Employees/Volunteer Accounts Audit Program
5/31/11
2/16/2016 Page 1 of 8

Audit Procedure | By: | Reference/Comments

AUDIT OBJECTIVES

1. To determine the adequacy of internal controls over employee & volunteer actions.
2. To ensure that employee & volunteer loans are appropriate and properly approved.
3. To review employee & volunteer deposit accounts for appropriateness.
4. To determine the appropriateness of employee & volunteer expenses.
5. To determine the appropriateness of employee incentive pay.

AUDIT PROCEDURES

Preliminary

1. Review and update PAF as necessary.
2. Follow up on prior audit findings (from IAD, external and regulatory exams) for proper management resolution.
3. Read and become familiar with any reference materials in the PAF.

Internal Controls

1. Obtain any written policies & procedures, Employee Handbooks, etc., pertaining to employee prohibitions.
2. From management, obtain and document other controls in place.
3. Document how employee & volunteer accounts are flagged; note whether joint ownership accounts are flagged as “employee.”
4. Document what type of employee “hot line” is in place to report irregularities.
5. Note whether or not the “hot line” is anonymous.

Loans

1. From I/S, request a trial balance of accounts with the following characteristics:
   - PO Box for address;
   - Current balance is the same as the original balance;
   - Due date is more than 60 days in the future;
   - Inadequate amortization;
   - No payment for more than 90 days;
   - Frequent refinances; and
   - Frequent extensions.
   a. Follow up as necessary.
2. Select a sample of 35 employee and volunteer loans and ensure that:
   a. The corresponding loan file contains all required documentation;
   b. The file information agrees to that on the loan system;
   c. The loan went through the proper approval process;
   d. The loan is being repaid as written; and
   e. If the loan is delinquent, that it is being reported as such.

Deposit Accounts

1. In conjunction with the MIA, select a sample of 35 employees and volunteers.
2. Review corresponding statement history for at least a 4-month period, looking for any irregularities.
3. Follow up on any unusual credits.
4. If there are multiple NSFs or Neg Balance fees, determine if there has been any counseling or other action taken with the employee.
5. Look for evidence of kiting, such as:
   - Large, round dollar deposits;
   - Matching withdrawals;
   - Large number of deposits;
   - Large share draft volume;
   - Illogical total credits vs. employee salary;
   - High activity/low ending balance; and
   - Frequent NSFs.
6. Ensure that holds are properly placed on checks.
7. Trace any incoming, non-payroll transfers.

Employee/Volunteer Expenses

1. For the individuals chosen above, pull their expense documentation for the past year.
2. Ensure that expense forms were completed in accordance with CU Policy, including approval by authorized personnel.
   a. Note how management ensures that approval is by authorized personnel.
3. Look for evidence of “double dipping” (employees/volunteers being reimbursed for expenses already incurred on a corporate credit card).
4. For expenses paid with expense checks, look for personal items being paid, alteration of checks, bogus vendors, etc.
5. Look for expense theft red flags, such as:
   - Missing receipts;
   - Inconsistent amounts;
   - Duplicated items;
   - No legitimate CU purpose;
   - Excessive amounts and frequencies; and
   - “Ship to” address other than CU’s address.
6. Ensure that corporate card usage is within CU guidelines/Policy, i.e., timely payments and proper purpose and documentation. Note specifically what was tested, and for what thresholds.
7. For volunteers, ensure that subsequent to any conferences attended, they provided summaries to their respective Committee and/or Board.

Incentive Pay

1. Document controls over personnel earning incentive pay, including those for loan and share “steals.”
2. Determine how management monitors this. [1]
3. For employees selected in above testing, review incentive pay for prior 4 months.
   a. Review for propriety.
   b. Ensure that steals were for accounts actually opened.
4. Determine that steals were done in the best interests of the member.

Family Members

1. Determine the existence of family members for the employees selected above.
2. Note how CU determines and monitors activity of family members, and any related businesses controlled by them.
3. Review transactions of these family members for instances of employees performing transactions for these relatives.
4. Via review of applicable evidence (i.e., invoices), determine whether any improper or unethical business is being steered towards companies in which employees or their relatives are employed.

Code of Ethics

1. Verify that the CU has a formal code of ethics policy for employees and volunteers.
2. Determine that the policy covers the following information in accordance with the Bank Bribery Act:
   a. Acceptance of gifts, gratuities, amenities, or favors from anyone in return for business, service, or confidential information except for certain circumstances;
   b. Acceptance of meals, refreshments, entertainment, accommodations, or travel arrangements from anyone in return for business, service, or confidential information except for certain circumstances;
   c. Guidelines for employees’ and officers’ acceptance of loans from other credit unions or financial institutions except in accordance with state and federal law;
   d. Acceptance of advertising or promotional material of reasonable value;
   e. Acceptance of discounts or rebates available to the general public; and
   f. Acceptance of civic, charitable, educational, or religious organization awards for recognition of service and accomplishment.
3. Ascertain that the CU has established limits or dollar amounts for exceptions to the acceptance of gifts and other items listed in 2 above. Describe how this is monitored.
   a. During test work throughout the audit, determine adherence to this policy.
4. Certify that upon employment, each new employee receives a copy of the code of ethics.
5. Confirm that each new employee signs a statement certifying that:
   a. He or she has read and understands the policy;
   b. He or she has complied or will comply with its requirements; and
   c. He or she is not aware of any violation of policy on their part that has not been properly disclosed.
6. Confirm that each employee signs an annual statement certifying to the points noted in 5 above.
7. Establish that the CU has a conflict of interest disclosure statement for appropriate officers and employees.
8. Ascertain that upon employment, new employees complete and sign a conflict of interest disclosure statement about themselves and family members.
9. Document that the conflict of interest disclosure contains the following information:
   a. Financial interest information;
   b. Outside organization affiliations or employment; and
   c. Creditors.
10. Confirm that each employee annually submits a conflict of interest disclosure regarding the information outlined in 9 above.
11. Substantiate that there are procedures in place for employees to report to an immediate supervisor potential conflicts of interest or improper gifts.
12. Verify that employees who plan to accept a directorship of another organization, unless it is a charitable or nonprofit organization, obtain the pre-approval of the president and board.
13. Examine the CU procedures outlining how violations of the credit union’s conflict of interest/code of ethics policy will be handled.
14. Verify that all violations of the policy are reported to the board of directors directly or through the supervisory committee.
15. Determine that the policy contains a provision for fair and accurate accounting standards.
16. Verify that the policy contains a provision for employees to report irregular accounting practices to the board without fear of reprisal.
17. Perform test work to determine any violations of the Code of Ethics.
18. Perform similar test work for volunteers. Ensure that Policy is in compliance with NCUA Rules and Regulations.

GUI Spectrum

1. Document and ensure adequacy of procedures authorizing employees “zz” authority; note who is authorized and if anyone is restricted.
2. Determine if there are formal procedures for allowing access to restricted accounts.

Enforced Leave

1. Determine if all staff took their required 5-day enforced leave during the most recently ended calendar year.
2. Document controls in place to limit access to systems while on leave.
3. Review system records to determine if there has been any system access (remote or otherwise) by employees while on leave (use the same sample of 35 as above).
4. Review payroll records to determine if the employee actually took the enforced leave dates off as stated on their staff leave request sheets (use the same sample of 35 as above).
5. Determine if employees used their proximity pass during their enforced leave (use the same sample of 35 as above).
6. Determine if there has been any telephone contact with staff during leave.
7. Look for existence of any other actions taken during enforced leave that are either inappropriate or in violation of Policy and/or the Employee Handbook.

[1] NCUA Part 721.7 (b)(3) allows incentive payments to an employee, other than a senior management employee, provided that the Board, “establishes written policies and internal controls for the incentive program and monitors compliance with such policies and controls at least annually.”