Internal controls fight technology-related fraud
The ability to accept and make online payments offers obvious benefits to municipalities that are under constant time and budgetary pressures. It may also be subject to fraud attempts that can dodge traditional internal controls. Fortunately, measures are available to combat these risks.
Making online disbursements
Many municipalities are now paying certain bills online, rather than mailing payments. Of course, the ability to make online payments essentially makes the employee who does so a check signer who can, in turn, make unauthorized payments. Similarly, the employee who oversees direct deposit payroll transactions may choose to pay “ghost” employees, give unauthorized raises or otherwise divert funds.
If your municipality makes these types of online disbursements, ensure that all payments are subject to an independent review by a different employee. The reviewer can check payments online or examine the bank statements for discrepancies. The reviewer should also study payroll reports that come directly from the payroll system (vs. coming from the employee who oversees payroll). The reviewer should be aware that those two employees might be working together to commit fraud. Your bank might offer verification services to confirm that payments are authorized before they clear.
One of the most significant changes in municipalities’ revenue cycles in recent years has been the adoption of systems that allow online payments for services, taxes, and fees. These payments generally are deposited directly into the municipality’s bank account.
The risk is that the employee responsible for the online payment system could redirect the ultimate destination of payments. If the accounting department records income based on bank deposits, this fraud could go undetected. To close this control gap, make sure you take the added step of reconciling the bank deposits against online income from the receipt system.
Many municipalities possess their citizens’ credit card information and other personal data, making them potential targets for both internal and external hackers and fraud. Imagine the consequences if criminals were to access confidential data. It could be disastrous in terms of remedial costs, legal liability and reputational damage.
Perhaps the most effective privacy control is adherence to the Payment Card Industry (PCI) Data Security Standard (DSS). DSS applies to all entities that store, process or transmit credit cardholder data and outlines technical and operational system requirements to protect that data. Although DSS is not technically a law, several states have enacted legislation mandating compliance with some of its provisions.
The DSS requirements vary depending on the number and type of credit card transactions an organization conducts, both online and offline. It is a good idea, though, to take steps to comply with the strictest requirements, including:
- Installing and maintaining a firewall to protect cardholder data,
- Encrypting the transmission of cardholder data,
- Restricting access to cardholder data with unique IDs and on the basis of “need to know,” and
- Using and regularly updating antivirus software.
Although it is not a requirement, PCI also strongly recommends “segmenting” (or isolating) the cardholder data environment from the rest of the network. (To learn more, visit https://www.pcisecuritystandards.org.)
As a general reminder, in Michigan, if a municipality accepts or makes online payments, such as payments through the automated clearing house or credit card transactions, certain written policies are required and must be adopted, by resolution, by the governing body.
- Electronic transactions of public funds – if bills are paid electronically, the governing body must adopt a resolution in accordance with Public Act 738 of 2002; MCL 124.301 – 124.305.
- Credit card purchases – if a municipality pays bills using a credit card, a separate resolution must be adopted by the governing body in accordance with Public Act 266 of 1995; MCL 129.241 – 129.247.
- Credit card receipts – if a municipality accepts credit cards as a form of payment, a resolution must be adopted by the governing board in accordance with Public Act 280 of 1995; MCL 129.221 – 129.224.
The overall purpose of these laws and the resolutions created through them are to ensure municipalities establish solid internal control structures before allowing electronic transactions. This will help prevent, or detect and correct, fraud or errors.
Proceed with caution
There is no turning back from the technological advances municipalities are currently enjoying. The key is to remain vigilant against the evolving risk of fraud.
If your municipality does not have appropriate policies in place and you would like help establishing sound policies, contact your Yeo & Yeo professional.