Security Control Aspects

The key security control aspects that an auditor needs to address when undertaking an audit in a computerised bank include:

• Ensure that authorised, accurate and complete data is made available for processing.

• Ensure that in case of interruption due to power, mechanical or processing failures, the system restarts without distorting the completion of the entries and records.

• Ensure that the system prevents unauthorised amendments to the programmes.

• Verify whether the “access controls” assigned to the working staff match their responsibilities as per the manual. It is important for the auditor to ensure that access and authorisation rights given to employees are appropriate.

• Verify that segregation of duties is ensured while granting system access to users and that the user activities are monitored by performing an activities log review.

• Verify that changes made in the parameters or user levels are authenticated.

• Verify that charges calculated manually for accounts, where the function is not regulated through parameters, are properly accounted for and authorised.

• Verify that all modules in the software are implemented.

• Verify that exceptional transaction reports are being authorised and verified on a daily basis by the concerned officials. It is important for the auditor to understand the nature of the exception and its impact on the financials.

• Verify that the account master and balance cannot be modified/amended/altered except by the authorised personnel.

• Verify that all the general ledger account codes authorised by Head Office are in existence in the system.

• Verify that the balance in the general ledger tallies with the balance in the subsidiary book.

• Verify that important passwords, like the database administrator’s and branch manager’s passwords, are kept in a sealed cover with the branch manager so that, in case of emergency and the absence of any of them, the passwords could be used to run the system promptly.

• Since backup is taken at a centralised location, the Central Auditor should:

o Check that the bank takes daily and monthly backups. The backup media should be duly labelled and indexed properly and should be maintained under joint custody.

o Ideally, daily backup should be taken in 6 sets, one for each weekday, and 12 sets for each month end. Verify that the backup register is maintained and updated.

• Verify that the backup media is stored in a fireproof cabinet secured with lock and key and also that the off-site backups are preserved for emergencies.

• Verify that the latest version of the anti-virus software is installed on the servers/PCs of branches to prevent data corruption, and is being regularly updated for new viruses.

• Verify that security patches are applied to systems as and when they are released by the vendors / developers.

• Verify that access to the computer room is restricted to authorised persons only.
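
The access-rights, segregation-of-duties and parameter-change checks listed above can be run over extracts from the banking system. The Python below is an added example, not part of the original page: the role matrix, user list, log layout and action names are constructed assumptions, as is treating a change with no second person recorded against it as not authenticated.

```python
from collections import defaultdict

# Constructed sample: rights each role may hold per the (hypothetical) manual.
ROLE_MATRIX = {
    "teller": {"ENTER_TXN"},
    "officer": {"ENTER_TXN", "AUTHORISE_TXN"},
    "manager": {"AUTHORISE_TXN", "CHANGE_PARAM", "CHANGE_USER_LEVEL"},
}
# Constructed sample: user -> (role, rights actually granted in the system).
USERS = {
    "u101": ("teller", {"ENTER_TXN"}),
    "u102": ("teller", {"ENTER_TXN", "AUTHORISE_TXN"}),
    "u201": ("officer", {"ENTER_TXN", "AUTHORISE_TXN"}),
    "u301": ("manager", {"AUTHORISE_TXN", "CHANGE_PARAM", "CHANGE_USER_LEVEL"}),
}
# Constructed activity log: (user, action, reference, authorised_by or None).
LOG = [
    ("u101", "ENTER_TXN", "T1", None),
    ("u201", "AUTHORISE_TXN", "T1", None),
    ("u102", "ENTER_TXN", "T2", None),
    ("u102", "AUTHORISE_TXN", "T2", None),
    ("u301", "CHANGE_PARAM", "P1", "u201"),
    ("u301", "CHANGE_USER_LEVEL", "U1", None),
    ("u301", "CHANGE_PARAM", "P2", "u301"),
]

def excess_rights(users, matrix):
    """Rights granted to a user beyond what the manual allows for the role."""
    found = {u: sorted(granted - matrix.get(role, set()))
             for u, (role, granted) in users.items()}
    return {u: extra for u, extra in found.items() if extra}

def maker_checker_violations(log):
    """Transactions entered and authorised by the same user (no segregation)."""
    makers, checkers = defaultdict(set), defaultdict(set)
    for user, action, ref, _ in log:
        if action == "ENTER_TXN":
            makers[ref].add(user)
        elif action == "AUTHORISE_TXN":
            checkers[ref].add(user)
    return sorted(ref for ref in makers if makers[ref] & checkers[ref])

def unauthenticated_changes(log):
    """Parameter or user-level changes with no second person as authoriser."""
    watched = {"CHANGE_PARAM", "CHANGE_USER_LEVEL"}
    return sorted(ref for user, action, ref, auth in log
                  if action in watched and (auth is None or auth == user))
```

Each function returns the exceptions an auditor would follow up: over-privileged users, self-authorised transactions, and changes lacking an independent authoriser.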