BOL Conferences
#621702 - 10/05/06 02:00 PM Should I really be doing this?
butercup Offline
Junior Member
Joined: Aug 2004
Posts: 31
I took over as Internal Auditor at my bank a year ago. The former auditor didn't do much risk based auditing. She just had a set schedule that she completed every year.

My question is this: She monitored a "Security Exceptions" report that would show if an employee tried to access another employee's account or tried to access their own account. The key word is "tried". Because of our system settings, they just get an error message and are not able to proceed. Should I be monitoring something that our system already monitors? Does anyone else review a report like this?

Also, our regulators suggested that we track our returned mail. How do other institutions do this? How do you audit it?

Thanks

Audit
#621703 - 10/05/06 02:09 PM Re: Should I really be doing this?
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
At my former bank, our Internal Auditor received the report of folks that "tried" to get where they weren't supposed to. We just scanned it for folks that were obviously trying hard. Our report also included folks that were trying to access GLs, run trxns that they can't and the like. Mostly, it was slip of the finger type stuff by folks that work in GLs all day long.

But every now and then......

At my current bank, there is no such report, we just know that you can't access accounts and you will be told so if you try.

The thinking at my former employer was that these are folks that need to be observed for awhile - - - and who don't need to be given any "override" authority until they are more proven. It was always helpful for them to hear that they were being watched, too.

#621704 - 10/05/06 02:27 PM Re: Should I really be doing this?
A_G Online
10K Club
Joined: Jul 2004
Posts: 18,989
Our security officer monitors this report at our Bank. The report indicates anytime someone tries to access a blocked account (all of our employee accounts are blocked). My role as IA is to ensure that the security officer is performing this review. I don't remember which audit looks at this but the audit program is something like 1) ensure the review is performed and by whom, 2) ensure evidence is present indicating the review is performed (daily exception reports are printed and the security officer reviews and initials), etc. I make sure the process is being done, but don't actually have any involvement in the review process. I could see a possible compromise of independence if IA is performing this review.
_________________________
With the lights out, it's less dangerous.

#621705 - 10/05/06 03:35 PM Re: Should I really be doing this?
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
AG:

How about review of employee accounts?

Prior life: IA, and included in the deposit operations audit

Current life: HR with HR SVP's done by IA.

BC: Almost forgot.....yes, we track returned mail. I audit the process as a part of the teller operations audit.

#621706 - 10/05/06 03:41 PM Re: Should I really be doing this?
Countess Kiwi Offline
Diamond Poster
Joined: Jun 2002
Posts: 1,815
Minnesota
What do you do with your returned mail? Is it destroyed after a period of time? If so, I would suggest tracking it on a spreadsheet with destroy date. I would also look into where returned checks (i.e. bank checks) are sent. I believe our process is reviewed the same as CT.

Confidential accounts are reviewed by IA. Odd hits are reviewed and if necessary explanations for the hit are requested and documented.
_________________________
Do what you can, with what you have, where you are.
~Theodore Roosevelt~

#621707 - 10/05/06 03:45 PM Re: Should I really be doing this?
A_G Online
10K Club
Joined: Jul 2004
Posts: 18,989
Ha! Funny you should ask. I currently do it...but I also realize that it does in fact compromise my independence as more likely it should be a management control function with a review by audit. When the FRB was here for some preliminary work I asked the one examiner what he thought based on what he saw in other institutions. He said the best case scenario was that a member of sr. mgt be performing employee account reviews due to the reasons mentioned above. However, he also added that in smaller banks, such as ours, it is not uncommon for IA to do them. This just then needs to be documented somewhere that the Audit Committee realizes it may impair independence and they approve IA doing them (our AC approves this policy and the authority given to me in it). I can see both sides of the argument, especially given a size factor. However, I think that we're going to shift away from me doing it and make it a pure management function...which is fine with me.

Oh and FWIW our externals told me it would be best for management to do it, however given our size an argument could be made for IA to do it. The same with surprise teller audits.

How do you handle those?
_________________________
With the lights out, it's less dangerous.

#621708 - 10/05/06 03:58 PM Re: Should I really be doing this?
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
Funny you should ask about that one!

Mgmt currently does the surprise audits and I audit the fact that they get done. However, our audit committee wants me to do surprise counts at each branch throughout the year.

$$$$$$-wise, it's just not worth it for a full-blown audit salary to be spent on cash counts plus the travel time. And it's time not spent on audit work.

To date, I have been visiting the branches anyway (as the whole IA function is new here) and it is easy to spot check the cash while I am there.

In the aforementioned prior life I was able to eliminate it by convincing AC that cost to risk wasn't good. The security officer visited certain branches and would spot check, too, while there, so those of us in IA felt more comfortable. Prior to that time, we sent six figures in annual salaries out to count every cent in the branches. The only thing we ever gained was knocking them for being over their cash limits which we could have found out w/o leaving our desks.

#621709 - 10/25/06 05:42 PM Re: Should I really be doing this?
TomS Offline
Gold Star
Joined: Jan 2004
Posts: 318
USA
My feeling is, surprise cash counts are an internal control function, and internal audit is supposed to evaluate the effectiveness of an internal control, not be the control.
_________________________
CRCM, CAFP, DAD

#621710 - 10/25/06 07:06 PM Re: Should I really be doing this?
A_G Online
10K Club
Joined: Jul 2004
Posts: 18,989
Quote:

My feeling is, surprise cash counts are an internal control function, and internal audit is supposed to evaluate the effectiveness of an internal control, not be the control.

Well said. Internal controls are the responsibility of management, not audit.
_________________________
With the lights out, it's less dangerous.


Moderator:  Andy_Z