Auditing Swift Operations in A Bank


PROJECT REPORT ON

AUDITING SWIFT OPERATIONS IN A BANK
Members:

S.No. | Name                 | DISA No. | Signature
1.    | Mahesh Porwal (Head) | 63327    |
2.    | Rajat Jain           | 63341    |
3.    | Chirag Saraf         | 63403    |
4.    | Dinesh Jain          | 63382    |


INTRODUCTION

About Auditee Firm:

SabkaSaath Bank Ltd is a bank which was established in Ahmedabad on 4th October, 1971 under the Chairmanship of Late Shri ABC and the Managing Directorship of Late Shri XYZ. The Bank started functioning in very small rented premises at Maskati market, in an area of about 15 x 16 feet.

The Bank got Banking License No. XXXYZ123 P on 30th October, 1986.

The Bank got 'Scheduled Bank' status from RBI on 29th January, 2000 and has also been registered under the Multi State Societies Act, 1984 (now MSCS Act, 2002) w.e.f. 13/11/2000 with registration No. MSCS AB/23/2001.

The Bank has started diversified activities like:

• Demat since 2001
• Franking of Non-judicial Stamps of Gujarat State Govt. since 2005
• RTGS & NEFT facility
• Core Banking solution services
• e-Payment of Taxes
• Swift transactions
About Audit Firm

PQRS & Associates (Chartered Accountants) is a 20 year old firm of Chartered Accountants established in the year 2000, specializing in Information Systems Assurance and Management Consultancy services. PQRS Associates is led by Mr. MP, who is a qualified Chartered Accountant and holds a Diploma in Information Systems Audit. PQRS Associates also has a team of qualified and trained Information System Audit personnel. PQRS has 4 partners who are CAs with the DISA qualification and one partner holding the CISA qualification. It has been involved in providing Information Systems Assurance for both the Public and Private Sector in India as well as abroad, across a wide domain consisting of IT companies, banks, major multinationals, manufacturing companies, e-commerce chains etc. We have deployed our core team of 3 Chartered Accountants, including one partner, to conduct the audit of Sabka Sath Bank.

The Core Audit team consists of:

1. Mr. PQ – Partner – CA with DISA qualification, having 15 years' experience in IS audits, Project Post Implementation Assessments and Management consulting
2. Mr. MM – Qualified CA – 10 years' experience of working with Information system implementation and IS audit
3. Mr. SVJ – Qualified CA – 10 years' experience of working with Information system implementation and IS audit
4. Mr. AT – Qualified CA – 10 years' experience of working with Information system implementation and IS audit
5. Mr. SD – Qualified CA – 10 years' experience of working with Information system implementation and IS audit

The Audit team shall also use the services of Information System Specialists and Audit assistants, who shall be deputed to the assignment on a specific requirement basis.
2. AUDITEE ENVIRONMENT

The Society for Worldwide Interbank Financial Telecommunication (SWIFT), legally S.W.I.F.T. SCRL, provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment. SWIFT also sells software and services to financial institutions, much of it for use on the SWIFTNet network, and ISO 9362 Business Identifier Codes (BICs, previously Bank Identifier Codes) are popularly known as "SWIFT codes".

SWIFT does not facilitate funds transfer: rather, it sends payment orders, which
must be settled by correspondent accounts that the institutions have with each
other. Each financial institution, to exchange banking transactions, must have a
banking relationship by either being a bank or affiliating itself with one (or more)
so as to enjoy those particular business features.

SWIFT has been criticized for its inefficiency, with the Financial Times observing in
2018 that transfers frequently "pass through multiple banks before reaching their
final destination, making them time-consuming, costly and lacking transparency
on how much money will arrive at the other end." SWIFT has introduced its own
improved service, called "Global Payments Innovation" (GPI), stating that as of
2018 it had been adopted by 165 banks, and was completing half of its payments
in under 30 minutes.
3. Organisation Structure

The Sabka Sath group has a workforce of over 51,000 employees and serves around nine million customers worldwide. It established its first Indian branch in Ahmedabad, and thereafter in Gurugram and Bengaluru. The group has 6 shared service hub operations around the globe; a significant shared service hub operation is in Bengaluru, employing around 5000 staff and supporting the group's business in other parts of the world as well.

The day to day activities are managed by the Chairman, who is also the Chief Information Officer. It is his responsibility to draft the IT Policy and ensure compliance. He is assisted by an Executive Director, an Executive President, 6 General Managers and 3 Joint General Managers at Corporate level.
4. Technology Deployed
• System Software – The Company uses two operating systems: Microsoft Windows and Mac OS X.
• Database – MySQL is installed for management of the database.
• Application Software – C++, Java, Oracle, Visual Basic, and software testing tools such as Quick Test Pro, Selenium, Web Load Professional, etc.
• Cloud Computing
• Mainframes – IBM mainframe platform for reliable heavy duty data processing.
• Network – LAN, WAN, IPT, VOIP, Network security
5. REGULATORY REQUIREMENTS

The following are the regulatory requirements that are complied with by Sabka Sath:

Practice | Orientation | Developed by | Description
COBIT | Process Control and Management | Information Systems Audit and Control Association / IT Governance Institute (ISACA/ITGI) (www.isaca.org) | A process standard for the Public Company Accounting Oversight Board (PCAOB).
COSO Enterprise Risk Management | Process | Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org) | Used by the Public Company Accounting Oversight Board (PCAOB) as a guide for SOX.
ITIL | IT Service Process | UK Office of Government Commerce (www.itil.co.uk) | Detailed process-oriented approach to IT services management.
ISACA/ITGI Harmonization Document | Process and Technology Mapping | ISACA/ITGI (www.isaca.org) | Maps COBIT to ITIL and ISO 17799.
Background
• SWIFT provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.

• As per RBI instructions, Concurrent Auditors shall verify in all SWIFT enabled
branches, all SWIFT logs generated by the system and reconcile 100 % for all
financial and non-financial messages received and sent.

• They also have to verify that all transactions / messages having implications on
both Fund, Non-Fund based exposures match with entries passed in CBS / EXIM on
daily basis.

• The operational processes of SWIFT are overseen by the audit and finance committee of the board of directors. As security is central to SWIFT operations, the committee mandates an external auditor to conduct an annual independent security report in accordance with International Standard on Assurance Engagements (ISAE) 3402 "Assurance Reports on Controls at a Service Organization", issued by the International Auditing and Assurance Standards Board. This security report includes the auditors' tests (observations and inspections) based on a set of controls that relate to the SWIFT Security Control Policy (SSCP) and are structured along the areas of: governance, confidentiality, integrity, availability, and change management. The results are used to mitigate risks that would prevent the achievement of the company's objectives.
Disseminating expert operations “know-how” is regarded as part of SWIFT’s
responsibility as an industry cooperative. In the next section, we provide an
overview of a further way in which SWIFT supports community engagement
through the organization of a major annual conference called Sibos.

• There has been very little academic or practitioner literature on SWIFT operations. While we undertook fieldwork at the operating centres, we have been necessarily selective in our description of them. A notable exception is Jan Van Auseloos, "Responsibilities of TTPs in trusted networks", Information Security.
Why does it matter?

While all customers are responsible for protecting their own environments, SWIFT
established the customer security programme (CSP) in early 2016 to support customers in
the fight against a growing cyberthreat.

It is critical that customers prioritise the security of the network. Last April, SWIFT published a detailed description of the mandatory and advisory customer security controls. This framework describes a set of controls for its customers to implement on their local infrastructure.

So, have Indian banks adopted the best practices to keep the network safe? The best
practices should be applied not only to the SWIFT infrastructure within banks, but the full
end-to-end transaction ecosystem within their firms, including payments, securities trade
and treasury. In the PNB case, one of its biggest failures was the missing link between
SWIFT and the bank’s backend software. This allowed fraudulent use of a key credit
instrument — letters of understanding or a loan request to another bank through the
SWIFT network — to transfer funds.

What lies ahead?

After the fraud, PNB adopted strict SWIFT controls. It has created a separate unit to
reauthorise most messages sent over SWIFT by branches. Many other banks are expected
to fast-track the integration between SWIFT and their backend systems. To strengthen
internal controls, the RBI has set April 30 as an “outer limit” for all public sector banks to
integrate SWIFT with core banking solutions. As for SWIFT, a spokesperson said: “First,
there is no indication that SWIFT’s own network or core messaging services have ever been
compromised. SWIFT cannot comment on particular incidents. However, it continues to
share insights into modus operandi and indicators of compromise with its customers.”
HOW SWIFT WORKS
SWIFT users are grouped into three categories, each of which has access to different levels of service from SWIFT: supervised financial institutions can send and receive all types of messages; non-supervised entities active in the financial industry can send all types of messages to supervised financial institutions but cannot send or receive payment messages to or from other non-supervised entities; and closed user groups and corporate entities have access to services as defined by the administrator of the closed user group or, for corporate entities, according to criteria defined in the relevant service. Only members of the first category – who are banks, securities broker dealers, and regulated investment management institutions – would be eligible to be shareholders of SWIFT. A closed user group is a group that connects users in order to exchange a specific set of message types that facilitates a particular business requirement. The administrator of the closed user group has responsibility for defining the rules, the type of service, and the admissions criteria for all the members in the group.

The concept of a national or country-level voice is threaded through SWIFT's governance structure as an organizing principle. It can be seen in the voting formula for directors, and is formalized for shareholders in national member groups. For SWIFT users more generally, SWIFT has organized national user groups. These groups "help ensure a coherent global focus by ensuring a timely and accurate two-way flow of information between SWIFT and its users."

Management of SWIFT is organized among three groups (marketing, IT operations, and finance and administration) and two functions (legal and human resources), across three regions (Americas, Asia-Pacific, and EMEA (Europe, Middle East and Africa)). Marketing has a broad brief encompassing product portfolio management, global communication, innovation, and standards. IT operations is not only responsible for the day-to-day running of the SWIFT network but also for product development and security control. Finance and administration is responsible for financial management, corporate planning, and pricing of products as well as all internal support functions such as procurement, internal IT, and office management.

This bare description does not give full expression to how the cooperative spirit that governs the day-to-day running of SWIFT manifests in practice. It is charged with balancing multiple responsibilities: as a cooperative for the benefit of members; an arguably broader remit and responsibility by virtue of compliance obligations vis-à-vis regulators; producer of public goods through standards-setting activities; contractual obligations to its users; and its role and authority in the financial services industry as a secure trusted third party in the core industry infrastructure. The notion of a "cooperative" imbues SWIFT's service standards, standard-setting agenda, relationships, projects, and communications strategies with a particular, almost quasi-governmental or public service orientation. Inwardly its organizational culture still retains the almost family-like quality established by former CEO Bessel Kok in the early years, while outwardly interactions are informed by its overarching goal to maintain its reputation as trusted third party. This orientation is in evidence across the organization, but perhaps in no respect more so than in SWIFT's approach to operations and security and in its annual practitioner community conference, Sibos. We turn to these subjects in more detail later in this chapter, but in the next section we place SWIFT in context by reviewing financial telecommunication in relation to payment infrastructures.
Methodology and Strategy adopted for execution of the assignment

Concurrent auditors need to ensure that:

a) A report of all Swift messages sent by the branch during the day must be
generated at day end from the Swift system.

b) Acknowledged copies of all Swift messages sent, must be checked with the
aforesaid report and scrutinised in CBS/Exim to confirm that all underlying entries
in customers / BGL/ Contra accounts have been correctly put through.

c) This scrutiny must be done by an officer, other than the two officials who have
checked & authorised the messages.

d) After scrutiny, the signed report must be put up by the officer to the branch head
or section head for having scrutinised the day's swift messages in CBS/Exim.
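The day-end reconciliation described in steps a) to d), and the RBI requirement quoted under Background that every SWIFT message sent or received must match an entry in CBS/EXIM, can be carried out mechanically before the officer signs the report. The following Python is an added example, not part of this report or of any SWIFT or CBS product; the message and voucher fields, the set of exposure-creating message types and the sample day are all assumed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Message types that create a fund or non-fund exposure and so need a matching
# CBS/EXIM entry (assumed set); other types such as MT199 get ACK/sequence checks only.
EXPOSURE_MTS = {"103", "202", "760"}

@dataclass(frozen=True)
class SwiftMsg:
    seq: int        # output sequence number in the day-end SWIFT report
    ref: str        # field 20 transaction reference
    mt: str         # message type
    ccy: str
    amount: Decimal
    acked: bool     # network acknowledgement received for the sent message

@dataclass(frozen=True)
class CbsEntry:
    ref: str        # SWIFT reference quoted on the CBS/EXIM voucher
    ccy: str
    amount: Decimal

def reconcile(msgs, entries):  # the day's exceptions for the scrutinising officer
    ledger = {e.ref: e for e in entries}
    ex = {"no_cbs_entry": [], "amount_mismatch": [], "not_acked": [], "no_swift_msg": [], "seq_gaps": []}
    for m in msgs:
        if not m.acked:
            ex["not_acked"].append(m.ref)
        if m.mt not in EXPOSURE_MTS:
            continue
        e = ledger.pop(m.ref, None)
        if e is None:                       # sent over SWIFT but never booked
            ex["no_cbs_entry"].append(m.ref)
        elif (e.ccy, e.amount) != (m.ccy, m.amount):
            ex["amount_mismatch"].append(m.ref)
    ex["no_swift_msg"] = sorted(ledger)     # booked in CBS but never sent
    seqs = {m.seq for m in msgs}
    if seqs:                                # a gap may mean a deleted message
        ex["seq_gaps"] = [s for s in range(min(seqs), max(seqs) + 1) if s not in seqs]
    return ex
# Constructed sample day: TRN0002 (MT760) never booked, TRN0006 booked for the
# wrong amount, TRN0003 not acknowledged, and sequence 1004 missing.
DAY_MSGS = [
    SwiftMsg(1001, "TRN0001", "103", "USD", Decimal("25000.00"), True),
    SwiftMsg(1002, "TRN0002", "760", "USD", Decimal("1000000.00"), True),
    SwiftMsg(1003, "TRN0003", "103", "EUR", Decimal("5000.00"), False),
    SwiftMsg(1005, "TRN0005", "199", "", Decimal("0"), True),
    SwiftMsg(1006, "TRN0006", "202", "USD", Decimal("70000.00"), True),
]
DAY_CBS = [
    CbsEntry("TRN0001", "USD", Decimal("25000.00")),
    CbsEntry("TRN0003", "EUR", Decimal("5000.00")),
    CbsEntry("TRN0006", "USD", Decimal("7000.00")),
    CbsEntry("TRN0009", "USD", Decimal("300.00")),
]
```

Every non-empty list returned by `reconcile` is an item the scrutinising officer must raise with the branch head; an empty result is the 100% reconciliation the RBI instruction asks for.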
STEP BY STEP GUIDE FOR SWIFT VERIFICATION IN WBCAS
Documenting Observations and Findings
Information System Auditors must maintain proper documentation of their
work as these are the record of the work performed by them and the evidence
supporting their findings and conclusions.

Documentation is meant to –

• Prove the extent to which an Information System Auditor has complied with guidelines and standards, to assist in the planning, performance and review of audits.
• Facilitate third party reviews.
• Evaluate the quality assurance program of the Information System Audit function.
• Extend support in circumstances such as insurance claims, fraud cases and lawsuits.
• Assist in the professional development of the staff.
• Facilitate supervisory review.

Information System Auditors must ensure that at least the minimum level of documentation is maintained as a record of the planning and preparation of the audit scope and objectives, comprising:

• Audit Program
• Audit steps performed and the evidence gathered.
• Audit observations, findings, conclusions and recommendations.
• Complete Report issued.

The extent of the documentation maintained by an Information System Auditor depends on the needs of the audit and would normally include:

• The Information System Auditor's understanding of the area to be audited and its environment.
• The understanding of the information processing systems and the internal control environment.

• The author and source of the audit documentation and the date of
completion.

• Audit evidence, its source and the date of completion.

• The auditee’s response to the recommendations.


KEY DELIVERABLES

Our key recommendations comprise:

1. Segment your network to restrict access from general IT to SWIFT servers and within the SWIFT related servers.
2. Reduce the attack surface by maintaining vulnerability patching and OS hardening.
3. Physically secure the SWIFT environment.
4. Prevent compromise of credentials.
5. Manage identities and privileges.
6. Detect malicious activity inside the environment.
7. Plan for incident response for those activities.


FINDINGS & RECOMMENDATIONS

Organization
1. The current organization plan that has been developed does not show the structure of the funds transfer function.
2. Senior management is, in places, lacking in providing administrative direction for the operations of the funds transfer function.
3. Management was not informed of the new systems design and the hardware available for the wire transfer system.

Operating Procedures
1. Agreements concerning wire transfer operations between the financial institution and its hardware and software vendors, maintenance companies, customers, correspondent banks, and the Federal Reserve bank, in effect and current, are missing.
2. For some incoming and outgoing payment orders and message requests received in the wire transfer area, the following control details were missing:
1. Time stamping or sequential numbering for control
2. Logging
3. Review for signature authenticity
4. Review for test verification, if applicable
5. Review to determine whether the personnel who initiate funds transfer requests have the authority to do so
