On-Demand: Operating in the Cloud--Reduce Risk by Paying Bills in the Cloud
November 02, 2020
EisnerAmper and Bill.com demonstrated how businesses could pay bills in the cloud while mitigating the risk of fraud and theft.
Kevin Brady: Sure. Thanks, John. My name is Kevin Brady. I'm a senior manager in our process, risk and technology solutions group at EisnerAmper. I've been working, doing both internal and external audits, as well as IT and cybersecurity risk and gap assessments, for about 15 years now. And I'm joining today to give the auditor's perspective of Bill.com and the different controls that it provides the user in their environment.
John Delalio: And we're also very lucky to have a good partner with us today. Lindsay, you want to introduce yourself?
Lindsay Wheeler: Yeah, sure. Thanks, John. My name's Lindsay Wheeler. I'm a director at Bill.com. I have spent my entire career in the cloud, helping accountants automate their backend businesses and now doing that through bill pay.
John Delalio: Lindsay, can you tell us a little bit more about Bill.com for those of us who might not be familiar with it?
Lindsay Wheeler: Yeah, of course. If you're not as familiar with Bill.com, we are a leader in financial process automation. We work with leading financial institutions, process about $70 billion annually and we work with 70% of the top 100 accounting firms, including EisnerAmper, who's one of our favorite partners. And our goal is just helping millions of businesses pay and get paid.
John Delalio: And I think the interesting part, besides Lindsay saying, "We're a good partner," is her mentioning $70 billion worth of funds that move through Bill.com to help their clients and our clients pay their bills and receive payments. It's actually a pretty major platform. Today, we're going to break this session up, more like a discussion-based session. But the first thing we're going to do is talk about the challenge, the risk of paying bills from the cloud. We're going to talk about how you can reduce those risks from the view of an auditor. That's where Kevin's going to come in. And then we're going to talk a little bit about the actual process of paying a bill. We're going to split it into four parts: record, approve, pay, and reconcile. Those are the main things you need to do with any bill, so we're going to go through that. And then at the end, we'll have some takeaways for you and we'll have some time for Q&A.
Let's frame the problem. In 2019, a movie came out called Bad Education, and it was about a Long Island school district where the superintendent and a few members of staff stole over $11 million worth of money from the school district. Now, I live on Long Island, I live near Roslyn, so it's kind of relevant to me. And I saw the movie again recently and it really kind of surprised me at how easy it was for this group to steal a lot of money. I thought it was also interesting that it started out as simple as, "Oh, let me just charge my bagel onto it." And the next thing you know, they're stealing millions of dollars. Very good movie, by the way, I recommend it highly.
But that kind of got us thinking about how we could talk about stopping that by paying bills in the cloud. I would also tell you, I recently talked to another cloud accountant client, or a friend of mine actually, whose company identified somebody who was stealing half a million dollars in PPP funding from a company, one of her client's companies. Now this was a trusted person who had been there forever, and half a million dollars in PPP loan money, I mean, it's just egregious. And the only reason they spotted it is because they had a separate bookkeeper looking at their books and they identified this problem. So how do you stop it? How do you cause it not to happen? You have to pay your bills. You have to use these tools. You have to work with other people.
I was talking to a CFO recently for a major family office and he and I were going back and forth about different applications. And one of the things he mentioned was QuickBooks Desktop. And I don't mean to throw this technology under the bus. It's an excellent platform for small businesses, but the thing you don't realize is it's typically set up on one computer with one user ID, and that user ID has system admin privileges. When you do that, it is exceptionally easy to put in fraudulent transactions. You can set up fake vendors. You can pay fake vendors. You can delete fake vendors. All that is totally possible. We want to figure out a way to avoid that and, quite honestly, we like using several different apps so we can kind of spread things out and kind of make sure there's different checks and balances. But there are a few things I want you to keep in mind before I hand it over to Kevin about those checks and balances. One, checkbooks are not secure.
Checks can be stolen. If you worked for a company, they lock the check register up in a safe sometimes. That's great but when COVID happens and everybody's sent home with the checkbook, that control breaks. It doesn't work. Another thing I would say is, you guys, always be aware of a shared computer that has only one user ID. You can't track who does what. And then also, I hate to say it, but the majority of theft comes from individual actors, so they're one person. With that in mind, Kevin, what do you look for as far as controls to stop fraud and theft?
Kevin Brady: Sure. Thanks, John. I think when we're looking at what to look for in a secure application, there are a couple of key areas that we look at. We want to make sure that organizations have the best practices covered. These really involve, and this is often included in a SOC report that an application service provider like Bill.com would have performed to get an independent assessment of their control environment. It's very common for hosted applications. But what we're looking for is really around system security: multi-factor, user IDs and passwords that require multi-factor authentication. That's become basically the gold standard. And that's something that's included with Bill.com. This isn't something that you see on desktop applications, like what you mentioned before, QuickBooks, not to pick on it again, but desktop applications just don't commonly have the current standards in place. The other big thing that we look for as auditors is really the role-based security that helps enforce the workflow that's built into the application.
Users being segregated: in the case of Bill.com, who can enter the invoice, who can approve it and who can pay the bill? And then things like setting up fake payments or setting up vendors and approving the vendors, all of these things are sort of intertwined with the system security. And then finally, the other big thing that we look for is how do you go back and double check? Is there an audit trail? Are there logs maintained? Can you view a history of the period in one place versus doing it manually, like looking through your bank's bill payment software, the website? And what are other controls that could be built in, like linking to the GL for reconciliation? That's something that I believe Lindsay may speak to about how that GL reconciliation works, but that's an additional control that you can have in place.
Really, just to summarize: the role-based security, who has access? What can they do? Is it segregated properly? The workflow that's built into the tool, and how you can go back and review and check to make sure that everything that was done in the past month or quarter or audit period for the year was correct.
John Delalio: Thanks, Kevin. I think, just to summarize what you said, secure platform, which I think Bill.com definitely demonstrates. And what's kind of fun about them is when your auditors ask for a SOC report, you just put in a request and you get one. And it shows that they are a locked-down system that's moving $70 billion a year through their network. They have all the security better than any single little company could put together. We're going to talk about the process now. Again: enter, approve, pay and reconcile. Lindsay, you want to take the screen and kind of show us what we're talking about here?
Lindsay Wheeler: Yeah. Let me share my screen and walk you guys through this. And let me know if you can see this. Essentially, this is the overview page of Bill.com. There's a ton of things that you can do in here. But like John said, we're just going to focus on how the bill gets in, how we code the bill, how we approve it, and then what that payment looks like once it's approved.
Over here, you'll see that you have an inbox and in this inbox, this is where all the bills are going to sit. You can email them in. You can drag and drop a file. You can upload a bunch that you've scanned. Whatever's the easiest way for you. But any of these bills that you see with a green check mark, you'll see that it has a note that says, "We've started this bill for you."
If I click on Review & Save here, what Bill.com has actually done is we have what we call inbox virtual assistant. And so, that's not only going to read the bill and populate, as you can see here, everything that you need to save this bill and send it through your approval workflow. But it's also going to remember where you have coded bills before, as you can see here in the GL, bill descriptions as well as approvers for the bill. You can leave notes here, anything that you'd like. But you can save and close this bill and then move on to the next one, if you'd like.
Once we've saved the bill, if we go back here into Overview, you'll see, you can go into Approvals and you can approve your bill right here. I'm actually going to show you how you can approve it the way most of our clients actually approve it, which is on the mobile device. We have a mobile app for Android or iOS. You can go in, you can pay bills on this mobile app. You can approve bills. If I go in and click on the bills here, I can see all the bills I have to approve. If I want to click on this bill, I can see who the approvers are in the bill. It's me, then it's going to go to Jack. If I want to take a look at the bill, I can do that from the mobile device and then I can scroll down here and deny or approve. If I deny, I'm going to leave a reason and it's going to kick it back and start the process all over again. If I go over here to this Blue Cross bill, I can just simply approve and keep moving on.
Kevin Brady: Sorry, go ahead, John.
John Delalio: Sorry. You go, Kevin. I think we're stepping on each other. Go.
Kevin Brady: Yeah. One of the things I think you just showed us is how easy it is to capture the bill, import the information, make sure that we are reducing manual errors on the entry and being able to look at that history because all the information is captured in one place. Is that what you were just going through on the screen?
Lindsay Wheeler: Exactly. Yep. You'll have everything from the approval workflow, all of the data and the actual document all housed in one system.
John Delalio: What I was going to say is every bill is recorded and captured, so that's a great control point.
Lindsay Wheeler: Exactly. And if you wanted to ever look at a bill, you could go here and look at this invoice. And once you open it up, to your point earlier, Kevin, there's a full audit trail of anything that's ever happened in this bill. I can see any time any change has been made, who made the change, what it was and what time. And then if I wanted to look at any payments out that I had done, I can go in here. I can see the payment confirmation number, when it was paid, when it's going to process, how we're paying it, whether it's check, e-payment, international wire. I can click on this payment confirmation, and this one is being processed today. Once it's sent, you'll see that. Once it's cashed, you'll see that. It'll toggle across. And then you'll see all the details for the vendor, vendor address, what bank account it's coming out of, and then you'll actually have the front and back check images once that check is cashed. And you can always reference back the invoice here.
Kevin Brady: Yeah, this is great from an auditor's perspective. Instead of hunting down the records in your bank account and then piecing together emails or paper approvals and everything that would be scattered across your shared file or email box, everything's in one spot here. This is great when an auditor comes in and wants to look at the history of the transaction log and see everything right there.
Lindsay Wheeler: Yeah, absolutely. And then what I wanted to just show you as well, while I had you on the screen, is this is the approver's view. You'll see that the last bill I had was sent to Michelle Schiffer to approve. And when you log in here, all she sees are bills to approve. She has no ability to pay. She has no ability, if you go into the inbox, to code. She can load in invoices here, but she can't do anything besides her role, which is approve. So it's completely customizable and you can tailor the view of what your AP staff is really seeing and also what your approvers and your clients are seeing.
Kevin Brady: Okay. And that's that role-based security that's forcing you to follow the workflow that the tool has set up.
John Delalio: And the nice part about that is best practice: people who approve bills don't pay bills, or people who enter bills don't approve them and don't pay them, unless you're the owner of the company. And I know that Bill.com has an option to do that if you want to set it up that way, but at least there's always a record of who did what when. Very, very powerful.
John Delalio: Okay. To kind of put it all together for you guys, just to talk a little bit more about how this can fit into your framework or your company. EisnerAmper has been using Bill.com for about three or four years to pay bills for our clients. We are an outsourcing division, so for us handling paper is not efficient, not effective. We actually have been on this platform for a long time. And, during COVID, when it just began to strike, we have a whole other business line for family office where we're paying bills for them. And we were gradually moving them onto the platform, but we had a lot of resistance to making a change, particularly in families. Sometimes people really like paying with a check. They feel very comfortable that they can control their spending because of a check. Well, we converted probably about 25 clients in one month to Bill.com and I've never heard a peep out of any of them.
Again, we train them once. The app is very easy to use. If you set it up correctly, it's got the right workflow associated to it and we're off to the races. It actually has been, in addition to you no longer need to handle paper so social distancing and all that was handled with Bill.com, it's also a very efficient way to pay your bills so you can pay a lot more, a lot quicker and a lot more controlled fashion. With that said, we've got some questions coming in. Let me just hold on one second. Let me get to it.
Lindsay Wheeler: Yeah. John, I saw a question come in from a couple, the same question twice from Rosemarie. It was in relation to connecting to the GL. What Bill.com does, I wanted to address that before we got into the schematics questions, because I know we touched on that. Bill.com will directly integrate to your general ledger platform. We have direct integrations to all versions of QuickBooks, Xero, NetSuite and Intacct. What that means is anything that's done in the AP will automatically sync over every day into your general ledger, so there's no duplicity of keying. And then it also allows you to get some of your AP-only staff out of the general ledger, which is, I know, important to Kevin when he's going in as an auditor, because the fewer people we have within our general ledger, the better.
Kevin Brady: Yeah, that's a great point. And the other question that was asked about, "What support do you need attached to the journal entry related to Bill.com?" I think because Bill.com has everything in that log and in the inbox, you have a complete audit trail captured related to the invoice and the payment. You don't need to port this over to the GL if you don't want to. If you want everything in one place, that's a reason to do it. But when an auditor comes in and they have everything kind of tied in a bow in a nice system, it isn't necessary to duplicate that evidence in another system. The journal entry wouldn't require you to attach additional evidence because it's all captured within the AP process that's in Bill.com.
John Delalio: It also, what I'd like to add, is it's such a flexible reporting platform. One of the things we did for a lot of our clients is create a report that shows all the bills that were paid in the month, who approved them and with the actual check being paid. For a family that's paying a lot of bills, you can see them all lined up in one email report that the people get, so instead of getting multiple emails back and forth saying, "Did you approve this?" or, "Did you approve that?" we can just give them a straight report with all the information they would need.
Okay, I have another one here, "Lindsay, how hard is it to set up and learn?"
Lindsay Wheeler: Bill.com is a very simple software, I think, as you just saw, to use. As John pointed out, he set up about 20 clients in a month and never heard from them again. That being said, I think the process is where most of the clients will lean on an EisnerAmper to help them set that up. And I'll let you speak a little bit more to that, John.
John Delalio: Absolutely. The software is pretty easy to set up in and of itself, but there is a lot of logistics about connecting it to bank accounts. One of the things we didn't talk about, and actually, Lindsay, I'm going to bounce it back to you. I know it's really important for Bill.com to validate that the people that are paying bills are actually real people. Can you talk a little bit about that control?
Lindsay Wheeler: Right. Yep. Within Bill.com, and I think you saw this when I logged in as Michelle, who is the approver. She does not have the ability to pay the bill. The only people that have access to the bank account are bank-authorized users. Whoever is paying the bills will go in and set up the bank account. And if you need backup payers or there are multiple people within the organization that can actually release funds, they will have to go through an identification process. We pull questions from public record and you'll have to verify that you are who you say you are. You've lived at this address, you know this person, et cetera, et cetera. It's a standard questionnaire, but you do have to answer it so that we know it's not a fake person going into your bank account.
John Delalio: Great. There is a little bit of a nuance to setting it up. I would also say you need to have an approval workflow design that deals with things like people going on vacation. Now, I would say that Lindsay was kind to show us approving a bill on a cell phone, which would mean you could approve a bill from your vacation, but we would rather not have that be the case. But I also think that that points to a major hole in the process that you need to be careful of.
In the old days, and I know those in banking still do this, they make people go on vacation for two weeks to avoid fraud, because it's the concept of, "If you're away for two weeks, things will fall apart." Now with work at home, accessing the system anytime, anywhere, it's really easy to always be in the system and actually cover your tracks.
I know of a local boat yard that had a bookkeeper who was stealing, set up a fake vendor, was selling fake parts and collecting fees on both ends. They only caught her when she went away on vacation for two weeks. Now, with a cloud environment and work-at-home environment, you absolutely need a system that you can track all that activity in. And the other thing I would recommend is you put a second set of eyes on it, maybe from an outside party. And actually this leads me to another question that somebody asked: "Wouldn't fraud be identified when people do the tax return?" Kevin, can you address that one?
Kevin Brady: Right. Yeah. I mean, that comes up as a common question. The thing is that a tax accountant's job is really just to pay taxes and do some validation. They're not really going to be able to dive into the individual transaction data and identify fraud or look for fraud. They may stumble upon it from time to time, but it's not really the key focus of their activities. What's really important these days is using a system that gives the ability for an accounting department or an audit department or someone within the organization to do a periodic reconciliation or some sort of detective control, that you review the information to make sure, "Are all my vendor payments correct? Is there anything suspicious? Are there any variances from month to month or week to week based on set expectations?"
And then, of course, the system is giving you some preventative controls that I mentioned before, like the role-based security in the workflow. But the tax accountant is not going to find those. That's going to be a function of reviewing the logs and reviewing the history so you really want a system in place that gives you that capability.
John Delalio: Thanks. Now, another question. There are two questions I'm going to combine for you, Lindsay.
John Delalio: One, "Isn't just paying bills through online banking the same thing?" And then the follow-on question is, "My bank offers Bill.com as a complimentary service." Can you answer both of those?
Lindsay Wheeler: Yeah. The question about the bank, you would have to check with your bank, but Bill.com does, as I mentioned in the intro, we do the bill pay for a lot of the leading banks on the backend, so we process those payments. What is different between doing that and having a Bill.com account is really in that approval workflow and that audit trail. To Kevin's last point that he was mentioning, if you're going in and you're looking for fraud and everyone that's paying bills is paying through your online banking platform, they're going to have to have your banking credentials to log into your online bank and you're not going to be able to see who does what, where, because the banking platform doesn't have that audit trail associated with it. The approval workflow and the ability to see who did what when is the main difference from paying through your online bank.
John Delalio: Okay, let's see. Actually, we've got an unusual number of questions, which is always great. What about the linkage to cash balances? Also, linking to the GL for reporting transactions? I will tell you that when you configure your accounting software, whether it's QuickBooks Online, Xero, Sage Intacct, or any of the others that Bill.com is associated with, one of the nice things about their interface is that all the reporting categories that you have in your GL automatically flow over to the general ledger. Actually, at the time of entering a bill, you have the same GL accounts that you'd have in your regular books. That's part of the way it works. And also, you can pay out of multiple cash accounts, so that's how that's handled. But, Lindsay, talk a little bit about how the cash moves out of Bill.com. And also, I think we should mention international payments, because I know that's a really nice feature that has some good benefits.
Lindsay Wheeler: Yep, exactly. The cash moves out of Bill.com, you'll process the payments and we'll pull the money on the day that the money is processed and then we'll disburse those payments at the same time. We move ACH payments. They can be done next day. You have the ability to do same-day payments within Bill.com, and then checks usually arrive between three and five days. They're mailed via USPS. I did see the question come through and, John, I'll touch on the international payments. Bill.com can handle any international payment needs that you have. We do them via international wire. You do have to have a US bank account to wire the money from. We can pay the bill in US dollars or foreign currency.
John Delalio: Okay. And this one is to Kevin. Kevin, what is a SOC report?
Kevin Brady: Wow, that's a great question.
Sorry. I should have mentioned it when I said it, but I throw out acronyms all the time and they're not always well-known. SOC reports are what was formerly known as the SAS 70 report. Now SSAE 16 is the standard. The SOC report is an independent assessment that a service provider typically has. They hire an auditor to come in and, if it's a SOC 1 report, it's geared towards controls over financial reporting. An auditor will come in to a company like Bill.com and validate that a set library of controls is, in fact, designed and operating effectively by testing those controls in their environment. When you're requesting a SOC report from your vendor, it's typically because your auditors asked you for it. But hopefully, some of the more proactive organizations are getting these without the auditor's inquiry, because it's going to give you a window into what the control environment is and what the service provider expects you to be doing with the user control considerations that you should be performing.
Those typically are setting up a new user, granting access, approving access, that's the customer's responsibility. But the SOC report will document all of the controls that the vendor has in place like password settings, controls around change management. At Bill.com, for instance, physical security of where Bill.com is hosted and what the controls are around the data center. The SOC report is so that they could, Bill.com or other service providers, could provide you with a nice clean report that shows what the controls are that they have in place that support your financial statement audits.
John Delalio: Okay, we have another question here, "Does Bill.com interface with Yardi, MRI?" And I also saw another one talking about Avid. We work with a lot of different bill pay solutions. Bill.com is one we've worked with quite a bit, but they don't interface to everything. But what's interesting about it is if you look at the Yardi solution for bill pay or if you look at Avid, from a control standpoint, there are some of the exact same controls you need in place to have that solution be effective, right? It needs to capture every bill. You need to have multiple roles for your users. You need a way to sync it to the GL and you need a way to reconcile it and you need an audit trail.
Bill.com does not connect to everything. I know I talked to Lindsay about it; it would be great if it could. But where it doesn't, there are some pretty good solutions out there that work with it. And I know Yardi has its own. I know Folio is using Avid, which is pretty decent. There are a bunch out there. And actually, by the way, there are a bunch more out there. It's a developing trend in the industry to automate AP. But I think there is something you guys need to be aware of, in that it has to be a SOC-compliant solution. You want all those things I just mentioned, because if it doesn't have that, it might not be safer than your checkbook.
Lindsay Wheeler: Yeah. I'm going to add one thing to that, John, before you move on to the next question.
Lindsay Wheeler: Because I saw the question come through on what differentiates us, and you want to make sure as well, if you outsource your AP solution, one main thing that Bill.com does that most other companies don't is we issue all payments out of a Bill.com account. And why that's important is you don't have your account number, your routing number floating around out there, an uncashed check, a lost check that didn't go through. It's all on Bill.com, on our check stock. I think that's a really important point. Anything that doesn't integrate directly with Bill.com out of those four that I mentioned, you can always import/export out for other GL systems. A lot of our companies do it. But you do want to make sure that, if you're going to outsource it, that you don't have to worry about your account numbers going out there.
John Delalio: Okay. And Lindsay, could you talk a little bit about foreign currency and conversion rates, because that's another question that's asked, "How does Bill.com deal with that?"
Lindsay Wheeler: Yeah. Bill.com, first of all, when you set up the account, will sync with your GL and we'll bring over all of your chart of accounts, your vendors, all of that, so it's automatically the same in both systems. No duplicity of keying and everything matches up when you sync the software, if you are syncing the software. That being said, once we have those international vendors in there, you'll select if you want to pay them in foreign currency and we'll do all of the conversion rates and exchange rates for you within the system.
John Delalio: And I'd also say from an accountant's perspective, it's very easy to work with, because the day you commit to the payment and the day it settles, there can be exchange rate variance that happens and the system just handles that all very easily. It actually makes our life very easy to do the accounting for that. I'd like to advance to just the takeaway we promised to you all, so we're just going to push the slide up to the output. Lexi, I don't know if you can make that happen. Okay.
We're going to email this to everybody as well, but we just want you to think about these three areas when it comes to paying bills online and whether your system is safe. On the process hotspot list, make sure that you capture every bill, you have segmented users and roles and approval on the system. Security has got to be a SOC compliant solution. You're moving money around. You do not want to mess around with that for sure. And you need multi-factor authentication and roles.
And making sure the information is right, and it might not be your tax person. Tax people do find problems, don't get me wrong. It's not like we haven't found that in some of our engagements, but hiding transactions is very tricky and, by having the right controls in place, you want to avoid it. Okay. With that, we do not have any more questions. I'm going to sign off and thank you all for joining today. We have all our contact information up there, so if we didn't get to any of your questions and you have any questions, feel free to reach out to any of us. Thank you.