Internal Control Concerns
October 01, 2009
Trillions of dollars of Electronic Fund Transfers (EFT) and Automated Clearinghouse (ACH) transactions are consummated daily throughout the world, and they are becoming more and more voluminous in dealerships. Improper implementation of internal controls, as well as a lack of supervision and review of actual EFT and ACH transactions, could potentially result in financial disaster for your dealership from fraudulent activity. Do you know who is transferring cash in your dealership and where it is going? Who is reviewing such transactions and internal controls? Are your internal controls adequate and properly functioning with respect to cash transfers?
The extent of application of internal controls, supervision, and review of EFT and ACH transactions will vary in complexity from business to business. Therefore, a simple checklist or "cookie cutter" approach in addressing the issue may be considered inadequate. Although a very incomplete list, we have provided a few thought-provoking items relating to cash transfer outflows:
System Security and Access Control in Processing EFT and ACH Cash Transfers
- Are the computer and related programs located in a secure environment and locked when not in use?
- Are the computer programs relating to cash transfers accessible in any manner by unauthorized users (i.e., from other terminals in a network environment, internet or the physical workstation)?
- Are up-to-date lists of users and their levels of access maintained?
- Does appropriate management adequately supervise the physical security of the computers that have access to programs related to cash transfers?
- Is it possible that computer access passwords and other vital information have been leaked, whether intentionally or not, to others? Are passwords and other vital access information changed periodically? How is this documented?
- Are system records maintained to document log-on attempts, session paths, etc., and are they reviewed by appropriate management? Does the system maintain log-on violation records?
- Is the specific computer or terminal validated and documented by the system upon attempted log-on?
- Is input documentation reviewed and approved independently of the cash transfer process? How many approvals are required and how are they documented?
- Are prospective employees that will be involved in the cash transfers properly screened? Are they adequately bonded?
- Do processing periods ever become prolonged? Are employees leaving the computer during the transmission process?
- How are computer hardware and software problems related to cash transfers documented?
Who is Supervising Compliance With Internal Controls Relating to These Matters?
Internal Control Over Processing EFT and ACH Cash Transfers:
- Is there a pre-approved listing of vendor numbers and bank account numbers to or from which designated cash transfers can be made?
- Which employees are permitted to perform what type(s) of cash transfers? How is this monitored? Are there pre-approved dollar limitations?
- Is cash reconciled by an individual who does not have access to perform cash transfers?
- Is the cash reconciliation or review completed from internet or computer-generated statements that could have been easily manipulated prior to being reviewed?
- Does the cash reconciliation process include a detailed review of vendors, bank account numbers and other references relating to the cash transfers? Is supporting documentation reviewed?
- What is your exposure that unauthorized transactions are occurring with your authorized vendors (i.e., an employee paying a personal debt with an identical vendor)?
- What is your exposure that innocent-looking payroll tax deposits made via cash transfers are crediting unauthorized amounts of federal income tax to an employee's withholding account?
- Are recurring cash transfers reviewed to determine the ongoing propriety of the amount and the authorization of the expenditure?