Information Technology (‘IT’) Controls

The audit considerations for this aspect include:

• Obtain IT-related information from the bank for treasury operations and review, as appropriate, minutes of any committees responsible for overseeing and coordinating IT resources and activities to determine user involvement and organizational priorities.

• Review organizational charts, job descriptions, and training programs to ascertain that the bank has a sufficient number of technology personnel and that these personnel have the expertise the bank requires.

• Review MIS reports for significant IT systems and activities to ascertain that risk identification, measurement, control, and monitoring are commensurate with the complexity of the bank’s technology and operating environment.

• Evaluate the separation of duties and responsibilities in the operation and data processing of treasury functions.

• Evaluate the adequacy of input/output controls and reconcilement procedures for batch capture and image capture systems.

• Review controls and audit trails over master file change requests (such as address changes, due dates, commission/interest rates, and service charge indicator). Also consider the individuals authorized to make changes, potential conflicting job responsibilities, the documentation/audit trail of authorized changes, and the procedures used to verify the accuracy of master file changes.

• Assess the adequacy of controls over changes to systems, programs, data files, and PC-based applications, and consider the procedures for implementing program updates, releases, and changes.

• Check whether controls are in place to restrict and monitor the use of data-altering utilities, and whether there is adequate process management for selecting system and program security settings (i.e., whether the settings were based on sound technical advice or were simply the default settings).

• Check whether controls are established to prevent unauthorized changes to system and program security settings.

• Evaluate the effectiveness of password administration for employee and customer passwords, considering the complexity of the processing environment and the type of information accessed. Consider the confidentiality of passwords (whether known only to the employee/customer); the procedures for resetting passwords so that confidentiality is maintained; the frequency of required password changes; password design (number and type of characters); and the security of passwords while stored in computer files, during transmission, and on printed activity logs and reports.

• Determine whether the bank has removed/reset default profiles and passwords from new systems and equipment, and determine whether access to the system administrator level is adequately controlled.

• Check whether the data hand-off process from one product processor to another, or to any other system, is conducted in a secure environment, either without manual intervention or with the least possible, controlled manual intervention.