Internal Control Benefits Go Beyond Fraud Detection

While some may argue that credit unions’ greatest vulnerability is to cybercrime, I disagree – it is in fact to internal fraud. CU Times has reported on a number of credit unions that failed due to internal fraud, while we have yet to see a credit union fail due to cybercrime. We have seen many fraud-related losses at credit unions as well due to poor internal controls, including inefficient processes and countless errors.

Auditors and the insurance company that sells you your bond will tell you it is too difficult to audit or look for fraud. The boiler plate in your audit option points out that it is management’s responsibility to design, implement and maintain a system of internal control relevant to the preparation and fair presentation of financial statements that are free from misstatement whether due to fraud or error. The boiler plate goes on to say that the auditors express no opinion on the effectiveness of the credit union’s internal control. In other words, don’t count on audits as an internal fraud management strategy.

The best way to prevent and detect fraud is through a well-designed system of internal control that is documented, tested and operating. A well-designed system of internal control also leads to additional benefits such as improved member service and lower operating costs due to fewer errors and rework; it also helps local law enforcement reduce and prevent crime.

There are a few keys to creating a well-designed system of internal control:

• The system must be documented. Documenting your internal control system includes identifying the key controls you intend to rely on in each area of the credit union, so you can test them and ensure they are in place, effective and operating as expected.
• Responsibility for the system of internal control has to rest with the CEO. The buck stops at the CEO’s desk.
• Your board must hold the CEO accountable for the design, implementation and maintenance of the system of internal control.
• The CEO can and should assign the day to day work of internal control to an internal auditor(s) (either on staff or outsourced). Smaller credit unions will need to rely on help from their bond carrier or CPA to do the work that an internal auditor does for a larger credit union.
• An active supervisory committee is critical (or if there is no supervisory committee, an active board audit committee). The supervisory committee must conduct an annual audit with a well-qualified CPA firm. It should also make sure that all audit findings are addressed by the board and CEO (this includes any findings from external consultants, insurance providers, examiners and internal auditors). No audit finding should be closed without the agreement of the supervisory committee and the board. Unresolved audit findings should be documented and assigned to a member of staff with a deadline for completion. The supervisory committee should verify that the system of internal control is in place, operating and effective (and documented).
• You must have a data processing system that is well documented and reviewed annually for SAS 70 security risks. Most of a credit union’s transactions are completed through the data processing – it must record an audit trail, and all controls within the system must be documented and annually assessed.
• A working and effective vendor management program is essential. Credit unions rely on vendors to provide many of their services; vendors’ work can have an impact on their internal controls, and affect member balances or the credit union’s safety and soundness.

I was a credit union CEO for 32 years, a credit union CFO for five years, a CPA, a member of the CUMIS Risk Management Committee, a member of the California Department of Corporations Credit Union Advisory Committee and the volunteer chairman of a supervisory committee. Just as it takes a village to raise a child, it takes a coordinated and cooperative effort among a credit union’s key players – the CEO, CFO, board, supervisory committee, CPA, bond insurer and examiner – to prevent fraud (and errors). Here are some examples of what I learned in 37 years of credit union service and three years as a CPA to a number of credit unions:

1.  Insurance claims can be a sign of internal control problems, and the claims won’t end unless you identify the cause of the problem and fix it. Make sure your staff and board consider insurance claims the same way they would a loss on the financial statements.  Losing your bond coverage may be the incentive you need to improve internal control.

2.  A good way to find internal control problems is to ask your staff, “What makes your job difficult?” Staff often spend a lot of time fixing problems that affect members or hinder their ability to serve members. Those problems can also be internal control problems.

3.  My 22-branch credit union once experienced six armed robberies in one year. It happened just after 9/11, when the FBI was busy working on terrorism and stepped back from bank robbery work. I was told that robberies were a part of operating a financial institution, but we treated robbery as an internal control problem. We put in bandit barriers; increased our robbery drills to get tellers and staff focused on robbery procedures; asked service counter staff to advise members of our no hats, no hoods and no sunglasses policy; joined the local Crime Stoppers and organized with other financial institutions to share not only robbery photos but photos of potential “casing.”

As a result, we did not experience any more robberies even when institutions just across the street were robbed. At one point, a robber who robbed the bank across the street cased our branch. Our alert teller asked him to remove his hat, allowing our cameras to get a clear photo that helped lead to his arrest (and her alertness induced him to go elsewhere).

4.  Our internal audit team gave us countless recommendations for process improvement.  While documenting a process for internal control, they were able to recommend changes that saved time and money, and improved member service. That resulted in happier members, happier staff and lower costs.

5.  We completed a number of mergers and many more merger due diligence reviews, where we often found countless examples of internal control weaknesses (poor performance is often a reason for a merger). We saw countless examples of examiner, auditor and other third-party recommendations and findings that were never acted on or resolved. Amazingly, despite significant documented problems, neither the board nor supervisory committee members at these credit unions took action. Even worse, we saw that examiners and bond insurers often did not take action either.

6.  Segregation of duties is a key control. You will find in many of the reported fraud cases that one employee had control of too many aspects of a process, with no other person to control and oversee the work to ensure that there were no errors or fraud.

7.  I sensed that many credit union boards considered the audit a required function rather than a key control. I saw boards and supervisory committees that had no members with audit, financial or accounting expertise; unresolved audit findings; failure to hire an external reviewer of internal control to offset the lack of an internal audit function; hiring the lowest cost audit firm rather than the most qualified audit firm; and the lack of active engagement with auditors in planning and supervising the audit and the resulting findings.

As my grandmother always said, “An ounce of prevention is worth a pound of cure.” Internal control is the ounce of prevention. It gives you far more than fraud prevention – it improves operations, reduces costs, improves member service, increases staff morale and can result in innovations that lead to more revenue. That said, it is also the key responsibility of the CEO, and the board and supervisory committee are responsible for making sure internal controls are in place and functioning. Yes, I agree it is difficult to detect fraud, but a good internal control system will make it less likely to occur, and if it does, you’ll discover it quickly.

Henry Wirz is the Former President/CEO for SAFE Credit Union in Sacramento.