GP Easy Security Fixes: Customer Payments

[In this series, we’re looking at quick fixes to improve GP security.]

Full disclosure, controlling customer payments is not the easiest fix, but it’s really important.

While most people involved in accounting understand the basic risks around payables transactions, there is also a long history of fraud around receivables. In many cases, this involves intercepting payments and then manipulating the accounting records to hide the missing payments. Two common manipulations are lapping and write-off/discount adjustments.

Lapping involves intercepting a payment and then applying future payments, or payments from a different customer, to hide the stolen funds. GP provides extremely flexible options for applying, unapplying, and reapplying payments until receivables transactions are sent to history. Even in history, the RM Transaction Unapply tool present in the Professional Services Tools would allow unapplying historical receivables for reapplication.

There are multiple places in GP to control applying receivables, so the easy fix to prevent lapping is to separate the receipt of payments from the entry of payments. A lockbox, including using GP’s lockbox functionality, is a great way to deal with this. If a lockbox isn’t available, one user should receive checks and either make copies for application or log the checks. A different user should apply the payment.

With write-off/discount adjustments, a user again intercepts a payment, but they hide that payment by writing off the related invoice. The customer doesn’t receive any indication that their check wasn’t properly applied. Identical in concept, a discount could be applied to eliminate the balance instead of using a write-off. 

Controlling maximum write-offs in GP is one way to reduce the risk of fraud. The maximum write-off amount is per customer and controlled via options in Customer Maintenance, so limiting access to Customer Maintenance is crucial.

Receivables Setup can require a password to exceed the maximum write-off, but that assumes the user can’t just change the maximum via Customer Maintenance. Also, that password is a shared password stored in plain text in SQL, so it’s not especially secure.

Separating receipt of payments from write-offs and discounts is still the best defense against fraud here. Additionally, regular reviews of write-offs and discounts to supplement other controls are important.
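A sketch of that periodic review, added here as an example and not taken from GP or this series: it checks a period's activity for users who both received checks and posted against receivables, for write-offs above the customer's maximum, and totals write-offs and discounts per user. The rows are constructed sample data and the field names are hypothetical stand-ins for an export of the check log and receivables activity.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data. Field names are hypothetical, not GP columns.
CHECK_LOG = [  # who physically received each check
    {"user": "amy", "customer": "ACME", "check": "CHK1001"},
    {"user": "amy", "customer": "BOLT", "check": "CHK1002"},
]
ACTIVITY = [  # who applied payments or reduced balances in the period
    {"user": "raj", "customer": "ACME", "kind": "apply", "doc": "INV100", "amount": "500.00"},
    {"user": "amy", "customer": "BOLT", "kind": "writeoff", "doc": "INV200", "amount": "750.00"},
    {"user": "raj", "customer": "ACME", "kind": "discount", "doc": "INV101", "amount": "10.00"},
    {"user": "raj", "customer": "BOLT", "kind": "writeoff", "doc": "INV201", "amount": "20.00"},
]
MAX_WRITEOFF = {"ACME": "25.00", "BOLT": "25.00"}  # per-customer maximum


def review(check_log, activity, max_writeoff):
    """Return (duty_conflicts, over_limit, reductions_by_user)."""
    receivers = {row["user"] for row in check_log}
    duty_conflicts, over_limit = [], []
    reductions_by_user = defaultdict(Decimal)
    for row in activity:
        amount = Decimal(row["amount"])
        # Anyone who receives checks should not also apply, write off or discount.
        if row["user"] in receivers:
            duty_conflicts.append((row["user"], row["kind"], row["doc"]))
        if row["kind"] in ("writeoff", "discount"):
            reductions_by_user[row["user"]] += amount
        cap = max_writeoff.get(row["customer"])
        # A write-off above the customer's maximum means the limit was raised
        # or overridden, so it deserves a second look.
        if row["kind"] == "writeoff" and cap is not None and amount > Decimal(cap):
            over_limit.append((row["customer"], row["doc"], amount))
    return duty_conflicts, over_limit, dict(reductions_by_user)


if __name__ == "__main__":
    conflicts, over, totals = review(CHECK_LOG, ACTIVITY, MAX_WRITEOFF)
    for user, kind, doc in conflicts:
        print(f"duty conflict: {user} received checks and posted {kind} on {doc}")
    for customer, doc, amount in over:
        print(f"over maximum: {customer} {doc} write-off {amount}")
    for user, total in sorted(totals.items()):
        print(f"write-offs and discounts by {user}: {total}")
```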

If a user can gain physical access to customer payments, there are many opportunities for fraud. These aren’t just theoretical opportunities either. Accounting literature is full of companies that have been hit by receivables fraud. Don’t let your company be one of them.

You can find all of the fixes in this series at GP Easy Security Fixes.
