OF
DISA 3.0 COURSE
CERTIFICATE
This is to certify that we are attending the DISA 3.0 course training being conducted at:
ICAI DLH portal, Virtual Branch From 10th October 2020 to 27th October 2020 and we have the
required attendance.
We hereby confirm that we have adhered to the guidelines issued by DAAB, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing project report from anyone except members of our group.
Date: 19-10-2020
PROJECT REPORT
ABC Banking Group, a global player in the banking and financial services industry, has ventured
into implementing a Robotic Process Automation (RPA) system in its business. After
evaluating various technology vendors, it partnered with “Fully Automate” to implement
RPA. The company used to rely on an outsourced labour force for many processing jobs,
which have now been automated using RPA. RPA has been introduced in
fields ranging from payroll administration, customer service, account opening, KYC etc.
The company faced high volumes, errors in manual processes
and high volume variability in its operations. This required it to launch the recruiting process
three to four months in advance, bring staff on board a month or so early, train them, utilize
them during the surge in work, and then scale back. The frequent recruitment drives
drained a lot of senior management’s time and added to operational costs. These
factors contributed to ABC’s decision to introduce RPA into its business processes.
Since RPA has now been fully implemented in the ABC Group’s systems, the company
intends to obtain a post-implementation independent assessment of the Robotic Process
Automation systems implemented for its Indian operations through an IS audit, to assess,
analyse and evaluate whether the objectives defined at the start of automation were
successfully met, and to pave the way for improvements to the existing systems with reference to
its hubs in India. The company also intends to identify any risks associated with its existing
Robotic Process Automation systems so as to establish the necessary controls and checks in the
system.
B. Project Report (solution)
1. Introduction
ABC group has a unique portfolio of specialized businesses that offers a full range of financial
products and services, including mortgages, credit cards, corporate lending, asset finance, and
more sophisticated investment banking products.
They aim to become the best bank in the world for customers driven by regional trade and
capital flows; providing support to local and global businesses, and connecting with growth
opportunities across Asia Pacific and beyond. The Indian market is expected to play a
prominent role in the growth of ABC Bank in the Asia Pacific domain.
Organization Structure:
The ABC group has a workforce of over 51,000 employees and serves around nine million
customers worldwide.
ABC group established its First Indian Branch in Mumbai, and thereafter in Gurugram and
Bengaluru. ABC group has 6 shared service hub operations around the globe, a significant
shared service hub operation is in Bengaluru employing around 5000 Staff supporting their
business in other parts of the world as well.
Organization structure at the Top Level of ABC Group
Technology Infrastructure:
ABC currently operates six data centers globally, including two in Australia and one each in New
Zealand, Singapore, Indonesia and Taiwan. Its technology team has virtualized 40 percent of
ABC‘s infrastructure, with a view to hosting 80 percent of its services in a private cloud
environment through encrypted data storage in cloud mechanism.
ABC has now implemented Robotic Process Automation system into its business for a wide
range of functions including KYC, Account opening and closing, Credit card approval, report
automation, compliance etc.
The Focus of ABC is on improving the financial wellbeing of their customers; having the right
people who listen, learn and adapt; putting the best tools and insights into their hands; and
focusing on those few things that really add value to customers and doing them right the first
time.
ABC aims to ensure risk management and accountability as central to everything they do and
they have a dedicated Risk Division which is responsible for global risk management framework.
ABC Group’s Internal audit division is an integral part of their governance process and acts as a
catalyst in paving way for continuous improvements.
M/s MPMS ASSOCIATES is a 20-year-old firm of Chartered Accountants, established in the
year 2000, specializing in Information Systems Assurance and Management Consultancy
services. MPMS Associates is led by Mr. MP, who is a qualified Chartered Accountant and
has a Diploma in Information Systems Audit. MPMS Associates also has a team of qualified
and trained Information System Audit personnel. MPMS has 4 partners who are CAs with
DISA qualification and one partner holding CISA qualification. MPMS has been involved in
providing Information Systems Assurance for both the public and private sectors in India
as well as abroad, in a wide domain consisting of IT companies, banks, major multinationals,
manufacturing companies, e-commerce chains etc. We have deployed our core team of 3
Chartered Accountants, including one partner, to conduct the audit of ABC group.
The audit team shall also use the services of Information System Specialists and Audit assistants,
who shall be deputed to the assignment on a specific-requirement basis.
2. Auditee Environment
ABC Bank has adopted world class technology and industry leading best practices in their
business to ensure maximization of customer satisfaction and stakeholder value.
ABC Bank has spent the past year refining a well-developed program of work in an emerging
field known as Robotic Process Automation (RPA), whereby tasks previously conducted by
employees are now done by increasingly intelligent software that learns on the job.
Much of the robotic work was initially being conducted in ABC’s network of so-called captive
centres or hubs in India, the Philippines and China, and is currently incorporating the RPAs
into their operations in Australia as well. They have adopted RPA not as a job reduction
strategy, rather it was a move to refocus human workers on new areas which can add value to
the organization. All the redundant, time-consuming, rule-based tasks are performed through
RPAs whereby the employee time is directed towards higher-value and more rewarding tasks.
The Bank has licensed “Fully Automate”, a global leader in the RPA horizon, to implement the
new technology into their business. Currently about 40 processes have been moved to RPA,
out of which about 11 processes that are fully implemented in their Indian operations are
covered in the audit scope based on the Management’s requirements.
The Information Security policy of ABC is well laid out clearly defining the information security
requirements of:
i. Confidentiality: Protecting sensitive information from disclosure to unauthorised individuals
or systems;
ii. Integrity: Safeguarding the accuracy, completeness, and timeliness of information;
iii. Availability: Ensuring that information and vital services are accessible to authorised users,
when required.
Other principles and security requirements such as Authenticity, Non-repudiation,
Identification, Authorisation, Accountability and Auditability are also addressed in the
Information Security policy.
At ABC Banking Group, considering the security requirements, Information Security policies
have been framed based on a series of security principles. Some of the Information Security
policies relevant from the RPA system perspective, and the needs they address, are set out below:
a. New Technology Adoption
• Introduction of new technology and deployment of application & Infrastructure shall go
through Risk assessment and sign off process before implementation in production. The risks
associated with adoption of new & emerging technologies shall be assessed and approved.
b. Log and Audit Trail Policy
• Log and Audit Trail Policy enables creation of quicker and cleaner audit reports, and ensures
that steps that lead to a specific problem are retraceable, be it an error in the RPA
system’s/bot's performance, malicious code or other misuse by an employee. RPA platforms
should offer full audit logs that trace and record every action the software bots and the users
perform within the automation.
c. Encryption Policy
• In the current environment of increasingly open and interconnected systems and networks,
network and data information security are essential. This policy describes cryptography as a
tool for satisfying a wide spectrum of the Information Security Management System (ISMS)
needs and requirements. As per this policy, it is important to choose an RPA product that
stores sensitive information encrypted in a secure database.
As per their policy the Organization Structure of their Information Technology Department of
Indian operations is designed as below:
Regulatory Requirements:
• Compliance with terms/conditions and license requirements for the usage of RPA Systems or
any other proprietary information/material shall be maintained
• Cross border movement of data shall be in accordance with legal and regulatory requirements
• Records shall be retained and managed based on legal and regulatory requirements
3. Background
Robotic Process Automation (RPA) system/Bot implementation in ABC Banking group was
guided by their requirement for managing the variability in operational volumes across periods.
The implementation team for RPA for Indian Operations was headed by the General Manager
Group Hubs working together with the Managing Director of the Bengaluru Hub, and a very
experienced team of professionals and technology experts was identified to steer the
implementation operations. The identified technology was easy to use and could be learned
easily by the operations team, without necessarily requiring technology expertise.
ABC adopted pilot automation in a few processes first and thereafter expanded to other areas
after building confidence and belief in their teams. As per the Service Level Agreement, their
technology partner, Fully Automate, provided them with on-site consulting support to help
accelerate their learning. “Fully Automate” trained one group and then moved to another
group as the first one gained momentum.
The management of the ABC Group seeks assurance from the IS audit team about their RPA
system on the following:
• Ascertain the degree of success from RPA implementation, evaluate whether the project
has met its goals set and manage the expectations of stakeholders.
• Evaluate efficacy of all elements in working solution to identify potential areas for
improvement and optimize the benefits delivered
• Assess potential risks to business post implementation and develop controls
• Assess how well the project is managed and identify shortcomings if any for future
improvements.
4. Situation
The introduction of RPA has changed the technology environment of the company, bringing with it
a series of new risks which need to be identified, assessed and addressed. Multiple
aspects of process automation lead to an elevated risk exposure compared to a typical
IT application. To name a few from an audit perspective: changes in process risk
definitions post automation, changes to job roles and access security, application change
management considerations, strategy and governance of the RPA environment, etc. RPA being a
new area for the stakeholders as well as the business environment as a whole, there is a need
to engage experts to assess various risks and controls in the system post implementation. The
Internal Audit Division of ANZ is globally located and managed under the Group Internal Audit
Officer, and has already done the assessment, pre and post implementation, of the RPA in
different countries. In order to have an independent assessment, the company proposes to have
an external IS audit of the Robotic Process Automation system.
RPA has been designed to respond to queries from customers in real time in relation to Account
information, Application status, Balance Information etc. by extracting information from the
data system based on rules set for each query.
Bank, being the center of the economy, is closely governed and needs to adhere to a lot of
compliances. RPA generates various reports to be submitted to regulators with 24/7 availability
and highest accuracy, improving quality of compliance process.
ACCOUNTS PAYABLE
Optical character recognition (OCR) reads the vendor information from digital copy of invoices
and provides information to RPA system. RPA will validate the information with the information
in the system and process the payment. If any error occurs, RPA will notify the executive for
resolution.
CREDIT CARD PROCESSING
RPA validates the customer information from credit card application by communicating to
multiple systems simultaneously to validate the information like required documents,
background checks, credit checks and take the decision on the basis of rules to approve or
disapprove the credit card application.
MORTGAGE LOAN PROCESSING
Process of approving mortgage loan goes through various checks like credit checks, repayment
history, employment verification and inspection. RPA performs this process based on specific
set of rules and checks, thereby accelerates the process of Mortgage loan processing by
providing fast and accurate inputs to the Credit Department.
KYC PROCESS
RPA system collects, screens and validates the customer data, and flags in case of any
missing/unauthentic KYC information in the account. RPA tracks accounts with missing KYC and
sends automated notification and schedules calls for the required document submissions.
FRAUD DETECTION
RPA system helps in detection of potential fraud by using the “if then” method and flags them
to concerned departments for their action.
Eg: If there are multiple transactions made within a short time, then the RPA identifies the
account and flags it for a potential threat
GENERAL LEDGER
RPA system integrates data from multiple legacy systems and validates it against the rules set
and reports in required format to be updated in the General Ledger.
ACCOUNT CLOSURE PROCESS
The audit of RPA system shall mainly focus on the major areas where RPA has been
implemented by engaging control and substantive tests using appropriate Computer Assisted
Audit Tools and Techniques (CAAT) as and when required.
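A substantive test of the “if then” fraud rule described above (multiple transactions within a short time), written here as an added example and not taken from the report or from the RPA product. It replays a constructed transaction set through the rule at several parameter settings and compares the flags with constructed reviewer dispositions; the account names, thresholds and dispositions are assumptions.

```python
from datetime import datetime, timedelta

BASE = datetime(2020, 10, 12, 10, 0)

# Constructed sample: minutes after BASE at which each account transacted.
TXN_MINUTES = {
    "A1": [0, 1, 2, 2, 3, 4],
    "A2": [0, 2, 4, 7, 9],
    "A3": [0, 10, 20],
    "A4": [0, 12, 25],
    "A5": [0, 14, 28],
    "A6": [0, 600],
}
TRANSACTIONS = [
    (acct, BASE + timedelta(minutes=m))
    for acct, minutes in TXN_MINUTES.items()
    for m in minutes
]

# Constructed dispositions, standing in for the remarks a reviewing
# department records against each flagged account.
DISPOSITIONS = {
    "A1": "suspicious", "A2": "suspicious",
    "A3": "normal", "A4": "normal", "A5": "normal",
}


def flag_accounts(transactions, min_count, window_minutes):
    """IF an account has >= min_count transactions within window_minutes
    THEN flag it. Uses a sliding window over sorted timestamps."""
    window = timedelta(minutes=window_minutes)
    by_account = {}
    for acct, ts in transactions:
        by_account.setdefault(acct, []).append(ts)
    flagged = set()
    for acct, stamps in by_account.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            if right - left + 1 >= min_count:
                flagged.add(acct)
                break
    return flagged


def evaluate(transactions, dispositions, min_count, window_minutes):
    """Compare the rule's flags with reviewer dispositions.

    Only accounts that were reviewed have a disposition, so the miss list
    covers known suspicious accounts, not fraud that was never flagged.
    """
    flagged = flag_accounts(transactions, min_count, window_minutes)
    reviewed = [a for a in flagged if a in dispositions]
    normal = [a for a in reviewed if dispositions[a] == "normal"]
    missed = sorted(
        a for a, d in dispositions.items()
        if d == "suspicious" and a not in flagged
    )
    return {
        "flagged": len(flagged),
        "marked_normal_share": len(normal) / len(reviewed) if reviewed else 0.0,
        "missed_suspicious": missed,
    }


def sweep(transactions, dispositions, settings):
    """Evaluate each (min_count, window_minutes) pair in settings."""
    return {s: evaluate(transactions, dispositions, *s) for s in settings}


if __name__ == "__main__":
    # Assumed settings: a loose rule, a tuned rule, and an over-tight rule.
    for params, result in sweep(
        TRANSACTIONS, DISPOSITIONS, [(3, 30), (5, 10), (6, 5)]
    ).items():
        print(params, result)
```

The over-tight setting shows why a parameter change needs both figures: the share of flags marked normal drops to zero, but a known suspicious account is no longer flagged.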
ABC Group- India shall appoint one Senior IT Officer part of the implementation team, and
Operations head to co-ordinate for finalizing the initial work plan and shall continue to work
with the Audit team as and when required till the completion of Assignment. The company shall
make available necessary systems, software, software resources and support facilities for
completing the assignment within the appointed time. During the course of audit the following
resource shall be made available:
In tune with the terms and scope of the Assignment, the methodology shall be adapted in
compliance with the IS Audit and Assurance Standards of the Information Technology
Assurance Framework by ISACA.
• A core team of 5 IS audit Professionals shall be deployed for this assignment in batches
of 2 or 3 as per the skill sets required at each stage, under the personal direction and
liaison of our partner Mr. MP.
• A detailed and systematic audit procedure shall be finalized after completing initial
review of the documentation and discussion with the IT Department Personnel and
users
Structured Methodology
The following Structured Methodology shall be adopted for achievement of the objectives of
audit:
Audit Plan:
Based on the requirements of ABC Group and Scope of Audit, Audit Plan shall cover the
following:
Discussions with the Internal Audit team, Systems/Implementation Team, Users and
Management. Review of the Policies, organization structure, IT steering committee and
Strategy committee minutes, User Manual and installation documents of RPA system etc.
3. Design Evaluation
To evaluate the design of Controls into the RPA system and the exception handling process.
Performing gap Analysis of expected and actual outcomes of the RPA system implementation.
4. Legal and Regulatory Review
Evaluate the procedures followed for Change management in the RPA system in
accordance with changes in Legal and regulatory environment.
Review the RPA system security and protection requirements.
To assess the effectiveness of operations through controls testing and substantive testing. To
test more of preventive controls and exception-based-testing. Assessment of Logical access
Controls, Environmental Controls, Physical Access controls etc. Some of the key Risks
considered for the audit plan are automation Strategy, Business Continuity, Data protection and
security, Solution and infrastructure architecture, Business processes and Project execution.
Process mining is the analysis of business processes based on event logs, to identify trends,
patterns and details contained in the logs created by the information system. Process mining is
performed using an event log created by an RPA system or the Bot. Process mining assumes the
existence of an event log where each event refers to a case, an activity, and a point in time.
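The event-log analysis described above, as an added example that is not part of the original report: it rebuilds per-case traces from (case, activity, time) events, counts process variants and directly-follows steps, and lists cases that deviate from an assumed process design or leave an exception unresolved. The bot, activity names, permitted steps and log rows are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log for a hypothetical account-opening bot. Each event
# carries the three fields the text names: case, activity, point in time.
# Rows are deliberately out of time order, as exported logs often are.
EVENT_LOG = [
    ("C1", "Receive application", "2020-10-12T09:00:00"),
    ("C2", "Receive application", "2020-10-12T09:00:30"),
    ("C1", "KYC check",           "2020-10-12T09:01:10"),
    ("C1", "Create CIF",          "2020-10-12T09:01:40"),
    ("C2", "KYC check",           "2020-10-12T09:01:45"),
    ("C1", "Open account",        "2020-10-12T09:02:05"),
    ("C2", "Create CIF",          "2020-10-12T09:02:20"),
    ("C2", "Open account",        "2020-10-12T09:02:50"),
    ("C3", "Receive application", "2020-10-12T09:05:00"),
    ("C3", "Open account",        "2020-10-12T09:05:40"),
    ("C3", "Create CIF",          "2020-10-12T09:05:20"),
    ("C4", "Receive application", "2020-10-12T09:10:00"),
    ("C4", "KYC check",           "2020-10-12T09:11:00"),
    ("C4", "Raise exception",     "2020-10-12T09:11:05"),
    ("C5", "Receive application", "2020-10-12T09:20:00"),
    ("C5", "KYC check",           "2020-10-12T09:21:00"),
    ("C5", "Raise exception",     "2020-10-12T09:21:05"),
    ("C5", "Manual resolution",   "2020-10-12T11:40:00"),
    ("C5", "Create CIF",          "2020-10-12T11:41:00"),
    ("C5", "Open account",        "2020-10-12T11:41:30"),
]

# Assumed process design: the only permitted "directly follows" steps.
START, END = "Receive application", {"Open account"}
ALLOWED = {
    ("Receive application", "KYC check"),
    ("KYC check", "Create CIF"),
    ("KYC check", "Raise exception"),
    ("Raise exception", "Manual resolution"),
    ("Manual resolution", "Create CIF"),
    ("Create CIF", "Open account"),
}


def timed_traces(log):
    """Group events by case and order each case by timestamp."""
    by_case = defaultdict(list)
    for case, activity, ts in log:
        by_case[case].append((datetime.fromisoformat(ts), activity))
    return {case: sorted(events) for case, events in by_case.items()}


def build_traces(log):
    """Case id -> ordered list of activity names."""
    return {c: [a for _, a in ev] for c, ev in timed_traces(log).items()}


def variants(traces):
    """How many cases followed each distinct activity sequence."""
    return Counter(tuple(t) for t in traces.values())


def directly_follows(traces):
    """How often activity b came immediately after activity a."""
    df = Counter()
    for trace in traces.values():
        df.update(zip(trace, trace[1:]))
    return df


def deviations(traces):
    """Cases whose trace breaks the assumed design, with the reasons."""
    findings = {}
    for case, trace in traces.items():
        reasons = []
        if trace[0] != START:
            reasons.append(f"starts at '{trace[0]}'")
        for a, b in zip(trace, trace[1:]):
            if (a, b) not in ALLOWED:
                reasons.append(f"unexpected step: {a} -> {b}")
        if trace[-1] not in END:
            reasons.append(f"ends at '{trace[-1]}'")
        if reasons:
            findings[case] = reasons
    return findings


def resolution_delays(log):
    """Seconds from each raised exception to its manual resolution.
    None means the exception was still open at the end of the log."""
    delays = {}
    for case, events in timed_traces(log).items():
        raised = None
        for ts, activity in events:
            if activity == "Raise exception":
                raised, delays[case] = ts, None
            elif activity == "Manual resolution" and raised is not None:
                delays[case] = (ts - raised).total_seconds()
                raised = None
    return delays


if __name__ == "__main__":
    traces = build_traces(EVENT_LOG)
    for variant, n in variants(traces).most_common():
        print(n, " > ".join(variant))
    print(deviations(traces))
    print(resolution_delays(EVENT_LOG))
```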
Audit Program
2 Assess Application level Risks and controls implemented in the RPA system at the System and Data level
• Review controls implemented to combat the following risks: system integrity risks relating to the incomplete, inaccurate, untimely or unauthorized processing of data; system security risks relating to unauthorized access to systems or data; data risks relating to its completeness, integrity, confidentiality and accuracy; system-availability risks relating to the lack of system operational capability; and system maintainability risks in terms of adequate change control procedures.
• Evaluate the risk and control considerations using Checklists
5 Business Continuity plan with respect to RPA system
• Review the documented BCP in respect of recovery of RPA system in an event of break down
• Review the Backup procedures
6 Review of Customer Care RPA System
• Check if appropriate action is taken on the exception logs generated and timely resolution provided to customers and the same is adequately documented.
• Discussion with the IT development team and review Development documents with the help of an expert if required, to understand the rules set for the RPA system in Customer care Department and test check from logs if the objectives have been fully implemented.
7 Review of Compliance and Report Automation process RPA System
• Review the rules set for Compliance report generation through Robotic Process System
• Review if the reports generated are reviewed by appropriate personnel from the compliance department before final submission to authorities and the process is logged/documented.
13 Review of RPA system in General Ledger Updation
• Check interface of RPA system with other systems from where data is to be extracted to be posted to the General Ledger
14 Review of Exception logs of the RPA system generated processes
• Review if the company has appropriate monitoring process for exception handling
• Use CAAT tools like CASE ware Idea to analyse patterns and trends in Exception handling to see if there is any deficiencies in the initial source code developed
15 Review of the Change Management system established by the organization
• Review systems in place like approving authority, documentations etc. in respect of the following: Raising Change Request; Prioritizing change requests; Carrying out Changes; System Document Maintenance; Testing changes; Releasing changes; Record Maintenance
8. Documents reviewed
9. References
For Successful execution and completion of the assignment, the following references were
used:
10. Deliverables
We draw Management’s attention to one of the major risks associated with RPA systems, i.e.,
cyber security and resilience. There may be abuse of privileged access, mismanaged
access entitlements and disclosure of sensitive data by personnel who are associated with the
maintenance and change management process of the RPA, which must be closely monitored by
the Bank. The company may also look into the possibility of integrating the RPA system into the
internal audit functions.
Any RPA system requires proactive measures to manage changing business processes and
constant review of the risk and control profile of the organization. A healthy dose of risk
management can allow software robots to become trusted enablers in an organization’s digital
transformation journey.
CHECKLIST FOR AUDIT
Sl No. AREA
a Does the RPA governance risk and control framework continue to align with business strategies?
b Has an operating model been established to govern, manage, operationalize and scale the program and life cycle of RPA system?
c Is the workforce knowledgeable about the processes and controls for which they are responsible?
d Has the impact of RPA on the organization been factored into the Internal Audit plan?
A Has a consistent, end-to-end methodology been established to manage the RPA life cycle?
B Has exception handling of the processes handled by RPA system/bots been conducted to monitor performance and manage any encountered exceptions (e.g., technical or operational)?
C How is the RPA vendor management integrated into an enterprise vendor management program, including evaluation of third-party risk and software security?
VALUE MEASUREMENT
A Have key performance indicators (KPIs) and key risk indicators (KRIs) been defined to proactively assess the RPA program’s health (e.g., engagement and acceptance, efficiencies gained, development pipeline and training)?
B Has the return on investment been measured (e.g., cycle time, transactions processed and capacity gains) and socialized to challenge the speed and targets for further automation?
ALIGNMENT AND CHANGE
A Has the organization planned accordingly for the new competencies required to sustain the RPA program strategy?
B Has organizational training and education been deployed (and how frequently) to provide the necessary skills uplift (e.g., awareness, foundations and development)?
C Have new learning paths, job descriptions and workforce planning changes been defined to promote the program’s sustainability?
TECHNOLOGY
A Has the organization effectively collaborated with the RPA vendor to agree upon licensing, communication channels, interaction points and service-level agreements (e.g., software issues, configuration management, enhancements and defects)?
B Has the organization challenged the compatibility of RPA with the underlying architecture and infrastructure (e.g., synchronization, server changes, entitlement management, business continuity and disaster recovery)?
C Has a controlled, non-production innovation and test lab been established to challenge the feasibility of the integration of RPA with further emerging technologies?
D Has a knowledge-management repository been established to capture relevant RPA lessons learned, accelerators, enablers and artifacts to promote organizational consistency?
ENTERPRISE INTEGRATION
ON
1 Reliability, authenticity and accuracy of output generated by RPA system
• Based on test checks performed on the output the same is found to be in order
3 Whether the data used by the RPA system is properly encrypted to prevent any misappropriation as per the IS policy of ABC bank.
• Yes, the data is encrypted as necessitated by the Information Security Policy. However we recommend use of credential vault to store the encrypted passwords of the RPA system.
4 Review of Exception handling in Customer Service System RPA
• Notification of Exceptions are being sent to the customer service supervisor only and no mail is being marked to the Customer service manager.
5 Review of Fraud Detection logs generated by the RPA system
• RPA system Bot in Fraud Detection Process flags over 500 cases on a weekly basis. As noticed by the exception handling review done by the Credit control department, it is seen that about 60% of the cases, the department personnel has marked that it is normal occurrence in the account. This may be due to incorrect parameters set in configuration
6 Deficiencies in RPA system in Credit control and monitoring
• RPA system in Credit Management is not fully utilized. Sending reminders for periodical submission of Stock statement and Receivables statement to Business and institutional clients is not automatically enabled in the RPA system.
7 Uniqueness of CIF numbers for each customer for all accounts held by him not ensured
• It was seen that 2 CIF numbers were created by the RPA system for same person, one taking Aadhar Card as base document and other with the PAN. This is due to lack of controls designed to check duplication in records.
8 Creation credentials in RPA
• Yes, each bot is assigned with separate Login ID’s and passwords.
9 Definition of parameters for marking 15G/15H receipt on Deposit accounts
• Instances were noted where RPA system has updated Form 15G/H for deposit account holders whose cumulative annual Interest is higher than the maximum amount not chargeable to tax
10 Review of access controls and security of RPA system and servers.
• Upgradation of Security solutions to provide extra layer of protection to data and RPA system access. Also considering the sensitivity of information processed by the system the security settings may be upgraded to latest security solutions available in the market. ABC currently has access through Swiping employee cards, logical access control in the form of passwords and Usage logging enabled for RPA system servers.
IT GENERAL CONTROLS
16 a) Whether periodic maintenance check is done for UPS & Batteries? b) Record of Breakdowns is maintained, and any breakdowns incidents occurred during the year.
• YES, Register for Record of maintenance and breakdowns is being maintained. However the record is not seen updated.
17 Periodic back up of Emails sent by RPA system and whether same is stored such that it can be retrieved as and when required
• YES maintained and found in order
18 Maintenance of Report Backups and backups of System logs of RPA systems
• YES maintained and found in order
19 Is easy access to Main switch available, to switch off power in case of emergency to avoid any damage to IT assets including RPA system?
• Yes, Main switch is available near Manager’s Cabin in branches and hubs and Access is easy.
23 Whether input power to Server is continuously ON for regular updates in Robots for better performance of RPA.
• Yes, Power to SERVER is being supplied continuously, so that regular updates to the system will not get disturbed, which in turn lead to better functioning of RPA.
MANAGEMENT RESPONSE TO FINDINGS IN THE DRAFT AUDIT REPORT
Sl No 1
Audit Findings: Register for Record of maintenance and a breakdown is being maintained. However the record is not seen updated.
Management Response: Noted for compliance
Sl No 2
Audit Findings: RPA system Bot in customer service process notifies the incomplete transactions due to various exceptions only the Customer service supervisor by mail.
Management Response: Recommended for updation of Manager’s email id as well
Sl No 3
Audit Findings: RPA system Bot in Fraud Detection Process flags over 500 cases on a weekly basis. As noticed by the exception handling review done by the Credit control department, it is seen that about 60% of the cases, the department personnel has marked that it is normal occurrence in the account. This may be due to incorrect parameters set in configuration
Management Response: Recommended to reassessing the parameters to the IT Development and change management team
Sl No 4
Audit Findings: RPA system in Credit Management is not fully utilized. Sending reminders for periodical submission of Stock statement and Receivables statement to Business and institutional clients is not automatically enabled in the RPA system.
Management Response: Recommended for checking the incorporation of the same into RPA system to the IT Development and change management team
Sl No 5
Audit Findings: It was seen that 2 CIF numbers were created by the RPA system for same person, one taking Aadhar Card as base document and other with the PAN.
Management Response: Noted for corrections in duplicates validation controls
Sl No 9
Audit Findings: Scope for improving Security in relation to password management of RPA system
Management Response: The recommendations made are being considered for implementation
Sd/-
CA MP, FCA, DISA
Managing Partner
MPMS Associates
Mno. XXXXXX
FRN.00XXXXX
Place- Mumbai
Date: 19.10.2020
MPMS Associates
Chartered Accountants
IS AUDIT REPORT
on
Post Implementation Audit of Robotic Process Automation System of ABC Banking Group-
Indian Operations
Objectives of the Assignment
The primary objective of this Information Systems Audit Report assignment was to provide
assurance to the management of ABC Banking Group on the Confidentiality, Integrity,
Availability of Information and adequacy of controls in the Robotic process Automation system
implemented by the Bank in their Hubs and Branches in India and comment on the following
key aspects:
• The degree of success from RPA implementation, evaluate whether the project has met
its goals set and manage the expectations of stakeholders.
• Evaluate efficacy of all elements in working solution to identify potential areas for
improvement and optimize the benefits delivered
• Assess potential risks to business post implementation and develop controls
• Assess how well the project is managed and identify shortcomings if any for future
improvements.
We have conducted the audit at the Bengaluru Shared Service Hub and Branches in Mumbai,
Gurugram and Bengaluru.
Based on the understanding of ABC Bank’s needs for conducting the post-implementation audit
of their Robotic Process Automation system, the primary focus of the audit was on the adequacy
and appropriateness of the system, identification of any risks associated therein, and
ensuring the Confidentiality and Integrity of the data processed in the RPA-enabled environment.
The detailed scope of review/consultation was decided in consultation with the Top
Management at their Global Level and the Managing Director and Operations Director of the
Bengaluru Hub. The scope of review was primarily from a security/controls, regulatory
compliance and benefit realization perspective and involved the following:
Audit Environment
We have conducted the IS Audit at the Shared Service hub and branches of ABC Bank in India using
a Windows 7 computer connected to the Bank’s server with read-only access to the software,
using various CAAT tools for data analysis. We have also visited and reviewed operations at
all branches and conducted discussions with the personnel of the User Departments.
Audit Reports
We issued a draft report outlining our observations, issues and recommendations and obtained
feedback from the Management. Further, a meeting was held with Senior Management and IT
Department represented by Mr. ASD, Managing Director of the Indian Operations, Mr. RTG,
CTO, Mr. DFG, CIO and Mr. JKL, AGM (Finance and Accounts) where the issues and
recommendations were discussed in detail.
The report incorporates all the issues, which have been agreed and confirmed. This IS Audit
report includes the following annexures and has to be read in its totality:
1. Key Audit Findings, their risk implication, and the management responses
2. Security and Access Control Review of RPA system
Overall Conclusions
Based on our review, our overall conclusions on specific areas are as follows:
Our review of security and access controls in the IT Environment, and specifically in the RPA
system as implemented by ABC, confirms that appropriate security and
access controls have been implemented and are in operation. Our test checks have
revealed that the systems of security and controls are reliable.
However, there are some areas where controls need to be strengthened and these are given in
Annexure 2.
Our review of business process validations and data integrity controls covering all the
core functions of ABC as facilitated by the RPA system, such as interest computation, KYC checking,
Account Opening, Closing Report Automation etc., confirms that all related data have been duly
captured, processed and stored correctly and completely, subject to some instances which have
been listed out in the Key Audit Findings as Annexure 1 to this report.
However, there are cases of deficiencies in input control validations, further scope of
automation etc. which have come to our notice during the process of review, and these are
highlighted in Annexure 1.
Further Action
We consider that the recommendations given in annexure to this report would be very useful
for facilitating business process controls of ABC and will aid in improving the effectiveness of
RPA system. We would like to affirm that the matters included in this report are those which
came to our notice during our review by following normal Information System audit procedures
by complying with globally applicable Information Systems Auditing Standards, Guidelines and
Procedures that apply specifically to Information Systems Auditing issued by ISACA, USA and
Security and Control Practices as outlined in COBIT 2019 also issued by ISACA as applied to ABC
operations for review of RPA system implementation.
Further, on account of limitations of scope and time, we have used a sample test and test-check
approach. Hence, certain areas which are outside the scope of this review, such as source code
review, implementation controls and general controls specific to branches, are not covered.
Sd/-
CA MP, FCA, DISA
Managing Partner
MPMS Associates
Mno. XXXXXX
FRN.00XXXXX
UDIN: 20XXXXXXXA12345
Place: Mumbai
Date: 19.10.2020
Annexure 1
Key Audit Findings
1. Finding: The RPA system bot in the customer service process notifies only the Customer
   Service supervisor, by mail, of transactions left incomplete due to business exceptions.
   Risk: Medium
   Recommendation: The RPA system to be programmed to mark a copy of the mail to the
   Manager-Customer Relations for better accountability and monitoring of the exception
   situations.
   Management response: Noted for compliance.
2. Finding: The RPA system bot in the Fraud Detection Process flags over 500 cases on a weekly
   basis. The exception handling review done by the Credit Control department shows that in
   about 60% of the cases the department personnel have marked the flag as a normal occurrence
   in the account. This may be due to incorrect parameters set in the configuration.
   Risk: Medium
   Recommendation: The Programmer may be asked to review the parameters set for flagging
   transactions, as unnecessary flags can add to the manual work of processing them by the
   concerned department, which defeats the purpose of the bot.
   Management response: The parameters set is being sent for review.
3. Finding: The RPA system in Credit Management is not fully utilized. Sending reminders for
   periodical submission of the Stock statement and Receivables statement to Business and
   institutional clients is not automatically enabled in the RPA system.
   Risk: Medium
   Recommendation: In order to ensure compliance and continued loan facility maintenance of
   business accounts, the RPA system can be programmed to send reminders by mail/automated
   telephone call to customers to submit the Stock/Receivables statements 5-7 days before the
   due date.
   Management response: Noted for improvements in the system.
4. Finding: It was seen that 2 CIF numbers were generated by the RPA system for the same
   person, one taking the Aadhar Card as the base document and the other the PAN.
   Risk: High
   Recommendation: Necessary control checks to be programmed into the RPA system to flag
   Name and Date of birth matching instances so that secondary checks can be enabled to avoid
   such instances in future.
   Management response: Noted for compliance.
5. Finding: Instances were noted where the RPA system has updated Form 15G/H for deposit
   account holders whose cumulative annual interest is higher than the maximum amount not
   chargeable to tax.
   Risk: High
   Recommendation: Controls need to be programmed to ensure that 15G/H is marked as yes only
   for account holders whose projected interest for the year on deposit accounts is less than
   the set amount.
   Management response: Noted for compliance.
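The Name and Date of birth matching check recommended for finding 4 can be sketched as follows. This is an added example, not code from the RPA system or from the audit working papers; the field names, honorific list, date formats and sample rows are assumptions constructed for illustration.

```python
import re
import unicodedata
from collections import defaultdict
from datetime import datetime

# Constructed sample customer-master rows (assumed layout, not audit data).
CUSTOMERS = [
    {"cif": "CIF1001", "name": "Ravi Kumar Sharma", "dob": "14-03-1985", "base_doc": "AADHAAR"},
    {"cif": "CIF2044", "name": "SHARMA, RAVI KUMAR", "dob": "1985-03-14", "base_doc": "PAN"},
    {"cif": "CIF3010", "name": "Anita Desai", "dob": "02-11-1990", "base_doc": "PAN"},
    {"cif": "CIF3011", "name": "Anita Desai", "dob": "02-11-1991", "base_doc": "AADHAAR"},
    {"cif": "CIF5000", "name": "Ravi Kumar Sharma", "dob": "March 1985", "base_doc": "PAN"},
]
DOB_FORMATS = ("%d-%m-%Y", "%Y-%m-%d", "%d/%m/%Y")  # assumed input formats
HONORIFICS = {"mr", "mrs", "ms", "dr", "shri", "smt"}  # assumed list

def name_key(name):
    """Case-, punctuation- and word-order-insensitive key for a customer name."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    tokens = [t for t in re.split(r"[^a-z]+", text) if t and t not in HONORIFICS]
    return " ".join(sorted(tokens))

def dob_key(dob):
    """Return the date of birth as ISO text, or None if no known format fits."""
    for fmt in DOB_FORMATS:
        try:
            return datetime.strptime(dob.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    return None

def flag_duplicate_cifs(rows):
    """Group rows by (name, DOB) and return the groups holding more than one CIF,
    plus the CIFs whose name or DOB could not be normalised (manual review)."""
    groups, unparsed = defaultdict(list), []
    for row in rows:
        key = (name_key(row["name"]), dob_key(row["dob"]))
        if not key[0] or key[1] is None:
            unparsed.append(row["cif"])  # never drop a row silently
            continue
        groups[key].append(row)
    flagged = []
    for (name, dob), members in sorted(groups.items()):
        cifs = sorted({m["cif"] for m in members})
        if len(cifs) > 1:
            flagged.append({"name_key": name, "dob": dob, "cifs": cifs,
                            "base_docs": sorted({m["base_doc"] for m in members})})
    return flagged, unparsed
```

A match is only a trigger for the secondary check named in the recommendation: two different people can share a name and date of birth, so flagged groups are reviewed rather than merged automatically.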
Annexure 2