Audit in CBS Environment :

Checks & Strategy

Certificate Course on Concurrent Audit of Banks
organized by Internal Audit Standards Board, ICAI

Session By: CA. Rajeev Bansal, Yamuna Nagar

CA. Rajeev Bansal, Yamuna Nagar

Disclaimers
 These are my personal views and can not be
construed to be the views of the ICAI, IASB of
ICAI, NIRC of ICAI or Rajeev Lakshmi Bansal &
Co., Chartered Accountants

 These views do not and shall not be considered

as professional advice

CA. Rajeev Bansal, Yamuna Nagar

Session Overview
 Checks & Strategies for Concurrent Auditors

 Risk Assessment and Auditors Response to

Assessed Risk

 Overview of Information Technology Security

Standards

CA. Rajeev Bansal, Yamuna Nagar

Checks & Strategies
 For effective Audit, Concurrent Auditors [CCA]
must possess knowledge of bank’s internal
Processes and understanding of Core Banking
System.

 Based on the experience CCA should develop

various checks and should devise certain
strategies to carry out audit effectively.

 Such approach helps auditors for quality

reporting.
CA. Rajeev Bansal, Yamuna Nagar
Checks & Strategies
 In next few slides we will review and discuss
few Checks and Strategies that can be
developed.

 Checks & Strategies discussion is bifurcated

in three major parts.
 Check Point / Event / Transaction Type
 What to Verify
 Source from where the details will be
available

CA. Rajeev Bansal, Yamuna Nagar

Few Checks & Strategies - 1
Check Point:
Transactions processed in Account where Scanned
Signature is not available

What to verify:
Alternate source of Signature verification to be
verified

Source:
Tailormade report generated through SQL based on
Criteria Debit Transactions with “Tran Date” is
earlier than “Signature upload” date.
CA. Rajeev Bansal, Yamuna Nagar
Few Checks & Strategies - 2
Check Point:
Debits to Account without Cheque
What to verify:
Finacle maintains cheque series for each account. If
Cheque No. other than the one assigned to Account is
entered the system throws an error. However, it also
allows user to process transactions where cheque is
not available.
The transactions should be closely monitored to verify
whether all such transactions are genuine.

Source:
Report generated through SQL / Daily Transaction
Report containing Cheque Details.
CA. Rajeev Bansal, Yamuna Nagar
Few Checks & Strategies - 3
Check Point:
Transactions in Dormant Account
What to verify:
Finacle does not allow any transactions in Dormant
Account. If any transaction is carried out after lifting
of Dormancy Flag the transactions should be closely
verified.
Source:
AFI Menu (Finacle) and Tailormade Report based
on SQL for all the cases where Dormancy Flag is
lifted. (Report generated from CUMM Updation -
Finacle)
CA. Rajeev Bansal, Yamuna Nagar
Few Checks & Strategies - 4
Check Point:
Credit to NRE & FCRA Account
What to verify:
As per FEMA Guidelines NRE Account can only be
credited after verifying source of Credit and
compliance with the guidelines.
In the same way as per FCRA provisions FCRA
Account can be credited only after compliance with
FCRA guidelines.
Source:
FTR Report (Finacle) generated or Tailor made
Report generated through SQL Script.
CA. Rajeev Bansal, Yamuna Nagar
Few Checks & Strategies - 5
Check Point:
Value Dated Transactions
What to verify:
Value Dated Transactions affect the Interest
computations. Hence, it needs to be checked
whether the Value Dating is properly done or not.

Moreover, whether both the legs of Transactions

have been value dated or not needs to be verified.
Source:
Exception Report

CA. Rajeev Bansal, Yamuna Nagar

Few Checks & Strategies - 6
Check Point:
Manual Debits to Income Account, Interest Paid
Accounts
What to verify:
Transactions for recognition of income are generally
processed by System. However, where entries have
been passed as Debit to Income Account or manual
credit to Income Account, the transactions need to
be thoroughly looked into.
Source:
Exception Report or AFI Command

CA. Rajeev Bansal, Yamuna Nagar

Few Checks & Strategies - 7
Check Point:
Cancelled Inventories

What to verify:
List of Inventories marked as cancelled or
misprinted as per system should be checked
physically to ensure that there is no misuse of
inventory.

Source:
IMI Menu (Finacle), Tailormade SQL Report

CA. Rajeev Bansal, Yamuna Nagar

Few Checks & Strategies - 8
Check Point:
DD / FD Printed more than once
What to verify:
There may be the case where in the customer has lost
original copy of DD / FDR. In addition to it, there may
be a case wherein confirmation for having printed the
DD / FDR is given to CBS but the DD / FDR is not
printed properly. In such circumstances there will be
two numbers against one entry. Auditor should ensure
that DD / FDR stationery is not misused under the
pretext of Lost / Misprinting.
Source:
IMI Menu (Finacle), Tailormade SQL Report
CA. Rajeev Bansal, Yamuna Nagar
Few Checks & Strategies - 9
Check Point:
Accounts with Interest Code as “0” and Interest
Collection Flag as “N”
What to verify:
Accounts with Interest code as “0” or Collection Flag
as “N” will not be charged for Credit Facilities.

It should be verified whether the genuine accounts

are only having these parameters. E.g. Interest is not
charged in NPA Accounts.
Source:
Tailormade report generated through SQL Script
CA. Rajeev Bansal, Yamuna Nagar
Few Checks & Strategies - 10
Check Point:
Accounts where TDS Flag is set as “N”

What to verify:
In such accounts system will not deduct tax at
source. It needs to be ensured that only valid
accounts (where approval of Income Tax Dept. is
available).

Source:
Tailormade report generated through SQL Script

CA. Rajeev Bansal, Yamuna Nagar

Few Checks & Strategies - 11
Check Point:
Accounts where TDS Exemption is marked at CUST
ID Level
What to verify:
Cases where TDS exemption is marked at CUST ID
Level, the system will not deduct TDS for all the
accounts opened under the said CUST ID.

The option is generally used for Government Accounts,

Banks & Financial Institutions who exempted from TDS
Provisions.
Source:
Tailormade report generated through SQL Script
CA. Rajeev Bansal, Yamuna Nagar
Few Checks & Strategies - 12
Check Point:
Debit against uncleared effects
What to verify:
It means Cheque passed against Funds in Clearing
(wherein the zones have not been released) and
effective credit is not passed on in clients’ Account.

It amounts to granting / accommodation to client and

calls for requisite approvals.
Source:
Exception Report.

CA. Rajeev Bansal, Yamuna Nagar

Few Checks & Strategies - 13
Check Point:
Interest Rate Modifications
What to verify:
Cases where Interest rates have been modified
should be closely looked into.

Source:
Tailormade report generated through SQL Script

CA. Rajeev Bansal, Yamuna Nagar

Session Overview
Checks & Strategies for Concurrent Auditors

Risk Assessment and Auditors Response

to Assessed Risk

Overview of Information Technology Security

Standards

CA. Rajeev Bansal, Yamuna Nagar

Risk Assessment - Introduction
Introduction:
Risk assessment seeks to identify which business
processes and related resources are critical to the
business, what threats or exposures exists, that can
cause an unplanned interruption of business
processes, and what costs accrue due to an
interruption.
Risk:
A risk is the likelihood that an organisation would
face a vulnerability being exploited or a threat
becoming harmful.
Cont …
CA. Rajeev Bansal, Yamuna Nagar
Risk Assessment - Introduction
Vulnerability
 Vulnerability is the weakness in the system safeguards that
exposes the system to threats.
 Missing safeguards often determine the level of vulnerability.
Determining vulnerabilities involves a security evaluation of
the system including inspection of safeguards, testing, and
penetration analysis.
Threats
 A threat is an action, event or condition where there is a
compromise in the system, its quality and ability to inflict
harm to the organisation. Threat is any circumstance or
event with the potential to cause harm to an information
system in the form of destruction, disclosure, adverse
modification of data and denial of services.
Cont …
CA. Rajeev Bansal, Yamuna Nagar
Risk Assessment - Introduction
Attack
 Attack is a set of actions designed to compromise
confidentiality, integrity, availability, reliability or any other
desired feature of an information system. Simply, it is the
act of trying to defeat IS safeguards. The type of attack
and its degree of success will determine the consequence
of the attack.
Exposure
 An exposure is the extent of loss the organization has
to face when a risk materializes. It is not just the
immediate impact, but the real harm that occurs in the
long run. For example, loss of business, failure to
perform the system’s mission, loss of reputation,
violation of privacy and loss of resources.
CA. Rajeev Bansal, Yamuna Nagar
Threats in Computerized Environment

Communi- Theft
cation Failure Errors

Disgruntled
Employee Attacks Power Loss

Malicious Code Natural

Downtime Disaster

CA. Rajeev Bansal, Yamuna Nagar

Risk Management Cycle
Steps:
 Risk Identification

 Risk Assessment

 Risk Mitigation

CA. Rajeev Bansal, Yamuna Nagar

Risk Identification through Questions
 What could go wrong?
 How could we fail?
 What must go right for us to succeed?
 Where are we vulnerable?
 What assets do we need to protect?
 Do we have liquid assets or assets with
alternative uses?
 How could someone steal from the
department?

CA. Rajeev Bansal, Yamuna Nagar

Risk Assessment
 Risks Assessment should be based on Internal
Ratings to each Processes / Activity based on the
risks associated with it.
 Risk Assessment is based on probability which can
be classified as High, Medium and Low. Scores
should be assigned to each probability e.g. High is
assigned 10, Medium is 5 and Low is assigned 2.
 Coupled with Probability, impact should be
included to give a fairer Weighted Average Result to
the processes / activity.
 Each process and activity should be analyzed and
weighted rating should be assigned
CA. Rajeev Bansal, Yamuna Nagar
Responding to Risk – through Risk Mitigants

The analysis of Risk Assessment result gives the

idea regarding total risks associated with Business
Operations. However, the Banks can mitigate few of
the risk thereby decrease the Total Risk proportion.

What are the techniques for Risk Mitigants

Insurance
Outsourcing
SLA (Service Level Agreements)
Change in Processes
Increase in Internal Controls

CA. Rajeev Bansal, Yamuna Nagar

Examples of Few Risks, its Assessment and
Responses / Action for mitigating
Risks Mitigates
Cash Minimum Cash should be kept with
Robbery happens in Morning where Cashier during the said period
staff count is low

Clearing There should be second Level check

Details of Pay-in-slip are not checked for transaction above prescribed
properly with system Generated limit.
report thereby crediting fund in
wrong customer account

Clearing UV checking should be done for

Fraudulent instrument received in cheques above prescribed limit .
collection MICR band verification should be
carried out on MICR system
CA. Rajeev Bansal, Yamuna Nagar
Examples of Few Risks, its Assessment and
Responses / Action for mitigating
Risks Mitigates
Intra Day TOD System will display an error message
Total of IntraDay TOD and SL- DP whenever the total group liability
exceeds the parent limit node exceeds the Parent Limit. The error
cannot be overwritten & hence under
any given circumstances , the total
group liability will not exceed the
Parent Limit
Intra Day TOD A daily irregularity report would be
Account is not regularized before the generated
End of Day ( EOD)

CA. Rajeev Bansal, Yamuna Nagar

Session Overview
Checks & Strategies for Concurrent Auditors

Risk Assessment and Auditors Response to

Assessed Risk

Overview of Information Technology

Security Standards

CA. Rajeev Bansal, Yamuna Nagar

Information Technology Security
Standards
 Every Profession has a unique repository of
knowledge, which lends credence to its
specialization. The knowledge often forms the
basis to define commonly accepted practices.

 IS Audit Standards provide audit professional

a clear idea of the minimum level of
acceptable performance essential to
discharge their responsibility effectively.

CA. Rajeev Bansal, Yamuna Nagar

ISO 27001 – Information Security
Management Standard (ISMS)
 The standards lay down principals of implementing
Information Security Systems within the organization.

 The Standard prescribes documentation for each

action taken for establishment of Management
Control, ISMS Management Procedure, Document
Control etc.

 ISMS focus mainly on Ten (10) areas. Major areas of

focus are Security Policy, Asset Classification &
Control, Access Control, Business Continuity
Management, Compliance etc.

CA. Rajeev Bansal, Yamuna Nagar

Control Objectives for Information
Related Technology (COBIT)
 COBIT is a set of best practices (framework)
for Information Technology management
created by Information Systems Audit and
Control Association (ISACA).

 COBIT covers four domains viz.

 Plan & Organize
 Acquire & Implement
 Deliver & Support
 Monitor & Evaluate

CA. Rajeev Bansal, Yamuna Nagar

Information Technology Infrastructure
Library (ITIL)

 The ITIL is so named as it originated as a

collection of books (standards) each covering
a specific ‘practice’ within IT Management.

 It mainly focuses on IT Service Management.

CA. Rajeev Bansal, Yamuna Nagar

Health Insurance Portability and
Accountability Act (HIPAA)

The HIPAA was enacted by the US Congress in

1996. The Standards are meant to improve the
efficiency and effectiveness of the Nation’s health
care system by encouraging the widespread use
of electronic data interchange in the US Health
care system.

CA. Rajeev Bansal, Yamuna Nagar

Guidance on Control (COCO)
 The “Guidance on Control” report known as
CoCo was produced in 1999 by the Criteria
of Control Board of the Canadian Institute of
Chartered Accountants.

 CoCo does not cover any aspect of

information assurance per se. Coco is
“Guidance”, meaning that it is not intended
as “Prescriptive minimum requirements”

CA. Rajeev Bansal, Yamuna Nagar

 Thank You

CA. Rajeev Bansal

Rajeev Lakshmi Bansal & Co
e-mail: carajeevbansal@yahoo.com

CA. Rajeev Bansal, Yamuna Nagar