Operational Branch Audits June 15, 2011 3:30 – 5:00 PM Presented by: Catherine Bruder, CPA.CITP, CISA, CISM, CTGA
Overview • Branch Audits • Planning • Risk Assessment • Audit Program • Security • Compliance
Operational Branch Auditing • Branch Audits – nothing has changed in 50 years! • Everything has changed! • Survey
Planning • Select a branch • Random, loss based, activity based, etc. • Gather Permanent File • Branch organizational chart • List of key personnel and duties • List applicable policies and procedures • List of forms and/or reports used by the branch • List of applicable laws and regulations
Planning • Policies and procedures • Determine if the branch has current documented policies and procedures for the CU • Determine if branch personnel are aware of the policies and procedures • Are the policies and procedures adequate?
Risk Assessment • Perform a risk assessment • Identify risks • Cash and cash items • ATMs • Money orders, cashier checks, travelers checks, instant issue plastic cards • Keys and combinations • Safe deposit boxes • Night depository • Security • Compliance
Risk Assessment • Conduct a walkthrough • Interview key personnel • Do they understand the risk? • Do they understand the policy? • Communicate with Finance • Any outstanding concerns with the branch? • Communicate with Operations • Inspect the premises • Doors and windows • Video surveillance • Insecure procedures
Audit Program • Branch basics • Cash counts • Policies & procedures • Over and short reporting • Branch limits • Cashier’s checks, travelers checks, money orders • Compliance postings • Safe deposit boxes • Security • Adjust the audit program to address the risks identified in the planning process
Branch Processes • Document the branch operation in a narrative • Determine if the current operations reflect compliance with credit union policy and procedure • Identify key controls
Cash Counts • Cash Count – Surprise or No Surprise • Control the cash – Vault cash, drawers, ATM canisters and cash dispensers. • Arrive prior to normal hours • Inspect compartments, drawers, etc. for unusual items. • Verify cash limits are maintained • Obtain vault cash record and balancing sheet
Cash Counts • Keep vault supervisor present throughout the count • Inquire about the number of cash compartments • Count cash • Strapped cash and rolled coin • Loose currency and change • Bait money • Trace to schedule, schedule should be under dual control • Watch for ‘stale dates’ on strap of bait money, change bait at least monthly • Compare totals and reconcile any differences • Report differences immediately to the appropriate supervisor
Over and Short • Obtain teller over and short records for the last 6-12 months • Determine if disciplinary action was taken • Look for patterns such as • Short just before pay day or vacation • Watch for large overs that correct themselves
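The two over-and-short patterns named on this slide can be screened for automatically once the teller records are exported. The following is an added example, not part of the original presentation; the record layout, the sample data, and every threshold (window_days, min_short, max_gap_days, min_amount, tolerance) are assumptions, and the second check flags a large variance in either direction that is offset shortly afterwards.

```python
from datetime import date, timedelta

# Constructed sample data: (teller, business date, variance in dollars; negative = short).
RECORDS = [
    ("T1", date(2011, 3, 14), -40.00),
    ("T1", date(2011, 3, 29), -2.00),
    ("T1", date(2011, 4, 13), -60.00),
    ("T2", date(2011, 4, 4), 500.00),
    ("T2", date(2011, 4, 6), -498.00),
    ("T2", date(2011, 5, 2), 5.00),
    ("T3", date(2011, 4, 20), -25.00),
]
# Constructed calendar per teller: paydays and vacation start dates.
EVENTS = {"T1": [date(2011, 3, 15), date(2011, 4, 15)],
          "T2": [date(2011, 4, 15)], "T3": [date(2011, 4, 15)]}

def shorts_before_events(records, events, window_days=3, min_short=20.0):
    """Shorts of at least min_short that fall 0..window_days before an event."""
    hits = []
    for teller, day, amount in records:
        if amount > -min_short:          # overs and small shorts are ignored here
            continue
        for event in events.get(teller, []):
            if timedelta(0) <= event - day <= timedelta(days=window_days):
                hits.append((teller, day, amount, event))
                break                    # one hit per record is enough
    return hits

def self_correcting(records, max_gap_days=5, min_amount=100.0, tolerance=5.0):
    """Large variances offset by an opposite one of similar size soon after."""
    pairs, by_teller = [], {}
    for teller, day, amount in sorted(records):
        by_teller.setdefault(teller, []).append((day, amount))
    for teller, rows in by_teller.items():
        for i, (day1, amt1) in enumerate(rows):
            if abs(amt1) < min_amount:
                continue
            for day2, amt2 in rows[i + 1:]:
                if (day2 - day1).days > max_gap_days:
                    break                # rows are date-ordered, stop looking
                if amt1 * amt2 < 0 and abs(amt1 + amt2) <= tolerance:
                    pairs.append((teller, day1, amt1, day2, amt2))
                    break
    return pairs

if __name__ == "__main__":
    print(shorts_before_events(RECORDS, EVENTS))
    print(self_correcting(RECORDS))
```

Hits from either function are leads for follow-up with the head teller and the disciplinary record, not findings in themselves.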
Vault Security • Dual control • Observe the following vault processes and compare to documented procedures • Opening process • Deposit and withdrawal procedures • Access during business hours • “The Money Cart” • Vault closing
Cash Controls • Observe that teller cash is maintained under separate control of the one and only assigned teller • Observe that keys are maintained in the personal possession of the assigned teller at all times • Cash drawers are locked and the key removed • Test whether a teller key will open any other teller drawers (in the presence of the head teller) • Ensure that teller cash is counted and securely stored at the end of day
Counterfeit Currency • Interview personnel regarding procedures for handling counterfeit currency • Secret Service – “Know Your Money” http://www.secretservice.gov
Cashier Checks, Money Orders, Travelers Checks • Inventory stock is stored in a secure location under dual control • Inventory of unissued stock by serial number is maintained • Physical inventory is performed at least monthly • Working stock controlled • Last issued inventory recorded • Locked at night • Greater than $10k requires CTR
Night Depository • Observe access to the compartment is under dual control • Register of bags/envelopes received is under dual control • Register is adequately completed including • Account number • Amount and number of all deposits • Bag number • Initials of two tellers • Controls over keys/combination • Sample test deposits • Ascertain that any bags held overnight containing valuables are recorded and secured • Sample night depository contracts • Signed and on file
Safe Deposit Boxes • Unrented boxes • Sample test keys to ensure keys are maintained under dual control • Newly rented boxes • Sample boxes rented within the last 6-12 months • Member identification and contract is obtained • Contract is signed and dated by member and employee • All blank lines in the contract are canceled in ink to prevent adding unauthorized names • Identification of the renter has been verified
Safe Deposit Boxes • Visits • Register identifies employee that provided access • Member signature compared with the contract • Proper identification is provided by the member • Date and time is recorded • Area is checked after the member leaves to ensure no items or documents are left • Delinquent boxes • Procedures are followed to ensure collection
ATM • Start-up or access cards are maintained under dual control • Cash and envelopes should be counted under dual control • Deposits should be verified to the audit tape, initialed and dated by both employees • ATM proving is periodically rotated • Captured cards should be destroyed under dual control
ATM Cards • Cards are locked and stored under dual control – working and stock • Card stock logged and inventoried • PIN encoding equipment is secured • During working hours and after
Wire Transfers • Obtain the number of wire transfers, greater than $2,000 (or similar amount based upon risk tolerance) originated by branch • Wire transfer form is completed properly • Fee was collected • Transaction was processed from member’s account • Originator’s account number, name, address, etc. • Recipient’s name, account number, financial institution name and address, etc.
Loan Documentation • Interview VP of Lending • Errors • Low/high close rates • Determine delinquency and charge-offs by branch • Observe procedures • Interview staff regarding policies and procedures
Bank Secrecy Act • Identify any exceptions noted in the BSA audit attributable to branch activity • Modify audit program • Conduct a BSA assessment at the branch • Verify branch employees receive annual training
CTRs and SARs • Identify the number of Currency Transaction Reports (CTRs) filed by branch • Determine the number of CTR errors for each branch • Ensure CTRs are stored appropriately • Identify the number of Suspicious Activity Reports (SARs) by branch • Review wire transfers >$10k originated at branch
Information Security • Inspect work areas • Confidential, sensitive member information • User IDs or Passwords • Evaluate user access profile • “Too few staff, I need more access” • Segregation of duties • Social engineering • Security awareness
Training • Ensure branch employees receive training • Robbery and security • BSA • GLBA – Information Security • Compliance • Operational • New procedures • New products
Security • Combinations • Vault, drawers, lockers, etc. • Segregation • The same person shouldn’t control both combinations • Combinations are changed at least once every 2 years even if the custodian has not changed • Observe vault gate is kept closed (if applicable) • Control over gate key • Keys are kept under dual control • Including the spares
Security • Video/DVR • Checked daily to ensure • Proper coverage • Time/date • Clear picture/image • Maintained under management control • Clean desk policy • Inspect working areas for sensitive or confidential information
Security • Observe opening procedures • Inspection of premises • Signal to other employees – all clear • Observe closing procedures • All currency, negotiable instruments, valuables, etc. are secured • No unauthorized persons are present • Doors and windows are secured • Video/DVR is working • Alarm is set • Conduct a physical security audit
Security • Evacuation Plans - Interview and verify that a written evacuation plan exists, containing: • Designated emergency assembly area, with diagram • Designated employee positions to act as evacuation personnel • Procedures for rapidly securing the institution's facilities, assets, and records • Telephone numbers to notify emergency-service agencies. • Emergency-notification telephone numbers for all employees. • Verify individuals demonstrate knowledge and proficiency in emergency-activation procedures
Compliance • Verify initial disclosures are available to the members in the branch • Ensure the branch is providing Truth in Savings Act disclosures before opening the account • Expedited Funds Availability Act postings in the lobby • NCUA posting • Home Mortgage Disclosure Act • Equal Housing Lender • U.S. Patriot Act • Inspect Labor Posting requirements • Federal (FMLA, EEO, ADA, OSHA, etc.) • State
Reporting • Communicate with the branch manager • Validate initial findings and recommendation • Review the management responses and discuss with the manager • Communicate target dates for remediation
Other Metrics by Branch • Deposit accounts overdrawn for more than 30 days, including dollar amount and volume (number of accounts) • New accounts opened • Fees waived • Transactions per full-time equivalent (FTE) employee • Statements mailed to branches • Security alarm reports • HR turnover ratio by branch • Identify the number of member complaints by branch
Audit Program • Reassess audit program • Rotate procedures • Document a rotation schedule for the next audit period • Document follow-up procedures
Thank You! 755 West Big Beaver Road Suite 2300 Troy, Michigan 48084 Catherine Bruder, CPA.CITP, CISA, CISM, CTGA Director, Financial Institutions Group Office: (248) 244-3295 Cell: (248) 320-3434 Email: bruder@doeren.com www.doeren.com 2603 Augusta Drive Suite 1100 Houston, Texas 77057
Financial Institutions Group Services • Audit • Mergers & consolidations • Information technology assurance • Vulnerability assessments • Penetration testing • Member business loan review • Commercial loan consulting • Internal audit co-sourcing • Loan loss & delinquency control systems • CUSO consulting • Regulatory compliance services