Washington State Auditor’s Office: Third Party Receipting. Presented to Washington Public Ports Association, June 2016. Peg Bodin, CISA.

Presentation transcript:

Overview
This session will cover use of third party vendors, including:
- Risks
- Requirements
- Solutions

Receipting
Cashiers: Employee / Counter / Cash, check / Receipt report
Third party vendor: Non-employee / Website, P.O. Box, drop box / Check, credit card / Remittance report

Government – vendor relationship
For third party receipting status, the relationship with the vendor involves more than simply receiving the payment.

Risks
Diagram labels: Customer, Receipting interface, Credit card system, Vendor’s bank account, Public depository

Risks: Evaluate the legal agreement

Risk summary
The risks involved in third party receipting include:
- Multiple vendors, multiple solutions (even with the same vendor), each with its own risks
- Legal agreements (standard or customized)
- PCI non-compliance fees
- Data breach
- Theft / loss of funds
- Redirecting funds to other bank accounts
- Bank or vendor default
- Cyber theft

Small group discussion questions
1. Where do you accept payments through a third party vendor?
2. What risks are you concerned about in your environment?

Requirements
Third party receipting involves two primary requirements:
1. Timely and intact deposit in a PDPC approved public depository
2. Contractual compliance

Timely deposit
Deposits that go through a vendor’s bank must meet timeliness requirements.
- Best practice: Direct remittance from the credit card system to the local government’s PDPC approved depository
- OK practice: Remittance from vendor’s bank account to local government’s PDPC approved depository within one day, or five days if the treasurer authorizes an exception
- Service and receipting provider exception: Up to a month

Service and receipting providers
- Service is primary purpose
- Digital Signatures
- Collection Agencies
- Food Service Permit Testing
- Also performs receipting

Merchant services agreement
Diagram labels: Local government, Customer, Vendor, Receipting interface, Credit card system, Public depository, Vendor agreement, Merchant services agreement

Payment facilitator
Diagram labels: Local government, Customer, Vendor, Receipting interface, Payment facilitator, Credit card system, Payment facilitator's bank, Public depository, Vendor agreement, Payment facilitator agreement

Vendor
Diagram labels: Local government, Customer, Vendor, Receipting interface, Credit card system, Vendor’s bank account, Public depository, Vendor agreement

Intact deposits
Reserves, in most cases, are not allowable.
- Withholding
- Unauthorized accounts

Reserves and withholding contract language
Selected sections from the standard PayPal agreement:

Payment card industry standards

Group discussion questions
The nature of your third party vendor agreements contributes significantly to your risks.
1. Does your local government have any vendor agreements where the funds are deposited in a third party vendor’s bank account?
2. Does your local government complete a PCI SAQ (PCI Self Assessment Questionnaire)?

Solutions
Ways of addressing the risks with third party vendors include:
- Contractual language
- PCI compliance verification
- External reviews
- Insurance, bonds
- Oversight and monitoring

Controls
Diagram labels: Customer, Receipting interface, Credit card system, Vendor’s bank account, Public depository
Control labels: PCI security compliance, PCI self assessment questionnaire, Independent third party review, Cyber security insurance, Contractual language, Insurance, bonds, Independent third party review, Remittance review

Contracts
Contracts have three areas of inconsistency or concern:
1. Remittance of proceeds
2. Payment card industry (PCI) compliance
3. Reserves

Sample contract language
This is not a substitute for legal advice. Please consult your legal advisor!
Here are a couple of examples of language that could be used in a contract with a vendor:
- Vendor shall be responsible for establishing and maintaining an information security program that is designed to (i) ensure the security and confidentiality of Customer Data, (ii) protect against any anticipated threats or hazards to the security or integrity of Customer data.
- Customer shall be responsible for maintaining security for its own systems, servers, and communications links as necessary to (a) protect the security and integrity.

Sample contract language (continued)
This is not a substitute for legal advice. Please consult your legal advisor!
- Vendor shall cause a Third Party review of its operations and related internal controls to be conducted annually by its independent auditors. Vendor shall provide to Customer, upon request, one copy of the audit report resulting from such review.
- Vendor shall maintain for its own protection crime insurance coverage for its personnel.

Sample contract language (continued)
This is not a substitute for legal advice. Please consult your legal advisor!
- …during the term of this Agreement and at its expense, acquire and maintain in full force and effect, a fidelity bond that ensures that every officer, director, Subcontractor or employee who is authorized to act on behalf of the vendor for the purpose of receiving, processing and depositing funds pursuant to this Agreement shall be bonded to provide protection against loss. The bond must be signed by an approved surety (or sureties)…

Management oversight
Activity must be monitored regardless of contract language.
- Reconcile remittance reports to bank deposits.
- Monitor reasonableness of remittances received. Are you getting everything you should?
- Monitor banking fees. Are they appropriate?

Solutions
What types of controls are you using to address the risks associated with third party receipting vendors?

Resources
For further guidance, please consult the following resources:
- Local Government Performance Center – Third Party Receipting: ss?mid=6&rid=18501
- GFOA Best Practice: Accepting Payment Cards and Selection of Payment Card Service Providers (GFOA, October 2009): payment-cards-and-selection-payment-card-service-providers

Questions

Contacts
Peg Bodin, Local Info Systems Audit Manager, (360)
Kelly Collins, Director of Local Audit, (360)
Website: