
Washington State Auditor’s Office Third Party Receipting Presented to Washington Public Ports Association June 2016 Peg Bodin, CISA.


1 Washington State Auditor’s Office Third Party Receipting Presented to Washington Public Ports Association June 2016 Peg Bodin, CISA

2 Overview
This session will cover use of third party vendors, including:
- Risks
- Requirements
- Solutions

3 Receipting
Cashiers: Employee; Counter; Cash, check; Receipt report
Third party vendor: Non-employee; Website, P.O. Box, drop box; Check, credit card; Remittance report

4 Government – vendor relationship
For third party receipting status, the relationship with the vendor involves more than simply receiving the payment.

5 Risks
[Diagram labels: Customer; Receipting interface; Credit card system; Vendor’s bank account; Public depository]

6 Risks: Evaluate the legal agreement

7 Risk summary
The risks involved in third party receipting include:
- Multiple vendors, multiple solutions (even with the same vendor), each with its own risks
- Legal Agreements (standard or customized)
- PCI non-compliance fees
- Data breach
- Theft / loss of funds
- Redirecting funds to other bank accounts
- Bank or vendor default
- Cyber theft

8 Small group discussion questions
1. Where do you accept payments through a third party vendor?
2. What risks are you concerned about in your environment?

9 Requirements
Third party receipting involves two primary requirements:
1. Timely and intact deposit in a PDPC approved public depository
2. Contractual compliance

10 Timely deposit
Deposits that go through a vendor’s bank must meet timeliness requirements.
- Best practice: Direct remittance from the credit card system to the local government’s PDPC approved depository
- OK practice: Remittance from vendor’s bank account to local government’s PDPC approved depository within one day, or five days if the treasurer authorizes an exception
- Service and receipting provider exception: Up to a month

11 Service and receipting providers
- Service is primary purpose
- Digital Signatures
- Collection Agencies
- Food Service Permit Testing
- Also performs receipting

12 Merchant services agreement
[Diagram labels: Local government; Customer; Vendor; Receipting interface; Credit card system; Public depository; Vendor agreement; Merchant services agreement]

13 Payment facilitator
[Diagram labels: Local government; Customer; Vendor; Receipting interface; Payment facilitator; Credit card system; Payment facilitator's bank; Public depository; Vendor agreement; Payment facilitator agreement]

14 Vendor
[Diagram labels: Local government; Customer; Vendor; Receipting interface; Credit card system; Vendor’s bank account; Public depository; Vendor agreement]

15 Intact deposits
Reserves, in most cases, are not allowable.
- Withholding
- Unauthorized accounts

16 Reserves and withholding contract language
Selected sections from the standard PayPal agreement:

17 Payment card industry standards

18 Group discussion questions
The nature of your third party vendor agreements contributes significantly to your risks.
1. Does your local government have any vendor agreements where the funds are deposited in a third party vendor’s bank account?
2. Does your local government complete a PCI SAQ (PCI Self Assessment Questionnaire)?

19 Solutions
Ways of addressing the risks with third party vendors include:
- Contractual language
- PCI compliance verification
- External reviews
- Insurance, bonds
- Oversight and monitoring

20 Controls
[Diagram labels: Customer; Receipting interface; Credit card system; Vendor’s bank account; Public depository]
[Control labels: PCI security compliance; PCI self assessment questionnaire; Independent third party review; Cyber security insurance; Contractual language; Insurance, bonds; Independent third party review; Remittance review]

21 Contracts
Contracts have three areas of inconsistency or concern:
1. Remittance of proceeds
2. Payment card industry (PCI) compliance
3. Reserves

22 Sample contract language
This is not a substitute for legal advice. Please consult your legal advisor!
Here are a couple of examples of language that could be used in a contract with a vendor:
- Vendor shall be responsible for establishing and maintaining an information security program that is designed to (i) ensure the security and confidentiality of Customer Data, (ii) protect against any anticipated threats or hazards to the security or integrity of Customer data.
- Customer shall be responsible for maintaining security for its own systems, servers, and communications links as necessary to (a) protect the security and integrity.

23 Sample contract language (continued)
This is not a substitute for legal advice. Please consult your legal advisor!
- Vendor shall cause a Third Party review of its operations and related internal controls to be conducted annually by its independent auditors. Vendor shall provide to Customer, upon request, one copy of the audit report resulting from such review.
- Vendor shall maintain for its own protection crime insurance coverage for its personnel.

24 Sample contract language (continued)
This is not a substitute for legal advice. Please consult your legal advisor!
- …during the term of this Agreement and at its expense, acquire and maintain in full force and effect, a fidelity bond that ensures that every officer, director, Subcontractor or employee who is authorized to act on behalf of the vendor for the purpose of receiving, processing and depositing funds pursuant to this Agreement shall be bonded to provide protection against loss. The bond must be signed by an approved surety (or sureties)…

25 Management oversight
- Reconcile remittance reports to bank deposits.
- Monitor reasonableness of remittances received. Are you getting everything you should?
- Monitor banking fees. Are they appropriate?
Activity must be monitored regardless of contract language.

26 Solutions
What types of controls are you using to address the risks associated with third party receipting vendors?

27 Resources
For further guidance, please consult the following resources:
- Local Government Performance Center – Third Party Receipting: http://portal.sao.wa.gov/PerformanceCenter/#/address?mid=6&rid=18501
- GFOA Best Practice: Accepting Payment Cards and Selection of Payment Card Service Providers (GFOA, October 2009): http://www.gfoa.org/accepting-payment-cards-and-selection-payment-card-service-providers

28 Questions

29 Contacts
Peg Bodin, Local Info Systems Audit Manager, (360) 464-0113, Peggy.Bodin@sao.wa.gov
Kelly Collins, Director of Local Audit, (360) 902-0091, Kelly.Collins@sao.wa.gov
Website: www.sao.wa.gov

