Other News

Important Controls For ACH Payments

Lisa A. Ritter, CPA, CFE, CITP
Automated Clearing House (ACH) electronic payments are bank to bank payments made in batches and processed through the ACH network. They are generally used to pay vendors, make employee direct deposits, or receive money from other businesses. All ACH transactions are overseen by the National Automated Clearing House Association (NACHA).

As with all online payment and money transactions, ACH payments are a target of social engineers.  Social engineers manipulate employees into performing actions or divulging confidential information they should not. This is best countered with documented internal controls and training for employees. Employees should be trained at the time of hire and at least annually.  Internal controls for ACH transactions should include:

  • segregation of duties
  • information security
  • a payee verification process and
  • active monitoring

Segregation of duties for ACH payments includes having one person input the payment and having a separate person verify and approve the payment. Segregation between the accounting and approval functions should also be in place.

Restricted access to banking information is an important security measure. Any ACH related forms should not be publicly accessible, and sensitive material shared over emails should be encrypted.  The ability to edit banking information should be limited and have specific protocols in place.   Electronic payment files should be set to read only.  Dollar limits and ACH blocks on selected accounts are also important controls as well as multi-factor authentication.

Staff should always verify any account information given. This could be a video call if the payee or employee would be recognizable or by phone. Contact information should be on file and confirmed if changed. Active monitoring consists of checking the ACH payment remittance receipt, reviewing bank accounts daily, and reviewing payee lists for approved ACH payments.

ACH transactions are generally a safe and inexpensive way to pay vendor invoices and make direct deposits.  NACHA estimates that fewer than 0.03% of ACH transactions are returned as unauthorized. ACH payments were approximately $29 billion in 2021 according to NACHA.  While these transactions are relatively safe, errors can be made, and appropriate care should be taken.

An ACH payment can be reversed under certain circumstances, but NACHA has strict reversal rules.  Reversals must occur within 5 business days of the transaction, and a reversing file should be submitted to your bank within 24 hours of discovering the error.  Furthermore, only certain situations qualify for approval of the reversal.   Reversals can be approved if the payment was for the wrong amount, made to an incorrect payment recipient, or if a duplicate transaction occurred. Partial amount reversals are not permitted. Not all transactions can be reversed.   For example, if a fraudster impersonates an employee and asks for a change in bank routing number that your company inappropriately approves and processes, you may have difficulty recovering the funds.

You should review your bank’s policies regrading ACH transactions and fees. For example, your bank may not waive insufficient funds charges if an ACH to be reversed resulted in a negative balance.

If you have any questions about appropriate controls for ACH transactions, feel free to reach out to us for additional information.

Auditing Standards Board Update

These New Audit Standards May Require Your Attention







Partner Lisa Ritter has published an article in the Pennsylvania CPA Journal on SAS (Statements on Auditing Standards) Nos. 134 through 140. These standards are:

  • SAS No. 134 – Auditor Reporting
  • SAS No. 135 – Omnibus SAS
  • SAS No. 136 – Employee Benefit Plan ERISA Audits
  • SAS No. 137 – Other Information
  • SAS No. 138 – Amendements to the Description of the Concept of Materality
  • SAS No. 139 – Amendments to Incorporate Changes from SAS 134
  • SAS No. 140 – Amendments to Incorporate Changes from SAS 134 and 137

For more information you can review the article here: https://www.picpa.org/articles/journal-articles/article/a-a-article/2022/03/18/pa-cpa-journal-these-new-audit-standards-may-require-your-attention 

Information Technology

Cybersecurity Training Resources







Research suggests as much as 91% of cyber-attacks are via email directed at employees.  This statistic would suggest that employee training is one of the most effective ways to combat security threats.  Unfortunately, many organizations do not have in-house IT staff or other resources to provide that training.

In some cases, employee training may be available through cyber- security insurance that an organization has already purchased.  For those organizations that find the premiums for cybersecurity insurance are too high, they may find that mandatory security awareness training can reduce premiums along with the use of best practices like multi-factor authentication and data and device encryption.  It might be worthwhile to contact your insurance agent to find out what discounts might be available and to inquire about training.  This is an area that changes quickly so reviewing cybersecurity polices will need to be completed more frequently than traditional types of policies.

Other training options include purchasing solutions from companies such as KnowBe4, NINJIO and Barracuda.  KnowBe4 provides cybersecurity awareness training and simulated phishing attacks. There are also some free tools and resources available on the KnowBe4 website at www.knowbe4.com.  NINJIO provides cybersecurity training and encourages employee competition through quizzes and points awarded.  Barracuda provides an array of services including threat prevention as well as incident response solutions and security awareness training.

The Cybersecurity and Infrastructure Security Agency provides free resources including a ransomware guide with instructions on how to prevent a cyberattack at  CISA MS-ISAC Ransomware Guide. The guide links to a one page document entitled, “ Avoiding Social Engineering and Phishing Attacks”  that is written in plain English and could be provided to employees.  Other resources at this site include a guide on “Using Caution with Email Attachments”, and a Guide on “Good Security Habits”.

The Cyber Readiness Institute offers a free program and starter guide to help small and medium-size organizations prepare for attacks.  The site offers a series of flyers on topics such as “Managing the Relationship with Your Outside Cybersecurity Provider”, and videos on security education and Awareness at  Security Education & Awareness: Preventing Ransomware – Cyber Readiness Institute.

The United States Secret Service publishes several items including a one-page guide to business compromised e-mail accounts and guides on preparing for a cyber incident.   Materials include brochures on email compromise that could be provided to employees at the United States Secret Service.

Given the current risk, cyber security training is extremely important at this time.  Any progress you make in this area will benefit your organization.

Firm News

Passionate About Quality: A Quality Control Update

Lisa A. Ritter, CPA, CFE, CITP








Lisa A. Ritter, CPA, CFE, CITP
Quality Control Partner

Maher Duessel is in the middle of the annual test of our system of quality control.  We are passionate about providing quality services, and we expend significant resources ensuring that quality.  The elements of our quality control system include the following:

  • Leadership responsibilities including tone at the top
  • Compliance with relevant ethical requirements
  • Compliance with polices for acceptance and continuation of client relationships
  • Human Resources policies
  • Engagement performance including compliance with auditing and accounting standards
  • Monitoring of each element of quality control

I would like to thank a very talented team for assisting with the annual process this year including the following who assisted with the inspection:

  • Jennifer L., CruverKibi, CPA, Partner
  • Amy C. Lewis, CPA, Partner
  • Robert A. Belicose, Jr., CPA, Principal
  • Janet L. Feick, CPA, Senior Manager
  • Michelle L. Hoke, CPA, Senior Manager
  • Jonathan C. Mentzer, CPA, Senior Manager
  • Peggy Jo Revay, CPA, Senior Manager
  • Dustin D. Starr, CPA, Senior Manager
  • Natalie Caponi, CPA, Manager
  • James Contrella, CPA, Manager
  • Kristen E. Moss, CPA, Manager
  • Sara Reed, CPA, Manager
  • Allison R. Bozman, CPA, Manager
  • Patrick J. Kline, CPA, Senior Auditor

Michelle Buskey has taken the lead on this project.  Her contributions are invaluable. Partners Elizabeth (‘Betsy’) E. Krisher, CPA, CGFM, and Brian T. McCall, CPA, CGFM also provided significant support to the process, along with administrative support from Kim Phillips, and I am grateful for all of their assistance.

In addition to the annual testing we complete, every three years we engage an independent accounting firm to review the quality of our work.   We will undergo that process approximately one year from now. The results of external reviews are always located on our website here.