SOX - WEB PAY System Controls 1541

  • My firm has an in-house web pay system (created by the IT dept) that is being used in limited capacity. Some of the users have full access to enter and process payment but a lot of the users are restricted due to inability to use the system correctly thus live checks are sent to the firm. These lives checks are open in the mailroom sent to another dept to post in web pay and then to accounting. There is no administrator for the system and reconciliation of the web pay system is not being done at this point in time. I would like to build some controls around the system. What controls should be place? Has anyone dealt with web pay controls? Any insight is much appreciated.

  • Certainly separation of duties controls are in order. With the separation of duties comes restricted access, your IT dept should be able to run queries that list what users have what access, reviewing that intermittently will give you comfort that only those who should use it are using it. If you haven’t already, consider password controls, such as minimum length, characters, numbers, and letters, etc. Also, you probably would want someone, independent from day to day workings if possible to reconcile the Web Pay system to the processed checks.
    Pretty basic, but hopefully I helped you a little.

  • Jason has shared some good recommendations and below are a few more ideas below: %0A1. While almost all folks are honest and ethical in their work conduct, you have to design controls to prevent someone from being tempted in taking advantage of weak controls. So you want separation of duties, autonomy levels (supervisors to handle large USDUSDUSD), check and balances, and other classical audit controls built in. You can work these in over time without having to scrap your web payment system. %0A2. As Jason recommends, I’d recommend some form of manual reconciliation with the automated system. If it’s too expensive to hire someone, as least start sampling and spot checking some to ensure that at least some % of the checks are being reviewed. %0A3. The customers themselves can be an audit trail. If anyone complains of differences or unusual activity (e.g., paid check was endorsed to someone else), always investigate these as clues for abnormal activity.%0A4. From an IT standpoint, you want the best practices including: SSL encryption (even if it’s an Intranet application), strong password controls, capture of security audit records, etc.%0A5. You may want to train the inexperienced users to avoid having to mail items off-site to a processing center where there might be less control%0AFrom experience, it’s always tough to tighten controls after the fact. I’d recommend setting up a planned approach and phasing in controls gradually so that the business flow from this process is not impacted. Good luck on this process.

  • Hi,
    In addition to the suggestions offered by others who have posted, you might consider a very high level internal control assessment.
    For example,
    Consider the volume of checks received by mail (INPUT to Mailroom), determine that PROCESSing controls are sufficient, and implement a reconciliation on the back end (OUTPUT from Mailroom) to the ‘other’ department, eventually flowing to your Accounting group.
    Thus, INPUT = PROCESS = OUTPUT. At the most fundamental level, if adequate internal controls (key controls) are implemented at these ‘touch points’, you will have a better chance of reducing likelihood of fraud.
    It sounds like some segregation of duties already exists since three groups (Mailroom staff, ‘Web-Pay’ input personnel, and Accounting are involved in receiving, data input, and Accounting for checks received by the firm.
    At the entry point when received in the mailroom, it might be a good idea to immediately endorse the checks ‘For Deposit Only’ upon receipt so that live checks cannot be further negotiated improperly or cashed at the bank.
    A good internal control technique for consideration would be to create and use a Check Receipt Log to track basic information…check number, amount, date received, and payee/customer account number.
    The Check Log described above could be reconciled in Accounting to the monthly Bank Statement to ensure that all checks are received, deposited, and accurately recorded.
    This reconciliation procedure addresses a number of financial statement assertions (Completeness, Accuracy, Existence or Occurence, Presentation and Disclosure) and would likely be considered a ‘key control’ in the overall cash receipts and Accounting business processes.
    For more guidance, you can simply search on Cash Handling procedures on the internet and I’m sure you will find other useful information and leading practices.
    Hope this further helps,

  • Milan – that was excellent 🙂
    P.S. One more thing I saw needed is a focus on safeguarding privacy and customer information protection. The article describes some of the consequences of a recent incident impacting up to 26.5 million veterans. Secure server technologies are a must

Log in to reply