
Essential ACH Policies and Controls for Not-for-Profit Organizations

By Karen Dringenburg, CPA, Senior Accountant and Andrew Brock, CPA, Senior Manager at Blue & Co.

Are you a not-for-profit entity considering implementing ACH transactions? Or are you wondering if your current policies and internal controls are sufficient? If so, this guide is for you! Here are key considerations and recommended policies for managing ACH transactions effectively:

  • Establish an Approved Vendor Policy: Create and maintain an approved vendor list that includes verified routing information. Payments should be made only using this verified information, and any changes must be carefully reviewed and authenticated.
  • Review and Approve Transactions: Implement a method for reviewing and approving all ACH and wire transfer transactions. ACH transactions should be scrutinized at least as thoroughly as checks due to their potential risks.
  • Limit Wire Transfers: Adopt a policy to prohibit wire transfers unless absolutely necessary. Wire transfers are costlier and offer same-day guaranteed funds, which makes them more challenging to reverse in cases of fraud.
  • Adhere to Signer Policies: Ensure ACH transactions follow the same approval procedures as check payments, aligning with your existing check signer policy.
  • Consider Positive Pay Services: Positive pay services add another approval step to the process. While banks charge for this service, the added protection often justifies the expense.
  • Segregate Duties: Maintain robust segregation of duties: you do not want someone with sole power to initiate ACH transactions to also have the ability to make entries in the books. The individual initiating ACH transactions also should not perform bank reconciliations.
  • Enable Bank Notifications: Set up bank notifications for ACH payment initiations. Ideally, these notifications should go to someone without authority to initiate payments, providing an additional review layer.
  • Stay Current on Cybersecurity Training: Regularly educate employees on cybersecurity to prevent fraud. For instance, ensure staff recognize phishing attempts, such as fake emails from executives requesting urgent payments.
  • Keep Accurate Records: Retain all documentation related to ACH payments, including invoices and approval records, and ensure they are accessible for review.

We hope these items are helpful in your consideration of ACH transactions. If you have any additional questions, we encourage you to reach out to the not-for-profit team here. If any of these items spark questions surrounding your current information technology (IT) environment, you can also contact us about doing an IT assessment of your organization.
