Hiring the Right Auditor to Perform Your Third-Party Sender ACH Audit
When you think about your health, having the right professional on tap plays a critical role. For example, you wouldn’t consider going to a dermatologist for a heart condition because while both are medical professionals, the best advice and results will come from a professional having a specific focus, credentials, and experience. The same is true when you’re considering the health of your payments process and selecting an Automated Clearing House (ACH) auditor.
Not all third-party senders are the same, and neither is their ACH compliance audit.
An ACH audit serves as a check-up on your compliance with the Nacha Operating Rules, the rules that govern all ACH payments. Nacha, the governing body that oversees the ACH Network, develops these rules with network participants (i.e., sending and receiving banks). While the rules set the stage for how you make payments, they can be complex, and an ACH audit allows you to address areas that may need additional support to help your business function more efficiently and with less risk.
While for many, the word audit brings to mind an exhausting and technical process, those who have been through an ACH audit with OAS know that it can be painless. In fact, an audit should be a positive experience where you learn more about your business, what you do well, and what you can improve upon.
So, how do you achieve that nirvana of a painless ACH audit? In short, it’s about hiring the right auditor. But how do you know who fits your needs? What are the qualities and qualifications you should be looking for?
At the highest level, your auditor must be analytical, detailed, a critical thinker, independent, and objective, and must leverage both soft and technical skills. In addition, you want to find someone who understands your vision, has strong insights, makes definitive decisions, and can communicate all of this to you in an accessible way. But these are the qualities of many consultants, so what sets an ACH auditor apart? We see it as three critical qualifications:
- Accreditation – An Accredited ACH Professional (AAP) is an individual who possesses a comprehensive knowledge of all areas of the ACH Network. Financial institution examiners and regulators recognize the AAP credentials as identifying those highly skilled in the electronic payments profession.
- Industry Experience – Adding on to the foundational AAP Accreditation tip, let’s talk about industry experience. Look for an auditor who wants to get to know your business, because the depth of their experience and knowledge comes from a portfolio concentration of similar organizations. Industry experience is a biggie, so ask yourself, “Do they speak your speak, understand your business model, have a depth of knowledge around payments? Are they so connected that they even know your regulatory filing dates and critical deadlines?” You want to be comfortable that they fully understand your business and its payments opportunities and challenges.
- Educator Status – Every audit should be an educational experience on some level. Your ACH auditor should have a vast amount of knowledge and experience, and they should be looking ahead at upcoming rule changes that may impact you. With the industry-specific expertise they bring to the table, they are constant students of payments education. In short, you want your auditor to help educate you on the need-to-know ACH developments and how they impact your business.
Selecting the right ACH auditor means choosing a firm that speaks to your organization in more ways than one. Beyond cultural alignment, you want a firm that understands you; if you are jumping through hoops to interpret an auditor’s comments, you won’t get the most out of the experience. But if you have a firm that takes the time to work with you on a granular business level, the audit can make your business more efficient, effective, and successful. Quite simply, when selecting a specialist for an ACH audit, you want an auditor that speaks to the heart of your business and can translate the Rules into a vernacular you can understand and a manner you can act upon.
If you’re looking for an ACH Auditor specializing in third-party senders, third-party service providers, or anything business-related, consider OAS your payments specialist to address your business’ specific needs. Contact us today.
Addressing the Top Six Business Issues Identified in ACH Risk Assessments
1. ACH risk is not evaluated. In many organizations, risk is an afterthought that only gets addressed after something blows up. A risk assessment can help you head this off at the pass, by fixing your vulnerabilities before someone or something exploits them.
2. The business conducts a “check-the-box” ACH risk assessment. When it comes to risk, one size does not fit all. Many off-the-shelf solutions may focus on risks not inherent to your business environment and miss those that impact your operations and industry daily. It’s like having a band-aid that won’t stick!
3. The payments team decides to fly solo. You know that saying, you can’t see the forest for the trees? That’s what it’s like to conduct your own risk assessment when you’re in the weeds of daily operations. The best ACH risk assessments engage every internal stakeholder who has a role in the ACH process, including sales, credit, underwriting, compliance, onboarding, legal, technology, business continuity, fraud, and risk teams, just to name a few. An ideal ACH risk assessment will follow the path of the payment, uncovering steps within the process that could create inherent risk.
4. The organization has instituted poorly designed or weak controls. Internal controls are meant to do just that, control the environment, but if they haven’t been designed with all stakeholders and the full payment process in mind (see #3), they won’t be able to fulfill this mission. There are not many controls that are silver bullets, and by that, I mean 100% effective. Instead, a layered approach to risk mitigation will help ensure that your control environment is designed effectively, and a risk assessment will home in on ways to strengthen these safeguards.
5. There’s a lack of clarity around the organization’s risk tolerance. Risk tolerance is defined as what you’re willing to lose. In reviewing risk assessments, we look for residual gaps to determine if these gaps are within management’s identified risk tolerance. If the risk tolerance does not align with the organization’s risk appetite, that’s a big problem. Having discussions with all management levels is critical to ensure that everyone is on the same page and that risk tolerance is defined in the organization.
6. The business employs a “one-and-done” approach to risk assessments. ACH risk assessments are a proactive—not reactive—means to risk mitigation. Risk assessments must be reviewed on an ongoing basis, including when there are changes in the Nacha Operating Rules, introductions of new products, changes in technology, staff transitions, acquisitions or mergers, ACH losses, vendor disruptions, data breaches, pandemic developments, and more. Adding an ACH risk assessment topic to a periodic management meeting agenda will ensure your business plans continue to support your predetermined risk tolerance (see #5).