other business process part 4

Electronic finance (e-finance) is an integral element of the financial services industry and enables providers to emerge within and across countries, including online banks, brokerages and companies that allow consumers to compare financial services such as mortgage loans and insurance policies. Nonfinancial entities have also entered the market, including telecommunication and utility companies that offer payment and other services.

• Lower costs
• Increased breadth and quality
• Widening access to financial services
• Asynchrony (time-decoupled)
• Atopy (location-decoupled)

By using credit scoring and other data mining techniques, providers can create and tailor products over the Internet without much human input and at a very low cost. These mechanisms should be used within privacy law statements (regarding confidentiality and authorization) to gather diverse user information and set up profiles.

Automated Teller Machine

An ATM is a specialized form of the POS terminal that is designed for the unattended use by a customer of a financial institution. ATMs are becoming retail EFT networks, transferring information and money over communication lines. The system must provide high levels of logical and physical security for both the customer and the machinery. The ATM architecture has a physical network layer, a switch and a communication layer connecting the various ATM POS terminals.

Recommended internal control guidelines for ATMs, apart from what has been provided for any EFT, include the following:

• Written policies and procedures covering disaster recovery, credit and check authorization
• Reconciliation of all general ledger accounts related to retail EFTs and review of exception items and suspense accounts
• Procedures for PIN issuance and protection during storage
• Procedures for the security of PINs during delivery and the restriction of access to a customer's account after a small number of unsuccessful attempts
• Systems designed, tested and controlled to preclude retrieval of stored PINs in any nonencrypted form, and other software containing formulas, algorithms and data used to calculate PINs must be subject to the highest level of access for security purposes
• Controls over plastic card procurement, which should be adequate and include a written agreement between the card manufacturer and the bank that details control procedures and methods of resolution to be followed if problems occur
• Controls and audit trails of the transactions that have been made in the ATM. This should include internal registration in the ATM, either in internal paper or digital media, depending on regulation or laws in each country and on the hosts that are involved in the transaction.

IS Auditor's Role in the Use of ATMs

• Review physical security to prevent introduction of
• Review measures to establish proper and maintenance of their
• Review file maintenance and retention system to trace transactions.
• to provide an audit trail.
• of ATM transactions including:
  – Review SoD in the opening of the ATM and recount of deposit.
  – Review the procedures made for the retained cards.
• Review physical security measures to ensure security of the ATM and the money contained in the ATM.
• Review the ATM card slot, keypad and enclosure to prevent skimming of card data and capture of PIN during entry.
• Review encryption key change management procedures.