Controlling and Auditing Electronic Funds Transfers (EFTs)
Organizations of all types are making increasing use of Electronic Funds Transfers (EFTs). Whether it’s to pay employees, vendors or the government, to manage funds within / between financial institutions, or to accept card payments from consumers or other businesses, the prevalence of EFT is soaring.
And so are the risks, given that it’s essentially cash that is being transferred, using Internet-based transaction exchanges, taking place between different organizations that likely have wildly differing levels of control and security. The benefits of using EFT are clear, but they can quickly be overwhelmed by huge losses if important control measures are overlooked or ignored.
How can we ensure an appropriate level of control and security is in place for an organization using EFTs?
During this two-day seminar, we'll examine the risks associated with EFTs, as well as practical means to remediate them.
We’ll start with a review of common EFT models and their technology architectures, since understanding how these systems work is vital to controlling and auditing them. Based on this foundation, we can identify and evaluate the risks associated with various EFT processing scenarios.
We’ll then consider the wide variety of control mechanisms and measures available to mitigate these risks. These will include important general controls, such as governance over payment arrangements, network architecture, and security hardening practices. But we’ll also explore key business process controls, like payment reconciliation, transaction authorization limits, and required approvals, as well as approaches to monitoring and fraud detection. Finally, we’ll review audit testing techniques that can help determine the level of control compliance.
- Common EFT models and technology architectures, such as online banking with direct and recurring payments; Automated Clearing House (ACH) transfers; and Payment Card Industry card payments via web or point-of-sale devices.
- Risks to fund transfer integrity (i.e. completeness, accuracy, validity), confidentiality, and to a lesser extent, availability.
- Available control responses, ranging from technical measures, like encryption and advanced authentication, to basic business controls, such as payment reconciliation processes and proper segregation of duties.
After completing this course, you'll be able to tackle EFT systems used by your organization or audit client, evaluate the controls in place and any risks remaining, and offer recommendations for their remediation.
The course will benefit anyone responsible for identifying and addressing the risks of EFT systems, including internal and external auditors, compliance and risk management, information security management and staff, and of course the business areas (e.g. finance, payroll, sales) responsible for transacting electronic funds transfers in their many forms and modes.
In-person, group discussion
1. Course Introduction
2. Understanding EFT
- Architectures and technology components
- Processing modes
- Relationships / obligations among EFT participants
- Roles for third parties
- Implications of payment cards
3. Assessing EFT Risks
- Common threats and vulnerabilities within various processing scenarios
- Practical evaluation of likelihood / extent of loss for confidentiality, integrity, availability
- Examples of real-world EFT failures and their results
4. Case study: EFT Risk Assessment
5. Controlling EFT Security
- Governance components and requirements
- Key issues for Service Level Agreements (SLAs)
- Network architecture and security (e.g. isolating payment processing)
- Platform security requirements for access control
- Database architecture (location, access approach) and security
- Encryption for stored and transmitted data
- Monitoring for unauthorized access
- Testing and vulnerability management
- Overview of the Payment Card Industry Data Security Standard (PCI DSS)
6. Focus on Business Process Controls for EFT
- Governance components and requirements
- Payment reconciliation / balancing
- EFT limits, scheduling, out-of-band confirmation
- Required approvals and follow-up review
- Segregation of duties
- Monitoring for fraud
- Compensating for weak control environments
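The business process controls listed in section 6 (transaction limits, required approvals, segregation of duties, out-of-band confirmation of payee details, and payment reconciliation) can be expressed as a small policy check that an auditor could run against a batch of payment records. The following Python is an added illustration, not course material or a product's code: the payments, the ledger and bank statement entries, and the policy thresholds (a single-approval limit and a per-payment ceiling) are all constructed here for the example.

```python
"""Added example: enforcing and testing EFT business process controls.

All payments, ledger entries and policy thresholds below are constructed
sample data for illustration; they are not from any real system.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    pid: str                          # constructed payment identifier
    payee: str
    amount: Decimal
    initiator: str                    # user who keyed the payment
    approvers: tuple                  # users who approved it
    new_payee_details: bool = False   # payee bank details added/changed for this payment
    oob_confirmed: bool = False       # details confirmed by out-of-band call-back


@dataclass(frozen=True)
class Policy:
    # Hypothetical thresholds: above the first, two approvers are required;
    # nothing above the second may be released regardless of approvals.
    single_approval_limit: Decimal = Decimal("10000")
    per_payment_ceiling: Decimal = Decimal("100000")


def check_payment(p: Payment, policy: Policy = Policy()) -> list:
    """Return the list of control violations; an empty list means releasable."""
    issues = []
    if p.amount <= 0:
        issues.append("amount must be positive")
    if p.amount > policy.per_payment_ceiling:
        issues.append("exceeds per-payment ceiling")
    # Segregation of duties: the initiator may never be an approver.
    if p.initiator in p.approvers:
        issues.append("segregation of duties: initiator approved own payment")
    # Required approvals: count only approvers independent of the initiator.
    needed = 1 if p.amount <= policy.single_approval_limit else 2
    independent = set(p.approvers) - {p.initiator}
    if len(independent) < needed:
        issues.append(f"needs {needed} independent approver(s), has {len(independent)}")
    # Out-of-band confirmation guards against altered payee bank details.
    if p.new_payee_details and not p.oob_confirmed:
        issues.append("new payee bank details not confirmed out-of-band")
    return issues


def reconcile(ledger: dict, statement: dict) -> dict:
    """Compare what the payment system believes it sent (ledger) with what the
    bank reports (statement). Both map payment id -> amount."""
    common = ledger.keys() & statement.keys()
    return {
        "not_at_bank": sorted(set(ledger) - set(statement)),
        "unexpected_at_bank": sorted(set(statement) - set(ledger)),
        "amount_mismatch": sorted(k for k in common if ledger[k] != statement[k]),
    }


# Constructed sample batch covering one clean payment and four control failures.
SAMPLE_PAYMENTS = [
    Payment("P1", "Vendor A", Decimal("2500"), "alice", ("bob",)),
    Payment("P2", "Vendor B", Decimal("50000"), "alice", ("bob",)),
    Payment("P3", "Vendor C", Decimal("8000"), "carol", ("carol",)),
    Payment("P4", "Vendor D", Decimal("20000"), "dave", ("erin", "frank"),
            new_payee_details=True, oob_confirmed=False),
    Payment("P5", "Vendor E", Decimal("250000"), "alice", ("bob", "carol")),
]

# Constructed ledger vs. bank statement: one payment never reached the bank,
# one appeared at the bank without a ledger entry, one differs in amount.
SAMPLE_LEDGER = {"P1": Decimal("2500"), "P4": Decimal("20000"), "P6": Decimal("700")}
SAMPLE_STATEMENT = {"P1": Decimal("2500"), "P4": Decimal("20500"), "P7": Decimal("1200")}


def review_batch(payments=SAMPLE_PAYMENTS, policy: Policy = Policy()) -> dict:
    """Map each payment id to its list of violations."""
    return {p.pid: check_payment(p, policy) for p in payments}


if __name__ == "__main__":
    for pid, issues in review_batch().items():
        print(pid, "OK" if not issues else "; ".join(issues))
    print(reconcile(SAMPLE_LEDGER, SAMPLE_STATEMENT))
```

Running the batch flags P2 (a single approver on a payment above the single-approval limit), P3 (initiator approving their own payment, which also leaves it with no independent approver), P4 (changed payee bank details released without out-of-band confirmation) and P5 (above the per-payment ceiling), while the reconciliation surfaces a ledger entry missing at the bank, an unexpected bank debit, and an amount mismatch; each of those is a line item an auditor would expect the control owner to explain.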
7. Case study: EFT Control Recommendations
8. Audit Approaches for EFT Control Compliance
9. Course Wrap-up