Safeguarding Your Independent School from Possible ACH Disbursement Fraud
By Michael Trapp, CPA, Director and Michael Talt, CPA, Supervisor
In recent years, we have worked with independent schools that have fallen victim to nefarious actions by hackers focused on the independent schools’ use of Automated Clearing House (ACH) payments. While the benefits of using ACH payments for disbursements are numerous (i.e., less expensive than using checks, automated and time efficient), without strong, established internal controls in place, it can be risky business.
Recently, we have seen a rise in social engineering schemes by bad actors, particularly at independent schools where internal controls were either not adequate to mitigate against potential illegal acts or were overridden by management.
Reviewing Current Controls and Implementing New Procedures
One of the responsibilities of the finance office is to safeguard the financial assets of an independent school. Management must be vigilant in an ever-changing cyber environment as hackers become more creative and devious in their efforts to access an independent school’s assets or information.
The inherent risks of making ACH payments that can never be fully avoided include identify theft and fraudulent payment information. However, the finance office can mitigate these risks by regularly reviewing existing internal controls and procedures for best practices and verifying that each disbursement follows established protocols. The suggestions below describe procedures that independent schools can use to strengthen controls.
- Verifying a change in vendor information – If you happen to receive an email from a vendor requesting that you change any payment information, the best course of action is to call a telephone number you know is legitimate and confirm the change over the phone with a known contact. Cybersecurity threats target both your independent school and the vendors your independent school uses. Confirming this change through a verified phone call is a necessary step to safeguard against potential theft. Once complete, this change should be reviewed and approved by a supervisor of the business office.
- Proper Approval of Disbursements – Ensure an appropriate member of the management team reviewed and approved the ACH funds transfer. Obtaining the proper approval of an ACH payment is important to ensure the disbursement is accurate and legitimate. If there are any concerns about the approval, contact the approver through another form of communication. For large and infrequent ACH disbursements, having a second approver is advisable.
- List of Approved Vendors – Confirm that the vendor you are about to release funds to is a well-known vendor to your independent school. Ensuring that the vendor is on an approved list of vendors significantly decreases the likelihood that an improper ACH payment will be made to an illegitimate payee. This list of vendors should be created and maintained by an appropriate member of the business office and approved annually by the Chief Financial Officer. It is also important to remove inactive vendors from this listing to avoid a misplacement of payment.
- Verification of Payment Received – Contact the vendor after payment is made to confirm receipt for specific threshold amounts. The transfer of funds through an ACH payment is almost instantaneous; having the vendor acknowledge receipt will help ensure the funds were released to the proper party.
Implementing Checks and Balances in the ACH Disbursement Cycle Impacting Independent Schools
Issues involving ACH payments that we have encountered during our most recent audits include:
- Authorizing the release of funds to fake vendor accounts which were prompted by malicious emails.
- Release of improper payments due to override of internal controls by management.
- Lack of following formal review policies.
The above incidents could have been prevented if the finance office had followed the policies in place at the independent school, along with implementing proper checks and balances of the ACH disbursement cycle. Due to these control weaknesses, independent schools lost funds that were not recoverable and had certain assets frozen.
Takeaway
Reviewing your independent school’s current processes is key to identifying possible weaknesses that exist within your ACH disbursement function. We recommend that this be done at least annually to verify that the internal controls in place are adequate and still relevant and that no other risks have been identified that need to be addressed.
Contact Us
We welcome the opportunity to discuss the above procedures and how they may be implemented within your independent school.
If you have any questions or would like to discuss the internal control structure surrounding ACH disbursements, please contact your PKF O’Connor Davies client service team or:
Robert Cordero, CPA
Partner
Independent School Practice Leader
rcordero@pkfod.com | 914.341.7031
Michael Trapp, CPA
Director
Independent School Practice
mtrapp@pkfod.com | 914.341.7640
Michael Talt, CPA
Supervisor
Independent School Practice
mtalt@pkfod.com | 914.341.7036