IS Audit Checklist in Excel

This document contains a checklist for conducting an audit of information systems (IS) in an automated banking environment according to RBI guidelines. The checklist covers general IS audit guidelines, effectiveness of the bank's IS security policy, implementation of the security policy, acquisition and implementation of packaged software, and development of in-house or outsourced software. It contains over 100 questions to evaluate controls, policies, vendor selection processes, implementation plans, and other factors related to ensuring proper IS security, controls, and compliance with regulatory standards.

Uploaded by

Anand.Sonie

Checklists for Audit in Automated Environment (IS Audit) as per RBI circular

S.No Particulars YES/NO/NA


A. General IS Audit guidelines
1 Whether documented and approved IS audit guidelines/checklists are available?
2 Whether the IS audit guidelines are consistent with the organisation's information security requirements?
3 Whether the IS audit responsibilities have been assigned to a separate unit which is
independent of IT Department?
4 Whether a half-yearly external IS audit is carried out?
5 Whether security audit is conducted as part of IS audit?
6 Whether Business Continuity plan, insurance of IT assets, data integrity etc. are made part
of external audit scope?
7 Whether the major observations brought out by previous Audit Reports have been
highlighted and brought to the notice of the Top Management?
8 Whether necessary corrective actions/compliances have been taken up on observations
given?
9 Whether adequate information/updates are provided to IS audit teams so as to enable
them to conduct audits effectively?
10 Whether IS audit team is encouraged to keep themselves updated?

B. Effectiveness of IS Policy
1 Whether a well-documented organisation-specific security policy is available?
2 Whether inventory management of IT assets is made part of the IS policy?
3 Whether policies related to all the IT activities are listed in the security policy?
4 Whether the policy takes into account all legal and regulatory requirements?
5 Whether the policy is approved and updated from time to time by the Board of Directors/
Top Management?
6 Whether the policy is communicated to all concerned Departments and is understood by
them?
7 Whether the following major security areas are covered in the IS Policy?
a) PC, LAN, MAN and WAN security?
b) Physical Security to IS establishments?
c) Handling of confidential information?
d) Handling of security incidents?
e) Privacy related issues for outside entities?
f) E-mail security?
g) Application security?
h) Interface Security?
i) Password Security?
j) Operating system security, web site security?
k) Database security?
l) Anti-virus and piracy policy?
m) Archived and backed-up data security?
n) Procedures for handling incidents of security breach/violation?
o) Disaster Recovery Plan/ Business Continuity Plan?
p) Persons responsible for implementing security policy and consequence for willful
violation of the Security Policy?
8 Whether a review process is in place for reviewing the IS policy at periodic intervals
and /or on any other major event?

C. Implementation of IT Security Policy


1 Whether documented security policy is made available to all the levels of users to the
extent relevant to them?
2 Whether regular awareness programmes/ Trainings are conducted for security
awareness?
3 Whether the role of Information Security Officer with responsibilities for implementation
of the Security Policy has been assigned?
4 Whether detailed procedures for each policy statement are developed?
5 Whether suitable methodologies/security tools are adopted for implementation?
6 Whether the roles of the implementers are clearly defined?
7 Whether the budgetary allocation for implementation of IS security is assessed and
documented?
8 Whether on the basis of audit reports or any other vital information suggestions for
updating the security policies are conveyed to the right / appropriate management?
9 Whether new entrants are given adequate exposure to the security policy?
10 Whether, in case of breaches of the security policy, the root cause is analysed and preventive and corrective actions are taken?
11 Whether incident-reporting procedures have been followed?

D. Acquisition and Implementation of Packaged software


1 Whether the auditor has gained the following knowledge and exposure about all packaged software before commencing the audit?
a) IT infrastructure and Environment in the Bank?
b) Different resources available in the IT department of the Bank?
c) Software products procured and implemented during the period?
d) Status of implementation (Complete/Partially complete/Incomplete)?
e) Whether any technical problems were faced by users after implementation?

f) Any Errors noticed in processing transactions in the procured system?


g) Any Errors resulting in financial loss, regulatory / compliance issues, serious client
complaints etc.
2 Requirement identification and analysis for packaged software.
a) Is there an annual plan covering areas requiring computerisation/advancement?
b) Is the plan in line with the Bank's overall IS strategy?
c) Has a detailed plan been made by the IT Department, clearly providing the date of
commencement, activities involved, target date of final implementation and estimated
costs for each area identified?
d) Has a document been prepared clearly detailing the functionality, performance, security, operational risk mitigation, acceptance criteria and interface requirements etc.?

3 Vendor Selection Criteria.


a) Does the IT Department have a technology standard for product selection?
b) Does the technology standard cover architecture, database standards, interfaces and API standards, security standards etc.?
c) Does the Bank have clearly laid down and approved guidelines for selection of product vendors?
e) Does the Vendor Selection guideline address the following:
· Market Presence?
· Years in operation?
· Technology alliances?
· Desired size?
· Client base and existing implementation?
· Support?
· Possibilities of partnership or strategic alliance?
· Source code availability?
· Local Support in case of foreign vendors?
f) Have the selection criteria been decided by the IT Department in consultation with user departments?
g) Does the IT Department use a scoring model for evaluating the products and vendors?

h) Do the scoring criteria consider the following factors:


· Extent of customization and work around solutions?
· Security Features?
· Technology fit?
· Performance & Scalability?
· No. of installations?
· Cost?
· Vendor Standing?
4 Vendor selection process:
a) Does the IT Department have a system to identify potential vendors?
b) Are reports of specialised independent rating agencies used for shortlisting vendors?

c) Does the Bank have a system of floating formal RFP (Request for Proposal) for systems
with estimated budget exceeding a certain amount?
d) Is there any separate cell/team comprising personnel from the IT Department, functional departments and Internal Audit Department in charge of vendor selection and implementation?
e) Does the team use prepared checklists for:
- Product evaluation
- Site visits
- Client reference
f) Are the final evaluation and selection fully documented, and does the document clearly reflect the rationale used for the selection?
5 Contracting with vendor:
a) Does the bank have approved terms and conditions for Product Licensing Agreements?

b) Does the Bank have a Service Level Agreement with Product Vendors for Support and
Maintenance?
c) Does the contract clearly segregate duties and responsibilities of the Bank and the
Vendor?
d) Does the contract include a clause to protect the Bank from the Vendor using the bank
data?
e) Does the contract clearly specify the product base lines?
6 Implementation of Packaged software:
a) Is variance analysis between the requirement and the selected product carried out and
documented?
b) Does the Bank’s policy provide for parallel run of previous system during the
implementation period?
c) Is there an agreed plan for implementation? Has the plan been approved by the Vendor
and IT Department?
d) Does the implementation plan clearly identify product customisation requirements,
user acceptance criteria and test for such customisation?
e) Does the implementation plan address data migration from previous systems?
f) Is there a list of areas which will be controlled by the Vendor during the implementation
phase?
g) Does the Bank have a test environment to allow familiarisation in parallel with the implementation process?
h) If there are bugs and errors due to design flaws, are they escalated to higher levels?
i) Is there a clearly identified data integration strategy during customisation period?
7 Post implementation issues:
a) Has the IT Department in consultation with User Department worked out Database
Controls?
b) Has IT Department introduced a system to track problems reported by Users,
escalation to vendor and their resolution?
c) Is there a system of measuring vendors’ support with the agreed service levels?
E. Development of software - In-house / Outsourced
i) In-house
1 Is the Software Audit (SA) (detailed guidelines given in the RBI circular) conducted using pre-designed formats at three levels, i.e. program level, application level and organisation level?
2 Has the IT department adopted any standardised quality processes such as ISO, SEI CMM etc. for software development?
3 Are non-compliances reported in such quality audits properly attended to and rectified?

4 Whether a structure is in place for effective Software Audit so that reliable results can be
obtained?

ii) Outsourcing
1 For software development outsourcing, are there laid down criteria for selection of
vendors?
2 Whether formal outsourcing strategy for necessary interface with the vendor is in place?

3 Are the outsourcing activities evaluated based on the following practices?


a) What is the objective behind Outsourcing?
b) What are the in-house capabilities for performing the job?
c) What is the economic viability?
d) What are the in-house infrastructure deficiencies and the time factor involved?
e) What are the Risks and security concerns in case of outsourcing?
f) What are the outsourcing arrangements and fall-back methods?
g) What are the arrangements for obtaining the source code of the software?
4 Does the user department representative ‘Expert Officer’/ any other person visit the
vendor’s premises for reviewing the capability and quality of software development
activities?
5 Is there an Agreement entered by the Bank with the Vendor for completion of the
software development in time?

F. Physical Access controls

1 Is there a policy regarding physical access control, and is it part of the security policy of the organisation?
2 Whether access to server rooms by unauthorized persons is restricted?
3 Is there any specific mechanism to review the policy regularly?
4 Whether the policy on the following is appropriate?
a) Layout of facilities
b) Physical and Logical Security
c) Safety
d) Access
e) Maintenance
f) Access controls for visitors
g) Safety and environmental requirements
h) Entrance and exit procedures
i) Legal & Regulatory requirements
5 Whether the facility is located in the least accessible area and/or access is limited to approved personnel only?
6 Whether the physical access control procedures are adequate for employees, vendors, equipment and facility maintenance staff?
7 Whether the access and authorization policies on the following are adequate?
a) Entering / Leaving
b) Escort
c) Registration
d) Visitor passes
e) Surveillance cameras
8 Whether periodic review of access profiles is carried out?
9 Whether the revocation, response and escalation processes in the event of a security breach are appropriate?
10 Whether security for portable and off-site devices is adequate?
11 Whether control of visitors is adequately addressed? Whether issues like registration, passes, escort, logbook etc. for check-in and check-out are handled properly?
12 Whether fire prevention and control measures implemented are adequate and tested periodically?
13 Whether computing facilities are situated in a building that is fire-resistant, with walls, floors and false ceilings that are non-combustible?
14 Whether smoking restrictions in computing facilities are in place?
15 Whether fire drill and training are conducted periodically?
16 Whether computing facilities are located above ground level? Whether water leakage,
seepage etc. are prevented?
17 Whether security awareness is created in the organisation regarding IS functions?
18 Whether UPS is available? If so, is it covered under maintenance?
19 Whether the main server room is locked and access is restricted?
20 Whether hazardous commodities are not stored in the IS area?
21 Whether appropriate access controls like password, swipe card, bio-metric devices etc.
are in place and adequate controls exist for storing the data / information on them?

22 Whether access to the IS facility is enabled through ID cards / badges, etc.?


23 In case of outsourced software, whether all maintenance work is carried out only in the
presence of / with the knowledge of appropriate bank staff?
24 Based on the criticality of the IS facility, is there video surveillance equipment to monitor the movements of personnel inside the facility?
25 Whether access violations are recorded, escalated to higher authorities and appropriate
action taken?

G. Application system Controls


i) Logical Access Controls
1 Does the software allow creation of user-IDs in the same name more than once?
2 Does the software store passwords only in one-way encrypted (hashed) form, so that the plaintext cannot be recovered from the stored value?

3 Does the software display the password as it is keyed in?


4 Does the software lock the user-ID after 3 unsuccessful logon attempts to the system?
5 Does the software force the User to change the password at set periodical intervals?
6 Does the software maintain password history i.e., does not allow the same password to
be used again on rotation basis?
7 Are similar passwords used on multiple servers?
8 Whether any access to the Administrator account is given to third-party users?
9 Can the DBA change others' passwords? If so, is it reflected in the audit trail?
10 If a user-ID record is deleted, does the software delete it physically or logically? Is the software capable of producing a report of logically deleted user-IDs?
11 Does the software have provision to restrict different menu options to different user-IDs
based on user level (based on designation / powers, etc.)?
12 Does the software have provision for defining access rights to users such as, Read Only,
Read and Write, Modify, Delete, etc.?
13 Does the software tag each and every transaction with the user-IDs of maker and
checker?
14 Are the User-IDs reflected in the contents of the report printed?
15 Does the software allow automatic logical deletion of inactive users after certain period of
time?
16 Does the system enforce a minimum password length of 6 or 8 characters, or as indicated in the password policy?
17 Does the system limit the maintenance of system control parameters to privileged user
level having sufficient authority only?
18 Whether any remote access permission is given on servers?
19 Whether unrestricted internet access is allowed on servers?
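The following is an added illustration, not part of the RBI checklist or of any bank's software: a minimal user store that implements the logical access controls of section G(i) (unique user-IDs, one-way salted password storage, lockout after 3 failures, forced periodic change, password history, minimum length and logical deletion of inactive IDs with a report of deleted IDs), so an auditor can compare an application's observed behaviour against a reference. The policy values, user-IDs and passwords are constructed for the example.

```python
"""Added illustration, not part of the RBI checklist: a minimal user store that
implements the logical access controls of section G(i). The policy values,
user-IDs and passwords are constructed for the example."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed policy values mirroring checklist items G(i) 4, 5, 6, 15 and 16.
POLICY = {
    "lockout_threshold": 3,                   # item 4: lock after 3 failed logons
    "max_password_age": timedelta(days=90),   # item 5: forced periodic change
    "history_depth": 5,                       # item 6: last 5 passwords cannot be reused
    "inactive_days": 180,                     # item 15: logically delete after 180 idle days
    "min_length": 8,                          # item 16: minimum 8 characters
}


def _hash(password: str, salt: bytes) -> bytes:
    # Item 2: one-way, salted PBKDF2, so the plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.users = {}  # user_id -> record

    def create_user(self, user_id, password, now):
        if user_id in self.users:                             # item 1: no duplicate IDs
            raise ValueError(f"user-ID {user_id!r} already exists")
        if len(password) < self.policy["min_length"]:        # item 16
            raise ValueError("password shorter than policy minimum")
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt, "hash": _hash(password, salt), "history": [],
            "failed": 0, "locked": False, "pw_set": now, "last_login": now,
            "deleted": False,
        }

    def authenticate(self, user_id, password, now):
        """Return 'ok', 'change_password', 'locked' or 'denied'."""
        u = self.users.get(user_id)
        if u is None or u["deleted"]:
            return "denied"
        if u["locked"]:
            return "locked"
        if not hmac.compare_digest(u["hash"], _hash(password, u["salt"])):
            u["failed"] += 1
            if u["failed"] >= self.policy["lockout_threshold"]:  # item 4
                u["locked"] = True
                return "locked"
            return "denied"
        u["failed"] = 0
        u["last_login"] = now
        if now - u["pw_set"] > self.policy["max_password_age"]:  # item 5
            return "change_password"
        return "ok"

    def change_password(self, user_id, new_password, now):
        u = self.users[user_id]
        if len(new_password) < self.policy["min_length"]:
            raise ValueError("password shorter than policy minimum")
        # Item 6: reject the current password and the retained history (each has its own salt).
        for salt, old_hash in [(u["salt"], u["hash"])] + u["history"]:
            if hmac.compare_digest(old_hash, _hash(new_password, salt)):
                raise ValueError("password reuse is not allowed")
        u["history"] = ([(u["salt"], u["hash"])] + u["history"])[: self.policy["history_depth"]]
        u["salt"] = os.urandom(16)
        u["hash"] = _hash(new_password, u["salt"])
        u["pw_set"] = now

    def delete_inactive(self, now):
        """Item 15: logical (flagged) deletion, so the item 10 report remains possible."""
        cutoff = now - timedelta(days=self.policy["inactive_days"])
        hit = [uid for uid, u in self.users.items()
               if not u["deleted"] and u["last_login"] < cutoff]
        for uid in hit:
            self.users[uid]["deleted"] = True
        return hit

    def deleted_report(self):
        """Item 10: report of logically deleted user-IDs."""
        return sorted(uid for uid, u in self.users.items() if u["deleted"])
```

An auditor can drive the same sequence against the application under review (three wrong passwords, a correct one after lockout, an attempt to reuse a previous password, a logon after the expiry interval) and compare the outcomes with those this reference produces.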
ii) Input Controls
1 Whether each transaction is recorded in such a way that it can be subsequently
established that it has been input (e.g. Transaction ID etc)?
2 Does the software have controls to ensure that all recorded transactions are:
a) input to the system and accepted once and only once;
b) reported if rejected?
3 Are there adequate procedures to investigate and correct differences or exceptions
identified?
4 If corrections are made to rectify differences, exceptions, duplicate transactions, missing
transactions and rejected items, are they approved (e.g., maker/ checker, exception
report etc.)?
5 Does the software have adequate controls to ensure that data have been accurately input (e.g. range checks, validity checks, control totals, etc.)?
6 Verify the controls that ensure compatibility of data when the same data are input in two or more modules and correlated.
7 Verify the consistency/concurrency of user inputs when two users are accessing the same record at the same time.
8 Verify the controls over system-generated transactions through user processes (e.g.
verification of outputs containing system generated transactions and authentication by
branch officials).
iii) Processing Controls
1 Does the software have adequate controls to ensure that all transactions input have updated the files?
2 Are there adequate procedures for investigation and correction of differences or
exceptions identified by the controls over update for completeness and accuracy?

3 List out the events that cause the transaction to be generated (e.g. input of a parameter
such as a date, attainment of a condition, etc.), the key data used as a basis for the
generation, and the programmed procedures that perform the generation. (e.g., in the
interest calculation process, generally, the user will run the interest run job and the
system will take the customer balances (key data) and apply interest rates (key data) and
debit/credit the interest. The program, which performs these activities, should be logically
sound so that no processing errors are introduced).

4 Where applicable, whether the key data is authorised by appropriate level of users and
kept secure?
5 For the programmed procedure that generates the data, if user controls are relied on to
check the accuracy of the generation process, are these controls adequate?

6 Are there adequate procedures to investigate and correct any differences or exceptions
identified by the controls over the completeness and accuracy of generation?

7 If the process has to be done only once, does the software ensure that the process is not
executed more than once?
8 Is there any day begin, day end process? If so, are these processes logically sound to carry
out the designed objectives completely and accurately?
9 Does the software ensure sequencing of processes? i.e., does the software ensure that
processes are not initiated out of sequence?
10 Whether the application is able to handle processing at peak times (e.g. is the application
capable of handling progressively increasing volumes)?
iv) Output Controls
1 Whether the format, contents, accuracy and utility of the reports generated by the system are adequate?
2 Is there any provision for generating an exception transactions statement from the system?
3 Whether outputs can be viewed/generated by users only on a need-to-know basis? In other words, check that outputs cannot be generated by all and sundry users in the system.
4 Whether the controls exercised by the users on the generation, distribution, authentication and preservation of computer outputs are adequate?
5 Whether the application keeps adequate controls over computer-generated outputs lying in the print queue/spool?
6 Does the output contain key control information necessary to validate the accuracy and
completeness of the information contained in the report such as last document reference,
period, etc.?
7 If the data has to be transferred from one process to another process, whether it is ensured that no manual intervention is possible and no unauthorised modification to data can be made?
v) Authentication Controls
1 If the data has to be transferred from one process to another process, verify that no manual intervention is possible and no unauthorised modification to data can be made.

2 Does the software prevent the same user from performing both the functions of entering
a transaction and verifying the same?
3 If transactions are authorised manually, are there controls to ensure that a) they are
properly authorised by an independent and responsible official and b) no unauthorised
alterations are made to authorised transactions?
4 Whether hash total is used to verify the continued integrity of data? Is the total of the
items on data file regularly reconciled to an independently established total (e.g.
agreement to a manual control account or computer agreement to a control record) on a
suitable timely basis to ensure that there is no tampering of data?

5 Verify whether the entire record after commit can be physically deleted (it should not be
allowed)?
6 If the software keeps record of security items, are there adequate controls to ensure the
complete and accurate recording of security items in the system?
7 Are the programmed procedures, which utilise the security items in the system, logically
sound so that there are no errors?
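The following is an added illustration, not part of the RBI checklist or of any bank's software: two of the authentication controls in section G(v) applied to a constructed transaction file, item 2 (the same user may not both enter and verify a transaction) and item 4 (a hash total over a non-financial field plus record count and financial total, reconciled against an independently kept control record so that tampering with, or loss of, a record is detected). The column names, transaction IDs, amounts, user names and the control record are constructed for the example.

```python
"""Added illustration, not part of the RBI checklist: maker/checker segregation
(item 2) and hash-total reconciliation (item 4) from section G(v), run over a
constructed transaction file. All names, IDs and amounts are constructed."""
import csv
import hashlib
import io
from decimal import Decimal

# Constructed extract of a transaction file: amount is the financial field,
# txn_id the non-financial field used for the hash total.
TRANSACTION_FILE = """\
txn_id,account,amount,maker,checker
1001,ACC-001,1500.00,clerk_a,officer_b
1002,ACC-002,-250.50,clerk_c,clerk_c
1003,ACC-003,980.25,clerk_d,officer_b
"""

# Constructed control record maintained outside the application (the
# "independently established total" of item 4, e.g. a manual control account).
CONTROL_RECORD = {"count": 3, "amount_total": Decimal("2229.75"), "hash_total": 3006}


def parse_transactions(text):
    """Parse the CSV extract into rows with typed amount and txn_id."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = Decimal(r["amount"])
        r["txn_id"] = int(r["txn_id"])
    return rows


def segregation_violations(rows):
    """Item 2: report transactions whose maker also acted as checker, or that
    were never checked at all."""
    return [r["txn_id"] for r in rows if not r["checker"] or r["maker"] == r["checker"]]


def control_totals(rows):
    """Item 4: record count, financial total, hash total of txn_id, and a SHA-256
    digest over the canonical rows (a whole-file hash total)."""
    canon = "\n".join(
        f'{r["txn_id"]}|{r["account"]}|{r["amount"]}|{r["maker"]}|{r["checker"]}' for r in rows)
    return {
        "count": len(rows),
        "amount_total": sum((r["amount"] for r in rows), Decimal("0")),
        "hash_total": sum(r["txn_id"] for r in rows),
        "digest": hashlib.sha256(canon.encode()).hexdigest(),
    }


def reconcile(rows, control):
    """Return the control fields that do not agree with the file (empty = in balance)."""
    totals = control_totals(rows)
    return [k for k in ("count", "amount_total", "hash_total") if totals[k] != control[k]]
```

Changing one amount disturbs only the financial total, while dropping a record disturbs all three totals; the digest additionally catches edits to non-summed fields such as the account or the checker, which the classical totals alone would miss.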

H. Database Controls
1 Whether the database is physically secure and free of any corruption?
2 Whether access to the database is restricted and permitted only to authorized personnel?
3 Whether the accuracy of the contents of the database is verified periodically?
4 Is the database technically verified periodically, in terms of storage space, performance tuning and backup?
5 Whether backups of the database are periodically retrieved and checked to be in order?
6 Physical Access protection:
a) Is there joint responsibility of the user department and the IT Department for
administration of mission critical databases?
b) Does the IT Department identify and segregate the hardware hosting these databases, and have these hardware resources been earmarked?
c) Does the IT Department have laid-down standards/conventions for database creation, storage, naming and archival?
d) Are users denied access to the database other than through the application?
e) Whether the use of triggers and large queries is monitored to prevent overloading of the database and consequent system failure?
f) Is direct query access to the database restricted to the concerned database administrators?
g) Are there controls on sessions per user, number of concurrent users etc?
h) Does the administrator maintain a list of batch jobs executed on each database,
severity of access of each batch job and timing of execution?
i) Is there a separate area earmarked for temporary queries created by power users or
database administrator based on specific user request?
j) Are database administrators rotated periodically?
k) In cases where customer data is provided to external service providers/ vendors does
the bank have confidentiality undertakings from these service providers/Vendors?

7 Integrity and accuracy:


a) Is there a standard set of database control reports designed in consultation with the user department for ensuring accuracy and integrity of the databases?
b) Are these reports run directly from the back end database periodically and the results
both positive and negative are communicated by the Administrators to Senior
Management Personnel?
c) Is there a system of periodic reconciliation between Sub databases and the GL
Database of the bank?
d) In cases where data is migrated from one system to another, has the user department verified, and is it satisfied with, the accuracy of the information migrated?
e) Are there entries directly made to the back end databases? If they are made under
exceptional circumstances, is there a system of written authorization?
f) If entries in the database are updated / deleted due to any exceptional circumstances
(e.g. during trouble shooting, etc.), are they approved in writing and recorded?

8 Administration & Housekeeping:


a) Does the System Administrator periodically review the list of users to the database? Is
the review documented?
b) Are inactive users deactivated?
c) Is there any backup schedule?
d) Are databases periodically restored from backup in a test environment and their accuracy checked against the live (physical) environment?
e) Are senior personnel from the user department involved in testing backup retrieval?

f) Is there periodic purging / archival of databases?


I. Network Management
1 Process related:
a) Is there an IS Policy document, which defines the minimum configuration for any
device/link on the bank’s network, including levels of encryption?
b) Are all platforms/links/devices in compliance with the guidelines? If not, has an
appropriate level of management reviewed the non -compliant parts of the network to
ensure that the risk levels are acceptable?
c) Wherever applicable, whether background and reference checks for both internal and
outsourced vendor staff who perform security-related functions for the product/service
under review are carried out?
d) Does the Bank have a Risk Acceptance process wherein all the identified risks are
documented and approved for any non-compliant issue that cannot be remedied and
where effective compensatory controls exist?
2 Authorization & security related:
a) Does the product/service authenticate (verify) the identity of users (or remote systems) prior to initiating a session or transaction? Have these authentication mechanisms been approved by the Bank's IT Department?
b) Does the Bank have a comprehensive password construction, implementation and
management policy?
c) Do the Products/Services utilizing biometrics authentication only use biometrics for
local authentication?
3 Access related:
a) Is the access to highly privileged IDs (e.g., system administration access) strictly
controlled, audited and limited in its use?
b) Does the product/service support the requirement to limit individual user sessions to a
maximum of X minutes of inactivity using either session time out or a password protected
screen saver?
c) Does the product/service support the ability to disable external customer user IDs after X months of inactivity and delete them after Y months of inactivity unless they are extended through the explicit written approval of the business?
d) For any products/services which have been outsourced, is there a process in place to ensure that all platforms, services and applications are configured to meet the Bank's Information Security Standards?
e) Does the product/service display the (A) date and time of last successful login and (B)
the number of unsuccessful login attempts since the last successful login?
f) Does the product/service support a periodic process to ensure that all user IDs for
employees, consultants, agents, or vendors are disabled after X days and deleted after Y
days from the day they were not used unless explicitly approved by the business?

g) Whether the IT department has standardised the list of restricted websites?
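The following is an added illustration, not part of the RBI checklist or of any bank's product: detection logic for items (b), (e) and (f) of section I.3, computing from an authentication log each ID's last successful login and the number of failed attempts since it, and classifying IDs against the inactivity thresholds X (disable) and Y (delete). The log format, user names, addresses, dates and the values chosen for X and Y are constructed for the example; the checklist leaves X and Y to the bank's own policy.

```python
"""Added illustration, not part of the RBI checklist: last-successful-login and
failed-attempt reporting (item e) and inactivity lifecycle classification
(items b and f) of section I.3, over a constructed authentication log. Log
format, names, addresses, dates and the X/Y thresholds are constructed."""
from datetime import datetime

# Constructed thresholds: the checklist leaves X and Y to the bank's policy.
DISABLE_AFTER_DAYS = 90   # X: disable an ID idle for this long
DELETE_AFTER_DAYS = 180   # Y: delete an ID idle for this long

# Constructed sample of an application authentication log, one event per line.
SAMPLE_LOG = """\
2024-01-05T09:01:10 user=ravi result=SUCCESS src=10.1.4.21
2024-01-06T09:00:02 user=ravi result=FAILURE src=10.1.4.21
2024-01-06T09:00:40 user=ravi result=FAILURE src=10.1.4.21
2024-01-06T09:01:15 user=ravi result=SUCCESS src=10.1.4.21
2024-01-06T18:30:00 user=ravi result=FAILURE src=10.1.9.7
2023-09-01T08:15:00 user=vendor_x result=SUCCESS src=192.168.50.4
2023-06-20T08:15:00 user=consult_y result=SUCCESS src=192.168.50.9
not a log line
"""


def parse_log(text):
    """Yield (timestamp, user, result) from key=value lines; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "user" in fields and "result" in fields:
            yield ts, fields["user"], fields["result"]


def login_summary(text):
    """Item (e): per user, the last successful login and the failed attempts
    since it, which is what the product should display at the next logon."""
    summary = {}
    for ts, user, result in sorted(parse_log(text)):
        s = summary.setdefault(user, {"last_success": None, "failed_since": 0})
        if result == "SUCCESS":
            s["last_success"], s["failed_since"] = ts, 0
        else:
            s["failed_since"] += 1
    return summary


def lifecycle_actions(summary, now):
    """Items (b)/(f): classify each ID as 'active', 'disable', 'delete', or
    'review' when no successful login is on record at all."""
    actions = {}
    for user, s in summary.items():
        if s["last_success"] is None:
            actions[user] = "review"
            continue
        idle_days = (now - s["last_success"]).days
        if idle_days >= DELETE_AFTER_DAYS:
            actions[user] = "delete"
        elif idle_days >= DISABLE_AFTER_DAYS:
            actions[user] = "disable"
        else:
            actions[user] = "active"
    return actions
```

Run periodically over the product's real authentication log, the output of `lifecycle_actions` is the worklist the periodic process of item (f) should have acted on; any ID still enabled that the script classes as 'disable' or 'delete', and has no written business approval, is an audit finding.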


4 Network Information security:
a) Have the Network data monitoring tools (e.g., sniffers, datascopes, and probes) utilized
by the product/service been approved by the Bank’s IT Department?
b) Is the approved Legal Affairs banner being displayed at all entry points where an
internal user logs into the product/service?
c) Have the remote control products used in a dial in environment been approved by the
IT Department explicitly?
d) Is it ensured that only software (applications / operating systems etc.) supported by its vendors is used? (Unsupported software could be vulnerable to attacks, since the vendors would not release the relevant patches.)
e) Is the anti-virus software configured to check for viruses even on the pen drive / CD-ROM drive?
f) Whether the antivirus is working effectively on the server and is periodically updated?
5 E mail/ Voice mail related:
a) Is there a policy that covers e-mail & voice mail transmission of data?
b) Whether there are procedures, which require that all the incoming e-mail messages be
scanned for virus to prevent virus infection to the Bank’s network?

c) Whether all e-mails are identified with a user’s name or e-mail ID to facilitate tracking?
Whether e-mail ID allotted to a user is prevented from being used by another user?

d) Whether there are procedures to ensure that users do not send confidential or
sensitive information via e-mail? Whether the information transmitted through e-mail is
encrypted?
e) Whether all e-mails sent and received by employees via the Bank's network are treated as the Bank's records? Is there a procedure to monitor them?
6 PC Security related:
a) Do the LAN servers, mail servers and microcomputers have IT Department approved anti-virus products installed?
b) Are all product/service specific PCs secured against removal and theft commensurate
with the value of the computer and information it holds along with a process to report
any thefts to the IT Department?
c) Are all PCs holding sensitive information protected with a power-on password to prevent unauthorised access?
7 Audit Trails:
a) Do financial transactions, as well as additions, changes and deletions to client demographic data/important statistics, get recorded in the product/service audit trail?

b) Does the audit trail for the product/service record all identification and authentication processes? Also, is there a retention period for the audit trails?
c) Is there a process to log and review all actions performed by systems operators, systems managers, system engineers, system administrators, security administrators and highly privileged IDs?
8 Information storage and retrieval:
a) Have all the media (files/pen drives/disks etc.) under the control of the product/service owner been marked with their classification and securely stored, with access restricted to authorized personnel only?
b) Is there a procedure in place that enforces and maintains a clean desk program, which
secures all critical information from unauthorized access?
9 Penetration testing:
a) Is it ensured that products/services that use the Internet for connectivity or
communications have undergone a successful penetration test prior to production
implementation?

b) Is there an intrusion detection system in place for all the external IP connections?

J. Maintenance
1 Backup and Recovery:
a) Whether the latest backup copy of the software (operating system, RDBMS, application, etc.) is taken and preserved at the user site?
b) Whether different types of data backup are taken periodically at specified intervals as
advised by the software developer / vendor?
c) Are there proper records noting the media on which different data backups are stored, the data type, the location where it is stored, the date of backup, the due date for recycling, etc.?

d) Is one copy of data backup kept in an offsite location with proper records?
e) Does the database / system administrator at the user site carry out restoration testing
of these backups periodically? Is it recorded and authenticated?
f) Is there an archival policy, and is data housekeeping carried out as per this policy?
2 Hardware Maintenance:
a) Is there any Service Level Agreement between the hardware vendor and the IT Department?
b) Is the AMC with the vendor for maintenance of hardware equipment active and currently in force?
c) Does the user site have the names and photographs of the service personnel and are
they identified by the users before allowing them to handle the hardware?
d) Verify whether the hardware inventory is maintained at the user site. Ensure that the physical stock of hardware items matches the hardware inventory.
e) Whether the hardware maintenance register is maintained, with full details such as
nature of trouble, date and time of reporting, name of the vendor, Engineer’s name, date
etc?
f) In case hardware is taken by the vendors for servicing/repair, does the user site ensure that the equipment does not contain sensitive live data?
3 Training related:
a) Whether the Users are given adequate training on the application systems
functionalities?
b) Whether the Technical persons are given adequate training in the technical details of
the application system, to provide necessary trouble shooting / help to users?
c) Whether the users are aware of the steps to be carried out in case of contingency due to non-availability of systems?
