Audit in CBS Environment
Session by: CA. Sanjay Gupta, Delhi
Sanjay Gupta FCA, DISA, CRISC

Disclaimers
• These are my personal views and cannot be construed to be the views of the ICAI or Regional Councils of ICAI.
• These views do not and shall not be considered as professional advice.
Session overview
• Banking Infrastructure
• Core Banking System [CBS]
• Controls in CBS
• Audit Processes with the use of Technology
• Audit Checks & Strategies

Banking Infrastructure
• Hardware
  – Network
  – PCs
  – ATMs
  – Cash Vending Machines
  – Cheque Collection Machines
• Software
  – Basic Software / Operating Systems
  – Special Purpose and Approved Utility Software
  – Firewall & Intrusion Detection System
• CBS Support
  – Whether outsourced?
  – Monitoring of intrusions / unauthorized installations

What is CBS?
• “CORE” stands for “centralized online real-time environment”. In a nutshell, it means that all the bank’s branches, service outlets (automated or manual) and back offices access the application from centralized data centers.
• The core banking system is the set of basic software components that manage the services provided by a bank to its customers through its branches (branch network). The bank’s customers can make their transactions from any branch, ATM, Internet or phone channel at their disposal.

What is CBS?
• The CBS is based on Service-Oriented Architecture (SOA). It helps banks reduce the risk that can result from manual data entry and out-of-date information. It also helps banks improve service delivery quality and time to their customers.
• The software is installed at different branches of the bank and then interconnected by means of communication lines such as telephone, satellite, internet, etc.

What is CBS?
• Technology research company Gartner defines a core banking system as a back-end system that processes daily banking transactions and posts updates to accounts and other financial records. Core banking systems typically include deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools. Strategic spending on these systems is based on a combination of service-oriented architecture and supporting technologies that create extensible and agile architectures.

What is CBS?
• Advantages:
  – Multi-channel (internet, phone) support
  – Multi-currency support
  – Multilingual support
  – High scalability
  – Architecture cut into reusable modules

What is CBS?
List of a few Core Banking Systems in India and the world over:

| Package | Provider |
| --- | --- |
| Finacle | Infosys |
| FLEXCUBE | Oracle Financial Service Software (by iflex) |
| TCS BANCS | Tata Consultancy Services (TCS) |
| Alnova Financial Solutions | Accenture / Alnova |
| SAP Banking Services | SAP AG |

Controls in CBS
• Internal controls are embedded in the CBS at the data entry level (through validations) and also at the processing level. Apart from this, the bank prescribes certain manual controls to be adhered to by bank officials. Hence, it is the combination of both manual and automated controls which makes a safe system.
• As auditors, our duty is to identify the areas and controls which are not consistent with the legal framework / the bank’s policy.

Controls in CBS
• Various types of controls are embedded at various levels in the CBS. To name a few:
  – Application Controls
  – IT Administrative Controls & Security
  – System Development Controls

Controls in CBS – Application Control
• Authorization of a transaction as per delegated authority
• Data input (validation) controls
• Accessibility of software areas as per employee grade / powers
• Product-level controls
  – Prefixed financial parameters (like interest rate, penal interest rates)
  – Fixed tenure (pre-defined terms for fixed deposits / service types: principal and interest repayment type and periodicity)
  – Tax and regulatory compliance
  – Controlled error handling through Warning, Exception and Error

Controls in CBS – IT Admin. Control & Security
• Controls are associated with processing activity
• Allows a user to use the software as per the Access Rights Table
• Confirmation / prior authorization for any outside software installation
• To ensure encryption of data
• To ensure no changes are effected in IT hardware
• Logical access controls
  – Access to system / menu as per the category and type of branch / SOL
  – Single sign-on for all applications
  – Maker & Checker control
• Security policies for all IT assets (incl. hardware, software, databases, etc.)

Controls in CBS – System Development Controls
• Testing and program acceptance controls
• Amendments to programs and maintenance of SOPs w.r.t. source code
• Generation of audit trail
• Maintaining edit history
• Transaction tracking system
Audit Processes & Use of Technologies
• Posers:
  1. Why do audit processes require a drastic change as compared to the traditional approach?
  2. What are the changes in the banking industry which make the traditional audit approach a toothless weapon?
  3. Under such a scenario, what should be the auditors’ approach?
  4. Which techniques / technologies are to be used?
  5. After the What and Why analysis, the question that comes to mind is: “But how to go ahead?”

Audit Processes & Use of Technologies
• Why do audit processes require a drastic change as compared to the traditional approach?
  – Traditional audit approach:
    · Verification of documents physically
    · Availability of hard copies for each transaction
    · Number of transactions for audit

Audit Processes & Use of Technologies
• What are the changes in the banking industry which make the traditional audit approach a toothless weapon?
  – The number of transactions has risen sharply
  – The complexity and variety of transactions are increasing at a rapid speed
  – Increased compliance requirements

Audit Processes & Use of Technologies
  – Use of CBS:
    · Processing is completely automated. Hence, a manual error in a master data update has a huge effect on all the transactions of the same kind.
    · Processing is not visible
    · Lack of discipline in access control
    · Lack of training for the new software environment
    · Audit trail may not be visible for all types of transactions
    · Security aspects not verified / implemented properly

Audit Processes & Use of Technologies
• Under such a scenario, what should be the auditors’ approach?
  – Substantive and compliance testing
  – Verification of transactions as well as controls
  – Verification of system-generated reports
  – Generation of special-purpose reports based on exception logic through the use of SQL
  – Collection of data from the CBS to verify the number and nature of transactions processed during a period

Audit Processes & Use of Technologies
Broadly, there are 3 main types of data files:
1. The transaction file, which contains the transactions of the bank.
2. The master file, which contains the information on items needed at transaction time; thus, details like borrower / depositor (name, address, etc.) are in the master file.
3. Parameter files, which contain ‘control’ elements to avoid a high frequency of changes. Thus the interest rate, TDS rate and service tax rate, which are known to change frequently, will be in a set of files known as ‘parameter files’.
Master files and parameter files should be checked under any audit, as these are sensitive areas for fraud and leakages.

Audit Processes – Operational Controls
• Start with SOD!
• Whether all accounts (opening & closing) are duly authorized.
• Whether officials from outside the branch have authority to record transactions in the branch books?

Audit Processes – Operational Controls
• Whether the account master and balance can be modified / amended / altered except by authorized personnel?
• Whether the Beginning of the Day and End of the Day register is maintained? Whether time is properly entered, and time and date are normal and during office hours only?
• No operation on holidays!
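An added example (not from the original slides) of a special-purpose exception report built with SQL, applied to the office-hours, holiday and Maker & Checker checks listed in this deck. The table layout, user IDs, holiday list and the 10:00 to 18:00 office hours are constructed assumptions, run against an in-memory SQLite database rather than a real CBS extract.

```python
import sqlite3

# Constructed sample data: the schema, IDs, holiday and office hours below are
# assumptions for illustration, not a real CBS extract.
SCHEMA = """
CREATE TABLE txn (txn_id INTEGER PRIMARY KEY, sol_id TEXT, posted_at TEXT,
                  maker_id TEXT, checker_id TEXT, amount REAL);
CREATE TABLE holiday (day TEXT PRIMARY KEY);
"""
SAMPLE_TXNS = [
    (1, "B001", "2024-01-24 11:15:00", "U101", "U202", 25000.0),  # normal
    (2, "B001", "2024-01-24 21:40:00", "U101", "U202", 90000.0),  # after hours
    (3, "B001", "2024-01-26 12:05:00", "U103", "U202", 15000.0),  # on a holiday
    (4, "B001", "2024-01-25 10:30:00", "U104", "U104", 48000.0),  # maker = checker
    (5, "B001", "2024-01-25 14:00:00", "U105", None, 5000.0),     # never authorised
]
SAMPLE_HOLIDAYS = [("2024-01-26",)]

# One SELECT per exception rule, so a transaction can be reported under several.
EXCEPTION_SQL = """
SELECT txn_id, 'HOLIDAY' AS reason FROM txn
 WHERE date(posted_at) IN (SELECT day FROM holiday)
UNION ALL
SELECT txn_id, 'OUTSIDE_OFFICE_HOURS' FROM txn
 WHERE time(posted_at) NOT BETWEEN :open AND :close
UNION ALL
SELECT txn_id, 'NOT_AUTHORISED' FROM txn WHERE checker_id IS NULL
UNION ALL
SELECT txn_id, 'MAKER_IS_CHECKER' FROM txn WHERE checker_id = maker_id
ORDER BY txn_id, reason
"""

def build_sample_db():
    """Load the constructed sample into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO txn VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_TXNS)
    conn.executemany("INSERT INTO holiday VALUES (?)", SAMPLE_HOLIDAYS)
    return conn

def exception_report(conn, open_time="10:00:00", close_time="18:00:00"):
    """Return [(txn_id, reason)] for every transaction that breaks a rule."""
    params = {"open": open_time, "close": close_time}
    return conn.execute(EXCEPTION_SQL, params).fetchall()

if __name__ == "__main__":
    for txn_id, reason in exception_report(build_sample_db()):
        print(txn_id, reason)
```

Each flagged row is a lead for substantive testing, not a finding by itself: the auditor still traces it to the voucher and the authorization record.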

Audit Processes – Operational Controls
• Whether the records of errors arising during the daily operations are reported? And how are they being rectified?
• Whether dummy accounts created using master creation still exist in the branch?
• A sample verification of SDRs / FDRs should be carried out to ascertain whether lien is marked on such deposit receipts in the system.
• Availability of command prompt (Run – cmd)
• Access to group policies (gpedit.msc) is restricted.
• Access to Control Panel should be denied.

Audit Processes – Operational Controls
• Peruse the access control matrix
  – Password management and history
• Cross-verify the same with the actual number of users in the search in the branch
  – Inactive user IDs and guest IDs
• Review the process of activation of users
• What about users transferred to other branches?
• Review access logs
• Special emphasis on unsuccessful logon attempts
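An added example (not from the original slides) of the user-ID review described above: it cross-verifies the IDs enabled at a branch against the staff roster to surface inactive, generic and transferred users, and counts unsuccessful logons per ID. The user IDs, branch codes, log line layout, the 90-day idle limit and the threshold of three failures are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data; not taken from any real CBS or HR system.
ACCESS_MATRIX = {  # user_id -> (SOL where the ID is enabled, last successful login)
    "U101": ("B001", "2024-01-24"),
    "U102": ("B001", "2023-09-02"),   # no login for months
    "U103": ("B001", "2024-01-23"),   # transferred to B007 per roster
    "GUEST": ("B001", "2024-01-20"),  # generic ID, no named owner
    "U109": ("B001", "2024-01-22"),   # not on the roster at all
}
HR_ROSTER = {"U101": "B001", "U102": "B001", "U103": "B007"}  # staff -> current branch
ACCESS_LOG = """\
2024-01-24 09:58:11 U101 LOGIN_FAIL
2024-01-24 09:58:40 U101 LOGIN_OK
2024-01-24 19:02:40 U103 LOGIN_FAIL
2024-01-24 19:02:55 U103 LOGIN_FAIL
2024-01-24 19:03:10 U103 LOGIN_FAIL
"""

def review_user_ids(matrix, roster, branch, as_of, max_idle_days=90):
    """Return {user_id: [findings]} for IDs enabled at `branch`."""
    findings = {}
    for user, (sol, last_login) in matrix.items():
        if sol != branch:
            continue
        issues = []
        if user not in roster:
            issues.append("GENERIC_OR_UNKNOWN_ID")
        elif roster[user] != branch:
            issues.append("TRANSFERRED_TO_" + roster[user])
        if (as_of - date.fromisoformat(last_login)).days > max_idle_days:
            issues.append("INACTIVE")
        if issues:
            findings[user] = issues
    return findings

def failed_logons(log_text, threshold=3):
    """Return {user_id: count} for IDs with at least `threshold` failed logons."""
    fails = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "LOGIN_FAIL":
            fails[parts[2]] += 1
    return {user: n for user, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    print(review_user_ids(ACCESS_MATRIX, HR_ROSTER, "B001", date(2024, 1, 25)))
    print(failed_logons(ACCESS_LOG))
```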

Audit Processes – Physical Controls
• Router / modem / network equipment: entry restricted to Branch Manager / authorized personnel
• Ensure floppy / pen-drive access is not allowed on nodes (unless required)
• Hardware Access Register
• Software Patch Application Register
• PCs having internet access should be separate from CBS computers
• ATM cards / password envelopes are stored in a secured area under double lock