Information System Audit in Indian Banks

CA Bharatish Ballal

Information systems and audit

Information itself is an important asset in today’s business. If information is lost,

modified, misused huge loss can occur to business. Hence information security
becomes important for any business.

Information system in business including that of banking is becoming technology

oriented. Computers are being used in all the areas of business including that of
financial accounting.

Internal controls used in a Computerized Information System (CIS) environment

should aim at information security also. This aspect of internal control is mostly
overlooked in a Financial Audit where evidence collection and evaluation is more
important.
Audit provides the assurance to stakeholders of business. Assurance provided by a
financial audit is about financial statements, which are relied upon and based on
which decisions are taken by many stakeholders. However there are risks associated
in any business, which is not highlighted in a financial audit.

Operational Risk and Audit

For example Basel II Accord mentions of ‘operational risks’ that are due to failure of
system, process, procedure and human action/inaction (fraud) and legal restrictions,
etc. in the operation of banks, some of which are not dealt in financial audit.
The Basle committee has identified people, processes, systems and external events,
as potential hazards for operations. Inadequacy and failure of any of them can result
into events, which cause losses. Every business has to identify events of their
relevance. The events may be similar in the same industry, but vary from an
organization to organization. The whole exercise of the operational risk management
is to identify potential events, which are likely to cause losses. Here is a list of
some of the events, which could lead to operational risk (non exhaustive):
Technology error
• Fraud and theft
• Legal, Regulatory non compliance,
• Transaction risk

Processes, people and systems are closely linked with information systems. Even
measurement and recognition of external events need information systems.
Therefore, under the new Accord, the job of an audit and control practitioner shall
become more onerous and challenging.

Therefore a financial audit cannot assure that the information system is foolproof as
financial auditor is not expert in information technology. Hence an expert should
provide an opinion that information system is risk-free. This is where Information
System Audit (IS Audit) comes into picture.

Meaning of IS audit

Information systems audit is a part of the overall audit process, which is one of
the facilitators for good corporate governance. While there is no single universal
definition of IS audit, Ron Weber has defined it as "the process of collecting and
evaluating evidence to determine whether a computer system (information
system)

• Safeguards assets

• Maintains data integrity

• Achieves organizational goals effectively and

• Consumes resources efficiently."

Key Challenge in IS Audit

IS audit often involves finding and recording observations that are highly
technical. Such technical depth is required to perform effective IS audits. At the
same time it is necessary to translate audit findings into vulnerabilities and
businesses impacts to which operating managers and senior management can
relate. Therein lies a main challenge of IS audit.
Scope of IS Audit

IS auditing is an integral part of the audit function because it "supports the

auditor's judgment on the quality of the information processed by computer
systems." Initially, auditors with IS audit skills are viewed as the technological
resource for the audit staff. The audit staff often looks to them for technical
assistance. Within IS auditing there are many types of audit needs, such as
• Organizational IS audits (management control over information
technology),
• Technical IS audits (infrastructure, data centers, data communication),
• Application IS audit (business/financial/operational),
• Development/implementation IS audits (specification/ requirements,
design, development and post-implementation phases)
• Compliance IS audits involving national or international standards.
The IS auditor’s role has evolved to provide assurance that adequate and
appropriate controls are place. Of course, the responsibility for ensuring that
adequate internal controls are in place rests with management. Audit’s primary
role, except in areas of management advisory services, is to provide a statement
of assurance as to whether adequate and reliable internal controls are in place
and are operating in an efficient and effective manner. So, whereas management
is to ensure, auditors are to assure. The breadth and depth of knowledge
required to audit information technology and systems is extensive. For example,
IS auditing involves the:
• application of risk-oriented audit approaches
• use of computer assisted audit tools and techniques(CAATs)
• application of standards (national or international) such as ISO-9000/3 to
improve and implement quality systems in software development
• understanding of business roles and expectations in the auditing of
systems under development as well as the purchase of software
packaging and project management
• Evaluation of complex Systems Development Life Cycle (SDLC) or new
development techniques (e.g., prototyping, end-user computing, rapid
systems or application development).
 • Evaluation of complex technologies and communications protocols
involves electronic data interchange, client servers, local and wide area
networks, data communications, telecommunications and integrated
voice/data/video systems.

Elements/components of IS Audit

An information system is not just a computer. Today's information systems are

complex and have many components that piece together to make a business
solution. Assurances about an information system can be obtained only if all the
components are evaluated and secured. The proverbial weakest link is the total
strength of the chain. The major elements of IS audit can be broadly classified:

1. Physical and environmental review--This includes physical security, power

supply, air conditioning, humidity control and other environmental factors.
2. System administration review--This includes security review of the operating
systems, database management systems, all system administration procedures
and compliance.
3. Application software review--The business application could be payroll,
invoicing, a web-based customer order processing system or an enterprise
resource planning system that actually runs the business. Review of such
application software includes access control and authorizations, validations, error
and exception handling, business process flows within the application software
and complementary manual controls and procedures. Additionally, a review of
the system development lifecycle should be completed.
4. Network security review--Review of internal and external connections to the
system, perimeter security, firewall review, router access control lists, port
scanning and intrusion detection are some typical areas of coverage.
5. Business continuity review--This includes existence and maintenance of fault
tolerant and redundant hardware, backup procedures and storage, and
documented and tested disaster recovery/business continuity plan.
6. Data integrity review--The purpose of this is scrutiny of live data to verify
adequacy of controls and impact of weaknesses, as noticed from any of the
above reviews. Such substantive testing can be done using generalized audit
software (e.g., computer assisted audit techniques).
It is important to understand that each audit may consist of these elements in
varying measures; some audits may scrutinize only one of these elements or
drop some of these elements. While the fact remains that it is necessary to do all
of them, it is not mandatory to do all of them in one assignment. The skill sets
required for each of these are different. The results of each audit need to be seen
in relation to the other. This will enable the auditor and management to get the
total view of the issues and problems. This overview is critical.

Features of IS Audit in banks

The significance of IS Audit has been considered by RBI and has made
mandatory now for all computerized banks to get their system audited by an
Information System Auditor. RBI has stipulated that such IS Auditor should have
adequate qualification like CISA of ISACA of US or DISA of ICAI (The Institute of
Chartered Accountants of India)
RBI also has provided a checklist of such IS Audits to be undertaken by IS
Auditors of Banks
Most of the Indian Banks have entrusted the job of IS Audit to qualified persons.
IS Audits in banks are basically categorized into
• Core IS Audits
• Non-Core IS Audits
• Migration audits
o Pre-migration
o Post-migration
• ATM audits
In a Core IS Audit done at Centralized Data Center level .Entire Information
System of bank is audited. All the aspects of IS Audit explained in the earlier
sections are attended by the IS Auditor
Non-core IS audit done at branch level of a bank and only branch transactions
are checked. Physical security controls at the branch are checked to the fullest
extent. Controls as to password management at the branch level are also
checked. Other aspects as to operating system or packages are checked only for
the changes in parameters at branch level.
In a pre-migration audit, usually before migration to Core Business Solution
(CBS) environment, IS auditor verifies the integrity of data being transferred to
CBS
In a post-migration audit, usually done by a person not involved in CBS
implementation, integrity of data transferred to CBS are verified
In ATM audits, only the security of ATM and integrity of its processing is verified
by the IS auditor.
Non-core audits, ATM audits at branch level are some times covered by branch
financial auditors, concurrent auditors or inspectors or even by statutory auditors
at present in many banks.

Shortfalls in the present information system audits at branch level in Indian banks

Many a deficiencies are noticed in the present system of IS Audit. Some of

these can be categorized as follows.
• Some of the branches in Indian banks still have legacy systems and
hence entire system is not fully integrated into CBS, thus creating lot of
interface and integrity problems. IS audits do not cover entire system in
such situations and are not effective.
• Most of the branches of many banks have migrated to CBS environment
with Big Bang approach without proper planning and in a haste, which
has created lot migration problems and most importantly inconvenience to
customers. Some of the IS audits conducted do not cover such migration
problems.
• Most of the CBS vendors have implemented packages that are not suited
to Indian conditions making it difficult for the employees at branch level to
clearly understand the implication of each and every operation in CBS. IS
auditors some times are not fully aware of the intricacies of the System.
• The training provided to employees at branch level is inadequate,
particularly with reference to security aspects of information system. IS
auditors observation in such cases need not fix accountabilities.
• Support provided by the CBS vendors, external agencies, and service
providers is also not satisfactory in many cases. In the absence of such
 support the deficiencies observed need not fix accountabilities on
employees.
• In nutshell, it can be said that IS audit has become more of a compliance
exercise, particularly at branch level in banks.

Need for a holistic approach to IS Audit in branches of banks

It seems Managements of banks totally rely on the Vendors as to security

aspects of information systems even at branch level. However time and again
it has been proved that information system is vulnerable to any kind of
attacks from any corner of the world. The weakest link might in any branch of
a bank.
The feedback or action taken with reference to observations by IS Auditors is
not prompt indicating the negligent attitude to such audits by banks. There is
a need to make banks understand the importance of such audits in branches.
Instead of conducting many types of computer audits or IS Audits, banks can
undertake only one complete IS audit which would bring out the correct
situation as to information system security and efficiency and effectiveness at
branch level.
The CBS vendors should interact with branches where real action takes place
instead at Corporate Offices or Board Rooms, so that their software really
becomes user friendly and effective.

Conclusion

As mentioned earlier the key challenge in IS audit is to translate audit findings

into vulnerabilities and businesses impacts to which operating managers and
senior management can relate.

The information system in banks is bound to become more complex. The

need for information system security is going to be acute with more
vulnerabilities surfacing. The demand for information system audit would be
on the rise. The role of Information System Auditor will become more
significant for banks. Hence the findings of IS Auditor would have to be
translated into vulnerabilities or impacts on businesses that branch managers
or Management of the bank consider and act upon. This requires a more
holistic and integrated approach to IS audit than just ticking a checklist.