The IS audit of a commercial bank evaluates the overall control mechanisms of the bank's Information and Communication Technology (ICT) systems to determine whether they produce timely, accurate, complete and reliable information in conformity with the management goals and objectives of the bank. The scope of this evaluation of the control mechanisms, i.e. the scope of the IS audit, is as follows:
(a) Evaluation of Information Technology General Control (ITGC)
(b) Evaluation of Core Banking System Application
(c) Evaluation of Network and Communication Control
(d) Evaluation of System Development/Procurement
Evaluation of Information Technology General Control (ITGC)
The evaluation of ITGC covers the following points:
i. Evaluation of ICT management control.
ii. Evaluation of ICT system administration control.
iii. Evaluation of ICT acquisition and change management control.
iv. Evaluation of ICT operational control.
v. Evaluation of ICT system logical access control.
vi. Evaluation of physical and environmental controls over ICT equipment, including servers and other hardware.
vii. Evaluation of business continuity planning control.
viii. Evaluation of controls over third-party service providers of ICT-based systems.
ix. Evaluation of ICT end-user computing control.
x. Evaluation of data integrity, security, non-repudiation and authenticity controls.
Evaluation of Core Banking System Application Control
The evaluation of core banking application controls covers the following points:
i. Evaluation of application security control.
ii. Evaluation of input control.
iii. Evaluation of business rules and processing control.
iv. Evaluation of application performance.
v. Evaluation of output control.
vi. Evaluation of exception handling control.
vii. Evaluation of master file and standing data control.
Evaluation of Network and Communication Control
i. Evaluation of general network control.
ii. Evaluation of performance and integrity control.
iii. Evaluation of remote access control.
iv. Evaluation of physical security control.
v. Evaluation of logical security control.
vi. Evaluation of overall network performance and recommendation of remedies.
Evaluation of System Development/Procurement
i. Evaluation of general control.
ii. Evaluation of planning control.
iii. Evaluation of design and development/procurement process control.
iv. Evaluation of implementation control.
v. Evaluation of maintenance control.
vi. Evaluation of post implementation review control.