Pub. 11 2014 Issue 3

PIN SECURITY (continued from page 15)

OVER A CENTURY: BUILDING BETTER BANKS - HELPING NEW MEXICO REALIZE DREAMS | 16

tem would cause an audit finding because of the failure to meet the requirement to ensure that the “secure environment is physically, logically, and procedurally protected.”

In addition, almost every control in a PIN audit includes the statement “documented procedures exist and are followed.” The most common finding is a lack of written procedures relating to controls and procedures surrounding PIN and encryption-key management. Most findings can be avoided by ensuring that processes in place are well documented.

PIN standards also require that PINs are entered and encrypted within the PIN encryption device (PED); however, many ATM PIN pads don’t meet this standard. A list of approved PEDs is available online. Procedures should ensure that all new ATMs contain approved PEDs as part of the purchasing and installation process.

When an ATM is taken out of production, the encryption keys should be removed. Occasionally no evidence of the removal is available. However, procedures should include a formal process for taking ATMs out of production and removing the encryption keys. If a vendor performs this process, it should be required to provide some form of certification or evidence of key removal.

How Can a PIN Audit Add Value to My Organization?

The TR-39 covers numerous technical and operational areas. While the questions are specific to the scope of the encryption management process, the areas involved can be used as a “temperature check” for many other critical functions in the organization. Policies and procedures, vendor management, the Gramm-Leach-Bliley Act, information security, segregation of duties, employee onboarding, system access rights, and physical security are all areas that are addressed (either directly or indirectly) during the audit.

Organizations should talk to their auditor about approaching the audit as an opportunity to provide valuable feedback regarding best practices and process improvement opportunities.

Francis Tam has more than 18 years of public accounting and consulting experience. Francis works with the local Moss Adams teams to provide IT audit and internal control guidance to banking and financial services companies. You can reach him at (310) 295-3852 or francis.tam@mossadams.com. You can also reach Kim Nunley in the New Mexico Moss Adams office at (505) 878-7229 or kim.nunley@mossadams.com.
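The two ATM controls described above (approved PEDs on every in-service ATM, and documented evidence of key removal for every ATM taken out of production) can be checked continuously against an asset inventory rather than only at audit time. The following is an added example written for this article, not code from the authors or from Moss Adams; the inventory records, the approved-PED model names and the field names are constructed placeholders, and a real check would read the inventory from the bank's asset system and the approved list from the published PED list.

```python
"""Added example: inventory-driven check of two PIN-audit controls.

All records, model names and field names below are constructed
placeholders for illustration; they are not from the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed stand-in for the published list of approved PED models.
APPROVED_PEDS: Set[str] = {"PED-MODEL-A", "PED-MODEL-B"}


@dataclass
class Atm:
    """One asset-inventory record (hypothetical schema)."""
    atm_id: str
    status: str                              # "in_service" or "decommissioned"
    ped_model: str                           # PED model installed in the ATM
    key_removal_evidence: Optional[str] = None  # e.g. vendor certificate reference


# Constructed sample inventory: two in-service units, two decommissioned units.
SAMPLE_INVENTORY: List[Atm] = [
    Atm("ATM-001", "in_service", "PED-MODEL-A"),
    Atm("ATM-002", "in_service", "PED-LEGACY-X"),            # not on approved list
    Atm("ATM-003", "decommissioned", "PED-MODEL-A", "VENDOR-CERT-0001"),
    Atm("ATM-004", "decommissioned", "PED-MODEL-B"),          # no key-removal evidence
]


def check_inventory(atms: List[Atm], approved: Set[str]) -> List[Tuple[str, str]]:
    """Return (atm_id, finding) pairs for every control failure.

    Control 1: an in-service ATM must contain a PED from the approved list.
    Control 2: a decommissioned ATM must carry evidence that its encryption
               keys were removed (the article notes this evidence is often
               missing, so the check treats an empty field as a finding).
    """
    findings: List[Tuple[str, str]] = []
    for atm in atms:
        if atm.status == "in_service" and atm.ped_model not in approved:
            findings.append((atm.atm_id, "unapproved PED"))
        if atm.status == "decommissioned" and not atm.key_removal_evidence:
            findings.append((atm.atm_id, "no evidence of key removal"))
    return findings


def is_clean(atms: List[Atm], approved: Set[str]) -> bool:
    """True when the inventory produces no findings for either control."""
    return not check_inventory(atms, approved)


if __name__ == "__main__":
    for atm_id, finding in check_inventory(SAMPLE_INVENTORY, APPROVED_PEDS):
        print(f"{atm_id}: {finding}")
```

Running the check before each audit turns the "documented procedures exist and are followed" requirement into something the organization can demonstrate with a dated report: each finding maps to a specific ATM and to the control it fails, which is the evidence an auditor asks for.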
