From the auditor: Bacs to basics – preventing fraudulent payments in charities

01 May 2026 Expert insight

This content has been supplied by a commercial partner.

 

With technology changing at lightning speed, the way we work is shifting too. The rise of artificial intelligence (AI) and continued automation mean that technology is driving many of our decisions.

When systems are updating and advancing, we often assume that the processes remain the same. But what if the controls have subtly changed or disappeared altogether? What if management could now override controls, unwittingly perhaps, due to the advances in technology?

In the last year, we have seen, in our capacity as external auditors, the technology around online banking change. While in most cases this has had no impact on financial controls, there have been several charities that have been impacted by this.

In this article, we specifically focus on the controls around online payments. We go through the pitfalls in technology and what a charity must check to ensure that the risk of management override of controls is mitigated.

We begin by understanding how a charity pays their stakeholders: namely their staff, via the payroll, and their suppliers for their charity’s costs. Typically, a charity will pay their staff in one Bankers’ Automated Clearing Services (Bacs) payment.

Similarly, charities will pay their suppliers by one Bacs payment – perhaps weekly or biweekly, depending on the level of activity. A Bacs payment is one bulk-payment transaction comprising multiple payees, rather than lots of individual online payments (as we will be familiar with from our own personal banking).

All payee details, including bank account numbers and sort codes, are stored in the charity’s secure accounting system. A bulk payment, or Bacs payment report, is generated from the accounting system.

This report should then link either directly into the charity’s online banking system or be linked into a payment platform which feeds directly into the online banking software.

The accounting system should usually flag, via exception reporting, if a new payee has been added or if the bank account details of a payee have changed. This means that the charity’s reviewer or authoriser can simply review these exceptions and be confident that the payee details of the staff or suppliers remain authorised, and the same as the previous report. Controls will be in place within the accounting system to add or amend payee details.

Tech moves, risks follow

While these controls are in place in the accounting system, and the initial Bacs payment report is reviewed and authorised, there can be opportunities for intervention at the next step prior to the payment being made.

Some payment platforms or online banking systems are not directly linked to the accounting system, so the Bacs report must be manually imported as a .txt file or a PDF file.

As we know, .txt files can be typed over and PDFs can be easily edited. The staff member who uploads the Bacs file could therefore alter the report to change amounts, add a payee or change account details.

There is a risk here that the report that has been authorised could then be manipulated. There is often no exception reporting within online banking or the payment platforms. There is potential for a staff member to amend these reports prior to the payment being sent.

As technology continues to develop, the strength of payment platforms emerges. But it has become apparent that some platforms require a .txt file to import the Bacs report, and a .txt file can be easily typed over and amended. This opens the door to potential fraud.
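As an added illustration (not part of the original article, and not any bank's or payment platform's own tooling), the exception reporting described above can be repeated at the upload step by comparing the file about to be uploaded with the copy the authoriser signed off. The column layout and the sample records are constructed for this example and are not a real Bacs file format.

```python
import csv, hashlib, io
from decimal import Decimal

# Constructed sample files. The column layout is an assumption for this
# example, not a real Bacs submission format.
AUTHORISED = """payee,sort_code,account,amount
A Smith,10-20-30,12345678,1850.00
B Jones,20-30-40,23456789,2100.00
Office Supplies Ltd,30-40-50,34567890,412.75
"""
UPLOAD = """payee,sort_code,account,amount
A Smith,10-20-30,12345678,1850.00
B Jones,20-30-40,99999999,2100.00
Office Supplies Ltd,30-40-50,34567890,4120.75
C Newpayee,40-50-60,45678901,950.00
"""

def digest(text):
    """SHA-256 of the file content, recorded when the report is authorised."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def load(text):
    return {row["payee"]: row for row in csv.DictReader(io.StringIO(text))}

def exceptions(authorised, upload):
    """List (kind, payee, detail) for every difference between the two files."""
    if digest(authorised) == digest(upload):
        return []  # byte-for-byte the file that was authorised
    auth, up = load(authorised), load(upload)
    found = [("payee added", p, up[p]["amount"]) for p in sorted(up.keys() - auth.keys())]
    found += [("payee removed", p, auth[p]["amount"]) for p in sorted(auth.keys() - up.keys())]
    for p in sorted(auth.keys() & up.keys()):
        a, u = auth[p], up[p]
        old, new = (a["sort_code"], a["account"]), (u["sort_code"], u["account"])
        if old != new:
            found.append(("bank details changed", p, f"{' '.join(old)} -> {' '.join(new)}"))
        if Decimal(a["amount"]) != Decimal(u["amount"]):
            found.append(("amount changed", p, f"{a['amount']} -> {u['amount']}"))
    # Digests differ but no record-level change was identified (for example
    # reordered or duplicated rows): still an exception for the authoriser.
    return found or [("file altered", "-", "content differs from authorised copy")]

if __name__ == "__main__":
    for kind, payee, detail in exceptions(AUTHORISED, UPLOAD):
        print(f"{kind:22} {payee:22} {detail}")
```

For the comparison to mean anything, the authorised copy or its digest has to be held where the person uploading the file cannot change it.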

Do you know how your charity’s payments work end-to-end? Are there any opportunities for manipulation within that process? Are the authorisers comfortable that each payee and amount due is genuine? Has the payment technology changed and, if so, does this impact this process? These are key questions for all charities to address.

With the changes to technology, it is easy to lose sight of the basics. Financial controls around payments are critical for all charities. These must be considered carefully on a periodic basis as technology continues to advance and systems develop.

Emma Gabe is a senior manager at HaysMac 
