Internal Controls over Electronic Transactions 1. Whyareinternalcontrolsimportant? x ż Asamatterofobligationtotheleadersoftheorganization–protecttheassets,reputation, andpeopleoftheorganization ż Importanttoemployees–tobeprotectedfromfalseaccusation ż Importanttoconstituents–soundinternalcontrolpromotestrust Someorganizationsminimizetheimportanceofinternalcontrol. ż We’retoobusy. ż We’retoosmall. ƒ ż ż 2. Wetrustouremployees. ƒ Weassumeyoutrustyourpeople–otherwisetheyshouldn’tbeemployees. ƒ Maintainingsoundinternalcontrolisnotapracticebasedonmistrust. Havingsoundinternalcontrolnotonlyprotectstheorganization’sassets,italsoprotectsthe reputationsofthoseinvolvedinadministeringtheassets. Today’stopic:Internalcontroloverelectronictransactions x Internal control processes and systems designed to reduce the risk that embezzlement or misappropriation could occur through electronic transactions and not be detected in a timely manner x Internalcontrolcomesintwoprimaryforms: x 3. Capacityorsizeconcernscanbeaddressedbygivingthoughttomakingprocessesmore efficient, using nonǦfinancial employees for certain roles, using volunteers where appropriate,etc. ż Preventioncontrols–Designedto“keepsomethingbad”fromhappeninginthefirstplace ż Detectioncontrols–Intendedtoidentifyanoccurrence“afterǦtheǦfact” Botharenecessaryinmaintainingsoundinternalcontrol. Overarchingprinciplesforsoundinternalcontrol x Dualcontrol–Twoormorepeopleinvolvedintheprocess 4. x Segregationofduties–Individualsresponsibleforassetcustodyarenotalsoresponsibleforthe relatedaccountingandreporting x Appropriate oversight and monitoring – Independent reviews of reconciliations, statements, reports,etc. Let’stalkaboutthedetails… x Oneprocessstarting(orcontinuing)togaintraction: x Remotedepositcapture(RDC) ż Theabilitytodepositacheckintoabankaccountfromaremotelocation,withouthavingto physicallydeliverthechecktothebank ƒ ƒ ż Benefits - Checks clear faster and funds are available sooner, which result in improved cash flow. - Laterdepositcutofftimes - Reducedcosts - Moreconvenient Concerns - Riskofscanninganitemtwice(Hint:immediatelyendorsethechecks) - Securityconcernsbetweenthetimethecheckisprocessedandbeforeitisdestroyed (often14days) - Datasecuritymeasures–thesystemcontainssensitivepersonalinformation - Compliancewithtermsofagreement Internalcontrols ƒ ƒ Problemscenario:Onepersonisresponsibleforcollectingandprocessingfunds. - Ariskofmisappropriationispresent(withorwithoutRDC). - Thisisespeciallyproblematicifthatpersonhasaccountingresponsibilitiesoverthe funds. Possiblescheme:skimming/stealing ż Solution:Ensureadequatedualcontrol ƒ Secure(processedandunprocessed)checksinalocationordevicerequiringdualaccess. ƒ Atleasttwopeopleshouldremovethechecksandbepresentduringprocessingthrough thescanner. ƒ Endorsechecks to prevent duplicate deposit (check scanning equipment mayhave this ability). ƒ Read the RDC service agreement…your banking institution may also have similar requirementswrittenintotheagreement. ƒ Andremember! - x Married persons or others with close personal relationships are considered “one” personwhenitcomestodualcontrol. IncomingACHorcreditcardpayments(includingwebǦbasedtransactions) ż ż ż ż WhatexactlyisanACHtransaction? ƒ Payments received and processed by the Automated Clearing House (“ACH”), an electronic network for financial transactions. ACH processes both credit and debit transactions. ƒ Can occur in a variety of forms – web originated, personal account debit, telephone originated, conversion of checks into ACH transactions (“back office conversion”), and more. Benefits ƒ Eliminatestimespentprocessingmanualpayments ƒ Moresecurethanphysicalreceiptifproperlysetup Concerns ƒ Possibleunauthorizeduseofbankaccounts ƒ Divertingfundstopersonalaccounts ƒ Issuingfictitiouscreditstomerchantaccounts Internalcontrols ƒ Problem scenario: One person sets up accounts, downloads (or initiates) transactions, andreconcilesaccounts. ƒ Possiblescheme:Divertingfundstopersonalaccount ƒ Solution! - Segregateduties (a) Separatedutyofinitiatingtransactionsfromtheaccounting (b) Setupseparatedepositoryaccountsforelectroniccommerce(makesiteasierto monitoractivity). (c) Make sure the person authorized under the merchant services agreement to makechangestothedepositoryaccountshasnoaccountingresponsibilities. (d) Reviewcreditsissuedtomerchantaccountforpropriety. Somesystemswillnotallowacredittoacreditcardnumberotherthantheone used to initiate the transaction and some systems will not allow credits that exceedpriorchargestothataccount. (e) Donotsharepasswords. x Whataboutelectronicpayments?(Wire/ACH) x Problemscenario:Onepersonisresponsibleforinitiatingandauthorizingelectronicpayments. ż x Possiblescheme:Paymentstoself,vendorsusedpersonally,orshellcompanies Solution! ż Implementdualcontrol– ƒ ż Segregateduties ƒ ż Noonepersonshouldbeauthorizedtofullyexecutewiretransfersorsimilarelectronic disbursementsalone. The person(s) responsible for initiating or authorizing transactions should not be responsiblefortherelatedaccounting.Ifyourelectronicdisbursementssystemisbuilt intoyouA/Pprocess,thesegregationofdutiesshouldbeanaspectofuserrights assigned. Also… ƒ Restrict the ability to transfer funds from “nonǦoperating” accounts outside the organization. ƒ Consideraskingyourbanktosendanautomaticallygeneratedemailaftereachpayment showingtheamountandtherecipientofthepayment. - This email should be received by someone outside of the payables and accounting process. ƒ Haveaknowledgeablepersonnotdirectlyinvolvedinthedisbursementsprocessreview thevendorlist: - Reviewvendorname,address,invoice/paymenthistory - Lookfor: (a) Multiplevendorswiththesimilarnames (b) Vendoraddressesthatappeartobepersonalhomeaddresses (c) Multiple payments of the same dollar amount (especially round dollar amounts oramountsjustbelowcertainthresholds) (d) Significant payments to employees for other than normal travelǦtype reimbursements (e) Unfamiliarvendors(lookupontheinternet) x ƒ Generate a report of changes to vendor information (monthly or other appropriate interval). ƒ Bankmayofferan“ACHFraudFilter”–automaticallystopsallACHdebitsexceptthose thecustomerspecificallypreǦauthorizes. Whatis“positivepay”? ż A service, offered by nearly every bank. Matches the account number, check number, and dollar amount of each check presented for payment against a list of checks previously authorizedandissuedbytheorganization. ż Protectsagainstalteredchecksandcounterfeitchecks ż Itemsthatdonotmatcharenotcleared…theyareflaggedandtheorganizationisnotifiedof thediscrepancies. ż Variation#1–Payeevalidationandpayeematch ż ƒ Sameaspositivepay,exceptthefilealsocontainsthepayee’snameonthecheck ƒ Shouldidentifyalteredpayeenames Variation#2–“Reverse”positivepay ƒ Checkspresentedforpaymenttothebankareprovidedtothecustomer. ƒ The customer has the opportunity to review the checks presented for payment and determineiftheyshouldbepaidorreturned. ƒ Cheaperthantheotheralternatives,generallylesseffective ż x Alwaysensurethattheprocessforpreparingthecheckfileanduploadingittothebankis secureandnotsubjecttomanipulation. Whataboutonlinebillpayment? ż Reducespaperandismoreenvironmentallyfriendly. AND ż Itsavestimeandcostsovermanualprocesses. ƒ ż Italsostreamlinestheapprovalprocess. ƒ Facilitates approvals and payment from people in multiple locations, including traveling. ż Processgenerallyinvolvesscanning,faxing,oremailingbillstothepaymentprocessor.And then,automatedprocessestakeoverǦinvoicesareroutedtopreǦdefinedapprovers. ż Thesetupoftheapprovalprocessiscritical…wanttoensuresimilarsegregationofduties– thesamepersonresponsibleforfinalapprovalofpaymentshouldnotbethecheckpreparer oraccountant. ż Someotherbenefits: ż x ArecentarticleinTheWallStreetJournalstatedthatabusinesscheckcostsbetween$4 and$20tofullyprepareandprocessandthatthecostofwritingacheckcanbeasmuch asfivetimesthecostofanelectronicpayment. ƒ Easiertostoreandretrieverecords ƒ Moresecurethanpaperchecks–bankaccountinformationisnotmakingitswaythrough themailsystem SomewellǦknownserviceproviders: ƒ http://www.bill.com/ ƒ http://www.anybill.com/ Electronicpayrollprocessing ż Problemscenario ƒ ż One person is responsible for all phases of payroll processing, including maintaining personnel records, processingpayroll details,andtransmittingthedirectdepositfileto eitheremployeesortothethirdǦpartypayrollprocessor.Nootherpartiescloselyreview payrollreports. Possibleschemes ƒ Fictitiousemployees ƒ Manipulationofpayamounts ż Solution! ƒ x Segregateduties - Do not have one person responsible for all aspects of payroll maintenance, preparation,andapprovals. - Thepersonresponsibleforexecutingdirectdeposittransactionsshouldbeseparate from the person who prepares payroll and should review the payroll detail for proprietybeforesubmittingthefilefordirectdeposit. - Payroll details should be reviewed by an appropriate (and independent) official for each payroll, in a controlled manner. (Direct receipt of reports, direct download of reports) We’reevaluatingpotentialserviceproviderstohelpuwiththeseprocessingareas. ż Whatdowelookfor? ƒ Considerusingserviceprovidersthatcanproducea“SOC1”report. ƒ SOC=ServiceOrganizationControls - Report on Controls at a Service Organization Relevant to User Entities’ Internal ControloverFinancialReporting (a) Prepared in accordance with Statement on Standards for Attestation Engagements(SSAE)No.16,ReportingonControlsataServiceOrganization (b) Specifically intended to meet the needs of the management of “user” entities (i.e.you)andtheuserentities’auditors(i.e.us) (c) Evaluate the effect of the controls at the service organization on the user organizations’financialstatements (d) Therefore,theyare considereda componentoftheusers’internalcontrol…and areusefultoauditorsinplanningandperforminganaudit. ƒ Twotypesofreports… - Type2(preferred)– (a) Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectivenessofcontrolsthroughoutaspecifiedperiod - Type1(goodbutnotgreat)– (a) Report on the fairness of the presentation of management’s description of the serviceorganization’ssystemandthesuitabilityofthedesignofthecontrolsas ofaspecifieddate - ƒ So…Type2includestestingtheoperatingeffectivenessofthecontrolsoveraperiod of time. Type 1 does not…effectiveness of controls is generally tested based on a muchsmallersampleandisonly“asof”apointintime. Whyaretheyimportant? - Rapid and sustained growth in businesses outsourcing various functions to service organizations, such as payroll processing companies, payment processors, cloud computingproviders,etc. - Growthoftheseorganizationscontinuedthroughtherecessionascompaniesfaced pressuretoimproveefficienciesandreducecosts. - Users submit (among other types of data) personal or confidential customer informationtotheserviceorganization. - Financialtransactions…sorealmoneyisatrisk! - Responsibility over safeguarding that information remains with the user organization. - SOC1auditsarefocusedonfinancialreportingrisksandcontrols(asspecifiedbythe serviceprovider). (a) These are most applicable when the service provider performs financial transactionprocessing.Suchas: i. Payrollprocessing ii. Transactionalprocessing(e.g.creditcardpayments) iii. Assetmanagement x Whatdowelookforinthedocument? ż Anunmodified(unqualified)opinion ż Also pay attention to the stated control objectives, control activities, tests of operating effectiveness,andresultsofthosetests. ż A SOC 1 audit is not the same as being compliant with the Payment Card Industry Data SecurityStandardcompliance(“PCIDSS”). ż This is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. (Regardless of size or numberoftransactions) ż ASOC1auditismuch,muchmorecomprehensive. x WhataresomeotherthingsweshouldthinkaboutinthisageofeverǦincreasingelectronic transactions? ż Besuretocontrolaccesstosystems… ƒ Itisveryimportanttoaddressproprietyofsystemaccessrights. ƒ Don’t allow persons with accounting or custody responsibilities to also be the system administrator. ƒ Makesureassignedrightsareconsistentwithroles.Donotgiveaccesstoareasthatare notnecessarytoperformthejob. ƒ Never,eversharepasswordswithothers. - Don’twritedownpasswords. - Don’ttypepasswordswhileothersarewatching. - Don’temailpasswords. ƒ Ifthe“other”persondoessomethinginappropriate,itisgoingtobedifficulttodefend youractions. ƒ Considerchangingpasswordsonaregularbasis. ƒ But…we are human…if you inadvertently (or purposefully!)shareyourpassword…don’t makeabadsituationworse.Comeclean,andgetitchanged! Further… ƒ Immediatelyturnoffallaccessforterminatedemployees ƒ Practiceothersoundinternalcontrolactivities - Monitoring (a) TopǦlevel official (or designee) [authorized signer] should receive the bank statementsdirectly(unopened),reviewthebankstatementsandcheckimages, andfollowǦuponunusualitems. (b) Consideronlinereviewifphysicalreviewisnotdesiredorpracticable. - Independent(andtimely)reconciliationofbankaccounts - Reviewreconciliationsandcomparetobalancesinfinancialreports ƒ ƒ x - Canassistnewemployeesinunderstandingtheirroles - Canalsoassistmanagementinreviewingprocessesforefficiencyandpropercontrols Requirevacationdaysandrotatedutiesoccasionally. EmergingAreas ż ż Consider documenting in a flowchart significant processing areas looking for holes or weaknesses. Mobilegiving ƒ MakegivingaseasyasbuyingfromAmazon! ƒ Studiesindicatethat1outofevery3peopleintheU.S.usetheirmobiledeviceastheir primarytooltoaccesstheinternet. ƒ PayPalreportsthatglobally,thetotalvalueofmobiledonationsinDecember2012was 242percentlargerthanDecember2011. ƒ http://www.scribd.com/doc/127510224/WhyǦMobileǦMattersǦAǦGuideǦtoǦtheǦMobileǦ Web ƒ Givingbytextwhichisbilledstraighttocellphone–nopaperworkorformstocomplete Crowdfunding ƒ Manysmall“microgifts” ƒ Goodforspecificprojects ƒ Kickstarter,Indiegogo–popularcrowdfundingplatforms ƒ Questionstoask: - Whatfeesarecharged? - Willtheplatformallowmetohavethedonors’information? - Howwilltheyusethatinformation?(Whatistheirprivacypolicy?) - Whenwillwereceivethefunds?(Howmanydayslater?) - Whatinternalcontrolsdoesthesiteprovidermaintaintoensurethatwewillreceive allthefundswearesupposedtoreceive? - Considerstatecharitablesolicitationregistrationrequirements. Thankgoodness.Wemadeit!Whatnow? Ifyouhavethebasescovered–congratulations!Continuetobevigilant. If you believe your organization is vulnerable in any of the areas discussed previously…start by identifyingspecificrisks. x Developspecificcontrolstoaddresstherisks. x Trainandeducateemployees. x Implementthenewcontrols. x Monitor…followǦupwithstaffregularlytomakesurethecontrolsareconsistentlyapplied.