Light bulb moment #2: Risks related to electronic banking
This month we want to shine some light on the risks related to electronic banking. While not a new topic for us, we feel compelled to return to it as we are still reading reports and hearing news stories of non-profits that have lost hundreds of thousands through fraud committed because of weak controls over electronic banking.
An article in “The Witness” reported recently that the “KwaZulu-Natal Blind and Deaf Society is struggling to keep its doors open after some R12m was emptied from the organisation’s bank accounts over a number of years”. It went on to report that “the Director is facing disciplinary procedures for allegedly not having sufficient oversight and management controls in place to have prevented the fraud. The society’s president, Justice Zak Yacoob, confirmed that an investigation was under way as alarm bells were raised when the Society attempted to transfer money only to be informed by their bank that the account was empty. It appears that the alleged perpetrator had sole access to the online banking. Justice Yacoob stated that this had surprised the Board as ‘Our auditors have given us clean audits year after year.’”
Do you have sufficient controls over electronic banking?
It seems that everyone understands that two signatures are needed on every cheque and this requirement is often specified in the constitutions and/or finance policies and procedures of non-profit organisations. And yet there are still many organisations that allow just one person to action payments using electronic on-line banking, often the very same person who also does the bookkeeping!
How do you know that payments are being made into the intended suppliers’ bank account?
If there is insufficient consideration given to the controls necessary for entering and changing beneficiary details on the electronic banking system, the payments may instead be made fraudulently to an employee or their accomplice.
Cases, such as the one reported in “The Witness” above, where an individual is able to transfer substantial amounts of money fraudulently, unnoticed by management, the board or even the auditors for years, are arising too often.
How is this possible? Who is responsible? How can this be prevented?
Lack of adequate systems of internal control
A person who has control over the money of the organisation through the ability to make payments alone, without independent checking, is in a position to make an error or to defraud the organisation without detection, particularly if that person is also responsible for the financial recordkeeping and so able to cover up their actions.
The board (governing body) of the organisation is ultimately responsible for the affairs of the organisation, and so is responsible for ensuring that adequate systems of internal controls are in place. Whilst the board may then delegate this responsibility to management, it must still make the necessary enquiries to ensure that suitable controls are actually in place.
Prevention is better than cure – the principles of sound internal controls
The principles of sound internal controls include the separation of duties, individual accountability and independent checking. These principles can be applied as follows:
- No person should have access to money in the bank accounts of the organisation through electronic banking on their own. We advise organisations to make use of business banking facilities that ensure two people independently release all payments and authorise all new payment beneficiaries, or changes thereto.
- Responsibility for financial recordkeeping should not rest solely with those responsible for the authorisation of payments, transfers and beneficiaries. If it is not possible or practical to completely separate these responsibilities, we strongly recommend that regular independent checking is implemented in order to ensure that the organisation’s resources are being properly managed.
- Regular monitoring of up-to-date financial reports is critical. This provides an overarching control, for management and the board, as it gives the opportunity to identify, and follow up on, any unusual or unexpected transactions, trends or anomalies. Key reports are the comparison of actual income and expenditure against a thoughtfully created budget, the balance sheet and the cash flow projection. Also, be aware that excuses for a lack of up-to-date financial information could be a red flag.
When reviewing/strengthening internal controls over electronic banking, here are a few tips:
- Insist on obtaining a bank-originated proof of bank details from suppliers before loading onto, or changing, bank beneficiary details and ensure that this proof is retained as evidence supporting the details now held on the banking system.
- Ensure that this proof of bank details is provided to the releasers as evidence to confirm the addition of the supplier bank account details prior to the first payment being made to that supplier. Also, ensure that the releasers are aware of their responsibility to authorise new/changed supplier bank account details only when these can be verified against the bank-originated proof.
- Engage an independent person to carry out regular checks, including the:
  - Confirmation that the bank balances shown in the records/reports agree to the bank statements for those bank accounts every month.
  - Review of the general ledger and, in particular, of the balance sheet balances against independent information, such as statements from SARS or suppliers. The review should also identify and investigate anomalies, including large round amount payments.
  - Verification of the latest additions and changes to electronic banking beneficiaries against bank-originated documentation.
- Ensure that, at least in the larger organisations with multiple projects or cost centres, budget holders review transactions against the budgets for which they are responsible, to confirm that they represent genuine expenses of that project or cost centre.
- And remember – don’t rely on the auditors to detect fraud.
There is much to think about! Do get in touch with CMDS if we can assist you with developing appropriate internal systems and controls.