Core Banking System Audit Checklist

Columns: No. | List of activities | Yes/No | Comment
(The Yes/No and Comment columns are left blank on the page for the auditor to complete.)

1 Flexibility and Configurability
1.1 Can the solution be configured easily, or does that require a professional services team?
1.2 What is the CBS software version? (Controls here might include software updates, configuration changes, or other compensating controls.)
1.3 Is there an application test server?
1.4 Does the implementation plan clearly identify product customization requirements, user acceptance criteria and tests for such customization?
1.5 In cases where source code is provided by the Vendor, has the IT department done a technical conversion?
1.6 If there are bugs and errors due to design flaws, are they escalated to higher levels in the Software Vendor's organization and the Bank?
1.7 Does the Bank have a test environment that allows familiarization to proceed in parallel during the implementation process? Have errors identified during the implementation phase been documented, and has the root cause of the errors been analyzed and confirmed by the Software Vendor?
1.8 Are the functions of the IT department clearly defined and documented in the CBS environment?

2 API Integration & Open Banking
2.1 Does the core system use an open architecture via accessible APIs?
2.2 What APIs, if any, have you built for use with the core system?
2.3 How does the core system integrate with the software and systems we currently use?

3 Business Intelligence & CRM
3.1 Does the CRM offer the ability to add relationship data?
3.2 Can you view the information by household as well as by individual account holder?
3.3 Can you easily push out customer data and targeted offers to your front-line staff?
3.4 Can you easily segment your customers for focused marketing?
3.5 Does the core system provide a centralized customer view?

4 Ease of Use
4.1 What makes the core system easy to use?
4.2 Are users given adequate training on the application system's functionalities? How fast can new employees typically be trained on the core?
4.3 Is the core system as intuitive from a system administrator perspective and, if so, why?
4.4 Does the software ensure the sequencing of processes, i.e., does the software ensure that processes are not initiated out of sequence?

5 Modern Technology Platform
5.1 Can you view the whole banking relationship with a single login?
5.2 How often do you implement platform upgrades?
5.3 Is there an annual maintenance contract for the software, and is it currently in force?
5.4 Are application change requests initiated by users in a structured change request form (CRF)?
5.5 Are change requests subjected to a feasibility study and approved by management before the changes are made in the software?
5.6 Do you verify that changes are reflected in the user, technical, operations and all other relevant manuals so that they describe the current state of the software?
5.7 After changes are made, are they tested adequately in the test environment before implementation (unit testing, integration testing, regression testing, etc.)?

6 Built-in Compliance Tools
6.1 How does your internal compliance team stay on top of new regulations in banking?
6.2 What sort of support/education/webinars do you offer to prepare customers for upcoming changes?
6.3 What kind of alerts or workflow enhancements are built into the system to ensure compliance?
6.4 Is a gap analysis between the requirements and the selected product carried out and documented?
6.5 Does the gap analysis document act as the basis for further implementation plans?

7 Security
7.1 What are your security protocols?
7.2 How do you monitor/guard against new types of attacks?
7.3 What sort of backup and business continuity do you offer?
7.4 How experienced is your security team, and what are their credentials?
7.5 Does the system authenticate (verify) the identity of users before initiating a session or transaction? Have these authentication mechanisms been approved by the Bank's IT Department?
7.6 Do you have strong control over the state of CBS user rights at the Bank?
7.7 Does the software have adequate controls to ensure that data have been accurately input (e.g. range checks, validity checks, control totals, etc.)?

8 Exceptional Service
8.1 Are you actively investing in this core system?
8.2 What is your average contract length?
8.3 How do you measure the quality of your customer service?
8.4 How many customers does each account manager support, and how often would we expect to interact with them?
8.5 Does the IT Department have a technology standard for product selection? Does the technology standard cover architecture, interfaces and API standards?
8.6 Is there a core team comprising personnel from the IT Department, Functional Departments and the Internal Audit Department in charge of vendor selection and implementation?