Platforms, Processes, and Fraud Prevention
by Casey Thompson
Existing systems like a district’s enterprise resource planning (ERP) platform can be crucial in preventing fraud, provided they’re set up to track roles and permissions and document applicable processes.
Roles, tasks, and permissions
Let’s back up a step.
The process of fraud-risk mitigation actually starts by assigning roles and granting the appropriate permissions to people in these roles.
Think of the people in your district’s business office as actors in a play. Each has a part in the overall scenario, each has their lines, and each has their actions.
No one in a play would ever consider speaking someone else’s lines, or walking stage left when someone else is supposed to be walking stage left, and no one takes it upon themselves to say every line or fight both sides of a stage duel.
In your business office, everyone has a role, everyone has things they have to do, and everyone else depends on them performing that role and those actions, and nothing more or less.
Taking this metaphor to its conclusion, the key task for the organization is to write the “screenplay,” to identify roles and outline who does what.
This is done by defining tasks and granting permissions.
Tasks are what you think they are: Actions that people are permitted to carry out in the course of executing business. Tasks should be:
- Narrowly defined;
- Thoroughly described;
- Appropriately assigned; and
- Built with parameters, or “guardrails,” so there’s a balance between flexibility and restraint.
Permissions are also self-evident: They’re the ability to perform tasks within tools, granted by system admins or other authorities.
Districts can significantly reduce fraud risk by appropriately assigning roles and granting permissions. But what can happen to undo all that good work?
- Tasks or permissions are assigned to the wrong people
- Tasks or permissions are not communicated to the right people after they’ve been granted
- Tasks are improperly defined and described, leading to uncertainty and overreach
- Too many permissions are concentrated with one person
- Permissions and associated items (like passwords) are shared indiscriminately
- Tasks and permissions are not updated and documented in a central location that can be accessed only by appropriate individuals
If this sounds like your district, don’t feel bad. A 2013 study found that 44% of employees have access rights that aren’t germane to their current role. It happens.
Also, laxity surrounding tasks and permissions doesn’t constitute fraud, nor does it automatically lead to fraud. It merely creates the conditions under which fraud can take place, especially if you’re not actively reducing the possibility of fraud within your district by leveraging existing processes and systems.
Let’s look at those systems and processes, starting with systems.
Your ERP
Your district’s enterprise resource planning software can be the vehicle for granting permissions, assigning tasks, monitoring task completion and tracking permission use.
A properly functioning ERP can document who has permission to complete tasks, and who is actually completing them. If a task’s permission is held by people who aren’t directly involved with it, either as the person performing it or as its administrator, that’s an opportunity to pare down the number of permissions associated with that task.
Also, if one person has a significant number of permissions, that should be examined as well, paying special attention to their role and the tasks they complete.
Finally, your ERP can show whether people who do not have permission to complete a task are working on these tasks.
Permission issues don’t automatically equal malfeasance. Violators may be new or part of a security group that has been collectively assigned a task, or a task may have been delegated to them on an ad-hoc basis. But it’s something to look at.
To help with that, schedule reminders within your ERP to regularly review user roles, tasks, and permissions, to ensure that “permission creep” doesn’t overspread your district.
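The three ERP checks described above (tasks performed without the matching permission, granted permissions nobody exercises, and permissions concentrated with one person) can be run as a script over an export of the permission matrix and the audit trail. The following is an added example, not code from the article or from any ERP vendor; it assumes the ERP can export both data sets, and the users, tasks and log entries below are constructed for illustration.

```python
"""Permission-use review over a constructed ERP permission matrix and audit log.

Assumption (not from the article): the ERP can export (a) which tasks each
user is permitted to run and (b) an audit trail of who completed which task.
Both are modelled here as plain Python structures with constructed data.
"""

# Constructed permission matrix: user -> set of tasks they are allowed to run.
PERMISSIONS = {
    "alice": {"approve_charge", "process_payment", "edit_vendor", "run_payroll"},
    "bob": {"edit_vendor"},
    "carol": {"process_payment"},
    "dave": {"run_payroll"},
}

# Constructed audit trail: (timestamp, user, task) as an ERP might export it.
AUDIT_LOG = [
    ("2024-03-01T09:05", "alice", "approve_charge"),
    ("2024-03-01T09:40", "carol", "process_payment"),
    ("2024-03-02T11:15", "bob", "edit_vendor"),
    ("2024-03-03T14:30", "dave", "edit_vendor"),   # dave holds no edit_vendor permission
    ("2024-03-04T08:50", "alice", "process_payment"),
]


def unauthorized_activity(permissions, log):
    """Log entries where the user completed a task they hold no permission for.

    These are the cases the article says to look at, not automatic malfeasance:
    the user may be new, in a group assignment, or an ad-hoc delegate.
    """
    return [(ts, user, task) for ts, user, task in log
            if task not in permissions.get(user, set())]


def unused_permissions(permissions, log):
    """Granted (user, task) pairs never exercised in the review window.

    Each is a candidate for removal when paring down a task's permissions.
    """
    exercised = {(user, task) for _, user, task in log}
    return sorted((user, task)
                  for user, tasks in permissions.items()
                  for task in tasks
                  if (user, task) not in exercised)


def concentrated_permissions(permissions, max_tasks=2):
    """Users holding more than max_tasks permissions; review their role and tasks.

    The threshold is an assumption for the example; set it per district.
    """
    return sorted(user for user, tasks in permissions.items() if len(tasks) > max_tasks)


def permission_review(permissions, log, max_tasks=2):
    """Bundle the three checks into one report suitable for a scheduled review."""
    return {
        "unauthorized": unauthorized_activity(permissions, log),
        "unused": unused_permissions(permissions, log),
        "concentrated": concentrated_permissions(permissions, max_tasks),
    }


if __name__ == "__main__":
    for section, rows in permission_review(PERMISSIONS, AUDIT_LOG).items():
        print(section)
        for row in rows:
            print("  ", row)
```

Run on a schedule (the reminder the article recommends), the report gives the reviewer a concrete list to act on: remove unused grants, look into the unauthorized entries, and re-examine the role of anyone on the concentrated list.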
Your Processes
You only get out of an ERP what you put into it, and if what you put in is the byproduct of poorly thought-out processes, your ERP isn’t going to be much help.
Processes need to reflect a “trust but verify” mindset. Trust your employees to do the right thing, but verify that they do.
A good approach to process design in a financial office has been outlined by the accounting firm CliftonLarsonAllen:
- Separate duties for approving charges, maintaining vendor files, and processing payments.
- Break up vital processes and segregate duties; for instance, don’t have the same person handle vendor information changes and vendor payment.
- Require dual, independent verification of changes in important processes.
- Consider implementing data-based procedures to identify outliers or trends indicative of fraud.
- Develop reporting that details changes to vendor information, and have it approved by someone other than the employee responsible for changing vendor information.
- Maintain an accurate vendor master file.
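The CliftonLarsonAllen list above is easiest to enforce when the ERP data is checked mechanically: segregation of duties becomes a list of conflicting task pairs no single user may hold, dual verification becomes a rule that every vendor-file change carries an independent, permitted approver, and the "data-based procedures" item becomes a simple outlier rule over payment history. The following is an added example, not code from the article or from CliftonLarsonAllen; the task names, the conflict pairs, the vendor-change records, the payments and the 3x-median threshold are all constructed assumptions for illustration.

```python
"""Segregation-of-duties, dual-approval and payment-outlier checks.

Assumption (not from the article): the ERP can export each user's task
assignments, a log of vendor master-file changes with who made and who
approved each change, and a payment history. All data below is constructed.
"""
from collections import defaultdict
from statistics import median

# Duty pairs that must not sit with one person (constructed from the guidance above).
CONFLICTING_DUTIES = [
    frozenset({"approve_charge", "process_payment"}),
    frozenset({"edit_vendor", "process_payment"}),
    frozenset({"edit_vendor", "approve_vendor_change"}),
]

# Constructed task assignments: alice holds a conflicting pair.
ASSIGNMENTS = {
    "alice": {"edit_vendor", "process_payment"},
    "bob": {"edit_vendor"},
    "carol": {"approve_vendor_change"},
    "dave": {"approve_charge"},
}

# Constructed vendor change log; each change needs an independent, permitted approver.
VENDOR_CHANGES = [
    {"id": 101, "vendor": "ACME Supply", "field": "bank_account", "changed_by": "bob", "approved_by": "carol"},
    {"id": 102, "vendor": "ACME Supply", "field": "address", "changed_by": "bob", "approved_by": "bob"},
    {"id": 103, "vendor": "Bright Books", "field": "bank_account", "changed_by": "alice", "approved_by": None},
    {"id": 104, "vendor": "Bright Books", "field": "phone", "changed_by": "bob", "approved_by": "dave"},
]

# Constructed payment history: (vendor, amount). One ACME payment is far above the rest.
PAYMENTS = [
    ("ACME Supply", 1200), ("ACME Supply", 1350), ("ACME Supply", 1100),
    ("ACME Supply", 1250), ("ACME Supply", 9800), ("ACME Supply", 1300),
    ("Bright Books", 400), ("Bright Books", 420),
]


def sod_violations(assignments, conflicts=CONFLICTING_DUTIES):
    """Users whose assigned tasks cover both halves of a conflicting duty pair."""
    found = []
    for user, tasks in sorted(assignments.items()):
        for pair in conflicts:
            if pair <= tasks:
                found.append((user, tuple(sorted(pair))))
    return found


def unverified_vendor_changes(changes, assignments):
    """Vendor changes that fail dual, independent verification.

    A change passes only if someone other than the changer, who holds the
    approve_vendor_change task, approved it.
    """
    failures = []
    for change in changes:
        approver = change["approved_by"]
        if approver is None:
            failures.append((change["id"], "no approval"))
        elif approver == change["changed_by"]:
            failures.append((change["id"], "self-approved"))
        elif "approve_vendor_change" not in assignments.get(approver, set()):
            failures.append((change["id"], "approver lacks permission"))
    return failures


def payment_outliers(payments, factor=3.0, min_history=3):
    """Payments above factor x the vendor's median payment; a simple outlier rule.

    The median is used rather than the mean so one large payment does not
    raise the baseline it is being compared against. Thresholds are assumptions.
    """
    by_vendor = defaultdict(list)
    for vendor, amount in payments:
        by_vendor[vendor].append(amount)
    flagged = []
    for vendor, amounts in by_vendor.items():
        if len(amounts) < min_history:
            continue  # too little history to judge this vendor
        baseline = median(amounts)
        flagged.extend((vendor, amount) for amount in amounts if amount > factor * baseline)
    return flagged


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ASSIGNMENTS))
    print("Unverified vendor changes:", unverified_vendor_changes(VENDOR_CHANGES, ASSIGNMENTS))
    print("Payment outliers:", payment_outliers(PAYMENTS))
```

The vendor-change report this produces is the kind the list's fifth item asks for, and because it is generated from the ERP's own log it can be handed to an approver who is not the person maintaining vendor information.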
Districts and edtech software are adept at limiting access to student data. And what applies to student data applies to a district’s financial data housed in its ERP: Only those who absolutely have to see the data to do some phase of their job should have access.
Anything other than this is an invitation to fraud.
Casey Thompson, Web & Digital Media Manager