Question

Betty and Tony are concerned that clients may be potential targets for internal and external fraud based on this media release. As their ERP is more than 10 years old, they feel their internal controls are outdated and do not want you to review their current system of controls. Betty and Tony have requested that you focus your research on current threats to the online dating industry and methods of mitigation of these threats. The current process for new clients and accounts receivable at LFL is as follows:

• When a new client joins LFL they complete an online application entering all personal details and bank account details.
• As part of this application process the customer provides consent to debit the fees from their credit card.
• A range of different services apply, hence differing costs are associated with these packages. The client selects the appropriate services and acknowledges these fees are subject to change.
• Any employee in the new accounts team may create the new customer profile. Once the profile is entered into the system the dating matches are generated. The credit card details are forwarded to the accounts receivable clerk for processing.
• The information for each potential date is sent by email to the new customer to select a possible candidate. The information includes; name, date of birth, job title, hobbies and interests, suburb of residence, client ID, and a photo.
• If the customer wants extra information on their potential dates, they may contact the customer relationship team for this.
• The current process for accounts receivable requires the accounts receivable clerk to upload customers credit card details to the banking application for the monthly processing of client payments. The account receivable clerk will generate invoices and payment confirmations to distribute via email to customers.
• LFL has a number of business bank accounts, hence the ERP system allows the accounts receivable clerk to nominate bank account for receipt of credit card payment.

Using the information provided to you, prepare a business report to Betty and Tony addressing the following:

1. Critical analysis of five (5) possible internal control weaknesses relating to LFL's systems that allow fraud to occur and the impact these weaknesses could have on the organisation. (2.5 marks)
2. Recommendation of specific application controls LFL could implement to minimise the impact of each of the potential weaknesses you have identified above. Note that your client is seeking practical controls they can implement in the coming months, not theoretical controls;

Answer 1

THE 5 POSSIBLE INTERNAL CONTROL WEAKNESSES RELATING TO LFL'S SYSTEMS THAT ALLOW FRAUD TO OCCUR AND THEIR IMPACTS ARE :

1) THE EMPLOYEES IN LFL HAS ACCESS TO ALL THE PERSONAL INFORMATION OF THEIR CLIENTS INCLUDING CLIENT ID AND THEY CAN MISUSE IT FOR THEIR PERSONAL BENEFITS.

2) THE ACCOUNTS RECEIVABLE CLERK HAS ACCESS TO CREDIT CARD DETAILS OF ALL THE CLIENTS AND HE/SHE CAN MISUSE IT FOR PERSONAL BENEFITS.

3) THE INFORMATION SENT BY LFL TO THEIR NEW CUSTOMERS INCLUDE CLIENT ID , DATE OF BIRTH & ADDRESS WHICH IS A MATTER OF CONCERN FOR THE COMPANY.

4) THE ACCOUNTS RECEIVABLE CLERK HAS ACCESS TO BANKING APPLICATION TO UPLOAD THE CREDIT CARD DETAILS FOR MONTHLY PROCESSING OF CLIENTS PAYMENTS AND THERE IS NO CHECK ON HIS WORK BY SOME OTHER EMPLOYEE OF LFL ON HIM.

5) LFL HAS A NUMBER OF BUSINESS BANK ACCOUNTS & THE ACCOUNTS RECEIVABLE CLERK HAS AUTHORITY TO NOMINATE THE BANK ACCOUNT FOR RECEIPT OF CREDIT CARD PAYMENTS. THE POSSIBLE RISK IN THIS PROCESS IS THAT THE CLERK CAN EVEN NOMNATE HIS PERSONAL BANK ACCOUNT DETAILS FOR RECEIPT OF CREDIT CARD PAYMENTS FROM CUSTOMERS

THE PARCTICAL APPLICATION CONTROLS LFL COULD IMPLEMENT TO MINIMISE THE IMPACT OF EACH OF THE POTENTIAL WEAKNESSES ARE:

1) THE EMPLOYEES IN LFL SHOULD NOT HAVE ACCESS TO CLIENT ID. THE CLEIRNT ID MUST BE ENCRYPTED AND MUST NOT BE VISIBLE TO ANY EMPLOYEE OF THE COMPANY.

2) THE ACCOUNTS RECEIVABLE CLERK SHOULD NOT HAVE ACCESS TO CREDIT CARD DETAILS OF CUSTOMERS. THE CREDIT CARD DETAILS ONCE ENTERED BY CUSTOMERS IN THE ONLINE APPLICATION FORM MUST BE ENCRYPTED IN THE LFL COMPUTER SYSTEM AND MUST NOT BE VISIBLE TO ANY EMPLOYEE OF THE COMPANY.

3) THE INFORMATION SENT BY LFL TO THEIR NEW CUSTOMERS MUST NOT INCLUDE CLIENT ID , DATE OF BIRTH & ADDRESS AS THIS INFORMATION IS NOT REQUIRED BY THEIR CLIENTS INSTANTLY AS THEY REVIEW FOR THIER DATES. THIS INFORMATION CAN BE EASILY MISUSED BY ANYONE ONLINE.

4) THE ACCOUNTS RECEIVABLE CLERK'S WORK MUST BE AUTHORISED BY SOME OTHER EMPLOYEE OF LFL SO THAT THERE WILL BE MAKER CHECKER ENVIRONMRNT AND THE CHANCES OF FRAUD SHALL BE LESS.

5) LFL SHOULD HAVE ONLY ONE BUSINESS BANK ACCOUNT INORDER TO RECEIVE CREDIT CARD PAYMENTS FROM THEIR CUSTOMERS SO THAT THERE WILL BE NO ROOM FOR ACCOUNTS RECEIVABLE CLERK TO COMMIT FRAUD AND RECEIVE MONEY INTO HIS PERSONAL BANK ACCOUNT.