IS Audit Checklist

The document outlines action items related to IT governance, policy, security, operations, auditing, business continuity planning, and outsourcing for an organization. Key actions include forming an IT strategy committee, defining roles and responsibilities, developing policies on information security, risk assessment, change management, backups and testing business continuity plans, and oversight of outsourced operations. The action items are intended to strengthen IT management and controls.

Uploaded by Surbhi

Action Items

Document Data
Document Title: Action Items
Date of Release: 11/29/2019
Document Owner:
Document Author:
Version No.: 1.0
Document Classification: Confidential
Department:

Sections
1. IT Governance
2. IT Policy
3. Information Security
4. IT Operations
5. IS Audit
6. Business Continuity Planning
7. IT Services Outsourcing

Actions
1.1 IT Strategy Committee
Identify IT strategy committee members
Formally designate the roles for CTO & CIO (CTO & CIO can be the same person) and assign members
Form IT Strategy Committee
The Chairman of the committee shall be an independent director, and the CTO & CIO should be part of the committee
Plan an IT Strategy Committee meeting to communicate IT strategy to all stakeholders

Record minutes of the meeting and action items and communicate them to all the stakeholders

The IT Strategy Committee should meet at an appropriate frequency, but not more than six months should elapse between two meetings
1.2 Roles and Responsibilities
Roles and Responsibilities of the IT Strategy Committee
IT policy in line with the objectives of the organization
Roles and Responsibilities of senior executives to ensure implementation of the IT policy
Periodic assessment of IT training
IPv6 platform migration
3.1 IS Policy
Identification and classification of information asset
Segregation of functions
Role based Access Control
Personnel Security
Physical Security
Maker-Checker
Incident Management
Trails
Public Key Infrastructure
3.2 Cyber Security
Board approved cyber security policy
3.3 Vulnerability Management
A strategy for managing and eliminating vulnerabilities; such a strategy may be clearly communicated in the Cyber Security policy

3.4 Cyber Security Preparedness Indicator
Development of indicators to assess the level of risk/preparedness
Indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals.
3.5 Cyber Crisis Management Plan
Board approved cyber crisis management plan/strategy
CCMP should address the following four aspects:
i. Detection
ii. Response
iii. Recovery
iv. Containment

3.6 Sharing of information on cyber security incidents with RBI
Report all types of unusual security incidents
3.7 Cyber Security awareness among stakeholders/Top Management/Board
High level of awareness among staff at all levels
3.8 Digital Signature
Use digital signatures to protect the authenticity and integrity of important electronic documents and also for high value fund transfers.
3.9 IT Risk Assessment
Conduct Risk Assessment of IT systems at least on a yearly basis
Identify risks and determine the appropriate levels of controls necessary to mitigate them
The risk assessment should be brought to the notice of the Chief Risk Officer (CRO), the CIO and the Board of the HFC, and should serve as an input for Information Security auditors

3.10 Mobile Financial Services
Mechanism for safeguarding information assets that are used by mobile applications to provide services to customers
3.11 Social Media Risk
HFCs using social media to market their products should be well equipped to handle social media risks and threats
3.12 Training
Periodically update the training and information security awareness programme
Mechanism to track the effectiveness of training programmes through an assessment / testing process
Maintain an updated status on user training and awareness relating to information security
4.1 Acquisition and development of Information Systems (new application software) and change management
Identify system deficiencies and defects at the system design, development and testing phases
Establish a steering committee, consisting of business owners, the development team and other stakeholders, to provide oversight and monitoring of the progress of the project, including deliverables to be realized at each phase of the project and milestones to be reached according to the project timetable

4.2 Change Management
Board approved change management policy
4.3 IT Enabled Information Management System
4.4 MIS reports
A dashboard for the Top Management summarising financial position
System enabled identification and classification of Special Mention Accounts and NPA

The MIS should facilitate pricing of products, especially large ticket loans
The MIS should capture regulatory requirements and their compliance
Financial reports
Reports relating to treasury operations
Capacity and performance analysis of IT security systems
Fraud Analysis
Incident reporting, their impact and steps taken for non-recurrence of such events in the future
4.5 MIS for supervisory requirements
“Read Only” access to be provided to RBI Inspectors
5.1 IS Audit should form an integral part of Internal Audit system of the HFC
IS Audit framework - refer to guidance issued by professional bodies like ISACA, IIA and ICAI in this regard
IS Audit framework should be approved by the Board
Adequately skilled personnel in the Audit Committee who can understand the results of the IS Audit
5.2 Coverage
Effectiveness of policy and oversight of IT systems
Evaluating adequacy of processes and internal controls
Recommend corrective action to address deficiencies and follow-up
Evaluate the effectiveness of business continuity planning and disaster recovery set-up, and ensure that the BCP is effectively implemented in the organization
Compliance of all the applicable legal and statutory requirements
5.3 Personnel
IS Audit may be conducted by an internal team of the HFC
In case of engagement of external professional service providers, independence and accountability issues may be properly addressed
5.4 Periodicity
The periodicity of IS audit should ideally be based on the size and operations of the HFC, but it may be conducted at least once in a year
5.5 Reporting
The framework should clearly prescribe the reporting framework, whether to the Board or a Committee of the Board, viz. the Audit Committee of the Board (ACB)
5.6 Compliance
Management is responsible for deciding the appropriate action to be taken in response to observations and recommendations reported during the IS Audit
5.7 Computer Assisted Audit Techniques
Mix of manual techniques and CAATs for conducting IS Audit
6.1 Business Impact Analysis
Identify critical business verticals, locations and shared resources to come up with a detailed Business Impact Analysis
The entity shall clearly list the business impact areas in order of priority
6.2 Recovery Strategy/Contingency Plan
The BCP should come up with the probabilities of various failure scenarios
Evaluation of various options should be done for recovery, and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster

6.3 Backup sites
Consider the need to put in place necessary backup sites for critical business systems and data centres
6.4 BCP tests
Conduct BCP tests either annually or when significant IT or business changes occur
The test should be based on ‘worst case scenarios’
The results along with the gap analysis may be placed before the CIO and the Board
7.1 The contractual agreement
Monitoring and oversight of the service provider
Access to books and records / Audit and Inspection
For technology outsourcing, requisite audit trails and logs for administrative activities should be retained and accessible to the HFC based on approved requests
Provide the HFC with the right to conduct audits on the service provider, whether by its internal or external auditors
The contractual agreement may include clauses to allow the Reserve Bank of India, or persons authorized by it, to access the HFC’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider within a reasonable time

7.2 Outsourcing operations
The Board of Directors of HFCs is responsible for effective due diligence, oversight and management of outsourcing, and for accountability for all outsourcing decisions
7.3 Role of IT Strategy Committee
Governance mechanism
Approval authorities for outsourcing depending on the nature of risks and materiality of outsourcing
Risk management policies and procedures
Undertaking a periodic review of outsourcing strategies and all existing material outsourcing arrangements
Evaluating the risks and materiality of all prospective outsourcing based on the framework developed by the Board
Periodically reviewing the effectiveness of policies and procedures
Communicating significant risks in outsourcing to the HFC’s Board on a periodic basis
Ensuring an independent review and audit in accordance with approved policies and procedures
Ensuring that contingency plans have been developed and tested adequately
Ensuring that business continuity preparedness is not adversely compromised on account of outsourcing
Tracking columns for each action: Action | Owner | Implementation Status | Comments
