
Tuesday, May 26, 2015


SRC Insights: Fourth Quarter 2009

Avoiding the Breakdown: An Effective Internal Control Program

The current economic environment and financial pressures to improve margins and earnings performance are challenging many financial institutions, causing them to downsize, employ newer technologies, or offer new products and services in attempts to maintain a competitive edge. As a result, there is the potential that the internal control environment may not always evolve in kind. Failure to maintain an internal control environment commensurate with the size and activities of an institution can open Pandora's Box and create issues, including opportunity for fraud.

This article will provide the characteristics of an effective internal control program and expectations from the examiner's perspective, detail some examples of fraudulent activity and outline potential trends, and discuss how to avoid or limit the likelihood of a fraud event (if possible). In addition, the various responsibilities of the board of directors and senior management will be defined.

Characteristics of an Effective Internal Control Program1

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has defined internal control as a process, which should be developed by the directorate and senior management to provide reasonable assurance regarding the effectiveness and efficiency of an institution's operations, the reliability of financial reporting, and compliance with applicable laws and regulations. According to COSO, the following five components can help to create an effective internal control system:

  1. Control environment: This sets the tone for an effective internal control system, and factors include the integrity, ethical values, and competence of the institution's staff; management's philosophy and operating style; management's methods for assigning authority and responsibility and for organizing and developing staff; and the attention and direction provided by the board of directors.
  2. Risk assessment: This is defined as the identification and analysis of relevant risks to achieve the objectives and form a basis for determining how internal and external risks should be managed. As economic, industry, regulatory, and operating conditions continue to evolve, likewise processes must be developed for the purpose of identifying and managing unique risks associated with those changes.
  3. Control activities: These consist of policies and procedures that help to ensure that management directives are fulfilled, and they also help to ensure that necessary actions are taken to appropriately address risks in order to achieve the entity's objectives. There is a range of control activities, including but not limited to approvals, authorizations, verifications, reconciliations, operational reviews, security of assets, segregation of duties, and dual controls. These occur at various levels throughout an organization.
  4. Information and communication: These cover system-generated information, as well as effective communication, internally throughout the organization and externally to stakeholders. The board of directors and senior management must clearly communicate to all staff that control responsibilities must be taken seriously. In addition, staff must understand their own role in the internal control system and how individual activities relate to the work of others within the organization.
  5. Monitoring activities: These relate to oversight of the internal control structure. The internal control system needs to be monitored through a process that assesses the quality of the system's performance over time. This process is ongoing and occurs throughout the normal course of operations. The scope and frequency of assessments or evaluations will be contingent upon the risk posed to the institution and the level and effectiveness of surrounding controls. In any event, internal control deficiencies should be escalated and the most serious issues reported to the board and senior management. Additional guidance surrounding monitoring activities has been developed by COSO; in February of 2009 COSO released its first volume of "Guidance on Monitoring Internal Control Systems."2

What to Expect from Examiners

A financial institution's internal control environment assessment falls under the Management and Risk Management components of a bank examination or bank holding company inspection. Examiners expect that board members and senior management understand their institution's activities and associated level of risk. During an examination or inspection, examiner activities include the following:

  • Conduct discussions and fact-finding interviews regarding risk and internal controls
  • Request and review internally-generated reports, policies and procedures, and physical controls to ensure that adequate controls exist
  • Request and review management information system (MIS)-generated reports for accuracy and appropriateness given the risk undertaken by the institution
  • Evaluate committee and board packages (with minutes) to ensure that appropriate reports and information are disseminated to the board adequately, and that risks are identified and quantified in a timely fashion
  • Review internal audit reports and ensure that deficiencies are reported and addressed in a timely manner
  • Request and review internal audit workpapers to determine the level and scope of audits conducted by the internal audit function

The board and senior management are responsible for monitoring all significant risk, controls, and the high-risk areas associated with new products, such as electronic banking, stored value cards, remote deposit capture, and ACH. In addition, the board is ultimately responsible for compliance with new laws and regulations; therefore, the board must ensure that the audit function consistently meets legal, regulatory, and supervisory requirements. Moreover, the board must make certain that the audit function monitors and tests the reliability and effectiveness of both the institution's internal controls and its financial statements. Lastly, the independence of the audit function is vital to the overall effectiveness of every audit program.

Fraud: A Result of Broken Internal Controls?

Some would argue that not all fraudulent activity is the result of broken controls. However, there is no doubt that a broken control environment is conducive to fraudulent activity. Even more importantly, fraud can eventually cost an institution enormously in terms of viability and reputation, in addition to any direct financial impact.

Adrian Stern, CPA, Cr.FA, suggests that some effective tools in the battle against fraud include having strong internal controls, performing audits of records, and analyzing key financial trends. Clear policies and zero tolerance toward fraud, along with employee support programs, also help to create the proper control environment. Moreover, Stern provides some clear examples of poor controls, which may be common occurrences, as outlined below:

  • Lack of segregation of duties, such as an individual making bank deposits, posting them to the accounts receivable system, and performing monthly bank reconciliations
  • Poor physical controls over inventory, marketable securities, or blank check stock
  • Inadequate documentation and support for cash disbursements
  • Inadequate or obsolete accounting software
  • Failing to perform independent verification, such as spot checks of physical inventory

To prevent internal control breakdowns, financial institutions should conduct periodic risk assessments, led by either internal or external auditing staff. The assessments should focus on high-risk areas, such as physical controls relating to high dollar fixed assets, cash, marketable securities, payroll, and inventory.3

The Lending Function

Current economic conditions demand that financial institutions strengthen internal controls over the lending process; at a minimum, they should be reviewed for effectiveness. In a case study of a company's internal controls, author Kevin Clancy documented that the validity and collectability of the company's accounts receivable were in question. A subsequent forensic investigation identified fictitious customers, fictitious sales, and forged bills of lading, invoices, and other fraudulent documents. Ultimately, it was determined that certain company officers were involved in a massive fraud, resulting in U.S. and foreign bank losses of between $600 million and $1 billion and, in turn, the arrest of the company's chief executive officer on charges of conspiracy to commit bank fraud, mail fraud, and wire fraud. The company's CFO and former treasurer were also arrested on similar charges.4 Regardless of a loan department's credibility, internal controls are necessary to ensure professional and legal operations.


Comprehensive and correct internal controls can prevent many types of fraud, especially those committed by an institution's employees. The Department of Justice noted one such case, where a vault teller responsible for preparing the daily vault cash reconciliation reports and providing the reports to bank officers created false internal bank documents, which purported to show the movement of cash in and out of the branch vault. In doing so, the vault teller defrauded the bank in excess of $3.2 million. Bank management indicated that the teller had used the position of trust and co-opted internal controls by exploiting professional relationships at the institution.5 Because not all fraud is the result of weak controls, Stern indicates that institutions should seek ways to lessen outside pressures on employees that may lead them to commit fraud. He attests that some institutions have actually introduced programs to help their employees with financial difficulties, thereby reducing the employee's temptation to commit fraud.

Future Considerations and Other Areas

While lessons can be learned from past instances of fraudulent activity related to insufficient internal controls, lessons are also being learned about potential areas of increased fraud now and in the future.

TARP. In the age of Troubled Asset Relief Program (TARP) funds, the appropriate use of funding has often been the topic of discussion. According to Robert S. Mueller, III, director of the Federal Bureau of Investigation (FBI), a potential area for new fraud cases involves TARP funds. The FBI is currently working with other agencies to identify how and for what purpose these funds are being used. Mueller stressed the need for "independent board members, auditors, and outside counsel" to help keep organizations honest. "If this financial crisis has taught us anything," he said, "it may be that it is time for a cultural shift, a 'back to basics' approach that incorporates sound business judgment, risk assessment, and integrity, from the top down."6

Investment portfolio. Another area susceptible to fraudulent activity is the investment portfolio process, due to the level of oversight and management. Brent Currey, an audit manager at the accounting firm Frost PLLC, indicates that the investment portfolios of most financial institutions are often managed by a single individual with little or no oversight by another party, often due to a lack of available staff.7 In some instances, staff with the required specialized skill set to manage the investment portfolio may be scarce. This highlights a greater need for additional scrutiny.

Currey explains the key controls needed under such circumstances, and they include proper segregation of duties for investment portfolios and processes involving purchasing, disbursement, and reconciliation within the investment cycle. Moreover, Currey indicates that risk analysis of the investment portfolio should be monitored closely by the institution's oversight group or an appropriate committee to ensure that the risk profile of the investment portfolio matches the risk goals for the institution. A key control is to separate the reconciliation of the investment portfolio from the management function. More importantly, the reconciliation process should be performed by a separate individual, and the reconciling individual should be familiar with the investment process and diligently follow up on any significant reconciling items in a timely manner.


The point can again be made that one of the most significant challenges of the current economic environment is combating fraudulent activity. While there may not be a feasible way to eliminate every imaginable type of fraud, board and senior management have an important role in ensuring that the internal control environment and internal audit control function remain effective. Plato was quoted as saying "Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." In this case, a strong and effective internal control environment serves as a deterrent to those who seek to circumvent the laws and processes designed to protect an institution.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.