June 15, 2011 3:30 – 5:00 PM Presented by: Catherine Bruder, CPA.CITP, CISA, CISM, CTGA OPERATIONAL BRANCH AUDITS

June 15, 2011 3:30 – 5:00 PM

Presented by: Catherine Bruder, CPA.CITP, CISA, CISM, CTGA

OPERATIONAL BRANCH AUDITS

Overview

Branch Audits
Planning
Risk Assessment
Audit Program
Security
Compliance

Branch Audits – nothing has changed in 50 years!

Everything has changed!
Survey

Operational Branch Auditing

© Doeren Mayhew

Select a branch
  Random, loss based, activity based, etc.
Gather Permanent File
  Branch organizational chart
  List of key personnel and duties
  List applicable policies and procedures
  List of forms and/or reports used by the branch
  List of applicable laws and regulations

Planning

Policies and procedures
  Determine if the branch has current documented policies and procedures for the CU
  Determine if branch personnel are aware of the policies and procedures
  Are the policies and procedures adequate?

Planning

Perform a risk assessment
  Identify risks
    Cash and cash items
    ATMs
    Money orders, cashier checks, travelers checks, instant issue plastic cards
    Keys and combinations
    Safe deposit boxes
    Night depository
    Security
    Compliance

Risk Assessment

Conduct a walkthrough
Interview key personnel
  Do they understand the risk?
  Do they understand the policy?
Communicate with Finance
  Any outstanding concerns with the branch?
Communicate with Operations
Inspect the premises
  Doors and windows
  Video surveillance
  Insecure procedures

Risk Assessment

Branch basics
  Cash counts
  Policies & procedures
  Over and short reporting
  Branch limits
  Cashier’s checks, travelers checks, money orders
  Compliance postings
  Safe deposit boxes
  Security

Adjust the audit program to address the risks identified in the planning process

Audit Program

Document the branch operation in a narrative

Determine if the current operations reflect compliance with credit union policy and procedure

Identify key controls

Branch Processes

Cash Count – Surprise or No Surprise
Control the cash – Vault cash, drawers, ATM canisters and cash dispensers.
Arrive prior to normal hours
Inspect compartments, drawers, etc. for unusual items.
Verify cash limits are maintained
Obtain vault cash record and balancing sheet

Cash Counts

Keep vault supervisor present throughout the count
Inquire about the number of cash compartments
Count cash
  Strapped cash and rolled coin
  Loose currency and change
  Bait money
    Trace to schedule; schedule should be under dual control
    Watch for ‘stale dates’ on strap of bait money; change bait at least monthly
Compare totals and reconcile any differences
Report differences immediately to the appropriate supervisor

Cash Counts

Obtain teller over and short records for the last 6-12 months
Determine if disciplinary action was taken
Look for patterns such as
  Short just before pay day or vacation
  Watch for large overs that correct themselves

Over and Short

Dual control
Observe the following vault processes and compare to documented procedures
  Opening process
  Deposit and withdrawal procedures
  Access during business hours
  “The Money Cart”
  Vault closing

Vault Security

Observe that teller cash is maintained under separate control of the one and only assigned teller

Observe that keys are maintained in the personal possession of the assigned teller at all times

Cash drawers are locked and the key removed
Test whether a teller key will open any other teller drawers (in the presence of the head teller)
Ensure that teller cash is counted and securely stored at the end of day

Cash Controls

Interview personnel regarding procedures for handling counterfeit currency

Secret Service – “Know Your Money”

Counterfeit Currency

http://www.secretservice.gov

Inventory stock is stored in a secure location under dual control
Inventory of unissued stock by serial number is maintained
Physical inventory is performed at least monthly
Working stock controlled
  Last issued inventory recorded
  Locked at night

Greater than $10k requires CTR

Cashier Checks, Money Orders, Travelers Checks

Observe access to the compartment is under dual control
Register of bags/envelopes received is under dual control
Register is adequately completed including
  Account number
  Amount and number of all deposits
  Bag number
  Initials of two tellers
Controls over keys/combination
Sample test deposits
Ascertain that any bags held overnight containing valuables are recorded and secured
Sample night depository contracts
  Signed and on file

Night Depository

Unrented boxes
  Sample test keys to ensure keys are maintained under dual control
Newly rented boxes
  Sample boxes rented within the last 6-12 months
  Member identification and contract is obtained
  Contract is signed and dated by member and employee
  All blank lines in the contract are canceled in ink to prevent adding unauthorized names
  Identification of the renter has been verified

Safe Deposit Boxes

Visits
  Register identifies employee that provided access
  Member signature compared with the contract
  Proper identification is provided by the member
  Date and time is recorded
  Area is checked after the member leaves to ensure no items or documents are left
Delinquent boxes
  Procedures are followed to ensure collection

Safe Deposit Boxes

Start-up or access cards are maintained under dual control

Cash and envelopes should be counted under dual control

Deposits should be verified to the audit tape, initialed and dated by both employees

ATM proving is periodically rotated
Captured cards should be destroyed under dual control

ATM

Cards are locked and stored under dual control – working and stock

Card stock logged and inventoried
PIN encoding equipment is secured
  During working hours and after

ATM Cards

Obtain the number of wire transfers greater than $2,000 (or similar amount based upon risk tolerance) originated by branch
Wire transfer form is completed properly
Fee was collected
Transaction was processed from member’s account
Originator’s account number, name, address, etc.
Recipient’s name, account number, financial institution name and address, etc.

Wire Transfers

Interview VP of Lending
  Errors
  Low/high close rates
Determine delinquency and charge-offs by branch
Observe procedures
Interview staff regarding policies and procedures

Loan Documentation

Identify any exceptions noted in the BSA audit attributable to branch activity
  Modify audit program

Conduct a BSA assessment at the branch

Verify branch employees receive annual training

Bank Secrecy Act

Identify the number of Currency Transaction Reports (CTRs) filed by branch
  Determine the number of CTR errors for each branch
  Ensure CTRs are stored appropriately
Identify the number of Suspicious Activity Reports (SARs) by branch
  Review wire transfers >$10k originated at branch

CTRs and SARs

Inspect work areas
  Confidential, sensitive member information
  User IDs or Passwords
Evaluate user access profile
  “Too few staff, I need more access”
  Segregation of duties
Social engineering
  Security awareness

Information Security

Ensure branch employees receive training
  Robbery and security
  BSA
  GLBA – Information Security
  Compliance
  Operational
  New procedures
  New products

Training

Combinations
  Vault, drawers, lockers, etc.
  Segregation
    The same person shouldn’t control both combinations
  Combinations are changed at least once every 2 years even if the custodian has not changed
Observe vault gate is kept closed (if applicable)
  Control over gate key
Keys are kept under dual control
  Including the spares

Security

Video/DVR
  Checked daily to ensure
    Proper coverage
    Time/date
    Clear picture/image
  Maintained under management control
Clean desk policy
  Inspect working areas for sensitive or confidential information

Security

Observe opening procedures
  Inspection of premises
  Signal to other employees – all clear
Observe closing procedures
  All currency, negotiable instruments, valuables, etc. are secured
  No unauthorized persons are present
  Doors and windows are secured
  Video/DVR is working
  Alarm is set

Conduct a physical security audit

Security

Evacuation Plans - Interview and verify that a written evacuation plan exists, containing:
  Designated emergency assembly area, with diagram
  Designated employee positions to act as evacuation personnel
  Procedures for rapidly securing the institution's facilities, assets, and records
  Telephone numbers to notify emergency-service agencies.
  Emergency-notification telephone numbers for all employees.
Verify individuals demonstrate knowledge and proficiency in emergency-activation procedures

Security

Verify initial disclosures are available to the members in the branch

Ensure the branch is providing Truth in Savings Act disclosures before opening the account

Expedited Funds Availability Act postings in the lobby
NCUA posting
Home Mortgage Disclosure Act
Equal Housing Lender
U.S. Patriot Act
Inspect Labor Posting requirements
  Federal (FMLA, EEO, ADA, OSHA, etc.)
  State

Compliance

Communicate with the branch manager

Validate initial findings and recommendation

Review the management responses and discuss with the manager

Communicate target dates for remediation

Reporting

Deposit accounts overdrawn for more than 30 days, including dollar amount and volume (number of accounts)

New accounts opened
Fees waived
Transactions per full-time equivalent (FTE) employee
Statements mailed to branches
Security alarm reports
HR turnover ratio by branch
Identify the number of member complaints by branch

Other Metrics by Branch

Reassess audit program
Rotate procedures

Document a rotation schedule for the next audit period

Document follow-up procedures

Audit Program

QUESTIONS?

© Doeren Mayhew, 2011

Thank You!

Catherine Bruder, CPA.CITP, CISA, CISM, CTGA
Director, Financial Institutions Group
Office: (248) 244-3295
Cell: (248) 320-3434
Email: [email protected]
www.doeren.com

755 West Big Beaver Road, Suite 2300
Troy, Michigan 48084

2603 Augusta Drive, Suite 1100
Houston, Texas 77057

Services


Financial Institutions Group

Audit
Mergers & consolidations
Information technology assurance
Vulnerability assessments
Penetration testing
Member business loan review
Commercial loan consulting
Internal audit co-sourcing
Loan loss & delinquency control systems
CUSO consulting
Regulatory compliance services