I usually get this question from aspiring IS auditors: “How do you audit a system that you have never used before?”
Well, everyone starts from somewhere! My previous information systems internal audit experience was heavily vested in the financial services industry, and the major focus was on auditing core banking systems (CBS).
There are various types of core banking systems in the market, but the approach can be customized to any core banking system that your organization is using. Therefore, the following control tests may apply to whichever CBS your organization is using.
Because the financial services industry is highly regulated, prior to the commencement of your IS audit, you need to dedicate time to read and have a deeper understanding of the various regulations that supervised financial services organizations are supposed to comply with. These organizations include banks, fintechs, telecommunication companies, credit reference bureaus (CRBs), mobile money service companies, microfinance organizations, investment groups, etc. In this case, you have to understand the regulatory requirements from the central bank of your country, financial institutions acts (FIA), the Securities and Exchange Commission (SEC), and regulations from other agencies, like insurance regulatory authorities and revenue authorities, that oversee financial institutions activities.
Depending on your scope and the audit objectives, you can then determine the control tests that you will perform on the areas you have identified for review. These may include:
- Review the organizational policies, procedures and standards regarding the operation and backend administration of the CBS.
- Most system projects fail or become problematic depending on how they started, so much attention is needed at the beginning of everything. If the CBS is outsourced, review the service level agreement (SLA) or contract you have with the vendor and focus on reviewing the vendor support service provision (whether the set matrices are met and whether penalties for violation of agreed-upon matrices/T&Cs are implied). As you review the SLA further, ensure that the right to audit clause exists, with terms, nature of subscription and frequency for license renewal, and ensure that a non-disclosure agreement (NDA) or confidentiality agreement is signed or a clause exists in the contract (and versioning, if applicable).
- Review the application support, scripting/development and timelines for CBS versioning and how maintenance communication is done. Prior to the purchase of the CBS, confirm whether a business case was developed and review approvals. Confirm whether the CBS passed UAT and whether a post-implementation review (PIR) was done after six months. Ensure that training of users was or is continuously done and the vendor provided both technical and non-user manuals. It is also important to attest to Service Provider certification.
- Review the approved corporate settings, backend engine administration or parameter configuration of the CBS versus the extracted reports from the CBS.
- Understand the institution’s product requirements (loans, overdrafts, deposits, savings etc.), and inspect the core banking system to verify whether each product requirement is configured as-is in the CBS. Use your data analytics tool to re-compute rates charged on each product to ensure transparency on fees charged and accuracy in configurations. Review the change management procedures, too.
- It is also important to review where the CBS is hosted (on the cloud, hybrid cloud or on-premises) to find out the data privacy and protection requirements for hosting customers’ PII. You will also need to confirm the security of the primary data center and recovery sites for business continuity purposes.
- Test the logical access controls to the application (e.g., review the number of current system users /active accounts and deactivated accounts versus the updated staff list). Review the rights of each user profile. Also, in the move to establish accountability, review to verify that segregation of duties (SoD) or authorizer controls exist. Additionally, review whether system parameter changes are implemented after approval from respective users.
- Review the capacity management practices to ensure proper planning for IT resources.
- Review whether there are any manual reconciliations done before entering financial data in the core banking system, because garbage in = garbage out. This will enable you to give assurance on data integrity and accuracy.
- Ensure that the institution defined the know your customer (KYC) details in its onboarding forms to ensure that you understand the type of data the bank collects, processes and archives. In the same regard, review the bank’s privacy policy and privacy notice to understand how it handles PII. Review how often customer details are updated in the application.
- Review the backup schedules, how the start of day (SOD) and end of day processes (EOD) are done, monitor unposted/unsupervised transactions and how they are traced back to the initiator or supervisor, and review restoration timelines.
- Review the business continuity plan (BCP) and disaster recovery plan (DRP) for both your organization and that of the CBS service provider.
- Among the modules and menus of the CBS, review whether there is an embedded audit module (EAM) on the CBS and how often the logs are reviewed by the InfoSec Team or staff in charge.
- Review the organization’s change management program and validate whether all necessary security controls have been implemented on the CBS and on the application.
- Review the security of other applications, channels, merchants or APIs that integrate with the CBS. Additionally, find out which new technology and cybersecurity threats need to be urgently addressed to protect the entire organization from cyberattacks at an acceptable level.
The list of controls that you can test on the CBS is endless, depending on your audit scope and objective. Therefore, as an IS auditor, it is your responsibility to develop a comprehensive audit program that will add value and provide credible assurance for your organization.