IT Audit Scope for Commercial Banks

1. Background:
ABC Bank Limited is a banking business entity which believes in and establishes good management
practices. We believe in continuous improvement initiatives. We value our customers' trust very
highly in every aspect. IT systems are the most important tool for ensuring that smooth, disciplined
and efficient operation is established in internal processes and customer relation services. To
maintain a sound management process, it is necessary to evaluate IT systems and processes
periodically and rectify the identified deficiencies. As IT is an ever-evolving and complex technology, it
needs special care in planning, operating, evaluating and improving IT operations. ABC Bank Limited
gives high importance to the continuous improvement of IT services.
2. IT Landscape of ABC Bank Limited:
ABC Bank Limited has implemented XYZ for operating the core banking processes.
[Give an overview of IT systems and IT infrastructure items that have been deployed and are relevant
to the scope of audit. This overview will give the auditors an understanding of where they are going to
audit.]
3. Objectives of this IT Audit:
We believe that our IT infrastructure is well operated and well managed. However, as a disciplined
management practice, we want to objectively determine whether our IT risk management, control and
governance processes provide reasonable assurance that:
a. Integrity, confidentiality and availability of data and IT systems are adequate
b. Data processing is accurate and complete
c. IT resources are optimally utilized
d. IT services are aligned with the business adequately.
4. Audit Criteria:
1. Bangladesh Bank policies for banking products and processes (automated)
2. Bangladesh Bank ICT Guideline 2015
3. Bank's IT Security Policy
4. PCI-DSS v3 for card operations security
5. [ISO-27001 for information security, ISO-22301 for business continuity - optionally]

5. Audit Scope:
The scope of the audit is specified in the sections below.
5.1. Core Banking System (CBS) Controls
The auditors should assess the effectiveness and efficiency of the automated banking process.
The assessment should cover the CBS and all other banking applications interfacing with the CBS. It
should cover the following control areas across the Corporate and Retail banking modules and
other interfacing systems. The auditors must assess every process, system or control only against
the audit criteria listed in Section 4.
Page 1 of 5

a. Service charge and interest income
Review the process logic and configuration data for all loans and advance products,
e.g., term loans. Check the service charge, interest calculation and settlement logic of
the configured products. Review the loans and advance product lifecycle in the system
for compliance and security.
b. Interest expense
Review the process logic and configuration data for all deposit products, e.g., FDR,
DPS, savings, etc. Check the interest calculation and settlement logic as well. Product
lifecycle management in the system should be reviewed.
c. General Ledger vs. Sub-ledger consistency & auxiliary systems
- Evaluate the controls that keep the GL consistent with all relevant sub-ledgers.
- Evaluate interface controls for debit and credit card systems.
- Evaluate interface controls for BEFTN.
- Evaluate interface controls for SWIFT systems.
- Evaluate interface controls for internet banking systems.
- Evaluate interface controls for mobile banking systems.
- Review the Trade Finance process controls.
- Check the management process of the suspense account.
d. Segregation of duties / dual control
Check whether all sensitive transactions are under dual control in the system. Also
find out whether any such controls can be bypassed. Check whether any alteration
of a product or service charge is properly authorized in the system before it can be
used in transactions.
e. Limit of authority
Check whether application users' transaction approval limits are consistent with official
role and delegation. Limit controls should be checked for both users and products.
f. Data-processing Controls
Check whether the CBS has proper input validation controls and data processing controls.
Input controls are expected to eliminate or minimize input errors/incompleteness and
unauthorized entries.
Data processing controls are expected to comply with business processes and
policies. Inconsistency and incompleteness in data processing are to be eliminated.
Include a review of the accuracy of the loan classification process and the foreign
exchange valuation process.

g. Reporting Controls
Check whether the CBS delivers the reports in compliance with business requirements
and banking regulations. Evaluate whether reporting facilities are controlled and
authorized by an appropriate level of management.
Also, evaluate the data loading and reporting controls in the reporting system (e.g.,
data warehouse) and check whether there are possibilities of inaccurate reporting.


The auditors should articulate convincing business risks associated with the reported findings.
The recommendations should be suitable for forming clear rectification plans.
There are NN branches and each branch has a local system. The audit team should test XY branch
servers.
5.2. Penetration Testing (Servers & Network)
An automated vulnerability assessment needs to be performed over a group of servers. The
auditors also have to perform penetration testing on those servers from inside the network as
well as from outside (internet). The test results have to be presented in both technical and
non-technical forms, to IT and to management respectively, in a manner that allows corrective
actions to be formed easily. The auditors should also provide easy-to-follow recommendations
to form action plans.
The VA/PT has to be performed on XY servers and MN network devices (routers & firewalls).
- N servers have Windows OS, M have Linux and P have a Unix platform.
- X servers have databases (Oracle on T, MySQL on V & SQL Server on D servers).
- Y servers have web services hosting the web-based applications.
However, the auditors would not be allowed to alter any system configuration. The plan has to be
discussed and agreed with IT management before it can be undertaken.
5.3. User Access Control / Application Security
The auditors should assess the effectiveness and efficiency of the user access management
process in use. The assessment should cover the core banking applications and all other
back-office applications. It should cover the following control areas.
a. User identity management
Check whether the user creation process prevents an officer from having multiple user IDs
in the system by any technical means. Check whether a user ID can be mapped to
an officer without any dispute. Check whether a user ID is only created after proper
authorization and deactivated immediately upon the employee's departure from service or
role.
b. Password management
Check whether adequate provisions have been effectively maintained to prevent
password guessing and disclosure through password complexity and periodic
changes. Evaluate the strength of password policies deployed.
c. Privilege management
Check whether users' privileges in the system were authorized by the appropriate
personnel and comply with the official role. Check whether privileges are changed or
deactivated upon the change of a person's role with immediate effect.
d. Segregation of duties
Check whether an SOD conflict matrix is in use to identify which privileges should not
be given to the same person. Check whether any users already hold privileges that
fall under conflicting privileges, and rate such cases as high risk.
e. Privileged account control (super users / admin accounts)
Review the use of super user accounts in the applications, databases and OS. Check
whether any significant action done by super user accounts can be attributed to an
official.
f. Audit trail
Check the adequacy of content, preservation and monitoring of system audit logs.
Check the preservation and usefulness of audit trails for business applications,
databases and OS. Check whether the audit trail can be reliably used in computer
forensics, if the need arises.
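As an added illustration of the checks in items a and d above (this is example code, not part of the bank's scope document): a constructed SOD conflict matrix and a constructed user export are checked in Python, with privileges merged per officer so that a conflict split across two user IDs held by the same person is still detected and rated HIGH.

```python
"""Constructed example for scope items 5.3.a and 5.3.d: checking an
application's user export against an SOD conflict matrix."""
from itertools import combinations

# Hypothetical conflict matrix: privilege pairs one person must not hold.
SOD_CONFLICTS = {
    frozenset({"CREATE_PRODUCT", "APPROVE_PRODUCT"}),
    frozenset({"INPUT_TRANSACTION", "AUTHORIZE_TRANSACTION"}),
    frozenset({"CREATE_USER", "ASSIGN_PRIVILEGE"}),
}

# Constructed user export: user ID, the officer it maps to, and privileges.
USER_EXPORT = [
    {"user_id": "u1001", "officer": "E-0001", "privileges": {"INPUT_TRANSACTION"}},
    {"user_id": "u1002", "officer": "E-0001", "privileges": {"AUTHORIZE_TRANSACTION"}},
    {"user_id": "u1003", "officer": "E-0002",
     "privileges": {"CREATE_PRODUCT", "APPROVE_PRODUCT"}},
    {"user_id": "u1004", "officer": "E-0003", "privileges": {"CREATE_USER"}},
]


def privileges_by_officer(users):
    """Merge privileges per officer, so a conflict split across several
    user IDs belonging to one person is still detected."""
    merged = {}
    for u in users:
        entry = merged.setdefault(u["officer"], {"user_ids": [], "privileges": set()})
        entry["user_ids"].append(u["user_id"])
        entry["privileges"] |= u["privileges"]
    return merged


def officers_with_multiple_ids(users):
    """Item 5.3.a: officers holding more than one user ID."""
    return {o: e["user_ids"] for o, e in privileges_by_officer(users).items()
            if len(e["user_ids"]) > 1}


def find_sod_conflicts(users, matrix=SOD_CONFLICTS):
    """Item 5.3.d: one finding per conflicting privilege pair an officer holds,
    rated HIGH as the scope requires."""
    findings = []
    for officer, entry in privileges_by_officer(users).items():
        for a, b in combinations(sorted(entry["privileges"]), 2):
            if frozenset({a, b}) in matrix:
                findings.append({"officer": officer, "user_ids": entry["user_ids"],
                                 "conflict": (a, b), "rating": "HIGH"})
    return findings
```

Run against a real export, the same logic lists every officer whose combined user IDs breach the matrix, which is the evidence the finding needs.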

The auditors should articulate convincing business risks associated with the reported findings and
identify the root causes, which would be used to design and implement preventive controls. They
should also suggest realistic and good control practices for each finding.
The auditors should assess the security controls of the server OS and the databases used for banking
and other back-office applications. They should identify whether any backdoors are open in the
servers which may be misused by successful intruders.
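As an added illustration of items e and f in Section 5.3 (example code, not the bank's own tooling): actions recorded by account name only in a constructed OS/database audit log are matched against a constructed privileged-session log, so each super-user action is attributed to the officer who held the shared account at that time, and any action no session explains becomes a finding.

```python
"""Constructed example for scope items 5.3.e and 5.3.f: attributing actions
taken under a shared super-user account to a named officer via the privileged
session log, and flagging actions no session explains."""
from datetime import datetime

# Constructed privileged-session log (who checked out the shared account).
SESSION_LOG = [
    "2024-03-01T09:00:00 event=login session=S1 officer=E-0007 account=root host=cbs-db01",
    "2024-03-01T09:45:00 event=logout session=S1",
]
# Constructed OS/database audit log: actions recorded by account name only.
ACTION_LOG = [
    "2024-03-01T09:10:00 host=cbs-db01 account=root action=ALTER_TABLE object=loan_interest",
    "2024-03-01T11:30:00 host=cbs-db01 account=root action=DROP_USER object=u1003",
]


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def build_sessions(lines):
    """Map session ID to officer, account, host and the login/logout window."""
    sessions = {}
    for f in map(parse, lines):
        if f["event"] == "login":
            sessions[f["session"]] = {"officer": f["officer"], "account": f["account"],
                                      "host": f["host"], "start": f["ts"], "end": None}
        elif f["event"] == "logout":
            sessions[f["session"]]["end"] = f["ts"]
    return sessions


def attribute_actions(action_lines, sessions):
    """Attribute each privileged action to the officer whose session covered it;
    an action outside any session becomes an audit finding."""
    results = []
    for f in map(parse, action_lines):
        officer = next((s["officer"] for s in sessions.values()
                        if s["account"] == f["account"] and s["host"] == f["host"]
                        and s["start"] <= f["ts"]
                        and (s["end"] is None or f["ts"] <= s["end"])), None)
        results.append({"ts": f["ts"].isoformat(), "action": f["action"],
                        "object": f["object"], "attributed_to": officer,
                        "finding": None if officer else "UNATTRIBUTED_PRIVILEGED_ACTION"})
    return results
```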
5.4. Data Center & Network Security
The data center(s) is the most important IT facility, housing the most important IT assets. Its
security is treated with the utmost importance.
The auditors would evaluate the security measures and residual security exposures of the data
center, the DR site and the IT networks deployed, covering both office and branch connectivity.
The auditors should test and report whether the network and data centers are optimally utilized
for the business. The use of internet and rented network links also needs to be evaluated to
ensure the best interest of the bank.
5.5. Subsidiary Systems
There is an HRMS application which has employee database, payroll, leave and attendance
management modules.
5.6. Card Operations
This scope also includes ATM network security. Both physical and logical security are included in
the scope.
a. Card Application process
b. Card Production/Procurement process
c. PIN Generation process
d. Card and PIN Delivery process
e. Card Activation and Blocking processes
f. Card Usage controls & interaction with ATMs
g. Card and PIN Re-issuance/Renewal process
h. Customer, card and PIN data management
i. Billing process
j. Settlement process
k. Accounting and Reconciliation process
l. Segregation of duties (SOD) in Operation
m. User access control
n. Network and transmission security
o. VA/PT of card servers
p. Compensating controls
5.7. IT Operations & Maintenance
IT operations and maintenance is a very important area to ensure smooth IT service delivery.
New system development or acquisition (SDLC) is a vital process for ensuring that the IT systems
are aligned with business needs. The auditors should evaluate the processes and controls for
effectiveness and efficiency and report on the deficiencies (if any).
a. Change management
b. Capacity management
c. Downtime management
d. System and network monitoring process
e. Backup and recovery management / BCP
f. IT helpdesk and users' issue resolution
g. New system development or acquisition process and UAT
h. Segregation of duties in IT operations & maintenance
i. Software license management

The auditors should recommend best practices in these areas which are realistic and feasible for
the bank.
6. Auditors' Competency:
The team has to include at least one CISA and have adequate knowledge, skills and experience of
auditing IT systems in the banking sector in Bangladesh. At least one team member should have
hands-on experience with a core banking system. All the individual auditors in the team must have
adequate competence to conduct the assigned part of the audit.
7. Completion Timeline:
The auditors should discuss with ICCD and IT to develop an audit schedule which is feasible and
useful. However, the whole audit should be completed within a four-month period. The auditors
may publish the audit results in multiple audit reports progressively, to focus on areas of a similar nature
at a time.
