Panacea InfoSec

Introduction

Information Technology is changing the nature of accounting activities. The replacement of manual operations by automated systems has brought drastic changes to banking operations, and has influenced banks in particular because their activities are largely financial transactions. While computerization brings the advantages of efficiency, speed and economy in transaction processing, and reduces some traditional risks and opportunities for fraud, it places new challenges before auditors in a paperless, on-line transaction processing environment. Information Systems (IS) Audit has gained importance in the context of the accelerating pace of computerization taking place in the banking sector world-wide. IS audit, sometimes referred to as computer audit or EDP audit, is generally lacking in banks. The objectives of IS audit are to ensure adequate security and control measures, to maintain data integrity, to achieve the goals of the organisation effectively and to ensure efficient use of resources in Computerised Information Systems (CIS). It covers all aspects of information processing in a computerised environment, including related manual processes and the supporting infrastructure.

Even though computerization leads to improvement in customer service, housekeeping, decision-making, productivity and profitability, it need not be construed as a panacea for all the problems being faced by the banks. Uncontrolled and unsecured technology based banking operations may lead to loss of vital data, and may compromise other security aspects. It may lead to computer related frauds and abuses.

Information Technology offers an easy and efficient way to collect, store, process and transmit information. When vital business decisions are made on the basis of this information, it becomes imperative to ensure that the right information is available at the right time to the right people, and that it is not accessed or altered by unauthorized persons. This requires that the information stored on computer systems and transmitted over networks be protected. It becomes even more important when this information represents financial data or confidential information, the misuse of which may result in loss to the organisation.

The information-processing environment has undergone drastic change with implementation of computer networks where the information can be accessed from different locations. Today the networking has become an integral part of any Enterprise Solution to share the computer and data resources efficiently. All these developments pose potential threats for unauthorized access of information breaking locational barriers. The authentication of the users assumes an importance and requires technology based access control solutions to prevent the misuse of the information.

Technological advances in the Information Technology will continue with greater speed to increase our ability to acquire, store, process and network the data. As a result more and more information will be shared in day-to-day functioning of banks, making IT the very lifeblood of banking. Hence the issues related to security and control can never be overlooked. The issues related to security of computer hardware, software, systems, application software, data and its communication need to be considered in a holistic manner.

Security related issues are very important in today's Internet environment. Internet banking and e-commerce related activities are already in place in many countries including India where banks have to provide secure and efficient means of funds transfer. The Central Banks have to play an important role to ensure implementation of efficient payment and settlement systems.

The survival of banks and financial institutions is often dependent on the quality, adequacy, integrity and timely availability of their information resources. Protecting information, and the infrastructure that processes and maintains it, becomes critical to the continuity of business operations. Security of information resources must include assessment of IT risks and placing proper controls and safeguards to offset or reduce possible threats, as well as to ensure timeliness, availability, integrity and other measures of robustness. Organisations must have a robust security policy as the general guiding principle for ensuring confidentiality, integrity and availability of Information Systems. All security procedures should be guided by the security policy.

Setting up a secure Information System goes beyond mere computerization of manual process. The system should safeguard its assets and maintain data integrity. It should help in achieving the organization's goals. A secure information system is expected to have well laid down procedures and controls, which are backed by commitment from the top management. It is required to monitor periodically that these procedures and controls are in place to ensure that the information stored on these systems is dependable. This periodical monitoring is achieved by IS Audit.

The objective of audit does not change between a manual and a computerised environment; only the approach changes. IS Audit is a process of collecting and evaluating evidence to determine whether a computer system safeguards its assets (hardware, software and data) through adequate security and control measures, maintains data integrity, achieves the goals of the organization effectively and results in efficient use of the resources available.

Thus, IS Audit is an independent appraisal activity which identifies security and processing risks in Computerized Information System and evaluates related manual and system controls to ensure security, functionality and reliability of hardware, operating system and application software, and to ensure integrity, confidentiality and availability of data. It has also to ensure availability and adequacy of technical environment.

Data integrity implies that attributes of the data such as completeness, accuracy, timeliness, effectiveness and reliability are consistently maintained during input, processing, communication, storage and retrieval.

One of the objectives of IS Audit is to evaluate the effectiveness of controls. Hence it is of the utmost importance for IS Auditors to understand the nature of controls. A control is a system that prevents, detects or corrects undesirable events. An undesirable event is one which arises if unauthorized, inaccurate, incomplete, ineffective or inefficient input enters the system. A control consists of a set of interrelated components that function together to achieve some overall purpose: it is the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected. Consider the example of access control. The term "access control" by itself does not describe a control. It becomes a control only if the system actually prevents an unauthorized person from accessing the system, by means of physical and technology-based measures such as user IDs and passwords together with permissions governing access to a particular database or application, or part of it. All these components of access control must be in place and effective; a password check without enforced permissions, or permissions without authentication, leaves the exposure open. Thus we must consider the reliability of a control from the system's point of view.

Each organization should identify the events and circumstances whose occurrence could result in a loss to the organization. These are called exposures. Controls are those acts, which the organization should implement to minimize the exposures. There are four types of controls.

  1. Deterrent controls - Deterrent Controls are designed to deter people, internal as well as external, from undertaking undesirable activities. For example, written policies that include punitive measures may deter people from undesired activities.
  2. Preventive Controls - Preventive Controls prevent the cause of an exposure from occurring, or at least minimize the probability of an unlawful event taking place. For example, security controls at the various levels of hardware, system software, application software, database and network.
  3. Detective Controls - When the cause of an exposure has occurred, detective controls report its existence so that further damage can be arrested or its extent minimized. Thus detective controls limit the losses once an unlawful event has occurred. Fire precautions such as smoke detectors and heat detectors fall into this category. The IS audit function itself can often be treated as a detective control.
  4. Corrective Controls - Corrective Controls are designed to recover from a loss situation. For example, Business Continuity Planning is a corrective control. Without corrective controls in place, the bank risks loss of business and other losses due to its inability to recover essential IT-based services, information and other resources after a disaster has taken place.

IS Auditors should see that at least one control exists to cover each unlawful event likely to occur. If an unlawful event is covered by a control, the auditor must evaluate whether that control is operating effectively. If more than one control covers an unlawful event (i.e. redundant controls exist), the auditor must see that all of them operate effectively.
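The coverage check described above can be carried out mechanically once the exposures and the controls covering them are written down. The following is an added example (not code from the original page or from Panacea InfoSec) of such a check in Python: each control is tagged with one of the four types, the set of exposure identifiers it covers, and the result of the auditor's test of operating effectiveness. The exposures and controls below are constructed sample data, and the identifiers E1 to E4 are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class ControlType(Enum):
    DETERRENT = "deterrent"
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"


@dataclass(frozen=True)
class Control:
    name: str
    ctype: ControlType
    covers: frozenset      # identifiers of the exposures this control addresses
    effective: bool        # outcome of the auditor's test of operating effectiveness


# Constructed sample data (hypothetical identifiers; not taken from the page).
EXPOSURES = {
    "E1": "Unauthorised logon to the core banking application",
    "E2": "Loss of the data centre to fire",
    "E3": "Fraudulent transaction keyed by an authorised user",
    "E4": "Unauthorised entry to the server room",
}

CONTROLS = [
    Control("IT security policy with disciplinary measures",
            ControlType.DETERRENT, frozenset({"E1", "E3"}), True),
    Control("User ID/password with application permissions",
            ControlType.PREVENTIVE, frozenset({"E1"}), True),
    Control("Smoke and heat detectors",
            ControlType.DETECTIVE, frozenset({"E2"}), True),
    # Assumed test result: the last recovery drill was not performed.
    Control("Business continuity plan",
            ControlType.CORRECTIVE, frozenset({"E2"}), False),
    Control("Daily review of the exception transaction report",
            ControlType.DETECTIVE, frozenset({"E3"}), True),
]


def evaluate_coverage(exposures, controls):
    """Apply the auditor's rule: every exposure needs at least one control,
    and every control covering an exposure (redundant ones included) must
    be operating effectively for that exposure to be satisfactorily covered."""
    uncovered, ineffective, satisfactory = [], {}, []
    for eid in exposures:
        covering = [c for c in controls if eid in c.covers]
        if not covering:
            uncovered.append(eid)
            continue
        failed = [c.name for c in covering if not c.effective]
        if failed:
            ineffective[eid] = failed
        else:
            satisfactory.append(eid)
    return {"uncovered": uncovered, "ineffective": ineffective,
            "satisfactory": satisfactory}


def control_types_covering(exposures, controls):
    """Which of the four control types address each exposure; an exposure
    relying on deterrent controls alone is worth a closer look."""
    return {eid: {c.ctype for c in controls if eid in c.covers}
            for eid in exposures}


if __name__ == "__main__":
    report = evaluate_coverage(EXPOSURES, CONTROLS)
    types = control_types_covering(EXPOSURES, CONTROLS)
    for eid, description in EXPOSURES.items():
        if eid in report["uncovered"]:
            status = "NO CONTROL"
        elif eid in report["ineffective"]:
            status = "INEFFECTIVE: " + ", ".join(report["ineffective"][eid])
        else:
            status = "covered by " + ", ".join(sorted(t.value for t in types[eid]))
        print(f"{eid} {description}: {status}")
```

On the sample data the report flags E4 as having no control at all, E2 as covered only by a corrective control whose effectiveness test failed, and E1 and E3 as satisfactorily covered. The second function is what lets an auditor see that E3, for instance, relies on a deterrent plus a detective control but has no preventive control, which is a judgement the coverage rule alone does not make.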

Audit Benefits
