file maintenance: what can go wrong - acuia · 2018-04-28 · 3 financial institutions what is file...


Insight. Oversight. Foresight. SM
Michigan Texas Florida North Carolina

File Maintenance: What Can Go Wrong

Presented by: Bob Parks, CPA, Shareholder; Jack Tracy, CPA, Shareholder

Region 3 Meeting, October 2016

Financial Institutions Group

Overview

• What is file maintenance?
• Why is monitoring file maintenance important?
• How can the risk of inappropriate transactions be reduced?
• A system of controls
  • Preventative controls
  • Detective controls
  • Soft controls
  • Documentation and record retention

What is File Maintenance?

NCUA’s definition: “All changes made through the computer system that affect members’ accounts. Also called the Non-Financial Transaction report, this report usually differentiates between old and new data so the user can determine the credit union’s changes. Changes that occur most often include: addresses, telephone numbers, loan due dates, payment amounts, interest rates, and maturity dates.”

Why Is Monitoring File Maintenance Important?

• Reduce the risk of inappropriate non-financial transactions, performed by an employee, continuing to go undetected.
• Primarily a “detective control”
• Has a deterrent nature, if potential perpetrators know it exists

How Can The Risk of Inappropriate Transactions Be Reduced?

A system of internal controls is key

• Preventative controls
  • Hard controls that establish restrictions through system settings and job functions.
• Detective controls
  • Ongoing monitoring that helps identify unauthorized activity and transactions.
• Soft controls
  • Combination of policy and procedures, in addition to communicating to employees that file maintenance changes will be monitored.

How Can The Risk of Inappropriate Transactions Be Reduced?

Preventative controls

• Restrict file maintenance changes to only employees who need to perform changes related to their job duties or function
• Restrict employees from making changes on their own accounts, as well as family related accounts.
• Segregation of file maintenance capabilities is essential.
  • Loan officers and underwriters should not have the capability to perform file maintenance changes

How Can The Risk of Inappropriate Transactions Be Reduced?

Preventative controls

• Segregation of file maintenance capabilities is essential.
  • Sr. management should not have the capability to perform file maintenance transactions.
  • Sr. management should be in the approval process position providing signed forms, etc., to processors who then perform the change - this provides a documented paper trail.

How Can The Risk of Inappropriate Transactions Be Reduced?

Detective controls

• At least monthly, an employee who is both independent and does not have the ability to perform any file maintenance transactions should review system generated file maintenance reports.
  • Could be someone from compliance or management (preferably not IA).
  • Key criterion: the reviewer is restricted from performing any file maintenance changes.

How Can The Risk of Inappropriate Transactions Be Reduced?

Detective controls

• Areas to focus the ongoing review include loan, share, and administrative transactions.
  • Remember to look for patterns and occurrence of changes by employees.
  • Test through sampling transactions and documentation, as needed.

How Can The Risk of Inappropriate Transactions Be Reduced?

Detective controls: Loan transactions

• Interest rate changes
  • Why did the rate change? Was it a rate match or employee loan?
• Past due or delinquent amounts change
• Payment terms change (i.e., weekly, bi-weekly, monthly, movement of maturity date)
• Payment due date changes
  • Was there a modification or extension agreement approved and signed?
• Line-of-credit increases

How Can The Risk of Inappropriate Transactions Be Reduced?

Detective controls: Share transactions

• Interest rate changes
• Check hold changes
• Special hold amount changes
• Activity in dormant accounts
  • Transactions that change the status from dormant to active

How Can The Risk of Inappropriate Transactions Be Reduced?

Detective controls: Administrative transactions

• Address changes (particularly changed to PO Boxes)
  • Sort by multiple addresses to help detect
• Statement mail code changes
  • Statement holds placed on the account

How Can The Risk of Inappropriate Transactions Be Reduced?

Soft controls: Policies and procedures

• Establish the Credit Union’s position on file maintenance, which helps create management’s “tone at the top” as to what is expected.
• Helps provide accountability in determining who is responsible for reviewing reports, which employees are authorized to perform file maintenance transactions, and what documentation is required to support the change.

How Can The Risk of Inappropriate Transactions Be Reduced?

Soft controls: Policies and Procedures

• Includes making employees aware that file maintenance transactions will be monitored.
  • If employees are under the impression their transactions are subject to review, this helps create an environment which may deter inappropriate file maintenance activity.
• Employees should undergo regular training and updates on these policies and procedures.

How Can The Risk of Inappropriate Transactions Be Reduced?

Documentation and record retention

There should be a paper trail supporting why changes occurred

• Member’s written authorization for address changes or other administrative changes.
• Approved and signed modification or extension agreements for loan due date changes.
• “Rate match” documentation if interest or share rates were changed.
• Best practice suggests documentation for changes be maintained for at least three years after the change.

Auditing File Maintenance Controls

First… do your homework

• Review the policies and procedures regarding file maintenance reviews
• Review and summarize the various data systems that process member transactions
• Include any third-party systems or servicers that would require file maintenance

Auditing File Maintenance Controls

Second… set up and conduct interviews with those responsible for the file maintenance function:

• This is an important step, so include all participants
• Make sure all transactional areas are covered
• Credit unions often consider file maintenance a nuisance, so be persistent
• Speak directly to those performing the function
• Who are the identified issues reported to?

Auditing File Maintenance Controls

Third… validate and document the interview results

• Confirm the independence of those performing the file maintenance function
• Consider using electronic methods of auditing file maintenance database
• Determine the competence of those performing the file maintenance function… this is key to the employee properly spotting violations of policy or worse
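One way to apply the electronic review suggested above, using the detective-control criteria and documentation requirements from the earlier slides. This is an added example, not part of the presentation; the report columns, employee IDs, document references and the related-accounts map are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a file maintenance (non-financial transaction) report.
# Column names and values are hypothetical; real core systems differ.
REPORT = """employee,account,field,old,new,doc
E101,20045,address,12 Elm St,PO Box 771,
E101,20045,statement_hold,N,Y,
E204,31870,loan_rate,7.25,3.00,
E204,55012,loan_due_date,2016-09-01,2016-12-01,EXT-0091
E317,40233,status,dormant,active,
E317,61500,phone,555-0100,555-0188,AUTH-2210
"""

# Hypothetical map of employees to their own and family-related accounts.
RELATED = {"E204": {"31870"}}
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*Box\b", re.I)
NEEDS_DOC = {"address", "loan_rate", "share_rate", "loan_due_date"}

def flags(row):
    """Return the review flags raised by one old/new change record."""
    out = []
    f, old, new = row["field"], row["old"], row["new"]
    if row["account"] in RELATED.get(row["employee"], set()):
        out.append("OWN_OR_FAMILY_ACCOUNT")
    if f in NEEDS_DOC and not row["doc"]:
        out.append("NO_SUPPORTING_DOC")
    if f == "address" and PO_BOX.search(new) and not PO_BOX.search(old):
        out.append("ADDRESS_TO_PO_BOX")
    if f == "status" and (old, new) == ("dormant", "active"):
        out.append("DORMANT_REACTIVATED")
    if f == "statement_hold" and new == "Y":
        out.append("STATEMENT_HOLD_PLACED")
    return out

def review(report_text):
    """Flag each change and count flagged changes per employee (pattern check)."""
    findings, per_employee = [], Counter()
    for row in csv.DictReader(io.StringIO(report_text)):
        if raised := flags(row):
            findings.append((row["employee"], row["account"], raised))
            per_employee[row["employee"]] += 1
    return findings, per_employee

if __name__ == "__main__":
    found, counts = review(REPORT)
    print(*found, dict(counts), sep="\n")
```

The per-employee count supports the "look for patterns" step; the flagged rows are candidates for sampling against the paper trail, not conclusions.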

Auditing File Maintenance Controls

Finally… evaluate and summarize the results of the audit:

• Is a secondary or follow-up interview needed?
• Are there holes in the process that need filling?
• Are reviews being documented?
• Are all employees being trained in the importance of file maintenance?

Auditing File Maintenance Controls

Common Weaknesses

• Lack of independence
  • Person performing the review can also perform file maintenance transactions
• Person performing the review is not very knowledgeable in the transactional activities
• Not all data or servicing systems are included in the regular file maintenance reviews (i.e., MBL on separate system)

Beware the Temptation

The Internal Auditor should not be the person performing the regular file maintenance reviews.

INSTEAD

They should regularly validate that file maintenance activity is sound and functioning as intended by management.

Questions?

Thank You!

Robert M. Parks, CPA
Shareholder
Office: (248) 244-3049
Cell: (248) 709-1046
Email: [email protected]

Jack Tracy, CPA
Manager
Office: (248) 244-3189
Cell: (248) 302-2697
Email: [email protected]