Assignment On: IS Audit and Inspection: Planning, Setting The Scope, and Preparing IS Audit For Any System Based Banking Operations

Uploaded by

Rakibul Islam
Assignment On:

IS Audit and Inspection: Planning, Setting the Scope, and Preparing IS Audit for any System Based Banking Operations

Name of the Participant: Rakibul Islam Talukder
Name of the bank: Bank Asia
Designation: Assistant Officer
Department: Internal Control and Compliance

Table of Contents:

Introduction 2
Discussion 2
Planning / Pre-Audit activities 6
Appendices (Bibliography & other References) 7

Page 1 of 7

Introduction

An information technology audit, or information systems audit, is an examination
of the management controls within an Information technology (IT) infrastructure.
The evaluation of obtained evidence determines if the information systems are
safeguarding assets, maintaining data integrity, and operating effectively to
achieve the organization's goals or objectives. These reviews may be performed in
conjunction with a financial statement audit, internal audit, or other form of
attestation engagement. An effective information system audit leads the
organization to achieve its objectives and an efficient information system uses
minimum resources in achieving the required objectives.
The primary functions of an IT audit are to evaluate the systems that are in place
to guard an organization's information. Specifically, information technology
audits are used to evaluate the organization's ability to protect its information
assets and to properly dispense information to authorized parties.

Discussion

As per the Guidelines on Internal Control & Compliance in Banks issued by Bangladesh Bank in February 2016, IS auditors evaluate risk management practices to determine whether the bank's IS-related risks are properly managed. IS auditors should conduct an audit of overall information and related technological security aspects covering the following:
a. IT Asset Management
b. IT Service & Facility Management
c. Physical (client/server interface, telecommunication, server, data storage, intranet, internet) & Environmental Security
d. User & Access Management
e. Database Access & Network Security Management
f. Data Center Security
g. Change & Patch Management
h. Problem & Incident Management
i. IT Strategies, IT budget
j. Audit trails & Data Privacy Protection Management
k. IT Service Contract & Agreements and Vendor Management
l. IT Risk Management
m. Data Integrity & Transaction control
n. Data Retention & Disposal
o. System Acquisition, Development Management
p. Business Continuity & Disaster Recovery
The spectrum of IT Audit should cover the issues mentioned in the Board-approved ICT guidelines of the bank, in line with the ICT guidelines issued and updated by Bangladesh Bank.
Circulars and other instructions issued in this regard also come under the purview of IT Audit to ensure data security. However, IT Audit should at least cover the following areas for overall data security:
i. System Design
ii. Application / Software Security
iii. Information Processing Facilities
iv. System Development Facilities
v. Network Security
vi. IT System (client/server interface, telecommunication, server, data storage, intranet, internet) Physical Security
vii. IT System (server, data storage, intranet, internet) Access control / Security
viii. Data Disposal and Copyright (if any)
ix. Disaster Recovery & Business Continuity Plan
x. Overall Management
Information System Audit

The following are the basic steps in performing the Information Technology Audit process:

1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up
6. Reports

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data).

• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations
• Step 9: Results Documentation
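As an added illustration (not part of the assignment), the following Python script carries steps 1 through 9 through on a constructed core banking sample: a characterized system, threat/vulnerability pairs, effective controls that lower likelihood, an impact rating, a likelihood × impact matrix and a documented risk register with recommendations. The scale weights and thresholds are assumed (modelled on the NIST SP 800-30 risk-level matrix, scaled to integers), and every asset, threat, vulnerability and control name is constructed.

```python
"""Worked risk determination for a constructed core banking sample, following
the nine-step sequence (system characterization -> results documentation).
Added example; scales and thresholds are assumed, modelled on NIST SP 800-30."""
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High"]
LIKELIHOOD_WEIGHT = {"Low": 1, "Medium": 5, "High": 10}     # assumed scale
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}      # assumed scale


@dataclass
class ThreatPair:
    threat: str            # step 2: threat source
    vulnerability: str     # step 3: weakness the threat could exercise
    asset: str             # step 1: component of the characterized system
    base_likelihood: str   # step 5 input: likelihood with no controls in place
    impact: str            # step 6: magnitude of harm to the mission
    controls: list = field(default_factory=list)   # step 4: controls found effective
    recommendation: str = ""                        # step 8: recommended control


def effective_likelihood(pair):
    """Step 5: each effective control lowers the likelihood by one level (assumed rule)."""
    idx = LEVELS.index(pair.base_likelihood) - len(pair.controls)
    return LEVELS[max(idx, 0)]


def risk_level(likelihood, impact):
    """Step 7: likelihood x impact scored on the assumed matrix.
    Score > 500 is High, > 100 is Medium, otherwise Low."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 500:
        return "High"
    if score > 100:
        return "Medium"
    return "Low"


# Step 1: constructed characterization of a core banking environment
SAMPLE_PAIRS = [
    ThreatPair("Insider misuse", "Shared administrator password on the core banking database",
               "Core banking database", "High", "High",
               recommendation="Individual privileged accounts with audit-trail review"),
    ThreatPair("External attacker", "Internet banking server missing vendor patches",
               "Internet banking portal", "High", "High",
               controls=["Monthly patch cycle"],
               recommendation="Shorter patch window for internet-facing systems"),
    ThreatPair("Power failure", "Single UPS in the data center",
               "Data center", "Medium", "Medium",
               controls=["Standby generator", "Tested DR site"],
               recommendation="Redundant UPS; keep the generator test schedule"),
]


def build_risk_register(pairs=SAMPLE_PAIRS):
    """Step 9: document the results as a register, highest risk first."""
    rows = []
    for p in pairs:
        lk = effective_likelihood(p)
        rows.append({"asset": p.asset, "threat": p.threat,
                     "vulnerability": p.vulnerability, "likelihood": lk,
                     "impact": p.impact, "risk": risk_level(lk, p.impact),
                     "recommendation": p.recommendation})
    rows.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)
    return rows


if __name__ == "__main__":
    for r in build_risk_register():
        print(f'{r["risk"]:6} {r["asset"]}: {r["threat"]} / {r["vulnerability"]}'
              f' -> {r["recommendation"]}')
```

The register separates the likelihood an auditor would record before and after crediting existing controls, which is what the control analysis step is for: the patched internet banking server drops from High to Medium risk only because the patch cycle was verified as effective, and the recommendation still targets the residual gap.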
Audit scope will vary according to the nature or category of audit. An IT Security Audit is done to protect the entire system from the most common risks, which include the following:

• IT General Controls: evaluating the existence and effectiveness of internal controls in place over the Information Security Program and related information technology processes as they relate to the security, confidentiality, and integrity of sensitive customer information, e.g. access controls on the core processing system and network, physical and environmental security of the data center, disaster recovery and business continuity management, identity theft prevention
• Performance problems and flaws in applications
• Improper alteration or destruction of data (information integrity)
• Access to confidential data
• Transaction authorization
• Segregation of duties
• System edits
• Data entry controls
• Logical security
• Unauthorized access to the department computers & branches
• Password disclosure / compromise
• Virus infections
• Open ports that may be accessed by outsiders (unrestricted modems & unnecessarily open ports)
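To illustrate the last item, here is an added Python example (not part of the assignment or of Bank Asia's procedures) that checks a host's listening sockets against an approved baseline, the kind of test an auditor runs in the "Testing and Evaluating Controls" step. The `ss -tlnp` style listing, the approved port-to-process baseline and the process names are all constructed for the example.

```python
"""Compare the listening sockets on a host against an approved baseline and
report unnecessarily open ports. Added example; the listing and baseline are constructed."""

# Constructed listing in the column layout of `ss -tlnp` (header line as ss prints it)
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1450,fd=4))
LISTEN 0      128    *:443               *:*               users:(("nginx",pid=990,fd=6))
LISTEN 0      128    [::]:3306           [::]:*            users:(("mysqld",pid=1330,fd=21))
"""

# Approved baseline for this server class (constructed): port -> expected process name
APPROVED_LISTENERS = {22: "sshd", 443: "nginx"}

# Bind addresses that mean "every interface", i.e. reachable from the network
WILDCARDS = {"*", "0.0.0.0", "[::]", "::"}


def parse_listeners(output):
    """Yield (bind_address, port, process) for each LISTEN line of an ss listing."""
    for line in output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)       # "[::]:3306" -> "[::]", "3306"
        proc = ""
        if len(cols) > 5 and '"' in cols[5]:      # users:(("sshd",pid=812,fd=3))
            proc = cols[5].split('"')[1]
        yield addr, int(port), proc


def audit_listeners(output=SS_OUTPUT, baseline=APPROVED_LISTENERS):
    """Return (port, process, reason) for every network-reachable listener
    that is not in the baseline or is served by an unexpected process."""
    findings = []
    for addr, port, proc in parse_listeners(output):
        loopback = addr.startswith("127.") or addr == "[::1]"
        if loopback:
            continue   # bound to loopback only: not reachable from other hosts
        if port not in baseline:
            findings.append((port, proc, "listener not in approved baseline"))
        elif baseline[port] != proc:
            findings.append((port, proc,
                             f"unexpected process on approved port (expected {baseline[port]})"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit_listeners():
        print(f"port {port} ({proc or 'unknown process'}): {reason}")
```

Loopback-only services are deliberately left out of the findings because they are not reachable from the network; the test is about exposure, not about every socket on the box. The same comparison can be run over a saved listing from each server class, so the baseline itself becomes an auditable artifact.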
IT Audits may be conducted to:

• Ensure integrity, confidentiality and availability of information system(s) and resources
• Investigate possible security vulnerabilities and incidents in order to ensure conformance to the Bank's security policies
• Ensure software systems deployed conform to the Bank's software implementation policy
• Ensure changes made to any systems conform to the Bank's Change Control / Change Management policy
• Ensure regular backup of data and business-critical systems is taken & preserved
• Ensure restore of both data and full systems is carried out on a regular basis, so that data integrity can be ensured and the Bank can be prepared for any possible disaster
• Monitor user or system activity where appropriate
• Investigate security incidents as and when required
An IT audit is different from a financial statement audit. While a financial audit’s
purpose is to evaluate whether an organization is adhering to standard accounting
practices, the purposes of an IT audit are to evaluate the system’s internal control design
and effectiveness. This includes, but is not limited to, efficiency and security protocols,
development processes, and IT governance or oversight.

Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches.

These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.

Planning / Pre-Audit activities
Auditors must make certain assumptions when bidding on a project, such as having
access to certain data or staff. But once the auditor is on board, don’t assume anything;
everything should be spelled out in writing, such as receiving copies of policies or system
configuration data. These assumptions should be agreed to by both sides and include
input from the units whose systems will be audited.

Nobody likes surprises. Involve the business and IT unit managers of the audited systems early on. This will smooth the process and surface any dispute over the auditor's access before the work starts. Consider the case of one respected auditing firm that requested that copies of the system password and firewall configuration files be e-mailed to them.

Some activities are mentioned hereunder to ease the process:


1. Team Leaders should specify restrictions, such as time of day and testing methods, to limit impact on production systems. Most organizations concede that denial-of-service or social engineering attacks are difficult to counter, so they may exclude these from the scope of the audit.
2. Make sure the auditors conform to the policy on handling proprietary information. If the organization forbids employees from communicating sensitive information through non-encrypted public e-mail, the auditors must respect and follow the policy. The audit report itself contains proprietary data and should be handled appropriately: hand delivered and marked proprietary, and/or encrypted if sent through e-mail.
3. Give the auditors an indemnification statement authorizing them to probe the network.

The Audit officer will be responsible for internal Audit within the department and operations of branches. When requested and for the purpose of performing an audit, any access needed will be provided to members of the Internal Audit team.
This access may include:

• User-level and/or system-level access to any computing or communications device
• Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the respective Dept.'s equipment or premises
• Access to work areas (Data Center, DR site, NOC, labs, offices, cubicles, storage areas, etc.)
• Access to reports / documents created during internal audit
• Interactively monitoring and logging traffic on the Bank's corporate network in conjunction with the Bank's WAN connectivity provider
• Moving machines involved in an incident to a safe location for analysis or to ensure evidence is captured and preserved securely
• All sorts of system and user activity logs / audit trails, to verify that privileges were used only for their intended and approved purposes
• User-level and/or admin-level access to any computing or communications devices
• Network or host scans, and obtaining any applicable information
• Audit rights of access to any Service Level Agreement or Annual Maintenance Contract with external or internal parties, as and when appropriate
• External or internal parties' premises, to verify the ability of the service provider before engaging them to provide any service in the Bank's interest
• All types of licence / IPR (intellectual property rights) related documents or logs associated with any software or hardware used in the Bank's ICT infrastructure
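The audit-trail item above (verifying that privileges were used only for their intended and approved purposes) can be exercised as follows. This is an added Python example, not the bank's own tooling: the log format, user names, change ids and change windows are all constructed, and the rule applied (a privileged command must be run by an approved administrator, carry an approved change reference, fall within that change's window and be among the commands the change authorises) is an assumption for the example, tying the review to the time-of-day restrictions and change management policy mentioned earlier on this page.

```python
"""Review privileged-activity audit trails against approved administrators and
approved change tickets. Added example; log lines, users, change ids and windows
are constructed, and the log layout is a simplified sudo-like format assumed here."""
from datetime import datetime

# Constructed audit-trail lines: "<iso-time> <host> sudo: user=<u> cmd=<command> change=<ticket>"
AUDIT_TRAIL = """\
2024-03-04T02:15:07 dbserver01 sudo: user=rahim cmd=/usr/sbin/useradd tempuser change=CHG-2041
2024-03-04T11:02:33 dbserver01 sudo: user=karim cmd=/bin/systemctl restart corebank change=
2024-03-04T02:40:10 dbserver01 sudo: user=rahim cmd=/bin/cat /etc/shadow change=CHG-2041
2024-03-05T03:05:00 dbserver01 sudo: user=selina cmd=/usr/bin/apt-get upgrade change=CHG-2050
"""

# Constructed reference data the auditor obtains from the bank before testing
APPROVED_ADMINS = {"rahim", "karim"}
APPROVED_CHANGES = {
    "CHG-2041": {"start": "2024-03-04T02:00:00", "end": "2024-03-04T03:00:00",
                 "commands": ["/usr/sbin/useradd"]},
    "CHG-2050": {"start": "2024-03-05T03:00:00", "end": "2024-03-05T04:00:00",
                 "commands": ["/usr/bin/apt-get"]},
}


def parse_line(line):
    """Split one audit-trail line into its fields; the command may contain spaces."""
    ts, host, _tag, rest = line.split(" ", 3)
    body, change = rest.rsplit(" change=", 1)
    user_part, cmd = body.split(" cmd=", 1)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "user": user_part[len("user="):], "cmd": cmd, "change": change}


def review(entry, admins=APPROVED_ADMINS, changes=APPROVED_CHANGES):
    """Return the reasons this privileged action fails verification (empty = acceptable)."""
    reasons = []
    if entry["user"] not in admins:
        reasons.append("user not an approved administrator")
    change = changes.get(entry["change"])
    if change is None:
        reasons.append("no approved change reference")
        return reasons          # window and scope cannot be checked without a ticket
    start = datetime.fromisoformat(change["start"])
    end = datetime.fromisoformat(change["end"])
    if not start <= entry["time"] <= end:
        reasons.append("action outside approved change window")
    if not any(entry["cmd"].startswith(c) for c in change["commands"]):
        reasons.append("command outside the scope of the change ticket")
    return reasons


def find_exceptions(trail=AUDIT_TRAIL):
    """Walk the trail and collect (time, user, command, reason) for every exception."""
    findings = []
    for line in trail.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        for reason in review(entry):
            findings.append((entry["time"].isoformat(), entry["user"], entry["cmd"], reason))
    return findings


if __name__ == "__main__":
    for when, user, cmd, reason in find_exceptions():
        print(f"{when} {user}: {cmd!r} -> {reason}")
```

Of the four constructed lines, only the first passes: the restart carries no change reference, the read of `/etc/shadow` happens inside an approved window but is not what the ticket authorised, and the upgrade was run by someone outside the approved administrator list. Each exception is something the auditor takes back to the department with the matching log line and ticket, which is why the function returns structured findings rather than a pass/fail.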

Appendices (Bibliography & other References)

IT Security and Information System Audit in Banks, Mohammad Ziaullah Khan, June 17, 2017
Internal ICC Policy & Procedures
Guidelines on Internal Control & Compliance in Banks, Bangladesh Bank, February 2016
