The primary purpose of internal controls is to safeguard an organization and further its objectives. Internal controls function to minimize risks and protect assets, ensure accuracy of records, promote operational efficiency, and encourage adherence to policies, rules, regulations, and laws.
All institutions, large or small, private or public, should have some form of internal controls in place. Internal controls serve as a safeguard for all stakeholders in the institution – from the board to the teller, and even the customer. Some institutions have formal, written internal controls and some simply have unofficial controls that employees know. However, best practice is to have formal, written controls, which hold more weight.
Below, I will highlight key elements of creating and maintaining internal controls.
How to Start the Process
- Document controls for each functional area of the bank. Ask questions of the leaders and doers of each function to ensure you are documenting the realistic actions and steps that take place – not what is assumed to happen.
- Review and update controls annually. Internal controls can be fluid and change often, so be sure to review and update them at least annually.
- Break down the process of creating internal controls:
  - Policy – Documents what the bank will do. It may be in a general statement that explains the institution’s practice. Remember the policy must be followed and should be reviewed and approved by the board on a periodic basis (usually annually).
  - Procedures – Documents how and what the institution is doing.
  - Processes – Documents the tools used for the procedures and should be reviewed for adequacy.
  - Patterns/Practices – Review what is being done based on the above items. Policies MUST be followed. Procedures SHOULD be followed. If the functional area is no longer adhering to the written procedures, the procedures should be reviewed and changed as applicable; or the original procedures should be re-implemented and followed. If the processes are no longer adequate, examine what changes need to be made.
Pro Tip: Remember to use the “Who, What, When, Where, Why, & How” elements when completing these documents. Don’t use names; try to use titles.
Tips to Safeguard Your Institution
Internal controls are meant to safeguard all invested parties in the institution; however, the banking and financial services industry has the most occupational fraud. Here are nine tips to safeguard your institution against fraud:
- Implementing and following internal controls can help prevent this fraud.
- Everyone at the institution should be aware of what the internal controls are.
- Question when exceptions are being made.
- Document the reason for any exception.
- Train employees to not just sign off on a control based on trust or authority of the individual requesting the exception.
- Allow for questions when exceptions are being made.
- Be aware of management overrides of controls.
- Encourage employees to let someone know when they feel something isn’t right.
- Provide an anonymous tip line.
Internal controls are the safety net institutions rely on to operate. The practice of implementing, maintaining, and following internal controls should increase bank awareness and lessen the risk of fraud.
Additional Resources – Internal control guides for financial institutions:
For any questions regarding internal controls or protecting against fraud, please contact a Pinion advisor.