
Assignment On:

IS Audit and Inspection: Planning, Setting the Scope, and Preparing IS Audit for
any System Based Banking Operations of Your Bank

Name of the Participant


Name of the bank
Designation

Introduction
Information System Audit is the process of collecting and evaluating evidence to
determine whether a computer system has been designed to maintain data
integrity, safeguard assets, allow organizational goals to be achieved effectively
and use resources efficiently.
An effective information system audit helps the organization achieve its
objectives, and an efficient information system uses minimum resources in
achieving the required objectives.
The objective of undertaking an IT audit is to evaluate a bank's computerized
information system (CIS) in order to ascertain whether the CIS produces timely,
accurate, complete and reliable information outputs, while also ensuring the
confidentiality, integrity, availability and reliability of data and adherence to
relevant legal and regulatory requirements. IT auditors evaluate the adequacy of
internal controls in computer systems to mitigate the risk of loss due to errors,
fraud and other acts, and to disasters or incidents that cause the system to be
unavailable.
Discussion
IS auditors evaluate risk management practices to determine whether the bank's
IS-related risks are properly managed. IS auditors should conduct the audit of overall
information and related technological security aspects covering the following:
a. IT Asset Management
b. IT Service & Facility Management
c. Physical Security (client/server interface, telecommunication, server, data storage, intranet, internet)
d. Environmental Security
e. User & Access Management
f. Database Access & Network Security
g. Data Center Security
h. Change & Patch Management
i. Problem & Incident Management
j. IT Strategies, IT Budget
k. Audit Trails & Data Privacy Protection Management
l. IT Service Contracts & Agreements and Vendor Management
m. IT Risk Management
n. Data Integrity & Transaction Control
o. Data Retention & Disposal Management
p. System Acquisition & Development Management
q. Business Continuity & Disaster Recovery

Information System Audit


Audit objectives will vary according to the nature or category of the audit. An IT Security Audit
is done to protect the entire system from the most common security threats, which include
the following:

- Network vulnerabilities and intrusions
- Performance problems and flaws in applications
- Improper alteration or destruction of data (information integrity)
- Access to confidential data
- Unauthorized access to department computers and branches
- Password disclosure or compromise
- Virus infections
- Denial of service attacks
- Open ports that may be accessed by outsiders (unrestricted modems and
unnecessarily open ports)
IT Audits may be conducted to:
- Ensure the integrity, confidentiality and availability of information system(s) and
resources.
- Investigate possible security vulnerabilities and incidents in order to ensure
conformance to the Bank's security policies.
- Ensure that deployed software systems conform to the Bank's software
implementation policy.
- Ensure that changes made to any system conform to the Bank's Change
Control/Change Management policy.
- Ensure that regular backups of data and business-critical systems are taken and
preserved.
- Ensure that restores of both data and full systems are carried out on a regular basis, so
that data integrity can be verified and the Bank is prepared for any possible
disaster.
- Monitor user or system activity where appropriate.
- Investigate security incidents as and when required.
An IT audit is different from a financial statement audit. While a financial audit's
purpose is to evaluate whether an organization is adhering to standard accounting
practices, the purpose of an IT audit is to evaluate the design and effectiveness of the
system's internal controls. This includes, but is not limited to, efficiency and security
protocols, development processes, and IT governance or oversight.

Installing controls is necessary but not sufficient to provide adequate security. People
responsible for security must consider whether the controls are installed as intended,
whether they are effective, whether any breach of security has occurred and, if so, what
actions can be taken to prevent future breaches.

These inquiries must be answered by independent and unbiased observers. These
observers perform the task of information systems auditing. In an Information
Systems (IS) environment, an audit is an examination of information systems, their
inputs, outputs, and processing.

Planning / Pre-Audit activities


Auditors must make certain assumptions when bidding on a project, such as having
access to certain data or staff. But once the auditor is on board, nothing should be assumed;
everything should be spelled out in writing, such as receiving copies of policies or system
configuration data. These assumptions should be agreed to by both sides and include
input from the units whose systems will be audited.

Nobody likes surprises. Involve the business and IT unit managers of the audited systems
early on. This will smooth the process and head off disputes over the auditor's access. Consider the
case of one respected auditing firm that requested that copies of the system password and
firewall configuration files be e-mailed to them.

Some activities that ease the process are listed below:

1. Team Leaders should specify restrictions, such as time of day and testing methods, to
limit the impact on production systems. Most organizations concede that denial-of-service and
social engineering attacks are difficult to counter, so they may exclude these from the
scope of the audit.

2. Make sure the auditors conform to the policy on handling proprietary information. If
the organization forbids employees from communicating sensitive information through
non-encrypted public e-mail, the auditors must respect and follow the policy. The audit
report itself contains proprietary data and should be handled appropriately, hand
delivered and marked proprietary and/or encrypted if sent through e-mail.

3. Give the auditors an indemnification statement authorizing them to probe the network.

The Audit Officer will be responsible for internal audit within the department and the
operations of branches. When requested, and for the purpose of performing an audit, any
access needed will be provided to members of the Internal Audit team.

This access may include:

- User-level and/or system-level access to any computing or communications device
- Access to information (electronic, hardcopy, etc.) that may be produced,
transmitted or stored on the respective department's equipment or premises
- Access to work areas (Data Center, DR site, NOC, labs, offices, cubicles, storage
areas, etc.)
- Access to reports and documents created during internal audit
- Interactively monitoring and logging traffic on the Bank's corporate network in
conjunction with the Bank's WAN connectivity provider
- Moving machines involved in an incident to a safe location for analysis or to
ensure evidence is captured and preserved securely
- All system and user activity logs/audit trails, to verify that privileges
were used only for their intended and approved purposes
- User-level and/or admin-level access to any computing or communications
device
- Network or host scans, and obtaining any applicable information
- Audit rights of access to any Service Level Agreement or Annual Maintenance
Contract with external or internal parties, as and when appropriate
- External or internal parties' premises, to verify the capability of a service provider
before engaging them to provide any service in the Bank's interest
- All types of licenses/IPR (intellectual property rights) related documents or logs
associated with any software or hardware used in the Bank's ICT infrastructure
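The audit-trail item above (verifying that privileges were used only for their intended and approved purposes) is the one point in this list an auditor can partly mechanise. The following is an added example, not part of the assignment or of any bank's tooling: it reconciles constructed privileged-activity log lines against a constructed approved-access register and reports each entry that falls outside it. The log format, field names (user, priv, action, target, ticket), the register, the ticket-required actions and the business-hours window are all assumptions made for illustration.

```python
"""Added example: reconcile privileged-activity audit-trail entries against an
approved-access register. The log format, field names, register contents and
business-hours window below are constructed for illustration only."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail (key=value lines; not any real product's format).
SAMPLE_AUDIT_TRAIL = """\
2024-03-04T09:12:01 user=ops_alice priv=DBA action=ALTER_TABLE target=core_ledger ticket=CHG-1042
2024-03-04T22:47:13 user=ops_alice priv=DBA action=SELECT target=customer_pii ticket=-
2024-03-04T10:05:44 user=teller_bob priv=TELLER action=POST_TXN target=branch_017 ticket=-
2024-03-04T10:06:10 user=teller_bob priv=SYSADMIN action=ADD_USER target=core_banking ticket=-
2024-03-05T03:15:00 user=svc_backup priv=BACKUP action=DUMP target=core_ledger ticket=-
"""

# Constructed approved-access register: privileges each user is approved to hold.
APPROVED_ACCESS = {
    "ops_alice": {"DBA"},
    "teller_bob": {"TELLER"},
    "svc_backup": {"BACKUP"},
}
# Constructed rule: these actions are only approved under a change ticket.
TICKET_REQUIRED = {
    "DBA": {"ALTER_TABLE", "DROP_TABLE", "GRANT"},
    "SYSADMIN": {"ADD_USER", "DEL_USER"},
}
# Constructed business-hours window [start, end) for interactive (non-service) accounts.
ACCESS_WINDOW = (8, 20)
SERVICE_ACCOUNT_PREFIX = "svc_"  # assumption: service accounts are named svc_*


@dataclass
class Finding:
    line_no: int
    user: str
    issue: str


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review_audit_trail(text, register=APPROVED_ACCESS):
    """Return a Finding for every entry whose privilege use is not covered by
    the register, lacks a required change ticket, or falls outside the window."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        user, priv, action = rec["user"], rec["priv"], rec["action"]
        allowed = register.get(user)
        if allowed is None:
            findings.append(Finding(line_no, user, "user not in approved-access register"))
            continue
        if priv not in allowed:
            findings.append(Finding(line_no, user, f"privilege {priv} not approved for user"))
        if action in TICKET_REQUIRED.get(priv, set()) and rec.get("ticket", "-") == "-":
            findings.append(Finding(line_no, user,
                                    f"{action} under {priv} without approved change ticket"))
        # Service accounts run scheduled jobs at any hour; interactive users should not.
        hour = rec["ts"].hour
        if not user.startswith(SERVICE_ACCOUNT_PREFIX) and not (ACCESS_WINDOW[0] <= hour < ACCESS_WINDOW[1]):
            findings.append(Finding(line_no, user,
                                    f"activity at {rec['ts'].time()} outside approved window"))
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_AUDIT_TRAIL):
        print(f"line {f.line_no}: {f.user}: {f.issue}")
```

On the constructed sample this reports three findings: the after-hours DBA read of customer data on line 2, and two on line 4 (an unapproved SYSADMIN privilege and a user creation with no change ticket). In a real engagement the register would come from the bank's access-approval records and the ticket list from its change-management system, which is exactly why the planning section insists those documents be handed over in writing before fieldwork starts.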

Appendices (Bibliography & other References.)


IT SECURITY AND INFORMATION SYSTEM AUDIT IN BANKS by Mohammad Ziaullah Khan  - June 17, 2017
