Fraud Prevention Process – Debit and Credit Card Transactions - Audit Work Program


  Project Team (list members):

             Project Timing:                Date                           Comments
  Report Issuance (Local)
  Report Issuance (Worldwide)

Audit Objectives
To identify and evaluate the effectiveness of a debit and credit card service provider’s fraud prevention
process as it relates to the X system.

   Time                              Project Work Step                                  Initial            Index
             I. Planning Phase
             A. Planning meeting:
             1. Conduct a meeting with client to discuss and obtain management
             approval of scope, approach and timing of audit area.
             2. Determine the appropriate auditee contact(s).
             B. Prepare and distribute planning memo.

             C. Obtain an understanding of the audit area:

             1. Obtain and review policies and procedures for the department.
             2. Research any known best practices for the audit area and
             incorporate into the audit work and audit report, if appropriate.
             D. Prepare a preliminary document request list and distribute to
             auditee contact(s).
             E. Prepare and discuss expectations with team members.
             II. Fieldwork
             A. Conduct opening meetings with process owner to re-establish
             scope and timing of the review. Establish a schedule for status
             meetings and open-communication protocol. Determine the frequency
             of the business manager updates.
             B. Obtain the following:
             1. Organizational chart for the audited department (Fraud).
             2. Policies and procedures for the Fraud department and any other
             departments involved in fraud prevention/detection via the X system.
             3. A report of standard X system settings including, if possible, a
             description of the setting.
             4. A list of reports generated via the X system or utilized in the
             monitoring of fraudulent activities involving debit and credit cards
             including, if applicable, signature-based transactions.
             5. A copy of the latest report of the Fraud Department’s key
             performance measures.
             C. Gain an understanding of procedures for identifying and
             monitoring potentially fraudulent transactions.
             D. Observe and document (via flowcharts) the process for X and
             manual monitoring of fraudulent activity. Consider the following as a

          1. What are the system settings that identify and flag potentially
          fraudulent transactions?
          2. What is flagged: the transaction, the account, or both?
          3. What happens after a transaction (account) is flagged? Is the client
          contacted via phone or letter?
          4. What is the process for establishing the system settings?
          Determine if the Debit and Credit Card Service Provider is using X to
          its fullest potential.
          5. Are system settings credit union specific, or are they uniform
          regardless of the member credit unions? Determine if system settings
          are uniform across the various member credit unions.
          6. Are X system settings the same regardless of whether the
          transaction involves a debit or credit card?
          7. What about PIN- and signature-based transactions? Does X
          monitor both?
          8. How often are system settings reviewed? Who reviews them? Is
          there evidence of review? Determine if review efforts of X are
          9. Does X produce any management reports? If yes, what is done
          with these reports?
          10. Determine if a report is used to monitor PIN and signature-based
          11. What information is reviewed in the department to resolve
          potentially fraudulent transactions?
          12. What happens when a transaction (or account) is identified as an
          actual fraud? Is the credit union involved in the transaction contacted
          and/or is law enforcement notified?
          13. What manual monitoring activities for potentially fraudulent
          transactions occur in the department?
          14. What KPIs are used to measure performance?
          15. What happens before, during, and after hours when identifying
          fraudulent transactions?
          E. If settings vary by credit union, select a sample of (insert number)
          client numbers and obtain their system settings for identifying
          potentially fraudulent transactions.
          1. Determine if system settings are consistent, or varied.
          2. Determine if system settings are appropriate for the member credit
          F. Complete documentation of work papers.
          G. Validate audit findings with the process owner.
          H. Hold regular team status update meetings to discuss progress of
          the audit. Communicate any roadblocks preventing completion of
          III. Reporting
          A. Prepare draft report.
          1. Ensure appropriate auditee reviews draft and that any action items
          have been discussed with auditee.
          B. Issue final report.
          1. Issue preliminary report to Management. At this point
          management/auditee should agree on the timing of implementing
          action items identified and agreed to in the report. Responsibility for
          implementation should also be assigned.
          2. Validate the completeness and accuracy of all audit report content.
