For many professional associations, reputation is fundamental to their continued success. Organisations must be at the forefront of best practice given that they require of their members to operate under the same high standards. For an association to fall foul of the many online and payment scams around, such as phishing emails or supplier detail frauds, could be exceptionally damaging and not only for the organisation itself, but also for members.
Despite an increased focus on fraud prevention over the past few years, a significant number of frauds still occur as a result of poor controls over online payments. It is important that all trustees and staff understand the controls in place and ensure segregation of duties wherever possible – and this while other challenges are evolving, such as understanding the changing needs and preferences of members, the requirement to continue to develop the digital offering to members, and keeping up with members’ perception of themselves as customers.
To ensure your controls are effective and to minimise risk, a set of recommended tests appears below.
- Segregation of duties between setting up and authorising payments: one user should set up a payment and a separate user authorise the transaction. One individual should not be able to set up and authorise a transaction alone.
- Dual authorisation of payments: all transactions should require a minimum of two individuals to authorise. Some organisations implement a limit and only require dual authorisation for larger payments. If this is the case, the approach should be approved by the trustees.
- Dual authorisation of setting up new users: dual authorisation should be required to set up all new users and to make changes to access rights within the online banking system. This is important to prevent the set up of a false user to bypass the dual authorisation process.
- Access to BACS: all users must have unique log in details and passwords, and these should not be shared. We often find details are shared when new staff join an organisation, or where there are temporary staff in the finance team.
- Change in payment details (internal): changes to account details (bank account number and sort code) should be actioned by one user and approved by a separate user, who should check any backing documentation against the amended details.
- Change in payment details (external): any notification of a change to supplier details should be verified by contacting a known individual at the supplier’s organisation, even if the request to change is sent on the supplier’s headed paper. To do this, use contact details already held and do not use any included in the request documentation.
- BACS payment reviews (general expenditure): prior to authorising the online payment, a spot-check should be performed reviewing the bank account and sort code for the supplier. Such details should be agreed to the purchase invoice and these checks should be evidenced by signature.
- BACS payment reviews (staff expenditure): payroll reports should be reviewed prior to payments being authorised. Often a BACS payment will be set up to send monies to pension providers and HMRC in the same batch. The individual payments need to be agreed back to payroll reports before authorising.
- Bank mandate: a review of the bank mandate should be performed to ensure that payment authorisation limits for online banking are in line with the bank mandate.
- Exception reporting: reviewing exception reports from your finance system and online banking system is a good way to monitor changes to supplier details within the accounting software, along with any changes to details in the online banking system. Changes should be reviewed to ensure the appropriate procedures have been followed.
- Ask the question “What happens when someone goes on holiday?”: the answers given will often highlight potential ways your controls and system can be bypassed.
It is important that controls are in place not only for supplier payments but also for payments to staff.
The Charity Commission has recently issued an alert due to several reports of fraudsters impersonating members of staff.
Any requests to change payroll or staff details should be confirmed before being amended. Charities should not rely solely on email.
Siobhan Holmes is not for profit senior manager at haysmacintyre
This content has been supplied by a commercial partner. haysmacintyre sponsors the Sector Focus series.