Include in that risk assessment the potential for user (the individual(s) at the business) fraud. If the business now has reasonable controls to prevent a bookkeeper, for example, from issuing checks to fraudulent payees including himself, where do those controls go if the bookkeeper has access to the bill pay system? Do you have dual control (separate user verification before commit) capabilities?
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8