Bank Audit in Computerised Environment: An Illustrative Checklist

This Annexure is divided in two parts, viz., Part I deals with Bank Audit in Computerised Environment while Part II deals with Automatic Teller Machines. The checklists given herein do not form part of the Guidance Note and are only illustrative in nature. Members are expected to exercise their professional judgement in using them, depending upon the facts and circumstances of each case.

Existing Installation

Auditors need to verify the system software and version being operated at the Branch. It is advised to obtain the licensed copy of the software along with the documentation provided by the vendor and compare the same with the software running in the live environment. To carry out the verification, the auditor may look into the following:

a) The software register to check whether all the software in use is entered and maintained desktop-wise.

b) Note the name and version of the software currently in use.

c) The software in use is the latest version authorised by the Central Office of the Bank.

d) Installation of the software is in accordance with the directions issued by the Central Office.

e) All the modules of the software are properly installed and are working. If any module is not presently in use, the reason has to be ascertained and documented.

f) Physical verification of the copies of the software, documentation and manuals was carried out by Internal / Concurrent / Statutory Auditors.

g) An Annual Maintenance Contract is in operation and was duly renewed on the expiry date.

Purchases

Computerisation is a constant process of development and improvement over the previous technology. In this process Banks also upgrade their installed hardware and software to improve efficiency and provide better service to the customers. There has been a phase of such improvements, where branches operating on Automatic Ledger Posting Machines (ALPM) were upgraded to semi-computerised branches and then to fully computerised branches. The fully computerised branches are now in the process of being upgraded to fully networked branches. The phase is not over and there are still ALPM branches, which are in the process of upgradation. Auditors, in many branches, might come across purchases of new software made during the concerned Financial Year. To achieve the desired level of satisfaction that the purchase process was in accordance with the guidelines of the Central Office and that installation was carried out under the supervision of the appropriate person, the auditor may verify the following:

a) Software register is duly updated with new purchases.

b) Purchase Order was duly filed, the purchase was properly authorised and the software was obtained from an authorised vendor only.

c) The licence for the software and the warranty were obtained, and registration with the manufacturer is completed.

d) Installation was inspected and completed in the prescribed order.

e) Purchase was at reasonable value.

Logical Access Controls

To ascertain that assets are safeguarded and data integrity is maintained by the computer system, auditors may verify the following:

a) Does the security policy address specific capabilities of operating systems and require that the available security features be implemented?

b) Is there a security officer appointed in writing?

c) Does the security officer ensure that available features have been implemented?

d) Is there a process in place for granting access levels?

e) Do users have only the minimum access level needed to do their job?

f) Is users’ access restricted to specific applications, menus within applications, files, and servers?

g) Is file maintenance a separate access privilege?

h) Is maintenance restricted to a minimum number of persons and is it properly approved and reviewed?

i) Is the password file encrypted?

j) Are methods in place to detect security violations?

k) Can security restrictions be overridden?

l) Are access levels periodically reviewed by the internal auditor?

m) Are procedures implemented to limit access to workstations after normal working hours?

n) Is modem access protected by a secure system, such as call back?

o) Are modem numbers changed periodically?
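
As an added illustration (not part of the original Annexure), the following Python sketch shows how an auditor might test items (e), (g), (h) and (m) against exported user entitlements and login records. The role names, privilege names, working hours, maintenance-holder limit and all sample records are constructed assumptions; a real review would use the Bank's own approved access matrix and system exports.

```python
from datetime import datetime, time

# Constructed sample data; role names, privilege names and hours are assumptions.
ROLE_BASELINE = {
    "teller": {"post_transaction", "view_account"},
    "officer": {"post_transaction", "view_account", "authorise_transaction"},
    "sysadmin": {"file_maintenance"},
}
USERS = [
    {"id": "u101", "role": "teller", "privs": {"post_transaction", "view_account"}},
    {"id": "u102", "role": "teller", "privs": {"post_transaction", "view_account", "file_maintenance"}},
    {"id": "u201", "role": "officer", "privs": {"view_account", "authorise_transaction"}},
    {"id": "u900", "role": "sysadmin", "privs": {"file_maintenance"}},
]
LOGINS = [  # (user id, workstation, timestamp) - constructed records
    ("u101", "WS-03", "2024-03-04 10:15"),
    ("u102", "WS-05", "2024-03-04 21:40"),
    ("u900", "WS-01", "2024-03-05 06:05"),
]
WORK_START, WORK_END = time(9, 0), time(18, 0)  # assumed normal working hours
MAX_MAINTAINERS = 1  # assumed approved number of file-maintenance holders

def review_access(users, baseline, max_maintainers):
    findings = []
    for u in users:
        excess = u["privs"] - baseline.get(u["role"], set())
        if excess:  # item (e): access beyond the minimum needed for the role
            findings.append(("e", u["id"], "excess: " + ",".join(sorted(excess))))
        if "file_maintenance" in u["privs"] and len(u["privs"]) > 1:  # item (g)
            findings.append(("g", u["id"], "file maintenance combined with other privileges"))
    maintainers = sorted(u["id"] for u in users if "file_maintenance" in u["privs"])
    if len(maintainers) > max_maintainers:  # item (h): maintenance held by too many persons
        findings.append(("h", ",".join(maintainers), "too many maintenance holders"))
    return findings

def after_hours_logins(logins, start, end):
    out = []  # item (m): workstation use outside normal working hours
    for user, ws, ts in logins:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M").time()
        if not (start <= t < end):
            out.append((user, ws, ts))
    return out

if __name__ == "__main__":
    for f in review_access(USERS, ROLE_BASELINE, MAX_MAINTAINERS):
        print("item (%s) %s: %s" % f)
    for hit in after_hours_logins(LOGINS, WORK_START, WORK_END):
        print("item (m) after-hours login: %s on %s at %s" % hit)
```

Each finding is a lead for enquiry rather than a conclusion: an exception may be properly approved, which is what the review under item (h) should establish.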