Audit Programs - ICT


8/3/2019 Audit Programs - ICT

Columns: ACTIVITY | OBJECTIVE/RISK | KEY CONTROLS | AUDIT TEST | RESULTS / WORK PAPER REF.

Each row of the program is given below as Activity, Objective/Risk, Key controls and Audit test; the Results / Work paper ref. column is blank throughout this copy.

Activity: Data centre operations

Objective/Risk: To ensure that roles are well defined, and that controls are established and followed, to ensure proper management of ICT resources.
Key controls: The ICT department should be independent of the user departments, particularly in the processing of transactions. (Flexcube manual page 8)
Audit test: Verify whether the ICT department is independent of the user departments, in particular the accounting/finance department. Check that the ICT team is not involved in the processing of entries, neither inputting nor authorizing transactions.

Objective/Risk: Corruption of data and loss/damage to other IT resources by unauthorized persons.
Key controls: Entry to the data centre is restricted to authorized persons only. Entry of unauthorized persons should be recorded in a register indicating the following:
- the name of the visitor
- date and time of entry
- the purpose of visit
- the time of exit
- signature/initial of the visitor.
The register must be reviewed and initialed by the Manager, ICT. (Flexcube manual page 8)
Audit test: Is there strict control of entry and exit into the Data Centre? Is there a register to record entry into the Data Centre? Review the register to confirm that it contains the following information on people who enter the Data Centre:
- the name of the person
- the date and time of entry
- the purpose of the entry
- the time of exit
- signature/initial of the visitor.
Check whether the register is reviewed and initialed by senior personnel of ICT.

Objective/Risk: Corruption of data and loss/damage to other IT resources by unauthorized persons.
Key controls: The list of personnel authorized to enter the Data Centre must be displayed in the Data Centre. Visitors to the Data Centre must be accompanied by authorized personnel at all times. (Flexcube manual page 8)
Audit test: Verify whether there is a list of authorized personnel in the Data Centre. Are unauthorized personnel in the Data Centre always accompanied by a staff member, and do they fill in the required information in the entrance register?

Objective/Risk: Inefficiencies arising from overlapping roles.
Key controls: The role of ICT is segregated into Business Systems and Infrastructure Systems functions, and there is no overlapping of duties between the two units. (ICT Continuity Plan Chapter 2)
Audit test: Review the organization chart of the ICT department. Is there segregation of duties between the Business Systems and Infrastructure Systems teams? Check for any overlapping roles between the two units.

Key controls: A job description will be given to each staff member of the ICT team outlining the responsibilities of every ICT team member. (HR procedure manual)
Audit test: By reviewing a sample of staff files, ensure that the roles are clearly defined for each staff member. Check that the job description of each staff member matches the roles being undertaken by that staff member.

Activity: Data centre operations (contd)

Key controls: The ICT team will be continuously trained, coached and guided in their designated roles.
Audit test: Review that all ICT staff members are adequately trained and experienced to handle their designated roles.

Objective/Risk: Interruption to information processing due to inappropriately implemented system changes.
Key controls: System changes will be thoroughly tested prior to implementation, and user acceptance tests (UATs) done prior to implementation. The UAT results should be properly documented. Any exceptions noted in the course of User Acceptance Testing must be resolved before live implementation of the system. Users and data processing personnel should be adequately trained to handle all new applications.
Audit test: Check that changes to systems or implementation of new systems are approved prior to implementation. Is adequate testing done prior to implementation? Are user acceptance tests properly conducted and documented? Verify that any exceptions noted during User Acceptance Testing are resolved prior to live implementation. Are users and data processing personnel adequately trained to use new applications?

Objective/Risk: Business disruption when new changes fail and previous applications are not maintained.
Key controls: Retain copies of all previous versions of programs and applications being replaced or upgraded. Changes to any applications and programs should be documented and authorized before implementation. Thereafter a post-implementation review is carried out and the results analyzed.
Audit test: Verify that a copy of the previous version of the program is retained for use in the event of problems arising with the amended version. Are there controls over authorization, implementation and documentation of changes to operating systems? Are post-implementation reviews carried out, and the results documented and analysed?

Objective/Risk: Ensure that staff are aware of how to carry out various activities.
Key controls: Manuals must be prepared for all applications and systems in use at the Bank. Subsequent updates must be done for all revisions and upgrades. At least one copy of the user manual must be kept off-site.
Audit test: Are user manuals prepared for all new systems developed, and revised for subsequent changes? Ensure that copies of the user/operations manuals are kept off-site.

Objective/Risk: Unauthorized procurement of ICT resources.
Key controls: All purchases of software and other ICT resources must be appropriately approved.
Audit test: For purchased software, check that approval was obtained for the purchase. Are there procedures addressing controls over selection, testing and acceptance of packaged software? Have these been followed? Are vendor warranties still in force for new software obtained?

Activity: Systems access security

Objective/Risk: To ensure that information systems are accessed by authorized persons only. To guard against the risk of unauthorized access to the bank's information resources.
Key controls: The Information Security Policy details the management (i.e. choice, change and protection) of passwords. (Information Security Policy 2.8)
Passwords should contain a minimum of 5 and a maximum of 8 characters and should contain an alphanumeric character. (Information Security Policy 2.8.1)
Each user will be allocated a unique password and a unique user account. (Information Security Policy 2.7.4)
Users who forget their passwords should fill in the System User Access Profile form, which is then authorized by their departmental heads before submission to ICT. (Information Security Policy 2.8.2)
Audit test: Do formal procedures exist for the issue and subsequent control of passwords? Is proper password syntax being used, i.e. minimum 5 and maximum 8 characters, including alphanumeric characters? Is each user allocated a unique password and user account? Are there satisfactory procedures for re-issuing passwords to users who have forgotten theirs?

Objective/Risk: Unauthorized access to the bank's information resources leading to corruption and manipulation of information.
Key controls: Staff members are assigned user rights commensurate with their roles as per job descriptions.
Flexcube system passwords must be changed before 30 days, while Network passwords should be changed before expiry of 45 days. Password change prompts/alerts are given before expiry of the respective durations.
Application passwords must not be revealed to or shared with any other users. (Information Security Policy 2.8.3 & 5.5)
A Security Violation Report is generated from Flexcube and reviewed on a daily basis by the Assistant Manager, ICT. (FCT Control manual page 17)
Audit test: Check that system access capabilities are properly changed with regard to personnel status changes. Are individual job responsibilities considered when granting users access privileges? Verify that there are procedures in place to ensure forced password change after 30 days for Flexcube and 45 days for the Network. Do terminals automatically log off after a certain period of time? Check that there is a limit on invalid passwords before the terminal closes down. Check for any case of password sharing by ICT personnel and obtain explanations for such. Are invalid password attempts reported? Review the reports.

Activity: Systems access security (contd)

Objective/Risk: Unauthorized access to the bank's information resources leading to corruption and manipulation of information.
Key controls: User access rights are promptly revoked when an employee departs the service of the Bank. Users who proceed on leave are disabled promptly. Users are re-instated on resumption of duty and completion of a System Users Access & Profile form.
Users are guided through password management during their induction program when they join the services of the bank. (Information Security Policy 2.8.1)
Audit test: Check whether system access rights are promptly revoked for all employees who leave the services of the Bank. Verify that access rights for users who proceed on leave are deactivated until resumption of duty. Do the users fill in a System User Access & Profile form on resumption of duty? Check whether this form is duly approved. Review the training arrangements for staff in designing, changing and protecting their passwords, to ensure restriction of access to systems by unauthorized people.
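The revocation, leave and forced-password-change tests above can be run mechanically as a reconciliation of a system account export against the HR roster, using the password age limits stated in the key controls (30 days for Flexcube, 45 days for the Network). This is an added example, not part of the audit program or of Flexcube: the roster and export layouts, the orphan-account check (an account whose owner has no HR record at all) and every sample record are assumptions constructed here.

```python
"""Added example: reconcile system accounts against the HR roster.

Only the 30-day Flexcube and 45-day Network password limits come from the
audit program; the record layouts and all sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Maximum password age per system, as stated in the key controls.
MAX_PASSWORD_AGE_DAYS = {"flexcube": 30, "network": 45}


@dataclass(frozen=True)
class Staff:
    staff_id: str
    status: str        # "active", "on_leave" or "left"
    status_date: date  # departure date or first day of leave; hire date if active


@dataclass(frozen=True)
class Account:
    system: str        # "flexcube" or "network"
    user_id: str
    staff_id: str      # HR identifier of the account owner
    enabled: bool
    last_password_change: date


@dataclass(frozen=True)
class Finding:
    system: str
    user_id: str
    issue: str


def password_overdue(system: str, age_days: int) -> bool:
    """'Must be changed before N days' is read strictly: N days old is overdue."""
    return age_days >= MAX_PASSWORD_AGE_DAYS[system]


def review_access(roster, accounts, as_of: date):
    """Reconcile accounts against the roster as at `as_of`.

    One Finding per control failure:
      - account whose owner has no HR record (ownership cannot be confirmed)
      - enabled account whose owner has left the Bank (revocation not done)
      - enabled account whose owner is on leave (disabling not done)
      - enabled account whose password is older than the system's limit
    """
    staff_by_id = {s.staff_id: s for s in roster}
    findings = []
    for acct in accounts:
        owner = staff_by_id.get(acct.staff_id)
        if owner is None:
            findings.append(Finding(acct.system, acct.user_id,
                                    f"orphan account: no HR record for {acct.staff_id}"))
            continue
        if not acct.enabled:
            continue  # a disabled account satisfies both the revocation and leave controls
        if owner.status == "left":
            findings.append(Finding(acct.system, acct.user_id,
                                    f"access not revoked; owner left on {owner.status_date}"))
        elif owner.status == "on_leave":
            findings.append(Finding(acct.system, acct.user_id,
                                    f"account enabled while owner on leave since {owner.status_date}"))
        age = (as_of - acct.last_password_change).days
        if password_overdue(acct.system, age):
            findings.append(Finding(acct.system, acct.user_id,
                                    f"password {age} days old; limit is "
                                    f"{MAX_PASSWORD_AGE_DAYS[acct.system]} days"))
    return findings


# Constructed sample data (not from the audit program); audit date is assumed.
AUDIT_DATE = date(2019, 8, 3)

ROSTER = [
    Staff("S001", "active", date(2015, 1, 10)),
    Staff("S002", "left", date(2019, 7, 15)),
    Staff("S003", "on_leave", date(2019, 7, 29)),
    Staff("S004", "active", date(2018, 3, 1)),
]

ACCOUNTS = [
    Account("flexcube", "jdoe", "S001", True, date(2019, 7, 20)),   # 14 days old: fine
    Account("network", "jdoe", "S001", True, date(2019, 6, 10)),    # 54 days old: overdue
    Account("flexcube", "asmith", "S002", True, date(2019, 7, 1)),  # owner left, still enabled
    Account("network", "asmith", "S002", False, date(2019, 7, 1)),  # correctly revoked
    Account("flexcube", "bkim", "S003", True, date(2019, 7, 25)),   # owner on leave, still enabled
    Account("network", "cray", "S099", True, date(2019, 7, 30)),    # no HR record
    Account("flexcube", "dlee", "S004", True, date(2019, 7, 5)),    # 29 days old: fine
]


def sample_findings():
    return review_access(ROSTER, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.system:9}{f.user_id:8}{f.issue}")
```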

Activity: Data control procedures

Objective/Risk: To ensure transactions are properly processed and that output is complete and accurate. Also to ensure that data/information stored in the bank's systems is not corrupted or destroyed.
Key controls: The Flexcube system will not process any unauthorized transactions. End of Day procedures cannot be commenced in the Flexcube system until all batches of transactions have been authorized. The violation report in the Flexcube system provides details of all exceptional activities performed by the users during the day. The ICT team does not carry out any data input nor authorize transactions in the system; this responsibility lies with the user departments. Cut-off times have been set and communicated to all users to ensure that the End of Day process is commenced and completed as scheduled. The End of Day Process Checklist forms must be completed every day by the End of Day teams.
Audit test: Are all transactions properly authorized before being processed through the computer system? Check whether the system can detect batches or transactions which are input but not authorized. Are there established procedures to ensure that transactions or batches are not lost, duplicated or improperly changed? Check whether an error log is maintained and reviewed to identify recurring errors. Are all errors reported to the user departments for correction? Are persons responsible for data preparation and data entry independent of the output checking staff? Verify that persons responsible for data entry are prevented from amending master file data. Review that users adhere to data cut-off times to enable timely End of Day runs. Peruse the End of Day Process Checklist/sign-off forms file for the review/selected period to ensure that all listed activities are duly completed.

Activity: Tapes and disks control / Back-up control

Objective/Risk: To ensure that adequate back-ups are regularly taken to allow data and information to be readily recovered as necessary, and therefore minimum disruption to operations.
Key controls: The Data Back-up policy defines the back-up requirement for data to minimize exposure to loss of mission critical data. (Information Security Policy Chapter 10 & The Data Back-up Procedure manual page 2)
The End of Day Process Checklist/sign-off forms must be completed every day by the End of Day Team and reviewed by the Manager, ICT.
Audit test: Review the procedure for taking back-ups of system and program files. Does the procedure specify the duration for retaining back-ups? Does the procedure detail how to reinstall the back-ups? Check that back-ups of all database related files are taken regularly. Verify that daily back-ups are taken. Check for evidence that daily End of Day procedures are executed and back-ups taken. Who manages the End of Day back-up team?

Objective/Risk: Business interruption in the event of system failure and unavailable back-ups. To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: Flexcube data back-up is documented in the Data Back-up Procedure Manual, and the End of Day Process Checklist itemizes the EOD process. (Flexcube Data Back-up Procedure manual & Flexcube End of Day Cycle procedure manual)
The ICT team should be adequately trained and regularly appraised on data back-up processes.
All exceptions for data back-up must be approved by the Senior Manager, ICT.
Audit test: Check that the back-up process is fully documented, showing the following:
- date of data back-up
- type of data back-up (additional or full)
- number of generations
- responsibility for data back-up
- extent of data back-up (files/directories)
- data media on which the back-up data are stored
- data back-up hardware and software (with version number)
- data back-up parameters (type of data back-up)
- storage location of back-up copies
Is the data back-up team adequately and regularly trained on data back-up, the data restoration process, and back-up media retention and storage? Review exceptions during the audit period when daily back-ups were not taken. Obtain explanations for such.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: Copies of back-up tapes and disks are sent for safe custody at off-site locations, while other copies are stored in a fire-proof safe inside the computer room.
Audit test: Ensure that back-ups are stored at an off-site location away from the Data Centre. Verify that back-up tapes and disks are securely stored at the off-site location. Does the off-site location have adequate physical controls?

Activity: Tapes and disks control / Back-up control (contd)

Objective/Risk: System recovery drawbacks due to non-operational back-ups causing delays in information processing.
Key controls: Regular testing of back-ups must be done and the results documented.
Audit test: Are back-ups regularly tested to ensure their compatibility with the existing system? Have the testing results been documented and reviewed?

Objective/Risk: System recovery drawbacks due to non-operational back-ups causing delays in information processing.
Key controls: A hierarchical back-up cycle is established as follows:
- daily back-ups are retained for 2 weeks
- weekly back-ups are retained for 1 month
- monthly back-ups are retained for 1 year
- end of fiscal year and yearly data back-ups are retained for the long term
(Information Security policy manual 10.3.1)
Audit test: Check that back-ups are retained for the appropriate period as follows:
- two weeks for daily back-ups
- one month for weekly back-ups
- one year for monthly back-ups
- annual back-ups are retained for the long term

Objective/Risk: System recovery drawbacks due to non-operational back-ups causing delays in information processing.
Key controls: Multiple back-ups should be generated for monthly and annual back-ups, and each copy stored in a distinct archive storage location. (Information Security policy manual 10.3.1)
Audit test: Ensure that multiple back-up copies are taken for monthly and annual back-ups and each copy stored in a distinct archive storage location. Identify the locations for each back-up copy.
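The retention hierarchy and the multiple-copy rule above, together with the earlier test to review exceptions where daily back-ups were not taken, can be checked mechanically against a back-up register. This is an added example, not part of the audit program: the register layout, the assumption that a daily back-up is due every calendar day of the audit period, and every sample entry are constructed here, while the retention periods are the ones quoted from Information Security policy manual 10.3.1.

```python
"""Added example: retention, coverage and copy-location checks on a back-up register.

Retention periods (daily 2 weeks, weekly 1 month, monthly 1 year, annual
long-term) and the two-location rule for monthly/annual back-ups are from the
audit program; the register layout and all entries below are constructed.
"""
from calendar import monthrange
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class BackupRecord:
    cycle: str                          # "daily", "weekly", "monthly" or "annual"
    taken_on: date
    location: str                       # storage location of this copy
    disposed_on: Optional[date] = None  # None while the media is still retained


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def retention_expiry(rec: BackupRecord) -> Optional[date]:
    """Earliest date on which the copy may be disposed of; None means long-term."""
    if rec.cycle == "daily":
        return rec.taken_on + timedelta(weeks=2)
    if rec.cycle == "weekly":
        return add_months(rec.taken_on, 1)
    if rec.cycle == "monthly":
        return add_months(rec.taken_on, 12)
    if rec.cycle == "annual":
        return None
    raise ValueError(f"unknown back-up cycle: {rec.cycle}")


def missing_daily_backups(register, start: date, end: date):
    """Calendar days in [start, end] with no daily back-up in the register (assumed: one due every day)."""
    taken = {r.taken_on for r in register if r.cycle == "daily"}
    days = (start + timedelta(days=i) for i in range((end - start).days + 1))
    return [day for day in days if day not in taken]


def early_disposals(register):
    """Copies disposed of before their retention period had run."""
    out = []
    for r in register:
        expiry = retention_expiry(r)
        if r.disposed_on is not None and (expiry is None or r.disposed_on < expiry):
            out.append(r)
    return out


def single_location_archives(register):
    """Monthly/annual back-up sets held in fewer than two distinct locations."""
    locations = defaultdict(set)
    for r in register:
        if r.cycle in ("monthly", "annual"):
            locations[(r.cycle, r.taken_on)].add(r.location)
    return sorted(key for key, locs in locations.items() if len(locs) < 2)


# Constructed sample register for an assumed audit period of July 2019.
AUDIT_START, AUDIT_END = date(2019, 7, 1), date(2019, 7, 31)
REGISTER = [
    BackupRecord("daily", date(2019, 7, d), "DC fire-proof safe")
    for d in range(1, 32) if d not in (14, 27)          # two days with no back-up
] + [
    BackupRecord("daily", date(2019, 6, 15), "DC fire-proof safe", date(2019, 6, 29)),  # disposed exactly at expiry
    BackupRecord("daily", date(2019, 6, 20), "DC fire-proof safe", date(2019, 6, 30)),  # disposed after 10 days
    BackupRecord("weekly", date(2019, 6, 2), "DC fire-proof safe", date(2019, 7, 1)),   # one day short of a month
    BackupRecord("weekly", date(2019, 7, 7), "DC fire-proof safe"),
    BackupRecord("monthly", date(2019, 5, 31), "DC fire-proof safe"),                   # only one copy
    BackupRecord("monthly", date(2019, 6, 30), "DC fire-proof safe"),
    BackupRecord("monthly", date(2019, 6, 30), "Off-site vault"),
    BackupRecord("annual", date(2018, 12, 31), "DC fire-proof safe"),
    BackupRecord("annual", date(2018, 12, 31), "Off-site vault"),
]


def sample_report():
    """Run the three checks over the constructed register."""
    return {
        "missing_daily": missing_daily_backups(REGISTER, AUDIT_START, AUDIT_END),
        "early_disposals": early_disposals(REGISTER),
        "single_location": single_location_archives(REGISTER),
    }


if __name__ == "__main__":
    report = sample_report()
    print("Daily back-ups not taken:", [d.isoformat() for d in report["missing_daily"]])
    for r in report["early_disposals"]:
        print(f"Disposed early: {r.cycle} back-up of {r.taken_on} (retain until {retention_expiry(r)})")
    for cycle, taken in report["single_location"]:
        print(f"Single location only: {cycle} back-up of {taken}")
```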

Activity: Physical & environmental controls

Objective/Risk: Loss resulting from fire.
Key controls: Smoking should be prohibited inside the Data Centre and near all ICT installations.
Audit test: Check that the building material used around the Data Centre is fire resistant. Ensure that wall and floor coverings are non-combustible. Check that smoking is prohibited in the Data Centre or near any other IT installation.

Objective/Risk: Risk of loss resulting from fire.
Key controls: An automated Fire Suppression System has been installed which will extinguish fire occurrences in the Data Centre by release of Inergen gas. (ICTCP 3.6 (8) Environmental Control Systems)
The Fire Suppression System should be serviced regularly and a certificate of working condition filed. (ICTCP 3.6 Environmental Control Systems)
Audit test: Check whether fire/smoke detectors have been installed in the Data Centre and near all key Electronic Data Processing areas. Have fire extinguishers been installed? Are the fire instructions clearly posted in conspicuous locations? Are fire drills and training regularly conducted? Check whether the fire equipment is regularly inspected and confirmed to be in working condition. Review the maintenance agreements for the fire equipment. Ascertain that they cover the current period.

Objective/Risk: To minimize the risk of loss resulting from water/floods.
Key controls: Major IT installations should be kept raised above the floors to evade the risk of flooding.
The Data Centre is fitted with 2 sets of air conditioners. (ICTCP 3.6 (8) Environmental Control Systems)
Audit test: Check that all IT equipment is located above the floor. Is the Data Centre installed with air conditioners which are in working condition? Review this. Check whether the air conditioners are regularly maintained/serviced.

Objective/Risk: Interruption to information processing due to electrical power interruptions.
Key controls: The Data Centre is connected to an automatic Generator Set and a 30KVA MGE Galaxy 3000 UPS connected to the mains supply and the Generator Set. (ICTCP 3.6 (1) Utility Systems)
All PCs are primarily served by standalone UPS for protection against any power failures. (ICTCP 3.6 (1) Utility Systems)
Audit test: Is there a reliable power supply to the Data Centre and other IT locations? Does the bank have an alternative source of power such as a standby generator? Review whether the alternative power supply is regularly serviced. Check whether all computer equipment is supported by standby UPS. Check the general tidiness of the Data Centre. Are there littered papers around the area?

Activity: Virus control

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: The Information Security Policy details the manner of dealing with virus control. (Information Security Policy section 2.13)
Audit test: Is there a formal written anti-virus policy? Check that the policy has been communicated to all employees of the bank.

Objective/Risk: Unapproved software causing corruption of information and hence losses.
Key controls: Software shall only be acquired from approved vendors. Exceptions to this rule must be appropriately sanctioned and approved. (FA procedure manual 1.1 procurements)
The bank has a standard list of permissible software packages that users can run on their computers, and employees must not install other software packages or permit automatic installation routines on computers. (Information security policy manual 8.3)
Audit test: Verify that there is an approved list of software suppliers. Review that software obtained during the audit period was sourced from these vendors. Was any software obtained from unapproved suppliers? Check for approval for such procurements. Is only approved software installed on the bank's computer systems? Is there a master library for authorized software? Who controls access to this library?

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All attachments to electronic mail messages should be scanned with an authorized virus detection software package before opening and/or execution. (Information security policy 5.12)
Employees should not open any attachments from unknown senders without approval from the ICT department. (Information security policy manual 5.12)
Audit test: Are directories periodically reviewed for any suspicious files, and the reports documented? Check that such reports are reviewed by the Senior Manager, ICT. Check that suspicious files are quarantined and deleted from the computer hard drive and network drive.

Activity: Virus control (contd)

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All computers must continuously run the current version of virus detection software, which will be automatically downloaded to each computer when the machine is connected to DTBK's internal networks. (Information Security Policy 8.6)
Audit test: Verify that anti-virus software is installed on all computers. Is the anti-virus software regularly updated with new virus definitions? Verify that diskettes are formatted before re-use. Have procedures been developed to restrict and oversee the transfer of data between machines? Check that staff members have been prohibited from sharing machines.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: If users suspect infection by a virus, they must stop using the involved computer, turn it off, disconnect it from all networks and call the ICT department. (Information Security Policy 8.8)
Audit test: Have all staff been advised of the virus prevention procedures? Check that staff members inform the ICT team of any suspicion of virus infection.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All files downloaded from the internet will be screened with virus detection software prior to use. (Information Security policy 7.5)
Audit test: Are downloads from the internet controlled by locking the hard drive and routing through the network drive to prevent viruses (if any) from spreading?

Activity: Use of the internet

Objective/Risk: The bank has a policy regarding the use of the internet regulating the flow of data and information.
Key controls: The internet policy applies to all workers who use the internet with DTBK computing or networking resources. Internet users are expected to be familiar with and comply with the policy. (Information Security Policy 7.2)
Access to the internet will be provided only to those employees who have a legitimate need for such access. (Information Security Policy 7.3)
Audit test: Is there a policy regulating the use of the internet? If so, has the policy been properly communicated to the users and is awareness being maintained? Check whether access to the internet is limited to authorized personnel only. Review prior management approvals for internet access. Are there unauthorized personnel accessing the internet?

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: DTBK firewalls routinely prevent users from connecting to certain non-business web sites. (Information Security Policy 7.24)
Audit test: Check whether firewalls (security systems used to control and restrict internet use) have been installed at the bank to protect the bank's information resources.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All non-text files (databases, software object code, spreadsheets, formatted word processing package files, etc.) downloaded from non-DTBK sources via the internet will be screened with virus detection software prior to being used. (Information Security Policy 7.5)
Audit test: Review that all non-text files downloaded from the internet are screened for viruses prior to being used. Is there evidence of testing of non-trusted material or software prior to use?

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: The management reserves the right to examine without prior notice all information passing through or stored on the DTBK computers. (Information Security Policy 7.25)
Audit test: Does the management conduct random reviews of electronic mails, files on personal computers, web browser cache files, logs of web sites visited and other information stored on DTBK computers to assure compliance with internal policies? Review action taken in cases where violations are observed.

Activity: Personnel policies

Objective/Risk: To ensure that appropriate personnel policies exist allowing for segregation of duties.
Key controls: All new staff members are provided with job descriptions and are sufficiently inducted into the ICT Department. (HR policies & Procedure manual 7.4.1)
Audit test: Are new employees recruited according to job descriptions and specifications? Are new personnel sufficiently trained/inducted to handle their roles as enumerated in their job descriptions?

Objective/Risk: Poor performance and hence productivity by staff, thus adversely affecting the overall performance of the Bank.
Key controls: Staff members are given on-the-job training to enhance their skills and enable them to cope with the dynamism of the ICT industry.
Audit test: Review whether staff are regularly trained and appraised to cope with the dynamism of the ICT industry. Check whether performance reviews are conducted regularly.

Objective/Risk: Failure to discover irregularities and manipulations.
Key controls: Roles should be separated in a manner that no one person has unlimited access to the systems.
Audit test: Check that duties are sufficiently separated to ensure no one person has uncontrolled access to the system which could compromise system security.

Objective/Risk: Failure to discover irregularities and manipulations.
Key controls: Periodic job rotation will be ensured and staff members will take leave regularly. (HR policies & Procedure manual 13.1)
Audit test: Are job rotations and cross training conducted periodically? Is the rotation of duties of sufficient duration to disclose any irregularities or manipulations?

Activity: Insurance

Objective/Risk: To ensure that there is adequate insurance to cover equipment, software and documentation, storage media, replacement cost, data loss and business loss, i.e. to minimize loss of earnings emanating from failure/interruption of ICT systems.
Key controls: All ICT resources must be adequately insured at all times. The insurance should cover:
- equipment
- software and storage media
- loss of data and business interruption
Audit test: Review the insurance file and ensure that adequate insurance exists to cover:
- equipment
- software
- storage media
- loss of data
- business loss/interruption
Check whether the insurance is current.

Activity: Disaster recovery and business continuity plans

Objective/Risk: To minimize the risk of disruption of business operations should disasters occur/strike.
Key controls: The ICT Continuity Plan provides a written plan outlining the ICT recovery strategy in the event of an interruption to continuous operations. (ICT Continuity Plan Chapter 1 page 3)
Audit test: Is there a comprehensive, documented contingency/Disaster Recovery plan? Have the Disaster Recovery and Business Continuity Plans been approved by the BOD? Does the contingency plan provide for recovery and extended processing of critical applications in the event of a catastrophic disaster? Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?

Objective/Risk: Poor coordination of disaster recovery efforts.
Key controls: The Emergency Recovery Team comprises the following members:
- General Manager, Finance & Operations
- General Manager, Regional Risk
- Senior Manager, ICT
- Manager, Operations & Projects
- Manager, Administration
(ICT Continuity Plan 4.1 page 32)
Audit test: Are disaster recovery teams established to support the recovery effort? Are the responsibilities of individuals within the disaster recovery team defined, and time allocated for completion of their tasks? Check that the recovery plans are communicated to the management and to all concerned personnel.

Objective/Risk: Poor coordination of disaster recovery efforts.
Key controls: The information assets of the Bank are divided into two main categories, Business Systems and Infrastructure Systems. (ICT Contingency Plan 2.1 & 2.2)
Audit test: Does the recovery plan identify the key processing priorities? Does the plan identify the key information assets (Business Systems and Infrastructure Systems) deployed at the Bank?

Activity: Disaster recovery and business continuity plans (contd)

Objective/Risk: Interruption of business activities due to lack of an alternative data processing location.
Key controls: The bank has implemented a database server at a contingency site at Capital Centre Branch. The server acts as a contingency server in case of failure of the primary database server at the Head Office. (ICT Contingency Plan 3.3 page 20)
Audit test: Verify that an off-site location has been identified and set up for recovery operations. Have hardware, software and the operating system been installed at the off-site location? User profiles for the off-site system should be created similar to those of the main system.

Objective/Risk: The risk of the continuity plan getting outdated.
Key controls: The ICT Continuity Plan will be maintained every six months. The Senior Manager, ICT will ensure that the plan is maintained and appropriately updated every six months. (ICT Continuity Plan Chapter 5 page 34)
Audit test: Review whether the disaster recovery plan is tested regularly and the results documented, indicating the level of preparedness. Check whether the recovery strategy is periodically reviewed and updated.

Activity: System change management

Objective/Risk: To avoid haphazard implementation of system change. To ensure that development and changes to programs are authorized, tested and approved prior to implementation.
Key controls: The change management procedure sets out a systematic approach to dealing with change. All persons requesting change must fill in the System Change Request (SCR) Form, which is submitted to ICT for review and onward transmission to OpsCo for approval considerations. The SCR form must contain the following information:
- request date
- originating unit/department
- initials of the Head of Department initiating the change
- description of proposed changes
- benefits and justification of changes
- expected impact of the changes
All changes must be documented and backed up immediately.
Audit test: Is there a duly documented and approved change management policy/procedure? Review that the person/department requesting system changes completes a System Change Request form and submits it to ICT for review. Is the form reviewed and authorized? Check that the benefits and justification for the system change are indicated in the form and that approval for the change is obtained from OpsCo (Operations Committee). Review that the proposed system change is clearly described and ICT comments included in the System Change Form. Review that the details of the impact of non-implementation of the change are clearly outlined and considered. Are all changes to programs and systems documented and backed up immediately?
