Thursday, February 21, 2008

E-Payments

Bye Bye Cheques, Hello Fraud

In the corporate accounts payable world, payment by cheque is becoming a thing of the past. Gone are the days of preparing cheques, having them signed by two busy executives and then sending them to the cashier's office for posting or collection. Gone is the long wait for a cheque sent through snail mail. No more the hassle of sending someone to a client to collect a cheque on Friday evening after the banks have closed. Gone is the fear of the cheque bouncing. The miracle of electronic bank transfers is here to stay. All a debtor has to do is log in to the bank's website and, with a few keystrokes, the money owed is transferred straight into the supplier's bank account.

Highly efficient, but unfortunately e-payments are wide open to abuse: not so much by outside hackers as by the insiders entrusted with processing them.

The key element in a bank website electronic transfer is the payee's bank account number, and therein lies a major internal control weakness. To the naked eye it is extremely difficult to tell who owns a bank account from its number alone. How many people know their own bank account number by heart? Very few. How many know other people's? Nobody. With a few keystrokes, the account number an e-payment should go to can be changed to any other account number. When the e-payment is printed out for internal control purposes, the abuser makes sure the correct payee's name still appears on the document. Anybody reviewing that document will see the right payee name but will have no way of recognising that the account number is wrong.

As cheques go by the wayside, so too do the internal controls associated with the cheque signing process. When sent for signature, cheques should have the source documents attached: if the signers do not see an invoice, a purchase order and a goods/services received stamp that they can match to the cheque, they will not sign it. Requiring two signatures on a payment is another typical control that has all but disappeared. A bank website e-payment system may include a second password authorisation, but in practice that authorisation is routinely given without question. And even if it is not given automatically, how is a skeptical second password holder supposed to spot a changed bank account number?

Abuse of e-payments can be a fraud in and of itself. The processor of e-payments might decide simply to transfer funds to his or her own bank account. However, this kind of fraud comes to light quickly once a bank reconciliation is performed, and e-payment abusers do not want to be caught so easily. Instead, e-payments become the instrument through which another fraud is cashed out: any of a number of payroll frauds or accounts payable frauds, in fact any fraud in which an excuse is invented to justify a payment that appears to go to one bank account but is actually sent to another.

A typical variation of a ghost employee payroll fraud works as follows. A company pays its employees' salaries by e-transfer. A weekly-paid employee leaves the company. The processor of the payroll e-payments decides to keep the ex-employee on the payroll for another week or two. When executing the payroll e-payments, the processor changes the ex-employee's bank account number to his or her own. On printing the payroll e-payments for internal control purposes, the abuser makes sure the ex-employee's name is kept on the document; one real name will not be noticed among a list of hundreds on a payroll. A very cautious abuser will change the bank account number back to what it should be afterwards, but most will not bother, since the risk of somebody recognising an incorrect bank account number is virtually nil.

One of the few ways this type of e-fraud can be brought to light is through the use of data-matching software, known in the internal auditing trade as data mining programs. These compare the bank account numbers that e-payments were actually made to against the bank account numbers on file that they should have been paid to. Unfortunately, many bank website e-payment systems keep a record of electronic transfers for one month only. After one month the evidence of the fraud disappears for good. This represents yet another extremely dangerous internal control breakdown associated with electronic payments.
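One form that data-matching test can take, as an added example that is not code from the original post: the script below compares a submitted payroll batch against the payroll master file and the termination list. The master file, termination list and batch are constructed data, and the field names are assumptions; a real run would pull them from the HR system and from the bank's transfer history (or from the company's own retained copy of each batch). It reports the account substitution described above, a payment dated after the employee left, and one account number collecting more than one payee's money, which is the tell-tale sign of a processor redirecting several payments to the same place.

```python
"""Data-mining test for payee account substitution in an e-payment batch.

Added example, not code from the original post. The payroll master file,
the termination list and the submitted e-payment batch below are
constructed; field names are assumptions.
"""
from collections import defaultdict
from datetime import date


def normalize(account: str) -> str:
    """Canonical form of an account number so that '12-3456' and
    '12 3456' compare equal; bank exports and master files rarely
    format them the same way."""
    return "".join(ch for ch in account if ch.isalnum()).upper()


# Constructed payroll master: employee id -> (name, account on file).
MASTER = {
    "E001": ("A. Lopez", "12-3456-789012"),
    "E002": ("B. Nkemelu", "12-3456-789013"),
    "E003": ("C. Rossi", "12-3456-789014"),  # left the company 8 Feb
    "E004": ("D. Patel", "12-3456-789015"),  # the payroll processor
}
TERMINATED = {"E003": date(2008, 2, 8)}

# Constructed batch as submitted to the bank website. 'payee' is what
# prints on the internal control report; 'account' is what gets paid.
BATCH = [
    {"emp_id": "E001", "payee": "A. Lopez", "account": "12 3456 789012",
     "amount": 1250.00, "pay_date": date(2008, 2, 15)},
    {"emp_id": "E002", "payee": "B. Nkemelu", "account": "12 3456 789013",
     "amount": 1180.00, "pay_date": date(2008, 2, 15)},
    # Ghost employee: the ex-employee's name is kept so the printout
    # looks right, but the account is the processor's own.
    {"emp_id": "E003", "payee": "C. Rossi", "account": "12 3456 789015",
     "amount": 1300.00, "pay_date": date(2008, 2, 15)},
    {"emp_id": "E004", "payee": "D. Patel", "account": "12 3456 789015",
     "amount": 1400.00, "pay_date": date(2008, 2, 15)},
]


def reconcile(batch, master, terminated):
    """Return exception strings for a batch. Four tests:
    UNKNOWN_PAYEE          - employee id not on the master file;
    ACCOUNT_MISMATCH       - account paid differs from the account on file;
    PAID_AFTER_TERMINATION - pay date later than the termination date;
    SHARED_ACCOUNT         - one account receiving more than one payee's money.
    There is deliberately no payee-name check: the fraud keeps the name
    intact, which is exactly why a naked-eye review does not catch it."""
    exceptions = []
    payees_by_account = defaultdict(set)
    for p in batch:
        paid = normalize(p["account"])
        payees_by_account[paid].add(p["emp_id"])
        if p["emp_id"] not in master:
            exceptions.append(f"UNKNOWN_PAYEE {p['emp_id']} ({p['payee']})")
            continue
        _, on_file = master[p["emp_id"]]
        if paid != normalize(on_file):
            exceptions.append(
                f"ACCOUNT_MISMATCH {p['emp_id']} ({p['payee']}): "
                f"paid {paid}, master {normalize(on_file)}")
        left = terminated.get(p["emp_id"])
        if left is not None and p["pay_date"] > left:
            exceptions.append(
                f"PAID_AFTER_TERMINATION {p['emp_id']} ({p['payee']}): "
                f"left {left}, paid {p['pay_date']}")
    for account, ids in sorted(payees_by_account.items()):
        if len(ids) > 1:
            exceptions.append(f"SHARED_ACCOUNT {account}: {sorted(ids)}")
    return exceptions


if __name__ == "__main__":
    for line in reconcile(BATCH, MASTER, TERMINATED):
        print(line)
```

Run against every batch before the bank purges its history, and keep the batches themselves, because the test is only as good as the record of what was actually paid. The shared-account test is the one to watch most closely: a legitimate payroll almost never pays two employees into the same account, while a processor who redirects several payments has no choice but to reuse one.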

All the internal controls in the world will not prevent e-payment abuse from occurring altogether; however, the following should mitigate the risk:

· Timely bank account reconciliations.

· Separation of duties. Keep payroll and accounts payable processors separate from e-payment processors, and keep those who perform bank reconciliations separate from e-payment processors.

· Rotation of responsibilities. Change e-payment processors at least once a year.

· Regular internal audit focus on the e-payment process.

· Negotiate with your bank to retain e-payment records for at least two years. If this is not possible, keep your own independent copy of every e-payment batch as it is submitted to the bank website, so the record of what was actually paid survives the bank's purge.

· High level (CFO, Controller, Treasurer) second password authorization of e-payments.

· Normally e-payments are processed in batches. Before authorising a batch, the second password holder should insist on seeing each transaction one by one, with its source documents attached. The idea is that a second password holder should approach e-payments no differently from putting a second signature on a cheque.

· Ensure e-payment processors take their vacations.

Cheques are vulnerable to abuse through forged signatures or endorsements. However, a cheque is a physical document that is visible to the naked eye. Not everybody is an expert forger, and even an expert runs a real risk that someone will spot the forgery. An electronic bank transfer is a virtually invisible transaction that offers a very low-risk opportunity to a processor intent on abusing it.