Author: Ashlynn Parsons
Presented by Alan Christopher, CPA VP of Risk Management DuPont Community Credit Union [email protected] 540-946-3200 ext. 3175

As easy as pushing a button!

2

Or do you feel like you are getting swallowed up by things outside of your control? 3

Let’s talk about using internal controls to keep things under control.

4

Internal controls are an integral part of a credit union’s risk management program and a key responsibility of the Board of Directors, the Supervisory Committee and Management.

5

The Board of Directors and management must identify risks and design internal controls to manage them.

Set appropriate tone at the top

6

The Chief Executive Officer of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the “tone at the top” that affects integrity, ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. 7

The Board of Directors is also responsible to institute internal controls to deter fraud. The responsibility for establishing an environment in which dishonesty, inefficiency, and costly errors are not tolerated begins with the Board of Directors in its policy-making capacity. Internal control policies are adopted by the Board and translated into procedures by the credit union management team and carried out by staff.

8

Internal Controls are a shared responsibility involving all parties in the credit union—the Board of Directors and Supervisory Committee, executives and managers, frontline and back-office employees, and outside parties and business partners, including the external auditor.

9

According to the COSO Framework (we will discuss later) everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.

10

The Supervisory Committee:
•Is tasked with the responsibility of making sure sufficient, effective internal control systems are in place and enforced.
•Periodically examines the internal control environment for sufficiency and effectiveness.
•Plays a key monitoring role in recommending policies and ensuring that internal controls are effective and up-to-date.

11

The Supervisory Committee also:
•Confirms the scope of audits to be performed by the external and internal auditors
•Reviews significant findings
•Monitors management's response to all audit findings
•Monitors progress on implementation

12

Working with Your Supervisory Committee to Foster a Good Control Environment

The Supervisory Committee can help credit union staff:
•Monitor the quality and adequacy of your organization’s internal controls
•Make recommendations to enhance the design or operation of internal controls
•Confirm the scope of audits to be performed by the external and internal auditors

13

Working with Your Supervisory Committee to Foster a Good Control Environment

The Supervisory Committee can help credit union staff:
•Review and approve the audited financial statements
•Review significant audit report findings
•Monitor management's response to audit findings
•Monitor progress of implementation and review results

14

You can work with your Supervisory Committee to review the following reports & accounts:
•Negative shares report
•Un-posted items report
•Maintenance reports showing loan due date changes
•Reports showing loans by interest rate - reveals unusually low loan rates
•General ledger suspense accounts - generally used to temporarily "store" a transaction until all necessary information is available, but can also be used to hide an unauthorized transaction

15

The internal auditors and external auditors measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control.

16

In order to determine what internal controls to put in place, it helps to think of what could go wrong.

17

NCUA Issues Prohibition Orders against Credit Union Employees.

NCUA enforcement orders are available online at http://go.usa.gov/4ReQ.

ALEXANDRIA, Va. (Aug. 30, 2013) – The National Credit Union Administration has issued several orders in August prohibiting the following individuals from participating in the affairs of any federally insured financial institution:

•Autumn Rene Guillot, a former employee of Credit Union of the Rockies in Golden, Colo., pleaded guilty to the charge of theft. Guillot was sentenced to 60 months community corrections and ordered to pay restitution in the amount of $275,795.
•Tania Jackson, a former employee of VyStar Credit Union in Jacksonville, Fla., pleaded guilty to the charge of defrauding a financial institution. Jackson was sentenced to 12 months in prison and ordered to pay court costs.
•Kathleen Maheux, a former employee of Rainbow Federal Credit Union in Lewiston, Maine, pleaded guilty to the charge of theft by unauthorized taking or transfer. Maheux received two years deferred disposition and was ordered to complete 100 hours of public service.
•Sharon Maston, a former employee of Sturdy Credit Union in Attleboro, Mass., pleaded guilty to the charge of larceny and forgery of a check. Maston was sentenced to one year in prison and five years of probation.
•Johanna Mite, a former employee of UFCW Local 342 Federal Credit Union in Mineola, N.Y., was found guilty of bank fraud. Mite was sentenced to time served, five years supervised release and ordered to pay restitution in the amount of $382,790.
•Laura Powers, a former employee of Parker Community Credit Union in Janesville, Wis., was convicted of theft and unauthorized use of an individual’s identity. Powers was sentenced to five years in prison, five years supervised release and ordered to pay restitution in the amount of $692,869.75.

18

Fraud Triangle

Accounting, auditing, and security professionals often refer to the fraud triangle in explaining the 3 elements that are in place when fraud occurs.

Pressure to obtain money by whatever means. Often driven by personal “emergencies”, such as high medical bills, gambling debts. Sometimes motivated by greed or the desire to maintain a better lifestyle.

Rationalization—Justifying actions with excuses like:
•I had to do it to pay for my child’s medical expenses.
•I would have lost my home, car, family—if I didn’t come up with the money
•It was just a loan . . . I was going to pay it back.

Opportunity—means and ability to commit fraud—weak controls or lack of oversight. Opportunity is where CUs have most control.

19

Hard economic times have caused a surge in the number of embezzlements, while fraudsters are constantly evolving their strategies to obtain access to your credit union's money - as well as your members'.

Charles Ponzi 20

Despite the rash of frauds, the NCUA is optimistic that the health and stability of credit unions have improved so much that it is projecting a positive outlook for the National Credit Union Share Insurance Fund this year.

21

Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them. In the Republic of China, the Control Yuan (監察院; pinyin: Jiānchá Yùan), one of the five branches of government, was an investigatory agency that monitored the other branches of government.

22

Internal Controls are essentially good business practices 23

What are the key controls to prevent, monitor, detect and mitigate risks? Where can I go for guidance? There are numerous resources . . .

24

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides the prevailing guidance on internal controls.

Many of the internal controls implemented by organizations originated from COSO.

Website: http://www.coso.org/IC.htm 25

In 1992, COSO published a report titled Internal Control—Integrated Framework. This document provides principles-based guidance for designing and implementing effective internal control. This framework has become the most widely used internal control framework in the United States and has been adapted or adopted by numerous countries and businesses around the world. The Framework was updated in 2013 to include guidelines to address the current business environment.

26

NCUA Accounting Manual for FCUs--Section 200, pages 6-7 Internal Controls Provides guidance on Internal Controls at Credit Unions

27

www.aicpa.org

Internal Controls and Fraud Proofing
1.3.1 Defining Internal Control Objectives
1.3.2 Basic Controls
1.3.3 Supervision
1.3.4 Audit

28

NCUA Supervisory Committee Manual
http://www.ncua.gov/Legal/GuidesEtc/GuidesManuals/supcomm.pdf

What are internal controls and how do we review them?

4.06 Internal controls include the staff structure, operating procedures, and other measures within the credit union to:
•Safeguard assets.
•Check the accuracy and reliability of accounting data.
•Promote efficiency.
•Encourage compliance with board policies.

Internal controls minimize the possibility that errors or fraud remain undetected for any length of time. Internal controls can also help prevent errors.

Examples. An example of an internal control is establishing passwords on the computer system. This control:
•Prevents unauthorized access.
•Helps to identify transactions by the user.

29

NCUA Supervisory Committee Manual
http://www.ncua.gov/Legal/GuidesEtc/GuidesManuals/supcomm.pdf

Continued . . .

Another example would be the separation of duties between staff with cash disbursement authority. If staff with access to generate a check are different, and separate, from staff authorized to sign the check, you minimize unauthorized disbursements. Collusion between staff would be required to effect an unauthorized disbursement.

Even small credit unions can establish internal controls. Review of internal controls is one of your most important responsibilities. Refer to the internal control section in Chapter 7 for guidance on how to review internal controls.

30

Internal Control Questionnaires (ICQ’s) from NCUA Visit www.ncua.gov and search for:

AIRES Questionnaires

31

NCUA Accounting Manual for FCUs--Section 200, pages 6-7
Internal Controls

Adopt appropriate measures of internal control to improve the dependability of accounting records. These measures must include:
•An organization plan to provide, to the extent feasible, segregations of duties so different employees will handle the operational, custodial and accounting functions;
•A system of authorization and recording procedures adequate to provide reasonable accounting control over assets, liabilities, income and expenses;
•The employment of personnel capable of performing duties and responsibilities; and
•A supervisory committee to conduct effective and timely audits of records and accounts including verification of members' accounts, with assistance provided, where needed, by an independent auditing firm.

32

NCUA LETTER TO CREDIT UNIONS
NATIONAL CREDIT UNION ADMINISTRATION
1775 Duke Street, Alexandria, VA 22314
DATE: June 25, 1996
LETTER NO.: 96-CU-4
TO ALL FEDERALLY INSURED CREDIT UNIONS:
SUBJECT: INTERNAL CONTROL STRUCTURE

We are sharing the results of NCUA's review of the 1995 fraud and embezzlement cases with credit union officials so that you can use the results to review your internal control structure and make needed adjustments. The purpose of internal controls is not to entrap employees; rather, good internal controls provide a working environment in which good employees are not tempted to do something they would not ordinarily do. In smaller credit unions, the supervisory committee often oversees the internal controls, while in larger credit unions, the controls are often monitored by the internal auditing department. Credit unions that initiate and consistently follow basic internal controls are less likely to experience fraud and embezzlement than credit unions whose internal controls are weak.

http://www.ncua.gov/Resources/Documents/LCU1996-04.pdf

33

Sarbanes-Oxley Act Of 2002 - SOX

Doesn’t apply directly to credit unions, since they are not publicly traded entities. Good to think about, though. The two key provisions of the Sarbanes-Oxley Act are:

Section 302: A mandate that requires senior management to certify the accuracy of financial statements

Section 404: A requirement that management and auditors establish internal controls and reporting methods on the adequacy of those controls.

34

Now we will discuss some attributes of internal controls that are gleaned from the various resources mentioned above.

35

According to NCUA Letter to CUs (Letter No. 96-CU-4), credit unions that initiate and consistently follow basic internal controls are less likely to experience fraud and embezzlement than credit unions whose internal controls are weak.

36

Effective internal controls provide reasonable assurance, not absolute certainty that fraud and errors will not occur. Internal controls can prevent, detect, or correct.

Internal controls aim to prevent thefts by people outside the CU as well as fraud and costly mistakes by employees and CU business partners. 37

The larger the CU the more internal controls are required and the more complicated they are. But even the smallest CU must have functional internal controls in place.

38

The primary objectives of internal controls are to prevent employee dishonesty and errors and to protect the credit union from loss. Internal controls also aim to prevent thefts by people outside the CU and costly mistakes by CU business partners. Internal controls employ a system of checks and balances that hold individuals accountable for their actions and minimize the risk of loss to the credit union.

39

Internal control is all of the policies and procedures management uses to achieve the following goals:
•Safeguard assets
•Ensure the reliability and integrity of financial information
•Ensure compliance
•Promote efficient and effective operations
•Accomplishment of goals and objectives

40

Internal Controls can also:

•Help achieve performance and profitability targets
•Prevent loss of resources
•Protect from damage to the credit union’s reputation

41

Internal Controls Can’t:
•Ensure success
•Make a good manager out of a poor one
•Provide absolute assurance that management and board objectives will be realized

42

Hard vs. Soft Controls

Hard Controls refer to policies, procedures, and systems designed to prevent fraud and error.

Example: Requiring a separation of duties ensures that an individual that approves a loan isn’t the same one who disburses the loan funds.

43

Hard vs. Soft Controls

Soft Controls refer to the competency, integrity, and commitment to honesty and accuracy by employees, managers, volunteers, and consultants and business partners.

Examples:
•Supervisors who monitor and model proper cash handling techniques
•Hiring honest employees
•Fostering an environment that values integrity
•Active oversight by the Supervisory Committee
•Objective internal audit function

44

Under the COSO Internal Control-Integrated Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) Effectiveness and efficiency of operations;
b) Reliability of financial reporting; and
c) Compliance with laws and regulations.

45

COSO defines internal control as having five components:
•Control Environment-sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
•Risk Assessment-the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed
•Information and Communication-systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities
•Control Activities-the policies and procedures that help ensure management directives are carried out.
•Monitoring-processes used to assess the quality of internal control performance over time.

46

In order to determine what internal controls to put in place at your credit union, it helps to think of what could go wrong. If time permits, we will later practice thinking about a type of fraud or error, and think about controls that would help prevent, detect or mitigate each. 47

Here is a starter list of what could go wrong:

Internal Fraud
•Embezzlement
•Cash Theft
•Misuse of Company Credit Card
•Collusion with Vendors (kickbacks, bribery)
•Identity Fraud (using co-worker’s credentials to commit fraud, theft of customer ID, etc.)
•Theft of Assets (laptops, physical equipment, software piracy)
•Payroll Fraud (Manipulating payroll systems; ghost employees)
•Accounts Payable Fraud
•Financial Reporting Fraud (unusually high revenues, odd patterns in receivables, etc.)

External Fraud
•Vendor Fraud
•Check Fraud—forged/altered checks
•Cyber-Crime—hacking, info theft, system sabotage, viruses, etc.
•Social engineering—phishing, smishing, etc.

48

Here is a list of some of the internal controls at my credit union that can help prevent, detect or mitigate errors and fraud.

DuPont Community Credit Union Internal Controls
•Written policies and procedures
•Segregation of duties—no concentrated control
•Dual control—requires more than one person to complete a procedure or transaction
•Keeping good records—documentation and computer reports provide good audit trails
•Computer output reports—regularly reviewed by management (file maintenance changes, supervisory overrides, exception reports, etc.)
•Mandatory vacations
•Surprise audits
•Fraud Management Software—Efunds, TrueChecks, etc.
•Approval and authorization—supervisory preview (or review) and sign-off
•Reconciliations
•Verification—double-checking
•Numerical sequencing—numbering documents and accounting for them after processing

49

DuPont Community Credit Union Internal Controls Continued:
•Control totals—ensures that all transactions presented for processing actually receive complete processing
•Pending files—provides for follow-up on the open items that should have been completed
•Checklists—ensures that steps in the process are not overlooked
•Restricted physical access—Vaults, safes, alarms, video surveillance
•Passwords
•Supervisory overrides required for certain transactions
•Ongoing training—staff and members
•Position descriptions—define duties and responsibilities
•Budgets—performance results and variances
•CPA Audits—determine accuracy of financial statements
•Risk Assessments
•Audit Program
•Risk Management Program
•Red Flag ID Theft Program

50

Now let's discuss some specific internal controls

51

But first . . . Policy vs. Procedures

Policy—a statement of direction or method that guides and determines present and future decisions. Policies are a necessary first step of maintaining effective internal controls. Policies must be implemented and enacted through a series of processes, procedures and steps.

Procedure—a fixed sequence of activities that must be followed to correctly perform a task.

52

Written Policies

Some Key Areas:
•Lending
•Asset Liability Management
•Personnel
•Compliance
•Retail
•Member Information Security
•Information Systems

53

Written Policies:
•Are necessary to provide guidance
•Must be documented and reviewed periodically
•Must be effectively communicated to all staff
•Should tell who and what they apply to, and why they exist
•Don’t need to be lengthy

54

Written Procedures

Some Key Areas:
•Teller
•Branch Operations
•Accounting
•Credit & Underwriting
•Security
•Member Identification
•Collections

55

Written Procedures:
•Describe HOW to implement policy components
•Provide detail on steps needed to accomplish tasks

56

Segregation of Duties:
•No concentrated control
•More than one person involved in the process
•No one individual should control all key aspects of a transaction or event.

57

Segregation of Duties:

Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for:
•authorizing transactions
•processing and recording them
•reviewing and approving transactions, and
•handling (custody of) any related assets.

58

Segregation of Duties:

Examples:
•Lending Officer approves a loan, and another staff member disburses the proceeds.
•One staff member keys in wire transfer info, and another sends the wire.

59

Dual Control—requires more than one person to complete a procedure or transaction

Examples:

•Takes two persons to open vault.
•Open ATM deposits and Return Mail with 2 staff present.
•Night Depository should require 2 persons to access contents.

60

Conflict of Interest Control

Definitely have a business ethics and conduct policy that:

Covers your Anti-Fraud Policy, including a description of Acts which are considered to be either fraudulent or dishonest.

1. Manipulation of loan accounts, documents, computer records, savings or checking accounts.
2. Theft of any kind, including stealing from members' accounts, overpayment of dividends and creating fictitious loans.
3. Check kiting.
4. Forgeries.
5. Unauthorized or unapproved salary advances or overtime reimbursement.
6. Intentional violation of credit union rules, internal controls, regulations or procedures.
7. Intentionally failing to secure collateral, to properly record a security interest on collateral or pledging a member’s savings as collateral without that member’s permission.
8. Unauthorized use of computer time, equipment and software for personal use.

61

Conflict of Interest Control

Definitely have a business ethics and conduct policy that:
•Creates a culture of honesty and high ethics within your credit union
•Promotes ethical, honest and trustworthy behavior, preserves confidential information, and avoids conflicts of interest
•Requires conducting all aspects of CU business in an honest, ethical and legal manner
•Protects and ensures the efficient use of CU assets
•Provides a mechanism for employees to report concerns about unethical behavior, actual or suspected fraud or violations of your credit union's code of conduct or ethics policy.

62

Conflict of Interest Control

Definitely have a business ethics and conduct policy that:
•Describes personal responsibility to protect confidential and proprietary information from release or misuse.
•Emphasizes that employees are not permitted to access confidential information without a business purpose.
•Restricts employees from transacting any business through the core computer system on their own or a family member’s account. Employees are permitted to conduct transactions on their own accounts through the Teller line and the online banking system.
•Considers any form of dishonesty on the part of employees as totally unacceptable conduct.

63

Conflict of Interest Control

Definitely have a business ethics and conduct policy that requires each staff member and volunteer to sign the policy:

I have read the above Code of Ethics and Conduct, Confidential Information Policy, and Fraud Policy. I agree to be bound by and follow them. I understand the Credit Union will not tolerate fraudulent or dishonest activity of any kind. I am not to engage in any unethical acts while employed at the Credit Union. I understand that adherence to these policies and guidelines is a condition of employment at DCCU, and that violation of them could result in termination of employment, and civil or criminal liability.

Dated this ________________ day of ___________________, 20

Witness signature

Employee/Volunteer signature

64

Keeping good records: Documentation and computer reports provide good audit trails. Department management can closely monitor department operating statistics and other benchmarks. Negative trends are identified and addressed promptly. Expense related documents and time sheets should be reviewed for completeness, accuracy and compliance with policies and procedures.

65

Computer output reports—regularly reviewed by management

•Were file maintenance changes properly authorized?
•Were supervisory overrides appropriate? Were they made by authorized staff members?

66

Computer output reports—regularly reviewed
•What activity occurred on dormant accounts? Were they valid?
•Are there any 0% interest loans? Why? Are there loans with a payment due date 3 months from now? Why?

67

Mandatory Vacations Is this when my wife tells me we have to take a vacation, or else . . . ?

68

Surprise Audits
•Teller Cash
•Vault Cash

69

•Maintain an anti-fraud environment
•Detect Fraud
•Respond

70

Fraud Management Software BSA Monitoring New Account Counterfeit Checks Check Collectability

71

Approval & Authorization—supervisory preview or review and sign-off. Ensure that authority limits are clearly defined in writing and communicated.

•Consists of a signature or electronic approval of a transaction by a person with approval authority
•Could also be as easy as giving a department permission to expend funds from an approved budget

72

Reconciliations

Accounts are reconciled on a timely basis to their underlying source data.
•General Ledger
•ATMs
•Bank Accounts

73

Verification—double checking
•Balances
•Items

74

Numerical sequencing—numbering documents and accounting for them after processing
•Helps identify missing items
•Helps keep track of status of items
•Helps with review of items

Example: Invoices, Checks, etc.

75

Control totals

Ensures that all transactions presented for processing actually receive complete processing

76

Pending (Tickler) Files

Provides for follow-up on the open items that should be completed

77

Checklists Ensures that steps in the process are not overlooked

78

Bonding through Insurance Company: Ensure that all employees are bonded against the loss of money or property due to dishonesty or fraud. Does not release anyone from liability, prosecution, or accountability for such losses. Background checks for all employees when hired. 79

Restricted Physical Access Vaults, safes, alarms, video surveillance

Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to records. 80

Supervisory Overrides required for certain transactions Requires a seasoned staff member to review and approve transactions done on computer

81

Ongoing Training
•Staff
•Members

Social engineering—phishing, smishing, etc.

82

Provide adequate training for Frontline staff on:
•Methods to evaluate driver licenses and other documents
•Steps that should be followed to analyze identification
•High-risk documents that cause the biggest losses
•Methods to identify forged, altered, or traced signatures
•Techniques that criminals use to confuse a staff member facilitating a transaction

83

Human Resources:
•Background checks for all employees hired.
•Position descriptions should adequately define duties and responsibilities—provides for less confusion & fewer errors.
•Performance appraisals should reflect an objective assessment of each employee's abilities and their measured achievements of goals and objectives. Efficiency and effectiveness are enhanced, and errors are reduced.
•Set reasonable and reachable goals and deadlines

84

Budgets:

•Performance results and variances
•Ratio Analysis

85

Listen to member and vendor complaints

Complaints could be an indication of a problem

86

Consider having a Fraud Hotline for staff and members to anonymously call and report suspected fraud. This could be a reporting mechanism through the Credit Union’s Supervisory Committee Chairman or other designated person.

All initial contacts should be treated as confidential to the extent permitted by law. Disclose to callers that, although they may choose to make their report anonymously, no guarantee can be given that they will not have to testify, or make their report and identity public knowledge during the course of the resolution of the situation. Public testimony may be required if a subpoena is served. Also, under some circumstances, federal and state laws and regulations may require your credit union to report activity that it suspects may violate certain criminal laws. 87

Documentation

Provides Audit Trail--Evidence for a transaction

Who has performed each action pertaining to a transaction, and the authority to perform such activities.

88

CPA Audits Determines accuracy of financial statements

89

Quality Audit Program

•Internal •External

90

Quality Risk Management Program
•Provides framework for making business decisions and acting on basis of priorities when faced with uncertainty and choices.
•Allows for fewer surprises, taking advantage of opportunities, improved planning, performance & effectiveness, economy & efficiency, accountability and governance.
•Contributes to good corporate governance by providing reasonable assurance that the organizational objectives will be achieved within a tolerable degree of residual risk.

91

Quality Risk Management Program

Provides for:
•Identifying, measuring, controlling, and monitoring risks
•Determining the likelihood and impact of events on your credit union
•Reporting of exposures, impact and mitigation efforts
•Consulting and advising on the development of risk mitigating policies, procedures, limits, and other control systems, including preventive & detective internal controls

92

Risk Assessments
•Likelihood & Impact
•Required Risk Assessments:
  •Bank Secrecy Act
  •ACH
  •Red Flag ID Theft
•Not Required (yet), but good to do:
  •Member Information Security
  •Vendor Management
  •Asset Liability Management
  •Wire Transfer Operations
  •Physical Security

93

Quality Red Flag ID Theft Program

Identify Risks and Controls. Document actual incidents, and what action was taken. Report to Board annually.
•Alerts from Consumer Reporting Agencies
•Suspicious Documents
•Suspicious or inconsistent personal ID info provided by applicants
•Unusual or suspicious activity
•Notice from members

94

Information Systems Controls
•Acceptable Use Policy for Staff
•Member Info Security Policy—Privacy & Confidentiality of Member Info
•Access Controls—access to facilities, systems, access logs and data is restricted to authorized personnel
•Log-on Procedures—provides audit trail
•Passwords—Effective vs. Ineffective
•Access Levels—should be determined by job functions
•Shredding

95

Information Systems Controls

IT application controls – Controls over information processing enforced by IT applications, such as:
•edit checks to validate data entry
•accounting for transactions in numerical sequences
•comparing file totals with control accounts.

96
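The three application controls listed above (edit checks, numerical sequence accounting, and comparing file totals with a control account), run over one batch of check disbursements. This is an added example, not part of the original presentation; the batch, the field names and the NN-NNNN account format are constructed for illustration.

```python
import re
from collections import Counter
from decimal import Decimal, InvalidOperation

# Assumed account-number format for this example only.
ACCOUNT_RE = re.compile(r"^\d{2}-\d{4}$")

# Constructed batch header: what the originating department says it sent.
BATCH_HEADER = {
    "first_check": 1001,
    "last_check": 1006,
    "item_count": 6,
    "control_total": Decimal("4150.00"),
}

# Constructed records as keyed in. Check 1004 is absent, 1005 was keyed
# twice, 1003 has a negative amount and 1006 has a malformed account.
RECORDS = [
    {"check_no": 1001, "account": "10-4421", "amount": "250.00"},
    {"check_no": 1002, "account": "10-4477", "amount": "1200.00"},
    {"check_no": 1003, "account": "10-5102", "amount": "-75.00"},
    {"check_no": 1005, "account": "10-6230", "amount": "500.00"},
    {"check_no": 1005, "account": "10-6230", "amount": "500.00"},
    {"check_no": 1006, "account": "104-421", "amount": "900.00"},
]


def edit_check(rec):
    """Edit check: return data-entry errors for one record (empty = accepted)."""
    errors = []
    if not isinstance(rec.get("check_no"), int):
        errors.append("check_no must be an integer")
    if not ACCOUNT_RE.match(str(rec.get("account", ""))):
        errors.append("account does not match NN-NNNN")
    try:
        amt = Decimal(str(rec.get("amount")))
        if not amt.is_finite() or amt <= 0:
            errors.append("amount must be a positive number")
        elif amt.as_tuple().exponent < -2:
            errors.append("amount has more than two decimal places")
    except InvalidOperation:
        errors.append("amount is not numeric")
    return errors


def sequence_exceptions(numbers, first, last):
    """Numerical sequencing: account for every number in first..last."""
    counts = Counter(numbers)
    missing = [n for n in range(first, last + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    out_of_range = sorted(n for n in counts if n < first or n > last)
    return missing, duplicates, out_of_range


def review_batch(header, records):
    """Run all three controls and return an exception report for review."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_check(rec)
        if errs:
            rejected.append((rec.get("check_no"), errs))
        else:
            accepted.append(rec)

    numbers = [r["check_no"] for r in records if isinstance(r.get("check_no"), int)]
    missing, duplicates, out_of_range = sequence_exceptions(
        numbers, header["first_check"], header["last_check"]
    )

    # Control totals: item count and amount of accepted records must equal
    # the figures supplied independently in the batch header.
    total = sum((Decimal(str(r["amount"])) for r in accepted), Decimal("0"))
    count_diff = len(accepted) - header["item_count"]
    amount_diff = total - header["control_total"]

    exceptions = bool(rejected or missing or duplicates or out_of_range)
    return {
        "rejected": rejected,
        "missing": missing,
        "duplicates": duplicates,
        "out_of_range": out_of_range,
        "count_diff": count_diff,
        "amount_diff": amount_diff,
        "balanced": count_diff == 0 and amount_diff == 0 and not exceptions,
    }


if __name__ == "__main__":
    for key, value in review_batch(BATCH_HEADER, RECORDS).items():
        print(f"{key}: {value}")
```

A batch that does not balance is held for follow-up rather than posted, which is the point of the pending file and supervisory review controls described earlier in the deck.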

Exercise:

In order to determine what internal controls to put in place, we need to think of what could go wrong.
•Embezzlement
•Cash Theft
•Misuse of Company Credit Card
•Collusion with Vendors (kickbacks, bribery)
•Identity Fraud (using co-worker’s credentials to commit fraud, theft of customer ID, etc.)

97

Exercise:

In order to determine what internal controls to put in place, we need to think of what could go wrong.
•Theft of Assets (laptops, physical equipment, software piracy)
•Payroll Fraud (Manipulating payroll systems; ghost employees)
•Accounts Payable Fraud
•Financial Reporting Fraud (unusually high revenues, odd patterns in receivables, etc.)

98

Exercise:

In order to determine what internal controls to put in place, we need to think of what could go wrong.
•Vendor Fraud
•Check Fraud—forged/altered checks
•Cyber-Crime—hacking, info theft, system sabotage, viruses, etc.
•Social engineering—phishing, smishing, etc.
•Risk of fire, flood, earthquake, and other natural or manmade disasters

99

Exercise:

In order to determine what internal controls to put in place, we need to think of what could go wrong.
•Lawsuits brought against the CU for loss, injury, errors, or omissions
•Electronic or Computer systems malfunction
•Reputation risk

100

Now everything is under control.

101

Presented by Alan Christopher, CPA VP of Risk Management DuPont Community Credit Union [email protected] 540-946-3200 ext. 3175