INTERNAL CONTROLS

CONTENTS

Introduction
Definition of Risk Management
What is Risk?
  Pure Risk
  Speculative Risk
What is Risk Management?
  Risk Identification
  Risk Measurement
  Risk Control
Loss Control and Prevention
  Internal Controls: Definition
  Internal Control System
  Administrative Controls
  Segregation of Duties
  Accounting Controls
  Operating Responsibilities
Evaluation of Internal Controls
  Segregation of Duties
  Survey of Internal Controls
  Analysis by Function
Internal Controls in Effect
  Reporting Internal Control Deficiencies

Computer Risk Management
  Introduction
  Risks to Data
    Human Error
    Technical Error
    Natural Disasters
    Deliberate Actions
    Malicious Damage
    Improper Disclosure
  Computer Systems Controls
    Hardware Controls
    Software Controls
    Data Controls
    Input Controls
    File Controls
    Output Controls
    Data Transmission Controls
  Administrative Controls
    Physical Security
    Backing-up
    Maintenance & Support
    Legal Requirements

Physical Aspects of Risk Management
  Physical Hazards
    Fire
    Storm & Flood
    Vandalism
    Robbery
    Cash in Transit
  Internal Security in the Credit Union
    Safes
    Alarms
    Staff Training
    Staff Instructions
  Burglary, Break-in
  Public Liability
  Employers Liability

Glossary
Appendix 1

INTRODUCTION

The term Risk Management has evolved in the insurance and commercial world during the last thirty years. Most people tend to think of Risk Management only in terms of insurance. However, Risk Management may be defined as a conscious attempt on behalf of Credit Union management to identify, to measure and to control all exposures to loss which are created by the activities in which a Credit Union engages.

This lesson is sub-divided into three sections:

(1) (a) Definition of Risk Management
    (b) Internal Controls.
(2) Computer Risk Management.
(3) Physical aspects of Risk Management.
DEFINITION OF RISK MANAGEMENT

Credit Unions are confronted with risk on a daily basis, regardless of the nature of the common bond, size or location. The element of risk is found in all phases of the Credit Union operation. Down through the years Credit Unions have encountered substantial losses suffered by way of burglary, robbery, forgery, embezzlement and liability claims. In some cases the viability of the Credit Union may have been seriously threatened, not because of the monetary loss, but because of the impact such an occurrence can have on the credibility of the Credit Union with the public and the membership. A Credit Union is no different from other business organisations in that it is equally vulnerable to loss by way of error or fraud. Often the significance of risk management is only appreciated when the Credit Union has experienced a loss.

Risk Management starts at a fundamental level and asks the basic question: "To what risks is this organisation exposed?"

WHAT IS RISK?

In insurance terms "RISK" is exposure to loss or injury, or the subject of insurance. In Credit Union terms "Risk" may be defined simply as the uncertainty of loss. When the loss will occur, and the effect and cost of that loss, are the unpredictable aspects of "Risk". Basically there are two types of risk: PURE RISK and SPECULATIVE RISK.

PURE RISK embraces all possibilities of loss arising out of either the destruction or the confiscation of Credit Union assets. Credit Unions may also suffer indirect loss.

Loss by destruction can involve loss of assets, or reduction in the value of assets, by fire, flood, storm, vandalism or civil commotion.

Loss by confiscation can occur by legal or illegal means. Legal means may involve a Credit Union being sued for such matters as negligence, wrongful dismissal of staff, or damage caused by Credit Union personnel to property or vehicles owned by third parties.
The Credit Union, being a legal entity, can be sued, as can its directors and staff, individually or collectively. In turn, a Credit Union can itself initiate legal action.

However, the greatest risk facing a Credit Union for loss by confiscation arises out of illegal means and methods. Cash and other assets may be lost or destroyed through burglary, robbery or armed hold-up. These losses usually come about through the action of outside parties. Such losses amount to almost 50%, in money value, of bond claims made by Credit Unions under the League Star Plan Insurance package.

The other area of substantial loss arises through embezzlement and internal fraud perpetrated by Credit Union personnel. In order to embezzle, the criminal must have access to assets and records and have the opportunity to carry out the crime, which in some cases has continued over long periods of time.

In addition to the types of loss mentioned, indirect loss may also occur. When a Credit Union's property or records are destroyed, further loss may arise, such as additional expenses incurred in rebuilding the property, renting alternative interim accommodation, loss of rental income, and the reconstruction and re-establishment of Credit Union records or computer files. All the above risks can be insured against, and certain losses can result from under-insurance (see lesson 4).

SPECULATIVE RISK embraces all the uncertainties in the management of the assets of the Credit Union and can bring gain or loss. The main purpose of a Credit Union is to help members accumulate savings and to use that pool of savings to make loans to its members. These simple functions require the exercise of astute financial management on the part of the Board of Directors. This requires a fine balance between Credit Union philosophy and sound business practices.
Credit Union Boards continually have to weigh the granting of loans and investment decisions against the risk of bad debts, which impair the assets and the income return necessary to meet day-to-day expenditure. Decisions have to be made in regard to the acquisition of premises and equipment, balancing the immediate loss of income against the anticipation of growth and further income. These decisions, and many more, involve the Board in Speculative Risks on an ongoing basis.

SUMMARY

Pure Risk can result only in loss; there is no possibility of gain.

Speculative Risk can bring gain or loss; it embraces all the uncertainties in the management of the assets of the Credit Union.

WHAT IS RISK MANAGEMENT?

Definition

Risk Management may be defined as a conscious attempt on behalf of Credit Union management to IDENTIFY, to MEASURE and to CONTROL all exposures to loss which are created by the activities in which a Credit Union engages. There are three key words in this definition: IDENTIFY, MEASURE and CONTROL.

RISK IDENTIFICATION

This involves recognising the various exposures confronting the Credit Union by determining what can happen to cause a loss. It is helpful to list all the potential areas of the Credit Union's operation where risk might exist and where there is a potential for loss to the Credit Union. Risk areas can be identified under the following headings:

Internal controls
Cash and other assets
Administrative and computer systems
Staffing
Robbery
Burglary
Systems
Premises

The Board of Directors should examine each of these areas and determine the potential risk to the Credit Union. Apart from direct loss, Credit Unions must also be aware of additional losses arising from such matters as loss of income on embezzled funds and the substantial expenses that can arise where it is necessary to have a separate independent audit undertaken.

RISK MEASUREMENT
This process helps to determine how often a loss may occur as well as the probable effect such a loss could have on the Credit Union. Loss frequency and loss severity are the two measurements of risk. The assessment of the potential severity of a robbery loss might help a Board of Directors to make alternative arrangements for the lodgement of cash, or to improve physical security protection in the Credit Union premises. Measuring the potential severity of a fraud might encourage a Board of Directors to increase the level of fidelity bonding.

RISK CONTROL

Risk control involves the selection of the most effective and efficient methods that may be used to prevent, or at least minimise, the possibility of loss. Basically there are five risk control methods which may be used to determine how a given risk can best be handled.

Avoid

Credit Unions should first consider ways to avoid risks, if possible and practical. For example, the exposure to flood can be avoided by selecting an office site in an area that has no flood history.

Reduce

If a risk is unavoidable, Credit Unions should next consider ways in which exposure to the risk may be reduced. The risk of armed robbery can be reduced by installing an effective alarm system.

Spread

The third risk control step to be considered is that of spreading a risk, if possible and/or practical. An example of spreading a risk would be to make more frequent cash lodgements, so that less cash is on the premises at any one time.

Assume

There are some risks that a Credit Union may wish to assume. For example, a Credit Union may decide it can afford to stand the loss of its office furniture. The Credit Union's investment in such furniture is usually a nominal amount, so the loss may not adversely affect its assets. A word of caution when considering the use of this risk management tool: never risk a lot for a little, and never risk more than your Credit Union can afford to lose.
Transfer

Credit Unions should transfer all risks which cannot be totally avoided, effectively reduced, or efficiently spread to a safe assumption level. Transfer of risk may be accomplished through the use of lease agreements, or by the purchase of insurance. Remember that while transfer of risk through insurance may seem the most effective method, it is recommended that this be the last consideration in handling risks.

LOSS CONTROL AND PREVENTION

Internal Controls

Let us now look in more detail at the ways, means and systems available to a Credit Union to reduce the effects of loss. A safe Credit Union environment with sound operating policies and procedures is critical to preventing and minimising losses. All Credit Union losses are directly reflected in the cost of insurance premiums, and it is in the interest of all Credit Unions to prevent losses, because the payment of a claim to one has repercussions for the costs of all Credit Unions.

A Credit Union is a member-owned financial institution dealing in, and having a high turnover of, money and other negotiable documents. The trust of its members and the general public is vital. It must maintain its good reputation by conducting its business, and that of its members, in an efficient and trustworthy fashion. The existence of a system of prudential internal control procedures helps to maintain the integrity of the Credit Union.

Definition

Internal Control is a term that describes a system of organisation and operation that:

Safeguards the Credit Union's assets.
Checks the accuracy and reliability of the Credit Union's accounting records.
Promotes operational efficiency.
Encourages adherence to Board policy and directions.

In general terms, internal controls minimise the possibility that intentional or unintentional errors will go undetected. While internal controls will not necessarily prevent mistakes, they will help in identifying those that do occur.
Above all, they minimise the risk of loss resulting from fraudulent activity, by preventing it and by making detection easier. To commit fraud, there must be access to the assets (cash, bank account balances, loan balances), either through physical custody (authorised or otherwise) or through control or part control over their use, i.e. being in a position to authorise a loan or share withdrawal, or being a cheque signatory.

In the Irish Credit Union experience, most loss by fraud and embezzlement has arisen from custody and/or control over functions associated with:

loan approval/disbursement
share withdrawals
share transfers
receipt of cash in respect of shares/loans/interest
opening of bogus share/loan accounts
custody of cash
control over the movement of funds
control over ancillary Credit Union activities such as savings stamp schemes and travel cheques
fraudulent insurance claims.

Internal Control System

Invariably, almost all areas of fraud or error can be traced to some deficiency in the internal control system. There are two areas of internal controls: administrative controls and accounting controls.

Administrative controls are associated with Board decisions to authorise transactions and with its responsibility for achieving the objectives of the Credit Union. This authorisation is the starting point for establishing accounting control over transactions. Accounting controls, on the other hand, are concerned with safeguarding assets and assuring the reliability of financial records. Accounting controls should provide reasonable assurance that:

Transactions are in accordance with general or specific authorisation.
Transaction records permit proper preparation of monthly financial statements and year-end accounts.
Transaction records maintain accountability for all assets.
Access to assets requires proper authorisation.
Records, inspected at reasonable intervals, match existing assets, and if they do not, appropriate action will follow.
Each Credit Union is unique and no set of internal controls fits all cases. There are, however, certain underlying principles and procedures that must exist in all internal control systems.

Administrative Controls

The administrative structure and operating procedures of a Credit Union must be approved by the Board of Directors, subject to standard rules and legislation. There should be clear lines of authority and responsibility to segregate the operating and recording functions, and to provide persons, volunteer or full-time, who are qualified to perform their duties. From an administrative viewpoint, an internal control system should encompass the following elements.

Accounting System

The primary component of a strong internal control system is a good accounting system, which includes the recording and reporting of all transactions and balances. The accounting system must be flexible in its capacity, yet rigid in its controls and standards. It must be accurate and efficient. With experience, the supervisory committee can evaluate these broad criteria with precision.

Board Approval

The Credit Union's lending, investing, borrowing and operating expense policies must appear in the minutes of the meetings of the Board of Directors and must clearly establish limitations and authority. The Board should review and adopt formal income and expense budgets as well as cash flow projections. This control feature must provide for a reporting system that will keep the directors informed regarding delinquent loans, the level of withdrawal of shares and deposits, and investments, together with an accurate monthly financial statement including a cash report, an income and expenditure account and a balance sheet.

Access to Assets

Cash Control

The Board must authorise the amounts of cash floats, petty cash and internal cheque funds. Each teller needs to have sole access to his or her cash. Cash funds shared by tellers are a threat to security, and even relief tellers must have their own funds.
Each individual must be directly and solely accountable for the cash assigned to him or her.

Joint Custody/Dual Control

It is recommended that access to the strong-room, files or other storage devices should require at least two keys or combinations, under the control of at least two different individuals. It is essential, if dual control is to be effective, that all persons involved guard their keys or combinations carefully. Then only the collusion of two or more people can bypass this important control feature. Items that should be under effective dual control include:

Cash funds
Investment securities
Reserve supply of cheques
Un-issued travellers' cheques
Savings stamps
Cash vouchers
Spare keys to tellers' cash boxes.

Segregation of Duties

When two or more persons are involved in a transaction, the work of one serves as a check on the accuracy of the work of the other, and the possibilities of fraud and the incidence of undetected error diminish considerably. No one person should handle any transaction from beginning to end. For example, a person paying out and accepting cash should not post the journal cash record or the receipts/disbursements books. A loan officer must not pay out the loans he or she has approved, and those persons having authority to sign cheques should not reconcile bank accounts.

Obviously, segregation of duties becomes more difficult the smaller the Credit Union. The example below shows how some Credit Union duties can be divided between two persons. To the degree that duties are not segregated, the supervisory committee must consider the need for greater testing of the internal controls to ensure that the risk of error or fraud is reduced.

Example: Segregation of Credit Union duties between two persons.

First Person                                    Second Person
1. Acts as teller and completes pay-in-slips.   1. Posts share, loan and interest payments to members' accounts.
2. Prepares bank account reconciliations.       2. Is a cheque signatory.
3. Acts as Loan Officer.                        3. Pays out loans.

Personnel Policies

The Board should rigorously check the references of prospective employees. The Credit Union should create an atmosphere in which employees feel free to discuss problems and plans. Written job descriptions that define duties and responsibilities should exist for each position. Finally, each employee's job performance should be evaluated regularly.

Rotation of Personnel

Planned and unannounced rotation of the duties of all Credit Union personnel is an important principle of internal control. Such rotation should be of sufficient duration to be effective. Rotation of personnel, besides being an effective internal control check, can also be a valuable aid in the Credit Union's overall training programme.

Holidays

All Credit Unions should have an annual holiday policy that provides that each official be absent from his or her duties for an uninterrupted period of not less than one week. The indispensable official is a myth. This cannot be over-emphasised. It is our experience that an embezzlement of any substantial size usually requires the presence of the embezzler in order to manipulate the books, respond to enquiries from members or other officials, and otherwise prevent detection.

Account Controls

A Credit Union cannot conduct an efficient operation without a record-keeping system that is capable of generating a wide variety of reports. Such a system is necessary if a Credit Union's Board of Directors and management are to stay well informed and to remain fully in control. Forms, records and systems differ from Credit Union to Credit Union. However, the books of every Credit Union must follow and comply with the requirements of the Credit Union legislation (Republic of Ireland and Northern Ireland), and the accounts must comply with the relevant Statements of Accounting Practice as developed by the Accounting Standards Committee of the Accountancy Bodies.
In each instance, a Credit Union's records and accounts must reflect its actual financial condition, structure and operations accurately. A Credit Union's accounts and records must exhibit the following characteristics.

Operating Responsibilities

The accounting system must gather information in such a way as to provide internal reports on the major areas of operation, such as regular reports on delinquency and analyses of loans and savings. These reports assist in the management of the Credit Union and provide a check on accuracy and integrity.

The Credit Union must handle transactions uniformly during each accounting period. For instance, it cannot defer or capitalise expenses, or accelerate income, in order to misrepresent earnings.

Sequentially numbered transaction books and records, manual or computerised, will aid in proving, reconciling and controlling used and unused items. A person who confirms the existence of un-issued cheques and savings stamps should not prepare or issue them. In other words, un-issued, pre-numbered instruments that could be used to obtain funds should fall under dual control.

Records posted daily reflect each day's activities and keep them separate and distinct from another day's work. The records must show the Credit Union's financial condition and structure as of the given date.

Each account on the Credit Union's general or nominal ledger must be individually proved and balanced at least monthly. Subsidiary records, such as share and loan ledgers and investment registers, must agree with the general ledger control figures.

The records and systems must provide an audit trail to enable the tracing of any given transaction as it passes through the Credit Union's books.

Some of the more prevalent record-keeping deficiencies encountered by field officers or at the year-end audit include:

General ledger does not trial balance
Tellers' cash sheets do not balance
Not all pay-in-slips recorded on collection sheets/computer printout
Investment registers not maintained
Inadequate details concerning cash-over and cash-short
Use of erasers/Tippex in correcting errors
Failure to keep accounts and records posted on a current basis
Bank reconciliation records that are not current and/or fail to reflect all outstanding items.

Annual Audit

Every Credit Union must have an annual audit. This serves as a verification of the accuracy of the Credit Union's records and may disclose weaknesses in the system of internal control, which must receive the attention of the Board and be remedied by changes in procedures.

In the course of the audit, the auditor will evaluate and test the internal controls to determine the degree of reliance which he or she may place on the information contained in the Credit Union's accounting records. He or she will also review the work of the supervisory committee, regarding it as the internal audit function in the Credit Union. Should the supervisory committee require assistance or clarification on any accounting matters during the year, the auditor can and should be consulted. The extent to which the auditor will be able to take into account the work of the supervisory committee will depend on his or her assessment of the effectiveness of their function. In making this assessment the auditor will be concerned with:

the level of knowledge and competence/experience of the committee
the degree of independence of the committee from the day-to-day operations of the Credit Union
the scope, extent, timing and independence of the tests and verifications carried out by the committee
the documented evidence of work carried out by the committee
the evidence of reports to the Board and A.G.M., and the extent to which action has been taken on the recommendations of the supervisory committee.

The Credit Union Movement prides itself on its commitment to "self-regulation and control".
It is fundamental to the success of the Movement that the supervisory committee satisfactorily performs its "internal audit functions" in order to safeguard the Credit Union from exposure to risk from error and fraud.

EVALUATION OF INTERNAL CONTROLS

1. Segregation of Duties

The concept of segregating duties is a major part of any internal control system and involves the segregation of those duties or responsibilities which would, if combined, enable an individual to record and process a complete transaction. In evaluating the system of internal control the question to ask is whether it would be possible for an official to steal assets of the Credit Union and also cover up the shortage in the accounting records. It is a standard of internal control that an official should not have both access to an asset and responsibility for recording it.

The actual division of duties is in some cases very difficult because of a limited number of officials and the necessity of specialised training to perform certain duties, particularly where a computer system is used. It may be necessary to rely on independent reviews and control totals rather than an actual segregation of the duties. In some extreme cases one person, the Treasurer, may assume, or be left no alternative but to assume, control of all book-keeping and cash transactions. Even a review of control totals may not be possible because of staff limitations. The supervisory committee should recognise this situation and concentrate additional checking effort on the transactions that could potentially contain errors.

2. Survey of Internal Controls

The level of internal control that exists in your Credit Union plays a major part in determining the scope of the work of the supervisory committee and the auditor. The survey of internal controls will also help in identifying areas in which improvements can be made in the Credit Union's operating procedures and its volunteer/staff organisation.
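The evaluation question under 1 above (can one official both take an asset and cover the shortage in the records?) can be applied mechanically to a list of who does what. The following is an added example in Python, not part of the original lesson: it takes the two-person split from the Segregation of Duties section and the "Treasurer does everything" case, reports each incompatible pair held by one person, and treats an independent review of that person's output as a compensating control, as the text allows. The duty names, the list of incompatible pairs and which review covers which pair are assumptions drawn from the examples in the lesson.

```python
"""Segregation-of-duties evaluation for a small credit union office.

Added example, not from the original lesson. Duty names, the incompatible
pairs and the review-based compensating controls are assumptions drawn from
the examples in the text (teller vs posting member accounts, loan approval vs
loan payout, cheque signing vs bank reconciliation, cash handling vs bank
reconciliation).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Pairs of duties that, held by one person, let that person both take an
# asset and cover the shortage in the records.  (Assumed list.)
INCOMPATIBLE_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"teller", "post_member_accounts"}),
    frozenset({"approve_loans", "pay_out_loans"}),
    frozenset({"sign_cheques", "reconcile_bank"}),
    frozenset({"prepare_lodgements", "reconcile_bank"}),
    frozenset({"teller", "reconcile_bank"}),
}

# An independent review of the output can stand in for a segregation that a
# small office cannot achieve.  Which review covers which pair is assumed.
COMPENSATING_REVIEWS: Dict[FrozenSet[str], str] = {
    frozenset({"prepare_lodgements", "reconcile_bank"}): "review_bank_reconciliation",
    frozenset({"teller", "reconcile_bank"}): "review_bank_reconciliation",
    frozenset({"teller", "post_member_accounts"}): "review_teller_cash_reconciliation",
}


@dataclass(frozen=True)
class Finding:
    person: str
    duties: FrozenSet[str]          # the incompatible pair this person holds
    compensated_by: Optional[str]   # independent reviewer, or None if uncovered


def _independent_reviewer(pair: FrozenSet[str], person: str,
                          assignments: Dict[str, Set[str]]) -> Optional[str]:
    """Return someone other than `person` who performs the compensating review
    and holds neither of the conflicting duties, or None."""
    review = COMPENSATING_REVIEWS.get(pair)
    if review is None:
        return None
    for other, duties in sorted(assignments.items()):
        if other != person and review in duties and not (pair & duties):
            return other
    return None


def find_conflicts(assignments: Dict[str, Set[str]]) -> List[Finding]:
    """Every incompatible pair held by a single person, with its compensating
    reviewer if one exists.  Order is deterministic (by person, then pair)."""
    findings = []
    for person, duties in sorted(assignments.items()):
        for pair in sorted(INCOMPATIBLE_PAIRS, key=sorted):
            if pair <= duties:
                findings.append(Finding(person, pair,
                                        _independent_reviewer(pair, person, assignments)))
    return findings


def uncovered(findings: List[Finding]) -> List[Finding]:
    """Conflicts with no compensating review: these need extra testing by the
    supervisory committee rather than reliance on the control system."""
    return [f for f in findings if f.compensated_by is None]


# Constructed data: the two-person split from the lesson's example.
TWO_PERSON_SPLIT: Dict[str, Set[str]] = {
    "first":  {"teller", "reconcile_bank", "approve_loans"},
    "second": {"post_member_accounts", "sign_cheques", "pay_out_loans"},
}

# Same office after the second person is given the review of the bank
# reconciliation prepared by the first (assumed compensating control).
TWO_PERSON_WITH_REVIEW: Dict[str, Set[str]] = {
    "first":  {"teller", "reconcile_bank", "approve_loans"},
    "second": {"post_member_accounts", "sign_cheques", "pay_out_loans",
               "review_bank_reconciliation"},
}

# The extreme case from the text: the Treasurer does everything.
TREASURER_ONLY: Dict[str, Set[str]] = {
    "treasurer": {"teller", "post_member_accounts", "approve_loans", "pay_out_loans",
                  "sign_cheques", "reconcile_bank", "prepare_lodgements"},
}

if __name__ == "__main__":
    for label, office in [("two-person split", TWO_PERSON_SPLIT),
                          ("with independent review", TWO_PERSON_WITH_REVIEW),
                          ("treasurer only", TREASURER_ONLY)]:
        findings = find_conflicts(office)
        print(f"{label}: {len(findings)} conflict(s), {len(uncovered(findings))} uncovered")
        for f in findings:
            status = f"reviewed by {f.compensated_by}" if f.compensated_by else "UNCOVERED"
            print(f"  {f.person}: {' + '.join(sorted(f.duties))} -> {status}")
```

Run as written, the two-person split reports one conflict: the teller who handles cash also prepares the bank reconciliation, with nobody reviewing it. Giving the second person the review clears it; the Treasurer-only office reports five uncovered conflicts and, as the text says, must be handled by extra checking rather than reliance. Note the limit of a two-person office: the only possible reviewer is a cheque signatory, so the review is independent of the cash but not of the whole payment cycle, which is why the committee's greater testing still applies.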
The most direct method for gaining an understanding of the internal controls in a Credit Union is to complete an internal control questionnaire, such as the one in Appendix 1. Ideally, the supervisory committee should complete this questionnaire. Complete the questionnaire by asking the questions of the Credit Union official who is directly responsible for a particular functional area, for example by meeting with the Treasurer to answer the questions concerning disbursements and the books of account. It is a good idea to write explanatory notes on the questionnaire as answers are given. For instance, you should make a note of the names of the cheque signatories.

The internal control questionnaire is arranged by subject area to provide convenient groups of questions. It is a good idea to do some preliminary planning before starting to complete the questionnaire. The supervisory committee should decide who should be asked to answer the questions in each section, and record this on the questionnaire for later checking if more information or explanation is required.

3. Analysis by Function

After completing the questionnaire the next step is to evaluate the answers. This step calls for sound judgement on the part of the supervisory committee to determine if the system of internal control in operation is adequate. An adequate system is one that is free from material weaknesses, i.e. one which enables Credit Union personnel, in the normal course of their duties, to prevent or promptly detect major errors or irregularities in the records.

The following method for evaluating the system of internal control allows analysis by function.

A. Divide Credit Union operations into the following functional areas:

Cash receiving, including recording of the transactions
Cash disbursements, including recording of the transactions
Loan processing and record keeping
Investment functions.

B. List the potential errors and irregularities that could possibly occur in each of the above functional areas. For example, one potential error in the receipt of cash would be recording the wrong amount on a member's pay-in-slip.

C. After each potential error, list the possible control procedures that would either prevent or detect it. These are some of the control procedures that would prevent or detect the pay-in-slip error:

Members are given a copy of the pay-in-slip, which may then lead to discovery and reporting of the error.
Tellers must reconcile their cash on hand at the end of each day with the transactions they processed during that day.
The Treasurer or Manager must review each teller's daily cash reconciliation before making an entry for cash-over or cash-short in the Journal Cash Record.
Member passbook verification is undertaken on a regular basis, or members receive a statement of their accounts showing all transactions since the last statement.

D. Determine which of these procedures the Credit Union performs, by use of the internal control questionnaire.

E. Evaluate each potential error to determine if it could be prevented or detected by the internal control procedures in effect at the Credit Union. Make a list of the potential errors that could occur and escape detection.

F. Consider whether this list of potential errors is serious enough to cause loss of faith in the ability of the internal control system to produce reasonably accurate records for the Credit Union. The conclusion not to rely on the existing system could be based upon your judgement that the potential errors are very large in amount or serious in nature, or that the lack of control procedures could allow a large number of less serious errors to occur.

Summary

In evaluating the adequacy of the internal control system an overview must be taken of the system as a whole.
Where a control is missing in one area, the errors that it might allow to get through could well be detected by another control at a different point in the transaction process. For instance, if the person who prepares the lodgements also completes the bank reconciliation this might well be a weakness; but if someone else, who did not handle the cash, checks the reconciliations, it is likely that any errors or losses there will be detected. So there is a compensating control for the one that is missing. It should also be borne in mind that it may not be absolutely necessary to have a rigid control where the potential loss is negligible in size.

If it is concluded that it is not possible to rely on the system of internal control to produce reasonably accurate records and to prevent error and loss, the committee must expand its work to determine the extent of the actual errors in the records. The specific tests and extra work depend on which areas the internal control weaknesses affect. For example, if there are serious weaknesses in internal control of the loan processing area it would be necessary to review a larger number of loan applications/promissory notes and to verify the signatures of borrowers, check credit committee records, and check paid cheques. The committee should be satisfied that, apart from posting errors, there is no fraud or embezzlement being perpetrated.

INTERNAL CONTROLS IN EFFECT

The evaluation of internal control is based upon the answers to the questionnaire, but that does not verify that the control procedures exist in actual practice. To be effective, procedures and policies must not only be established by the Board; they must be followed and be seen to be in operation. Adherence to most of the major internal control procedures can be reviewed by observing personnel at work or by reviewing Credit Union records.
For example, to verify compliance with the procedure requiring the Treasurer, Manager or senior teller to review all of the tellers' daily cash reconciliations, you could either watch that person actually conduct the review, or the committee could inspect a sample of the daily cash reconciliations to see that the overseer's initials appear on each one to indicate review and approval. If it is found that Credit Union officials are not complying with certain control procedures, the Board should insist that they be brought into effect, or re-evaluate the control procedure.

Reporting Internal Control Deficiencies

Internal control is not a fixed system of procedures. If weaknesses are discovered they can be corrected. Any procedures which are not in use and which would reduce the chances of loss or error should be insisted on as part of Board policy. Having completed the questionnaire, the supervisors should report any discrepancies or other matters to a meeting of the Board of Directors. Suggestions by the supervisory committee for change must be supported by sound reasoning and ample evidence: a description of how things are currently being done and of how the new recommendations can improve operations.

COMPUTER RISK MANAGEMENT

Introduction

Today computers have become a necessary part of most organisations, even though the first business application of computers only took place in the late 1950s. There are many advantages for those who use computers:

Storage of large quantities of information (data)
Ease and speed of access to this information
Ability to process large volumes of transactions in a short period of time
Use of data to give necessary management reports.

The decision to purchase a computer system is an important one. A Credit Union will be tied to its purchase for at least five years before replacing or updating it.
Many of the controls which may have formerly operated under a manual system will have to be applied to the operation of the new computer system. This system and the data which it holds should be viewed as a valuable resource to be protected from accidental or malicious modification, destruction or disclosure. In the Credit Union context, personal data relating to members and their accounts must be safeguarded.

Risks to Data

Risks to data can fall under the following headings:
HUMAN ERROR
TECHNICAL ERROR
NATURAL DISASTERS
DELIBERATE ACTIONS
MALICIOUS DAMAGE
IMPROPER DISCLOSURE

Human Error

This is the risk with the highest incidence. Examples of human errors are:
- Incorrect entry of transactions
- Failing to correct errors
- Using wrong data files during processing
- Failing to carry out instructions in respect of security procedures.
Many of these errors arise from lack of suitable training and unauthorised use of the computer.

Technical Error

Technical error can involve malfunctioning of:
- Hardware, including: computer and disk drives; communication equipment; normal and emergency power supplies; air conditioning units
- Software, including: operating system; file management software; database software

Natural Disasters

Fire, flooding and, to a lesser extent, explosion, impact and lightning are examples of natural disasters.

Deliberate Actions

The scope for fraud needs particularly careful consideration where data is held on magnetic media, because such data is not immediately legible and it may therefore be difficult to obtain evidence of improper amendment.

Malicious Damage

There may be a risk of disaffected employees or volunteers destroying data. Malicious damage may also be caused by vandalism.

Improper Disclosure

The information held by a Credit Union can be of value to outside parties, and loss can result from the improper or unauthorised disclosure of such information.
COMPUTER SYSTEM CONTROLS

As part of the risk management process, computer system controls must be maintained regardless of the size of application or method of processing (i.e. batch or real time). If certain controls are difficult to establish (e.g. segregation of duties), more emphasis has to be placed on other control areas (e.g. procedural and processing controls).

Hardware Controls

Computer hardware can break down, malfunction or be used incorrectly. Controls can be established to:
a) Ensure the continuity of data processing should a hardware fault occur
b) Identify such incorrect usages when they occur, and either prevent them from recurring or report them when they do happen.

There should be regular maintenance checks on hardware by qualified computer engineers to prevent faults from happening. This will reduce the likelihood of breakdown and data transfer faults. However, if a hardware breakdown does occur there ought to be contingency plans to ensure that data processing operations can continue. These include:
- A back-up unit
- An agreement with the supplier to provide a replacement system, or a manual stand-by system for temporary interruptions.

SOFTWARE (PROCESSING) CONTROLS

Software Controls

Controls over data on file can be written into the computer’s software. These include file identification checks and control total checks. In the former case the computer will check that the correct file has been loaded for processing before it will begin its processing operations. Control total checks can be made on a file by writing them into the application program. The complexity of these checks varies with the degree of control required, but basically they are designed to ensure that all member accounts are fully processed.
Data Controls

Processing controls can be divided into four main areas:
- Input Controls
- File Controls
- Output Controls
- Data Transmission Controls

Input Controls

The method of input chosen should minimise the likelihood of clerical errors. Staff should be well trained, properly supervised and encouraged to look for errors. There should be some method of verifying data that has been input before processing, such as an “on screen check”. Another check would be a printed listing providing an audit trail of what has been keyed. Batch control checks and sequence checks can also be used to ensure processing is complete.

File Controls

Computer files should be physically safeguarded. Fireproof cabinets should be used for storage purposes. Files can be stolen, misplaced, damaged or corrupted, and this is why creating back-up files is now a regular routine in many offices. Back-up copies should be stored off-site.

Special problems exist with computer systems where the computer user can access data files and program files via his or her keyboard. This problem is one of unauthorised access. To ensure that files are not read, altered or destroyed, either accidentally or deliberately, without proper authority, access to computer files must be restricted. The most effective means of restricting access is by means of passwords, with all attempted violations of security automatically logged.

Output Controls

In a batch processing system it is necessary to ensure that all batches have been processed fully. If input data has been rejected, the cause must be ascertained. Output can be in the form of either computer listings or magnetic files. Computer listings should be destroyed when no longer of use. Magnetic files should be properly labelled and stored.

Data Transmission (Telecommunications) Controls

To date these are not very relevant in the Credit Union context, but where data is being transmitted special control measures need to be taken.
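The file identification check, control totals, batch control check and sequence check described in the two sections above, as an added example (not code from this lesson or from any Credit Union system); the record layout, header fields and the sample lodgement batch are constructed for illustration:

```python
# Added example: batch control checks over a keyed batch of member lodgements.
# The record layout, header fields and sample batch are constructed, not real.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    seq: int          # sequence number written on the pay-in slip as it is keyed
    account: int      # member account number
    amount: Decimal   # amount lodged, in euro


@dataclass(frozen=True)
class BatchHeader:
    file_id: str          # label of the file this batch belongs to
    record_count: int     # number of slips the clerk counted by hand
    value_total: Decimal  # adding-machine total of the amounts on the slips
    hash_total: int       # adding-machine total of the account numbers: meaningless
                          # as a figure, but it catches a mis-keyed account number


def file_identification_check(expected_file_id: str, header: BatchHeader) -> bool:
    """Before processing, confirm the file loaded is the one this run expects."""
    return header.file_id == expected_file_id


def sequence_check(transactions: list[Transaction]) -> tuple[list[int], list[int]]:
    """Every slip number from the lowest to the highest keyed must appear exactly
    once. Returns (missing, duplicated) sequence numbers."""
    if not transactions:
        return [], []
    seen: dict[int, int] = {}
    for t in transactions:
        seen[t.seq] = seen.get(t.seq, 0) + 1
    lo, hi = min(seen), max(seen)
    missing = [n for n in range(lo, hi + 1) if n not in seen]
    duplicated = sorted(n for n, c in seen.items() if c > 1)
    return missing, duplicated


def batch_control_check(header: BatchHeader, transactions: list[Transaction]) -> list[str]:
    """Recompute the three control totals from the keyed records and report each
    one that disagrees with the clerk's header."""
    problems = []
    count = len(transactions)
    value = sum((t.amount for t in transactions), Decimal("0"))
    hashed = sum(t.account for t in transactions)
    if count != header.record_count:
        problems.append(f"record count: keyed {count}, header {header.record_count}")
    if value != header.value_total:
        problems.append(f"value total: keyed {value}, header {header.value_total}")
    if hashed != header.hash_total:
        problems.append(f"hash total: keyed {hashed}, header {header.hash_total}")
    return problems


def validate_batch(expected_file_id: str, header: BatchHeader,
                   transactions: list[Transaction]) -> list[str]:
    """Run all checks. An empty list means the batch may be posted; otherwise it
    is held and each discrepancy is traced on the printed audit listing."""
    if not file_identification_check(expected_file_id, header):
        return [f"wrong file loaded: {header.file_id!r}, expected {expected_file_id!r}"]
    problems = []
    missing, duplicated = sequence_check(transactions)
    if missing:
        problems.append(f"sequence gap: slips {missing} not keyed")
    if duplicated:
        problems.append(f"sequence duplicate: slips {duplicated} keyed twice")
    problems.extend(batch_control_check(header, transactions))
    return problems


# Constructed sample: the clerk counted four pay-in slips before keying.
SAMPLE_HEADER = BatchHeader(file_id="LODGEMENTS-DAY-01", record_count=4,
                            value_total=Decimal("245.00"), hash_total=40210)

KEYED_CORRECTLY = [
    Transaction(101, 10023, Decimal("50.00")),
    Transaction(102, 10087, Decimal("120.00")),
    Transaction(103, 10011, Decimal("25.00")),
    Transaction(104, 10089, Decimal("50.00")),
]

# Same batch with two clerical errors: slip 103 was skipped and slip 104 was
# keyed as 500.00 instead of 50.00. Every check reports the discrepancy.
KEYED_WITH_ERRORS = [
    Transaction(101, 10023, Decimal("50.00")),
    Transaction(102, 10087, Decimal("120.00")),
    Transaction(104, 10089, Decimal("500.00")),
]
```

Calling validate_batch("LODGEMENTS-DAY-01", SAMPLE_HEADER, KEYED_WITH_ERRORS) returns four discrepancies (the sequence gap and all three control totals), while the correctly keyed batch returns an empty list and may be posted.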
ADMINISTRATIVE CONTROLS

Administrative controls relate to the day-to-day responsibilities of the computer user and will include much of what has already been discussed. Controls can be considered under four headings:

Physical Security

Disks and tapes should be kept in a fireproof cabinet or safe. Passwords and/or lockable keyboards should be used to prevent unauthorised access to the system. Computer printouts should be destroyed or shredded when no longer required.

Backing-up

Files should be backed up regularly. Procedures should not be allowed to slacken to the point where office staff do not bother to create back-up files because it takes too much time. Backing up of files should be regarded as an essential daily routine.

Maintenance and Support

Credit Unions should consider it a necessity to enter into hardware and software maintenance agreements, either with the supplier of the equipment or other reputable parties.

Legal Requirements

All Credit Unions should be aware of the relevant Data Protection legislation and Credit Union users must register. Care should also be taken to renew registration as appropriate (annually in the Republic of Ireland and triennially in Northern Ireland). The Board of Directors should be aware of the penalties for improper disclosure of data and must also comply with valid requests to have data corrected where appropriate.

PHYSICAL ASPECTS OF RISK MANAGEMENT

Physical Hazards

The element of risk to the physical assets of the Credit Union will be dealt with in this section. In previous sections we have identified ways in which Credit Unions can suffer loss. We will look in more detail at ways of minimising risk resulting from physical hazards under the following headings:
1. FIRE, STORM, FLOOD AND VANDALISM
2. ROBBERY, BURGLARY, BREAK-IN AND HOLD-UP
3. PUBLIC LIABILITY
4. EMPLOYERS LIABILITY

1. FIRE, STORM, FLOOD AND VANDALISM

It is the responsibility of the directors of the Credit Union to ensure that every precaution is taken to maintain premises as fire-proof as possible:
- Materials used in the construction or renovation should be to the highest standards available;
- Electrical installations should be carried out and checked regularly by experienced personnel;
- Central heating boilers should be serviced regularly by experienced personnel. Other heating systems such as electric fires should have all elements covered. Bottled gas heaters should be treated with caution;
- Flammable materials should not be allowed in the vicinity of cooking appliances;
- Ash trays, waste paper baskets etc. should be constructed from fire-proof material;
- Fire extinguishers should be positioned conspicuously and should be serviced regularly. There are different types of extinguishers available. A Credit Union should have at least one for electrical fires and one for non-electrical fires. Credit Union personnel should be trained in the use of this equipment;
- A reliable fire alarm system should be installed and, in the case of large Credit Union offices, a sprinkler system should be considered.

All Credit Union personnel should be familiar with a fire drill. One person should be responsible for co-ordinating all aspects of fire precaution. The law in relation to fire escapes etc. should be observed. Before leaving the office, the following routine should be standard practice:
- All electrical equipment should be disconnected or switched off.
- All inner doors should be closed.
- Alarms should be activated.

If all the foregoing has been observed, in risk management terms the board of directors will have done their best to avoid or reduce the risk.
STORM AND FLOOD

Loss can be sustained from flood and storm. While this is a more difficult risk to minimise, the following precautions should be taken:
- Site the Credit Union office in an area not subject to flooding, if possible
- Maintain the building in good repair
- Pipes should be lagged.

VANDALISM

Vandalism can account for loss to a Credit Union. The risk can be minimised by the use of:
(a) Steel shutters
(b) Flood lighting
(c) Internal security shutters
(d) Perimeter fences
(e) Burglar alarms.

The Credit Union may transfer the risk to an Insurance Company. Previous lessons will have dealt with this in some detail. When transferring a risk we must be sure to adequately cover the risk through the Fire and Other Perils Contract (See Lesson 4).

2. ROBBERY, BURGLARY, BREAK-IN AND HOLD-UP

The number of losses to Credit Unions, particularly in city areas, has increased in the recent past. Why are these losses happening in our Credit Unions? A major contributing factor is that many of us feel it cannot happen to us and consequently an easy-going attitude is adopted. Eventually such losses do happen. If we look at our Credit Union office from the viewpoint of the criminal, what do we see?
- Currency exposed
- Easily accessible teller positions
- Doors to inner offices open or easily accessible.

Avoid all unnecessary exposure of money at tellers’ positions, desks or offices, or in any area to which anyone other than authorised personnel has access. All money must be counted in an area that cannot be seen by members, guests or the general public. The teller counter should be designed so that no unauthorised person can walk behind it during office hours. Security doors (preferably opening outwards) should be used to protect this area and particularly the people who work there. The use of security glass is recommended and no space big enough to allow a would-be robber to vault should be left.
Lockable cash drawers or cash trays must be provided for each teller in order to maintain exclusive control over the amount of funds for which the teller is responsible. Tellers must be instructed to lock their cash drawers and remove the key every time they leave their position. They must also be instructed to maintain a stipulated amount of money in the cash drawer. Remember that in many cases the robber will only have enough time to steal the money in the cash drawer.

Bait money should be kept in each teller’s drawer or tray. An example of bait money is a small bundle of currency, such as several €5 notes, the serial numbers of which have been listed. This list should be kept on file (but not with the currency). In the event of a robbery, bait money should be handed out with the other money. This is a good post-robbery investigative technique to help police officials.

Tellers must be instructed to stamp all cheques received “for deposit only to the account of ---- Credit Union”. There should be no exception to this rule. A list of these cheques should be kept by the teller consisting of the cheque number, payee, Credit Union account number, bank and amount of cheque.

Staff should be instructed not to discuss Credit Union affairs, especially cash handling procedures, in public places such as on buses or in pubs, because they may be overheard.

Cash in Transit

Banking the cash

Cash should be deposited:
- By more than one person
- At varying times
- Using varying routes
- By different people
- In daylight hours (as much as possible).
Under no circumstances should Credit Union personnel make it obvious that they are carrying currency or cheques to or from the bank.

Use of Night Safe

All the preceding precautions should apply, but care should be taken to ensure that staff are trained in procedures:
- If lodging money at night, an advance party should check out the site of the bank night safe.
- The car driver or cash carriers should be instructed to keep going if:
- Someone suspicious is loitering near the bank (check shop doorways etc.)
- The night safe appears to have been tampered with
- An out-of-order sign is on the night safe.
- At least two people should make the cash lodgement and check that the moneybag has not been left behind in the night safe drawer.

Keep in mind that carrying money to the bank poses a large exposure to the people involved. When it is necessary to transport large sums to the bank, the use of a security firm may be considered by larger Credit Unions.

INTERNAL SECURITY IN THE CREDIT UNION

Safes

Safes should be fire-proof and purchased from a reputable firm. During opening hours safe doors should not be left open. If large sums of money are maintained in the safe, only authorised personnel should have access to them. The safe should never be open in view of members, guests or the general public. The use of a good safe can be an enormous benefit to a Credit Union.

Alarms

Burglar alarms and panic buttons can also help to minimise risks to the Credit Union. Alarms should, if possible, be connected to the local police station or security firm. They should be serviced and tested regularly. Care must be taken to ensure that the alarm is activated every time the office is unattended. If a panic button is used, it should be a silent one. Any sudden noise when a robbery is in progress can lead to serious injury for Credit Union personnel or indeed members.

Staff Training

Regardless of the number of defensive procedures that are established by a Credit Union, there is still a danger that the Credit Union may experience an armed robbery. Therefore staff must be trained regarding what to do and when to do it should such an unfortunate event occur.
Staff Instructions:
- Remain calm
- Follow instructions of the robber
- No heroics
- Be observant
- Inform police
- Preserve evidence

Staff training sessions should be held on a periodic basis, at least once per quarter. Staff should be encouraged to remain as calm as possible. Keep in mind that the robber in many cases will be more nervous than the victim, and any unexpected action could precipitate injury to someone in the Credit Union office. Staff should be instructed not to play the role of a hero; keep in mind that direct action against criminals is a responsibility of law enforcement officials and not Credit Union employees.

Credit Union personnel should be instructed to be as observant as possible during the hold-up. Rather than trying to guess the person’s height and weight afterwards, staff should be instructed to compare an individual’s height with some other object in the room. An individual’s weight should be compared to the size of someone else rather than trying to guess the exact weight. This will give the police a more accurate description of the individual. Keep in mind that many things can be changed by the robber, e.g. hairline, moustache, beard, clothing etc. Therefore staff should pay particularly close attention to the shape of the robber’s head, nose, ears and mouth. These items will provide the necessary data that a police artist needs to draw a likeness of the bandit.

After the robber leaves, staff should observe the method of escape, for instance what car he may be driving. At this point the local police should be called – stay on the telephone as long as is necessary and give the data to the police as requested by them. After the telephone call, leave a line open in case the police need to call back to the Credit Union for any purpose. At this point the premises should be secured. No-one should be allowed to enter or leave until the police arrive. Credit Union personnel should protect any evidence left by the robber.
There may be mud or other debris from the robber’s shoes, a dropped match box etc. If the robber uses a note, staff should not touch this note unless it is absolutely necessary. The note should be left lying on the counter until the police arrive. After the robber leaves, a number of staff should immediately verify the amount of the loss.

Staff should be instructed to refrain from releasing any information to the local news media regarding the robbery. Keep in mind that if the amount of money stolen is released to the press, this may very well appear in the headlines the following day. Such advertisements will merely create additional problems for other Credit Unions. Keep in mind that other robbers read the newspapers as well, and if a large figure is quoted this may indicate to them that other Credit Unions carry a substantial amount of money.

Burglary, Break-In

Credit Unions are also very susceptible to losses during non-business hours. So let us take a look at the Credit Union office again from the criminal’s viewpoint. What does the criminal see?
- Is the area around the Credit Union office quite dark during non-business hours?
- Is there an absence of effective street lighting?
- Are shrubs or trees growing a little too high around windows and doors, providing good concealment for the burglar while he is breaking into the Credit Union office?
- Is the Credit Union dark inside?

Even though your Credit Union may not maintain any currency during non-business hours, it is still susceptible to substantial losses such as theft or destruction of computers, expensive typewriters, adding machines and vital records. Therefore procedures need to be put in place to help preserve Credit Union assets. All external doors should be made of thick woodwork and fitted with good quality five lever mortice deadlocks. Care must be taken when purchasing locks that they are burglar-proof.
For instance, screws should not be visible from the outside, as they can simply be unscrewed to allow the burglar to break in. The presence of a burglar alarm can sometimes deter the criminal. As mentioned before, the use of a security shutter can also be a deterrent to a break-in. Another area of vulnerability can be windows, and special attention should be paid when having the alarm system installed so that all windows are covered by the system.

3. PUBLIC LIABILITY

Public liability simply means that the Credit Union has a legal liability to third parties arising out of normal Credit Union activities. If for instance a Credit Union member is injured on or about the premises of the Credit Union, the Credit Union may be liable (See Lesson 4). Special care should be taken by the Credit Union in designing the office to see that it is safe for all people using it. For instance, all floor coverings should be securely tacked down. If a Credit Union can only be accessed by stairs, special care should be taken to see that the stairs are in good repair, that they are lit properly and that a notice draws the attention of the person using them to the fact that the stairs are there.

One example previously used in a lesson is of a slate falling off a roof. If a slate falls off the roof and damages a vehicle belonging to a third party, the Credit Union could be liable to a claim under its public liability insurance. It is in the interests of Credit Union directors to see that the premises are in good repair and that all roof tiles are replaced if needed, that signs are secured and that car park areas are properly maintained. In some Credit Unions, a Committee is set up to oversee the maintenance of the Credit Union office.

4. EMPLOYERS LIABILITY

Credit Union personnel may sue the Credit Union in respect of damages sustained as a result of an accident. For such an action to be successful, it is necessary to prove that the Credit Union was negligent.
Negligence can be proven, for example, where the Credit Union fails to provide a safe place and system of work. Employees should always be suitable for the jobs they are being asked to do. Care should be taken in the siting of all equipment. Credit Union employees should not be asked to work with unsafe electrical connections, for instance loose sockets or loose wires. The law should be followed in relation to people working with computers and other machinery.

GLOSSARY OF TERMS

BAIT MONEY – Pre-marked currency which may be identified later
CONFISCATION – Losses arising out of illegal means and methods
EMBEZZLEMENT – The wrongful taking of property or money entrusted to one’s care
FIDELITY BONDING – Insurance to protect credit union assets against loss through misappropriation of funds by credit union personnel and third parties
FRAUD – Criminal deception
INTERNAL CONTROL – A term that describes a system of organisation and operation to minimise the possibility that intentional or unintentional errors will go undetected
LIABILITY – A legal obligation to a third party
MINIMISE – To reduce the likelihood of loss
PHYSICAL ASSETS – All property of the credit union with the exception of currency and cheques
RISK – Exposure to loss or injury, or the subject of insurance
ROBBERY – The taking of another’s property by violence or threat of violence
SEGREGATION OF DUTIES – Division of duties between credit union personnel
THEFT – The act or instance of stealing
VANDALISM – Malicious destruction of physical assets

APPENDIX 1

INTERNAL CONTROL QUESTIONNAIRE

This list sets out some of the key internal control considerations relating to major areas of a Credit Union’s operation where error or fraud may occur. The list is organised in relation to the major functional areas of a Credit Union.

CASH
1. Is cash on hand counted and verified regularly?
2. Does the Treasurer count and verify cash receipts daily or weekly?
3. Do all transactions have appropriate receipts and payment vouchers?
4. Is cash reasonably safeguarded?
5. Are pay-in slips/collection sheets used when members pay in money?
6. As cheques are received, are they stamped “For Deposit Only to the account of ..............Credit Union”?
7. Are cash receipts balanced daily and entered in the Journal and Cash Record or Receipts Books on the day received?
8. Are sufficient precautions taken to prevent Credit Union funds from being mixed with personal funds?
9. Is cash in the safe under dual control and are adequate safekeeping facilities provided?
10. Are bank deposits made intact and within the time limits prescribed in the Rules?
11. Are cash floats established and replenished as decided by Board policy?
12. Is individual responsibility maintained for Credit Union funds, including a separate cash drawer and provisions for receipts for transfers of funds when there is more than one teller concerned with cash receipts and custody?
13. Are cash over/short items recorded accurately and are such items reviewed monthly by the Board of Directors?
14. Are bank lodgements prepared by an official or employee who does not serve as Teller?
15. Are there regular Board member (Treasurer) or supervisory committee checks conducted on cash balances, cash limits and balancing procedures?
16. Is petty cash counted and verified regularly?

Disbursements
1. Do all disbursements have appropriate authorisation by invoices or payment vouchers?
2. Are there any unusual or unauthorised disbursements?
3. Are there any unusually large payments?
4. Are disbursements made by cheque and in accordance with Board approved procedures?
5. Are all disbursements properly recorded?
6. Do the board minutes contain a current record of the names of directors and employees who are authorised to sign cheques?
7. Are adequate measures taken to prevent blank cheques from being signed or countersigned?
8. Are spoiled or voided cheques accounted for and retained?
9. Are withdrawals from inactive accounts verified by an official other than the person making the disbursement?
10. Are bank reconciliations prepared monthly by persons not directly concerned with handling Credit Union funds and recording them on the books of account?
11. Does the supervisory committee receive bank statements directly from the bank, and reconcile them monthly with Credit Union records?
12. Are loans disbursed only after completed and fully signed application forms have been approved by the credit committee or loan officer and properly signed promissory notes have been completed?
13. Are loans disbursed by the loan officer who approved the loans?
14. Are invoices and bills for Credit Union expenses and capital expenditures marked paid with the date of payment, to prevent their being used more than once to support a disbursement?

Lending
1. Has the Board of Directors adopted written loan policies and procedures?
2. Have the policies and procedures been explained to members?
3. Is interest being calculated properly?
4. Have any large or unwarranted loans been made to officers?
5. Are loans to officers approved in accordance with the Rules (Rule 41 in the Republic of Ireland and Rule 42 in Northern Ireland)?
6. Are members making full payments on both interest and principal?
7. Are loans disbursed after completed applications are made, a thorough screening and evaluation is made, approval is given by the credit committee and a signed note is obtained?
8. Are complete minutes prepared of every credit committee meeting?
9. Are loan officer records incorporated in the credit committee minutes?
10. Are credit committee minutes totalled and ruled off in such a manner as to prevent additions or alterations?
11. Are paid promissory notes marked “paid” (and returned to members)?
12. Are loans paid out by someone other than the loans officer or credit committee members who have approved the loan?

Loan Delinquency
1. Is a complete report of delinquent loans prepared each month and reviewed by the Board of Directors or by a special committee of the Board?
2. Is the delinquency ratio reasonable?
3. Is the method of collecting delinquent loans effective?
4. Are written-off loans reviewed by the directors at least twice annually to reinstitute collection efforts?
5. Are recoveries of written-off loans properly recorded?
6. Does the supervisory committee confirm the outstanding balances of delinquent loans that are in the hands of collection agencies, and also the loan balances written off since the last audit?
7. Are reserves and provisions properly maintained at a level to protect the members’ savings?
8. Is Resolution No. 11 of 1987 completed on a regular basis?
9. Is the existing provision for bad and doubtful debts sufficient to meet that required by Resolution 11?

Investments
1. Do Board Minutes contain prior approval for the making of or changes in investments?
2. Are investment policies reviewed at least annually for possible adjustments?
3. Are adequate safekeeping facilities provided for investment certificates and receipts?