Are Your Internal Controls Strong Enough?
In today’s age of online commerce and digital financial networks, companies are struggling to prevent financial fraud. In Australia alone, cybercrime costs businesses over $1 billion every year, and this figure is on the rise.
If you’re a CFO or finance director, there are particular reasons for concern. Today’s cybercriminals are getting smarter by the day, and, more often than not, they’re financially motivated. They’re increasingly targeting their efforts at YOU and your accounts payable team because of their ready access to critical payments processes and information.
Cybercriminals are also continually evolving their methods and tactics. They’re not just using the latest technological tools to get their dirty work done. They’ve realised humans are the weakest link in security and are more frequently opting to use social engineering techniques to trick members of your accounts payable team into assisting in fraud without even knowing it.
This shift in tactics means you can no longer afford to see financial fraud prevention as an IT problem or something that can just be protected against using the best software or firewalls. You and your AP team are now on the frontlines of defence against a rising tide of cyber fraud, whether you like it or not.
“I’ve seen so many companies in Australia who say, ‘We’re not compromised, we’re OK, we have a firewall’ and I say, ‘So you’re monitoring, you’re actually looking for indicators of a compromise?’ and they say, ‘No, but we have antivirus and I’m sure if we get compromised, we’ll start getting alerts from that’. That’s not how it works.” – Charles Widdis, Cybersecurity Expert
But it’s not all doom and gloom. By implementing a comprehensive set of internal accounts payable controls, you can effectively defend against fraud and keep even the most sophisticated fraudsters at bay. Here’s a quick guide to get you started.
Creating a strong counter fraud culture
The companies most successful at preventing fraud have buy-in at the top and an organisational-wide awareness of fraud that’s especially robust in the finance and accounting departments.
There is a recognition within these organisations that while finding fraud can lead to negative attention, failing to prevent, detect or respond to fraud is usually far worse. There is also an acceptance that the absence of fraud doesn’t mean it’s not occurring and that fraud cannot always be prevented.
Together, these core understandings have a significant impact. They enable the discovery of fraud to be viewed positively instead of negatively, eliminating the stigma associated with finding fraud and increasing the likelihood employees will report suspicious incidents.
When building a robust counter-fraud culture, you first need to assess your company’s counter fraud maturity. The Commonwealth Fraud Prevention Centre’s guide offers a list of recommended questions to ask to help you establish your company’s maturity level.
Once you’ve established your organisation’s maturity level, you’ll need to find different activities to engage employees and drive change. The Commonwealth Fraud Prevention Centre guide, linked to above, provides practical example activities to follow.
Training to prevent social engineering scams
Fraudsters frequently impersonate trusted parties to trick employees into creating fraudulent payments. They’ll often impersonate a CFO, CEO, or vendor in spoofed or compromised emails to convince employees to send money to bank accounts controlled by the criminals.
But social engineering scams can present in various forms. A scam could be disguised to look like someone from within your organisation requesting to click on a link or make banking information changes. They can also look like an innocent email from a supplier requesting a bank account change or an email from a seemingly credible organisation with a link.
In a case that gained attention in recent years, cybercriminals successfully posed as the CEO and COO of a business. They sent a spoofed email, purporting to be from the CEO, requesting a large payment be made by the company’s financial controller.
A second email, claiming to be from the COO, was then sent to the financial controller containing a false email trail approving the CEO’s request for payment. Not realising the request was a scam, the business made two payments to the cybercriminal’s overseas bank accounts, totalling approximately US$500,000.
In an even more severe scam, the CFO and CEO of FACC, an Austrian supplier of parts to Airbus and Boeing, were targeted. The company lost nearly $87 million to a cybercriminal who tricked an accounting employee into transferring money to a foreign bank account for a fake purchase.
Training your employees to recognise potential scams like these is essential, but it’s not enough on its own. You also need a robust call-back process that requires employees to authenticate a payment request through an independently known contact number before any funds are sent.
Segregation of duties
It can be challenging to imagine someone you work with is capable of committing a crime. But it’s longtime employees who’ve been given privileged and trusted access to several sensitive duties that are often the perpetrators of fraud.
Segregating duties is a simple but effective accounts payable control that can help prevent employees with malicious intent from defrauding your organisation. By segregating duties, no single employee can use their access and control to perpetrate fraud in the ordinary course of their responsibilities for self-gain.
To be most effective, no employee should control multiple aspects of the accounting process, no matter how long they have been employed. You’ll need to segregate the following duties:
- custody of assets
- record-keeping or bookkeeping
Here are a couple of examples:
- An employee who sends payments should not also be responsible for verifying payments.
- An employee responsible for bank reconciliation should not handle unclaimed property reporting or be a signer on a bank account.
- An employee who is a cheque signer should not also authorise an invoice for payment on accounts on which they are a signer.
Approval authority requirements
The purpose of the approval authority process is to prevent unauthorised or fraudulent purchases and to stop employees from mistakenly making a payment to a scammer.
By requiring specific managers’ approval to authorise certain types of transactions, businesses can ensure every outgoing payment has been assessed and approved by the right person in the organisation.
The approver can check everything is in order using a two-way or three-way match. A two-way match compares the invoice with the purchase order. A three-way match goes a step further, comparing the invoice with the purchase order and with the quantities of goods or services actually received.
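The three-way match described above, written out as a check an AP system could run before an invoice reaches the approver. This is an added illustration, not code from the original article or from any vendor product; the record layouts, the SKU/PO/invoice identifiers and the one-cent price tolerance are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Line:
    sku: str
    qty: int
    unit_price: float = 0.0   # goods-receipt lines carry quantities only

@dataclass
class PurchaseOrder:
    number: str
    vendor_id: str
    approved_by: Optional[str]   # None means the PO was never approved
    lines: list

@dataclass
class Invoice:
    number: str
    vendor_id: str
    po_number: str
    lines: list

def three_way_match(inv, po, received):
    """Compare an invoice with its purchase order and with goods-receipt
    quantities. Returns a list of exceptions; an empty list means the
    invoice clears the match and may go to the approver."""
    issues = []
    if po is None or po.number != inv.po_number:
        return [f"{inv.number}: no matching purchase order {inv.po_number}"]
    if inv.vendor_id != po.vendor_id:
        issues.append(f"{inv.number}: vendor {inv.vendor_id} differs from PO vendor {po.vendor_id}")
    if not po.approved_by:
        issues.append(f"{po.number}: purchase order has no recorded approver")
    po_lines = {l.sku: l for l in po.lines}
    recv_qty = {l.sku: l.qty for l in received}
    for line in inv.lines:
        po_line = po_lines.get(line.sku)
        if po_line is None:
            issues.append(f"{line.sku}: not on purchase order")
            continue
        if abs(line.unit_price - po_line.unit_price) > 0.005:   # assumed 1c tolerance
            issues.append(f"{line.sku}: invoiced at {line.unit_price} vs PO price {po_line.unit_price}")
        if line.qty > recv_qty.get(line.sku, 0):
            issues.append(f"{line.sku}: invoiced {line.qty} but only {recv_qty.get(line.sku, 0)} received")
    return issues

# Constructed sample: PO for 10 widgets at 25.00, only 8 received; the invoice
# bills all 10 at 27.50 and adds a freight line that was never ordered.
PO = PurchaseOrder("PO-2041", "V-117", "j.smith", [Line("WIDGET", 10, 25.00)])
RECEIVED = [Line("WIDGET", 8)]
INVOICE = Invoice("INV-5582", "V-117", "PO-2041",
                  [Line("WIDGET", 10, 27.50), Line("FREIGHT", 1, 90.00)])

def check_sample():
    return three_way_match(INVOICE, PO, RECEIVED)
```

The sample invoice raises three exceptions (price variance, over-billed quantity, unordered line), which is exactly the information the approver needs before signing off.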
As the threat of fraud has become more widely known in recent years, companies have started requiring longer and more complex passwords. But this has had an unexpected impact.
Because individuals now access an ever-growing number of digital applications, more company systems are being compromised as passwords get written down, stored in insecure places, or reused so they can be remembered. According to a recent LastPass poll of 3250 individuals, 66% of those surveyed said that they mostly or always used the same password everywhere (personal and work).
It’s for this reason that training and high standards of password hygiene should be mandatory. Every employee should be required to use long, complex, and unique passwords for each separate application or system they use. They should also be required to use a reputable password manager that stores encrypted passwords to avoid passwords getting written down and stored in the wrong place.
Additionally, and where possible, Multi-Factor Authentication (MFA) should also be implemented for all applications, including e-mail.
Strengthening your internal controls to prevent financial fraud with software tools
Using the best spam filters and anti-virus software remains an integral part of your organisation’s fight against cybercrime. But these tools can’t protect from insider scams or social engineering scams like Business Email Compromise (BEC), which are the fastest-growing type of cybercrime.
Equally so, it’s critical to build a strong counter fraud culture, commit to ongoing fraud awareness and social engineering training, and implement the proper internal accounts payable policies and procedures. However, these controls aren’t quite enough to protect you from savvy insider and social engineering scams either. After all, they all rely on people who are susceptible to human error.
At eftsure, we’ve developed a unique Know your Payee (KYP) platform that helps CFOs and their finance teams efficiently and effectively protect against fraud throughout the payment lifecycle.
Real-time payment protection
It may sound surprising, but banks don’t independently match the payee name against the BSB and account number when processing electronic payments.
They ignore the payee name, so you or someone on your accounts payable team may think they are paying the name on the screen, but if the account number belongs to someone else, the payment will not go to the intended recipient. Eftsure mitigates this risk by providing real-time fraud warning alerts at or before the point of payment.
Review a payment or ABA file before you pay
- Simple ‘traffic light’ alert signals confirm you’re paying the correct account name and number and indicate the status of a three-way match: BSB and Account Number, Account Name, and ABN.
- Payment alert signals indicate the risk of duplicate payments and payment threshold breaches.
Real-time alerts in your online banking
- eftsure’s simple ‘traffic light’ alert system is available across all the major Australian banks on your online bank payment screen. A green thumb indicates a verified vendor with a three-way match between Bank Account Name, BSB and Account Number, and ABR data. A red thumb indicates a mismatch and is an indicator of error or fraud.
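The pre-payment review and the traffic-light verification described above, reduced to their core logic: each row of a payment file is checked against the vendor master file for an account-name, BSB/account-number and ABN match, plus duplicate-payment and threshold alerts. This is an added example and not eftsure's code; the vendor master records, BSBs, account numbers, ABN, invoice references and the 50,000 threshold are constructed sample values.

```python
import re

def normalise(name):
    """Compare account names case- and punctuation-insensitively."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

# Constructed vendor master file (VMF), keyed by (BSB, account number).
VENDOR_MASTER = {
    ("062-000", "12345678"): {"name": "Acme Supplies Pty Ltd",
                              "abn": "12 345 678 901", "abn_verified": True},
    ("033-000", "87654321"): {"name": "Bright Cleaning Co",
                              "abn": "", "abn_verified": False},
}
PAYMENT_THRESHOLD = 50_000.00   # assumed per-payment limit needing extra approval

def review_payment_file(payments, master=VENDOR_MASTER, threshold=PAYMENT_THRESHOLD):
    """Return a (status, reasons) pair per row: 'green' when name, BSB/account
    and ABN all match a verified VMF record and no other alert fires, else 'red'."""
    seen, results = set(), []
    for p in payments:
        reasons = []
        rec = master.get((p["bsb"], p["account"]))
        if rec is None:
            reasons.append("BSB/account number not in vendor master file")
        else:
            if normalise(rec["name"]) != normalise(p["payee_name"]):
                reasons.append(f"payee name '{p['payee_name']}' does not match "
                               f"account name '{rec['name']}'")
            if not rec["abn"] or not rec["abn_verified"]:
                reasons.append("vendor ABN missing or not verified against ABR")
        key = (p["bsb"], p["account"], p["invoice"])
        if key in seen:   # same invoice to the same account already in this file
            reasons.append(f"duplicate payment of invoice {p['invoice']}")
        seen.add(key)
        if p["amount"] > threshold:
            reasons.append(f"amount {p['amount']:.2f} exceeds threshold {threshold:.2f}")
        results.append(("green" if not reasons else "red", reasons))
    return results

# Constructed payment file: a clean row; a trusted name on an unknown account
# (the bank-detail-change pattern); a duplicate; an unverified vendor over threshold.
SAMPLE_PAYMENTS = [
    {"payee_name": "ACME SUPPLIES PTY LTD", "bsb": "062-000", "account": "12345678", "invoice": "INV-1001", "amount": 1200.00},
    {"payee_name": "Acme Supplies Pty Ltd", "bsb": "062-000", "account": "99999999", "invoice": "INV-1002", "amount": 8400.00},
    {"payee_name": "Acme Supplies Pty Ltd", "bsb": "062-000", "account": "12345678", "invoice": "INV-1001", "amount": 1200.00},
    {"payee_name": "Bright Cleaning Co", "bsb": "033-000", "account": "87654321", "invoice": "INV-77", "amount": 60000.00},
]

def review_sample():
    return review_payment_file(SAMPLE_PAYMENTS)
```

Only the first row comes back green; the second row is the case the article warns about, where a correct-looking payee name hides an account number the vendor master has never seen.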
Vendor onboarding & management
Most companies are unaware of the level of risk or error in their vendor master file (VMF). Supplier emails are being compromised every day, and fraudsters are sending emails with critical information such as supplier bank account details and invoices that can trick your AP team into making a payment.
eftsure’s Know your Payee (KYP) solution solves these problems by allowing you to automate the verification and onboarding of new suppliers and track details if they change. The solution also provides a real-time dashboard to view your up-to-date Vendor Master File (VMF) and master data status.