
Bank Audit under CBS Environment

Deepak Bholusaria, FCA Member, Banking Research Group, NIRC of ICAI deepak@bholusaria.com. Bank Audit under CBS Environment. Objective of this presentation. Beginner’s guide to Audit under Core Banking Solution. Giving a rough idea of how CBS works and its architecture.


Presentation Transcript


  1. Deepak Bholusaria, FCA Member, Banking Research Group, NIRC of ICAI deepak@bholusaria.com Bank Audit under CBS Environment

  2. Objective of this presentation • Beginner’s guide to Audit under Core Banking Solution. • Giving a rough idea of how CBS works and its architecture. • What kind of controls are built into a CBS environment? • What kind of reports does a CBS system generate that may help in the audit of branches? • Brief overview of sample audit checks.

  3. Let's brush up on the basics of CBS

  4. What is CBS? Core banking solution refers to a: • Common IT solution, wherein • A central shared database supports the entire banking application. • Based on client-server architecture

  5. What is CBS? • Business processes in all the branches of a bank update a common database in a central server located at the Data centre, which gives a consolidated view of the bank’s operations • Branches function as delivery channels providing services to the customers of the bank.

  6. Components of CBS Major components are: • Data centre • Network connectivity • CBS application software • Hardware at branch and data centre • Delivery channels • Disaster recovery site • A strong business continuity plan

  7. CBS Architecture (diagram): Central Server; Branch Routers; Nodes

  8. System Architecture (General) • Web Server: Front end; provides screens and forms to users • Application Server (APS): Contains application; business logic running; processes requests from servers; accesses the database server • Database Server (DBS): Hosts RDBMS; processes requests from APS; stores data in external storage

  9. CBS Setup • The branch confines itself to creating manual documents capturing data required for input into software, internal authorization, initiating Beginning-of-day (BOD) operations, End-of-day (EOD) operations, reviewing reports for control and error correction.

  10. CBS Setup • All data processing, storage, backup, report generation, inter branch account reconciliation are done centrally.

  11. CBS and Auditor’s role

  12. Risk Assessment & Controls (AAS-6) The branch auditor should satisfy himself that: • Audit risk is at an acceptably low level. • Adequate procedures exist to ensure data transmitted is complete and correct. • Cross-verification of records, reconciliation statements and various controls exist between online and offline records.

  13. Role of Auditor in CBS Environment The branch auditor's role is divided into the following: • Software/CBS Application related Control Checks. • Review of Controls and implementation of CIA principles. • Management practices • Checking manual documents which are the basis for input into the system.

  14. CIA Principle • Confidentiality • Information is shared amongst authorised personnel (Maker – Checker concept) • Integrity • Information is authentic and complete. Information is sufficiently accurate to rely upon. • Availability • Systems responsible for delivering, storing and processing information are accessible when needed.

  15. How to check CIA principles?

  16. Controls in CBS Branches Answer lies in • Existence of Controls; and • Review of their implementation Types of controls: • Operational Controls • Physical Controls • Environmental Controls

  17. Operational Controls • Start with SoD! • Whether all accounts (Opening & Closing) are duly authorised. • Whether officials other than branch have authority to record transactions in branch books? SoD means Segregation of Duties

  18. Operational Controls • Whether the Account Master and balance can be modified/amended/altered except by the authorised personnel? • Whether a Beginning of the Day and End of the Day register is maintained? Whether time is properly entered and time and date are normal and during office hours only? • No operation on Holidays!
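
An added example, not part of the original presentation: one way to test the segregation-of-duties and office-hours checks from the Operational Controls slides on a transaction extract. The field names, office hours, holiday list and the treatment of Sunday as a holiday are assumptions, and the transactions are constructed.

```python
from datetime import datetime, date, time

# Constructed sample; office hours and holiday calendar are assumptions.
OFFICE_OPEN, OFFICE_CLOSE = time(9, 30), time(18, 0)
HOLIDAYS = {date(2024, 3, 29)}
TXNS = [
    # (txn_no, posted_at, maker, checker)
    ("T0001", "2024-03-27 11:15", "USHARMA", "UGUPTA"),
    ("T0002", "2024-03-27 21:40", "USHARMA", "UGUPTA"),  # after hours
    ("T0003", "2024-03-28 12:05", "UGUPTA", "UGUPTA"),   # same maker and checker
    ("T0004", "2024-03-29 10:30", "USHARMA", "UGUPTA"),  # listed holiday
    ("T0005", "2024-03-31 10:00", "USHARMA", ""),        # Sunday, never authorised
]

def exceptions(txns, holidays=HOLIDAYS):
    """Return {txn_no: [reasons]} for entries that break SoD or timing rules."""
    out = {}
    for no, ts, maker, checker in txns:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        reasons = []
        if not checker:
            reasons.append("no checker")
        elif maker == checker:
            reasons.append("maker is checker")
        # Assumption: Sundays (weekday 6) are non-working days for the branch.
        if when.date() in holidays or when.weekday() == 6:
            reasons.append("holiday")
        elif not (OFFICE_OPEN <= when.time() <= OFFICE_CLOSE):
            reasons.append("outside office hours")
        if reasons:
            out[no] = reasons
    return out

if __name__ == "__main__":
    for txn_no, why in exceptions(TXNS).items():
        print(txn_no, ", ".join(why))
```

Each flagged entry is a query for the branch: the voucher, the authorising officer and the BOD/EOD register entry for that day should explain it.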

  19. Operational Controls • Whether the records of errors arising during daily operations are reported? And how are they rectified? • Whether dummy accounts created using master creation still exist in the Branch? • A sample verification of SDRs / FDRs should be carried out to ascertain whether lien is marked on such deposit receipts in the system. • Availability of command prompt (Run-Cmd) • Access to group policies (gpedit.msc) is restricted

  20. Access Controls (as part of operational controls) • Peruse the access control matrix • Password Management and History • Cross verify the same with actual number of users in the branch • Inactive user IDs and guest IDs • Review the process of activation of users • What about users transferred to other branches? • Review access logs • Special emphasis on unsuccessful logon attempts
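
An added example, not part of the original presentation: the access-control checks above run over three extracts an auditor might obtain (staff roster, CBS user ID list, access log). The CSV layouts, the 90-day inactivity cut-off and the threshold of three failed logons are assumptions, and all data is constructed.

```python
import csv, io
from collections import Counter
from datetime import date

# Constructed sample extracts; column names are assumptions, not a CBS vendor format.
ROSTER = """emp_id,branch
E101,0042
E102,0042
E103,0042
"""
CBS_USERS = """user_id,emp_id,last_login
USHARMA,E101,2024-03-28
UGUPTA,E102,2023-11-02
UVERMA,E099,2024-03-27
GUEST1,,2024-03-15
"""
ACCESS_LOG = """timestamp,user_id,event
2024-03-27T09:58:10,UVERMA,LOGIN_FAIL
2024-03-27T09:58:31,UVERMA,LOGIN_FAIL
2024-03-27T09:59:02,UVERMA,LOGIN_FAIL
2024-03-27T10:01:45,UVERMA,LOGIN_OK
2024-03-28T10:02:00,USHARMA,LOGIN_FAIL
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_user_ids(roster, users, as_of, inactive_days=90):
    """Cross-verify CBS user IDs against staff actually posted at the branch."""
    on_roll = {r["emp_id"] for r in rows(roster)}
    findings = {"guest_or_unmapped": [], "not_on_roll": [], "inactive": []}
    for u in rows(users):
        if not u["emp_id"]:
            findings["guest_or_unmapped"].append(u["user_id"])
        elif u["emp_id"] not in on_roll:  # e.g. transferred, ID never disabled
            findings["not_on_roll"].append(u["user_id"])
        idle = (as_of - date.fromisoformat(u["last_login"])).days
        if idle > inactive_days:
            findings["inactive"].append(u["user_id"])
    return findings

def failed_logons(log, threshold=3):
    """Users with at least `threshold` unsuccessful logon attempts in the log."""
    fails = Counter(r["user_id"] for r in rows(log) if r["event"] == "LOGIN_FAIL")
    return {u: n for u, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    print(review_user_ids(ROSTER, CBS_USERS, as_of=date(2024, 3, 31)))
    print(failed_logons(ACCESS_LOG))
```

In the constructed data, the ID that is not on the branch roll is also the one with repeated failed logons, which is the kind of overlap worth raising with the branch first.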

  21. Physical Controls • Router / Modem / Network equipment – Entry restricted to Branch Manager / authorised personnel • Ensure floppy/Pen-drive access is not allowed on Nodes (unless required for RTGS etc.) • Hardware Access Register • Software Patch Application Register • PC having internet access should be separate from CBS computers • ATM card / password envelopes are stored in a Secured Area under double lock!

  22. Environment Controls • Power backups – ONLINE UPS • Any downtime register maintained? • How are transactions recorded in case of downtime? • Machinery Breakdown register. • Insurance/AMC of machinery and equipment • Fire extinguisher is installed and active.

  23. Is it necessary to be IT savvy?

  24. Is it necessary to be IT savvy? • YES! • Because, there are no short cuts to success! • Because, being IT savvy is the “IN” thing! • It is the demand of the hour!

  25. Audit Risk Analysis in CBS • Risk • Branch: Computerised, Auditor: Not computer expert • Branch: Manual, Auditor: May or may not be computer expert • Branch: Computerised, Auditor: Computer expert

  26. Audit areas and checks

  27. Manual Check vis-à-vis Software Check

  28. Sample Checks, controls and verification

  29. Application Level Controls & Checks • System generated transaction numbers noted on the vouchers. • Vouchers have been initialled by same operators who entered vouchers • Vouchers have been initialled by same officer who authorised on screen. • Overdue Terms Deposits/LCs are parked in separate heads in GL by the system • Zero Balance accounts in system

  30. Application Level Controls & Checks • Unconfirmed entries (Exception reports) • Suspense accounts • Application of Interest applied by systems (separate reports are available) • Change in Drawing Powers (Exception report) • Cheque book issuance charges are automatically charged • Charges for stop payment are automatically charged

  31. Application Level Controls & Checks • Daily review of ToD – Whether within the power of the branch? • If not, has it been reported to HO and approved/ratified by HO?

  32. Opening of Accounts The auditor has to verify from parameters that: • Whether correct product is chosen • Correct Drawing Power is entered (for advances) • The master data is complete and correct • Check Maker-Checker control has been exercised

  33. Opening of Accounts Special Checks: • Interest rate parameters checking in case loans sanctioned at special rates • Correct scheme ID has been entered. • Log register for changes in scheme IDs • Authorization from the controlling authority to open the account and the interest rate

  34. Opening of Accounts Special Checks: • Duplication of Customer IDs • Interest rate variation/exception reports for Deposits as well as Advances • Drawing Power variation/exception report

  35. Verification of Interest • Penal Interest is fed into the system as per sanction/review letter • Correct Product is chosen/selected • Alteration of Special Rates (for deposits as well as Advances) effected at Branch Level. Check relevant register • Manual Check for manual recovery: • Loan processing charges • LC, BG charges • Godown Inspection charges

  36. Verification of Interest • Whether TDS enabled or not? • Check for 15G/15H cases

  37. Other Parameters • Standing instruction charge (Global) • Stop payment instruction charges (Global) • Cheque book charges (Global) • Account closing charges (Global) • Password change parameters (Global) • Authorization of users • Authorization for exceptional transactions • Penal Interest Parameters

  38. Classification of Advances • Generally there is Separate Software for classification • Classification generally done manually by Branch in Customer Master • Report of irregular Advances • Report of likely NPA – June 10, September 10 December 2011 and March 11 • Exception Report on changes in NPA parameters

  39. Inter Branch/HO account • In CBS, intermediate accounts should generally show NIL balances. Analyse any balance in these accounts • HO account tallied with HO Statement and confirmed by HO • SOL Transactions – Reconciliation

  40. General Ledger and Balancing • If there is a balance in system suspense account, it indicates that some posting is incomplete in the CBS system. This has to be corrected to arrive at final TB. • ATM's security control may be reviewed, like access to ATM is secured by double lock, cash replacement procedures, rejected bin cash counting process, network security

  41. General Ledger and Balancing • All the sub ledger accounts are in-built in the system and cross checked and tallied by the system itself • Trial balance extraction is automatically done by the system • The auditor has to ensure that all the system control accounts are NIL.

  42. Impersonal / Office Account • Sundry credit accounts • Sundry deposit accounts • Suspense accounts Check for ghost entries and correctness of these accounts.

  43. System Level Controls • Operating System / RDBMS manual / installation guidelines • Computer Manual • DIT guidelines in separate file • User ID Register • Duty Roster • Password expiration • Antivirus updation

  44. Exception Reports

  45. Exception/Variation Reports • Interest rate variation • Irregular advances • Advances pending renewal • Cash deposits/withdrawal beyond a defined limit • CC/OD exceeding DP • Errors in day book

  46. Exception/Variation Reports • Debit /Credit balance change • Maturity record deleted • Inactive accounts reactivated • Excess allowed over limit • Debits to Income head accounts • Overdue bills and bills returned • Withdrawal against clearings

  47. Exception/Variation Reports • Deposits accounts debit balance • Temp O/D beyond sanction limit • Standing instruction failed in day

  48. Error Reports • CBS provides a number of in-built checks to prevent unauthorized data entry, mismatch of data, entry not posted, entry truncated while processing, errors during process etc. These are provided by way of EoD exception reports for corrective action. These reports can be verified and checked for action taken at the year end.

  49. Tips

  50. Tips and tricks • Understand and feel the CBS system by using Auditor login (Read only/view only access). • Go through User Manuals • Explore intranet of bank • Use Excel as Audit Tool
