When is a control not a control?

One of the key procedures as a bank auditor was to audit the branch operations. This was pretty dull and routine. Cash money is amazingly dirty and we did not enjoy having to count up $100,000 in the vault. In order to protect ourselves (the auditors), we required that a branch employee be physically in the vault with us as we counted the cash. As I’ve covered in some previous stories, this is not because they could not trust the auditors. Internal controls have nothing to do with trust. The requirement was to protect the auditor from false accusations of theft. If for some reason the branch employee had to leave the vault, we stopped counting, put everything down, and left the vault. Too. I was surprised how often the employees were ready and willing to leave one or more auditors alone in the vault. In a year of branch audits, I only ran across one finding of any real significance, although there was one common finding we suspected, but never did anything about.

The common suspected finding involved “dual control.” In a bank branch, and in many other critical environments, a standard process involves dual control whereby the combination of the safe or key access requires two people. Each person knows part of the combination, and enters it in turn. It was easy to see that when we arrived for the branch audit, the branch employees had to be careful to follow the dual control procedure. One person would enter half the combination, and then say, “Now it’s time for YOU to enter YOUR HALF of the combination.” It was always said in such a way as to indicate this was NOT the normal procedure. Practically and honestly speaking, I’m certain that in many cases, for convenience, they both knew the entire combination. That is a bad decision, because, obviously, if there was some theft or missing media, they would both be under suspicion.

The only finding of any significance in my year of branch audits was one bank branch in northern Maine. When I went to count the teller’s drawer, I found a check in the drawer from the person who happened to be the branch manager for about $100 that the teller was counting as cash. In other words, the branch manager had taken a $100 short term loan from the teller’s drawer. This is a very bad thing for a branch manager who has 27 years of service to be doing. The teller was so nervous and scared I was afraid she would pass out on me. I turned the issue over to the VP of internal audit and was told that a formal disciplinary note would be placed in the manager’s file and that would probably be the end of the matter. In many other places and companies, the manager would be terminated on the spot.



, , , , , , , , ,

Leave a Reply

This entry was posted on July 5, 2011 and is filed under Bank Auditing. Written by: . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.