other business process part 4 (IS Auditor’s Role in the Use of ATMs)
Electronic finance (efinance) is an integral element of the financial services industry and enables providers to emerge within and across countries,
including online banks, brokerages and companies that allow consumers to compare financial services such as mortgage loans and insurance policies.
Nonfinancial entities have also entered the market, including telecommunication and utility companies that offer payment and other services.
Benefits of efinance include:
• Lower costs
• Increased breadth and quality
• Widening access to financial services
• Asynchrony (time-decoupled)
• Atopy (location-decoupled)
By using credit scoring and other data mining techniques, providers can create and tailor products over the Internet with little human input and at very low cost.
These mechanisms must operate within the applicable privacy law and privacy statements (covering confidentiality and authorization) when gathering diverse user information and building customer profiles.
Automated Teller Machine
An ATM is a specialized form of the POS terminal designed for unattended use by a customer of a financial institution.
ATM systems are becoming retail EFT networks, transferring information and money over communication lines.
Because the machine holds cash and handles account credentials at an unattended location, the system must provide high levels of logical and physical security for both the customer and the machinery.
The ATM architecture has a physical network layer, a switch and a communication layer connecting the various ATM and POS terminals.
Recommended internal control guidelines for ATMs, apart from what has been provided for any EFT, include the following:
• Written policies and procedures covering disaster recovery, credit and check authorization
• Reconciliation of all general ledger accounts related to retail EFTs and review of exception items and suspense accounts
• Procedures for PIN issuance and protection during storage
• Procedures for the security of PINs during delivery and the restriction of access to a customer’s account after a small number of unsuccessful attempts
• Systems designed, tested and controlled to preclude retrieval of stored PINs in any nonencrypted form. Application programs and other software containing the formulas, algorithms and data used to calculate PINs must be subject to the most restrictive level of access control.
• Controls over plastic card procurement, which should be adequate and include a written agreement between the card manufacturer and the bank that details control procedures and the methods of resolution to be followed if problems occur
• Controls and audit trails of the transactions made at the ATM. This should include an internal journal in the ATM, on paper or on digital media depending on the regulation or laws of each country, and corresponding records on the hosts involved in the transaction.
IS Auditor’s Role in the Use of ATMs
• Review physical security to prevent introduction of
• Review measures to establish proper
and maintenance of their
• Review file maintenance and retention system to trace transactions.
to provide an audit trail.
of ATM transactions including:
– Review SoD in the opening of the ATM and recount of deposit.
– Review the procedures made for the retained cards.
• Review encryption key change management procedures.
• Review physical security measures to ensure security of the ATM and the money contained in the ATM.
– Review the ATM card slot, keypad and enclosure to prevent skimming of card data and capture of PIN during entry.
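The following is an added example, not code from the original page or from any ATM vendor or bank, showing what three of the controls above look like when implemented on the host: PINs are stored only as a keyed verification value that cannot be retrieved in nonencrypted form, an account is locked after a small number of unsuccessful attempts, the audit trail records every event without ever containing a PIN, and a PIN-key change migrates records without the host ever learning the PIN. HMAC-SHA256 stands in for the HSM-based PIN verification used in real ATM networks; the class and log field names, the key versioning scheme and the sample account numbers and PINs are all constructed for this illustration.

```python
"""Added illustration of host-side ATM PIN controls (not from the original page).
HMAC-SHA256 replaces the HSM-based PIN verification a real network would use;
key versioning, log fields and sample data are assumptions for the example."""
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # lock the account after a small number of wrong PINs


@dataclass
class AccountRecord:
    account_number: str
    pvv: bytes           # PIN verification value; the clear PIN is never stored
    key_version: int     # which PIN key derived the stored pvv
    failed_attempts: int = 0
    locked: bool = False


def mask_account(account_number: str) -> str:
    """The audit trail shows only the last four digits of the account number."""
    return "*" * (len(account_number) - 4) + account_number[-4:]


class PinVerifier:
    def __init__(self, initial_pin_key: bytes):
        self._pin_keys = {1: initial_pin_key}      # version -> key (assumed key store)
        self._current_version = 1
        self.accounts: dict[str, AccountRecord] = {}
        self.audit_log: list[dict] = []

    def _derive_pvv(self, account_number: str, pin: str, version: int) -> bytes:
        # Keyed one-way function of (account, PIN): without the PIN key the stored
        # value cannot be inverted, and even with it the PIN must be guessed online.
        msg = f"{account_number}:{pin}".encode()
        return hmac.new(self._pin_keys[version], msg, hashlib.sha256).digest()

    def _log(self, account_number: str, event: str, outcome: str) -> None:
        # Transaction audit trail: masked account, event, outcome; never a PIN.
        self.audit_log.append(
            {"account": mask_account(account_number), "event": event, "outcome": outcome})

    def enroll(self, account_number: str, pin: str) -> None:
        pvv = self._derive_pvv(account_number, pin, self._current_version)
        self.accounts[account_number] = AccountRecord(account_number, pvv, self._current_version)
        self._log(account_number, "PIN_ISSUED", "ok")

    def rotate_pin_key(self, new_key: bytes) -> int:
        """Key change: stored PVVs cannot be re-derived because the host has no PIN,
        so each record is migrated at its next successful verification."""
        self._current_version += 1
        self._pin_keys[self._current_version] = new_key
        self._log("-", "PIN_KEY_ROTATED", f"version {self._current_version}")
        return self._current_version

    def verify(self, account_number: str, pin_attempt: str) -> bool:
        acct = self.accounts[account_number]
        if acct.locked:
            self._log(account_number, "PIN_VERIFY", "denied: account locked")
            return False
        candidate = self._derive_pvv(account_number, pin_attempt, acct.key_version)
        if hmac.compare_digest(candidate, acct.pvv):        # constant-time comparison
            acct.failed_attempts = 0
            if acct.key_version != self._current_version:   # lazy migration to new key
                acct.pvv = self._derive_pvv(account_number, pin_attempt, self._current_version)
                acct.key_version = self._current_version
                self._log(account_number, "PVV_REKEYED", f"version {acct.key_version}")
            self._log(account_number, "PIN_VERIFY", "ok")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self._log(account_number, "PIN_VERIFY", "failed: account locked")
        else:
            self._log(account_number, "PIN_VERIFY",
                      f"failed ({acct.failed_attempts}/{MAX_FAILED_ATTEMPTS})")
        return False


def demo() -> dict:
    """Constructed walk-through: three wrong PINs lock the account, the correct PIN is
    then refused, no PIN ever appears in the audit trail, and a key change migrates
    a record on its next good verification."""
    verifier = PinVerifier(b"pin-key-v1 (constructed)")
    acct = "4000123412349876"
    verifier.enroll(acct, "2580")
    wrong_attempts = [verifier.verify(acct, p) for p in ("0000", "1111", "2222")]
    correct_after_lock = verifier.verify(acct, "2580")

    other = "4000987612345432"
    verifier.enroll(other, "7391")
    verifier.rotate_pin_key(b"pin-key-v2 (constructed)")
    rotated_ok = verifier.verify(other, "7391")

    pins_seen = ("2580", "0000", "1111", "2222", "7391")
    pin_in_log = any(p in str(entry) for entry in verifier.audit_log for p in pins_seen)
    return {
        "wrong_attempts": wrong_attempts,
        "locked": verifier.accounts[acct].locked,
        "correct_after_lock": correct_after_lock,
        "rotated_ok": rotated_ok,
        "rekeyed_version": verifier.accounts[other].key_version,
        "pin_in_log": pin_in_log,
    }


if __name__ == "__main__":
    for entry in PinVerifier(b"k").audit_log:
        print(entry)
    print(demo())
```

An auditor checking the controls listed above would look for exactly these properties: no code path that returns or logs the PIN, a lockout counter that is reset only on success, a constant-time comparison, and a documented way to retire a PIN key that does not require the PIN to be recoverable.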