
Systems Audit
A systems audit is an evaluation of an organization's information systems to ensure they are secure, efficient, and aligned with business objectives. It involves assessing the controls, processes, and technologies in place to identify risks, ensure compliance, and improve system performance.
Information Systems Audit in Indian Banks
Bill Gates once remarked, "For the 21st century, banking is essential, not banks."
The landscape of banking in India has dramatically evolved with the growing reliance on Information Technology. IT has transitioned from being a supportive function to becoming the central controller of business processes, and it continues to shape the core operations of banks.
The adoption of technology has not only enhanced operational efficiency but also provided greater flexibility in service delivery. The era of fixed banking hours is over; banking services are now available around the clock through ATM networks and internet banking. This shift has led to significant improvements in productivity, bringing the vision of a customer-centric banking experience closer to reality. The day when Bill Gates’ prediction fully materializes is not far off.
However, with the advent of technology, new risks and challenges have emerged. Issues such as viruses, hacking, and fraud are becoming more frequent, and service disruptions due to power failures and system outages are increasingly common.
Several factors contribute to these challenges, including the lack of process re-engineering when implementing new technologies, failure to address changes in control structures, inadequate awareness and training, excessive reliance on vendors, and, most critically, the absence of a comprehensive Information Systems Audit.
This article aims to explore the essential framework of Information Systems and technology audits in Indian banking.
The Basics
Historically, the term "audit" has been linked to financial records. The dictionary defines an audit as "the verification of financial transactions and checking them to ensure they align with the organization's policies and procedures." However, the scope of auditing has expanded, now encompassing all business processes. Today, auditing means "verifying the processes that generate and process business transactions." The term "transaction" has also broadened, referring to any action that changes data or produces an output—such as a management decision, technology deployment, or customer service.
What is the Difference Between Information Systems Audit and Financial Audit?
The automation of systems through Information Technology brings both benefits and challenges, leading financial audit services to recognize the need for Information Systems Audit. This type of audit emerged as a tool to enhance the advantages of technology while mitigating its potential drawbacks. Despite sharing some common ground, Information Systems Audit differs significantly from financial audits.
The key difference lies in the approach. A financial audit is a retrospective activity. It examines transactions that occurred during a specific period, for example, from the last audit to the current one or from April 1st to March 31st of the previous financial year. Its primary focus is verifying the accuracy of transactions based on predefined business rules for processing. In other words, it evaluates past processes. On the other hand, Information Systems Audit focuses on the controls applied to business processes through technology, with an eye on their future impact on transactions.
Financial audits are concerned with the "amount of transactions," whereas Information Systems audits focus on the "process of transactions." For example, a financial audit would check the accuracy of the balance in a customer account, whereas an Information Systems Audit would focus on how the software computes that balance. In short, a financial audit examines quantitative values, while an Information Systems Audit looks at the qualitative aspects of the process.
A financial audit can be conducted without considering technology, treating it as a "black box" by verifying inputs and outputs for consistency (referred to as "Around the Computer Audit"). However, an Information Systems Audit cannot be conducted without considering the technology involved.
Both types of audits can use Computer Assisted Audit Tools and Techniques (CAATs), but the tools differ. CAATs for financial audits are data-analysis tools such as ACL, IDEA, and SOFTCAAT, while CAATs for Information Systems Audits include output analyzers, firewall rule-base and log analyzers, and vulnerability assessment tools. Note that the firewall itself is a control under audit, not an audit tool; what the auditor uses is the tooling that inspects its configuration and logs.
Types of Information Systems Audits
Information systems encompass various processes related to receiving, storing, retrieving, processing, communicating, and destroying the information assets of a business. These systems also integrate different technologies that enable the deployment of information processes, such as networked ATMs, wireless LANs, interactive websites, and branchless banking (anywhere banking).
The technology systems developed for banking operations need to be deployed carefully. Traditionally, banks have been targets of attacks because "that's where the money is." Misuse and abuse of banking technology have already been reported globally, highlighting various security concerns related to technology deployment. Since technology itself is neutral in providing services, it is the "man behind the machine" that must be controlled. Information systems audits focus on verifying the controls in place.
Depending on the technology deployment, there can be several types of Information Systems (IS) audits. Some examples include:
Software Audit: This involves auditing the software before it is implemented to identify any control weaknesses. There are different types of software audits based on how the software is acquired:
- Audits of acquired packaged software
- Audits of custom software developed to order by a vendor
- Audits of in-house developed software
Implementation Audit: This audit focuses on the implementation of software across business locations to be used by customers directly or through employees. The banking application software requires setting specific parameters before implementation, and adjustments during use are necessary due to changes in environmental conditions such as regulatory or statutory requirements.
Operations Audit: The use of information technology needs to be monitored and controlled to prevent misuse or fraud. Establishing secure procedures and auditing their compliance is crucial. Some specific operations audits include:
- Branch operations audit
- ATM operations audit
- Network administration audits
- System access audits
- EDI and remote login audits
- Software development process audit
- Software testing audits
Firewall and Network Audits: When banks use networks to communicate with external entities, firewalls must be implemented and audited to ensure the security of these communications.
Internet Banking and Web Server Audits: Internet banking allows customers to reach the bank's databases over the internet, so access must be protected at the application layer, not only at the network perimeter. A firewall can block unauthorized network access, but an authorized user has, by definition, already passed it; misuse by authenticated users must be prevented by the application itself. The audit of internet banking therefore focuses on identification, authentication, and authorization procedures: that each session is tied to one identified customer, and that the customer can reach only the accounts and data they are entitled to.
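The authorization point above is the one most often missed in practice: the application authenticates the session and then trusts whatever account number arrives in the request. The following is an added example written for this page, not code from the article or from any bank's system; the customers, session tokens, account numbers and balances are constructed, and the audit log is an in-memory list standing in for whatever the real application writes.

```python
"""Added example (not from the page): access control for an internet-banking
balance lookup. Customers, accounts, tokens and balances are constructed."""


class AuthError(Exception):
    """Caller is not identified (missing or unknown session token)."""


class AuthzError(Exception):
    """Caller is identified but not permitted to reach this object."""


# Constructed data: session token -> customer id, account -> owner and balance.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {
    "ACC-1001": {"owner": "alice", "balance": 25000},
    "ACC-2002": {"owner": "bob", "balance": 1300},
}
AUDIT_LOG = []  # one entry per access decision, for the IS auditor to sample


def authenticate(token):
    """Identification and authentication: map a session token to a customer id."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("invalid session")
    return user


def get_balance_vulnerable(token, account_id):
    """Authenticates the caller but trusts the account number in the request.
    Any logged-in customer can read any account: misuse by an authorized user,
    which no firewall can prevent because the traffic is legitimate."""
    authenticate(token)
    return ACCOUNTS[account_id]["balance"]


def get_balance(token, account_id):
    """Authorization on the object itself: the session's customer must own the account."""
    user = authenticate(token)
    account = ACCOUNTS.get(account_id)
    permitted = account is not None and account["owner"] == user
    AUDIT_LOG.append({"user": user, "account": account_id,
                      "decision": "allow" if permitted else "deny"})
    if not permitted:
        # Same error for "does not exist" and "not yours", so a caller cannot
        # enumerate which account numbers exist by probing.
        raise AuthzError("account not accessible")
    return account["balance"]


def try_access(fn, token, account_id):
    """Helper for the walk-through: return the outcome instead of raising."""
    try:
        return ("ok", fn(token, account_id))
    except AuthError:
        return ("unauthenticated", None)
    except AuthzError:
        return ("forbidden", None)


if __name__ == "__main__":
    # bob is a valid customer; only the hardened handler stops him reading alice's balance
    print(try_access(get_balance_vulnerable, "tok-bob", "ACC-1001"))
    print(try_access(get_balance, "tok-bob", "ACC-1001"))
    print(AUDIT_LOG[-1])
```

An auditor testing this control would log in as one customer and request another customer's account number, then check that the request is refused and that the refusal appears in the log; the vulnerable handler passes the authentication test and fails the authorization one.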
Business Continuity Management Audits: Business continuity planning and disaster recovery procedures are monitored by the business continuity management (BCM) department. As banks often have multiple offices located in different geographical areas, BCM needs may vary between branches. Auditing the accepted business continuity management processes is an essential part of IS audits.
PKI Audits: Public Key Infrastructure (PKI) is becoming a common feature in banking. Managing private keys issued to authorized employees and ensuring their secure storage is critical.
Combination Audits: Sometimes, audits may combine multiple areas. For example, an EDI audit may include both software development and deployment, or an ATM operations audit may also incorporate the implementation audit.
This list is just an illustration of the types of IS audits, and it is not exhaustive. Depending on the specific needs and IT usage of an organization, the scope of an IS audit can be defined accordingly.
Standards for IS Audit
The widespread use and complexity of information technology has made it challenging to fully master all aspects of technology. Therefore, it is crucial that a skilled and knowledgeable individual conducts the Information Systems (IS) audit. The Information Systems Audit and Control Association (ISACA) has established standards for IS audits, which auditors should adhere to. These standards, outlined below, encapsulate the key elements of the IS audit process that auditors must follow.
- Responsibility, Authority, and Accountability: The roles, responsibilities, authority, and accountability of the IS audit function must be documented in an audit charter or engagement letter. This document typically outlines the scope of the audit.
- Professional Independence: The IS auditor must maintain independence in both attitude and appearance when performing audits. This means that auditors should not accept assignments where they have any personal interests or prior involvement in the project.
- Organizational Relationship: The IS audit function must be sufficiently independent from the audited area to ensure an objective audit. There should be functional independence between the audit management and the management of the audited area.
- Code of Professional Ethics: The IS auditor must adhere to the professional ethical guidelines set by the Information Systems Audit and Control Association.
- Due Professional Care: Auditors should exercise due care and comply with relevant auditing standards during all stages of their work.
- Skills and Knowledge: The IS auditor must possess the necessary skills and expertise to perform the audit, particularly for technology audits, where it is unrealistic for one person to know every aspect of the latest technology.
- Continuing Professional Education: The IS auditor must stay updated and maintain their technical knowledge through continuous professional development.
- Audit Planning: The auditor must plan the IS audit work carefully to meet the audit objectives and comply with relevant professional standards.
- Supervision: The audit staff should be properly supervised to ensure that audit objectives are met and professional standards are adhered to.
- Evidence: Sufficient, reliable, relevant, and useful evidence must be gathered throughout the audit to support the findings and conclusions. The audit should include thorough analysis and interpretation of this evidence.
- Report Content and Form: At the end of the audit, the IS auditor must provide a report in an appropriate format. The report should include the scope, objectives, audit period, and details about the audit work performed. It must also specify the organization, intended recipients, and any restrictions on sharing the report. The report should highlight the audit findings, conclusions, recommendations, and any reservations or qualifications the auditor may have regarding the audit.
- Follow-Up: The IS auditor must review and assess relevant past audit findings, conclusions, and recommendations to determine if corrective actions have been implemented in a timely and appropriate manner.
Risk-based audit
Typically, the audit process assures management that the auditee is adhering to the procedures set by the organization. However, the risk-based audit approach goes beyond mere compliance. It assesses procedures and instances of non-compliance as potential risks to the organization’s information assets. This approach is more proactive in Information Systems (IS) audits, as the dynamic nature of technology may render some procedures inadequate or overlook complex risks.
The auditor examines both the technology and the business processes that rely on it, then creates a control matrix mapping each identified risk to the controls that mitigate it, and evaluates how far those controls actually reduce the risk. This process aids in understanding management's risk perception and can highlight discrepancies between how management rates a risk and what the evidence supports. A risk that seems minor in one deployment can become major when the context changes: the risk posed by a virus may appear low on a standalone local area network (LAN) or server, but it becomes much higher once any node is connected to the Internet, even though nothing about the server itself has changed.
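To make the control matrix concrete, here is an added example for this page, not code from the article or from any audit methodology. It carries the paragraph's virus example through: the same server is scored in a standalone context and in an internet-connected context, once with the antivirus control evidenced as operating and once without, and a second risk with no control mapped to it shows how a control gap and a perception gap (management's rating versus the audited residual) are flagged. The 1-to-5 scales, the rating thresholds, the exposure increments and the management view are all constructed assumptions.

```python
"""Added example: a small control matrix for a risk-based IS audit.
Illustrative code, not from the page; risk names, scores, controls and
the management view are constructed for the walk-through."""
from dataclasses import dataclass, field

MALWARE = "malware infection on branch server"
SHARED_PW = "unauthorized transactions via shared passwords"


@dataclass
class Risk:
    name: str
    impact: int                     # 1 (negligible) .. 5 (severe)
    likelihood: int                 # 1 .. 5 in the baseline (standalone) deployment
    exposure: dict = field(default_factory=dict)  # context flag -> likelihood increase


@dataclass
class Control:
    name: str
    mitigates: str                  # Risk.name this control addresses
    reduction: int                  # likelihood points removed when the control operates
    operating: bool                 # audit evidence shows the control actually operates


def clamp(value):
    """Keep likelihood on the 1..5 scale after adjustments."""
    return max(1, min(5, value))


def rating(score):
    """Map a likelihood x impact product onto a three-level rating (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(risks, controls, context, management_view):
    """Build the control matrix: one row per risk with inherent and residual
    ratings, controls mapped but not operating, and two kinds of gap:
    control_gap    - no control is mapped to the risk at all
    perception_gap - management's stated rating differs from the audited residual"""
    rows = []
    for risk in risks:
        bump = sum(inc for flag, inc in risk.exposure.items() if context.get(flag))
        inherent_l = clamp(risk.likelihood + bump)
        mapped = [c for c in controls if c.mitigates == risk.name]
        residual_l = clamp(inherent_l - sum(c.reduction for c in mapped if c.operating))
        residual = rating(residual_l * risk.impact)
        rows.append({
            "risk": risk.name,
            "inherent": rating(inherent_l * risk.impact),
            "residual": residual,
            "ineffective_controls": [c.name for c in mapped if not c.operating],
            "control_gap": not mapped,
            "perception_gap": management_view.get(risk.name) != residual,
        })
    return rows


# Constructed register: the page's virus example plus one risk with no control mapped.
RISKS = [
    Risk(MALWARE, impact=4, likelihood=2, exposure={"internet_connected": 2}),
    Risk(SHARED_PW, impact=5, likelihood=3),
]
MANAGEMENT_VIEW = {MALWARE: "low", SHARED_PW: "medium"}   # how management rates them


def run_assessment(internet_connected, av_operating=True):
    """Assess the register for one deployment context; rows keyed by risk name."""
    controls = [Control("antivirus with daily signature updates", MALWARE,
                        reduction=2, operating=av_operating)]
    rows = assess(RISKS, controls, {"internet_connected": internet_connected},
                  MANAGEMENT_VIEW)
    return {row["risk"]: row for row in rows}


if __name__ == "__main__":
    for connected in (False, True):
        for name, row in run_assessment(internet_connected=connected).items():
            print(f"internet={connected!s:5} {name}: inherent={row['inherent']} "
                  f"residual={row['residual']} control_gap={row['control_gap']} "
                  f"perception_gap={row['perception_gap']}")
```

The point the matrix makes is that the residual rating depends on evidence, not on the existence of a control: the antivirus line only lowers the score when the audit confirms it is operating (signatures current, agent running on every node), and management's "low" for the malware risk is correct for the standalone server but becomes a perception gap the moment the server is connected.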
A highly effective strategy for management is to establish a comprehensive risk management and monitoring program, supported by an incident response system to address potential threats promptly.
Outsourcing and Audit
Banks typically do not consider Information Technology as their core business function, which often leads to outsourcing various IT services to vendors with the necessary expertise and capacity. However, since banks own the assets managed through technology provided by these vendors, it is important to address security concerns before outsourcing. In addition to performance, confidentiality, reliability, and continuity, the ability for the bank's appointed auditor to audit the vendor's processes that manage the bank's assets should be included as a clause in the outsourcing agreement.
Moreover, there should be predefined procedures in place to monitor vendor performance, and the bank should measure that performance from its own records rather than rely on the vendor's figures. For example, if the maintenance of the bank's hardware is outsourced with a 99% uptime requirement, the bank should implement internal procedures to record each outage with its start and end time, compute uptime for the contractual period, and compare it with the target; audit of compliance with these procedures should be part of the operational audit.
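The uptime calculation has two traps that an auditor should expect to find in a spreadsheet: one incident logged as several overlapping tickets is counted more than once, and an outage that straddles the start or end of the reporting period is counted in full instead of being clipped. The following is an added example for this page, not the page's or any vendor's code; the outage tickets, the January 2024 period and the 99% target are constructed, and whether planned maintenance counts against the vendor is treated as a contract term rather than decided here.

```python
"""Added example: measuring vendor uptime against a contractual target from
the bank's own outage records. Illustrative code, not from the page; the
outage tickets and the January 2024 period are constructed."""
from datetime import datetime

PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 2, 1)        # exclusive; 31 days = 44,640 minutes

# Constructed outage tickets: (start, end, planned_maintenance).
# The two tickets on 10 Jan describe one incident and must not be counted twice;
# the first ticket began before the period and must be clipped to it.
OUTAGES = [
    (datetime(2023, 12, 31, 23, 0), datetime(2024, 1, 1, 1, 0), False),
    (datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 2, 30), True),
    (datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 11, 0), False),
    (datetime(2024, 1, 10, 10, 30), datetime(2024, 1, 10, 12, 0), False),
    (datetime(2024, 1, 20, 14, 0), datetime(2024, 1, 20, 18, 0), False),
]


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs so a single incident
    logged in several tickets is counted once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(period_start, period_end, outages, exclude_planned=True):
    """Minutes of downtime inside the period, clipped to its boundaries."""
    clipped = []
    for start, end, planned in outages:
        if planned and exclude_planned:
            continue
        s, e = max(start, period_start), min(end, period_end)
        if s < e:
            clipped.append((s, e))
    return sum((e - s).total_seconds() / 60 for s, e in merge_intervals(clipped))


def sla_report(period_start, period_end, outages, target_pct=99.0, exclude_planned=True):
    """Compare measured availability with the contractual target. Whether planned
    maintenance counts against the vendor is a contract term, hence the switch;
    the default of excluding it is an assumption of this example."""
    total = (period_end - period_start).total_seconds() / 60
    down = downtime_minutes(period_start, period_end, outages, exclude_planned)
    availability = 100.0 * (total - down) / total
    return {
        "period_minutes": total,
        "downtime_minutes": down,
        "downtime_budget_minutes": total * (100.0 - target_pct) / 100.0,
        "availability_pct": availability,
        "met": availability >= target_pct,
    }


def january_2024_report(exclude_planned=True):
    """The constructed month against a 99% target."""
    return sla_report(PERIOD_START, PERIOD_END, OUTAGES, exclude_planned=exclude_planned)


if __name__ == "__main__":
    r = january_2024_report()
    print(f"availability {r['availability_pct']:.2f}% "
          f"(down {r['downtime_minutes']:.0f} of a {r['downtime_budget_minutes']:.0f} minute budget) "
          f"-> SLA {'met' if r['met'] else 'MISSED'}")
```

With the constructed tickets the month has 480 minutes of unplanned downtime against a budget of about 446, so the 99% target is missed; counting the overlapping tickets separately or the straddling outage in full would move the figure further, which is exactly why the audit should re-derive the number from the raw tickets rather than accept a reported percentage.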
However, not everything related to technology can be outsourced. For instance, User Acceptance Testing (UAT) of purchased software cannot be outsourced, as it is an internal business function and the bank is best positioned to define the software's requirements. Additionally, software requirements are often fluid, and a testing vendor can only test against the specifications provided, which may not cover all necessary business scenarios. Similarly, the development of Information Security Policies and procedures cannot be effectively outsourced, as they must be tailored to the organization's culture. For example, if password sharing is a common practice within the organization and no remedial measures are in place, writing a policy that forbids it will be ineffective. Likewise, if systems administrators are given no sanctioned way to attend to systems outside normal hours, they may resort to sharing passwords rather than go through the procedure that would create a record of the access.
While banks may choose to outsource the Information Systems Audit function, it is crucial to ensure that the outsourced auditor adheres to established standards and possesses the necessary expertise. The best professionals often come at a premium cost, so defining clear requirements is essential to ensure the best value at competitive prices.
Self Audits
To support the audit function, bank management may implement a Self-Audit or Control Self-Assessment conducted by functional managers. This approach can be especially beneficial for operational audits. Given how widely the bank's technology is spread across locations, it may not be feasible to use the workshop method, making the questionnaire approach the common choice for self-audits.
A key aspect of the questionnaire approach is that the questions must be designed in a way that ensures the functional manager has the necessary knowledge to respond accurately. For instance, if the questionnaire asks, "Has adequate capacity UPS been provided?", the person answering should be able to understand and evaluate what constitutes "adequate capacity," how to verify its adequacy, and whether the relevant acquisition and implementation documents are accessible.
Internal IS Audit Function
Given the specialized expertise required, the bank may choose not to have an internal audit function dedicated to the entire technology domain. Typically, internal auditors with basic training can manage operational IT audits, as these audits focus primarily on ensuring compliance with predefined procedures and usually have a shorter audit cycle. More complex technological audits, which have longer intervals, should be handled by properly trained IT auditors. These auditors can be deployed on an as-needed basis, since there may not be a constant demand for full-time resources. Depending on the bank's size and geographical spread, it is advisable to start with a small team of technical auditors and expand it as needed to handle the IT audit requirements.
Some common confusions
According to the RBI's guidelines, Indian banks have implemented Information Systems (IS) audit functions with the help of both internal and external auditors. However, some confusion has been observed in certain cases.
The scope of an IS audit encompasses the entire spectrum of technology, making it difficult to define a precise scope. For example, in one instance, an advertisement requested quotes for an audit covering both software and operations, yet overlooked implementation and conversion audits. These audits—software audit, implementation audit, conversion audit, and operations audit—are distinct from one another and require different scopes. A conversion audit, for example, is primarily a financial audit, while the others fall under IS audits.
Operations audits are often based on internal control questionnaires, which is an improper blend of technology and financial audits. In reality, operations audits can be categorized into two types: 1) banking operations audits in a computerized environment, and 2) technical operations audits of the bank or branch. The former is a financial audit, while the latter is an IS audit. The operations audit questionnaire includes questions about technology (e.g., "Are proper access controls in place?") as well as banking-related issues (e.g., "Are dormant accounts flagged correctly? Is interest being applied correctly?"). These banking-related questions are irrelevant if the software and implementation audits have been performed correctly. If these audits have not been conducted, then the scope should be expanded to include these areas, but the management has not accounted for the additional time required.
The background of the auditor also plays a role in the confusion. A banking auditor may focus on identifying quantitative errors in technology audits (e.g., incorrect interest amounts), while an IT auditor may not fully grasp the importance of these financial indicators in an implementation audit. Additionally, each type of auditor perceives risks differently. For instance, a banking auditor may view incorrect interest calculations as a high-risk issue due to potential losses, while an IT auditor may consider it a lower risk due to compensating controls, such as day book checks.
Conclusion
Information systems have greatly enhanced the ability of banks to improve their services through technology. However, to understand and mitigate the risks associated with the use of technology, IS audits have become essential. Banks must address the potential risks and challenges that arise in the absence of such audits. To establish an internal IS audit function, banks can begin by creating a small department of qualified auditors. During this initial phase, the IS audit function can be outsourced to expert vendors, with internal auditors collaborating with them for oversight and support.