3. Audit Requirements

This chapter outlines the audit requirements to be met by the implementation team. They can be broadly categorized into two types; controls and documentation of processes.

This chapters contains the following sections

• Section 3.1, "Controls"
• Section 3.2, "Project Documentation"

3.1 Controls

This section contains the following topics

• Section 3.1.1, "Controls during Software Installation"
• Section 3.1.2, "Controls during database Set-Up"
• Section 3.1.3, "Controls during System Trial Run"
• Section 3.1.4, "Controls while making a change to the Code"

3.1.1 Controls during Software Installation

The following is the list of processes to be followed before the software is installed on the main machine (the machine on which the bank will carry on its daily operations):

• The plan for the installation should be distributed to all the concerned people at the bank. This plan should explain how the software will be put into operation. The progress and changes in the plan should be notified regularly to all these people.
• The procedure for logging errors should be established. It should state the steps involved for recording and tracking errors.
• A hand-off note of the system should be given to the data center operations.
• The procedure for handling contingencies should be documented. The concerned staff should be aware of the reports that have to be used, if the system is not available due to hardware or software problems.
• Training for the Data Center operators, users and the System Administrator should be completed.
• All sign-offs should be completed.

3.1.2 Controls during database Set-Up

The database set-up should take place in a well-controlled environment. The characteristics of this controlled environment are as follows:

• If the data is to be uploaded automatically, a written approval should be obtained from the Manager - Operations. This approval should be obtained on the basis of the Database Design document and Conversion Plan Document prepared for this purpose. These documents should form the references for post-upload checks. Spread Sheet and Code translation tables used for upload also have to be verified and approved. The automated upload can be of two types. The input can be automated while the authorization is manual or both input and authorization are automated. In either case, a Maintenance Control List or List of Data uploaded should be taken immediately after the upload, which has to be signed-off by the Manager-Operations.
• The data should be input only after the concerned person authorizes the Software Data Input forms. Ideally, it should be prepared by the maker, checked by a checker, entered by the input clerk and the data input authorized by an authorizer.
• The entire database set-up should be signed-off by the bank s Internal Control Unit before the financial conversion begins.

3.1.3 Controls during System Trial Run

A trial run has to be conducted by the users before the operations go live. The objective of the trial run is to ensure that requirements of the customer are met. The test plan for the trial run should be prepared by the users themselves. The implementation team should only assist them.

The system trial run should be conducted in a controlled test environment. The software and test data files should be protected from random development changes during the trial run.

The documentation of the System Trial Run should consist of the following:

• The test plan for the Trial Run
• The data used for the Trial Run
• The results of the Trial Run
• Any variations and problems
• Any corrective actions taken

The System Trial Run should be signed-off by the internal auditors of the bank. The basis for this sign-off is the documentation of the Trial Run.

3.1.4 Controls while making a change to the Code

Any problem that needs a software fix should be recorded through the POIROT.

When a program is to be modified at the site, two extra environments should be maintained, as follows:

Development Environment where the programs should be modified, unit tested and system tested by a member of the implementation team.

Acceptance Environment where trial runs of modified programs should be conducted. The trial run should be completed before the program is copied on to the main environment where the live operations are going on.

A separate schema with skeletal data can be maintained for this purpose.

Note

No changes should be made directly onto the main environment.

Access controls to the Development and Acceptance environments should be limited to the members of the implementation team from Oracle Financial Services.

The fix that has been put in has to be recorded in the POIROT.

3.2 Project Documentation

This section contains the following topics

• Section 3.2.1, "Management Documentation"
• Section 3.2.2, "System Documentation"
• Section 3.2.3, "Software Installation"

3.2.1 Management Documentation

• A project plan, which defines the scope of the project, objectives, budgets, task scheduling, time frames and deliverables, should be prepared.
• A progress report of the project should be documented and circulated every fortnight.
• The minutes of the management review and discussion should be documented.

3.2.2 System Documentation

• Updated system documentation should be maintained. This should include:
  • Enhancement specifications and approval
  • Software inventory lists
  • Training Manuals
  • Operations Manual
  • User Manuals
  • Implementation Manual
  • The test plan for System Trial Run

3.2.3 Software Installation

The details of installing Oracle FLEXCUBE are discussed in the ‘Oracle FLEXCUBE Release and Installation’ document.