Internal Controls Checklist

1) Segregation of Duties

No one person controls a transaction from start to finish.

Ex: Ordering supplies, receiving supplies, reviewing/paying invoice

2) Dual Controls

It takes two people to perform critical duties.

Ex: Counting vault; transfers within Corporate or Bank accounts; ACH transactions

3) Access to Passwords

Each software program should require its own unique password.

Ex: DP password different from Bank/Corp password different from ACH password

The default 'Admin' password should not be used.

Ex: Set up a unique password for anyone routinely using the software (DP support, etc.)

Passwords should NEVER be shared with others.

Ex: If another person needs access, they should have their own password AND there should be at least 2 people with access to critical programs.

4) Computer Access Levels

Computer access levels should be based on Job Function.

Ex: Entry level tellers might not have access to general ledger functions; volunteers might have 'read only' access.

This tiered access allows the CU to more readily

a. Enforce segregation of duties

b. Support override controls

c. Enforce the prohibition of transactions on personal and family accounts

d. Make fraud more difficult to perpetrate and conceal

Ex: A user would not be able to perform a transaction for a family member; a loan officer would not be able to cut a loan check, etc.

5) Cash Drawers & Vault

Maintain separate control of the key to the inner & outer drawers

Ex: This would require two people to access the vault

Date Reviewed / Initials: ______    Passed / Failed: ______

Never share teller cash drawers.

This can happen accidentally when one staff member is doing two jobs, but it is always a mess to straighten out!

Count and balance each day.

Ex: Each cash drawer in use that day should be counted and balanced; if a discrepancy is found, it should be researched and solved no later than the following day.

Surprise counts of both teller drawers and vault cash.

Ex: Should happen once every 6-8 weeks; observe any notes in the drawer. Record and track any discrepancies.

6) Loan Process

Segregation of Duties

Ex: No one person should be able to create AND fund a loan.

Independent review of file maintenance.

Ex: The SC should perform, or arrange for, a review of the file maintenance report, looking for such red flags as 'due date changes', 'back-dating', social security number changes, removal of or changes to collateral, 'do not mail', etc.

Periodic loan reviews.

Ex: With a checklist for your specific CU, pull 1 or 2 of your higher dollar loans each month and make sure all the documentation is present: signatures on all docs, titles, insurance, notes completely filled out, etc.

Dormant account review.

Ex: Pull the current month's report AND the previous month's report. Review any account that is on the previous month's report but not on the current month's report. Simply ask to see the receipt signed by the member.
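The file maintenance and dormant account reviews above, written as scripted checks an SC member could run over exported reports. This is an added example, not part of the checklist; the report layouts, column names, user IDs and account numbers are constructed for illustration.

```python
"""Section 6 reviews as code: red flags in file maintenance, dormant drop-offs,
and the overlap between the two (a reactivated dormant account that was also
edited that month deserves the first look). Report formats are assumed."""
import csv
import io

# Constructed file-maintenance export: one row per change to a member record.
FILE_MAINT_REPORT = """user,account,field,old_value,new_value
tlr02,1001,phone,555-0100,555-0199
ln01,2044,due_date,2024-03-01,2024-06-01
ln01,2044,collateral,2019 Truck,
tlr02,3310,ssn,***-**-1234,***-**-9876
mgr1,4120,mail_flag,mail,do not mail
tlr02,1002,address,12 Oak St,14 Oak St
"""

# Constructed dormant-account reports: one account number per line.
PREV_DORMANT = "1001\n2044\n5100\n"
CURR_DORMANT = "1001\n5100\n6000\n"

# Fields the checklist calls out as red flags (assumed column names).
RED_FLAG_FIELDS = {"due_date", "ssn", "collateral", "mail_flag"}


def file_maintenance_red_flags(report_text):
    """Return (user, account, reason) for every change to a red-flag field.
    A collateral change whose new value is blank is reported as a removal."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_text)):
        field = row["field"]
        if field not in RED_FLAG_FIELDS:
            continue
        reason = f"{field} changed"
        if field == "collateral" and not row["new_value"].strip():
            reason = "collateral removed"
        flagged.append((row["user"], row["account"], reason))
    return flagged


def dormant_accounts_to_verify(previous_report, current_report):
    """Accounts on last month's dormant report but not this month's:
    each one was reactivated, so pull the member-signed receipt."""
    return sorted(set(previous_report.split()) - set(current_report.split()))


def priority_review(flags, reactivated):
    """Red-flag changes on accounts that also left dormant status this month."""
    hot = set(reactivated)
    return [f for f in flags if f[1] in hot]
```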

7) Expense Reimbursement

Policy should specify:

a. Approval requirements (limits within board approval, procedure to exceed those limits, etc.)

b. Timing of submitting the personal expense report.

(Delayed reporting puts the expense in the wrong month and can lead to confusion and difficulty in monitoring.)

c. Receipts are required to be attached and appropriate.

There should be independent review and approval of each expense report.

Date Reviewed / Initials: ______    Passed / Failed: ______

8) Credit Union's Credit Card

Policy should specify:

a. Usage parameters (ex: no purchase over established 'depreciation' limit; who has authority to use, etc.)

b. Reasonable spending limits.

c. Explicitly prohibit personal use (with prompt report to board with accompanying documentation if it is inadvertently used for personal items.)

d. Merchant receipts required for all purchases.

e. A monthly independent review and approval.

(Ex: The actual itemized card statement should be reviewed and initialed each month.)

And 'best practices' might be:

a. Cards should be locked up when not in use.

b. Require signature to check card out and in.

9) Call Reports

Must be completed and submitted by deadline.

(NCUA is now assessing fines for late submissions)

Keep separate files for each call report with supporting documents behind each report page.

Ex: Supporting docs might include all system generated reports, internally generated reports (bankruptcy, etc.) and any manual calculations (TDR's, etc.)

Print and file with each report the 'comments, warnings & error' pages and the confirmation of submission and acknowledgment of receipt email.

10) Audits

At a minimum, your SC Audit should include:

a. Insider Account review

b. File Maintenance review

c. Dormant Account activity

d. Share Draft exception & overdrawn account reports

e. Bank Reconciliation

f. General Ledger review

g. Loan review

11) Internal Red Flags

a. Staff or volunteers living above their means, or exhibiting personal or financial problems or addictions

b. Staff not taking vacations; frequent NSF's; transfers to/from another acct; overrides on dormant accts, etc.

c. Proper procedures not enforced or followed.

d. Errors made repeatedly; work not completed on time

Date Reviewed / Initials: ______    Passed / Failed: ______