Bank Branch Audit Under Computerized Information System Environment CA Sandesh Mundra sandeshmundra@gmail.com

Bank audit under computerised environment



“Bank Branch Audit Under Computerized Information System Environment”

CA Sandesh Mundra

sandeshmundra@gmail.com


“We must be the change we wish to see in the world”

---- Mahatma Gandhi ----

Sandesh Mundra & Associates


If you have gone through THE TIMES OF INDIA, you would know:

1. Almost the entire dubbing of the movie “Race” was erased when a hard disk crashed at Sound City. So our heroes Anil & Saif had to redo the complete sound recording.

2. The US Defence Department has said it is forbidding Google from filming and depicting in detail its military bases.

3. Govt to upgrade hospitals to meet Medical Council of India norms by developing software which would enable better access to books on medicines and better connectivity with other universities across the globe.

4. Ahmedabad Times – “Thinking of what to gift that special woman in your life on International Women’s Day? Forget diamonds, give her a high-tech gadget instead.”

This is just what I could read from scrolling through the paper. So when we are living in a computerised environment, we have no option but to carry out the audit in the same computerised environment.


Structure of Presentation
• Developments in the Banking Sector
• Information System Audit V/s Financial Annual Audit
• Auditing in CIS Environment - AAS 29
• Effect of CIS Environment on Audit
• Potential Risk Areas in Computerized Branches
• Risk Assessment & Internal Control in CIS Environment
• Practical Approach for Effective Audit of Computerized Branches


Q. A mechanical, electrical and computer engineer were riding together to an engineering seminar when the car suddenly began jerking and shuddering. The mechanical engineer said, "I think the car has a faulty carburetor." The electrical engineer said, "No, I think the problem lies with the alternator."


Ans.

The computer engineer said, "I know, let's stop the car, all get out of the car and get back in again!"


Information System Audit V/s Financial Annual Audit

FINANCIAL AUDIT
• Audit Opinion on Financial Statement
• Postmortem Exercise
• Financial Accuracy
• CAAT available is ACL, IDEA, Excel
• IS Audit to some extent Part of Financial Audit

IS AUDIT
• Verification of System Control & Security
• Ongoing & Forward looking Exercise
• System Accuracy
• Output Analyzer, Firewall, Vulnerability assessment tool
• Financial Audit is never Part of IS Audit.


BANKING SECTOR

The IT saga in Indian Banking commenced from the mid eighties of the twentieth century when the Reserve Bank took upon itself the task of promoting automation in banking to improve customer service, book keeping, MIS and productivity. This role played by the Reserve Bank has continued over the years.

• Introduction of MICR based cheque processing – a first for the region, during the years 1986-88


Banking Sector Developments…

• Computerisation of branches of banks – in the late eighties with the introduction of ledger posting machines (LPMs), advanced ledger posting machines (ALPMs), which have paved the way for installation of Core Banking solutions.

• The setting up of the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad in the mid nineties, as a research and technology centre for the Banking sector;

• The commissioning in 1999, of the Indian Financial Network as a Closed User Group. The network supports applications having features such as Public Key Infrastructure (PKI) which international networks such as S.W.I.F.T. are now planning to implement;


Banking Sector Developments…

• Commencement of Certification Authority (CA) functions of the IDRBT for ensuring that electronic banking transactions get the requisite legal protection under the Information Technology Act, 2000;

• Ensuring Information Systems Audit (IS Audit) in the banks for which detailed guidelines relating to IS Audit were formulated and circulated;

• Enabling IT based delivery channels which enhance customer service at banks, in areas such as cash delivery through shared Automated Teller Machines (ATMs), card based transaction settlements etc.;


• Providing detailed specifications to banks on the configuration of systems relating to critical inter-bank payment system applications such as Real Time Gross Settlement (RTGS) System, Negotiated Dealing System (NDS), Centralised Funds Management System (CFMS) etc.

• Setting up connectivity of all clearing houses of the country so as to enable the introduction of the National Settlement System (NSS).

• The Reserve Bank has set out its Vision document which provides a bird’s eye view of the plans for IT development in the medium term, with the required focus on corporate governance. The Vision document has been divided into four major focus areas as follows:
  – IT for regulation and supervision
  – IT and IDRBT
  – IT for the Financial Sector
  – IT for Government related functions


EVOLUTION

BRANCH COMPUTERISATION

MANUAL BANKING

CBS – BRANCH BANKING, ATM, INTERNET BANKING ETC.


Auditing in Computerized Information System (CIS) Environment (AAS – 29)

• Mandatory Nature of AAS
• Effect of CIS Environment on Audit
• Sufficient knowledge (Skill & Competence) – CIS System
• Plan – Supervise – Control – Review
• AAS-9 Using work of an Expert
• AAS-6 Risk Assessment and Internal Control


So we as Chartered Accountants need to act very very smartly……………..


CBS - SOFTWARES

Software Name | Developed / Maintained by | Banks in which Implemented
FINACLE | INFOSYS | PNB, OBC, ICICI etc.
FLEX-CUBE | IFLEX | Kotak Mahindra Bank, YES Bank etc.
B@NKS24 | TCS | SBI Group
PROFILE | SANCHEZ | ING Vysya Bank
Laser Panacea | Laser Soft | Corporation Bank


AAS- 29 (contd)

Satisfaction about:
• Adequate procedures exist to ensure that data transmitted (entered) is correct and complete.
• Cross verification of records
• Reconciliation statements and control system between Primary & Subsidiary Ledger
• Accuracy of computer-compiled records is not assumed.


AAS – 29 (contd)

Documentation
• Audit Plan
• Nature, timing and extent of Audit Procedure performed
• Conclusion drawn from evidence
• Electronic audit evidence also needs to be adequately and safely stored.
• Electronic evidence should be retrievable in its entirety as and when required.


Effect of CIS Environment on Audit

Evaluate the Following Factors
• Extent to which the CIS Environment is used to Record – Compile – Analyze Accounting Info.
• Internal Control in existence with regard to
  – Authorised, Correct and complete data (Input)
  – Processing of data
  – Analysis & Reporting (Output)
• Impact on Audit Trail of Transaction


Risk involved in CIS Environment

• Lack of Transaction Trails – e.g. evidence of application of interest on deposits & advances – System Generated Entries
• Uniform Processing of Transactions – i.e. if an error occurs, it applies to all transactions
• Lack of segregation of incompatible functions – i.e. the same person makes and checks; the same person deals with the customer and creates the Account masters / parameters


Risk involved in CIS Environment

Potential for Errors & Irregularities
• Due to invisibility of data: no visible evidence of unauthorized access to or alteration of data (like a ledger written with pencils)
• Errors in system-handled transactions – no human intervention/observation, hence they remain undetected
• Errors in designing or modification of programs can remain undetected.


Risk involved in CIS Environment

Manual Controls in such system are dependent upon the Computer Generated Report. Any Error in Report will affect even the manual control.

CIS related Fraud

Unauthorized use – to modify, copy or use the data

Internet fraud

System Fraud


Risk Assessment & Internal Control

• Review of latest IS Audit Report.
• Review of Documented Information System Policy
• User Account Management
• Log Register
• User rights assigned on a need-to-know, need-to-do basis
• User login blocked / cancelled for employees who are on leave or transferred


Risk Assessment & Internal Control

Password
• Secrecy about Password, Secrecy of Manager’s Password, Secrecy of Super user Password
• Password changed frequently
• Constitution of Password, i.e. strength of Password is based on length and characters (Numeric, Alphanumeric, Special Character).

Effective User & Password Management will give reasonable assurance that the system is accessed by Authorised Persons
• Maker Checker concept (Dual Control)
• Avoidance of conflicting duties (separate post of System Administrator). The System Administrator should not be involved in day-to-day operations.
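The user account, maker-checker and system administrator controls on the Risk Assessment & Internal Control slides can be tested from a user list and a posting log. The following is an added example, not part of the original presentation; the data is constructed, and the field names, finding codes and the function `review_access` are assumptions for illustration.

```python
from datetime import date

# Constructed sample data (not from the presentation); all field names are assumptions.
USERS = {  # branch user master: user id -> role and login state
    "clerk01": {"role": "clerk", "active": True},
    "clerk02": {"role": "clerk", "active": True},
    "officer01": {"role": "officer", "active": True},
    "mgr01": {"role": "manager", "active": False},
    "sysadmin": {"role": "sysadmin", "active": True},
}
ABSENCES = {  # staff register: user id -> (reason, effective date)
    "clerk02": ("on leave", date(2024, 3, 1)),
    "mgr01": ("transferred", date(2024, 2, 15)),
}
TRANSACTIONS = [  # (txn id, posting date, maker, checker)
    ("T1", date(2024, 3, 4), "clerk01", "officer01"),
    ("T2", date(2024, 3, 5), "officer01", "officer01"),
    ("T3", date(2024, 3, 6), "clerk02", "officer01"),
    ("T4", date(2024, 3, 7), "sysadmin", "officer01"),
    ("T5", date(2024, 3, 8), "clerk01", None),
]


def review_access(users, absences, transactions):
    """Return (reference, finding code, detail) tuples for the auditor to follow up."""
    findings = []
    # Logins that should have been blocked for staff on leave or transferred.
    for uid, (reason, since) in sorted(absences.items()):
        if users.get(uid, {}).get("active"):
            findings.append((uid, "LOGIN_NOT_BLOCKED", f"{reason} since {since}"))
    for txn, posted, maker, checker in transactions:
        # Dual control: every entry needs a checker who is not the maker.
        if checker is None:
            findings.append((txn, "NO_CHECKER", f"maker {maker}"))
        elif checker == maker:
            findings.append((txn, "SAME_MAKER_CHECKER", maker))
        for uid in dict.fromkeys(u for u in (maker, checker) if u):
            reason, since = absences.get(uid, (None, None))
            if since is not None and posted >= since:
                findings.append((txn, "ABSENT_USER_ACTIVITY", f"{uid} {reason}"))
            # The system administrator should stay out of day-to-day operations.
            if users.get(uid, {}).get("role") == "sysadmin":
                findings.append((txn, "SYSADMIN_IN_OPERATIONS", uid))
    return findings


if __name__ == "__main__":
    for ref, code, detail in review_access(USERS, ABSENCES, TRANSACTIONS):
        print(f"{ref:10} {code:24} {detail}")
```

A posting by a user who is recorded as on leave (T3 here) usually points to a shared password, which ties this check back to the password secrecy items above.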


Risk Assessment & Internal Control
• Exceptional Transaction Report is reviewed and verified by the respective department
• Review that alteration of System Parameters and Application Parameters is done by authorised persons only.
• Access to computer rooms is restricted to authorised persons only
• Whether the user logs out of the terminal when leaving the terminal / not on seat
• General maintenance of computer hardware is reasonable
• Whether daily, monthly, yearly, onsite and offsite backup is taken as per HO instruction


Effectively conducting Audit in CIS Environment – Practical Approach

The discussion in the following slides is indicative and not exhaustive.


We CA’s are really practical………


Getting Started
• Taking note of Level of Computerization: CBS – TBA – ALPM
• Get acquainted with the System – through Application Manual, Closing Circulars etc.
• Auditing around computer or Auditing through Computer
• Auditing through computer is not yet possible – why? The database is not made available to auditors, and CAAT tools are not made available. The approach available is auditing with the help of the computer system, i.e. with the help of reports generated from the system.
• Verify the year-end procedure prescribed by HO. Verification of this procedure gives many assurances for the cutoff procedures required to prepare Final Accounts.


Advances

Accounts Master Verification (Test Check)
• Classification – Priority / Non Priority
• Installments, Repayment Terms
• Value of Security
• Drawing Power
• Rate of Interest
• Documentation of Verification of above


Income Verification

• Review the procedure for interest application.
• If the interest application needs to be operated manually, ensure that the interest is applied for each month and for each type/scheme of advances
• No gap of days between two interest applications (i.e. interest is applied for 365/366 days)
• Verify the parameters of interest application, if applicable.
• Verify the parameters of penal interest application
• Review interest application in the fixed/floating interest Term Loan


Income Verification

• Verify the parameters of system collected bank charges: Folio charges, Minimum balance charges, Cheque Book charges, DD Commission etc.
• Test checking of interest manually in case of large accounts and compare with the computer generated amount
• Test checking of other bank charges in a few representative accounts.
• Verify that the modification in interest is carried out as per HO Circular / Instruction throughout the year
• Suggest that the branch should keep documentation of interest application, i.e. on which date interest is applied and with what parameters.


Expenditure Verification

• Review the procedure for interest application.
• No gap of days between two Saving interest applications (i.e. interest is applied for 365/366 days)
• Verify the parameters of interest application.
• Verify that the same is changed from time to time as per HO instruction
• Review the procedure for interest application in case of premature withdrawal of time deposit
• Review interest application in the fixed/floating interest time deposit
• Test checking of interest manually in case of large accounts and compare with the computer generated amount
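The "no gap of days" test on the Income Verification and Expenditure Verification slides can be run over the interest application dates of an account. The following is an added example, not part of the original presentation; it assumes a 1 April to 31 March financial year and constructed run dates, and the function names are hypothetical. It also shows why a plain 365/366 day count is not enough on its own.

```python
import calendar
from datetime import date, timedelta

ONE_DAY = timedelta(days=1)


def monthly_runs(first_day, months=12):
    """Build month-by-month (from, to) interest runs starting at first_day."""
    runs, y, m = [], first_day.year, first_day.month
    for _ in range(months):
        runs.append((date(y, m, 1), date(y, m, calendar.monthrange(y, m)[1])))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return runs


def days_applied(runs):
    """Total days charged across all runs (inclusive dates)."""
    return sum((end - start).days + 1 for start, end in runs)


def coverage_exceptions(runs, year_start, year_end):
    """Return (kind, first_day, last_day) for every GAP or OVERLAP in the year."""
    exceptions, expected = [], year_start
    for start, end in sorted(runs):
        if start > expected:
            exceptions.append(("GAP", expected, start - ONE_DAY))
        elif start < expected:
            exceptions.append(("OVERLAP", start, min(end, expected - ONE_DAY)))
        expected = max(expected, end + ONE_DAY)
    if expected <= year_end:
        exceptions.append(("GAP", expected, year_end))
    return exceptions


# Constructed sample (assumption: financial year 1 April 2023 to 31 March 2024, 366 days).
FY_START, FY_END = date(2023, 4, 1), date(2024, 3, 31)
CLEAN = monthly_runs(FY_START)
FAULTY = list(CLEAN)
FAULTY[4] = (date(2023, 8, 3), date(2023, 8, 31))    # August run started two days late
FAULTY[9] = (date(2023, 12, 30), date(2024, 1, 31))  # January run re-charged 30-31 December

if __name__ == "__main__":
    print(days_applied(CLEAN), coverage_exceptions(CLEAN, FY_START, FY_END))
    print(days_applied(FAULTY))  # same day count as CLEAN, yet the account has exceptions
    for kind, first, last in coverage_exceptions(FAULTY, FY_START, FY_END):
        print(kind, first, last)
```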


Operations
• Whether lien is marked in the system against fixed deposits pledged with the bank
• Whether all the GL Account codes authorised by HO are in existence in the system
• Whether the balance in GL tallies with the balance in the Subsidiary book
  – This is required even in a CBS system.
  – To verify, generate a list of all personal accounts, sum the balances of each type (say, deposits) and compare the total with the Balance Sheet


Operations

Review the day end Report / Exception Report for
• Change in Masters
• New Master Creations
• Changes in Parameters
• Transaction in dormant account
• Debit to Income Head
• Overdue bills and bills return
• Excess/Adhoc Allowed or Temp OD Allowed
• Against clearing Allowed
• Standing Instruction failed in a day
• Debit balance in deposit account


Reports
• CC/OD Balance Report
  – Relevant columns are Drawing Power, Irregularity, IRAC Norms Details Old & New
• Collaterals And Securities - Alert Report For Matured Securities
• Credit Balance In Expense Account
• Transaction Above Threshold Limit
• Demand Loan Irregularity Report
• Exception Report For Interest Rates Variation
• Interest Rate Changes – Loans


Reports
• Report On Irregularity Due To Excess Drawing Statement For Irregular Overdue Loan Ac
• Report On Irregularity Due To Interest Application
• Irregular Cash-credit And Overdrafts Accounts
• Maturing Accounts Amount Discrepancy
• Monthly Return Of Irregular Term Loans
• Report Of Back Value Dated Transactions
• Report On Maturing Securities / Scripts


Reports

The reports generated by the system give a correct picture only when
  – The parameters in Account masters are given correctly, e.g. EMI details, Installment detail etc.
  – The report is generated by giving correct parameters, e.g. date, A/c Number, A/c Type etc.
• Apply analytical tests before relying upon the report
• Understand the details given in the report and the basis of calculation
• When relying upon a System Generated Report, and when the Auditor is reporting in the LFAR or another report on the basis of it, mention the source of information, i.e. the name of the System Generated Report.


The procedures listed hereafter are not exhaustive but suggestive. Stress has been given to those procedures which have some connection with computerized accounting / CBS environment. Other procedures are generally the same under CIS and Non-CIS / Manual environments and are hence not listed.


THANK YOU