Electronic transactions

Many agencies use electronic facilities for administrative activities such as payroll processing and banking. Electronic transactions may also be used for purchasing goods and services, and the sale or billing of agency goods or services.

The increased efficiency and accessibility of electronic transactions can facilitate corrupt conduct, with the potential for greater financial loss and disruption to an agency. As agencies adopt this technology, new security measures and checks should be in place to reduce the risk of corruption. This is particularly important when traditional security and verification methods (such as countersignatures and face-to-face identification) are not practical.

The improper use of electronic transactions can constitute corrupt conduct as defined in the Independent Commission Against Corruption Act 1988.


Corruption risks

A risk assessment of electronic transactions may identify some or all of the following corruption risks:

  • An employee gaining access to electronic records without proper authority or approval.
  • An employee making an electronic payment to a non-existent vendor.
  • An employee improperly transferring money from an agency account to an associate or an account under their control.
  • An employee using agency funds to purchase goods or services electronically for private benefit.

 

Managing corruption risks

As a minimum your agency should:

  • Introduce policy and procedures for electronic transactions that contain elements listed in the Policy Development Guide and Checklist (see Tips and tools below).
  • Include in the policy sanctions for any breach of the policy and procedures. 
  • Review the policy every two years.
  • Refer to electronic transactions in relevant corporate documents such as codes of conduct.
  • Train all relevant employees in the policy and procedures to ensure they are aware of their responsibilities.
  • Include electronic transactions as a risk to be assessed in the agency's internal audit and corruption risk management processes.

The following recordkeeping requirements should be included in the policy:

  • Processes for retaining emails of business value.
  • Automatically generating records for all electronic payments.
  • Including details of the officers who authorised and processed any electronic purchases and sales.
  • Recording changes to electronic payment delegations.
  • Conducting audits and reviews of authorities to access, alter or destroy records.

 

Risk management strategies

Following your risk assessment of electronic transactions you should consider these risk management strategies: 

  • Establishing protocols and controls for the secure transmission of credit card numbers or other codes.
  • Ensuring that internet-based payments are made only to secure sites.
  • Using digital signatures to verify the authenticity of electronically transferred information.
  • Establishing internal controls to authorise all payments.
  • Ensuring electronic transactions cannot be authorised and processed by the same person.
  • Periodically testing and checking confirmation procedures and data processing controls.
  • Ensuring the systems can automatically identify large and unusual transactions for review. 
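An added illustration of three of the controls above, not ICAC material: a review routine that flags payments authorised and processed by the same person, payments to a vendor missing from the vendor master, and payments that are large relative to the median. The record layout, the sample data and the five-times-median threshold are assumptions made for this example.

```python
from collections import namedtuple
from statistics import median

Payment = namedtuple("Payment", "txn_id vendor amount authorised_by processed_by")

# Constructed vendor master and payment records (illustrative only).
VENDOR_MASTER = {"V-100", "V-200", "V-300"}
PAYMENTS = [
    Payment("T1", "V-100", 1200.00, "alice", "bob"),
    Payment("T2", "V-200", 950.00, "carol", "carol"),   # same person
    Payment("T3", "V-999", 1100.00, "alice", "bob"),    # unknown vendor
    Payment("T4", "V-300", 48000.00, "dave", "erin"),   # unusually large
    Payment("T5", "V-100", 1300.00, "bob", "alice"),
    Payment("T6", "V-200", 1000.00, "", "frank"),       # no authoriser recorded
]

def review_payments(payments, vendors, large_factor=5.0):
    """Return {txn_id: [reasons]} for payments that need manual review."""
    if not payments:
        return {}
    # The median is used so that one very large payment cannot raise
    # the baseline enough to hide itself.
    typical = median(p.amount for p in payments)
    findings = {}
    for p in payments:
        reasons = []
        # Recordkeeping: both officers must be recorded on every payment.
        if not p.authorised_by or not p.processed_by:
            reasons.append("missing authoriser or processor")
        # Separation of duties: the two roles must be different people.
        elif p.authorised_by == p.processed_by:
            reasons.append("authorised and processed by same person")
        # Non-existent vendor risk: the payee must be in the vendor master.
        if p.vendor not in vendors:
            reasons.append("vendor not in vendor master")
        # Large or unusual amount (the threshold is an assumption).
        if p.amount > large_factor * typical:
            reasons.append("large relative to median payment")
        if reasons:
            findings[p.txn_id] = reasons
    return findings

if __name__ == "__main__":
    for txn_id, reasons in review_payments(PAYMENTS, VENDOR_MASTER).items():
        print(txn_id, "->", "; ".join(reasons))
```

As Case study 2 shows, a check like this only helps if it also covers system administrators and is run by someone other than the people it reviews.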

 

Case studies

 Case study 1: Reclassification of data

In late 2004, a local council reported to the ICAC that a certain type of waste had been inappropriately reclassified in its electronic records. Most of the payments in question related to one contractor. 

The reclassification meant the council was being paid $20 a tonne for this waste instead of $30. The council estimates that, as a consequence, it lost $60,000 to $70,000.
 
A council employee admitted to making the changes in the computer system despite lacking the formal authority to reclassify the waste.

As a result of this incident, the council made important changes to the audit and control of its waste management computer system and dismissed the employee involved.

 Case study 2: Circumventing an electronic system
 

In 2008, the ICAC investigated reports of bribery and fraud at a large public sector agency. The allegations included the abuse of an electronic plant hire system designed to automatically place orders to subcontractors without the agency's employees knowing which subcontractors had received them.

Employees of the agency circumvented this system by assigning work to a contractor of their choosing by phone. They would then use the plant hire system to ensure that the work went to the relevant subcontractors. This allowed them to both direct work to companies they controlled and to receive bribes to allocate work to other subcontractors.
 
One employee who used the system was also a system administrator and consequently not subject to the controls that applied to other employees. She was found to have personally manipulated the system to obtain almost $400,000 in corrupt payments.

The ICAC made corruption prevention recommendations that focussed on fixing technical flaws in the plant hire system, increasing audit and review of the plant hire system and improving the supervision of individuals who use the plant hire system.


Frequently asked questions

Why is it important to consider corruption risks before an electronic system is implemented?

When an agency moves to an electronic system, it often involves marked changes to the underlying process. If the effects of these changes have not been appropriately considered, they may create opportunities for corrupt employees to exploit.

Electronic processes are sometimes less flexible than conventional paper-based ones. Once an electronic process is established, its technical limitations may make it difficult to change the process if a procedural weakness is discovered.

Other than those already listed, what recordkeeping issues arise in an electronic operating environment?  

Two key issues relate to security and automation.

In regard to security, it should be noted that electronic files are only as safe as an organisation's IT systems. For instance, if there is a security weakness in an agency's web server then records may be altered or deleted before they are even filed.

System automation may mean that record generation is no longer an inherent part of a process. For instance, the mere act of filling out a hardcopy form generates a record. However, an electronic record might not be generated because the information on the form was not actually saved but simply used in other process steps.

In general, automated systems should have automated recordkeeping. In the example described above, the saving of the form should be part of the process by which it is generated.

Will a reputable external IT professional be able to address these issues? If so, should I leave these issues to them?

IT consultants can be useful for providing technical advice and challenging agency assumptions.

However, agency employees who manage these systems also need to have a significant understanding of them, to ensure that safeguards are used appropriately.

In addition, a consultant's solutions may leave an agency exposed to corruption risks, because the consultant may not understand the responsibilities of the agency.

Significant liaison during the design phase between the IT professionals using the system and the agency employees managing them is essential. 

Resources



Other publications

  • AS 2805: Electronic Funds Transfer (series 2000-2008), Standards Australia
  • Better Practice Guidelines: Fraud Control Volume 2 – Strategy, The Audit Office of NSW, Sydney, March 1994
  • Guide to better practice: e-ready, e-steady, e-government: e-government readiness assessment guide for government agencies, The Audit Office of NSW, Sydney, 2001.

 
