

Are your Internal Controls like Swiss Cheese?
Part Two - Risks and Controls

by Gene Bucciarelli, CPA
Internal Control Systems

"Internal Controls that are not monitored or tested are like gardens that are not watered or fertilized."

Existing or new products and services, whether geared toward the internal or the external customer, involve a flow of information. Each of these flows needs to be designed or updated with an understanding of the risks inherent in that flow. Risk analysis and control implementation, whether in the branch or the wire room, involves the following steps:

  • Update or design the flow of information to make it as efficient as possible within the constraints of your technology and departmental structure.
  • Consider the possible range of errors and internal or external frauds that are likely and less likely to occur.
  • Determine the best control procedures that will detect or prevent the most likely error or fraud events using a combination of software reports and manual procedures.
  • Document those controls in your department procedures and include them in the workflow.

It is important to point out that adding too many controls, or adding controls for rare or unlikely events, is costly and inefficient. Many managers are so focused on cost that they argue for too few controls. Conversely, many auditors argue for far too many controls in their attempt to prevent or detect almost all possible errors and frauds. The key, of course, is to balance cost and prevention. Unfortunately for all of us, this is more of an art than a science.

Detection control procedures are those that detect possible errors or fraud after they have occurred. To be effective, detection procedures must be timely. The meaning of timely varies depending on the impact to us, our customers, or third-party relationships. Timely detection can vary from next day to 60 or 90 days. Examples of detection controls include certifications, edit and change reports, non-post reports, cameras, and third-party totals.

Prevention controls prevent access to assets that are easily stolen or negotiated. Examples of prevention controls include dual control procedures, vaults, passwords and alarms.

Do your policies and procedures document a reasonable balance of detection and prevention controls for the risks involved? Incorporating these controls into your documentation requires you to think through the risk process, either formally or informally. As we can see with recent regulatory pronouncements and examination emphasis, this is a process we will all have to learn and implement sooner rather than later. Here is a useful idea to assist with regulatory compliance and a thoughtful internal control process: most policies and all procedures should have a separate section entitled "Internal Controls."


Gene Bucciarelli, CPA is the principal of Internal Control Systems, a community bank internal audit and internal control consulting firm. He is an expert witness for employee frauds. He can be reached at 925.828.7360 or via email at genebu@home.com.

First published on BankersOnline.com 6/25/01


