{Governmental Client Training} June 20, 2016

Transcription

1 {Governmental Client Training} June 20, 2016

2 2 Online Banking Controls & Fraud Considerations Dan Block, CPA Rumzei Abdallah, CPA

3 Agenda 3 Online Banking Considerations What happened? 7 Controls Commonly Identified for Online Banking Fraud Examination vs Audit Fraud Case Study Things to look for Q&A

4 Online Banking Considerations 4 What happened? The complexities of cybersecurity have increased and become inherent in almost every organization causing these need to address these risks of fraud. The extent to which online and electronic banking transactions are used significantly increases the exposure to inappropriate and unauthorized transactions.

5 Online Banking Considerations 5 Examples of Internal Control failures that have led to fraud An external hacker obtained the password information to the bank account of a small community organization and withdrew small amounts that would likely be under approval thresholds. Fraudulent checks were created and cashed in the name of a midsize company. An internal staff circumvented controls and approved wire transfers to a personal account to the tune of millions of dollars. So now what?

6 Controls Commonly Identified for Online Banking Security 6 1. Access security 2. Volume limits 3. Limited payees and transfers 4. Positive Pay 5. Bank Reconciliations 6. Notification 7. Activity Logging

7 Pop Quiz 7 What is heartbleed? a) A computer virus that causes your computer to randomly shut down without saving changes, also known as the blue screen of death. b) An virus that sends all of your passwords to hackers, which they can then use to log into your bank accounts and withdraw funds. c) A security bug mistakenly written into security encryption that makes it possible for hackers to extract data from massive databases containing user names, passwords and other sensitive information. d) A Taylor Swift song about her most recent break-up

8 Pop Quiz 8 What is heartbleed? Answer: c) A security bug mistakenly written into security encryption that makes it possible for hackers to extract data from massive databases containing user names, passwords and other sensitive information.

9 Pop Quiz 9 Who was impacted?

10 1. Access Security 10 Accounts, IDs, and passwords should uniquely identify each employee. Significant passwords help protect against unauthorized hacking access. Changing passwords regularly helps both with employees who may share a password at one point in time as well as fighting against passwords that are compromised.

11 1. Access Security 11 Multifactor Authentication (MFA) Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction. SOMETHING YOU HAVE SOMETHING YOU KNOW LOGIN SUCCESS

12 2. Volume Limits 12 Limiting the amount of each transaction and the total transactions per day can protect against the potential loss if access is compromised. A logical limit would be to follow the tiered amounts typically prescribed in check signing policies.

13 3. Limited Payees and Transfers 13 Transfers: Written instructions with the financial institution should limit transfers to other accounts in the entity s name. Payees: Controls over adding payees should be commensurate with controls over adding vendors to AP software.

14 4. Positive Pay 14 Positive Pay was originally designed so that a company issuing checks would send a list of checks and the pertinent details (payee, amount, check number) to their bank. Then, when a check was presented on their account, the bank could confirm the details and thwart any bogus checks. Today, this service has expanded to include a variety of review points and options and remains an effective tool to mitigate fraud. The bank customer can have the option to review all unconfirmed checks presented online with defaults set to allow after 24 hours or deny. Positive Pay has been copied for ACH transactions and can be used in a similar fashion for electronic banking.

15 5. Bank Reconciliations 15 This may sound elementary, but MANY communities and businesses fail to include an online-only account in the same monthly reconciliation and closing processes as traditional bank accounts (i.e. a PayPal account).

16 6. Notification 16 Enforce a notification system that cannot be overridden by the person with the banking administrator login ID and password. For example, create an forwarding account that automatically notifies multiple employees (i.e. someone in accounting and someone in operations) whenever a payment is made or received.

17 7. Activity Logging 17 Many banks are providing access to activity logs for their online accounts. These can be used by management for routine reviews of employee activity. Additionally, internal and external auditors can develop data analysis techniques to comb these logs for unusual activity. Letting employees know that their activity is logged can provide a significant deterrent to fraudulent behavior. Electronic searches of the log files may confirm routine activities or expose anomalies worth investigating further.

18 Fraud Standards in an Audit 18 SAS 99 Misstatement arising from fraudulent financial reporting Misstatement arising from misappropriation of assets Fraud triangle Fraud Brainstorming Focus on direct and material impact on financial statements Valid A/R and revenue Adequate reserves for uncollectible accounts Adequate settlement estimates Risk for misappropriation due to: Lack of segregation of duties Lack of required approvals Inappropriate access/authorization to bank accounts Professional Skepticism

19 Audits v. Fraud Examinations 19

20 The Perfect Case Study Dixon, Illinois Population 15, Median household income - $38, Median house/condo value - $83, Total Primary Government Expenses of $15.6M

21 (Almost) Every Red Flag We Talked About 21 Long-term employee Started as in intern in high-school in 1970 Named Treasurer and Comptroller in 1983 Lack of internal controls Reconciled accounts Made deposits Requested funds Controlled the mail (PO Box) Embezzlement/index.php?cparticle=3&siarticle=2#artanc

22 Things to Look For Billing Schemes 22

23 Things to Look For Billing Schemes 23 Invoice Numbers Subtle changes Out of sequence Inconsistent Duplicate

24 Things to Look For Billing Schemes 24

25 Things to Look For Billing Schemes 25

26 Duplicates 26 Highlight your data Leave out employee at this point Go to conditional formatting Highlight Cells Rules Duplicate Values Click ok

27 Duplicates 27 All the duplicates will now be highlighted in the default color Sort your data by color

28 Duplicates 28 Manual Review More highlights = higher risk

29 Billing Out of Sequence 29 Invoice numbers out of sequence - (=IF(B4- B3>=0,"","OutSeq") 1) Sort the data by Invoice Number then Invoice Date B Invoice Invoice Invoice Invoice Invoice

30 Billing Out of Sequence 30 Invoice Invoice Invoice Out of Sequence Checks - (=IF(B4- B3>=0,"","OutSeq") 2) Insert a column next to the Invoice Date column. The column should be formatted as General 3) Start at the second row of data in your set. Insert the following formula: (=IF(B4-B3>=0,"","OutSeq") The B is replaced with whichever column the Invoice Date is in. The 4 and 3 is replaced with whichever rows are your second and first rows in your data set. 4) Highlight your new column and calculated formulas. Paste/Special values only so they don t change when you re-sort for any reason.

31 Plante & Moran, PLLC 31