The question often arises as to some of the most common trouble spots and risk areas detected during Internal Audits. Everyone would probably have different answer to question, but herein are just a few.
Potential internal related fraud always comes up and rarely is this fraud at the teller line in terms of cash shortages. Some of the most common fraud occurs in areas such hold, post office return, or electronic statements. Quite simply, if it is known that customer statement review is lacking, the opportunity presents itself for an employee to engage in customer account tampering. Thus, the necessity for employee account activity review and ensuring proper control and follow up on hold and post office return statements.
Also, in the employee fraud area is the issue of fiduciary relationships of employees for customer accounts. It should be prohibited for employees to be involved in fiduciary relationships for customer accounts.
Nondisclosure issues can present problems as well in terms of ensuring adequacy of controls. It is important to ensure that Affiliate Relationships and Regulation O Related Interests are fully and accurately disclosed to ensure proper independence in the loan approval process. It is important on reviewing loans to Directors that the same detail scrutiny is given to these loans in the loan approval process as loans to and other customer and that this detail is documented.
Wire transfers present a high risk area. It is essential to ensure that the integrity of security procedures over wire transfers are maintained and never compromised.
Dual control issues present risk. It is difficult to prove the accuracy of night depository contents if the night depository is not opened under dual control and deposits and not worked under dual control, and such dual control is not documented. Dual control over keys and combinations and as well as duplicate keys and combinations also presents risk. If this type dual control is not maintained, it is hard to make the case of anything in the branch, including even employee theft of cash. If dual control over keys and combinations is lacking, essentially no case can be made as to the integrity of the accuracy of anything in the office requiring dual control and no responsibility can be established for loss of assets. As an aside, you never put the night depository duplicate combination under the night depository mat.
Contractual and log completion areas also present risk. Be it a night depository or safe deposit area issue that may arise, the first question that comes from legal counsel defending the financial institution is “let me see and review the associated log/contact for completion”.
On the lending side, in times of a significant volume of construction lending, controls over construction loan disbursement and related segregation of duties from the lender is essential. On a related note, in such times it may be useful to do site inspections on percentage of completion relative to percentage disbursed. If a construction loan is 80% completed and disbursed and inspection reveals all you have is a lot and foundation, you have a problem.
On the regulatory side, common areas found in internal audits include failure to adhere to account opening and titling deposit account rules in the given state, failures to train front line personnel as an active line of defense in such BSA Suspicious Activity reporting areas as Elder Financial Abuse, lack of understanding and adhering to rules for garnishment procedures for protected funds and lookback period, lack of Esign Act compliance, issues with Reg. E error resolution, Regulation CC disclosure, credit report disputes, and a failure under BSA to detect Money Service businesses for proper due diligence (a wire transfer of any amount constitutes a Money Service Business).
The list could certainly continue, but hopefully as the Internal Audit process occurs during the year, this might bring to the forefront potential issues to be aware of where concentrated efforts may be prudent.