
Audit Plan

Audit Purpose
The purpose of this audit engagement is to conduct an information system audit of ABC Bank’s Data
Centre.

Scope
For this audit engagement, specific focus has been given to cover Infrastructure Audit and Access
Control System (Physical & Logical).

Objective
To gather and evaluate adequate and relevant audit evidence required to form an audit opinion on
the reliability of the information systems of ABC Bank.

Audit Methodology
We will be conducting our audit in accordance with the Information System Audit Standards issued by
ICAI, IS Auditing Standards and Guidelines issued by ISACA, RBI Notifications, Circulars and
guidelines covering Information Systems Audit of Banks and other best practices.
We will use various CAATs for Exception Identification, Control Analysis, Error Identification,
Statistical Sampling, Fraud detection, Completeness of data, etc.
We propose to deploy a core team of 3 IS Audit personnel under the personal direction and liaison
of the Audit Leader.

Audit Dates
The audit will be conducted from 01/01/22 to 31/03/22.

Audit Team
The audit team consists of CA G, Audit Leader, and his Associates CA X, CA Y and CA Z.

Key Personnel
ABC Bank has designated Mr. D, Audit Committee Chairperson, as the Key Personnel of the Bank to
co-ordinate with us.

Audit Agenda
Our detailed Audit Plan is as follows:
1. Review of Bank’s business strategy, policies and statements
2. Review of Bank’s IT Policy
3. Review of Bank’s Information Security Policy
4. Review of bank’s internal control documentations
5. Review of SLAs and commercial agreements with technology vendors
6. Review of Internal Auditor’s reports for previous 4 quarters
7. Review of Management’s Risk Assessment documentations
8. Discussions with the IT department and user management
9. Discussions with Internal Audit Team
10. Review of Circulars issued by ABC Ltd relating to IT operations
11. Review of Environmental Access and Physical Access controls
12. Examination of processing controls using test data

Audit Report

Objective of the Assignment

The primary objective of this Information Systems Audit assignment was to provide assurance to the
management of ABC Bank regarding their Data Centre, with the specific goal of covering infrastructure
audit and the access control system (Physical & logical).

Scope of Review

Based on an understanding of ABC's needs for conducting a systems audit of the Data Centre, it was
decided to focus primarily on infrastructure audit and the access control system (Physical & logical).
The review was conducted with the objective of providing comfort on the adequacy and appropriateness
of controls and data, so as to mitigate system operational risks and ensure that the information
systems are implemented to provide a safe and secure computing environment. The detailed scope of
review and methodology was also agreed to. Broadly, the overall scope of review, primarily from a
security / controls point of view, involved the following: application controls at the various stages
of Input, Processing, Output, Storage, Retrieval and Transmission, so as to ensure Confidentiality,
Integrity and Availability of data. Further, the organization structure, policies, procedures and
practices as mapped in the information systems were also reviewed, focusing on efficiency / controls.

Audit Methodology
We conducted our audit in accordance with the Information System Audit Standards issued by ICAI,
IS Auditing Standards and Guidelines issued by ISACA, RBI Notifications, Circulars and guidelines
covering Information Systems Audit of Banks and other best practices.
We used various CAATs for Exception Identification, Control Analysis, Error Identification, Statistical
Sampling, Fraud detection, Completeness of data, etc.

The Key tasks of our Audit plan are highlighted below:

1. Review of Bank’s IT Policy
2. Review of Bank’s Information Security Policy
3. Review of bank’s internal control documentations
4. Discussions with the IT department and user management
5. Discussions with Internal Audit Team
6. Review of Environmental Access and Physical Access controls
7. Examination of processing controls using test data

Audit Environment
We have conducted the IS Audit at the IT department of ABC Bank in a simulated environment using a
Windows 10 computer connected to a server running SCO UNIX as the operating system. We have also
visited and reviewed operations at two branches, at Mumbai and Navi Mumbai.

Audit Report

We issued a draft report outlining our issues and recommendations and obtained feedback from
the IT Department. Further, a meeting was held with IT department where the issues and
recommendations were discussed in detail. The IT Department has been very proactive in
incorporating our suggestions.
The report incorporates all the issues which have been agreed and confirmed. This IS
Audit report includes the following annexures and has to be read in its totality:
1. Summary of Findings: outlines all key issues with their exposures
2. Specific Issues and Recommendations: issues whose recommendations need to be implemented
3. Issues identified which have been rectified by the IT department, and the issues rectified as on date
4. Access Control Review of Unix: access control issues of Unix

Overall Conclusions
Based on our review, our overall conclusions on specific areas are as follows:

Security and Access Controls

Our review of security and access controls in the IT environment implemented at ABC Bank confirms
that appropriate security and access controls have been implemented by using the related functions and
features of the packages. Our test checks have revealed that the systems of security and controls are
reliable. However, there are some areas where controls need to be strengthened, and these are given in
the annexures.

Further Action

We consider that the recommendations given in the annexures to this report would be very useful for
facilitating business process controls of ABC Bank and will aid in improving the effectiveness of
infrastructure and computer operations. We would like to affirm that the matters included in
this report are those which came to our notice during our review by following normal Information
Systems audit procedures and by complying with the globally applicable Information Systems Auditing
Standards, Guidelines and Procedures that apply specifically to Information Systems Auditing,
issued by ISACA, USA, and the Security and Control Practices as outlined in COBIT 5, also issued
by ISACA, as applied to ABC Bank operations for the review of application software and implementation.
Further, on account of limitations of scope and time, we have used a sample test and test check
approach. Hence, certain areas which are outside the scope of this review, such as source code
review, implementation controls and general controls specific to branches, are not covered.

Audit Plan
The audit plan would cover the following activities:
1. Discussions with the:
   - Internal Audit Team
   - Systems / Implementation Team
   - Users and user management
2. Review of Operating Systems (OS) documentation
3. Examination of OS access rights
4. Review of Oracle / SAP Manuals
5. Examination of selected Modules access profiles
6. Observation of the Users and the systems in operation
7. Review of access controls over Computers as relevant
8. Examination of computerised processing controls incorporated within the selected modules.

The Key tasks of our Audit plan are highlighted below:

- Discussions with the IT department and user management
- Review of Circulars issued by ABC Ltd relating to IT operations
- Review of Environmental Access and Physical Access controls
- Review of Operating Systems (Unix) and RDBMS (Oracle) Manuals
- Examination of OS and RDBMS access rights
- Review of FALPS Package Technical and User Manuals
- Examination of access profiles and parameter settings in the FALPS package
- Review of Application Controls in the FALPS package
- Observation of the users and the system in operation
- Examination of processing controls in FALPS using test data
- Review of Reports and Audit Logs in System Software and the FALPS package.
