The committee appointed by the apex bank, which has studied the matter, has classified the possible areas of audit interest in the Information System (IS) environment into 15 broad categories and prepared standardised checklists under each category to facilitate the conduct of computer audit.
The issues elaborated in the checklists would give a fair idea about areas that need to be controlled. These checklists would be only in the nature of guidelines and banks would be free to have more elaborate checklists to conduct IS audit suitable to the IT environment in which they operate and propose to operate, RBI said in its circular.
The seven-member Committee headed by AL Narasimhan, chief general manager-in-charge, Department of Banking Supervision, has classified the areas of risk in the IS environment into business strategy; long-term IT strategy; short-range IT plans; IS security policy; implementation of security policy; IS audit guidelines; acquisition and implementation of packaged software; development of software - in-house and outsourced; physical access controls; operating system controls; application systems controls; database controls; network management; maintenance; and internet banking.
While the benefits derived from this have been significant to the industry, this has also opened up a host of vulnerabilities, more so, on account of the special characteristics of banks/FIs as custodians of public money.
Operational risk, which includes the losses that may arise from failed systems or processes, is now an important topic of discussion in the new supervisory initiatives including the New Basel Accord.