Q. (cont.) Right now, I could just go in and manually change dollar amounts and bank account numbers. Any best practices around that?
A. You want to have controls built into your policy and process, such as segregation of duties, access control, and reconciliation.
System access control (protected by unique username and password) should be in place that restricts activities around payments to authorized persons.
Reconciliation by someone other than the person uploading the file is a very important control. While there is likely to be a quick acknowledgement from the bank upon the upload, it might have just totals and counts, which is not much help; but the next day you should get a file that can be reconciled promptly by a different person.
Is there any audit trail regarding building the text file that could be reviewed to track any changes? Some text files can be built to include check digits based on content. Depending on programming expertise available and other factors, perhaps that could be a possibility.
Of course you want to be sure that people handling the file are trustworthy insofar as you can (keeping in mind that fraudsters have often turned out to be long-serving-and-trusted employees – with too much access and not enough oversight; trust but verify!).
Finally, consider having two people perform the file upload, if possible, given your staff size.
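An added example, not part of the original answer, of the "check digits based on content" and reconciliation ideas above in Python: a control record (record count, total amount, SHA-256 over the file bytes) is built when the batch is approved, re-checked just before upload, and then compared by a second person against the bank's acknowledgement. The file layout, account numbers, amounts and the acknowledgement dictionary are all constructed for this example.

```python
import hashlib
from decimal import Decimal

# Constructed sample payment batch, one payment per line: "id|account|amount".
# Account numbers and amounts are made up for this example.
BATCH = """\
P001|000111222|1250.00
P002|000333444|89.95
P003|000555666|4100.50
"""


def batch_control(text: str) -> dict:
    """Build the control record for a batch: record count, total amount and a
    SHA-256 digest over the exact file bytes. Computed once, when the batch is
    approved, and stored separately from the file itself."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    total = sum(Decimal(ln.split("|")[2]) for ln in lines)
    return {
        "count": len(lines),
        "total": total,
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }


def verify_batch(text: str, control: dict) -> list:
    """Re-derive the control record from the file about to be uploaded and
    list every mismatch. Count and total catch added or re-priced payments;
    the digest also catches an edited account number that leaves both intact."""
    actual = batch_control(text)
    return [f"{k}: expected {control[k]}, got {actual[k]}"
            for k in ("count", "total", "sha256") if actual[k] != control[k]]


def reconcile(control: dict, bank_ack: dict) -> list:
    """Compare the bank's acknowledgement (count and total for the batch) with
    the approved control record. Meant to be run by someone other than the
    person who uploaded the file."""
    return [f"{k}: approved {control[k]}, bank reports {bank_ack.get(k)}"
            for k in ("count", "total") if bank_ack.get(k) != control[k]]


if __name__ == "__main__":
    ctl = batch_control(BATCH)
    print("clean file:", verify_batch(BATCH, ctl))
    # Constructed tampering: one account number changed, count and total unchanged.
    print("edited account:", verify_batch(BATCH.replace("000333444", "000999999"), ctl))
    print("bank ack:", reconcile(ctl, {"count": 3, "total": ctl["total"]}))
```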