IT audit scope required of external auditors of Financial Institutions

There have been many developments in the financial sector. IFRS 9 has changed the way financial institutions manage and report credit risk, and increased automation has raised the level of ICT risk. Central banks now require the external auditors of financial institutions to undertake comprehensive ICT security reviews.

The challenge is that many external auditors do not have the ICT review expertise locally. As a result, they bring in expatriates from their network firms abroad to do the work locally, which increases the overall cost of the audit even when it could have been handled in-country. To save money, you can conduct the ICT security review yourself or ask your external auditors to work with Summit Consulting Ltd for local resources.

Below are the minimum requirements from the Bank of Uganda and Central Bank of Rwanda which we have been asked to undertake on behalf of external auditors. If you are an external auditor and want to deliver maximum value to your client at an affordable cost, contact us for support:

The requirements are set out as five areas of review. Each area of review is followed by the minimum proposed areas to be considered for review.

Area of review 1: Review all Information Communication Technology (ICT) systems within the Financial Institution, including the core banking system, operating systems, applications, databases, servers and networking systems, and confirm whether they are robust enough to ensure data integrity, confidentiality and availability and to support the Institution's strategy.

1. IT policies and procedures

  1. Establish whether there are adequate policies on ICT systems and confirm whether they were approved by the Board and are regularly reviewed to accommodate changes in the Institution's business environment.
  2. Review the ICT policies in place against best practice requirements for adequacy
  3. Assess whether the policies give clear direction on the management, utilization, monitoring and security of ICT resources in the bank.
  4. Review the structure and staffing of the ICT Function/Department, staff qualifications (a minimum of a degree in ICT is required) and experience, to ascertain whether it is well suited to support the Financial Institution's operations in relation to the size of the Institution.
  5. Review the policy and procedures to guide controls around authentication and identification into the systems.

2. User access management

  1. Assess adequacy of controls in place around user account creation and termination, user authentication into system, privileged user account management and segregation of duties management.
  2. Review the activity of the respective accounts and investigate any anomalies for any inappropriate access noted.
  3. Assess A.A.A. (Authentication, Authorization and Accounting) mechanisms for Electronic Banking Systems against best practice requirements.
  4. Review availability of systems to assess whether there is a high system availability, adequate capacity, reliable performance, fast response time, scalability and swift recovery capability.
Area of review 2: Review the Financial Institution's procurement process to ascertain whether the Institution got value for money during the purchase of new ICT systems or the upgrading of existing ones.

3. IT acquisition / procurement controls

  1. Establish whether competitive procurement was done and whether it complied with the Institution’s existing policies or best practice.
  2. Assess the extent of Board involvement in the changing or upgrading of the ICT system and ascertain whether Senior Management obtained Board approval in the various phases of the procurement process.

4. Change management and system implementation controls

  1. Review the Change Management process to ascertain that changes to ICT systems were assessed, approved, implemented and reviewed in a controlled manner.
  2. Review the adequacy of the implementation process and ascertain whether at roll out of the new system, the user needs requirements were met.
  3. Establish whether the Board approved the budget for the purchase or upgrade of the various systems and ascertain whether the actual costs were within budget.
  4. Review the reasonableness of the costs incurred for purchase, deployment and maintenance of the various ICT systems in the financial institution.
Area of review 3: Perform application controls testing, which includes configuration controls, sensitive access and segregation of duties controls, interface controls and data integrity controls, and obtain reasonable assurance on the accuracy and completeness of reports.

5. Change management controls

  1. Review the Bank’s system change control procedures for adequacy as per best practice requirements.
  2. Test the controls in place for system change implementation as well as operating effectiveness of the controls for changes implemented in the key applications and databases for the period under review.
  3. Review all changes made to the core banking system, financial reporting systems, all systems interfaced with both, databases, operating systems, ICT infrastructure and network components, and assess whether they were logical and approved in line with the bank's change controls and whether they were implemented as approved.

6. Patch management controls

  1. Review whether the bank's applications, databases, operating systems and devices are fully patched against vulnerabilities.

7. Electronic Banking application control reviews

  1. Review key bank transactional processes around Electronic Banking application systems for adequacy of input and output controls.
  2. Assess data integrity, completeness and accuracy of the business transactions affecting the key balances i.e. loans and advances, customer deposit liabilities, payments and money transfer and treasury.

8. Service level management

  1. Review the adequacy of service level agreements and information security controls for outsourced services supporting alternative banking channels such as mobile banking, ATM services, internet banking and agent banking.

9. Interface controls

  1. Review interfaces that support data transfer to and from the core banking system to ensure that:
     1. there is adequate segregation of duties over data origination, data input and data processing;
     2. data input into the system is validated;
     3. transactions are reconciled against source data for accuracy.
  2. Identify non-automated interfaces that pose a risk of unauthorised data manipulation.
  3. Assess error handling capabilities (the ability to detect erroneous data exchanges and flag the same) for system interfaces.
  4. Assess the timely transfer and synchronisation of data transferred across system interfaces.
  5. Assess access controls for systems to prevent unauthorised manipulation of data transferred across system interfaces.
Area of review 4: Review and assess whether balances resulting from all transactions in IT systems are accurately captured and reported in the Institution's general ledger, the financial statements and the returns submitted to the Bank of Uganda.

10. General ledger balancing controls

  1. Review the transactions processed in the Core Banking System against balances recorded in the General Ledger for Key balances i.e. Loans and Advances, Customer Deposits, Payments and Money Transfer and Treasury for completeness and accuracy.
  2. Review how underlying data, used in generating the regulatory reports is generated from the associated systems.
  3. Assess any manual interventions to support the reporting process and how these may impact the completeness and accuracy of the data.
  4. Assess the compilation and review process over the report generation procedures.
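The general ledger balancing review above (and the interface reconciliation point under item 9) is usually performed with a computer-assisted audit technique: match every core banking transaction to its general ledger posting, then roll the sub-ledger movements forward from each opening balance and compare with the closing balance the GL reports. The following is an added worked example, not code from the page, from Summit Consulting or from any regulator; the record layouts, account codes and figures are constructed sample data, and the three exception types (missing in GL, unsourced in GL, amount or account mismatch) are the checks an auditor would follow up on.

```python
from collections import defaultdict
from decimal import Decimal

# All data below is constructed sample data for the worked example; the
# record layout (txn id, GL account, signed amount) is an assumption, not
# a real core banking or GL export format.

# Sub-ledger side: transactions the core banking system (CBS) says it processed.
CBS_TRANSACTIONS = [
    ("T1001", "2100-DEPOSITS", Decimal("5000.00")),
    ("T1002", "2100-DEPOSITS", Decimal("-1200.00")),
    ("T1003", "1300-LOANS", Decimal("25000.00")),
    ("T1004", "1300-LOANS", Decimal("-800.00")),
    ("T1005", "2300-PAYMENTS", Decimal("300.00")),
]

# GL side: what the interface actually posted into the general ledger.
GL_POSTINGS = [
    ("T1001", "2100-DEPOSITS", Decimal("5000.00")),
    ("T1002", "2100-DEPOSITS", Decimal("-1200.00")),
    ("T1003", "1300-LOANS", Decimal("25000.00")),
    # T1004 never reached the GL (completeness exception)
    ("T1005", "2300-PAYMENTS", Decimal("30.00")),   # amount altered in transit
    ("J9001", "2300-PAYMENTS", Decimal("150.00")),  # manual journal with no CBS source
]

# GL opening and closing balances for the day, per account.
GL_BALANCES = {
    "2100-DEPOSITS": (Decimal("100000.00"), Decimal("103800.00")),
    "1300-LOANS": (Decimal("500000.00"), Decimal("525000.00")),
    "2300-PAYMENTS": (Decimal("0.00"), Decimal("180.00")),
}


def reconcile_postings(cbs, gl):
    """Match CBS transactions to GL postings one-for-one by transaction id.

    Returns three exception lists: CBS transactions missing from the GL
    (completeness), GL postings with no CBS source (manual or unauthorised
    entries), and ids present on both sides whose account or amount differs
    (accuracy).
    """
    cbs_by_id = {tid: (acct, amt) for tid, acct, amt in cbs}
    gl_by_id = {tid: (acct, amt) for tid, acct, amt in gl}
    missing_in_gl = sorted(set(cbs_by_id) - set(gl_by_id))
    unsourced_in_gl = sorted(set(gl_by_id) - set(cbs_by_id))
    amount_mismatch = [
        (tid, cbs_by_id[tid][1], gl_by_id[tid][1])
        for tid in sorted(set(cbs_by_id) & set(gl_by_id))
        if cbs_by_id[tid] != gl_by_id[tid]
    ]
    return missing_in_gl, unsourced_in_gl, amount_mismatch


def reconcile_balances(cbs, balances):
    """Roll the CBS movements forward from each GL opening balance and compare
    the expected closing balance with the balance the GL actually reports.

    Returns {account: gl_closing - expected_closing}; zero means the GL
    account agrees with the sub-ledger for the period.
    """
    movement = defaultdict(Decimal)
    for _, acct, amt in cbs:
        movement[acct] += amt
    differences = {}
    for acct, (opening, closing) in balances.items():
        expected_closing = opening + movement[acct]
        differences[acct] = closing - expected_closing
    return differences


def run_reconciliation(cbs=CBS_TRANSACTIONS, gl=GL_POSTINGS, balances=GL_BALANCES):
    """Produce the exception report an auditor would follow up on."""
    missing, unsourced, mismatched = reconcile_postings(cbs, gl)
    return {
        "missing_in_gl": missing,
        "unsourced_in_gl": unsourced,
        "amount_mismatch": mismatched,
        "balance_differences": reconcile_balances(cbs, balances),
    }


if __name__ == "__main__":
    for key, value in run_reconciliation().items():
        print(f"{key}: {value}")
```

On the sample data the GL is internally consistent (each closing balance equals opening plus what was posted), so a review of the GL alone would show nothing; only the comparison against the core banking sub-ledger surfaces the dropped transaction, the altered amount and the unsourced manual journal. Amounts are held as Decimal rather than float so that the reconciliation does not itself introduce rounding differences.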

11. Customer banking application controls

  1. Assess whether the automated customer banking application controls are adequately designed and implemented, and assess their ongoing effectiveness, with regard to the following:
     1. Computation of interest income, penalty fees and expenses
     2. Reasonableness of the penalty fees charged to customers
     3. Security of product design parameters, e.g. interest rates and tenure
     4. Aging and classification of loans
     5. Account dormancy management
     6. Suspension of interest for NPLs
     7. Application of standard charges
     8. Computing and posting foreign exchange gains/losses
     9. Loan portfolio review
     10. Assessment for inappropriate insider lending
     11. Detailed reviews of loan aging reports
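Two of the customer banking application controls listed above, aging and classification of loans and suspension of interest for NPLs, are normally tested by reperformance: recompute days past due and the resulting class from the loan extract and compare with what the system assigned. The example below is added here and is not code from the page, from Summit Consulting or from any regulator. The day-count buckets, the loan extract and the review date are constructed assumptions chosen for the example; in a real review the buckets come from the regulator's credit classification rules and the bank's credit policy.

```python
from datetime import date

# Assumed classification buckets by days past due (DPD). These are example
# parameters, not values quoted from the page or from any regulator.
BUCKETS = [
    (0, "Current"),
    (30, "Watch"),
    (90, "Substandard"),
    (180, "Doubtful"),
    (365, "Loss"),
]
# Classes for which interest accrual should be suspended (assumed).
NON_PERFORMING = {"Substandard", "Doubtful", "Loss"}

# Constructed sample extract from a loan system: loan id, oldest unpaid
# instalment due date, class the system assigned, and whether the system is
# still accruing interest on the loan.
LOAN_EXTRACT = [
    ("L-001", date(2024, 1, 15), "Watch", True),
    ("L-002", date(2023, 12, 1), "Watch", True),
    ("L-003", date(2023, 3, 1), "Loss", False),
    ("L-004", date(2024, 3, 20), "Current", True),
    ("L-005", date(2023, 9, 15), "Doubtful", True),
]
AS_OF = date(2024, 3, 31)  # assumed review date


def days_past_due(due, as_of):
    """Days between the oldest unpaid due date and the review date (never negative)."""
    return max((as_of - due).days, 0)


def classify(dpd):
    """Return the class of the highest bucket whose threshold the DPD reaches."""
    cls = BUCKETS[0][1]
    for threshold, name in BUCKETS:
        if dpd >= threshold:
            cls = name
    return cls


def reperform(extract, as_of):
    """Recompute aging and class for every loan and report two exception types:
    a class that differs from the system's, and a non-performing loan on which
    interest is still accruing."""
    findings = []
    for loan_id, due, system_class, accruing in extract:
        dpd = days_past_due(due, as_of)
        expected = classify(dpd)
        if expected != system_class:
            findings.append({"loan": loan_id, "issue": "misclassified",
                             "system": system_class, "expected": expected, "dpd": dpd})
        if expected in NON_PERFORMING and accruing:
            findings.append({"loan": loan_id, "issue": "interest_not_suspended",
                             "expected": expected, "dpd": dpd})
    return findings


def run_review(extract=LOAN_EXTRACT, as_of=AS_OF):
    return reperform(extract, as_of)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

Reperforming from the raw due dates rather than from the system's own aging report is the point: if the system under-ages a loan, its aging report and its classification are wrong together, and only an independent recomputation shows it.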
Area of review 5: Review IT security controls, including application security, privileged access, audit trails, systems monitoring and maintenance, integrity and the ability of systems to recover from a disaster resulting in loss of data.

12. Audit, logging and monitoring

  1. Review whether the audit logging capabilities had been enabled in the applications, databases, operating systems and network in the period under review
  2. Assess whether the audit logs are monitored on a periodic basis to detect unauthorised and inappropriate activities.
  3. Assess the adequacy of the audit logging capabilities to verify that all relevant transactional data and system user activity is captured, including the activities of system administrators and senior management.
  4. Assess whether proper Start of Day is maintained in the review of the audit logs
  5. Analyze audit logs and any other key transactional data on a sample basis against pre-set criteria to identify and investigate unusual activity within the core banking system and the peripheral applications.
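Item 5 above, and the review of account activity for anomalies under item 2 (user access management), come down to running a sample of the audit trail against pre-set criteria. The following is an added example, not code from the page, from Summit Consulting or from any regulator. It assumes a pipe-delimited log layout and four criteria that are typical of such a review: a user approving their own posting (segregation of duties), a privileged technical account posting customer transactions, activity outside business hours, and activity on an account HR reports as terminated. The log lines, user names, roles and thresholds are all constructed for the example.

```python
from datetime import datetime

# Constructed sample audit log in an assumed pipe-delimited layout
# (timestamp|tx=|user=|role=|action=|amount=). Real core banking systems each
# have their own log format, so parse_log() is illustrative.
SAMPLE_LOG = """\
2024-03-04T09:15:02|tx=T2001|user=amary|role=TELLER|action=POST|amount=1500.00
2024-03-04T09:16:40|tx=T2001|user=bokello|role=SUPERVISOR|action=APPROVE|amount=1500.00
2024-03-04T10:02:11|tx=T2002|user=amary|role=TELLER|action=POST|amount=9000.00
2024-03-04T10:02:35|tx=T2002|user=amary|role=TELLER|action=APPROVE|amount=9000.00
2024-03-04T23:41:09|tx=T2003|user=sysadmin|role=DBA|action=POST|amount=250000.00
this line is not in the expected layout
2024-03-05T08:30:00|tx=T2004|user=cnamu|role=TELLER|action=POST|amount=400.00
2024-03-05T08:31:10|tx=T2004|user=bokello|role=SUPERVISOR|action=APPROVE|amount=400.00
"""

# Pre-set review criteria (assumed values chosen for the example).
PRIVILEGED_ROLES = {"DBA", "SYSADMIN", "DEVELOPER"}  # must not touch customer transactions
BUSINESS_HOURS = (8, 18)                              # activity outside 08:00-18:00 is flagged
LEAVERS = {"cnamu"}                                   # accounts HR reports as terminated
TRANSACTIONAL = {"POST", "APPROVE"}


def parse_log(text):
    """Turn each line into a dict. Lines that do not fit the layout are returned
    as parse errors rather than dropped: a gap in the trail is itself a finding."""
    events, errors = [], []
    for line in text.splitlines():
        fields = line.split("|")
        try:
            when = datetime.fromisoformat(fields[0])
            kv = dict(f.split("=", 1) for f in fields[1:])
            events.append({"when": when, "tx": kv["tx"], "user": kv["user"],
                           "role": kv["role"], "action": kv["action"],
                           "amount": float(kv["amount"])})
        except (ValueError, KeyError, IndexError):
            errors.append(line)
    return events, errors


def self_approvals(events):
    """Same user both posted and approved a transaction."""
    by_tx = {}
    for e in events:
        by_tx.setdefault(e["tx"], {})[e["action"]] = e["user"]
    return sorted((tx, a["POST"]) for tx, a in by_tx.items()
                  if "POST" in a and "APPROVE" in a and a["POST"] == a["APPROVE"])


def privileged_postings(events):
    """Technical/privileged roles acting on customer transactions."""
    return sorted({(e["tx"], e["user"]) for e in events
                   if e["role"] in PRIVILEGED_ROLES and e["action"] in TRANSACTIONAL})


def out_of_hours(events):
    start, end = BUSINESS_HOURS
    return sorted({(e["tx"], e["user"]) for e in events
                   if not start <= e["when"].hour < end})


def leaver_activity(events):
    """Activity on accounts that should have been disabled at termination."""
    return sorted({(e["tx"], e["user"]) for e in events if e["user"] in LEAVERS})


def review(text=SAMPLE_LOG):
    """Run every criterion over the sample and return findings by rule."""
    events, errors = parse_log(text)
    return {
        "self_approval": self_approvals(events),
        "privileged_posting": privileged_postings(events),
        "out_of_hours": out_of_hours(events),
        "leaver_activity": leaver_activity(events),
        "unparsed_lines": errors,
    }


if __name__ == "__main__":
    for rule, hits in review().items():
        print(f"{rule}: {hits}")
```

Each criterion is a separate function so that the review team can add the bank's own rules (amount thresholds, dormant account reactivations, parameter changes) without touching the parser, and the unparsed-lines count belongs in the report because a log that cannot be read is as much a monitoring gap as one that was never enabled.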

13. IT Operations

  1. Review the adequacy of procedures in place to manage job scheduling, data centre, physical security, data backup and recovery as well as network monitoring and security.
  2. Review controls to ensure accurate and complete execution of batch processes and scheduled tasks, e.g. end-of-day/close-of-business procedures.
  3. Assess access controls over the amendment of job scheduling and the processing parameters

14. Network security

  1. Assess adequacy of network design to ensure enhanced security e.g. proper segmentation, continuous monitoring, firewall etc.

15. Antivirus management

  1. Review the anti-virus systems in place to guard against malware and viruses.
  2. Assess whether the anti-virus software is up to date and covers all systems in the Institution's IT landscape.
  3. Assess whether anti-malware and anti-virus protection is applied to hand-held Bring Your Own Device (BYOD) devices as well as to any third-party networks the Bank is connected to.

16. Business continuity management

  1. Assess the adequacy of the Institution’s Business Continuity Management program.
  2. Verify that the Financial Institution has in place, and operates from, an in-country Primary Data Centre. In addition, verify that the Institution has in place an in-country Disaster Recovery site, test its functionality and confirm whether there is real-time replication of data between the primary and backup servers.
  3. Assess whether the BCM program has been tested in the period under review
  4. Assess whether the BCM program has ICT Disaster Recovery components in place. Assess whether the ICT Disaster Recovery Plan outlines adequate recovery procedures for all critical systems and components within the Bank's ICT landscape.
  5. Ascertain whether the institution’s branches regularly test the operability of the Disaster Recovery Sites.

17. Vulnerability assessment

  1. Ascertain whether a vulnerability test to assess the adequacy of controls to prevent external attacks on the ICT systems, including cyber-attacks, has ever been done; if not, conduct one. The Financial Institution should thereafter conduct a system penetration test every three years to cater for vulnerabilities arising from upgrades.

By making use of global best practice methodologies, we are confident that we will not only meet but exceed your expectations. We are excited at the prospect of working with you and your team and look forward to being appointed as your service provider.
