Are your Internal Controls like Swiss Cheese?
Are your Internal Controls like Swiss Cheese?
Part 6 - Dormant Accounts
by Gene Bucciarelli, CPA
Internal Control Systems
"Wildlife that goes dormant does so only if it is well protected from predators."
Protection of dormant accounts from employee theft is a well known concept. However the degree of protection varies greatly from institution to institution. This is due to the differences in dormant laws and an incomplete understanding of the ingenuity of employee theft. Dormant laws are state laws and as a result vary widely from state to state. Regardless of the state requirements the protection of these accounts until the proper escheatment time is a basic internal control requirement of all financial institutions. All DDA applications written in the last twenty years have a dormant restriction capability that restricts most if not all access to the account, except by authorized personnel, after the dormant status code is applied. While this restriction is fundamental it is not the entire internal control story. The most important element of dormant protection is the activation feature . That is, protection and/or detection of unauthorized removal of the dormant status between becoming dormant and forwarding the money to the state. Controls you should consider to ensure that only authorized activation has occurred include:
Segregation of duties - personnel certifying and doing dormant administration work should not be activating accounts.
Documentation requirements - all activation should be documented with either a check, a deposit, a written and signed request from the customer or evidence that the customer has other active accounts with the same name and address. You should consult the specifics of your state laws on what is allowed for activation proof. If your state is silent on the subject you should use requirements listed here. Phone calls to or from the customer and general knowledge of the customer should not be allowed as activation attributes as there is no documentation that can be used in the future in the event of a state audit or a legal claim by the account holder.
Daily dormant status reports - these reports can be useful to monitor dormant accounts that are activated. Each activation should be followed up and documentation put in file.
Non Post - all transactions on dormant accounts should go to non post where the transaction can be scrutinized for proper customer or bank initiated activity.
Certification - dormant accounts should be certified monthly. The most comprehensive and foolproof method of certification is to use the reconciliation of dollars approach. In effect this means using last month's total dormant dollars and reconciling that number to the current month's dormant dollars.
Last month's total dollars
Add interest earned during the month
Add new dormant accounts during the month
Less any service charges during the month
Less any dormant activations during the month.
This month's total dollars
The information needed to certify in this manner may require a little programming or report writing but the effort is well worth it. Many dormant certification procedures I have seen fall far short of this comprehensive method and as a result are not useful as an improper activation detection procedure.
Signature removal - documents with the customer's signature should be placed in restrictive status to prevent copying of the signature. Institutions with online signature programs should remove that signature from employee access. Also all dormant reports should also be place in a restrictive status.
In addition to dormant status many institutions will also have an inactive status. For many institutions a DDA account will go inactive after six to eight months of inactivity and then dormant after 12 months of inactivity. I believe the purpose of the inactive status is to give warning that an account is nearing its dormant status. At this point the institution will/should commence contact procedures. It is my experience that the inactive status poses a serious internal control risk. Since the accounts are not officially dormant, the typical dormant controls are not applied and inactive information is not secured. Anyone who wishes usually has access to the fact that the customer is not or may not be paying attention to his account. An employee with the intent could certainly use this to his advantage. My best opinion on the inactive status is to eliminate it entirely and wait for accounts to go dormant and then start the control procedures noted above.
Are your dormant accounts well protected from internal predators?
Access the previous articles in the Swiss Cheese series
Gene Bucciarelli, CPA is the principal of Internal Control Systems, a community bank internal audit and internal control consulting firm. He is an expert witness for employee frauds. He can be reached at 925.828.7360 or via email at email@example.com.
First published on BankersOnline.com 12/10/01
First published on 12/10/2001