Company/Employee Expense Disclosure Portal (End to End Encryption)

Demo Site & YouTube Video List - (Setup directions in yellow below.)

• DEMO EMPLOYEE EXPENSE DISCLOSURE TEST SITE
• YOUTUBE VIDEO HOW TO LINK

Purpose

This application is free to use. Please read the disclaimer.

I originally developed this system to support SOX and financial reporting compliance for both public and private companies, particularly in relation to anti-bribery, anti-corruption, and anti-fraud regulations such as the Foreign Corrupt Practices Act (FCPA). During my work with organizations of different sizes, I noticed that many smaller companies cannot afford the high cost of commercial compliance platforms, nor do they always have the technical expertise required to manage complex server-based solutions. As a result, this project was designed with simplicity, accessibility, and practicality in mind. The most important aspect of this system is not the technical difficulty involved in designing the core components or writing the code. Rather, its effectiveness depends on the policies, procedures, and internal controls that your organization establishes to manage the process. The technical framework has already been developed—you simply need to implement and govern the process around it. For example, organizations should secure key files, restrict access to executable files, and control other critical elements of the system to maintain integrity and accountability. For most regulatory inspections and oversight reviews, having the technical components in place is only part of the requirement. Proper documentation, procedures, and evidence of internal controls are equally critical. My hope is that this project helps your organization meet regulatory expectations or, at the very least, provides a practical reference for building a compliant process.

This portal is designed to provide a secure, transparent, and efficient system for employees to disclose expenses in alignment with corporate governance and regulatory standards. It ensures accountability, traceability, and proper documentation across all submissions.

The platform supports compliance with key regulations, including SOX, anti-bribery, anti-fraud, and anti-corruption requirements. It is applicable across multiple jurisdictions, including North America, the United Kingdom, the European Union, Singapore, and other international markets.

Built with simplicity and efficiency in mind, the system requires minimal infrastructure and resources to operate. Estimated operating costs are approximately $80 per month, primarily for web hosting such as godaddy or etc. If you run your own web server and hosting then you won't have any cost. Compared to traditional enterprise solutions that can cost tens of thousands annually, this system provides a highly cost-effective alternative.

The architecture follows a zero-trust model and incorporates end-to-end encryption to ensure data security and integrity.

From a compliance perspective, the platform streamlines data management by supporting:

• Date security
• Review and inspection processes
• Investigation and enforcement workflows
• Easy AI scanning integration

Key features include:

• Comprehensive audit trails for system access
• Detailed security logging
• Encryption controls and oversight mechanisms
• Support for internal and external audits
• Convient the road, desktop or mobile submission
• Support for internal and external audits
• Built to exceed regulatory requirements

WHAT YOU WILL NEED FOR THE SETUP:

• --ON THE WEB SERVER SIDE--
• employee_report.php
• failed_logins.json
• login.php (modify this)
• login_audit_logs.json
• logout.php
• public_key.pem (modify this)
• submit_expense.php (modify this)
• PHPGangsta (directory) (*you don't need to modify this)
• set .htaccess in your web directory (modify this)
• receiptuploads (directory)
• expensesubmission (directory)
• --ON YOUR SIDE--
• download Microsoft Authenticator or Google Authenticator on your phone
• WEBLOGIN_PASS_GENERATOR_V4.exe (password,php hash, TOTP secret)
• place the php password hash/TOTP into the login.php
• distribute the plain password and user names to the users (protect this list)
• Default: 3X logins, 15 mins lockout, failed login, TOTP log, session cookie, etc.
• rsa_key_generator.exe (rsa_private_3072.pem and rsa_public_3072.pem **rename them correctly)
• key generator key file #######.pim (You must have this to run the exe files. SHA256 hash verification)
• decrypt_expenses_V3.exe
• private_key.pem (Protect this / Modify this)
• There is an optional app called cryto_RSA_key_shredder_V2.exe that you can use to shred files securely. (security pim file required)
• There is an optional app called RSA3072_PRIVATE_KEY_SPLITTING_V2.exe that you can you use to split the private keys (or any files) into pieces to delegate security holds. (security pim file is required)
• Where ever you choose to run the decrypt exe, it will create the date time directories.

The system also complements existing financial tracking and accounting platforms, enhancing overall organizational visibility and control.

Overall, this solution enables a proactive approach to fraud detection and regulatory compliance, helping organizations identify risks early and maintain adherence to evolving standards.

Security (Designed to pass Auditing and Compliance regulations)

• End-to-End Encryption (E2EE)
• Multi-Factor Authentication (MFA)
• Password hashing (bcrypt via password_verify)
• Hard code logins (no db hijacks or insertions)
• Audit Logging
• Secure Data Storage Practices
• Multi-factor authentication (Microsoft or Google Authenticator)
• Session management
• Session fixation protection
• Session-based MFA state tracking
• CSRF protection
• POST request enforcement
• Login attempt limiting (max attempts)
• Account lockout mechanism (time-based)
• TOTP attempt limiting
• Failed, TOTP, Success, Pass Success login tracking
• IP address logging
• AES and RSA encryption
• Decryption exe file
• Decryption exe password lock
• Decryption file SHA 256 (Will only run on authorized pc)
• Decryption required private key to decrypt
• Custom rsa encryption utility
• Custom MFA key generator
• And more..

Disclaimer

This application, including all code and associated files, is the exclusive property of www.thugon.com and its developer. All rights reserved. This software is provided “as is” and “as available,” without any warranties or guarantees of any kind, express or implied. Use of this system is at the user’s own risk. By using this application, the user agrees to release the developer from any and all liability arising from its use. Limited modifications are permitted, provided proper credit is given to the original owner. Unlimited use of the system is allowed. However, this system may not be sold, marketed, transferred, or substantially modified without prior written consent from the developer. The developer reserves the right to update or modify this agreement and disclaimer at any time without prior notice. EXCEPTIONS AND CREDITS: www.thugon.com or the developer does not own the phpgansta Google authenticator library files. Credits to and Copyright (c) 2012, Michael Kliewe, used under his opensource.org license.