Professional Documents
Culture Documents
ALM Functioning
Dear Sir,
1 We have conducted a forensic audit of the “ALM” software for ALM and
Basel reporting installed at Mumbai branch of Fictional Bank Limited. The
scope of the forensic audit was to examine the functionality of the software
and review the MIS provided and specify whether the software has been
implemented in a way to minimise fraud and misreporting to Reserve Bank of
India and other regulators.
2 The report is based on all information and explanations received by us, which
to the best of our knowledge and belief were original and authentic. In this
connection the following may please be noted.
2.1 The audit was focused on the software and the ancillary system it uses
and not the overall IT system being used by the client.
2.2 Our observations on implementation quality and fraud risk are based on
the terms of user license agreement, statutory requirement, our domain
expertise of ALM and Basel compliance, and software operation as on the
days of audit.
2.3 Our comments on fraud risk of system functioning are based on the
industry best practices checklist and our observation made during the
days of audit.
3 Our observations during the forensic audit have been detailed in the annexure
to the report and it forms a part of the audit report.
Place: Kolkata
We carried out forensic audit of ALM software as installed at the Mumbai branch
of Fictional Bank. The major findings of the audit are stated below:
1. The software has not been fully implemented and there are modules which
have not gone through user acceptance test, thus remaining exposed to
fraud.
2. Majority of the reports examined by us are defined by the user and there
are no checks to ensure logical or arithmetical accuracy of the report. For
example asset items can be included under liability head and balance sheet
is generated with mismatched total of asset and liability side.
3. A large number of regulatory reports are computed manually for
submission to regulatory authorities. It is to be noted that the Reserve
Bank of India has been insistent that regulatory reports should not have
manual intervention.
4. Most of the Basel II compliance reports are incomplete or erroneous.
Credit risk computation involves manual classification as these are not
generated from the Misys system. Ginni co-efficient provides a negative
value, which though theoretically possible, is not the case with the branch.
5. The vendor reported that the errors and inefficiencies are primarily caused
by improper General Ledger classification. We feel that this can be
partially responsible for erroneous report but does not justify inadequate
implementation of the software.
6. We suggest that the vendor be asked to provide a list of data they want to
be available from the core banking system so that the bank may review
these requirements to see if it is possible to incorporate them in the existing
system. It may be noted that the business volume of the branch is so low
that there should not be any major operational difficulty in achieving this
unless there are some restrictions related to the core banking system.
Annexure I
(Refer Pt. 3 of Audit Report)
FORENSIC AUDIT OBSERVATIONS
1. Data Integrity
1.1. There is no provision of maker-checker control in the software. Single
user can post a transaction. Though in case of generation of reports,
this may be acceptable but it has serious implications in case of
defining the parameters and content of reports and administrative
functions like adding, modifying or deleting a user.
1.2. The format including content of the reports can be modified by a user
and no copy of the old structure remains in the system. Consequently,
if a report is generated for a date earlier than the date of modification
of the format, the report will be generated in the new format. Hence,
this copy of the report will not agree with the same report that was
generated before these modifications were carried out.
1.3. There is no separate test bed and all modifications are carried on the
production server directly. This can seriously compromise integrity of
the system.
2. Consistent Data Definition
2.1. A change at the general ledger level is not reflected automatically in
the report. Additionally if one report is mapped to the new general
ledger, other related reports do not automatically get updated.
Consequently each report has to be changed for every change in
general ledger structure or change in definition.
2.2. Necessity of changing every report can cause generation of redundant
and misleading reports. See paragraph 7 for example.
2.3. We did not find any approved standardised settings for parameters of
various reports. Thus similar reports may use different parameters and
generate different values against same item of report. Parameters for the
reports are set and reset by individual users. There is no procedure for
7. BSR 4 Report
7.1. The total of deposit amount is not matching with the balance sheet
data. Figure 4 shows the BSR4 report of 30th June 2013 with deposit
value ₹795148 (000). However the monthly business position report
prepared by the bank for submission to Reserve Bank of India shows a
deposit value of ₹882085 (000) for the same date. This is seen in figure
5 overleaf. Value of deposit reported in structural liquidity report of
even date is ₹230199730.50 as may be seen in figure 6 overleaf.
9. CRR Report
9.1. It is possible to define CRR as negative percentage and the system
computes CRR requirement using this value. There is distinct lack of
integrity check across the software.
9.2. The CRR report mapping can be changed by the user, report
generated, and then erstwhile mapping restored.
10. Cash Transaction Report (CTR)
10.1. The threshold value can be defined by the report user and report
generated. This value should ideally be under the control of
administrator and user should not have any access to the same.
11.3. The same report for 30th June 2013 shows no movement against the
same item, which is quite unusual. This is shown in figure 10.
12.2. Further, the system computed the report using the erroneous value
including the negative value as may be seen from Figure 12 below:
12.5. NPA codes are to be entered manually. During the audit we observed
that the total of advances included in ALM report did not agree with
the balance as per Misys. However upon entering of the missing code,
the balance agreed.
13. Investment report
13.1. No report is being generated. As confirmed by the vendor this report is
yet to be implemented.
14. Minimum balance report
14.1. This report includes accounts that are closed and with zero balance.
Computation of average balance is incorrect as the system inexplicably
excludes some Sundays while computing the number of days. It can be
seen from figure 14 overleaf that 2nd June, 2013 has been excluded
from computation and consequently despite having a balance of 8 all
along the average is 7.733
21.3. Lorenz curve shown in figure 17 does not properly display the
cumulative distribution reported under top counter party report.
21.7. In the report for top counterparty concentration the report identifies
another branch of Fictional Bank as the top counterparty. Considering
Fictional Bank, Mumbai Branch as a separate entity, this may be a
correct accounting treatment. However using this as a separate entity
to identify credit concentration in open to dispute, esp. when the same
may not constitute an item of external exposure. This report can be
seen in figure 21.
23.3. However in the Structural Liquidity Statement generated for the same
date using the same time bucket shows figures against Day 1 as may
be seen in figure 23.
Figure 25: Popup claims ETL is not available whereas it was done for the date.
List of Figures