The COVID-19 pandemic caused considerable disruption of business practices throughout the past year and continues to affect businesses of all sizes. Banks are facing an unprecedented amount of disruption to customers, employees and the internal operations within their institutions. More than ever, there is a heightened risk of failure within a bank’s internal control structure.
Internal control risk is present in all organizations, and organizations of all sizes are looking for ways to better manage risk. One way to identify internal control risk is to perform a periodic evaluation of existing controls. To evaluate the suitability of the design of internal control, procedures should be performed to understand controls placed in operation to meet expected objectives.
So, what should management teams be evaluating during a time of disruption? The following is a list of controls that become more vulnerable to failure during periods of disruption and what to look out for at your institution.
10 areas of concern
Cash and vault controls
Most of these assets are held under dual control and subject to periodic cash account verifications (surprise cash counts). Has your bank in any way modified custody of physical cash due to staffing restraints or suspended independent verifications of cash?
Best practice would indicate that general ledger accounts should be reconciled to the core system balances on a routine basis; for some accounts this is daily, for others weekly or quarterly. In addition to the reconciliation process, reconciling items need to be monitored to ensure proper clearing from the accounts on a timely basis. Has the timing of any of these reconciliations been delayed or postponed due to changes in roles or responsibilities of bank personnel?
Much like your account reconciliation practices above, loan and deposit suspense or clearing accounts should be reconciled with frequency and monitored to ensure that reconciling items are clearing next-day or on a timely basis. Has the timing of any of these reconciliations been delayed or postponed due to changes in roles or responsibilities of bank personnel?
House account reconciliations (accounts payable)
Official check or bank house accounts that are used to disburse cash to vendors should be restricted to authorized individuals, subject to different levels of review (based on dollar amounts), and outstanding disbursements should be reconciled to the overall general ledger balance. Management should check to see if the bank authorized anyone new to perform this function, if disbursement limits have been waved or changed and that proper reconciliation of disbursements are being performed timely.
Purchasing card controls
Best practice would also indicate that only authorized individuals have the ability to use purchasing cards. However, there is also a heightened risk that individuals authorized to use the cards may be in tough personal situations, which heightens the risk of personal purchases by employees on company cards. Monitoring controls over purchasing cards should remain in place to ensure expenses are proper.
Management override of controls
Management override of existing controls is always an inherent risk to any internal control structure. Does your management team have a list of controls that were modified or suspended due to business interruption? Most of the time, the failure of a control is due to a choice of management to override or suspend a control in certain situations. Make sure you know what existing controls might temporarily be suspended, for whatever reason, to best understand your risk.
Management uses several loan monitoring controls throughout the year, including internal loan reviews and sometimes hiring external third parties for an independent loan review. We have seen that COVID disruptions have suspended or delayed third party loan reviews and also the flow of current financial information from borrowers. Management should also keep in mind that COVID relief legislation may also defer payments on loans that would be past due otherwise. Make sure your lenders are diligent in credit monitoring during an economic downturn and don’t assume that “no news is good news” from your borrowers.
Segregation of duties
Procedures performed by accounting personnel involved in each transaction cycle should be analyzed for possible overlaps that might create a lack of segregation of duties. Also, shifting of functions from limited staffing (from COVID disruptions) may create segregation issues that did not exist before. When possible, make sure to segregate the authority, recordkeeping and custody function within an applicable transaction cycle.
Expense account review
As a best practice for a monitoring control, management should perform a trend analysis over year-over-year expense account totals, as well as an analysis of budget to actual to ensure that bank expenses are reasonable for a stated period.
Journal entry review
A monitoring control that would be considered a best practice is for management to review period-end and manual journal entries made each period to ensure they are authorized and supported by the proper documentation. This is a fraud prevention control to ensure that financial statements do not include journal entries that would conceal a fraud or make the overall financial statements misleading to a user.