Essential IT Controls for Preventing Cash Fraud

• Author: Robert Marley,J. Lowell Mooney
• Published date: 01 January 2015
• Date: 01 January 2015
• DOI: http://doi.org/10.1002/jcaf.22019

49

© 2015 Wiley Periodicals, Inc.

Published online in Wiley Online Library (wileyonlinelibrary.com).

DOI 10.1002/jcaf.22019

f

e

a

t

u

r

e

a

r

t

i

c

l

e

Robert Marley

and J. Lowell Mooney

Cyber-thieves know the exact location of your

organization’s cash. What is not certain is whether

you are working harder than the thieves to pro-

tect your organization’s most vulnerable asset.

This article encourages organizations to assess

the controls they have in place around their cash

operations. It describes in detail a variety of gen-

eral controls over cash, including adequate seg-

regation of duties, explicit authorization approval

requirements, and physical access controls. The

article then describes several information technol-

ogy (IT) application controls (including lockboxes,

positive pay, ACF Fraud Blocker, and zero balance

accounts) that can help you protect your organiza-

tion’s cash against fraud and cyber-attack.

© 2015 Wiley Periodicals, Inc.

E ssential IT Controls for Preventing

Cash Fraud

“In the old days,

thieves would physi-

cally break into an

organization and

steal whatever valu-

ables they could find

laying around. Tech-

nology has changed

the way organiza-

tions are robbed.

Today, cyber-thieves

can identify pre-

cisely what is avail-

able and where it is

located, simply bid-

ing their time until

a control weakness

provides them with

the opportunity to

grab it.”

—Mike Morris, IT

Security Partner, Porter

Keadle Moore, LLC

When asked about their

organization’s ability to defend

against cyber-threats, more than

half the individuals surveyed,

including those working at large

financial institutions, gave their

organizations a grade of “C” or

below (as cited in Morris, 2014 ).

What grade would you give your

company or organization?

The purpose of this article

is to help you take action to

protect your organization from

cyber-threats targeting your

most vulnerable asset: cash.

Specifically, we discuss the

information technology (IT)

controls needed to manage cash

transactions more securely in an

online environment. We apply

a strategy known as defense-in-

depth, an approach whereby an

organization builds successive

and mutually reinforcing layers

of IT-based security controls

that work together

to secure the orga-

nization’s electronic

transactions. This

article proceeds as

follows: First, we

identify who is gen-

erally responsible for

the internal controls

over cash and cash

operations. Then, we

identify and briefly

describe the funda-

mentals of two com-

monly used technol-

ogy-based internal

control frameworks.

Finally, we review

several cash manage-

ment technologies,

identifying how organizations

can embed widely available IT-

based controls to deter fraud.

WHO IS RESPONSIBLE FOR

INTERNAL CONTROL OVER

CASH TECHNOLOGY?

According to the Associa-

tion of Corporate Treasurers,

cash and cash operations is one

of the five core functions of the

corporate treasurer (Association

of Graduate Careers Advisory

Services [AGCAS], 2014 ). Yet