ATM Risk Management and Controls - EuroJournals

More documents

Recommendations

Info

166 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010) ATM Risk Management ATM risk management is a ongoing process of identifying, monitoring and managing potential risk exposure considering as ATMs relates to payment systems. The following should be considered:- • General Supervision • Transaction Processing • System administration Identifying the Various Areas The management can identify the major area of risks by doing an analysis or statistical sampling of the information given below. They should be able to form an opinion from this information below:- a) Total number of ATM’s and their usage. b) Time logged on/Settlement time. c) Number of Cardholders. d) Number of Transactions, e.g. Withdrawals and transfers etc. e) Total amount withdrawn of transferred etc. f) Number of ATM reports generated etc. and may more areas. g) Overall review of ATM management resources etc. Only after management have identified these areas can the controls be increased, changed or modified. It is important to determine a reasonable estimate of the overall value of the ATM installation. Care should also be taken in determining the value of the installed software. Estimating the ATM Loss Estimating losses can be difficult, Dr Catherine P Smith (1987) indicated “that normally the loss could be due to human error, technical error or deliberate action such as fraud, misuse or unauthorised use of the ATM card etc.” Most financial institutions treat ATM losses unless it is major as a small loss unless it is a major fraud. Normally the loss is only a very small percentage when compared to the overall volume and amount transacted within the bank. Alvin A, Arens and James K Loebbecke ( 1988) indicated “that it is not possible to establish my dollar- value guidelines as it depends on a number of factors which the management analyses and forms a decision”. Upon management identifying the risks, audit techniques can be used to evaluate the consequences of fraud or misuse at the ATM prior to recommending improved controls. There are several exposures to losses inherent in an ATM installation, e.g. exposure occurs when a customer transfers funds over communication links; customer’s financial data are subjected to fraudulent interception at many points. What should be done is to find a way to reduce risks and threats to an acceptable level and to provide a method of recovery of ATM losses. ATM Security Measures Normally security measures are divided into 2 groups. Firstly to reduce the losses at the ATM and secondly to find a way to fund or recover these losses.
167 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010) Measures to Reduce the Losses a). The ATM Audit Log The ATM audit log provides information that is recorded after the incident. The ATM audit log is useful as it identifies and diagnoses security violation. It traces figures contained in a report back to the point of processing and from processing to the source of the input. b). Encryption Encryption is an effective technique for protecting the ATM system. This technique is to make intercepted data useless to the interceptor by making it too difficult or too expensive to decipher. This means there is little risk if disclosure. c). Software Auditing R.M Richards and J. Yestingsmer (1986) indicated that “software audit techniques include a review of program listing, use to test input/output data with expected results and auditing of the ATM system processing program using error detectors built into the system. Tracing is software used by the auditor to identify which instructions were used in a program and in what order”. The advantage is that it helps to analyse the way in which the ATM program operates. Software auditing provides system integrity to management and also provides an opportunity for management to identify security and control weakness. There are several good security packages that can monitor an ATM software execution to detect possible tampering with the programs. These ATM utility programs provide the opportunity for management to examine that the ATM programs are being properly executed and are not being overridden or by-passed. By using the audit software, frauds and misuses can be detected in a timely manner. Controls In general the process should ensure Confidentiality, Integrity and Availability (CIA). This requirement should be addressed with controls implemented at different levels of the ATM implementation, such as General Application controls, business process controls, applications controls and Platform controls. 1. General ATM Operation and Organisation Controls The operation and organisational controls are designed to ensure that functions are segregated among individuals. There are two main important elements in an ATM system; firstly the magnetic card and secondly the PINs. Making of the PINs is not to be carried out by people who are processing the cards. Miklos A Vasarhelyi and Thomas W Lin (1988) indicated that “there should be segregation” in order to limit an individual to only one interface with the system. Most ATM systems rely heavily on programmed controls within the ATM system software; hence it is important to separate the system development individuals, e.g To separate:- • application testing from systems design and programming and • System software programming from application programming. Risks/Threats • Mailed cards being intercepted before reaching the authorised address. • Uncollected cards not only take up valuable space for storage but also pose a security risk to the bank through fraudulent use of these cards by bank staff.
Page 1 and 2: European Journal of Economics, Fina
Page 3 and 4: 163 European Journal of Economics,
Page 5: 165 European Journal of Economics,
Page 9 and 10: 169 European Journal of Economics,
Page 11: 171 European Journal of Economics,

ATM Risk Management and Controls - EuroJournals

Create successful ePaper yourself

Delete template?

Save as template?