Nepali Financial Institutions and the need for Information System Audit

Analysing the present scenario of Financial Institutions of Nepal most of them don’t prefer to do Information System Audit. It is institution’s carelessness that makes their system vulnerable which implies a direct effect on Institutional Confidentiality, Integrity and Availability of data.

What’s the main reason behind bank’s crucial information being stolen so easily?

It revealed that majority of the bank had not audited their Information System regularly which led to the increase in these types of cyber-crimes.

IS audit can be used to test the transparency of Information Technology used in the bank. It should be on a regular basis like a financial audit. Just like to ensure every account are correct, finances are regularly audited by hiring an external auditor. Similarly, to ensure confidentiality, integrity, and availability of crucial data and to be technically secured covering all the loopholes IS audit is done.

Even though this audit is considered significant globally, technically it is not the same here in Nepal. It is mandatory for banks in abroad countries to perform IT Audit just as they maintain agility of every monthly, quarterly, half-yearly or annual accounts’ details.

Information System audit has different variations. For instance, ‘SO 27001’ is done to make sure that the customer’s personal information (Confidentiality) is protected and bank’s overall system is secured. For data security standard we have PCI-DSS) and for mobile, internet banking certifications it is enacted by Protection and Advocacy for Beneficiaries of Social Security (PABSS). Hence, several problems appear when Nepalese banks fail to conduct this type of audit related to Information Technology. Banks/Financial Institutions are not being able to get standardized ‘ISO 27001’ audit as per their willingness due to lack of skillful professionals.

Among different banks in Nepal, Standard Chartered, NABIL, Himalayan and Nepal Investment Bank are regularly conducting PCI-DSS and PABSS standard tests. Some of the Nepalese Bankers who are top level management at the Commercial bank said, “They had also proposed to do the audit, starting from this year.” They told that due to lack of skilled experts, none of the Nepalese banks are able to meet the ‘ISO 27001’ standards. They further explained that the hacker committing ‘Fraud’ are more cunning and the technology used by them seemed more advanced than data encryptions used in banking software.

We specified that Nepalese banks have to bring in experts from India or other countries for IS audit in order to get ISO certifications. This makes IT audit very expensive where different institution have refused and failed to do IS audit. We also informed that Indian IT companies charge 15-20 lakhs rupees for a regular audit but it costs 40-60 lakhs rupees to do an ISO audit that meets International guidelines. We concluded that banks therefore now need to do an ISO level audit. We said, “International level IT auditing needed to be done in order to know what is happening inside bank, ahead of theft.”

Nepalese bank has ‘alert system’ only for money withdrawals information. According to him, banks need to have a technology for alerting them before hackers steal that if an international level IT Audit Company can be established with the help of government and private collaboration where it would provide relief to all the institutions. “Nepalese are no less in technology,” he proclaimed, “We have the potential to establish an IT audit company within the country.”

If a severe problem identified during this stage of the audit, a corrective action plan drawn up so they tackled without having to wait for the full report, where they should appear as non-compliances. Ideally, an audit should assess compliance with every mandatory measure in scope. In many instances, this isn’t going to be realistic, in which case, reviews focus on high-risk areas: a single location, business head, system, and software. Whenever workload is still too much given your resources, consider sampling, focusing on the critical security controls.

 It is the general opinion of most firms, especially at the top level management, that their Devices are secure. However, only ways to determine whether this is true is by performing a thorough audit of computer systems. But most companies don’t make it a habit of conducting regular security audits, if they perform them at all.

We should know what is and what isn’t a significant issue goes to the very core of understanding Cyber Secure. While assumptions can be correct, in multiple cases, they dead wrong. Perform regular security audits on your organization’s network to be sure.

The importance of information security is to ensure data confidentiality, integrity, and availability. Confidentiality of data means protecting the information from disclosure to unauthorized parties. Information such as bank account statements, trade secrets, and personal information should be kept private and confidential. Protecting this information is a significant part of information security.

LEAVE A REPLY

Please enter your comment!
Please enter your name here