While rural banks can perform exactly the same functions as their urban and suburban counterparts, rural banks face special risks because of their small staffs and because their budgets to maintain and improve controls may be limited. Auditors will audit rural banks using the same programs that they would for any other bank, but will pay special attention to areas of higher risk.
Dual control requires that two bank employees share access to a vault, with each employee holding a different means of access. Without both employees, the vault cannot be opened. Because rural banks may not have adequate staff to ensure effective dual control, the means of access, such as keys and combinations, may be shared or employees may be left alone with unsecured assets. Auditors will use the bank’s key and combination logs to ensure that only authorized personnel have keys and that adequate backup exists if a key or combination holder calls in sick. Both dual-control employees should remain present while the vault is open to account for all transactions.
Rural banks may choose to rely on sole control over some assets, including the cash vault, cashier’s checks, savings bonds and money orders. Sole control requires that only one individual be authorized to access the assets under his control. If that employee is absent, no other employee should be able to gain access. Sole control can be handed over during vacation periods, but only after a full asset count and documentation of the control change.
Auditors will compare sick days taken by employees with sole control responsibilities to logs showing access to assets under sole control. They will ensure that no one else has accessed the assets without a documented control change.
Separation of Duties
Because of small staff sizes, a rural bank employee might perform conflicting duties, such as preparing credit or debit slips and holding customer statements. Entries could be made to customer accounts and go undetected because customers do not receive their statements. Every bank should maintain a matrix that lists each employee and the system and manual activities to demonstrate that duties are effectively separated. If the bank does not have a matrix, one should be prepared and checked for effective separation of duties.
The Office of the Comptroller of the Currency recommends that employees in sensitive positions, such as lenders or vault personnel, take a minimum of two weeks consecutive vacation during the year. Rural banks may not be able to observe this standard because of small staffs. If a mandatory vacation policy is not enforced, auditors should identify and test compensating controls, including surprise cash and asset counts.
Locks and Alarm Codes
Changing locks and alarm codes helps ensure that unauthorized people do not access the bank’s interior. Exterior locks and alarm codes should be changed when an employee with a key or code is fired, resigns or is laid off. Rural banks may have limited budgets and choose not to change locks after terminations. Auditors should expand their audit procedures to review all personnel terminations after each audit, and compare leaving dates with locksmith invoices and changes in the alarm system.