7. Audit Report ACH Payment
7. Audit Report ACH Payment
INTERNAL AUDIT REPORT Operational Audit ACH Payment Fraud January 2021 December 2021 Issue Date: March 30, 2022 Report No. 2022-01 ACH Payment Fraud TABLE OF CONTENTS Executive Summary ............................................................................................................................................... 3 Audit Scope and Methodology ............................................................................................................................. 7 Schedule of Findings and Recommendations ....................................................................................................... 8 Appendix A: Risk Ratings ......................................................................................................................................18 Appendix B: Fraud Examples ................................................................................................................................19 2 ACH Payment Fraud Executive Summary Internal Audit (IA) completed a targeted audit of the processes that contributed to eight payments totaling $572,682.79, being wired into fraudulent bank accounts. The payments were for the Port of Seattle's (Port's) Opportunity Youth Initiative and were intended for the Seattle Parks Foundation (Seattle Parks) and the Urban League of Metropolitan Seattle (Urban League). The purpose of the audit was to identify the control breakdowns that allowed the fraud to occur and to recommend ways to reduce the likelihood of future misappropriations. Using a targeted approach, we evaluated both preventive and detective internal controls, segregation of duties, and change management processes for the period January through December 2021. The criminal aspect of this case was handed off to the Port Police for their continuing investigation. Through a control design failure, over the course of four months, the Port made eight Automated Clearing House (ACH) payments to fraudulent parties. For Seattle Parks, two payments were processed for $135,678.02 and were unrecoverable by the Port's bank, Wells Fargo. A third payment for $48,084.93 was returned by Wells Fargo, as the fraudulent bank account had been closed. For Urban League, five payments were processed for $388,007.38. As of the time of this report, an unknown amount of funds in a fraudulent account, were frozen by Citibank, upon being contacted by Port Police. The funds were targeted for Urban League. Both cases appear to be the result of Business Email Compromise1. A genuine email account, of a staff level employee, at both Seattle Parks and Urban League was compromised. The fraudster, using the compromised email account and copying fraudulent domain names, that appeared to be other Seattle Parks and Urban League employees, requested a change to banking information. For example, a fraudulent email was received on October 4th, 2021. The email appeared to be from a Seattle Parks Foundation employee's email account. The parties involved in the fraud also set up a fraudulent email account for the director at the Seattle Parks Foundation using [email protected]. Seven Port employees failed to identify the fraudulent domain name, that the tone and font in the emails had changed, that the emails used improper grammar, and that the emails were now requesting changes to banking information. Additionally, the first fraudulent payment of $91,593.09, to a PNC Bank account, was returned to the Port with a reason code of: "ACCOUNT FROZEN/RETURNED PER OFAC REQUEST". The Office of Foreign Assets Control ("OFAC") of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. This was a red flag that was not appropriately acted on by Port employees. The fraudster then emailed the Port and said, "the ACH you sent last week have returned due to the account AuditKindly confirm respond and we will send you ACH details to resend the payment." Standard Port Controls were not followed, and employees unknowingly worked with the fraudster, responding several times to [email protected]. Accounting and Financial Reporting (AFR) then proceeded to transfer funds to the fraudster's accounts. This front-end failure underscores the need for certain employees to attend basic cybersecurity training. According to Human Resources' training records, five out of seven Port employees who directly or indirectly received the fraudulent emails, had not attended the Port's required cybersecurity training in 2021. However, the key control failure that allowed this fraud to occur, was a process that put the burden of verifying and approving supplier banking changes, on an Administrative Professional within AFR's Core Services Team, who worked remotely during this time, with inadequate oversight. The Notes section in PeopleSoft Financials system on how the verification was performed, was not completed as intended. Our testing found that 58 employees at the Port had the ability to add or change supplier information, and 1 https://www.interpol.int/en/Crimes/Financial-crime/Business-Email-Compromise-Fraud 3 ACH Payment Fraud supplier contact information was poorly maintained; contact name, phone number, and email address were often missing. Procedurally, all changes had to be verified and approved by the AFR Core Services Team, before becoming live in the PeopleSoft system. Numerous red flags were missed, however, the fundamental flaw that allowed this fraud to occur was the key control failure described above. A more detailed timeline is provided in the Background section of this report. We have categorized our findings into the five issues listed below. Additionally, we have provided recommendations on how to potentially correct these control deficiencies within the body of this report. 1. (High) Internal Controls to validate changes to supplier information, including banking information, were not functioning as intended. Supervisory oversight needed improvement for this critical role. 2. (High) Procedures to confirm the authenticity of supplier requested bank account changes were not placed at the appropriate level. 3. (High) Fifty-eight Port of Seattle employees had the ability to add and modify supplier information, including sensitive banking information, although these changes do not go live in PeopleSoft until the AFR Core Services Team approves them. Adequate controls did not exist to assure that supplier information, including banking and contact information, was entered accurately, consistently, and correctly. Additionally, with the high number of users, the risk of internal fraud increases, because an employee could change bank account data, putting the onus on one individual to approve these changes. 4. (High) Detective controls to identify fraudulent activity and payments did not exist. Instead, the Port was only notified of the fraud by the client, approximately two months after the fact. 5. (Medium) The methodology to assure that vulnerable employees received required training was not functioning effectively. Our review of training records indicated that, of the seven Port employees who either directly or indirectly received the fraudulent emails, only two had completed the Port's mandatory Information Security Awareness training in 2021. Additionally, Port-wide, only 51 percent or 1,036 of the 2,041 employees had completed the annual training. These issues are discussed in more detail beginning on page eight of this report. Glenn Fernandes, CPA Director, Internal Audit Responsible Management Team Rudy Caluza, Director, Accounting and Financial Reporting Dan Thomas, Chief Financial Officer Ron Jimerson, Chief Information Security Officer Pete Ramels, General Counsel / Chief Compliance Officer Katie Gerard, Senior Director, Human Resources Dave Soike, Chief Operating Officer Nora Huey, Director, Central Procurement Office Bookda Gheisar, Senior Director, Equity, Diversity & Inclusion 4 ACH Payment Fraud Background Business Email Compromise (BEC) fraud, is a type of social engineering scam where criminals deceive company employees into transferring money to them. In this particular case, criminals gained access to a staff user account at Seattle Parks and at Urban League through malware or other security vulnerabilities. They then used these exploits to convince Port employees to electronically transfer funds to them. An effective fraud prevention strategy includes a multi-layered approach, where all employees participate. Training programs should be designed to increase employee fraud awareness. Internal reporting structures should be established and understood so that appropriate mitigation steps are taken. However, most importantly, an internal control structure must be in place to reduce the liklihood of fraud, including a detection strategy to quickly identify the fraud if it occurs. The following is a timeline of the Seattle Parks Foundation fraud: Date Event October 4, 2021 A phishing email from a compromised email address at Seattle Parks and a fraudulent domain name using SeattlePraksFoundation, are sent to an employee in the Port's Equity, Diversity & Inclusion Office, offering a five percent (5%) discount if payment is made through ACH that week. The fraudster also requests changes to bank name, and account/routing number. October 5, 2021 The fraudster provides updated bank information via email. (PNC Bank Account ending in 2567). October 7, 2021 After receiving email instructions to change the bank, routing, and account number, the first (ACH) payment is made for $91,593.09. It is returned on October 13, 2021, by PNC bank with the reason code of "ACCOUNT FROZEN/RETURNED PER OFAC REQUEST." October 13, 2021 The fraudster emails the Port and communicates that the ACH payment was "returned due to the account Audit" and requests payment to be sent again to a new account. AFR (Disbursements) communicates that payment will be re-sent the next day. Fraudster provides a different bank name, account number, and routing number (Dollar Bank ending in 0014). October 14, 2021 The first fraudulent ACH payment is re-issued to Dollar Bank for $91,593.09. November 2, 2021 The second fraudulent ACH payment is sent to Dollar Bank for $44,084.93. December 9, 2021 Wells Fargo notifies the Port's Treasury Department that the ACH payment for $48,997.39 was declined because the account had been closed. December 9, 2021 In less than an hour of being notified that the ACH payment had been returned, Port Employees submit a request to change the bank account, back to the original fraudulent PNC Bank Account. December 9, 2021 Michelle Benetua, the Director of Strategic Partnerships and Programs, Seattle Park Foundation, states via email "We've had some fraud issues lately, so just want to clarify where you're sending it." December 10, 2021 Michelle Benetua, via email states "Please wait until Monday before doing anything. PNC is not our bank!!" December 14, 2021 Fraud is reported to Wells Fargo, Port Police, and the Federal Bureau of Investigation, through the Internet Crime Complaint Center. The fraud is also reported to the State Auditor's Office as required by RCW 43.09.185. 5 ACH Payment Fraud The following is a timeline of the Urban League of Metropolitan Seattle fraud: Date Event December 6, 2021 A phishing email from a compromised email address at Urban League and fraudulent domain name using UrbanIeague (L changed to I), is sent to an employee in the Port's Equity, Diversity & Equity Office notifying them that the Key Bank Account was closed and unable to receive payments. The fraudulent domain name was very hard to spot without changing the font. The Port employee unknowingly forwards the phishing email to two other Port employees. The fraudster then expresses a sense of urgency and sends a falsified bank letter (Appendix B) that requests the change in banking information to Citibank. (Citibank Account # ending in 1236) The letter has several indicators of fraud including the wrong spelling of Citibank and grammatical issues. The change is entered into PeopleSoft by Port employees and approved without following Port procedures. December 7, 2021 A Port employee confirms back to the compromised email address, copying the fraudulent domain names, that the banking information has been changed and approved. December 9, 2021 The first payment of $66,234.70 is sent to the fraudulent Citibank account. December 13, 2021 A Port employee sends an email to the compromised email address, copying the fraudulent domain names, and notifies the fraudster that payment has been made. The fraudster asks if payment was made to their Chase Account (The fraudster is referencing the wrong bank; Chase instead of Citibank). The fraudster then thanks the Port employee for updating the banking information and asks her to confirm payment date for the attached invoice. That attached invoice shows Chase Bank, Routing # 271070801, and Account # ending 1236, which are the routing and account numbers for the fraudulent Citibank account. December 14, 2021 A second payment of $14,250 is sent to the fraudulent Citibank account. January 4, 2022 A third payment of $9,850 is sent to the fraudulent Citibank account. January 18, 2022 A fourth payment for three separate invoices for a total of $243,126.16 is sent to the fraudulent Citibank account. January 25, 2022 A fifth payment for four separate invoices for a total of $54,546.52 is sent to the fraudulent Citibank account. January 28, 2022 Mansour Camara, Chief Financial Officer at Urban League emails the Port, inquiring about payments. January 31, 2022 The Port contacts Mansour Camara, who indicates that the Citibank account is fraudulent. 6 ACH Payment Fraud Audit Scope and Methodology We conducted the engagement in accordance with Generally Accepted Government Auditing Standards and the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and conduct an engagement to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our engagement objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our engagement objectives. In some cases, we used a judgmental method to determine the samples selected for our audit test work, in those cases, the results of the work cannot be projected to the population as whole, as we did not select a statistical sample. The period audited was January 2021 through December 2021 and included the following procedures: Evaluation of bank account change management processes and internal controls Reviewed policy and procedural documentation (AC-18 Supplier Management Policy and Procedures as of 2/28/2020) and assessed whether they were clear and generally easy to understand. Interviewed both management and staff to determine whether they were familiar with and understood roles and responsibilities. Inquired with staff and management to obtain their assessment of the breakdowns and their assessment of what could have been done to prevent the fraud. Obtained information security awareness training records for the 12-month period ending December 31, 2021. Separated the records between those individuals who completed and those who did not complete "general phishing" training. Analyzed email data between the fraudsters and Port employees to identify the timing of the fraudulent requests and time frame that Port Policies were not followed. Assessment of segregation of duties Obtained a list of Port employees with the ability to edit/modify supplier data and a list of employees with the ability to approve supplier updates. Interviewed AFR management to obtain an understanding of roles and responsibilities and internal controls. Reviewed CPO documentation regarding supplier set-up procedures. Evaluated department roles, including the appropriateness of approval functions. Validated that quarterly user access controls were performed. Evaluation of fraud preventive and detective controls Fraud Preventive Controls: Evaluated in the above two procedures. Fraud Detective Controls: Researched the best practices of detective controls for electronic supplier payments. Inquired with management and staff, and reviewed relevant documents to determine whether there were a process and controls established for monitoring, reconciling, and detecting unusual/irregular ACH payment activities and/or banking/ACH information changes. Conducted process walkthroughs to identify controls/gaps in the process and evaluate the effectiveness of key controls, if any established. Obtained and analyzed the data of suppliers' banking/ACH information changes requested/made to the PeopleSoft Financials system for the recent 12 months. Reviewed the procedures currently being taken by the AFR/AP managers to re-validate banking information changes made for the recent 16 months with supplier representatives. 7 ACH Payment Fraud Schedule of Findings and Recommendations 1) Rating: High Internal Controls to validate changes to supplier information, including banking information, were not functioning as intended. Supervisory oversight needed improvement for this critical role. Numerous people can make changes to supplier data, including banking information, however, those changes do not go live in the PeopleSoft Financials system until approved by the AFR Core Services Team (aka Vendor Management Team). The Administrative Professional tasked with approving these changes was not performing the appropriate verification of changes as required. When documented processes are not followed or enforced, internal controls typically do not operate as intended and the likelihood of fraud and errors increase. Listed below are essential control requirements that were noted in the AC-18 Supplier Management Policy and Procedures, but were not followed: Requirement(s): "All requested changes will be reviewed and approved by the AFR Vendor Management TeamIf you received the request by mail, fax or text message or email, verify it with a phone call." "To ensure appropriate internal controls, Supplier approvers independently verify adds or updates to specific changes to Supplier data." Status: This was the primary control that failed. If a call had been correctly placed as required, the supplier would have indicated that their bank had not changed. Requirement(s): "Before entering any changes into PeopleSoft Financial system, AP staff must validate any change to payment instructions, banking information, address changes or contact information by contacting the department or buyer that is managing the vendor/invoice or by contacting the vendor directly." Status: Management indicated that this practice was not followed. The policy also includes the following language: "Failure to follow this Policy and Protocols: A staff member who fails to follow the policy and protocols can be held accountable and subject to disciplinary action." While true, management should not abdicate responsibility for this control failure. We would like to emphasize that segregation of duties between those inputting the data and those approving the data is still important and should be maintained. Recommendations: We recommend AFR management develop an oversight function to identify, when critical requirements, such as confirming bank account changes, have not been performed. We also suggest that management update any policies that are no longer followed. To aid in authenticating bank information, AFR management should consider investing in a software service that assists in bank verification by providing account holder name, bank name, account holder tax ID number, etc. This vital information will provide the verifier at the Port, the appropriate tools to authenticate changes and additions to bank account information. 8 ACH Payment Fraud Management Response/Action Plan: Recommendations: We agree. Management oversight has been strengthened to ensure that compliance with existing protocols is well documented for all critical validations such as bank account changes. The documentation is stored centrally and reviewed regularly. Extract reports from the Supplier data files are also generated weekly for manager review, including the comments section that documents the validation steps taken for completeness. DUE DATE: Completed Policy updates will be made including for any new protocols implemented. DUE DATE: In-progress, 5/31/2022 A bank account verification service solution is being reviewed with demos already provided by two potential providers. Such a service would augment, not replace, current validation control protocols in place. DUE DATE: 4/30/2022 (Vendor selection) Audit Observations: We provide the following for accuracy in understanding. The finding states that numerous people can make changes to supplier data, including banking information. To ensure clarity, it is important to note that the referenced fifty-eight employees are not broadly dispersed across the Port. Rather, they are primarily in the central procurement office administering the procurements and having the most reliable direct communication lines with the Supplier for key supplier information. This is explained with completeness in management's response to Finding 3 below. It is correctly indicated that the Accounts Payable staff no longer perform the validation tasks as noted in the finding above. To strengthen internal controls through operational segregation of duties, the validation tasks were reassigned to a separate operation within the Accounting & Financial Reporting (AFR) Department. The change was instituted to separate the operations that administer payments to Suppliers, from the operations that administer the Supplier payment/ACH information. This separate validation function has been performed for the past several years independently in this manner and in accordance with a detailed procedural checklist. The policy will be updated to reflect this change, while also to reflect recent enhancements that have been implemented. 9 ACH Payment Fraud 2) Rating: High Procedures to confirm the authenticity of supplier requested bank account changes were not placed at the appropriate level. A well-designed process places the approval function at a level commensurate with the individual(s) responsibility. The more critical the approval, the more reliance and responsibility the organization gives that individual(s). This is similar in concept to the Port's Delegation of Authority, where Port Commission delegates to the Executive Director, who then redelegates this responsibility to specific positions/employees with the authority to enter contractual obligations within predefined limits. The delegation schedules give increased authority to positions/individuals higher in the company because the company relies on their expertise, background, and decision making to a greater extent. According to the AC-18 Supplier Management Policy and Procedures, "Under no circumstances will AFR staff initiate a vendor/employee payment, refund to a customer, or change to an employee's or vendor's banking or tax withholding information based upon instructions received via an email (internal or external) by phone call, by fax, or by text messages without independently validating the requested change." However, a contributing factor to the fraud was excessive reliance placed on less experienced staff, which allowed them to perform a critical review. The skills required to perform this essential review did not align with the individual's position within the organization. An Administrative Professional had the responsibility to validate and approve supplier requests for all bank accounts changes. This individual approved approximately 82% of changes in the previous year; a Records Management Specialist approved the remaining 18%. Additionally, according to Human Resource records, the Administrative Professional had not attended the Port's required Information Security Awareness training, in both calendar years 2020 and 2021. Recommendations: We recommend assigning the approver validation function to an individual with the appropriate skillset, background, and knowledge. This individual should also receive the appropriate training on a regular basis as a requirement of their job. Management Response/Action Plan: Recommendations: We agree in part. We agree that key to any team or individuals performing work effectively is adherence to clearly established policy and procedures, which does exist at the Port, and having the necessary skill sets along with ongoing training. Administrative Professionals at the Port prove themselves to be a very capable and valuable resource. The refinements pursued should not preclude opportunities for and the ability to leverage the talents of Administrative Professionals, by reference to their position or capabilities in the Port organization. Ongoing training and enhanced oversight, as recommended, would support success in this arena. DUE DATE: Completed Audit Observations: We provide the following for accuracy in understanding. In addition to the Administrative Professional, a Records Management Specialist, both in a separate AFR Core Services operation, perform the Supplier validation and approval responsibilities. 1 0 ACH Payment Fraud 3) Rating: High Fifty-eight Port of Seattle employees had the ability to add and modify supplier information, including sensitive banking information, although these changes do not go live in PeopleSoft until the AFR Core Services Team approves them. Adequate controls did not exist to assure that supplier information, including banking and contact information, was entered accurately, consistently, and correctly. Additionally, with the high number of users, the risk of internal fraud increases, because an employee could change bank account data, putting the onus on one individual to approve these changes. A shared module between Purchasing and Accounts Payable in the PeopleSoft Financials system was used to capture supplier information. The people, companies, and even internal employees from whom a company buys, or contracts goods and services are called "Suppliers." When suppliers are added, basic information is updated into the module including physical address, payment options that establish defaults for payment processing, and remit to and pricing locations. The Port has established segregation of duties, which are an important control. However, both the individual inputting the data and the individual approving the data, need to do their respective jobs correctly. A critical piece of information is contact phone number, which is essential, so sensitive information, such as a change to banking account data, can be verified; however, this was not a required field in PeopleSoft. Per the AC-18 Supplier Management Policy and Procedures, if a supplier requests a change using email, staff validates the authenticity of the request via a phone call, using the contact information in the supplier module. Conversely, if the request is made via phone call, it is validated through email. We obtained contact data for suppliers who had changes to banking data, for the period January 1, 2021, through January 24, 2022, and noted that a Port Administrative Professional had approved 216 and a Record Management Specialist had approved 47 of the 263 total changes. However, most of these changes did not have phone numbers entered and only a few had email addresses entered. A lack of information makes validating the authenticity of the request more difficult. A supervisory review, to validate that the information was complete and accurate, did not appear to be occurring. Recommendations: We recommend reducing the number of individuals, who have system access to request additions or modifications to supplier information. We also recommend structuring the supplier module of the PeopleSoft system, so that certain fields are required to be entered (supplier phone number/ email address), either via system controls, if possible, or else via policy. Management Response/Action Plan: Recommendations: We agree. A controls centric LEAN process improvement project was immediately initiated. This involved the Central Procurement Office and Accounting & Financial Reporting Department, facilitated by the Office of Strategic Initiatives (OSI) certified LEAN specialists. The team identified and is continuing to implement several enhancements, two of which parallel the recommendations. Changes have been instituted to the ACH bank account request initiation and verification process. It refines this function to a small, centralized team of about 4 or 5 charged with this responsibility. The team includes the manager and lead of the AFR accounts payable operations who make direct contact with the Supplier and then enter and initiate the requests. The requests continue to be administered by the manager and team of the AFR core services operations to independently validate and approve or deny requested additions and changes. The work is performed in conformance with established protocol, is monitored, and will be augmented with ongoing training. 1 1 ACH Payment Fraud DUE DATE: Completed Changes have been implemented to make the collection of key Supplier information a requirement and at an early point during the procurement process. The objective is that any requests to setup or change Supplier information cannot be initiated unless the required information is obtained and entered to initiate the request process. The substance of this control was implemented earlier on first through procedural controls where requests not containing the required data is denied and returned to the requester. A PeopleSoft Financials system modification that automates the inability to submit and initiate requests if the required Supplier information is not entered in the data fields online, has since been programmed. Testing was completed and this system-driven control has been timely implemented. This action strengthens controls to assure completeness in the Supplier data files for key information. DUE DATE: Completed Audit Observations: We provide the following for accuracy in understanding. It is important to note that the referenced fifty-eight employees are not broadly dispersed across the Port. Moreover, they do not have the ability to add or modify any Supplier data in the system, but to only enter information to initiate requests to do so, which are then independently vetted for propriety and approved or denied accordingly. These employees are predominantly in the Central Procurement Office (CPO) and, hence, are knowledgeable and in the best position to leverage the Port's established communication lines directly with Suppliers to obtain key information through their procurement and contracting relationships. The other few are in the Accounting & Financial Reporting (AFR) Department necessary to administer the data. Nevertheless, as detailed above in alignment with the recommendations, changes have been instituted to the ACH bank account request initiation and verification process by refining this function to a small, centralized team charged with this responsibility. ACH banking information is also no longer viewable by anyone other than a member of this limited team. The Port of Seattle has internal controls in place that are generally strong and have proven to be effective over the past many years. System controls in place include: (1) Suppliers can be paid only if approved to be setup and active in the system through a formal validation process; (2) A Supplier is automatically rendered unapproved and cannot be transacted against when Supplier information is entered and requested to be changed until approved through formal validation; (3) Separate system access privileges exist between the ability to "request" versus the responsibility to "approve or deny" requests, and no one individual can be assigned both roles for internal controls purposes; and (4) On a monthly basis, Suppliers with no payment activity in the previous 12 months are set to "Inactive" status, which disables the ability to make payments to them until approved again through a direct phone contact with the Supplier for revalidation of ACH information. As for process controls: (1) A formal policy is in place delineating clear expectations and control protocols to be followed; (2) Detailed guidance is in place that provides a step-by-step checklist to guide compliance with policy including directly calling Suppliers to verify ACH banking additions and changes; (3) Clear segregation of duties is in place where requesters have no edit privileges to unilaterally add or change bank account data; (4) Standard PeopleSoft system protocol is followed to enter to initiate requests for Supplier information changes, similar to other system facilitated requests such as purchase requisitions which are approved by a central procurement team; (5) Change requests are vetted independently for propriety and only if approved, they become effective; (6) The team vetting requests has no ability to enter, update or change Supplier data information, only to approve or deny. Additionally, immediate and strengthened engagement with the Information Security Department has been 1 2 ACH Payment Fraud implemented. This includes a protocol that in the event of any suspicion on the credibility of email communication involving a financial transaction, the Information Security Department is immediately alerted to further investigate the situation. This will assure the ability to quickly identify and stop suspicious communications to mitigate exposing funds to any risk. Information Security will also assist the Information Communications & Technology Department (ICT) integrate an advanced technology to incorporate a more secure and confidential messaging protocol once this decision is finalized. Moreover, internal controls can be expected to provide reasonable, and not absolute, assurance to mitigate risk exposures. The human element is a factor and can become a point of failure in any well-designed internal control environment. When the procedural compliance failure was identified involving the payment fraud, immediate stop-gap exposure mitigation measures were instituted. All ACH payments were immediately halted, and revalidations of banking information were instituted. All ACH payments are required to be compared to a complete listing of all Suppliers that had banking information additions or changes between September 2020 to-date January 2022. For any pending ACH payments that match, the Suppliers are directly called by phone to again affirm the validity of the banking information change. Also, all banking information additions and changes require two separate calls by different operations. This provides assurance that the human element does not present a single point of failure. Through this immediate risk mitigation protocol, no further exposures have been identified to-date. It is also important to note that the Port is proactive and has in place an insurance policy that will cover such losses involving criminal activity after a $25k deductible for each of the two situations. A claim has been filed. 1 3 ACH Payment Fraud 4) Rating: High Detective controls to identify fraudulent activity and payments did not exist. Instead, the Port was only notified of the fraud by the client, approximately two months after the fact. Ideally, processes are well established to prevent fraud from occurring, however, such preventative controls may not completely reduce the risk of misappropriation or errors. Therefore, detective countermeasures can also help identify when fraud has occurred, disrupt additional fraud, and reduce the consequences. Detective countermeasures are not as cost effective as prevention countermeasures. However, if detected early, the impact of fraud can be significantly reduced. We identified some existing detective controls within the ACH payment process, including the Senior Disbursements Manager's daily review of the Accounts Payable journal against payments, the monthly bank reconciliation that agrees payment details, and the review of the Wells Fargo report that identifies remittance irregularities, such as the supplier's bank account cancellation. However, these controls do not necessarily detect fraud. If fraud detection controls had existed, management could have identified the breakdown earlier. Instead, both fraud instances were only identified when the suppliers alerted the Port, about 60 days after the initial ACH payments to the fraudsters. See below: Seattle Parks Foundation October 7, 2021: The first fraudulent ACH payment is sent to the fraudulent PNC bank account. December 10, 2021: Seattle Parks Foundation sends the following email, "Please wait until Monday before doing anything. PNC is not our bank!!" ~ Michelle Benetua, Director of Strategic Partnerships and Programs, Seattle Parks Foundation. Urban League December 9, 2021: The first fraudulent ACH payment is sent to the fraudulent Citibank account. January 31, 2022: Urban League notifies the Port that Citibank was not their bank and that Urban League had recently had a similar issue (someone impersonating an Urban League employee via email). If this communication had not occurred, the fraud would likely have continued. Recommendations: We recommend implementing general detective controls based on best practices, to detect abnormalities with banking/ACH information changes. These might include: 1. Sending a confirmation notification of any changes to the supplier. This would include banking changes and address changes; if an address changes, it should go to both the old and new addresses. 2. Implementing a management review/sign-off of paperwork/validations for all banking/ACH information changes, utilizing a system generated exception report, to determine if they have met expectations. 3. Monitoring daily ACH payment activity details for abnormalities and timely corrective action, using a fraud focus. 1 4 ACH Payment Fraud Management Response/Action Plan: Recommendations: We agree, with clarification as provided below. Although a primary focus continues to be enhancements to strengthen preventative controls, we acknowledge benefits to implementing effective detective controls as well. We look forward to working with Internal Audit to explore any such measures that would offer a reliable protocol to detect fraud. We explored sending a system generated notification triggered by any changes made to the Supplier company. While this is possible to do, this potential detective control relies on Suppliers to be diligent to read their email and, most importantly, reply back to the Port. Bank account pre-noting which auto-generates and sends an email notification to Suppliers is also dependent on replies back to serve as effective detective controls. DUE DATE: Under review, 4/30/2022 (Decision) An exception report has been implemented to enhance visibility and management oversight. A central SharePoint library is used to store the documented efforts involving the administration and independent validation of requested additions or changes to Supplier banking information. DUE DATE: Completed Daily review of bank statement activity, investigating and resolving ACH returns, and pre-review of ACH payments pending release will continue, to assure timely attention for corrective action along with an enhanced fraud focus. DUE DATE: Completed 1 5 ACH Payment Fraud 5) Rating: Medium The methodology to assure that vulnerable employees received required training was not functioning effectively. Our review of training records indicated that, of the seven Port employees who either directly or indirectly received the fraudulent emails, only two had completed the Port's mandatory Information Security Awareness training in 2021. Additionally, Port-wide, only 51 percent or 1,036 of the 2,041 employees had completed the annual training. Training is one element an organization can implement to raise awareness of fraud and the various ways fraud schemes occur. In 2021, the Port required all employees to complete security awareness training. Every employee initially received the training upon hire, thereafter employees were required to complete an annual refresher training. We requested a report from Human Resources (HR) of the Port employees who completed the security awareness training (ICT Information Security Awareness Learning Needs) in 2021 and determined that 1,036 employees completed the training. Another HR report listed 2,041 active employees as of 12/31/2021. Therefore, slightly more than half the Port employees received the training in 2021. Below are the descriptions of some of the topics covered: General Phishing: Explains the differences between spam, phishing, and spear phishing; what you can do to minimize the risk of a phishing attack; and how to identify indicators of a phishing email. Spear Phishing: Covers why spear phishing poses a threat to the Port, the three types of spear phishing emails, and the indicators of a spear phishing email. Business Email Compromise (BEC) Scams: BEC Scams covers topics on identifying BEC scams, differentiating between the three main types of BEC scams, and reporting a suspected attack. Insider Threats: Covers topics on the danger insider threats pose, the three types of insider threats, and what to do if you observe suspicious activity. The first set of emails received from the fraudster contained poor grammar, possessed a sense of urgency (offered a five percent discount if paid that week), included two unexpected requests to change bank account detail, was received from a slightly modified email than usual (font changed) and copied a coworker where the email address was misspelled ([email protected] this was actually a domain created by the fraudster to imitate the real email address). These are all elements of a phishing email and may have been identified by Port staff if training had been completed. The second set of emails exhibited similar characteristics as the first but were harder to spot because of the upper case "I" used in "UrbanIeague.com", but also included a poorly written bank letter (See Appendix B), a sense of urgency, and grammar errors. Recommendations: We recommend that all Port employees (and contractors) that are involved in the process of creating, modifying, or requesting changes to supplier banking information, receive additional focused training on cybersecurity and the risks related to Business Email Compromise scams twice per year. If training is not taken, we recommend that user access be disabled until completed. We also recommend that all employees (and contractors) that use a Port computer or have a Port email account, be required to complete the existing Security Awareness Training and we recommend developing a system to assure individuals complete such training by the due date. Management Response/Action Plan: Recommendations: We agree. After technical issues with the updated Learning Management System (LMS) tool at the Port of Seattle are resolved through the Human Resources (HR) Department, we expect to see a more accurate listing of individuals who have received annual awareness refresher training. In addition, the Port has recently 1 6 ACH Payment Fraud invested in a more robust cyber awareness training solution through the Information Security Department aimed at user behavior patterns which concentrates training in the areas most needed. The Information Security Department is also currently developing an internal process to monitor and track awareness training based on data from the new training platform. DUE DATE: In-progress, 6/30/2022 Since this incident, Information Security has conducted advanced training for all teams in the Accounting & Financial Reporting (AFR) Department at their request, which was focused on Business Email Compromises. Similar training is scheduled for all teams in the Central Procurement Office (CPO) including CPO-Purchasing, CPO-Construction, and CPO-Service Agreements. DUE DATE: Completed & Ongoing training throughout the year Information Security will continue to offer its monthly cyber awareness seminars, routine messaging, and special learning events to ensure a Port-wide content awareness campaign. This is in addition to the department's Port intra-net site hosted resources aimed at broadly educating Port staff. Information Security will continue to conduct Phishing exercises, including one recently conducted among 2,244 Port email recipients which has broadened awareness throughout the organization. DUE DATE: Completed & Ongoing training throughout the year 1 7 ACH Payment Fraud Appendix A: Risk Ratings Findings identified during the audit are assigned a risk rating, as outlined in the table below. Only one of the criteria needs to be met for a finding to be rated High, Medium, or Low. Findings rated Low will be evaluated and may or may not be reflected in the final report. Financial Internal Commission/ Rating Compliance Public Stewardship Controls Management High probability Missing or not Non-compliance for external audit Requires with Laws, Port High Significant followed issues and / or immediate Policies, negative public attention Contracts perception Partial controls Partial Potential for compliance with external audit Requires Medium Moderate Laws, Port issues and / or attention Not functioning Policies negative public effectively Contracts perception Functioning as Low probability intended but Mostly complies Does not for external audit could be with Laws, Port require Low Minimal issues and/or enhanced to Policies, immediate negative public improve Contracts attention perception efficiency 1 8 ACH Payment Fraud Appendix B: Fraud Examples Email using "[email protected]" Fraudulent bank letter: 1 9
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.