
OCHOA & REMILLETE ACCOUNTING FIRM

373 L. Santos St., Makati City, Philippines


oraccountingfirm@yahoo.com
525-6931 / 639-0119

Addressee: (Audit Committee of the Board of Directors of GALAXY BANK AND TRUST CORPORATION)

We have conducted an audit of the credit card application system of Assurance Credit Card, Incorporated
(ACCI), your company’s credit card service provider. Our audit also included tests of controls over
ACCI’s data processing resources at its data center. In view thereof, we are pleased to report our audit
findings and opinion, which will help GBTC decide whether it will still engage the credit card services of
ACCI for the next three (3) years. Presented below is the Executive Summary of our audit findings,
recommendations, and our audit opinion.

AUDIT REPORT

EXECUTIVE SUMMARY

BACKGROUND

GALAXY BANK AND TRUST CORPORATION (GBTC), a banking institution, has used the same
credit card service organization for over a decade. The bank uses the credit card application supplied
by Assurance Credit Card, Inc. (ACCI), a credit card service organization, as well as the data
processing resources at ACCI’s data center.

SCOPE OF AUDIT

In our IT audit of the controls of GALAXY BANK AND TRUST CORPORATION, the following
elements were audited:

- IT Access Controls
- Data Management System
- Administrative Security
- Security Management Control
- IT Security
- Operational IT functions, processes and activities

AUDIT OBJECTIVES AND RESULTS

The objective of this audit is to determine whether GALAXY BANK AND TRUST CORPORATION
should still engage the credit card services of Assurance Credit Card, Incorporated (ACCI) for the
next three (3) years, and whether ACCI’s controls can still give the bank assurance that it will receive
quality services.

SUMMARY OF AUDIT FINDINGS

The findings table has the columns Control Categories, Control Policies & Techniques, Audit Findings,
Results and Issues (split into Good Control and Weak Controls/Deficiencies) and Recommendations.
It is presented below as one entry per control category. No finding was classified as a good control;
every entry falls under weak controls/deficiencies.

Control category: Access Controls
Control policy / technique: Restricting access to production programs
Audit finding (weak control / deficiency): Systems programmers are given unrestricted access to the
System Management Facility (SMF), which is the primary audit trail in the MVS® operating system used
at the service organization. This facility is used to journal a wide variety of system events, including
ACF2 access control software information.
Recommendation: Logical access to production programs and data in the mainframe environment
should be granted only to appropriately authorized individuals.

Control category: Data Output
Control policy / technique: Outputs are accurate and complete
Audit finding (weak control / deficiency): The quality assurance department does not review output
from each plastic card production run for either embossing or encoding accuracy. Without quality
assurance or other review, incorrectly embossed or encoded credit cards could be distributed to user
institution customers. A possible ramification of an encoding error is that the daily withdrawal limit
located on track 3 of the card’s magnetic strip could be greater than the amount intended.
Recommendation: Output information should be tested for accuracy in embossing and encoding, and it
should be checked that credit limits are being followed.

Control category: Program Authorization
Control policy / technique: Restricting access to modification of programs
Audit finding (weak control / deficiency): Although the service organization has a policy that
authorizes only appropriate individuals to make program or other modifications, only rudimentary
password protection exists to ensure that the policy is followed. System security application software,
such as RACF® or ACF2®, is not installed to help prevent unauthorized modifications to application
software, data files, or system software.
Recommendation: The authorization policy should be adhered to strictly, and system security
application software, such as RACF® or ACF2®, should be installed.

Control category: Databases and Files
Control policy / technique: Consistently maintain adequate controls in databases
Audit finding (weak control / deficiency): Programmers are able to write and authorize their own
program changes to be placed into production without consistent review or approval. Once a program
is assigned to a programmer for modification, the completion of testing is generally at the
programmer’s discretion. System validation tests are not routinely performed to ensure that no source
code was accidentally deleted or otherwise improperly modified.
Recommendation: Logical access controls over production programs and data should be applied.
System validation tests should be routinely performed.

Control category: Computer Center Security
Control policy / technique: Review corporate policy about computer security
Audit finding (weak control / deficiency): The service organization does not have a designated person
who has responsibility for administering security. No formalized, documented security procedures exist
for the assignment of key cards allowing access to critical operational areas, for access to application
systems by service organization employees through the in-house security system, or for control of
programmer access through the ACF2 access control software. Security violation reports are not
routinely reviewed, passwords are not routinely changed, terminated and transferred employee
passwords and key cards are not always removed or modified on the appropriate systems on a timely
basis, and an excessive number of individuals are capable of performing password maintenance.
Recommendation: Physical access to computer equipment and storage media should be limited to
properly authorized individuals.

Control category: Operating System
Control policy / technique: Restrict access to operating systems to avoid system failures
Audit finding (weak control / deficiency): The Authorized Program Facility (APF) is provided by IBM to
control access to libraries of programs that can circumvent all security mechanisms of the operating
system, including the access control software. Most APF authorized libraries can be accessed only by
systems programmers whose job it is to maintain the programs in those libraries. However, one test
library was APF authorized and also allowed application programmers unrestricted access to it. As a
result, the possibility existed that an application programmer could run an unauthorized program.
Recommendation: Changes to existing software should be authorized, tested, approved, and
implemented properly.

Control category: System Development
Control policy / technique: Review the procedures for performing post-implementation reviews
Audit finding (weak control / deficiency): The service organization does not have a consistently
applied formal systems development methodology in place. Furthermore, written user approval of
systems prior to implementation is not always obtained by the service organization, program
documentation is not routinely prepared, and program modifications are sometimes placed into
production without supervisory review or user approval. As a result, there is an increased risk that
areas of user concern could be bypassed, important control features could be overlooked, and
programs may not be properly tested or designed to meet user specifications.
Recommendation: A formal systems development methodology should be consistently applied.
Approval from authorized personnel should always be required before implementation of systems and
of their modifications. Post-implementation reviews and appropriate tests should be performed to
ensure that user specifications have been met.

Control category: Data Inputs
Control policy / technique: Input data is accurate, complete, authorized, and correct.
Audit finding (weak control / deficiency): Application programmers have write access to a variety of
production source, parameter, cataloged procedure, and macro libraries. This access is not logged by
ACF2. Thus, programmers could make unauthorized changes to the source code, which might be placed
into production at a later time.
Recommendation: Logical access to production source should be granted only to appropriately
authorized individuals.

Control category: Disaster Recovery Plan
Control policy / technique: Ensure that the DRP is adequate and feasible for dealing with disasters
Audit finding (weak control / deficiency): System and production tapes, which would be required in
the event of a recovery of data processing service, are not always maintained in the offsite storage
facilities. The service organization’s disaster recovery plan is incomplete and lacking in detail in a
number of areas.
Recommendation: Administrative and operational procedures should be established within the service
organization data center to reasonably assure protection of physical assets and continuity of
operations.

Control category: IT Organization Structure Controls; Separation of Duties
Control policy / technique: Detailed, written instructions exist and are followed at all times. Manuals
necessary for operating specific applications are provided and adhered to.
Audit finding (weak control / deficiency): System validation tests are not routinely performed. There is
no segregation of duties: programmers do the writing, authorize changes without approval, and decide
on the completion of testing.
Recommendation: Documented job descriptions should accurately reflect assigned duties and
responsibilities and segregation of duty principles. All employees should fully understand their specific
duties and responsibilities and should carry out those responsibilities in accordance with their job
descriptions.
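The findings under Databases and Files, Operating System, Data Inputs and IT Organization Structure above all reduce to two conditions an auditor can test mechanically: no programmer should authorize, sign off testing for, or approve the production move of a change they wrote, and no APF-authorized library should be writable by anyone outside the systems programming group. The following Python script is an added illustration of such a control test; it is not part of the audit report and does not reflect ACCI's systems or any real ACF2/RACF extract format. The record layout, user names, library names and role table are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ChangeRecord:
    """One entry from a hypothetical change-management log (constructed format)."""
    change_id: str
    program: str
    developer: str                 # who wrote the change
    authorized_by: Optional[str]   # who authorized it; None = not recorded
    tested_by: Optional[str]       # who signed off testing; None = not signed off
    approved_by: Optional[str]     # supervisory/user approval before production
    in_production: bool            # whether the change has been moved to production


def sod_violations(rec: ChangeRecord) -> list:
    """Return the segregation-of-duties problems with one change record.

    A change is clean only when someone other than its developer authorized it,
    signed off its testing and, if it reached production, approved the move.
    """
    issues = []
    if rec.authorized_by is None:
        issues.append("no authorization recorded")
    elif rec.authorized_by == rec.developer:
        issues.append("developer authorized own change")
    if rec.tested_by is None:
        issues.append("testing not signed off")
    elif rec.tested_by == rec.developer:
        issues.append("developer signed off own testing")
    if rec.in_production:
        if rec.approved_by is None:
            issues.append("moved to production without approval")
        elif rec.approved_by == rec.developer:
            issues.append("developer approved own production move")
    return issues


def review_change_log(records) -> dict:
    """Map change_id -> list of issues, for records that have at least one issue."""
    result = {}
    for rec in records:
        issues = sod_violations(rec)
        if issues:
            result[rec.change_id] = issues
    return result


def apf_library_exposures(libraries, roles) -> list:
    """Flag APF-authorized libraries writable by anyone who is not a systems programmer.

    `libraries` maps library name -> {"apf": bool, "writers": set of user ids};
    `roles` maps user id -> role name. This is an assumed, simplified view of
    what an access-rule extract might give you, not a real product format.
    """
    findings = []
    for name, info in sorted(libraries.items()):
        if not info["apf"]:
            continue
        for user in sorted(info["writers"]):
            if roles.get(user) != "systems programmer":
                findings.append((name, user, roles.get(user, "unknown")))
    return findings


# Constructed sample data; none of it comes from the report.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-001", "CARDEMB", "alice", "bob", "carol", "dave", True),    # clean
    ChangeRecord("CHG-002", "CARDENC", "bob", "bob", "bob", None, True),          # self-authorized, self-tested, unapproved
    ChangeRecord("CHG-003", "LIMITCHK", "carol", None, "alice", "carol", True),   # no authorization, self-approved
    ChangeRecord("CHG-004", "RPTGEN", "dave", "alice", None, None, False),        # testing not signed off, not yet live
]

SAMPLE_LIBRARIES = {
    "SYS1.LINKLIB": {"apf": True, "writers": {"sysprog1"}},
    "TEST.APF.LOAD": {"apf": True, "writers": {"sysprog1", "bob"}},
    "APPL.LOADLIB": {"apf": False, "writers": {"bob", "carol"}},
}
SAMPLE_ROLES = {
    "sysprog1": "systems programmer",
    "bob": "application programmer",
    "carol": "application programmer",
}

if __name__ == "__main__":
    for cid, issues in review_change_log(SAMPLE_CHANGES).items():
        print(cid, "->", "; ".join(issues))
    for lib, user, role in apf_library_exposures(SAMPLE_LIBRARIES, SAMPLE_ROLES):
        print(f"APF library {lib} is writable by {user} ({role})")
```

Run against the sample data, the change-log review flags CHG-002, CHG-003 and CHG-004 and the library check flags the one APF-authorized test library that an application programmer can write to, which is the situation the Operating System finding describes. In practice the records would be pulled from the change-management system and the access-rule extract rather than typed in, but the two tests stay the same.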

AUDIT OPINION

In our opinion, the GALAXY BANK AND TRUST CORPORATION should not engage with
Assurance Credit Card, Incorporated (ACCI) anymore due to the numerous deficiencies and weaknesses
in the control environment, which can harm the company or put it at risk.

OCHOA & REMILLETE ACCOUNTING FIRM


Name of Auditing Firm

Harvey D. Ochoa & Jocelle D. Remillete


Signature over Printed Name of Audit Engagement Partner

March 8, 2019
Date of Audit Report
