* Implementing controls: The first and most important safeguard is to implement controls. Controls in a computerised environment act as a check against frauds. Controls are broadly of five types: management controls, organisational controls, operational controls, environmental controls and application controls.
(i) Management controls are to be implemented at the bank management level. These include the establishment of a fraud-prevention policy framework, drafting of a sound security policy, establishing a policy for business continuity planning and disaster recovery management and establishing a framework for systems development methodology.
The security policy, which is a management statement, emphasises, inter alia, the safeguarding of the security of banks’ information systems.
In a computerised environment, if security is lost, all is lost. Specifically, banks have to address five important security-related issues, namely, confidentiality (making information available only to authorised users), integrity (information received in transmission appearing exactly as it was sent or stored), availability (information stored or transmitted over communication networks being available whenever required, to the extent desired, within specified time limits), authenticity (implementing systems for establishing the bona fides of parties in an electronic transaction) and non-repudiability (ensuring that the parties cannot deny authorising a transaction or deny sending/receiving messages over the Internet). The use of encryption and digital signatures can improve security in a computerised environment.
Security can also be strengthened at banks by implementing COBIT (Control Objectives for Information and related Technology), which has been developed by ISACA (Information Systems Audit and Control Association). ISACA is a recognised global leader in IT governance, control and assurance.
COBIT, which is a generally applicable and accepted standard for good IT security and control practices, provides a reference framework for management, users, Information Systems audit, control and security practitioners.
(ii) Organisational controls include the segregation of duties between programmers, operators, etc., so as to prevent breaches such as unauthorised or manipulated input.
Of the other three, operational and environmental controls check physical access to computer resources and the operating environment (control of air conditioning, humidity, etc.), while application controls are built into the application itself to check lapses (payment of excess interest on deposits, for example). By ensuring that such computer controls are in place, banks can keep computer fraudsters at bay.
Banks also have to identify the role of audit in strengthening computer-related security, and comply with the supervisory, regulatory and legal framework. Each of these important safeguards is discussed below.
* Identifying the role of audit in strengthening computer-related security: Audit has a major role to play in strengthening computer-related security in banks. Auditing in a computerised environment involves, among other things, the test-checking of controls to ensure that such controls are actually functional.
The Working Group to review the Internal Control and Inspection/Audit System in Banks (Jilani Committee), which was set up by the Reserve Bank of India (RBI), has outlined the scope of computer audit in checking data integrity, security and control measures such as system development/maintenance, data security/access and contingency planning. Security aspects such as the soundness of access controls and the system for generating exception reports should be part of the auditor’s checklist.
One major development in audit is the availability of general audit software such as Audit Command Language (ACL).
ACL is powerful auditing software that can be used for developing Computer Assisted Audit Tools, or CAATs. CAATs can be effectively employed by bank auditors in the investigation of frauds, as they make it possible to detect indicators of fraud while reviewing large transaction volumes. An important type of audit being employed at banks is Information Systems (IS) auditing. IS audit is a systematic process of objectively examining the information systems and their environment. The report of the RBI ‘Working Group for Information Systems Security for the Banking and Financial Sector’ on the ‘Information Systems Audit Policy, including Information Systems Security Guidelines’ discusses various aspects of IS audit, such as the objectives, approaches and methodology, as well as the skills IS auditors will need to possess.
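An added example, not part of the original article, of how the controls described above can be checked CAAT-style: it runs an application control for excess interest on deposits and the segregation-of-duties (maker/checker) rule over a batch of interest postings and produces an exception report of the kind the auditor's checklist calls for. It is illustrative code, not ACL or any bank's system; the rate table, the 365-day simple-interest convention, the sample postings and the user ids are all assumptions.

```python
from dataclasses import dataclass

# Constructed product rate table (assumption for the example): maximum
# contractual annual interest rate, in percent, per deposit scheme.
MAX_RATE_PCT = {"SAVINGS": 4.0, "TERM-1Y": 7.0}

@dataclass
class InterestPosting:
    txn_id: str
    scheme: str
    principal: float
    days: int
    interest_paid: float
    maker: str    # user who entered the posting
    checker: str  # user who authorised it

def interest_ceiling(principal, rate_pct, days):
    """Simple interest on a 365-day basis (convention assumed for the example)."""
    return round(principal * rate_pct / 100 * days / 365, 2)

def exception_report(postings, tolerance=0.05):
    """Return (txn_id, code, detail) for each posting that breaches a control:
    EXCESS_INTEREST - paid more than the scheme's contractual ceiling,
    MAKER_CHECKER   - same user entered and authorised the posting,
    UNKNOWN_SCHEME  - no rate on file, so the amount cannot be validated."""
    findings = []
    for p in postings:
        if p.scheme not in MAX_RATE_PCT:
            findings.append((p.txn_id, "UNKNOWN_SCHEME", p.scheme))
            continue
        ceiling = interest_ceiling(p.principal, MAX_RATE_PCT[p.scheme], p.days)
        if p.interest_paid > ceiling + tolerance:  # tolerance absorbs rounding only
            findings.append((p.txn_id, "EXCESS_INTEREST",
                             f"paid {p.interest_paid:.2f}, ceiling {ceiling:.2f}"))
        if p.maker == p.checker:
            findings.append((p.txn_id, "MAKER_CHECKER", p.maker))
    return findings

# Constructed sample postings; user ids and amounts are made up.
SAMPLE_POSTINGS = [
    InterestPosting("T001", "SAVINGS", 100000.0, 90, 986.30, "ops1", "sup1"),
    InterestPosting("T002", "TERM-1Y", 500000.0, 365, 40000.00, "ops2", "sup1"),
    InterestPosting("T003", "SAVINGS", 25000.0, 30, 82.19, "ops3", "ops3"),
    InterestPosting("T004", "FLEXI", 10000.0, 30, 50.00, "ops1", "sup2"),
]

if __name__ == "__main__":
    for txn_id, code, detail in exception_report(SAMPLE_POSTINGS):
        print(f"{txn_id}  {code:16s} {detail}")
```

In practice the rate table would be read from the product master and the postings from the core banking system's transaction file, so the report is reviewed rather than re-typed.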
* Establishing a culture of compliance within the supervisory, regulatory and legal framework: This is important for banks.
The instructions contained in the various circulars and guidelines issued by RBI, and those issued internally by the banks’ controlling offices, must be adhered to. In India, the Information Technology Act (2000) has been enacted to facilitate and set up a regulatory structure for the Internet and e-commerce, based on UNCITRAL (United Nations Commission on International Trade Law). This important Act provides a broad legal framework for individuals and institutions operating in a computerised environment in India. The Act deals with a range of issues, including digital signatures, electronic records and offences.
While the Information Technology Act does not specifically address cyber fraud, it defines computer-related offences such as tampering with computer source documents and hacking with a computer system, and prescribes punishment for them. The enactment of this Act can act as an effective deterrent against bank frauds.
The author is a faculty member and general manager at RBI’s Bankers Training College in Mumbai. The views expressed here are personal. The author can be reached at sganesh@rbi.org.in