Internal controls are the lifeblood of a bank’s risk management system. Weak or ineffective controls can lead to operational losses and expose a bank to a higher risk of fraud. As we continue to recover from the COVID-19 pandemic, banks need to assess the pandemic’s impact on their internal control systems and make appropriate adjustments.
Many banks continue to rely on remote workers, and it’s likely that many employees will continue to work remotely long after the pandemic is behind us. In addition, some banks are operating with reduced workforces. In this environment, maintaining key internal controls — segregation of duties, in particular — can be a challenge. In addition, as workers’ duties are adjusted to accommodate remote work and leaner staffs, these changes can inadvertently render some controls ineffective.
Evaluate the impact on segregation of duties
Segregation of duties is a simple yet powerful control that substantially reduces the risks of fraud and error. By assigning different people responsibility for authorizing or reviewing transactions, recording transactions and maintaining custody of assets, a bank makes it virtually impossible for a single employee to perpetrate a fraud or make an error and conceal it. If workforce changes reduce segregation of duties, they can significantly weaken a bank’s internal controls.
Consider this example: ABC Bank has been operating with a reduced staff since early in the pandemic. As lending activity has increased, its staff has struggled to keep up with the growing volume of loan applications. To avoid falling behind, the bank provides Jane Doe, its vice president for loan servicing, with the ability to record transactions on the bank’s loan system. Because Jane is also responsible for reviewing loan file maintenance changes, she now lacks independence with respect to her review of loan file maintenance reports. In other words, the duties associated with recording and reviewing transactions are no longer segregated.
How can your bank avoid this situation? When employees’ operational responsibilities change, it’s important to evaluate any potential conflicts of interest with employees’ existing review responsibilities.
Digital approvals: Handle with care
A byproduct of the remote work environment is that reviewers may sign off on transactions via email or by typing their initials on an electronic document. This can be risky, as virtually anyone can enter the reviewer’s initials.
One solution is to use a digital signature platform, which requires the reviewer to enter a username and password. It also incorporates other protections to verify the signer’s identity and otherwise ensure the integrity of the approval process.
Review your controls
These are just a few examples of how a changing work environment can affect a bank’s internal control systems. The consequences aren’t always obvious, so be sure to review your internal control policies and procedures and conduct a risk assessment to anticipate the full impact of contemplated changes. Also consider implementing or strengthening other types of controls — such as surprise audits, management or director oversight, mandatory vacations, job rotation, employee support programs and fraud training — to help compensate for a lack of segregation of duties and other internal control weaknesses.