IS Audit in Banks

Information Systems Audit in Indian Banks

Bill Gates once said, "For 21st Century Banking is essential not Banks".

The business processes for Indian banking have undergone a paradigm shift with the increasing dependence on Information Technology. The IT has moved from support function to process controller and is still moving forward forming the basis of business operations.

Deployment of technology has not only enabled banks to perform efficiently but also offer flexibility in the services offered. Days of definite banking hours have gone, banking services are available 24x7 through ATM networks and Internet Banking. The productivity has been improved. The vision of Customer of Bank has come true and days are not far when the Bill Gates statement will come true.

However with the introduction of technology new risks and liabilities have been introduced into the system. The threats of virus, hackers, frauds are realizing frequently. Non-availability of services due to failure of power supply and therefore computers, is not unheard of.

There are various reasons for these problems like; absence of Process re-engineering due to deployment of technology, non addressing control structure changes, lack of awareness and training, dependence on vendor and most importantly absence of proper Information systems Audit.

The purpose of this article is to discuss the broad structure of Information Systems and technology audits for Indian Banking.

The Basics.

Traditionally the word audit has been associated with accounts. The dictionary meaning of the word Audit is: "Verification of records of financial transactions and inspecting them for being in accordance with organization's policies and procedures". However today it has broaden its meaning to include all the aspects of business processes to mean the "Verification of processes that originates and puts through the business transactions". The word transaction has also has broad meaning as; "Any input into the process that changes the status of data or provides output". It could be a decision by management, deployment of technology, or providing services to the customer.

What is the difference between Information Systems Audit and Financial Audit?

Automation of systems with the help of Information technology has its own rewards and penalties that have led the financial audit services to take cognizance of it and Information System Audit immerged as a tool to maximize the advantages and to provide a shell for avoidance of disadvantages. However Information System Audit differs from financial and other types of audit.

  • Primary difference is in approach. Financial audit is Post-mortem activity. It verifies the transactions put through the system during predefined period of time. e.g During the previous audit till the date of current audit, or During previous financial year 1st April to 31st March. It focuses on the validity of transactions based on the predefined set of business rules for transaction processing. In other words it verifies the processes in past upto here. The information systems audit focuses on controls in the business process that has been applied through the technology and its impact on the transactions from now and in future.

  • Financial audit focuses on the 'amount transactions' whereas Information System audit focuses on the process of transaction. e.g. The financial audit will focus on the Balance in customer account to understand if the value arrived is accurate or not. The information system audit will focus on the process of computing balance as implemented by software and not the actual value. In short financial audit looks for Quantitative value and Information systems audit looks for Qualitative value.

  • Financial audit can be conducted by ignoring the technology i.e. treating the technology as black box and verifying the input and output for known consistencies. (Also called as "Around the Computer Audit"). Information systems audit cannot be conducted without considering technology.

  • Both the audits can be conducted using CAAT - Computer Assisted Audit Tools and Techniques, but these tools are different in either case. e.g ACL, IDEA, SOFTCAAT etc are examples of Financial Audit CAAT, whereas Output Analyzers, Firewall, Vulnerability assessment tools are CAAT for Information systems audit.

Types of Information systems audits.

Information systems covers various processes associated with the receiving, storing, retrieving, processing, communicating and destroying the information assets of the business. It also covers various technologies converged for enabling deployment of Information processes. e.g. Networked ATMs, Wireless LAN, Interactive Website, Branchless banking (Any Where banking) etc.

The Technology systems that are designed and developed for carrying out the information of and for Banks needs to be deployed very carefully. Traditionally Banks have been subject to attack because "That is where the Money is". The misuse and abuse of banking technology has already been reported worldwide which has brought out various security issues in Technology deployment. Since technology is indifferent in giving services, it the 'man behind machine' that needs to be controlled. The Information systems audits are focused on verification of controls.

Based on the technology deployment there could be various IS Audits. Some of them illustrated below;

  • Software Audit: Audit of the software to be used for the business processes need to be audited before implementation in order to bring out the control weaknesses. Depending upon the acquisition processes there could be different audits viz.
    • Acquired Packaged Software
    • Acquired developed software
    • In-house developed software
  • Implementation Audit: The software needs to be implemented across the business locations for final use of the customers - directly or through employees. Banking application software needs setting of parameters before implementing the software, and also during the use due to changes in the environmental conditions like regulatory and/or statutory requirements etc.
  • Operations Audit: Use of information technology needs to be controlled for preventing misuse/frauds. Hence defining the secure procedures and auditing their compliance is essential. Depending upon the product there could be different operations audits, viz.
    • Branch operations audit
    • ATM operations audit
    • Network administration audits
    • System access audits
    • EDI and remote login audits
    • Software development process audit
    • Software testing audits
  • Firewall and network audits: Where Banks are using the networks that communicates with external entities for information receiving and transmission, a firewall needs to be implemented and audited for ensuring security of communications.
  • Internet banking and web server audits: Internet banking allows the access to the Banks database over the Internet, hence it is essential to protect the access. Firewall can help in preventing unauthorized access, however prevention of misuse by the authorized person is necessary. Audit of Internet Banking focuses on secure procedures of identification, authentication and authorization of users and providing proper access to the data.
  • Business continuity management audits: Business continuity planning and Disaster recovery procedures clubbed and constantly monitored by the business continuity management department. Since the Banks have more than one office located at geographically dispersed areas, the need for BCM is also different for each office/branch. However the audit of accepted process of Business continuity management is essential part of information system audit.
  • PKI Audits: Use of Public key infrastructure is going to be common feature of Banking. Management of private keys issued to the authorized employees and secure storage of the same is essential.
  • Combination audits: There could be combination of one or more audits illustrated above. e.g. EDI audit may consider development and deployment of software, or ATM operations audit may include the implementation audit also.

This is an illustrative list and not the entire domain of IS Audit. Depending upon the need and use of IT, one can define scope for IS Audit.

Standards for IS Audit.

The spread and diversification of use of information technology has really made it difficult to master the complete knowledge of technology. Hence it is essential that a proper skilled and knowledgeable person perform the IS Audit. Information Systems Audit and Control Association (ISACA) has defined the standards for IS Audits to be followed by auditors. These standards, described below in brief, provide the essence of the IS Audit process an auditor needs to follow.

  • Audit Charter
    • Responsibility, Authority and Accountability: The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter. It generally defines the scope of audit also.
  • Independence
    • Professional Independence : In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance. i.e. Auditor should not undertake the assignment where he/she has any interest or have worked on the project earlier.
    • Organizational Relationship: The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit. The auditee management and Audit management should be functionally independent.
  • Professional Ethics and Standards
    • Code of Professional Ethics: The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.
    • Due Professional Care: Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor's work.
  • Competence
    • Skills and Knowledge: The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work. This is true particularly for technology audits since one person cannot master entire gamut of latest technology.
    • Continuing Professional Education : The information systems auditor is to maintain technical competence through appropriate continuing professional education.
  • Planning
    • Audit Planning: The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.
  • Performance of Audit Work
    • Supervision: Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.
    • Evidence: During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
  • Reporting
    • Report Content and Form: The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations and any reservations or qualifications that the auditor has with respect to the audit.
  • Follow-Up Activities
    • Follow-Up: The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.

Risk based audit.

Generally audit process provides the assurance to the management that the auditee is following the procedures defined by the management. However risk-based audit approach goes beyond just compliance scope and tries to evaluate the procedures and non-compliance as potential risk for the organization's information assets. This is more pro-active approach for I S Audit, since because of the nature of technology, procedures might be insufficient or may not consider complex risks.

The auditor analyses the technology and business processes using that technology and prepares a control matrix that points the impact of control on the risk mitigation. It helps in analyzing the management's perception about the risks and can point out possible risk perception discrepancies. A risk initially perceived as minor may actually lead to disaster. e.g. Risk due to virus might be low in case of independent LAN/server, but multiplies in many folds, moment any node is connected to the Internet.
A most proactive approach for the management is to have a Risk management and monitoring program in place implemented through incidence response mechanism.

Outsourcing and Audit.

Deployment of Information Technology is not a main business domain for Banks, hence there is a tendency to outsource many functions to vendor who has capacity and expertise to handle such functions. However since Bank owns the assets handled by the technology provided by vendors, it is prudent to address the security issues before outsourcing. Apart from performance, secrecy and fidelity, continuity etc., auditability of the vendor's processes that are housing the Bank's assets, by the Bank appointed auditor should be the clause in the outsourcing agreement.

Also there should be predefined and agreed upon procedure for monitoring the performance. e.g. if the annual maintenance of Bank's hardware has been outsourced with 99% business hours uptime requirement, the Banks should devise a internal procedure to maintain the record of uptime or downtime of the system. Auditing of compliance of such procedures should be part of operation's audit.

However everything covered by the technology cannot be outsourced. e.g. User Acceptance testing of the acquired developed software cannot be outsourced, since it is the internal business function and the requirements from the software are best known to the bank. Also it has been traditionally proven fact that the software development requirements are never fixed and final, hence the testing vendor will perform the testing only for the specifications provided to the development vendor. Another part that cannot be effectively outsourced is the development of Information Security Policy and procedures, since these needs to be developed taking into consideration the culture of the organization. e.g. Password sharing, if organization do not provide de-learning mechanism where password sharing has been common feature, making policy will be ineffective. Or if the systems administrator has not been given immunity from attending office late, he will share the password in order to avoid creating of record by opening sealed envelope containing his/her password.

Bank may decide to outsource the I S Audit function. In this case it is necessary to ensure that the I S Auditor will be following the standards defined above and have necessary expertise to carry out the audit. The best professionals comes at best cost, hence to define the requirements is the key to get best at competitive prices.

Self Audits.

In order to supplement the audit function banks management may come up Self Audit or Control self assessment by the functional managers. This can be particularly useful in case of operational audits. Considering the geographical spread of bank's technology it may not be possible to follow the 'Workshop method' hence the questionnaire approach is generally used for Self-audits. The point to be noted in the questionnaire approach is that the defining questions should ensure that necessary knowledge is being provided to the functional manager. For example, if the questionnaire asks "whether adequate capacity UPS has been provided?", then the person answering should know, What is adequate capacity? How to ensure it is adequate? Are the UPS acquisition and implementation documents accessible?

Internal IS Audit Function.

Considering the expertise required, Bank may decide not to have internal audit function for the entire technology. Generally the internal auditors with minimum training requirements can handle Operational I S Audits, since these audits mainly focuses on compliance of predefined procedures and inherently has short audit cycle. The properly trained I S auditors should handle complex technological audits that have longer periodicity. The auditors for this can be deployed as and when required, since there may not be a full time workload available. Depending upon the size and spread, it is prudent to build the team of technical auditors starting with small team, to conduct the I S Audits.

Some common confusions.

Based on the RBI's guidelines Indian Banks have implemented IS audit function with help of Internal and external auditors. However there has been some confusion observed in some cases.

The scope of IS audit covers entire gamut of technology and thus proper scope cannot be defined. e.g. an advertisement requested quote for the scope covering Software audit as well as operations audit, but ignored the implementation and conversion audit. Software audit, Implementation audit, conversion audit and operations audit are different types requiring different scope. Conversion audit is mainly financial audit where as other audits are IS audits.
Operations audits are generally considered based upon the internal control questionnaire, which is improper mix of technology audit and financial audit. Actually operations audit can be of two types 1. Banking operations audit in computerized environment and 2. Technical operations audit of Bank/branch. Former is financial audit whereas later is I S Audit.
Operation audit questionnaire has questions covering technology (Does proper access controls provided?) and also banking (Does dormant accounts flagged properly? Or Interest being applied correctly?). Both these questions are irrelevant if Software audit and Implementation audit has been carried out properly. If not the scope need to cover these factors, but the management has not considered the person hour requirements for the same.
Auditor's background also adds to it. An auditor from Banking background tends to point out quantitative errors in technology audit, (e.g. quantum of interest is incorrect) whereas auditor from IT background fails to understand the significance of quantitative indicators in implementation audit. Also there is difference in risks perceived by these two auditors. Former may consider incorrect interest as high risk due to losses, where as later may perceive as low risk due to compensating controls of day book checking.

Conclusion. The information systems have provided enormous leverage to the Banks in improving the services by deploying the technology. However in order to understand and address the risks arising out of use of technology, I S audit has become a necessity and Banks need to address the risks and issues arising out of absence of it. In order to build the internal I S audit function once can start with small department of qualified auditors. In the meantime the I S Audit function can be outsourced to expert vendors with internal auditors working with them.