#1447930 - 09/24/10 02:41 PM Yellow Hammer Audit
sfow99 Offline
New Poster
Joined: Sep 2010
Posts: 3
We are a regional financial services holding company with assets of approximately $14 billion. The examiners wrote us up for never reviewing our Fraud and BSA applications (both Yellow Hammer), and our Director of Audit has tasked the IT Audit department with performing a quick 150-hour review. Biggest problem right now in planning is that our Director of Risk Systems has taken over the application and he really doesn't know the workings of the app from an operational standpoint (no idea what the core systems are, never reviews parameters for changes or whether they need to be tweaked, etc.) and it's been a struggle getting information from him other than being handed the client manual from the vendor.

All I'm trying to do is establish the risks from an IT Audit standpoint for both apps. My main test is to compare changes to parameters and Analysis Definitions to make sure they are appropriate, while also evaluating the change management process and the data integrity from the interfaces.

Can anyone provide additional insight on the risks to make sure I've covered everything? Would like to probe into some operational risks if time permits.

#1447965 - 09/24/10 03:11 PM Re: Yellow Hammer Audit sfow99
yankee07 Offline
New Poster
Joined: Aug 2010
Posts: 23
Never worked with Yellow Hammer, but like any app, I always start with who has adm rights and how users are added and deleted. I look at the whole flow of the data from start (input) to finish (output) to see gaps and changes that can be made to the data. If it is like all other BSA apps, it will have many feeds from wire systems to branch processing systems. I also would try to understand how the financial (operational) auditors are testing the BSA system and how they rely on the Yellow Hammer in their testing.
These are just some highlights to get you started thinking about your assignment.

#1448002 - 09/24/10 03:45 PM Re: Yellow Hammer Audit yankee07
Rocky P Offline
Power Poster
Joined: Jun 2003
Posts: 7,659
Florida
Jack Henry has awesome documentation on the process, functions, controls, etc. It came in a series of documents which should have been provided when the account was initially set up. You can contact JH/BSA, and also ask for a documentation package that you can provide to the regulator. It has a lot of great information including how the product works, why, controls, etc.
_________________________
Integrity. With it, nothing else matters. Without it, nothing else matters.

#1448043 - 09/24/10 04:18 PM Re: Yellow Hammer Audit Rocky P
BrendaC Offline
Power Poster
Joined: Sep 2001
Posts: 6,029
Sweet Home AL
As I recall, we performed one of our YH verification tests by printing out a list of cash transactions over the trigger tracking limit set on YellowHammer (ours was $2500 cash in or out) from our teller system Vertex. We compared the teller system's list of cash transactions to those shown in YellowHammer to confirm the accuracy of the tracking system. Auditors were satisfied with testing methodology and results.

Break down the functions you are using into manageable bits and bytes and you'll likely be able to identify some simple testing solutions.
_________________________
Life without Jesus is like an unsharpened pencil - it has no point.

#1457232 - 10/20/10 02:41 PM Re: Yellow Hammer Audit BrendaC
sfow99 Offline
New Poster
Joined: Sep 2010
Posts: 3
Thanks everyone! I just posted this to another forum erroneously; hopefully the repost is okay.

We are currently reviewing logical access on this application, which we have residing on an SQL server. Users are logging into the app using network/AD login, but are apparently remapped to a SQL credential - either rediuser or rediadmin. However, in trying to validate the permissions of each credential, the application administrator is unable to give us this evidence, along with evidence of what credential each user is being mapped to. Can anyone offer assistance here?


Moderator:  Andy_Z
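
One way to produce the permission evidence asked for in the last post, as an added example that is not from any poster or from the vendor: read-only T-SQL against SQL Server's own catalog views, assuming rediuser and rediadmin are SQL Server logins and that the queries are run in the application's database (its name is not given in the thread). It covers only the permissions half of the question; where the application records which AD user maps to which credential is not stated in the thread.

```sql
-- Added example: read-only evidence queries, typically run by the DBA while the
-- auditor observes. Run them in the context of the application's database.

-- 1. Server-level login properties and password-policy flags
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date, sp.modify_date,
       sl.is_policy_checked, sl.is_expiration_checked
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
WHERE sp.name IN (N'rediuser', N'rediadmin');

-- 2. Fixed server role memberships. A sysadmin member bypasses all permission
--    checks, so a hit here outweighs anything in queries 3 and 4.
SELECT m.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE m.name IN (N'rediuser', N'rediadmin');

-- 3. Database user mapped to each login (matched on SID) and its database roles.
--    db_owner membership means full control of this database.
SELECT sp.name AS login_name, dp.name AS db_user, r.name AS db_role
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
LEFT JOIN sys.database_role_members AS drm
       ON drm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = drm.role_principal_id
WHERE sp.name IN (N'rediuser', N'rediadmin');

-- 4. Explicit GRANT/DENY entries held directly by those database users.
--    Permissions inherited through a role from query 3 are not listed here;
--    repeat this query with the role name in dp.name to see them.
SELECT sp.name AS login_name, dp.name AS db_user,
       perm.state_desc, perm.permission_name, perm.class_desc,
       CASE WHEN perm.class = 1
            THEN OBJECT_SCHEMA_NAME(perm.major_id) + N'.' + OBJECT_NAME(perm.major_id)
       END AS securable_name
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
JOIN sys.database_permissions AS perm
     ON perm.grantee_principal_id = dp.principal_id
WHERE sp.name IN (N'rediuser', N'rediadmin')
ORDER BY login_name, class_desc, securable_name, permission_name;
```

Saving the four result sets with the server name and run date gives the workpaper evidence; an empty result from query 3 means the login has no user mapped in that database.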