Study unit 8.6 Flashcards
What is the EFT controls before payment
To prepare payment schedule
To sign reconciliation/payment schedule as proof of procedures performed
To approve payment
*review payroll/payment schedule for evidence of procedures performed
*unusual/abnormal items
What is the EFT controls effecting payment
Access controls
*access to EFT facility should be limited to A’s terminal
*strong physical access controls over A’s terminal with the dial up facility
*multi-level passwords from senior employees required to authorise transfer
*the ability to affect an EFT should be restricted to the user profiles of these senior employees only
*access to the different user profiles should be granted by means of unique user ID and password
*sound password controls should be in place
*once A accesses bank’s site on web, an OTP should be supplied by bank on A’s cell phone/e-mail
*time-out facilities
*limit number of log-on attempts
*bank identity terminal - call-back facility
*logging of unauthorised attempts to access
Least privilege:
*after identifying and authenticating user, a menu of functions available will appear on screen. Access to the specific functions on the menu will be limited/restricted through access tables which are linked to specific employees and their user IDs
Segregation of duties:
*3+ authorised employees should affect all EFT payments
- C and D, at their respective time, access the file of payments and review the file for reasonableness, access the MAF to verify details or view amendment logs, agree to supporting documentation
- Once C is satisfied with the payroll/payment schedule, C will select the first confirmation option on a system generated message which will be sent to D, informing D that the payment file is waiting for approval. C’s user ID and password should be required to effect the first confirmation
- Once D is satisfied with the payment file, D should click on the second confirmation, which cannot be activated before the first confirmation. D’s user ID and password should be required to effect the second confirmation, which will release the payment
- C and D should not have write access to the payment file
- The payment file will now be fully approved and should be automatically converted into a file compatible with the bank’s EFT software
Other validity controls:
*XYZ bank must identify the terminal at MNG by means of a call back facility/TINS
*after 3 unsuccessful attempts to access the EFT facility, there should be an automatic shutdown of the terminal
*an automatic timeout of the application should result after a specified period of time
*any violations of unauthorised access should be logged and followed up by management
Other contols:
*the net amount of salaries/creditor payments for the month should be transferred by EFT from the bank’s main bank account to a clearing account on a specific date each month. The individual payments to employees/creditors should then take place from the clearing account and not from the main bank account
*XYZ bank should acknowledge receipt of the payment information by way of SMS to both C and D
*as this is confidential information to be transferred, it should be encrypted
*use of firewalls is essential
*EFT transfers should be limited to a certain day and time
*a limit on the total amount that may be transferred within 24 hours and a limit on individual EFT payments should be agreed on with the bank
Edit checks
*Format testing/alphabetical/numerical check
*limit/reasonability testing
*validity testing
EFT controls for after payment
The system should supply an audit trail of all EFT payments made
The audit trail should be reconciled with the monthly payroll/payment file by A
Reconciliation of the clearing account and the main bank account should be timeously performed by independent personnel in accounting
These reconciliations should be reviewed and signed as approved by C
SMS confirmations to B and C
Compare payments of audit trail to supporting documents
