Automation and Computerisation

Computerisation results in changes in the processing and storage of information and affects the organisation and procedures employed by the entity to achieve adequate internal control. The auditor should ascertain whether there exists any policy for computerisation and automation. The auditor is also required to comment on whether any progress has been made during the period under review. Progress may be in the nature of converting a partially computerised bank into a fully computerised one, or increasing the level of computerisation and thereby making the work simpler.

Pursuant to circular DBS.CO.PP.BC.11/11.01.005/2001-2002 dated 17 April 2002, ‘Long Form Audit Report to the Management by Central Statutory Auditors of Banks’, the Central Statutory Auditors should address their Long Form Audit Report to the Chairman of the Bank concerned, and a copy thereof should be forwarded to the designated office of the Reserve Bank of India. Some of the key aspects of automation and computerisation which should be covered are as follows. Regarding computerisation, the auditors are required to comment on the following aspects:

- Existence of Computerisation and Automation Policy; progress made during the year under review.
- Critical areas of operations not covered by automation.
- Number of branches covered by computerisation and the extent of computerisation.
- Procedures for back-ups, off-site storage, contingency and disaster recovery and adherence thereto.
- Existence of Systems/EDP audit; coverage of such audit.
- Electronic Banking; existence of systems and procedures; monitoring; regular updation of technology; method of review and audit of procedures.
- Suggestions, if any, with regard to computerisation and automation.

The central statutory auditor may, in addition to performing specific work to comment on the above points, also review the adequacy and appropriateness of the Information Security Policy and report in the LFAR any shortcomings or suggestions for improvement in computerisation and automation, based on discussions with the Management and IT personnel and leveraging the work performed whilst undertaking audit procedures. The auditor may also report in his LFAR whether the approved Information Technology Security Policy is in place and has been communicated to all the branches for implementation.

The auditor is also required to comment on whether the critical areas are covered by automation and on the applications used therein, together with whether the systems are developed in-house or acquired from external vendors. Generally, critical areas like treasury and loans are supported by subsystems which are interfaced to the General Ledger (GL). The auditor needs to make sure that there is a formal process for reconciling these subsystems with the GL on a periodic basis. Further, the relevant application and access controls in place for the CBS should also be followed for these subsystems.

The auditor should also report the number of branches covered by computerisation and the extent of computerisation. Assessing the extent of computerisation may include inquiring whether the branch is fully or partially computerised. For this purpose, the auditor will have to go through the LFARs of the branches. In the case of private sector banks and foreign branches, the central statutory auditor may inquire about and verify the level of branch automation when he conducts branch visits.

The bank should have a documented procedure for off-site backup. The auditor should enquire about the adequacy of the procedures followed for the recovery of data in case of contingency and disaster, including details of the data backup policies for its systems and data, disaster recovery plans, periodicity of backups and details of off-site locations.

The auditor should report whether the bank has a system of conducting Systems audits periodically to assess the effectiveness of the software, hardware and operations and to identify any changes required therein. The auditor also needs to review these reports to assess the impact of IT issues, if any, on the audit of the bank and his scope of work.