Core Banking System Audit Checklist
No. List of activities Yes/No Comment

1 Flexibility and Configurability


1.1 Can the solution be configured easily, or does that
require a professional services team?
1.2 What is the CBS software version? These controls
might include software updates, configuration
changes, or other compensating controls.
1.3 Is there an application test server?
1.4 Does the implementation plan clearly identify
product customization requirements, user
acceptance criteria and test for such
customization?
1.5 In cases where source code is given by the Vendor,
has the IT department done a technical conversion?
1.6 If there are bugs and errors due to design flaws,
are they escalated to higher levels in the Software
Vendor's organization and the bank?
1.7 Does the Bank have a test environment to
simultaneously allow familiarization during the
implementation process? Have errors identified
during the implementation phase been documented
and the root cause of the errors analyzed and
confirmed by the Software Vendor?
1.8 Are the functions of the IT department clearly defined
and documented in the CBS environment?
2 API Integration & Open Banking
2.1 Does the core system use open architecture via
accessible APIs?
2.2 What APIs, if any, have you built for use with
the core system?
2.3 How does the core system integrate with the
software and systems we currently use?
3 Business Intelligence & CRM
3.1 Does the CRM offer the ability to add relationship
data?
3.2 Can you view the information by household as well
as individual account holder?
3.3 Can you easily push out customer data and
targeted offers to your front-line staff?
3.4 Can you easily segment your customers for focused
marketing?
3.5 Does the core system provide a centralized
customer view?
4 Ease of Use
4.1 What makes the core system easy to use?
4.2 Are users given adequate training on the
application system's functionalities? How fast can
new employees typically be trained on the core?
4.3 Is the core system as intuitive from a system
administrator's perspective and, if so, why?
4.4 Does the software ensure the sequencing of
processes? i.e., does the software ensure that
processes are not initiated out of sequence.
5 Modern Technology Platform
5.1 Can you view the whole banking relationship with a
single login?
5.2 How often do you implement platform upgrades?
5.3 Is there an annual maintenance contract for
software and is it currently in force?
5.4 Are the application change requests initiated by
users in a structured change request form (CRF)?
5.5 Are the change requests subjected to a feasibility
study and approved by management before
affecting the changes in the software?
5.6 Do you verify if the changes are updated in the
user, technical, operations, and all other relevant
manuals to reflect the current state of the software?
5.7 After making changes, are they tested adequately in
the test environment before implementation (unit
testing, integrated testing, regression testing, etc.)?
6 Built-in Compliance Tools
6.1 How does your internal compliance team stay on
top of new regulations in banking?
6.2 What sort of support/education/webinars do you
offer to prepare customers for upcoming changes?
6.3 What kind of alerts or workflow enhancements are
built into the system to ensure compliance?
6.4 Is gap analysis between the requirement and the
selected product carried out and documented?
6.5 Does the gap analysis document act as the basis for
further implementation plans?
7 Security
7.1 What are your security protocols?
7.2 How do you monitor/guard against new types of
attacks?
7.3 What sort of backup and business continuity do you
offer?
7.4 How experienced is your security team and what
are their credentials?
7.5 Does the system authenticate (verify) the identity
of users before initiating a session or transaction?
Have these authentication mechanisms been
approved by the Bank's IT Department?
7.6 Do you have strong control over the state of CBS
Bank user rights?
7.7 Does the software have adequate controls to ensure
that data have been accurately input (e.g. range
checks, validity checks, control totals, etc.)?
8 Exceptional Service
8.1 Are you actively investing in this core system?
8.2 What is your average contract length?
8.3 How do you measure the quality of your customer
service?
8.4 How many customers does each account manager
support, and how often would we expect to interact
with them?
8.5 Does the IT Department have a technology
standard for product selection? Does the
technology standard cover architecture, interfaces,
and API standards?
8.6 Is there a core team comprising personnel from
the IT Department, Functional Departments, and
the Internal Audit Department in charge of vendor
selection and implementation?
