IT Audit Checklist - Guidelines - ACV
Columns: Assessment Category | Assessment Items / Testing Procedures | Status | Findings
Access Control
- Review access control policies and procedures to ensure they are documented and regularly updated.
- Evaluate user account management processes, including account provisioning, deprovisioning, and role assignment.
- Test user authentication mechanisms, including password strength, complexity requirements, and multi-factor authentication.
- Verify the effectiveness of access controls through sample testing, including attempting unauthorized access to sensitive data and functions.
- Review access logs and audit trails to ensure they capture relevant information and are regularly monitored for suspicious activity.
System Availability
- Assess the resilience of the system architecture, including redundancy, failover mechanisms, and geographic distribution.
- Review system uptime and downtime records to identify any patterns of instability or prolonged outages.
- Test failover mechanisms and disaster recovery plans to ensure timely restoration of critical banking services.
- Evaluate capacity planning processes to ensure the system can handle peak transaction volumes without degradation in performance.
- Verify the effectiveness of load balancing mechanisms to distribute traffic evenly across servers and prevent overloading.
Transaction Processing
- Review transaction processing policies and procedures to ensure they are documented and consistently followed.
- Assess the accuracy and integrity of financial transactions through sample testing and reconciliation with external records.
- Test the system's ability to process various types of transactions (e.g., deposits, withdrawals, transfers) accurately and efficiently.
- Verify the implementation of audit trails to track changes to financial data and user activities.
- Review authorization controls to ensure that transactions are approved by authorized personnel based on predefined limits and criteria.
Compliance and Regulatory Requirements
- Review compliance with relevant banking regulations (e.g., BSP, AMLC) and industry standards (e.g., ISO 27001, NIST, COBIT).
- Assess the effectiveness of internal controls and governance structures to ensure regulatory compliance.
- Test the effectiveness of controls related to customer due diligence, anti-money laundering (AML), and know your customer (KYC) requirements.
Cybersecurity Controls
- Conduct vulnerability assessments and penetration testing to identify and remediate security vulnerabilities.
- Assess the effectiveness of antivirus software and endpoint security controls to mitigate malware threats.
- Test security configurations, patches, and updates to ensure they are applied in a timely manner and are consistent across systems.
- Review incident response plans and procedures to ensure timely and effective response to security incidents.

Third-Party Risk Management / Vendor Management
- Review contracts and service level agreements with third-party vendors to ensure they meet security and compliance standards.
- Assess the security posture of third-party systems and integrations that interact with the core banking system.
- Verify that third-party access to sensitive data and systems is appropriately restricted and monitored.
- Review the due diligence process for selecting and onboarding third-party vendors to assess their security and compliance capabilities.
- Test the effectiveness of controls related to vendor risk assessment, monitoring, and oversight.
Disaster Recovery and Business Continuity
- Test disaster recovery plans and procedures to ensure the timely restoration of critical banking services.
- Review business continuity plans to identify key processes and resources necessary to maintain operations during disruptions.
- Assess the adequacy of backup facilities and redundant infrastructure to support business continuity objectives.
- Verify that personnel are trained and equipped to execute disaster recovery and business continuity plans effectively.
- Review the testing and maintenance of disaster recovery and business continuity plans to ensure they remain current and effective.
Documentation and Change Management
- Review documentation of system configurations, architecture, and technical specifications.
- Assess change management processes to ensure that changes to the core banking system are properly authorized, tested, and documented.
- Verify the integrity of version control systems and release management procedures to prevent unauthorized changes.
- Test the effectiveness of change controls through sample testing, including reviewing change requests, approvals, and implementation records.
- Assess the availability and accessibility of documentation to authorized personnel, including system administrators, developers, and auditors.
IT AUDIT CHECKLIST

Columns: Assessment Category | SubCategory | Assessment Items / Testing Procedures | Status | Findings

Account Management
Test the core banking system's ability to create, modify, and close customer accounts. Ensure accurate processing of transactions like deposits, withdrawals, and transfers.

1. Account Creation / Maintenance
- Review account creation policies and procedures to ensure they are documented and adhere to regulatory requirements.
- Verify that appropriate customer due diligence (CDD) and know your customer (KYC) checks are performed during the account opening process.
- Test the accuracy and completeness of customer information collected during account creation.
- Assess the timeliness and accuracy of updates to customer account information, including changes in contact details, account preferences, and beneficiary details.
- Review the segregation of duties to prevent unauthorized individuals from creating or modifying accounts without proper authorization.

2. Access Control and Authorization
- Review access control policies and procedures to ensure they are documented and regularly updated.
- Evaluate role-based access controls (RBAC) to ensure that users are granted access to only the functionality and data necessary to perform their job functions.
- Test the effectiveness of access controls through sample testing, including attempting unauthorized access to sensitive account information and transactions.
- Verify that access permissions are reviewed and updated regularly based on changes in job roles or responsibilities.
- Assess the segregation of duties to prevent conflicts of interest and unauthorized access to sensitive functions, such as account approvals and fund transfers.

3. User Authentication
- Review user authentication mechanisms, including password policies, multi-factor authentication (MFA), and biometric authentication.
- Test the strength and complexity of user passwords to ensure they meet established security requirements.
- Verify the implementation of MFA for high-risk transactions or access to sensitive account information.
- Assess the effectiveness of account lockout mechanisms to prevent brute-force attacks and unauthorized access attempts.
- Review password reset procedures to ensure they follow a secure process for identity verification and authentication.

4. Account Termination and Deactivation
- Review account termination policies and procedures to ensure they are documented and consistently followed.
- Verify that accounts are deactivated promptly upon request from customers or due to inactivity or suspicious activity.
- Assess the completeness and accuracy of account closure processes, including the transfer of remaining balances and closure notifications to customers.
- Test the effectiveness of controls to prevent unauthorized reactivation of closed or deactivated accounts.
- Review the retention and disposal of customer account information to ensure compliance with data protection regulations and internal policies.

- Verify the system supports all offered account types (e.g., checking, savings, loans).
- Test if account features and restrictions are configured correctly for each type.
- Test various account transactions like deposits, withdrawals, transfers, and fees.

Loan Credit Management
Review the system's functionality for managing loan applications, approvals, disbursements, and repayments. Test calculations for interest rates and fees.

- Review loan origination policies and procedures to ensure they are documented and comply with regulatory requirements.
- Assess the adequacy of customer due diligence (CDD) and know your customer (KYC) checks performed during loan origination.
- Review the segregation of duties to prevent conflicts of interest and unauthorized access to sensitive loan origination functions.

2. Transaction Processing
- Verify the accuracy and completeness of loan data entered into the core banking system, including loan terms, interest rates, and repayment schedules.
- Test the effectiveness of controls to prevent unauthorized changes to loan data, such as interest rate adjustments or loan restructurings.
- Assess the timeliness and accuracy of loan servicing activities, including loan disbursements, repayments, and fee assessments.
- Review the reconciliation of loan accounts to ensure that balances and transactions are accurately recorded and reconciled with supporting documentation.
- Verify that loan disbursements are authorized according to approval workflows.

2.2 Repayment
- Test various loan repayment scenarios (e.g., full payment, regular installments).
- Verify accurate calculation of interest, principal, and late fees.
- Ensure integration with automated clearing houses (ACH) functions properly for electronic payments.
- Verify the system generates reports on loan performance and delinquencies.

3. Loan Restructuring and Collection
- Verify the system supports various loan restructuring options (e.g., repayment extensions, interest rate adjustments).
- Test proper authorization workflows for approving loan restructuring requests.
- Verify the system tracks delinquent loans and generates collection notices.
- Test functionality for assigning delinquent accounts to collection agents.
- Ensure clear audit trails document collection activities and communication with borrowers.

5. Credit Risk Management
- Test the effectiveness of controls to monitor and manage credit risk exposure, including concentration risk, industry exposure, and collateral valuation.
- Verify that appropriate credit risk assessment techniques are used to evaluate loan applications and determine creditworthiness.
- Test the accuracy and completeness of credit risk data maintained in the core banking system, including credit scores, risk ratings, and loss history.
- Assess the effectiveness of controls to mitigate credit risk, such as loan collateralization, credit enhancements, and loan covenants.
- Review credit risk monitoring and reporting processes to ensure timely identification and escalation of deteriorating credit quality.
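Several items in both tables (review of access logs and audit trails, sample testing of role-based access, effectiveness of account lockout, and segregation of duties between initiating and approving transfers) are normally sample-tested against an export of the audit trail rather than by interview alone. The script below is an added example of such a sample test; it is not part of the ACV checklist. The pipe-delimited log format, the role matrix, the lockout threshold, and every user and transaction ID in it are constructed assumptions standing in for the bank's own RBAC matrix, password policy and log export.

```python
"""Sample test of an audit trail export for three checklist items:
lockout after repeated failures, RBAC, and segregation of duties.
All data below is constructed for this example; the log format
(timestamp|user|role|event|detail) and role matrix are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # assumed policy: lock after 3 consecutive failures

# Assumed role matrix: business events each role may perform.
ROLE_PERMISSIONS = {
    "teller": {"TRANSFER_INITIATE"},
    "supervisor": {"TRANSFER_INITIATE", "TRANSFER_APPROVE", "RATE_ADJUST"},
    "operator": set(),
    "auditor": {"REPORT_VIEW"},
}
# Authentication events are system-generated, not governed by the role matrix.
AUTH_EVENTS = {"LOGIN_FAIL", "LOGIN_OK", "ACCOUNT_LOCKED"}

# Constructed sample audit trail (hypothetical users and transaction IDs).
SAMPLE_LOG = """\
2024-03-01T09:00:01|teller01|teller|LOGIN_FAIL|-
2024-03-01T09:00:05|teller01|teller|LOGIN_FAIL|-
2024-03-01T09:00:09|teller01|teller|LOGIN_FAIL|-
2024-03-01T09:00:21|teller01|teller|LOGIN_OK|-
2024-03-01T09:10:00|ops02|operator|LOGIN_FAIL|-
2024-03-01T09:10:04|ops02|operator|LOGIN_FAIL|-
2024-03-01T09:10:08|ops02|operator|LOGIN_FAIL|-
2024-03-01T09:10:09|ops02|operator|ACCOUNT_LOCKED|-
2024-03-01T10:00:00|teller01|teller|TRANSFER_INITIATE|TXN-100
2024-03-01T10:01:00|super01|supervisor|TRANSFER_APPROVE|TXN-100
2024-03-01T10:05:00|super01|supervisor|TRANSFER_INITIATE|TXN-101
2024-03-01T10:05:30|super01|supervisor|TRANSFER_APPROVE|TXN-101
2024-03-01T10:10:00|teller02|teller|TRANSFER_INITIATE|TXN-102
2024-03-01T10:11:00|teller01|teller|TRANSFER_APPROVE|TXN-102
2024-03-01T10:20:00|teller01|teller|RATE_ADJUST|LOAN-55
2024-03-01T10:30:00|audit01|auditor|REPORT_VIEW|-
"""


@dataclass
class Event:
    ts: str
    user: str
    role: str
    event: str
    detail: str


def parse_log(text):
    """Parse pipe-delimited lines into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, event, detail = line.split("|")
            events.append(Event(ts, user, role, event, detail))
    return events


def check_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Flag users who reach the failure threshold without an ACCOUNT_LOCKED
    event following it (log assumed chronological). A LOGIN_OK or any other
    event after the streak means the lockout control did not fire."""
    findings, streak = [], defaultdict(int)
    for ev in events:
        if ev.event == "LOGIN_FAIL":
            streak[ev.user] += 1
            continue
        if streak[ev.user] >= threshold and ev.event != "ACCOUNT_LOCKED":
            findings.append(f"{ev.user}: {streak[ev.user]} consecutive failed "
                            f"logins then {ev.event} at {ev.ts}, no lockout recorded")
        streak[ev.user] = 0
    return findings


def check_rbac(events, permissions=ROLE_PERMISSIONS):
    """Flag business events performed by a role the matrix does not allow."""
    return [f"{ev.user} ({ev.role}) performed {ev.event} on {ev.detail} at {ev.ts}"
            for ev in events
            if ev.event not in AUTH_EVENTS
            and ev.event not in permissions.get(ev.role, set())]


def check_segregation(events):
    """Flag transfers initiated and approved by the same user."""
    parties = defaultdict(dict)
    for ev in events:
        if ev.event == "TRANSFER_INITIATE":
            parties[ev.detail]["initiator"] = ev.user
        elif ev.event == "TRANSFER_APPROVE":
            parties[ev.detail]["approver"] = ev.user
    return [f"{txn}: initiated and approved by the same user {p['initiator']}"
            for txn, p in parties.items()
            if "initiator" in p and p["initiator"] == p.get("approver")]


def run_checks(text):
    """Run all three sample tests and return findings keyed by test name."""
    events = parse_log(text)
    return {"lockout": check_lockout(events),
            "rbac": check_rbac(events),
            "segregation": check_segregation(events)}


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On the constructed sample the lockout test yields one finding (teller01 logs in successfully after three failures, ops02 is correctly locked), the RBAC test yields two (a teller approving a transfer and adjusting a loan rate), and the segregation test yields one (super01 initiating and approving TXN-101). Note that the third finding is invisible to the RBAC test, since a supervisor is entitled to both actions; that is why the segregation check is a separate item in the checklist. Against a real export, the auditor replaces the role matrix and threshold with the bank's approved versions and records each finding against the corresponding checklist row.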