No doubt you’ve heard that a chain is only as strong as its weakest link. In the world of electronic funds transfers (EFTs), this maxim holds doubly true. It applies to security systems and the networks they run on (including the Internet) as well as the users of those systems and networks. A security system can only defend a network if it offers sufficient coverage and controls. Absent such controls, users can, intentionally or accidentally, access, change or steal data that they are not authorized to see.
After all, it’s just bits of data travelling super-fast across transmission wires—or even through the air if there’s a wireless component along the way—in and out of servers…
In just one simple example, I know I feel a bit strange when I insert my “chip” credit card to pay for something and don’t need to sign for it; and I feel downright uneasy when I simply pass my card over the reader and don’t even have to enter my PIN. I do it anyway. My uneasiness isn’t due to a lack of trust in the systems in place. I understand there are significant potential risks associated with these activities, but I don’t understand those risks particularly well. Moreover, I don’t understand the systems themselves. Imagining expanding the example above across the entire Internet.
Increasingly, businesses and consumers are being asked to undertake transactions using interfaces that they do not understand. There is no easy way around this, since most people don’t even understand the basic workings of the computers, cellphones and kitchen gadgets they use on a daily basis. But that doesn’t mean organizations can’t implement controls to prevent or reduce the risk of data and financial loss and identity theft. In fact, businesses are bound by law to protect their data and that of their customers.
Regardless of their legal obligations, organizations need to control their paper and electronic financial transactions for the sake of their operations. As with controlling paper transactions, the two main reasons for keeping track of EFTs are accuracy and security. Accuracy is mainly a matter of accounting controls; security requires authorization and other technical controls. With paper transactions, we’re usually confident that our cash is not counterfeit and that the signatures on cheques haven’t been forged.
Unfortunately, conducting transactions electronically makes both accuracy and security more challenging. Accuracy with EFTs still comes down to accounting, but electronic security is an uphill battle against criminals both organized and unorganized, but all with various nefarious intentions.
The latest sample policy in Finance & Accounting PolicyPro offers a clear outline of EFT transmission procedures, including initiation, authorization and confirmation, as well as an EFT Requisition and Authorization Form and a template for an EFT payment record rubber stamp. FAPP offers numerous other sample policies to control all aspects of accounting. Information Technology PolicyPro, another key volume in First Reference’s Internal Controls Library, provides detailed sample policies on network security and other salient issues related to electronic commerce and operations.
Adam Gorley
First Reference Internal Controls, Human Resources and Compliance Editor
