- The purpose of this procedure is to provide an overview of the risk of loss through fraud and to highlight the key principles for minimising this threat.
- Fraud can be triggered internally or externally to the organisation. The main defences against internal fraud are robust, documented financial processes, implementation of and compliance with appropriate internal controls, segregation of duties, clarity and transparency of accountability and reporting, and strong governance. These defences have been provided and reinforced by a series of 20 financial procedures that have been implemented over the two years following the formation of the MCF.
- External fraud can be triggered either through a security breach of IT systems or through deception of staff by communications which seek to divert funds to a location from which they are subsequently misappropriated.
- The main types of fraudulent communications are:
- Those which purport to come from senior members of the organisation requiring urgent same day transfer of funds. This “impersonation” fraud has become much more sophisticated in recent years, particularly as fraudsters have become able to hack into e-mail accounts and social media, learning how senior officials behave when communicating with staff. This type of fraud is nearly always, although not exclusively, enacted through e-mailed communications.
- Those which purport to come from suppliers advising changes to their banking details. Again, these have normally arrived by e-mailed communication although fraudsters have recently realised greater success through written communications on company headed notepaper which are sent through the post.
- Those which purport to come from the fraud departments of MCF’s bankers advising of a scam and either requesting sensitive account details (e.g. PIN numbers) or asking for funds to be transferred to a “safe account”. These often come through telephone calls made to staff, often at times chosen to maximise the pressure for making a rash response (usually Friday afternoons).
- Protections against the above risks are laid out in MCF financial procedures 4, 5 and 6. The key principles are as follows:
- No payments are made unless they are supported by the appropriate financial documents (normally supplier invoices), which have been duly authorised in accordance with financial procedure 1 (delegated authorities).
- Any request to change recipient bank details must be independently verified through telephone contact with known officials from the supplier concerned. This process is fully detailed under financial procedure 4 – supplier maintenance.
- The same principles must be applied in respect of written communications received from beneficiaries. The grants team must be alert to this risk and take action to verify the request through phoning the beneficiary or his/her representative.
- Communications purporting to be from anti-fraud departments of MCF’s bankers are, by their nature, particularly invidious. In all cases, these communications must be validated by contacting the MCF’s relationship manager at the bank concerned, who will be able to confirm the veracity of the communication. Under no circumstances would any member of the bank’s staff ever request details of PIN numbers or passwords used to make payments from bank accounts. Staff must also take care to recognise that fraudsters will often hold the line open after the staff member has hung up, which means that any subsequent call to the bona fide bank contact number will be picked up by the fraudster. Any subsequent call made to the bank must therefore be made from a different line.
- IF ANY MEMBER OF STAFF HAS ANY DOUBT ABOUT REQUESTS TO MAKE PAYMENTS OR CHANGE PAYMENT ACCOUNT DETAILS, THEY MUST CONSULT THEIR LINE MANAGER OR A MEMBER OF THE FINANCE DEPARTMENT FOR ADVICE. THE FINANCE DIRECTOR WILL ALWAYS BE AVAILABLE TO PROVIDE GUIDANCE AS REQUIRED.
- Integrity of MCF data, and access thereto, is managed effectively by the UGLE IT department. A summary of the key controls is given in appendix 1 to this document.
- These controls are replicated by IP technologies, which is responsible for the hosting of the SUN accounting software and databases.
Roles and Responsibilities
- The finance director is responsible for implementing policies and procedures which recognise the risk of fraud and identify the means for effective mitigation.
- Departmental managers are responsible for ensuring that any financial transactions that are initiated and/or processed through their departments are subject to the appropriate financial procedures.
- Departmental managers are responsible for ensuring that new and existing members of their teams are aware of, and comply with, the financial procedures that are relevant to their areas of operation. These are summarised in the matrix provided in appendix 2 to this document.
- Departmental managers are responsible for completing new user/leaver forms for access to IT systems.
- The HR department is responsible for ensuring that new staff induction packs include reference to the MCF financial procedures, with a requirement that those identified by the departmental manager as being relevant to the new member of staff are read and complied with by the new starter.
- This procedure will be formally reviewed and reissued within a two-year period.
| Status | Name | Date |
|---|---|---|
| Prepared by: | C J N Angus | 17 Aug 2018 |
| Approved: | SLT | 4 Sept. 2018 |
| Implemented: | C J N Angus | 11 Sept. 2018 |
Appendices
- A. Security measures taken by UGLE
- B. Matrix of financial procedures for staff induction by department
Summary of UGLE IT controls to prevent unauthorised access to IT systems and data, and to mitigate against the impact of any potential breach
- Access to file shares/files/folders is controlled by UGLE, requiring approval from departmental managers.
- User access to systems is controlled by new user/leaver forms and procedures.
- Data and key systems are hosted in a secure server room for which access is controlled and monitored by an access register and CCTV.
- All laptops are encrypted.
- Regular penetration tests (at least annually) are carried out on the Oracle environment. Results are analysed and remedial action taken as appropriate.
- Defence against “zero-day” attacks has been hardened through the roll-out of Palo Alto Traps. These utilise “machine learning” and complement traditional antivirus protection.
- Cutting-edge, enterprise-level perimeter firewall technology is maintained at all times.
- Automated feeds into perimeter firewalls have been provided in order to more effectively identify new external threats to the IT infrastructure.
- Centralised patching of desktop Windows operating systems and major third-party applications is provided.
- External perimeter mail services are continually managed with built-in antivirus and spam prevention.
- Organisational data is backed up hourly and replicated overnight to an off-site datacentre.
- Hourly replication of the SAN storage is made to a secure off-site location during business hours.
- Disaster recovery for the Oracle environment is in place and supported by the database administration supplier (Data Intensity). The system design is based upon a 48-hour recovery time objective (RTO).
Matrix of financial procedures for staff induction by department
| Financial procedure | Masonic Grants | Charity Grants | Finance | Relief Chest | Other Departments | SLT |
|---|---|---|---|---|---|---|
| 1. Delegated Authorities | Yes | Yes | Yes | Yes | Yes | Yes |
| 4. Supplier maintenance | Yes | Yes | Yes | Yes | Yes | Yes |
| 5. Purchase invoice processing | Yes | Yes | Yes | Yes | Yes | Yes |
| 19. This procedure | Yes | Yes | Yes | Yes | Yes | Yes |

Procedures 2 (Budgetary Control), 3 (Grants processing through GAMES), 6 (Payment processing) and 14 (Bank mandates) are each marked as applying to two of the above departments; this copy of the matrix does not preserve which columns carry those marks.