System Audit Report Pnsb-old CA Pune

8/7/2019 System Audit Report Pnsb-old CA Pune

1/41

2. BRANCH PROFILE .43. OBSERVATIONS RELATED TO BRANCH 53.1. SYSTEMS SECURITY ASPECTS 53.2. CONTINUITY OF OPERATIONS ASPECT 133.3. DISASTER MANAGEMENT ASPECT 183.4. BRANCH PARAMETER VERIFICATION AND CONTROL ASPECT 203.5. CONFIGURATION MANAGEMENT ASPECTS 223.6. CHECKING METHODS OF BRANCH EMPLOYEES AND REPORTS VERIFiCATION 263.7 OTHER CHECKING METHODS 273.8 DATA CONSISTENCY CHECKS 323.9 PERSONNEL AND TRAINING ASPECTS 333.10 ENVIRONMENTAL ASPECTS 35ANNt.-x.UREA LIST OF PARAMETERES IN THE BRANCH 38ANNEXURE B HARDWARE CONFIGURATION REP0RT 39ANNEXURE B HARDWARE CONFIGURATION REPORT 40ANNEXURE C SOFTWARE CONFIGURATION REPORT 41


2/41

' 1 1 . EXECUTIVE SUMMARYWe have conducted the computer Environment and Procedures Audit atMain Branch as per our proposal submitted to you earlier. The audit was conductedfrom ts" Feb 2008 to is" Feb 2008.Following are the major findings. These observations and findings have been discussedwith the concerned officials of the branch during the audit period. Importance of theseobservations was explained to them to enable them to initiate corrective action, asapplicable. Entire audit was conducted as a constructive one and not merely as faultfinding exercise.Audit report has been prepared keeping in view the RBI guideline that the bank should be ableto take review of the situation subsequently using the questioner.Importance of following Major aspects were elaborated during the visit:

- J Version Control- J Access Control- J Operational Control- J Backup / Business Continuity Controls- J Data Integrity- J Checking / Record Maintenance

Enclosed report may be referred for all details.1.1. Broad Status of Computerisation:The branch had started its operations on Shreebhushansoftware using DOS as its operating system and FoxProThe software has been developed by JJIThardware of the branch hasbeen supplied by AIKEN Computers Beed ..

Online Bankingas its database.Majority of the

1.2 Findings and Observationsa. Access Control and User Management Aspects

Server is placed in a separate room, which is kept clean and Physical accessto the server is restricted by providing lock to server room, but Server room isused as store room for keeping consumables , reports , old hardware &Stationery, etc. which is not correct. We were informed that normally out side floppies are not used in the branchexcept for clearing, however, risk of using the same by inadvertence orotherwise cannot be denied. We suggest to load the clearing data on floppydrive from the manager's cabin so as to ensure access control.

b. Operational Control Aspects There are guidelines / circulars issued by the bank for the management of ITrelated issues. However, they were hardly read by the concerned staff. It isgenerally taken for granted that such circulars are only for DBA ManyCirculars were not traceable in the branch, thus far away the possibility of itsreading. The staff members are familiarised with the software only by practice. It ispossible that the staff is not well conversant with many of the facilitiesavailable in the software. It is general tendency to call for help from the HO-IT department for very small issues which in fact, could be sorted out at thebranch level itself. The branch staff need to go through the manual &circulars. We suggested that meeting of staff members be called say, once ina month, and necessary readings be made in common. This wilJ imprqve theconfidence level of the staff. / _;' '" ; : : ' , 1 "

/


3/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEED Dates of Visit : 18/02/2007 to 18/02/2007MAIN BRANCH BEED

c. Backup I Business Continuity Aspects

The Backup is being taken on ZIP Disk which has not been changed sincelong time t. Necessary watch be kept on the disk to confirm its reliability

Backup media has never been checked for its readability by the branch staffThis work is done at the IT department when back up is loaded there.

Branch personnel have not made themselves well acquainted with BusinessContinuity and Disaster Recovery Plan. Mock trials be taken to ensure thatbranch functioning will not suffer heavily due to disaster.

Sufficient training should be given to users on IT Awareness; BankingSoftware in use and management of IT related issues. This will facilitate thestaff to avoid calling the IT department at the HO for small issues.

Enclosed report may be referred for all details.


4/41

2,. BRANCH PROFILEA, General Information

1. Name & address of the branch Main Branch - Beed.2. Branch Head Mr. M V Pargaonkar3. Name of Accountant I ABM Mrs. K J Kulkarni4. Number of Staff 21Managers / Officers 5

Clerks 12Sub Staff 45. Duration of Audit 18th Feb to 18th Feb 2008.6. Avg. No.of Vouchers per day 700-8007. Advances: (as on 18-2-2008) 290914884.878. Deposits: (as on 18-2-2008) 403345233.429. No. of SB AlCs 14930No. of CA A/Cs 1021No. of CCI 00 AlCs 193No. of Other Advances AlCs 1483No. of Other Deposit AlCs 1148210. Audit Team CA. Mandar BhideCA. Dinesh Kasture

(8) BRANCH COMPUTERISATION STATUS1. EOD, BOD, Backup carried out by Officer J_ ----_ ---_----, _-----,--_-----._-_--_ ..2. New Users & powers granted b_y Branch Mana_ger _ _ _ o j----.3. Changes of charges, interest IT Department Head Office.rates etc. done by4. Hardware Vendor AIKEN Computers5. Software Vendor & Version JJIT - KF.21 Net 3.126. UPS make & capacity Champion - 3kv * 3 numbers7. Modules fully implemented8. Modules partially implemented TOO -Interest rate,9. Modules purchased but not NAimplemented10. Date of parallel runs No Parallel run.11. Date of live runs 14-9-1998

Chobe & Mate AssociatesPune.


5/41

DETAILED REPORT:

l.egend on Asterisk - - in the Serial Number Column

,'*(One Asterisk) indicates a Weak Control.(Two Asterisks) indicate an observation with Fair significance.(Three Asterisks) indicate that this is a Crucial Observation.

3. OBSERVATIONS RELATED TO BRANCH3.1. Systems Security Aspects

3 . Do the server / pes / NoTerminals have virusprotectionmechanisms?

Are outside floppiestested for viruses?

A virus may corruptthe data as well asprograms also.

Antivirus softwareshould be invoked atthe time of bootingthe machines.

The same should belegal, licensed & up-to-date.

All floppies must betested for VirusesJ"~~~ : ' : " : ' ::"tbefore being used C ~ J : i : .PCslTerminals:C'I(

N.A.

Recommendation_.Sr. Control Check ObservationNo.1 . Is access to computer No

restricted?

Is physical access to Reportedly Yesserver roomrestricted?

2. Are locks available for YesServer room

If yes, are originalkeys kept with proper Yesofficials?

Are duplicate keys yeskept with propercontrols?

Physical access tocomputer systems byoutsiders should beprohibited.

Only authorisedpersons should beallowed access to theplace to guardagainst accidental orintentional damage tosystem or the data.

The server should bekept in server roomwith lock & keyarrangement.

Key Systemresources should bekept under lock andkey to restrict thephysical access.

Outsiders should notknow the location ofserver room. Theboard need to beremoved.



6/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEED

Dates of Visit: 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

Control Check Observation Recommendation

No system log as such.But reportedly

4. Is there anyavailableunsuccessfulattempts?

log Noforlogin

After howattempts thegets locked?manyuser N.A.

Is there any definedprocedure for N.A.unlocking the user?If yes, is it followed? N.A.

5. Are passwordschanged periodically?***

6. Is the secrecy of Reportedly yespasswordsmaintained?Are changes in thepasswords noted in N.A.any register?

Is writing passwords N.A.in the said registeravoided?

Is password maturityfacility available in the Nosoftware is used?

The terminal shouldget locked aftercertain number ofunsuccessful loginattempts to defeatany unauthorisedaccess attempts.

There should be welldefined anddocumentedprocedure forunlocking suchierminel.

SA I DBA shouldkeep an eye on suchattempts. It should be ensuredthat the passwordsare changed at leastfortn ightly.

Frequent changing ofpasswords narrowsdown the chances ofunauthorised access. Password is like asignature. Secrecyneed to maintained.

A record of changingthe passwords shouldalso be maintainedwithout noting theactual password in it.


7/41

1 - -~~?-'"~A--re--im-p-o-rt-a-n-t-------+-N-O----------------4-.-T-h-e--s-e-a-Ie-d--e-n-v-e-Io-p-e~

passwordsenclosed should be kept at ain a sealed envelope safe place with lockand kept in safe and key and the keyscabinet under the should be kept withbranchmanager's the manager.supervision? Such written!

passwords should beupdated wheneveractual passwords arechanged on thecomputers. In case of absence ofconcerned persons,manager can decideto ensure continuityof operations with theuse of passwordskept In sealedenvelope.

Control Check Observation Recom mendation

8. Are the guidelinesavailable forpasswordmanagement?

Guidelines issuedbyIT Dept but Nosuchguidelines aretraceable in branch

Bank should issuecomprehensiveguidelines forpasswordmanagement.

9 . Is recordof userManagement - Add IChange/ delete /disable / enablemaintained?

No Such record, underproper control, willhelp the Manager inproper UserMgt.

10. Is the list of standard Nodirectories / filesavailable at thebranch?If available, is theexisting programfile(s), size(s) tallywith the standard list?

Are extraneousprograms other than Reportedly yesthe standard listtotally absent on thesystem?

List of standard files,directories with filesize, etc. should beavailable at thebranch. In case of troubleshooting by vendor,the action taken byvendor should beexplained by him tothe officer of thebranch and it shouldbe recorded. The vendor shoulddelete the extra /temporary filescreated duringtrouble-shooting. This is to ensure thatno extraneous filesare resident on thesystem.

11. Are directories at the Nobranch regularlyreviewed to locateany unauthorized orsuspicious file?

DBA should reviewall directories tolocate anyunauthorized orsuspicious file.

Chobe & Mate Associates Page 7


8/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTO. BEEDDates of Visit: 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

***

Sr. Control Check ObservationNo.12. Do users log out Noevery time they leavethe terminal?

13. Is auto lock available Nofor the software?

Are magnetic objectsas radio etc. avoided Reportedly yesnear the terminals?

After how much idletime the terminal getslocked?Who can open thesame?

15. Do error/ warning/ Yes - Fieldother messages fromthe software containsfile/ field name/s?16. Are PCs / terminals Yeslocated away fromelectromagneticsource such aselevator motors orpower cables?

14. Is OS access atprompt available onServer?Other PCs

Yes - DOS, Novell4.11

Yes (2 PC's-Windows)

Recommendation

Users are advised tolog-out of theapplication beforethey leave theterminal. When the applicationmenu is left open,there are chancesthat an unauthorisedperson can accessthe system andcommit anunauthorisedtransaction. Autolockingadvisable. IS

An access toOperating System(OS) prompt maygive the user powerto access the data /software.

Error messagecontaining field willhelp in solvingproblem. Proper distanceshould be maintainedbetween data cablesand power cables. There is a possibilityof data corruption incase these cablesare very close toeach other. PCs / Terminalsshould be kept awayfrom electromagnetic/ magnetic sources.


9/41

computer Envi ronment & Procedures Audi t ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEED Dates of Visit: 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

s -. Control CheckNlo.

Observation Recommendationt--------j---::---.,---:------:---,---:--t------------+------------ ...17. Are the hash-total/Nochecksum testsused?

18. Are User-ids unique? Yes

19. Are the employees on Noleave, temporarilydisabled?

20. Are the dummy Yesnames for the usersstrictly prohibited inuser maintenance?

21. Are transferred, Noresigned employeeusers removed asusers from thesystem?

Is the bypassingthese tests strictlyprohibited?If these tests arerequired to bebypassed for genuinereasons, is such anoccasion recorded?Are there bankguidelines availableabout checksumprocedures & recordand are theyfollowed?

Wheneveroccasionchecksumanoffailure /

non-printing occurs,the same should berecorded and signedby the officer-in-charge. Also thevendor should notmake available anycommands /programs to thebranch staff for hash-total regeneration. Organisationguidelines must beavailable forChecksum aspect.

No two users on thesame applicationshould have same 10 . Such facility isavailable in thesoftware, but was notused.

Users, who are onleave, must bedisabled temporarilyfrom the system. Users, other thanauthorizedemployees of theorganisation, shouldnot be available onany computer. The user-ids oftransferred, resignedusers must not beavailable In theapplication.


10/41

_____y----------.,-------------,------------,S~'. Control Check ObservationNo.22. Is database yesmodification by

vendors (to maintaindata integrity), at thebranch avoided?

If no, is it done withproper authorisation?

If yes, is properrecord of suchchanges maintained?

Recommendation Direct Modification ofraw database shouldnot be done at alleven by IT Dept.person. If, needed inemergency, the sameshould be recorded. Branch Managershould be presentduring suchmodification exercise.

If required in extremecases, the sameshould be done withproper writtenauthorisation.

23. Is the SIW change at Yesbranch level avoidedby the vendor?

Software changes /fixes at branchesshould not be allowedat all.

Such

If No, give details.

createchanges will

differentand maydifferentin the

versionsintroducemistakessoftware.

25. Are Bootable floppies No! media available?

26. Are hand-written Yesadditions!modifications avoidedin all printouts?

24. Is storage of anybranch database onthe local nodes! PCsavoided?

If not, is the access tosuch raw database iscontrolled?

If No, are theyauthenticated?

Is any record of suchmod ificationsmaintained?

Reportedly Yes The branch databaseif available on localnodes! PCs could betampered. The PC on whichbackup of the data isstored should haveaccess controlmechanism likepassword.

A computer can bebooted through suchfloppies / media. Ifavailable, the samemust be kept underproper control.

Hand-writtenmodifications inprintouts should beavoided. They willlead to inconsistencyof data.

If required to bedone, they must beauthenticated by theoperator and officerand their record mustbe maintained forfollow-up.


11/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTO. BEED

Dates of Visit : 18/02/2007 to 18/02/2007MAIN BRANCH - BEED-----------------------------------

Is I.T. departmentinvolved in any data Noprocessing activitiesin the branch?If yes, is there anyrecord of the workdone by the I.T. dept.Maintained at thebranches?

Sr. Control Check ObservationNo.r---+-------------+------------------~--------------~27. Are I-Cards provided No

to all users?28. Are Authorisation Noletters issued to all

users?

29. Do exceptional Yestransactions requireauthorization?

30. Is Auto log of all the Yes - but notusers logged in on a monitored.particular dayavailable andmonitored by the SA /DBA?

31_ Is I.T. department Yesdefined as active userin the software?

Recommendation

I-Cards are means ofidentification of users Authorization lettersbe issued to stafffixing theirresponsibilities &authorities in respectof computeroperations.Alternatively.appoint-ment letters maycontain thisinformation.

All exceptionaltransactions shouldrequire authorisationof supervisory leveland the same shouldget printed ontransaction list andExceptionalTransaction Report.

Such log is essentialto trap anyunauthorisedtransactions. User profiles shouldbe available in printformat and list formatunder controlledenvironment.

I.T. dept should betreated as one of theoutsiders for dataprocessing activity atthe branches.

A record of all theactivities undertakenby the officials of I.T.dept should bemaintained by thebranches.

Such records shouldbe authenticated bythe officials of I.T.dept. as well as thebranch officials.


12/41

Sr. Control CheckNo,-------,--------------,-----------.,.--------------,Observation32_ Is the purged data Nostored on anystandalone PC?

33. Is there proper Yespassword syntax inform?

34.

35.

36.

Is physical access tosuch data controlled?

Is the purged dataprotected from anymodification?

Are there satisfactoryprocedures forreissuing passwordsto users who haveforgotten theirs?

Are the user levelsassigned in line withuser status in theBranch?

Is anti-virus policy orguideline issued bythe Bank followed?Is all staff beenadvised of the viruspreventionprocedures?

No

Yes

No such policy issuedby Bank

Is anti virus inspectionenabled?

Recommendation

Standalone PCshaving database ofthe branch should besubject to physicaland logical accesscontrol similar to thelive data. Access to purgeddata should be givenonly to the few users. No amendment tosuch data should beallowed. Access to the datashould be recorded. We suggest to issueDetail Circular onPasswordManagement andtime schedule befixed for itsimplementation.

A record of reissue ofpasswords should bemaintained whichshould beauthenticated by theuser whose passwordis so changed. Password reissuefacility should begiven to the branchmanager in thesoftware.

The user mustchange suchreissued passwordimmed iately. User levels andpassing authoritiesassigned to the usersin the softwareshould be in line withthe status of the userin the branch and_p_olicyof the Bank. Written antiviruspolicy serves as adeterrent to thepractices exposingthe bank's system All Staff need to bewell conversant withvirus threats &preventionprocedures.

Paae 12


13/41

3.2. Continuity Of Operations AspectSr. Control Check ObservationsNo.

2.

Recommendation

1. Is back up of data Yestaken daily at the endof the day? Day-end backup ofdata must be takendaily.

~'---r-----------------+----------------~----------------~Is off-site back up Reportedly Yespreserved to ensurecontinuity ofoperations withminimum disruption incase of emergencieslike fire?

Is offsite backup ofoperating system, At Head Office.application softwaremaintained?

Is data on the backup Nomedia taken out of thepremises for anypurposes other thanmaintenance at off-site?If yes, is there anyauthorisation for andrecord of the same?

3 .

Branch shouldpreserve a copy ofthe latest softwareand data at an Off-site location (saynearby branch, ITdept.) at apredeterminedfrequency.

In case of damageof on-site data andback up, the off-siteback up can berestored and theoperations can becontinued.

The backup med iashou Id never betaken out ofprermses except inauthorised andrecorded cases.

4. Is Back-up taken onboth the hard disk(e.g. zoom back up)and floppies I tapes?

Yes - ZIP Drive It is advisable to takeback up on both themedia.

5. Is back up of latestversion of applicationsoftware alsomaintained properly?

Latest version ofsoftware must also be .available on backupmedia.

At IT Dept HeadOffice

6. Are back-up mediawrite-protected? No Backup mediashould be writeprotected after useto protect frominadvertentoverwriting.

Is Backup takenbefore anymaintenance activity(Hardware orSoftware) takesplace?

Backup of datashould be takenbefore anymaintenanceactivity.

7.**

Reportedly Yes


Page 13


14/41



9.

computer area.

Sr. Control CheckNo.

Observations Recommendation

8. Is back-up mediatested periodically? Backupshould be mediatestedYes periodically toensure itsusefulness in case itis required.

Are back-up media Reportedly Yeskept securely awayfrom electromagneticdevices?

Back up should bekept away from anyelectromagneticdevice to avoid anydata error.

Are the guidelines Reportedly Yesfrom HO about takingback-ups followed? Back up should bekept away from anyelectromag neticdevice to avoid anydata error.

Are the back-ups kept Yesaway from originaldata?

10.

11.

12. How manygenerations of back-ups are maintained?

Backupshould beoutsidemediastoredthe

No generations ofback-up maintained. More than 3generations aregenerally preferred toassure the continuityof the work.13. Are monthly/Quarterly / Yearlyback-ups keptseparately?

No Periodical back-upsshould bemaintainedseparately.Is backup mediastored in a fireproofcabinet secured withlock and key?

14.***

No All back-up mediashould be stored in afireproof cabinet withlock and key system. A periodic check ofthe available mediashould be made toascertain the identityand existence of themedia.


15/41

Control Check Recommendation-------,------------,---------~--------~Observations

15. Is back-up registermaintained? Not Properlymaintained. No dataavailable fromOctober 2007.

No

No

No

No

Only for PC's.

Backupshouldregister

bemaintained givingdetails about Date,Time, Data Size,Number of files,Name of the personetc.

This register helps inkeeping track of thelocation, existenceand quality of themedia.

Such log affixes theresponsibility fortaking back up aswell as helps Intracing any lapses inthe procedures.

Labeling enables toidentify correctmedia in case ofback up andrestoration. Absenceof which may resultin wrong datarestoration,

Label on mediashould containdetails such asunique identificationnumber, Date ofinitial use and thedescription of thecontents.

Labeling should bedone on the mediaitself, instead on thecover of the media.

Spare Computer,printer may beprovided, dependingupon volume andimportance of thesite.

UPS backup timeand power should betested regularly onsome slack days soas to ensure itssmooth work in caseof power failure.

UPS should be usedonly for theequipments forwhich it is meant.

16. Is there a log / reportof back up taken / nottaken on any day?

17. Is labeling of mediaproperly done?

18. Is there any backuparrangement availablefor the hardware?

19. Is the UPS testedperiodically?**

Is UPS used foressential equipmentonly?

20.

Page 15


16/41


17/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEEDDates of Visit: 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

Observations Recommendationontrol Checkr.No.29. Is alternate Reportedly yes

arrangement of staffdone in case of need?

- - - - - - - , - - - - -- - - - - - - - - - - - - .- - - - - - - - - - - - - - - - - - ,- - - - - - - - - - - - - - - - ~

30. Are appropriate Reportedly yes but norecords maintained for record traceable atfirst time master data the time of audit.conversion?Are relevant records -i.e. manual &computerised datacompared forcorrectness andauthenticated byappropriate person -are available?Are records checkedand authenticated andmaintained, everytime new version ofthe s/w is loaded?

31. * Is offsite backup of allinstructions /

Manual was nottraceable.

operation manualmaintained?

Training to 2 otherEmployees asalternatearrangement isrequired.

Substitute computerstaff should alsohave properexposure so as toensure continuity ofwork In case ofabsence of regularstaff.

Appropriate recordof the conversionprocess should bemaintained.

Offsite backup ofdocuments shouldbe maintained by theI.T. dept.


18/41

Disaster Management Aspect

Sr.No.1.

Control Checks

Are the hardware andsoftware problems beingnoted in detail in aregister?

Are these registers up todate?


No. They havemaintained servicereports of vendors in afile.

No

Recommendation

All HIW and SIWrelated problemsshould be recorded ina register asprescribed by theorgan isation. Maintenance of proper'Complaint Book' willensure effective follow-up.

In case, the userscome across anyproblem, the sameshould be informed tothe Vendor and shouldbe entered In the'Complaint Book'. The recorded problemshould becommunicated to theVendor by Telephoneand also supported bysending a copy of thecomplaint to Vendor &IT Dept. The sameshould be informed tothe branch-in-chargeat the earliest and dulysigned by him. The same complaintbook should be usedby the branch forrecording anyimprovement requiredin the software.

LT. Dept. shouldperiodically review thestatus and assess thequality of the servicerendered by theVendor in resolving theproblem inconsultation with theVendor and Branch -In-charge. Branch should ensurethat Vendor updatesrelevant columns inthe 'complaint book'after the problem issolved with hisauthorisation. The organisationshould define theprocedures for

Page 18


19/41

Recommendationontrol Checks---------+-----------+----------1---------- -----management ofhardware and softwarerelated problems andthe same should befollowed.

Branch should ensurepreventivemaintenance visits bythe Vendor on aperiod ic basis as perthe AnnualMaintenance Contract.

Periodic checks of thesystem will prevent theoccurrence of theproblem, thereby

Is the Vendor, as per the YesAnnual MaintenanceContract doingpreventive maintenanceof hardware?

2

ensuringdowntimesystem. The branch shouldmaintain proper recordas per the proceduresdefined by theorganisation.

minimumof theDoes the Branchmaintain record ofpreventive andcorrective maintenance?

Yes

Branch In-charge / ITDepartment shouldaddress this issueeffective Iy bydiscussing with theVendor. Periodical meetingshould be arrangedamong IT Dept.,Branch and Vendor toassess theperformance.

Does the Vendor attendto the problems on atimely basis?- Hardware

3.

Yes- Software IT Dept. - HO

Branch should displayand update ContactPerson(s), Contactaddress, Fax number,and Telephonenumbers of thevendor(s) in thebranch.

This enables anyemployee to easilycontact the Vendor inthe absence of theDBA or in case of anyemergency.

Are the contact details of Yesall Vendors easilyavailable in the branchpremises for contactingin case of anemergency?

4.

In case of largepremises, such mapshould be available inthe branch as well asat Regional Office.

Is location map available Nowith equipment details?5.*

Page 19hobe & Mate Associates


20/41

Control Checks RecommendationNo"6. Are the guidelines or Reportedly Yes .HO should issue*-J:* disaster contingency guidelines for actionsplan received from H.O. to be taken in case ofspecifying actions to be different types oftaken in case of disasters.emergencies?r--7. * Is it tested at predefined Reportedly once in a frequency? year8. Is the staff familiar with No Such mock tests* the procedure to be should be takenfollowed in case of periodically.disaster?

3.4. Branch Parameter Verification And Control Aspect

Sr. Control ChecksNo. The parameter settingsin the system play animportant role inrevenue andexpenditure of theOrganisation and alsoaffects all businesstransactions. (Forexample: Interest Rateparameter setting) The same should beauthenticated andauthorised by theconcernedDepartmental Officer.

Responsibility shouldbe assigned toDepartmental Officer toupdate criticalparameter values. Records of changesmade in parametersshould be maintainedand monitored.

Recommendationbservationsi. Is access to YesParameters restricted?

Is responsibilityassigned to update thecritical parameter Yesvalues?

2. Are parameters set Yesproperly? It will ensureauthenticity of theparameters. All parameter changesshould be supported bycirculars

3. Are all parameter No. Parameter log is alsochanges supported by not available.proper documents /parameter change log?

It will ensureauthenticity of theparameters. All parameter changesshould be supported bycirculars

Chobe & Mate AssociatesPune. Page 20


21/41



Sr r . Control Checksu'io.

Observations Recommendation

4.

5.

Are there any Noguidelines from HOabout originalparameter setting?

Is record of interest Reportedly yesrates maintained?

Parametermaintenance?Parameter record?Are these guidelinesfollowed?

Are the interest ratesrequired to be given for Noeach account?If yes, how the sameare verified andcontrolled?

The Head Office shouldgive written guidelinesto the branch. Anychanges required to bemade In parametersshould also be notifiedto the branch.

The interest rates setfor each account shouldbe documented andauthorised byresponsible officials. It is recommendedthat "Parameter Listing"should be generatedfrom the system alongwith the status ofauthorisation.


22/41

3h!~a Configuration Management Aspects

I Sr.No.

- Application SIW

ObservationsAll Hardware is ownedby Head office. So alldetails are availableat HO only.

- - - - - - - - - - 1 1 1 - - - - - - - - - - - - -

No Record at Branchlevel

No Record at Branchlevel

No separate AMC forBranch.

No Separate AMC forBranch.

Recommendations Maintenance of anAsset registerfacilitates properidentification of theasset. It ensuresproper control andmonitoring of any /sale / disposal /transfer / physicalexistence of theassets. The flow of incomingand outgoing assetsshould be controlledand recorded in anasset register. Separate files shouldbe maintained forcomputer relatedinvoices, AMCs,insurance etc.

This is to ensure thatthe asset, which ispurchased and paidfor, exists in thebranch and all assetsare backed by properinvoice. This is to ensure thatthe softwarepurchased has beeninstalled and noillegal software existsin the branch. AMCs help inprompt services bythe vendor.Preventivemaintenance canalso be ensured.This ensuresminimum systemdowntime .

AMes help Inprompt services bythe vendor. Thisensures minimumsystem downtime.

Control Checks1. Is an Asset Registercontaining details ofall the computers andperipherals beingmaintained?

Is the SIW registermaintainedcontaining all detailsofSIW?

2. Do hardwareinvoices match withthe actual physicalinventory?Registers/ Records

3. * Do software invoicesmatch with theModules installed?- System SIW

4. Are AMCs ofhardware active andcontinually renewedfor HIW, stabilizer,UPS, AlC?

Are AMCs ofsoftware are activeand continuallyrenewed?

5.


Page 22


23/41

Observations Recommendations- s ~ -I ~\ijo"

Control Checks

6. Is insurance coveravailable for- Hardware- Infrastructure?Are insurancepolicies available for- Hardware- InfrastructureAre these policiesare live- Hardware- Infrastructure

Insurance cover isavailable but at HOlevel & that too BlanketPolicy.

Insurance shouldcover the exposuresremaining afterapplication ofcontrols.

Insurance policiesmust be live,comprehensive andavailable on site.

Proper type ofinsurance applicableto IT resourcesshould be available.

It is recommendedthat the branchshould inquire aboutother coversavailable under theElectronicEquipment Policy.

Are there anyspecific problems? No

Are the availablehardware devices inworking condition?

Reportedly yes.

8. Does vendor's user Not availablemanual exist in thebranch?

Does Bank's usermanuals, ITDepartment Not 100%guidelines and otherdocumentation existin the branch?

All user manualsrelated to theapplication softwareand other computer-relateddocumentation givenby the vendor shouldbe preserved forreference.

9. Are the manuals up- Reportedly yesto-date?

Manuals must beupdated as andwhen updations takeplace in hardwareand software.

Up-to-date manualswill act as a trainingand reference aid tousers.

It should be ensuredthat the manuals areread by and referredby the concernedstaff.

This will reduce thedependence upon

1O . Are the manuals read Reportedly Yes.by the concernedstaff?


24/41


25/41


Dates of Visit: 18/02/2007 to 18/02/2007MAIN BRANCH - SEED

--------------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~---s- Control Checks Observations RecommendationsNo ..16.* Is there a defined No defined procedure Branch being the

procedure for but reportedly actual user of thecommunicating the communication is done software shouldrectification I through letters. always be taken intoenhancements confidence about therequired in the changes required insoftware to the the software,IT/EDP department? formally.

The branch officialsAre the changes should be trainedlmade in the latest communicated aboutversion of the Reportedly yes the changes in thesoftware new version of thecommunicated to the software via writtenbranch by the EDP/IT communication.department beforeloading the version atthe branch?


26/41

Computer Environment & Procedures Audit Repor tPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEEDDates of Visit: 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

. : ~ " s " Checking Methods of Branch Employees and Reports VerificationSr. Report Name Signed by Countersigned RemarksNo. by1. Transaction list Not Printed

2. Supplementary/ clerk officer Printed dailyDaily Subsidiary

3. Cash Book & clerk officer Printed dailyJournal/ Day Book

4. G.L. Not Printed**5 . Ledger Balances in Not Printed** Savings / Current /

CC-OD accounts(It can be either alist or a dump onfallback PC)/Cut Book

6. Exception Not Printed*** Statement / Officeroverride report

7 . Debit balances In Printed Monthlysavings / currentaccounts

8. Report of cheque Manual Registerbooks issued

9. CC / 00 against Not printed* clearing &overdrawnaccounts statement

10. Trial Balance No Sign No Sign Reportedly Printedavailable available daily but couple of

reports were notavailable at thetime of verification.


27/41

'---------Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEED


. ' v . 7 Other Checking MethodsSl;" .. Control Checks Observations RecommendationNo.'1 Does every operator When there is no

put authorisation on thevouchers, it is verydifficult to trace any

a) Rubber stamp Yes transaction to theperson entering it andperson authorising it.b) Transaction Yesnumber generated

by the system &

c) Initials on all Occasionallyvouchers under hisI her name on allvouchers?

2. Are there procedures Yes Appropriate checks** to ensure that all the like document counts,vouchers have been transaction sequence

recorded in the no. should besystem? employed to ensurethat all the vouchers

have been processedin the branchmechanisationsoftware.

3. Are all exceptional Yes ExceptionalTransactions transaction reportChecked with must be checked andsupporting authenticated by thedocuments e.g. limit branch manager withbook? the help of supportingdocuments.

Such guidelinesAre there any should be issued byprocedures defined the C.O. and shouldfor handling, be followed.checking andcontrollingmismatches ofexceptionaltransactions?


28/41

Computer Envi ronment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEED

Dates of Vis it : 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

--s r. Control Checks Observations Recommendationl i \ lI t D .-_.4. Does signature It is essential toscanning document have completecontain: control on signature

scanning module. It was also observedSignature of official in that the signaturespresence of whom Yes scanning was notaccountholders has complete.signed? Signature scanningshould be done ondaily basis and no** Signature of official It is through Login id backlog should bewho has scanned the left.signature?

** Signature of official Through Passing idwho has checked thescanned signature?Is access tosignature scanning Reportedly Nomodule restricted?

5. Are Account ledgers Yesprinted at periodicalintervals & boundproperly?6. Are compulsory Yes Standard list of reportsreports defined? to be printed shouldbe clearly defined andintimated by the HeadOffice.7. Are the persons Yes The duties of theresponsible for official should be sochecking the reports arranged to ensureindependent of the segregate the dutiespersons responsible of maker, checker andfor data entry? authorizer.S. Are all compulsory It is observed that Certain compulsoryreports taken daily, Reports are not been reports such aschecked, printed regularly & supplementary,authenticated and, not even checked & exceptionalfiled properly? authenticated. transactions, day-endcontrol report etc.should be taken dailyand properly checked,authenticated andfiled.


29/41

S~'" Control Checks Observations Recommendation"10. ,9, Are modifications No Back-office Modifications to back

made in back office transactions, office informationinformation checked? should requiresupervisor's

authorisation and itshould be monitoredregularly,

Do back office Ideally supervisor'sand manager'smodifications require password should besupervisor's known only toauthorisation? restricted officials.

Is any record for thesame maintained?

10. Are all non-financial Reportedly yestransactionschecked?Do non-financialtransactions require Yessupervisor'sauthorisation?Is any record for the Yessame maintained?

11. Is physical storage of Yes The storage of thereports appropriate? reports should bedone by providing

appropriate space andstorage media.

12, Are there any reports HO Reconciliation, All the requiredprepared manually Bank Reconciliation. reports should bethough all the related defined in thedata is available in software. Generationthe system? of reports manuallyleads to duplication of

work and possibility oferror.

13. Are there any Nosoftware modulesunutilized?

14. What care is taken if It was told that at any Presence of SA & twoany operator is given time more than or more employeesworking beyond 2 persons available during working afterworking hours / on in the branch. working hours / onholidays holidays reduces theprobability of any

intentional!unintentionaltempering of thesoftware/ data

Branch official shouldalways accompany ITstaff or any otherperson working late atthe branch.

Chobe & Mate Associates Page 29


30/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEEDDates of Visit : 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

s r. Control Checks Observations Recommendation~o"~jr- Are month end Yes,J, reports kept in boundvolume?16. Is manual register No Such register gives anmaintained to record exhaustive list of theerrors in the software problems. Itsoftware? helps in takingappropriate follow up

----- with the vendor.17. Are the errors Reportedly yesreported to higherauthorities inappropriate manner?' IS. Are in-operative No record of in-accounts in the operative accountsbranch maintained maintained in branch.manually?19. Are any reports No Day begin and Daydefined for day end reports gives vitalbeginning process? health check of thesystem. They shouldbe generated, printed,

If yes, are the same authenticated andproperly filed.Authenticated?Maintained?

Are there any reports Trial Balance, Daydefined for the day book.end process?

If yes, are the same Daily transactions need*** to be checked &properly authenticated by thea) Authenticated? Yes officials so as to verifyb) Maintained? the correctness ofYes operations in the day.


31/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEEDDates of Visit: 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

r = ~ ~ " Control Checks Observations RecommendationIi\!o.20. Are hard copy reports:

@ HeadedYes. . Page numbered Yes

II Dated Yese Identified by Yesreport/program

number Adequatelytotaled/control Yes

totaled Designed to give Noan "End of

Report" messageif not obvious?

21. Are the defined No Mechanised branchesprocedures and should have a branchresponsibilities for mechanisation manualchecking of printouts to guide the branchfollowed? officials for their day-to-day work. It also

helps in affixing theresponsibility.

22. Is the balancing of Reportedly yes Various accountsbooks and checking balances should beof data integrity done reconciled daily.regularly? The branch shoulddevelop its own

integrity checks andapplied regularly tothe data.


32/41

~'Uj;Data Consistency ChecksConsistency of daily transactions with G.L.

'Account Date 1: 15-02-2008 Debit Credit transactions Date 2: 16-02-2008Head Bal. As per G. L. transactions as as on 16-02-2008 Bal. As per G.L.

on 16-02-2008 as as per Day Bookper Day Book

Rs. Rs. Rs. Rs.[---S8 64190264.98 997047 717817 63911034.98CA 8318949.75 1694167 1540137 8164919.75CC 111820125.92 908170 1022923 111705372.92~~--"-~--Short 4600771.50 1334 7208 4594897.50termconsumerdurableloanMedium 20627396.28 15783 25000 20618179.28termvehicleloansFD 239868273.25 345091 406333 239929515.25Consistency of Account balance with G.L.:

Headof Account Master balance as per GL Balance as on RemarkCut Book as on 16-02- 16-02-200852008 Rs. Rs.S B 63911034.98 63911034.98 Tallied

CA 8164919.75 8164919.75 TalliedCC 111705372.92 111705372.92 TalliedShort term 4594897.50 4594897.50 Talliedconsumerdurable loanMedium term 20618179.28 20618179.28 Talliedvehicle loansFD 239929515.25 239929515.25 Tallied

ACCURACY OF CALCULATION OF INTEREST WAS CHECKED FOR FOLLOWINGNUMBER OF ACCOUNTS.r: - Alc No.ype of Account Int. Period Products Int.

Correct YIN AmountCorrectYIN

Saving Account 5493 6 monthly Y YSaving Account 6638 6 monthly Y YCash Credit 265 Monthly y yCash Credit 318 Monthly y yFixed deposit 59507 Monthly Y YFixed deposit 61066 Monthly Y Y

----


33/41

3.9 Personnel and Training Aspects

Sr. Control CheckNo.

Observations Recommendation1. Is proper training (on thesystem as well as

application) given to thestaff?By the organisation- Operators- OfficersBy hardware vendor- Operators- OfficersBy software vendor- Operators- Officers

NoNo

No

No

2.*

Does training recordsexist at the branch?

No. Available at HO Branch shouldmaintain trainingrecords containingdetails like the typeof training,duration etc. of allthe staff who areworking in thebranch .

Training recordshelp the branch in-charge to assign atrained person forthe critical jobs asand when the needarises .

Transfers ofofficials of oneinstallation to othercan be managedeffectively.

3. Is the branch having a Noformally designatedofficer to look aftercomputer operations?(system administrator/DBA)Is the official who worksas SA/DBA properlytrained to complete his /her duties?

No



34/41


35/41

: !; 110Environmental Aspects,--~----,------------,---------,-------- -----_Sr. Control Check Observationsf \ !o.

Recommendation

"I. Is the cleanliness of the NoComputer Installation /Room satisfactory at firstsight?

2. Are the premises dusted Yesand cleaned daily?

Generalcleanliness of theComputer Areashould besatisfactory.

3. Are the PCs / Terminals Nocovered after businesshours?

4. Are the dusts gathering Yesitems such as curtains,carpets etc. avoided atinstallation?

5.**

mom? NoAre these practicesfollowed? No

Are there boards/signssuggesting Removal ofShoes, No smoking,Avoidance of Drinkingand Eating etc. near oraround computers?At least in the server

No Eatables shouldnot be kept nearPCs, Sever andUPS.

6. Is the record for Noconsumablesmaintained?

7 . Is air-conditioning Yesprovided?At least in the console Yesmom/ server room

If yes, is the cooling Reportedly yeseffect sufficient?

Proper ventilationis essential for theserver as well asUPS batteries. AC and Fanshould beprovided forserver urgently.

8. Is electrification as per Reportedly yesspecifications of orapproval by the headoffice of theorganisation?

9. Is three-phase Yesconnection available?

10. Is there separate phase Nofor computers?



36/41


37/41

Computer Environment & Procedures Audit ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEEDDates of Visit : 18/02/2007 to 18/02/2007MAIN BRANCH BEED

I ~ s u ' " Control Check--------------------~ -~--.-.~

Recommendation

same

--~-~----------4---------+--------~20. Are Heat Detectors fitted Noin the installation?Are the same N.A.operational?

Observations

;, Are smoke detectors Nofitted in the installation?thereoperational?

Are fire extinguishersavailable and in workingcondition?

N.A.

* Is everybody aware ofuse of the fire Reportedly yesextinguisher?Are fire alarms availableand in working Noconditions?Is the trial of the fire N.A.alarm taken once in awhile?

21. Are fire preventioninstructions/Emergencypower switch offinstructions posted inthe branch?

***No


38/41



Annexure A LIST OF PARAMETERES IN THE BRANCH

._-_..._,--- Type of Parameter Correct R e m a r k - iSr. ParameterNo. Parameter actually set-- _1 OBC charges Upto Rs500- Upto Rs500-Re.5 Re.5

500-1000 - 500-1000 -

IRS.10 RS.101001-5000 - 1001-5000 -RS.20 RS.20 I5001-10000 - 5001-10000 -RS.30 RS.30100001-100000 100001-100000- Rs. 3 per - Rs. 3 perthousand thousandabove 100000 - above 100000 -Rs.2.5 per 1000 Rs.2.5 per 1000

Max. Rs. 3000 Max. Rs. 3000--.-.- 1-. .2. Issuance of Duplicate RS.25 RS.25

Draft3. Stop Payment Charges Rs. 10 RS.101--.4. Local Cheques - Inward RS.65 RS.65

Clearing Charges ( only_-------_ for return ) -~5. Min. Bal. in SB Alc- with cheque book 1000 1000- without cheque book 300 300 - =-~.----6. Min. Bal. in Current Alc- with cheque book 3000 3000- without cheque book7. Saving Bank Interest rates

I- Public 3.50 3.50- Staff 4.50 4.50 -j. Premature penal rate for 1% 1%._--- Term Depositt- - ::- . . .9. SB Min. Int. to be applied Rs.1 Rs.1for10. Charges for Min. balance

not maintained.-_.. ._11. Interest TOO Current 3%p.a. 3%p.a. _ J2. Cheque Bounce charges RS.65 RS.65.


39/41

Computer Environment & Procedures Audit ReportI'OORNAWADI NAGRIK SAHAKARI BANK LTD. BEED

Dates of Vis it : 18/02/2007 to 18/02/2007MAIN BRANCH - BEED

Annexure B HARDWARE CONFIGURATION REPORTA!I Other Details are available at Head Office

I

IiI-i,

---_.; ; ewiai 1 2 3 4 5h;ll,mloer

._ "

, :~_I,II !1l ipment Main Server Standby Nodes PC (Disk) UPSI ' J i ( 8 ) me Server/ (Diskless)Node

I'I'!1l':iglJlration-_ .... _ .._------

, . ~ i . J I ; , . : i l n t i t y 1 2 12 5 5--"----'


40/41

Computer Environment & Procedures Audi t ReportPOORNAWADI NAGRIK SAHAKARI BANK LTD. BEED


Annexure B HARDWARE CONFIGURATION REPORTAll Other Details are available at Head Office

~;erial 5 6 7 8 9il~umber

-.~-rquipment Passbook printer Printer Scanner HUB Oat DriveName

---Configuration 3 4 1 4Quantity

~.-~--\(ieD1dorName

Status Active--

PurchaseDate--Entry inAsset

IRegister -YIN

lnvoiceExists YINAMCI

WarrantyDetails --

InsuranceDetails

iIII-IIIII -Ii

Status: 0 = Operational; D = Down; I = Idle; A = Abandoned.


41/41



Annexure C SOFTWARE CONFIGURATION REPORTAll Other Details are available at Head Office

Serial Number 1 2 3 4Name of the Shribhushan - OnlineSoftware Banking SoftwareConfiguration KF.21 Net 3.12Version No.Quantity 1Vendor Name JJITStatus 0Purchase DateEntry in AssetRegister - YINExistence ofInvoice YINAMC I WarrantyDetails

Status: 0 = Operational; D = Down; I = Idle; A = Abandoned.

Documents

System Audit Report Pnsb-old CA Pune