contents - The Irish League of Credit Unions

INTERNAL CONTROLS

CONTENTS
Introduction
Definition of Risk Management
What is Risk?
  Pure Risk
  Speculative Risk
What is Risk Management?
  Risk Identification
Risk Measurement
  Measurement
  Control
Loss Control and Prevention
  Internal Controls
  Definition
  Internal Control System
  Administrative Controls
  Segregation of Duties
  Accounting Controls
  Operating Responsibilities
Evaluation of Internal Controls
  Segregation of Duties
  Survey of Internal Controls
  Analysis by Function
Internal Controls in Effect
  Reporting Internal Control Deficiencies
Computer Risk Management
  Introduction
Risks to Data
  Human Error
  Technical Error
  Natural Disasters
  Deliberate Actions
  Malicious Damage
  Improper Disclosure
Computer Systems Controls
  Hardware Controls
  Software Controls
  Data Controls
  Input Controls
  File Controls
  Output Controls
  Data Transmission Controls
Administrative Controls
  Physical Security
  Backing-up
  Maintenance & Support
  Legal Requirements
Physical Aspects of Risk Management
  Physical Hazards
  Fire
  Storm & Flood
  Vandalism
  Robbery
  Cash in Transit
Internal Security in the Credit Union
  Safes
  Alarms
  Staff Training
  Staff Instructions
Burglary, Break-in
Public Liability
Employers Liability
Glossary
Appendix 1

INTRODUCTION
The term Risk Management has evolved in the insurance and commercial world
during the last thirty years. Most people tend to think of Risk Management only in
terms of insurance. However, Risk Management may be defined as a conscious
attempt on behalf of Credit Union management to identify, to measure and to control,
all exposures to loss which are created by the activities in which a Credit Union
engages.
This lesson is sub-divided into three sections:
(1) (a) Definition of Risk Management
    (b) Internal Controls.
(2) Computer Risk Management.
(3) Physical aspects of Risk Management.
DEFINITION OF RISK MANAGEMENT
Credit Unions are confronted with risk on a daily basis, regardless of the nature of the
common bond, size or location. The element of risk is found in all phases of the
Credit Union operation. Down through the years Credit Unions have encountered
substantial losses suffered by way of burglary, robbery, forgery, embezzlement and
liability claims.
In some cases the viability of the Credit Union may have been seriously threatened
not because of the monetary loss, but because of the impact such an occurrence can
have on the public and membership credibility in the Credit Union. A Credit Union is
no different from other business organisations in that it is equally vulnerable to loss
by way of error or fraud. Often the significance of risk management is only
appreciated when the Credit Union has experienced loss. Risk Management starts at a
fundamental level and asks the basic question – “To what risks is this organisation
exposed?”
WHAT IS RISK?
In insurance terms “RISK” is exposure to loss or injury or the subject of insurance.
In Credit Union terms “Risk” may be defined simply as the uncertainty of loss. When the
loss will occur, and the effect and cost of that loss are the unpredictable aspects of
“Risk”.
Basically there are two types of risk. These are PURE RISK and SPECULATIVE
RISK.
PURE RISK embraces all possibilities of loss arising out of either the destruction or
confiscation of Credit Union assets. Credit Unions may also suffer indirect loss.
Loss by destruction can involve loss of assets or reduction of value of assets by fire,
flood, storm, vandalism or civil commotion.
Loss by confiscation can occur by legal or illegal means. Legal means may involve a
Credit Union being sued for such matters as negligence, wrongful dismissal of staff or
damage caused by Credit Union personnel to property or vehicles owned by third
parties. The Credit Union, being a legal entity, can be sued, as can its directors and
staff, individually or collectively. In turn, a Credit Union can itself initiate legal
action. However, the greatest risk facing a Credit Union for loss by confiscation
arises out of illegal means and methods. Cash and other assets may be lost or
destroyed through burglary, robbery or armed hold-up. These losses usually come
about by the action of outside parties. Such losses amount to almost 50%, in money
value, of bond claims made by Credit Unions under the League Star Plan Insurance
package.
The other area of substantial loss arises through embezzlement and internal fraud
perpetrated by Credit Union personnel. In order to embezzle the criminal must have
access to assets and records and have opportunity to carry out the crime which in
some cases has occurred over long periods of time.
In addition to the types of loss mentioned, indirect loss may also occur. When a
Credit Union’s property or records are destroyed further loss may arise such as
additional expenses incurred in the rebuilding of the property, renting of alternative
interim accommodation, loss of rent income, reconstruction and re-establishing of
Credit Union records or computer files.
All the above risks can be insured against and certain losses can result from underinsurance (see lesson 4).
SPECULATIVE RISK - embraces all the uncertainties in the management of the
assets of the Credit Union and can bring gain or loss.
The main purpose of a Credit Union is to help members accumulate savings and to use
that pool of savings to make loans to its members. These simple functions require the
exercise of astute financial management on the part of the Board of Directors. This
requires a fine balance between Credit Union Philosophy and sound business
practices. Credit Union Boards continually have to weigh the granting of loans and
investment decisions against the risk of bad debts which impair the assets and income
return necessary to meet the day-to-day expenditure.
Decisions have to be made in regard to the acquisition of premises and equipment and
balanced against the immediate loss of income in anticipation of growth and further
income. These decisions and many more involve the Board in Speculative Risks on
an ongoing basis.
SUMMARY
Pure Risk – can result only in loss – there is no possibility of gain
Speculative Risk – can bring gain or loss – it embraces all the uncertainties in
the management of the assets of the Credit Union.
Definition
WHAT IS RISK MANAGEMENT?
Risk Management may be defined as a conscious attempt on behalf of Credit
Union management to IDENTIFY, to MEASURE, and to CONTROL, all
exposures to loss which are created by the activities in which a Credit Union
engages.
There are three key words in this definition – IDENTIFY, MEASURE and
CONTROL.
RISK IDENTIFICATION.
This involves recognising the various exposures confronting the Credit Union by
determining what can happen to cause a loss.
It is helpful to list out all the potential areas of the Credit Union’s operation where
risk might exist and where there is a potential for loss to the Credit Union.
Risk areas can be identified under the following headings:
- Internal controls
- Cash and other Assets
- Administrative and Computer Systems
- Staffing
- Robbery
- Burglary
- Systems
- Premises
The Board of Directors should examine each of these areas and determine the
potential risk to the Credit Union. Apart from direct loss Credit Unions must also be
aware of additional losses arising from such matters as loss of income on embezzled
funds and the substantial expenses that can arise where it is necessary to have a
separate independent audit undertaken.
RISK MEASUREMENT.
This process helps to determine how often a loss may occur as well as the probable
effect such a loss could have on the Credit Union. Loss frequency and loss severity
are two measurements of risk. The assessment of the potential severity of a robbery
loss might help a Board of Directors to make alternative arrangements for the
lodgement of cash or to improve physical security protection in the Credit Union
premises. Measuring the potential severity of a fraud might encourage a Board of
Directors to increase the level of fidelity bonding.
RISK CONTROL.
Risk control involves the selection of the most effective and efficient methods that
may be used to prevent or at least minimise the possibility of loss. Basically there
are five risk control methods which may be used to determine how a given risk can
best be handled.
Avoid
Credit Unions should first consider ways to avoid risks, if possible and practical. For
example, the exposure to flood can be avoided by selecting an office site in an area
that has no flood history.
Reduce
If a risk is unavoidable, Credit Unions should next consider ways in which exposure
to risk may be reduced. The risk of armed robbery can be reduced by installing an
effective alarm system.
Spread
The third risk control step to be considered is that of spreading a risk, if possible
and/or practical. An example of spreading a risk would be to make more frequent
cash lodgements, thereby spreading the risk.
Assume
There are some risks that a Credit Union may wish to assume. For example, a Credit
Union may decide it can afford to stand the loss of its office furniture. The Credit
Union’s investment in such furniture is usually a nominal amount, so the loss may not
adversely affect its assets. A word of caution when considering the use of this risk
management tool – never risk a lot for a little, and never risk more than your Credit
Union can afford to lose.
Transfer
Credit Unions should transfer all risks which cannot be totally avoided, effectively
reduced, or efficiently spread to a safe assumption level.
Transfer of risk may be accomplished through the use of lease agreements, or by the
purchase of insurance. Remember that while transfer of risk through insurance may
seem the most effective method, it is recommended that this be the last consideration
in handling risks.
Internal Controls
LOSS CONTROL AND PREVENTION.
Let us now look in more detail at the ways, means and systems available to a Credit
Union to reduce the effects of loss. A safe Credit Union environment with sound
operating policies and procedures is critical to preventing and minimising losses. All
Credit Union losses are directly reflected in the cost of insurance premiums and it is
in the interest of all Credit Unions to prevent losses because the payment of a claim to
one has repercussions for all Credit Unions’ costs.
A Credit Union is a member owned financial institution dealing in and having a high
turnover of money and other negotiable documents. The trust of its members and the
general public is vital. It must maintain its good reputation by conducting its business
and that of its members in an efficient and trustworthy fashion.
The existence of a system of prudential internal control procedures helps to maintain
the integrity of the Credit Union.
Definition
Internal Control is a term that describes a system of organisation and operation that:
- Safeguards the Credit Union’s assets.
- Checks the accuracy and reliability of the Credit Union’s accounting records.
- Promotes operational efficiency.
- Encourages adherence to Board policy and directions.
In general terms, internal controls minimise the possibility that intentional or
unintentional errors will go undetected. While internal controls will not necessarily
prevent mistakes they will be of help in identifying those that do occur. Above all
they minimise the risk of loss resulting from fraudulent activity by preventing it and
making detection easier.
To commit fraud, a person must have access to the assets (cash, bank account balances,
loan balances), either through physical custody (authorised or otherwise) or through
control or part control over their use, i.e. being in a position to authorise a loan or
share withdrawal or being a cheque signatory.
In the Irish Credit Union experience most loss by fraud and embezzlement has arisen
from custody and/or control over functions associated with:
- loan approval/disbursement
- share withdrawals
- share transfers
- receipt of cash in respect of shares/loan/interest
- opening of bogus share/loan accounts
- custody of cash
- control over the movement of funds
- control over ancillary Credit Union activities such as saving stamp schemes
  and travel cheques
- fraudulent insurance claims.
Internal Control System.
Invariably almost all areas of fraud or error can be traced to some deficiency in the
internal control system.
There are two areas of internal controls – administrative controls and accounting
controls. Administrative controls are associated with Board decisions to authorise
transactions and its responsibility for achieving the objectives of the Credit Union.
This authorisation is the starting point for establishing accounting control over
transactions.
Accounting controls, on the other hand, are concerned with safeguarding assets and
assuring the reliability of financial records. Accounting controls should provide
reasonable assurance that:
- Transactions are in accordance with general or specific authorisation
- Transaction records permit proper preparation of monthly financial statements
  and year end accounts
- Transaction records maintain accountability for all assets
- Access to assets requires proper authorisation
- Records, inspected at reasonable intervals, match existing assets and if not,
  appropriate action will follow.
Each Credit Union is unique and no set of internal controls fits all cases. There are,
however, certain underlying principles and procedures that must exist in all internal
control systems.
Administrative Controls
The administrative structure and operating procedures of a Credit Union must be
approved by the Board of Directors, subject to standard rules and legislation. There
should be clear lines of authority and responsibility to segregate the operating and
recording functions, and to provide persons, volunteer or full-time, who are qualified
to perform their duties. From an administrative viewpoint, an internal control system
should encompass the following elements.
Accounting System
The primary component of a strong internal control system is a good accounting
system, which includes the recording and reporting of all transactions and balances.
The accounting system must be flexible in its capacity, yet rigid in its controls and
standards. It must be accurate and efficient. With experience, the supervisory
committee can evaluate these broad criteria with precision.
Board Approval
The Credit Union’s lending, investing, borrowing, and operating expense policies
must appear in the minutes of the meeting of the Board of Directors and must clearly
establish limitations and authority. The Board should review and adopt formal
income and expense budgets as well as cash flow projections. This control feature
must provide for a reporting system that will keep the directors informed regarding
delinquent loans, level of withdrawal of shares and deposits, investments, and an
accurate monthly financial statement including a cash report, an income & expenditure
account and a balance sheet.
Access to Assets
Cash Control.
The Board must authorise the amounts of cash floats, petty cash and internal cheque
funds. Each teller needs to have sole access to his cash. Cash funds shared by tellers
are a threat to security, and even relief tellers must have their own funds. Each
individual must be directly and solely accountable for the cash assigned to him or her.
Joint Custody/Dual Control
It is recommended that access to the strong-room, files or other storage devices should
require at least two keys or combinations under the control of at least two different
individuals. It is essential, if dual control is to be effective, that all persons involved
guard their keys or combinations carefully. Then only the collusion of two or more
people can bypass this important control feature.
Items that should be under effective dual control include:
- Cash Funds
- Investment securities
- Reserve supply of cheques
- Un-issued travellers cheques
- Savings stamps
- Cash vouchers
- Spare keys to tellers’ cash boxes.
Segregation of Duties
When two or more persons are involved in a transaction, the work of one serves as a
check on the accuracy of the work of another. When two or more persons are
involved in a transaction, the possibilities of fraud and the incidence of undetected
error diminish considerably. No one person should handle any transaction from
beginning to end. For example, a person paying out and accepting cash should not
post the journal cash record or receipts/disbursement books. A loan officer must not
pay out the loans he or she has approved and those persons having authority to sign
cheques should not reconcile bank accounts.
Obviously, segregation of duties becomes more difficult the smaller the Credit Union.
The example below shows how some credit union duties can be divided between
two persons. To the degree that duties are not segregated, the supervisory committee
must consider the need for greater testing of the internal controls to ensure that the
risk of error or fraud is reduced.
Example: Segregation of Credit Union duties between two persons.

First Person                          Second Person
1. Acts as teller and completes       1. Posts Share, loan, interest
   pay-in-slips.                         payment to member a/c’s.
2. Prepares bank account              2. Is a cheque signatory.
   reconciliations.
3. Acts as Loan Officer.              3. Pays out loans.

Personnel Policies
The Board should rigorously check the references of prospective employees. The
Credit Union should create an atmosphere in which employees feel free to discuss
problems and plans. Written job descriptions that define duties and responsibilities
should exist for each position. Finally, each employee’s job performance should be
evaluated regularly.
Rotation of Personnel.
Planned and unannounced rotation of duties of all Credit Union personnel is an
important principle of internal control. This rotation should be of sufficient duration
to be effective. Rotation of personnel, besides being an effective internal control
check, can also be a valuable aid in the Credit Union’s overall training programme.
Holidays
All Credit Unions should have an annual holiday policy that provides that each
official be absent from his duties for an uninterrupted period of not less than one
week.
The indispensable official is a myth. This cannot be overemphasised. It is our
experience that an embezzlement of any substantial size usually requires the presence
of the embezzler in order to manipulate the books, respond to enquiries from members
or other officials, and otherwise to prevent detection.
Accounting Controls
A Credit Union cannot conduct an efficient operation without a record-keeping
system that is capable of generating a wide variety of reports. Such a system is
necessary if a credit union’s Board of Directors and Management are to stay well
informed and to remain fully in control.
Forms, records, and systems differ from Credit Union to Credit Union. However, the
books of every Credit Union must follow and comply with the requirements of the
Credit Union Legislation (Republic of Ireland and Northern Ireland) and the accounts
must comply with the relevant Statements of Accounting Practice as developed by the
Accounting Standards Committee of the Accountancy Bodies.
In each instance, a Credit Union’s records and accounts must reflect its actual
financial condition, structure, and operations accurately. A Credit Union’s accounts
and records must exhibit the following characteristics.
Operating Responsibilities
The accounting system must gather information in such a way as to provide internal
reports on major areas of operation such as regular reports on delinquency and
analysis of loans and savings. These reports assist in the management of the Credit
Union and provide a check on accuracy and integrity.
The Credit Union must handle transactions uniformly during each accounting period.
For instance, it cannot defer or capitalise expenses or accelerate income in order to
misrepresent earnings.
Sequentially numbered transaction books and records, manual or computerised, will
aid in proving, reconciling, and controlling used and unused items. A person who
confirms the existence of un-issued cheques and savings stamps should not prepare or
issue them. In other words un-issued, pre-numbered instruments that could be used to
obtain funds should fall under dual control.
Records posted daily reflect each day’s activities and keep them separate and distinct
from another day’s work. The records must show the Credit Union’s financial
condition and structure as of the given date. Each account on the Credit Union’s
general or nominal ledger must be individually proved and balanced at least monthly.
Subsidiary records, such as share and loan ledgers and investment registers, must
agree with general ledger control figures.
The records and systems must provide an audit trail to enable the tracing of any given
transaction as it passes through the Credit Union’s books. Some of the more
prevalent record-keeping deficiencies encountered by field officers or at year end
audit include:
- General ledger does not trial balance
- Tellers’ cash sheets do not balance
- All pay-in-slips not recorded on collection sheets/computer printout
- Investment Registers not maintained
- Inadequate details concerning cash-over and cash-short
- Use of erasers/tippex in correcting errors
- Failure to keep accounts and records posted on a current basis
- Bank reconciliation records that are not current and/or fail to reflect all
  outstanding items.
Annual Audit
Every Credit Union must have an annual audit. This serves as a verification of the
accuracy of the Credit Union’s records and may disclose weaknesses in the system of
internal control, which must receive the attention of the Board and be remedied by
changes in procedures. In the course of his/her audit, the auditor will evaluate and
test the internal controls to determine the degree of reliance which he/she may place
on the information contained in the Credit Union’s accounting records. He/she will
also review the work of the supervisory committee, regarding it as the internal audit
function in the Credit Union. Should the supervisory committee require assistance or
clarification on any accounting matters during the year, the auditor can and should be
consulted.
The extent to which he/she will be able to take into account the work of the
supervisory committee will depend on his/her assessment of the effectiveness of their
function. In doing this assessment he/she will be concerned with:
- the level of knowledge and competence/experience of the committee
- the degree of independence of the committee from day-to-day operations of
  the Credit Union
- the scope, extent, timing and independence of the tests and verifications
  carried out by the committee
- the documented evidence of work carried out by the committee
- the evidence of reports to the Board and A.G.M. and the extent to which
  action has been taken on the recommendations of the supervisory committee.
The Credit Union Movement prides itself on its commitment to “self-regulation and
control”. It is fundamental to the success of the Movement that the supervisory
committee satisfactorily performs its “internal audit functions” in order to safeguard
the Credit Union from exposure to risk from error and fraud.
EVALUATION OF INTERNAL CONTROLS
1. Segregation of Duties
The concept of segregating duties is a major part of any internal control system and
involves the segregation of those duties or responsibilities which would, if combined,
enable an individual to record and process a complete transaction.
In evaluating the system of internal control the question to ask is whether it would be
possible for an official to steal assets of the Credit Union and also cover up the
shortage in the accounting records. It is a standard of internal control that an official
should not have both access to an asset and responsibility for recording that asset.
The actual division of duties is in some cases very difficult because of a limited
number of officials and the necessity of specialised training to perform certain duties
particularly where a computer system is used. It may be necessary to rely on
independent reviews and control totals rather than an actual segregation of the duties.
In some extreme cases, one person, the Treasurer, may assume or be left no alternative
but to assume control of all book-keeping and cash transactions. Even a review of
control totals may not be possible because of staff limitations. The supervisory
committee should recognise this situation and concentrate additional checking effort
on the transactions that could potentially contain errors.
2. Survey of Internal Controls
The level of internal control that exists in your Credit Union plays a major part in
determining the scope of the work of the supervisory committee and the auditor. The
survey of internal controls will also help in identifying areas in which improvements
can be made in the Credit Union’s operating procedures and its volunteer/staff
organisation.
The most direct method for gaining an understanding of the internal controls in a
credit union is to complete an internal control questionnaire, such as the one in
Appendix 1.
Ideally, the supervisory committee should complete this questionnaire.
Complete the questionnaire by asking the questions of the Credit Union official who
is directly responsible for a particular functional area, for example meeting with the
Treasurer to answer the questions concerning disbursements and the books of account.
It is a good idea to write explanatory notes on the questionnaire as answers are given.
For instance, you should make a note of the names of the cheque signatories.
The internal control questionnaire is arranged by subject area to provide convenient
groups of questions. It is a good idea to do some preliminary planning before starting
to complete the questionnaire. The supervisory committee should decide who should
be asked to answer the questions in each section and record this on the questionnaire
for later checking, if more information or explanation is required.
3. Analysis by Function.
After completing the questionnaire the next step is to evaluate the answers. This step
calls for sound judgement on the part of the supervisory committee to determine if the
system of internal control in operation is adequate. An adequate system is one that is
free from material weaknesses, i.e. one which enables credit union personnel, in the
normal course of their duties, to prevent or detect major errors or irregularities in the
records promptly.
The following method for evaluating the system of internal control allows analysis by
function.
A. Divide credit union operations into the following functional areas:
   - Cash receiving, including recording of the transaction
   - Cash disbursements, including recording of the transactions
   - Loan processing and record keeping
   - Investment functions.
B. List the potential errors and irregularities that could possibly occur in each of
the above functional areas. For example, one potential error in the receipt of
cash would be recording the wrong amount on a member’s pay-in-slip.
C. After each potential error, list the possible control procedures that would either
prevent or detect it. These are some of the control procedures that would
prevent or detect the pay-in-slip error.
   - Members are given a copy of the pay-in-slip, which may then lead to
     discovery and reporting of the error.
   - Tellers must reconcile their cash on hand at the end of each day with
     the transactions they processed during that day.
   - The Treasurer or Manager must review each teller’s daily cash
     reconciliation before making an entry for cash-over or cash-short in the
     Journal Cash Record.
   - Member passbook verification is undertaken on a regular basis or
     members receive a statement of their accounts showing all transactions
     since the last statement.
D. Determine which of these procedures the Credit Union performs by use of
the internal control questionnaire.
E. Evaluate each potential error to determine if it could be prevented or detected
by the internal control procedures in effect at the Credit Union. Make a list
of the potential errors that could occur and escape detection.
F. Consider whether this list of potential errors is serious enough to cause loss
of faith in the ability of the internal control system to produce reasonably
accurate records for the Credit Union. The conclusion not to rely on the
existing system could be based upon your judgement that the potential errors
are very large in amount or serious in nature or that the lack of control
procedures could allow a large number of less serious errors to occur.
Summary
In evaluating the adequacy of the internal control system an overview must be taken
of the system as a whole. Where a control is missing in one area, the errors that it
might allow to get through could well be detected by another control at a different
point in the transaction process. For instance, if the person who prepares the
lodgements also completes the bank reconciliation this might well be a weakness, but
if, however, someone else who did not handle the cash checks the reconciliations it is
likely that any errors or losses there will be detected. So there is a compensating
control for the one that is missing. It should also be borne in mind that it may not be
absolutely necessary to have a rigid control where the potential loss is negligible in
size.
If it is concluded that it is not possible to rely on the system of internal control to
produce reasonably accurate records and to prevent error and loss, the Committee
must expand its work to determine the extent of the actual errors in the records. The
specific tests and extra work depend on which areas the internal control weaknesses
affect.
For example, if there are serious weaknesses in internal control of the loan processing
area it would be necessary to review a larger number of loan application/promissory
notes and to verify signatures of borrowers, check credit committee records, and paid
cheques. The committee should be satisfied that apart from posting errors there is no
fraud or embezzlement being perpetrated.
INTERNAL CONTROLS IN EFFECT
The evaluation of internal control is based upon the answers to the questionnaire, but
that does not verify that the control procedures exist in actual practice. To be
effective, procedures and policies must not only be established by the Board – they
must be followed and be seen to be in operation.
Adherence to most of the major internal control procedures can be reviewed by
observing personnel at work or by reviewing Credit Union records. For example, to
verify compliance with the procedure requiring the Treasurer or Manager or senior
teller to review all of the tellers’ daily cash reconciliations, you could either watch
that person actually conduct the review, or the committee could inspect a sample of
the daily cash reconciliations to see that the overseer’s initials appear on each one to
indicate review and approval.
If it is found that Credit Union officials are not complying with certain control
procedures, the Board should insist they be brought into effect or re-evaluate the
control procedure.
Reporting Internal Control Deficiencies
Internal control is not a fixed system of procedures. If weaknesses are discovered
they can be corrected. Any procedures which are not in use and which would reduce
the chances of loss or errors should be insisted on as part of Board policy. Having
completed the questionnaire, the supervisors should report any discrepancies or other
matters to a meeting of the Board of Directors.
Suggestions by the supervisory committee for change must be supported by sound
reasoning and ample evidence – description of how things are currently being done
and how the new recommendations can improve operations.
COMPUTER RISK MANAGEMENT
Introduction
Today computers have become a necessary part of most organisations, even though
the first business application of computers only took place in the late 1950s. There
are many advantages for those who use computers:
- Storage of large quantities of information (Data)
- Ease and speed of access to this information
- Ability to process large volumes of transactions in a short period of time
- Use of data to give necessary management reports.
The decision to purchase a computer system is an important one. A Credit Union will
be tied to its purchase for at least five years before replacing it or updating it. Many
of the controls which may have formerly operated under a manual system will have to
be applied to the operation of the new computer system. This system and the data
which it holds should be viewed as a valuable resource to be protected from
accidental or malicious modification, destruction or disclosure. In the Credit Union
context, personal data relating to members and their accounts must be safeguarded.
Risks to Data
Risks to data can fall under the following headings:
- HUMAN ERROR
- TECHNICAL ERROR
- NATURAL DISASTERS
- DELIBERATE ACTIONS
- MALICIOUS DAMAGE
- IMPROPER DISCLOSURE

Human Error
This is the risk with the highest incidence. Examples of human errors are:
- Incorrect entry of transactions
- Failing to correct errors
- Using wrong data files during processing
- Failing to carry out instructions in respect of security procedures.
Many of these errors arise from lack of suitable training and unauthorised use of the
computer.
Technical Error
Technical error can involve malfunctioning of:
- Hardware, including
  - Computer and Disk Drives
  - Communication equipment
  - Normal & emergency power supplies
  - Air conditioning units
- Software, including
  - Operating system
  - File Management Software
  - Database Software
Natural Disasters
Fire, flooding, and to a lesser extent, explosion, impact and lightning are examples of
natural disasters.

Deliberate Actions
The scope for fraud needs particularly careful consideration where data is held on
magnetic media, because such data is not immediately legible and it may therefore be
difficult to obtain evidence of improper amendment.
Malicious Damage
There may be a risk of disaffected employees or volunteers destroying data.
Malicious damage may also be caused by vandalism.
Improper Disclosure
The information held by a Credit Union can be of value to outside parties and the
transfer of such information can result through improper or unauthorised disclosure.
COMPUTER SYSTEM CONTROLS
As part of the risk management process, computer system controls must be
maintained regardless of the size of application or method of processing, (i.e. batch or
real time). If certain controls are difficult to establish, (e.g. segregation of duties)
some emphasis has to be placed on other control areas (e.g. procedural and processing
controls).
Hardware Controls
Computer hardware can break down, malfunction or be used incorrectly. Controls
can be established to:
a) Ensure the continuity of data processing should a hardware fault occur
b) Identify such incorrect usages when they occur, and either prevent them
from reoccurring or report them when they do happen.
There should be regular maintenance checks on hardware by qualified computer
engineers to prevent faults from happening. This is certain to reduce the likelihood of
breakdown and data transfer faults.

However, if a hardware breakdown does occur there ought to be contingency plans to
ensure that data processing operations can continue.
These include:
- Back-up unit
- An agreement with the supplier to provide a replacement system or a manual
stand-by system for temporary interruptions.
SOFTWARE (PROCESSING) CONTROLS
Software Controls
Controls over data on file can be written into the computer’s software. These include
file identification checks and control total checks. In the former case the computer
will check that the correct file has been loaded for processing before it will begin its
processing operations. In the case of control total checks these can be made on a file
by writing them into the application program. The complexity of these checks varies
with the degree of control required but basically they are designed to ensure that all
member accounts are fully processed.
Data Controls
Processing Controls can be divided into four main areas:
- Input Controls
- File Controls
- Output Controls
- Data Transmission Controls

- Input Controls
The method of input chosen should minimise the likelihood of clerical errors.
Staff should be well trained, properly supervised and encouraged to look for
errors. There should be some method of verifying data that has been input
before processing such as “on screen check”. Another check would be a
printed listing providing an audit trail of what has been keyed. Batch control
checks and sequence checks can also be used to ensure processing is complete.
- File Controls
Computer files should be physically safeguarded. Fireproof cabinets should
be used for storage purposes. Files can be stolen, misplaced, damaged or
corrupted and this is why creating back-up files is now a regular routine in
many offices. Back-up copies should be stored off-site.
Special problems exist with computer systems where the computer user can
access data files and program files via his or her keyboard. This problem is
one of unauthorised access. To ensure that files are not read, altered or
destroyed, either accidentally or deliberately without proper authority, access
to computer files must be restricted. The most effective means of restricting
access is by means of passwords with all attempted violations of security
automatically logged.
- Output Controls
In a batch processing system it is necessary to ensure that all batches have
been processed fully. If input data has been rejected, the cause must be
ascertained. Output can be in the form of either computer listings or magnetic
files. Computer listings should be destroyed when no longer of use. Magnetic
files should be properly labelled and stored.
- Data Transmission (Telecommunications) Controls
To date these are not very relevant in the Credit Union context but where data
is being transmitted special control measures need to be taken.
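The file identification check and control total checks described under Software Controls, together with the batch control and sequence checks described under Input Controls, can be illustrated as follows. This is an added example, not code from the original lesson; the pipe-delimited file layout, the file identifier `SHARES-RECEIPTS`, the function name `check_batch` and the use of a hash total of account numbers as one of the control totals are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample batch. The pipe-delimited layout is an assumption made
# for this example, not a real credit union file format:
#   H|file_id|batch_date
#   D|sequence_no|member_account|amount
#   T|record_count|hash_total_of_account_numbers|amount_total
SAMPLE_BATCH = """\
H|SHARES-RECEIPTS|2024-03-01
D|1|10021|50.00
D|2|10034|120.50
D|3|10107|20.00
T|3|30162|190.50
"""


@dataclass
class BatchResult:
    accepted: bool
    errors: list = field(default_factory=list)
    posted: list = field(default_factory=list)  # (account, amount) pairs


def check_batch(text, expected_file_id):
    """Validate a whole batch before any record is posted."""
    rows = [ln.split("|") for ln in text.splitlines() if ln.strip()]
    if len(rows) < 2 or rows[0][0] != "H" or rows[-1][0] != "T":
        return BatchResult(False, ["missing header or trailer record"])
    header, details, trailer = rows[0], rows[1:-1], rows[-1]
    errors = []

    # File identification check: refuse to process the wrong file.
    file_id = header[1] if len(header) > 1 else ""
    if file_id != expected_file_id:
        errors.append(f"wrong file: expected {expected_file_id}, got {file_id}")

    count, hash_total, amount_total = 0, 0, Decimal("0")
    next_seq, parsed = 1, []
    for rec in details:
        try:
            kind, seq, account, amount = rec
            if kind != "D":
                raise ValueError("not a detail record")
            seq, account, amount = int(seq), int(account), Decimal(amount)
        except (ValueError, InvalidOperation):
            errors.append("malformed detail record: " + "|".join(rec))
            continue
        # Sequence check: a gap or repeat means a lost or duplicated entry.
        if seq != next_seq:
            errors.append(f"sequence break: expected {next_seq}, got {seq}")
        next_seq = seq + 1
        count += 1
        hash_total += account  # meaningless sum, catches mis-keyed accounts
        amount_total += amount
        parsed.append((account, amount))

    # Control total checks against the trailer prepared with the batch.
    try:
        t_count, t_hash = int(trailer[1]), int(trailer[2])
        t_amount = Decimal(trailer[3])
    except (IndexError, ValueError, InvalidOperation):
        errors.append("malformed trailer record")
    else:
        if count != t_count:
            errors.append(f"record count: trailer {t_count}, read {count}")
        if hash_total != t_hash:
            errors.append(f"hash total: trailer {t_hash}, read {hash_total}")
        if amount_total != t_amount:
            errors.append(f"amount total: trailer {t_amount}, read {amount_total}")

    # Post nothing unless every check passed; a rejected batch is reported
    # with its causes so they can be ascertained and the batch re-entered.
    if errors:
        return BatchResult(False, errors)
    return BatchResult(True, [], parsed)


if __name__ == "__main__":
    ok = check_batch(SAMPLE_BATCH, "SHARES-RECEIPTS")
    print("accepted:", ok.accepted, "records:", len(ok.posted))
    dropped = SAMPLE_BATCH.replace("D|2|10034|120.50\n", "")
    for err in check_batch(dropped, "SHARES-RECEIPTS").errors:
        print("rejected:", err)
```

Because the totals are checked before anything is posted, a batch with a dropped, duplicated or mis-keyed entry is rejected as a whole rather than partly processed.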
ADMINISTRATIVE CONTROLS
Administrative controls relate to the day-to-day responsibilities of the computer user
and will include much of what has already been discussed.
Controls can be considered under four headings:
- Physical Security
Disks and tapes should be kept in a fireproof cabinet or safe. Passwords
and/or lockable keyboards should be used to prevent unauthorized access to
the system. Computer printouts should be destroyed or shredded when no
longer required.
- Backing-up
Files should be backed-up regularly. Procedures should not be allowed to
slacken whereby office staff does not bother to create back-up files because it
takes too much time. Backing-up of files should be regarded as an essential
daily routine.
- Maintenance and Support
Credit Unions should consider it a necessity to enter into hardware and
software maintenance agreements, either with the supplier of the equipment or
other reputable parties.
- Legal Requirements
All Credit Unions should be aware of the relevant Data Protection legislation
and Credit Union users must register. Care should also be taken to renew
registration as appropriate (Annually in the Republic of Ireland and triennially
in Northern Ireland).
The Board of Directors should be aware of the penalties for improper disclosure of
Data and must also comply with valid requests to have Data corrected where
appropriate.
PHYSICAL ASPECTS OF RISK MANAGEMENT
Physical Hazards
The element of risk to the physical assets of the Credit Union will be dealt with in this
section. In previous sections we have identified ways in which Credit Unions can
suffer loss. We will look in more detail at ways of minimising risk resulting from
physical hazards under the following headings: -
1. FIRE, STORM, FLOOD AND VANDALISM
2. ROBBERY, BURGLARY, BREAK-IN AND HOLD-UP
3. PUBLIC LIABILITY
4. EMPLOYERS LIABILITY
1. FIRE, STORM, FLOOD AND VANDALISM
It is the responsibility of the directors of the Credit Union to ensure that every
precaution is taken to maintain premises as fire-proof as possible:
- Materials used in the construction or renovation should be to the highest
standards available;
- Electrical installations should be carried out and checked regularly by
experienced personnel;
- Central heating boilers should be serviced regularly by experienced personnel.
Other heating systems such as electric fires should have all elements covered.
Bottled gas heaters should be treated with caution;
- Flammable materials should not be allowed in the vicinity of cooking
appliances;
- Ash trays, waste paper baskets etc., should be constructed from fire-proof
material;
- Fire extinguishers should be positioned in a conspicuous position and should
be serviced regularly. There are different types of extinguishers available. A
Credit Union should at least have one for electrical fires and one for
non-electrical fires. Credit Union personnel should be trained in the use of this
equipment.
- A reliable fire alarm system should be installed and in the case of large Credit
Union offices, a sprinkler system should be considered. All Credit Union
personnel should be familiar with a fire drill. One person should be
responsible for co-ordinating all aspects of fire precaution. The law in relation
to fire escapes etc. should be observed.
Before leaving the office, the following routine should be standard practice:
- All electrical equipment should be disconnected or switched off.
- All inner doors should be closed.
- Alarms should be activated.
If all the foregoing has been observed, then in risk management terms the board of
directors will have done their best to avoid or reduce the risk.

STORM AND FLOOD
Loss can be sustained from flood and storm. While this is a more difficult risk to
minimise, the following precautions should be taken:
- Siting the Credit Union office in an area not subject to flooding, if possible
- Maintaining the building in good repair
- Pipes should be lagged.
VANDALISM
Vandalism can account for loss to a Credit Union. The risk can be minimised by the
use of:
(a) Steel Shutters
(b) Flood lighting
(c) Internal security shutters
(d) Perimeter fences
(e) Burglar alarms.
The Credit Union may transfer the risk to an Insurance Company. Previous lessons
will have dealt with this in some detail. When transferring a risk we must be sure to
adequately cover the risk through The Fire and Other Perils Contract (See Lesson 4).
2. ROBBERY, BURGLARY, BREAK-IN AND HOLD-UP
The number of losses to Credit Unions, particularly in city areas has increased in the
recent past. Why are these losses happening in our Credit Unions? A major
contributing factor is that many of us feel it cannot happen to us and consequently an
easy-going attitude is adopted. Eventually such losses do happen. If we look at our
Credit Union office from the viewpoint of the criminal, what do we see?
- Currency exposed
- Easily accessible teller positions
- Doors to inner offices open or easily accessible.

Avoid all unnecessary exposure of money at teller’s position, desks or offices or in
any area that anyone other than authorised personnel has access to. All money must
be counted in an area that cannot be seen by members, guests or the general public.
The teller counter should be designed so that no unauthorised person can walk behind
it during office hours. Security doors (preferably opening outwards) should be used
to protect this area and particularly the people who work there. The use of security
glass is recommended and no space big enough to allow a would-be robber to vault
should be left. Lockable cash drawers or cash trays must be provided for each teller
in order to maintain exclusive control over the amount of funds for which the teller is
responsible. Tellers must be instructed to lock their cash drawers and remove the key
every time they leave their position. Also they must be instructed to maintain a
stipulated amount of money in the cash drawer. Remember that in many cases the
robber will only have enough time to steal the money in their cash drawer.
Bait money should be kept in each teller’s drawer or tray. An example of bait money
is a small bundle of currency such as several €5 notes, the serial numbers of which
have been listed. This list should be kept on file (but not with the currency). In the
event of a robbery, bait money should be handed out with other money. This is a
good post-robbery investigative technique to help police officials.
Tellers must be instructed to stamp all cheques received “for deposit only to the
account of ---- Credit Union”. There should be no exception to this rule. A list of
these cheques should be kept by the teller consisting of the cheque number, payee,
Credit Union account number, bank and amount of cheque. Staff should be instructed
not to discuss Credit Union affairs especially cash handling procedures in public
places such as on buses or in pubs because they may be overheard.

Cash in Transit
Banking the cash
Cash should be deposited:
- By more than one person
- At varying times
- Using varying routes
- By different people
- In daylight hours (as much as possible).
Under no circumstances should Credit Union personnel make it obvious that they are
carrying currency or cheques to or from the bank.
Use of Night Safe
All the preceding precautions should apply but care should be taken to ensure that
staff are trained in procedures:
- If lodging money at night, an advance party should check out the site of the
bank night safe.
The car driver or cash carriers should be instructed to keep going if:
- Someone suspicious is loitering near the bank, check shop doorways etc.
- The night safe appears to have been tampered with
- An out-of-order sign is on the night safe.

At least two people should make the cash lodgement and check that the moneybag has
not been left behind in the night safe drawer. Keep in mind carrying money to the
bank poses a large exposure to the people involved. When it is necessary to transport
large sums to the bank, the use of a security firm may be considered by larger Credit
Unions.
INTERNAL SECURITY IN THE CREDIT UNION
Safes
- Safes should be fire-proof and purchased from a reputable firm. During
opening hours safe doors should not be left open. If large sums of money are
maintained in the safe, only authorised personnel should have access to them.
The safe should never be open in view of members, guests or the general
public. The use of a good safe can be an enormous benefit to a Credit Union.
Alarms
- Burglar alarms and panic buttons can also help to minimise risks to the Credit
Unions. Alarms should, if possible, be connected to the local police station or
security firm. They should be serviced and tested regularly. Care must be
taken to ensure that the alarm is activated every time the office is unattended.
If a panic button is used, it should be a silent one. Any sudden noise when a
robbery is in progress can lead to serious injury for the Credit Union personnel
or indeed members.
Staff Training
Regardless of the number of defensive procedures that are established by a Credit
Union, there is still a danger that the Credit Union may experience an armed robbery.
Therefore staff must be trained regarding what to do and when to do it should an
unfortunate event occur.
Staff Instructions:
- Remain calm
- Follow instructions of the robber
- No heroics
- Be observant
- Inform police
- Preserve evidence
Staff training sessions should be held on a periodic basis, at least once per quarter.
Staff should be encouraged to remain as calm as possible. Keep in mind the robber in
many cases will be more nervous than the victim and any unexpected action could
precipitate injury to someone in the Credit Union office.
Staff should be instructed not to play the role of a hero. Keep in mind that direct action
against criminals is a responsibility of law enforcement officials and not Credit Union
employees.
Credit Union personnel should be instructed to be as observant as possible during the
hold-up. Rather than trying to guess the person’s height and weight afterwards, staff
should be instructed to compare an individual’s height with some other object in the
room. An individual’s weight should be compared to the size of someone else rather than
trying to guess the exact weight. This will give the police a more accurate description
of the individual. Keep in mind that many things can be changed by the robber, i.e.
hairline, moustache, beard, clothing etc. Therefore staff should pay particularly close
attention to the shape of the robber’s head, nose, ears and mouth. These items will
provide the necessary data that a police artist needs to draw a likeness of the bandit.
After the robber leaves, staff should observe the method of escape, for instance what
car he may be driving. At this point the local police should be called – stay on the
telephone as long as is necessary and give the data to the police as requested by them.
After the telephone call leave a line open in case the police need to call back to the
Credit Union for any purpose. At this point the premises should be secured. No-one
should be allowed to enter or leave until the police arrive.

Credit Union personnel should protect any evidence left by the robber. There may be
mud or other debris from the robber’s shoes, a dropped match box etc. If the robber
uses a note, staff should not touch this note unless it is absolutely necessary. The note
should be left lying on the counter until the police arrive. After the robber leaves, a
number of staff should immediately verify the amount of the loss. Staff should be
instructed to refrain from releasing any information to the local news media regarding
the robbery. Keep in mind if the amount of money stolen is released to the press, this
may very well appear in the headlines the following day. Such advertisements will
merely create additional problems for other Credit Unions. Keep in mind that other
robbers read the newspapers as well and they may find that if a large figure is quoted,
this may indicate that other Credit Unions carry a substantial amount of money.
Burglary, Break-In.
Credit Unions are also very susceptible to losses during non-business hours. So let us
take a look at the Credit Union office again from the criminal’s viewpoint. What does
the criminal see?
- Is the area around the Credit Union office quite dark during non-business
hours?
- Is there an absence of effective street lighting?
- Are shrubs or trees growing a little too high around windows and doors
providing a good concealment for the burglar while he is breaking into the
Credit Union office?
- Is the Credit Union dark inside?

Even though your Credit Union may not maintain any currency during non-business
hours, it is still susceptible to substantial losses such as theft or destruction of
computers, expensive typewriters, adding machines and vital records. Therefore
procedures need to be taken to help preserve Credit Union assets. All external doors
should be made of thick woodwork and fitted with good quality five lever mortice
deadlocks. Care must be taken when purchasing locks that they are burglar-proof.
For instance screws should not be seen from the outside as they can simply be
unscrewed to allow the burglar to break in. The presence of a burglar alarm can
sometimes deter the criminal. As mentioned before the use of a security shutter can
also be a deterrent to a break-in. Another area of vulnerability can be windows and
special attention should be paid when having the alarm system installed so that all
windows are covered by the system.
3. PUBLIC LIABILITY
Public liability simply means that the Credit Union has a legal liability to third parties
arising out of normal Credit Union activities. If for instance a Credit Union member
is injured on or about the premises of the Credit Union, the Credit Union may be
liable (See Lesson 4). Special care should be taken by the Credit Union in designing
the office to see that it is safe for all people using it. For instance all floor coverings
should be securely tacked down. If a Credit Union can only be accessed by a stairs,
special care should be taken to see that the stairs are in good repair; that they are lit
properly and that a notice will draw the attention of the person using them to the fact
that the stairs are there.
One example previously used in a lesson is of a slate falling off a roof. For instance if
a slate falls off the roof and damages a vehicle belonging to a third party, the Credit
Union could be liable to a claim under its public liability insurance. It is in the
interests of Credit Union directors to see that the premises are in good repair and that
all roof tiles are replaced if needed; that signs are secured and that car park areas are
properly maintained. In some Credit Unions, a Committee is set up to oversee the
maintenance of the Credit Union office.

4. EMPLOYERS LIABILITY
Credit Union Personnel may sue the Credit Union in respect of damages sustained as
a result of an accident. For such an action to be successful, it is necessary to prove
that the Credit Union is negligent. Examples of where negligence can be proven
include a failure by the Credit Union to provide a safe place and system of work.
Employees should always be suitable for the jobs they are being asked to do. Care
should be taken in the siting of all equipment. Credit Union employees should not be
asked to work with unsafe electrical connections, for instance loose sockets or loose
wires. The law should be followed in relation to people working with computers and
other machinery.

GLOSSARY OF TERMS
BAIT MONEY
Pre-marked currency which may be identified later
CONFISCATION
Losses arising out of illegal means and methods
EMBEZZLEMENT
The wrongful taking of property or money entrusted to one’s care
FIDELITY BONDING
Insurance to protect credit union assets arising out of loss through misappropriation of
funds by credit union personnel and third parties
FRAUD
Criminal deception
INTERNAL CONTROL
A term that describes a system of organisation and operation to minimise the
possibility that intentional or unintentional errors will go undetected.
LIABILITY
A legal obligation to a Third Party
MINIMISE
To reduce the likelihood of loss
PHYSICAL ASSETS
All property of the credit union with the exception of currency and cheques
RISK
Exposure to loss or injury or the subject of insurance

ROBBERY
The taking of another’s property by violence or threat of violence
SEGREGATION OF DUTIES
Division of duties between credit union personnel
THEFT
The act or instance of stealing
VANDALISM
Destruction of physical assets maliciously

APPENDIX 1
INTERNAL CONTROL QUESTIONNAIRE
This list sets out some of the key internal control considerations relating to major
areas of a Credit Union’s operation where error or fraud may occur. The list is
organised in relation to the major functional areas of a Credit Union.
CASH
1. Is cash on hand counted and verified regularly?
2. Does the Treasurer count and verify cash receipts daily or weekly?
3. Do all transactions have appropriate receipts and payment vouchers?
4. Is cash reasonably safeguarded?
5. Are pay-in-slips/collection sheets used when members pay in money?
6. As cheques are received, are they stamped “For Deposit Only to the account of
..............Credit Union”?
7. Are cash receipts balanced daily and entered in the Journal and Cash Record
or Receipts Books on the day received?
8. Are sufficient precautions taken to prevent Credit Union funds from being
mixed with personal funds?
9. Is cash in the safe under dual control and are adequate safekeeping facilities
provided?
10. Are bank deposits made intact and within the time limits prescribed in the
Rules?
11. Are cash floats established and replenished as decided by Board policy?
12. Is individual responsibility maintained for Credit Union funds including a
separate cash drawer, and provisions for receipts for transfers of funds when
there is more than one teller concerned with cash receipts and custody?
13. Are cash over/short items recorded accurately and are such items reviewed
monthly by the Board of Directors?
14. Are bank lodgements prepared by an official or employee who does not serve
as Teller?
15. Are there regular Board member (Treasurer), or supervisory committee checks
conducted on cash balances, cash limits and balancing procedures?
16. Is petty cash counted and verified regularly?

Disbursements
1. Do all disbursements have appropriate authorisation by invoices or payment
vouchers?
2. Are there any unusual or unauthorised disbursements?
3. Are there any unusually large payments?
4. Are disbursements made by cheque and in accordance with Board approved
procedures?
5. Are all disbursements properly recorded?
6. Do the board minutes contain a current record of the names of directors and
employees who are authorised to sign cheques?
7. Are adequate measures taken to prevent blank cheques from being signed or
countersigned?
8. Are spoiled or voided cheques accounted for and retained?
9. Are withdrawals from inactive accounts verified by an official other than the
person making the disbursement?
10. Are bank reconciliations prepared monthly by persons not directly concerned
with handling Credit Union funds and recording them on the books of
accounts?
11. Does the supervisory committee receive bank statements directly from the
bank, and reconcile them monthly with Credit Union Records?
12. Are loans disbursed only after completed and fully signed application forms
have been approved by the credit committee or loan officer and properly
signed promissory notes have been completed?
13. Are loans disbursed by the loan officer who approved the loans?
14. Are invoices and bills for Credit Union expenses and capital expenditures
marked paid with the date of payment to prevent their being used more than
once to support a disbursement?

Lending
1. Has the Board of Directors adopted written loan policies and procedures?
2. Have the policies and procedures been explained to members?
3. Is interest being calculated properly?
4. Have any large or unwarranted loans been made to officers?
5. Are loans to officers approved in accordance with Rules (Rule 41 - Republic of
Ireland and Rule 42 - Northern Ireland)?
6. Are members making full payments on both interest and principal?
7. Are loans disbursed after completed applications are made, a thorough
screening and evaluation is made, approval is given by the credit committee
and a signed note is obtained?
8. Are complete minutes prepared of every credit committee meeting?
9. Are loan officer records incorporated in the credit committee minutes?
10. Are credit committee minutes totalled and ruled off in such a manner that
prevents additions or alterations?
11. Are paid promissory notes marked “paid” (and returned to members)?
12. Are loans paid out by someone other than the loans officer or credit committee
members who have approved the loan?
Loan Delinquency
1. Is a complete report of delinquent loans prepared each month and
reviewed by the Board of Directors or by a special committee of the
Board?
2. Is the delinquency ratio reasonable?
3. Is the method of collecting delinquent loans effective?
4. Are written-off loans reviewed by the directors at least twice annually to
reinstitute collection efforts?
5. Are recoveries of written-off loans properly recorded?
6. Does the supervisory committee confirm the outstanding balances of
delinquent loans that are in the hands of the collection agencies and also
the loan balances written-off since the last audit?
7. Are reserves and provisions properly maintained at a level to protect the
members’ savings?
8. Is Resolution No. 11 of 1987 completed on a regular basis?
9. Is the existing provision for bad & doubtful debts sufficient to meet that
required by Resolution 11?

Investments
1. Do Board Minutes contain prior approval for the making of or changes in
investments?
2. Are investment policies reviewed at least annually for possible adjustments?
3. Are adequate safekeeping facilities provided for investment certificates and
receipts?