Vast volumes of money pass through public administration in South Australia on a daily basis. Thousands of small and large purchases are approved, invoices dispatched, payments processed, goods and services received.
The use of electronic invoicing and accounts payable systems has transformed the speed and efficiency of this voluminous and constant activity, an activity that is widely recognised as being highly vulnerable to misuse and corruption.
About a decade ago South Australian government agencies began using an e-invoicing system called Basware which is now used to electronically process more than two million invoices annually. South Australian councils are also using various electronic invoicing systems to process a large volume of transactions.
Systems like Basware undoubtedly improve organisational efficiency by simplifying and streamlining electronic payments and invoice processing - but how do they affect the risks and vulnerabilities inherent in the exchange of money for goods and services?
Despite claims to the contrary, it would be foolhardy to trust that such systems will help eliminate corruption or dishonest accounting. E-invoicing does not so much eliminate the risks and vulnerabilities, as change the way financial and accounting systems can be manipulated. In some respects they may make it easier to engage in corruption. Information security expert David Porter has said:
Technology has also become a double-edged sword. Its speed, power, pervasiveness, mobility and anonymity offer attractive opportunities to individuals intent on committing fraud, money laundering and other forms of financial crime.1
Basware itself irreverently acknowledged this in a 2016 marketing campaign which involved sending its customers fake invoices on April Fools’ Day. The company used the campaign to raise awareness about corruption and error in electronic purchase-to-pay (P2P) systems, and to demonstrate how easy it can be to scam accounts payable departments, especially for employees in positions of trust.2 The campaign was accompanied by a white paper entitled Fraud Prevention: Avoiding the F-Word in P2P, with numerous suggestions on how to avoid fraud risks.
Basware’s need to warn customers about the possible fraudulent use of its products demonstrates that these systems were not principally designed for fraud protection. Prevention and detection of corruption is an organisation’s own responsibility. Agencies cannot rely on their electronic systems to obstruct corrupt conduct.
The Independent Commissioner Against Corruption has been made aware of instances in which the electronic financial systems of government agencies have been gamed by corrupt individuals. Electronic payment systems come with their own risks and weaknesses, and so organisations should stringently manage user access. All organisations must balance security and usability.
The ICAC is not alone amongst statutory authorities concerned by the increasing risks associated with electronic payment systems. The Auditor General’s 2016-17 annual report also recommends caution with e-systems:
As systems are used more, and new systems replace existing manual processes, controlling access to them and ensuring that the access granted matches the user’s role becomes increasingly important.
Agencies need to have a controlled process in place to grant access to their systems. This should include formal approval for access and consider the level of access that users need to perform their roles. User access should be sufficient for employees to perform their roles efficiently. It should, however, also ensure appropriate controls remain over financial transactions and access to information.
Segregation between roles should be built into user access, ensuring individual users do not have excessive access. To do this, agencies need to understand the roles of the users and the structure of the user profiles for their systems, so that they can match what access someone needs with the right user access profile in the system.3
Electronic invoicing and finance systems considerably improve the speed and efficiency of business. However, many systems have few inbuilt internal controls, so relying too heavily on system controls and procedures leaves agencies at risk of corruption.
Ultimately digital systems still rely on people, policies and trust, and people are consistently referred to as electronic security’s weakest link.4 Public authorities should beware of becoming complacent with their technological systems and factor in how people interact with such systems to mitigate the risk of their misuse.
This article was published in Issue #2 - May 2019 of ICAC's Integrity Matters newsletter.