
The Gopalganj Central Co-operative Bank Ltd - Gopalganj: Number of ATM attached to the branch: One

This document summarizes an IS audit conducted at the JALALPUR branch of the Gopalganj Central Co-operative Bank Ltd. The audit found some issues of non-compliance with hardware and network security policies, including a lack of preventative maintenance records, non-secured UPS and server rooms, and additional unauthorized network points. However, the branch was generally compliant with user access management policies and maintained proper user ID registers. The auditor instructed the branch to rectify all issues within 30 days.

Uploaded by RUPESH KEDIA

IS-Audit/Branch_01

The Gopalganj Central Co-operative Bank Ltd. Gopalganj

IS AUDIT – CBS BRANCH
Name of the Branch : JALALPUR

Information System (IS) Audit Cell, Head Office, Bihar State Cooperative Bank Ltd. Patna-4
RBI Code:

Name & Designation of Branch Head: Prashant Kr. Arya (B.I.)

Number of ATM attached to the Branch: One (1)

Date of IS Audit : From: To

Name & Designation of Auditor(s): ANJAN BISWAS (PARTNER)

Instructions for Auditor
1. Checklist must be filled by the Auditor
2. The Checklist covers major areas of focus for IS Auditors. However, these are only indicative of the processes and controls involved therein and the IS Auditors should refer to the Bank’s instructions, issued from time to time for guidance.
3. Auditor to ensure completion of report in all respect including signatures of all concerned.
4. One Copy of the report should be immediately forwarded to IS Audit Cell, inspection dept., Head Office,

Instructions for Branch
1. Branch to ensure SPOT RECTIFICATION of maximum irregularities pointed by the Auditor during his stay.
2. Branch should ensure rectification of all irregularities within 30 days from the date of Audit.


1. Compliance of Previous Audits
Sl. No.   Irregularity   Yes/No

1. INFORMATION SYSTEM (IS) AUDIT Report is rectified and closed?
    If no, provide details of pending irregularities:

2. Maintenance of Hardware
Sl. No.   Irregularity

1. Whether adequate number of PCs/nodes are available?
    Yes/No: Yes
    Sr no   Pcs/nodes (Nos)   Remarks
    1. Pcs
    2. scanner
    3. printer
    4. Note counting machine
    If no, provide details thereof:
2. Does branch maintain an inventory of all Hardware & Software items?
    Yes/No: No
    Remarks: Only Hardware Inventory has been maintained by the branch
    If no, provide details/reasons thereof:
3. Does the HW entries of Inventory Register tally physically with the HW present in the branch?
    Yes/No: Yes
    If no, provide details of discrepancies & reasons thereof:
4. Has the branch labelled the HW with unique inventory number
    Yes/No: Yes
    If no, provide details/reasons thereof:
5. Whether Post Delivery Inspection of the Hardware delivered during last 12 months has been done by Regional Office?
    Yes/No: Yes
    Remarks: But no Inspection record maintained at branch.
    If no, then provide details thereof:
7. Whether any old systems are lying unutilised at the branch?
    Yes/No: Yes
    If yes, provide details thereof:
8. Whether record of AMC / Warranty of HW items along with contact numbers of the concerned vendor is maintained at the branch?
    Yes/No: Yes
    Remarks: Such record maintained at HO level. The Bank has AMC for ATM only.
9. If the AMC of HW is not in force, whether the branch has intimated the same to RITC.
    Yes/No: Yes
    Remarks: No such information / record provided.
    If no, then provide details/reasons thereof:
10. Whether preventive maintenance of branch Hardware is done by the vendor?
    Yes/No: Yes
    Remarks: There is no such arrangement for preventive maintenance of Hardware.
11. Whether the replacement spares are completely accounted by the support/service engineer as per the AMC arrangement?
    Yes/No: Yes
    Remarks: The AMC arrangement is only for ATM machine. The vendor has to replace spares without any charges except some parts (i.e., lock of ATM if password forgotten)
12. Whether branch has made any payment for replacement of any spares (other than parts not considered for free replacement in warranty / AMC agreement) for the system under AMC / Warranty?
    Yes/No: Yes
    If yes, provide complete details thereof:
13. Are Call-reports maintained for all faults, preventive and corrective measures for Hardware and Software items?
    Yes/No: Yes
    Remarks: No such reports available
14. Whether the IT related invoices, delivery challans, Site Visit Reports (SVRs), installation reports, preventive maintenance reports etc. are properly maintained & filed?
    Yes/No: Yes
15. Whether the Vendor complaint register is maintained properly with call entries and details of attendance and redress of complaints?
    Yes/No: Yes
    Remarks: No Such register maintained
    If no, provide details/reason thereof:
16. Whether any desktop/printer is taken on rent?
    Yes/No: No
17. On returning of rented desktop after branch use, whether the data has been wiped out?
    Remarks: No desktop has been taken on Rent during the period under Audit.

Compliance to PC & Laptop Policy
18. Whether any un-authorised/unlicensed Software has been installed? If Yes, give details:
    S. No   Software   Used for   No of Machines
    1. MS office: Word processing, data analysis, create and deliver presentation
    2. Adobe Acrobat DC: viewing, printing, signing, sharing, and annotating PDFs
    3.
19. Whether Branch has recording details of Desktop / Laptop taken out of the branch inventory register?
    Yes/No: Yes
    Remarks: No such Register maintained

3. UPS / Network / Server Room
Sl. No.   Irregularity   Yes/No

20. Whether third party personnel are always accompanied by the Bank staff, in case of access to other systems?
    Yes/No: No
    Remarks: The Bank staff has not been issued such instruction.
21. Whether the Branch has structured LAN cabling with data cables in wiring closet physically labelled?
    Yes/No: Yes
    Remarks: Satisfactory
22. Whether Networking equipments are placed in the air conditioned environment?
    Yes/No: No
23. Whether UPS / Network room location is secured? (Away from entrance, customer area etc.)
    Yes/No: Yes
24. Whether UPS Cabin has sufficient ventilation to take care of acid fumes / heat emission?
    Yes/No: Yes
25. Whether any other electrical equipment like tubes, fans etc. are connected to UPS
    Yes/No: No
    If Yes, provide details/reasons thereof:
26. Whether the electrical power for critical equipments like PC, Communication rack, CCTV camera and console etc. is routed through UPS?
    Yes/No: Yes
    If no, provide details/reasons thereof:
27. Whether old record, computer stationery and other combustible items are kept in the UPS / Network room
    Yes/No: No
    If yes, then provide details/reasons thereof:
28. Whether additional/extra network point is provided in the customer area of ATM Room / branch banking hall which can be easily accessed?
    Yes/No: No
    If Yes, provide details/reasons thereof:
29. Whether Terminal/nodes are switched off when not in use?
    Yes/No: Yes
    If no, provide details/reasons thereof:
30. Whether Routers/Switches/Modems are securely installed in racks, having locking arrangements?
    Yes/No: Yes
    If no, provide details/reasons thereof:
4. Logical Access Management
Sl. No.   Irregularity   Yes/No

31. Whether users, listed in the “Log Report of Users having Login Access If no then, provide following details (Use additional Sheet if required)
    Yes/No: Yes
    Sr No   Name   User Type   Capability level (Ideal / Assigned)   User ID   Emp. code   In UPM   Reason for Mismatch
32. Whether records are available in User-Id register with proper authentication regarding addition / creation / activation / change / updation / disablement of User-Ids?
    Yes/No: Yes
    Remarks: User-Id register provided for verification.
    If no, provide details/reasons thereof:
33. Whether full list of users generated from the ‘Finacle’ tally with the list of users contained in the User-ID register of the Branch?
    Yes/No: Yes
    Remarks: Satisfactory.
    If no, provide details of such users:
34. Whether “Sign-on Re-set request” with signature of the concerned user, time and date are properly recorded.
    Yes/No: No
    Remarks: Recorded Properly.
35. Is access appropriately changed on a timely basis when employee is transferred / on leave / retired / terminated?
    Yes/No: Yes
    Remarks: Properly done.
    If no, provide details/reasons thereof:
36. Login Branch details of the staff employee of the branch in Finacle is the same as current branch?
    Yes/No: Yes
    Remarks: Satisfactory
37. Whether any instance of successful transaction / logins using Finacle user-id of the employee who was/is on leave observed?
    Yes/No: No
    Remarks: No such event found.
    If yes, provide details thereof:
38. Whether any instance of transaction/login in Finacle by any employee, when the branch was closed / on a holiday? (Check Randomly for such logins on holidays / Sundays)
    Yes/No: No
    Remarks: No such event found.
    If Yes, provide details/reasons thereof:
39. Whether any User/Operator has been provided with the privilege of higher level?
    Yes/No: No
    If yes, provide details thereof:
40. Whether MULTIPLE IDs are being used by any user?
    Yes/No: No
    If yes, provide details thereof:

5. Incident Management
Sl. No.   Irregularity   Yes/No

41. Whether any PC was reported infected with virus in the past? If yes, provide issue reporting/action taken details.
    Yes/No: No
    Remarks: No such information or record available.
    S. No   Date   Nature   Action Taken
42. Whether any instance of theft of any IT hardware item has been noticed? If yes, provide issue reporting/action taken details
    Yes/No: No
    Remarks: No such information or record available.
    S. No   Date   Nature   Action Taken
43. Whether any repeated instance of failure/crash of IT/network equipments? If yes, provide issue reporting/action taken details
    Yes/No: No
    Remarks: No such information or record available.
    S. No   Date   Nature   Action Taken
44. Whether any instance of power failure and subsequent loss of business critical data? If yes, provide issue reporting/action taken details
    Yes/No: No
    Remarks: No such information or record available.
    S. No   Date   Nature   Action Taken
45. Whether any instance of Unavailability of IT resources, which has resulted in business loss? If yes, provide issue reporting/action taken details.
    Yes/No: No
    Remarks: No such information or record available.
    S. No   Date   Nature   Action Taken
46. Whether any major breakdown / delay in replacing IT equipment has affected branch operations? If yes, reasons thereof along with the action taken.
    Yes/No: No
    Remarks: No such information or record available.
    S. No   Date   Nature   Action Taken
47. Whether Incident management register is maintained by the branch?
    Yes/No: Yes
    Remarks: No Such Register maintained by the Branch or HO

6. Communications and Operation Management
Sl. No.   Irregularity

48. Whether Help Desk, CBS Information site, Bank’s circular site etc. are accessible at all the nodes?
    Yes/No: Yes
49. Whether operators put their initial on vouchers for having entered the same?
    Yes/No: Yes
    Remarks: Satisfactory
50. Whether officers manually initial the vouchers / transactions which they authorise on screen?
    Yes/No: Yes
    Remarks: Satisfactory
51. Is system generated Queue numbers noted on the vouchers by the persons entering the same?
    Yes/No: Yes
    Remarks: Satisfactory
52. Whether system generated Journal numbers is noted on the vouchers by the persons authorising the same?
    Yes/No: Yes
    Remarks: Properly done
53. Whether any Failed batches exist for more than One-day?
    Yes/No: No
    Remarks: No such instance observed.
    If Yes, submit details thereof:
54. Whether Physical cash is being verified at the time of EOD under proper record?
    Yes/No: Yes
    Remarks: Verified.
    If no, submit details thereof:
55. Does the Branch maintain updated “Down-time” register for: PCs & Network?
    Yes/No: No
    Remarks: No such register maintained
56. Whether Physical cash is tallied with CGL Cash & BGL Cash?
    Yes/No: Yes
    Remarks: Tallied
    If no, submit details thereof:
57. Whether Proxy Account of the Branch is Zero?
    Yes/No: Yes
    If no, submit details thereof:
58. Whether Suspense Account: BC/DD to be issued is Zero?
    Yes/No: Yes
    If no, submit details thereof:

7. Environment Controls
Sl. No.   Irregularity

Legal Risk
59. Whether records in electronic and paper based format are preserved and secured?
    Yes/No: Yes
60. Whether the Branch is in a position to furnish the historical data of a customer for legal purposes at times of need?
    Yes/No: Yes

Organisation Risk
61. Whether Proper Office order has been issued for assigning properly defined and segregated job responsibilities?
    Yes/No: No
62. Whether all the Staff of the branch have working knowledge of the CBS Software?
    Yes/No: Yes
    If no, provide details of employees not having working knowledge of CBS software:
63. Whether the staff is aware of:
    a) Maintaining absolute secrecy of password.
    b) IT/Email/PC Policy of the bank
    c) Fire drills
    d) BCP
    e) DR Preparedness in case of system/network not available
    Yes/No: Yes
    Remarks: The Bank should arrange awareness program or training

Environmental Security
64. Does the branch keep the computer systems clean and dust free?
    Yes/No: Yes

Electrical Lines
65. Whether the Electrical wiring is concealed and is not hanging from ceilings or nodes?
    Yes/No: Yes
    If No, provide details/reason thereof:
66. Whether any network equipment is placed outside network room / mounted racks without lock and key?
    Yes/No: No
    If Yes, provide details/reason thereof:
67. Whether any work desk has been provided inside the network room?
    Yes/No: No

Data Cabling & Connectivity
68. Are Redundant communication lines like ISDN (for leased line connectivity) / RF (for VSAT connectivity) provided in the Branch?
    Yes/No: Yes
69. Does the connectivity automatically switch over to ISDN / RF in case of Leased Line / VSAT link failure?
    Yes/No: Yes

Fire Protection
70. Are the Fire-extinguishers fitted at strategic points viz. server room and UPS room?
    Yes/No: No
    Remarks: Serious Irregularity, need immediate action
    If No, provide details/reason thereof:
71. Are the Branch personnel aware of the fire extinguisher usage procedures?
    Yes/No: No
    Remarks: Not Applicable
72. Whether mock fire drill is being carried out?
    Yes/No: No
    Remarks: Not Applicable
    Date of last drill conducted:
    If No, provide details/reason thereof:
73. Is the refilling of fire extinguishers done before the expiry date?
    Yes/No: No
    Remarks: Not Applicable
    Last Refilling valid upto:
    If No, provide details/reason thereof:

Video Surveillance
74. Whether the surveillance camera installed cover the entire branch operational area including critical area of operation like Strong room etc?
    Yes/No: Yes
    Remarks: The Bank has installed ….. CC TV Camera, which cover all critical area.
75. Whether the access to CCTV console operation is password protected?
    Yes/No: Yes
76. Whether a backup of CCTV recordings is taken on a regular basis?
    Yes/No: No
    Remarks: Backup should be taken at regular interval.
77. Whether backup of the CCTV recordings has been restored & tested?
    Yes/No: No
    Remarks: No Backup taken
78. Whether Branch Head knows about the operation of console?
    Yes/No: Yes
79. Whether Branch Head can continuously monitor CCTV Console?
    Yes/No: Yes
    Remarks: Satisfactory
80. Whether the backup capacity of the CCTV DVR system is 90 days?
    Yes/No: No
    Remarks: CCTV DVR is of…….TB Memory sufficient to take backup for 90 days

8. IT Operations Risk
Sl. No.   Irregularity

Systems Security
81. Whether access to external devices (CD/DVD/USB etc) has been blocked?
    Yes/No: Yes
    If No, provide details/reason thereof:
82. Whether remote login is blocked in all PCs?
    Yes/No: No
    If No, provide details/reason thereof:
83. Are any unnecessary shared drives/folders present in the server?
    Yes/No: No
    Remarks: On Test check we found unnecessary folder.
84. Is the Screen saver set with password option in server and nodes?
    Yes/No: Yes
85. Are the Screen savers provided by Microsoft / DIT only used?
    Yes/No: Yes
86. IP Messaging, Foxpro, MS Office, Other applications relating to clearing etc do not exist in server
    Yes/No: Yes
    If No, provide details/reason thereof:
87. Wherever use of USB port is required, whether the consent of Regional Office is obtained before requesting CBS PO for opening of port?
    Yes/No: Yes
    Remarks: Access to external device has not been blocked

Anti Virus
88. Whether latest Anti-Virus approved by Bank is loaded on all PCs on CBS Network?
    Yes/No: Yes
    Remarks: On Test check we found some PC are operating without Antivirus or expired Antivirus
    If No, provide details/reason thereof:

Risk of Manual Interventions in the process of transactions
89. Whether all modules required for smooth functioning of the branch are functional? If not, mention the unimplemented modules with reasons for non-implementation.
    Yes/No: Yes
    S. No   Software Module/Functionality   Reason for Non Implementation
90. Whether Software module processes require manual intervention?
    Yes/No: No
    Remarks: Inter branch reconciliation, NPA Provisioning, Overdue Intt Provision, Investment Income require manual intervention
    If Yes, provide details/reason thereof
91. Does the Branch ensure alternate controls in case of processes requiring manual intervention?
    Yes/No: Yes
    Remarks: Maker and Checker are different persons
    If No, provide details/reason thereof:
92. Is the Issue of Demand Drafts / Bankers Cheque / Inter Office Instrument mechanised?
    Yes/No: Yes
    Remarks: Satisfactory
93. Is the issue of Term Deposit Receipts mechanised?
    Yes/No: Yes
    Remarks: Properly issued with all particulars

Uninterrupted Power Supply
94. Whether the branch is having a dedicated earthing for computer equipments?
    Yes/No: Yes
95. Whether the Preventive maintenance of UPS is carried out by the vendors as per the contract?
    Yes/No: Yes
    Remarks: No such arrangement with any vendor
96. Whether backup from UPS is sufficient?
    Yes/No: Yes
97. Whether DG set is provided in the event of extended power outage?
    Yes/No: Yes
98. Whether the generator is having adequate capacity to handle UPS load?
    Yes/No: Yes
    If No, provide details/reason thereof:

Logical Security & Access Control
99. Do the Users log-out of the application / client before leaving the seat?
    Yes/No: Yes

Internet
100. Whether external modem, data cards, etc are being used in the branch to access Internet.
    Yes/No: No
    Remarks: Satisfactory
    If Yes, provide details/reason thereof:
101. If Internet connection is available in the branch then whether the same is isolated from the CBS network?
    Yes/No: Yes
    Remarks: Satisfactory
    If No, provide details/reason thereof:
102. No confidential/sensitive information is stored in the Internet PC.
    Yes/No: No
    Remarks: Satisfactory
103. Are incoming e-mails checked regularly?
    Yes/No: Yes

Scanning and Uploading of Signatures
104. Does the branch have any pending signature for Scanning?
    Yes/No: Yes
    If Yes, provide details/reason thereof:
105. Do the uploaded signatures show the proper image? (Check Randomly)
    Yes/No: Yes
    If No, provide details/reason thereof:
106. Are the scanned images linked to accounts properly? (Check Randomly)
    Yes/No: Yes
    If No, provide details/reason thereof:
107. Linking/uploading of signatures and authorisation of uploaded signatures are performed by two different persons?
    Yes/No: Yes

9. Product / Service Risk
Sl. No.   Irregularity   Yes/No

RTGS/NEFT
108. User application forms for NEFT are obtained and filed securely?
    Yes/No: Yes
109. Before entering NEFT transactions, does the branch ascertain the IFSC code of the beneficiary branch and confirm that the branch is participating in NEFT?
    Yes/No: Yes
110. Initiation of transaction and Authorisation / Release of transaction are done by different users?
    Yes/No: Yes
111. Does the branch verify all the incoming & outgoing reports of various NEFT transactions daily?
    Yes/No: Yes
    If No, provide details/reason thereof:

Customer Service
112. Are there frequent customer complaints relating to IT/IS matters?
    Yes/No: No
    Remarks: No Such register or Information provided
    If Yes, provide details/reason thereof:
113. Are Customer complaints dealt with promptly and redressed?
    Yes/No: Yes
114. Does the Branch have implemented “Single Window” System?
    Yes/No: No
115. Whether customer centric facilities like printing of Passbook, Statement of accounts, TDR receipts, letter of thanks etc, are functioning properly?
    Yes/No: Yes
    If No, provide details/reason thereof:

10. Business Continuity Plan
Sl. No.   Irregularity

116. Whether Branch maintains record of all Important Telephone Numbers of various Vendors, RITC and CBS Project Office etc.?
    Yes/No: Yes
117. Whether ISDN line is in working condition in the branch?
    Yes/No: Yes
118. Whether ISDN bills are paid up-to-date?
    Yes/No: Yes
119. Is the branch aware of software feature of performing essential operations from other branch / office in case of link failures?
    Yes/No: Yes
120. Branch has proper procedures to tackle the computer related incidents efficiently and to maintain records.
    Yes/No: Yes
    Remarks: There is no such awareness or proper plan to tackle such situation
121. Adequate stock of computer consumables like computer stationery, printer ribbons, pre-printed stationery, etc., are held?
    Yes/No: Yes

11. Output Control
Sl. No.   Irregularity   Yes/No

Whether following reports are printed, checked by Authorised person & sequentially preserved?
122. Cash Transaction Report
    Yes/No: Yes
123. Clearing Inward & Outward
    Yes/No: Yes
124. Whether the responsibility of printing & checking of Exceptional Reports has properly been assigned by the Branch head through office order?
    Yes/No: Yes
    If No, provide details/reason thereof:

Are following reports printed, checked by Authorized Person & sequentially preserved on daily basis:
125. Exceptional Non-financial Transaction
    Yes/No: Yes
126. Exceptional Financial Transaction Report
    Yes/No: Yes
127. Log Report of Users with Login Access
    Yes/No: Yes

12. ATM Operations
Sl. No.   Irregularity   Yes/No

128. Does the branch keep the instant Cards / PIN Mailers for Internet Banking / ATM Debit Card safely under dual Custody and maintain proper record of their entry and issue to customers?
    Yes/No: Yes
    If No, provide details/reason thereof:
129. Are there any overdrawn balance in any account (SB/CA) due to ATM Card transactions?
    Yes/No: No
    If yes, provide details/reason thereof:
130. ATM Journal Print Log Prints are stored securely date wise (Applicable for ATM Link Branch)?
    Yes/No: Yes
    If No, provide details/reason thereof:
134. Applications for ATM cards are processed and preserved properly?
    Yes/No: Yes
135. Are there any long pending ATM card applications.
    Yes/No: No
    If Yes, provide details/reason thereof:
136. Are the ATM cards and PIN mailers kept separately in a secure manner?
    Yes/No: Yes
    If No, provide details/reason thereof:
137. ATM cards and PIN mailers are delivered to customers as per laid down procedures. (ATM cards and PINs are to be handled by two different Officers)?
    Yes/No: Yes
    If No, provide details/reason thereof:
138. Branch does not have personalised ATM cards pending delivery for a long time?
    Yes/No: No
139. Are the ATM cards collected from the customers before closure of the accounts?
    Yes/No: No
140. Does the branch properly follow the procedures laid down in respect of reported lost cards and expired cards?
    Yes/No: Yes
141. Are Card operations stopped in the case of ‘Frozen accounts’?
    Yes/No: Yes
142. Requests for re-issue for cards reported lost, damaged etc are dealt with promptly?
    Yes/No: Yes
    If No, provide details/reason thereof:
143. Requests for 'PIN reset' from customers are handled promptly?
    Yes/No: Yes
144. Appropriate charges are collected from customers for services like issue of Repin, Duplicate card etc?
    Yes/No: Yes
    If No, provide details/reason thereof:

Explanation of the branch, if it is classified under Very High / High Risk Category

Sl   Observations of Auditor / Points discussed   Comments of Department in-charge
1. Preventive measure for Hardware should be in Place.
2. Licensed software should be used.
3. Access to external device should be blocked
4. Fire Extinguisher Should be Installed
5. Incident Register should be maintained

Explanation from the IS Auditor, if no Exit Meeting is Conducted

Signature of Branch Head          Signature of IS Auditor

Date:
