ATM Risk Management and Controls - EuroJournals
167 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010)
Measures to Reduce the Losses
a). The ATM Audit Log
The ATM audit log provides information that is recorded after the incident. The ATM audit log is
useful because it identifies and diagnoses security violations. It traces figures contained in a report back to the
point of processing, and from processing to the source of the input.
b). Encryption
Encryption is an effective technique for protecting the ATM system. Its aim is to make
intercepted data useless to the interceptor by making it too difficult or too expensive to decipher. This
means there is little risk of disclosure.
c). Software Auditing
R.M Richards and J. Yestingsmer (1986) indicated that “software audit techniques include a review of
program listing, use to test input/output data with expected results and auditing of the ATM system
processing program using error detectors built into the system. Tracing is software used by the auditor
to identify which instructions were used in a program and in what order”. The advantage is that it helps
to analyse the way in which the ATM program operates.
Software auditing gives management assurance of system integrity and also provides an opportunity
for management to identify security and control weaknesses. There are several good security packages
that can monitor ATM software execution to detect possible tampering with the programs.
These ATM utility programs give management the opportunity to verify that the ATM
programs are being properly executed and are not being overridden or by-passed. By using the audit
software, frauds and misuses can be detected in a timely manner.
Controls
In general, the process should ensure Confidentiality, Integrity and Availability (CIA). This
requirement should be addressed with controls implemented at different levels of the ATM
implementation, such as general application controls, business process controls, application controls
and platform controls.
1. General ATM Operation and Organisation Controls
The operation and organisational controls are designed to ensure that functions are segregated among
individuals. There are two main elements in an ATM system: firstly the magnetic card and
secondly the PINs. The PINs must not be made by the people who process the cards.
Miklos A Vasarhelyi and Thomas W Lin (1988) indicated that “there should be segregation” in order
to limit an individual to only one interface with the system.
Most ATM systems rely heavily on programmed controls within the ATM system software;
hence it is important to separate the duties of the individuals involved in system development, e.g.
to separate:
• application testing from systems design and programming, and
• system software programming from application programming.
Risks/Threats
• Mailed cards being intercepted before reaching the authorised address.
• Uncollected cards not only take up valuable space for storage but also pose a security risk to the
bank through fraudulent use of these cards by bank staff.