IT Audit Report On Core Banking System in BDBL

This audit report summarizes the findings of an IT audit conducted by the Royal Audit Authority (RAA) on the core banking system (CBS) of Bhutan Development Bank Limited (BDBL) covering the period from April 2017 to September 2018. Some key findings include: 1) The migration to the Finacle CBS was effective in achieving the organization's goals of improving efficiency, however some data was not accurately or completely migrated. 2) While most compliance requirements were met, some requirements were not strictly complied with. 3) Some IT controls in the Finacle CBS need strengthening to ensure security, availability and integrity of data. The report provides recommendations for BDBL to incorporate field receipt management into

རྒྱལ་གཞུང་རྩིས་ཞྩིབ་དབང་འཛིན།

ROYAL AUDIT AUTHORITY

IT Audit Report on Core Banking System in BDBL

April 2019

Reporting on Economy, Efficiency & Effectiveness in the use of Public Resources


DISCLAIMER NOTE

The audit was conducted in accordance with the International Standards of Supreme
Audit Institutions (ISSAIs). The review was confined to Finacle Core Banking Solution in
Bhutan Development Bank Limited. The audit was based on the audit objectives and
criteria determined in the audit plan and programme prepared by the Royal Audit Authority
and the findings are based on the information and data made available by the Bhutan
Development Bank Limited.

This is also to certify that the auditors during the audit had neither yielded to pressure,
nor dispensed any favour or resorted to any unethical means that would be considered
as violation of the Royal Audit Authority’s Oath of Good Conduct, Ethics and Secrecy.
ROYAL AUDIT AUTHORITY
Bhutan Integrity House

RAA/TAD/BDBL(ITA-CBS)/2018-19/882 Date: 5/4/19

The Chief Executive Officer
Bhutan Development Bank Limited
Thimphu

Subject: IT Audit Report on Core Banking System of BDBL


Sir,

Enclosed herewith please find the IT Audit Report on ‘Core Banking System of BDBL’
covering the period 01 April 2017 to 30 September 2018. The Royal Audit Authority (RAA)
conducted the audit in line with the mandates enshrined in the Constitution of the Kingdom of
Bhutan and the Audit Act of Bhutan 2018. The audit was conducted in accordance with the RAA’s
Performance Audit Guidelines, which are consistent with the International Standards of
Supreme Audit Institutions on performance auditing (ISSAI 3000).
The objectives of the audit were to assess the effectiveness of system migration in achieving
the organisation goals including accuracy and completeness of data migration, effective
incorporation of compliance requirements, and adequacy and effectiveness of IT controls in
Finacle CBS.
The report has been prepared based on the review of available documents, analysis of data, and
discussion with relevant officials of the BDBL. The report contains positive initiatives,
shortcomings and deficiencies as well as recommendations aimed at improving the system.
The draft report was issued on 07 February 2019 to the BDBL for factual confirmation,
comments and feedback. Responses received have been incorporated as well as provided in
the report as Annexure 1.
In line with the directives of the Parliament, the RAA has instituted a system to fix
accountability on the officials responsible for implementing the recommendations provided in
Performance Audit Reports. Therefore, we would request the BDBL officials responsible for the
implementation of each recommendation to submit a duly completed and signed Management
Action Plan and Accountability Statement (attached) to the RAA. In the event of
non-submission of the same, the RAA shall fix the responsibility for implementation of the
recommendations on the Head of the Agency.
The RAA will follow up implementation of the recommendations based on the Management
Action Plan and Accountability Statement. Failure to comply will result in taking appropriate
actions, which may include suspending audit clearances to the accountable official(s).
The RAA would therefore appreciate receiving a Management Action Plan Report for
implementation of audit recommendations with definite timeframe on or before 14 July
2019 along with the signed Accountability Statement.
We take this opportunity to acknowledge the officials of BDBL for rendering the necessary
co-operation and support which facilitated timely completion of the audit.

Copy to:
1. Hon’ble Lyonchhen, Royal Government of Bhutan, Thimphu;
2. Hon’ble Gyalpoi Zimpon, Office of Gyalpoi Zimpon, Thimphu;
3. Hon’ble Speaker, National Assembly of Bhutan, Thimphu;
4. Hon’ble Chairperson, National Council of Bhutan, Thimphu;
5. Hon’ble Opposition Leader, National Assembly of Bhutan, Thimphu;
6. Hon’ble Chairperson, Public Accounts Committee, National Assembly of Bhutan,
Thimphu (enclosed five copies);
7. General Manager, Information Technology Department, BDBL;
8. Assistant Auditor General, Follow-up and Clearance Division, RAA;
9. Assistant Auditor General, Policy, Planning and Annual Audit Report Division,
RAA;
10. Office copy; and
11. Guard file.

“Every individual must strive to be principled. And individuals in positions of responsibility must even strive harder.”
- His Majesty the King Jigme Khesar Namgyel Wangchuck

P.O. Box: 191 | Kawangjangsa | Thimphu | Bhutan |Tel: +975-2-322111/328729/328730/324961 | Fax: +975-2-323491
Website: www.bhutanaudit.gov.bt | Email: [email protected] and [email protected]
MANAGEMENT ACTION PLAN REPORT

| Audit Recon. No. | Recommendation in brief | Action Taken or To be Taken | Estimated Implementation Date | Estimated Completion Date | Responsibility Entrusted to: Name & EID No. | Designation |
|---|---|---|---|---|---|---|
| 4.1 | Field receipts management should be incorporated in Finacle CBS | | | | | |
| 4.2 | BDBL should institute robust IT controls in Finacle CBS | | | | | |
| 4.3 | BDBL should meet and comply strictly with all the compliance requirements | | | | | |
| 4.4 | BDBL should establish problem management mechanisms | | | | | |
ACCOUNTABILITY STATEMENT
IT AUDIT ON CORE BANKING SYSTEM OF BDBL

| No. | Recommendations | Personal Accountability: Name & EID No. | Desig. | Supervisory Accountability: Name & EID No. | Desig. |
|---|---|---|---|---|---|
| 4.1 | Field receipts management should be incorporated in Finacle CBS | | | | |
| 4.2 | BDBL should institute robust IT controls in Finacle CBS | | | | |
| 4.3 | BDBL should meet and comply strictly with all the compliance requirements | | | | |
| 4.4 | BDBL should establish problem management mechanisms | | | | |

(s/d)

CEO, BDBL
TITLE SHEET

1. Title of the Report : IT Audit on Core Banking Solution in BDBL
2. AIN : 15742
3. Audited Entity : Bhutan Development Bank Limited
4. Audit Period : April 2017 to September 2018
5. Audit Schedule : 27 September 2018 to 10 December 2018
6. Audit Team : 1. Kinley Zam, 200801105, Sr. Audit Officer
                 2. Tashi, 20130101140, Audit Officer
                 3. Leki Seldon, 20170709430, Auditor II
7. Advisor : Sonam Delma, 200301048, Asstt. Auditor General
8. Supervisor : Sonam Wangmo, 200401104, Asstt. Auditor General
9. Overall Supervisor : Chimi Dorji, 9610060, Deputy Auditor General
ACRONYMS AND ABBREVIATIONS

AIN Audit Identification Number
BCP Business Continuity Plan
BDBL Bhutan Development Bank Limited
CASA Current Account & Savings Account
CBS Core Banking Solution
CIF Customer Information File
DC Data Centre
DR Site Disaster Recovery Site
DRP Disaster Recovery Plan
FD Fixed Deposit
FOB Farmers Outreach Banking
GL General Ledger
IT Information Technology
NPL Non-Performing Loan
OD Overdraft Account
PAR Portfolio At Risk
PSO Product Service Officer
RAA Royal Audit Authority
RD Recurring Deposit
TABLE OF CONTENTS

EXECUTIVE SUMMARY .... 1
Chapter 1: About the Audit .... 3
1.1. Mandate .... 3
1.2. Audit Standards .... 3
1.3. Audit Objectives .... 3
1.4. Audit Approach .... 3
1.5. Audit Scope .... 3
1.6. Audit Methodology .... 4
Chapter 2: Introduction .... 5
2.1. Background on BDBL .... 5
2.2. Core Banking Solution in BDBL .... 6
Chapter 3: Findings .... 8
Part 1: Initiatives and Positive Developments .... 8
Part 2: Shortcomings and deficiencies .... 8
3.2.1 System Migration .... 8
3.2.1.1. Inadequate control over system migration .... 8
3.2.1.2. Field receipt management was not fully supported in Finacle CBS .... 11
3.2.2 IT Controls .... 13
3.2.2.1. Non-enforcement of draft IT policies .... 13
3.2.2.2. Procedural lapses in creating user accounts .... 14
3.2.2.3. Inadequacies in user account management .... 16
3.2.2.4. Access privileges given not as per the roles and responsibilities .... 18
3.2.2.5. Delay in deactivation of user accounts of former employees .... 20
3.2.2.6. Loan payoff amount in two screens are different .... 21
3.2.2.7. Incorrect report generation by Finacle CBS .... 24
a. Unreconciled difference in trial balance generated by Finacle CBS .... 24
b. NPL reports were not generated for five months after migration .... 25
c. Incorrect generation of Product Service Officer-wise Portfolio At Risk report .... 26
d. Accounts with zero balance reflected in Non-Performing Loan report .... 27
3.2.2.8. Wrong master data mapping in the system .... 27
3.2.2.9. Non-review of audit logs and trails .... 28
3.2.3 Compliance Requirements .... 29
3.2.3.1. Non-incorporation of RMA and BDBL requirements .... 29
a. Interest rates not applied as per prescribed rates .... 29
b. Non-compliance to maximum loan term period .... 31
c. Variation in scheme parameter of maximum loan amount .... 33
d. Inconsistencies in maximum age set as scheme parameter .... 35
3.2.4 Disorganised IT helpdesk and problem management .... 37
3.2.5 Inadequate training and knowledge transfer .... 38
Chapter 4: Recommendations .... 40
4.1. Field receipt management should be incorporated in Finacle CBS .... 40
4.2. BDBL should institute robust IT controls in Finacle CBS .... 40
4.3. BDBL should meet and comply strictly with all the compliance requirements .... 41
4.4. BDBL should establish problem management mechanisms .... 41
Chapter 5: Conclusion .... 42
IT Audit of CBS in BDBL

EXECUTIVE SUMMARY
The Royal Audit Authority (RAA) conducted the “IT Audit on Core Banking Solution in
Bhutan Development Bank Limited” as mandated by the Constitution of the Kingdom of
Bhutan and Audit Act of Bhutan 2018. The audit was conducted following Performance Audit
Guidelines, which is in line with the International Standards of Supreme Audit Institutions
(ISSAI 3000).
The objectives of the audit were to assess the effectiveness of system migration in achieving
the organisation goals including accuracy and completeness of data migration, effective
incorporation of compliance requirements, adequacy and effectiveness of IT controls in Finacle
CBS.
With the increased use of IT in Banks and with the aim to bring operational efficiencies,
transform as a bank, and overcome the limitations of the legacy system, the Bhutan
Development Bank Ltd. (BDBL) in 2017 implemented Finacle Core Banking Solution (CBS)
with a “big-bang” implementation strategy. BDBL has the mandate to provide financial
services to enhance rural prosperity, alleviate poverty, and bring in socio-economic
development.
Recognising the role of BDBL to accelerate socio-economic development in the country and
understanding the criticality of Finacle CBS in this, the Royal Audit Authority decided to carry
out the IT audit of CBS in BDBL covering the period 01.04.2017 to 30.09.2018.
During the course of audit, the RAA found positive accomplishments, which included
anywhere and anytime banking to its customers through integration of all delivery channels
(ATMs, Internet, SMS, Mobile banking), gaining more control over data thereby enhancing
service delivery to customers. Besides, positive initiatives included commitment of the top
management towards the implementation of Finacle CBS, formation of CBS functional team
comprising of officials from IT and business, establishing the Disaster Recovery (DR) site and
conducting DR drills.
Apart from positive achievements, the RAA also observed deficiencies and shortcomings that
are summarised below:
i) There was no defined and approved system migration methodology to serve as a blueprint
for system migration from ABS to Finacle CBS.
ii) Field receipts management for Farmers Outreach Banking (FOB) was found not fully
supported in Finacle CBS.
iii) Draft IT policies were found not enforced.
iv) Weaknesses in user account and access management led to 10 employees having
more than one user account, 15 generic or unidentifiable user accounts, and 18 instances of
access rights being wrongly assigned. Moreover, the access rights of former employees
were not deactivated in the system.
v) Loan payoff amounts were not the same in the loan register and loan payoff menu screens
of Finacle CBS.
vi) The reports generated by Finacle CBS were incorrect, with cases such as unreconciled
differences in the trial balance and wrong information reflected in portfolio at risk
reports and non-performing loan reports.
vii) There were non-compliances with RMA’s compliance requirements and BDBL’s
prescribed manuals and notifications while providing loan services.
viii) Proper problem management was not established; as a result, the root causes of system
problems were not identified and permanent solutions were not applied.
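As an illustration of the user account and access-rights review underlying finding iv), the following Python script is added here; it is not code from the RAA’s audit working papers or from BDBL’s Finacle CBS. The user export, HR roster and role matrix are constructed sample data, and their field names (user id, employee id, status, work classes, separation date) are assumptions rather than Finacle’s actual user schema.

```python
"""User account and access-rights review over a constructed user export.

Added illustration, not part of the RAA report. HR_ROSTER, ROLE_MATRIX and USERS
are constructed sample data; their field names are assumptions, not Finacle's schema.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: employee id -> (designation, separation date or None).
HR_ROSTER = {
    "E100": ("Teller", None),
    "E101": ("Branch Manager", None),
    "E102": ("Credit Officer", None),
    "E103": ("Teller", date(2018, 3, 31)),   # separated before the review date
}

# Assumed approved role matrix: designation -> set of permitted work classes.
ROLE_MATRIX = {
    "Teller": {"CASH_TXN"},
    "Branch Manager": {"CASH_TXN", "TXN_VERIFY", "LOAN_APPROVE"},
    "Credit Officer": {"LOAN_CREATE"},
}

# Constructed system user export: (user_id, employee_id, status, work_classes).
USERS = [
    ("U001", "E100", "ACTIVE", {"CASH_TXN"}),
    ("U002", "E100", "ACTIVE", {"CASH_TXN"}),                     # second account, same employee
    ("U003", "E101", "ACTIVE", {"CASH_TXN", "TXN_VERIFY", "LOAN_APPROVE"}),
    ("U004", "E102", "ACTIVE", {"LOAN_CREATE", "LOAN_APPROVE"}),  # approve right not in role
    ("U005", "E103", "ACTIVE", {"CASH_TXN"}),                     # former employee still active
    ("BRTEST", "", "ACTIVE", {"CASH_TXN"}),                       # generic account, no employee id
]

# Review date: the end of the audit period.
REVIEW_DATE = date(2018, 9, 30)


def review_accounts(users, roster, matrix, review_date):
    """Return the four categories of account-management weakness named in the audit.

    - multiple_accounts: employee id -> list of user ids, where more than one exists
    - generic: user ids with no employee id, or one not found in the HR roster
    - former_employee_active: active user ids of employees separated on/before review_date
    - excess_rights: (user id, work classes not permitted for the employee's designation)
    """
    by_employee = defaultdict(list)
    findings = {"multiple_accounts": {}, "generic": [],
                "former_employee_active": [], "excess_rights": []}
    for user_id, emp_id, status, classes in users:
        if not emp_id or emp_id not in roster:
            findings["generic"].append(user_id)
            continue
        by_employee[emp_id].append(user_id)
        designation, separated = roster[emp_id]
        if separated is not None and separated <= review_date and status == "ACTIVE":
            findings["former_employee_active"].append(user_id)
        excess = classes - matrix.get(designation, set())
        if excess:
            findings["excess_rights"].append((user_id, sorted(excess)))
    findings["multiple_accounts"] = {e: ids for e, ids in by_employee.items() if len(ids) > 1}
    return findings


def summary_counts(findings):
    """Counts in the form used in the audit summary (employees, accounts, instances)."""
    return {
        "employees_with_multiple_accounts": len(findings["multiple_accounts"]),
        "generic_accounts": len(findings["generic"]),
        "former_employees_active": len(findings["former_employee_active"]),
        "wrongly_assigned_rights": sum(len(x) for _, x in findings["excess_rights"]),
    }


if __name__ == "__main__":
    result = review_accounts(USERS, HR_ROSTER, ROLE_MATRIX, REVIEW_DATE)
    print(result)
    print(summary_counts(result))
```

Run stand-alone, the script prints the findings and their counts. The former-employee test is driven by the separation date in the HR roster rather than by the account status alone, which is the comparison a reviewer needs in order to catch accounts that were never deactivated, and the excess-rights test compares each account against the approved role matrix rather than against what the account holder currently does.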
These lapses were largely caused by inadequate control over system migration. Inadequate
and ineffective IT controls are the main cause of the incorrect information generated by Finacle
CBS. Weaknesses in supervisory control also seem to be one of the causes of non-compliance
with RMA requirements.
Consequently, these lapses have impacted the bank financially and might do so even in the future.
Therefore, the BDBL should seriously address these lapses and root causes in order to render
the system effective and credible. To address these lapses, the RAA has provided four
recommendations as follows:
a) incorporate field receipts management in Finacle CBS,
b) institute robust IT controls in Finacle CBS,
c) comply strictly with compliance requirements,
d) establish problem management mechanisms.
While the RAA appreciates the prompt and immediate corrective actions taken by BDBL based
on the draft report, the RAA hopes that BDBL will make further improvements to the system,
and design and implement IT controls and mechanisms for efficient and effective business
operations. The BDBL should effectively enforce the Finacle SOP 2018 and ICT Security
Policy 2018 to ensure that the audit findings and the recommendations are addressed as assured.

CHAPTER 1: ABOUT THE AUDIT

1.1. Mandate
The Royal Audit Authority (RAA) conducted the “IT Audit on Core Banking Solution in
Bhutan Development Bank Limited” as mandated by Article 25 of the Constitution of the
Kingdom of Bhutan to audit and report on the economy, efficiency, and effectiveness in the
use of public resources.
Further, Chapter 5, Section 69 of the Audit Act of Bhutan 2018 stipulates, “The Authority shall
carry out performance, financial, compliance, special audits and any other form of audits that
the Auditor General may consider appropriate.”

1.2. Audit Standards


The RAA conducted this audit in accordance with the International Standards of Supreme
Audit Institutions on performance auditing (ISSAI 3000). The RAA followed the audit procedures
prescribed under the RAA’s Performance Audit Guidelines and IT Audit Manual to maintain
uniformity and consistency of approach in auditing.

1.3. Audit Objectives


The audit objectives were:
1. To determine the effectiveness of system migration in achieving the organisation goals
including accuracy and completeness of data migration;
2. To assess the effective incorporation of compliance requirements;
3. To ascertain the adequacy and effectiveness of IT controls in Finacle Core Banking
System (CBS).

1.4. Audit Approach


Since the BDBL implemented the Finacle CBS in pursuit of the Bank’s vision of being a
customer-focused bank, the audit used a result-based approach. Through the result-based
audit approach, the RAA drew an objective tree to derive audit questions, and the audit focused
on assessing the efficiency and effectiveness of the Finacle CBS.

1.5. Audit Scope


The IT audit of Finacle CBS covered the period from 01 April 2017 to 30 September 2018 in
BDBL.
The audit examined the CBS implemented by BDBL and business processes surrounding the
CBS. The audit covered general IT and application controls related to the system including
operations, business continuity & disaster recovery, and compliance to laws and regulations
governing BDBL. Additionally, recognising the risks involved in system migration, the audit
also covered the data migration from ABS to Finacle CBS.

1.6. Audit Methodology


The RAA applied the following methodologies to gather information, analyse data and derive
conclusions.
i. Examined legislation, rules and regulations, and policies governing Financial Institutions;
ii. Studied the Banking Manual and Credit Manual of BDBL;
iii. Conducted a background study on CBS and its workings, and on Finacle CBS;
iv. Reviewed system documents and any other documents related to Finacle CBS;
v. Studied the limitations of the Ascend Banking System, the system used by BDBL prior to
the implementation of Finacle CBS;
vi. Drew process-flow diagrams for processes such as creating users, opening bank
accounts, and processing loans;
vii. Held several rounds of discussion with the project team involved in the implementation
of Finacle CBS;
viii. Conducted a walkthrough of the system to observe and understand the activities
performed in Finacle CBS and to assess the adequacy of the rules, regulations and
policies incorporated in Finacle CBS;
ix. Test checked and examined the IT controls implemented in the Finacle CBS;
x. Analysed data in Finacle CBS using IDEA¹ to determine the integrity and accuracy of
data, to assess the correctness of interest calculation, and to ascertain the reliability of
the reports generated;
xi. Visited the regional office of Gelephu and the branch offices of Gelephu, Phuentsholing,
and Thimphu, and conducted interviews to collect information on their understanding
of Finacle CBS and awareness of BDBL’s policies;
xii. Performed analysis of user access levels of different officials;
xiii. Visited the Disaster Recovery site in Phuentsholing and the Data Centre in Thimphu to
determine the level of physical and environmental security controls implemented at
these sites;
xiv. Carried out comparative analysis of ABS data against data in Finacle CBS to ascertain
the accuracy and completeness of data migration; and
xv. Selectively reviewed hard copy documents relating to transactions in the system to check
the authenticity of the transactions in the system.

¹ Interactive Data Extraction and Analysis (IDEA) is an auditing tool used by the RAA for data analysis
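To illustrate the comparative analysis of legacy against migrated data described in item xiv (and the integrity and accuracy checks in item x), the following Python script is added here; it is neither the RAA’s IDEA analysis nor code from BDBL or the Finacle vendor. The two CSV extracts are constructed sample data, and their column names (account_id, customer_id, product, balance, status) are assumptions rather than the ABS or Finacle schema.

```python
"""Data migration reconciliation: legacy (ABS) extract against target (Finacle) extract.

Added illustration, not the RAA's working papers. ABS_EXTRACT and FINACLE_EXTRACT are
constructed sample data; the column names are assumptions, not the real schemas.
"""
import csv
import io
from decimal import Decimal

# Constructed legacy (ABS) extract: one row per account.
ABS_EXTRACT = """account_id,customer_id,product,balance,status
1001,C-01,SAVINGS,15000.00,ACTIVE
1002,C-02,TERM_LOAN,250000.00,ACTIVE
1003,C-03,SAVINGS,0.00,CLOSED
1004,C-04,RD,4200.50,ACTIVE
1005,C-05,OD,-12000.00,ACTIVE
"""

# Constructed target (Finacle) extract after migration, with three deliberate defects:
# account 1003 was dropped, the balance of 1004 changed, and 1006 appears without a source row.
FINACLE_EXTRACT = """account_id,customer_id,product,balance,status
1001,C-01,SAVINGS,15000.00,ACTIVE
1002,C-02,TERM_LOAN,250000.00,ACTIVE
1004,C-04,RD,4200.00,ACTIVE
1005,C-05,OD,-12000.00,ACTIVE
1006,C-06,SAVINGS,800.00,ACTIVE
"""

KEY = "account_id"
COMPARED_FIELDS = ("customer_id", "product", "balance", "status")


def load_extract(text):
    """Parse a CSV extract into {account_id: row}, with balances as exact Decimals.

    A duplicate key in one extract is itself an integrity defect, so it is rejected here.
    """
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["balance"] = Decimal(row["balance"])
        if row[KEY] in rows:
            raise ValueError(f"duplicate key {row[KEY]} in extract")
        rows[row[KEY]] = row
    return rows


def reconcile(source, target):
    """Compare two keyed extracts and return the reconciliation findings.

    Completeness: every source key must exist in the target, and nothing extra may appear.
    Accuracy: the compared fields must match for keys present on both sides.
    Control totals: record counts and summed balances, the auditor's first, coarse check;
    they are reported separately because equal counts can hide offsetting row-level errors.
    """
    src_keys, tgt_keys = set(source), set(target)
    missing = sorted(src_keys - tgt_keys)
    unexpected = sorted(tgt_keys - src_keys)
    mismatches = []
    for key in sorted(src_keys & tgt_keys):
        for field in COMPARED_FIELDS:
            if source[key][field] != target[key][field]:
                mismatches.append((key, field, source[key][field], target[key][field]))
    control = {
        "source_count": len(source),
        "target_count": len(target),
        "source_balance": sum(r["balance"] for r in source.values()),
        "target_balance": sum(r["balance"] for r in target.values()),
    }
    return {"missing": missing, "unexpected": unexpected,
            "mismatches": mismatches, "control": control}


def migration_is_clean(findings):
    """True only when the row-level completeness and accuracy checks all pass."""
    return not (findings["missing"] or findings["unexpected"] or findings["mismatches"])


if __name__ == "__main__":
    result = reconcile(load_extract(ABS_EXTRACT), load_extract(FINACLE_EXTRACT))
    for name in ("missing", "unexpected", "mismatches", "control"):
        print(name, result[name])
    print("clean:", migration_is_clean(result))
```

In the constructed data the record counts agree (five rows on each side) while the summed balances and the row-level comparison do not, which is why a count-only sign-off is not sufficient evidence of a complete and accurate migration; the row-level diff is what identifies the dropped account, the altered balance and the unexplained new account.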

CHAPTER 2: INTRODUCTION
The banking sector in Bhutan has come a long way. As recently as the early 2000s, the traditional
model for growth was through branch banking along with the computerization and
automation of individual bank branches. Similarly, the Bhutan Development Bank Ltd.
(BDBL) had automated its branches through the implementation of the Ascend Banking System
(ABS) in 2007.
With a huge mandate to provide financial services to enhance rural prosperity, alleviate poverty,
and bring in socio-economic development, and the Bank’s vision to become a customer-focused
Bank, it is imperative for BDBL to enhance productivity, increase efficiency, and reduce
operational costs. In order to achieve these goals and overcome the limitations of ABS, the
BDBL in 2017 implemented Finacle Core Banking Solution² (CBS), a centralised system
linking all the branches together for efficient and effective financial service delivery.
As Finacle CBS stores customers’ banking information, it is important that BDBL protect this
information from unauthorized disclosure, errors, manipulation, loss, and other irregularities.
In order to achieve this, the BDBL should embed robust IT controls and compliance
requirements in the system.
Therefore, recognising the role of BDBL in accelerating socio-economic development in the
country and understanding the criticality of Finacle CBS in this, the Royal Audit Authority
decided to carry out the IT audit of the Core Banking Solution in BDBL. The audit particularly
emphasised the effectiveness of system migration in achieving organisation goals, data
migration, incorporation of compliance requirements, and effectiveness of IT controls in
Finacle CBS.

2.1. Background on BDBL


Bhutan Development Bank Limited was established by Royal Charter on 31 January 1988, with
the assistance of the Asian Development Bank (ADB), to function as a development finance
institution (DFI). In 2010, the bank obtained a license enabling BDBL to function as a domestic
development bank with cheque facilities. The Royal Government of Bhutan (RGoB) owns 96%
of the paid-up share capital.
The Head Office is located in Thimphu with three Regional Offices in Paro (western region),
Gelephu (central region) and Trashigang (eastern region). The Bank has 35 branches
nationwide with 24 Gewog field offices and around 200 community centres. This is depicted
in Figure 1.
Figure 1: Organizational Structure (Head Office in Thimphu; 3 Regional Offices; 35 Branches; 24 Gewog Field Offices; 200 Community Centres)

² A Core Banking Solution (CBS) is networking of branches, enabling customers to operate their accounts and
avail banking services from any branch, enhancing customer convenience through anywhere and anytime
banking.

The services offered by the Bank are banking services and credit products, and the details of
the services are given in Figure 2.
Figure 2: Services offered by the bank
• Banking Services: Corporate Banking; Retail Banking Products; Remittances; Value Added Services
• Credit Products: 34 different kinds of Loans

The mandates of BDBL are the following:
• Provide micro, small and medium financial services for the development and
modernization of agricultural, commercial and industrial enterprises in the country;
• Enhance the income of the people, thereby improving the standard of living, through the
provision of financial services;
• Provide financial services for private sector development;
• Alleviate poverty;
• Provide technical and advisory services to the enterprises;
• Mobilize external and internal funds for investments.

2.2. Core Banking Solution in BDBL


Since 2007, the BDBL had been using the Ascend Banking System (ABS), from Southtech
Limited, Dhaka, Bangladesh, which supports both its banking and microfinance services. Apart
from Accounting/GL, ABS integrated the Current Account and Savings Account (CASA),
Deposit, Credit and Customer Information modules, a Micro-Finance Module for Group Lending,
a Transaction Switching Interface (TSI) module for ATM Service, and SMS and Internet Banking
Services.
However, ABS is designed on a distributed database architecture, which means that ABS has to
be installed on every workstation in the branches and each branch maintains its own
version of the system and data. This led to a host of problems and limitations as listed below:
i. It became cumbersome and inefficient for BDBL to consolidate data and obtain an overall
picture of the Bank’s operations at any point of time, which impeded decision-making.
ii. Each branch functions as a separate entity. For example, a customer opening an account
gets a customer ID valid in that branch only. If the same customer visits another branch and
opens an account there, he will get a new Customer ID of that branch, leading to multiple
customer IDs for the same customer in one bank. Thus, a 360° view of customer
information was not possible.
iii. There were inconsistent and inaccurate data.

iv. Updating ABS in all the workstations of 35 Branches and 12 extension offices became
time consuming.
v. Integrating third party applications such as the Mobile app was difficult due to its distributed
architecture and with no standard Application Programming Interface (API) available.
vi. The vendor makes the changes or customization, if any, in ABS and does not allow
in-house customization.
In order to overcome these limitations, and having obtained a banking license in March 2010, the
BDBL embarked on the implementation of Finacle CBS jointly with Nelito Systems, and went
live in June 2017, with a “big-bang” implementation strategy. Finacle is a CBS from EdgeVerve
Systems, a wholly owned subsidiary of Infosys.
CBS is networking of branches, which enables customers to operate their accounts and avail
banking services from any branch of the Bank, regardless of where he maintains his account.
CBS also integrates all third party services such as Internet and mobile banking. Thus, with
Finacle CBS, the customers of BDBL can avail banking services anywhere and anytime
without going to the bank.
Finacle CBS is a complete web-enabled solution and its salient features are:
1. Centralised Database: The data of all the branches are stored at a centralized location in
Thimphu, making it easier for the IT staff to handle any changes and back office functions.
2. Enhanced Features: It offers enhanced features (including security patches), which are
monitored and implemented centrally by the ICT Department, and access is given on a
need-to-know basis only.
3. Effective MIS: With the data being centralised, Finacle CBS can generate any information
or report without depending on the branches, for effective decision-making.
4. Total integration of Channels: Finacle CBS can integrate all the existing and envisaged
banking channels through Finacle Integrator or Connect 24, automating a majority of
the tasks, reducing the staff burden and giving them ample time for customer onboarding.
5. One Customer: Every customer of the branch is now a customer of the bank with a unique
customer ID across the bank.
6. Straight through Processing: A transaction can occur electronically without any human
intervention.
7. Retail Functionalities: The software encompasses all the retail functionalities like savings,
current, cash credit, overdraft, term deposits, term loans, safe deposit vault, etc. The
security features include the maker-checker concept, audit trail, etc.

CHAPTER 3: FINDINGS
This chapter is divided into two parts: Part 1 highlights the positive initiatives and Part 2
discusses the shortcomings and deficiencies in Finacle CBS of Bhutan Development Bank
Limited (BDBL).

Part 1: Initiatives and Positive Developments


The implementation of Finacle CBS has resulted in providing anywhere and anytime banking
to its customers through integration of all delivery channels (ATMs, Internet, SMS, Mobile
banking). It has also resulted in gaining more control over data and reducing the workload of
ICT Department with easier and convenient troubleshooting and system maintenance.
Apart from the aforementioned benefits, BDBL made efforts and achieved the following in
implementing Finacle CBS:
i. Top Management commitment to the implementation of Finacle CBS;
ii. The formation of a CBS functional team comprising officials from IT and business;
iii. Establishing the Disaster Recovery (DR) site using Bhutan Telecom’s infrastructure;
iv. Conducting disaster recovery drills by the ICT Department.

Part 2: Shortcomings and deficiencies


While recognizing the positive contributions made after implementing Finacle CBS, the RAA’s
review also revealed areas that require further improvement, as detailed in this section. The
findings were made based on a review of available system documents and analysis of data using
Computer Assisted Audit Tools (CAAT), i.e. Interactive Data Extraction and Analysis
(IDEA³). The findings are broadly categorized into three: system migration, compliance
requirements and IT controls.

3.2.1 System Migration


Having obtained the banking license in 2010 and with the aim to bring operational efficiencies,
transform into a bank, and overcome the limitations of the legacy system, BDBL
implemented the Finacle Core Banking System (CBS) in June 2017 with a “big bang” migration
strategy. Until May 2017, BDBL was using the Ascend Banking System (ABS), which was
holding BDBL back in innumerable ways, and it had become cumbersome and costly to maintain
the legacy system.
The RAA ascertained the adequacy of system migration process, and the accuracy and
completeness of data migration, and noted the following issues.

3.2.1.1. Inadequate control over system migration


System migration is the process of moving from an old IT system to a newer IT system in
order to gain a competitive edge and enhance performance (Figure 3). The migration is carried
out to keep up with current and future technologies and involves substantial financial and human
resources.
Figure 3: System migration (Source: http://www.axistechnical.com/dos-donts-legacy-system-migrations/)

³ Interactive Data Extraction and Analysis (IDEA) is an auditing software used by RAA

With enormous benefits of a core banking system, system migration is inevitable but it also
comes with considerable risks. Therefore, it is imperative for BDBL to mitigate and manage
these risks properly and successfully. BDBL should take a holistic view during system
migration with a proper plan in place and observe due processes.
With scheduled downtime of six days, big bang migration strategy was adopted by BDBL to
migrate from ABS to Finacle CBS and the following activities were carried out by BDBL
during system migration.
a) Representatives from across the business were involved;
b) Branch readiness and implementation environment were assessed;
c) Total account balances were noted and tallied with general ledger;
d) Metadata (characteristics of the data content such as field name, data type, length, table
name, etc.) of Finacle CBS were noted;
e) Mock migrations (mock loads) and mock tests have been performed for one branch and
general ledger;
f) Pre-migration record count (static data) was verified against the post-migration record
counts. For example, the total number of clients in ABS was verified against the total
number of clients in Finacle CBS.
Yet the aforementioned processes were found to be inadequate as evidenced by the
documentation maintained for the same. There was no proper migration plan including
identification of data conversion required and test plans. Specifically, the following were
observed:
i. Documentation were incomplete with regard to data mapping of ABS to Finacle CBS
and there was no examination of data quality of ABS prior to migration. It was not clear
which data fields were transformed and which ones were cleaned and which were not
available in the old system and had to be generated during transformation;
ii. There was no evidence of content analysis and profiling being carried out and hence it
was not clear which product schemes had been merged in the new system and which
accounts were not migrated;
Figure 4: Data migration
iii. There was no evidence of a test plan, test report or any testing conducted during and
after migration to ensure that correct processes were followed and that complete and
accurate data was migrated to the new Finacle CBS;
iv. Similarly, it can be construed that there was
no testing conducted to ascertain the reliability of reports generated and if the reports
can be generated. This is evidenced by the fact that the Finacle CBS could not generate
the reports to follow-up on Non-Performing Loans for five months after the system
migration. Product Service Officers (PSO) were unable to conduct proper follow-up on
these loans. This had contributed to the huge loss incurred by BDBL in 2017.
v. Reconciliation was conducted at branch level after migration but only the term deposits
were reconciled and not for other accounts (Savings, Current, Overdrafts, loans) to
confirm the accuracy of the account balances in the new Finacle CBS;
vi. Data validation and overall reconciliation was not conducted at bank level and not
reconciled against general ledger at overall bank level;
vii. There was no migration audit conducted by internal audit or an external party to ensure
that only reliable and complete data was uploaded to Finacle CBS. As a result, at the time
of audit the IT team was occupied resolving the identified errors and problems on a daily
basis.
These show that there was no defined and approved system migration methodology to serve as a
blueprint, and it could be construed that BDBL did not have a holistic overview of system
migration. Inadequate control over the system migration process could lead to dire consequences
such as:
• Loss of important data required for operation of the bank;
• Wastage of time and effort on data correction, which could have a negative impact on
bank employees, leading to increased working hours and stress.
Furthermore, the RAA performed data reconciliation of ABS against Finacle CBS in order
to ascertain the completeness (account count) and accuracy (account balances) of the
data migration. The results of all comparative analyses of data migration revealed that all the bank
accounts and their account balances had been migrated properly from ABS to Finacle CBS.
The BDBL in their response stated that the ICT Department had initiated the data
cleansing, however cumbersome, due to the limitation of data in ABS and the nature of the
Bank’s clientele (customers are all scattered and the update of their information became
difficult). For that matter, BDBL has issued office orders and formed a taskforce to
follow up on the cleansing activities.
Further, it was explained that the product schemes were mapped from ABS to be
migrated to Finacle CBS, and agreed that the list of accounts not migrated would be
maintained for future reference. Test cases were developed and periodic reviews were
conducted amongst the CBS team members to track the project progress. Further, BDBL
explained that although the branches could not generate reports, the ICT Department
had ensured that the information required was extracted and emailed to all the
branches. A team was identified to initiate correction of all the impacted accounts and
the branches had rectified the same.
The BDBL argued that the data validation and reconciliation were carried out at branch
level and not at bank level, as reconciliation at branch level would mean the same at
bank level. Moreover, only account balances were confirmed, and the number of accounts
was not reconciled, as accounts with zero balances were not migrated.
The BDBL clarified that system migration audit was not carried out due to lack of
internal expertise and even though the BDBL had floated Request for Proposal twice, no
response was received for the same.
While the RAA acknowledges the efforts of the BDBL, it reiterates that a holistic approach
to system migration, backed by a system migration strategy, was not adopted. The BDBL should be
mindful of having a strategy in place before implementing any major ICT initiative.
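The completeness (account count) and accuracy (account balance) checks described in this section, run over constructed sample extracts as an added example (not the RAA’s IDEA workpapers or BDBL’s own code); branch names, account numbers, schemes and general-ledger totals are all made up, and the zero-balance omission mirrors BDBL’s stated practice of not migrating such accounts:

```python
"""Pre/post-migration reconciliation of account extracts (example code, not RAA's IDEA workpapers).

Constructed sample rows: (account_no, branch, scheme, balance) as pulled from the legacy
system (ABS) and from the target (Finacle CBS) after the cut-over, plus constructed
general-ledger control totals per branch for the same day.
"""
from collections import defaultdict
from decimal import Decimal

ABS_ACCOUNTS = [
    ("1001", "Thimphu", "SB", "1500.00"),
    ("1002", "Thimphu", "TD", "25000.00"),
    ("1003", "Haa", "SB", "0.00"),          # zero balance: the kind of account BDBL chose not to migrate
    ("1004", "Haa", "LOAN", "-12000.00"),
    ("1005", "Gelephu", "CA", "800.50"),
]
CBS_ACCOUNTS = [
    ("1001", "Thimphu", "SB", "1500.00"),
    ("1002", "Thimphu", "TD", "25000.00"),
    ("1004", "Haa", "LOAN", "-12000.00"),
    ("1005", "Gelephu", "CA", "800.05"),    # transposed digits: a conversion error to be caught
]
GL_BRANCH_TOTALS = {"Thimphu": "26500.00", "Haa": "-12000.00", "Gelephu": "800.50"}


def _index(rows):
    """account_no -> (branch, scheme, Decimal balance); Decimal avoids float rounding noise."""
    return {acct: (branch, scheme, Decimal(bal)) for acct, branch, scheme, bal in rows}


def reconcile(source_rows, target_rows, gl_totals):
    """Account-level and control-total reconciliation of a migration.

    Completeness: every source account is either present in the target or listed as
    missing (zero-balance omissions are separated from unexplained gaps, since only the
    latter need investigation). Accuracy: balances are compared one by one, then per
    branch and for the bank as a whole, and each branch total is tied to the GL.
    """
    src, dst = _index(source_rows), _index(target_rows)
    findings = {
        "missing_zero_balance": [],
        "missing_unexplained": [],
        "balance_differences": [],
        "extra_in_target": sorted(set(dst) - set(src)),
        "branch_totals": {},
        "gl_mismatch": [],
    }
    for acct, (_branch, _scheme, bal) in src.items():
        if acct not in dst:
            key = "missing_zero_balance" if bal == 0 else "missing_unexplained"
            findings[key].append(acct)
        elif dst[acct][2] != bal:
            findings["balance_differences"].append((acct, str(bal), str(dst[acct][2])))

    totals = defaultdict(lambda: [Decimal(0), Decimal(0)])   # branch -> [source, target]
    for branch, _scheme, bal in src.values():
        totals[branch][0] += bal
    for branch, _scheme, bal in dst.values():
        totals[branch][1] += bal
    for branch, (s_total, t_total) in sorted(totals.items()):
        findings["branch_totals"][branch] = (str(s_total), str(t_total))
        if Decimal(gl_totals.get(branch, "0")) != t_total:
            findings["gl_mismatch"].append(branch)
    findings["bank_total"] = (
        str(sum(t[0] for t in totals.values())),
        str(sum(t[1] for t in totals.values())),
    )
    return findings


if __name__ == "__main__":
    for key, value in reconcile(ABS_ACCOUNTS, CBS_ACCOUNTS, GL_BRANCH_TOTALS).items():
        print(f"{key}: {value}")
```

Run against the real extracts, the branch-level and bank-level totals are what the report says BDBL did not tie back to the general ledger.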

3.2.1.2. Field receipt management was not fully supported in Finacle CBS

When implementing a new IT system, and most particularly off-the-shelf software that is readily
available in the market, it is important to identify all business operations and incorporate them in
the new IT system. Similarly, BDBL should also carry out a requirement analysis, assess the
new IT system’s suitability and select the most appropriate software that is the right fit for
BDBL’s business operations. Additionally, the new IT system should be customised to
incorporate those core functions which were not initially available in the system. Thus, Finacle
CBS should adequately support BDBL’s business operations. With the implementation of a
new system, it is also anticipated that business operations will be re-engineered to bring in
efficiencies and enhance performance.
However, during the review, the RAA found that Finacle CBS is not used for the rural banking
and credit operations in the field known as Farmers’ Outreach Banking (FOB), which is a core
business of BDBL; instead, hand written field money receipts are still being used.
The RAA noted that the services such as deposits, withdrawals and loan EMI repayment
collections are offered by visiting the rural communities at the pre-determined place (Geog
Centers, Community Centers, or Lhakhangs), on a regular basis using the traditional method
(hand written money receipts). The field officials update the transactions in the system once
they are back in branch offices within three days.
Furthermore, in the earlier ABS system, the inventory of the money receipts was maintained
and the money receipt booklet was issued to the field official concerned within the system.
Each field official has an individual field account and the official, on return, will deposit the
total collection in his own individual field account. The clients’ accounts are updated
corresponding to the money receipt that is automatically loaded in ABS system as the inventory
is maintained in ABS.
In contrast, the RAA observed the following practices:


i. The inventory of the money receipts is not maintained in Finacle CBS; instead a manual
register is kept to record the money receipt booklets received from head office and
issued to the field officials;
ii. As there is no inventory of money receipts maintained in Finacle CBS, the field receipt
numbers are entered manually by the official, thereby exposing the system to more
human errors;
iii. The total field collections by all field officials in a branch are deposited in the sundry
account of the branch and the clients’ accounts are then updated. As per accounting
norms, a sundry account is used when the accounting head of the amounts is
unidentified; in principle, the use of a sundry account here is unclear and incorrect, as
the clients’ accounts are already identified;
iv. If there are any mistakes or errors while updating the clients’ accounts, all the field
officials who have deposited their total collections into the sundry account have to re-verify
their work, leading to duplication of effort and inefficiencies;
v. With no real-time transaction in Finacle CBS, the loan repayments collected in the field
are backdated, while the banking services such as withdrawals and savings are not
backdated. Although backdating any financial transaction is wrong, it was understood
that loan repayment transactions are backdated so as not to penalise the rural clients.
Additionally, it is not known whether the decision to allow backdating came from the
management or with the Board’s approval;
vi. In addition, not backdating savings leads to clients losing interest on savings for the
period from the date the amount was collected by the field official until the update
date in the system. Similarly, not backdating withdrawals leads to the bank incurring an
interest expense, as the withdrawal transaction is updated after the actual
withdrawal.
Nonetheless, the ICT Department explained that the inventory of field receipts functionality is
being customised and will soon be rolled out to the branches. However, it is still noted that the
Finacle CBS cannot be used in the field to provide FOB services. With more than 90% rural
clients (or 27% of total share of products being catered to rural clients), FOB service is a core
business function of BDBL and FOB service should have been customised and incorporated in
Finacle CBS before the implementation of system. Although this requirement was identified at
the initial stage as ‘field collection module’, the same was not customised in Finacle CBS nor
was an alternative solution implemented to cater to FOB service. The customisation was
limited to entering the receipt numbers while updating the clients’ accounts and the
management had accepted the same.
This has led to BDBL still using field money receipts, and field receipts are considered a risk
area in the internal control framework. This is also evident from the office orders issued by
BDBL instructing officials not to overwrite on the field receipts, and from the Auditors’ Report
2017, wherein emphasis was given to overwriting on the field receipts and the failure to update
clients’ accounts on time or at all.
The financial service delivery to the rural population is still being delivered using the
conventional method through hand written money receipt despite implementing Finacle CBS.


Not being able to use Finacle CBS for FOB service has resulted in rural clients not being aware
of the latest status of their loan and savings accounts, which could also have a negative impact
by increasing their indebtedness and reducing the Bank’s efficiency and effectiveness.
The BDBL in their response clarified that three custom menus were developed and
deployed to cater for the field receipt inventory from head office to branch and from branch
to staff. However, there were some technical glitches when using the receipts functionality
of Finacle CBS in the branches.

The issue has now been fixed and all the functionality required has been put in place and
a process flow document was circulated to all users for reference. Moreover, the field advance
account of individual field officials will be used to deposit the total field collections instead
of the sundry account.

Regarding the backdating of transactions, a standing order was issued by the
management stating that the loan accounts have to be updated within three days by
backdating. The BDBL explained that the savings accounts are not backdated due to
buffer interest (interest calculated and applied daily on the balance but paid at the end of the
month), as there was a problem of recalculation in the earlier ABS system and this same
practice is continued in Finacle CBS.

During the exit meeting, the BDBL expressed that it may not be possible for the bank to
incorporate the whole of the Farmers Outreach Banking (FOB) processes in Finacle CBS, as
it will entail using third party integration, which will necessitate huge cost to the bank.

The RAA is pleased with the initiatives taken to enhance the field receipt management in the
system and also recognises and accepts that the whole of FOB services cannot be brought
online.
However, the BDBL should ensure that the customisations related to field receipt management
are fully implemented so that risks related to field receipts are minimised. Compliance with
this assurance will be verified in the follow-up audit.

3.2.2 IT Controls
IT controls are policies, procedures and mechanisms that provide reasonable assurance that the
IT used by an organization operates as intended, that data is reliable and that the organization
is in compliance with applicable laws and regulations. In a way, IT controls are automated
internal controls in the system. It is important to ensure that IT controls are embedded and
functioning effectively in the system.
Thus, the RAA assessed the adequacy and effectiveness of IT controls in Finacle CBS and
noted the following.

3.2.2.1. Non-enforcement of draft IT policies


IT policies ensure the protection of the organisation’s assets (including IT equipment, IT
infrastructure and business-critical data) from unauthorized access, disclosure, damage, loss
and unavailability. Having implemented Finacle CBS, it is critical for BDBL to have IT
policies in place that provide direction on IT operations and information security. As
information security is both a management and a technical issue, the management should ensure
the endorsement and enforcement of IT policies.
In this regard, the BDBL had carried out the following activities:
a) 20 IT policies were drafted;
b) A core group was formed by the management to review and discuss these policies;
c) These policies underwent three reviews.
Nevertheless, the approval and endorsement of these IT policies by the BDBL board is still
pending, even though these drafts have been ready for endorsement since July 2018. These drafts
were not endorsed because the BDBL board meets quarterly and the ICT Department
was unable to put this on the agenda of the last meeting.
Non-enforcement of IT policies in BDBL could have the following consequences:
• No proper security measures to ensure the protection of IT systems such as the Finacle
system from unauthorized access or physical damage;
• Lack of employee awareness and training on policy and procedures when using Finacle
CBS, which could lead to information loss, system errors and data misuse/abuse;
• Obscurity when dealing with accountability issues;
• No transparency of the disciplinary actions (whether fair, correct penalty) taken
against an employee suspected of committing a breach;
• IT system threats will not be addressed (no strategies to mitigate these threats, or
how to recover).
It has also led to weak IT controls in BDBL as apparent from the observations noted in the
subsequent sections.
The BDBL stated that the management has taken note of the observation and accordingly
the BDB ICT Security Policy and Finacle SOP 2018 were implemented, which will streamline
and address major processes and procedures.

The RAA appreciates the initiative taken to implement the ICT policies and Finacle standard
operating procedures and the RAA also found that the policies were endorsed with effect from
January 2019. The RAA would like to stress that BDBL should effectively enforce the policies
and operating procedures to enhance the security and operations of the system.

3.2.2.2. Procedural lapses in creating user accounts


User accounts/IDs allow BDBL employees to access and use Finacle CBS to perform their
day-to-day activities. As these accounts/IDs allow employees to use business-critical data in
Finacle CBS, it is imperative that BDBL takes a consistent and systematic approach to
user ID creation in order to mitigate the risks associated with false user account creation.
The current procedures of BDBL entail the following steps when creating a user ID:
a) The supervisor of the employee whose user ID is to be created emails the ICT
Department along with the User ID Creation Form;
b) The User ID Creation Form has details such as the employee name, employee ID, date of
ID creation, the signature of the employee, the signature of the recommending authority,
and the signature of the IT administrator who creates the account;
c) After creating the user ID, the IT official informs the employee whose user ID is created
via email;
d) The IT official documents this email correspondence, attaches it to the User ID Creation
Form and stores/secures it for future reference.
Despite these procedures, the RAA noted procedural lapses, which need to be addressed:
i. The User ID Creation Form did not accompany the email correspondence.
ii. In some instances, emails requesting a change in user access privileges did not contain
the requesting employee’s signature. Nevertheless, the request was approved and access
was given.
iii. Documentation was incomplete; information such as the recommending authority’s details
and signatures were missing in the forms, as shown in Figure 5.
iv. The details and signatures of the IT official who created the user ID were missing in the
forms, as illustrated in Figure 5. The details and signatures of an employee who could
verify the account creation as a witness were missing as well.
Figure 5: Incomplete user ID form

Such incidences imply that proper verification is not carried out and due diligence is not
followed in the user creation procedure by the officials concerned. Incomplete user ID creation
forms and unverified emails being processed and subsequently approved for user ID
creation might have the following effects:
• Any employee could seek a change in access privileges and obtain it. This would
enable the employee to access, alter, modify or delete business-critical data that they
are prohibited from accessing;
• If the email account of an existing employee is compromised, the attacker can send a request
for a user ID creation for a fake employee using this email account in order to
gain access to Finacle CBS and bank data.

This has also resulted in employees having more than one user ID and in unauthorised users in
Finacle CBS.
The BDBL stated that management has taken note of the observation and accordingly
the BDB ICT Security Policy and Finacle SOP 2018 were enforced, which will streamline and
address major processes and procedures. The BDBL assured that user creation and user
access forms were developed in the Finacle SOP 2018, and these forms would be used to
address the procedural lapses in creating user accounts.

The RAA noted and verified the user creation and access forms, which have provision for assigning
officiating and temporary access. As assured, BDBL should streamline the user
creation procedures to avoid unauthorised users in Finacle CBS.

3.2.2.3. Inadequacies in user account management


User IDs are login names or usernames that identify a user/employee and allow access to a
computer system, in this case Finacle CBS. A user ID is used in conjunction with a password and
is the most common authentication mechanism in a computer system.
User IDs must be unique. In other words, each user ID must be associated with a single
employee so that IT administrators can efficiently manage the overall operations of the
computer system and track user activities effectively. Thus, no employee should have more
than one user ID.
Further, for user IDs to be consistent and unique, the user ID generating process must follow a
particular naming convention. These naming conventions can be based on employee ID,
CID or employee name. BDBL user IDs are generated based on the xxx protected number xxx.
Hence, generic or unidentifiable user IDs, which cannot be tagged to a single employee, should
not be used.
The RAA analysed all the user IDs in Finacle CBS and found the following deficiencies:
i. There were ten employees assigned with more than one user ID thereby defeating the
purpose of having one unique identifier (user ID) per user. Specifically, there were more
than one user ID created for two IT officials and one user ID of one IT official is the
employee ID of the research officer. Likewise, there were two user IDs of an assistant
general manager and one of her user ID is the employee ID of the personal assistant of
Dy. CEO.
ii. 15 generic or unidentifiable IDs such as ‘FIVUSR’, ‘AUDIT1’, etc. were discovered.
These should not be permitted as a means of granting access to Finacle CBS because a
generic ID makes it difficult to identify individuals and fix accountability if fraudulent
activities are performed under these user accounts. Table 1 shows the generic IDs in
Finacle CBS.
Table 1. List of generic or unidentifiable IDs

| Sl. No | User ID | User Name | User inactive? |
|---|---|---|---|
| 1 | 0001 | AUDIT1 | No |
| 2 | AUDIT1 | audit1 | No |
| 3 | FIBATUSER | FIBATUSER | No |
| 4 | FINACLECRM | CRMUSER | No |
| 5 | FIVUSR | FIVUSR | No |
| 6 | MIG1 | MIGRATION USER1 | No |
| 7 | MIG2 | MIGRATION USER 2 | No |
| 8 | MIG3 | MIGRATION USER 3 | No |
| 9 | MIG4 | MIGRATION USER 4 | No |
| 10 | MIG5 | MIGRATION USER 5 | No |
| 11 | MIG6 | MIGRATION USER 6 | No |
| 12 | MIG7 | migration user 7 | No |
| 13 | MIG8 | MIGRATION USER 8 | No |
| 14 | UBSADMIN | | No |
| 15 | UBSROOT | | No |
iii. 13 user IDs were found in the system that were not created based on the naming
convention proposed by BDBL, as shown in Table 2. This defeats the purpose of having
a consistent naming convention.
Table 2. User IDs not as per convention

| Sl. No | User ID | User Name | User inactive? |
|---|---|---|---|
| 1 | 0001 | AUDIT1 | No |
| 2 | 1208554 | GINA DEVI | No |
| 3 | AUDIT1 | audit1 | No |
| 4 | BDB1001 | Neera Acharja | No |
| 5 | BDB1002 | Kezang Choden | No |
| 6 | BDB53 | sonam letho | No |
| 7 | BDBAUD1 | External Auditer | No |
| 8 | BDBC001 | kezang choden | No |
| 9 | BDBCCIT01 | Kezang Choden | No |
| 10 | BDBIT01 | Kezang | No |
| 11 | BDBIT02 | Chinnasamy Kandasamy | No |
| 12 | BDBIT03 | IT | No |
| 13 | CCIT01 | Chinnasamy Kandasamy | No |

Upon enquiry with IT officials, it was known that generic IDs such as MIG1, MIG2 were
created at the time of system migration and are no longer in use. Similarly, other IDs such as
BDB1001, BDBC001 were created for the IT officials who do not have employee ID. Finally,
user IDs such as AUDIT1, BDBAUD1 were created for external auditors who required access
to the Finacle CBS.
Inadequacies in user account management indicate that due diligence is not followed to
assign one user account to a single employee, maintain unique user IDs, or disable temporary
user IDs once their functions are completed. Having multiple user IDs and generic IDs will
make it difficult for the IT administrators to efficiently assign rights, track user activity and
manage the overall operations of Finacle CBS. This could also increase the difficulty of fixing
accountability in case of malicious activities performed in the system.
The BDBL explained that generic IDs were created at the time of data migration, which
are now disabled. Further, some user IDs are default system user accounts, which are
used for Finacle system related administration and the users do not have access to these
accounts. Furthermore, all other user IDs are now disabled and, with the Finacle SOP in
place, proper processes and procedures will be followed for user access management, as
earlier users were created without clear-cut standards.

The RAA verified and found all irrelevant user accounts reflected in the report were disabled
and deleted. As agreed, the BDBL should ensure that proper user account management is
maintained in order to minimize the risk of compromising integrity, confidentiality and
availability of Finacle data. Further, the BDBL should ensure due diligence in user account
management and that no employee is assigned more than one user ID and follow proper
naming convention to avoid generic IDs in the system.

3.2.2.4. Access privileges given not as per the roles and responsibilities
Access privileges or access rights of employees to Finacle CBS should be assigned in
accordance to their roles and responsibilities in order to limit fraudulent practices. For instance,
a teller should not have access to loan functions whereas a loan officer will have those access
privileges. The access privileges should be changed as the employee’s responsibilities changes.
The purposes of limiting access to data and information are to ensure (1) users have only the
access needed to perform their duties, (2) access to sensitive resources is limited to only those
for which it is required to carry out their job functions, and (3) employees are restricted from
performing incompatible functions or duties beyond their responsibility.
The RAA tested the adequacy of access privileges assigned within the system by comparing
the employees’ designation against the role assigned in Finacle CBS using IDEA software. The
analysis showed that the assigned responsibilities and rights assigned in the system do not
match for 18 employees. This indicates that while creating user IDs and granting access to the
system, the actual responsibilities of the users were not considered. These instances are shown
in Table 3.
Table 3. Employee responsibility and their access rights to the system do not match

| Sl. No | User ID | Employee ID | Role Assigned in System | Designation | Department/Division | User account status active in the system |
|---|---|---|---|---|---|---|
| 1 | BDB0810 | 0810 | ADMINISTRATOR | HRA | HRM | Yes |
| 2 | BDB0216 | 0216 | AGM | Account Officer | TMB | Yes |
| 3 | BDB0376 | 0376 | AGM | Customer Desk Asstt. | Customer Care | Yes |
| 4 | BDB0723 | 0723 | BANKING OFF-A | Customer Desk Asstt. | Phuentsholing | Yes |
| 5 | BDB0061 | 0061 | BRANCH MANAGERD | Legal Officer | NPA Unit | Yes |
| 6 | BDB0086 | 0086 | BRANCH MANAGERD | Project Officer | CC, Operation | Yes |
| 7 | BDB0318 | 0318 | BRANCH MANAGERD | Teller | Haa | Yes |
| 8 | BDB0787 | 0787 | BRANCH MANAGERD | Customer Desk Asstt. | Trongsa | Yes |
| 9 | BDB0065 | 0065 | LOAN OFFICER-C | Accountant | CSIFD | Yes |
| 10 | BDB0206 | 0206 | LOAN OFFICER-C | Teller | Doksum GFO | Yes |
| 11 | BDB0397 | 0397 | LOAN OFFICER-C | Teller | Gelephu | Yes |
| 12 | BDB0480 | 0480 | LOAN OFFICER-C | Teller | TMB | Yes |
| 13 | BDB0581 | 0581 | LOAN OFFICER-C | Teller | Buli GFO | Yes |
| 14 | BDB0459 | 0619 | LOAN OFFICER-C | Network & Security Adm. | ICT Dept. | Yes |
| 15 | BDB0454 | 0454 | LOAN OFFICER-D | Customer Desk Asstt. | C Care | Yes |
| 16 | BDB0198 | 0219 | SYSTEM | Asstt. General Manager | F&T D | Yes |
| 17 | BDB0727 | 0727 | COMPLIANCE | Project Officer | Western | Yes |
| 18 | BDB0111 | 0111 | HEAD TELLER | Bank G. Asstt. | TMB | Yes |

As can be seen from Table 3, an employee working in Human Resources is given the
administrator role in Finacle CBS, which is not in line with the employee’s responsibilities.
Similarly, a customer desk employee and a teller are given the branch manager access in
Finacle CBS. A network/security administrator is also assigned with a role of loan officer in
the system. Additionally, these cases also suggest that user access to Finacle CBS are not
reviewed and updated periodically.
Moreover, the user access level data maintained with ICT Department is incomplete or not
updated as roles such as AGM, compliance, manager, OGM, System, Treasury officer, Credit
AGM assigned to system users are not present in the list.
Assigning rights without considering users’ responsibilities could lead to intentional or
unintentional errors and open room for fraud and malpractice.
The BDBL explained that with the transfer of staff or change of responsibilities, the user roles are
changed in the system. In some exceptional cases, a lower work class is assigned a higher work
class to facilitate faster services.
The BDBL further commented that users assigned wrong access rights have been rectified in the
system and the bank is in the process of assigning the proper work class as per the approved Finacle
SOP – 2018.


The RAA noted that the user accounts in the observation were updated (either deleted or
their user role updated). However, BDBL should revise the user roles and their assignment to
appropriate officials, along with a monitoring mechanism. There should be procedures
to update user access as soon as an official is transferred or separated. While noting the
manpower shortage and the need to deliver services, BDBL should deliver faster services but
not at the cost of security.
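The user-list analyses of sections 3.2.2.3 and 3.2.2.4 (one ID per employee, no generic IDs, a consistent naming convention, IDs carrying another employee’s number, and system role versus designation), run over constructed sample rows as an added example; this is not the RAA’s IDEA procedure or BDBL’s own code, and the ‘BDB’ + four-digit employee ID convention and the designation-to-role baseline are hypothetical, since the report redacts the real basis:

```python
"""Audit checks over a core-banking user list (example code, not RAA's IDEA procedure).

Constructed sample rows: (user_id, employee_id, user_name, role, designation, active).
The naming convention assumed here ('BDB' + four-digit employee ID) is hypothetical;
the report redacts the actual basis for BDBL's user IDs.
"""
import re
from collections import defaultdict

USER_ID_PATTERN = re.compile(r"^BDB(\d{4})$")

USERS = [
    ("BDB0810", "0810", "Dorji", "ADMINISTRATOR", "HRA", True),
    ("BDB0318", "0318", "Pema", "BRANCH MANAGER", "Teller", True),
    ("BDB0065", "0065", "Sonam", "LOAN OFFICER", "Accountant", True),
    ("BDB0123", "0123", "Karma", "TELLER", "Teller", True),
    ("BDB0124", "0123", "Karma", "LOAN OFFICER", "Teller", True),   # second ID for the same employee
    ("BDB0459", "0619", "Tashi", "LOAN OFFICER", "Network & Security Adm.", True),  # ID digits are not the holder's
    ("MIG1", "", "MIGRATION USER1", "SYSTEM", "", True),            # migration-time generic account
    ("AUDIT1", "", "audit1", "AUDITOR", "", True),                  # external-auditor generic account
]

# Hypothetical designation -> system roles that job genuinely needs (least-privilege baseline).
EXPECTED_ROLES = {
    "Teller": {"TELLER"},
    "Accountant": {"ACCOUNTANT"},
    "HRA": {"HR USER"},
    "Network & Security Adm.": {"NETWORK ADMIN"},
}


def duplicate_ids_per_employee(users):
    """Employees holding more than one user ID (one identifier per person is the control)."""
    by_emp = defaultdict(list)
    for uid, emp, *_ in users:
        if emp:
            by_emp[emp].append(uid)
    return {emp: ids for emp, ids in by_emp.items() if len(ids) > 1}


def generic_ids(users):
    """IDs with no employee behind them: activity under these cannot be attributed to a person."""
    return [uid for uid, emp, *_ in users if not emp]


def naming_violations(users, pattern=USER_ID_PATTERN):
    """IDs that do not follow the (assumed) BDB + employee-ID convention."""
    return [uid for uid, *_ in users if not pattern.match(uid)]


def id_not_matching_owner(users, pattern=USER_ID_PATTERN):
    """Well-formed IDs whose embedded number is not the holder's own employee ID
    (the report found one official's ID carrying another employee's number)."""
    out = []
    for uid, emp, *_ in users:
        m = pattern.match(uid)
        if m and emp and m.group(1) != emp:
            out.append((uid, emp))
    return out


def role_mismatches(users, expected=EXPECTED_ROLES):
    """Active accounts whose system role is not one the holder's designation requires."""
    out = []
    for uid, _emp, _name, role, desig, active in users:
        if active and desig and role not in expected.get(desig, set()):
            out.append((uid, desig, role))
    return out


def audit_report(users=USERS):
    """Run every check and return the findings as one dict."""
    return {
        "duplicates": duplicate_ids_per_employee(users),
        "generic": generic_ids(users),
        "naming": naming_violations(users),
        "wrong_owner": id_not_matching_owner(users),
        "role_mismatch": role_mismatches(users),
    }


if __name__ == "__main__":
    for check, findings in audit_report().items():
        print(f"{check}: {findings}")
```

The designation-to-role baseline is the piece the report says was missing from the ICT Department’s access-level data; the check is only as good as that list.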

3.2.2.5. Delay in deactivation of user accounts of former employees


Each BDBL employee is given, during their employment, an account with a certain level of privileges (as per their job requirement) to access a certain set of sensitive information and data to perform their day-to-day activities. These user accounts should be carefully monitored and managed by the IT administrators, and deactivated when an employee voluntarily resigns, superannuates or is terminated. The accounts of former employees should therefore be deactivated to avoid unauthorised access to sensitive information and reduce the risk of undetected fraudulent activities in the system.
In order to ascertain whether the accounts of former employees were disabled, RAA obtained
a list of employees relieved from their duties during the financial year 2017-2018 and verified
against the latest list of all the deactivated accounts using IDEA software. During this
verification, the RAA observed the following:
i. Of the 52 employees who had left the bank in 2017-18, 15 user accounts were not deactivated in the system. The access rights and user accounts were neither revoked nor disabled.
ii. 36 former employee user accounts were deactivated only 29 to 1173 days after their relieving date. The deactivation dates (4th and 5th October 2018) show that the deactivation was done during the audit, when the RAA asked for the list of deactivated users in the system. This clearly represents negligence on the part of the IT administrators and higher authorities of BDBL in enforcing a secure IT access policy. Figure 6 shows the delays in deactivation of former employees’ accounts in the system. The user account of one former employee was deactivated after 39 months (1173 days), while 18 user accounts were deactivated within 6 months.
Figure 6: Delay in deactivation of former employees’ user accounts
[Bar chart: number of employee user accounts (bars of 18, 9, 8 and 1 accounts) against the time to deactivation in months, axis 0 to 50]

iii. Out of 10 suspended employees, user accounts of three employees were still active in the system. Table 4 shows details of these three employees.
Table 4. List of suspended employees who were not deactivated in the system.

Sl # | EMP ID | Designation | Branch/Division | CID Number | Suspended dated | Remarks
1 | BDB0345 | Bank G. Officer | Main Branch | 11705001883 | 08/11/2016 | Embezzlement case
2 | BDB0357 | Project Officer | L/Zingkha | 11306001129 | 25/11/2016 | Embezzlement case
3 | BDB0297 | Teller | Wamrong | 11514004521 | 02-03-2017 to 01-04-2017 | Embezzlement case
The delays in, and failure to, deactivate the accounts of former employees occurred due to the following:
• Lack of proper monitoring and management of user accounts;
• Negligence on the part of the IT administrators and officials concerned in deactivating the accounts directly; and
• Lack of proper procedures for handling the accounts of suspended and terminated employees.
A disgruntled employee (recently terminated or suspended) is a threat agent. If their accounts are not deactivated or disabled immediately after separation, such employees may:
• try to access, steal, alter or delete important and sensitive bank data such as credit card numbers, account names, transaction summaries, etc.;
• transfer funds illegally;
• leak or sell information to malicious outsiders such as hackers, assisting them in bypassing the security features of the system;
• be deceived or tricked by social engineers into giving information that can be used to hack the system or damage the reputation of the bank.
These might affect the functioning of BDBL and, in worst-case scenarios, cause a severe financial loss from which BDBL may not be able to recover. It would also cause a huge PR disaster, and customers may lose faith and confidence in the bank, prompting them to switch banks.
The BDBL responded that user administration was maintained at the SSO (Single Sign On) admin and FINCORE levels. User creation and deletion were done at the SSO level, and users deleted at the SSO level cannot access any of the functions at FINCORE level. The employees in the list above were already deleted at the SSO level but not at FINCORE level, and they do not have access to the system. Additionally, the BDBL mentioned that, with Finacle SOP 2018 in place, the whole user access management process is being implemented.
While the RAA verified and found the users listed in the observation were indeed deleted, the
BDBL should establish proper procedures between HR and ICT Departments to deactivate the
user accounts of former employees. BDBL should ensure that employees who are no longer
with the bank do not have access to the system to avoid unnecessary risks to integrity and
confidentiality of the information.
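An added example, not from the report, BDBL or Finacle, of how the checks in 3.2.2.4 and 3.2.2.5 could be automated against exported CBS user and HR lists: it flags roles outside a hypothetical designation-to-role mapping, finds relieved or suspended employees whose accounts are still active, and computes deactivation delays in days bucketed by months as in Figure 6. All records, IDs and the role mapping are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical mapping of designation -> CBS roles that designation may hold.
PERMITTED_ROLES = {
    "Teller": {"TELLER"},
    "Head Teller": {"HEAD TELLER"},
    "Customer Desk Officer": {"CUSTOMER DESK"},
    "HR Officer": {"HR"},
    "Network/Security Administrator": {"NETWORK ADMIN"},
    "Branch Manager": {"BRANCH MANAGER"},
}

@dataclass
class CbsUser:
    user_id: str
    emp_id: str
    designation: str
    role: str                       # role assigned in the CBS
    active: bool
    deactivated_on: Optional[date]  # None while the account is active

@dataclass
class HrRecord:
    emp_id: str
    status: str                     # "active", "relieved" or "suspended"
    separated_on: Optional[date]    # relieving or suspension date

def role_mismatches(users):
    """Users whose CBS role is not permitted for their designation (cf. 3.2.2.4)."""
    return [(u.user_id, u.designation, u.role) for u in users
            if u.role not in PERMITTED_ROLES.get(u.designation, set())]

def former_employee_accounts(users, hr):
    """Join CBS users to HR separations (cf. 3.2.2.5).

    Returns (still_active, delays): user IDs of relieved/suspended staff whose
    account is still active, and for deactivated ones the delay in days between
    separation and deactivation."""
    by_emp = {h.emp_id: h for h in hr}
    still_active, delays = [], {}
    for u in users:
        h = by_emp.get(u.emp_id)
        if h is None or h.status not in ("relieved", "suspended"):
            continue
        if u.active or u.deactivated_on is None:
            still_active.append(u.user_id)
        else:
            delays[u.user_id] = (u.deactivated_on - h.separated_on).days
    return still_active, delays

def delay_buckets(delays, bucket_months=6):
    """Count delays per bucket of N months (30-day months), as in Figure 6."""
    counts = {}
    for days in delays.values():
        idx = (days // 30) // bucket_months
        label = f"{idx * bucket_months}-{(idx + 1) * bucket_months} months"
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample data (not BDBL records): four users and their HR status.
SAMPLE_USERS = [
    CbsUser("U001", "E001", "Teller", "BRANCH MANAGER", False, date(2018, 10, 4)),
    CbsUser("U002", "E002", "Teller", "TELLER", False, date(2017, 12, 10)),
    CbsUser("U003", "E003", "Customer Desk Officer", "CUSTOMER DESK", True, None),
    CbsUser("U004", "E004", "HR Officer", "ADMIN", True, None),
]
SAMPLE_HR = [
    HrRecord("E001", "relieved", date(2017, 8, 1)),
    HrRecord("E002", "relieved", date(2017, 11, 15)),
    HrRecord("E003", "suspended", date(2016, 11, 8)),
    HrRecord("E004", "active", None),
]

def run_review(users=SAMPLE_USERS, hr=SAMPLE_HR):
    """Run all three checks and return the findings in one dictionary."""
    mismatches = role_mismatches(users)
    still_active, delays = former_employee_accounts(users, hr)
    return {"role_mismatches": mismatches, "still_active": still_active,
            "delays": delays, "buckets": delay_buckets(delays)}

if __name__ == "__main__":
    for finding, value in run_review().items():
        print(finding, value)
```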

3.2.2.6. Loan payoff amounts in two screens are different


Processing controls provide an automated means to ensure that data are processed and calculations, if any, are performed as per rules and standards without any omission or double-counting. For instance, the applicable interest rates should be used when calculating interest for bank accounts, which should accrue at the end of each month. In the same way, the loan payoff amount should be calculated correctly and the same amount should be displayed in the ‘Loan General Details’ and ‘Loan Pay Off Process’ screens of Finacle CBS. Thus, it is important to assess the adequacy of processing controls in a banking system like Finacle CBS.
During the assessment, the RAA noted differences in the loan payoff amount of the same loan account between the ‘Loan General Details’ and ‘Loan Pay Off Process’ screens of Finacle CBS. The loan payoff amount is the total amount outstanding on a loan that must be paid to close it. One specific case is presented in Case Study 1.

Case Study 1: Different loan pay off amount for the same loan account

The RAA, while comparing the loan payoff amount shown in ‘Loan Pay Off Process’ and ‘Loan General Details’ for a loan under Agri. & Animal Husbandry, noted that the payoff amounts differ. The payoff amount in ‘Loan Pay Off Process’ is Nu. 234,343.15 (Figure 7) while the payoff amount in ‘Loan General Details’ is Nu. 232,485.78 (Figure 8), a difference of Nu. 1,857.37.
Figure 7: Loan pay off Process screen
Figure 8: Loan general details screen

From the case study presented above, it is apparent that Finacle CBS does not calculate and display the loan payoff amount correctly in one of the screens. The cause of this seems to be bugs in the system, and it was known that patches had been applied to the system. Nonetheless, it is apparent that the application of patches (fixes) had still not resolved the problem. It can be deduced that the consultant hired for such specific problems had not yet fixed it. Consequently, due to such problems, the bank officials were instructed to use the payoff amount displayed in ‘Loan Pay Off Process’ when clients come to close their loan account, as the interest up to that date is calculated in ‘Loan Pay Off Process’ and not in ‘Loan General Details’. However, some bank officials had inadvertently closed loan accounts using the loan payoff amount in ‘Loan General Details’. The ‘Loan General Details’ screen only calculates and displays the loan payoff amount as of the last interest run date (the previous month’s interest) and not up to the current date of viewing. The resultant effect was that the loan balance is shown as zero while the remaining interest is still reflected for some loan accounts. An instance is presented under Case Study 2.


Case Study 2: Loan balance zero but payoff amount shown as credit balance

The resultant effect of different loan pay off amounts displayed in two screens of
the same account was studied. The RAA found that a seasonal loan account was
closed through the ‘Loan General Details’ screen in September 2018 and the loan
balance made zero but the loan pay off amount was shown as Nu. 9,802.80 as of 06
December 2018 as portrayed in Figure 9. This was because the payoff amount in
‘Loan General Details’ was calculated till August 2018 while the loan balance
(loan payoff) was made zero on 18 September 2018. The remaining interest
calculation of 1 day was not actually paid off and thus, was reflected as Nu.
9,802.80 as of 6 December 2018.
Figure 9: Loan balance is zero but the payoff amount is reflected as Nu. 9802.80

Due to such wrong processing, clients were asked to pay off again, which amounts to harassment of the clients. In some cases where the resultant payoff amount was small, the bank officials said they were hesitant to inform the clients and had paid the amount themselves. Such wrong processing of data and its resultant effect will lead to clients losing trust in BDBL and ultimately, BDBL may lose its client base.
The BDBL responded that Finacle CBS has different menus from where loan collections can be carried out and the cases mentioned in the observation can be attributed to users using the wrong screens (using HLASPAY instead of HPAYOFF) when paying off and closing a loan account. At times, the payoff figure is different in the ‘loan general detail’ screen and the ‘payoff’ (HPAYOFF) screen due to the way in which interest is accrued, booked and applied. The ‘payoff’ screen shows the total interest accrued on the day of checking while the ‘loan general details’ shows the interest applied on the last demand date. The account has to be paid off from the ‘payoff’ (HPAYOFF) menu so that the interest accrued and booked till date is applied and collected.

The RAA agrees with BDBL’s response and found that a ‘Loan payoff and account closure’ guideline has been drafted, but BDBL should identify and rectify all such cases and intimate the RAA through the Management Action Plan Report. There is also a need to raise awareness among users on the use of the menus of Finacle CBS.

3.2.2.7. Incorrect report generation by Finacle CBS


Being a widely used core banking system, Finacle CBS is expected to generate accurate and correct reports that can be relied upon to make business decisions. The reports generated have to be customised to suit BDBL’s requirements and tested for completeness and accuracy. Since reports are consumed to make informed decisions, the reports generated should be complete, accurate and ultimately, reliable.
On the contrary, while verifying the correctness and completeness of the reports generated, the following anomalies were noted.

a. Unreconciled difference in trial balance generated by Finacle CBS


Finacle CBS generates the general ledger and trial balance of each branch and at bank level. These reports are critical inputs for preparing the financial statements of BDBL. Given their importance, the correctness and accuracy of such documents are a necessity. Thus, it is of utmost importance that the general ledger and trial balance generated be error-free and accurate.
The RAA examined the financial statements generated by Finacle CBS and observed accounting errors in the trial balance of some branches of the bank. As per accounting norms, the debit and credit amounts of a trial balance should tally. However, the credit and debit did not tally, generating an unreconciled difference in the trial balance.
The review of the monthly trial balance of BDBL’s Thimphu Main Branch from June 2017 till September 2018 showed mismatches between debit and credit amounts, resulting in the differences shown in Table 5. Likewise, there were mismatches between debit and credit amounts for 23 branches of the bank until October 2018. Except for Thimphu Main Branch and Trashiyangtse Branch Office, the ICT Department recently resolved these errors in the trial balance of the other branches.
Table 5. Difference in debit & credit amount in trial balance of Thimphu Main Branch
Month | Debit Amount (Nu.) | Credit Amount (Nu.) | Difference Amount (Nu.)
Jun-17 | 19,110,977,258.38 | 19,120,096,906.60 | -9,119,648.22
Jul-17 | 18,920,879,613.28 | 18,929,984,262.40 | -9,104,649.12
Aug-17 | 19,346,450,975.28 | 19,355,653,424.59 | -9,202,449.31
Sep-17 | 20,408,320,372.61 | 20,400,790,211.16 | 7,530,161.45
Oct-17 | 19,218,050,892.59 | 19,217,475,338.32 | 575,554.27
Nov-17 | 19,609,517,533.33 | 19,618,627,700.46 | -9,110,167.13
Dec-17 | 19,872,721,969.83 | 19,883,269,139.68 | -10,547,169.85
Jan-18 | 17,880,620,402.59 | 17,891,132,859.23 | -10,512,456.64
Feb-18 | 18,122,065,559.62 | 18,132,641,794.34 | -10,576,234.72
Mar-18 | 18,657,437,313.61 | 18,667,987,994.52 | -10,550,680.91
Apr-18 | 18,093,883,944.28 | 18,104,536,334.22 | -10,652,390
May-18 | 18,919,239,578.59 | 18,929,873,201.05 | -10,633,622.46
Jun-18 | 19,547,830,802.90 | 19,558,595,121.86 | -10,764,318.96
Jul-18 | 19,344,688,654.64 | 19,355,406,950.22 | -10,718,296
Aug-18 | 19,275,962,032.51 | 19,286,511,222.66 | -10,549,190.15
Sep-18 | 18,988,575,946.32 | 18,988,015,477.81 | 560,469

The reason for the mismatch between debit and credit balance was stated to be problems with summation. Although the mismatch between the debit and credit balance is decreasing, the debit and credit amounts of the trial balance for Thimphu Main Branch and Trashiyangtse Branch still do not match.
As the trial balance is part of the accounting cycle, such an inaccurate trial balance cannot be relied upon and will only impede the preparation of BDBL’s financial statements, as more time and effort is needed to correct the errors. This also raises questions about the correctness of the bank’s financial statements.
The BDBL in their response explained that the difference in the trial balance
occurred due to inter SOL (inter branch) transactions not happening properly
after go-live which was resolved towards the end of October 2018 only. However,
BDBL stated that the difference in trial balance has no effect at the bank level as
the debit and credit were matching.

The RAA verified the trial balance of December 2018 of Thimphu Main Branch and found that the same was rectified. Nevertheless, the reports generated by Finacle CBS should be tested properly in the future.

b. NPL reports were not generated for five months after migration
The Non-Performing Loans (NPL) report is an important report of BDBL that assists the management in assessing the list of non-performing loans of the bank and following up on such loans.
Due to inadequacies in system migration, proper testing of the reports generated by Finacle CBS was not conducted and hence, NPL reports were not generated for five months. This had major consequences as loan repayments could not be collected on time, which impacted the income of the bank.
The BDBL responded that the report testing was conducted in a short period due to the involvement of the entire CBS task force in Finacle CBS. The BDBL also explained that after migration, branches were not able to generate reports through the IP/VPN network, as the reports had been tested on the high-speed LAN at the Head Office premises. The CBS team generated the required reports from the backend for business continuity.
The BDBL assured that the issue was now fixed with the deployment of patches and that the following reports are now corrected and fine-tuned.
a. PAR Report (PSO-Wise/Branch Wise)
b. NPL Report (Loan Asset Classification Report)
c. Ledger Report
d. Field Collection Report
e. Loan Register Report
f. Trial Balance & GL Reports
The RAA recognises the fact that system migration is a huge task and the IT resources were engaged in system migration, but reports such as the Non-Performing Loans report are an integral part of the business and should be tested properly. Nonetheless, the RAA verified and found the reports corrected.

c. Incorrect generation of Product Service Officer-wise Portfolio At Risk report
The verification of the Product Service Officer (PSO) wise Portfolio At Risk (PAR) report disclosed that the report reflects names of PSOs who have either been transferred or resigned and are no longer under the branch.
For instance, in Gelephu Branch, a PSO who is no longer under the Branch was still reflected in the PSO-wise PAR report at the time of audit, as shown and highlighted in Figure 10. This error was corrected instantly.
Figure 10: Wrong PSO reflected in PAR report of a branch

Likewise, in Phuentsholing Branch, three PSOs’ names were reflected in the PSO-wise
PAR report even when they were no longer under Phuentsholing Branch.
The BDBL responded that during migration, all accounts were migrated with
USBRoot users and the responsibility lies with the respective branch office to
transfer portfolio of staffs.

Such incorrect generation of reports indicates the need for due diligence by the
branches and the BDBL should institute a proper monitoring mechanism in place.


d. Accounts with zero balance reflected in Non-Performing Loan report
There were also instances of accounts with zero balance being reflected in Non-
Performing Loan (NPL) reports. This is a clear indication of lack of adequate controls
in the system. Such instances will not only increase the number of loan accounts that
are non-performing but also mislead the decision makers.
Inaccuracies in reports confirm that the Finacle CBS is not able to generate correct and
reliable reports. Although a consultant was hired to create customized reports and fine
tune existing customised reports, errors still persist in the reports generated by Finacle
CBS.
Control weaknesses in Finacle CBS to correctly generate reports, has led to unbalanced
trial balance, incorrect PSO-wise PAR and NPL reports. These will subsequently
impede effective monitoring, may result in making wrong decisions and could impact
the income of the Bank.
The BDBL stated that loan accounts with zero balance do not have any negative impact on the profitability of the bank and all accounts with zero balance have been excluded from the non-performing loan report.

The BDBL further explained that the accounts with zero balance were found
active due to non-closure of account from CAACLA & HCAAC after loan
repayment.

NPL reports generated should be correct and only non-performing loans should be
reflected. Although the zero balance does not impact on the profitability, it does
increase the number of accounts which are non-performing. It is observed repeatedly
that account closure procedures are not properly followed and BDBL should
train/remind their officials on account closure procedures properly and familiarise the
users on the different menus in Finacle CBS. Further, BDBL should initiate to close all
such accounts wherein zero balances are reflected.

3.2.2.8. Wrong master data mapping in the system


Master data is a list of data used as a common point of reference; it removes duplicates and standardises data (mass maintenance). Master data is an authoritative source of data. Lists of Dzongkhags, Gewogs and departments/regional offices under an organisation are examples of master data. Master data has to be mapped correctly to its corresponding sub-data. In this context, the Gewogs have to be mapped to their Dzongkhags correctly. Since master data is used as reference data, it is all the more important to map it correctly to the corresponding sub-data.
However, the RAA observed that Gewogs were not correctly listed according to their Dzongkhags. In particular, the Gewogs under Bumthang and Chhukha Dzongkhags did not match their Dzongkhags. Instead, the Gewogs under Bumthang were reflected under Chhukha Dzongkhag and vice versa, as shown in Figure 11.


Figure 11: Gewogs of Bumthang Dzongkhag mapped against Chhukha Dzongkhag

Wrong master data mapping has led to such instances of inaccurate and unreliable data in
Finacle CBS.
The BDBL accepted and stated that the error occurred during migration, and this too only for Dzongkhags that were mapped to the wrong Gewog. The error has been rectified and the issue stands resolved as of date.

The RAA has verified and found that the errors were corrected however, in future the BDBL
should map master data properly as master data is used as a reference data.

3.2.2.9. Non-review of audit logs and trails


Surveillance of the business-critical data in Finacle CBS can be carried out through audit trails and logs. Audit logs and trails provide a means to accomplish several security objectives, including individual accountability, reconstruction of events (actions performed on the Finacle CBS), intrusion detection and identification of system errors. In general, an application-level audit trail monitors and logs user activities and error events.
With enough time, even the best controls put in place to prevent malicious system activity can be circumvented by a sufficiently proficient attacker. In such events, audit trails and logs form an essential component in enforcing accountability. They make it possible to detect unauthorised intrusions or trace the activities of a system user by relating a process or action to a specific user.

The damage that occurred from an incident can be assessed by reviewing audit trails, enabling the system administrator to establish how, when and why the incident occurred and who caused it. Accordingly, audit logs and trails also help to reconstruct events after a problem has occurred. Audit trails form a considerable part of the front-line defence for detecting and preventing fraud and embezzlement. Thus, audit logs and trails should also be periodically analysed to detect any control weaknesses in the system.

During the assessment of audit logs and trails, the RAA observed that Finacle CBS generates audit logs and trails of all user actions and error events on the system. Though the system maintains logs of various events, the RAA noted that the existing logs/trails were inadequate for the following reasons:
i. The audit logs and trails had not been monitored or reviewed to gain insights into system activities since the system’s inception;
ii. The integrity and authenticity of the audit trails and logs could not be verified or established;
iii. There was no assurance that audit trails could be reconstructed for accountability.

Without a review of audit trail data, malicious activities, system errors and intrusions could go
undetected and defeat the very purpose of maintaining the audit trails/logs. This could
consequently compromise the very expensive Finacle CBS and disrupt the bank from
functioning.

The BDBL argued that the Finacle application audit logs can be checked post incidents
to find out the cause while for the network infrastructure, with ICT Security Policy 2018
in place, all logs will be enabled as per security policy and reviewed on periodic basis to
check and detect intrusion to the internal systems. (Network security policy).

The RAA maintains that the Finacle application audit logs should be reviewed periodically, not only as a detective measure and for post-incident management but also as a preventive measure to avoid security incidents in the first place.
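An added example, not from the report or from Finacle, of one way to make application audit trails verifiable (the gap noted in point ii above): each log entry is sealed with an HMAC that also covers the previous entry’s seal, so any modification, deletion or reordering breaks the chain, and the last seal is compared with a copy anchored outside the system to catch truncation. The key, the log layout and the events are assumptions (the menu codes HPAYOFF and HLASPAY appear in the report; the users, timestamps and account numbers are fictitious).

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical sealing key: held by the log collector (ideally an HSM or a
# separate log server), never by CBS users or application administrators.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64   # tag assumed for the entry before the first one

def seal(prev_tag: str, record: Dict) -> str:
    """HMAC-SHA256 over the previous entry's tag and the canonical JSON of
    this record, so every tag depends on the whole history before it."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

def append(log: List[Dict], record: Dict) -> None:
    """Append a record sealed against the current last tag."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": seal(prev, record)})

def verify(log: List[Dict], anchored_tag: Optional[str] = None) -> int:
    """Return -1 if the chain is intact; otherwise the index of the first
    entry whose tag does not match (modified, deleted or reordered entry).
    Truncating the tail leaves the chain intact, so the last tag must be
    compared with one anchored elsewhere (printed, WORM storage, auditor's
    copy); a mismatch there is reported as index len(log)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(seal(prev, entry["record"]), entry["tag"]):
            return i
        prev = entry["tag"]
    if anchored_tag is not None and not hmac.compare_digest(prev, anchored_tag):
        return len(log)
    return -1

def actions_of(log: List[Dict], user: str) -> List[str]:
    """Reconstruct, in order, the menus a given user invoked (accountability)."""
    return [e["record"]["menu"] for e in log if e["record"]["user"] == user]

def build_sample_log() -> List[Dict]:
    """Constructed events; user IDs, timestamps and account numbers are fictitious."""
    log: List[Dict] = []
    for rec in [
        {"ts": "2018-09-18T10:02:11", "user": "U0102", "menu": "HPAYOFF", "account": "LN000123"},
        {"ts": "2018-09-18T10:05:40", "user": "U0102", "menu": "HLASPAY", "account": "LN000456"},
        {"ts": "2018-09-18T10:09:03", "user": "U0311", "menu": "HPAYOFF", "account": "LN000789"},
    ]:
        append(log, rec)
    return log

def tamper_checks() -> Dict[str, int]:
    """Show which manipulations the chain catches and which need the anchor."""
    log = build_sample_log()
    anchor = log[-1]["tag"]                      # copy kept outside the CBS
    modified = json.loads(json.dumps(log))       # deep copy
    modified[1]["record"]["account"] = "LN000999"
    deleted = log[:1] + log[2:]                  # entry 1 removed
    truncated = log[:2]                          # tail cut off
    return {
        "intact": verify(log, anchor),
        "modified": verify(modified),
        "deleted": verify(deleted),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, anchor),
    }

if __name__ == "__main__":
    print(tamper_checks())
    print(actions_of(build_sample_log(), "U0102"))
```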

3.2.3 Compliance Requirements

3.2.3.1. Non-incorporation of RMA and BDBL requirements


The Royal Monetary Authority (RMA) issues guidelines on different types of loans, which require adherence by the banks. Accordingly, the BDBL has to abide by the compliance requirements of the RMA and has issued its banking manual, credit manual and other such notifications. The compliance requirements or parameters specified in the guidelines, manuals and notifications have to be set in the Finacle CBS, which is done in the scheme parameter screen.
As these parameters are used for processing loan transactions, it is of utmost importance that they be set in a controlled environment, with access given only to authorised individuals and duly verified by competent officials. Moreover, these parameters should be changed only when there is a change in the policies or rules.
The RAA test-checked the parameters defined in the Finacle CBS against the prevailing rules and noted the following anomalies.

a. Interest rates not applied as per prescribed rates


Interest rates are specified by the RMA and through notifications issued by the BDBL management based on the RMA’s directives. The BDBL had issued a notification vide BDB/CEO-02/2016/8037 dated September 23, 2016 with revised interest rates effective from October 2016. Later, the BDBL issued another notification vide Office Order no. BDB/CEO-02/2017/1961 dated April 4, 2017 with a further revision of interest rates.
The RAA ascertained whether these revisions in interest rates had been incorporated in the system (Scheme Parameter setting screen). It was found that the system not only maintains a history of interest rate revisions but also that the latest revised interest rates were captured correctly.
The RAA further verified the loan data of Finacle CBS to confirm that the revised rates were applied in actual loan transactions. For the purpose of verification, loan accounts opened from October 2016 were taken into consideration.
The analysis revealed 1056 active loan accounts wherein the interest rates applied were other than the prescribed interest rates. A summary of those instances is given in Table 6.

Table 6. Interest rate applied other than prescribed rate
SI.No. | Product Type | Prescribed interest rate as of 1/10/2016 (A) | Prescribed interest rate as of 1/04/2017 (B) | No. of loan accounts (levied neither A nor B)
1 | Agri & Animal Husbandry Loan | 10.55 | 10.25 | 825
2 | Consumer Loan | 9.75 | 9.50 | 19
3 | Education Loan | 11.50 | 10 | 1
4 | General Trade Loan | 12.50 | 12.25 | 9
5 | Group Seasonal Loan | 10 | 10 | 2
6 | Group Term Loan | 10 | 10 | 1
7 | Manufacturing/Industrial Loan | 11.30 | 11.30 | 11
8 | Micro enterprise Loan (BCCI Scheme) | 12.00 | 12.00 | 82
9 | Overdraft Gen | 12.00 | 12.00 | 44
10 | Personal Loan | 13.50 | 13.50 | 27
11 | Seasonal Loan | 11.55 | 11.55 | 10
12 | Small Scale Industrial Loan | 11.50 | 11.30 | 2
13 | Transport Loan | 12.50 | 12.50 | 6
14 | Working Capital (OD) | 12.00 | 12.00 | 17
Total | | | | 1056
As Table 6 shows, interest rates were not applied as per the prescribed rates for 1056 loan accounts. Most instances were observed in Agriculture & Animal Husbandry Loans, with 825 loan accounts.
Unexpectedly, the RAA also found 116 active loan accounts with a zero interest rate, which were opened after October 2016. The summary is given in Table 7.
Table 7. Loan Accounts with Interest Rate Zero
SI. No. | Product Type | No. of loan accounts
1 | Agri & Animal Husbandry Loan | 32
2 | Consumer Loan | 8
3 | Education Loan | 1
4 | General Trade Loan | 4
5 | Group Seasonal Loan | 2
6 | Group Term Loan | 1
7 | Manufacturing/Industrial Loan | 1
8 | Micro enterprise Loan (BCCI Scheme) | 1
9 | Overdraft Gen | 32
10 | Personal Loan | 7
11 | Seasonal Loan | 9
12 | Small Scale Industrial Loan | 2
13 | Working Capital (OD) | 16
Total | | 116
It is evident from Table 6 and Table 7 that the BDBL has been applying inconsistent interest rates to its clients due to lack of proper monitoring and supervision. Levying interest rates other than the prescribed rates may result in the following:
• the bank losing income when the interest rate is lower than prescribed;
• the client paying more when the interest rate is higher than prescribed.
The BDBL argued that the interest rates for loans are based on credit manual
2015, base rate and MLR and on loan tenor. BDBL further mentioned that system
users could have entered the wrong rates in some cases. It was explained that in
ABS some loan schemes such as loan against fixed deposit, loans for invoked
guarantee, loan to purchase shares, etc. were opened under product code of
personal loan. Further, the 116 loan accounts with zero interest are all closed.

The RAA would like to stress that the interest rates of 1056 loan accounts were
compared and extracted against the rates defined by the BDBL (Notifications issued on
September 23, 2016 and April 4, 2017) and taking into account the loan tenor also.
Only 75 out of 1056 loan accounts were found corrected and the remaining 981 loan
accounts provided under Appendix I will be verified in the follow-up audit.

While the BDBL found that the 116 loan accounts with zero interest were closed accounts, the RAA would like to clarify that the comparative analysis was carried out on accounts whose status is shown as active. This again indicates that proper account closure procedures were not followed and, as stressed earlier, the BDBL should sensitise its officials on account closure procedures and the different menu screens of Finacle CBS.

b. Non-compliance to maximum loan term period


The RAA conducted the comparative analysis of maximum loan term period set in
Finacle CBS against the loan term period defined in the requirements.
The analysis showed differences as tabulated in Table 8.


Table 8. Variance in loan term period
Sl. No. | Scheme Code | Name of Loan Product | Maximum Loan Term Period as per Credit Manual/RMA guidelines | Maximum Loan Term set in Finacle CBS
1 | LA718 | Small Scale Industry loan | 5 years | 10 years
2 | LA719 | Transport Loan | 5 years | 15 years
3 | LA711 | Industrial/Manufacturing Loan | 10 years | 18 years 3 months
4 | LA 703 | Construction Loan | 5 years | 15 years
5 | CL802 | Commercial Housing Loan | 20 years | 12 days
6 | LA725 | Working Capital Loan | 1 year | 10 years
7 | LA713 | Personal loan | 5 years | 15 years
8 | LA706 | Consumer loan | 5 years | 15 years
9 | LA721 | EDP loan | 10 years | 5 years
As evident from Table 8, most of the loan term periods set in the Finacle CBS are double or triple the actual loan period in the compliance requirements. Surprisingly, the maximum loan term parameter set for commercial housing loan is just 12 days. Such non-adherence indicates weaknesses in the procedures for setting parameters in the Finacle CBS and that these parameters are not closely monitored for compliance.
Setting just 12 days also raises the question of how commercial housing loans are processed. The RAA further extracted the commercial housing loan details from the loan data of Finacle CBS to ascertain the maximum loan term. The analysis revealed that there are no commercial housing loan accounts with a maximum term of 12 days, indicating that the parameter for commercial housing loan is changed as and when required.
As the parameters were not set as per the compliance requirements, the RAA also verified the maximum loan term in the loan data of Finacle CBS. Only those loan accounts opened from April 2017 till the period of audit (September 2018) were taken into consideration, as the change in loan term period came into effect only from April 2017.
The RAA expected to find only those instances of loan accounts whose parameter setting was incorrect to start with. However, the extraction also revealed loan accounts where the parameter setting was correct but the maximum term period in the actual loan transactions was not as per the compliance requirements.
The total number of instances of loans sanctioned for periods above the required period is summarised in Table 9.
Table 9. Instances of variances in loan term period
SI. No. | Scheme Code | Name of Loan Product | Maximum Term period as per rule (in years) | Maximum Term set in Finacle CBS (in years) | No. of loan accounts exceeding maximum loan term
1 | LA701 | Agri & Animal Husbandry Loan | 10 | 11 to 60 | 39
2 | LA707 | General Trade Loan | 5 | 6 to 10 | 7
3 | LA709 | Group Term Loan | 5 | 9 to 15 | 3
4 | LA712 | Micro Enterprise Loan (BCCI scheme) | 3 | 5 | 38
5 | LA722 | Purchase of share/equity | 5 | 7 | 1
6 | LA715 | Seasonal Loan | 1 | 2 to 11 | 4
7 | LA706 | Consumer Loan | 5 | 10 | 3
8 | CL802 | Commercial Housing Loan | 20 | 21 | 12
9 | LA711 | Manufacturing/Industrial Loan | 10 | 11 | 1
10 | LA713 | Personal Loan | 5 | 6 to 15 | 7
11 | LA718 | Small Scale Industrial Loan | 5 | 6 to 10 | 3
12 | LA719 | Transport Loan | 5 | 6 to 10 | 6
Total | | | | | 124
Remarks (all rows): Set correctly in the scheme parameter screen in Finacle CBS but existence of loan accounts exceeding defined loan term in the requirement.
As apparent from Table 9, there are 12 different types of loans with 124 loan accounts where the maximum loan term was more than the required term.
The maximum loan term parameter for the agriculture and animal husbandry loan was set correctly in the scheme parameter-setting screen, yet there were 39 loan accounts in which the loan term exceeded 10 years, ranging from 11 to 60 years. For consumer loans, where the parameter itself was set to 15 years, there were three consumer loan accounts with a term period of 10 years, double the required period of five years.
This implies that the parameters were changed as and when convenient to process loans.
The BDBL accepted and stated that the general scheme parameters maintenance (GSPM) mistake pointed out has been rectified. For non-conforming accounts, the users made mistakes during account opening by setting the wrong number of instalments, which only increases the loan term period. It was explained that, to avoid such mistakes, an exception handling message has been set in the system that will block the user from making such a mistake.

As assured during the exit meeting, the BDBL should prepare a process flow document for setting the number of instalments in line with the term period, which should be provided in the Management Action Plan Report.

Furthermore, BDBL should require its branches to correct the variances in the loan term period and to report the same in the Management Action Plan Report, which will be verified in the follow-up audit. The loan accounts exceeding the allowable maximum loan term are detailed in Appendix II.

c. Variation in scheme parameter of maximum loan amount


With the exception of group term, personal and consumer loans, the maximum loan
amount sanctioned depends on the source of return and on the value of the collateral.


As per RMA's Guideline on Consumer Loan, every individual consumer loan account should have a maximum limit of Nu. 500,000. Similarly, the personal loan limit is Nu. 500,000 and the group term loan limit is Nu. 150,000.
The loan amount parameters are set as they should be in the scheme parameter settings of Finacle CBS, as shown in Table 10. For products whose ceiling is collateral-driven (shown as N/A), the maximum has been left at the field's upper bound of 99,999,999,999,999.99, which in effect imposes no system limit.
Table 10. Loan amount limit set correctly as per compliance requirements

Scheme Code | Name of Product | Maximum loan amount as per Credit Manual/RMA guidelines (Nu.) | Min. amount set in Finacle CBS (Nu.) | Max. amount set in Finacle CBS (Nu.)
LA706 | Consumer loan | Up to 500,000 | 5,000.00 | 500,000.00
LA713 | Personal loan | Up to 500,000 | 100.00 | 500,000.00
LA719 | Transport loan | N/A | 1,000.00 | 99,999,999,999,999.99
LA711 | Industrial/Manufacturing Loan | N/A | 100.00 | 99,999,999,999,999.99
LA717 | Service & Tourism Loan | N/A | 100.00 | 99,999,999,999,999.99
LA 703 | Construction loan | N/A | 100.00 | 99,999,999,999,999.99
CL802 | Commercial housing loan | N/A | 1,000.00 | 99,999,999,999,999.99
LA726 | Staff loan | N/A | 1,000.00 | 2,500,000.00
LA709 | Group Term Loan | 150,000.00 | 1,000.00 | 150,000.00
LA 712 | Micro Enterprise Loan | N/A | 100.00 | 300,000.00
LA730 | Cooperative Loan | N/A | 100.00 | 300,000.00
LA715 | Seasonal Loan | N/A | 100.00 | 99,999,999,999,999.99
LA707 | General Trade Loan | N/A | 100.00 | 99,999,999,999,999.99
LA725 | Working Capital Loan | N/A | 1,000.00 | 99,999,999,999,999.99

Although the parameter was correctly set for the loan amount limit, the analysis of loan data showed 536 loan accounts that exceeded the loan amount limit, as shown in Table 11.
Table 11. Instances of variances in maximum loan amount

Sl. No. | Scheme Code | Name of Product | Max. amount as per compliance requirement and set in Finacle CBS (Nu.) | Maximum loan amount range exceeding the requirement in loan data (Nu.) | No. of loan accounts
1 | LA706 | Consumer Loan | 500,000.00 | 1,075,825.00 | 1
2 | LA709 | Group Term Loan | 150,000.00 | 160,000.00 to 300,000.00 | 500
3 | LA713 | Personal Loan | 500,000.00 | 530,000.00 to 5,012,000.00 | 35
Total | | | | | 536
Most instances were observed in the group term loan type, with 500 loan accounts exceeding the maximum amount prescribed. For one consumer loan, the amount given was as high as Nu. 1,075,825.00, about double the permissible limit of Nu. 500,000. Likewise, a personal loan account was sanctioned Nu. 5,012,000.00, ten times the maximum loan amount of Nu. 500,000.
These show that the requirement for the loan amount limit was not complied with and that the limit set as a scheme parameter was not enforced during loan processing. They also indicate weak supervisory controls and monitoring mechanisms in processing loans and setting loan parameters.
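The two extractions described above (loan term against Table 9 and loan amount against Table 11) can be reproduced as a single compliance check that tests each account against the rule itself rather than against the parameter screen, and that also flags parameter rows which differ from the rule, including the age-limit parameter discussed under (d) below. The following Python script is an added example and is not RAA, BDBL or Finacle code; the rule table, the scheme parameter rows, the account records and the record layouts are constructed for illustration.

```python
"""Scheme-parameter and loan-account compliance check (added example).

Not RAA, BDBL or Finacle code. The rule table is constructed from the
limits quoted in this section (scheme codes as in Tables 8 to 12); the
parameter rows and loan accounts are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Compliance requirement per scheme. max_amount=None means the ceiling is
# collateral-driven (shown as N/A in Table 10), so no amount check applies.
RULES = {
    "LA706": {"max_term_years": 5, "max_amount": 500_000},   # Consumer loan
    "LA713": {"max_term_years": 5, "max_amount": 500_000},   # Personal loan
    "LA709": {"max_term_years": 5, "max_amount": 150_000},   # Group term loan
    "CL802": {"max_term_years": 20, "max_amount": None},     # Commercial housing loan
}
MIN_AGE, MAX_AGE = 18, 99   # no maximum age in the rules, so the parameter should be 99


@dataclass
class SchemeParam:
    """One row of the scheme parameter screen (assumed layout)."""
    code: str
    max_term_years: float
    max_amount: float
    min_age: int
    max_age: int


@dataclass
class LoanAccount:
    """One loan account from the CBS extract (assumed layout)."""
    acct: str
    scheme: str
    opened: date
    instalments: int     # monthly instalments set at account opening
    sanctioned: float    # sanctioned amount in Nu.


def check_scheme_params(params):
    """Compare the parameter screen with the rule (Tables 8, 10 and 12)."""
    findings = []
    for p in params:
        rule = RULES[p.code]
        if p.max_term_years != rule["max_term_years"]:
            findings.append((p.code, "max_term_years", p.max_term_years, rule["max_term_years"]))
        if rule["max_amount"] is not None and p.max_amount != rule["max_amount"]:
            findings.append((p.code, "max_amount", p.max_amount, rule["max_amount"]))
        if (p.min_age, p.max_age) != (MIN_AGE, MAX_AGE):
            findings.append((p.code, "age_limit", (p.min_age, p.max_age), (MIN_AGE, MAX_AGE)))
    return findings


def check_accounts(accounts, effective_from=date(2017, 4, 1)):
    """Test every account opened since the rule took effect against the rule
    itself, not against the parameter screen (Tables 9 and 11)."""
    exceptions = []
    for a in accounts:
        if a.opened < effective_from:
            continue
        rule = RULES[a.scheme]
        term_years = a.instalments / 12
        if term_years > rule["max_term_years"]:
            exceptions.append((a.acct, a.scheme, "term", term_years, rule["max_term_years"]))
        cap = rule["max_amount"]
        if cap is not None and a.sanctioned > cap:
            exceptions.append((a.acct, a.scheme, "amount", a.sanctioned, cap))
    return exceptions


def summarise(exceptions):
    """Count exceptions per (scheme, kind), as in the tables' last column."""
    return dict(Counter((scheme, kind) for _, scheme, kind, _, _ in exceptions))


# Constructed sample data: parameter rows mirroring the variances reported
# above, and a handful of loan accounts.
PARAMS = [
    SchemeParam("LA706", 15, 500_000, 18, 56),
    SchemeParam("LA713", 15, 500_000, 18, 75),
    SchemeParam("LA709", 5, 150_000, 18, 99),
    SchemeParam("CL802", 12 / 365, 99_999_999_999_999.99, 18, 99),
]
ACCOUNTS = [
    LoanAccount("A001", "LA706", date(2017, 6, 1), 120, 400_000),      # 10-year term
    LoanAccount("A002", "LA706", date(2017, 6, 1), 60, 1_075_825),     # over amount cap
    LoanAccount("A003", "LA709", date(2018, 1, 15), 36, 300_000),      # over amount cap
    LoanAccount("A004", "LA713", date(2018, 3, 2), 180, 5_012_000),    # term and amount
    LoanAccount("A005", "LA713", date(2016, 12, 1), 120, 900_000),     # before April 2017
    LoanAccount("A006", "CL802", date(2018, 5, 1), 240, 8_000_000),    # within 20 years
]

if __name__ == "__main__":
    for f in check_scheme_params(PARAMS):
        print("parameter variance:", f)
    exc = check_accounts(ACCOUNTS)
    for e in exc:
        print("account exception:", e)
    print("summary:", summarise(exc))
```

The point of keeping the two checks separate is the one the RAA makes above: a parameter screen that agrees with the rule says nothing about the accounts already booked, so the account-level check must read the rule directly and ignore whatever the parameter currently says.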


The BDBL responded that for the group loan schemes, the maximum ceiling for the loan was increased from 150,000 to 300,000 but was not parameterised at the scheme level, and no validation was set for the maximum loan amount in the system. The loan amount of 1,075,825.00 showing as a consumer loan is due to a user opening a transport loan under that scheme by mistake, which has now been rectified by transferring the scheme from consumer loan to transport loan.
The BDBL further explained that a few personal loans were actually invoked bank guarantees converted to loans by users, despite a loan scheme being available for this. A few personal loans were disbursed over the set limit of 500,000 as the users were not aware of the maximum limit. Henceforth, a system validation message has been set so that users will not be able to proceed with account opening for a loan limit exceeding the maximum limit.
The RAA verified and found that the error message has been set and the loan accounts have been corrected. It appears that the users are not aware of the different loan schemes; there is therefore a need to sensitise the users on the same and to fix accountability where necessary, as it is the users' job responsibility to have in-depth knowledge of BDBL's products.

d. Inconsistencies in maximum age set as scheme parameter


Besides the non-compliances in loan term period and amount limit, the RAA also verified the maximum age limit of loan applicants. There is no mention of an age limit in the compliance requirements except that the applicant has to be at least 18 years of age. (In the case of the senior citizen fixed deposit, the applicant has to be 65 years or above.)
As there is no maximum age for applicants, the age limit should be set to '99' in the scheme parameter screen in Finacle CBS. However, upon verification, it was observed that the maximum age limit set varies from one loan scheme to another, as shown in Table 12.
Table 12. Variances in maximum age limit of loan applicants

Scheme Code | Scheme Description | Min. age set as scheme parameter in Finacle CBS | Max. age set as scheme parameter in Finacle CBS
LA706 | Consumer loan | 18 | 56
LA713 | Personal loan | 18 | 75
LA710 | Housing loan | 18 | 75
LA719 | Transport loan | 18 | 66
LA720 | Home settlement loan | 18 | 56
LA723 | Loan against fixed deposit | 18 | 77
CL803 | Manufacturing/Industrial loan | 18 | 65
LA716 | Service loan | 18 | 68

As shown, the age limit for the consumer loan was set to 56 years. There is no basis for this in the compliance requirements; the reason cited was that the maximum working age is 56 and hence the age limit for the consumer loan was set accordingly. It was observed that the age limit is changed as and when convenient, that is, whenever an applicant's age exceeds the maximum age set in Finacle CBS. One such case is presented below.


Case in point: Changing the age limit in Finacle CBS

A user requests the ICT Department by email to disable/change the age limit, as the applicant's age is higher than the age set in Finacle CBS, as shown in Figure 12.
Figure 12: Request for disabling the age limit

One IT official makes the change and another IT official verifies the change in the system, as given in Figures 13 and 14.
Figure 13: IT makes the change
Figure 14: IT verifies the change made

It can be deduced from the case presented above that the ICT Department changes scheme parameters on the strength of an email alone. Basing changes on an email is risky: an email request carries no formal approval or record of authorisation, and the sender's mailbox could be compromised or the message spoofed. The verification by a second IT official confirms only that the change was made as requested, not that the request itself was authorised. Moreover, accepting changes as and when requested could lead to frequent and unauthorised changes, which could result in loan manipulation.
Non-compliances in loan term period, amount and age limit, together with frequent ad hoc changes to such scheme parameters, leave unnecessary room for manipulation. Users may not process loans uniformly in the absence of a clear policy, procedures and a monitoring mechanism for parameter setting.
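One control that addresses the case above is to reconcile every change recorded in the parameter audit trail against the change-control register, and to flag values that are lifted and then restored around a single application. The following Python script is an added example, not BDBL, RAA or Finacle code; the audit-trail and register layouts, the approval window and all records are constructed assumptions.

```python
"""Reconciling scheme-parameter changes with approved change requests
(added example; not BDBL, RAA or Finacle code).

The audit-trail and change-register layouts are assumptions; a real
check would read the CBS parameter audit trail and the change-control
register. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ParamChange:
    """One entry from the parameter audit trail (assumed layout)."""
    when: datetime
    scheme: str
    field: str
    old: str
    new: str
    maker: str      # IT official who made the change
    checker: str    # IT official who verified it


@dataclass
class ChangeRequest:
    """One approved entry from the change-control register (assumed layout)."""
    ticket: str
    scheme: str
    field: str
    new: str
    approved_by: str        # business owner who authorised the request
    approved_at: datetime
    window_days: int = 5    # change must be applied inside this window


def find_unauthorised(changes, requests):
    """Every change must match an approved request for the same scheme,
    field and target value, applied inside the approval window, and the
    maker, checker and approver must be three different people."""
    findings = []
    for c in changes:
        match = next((r for r in requests
                      if (r.scheme, r.field, r.new) == (c.scheme, c.field, c.new)
                      and r.approved_at <= c.when <= r.approved_at + timedelta(days=r.window_days)),
                     None)
        if match is None:
            findings.append((c, "no approved change request"))
        elif c.maker == c.checker:
            findings.append((c, "maker and checker are the same user"))
        elif match.approved_by in (c.maker, c.checker):
            findings.append((c, "approver also made or verified the change"))
    return findings


def find_transient_changes(changes, max_hours=48):
    """Flag a value that is changed and then restored within max_hours: the
    'lift the limit for one application' pattern in the case above."""
    found = []
    ordered = sorted(changes, key=lambda c: c.when)
    for i, c in enumerate(ordered):
        for later in ordered[i + 1:]:
            if (later.scheme, later.field) != (c.scheme, c.field):
                continue
            if later.when - c.when > timedelta(hours=max_hours):
                break
            if later.old == c.new and later.new == c.old:
                found.append((c, later))
                break
    return found


# Constructed records: an age limit lifted and restored the same day on an
# email request, one properly approved change, and one self-verified change.
CHANGES = [
    ParamChange(datetime(2018, 3, 5, 10, 0), "LA706", "max_age", "56", "99", "ict_a", "ict_b"),
    ParamChange(datetime(2018, 3, 5, 16, 30), "LA706", "max_age", "99", "56", "ict_a", "ict_b"),
    ParamChange(datetime(2018, 4, 10, 9, 0), "LA709", "max_amount", "150000", "300000", "ict_a", "ict_b"),
    ParamChange(datetime(2018, 4, 12, 11, 0), "LA713", "max_term_years", "5", "15", "ict_c", "ict_c"),
]
REQUESTS = [
    ChangeRequest("CR-2018-07", "LA709", "max_amount", "300000", "credit_head", datetime(2018, 4, 9, 15, 0)),
    ChangeRequest("CR-2018-09", "LA713", "max_term_years", "15", "credit_head", datetime(2018, 4, 11, 9, 0)),
]

if __name__ == "__main__":
    for change, reason in find_unauthorised(CHANGES, REQUESTS):
        print(f"{change.when:%Y-%m-%d %H:%M} {change.scheme}.{change.field}: {reason}")
    for first, back in find_transient_changes(CHANGES):
        hours = (back.when - first.when).seconds // 3600
        print(f"{first.scheme}.{first.field} lifted {first.old}->{first.new} and restored after {hours} h")
```

The reconciliation presupposes that the audit trail cannot be edited by the same people who make the changes; if the trail is only a CBS table that ICT officials can update, it should be exported to a log store they do not administer before the check is run.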
The BDBL responded that the age limit in the parameter was set based on the request, as there were no clear-cut processes and procedures in place, but with the implementation of the Finacle SOP 2018, any changes required will be made as per the change control management process.


The RAA verified and found that a 'Scheme Creation' form has been developed to create any scheme or to make changes to a particular scheme. In the future, the BDBL should ensure that a strong monitoring mechanism is in place to meet the bank's compliance requirements.

3.2.4 Disorganised IT helpdesk and problem management


Organisations relying on IT will quite often experience some level of disruption to their operations. Most system users do not have the requisite knowledge and expertise to deal with such problems and disruptions. In such cases, the IT helpdesk should troubleshoot and respond to end-user problems or requests, maintain incident logs, and determine the best manner to resolve the incidents. Moreover, the IT helpdesk should track the frequency of incident occurrences, identify recurrent incidents and find the root cause of such incidents. In addition, there should be a problem escalation process in place to escalate problems that cannot be directly resolved.
The BDBL had established a CBS functional team comprising officials from the business and IT sides to guide the users when they face any user-related problems. If the CBS team cannot resolve a problem, it is escalated to the consultant. The consultant in turn resolves the problem and shares the solution with the rest of the ICT Department for knowledge transfer.
However, the RAA observed that although the helpdesk function tries to resolve the incidents reported by users as soon as possible, the incidents are not logged. This shows that the helpdesk function is limited to resolving incidents as and when they occur. In other words, the helpdesk provides event-based or reactive services and not proactive services.
Without incident logs, the helpdesk does not currently
i. track the frequency of incidents;
ii. identify recurrent incidents;
iii. categorise the incidents;
iv. perform root cause analysis of such incidents to identify the underlying problem;
v. correct the underlying problem through proper problem management to prevent future incidents and stabilise the system.
The resultant effect is that the IT officials spend the major part of their effort on resolving reported incidents and not on stabilising the system.
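As an added example (not BDBL helpdesk tooling), the following Python script shows what the helpdesk could do once incidents are logged: categorise each entry from its description, count recurrences within a window, and list the branches affected so that a recurrent incident becomes a problem record with a root-cause owner. The log lines, the category keyword rules and the recurrence thresholds are constructed assumptions.

```python
"""Incident log analysis for problem management (added example; not BDBL
or Finacle code). The log lines, category rules and thresholds below are
constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed incident log: timestamp | branch | reporter | description
INCIDENT_LOG = """\
2018-05-02 09:14 | Thimphu | user07 | interest run for all accounts instead of one, overdue shown
2018-05-02 11:40 | Paro | user12 | cannot open consumer loan, validation error on number of instalments
2018-05-09 10:05 | Mongar | user31 | interest run for all accounts, needs reversal
2018-05-15 14:22 | Thimphu | user07 | password reset request
2018-05-21 08:50 | Trashigang | user44 | ran interest on all loan accounts by mistake
2018-06-03 16:10 | Paro | user12 | interest run on whole branch, overdue on not-due accounts
2018-06-04 09:30 | Gelephu | user19 | field receipt not reflecting in CBS
"""

# Keyword rules mapping free-text descriptions to categories (assumed
# taxonomy; first matching rule wins).
CATEGORIES = [
    ("INTEREST_RUN_ALL", re.compile(r"interest.*\b(all|whole)\b", re.I)),
    ("LOAN_OPEN_VALIDATION", re.compile(r"open.*loan.*(validation|instalment)", re.I)),
    ("ACCESS", re.compile(r"password|login|locked", re.I)),
    ("FIELD_RECEIPT", re.compile(r"field receipt", re.I)),
]


def categorise(desc):
    for name, pattern in CATEGORIES:
        if pattern.search(desc):
            return name
    return "UNCATEGORISED"


def parse_log(text):
    """Parse the pipe-separated log into dicts with a parsed timestamp and category."""
    incidents = []
    for line in text.strip().splitlines():
        ts, branch, reporter, desc = [p.strip() for p in line.split("|", 3)]
        incidents.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                          "branch": branch, "reporter": reporter, "desc": desc,
                          "category": categorise(desc)})
    return incidents


def recurring(incidents, min_count=3, window_days=60):
    """Categories seen at least min_count times inside a sliding window are
    candidates for a problem record and root-cause analysis. Returns
    {category: occurrences in the densest window}."""
    by_cat = defaultdict(list)
    for i in incidents:
        by_cat[i["category"]].append(i["when"])
    problems = {}
    for cat, times in by_cat.items():
        times.sort()
        for start in range(len(times)):
            end = start
            while end + 1 < len(times) and times[end + 1] - times[start] <= timedelta(days=window_days):
                end += 1
            if end - start + 1 >= min_count:
                problems[cat] = end - start + 1
                break
    return problems


def branches_affected(incidents, category):
    """Branches reporting a category: several branches point to a system or
    training problem rather than a single user's error."""
    return sorted({i["branch"] for i in incidents if i["category"] == category})


if __name__ == "__main__":
    incidents = parse_log(INCIDENT_LOG)
    for cat, n in recurring(incidents).items():
        print(f"problem candidate: {cat} ({n} incidents) at {branches_affected(incidents, cat)}")
```

On the constructed log the bank-wide interest run is the one recurring category, reported from four branches, which is exactly the signal that separates a training or menu-privilege problem from an isolated user mistake.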
The BDBL responded that after migration, the management sought expertise from other sources and ultimately hired a Finacle Technical Consultant to resolve reported issues and to stabilise the system. Additionally, the ICT department had assigned three ICT officials as a helpdesk for resolving the issues submitted by the branches, but periodic monitoring of such calls has been challenging due to the multiple tasks carried out by the ICT department.

With regard to issues reported to Nelito system (the CBS implementation partner), a separate tracker was maintained to monitor the status. For any bugs in the system, ICT officials log the problem with TechOnline and monthly status reports are shared on a periodic basis.


With the Finacle SOP 2018, the ICT department is implementing an online support system which will keep track of the issues reported; there will be a knowledge base section for the users and a separate section for internal ICT officials to find help for quick solutions to recurring problems.

The RAA appreciates the prompt action taken by the ICT Department, more specifically the initiative to develop an online helpdesk portal to report, record and track incidents. The ICT Department should analyse frequently recurring issues to arrive at permanent solutions.

3.2.5 Inadequate training and knowledge transfer


In order to improve the effectiveness of the system through reduced errors and increased productivity, it is essential to provide training to all users, including the IT technical team. The RAA noted the following with regard to user training and knowledge transfer.

• 138 system users out of 572, including managers and supervisors, were not trained. Having a supervisory role in the system, the managers should have been trained, which would lead to fewer errors.
• Some users were trained in February 2017 while the actual implementation of Finacle CBS was in June 2017. By then, the users had already forgotten how to navigate the system and it became cumbersome for them to operate and use the system even for simple banking operations. Users cited having to consult the CBS functional team constantly to operate the system.
• There were 56 to 57 participants in each batch of training. The effectiveness of any training decreases as the number of participants increases.
• Even with the training provided, most of the system users did not know how to run interest in the system. There were instances of users running interest for all the bank accounts instead of for an individual account, which also suggests that the bank-wide interest run was not restricted to the users who need it. This resulted in overdues being reflected even for accounts that were not due. The impact is resource intensive because users spend long hours reversing the interest or rescheduling the loan and having to recheck all the loan accounts to correct the errors.
• Besides training on the operation of the system, the BDBL had issued directives and raised the security awareness of system users. However, the RAA observed that users share their login credentials (username and password), which defeats the accountability that individual user accounts and the system's audit trail are meant to provide.

These indicate that end-user training was inadequate, which may result in users making inadvertent errors and the IT technical team spending time guiding the users and troubleshooting the problems.
The BDBL responded that the management tried its best to ensure that all the employees of the bank were trained on the Finacle system without disrupting the operations of the bank. With the large number of employees and limited trainers, the user trainings had to be carried out in batches over a span of more than three months.
In February 2018, the management identified six officials (two from each region) from the branches, who were trained on the operational processes to streamline the workflow processes and bring consistency and uniformity in Finacle CBS. These officials were then sent to all branches to train the users in the branches under their respective region.
The ICT department circulates operational processes and manuals as and when a new product is added to the system, and training on Finacle CBS operation is given as and when the bank recruits a new employee.

Furthermore, with the Finacle SOP 2018 and the ICT Security Policy 2018 in place, the ICT department has started creating awareness and sensitisation on the security aspects of Finacle.

The RAA acknowledges the effort put in by BDBL management; the BDBL should further prioritise capacity building for the smooth functioning of the business.


CHAPTER 4: RECOMMENDATIONS
Based on the issues pointed out under Part 2 of Chapter 3, the RAA has provided four recommendations aimed at enhancing the efficiency and effectiveness of Finacle CBS. The recommendations are discussed below:

4.1. Field receipt management should be incorporated in Finacle CBS

With the mandate to enhance rural prosperity and alleviate poverty, BDBL is the principal vehicle for financial inclusion in the country through Farmers Outreach Banking (FOB). The RAA found that field receipts were not customised in the system even though this requirement was identified before the implementation of Finacle CBS.
Therefore, considering the risk of using field receipts, there should be proper control over field receipts, and BDBL should automate the inventory management of field receipts in Finacle CBS.

4.2. BDBL should institute robust IT controls in Finacle CBS

Robust IT controls provide reasonable assurance that Finacle CBS operates as intended, thereby increasing the trust and confidence of the bank's employees in the system. This will ultimately result in retaining existing customers and attracting new ones because a reliable system is in place. Currently, the BDBL does not have adequate and robust IT controls in Finacle CBS.
BDBL should institute and enforce robust IT controls in the system to maintain the integrity and reliability of the system at all times. Specifically, BDBL should:
• endorse and implement IT policies to ensure that effective IT controls are in place;
• institute a monitoring mechanism to avoid multiple user accounts for one employee and generic user accounts, to follow a proper naming convention, and to deactivate the accounts of users who are no longer with the bank;
• ensure an access control mechanism that assigns access rights and privileges on 'need to know' and 'least privilege' principles, in order to mitigate the risk of unauthorised access, data modification, disclosure or loss;
• implement strong input validation controls so that the system does not accept garbage, duplicates or invalid data, or process data incorrectly or illogically;
• implement adequate processing controls to prevent erroneous or incorrect calculations and variations;
• ensure accurate and complete reports are generated to prevent errors and inconsistencies, as incorrect reports have financial implications for the bank;
• apply strong validation controls over master data, since master data are important files used as references and input for processing transactions;
• establish a review mechanism for audit logs and audit trails;
• identify and rectify the flaws in the system; and
• initiate data cleaning of the Finacle CBS database to remove inaccurate and incomplete data.
Although every employee plays a role in strengthening the organisation's internal control system, the responsibility for establishing and maintaining the control environment rests with the management.
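The user-account bullet above describes a check that can be run periodically against a user export from the CBS and the HR roster. The following Python script is an added example, not BDBL or Finacle code; the export layout, the HR roster, the naming convention and the generic-account patterns are constructed assumptions.

```python
"""User-account review for a CBS: duplicate accounts per employee, generic
accounts, naming-convention violations and leavers still active.

Added example; not BDBL's or Finacle's tooling. The user export, HR roster
and naming convention below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import date

# Assumed convention: first initial + surname, lowercase letters only.
NAME_RE = re.compile(r"^[a-z][a-z]{2,15}$")
# Assumed patterns for shared or generic logins that belong to no one person.
GENERIC_RE = re.compile(r"^(admin|test|temp|branch|teller|user)\d*$", re.I)

# Constructed CBS user export: login, employee id (None = not linked), status.
CBS_USERS = [
    {"user_id": "tdorji", "emp_id": "E101", "active": True},
    {"user_id": "tdorji2", "emp_id": "E101", "active": True},
    {"user_id": "TELLER1", "emp_id": None, "active": True},
    {"user_id": "pwangmo", "emp_id": "E207", "active": True},
    {"user_id": "Karma.Tshering", "emp_id": "E310", "active": True},
    {"user_id": "sdema", "emp_id": "E412", "active": False},
]
# Constructed HR roster: employee id -> separation date (None = still employed).
HR_ROSTER = {"E101": None, "E207": date(2018, 2, 28), "E310": None, "E412": date(2017, 12, 31)}


def review_users(users, roster, as_of=date(2018, 9, 30)):
    """Return {finding_type: [...]} for the four conditions in the
    recommendation above. Generic or unowned logins are reported once and
    not also judged against the naming convention."""
    findings = defaultdict(list)
    by_emp = defaultdict(list)
    for u in users:
        uid = u["user_id"]
        if GENERIC_RE.match(uid) or u["emp_id"] is None:
            findings["generic_or_unowned"].append(uid)
        elif not NAME_RE.match(uid):
            findings["naming_convention"].append(uid)
        if u["emp_id"] is not None:
            by_emp[u["emp_id"]].append(uid)
            left = roster.get(u["emp_id"], "UNKNOWN")
            if left == "UNKNOWN":
                findings["not_in_hr"].append(uid)
            elif left is not None and left <= as_of and u["active"]:
                findings["leaver_still_active"].append(uid)
    for emp, uids in by_emp.items():
        if len(uids) > 1:
            findings["multiple_accounts"].append((emp, sorted(uids)))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in review_users(CBS_USERS, HR_ROSTER).items():
        print(f"{kind}: {items}")
```

The join on employee id is what makes the leaver check reliable; a review keyed on names alone misses renamed or duplicated logins, which is why the export must carry the HR identifier for every personal account.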

4.3. BDBL should meet and comply strictly with all the compliance
requirements

The RAA noted several instances of non-compliance with RMA and BDBL's regulations. In order to address these non-compliances, the BDBL should ensure strict compliance by leveraging the Finacle CBS. In particular, BDBL should:
• maintain the master copy of all (both past and current) compliance requirements;
• institute proper procedures to set the parameters of all its products; and
• institute an appropriate monitoring mechanism for setting scheme parameters in Finacle CBS.
The impact of such non-compliances might be reputational risk, which might lead to losing clients and business; the BDBL should therefore ensure strict compliance with regulations.

4.4. BDBL should establish problem management mechanisms

Effective problem management has the potential to reduce incidents, proactively prevent problems through trend analysis and identification of root causes, and provide permanent solutions to problems so that repeat occurrences are all but eliminated.
BDBL should maintain incident logs and perform analysis to find and resolve the underlying problems. The IT helpdesk could identify frequently occurring user-related incidents and resolve them either through training or through dissemination of user guides. In addition, root cause analysis should be performed and permanent solutions applied to the commonly occurring system-related incidents. This should also improve the productivity of IT helpdesk support through effective and timely resolution of problems.


CHAPTER 5: CONCLUSION
Recognising the role of BDBL in accelerating socio-economic development in the country and understanding the criticality of Finacle CBS in this, the Royal Audit Authority decided to carry out the IT audit of CBS in BDBL. The audit of CBS focused primarily on the accuracy and completeness of data migration, the effective incorporation of compliance requirements, and the adequacy and effectiveness of IT controls in Finacle CBS.
Finacle CBS is one of the most widely used core banking systems and is capable of bringing operational efficiencies and transformational change to the bank. With the implementation of Finacle CBS, BDBL now has a centralised database, thereby reducing the workload of the ICT Department in maintaining the system and enhancing efficiencies. Moreover, anytime, anywhere banking is possible as third party services and delivery channels can be easily integrated with Finacle CBS.
Notwithstanding the positive effects of Finacle CBS, the RAA observed several shortcomings and deficiencies that require further improvement. These lapses were largely caused by inadequate control over system migration. Inadequate and ineffective IT controls are the main cause of incorrect information generated by Finacle CBS. Weaknesses in supervisory and monitoring controls also appear to be one of the causes of non-compliance with RMA requirements.
While the RAA appreciates the prompt and immediate corrective actions taken by BDBL based on the draft report, the BDBL should seriously enforce the ICT Security Policy 2018 and the Finacle SOP 2018 in order to render the system effective and credible.
The RAA hopes that BDBL will make further improvements to the system and design and implement IT controls and mechanisms for efficient and effective business operations, considering that BDBL has spent time and effort on it and that Finacle CBS has the potential to bring transformational change to the bank.



APPENDIX
ANNEXURE
AIN: 15742

www.bhutanaudit.gov.bt
