Audit in Core Banking System (CBS) Environment
By CA. Nitant Trilokekar
Internet: nptbanking.blogspot.com
Email: [email protected]
Sept 24, 2011
(Source: Audit in CBS Environment 2011.ppt, wirc-icai.org)

Views expressed in this presentation are the personal opinions of the presenter and have no implication on the views or stand of either the Institute of Chartered Accountants of India or the firm with whom the paper reader is associated.

The presentation includes slides which are screen dumps of actual work sites. Certain areas are screened out to protect the confidentiality of the data holder and the clients. They are presented here to show how ‘unbelievable’ circumstances can actually exist. They are not displayed to form an opinion of either the user or the software provider.

Number of audits over the years
1. Statutory Audit
2. Revenue Audit (Income and Exp. Audit)
3. Inspection
4. Snap Audit
5. RBI Audit
6. Foreign Exchange Audit
7. Concurrent Audit (Fall out of big bull operation)
8. Semi annual audit of big branches
9. Information Systems audit

Change in the environment
• Liberalization
  • International Banks
  • Private Sector Banks
• Core Banking
  • Anywhere Banking
  • ATM
  • SMS Banking
  • Internet Banking

Banks have become more technology driven. Technology can no longer remain outside audit purview.

Today’s proficiency demand in a CA
• Income Tax Act
• Companies Act
• Contract Act
• Sale of Goods Act
• Partnership Act
• Excise, Sales tax, Turnover Tax
• Audit Standards
• Etc
• Information Technology Act

What do you mean by CORE BANKING? (50/50 Hint)
A: It is a misspelling. It is Chor Banking
B: Fundamental programming skill is needed for Banking software
C: It covers only Basic Banking functions
D: Problems of connectivity led to core development of networking infrastructure

Answer: C: It covers only Basic Banking functions

Types of IS Audit
• ITGC - Information Technology General Control
  • ISACA - CISA
  • OWASP Risks (The Open Web Application Security Project)
• Network Audit
• VAPT - Vulnerability analysis and Penetration audit

Due to Computerisation what happens to errors vis-à-vis the manual environment? (50/50 Hint)
A: Errors magnify without much notice
B: Errors are few due to Alpha, Beta Testing and UAT
C: Errors are classified as ‘BUGS’
D: Only the programmer is held responsible for the errors

Importance of maintenance
• Enlargement of errors due to automation
  • Loss
  • Data Integrity
  • Confidentiality
  • Lack of availability
  • Poor performance

Application Risk
1. Weak Security
2. Unauthorised access/changes to data
3. Unauthorised Remote Access
4. Inaccurate Information
5. Erroneous or falsified data input
6. Misuse by authorised end users
7. Incomplete processing
8. Duplicate transactions
9. Untimely processing
10. Communications systems failure
11. Inadequate testing
12. Inadequate training
13. Inadequate support
14. Insufficient Documentation

In scope of audits other than Concurrent Audit

1. Weak Security

1. Weak Security (contd.)

Programmers’ password should be in the launched application to permit emergency action. Is this correct practice? (50/50 Hint)
A: Yes. A developer’s password helps even if the team changes
B: Programmers have access only till complete sign off
C: Programmer is a Doc who heals so access at all times is useful
D: Programmers should not have access to ‘on-site’ applications

• Levels of Authorisation
• Programmers access restriction after launch
• File/Database access restriction
• Network restriction

2. Unauthorised access/changes to data
• Network restriction
• Operating system restriction (launch application system after login)

Understanding CBS
[Network diagram: Central Office with Central Giga Switch; Application & Database servers at DC; Back-up server at DR Centre; Giga Switch; 2 MBPS Connectivity; E1 Links; ISDN Backup 128 Kbps (2); Router]

3. Unauthorised Remote Access
[Diagram: VPN layout; Cisco routers - encryption]

After all the Alpha and Beta testing and UAT, is there any possibility of wrong reports or inaccurate results from the application system? (50/50 Hint)
A: No. So much testing eliminates such a possibility.
B: The possibility exists.
C: Only when the tests are actually not done, there is a possibility.
D: When the programmers are testers, there is a possibility.

4. Inaccurate Information
• End user not understanding data features
• Download of data for further processing
• Link of different databases
• Departmental databases with different time frames
• Resultant failure to communicate information to chief decision maker

5. Erroneous or falsified data input
• Field validation (date/number/decimals)
• Validation of manually processed entry
• Validation of parameters used for processing (interest rate)
• Processing control (double processing)
• Database link management

Major allowed to open minor account

Usually done at branch level
• New account opening
  • Account IS opened without cash
  • filled by branch (KYC)

6. Misuse by authorised end-users
• Access authorised but objective not in line with delegated duty
• Aiding Industrial espionage
• Victim of social networking
  • Off line
  • On line
  • Misrepresentation

Dummy accounts are fraud conduits also

Account Master confirms

Can interest application of just one department of one branch be skipped in CBS? (50/50 Hint)
A: Impossible
B: If manually triggered per department it is possible
C: If the department does not exist at time of coding
D: Accidentally possible

Can interest application be skipped?

7. Incomplete processing
Batch processing based error
• File not processed
• Transaction(s) not processed
• Timing mismatch of process trigger
• Data out of range (loop limitation)

8. Duplicate Transaction processing
• Non set up of validations before process trigger
• Multiple database links most vulnerable
• Error correction routines not accommodated for processes already done in the intervening period
• Non validation of entry data

Can any entry be passed in a closed account of a depositor in a CBS? (50/50 Hint)
A: Impossible
B: Manual control is needed
C: Possible
D: Accidentally possible

ECS credit given to closed a/cs

Cash accepted in closed a/c - 1

Cash accepted in closed a/c - 2

A/c closed with Balance = Non tallied books of account

9. Untimely Processing
• Cut off time mismatch
• Manual intervention of transaction files
• Manipulation of system clock for some other legitimate purposes/hardware problem

When Basic Banking is ignored, system cannot help the user.
1. TOD of Rs. 2 lacs is granted in SB account.
2. Account is overdrawn by Rs. 8,000.
3. Account is not operational since 29/3/2007. Last credit in account is on 22/3/2007. As on inspection date, nearly 5 months have elapsed. Since this facility is granted in savings account, the warning for health deterioration cannot be obtained from the system.
4. Account is in Debit from 2/3/2007. TOD interest is charged on 31/3/2007 and 30/6/2007. It was not charged at monthly intervals.

This account is classified as NPA from 31/3/2007. Yet the account continues in the status of ‘Normal/Operative’. Due to this, interest and other charges continue to be debited to this account in violation of the RBI rules on the subject.

In a Core Banking environment, if one or more of the branches are not able to network with the DC, can the DC close books of the Bank for the day? (50/50 Hint: Day end for Bank means entry cannot be re-entered for the same day later.)
A: No. The entries will not be completed. (eg. Interbranch)
B: The non-connected branches are ignored for day closure
C: Data is re-entered in nearest branch and then day end is executed.
D: After the branches are connected, the day end is done again.

What do you call the place where all the Bank’s computer servers are kept? (50/50 Hint)
A: Server Farm
B: Data Centre (DC)
C: Network Operating Centre (NOC)
D: All of the above

Answer: D: All of the above

Will the Auditor be held liable in case of Gross System Related errors? (50/50 Hint)
A: Only if the CA is DISA
B: Not liable if it is a programming error
C: Liable
D: Not liable in case of Network related errors/frauds

Answer: C: Liable

Which Committee Report of Reserve Bank is the determining report for IS Audit? (50/50 Hint)
A: Jalani Committee Report
B: Tandon Committee Report
C: Chitale Committee Report
D: Marathe Committee Report

Answer: A: Jalani Committee Report

Which Committee Report of Reserve Bank is mentioned as reference in the book by Trilokekar? (50/50 Hint)
A: Ghosh committee Report
B: Burman Committee Report
C: Talwar’s Committee Report
D: Marathe Committee Report

Answer: B: Burman Committee Report

Basic KYC missing – no excuse

CBS = ABB ∴ Signatures imp.

Transaction processing
• Exception reports
• Make sure some type of errors are given high error status
• Does anybody check whether all eligible accounts are processed for interest or charges?
• Was the interest master changed as indicated in the circular of HO?
• Is the ATM cash tallied daily or who is doing it?

Some tips for Bank auditor
• New accounts opened – view account statement for money laundering.
• Cash register: report above particular amount.
• Ensure that the NPA accounts do not impact the P&L account of the branch. (see next slide)
• Survey the cheque return register using the available filter.

Closed accounts with balances

Difference in General Ledger (Current)

See it to believe it – but ignored
[Screenshot caption:] Clearly given by the software. Yet Bank officials, statutory auditors .. all ignore it. BOOKS ARE NOT BALANCED
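As an added example (not from the presentation or any CBS vendor), the exception checks raised on the duplicate-transaction, closed-account, NPA and interest-application slides and in the auditor's tips above, run over a constructed account master and transaction file; the account numbers, statuses, amounts and run references are invented for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the presentation): a slice of the account
# master and one day's transaction file, as an auditor might export them.
ACCOUNTS = {
    "SB001": {"status": "CLOSED", "closed_on": date(2011, 3, 1), "balance": 1500.0, "npa_since": None},
    "SB002": {"status": "OPEN", "closed_on": None, "balance": 25000.0, "npa_since": None},
    "SB003": {"status": "OPEN", "closed_on": None, "balance": -200000.0, "npa_since": date(2007, 3, 31)},
    "SB004": {"status": "OPEN", "closed_on": None, "balance": 9000.0, "npa_since": None},
}
# Each transaction: (account, value date, type, amount, reference)
TRANSACTIONS = [
    ("SB001", date(2011, 9, 20), "ECS_CR", 4000.0, "ECS-778"),   # ECS credit to a closed account
    ("SB002", date(2011, 9, 20), "CASH_DR", 500.0, "CHQ-101"),
    ("SB002", date(2011, 9, 20), "CASH_DR", 500.0, "CHQ-101"),   # same entry posted twice
    ("SB003", date(2011, 9, 30), "INT_DR", 3200.0, "INTQ-3"),    # interest debited to an NPA account
    ("SB002", date(2011, 9, 30), "INT_CR", 90.0, "INTQ-3"),
]

def closed_accounts_with_balance(accounts):
    """Closed accounts whose balance is not zero: the books cannot tally."""
    return sorted(a for a, m in accounts.items()
                  if m["status"] == "CLOSED" and m["balance"] != 0)

def postings_to_closed_accounts(accounts, txns):
    """Entries (ECS, cash, ...) value-dated after the account was closed."""
    return [t for t in txns if accounts[t[0]]["status"] == "CLOSED"
            and t[1] > accounts[t[0]]["closed_on"]]

def duplicate_transactions(txns):
    """Identical (account, date, type, amount, reference) tuples posted more than once."""
    return sorted(t for t, n in Counter(txns).items() if n > 1)

def interest_charged_on_npa(accounts, txns):
    """Interest debits after the NPA date, which should not flow into the branch P&L."""
    return [t for t in txns if t[2] == "INT_DR"
            and accounts[t[0]]["npa_since"] is not None
            and t[1] > accounts[t[0]]["npa_since"]]

def accounts_skipped_in_interest_run(accounts, txns, run_ref):
    """Eligible (open, non-NPA) accounts with no entry carrying the interest run's reference."""
    eligible = {a for a, m in accounts.items()
                if m["status"] == "OPEN" and m["npa_since"] is None}
    processed = {t[0] for t in txns if t[4] == run_ref}
    return sorted(eligible - processed)
```

Each function returns the exceptions for one slide's question, so the same checks can be re-run against a fresh export at every inspection date.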

Thank you

Q & A?