Risk Management
Three essential components of a credit union’s cash operations are:
-
The people who run the operation, from those who make high-level decisions related to overall cash management to those who initiate and process cash transactions.
-
The processes established by a credit union that lay the framework for sound internal controls over cash operations.
-
The data processing systems and technology that maintain proper recording of all cash transactions, and used to accurately present the credit union’s cash position.
People
Board of Directors
NCUA regulation § 701.4, General authorities and duties of Federal credit union directors, requires a FCU’s board of directors to have at least a working familiarity with basic finance and accounting practices, including the ability to read and understand the credit union's balance sheet and income statement. The regulation requires a board member to acquire this level of understanding within six months of election or appointment. The board should have a fundamental understanding of cash accounts the credit union uses, and a credit union should not use account types if the board does not demonstrate an understanding of those account types.
Examiners expect to see an active board that is involved in generating sound policies, procedures, and controls. The board reviews policies associated with cash operations and updates them as necessary. It is a good practice to review and update policies at least once a year or when there is a major operational change (for example, and new product is introduced or the credit union installs proprietary ATMs, etc.).
The FCUA § 1761b(19) requires the board of directors to establish and maintain a system of internal controls.
Sound internal controls over cash operations include:
- Authorizing the maximum amount for each cash account (petty cash, teller change fund, vault change fund, ATM change fund, etc.) with consideration of surety bond limits
- Confirming that board-established policies, procedures, controls, and limits are upheld, and maintaining documentation (meeting minutes) when items are discussed in board meetings
- Approving ad hoc exceptions to the institution’s cash account and cash operations policy and documenting any exceptions properly with supporting information
- Instituting adequate segregation of duties, specifically assigning staff who are independent of all cash operations to complete all necessary reconciliations promptly and with adequate oversight
Supervisory Committee
An FCU’s supervisory committee is responsible for maintaining oversight of the institution’s internal controls and ensuring that the board’s policies, procedures, and controls are upheld. This may include oversight activities on a regular basis such as:
- Reviewing policies and procedures for appropriateness, proper controls and risk limits,
- Conducting or commissioning surprise cash counts (counts performed without prior notifications to staff)
- Verifying that the reconciliation of bank statements is completed properly and promptly, signed, and approved in accordance with credit union policy and associated internal controls
- Reviewing cash over and short reports
- Following up on any weaknesses in the above areas
While FCUs are required to have a supervisory committee per FCUA § 1761b, Board of directors; meetings; powers and duties; executive committee; membership officers; membership application, not every FISCU will have one. In states where a supervisory committee is not required, an audit committee, internal auditor, or risk management committee may perform the functions outlined above.
Some credit unions are large enough to staff an internal audit function. Internal auditors help the supervisory committee fulfill its role in overseeing the credit union’s cash operations, among other things.
It is important to consider the chain of command when evaluating the independence of the work performed by an audit committee or internal audit department. Internal audit committees and staff reporting to operational management instead of a Board appointed or elected audit committee or supervisory committee may not have the same independence as those who do not report directly to operational management.
Senior Management
Senior management is responsible for carrying out the credit union’s board-established policies and limits for cash operations. Senior management is also responsible for generating sound written procedures and internal controls for cash accounts and cash operations.
Management should have a full understanding of, and experience level commensurate with, the type and complexity of each cash account a credit union maintains. If examiners find there is a lack of experience with an account type, they can urge the credit union to obtain that expertise by training existing staff, hiring experienced staff, or outsourcing the function to a third party (for example, a bookkeeper or an employee of another credit union).
The senior management team should also maintain adequate staffing levels to support board-approved strategies and activities. The size of the staff should be commensurate with the complexity of a credit union’s cash accounts and the volume of transactions.
Frontline Employees
Employees with a role in a credit union’s cash operations may be responsible for:
- Disbursing and receiving funds
- Maintaining appropriate records
- Balancing and reconciling all cash accounts
- Reporting shortages and overages
- Clearing daily checks
Depending on a credit union’s size and structure, these may be member service representatives, tellers, or other staff.
Segregation of Duties
Whenever possible, duties and responsibilities for cash operations should be segregated between two or more individuals with clearly defined responsibilities. Clearly defining the roles and responsibilities of each credit union employee with respect to cash operations can:
- Minimize fraud-related losses through segregation of duties
- Ensure board-established policies and limits are observed
- Provide appropriate oversight
For example, credit union staff responsible for counting vault cash should not be the same staff responsible for reconciling vault cash and should not have access to the GL. Similarly, credit union staff should not be able to post transactions to their own or related-party accounts. Smaller credit unions may not have adequate staffing resources to completely segregate duties in all areas. In such credit unions, the supervisory committee can provide adequate oversight to ensure that there are sufficient mitigating controls and that staff is adhering to board-established policies and procedures.
Examiners should assess a credit union’s segregation of duties with respect to cash accounts and cash operations. If complete segregation is unrealistic, examiners should assess whether the credit union has adequate oversight and sufficient mitigating controls over this area. Some examples of mitigating controls include periodic internal control reviews and an active supervisory committee.
Processes
Policy and Procedures
The board of directors should approve a credit union’s cash control policy. The policy should provide a framework for safe cash operations. At a minimum, a credit union’s cash control policy should authorize a maximum amount for each cash account (petty cash, teller drawers, vault cash, ATMs, etc.)
Credit unions should establish a suitable anti-fraud policy and document employees’ agreement to comply with the policy as a condition of employment.
A credit union’s management team establishes cash control procedures to implement the cash control policy established by the board. If no policy has been established, written procedures become more important. These procedures should establish the steps credit union staff should follow when performing cash operations.
Risk-Management Practices
Risk-management practices are an important element of cash operations. Such practices help a credit union monitor risk and adhere to board-established limits. The more complex a credit union’s cash operations, the more detailed and extensive its risk management practices should be.
Risk Management practices may include, but are not limited to:
- Bank reconciliations explain the difference, on a specified date, between the bank balance shown in an organization's bank statement (as supplied by the bank) and the corresponding amount shown in the organization's own accounting records. Adjusting entries to the reconciliation should be clearly supported and documented. All adjusting entries should be cleared in a timely manner
- Surprise cash counts reconcile the physical cash to the individual and aggregate, end-of-day, teller cash counts
- Individual teller cash counts should balance to the ending cash balance on system generated teller summary reports. The total ending cash balances for all tellers should balance to the amount of the overall change fund appropriated to teller change funds in the GL
- Periodic physical cash inventory and reconciliation such as:
- Daily cash drawer balancing and balancing reports
- Periodic vault counts and reconciliation
- Daily cash and cash items reporting internally and from service providers
Additionally, a credit union should establish written procedures to respond to incidents of theft or fraud and monitor cash limits as established by the board.
Credit unions should also have their risk-management practices independently reviewed on an ongoing basis. This is usually performed by the supervisory committee or an auditor (internal or external). This will help identify exceptions to policy and bond specifications, allowing for implementation of remedial action as needed.
Systems/Technology
A credit union must have adequate systems and technology in place to accurately record all cash transactions and document its cash balances for disclosure to interested parties (regulators, credit union boards, auditors, members, etc.).
With respect to cash operations, a data processing system can help a credit union maintain accurate records of disbursements and receipts, and monitor board-approved limits.
The IT - Expanded 748 Compliance Questionnaire can help examiners evaluate certain aspects of a data processing system including data encryption, system access, and physical security of the servers, among others.
Last updated on September 15, 2021