[In this series, we’re looking at quick fixes to improve GP security.]
When we look at controls, every company, even the smallest companies, even organizations that don’t really know what controls are, uses the most ubiquitous of controls, bank reconciliation. It’s one of the few regular, independent checks of what goes on in a company. I’ve seen senior accountants get fired for poor bank reconciliation management and I’ve seen awful bank reconciliations as a symptom of deeper problems in a company that ultimately failed spectacularly.
As a result, it makes sense to ensure that users who perform bank reconciliations are independent from transactions. A review of bank reconciliations isn’t enough. It’s easy to hide transactions from a review.
Bank reconciliation really needs to be performed by someone with an independent attitude not tied to transactions. Ideally, it should be performed daily to provide the greatest benefit, but even the traditional monthly reconciliation provides an effective control if done right. Finding the right position to reconcile bank accounts can be tough for organizations. Often the person best positioned to perform the reconciliation is also the person in the best position to manipulate the results.
In Dynamics GP, the window is Reconcile Bank Statements and it is the only item included in the task TRX_FIN_008*. By default this does NOT include posting, but would allow a user to make adjusting entries, just not post them. Adjusting entries in GP bank rec are designed for things like bank fees or interest, items that are typically first reported on the bank statement, but they can be used for almost anything. Bank rec users should not have access to other types of bank transactions. Additionally, a policy of forcing adjustments to be made outside of bank reconciliation provides another measure of safety.
The real keys are, first, to ensure that this task is not combined into other roles that allow transactions against bank accounts and, second, to ensure that when a user is assigned a role with bank rec included, they are not also assigned transactional roles.
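Both checks can be run over an export of role-to-task and user-to-role assignments. The sketch below is an added example, not code from Dynamics GP or from this series; the mappings are constructed sample data, and every role and task ID other than TRX_FIN_008* is a hypothetical placeholder to replace with the IDs that allow bank transactions in your system.

```python
from collections import defaultdict

BANK_REC_TASK = "TRX_FIN_008*"  # the bank rec task named in this post
# Hypothetical placeholders: substitute the task IDs that allow bank transactions.
BANK_TRX_TASKS = {"EXAMPLE_BANK_TRX_TASK", "EXAMPLE_BANK_DEPOSIT_TASK"}

# Constructed sample data standing in for an export of security assignments.
ROLE_TASKS = {
    "EXAMPLE_BANK_REC": {BANK_REC_TASK},
    "EXAMPLE_CASHIER": {"EXAMPLE_BANK_TRX_TASK", "EXAMPLE_BANK_DEPOSIT_TASK"},
    "EXAMPLE_ACCOUNTANT": {BANK_REC_TASK, "EXAMPLE_BANK_TRX_TASK"},
}
USER_ROLES = [
    ("alice", "EXAMPLE_BANK_REC"),
    ("bob", "EXAMPLE_CASHIER"),
    ("carol", "EXAMPLE_BANK_REC"),
    ("carol", "EXAMPLE_CASHIER"),
    ("dave", "EXAMPLE_ACCOUNTANT"),
]

def conflicted_roles(role_tasks):
    """First key: roles that bundle bank rec with a bank transaction task."""
    return sorted(role for role, tasks in role_tasks.items()
                  if BANK_REC_TASK in tasks and tasks & BANK_TRX_TASKS)

def conflicted_users(user_roles, role_tasks):
    """Second key: users whose combined roles grant bank rec and transactions."""
    granted = defaultdict(lambda: defaultdict(set))  # user -> task -> granting roles
    for user, role in user_roles:
        for task in role_tasks.get(role, ()):
            granted[user][task].add(role)
    findings = {}
    for user, tasks in granted.items():
        trx = BANK_TRX_TASKS.intersection(tasks)
        if BANK_REC_TASK in tasks and trx:
            findings[user] = {
                "bank_rec_via": sorted(tasks[BANK_REC_TASK]),
                "transactions_via": sorted({r for t in trx for r in tasks[t]}),
            }
    return findings

if __name__ == "__main__":
    print("Roles mixing bank rec with transactions:", conflicted_roles(ROLE_TASKS))
    for user, detail in sorted(conflicted_users(USER_ROLES, ROLE_TASKS).items()):
        print(user, detail)
```

Reporting which roles grant each side of the conflict shows whether the fix is to split a role or to change a user's assignments.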
Bank reconciliation is a core control. Ideally, it’s performed daily, to be as timely as possible, and by someone not involved in transactions for some level of independence.
You can find all of the fixes in this series at GP Easy Security Fixes.