ICQ provided October 13, 1998 by Deborah Ray (debray@ebicom.net)

EFT AUDIT - INTERNAL CONTROL QUESTIONNAIRE

Accounting and Processing
-------------
1. Is NBC's debit card system off-line or on-line?
2. Is a separate investigation unit in place to control customer inquiries, unposted items, rejects, differences, etc.?
   a) Do they periodically generate reports of outstanding items and aging for management?
3. Are adjustments (e.g., changes to deposits and reversals) to original retail EFT instructions received by an individual who does not have access to the data or customer files?

Personal Identification Numbers (PINs)
-------------
1. Is access to PIN data and operations completely removed from functions preparing or issuing plastic cards?
2. Are new PINs entered into the system by personnel who do not open accounts or have access to customer account information?
3. Are PINs issued in an environment that precludes matching them to customer account numbers or access forms (e.g., plastics)?
4. Is access to a customer's account restricted after a small series (e.g., three) of unsuccessful attempts to enter the correct PIN?
5. Do procedures prohibit PIN information from being released via telephone?
6. If PINs maintained on computer files must be accessed for maintenance purposes, are activities closely supervised and is each occasion logged?
7. When selecting PINs, are customers discouraged from using common words or sequence numbers that can easily identify the customer? (CheckCard Policy pg. 16 & 17)
8. Are PINs mailed separately from cards?
9. Are undelivered PIN mailers properly handled?
10. Is the PIN mailer secure?
11. Is customer selection of the PIN kept private?
12. Is a hard copy of PINs inaccessible to employees?
13. Are requests for reissue of PINs required to be in writing?
14. Is information on the need for PIN security provided to customers?
15. Are PINs coded and blocked from any displays or printed reports?
16. If PIN numbers are retained in master files, are they encrypted?
17. Are bank personnel who have custody of cards prohibited from also having custody of PINs at any stage (issuance, verification, or reissuance)?
18. If PIN information is to be transmitted, is it encoded?

Plastic Cards
-------------
1. Is it against policy for the bank to mail unsolicited cards?
2. After a card is issued, is there follow-up to ascertain whether both card and PIN were received/utilized by the proper customer?
3. Are procedures such as hot card lists and expiration dates used to limit the period of exposure if a card is lost, stolen or purposely misused?
4. Does the bank make available a regular report of new and approved ATM cards?
5. Is an applicant's mailing address compared to the Customer Information File?
6. Are cards issued only on approved applications?
7. Are rejected applications returned to the proper person?
8. Are undeliverable/returned ATM cards forwarded to a special area for proper handling?
9. Are damaged cards properly destroyed?
10. Is a follow-up mailer used to verify receipt of cards and, where appropriate, PIN numbers?
11. Are cards and PINs prepared separately with random timing?
12. Are captured cards under dual control of persons not associated with bank operation card issuance or PIN issuance?
13. Is there a well-defined procedure for handling machine-retained cards from other institutions?

Operational Controls
-------------
1. Are terminal and operator ID codes used for all types of retail EFT transactions?
2. Are access to and use of terminals used to change customer credit lines and account information adequately controlled?
3. Is each retail EFT transaction assigned a sequence number and terminal ID to provide an audit trail?
4. Are hot card and customer suspect lists regularly updated and distributed to each user location?
5. Are software and equipment maintenance personnel closely supervised?
   a) Are their activities logged?
6. Is access to the ATM system limited by user identification?
7. When passwords are issued and/or changed, are they recorded and distributed in such a way as to maintain their usefulness as a control mechanism?
8. Are all users restricted as to:
   a) What files they can access?
   b) What transactions they can initiate?
   c) Which banks they can access?
9. Are user levels of access and authority approved and periodically reviewed by management?
10. Are automatic time-out controls used, whenever practical?
11. Are passwords changed on a regularly scheduled basis?
12. Are passwords deleted when an individual leaves?
13. Are user passwords shared by other persons?
14. Are tests performed for:
   a) Withdrawal maximum?
   b) Transfer maximum?
   c) Withdrawal from hot card account?
   d) Automatic hot card?
   e) Withdrawal from dormant business account?
   f) Off-line limitations?
15. After testing, are sign-offs obtained that all funds withdrawn and cards issued have been returned?

Agreements/Contracts
-------------
1. Are there written agreements for all POS arrangements?

Contingency Planning
-------------
1. Are contingency plans reasonably comprehensive in relation to the volume and importance of the specific retail EFT activity to the bank's operation?
2. Do plans include restart and recovery procedures to ensure the continuity of transaction processing in the appropriate sequence?

PREPARED BY: ________________________________________________

DATE: __________________________

SOURCES: ____________________________________________________

Primary Sources:
-------------
FFIEC Information Systems Examination Handbook, 1996, Chapter 20. ("F")
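The following is an added worked example, not part of the questionnaire, the bank's procedures, or the FFIEC handbook it cites. It models in code what an examiner is asking about in PIN questions 4, 7 and 16: the account is locked after a small series (three is assumed here) of wrong PIN entries, customer-chosen PINs that are sequences, repeated digits, or copied from the account number or date of birth are refused at enrolment, and the master record holds a keyed one-way verifier rather than the clear PIN. The account number, PINs, attempt sequence and the inline key are constructed for the demonstration; a production system would keep the key in an HSM and verify PINs there, which this standalone script only approximates.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed threshold, matching "a small series (e.g., three)" in PIN question 4.
MAX_FAILED_ATTEMPTS = 3

# Constructed demo key so the example runs offline. In a real retail EFT host
# this key would live in an HSM and the host would never handle clear PINs
# (PIN questions 15, 16 and 18).
DEMO_PIN_KEY = b"constructed-demo-key-not-for-production"


def weak_pin_reasons(pin, account_number, birth_date=""):
    """Return the reasons a candidate PIN is easily guessed (PIN question 7).

    An empty list means the PIN passed every check. Rules are assumptions
    for the example: four digits, no repeated digit, no ascending or
    descending run, and not a substring of the account number or of the
    optional date-of-birth string (e.g. YYYYMMDD).
    """
    reasons = []
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending or descending sequence")
    if pin in account_number:
        reasons.append("appears in account number")
    if birth_date and pin in birth_date:
        reasons.append("appears in date of birth")
    return reasons


def make_verifier(account_number, pin):
    """Keyed one-way value stored in place of the clear PIN (PIN question 16)."""
    message = f"{account_number}:{pin}".encode()
    return hmac.new(DEMO_PIN_KEY, message, hashlib.sha256).digest()


@dataclass
class CardRecord:
    account_number: str
    verifier: bytes              # never the PIN itself
    failed_attempts: int = 0
    locked: bool = False
    log: list = field(default_factory=list)


def enrol(account_number, pin, birth_date=""):
    """Create a card record, refusing PINs that fail the weak-PIN checks."""
    reasons = weak_pin_reasons(pin, account_number, birth_date)
    if reasons:
        raise ValueError("PIN rejected: " + "; ".join(reasons))
    return CardRecord(account_number, make_verifier(account_number, pin))


def verify_pin(card, entered):
    """Check one PIN entry; lock the card after MAX_FAILED_ATTEMPTS failures."""
    if card.locked:
        card.log.append("rejected: card locked")
        return False
    expected = card.verifier
    if hmac.compare_digest(expected, make_verifier(card.account_number, entered)):
        card.failed_attempts = 0
        card.log.append("accepted")
        return True
    card.failed_attempts += 1
    card.log.append(f"wrong PIN ({card.failed_attempts} of {MAX_FAILED_ATTEMPTS})")
    if card.failed_attempts >= MAX_FAILED_ATTEMPTS:
        card.locked = True
        card.log.append("card locked: unlock requires bank intervention")
    return False


def run_demo():
    """Three wrong entries lock the card; the right PIN is then refused too,
    so further guessing cannot clear the lock. Values are constructed."""
    card = enrol("40012345678", "7391")
    outcomes = [verify_pin(card, guess) for guess in ("0000", "1234", "1111", "7391")]
    return {"outcomes": outcomes, "locked": card.locked, "log": card.log}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

The lock is deliberately one-way from the card's point of view: nothing the terminal user enters can reset `failed_attempts`, which is the property question 4 is probing for. The constant-time comparison avoids leaking which digits matched, and because only the verifier is stored, a copy of the master file does not expose PINs without the key.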