Use Electronic Payments

There is a relatively small body of controls in use for electronic payments between business partners, because these payments typically have been between related parties or parties having done business with each other in significant volume over a long period of time. This familiarity has been substituted for control points. Nonetheless, given the large amounts of money involved and the rapidly expanding use of electronic payments, this is an area in need of the most stringent possible controls. A reasonable set of controls over the standard electronic payment process is noted in Exhibit 1, with additional supporting controls noted later in this section.

The controls shown in the flowchart are described in the bullet points that follow, in sequence from the top of the flowchart to the bottom.

  • Restrict access to master vendor file. For those electronic payments being made automatically by the accounting software, it is important to keep tight control over changes to the vendor master file, since someone could access the file and alter the bank account information to which payments are being sent.
  • Require signed approval document for manually initiated electronic payments. In a high-volume payment environment, nearly all electronic payments are routed through the accounting software, which handles the payments automatically. However, since a manually initiated payment falls outside the controls already imposed on the regular accounts payable process, the addition of an approval document is mandatory, preferably requiring multiple approval signatures.
  • Verify ACH debit filter with bank. If the business arrangement with a supplier is for the supplier to initiate an ACH (Automated Clearing House) debit from the company’s account, rather than the company initiating the transfer to the supplier, then the company should verify that it has authorized the bank to allow a specific supplier to debit an account.
  • Require password access to payment software. It is necessary not only to enforce tightly limited access to the software used to initiate electronic payments, but also to ensure that passwords are replaced on a frequent basis. This is a critical control, and should be rigorously enforced.


Exhibit 1 System of Controls for Wire Transfers

  • Require additional approvals. Additional approvals are useful in some electronic payment situations. Certainly a very large payment is grounds for an additional approval step, as would also be the case for a large check payment. Another approval should be required whenever a new supplier is set up for electronic payment, since this is an excellent spot to detect the initiation of payments to a shell company. The additional approval could be linked to the generation of a credit report on the supplier, to verify its existence as a valid business entity. The highest level of control over electronic payments would be to require dual approvals for all such payments, though this may prove too onerous for ongoing business operations.
  • Require an end-of-day payments review. A standard detection control should be to have a third party who is unrelated to the electronic payments process review all payments made at the end of each day. This review should encompass a comparison of authorizing documents to the actual amounts paid, as well as verification that payments are made to the correct supplier accounts.
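
The end-of-day review above can be prepared as an exception report for the independent reviewer. The following Python sketch is an added example, not part of the original text; the record layouts, identifiers, account strings and the dual-approval threshold are all constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data; every identifier and account string is made up.
VENDOR_MASTER = {"V100": "BANK-A/1111", "V200": "BANK-B/2222"}
APPROVALS = {  # authorizing documents, keyed by payment id
    "P1": {"vendor": "V100", "amount": Decimal("1200.00"), "approvers": {"ann"}},
    "P2": {"vendor": "V200", "amount": Decimal("80000.00"), "approvers": {"ann"}},
    "P3": {"vendor": "V100", "amount": Decimal("500.00"), "approvers": {"ann", "bob"}},
}
PAID = [  # payments actually released today
    {"id": "P1", "vendor": "V100", "account": "BANK-A/1111", "amount": Decimal("1200.00")},
    {"id": "P2", "vendor": "V200", "account": "BANK-B/2222", "amount": Decimal("80000.00")},
    {"id": "P3", "vendor": "V100", "account": "BANK-X/9999", "amount": Decimal("550.00")},
    {"id": "P4", "vendor": "V200", "account": "BANK-B/2222", "amount": Decimal("75.00")},
]
DUAL_APPROVAL_LIMIT = Decimal("50000.00")  # assumed policy threshold


def review_payments(paid, approvals, vendor_master, limit=DUAL_APPROVAL_LIMIT):
    """Return (payment_id, finding) exceptions for the end-of-day reviewer."""
    findings = []
    for p in paid:
        doc = approvals.get(p["id"])
        if doc is None:
            # Nothing to compare against: the payment bypassed approval.
            findings.append((p["id"], "no authorizing document"))
            continue
        if doc["vendor"] != p["vendor"]:
            findings.append((p["id"], "paid to a different supplier than approved"))
        if doc["amount"] != p["amount"]:
            findings.append((p["id"], "amount paid differs from amount approved"))
        if vendor_master.get(p["vendor"]) != p["account"]:
            findings.append((p["id"], "bank account not in vendor master file"))
        if p["amount"] >= limit and len(doc["approvers"]) < 2:
            findings.append((p["id"], "large payment lacks second approval"))
    return findings


if __name__ == "__main__":
    for pid, finding in review_payments(PAID, APPROVALS, VENDOR_MASTER):
        print(pid, finding)
```

The account comparison is only as trustworthy as the vendor master copy it reads, which is why access to that file is restricted in the first control.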
