Navigating IT Audit in Banking
“Ensuring Cyber Resilience and Compliance”
Dr Shan Sokhanvar (CRISC, CISM, ISO27001 LA)
Founder and CEO of Rezilens
1 - Let's break the ice and share our thoughts!
• What are your challenges in conducting IT audits?
• What do you expect to achieve in today's workshop?
• A scenario: what if a "phishing attack" targets your customers?
2 - Introduction to IT Audit in Financial Sector
• IT Audit is a systematic examination of organizations’ information technology
infrastructure, processes, and controls to ensure the confidentiality, integrity, and
availability of IS assets.
• It covers a broad range of areas, including cybersecurity, data management, software
applications, IT governance and infrastructure, compliance, integrity of financial data,
and effective risk management.
• "Financial Audits", by contrast, focus on financial-related processes, which include the examination
of financial statements, accounting policies, revenue, expenses, assets, etc.
3 - Types of IT Audits in Banking
Regulatory Compliance Audit
• A process ensuring that an organization adheres to laws, regulations, and the relevant industry standards.
• In banking, this involves compliance with regulations such as Basel III and GDPR, or the requirements of the Central Bank of Iran.
Operational Audit
• An examination of an organization's operations and processes to evaluate efficiency and effectiveness.
• In banking, it assesses the efficiency of IT operations, ensuring seamless transaction processing.
4 - Key Stages of IT Audit in Banking
Planning and Risk Assessment
Fieldwork and Testing
Analysis and Evaluation
Reporting
Follow-up and Continuous Monitoring
5 - Major Players
Board
Managers
Members
Auditors
6 – Roles and Responsibilities
Board of Directors
• Roles: Resource Allocation; Risk Oversight; Stakeholder Communication; Oversight
• Responsibilities: Review and Approval; Risk Management; Audit Committee Engagement; Compliance
Auditors (Internal/External)
• Roles: Independence and Objectivity; Risk Assessment; Compliance Review; Professional Development; Continuous Improvement
• Responsibilities: Audit Planning; Communication; Evidence Collection; Reporting
IT Managers & Leadership
• Roles: Implementation of Controls; Risk Management; Communication; Resource Management; Continuous Monitoring
• Responsibilities: Collaboration with Auditors; Corrective Actions; Incident Response; Training and Awareness
7 - Standards and frameworks for IT audits in Banks
• ISACA's ITAF is a comprehensive, good-practice-setting reference that provides guidance on the
design, conduct, and reporting of IT audit and assurance assignments.
• ISACA's COBIT helps banks align their IT goals with business objectives, ensuring effective governance
and control over information and technology.
• The Basel III Framework includes requirements related to risk management and capital adequacy. Banks
need to align their IT controls with Basel III standards.
• ISO/IEC 27001 provides banks with a framework to strengthen the security of their information assets.
• NIST CSF helps banks identify, protect against, detect, respond to, and recover from cyber threats.
• PCI DSS governs the handling of card transactions and the safeguarding of cardholder data through secure payment processing.
• Val IT™ provides guidance on assessing and improving the value delivered by IT investments.
• ITIL principles help banks assess and improve IT service delivery and support.
8 – An overview of ITAF
ITAF Standards
• Professional Standards: These standards emphasize the ethical conduct, independence, objectivity, and
professional competence required of IT assurance professionals.
• Performance Standards: These standards outline the responsibilities related to the performance of IT
assurance work.
• Reporting Standards: These standards deal with the communication of audit and assurance findings.
Key Aspects of ITAF Standards
• Adherence to Professional Ethics
• Continual Professional Development
• Quality Assurance
• Risk-Based Approach
• Evidence-Based Audit
9 – COBIT Vs. ITAF
Purpose and Focus
• COBIT 5:
- Focuses on governance and management of IT across the enterprise.
- Offers a holistic approach to value creation and alignment of IT with business objectives.
• ITAF:
- Concentrates on the assurance aspect of IT, guiding how IT audits should be performed.
- Emphasizes the standards, guidelines, and tools necessary for effective IT audit and assurance.
Components and Structure
• COBIT 5:
- Comprises five principles and seven enablers for effective IT governance and management.
- Includes processes with defined objectives, inputs, outputs, and activities.
• ITAF:
- Consists of a set of professional standards, guidelines, and tools and techniques for IT assurance.
- Focuses on the methodologies and practices for conducting IT assurance assignments.
Benefits and Outcomes
• COBIT 5:
- Helps organizations ensure effective use of IT, aligning it with business strategies and goals.
- Facilitates better risk management, resource optimization, and value delivery from IT investments.
• ITAF:
- Provides a standardized approach to IT auditing, enhancing the quality and effectiveness of assurance practices.
- Ensures that IT audit and assurance activities are conducted in a professional and ethical manner.
Application and Use
• COBIT 5:
- Used by IT managers, governance professionals, and business leaders.
- Applicable to organizations looking to align IT with business goals and manage IT-related risks.
• ITAF:
- Utilized by IT auditors and assurance professionals.
- Relevant for conducting IT audits, assessing IT controls, and providing assurance on IT systems and processes.
10 - Solutions and Tools for IT Audit
Type of tool: purpose or use (examples)
• General IT Audit: data analysis, compliance testing, risk assessment (ACL, IDEA, SAS)
• Security Assessment: vulnerability scanning, network security assessments (Nessus, Nmap, …)
• Compliance Management: ensuring compliance with standards and regulations (RSA Archer, ZenGRC, …)
• Database Auditing: monitoring and auditing database activities (MS SQL Server Audit)
• Network Monitoring: network traffic monitoring, protocol analysis, network anomalies (SolarWinds)
• Log Management & Analysis: collecting, monitoring, and analyzing logs from IT systems (Splunk, LogRhythm, …)
• Penetration Testing: simulating cyber attacks to assess system security (Burp Suite, OWASP …)
• Configuration Management: ensuring correct and consistent system configurations (Chef, Puppet, Ansible)
• Forensic Analysis: investigating cybersecurity incidents (EnCase, FTK, Autopsy)
• Cloud Security: monitoring and auditing cloud environments (CloudHealth, …)
• Risk Management Tools: risk assessment and management, prioritizing risks (RiskLens, Qualys)
• Business Continuity: ensuring business continuity and effective disaster recovery (Datto, Zerto, …)
11 - Audit Reporting Principles
A. Clarity and Accuracy
• Clear Communication: Reports should be written in clear, concise, and understandable language, avoiding
technical jargon where possible to ensure comprehension by all stakeholders.
• Accurate Information: The information presented in the report should be accurate and based on evidence
collected during the assurance activity.
B. Completeness
• Comprehensive Coverage: The report should cover all significant aspects of the assurance activity, including
objectives, scope, methodology, findings, conclusions, and recommendations.
• Inclusive of Relevant Information: All relevant facts and information that impact the report's findings and
conclusions should be included.
C. Timeliness
• Prompt Reporting: Reports should be delivered in a timely manner to ensure that the information is relevant and
can be acted upon promptly by the stakeholders.
D. Objectivity
• Impartial Presentation: Reports must present findings and conclusions objectively, without bias or influence
from external parties.
• Fact-Based Conclusions: Conclusions should be based on the evidence gathered and analysis conducted during
the assurance process.
E. Confidentiality
• Respecting Privacy: Reports should maintain the confidentiality of sensitive information unless disclosure is
required by law or regulation.
• Secure Distribution: Distribution of the report should be controlled, ensuring it is only accessed by authorized
individuals.
F. Recommendations and Follow-Up
• Actionable Recommendations: Where applicable, the report should provide practical and actionable
recommendations to address identified issues.
• Follow-Up Actions: The report may also suggest follow-up actions or subsequent reviews to ensure that
recommendations are implemented.
12 - A Sample IT Audit Report
Executive Summary
• Objective of Assurance Activity: To conduct a comprehensive IT audit of Bank XXXXX, focusing on cybersecurity,
compliance with financial regulations, and data integrity.
• Scope: The audit covered critical IT systems including online banking platforms, internal data processing systems,
customer data management, and compliance systems from XXX to XXX.
• Methodology: The audit was conducted in alignment with ITAF standards and included risk assessment, controls
evaluation, testing procedures, and interviews with key IT and compliance staff.
• Key Findings:
1. Cybersecurity Measures: High-standard security in place, especially in online banking services.
2. Gaps in Reporting Systems: Identified non-compliance issues in some financial reporting systems.
3. Integrity Concerns: Potential vulnerabilities in customer data management were detected.
• Recommendations:
1. Address compliance gaps in financial reporting systems.
2. Strengthen data integrity measures for customer data management.
3. Review and regularly update cybersecurity protocols.
Audit Scope and Methodology
• Scope: Included online banking platforms, internal data processing, compliance systems, and customer data management.
• Methodology: Based on ITAF standards, incorporating regulatory compliance checks, cybersecurity assessments,
Detailed Findings and Analysis
1- Cybersecurity:
• Finding: Advanced security measures in online banking platforms, including encryption and multi-factor authentication.
• Impact: Strong defense against cyber threats.
• Evidence:
• Penetration Test Results: No successful breaches in recent tests.
• Security Protocol Review: Encryption standards and authentication mechanisms comply with best practices.
2- Regulatory Compliance:
• Finding: Some financial reporting systems are not fully compliant with recent PCI-DSS guidelines.
• Impact: Risk of regulatory penalties and reputational damage.
• Evidence:
• Compliance Audit Reports: Discrepancies found in transaction reporting and customer due diligence processes.
• Regulatory Update Analysis: Systems have not been updated to align with the latest PCI DSS amendments.
3- Data Integrity:
• Finding: Vulnerabilities in customer data management, potentially impacting data accuracy.
• Impact: Risks to customer trust and data reliability.
• Evidence:
• Data Quality Review: Inconsistencies found in customer address data across different systems.
• System Integration Assessment: Lack of effective data synchronization between the CRM system and loan
processing application.
And …..
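The data integrity finding above (inconsistent customer address data across systems, and no effective synchronization between the CRM and the loan processing application) is exactly the kind of exception an auditor substantiates with the data-analysis tooling listed on slide 10. The following Python script is an added illustration of that reconciliation test; it is not part of the original deck, and it does not come from ACL, IDEA or any other tool named there. The two CSV extracts, the customer IDs, the names and the abbreviation table are constructed sample data, and the normalisation rules are an assumption about which cosmetic address differences should be tolerated before a record counts as an exception. The same comparison generalises to any two extracts that share a customer key.

```python
"""Reconcile customer master data held in two bank systems (CRM vs loan processing).

Added example for an IT audit working paper; all records below are constructed
sample data, not taken from any real bank.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed extract as it would be received from the CRM system.
CRM_EXTRACT = """customer_id,name,address,postcode
C001,Ali Rezaei,12 Valiasr St.,1234567890
C002,Sara Ahmadi,"45 Enghelab Ave, Unit 3",1111111111
C003,Reza Karimi,7 Azadi Blvd,2222222222
C004,Niloofar Moradi,99 Ferdowsi Sq,3333333333
C006,Maryam Hosseini,5 Jomhouri St,5555555555
"""

# Constructed extract as it would be received from the loan processing application.
LOAN_EXTRACT = """customer_id,name,address,postcode
C001,Ali Rezaei,12 VALIASR STREET,1234567890
C002,Sara Ahmadi,45 Enghelab Avenue Unit 3,1111111111
C003,Reza Karimi,17 Azadi Blvd,2222222222
C005,Hamid Jafari,3 Taleghani St.,4444444444
C006,Maryam Hosseini,5 Jomhouri St,5555555599
"""

# Assumed tolerance rules: abbreviations expanded so that purely cosmetic
# differences (case, punctuation, "St." vs "Street") are not reported as findings.
_ABBREVIATIONS = {"st": "street", "ave": "avenue", "blvd": "boulevard", "sq": "square"}


def normalise_address(addr: str) -> str:
    """Lower-case, drop punctuation, expand common abbreviations, collapse whitespace."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREVIATIONS.get(t, t) for t in tokens)


@dataclass
class ReconciliationResult:
    compared: int = 0                                   # keys present in both systems
    only_in_crm: list = field(default_factory=list)     # not synchronised to loan system
    only_in_loan: list = field(default_factory=list)    # not synchronised to CRM
    address_mismatch: list = field(default_factory=list)
    postcode_mismatch: list = field(default_factory=list)

    @property
    def exceptions(self) -> int:
        """Total number of records an auditor would raise as exceptions."""
        return (len(self.only_in_crm) + len(self.only_in_loan)
                + len(self.address_mismatch) + len(self.postcode_mismatch))


def load_extract(text: str) -> dict:
    """Parse a CSV extract into {customer_id: row}; quoted fields with commas are handled by csv."""
    return {row["customer_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(crm_text: str, loan_text: str) -> ReconciliationResult:
    """Compare the two extracts key by key and classify every discrepancy."""
    crm, loan = load_extract(crm_text), load_extract(loan_text)
    result = ReconciliationResult()
    result.only_in_crm = sorted(set(crm) - set(loan))
    result.only_in_loan = sorted(set(loan) - set(crm))
    common = sorted(set(crm) & set(loan))
    result.compared = len(common)
    for cid in common:
        if normalise_address(crm[cid]["address"]) != normalise_address(loan[cid]["address"]):
            result.address_mismatch.append(cid)
        if crm[cid]["postcode"].strip() != loan[cid]["postcode"].strip():
            result.postcode_mismatch.append(cid)
    return result


def summarize(result: ReconciliationResult) -> list:
    """Evidence lines for the working paper: one line per exception category."""
    def ids(items):
        return ", ".join(items) if items else "none"
    return [
        f"Customer keys present in both systems: {result.compared}",
        f"Only in CRM (not synchronised to loan system): {ids(result.only_in_crm)}",
        f"Only in loan system (not synchronised to CRM): {ids(result.only_in_loan)}",
        f"Address mismatches after normalisation: {ids(result.address_mismatch)}",
        f"Postcode mismatches: {ids(result.postcode_mismatch)}",
    ]


if __name__ == "__main__":
    outcome = reconcile(CRM_EXTRACT, LOAN_EXTRACT)
    for line in summarize(outcome):
        print(line)
    print(f"Total exceptions: {outcome.exceptions}")
```

On the constructed data the script reports C004 and C005 as unsynchronised, C003 as an address mismatch and C006 as a postcode mismatch, while C001 and C002 reconcile cleanly once abbreviations and case are normalised. Tightening or loosening the abbreviation table is an audit judgement: a looser rule hides genuine discrepancies, a stricter one floods the working paper with cosmetic ones, so the rule applied should be recorded alongside the evidence.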
Recommendations
1- For Cybersecurity:
• Regularly update and test security protocols to adapt to evolving cyber threats.
2- For Regulatory Compliance:
• Immediate update and alignment of reporting systems with PCI-DSS requirements.
• Conduct regular training for staff on compliance standards and updates.
3- For Data Integrity:
• Implement a robust data integrity framework, including regular audits and reconciliation processes.
• Upgrade system integration for seamless data flow and accuracy.
Conclusion
While XXXX demonstrates a strong commitment to cybersecurity, there are critical areas requiring attention, specifically in
regulatory compliance and data integrity. Addressing these areas will not only reduce the risk of regulatory penalties but also enhance overall
operational efficiency and customer trust.
Appendices
• Appendix A: Detailed Methodology and Test Results
• Appendix B: Compliance Standards and Regulations Overview
• Appendix C: Evidence and Supporting Documents
13 - Deep Insights Toward IT Audit
14 - Best Practices for Managing Audits
15 - IT Audit and the Principle of Three Lines of Defense
First Line: Operational Management
Second Line: Risk Management and Compliance Functions
Third Line: Internal Audit (Including IT Audit)
First Line: Operational Management
• Role and Responsibilities: Directly responsible for managing risks and controls within their operational areas; implement and maintain control measures; ensure day-to-day operational compliance with policies and procedures.
• IT Audit's Role in Context: Not directly involved, but IT Audit evaluates the effectiveness of these practices.
• Examples in IT Context: IT staff managing network security; system administrators maintaining data integrity; employees adhering to IT policies in daily operations.
Second Line: Risk Management and Compliance Functions
• Role and Responsibilities: Develops and enforces risk management frameworks and compliance programs; monitors operational performance and compliance with internal policies; advises on risk management and regulatory compliance.
• IT Audit's Role in Context: IT Audit assesses the adequacy and effectiveness of the second line's oversight.
• Examples in IT Context: IT risk management teams formulating risk strategies; compliance units ensuring IT practices align with legal regulations; IT governance bodies setting policies.
Third Line: Internal Audit (Including IT Audit)
• Role and Responsibilities: Provides independent and objective assurance; evaluates the effectiveness of risk management, control, and governance processes; reports to the highest levels of management and the board.
• IT Audit's Role in Context: IT Audit, as part of the third line, independently assesses the entire IT risk management and control environment.
• Examples in IT Context: IT auditors reviewing the entire IT infrastructure's security; independent evaluation of compliance with standards like ISO/IEC 27001; auditing IT disaster recovery plans and business continuity strategies.
16 - IT Audits Vs Assurance in Banking
Objective
• IT Audit: To evaluate compliance of IT systems with regulations and standards; assess security, effectiveness, and efficiency of IT controls.
• IT Assurance: To provide ongoing assurance that IT supports banking operations, strategic objectives, and compliance with regulations.
Scope & Activities
• IT Audit: Involves periodic evaluations of IT systems, controls, and operations; includes cybersecurity assessment, data integrity checks, and compliance audits.
• IT Assurance: Involves continuous monitoring and evaluation of IT performance, effectiveness, and strategic alignment.
Output
• IT Audit: Detailed audit reports identifying compliance levels, risks, weaknesses, and recommendations.
• IT Assurance: Regular reports and advisories for strategic IT decision-making and demonstrating effective IT management.
Nature
• IT Audit: Project-based, typically occurs at scheduled intervals or in response to specific issues.
• IT Assurance: Ongoing and proactive, focusing on future readiness and continuous improvement.
Focus Area
• IT Audit: Compliance, security, and operational effectiveness of IT systems.
• IT Assurance: Overall effectiveness of IT in supporting business goals and managing risks.
Professionals Involved
• IT Audit: IT auditors with expertise in banking regulations, cybersecurity, and risk management.
• IT Assurance: A broader range of IT professionals including IT risk managers, compliance officers, and governance specialists.
Regulatory Emphasis
• IT Audit: Heavy focus on adherence to banking regulations like Basel III, GDPR, and anti-money laundering directives.
• IT Assurance: While ensuring compliance, also focuses on aligning IT with evolving regulatory landscapes.
Strategic Alignment
• IT Audit: Less emphasis on aligning IT operations with strategic business goals; focus is more on control and compliance.
• IT Assurance: Strong emphasis on aligning IT initiatives with the bank's strategic objectives and long-term success.
Risk Management
• IT Audit: Identifies and assesses risks in specific IT operations and controls.
• IT Assurance: Involves broader risk management, considering IT's role in the overall risk posture of the bank.
17 - IT Audits Vs Due Diligence
Objective
• Due Diligence: To thoroughly evaluate a business or investment opportunity for risks and potential before a transaction.
• IT Audit: To assess the effectiveness, security, and compliance of IT systems and processes.
Scope & Activities
• Due Diligence: Comprehensive appraisal covering financial, legal, operational, and strategic aspects.
• IT Audit: Focused on evaluating IT infrastructure, security, data management, and IT governance practices.
Nature
• Due Diligence: Often conducted as part of a specific transaction or investment decision.
• IT Audit: Can be a periodic review, compliance check, or part of a broader IT governance process.
Output
• Due Diligence: A detailed report assessing risks, opportunities, and issues related to the transaction or investment.
• IT Audit: A report detailing the effectiveness, security, and compliance of IT systems, with recommendations for improvements.
Professionals Involved
• Due Diligence: Financial analysts, legal experts, market consultants, etc.
• IT Audit: IT auditors, cybersecurity experts, and compliance specialists.
Purpose & Focus
• Due Diligence: Broad, covering various aspects of the business or deal to inform decision-making.
• IT Audit: Focused on IT systems' compliance with internal policies and external regulations, and their alignment with business objectives.
Application
• Due Diligence: Pre-transaction, for evaluating business or investment decisions.
• IT Audit: Periodic or as needed, to ensure ongoing IT systems integrity and compliance.
Primary Use
• Due Diligence: Decision-making in business transactions (e.g., M&As, partnerships, investments).
• IT Audit: Ensuring the integrity, security, and efficiency of IT systems and processes within an organization.
18 - Central Banks' Responsibilities
Objectives
• IT Audit for Banks: Ensure security and integrity of IT systems; assess compliance with regulatory requirements; evaluate IT operations' efficiency and alignment with business goals.
• Central Bank's Responsibility: Establish and enforce IT-related regulations for banks; maintain stability and integrity of the banking system.
Focus Areas
• IT Audit for Banks: Cybersecurity and data protection; IT governance and risk management; regulatory compliance; business continuity and disaster recovery.
• Central Bank's Responsibility: Setting guidelines and standards for IT risk management and cybersecurity; data protection and digital banking standards.
Activities
• IT Audit for Banks: Reviewing and testing IT policies, procedures, and controls; auditing IT risk management strategies; compliance auditing with laws and standards.
• Central Bank's Responsibility: Monitoring banks' adherence to IT regulations; conducting sector-wide audits and inspections; crisis management and support.
Regulatory Compliance
• IT Audit for Banks: Ensuring adherence to standards set by the central bank and other regulatory bodies.
• Central Bank's Responsibility: Overseeing and ensuring that banks comply with the established IT standards and regulations.
Reporting and Accountability
• IT Audit for Banks: Reporting audit findings to internal management and possibly regulatory bodies, including the central bank.
• Central Bank's Responsibility: Receiving and reviewing reports from banks; taking action in case of non-compliance or risks.
Role in Crisis Management
• IT Audit for Banks: Implementing disaster recovery and business continuity plans specific to the bank.
• Central Bank's Responsibility: Coordinating systemic responses and providing guidance in IT crises affecting the banking sector.
Responsibilities of the Central Bank in Managing IT Audits, by aspect of oversight
• Setting Standards and Guidelines: Developing and issuing standardized IT audit frameworks and guidelines for banks to ensure a consistent and comprehensive approach to IT audits.
• Regulatory Compliance Monitoring: Regularly reviewing IT audit reports from banks to ensure compliance with the set IT audit standards and addressing any deviations or non-compliances.
• Risk Assessment and Management: Conducting sector-wide IT risk assessments to identify and address systemic risks, and ensuring banks have appropriate risk management strategies in place.
• Training and Capacity Building: Facilitating training programs and workshops for banks' IT auditors to enhance their skills and knowledge in line with the latest IT audit practices and technological developments.
• Collaboration and Communication: Maintaining open lines of communication with banks for guidance and support on IT audit matters and collaborating with other regulatory bodies for a unified approach.
• Regular Updates and Revisions: Periodically updating IT audit standards and guidelines to reflect changes in technology, emerging risks, and international best practices.
• Enforcement and Corrective Actions: Enforcing the implementation of IT audit standards and taking corrective actions in cases of non-compliance, including imposing penalties or requiring remedial measures.
• Incident Response and Crisis Management: Providing leadership and coordination in the event of major IT incidents or crises, ensuring that banks are prepared and have effective incident response plans.
• Audit Quality Assurance: Implementing a quality assurance process to evaluate the effectiveness and thoroughness of IT audits conducted by banks, ensuring they meet the prescribed standards.
19 - What the Central Bank Must Not Do!
Central Bank's limitations and their description
• Not Performing Detailed IT Audits of Individual Banks: Central banks generally do not conduct in-depth, hands-on IT audits for specific banks. This is usually the responsibility of the banks' internal audit teams or external auditors.
• Not Managing Operational IT: Central banks are not involved in the day-to-day IT operations and management of individual banks. Operational IT management is the responsibility of each bank's internal IT department.
• Not Designing Specific IT Systems/Solutions for Banks: It is not the role of central banks to design, develop, or implement specific IT systems or solutions for individual banking institutions.
• Avoiding Interference in Competitive Practices: Central banks should refrain from actions that might interfere with competitive dynamics in the banking sector, such as showing preferential treatment towards certain technologies or IT vendors.
• Not Handling Individual Banks' Customer Data: Central banks do not directly manage or handle the customer data of individual banks. Data management is the responsibility of each bank under the framework of privacy laws and regulations.
• Not Imposing Specific Solutions: A central bank pushing for specific IT solutions can lead to conflicts of interest and may not suit all banks' unique IT environments, potentially stifling innovation and customization.
The Next Step
To be Advised!
but
Loading …!
Ever Secure Ever Resilience
With Rezilens