Through the pandemic, electronic payment methods gained additional attention and became increasingly popular. Electronic payments offer convenience and time savings advantages, but they also present challenges such as security concerns and internal opportunities to circumvent established controls.
There are multiple methods and platforms available to execute electronic payment transactions. The following provides best practices for maintaining strong controls when utilizing online bill pay services, ACH payments, and wire transfers.
Regardless of the electronic payment method, it is essential to identify potential risks and continue to meet internal control objectives. Specifically, controls established to segregate the approval, processing, and authorizing of the related payment should continue to exist with electronic payments.
We do not intend the best practices identified below to be all-inclusive, but we hope the information will be a useful resource in this area.
Online Bill Payment
Many banks offer online bill payment services in addition to third party vendors, such as Bill.com.
Prior to contracting with a provider, ensure the bill payment service offers the necessary controls that allow your organization to meet its internal control objectives.
One of the key internal control objectives is the ability to obtain the desired level of segregation of duties. Specifically, bill payment services should provide a platform to ensure that two individuals are involved in the processing of the payment: one individual would process the payment, and the other individual would approve the payment. The individual approving the payment should not have the ability to make changes to the amount or recipient.
The following table provides a simple illustration of the bill payment process when using a check or an electronic payment.
|Individual|Physical Checks|Electronic Payments|
|---|---|---|
|Supervisor/Department Head|Approve invoices for payment|Approve invoices for payment|
|Accountant|Enter invoices in Accounts Payable system|Enter invoices in Accounts Payable system*|
|Accountant|Print checks for signature|Enter payment in bill pay system|
|Authorized check signer|Review supporting documentation and sign check|Review supporting documentation and approve payment in bill pay system|
|Accountant|Perform bank reconciliation|Perform bank reconciliation|

*Some online bill payment services integrate with the organization’s general ledger system, so manually entering invoices into the general ledger system may not be necessary.
In addition to controls regarding the segregation of duties, the organization should also consider the following when evaluating the use of online bill payment services:
- Ensure that each individual has a unique log-in and password.
- Determine if the bill payment service offers two-factor authentication as a security measure to protect against the risk of cyber fraud. Two-factor authentication typically requires the user to enter a security code that is received by text message, by email, or from a token.
- Consider establishing a separate cash account that is used solely for making disbursements. This type of account is referred to as a disbursement clearing account.
- Ensure that the appropriate supervisor continues to document their approval on the face of the invoice.
- Determine how the invoice will be transmitted to the payment approver. For instance, will the invoice be stored electronically or continue to be stored on paper? Some services, such as Bill.com, allow for electronic storage of the invoice. Many accounting packages, including QuickBooks, also support paperless storage.
- Most reputable online bill payment providers should undergo a SOC 2 audit. The SOC 2 report helps ensure the vendor has adequate information and IT security controls. The SOC 2 report also lists the user controls the vendor recommends its customers put in place. Organizations should evaluate the SOC 2 report and implement the recommended user controls.
- Establish a strong working relationship with the vendor’s representative to ensure any control concerns can be addressed under their platform.
- Have management or another authorized representative generate vendor payment reports directly from the bill payment system to ensure that all payments are valid and properly approved. This practice helps address the risk that the individual processing the bill was also the individual that approved the bill.
ACH Payments
The most popular method of transferring money is through the Automated Clearing House (ACH), an electronic network used by financial institutions to process transactions in batches. A typical ACH transfer takes a couple of days to process and to clear the receiving financial institution.
Examples of ACH transfers include payroll direct deposit, automatic loan payment withdrawals, and online bill pay (see above). ACH payments can be set up as one-time or recurring transactions.
The following items should be considered when assessing controls surrounding ACH Payments:
- Work closely with your bank to determine what parameters currently exist around ACH payments for a particular account. Determine who can establish an ACH payment and if management approval is required. Determine if dollar thresholds have been established for ACH payments.
- Inquire regarding the bank’s ability to offer ACH Positive Pay. This service allows the organization to establish a list of approved vendors that are paid automatically. The organization can establish dollar threshold parameters. Any electronic transaction that occurs outside of these boundaries generates an alert so you can decide whether it is legitimate and approve or deny the transaction.
- Establish an ACH Debit Block feature to reject ACH debits against the account that the organization has not authorized.
- Review online bank account activity frequently and ensure that any ACH payments are expected and approved.
- Consider using an ACH payment voucher form that is created internally. This form would allow the authorized check signer to document their approval. However, be aware that if ACH fraud were to occur, the initiator would most likely not submit a request to management for approval. Therefore, management should ensure that ACH payments on the bank statement are reviewed for validity.
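The Positive Pay and debit-block bullets above describe screening rules, and the last bullet describes a management review of the statement. The following Python is an added illustration of that logic; it is not from the original article and is not any bank's actual Positive Pay implementation. The company IDs, originator names, dollar ceilings, trace numbers, and voucher numbers are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AchDebit:
    trace: str          # bank trace number for the entry (constructed)
    company_id: str     # identifies the originator pulling the funds (constructed)
    company_name: str
    amount: Decimal


# Constructed Positive Pay list: originators allowed to debit the account and the
# dollar ceiling per entry. The IDs, names and ceilings are hypothetical.
APPROVED: Dict[str, Tuple[str, Decimal]] = {
    "1234567890": ("ACME OFFICE SUPPLY", Decimal("5000.00")),
    "2345678901": ("COUNTY UTILITY", Decimal("2500.00")),
}


def screen_ach_debits(debits: List[AchDebit], approved=APPROVED, debit_block=True):
    """Positive Pay screening: pay entries inside the parameters, alert on the rest.
    With debit_block set, an originator not on the list is rejected outright
    rather than held for a decision (the ACH Debit Block behaviour)."""
    decisions = []
    for d in debits:
        entry = approved.get(d.company_id)
        if entry is None:
            action = "BLOCK" if debit_block else "ALERT"
            decisions.append((d.trace, action, "originator not on approved list"))
        elif d.amount > entry[1]:
            decisions.append((d.trace, "ALERT", f"{d.amount} exceeds ceiling {entry[1]}"))
        else:
            decisions.append((d.trace, "PAY", "within approved parameters"))
    return decisions


def unvouched_payments(statement_debits: List[AchDebit], vouchers) -> List[str]:
    """Management review of the statement: return the trace numbers of ACH debits
    that no internally approved voucher explains. vouchers maps
    (company_id, amount) -> voucher number."""
    return [
        d.trace
        for d in statement_debits
        if (d.company_id, d.amount.quantize(Decimal("0.01"))) not in vouchers
    ]


# Constructed sample batch as it might appear on the bank's activity report.
SAMPLE = [
    AchDebit("T001", "1234567890", "ACME OFFICE SUPPLY", Decimal("1200.00")),
    AchDebit("T002", "2345678901", "COUNTY UTILITY", Decimal("3100.00")),
    AchDebit("T003", "9999999999", "UNKNOWN ORIGINATOR LLC", Decimal("450.00")),
]

# Constructed internal vouchers: only the ACME payment was approved in advance.
SAMPLE_VOUCHERS = {("1234567890", Decimal("1200.00")): "V-101"}


if __name__ == "__main__":
    for trace, action, reason in screen_ach_debits(SAMPLE):
        print(trace, action, reason)
    print("needs management review:", unvouched_payments(SAMPLE, SAMPLE_VOUCHERS))
```

Running it pays T001, alerts on T002 because the utility debit exceeds its ceiling, and blocks T003 because the originator is unknown; the review step then lists T002 and T003 as payments that no voucher supports, which is exactly the set a reviewer should be questioning.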
Additionally, an organization’s typical check run cycle may include the processing of multiple ACH payments to various vendors. Therefore, consider establishing controls that allow the ACH preparer to initiate the transfer but require approval by a separate ACH approver before the bank processes the payment.
For example, the ACH initiator may process vendor ACH payments in the amount of $8,374. The authorized approver would then receive an email or call from the bank, which requires the authorized approver to enter the transaction amount of $8,374 in order to obtain dual approval and ensure all ACH payments have been reviewed. The approver should also ensure that supporting documentation regarding the ACH payments is reviewed prior to approving through the bank. An alternative to this process would be utilizing an online bill payment provider (see online bill payment section above).
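The dual-approval flow described in this section and in the bill-pay segregation-of-duties discussion earlier (approver is a different person, approver re-enters the amount, approver cannot change the amount or recipient) can be modelled in code. The Python below is an added example, not part of the original article and not the workflow of any bank or bill-pay vendor. The payee name, user names and the $8,374 batch total are illustrative; the fingerprint check is one way to detect a record edited after preparation.

```python
import hashlib
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


class ControlViolation(Exception):
    """Raised when a step would break the dual-control requirement."""


@dataclass
class Payment:
    payee: str
    amount: Decimal
    prepared_by: str
    fingerprint: str                 # hash of payee and amount taken at preparation
    approved_by: Optional[str] = None


def fingerprint(payee: str, amount: Decimal) -> str:
    # Canonical form so that "8374" and "8374.00" produce the same hash.
    canon = f"{payee.strip().upper()}|{amount.quantize(Decimal('0.01'))}"
    return hashlib.sha256(canon.encode()).hexdigest()


def prepare(payee: str, amount: Decimal, preparer: str) -> Payment:
    """Initiator step: record what will be paid and bind a fingerprint to it."""
    return Payment(payee, amount, preparer, fingerprint(payee, amount))


def approve(p: Payment, approver: str, amount_entered: Decimal) -> Payment:
    """Approver step: a different person confirms the amount, as the bank's
    dual-approval callback does, and the record must be unchanged since
    preparation. The approver never edits the payee or the amount."""
    if approver == p.prepared_by:
        raise ControlViolation("preparer and approver must be different people")
    if fingerprint(p.payee, p.amount) != p.fingerprint:
        raise ControlViolation("payee or amount changed after preparation; re-prepare")
    if amount_entered.quantize(Decimal("0.01")) != p.amount.quantize(Decimal("0.01")):
        raise ControlViolation("amount entered by approver does not match the batch")
    p.approved_by = approver
    return p


def release(p: Payment) -> bool:
    """Only an approved, still-intact payment may be sent to the bank."""
    return p.approved_by is not None and fingerprint(p.payee, p.amount) == p.fingerprint


if __name__ == "__main__":
    batch = prepare("ACME OFFICE SUPPLY", Decimal("8374"), "preparer")
    approve(batch, "approver", Decimal("8374.00"))   # approver keys in the total
    print("release allowed:", release(batch))
    try:
        approve(prepare("ACME OFFICE SUPPLY", Decimal("8374"), "preparer"),
                "preparer", Decimal("8374"))
    except ControlViolation as e:
        print("rejected:", e)
```

The point of the fingerprint is that approval attaches to a specific payee and amount: if either field is altered between preparation and approval, or after approval but before release, the payment is refused and must go back through the preparer. That mirrors why the bank asks the approver to key in the amount rather than simply click "approve".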
Wire Transfers
Although not as common in small to midsize organizations, a wire transfer is sometimes required to transfer cash on the same day or to send funds to an international account. There are transaction fees associated with wire transfers, which is one reason that wire transfers are typically used only when necessary.
Wire transfers can allow internal employees or external hackers to make fraudulent transfers to their own bank accounts.
The following controls can be implemented to reduce the risk of wire transfer fraud:
- Establish a formal policy that outlines the required wire transfer procedures and defines who can initiate and who can approve a wire transfer.
- Work closely with your bank to ensure the appropriate level of security over wire transfers is implemented for your organization. The bank should use passwords and callback controls. However, be aware that some employees are careless about disclosing passwords. And, with the advent of call forwarding, it is easy to program the phone number the bank calls back for verification so that it rings at a fraudulent employee’s extension; the bank employee has no real way of knowing whether he or she is talking to the appropriate callback verifier.
- Review online bank statement activity on a continual basis to quickly detect wire transfers that were not approved by the organization.
- Consider using a computer that is established only to conduct wire transfers. This practice reduces the risk of cyber fraud and opportunities for malware infection.
- Open a separate checking account that is used exclusively for wire transfers. Place the new account on “no check activity” status and make it a zero balance account.
Regardless of the methods or platforms you utilize for electronic payment transactions, do not neglect implementing a control process to prevent fraudulent activity. If you need assistance navigating controls for electronic payment transactions, contact a Hantzmon Wiebel team member today.
Disclaimer of Liability
Our firm provides the information in this article for general guidance only; it does not constitute the provision of legal advice, tax advice, accounting services, investment advice or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisors. Before making any decision or taking any action, you should consult a professional advisor who has been provided with all pertinent facts relevant to your particular situation. Tax articles in this blog are not intended to be used, and cannot be used by any taxpayer, for the purpose of avoiding accuracy-related penalties that may be imposed on the taxpayer. The information is provided “as is,” with no assurance or guarantee of completeness, accuracy or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability and fitness for a particular purpose.