CVOCA

MIGRATION AUDIT IN BANKS

Mitesh Chheda January 1, 2023 Auditing & Ethics ⏱️ 5 min read

Information technology has been growing and changing rapidly. Organizations are constantly revamping (update or replace) their information technology architecture and the related support systems to take advantage of these new developments in order to arrive at better informed decisions. This could be business reasons for a data migration of existing data in legacy or disparate applications, operating system, storage devices, etc to a new environment.

A system may be new, but updating does not bring the wished results, if the migrated data itself cannot provide a strong and reliable basis for the further operation. A significant part of the problems which occur during the replacement of IT systems originate from the data migration between the old and the new systems or from the data cleansing process. It is important to emphasize, that defining the scope of the data to be migrated and the criteria of a successful migration is a business task of utmost priority. If this task is neglected, that can significantly increase the costs of later corrections.

Auditors plays a vital role helping organization in smooth migration. Therefore Auditors (majorly CA firms) are appointed to provide Data Migration Assurance to ensure completeness, accuracy, consistency, integrity, stability & smooth transition of data from the source system to the target system. Many a time Banks/Companies appoints independent vendor to carry out migration and Auditors role is expected to liaison with the vendor to gain knowledge in the migration strategy, plan the migration methodology and the tool used for the migration process and is required to review the activities pointing out the deficiencies in the early stages itself to plug in the deficiencies noted.

Migration Lifecycle

The major activities in a typical migration project are

  • Understanding the scope & planning,
  • Pre-migration audit,
  • Actual migration event
  • Post-migration audit.

The expectations from the Auditor –

  • To understand the business requirements of application, which will allow the Auditor’s team to refer to the business requirements specification and explore the application under- test (AUT).
  • Auditor needs to prepare Audit strategy document listing the resources to be deployed, the roles and responsibilities of the Bank’s team members, the execution methodology, reporting methodology, documentation deliverable.
  • Auditor shall provide graphs and reports using information about requirements coverage, planning progress, run schedules or defect statistics. Bank can make informed decisions on whether an application is ready to go live.
  • The auditor should review the Risk Assessment documents and Business Continuity Plans.
  • Review the Audit results with the Bank. Report the results of the Audit and make recommendations to the authorities that it should be accepted.
  • The Auditor is expected to use best in class industry proven safeguards that prevents the misuse of information and appropriately protect the confidentiality, integrity and availability of information systems.
  • Auditor is expected to successfully complete the Audit and submit comprehensive Final Report to enable the bank to refer to any details at a future date in case of faults/errors or maintenance/upgradation.

WHEN THIRD PARTY VENDOR IS APPOINTED FOR DATA MIGRATION

  • Assuming the Bank has entrusted some outside Vendor for data migration from the source system to the target system then the Auditor is expected to liaison with the vendor to gain knowledge in the migration strategy, plan the migration methodology and the tool used for the migration process and is required to review the activities pointing out the deficiencies in the early stages itself to plug in the deficiencies noted.
  • The Auditor is expected to understand & review the mapping of source data to target including the new fields sourced to the target system.
  • Assurance process should cover Pre migration and post migration assurance as per banks requirement.
  • To provide an assurance that 100% data for the critical fields have been properly identified and accurately and completely migrated to relevant data fields in the target system by understanding and validating the migration controls, performing independent verification of Data migrations.
  • Review back up procedure so as to ensure availability of data under conversion ensuring that and not limited to that the data is backed up before migration for future reference or any emergency that may arise out of data migration process.
  • To provide assurance on the consistency of data and ensuring that the field/data called for from the migrated environment is consistent with that of the original application/data.
  • To provide an assurance that the historical data covering all the modules are correctly & completely migrated into the target system.
  • The Auditor is expected to verify and review the error logs pertaining to the pre-migration /post migration period and must liaise with the vendor and make available to the bank a review on the root cause analysis and the actions taken.
  • Further to the detailed analysis, the Auditor is expected to identify the gaps in data migration & also covering requirements as detailed above and provide a ‘Data Migration Audit Report’ stating the gaps identified in the data migration audit.
  • Signoffs from the business teams for successful migration and decommissioning of the legacy data

The Final Compliance Report should include, but not be limited to, the following information.

1. Review of Data Migration Strategy/methodology followed by Vendor

2. Review of Data Field Mapping performed by Vendor

3. Review of Data Migration Tools/ Scripts configured/developed by the Vendor.

4. Review of Data Validation Performed by Vendor

5. Review of logs of data migration activity and confirming as to the identified errors have been rectified by Vendor

6. Review of Post Data migration activities including GL balance Verification Post Migration & before GO Live. No manual verification is part of the compliance report.

Thank you for reading this article. I hope it helped you in understanding the process involved in Data Migration.

Share on:

Related Posts

Auditing & Ethics
Disciplinary Procedures and Code of Ethics Of ICAI: A Recent Overview
Introduction: The Institute of Chartered Accountants of India (ICAI) is...
Auditing & Ethics
Overview Of Code Of Ethics
Ethics has to be inculcated in the habit and temperament...
Auditing & Ethics
Understanding NOCLAR: A Multifaceted Concept
Introduction: The revised Code of Ethics for professional accountants has...
Scroll to Top