Electronic transaction systems

Many agencies use electronic systems for administrative transactions, such as payroll processing and banking. Electronic systems are also frequently used for ordering and purchasing goods and services or for selling, or billing for, agency goods or services.

In general, electronic transaction systems can provide benefits such as the automatic segregation of functions and in-built delegation limits. As agencies increasingly adopt this technology, however, new challenges can arise and security measures and checks should correspondingly be put in place. Controls are particularly important when traditional security and verification methods (such as counter-signatures and face-to-face identification) are not practical or no longer used.

Chief financial officer’s misappropriation of council funds
In 2017, the ICAC reported on its investigation into the conduct of the former chief financial officer (CFO) of a large local council, and a number of his colleagues, in relation to widespread and large-scale misappropriation of council funds and resources. The conduct involved false invoicing, inappropriate payments via payroll and superannuation, and misuse of council credit, store-charge and Cabcharge cards. Corrupt conduct findings were made against the CFOs and others. The investigation found that the corrupt conduct was possible because of a striking lack of fundamental controls in the council’s financial operations. The CFO was well placed to both perpetuate and exploit such failures. The council’s governance mechanisms, namely internal audit, external audit, and the audit committee, were not functioning effectively and therefore failed to detect and/or remedy these financial control failures. These failures included: unfettered discretion or authority, as the CFO (and others in the council’s finance division) had complete end-to-end control of numerous high-risk financial processes and exclusive visibility of the council’s finances problematic norms, as there were no processes in place to verify invoice authenticity before they were paid governance failings, as internal audit was not independent from management and council had no robust means to ensure internal audit recommendations were implemented external auditors did not report the identified control failings to those in the council charged with governance, and senior managers, the audit committee, and general manager did not ask for reports on the control failings identified in the audits. Recommendations were made to the council to improve its financial operations and the operation of its governance mechanisms, including that: the vendor master file be subject to appropriate segregation and review-based controls sufficient segregations be put in place in its invoice payment processes (including the introduction of a three-way match arrangement) to manage the risks associated with fraudulent payments operational managers be given visibility over, and involvement in, setting budgets and monitoring expenditure against these budgets adequate segregations be put in place across different financial processes the agency’s internal audit function operate independently from management by reporting functionally to its audit committee. `Source: Investigation into the conduct of the former City of Botany Bay Council chief financial officer and others, July 2017.`

Chief financial officer’s misappropriation of council funds

In 2017, the ICAC reported on its investigation into the conduct of the former chief financial officer (CFO) of a large local council, and a number of his colleagues, in relation to widespread and large-scale misappropriation of council funds and resources. The conduct involved false invoicing, inappropriate payments via payroll and superannuation, and misuse of council credit, store-charge and Cabcharge cards. Corrupt conduct findings were made against the CFOs and others.

The investigation found that the corrupt conduct was possible because of a striking lack of fundamental controls in the council’s financial operations. The CFO was well placed to both perpetuate and exploit such failures. The council’s governance mechanisms, namely internal audit, external audit, and the audit committee, were not functioning effectively and therefore failed to detect and/or remedy these financial control failures. These failures included:

unfettered discretion or authority, as the CFO (and others in the council’s finance division) had complete end-to-end control of numerous high-risk financial processes and exclusive visibility of the council’s finances
problematic norms, as there were no processes in place to verify invoice authenticity before they were paid
governance failings, as internal audit was not independent from management and council had no robust means to ensure internal audit recommendations were implemented
external auditors did not report the identified control failings to those in the council charged with governance, and senior managers, the audit committee, and general manager did not ask for reports on the control failings identified in the audits.

Recommendations were made to the council to improve its financial operations and the operation of its governance mechanisms, including that:

the vendor master file be subject to appropriate segregation and review-based controls
sufficient segregations be put in place in its invoice payment processes (including the introduction of a three-way match arrangement) to manage the risks associated with fraudulent payments
operational managers be given visibility over, and involvement in, setting budgets and monitoring expenditure against these budgets
adequate segregations be put in place across different financial processes
the agency’s internal audit function operate independently from management by reporting functionally to its audit committee.

Source: Investigation into the conduct of the former City of Botany Bay Council chief financial officer and others, July 2017.

Common corruption risks around electronic transactions include a public official:

gaining unauthorised access to electronic records
making an electronic payment to a non-existent vendor for the purpose of redirecting the money into a private account
improperly transferring money from an agency account to an associate or an account under their control.

It is essential to consider corruption risks in an electronic system for transactions, before the system is implemented. When an agency moves to a new electronic system, or upgrades an old one, it often involves marked changes to the underlying process for transactions that can create opportunities for corruption. Electronic processes are sometimes difficult to change once in place, for example, because the software needs to be rewritten, or employees do not know how to make the changes, so it is important to trial the system and check for flaws before it is officially adopted.

Developing a strategy

IT consultants can be useful for providing technical advice and challenging agencies’ assumptions, and their assistance may be essential for identifying and resolving some problems, especially vulnerabilities in system software. However, public officials who manage electronic systems also need to have a significant understanding of those systems to ensure that adequate controls are in place in keeping with policy, legislative and program objectives. A consultant's solutions may even leave an agency exposed to corruption risks they do not fully understand the responsibilities and objectives of the agency, or the way the electronic system is used in practice by staff.

Significant liaison during the design phase between the IT professionals creating or using a system, and the public officials who will manage the system, is essential. In fact, designing a system so it efficiently and effectively processes transactions, also helps to control corruption because good design can ensure recordkeeping, report generation for checking automated controls around delegations (that is, spending and approval thresholds), and password controls.

Agencies sometimes outsource management of an electronic transaction system to a third-party, but outsourcing itself carries risks. Outsourcing management of an electronic system does not make corruption risks disappear, and public agencies cannot outsource the management of these risks – they retain responsibility for dealing with them.

Once an electronic transaction system has been designed to meet your agency's operational objectives, consider the following measures:

establish protocols and controls for transmission of credit card data or other codes
ensure that internet-based payments are made only to secure sites
use digital signatures to verify the authenticity of electronically-transferred information
establish internal controls to authorise all payments
ensure electronic transactions cannot be both authorised and processed by the same person (that is, preventing end-to-end control over a process)
periodically test and check confirmation procedures and data processing controls
ensure the systems can automatically identify anomalies – such as large and unusual transactions – for review
maintain emails of business value
automatically generate records for all electronic payments
retain user details for authorisation and process purchases and sales
record any changes to electronic payment delegations
conduct audits and reviews of authorities to access, alter or destroy records.

Recordkeeping relating to computerised systems concerns two key issues: security and automation. With regard to security, electronic files are only as safe as an organisation's IT systems. For instance, if there is a security weakness in an agency's web server then records may be altered or deleted before they are even filed.

With regard to automation, a system’s vulnerability may mean generation of records is no longer an inherent part of a process. This is because the information for an electronic form in the system, or online, is not actually saved but simply used in other process steps. By contrast, in paper-based systems, the act of filling out a hardcopy form generates a record. In general, automated systems should include automated recordkeeping. Agencies can ask software design contractors to include this feature.

The ICAC has published a number of investigation reports that include a focus on corruption involving electronic transaction systems, including:

Investigation into the conduct of a university manager and others in relation to false invoicing (June 2015)
Investigation into the conduct of a TAFE NSW ICT manager (March 2016)
Investigation into the conduct of the former City of Botany Bay Council chief financial officer and others (July 2017).

The ICAC report, Safeguarding public money: The importance of controlling invoice payments (November 2014), also deals with the electronic payment of invoices.

Reviewed November 2018