
Special Considerations in a CIS Environment

As per SA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment”, the overall objective and scope of an audit does not change in a Computer Information Systems (‘CIS’) environment. However, the use of a computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the bank; accordingly, the CIS environment may affect:
- the procedures followed by the auditor in obtaining sufficient understanding of the accounting and internal control system;
- the auditor’s evaluation of inherent risk and control risk, through which the auditor assesses the audit risk; and
- the auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective.
The auditor should evaluate, inter alia, the following factors to determine the effect of the CIS environment on the audit:
- the extent to which the CIS environment is used to record, compile and analyse accounting information;
- the system of internal control in existence in the bank with regard to:
  (i) the flow of authorised, correct and complete data to the processing centre;
  (ii) the processing, analysis and reporting tasks undertaken; and
- the impact of the computer-based accounting system on the audit trail that could otherwise be expected to exist in an entirely manual system.
In today’s environment all banks have set up and implemented large-scale computerisation projects, which have resulted in changes in the processing and storage of information. Information generated by IT systems is also used for decision making. The importance, extent of use and complexity of a bank’s information systems affect the organisation and procedures employed by the entity to achieve adequate internal control. Thus, while the overall objective and scope of the audit do not change simply because data is maintained on computers, the procedures followed by the auditor in his study and evaluation of the accounting system and related internal controls, and the nature, timing and extent of his other audit procedures, are affected in a CIS environment. The nature of audit evidence and the techniques used to evaluate it have also undergone a significant change. Audit procedures have now been transformed from “auditing around the computer” to “auditing through the computer”.
The control concerns arising from the use of IT by a bank are similar to those arising when IT is used by other organisations. However, the matters that are of particular concern to the auditor of a bank include the following:
- The use of IT to calculate and record substantially all of the interest income and interest expense, which are ordinarily two of the most important elements in the determination of a bank’s earnings.
- The use of IT and telecommunications systems to determine the foreign exchange, security and derivative trading positions, and to calculate and record the gains and losses arising from them.
- The extensive, and in some cases almost total, dependence on the records produced by IT, because they represent the only readily accessible source of detailed, up-to-date information on the bank’s asset and liability positions, such as customer loan and deposit balances.
- The use of complex valuation models incorporated in the IT systems.
- The models used to value assets, and the data used by those models, are often kept in spreadsheets prepared by individuals on personal computers not linked to the bank’s main IT systems and not subject to the same controls as applications on those systems.
- The use of different IT systems, resulting in the risk of loss of audit trail and incompatibility between systems.
- The use of multiple channels for delivery of services to a bank’s customers, such as ATM, EFT, internet banking, card-based payment systems, etc.
- The integrity of financial data moving through data interfaces between several systems.
- The potential risk of management override of controls through privileged access to information systems.
- Potential segregation-of-duties issues arising from access to multiple systems granted to users.
- The extensive use of third-party vendors (service organisations) to whom financial data processing activities or management of IT infrastructure is outsourced.

Electronic Funds Transfer (‘EFT’) systems are used by banks both internally (for example, for transfers between branches and between automated banking machines and the computerised files that record account activity) and externally, between the bank and other financial institutions (for example, through the SWIFT network) and also between the bank and its customers through the internet or other electronic commerce media.

The auditor obtains an understanding of the core IT, EFT and telecommunication applications and the links between those applications. The auditor relates this understanding to the major business processes or balance sheet positions in order to identify the risk factors for the organisation and, therefore, for the audit. In addition, it is important to identify the extent of the use of self-developed applications or integrated systems, which will have a direct effect on the audit approach. (Self-developed systems require the auditor to focus more extensively on the program change controls.)

When auditing in a distributed IT environment, the auditor obtains an understanding of where the core IT applications are located. If the bank’s Wide Area Network (WAN) is dispersed over several countries, specific legislative rules might apply to cross-border data processing. In such an environment, audit work on the access control system, especially on access violations, is an important part of the audit. Further, if the system is hosted outside India, the auditor can obtain a report on the service organisation as per SAS 70 or an equivalent work/report from that country.
RBI’s circular No -DBOD.COMP.BC.No.130/ 07.03.23/ 2000-01 dated 14th June 2001 on Internet banking in India – Guidelines, states in Para II on Legal Issues as follows: “Considering the legal position prevalent, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about integrity and reputation of the prospective customer. Therefore, even though request for opening account can be accepted over Internet, accounts should be opened only after proper introduction and physical verification of the identity of the customer”.
RBI has issued guidelines to scheduled commercial banks on a cyber security framework vide its circular no RBI/2015-16/418 DBS.CO/CSITE/BC.11/ 33.01.001/2015-16 dated June 2, 2016. As per this circular, banks are required to report cyberattack incidents promptly (within 2 to 6 hours), in the format given in Annexure 3 of the aforesaid circular.
Banks should immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their Board.

Confirmation in this regard should be communicated to Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Reserve Bank of India, Central Office, World Trade Centre-I, 4th Floor, Cuffe Parade, Mumbai – 400 005 at the earliest, and in any case not later than September 30, 2016.
A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy.