Vacation Policies & Procedures

Though there is no law or regulations covering vacations, examiners frequently "suggest" that every employee of a financial institution remains away from the premises for several uninterrupted days. Many financial institutions incorporate this practice as part of their policy-and a wise one it is.

This tactic is an excellent crime prevention tool. Embezzlers routinely transfer stolen funds to their own accounts; reconcile their own work with an inappropriate level of oversight; or store the evidence of their crimes in their desks and/or on their computers. Many times the crime is such that entries must be made on a regular, ongoing, basis in order to mask the missing funds-or to replace them from another source.

A criminal needs the opportunity and the means to commit a crime. An effective internal control program eliminates both opportunities and means. Internal controls are not only created just to prevent a crime or to trap an offender, but also to protect innocent employees from suspicion.

Though the suggestions below may sound like "overkill", they are sound requirements to protect your institution.

When an employee is on vacation:
Collect the employee's keys, both metal and electronic;
Remind the employee that he/she is only to conduct banking business as a customer until they return from vacation;
Block the employee's access to any portion of the institution's computer system and change the employee's password before he/she returns;
Remind the employee's supervisor of the restrictions you've placed;
Allow no entry to the employee's restricted work areas. (If entry is absolutely necessary for personal reasons, it should be done only with an escort and the incident should be documented for the audit department.); and
Use this time to audit the employee's work area, function or department so that the employee returns to a "clean shop".

The use of computers in our financial institutions has made the mandatory five or ten sequential days off the job much more important and necessary. "Dedicated" employees who never take a day off and never take a vacation can no longer be accepted by our audit procedures.

And most importantly, whatever policies and procedures you implement for staff and management must also be applied to executives, directors and other "insiders". There can be no exceptions to this policy.

Copyright © 1997 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 7, No. 5, 4/97