All financial institutions have controls surrounding file maintenance changes to their customer database. Although significant time and energy is expended managing these controls, file maintenance remains a common source of deficiencies during audits and regulatory examinations. Focusing on conducting risk assessments can help financial institutions design stronger controls, while reducing the cost and monotony of reviewing all file maintenance activity.
File Maintenance Procedures
In a core banking system, file maintenance includes any non-monetary adjustment to a customer account (such as changing contact information, the interest rate on a deposit or loan account, or the maturity date for a loan). It doesn’t include routine monetary transactions, such as processing loan payments or processing transactions to customer deposit accounts.
Risks Associated with File Maintenance
Financial institutions must safeguard customer data in their core banking system against internal or external fraud like any other valuable asset. The potential for unauthorized changes through file maintenance exposes a financial institution to operational, legal, and reputational risks.
Seemingly simple changes can carry a high risk, for example:
- Address change: Bank statements are mailed to the address on file, so changing this could allow a fraudster to stop or redirect statements, ultimately overriding the customer review control.
- Phone number change: Changing this could defeat a call-back control for authorization/confirmation of a wire transfer request.
- Loan due date change: This field is used for calculating interest and tracking the current status of the loan (if delinquent or not). One way to prevent a past-due loan from appearing on a delinquency report is to bump the due date forward so the loan appears current.
The Risk Assessment
To mitigate these risks, companies can begin by conducting a risk assessment to prioritize, create, and implement security controls. Here are a few ways you can properly initiate and perform a risk assessment.
The Control Objective
Start by determining the control objective and state what you are trying to achieve. For example: “Controls are adequate to ensure that file maintenance is performed by appropriate personnel.” You could say “authorized personnel,” but “appropriate personnel” is more comprehensive. Appropriate could mean well-trained personnel who are appropriately segregated from conflicting duties and ideally don’t have enough authority or system access to perpetrate a significant fraud.
An example of a poorly constructed control objective would be: “Controls are adequate to ensure that there are no errors in file maintenance processing.” This is nearly impossible to achieve. If the context is internal control over financial reporting, maybe it’s not necessary to have perfect controls that eliminate the potential for any errors. A large number of customer account change errors would have to occur to be material to the financial statements. However, global changes such as changing the rate on all money market accounts could have a material impact on the financial statements. This is a good example showing that a risk assessment can increase efficiency by focusing on the significant risks to achieving the control objective.
Brainstorm what could go wrong with file maintenance to identify the high-risk changes. Include the right people from multiple groups, such as operations, loan servicing, accounting, IT, and internal audit. It’s difficult to anticipate every scheme that can be perpetrated over a customer’s account, but the alternative of treating all file maintenance the same is less effective.
Consider risks due to fraud and risks due to error separately, because these can differ. For example, the fraud risk for rate adjustments on adjustable rate mortgages is low, but the risk of error is high, and so are the repair costs. Changing a phone number poses low risk due to error, but high fraud risk if the customer didn’t authorize it. Once the risks have been identified and graded, the financial institution will be better able to design sufficient, cost-effective controls that correspond to the identified risks. For low-risk file maintenance changes, the financial institution might rely more on top-level controls—such as written procedures, employee training, and segregation of duties—whereas the high-risk changes might be assigned more robust and precise controls.
Using the risk assessment, build a combination of preventive and monitoring controls that reduce the risk of fraud or systemic errors happening or going undetected. The controls should be simple, repeatable, and verifiable.
Preventive controls have the objective of stopping, before they occur, errors or fraud that could result in a misstatement of the financial statements. Restricted access and segregation of duties are key controls. Determine who should have access to make changes to a customer’s account. Ideally, this function will be assigned to employees who aren’t involved in custody or reconciliation functions, and they shouldn’t have conflicting interests. For example, loan officers shouldn’t have the ability to alter loan accounts. Using the system to enforce segregation of duties is a stronger control than relying on policies and procedures to segregate duties. Additionally, stronger preventive controls can allow for fewer monitoring controls.
Detective controls have the objective of detecting errors or fraud that have already occurred and could result in a misstatement of the financial statements. They might entail review of changes for irregular activity, comparing changes to supporting documentation, and verifying that authorized personnel performed the changes. This is where a risk assessment can add efficiency. Errors must be prevented, but if the fraud risk is low and personnel are attentive and well trained, then it might not be necessary to verify the accuracy of all changes.
The review process should start with system reports to ensure the entire population of maintenance is subject to sampling and review. This control is more susceptible to breakdown because it’s manual, as opposed to the preventive controls within the core system discussed previously. Institutions with a high volume of changes might require a sampling approach if it’s not cost effective to review every instance of file maintenance, but this should be a risk-based determination. Also, the use of properly designed custom reports to isolate high-risk changes is a practice that can make the review more effective and efficient.
Perform a walkthrough to understand the control. Ask the reviewer of file maintenance changes about the purpose of the review and what they do with the information in the report. Perhaps the reviewer initials an exceedingly large file maintenance log each day to indicate their review, and it’s evident that nobody could perform a meaningful review of this many changes. Regardless of how responsibility for file maintenance is distributed, the people performing this task require knowledge of the basic system structure and system file maintenance capabilities in order to perform a meaningful review. The reviewer should understand the related risks associated with the changes that they review, and know what to do if there’s an exception. A risk-based approach can help eliminate superficial review processes.
Notifying the customer of changes to their account can also be a strong monitoring control, especially when the notification process is system initiated. Notifications could include a letter mailed to the customer’s last address of record, or an email or text message to customers who use electronic banking to confirm they authorized the change. Automated notification should be the goal, since it’s less susceptible to human intervention or error.
Operating Effectiveness of Controls
During an internal or external audit, tests of controls might be performed to ensure they’re operating effectively. Common problems encountered during an audit are undocumented file maintenance reviews, improper segregation of duties, and lapses in control operation.
Undocumented File Maintenance Reviews
Documentation varies, and some financial institutions have moved to online reviews and might not be able to directly evidence performance of the control. The use of online sign-offs or a daily log to evidence performance is usually sufficient documented evidence indicating controls are operating. In some cases, the review process could be in the form of a checklist, which can serve as a guide to the reviewer and better document the reviewer’s actions.
Improper Segregation of Duties
Improper segregation of duties, such as the reviewer of file maintenance changes also having access to perform file maintenance changes, is a common deficiency due to limited resources. Management might accept and mitigate this business risk, but ideally the reviewer should be independent of the process when there’s fraud risk.
If this isn’t feasible, then a secondary review of file maintenance changes can be an adequate compensating control. The secondary review process must, at a minimum, identify all transactions performed by the primary reviewer. It shouldn’t rely on the honor system, wherein the primary reviewer notifies the secondary reviewer of what maintenance requires review. This dual-review type of control is expensive to maintain and not always necessary. It’s more common in small institutions when numerous people have access to perform file maintenance, including personnel that probably shouldn’t. Proper risk assessment could help smaller institutions reduce the scope of dual-review controls to only those file maintenance changes determined to have fraud risk.
Other common deficiencies include inconsistent application of the control such as days or weeks missed, catch-up reviews due to vacation or sick leave, or ineffective review. A well-designed process including written procedures can reduce the risk of control lapses.
Continuous Audit Approach
As a best practice, management can establish a continuous audit process to fortify controls. This can help mitigate the risks of using a sampling approach (i.e., not reviewing 100% of transactions). This might entail periodic internal audit testing using random sampling, database integrity tests, customer confirmations, or a combination thereof.
Fraudsters use technology to their advantage—but internal auditors can also leverage technology to quickly detect fraud. The internal auditor can use data analysis software, such as Monarch, ACL, ActiveData, or IDEA, for data extraction and analysis to assist in identifying irregularities in the data.
Procedures for analyzing the core database might include:
- Identifying statistical outliers that could indicate fraud
- Reviewing activity in no-mail accounts and duplicate address accounts
- Identifying irregular patterns in the activation of dormant accounts
- Testing loans with out-of-range interest rates
- Reviewing advanced loan due dates for propriety
- Reviewing activity in employee loan and deposit accounts
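The following is an added example, not part of the original article and not code from any of the tools named above, showing how several of the listed procedures (out-of-range rates, advanced due dates, duplicate addresses, activity on no-mail and employee accounts, and a statistical outlier test) can be run over an extract of the core database. The account and change records, the field names, and the policy rate limits are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data (assumed extract schema), not from any real core system.
ACCOUNTS = {
    "D100": {"type": "deposit", "rate": 0.50, "address": "12 Elm St", "no_mail": False, "employee": False},
    "D101": {"type": "deposit", "rate": 0.55, "address": "9 Oak Ave", "no_mail": True, "employee": False},
    "D102": {"type": "deposit", "rate": 0.52, "address": "12 Elm St", "no_mail": False, "employee": True},
    "L200": {"type": "loan", "rate": 6.25, "address": "4 Pine Rd", "no_mail": False, "employee": False},
    "L201": {"type": "loan", "rate": 6.50, "address": "7 Birch Ln", "no_mail": False, "employee": False},
    "L202": {"type": "loan", "rate": 0.10, "address": "3 Cedar Ct", "no_mail": False, "employee": False},
}
# Non-monetary file maintenance: (account, field, old value, new value, operator, change date)
CHANGES = [
    ("L200", "due_date", date(2024, 3, 1), date(2024, 3, 15), "op1", date(2024, 3, 2)),
    ("L201", "due_date", date(2024, 3, 1), date(2024, 9, 1), "op2", date(2024, 3, 5)),
    ("D101", "phone", "555-0100", "555-0199", "op1", date(2024, 3, 6)),
    ("D102", "address", "12 Elm St", "12 Elm St Apt 2", "op2", date(2024, 3, 7)),
    ("L202", "rate", 6.00, 0.10, "op1", date(2024, 3, 8)),
]

def out_of_range_rates(accounts, limits):
    """Accounts whose rate lies outside the policy range (lo, hi) for their product type."""
    return sorted(a for a, r in accounts.items()
                  if not limits[r["type"]][0] <= r["rate"] <= limits[r["type"]][1])

def advanced_due_dates(changes, max_days=30):
    """Due dates pushed forward by more than max_days, which can mask a delinquent loan."""
    return [c[0] for c in changes if c[1] == "due_date" and (c[3] - c[2]).days > max_days]

def duplicate_addresses(accounts):
    """Addresses of record shared by more than one account."""
    by_addr = defaultdict(list)
    for a, r in accounts.items():
        by_addr[r["address"]].append(a)
    return {addr: ids for addr, ids in by_addr.items() if len(ids) > 1}

def flagged_account_activity(accounts, changes, flag):
    """Changes made to accounts carrying a given flag ("no_mail" or "employee")."""
    return [c[0] for c in changes if accounts[c[0]][flag]]

def rate_outliers(accounts, acct_type, cutoff=3.5):
    """Robust outlier test: rates far from the product-type median, scaled by the MAD."""
    rates = {a: r["rate"] for a, r in accounts.items() if r["type"] == acct_type}
    med = median(rates.values())
    mad = median(abs(r - med) for r in rates.values())
    return [] if mad == 0 else sorted(a for a, r in rates.items() if abs(r - med) / mad > cutoff)
```

Each function returns the account identifiers that warrant follow-up, so the reviewer works a short exception list rather than the full maintenance log.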
The controls over file maintenance changes should include a mix of preventive and monitoring controls based on thoughtful risk assessment. Time spent designing the controls will help make the system more cost-effective while still controlling risk exposure.