ITGC in Banking Audit: Procedures and Benefits

In the ever-evolving digital era, Information Technology (IT) has become the backbone of operations in many industries, including banking. Modern banks rely on robust and reliable IT systems to support their operations, from basic transactions to complex data analytics. Therefore, it is crucial for banks to have strong controls over their IT infrastructure, and Information Technology General Controls (ITGC) play a significant role. ITGC serves as a pillar of strength that helps banks navigate the digital landscape with confidence and reliability.

ITGC refers to a set of procedures and policies designed to ensure the integrity, reliability, and security of IT systems and data. ITGC encompasses various aspects, including access controls, change controls, operational controls, and system development management.

Why Is ITGC Important for Banking?

Banking is an industry highly regulated by strict laws and regulations, demanding high standards of security and accuracy. At the same time, banking is also a target for cyberattacks, making IT security a top priority. With an increasing number of transactions conducted electronically, cybersecurity threats become more tangible. If customer data or financial information were to leak or be stolen, it could damage the bank’s reputation and result in significant financial losses.

Moreover, banking requires operational efficiency to conduct transactions swiftly and accurately. Without effective ITGC, banks may encounter hindrances in transaction processes, errors in reporting, or even financial losses.

ITGC comprises several key components that banking institutions need to understand to run secure and efficient operations:

  • Access Controls: Ensure that only authorized individuals can access systems and data. This includes authentication, authorization, and audit trails.
  • Change Controls: Monitor changes to systems and applications to ensure that all modifications have been tested and approved before implementation.
  • Operational Controls: Ensure that day-to-day operations run smoothly, including data backup, disaster recovery, and routine maintenance.
  • System Development Management: Oversee the development, testing, and implementation of new systems or updates to existing systems.

Implementation of ITGC in Banking

The implementation process of ITGC in the banking industry involves a series of careful and structured steps:

  • Access Controls: Banks must ensure that sensitive information such as customer data and financial transactions can only be accessed by authorized parties. This is done by implementing multi-factor authentication, access control policies, intrusion detection systems, and logging and monitoring mechanisms. The presence of access logs and system monitoring can also be used to detect suspicious activities.
  • Change Controls: Every change in IT systems should be recorded, tested, and approved before implementation. This is to prevent errors that can disrupt operations or create security vulnerabilities.
  • Operational Controls: This includes backup and restore policies, hardware maintenance, system performance monitoring, and disaster recovery procedures to ensure operational continuity.
  • System Development Management: Monitor the process from initial system development until its launch, ensuring that all code and infrastructure are analyzed thoroughly for potential risks. Processes such as needs analysis, design, and testing should be tightly managed to ensure quality and security.

Common Findings in ITGC Audits in Banking and Their Remediation

Some common findings that often arise in ITGC audits include:

  • Weaknesses in Access Controls: Many banks have weaknesses in controlling access to their systems and data. Access granted may not align with individuals’ roles, opening up potential security risks. To mitigate this, banks need to refine access control policies and their implementation, as well as provide employee training on the importance of information security.
  • Lack of Change Controls: Some banks have not fully adopted change control principles, resulting in errors or disruptions. Changes to systems are not always followed by adequate testing, increasing the risk of vulnerabilities. To address this, banks need to implement change tracking systems and hold review sessions before each implementation. All changes should be documented, tested in a controlled environment, and applied after approval.
  • Inadequate Maintenance or Neglect of Routine Maintenance: Outdated or poorly maintained IT infrastructure can be vulnerable to attacks. Additionally, periodic maintenance is often neglected, leading to potential operational failures. Therefore, banks need to schedule routine maintenance and regularly upgrade their systems.
  • Failure in Backup and Recovery: Sometimes, banks lack adequate disaster recovery procedures. Others have such plans but have not tested or updated them for an extended period. To mitigate this, banks need to establish comprehensive disaster recovery plans and regularly test them to ensure their effectiveness.
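As an added illustration of the audit checks behind the findings above and the controls listed under "Implementation of ITGC in Banking" (this is example code, not from the original article or from SW Indonesia), the following Python script runs three ITGC-style checks over constructed sample data: user entitlements compared against a role matrix (access controls), change tickets checked for an approval that precedes deployment and for test evidence (change controls), and the age of the last successful restore test per system (backup and recovery). The user names, role matrix, ticket numbers, dates, and the one-year test threshold are all assumptions made for the example.

```python
"""Constructed ITGC audit checks over made-up sample data: access vs role
matrix, change approval order and test evidence, and age of the last
disaster-recovery restore test. Nothing here comes from a real bank."""
from datetime import date, datetime

# Constructed role matrix: which entitlements each job role may hold.
ROLE_MATRIX = {
    "teller": {"core.view_account", "core.post_deposit"},
    "loan_officer": {"core.view_account", "loans.create_application"},
    "it_admin": {"core.db_admin", "core.deploy"},
}

# Constructed entitlement export: what the system actually grants each user.
USERS = [
    {"user": "ani", "role": "teller",
     "entitlements": {"core.view_account", "core.post_deposit"}},
    {"user": "budi", "role": "teller",
     "entitlements": {"core.view_account", "core.post_deposit", "loans.approve"}},
    {"user": "citra", "role": "loan_officer",
     "entitlements": {"core.view_account", "loans.create_application", "core.deploy"}},
    {"user": "dewi", "role": "it_admin",
     "entitlements": {"core.db_admin", "core.deploy"}},
]

# Constructed change tickets: deployment must follow approval and carry test evidence.
CHANGES = [
    {"id": "CHG-101", "approved_at": datetime(2024, 3, 1, 10),
     "deployed_at": datetime(2024, 3, 2, 9), "test_evidence": True},
    {"id": "CHG-102", "approved_at": datetime(2024, 3, 5, 15),
     "deployed_at": datetime(2024, 3, 5, 11), "test_evidence": True},
    {"id": "CHG-103", "approved_at": None,
     "deployed_at": datetime(2024, 3, 7, 8), "test_evidence": False},
]

# Constructed DR test log: date of the last successful restore test per system.
DR_TESTS = {"core_banking": date(2023, 1, 15), "loan_origination": date(2024, 2, 20)}

# Assumed audit reference date and maximum acceptable age of a restore test.
AS_OF = date(2024, 3, 31)
MAX_TEST_AGE_DAYS = 365


def review_access(users, role_matrix):
    """Flag every entitlement a user holds beyond what their role permits."""
    findings = []
    for u in users:
        allowed = role_matrix.get(u["role"], set())
        excess = sorted(u["entitlements"] - allowed)
        if excess:
            findings.append({"check": "access", "id": u["user"], "detail": excess})
    return findings


def review_changes(changes):
    """Flag changes deployed without approval, before approval, or without test evidence."""
    findings = []
    for c in changes:
        problems = []
        if c["approved_at"] is None:
            problems.append("no approval recorded")
        elif c["deployed_at"] < c["approved_at"]:
            problems.append("deployed before approval")
        if not c["test_evidence"]:
            problems.append("no test evidence")
        if problems:
            findings.append({"check": "change", "id": c["id"], "detail": problems})
    return findings


def review_dr_tests(dr_tests, as_of, max_age_days=MAX_TEST_AGE_DAYS):
    """Flag systems whose last restore test is older than the allowed window."""
    findings = []
    for system, last_test in dr_tests.items():
        age = (as_of - last_test).days
        if age > max_age_days:
            findings.append({"check": "dr", "id": system,
                             "detail": f"last restore test {age} days ago"})
    return findings


def run_audit(as_of=AS_OF):
    """Combine the three checks into one list of findings for the audit report."""
    return (review_access(USERS, ROLE_MATRIX)
            + review_changes(CHANGES)
            + review_dr_tests(DR_TESTS, as_of))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f['check']}] {f['id']}: {f['detail']}")
```

On the sample data the script reports two users with entitlements outside their role, one change deployed before its approval timestamp, one change with neither approval nor test evidence, and one system whose last restore test is more than a year old. In a real engagement the three inputs would be exported from the identity system, the change-management tool, and the backup test log, and each finding would be traced back to the evidence before it is written up.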

These ITGC findings in the banking sector can relate to core transaction functions such as interest calculations, loan processing, transaction recording, and more. Further findings that stem from inadequate ITGC may include:

  • Inaccuracies in Interest Calculations: Banking systems may have errors in logic or configurations that result in inaccurate interest calculations for customer accounts.
  • Errors in Loan Processing: Systems may not process loan applications correctly, or there may be flaws in the automation of loan approvals, resulting in the granting of credit that does not meet criteria.
  • Insufficient Transaction Authorization: Transactions may not require adequate authorization or verification before execution, increasing the risk of errors or misuse.
  • Failure to Comply with Data Privacy Policies: Systems may not comply with data privacy policies, which can negatively impact the bank’s reputation or result in significant fines.
  • Transaction Errors: Errors may occur in transaction processing, such as duplicate fund transfers or transactions that do not align with customer instructions.

In all of these cases, active involvement from management is crucial. Management must support the IT team, understand associated risks, allocate necessary resources to mitigate those risks, and communicate the importance of compliance and controls to the entire organization. Awareness and commitment from management will help ensure successful and sustainable risk mitigation. By identifying and mitigating ITGC findings and with active support from management, banks can strengthen their IT infrastructure, enhance customer trust, and ensure smooth and secure operations.

ITGC is a critical element in maintaining security, integrity, and operational efficiency in the banking industry. Through the effective implementation and maintenance of ITGC, banks can reduce security risks, enhance customer trust, and keep operations running smoothly. Regular evaluation of ITGC enables a bank to identify areas needing improvement. Audit findings should be followed up by management with recommended improvements and initiatives.

Furthermore, banking regulations by the Financial Services Authority (OJK) through POJK number 11/POJK.03/2022 regarding the Implementation of Information Technology by Commercial Banks, especially article 55 paragraph (2), also require banks to conduct a reassessment of the internal audit function of IT implementation at least once every three years using independent external services. SW Indonesia has years of experience in providing professional services to banking companies in Indonesia. SW Indonesia continues to develop competence and capacity to support clients in the banking industry, including ITGC audit services, internal audit function reassessment of IT implementation, cybersecurity, and other services.

Author

  • As the webmaster and author for SW Indonesia, I am dedicated to providing informative and insightful content related to accounting, taxation, and business practices in Indonesia. With a strong background in web management and a deep understanding of the accounting industry, my aim is to deliver valuable knowledge and resources to our audience. From articles on VAT regulations to tips for e-commerce taxation, I strive to help businesses navigate the complexities of the Indonesian tax system. Trust SW Indonesia as your go-to source for reliable and up-to-date information, empowering you to make informed decisions and drive success in your business ventures.