The Royal Audit Authority (RAA) carried out the IT audit of the Core Banking Solution (TCS BaNCS) of the Bank of Bhutan Ltd (BoBL) and, based on the issues pointed out in the audit findings, provided five recommendations.
For one, BoB must develop and implement comprehensive long-term policies and guidelines on system access management, in addition to BoB’s existing user access management policy, to ensure that business-justified access is granted to users at all times.
RAA also recommended that BoB must develop and implement long-term action plans related to the business continuity plan (BCP), disaster recovery plan (DRP) and security awareness to ensure that the BCP and DRP are effectively implemented during and after a disaster. Adequate physical access controls should also be instituted for the data center (DC) and disaster recovery (DR) site in line with BoB’s DC physical security policy.
The recommendations also state that BoB must tighten the internal controls related to international transfers by incorporating the controls in the core banking solution (CBS) and institute a proper accountability process for such lapses. The report also states that BoB must formulate and implement a policy statement on related party transactions in line with RMA’s prudential regulations, and that it should be captured in the CBS.
A five-step method was used for this audit, which included planning, risk assessment, evaluation of internal controls, audit testing, and conclusion and reporting. The audit report discussed both the achievements brought in by the implementation of the new CBS, TCS BaNCS, and the shortcomings it suffered. The report also contains recommendations targeted at improving and enhancing the CBS and its services.
The primary objective of the audit was to ascertain whether TCS BaNCS meets the business objectives of BoB with efficient institution of IT controls, and it focused on the business processes surrounding the system from April 2016 to March 2017.
The new CBS, TCS BaNCS, has enabled BoB to introduce new and innovative products quickly, reducing time-to-market while launching new products and services. While some positive changes were brought in by the implementation of TCS BaNCS, the RAA, while conducting the audit, observed several lapses pertaining to input, validation and access controls.
However, most of them were corrected after the draft report was issued.
The Bank changed its CBS from Oracle FLEXCUBE to TCS BaNCS in partnership with Tata Consultancy Services (TCS), and the new system was implemented on April 1, 2016. With the change in CBS, BoB was able to introduce new and innovative products quickly, reducing time-to-market while launching new products and services.
One important aspect of a change in system is data migration, and RAA’s review and analysis also showed that the bank had followed the requisite procedures and that data migration was correctly carried out.
Tshering from Thimphu