e-Banking/Internet Banking Procedures:
1. Identify the bank’s current and planned e-Banking activities and review the bank’s public Internet Websites. Consider whether the bank provides the following types of services:
a. Telephone banking.
b. Retail Internet banking services.
c. Corporate/wholesale Internet banking services.
d. Internet service provider (ISP).
e. Brokerage services over the Internet.
f. Insurance service over the Internet.
g. Trust services over the Internet.
h. Account aggregation.
i. Electronic bill payment.
j. Other activities (e.g., Web portals, financial calculators, cross-marketing arrangements and alliances, unique services, etc.).
2. Review prior audit reports related to e-Banking, including compliance, information technology, and other examination areas that may be relevant.
3. Determine if material changes have been made to e-Banking products, services, or operations since the last examination and if any significant changes are planned in the near future.
4. Determine if the bank operates the Web site(s), e-Banking system(s) or core data processing system(s) internally and whether any activities are outsourced to a vendor. Identify the location of the following operations:
a. Design and maintenance of the bank’s public Web site or home page.
b. Computer/server for the bank’s public Web site.
c. Development and maintenance of the bank’s electronic banking system(s).
d. Computer/server for the bank’s e-Banking system(s).
e. Customer service (e.g., call center) for electronic banking services.
f. Electronic bill payment processing or other ancillary services.
5. If the bank operates the e-Banking system or core data processing system in-house, review the topology (schematic diagram) of the systems and networks, and determine whether there is a direct, on-line connection between the bank’s core processing systems and the electronic banking system.
6. If the bank operates the e-Banking system or core data processing system in-house, review the transaction processing flows between the e-Banking system and the bank’s core processing systems and identify key control points. Determine whether information is exchanged in a real-time, batch (overnight), or hybrid processing mode. If the bank uses the services of any professional agency for any part of the work, the auditor should apply the standards laid down in SA 402, “Audit Considerations Relating to an Entity Using a Service Organisation”.
7. Determine the adequacy of risk management for e-Banking activities given the level of risk to the institution. The following are to be evaluated:
a. Adequacy of policies and procedures governing e-Banking activities.
b. Adequacy of internal controls and security for e-Banking activities.
c. Adequacy of audit coverage for e-Banking activities.
d. Adequacy of monitoring and compliance efforts.
e. Adequacy of vendor and outsourcing management.
f. Adequacy of Board and management oversight.
8. Determine the impact of any deficiencies on the financial condition of the organization.
9. Determine the extent of supervisory attention needed to ensure that any weaknesses are addressed and that associated risk is adequately