On news feeds I consistently see headlines about scammers hitting it big through phishing and spear-phishing attacks. In one recent attack, scammers siphoned $47 million from a well-established bank. Banks have sophisticated technology to prevent this kind of loss, yet the vulnerabilities still exist. So why do these losses happen, and what can be done to avoid them?
Based on my experience, organizations suffer losses of this nature because of overconfidence or arrogance: they think "it won't happen here." Most vulnerability gaps arise because systems and processes are dynamic; over time, one or more changes circumvent the existing data integrity and fraud prevention mechanisms, leaving risks unidentified and unmanaged.
The incident mentioned above was caused by a spear-phishing scam. Software packages such as FireEye and GreatHorn help manage spear-phishing risk, and these, together with user education and preventive control programs, can be implemented as part of a comprehensive solution. Prevention is important, but a comprehensive approach combines it with detective and monitoring controls to minimize risk and optimize performance over time.
To reduce the risk of financial loss, if I were a treasurer or disbursement officer I would enhance detective disbursement controls and continuous monitoring over disbursements to improve the end-to-end integrity of the data. Data anomalies are often the tell-tale sign that something is outside normal tolerances and patterns, and continuous data analysis detects them as soon as they appear. These anomalies are the bread crumbs you can find proactively through data integrity and fraud prevention efforts, or reactively after an incident has occurred. The motivation is always the same: minimize the risk of financial loss.
Enhanced Preventive and Detective Controls and Continuous Monitoring for Disbursements
Internal controls are your first line of defense in assuring that assets (cash in this case) are safeguarded against fraud, waste and abuse. A sound internal control process clearly identifies the relevant objectives, the risks, and the controls that mitigate those risks. The internal control objectives for cash disbursements are that cash is disbursed only upon proper authorization from management, only for valid business purposes, and that all disbursements are properly recorded.
While it is not economically feasible to guarantee that these objectives are met at all times for every transaction, automated detective data analysis and continuous monitoring help bridge the gap and provide reasonable assurance that they are accomplished efficiently and effectively over time.
We have already discussed an anti-spear-phishing program as part of the recommended approach. Combining it with detective and monitoring controls over the whole disbursement process will significantly reduce your risk. I outline both types of controls below.
Segregation of Duties and Independent Verification
The key controls in cash processes are segregation of duties and independent verification.
Segregation of duties is both a preventive and a detective control. Dividing responsibilities means that each function's work is checked by another, which increases the probability of detecting an error or a fraud and so reduces the risk of financial loss. Custodial duties, which direct the actual flow of cash, must be separated from the cash recording duties.
Custodial duties include cash counting, endorsement, bank deposits, check stock custody, check printing, check signing, and delivery. The electronic fund transfer (EFT) application operator who processes and submits fund transfer requests is also a cash custodian.
The independent verification control in a cash process verifies internal records of receipts and disbursements against externally sourced records. This detective control is commonly known as the bank account reconciliation. Obviously, there must be accurate and reliable internal records to begin with, which is why the recording duties must be separated from the custodial duties: a custodian who also keeps the records can alter them to match whatever left the account.
While most controls are preventive in design, some also act as detective measures. This is particularly true for controls deployed at the later stages of the process, such as specific controls for large-dollar disbursements. The bank account reconciliation is specifically a detective control and a stop-loss procedure.
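As an added illustration (not code from the original post), the following Python script performs the reconciliation described above: it matches an internal disbursement ledger against a bank statement by check number or EFT reference and reports the exception classes a reconciler looks for. The ledger entries, bank lines, references and amounts are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Disbursement:
    ref: str         # check number or EFT reference
    payee: str
    amount: Decimal


# Constructed sample data for this example; the references, payees and
# amounts are made up and do not come from the original article.
LEDGER = [
    Disbursement("CHK1001", "Acme Supplies", Decimal("1250.00")),
    Disbursement("CHK1002", "Globex Corp", Decimal("980.50")),
    Disbursement("EFT2001", "Initech", Decimal("45000.00")),
    Disbursement("CHK1003", "Umbrella Ltd", Decimal("310.00")),  # not yet cleared
]

BANK_STATEMENT = [
    Disbursement("CHK1001", "Acme Supplies", Decimal("1250.00")),
    Disbursement("CHK1001", "Acme Supplies", Decimal("1250.00")),   # presented twice
    Disbursement("CHK1002", "Globex Corp", Decimal("9800.50")),     # amount altered
    Disbursement("EFT2001", "Initech", Decimal("45000.00")),
    Disbursement("EFT2002", "Unknown Vendor", Decimal("47000.00")),  # no ledger entry
]


def _index(records, source, exceptions):
    """Index records by reference, recording any duplicate reference as an exception."""
    by_ref = {}
    for d in records:
        if d.ref in by_ref:
            exceptions["duplicate"].append((source, d))
        else:
            by_ref[d.ref] = d
    return by_ref


def reconcile(ledger, bank):
    """Compare internal records with the bank statement.

    Returns a dict of exception lists:
      unrecorded  - cleared the bank but has no ledger entry (money left with
                    no authorization record: the stop-loss signal)
      mismatch    - same reference, but payee or amount differ
      outstanding - in the ledger but not yet cleared by the bank
      duplicate   - a reference that appears more than once on one side
    """
    exceptions = {"unrecorded": [], "mismatch": [], "outstanding": [], "duplicate": []}
    ledger_by_ref = _index(ledger, "ledger", exceptions)
    bank_by_ref = _index(bank, "bank", exceptions)

    for ref, cleared in bank_by_ref.items():
        recorded = ledger_by_ref.get(ref)
        if recorded is None:
            exceptions["unrecorded"].append(cleared)
        elif recorded.amount != cleared.amount or recorded.payee != cleared.payee:
            exceptions["mismatch"].append((recorded, cleared))

    for ref, recorded in ledger_by_ref.items():
        if ref not in bank_by_ref:
            exceptions["outstanding"].append(recorded)

    return exceptions


def unexplained_outflow(exceptions):
    """Total cash that left the account without a matching internal record."""
    total = Decimal("0")
    for d in exceptions["unrecorded"]:
        total += d.amount
    for recorded, cleared in exceptions["mismatch"]:
        total += cleared.amount - recorded.amount
    for source, d in exceptions["duplicate"]:
        if source == "bank":
            total += d.amount
    return total


if __name__ == "__main__":
    ex = reconcile(LEDGER, BANK_STATEMENT)
    for kind, items in ex.items():
        for item in items:
            print(kind, item)
    print("unexplained outflow:", unexplained_outflow(ex))
```

The "unrecorded" and "mismatch" buckets are the ones that stop a loss: they only surface if the ledger used here is maintained by someone other than the custodian who printed the checks or submitted the EFTs, which is the segregation point made above. Outstanding items are normal timing differences, but an item that stays outstanding across several statements deserves a look as well.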
What is Continuous Monitoring and Why is Continuous Monitoring Critical?
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational environment.
Over time, internal control activities may be performed improperly, changed, or omitted, rendering them ineffective. Monitoring helps ensure that the control activities are present and functioning as intended to produce the desired results. This is especially true for outsourced processes, where third parties perform both the operations and the control activities. Beyond this, continuous monitoring allows exceptions to be communicated and ensures that corrective actions are taken and handled appropriately.
What kind of controls and continuous monitoring should you have in place to prove the validity of outgoing payments? Below is a list of key activities to consider.
- Monitor changes to outgoing payment instructions (e.g. bank account numbers, remittance addresses) and establish who at the payee is authorized to approve them; confirm any change through a contact you already have on file, not one supplied in the change request.
- Monitor all payments over your risk tolerance (dollar threshold), and how they trend against what was planned and against historical patterns; consider additional approval for payments over your risk tolerance and for payments to payees whose master data has recently changed.
- Confirm receipt with the payee for payments over your risk tolerance.
- Monitor the activities of the people who set up and approve payee changes for suspicious activity.
- Ensure appropriate segregation of duties, especially after significant organizational or process changes.
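As an added example (not from the original post), here is a Python monitoring pass over payment and payee master-data records that implements the checks in the list above: payments over the dollar threshold, payments to a payee whose bank details changed recently, the same person entering and approving a payee change or releasing and approving a payment, and amounts that break the payee's own historical pattern. The threshold, change window, spike factor, user names and all records are assumed values constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class MasterDataChange:
    payee: str
    field: str          # e.g. "bank_account", "remit_address"
    changed_by: str
    approved_by: str
    changed_on: date


@dataclass(frozen=True)
class Payment:
    ref: str
    payee: str
    amount: Decimal
    released_by: str    # EFT operator / check signer (custodial role)
    approved_by: str
    paid_on: date


# Policy parameters. These are assumed values for the example; set them from
# your own risk tolerance and planned spend.
THRESHOLD = Decimal("25000")        # dollar risk tolerance
CHANGE_WINDOW = timedelta(days=30)  # how long a master data change counts as "recent"
SPIKE_FACTOR = Decimal("3")         # payment vs. the payee's historical maximum

# Constructed sample records (made up for this example, not from the article).
CHANGES = [
    MasterDataChange("Acme Supplies", "bank_account", "jdoe", "mlee", date(2024, 3, 1)),
    MasterDataChange("Initech", "bank_account", "rkim", "rkim", date(2024, 4, 20)),  # self-approved
]
PAYMENTS = [
    Payment("P-100", "Acme Supplies", Decimal("1200"), "apay", "mlee", date(2024, 1, 15)),
    Payment("P-101", "Acme Supplies", Decimal("1350"), "apay", "mlee", date(2024, 2, 15)),
    Payment("P-102", "Acme Supplies", Decimal("1300"), "apay", "mlee", date(2024, 3, 15)),
    Payment("P-103", "Initech", Decimal("8000"), "apay", "mlee", date(2024, 2, 1)),
    Payment("P-104", "Initech", Decimal("47000"), "apay", "apay", date(2024, 4, 22)),
]


def monitor(payments, changes):
    """Return (record, rule, detail) findings for the monitoring activities above."""
    findings = []

    changes_by_payee = defaultdict(list)
    for c in changes:
        changes_by_payee[c.payee].append(c)
        # Segregation of duties on payee master data: the person who entered
        # the change must not be the one who approved it.
        if c.changed_by == c.approved_by:
            findings.append(("CHANGE:" + c.payee, "sod_master_data",
                             f"{c.field} changed and approved by {c.changed_by}"))

    history = defaultdict(list)  # payee -> amounts paid so far, in date order
    for p in sorted(payments, key=lambda x: x.paid_on):
        if p.amount > THRESHOLD:
            findings.append((p.ref, "over_threshold", f"{p.amount} > {THRESHOLD}"))

        # Payment made shortly after the payee's instructions were changed.
        recent = [c for c in changes_by_payee[p.payee]
                  if timedelta(0) <= p.paid_on - c.changed_on <= CHANGE_WINDOW]
        if recent:
            fields = ", ".join(c.field for c in recent)
            findings.append((p.ref, "recent_master_data_change",
                             f"{fields} changed within {CHANGE_WINDOW.days} days of payment"))

        # Segregation of duties on the payment itself: release vs. approval.
        if p.released_by == p.approved_by:
            findings.append((p.ref, "sod_payment", f"released and approved by {p.released_by}"))

        # Pattern deviation against the payee's own payment history.
        prior = history[p.payee]
        if prior and p.amount > SPIKE_FACTOR * max(prior):
            findings.append((p.ref, "pattern_deviation",
                             f"{p.amount} vs. prior maximum {max(prior)}"))
        history[p.payee].append(p.amount)

    return findings


def confirmation_queue(findings):
    """Payment refs to confirm with the payee out of band, via a contact already on file."""
    return sorted({ref for ref, rule, _ in findings
                   if rule in ("over_threshold", "recent_master_data_change")})


if __name__ == "__main__":
    results = monitor(PAYMENTS, CHANGES)
    for record, rule, detail in results:
        print(f"{record:15} {rule:27} {detail}")
    print("confirm with payee:", confirmation_queue(results))
```

The rules are deliberately simple so that every finding is explainable to the approver who has to act on it. The receipt-confirmation item in the list cannot be automated offline; the script only queues the payments that need a callback, and the callback must go to a contact that predates the change request, since a fraudster who altered the bank details will usually have supplied a "new" phone number or address at the same time.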
This list is not intended to be all-encompassing. For monitoring and control solutions to be optimally effective, they must be adapted to current business operations. When you are concerned about minimizing losses of this magnitude, a disbursements health check-up is a reasonably fast and worthwhile way to obtain fact-based priorities and peace of mind. This includes understanding your risk tolerance, current and future-state plans for processing disbursements, segregation of duties, authorization, reconciliation, monitoring and reporting. Another advantage of this approach is that it focuses on the disbursement of money itself, which protects against new schemes that criminals have not yet developed and executed.
Managing risk is a constant challenge for treasury operations, and a key component is the proper mix of preventive controls, detective controls, and continuous monitoring. Understanding and implementing access controls, segregation of duties, and payment reconciliation, while also monitoring the activities listed above, can help prevent losses of this kind. For more information and to learn more about data analysis, visit our website.