Internal Controls over Electronic Payments

Jeff Yennie

Paying our home utility bills, credit card statements, or even sending money to friends and family has never been easier. I write fewer than 20 physical checks each year. I can log on to the bank website and pay all of my utility bills in less than 5 minutes. No check needs to be written and I can save the stamp. If I log on to my online credit card statement, I can review all of my transactions and have the payment directly withdrawn from my checking account within a day or two. Businesses and non-profit organizations may not be using online bill pay as often as I do personally. However, as I continue to work with organizations in Rapid City and surrounding areas, electronic payments are being used more frequently. Like any other payment, electronic payments need to be subject to appropriate internal controls.

Let’s assume your organization pays all bills with a physical check and has the following internal control procedures.  Invoices are received and then reviewed and approved by the executive director, Mary.  The invoices are then given to an administrative employee, Peter, to post to the general ledger and print the checks.  The checks and invoices are then given to the finance manager, Paul, to sign the checks.  Paul reviews each invoice and check before signing, to make sure the amounts agree, and then gives the signed checks to the receptionist to mail.  These controls segregate the approval, posting, signing, and mailing of the checks, which mitigates any risk of the same person having absolute control over the entire process.

Now let’s assume the organization starts paying its electricity bill online each month.  The electricity invoice is received and approved by Mary.  The invoice goes to Peter to post to the general ledger.  Peter posts the expense to the general ledger and uses the online bill pay function to make the payment.  The physical checks go to Paul and follow the normal process as described in the previous paragraph.

What is wrong in this scenario? Peter handles the electricity bill with limited oversight: he both posts the expense and makes the payment, and nobody compares the payment to the invoice. He could pay the organization’s electricity bill and his personal electricity bill. It is possible to make an online payment for more than one utility account in the same transaction. As a result, there would be one entry to the general ledger and one expense on the bank statement, even though Peter paid two separate bills. Unless Mary remembers the exact amount of the electricity bill each month during her review of the bank statement, this scheme could go on for a while.

This example is fairly simple but illustrates the importance of ensuring the internal controls over cash disbursements follow the same process whether a physical check is printed, signed and mailed, or an electronic payment is made using some form of online bill pay.  Hopefully, such fraudulent transactions would be caught during a review process, but without the correct processes, the fraud opportunity is available.  Mitigating controls are not nearly as important as preventative controls.

A preventative control that could be implemented in this scenario would be Peter printing the payment verification and giving this to Paul along with the physical checks and invoices.  Paul could agree the payment verification to the invoice during his review process.  Alternatively, a dummy check could be generated for the electric bill so the expense is attached to a check number in the system and given to Paul for his review during the normal process.

If you have questions on your internal controls surrounding cash disbursements and electronic payments, feel free to contact the not-for-profit team at KT.


