Online Banking, Cyber-theft and Internal Controls
Written by David T. Schwindt, CPA RS PRA Published: 15 August 2013
Over the past several years, we have become increasingly aware of the potential of theft occurring when associations are involved with online banking. One of the greatest areas of concern is in the area of fraudulent electronic funds transfers (EFT) and ACH transaction fraud. Cyber criminals are now targeting associations due to the ease of accessibility due to weak or non-existent controls. Many associations are implementing online activities without considering the necessity of additional internal controls. If the fraud can be traced to a security breach in the victim’s computer (for example, viruses, malware, [malicious software programs] and hijacking programs), the bank may be able to avoid responsibility for the recovery of the lost funds. The bank also may find that the customer is not in compliance with its security authentication procedures which also may impair the victim’s ability to recover lost funds.
Computer systems without effective firewalls and software protections to prevent criminals from accessing systems are at risk. In the past, cyber criminals primarily gained access through malware imbedded within email attachments. This was relatively simple to counter by simply not opening attachments from untrusted sources (though this assumes the sender also has good IT practices). These days, malware is more commonly found in website banner ads. Often these make their way onto reputable sites. For example, Facebook, The New York Times, and Yahoo! have all been victims of such poisoned ads. As such, one should never assume a site or email is safe. One should always install any software updates available (even if it sometimes means the inconvenience of restarting the computer). Even an up to date machine can be vulnerable if the user is tricked into providing confidential information to a malicious website. Phishing emails posing as legitimate messages from the bank or a website the association does business with will try to get the victim to enter the user-name and password or other sensitive information on a site that may look exactly like a legitimate site. As a general rule, no bank, email provider, government agency, or any other major institution will ever request personal information via email.
All systems, especially the computer used to conduct online banking, should be protected by a firewall and monitored with updated security software. Access to online banking computers should be based on least privilege (that is, “need to know”) limited access incorporating all the proper physical and logical access controls including policies and procedures. In smaller association settings, using a stand-alone computer that is not set up on a routing system to allow for wireless access may not be practical. Routers that require a security name are at risk by sophisticated hackers. Changing the association’s routers’ administrative and WiFi password from the default setting to something more secure can help prevent such attacks. If the equipment was issued by the association’s internet service provider, technical support should be able to help change this feature. If the association purchased its router from another vendor, it may be necessary to contact the manufacturer if there are questions about making these changes. Physical controls to the computer and proper passwords (including numbers, letters, and special characters) that are changed periodically are necessary.
An effective system of internal controls includes the segregation of responsibilities involving financial transactions. This is especially true when it comes to online banking activities. Auditors generally refer to duties that are not segregated as incompatible duties. An example of an incompatible set of duties would be a bookkeeper who manages all aspects of the accounting process including billings, deposits, signing checks, preparing bank reconciliations and preparing financial statements with little oversight by the manager or board. This person could have the opportunity to take funds from the association and conceal the theft by manipulating the financial records. Strong internal controls generally include segregating the duties of performing and reviewing financial transactions among association personnel, community manager and board members to establish a system of checks and balances to help prevent defalcations. Changes in board members, community managers, and accounting personnel require associations to constantly monitor the effectiveness of the system of internal controls. Many associations have strong controls as they pertain to traditional activities of paying bills by check. These same controls should be incorporated into the system when online activities are activated. One of the controls many banks use to deter cyber theft is to authenticate the online transaction by a phone call or email to the person designated to authorize the transaction. However, if the person designated to authorize the transaction is also the person who has the ability to perpetrate and conceal the transaction, such as the bookkeeper, this valuable control is diminished. It is sometimes not practical to have a person designated for an online transaction who is not a member of the financial team. However, the person authorizing the transaction should not be able to make entries or adjustments to the books and records. If possible, the person authorizing the transaction should be contacted by email notification on a separate computer with different log-on credentials. Regardless of the segregation of duties, monitoring and reconciling EFT/ACH accounts daily is important to quickly identify unauthorized transactions and to enable the association to possibly reverse fraudulent transactions. This type of control can clearly detect but not prevent fraud, but it can be effective.
The following steps may be effective in developing effective controls:
- Perform a risk assessment including external and internal cyber theft fraud attributes.
- Dedicate a computer or system for online banking.
- Log and monitor key computers or systems.
- Segregate online banking functions.
- Reconcile EFT/ACH transactions daily.
- Consider a clearing bank account and make transfers from a separate system.
- Work with the bank to develop and understand security authentication procedures.
- Work with the independent auditor to understand effective internal control procedures.
Many Banks are now scrambling to increase controls over layered security, anomaly detection, administrative controls and customer awareness. Homeowner’s associations should also be diligent in assessing and addressing cyber theft issues and related controls.
Responding to EFT fraud may require both technical and operating expertise. Trojan horse programs designed to facilitate these crimes are often difficult to detect and remove. In addition, an in-depth understanding of transaction and data flow throughout the EFT process will play a critical role in discovery. If associations have questions concerning this article, they may contact David T. Schwindt, CPA RS PRA at Schwindt & Company.
Schwindt & Company: (503) 227-1165