Auditors Take the Fight to Fraudsters
Keep a tight leash on member information, and require certain measures to protect it.
Fraud comes in many forms, whether it’s a “model employee” repeatedly raising her credit card limit to fund a gambling addiction, or a member swiping $400,000 of a relative’s money via automated clearinghouse.
That’s where Jennifer Hoskins, CPA, comes in. The partner at Nearman, Maynard, Vallez CPAs has seen it all during her more than 20 years as an auditor. She provided a glimpse of her world Tuesday during the 2014 CUNA CFO Council Conference in Las Vegas.
Hoskins outlined seven of the most common audit findings, and how to avoid them:
1. Supervisory override reports. These reports detail transactions that were permitted after obtaining a supervisory override, such as accessing dormant accounts or employee accounts, and file-maintenance changes such as loan due dates or interest-rate modifications.
Problems typically arise when there is no review of supervisory overrides, or when such reports are reviewed by staff who have override authority, Hoskins explained.
2. File maintenance reports, which detail changes to select fields of credit union information (i.e., interest rates, addresses, phone numbers, and loan due dates and payment frequency). Audits often find a lack of useful file maintenance reports.
3. Dormant accounts, in which there has been no activity for a specified amount of time.
“Due to the nature and inactivity of dormant accounts,” Hoskins said, “they're usually the target for fraudulent activity.”
4. No-mail accounts. On this type of account, the member has requested that the account statement not be mailed to him or her, or the statement was returned due to a bad address.
Problems might crop up when employees have access to “no-mail reports,” she said. “These are very sensitive documents that provide too much member information. There’s no reason to keep these reports.”
5. Annual disclosure statements, which authorize the credit union to review accounts related to the credit union’s staff and directors.
Too often, credit union employees and directors either don’t fill out this statement or fail to update it annually.
“It lets staff know that we might look at the relationship between their accounts,” Hoskins said. “The purpose is to keep people from hiding illegal transactions.”
Not all violations are nefarious. Sometimes credit unions simply implement this requirement—and promptly forget about it, she added.
6. SSAE 16 reports. These reports examine whether third-party data providers have vulnerabilities in their systems.
SSAE is short for Statement on Standards for Attestation Engagements. Such reports sometimes lack sufficient documentation. “Often, people get them but never read them,” Hoskins said. “They should make you more comfortable with the validity of your data.”
7. Reconciliations. Auditors sometimes find that reconciliation reports aren’t filed in a timely manner—or at all, Hoskins said. Reviewers of this report need to sign and date the reconciliation.
“This happens over and over and over again,” she said. “Sometimes people try to hide that they don’t know what something is.”
That includes one person who was unfamiliar with a certain abbreviation: ATM.