CA Bharatish Ballal
Information systems and audit
Information itself is an important asset in today’s business. If information is lost, modified or misused, the business can suffer a huge loss. Hence information security becomes important for any business. Information systems in business, including banking, are becoming technology oriented. Computers are being used in all areas of business, including financial accounting.
Internal controls used in a Computerized Information System (CIS) environment should also aim at information security. This aspect of internal control is mostly overlooked in a financial audit, where evidence collection and evaluation are more important. Audit provides assurance to the stakeholders of a business. The assurance provided by a financial audit is about the financial statements, which many stakeholders rely upon and use as the basis for their decisions. However, there are risks associated with any business that are not highlighted in a financial audit.
Operational Risk and Audit
For example, the Basel II Accord mentions ‘operational risks’ that are due to failure of system, process, procedure and human action/inaction (fraud) and legal restrictions, etc. in the operation of banks, some of which are not dealt with in a financial audit. The Basel Committee has identified people, processes, systems and external events as potential hazards for operations. Inadequacy and failure of any of them can result in events which cause losses. Every business has to identify the events relevant to it. The events may be similar within the same industry, but vary from organization to organization. The whole exercise of operational risk management is to identify potential events which are likely to cause losses. Here is a list of some of the events which could lead to operational risk (non-exhaustive):
Technology error
Fraud and theft