Fraud and cybercrime protection is of major importance for corporate treasurers. In the past year a new risk had to be added to the list: connectivity. Reports of banks being hacked and losing millions through unauthorised payments appeared more and more frequently. Because protecting payment connectivity workflows was not a high-priority item for treasurers, this caused damage in the industry.
GT News addresses how to protect payments in its article ‘Five tips for keeping your payments safe’ of December 21st, 2016. We asked our expert Lionel Pavey to comment on the article and give us his own view on how to protect payments.
Safety of payments
As even medium-sized companies can easily have over 100,000 bank transactions per year, it is imperative for a company to ascertain the validity of all payments so that no fraudulent payments take place.
It is necessary to embed a clearly defined authorization matrix within the company. This should follow a six-eye principle and be traceable within the payment system – invariably a bank payment system. The matrix should include the names of all those authorized; the amount they may authorize; the distinct legal entities they may represent etc. This data also needs to be maintained and secured away from the payment centre (IT or legal department). If a new person needs to be added to the list, who implements the procedure – Treasury or IT?
Types of payments
There are various workflows that generate payments. These should be mapped, and a complete process should be designed for each one: the procurement system and creditors in the bookkeeping; financial obligations from the existing financing operations (loans, bonds etc.); tax on wages; social premiums; Value Added Tax (BTW); and manual payments, normally arising from expense claims and incidental purchases outside the normal procurement channel.
Validity of payments
Normal payments relating to creditors are relatively easy to follow – authorization has taken place in two different areas (procurement and bookkeeping). VAT requires data from bookkeeping for both debtors and creditors. Tax on wages and social premiums are normally presented just once a month, either through the administration/controller channel or directly from HR. The biggest area of concern relates to manual payments.
These generally relate to purchases (normally one-off). The obvious question that arises is: why is there a need for suppliers that are not in the existing procurement system? It is not impossible to ensure that there are preferred suppliers for all normal requirements. Another source is repayments to debtors that are not balanced off against outstanding balances. If a company does not have dedicated software relating to the financing operations, who, beyond the Treasury Department, can verify the amounts and dates? The area that requires the greatest vigilance relates to expense claims. Just because a line manager authorizes an expense claim does not mean that it is always compliant with company policy – this is an area where the onus should be on the controller to validate the integrity of the expense claim. Is the expense a genuine expense made in direct relationship to working for the company? An employee away on business and staying in a hotel is entitled to a meal at the expense of the company, but what is the policy towards alcohol and entertainment? Is the amount being claimed excessive, and is it work related?
Integrity of bank systems
How secure is the bank system? When a batch is prepared for payment and an authorisation code produced, how is the code produced – what are the underlying factors that generate the code? Is it possible to alter the beneficiary’s account number after the batch has been produced? Would an alteration be seen by the system, resulting in an incorrect authorisation code? Banks generally do not provide a lot of information as to how their system generates codes.
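To make the question concrete, the following added example (not from the original article and not any bank's actual method) compares two ways a code could be derived: a control total over count and amounts, and a keyed HMAC-SHA256 over every field of the batch. The field names, the key and the sample batch are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key; in practice the key sits in an HSM or approver token.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample batch; amounts are integer cents, account numbers are made up.
BATCH = {
    "batch_id": "2016-12-21-001",
    "debit_account": "NL00DEMO0000000001",
    "payments": [
        {"reference": "INV-1001", "beneficiary_account": "NL00DEMO0000000002",
         "currency": "EUR", "amount": 1250000},
        {"reference": "INV-1002", "beneficiary_account": "NL00DEMO0000000003",
         "currency": "EUR", "amount": 48075},
    ],
}

def control_total_code(batch):
    """Weak code: depends only on payment count and total amount."""
    amounts = [p["amount"] for p in batch["payments"]]
    return f"{len(amounts)}-{sum(amounts)}"

def full_content_code(batch, key=DEMO_KEY):
    """Keyed code over every field, so any post-approval edit changes it."""
    rows = sorted(
        [p["reference"], p["beneficiary_account"], p["currency"], p["amount"]]
        for p in batch["payments"]
    )
    body = json.dumps([batch["batch_id"], batch["debit_account"], rows],
                      separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def alteration_detected(code_fn, approved, submitted):
    """True if the code recomputed at submission differs from the approved one."""
    return not hmac.compare_digest(code_fn(approved), code_fn(submitted))

def tampered_copy(batch):
    """Same batch with one beneficiary account changed after approval."""
    altered = copy.deepcopy(batch)
    altered["payments"][0]["beneficiary_account"] = "NL00DEMO0000000099"
    return altered
```

With the control total, the changed account number goes unnoticed because count and sum are unchanged; with the full-content code, the recomputed value no longer matches the approved one.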
Who can extract data from the bank systems? Does this occur daily? Are all entries processed the following day in the bookkeeping system? What happens to items that are not immediately reconciled?
With regard to standard procurement, it should be easy to construct a solid working system that can be followed at all times. Manual payments are a weak link and a serious amount of time and effort has to be used in constructing a strong framework that has to be enforced and maintained at all times.
Cash Management and Treasury Specialist