By Donya Parrish, MCU VP- Risk Management
A few weeks ago, the blog discussed the board’s role in reviewing loans to officials. Today, we’ll turn to another important check and balance for your credit union — audits on employees’ accounts. Whether this role resides with management, the supervisory committee, or both, likely depends on the size of your credit union.
The bottom line is that no employee should have access to their own accounts, nor to the accounts of anyone in their family or household. A few key steps are required to develop a strong internal control, and it starts with knowing which accounts to restrict and reviewing them on a regular basis to ensure the controls are in place and being managed appropriately.
Some credit unions ask for a self-report of family and household accounts, and others rely on their data processing system to help them restrict at the household level. Asking about your credit union’s process is a good place to start if you need help understanding the current landscape for this internal control.
Even if your credit union’s HR department or manager is responsible for reviewing employees’ account access, the supervisory committee should also be reviewing reports and ensuring management is included in the restrictions.
The NCUA Supervisory Committee Audit Guide provides the following list of controls to review:
- Loans: Select a sample of at least five employee and official (related party) loans originated during the testing period and list in the report any instances of the following:
- Delinquent loans
- Reversal of late loan fees
- Loans with an interest rate not provided to members
- Loans with a term not in accordance with board-approved policy
- Payments made on the loan directly from the general ledger
- Loans to officials in excess of $20,000 in aggregate; not approved by the board as evidenced by the board meeting minutes
- Loans with collateral not in accordance with board-approved policy
- Shares: Select a sample of at least five employee and official (related party) share accounts and list in the report any instances of the following:
- Negative balance in share account or share draft account at any time during the testing period
- Share or share certificate with a dividend rate not provided to members
- Failure to impose a fee in accordance with credit union policy (Examples include NSF or ATM fees.)
Keep in mind that internal controls are intended to deter fraud and eliminate the opportunity for circumventing procedures, not to suggest that you don’t trust your own team. We have heard plenty of examples of lapses in this control leading directly to losses and misuse of funds.