PKF O'Connor Davies Accountants and Advisors

Safeguarding Your Organization from Possible ACH Disbursement Fraud

By Michael Trapp, CPA, Director and Michael Talt, CPA, Supervisor

In recent years, we have worked with not-for-profit organizations that have fallen victim to nefarious actions by hackers focused on the organizations’ use of Automated Clearing House (ACH) payments. While the benefits of using ACH payments for disbursements are numerous (e.g., less expensive than using checks, automated and time efficient), using them without strong, established internal controls in place can be risky business.

Recently, we have seen a rise in social engineering schemes by bad actors, particularly at organizations where internal controls were either not adequate to mitigate potential illegal acts or were overridden by management.

Reviewing Current Controls and Implementing New Procedures

One of the responsibilities of the finance office is to safeguard the financial assets of an organization. Management must be vigilant in an ever-changing cyber environment as hackers become more creative and devious in their efforts to access an organization’s assets or information.

The inherent risks of making ACH payments that can never be fully avoided include identity theft and fraudulent payment information. However, the finance office can mitigate these risks by regularly reviewing existing internal controls and procedures for best practices and verifying that each disbursement follows established protocols. The suggestions below describe procedures that organizations can use to strengthen controls.

  • Verifying a change in vendor information – If you happen to receive an email from a vendor requesting that you change any payment information, the best course of action is to call a telephone number you know is legitimate and confirm the change over the phone with a known contact. Cybersecurity threats target both your organization and the vendors your organization uses. Confirming this change through a verified phone call is a necessary step to safeguard against potential theft. Once complete, this change should be reviewed and approved by a supervisor of the business office.

  • Proper Approval of Disbursements – Ensure an appropriate member of the management team reviewed and approved the ACH funds transfer. Obtaining the proper approval of an ACH payment is important to ensure the disbursement is accurate and legitimate. If there are any concerns about the approval, contact the approver through another form of communication. For large and infrequent ACH disbursements, having a second approver is advisable.

  • List of Approved Vendors – Confirm that the vendor you are about to release funds to is a well-known vendor to your organization. Ensuring that the vendor is on an approved list of vendors significantly decreases the likelihood that an improper ACH payment will be made to an illegitimate payee. This list of vendors should be created and maintained by an appropriate member of the business office and approved annually by the Chief Financial Officer. It is also important to remove inactive vendors from this listing to avoid a misplacement of payment.

  • Verification of Payment Received – Contact the vendor after payment is made to confirm receipt for specific threshold amounts. The transfer of funds through an ACH payment is almost instantaneous; having the vendor acknowledge receipt will help ensure the funds were released to the proper party.

Implementing Checks and Balances in the ACH Disbursement Cycle Impacting Organizations 

Issues involving ACH payments that we have encountered during our most recent audits include:

  • Authorizing the release of funds to fake vendor accounts in response to malicious emails.
  • Releasing improper payments due to override of internal controls by management.
  • Failing to follow formal review policies.

The above incidents could have been prevented if the finance office had followed the policies in place at the organization and implemented proper checks and balances in the ACH disbursement cycle. Due to these control weaknesses, organizations lost funds that were not recoverable and had certain assets frozen.

Takeaway

Reviewing your organization’s current processes is key to identifying possible weaknesses that exist within your ACH disbursement function. We recommend that this be done at least annually to verify that the internal controls in place are adequate and still relevant and that no other risks have been identified that need to be addressed.

Contact Us

We welcome the opportunity to discuss the above procedures and how they may be implemented within your not-for-profit organization. 

If you have any questions or would like to discuss the internal control structure surrounding ACH disbursements, please contact your PKF O’Connor Davies client service team or:

Robert Cordero, CPA
Partner
rcordero@pkfod.com | 914.341.7031

Michael Trapp, CPA
Director
mtrapp@pkfod.com | 914.341.7640

Michael Talt, CPA
Supervisor
mtalt@pkfod.com | 914.341.7036