Just to clarify, I didn't mean diclosing to employees prior to the review. Rather, does a bank/cu have to have a policy or something in writing to indicate to the employee that these types of reviews will take place. We have policies regarding the monitoring of Internet and email activity. Nothing to indicate that employees accounts will be monitored. BTW, we have software that monitors all suspicious activity, including those of employees. We also have daily reports that show NSF activity. So I guess I'm curious, if there isn't some sort of trigger, is it commonplace for an internal auditor or security officer to be randomly reviewing employees account activity? I guess I'm just not comfortable that there's no written policy to indicate when/why such a review would take place...like maybe the auditor is bored and nosey.