3. Audit Requirements
This chapter outlines the audit requirements to be met by the implementation
team. They can be broadly categorized into two types: controls and documentation
of processes.
3.1 Controls
3.1.1 Controls during Software Installation
The following is the list of processes to be followed before the software
is installed on the main machine (the machine on which the bank will
carry on its daily operations):
- The plan for the installation should be distributed to all the concerned
people at the bank. This plan should explain how the software will be
put into operation. All these people should be notified regularly of
progress and changes in the plan.
- The procedure for logging errors should be established. It should
state the steps involved for recording and tracking errors.
- A hand-off note of the system should be given to the data center
operations.
- The procedure for handling contingencies should be documented. The
concerned staff should be aware of the reports that have to be used,
if the system is not available due to hardware or software problems.
- Training for the Data Center operators, users and the System Administrator
should be completed.
- All sign-offs should be completed.
3.1.2 Controls during database Set-Up
The database set-up should take place in a well-controlled environment.
The characteristics of this controlled environment are as follows:
- If the data is to be uploaded automatically, a written approval should
be obtained from the Manager - Operations. This approval should be obtained
on the basis of the Database Design document and Conversion Plan Document
prepared for this purpose. These documents should form the references
for post-upload checks. Spreadsheets and code translation tables used
for upload also have to be verified and approved. The automated upload
can be of two types: either the input is automated while the authorization
is manual, or both input and authorization are automated. In either case,
a Maintenance Control List or List of Data uploaded should be taken immediately
after the upload, and it has to be signed off by the Manager - Operations.
- The data should be input only after the concerned person authorizes
the Software Data Input forms. Ideally, it should be prepared by the
maker, checked by a checker, entered by the input clerk and the data
input authorized by an authorizer.
- The entire database set-up should be signed off by the bank's Internal
Control Unit before the financial conversion begins.
3.1.3 Controls during System Trial Run
A trial run has to be conducted by the users before the operations
go live. The objective of the trial run is to ensure that requirements
of the customer are met. The test plan for the trial run should be prepared
by the users themselves. The implementation team should only assist them.
The system trial run should be conducted in a controlled test environment.
The software and test data files should be protected from random development
changes during the trial run.
The documentation of the System Trial Run should consist of the following:
- The test plan for the Trial Run
- The data used for the Trial Run
- The results of the Trial Run
- Any variations and problems
- Any corrective actions taken
The System Trial Run should be signed-off by the internal auditors
of the bank. The basis for this sign-off is the documentation of the
Trial Run.
3.1.4 Controls while making a change to the Code
Any problem that needs a software fix should be recorded through the
POIROT.
When a program is to be modified at the site, two extra environments
should be maintained, as follows:
- Development Environment, where the programs should be modified, unit
tested and system tested by a member of the implementation team.
- Acceptance Environment, where trial runs of modified programs should
be conducted. The trial run should be completed before the program is
copied on to the main environment where the live operations are going
on.
A separate schema with skeletal data can be maintained for this purpose.
Note: No changes should be made directly onto the main environment.
Access controls to the Development and Acceptance environments should
be limited to the members of the implementation team from Oracle Financial
Services.
The fix that has been put in has to be recorded in the POIROT.
3.2 Project Documentation
3.2.1 Management Documentation
- A project plan, which defines the scope of the project, objectives,
budgets, task scheduling, time frames and deliverables, should be prepared.
- A progress report of the project should be documented and circulated
every fortnight.
- The minutes of the management review and discussion should be documented.
3.2.2 System Documentation
- Updated system documentation should be maintained. This should include:
  - Enhancement specifications and approval
  - Software inventory lists
  - Training Manuals
  - Operations Manual
  - User Manuals
  - Implementation Manual
  - The test plan for System Trial Run
3.2.3 Software Installation
The details of installing Oracle FLEXCUBE are discussed in the ‘Oracle
FLEXCUBE Release and Installation’ document.