Internal Control Concerns Over Electronic Funds Transfers (EFT) and Automated Clearinghouse (ACH) Payments

We have been hired in numerous embezzlement cases over the past several years in which funds have been taken from dealerships and other businesses. Many of these problems occur as a result of the electronic commerce which occurs daily within dealerships.

At most new or pre-owned dealerships, more payments and receipts are taking place in the form of electronic transfers. Electronic transfers include any transaction which is initiated electronically and does not require the physical transfer of paper between the two parties. Such transactions would include Automated Clearing House (ACH) transfers, direct deposits, direct disbursements, bank wires and any other direct charges or deposits made to a checking or bank account.

More vendors, manufacturers and governmental entities are insisting transactions be done electronically. Generally, such transactions reduce mail costs, accounting clerical help, error rates and time for transactions to occur. Many dealerships are disbursing electronic floor plan payoffs, receiving credit card transactions and paying large payroll and sales tax deposits and vendor ACH payments on a routine basis.

You may ask, what is the big deal with electronic transactions?

To answer this, let me trace the systems most people have to process cash disbursements. Most organizations enter an on-demand or accounts payable transaction and, subsequently, have some type of approval of the transaction given by a management-level person. Once approval is made, a check is printed and approved/signed by the dealer or a trusted employee. Usually, a dealership with some internal controls in place prohibits the person printing the check from being the same person who also signs the check. Normally, a check signer outside of the accounting department will review the payee, the approval and the amount being paid on the check for reasonableness.

Many dealers also receive and review a previously-unopened bank statement. By doing so, a dealer may identify unusual checks and/or payees. These internal control systems have functioned for decades and, while not perfect, do give a dealer a good sense of their cash flow and related disbursements. These systems also give persons within the organization a high probability of noticing unusual or suspicious payments.

With electronic bank payments, virtually all of these systems are useless. Since checks requiring signatures are not utilized, no one in management sees the actual payee and the amount. Generally, the accounting department initiates the transaction. Often, the accounting department also approves the transaction. If the transaction is approved by someone outside of the accounting department, the approval notations on the electronic source are numeric and may appear as follows:

ACH000092582  25.132.22  6/02/09  COMMER00812

Obviously, this is not as clear as a check made payable to Commerce Bank, Account No. 00812 for $25,132.22 with the memo, “Lien payoff, Betsy Jones.” Upon review of the bank statement at month’s end, the electronic transaction appears as one of many with a numeric line-item.

Many dealers report, when we question certain transactions, that they are not “as comfortable” with these items as they were with paper checks. We find, as auditors, these transactions are not as clear as paper checks either.

It is pretty clear in reviewing bank fraud statistics that electronic commerce is increasing the number of fraudulent transactions. We have noted a dramatic increase in the number of theft and embezzlement schemes occurring which involve electronic transfers and transactions, especially in accounting departments.

The paperless world is great, but you must work to improve your internal control systems, policies and procedures in order to catch up with the electronic transactions occurring at your dealerships. Internal control systems are those procedures and segregations of duties which are put in place to help identify unusual, large or suspicious transactions.

To safeguard your assets, it is more important than ever to have someone well-versed in dealership accounting review your current procedures and policies. They should review your segregation of duties related to electronic transactions, set-up approval and corresponding review policies.

The extent of application of internal controls, supervision and review of electronic funds transfer (EFT) and ACH transactions will vary in complexity from business to business. Therefore, a simple checklist or a cookie-cutter approach in addressing the issue may be considered inadequate. Although a very incomplete list, below are a few thought-provoking items relating to cash transfer outflows.

System security and access control in processing EFT and ACH cash transfers:

• Are the computer and related programs located in a secure environment and locked when not in use?
• Are the computer programs relating to cash transfers accessible in any manner by unauthorized users (i.e., from other terminals in a network environment, the Internet or the physical workstation)?
• Are up-to-date lists maintained of users and their levels of access?
• Does appropriate management adequately supervise the physical security of the computers which have access to programs related to cash transfers?
• Is it possible that computer access passwords and other vital information have been leaked, whether intentionally or not, to others? Are passwords and other vital access information changed periodically? How is this documented?
• Are system records maintained to document logon attempts/session paths, etc., and are they reviewed by appropriate management? Does the system maintain logon violation records?
• Is the specific computer or terminal validated and documented by the system upon an attempted logon?
• Is input documentation reviewed and approved independently from the cash transfer process? How many approvals are required and how are they documented?
• Are prospective employees who will be involved in the cash transfers properly screened? Are they adequately bonded?
• Do processing periods ever become prolonged? Are employees leaving the computer during the transmission process?
• How are computer hardware and software problems documented related to the cash transfers?
• Who is supervising compliance with internal controls relating to these matters?

Internal control over processing EFT and ACH cash transfers:

• Is there a pre-approved listing of vendor numbers and bank account numbers for which designated cash transfers can be made to/from?
• Which employees are permitted to perform what type(s) of cash transfers? How is this monitored? Are there pre-approved dollar limitations?
• Is cash reconciled by an individual independent of having access to perform cash transfers?
• Is the cash reconciliation or review completed from the Internet or computer-generated statements that could have been easily manipulated prior to being reviewed?
• Does the cash reconciliation process include a detailed review of vendors, bank account numbers and other references relating to the cash transfers? Is supporting documentation reviewed?
• What is your exposure to unauthorized transactions occurring with your authorized vendors (e.g., an employee paying a personal debt with an identical vendor)?
• What is your exposure to "innocent-looking" payroll tax deposits made via cash transfers that are crediting unauthorized amounts of federal income tax to an employee's withholding account?
• Are recurring cash transfers reviewed to determine the ongoing propriety of the amount and the authorization of the expenditure?

These are only a few of the many internal control issues relating to the oversight and processing of EFT and ACH transactions. It is clear the number of electronic transactions is only going to increase over the next few years. Eventually, the receipt, approval and payment of invoices and the accounting for the same will all be done electronically. Although this represents a great time- and cost-saver, it will open the doors to internal fraud within your organization. People smart enough to evaluate the system and its weaknesses will have many opportunities for fraud within your store.

Start now to improve these systems before you learn the hard way.

Need a check-up?

Vol. 9, Issue 8