How To Perform Audit of Internet/Mobile Banking and Other Electronic Payment (Fintech) Applications

Financial technology (fintech) applications such as internet/mobile banking and electronic payment applications have disrupted the traditional "brick and mortar" banking that we have all been accustomed to over the years. The introduction of internet banking (a.k.a. online banking) and mobile banking brought easy and convenient access to banking services that previously required customers to be physically present in the banking hall. Services that can be accessed via internet/mobile banking apps include own-account funds transfers, transfers to accounts within the same bank (intrabank transfer), transfers between accounts in two different banks (interbank transfer), account balance inquiry, bill and utility payments (e.g. electricity/energy bills, water bills, cable TV bills, government tax payments, etc.), airtime and data subscription recharge, international funds transfer via the SWIFT platform, cheque/check book requisition, ATM/debit card requisition, ATM/debit PIN issuance and reset, credit card requisition and PIN reset, hard/soft token (second-factor authentication) request and reset, and loan facility request and disbursement, among other services. Access to these services via internet/mobile banking apps or other electronic payment applications is critical to maintaining a strong customer base, market share and customer satisfaction, which is central to the sustainability of any banking business. Also, with the proliferation of fintech firms offering cutting-edge solutions, the distinguishing factors will be how fast, convenient and reliable the digital service channel is, as well as the competitiveness of transaction fees. Imagine a situation where these applications are not available or accessible to the customers who need them, and what would become of today's banking services: banking would be a terrible experience and most banking halls would be crowded once again.
There is no doubt that the internet/mobile banking platforms deployed by financial institutions and fintech companies have decongested banking halls and revolutionized banking services globally. From the comfort of their homes, their offices or on the go, customers can access banking services and complete transactions without any interaction with their brick and mortar bank. While these solutions provide a lot of convenience and flexibility to customers, they also present enormous security and privacy risks to both the financial institutions and their customers, which, if not checked, could lead to loss of funds (for banks and customers alike) through fraud, customer data breaches and reputational/brand damage, among others. The greatest risks posed to internet/mobile banking and other e-payment applications are risks to confidentiality, integrity and availability (CIA). Because the solutions are accessed over the internet and through mobile phones, they can easily be compromised by attackers with malicious intent where they are not hardened with appropriate security controls and measures. It is therefore important that the solutions are reviewed/audited in line with the organization's information security policies, best-practice standards and applicable regulatory requirements to forestall any compromise and protect both the bank and its customers from financial losses and data leakage.

Areas of Audit Focus

To ensure a successful audit of an internet/mobile banking app or other electronic payment application, the audit team must understand the business environment in which the organization operates and the prevailing conditions, such as regulatory requirements, business requirements and stakeholders' needs. The audit team needs to put together a robust Internet/Mobile Banking & Electronic Payment Application Audit Program to effectively identify the risks inherent in the solution, the existing controls that mitigate those risks and their adequacy, and the procedures for testing the controls to ascertain their effectiveness in mitigating the identified risks. The audit program also states the objectives and scope of the audit based on initial assessments. Where controls are inadequate, the residual risks are identified and communicated to management for action. New and emerging risks can also be identified during the audit and form part of the audit findings, which eventually feed into the organization's risk register so that the risks can be tracked. Highlighted below are some of the areas of internet/mobile banking applications and their supporting IT infrastructure that should be reviewed to confirm the adequacy of controls to mitigate risk and ensure the security of internet/mobile banking applications, together with things to look out for in the course of the audit.

1. Application Security Review:

Here, the application controls are reviewed against the business rules set through the organization's information security policies, standard operating procedures and regulatory requirements that govern transactions and other services rendered through the application. Such business rules include, but are not limited to, risk-based transaction limits/thresholds (daily, weekly or monthly limits) for individuals, corporates, MSMEs, etc. Other controls include authentication/authorization controls such as password security controls (alphanumeric characters, special characters, length, ageing and complexity requirements), security questions and answers, geo-tagging controls, and multi-factor authentication (MFA, such as one-time passwords and tokens). The functional requirements of the application are validated during the audit to confirm that the application is fit for purpose and meets the needs of stakeholders (e.g., customers, investors, shareholders, suppliers, etc.). Revenue assurance reviews are also performed to confirm that all applicable transaction fees, interest charges and loan repayment deductions that have been set up are working as expected, to forestall instances of underpayment by customers or overpayment to the institution. Given that applications such as internet/mobile banking apps are not standalone systems but are usually integrated with the core banking/business solution of the financial institution or payment provider, the interface through which the internet/mobile banking application is integrated with the core banking/business application should be reviewed to ensure that it complies with security standards/leading practice for web services and Application Programming Interfaces (APIs), such as the Open Web Application Security Project (OWASP) API Security Top 10.
In addition to the OWASP security standards, the audit team should also ensure that valid digital certificate(s) signed by an appropriate Certificate Authority (CA) are deployed on the web client interface of the internet/mobile banking and other electronic payment applications, so that transactions and communication/data exchange are encrypted end to end at all levels of the application. For a detailed Application Security Audit Program, click here.
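As an added example (not from the original article), here is a Python audit test for the risk-based transaction limits described above: it aggregates a transaction extract per customer into daily, weekly and monthly windows and flags every total that exceeds the threshold for the customer's segment. The segment limits and the transaction records are constructed sample data, not any institution's real thresholds.

```python
from collections import defaultdict
from datetime import date

# Risk-based limits per customer segment (constructed sample values).
LIMITS = {
    "individual": {"daily": 500_000, "weekly": 2_000_000, "monthly": 5_000_000},
    "msme": {"daily": 2_000_000, "weekly": 10_000_000, "monthly": 30_000_000},
    "corporate": {"daily": 10_000_000, "weekly": 50_000_000, "monthly": 150_000_000},
}

# Constructed transaction extract: (customer_id, segment, ISO date, amount).
SAMPLE_TXNS = [
    ("C001", "individual", "2024-03-04", 300_000),
    ("C001", "individual", "2024-03-04", 250_000),  # same day: 550k > 500k daily limit
    ("C001", "individual", "2024-03-05", 100_000),
] + [
    # C002 stays under the daily limit every day but 5 x 450k = 2.25M exceeds the weekly limit
    ("C002", "individual", f"2024-03-{d:02d}", 450_000) for d in (11, 12, 13, 14, 15)
] + [
    # C003 stays under daily and weekly limits but 16 x 1.9M = 30.4M exceeds the monthly limit
    ("C003", "msme", f"2024-03-{d:02d}", 1_900_000)
    for d in (4, 5, 6, 7, 11, 12, 13, 14, 18, 19, 20, 21, 25, 26, 27, 28)
]


def audit_transaction_limits(txns, limits):
    """Sum amounts per customer and window; return sorted breaches as
    (customer_id, window, bucket, total, limit)."""
    totals = defaultdict(int)
    segment = {}
    for cust, seg, day, amount in txns:
        d = date.fromisoformat(day)
        segment[cust] = seg
        iso_year, iso_week, _ = d.isocalendar()
        totals[(cust, "daily", d.isoformat())] += amount
        totals[(cust, "weekly", f"{iso_year}-W{iso_week:02d}")] += amount
        totals[(cust, "monthly", f"{d.year}-{d.month:02d}")] += amount
    breaches = []
    for (cust, window, bucket), total in totals.items():
        limit = limits[segment[cust]][window]
        if total > limit:  # a limit that only blocks single transactions misses these
            breaches.append((cust, window, bucket, total, limit))
    return sorted(breaches)


if __name__ == "__main__":
    for cust, window, bucket, total, limit in audit_transaction_limits(SAMPLE_TXNS, LIMITS):
        print(f"{cust}: {window} total {total:,} in {bucket} exceeds limit {limit:,}")
```

Each finding names the customer, the window and the period, which is the evidence an auditor needs to establish whether the application enforces cumulative limits or only per-transaction ones.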

2. Database Security Review:

You will find detailed audit test procedures for the review of Oracle (8i, 9i, 10g, 11g and 12c), Microsoft SQL Server and MySQL databases here.