7/30/2019 priyanndb_1.0
1/71
Application Controls Review
Information Technology Risk and Assurance (ITRA)
NDB Bank PLC
E0
Cheque Book Management
Cheque books stock entry (process flow)
Swimlanes: CPU BA (Banking Assistance) as CPU Inputter; Officer In Charge as CPU Authorizer.
- Blank cheque books are received by the CPU (input: received cheque books stock detail).
- Inputter enters the stock entry and gets approval for the stock entry.
- Authorizer approves the stock entry details.
- Stock received receipt is printed; output: updated stock registry.
Issuing of Cheque Book (process flow)
Swimlanes: Branch BA (Banking Assistance); CPU Inputter; Officer In Charge (CPU Authorizer).
- Branch BA sends the customer's request for a cheque book to the CPU (input: request letter) [N1].
- CPU Inputter verifies the signature and the current account status [N2] (output: verified request).
- CPU Inputter enters the cheque book request details [N3] (output: unauthorized cheque book records).
- CPU Authorizer approves the cheque book request (output: authorized cheque book records).
- CPU Inputter prints the cheque book (output: printed cheque book).
- CPU Authorizer authorizes the cheque book issue (output: authorized cheque books).
- Branch BA issues the cheque book to the customer.
Notes:
N1: Customer can request a cheque book by fax, letter or form.
N2: Forward the request to the Branch Manager if the account status is not Regular.
N3: The inputter writes down the cheque book details in a manual registry before printing the cheque books.
CH01: Cheque type field can be omitted when registering received cheque stock details in the system.
Risk rating: Medium
Test Reference: T-CH10
Observation: When banking assistants receive blank cheque books, they need to register the stock details in the system. The banking assistant has to specify the cheque type (privilege cheque/normal cheque) whenever registering the received stock; however, the field can be left out by the banking assistant. When the banking assistant later issues cheque books to customers, the cheque type field is blank if it was left blank at the cheque receiving stage.
Implications: The cheque book count in either category would be erroneous in the system. Therefore, issuing cheques to customers would not be properly supported by the system.
Recommendations: The cheque type field must be set as a mandatory field when registering cheque stock in the system.
Management's Comments:
Screenshot captions: "Check type field can be left as blank."; "Blank check type field."
Executive Summary: Cheque Book Management
When a banking assistant receives blank cheque books, he has to register them in the stock inventory system, specifying the cheque type and the stock series. The cheque type can be privilege cheque or normal cheque; however, this cheque type field can be omitted by the banking assistant when registering the cheque books. As a result it is difficult to count the different types of cheque in stock.
Bank Draft
Issuing of bank draft (process flow)
Swimlanes: Customer; CPU Inputter; CPU Authorizer.
- Customer requests a bank draft [N1] (bank draft request is received).
- CPU Inputter checks the customer's bank draft request (eligible bank draft request).
- CPU Inputter enters the bank draft request and gets approval for it.
- CPU Authorizer approves the bank draft request (approved bank draft).
- Bank draft is printed and issued to the customer (bank draft received by customer).
Notes:
N1: Customer can request a bank draft by letter, fax or application form.
BD01: Bank draft validity period can be less than 180 days.
Risk rating: High
Test Reference: T-BD13
Observation: When a banking assistant issues a bank draft to a customer, the validity period has to be stated on the bank draft slip; the slip can be encashed only within this period. NDB bank defines 180 days as the validity period for a bank draft; however, the system allows a bank draft to be produced with a validity of less than 180 days.
Implications: This violates the business rules of the NDB bank policy. If a customer receives a bank draft with a shorter validity period, they have very little time to encash it; as a result customers would be dissatisfied with the bank, which could affect the bank's reputation.
Recommendations: The system should not allow bank draft slips to be produced with a shorter validity period.
Management's Comments:
Screenshot captions: "Bank draft only valid for 100 days"; "Only 100 days validity bank draft".
Executive Summary: Bank Draft
The bank draft validity period has been set as 180 days for NDB bank. However, this 180-day validity period can be edited by the banking assistant when issuing the draft to the customer, so the customer has only a limited time period to encash the bank draft.
Pay orders
Issuing of pay orders (process flow)
Swimlanes: Customer; CPU Inputter; CPU Authorizer.
- Customer requests a pay order [N1] (pay order request is received).
- CPU Inputter checks the customer's pay order request (eligible pay order request).
- CPU Inputter enters the pay order request and gets approval for it.
- CPU Authorizer approves the pay order request (diagram label: approved bank draft).
- Pay order is printed and issued to the customer (diagram labels: issuing bank draft to customer; bank draft received by customer).
Notes:
N1: Customer can request a bank draft by letter, fax or application form (label as in the diagram).
N2:
PO01: Pay order validity period can be less than 180 days.
Risk rating: High
Test Reference: T-PO14
Observation: When a banking assistant issues a pay order to a customer, the validity period has to be stated on the slip; the pay order slip can be encashed only within this period. NDB bank defines 180 days as the validity period for a pay order; however, the system allows pay orders to be produced with a validity of less than 180 days.
Implications: This violates the business rules of the NDB bank policy. If a customer receives a pay order with a shorter validity period, they have very little time to encash it. As a result customers would be dissatisfied with the bank's services, which could affect the bank's reputation.
Recommendations: The system should not allow pay order slips to be produced with a shorter validity period.
Management's Comments:
Screenshot captions: "Pay order valid for 100 days only."; "Pay order valid for 100 days."
Executive Summary: Pay order
The pay order validity period has been set as 180 days for NDB bank. However, this 180-day validity period can be edited by the banking assistant when issuing the pay order to the customer, so the customer has only a limited time period to encash the bank draft.
Telegraphic Transfer
Payments Through Telegraphic Transfer (process flow)
Swimlanes: Customer; CPU Inputter; CPU Authorizer.
- Customer requests a telegraphic transfer [N1] (telegraphic request is received).
- CPU Inputter checks the customer's telegraphic transfer request (eligible telegraphic transfer).
- CPU Inputter enters the customer's telegraphic transfer request and gets approval for it.
- CPU Authorizer approves the customer's telegraphic request (approved telegraphic transfers).
- CPU Inputter prints the debit advice of payments to the customer and issues the debit advice (payment receipt received by the customer).
Notes:
N1: Customer can request a telegraphic transfer by letter, fax, application form or the e-windows system.
N2:
TT01: Beneficiary account number can be omitted when making payments through telegraphic transfer.
Risk rating: High
Test Reference: T-TT06
Observation: When a banking assistant pays out money for a customer's invoice through electronic fund transfer, they need to state the beneficiary name, account number and destination bank details in the transfer. However, the account number is not set as a mandatory field for the transaction, so it can be omitted when making payments through telegraphic transfer.
Implications: If the account number is not stated in the telegraphic transfer instruction, the payment will not be executed correctly.
Recommendations: The beneficiary account number should be set as a mandatory field when making payments through telegraphic transfer.
Management's Comments:
Screenshot captions: "Beneficiary account number can be omitted."; "Beneficiary account number can be left as blank."
TT02: Beneficiary bank name and its SWIFT code can be omitted when making payments through telegraphic transfer.
Risk rating: High
Test Reference: T-TT12
Observation: When a banking assistant pays out money for a customer's invoice through electronic fund transfer, they need to state the beneficiary name, account number and destination bank/SWIFT code details in the transfer. However, the bank name/SWIFT code is not set as a mandatory field for the transaction, so it can be omitted when making payments through telegraphic transfer.
Implications: If the bank name/SWIFT code is not stated in the telegraphic transfer instruction, the payment will not be executed correctly.
Recommendations: The bank name/SWIFT code should be set as a mandatory field when making payments through telegraphic transfer.
Management's Comments:
Screenshot captions: "Beneficiary bank name and SWIFT code can be blank"; "Beneficiary bank name and SWIFT code can be omitted."
TT03: Outward remittance currency can be LKR when making payments through telegraphic transfer.
Risk rating: High
Test Reference: T-TT10
Observation: The telegraphic transfer facility lets customers pay invoices to their foreign clients in the clients' currency, so the currency field must contain only a foreign currency, not LKR. However, the system allows a telegraphic transfer to be set up in LKR as well.
Implications: Allowing the currency of a telegraphic transfer to be set to LKR violates the business rules of the NDB bank policy.
Recommendations: The currency field must accept only foreign currencies, not LKR.
Management's Comments:
Screenshot captions: "Credit currency can be LKR format."; "Currency can be LKR format."
RTGS Fund Transfer
Payments Through RTGS Transfer (process flow)
Swimlanes: Customer; CPU Inputter; CPU Authorizer.
- Customer requests an RTGS transfer [N1] (RTGS request is received).
- CPU Inputter checks the customer's RTGS transfer request (eligible RTGS transfer).
- CPU Inputter enters the customer's RTGS transfer request and gets approval for it.
- CPU Authorizer approves the customer's RTGS request (approved RTGS transfers).
- CPU Inputter prints the debit advice of payments to the customer and issues the debit advice (payment receipt received by the customer).
Notes:
N1: Customer can request an RTGS transfer by letter, fax, application form or the e-windows system.
N2:
RT01: Beneficiary account number can be omitted when making payments through RTGS transfer.
Risk rating: High
Test Reference: T-TT06
Observation: When a banking assistant pays out money for a customer's invoice through electronic fund transfer, they need to state the beneficiary name, account number and destination bank details in the transfer. However, the account number is not set as a mandatory field for the transaction, so it can be omitted when making payments through RTGS transfer.
Implications: If the account number is not stated in the RTGS transfer instruction, the payment will not be executed correctly.
Recommendations: The beneficiary account number should be set as a mandatory field when making payments through RTGS transfer.
Management's Comments:
RT02: Beneficiary bank name and its SWIFT code can be omitted when making payments through RTGS transfer.
Risk rating: High
Test Reference: T-TT12
Observation: When a banking assistant pays out money for a customer's invoice through RTGS fund transfer, they need to state the beneficiary name, account number and destination bank/SWIFT code details in the transfer. However, the bank name/SWIFT code is not set as a mandatory field for the transaction, so it can be omitted when making payments through RTGS transfer.
Implications: If the bank name/SWIFT code is not stated in the RTGS transfer instruction, the payment will not be executed correctly.
Recommendations: The beneficiary account number should be set as a mandatory field when making payments through RTGS transfer.
Management's Comments:
RT03: Outward remittance currency can be a foreign currency when making payments through RTGS transfer.
Risk rating: High
Test Reference: T-TT10
Observation: The RTGS transfer facility lets customers pay invoices to their local clients in LKR, so the currency field must contain only LKR, not a foreign currency. However, the system allows an RTGS transfer to be set up in a foreign currency as well.
Implications: Currency can be set in LKR format for the telegraphic transfer, which violates the business rules of the NDB bank policy.
Recommendations: The currency field must contain only LKR, not a foreign currency.
Management's Comments:
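The findings BD01/PO01 (validity period shortened by the inputter) and TT01-TT03 / RT01-RT03 (beneficiary fields optional, wrong currency accepted) all describe missing server-side business-rule checks. The following is an added example, not NDB's code, of a validation layer that enforces those rules: the expiry is derived from the issue date rather than typed in, the beneficiary fields are mandatory, and the currency rule depends on the instrument. The field names, instrument codes and sample instructions are assumptions; the 180-day rule and the LKR/foreign-currency split come from the findings.

```python
"""Control checks for outward payment instruments (added example, not NDB's code).

Assumed field names and instrument codes; the 180-day validity rule and the
LKR / foreign-currency split are the rules quoted in the findings.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

VALIDITY_DAYS = 180          # validity period stated in BD01 and PO01
LOCAL_CURRENCY = "LKR"
# ISO 9362 BIC/SWIFT code: 6 letters, 2 alphanumerics, optional 3-char branch
SWIFT_RE = re.compile(r"^[A-Z]{6}[A-Z0-9]{2}([A-Z0-9]{3})?$")
MANDATORY_BENEFICIARY_FIELDS = (
    "beneficiary_name", "beneficiary_account", "beneficiary_bank", "beneficiary_swift")


@dataclass
class PaymentInstruction:
    instrument: str                     # "BANK_DRAFT", "PAY_ORDER", "TT" or "RTGS" (assumed codes)
    issue_date: date
    currency: str
    expiry_date: Optional[date] = None  # as typed by the inputter (drafts / pay orders)
    beneficiary_name: Optional[str] = None
    beneficiary_account: Optional[str] = None
    beneficiary_bank: Optional[str] = None
    beneficiary_swift: Optional[str] = None


def compute_expiry(issue_date: date) -> date:
    """Derive the expiry from the issue date so the inputter cannot shorten it."""
    return issue_date + timedelta(days=VALIDITY_DAYS)


def validate_instruction(instr: PaymentInstruction) -> List[str]:
    """Return the list of control violations; an empty list means the instruction passes."""
    errors: List[str] = []
    if instr.instrument in ("BANK_DRAFT", "PAY_ORDER"):
        # BD01 / PO01: the only acceptable expiry is issue date + 180 days
        expected = compute_expiry(instr.issue_date)
        if instr.expiry_date != expected:
            errors.append(
                f"validity period must be {VALIDITY_DAYS} days (expiry {expected.isoformat()})")
    elif instr.instrument in ("TT", "RTGS"):
        # TT01/TT02/RT01/RT02: every beneficiary field is mandatory, blanks included
        for name in MANDATORY_BENEFICIARY_FIELDS:
            value = getattr(instr, name)
            if value is None or not value.strip():
                errors.append(f"{name} is mandatory")
        if instr.beneficiary_swift and not SWIFT_RE.match(instr.beneficiary_swift):
            errors.append("beneficiary_swift is not a valid 8- or 11-character SWIFT/BIC code")
        # TT03: outward TT must be in a foreign currency; RT03: RTGS must be in LKR
        if instr.instrument == "TT" and instr.currency == LOCAL_CURRENCY:
            errors.append("outward TT currency must be a foreign currency, not LKR")
        if instr.instrument == "RTGS" and instr.currency != LOCAL_CURRENCY:
            errors.append("RTGS currency must be LKR")
    else:
        errors.append(f"unknown instrument {instr.instrument!r}")
    return errors


if __name__ == "__main__":
    # Constructed sample instructions mirroring the screenshots in the findings
    samples = [
        PaymentInstruction("BANK_DRAFT", date(2019, 7, 30), "LKR",
                           expiry_date=date(2019, 11, 7)),          # only 100 days
        PaymentInstruction("TT", date(2019, 7, 30), "LKR",
                           beneficiary_name="Constructed Ltd", beneficiary_account=None,
                           beneficiary_bank="Constructed Bank", beneficiary_swift="BANKLKLX"),
        PaymentInstruction("RTGS", date(2019, 7, 30), "LKR",
                           beneficiary_name="Constructed Ltd", beneficiary_account="0001234567",
                           beneficiary_bank="Constructed Bank", beneficiary_swift="BANKLKLX"),
    ]
    for s in samples:
        print(s.instrument, validate_instruction(s) or "OK")
```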
Sweep Facility
Setup Maintenance Sweep Facility (process flow)
Swimlanes: Customer; Branch; CPU Inputter; CPU Authorizer.
- Customer requests a maintenance sweep facility [N1] (customer request is received).
- Branch stamps the received date and time, verifies the customer signature and checks the customer's maintenance sweep facility request (eligible customer request).
- Branch forwards the customer's sweep facility request to the CPU.
- CPU Inputter sets up the customer's maintenance sweep facility request and gets approval for it.
- CPU Authorizer approves the customer's maintenance sweep facility setup.
Notes:
N1: Customer can request a maintenance sweep facility by letter to the Branch Manager or Regional Manager.
N2:
Setup Surplus Sweep Facility (process flow)
Swimlanes: Customer; Branch; CPU Inputter; CPU Authorizer.
- Customer requests a surplus sweep facility [N1] (customer request is received).
- Branch stamps the received date and time, verifies the customer signature and checks the customer's surplus sweep facility request (eligible customer request).
- Branch forwards the customer's surplus sweep facility request to the CPU.
- CPU Inputter sets up the customer's surplus sweep facility request and gets approval for it.
- CPU Authorizer approves the customer's surplus sweep facility setup.
Notes:
N1: Customer can request a surplus sweep facility by letter to the Branch Manager or Regional Manager.
N2:
SW01: Inappropriate rules can be chosen when executing the sweep facility.
Risk rating: High
Test Reference: T-SW06
Observation: When a banking assistant sets up the sweep facility according to the customer's requirement, they need to specify the rules as well. The rules field has been set as a mandatory field; however, it displays inappropriate parameters for setting up the sweep facility, so inappropriate rules can be applied when setting up the facility.
Implications: If incorrect rules are applied when setting up the sweep facility, the changes to the sweep facility will not be executed correctly.
Recommendations: Only relevant parameters should be displayed in the rules field.
Management's Comments:
Executive Summary: Sweep Facility
When setting up a sweep for a customer requirement, the rules need to be chosen. The rule can be MAIN or SURP; however, irrelevant parameters are also displayed by the system. If any of the irrelevant parameters is chosen as a rule, the sweep setup will not work properly. As a result, only the relevant parameters must be displayed for the rules.
Current Account
Opening Current Account (process flow)
Swimlanes: Customer; Branch (Banking Assistance, Manager); CPU.
- Customer requests to open a current account (input: mandate) and, once it is opened, makes a deposit in the newly opened current account.
- Banking Assistance checks the documents and mandates, gets approval from the Manager (approved request) and enters the current account details into the system (current account updated).
- Manager lane: approved current account; authorized current account.
- CPU scans the documents, and scans and verifies the signature entered into the system.
Closing of Current Account (process flow)
Swimlanes: Customer; Branch (Manager, Banking Assistance); CPU.
- Customer requests to close a current account (input: request letter).
- Banking Assistance accepts the account closing request letter, enters the account closing details and gets approval from the Manager (approved account closing request).
- Manager authorizes the account closing.
- CPU stores the account closing details, updates the GL and enters the closed account details [N1] [N2].
Notes:
N1: Cash pay out to the customer.
N2: Letter informing the customer of the closing of the account.
CA01: Current account can be opened for minor customers.
Risk rating: Low
Test Reference: T-CA33
Observation: Minor customers are only eligible to open a savings account at NDB bank; they cannot open a current account. However, the system does allow a current account to be opened for minor customers as well.
Implications: Business rules
Recommendations: The system should prevent a current account from being opened for minor customers.
Management's Comments:
CA02: Current NRFC account can be opened in LKR.
Risk rating: Medium
Test Reference: T-CA14
Observation: Foreign customers are eligible to open current NRFC accounts at NDB bank. The NRFC account currency field must be in a foreign currency and not in LKR; however, the system does allow a current NRFC account to be opened with LKR as the currency.
Implications:
Recommendations: The system should prevent an NRFC current account from being opened with LKR as the currency.
Management's Comments:
Standing Orders
Setup standing orders (process flow)
Swimlanes: Customer; Branch; CPU Inputter; CPU Authorizer.
- Customer requests standing orders [N1] (received customer request).
- Branch checks the completeness of the standing order request [N2] and emails the CPU requesting it to set up a standing order (received standing order request).
- CPU Inputter enters the customer's standing order request and gets approval from the CPU Authorizer.
- CPU Authorizer approves the standing order (authorized customer standing orders).
Notes:
N1: Customer can request standing orders through a letter or form.
N2: An incomplete customer request will be returned to the branch for completion.
ST01: Not all charge codes are displayed in the system when executing charges for a customer's standing order request.
Risk rating: Low
Test Reference: T-ST24
Observation: When a standing order is set up, a small charge is collected from the customer to execute the request. Charge codes can vary according to the customer's standing order request; however, the system does not display all the available charge codes (SO6) when setting the standing order charges.
Implications: There is a high possibility that the banking assistant enters a wrong charge code when executing the customer's standing order request.
Recommendations: All the standing order charge codes must be displayed by the system when executing a customer's standing order request.
Management's Comments:
Screenshot caption: "SO6 standing order charge code not displayed by drop down menu".
ST02: Irrelevant work profile parameters are displayed in the system when setting up standing orders through SLIPS.
Risk rating: Low
Test Reference: T-SA33
Observation: When a banking assistant uploads standing orders through the SLIPS system, they need to choose the work profile parameter as one; however, the system displays irrelevant parameters for the work profile option.
Implications: If the banking assistant wrongly chooses a different parameter for the work profile when executing standing orders through SLIPS, the customer's standing order request will not be executed successfully.
Recommendations: The system must display only one as the work profile option when executing standing orders through SLIPS.
Management's Comments:
Screenshot caption: "Work profile parameters can be inaccurate information."
Customer Creation
Customer Creation (process flow)
Swimlanes: Customer; Banking Assistance (Inputter); Banking Manager (Authorizer).
- Customer fills the mandate form and provides the required documents [N1] (filled mandate form and documents).
- Banking Assistance checks the mandate form and documents, enters the customer details in the system and gets approval from the Branch Manager [N2].
- Banking Manager approves the customer request (authorized customer).
Notes:
N1: Customer provides NIC, birth certificate or company registration as identity proof.
N2: Copies of customer documents are forwarded to the CPU for storage.
Customer Amendment (process flow)
Swimlanes: Customer; Banking Assistance (Inputter); Banking Manager (Authorizer).
- Customer requests an edit of their details (input: customer documents).
- Banking Assistance checks the customer documents, edits the customer details in the system and gets approval from the Branch Manager.
- Banking Manager authorizes the edited customer details (approved customer request).
CC01: Passport number and legal document number can be different for foreign customers.
Risk rating: High
Test Reference: T-CC06
Observation: Whenever a banking assistant registers a foreign customer, they have to enter the passport number and the legal document number. However, the system allows different numbers to be entered as the passport and legal document numbers.
Implications: The customer's passport number can differ from the legal document number, which leads to inaccurate customer information being stored in the database.
Recommendations: The system should validate the foreign customer's passport characters against the legal document characters.
Management's Comments:
Screenshot captions: "Passport legal ID number PP12345678"; "Passport number is PP123456".
CC02: System allows a person under 18 years old to be registered as an individual customer.
Risk rating: High
Test Reference: T-CC06
Observation: When entering new individual customers into the system, the banking assistant needs to input the customer's date of birth for initial registration. An individual customer needs to be an adult, at least 18 years old; however, the system does allow an individual customer who is under 18 to be opened.
Implications: Allowing an individual customer who is under 18 years old to be opened does not comply with NDB business rules.
Recommendations: The system should not allow an individual customer whose age is under 18 to be opened.
Management's Comments:
Screenshot captions: "Date of birth is 01 of May 2000 and age is less than 18."; "Individual customer age is less than 18."
CC04: Customer can be created with an inaccurate date of birth and NIC number.
Risk rating: High
Test Reference: T-CC06
Observation: When a banking assistant registers an individual or foreign customer in the system, they need to input the customer's date of birth because it is a mandatory field; however, the system does not validate the date of birth against the logical format of the NIC number. Therefore the system accepts customers with a wrong date of birth and NIC number.
Implications: NDB bank needs to send a CRIB report to the central bank every month with details of customers who fail to pay their loan dues within the given period; if NDB sends wrong customer details (date of birth and NIC number), the CRIB report will not be processed successfully.
Recommendations: The system should validate the NIC number against the date of birth.
Management's Comments:
Screenshot captions: "NIC number not validating with date of birth."; "Date of birth is not validating with NIC number."
CC05: Customer email address can be inaccurate when creating new customers in the system.
Risk rating: High
Test Reference: T-CC35
Observation: When a banking assistant registers a new customer in the system, they need to record the customer's contact details (email address). However, the customer's email address can be inaccurate.
Implications: If NDB introduces a new service and wants to promote it to customers through email, the promotional message will not reach customers who have a wrong email address in the system.
Recommendations: The system should validate the email address against the standard email address format.
Management's Comments:
Screenshot captions: "Wrong email address as customer address"; "Wrong email address as".
CC06: Customer telephone number can be inaccurate when creating a new customer in the system.
Risk rating: High
Test Reference: T-CC34
Observation: When a banking assistant registers a new customer in the system, they need to record the customer's contact details (telephone number). However, the customer's telephone number can be inaccurate.
Implications: If NDB bank wants to contact a customer for business purposes, it is not possible to contact a customer who has a wrong telephone number in the system.
Recommendations: The system should validate telephone numbers against valid Sri Lankan telephone number standards.
Management's Comments:
Screenshot captions: "Incorrect phone number as abcd"; "Customer phone number is incorrect."
CC03: Date of birth and initials are being used as the NIC number for minor customers.
Risk rating: High
Test Reference: T-CC06
Observation: Whenever a minor customer needs to be registered in the system by a banking assistant, they need to fill in the NIC number field for identification. However, minor customers do not have an NIC number because they are under 18 years old; as a result, their date of birth and initials are being used as their NIC number.
Implications:
Recommendations: Allowing an individual customer who is under 18 years old to be opened does not comply with NDB business rules.
Management's Comments:
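Findings CC01 (passport vs legal document number), CC02 (age under 18), CC04 (NIC not checked against date of birth), CC05 (email) and CC06 (telephone) are all input-validation gaps on the customer record. The following is an added example, not NDB's code, of the checks the recommendations ask for, run against constructed records that mirror the screenshots (PP123456 vs PP12345678, date of birth 1 May 2000, phone "abcd"). Assumptions: the field names, the Sri Lankan phone pattern, and the NIC layout used here (old 10-character NIC = two-digit year + day-of-year + serial + V/X; new 12-digit NIC = four-digit year + day-of-year + serial; day-of-year counts February as 29 days and adds 500 for females), which should be confirmed against the bank's own NIC specification before use.

```python
"""Customer-record validation for the CC01-CC06 findings (added example, not NDB's code).

Assumptions: field names; the phone pattern; the NIC layout described in the lead-in.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MIN_AGE = 18                                   # CC02: individual customers must be adults
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")   # CC05: basic shape check
PHONE_RE = re.compile(r"^(0\d{9}|\+94\d{9})$")              # CC06: assumed local format
OLD_NIC_RE = re.compile(r"^(\d{2})(\d{3})\d{4}[VXvx]$")     # YY DDD NNNN V/X (assumed layout)
NEW_NIC_RE = re.compile(r"^(\d{4})(\d{3})\d{5}$")           # YYYY DDD NNNNN (assumed layout)
# NIC day-of-year table: February always counts as 29 days in this scheme (assumption)
MONTH_DAYS = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


@dataclass
class Customer:
    customer_type: str          # "INDIVIDUAL", "FOREIGN" or "MINOR" (assumed codes)
    date_of_birth: date
    gender: str                 # "M" or "F"
    nic: Optional[str] = None
    passport: Optional[str] = None
    legal_document: Optional[str] = None
    email: Optional[str] = None
    telephone: Optional[str] = None


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def nic_day_of_year(dob: date, gender: str) -> int:
    """Day number encoded in the NIC: fixed 29-day February, +500 for females."""
    day = sum(MONTH_DAYS[: dob.month - 1]) + dob.day
    return day + 500 if gender == "F" else day


def nic_matches_dob(nic: str, dob: date, gender: str) -> bool:
    """CC04: the year and day-of-year in the NIC must agree with the date of birth."""
    m = NEW_NIC_RE.match(nic)
    if m:
        year_ok = int(m.group(1)) == dob.year
    else:
        m = OLD_NIC_RE.match(nic)
        if not m:
            return False
        year_ok = int(m.group(1)) == dob.year % 100
    return year_ok and int(m.group(2)) == nic_day_of_year(dob, gender)


def validate_customer(c: Customer, as_of: date) -> List[str]:
    """Return the list of control violations; empty means the record passes."""
    errors: List[str] = []
    if c.customer_type in ("INDIVIDUAL", "FOREIGN") and age_on(c.date_of_birth, as_of) < MIN_AGE:
        errors.append("individual customer must be at least 18 years old")          # CC02
    if c.customer_type == "FOREIGN" and c.passport != c.legal_document:
        errors.append("passport number must match legal document number")          # CC01
    if c.customer_type == "INDIVIDUAL" and (
            c.nic is None or not nic_matches_dob(c.nic, c.date_of_birth, c.gender)):
        errors.append("NIC number does not agree with date of birth")              # CC04
    # Minors (CC03) carry no NIC, so the NIC field is not checked for them here.
    if c.email is not None and not EMAIL_RE.match(c.email):
        errors.append("email address is not well formed")                          # CC05
    if c.telephone is not None and not PHONE_RE.match(c.telephone):
        errors.append("telephone number is not a valid Sri Lankan number")         # CC06
    return errors


if __name__ == "__main__":
    # Constructed records mirroring the screenshots in the findings
    foreign = Customer("FOREIGN", date(1990, 1, 1), "M",
                       passport="PP123456", legal_document="PP12345678")
    minor_as_individual = Customer("INDIVIDUAL", date(2000, 5, 1), "M",
                                   nic="001221234V", telephone="abcd")
    for rec, as_of in ((foreign, date(2019, 7, 30)), (minor_as_individual, date(2017, 6, 1))):
        print(rec.customer_type, validate_customer(rec, as_of) or "OK")
```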
Application Controls ReviewNDB Bank PLC
7/30/2019 priyanndb_1.0
48/71
Information Technology Risk and Assurance (ITRA)E 47
Customer Creation
47
Application Controls ReviewNDB Bank PLC
CC01P t b d l l d t b
7/30/2019 priyanndb_1.0
49/71
Information Technology Risk and Assurance (ITRA)E
CC01Passport number and legal document numbercan be different for foreign customers.
High
Test Reference T-CC06
Observation Whenever banking assistance registering a
foreign customers they have to enter
passport number and legal documentnumber for customer registration. However
system does allow to enter different numbers
as passport and legal document numbers.
Implications Customer passport number can be different
from legal document number ,which can
make inaccuracy data being stored in the
database about the customer information.
Recommendations System should validated foreign customer
passport characters with legal documentcharacters.
Managements
Comments
48
Passport legal ID
number PP12345678
Passport number isPP123456
Application Controls ReviewNDB Bank PLC
CC02System does allow to register less the18
7/30/2019 priyanndb_1.0
50/71
Information Technology Risk and Assurance (ITRA)E
CC02System does allow to register less the18years old person as an individual customer.
High
Test Reference T-CC06
Observation When inputting new individual customers to
the system banking assistance need to input
date of birth of the customers for initialregistration. Individual customer need to be
adult and atlease18 years older person
,however system does allow to open an
individual customer who is less then 18
years old.
Implications It is not comply with NDB business rules
allow to open an individual customers who is
less than 18 years old.
Recommendations System should not allow to open anindividual customers who age is less than 18
years old.
Managements
Comments
49
Date of birth is 01 of
May 2000 and age
is less then18.
Individual customer
age is less the 18.
CC04 Customer can be created with an inaccurate date of birth and NIC number.
Risk rating: High
Test Reference: T-CC06
Observation: When a banking assistant registers an individual or foreign customer, the date of birth must be entered because it is a mandatory field. However, the system does not validate the date of birth against the logical format of the NIC number, so it accepts customers whose date of birth and NIC number do not agree.
Implications: NDB Bank must send a CRIB report to the Central Bank every month listing the customers who have failed to pay their loan dues within the given period. If NDB sends wrong customer details (date of birth and NIC number), the CRIB submission will not be processed successfully.
Recommendations: The system should validate the NIC number against the date of birth.
Management's Comments:
Screenshots: the NIC number is not validated against the date of birth, and the date of birth is not validated against the NIC number.
CC05 Customer email address can be inaccurate when creating a new customer in the system.
Risk rating: High
Test Reference: T-CC35
Observation: When a banking assistant registers a new customer, the customer's contact details (email address) must be entered in the system. However, the system does not validate the email address, so an inaccurate address is accepted.
Implications: If NDB introduces a new service and wants to promote it to customers by email, the promotional message will not reach customers whose email address in the system is wrong.
Recommendations: The system should validate the email address against the standard email address format.
Management's Comments:
Screenshots: a postal address entered in the email field is accepted; the wrong email address [email protected] is accepted.
CC06 Customer telephone number can be inaccurate when creating a new customer in the system.
Risk rating: High
Test Reference: T-CC34
Observation: When a banking assistant registers a new customer, the customer's contact details (telephone number) must be entered in the system. However, the system does not validate the telephone number, so an inaccurate number is accepted.
Implications: If NDB Bank needs to contact a customer for business purposes, it cannot reach a customer whose telephone number in the system is wrong.
Recommendations: The system should validate telephone numbers against the valid Sri Lankan telephone number format.
Management's Comments:
Screenshots: telephone number entered as "abcd" is accepted; the stored customer phone number is incorrect.
CC03 Date of birth and initials are used as the NIC number for minor customers.
Risk rating: High
Test Reference: T-CC06
Observation: When a banking assistant registers a minor customer, the NIC number field must be filled in for identification. Minor customers do not have an NIC number because they are under 18 years old, so their date of birth and initials are entered as the NIC number instead.
Implications:
Recommendations: Allowing an individual customer under 18 years old to be opened does not comply with NDB business rules.
Management's Comments:
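The validation rules recommended in CC01, CC02 and CC04 to CC06 can all be enforced at the point of customer creation. The Python below is an added illustration written for this review, not NDB's or the core banking system's code: the field names, the reference date and the sample records are constructed (the bad values mirror the report's screenshots), and the NIC layout it decodes (old format YYDDDSSSSC plus V/X, new format YYYYDDDSSSSC, day of year counted as if February always has 29 days, plus 500 for women, two-digit years read as 19YY) is the commonly documented one and is an assumption to confirm against the bank's own NIC rules before use.

```python
# Added illustration for findings CC01, CC02, CC04, CC05 and CC06; not NDB's code.
# NIC layout, field names, reference date and sample records are assumptions.
from __future__ import annotations

import re
from datetime import date, timedelta

OLD_NIC = re.compile(r"^(\d{2})(\d{3})\d{4}[VXvx]$")      # YY DDD serial+check V/X
NEW_NIC = re.compile(r"^(\d{4})(\d{3})\d{5}$")            # YYYY DDD serial+check
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
# Assumed Sri Lankan formats: local 0XXXXXXXXX or international +94XXXXXXXXX.
PHONE = re.compile(r"^(?:0|\+94)\d{9}$")


def nic_birth_date(nic: str) -> date | None:
    """Decode the birth date a Sri Lankan NIC encodes; None if the NIC is malformed."""
    m = OLD_NIC.match(nic) or NEW_NIC.match(nic)
    if not m:
        return None
    year_s, day_s = m.groups()
    year = int(year_s) if len(year_s) == 4 else 1900 + int(year_s)  # assumption: 19YY
    day = int(day_s)
    if day > 500:
        day -= 500  # women's NICs carry the day of year plus 500
    if not 1 <= day <= 366:
        return None
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    if not leap:
        if day == 60:
            return None  # 29 February in a non-leap year is not a real date
        if day > 60:
            day -= 1  # drop the phantom 29 February the NIC scheme assumes
    return date(year, 1, 1) + timedelta(days=day - 1)


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def validate_customer(rec: dict, today: date) -> list[str]:
    """Return the control failures for one customer record; an empty list means accept."""
    errors: list[str] = []
    dob: date = rec["date_of_birth"]
    if age_on(dob, today) < 18:                                   # CC02
        errors.append("CC02: individual customer is under 18")
    if rec["customer_type"] == "foreign":                         # CC01
        if rec.get("passport_no") != rec.get("legal_doc_no"):
            errors.append("CC01: passport number differs from legal document number")
    else:                                                         # CC04
        encoded = nic_birth_date(rec.get("nic", ""))
        if encoded is None:
            errors.append("CC04: NIC number is malformed")
        elif encoded != dob:
            errors.append(f"CC04: NIC encodes {encoded}, form says {dob}")
    if not EMAIL.match(rec.get("email", "")):                     # CC05
        errors.append("CC05: email address is not well-formed")
    if not PHONE.match(rec.get("telephone", "")):                 # CC06
        errors.append("CC06: telephone number is not a valid Sri Lankan number")
    return errors


TODAY = date(2017, 6, 1)  # constructed reference date for the age check

SAMPLES = {  # constructed records; the bad values mirror the report's screenshots
    "good_local": {"customer_type": "individual", "nic": "850751234V",
                   "date_of_birth": date(1985, 3, 15),
                   "email": "a.perera@example.com", "telephone": "0771234567"},
    "minor_bad_contact": {"customer_type": "individual", "nic": "200062212345",
                          "date_of_birth": date(2000, 5, 1),
                          "email": "customer address", "telephone": "abcd"},
    "foreign_mismatch": {"customer_type": "foreign", "passport_no": "PP123456",
                         "legal_doc_no": "PP12345678", "date_of_birth": date(1980, 1, 1),
                         "email": "j.doe@example.com", "telephone": "+94112345678"},
    "nic_dob_mismatch": {"customer_type": "individual", "nic": "850751234V",
                         "date_of_birth": date(1985, 3, 16),
                         "email": "a.perera@example.com", "telephone": "0771234567"},
}


def run_samples() -> dict[str, list[str]]:
    """Map each sample record to the finding codes it trips."""
    return {name: [e.split(":")[0] for e in validate_customer(rec, TODAY)]
            for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, codes in run_samples().items():
        print(f"{name}: {codes or 'accepted'}")
```

Decoding the date from the NIC and comparing it with the form's date of birth is the check CC04 asks for, and it also rejects the phantom 29 February the day-of-year scheme allows in non-leap years. The email and telephone checks catch malformed values only; a syntactically valid address or number that belongs to someone else still passes, so a confirmation message to the stored contact is the only check that proves the detail is really the customer's.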
Over Draft
Over Draft Granting
Swimlanes: Customer; Branch (Branch Manager); Consumer Credit Operation. Process flow, reconstructed from the diagram labels:
1. Customer: submits a request letter asking for an overdraft.
2. Branch: checks the account's overdraft limit and interest rate; the outcome is an eligible overdraft request.
3. Branch Manager: authorizes the overdraft; the outcome is an authorized overdraft request.
4. Consumer Credit Operation: blocks funds in the customer account and updates the account details in T24.
OD01 Overdraft slips can be printed by the banking assistant before the request has been approved by the branch authorizer.
Risk rating: High
Test Reference: T-RE15
Observation: When a banking assistant pays out cash against a customer request and the amount exceeds the account's limit, the system asks for an override. Once the banking assistant accepts the override, the system prints the overdraft slip for the customer before the request has been approved by the branch authorizer.
Implications: If a banking assistant accidentally pays out more than the overdraft limit, the excess is not caught immediately.
Recommendations: The system should allow the banking assistant to print the overdraft slip only after the request has been approved by the branch authorizer.
Management's Comments:
OD02 Overdraft can be granted without any limit restriction.
Risk rating: High
Test Reference: T-RE15
Observation: When a banking assistant pays out cash against a customer's overdraft request and the amount exceeds the limit, the system asks for override approval from the manager before the money is issued. However, the system allows an overdraft to be granted without any limit restriction.
Implications: A banking assistant can pay out any amount of cash against a customer request, with no overdraft limit applied.
Recommendations: The system should allow the banking assistant to print the overdraft slip only after the request has been approved by the branch authorizer.
Management's Comments:
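OD01 and OD02 describe one missing control chain: a hard ceiling on the override amount (OD02) and a maker/checker gate that holds the slip, and the payout, until the branch authorizer has approved it (OD01). The Python below models that chain as an added illustration written for this review; it is not NDB's or T24's code, and the account identifiers, user names, balances and limits are constructed. It also reserves the amounts of requests that are approved-pending but not yet paid, so two overrides cannot each pass the limit check against the same balance.

```python
# Added illustration for findings OD01/OD02, not NDB's or T24's code.
# Accounts, users and amounts are constructed.
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

ZERO = Decimal("0")


class ControlViolation(Exception):
    """Raised when a request would breach an application control."""


@dataclass
class Account:
    balance: Decimal
    od_limit: Decimal  # approved overdraft limit; ZERO means no facility


@dataclass
class PayoutRequest:
    request_id: int
    account_id: str
    amount: Decimal
    maker: str
    overdraft_used: Decimal
    approved_by: str | None = None
    slip_printed: bool = False


class OverdraftControl:
    def __init__(self, accounts: dict[str, Account]) -> None:
        self.accounts = accounts
        self.requests: list[PayoutRequest] = []

    def _pending(self, account_id: str) -> Decimal:
        # Amounts already requested on the account but not yet paid out.
        return sum((r.amount for r in self.requests
                    if r.account_id == account_id and not r.slip_printed), ZERO)

    def request_payout(self, account_id: str, amount: Decimal, maker: str) -> PayoutRequest:
        acct = self.accounts[account_id]
        # OD02: the override is capped at balance + approved limit, net of pending requests.
        pending = self._pending(account_id)
        available = acct.balance + acct.od_limit - pending
        if amount > available:
            raise ControlViolation(f"{amount} exceeds available {available} "
                                   f"(OD limit {acct.od_limit})")
        overdraft_used = max(ZERO, amount - (acct.balance - pending))
        req = PayoutRequest(len(self.requests) + 1, account_id, amount, maker, overdraft_used)
        self.requests.append(req)
        return req

    def authorize(self, req: PayoutRequest, checker: str) -> None:
        # Branch authorizer approves the override; maker and checker must differ.
        if checker == req.maker:
            raise ControlViolation("maker cannot authorize their own override")
        req.approved_by = checker

    def print_slip(self, req: PayoutRequest) -> str:
        # OD01: when the payout draws on the overdraft, nothing is printed or paid
        # until the branch authorizer has approved it.
        if req.slip_printed:
            raise ControlViolation("slip already printed")
        if req.overdraft_used > ZERO and req.approved_by is None:
            raise ControlViolation("overdraft slip withheld: awaiting branch authorizer")
        self.accounts[req.account_id].balance -= req.amount
        req.slip_printed = True
        return (f"OD slip #{req.request_id}: {req.account_id} paid {req.amount}, "
                f"overdraft used {req.overdraft_used}, approved by {req.approved_by}")


def _outcome(action):
    # Run one step; return its result or the control message that blocked it.
    try:
        return action()
    except ControlViolation as exc:
        return f"BLOCKED: {exc}"


def run_demo() -> dict[str, object]:
    """Walk the OD01/OD02 scenarios on constructed accounts and return each outcome."""
    ctl = OverdraftControl({
        "ACC-1": Account(Decimal("10000"), Decimal("5000")),  # has an OD facility
        "ACC-2": Account(Decimal("1000"), ZERO),              # no OD facility
    })
    out: dict[str, object] = {}
    req = ctl.request_payout("ACC-1", Decimal("12000"), maker="ba_kumar")
    out["overdraft_used"] = str(req.overdraft_used)  # 2000 of the 5000 limit
    out["second_pending"] = _outcome(  # only 3000 headroom left while req is unpaid
        lambda: ctl.request_payout("ACC-1", Decimal("4000"), maker="ba_kumar"))
    out["print_before_approval"] = _outcome(lambda: ctl.print_slip(req))
    out["self_approval"] = _outcome(lambda: ctl.authorize(req, checker="ba_kumar"))
    ctl.authorize(req, checker="mgr_silva")
    out["print_after_approval"] = _outcome(lambda: ctl.print_slip(req))
    out["balance_after"] = str(ctl.accounts["ACC-1"].balance)  # -2000
    out["no_facility"] = _outcome(  # OD02: no limit, no overdraft
        lambda: ctl.request_payout("ACC-2", Decimal("1500"), maker="ba_kumar"))
    out["beyond_limit"] = _outcome(  # OD02: cap is balance + limit
        lambda: ctl.request_payout("ACC-1", Decimal("9000"), maker="ba_kumar"))
    return out
```

The order of the checks matters: the limit test in request_payout runs before any slip exists, so an over-limit request never reaches the authorizer, and print_slip refuses both an unapproved override and a second print of the same slip. A payout within the credit balance needs no approval and prints straight away, which is the behaviour the report expects for ordinary withdrawals.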
Executive Summary
Over Draft
Overdraft slips are printed before the branch authorizer has authorized the transaction, so the authorizer only becomes aware of the overdraft at the point of the cash payout.
The system allows an overdraft to be granted without any limit. An overdraft limit should be created when the facility is issued, but the system grants overdrafts without any limit restriction.
Cheque Clearing
Outward Clearing
Swimlanes: Customer; Branch; CPU; Lanka Clear. Process flow, reconstructed from the diagram labels:
1. Customer: presents slips and cheques at the branch, and later receives the CRN (Cheque Return Notification) for any cheque that is returned.
2. Branch: collects the slips and cheques, passes on only the eligible slips and cheques, and sends them to the CPU; informs the customer when a cheque is returned.
3. CPU: scans the cheques and slips (burning the cheque images), enters the cheque data into the system (CITS; cheque text field), and burns a CD holding the cheque image and data; the CD is sent to Lanka Clear for clearance.
4. Lanka Clear: runs the clearing process and returns the return-cheque CD to the CPU.
5. CPU: receives the return-cheque CD, checks it against the CRN and the Lanka Clear report, and prints the CRN; the generated CRN is sent on so that the customer can be informed.
Inward Clearing
Swimlanes: Lanka Clear; CPU; Branch. Process flow, reconstructed from the diagram labels:
1. Lanka Clear: sends the inward cheque CD.
2. CPU: receives the CD, loads it through the CIT sub-system (cheque images uploaded), scrutinizes the cheques and enters the cheque details in T24; the accounts are updated.
3. Branch: reviews the eligible cheques (the branch's return cheques) and confirms which cheques are to be returned; the accounts are updated.
4. CPU: records the confirmed return cheques in T24 and builds the return-cheque CD; the confirmed return-cheque CD is sent to Lanka Clear.
SLIPS (Sri Lanka Interbank Payment System)
Incoming SLIPS Transfer
Swimlanes: Banking Assistant; CPU. Process flow, reconstructed from the diagram labels:
1. Banking Assistant: downloads the inward files and report (see N1), copies the inward files onto a flash drive and hands the flash drive to the help desk.
2. CPU: receives the SLIPS upload files and copies them into the SLIPS destination.
3. CPU: obtains approval for the SLIPS upload; the approver approves the upload.
4. CPU: uploads the SLIPS files into the T24 system; the accounts are updated.
N1: Inward files are downloaded through the LCPL (Lanka Clear (Private) Limited) VPN.