Working with the internal audit function in many community banks over the years, I have come across some really good controls and thought this would be a great opportunity to share them with you.
User Access Reviews:
Did you know that some banks perform quarterly reviews of system user access? Some banks' Information Security Policies require the Information Security Officer (ISO) to send each department head a quarterly memo listing every employee in the department and the system access each one holds. The policy then requires the department head to sign off on the report and return it to the ISO. I think this is an excellent control to have in place to mitigate the risk of unwanted access and to ensure that proper segregation of duties is in place. Reviewing quarterly rather than annually also shortens the time that unwanted access can go undetected.
Segregation of Duties:
Did you know that general ledger account reconciliations should be performed by someone who does not also have access to change those accounts or to the underlying process? Proper segregation of duties helps mitigate employee fraud. For example, an employee in the Finance/Accounting Department who prepares the daily wire reconciliation should not have input or verification access for wire transfers. Giving one person both the ability to enter or verify wire transfers and responsibility for the daily wire reconciliation significantly weakens segregation of duties over wires and increases the Bank's risk of internal fraud in that process. Another example can be found in the investment process. A key control here is to separate reconciliation of the investment portfolio from the portfolio management function: the reconciliation should be performed by a separate individual who is familiar with the investment process and who diligently follows up on any significant reconciling items in a timely manner.
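The two controls above, the quarterly per-department access report and a check for users holding both a reconciliation duty and the transactional access it is meant to police, can be driven from the same entitlement extract. The script below is an added illustration, not the author's or any bank's code; the user ids, departments and entitlement codes are constructed, and the SoD rules simply encode the wire, general ledger and investment conflicts described above.

```python
"""Quarterly access review helpers: build the per-department access report for the
sign-off memo and flag segregation-of-duties (SoD) conflicts over an entitlement list.
All names and entitlement codes below are constructed sample data (assumed, not real)."""
from collections import defaultdict

# Each rule pairs a reconciliation duty with the transactional access the same
# person must not also hold. A user conflicts when they hold one of each side.
SOD_RULES = [
    ("wires", {"WIRE_RECONCILE"}, {"WIRE_ENTRY", "WIRE_VERIFY"}),
    ("general_ledger", {"GL_RECONCILE"}, {"GL_POST", "GL_MAINTAIN"}),
    ("investments", {"INV_RECONCILE"}, {"INV_TRADE", "INV_MANAGE"}),
]

# Constructed entitlement extract: (user_id, department, entitlement)
ENTITLEMENTS = [
    ("jdoe", "Finance", "WIRE_RECONCILE"),
    ("jdoe", "Finance", "WIRE_ENTRY"),      # conflict: reconciles wires and can enter them
    ("asmith", "Finance", "GL_RECONCILE"),
    ("asmith", "Finance", "GL_POST"),       # conflict: reconciles GL and can post to it
    ("bkim", "Operations", "WIRE_ENTRY"),
    ("bkim", "Operations", "WIRE_VERIFY"),  # entry plus verify is not a conflict under these rules
    ("clee", "Treasury", "INV_MANAGE"),
    ("dray", "Treasury", "INV_RECONCILE"),  # reconciliation is separated from management
]

def access_by_department(entitlements):
    """Return {department: {user: sorted entitlements}} for the quarterly memo."""
    report = defaultdict(lambda: defaultdict(set))
    for user, dept, ent in entitlements:
        report[dept][user].add(ent)
    return {d: {u: sorted(e) for u, e in users.items()} for d, users in report.items()}

def sod_conflicts(entitlements, rules=SOD_RULES):
    """Return sorted (user, rule_name) pairs where one user holds both sides of a rule."""
    held = defaultdict(set)
    for user, _dept, ent in entitlements:
        held[user].add(ent)
    return sorted((user, name) for user, ents in held.items()
                  for name, recon, txn in rules if ents & recon and ents & txn)

def format_memo(department, report):
    """Render one department's section of the sign-off memo as text lines."""
    lines = [f"Department: {department}"]
    for user, ents in sorted(report[department].items()):
        lines.append(f"  {user}: {', '.join(ents)}")
    lines.append("Reviewed by department head: ________  Date: ________")
    return lines

if __name__ == "__main__":
    rep = access_by_department(ENTITLEMENTS)
    for dept in sorted(rep):
        print("\n".join(format_memo(dept, rep)))
    for user, rule in sod_conflicts(ENTITLEMENTS):
        print(f"SoD conflict: {user} ({rule})")
```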
Automated Cashier's Checks:
Did you know that some banks are moving towards automated cashier's checks? Software is available that can generate a cashier's check on a standard printer. Once controls are set up for who has access and up to what dollar amount, this product removes the need to keep a supply of blank cashier's checks. A physical supply has to be locked up under dual control, inventoried, certified and audited, all of which takes people and time. The software provides a significant preventive control, while a supply of checks on hand depends on significant detective controls and carries ongoing costs.
Review of Employee Accounts:
Did you know that some banks review employee accounts daily for overdraft activity and quarterly for other account activity? Tracking employee account overdrafts daily keeps timely records of any violations of the bank's employee overdraft policy. Reviewing activity quarterly ensures that suspicious employee account activity is researched on a timely basis. Some of the quarterly reviews I have seen cover all employee accounts at the same time. Sampling employee accounts is not effective, because sampling involves making a judgment about the whole population; employee accounts should be reviewed individually. A thorough review covers account transactions over a rolling 90 to 120 days of activity. This lets the reviewer look for patterns of activity, unusual credits, trends, significant changes in expected activity, transfers from non-employee accounts, deposits around the times of teller differences, and so on.
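To show what a rolling-window review of every employee account might look like in practice, here is an added example (not the author's procedure or any bank's system) that applies three of the tests listed above: transfers in from non-employee accounts, credits far above the account's own norm, and deposits posted within a few days of a teller cash difference. The account numbers, transactions, teller differences, the 3x-median threshold and the 2-day proximity window are all constructed assumptions.

```python
"""Quarterly employee account review over a rolling 90-day window.
All accounts, transactions and teller differences below are constructed sample data."""
from datetime import date, timedelta
from statistics import median

EMPLOYEE_ACCOUNTS = {"1001", "1002"}  # assumed list of employee-owned accounts

# (posting date, employee account, type, amount, source account or None)
TRANSACTIONS = [
    (date(2024, 1, 5), "1001", "deposit", 1200.00, None),
    (date(2024, 1, 20), "1001", "transfer_in", 300.00, "1002"),  # from another employee: fine
    (date(2024, 2, 2), "1001", "deposit", 1200.00, None),
    (date(2024, 2, 3), "1002", "transfer_in", 950.00, "5550"),   # from a customer account
    (date(2024, 2, 14), "1002", "deposit", 480.00, None),        # day after a teller short
    (date(2024, 3, 1), "1001", "deposit", 4000.00, None),        # far above this account's norm
    (date(2023, 10, 1), "1002", "deposit", 9999.00, None),       # outside the window: ignored
]

# (date, amount) of teller cash differences recorded in the period
TELLER_DIFFERENCES = [(date(2024, 2, 13), -500.00)]

def in_window(txns, end, days):
    """Keep only transactions posted within the last `days` days ending at `end`."""
    start = end - timedelta(days=days)
    return [t for t in txns if start <= t[0] <= end]

def review_employee_accounts(txns, teller_diffs, end, days=90, proximity=2, ratio=3.0):
    """Return sorted (account, date, reason) findings for the rolling window."""
    window = in_window(txns, end, days)
    credits = {}  # per-account credit amounts, used as the account's own baseline
    for _d, acct, kind, amount, _s in window:
        if kind in ("deposit", "transfer_in"):
            credits.setdefault(acct, []).append(amount)
    findings = []
    for posted, acct, kind, amount, src in window:
        if kind == "transfer_in" and src not in EMPLOYEE_ACCOUNTS:
            findings.append((acct, posted, f"transfer in from non-employee account {src}"))
        if kind == "deposit":
            for diff_date, diff_amt in teller_diffs:
                if abs((posted - diff_date).days) <= proximity:
                    findings.append((acct, posted, f"deposit within {proximity} days of "
                                     f"teller difference {diff_amt:.2f} on {diff_date}"))
        if kind in ("deposit", "transfer_in") and len(credits[acct]) > 1:
            if amount >= ratio * median(credits[acct]):
                findings.append((acct, posted, f"credit {amount:.2f} is {ratio}x the account median"))
    return sorted(findings)

if __name__ == "__main__":
    for acct, posted, reason in review_employee_accounts(TRANSACTIONS, TELLER_DIFFERENCES, date(2024, 3, 31)):
        print(acct, posted, reason)
```

Each finding is only a lead for the reviewer to research; the thresholds should be tuned to the bank's own account population.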
Vacation Policy for Executive Officers:
In the FDIC's Manual of Examination Policies and in FIL-52-95, the FDIC encourages banks to require executive officers and employees to be absent from their duties for an uninterrupted period of no less than two weeks. This control has proven to be an effective internal safeguard in preventing fraud. The following paragraph is included as examiner guidance in the Internal Routine and Controls section of the FDIC's Manual of Examination Policies:
“Vacation Policies - It is the FDIC's goal that all banks have a vacation policy which provides that active officers and employees be absent from their duties for an uninterrupted period of not less than two consecutive weeks. Such a policy is considered an important internal safeguard largely because of the fact that perpetration of an embezzlement of any substantial size usually requires the constant presence of the embezzler in order to manipulate records, respond to inquiries from customers or other employees, and otherwise prevent detection. It is important for examiners and bank management to recognize that the benefits of this policy may be substantially, if not totally, eroded if the duties performed by an absent individual are not assumed by someone else. Where the bank's policy does not conform to the two-week recommended absence period, examiners should encourage the board of directors to annually review and approve the policy followed and the exceptions allowed. It is important in such cases that adequate compensating controls be devised and strictly enforced.”
What stands out is the last sentence, which indicates that when exceptions to the policy are allowed, compensating controls should be devised and enforced. Do you have compensating controls in place? One example of a compensating control would be a vacation policy that encourages rotation of duties. I have seen regulators citing banks for this lately in reports, and I think if you adopt a reasonable policy, the regulators would accept it.
Hope these were helpful. As I come across more I will surely send out an update.
Sharon Geiger, Quality Control Specialist. Sharon has 27 years of banking experience, 21 of which have been in internal audit. She has extensive knowledge of all aspects of the banking industry, with a particular emphasis on regulatory compliance and identifying risks and controls. As QCR Specialist, she performs Quality Control Reviews to ensure all workpapers and reports are completed in compliance with the firm's standards.