Is daily access to the automated teller machine (ATM) made under dual control?
When maintenance is being performed on a machine, with or without cash in it, is a representative of the bank required to be in attendance?
Are combinations and keys to the machines controlled (if so, indicate controls)?
Do the machines and the related system have built-in controls that:
Limit the amount of cash and number of times dispensed during a specified period (if so, indicate detail)?
Capture the card if the wrong PIN (Personal Identification Number) is consecutively used?
Does the machine automatically shut down after it experiences recurring errors?
Is lighting around the machine provided?
Does the machine capture cards of other banks or invalid cards?
If the machine is operated “off line,” does it have negative file capability for present and future needs which includes lists of lost, stolen, or other undesirable cards which should be captured?
Is usage of an ATM by an individual customer in excess of that customer’s past history indicated on a “suspicious activity” report to be checked out by bank management (for example, three uses during the past 3 days as compared with a history of one use per month)?
Have safeguards been implemented at the ATM to prevent disclosure of a customer’s PIN during use by others observing the PIN pad?
Are “fish-proof” receptacles provided for customers to dispose of printed receipts, rather than insecure trashcans, etc.?
Does a communication interruption between an ATM and the central processing unit trigger the alarm system?
Are alarm devices connected to all automated teller machines?
For on-line operations, are all messages to and from the central processing unit and the ATM protected from tapping, message insertion, modification of message, or surveillance by message encryption (scrambling techniques)? (One recognized encryption formula is the National Bureau of Standards Algorithm.)
Are PINs mailed separately from cards?
Are bank personnel who have custody of cards prohibited from also having custody of PINs at any stage (issuance, verification, or reissuance)?
Are magnetic stripe cards encrypted (scrambled) using an adequate algorithm (formula) including a total message control?
Are encryption keys, i.e., scramble plugs, under dual control of personnel not associated with operations or card issuance?
Are captured cards under dual control of persons not associated with bank operation, card issuance, or PIN issuance?
Are blank plastics and magnetic stripe readers under dual control?
Are all cards issued with set expiration dates?
Are transaction journals provided that enable management to determine every transaction or attempted transaction at the ATM?
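The "suspicious activity" report in the question on customer usage can be produced directly from the transaction journals in the last question. The sketch below is an added example, not part of the original checklist; the card identifiers, journal layout, and the `factor`, `min_uses` and `history_days` thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def suspicious_activity_report(journal, as_of, window_days=3, history_days=180,
                               factor=5.0, min_uses=3):
    """List (card_id, recent_uses, expected_uses) for cards whose use in the
    last `window_days` exceeds `factor` times their own historical rate."""
    window_start = as_of - timedelta(days=window_days)
    history_start = window_start - timedelta(days=history_days)
    recent, past = defaultdict(int), defaultdict(int)
    for card_id, ts in journal:          # completed and attempted uses alike
        if window_start < ts <= as_of:
            recent[card_id] += 1
        elif history_start < ts <= window_start:
            past[card_id] += 1
    report = []
    for card_id, uses in recent.items():
        # Uses the card's history predicts for a window of this length.
        expected = past[card_id] * window_days / history_days
        # min_uses keeps a single withdrawal on a new card off the report.
        if uses >= min_uses and uses > factor * expected:
            report.append((card_id, uses, round(expected, 2)))
    return sorted(report)

# Constructed sample journal (not real data).
AS_OF = datetime(2024, 6, 30, 12, 0)
JOURNAL = (
    # CARD-A: one use per month, then three uses in the past 3 days.
    [("CARD-A", datetime(2024, m, 15, 10, 0)) for m in range(1, 7)]
    + [("CARD-A", datetime(2024, 6, d, 8, 0)) for d in (28, 29, 30)]
    # CARD-B: daily user for 60 days; three recent uses are normal for it.
    + [("CARD-B", datetime(2024, 6, 30, 9, 0) - timedelta(days=k)) for k in range(60)]
    # CARD-C: new card, two uses, below min_uses.
    + [("CARD-C", datetime(2024, 6, 29, h, 0)) for h in (10, 11)]
    # CARD-D: no history at all, four uses in the window.
    + [("CARD-D", datetime(2024, 6, 30, h, 0)) for h in (1, 2, 3, 4)]
)
REPORT = suspicious_activity_report(JOURNAL, AS_OF)

if __name__ == "__main__":
    for card_id, uses, expected in REPORT:
        print(f"{card_id}: {uses} uses in 3 days, history predicts {expected}")
```

Comparing each card against its own baseline, rather than a fixed count, is what keeps the daily user off the report while the once-a-month card with the same three uses is flagged.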