National Automated Clearing House Association (NACHA) Rules echecks




National Automated Clearing House Association (NACHA) Rules echecks
The University of Texas at Austin Office of Internal Audits
UTA 2.302 471-7117

The University of Texas at Austin Internal Audit Committee

- Mr. William C. Powers Jr., Chair, President
- Dr. Steven W. Leslie, Executive Vice President and Provost
- Mr. Kevin P. Hegarty, Vice President and Chief Financial Officer
- Dr. Patricia L. Clubb, Vice President for University Operations
- Ms. Patricia C. Ohlendorf, Vice President for Legal Affairs
- Dr. Juan M. Sanchez, Vice President for Research
- Dr. Gage E. Paine, Vice President for Student Affairs
- Dr. Charles A. Roeckle, Deputy to the President
- Ms. Mary E. Knight, Associate Vice President and Budget Director
- Mr. Frank W. Maresh, CPA, External Member
- Mr. Rudolph H. Green, Director, University Compliance Services
- Mr. Cameron D. Beasley, University Information Security Officer
- Mr. Michael W. Vandervort, Director, Office of Internal Audits

The University of Texas at Austin Office of Internal Audits

Director: Assistant Directors: Auditor IV: Auditor III: Auditor I: IT Auditors: Student Interns:

- Michael Vandervort, CPA
- Kathey Mitchell, CIA, CGAP
- *Chris Taylor, CIA, CISA
- William Koenig, CIA, CGAP
- Brenda Guerrero
- Ashley Foster
- Cameosha Jones
- Caroline Poquez
- *Tod Maxwell, CISA, CISSP
- Brandon Morales, CISA, CGAP
- Victoria Hernandez
- Cameron Fletcher

* denotes project members

This report has been distributed to Internal Audit Committee members, the Legislative Budget Board, the State Auditor's Office, the Sunset Advisory Commission, the Governor's Office of Budget and Planning, and The University of Texas System Audit Office for distribution to the Audit, Compliance, and Management Review Committee of the Board of Regents.

National Automated Clearing House Association (NACHA) Rules - echecks
Project Number 799.12

TABLE OF CONTENTS

- Executive Summary
- Background
- Scope, Objectives, and Procedures
- Audit Results
- Conclusion

EXECUTIVE SUMMARY

The Office of Accounting provides individuals (typically students, faculty, and staff) the option of transferring funds via website using an electronic check (echeck) for payments to The University of Texas at Austin (UT Austin). Payments may include tuition, room and board, taxes, fees, and Bevo Bucks. Monetary transfers to UT Austin by echeck rather than by debit or credit card are processed through the Automated Clearing House (ACH) Network.

The National Automated Clearing House Association (NACHA) is a not-for-profit trade association that oversees the ACH Network. [1] NACHA Operating Rules require each Originator of Internet-Initiated/Mobile Entries [2] to conduct annual audits to ensure that the financial information the Originator obtains from Receivers is protected by commercially reasonable security practices. For echeck transactions in this network, the role of the individual making the payment is that of the Receiver and the role of UT Austin is that of the Originator.

The scope of this audit included the current controls associated with the Office of Accounting's echeck payment option. The audit objective was to determine compliance with NACHA 2012 Operating Rules for Internet-Initiated/Mobile Entries.

Based on interviews with relevant staff, a review of policies and procedures, a review of applicable IT system documentation, and limited testing, Internal Audits concludes that the Office of Accounting's echeck payment option is in compliance with NACHA 2012 Operating Rules for Internet-Initiated/Mobile Entries.

This audit was conducted as part of the Fiscal Year 2012 Audit Plan.

[1] NACHA Website - https://www.nacha.org/
[2] Internet-Initiated/Mobile Entries are defined by NACHA as debit entries to a consumer's account based on an authorization from the Receiver to the Originator via the Internet or Wireless Network, excluding oral authorization via these channels.

BACKGROUND

The Office of Accounting provides individuals (typically students, faculty, and staff) the option of transferring funds via website using an electronic check (echeck) for payments to The University of Texas at Austin (UT Austin). Payments may include tuition, room and board, taxes, fees, and Bevo Bucks. Monetary transfers to UT Austin by echeck rather than by debit or credit card are processed through the Automated Clearing House (ACH) Network.

The National Automated Clearing House Association (NACHA) is a not-for-profit trade association that oversees the ACH Network. [3] The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. [4] For echeck transactions in this network, the role of the individual making the payment is that of the Receiver and the role of UT Austin is that of the Originator.

Chapter 48 - Section V of the NACHA Operating Rules requires Originators of Internet-Initiated/Mobile Entries [5] to conduct an annual data security audit ensuring the financial information that the Originator obtains from Receivers is protected by commercially reasonable security practices that include:

- Adequate levels of physical security to protect against theft, tampering or damage,
- Personnel and access controls to protect against unauthorized access and use, and
- Network security to ensure capture, transmission, storage, distribution, and destruction.

For the fiscal year ending August 31, 2012, there were 83,206 echeck transactions collected through the Office of Accounting's webpages ("What I Owe," "My Tuition Bill," and "Institution Loans"). These transactions totaled approximately $145.7 million. At the time of the audit, UT Austin did not have a mobile device software application covered under NACHA rules and regulations.

[3] NACHA Website - https://www.nacha.org/intronacha
[4] NACHA Website - http://www.nacha.org/c/achns.cfm
[5] Internet-Initiated/Mobile Entries are defined by NACHA as debit entries to a consumer's account based on an authorization from the Receiver to the Originator via the Internet or Wireless Network, excluding oral authorization via these channels.

SCOPE, OBJECTIVES, AND PROCEDURES

The scope of this audit included the current controls associated with the Office of Accounting's echeck payment option. The audit objective was to determine compliance with NACHA 2012 Operating Rules for Internet-Initiated/Mobile Entries. To achieve this objective, the Office of Internal Audits (Internal Audits) staff:

- Reviewed NACHA 2012 Operating Rules for Internet-Initiated/Mobile Entries;
- Reviewed current UT Austin policies, procedures, and guidelines;
- Reviewed the current list of users with access to *DEFINE related echeck information;
- Reviewed supporting documentation;
- Interviewed staff from Information Technology Services and the Office of Accounting; and
- Performed limited testing of echeck transactions.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and with Government Auditing Standards.

AUDIT RESULTS

NACHA requires that at a minimum, the audit cover the following sections of the NACHA Operating Rules:

- Physical security
- Personnel and Access controls
- Network security

Although not required to be audited by NACHA, the following sections of the NACHA Operating Rules were included in the audit:

- Originating Depository Financial Institution Agreement
- Authorizations
- Authentication
- Fraudulent Transaction Detection Systems
- Verification of Routing Numbers
- Standard Entry Class (SEC) for web site (WEB) transactions

Internal Audits determined that echeck access is adequately controlled and other control processes are in place. There were no exceptions.

CONCLUSION

Based on interviews with relevant staff, a review of policies and procedures, a review of applicable IT system documentation, and limited testing, Internal Audits concludes that the Office of Accounting's echeck payment option is in compliance with NACHA 2012 Operating Rules for Internet-Initiated/Mobile Entries.