INtERNAl CONtROlS OvER ElEctRONic TRANSActiONS Why are

advertisement
Internal Controls over Electronic Transactions
1.
Whyareinternalcontrolsimportant?
x
ż
Asamatterofobligationtotheleadersoftheorganization–protecttheassets,reputation,
andpeopleoftheorganization
ż
Importanttoemployees–tobeprotectedfromfalseaccusation
ż
Importanttoconstituents–soundinternalcontrolpromotestrust
Someorganizationsminimizetheimportanceofinternalcontrol.
ż
We’retoobusy.
ż
We’retoosmall.
ƒ
ż
ż
2.
Wetrustouremployees.
ƒ
Weassumeyoutrustyourpeople–otherwisetheyshouldn’tbeemployees.
ƒ
Maintainingsoundinternalcontrolisnotapracticebasedonmistrust.
Havingsoundinternalcontrolnotonlyprotectstheorganization’sassets,italsoprotectsthe
reputationsofthoseinvolvedinadministeringtheassets.
Today’stopic:Internalcontroloverelectronictransactions
x
Internal control processes and systems designed to reduce the risk that embezzlement or
misappropriation could occur through electronic transactions and not be detected in a timely
manner
x
Internalcontrolcomesintwoprimaryforms:
x
3.
Capacityorsizeconcernscanbeaddressedbygivingthoughttomakingprocessesmore
efficient, using nonǦfinancial employees for certain roles, using volunteers where
appropriate,etc.
ż
Preventioncontrols–Designedto“keepsomethingbad”fromhappeninginthefirstplace
ż
Detectioncontrols–Intendedtoidentifyanoccurrence“afterǦtheǦfact”
Botharenecessaryinmaintainingsoundinternalcontrol.
Overarchingprinciplesforsoundinternalcontrol
x
Dualcontrol–Twoormorepeopleinvolvedintheprocess
4.
x
Segregationofduties–Individualsresponsibleforassetcustodyarenotalsoresponsibleforthe
relatedaccountingandreporting
x
Appropriate oversight and monitoring – Independent reviews of reconciliations, statements,
reports,etc.
Let’stalkaboutthedetails…
x
Oneprocessstarting(orcontinuing)togaintraction:
x
Remotedepositcapture(RDC)
ż
Theabilitytodepositacheckintoabankaccountfromaremotelocation,withouthavingto
physicallydeliverthechecktothebank
ƒ
ƒ
ż
Benefits
-
Checks clear faster and funds are available sooner, which result in improved cash
flow.
-
Laterdepositcutofftimes
-
Reducedcosts
-
Moreconvenient
Concerns
-
Riskofscanninganitemtwice(Hint:immediatelyendorsethechecks)
-
Securityconcernsbetweenthetimethecheckisprocessedandbeforeitisdestroyed
(often14days)
-
Datasecuritymeasures–thesystemcontainssensitivepersonalinformation
-
Compliancewithtermsofagreement
Internalcontrols
ƒ
ƒ
Problemscenario:Onepersonisresponsibleforcollectingandprocessingfunds.
-
Ariskofmisappropriationispresent(withorwithoutRDC).
-
Thisisespeciallyproblematicifthatpersonhasaccountingresponsibilitiesoverthe
funds.
Possiblescheme:skimming/stealing
ż
Solution:Ensureadequatedualcontrol
ƒ
Secure(processedandunprocessed)checksinalocationordevicerequiringdualaccess.
ƒ
Atleasttwopeopleshouldremovethechecksandbepresentduringprocessingthrough
thescanner.
ƒ
Endorsechecks to prevent duplicate deposit (check scanning equipment mayhave this
ability).
ƒ
Read the RDC service agreement…your banking institution may also have similar
requirementswrittenintotheagreement.
ƒ
Andremember!
-
x
Married persons or others with close personal relationships are considered “one”
personwhenitcomestodualcontrol.
IncomingACHorcreditcardpayments(includingwebǦbasedtransactions)
ż
ż
ż
ż
WhatexactlyisanACHtransaction?
ƒ
Payments received and processed by the Automated Clearing House (“ACH”), an
electronic network for financial transactions. ACH processes both credit and debit
transactions.
ƒ
Can occur in a variety of forms – web originated, personal account debit, telephone
originated, conversion of checks into ACH transactions (“back office conversion”), and
more.
Benefits
ƒ
Eliminatestimespentprocessingmanualpayments
ƒ
Moresecurethanphysicalreceiptifproperlysetup
Concerns
ƒ
Possibleunauthorizeduseofbankaccounts
ƒ
Divertingfundstopersonalaccounts
ƒ
Issuingfictitiouscreditstomerchantaccounts
Internalcontrols
ƒ
Problem scenario: One person sets up accounts, downloads (or initiates) transactions,
andreconcilesaccounts.
ƒ
Possiblescheme:Divertingfundstopersonalaccount
ƒ
Solution!
-
Segregateduties
(a) Separatedutyofinitiatingtransactionsfromtheaccounting
(b) Setupseparatedepositoryaccountsforelectroniccommerce(makesiteasierto
monitoractivity).
(c) Make sure the person authorized under the merchant services agreement to
makechangestothedepositoryaccountshasnoaccountingresponsibilities.
(d) Reviewcreditsissuedtomerchantaccountforpropriety.
Somesystemswillnotallowacredittoacreditcardnumberotherthantheone
used to initiate the transaction and some systems will not allow credits that
exceedpriorchargestothataccount.
(e) Donotsharepasswords.
x
Whataboutelectronicpayments?(Wire/ACH)
x
Problemscenario:Onepersonisresponsibleforinitiatingandauthorizingelectronicpayments.
ż
x
Possiblescheme:Paymentstoself,vendorsusedpersonally,orshellcompanies
Solution!
ż
Implementdualcontrol–
ƒ
ż
Segregateduties
ƒ
ż
Noonepersonshouldbeauthorizedtofullyexecutewiretransfersorsimilarelectronic
disbursementsalone.
The person(s) responsible for initiating or authorizing transactions should not be
responsiblefortherelatedaccounting.Ifyourelectronicdisbursementssystemisbuilt
intoyou”A/Pprocess,thesegregationofdutiesshouldbeanaspectofuserrights
assigned.
Also…
ƒ
Restrict the ability to transfer funds from “nonǦoperating” accounts outside the
organization.
ƒ
Consideraskingyourbanktosendanautomaticallygeneratedemailaftereachpayment
showingtheamountandtherecipientofthepayment.
-
This email should be received by someone outside of the payables and accounting
process.
ƒ
Haveaknowledgeablepersonnotdirectlyinvolvedinthedisbursementsprocessreview
thevendorlist:
-
Reviewvendorname,address,invoice/paymenthistory
-
Lookfor:
(a) Multiplevendorswiththesimilarnames
(b) Vendoraddressesthatappeartobepersonalhomeaddresses
(c) Multiple payments of the same dollar amount (especially round dollar amounts
oramountsjustbelowcertainthresholds)
(d) Significant payments to employees for other than normal travelǦtype
reimbursements
(e) Unfamiliarvendors(lookupontheinternet)
x
ƒ
Generate a report of changes to vendor information (monthly or other appropriate
interval).
ƒ
Bankmayofferan“ACHFraudFilter”–automaticallystopsallACHdebitsexceptthose
thecustomerspecificallypreǦauthorizes.
Whatis“positivepay”?
ż
A service, offered by nearly every bank. Matches the account number, check number, and
dollar amount of each check presented for payment against a list of checks previously
authorizedandissuedbytheorganization.
ż
Protectsagainstalteredchecksandcounterfeitchecks
ż
Itemsthatdonotmatcharenotcleared…theyareflaggedandtheorganizationisnotifiedof
thediscrepancies.
ż
Variation#1–Payeevalidationandpayeematch
ż
ƒ
Sameaspositivepay,exceptthefilealsocontainsthepayee’snameonthecheck
ƒ
Shouldidentifyalteredpayeenames
Variation#2–“Reverse”positivepay
ƒ
Checkspresentedforpaymenttothebankareprovidedtothecustomer.
ƒ
The customer has the opportunity to review the checks presented for payment and
determineiftheyshouldbepaidorreturned.
ƒ
Cheaperthantheotheralternatives,generallylesseffective
ż
x
Alwaysensurethattheprocessforpreparingthecheckfileanduploadingittothebankis
secureandnotsubjecttomanipulation.
Whataboutonlinebillpayment?
ż
Reducespaperandismoreenvironmentallyfriendly.
AND
ż
Itsavestimeandcostsovermanualprocesses.
ƒ
ż
Italsostreamlinestheapprovalprocess.
ƒ
Facilitates approvals and payment from people in multiple locations, including
traveling.
ż
Processgenerallyinvolvesscanning,faxing,oremailingbillstothepaymentprocessor.And
then,automatedprocessestakeoverǦinvoicesareroutedtopreǦdefinedapprovers.
ż
Thesetupoftheapprovalprocessiscritical…wanttoensuresimilarsegregationofduties–
thesamepersonresponsibleforfinalapprovalofpaymentshouldnotbethecheckpreparer
oraccountant.
ż
Someotherbenefits:
ż
x
ArecentarticleinTheWallStreetJournalstatedthatabusinesscheckcostsbetween$4
and$20tofullyprepareandprocessandthatthecostofwritingacheckcanbeasmuch
asfivetimesthecostofanelectronicpayment.
ƒ
Easiertostoreandretrieverecords
ƒ
Moresecurethanpaperchecks–bankaccountinformationisnotmakingitswaythrough
themailsystem
SomewellǦknownserviceproviders:
ƒ
http://www.bill.com/
ƒ
http://www.anybill.com/
Electronicpayrollprocessing
ż
Problemscenario
ƒ
ż
One person is responsible for all phases of payroll processing, including maintaining
personnel records, processingpayroll details,andtransmittingthedirectdepositfileto
eitheremployeesortothethirdǦpartypayrollprocessor.Nootherpartiescloselyreview
payrollreports.
Possibleschemes
ƒ
Fictitiousemployees
ƒ
Manipulationofpayamounts
ż
Solution!
ƒ
x
Segregateduties
-
Do not have one person responsible for all aspects of payroll maintenance,
preparation,andapprovals.
-
Thepersonresponsibleforexecutingdirectdeposittransactionsshouldbeseparate
from the person who prepares payroll and should review the payroll detail for
proprietybeforesubmittingthefilefordirectdeposit.
-
Payroll details should be reviewed by an appropriate (and independent) official for
each payroll, in a controlled manner. (Direct receipt of reports, direct download of
reports)
We’reevaluatingpotentialserviceproviderstohelpu•withtheseprocessingareas.
ż
Whatdowelookfor?
ƒ
Considerusingserviceprovidersthatcanproducea“SOC1”report.
ƒ
SOC=ServiceOrganizationControls
-
Report on Controls at a Service Organization Relevant to User Entities’ Internal
ControloverFinancialReporting
(a) Prepared in accordance with Statement on Standards for Attestation
Engagements(SSAE)No.16,ReportingonControlsataServiceOrganization
(b) Specifically intended to meet the needs of the management of “user” entities
(i.e.you)andtheuserentities’auditors(i.e.us)
(c) Evaluate the effect of the controls at the service organization on the user
organizations’financialstatements
(d) Therefore,theyare considereda componentoftheusers’internalcontrol…and
areusefultoauditorsinplanningandperforminganaudit.
ƒ
Twotypesofreports…
-
Type2(preferred)–
(a) Report on the fairness of the presentation of management’s description of the
service organization’s system and the suitability of the design and operating
effectivenessofcontrolsthroughoutaspecifiedperiod
-
Type1(goodbutnotgreat)–
(a) Report on the fairness of the presentation of management’s description of the
serviceorganization’ssystemandthesuitabilityofthedesignofthecontrolsas
ofaspecifieddate
-
ƒ
So…Type2includestestingtheoperatingeffectivenessofthecontrolsoveraperiod
of time. Type 1 does not…effectiveness of controls is generally tested based on a
muchsmallersampleandisonly“asof”apointintime.
Whyaretheyimportant?
-
Rapid and sustained growth in businesses outsourcing various functions to service
organizations, such as payroll processing companies, payment processors, cloud
computingproviders,etc.
-
Growthoftheseorganizationscontinuedthroughtherecessionascompaniesfaced
pressuretoimproveefficienciesandreducecosts.
-
Users submit (among other types of data) personal or confidential customer
informationtotheserviceorganization.
-
Financialtransactions…sorealmoneyisatrisk!
-
Responsibility over safeguarding that information remains with the user
organization.
-
SOC1auditsarefocusedonfinancialreportingrisksandcontrols(asspecifiedbythe
serviceprovider).
(a) These are most applicable when the service provider performs financial
transactionprocessing.Suchas:
i.
Payrollprocessing
ii. Transactionalprocessing(e.g.creditcardpayments)
iii. Assetmanagement
x
Whatdowelookforinthedocument?
ż
Anunmodified(unqualified)opinion
ż
Also pay attention to the stated control objectives, control activities, tests of operating
effectiveness,andresultsofthosetests.
ż
A SOC 1 audit is not the same as being compliant with the Payment Card Industry Data
SecurityStandardcompliance(“PCIDSS”).
ż
This is a set of requirements designed to ensure that all companies that process, store, or
transmit credit card information maintain a secure environment. (Regardless of size or
numberoftransactions)
ż
ASOC1auditismuch,muchmorecomprehensive.
x
WhataresomeotherthingsweshouldthinkaboutinthisageofeverǦincreasingelectronic
transactions?
ż
Besuretocontrolaccesstosystems…
ƒ
Itisveryimportanttoaddressproprietyofsystemaccessrights.
ƒ
Don’t allow persons with accounting or custody responsibilities to also be the system
administrator.
ƒ
Makesureassignedrightsareconsistentwithroles.Donotgiveaccesstoareasthatare
notnecessarytoperformthejob.
ƒ
Never,eversharepasswordswithothers.
-
Don’twritedownpasswords.
-
Don’ttypepasswordswhileothersarewatching.
-
Don’temailpasswords.
ƒ
Ifthe“other”persondoessomethinginappropriate,itisgoingtobedifficulttodefend
youractions.
ƒ
Considerchangingpasswordsonaregularbasis.
ƒ
But…we are human…if you inadvertently (or purposefully!)shareyourpassword…don’t
makeabadsituationworse.Comeclean,andgetitchanged!
Further…
ƒ
Immediatelyturnoffallaccessforterminatedemployees
ƒ
Practiceothersoundinternalcontrolactivities
-
Monitoring
(a) TopǦlevel official (or designee) [authorized signer] should receive the bank
statementsdirectly(unopened),reviewthebankstatementsandcheckimages,
andfollowǦuponunusualitems.
(b) Consideronlinereviewifphysicalreviewisnotdesiredorpracticable.
-
Independent(andtimely)reconciliationofbankaccounts
-
Reviewreconciliationsandcomparetobalancesinfinancialreports
ƒ
ƒ
x
-
Canassistnewemployeesinunderstandingtheirroles
-
Canalsoassistmanagementinreviewingprocessesforefficiencyandpropercontrols
Requirevacationdaysandrotatedutiesoccasionally.
EmergingAreas
ż
ż
Consider documenting in a flowchart significant processing areas looking for holes or
weaknesses.
Mobilegiving
ƒ
MakegivingaseasyasbuyingfromAmazon!
ƒ
Studiesindicatethat1outofevery3peopleintheU.S.usetheirmobiledeviceastheir
primarytooltoaccesstheinternet.
ƒ
PayPalreportsthatglobally,thetotalvalueofmobiledonationsinDecember2012was
242percentlargerthanDecember2011.
ƒ
http://www.scribd.com/doc/127510224/WhyǦMobileǦMattersǦAǦGuideǦtoǦtheǦMobileǦ
Web
ƒ
Givingbytextwhichisbilledstraighttocellphone–nopaperworkorformstocomplete
Crowdfunding
ƒ
Manysmall“microgifts”
ƒ
Goodforspecificprojects
ƒ
Kickstarter,Indiegogo–popularcrowdfundingplatforms
ƒ
Questionstoask:
-
Whatfeesarecharged?
-
Willtheplatformallowmetohavethedonors’information?
-
Howwilltheyusethatinformation?(Whatistheirprivacypolicy?)
-
Whenwillwereceivethefunds?(Howmanydayslater?)
-
Whatinternalcontrolsdoesthesiteprovidermaintaintoensurethatwewillreceive
allthefundswearesupposedtoreceive?
-
Considerstatecharitablesolicitationregistrationrequirements.
Thankgoodness.Wemadeit!Whatnow?
Ifyouhavethebasescovered–congratulations!Continuetobevigilant.
If you believe your organization is vulnerable in any of the areas discussed previously…start by
identifyingspecificrisks.
x
Developspecificcontrolstoaddresstherisks.
x
Trainandeducateemployees.
x
Implementthenewcontrols.
x
Monitor…followǦupwithstaffregularlytomakesurethecontrolsareconsistentlyapplied.
Download