
IS Inspection

World is Changing: Rapid Transformation Ahead


Banking has gone beyond the digital tipping point. The sector is
gathering momentum towards rapid and wide scale
transformation, driven by both fintech disruptors and a
responding wave of innovation investment from incumbents.

Currently, banks are pursuing competitive advantage through three
paradigms:
• Enhancing and extending enterprise efficiency through
technological transformation
• Improving customer propositions for greater revenue
• Changing culture by providing resources to increase collaboration
and innovation

Trends in Banking in 2016
Trends in Business: Globalization & Competition

Impact on Business in General | Impact on the IT and Finance Function
Increased pace of change | Greater volatility: “real-time” information is a necessity
Increased importance in strategy | Greater importance of finance in strategic decisions
Concentration of Core Competencies | Need for financial evaluation of strategic alliance
Increased complexity of business risk | Enhanced responsibility for managing total business risk like: Credit Risk, Technological Risk, etc.

What is IS Inspection

Independent review and examination of records and activities to
assess the adequacy of system based controls, to ensure compliance
with established policies and operational procedures, and to
recommend changes in controls, policies, or procedures.
Trends Business: Other Drivers

Drivers | Impact on the IT and Finance Function
New Organization Structure and Requirements | Fewer Management Levels; Flatter Organizations
Emergence of Information Economy; Focus on “Real Time”, accurate data | Greater involvement in trend analysis, data interpretation, value-added services
Increasingly important role of Computers/IT in the Business Processes | Automation, centralization of accounting & transaction processing; more scopes for outsourcing

Changing Face of Information Technology (IT)

[Figure: Paperless Bank Trade. Parties shown: Importer (PAKISTAN), Importer's bank, Exporter (Singapore), Exporter's Bank, and 3rd party documents e.g. B/L. Flow labels: original documents; details of export documentation; electronic export documents; payment; LC issued subject to eUCP; EDI; electronic documents created; feeds to assist document creation.]
IT Risks
Internal
• IT Administration
• IT governance
• Internal vulnerabilities of systems
• Security administration
• E-mail control
• Virus control
• Application administration
• Communications-LAN/WAN
• User management
• User support and training
• Disaster recovery planning
External
• Network security
• E-mail security
• Application security
• Privacy
• Internet access
• Virus control
• Communications
• Firewall configuration
• Hackers
Areas covered under IS inspection
IS Governance in the Bank
• Protection of Information Assets
• Logical Access Exposures and Controls
• Network Infrastructure Security
• Environmental Exposures and Controls
• Physical Access Exposures and Controls
• Business Application System Development, Acquisition,
Implementation and Maintenance
• Business Application Development and Maintenance Strategies
• Project Management Tools and Techniques
Business Continuity / Disaster Recovery Planning
• Disaster and disruptive Events and Business Impact Analysis (BIA)
• Selection of Recovery Strategies
• Components of an effective business continuity plan
• Recovery alternatives and Recovery / Continuity Plan Testing
Performing an IS Audit / Inspection
• Techniques for gathering evidence:
  • Review IS organization structures
  • Review IS policies, procedures and standards
  • Review IS documentation
  • Interview appropriate personnel
  • Observe processes and employee performance
• Review Information Assets / Resources of the bank
• Review MIS to ensure the reliability, effectiveness and efficiency
• Assess Internal controls for Confidentiality, Integrity and Availability
• Evaluate system compliance with best international standards and
regulatory instructions
Methodology was based on Control Objectives for Information and
related technologies (COBIT) devised by Information System Audit &
Control Foundation (ISACF), USA
Application Audit
1. Administration:
Focus on the overall ownership and accountability of the
application
• Roles & Responsibilities - development, change approval,
access authorization
• Legal or regulatory compliance issues

2. Inputs, Processing, Outputs: Looking for evidence of data
preparation procedures, reconciliation processes, handling
requirements, etc.
• Run test transactions against the application
• Includes who can enter input and see output
• Retention of output and its destruction

3. Logical Security: Looking at user creation and authorization
as governed by the application itself
• User ID linked to a real person
• Number of allowable unsuccessful log-on attempts
• Minimum password length
• Password expiration
• Password re-usability

4. Disaster Recovery Plan: Looking for an adequate and
performable disaster recovery plan that will allow the application
to be recovered in a reasonable amount of time after a disaster
• Backup guidelines, process documentation, offsite storage
guidelines, SLAs with offsite storage vendors, etc.

5. Change Management: Examines the process that changes to an
application go through
• Process is documented, adequate and followed
• Who is allowed to request a change, approve a change and
make the change
• Change is tested and doesn’t break compliance (determined in
Administration) before being placed into production

6. User Support: One of the most overlooked aspects of an
application
• User documentation (manuals, online help, etc.) - available & up to
date
• User training - productivity, proper use, security
• Process for user improvement requests

7. Third Party Services: Look at the controls around
any 3rd party services that are required to meet
business objectives for the application or system
• Liaison to 3rd party vendor
• Review contract agreement
• SAS (Statement on Auditing Standards) No. 70 - Service
organizations disclose their control activities and
processes to their customers and their customers’
auditors in a uniform reporting format
General Controls
Examining the environment the application exists
within that affect the application
System administration / operations
Organizational logical security
Physical security
Organizational disaster recovery plans
Organizational change control process
License control processes
Virus control procedures
Procedures for Testing and Evaluating IT Controls
Use of generalized audit software to survey the contents of
data files
Use of specialized software to assess the contents of
operating system parameter files
Flow-charting techniques for documenting automated
applications and business process
Use of audit reports available in operating systems
Documentation review
Observation
Inspection report structure and contents

An introduction to the report
The IS Inspection overall conclusion and opinion
Inspection findings presented in separate sections
The IS inspectors' detailed findings in the form of appendices and
annexure
Auditing Around the Computer

The auditor ignores computer processing. Instead, the auditor
selects source documents that have been input into the system
and summarizes them manually to see if they match the output
of computer processing.

Audit around the computer only when:
(a) the audit trail is complete
(b) processing operations are straightforward
(c) systems documentation is complete and readily available
Auditing Through the Computer

The process of evaluating the client’s software and hardware to
determine the reliability of operations that are hard for the human
eye to view, and of reviewing the internal controls in an IT
enabled system.

Audit through the computer with:
(i) audit test data
(ii) parallel simulation
(iii) integrated test facility
II. Auditing Technology for Information Systems
A. Review of Systems Documentation:
The auditor reviews documentation such as narrative descriptions, flowcharts, and
program listings. In desk checking the auditor processes test or real data through the
program logic.

B. Test Data:
The auditor prepares input containing both valid and invalid data. Prior to processing
the test data, the input is manually processed to determine what the output should look
like. The auditor then compares the computer-processed output with the manually
processed results.

C. Integrated-Test-Facility (ITF) Approach:
A dummy ITF center is created for the auditors.
• Auditors create transactions for controls they want to test.
• Working papers are created to show expected results from manually processed
information.
• Auditor transactions are run with actual transactions.
• Auditors compare ITF results to working papers.
Illustration of ITF Approach
[Figure: Computer operations side: actual transactions and ITF transactions are run together through the computer application system against the data files (which include ITF data), producing reports with actual data only and reports with ITF data only. Auditors' side: auditors prepare ITF transactions and expected results, process them manually, and compare the results.]
II. Auditing Technology for Information Systems
D. Parallel Simulation:
The test data and ITF methods both process test data through real programs. With
parallel simulation, the auditor processes real client data on an audit program
similar to some aspect of the client’s program. The auditor compares the results of
this processing with the results of the processing done by the client’s program.
[Figure: Computer operations side: actual transactions are processed by the computer application system, producing the actual client report. Auditors' side: the same actual transactions are processed by the auditor's simulation program, producing the simulation report; the auditor compares the two reports.]
II. Auditing Technology for Information Systems
E. Audit Software: Computer programs that permit computers to be
used as auditing tools include:
1. Generalized audit software: Perform tasks such as selecting sample
data from file, checking computations, and searching files for
unusual items.
2. P.C. Software: Allows auditors to analyze data from notebook
computers in the field.
F. Embedded Audit Routines:
1. In-line Code – Application program
performs audit data collection while it processes data for normal
production purposes.
2. System Control Audit Review File (SCARF) –
Edit tests for audit transaction analysis are included in the program.
Exceptions are written to a file for audit review.
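A SCARF-style embedded audit routine, added here as an example that is not from the original slides: the posting routine does its normal production work while in-line edit tests copy any exception to a separate audit file for later review. The edit rules, thresholds and the day's transactions are constructed assumptions.

```python
"""SCARF-style embedded audit routine (added example, constructed data and
assumed edit rules, not the bank's production code): edit tests run inside
the application as it posts, and exceptions go to a separate file for review."""
import io, json
from datetime import datetime

LARGE_AMOUNT = 10_000.00            # assumed threshold for the edit test
BUSINESS_HOURS = range(9, 18)       # assumed posting window, 09:00-17:59

# Constructed day's transactions: (id, account, amount, posted_at)
TRANSACTIONS = [
    ("T1", "A-100", 500.00, "2016-03-01T10:15:00"),
    ("T2", "A-100", 15000.00, "2016-03-01T11:02:00"),   # large amount
    ("T3", "A-200", 75.00, "2016-03-01T22:40:00"),      # after hours
    ("T4", "A-300", -20.00, "2016-03-01T13:00:00"),     # non-positive
]


def edit_tests(tid, acct, amount, posted_at):
    """Audit edit tests on one transaction; returns the flags raised (empty = clean)."""
    flags = []
    if amount >= LARGE_AMOUNT:
        flags.append("amount_over_threshold")
    if datetime.fromisoformat(posted_at).hour not in BUSINESS_HOURS:
        flags.append("posted_outside_business_hours")
    if amount <= 0:
        flags.append("non_positive_amount")
    return flags


def process_transactions(transactions, scarf_out):
    """Normal production posting with the audit routine embedded in-line:
    every transaction is posted, and flagged ones are also written to the SCARF file."""
    balances = {}
    for tid, acct, amount, posted_at in transactions:
        balances[acct] = balances.get(acct, 0.0) + amount       # production work
        flags = edit_tests(tid, acct, amount, posted_at)         # audit collection
        if flags:
            record = {"id": tid, "account": acct, "amount": amount,
                      "posted_at": posted_at, "flags": flags}
            scarf_out.write(json.dumps(record) + "\n")
    return balances


def run_demo():
    """Process the constructed day; return (balances, parsed SCARF records)."""
    scarf = io.StringIO()           # stands in for the SCARF file on disk
    balances = process_transactions(TRANSACTIONS, scarf)
    return balances, [json.loads(l) for l in scarf.getvalue().splitlines()]
```

Note that the routine never blocks a posting; it only records the exception, which is what distinguishes an audit review file from an application control.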
II. Auditing Technology for Information Systems

G. Mapping: Special software counts the number of
times each program statement in a program executes.
Helps identify code that is bypassed when the bypass is not
readily apparent in the program code and/or documentation.
Questions to be asked
• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices to
control who has access to shared data?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with
accepted industry security practices?
• Have all unnecessary applications and computer services been
eliminated for each system?
• Are these operating systems and commercial applications patched to
current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and
stakeholders ever rehearsed the disaster recovery plan?
Questions to be asked
• Are there adequate cryptographic tools in place to govern data
encryption, and have these tools been properly configured?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level?
How are these records reviewed and who conducts the review?
• Can computers or laptops be picked up and removed from the premises
by visitors or even employees?
• Does the website allow backdoor access into the client database? Can it
be hacked?
• Are long-distance calls restricted, or is it a free-for-all? Should it be
restricted?
• Are spam filters in place? Do employees need to be educated on how to
spot potential spam and phishing emails? Is there a company policy
that outgoing emails to clients not have certain types of hyperlinks in
them?
