INTERNAL CONTROLS Bank Operations Institute October 15, 2013

Upload: buikien

Post on 13-Mar-2019


What’s in Store

Define internal control

Review the components

Discuss control activities

Discuss different scenarios

Internal Control Defined

Internal control is a process, implemented by an entity’s board of directors, management, and other key personnel, designed to provide reasonable assurance regarding the achievement of:

effective & efficient operations

reliable financial reporting

compliance with applicable laws & regulations

Committee of Sponsoring Organizations (COSO)

Components of Internal Control

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information & Communication (MIS)

5. Monitoring

Banking is a Risky Business

[Diagram: The Bank, Controls, Risks, Goals]

From a Coopers & Lybrand presentation

Where Does It All Begin?

Board of Directors is ultimately responsible!

Sets tone of the organization

Cannot delegate responsibility

May be personally liable

Risk Management and Internal Controls (SR 95-51)

www.federalreserve.gov/bankinforeg/srletters/1995/sr9551.htm

Elements of Risk Management

Active board and senior management oversight

Adequate policies, procedures, and limits

Adequate risk management, monitoring, and management information systems

Comprehensive internal controls

Types of Control Activities

Directive

Written policies/procedures

Verbal communication

Memorandums

Preventative

Dual controls

Segregation of duties

Proper Authorizations/Approvals

Passwords

Security of assets

Detective

Audit

Reconcilements

Performance reviews

Cameras

Preventative Controls

1. Segregation of duties (process)

2. Dual controls (physical)

3. Limits

4. Required vacations/Rotation of duties

5. Timely reconciliations

6. Authorizations/Approvals

Segregation of Duties

Assigns the responsibility of:

Authorizing/initiating transactions

Recording/posting transactions

Reconciling the account

Maintaining custody of assets

…to different individuals!

Scenario #1

Bob, a loan officer, wants to simplify the lending process for his customers so he keeps a stack of loan disbursement checks at his desk.

After he approves the loan, he fills out the check for the amount borrowed and gives the loan customer the check.

Dual Controls

Requires employees to perform critical activities as a “team”

Cash vault

Blank bank checks

Dormant accounts

Scenario #2

Sally, a 5-year employee in the customer services area, is entrusted with the bank’s dormant accounts. If a customer wants their money, she verifies their ownership of the account and disburses the funds to them. She then immediately reconciles the accounts to ensure they still balance to the general ledger account.

Limits

Check signing authority

Wire transfer

Loans

Aggregating limits

Purchasing authority

Expense reimbursements

Scenario #3

Bob, a loan officer (remember him?), has a lending limit of $25,000. One of his good friends and customers needs a loan for $40,000.

So, Bob talks Jim, a new loan officer with a lending limit of $15,000, into aggregating his authority with Bob’s so the loan can be made without having to waste time by going through the designated committee process.

Mandatory Vacations

A fraud usually falls apart in two weeks

Require employees/officers be absent from their duties

Deny/restrict IT access

Enforce compensating controls

Effective rotation of personnel

Scenario #4

Frank, the bank’s IT Security Officer, reviews, on an annual basis, employee access to the system. He removes access for all retired or fired employees and for any others who no longer work for the bank.

Reconciliations & Authorizations/Approvals

Timely

Dated

Performed by someone independent of posting/authorizing the transaction

Approved by a supervisor

Scenario #5

Betty, an employee in the wire transfer area, reviews and reconciles incoming and outgoing wires on a weekly basis when she receives the bank statement from the correspondent bank.

Independent Review

Someone outside the function

Internal Audit

Loan Review

Director’s Exam

External Audit

NOTE: Examiners do not fill this gap.

Bank Failures In the News

Barings Bank – 1995 (Was it the Stock Market?)

Oakwood Deposit Bank – 2002 (Was it the Kite?)

Barings Bank

Nick Leeson

Internal Control Failure:

Barings Bank

What happened to Nick?

Read his poor story at www.nickleeson.com

Oakwood Deposit Bank

Steven Miller

Internal Control Failure:

Oakwood Deposit Bank

What happened to Steven?

Fraud

Types of Fraud

Embezzlement

Loan Fraud

Kiting

Counterfeit Checks

Forgery

Unauthorized Wire Transfers

Counterfeit Debit Card Transactions

False Expense Claims

Picture of Fraud

Perpetrated by “Nice People”

Friendly

Helpful

Knowledgeable

Most co-workers do not tell

WHY?

Tattletale

Snitch

Stool Pigeon

Rat Fink

Inside Perpetrators

Typically – college-educated white male

Nearly 75% of offenses committed by men

Median losses:

by men nearly 4 times those by women ($185,000 vs. $48,000)

by managers 4 times those by employees

by executives 16 times those of their employees

Association of Certified Fraud Examiners

Inside Perpetrators (cont’d)

Most occupational fraudsters are first-time offenders with clean employment histories

87% had never been charged or convicted of a fraud-related offense

84% had never been punished or terminated by an employer for fraud-related conduct.

Association of Certified Fraud Examiners

Inside Perpetrators (cont’d)

In 81% of cases, the fraudster displayed one or more behavioral red flags that are often associated with fraudulent conduct.

Most commonly observed behavioral warning signs:

Living beyond means (36%)

Financial difficulties (27%)

Unusually close association with vendors or customers (19%)

Excessive control issues (18%)

Association of Certified Fraud Examiners

Fraud Triangle

Rationalization

Frequent Types of Fraud at Banks

Check Fraud

Forgery

Counterfeit

Alteration

Credit and Debit Card Fraud

Identity theft (counterfeit, lost or stolen, mail/telephone order, internet)

Employee Fraud

Teller/Vault shortages

Redirecting customer funds for personal benefit

Ghost Employees – Payroll Fraud

Kiting

Less common than in past, but still occurs

Elements for a Fraud Environment

Weak Internal Controls

Poor Management Oversight

A Family Affair

“Short Cuts”

Dual Roles

Vacation – “Are you kidding me?”

Commission/Bonus Dependent Employees

What Examiners Look For…

Board review of internal audit

Appropriate system of internal controls

Clear lines of authority

Independence of control areas

Sufficient separation of duties

Adequate policies & procedures

What Examiners Look For… (cont’d)

Reliable, accurate, & timely reports

Adequate testing & review of information systems

Official structures reflect actual practices

Receptiveness to exam findings; willingness to correct problems/violations

Dominant decision maker

High turnover of board members, senior management, & employees

Review

1. Allowing the cashier to prepare journal entries for an account and then reconcile that account is a violation of which internal control function?

a. Separation of Duties

b. Dual Control

c. Supervisory Review

d. Limits

e. Reconciliations

Review

2. Who is ultimately responsible for ensuring that a bank’s system of internal controls is adequate?

a. Internal audit department

b. Board of directors

c. Executive officers

d. Each employee

e. The external auditor

Review

3. True or False?

Internal controls can give management absolute assurance that an organization’s objectives and goals will be achieved efficiently and economically; that financial statements will be reliable; and that laws and regulations will not be broken.

Can You Spot a Scam?

Test your ability at:

www.sonicwall.com/phishing/index.html

www.lookstoogoodtobetrue.com

www.fakechecks.org

Questions?