
Sample Forensic Audit Report I

ALM Functioning

Private and Confidential

1st March, 2021


Mr. John Doe
Managing Director
Fictional Bank Limited

Dear Sir,

Sub: Forensic Audit Report of ALM System

1 We have conducted a forensic audit of the “ALM” software for ALM and
Basel reporting installed at the Mumbai branch of Fictional Bank Limited. The
scope of the forensic audit was to examine the functionality of the software,
review the MIS provided, and state whether the software has been
implemented in a way that minimises fraud and misreporting to the Reserve Bank
of India and other regulators.

2 The report is based on all information and explanations received by us, which
to the best of our knowledge and belief were original and authentic. In this
connection the following may please be noted.

2.1 The audit was focused on the software and the ancillary system it uses
and not the overall IT system being used by the client.

2.2 Our observations on implementation quality and fraud risk are based on
the terms of the user licence agreement, statutory requirements, our domain
expertise in ALM and Basel compliance, and the operation of the software on
the days of audit.

2.3 Our comments on the fraud risk of system functioning are based on the
industry best practices checklist and our observations made during the
days of audit.

Prepared by: Arif Ahmed; MRN 055041


2.4 The software function was reviewed on site by a team of three auditors on
January 18th and 19th, 2021.

3 Our observations during the forensic audit have been detailed in the annexure
to the report and it forms a part of the audit report.

4 In our opinion, based on the information provided, explanations given,
and evidence found and evaluated by us, and as described in paragraph number 3
of our audit report, the ALM software and the related environment do not
maintain data and system integrity, do not provide relevant and reliable
information, do not consume human and system resources efficiently, do not
achieve information system goals effectively, do not meet operational
requirements, do not address control objectives securely, and carry a high
degree of fraud risk.

Signed in terms of our audit report of the even date,

For Chartered Accountants

Date: 1st March 2021 Arif Ahmed

Place: Kolkata

Private and Confidential; Not for circulation



EXECUTIVE SUMMARY

We carried out a forensic audit of the ALM software as installed at the Mumbai
branch of Fictional Bank. The major findings of the audit are stated below:

1. The software has not been fully implemented and there are modules which
have not gone through user acceptance testing, thus remaining exposed to
fraud.
2. The majority of the reports examined by us are defined by the user and there
are no checks to ensure the logical or arithmetical accuracy of the report. For
example, asset items can be included under a liability head and a balance
sheet is generated with mismatched asset and liability totals.
3. A large number of regulatory reports are computed manually for
submission to regulatory authorities. It is to be noted that the Reserve
Bank of India has been insistent that regulatory reports should not involve
manual intervention.
4. Most of the Basel II compliance reports are incomplete or erroneous.
Credit risk computation involves manual classification as these are not
generated from the Misys system. The Gini coefficient is reported with a
negative value, which, though theoretically possible, is not the case with
the branch.
5. The vendor reported that the errors and inefficiencies are primarily caused
by improper General Ledger classification. We feel that this may be
partially responsible for erroneous reports but does not justify inadequate
implementation of the software.
6. We suggest that the vendor be asked to provide a list of the data they
require from the core banking system so that the bank may review
these requirements and see whether they can be incorporated in the existing
system. It may be noted that the business volume of the branch is so low
that there should not be any major operational difficulty in achieving this
unless there are restrictions related to the core banking system.




Annexure I
(Refer Pt. 3 of Audit Report)
FORENSIC AUDIT OBSERVATIONS

1. Data Integrity
1.1. There is no provision for maker-checker control in the software. A single
user can post a transaction. While this may be acceptable for the
generation of reports, it has serious implications for defining the
parameters and content of reports and for administrative functions such
as adding, modifying or deleting a user.
1.2. The format including content of the reports can be modified by a user
and no copy of the old structure remains in the system. Consequently,
if a report is generated for a date earlier than the date of modification
of the format, the report will be generated in the new format. Hence,
this copy of the report will not agree with the same report that was
generated before these modifications were carried out.
1.3. There is no separate test bed and all modifications are carried out on the
production server directly. This can seriously compromise the integrity of
the system.
2. Consistent Data Definition
2.1. A change at the general ledger level is not reflected automatically in
the report. Additionally, if one report is mapped to the new general
ledger, other related reports do not automatically get updated.
Consequently each report has to be changed for every change in the
general ledger structure or change in definition.
2.2. The need to change every report can lead to the generation of redundant
and misleading reports. See paragraph 7 for an example.
2.3. We did not find any approved standardised settings for the parameters of
the various reports. Thus similar reports may use different parameters and
generate different values against the same item of a report. Parameters for
the reports are set and reset by individual users. There is no procedure for
documenting changes of parameters, the name of the person changing them,
and the reasons for such changes.
3. Inefficient Resource Consumption
3.1. The current installation requires multiple entries of the same data to
generate various reports from the same dataset, leading to wastage of
executive time. Some formats and contents print unnecessary and
redundant information, leading to wastage of stationery in addition to
inconvenient report handling.
3.2. Currently all system reports are being validated manually, leading to
additional executive time and inefficient practice.
4. Audit Trail
4.1. The audit trail to log system operation was not active; consequently
we cannot comment on the functioning of the same.
4.2. However, in the case of the extract, transform and load (ETL) module, an
audit trail was available for the last 30 days and not earlier.
4.3. The vendors acknowledged that audit trail triggers have not been
deployed in the installation. These triggers cause an audit trail of
specified functions to be maintained.
5. BRPD Asset Report
5.1. There is no integrity check carried out on the format of the report by
the system. During the test, a liability item was included on the asset
side and the system accepted the entry.
5.2. Further, in the report generated this item was reported as an asset at a
positive value. It may be noted that in cases where the user demands
flexibility in grouping items of the report as assets and liabilities, the
system should prefix a negative sign whenever items of the asset or
liability group are reported under the other head.
5.3. The arithmetical treatment of any item of the report is to be defined by
the user. For example, the user has to define which items are to be added
or subtracted to arrive at a total value. Thus the report is virtually
relegated to a spreadsheet with automated data retrieval. This
significantly increases the threat of misreporting.



6. Balance Sheet Summary
6.1. The heading for the balance sheet should be “For a date” instead of “From
date to date”. All figures are reported with four digits after the decimal
point.
6.2. Any head of asset or liability can be inserted multiple times in the
format and the report is generated including those multiple items. It
may be observed in figure 1 that “Central Bank of India” appears
twice in the same report.

Figure 1: Duplication of same ledger head

6.3. When an asset item is selected as a liability, the corresponding value in
the report is zero. The item is also excluded from the liability side. The
system does not check whether the totals of assets and liabilities agree. It is
possible to generate a report with different values for assets and
liabilities. This may be seen in figure 2 below.

Figure 2: Mismatch of Balance Sheet total



6.4. If the period defined includes a month end between the starting and
closing date, the system generates report with blank values as may be
seen in figure 3.

Figure 3: Blank report generated with in-period month end
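The integrity checks that observations 5.1 to 5.3, 6.2 and 6.3 describe as missing can be stated as a short validation routine. The following is an added example written for this report and is not code from the ALM software or its vendor; the ledger heads, the natural-side catalogue and the amounts are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed catalogue of general ledger heads and the side each naturally
# belongs to. A real installation would read this from the GL master.
NATURAL_SIDE = {
    "Cash in hand": "asset",
    "Balances with Central Bank of India": "asset",
    "Loans and advances": "asset",
    "Deposits": "liability",
    "Borrowings": "liability",
    "Capital and reserves": "liability",
}


@dataclass(frozen=True)
class ReportLine:
    head: str      # GL head chosen by the report designer
    side: str      # side the designer placed it under: "asset" or "liability"
    amount: float  # balance as held in the GL, always a positive figure


class FormatError(ValueError):
    """Raised when the user-defined report format fails an integrity check."""


def validate_format(lines):
    # Unknown heads, invalid sides and duplicated heads (observation 6.2) are
    # rejected before any figure is computed.
    seen = set()
    for ln in lines:
        if ln.head not in NATURAL_SIDE:
            raise FormatError(f"unknown ledger head: {ln.head!r}")
        if ln.side not in ("asset", "liability"):
            raise FormatError(f"invalid side {ln.side!r} for {ln.head!r}")
        if ln.head in seen:
            raise FormatError(f"ledger head appears twice: {ln.head!r}")
        seen.add(ln.head)


def signed_amount(ln):
    # Observation 5.2: a head grouped under the other side keeps its value but
    # carries a negative sign, instead of being shown positive (5.2) or as
    # zero (6.3).
    return ln.amount if NATURAL_SIDE[ln.head] == ln.side else -ln.amount


def audited_totals(lines):
    # What the audited software did: add up every figure under the side it
    # was placed, with no sign convention and no reconciliation of the sides.
    totals = {"asset": 0.0, "liability": 0.0}
    for ln in lines:
        totals[ln.side] += ln.amount
    return totals


def build_balance_sheet(lines, tolerance=0.005):
    # Validate the format, apply the sign convention, then refuse to emit a
    # report whose two sides do not agree (observation 6.3).
    validate_format(lines)
    totals = {"asset": 0.0, "liability": 0.0}
    rows = []
    for ln in lines:
        value = signed_amount(ln)
        rows.append((ln.side, ln.head, value))
        totals[ln.side] += value
    difference = totals["asset"] - totals["liability"]
    if abs(difference) > tolerance:
        raise FormatError(f"assets and liabilities differ by {difference:.2f}")
    return rows, totals
```

With the sign convention a misplaced head still balances, so the reconciliation check only fires on a genuine error in the figures.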

7. BSR 4 Report
7.1. The total deposit amount does not match the balance sheet
data. Figure 4 shows the BSR 4 report of 30th June 2013 with a deposit
value of ₹795148 (000). However, the monthly business position report
prepared by the bank for submission to the Reserve Bank of India shows a
deposit value of ₹882085 (000) for the same date. This is seen in figure
5 overleaf. The value of deposits reported in the structural liquidity report
of even date is ₹230199730.50, as may be seen in figure 6 overleaf.

Figure 4: BSR 4: Different value for deposit




Figure 5: Different value for deposit in monthly business position report

Figure 6: Mismatch in deposit value in structural liquidity report



8. BSR 2 Report
8.1. The report is generated by manually identifying the depositors to be
included against a specific criterion of the report. There is no system
based validation to ensure that all depositors have been included.
Figure 7 below shows the system of selecting against various
classification parameters.

Figure 7: Option for flexible parameter setting

9. CRR Report
9.1. It is possible to define CRR as a negative percentage and the system
computes the CRR requirement using this value. There is a distinct lack of
integrity checks across the software.
9.2. The CRR report mapping can be changed by the user, a report
generated, and the earlier mapping then restored.
10. Cash Transaction Report (CTR)
10.1. The threshold value can be defined by the report user and a report
generated. This value should be under the control of the
administrator, and the user should not have any access to it.



10.2. Reserve Bank of India (FIU) requires consideration of both deposits
and withdrawals, whereas the report considers only deposits. Further
transactions within the bank are to be excluded from the scope of the
report, which is not provided for in the software.
10.3. Requirement of income tax department (AIR) is reporting the
aggregate of all cash deposits in the savings account for the year. The
report includes accounts even when the total cash deposit in the
savings account is below the limit specified by the user as may be seen
from figure 8.

Figure 8: Erroneous AIR

11. Dynamic Liquidity:
11.1. The bucketing requirement prescribed by Reserve Bank of India has
not been followed in the report template. There is a requirement of
buckets for next day, 2-7 and 8-14 days which are missing here.
11.2. The report dated 15th June 2013 displayed in figure 9 overleaf shows
an increase in non-sensitive loans and advances. It is unclear how a
bank would have loans and advances that are insensitive to interest
rate changes.




Figure 9: Existence of non-sensitive loans and advances

11.3. The same report for 30th June 2013 shows no movement against the
same item, which is quite unusual. This is shown in figure 10.

Figure 10: No movement in non-sensitive column

11.4. There was no printing format defined for this report.



12. Structural Liquidity Statement
12.1. It was possible to define any value for the distribution of the savings
bank balance across time brackets. The system did not prevent us from
entering a negative value, or values where the total of the shares across
time brackets exceeds 100. Further, the system allowed us to have duplicate
time bands. Figure 11 below evidences these events.

Figure 11: No control for input validation

12.2. Further, the system computed the report using the erroneous value
including the negative value as may be seen from Figure 12 below:

Figure 12: Erroneous computation using negative value



12.3. We observed that when we changed the values of the period parameter the
altered values were not displayed immediately, although they were
being used for the report. The correct values were displayed as
soon as we flushed the history from the browser. There appears to be
a refresh error for this report.
12.4. Once an advance is marked as non-performing, the entire balance is
shown as due on day 1. This is evident in figure 13 shown below.

Figure 13: All NPA accounted for in Day 1

12.5. NPA codes are to be entered manually. During the audit we observed
that the total of advances included in the ALM report did not agree with
the balance as per Misys. However, upon entering the missing code,
the balance agreed.
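The input validation that observations 12.1 and 12.2 (time bucket shares) and 9.1 (negative CRR) show to be absent can be enforced before any report is computed. The following is an added example written for this report, not code from the ALM software; the band labels, day ranges and shares are constructed, and the hypothetical `ParameterError` is the rejection the system should have produced.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeBand:
    label: str        # e.g. "2-7 days"
    first_day: int    # inclusive, counted from the reporting date
    last_day: int     # inclusive
    share_pct: float  # share of the savings bank balance placed in this band


class ParameterError(ValueError):
    """Raised for a parameter set that must be refused at entry time."""


def validate_bands(bands, tolerance=0.01):
    # Observation 12.1: negative shares, shares that do not total 100,
    # duplicate bands and overlapping day ranges are all rejected.
    if not bands:
        raise ParameterError("no time bands defined")
    labels = set()
    covered = []
    for band in bands:
        if band.share_pct < 0:
            raise ParameterError(f"negative share {band.share_pct} in band {band.label!r}")
        if band.first_day < 1 or band.last_day < band.first_day:
            raise ParameterError(f"invalid day range in band {band.label!r}")
        if band.label in labels:
            raise ParameterError(f"duplicate time band {band.label!r}")
        labels.add(band.label)
        for lo, hi in covered:
            if band.first_day <= hi and lo <= band.last_day:
                raise ParameterError(f"band {band.label!r} overlaps an earlier band")
        covered.append((band.first_day, band.last_day))
    total = sum(band.share_pct for band in bands)
    if abs(total - 100.0) > tolerance:
        raise ParameterError(f"shares total {total:.2f}%, expected 100%")


def distribute_savings_balance(balance, bands):
    # Observation 12.2: the report is computed only from a validated
    # parameter set, so an erroneous share can never reach the figures.
    validate_bands(bands)
    return {band.label: round(balance * band.share_pct / 100.0, 2) for band in bands}


def crr_requirement(ndtl, crr_pct):
    # Observation 9.1: the reserve ratio is a percentage and must lie in 0..100.
    if not 0.0 <= crr_pct <= 100.0:
        raise ParameterError(f"CRR of {crr_pct}% is outside 0-100")
    return round(ndtl * crr_pct / 100.0, 2)
```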
13. Investment report
13.1. No report is being generated. As confirmed by the vendor this report is
yet to be implemented.
14. Minimum balance report
14.1. This report includes accounts that are closed and with zero balance.
Computation of the average balance is incorrect as the system inexplicably
excludes some Sundays while computing the number of days. It can be
seen from figure 14 overleaf that 2nd June, 2013 has been excluded
from the computation and consequently, despite a balance of 8 being held
throughout, the average is 7.733.



14.2. If any account is closed within a period, the average computation
continues to use the total number of days as the denominator.

Figure 14: All days of month not considered
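Observations 14.1 and 14.2 can be reproduced and corrected with a day-by-day replay of the account. The following is an added example written for this report, not code from the ALM software; the movement list is constructed, and the rule that a closed account is averaged over the days it was open within the period is the treatment assumed here.

```python
from datetime import date, timedelta


def calendar_days(start, end):
    # Every calendar day in the period, Sundays included (observation 14.1).
    day = start
    while day <= end:
        yield day
        day += timedelta(days=1)


def end_of_day_balances(period_start, period_end, opening_balance, movements, closed_on=None):
    # Constructed ledger replay: `movements` maps a date to that day's net
    # credit (+) or debit (-). Days after closure are not part of the series.
    balance = opening_balance
    series = {}
    for day in calendar_days(period_start, period_end):
        if closed_on is not None and day > closed_on:
            break
        balance += movements.get(day, 0.0)
        series[day] = balance
    return series


def average_balance(series):
    # Denominator is the number of days the account actually existed in the
    # period, so an account closed mid-month is not diluted (observation 14.2).
    if not series:
        raise ValueError("account had no open days in the period")
    return round(sum(series.values()) / len(series), 3)


def audited_average(series, period_days, skipped_days=()):
    # Reproduces the two defects observed: days dropped from the numerator
    # (14.1) while the full period length stays in the denominator (14.2).
    kept = [v for d, v in series.items() if d not in skipped_days]
    return round(sum(kept) / period_days, 3)
```

For June 2013 with a constant balance of 8, dropping Sunday 2nd June from the numerator but keeping 30 days in the denominator gives exactly the 7.733 shown in figure 14.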

15. DBS 1 Report:
15.1. This report is incomplete and does not populate figures for all
elements included in the report, especially off balance sheet items.
15.2. The problem of not including off balance sheet items persisted even after
these were mapped in the report structure.
16. Monthly Business Position report
16.1. This report states that the values are in “Lacs” where the user has
asked for values in “Thousands”. The error can be seen in Figure 15.




Figure 15: Error in description of amounts

17. Basel II Compliance Reports
17.1. The vendor admitted that no user acceptance testing was done for these
reports. During the audit we observed numerous computational,
presentation, and conceptual errors in the reports.
18. Credit Risk Reports
18.1. The limit data for report is entered manually and not uploaded
automatically. Thus the report can be generated using limit values
defined by the user.
18.2. In view of the fact that the user has absolute control over the
parameters, the misreporting risk is extremely high.
18.3. The value of collateral is drawn from a Misys table which is not
populated completely. No report providing the list of collateral could
be generated from the system for verification.
19. Operational Risk
19.1. The chart showing the capital computation for operational risk uses the
legend “Total Risk Weighted Assets”, an irrelevant description of the
elements required to compute capital for operational risk.
19.2. The report also provides a value for one month only.



20. Scenario Test
20.1. The software permitted us to go ahead with reporting when we
reduced current asset by 50% and marked it for redeposit but did not
specify where the redeposit is being made.
21. Concentration Risk
21.1. The system shows the measure for concentration risk but does not
relate it to the computation of capital for the specific risk. This module
is being used to compute credit risk under various scenarios,
altered distribution of credit being one of them.
21.2. The Gini coefficient shows a value of -0.62 in figure 16 though it is
expected to remain between 0 and 1.

Figure 16: Gini Coefficient reporting wrong value

21.3. Lorenz curve shown in figure 17 does not properly display the
cumulative distribution reported under top counter party report.




Figure 17: Incorrect graphical presentation of Lorenz curve

21.4. The report of large credits to individual borrowers in excess of 15% of
regulatory capital, with a minimum of the 20 largest borrowers, has not
been populated, as can be seen in figure 18.

Figure 18: No data generated for individual borrower

21.5. The graphical representation of party-wise concentration of credit
generated from the dashboard adds up to more than 100, as may be
observed in figure 19 overleaf.




Figure 19: Total percentage exceeds 100

21.6. In the counterparty-wise exposure report, the percentage distribution is
computed based on the credit exposures included in the report and not the
total credit exposure of the branch. This is evident from the screen shots
shown in figure 20.

Figure 20: Erroneous computation of percentage




21.7. In the report for top counterparty concentration the report identifies
another branch of Fictional Bank as the top counterparty. Considering
Fictional Bank, Mumbai Branch as a separate entity, this may be a
correct accounting treatment. However, using this as a separate entity
to identify credit concentration is open to dispute, especially when the same
may not constitute an item of external exposure. This report can be
seen in figure 21.

Figure 21: Branch being recognised as counter party
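The concentration measures in observations 21.2, 21.3, 21.5, 21.6 and 21.7 can be computed in a way that makes the reported defects impossible: shares are taken against the branch total, intra-bank branches are excluded, and the Gini coefficient is derived from the Lorenz curve so it stays within 0 and 1. The following is an added example written for this report, not code from the ALM software; the counterparty book is constructed.

```python
def external_exposures(book, internal_counterparties):
    # Observation 21.7: other branches of the same bank are not external
    # counterparties for concentration purposes and are left out.
    return {cp: amt for cp, amt in book.items() if cp not in internal_counterparties}


def counterparty_shares(exposures, top_n):
    # Observations 21.5 and 21.6: each share is taken against the total credit
    # exposure of the branch, not against the rows shown, so the shares of
    # any subset can never add up to more than 100.
    total = sum(exposures.values())
    if total <= 0:
        raise ValueError("no exposure to distribute")
    ranked = sorted(exposures.items(), key=lambda kv: kv[1], reverse=True)
    return [(cp, amt, round(100.0 * amt / total, 2)) for cp, amt in ranked[:top_n]]


def shares_as_audited(exposures, top_n):
    # The computation observed in 21.6: denominator is only the rows included
    # in the report, so the top rows always appear to hold 100% between them.
    ranked = sorted(exposures.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    subset_total = sum(amt for _, amt in ranked)
    return [(cp, amt, round(100.0 * amt / subset_total, 2)) for cp, amt in ranked]


def lorenz_points(exposures):
    # Observation 21.3: cumulative share of counterparties (x) against
    # cumulative share of exposure (y), counterparties sorted smallest first.
    amounts = sorted(exposures.values())
    if not amounts or any(a < 0 for a in amounts) or sum(amounts) <= 0:
        raise ValueError("exposures must be non-negative with a positive total")
    n, total = len(amounts), sum(amounts)
    points, running = [(0.0, 0.0)], 0.0
    for i, amt in enumerate(amounts, start=1):
        running += amt
        points.append((i / n, running / total))
    return points


def gini(exposures):
    # Observation 21.2: Gini = 1 - 2 * (area under the Lorenz curve), which is
    # 0 for equal exposures and approaches 1 for one dominant borrower.
    points = lorenz_points(exposures)
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0  # trapezoid rule
    value = 1.0 - 2.0 * area
    if value < -1e-9 or value > 1.0 + 1e-9:
        raise ValueError(f"Gini {value} outside [0, 1]: check the input data")
    return round(min(max(value, 0.0), 1.0), 4)
```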

22. Liquidity Risk
22.1. This module is not present in the installed version of the system.
23. Liquidity Stress Test
23.1. The off balance sheet items are not mapped in the report.
23.2. This report is not generated properly. When we generated the report
for a Saturday, it did not consider the Sunday as Day 1 and populated
the values from Day 2 onwards for the liability side. Figure 22
below is a screen shot of a report generated for Sunday, 30th June 2013
showing zero values against day 1.




Figure 22: Liquidity stress report Day 1 liability values as zero

23.3. However, the Structural Liquidity Statement generated for the same
date using the same time bucket shows figures against Day 1, as may
be seen in figure 23.

Figure 23: Day 1 figures in Structural Liquidity report



24. Market Risk
24.1. This module is not present in the installed version of the system.
25. No Frill Account Report
25.1. This report is not being generated correctly. The report states that the
numbers are in “Thousands” whereas the number of no frill accounts
is only 12. Figure 24 shows a sample of the report.

Figure 24: Erroneous no frill account report

26. Data Import:
26.1. The system did not generate the report for industry concentration risk
for 31st March 2013, citing that ETL had not been run for the date, as
may be seen from figure 25. However, other reports for the date could
be generated. If the error refers to a specific type of data, the same
should be identified clearly.

Figure 25: Popup claims ETL is not available whereas it was done for the date.




27. Access Control - User Maintenance:
27.1. The user maintenance system is vulnerable to exploitation. A new user can
be created, modified and deleted by a single person. Similarly, access
rights modifications and similar alterations can be made by a single
individual.
27.2. There is no formal methodology that maintains records of creation of
user, time of creation, purpose of creation, etc.
27.3. Presently there are 19 active users in the system. These include present
users at the Mumbai branch, vendor accounts, ids of some users from
other branches, and some test ids.
27.4. After creation of user-id, there is no documentation of creation of the
id by the creator and acceptance of the same by the user.
27.5. When there is any problem in access by the user like being locked out
because of unsuccessful login attempt, IT department resets the
password. No documentation for the same is maintained. The system
does not generate any report of the unsuccessful logins and
consequently these are not reviewed.
27.6. Users have not been advised on procedures for password maintenance.
Telephonic sharing of password was noticed during the audit.
27.7. As informed, the user-ids used in the risk calculator and in Windows are
the same as the user-id in Misys.
28. Access Control - Policies and Audit:
28.1. Documentation with a clear statement of access control requirements
for users and service providers has not been prepared.
28.2. The IT administrator has all transaction accesses in the system and can
also add, modify and delete all report parameters.
28.3. RealVNC is running all the time, although specific permission is required
before users are allowed remote login.
28.4. Access logs with a complete history for a defined period are not being
generated by the system, and thus there is no review of accesses made
and no identification of unauthorised accesses. In particular, if
one deletes a row from a report, no audit log is available for the same.
28.5. The software should be reviewed to ensure that security policies of the
bank are adhered to.
28.6. Access to the SQL prompt was available to the vendor and no record
of reason for access, time, purpose and activity performed using SQL
is being maintained.
28.7. The system does not maintain any password history.
29. Problem Management
29.1. No formal problem register is being maintained which would give
details of date of the problem, date of the reporting, date of attending
to it, date of resolution and how the problem was solved.
29.2. No vendor maintenance logs are maintained.
29.3. No summarised problem report is available for senior management
highlighting the problem type and category, the number of occurrences
in each category, the percentage of resolved and unresolved problems,
the actual time elapsed in resolving problems as compared to the
standard, the number of days a problem was open, and the cost to
correct each problem.
30. Suggestions
30.1. The vendor has claimed that the new version of the software has
already taken care of some of the problems observed in the installed
version. These problems that have been taken care of by the new
version should be specified and marked for compliance testing.
30.2. The vendor may be requested to define the data requirement for
generating the reports directly from the data drawn from the core
banking system. After receiving the specification, the bank should
examine the feasibility of accommodating such data in the existing
system. In case that is not feasible, a workaround should be identified
that will merge these additional data at the ETL stage.



30.3. The vendor has asserted that some of the errors arise because of
inefficient GL mapping and codes. These may be specified by the
vendor and, if necessary, the GL codes may be reviewed and updated.
30.4. All reports should go through critical user acceptance testing.
30.5. Reports compliant with the requirements of the Reserve Bank of India, as
identified in the licence agreement, are mostly available but are
generally erroneous in content, as the examples cited in this report
bear out. Consequently these reports are validated manually before
submission to statutory authorities to prevent misreporting. Other
reports for compliance are being generated manually.




List of Figures (page numbers refer to the continuation sheets of the original report)

Figure 1: Duplication of same ledger head (p. 6)
Figure 2: Mismatch of Balance Sheet total (p. 6)
Figure 3: Blank report generated with in-period month end (p. 7)
Figure 4: BSR 4: Different value for deposit (p. 7)
Figure 5: Different value for deposit in monthly business position report (p. 8)
Figure 6: Mismatch in deposit value in structural liquidity report (p. 8)
Figure 7: Option for flexible parameter setting (p. 9)
Figure 8: Erroneous AIR (p. 10)
Figure 9: Existence of non-sensitive loans and advances (p. 11)
Figure 10: No movement in non-sensitive column (p. 11)
Figure 11: No control for input validation (p. 12)
Figure 12: Erroneous computation using negative value (p. 12)
Figure 13: All NPA accounted for in Day 1 (p. 13)
Figure 14: All days of month not considered (p. 14)
Figure 15: Error in description of amounts (p. 15)
Figure 16: Gini Coefficient reporting wrong value (p. 16)
Figure 17: Incorrect graphical presentation of Lorenz curve (p. 17)
Figure 18: No data generated for individual borrower (p. 17)
Figure 19: Total percentage exceeds 100 (p. 18)
Figure 20: Erroneous computation of percentage (p. 18)
Figure 21: Branch being recognised as counter party (p. 19)
Figure 22: Liquidity stress report Day 1 liability values as zero (p. 20)
Figure 23: Day 1 figures in Structural Liquidity report (p. 20)
Figure 24: Erroneous no frill account report (p. 21)
Figure 25: Popup claims ETL is not available whereas it was done for the date (p. 21)

