceptional


• Exception report
– Debit / credit balance change
– Maturity record deleted
– Inactive accounts reactivated
– Excess allowed over limit
– Debits to income head accounts
– Overdue bills and bills returned
– Withdrawal against clearings
– Deposit accounts in debit balance
– Temporary O/D beyond sanction limit
– Standing instruction failed in day
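When the system's own exception report is not available to the auditor, or its completeness is in doubt, several of the conditions listed above can be regenerated from the day's transactions and the account master. The following is an added example (not the presentation's or any CBS product's report): it builds an exception report over constructed end-of-day data for five of the listed conditions. The account records, product codes and balance sign convention (positive = credit balance) are assumptions of the example.

```python
"""Exception transaction report generated from constructed end-of-day data.

Added example, not from the presentation or any CBS product. Account and
transaction records are constructed; balance sign convention is
positive = credit balance, negative = debit balance.
"""

ACCOUNTS = [
    # acct, product, status, sanctioned limit (advances only), opening balance
    {"acct": "SB001", "product": "SB", "status": "active", "limit": 0.0, "open_bal": 1500.0},
    {"acct": "SB002", "product": "SB", "status": "dormant", "limit": 0.0, "open_bal": 8000.0},
    {"acct": "CC001", "product": "CC", "status": "active", "limit": 100000.0, "open_bal": -90000.0},
    {"acct": "INT001", "product": "INCOME", "status": "active", "limit": 0.0, "open_bal": 250000.0},
    {"acct": "CA001", "product": "CA", "status": "active", "limit": 0.0, "open_bal": 2000.0},
]

DAYS_TRANSACTIONS = [
    # acct, DR/CR, amount, narration (constructed)
    ("SB001", "DR", 2000.0, "cheque 1234"),
    ("SB002", "DR", 500.0, "cash withdrawal"),
    ("CC001", "DR", 15000.0, "cheque 5678"),
    ("INT001", "DR", 1200.0, "interest reversal"),
    ("CA001", "CR", 500.0, "cash deposit"),
]

DEPOSIT_PRODUCTS = {"SB", "CA", "TD"}   # assumed product codes
ADVANCE_PRODUCTS = {"CC", "OD", "TL"}


def closing_balances(accounts, txns):
    """Roll the day's transactions forward onto the opening balances."""
    balances = {a["acct"]: a["open_bal"] for a in accounts}
    touched = set()
    for acct, dr_cr, amount, _ in txns:
        balances[acct] += amount if dr_cr == "CR" else -amount
        touched.add(acct)
    return balances, touched


def build_exception_report(accounts, txns):
    """Return (acct, exception code, detail) tuples for the conditions checked."""
    balances, touched = closing_balances(accounts, txns)
    debited = {acct for acct, dr_cr, _, _ in txns if dr_cr == "DR"}
    report = []
    for a in accounts:
        acct, close = a["acct"], balances[a["acct"]]
        # inactive account reactivated / operated
        if a["status"] == "dormant" and acct in touched:
            report.append((acct, "INACTIVE_ACCOUNT_OPERATED", f"closing {close:.2f}"))
        # debit / credit balance change (sign flipped during the day)
        if a["open_bal"] * close < 0:
            report.append((acct, "DR_CR_BALANCE_CHANGE", f"{a['open_bal']:.2f} -> {close:.2f}"))
        # deposit account in debit balance
        if a["product"] in DEPOSIT_PRODUCTS and close < 0:
            report.append((acct, "DEPOSIT_IN_DEBIT", f"debit balance {-close:.2f}"))
        # excess allowed over sanctioned limit
        if a["product"] in ADVANCE_PRODUCTS and -close > a["limit"]:
            report.append((acct, "EXCESS_OVER_LIMIT", f"excess {-close - a['limit']:.2f}"))
        # debit to an income head
        if a["product"] == "INCOME" and acct in debited:
            report.append((acct, "DEBIT_TO_INCOME_HEAD", "income head debited"))
    return report


if __name__ == "__main__":
    for row in build_exception_report(ACCOUNTS, DAYS_TRANSACTIONS):
        print(*row, sep=" | ")
```

Running it over a real day's extract (imported the way the NPA slides describe, into Excel or a CAAT) gives the auditor an independent list to compare with the branch's own exception report; items present in one but not the other are where the discussion on "action taken" should start.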

• Income
– Obtain the interest rates keyed into the system and match them with the rates prescribed by Management
– Obtain the log of interest rate changes and match it with the changes prescribed by Management
– Ensure that interest rate changes are duly authorised
– Test-check a few calculations
– Obtain cases of interest defaults and ensure that reversals have been properly accounted for
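The three income checks (keyed rates vs prescribed rates, authorisation of rate changes, and a test-check recomputation) are shown below as an added example, not from the presentation. All records are constructed, and the simple-interest formula used for the recomputation is an assumption; the bank's product rules (compounding, day-count) decide the actual computation and must be substituted before relying on any difference reported.

```python
"""Income checks over constructed data: keyed rates vs prescribed rates,
authorisation of rate changes, and a test-check recomputation of interest.

Added example; the simple-interest formula is an assumption."""

# Rates prescribed by Management (constructed HO circular), per scheme.
PRESCRIBED_RATES = {"SB": 4.0, "TD_1Y": 8.25, "CC": 12.5}

# Rates as keyed into the system master (constructed).
SYSTEM_MASTER = [
    {"acct": "SB001", "scheme": "SB", "rate": 4.0},
    {"acct": "TD001", "scheme": "TD_1Y", "rate": 8.25},
    {"acct": "TD002", "scheme": "TD_1Y", "rate": 9.0},    # keyed higher than prescribed
    {"acct": "CC001", "scheme": "CC", "rate": 12.5},
]

# System log of rate changes (constructed): who changed, who authorised.
RATE_CHANGE_LOG = [
    {"acct": "TD002", "old": 8.25, "new": 9.0, "user": "U104", "authorised_by": None},
    {"acct": "CC001", "old": 12.0, "new": 12.5, "user": "U101", "authorised_by": "MGR01"},
]

# Interest as applied by the system on a few sample accounts (constructed).
INTEREST_APPLIED = [
    {"acct": "TD001", "principal": 100000.0, "days": 365, "posted": 8250.0},
    {"acct": "TD002", "principal": 50000.0, "days": 365, "posted": 4500.0},
]


def rate_mismatches(master, prescribed):
    """Accounts whose keyed rate differs from the prescribed rate for the scheme."""
    return [(m["acct"], m["rate"], prescribed[m["scheme"]])
            for m in master if abs(m["rate"] - prescribed[m["scheme"]]) > 1e-9]


def unauthorised_rate_changes(change_log):
    """Rate changes in the log with no authorising officer recorded."""
    return [c["acct"] for c in change_log if not c["authorised_by"]]


def simple_interest(principal, annual_rate_pct, days):
    """Assumed formula: principal x rate x days / 365, rounded to paise."""
    return round(principal * annual_rate_pct / 100 * days / 365, 2)


def interest_test_check(applied, master, prescribed):
    """Recompute interest at the prescribed rate and report differences."""
    scheme_of = {m["acct"]: m["scheme"] for m in master}
    diffs = []
    for row in applied:
        expected = simple_interest(row["principal"],
                                   prescribed[scheme_of[row["acct"]]], row["days"])
        if abs(expected - row["posted"]) > 0.01:
            diffs.append((row["acct"], expected, row["posted"],
                          round(row["posted"] - expected, 2)))
    return diffs


if __name__ == "__main__":
    print("rate mismatches:", rate_mismatches(SYSTEM_MASTER, PRESCRIBED_RATES))
    print("unauthorised changes:", unauthorised_rate_changes(RATE_CHANGE_LOG))
    print("interest differences:",
          interest_test_check(INTEREST_APPLIED, SYSTEM_MASTER, PRESCRIBED_RATES))
```

In the sample, the same account surfaces in all three lists: a rate keyed above the circular, a change with no authorising officer, and excess interest paid as a result. That chain is exactly what the rate-change log is kept for, and the absence of such a log is itself an LFAR point.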

• Advances
– Master file – checking of the parameters: interest rate, drawing power, penal interest, standing instructions, stock statement submission (some software)
– Who creates and who authorises (done by sample)


• Fresh advances
– Trace the data entry of sanctioned loan parameters and conditions into the system
– Ensure that the rate of interest and due date of interest are properly entered; test a few transactions
– Review control over documentation through the system
– Inquire whether the system prompts for action sufficiently before the renewal date; test a few transactions


• Identification of potential NPAs
– Audit the list of customers/accounts with high deposits within the last week/fortnight
– Audit the list of accounts with one due-date default and deposits within the last week/fortnight
– Audit the list of accounts with deposits within the last week/fortnight and withdrawals in the first week of April
– Trace whether these deposits are from facilities given at other branches
– This is possible if access is available to the data of other branches

• Provisioning
– Obtain the report of cases of default of principal and ensure that accounting entries are passed for provisioning
– Obtain exception reports to be satisfied that no NPAs are missed/omitted by the branch
– Obtain the list of cases of:
• Re-rolling of advances
• Sanctioning of advances in branches
• Utilising packing credit advances to clear border level NPA term loans and other advances through current accounts / overdrafts / cash credit accounts


NPA Analysis
• Issues
– Is the classification correct?
– Is the calculation correct?
– Is the provisioning correct?
– Is the revenue charged on such accounts?

• How do we check
– Going through each account or a sample
– Applying the various criteria of classification
– Relying on information provided by the branch

NPA Analysis
• How computerisation can help
• If it is built into the software at the master level – which is difficult
• So what should we do to save time?
– Import the files into Excel (PBA, TBA)
– Convert the files into the required format (delimit)
– Apply VLOOKUP to match data
– Apply filter, sort and mathematical functions
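The import / VLOOKUP / filter routine above is a join followed by a rule. The following added example (not from the presentation) does the same thing in Python over constructed data, so the classification can be recomputed independently of the branch's own figures and compared against them. The cut-offs are assumptions made for the example (an account is treated as NPA once more than 90 days overdue and as doubtful once NPA for more than 12 months); the RBI norms current at the audit date decide the real thresholds, and the example deliberately flags advances that are missing from the overdue file rather than silently treating them as standard.

```python
"""NPA analysis: join the advances master to the overdue file (the VLOOKUP
step), classify each account, and list where the computed class differs from
what the branch reports. Added example with constructed data; the day
thresholds are assumptions."""
from datetime import date

NPA_AFTER_DAYS = 90        # assumed: overdue beyond this => NPA
DOUBTFUL_AFTER_DAYS = 365  # assumed: days as NPA beyond this => doubtful

# Advances master with the branch's own classification (constructed).
LOAN_MASTER = [
    {"acct": "TL001", "balance": 500000.0, "branch_class": "STD"},
    {"acct": "TL002", "balance": 200000.0, "branch_class": "STD"},
    {"acct": "TL003", "balance": 300000.0, "branch_class": "SUB"},
    {"acct": "TL004", "balance": 120000.0, "branch_class": "STD"},
]

# Overdue file: first unpaid due date per account, None if nothing is overdue (constructed).
OVERDUE_FILE = [
    {"acct": "TL001", "first_unpaid_due": None},
    {"acct": "TL002", "first_unpaid_due": "2010-11-30"},
    {"acct": "TL003", "first_unpaid_due": "2009-11-30"},
    # TL004 is deliberately absent: an unmatched lookup must be flagged, not assumed standard
]


def classify(days_overdue):
    """Map days overdue to STD / SUB (sub-standard) / DBT (doubtful)."""
    if days_overdue is None or days_overdue <= NPA_AFTER_DAYS:
        return "STD"
    days_as_npa = days_overdue - NPA_AFTER_DAYS
    return "DBT" if days_as_npa > DOUBTFUL_AFTER_DAYS else "SUB"


def npa_analysis(master, overdue, as_of):
    """Return (computed class per account, list of (acct, branch class, computed class) mismatches)."""
    lookup = {o["acct"]: o["first_unpaid_due"] for o in overdue}   # the VLOOKUP table
    computed, mismatches = {}, []
    for loan in master:
        acct = loan["acct"]
        if acct not in lookup:
            computed[acct] = "UNMATCHED"
            mismatches.append((acct, loan["branch_class"], "UNMATCHED"))
            continue
        due = lookup[acct]
        days = (as_of - date.fromisoformat(due)).days if due else None
        computed[acct] = classify(days)
        if computed[acct] != loan["branch_class"]:
            mismatches.append((acct, loan["branch_class"], computed[acct]))
    return computed, mismatches


def run_npa_analysis(as_of_iso="2011-03-31"):
    """Run the analysis over the constructed data as at the given date."""
    return npa_analysis(LOAN_MASTER, OVERDUE_FILE, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    computed, mismatches = run_npa_analysis()
    print("computed:", computed)
    print("mismatches (acct, branch, computed):", mismatches)
```

The mismatch list is the working paper: each entry is either a classification the branch must justify or a gap in the data it supplied, and the "UNMATCHED" rows in particular should be traced back to the file extraction before the branch's explanation is accepted.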

• Frauds
• Obtain the list of frauds that have taken place at branches
• Many frauds occur in new technology areas:
– ATM
– Net banking
– Credit card
– Cash management


• Control over impersonal / office accounts
• Accounts which are opened by the bank for its own operational purposes and are of an impersonal nature. For instance:
– Sundry credit accounts
– Sundry deposit accounts
– Suspense
– H.O. account
• Check whether these transactions are scrutinised by the branch for correctness and for prompt adjustment.

• Office accounts
• Review suspense / sundry / inter-branch accounts
• Scrutinise the list of outstanding entries
• Many of the new products offered on the basis of technology are dependent on the controls in these office accounts


• ATM transactions
• Whether ATM cash has been verified periodically
• Whether ATM transactions are reconciled periodically
• Whether adequate control over physical inventories of ATM cards has been exercised


• Whether all accounts (opening & closing) are duly authorised
• Whether all the GL account codes authorised by H.O. are in existence in the system
• Whether the Beginning of Day and End of Day register is maintained, whether the time is properly entered, and whether the time and date are normal and during office hours only
• Whether the account master and balance cannot be modified / amended / altered except by authorised personnel
• Whether the records of errors arising during daily operations are reported, and how they are rectified
• Whether dummy accounts created using master creation still exist in the branch
• A sample verification of SDRs / FDRs should be carried out to ascertain whether lien is marked on such deposit receipts in the system

Don’t Miss this!!!
• Have the figures, as at the year-end, in the control and subsidiary records been reconciled?
• Balance reports, e.g. the GL consistency report, should be verified for balancing of books. For those heads which are not made live, balancing should still be verified with the help of balance books.


Miscellaneous Issues
• Registers
– User id register
– Floppy register
– Checksum register
– Software problem register
– Machine breakdown register
– Asset register containing details of hardware
– Manuals, guidelines
– Media stock movement register
– Hardware / software register
– Parameter updation register

Miscellaneous Issues
• Insurance
– Must be fully insured against all potential risks
– Normally done at RO / ZO
• AMC
– AMC should be in force, with the contact number of the service provider
– Normally done at RO / ZO
• Anti-virus
– Licensed and updated version installed on all PCs
– Normally done at RO / ZO

Miscellaneous Issues
• Internet
– PCs having an internet connection should be separate from those used for banking operations
• Vendor
– The vendor’s contact number should be available and he should pay visits as agreed
– The vendor’s support should be ensured by Branch / RO / ZO


Miscellaneous Issues
• Other programmes
– No extraneous software, games software or freeware should be loaded on PCs
– This responsibility has to be shouldered by the Branch Incumbent
• Floppy / CD / USB and other removable media
– They should be disabled on all PCs except those used for backups or that of the Manager
– Here too, the Manager should ensure this


Miscellaneous Issues
• If there is a system break-down, has the branch made standby arrangements?
• Is there a software bug which results in wrong calculation of interest charges or service charges? If so, is that program deactivated and is manual processing taking place to ensure adherence to rules?
• If a crucial report such as the GL tally report is not being generated by the system, is the branch checking for data consistency by tallying the total of the account-level balance list with the respective account heads, either manually or through the use of SQL?
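The GL tally described in the last point above (and the year-end control vs subsidiary reconciliation under "Don’t Miss this!!!") is a one-query check once the account-level balance list and the GL head balances are loaded into any SQL engine. The following is an added example, not the bank's report or any CBS query: it loads constructed data into an in-memory SQLite database and runs the tally in SQL, also listing accounts whose head code does not exist in the GL. Table and column names are assumptions of the example.

```python
"""GL tally check: account-level balances summed per head against the GL
control balance, done with SQL over an in-memory SQLite copy of constructed
branch data. Added example, not the bank's report or any CBS query."""
import sqlite3

# GL control balances per head (constructed). Positive = credit balance.
GL_HEADS = [("CA", 5000.0), ("SB", 10000.0), ("SUSP", 1000.0), ("TD", 20000.0)]

# Account-level balance list (constructed). SUSP has no account-level list,
# which is the "head not made live" case that needs the balance book instead.
ACCOUNT_BALANCES = [
    ("SB001", "SB", 6000.0), ("SB002", "SB", 4000.0),
    ("CA001", "CA", 5500.0),
    ("TD001", "TD", 20000.0),
    ("XX001", "XX", 100.0),   # head code that does not exist in the GL
]

TALLY_SQL = """
SELECT g.head_code, g.gl_balance,
       COALESCE(SUM(a.balance), 0) AS subsidiary_total,
       g.gl_balance - COALESCE(SUM(a.balance), 0) AS difference
FROM gl_heads g LEFT JOIN accounts a ON a.head_code = g.head_code
GROUP BY g.head_code, g.gl_balance
ORDER BY g.head_code
"""

ORPHAN_SQL = """
SELECT a.acct, a.head_code, a.balance
FROM accounts a LEFT JOIN gl_heads g ON g.head_code = a.head_code
WHERE g.head_code IS NULL
ORDER BY a.acct
"""


def load(gl_heads, accounts):
    """Create the two tables in memory and load the extracts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE gl_heads (head_code TEXT PRIMARY KEY, gl_balance REAL)")
    con.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, head_code TEXT, balance REAL)")
    con.executemany("INSERT INTO gl_heads VALUES (?, ?)", gl_heads)
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", accounts)
    return con


def gl_tally(gl_heads, accounts, tolerance=0.005):
    """Heads whose GL balance differs from the sum of account-level balances."""
    con = load(gl_heads, accounts)
    rows = con.execute(TALLY_SQL).fetchall()
    return [row for row in rows if abs(row[3]) > tolerance]


def orphan_accounts(gl_heads, accounts):
    """Accounts carrying a head code that is not in the GL at all."""
    con = load(gl_heads, accounts)
    return con.execute(ORPHAN_SQL).fetchall()


if __name__ == "__main__":
    print("heads not tallying (head, GL, subsidiary, difference):")
    for row in gl_tally(GL_HEADS, ACCOUNT_BALANCES):
        print("  ", row)
    print("accounts with unknown head code:", orphan_accounts(GL_HEADS, ACCOUNT_BALANCES))
```

A difference on a head that has account-level entries is a balancing error to be taken up with the branch; a difference on a head with no account-level entries (SUSP in the sample) is the case the slides send back to the balance books; and an orphan account is a GL code not authorised by H.O. or a master keyed wrongly, which belongs under the account-master checks above.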

Audit Conclusions
• Document all findings
• Take adequate oral & written representations
• Discuss findings
• Submit report


Last but not the least
The procedures listed above are not exhaustive but suggestive. Stress has been given to those procedures which have some connection with the computerised accounting / CBS environment. Other procedures are generally the same under CIS and non-CIS / manual environments and hence are not listed.

“Appreciation is a wonderful thing; it makes what is excellent in others belong to us as well” - Voltaire

Any Questions?

In the year 1994, the Reserve Bank of India formed a committee on "Technology Upgradation in the Payment Systems". The committee recommended a variety of payment applications which can be implemented with appropriate technology upgradation and development of a reliable communication network. The committee also suggested setting up of an Information Technology Institute for the purpose of Research and Development as well as Consultancy in the application of technology to the Banking and Financial sector of the country. As recommended by the Committee, the Institute for Development & Research in Banking Technology [IDRBT] was established by the Reserve Bank of India in 1996 as an Autonomous Centre for Development and Research in Banking Technology.

SWIFT SWIFT is the Society for Worldwide Interbank Financial Telecommunication, a member-owned cooperative through which the financial world conducts its business operations with speed, certainty and confidence. More than 9,000 banking organisations, securities institutions and corporate customers in 209 countries trust us every day to exchange millions of standardised financial messages.



The acronym 'RTGS' stands for Real Time Gross Settlement, which can be defined as the continuous (real-time) settlement of funds transfers individually on an order by order basis (without netting). 'Real Time' means the processing of instructions at the time they are received rather than at some later time. 'Gross Settlement' means the settlement of funds transfer instructions occurs individually (on an instruction by instruction basis). Considering that the funds settlement takes place in the books of the Reserve Bank of India, the payments are final and irrevocable.



Negotiated Dealing System (NDS)

An electronic trading platform, operated by the Reserve Bank of India, used to facilitate the exchange of government securities and other money market instruments. The negotiated dealing system will also be responsible for hosting new issues of government securities.




The Centralised Funds Management System (CFMS) is a system set up, operated and maintained by the Reserve Bank of India (hereinafter referred to as the ‘Bank’) to enable operations on current accounts maintained at various offices of the Bank, through standard message formats in a secure manner. The CFMS comprises two components – the Centralised Funds Enquiry System (CFES) and the Centralised Funds Transfer System (CFTS). These have been made available through the following subsystems:
- the Apex Level Server (ALS),
- the Local Funds Management System (LFMS),
- the Bank Level Funds Management System (BLFMS), and
- the Local Banks Funds Management System (LBFMS).


National Settlement Solutions - Welcome to National Settlement Solutions (NSS), a national title insurance and title services company. From title insurance and escrow services to home loan settlements and refinancing, National Settlement Solutions combines the latest online technology with unparalleled personalized customer service to ensure successful, efficient transactions.



SFMS – Structured Financial Messaging System (SFMS) is a secure messaging standard developed to serve as a platform for intra-bank and inter-bank applications. It is an Indian standard similar to SWIFT (Society for Worldwide Interbank Financial Telecommunication), which is the international messaging system used for financial messaging globally. SFMS can be used practically for all purposes of secure communication within the bank and between banks. The SFMS was launched on December 14, 2001 at IDRBT. SFMS has a number of special features: it is modularised and web-enabled software, with a flexible architecture facilitating centralised or distributed deployment. Access control is through smart-card based user access, and messages are secured by means of standard encryption and authentication services conforming to ISO standards. RBI applications like Real Time Gross Settlement (RTGS), Negotiated Dealing System (NDS), Security Settlement System (SSS) and Integrated Accounting System (IAS) have an interface with SFMS, and RTGS uses SFMS for messaging.

CMS – Cash Management Services (banking)
– CMS is a product under which collections and payments are effected at high speed.
– Customers can have their cheques/instruments collected from several up-country centres and pool funds at a single point.
– Customers can also use CMS to make payments at various locations all over the country.
• How CMS works
– Collection of cheques from the customers’/dealers’ place by the Bank’s courier, or deposit of cheques by the customer’s representative at the CMS centres.
– CMS centres transmit information on the instruments deposited to the CMS Central Hub via WAN.
– The Central Hub collates the information received from CMS centres and sends out payment advices as per agreed terms.
– The CMS Central Hub also generates customised MIS in respect of collections and payments and transmits the same electronically every day.


The National Electronic Funds Transfer (NEFT) system is a nationwide funds transfer system to facilitate the transfer of funds from any bank branch to any other bank branch.



How RTGS is different from National Electronics Funds Transfer System (NEFT)?
NEFT is an electronic fund transfer system that operates on a Deferred Net Settlement (DNS) basis, which settles transactions in batches. In DNS, the settlement takes place with all transactions received till the particular cut-off time. These transactions are netted (payables and receivables) in NEFT, whereas in RTGS the transactions are settled individually. For example, currently NEFT operates in hourly batches: there are eleven settlements from 9 am to 7 pm on week days and five settlements from 9 am to 1 pm on Saturdays. Any transaction initiated after a designated settlement time would have to wait till the next designated settlement time. Contrary to this, in RTGS transactions are processed continuously throughout the RTGS business hours.

Auditing and Assurance Standard (AAS) 29
Auditing and Assurance Standard (AAS) 29, "Auditing in a Computer Information Systems Environment", issued by the Council of the Institute of Chartered Accountants of India. This Standard should be read in conjunction with the "Preface to the Statements on Standard Auditing Practices" issued by the Institute.

The purpose of this Auditing and Assurance Standard (AAS) is to establish standards on procedures to be followed when an audit is conducted in a computer information systems (CIS) environment. For the purposes of this AAS, a CIS environment exists when one or more computer(s) of any type or size is (are) involved in the processing of financial information, including quantitative data, of significance to the audit, whether those computers are operated by the entity or by a third party.

CA – Controller of Certifying Authorities. The Information Technology Act, 2000 was enacted by the Indian Parliament in June 2000. It was notified for implementation in October 2000 with the issuance of Rules under the Act. The purpose of the Act is to promote the use of digital signatures for the growth of e-commerce and e-governance.

IDEA (originally an acronym for Interactive Data Extraction and Analysis) provides auditors, accountants, and systems and financial professionals with the ability to read, display, analyse, manipulate, sample or extract data from data files from almost any source – mainframe to personal computers, including reports printed to a file. IDEA extends your reach by providing unique functions and features not found in generic software. IDEA combines considerable power of analysis with an extremely user-friendly Windows environment. This versatile tool is useful for any type of file interrogation and offers users the benefits of the following and other functionality
