Although part of the basic “blocking and tackling” of running a bank, internal controls frequently get overlooked during stressful times as management focuses on visible and critical problems. But such controls are critical for preventing the types of fraud at financial institutions that have gained local and national attention. We have seen several cases of fraud at smaller institutions that have had devastating effects on the institution and the community over the past few years. In light of such reminders and with banking conditions improving across the country and in the Ninth District, now is a good time to review internal controls to ensure that they continue to serve the bank well going forward.
Internal controls are the systems, policies, procedures and processes implemented by the board and senior management to safeguard bank assets, limit or control risks and achieve the bank’s objectives. Effective internal controls may prevent or detect mistakes, potential fraud or noncompliance with bank policies. Banks should also maintain an effective internal or external audit program to help detect any deficiencies in the bank’s internal controls.
In a small community bank, officers and staff have multiple jobs, making it challenging to effectively segregate duties. However, all banks should strive to establish and maintain a strong system of internal controls to minimize the potential for errors or internal fraud. When we review internal controls, we focus on the following factors based, in part, on what we and others have learned from fraud cases.
- Segregation of duties. This reduces the risk that employees will be able to carry out and conceal errors or fraud without detection. Segregation of duties typically focuses on three areas:
- Custody of assets (e.g., cash, official checks).
- Authorization or approval of transactions.
- Recording or reporting of these transactions, which ensures that the same employee does not originate a transaction, process the transaction and reconcile the transaction to the general ledger.
- Dual controls and/or joint custody (e.g., wire transfers).
- Annual two-week vacations with no remote access to the bank’s MIS.
- Internal review of employee accounts and expense reports.
- Reliance on one person for a key area or business line.
When banks cannot effectively segregate duties or establish dual controls, banks should implement compensating controls, such as having another person spot check entries and reports for accuracy. Audits should focus on areas where segregation is lacking. These controls can vary based upon bank resources, but they should provide an independent review of entries, transactions or reports. Additionally, management may consider periodically rotating duties to provide a fresh perspective.
Also, in many small community banks, management teams have been together for years and effectively run the bank, trusting that others on the team will do their jobs well. In rare cases, however, this trust can be abused. Such possibilities should prompt management to “trust, yet verify.” Management teams are well served not only by establishing and maintaining a strong system of internal controls, but also by avoiding complacency.
No matter how strong the internal controls, determined individuals can perpetrate internal fraud. However, a strong system of internal controls and a “trust, yet verify” perspective minimizes the risk of internal fraud or errors.
