Entire Course (including glossary) (2024)


Chapter 2. Government Regulation of the Banking Industry

This chapter describes governmental regulation of the banking industry, including primary federal regulations, as well as other regulatory controls. Additionally, it discusses the regulatory examinations designed to ensure that banks operate safely and soundly.



One factor that makes bank audits different from others is the high degree of government regulation and supervision of the banking industry. Because banks are so vital to a healthy economy, the government oversees their functions to ensure safe and sound operation. While ensuring compliance with regulations is not the role of an independent public accountant, one should understand the effect of regulations on bank structures and accounting systems and the related reporting requirements.

Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) requires management of banks with total assets over $500 million to make an assessment, in writing, of the effectiveness of the bank's internal controls. Regulations in the 2013-2014 timeframe require increased risk governance activities, with stronger requirements in large banks and BHCs. In the largest institutions, independent risk governance of the Board is required, with stronger responsibilities than even the audit committee.

External auditors must issue a report on the assertions made by management. In addition, FDICIA Section 112 requires management of banks with total assets over $500 million to report on compliance with certain designated laws and regulations.

The external auditor of such institutions must report on the results of applying agreed-upon procedures to test compliance with specified laws and regulations.

The auditor should also be aware of the resources government regulation brings to the work of the independent public accountant. The same requirements apply to bank holding companies with assets over $5 billion. The Sarbanes-Oxley Act requires that all publicly traded companies, including banks, maintain systems of internal control to comply with the provisions of the Act.

Regulations dramatically affect the manner in which financial institutions are managed and evaluated. The significant provisions of the FDICIA and other laws are discussed, as appropriate, throughout the remaining chapters of this course.

In a 1992 survey, the American Bankers Association determined that the cost of regulation exceeded $10 billion, or 57% of the entire pretax profit of the banking industry. Such costs were expected to increase because of the FDICIA. Many other regulations have been added since that time and searches for other estimates of regulatory burden costs have not produced numbers that are currently reliable.

Though dated, these 1992 numbers are offered to give a feel for the impact of this factor on the operations of banks. First-hand knowledge testifies that the cost of Sarbanes-Oxley compliance, anti-money laundering efforts, and the costs of the regulations associated with the Global War on Terrorism have added multiples of the cost cited in the 1992 survey. No such survey is available in the recent past, though opinions of informed observers support estimates that compliance costs of all types have ballooned to many multiples of those numbers from 30 years ago. The growth of compliance issues has made it difficult to impossible to identify all of the cost numbers. Costs include costs of implementation and new staffing, statutory fines, requirements for changes in operations and administration arising from regulatory examinations, and a host of other obvious and subtle changes.

In the previous chapter we discussed a number of the provisions of the Dodd-Frank Act (DFA) that apply directly to banks. DFA is the most far-reaching banking reform legislation in more than 50 years. For those who wish to gain more understanding of the creation and provisions of DFA, a valuable book was published in 2013: Act of Congress by Robert G. Kaiser. Another important book is After the Music Stopped by Alan S. Blinder.


The responsibilities of the individual state banking departments vary by state and are beyond the scope of this course.


This chapter identifies:

  • federal bank regulatory agencies and their functions,

  • characteristics of bank examinations,

  • measures regulators may take to obtain bank compliance with regulations,

  • the roles of the bank examiner and external auditor, and

  • the importance of the regulatory exam report to the auditor's tasks.

Primary federal bank regulatory agencies govern bank activities and are primarily concerned with the safety and soundness of bank operations, and the bank's compliance with laws and regulations that govern its activities.

Three separate federal agencies have substantial regulatory and supervisory responsibilities over banks, including periodic examinations. They are the:

  1. Office of the Comptroller of the Currency (OCC),

  2. Federal Reserve System (the Fed) Board of Governors, and

  3. Federal Deposit Insurance Corporation (FDIC).

As noted in the previous chapter, the Financial Stability Oversight Council (FSOC) is charged with surveillance of the largest banks, which have the potential for significant risk to the entire financial system.

U.S. banks operate under either a federal or state charter.

National banks operate under a federal charter. In addition to having the word “National” or “NA” in their titles, national banks:

  • are supervised by the OCC (part of the U.S. Treasury),

  • must be members of the Federal Reserve System, and

  • must be insured by the FDIC.

The FDIC, through the Deposit Insurance Fund (DIF), insures the deposits of member banks up to a specified amount. Each bank must pay a semiannual premium for insurance protection to the FDIC based on its deposits.

Effective January 1, 1993, subject to FDICIA Section 302, premiums assessed by the FDIC are risk-based. Specifically, the premiums assessed each financial institution vary depending on the capitalization of the institution and the estimated risk of loss that the institution poses to the applicable insurance fund. The conditions of premiums and risk were further expanded in the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act” or DFA).

The FDIC insures virtually all bank deposits. It also has supervisory responsibilities over thrifts relative to the insurance of their deposits. When a bank fails and the deposit liabilities are assumed by another bank, all deposit balances become the liability of the acquirer. If a failed bank is closed and no one will buy it (a rare occurrence), then the FDIC is obligated to pay depositors up to the insured limit of $250,000. Through various account titling and customer association structures, this amount can be increased. For example, Bill Thompson $250k, Bill and Linda Thompson $500k (sum of 2), Thompson Revocable Family Trust $750k (sum of individuals plus joint trust), and so on.

Although state banks are chartered by the state in which they operate, they are also subject to federal controls.

State banks can, but are not required to, be members of the Federal Reserve System. If they do join, they:

  • must have FDIC insurance,

  • are called state member banks, and

  • are supervised by the Fed as well as the state banking department.

Note

State banks that do not join the Federal Reserve System may still obtain FDIC insurance. If they do, they are called FDIC-insured state nonmember banks and are supervised by the FDIC and the state banking department. The number of banks not insured by the FDIC is extremely small.


The Fed plays a dominant role in supervision not only because it supervises banks and bank holding companies, but also because it regulates the nation's monetary policy. As such, the Fed exercises some control over all depository institutions. The Fed is also the issuing agency of all consumer regulations, though it is being replaced in that role by the Consumer Financial Protection Bureau (CFPB) established in Dodd-Frank.

The CFPB is now the source of all federal consumer protection regulations regardless of whether the bank in question is a state or national bank. It has no bearing on Fed membership. The CFPB headquarters resides at the Fed, but the Fed has no direct control over its activities. (The activities and very existence of the CFPB have been a political football since the passage of DFA.)

The Fed is the central bank of the United States. It regulates the nation's money supply by controlling the amount of reserves depository institutions must hold in cash and deposits at the Fed. One of the tools the Fed uses is management of the money supply by increasing or decreasing bank reserves. The Fed adds and removes money from the lending supply by increasing or decreasing bank reserves. This is how the Fed dampens or stimulates the economy. The Fed also buys certain classes of securities to add liquidity to the economy or sells these types of securities to reduce the amount of liquidity. Liquidity is the amount measured in M1 and M2.

Reserves are computed based on a stated percentage of certain deposits. Increases in reserve requirements reduce the amount of money (liquidity) banks have available to lend or invest. Decreases in reserve requirements have the opposite effect. The Fed also controls the foundation interest rates on which all other rates are based. This is the most visible power that most of society sees and ‘feels’.

The Fed has other responsibilities:

  • It acts as fiscal agent of the U.S. Treasury to sell and buy back U.S. government bonds and maintains all records of UST securities issued. The Fed is the government's bank, just as your bank handles your money.

  • It is the lender of last resort for member banks. The Fed can make loans to banks when loans are secured by the borrowing bank's investment securities or by certain kinds of loans, such as qualifying residential mortgage loans and consumer loans.

  • It provides check clearing and collection, security safekeeping, and wire transfer services to banks for a fee.

  • It examines and supervises state member banks and bank holding companies and their affiliates.

  • It is the home site of the Consumer Financial Protection Bureau though the CFPB operates as an independent agency.



The following table summarizes the primary federal regulatory responsibilities (marked “P”) and the secondary federal regulatory responsibility if any (marked “S”):

OCC FDIC Fed State
National banks P S
Financial services/holding companies P
State non-member banks and trust companies: P S
Fed state bank members P S
Nonmembers, FDIC-insured P S
Uninsured P

The terms primary and secondary regulators refer to supervisory roles that sometimes overlap. For instance, the OCC is the primary federal regulator for national banks, but the FDIC has a secondary role because the FDIC insures the deposits.


In state-chartered banks, the primary federal regulator and the state regulator are basically equals, though they will defer to each other in different circumstances.

For example, if a state bank fails, the FDIC takes the lead role in the closure and liquidation because the FDIC has to pay the insurance coverage on the deposits. In general, the state and FDIC will take the position of lead examiner in alternative examinations. If a national bank fails, the FDIC takes the lead in the liquidation process.

In some cases, examinations will be staffed with examiners from both agencies with the in-charge responsibility. It is common for the FDIC to take the position of the senior among equals.



Study Question 7

Basic authority for the bank to conduct business and for constraints on its activities flow from which of the following?

A. The accepted practices and customs of the banking industry
B. The board of directors of the bank
C. The laws and regulations related to the chartering agency
D. The regulations of the Fed

Study Question 8

FDIC-insured state nonmember banks are supervised and examined by which of the following?

A. State banking department and the FDIC
B. The Fed
C. The OCC


The Fed acts as a correspondent bank, a regulator of banking activities, and a controller of the money supply. It lends money to banks, but the loans must be secured by qualified securities or qualified loans. It is the fiscal agent of the U.S. Treasury and as such regulates many transactions for banks that are not Fed members, such as the sale and redemption of savings bonds and Treasury tax and loan (tax payment) transactions. It is also the ultimate record keeper for all issues of U.S. government securities (T-bills, notes, and bonds.)


Study Question 9

All national banks and some state banks:

A. are chartered by the OCC.
B. are insured by the Federal Reserve System.
C. are members of the Federal Reserve System.
D. have trust departments.

Consumer Financial Protection Bureau (CFPB)

A new regulator, the Consumer Financial Protection Bureau (CFPB), was created under the terms of the Dodd-Frank Act. This regulator is housed under the Federal Reserve but not controlled by it. Although not fully funded as of mid-year 2023, it has a major impact on banking. The potential for significant financial risk in the form of fines and constraints on bank activities could be large. In 2016 this agency was stripped down so as to be eliminated for all practical purposes. Virtually all of the protections afforded to consumers under Dodd-Frank were lost in the process. In the years beginning in 2021 the Bureau was rejuvenated and its powers restored. It is obvious that the Bureau is a political football. This means that the banking industry is subject to changes in enforcement, which makes for instability in planning and operations in the banks.

Which is a material risk on financial outcome: a $10 million fraud or a $10 million fine? Non-compliance fines have run as high as $50 million in a Bank Secrecy Act violation.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC forms a common meeting ground for the Fed, FDIC, OCC, and other regulatory bodies like the National Credit Union Administration (NCUA) which regulates credit unions. Through the FFIEC, these regulatory bodies coordinate certain regulatory activities, including reporting and examination. Information Technology systems examination procedures are set out in a common manual for use by all regulatory examiners. A growing number of examination procedures and regulatory interpretations are established by the FFIEC and published under the auspices of the individual regulatory agencies. Even more importantly many Joint Agency Policy Statements are coming out of the FFIEC which are then published by each of the agencies as regulations.


Securities and Exchange Commission (SEC)

Bank holding companies are subject to the regulations of the Fed. Bank holding companies that meet the periodic reporting requirements of the Securities Exchange Act of 1934 must also report to the SEC. Banks with 500 or more shareholders are subject to the 1934 act, but they report to their primary regulatory agency rather than to the SEC. Generally, the reporting rules of the bank regulatory agencies parallel those required by the SEC.


Other regulators for specialized activities

Banks are subject to other regulators for some specialized activities. If the bank has a bond trading department, it is subject to the Municipal Securities Rulemaking Board (MSRB) and its rules. Traders must be registered with that organization as well. If the bank is making insured mortgage loans or selling mortgages in the secondary market, it may be governed by the rules of the following agencies:

  • Federal National Mortgage Association (Fannie Mae or FNMA)

  • Federal Home Loan Mortgage Corporation (Freddie Mac or FHLMC)

  • Government National Mortgage Association (Ginnie Mae or GNMA)

  • Federal Housing Administration (FHA)

  • Veterans Administration (VA)

The maze of federal and state agencies that regulate banking operations is often difficult to understand. Just as difficult are the number and scope of regulations that banks must comply with in their day-to-day operations.

Two examples of regulations having an effect on all banks and their operations include Regulation CC and the Bank Secrecy Act.

Regulation CC implemented the Expedited Funds Availability Act of 1988, which arose from consumer concern over the amount of time banks took to make funds available after a deposit was made, which in some cases was several days. This law applies to member and nonmember banks, savings banks, and credit unions.

Regulation CC requires banks to:

  • make funds available on a schedule established by the law and the regulation,

  • provide a faster method of returning unpaid checks to the bank in which they were deposited,

  • provide notice of the return of large checks no later than 4:00 p.m. on the second business day following presentment, and

  • endorse checks in a prescribed manner and location on the back of the check.


The Currency and Foreign Transactions Reporting Act

One of the most current and visible federal regulations is the Currency and Foreign Transaction Reporting Act, which is also called the Bank Secrecy Act. This law is intended to uncover depositors and other bank customers who are laundering money, particularly drug and terrorist money, through financial institutions.

In part, the law requires banks to report all currency transactions over a certain dollar amount (generally $10,000 in daily aggregate).

The bank must complete a currency transaction report (CTR) for each deposit, withdrawal, and certain other transactions when the transaction contains a specified level of cash or cash equivalents, such as traveler's checks, money orders, or cashier's checks. The CTR is filed with the Financial Crimes Network (FINCEN) in the US Department of Homeland Security. This report form is titled Suspicious Activity Report. Despite what politicians want to make of it, it has nothing to do with the transaction (deposit or withdrawal) being suspicious; it is solely driven by the size of the transaction. The form is prepared by the teller handling the cash transaction and is a mechanical process; it does not involve any knowledgeable inquiry into the nature of the customer's acquisition or use of the cash involved.

Banks and the federal government have determined that reporting all cash transactions in excess of $10,000 creates a large number of reports of legitimate transactions. This volume of legitimate transactions tends to bury the small number of questionable transactions, thus undermining the effectiveness of the reporting system. The regulation now provides that many corporations listed on the U.S. stock exchanges are exempt from reporting—essentially all listed companies except the small cap companies on the NASDAQ.

In addition, a bank can perform an analysis of customers who have cash-intensive operations and prepare justifications for exempting them from reporting. The bank—its officers, directors, and employees—can be criminally liable if the exemption mechanism is misused to hide money laundering or other criminal activities. Therefore, the bank needs strong controls over the internal process of creating and supporting exemptions for customers. The bank and its employees face substantial criminal penalties for failure to comply with the Bank Secrecy Act. Banks have incurred penalties of $50 million and more for failure to comply.


Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001

Another law that imposes a heavy compliance burden on banks and heavy penalty for compliance failure is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act of 2001, which is also known as US PAT). Effectively under this law, like the Bank Secrecy Act, the bank is turned into a law enforcement agency. In the case of the US PAT, banks are not alone in this burden; libraries, airlines, and a host of other public institutions have the responsibility of checking everyone, including long-standing customers, every time they open a new account or apply for a new loan.

The US PAT expired in June of 2015 and in two days was replaced with another nonsensically titled law, the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act, or USA Freedom Act. The changes between the two laws did not change the burden on banks. If you are interested, the text of the act is found at www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf. The titling of these laws, as is the case with many others, is an example of creating an acronym for political purposes then coming up with words to use in titling the law for legal purposes. A classically Washingtonian exercise. For all the clownish aspects of titling, the bank is still liable for substantial penalties for noncompliance.



Study Question 10

Banking regulations cover many aspects of bank operations. Three of the following are areas of concern that are regulated by the OCC, the Federal Reserve, the FDIC, or state banking departments. One of the following is the responsibility of a nongovernmental organization. Identify that item.

A. The means by which unpaid checks are to be returned to the bank where they were deposited
B. The period of time by which the funds from deposited checks must be available to the customer
C. The reporting of transactions that bear the characteristics of money laundering
D. The setting of generally accepted accounting principles (GAAP) for banks



The role of examiners from bank regulatory agencies can be distinguished from the role of the auditor.

Traditionally, the auditor is concerned about whether the financial statements of the bank are presented fairly in accordance with GAAP and whether appropriate controls over financial reporting exist. Thus, the auditor's work encompasses accounts and activities that could materially affect the financial statements.

Under the FDICIA, the external auditor's traditional role was expanded. Because of FDICIA Section 112, banking has become the first industry group for which management must report on internal controls and on compliance with laws and regulations. The act also requires the auditors of insured depository institutions (IDIs) to report on management's assertions regarding the effectiveness of internal controls and to report on agreed-upon procedures relating to certain laws and regulations.

The Sarbanes-Oxley Act and PCAOB standards came later and further expanded the requirements of the auditor to investigate and report on internal controls over financial reporting. Auditing Standards were redefined to encompass control evaluation in the financial statement audit.


Four Areas of Bank Examination

The bank examination is organized into four areas:

  1. General operations and lending

  2. Consumer compliance

  3. Electronic data processing or information systems (IT)

  4. Trust Department operations

The examiner, on the other hand, is concerned with the overall operations of the bank and whether they are conducted in a safe and sound manner. Consequently, in addition to financial statement matters, the examiner looks at other factors such as management's experience and the bank's compliance with laws and regulations. When regulatory examinations are complete, the examiners prepare exam reports summarizing their findings.

General operations and lending

The general operations examination focuses on lending, investment, interest rate management, and the quality and depth of management.

Generally, examiners do not concern themselves with substantive testing of the general ledger or subsidiary accounting applications. In this area, the roles of the auditor and the examiner can be described as complementary rather than duplicative. However, it must be noted that the examiners are keenly interested in the accuracy of the periodic (quarterly) Call reports. To that extent the accuracy of accounting is of interest to the examiners. Examiners will look at whether the Call reports reflect the general ledger, but not whether the general ledger figures are an accurate reflection of the assets, liabilities, income and expense. They consider that the auditor's job.

A Call report is a detailed statement of a bank's operating and financial condition. This report offers valuable information to the auditor though it is not the role of the auditor to attest to that report. The Call contains much detailed information on the components of the bank's business operations which the auditor will find helpful.

Consumer compliance

The consumer compliance examination does not have a parallel in the financial audit, though the internal auditor usually considers such matters because of the potential for regulatory discipline for noncompliance.

The compliance examiner makes a detailed examination of the bank's policies, procedures, and training systems to ensure compliance. The examiner also makes substantive tests of records to determine that the bank is complying with the applicable regulations. The creation of the Consumer Financial Protection Bureau under Dodd-Frank continues to develop as of this writing. That Bureau is under attack by lobbyists and members of Congress. Therefore, the exact nature and outcome of the implementation process is progressing slowly. Dodd-Frank gives that Bureau full and far-reaching authority for establishing and amending consumer compliance rules and examination procedures. Dodd-Frank also gives the Bureau primary consumer compliance examination authority over the largest banks in the country. How the authority of the Bureau is being practiced at a given time cannot be stated at the time of this writing.

Electronic data processing or information technology systems (IT)

The IT examination is comparable to the review performed by the internal IT auditor or the public accounting IT specialist. It concentrates on procedures and controls. This examination is usually conducted separately from the rest of the regulatory exam. With the growth in electronic service delivery systems, the role of this examination segment has taken on greater weight in the overall examination process.

Trust Department operations

Trust operations are unique in that they encompass legal, investment and other disciplines that are not found in the bank examination. The scope of investment management in the trust department encompasses fixed income (bond) securities, equities, real estate, business operations and a host of activities that differ widely from the bank's management skill sets.

The trust department may be the paying agent on bonds, the registrar and transfer agent of stock issues and the custodian of pension and endowment funds. With all of these activities in play in the trust department it is obvious that the examiners covering this area must themselves have very special skills.

Just as an auditor reaches a final conclusion on financial presentations and controls, the examiner concludes the examination when he/she assigns a CAMELS rating to the bank.

The acronym CAMELS stands for:

  • C – Capital (adequacy)

  • A – Asset (quality and collectability)

  • M – Management (qualifications and performance)

  • E – Earnings (adequacy and sustainability)

  • L – Liquidity (ability to convert assets to cash and the likelihood of adequate cash to meet withdrawal demands)

  • S – Sensitivity (interest sensitivity—the ability to maintain a proper margin between rates paid on deposits and rates earned on loans and investments and a proper matching of maturities)

The frequency of a regulatory examination varies. It is based on the financial health of the institution and the bank rating.

The bank is rated from “1” (best) to “5” (worst) in each of these categories. There is also a composite rating, but it is not an average of the CAMELS factors. The examiners can weigh the factors.

Additional areas examined and rated are:

  • consumer protection regulation compliance,

  • information systems (IT), and

  • fiduciary activities (trust, mortgage servicing, etc.).

The FDICIA introduced the statutory requirement for annual examinations. The Riegle Community Development and Regulatory Improvement Act amended that requirement to provide that well-managed small banks will be examined every 18 months. State-chartered banks will also be examined by state examiners on a schedule established by state laws and regulations.

If an examination reveals a problem, the regulator can require a bank to achieve compliance in the identified area.

Some of the courses of action available to correct the problem include (in ascending order of severity):

  • The board will be required to pass resolutions instructing management to correct problems cited by the examiners.

  • The bank may be required to enter into an agreement with the regulatory agency to cure the cited problems.

  • The bank may enter into a memorandum of understanding (MOU) agreeing to correct the identified problem.

  • The regulators can also issue a cease-and-desist order (C&D) requiring the bank to cease and desist from some identified violation.

  • The regulators could require the removal of directors and officers and, ultimately, the closing of the bank.

Note

The board resolutions and agreement are not legally binding on the bank; however, the MOU and C&D are binding and can result in immediate legal action against the bank and its officers and directors. Failure to perform on resolutions and agreements leads almost inexorably to MOUs and C&Ds.

An enforcement action was created under FDICIA Section 39. It is known as a Request for a Compliance Plan. Section 39 contains the Standards for Safety and Soundness. These standards cover almost every aspect of a bank's activities. Although the title of the plan has the word “request,” it really is more of a demand.

If the examiners determine that the bank has violated a requirement of the standards, the regulatory agency can require the bank to develop a compliance plan to bring the bank into compliance with the provisions of the standards. If the bank fails to provide a plan, if the plan is not adequate to achieve compliance acceptable to the agency, or if the bank fails to execute the plan, the regulatory agency can go directly to court for a C&D order.

The Section 39 Compliance Order is a very powerful tool for regulatory agencies in enforcing corrective action requirements on the banks.

The work and findings of the examiner help the auditor set the scope of the audit. For example, the auditor can use the examiner's report as a source for identifying problem loans that should be reviewed during the audit.

The auditor should review the exam report and can talk with the examiner, particularly if the exam is complete but the report has not been issued yet.

During 1992, the Federal Reserve Board of Governors (FRB) and other federal bank and thrift supervisors issued a policy statement on coordination and communication between external bank auditors and examiners. This policy statement provides guidelines concerning information that should be provided by financial institutions to their external auditors and meeting arrangements between external auditors and bank examiners in connection with safety and soundness examinations.

The auditor must review the regulatory exam report. Otherwise, a scope limitation on the audit would exist.

AAG-DEP 5.218 – AICPA Audit and Accounting Guide


Study Question 11

The regulatory examination has a broad scope; however, auditors perform one type of testing that is not used by regulatory examiners. Identify the testing approach unique to the work of auditors.

A. Compliance testing related to consumer protection laws
B. Evaluation of management strength and depth
C. Examination of IT controls
D. Substantive testing of financial statement assertions

Chapter 3. Bank Financial Statements

This chapter discusses bank financial statements, including the preparation of balance sheets, income statements, statements of cash flows, and call reports. Management of cash flows to achieve profitability and liquidity is also discussed.


Reflecting the unique nature of its business and operations, bank financial statements differ from those of other commercial entities. In this chapter, we will examine the business of the bank as reflected in its balance sheet, income statement, and statement of cash flows. We will also examine another instrument of accountability, management's call report to regulators.

By the end of this chapter, you will be able to identify:

  • differences between bank financial statements and those of other commercial enterprises,

  • characteristics of periodic financial reports to regulators (call reports),

  • the importance of the call report to auditors, and

  • strategies banks use to manage assets and liabilities to ensure the often-conflicting objectives of profitability and liquidity.

Please see First National Bank Balance Sheet.

One of the first things you have probably noticed is that the balance sheet appears to be backwards. When auditors first see a bank balance sheet, they wonder why loans are on the asset side and why deposit accounts are liabilities.

If it helps, think of the loans as the bank's accounts receivable and the deposits as its accounts payable. A bank is liable for the money it receives from customers (deposits) and puts that money to work by lending and investing it (loans and securities).

One thing common to a bank's and a commercial entity's balance sheets is the arrangement of assets and liabilities in the order of liquidity. Let's study the assets in this order.


Most Liquid to Least Liquid

Cash and due from banks

The first item on the Balance Sheet, which is cash and due from banks, represents the most liquid assets of the bank. In our discussion of correspondent banking, we said the funds that one bank deposits in another are called due from banks on the balance sheet of the depositing bank. These funds are grouped here on the balance sheet with cash.

Note

The amount of cash you see on a bank's balance sheet will seem substantial compared to, let's say, the line item for cash on a commercial entity's balance sheet. Remember, though, the bank is in the business of receiving and paying cash. Banks are the primary and almost sole source of coin and currency for use in the commercial and personal world.

Interest-bearing deposits in other banks held by this bank

The next asset on the Balance Sheet is interest-bearing deposits in other banks, which is a deposit account subject to a waiting period for normal turnover but can be liquidated immediately (subject to penalties) if needed. This is almost always in the form of certificates of deposit (CDs) purchased from other banks. This is a rarely found use of bank funds.


Federal funds sold and securities purchased under resale agreements

The next item on the balance sheet is federal funds sold and securities purchased under resale agreements. As noted earlier, banks make short-term loans to each other through the sale of federal funds (Fed Funds). Another method of short-term lending is through reverse repurchase agreements (often called reverse repos). The second of these items may also be labeled securities purchased under agreement to resell.

Example

REPO: A bank agrees to purchase securities from a broker-dealer or another bank and sell them back at a future date at a specified price. The difference in price represents interest on the funds. (an asset; invests current idle funds)

REVERSE REPO: A bank agrees to sell securities and to buy them back at a future price at a future date. (a liability; generates current usable funds)


Trading account securities

As shown on the balance sheet, trading account securities are part of many banks' basic business activities. A bank that engages in this activity can sell certain kinds of securities (bonds, not stocks) to its customers, so it often carries an inventory of these bonds for sale. A bank can also buy and sell bonds for its own account to take advantage of market price changes; securities purchased for trading (trading account) are separated from bonds purchased for long-term investment (investment account). The amount of trading for its own account is subject to limitations under the Dodd-Frank Act and implementing regulations. The most important limitation is found in the Volcker Rule previously described. Trading account securities are not grouped with investment securities on the balance sheet because they are ‘goods for sale’ rather than interest-earning assets. In addition, current-day pricing requirements reduce their value in terms of planning to meet withdrawal demands. Current restrictions on trading must be determined in preparation for the audit because they are changed from time to time.

In a bank holding company configuration, trading in stocks and mutual funds is carried out in a nonbanking subsidiary of the holding company such as a brokerage.



Investment securities

Investment securities, as shown on the balance sheet, are not a temporary investment of idle funds as in a commercial entity, but are part of the bank's standard application of funds. These can also be readily liquidated in the market.

The portfolio of investment securities, however, is divided into two categories: held to maturity and available for sale. The significance of these categories and ASC 320, Investments, is discussed in Course 2. Regulations have enforced restrictions that make almost all investment securities ‘available for sale’ (“AVS”). Accounting rules and regulatory enforcement require that trading securities and AVS securities be marked to market (“MTM”) no less than monthly. The MTM transaction is a direct charge or credit to an equity account; it does not pass through the income/expense accounts.

Loans

Loans, the next asset item on the balance sheet, are the largest asset on the bank's balance sheet. Interest on loans is the primary source of the bank's revenue. If the bank makes or purchases leases, this category is titled Loans and Leases.

The allowance for loan losses (similar to a reserve for bad debts) is shown below gross outstanding loans as a contra account and the presentation shows the net loans balance.


Customers' acceptance liability

Bankers' acceptances are created when a bank agrees to pay, at a specified future date, a draft drawn on it for a specified amount; the draft is stamped “accepted,” evidencing the bank's commitment. Acceptances are rarely used in the 21st century, but if they are found on the balance sheet, they require special attention.

Bankers' acceptances are used to facilitate trade. The bank is liable for these short-term market obligations, but there are customers who are liable to the bank to pay these off on the maturity date. The bank's liability to holders for payment of the acceptances is absolute. The bank's claim on customers who agree to pay the bank for the issuance of acceptances is conditional on the customer's payment. Think of this as the bank's position in loans and deposits. Deposits must be paid regardless of whether the borrowers on loans repay. The loans are funded with money supplied by deposits but the bank must pay the depositors.

The balance sheet shows how customers' acceptance liability (an asset) is offset by the bank's liability to the holders of the acceptances, which is called acceptances outstanding (a liability). The amounts of these accounts are the same. The liability account is often called bankers' acceptances.


Other assets

You should already be familiar with the next two items, banking premises and equipment and accrued interest receivable, so we will skip them. Traditionally, a bank's expense for depreciation is significantly less than that of, for instance, a manufacturing company. As banks rely more on electronic activities, the investment in brick-and-mortar locations is falling more than the cost of computer equipment is rising.

Accrued interest receivable will be discussed later in sections related to the assets that create the receivables (loans and securities being the primary assets).

The final item shown in this part of the balance sheet, other assets, can include:

  • prepaid expenses,

  • other real estate owned (OREO), and

  • in some banks, Bank Owned Life Insurance (BOLI), an asset related to retirement benefits for senior officers. Audit work in this area is usually handled by staff with specialized skills.

OREO is real estate the bank acquires when it forecloses on loans collateralized by real estate. It can also include property the bank has acquired for expansion purposes. There are limitations on how long OREO can be carried. At the end of that time, the property is considered to be unsalable and must be charged off. Sales efforts can continue, and subsequent sales would be treated as a recovery. An account that is also found in the other assets category is repossessions. This will include collateral other than real estate that has been acquired on defaulted loans, such as cars, mobile homes, and boats. Foreclosures and repossessions are carried at fair value (“FV”); the balance of any loan exceeding FV at the time of foreclosure must be charged off to the allowance for loan and lease losses.

The allowance for loan losses is a valuation allowance for probable and inherent losses incurred in the loan portfolio. The allowance is comprised of both a specific component and a general component.

In determining the general allowance management segregates the loan portfolio by purpose and collateral type. For each class of loan, management computes a historical loss factor.

Management adjusts the historical loss factors for the impact of the following qualitative factors: changes in lending policies, procedures and practices, economic and industry trends and conditions, experience, ability and depth of lending management, level of and trends in past dues and delinquent loans, changes in the quality of the loan review system, changes in the value of the underlying collateral for collateral dependent loans, changes in credit concentrations and portfolio size and other external factors such as legal and regulatory.

Historically, specific allowances are determined as a result of the impairment process. When a loan is identified as impaired it is evaluated for loss using either the fair value of collateral method or the present value of cash flows method. If the present value of expected cash flows or the fair value of collateral exceeds the Bank's carrying value of the loan no loss is anticipated and no specific reserve is established. However, if the Bank's carrying value of the loan is greater than the present value of expected cash flows or fair value of collateral a specific reserve is established. In either situation, loans identified as impaired are excluded from the calculation of the general reserve.

CECL, or current expected credit loss, is a new accounting standard that has changed how financial institutions account for expected credit losses. We will not delve into all the intricacies here (that's for specialists on the audit). Basically, when each loan is made, a provision to the loan loss reserve is made to cover its loss potential. The amount is determined by characteristics of the loan (collateral, purpose, borrower's sector, etc.).


Study Question 12

Which of the following is an asset on a bank balance sheet?

A. Deposits
B. Fed Funds purchased
C. Loans
D. Securities sold under agreement to repurchase

Study Question 13

Which of the following would be presented first on (i.e., toward the top of) the asset side of the balance sheet?

A. Cash
B. Fixed assets
C. Investment securities
D. Loans

Study Question 14

A common form of borrowing and lending between banks is:

A. deposits.
B. due from banks.
C. Fed Funds.
D. trading account securities.

Study Question 15

Which of the following accounts would contain property that has been obtained through foreclosure and property purchased for a future branch location?

A. Acceptances outstanding
B. Bank premises and equipment
C. Investments
D. Other real estate owned

This subchapter examines the liability side of the balance sheet and stockholders' equity. We will review the accounts in the order they appear on the balance sheet. Let's start with liabilities.

The first item of liabilities on the Balance Sheet is deposits. The different types of deposit accounts are presented in order of the likelihood they will be immediately withdrawn. Think of it as reverse liquidity.

As you see on your sample statement, noninterest-bearing deposits, which include demand deposit accounts, are listed first. They are called demand deposits because the funds can be withdrawn upon demand. The bank lingo is often DDA, for Demand Deposit Accounts.


The category non-interest bearing deposits includes several types of accounts. Negotiable order of withdrawal (NOW) accounts (interest checking) are listed first because customers tend to leave money in these accounts longer to draw the interest.

Money market deposit accounts (MMDAs) are interest-bearing accounts. The depositor in an MMDA is limited to six withdrawals per month, but the entire balance can be withdrawn in any one of the six.

Savings accounts cannot be drawn down by checks. They are subject to a period of notice before withdrawal, but this requirement is seldom enforced.

Most time deposits are certificates of deposit (CDs) that have fixed maturity dates ranging from seven days to several years.


Deposits up to $250,000 are FDIC insured. CDs of $100,000 and over, called jumbo CDs, are shown separately because they often have short maturities and move out of the bank at maturity. They are sometimes called hot money. If they are withdrawn prior to maturity, they are subject to significant penalties.

Note

If jumbo CDs are acquired from third-party brokers instead of directly from a bank customer, they are called brokered deposits. There is a very active market for these deposits, and many banks, particularly larger banks, rely on these jumbos as an important part of their asset and liability management and their net interest management, tying their jumbo CDs to their longer-term fixed-rate loans.

Some banks report deposits on published financial statements in the broad categories of interest-bearing and non-interest-bearing (domestic and foreign) on the face of the balance sheet without breaking down the subsets of interest-bearing accounts.


The next item on the balance sheet is federal funds purchased and securities sold under repurchase agreements. Just as some banks lend to other banks on a short-term basis (Fed Funds Sold), some borrow on that basis, so Fed Funds purchased and repos are liabilities.

The next item on the balance sheet, acceptances outstanding, was explained earlier when we discussed customers' acceptance liability on the asset side. This is the absolute liability to the holder of the acceptance on the date of maturity. Effectively, the bank has advanced its credit for the benefit of a customer. If the customer defaults on paying its obligation to the bank (Customer's Liability for Acceptances), the bank is still liable for the payment of the acceptance.

The next two categories of liabilities on the balance sheet are long-term borrowings and other liabilities. Long-term borrowings are similar to those of other entities.

Other liabilities include accrued interest payable on deposit liabilities and accrued expenses. Though interest-bearing deposits make up the largest part of the bank's liabilities, long-term borrowings can be a significant item.

The next section of the balance sheet, which is stockholders' equity, contains the following items: Capital stock; Capital surplus; Market value adjustment of securities available for sale; and Retained earnings.

As shown on the balance sheet, the capital accounts of a bank are slightly different from those of commercial entities. The bank's surplus accounts are more than just the excess of paid-in capital over the par value of stock. As you will see later in the course, surplus is subject to rigid controls by regulatory agencies. The adjustment for mark to market (MTM) on securities available for sale is another equity account that is unique to banks and similar entities. This account will include the adjustment for debt securities with other than temporary impairment losses.

Retained earnings are regularly transferred to the surplus account in order to increase regulatory capital so the bank may increase the amount it can lend.

Limitations

Regulatory requirements define the use of capital accounts:

  1. No transfers can be made from the surplus account back to retained earnings without the advance approval of the bank's primary regulator.

  2. Dividends cannot be paid from the surplus account.

  3. There are restrictions on the amount of surplus that must exist, relative to the capital stock account, before dividends can be paid.

Now that we have reviewed the balance sheet items, let's step back and note three unique characteristics of the balance sheet.

  1. First, as we have already discussed, presentation of certain elements of the balance sheet seems backward compared to non-banking entities' balances.

  2. Second, as you may have noticed, the bank balance sheet is not classified overall into current and non-current assets in the same fashion as most commercial entities. While those headings are not found, the assets are arranged in the order of liquidity. That is, cash is the most liquid; balances due from other banks (like cash in banks in a commercial balance sheet) are next; securities are next because they can be liquidated quickly; then come loans, which cannot be turned into cash as fast as cash, due-from-banks balances, and securities. On the liability side, the listing is based on the order of withdrawal liquidity. Checking accounts are immediate, savings are subject to short delay, and CDs (time deposits) are subject to maturity dates.

  3. Third, the equity-to-assets ratio of a bank is much lower than ratios seen in other businesses. This is because the bank's assets—cash, investments, loans—are funded primarily by customers' deposits, not by equity.

Note

Bank regulators are focused on seeing that deposits are used for authorized investments that generate profits while, at the same time, minimizing the risk of loss.

Study Question 16

Which of the following is found at the top of the liabilities on the bank's balance sheet?

A. Accounts payable
B. CDs of $100,000 and greater
C. Demand deposits
D. Savings deposits

Study Question 17

Which of the following is a noninterest-bearing account?

A. Demand deposits
B. NOW accounts
C. Savings accounts
D. Time deposits

Please see First National Bank Income Statement.

We will discuss accounting treatments of income and expense items later in this course and in Course 2.


As you have seen, the bank's income statement differs significantly from that of a commercial enterprise. The unique presentation form of the bank's income statement is referred to as the net interest concept.

The top half of the income statement contains amounts of interest earned and interest paid. If you think of money as the bank's product, this format is similar to the gross profit section of a manufacturing company's income statement (i.e., sales less cost of goods sold).

The interest income items on the income statement show the major sources of interest income and help the reader relate them to the degree of risk inherent to each source.

The interest expense categories are deposits and borrowed funds.

Net interest income, or interest margin, comprises the major source of funds from the employment of money in deposit and lending/investment activities. As a generalization, net interest margin is to banks as gross profit is to commercial entities.

The Income Statement also contains the provision for credit losses and the balance sheet contains the related allowance for credit losses account. The provision for credit losses is similar to the bad debt expense account in the income statement of other enterprises. However, lending is a primary business line for banks and, as a result, the provision and the related allowance are significant items for a bank.

The terms allowance for loan losses or loan loss reserve are often used to refer to the allowance for credit losses.

Caution

Tax treatment related to the allowance for loan losses

For banks, the treatment of bad debt expense is subject to complex tax treatment. In addition, the IRS's allowable tax deduction for bad debt expense is significantly contradicted by the bank regulators' requirement to maintain an adequate allowance for loan losses. Bank examiners may require the charge-off of loans that are not yet failing to pay. These regulatory charge-offs will not be available as tax deductions unless and until they are formally recognized as losses. The examiners focus on them as being of “less than bank quality.” Often the accounting rules for troubled debts drive the examiners' assessment.

Given the tax situation, the auditor must be sure that the transactions in the allowance for loan losses and charges to the bad debt expense can be clearly identified: specific charge-offs are reductions of the reserve, and reserve additions increase the amount of the loan loss reserve on the income statement. Only specific charge-offs are available for tax deductions.

Other tax requirements concern the bank's interest income on tax-exempt securities and the bank's expense on deposits (as shown on the income statement). This is a complex tax issue, but a brief explanation of the issue will help.

You are familiar with the tax principle that a taxpayer cannot take an interest deduction for the expense on a debt when that debt is incurred to purchase or carry tax-exempt securities. This principle is based on the argument that it is not proper to get a deduction when the debt is used to produce income that is not taxable; it would effectively be a double deduction.

The same principle has been applied to the interest the bank pays on deposits where those deposits are part of the funds used to purchase and carry the bank's portfolio of tax-exempt securities. Therefore, the deductibility of interest on deposits is directly related to the income received on tax-free securities.

The effect of this tax treatment is not shown in the income statement; it is found in the bank's tax return and thus in the provision for taxes.


The income statement's sources of other income for a bank other than interest on investments and loans include revenue from:

  • service charges on deposit accounts,

  • credit card fees,

  • trust services, and

  • securities trading.

Note

Income is classified by function. The categories for other expenses are the same as those for a commercial entity. Bank expenses are classified by general use (personnel, occupancy, etc.).

Study Question 18

The difference between the interest income and the interest expense categories is:

A. gross interest.
B. net before taxes.
C. net income.
D. net interest income.

Study Question 19

Net interest income generally can be compared to which of the following on the income statement of a commercial entity?

A. General and administrative
B. Gross profit
C. Gross revenue
D. Net before taxes

Now let's review First National Bank's statement of cash flows, which characterizes the bank's sources and uses of funds. It uses the indirect method, which reports net cash flow from operating activities indirectly by adjusting net income.

Under the requirements of Topic 230 of the FASB Codification standards, cash receipts and cash payments are classified on a statement of cash flows as resulting from investing, financing, or operating activities.


Be aware that many believe the classifications required by Topic 230 are not relevant to a bank. The background information for Topic 230 notes that many banks believe they make money through lending activities, which makes cash the product of a bank's earning activities just as finished goods are the product of a manufacturer's earning process. However, the unique product of a bank does not exclude the entity from needing cash for essentially the same reasons a manufacturer does; banks must prepare a cash flow statement in the same manner as any other entity.


Statement of Cash Flows

The following lists illustrate some examples of cash inflows and outflows for a bank and their related classification on the statement of cash flows.

Note

Cash inflows:

  • Checking and savings accounts deposits (financing, net of withdrawals, shown as outflow if withdrawals exceed deposits)

  • CDs issued (financing, net of repayments, shown as outflow if repayments exceed issuances)

  • Securities maturing and sold (investing)

  • Loans maturing and repaid (investing, net of loans made, shown as outflow if new loans exceed collections)

  • Short-term funds borrowed (financing, Fed Funds, repos)

  • Debt issued (financing)

Note

Cash outflows:

  • Checking and savings accounts withdrawals (financing, net of deposits, shown as inflow if deposits exceed withdrawals)

  • Certificates of deposit matured (financing, net of issuances, shown as inflow if issuances exceed repayments)

  • Securities purchased (investing)

  • Loans made (investing, net of collection, shown as inflow if collections exceed new loans)

  • Short-term lending (financing, Fed Funds, reverse repos)

  • Debt of the bank repaid (financing)

Study Question 20

Which of the following is a cash outflow?

A. CDs matured
B. Funds borrowed
C. Loans maturing and repaid
D. Securities maturing and sold

Study Question 21

In the statement of cash flows, which of the following is found in the investing activities section?

A. Gain/loss on sale of investment securities
B. Issuance of long-term debt
C. Net increase/decrease in deposits
D. Net increase/decrease in loans

Study Question 22

An inflow of cash would result from which of the following?

A. A decrease in demand deposits
B. An increase in loan payments
C. An increase in new loans made
D. An increase in the redemption of CDs



Banks must make periodic reports on their financial condition to the governmental agencies that oversee them. In the past, these reports were requested on a surprise basis and consequently earned the name call report. Now, reports are required at each calendar quarter-end. Civil money penalties can be assessed against the bank or any officer, director, or employee if the bank fails to prepare and submit its call report or submits false or misleading information.

Because call reports are helpful in planning an audit as well as performing analytical reviews, this subchapter briefly reviews them.

The call report is a comprehensive document that includes schedules covering the following:

Note

Because of the regulator's regular demand for information, many banks maintain the general ledger records in a structure that provides easy compilation of call reports. Bank examiners review the bank's call reports and vouch them back to the general ledger; this is analogous to the auditor's work to verify published financials to the general ledger. However, the auditor's flexibility is deemed to be greater than the accounting knowledge of bank examiners. This is particularly true of small banks that are not required to file Form 10-K and other SEC reports.


In the past, call report accounting requirements differed widely from generally accepted accounting principles (GAAP). As such, they were referred to as regulatory accounting practices (RAP). Today, you will continue to find some regulatory accounting practices that differ from GAAP; however, the Federal Deposit Insurance Corporation Improvement Act of 1991 mandated that regulatory reporting must, at a minimum, meet GAAP. The regulators have worked to minimize RAP/GAAP differences largely to mitigate reporting issues in bank-unique matters.

The call report is a significant source of information for the auditor planning the audit. Management is not prohibited from giving the auditor access to call reports.

For example, the schedules in the call report give the auditor detailed information about the makeup of risk assets (loans and securities) as well as commitments and off-balance-sheet transactions. The call report also contains schedules on insider borrowings, significant personnel changes, interest sensitivity, and liquidity.


Study Question 23

Call reports are used to report the bank's condition to:

A. bank regulatory agencies.
B. public accountants.
C. the board of directors.
D. the Securities and Exchange Commission.

Study Question 24

Which of the following statements concerning the auditor's use of call reports is true?

A. The auditor may use the call report to assist in audit planning.
B. The auditor must render an opinion on the fairness of presentation on the bank financial position as reported in the call report.
C. The auditor must see that footnotes on the differences between RAP and GAAP are included in the financial statements.
D. The call report is a confidential report from the bank to its regulators and the auditor is not allowed access to it.

This subchapter examines how the bank manages cash flow to achieve profitability and liquidity.

The following are the bank's sources and uses of cash:

| Sources of Cash | Uses of Cash |
| --- | --- |
| New deposits | Withdrawals |
| Borrowings | Payments on borrowings |
| Sales of assets | Maturity of deposits |
| Return on assets | Assets purchased |
| Service-fee income | Expenses |
| Capital infusions | Dividends |
| Loan payments | Loan funding |
| Interest payments (loans) | Interest payments (deposits) |

Let's briefly review some of the terminology we have just used.

Borrowings: Fed Funds purchased and securities sold under agreement to repurchase.

Sales of assets: The sale and maturity of investment securities, sale of loan participations, and repayment of loans.

Service fee income (also called noninterest income): Income sources that are not associated with interest-bearing assets (e.g., service charges on checking accounts, trust department fees, safe deposit box rentals).

Assets purchased: Investment securities acquired, loan participations purchased, and loans made to borrowers.

As cash flows through the bank, management invests it to provide a profitable difference between the amount of interest earned from assets (loans and investments) and the amount of interest paid on liabilities (deposits and borrowings). This difference is the interest rate spread. Exposure to changes in interest rates is interest rate risk.

A vivid 2023 example of the effect of a negative interest rate risk was Silicon Valley Bank (SVB). SVB had a heavy concentration of deposits from tech-related funds, largely start-ups. The bank thought it was being prudent by having a low loan-to-deposit ratio to maintain liquidity. The bank invested the greatest portion of its funds in US government securities, considered as safe as cash. The bank bought major holdings of such securities in the period leading up to 2022. At that time, interest rates were at historical lows. Beginning in 2022, the Federal Reserve began aggressively raising interest rates to fight inflation. Then, in early 2023, significant deposit withdrawals were being made as start-ups needed their money, and the bank needed to sell securities to raise cash. Ordinarily, this would be a perfectly normal event in a bank.

The problem for SVB was that the securities it purchased at par (face value) with then-current low interest rates now had to be sold at a discount. The discount was needed so that purchasers would be able to earn current-rate income on their purchases regardless of the coupon rate (the original rate on the bond). The sale of billions of dollars of UST securities at discounted values meant that SVB incurred losses on the sales. When the word got around that SVB was incurring such large losses, other depositors began withdrawing their money in panic, so additional sales were required and more losses resulted.

This is a classic case of a ‘run on the bank.’ The FDIC and the California Banking Department had to step in and close the bank. SVB was immediately purchased by a large bank, and the FDIC has to shoulder the loss value on the remaining securities that were ‘underwater’.

If the interest rate spread were negative, the bank would have an interest rate mismatch. The following is a simplified spread analysis (in millions):

| Earning Asset | Amount | Rate | Liability | Amount | Rate |
| --- | --- | --- | --- | --- | --- |
| Fed Funds sold | $2.10 | 9.85% | Deposits | $89.70 | 7.25% |
| Investments | $42.30 | 10.50% | Fed Funds purch. | $2.30 | 9.75% |
| Loans | $50.40 | 12.00% | Long-term debt | $1.00 | 9.00% |
| Avg. rate earned | | 11.28% | Avg. rate paid | | 7.33% |

The interest rate spread (average rate earned – average rate paid) is a positive 3.95%.


The bank also faces the issue of liquidity because it must have adequate cash available for customer withdrawals and loan applications. Using the same balance sheet model, let's examine potential liquidity exposure.

Examine the proportion of liabilities that could demand cash quickly (deposits + Fed Funds purchased = $92 million) compared to the assets that can be converted to cash quickly (Fed Funds sold + investments = $44 million). Consider that investment securities could have a market decline and sell for less than their book value.

Comment

You can see why it is a challenge to balance rate spreads and cash demands and, at the same time, earn a profit and meet liquidity requirements.

A bank manages rate spreads and liquidity requirements by matching the rate sensitivity and maturities of its assets and liabilities. In the process, management monitors:

  • the weighted-average maturities of loans and securities,

  • the weighted-average maturities of deposits and borrowings,

  • the market value of securities owned,

  • the weighted-average rates earned on loans and securities, and

  • the weighted-average rates paid on deposits and borrowings.

Let's examine some strategies management might use.

Let's say the bank has a high level of short-term deposits. In this case, it would not want a high level of long-term loans and securities. Why not? A maturity mismatch would occur because the funds (deposits) supporting the assets (loans) would mature before the loans. The issue is more complex than it appears: what matters is not simply how much is outstanding in loans but what cash flow those loans produce. Consider the difference between a portfolio in which all of the loans are payable at maturity only and a portfolio in which a great percentage of the loans make monthly payments. The cash flow from those monthly payments makes a significant difference in the funds available to meet deposit withdrawals.

A strategy the bank might consider is to maintain competitive interest rates on deposits to hold them in the bank. To do this without a loss of profitability, the bank must be able to change the rate on loans as quickly as the rates on deposits (particularly CDs) change. It can do this by making loans that have adjustable interest rates instead of fixed rates.

The following are other strategies for managing assets and liabilities:

  • If the bank has a high level of short-term deposits (demand deposits and large CDs), it might want to attract short-term commercial loans (e.g., seasonal working capital loans) to obtain equilibrium in the balance sheet and the income statement.

  • If the bank needs more long-term deposits, it should market long-term consumer CDs; these deposits are not likely to move because of long maturities and early withdrawal penalties.

  • If the bank has significant long-term consumer CDs at fixed rates, it might want to attract longer-term loans (e.g., auto loans) to match the maturities and interest rates on such CDs.

In addition to the strategies we have seen, the bank can also artificially extend the maturities of its assets and liabilities and reduce interest rate risk by using complex financial instruments such as futures, options, and interest rate swaps. It can ‘insure’ the investments and the loan portfolio against credit losses with credit default swaps (CDS). That device was used heavily by large banks in the period leading up to the crisis of 2008. On the other hand, the use of CDS became a major hazard because the assurance that a CDS would pay off a bad loan can lead to looser credit standards. Therefore, an auditor should consider the implications of the bank buying a significant amount of CDS instruments.

The bank must also cover operating costs. This is done with the net interest rate spread plus noninterest income. To this end, it strives for a steady flow of noninterest revenue that does not fluctuate with interest rates by offering services such as the following:

  • Trust departments

  • Lockbox and cash management services

  • Credit cards (annual fees)

  • Traveler's checks and money orders

  • Safe deposit boxes

  • Life, accident, and health insurance (related to loans made)

  • Credit life, accident, and health insurance

  • ATM fees and other service fees

  • Commissions and gains on securities sales

  • Service charges on deposit accounts

As you perform the audit, be aware of pressures on profitability and liquidity and their impact on the bank's operations. One of the major problems in banks was the use of derivatives beginning in the mid-1990s and reaching great levels in the first and second decades of the 21st century.

Some bankers attempted to hedge interest rate risks and maturity gaps with investment vehicles that embodied substantial risks. In a number of cases, management did not understand the nature of these risks and entered into ill-advised investments. In some cases, banks sold derivative instruments to customers without fully exposing the principal risk to purchasers. Some banks incurred substantial losses in court over these sales.


Chapter 4. Planning the Audit

This chapter explains audit planning factors related to banks. Specific subjects include audit risks, objectives, and procedures as well as an explanation of internal control considerations and internal auditing in banks.



The purpose of the audit is the same for banks as for other entities—to express an opinion on the financial statements and on the internal controls over financial reporting in place as found in the audit. The rest of the audit plan, however, reflects the unique characteristics of the banking industry. In this chapter, we will examine audit planning and internal control considerations for banks.

This chapter identifies:

  • planning considerations for bank audits, including inherent risk, internal controls, audit objectives, and procedures;

  • the basic elements of the internal control structure and their importance to the bank audit; and

  • the objectives of the work of internal auditors and their relevance to the external auditor.

The audit plan is directly dependent on the risks inherent to the function being audited. This subchapter describes the risks inherent to banking that the auditor must consider when planning and performing a bank audit as well as the scope and timing of the audit and reliance on internal audit work.

Banks have the same risks as other entities—errors in calculations, economic downturns, obsolescence of product offerings and equipment; but there are some risks to which banks are more sensitive.


As of June 1, 2017, the PCAOB adopted a change in Standards that will affect the reporting on the audit. That change requires the auditor to cite CRITICAL AUDIT MATTERS (CAMs) as part of the auditor's report. The requirement states that the auditor should describe the CAMs and report on the findings on those matters.

Why is that issue listed here? The auditor makes the identification and scoping plans an integral part of the audit planning process. CAMs must be identified. Appropriate resources must be assigned to those issues. Data collection and organization will be important to the reporting process and support of the auditor's statements on these issues.

Therefore, the engagement partner and the team members must keep these issues in the forefront of their thinking throughout the audit even when there are no negative findings. The fact that there were no negative findings in the CAMs is a reportable factor.

Finally, remember also that additional CAMs may arise during the audit. A finding that indicates a possible critical matter must be communicated to the engagement partner as rapidly as possible. The engagement partner must officially sanction it as critical and make the appropriate adjustments in the audit plan.

Banks are sensitive to changes in the general economy and in the geographic market area of the bank. In many respects, banks experience the negative effects of an economic downturn sooner than other businesses because of the sensitivity of transactions between banks and effects on securities markets. In an economic downturn, borrowers are more likely to default on loans while, at the same time, depositors may need to draw down their savings. In addition, the effects will last longer because of lingering effects on some borrowers that may be slower to recover than the general public.

Banks operating in more than one nation are affected by currency fluctuations. Radical changes in economic activity cause unusual movements in the relationships of different currencies. The bank's positions in multiple currencies can result in profits in one currency and losses in another. Settling transactions for customers who trade across national borders often leads to their banks being caught in the middle of currency exchange gains and losses.

The expansion of bank-affiliated companies (sister entities) into fields such as investment banking has brought extreme pressure on all segments of the holding company, including the bank. Clear evidence of this fact was seen in the financial crisis beginning in 2008, during which the largest banks were ‘bailed out’ through the TARP program and other government initiatives. The crisis was precipitated by banks' activities in previously non-banking products like mortgage-backed securities, collateral-backed securities, credit default swaps, and derivatives. The Dodd-Frank Act addressed a number of these risks. Amendments to Dodd-Frank have watered down a number of these provisions, and the risks in proprietary trading and other related activities have risen. Currency fluctuations were dramatic in the election and implementation of BREXIT, the exit of Britain from the European Common Market.

The inherent risks in banking are particularly significant in the following areas:

  • Asset-quality risk: Loans, securities, derivatives and other assets will not be repaid or will lose value.

  • Interest rate risk: Adequate spreads between rates earned and paid will not be maintained.

  • Liquidity risk: Assets cannot be converted to cash as rapidly as depositors demand cash.

  • Fiduciary risk: These are risks associated with the custody and management of the assets of others.

  • Processing risk: These are risks arising from the large transactional volumes in banks and computer processing which is amplified by the demand for timely processing and settlement of obligations.

Note

Banks are exposed to other common types of risk, but most bank failures stem from the inability to manage asset-quality, liquidity, and/or interest rate risks.

For a thorough description of risks (in the banking industry) and bank audit planning, consult the following PCAOB and AICPA publications:

  • AICPA Audit and Accounting Guide, Depository and Lending Institutions (AAG-DEP)

  • PCAOB Auditing Standards AICPA Audit Guide, Assessing and Responding to Audit Risk in a Financial Statement Audit (AAG-ARA)

  • Auditing Standard 1101 Audit Risk and 2105 Consideration of Materiality in Planning and Performing an Audit; 2301 The Auditor's Responses to the Risks of Material Misstatement; 2305 Substantive Analytical Procedures; 2310 The Confirmation Process; 2315 Audit Sampling

  • Auditing Standard 2503 Auditing Derivative Instruments, Hedging Activities, and Investment Securities

  • Auditing Standard 2401 Consideration of Fraud in a Financial Statement Audit

  • BE AWARE: The Financial Accounting Standards Board (FASB) issued the current expected credit losses (CECL) standard – ASU 2016-13 – on June 16, 2016. This accounting requirement is effective 1-1-2019. The details of implementation continue to evolve even into the 2020s.

Risks arise from many factors. All of these items are evaluated when considering asset-quality risk. Asset-quality risk is the most significant risk to banks and may increase for the following reasons:

  • Improper lending procedures, principally declining credit standards

  • Changes in the national, regional, local, or international economy

  • Changes in the status of a particular industry when a bank has a concentration of loans in that industry or to persons whose ability to repay is affected by that industry

  • Excessive loan concentration to specific borrowers, industries, or geographic areas

  • Excessive concentration of depositors who might panic and create a run on the bank (a concentration of CD holders who may flee to higher-interest-paying banks when rates rise sharply, notably senior citizens who rely on interest income, or similar deposit groups that may panic upon rumors and withdraw their deposits)

  • Insider transactions

  • Deterioration of the creditworthiness of the borrowers after the loans are made

  • Accelerated prepayment of assets when interest rates fall, increasing the percentage of lower quality loans (The best borrowers are in a position to take advantage by seeking loans at other lenders and making early payouts; weaker borrowers are less likely to secure lower priced credit at other sources.)

  • Reliance on artificial means (e.g., derivatives) to ‘insure’ against loss, rather than the exercise of prudent judgment in establishing credit exposure, currency exposure, or interest exposure. That is, loans are made and securities are purchased with high credit risks, and the risks are thought to be offset by the purchase of credit default swaps (insurance), but the issuer of the credit default swap (the insurer) is not able to honor the swap when the loans/securities go bad

Interest rate risk occurs when the bank's assets and liabilities are mismatched; for example:


  • Liabilities are on short maturities but assets are on long maturities so liquidity is at risk;

  • Liabilities are in floating rates (often created by short term liabilities like CDs that reprice at maturity) but assets are at fixed rates;

  • Earnings rates in future periods become insufficient to cover expense rates; and

  • Interest rates are set without adequate analysis because interest rate swaps (insurance) are purchased but the issuer of the interest rate swap instrument (the insurer) is not able to pay when rate changes result in a claim.

If rates rise and management has not planned appropriately, the bank may pay higher rates for funds, leading to lower profit margins—even losses.

Fiduciary risk includes activities such as servicing collateral-based securities and managing mutual funds and trust accounts.


Planning considerations other than inherent risk

The nature, timing, and extent of audit procedures are based on the scope of the audit engagement. Before the audit begins, the scope of the services to be performed should be agreed on in writing with the bank.

This becomes particularly important in larger banks and bank holding companies, which have requirements for reporting on internal controls and compliance with certain laws and regulations under Section 36 of the Federal Deposit Insurance Corporation Improvement Act of 1991. The engagement for an auditor's independent reporting on these statements carries the scope of the audit beyond traditional financial statement scope considerations.

The passage of Sarbanes-Oxley and the implementation of the PCAOB Standards brought the emphasis on internal controls to all audits.

Standing above all else is the need for the auditor to understand all of the tools used by management to mitigate risks; particularly when the tools relate to transfer of risk (the use of derivatives) rather than employment of prudence in the creation of risk. For example, prudent risk underwriting in making loans is a better tool than sloppy underwriting and buying a credit default swap to ‘insure’ the loan. The same is true with purchases of investment securities. Making a loan or buying a security with a higher than average interest rate return and buying a credit default swap to insure against loss is not prudent banking.

RULE: The higher the return, the higher the risk (e.g., the higher interest rate paid by a debtor that cannot obtain credit elsewhere for a lower rate).

The timing of audit procedures is important to attaining the audit objectives. In most banks a large portion of the work is conducted at one or more interim dates. (In virtually all banks, the fiscal year coincides with the calendar year.)

The complexity of a bank's operations makes it advisable to perform as much work as possible at interim dates. An audit team will have a difficult time performing all procedures at a single point in time, particularly at calendar year end, even in the smallest bank.


The planning of the audit should also take into consideration the availability of the bank's internal auditors. They can provide valuable assistance in conducting audit tests and allowing easier access to the bank's records and functions.

When an outside auditor decides to rely on the work of internal auditors, the most important professional guidance to comply with is PCAOB Standard 2201, paragraphs 16-19, and Standard 2605.


Study Question 25

To operate a bank successfully, management must control a number of interdependent activities. Which of the following is a condition that can have a negative impact on the profitability and success of a bank?

A. Loans are made to customers only after thorough examination of the creditworthiness of each borrower.
B. Operating costs are well controlled and well managed against available income sources.
C. Rates received from investments and loans are equal to or less than rates paid on deposits.
D. The maturity of loans and investments is reasonably matched to the maturity of deposits.

Study Question 26

Inherent risk in banking arises from both external and internal conditions. Which of the following is an internal condition that affects inherent risk in bank operations?

A. Decrease in the general rate of savings in the economy
B. Excessive concentration of credit
C. Increased unemployment
D. Rising interest rates

Study Question 27

Bank A has a large proportion of its deposits in large certificates of deposit (CDs) and a large proportion of its loans in adjustable rate mortgages on residential real estate. The bank is primarily exposed to which of the following risks?

A. Asset-quality risk
B. Fiduciary risk
C. Interest rate risk
D. Liquidity risk

Study Question 28

Which risk is affected by improper lending procedures, changes in the economy, undue loan concentration, and deteriorating circumstances of borrowers?

A. Asset-quality risk
B. Fiduciary risk
C. Interest rate risk
D. Liquidity risk

Two aspects of audit planning—audit objectives and initial procedures, including sampling and client representation

The engagement partner who is planning the audit develops audit objectives for accounts to be examined. The following are examples of objectives for bank assets. The auditor wants to determine that:

  • assets presented exist and are held for use in the normal course of business unless otherwise identified and segregated (existence or occurrence);

  • asset quantities include all items on hand (or that are held by others for the bank's account) or in transit, and the subsidiary trial balances and records are accurately compiled and agree to control totals (completeness);

  • the bank has legal title or similar rights to all assets and that bank assets do not include customer collateral or other valuables held in a fiduciary capacity (rights and obligations);

  • assets are properly stated at cost (except where market or other valuation is appropriate to the circumstances) and that assets are reduced, if necessary, to fair value or estimated net realizable value (valuation or allocation); and

  • assets are properly categorized in the balance sheet, that major categories of asset groups and the base of valuation are adequately disclosed, and that any pledging or assignment of assets is disclosed (presentation and disclosure).

Planning for the audit increasingly calls for advanced knowledge of:

  • the bank's capital condition under regulatory rules and any regulatory restrictions related to capital compliance (such as regulatory enforcement orders);

  • the findings of all regulatory examinations since the last audit;

  • the explanation of differences between generally accepted accounting principles (GAAP) and regulatory accounting practices (RAP) financial reporting positions;

  • factors influencing inherent risk;

  • the basis for management's weighting of assets in computing regulatory capital;

  • the volume and complexity of off-balance-sheet transactions;

  • past disagreements with regulatory agencies about classification, risk weighting, or other interpretations of RAP or their application of capital regulation;

  • any poor CAMELS rating;

  • frequent call report corrections; and

  • unusual, material, or frequent related-party transactions.

Note

The auditor must also obtain an understanding of the entity and its environment, including internal control and the degree of substantive testing that is indicated by these preliminary evaluations.


Sampling



As in all audits, the use of sampling lets the auditor draw conclusions on large numbers of accounts or assets without testing each item.

In a bank audit, attribute sampling is often used and is applied to deposit accounts, consumer loans, and credit card accounts as well as commercial loans (using stratified samples). However, the auditor may employ more modern approaches using data mining with computer systems. This will provide better insight into general conditions and outliers in the files than the practice of statistical sampling.

PCAOB 2201 Para 75-77 requires that written representations be obtained from the client on certain matters. In the banking environment, these representations generally relate to:

  • contingent assets and liabilities;

  • the adequacy of the provision for losses on loans, leases, and securities;

  • the adequacy of liabilities accrued for payment of interest on deposits and debt;

  • proper reporting of permanent declines in investment securities;

  • proper disclosure of commitments to lend, commitments to purchase and sell securities, and commitments to meet obligations under letters of credit, both oral and written;

  • the auditor's procedures are not part of management's assessment of the effectiveness of internal controls;

  • management has described material or management fraud that has occurred; and

  • management has described any subsequent events that bear on the statements being opined by the auditor.


Study Question 29

Which of the following approaches is the best method for obtaining conclusions regarding the total loan portfolio?

A. Ask management to make a representation on the loans.
B. Bring in a large staff of auditors to examine every loan.
C. Institute a plan for sampling loans to project the findings of the sample.
D. Request an evaluation of the expertise of the lending and support staff.

Section 363.4 of the Federal Deposit Insurance Act (FDI Act) requires that the bank file designated regulatory Annual Reports within 90 days of year-end.

Quote

...an annual report containing audited financial statements, the independent public accountant's report thereon, management's statements and assessments, and the independent public accountant's attestation report concerning the institution's internal control structure and procedures for financial reporting as required by sections 363.2(a) and 363.3(a), 363.2(b) and 363.3(b), respectively... and the accountant's attestation concerning compliance with laws and regulations pursuant to 363.3(b)...

The burdens of this requirement have a heavy impact on the planning for the audit. The terms of engagement for the attestation on internal controls are covered by SSAE 10. The promulgation of PCAOB 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements has resulted in an audit and audit report that largely replace the previous requirement.

AAG-ARA and Auditing Standard 2201 provide general guidance on internal control. Specific guidance on internal control in banks is found in AAG-DEP 18.13. Appendix A of AAG-DEP is an in-depth discussion of audit and reporting requirements mandated by the FDI Act. Of greatest importance, PCAOB Auditing Standard 2201 covers the integrated audit of financial statements and internal controls over financial reporting.

If the bank is an issuer under SEC rules, it is subject to the Sarbanes-Oxley Act of 2002 and all the issues of internal control flowing from that act. (That material is too extensive to discuss here. The auditor will also be required to know the requirements of PCAOB Auditing Standards 1215 Audit Documentation and 2201 and Rule 3101.) Though a given bank (often a small bank) is not subject to the SEC reporting rules under SOX, most CPA firms will employ the same audit procedures in all companies in the same industry.

This material should be required reading at the beginning of the audit planning process. The auditor's expanded role in attestation to management statements on internal control and compliance with designated laws and regulations goes far beyond the responsibilities in other commercial enterprises.

The internal control structure has five components as described in the COSO Study. These components are: control environment; risk assessment; control activities; information and evaluation; and monitoring.

In planning and performing an audit, the independent accountant should obtain an understanding of each of these five components of internal control and how a specific control prevents or detects and corrects material misstatements in relevant assertions. Audits of depository and lending institutions are subject to Auditing Standard. The auditor should be familiar with the discussions in AAG-ARA and PCAOB Auditing Standard #2201.


The control environment

Auditing Standard 2201 defines the control environment as setting the “tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.” However, Auditing Standard 2201 makes it plain that COSO is to be used to assess internal controls in a financial audit.

The factors encompassed in the control environment are:

  • integrity and ethical values,

  • commitment to competence of personnel,

  • participation of those charged with governance,

  • management philosophy and operating style,

  • organizational structure,

  • assignment of authority and responsibility, and

  • human resource policies and practices.

Unlike other entities, banks post their general ledger entries every day and reconcile subsidiary trial balances to the general ledger controls daily for major accounts. Reconciliations should be followed through to the clearing of all reconciling items in a timely fashion. A clear signal of control problems is the failure to reconcile and/or clear reconciling items on a timely basis. In many/most banks the reconciliation of subsidiaries to the general ledger is an automated function. However, someone must be assigned to review the results of that reconciliation process. It is designed to spotlight differences as much as to assure cleared reconciliations.

Reconciliations should be performed by independent personnel. In virtually all computer systems there are programmatic procedures that perform automatic reconciliation of major subsystems (deposits, loans) to their general ledger control totals. In small banks, if an independent review of the reconciliation report cannot be established, a rotation plan should exist or the reconciliation reports should also be reviewed for propriety by a senior manager.

Banks must ensure the separation of incompatible duties. If an individual employee can dominate any transaction or transaction type, it is a red flag that requires further review by the auditor.

The advances in computer technology have led to a high degree of individual transaction domination.

For example, a teller will handle a transaction (take a deposit or cash a check) and then scan the transaction for input for processing without review or handling by any other person. Personnel in financial areas make transactions online. These transactions are often not subject to individual review by managers, such as the individual transaction sign-offs of the paper processing environment. The detail review of paper transactions has been replaced by accountability for transactions through the attachment of an individual user ID to each transaction or batch processed, with an audit trail being established immediately upon the creation of transactions. The bank must ensure, through initial orientation of new employees and periodic training of existing employees, that all employees understand that all transactions on automated systems carry the identification of the person that originated or modified any transaction.

BANKS HAVE AN EXTRAORDINARILY HIGH VOLUME OF ACCOUNTING ENTRIES AND A HIGH RATIO OF ENTRIES PER EMPLOYEE.

Banks have a high degree of physical control over assets such as cash and securities. Physical controls such as pre-numbered forms have been prevalent in banks in the past but are decreasing as online systems with user ID on transactions replace paper forms. The computerized systems also provide absolute journaling of events.

One of the most important areas of control is the computer systems of the bank. The detail records (e.g., deposits, loans, credit cards) and control records (e.g., general ledger) of the bank are maintained on its computers.

Computers have been used in banks since the late 1950s. Computer capabilities have made advances unparalleled in any other facets of banking and changed the nature of transaction processing in banks. In the past, banks used monolithic computer systems where everything was processed on one huge computer or a small number of large computers that each performed specific work—one for deposit processing, another for loans and general ledger. Access to these computers was limited to bank employees and transactions were largely paper-based.

Today, computerized processing systems are all over the bank. Some are still on the mainframe computer(s), but a growing number are on server-based networks. The systems on server-based networks can be as rigidly controlled as the traditional mainframe systems.

Most systems use online entry instead of paper transactions. This means that support for these transactions is not as readily available as former paper systems. Again, the issue of system control may be a major concern for management and the auditor. As part of the auditor's walkthrough of operations, attention should be given to how transactions are originated and how and by whom validation can be assured.

Corporate customers are allowed to access their accounts to view balances and transactions, transfer funds between accounts, pay bills, make deposits through remote deposit capture systems, create wire transfers, create electronic funds transfer (EFT) transactions, and send administrative messages to the bank.

Consumers can access their accounts by PC, smart phones and tablets as well as telephone to obtain balances, transfer funds between accounts, pay bills, order checks, enter stop-payment orders, and even deposit checks through smart phones.

None of these transactions have any paper backup. The security systems in the computer are a critical factor in controlling these transactions and protecting against hacking by unauthorized individuals.


In addition to access to computer files, the bank must be concerned with access to program files. The computer programs for systems, networks, and computer files must be protected from access by unauthorized individuals.

A specific area of interest to the auditor is the use of spreadsheets that are ‘programmed’ and handled on personal computers. Many of these spreadsheets are used in the financial reporting process. The auditor should give attention to the degree of oversight of the programming of spreadsheets. The auditor should consider the inclination of individuals to accept without question the figures that are displayed in spreadsheets. The auditor should consider obtaining, electronically, copies of key spreadsheets and examining the formulas in the cells. The auditor making the examination should have competence in spreadsheet programming, advisedly at a high level.

In the audit planning process, the auditor should include a careful review of AAG-DEP 5.74–5.84, Information Technology Considerations.

The auditor must also include consideration of the issues covered in Auditing Standard 2401 Consideration of Fraud in a Financial Statement Audit. The possibilities for fraud in a bank are many and varied. As we progress through this course, many of the common types of fraud will be described. The circumstances that create exposure and the controls that limit risk will also be discussed.

The auditor must consider the possibility of fraud to assure that the audit procedures employed comprehend the possibility of fraud.


Study Question 30

Bank accounting is characterized by which of the following?

A. Daily reconciliations between the general ledger and subsidiary ledgers
B. General ledger postings only at month-end
C. The ability to hold entry-making activities for audit inspection
D. The control of entry-making and reconciliation by a single employee

Internal auditing has a long history in banking. The first organization of internal auditors was founded in the banking industry in 1928. Today, bank internal auditors have three primary professional designations:

  1. Certified internal auditor (CIA) is the most common and highly professionalized

  2. Certified Financial Services Auditor (CFSA) which is an advanced CIA designation

  3. Certified bank auditor (CBA) the earliest but diminishing in number and discipline

There are also specialized professional designations, such as certified information systems auditor (CISA) for information systems auditors and the certification in risk management assessment (CRMA).

Internal auditors and external auditors should have an excellent working relationship. They have a mutual interest and, with cooperation, can profit significantly from each other's work. For this working relationship to occur, it is important that they understand and identify with each other's objectives.


Comparison of the objectives of external and internal auditors

The external auditor's objective is to obtain sufficient, appropriate evidence to express an opinion on the financial statements, the internal controls that affect the creation and accuracy of the statements, and management's reports on the internal control structure and compliance.

The objective of internal auditing is described in the Statement of Responsibilities of Internal Auditing issued by the Institute of Internal Auditors (1947, revised 1981 and 1990 and beyond) and the broader Standards for the Professional Practice of Internal Auditing as follows:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


The objective of internal auditing, therefore, is to focus on the bank's internal control structure. In a real sense the internal audit function is concerned with all three of the objectives of internal control (operational, financial reporting and compliance), whereas the external auditor is concerned with the financial reporting objective.

As part of examining the control structure, internal auditors, like external auditors, may perform tests that ensure the accuracy of financial information. They may:

  • verify selected transactions,

  • prove detail and control accounts,

  • confirm loan and deposit accounts, and/or

  • perform branch audits.

To fulfill internal auditing professional standards, however, internal auditors must probe further into all aspects of the internal control.

The extent and quality of internal auditing in the banking industry varies. The external auditor must determine the independence and competence of the internal auditor. If this is a continuing engagement, the external auditor's prior experience with the internal audit function is important in this evaluation. The determination can also be done through review of the internal audit department's operating budgets, audit plans, workpapers, and prior audit reports.

When the CPA is performing the audit under PCAOB Auditing Standard 2201, the requirements of paragraphs 16–19 apply. The language of Auditing Standard 2605 The Auditor's Consideration of the Internal Auditing Function in an Audit of Financial Statements is further expanded and linked in planning to rely on the work of internal auditors.

Internal auditors report all findings to the audit committee. Their ultimate responsibility is to the board of directors or the audit committee. For administrative purposes, they usually report to the CEO.

An area in which the bank's internal auditor can be particularly helpful to the outside auditor is electronic data processing or information systems (IT).

To understand the bank's internal control structure, the outside auditor must understand the bank's computer system and its related controls. All banks have their accounting systems on computer. More and more banks have their own computer systems, but many have their work processed by independent data-processing services.

Most internal auditors have a thorough understanding of the bank's computer operations and can provide flowcharts, system documentation and evaluations, and other information on the system.


Study Question 31

According to the COSO Study and Auditing Standard 2201, the monitoring component of the control system in an entity assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This is accomplished through ongoing activities, separate evaluations, or both. Which of the following staff members contributes to the monitoring process?

A. A regulatory examiner
B. A system and procedures analyst
C. A tax accountant
D. An internal auditor

Chapter 5. Bank Operations

This chapter continues the discussion of bank operations, including the function of tellers, control concerns, the check processing functions, electronic payments systems, and the check collection process.


This chapter examines the bank's teller and check processing functions.

The teller function is one of diminishing purpose. Deposits of checks are being made from customers' desktops and mobile phones. The handling of checks in deposits has almost disappeared. Where checks are presented to tellers for deposit, they are handled in the same fashion as customers using bank supplied equipment. This is described in detail in the check processing subject in a few minutes. However, the handling of cash remains very much in the hands of tellers.

The physical locations where the teller works, from the teller's point of view, are described below.

  • The teller's window or workstation has two major components. The first component is the cabinet or pedestal, which contains the teller station's cash drawer. This is where the teller stores cash while he/she is working at the teller window. The second component is the terminal, where the teller makes inquiries to the computer and prints receipts and, in some systems, creates cash accounting tickets.

  • The teller's cash is stored overnight in the vault in a special area referred to as the cash room, where each teller has a special storage safe or locker.

Some banks classify tellers into two general categories—specific teller and universal teller.

A specific teller processes specific types of transactions, such as lending (loan teller), sale of travelers' checks and money orders, and savings and checking transactions (deposit teller). A universal teller processes all types of transactions. The universal teller is the most common teller configuration.

The four basic teller function activities are categorized as:

  1. payment function,

  2. receiving function,

  3. other customer related teller functions, and

  4. head teller function.

Each of these functions is important to understanding the overall operations of tellers in controlling cash and establishing the beginning of the audit trail on a number of customer transactions.

Teller Functions

Payment

Payment transactions can involve check processing and savings withdrawals. A teller pays a check if the check cashed is drawn on the bank where the teller works. The check is considered as paid because the teller has access to all information required to assure that the check can be charged to the drawer's account and has the ability to hold the funds giving the paid check priority in posting that night. The information available to the teller includes account balance, any holds or stop payments on the account, specimen signatures, and other information.

A teller cashes a check if the check cashed is drawn on another bank. It is later presented to the drawee bank for payment and could be found to have defects that prevent its being paid at the drawee bank. Such possible defects include insufficient funds, signature not authorized, payment stopped, etc. If the check is not honored at the drawee bank, it will ultimately be returned to the teller who cashed it.

When paying a check or processing a savings withdrawal, the teller should determine the following:

  • The check is drawn on this bank.

  • The check is dated and endorsed properly.

  • The account has sufficient collected (or available) funds to cover the check.

  • The signature is verified in accordance with the bank's policy.

Receiving

Receiving functions involve tellers receiving funds primarily for deposits to checking and other deposit accounts. When accepting them, they:

  • verify the amount of the deposit,

  • detect counterfeit coin or currency,

  • verify proper endorsements on checks for deposit,

  • identify the presence of obvious fraud, and

  • issue an appropriate receipt for the transaction.

Other

Tellers perform numerous other functions, including:

  • disbursing loan proceeds,

  • accepting loan payments,

  • selling traveler's checks and savings (EE) bonds, and

  • in some banks, accepting payments to third parties such as utility companies.

Head teller

Each teller area within an office, or group of tellers within an area, has a head teller responsible for overall teller activities, often as a supervisor. The head teller balances the office's funds as a whole at the end of the business day, which includes the individual tellers' funds plus the reserve or vault cash. The head teller is usually the individual who has custody of the reserve cash in the vault. Depending on the amount of activity in the office, the vault cash supply may be a large amount, in which case that cash fund is under the dual control of two individuals.

In some cases, particularly in a large branch with a number of tellers, the head teller will be only a supervisor and another teller will be the vault teller who has primary custody of the reserve or vault cash. In these cases, the vault cash is usually a large amount and the vault cash is under the dual control of two individuals. DUAL CONTROL MEANS THAT TWO ASSIGNED PEOPLE ARE REQUIRED TO OPEN THE STORAGE SAFE AND WILL BE PRESENT THE ENTIRE TIME THAT SAFE IS OPEN – BOTH WILL SEE THAT THE SAFE IS PROPERLY CLOSED AND LOCKED.

Banker's Joke


Two friends were arguing about their relative leverage at the bank. Joe said, “One of my buddies is a vice president at the bank!”

Paul said, “Ah, vice presidents are a dime a dozen at the bank. I bet they have a vice president in charge of coins!”

After some verbal back and forth they agreed to call the bank and ask for the vice president in charge of coins. They placed the call to speak to the vice president in charge of coins. The call was answered by an operator who inquired, “Did you want the vice president in charge of rolled coins or loose coins?”

The teller records the receipt and payment of cash. To provide security for cash, the movement of cash stops at the teller's window and documentation of the cash transaction flows through the accounting system.

When cash is received, the teller prepares what is known in bank parlance as a cash-in ticket (a debit to general ledger cash account) and places it with the transaction item (e.g., deposit ticket and any deposited checks) for the next step of processing. The cash is placed in the teller's fund. When a check is cashed, the teller prepares a cash-out ticket (a credit to general ledger cash account) that accompanies the check for later processing. The net total of cash-ins and cash-outs is the day's change in the teller's cash fund balance.

The cash-in ticket takes the place of actual cash. It is the means of recording the receipt of cash in the accounting system without cash leaving the protection of the teller's cash supply. The cash-in ticket is later posted to a control account the teller must balance to at the end of the day. This account operates as a general ledger account for the teller's cash fund.

Cash-out transactions are treated similarly. A cash-out ticket (credit to cash) is placed with a cashed check or a deposit from which cash has been deducted (a split deposit). It is later posted to the control account.

Later we will discuss the processing of check clearing and payment using current technology. The change in check clearing has led to a fundamental adoption of paperless processing. In this environment, the paper cash-in (debit) and cash-out (credit) tickets have disappeared in some cases. Instead, when the teller completes the count of cash related to the transaction and presses a key for either cash in or cash out, the computer system creates an electronic transaction which is merged into the total processing of the deposit or withdrawal transaction. All transactions bear trace numbers for the pieces of the transaction (i.e., the deposit slip, the electronic cash-in ticket, each deposited check, and a cash-out for any cash returned (a less-cash transaction)). If it is a check cashing transaction, the pieces are the check(s) cashed and the electronic cash-out ticket. Remember: cash-in is a debit (increase) to the teller cash account; cash-out is a credit (reduction).

The traceable number is often referred to as the batch sequence number, and it can be traced entirely through the processing of the item. This is the ultimate audit trail. The term batch sequence number comes from the days when paper transactions were processed in mass production operations in batches, which were the units for balancing. These numbers are sometimes called trace numbers.


Examples of transactions at the teller's window

If you prepare a deposit slip including a $1,000 check on another bank and $500 cash (a total deposit of $1,500), the teller processes a transaction containing the check (that will become a debit to clearings) for $1,000, a cash-in ticket, often an intangible electronic entry (debit cash), for $500, and the deposit (credit deposit account) for $1,500.

If your transaction includes only the check and you want $100 cash from that $1,000 check, the teller processes the check (that will become a debit to clearings) for $1,000, the deposit (credit deposit account) for $900, and a cash-out ticket, often an intangible electronic entry (credit cash), for $100.

At most banks, the teller is aided by a machine at the teller window. The machine is a computer terminal that:

  • maintains a running total of cash-in and cash-out transactions,

  • validates deposit receipts,

  • serves as an adding machine,

  • maintains an electronic journal of all transactions on the server that supports the terminal,

  • if the teller counts the cash in a deposit (10 $5, 3 $10, 20 $1 = $100), creates a record of the counts of cash in (deposits) or cash out (checks cashed), which is helpful if the teller's cash is out of balance at the end of the day, and

  • creates the electronic cash in or out ticket.

The teller machine/terminal also has the ability to make balance inquiries and place holds on funds if checks are cashed.


A note on internal controls

In an ideal world, the handling of cash and the originating of entries should be separated from the posting of account records. However, you will have noticed that when the teller enters a figure for cash received and scans in the paper associated with the deposit, the transaction is not subject to further human handling or review. Effectively, the tellers are now posting the books without further review. Similarly, if a teller enters a cash-out on the keyboard and introduces a scanned check to offset it, there is no further human review unless the two factors do not balance.

When paper items are being scanned, the system will prompt the scanner operator to enter any data that the scanning system cannot read. This means that a blank piece of paper could be run through and the operator (teller) could manually enter all data fields to make it appear that a proper check or deposit slip had been scanned. This raises the possibility that a blank piece of paper could be dispatched through the electronic clearing or posting applications and would be uncovered only when it was returned from a mythical paying bank or reported as an unidentified debit by a customer. If it is a credit to the employee's checking account it would be uncovered only when the teller's cash was counted and found to be short by the amount entered as deposited cash.

Think about the bank's surrounding procedures when performing the walk through of teller activities.
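The exposure described in this note can be tested directly against the teller's electronic journal. The following is an added example, not part of the course material: the journal layout, field counts, user ID, opening fund and counted cash are constructed assumptions, and the first two transactions reuse the $1,500 deposit and the $900 less-cash deposit from the examples above.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

D = Decimal


@dataclass(frozen=True)
class JournalItem:
    trace: str             # batch sequence (trace) number shared by all pieces
    user_id: str           # user ID attached to the transaction
    kind: str              # "check", "deposit_slip", "cash_in" or "cash_out"
    side: str              # "DR" or "CR"
    amount: Decimal
    fields_total: int = 0  # fields the scanner tried to read (0 = electronic ticket)
    fields_keyed: int = 0  # fields the operator had to type by hand


# Constructed sample journal for one teller (hypothetical layout).
JOURNAL = [
    # $1,000 check + $500 cash deposited: DR clearings, DR cash, CR deposits
    JournalItem("T-0001", "teller07", "check", "DR", D("1000"), 5, 0),
    JournalItem("T-0001", "teller07", "cash_in", "DR", D("500")),
    JournalItem("T-0001", "teller07", "deposit_slip", "CR", D("1500"), 3, 0),
    # $1,000 check, $100 cash back: one unreadable field keyed, which is normal
    JournalItem("T-0002", "teller07", "check", "DR", D("1000"), 5, 1),
    JournalItem("T-0002", "teller07", "deposit_slip", "CR", D("900"), 3, 0),
    JournalItem("T-0002", "teller07", "cash_out", "CR", D("100")),
    # Cash deposit whose slip was entirely keyed by the operator
    JournalItem("T-0003", "teller07", "cash_in", "DR", D("400")),
    JournalItem("T-0003", "teller07", "deposit_slip", "CR", D("400"), 3, 3),
]


def out_of_balance(journal):
    """Trace numbers whose debits and credits do not net to zero."""
    net = defaultdict(lambda: D("0"))
    for item in journal:
        net[item.trace] += item.amount if item.side == "DR" else -item.amount
    return sorted(trace for trace, total in net.items() if total != 0)


def fully_keyed(journal):
    """Scanned items on which every data field was entered by hand."""
    return [i for i in journal
            if i.fields_total > 0 and i.fields_keyed == i.fields_total]


def expected_cash(opening, journal, user_id):
    """Opening fund plus cash-in tickets less cash-out tickets."""
    cash = opening
    for item in journal:
        if item.user_id != user_id:
            continue
        if item.kind == "cash_in":
            cash += item.amount
        elif item.kind == "cash_out":
            cash -= item.amount
    return cash


def review_teller(journal, user_id, opening, counted):
    """Combine the three checks for one teller's day."""
    mine = [i for i in journal if i.user_id == user_id]
    return {
        "out_of_balance": out_of_balance(mine),
        "fully_keyed_traces": sorted({i.trace for i in fully_keyed(mine)}),
        "cash_variance": counted - expected_cash(opening, mine, user_id),
    }


if __name__ == "__main__":
    # Constructed figures: $5,000 opening fund, $5,400 counted at close.
    print(review_teller(JOURNAL, "teller07", D("5000"), D("5400")))
```

Every transaction in the sample balances, so the system's own debit-equals-credit check raises nothing; only the fully keyed slip and the independent cash count expose the third transaction.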


Study Question 32

Activities in the teller's area usually include all but one of the following. Identify the activity that is not appropriate to the teller's area.

A. Maintaining deposit records
B. Paying withdrawals
C. Receiving deposits
D. Selling Series EE bonds

ATMs are machines that stand ready to give cash, take deposits, report account balances and transfer funds between accounts 24 hours a day, seven days a week, without the presence of a bank employee. ATMs are connected, directly or indirectly, to the bank's computers and pass their transactions to the computer in electronic form. They verify that sufficient funds are on hand in a customer's account before paying out cash or transferring funds.

The cash stored in an ATM is a cash fund just like a human teller's fund. As such, it must be balanced daily. In addition, deposits and loan payments accepted by the machine must also be balanced.

Cash dispensed = Credits to cash
Total transactions received = Machine-captured totals
New cash added to the machine by the bank = Debits to cash

In some cases of very low activity machines, the deposits and loan payments will be extracted from the machines daily, but the cash supply will be balanced less frequently; for example, weekly.

ATMs are built to maintain dual control over critical areas. There are at least three such critical areas.

  1. The first is the space where the cash is stored. The cash is contained in ‘canisters’ that hold the cash for easy and correct dispensing.

  2. The second is a safe for receiving deposits made by customers; this unit should be treated like the night depository described below.

  3. The third is a safe that contains cards that are captured by the machine; this unit should be treated like the night depository.

The machine will capture cards that have been reported stolen and cards on which there were too many failed attempts to enter the PIN number/password. This function is disappearing as newer ATMs use a ‘swipe’ technology where the card is entered and immediately removed. The old method took the card in and held it until the transaction was completed, then returned it to the customer. In the old operation, the card is ‘captured’ into a special internal safe if it is reported stolen or lost or if there are a number (usually 3) of failed attempts to enter the PIN number. The idea of swiping and returning cards seems like a poor idea because a stolen card can remain in circulation. Banks balanced this against the number of customers who mistakenly entered their PIN numbers and had to return to the bank the next day to retrieve their card, or for whom a new card had to be issued. (The author makes no comment on the risk to the general public of allowing stolen and counterfeited cards to circulate. Auditors are considered to be overcautious to the point of being impractical.)

The processing of ATM deposits should be under dual control from the opening of the ATM until the contents of the capture bin have been recorded and the contents of the deposit bin have been recorded and the envelopes processed. See night depository procedures on the next page.


The Night Depository


The night depository allows individuals and businesses to leave deposits at the bank at any hour and have them processed the next business day. When envelopes or deposit bags are dropped in the portal outside, they fall into a vault with dual-control locks.

When night deposits are removed, they should be in the custody of two people from the time the safe is opened through processing at the tellers' lines. Dual control should be maintained at least until the cash has been counted and verified to the deposit slip. The contents of the night deposit vault should be logged as items are removed from the vault; not later.


The Night Depository (cont'd)



Note the graphic here. There is a key lock that must be opened in order for the combination dial to move. Alternatively, the lock may be electronic requiring two separate numeric entries to open or a key lock in the center of the handle and a single combination in the keypad. You should observe and evaluate the physical facilities and the actions of the personnel in opening the safe. Dual control of the night depository requires that one person have the combination to the vault and another has the key that activates the combination lock. To be effective the two must remain in the presence of the contents of the night vault until the cash in each deposit has been verified. The presence of the two individuals that opened the safe may be accomplished by bringing others into the process as long as two people are always present. When a customer brings a deposit to be processed in his/her presence at the teller's window there is the effect of dual control – customer and teller. The dual control of night deposit and ATM processing places a bank employee in the observer role of the customer.

Some businesses make night deposits in special locked bags, which are opened and processed under dual control. Some businesses elect to call at the bank, unlock the bag, and observe the processing. Increasingly, banks are supplying customers with a tamper-evident clear plastic envelope/bag. The contents of the bag can be seen through the bag. This bag, when sealed, cannot be opened without destroying the bag (thus the tampering is evident). They are cheaper than locking bags. Locking bags bear no evidence that the bag has been opened or closed as long as there are keys available to the bag.


Major Control Concerns

Many controls exist to prevent losses in the teller function, but cash can still be lost.

The four most common ways that cash is lost are overchanging customers, internal theft, robbery, and lapping.

The first three are easily defined, but lapping is more complicated.

  1. Overchanging occurs when the teller unintentionally pays out more than is specified on the check or deposit withdrawal.

  2. Internal theft occurs when the teller or other employee steals cash from the teller's cash fund.

  3. Robbery occurs when a person from outside the bank's employ uses or threatens violence to obtain cash from the teller's cash fund.

  4. Lapping, a common scheme for taking money, is based on the perpetrator's logic pattern that “I'm just borrowing it; I'll pay it back.” It is a process of diverting debits (i.e., cash at the teller's window) and withholding the offsetting credits by matching withheld credits to debits in transactions on subsequent days.

Let's examine a scenario of lapping to see it at work. You may want to access the Lapping Chart.

Example

Customer A deposits $500 in cash; Teller Z pockets the cash and withholds the deposit from processing (i.e., the teller does not prepare a cash-in transaction).

The next day, Customer B deposits a $1,000 check; Teller Z shows the check as cashed, places $500 cash in the cash fund, prepares a $500 cash-in transaction, places it with A's deposit, and processes the deposit. Teller Z withholds B's deposit and pockets an additional $500. The following day, Customer C buys $500 in traveler's checks with a check and Customer D makes a $500 loan payment with a check. Teller Z withholds the credits from C and D's transactions and matches their checks with B's deposit slip and processes B's deposit.

Round and round it goes until someone discovers that credits are being delayed by one or more days. The discovery is usually made during an investigation prompted by customer complaints about the delayed posting of transactions to their accounts.

This Lapping Example illustrates the lapping scheme. In the early stages, the person who takes the funds in a lapping scheme often repays the shortage (on payday), but that means there is less of the paycheck to make it to the next payday, so the scheme usually begins again and tends to grow until it cannot be repaid.

Savings deposits, loan payments, money order sales, Series EE bond sales, and traveler's check sales are particularly vulnerable to lapping because the funds are not drawn out immediately as they are in checking account deposits. Therefore, delays in booking the credits are not as readily identified.




Study Question 33

Which of the following is maintained under a single control as contrasted with dual control?

A. ATM deposits
B. Individual teller's cash
C. Night deposit vault
D. Large cash reserves in the vault

Study Question 34

One of the common schemes that employees use for taking money from a bank and attempting to cover the theft is:

A. kiting.
B. lapping.
C. robbery.
D. shortchanging customers.

Check Processing Function

This subchapter discusses the processing of transactions through check processing, and the operations functions that are the integral next step after the teller function. Check processing coupled with the advancement of the internet as a total function is the pivot point of the greatest revolution in banking and the payments system in more than 70 years.

This revolution is all about technological change that is reshaping the payments system, so it is broader than just the question of balancing transactions like deposits after they leave the tellers' windows. It is broader than how checks are collected that are drawn on other banks. It is important to see all of the elements of the payments system in order to understand any single portion such as check collection.

To understand those issues in the audit, it is critical to understand the broader issues and the ways that different banks are addressing them in this changing environment. A number of different methods and technologies are being employed; each has its own risks and controls. However, the number of differences among banks is diminishing as all banks, large and small have access to the same means of interacting with their customers. Though standardization is increasing, all methods are presented here to prepare you to deal with client operations wherever you encounter them.

To plan and perform the audit, it will be necessary to understand: the broad framework of the payments system and how check clearing fits into that system; how the financial institutions reached the current state and what the likely future is; and how to make an efficient assessment of the operating methods employed in a financial institution under audit. Remember that the movement of deposit account transactions is the greatest volume and the greatest amount of financial movement every day in any bank.


The Evolution of the Current System



Historically, consumers paid for products and services in cash or with checks. The merchant accepted customer checks and took them to the bank batched together. The bank sorted out the checks drawn on that bank (the depository bank) and bundled up the ones payable at other banks and sent them to a correspondent bank which would further sort them and forward them on to the paying bank (drawee) for collection. Then the credit for the collected funds flowed back through that channel to the depository bank.

The current system continues to place the banking system as the hub for payment settlement, but the way the collection process has changed means there are different channels. However, the thinking that created the modern electronic system was heavily based on the paper system of the past. Each channel has its own risks and controls. Now let's move to the next page to see an example.

Example

An example of the payment system is portrayed in the following scenario.

Today is payday for Bill. Instead of Bill's employer handing him a paper check, his pay has been credited at his bank to be available first thing on the morning of his payday.

Bill decides he wants a cup of coffee on his way to work, so he stops at Starbucks for a latte. Instead of writing a check, he considers paying with his debit card, a Starbucks (prepaid) card or an app on his phone. He decides to use his iPhone which has an app that accesses his Starbucks prepaid account. The scanner at the shop reads the iPhone and deducts the charge from his prepaid account. The Starbucks account has reached an agreed minimum so Starbucks automatically creates an ACH charge to Bill's checking account to replenish his Starbucks account.

During the day, Bill receives an e-mail from his bank reminding him that his credit card bill is due so he logs on to the card issuer's web site. After reviewing the charges on his account, he authorizes the issuer to send a charge (referred to as an Electronic Funds Transfer or EFT) to his deposit account at his bank for a specified payment amount.

That afternoon, Bill decides to take his wife to dinner and a movie. He stops by a bank branch to withdraw cash through the ATM for snacks at the theater and then goes to the gas station where he pays for the gas with his debit card scanned at the pump. Dinner is paid with his credit card. At the movie, Bill picks up the tickets that he paid for in advance with a charge to his credit card.

When Bill and his wife finally get home that night, he notices the utility bill received in the mail this morning, so he logs on to his computer and accesses his bank account online. After checking the balance in his account, which shows all of the debit card transactions for the day and reduces his balance accordingly, he uses the bill payment option to remit to his utility provider.

Bill then opens the rest of the mail and finds a check from his Aunt Tillie that she sent for his birthday last month. Instead of planning a trip to the bank to deposit it, he endorses the check and uses his iPhone to access his bank's online banking app. Using that app, he takes a picture of the front and the back of the check and sends the picture plus other data the app requires to the bank. Tonight, the bank will credit his deposit account for the amount of the check and will send the (picture copy) check to Aunt Tillie's bank, where it will be paid the day after tomorrow.

In this example we see no paper used in the banking transactions but funds moved around all over the place. And that was just our hero Bill.

Checks



Checks are still around and they will be for the foreseeable future. However, the way they are handled has changed almost completely and along with that change is a huge change in the ways banks operate.

From the operations of tellers to the speed of collection, the handling of checks has changed. Traditionally, deposits were made by handing them to a teller at a branch. While this action still occurs, more and more checks are deposited by an electronic system.

Today the teller accepts a small number of deposits and thus a smaller volume of paper checks passes through tellers' hands. For those deposit transactions that do occur, the teller accepts the deposit, does the usual steps with any cash, and scans the checks to capture the image of each check for collection; we'll look at how that is done in a couple of approaches in a minute. The paper checks, once scanned, are bundled up for the day and stored in the branch; they never leave the branch. Increasingly, they never reach the branch because they are scanned by the merchant and the pictures are sent to the bank. Virtually all banks have a cell phone app that lets the customer take a picture of both sides of the check and deposit it in their bank.


Scanning Process

The scanning process in the banking office is in two general forms:

  • Front counter approach

  • Back counter (the most common) approach



The front counter approach

In this method the deposit is scanned at the teller's window as the deposit is processed. The teller runs the deposit slip and checks through a scanner in real time as the deposit is processed. As the cash in the deposit is counted, an electronic cash-in ticket is prepared; no physical cash-in ticket is prepared. (Remember a cash-in ticket is a debit accounting for the increase in the teller's cash drawer.) If the transaction is the cashing of a check or checks, the cash is counted as it comes out of the drawer and a credit to the teller's cash account (a cash-out ticket) is electronically prepared. There is no need for a paper ticket to be prepared because the entry (debit or credit) will be electronically routed to the general ledger or a subsidiary thereof. The cashed check is then scanned.

Often there is no need for a deposit slip. The balancing or ‘proving’ of the deposit will generate an electronic deposit ticket (credit to the depositor's account) which makes the paper deposit slip superfluous. However, the customer will have to supply a total for the deposit, which the teller enters in the terminal at the beginning of processing along with the depositor's account number. The teller's terminal prints a receipt which the teller hands to the customer. At this point the deposit transaction is complete and the electronic entries including the images of the checks are on their way for collection. As we will see, if the scanner cannot read any element of the check the teller is given the opportunity to enter it on the keyboard of the terminal.


The back counter approach



The second form is referred to as the back counter approach and is the more commonly used method. The tellers batch their transactions until a point in the day when they are taken to a central scanning station in the branch. This can be at the end of the business day when all of the transactions are scanned at one time. This is usually very inefficient. Most commonly there will be several scanning sessions during the day. That means that the amount of work to be performed at the end of the day will be of lesser volume. It can then be rapidly and efficiently scanned, balanced and dispatched and the day's work is concluded. Take a look at the equipment.

Identifying which of the two approaches is used is easy. If there is a scanning device in each teller's window, the front counter approach is used. If there is only one scanner and it is used for all teller transactions, the back counter system is used.

As the checks are passed through the scanner, several OCR (optical character recognition) actions are taking place. First the characters on the bottom of the check (the font is known as E13B) identify the bank the check is drawn on and the account number at that bank. That line is referred to as the MICR line (Magnetic Ink Character Recognition pronounced ‘Mike arr’); that form of recognition pre-dates optical character recognition (OCR). There may also be a serial number of the check on that line. That information is read magnetically (the ink has embedded iron particles) or read optically. The software in the server supporting the scanner can identify where the MICR line is if the data was not read magnetically. The computer logic of all scanning methods is seen in supplement Branch or Remote Deposit Capture.

At the same time the MICR characters are being read, other information is being obtained from the check using OCR techniques. To send the check for collection, a minimum of three pieces of data are necessary.


  • The first piece of information is the bank it is drawn on (paying bank); that is, the routing & transit number which is the first set of characters on the left of most MICR lines. That bank number group is set off by special characters to cue the beginning and ending of the R&T number.

  • The second piece of information is the identification of the account that will pay the check when it arrives at the paying bank; a set of special characters separates the account number from the R&T number and signals the end of the account number. These 2 pieces of data were printed on the checks when they were created as blank checks and shipped to the customer.

  • The third piece of information is the amount of the check. Obviously, this data cannot be determined until the check is read electronically. The software driving the scanner tries to find the amount in 2 ways. The first is the Courtesy Amount Recognition or CARS. That is the numerals following the dollar sign $ on the check. If you look at one of your checks, you'll notice that the dollar sign is large compared to the other printing; that's so scanners can zero in on that field of the check. In addition, the software uses Legal Amount Recognition or LARS to read the written amount on the next line. Most scanning software uses three different CARS algorithms to discern the verbal numeric amount and one or more to discern the written amount. The algorithms will ‘vote’ and the value found most often will be assigned. (There is still a verification of this in the balancing process which follows.)

Scanning starts with the credit amount input. Then the sum of all items (checks read, less any cash-out ticket, plus cash-in values) will determine if the deposit is in balance. Corrections can be made at the terminal monitor. When the scanning software has read all of the paper items, a virtual deposit slip is presented on the screen. The cash-in or cash-out is presented as it would be on a physical deposit slip; then each check is listed, again as it would be on a physical deposit slip. The picture of each item is shown, usually beside the three data fields.

If the amount could not be reliably read by OCR, the teller can see the check and manually enter the amount. If either of the other two fields (R&T & account) did not read, that data can also be entered at this time.

When all data has been completed, the software will generate a total which will be compared to the total provided by the customer. If there is a difference, the teller can review all of the items both on the capture screen and the physical check to assure that the correct data has been captured and prepared for processing.
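The voting and balancing steps described above, as an added example (not the course's or any scanner vendor's code). The four engine reads per check, the two-engine agreement threshold and all field names are assumptions made for illustration; amounts are held in cents.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class CapturedCheck:
    routing: Optional[str]              # R&T number from the MICR line, None if unread
    account: Optional[str]              # account number from the MICR line, None if unread
    engine_reads: list                  # amount (cents) from each recognition engine, None = no read
    keyed_amount: Optional[int] = None  # amount keyed by the teller after viewing the image


def vote_amount(reads, min_agree=2):
    """Return the amount most engines agree on, or None when there is no clear winner."""
    votes = Counter(r for r in reads if r is not None)
    if not votes:
        return None
    ranked = votes.most_common(2)
    best, count = ranked[0]
    tied = len(ranked) > 1 and ranked[1][1] == count
    if count < min_agree or tied:
        return None  # too little agreement: the item must be keyed by a person
    return best


def resolve_amount(check):
    """A teller-keyed amount takes precedence over the recognition vote."""
    if check.keyed_amount is not None:
        return check.keyed_amount
    return vote_amount(check.engine_reads)


def prove_deposit(declared_total, checks, cash_in=0, cash_out=0):
    """Balance one deposit against the total the customer supplied.

    Items with an unread field are reported first; the deposit is only
    compared to the declared total once every field is complete.
    """
    needs_keying = []
    item_total = cash_in - cash_out
    for index, chk in enumerate(checks):
        amount = resolve_amount(chk)
        fields = (("routing", chk.routing), ("account", chk.account), ("amount", amount))
        missing = [name for name, value in fields if value is None]
        if missing:
            needs_keying.append((index, missing))
        else:
            item_total += amount
    if needs_keying:
        return {"status": "NEEDS_KEYING", "items": needs_keying, "difference": None}
    difference = declared_total - item_total
    status = "BALANCED" if difference == 0 else "OUT_OF_BALANCE"
    return {"status": status, "items": [], "difference": difference}


def sample_deposit():
    """Constructed sample: three checks, each with three CAR reads and one LAR read."""
    return [
        CapturedCheck("000000001", "1234567", [50000, 50000, 50000, 50000]),
        CapturedCheck("000000001", "7654321", [75000, 15000, None, 75000]),  # one misread
        CapturedCheck("000000002", "5550001", [12500, 17500, None, None]),   # no agreement
    ]


if __name__ == "__main__":
    checks = sample_deposit()
    declared = 147500  # customer's total: $100.00 cash plus three checks
    print(prove_deposit(declared, checks, cash_in=10000))
    checks[2].keyed_amount = 12500  # teller reads the image and keys the amount
    print(prove_deposit(declared, checks, cash_in=10000))
```

A keyed amount that is wrong still surfaces, because the deposit then fails to balance against the customer's declared total.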

Note

The fidelity of image capture OCR is so high that it is seldom necessary to consult the physical items.

The percentage of all checks that are read accurately by CARS and LARS processing is now in the range of 98% leaving only 2% requiring input or correction of amounts.


When all of this work has been completed, the deposit (or batch in the case of a number of cashed checks) is released for further processing which is the check collection process. This now becomes an automated process.

  • The images and data for checks on the depository bank (the bank where this deposit is being made) are sorted out and routed to the deposit system.

  • The deposit identification data is sorted to the deposit system for credit to the depositors' accounts.

  • The cash-in or cash-out transactions are routed to the general ledger or subsidiary for posting to the teller's cash account.

  • The images and data for checks payable at other banks are sorted to a process that will create one or more electronic cash letters to send them for collection at the payor banks. Remember cash letters from the earlier discussion; the deposits of one bank for its credit at another bank.

Note

In all cases hereafter when the term ‘check(s)’ is used it refers to the electronic image of the check and an integrated data tag that contains the R/T, account number, possibly the check number, and the amount. Actually, those data sets are the keys to passing the transaction through the clearing process and the picture of the check is tagged to that set.


Typical full scanning station for back counter & central (ops center) processing


The scanner is in the upper right; a ‘jogger’ in front of the scanner is used to align the stack of checks so the feed-end of the stack is all together; the monitor that displays all information in processing is on the left; and the PC/server is on the floor under the counter.


Detail picture of a scanner


The stack of checks is placed in the bay on the near side. The checks are drawn through the reading mechanism, which is the track wrapping around the right side, and the completed checks end up in the bay on the far side in the same order as the start. In the track or slot of the reading mechanism, there are readers to sense the MICR encoding on the bottom of each check and optical readers to read the CAR and LAR amounts and, if the MICR did not read magnetically, the optical reader can try to capture that data. The cameras to capture the front and back images are in the assembly.


Monitor for scanner server



When the checks have been read by the scanner, any check that does not have complete data will be displayed on the monitor. At this time the software will display checks that need additional information; this speeds the process by showing only items that need additional data. When all of these have been completed, the software will then try to balance the debits to the credit(s) in each transaction set (deposit or matched debit/credit set if other than deposit transactions such as loan payments.)

Any transaction/deposit that is out of balance will be presented on the monitor showing all items (deposit and checks) so any incorrectly loaded data can be corrected. If the deposit is out of balance (the customer gave an incorrect amount), a correction entry can be prepared here and scanned and the transaction will be balanced. In some systems the required correcting entry (a debit or credit) can be created within the system as an electronic entry and a copy printed for mailing to the customer or hand delivery if the customer is present. If the scanning software read an entry incorrectly, the data can be corrected and the item will be carried forward with the correct data attached to the image.

When each transaction set has been balanced, the total batch (all credits less all debits) will be balanced. If there is any difference, the items can all be reviewed on screen to locate and correct errors. Then the balanced batch is released to the processing operation at a central point. If the core processing (deposits, general ledger, etc.) is on a computer in-house, the batch will be directed there for processing. If the bank uses a service bureau the batch will be sent to them.

The system on the scanning server maintains a list of batches processed in the business day. In most banks, a manual log of batches is maintained as well. The batch log will show each batch by number, the number of items in the batch and the name of the person who processed it. Please see sample batch log.

At the end of the day, a total, non-dollar ticket will be prepared showing the total number of batches released from the branch. Please see total ticket. It is a picture that is sent to central processing to declare the end of the business day and to give the number of batches that should have reached central processing.

The software will maintain the complete contents (images and data) of all batches so that they can be retrieved in the event of transmission failures. These archived batches will be maintained on the server in the branch or other scanning location for a long period specified by management. This file retention scheme applies to front counter (teller window) scanning as well.

All of the steps that have just been described for back counter processing at the bank branch are used in the same fashion in a customer's ‘remote deposit processing’. The customer is doing these steps using software that the bank has installed on a PC at the customer's office. In a small office a low-volume scanner like the one pictured here will perform all of the steps described for the bank lobby. For higher-volume customers, a more elaborate high-volume, high-speed scanner may be used but the software operations will be the same.

Customer-originated transactions are usually conducted through a service bureau retained by the bank that specializes in this processing. That bureau will deliver completed and sorted general ledger, deposit application system transactions, and cash letters to the bank for processing. In some arrangements, the service bureau will dispatch the cash letters out for collection with instructions to credit the bank's due from account at a correspondent bank. The bureau will supply control totals to the bank so staff can follow up to see that data was successfully loaded into the bank processing system (timely and in balance).

These specialized service bureaus are universally used by small banks. In some cases, a smaller bank may use a service bureau for all of its IT processing and that organization may be the provider for customer remote deposit capture. Because of the volume and dollar amount of financial activity passing through this operation every day, there should always be a current SSAE 16 Third Party Review of the servicer and the bank should have documentation of its actions on the User Consideration portion of that report. Larger banks may use such service providers or they may maintain internal operations doing the same functions.

In central processing, they will check to see that all of the batches were received in preparation for delivery to the service bureau that handles CRDP. They will also determine that every branch has declared the end-of-day (EOD) so that processing can continue when all input has been received. This is an important control point. A control procedure must be in place to assure that all input is received for processing and that it is received only once; no duplications. In most scanning/capture systems, there is an edit process that identifies duplicate items. This spotlights unintended duplicate entries and any attempt to purposely re-enter an item (e.g., a bank employee trying to take a check from a previous day and enter it as a deposit to his own account.) This duplicate identification control is particularly critical in smart phone deposit systems and remote mass capture systems in client locations.
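One way to express the central-processing control point just described (all input received, and received only once), as an added example rather than any bank's or vendor's code. It assumes each branch numbers its batches 1..N for the business day and that the total ticket carries N; the branch ids and the tuple layout are hypothetical.

```python
from collections import Counter


def reconcile_end_of_day(expected_branches, eod_tickets, received):
    """Compare batches logged at central processing with each branch's total ticket.

    expected_branches: ids of every branch that captures items
    eod_tickets:       {branch: number of batches the branch says it released}
    received:          list of (branch, batch_number, item_count) as logged centrally
    """
    expected = set(expected_branches)
    seen = Counter((branch, number) for branch, number, _ in received)
    findings = {
        "no_eod": [],        # branch has not declared end of day
        "missing": {},       # declared on the total ticket but never received
        "duplicated": {},    # same batch number received more than once
        "unexpected": {},    # received but beyond the declared batch count
        "unknown_branch": sorted({b for b, _ in seen} - expected),
    }
    for branch in sorted(expected):
        if branch not in eod_tickets:
            findings["no_eod"].append(branch)
            continue
        declared = set(range(1, eod_tickets[branch] + 1))
        got = {number for (b, number) in seen if b == branch}
        if declared - got:
            findings["missing"][branch] = sorted(declared - got)
        if got - declared:
            findings["unexpected"][branch] = sorted(got - declared)
        dups = sorted(n for (b, n), count in seen.items() if b == branch and count > 1)
        if dups:
            findings["duplicated"][branch] = dups
    # Processing may continue only when every check above came back empty.
    findings["ready"] = not any(
        findings[key] for key in ("no_eod", "missing", "duplicated", "unexpected", "unknown_branch")
    )
    return findings


def sample_day():
    """Constructed sample: one short branch, one duplicate transmission, one branch still open."""
    branches = ["B01", "B02", "B03"]
    tickets = {"B01": 4, "B02": 2}  # B03 has not sent its total ticket
    received = [
        ("B01", 1, 40), ("B01", 2, 35), ("B01", 3, 52),   # batch 4 never arrived
        ("B02", 1, 18), ("B02", 2, 27), ("B02", 2, 27),   # batch 2 sent twice
        ("B03", 1, 12),
    ]
    return branches, tickets, received


if __name__ == "__main__":
    print(reconcile_end_of_day(*sample_day()))
```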

Note

Under the Check 21 law the bank does not have to hold the original checks longer than 60 days. The risk of re-presentment (checks being processed twice) of checks is eliminated if the checks are destroyed. The earlier the shredding the sooner the risk is avoided. While the paper checks are in the hands of the bank, they should be stored in a locked facility. Depending on volume it may be a cabinet or a locked storage room.

Therefore, the bank should have a rigid practice of shredding checks between 60 and 120 days after the initial scanning and dispatch. Some banks hold these checks for 120 days in case of late returns (like duplicate presentment returns) where the bank might feel more comfortable having the original OR be able to find out that the original is missing.

The destruction by shredding should be in the presence of two people. It should be given more attention than the disposal/shredding of other documents, which is often handed off to an outside shredding provider. If an outside provider is used, bank personnel should observe the process through to the end.


Customer Remote Deposit Capture (additional thoughts)

This description has been very detailed, but a similar process is used elsewhere in a system called Customer Remote Deposit Capture. This system that takes place in the customer's office is the same as the branch capture.

The customer will process a deposit as though it was a batch. The deposit is image and data captured and balanced in the same fashion (often with the same hardware and software) as a branch back counter system. When the deposit has been balanced, it is released to the central operation. Cash cannot be processed through this system; cash must be taken to the bank for an over-the-counter deposit.

Some customers will have only one deposit per day; others will process multiple deposits per day depending on volume and/or the number of responsibility units (locations, departments or employees) who created batches.

For example, the deposits may be at multiple locations or multiple cashiers in a single location. Whether the capture process is in the bank branch or a remote capture at the customer's location, the batches are sent to the central processing location. At that site the processing will continue.

There are several steps in this processing and there are important controls in those steps.


Processing controls

First, each received batch is balanced by the receiving software. The process of reading the transactions and assuring a balanced condition is extremely fast. That may seem redundant, since the batch had to be in balance before they were released from the branch or customer capture. However, it is imperative to see that complete and balanced input is entering the central processing. Any differences have to be traced back to the originating location.

The next step is to compare each check to a database of checks previously handled through central processing. A high-level risk is the re-presentment of any check or checks. The database may cover from 6 months to three years. The software in central processing must assure that the event will not occur regardless of the source.

For example, the bank wants to avoid the reprocessing of a check in the branch. Equally the bank would want to avoid an event where a check was deposited through a customer remote deposit and then brought to the bank for an over-the-counter deposit. The combinations of duplicate deposit risks are many.

The bottom line is that a check should not be credited to a customer more than once; obviously, the maker of the check does not want it charged to his deposit account more than once.

The software will maintain a database of all the checks that it has processed. The software will look in the database for a check with the same bank number (routing/transit number), account number, check serial number and amount. This combination of 4 data points is a reliable data set for identifying most duplicates.

If a customer is not using checks with a serial number on each check (rare but it does happen) there are chances of false positives when routing/transit number, account number and amounts are the only criteria.

If there is no serial number, there is a possibility of multiple checks. In this case, manual review is required.

The system will display the check in the current processing and the suspected previous check. An operator can compare the two, and if they are similar in the data points but not the same check, an override can be entered and the new check passed on for processing. The operator will look at the payee and check date for added identification.

If the check proves to be an actual duplicate, it is removed from the processing stream and moved to a file of checks to be charged back to the depositor. Appropriate accounting entries are generated by the software when the operator identifies it as a duplicate presentment.
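The duplicate screen described in this section, as an added example and not the software of any particular processor. It covers the four-point match, the three-point fallback for checks without a serial number, and the operator's override or charge-back decision; the class, field and status names are hypothetical and the sample items are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Item:
    routing: str
    account: str
    serial: Optional[str]  # None when the check stock carries no serial number
    amount: int            # cents
    source: str            # capture channel: "branch", "rdc", "mobile"
    payee: str = ""
    check_date: str = ""


class DuplicateScreen:
    def __init__(self):
        self._four_point = {}   # (routing, account, serial, amount) -> first item seen
        self._three_point = {}  # (routing, account, amount) -> all items seen
        self.chargebacks = []   # confirmed duplicates, to be charged back to the depositor
        self.overrides = []     # operator decisions to pass a look-alike item

    def _record(self, item):
        if item.serial is not None:
            key = (item.routing, item.account, item.serial, item.amount)
            self._four_point.setdefault(key, item)
        partial = (item.routing, item.account, item.amount)
        self._three_point.setdefault(partial, []).append(item)

    def screen(self, item):
        """Return (status, prior items). Suspects are held until an operator resolves them."""
        if item.serial is not None:
            prior = self._four_point.get((item.routing, item.account, item.serial, item.amount))
            if prior is not None:
                return "SUSPECT_4PT", [prior]
        else:
            priors = self._three_point.get((item.routing, item.account, item.amount), [])
            if priors:
                return "SUSPECT_3PT", list(priors)  # weaker match: false positives expected
        self._record(item)
        return "PASS", []

    def resolve(self, item, operator, is_duplicate):
        """Record the operator's decision after comparing the two images."""
        if is_duplicate:
            self.chargebacks.append((item, operator))
            return "CHARGEBACK"
        self.overrides.append((item, operator))
        self._record(item)
        return "PASS_OVERRIDE"


def likely_same_check(item, prior):
    """Decision aid only: compares the payee and check date the operator would look at."""
    same_payee = item.payee.strip().lower() == prior.payee.strip().lower()
    return same_payee and item.check_date == prior.check_date


def run_sample():
    screen = DuplicateScreen()
    items = [
        Item("000000001", "1234567", "1001", 25000, "rdc", "Acme Supply", "2024-03-01"),
        # the same paper check brought to the counter after remote deposit
        Item("000000001", "1234567", "1001", 25000, "branch", "Acme Supply", "2024-03-01"),
        Item("000000001", "7654321", None, 10000, "mobile", "J. Smith", "2024-03-02"),
        # no serial number, same account and amount, but a different payee and date
        Item("000000001", "7654321", None, 10000, "branch", "City Water", "2024-03-05"),
        Item("000000001", "1234567", "1002", 25000, "rdc", "Acme Supply", "2024-03-08"),
    ]
    log = []
    for item in items:
        status, priors = screen.screen(item)
        if status != "PASS":
            # stand-in for the operator's judgment on the displayed images
            same = any(likely_same_check(item, p) for p in priors)
            status += "->" + screen.resolve(item, "operator-1", is_duplicate=same)
        log.append(status)
    return screen, log


if __name__ == "__main__":
    print(run_sample()[1])
```

Keeping the override list with the operator's id gives the auditor a population of passed look-alikes to sample.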


“On-us” and “Off-us” checks

When all issues in the database comparison have been resolved and that segment completed, the next step is instigated by the software. The checks are sorted into checks payable at our bank (on-us) and those drawn on other banks (off-us or transit checks.) The on-us checks are routed to the deposit processing system and all deposit slip are routed there. The totals of these debits and credits are moved to the in process account for deposit accounting, which will be cleared as the posting process is executed.

The off-us checks are compiled into a cash letter in X9.37 format. (That is a format dictated by the American National Standards Institute [ANSI] to assure that the check and all of the attendant data can be processed at every step in the clearing/collection process.) The cash letter(s) are then dispatched to the Fed or other clearing channel. A transaction for the total of cash letters dispatched will be generated for debit to the designated correspondent due-from bank account on the general ledger.

There may be some slight difference between the amount of the total cash letter and the amount credited by the correspondent bank on the next day. This results from deferral of credit for a few items in the cash letter that will take more time for clearing. The amount of such deferrals is small in proportion to the total cash letter and, because of the improvements in clearing technology, the occasions are becoming fewer all the time. The difference amount can be verified by the report of the correspondent bank that shows the amount deferred on the next morning after dispatch. The deferred amount should be found as a discrete credit amount on the following day.

Note

All of this description applies only to checks drawn in US dollars on US operating banks. Therefore, Canadian checks cannot be included in the image clearing process nor can checks drawn on other countries. There are arrangements where banks outside the US have agencies that will pay checks denominated in US dollars at points in the US – often New York City.


Unpaid checks are returned by reversing the same channels. The drawee bank creates a transaction with the routing back to the depository bank and a code indicating that it is the image of an unpaid check being returned. In most cases an unpaid check will be back in the hands of the depository bank no more than three days after deposit.


Early shredding (no more than 120 days) should be a contractual requirement of remote deposit customers.



Risks and Controls

Risks and controls related to check capturing are broken into two categories:

  • Internal check capture

  • Remote check capture by customer




Internal Check Capture

  • Individual items lack all required information. Software will not allow the transaction to advance in processing if information is missing.

  • All items (checks & deposits) are not processed. The lack of any part of a deposit will immediately show an out-of-balance condition and prohibit the transaction from going forward until the missing data is supplied. (This does not affect the failure to input an entire deposit transaction(s).)

  • Items are processed twice. Input of any check in the transaction a second time will identify a duplicate and thus surface as a difference from the duplication of entire deposit transactions.

  • Check(s) withdrawn from completed work and renegotiated. The software capacity to identify duplicate check input will identify the re-presentment IF IT OCCURS IN THE SAME BANK.

  • Some or all batches are not dispatched to operations. The EOD batch report ticket will identify that batches are not dispatched if they are scanned at the branch or customer remote capture site. This will not identify a circumstance where transaction sets are not input/scanned at all.

  • Item(s) are returned for duplicate presentment. The return of one or more checks as duplicate presentments is a cardinal indication of a problem condition that poses a loss potential to the bank and also signals the need for immediate and thorough investigation.

  • Checks are available for re-processing in the bank. The software capacity to identify duplicate check input will identify the re-presentment IF IT OCCURS IN THE SAME BANK. Early destruction reduces the period of exposure.

  • Checks are available for re-processing by deposit in another bank or negotiation at a non-bank location. If the check is deposited at this bank it will be identified by duplicate detection software. If it is deposited at another bank both presentations will be returned as a duplicate presentation; bank procedures should take immediate investigation action. Early destruction reduces the period of exposure.


Remote Check Capture by Customer

NOTE that all of the risks and controls on the previous page also apply to remote check capture by customer. The following are additional risks and controls. General note: Some of these controls should exist in software and systems (*) as they operate in the bank; others may be at the customer location but stressed in training by the bank (#).

The customer (business) might reprocess checks thinking it can get duplicate credit. Duplicate detection software identifies this exposure. (*) Early destruction reduces the period of exposure. (#)

An employee of the business tries to reprocess checks to defraud the bank and the business. Duplicate detection software identifies. (*)

Bank performs credit review before opening remote capture service for the business to determine the ability of the business to cover losses resulting from their action or the actions of their employees. (*) Early destruction reduces the period of exposure. (#)

Activities in the business related to processing of deposits cannot be traced to a specific individual. Software provided by the bank for use by the customer (business) contains security features that support specific authorization of individuals. (*)

Bank must train the business/employer in use of features (*). Business must manage the use of software and maintain an IT security plan. (#)


Audit Objectives


  • Establish that controls exist to assure the completeness of transaction input

  • Establish that controls exist to assure the accuracy of transaction input

  • Establish that controls exist to assure that appropriate procedures exist to reduce or eliminate the misuse of transaction materials

  • Establish that controls exist to assure that transactions are recorded on a timely basis to assure that financial statements accurately reflect the financial position of the entity


Audit Procedures

  • Observe the capture of transactions by the tellers' operation.

  • Determine that a daily balancing routine is followed for teller's activities.

  • Determine balancing routines are carried out to completion and that all balances are captured.

  • Determine that end-of-day procedures ensure all data has been transmitted to the processing site (in-house or service bureau) and that means exist to assure the processor can establish that all input is received and received only once.

  • Determine that checks which have been scanned are secured in a manner that will preclude their renegotiation.

  • Determine that procedures exist to rapidly recognize and act on any report of duplicate presentation of any checks.

  • Determine that appropriate credit analysis has been made on remote deposit capture customers to assure their ability to cover any losses resulting from their own actions or the actions of their employees.

  • Determine that the bank has a formal process for training (and where necessary, retraining) of remote deposit capture customers.


MICR line



The MICR line is divided by field codes that indicate where these fields start and end. They are composed of vertical bars and blocks. In the case of checks and deposit slips, virtually all of these fields are pre-encoded when the checks/deposit slips are printed. A transaction code is encoded in advance on deposit slips so the scanning related software will recognize them as credits. That transaction code is passed through to the deposit systems so these credits will be properly posted. The amount will be captured when the paper transaction is captured in the scanning process.

Inevitably, some items will fail to read magnetically. Poor quality ink on the items, items that are misaligned and thus do not track across the read head properly, and piggybacks (one item stuck to the back of another) are the most common causes. These items will result in differences in the deposit. In that case the unseen items will have to be re-scanned independently and the software will allow the moving of the new image into the proper deposit set.


Study Question 35

The primary accounting purpose of the scanning procedure is to:

A. archive pictures or images of transaction debits and credits for research.
B. assure the accuracy of each transaction set.
C. prepare cash letters for check collection.

Image Statements

Although image statements are not exactly a function of the scanning process, the images that are used in the image statement process are the ones captured in the initial scanning process and incoming cash letters with electronic images.

One of the major advances in banking that was introduced in the early 1990s and adopted first in small banks was the image statement. In the past, the paid checks were included in the deposit statement mailed to the customer. Image statements presented pictures of the paid checks, and usually the deposits slips, posted in the statement period on letter-sized paper, the same size as the accounting portion of the statement.

These statements are printed on laser printers for mailing to the customer or are held in the online banking system for customer download. In some banks, the statements are sent by password-protected email or, most commonly, they are available to be downloaded from the bank's web site.

To implement this system, the images of the items are required. Those images are captured at the time of input to the scanning process. The images of on-us items are passed to the deposit systems for use in the image statement system. These items are then available to the statement-producing system as statements are created in the coming.


Efficiency and Control Improved Through Technology

Technology improves both efficiency and control.

Efficiency

  • Many more transactions can be processed much faster and by fewer people.

  • Statements are prepared electronically and, if mailed, fewer pieces of paper are mailed at a lower paper cost.

  • Image statements can be accessed and downloaded from secured web sites, which could not be done with paper statements.

  • Statement and transaction information can be stored on the customer's computer (in PDF format) and instantly recalled, much faster than digging through paper files or older recording methods like microfilm.

Control

  • The pictures of the items are stored in electronic form on servers that allows for immediate recall that will not deteriorate like paper or microfilm. Archives (very old items) are sometimes stored on magnetic tape or DVDs.

  • The data (including the pictures) can be sorted in any number of ways to see transactions, patterns of transactions, and associated debits and credits.

  • Most importantly, the statement that is created in PDF format and accessible by download from the bank's website cannot be altered in any way to cover improper activity. All account statements will be created and available; none can be withheld.

Study Question 36

Which of the following interprets only the written amount on a check?

A. CAR
B. LAR
C. MICR
D. OCR

Float Time and Implications for a Bank's Investment Activities

Float is the time between the date a check is deposited at the payee's (depositor's) bank and the date it is paid at the drawee bank (where it is payable).

Note

An example of float time is when someone writes a check that exceeds the balance in their checking account, confident that a deposit made the following day will cover the amount of the check.

Float time is extremely short in today's world of high-speed check processing. The time from deposit to receipt of any return check has decreased to about 48 hours. Float has been reduced to almost zero because checks received in deposit today (day 1) are presented at the paying (drawee) bank tomorrow (day 2). Therefore the paying bank's due-from account will be charged as of day 2, and the depository bank's due-from account will be credited on that same day.

Example

If someone who lives in Florida deposits in his/her local bank a check drawn on a bank in Washington State, it would likely be charged to the drawer's account on day 2 and rarely day 3. Local area checks will always be paid on the day after deposit (day 2). From the 2020s forward, all checks are reaching the drawee bank the next day and returns are no later than day 3.

A bank gives depositors credit for deposited checks on a schedule set by the Fed under Regulation CC.

When a check is deposited, the bank may post the deposit to the customer's account, but it has the right to hold the funds until it receives credit from the Fed. If the customer's bank lets them use the funds sooner, it is making a noninterest loan, in effect, because it has not received credit for the funds. Currently, there is little to no justification for holding funds beyond the time a deposited check would be returned and processed – roughly 4 days max.

When funds become collected and available at the upstream correspondent, the bank can earn income on funds in several ways. It can:

  • leave the funds on deposit in an upstream correspondent bank to pay for services furnished (e.g., check collection, data processing, wire transfers), or

  • invest the collected funds by selling Fed Funds overnight.

The bank must collect checks promptly if it is to earn interest on the balances obtained from deposited funds. This is particularly true if the deposit is made to an interest-bearing account such as a money market account or a certificate of deposit. If the bank begins paying interest before it can earn interest on the funds, it loses money. This is also true if the check is payment on a loan and the accrual of interest stops.

Note

The slower the bank's collection routing, the longer its float and the lower the earning power of its funds will be. The loss of earnings for one day on each $1 million of cash letters when Fed Funds are 5% is about $137. Under the provisions of Check 21 clearing methods, the depository bank does not make choices about the routing. The clearing system automatically directs each item for the fastest collection.

Federal regulations (Regulation CC) limit the time a bank can wait before it must start paying interest on deposits. The bank must collect checks before it starts paying interest to avoid a negative float position.

Check 21 reduced the time required to collect checks and, in turn, shortened float time. Aggregate float time declines as checks are cleared electronically instead of the former physical presentation to the drawee's bank. Check 21 has reduced collection time to an average of one day and, in rare cases, two days. When a bank is dealing in cash letters that are 1% to 2% of total assets (depending on the day of the week), a reduction in float (uninvested funds) has a significant effect on income.

A bank can also experience internal float, which must be kept to a minimum.

For example, if it receives credit for interest paid on securities held in safekeeping by a correspondent and does not record it promptly, it will not know that funds are available for investment. If it does not promptly enter a loan payment check into the collection process, it may lose the full earning potential of the funds for a short time.

By careful management of the float, the bank can maximize its investment activities.


Study Question 37

The time between the date a check is deposited and the date it is paid is referred to as:

A. float.
B. kite time.
C. lag.
D. the grace period.

Study Question 38

Gordon State Bank had a loan outstanding to Wayne for $100,000. Wayne gave Gordon State a check on an out-of-state bank to pay off the loan on Friday, January 15, 202X. The bank returned the note to Wayne on January 15, 202X, marked paid. Gordon State Bank sent the check in a cash letter to Gotham National Bank. The funds would be available to Gordon State to invest on Monday, January 18, 202X. The bank has suffered an opportunity loss because of:

A. float.
B. internal float.
C. negative float.

Chapter 6. Bank Operations (Continued)

This chapter builds an understanding of bank operations, including the concepts of electronic payment systems exploring payment modes and transaction processing. It covers the operating methods, settlement methods and measures for confirmation of accurate handling. In addition, it defines the audit considerations and reviews audit objectives and internal controls and procedures.

It again emphasizes that this is the greatest volume of transactions and the greatest dollar movement in the bank every day. However, it takes place in a rigidly structured, automated system both inside and outside the bank.



We have previously discussed the conversion of paper checks into electronic transactions. Now we move to transactions that were originated as electronic transactions. They are the rising tide of electronic payments that have no physical form from beginning to end. The form of electronic payments is not a single type and neither is the channel of clearing a single one.

This section will examine the several types of electronic payments and the methods used to move them through the transfer of value from one party to another. Individual payments that reach the bank for charge or credit to the customer's account will be in the form of an ACH (Automated Clearing House) transaction. How the ACH transaction gets from its point of origin to the transaction process at the bank will depend on the nature of the transaction.

The electronic payments system is now the overwhelming method of value exchange in the world economy. The transactions are ‘invisible’; that is, they have no physical form. This means that the auditor – whether in the bank audit or in the audit of any other entity – cannot handle transactions for inspection and confirmation. The volumes are too great and the time frame available for any testing of individual transactions is highly constrained. Therefore, audit techniques must be largely based on gaining an understanding of operating systems and the controls built into them.

A further consideration is the auditor's grasp of terminology used in electronic transaction processing. Throughout this chapter you will find a large array of terminology in the context of descriptions of operating methods. Give close attention to both system descriptions and terminology so you will be able to communicate to the bank personnel you will deal with.

There is one common characteristic that can be attributed to all forms of electronic payments. Once entered into the payment system these are among the most secure transactions from origination to payment and the risks are lower than was ever present in the former paper check clearing world. How they are originated and how they get into the payments systems is where the major risks exist.

Note

Fraud in the form of stolen credit cards, and counterfeited credit card and debit card data, is beyond the scope of this course. It is beyond the ability of the bank to prevent this type of fraud in its origination; however, the bank must react to such fraudulent charges rapidly when they are reported. This reaction is a compliance issue and not included in the scope of an opinion audit. That said, the bank MUST have a well-defined and robust system for collecting reports of discrepancies from customers and procedures for investigating and settling such reports.

The level of risk is a function of the highly structured transaction standards and the rigid requirements of regulatory organizations such as NACHA, the National Automated Clearing House Association (discussed further below), Visa and MasterCard and the dictates of Regulation E (the Electronic Funds Transfer Act).


ACH Payments

ACH (Automated Clearing House) was the earliest of the purely electronic transactions. It has formed the basis for most of the ultimate charges and credits to customer accounts outside of electronic checks. Therefore, the handling of ACH transactions is the same regardless of the source of origin.

The operations of the ACH system are closely regulated by NACHA, the National Association of Automated Clearing Houses. The standards set down by NACHA are supported by enhancements to the Uniform Commercial Code. NACHA and its state units require a rigorous audit conducted under a program dictated by NACHA. This material is an important information resource for the auditor conducting the independent audit. The report from this audit is a valuable resource in risk assessment. The growth of ACH transactions makes this a significant area of risk if the appropriate controls are not maintained. The report on this audit is an important information source for the opinion auditor's assessment of risk.

Note

The plural on “Houses” in the National Association of Automated Clearing Houses speaks to the fact that each state has its own clearing house association, though some state level organizations have merged to multi-state organizations.

Key Term

ODFI: Originating Depository Financial Institution. The bank (FI) where an ACH transaction is created and sent for clearing. Example: your employer's bank where your paycheck begins its journey to your account.

RDFI: Receiving Depository Financial Institution. The bank (FI) where the ACH transaction will ultimately be posted to a deposit account. Example: the bank where you have your deposit account and receive your payroll credit.


Incoming ACH transactions

A bank receiving ACH transactions is known as an RDFI (Receiving Depository Financial Institution). There are important operating regulations and procedures built around this designation by NACHA.

For example, on a given day the incoming ACH file (referred to as a letter, harkening back to the ‘cash letters’ of the days of physical checks) containing credits may include Social Security direct deposits (origin: US Treasury); paychecks for individuals (origin: ADP, other payroll service providers and sometimes individual employers); trade payments from purchasers to suppliers; and so on. These credits will all be handled with a common mechanism in the bank's software, regardless of the point of origin. The key controller is the value date or effective date. (This activity is described in detail below as the warehouse.)

In most cases, by regulation, the ACH credits must be in the hands of the bank on the business day prior to the date on which they will be credited to the depositor's account, which is the night before the date they are due.

Example

The easiest example is an employee's paycheck.

By regulation the deposit must be available to the employee upon the opening of the bank. The logic is parallel to the former paper paycheck and is the basis for this rule. If the employer handed the employee a physical check, that employee could go to the bank immediately and deposit to his or her account. With an ACH credit, unlike a paper paycheck, there will be no issue of a hold pending the collection of paper check. The ACH credit is actually posted to the employee's account on the night before his or her payday, so it will be available on the morning of his or her payday. The effective or value date will be the date on which the ‘value’ is available in the account. All ACH credits will have an effective date even if the transaction is to be credited immediately upon receipt. It is standard practice that credits like payroll deposits will be delivered to the RDFI about two days before the effective date and held pending the arrival of the effective date.


Incoming transactions (debits and credits) are placed in an electronic holding file called a “warehouse.” Here is an illustration of Warehouse Operations. The transactions in the warehouse are scanned, and all transactions with an effective date equal to or earlier than the next processing date are withdrawn from the warehouse and placed in the current night's transactions to be posted. Those with future dates beyond tomorrow remain in the warehouse until their effective date.

The Fed maintains records of the effective date of the transactions sent to the bank. The gross settlement transaction for the ACH letters is based on the effective date, not the date of delivery.

The same is true on the other side. The credit or debit to the ODFI for the origination of transactions is not settled until the effective date.


Example



Bill's paycheck is to be credited to his account to be available on the morning of the 15th. The credit must be posted to his account on the night of the 14th to achieve that timing. The depositor bank (Bill's bank) will be credited on the 15th and the bank that originated the ACH credit (Bill's employer's bank) will be charged on that date.

His employer's bank has a credit risk associated with this timing issue. The ACH credits are dispatched to the destination banks 2 to 3 days in advance and are not subject to recall. If Bill's employer does not have the funds on deposit to cover the total of ACH credits sent, the originating bank (Bill's employer's bank) is on the hook for any shortage until the funds are supplied by his employer. The bank cannot charge the account of Bill's employer until the effective date. This is why Bill's employer's bank makes a credit risk assessment on his employer as an ACH originator to assure that the originator will be able to cover all credits originated no later than the effective date. This credit assessment is similar to making a loan decision. Think of this as a loan where the ODFI is taking on the credit risk if the originating party (e.g., Bill's employer) cannot cover the charge on the effective date.
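The warehouse release rule and the timing of Bill's paycheck described above, sketched as an added example (not code from any bank's processing system). The entry fields, trace identifiers, amounts and dates are constructed, and the next processing date is assumed to be the next Monday-to-Friday business day with no holiday calendar.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class AchEntry:
    trace: str        # constructed identifier
    kind: str         # "credit" or "debit" to the customer's account
    amount: Decimal
    effective: date   # value date carried by the entry
    received: date    # date the ACH letter was delivered to the RDFI


def next_processing_date(night):
    """Next business day after `night` (Mon-Fri only; holidays ignored, an assumption)."""
    d = night + timedelta(days=1)
    while d.weekday() >= 5:       # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


class Warehouse:
    """Holding file for incoming entries until their effective date arrives."""

    def __init__(self):
        self._held = []

    def receive(self, entries):
        self._held.extend(entries)

    def release_for_night(self, night):
        """Withdraw entries whose effective date is on or before the next processing date."""
        cutoff = next_processing_date(night)
        due = [e for e in self._held if e.effective <= cutoff]
        self._held = [e for e in self._held if e.effective > cutoff]
        return due

    def held(self):
        return list(self._held)


def settlement_by_effective_date(entries):
    """Settlement total per effective date as seen by the RDFI
    (incoming credits positive, debits negative); delivery date plays no part."""
    totals = {}
    for e in entries:
        signed = e.amount if e.kind == "credit" else -e.amount
        totals[e.effective] = totals.get(e.effective, Decimal("0")) + signed
    return dict(sorted(totals.items()))


def constructed_week():
    """Constructed entries: a paycheck due Friday the 15th, a trade credit dated
    30 days forward, a debit due the following Monday, and a same-day credit."""
    wed, thu, fri = date(2024, 3, 13), date(2024, 3, 14), date(2024, 3, 15)
    entries = [
        AchEntry("PAY-BILL", "credit", Decimal("1850.00"), fri, wed),
        AchEntry("TRADE-30", "credit", Decimal("4200.00"), date(2024, 4, 12), wed),
        AchEntry("SAME-DAY", "credit", Decimal("310.00"), wed, wed),
        AchEntry("INS-PREM", "debit", Decimal("96.40"), date(2024, 3, 18), thu),
    ]
    wh = Warehouse()
    released = {}
    for night in (wed, thu, fri):
        wh.receive([e for e in entries if e.received == night])
        released[night.isoformat()] = [e.trace for e in wh.release_for_night(night)]
    return released, [e.trace for e in wh.held()], settlement_by_effective_date(entries)


if __name__ == "__main__":
    released, held, settlement = constructed_week()
    for night, traces in released.items():
        print(night, "posted tonight:", traces)
    print("still in warehouse:", held)
    for day, total in settlement.items():
        print("settles", day, total)
```

The paycheck delivered on the 13th is posted on the night of the 14th and settles on the 15th, while the debit due Monday is withdrawn on Friday night because Monday is the next processing date.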


Trade credits settled by ACH



Trade credits are often settled by ACH transactions. The purchaser might make an ACH remittance to suppliers in the form of an ACH credit. These transactions are credited upon receipt, that is, the effective date is equal to date of receipt. However, the agreement between the supplier and the purchaser may provide for payment within 30 days of receipt of goods. In this case the purchaser may find it more convenient to send the payment as soon as the invoice is received but to place an effective date on the credit equal to 30 days forward. This relieves the accounting department of the purchaser from the headache of keeping files of bills to be paid by date.

In other cases, the agreement between the parties may provide that the supplier will originate a debit against the purchaser's account. In that case, the ACH transaction will be a debit to the purchaser's account but all of the same logic will apply with the exception that a holding period credit risk does not apply because this is a debit origination and not a credit that will settle at a future time.

Incoming ACH Transactions is a diagram of the process.


Study Question 39

Incoming ACH transactions are first placed in which of the following until the effective or value date?

A. Warehouse
B. Suspense Account
C. Unprocessed Transactions account
D. Work In Process Account

Outgoing ACH Transactions

Banks may also have outgoing ACH transactions. The operation of ODFI activities is highlighted in the NACHA audit report and should be studied by the bank's independent auditor as part of the audit planning process. Unlike RDFI activities, which are highly automated and less subject to risk in the receiving bank, ODFI involves much more human interaction with higher risk potential. This human interaction occurs before the transactions are created and enter the automated handling process.

These transactions can be instigated in three general forms:

(1) those credits created by the bank for its own purposes (i.e., payments of interest on certificates of deposit where the account receiving the payment is in another bank),

(2) those debits for loan payments where the borrower has directed that his/her account in another bank is to be charged for the payment. These transactions may be created by software in the bank's core processing applications (CDs and loans in the cases above), and

(3) ACH transactions created by the bank's customers and entered into the ACH clearing system by the ODFI. These can be debits or credits.

Internally created transactions

There are also instances of transactions created for the bank's own account such as credits to vendors created by the bank's accounts payable system where payments are dispatched to vendors according to pre-established conditions with the vendor. Other manually-created outgoing transactions might be created on a case-by-case basis and these will be found in the bank's accounts payable system.

Example: customers order blank checks through the online banking system. That order goes directly to the printer, who prints the checks, mails the checks to the customer and sends a file of debit transactions to the bank to credit individual customer accounts. The bank orders its own checks from that printer and the printer sends the debit to the bank's accounts payable account. The accounting department at the bank will scrutinize the charge and debit expense and credit payable to clear the transaction. In some cases, the bank will supply the printer with a routing directly to the expense account instead of accounts payable. The ACH transactions from the various sources are consolidated each day into one or more ACH letters.

Key Term

The term “ACH letter” comes from the old relation to the movement of paper checks – the cash letter concept; they are balanced batches of transactions.

In this case the ACH letters often contain a mix of debit and credit entries so a net total condition exists. Some banks will elect to send ACH letters for debit entries and separate ACH letters for credit entries. The “letter(s)” or transaction batches are dispatched to the Fed where the clearing channel for ACH transactions is long established.

There are a variety of customer-created ACH transactions. Examples:

  • files of payroll deposits to employees;

  • files of insurance premium charges;

  • files of remittances from a marketing firm to the suppliers of products; etc.

They must be created in a form that meets NACHA rules. The bank must have performed a risk assessment before allowing a customer to create and enter transactions into the ACH clearing pipeline. Once a customer is allowed to participate in this system, the risk of error (often irretrievable error) or fraud is always present. Because of the immediacy of settlement of transactions entered, it is very difficult to reverse transactions. They must be handled on a case-by-case claim basis outside the automated processing. This differs from electronic clearing, which is structured on the sure knowledge that there will be returns.

Therefore, there should be a risk analysis file on each customer-originator. There should be established procedures for immediate actions and reporting of complaints about such transactions.


Effective dating

The issue of effective dating applies similarly to outgoing transactions as it does with incoming transactions. The transactions may be effective on the date dispatched or at some future date.

For example, the CD interest payments may be sent early on the same principle as a paycheck, so the funds will be available to the CD owner on the date the interest is due. Some banks will wait to dispatch the interest payment until the due date of the interest, so they can have the use of the funds for one additional day.

Conversely, the loan payment debit may be dispatched in advance of the due date so the bank can receive available funds on the date the payment is due, or the payment may be dispatched on the due date and the bank loses availability for one day.

When the bank is dispatching payroll deposits on behalf of commercial customers who are paying their employees by direct deposit, the credit transactions must be sent in advance. The settlement entries will be on the effective date of the payroll due date.

When the bank is dispatching other credit entries for customers such as the customer's payments to trade creditors and suppliers the bank usually requires that the customer fund the transaction when the transactions are dispatched. When customer debit entries are being dispatched a potential for credit loss is not present.

Since the issue of deferral and effective dates exists, the timing of availability dates at the correspondent bank where the settlement for the ‘letters’ will be made is the same as the issue on the incoming side. The incoming and outgoing will not be mixed on the correspondent side, however.


Outgoing ACH transactions diagram

Refer to Outgoing ACH Transactions for a visual representation on the flow of outgoing ACH transactions.

The outgoing bank, the ODFI, has two options for handling the accounting for deferred availability. One approach is to post the net total of each ACH letter to the due from account on the date the letter is dispatched. This approach results in the posting on the correspondent side coming in multiple days based on the effective date (availability date). Sometimes this is spread over as much as three days. The practice is relatively easy to manage in small institutions that generate a small number of outgoing transactions, particularly where the transactions occur only periodically instead of every day. The due from account reconciliation will show minor reconciliation items for the delay but they will resolve within three days.

Example

An ACH outgoing letter totaling $300,000 contains $200,000 in payroll deposit credits that will be effective in 3 days from the date of dispatch and credited to the due from account. There are $60,000 in credits for CD interest payments that will be available on the second day, and there are $40,000 in payments to vendors that are available on the date of dispatch. The correspondent bank will debit the ODFI $40,000 on day one, leaving an open reconcilement amount of $260,000. On the next day, the correspondent will debit for $60,000, leaving an open reconcilement amount of $200,000. On the third day, the correspondent will charge the ODFI for the $200,000 that is effective on that date and the reconciliation will be cleared.

The approach discussed on the previous page works for a bank with only a few pending warehouse transactions.

However, tracking the deferral and matching them to specific ACH letters is more complicated if the ODFI is sending future items every day. When the transactions for deferrals are posted by the correspondent, all values effective on that date are included together. Each transaction is not identified according to the ACH letters where they originated. Therefore, a bank with overlapping availabilities will use a more complex tool for managing deferral charges and credits.

An alternative is the reverse of the warehouse described in the incoming transactions discussion. The transactions are posted to the outgoing warehouse. Each day the software scans the items in that warehouse and creates the transactions for the ODFI's books. The bank will have specialized software or will use a service bureau to handle this issue.

For example, the transactions for the bank's payments to suppliers effective on the date of creation/dispatch are used to create a debit to the designated expense account and add the amount to an accumulating credit to the due from correspondent account.

On that same day, the ACH items that were dispatched on the previous day but have one day in the future are created on the original day with debits to the appropriate application (general ledger, loans, deposits, CDs, etc.) and the total offset is added to the accumulating entry to the due from account. The same applies for other deferrals.

At the end of the process, the internal entries are handed over to the applicable internal accounting applications and the net total in the accumulation register is sent to the general ledger for posting to the due from account. This matches the posting to the correspondent bank's due to account and eliminates reconciliation items.
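The two accounting approaches can be compared on the $300,000 letter from the example above. The following Python sketch is an added illustration, not part of the course material or of any bank's software; the class and function names, the calendar dates and the second letter "B" are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class OutgoingItem:
    letter: str        # ACH letter the item was dispatched in
    dispatched: date   # date the letter went out
    effective: date    # availability date at the correspondent
    amount: Decimal    # credit entry sent; the correspondent debits the ODFI for it
    application: str   # internal application that carries the offsetting debit


def _sum_by(items, key):
    totals = defaultdict(Decimal)
    for item in items:
        totals[key(item)] += item.amount
    return dict(totals)


def correspondent_postings(items):
    """The correspondent posts one combined amount per effective date, not per letter."""
    return _sum_by(items, lambda i: i.effective)


def post_at_dispatch(items):
    """First approach: the total of each letter hits due-from on the dispatch date."""
    return _sum_by(items, lambda i: i.dispatched)


def post_from_warehouse(items, business_days):
    """Second approach: hold items in the outgoing warehouse and release, each day,
    only those whose effective date has arrived."""
    due_from, internal = {}, {}
    for day in business_days:
        due = [i for i in items if i.effective == day]
        if due:
            internal[day] = _sum_by(due, lambda i: i.application)     # internal entries
            due_from[day] = sum((i.amount for i in due), Decimal(0))  # accumulation register
    return due_from, internal


def open_reconciling_amounts(odfi, correspondent, business_days):
    """Running difference between the ODFI's due-from postings and the
    correspondent's postings at the close of each day."""
    running, result = Decimal(0), {}
    for day in business_days:
        running += odfi.get(day, Decimal(0)) - correspondent.get(day, Decimal(0))
        result[day] = running
    return result


# Constructed data: the letter from the example, plus a hypothetical second
# letter dispatched the next day to show overlapping availabilities.
D1 = date(2024, 1, 8)
DAYS = [D1 + timedelta(days=n) for n in range(3)]
LETTER_A = [
    OutgoingItem("A", D1, DAYS[2], Decimal("200000"), "payroll"),
    OutgoingItem("A", D1, DAYS[1], Decimal("60000"), "cd_interest"),
    OutgoingItem("A", D1, DAYS[0], Decimal("40000"), "vendor_payments"),
]
LETTER_B = [
    OutgoingItem("B", DAYS[1], DAYS[1], Decimal("50000"), "vendor_payments"),
    OutgoingItem("B", DAYS[1], DAYS[2], Decimal("100000"), "payroll"),
]

if __name__ == "__main__":
    items = LETTER_A + LETTER_B
    corr = correspondent_postings(items)
    print("dispatch-date posting:", open_reconciling_amounts(post_at_dispatch(items), corr, DAYS))
    warehouse, _ = post_from_warehouse(items, DAYS)
    print("warehouse posting:    ", open_reconciling_amounts(warehouse, corr, DAYS))
```

With both letters in play, the dispatch-date approach leaves an open amount each day that mixes the two letters, while the warehouse approach leaves none.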


NACHA-required audit program

NACHA has a required audit program that the bank is to have executed by qualified individuals each year. This audit program is comprehensive and covers the ACH activities throughout the bank in transaction recordkeeping, accounting, originations and returns. This audit is not part of the opinion audit. However, the opinion auditor should consider determining that the audit has been conducted and reviewing the summary report for any material weaknesses in controls. The audit program is very rigid and its ability to focus on results/weaknesses is efficiently structured. This operational (e.g., non-financial) audit directly concerns a significant amount of the dollars that are the subject of the internal controls over financial reporting.


Credit Cards

Credit cards first appeared in the 1960's as a non-cash payment method at the point of sale or service. The verification of available credit was ascertained by a telephone call. Each charge was a multi-part transaction ticket. One copy went to the cardholder, one copy to the merchant and the third (card stock) copy referred to as a draft was cleared to the bank that issued the credit card and carried the receivable. This process like paper checks took a long time. The Electronic Draft Capture (EDC) system appeared in the 1980's. Operating over telephone lines, a merchant was able to confirm the availability of credit and the card data was forwarded over the phone line. In the late 1990's, the communication channel was changed to the internet and the ‘swipe’ card was introduced.

Note

Visa, MasterCard and several banks agreed to settle antitrust charges which stem from a dispute over the “swipe fee” which can be 2% to 5% of each transaction charged to merchants. Under the terms of the settlement, Visa, MasterCard and the banks would pay out $6 billion in penalties and reduce the swipe fee. In addition, merchants would be allowed to levy a surcharge on customers who use credit cards. (The reduction in swipe fee percentages (percentage of total ticket) has had a notable effect on bank revenue.)

When a credit card transaction is processed, several things happen in automatic operations (see Credit Card Transaction).

The system compares the amount of available credit with the transaction. It issues an approval or declines the transaction.

If the transaction is approved, a conditional hold is placed on the funds; if the transaction is not finalized by the merchant within 24 hours the conditional hold is released. (If the hold is placed by a hotel or rental car company, there is a facility for setting a longer hold period.)

When the merchant finalizes the transactions, it drops the conditional and makes the hold permanent, awaiting the delivery of the charge from the network. The network advises the merchant of the confirmation of the transaction. The network then adds the debit (ultimately an increase in receivables transactions for the card issuer) and increases the credit flowing to the merchant's bank via that bank's correspondent bank (ultimately an increase in deposits in the merchant's bank.)

For the benefit of the merchant's bank, there will be a credit on the correspondent bank's due to account for the merchant's bank. It will be the sum of all credit card credit received that day.

An ACH cash letter (credit) will be received at the merchant's bank containing credit for each merchant. The ACH credit will be a total amount; not individual credits for each credit card charge taken by the merchant. As the bank processes the ACH credits from the warehouse, a debit to that bank's due from account will be constructed and directed to the general ledger posting application.


Debit Cards

Evolution of debit cards

Debit cards originally appeared in the 1970's as “ATM cards” and were used solely to access automated teller machines (ATMs) owned and operated by the bank that issued the cards.

A depositor could check the balance in his or her deposit account or withdraw funds from the deposit account by using the card issued by the bank.

In time, ATMs advanced allowing deposits at the machine at the bank. Later, funds could be withdrawn from an account at one bank when using an ATM at another bank (under certain conditions). This was accomplished through specialized networks that only handled ATM interchange among banks.

Note

However, a banking customer cannot make deposits at any bank's ATM other than the bank which holds the customer's account.

ATM networks expanded their access to allow Point of Sale (“POS”) terminals in stores, gas pumps and other merchant locations creating a direct parallel to the operations of the credit card networks. The big difference was the fact that the ATM cards (becoming known as debit cards) were issued by the bank where the depositor maintained an account.

Then, came the day when the credit card companies (Visa and MasterCard) entered the scene with debit cards. This opened the means for the use of debit cards issued under the signature of either of these organizations for clearing through their networks. The card companies expanded debit card activity to all of the merchants that were accepting their credit cards. Prior to this debit cards had been accepted at gas stations and some grocery stores and convenience stores.


Branded debit cards


The introduction of branded debit cards under the two primary credit card organizations not only opened debit card transactions to a greater number of retail establishments, it also attracted new merchant groups that had not previously been highly active in the card environment. The debit and credit card as payment media appeared at retail stores, fast food stores, coffee shops and a host of other merchants large and small that were previously marginalized. It also enabled the acceptance horizon to spread outside the United States.

The relationship between the card networks and the previous ATM card networks vis-à-vis the depository bank is different. The card network arranged for the depository bank to issue debit cards with their logo on the card. Therefore, the card would appear as Last National Bank VISA debit card, for example. This card would have all approvals and clearing through the Visa network. There are MasterCard debit cards as well.

The depository bank may collect a monthly fee from the customer for the availability of the card and the card company charges the bank for the ‘franchise.’


Debit card transaction flow

The transaction flow from merchant to network to bank for approvals and transaction accounting is virtually identical to the credit card flow, except that it may be conducted through a network that is separate from those credit card networks. The significant difference is the fact that the approval is against a collected deposit balance at the bank rather than a credit availability balance. The issuers of debit cards are a far greater number of banks under the Visa and MasterCard umbrella than the number of banks that carry credit card portfolios.

Please see Debit Card Transaction.

The collection of transaction amounts from the deposit accounts is by ACH transaction and the credit to the merchant is by ACH credits. This means that far more transactions related to debit card transactions pass through an individual bank than credit card transactions. The number of merchant credits may be the same, since the merchant credits for sales on debit cards and credit cards can be commingled into a single payment to the merchant. However, banks that have no credit card loan portfolio will have many debit card withdrawal transactions on a given day.

The rise in debit card usage has resulted in an almost direct decline in check activity. So many transactions that might have been paid for in the past by check are now paid by debit card. For the customer this means less time spent writing checks for purchase and the cost of check orders. For the paying bank it means less cost in archiving check images, and statement printing – not insignificant costs. For any financial institution in the clearing and settlement process, it means handling of single transactions for ACH letters. The handling of check cash letters involves deferments and other handling that increases operating costs.


Risks and Controls Related to Debit Cards

  • Counterfeiting of cards. Debit cards can be counterfeited by evildoers when data is received at POS locations. Counterfeit cards can be embossed and coded for fraudulent uses. It is not possible to prevent this, but two steps can be taken. (1) The bank's supply of blank cards should be under rigid control so they cannot be internally stolen and sold to outsiders. (2) The bank's deposit system and transaction approval systems should have robust screening features to detect high volume and unusual patterns of transactions at a customer level.

  • Failure to receive or process incoming batch of transactions (ACH Letters). There must be a system to properly receive and catalog incoming ACH letters and integrate them into the input queue. A checklist in the data center is the first control. Detection of a failure is commonly found in an exception condition in the next morning's reconciliation of the due-from account. This risk and control set is the same as the ACH transaction discussion.

  • Failure to properly handle unpaid transactions in deposit processing (a rarity because the funds are held when the transactions are originated). Because the funds are held when a transaction is originated at a POS or ATM site, it is rare to have return items, as NSF and stop payments are not allowed. However, frozen accounts – often arising from fraud alerts – will cause transactions to be ‘non-posted’ and thrown out for inspection and clearance. These are “red flag” transactions and should receive knowledgeable attention early in the day following the overnight deposit processing.

  • Failure to act promptly on customer complaints. Action on customer complaints must be rapid and knowledgeable. This action is critical to minimize ongoing exposure. Complaints should be logged and the logs should be regularly reviewed for patterns.
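The customer-level screening called for in the first control above can be sketched as a sliding-window check on each account. This Python example is added here for illustration and is not the course's or any vendor's screening logic; the thresholds, field names and sample transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class CardTxn:
    account: str
    when: datetime
    amount: Decimal
    terminal_state: str   # where the POS terminal or ATM is located


# Illustrative thresholds (assumptions, to be tuned per institution)
WINDOW = timedelta(hours=1)
MAX_COUNT = 5
MAX_TOTAL = Decimal("1000")


def screen(txns):
    """Return (account, time, reasons) for every transaction that pushes an
    account's one-hour window past a volume, value or location threshold."""
    windows = defaultdict(deque)
    alerts = []
    for txn in sorted(txns, key=lambda t: t.when):
        window = windows[txn.account]
        window.append(txn)
        while txn.when - window[0].when > WINDOW:   # drop activity older than the window
            window.popleft()
        reasons = []
        if len(window) > MAX_COUNT:
            reasons.append("high volume")
        if sum(t.amount for t in window) > MAX_TOTAL:
            reasons.append("high value")
        if len({t.terminal_state for t in window}) > 1:
            reasons.append("multiple locations")
        if reasons:
            alerts.append((txn.account, txn.when, tuple(reasons)))
    return alerts


def _at(hour, minute):
    return datetime(2024, 3, 4, hour, minute)


# Constructed sample: one account with ordinary use, one whose card data is
# used for repeated withdrawals in another state minutes after a local purchase.
SAMPLE_TXNS = [
    CardTxn("ACCT-1001", _at(9, 0), Decimal("45.10"), "OH"),
    CardTxn("ACCT-1001", _at(17, 30), Decimal("23.00"), "OH"),
    CardTxn("ACCT-2002", _at(12, 0), Decimal("30.00"), "OH"),
] + [
    CardTxn("ACCT-2002", _at(12, 20 + 5 * n), Decimal("200.00"), "NV") for n in range(6)
]

if __name__ == "__main__":
    for account, when, reasons in screen(SAMPLE_TXNS):
        print(account, when.isoformat(), ", ".join(reasons))
```

Alerts of this kind feed the red flag review and the complaint log patterns mentioned in the list above.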


Audit Objectives

  • Establish the completeness of transaction input.

  • Establish the accuracy of transaction input.

  • Establish that appropriate procedures exist to reduce or eliminate the misuse of transaction materials.

  • Establish that transactions are recorded on a timely basis to assure that financial statements accurately reflect the financial position of the entity.

Audit Procedures

  • Coordinate with the audit work on the due-from banks reconciliation.

  • Inspect logs of customer complaints and unpaid items. Discuss with management the practices used by the bank to capture and analyze red flag transactions.

  • Determine that unissued debit cards are maintained under rigid control and that any embossing and encoding equipment on the premises is under locked control.


The Automatic Teller Machine (ATM) had its conceptual beginnings in 1939 in a machine that did not dispense cash but performed some basic banking functions. In 1959, the first cash dispensing ATM appeared in a shopping mall in Upper Arlington, Ohio. However, it was 1965 before the concept of the magnetic strip on the back of the ATM card and a Personal Identification Number (PIN) were incorporated into the total ATM concept. This was the single feature that fully launched the ATM as a “disruptive innovation” in banking.

A “sustaining innovation” is an evolution. The ATM was a new approach to major segments of the banking experience compared to the previous purely check based banking system. With the ATM, a depositor could get cash at any time of the day or night without entering the bank including anywhere in the country and in many foreign locations. At the banking customer's own bank's ATM, the customer can inquire as to the balance of his/her own account and transfer funds between his/her accounts in that bank.

In a recent subscribers' survey, The Economist magazine asked, “Are brick and mortar bank branches obsolete?” That question comprehended the ATM, internet banking, check image capture at the commercial and consumer level and other factors in the payments system. The survey found a majority vote for the continuation of branches but the vote against them was surprisingly high.

The ATM technology incorporates many of the key issues in all the other elements of the electronic payments system that is emerging more and more rapidly. They involve personal identification and transaction security as major components of the electronic paradigm.


Physical Structure of an ATM Machine


The automated teller machine is in a highly intrusion-resistant cabinet, akin to a gun vault. Within that vault is the cash chest which is an inner vault. It is equipped with dual control lock system that provides the ability to establish a two person access routine. Some banks do not use the two person rule but opt for assignment of the ATM to a designated teller in the same fashion as an individual teller's cash supply.

The cash cabinet has two containers, each with high volumes of bills. In most cases today there are $20 bills in each container. The machines can be programmed to have different denominations in each container. Originally, ATMs dispensed mixtures of $5's and $10's so a customer could request any amount divisible by $5. Later it was $10's and $20's; now it's all $20's and in the future it may be $20's and $50's.


Replenishment Procedures

The standard practice is to periodically change the current partially used containers for new full containers. The frequency of replenishment with cash is based on the historical data about usage at that machine. Some banks will opt for replenishment at holidays or in advance of coming storms even though it is shorter than the normal cycle. If the ATM is at a branch location, particularly if it is a ‘through the wall’ unit, the change out will be conducted by tellers. If the ATM is a free-standing unit, the bank will likely contract with an armored car service to perform the task using armed personnel.

ATMs are equipped with messaging systems that will notify a designated officer or officers that the machine has exhausted its currency supply or malfunctioned in some other way. The bank will have procedures established for cash replenishment, usually by an armored car service in off hours because bank vaults are on time locks and not available, and for contract service technicians to handle machine breakdowns. ATMs are equipped with alarm devices that activate if someone is trying to break into a machine.

In addition, all ATMs are equipped with video cameras to capture pictures of the individuals making transactions at the machine. The balancing of the cash account involves counting the cash remaining in the removed containers and subtracting that from the count when the container was full. That difference should balance to the cash paid out since the removed containers were installed. The machine has an internal register that will print out a tape showing how much was dispensed from each container and the total dispensed. The cycling of new containers includes resetting the registers to zero.

At the time the containers are being changed out, two other secure tasks are to be accomplished. There is a vault that holds any deposits that have been made at the ATM. Another vault compartment holds any cards that have been captured. These two compartments are customarily cleaned out each day. Obviously, if the cash is scheduled for replenishment only weekly, the bank cannot leave either deposits or captured cards without attention for that long.


Why Are ATM Cards Captured?

In some ATMs, if a card is inserted in the machine and held throughout the transaction, and the wrong PIN is entered 3 times, the card will be subject to being captured on the third incorrect attempt. The term ‘subject’ is used because some machine models take the card fully inside during the transaction and can channel it into a capture vault instead of returning it. In addition, if the card issuer has a report of the card being stolen or counterfeited (hot card), it can be captured when the verification transaction is transmitted.

Some machines, however, use the ‘swipe’ reading approach; the card is pushed into the machine and rapidly withdrawn so it is not located in the machine to be captured. In those cases, a message is sent to the card issuer advising that the card was used with repeated incorrect PIN entries and/or that a HOT CARD was used at an identified location. The message will contain the location of the failed occurrences. Remember that the ATM contains a video camera that can identify the user.

The information on the magnetic strip includes the card number and identification of the card issuer. The PIN verification can take place at the machine as a first step in the transaction. Information is passed back and forth between the ATM, the ATM network and the depository bank as the transaction proceeds.


Counterfeiting of ATM Card Information

When the user enters the PIN into the machine, the degree of visibility of the keyboard is an important issue because data captured off the card along with the PIN number can be counterfeited. The common ATM theft practice is to install a card swipe reader immediately in front of the ATM's reader to capture the card stripe data as the card passes into and out of the slot. These devices are so small that most ATM users will not notice that the slot structure looks a little different. It is rare that these devices will be attached to bank ATMs. The most common location is gas pumps. Very often they will be used at large stations with many pumps, and they will be placed on the pumps furthest from the convenience store entrance and in the darkest location. Locations near interstate highway exits are very popular.

The PIN number is still required to complete the theft. For this, thieves attach a tiny camera (like a web cam) in a location that can view the keyboard. Both of these devices will communicate their data to a flash drive located close by. The thieves will return after a few days (nights) and collect their devices to create counterfeit cards.

More recently, cyber criminals have been hacking into the networks of major retailers and stealing the data necessary to create forged debit cards. Lately, the data for hundreds of millions has been stolen in this fashion. The worst part of this scheme is that the data never should have been stored on the networks of these retailers to begin with. The data on transactions (particularly the PIN numbers) should not be retained after the completion of the approval transaction. The thefts were facilitated by the merchant's retention of data that they should not have stored in the first place. The counterfeits are often sold and used far across the country from the site of the data capture. Las Vegas is a popular site for their use but they may be used locally to buy products instead of getting cash. The products are then sold to monetize the crime.


ATM Control: Inspection

An important control feature at the bank is machine inspection.

The first and regular inspection priority is the exterior of the ATM for devices like those described on the previous screens. In addition, the supplies bin on the front of the ATM (and the one at the night depository) should be checked every day to see that there are envelopes for customers to use when making deposits.

Customers sometimes put deposit materials (deposit slip and check(s)) in the slots without a container. This can lead to the mechanisms being jammed. Or, the customer's papers may be pushed back out after the customer leaves, and be found by others. An external inspection can detect this type of activity.

When the ATM is opened daily, the deposit and card capture containers must be opened and the contents withdrawn; preferably under dual control. However, the machine captures information on the deposits entered and the cards captured that can be used in verification of contents processed. This allows one person to enter the ATM cabinet and remove the contents and another inside the bank to immediately check to see that all were received by checking the log data. This is particularly important when armored car contractors are used.


ATM Control: Encryption

As soon as the data leaves the card strip reader and the keyboard, it is encrypted before it travels anywhere. The encryption takes place in a device that is mated to the back of the keypad. The term mated is used with special meaning. The device known as a Tamper Resistant Security Module (TRSM) lies at the heart of secure communication between the ATM being used and all other connection points; the network, the issuing bank or card issuer if a credit card. The TRSM is attached to the keypad in such a way that no one can introduce a connection between the keypad and the TRSM so that the unencrypted data can be captured.

The TRSM is seeded with a key at the time of its installation (or a new one if a replacement TRSM has to be installed). The encryption seed is installed with an elaborate dual control procedure. Two halves (A & B) of the seed or key are sent from the network provider; large banks with many ATMs have their own units to create the encryption keys. The two halves each consist of two pieces (A1, A2, B1, B2). Each of the four pieces consists of 32 digits that are entered through the keypad.

The individuals who each hold a half (A set and B set) handle them separately, and they will enter their information without the other seeing their entry. The sequence of entry is A1, B1, A2, and B2. At the end of the last portion, the TRSM is triggered and creates a new 128-bit key; this is approaching CIA grade encryption. After entry, the two individuals seal their two pieces in a tamper evident container, and take them to a dual control storage. In practice, this often means that the halves are each in a reinforced envelope that makes any tampering obvious.

The two envelopes are then stored in a dual control area like a safe deposit box set aside for that purpose. If the bank has a number of ATMs, the contents of that box may hold all of the keys which will be labeled; such as North Branch A, North Branch B; West Branch A, West Branch B, and so on. If the ATM has to be completely reset, replaced or a new TRSM installed, the keys will be withdrawn and the process started from the top. Such an event is extremely rare. However, the logic is that the keys should not fall into the hands of anyone who would misuse the information or would install it in a phantom machine.
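The dual control entry sequence described above can be modeled as a small state machine. This Python sketch is an added illustration, not the TRSM's actual firmware or any vendor's procedure: the text does not say how the four pieces are combined, so XOR of equal-length pieces (a common split-knowledge construction) and hexadecimal digits are assumptions, as are all names.

```python
import secrets
import string

ENTRY_ORDER = ("A1", "B1", "A2", "B2")   # entry sequence given in the text
PIECE_DIGITS = 32                        # digits per piece, per the text (assumed hexadecimal)


class KeyEntryError(Exception):
    """Raised when an entry breaks the dual control procedure."""


def xor_bytes(left, right):
    return bytes(a ^ b for a, b in zip(left, right))


class KeyLoadingSession:
    """Accepts the four pieces in order, each from the custodian of its half."""

    def __init__(self, custodian_a, custodian_b):
        if custodian_a == custodian_b:
            raise KeyEntryError("the A and B halves need two different custodians")
        self._holder = {"A": custodian_a, "B": custodian_b}
        self._pieces = []

    def enter(self, piece, custodian, digits):
        done = len(self._pieces)
        if done == len(ENTRY_ORDER) or piece != ENTRY_ORDER[done]:
            raise KeyEntryError(f"unexpected piece {piece!r}")
        if custodian != self._holder[piece[0]]:
            raise KeyEntryError(f"{custodian!r} does not hold the {piece[0]} half")
        if len(digits) != PIECE_DIGITS or set(digits) - set(string.hexdigits):
            raise KeyEntryError(f"{piece} must be {PIECE_DIGITS} hex digits")
        self._pieces.append(bytes.fromhex(digits))

    def finalize(self):
        if len(self._pieces) != len(ENTRY_ORDER):
            raise KeyEntryError("all four pieces must be entered first")
        key = bytes(PIECE_DIGITS // 2)           # 16 zero bytes = 128 bits
        for piece in self._pieces:
            key = xor_bytes(key, piece)          # assumed combination rule
        self._pieces.clear()                     # entered pieces are not kept
        return key


def new_piece():
    """Generate one random 32-hex-digit piece (constructed test material)."""
    return secrets.token_hex(PIECE_DIGITS // 2)


def completing_piece(target_key, *known_pieces):
    """Given three pieces, return the fourth that would yield target_key.
    A value exists for every possible key, which is why one custodian's
    half, or even three of the four pieces, does not narrow down the key."""
    missing = target_key
    for piece in known_pieces:
        missing = xor_bytes(missing, bytes.fromhex(piece))
    return missing.hex()


if __name__ == "__main__":
    session = KeyLoadingSession("custodian-A", "custodian-B")
    for name in ENTRY_ORDER:
        session.enter(name, f"custodian-{name[0]}", new_piece())
    print("key length in bits:", len(session.finalize()) * 8)
```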

When the 128-bit key is created, it is sent to the ATM network's server. The network system recognizes the key and links it to that ATM. Every ATM has its own encryption key. The network immediately sends back a new key, so that the one generated from the entered data is no longer valid. Every hour, the network electronically sends a new key to replace the one in service. The possession of the original key would not enable anyone to calculate the current key being used, so no one could intercept a current encrypted transaction and be able to convert it to ‘in the clear’ information.

When a TRSM is removed from an ATM, it is rendered completely useless immediately, so no current information can be extracted from it. The preferred method of rendering is a large hammer.

These procedures are elaborate for a sound reason. Considering all of the transaction data that flows over the network of ATMs and the point of sale (POS) terminals in retail places of business, the payment system could be seriously compromised if these devices lost their security.

The hackers that have broken into databases to extract credit card or debit card information have not broken into the networks that are passing transaction information. They have attacked databases that merchant organizations have set up to capture customer information for their own data mining use.

Banks are the sponsors of merchants using POS terminals or their own ATM machines. The bank sponsorship is the means by which the merchants monetize their transactions. Therefore, the ATM networks impose on the sponsoring bank the obligation to see that the merchants' devices follow the same device and encryption protocols as those imposed on the banks. This material is summarized graphically in ATM Basics.


The Importance of Information on ATMs and POS Devices


The opinion audit does not, at this time, include a compliance element as found in the third objective of the COSO and ERM internal control models. However, internal auditors and management have a keen interest in these issues. The public accountant has an interest under AS 2605 section on the Consideration of the Internal Audit Function to determine that the breadth of risk and control assessment in the client organization is part of a total plan that encompasses all of the risks that face the entity and considers the proportional impact on that entity.

The risks and controls coverage will be limited to the issues related to the cash accounting and deposit processing in this section on ATMs. This is because it is doubtful that the public accountant will ever have to conduct procedures on ATM and sponsored POS activities of a financial institution involving the encryption and communications issues. However, consideration of the control plan coverage of the institution must include a section on ATM and sponsored POS risks and controls. The lack of coverage on this activity could embody potential for losses. In order to discuss the need for such coverage with the client, the accountant must be familiar with the basics of the activity. The amounts of money passing through these conduits, particularly POS terminals, do reach significant amounts in the aggregate.


Risks and Controls Related to ATMs

  • Inability to assign responsibility for events. Maintaining dual control or restricting access in the same fashion as a teller's cash drawer. Other than dual control of the ATM cash cabinet as well as the vault cash, dual control is seldom seen any more. The old rules about dual control of large item transactions are lost in modern high-volume electronic processing. That said, the system now produces automated reports of high dollar transactions in many circumstances which should be promptly reviewed.

  • Failure to process incoming transaction batch from ATM network. There must be a system to properly receive and catalog incoming ACH letters and integrate them into the input queue. A checklist in the data center is the first control. Detection of a failure is commonly found in an exception condition in the next morning's reconciliation of the due-from account. This risk and control set is the same as the ACH transaction discussion.

  • Loss of deposits or captured cards. Preventive Control: The ATM is opened under dual control and both people should be present throughout the period when the ATM cabinet is open. When deposits and captured cards are removed they must be logged and both people must sign off on the log.

  • Loss of cash. Recorded balancing sheet (parallel to teller's balancing form). Independent periodic count of used canisters upon receipt.


Audit Objectives

  • Establish the completeness of transaction input.

  • Establish the accuracy of transaction input.

  • Establish that appropriate procedures exist to reduce or eliminate the misuse of transaction materials.

  • Establish that transactions are recorded on a timely basis to assure that financial statements accurately reflect the financial position of the entity.

Audit Procedures

  • Observe the removing of deposit transactions and deposits and logging of same; remember that logs at scanning locations are logs of who scanned which batches of work, then internal/electronic logs of transactions are automatically created within the scanning software.

  • Determine that a balancing routine is followed for cash withdrawal activities.

  • Determine balancing routines are carried out to control account (general ledger or general ledger sub account).

  • Confirm with the accountant handling due-from procedures that there are no exception items related to ATM transactions.

  • Determine that independent counts of the ATM cash are carried out periodically. (Requires surprise count of used canisters as they are returned from the ATM when new canisters are installed. Deduct cash in canister from full canister amount and match to total withdrawals logged by machine.)

  • Coordinate with the audit work on due-from banks to identify any exception items in the reconciliation that are related to ATM incoming or outgoing transactions.


Audit Considerations in the Item (Transaction) Processing Function

The item processing function is the nerve center of transaction processing in the bank. Most of the entries that occur in the bank clear through it either directly or in control total entries. This function should be viewed in its broadest possible perspective. It includes the capture and processing of physical documents (checks, deposit slips, etc.) and the processing of electronic entries (ACH, EFT, debit cards, credit cards, etc.).

Because of the importance of this function, the auditor should:

  • begin the audit with a detailed, final audit plan,

  • prepare thoroughly, and

  • not impede processing.


Item Processing Function

Begin the audit with a detailed, final audit plan

The auditor in charge should prepare a detailed, approved audit plan prior to beginning work, because once the auditor is on-site in the department or departments, time to learn the function or to finalize a rough audit plan is limited. The procedures must be ready to be put into action when the auditor enters the department.

Prepare thoroughly

The auditor should thoroughly understand the function before the audit begins. The senior auditor may recommend a discussion with the relevant department managers before the testing date to ensure that you understand the exact methods used in the bank you are auditing. The auditor should review the prior year's audit workpapers in this area. If there are narratives or flowcharts, they should be studied carefully. Also, the auditor should establish working coordination with the auditor handling due from banks. However, the auditor should be aware that technology is advancing so rapidly that the system description may be out of date.

Do not impede processing

The auditor must perform the audit without interrupting the bank's processing. It is critical to bank operations that items be processed on schedule.

The auditor cannot stop the bank's processing to prove transactions or verify totals. In the world of electronic processing, there is little to be gained by trying to stop processing to verify totals. Everything is being captured to computer files that can be verified in the future.

Observation of operations

The auditor should observe the operations in advance of the audit date. Principal points of concern for the auditor are:

  • The capture of items in the teller area, whether back counter or frontline (teller window, real time) mode;

  • Whether the balancing of deposits and proof of batches is handled at the branch office or whether there is a central processing function where this work is carried out;

  • The process of capturing totals from teller/branch capture of over-the-counter work into work-in-process accounts and to the due-from account;

  • The process of capturing and balancing customer remote deposit transactions;

  • The process of capturing incoming cash letter files (check image letters, ACH, ATM or other batches) and the procedures used to convey the totals into warehouse and work-in-process accounts or other general ledger recording with the offsetting entries to the due-from account;

  • The probability that the previous two items may be highly automated and little human intervention is required; and

  • The reconciliation of the due-from bank account(s) because that will be the verification of entries for all incoming cash letters and the outgoing files for off-us checks sent for collection, outgoing ACH cash letters, and ATM transactions for withdrawals by other than our bank customers.

  • The processing of transactions is balanced at the end of the business day before committing the final work to system processing. Stated simply, be sure that all input is balanced before telling the processing system to go.


Confirmations

A traditional audit procedure has been to send confirmation forms to correspondent banks for all of these items and due from bank balances.

The audit organization will have to dictate this procedure. However, the facts are that this is as outmoded as sending paper checks for collection.

The auditor should use the facilities available at the bank to look into the correspondent banks' account records and confirm the entries on their books over the next two to three days until all amounts have been posted to their books.

Similarly, the auditor should look at the charges for cash letters and any adjusting entries on the client's books on the audit date. This technique will provide immediate answers (as opposed to weeks if the correspondent answers at all).

It is equally independent because the audit information is coming from the correspondent's data files. The client's connectivity facility (which is provided and controlled by the correspondent) does not compromise that independence just because it is viewed on the client's computer terminal. The information the auditor sees on the screen can be printed out for audit records.

Inherent risks to the item processing function include the following:


  • Lost documents

  • Delayed identification and disposal of differences or reconciling items

  • Misappropriated cash items

  • Customer deposits or loan payments misappropriated by substitution of documents

  • Losses concealed by the use of suspense accounts

  • Losses concealed by the use of lapping

  • Check collection delayed by items being sent to the wrong location


Lost documents

Because of the volume of items being handled and their multiple destinations, some documents are lost either temporarily or permanently. Because of the change to electronic documents, the occurrence of lost documents has almost ended. Banks take various steps to mitigate this risk:

  • Trace numbers are assigned to items as they go through the item processing operation. (Examine the back of one of your canceled checks for the number associated with each bank's endorsement.)

  • Trace numbers are created within the computer system when items are input at the point of capture.

  • All items are imaged to ensure that if a document is lost, a picture of its front and back can be processed; this is integral to the capture process and it is required to proceed with processing.

Caution

These risks exist almost solely before the scanning process. Once the images of the items have been captured and the transactions balanced, changing any part of the transaction becomes very difficult. In addition, the ‘loss’ of an item becomes almost impossible.

The fact that a system is designed to trace missing items also means that errors and fraud can be traced back through the system and identified.


Delayed identification and disposal of differences or reconciling items

Coordination with the audit of the due from banks account discloses such problems because they show up as reconciling items on the bank statement reconcilement. As a control, the bank should have procedures for immediately identifying and recording adjusting entries if they are received from banks to which cash letters have been sent. Differences in the balancing of internal totals should be immediately booked.



Misappropriated cash items

In some banks, the scanning or input takes place all day; often it starts relatively early and continues until shortly after closing time when the bank practices all day banking.

Note

All day banking means that every transaction made up to closing time will be processed in that day's work; no work will be held over for processing the next day. The easiest way to determine the bank's practice is to look for signs around the tellers' windows saying, “Deposits received after NN o'clock will be processed on the next business day” or words to that effect. Such a cutoff is an antiquated practice, and most banks have adopted the modern practice of all day banking.

Misappropriation of cash items means checks already entered can be extracted from scanned groupings at any point in the process, matched with a credit, and re-introduced into the process as new transactions. Effective software in the scanning process will check for and identify duplicated items.

Example

A clerk can take a check already scanned and pair it with a deposit to her own checking account. The computer software should be able to recognize the check as having been processed before. There is always a concern that an item which is retained after scanning could be extracted and taken to another bank for negotiation. This possibility exists in the customer remote capture service/product, and it is more likely there than internally at the bank. Inside the bank, the employees are more aware of the controls that will catch them. Employees, business owners and consumers using their smart phones may think they can sneak an item through by depositing it at another bank and not get caught.

Within the bank, immediate action must be taken when a depositor reports that the same checks have been paid twice on their account. Both presentations should be returned with the explanation of duplicate presentment.
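The duplicate-item check that the scanning software is expected to perform can be sketched as follows. This is an added example, not part of the course material or of any bank's software; the field names, channel labels and sample items are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CapturedItem:
    trace_no: str       # trace number assigned at the point of capture
    routing: str        # drawee bank routing number read from the MICR line
    drawn_on: str       # account number the check is drawn on
    serial: str         # check serial number
    amount_cents: int   # amount recorded at capture
    deposit_to: str     # account credited by the deposit
    capture_date: str   # ISO date of capture
    channel: str        # "branch" or "remote" (labels assumed for this sketch)


def check_identity(item):
    """Key that identifies the physical check, wherever it was deposited.

    Leading zeros are stripped because capture devices may pad MICR fields
    differently (an assumption of this sketch).
    """
    return (item.routing, item.drawn_on.lstrip("0"),
            item.serial.lstrip("0"), item.amount_cents)


def find_duplicates(history, batch):
    """Compare a new batch with items already captured and still on file.

    Returns one finding per batch item whose check was captured before,
    either on an earlier day or earlier in the same batch.
    """
    seen = defaultdict(list)
    for item in history:
        seen[check_identity(item)].append(item)

    findings = []
    for item in batch:
        earlier = seen[check_identity(item)]
        if earlier:
            same_account = all(e.deposit_to == item.deposit_to for e in earlier)
            findings.append({
                "trace_no": item.trace_no,
                "first_seen": earlier[0].trace_no,
                "kind": ("re-scan to same account" if same_account
                         else "re-deposit to different account"),
                "channels": sorted({e.channel for e in earlier} | {item.channel}),
            })
        earlier.append(item)  # later items in this batch are compared too
    return findings


# Constructed sample data: routing numbers and accounts are placeholders.
HISTORY = [
    CapturedItem("T0001", "900000001", "000445566", "1042", 125000,
                 "700123", "2024-03-04", "branch"),
    CapturedItem("T0002", "900000001", "000778899", "0310", 48050,
                 "700555", "2024-03-04", "remote"),
]
BATCH = [
    # Same check as T0001, now paired with a deposit to another account.
    CapturedItem("T0101", "900000001", "445566", "1042", 125000,
                 "700999", "2024-03-05", "branch"),
    # Next check in the same book: not a duplicate.
    CapturedItem("T0102", "900000001", "445566", "1043", 125000,
                 "700123", "2024-03-05", "branch"),
    # Same check as T0002 captured again for the same depositor.
    CapturedItem("T0103", "900000001", "778899", "310", 48050,
                 "700555", "2024-03-05", "remote"),
    # Same account and serial at a different drawee bank: not a duplicate.
    CapturedItem("T0104", "900000002", "445566", "1042", 125000,
                 "700321", "2024-03-05", "branch"),
]

if __name__ == "__main__":
    for finding in find_duplicates(HISTORY, BATCH):
        print(finding)
```

A check negotiated at another bank never enters this bank's capture history, so that case surfaces only through the duplicate-presentment report described above.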


Customer deposits or loan payments misappropriated by substitution of documents

Example

A clerk can withdraw a customer deposit or loan payment before scanning and substitute a deposit to his own account for an equal amount. All processing will be in balance, but the customer will not receive credit for the deposit or loan payment. This must happen between the time the transaction is received and the time it is scanned. The window of opportunity is very small but it can happen.

Alternatively, the checks that are scanned each day are bundled up and put in short-term storage. From 60 to 120 days later (the time depends on bank policy) they are destroyed by shredding into small pieces. During this holding period, someone could take one or more of those checks and deposit them in an account the thief has access to. That account could be in that bank or elsewhere. Most banks maintain a security system that would catch a check being scanned a second time. If a stolen check is taken to another bank, it would not be caught by the original bank's preventive scan. Consider an employee who has an account at another bank with deposit through a smart phone: the employee could take one or more checks and deposit them through the phone without taking them out of the bank.

To ensure proper control, the physical pieces of paper (debits and credits) should be subject to very close control during the scanning cycle. To uncover the scheme, customer complaints and difference reports must be received and investigated by individuals who are not involved in the handling of item processing items. A depositor's claim of duplicate deposit should be treated very seriously. This complaint would come to the bank from the bank the check is drawn on.


Losses concealed by the use of suspense accounts

When differences regarding cash letters and customer deposits are reported, a bank employee can satisfy the difference report by making an entry to a suspense account without taking further action. This scheme is found less and less in the electronic payment system as contrasted with the old paper-based systems.

Example

Customer A reports that a deposit has not been credited to his checking account. If the perpetrator who has substituted a deposit to his own account for the customer's deposit slip is assigned to research the error, he can credit the customer's account, debit a suspense account, and then report the error as found and corrected.

As a control, all charges and credits to suspense accounts should be approved by supervisors or managers. Suspense accounts should be independently reconciled and outstanding items investigated and monitored daily.
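The three suspense-account controls named above (supervisor approval, independent reconciliation, daily follow-up of outstanding items) can be expressed as a review routine. This is an added example, not part of the course material; the record layout, employee identifiers, sample entries and the one-day aging threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SuspenseEntry:
    entry_id: str
    posted: date
    amount_cents: int            # positive = debit to suspense, negative = credit
    posted_by: str
    approved_by: Optional[str]   # None when nobody signed off
    cleared: Optional[date]      # None while the item is still outstanding


def review_entries(entries, as_of, supervisors, item_processing_staff,
                   max_open_days=1):
    """Return {entry_id: [exceptions]} for entries that break a control.

    max_open_days=1 reflects daily monitoring; the exact threshold is an
    assumption of this sketch.
    """
    exceptions = {}
    for e in entries:
        flags = []
        if e.approved_by is None:
            flags.append("no approval")
        elif e.approved_by == e.posted_by:
            flags.append("self-approved")
        elif e.approved_by not in supervisors:
            flags.append("approver is not a supervisor or manager")
        # Differences should be researched by people who do not handle items.
        if e.posted_by in item_processing_staff:
            flags.append("posted by item-processing staff")
        if e.cleared is None:
            age = (as_of - e.posted).days
            if age > max_open_days:
                flags.append(f"outstanding {age} days")
        if flags:
            exceptions[e.entry_id] = flags
    return exceptions


def reconcile(entries, as_of, gl_balance_cents):
    """General ledger balance minus the total of items open on as_of."""
    open_total = sum(
        e.amount_cents for e in entries
        if e.posted <= as_of and (e.cleared is None or e.cleared > as_of)
    )
    return gl_balance_cents - open_total


# Constructed sample data.
SUPERVISORS = {"sup_m"}
ITEM_PROCESSING = {"clerk_ip1"}
ENTRIES = [
    # Unapproved debit posted by the clerk who handles the items.
    SuspenseEntry("S1", date(2024, 3, 4), 125000, "clerk_ip1", None, None),
    # Properly approved and only one day old.
    SuspenseEntry("S2", date(2024, 3, 7), 3000, "recon_a", "sup_m", None),
    # Cleared, but the poster approved the entry personally.
    SuspenseEntry("S3", date(2024, 3, 5), -48050, "recon_a", "recon_a",
                  date(2024, 3, 6)),
    # Approved by a peer rather than a supervisor, and still open.
    SuspenseEntry("S4", date(2024, 3, 6), 9900, "recon_b", "recon_a", None),
]

if __name__ == "__main__":
    today = date(2024, 3, 8)
    for entry_id, flags in review_entries(
            ENTRIES, today, SUPERVISORS, ITEM_PROCESSING).items():
        print(entry_id, flags)
    print("unreconciled difference:", reconcile(ENTRIES, today, 137900))
```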

Losses concealed by the use of lapping

Losses concealed by the use of lapping involve rolling differences from day to day as discussed in the previous example. Remember that a lapping scheme involves diversion or misappropriation of a debit on day one to support a credit that will benefit the perpetrator. On the following days, the diversion is covered by withdrawing one or more current-day credits and inserting the credit(s) withheld from the previous day. Usually no credit is withheld more than one day or processing cycle.


Study Question 40

In reconciling a due-from bank account as of December 31, 20XX, you find an adjustment for a difference in a cash letter sent to the bank on October 15, 20XX. This is an indication the bank is experiencing a risk described as:

A. concealment of losses by using suspense accounts.
B. failure to identify and dispose of reconciling items on a timely basis.
C. loss of documents.
D. misappropriated cash items.

Study Question 41

The item processing department has a control section that researches reported differences. The differences are recorded in a suspense account while they are being researched. The offsetting transactions are maintained in an unlocked file cabinet overnight. The bank might be exposed to the primary risk of:

A. cash items being misappropriated.
B. failure to identify and dispose of reconciling items on a timely basis.
C. loss of documents.
D. losses being concealed by the use of suspense accounts.

Study Question 42

Which of the following would be an inefficient audit procedure in the item processing function?

A. Unusual holdovers and return items
B. Recording totals of cash letters and confirming them with the bank they are sent to
C. Taking control of cash letters and proving them on an adding machine for correctness of totals
D. Tracing cash letter totals to the due-from bank ledgers

Chapter 7. Deposit Systems and Accounts

This chapter discusses how deposit systems and accounts function. These include demand deposit accounts, time and savings accounts, account openings and disbursements, dormant accounts, closed accounts, uncollected funds, stop payments, and file maintenance. In addition, it discusses risks and mitigating controls for dormant and closed accounts and for uncollected funds.



Deposits are the unique activity of financial institutions that sets them apart from other businesses. The depository function of banking is so important to the economy and society that a quasi-government corporation, the Federal Deposit Insurance Corporation (FDIC), insures deposits against loss to a specified level should a bank fail.

This chapter identifies:

  • types of deposit accounts;

  • operational considerations of deposit accounts; and

  • risks and controls for account openings, disbursements, account closings, stop payments, and file maintenance.

There are two major categories of deposit accounts—demand and time accounts.

Demand deposits are the most active of the bank's deposits. As the name indicates, deposits can be withdrawn at any time or on demand.

The checking account is the best-known demand deposit account, but other funds are also classified as demand deposits, including checks issued by the bank itself (official or cashiers checks) and certain specialized deposit accounts.

For example: a matured, unredeemed certificate of deposit (CD) becomes a demand account at its maturity date because the principal and accrued interest of the CD is available to be withdrawn by the owner and stays in that classification until it is redeemed (cashed in) by the depositor.

A bank usually offers one or more checking account plans. Even though incentives and benefits vary, the account plans function similarly:

  • Funds are deposited by:

    • mail;

    • online transfers from other deposit accounts;

    • electronic deposit facilities through smart phones;

    • ATM;

    • night depository; and

  • The bank collects the checks that are deposited.

  • Funds are withdrawn by writing a check, using an ATM, making electronic payments or transfers through online banking systems or authorizing drafts (ACH) on an account.

  • The bank periodically gives a summary of transactions in a bank statement.

  • Most banks now charge a fee for checking accounts or require a minimum balance instead of a fee.

The second type of demand deposit, official checks, are checks issued by the bank that are payable at the bank. Most are used to pay the bank's own obligations, but some are issued for the benefit of customers. For example, in a real estate transaction the settlement usually requires the buyer to provide a “cashier's check” at the closing unless a wire transfer has been made in advance.

Official checks used solely for bank purposes include:

  • checks for expenses (accounts payable checks),

  • CD interest payments,

  • loan disbursement, and

  • dividends.

Those checks issued solely for customer use (usually for a modest fee) are money orders and cashier's checks.

A unique legal characteristic of bank cashier's checks is that payment CANNOT be stopped on them. Legally, cashier's checks are drawn by the bank and payable at that same bank; thus, the business community and government view them as cash that is safer to handle, regardless of the name on the check.

However, there are arrangements where the issuing bank's check is payable on another bank and payment CAN be stopped on those checks; these are often referred to only as official checks. These can be differentiated from cashier's checks by looking at the drawee bank (the bank where the check will be paid), which usually appears in the lower left corner of the check.

Banks must be particularly careful about the handling of unissued official check stock, particularly cashier's checks, because, if it is stolen and misused, the bank has no defense against a holder even though the check is signed by an individual who is not authorized. The legal defense of “fraud in the making” is almost nonexistent for cashier's checks. Remember that any individual official check can be executed for a large amount and there is no defense for an unauthorized signature, fictitious payee or any absolute defense such as ‘fraud in the making’ or ‘personal’ defense such as fictitious payee.

Official checks, including cashier's checks, are vulnerable to short-term lapping schemes. This is particularly true of checks sold to customers (such as money orders). An important control is the timely recording of issuance, together with accounting for the check numbers to assure prompt recording and identify lost forms (checks).

A third type of demand deposit arises when a CD matures but is not redeemed.

Regulations require the CD be transferred from time deposits to demand deposits after seven days because it has become payable upon the demand of the customer. This requirement does not apply when the customer has made arrangements for automatic rollover and the CD enters a new time/maturity period.

To recap, demand deposits include:

  • Checking accounts – business and personal (non-interest bearing)

  • Negotiable order of withdrawal (NOW) (interest bearing)

  • Official checks and bank money orders (non-interest bearing)

  • Matured CDs (non-interest bearing)

  • Treasury Tax & Loan (special withdrawal and interest conditions)

Note

FUN FACT: The title Cashier dates back to a time when a senior officer of the bank – the Cashier – was the chief financial officer, chief accounting officer and sometimes also the chief operations officer. In a bank the term Cashier is NEVER applied to the teller position.

Now let's examine how demand deposits are recorded on the general ledger. They are often classified on the general ledger by depositor type, in the following order:


  • Due to banks—deposits by other banks

  • Individuals, partners, and corporations

  • Trusts—deposits in the bank's trust department

  • Public funds—deposits of state and local government

  • The U.S. government—particularly deposits of withholding taxes such as Social Security and unemployment taxes [Treasury tax and loan (TT&L) account]. They are amounts that business customers withhold from employees' paychecks and deposit at the bank.


Demand deposits generate income for the bank from the following:

  • Service charges (activity charges):

    • Normal account activity

    • Dormant or inactive accounts afforded special protective procedures

  • Service fees (exchange):

    • Issuance of official checks

  • Penalty charges:

    • Check drawn against insufficient or uncollected funds when it is returned (NSF charge)

    • Check drawn against insufficient or uncollected funds when it is paid (overdraft charge)

Note

Service charges for normal account activity are usually assessed during preparation of periodic statements then posted during a subsidiary posting run within the statement processing. Totals are accumulated by type throughout the run. At the end of the run, the total for each type of charge from the run is used to generate a single entry to each appropriate income account, such as activity charges.

There is usually a journal report of all the individual charges that should total at the bottom. Service charges for dormant or inactive accounts are assessed monthly or quarterly, usually in a special analysis run of the computer system, and are totaled for credit to the income account.

NSF charges, overdraft charges, and service fees are charged at the time of occurrence. The total amount of all charges applied during the posting run is credited to the appropriate income account as a single transaction. All of these revenue entries that are created by the totaling of individual fees are passed electronically to the general ledger through what are referred to as interface entries (the interface of activities between a subsidiary system and the general ledger or between two subsidiary level systems). For example, the entry for accumulated NSF service fees will be a debit to the liability account (demand deposit – checking accounts) and a credit to the income account (NSF Fee Income – checking accounts).

Study Question 43

Demand deposits include all but one of the following. Identify the one that is included in a different classification of deposits.

A. Cashier's checks
B. Checking accounts
C. Money orders
D. Savings accounts

Study Question 44

A check that is drawn by the bank, signed by an authorized official of the bank, and payable on that same bank is known as:

A. a due-from account.
B. a due-to account.
C. a trust deposit.
D. a cashier's check.

Study Question 45

Direct income from demand deposits is derived from service fees. Which of the following is the service fee charged for bounced checks?

A. Activity charges
B. Fees for issuing official checks
C. Interest earnings
D. NSF charges

Study Question 46

Which of the following would change from time deposit to demand deposit because of the passage of time and lack of an expected event?

A. A CD matures but is not redeemed.
B. A checking account has not had activity for one year.
C. A loan disbursement check is issued when a loan is made.
D. An official check is not cashed after 60 days.

The second category of deposit accounts is time and savings deposit accounts.

The following are examples of time and savings accounts:

  • Statement savings

  • Money market deposit accounts (MMDAs), a quasi-time account or restricted demand account

  • CDs

  • Christmas and other club accounts

  • Time deposit open accounts (TDOAs)

Time deposits differ from demand deposits in that the funds generally are on deposit longer and interest is paid on the funds (though interest can be paid on certain demand accounts).

Limitations

Because funds in time and savings accounts are on deposit longer, they are subject to certain withdrawal limitations, such as: (1) Christmas club accounts are only payable a few weeks before Christmas; (2) MMDAs are subject to limitations on the number of withdrawals each month, and (3) CDs have a maturity date and a substantial penalty for early withdrawal.


Interest is paid on all types of time and savings accounts. The rate of interest varies based on:

  • the length of time the funds are on deposit,

  • the likelihood of sudden withdrawal,

  • the cost of servicing the deposited amount, and

  • the amount on deposit.

Interest rates vary in relation to the bank's ability to invest for a known time period.


A CD left in the bank for a year should earn higher rates than an equal amount in a savings account that can be withdrawn at any time.



Interest rates can also vary in relation to the cost of maintaining the account.

The cost of booking, carrying, and paying a CD is the same, regardless of the principal amount. Thus, a CD with a large balance pays a higher rate than one with a small balance. For this reason, banks compete to attract large CDs, thereby driving up interest rates.


Special Characteristics of Time and Savings Deposit Accounts

Statement savings

As the name implies, a statement savings account is one in which a monthly or quarterly statement is used to report activity. Customers have flexibility in making deposits with this account. They can deposit by:

  • mail;

  • online transfers from other deposit accounts;

  • electronic deposit facilities through smart phones;

  • ATM;

  • night depository; and

  • EFTs, which, like payroll deduction deposits, can be made at any time.

The bank can invoke a notice period for withdrawals on statement accounts in the event of a run on the bank.

Statements may also be issued for passbook savings accounts. A passbook account is one of the oldest bank services, almost never used today. When an account is opened, a book is given to the depositor that records deposits, withdrawals, and interest earnings and the passbook becomes the record of the account. It looks like the check register that is given to DDA customers. Most banks issue statements for these accounts.


Negotiable order of withdrawal (NOW) account

Basically, a NOW account is a checking account that pays interest (an expense to the bank). A NOW account:

  • requires a minimum balance (higher than regular checking),

  • pays a low rate of interest,

  • levies service charges for excessive withdrawal activity,

  • pays no interest if the balance falls below specified levels, and

  • provides monthly activity statements.

Money market deposit account (MMDA)

An MMDA is intended to compete with the brokerage houses' money market accounts. Compared to a NOW account, an MMDA:

  • requires a higher minimum balance,

  • permits fewer withdrawals per month (set by regulations), and

  • offers higher interest rates.

Like a NOW account, an MMDA issues monthly statements.


Study Question 47

All the following time deposits allow withdrawals whenever the customer chooses. One of them, however, limits the number of withdrawals the customer can make in a month. Identify that account.

A. A NOW account
B. A passbook savings account
C. A statement savings account
D. An MMDA

Study Question 48

Interest is paid on all types of:

A. demand deposits.
B. official checks.
C. time deposits.
D. TT&L accounts.

Additional time and savings accounts include:

  • CDs,

  • Christmas and other club accounts, and

  • time deposit open accounts (TDOAs).



Certificate of deposit (CD)

In general, a certificate of deposit (CD) requires minimum deposit amounts of $500 to $1,000, but the amount of a single CD can be as high as several million dollars. CDs for $100,000 or more are referred to as jumbo CDs and are often negotiable.

CDs have a stated maturity date ranging from a minimum of seven days to multiyear, but they can be renewed for an additional period at maturity if so stated in the agreement or instrument.

CD interest rates can be fixed for the life of the CD or can vary on a schedule stated on the CD (monthly, quarterly, etc.).

Interest can be paid at maturity or can be paid regularly by check or deposit to the depositor's checking account. Interest not paid out may be compounded.

The bank can negotiate any maturity period of seven days or more and any rate.

When a CD is sold, the depositor receives an agreement stating the terms of the deposit (maturity, interest rate, interest payment method, etc.). The accompanying instrument may be:

  • a certificate that is transferable, or

  • a receipt for the deposit that is not transferable but is assignable on the books of the bank (referred to as a book-entry CD).

If the transferable form is used, the CD must be returned to the bank to be redeemed at maturity.


Christmas and other club accounts

Christmas and other club accounts (vacation club and tax club) are designed to help a depositor save for a given purpose. This account type has largely been withdrawn from the market but a few small banks continue to offer it because of customer demand.

The customer receives a coupon book that contains 50 coupons of a stated amount, each with a weekly date. The customer deposits the amount on the coupon (the coupon works like a deposit slip) and at the end of the period receives a check for the total deposited plus interest. The customer receives only the amount paid in plus interest and may be penalized for failure to complete the club. In some cases no interest is paid because the operating cost does not allow for the bank to earn enough to justify interest payments.

These accounts are vulnerable to lapping and diversion of deposits due to lack of verification with the customer until the end of the club period. No statements are issued during the savings period which is 50 weeks.

Time deposit open account (TDOA)

A time deposit open account (TDOA) is used primarily by governments. This account is like a CD without the paper form. There is a contract between the bank and the depositor for a stated rate of interest and a stated notice period before withdrawal. The depositor may add to or withdraw from the balance. Because the depositor is usually a governmental unit, the deposit is often secured by the pledge of securities in the bank's investment portfolio. Only deposits up to $250,000 are insured by the FDIC. Governmental units require a pledge of securities for those deposits in excess of the insured amounts.


Time Account Characteristics

In general, time accounts are attractive to the bank because the funds are on deposit for a longer period of time than demand deposits. In most cases, these periods are known. This enables the bank to plan for the investment of the funds as well as manage rates and maturities to match the flow of funds into and out of the bank as well as matching investment opportunities.

Each type of time deposit account, however, presents unique characteristics to the management task of matching rates and maturities to the flow of funds into and out of the bank. Though savings can be withdrawn at any time, these funds tend to be rather stable in terms of inflow and outflow as well as low cost.

On the other hand, jumbo CDs (over $100,000) can be very unstable. Often these funds move in and out of the bank quickly as the customer looks for the bank paying the highest rate. Time periods are often very short to provide the depositor with flexibility. This is especially true when the funds are placed by a broker on behalf of a customer (brokered CDs). Such funds are sometimes called hot money because they move around quickly in search of higher rates. Brokers offer these deposit arrangements on internet sites, and the regulators often call them Internet CDs. Regulators consider them to be very volatile money and view them quite unfavorably, even though it is very rare that a depositor redeems before maturity and takes the very substantial penalty.

Compared to CDs, service costs tend to be high for savings club accounts, NOW accounts, and MMDAs due to the high level of transactions processed on them. Therefore, the bank must monitor the cost of such funds to determine the rates they can pay while still earning a profit.


Reserve requirements are lower on time deposits than on demand deposits because the likelihood of immediate withdrawal is significantly lower. Regulation D of the Federal Reserve System requires that all financial institutions maintain a specified proportion of their deposits in cash to meet the withdrawal demands of customers (the concept of primary liquidity reserves). Cash, in this case, means a deposit account maintained at the Fed or another sound bank.


The concept of primary liquidity reserves was developed after the bank holidays of the early 1930s when depositors ran to the banks to withdraw their money only to find that the banks did not have enough cash to meet their immediate demands. The regulation requires that banks have enough money on hand to meet the first surge of such a demand and cool off a run on the bank. This amount, called reserves, can be in the form of vault coin and currency or a due-from balance at the district Federal Reserve Bank.


Generally, the Federal Reserve System regulations require that the bank maintain 3% of time and savings deposits and 12% of demand deposits in reserve. Demand deposits have a higher reserve requirement because there is more exposure to these deposits being withdrawn immediately. Since a stated percentage of each dollar of deposits must be maintained in reserves, the bank cannot invest every cent of every dollar deposited. The bank can place more of each dollar into earning assets when the deposit is in an account with lower reserve requirements (time deposits) than when it is in an account with higher reserve requirements (demand deposits). The bank can, under regulations and under the deposit contracts with the customer, require a period of notice to withdraw savings or to enforce the maturity date on a CD or TDOA. Thus, the immediacy of payout is reduced on time deposits and the reserves can be lower.


Study Question 49

Which of the following time deposits generally pays the highest rate of interest?

A. CDs
B. MMDAs
C. NOW accounts
D. Savings accounts

Study Question 50

A CD that has a principal amount of $100,000 or more is referred to as:

A. a consumer CD.
B. a jumbo CD.
C. a renewable CD.
D. an MMDA.

Major areas of concern regarding control in the deposit account system that apply to all types of accounts include opening, disbursement, and closing of accounts.

Several other areas of concern deal with account servicing functions, such as stop payments and file maintenance.



Opening an Account

All accounts must be opened or created. No transactions (e.g., the opening deposit) can be posted to an account until it has been created in the computer system. This activity generally is handled by appointed employees in the banking lobby, often called customer service representatives (CSRs).

In opening an account, a CSR:

  • obtains proper identification,

  • obtains all needed authorization documents (signature cards, corporate resolution, partnership agreement, etc.),

  • explains applicable rules and regulations to new customers,

  • orders checks and deposit slips for customers, and

  • forwards new account input forms to the data entry department or makes direct input at the CSR's terminal.

You can see that if CSRs wanted to open accounts for the purpose of manipulating funds, they would be in a perfect position to do so. Because they open accounts, CSRs should not handle funds. Conversely, tellers should not open accounts because they handle cash. The separation of these two functions is an important control to prevent the creation of accounts for fraudulent purposes. The CSR opens the account; the initial deposit is handled by the teller.

Thus, the account opening function of the CSR should be restricted to designated individuals and new accounts should be reviewed by an officer. An officer's review has only marginal value since the officer cannot be expected to be personally familiar with everyone who comes into the bank to open an account.

The control system should provide accountability for the action of opening the account. If the open activities are done online by the CSR (as they almost always are), this employee's user identification will be attached to the new account setup transaction in the computer records. It should be stressed to employees that all computerized transactions are recorded with identification of the people who performed them.

Funds are disbursed from all accounts, but the means of disbursement differ for demand and time accounts.

Funds are disbursed from demand accounts by:

  • checks,

  • withdrawals from ATMs, and

  • electronic funds transfer (EFT) paperless entries.

Some savings accounts and MMDAs may allow withdrawals from ATMs and EFT.

In addition, the bank often debits demand accounts for:

  • loan payments;

  • automatic transfers to other deposit accounts;

  • customers' check orders;

  • NSF, overdraft, and other charges; and

  • other general purposes.

The following debits should be supported by the customer's written order:

  1. Blanket authorization for automatic transfers or loan payments.

  2. Discrete authorization for each check order; these are increasingly made through the customer's online banking facility. Thus the password system provides the basis for authorization.

All debits to customer accounts other than checks and EFT debits should be supported by accountability. Paper transactions should be on tickets that have been approved by an authorized officer or supervisor. This includes the charge-back of checks deposited by the customer that have been returned by the bank they are drawn on. Electronic transactions, which are the most common type, should be supported by identification of the user performing the transaction.

Increased use of technology resources is reducing the number of paper transactions. For example, chargebacks of return items are often created on workstations in the bank operations department. The debit transaction to the depositor's account is an electronic debit and the notice to the customer that will accompany the check in the mail is the only paper created. Safe deposit rent payments, loan payments, and charges for the purchase of cashier checks are being created through similar systems that create electronic transactions.

Compared to demand accounts, disbursement from time accounts is limited. Funds are disbursed from these accounts by:

  • teller cash,

  • official bank check,

  • transfer to another deposit account of the customer's, and

  • wire transfer.

NOW accounts and MMDAs allow customers to withdraw funds by checks similar to demand accounts. Funds are disbursed differently from CD accounts than from other time accounts. Let's examine the differences.

Funds disbursed from time accounts other than CDs are usually made by the direct payout of cash at a teller's window. The risk of error in disbursing funds is low because these accounts have fewer transactions than demand accounts and the teller must verify signatures and account balances before paying out cash for withdrawals. While most disbursements take place at the teller's window, a customer may sometimes send a withdrawal order by mail or by collection from another bank (e.g., when the customer moves out of town before closing the account). In such cases, the bank pays the customer by sending an official bank check.

The collection department should follow established procedures in receiving the withdrawal order and remitting the check. Time account disbursements are also made by transfers to the depositor's checking account or by wire transfers. These transactions should require signed instructions or established identification. Increasingly, computer systems provide a facility for directing the point of disbursement at the time the CD is issued to provide an electronic payment.

Example

Jones buys a CD and specifies that the interest is to be credited quarterly to his DDA A/C No. 12345. He directs that the principal is to be credited to his savings A/C No. 98765 when it matures. The disbursements from the CD are made accordingly and no paper entries are ever created; advice notices to the customer will be created.

CD payments are often made by official bank check. Disbursement is made in the name of the CD owner. If the name differs, the bank may have a liability.

Example

If a CD is payable to Mr. and Mrs. John Jones and the funds are credited to an account in the name of John Jones only, Mrs. Jones is deprived of her ownership in the funds.

Example

If a CD is payable registered to John Jones, custodian for Joey Jones, a minor, the bank cannot assume that paying the funds into an account in the name of John Jones is adequate. If John diverts custodian funds and the bank has not disbursed the funds appropriately, the bank may be liable.

The safest way for the bank to handle this payment situation is to use an electronic depositing system if it is available. The customer gives direction for a specific payment point (account) when the account is opened. To change that point, a written order signed by all parties to the CD is required.

To handle nondirect or questionable CD disbursements, it is advisable to issue a cashier's check payable in the same form as the CD. The customer must endorse the check with all required endorsements to negotiate it. The evidence of the customer's action is clearly shown on the check and the bank is free to act on the basis of that representation. If diversion takes place, the bank is not made a party to the action. The bank where the check is deposited is responsible for seeing that the deposit account conforms to the endorsements on the check and that the endorsements conform to the payee designation on the check.


Study Question 51

Certain disbursement transactions are accomplished without the use of paper entries. These transactions are referred to as:

A. cash items.
B. EFT entries.
C. NSF entries.
D. OD entries.

Study Question 52

A checking account is maintained in the name of John and Jane Jones. They are moving to a distant city. John presents a check to a teller to withdraw the balance and have it converted to a cashier's check to take to their new bank. The check is signed only by John because Jane has already gone to the new location. The teller can pay these funds out safely using which of the following methods?

A. Issuing a cashier's check payable to John and Jane Jones
B. Issuing a cashier's check payable to John since he is the only one who signed the check
C. Issuing a cashier's check payable to the new bank
D. Issuing the cashier's check payable only to Jane since she is not present to sign the check

There are risks for dormant accounts, closed accounts and uncollected funds which require directed controls.

Banks consider an account inactive if the customer neither deposits nor withdraws funds. After a specified time (usually six months) these accounts are declared dormant.

When the account is dormant, the signature card is pulled from the active file and kept under dual control. If a check is presented on the account, a common control is for two bank employees to compare the signature on the check to the signature card. Both employees sign off if the signature is determined to be the customer's.


This is a rather outmoded control. In the past, the only copy of the signature card was a physical card for each open account that was maintained in an easily accessed file in the ‘bookkeeping’ department where it could be consulted if needed. When an account went dormant (the computer system reported it and coded it as dormant), the signature card was pulled from the active file and placed in a dual-controlled file. This was to ensure that no one could substitute a card with a signature written by someone who wanted to attack a dormant account.


Today, most signature cards (contracts) are scanned into a computer file and that signature is the one used to verify any check presented against an account. The signatures on checks are seldom verified. (Sorry to burst your bubble, but banks almost universally take the risk of not checking signatures, figuring they have the right to charge back forged checks for a long period of discovery by the depositor.) However, designated individuals who receive notice of a check presented against a dormant account can pull up the electronic image of the signature to verify it. It is extremely difficult – virtually impossible – to substitute an electronic signature card.

Computer programs for deposits should automatically identify dormant accounts based on the lack of activity and list them. Because these accounts are susceptible to misuse by bank employees, most banks prevent access to them by using hold codes. Most computer deposit processing systems automatically place the dormant status hold on such accounts. When a transaction is presented to the account (debit or credit), it is rejected as an unposted item and reported for review. The hold on the account is manually removed and the account returns to active status. The transaction is then processed. Some banks will send a letter to the customer advising that a transaction has been received and the account returned to active status. If the customer does not recognize the transaction, he is asked to contact a designated officer (usually the internal auditor) immediately.
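The hold-code flow described above can be sketched as follows. This is an added example, not code from any bank system or from the course; the account numbers, user IDs, the 183-day threshold and the rule that the reviewer cannot be the person who presented the item are assumptions.

```python
"""Added example: dormant-account hold handling as described above.
Account numbers, user IDs and the 183-day threshold are assumptions."""
from dataclasses import dataclass
from datetime import date

DORMANCY_DAYS = 183  # assumption standing in for "usually six months"


@dataclass
class Account:
    number: str
    balance_cents: int
    last_activity: date
    dormant_hold: bool = False


class DepositSystem:
    def __init__(self, accounts):
        self.accounts = {a.number: a for a in accounts}
        self.unposted = []      # rejected items waiting for review
        self.audit_trail = []   # (user, action, account) for accountability

    def dormancy_scan(self, today):
        """Place the dormant hold on every account with no recent activity."""
        listed = []
        for acct in self.accounts.values():
            idle = (today - acct.last_activity).days
            if not acct.dormant_hold and idle >= DORMANCY_DAYS:
                acct.dormant_hold = True
                listed.append(acct.number)
        return sorted(listed)   # the dormant-account listing for review

    def post(self, number, amount_cents, today, user):
        """Post a debit (<0) or credit (>0); held accounts reject both."""
        acct = self.accounts[number]
        self.audit_trail.append((user, "post", number))
        if acct.dormant_hold:
            self.unposted.append((number, amount_cents, user))
            return "UNPOSTED"
        acct.balance_cents += amount_cents
        acct.last_activity = today
        return "POSTED"

    def release_hold(self, number, reviewer, today):
        """Manually remove the hold, then process the rejected items.

        Assumption added here: the reviewer may not be the user who
        presented any of the rejected items for this account.
        """
        pending = [i for i in self.unposted if i[0] == number]
        if any(user == reviewer for _, _, user in pending):
            raise PermissionError("reviewer presented an item on this account")
        acct = self.accounts[number]
        acct.dormant_hold = False
        self.audit_trail.append((reviewer, "release_hold", number))
        self.unposted = [i for i in self.unposted if i[0] != number]
        return [self.post(number, amt, today, user) for _, amt, user in pending]


def demo():
    """Run the flow on two constructed accounts and return each outcome."""
    today = date(2024, 7, 1)
    system = DepositSystem([
        Account("1001", 50_000, date(2023, 11, 15)),   # idle over six months
        Account("1002", 20_000, date(2024, 6, 20)),    # recently active
    ])
    listed = system.dormancy_scan(today)
    first = system.post("1001", -10_000, today, user="teller7")
    try:
        system.release_hold("1001", reviewer="teller7", today=today)
        self_release = "allowed"
    except PermissionError:
        self_release = "blocked"
    results = system.release_hold("1001", reviewer="auditor1", today=today)
    return listed, first, self_release, results, system.accounts["1001"].balance_cents


if __name__ == "__main__":
    print(demo())
```

The audit trail kept by the class is what a reviewer would use to tie each rejected item and each hold release to a user ID.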

Many states have escheat laws that require the funds in a dormant account be turned over to the state. This requirement is activated when:

  • the account has been inactive for a number of years (usually 5 to 10), and

  • the customer cannot be located.

Periodic audits are performed by escheatment examiners to see that the bank complies with the law. Penalties are assessed against the bank if it cannot prove it has contact with the customer.


Closing accounts is sometimes a formal action, but more often it is not. In the case of CDs, club accounts, and TDOAs, customers withdraw all funds and that formally closes the account.

In the case of savings and checking accounts, the balance is usually drawn to zero. After some period of time the bank recognizes the intent was to close the account. It may notify the customer that the account is closed.

In many cases, customers draw the savings or checking account balance to what they think is zero, but in fact they leave a small balance. This amount is usually consumed by service charges; the service charges may even create a small overdraft. In such cases, the overdraft is cleared by charging the service charge income account where the service charges were credited and crediting the checking account for the amount of the overdraft.

Inactive or dormant accounts should be closed on the computer records by an administrative action, and the signature card should be pulled and placed in locked files.

If physical signature cards are used (rarely today), the computer report of closed accounts is used to pull the cards and put them in a locked file. If a closed account is reopened and physical signature cards are used, two employees must obtain the signature card from the locked file and verify that it matches the signature presented before placing the account in the active file.

Failure to protect physical cards on closed accounts could allow an employee to substitute a new card using her own handwriting for the signature on the account.

Note

Increasingly, signature cards are no longer retained in physical form. They are scanned into a document imaging system. This has strengths and weaknesses. The strength lies in the fact that the signature card cannot easily be withdrawn and a new one with a forged signature substituted, as can occur in a physical file. The weakness is that the image of the card can be deleted and a new card scanned into the system in its place. The strength that offsets the weakness is that the document image storage system usually has the ability to restrict who can delete files. This provides a control point where someone can check to see that when a file is deleted no new document with the same name is inserted. In such cases the reason can be validated independently; for example, a new signer is added to the account. If the imaging system provides archiving (backup) facilities and the computer security system provides limited access for maintenance (adding and deleting records) and tracing of authorized access to the system, the physical cards can be destroyed.
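The control point in this note can be run as a review over the imaging system's audit trail. The following is an added example, not part of the course or of any imaging product; the log format, document names, user IDs and ticket IDs are constructed, and the rule that the approver must differ from the person who made the change is an assumption.

```python
"""Added example: review a document-imaging audit trail for signature-card
replacements (a delete followed by a re-insert under the same name).
The log format, users, tickets and document names are constructed."""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "when user action doc ticket")

# Constructed sample audit trail: timestamp|user|action|document|ticket
SAMPLE_LOG = """\
2024-03-04T09:12:00|jdoe|INSERT|sigcard_A100.tif|FM-1001
2024-03-11T14:02:10|asmith|DELETE|sigcard_A100.tif|FM-1040
2024-03-11T14:05:31|asmith|INSERT|sigcard_A100.tif|FM-1040
2024-03-12T17:48:02|bjones|DELETE|sigcard_B200.tif|
2024-03-12T17:49:55|bjones|INSERT|sigcard_B200.tif|
2024-03-13T10:20:00|tclerk|DELETE|sigcard_C300.tif|FM-1052
"""

# Constructed control data, maintained outside the imaging system.
AUTHORIZED_DELETERS = {"asmith", "bjones"}
APPROVED_TICKETS = {           # ticket -> (reason, approver)
    "FM-1040": ("new signer added", "supervisor1"),
    "FM-1052": ("account closed", "supervisor1"),
}


def parse_log(text):
    """Turn pipe-delimited audit lines into Events ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, action, doc, ticket = line.split("|")
        events.append(Event(datetime.fromisoformat(when), user, action,
                            doc, ticket or None))
    return sorted(events, key=lambda e: e.when)


def review(events, deleters, tickets):
    """Return findings as (kind, document, user) tuples in time order."""
    findings = []
    last_delete = {}   # document -> delete Event awaiting a re-insert
    for ev in events:
        if ev.action == "DELETE":
            if ev.user not in deleters:
                findings.append(("UNAUTHORIZED_DELETE", ev.doc, ev.user))
            last_delete[ev.doc] = ev
        elif ev.action == "INSERT" and ev.doc in last_delete:
            deleted = last_delete.pop(ev.doc)
            approval = tickets.get(deleted.ticket)
            # Validated only if both steps cite the same approved ticket
            # and the approver is neither of the people who made the change.
            validated = (
                approval is not None
                and ev.ticket == deleted.ticket
                and approval[1] not in (deleted.user, ev.user)
            )
            kind = "REPLACEMENT_VALIDATED" if validated else "REPLACEMENT_UNEXPLAINED"
            findings.append((kind, ev.doc, ev.user))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG), AUTHORIZED_DELETERS,
                          APPROVED_TICKETS):
        print(finding)
```

Each REPLACEMENT_UNEXPLAINED and UNAUTHORIZED_DELETE finding is an item to follow up against the archived copy of the original image.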

Caution

Closed accounts present a potential for misuse: funds can be diverted through them because deposit accounts provide a means of conversion.

Example

An employee could make a small deposit to reopen a closed checking account and divert funds through it to create a conduit for fraudulent activity. Then the employee can debit a closed account, credit a checking account she controls, and write a check on the latter account. As an important control for such situations, the bank's internal auditor or a high-level bank manager usually reviews employee checking accounts.


Uncollected funds



Another aspect of deposit system operations that creates potential for risk is uncollected funds.

Funds are considered uncollected during the period between receipt of the deposit and receipt of the credit from the bank on which the deposited check is drawn. Uncollected funds pose a risk to the bank if it pays a check before receiving the credit and the funds subsequently are not collected; that is, the deposited check is returned unpaid. Today's electronic clearing systems have dramatically reduced this risk. However, banks that give immediate credit for all deposits still face a small exposure to this risk.

The bank also considers itself vulnerable during the time it takes to receive a returned item (check). The paying bank must notify the depository bank by wire or phone if a check of $2,500 or more is being returned.

During the period of collection, the depository bank has to be careful to monitor accounts for possible withdrawal of uncollected funds and for check kiting.


Study Question 53

Jones' checking account has had no activity for the last 12 months. In accordance with its policy, the bank places Jones' account in a special, protected classification. This classification is referred to as:

A. dormant accounts.
B. due to banks.
C. public funds.
D. trust deposits.

There are risks and controls for two service functions of deposit accounts—stop payment and file maintenance.

The principal exposure on stop payments is the failure to prevent payment of the check by promptly recording a stop payment order.

If the bank receives a stop payment order from an account owner and fails to stop the payment promptly, the bank cannot recover the amount of the check from the account owner if the check is paid over the stop order.

File maintenance activities in the deposit function present endless opportunities for improper actions by employees.

Example

An employee could:

  • change names and addresses on accounts to misdirect mail or to completely mask a previously closed account,

  • change the account record to pay overdrafts up to a stated amount or to pay all checks automatically, or

  • use file maintenance entries to waive service charges on an account.

As a means of control, a senior supervisor should review and sign off on all file maintenance activities.


Study Question 54

An account can be easily manipulated if the person doing it can conceal the fact from the legitimate depositor. This can be accomplished by the misuse of:

A. fee waivers.
B. file maintenance.
C. kiting.
D. overdrafts.

Chapter 8. Deposit Systems and Accounts (Continued)

This chapter continues our discussion of deposit systems and accounts. Areas of focus will include overdrafts, employee accounts, audit planning considerations, confirmations, deposit-related regulations, and how to prepare financial statement presentations.



It is important to examine audit considerations for the depository functions with a focus on the practical considerations in confirmations as well as reviewing significant regulations affecting deposit accounts.



This chapter identifies:

  • the risks inherent in overdrafts and employee accounts and the controls used to counteract them,

  • audit objectives and procedures for the deposit function,

  • significant laws and regulations affecting deposits, and

  • concepts related to the financial statement presentation of liabilities.


Overdrafts

Overdrafts are a constant problem in all types of deposit accounts. Depositors inadvertently or purposefully withdraw more than they have on deposit, and banks inadvertently or purposefully allow these withdrawals. The bank may also approve accounts of important customers for overdraft believing that the overdraft will be covered immediately.

Because overdrafts can reach large amounts, banks must have procedures for granting and collecting overdrafts.

Overdrafts are loans and as such should be approved by officers authorized to make loans. In some cases, a bank will authorize special ‘lending authority’ to one or more individuals in the deposit operations department for the sole purpose of authorizing overdrafts. This authority may be subject to stated dollar limits on any individual account.

The extent of the bank's credit exposure on the customer should be judged as a whole: that is, the amount of the overdraft plus any loans outstanding plus any open loan commitments. Chronic overdrafts may be an indication that all loan(s) to the customer could be in trouble.

To avoid creating an overdraft, the bank should not hold unpaid items in the cash items or unposted items account. Neither should unpaid items be re-presented or re-run the next day in hope that the funds will be there to cover them. Failure to return unpaid items on a timely basis will result in the loss of the right to charge-back unpaid items.

A bank axiom is, ‘if you don't return it immediately, you better be prepared to eat it.’


Pay regardless or automatic overdraft

Over recent years, a pay regardless or automatic overdraft plan has become a popular product offering for many banks. This is a feature that will automatically pay a check that is in excess of the bank customer's balance.

The posting action occurs at night and the next morning an authorized officer or employee can decide whether the check is to remain paid or the posting will be reversed and the check returned. In the case of minor overdrafts, the checks will remain paid and the bank will assess a charge usually equal to the amount of the return check fee.

The bank will have a limit for the total amount of overdraft that a given deposit can reach under this automatic program. In many banks that amount will be in the range of $250 to $300. That limit is applied per account but it is usually set on a global basis. That is, the program is set so that any account can be overdrawn as much as the limit amount.

This automatic overdraft feature has become popular because many depositors want to avoid the embarrassment of the occasional error in the checkbook that leads to insufficient funds. The depositor also wants to avoid the total cost of a return check, which is equal to the bank's return charge plus a likely return charge at the payee's site.


There has been much controversy surrounding these automatic overdraft programs.

Consumer groups lobbied Congress and provisions were included in the Dodd-Frank Act that limit the amount of fees banks can charge (number of charges on a given day) for automatically paying these checks. There is no limit on the charges for many return checks on a given day.

This raises the incentive for banks to return checks instead of taking the risk of overdrawing the account (lending unsecured money to the depositor). Customers are ambivalent because they would like to avoid the embarrassment of returned checks but they do not want to pay banks to take the risk.

The classical overdraft is an individually made credit decision involving the risk to a given customer. In this case, the bank may designate specific officers or supervisors to make the decision to overdraw accounts. The programmatic overdraft is a universal rule that is subject to override (a decision to not allow the overdraft to notoriously weak customers). Again, specific officers or supervisors will be designated to make such decisions.


Classification of overdrafts on the balance sheet



During the audit of the demand deposit area, the auditor should determine that any overdrafts existing as of the balance sheet date are classified on the balance sheet as loans.

In most banks, the computer systems will automatically make the posting to the overdrafts asset account in the same posting cycle as the posting of paid items, in which case the general ledger correctly reflects the assets and liabilities.

However, if the decision is made the next day to pay a check that was treated as a return during the posting run, that overdraft will not appear until the next business day when the check is paid (posted) and the actual overdraft is created. There is always the possibility that the customer will make a deposit on that second day and no overdraft will occur.

In most cases this is not a significant number in the financial statements. However, the unpaid items on the morning after the as-of date of the financial statements may reveal one or more large unpaid items that could affect the financials. In that case the auditor should determine if any such checks were in fact paid into overdraft that next day. If so, the overdraft is considered to have existed from the time the bank accepted the incoming cash letter or deposit, and thus the overdraft existed at the as-of date.


Overdraft collectability

The auditor should obtain from management an assessment of the collectability of the overdrafts that have not cleared in a timely manner, particularly older items and large amounts. When assessing the credit risks on overdrafts the auditor should be prepared to stratify the existing overdrafts when discussing the recovery likelihood with management. Knowing the programmed overdraft limit, the auditor should question individual balances greater than the program limit (the classical overdrafts). The auditor should then question the collectability of the programmatic overdrafts as a whole. The assertions of management on the programmatic overdrafts can be tested by looking at the recent history of charge-off of overdrafts in this group.

The auditor should be sure to look at the record of charge-off of balances after the deduction of service charges which are reversals of uncollected income, not credit losses. The collectability of classical (individually approved) overdrafts that are significant in amount should be checked back to credit files on these depositors. If large overdrafts have been approved the decision should have been based on prior credit experience with the depositor/borrower.


Example

Remember that the amount of overdrafts must be added to the balance of loans outstanding to match to the lending limits on the customer. That includes both legal lending limits and in-house limits (in-house must be not greater than legal). As you will find in the chapter on loans, the legal limit is measured as a percentage of the bank's capital and any extension of credit in excess of that limit is a violation of law. “Extension of credit” in this definition is the sum of all credit advanced to the debtor through all activities of the bank (loans, overdrafts, credit card limits, letters of credit, unfunded ACH advances, unfunded loan commitments or any other credit facility).

If significant overdrafts appear to be losses and management does not charge them off, they should be included in the assessment of the adequacy of the allowance for loan losses.

Note

Overdraft losses are not charged to the allowance (for loans) account but instead to bad debt expense.


Bank Employee Accounts

Employee accounts are provided as a fringe benefit (no service charges) and employees' pay is usually credited directly to the accounts.

While these accounts represent a convenience to the bank in handling payroll and to the employees as a benefit, they also represent an exposure to the bank.

Banks discourage employees from overdrawing their accounts and usually have stringent disciplinary rules. Thus, when an employee has an insufficient check, he feels pressure to obtain funds to cover the check. This can lead to potential fraud problems.

Example

It is possible for an employee to debit any account in the bank and credit his own account. The account debited can be another deposit account or a general ledger or subsidiary account. Customer deposits or payments can be created with the magnetic ink character recognition (MICR) encoding to credit the employee's account. Electronic entries are also possible – and more likely.

The bank should have a program in place to review employee accounts. Employee accounts should be segregated by account type or number grouping to ensure that reviews are easily made. Access by other employees should also be limited to ensure confidentiality regarding account activity, pay levels, etc.


Study Question 55

One group of accounts incorporates a special risk to the bank because they can be used as a conduit to divert funds. They are:

A. dormant accounts.
B. employee accounts.
C. overdrawn accounts.
D. uncollected funds accounts.

In this subchapter, we will revisit many of the deposit functions as well as operational and control issues by looking at the audit plan. We will describe inherent risks, audit objectives, internal controls, and audit procedures.



Some of the risks inherent to deposit accounts include the following:

  • Misappropriated or lost checks: Checks can be lost before processing (a problem in item capture) or after. Checks can be misappropriated by an employee and reentered with a deposit to an account the employee can access. This results in a double charge to the customer's account, since the computer recognizes each entry in item capture as a new debit. It is wise to question management about the software used in item capture to determine whether duplicate entry is part of the editing process in scanning. This is a powerful control in mitigating this risk. However, do not overlook the potential for a check being taken from the post-scanning files and deposited in another bank. The use of a smart phone based depositing facility at another bank can make this a very likely exposure.

  • Misappropriated deposits: A deposit can be misappropriated (removed) by an employee and one substituted to an account she controls without causing an out-of-balance condition (also see lapping).

  • Lapping of deposits: Lapping of credits can be used to cover the diversion of a deposit or other credit. This is the most common scheme to cover misappropriation of credits.

  • Unauthorized withdrawals: An employee can withdraw funds from an inactive or dormant account. If the customer then makes a withdrawal that requires the stolen funds, the employee can make a deposit to the customer account by misappropriating the deposit of another customer. The misappropriated deposit is covered by a lapping scheme.

  • Unauthorized overdrafts or unauthorized payment against uncollected funds: An employee can approve an overdraft for his own account or someone else's account. It is done by entering an appropriate code (called a transaction code) on the item telling the computer to pay the item regardless of the balance. Technically, payment against uncollected funds is an overdraft.

  • Check kiting by customers or employees singly or in collusion: An employee can kite checks between two or more banks or can instruct a customer on the scheme. The employee can then monitor for any early presentations that would expose the scheme, using unauthorized payment against uncollected funds to cover them. As electronic check clearing has become a reality, kiting has almost disappeared because the clearing time is too fast to hide it.

  • Improperly identified or disposed of reconciling items: Failure to reconcile correctly and on a timely basis and to follow up and clear reconciling items can prevent disclosure of errors and fraud. Problems can be covered by a perpetrator or fail to be uncovered by other workers.

  • Incorrectly prepared or lost source documents for general ledger posting: If the bank uses manually prepared general ledger entries to post the results of subsidiary (application) subsystems to general ledger control accounts, the entries can be incorrectly prepared or lost. This would result in out-of-balance conditions. If the bank uses an interface application on the computer, this condition should not occur. However, an incorrect cross-reference table in the interface application can create the same condition.
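The duplicate-entry edit that the first risk above tells the auditor to ask about can be sketched as follows. This is an added example, not the course's or any vendor's item-capture code; the field layout, the 90-day look-back and the sample items are assumptions constructed for illustration. It keys each captured check on routing number, drawer account and serial number, and flags a repeat capture, noting when the repeat credits a different deposit account.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CapturedItem:
    capture_date: date
    batch: str
    routing: str       # drawee bank routing number read from the MICR line
    drawer_acct: str   # account the check is drawn on
    serial: str        # check serial number, "" when the MICR line has none
    cents: int
    deposit_acct: str  # account credited with the deposit


def find_duplicate_presentments(items, lookback_days=90):
    """Flag a check captured more than once within the look-back window."""
    seen = defaultdict(list)
    findings = []
    for item in sorted(items, key=lambda i: (i.capture_date, i.batch)):
        serial = item.serial.lstrip("0")  # assumed: capture may zero-pad serials
        if not serial:
            continue  # cannot be keyed; see unkeyed_items()
        key = (item.routing, item.drawer_acct, serial)
        for first in seen[key]:
            gap = (item.capture_date - first.capture_date).days
            if gap > lookback_days:
                continue
            flags = []
            if item.deposit_acct != first.deposit_acct:
                flags.append("credited to a different deposit account")
            if item.cents != first.cents:
                flags.append("amount differs from earlier capture")
            findings.append({
                "check": key,
                "first_batch": first.batch,
                "repeat_batch": item.batch,
                "days_apart": gap,
                "flags": flags,
            })
        seen[key].append(item)
    return findings


def unkeyed_items(items):
    """Items without a serial number bypass the edit and need manual review."""
    return [i for i in items if not i.serial.lstrip("0")]


# Constructed sample capture file; the routing number is a placeholder.
CAPTURED = [
    CapturedItem(date(2024, 5, 1), "B001", "000000000", "4001122", "001507", 125_000, "5550001"),
    CapturedItem(date(2024, 5, 1), "B001", "000000000", "4001122", "001508", 8_450, "5550001"),
    CapturedItem(date(2024, 5, 3), "B014", "000000000", "4001122", "1507", 125_000, "7700042"),
    CapturedItem(date(2024, 5, 3), "B014", "000000000", "4009999", "", 30_000, "5550077"),
    CapturedItem(date(2025, 1, 15), "B230", "000000000", "4001122", "1508", 8_450, "5550001"),
]

if __name__ == "__main__":
    for finding in find_duplicate_presentments(CAPTURED):
        print(finding)
```

The edit only sees items captured in-house; a check taken from the post-scanning files and deposited at another bank, the exposure the text also warns about, never appears in this bank's capture file.
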

Objectives for deposits

The audit objectives for deposit accounts reflect the inherent risks and the controls needed to reduce them.

The auditor should determine that:

  1. transactions from internal and external sources are recorded correctly as to account, amount, and period;

  2. withdrawals from controlled deposit accounts such as dormant accounts are properly authorized;

  3. transactions affecting deposits are properly recorded in subsidiary and control accounts;

  4. interest on deposits is properly calculated and recorded in deposit accounts and expense accounts as to account, amount, and period; and

  5. service charges and early withdrawal penalties and other service fee income assessed against deposit accounts are properly calculated and recorded in deposit accounts and expense accounts as to account, amount, and period.


Internal controls for risks associated with deposit operations

The following internal controls address the risks in deposit operations:

  • A daily reconciliation is made of subsidiary records to the general ledger. This is usually an automatic feature of the computer system, but it requires human review of the report to verify that the subsidiary application and the general ledger control account are in fact in balance.

  • Depositor statements are made available on the bank's website regularly, and statement preparation is an automated function of the deposit system. In some special cases, the statements will be printed and mailed to the customer but this is a rapidly diminishing number. Some banks will NOT mail statements under any conditions. This fact should be considered when making audit plans for confirmation procedures.

  • Unposted holdover items, overdrafts (including payments against uncollected funds), and return items are reviewed and approved by an officer or supervisory employee.

  • Physical files (as opposed to electronic) of signature cards, scanned checks, and deposit tickets are properly controlled and safeguarded. Signature cards are usually scanned and the images stored in archive files, which prevents alteration of signatures; scanned checks are destroyed after a reasonable period to prevent reprocessing.

  • Dormant activity is reviewed by an officer or supervisory employee.

  • Pre-numbered official checks are used and the number sequence is accounted for.

  • Adequate separation of incompatible duties exists or is compensated for by rotation of duties under a stated plan.

  • Employee accounts are reviewed for unusual activity.

  • Cost of funds analysis is made monthly and reported to management.

  • Monthly (month-over-month comparisons) analysis of service fee income is made and reported to management.


Examples of audit procedures for deposits

The following are examples of typical audit procedures for deposits:

  • Review reconciliations of subsidiaries to the general ledger and verify the propriety and timely clearing of reconciling entries (including accrued interest payable). Automated reconciliation reports in the bank's core system should reveal that there are no differences. If any differences are shown, they should be immediately and thoroughly investigated.

  • Confirm account balances (discussed in the next subchapter).

  • Review unposted, holdover, return, and suspense items for propriety and verify timely clearing of items.

  • Review overdrafts for collectability.

  • Analytically review interest expense and fee income for reasonableness, compliance with bank policy, and agreement with advertised rates.

  • Recalculate interest paid to verify the correctness of computer calculations and processing.


Study Question 56

The auditor in charge has assigned you the task of obtaining the interest expense on deposits by type and the average outstanding balance of deposits by type for each month in the year. The average cost of funds is to be calculated for each type of deposit. Why would you prepare these schedules?

A. To confirm account balances
B. To assess the reasonableness of interest paid and compliance with policy and advertised rates
C. To verify computer calculations of interest payments
D. To verify the propriety and timeliness of reconciliations between subsidiaries and control accounts

Study Question 57

Sometimes audit objectives and audit procedures become confused. It is important to distinguish between the objectives of the audit and the procedures used to achieve those objectives. Three of the following are audit objectives. Which one is an audit procedure?

A. Interest on deposits is properly calculated and recorded in deposit accounts and expense accounts as to account, amount, and period.
B. Overdrafts are reviewed for collectability.
C. Service charges and early withdrawal penalties and other service fee income assessed against deposit accounts are properly calculated and recorded in deposit accounts and expense accounts as to account, amount, and period.
D. Transactions affecting deposits are properly recorded in subsidiary and control accounts.



This subchapter examines traditional techniques in the audit of deposits—direct confirmation with the customer. The depositor is traditionally considered to be the most reliable independent source for evidence on the correctness of the stated balances for deposit accounts. However, the customer is not always the most reliable source of response to confirmations; that is, they often will not return positive form confirmations. This audit technique is of questionable value but continues to be used by some auditors.

PCAOB Auditing Standard 2310, The Confirmation Process, provides guidance for the circulation of confirmation requests. The auditor may also reference the following PCAOB Auditing Standards for guidance on planning, performing, and evaluating samples: 1101 Audit Risk, 2101 Audit Planning, and 2810 Evaluating Audit Results. As of this writing, PCAOB is studying the process of confirmations as a reliable audit tool.


Confirmations

The Standard concerning confirmation is AS 2310. When planning confirmation of deposit accounts, the auditor should consider the following, which we will review in detail for the next several screens:

  1. Positive versus negative confirmation

  2. Contents of the confirmation letter

  3. Name and address changes

  4. No-mail accounts

  5. Last statement date and balance

  6. Accrued interest

  7. Unexplained differences

  8. Alternative procedures

  9. Year-end procedures

  10. Internal auditor work

  11. Important considerations in the electronic banking environment

Now let's move on to discuss each one of these items in more detail.


Confirmations: Detailed Discussion

Positive versus negative confirmation: Since the auditor is primarily concerned with understatement of the deposit liability, it may be appropriate to use positive confirmations for only a few of the larger accounts and a relatively large number of negative confirmations for a sample of all other accounts, including zero balance accounts and accounts that have closed since the beginning of the period under examination. Negative confirmation requests should not be used unless:

  • tests of controls are performed and the assessed level of inherent and control risk of error is low,

  • there are a large number of small balances, and

  • there is no reason to believe that the recipient would ignore the confirmation request.

Contents of the confirmation letters: All confirmation letters or statements circularized should include the:

  • type of account,

  • account number,

  • account balance as of the end of the period,

  • applicable interest rate,

  • date through which interest has been posted,

  • maturity date of a certificate,

  • date of account closing if applicable, and

  • date of the last statement for demand deposit accounts (DDAs) and negotiable order of withdrawal (NOW) accounts.

Name and address changes: Unauthorized name and address changes can affect the reliability of the confirmation process. The bank's control over name and address changes should be evaluated in determining what procedures, if any, should be used in verifying names and addresses prior to mailing confirmations.

No-mail accounts: This issue has almost disappeared with the introduction of online statement retrieval. However, where a customer wants a statement printed and does NOT want it mailed to the business or home address, the following considerations apply. Many banks allow customers to maintain no-mail accounts for printed statements. Good controls require that the customer's request for no mail be documented and signed by the customer. The bank also should have a binding agreement with the customer limiting its liability. In some cases, the agreement indicates that the bank is authorized to mail an annual statement if the customer does not pick up the annual statement in person and sign for it. The auditor needs to determine how the presence of no-mail accounts and the client's system for controlling those accounts affect the scope of the audit since the bank typically will not permit the auditor to circulate confirmation of these accounts. If amounts are material, the auditor should consider alternative procedures since the inability to confirm may represent a scope limitation.

Last statement date and balance: The last statement date and statement balance should be used for all confirmations of accounts that produce statements. The customer cannot reasonably be expected to reconcile his records to a date between statements when no paid checks and statement enclosures are available. In certain circumstances, the auditor may consider having special cutoff statements rendered, controlling the preparation of the statements for mailing, and matching confirmation information to the cutoff statement balance. In this day of electronic statements that the customer downloads, the use of the special statements method should be restricted to only the most extreme circumstances, such as very material fraud.

Accrued interest: The auditor must be careful about confirming accrued interest amounts the customer may not be able to calculate. Expect exceptions that will require resolution. This is particularly true on accounts like consumer checking accounts (NOW and MMDA) that may calculate interest on an average daily balance basis. Almost nobody can accurately recompute those figures.

Unexplained differences: Many customers do not reconcile their statements when they are available; this means the auditor can expect some confirmations to be returned with unexplained differences. The auditor will have to investigate the differences reported and work with management to determine the steps needed to clear the exception. The bank's internal auditor can help in these investigations. The bank should report the results of the auditor's investigation to the customer and courteously acknowledge customer response to the confirmation.

Alternative procedures: When responses are not received after a second mailing on positive confirmations, alternative procedures should be used. The auditor should examine the signature card, deposit activity, and any paid checks in the image files and verify:

  • the signatures on the paid checks match those on the signature card, and

  • the addresses on the checks match those in the bank's records; the auditor should report address changes to management.

Year-end procedures: If internal controls can be relied on, most confirmation procedures are conducted at interim dates. Year-end procedures are determined by the findings of the interim work. If the interim work has not produced negative results, the year-end procedures include analytical review procedures comparing account balances at the cutoff date with year-end balances. If internal controls cannot be relied on, the auditor may consider reconfirming balances or other alternative substantive procedures as of year-end.

Internal auditor work: In planning confirmations, the auditor should take into account confirmation work done by the bank's internal auditor, which includes:

  • confirmation procedures (usually a higher percentage than confirmations performed by an independent accountant);

  • analysis of fee income and interest expense;

  • tests of interest calculations; and

  • reviews of controls on dormant accounts, file maintenance changes, account opening procedures, overdraft approval and collections, etc.

Important considerations for confirmations in the electronic banking environment

Traditionally, confirmations have included the practice of bundling the confirmation form with the outgoing statement. That statement would include the statement's accounting pages and the paid checks. Very few statements are delivered in physical form anymore. In some banks, there is even a charge if the customer wants the statement delivered by mail. Therefore, the auditor must consider how the confirmation can be tied to the mechanism of downloaded statements.

The auditor should keep in mind that the statement, as posted on the bank's web site, will be assured as being the correct reflection of the account as it exists on the books of the bank. This includes the accuracy of accounting and the checks and debits posted to the account. There is no method of changing that information. The software for archiving transactions and images, plus the software for creating statements and granting access to them is not vulnerable to manipulation. So, consider that the statement on the website is a sound basis for the confirmation.

Next, consider that all statements will be available to the customer on the day after the cutoff. Virtually all businesses will download statements right away, and reconciliation should be completed very promptly. Individual account statements may or may not be downloaded and reconciled promptly, but they will be available by the time a confirmation is received.

The practice of including a negative confirmation notice in the statement is not available anymore, so that is not a valid option. Internal auditors can sometimes arrange to have a negative confirmation message on the bottom of each statement sheet for a cycle of statements or for a month so that it is seen during the download. This does not really prove effective, so it is used only in extreme circumstances like the discovery of a major embezzlement in the deposit operation.

Always keep in mind that focusing confirmation procedures on large balance accounts is shaky logic. If the balance has been drawn down by improper means it will likely fall below the confirmation floor threshold. Thus, it will not be confirmed. If the confirmation process is based only on being able to quote the confirmed total as an impressive percentage of dollars of total liabilities this is a flawed approach.

In general, the internal auditor will have performed all the procedures listed. The independent accountant should perform:

  • sufficient tests to establish reliance on the internal auditor's work,

  • all planned tests that the internal auditor has not performed, and

  • at least limited confirmations in addition to confirmations performed by the internal auditor.

With all of this said about confirmations, the use of confirmations has proved over time to be of questionable value relative to the amount of effort expended. The auditor should be careful to apply effort where it will produce the greatest useable results. See Auditing Standard 2605 The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements.

First, the auditor should remember that the basic objective of confirmation procedures is to uncover understatement of liabilities. The evaluation of the internal controls operating in mitigation of this risk should be conducted before developing any confirmation plan. The procedures used by the bank to maintain independent handling of customer complaints and inquiries are an important factor in identifying any condition that understates liabilities (such as unauthorized withdrawals from deposit accounts, missing deposits, or attacks on dormant or inactive accounts).

The accountant should be careful in structuring a plan that targets high dollar balances to pump up confirmation statistics. Confirmation of high balance, high volume corporate accounts produces little usable information because these accounts are usually reconciled by the depositor quickly upon receipt of the bank statement. Therefore, these depositors will be inquiring about problems without the stimulus of an auditor's confirmation. On the other hand, high balance, low activity accounts are very likely to receive less prompt review by the depositor and thus be more vulnerable. Remember that confirmation selection based on high balances will not include accounts with low balances that should be high. (If somebody steals $50,000 from an account that had a $55,000 true balance, it is not likely that it would be in the high balance selection of $40,000.)

All of the cautions set out above should be carefully considered in developing the confirmation protocols.
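The selection problem described above, worked through with the text's own figures ($55,000 true balance, $50,000 taken, $40,000 floor) as an added example that is not part of the course material. The account layout, the 50% drawdown threshold, the low-activity cutoff and the sample accounts are assumptions constructed for illustration. It contrasts floor-only selection with selection on what the balance was during the period.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    end_balance: int    # ledger balance at the confirmation date, whole dollars
    peak_balance: int   # highest ledger balance during the period under examination
    debit_count: int    # customer debits posted during the period
    closed: bool = False


def select_by_floor(accounts, floor):
    """Traditional selection: every account at or above the dollar floor."""
    return [a.number for a in accounts if a.end_balance >= floor]


def select_by_history(accounts, floor, min_drawdown=0.5, low_activity=3):
    """Select on balance history: accounts that were above the floor and were
    drawn down below it, plus high-balance accounts with little activity."""
    if floor <= 0:
        raise ValueError("floor must be positive")
    picks = {}
    for a in accounts:
        reasons = []
        if a.peak_balance >= floor > a.end_balance:
            drawdown = 1 - a.end_balance / a.peak_balance
            if drawdown >= min_drawdown:
                state = "closed" if a.closed else "open"
                reasons.append(
                    f"{state} account fell below floor after "
                    f"{round(drawdown * 100)}% drawdown"
                )
        if a.end_balance >= floor and a.debit_count <= low_activity:
            reasons.append("high balance, low activity")
        if reasons:
            picks[a.number] = reasons
    return picks


# Constructed sample accounts. 1001 is the case from the text: a $55,000
# balance reduced to $5,000, against a $40,000 selection floor.
FLOOR = 40_000
ACCOUNTS = [
    Account("1001", 5_000, 55_000, 2),
    Account("1002", 900_000, 1_200_000, 410),  # high-volume corporate account
    Account("1003", 75_000, 76_000, 1),        # high balance, rarely used
    Account("1004", 0, 48_000, 1, closed=True),
    Account("1005", 1_200, 2_000, 14),
]

if __name__ == "__main__":
    print("floor only:", select_by_floor(ACCOUNTS, FLOOR))
    for number, reasons in select_by_history(ACCOUNTS, FLOOR).items():
        print(number, reasons)
```
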


Study Question 58

The auditor performs confirmation procedures during the course of the audit. There are also procedures that occur in day-to-day operations of the bank that confirm important transactions. Identify the procedure that has no value for confirmation purposes.

A. A thank-you letter is mailed from the president's office for each new account opened.
B. Statements are created for each account showing activity on the customer's account in the prior month.
C. Survey forms are mailed to customers who close their accounts to express regrets at the close and to ask their impressions of the service given to them.
D. The bank sends notices of service charges and regulation changes or posts them on their website when they occur.

Study Question 59

The negative confirmation form requests the recipient to respond only if he disagrees with the information stated on the request. Which of the following makes it acceptable to use negative confirmations to reduce audit risk to an acceptable level?

A. A small number of large balances are involved.
B. A small number of large balances are involved and the auditor is concerned with overstatement.
C. The auditor is reasonably confident that proper controls exist and that the recipients of the requests will consider the information and report any differences.
D. The combined level of inherent risk and control risk over an account balance is high.

For more comprehensive listings or information on regulations, consult the following:

  • The Comptroller's Handbook for National Bank Examiners

  • The Comptroller's Manual for National Banks

  • The Federal Reserve Examination Manual



Actual Laws and Regulations

The actual laws and regulations include the following:

  • Regulation D (12 CFR 204)—Reserve Requirements: Establishes the reserve requirements banks must maintain on deposits. The Fed can vary the amount of these reserves, but at the end of 2008, they are the amounts shown in the table below. Increases in reserve rates reduce the percentage of each deposit dollar available for lending or investment.

    Category                                      Reserve Requirement
    Net transaction accounts:
      $0 to $10.3 million                         0% of amount
      Over $10.3 million and up to $44.4 million  3% of amount
      Over $44.4 million                          $1,023,000 plus 10% of amount over $44.4 million
    Nonpersonal time deposits                     0%
    Eurocurrency liabilities                      0%

Actual Laws and Regulations (cont'd)

  • Regulation Q (12 CFR 217): Prohibition against the payment of interest on demand deposits.

  • Regulation O (12 CFR 215)—Loans to Executive Officers, Directors, and Principal Shareholders: Specifies the limits of loans to the parties named. Overdrafts must be added to the amount of the loans to determine the total debt.

  • Regulation CC – the Funds Availability Act: Controls how long a bank can hold deposited funds before making them available for withdrawal.

  • 12 CFR 1972(2)—Loans to Executive Officers, Directors, and Principal Shareholders of Correspondent Banks: Covers overdrafts on the deposit accounts of the parties named.

  • 12 USC 376 Section 22—Interest on Deposits of Directors and Officers: Specifies that interest paid to officers and directors cannot exceed the rates paid to other depositors.

  • 12 USC 371c Section 23A—Loans to Affiliates: Covers the limits on loans to affiliated organizations. It also covers overdrafts of the bank's holding company or sister companies in the holding company.

  • 31 CFR 103.51—Currency and Foreign Transaction Reporting Act: Covers the efforts of the Drug Enforcement Agency (DEA), the Justice Department, and the Internal Revenue Service (IRS) to uncover money-laundering activities.


Actual Laws and Regulations (cont'd)

  • 12 USC 501 and 18 USC 1004—Certification of Checks: Makes it illegal to certify a check when the account does not have sufficient funds. Certified checks are not commonly seen today. When a bank certifies a check, it immediately charges the customer's account and stamps the check to show that its payment is guaranteed (certified) by the bank. The check then becomes a bank obligation. Issuing a cashier's check or other bank official check in exchange for an insufficient funds check is also illegal.

  • Uniform Commercial Code, Article 4—Bank Deposits and Collection: Provides the principal rules that govern the bank collection process.

  • Uniform Commercial Code, Article 4a—Funds Transfers: Provides the principal rules governing electronic funds transfers.

  • State escheat laws: Specify when a deposit account is considered abandoned and under what conditions the balance is to be paid to the state.

  • The USA Patriot Act: Requires positive identification of a potential new customer against a government-run danger list before the account can be opened.


This subchapter looks briefly at the financial statement presentation of a bank's deposit liabilities. The bank presents deposit liabilities on its financial statements. See the supplements for First National Bank's Balance Sheet and Income Statement, using the following concepts:

  • Accounts are disclosed at their gross amount (overdrafts are moved to assets under the loan classification).

  • Accounts are displayed in the order of demand for the funds in a manner similar to the display of payables in a commercial balance sheet.

  • Foreign deposits are shown separately.

  • Jumbo CDs ($100,000 and over) are disclosed separately.

  • Interest expense on deposits is reported separately in the interest section of the income statement.

  • Income from service charges is shown in the noninterest income section.

Changes in deposits are shown in the PDF supplement for First National Bank Statement of Cash Flows. They are shown under Cash Flows from Financing Activities. For simplification, the line is shown in the PDF supplement as “Net increase in deposits.”

For disclosure purposes, banks must split the deposits into two lines:

  • Net increase in noninterest-bearing demand, savings, and NOW deposit accounts

  • Net increase in time deposits



The average amounts of the following deposit categories are stated separately in certain reports to the SEC by bank holding companies and to bank regulatory agencies by other banks reporting under SEC requirements:

  • Noninterest-bearing demand deposits in domestic banks

  • Interest-bearing demand deposits

  • Saving deposits in domestic banks

  • Time deposits in domestic banks

  • Deposits in foreign bank offices

Note

These categories are sometimes also used for reporting for financial statement purposes.


Study Question 60

For balance sheet purposes, overdrafts are classified as which of the following?

A. Cash items
B. Demand deposits
C. Loans
D. Time deposits

Study Question 61

Which of the following is a true statement about the financial presentation of accounts related to deposits?

A. Deposit accounts are disclosed net (i.e., overdraft or debit balances are deducted from positive or credit balances) to show the bank's net liability to depositors.
B. Deposit accounts are displayed in order of the size of the liability (i.e., jumbo CDs are shown as the first and largest liability).
C. Foreign deposits are included in other (domestic) deposits.
D. Service fee income on deposits is shown in the noninterest income section of the income statement.

In this chapter, we discussed risks and controls for overdrafts and employee accounts. Then, we reviewed audit planning considerations for deposit accounts. After reviewing significant regulations and laws affecting deposits, we concluded with a brief discussion of financial statement presentation of deposit liabilities.



The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures, whether automated or manual, and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity.

Transactions may be initiated manually or automatically by programmed procedures. Authorization includes the process of approving transactions by the appropriate level of management. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarization, and reconciliation, whether performed by information technology (IT) or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in monitoring and other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports. AU-C §315

As defined in AS 1301, the audit committee is a committee (or equivalent body) established by and among the board of directors of a company for the purpose of overseeing the accounting and financial reporting processes of the company and audits of the financial statements of the company; if no such committee exists with respect to the company, the entire board of directors of the company.

For audits of nonissuers, if no such committee or board of directors (or equivalent body) exists with respect to the company, the person(s) who oversee the accounting and financial reporting processes of the company and audits of the financial statements of the company.

An audit procedure is a specific and specialized step or action that auditors take to meet audit objectives. Audit procedures are performed to achieve the following:

  • Obtain an understanding of the entity and its environment, including internal controls, to assess the risk of material misstatements at the financial statement level and the assertion level. These audit procedures are referred to as risk assessment procedures.

  • Test the operating effectiveness of internal controls over financial reporting when necessary, or when the auditor has determined to do so. These audit procedures are referred to as tests of controls.

  • Detect material misstatements at the relevant assertion level. These audit procedures are referred to as substantive tests.

Audit sampling is the application of an audit procedure to fewer than 100% of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class. Audit sampling may be statistical or nonstatistical and requires professional judgment (AU-C §530).

The design and size of the audit sample impacts the sufficiency and appropriateness of the evidential matter.

Judgmental decisions involved in audit sampling include the following:

  • Population definition

  • Sample method

  • Selection technique

  • Error analysis

  • Sampling risk

Aspects of sampling risk include the following:

  • When performing substantive tests of details:

    • The risk of incorrect acceptance

    • The risk of incorrect rejection

  • When performing tests of controls:

    • Risk of overreliance

    • Risk of underreliance

The sample must be representative of the population (i.e., selected from the entire population in such a way that every element in the population has an equal chance of being selected).

Personal or real property in which a security interest has been given.

FASB ASC Master Glossary

Collateral is the property that a person can give and in which another can take a security interest or property subject to a security interest. Many of the rules regarding collateral depend on the type of property involved. Three categories of collateral include tangible, intangible and documentary.

Classes of collateral are mutually exclusive. A given item cannot be in more than one class at the same time with respect to the same debtor, but the same item can be in different classes to different debtors or at different times to the same debtor. Classification is based on the principal use to which the item is put by the owner or debtor.

A currency transaction report (CTR) is a report, on IRS Form 4789, that banks and thrift institutions are required to submit per the Bank Secrecy Act.

The CTR details currency transactions of $10,000 or more.

Electronic funds transfer (EFT) is an essentially “checkless” system of transferring funds by debiting or crediting accounts electronically.

The EFT Act of 1978 defined an electronic funds transfer as any financial transaction originating from a telephone, electronic terminal, computer, or magnetic tape.

The Federal Deposit Insurance Corporation (FDIC) is a federal insurance agency for banks and savings and loans.

The FDIC manages the Bank Insurance Fund, which insures deposits in commercial banks. The FDIC also manages the Savings Association Insurance Fund, which insures deposits in savings and loan associations. The coverage by both funds is up to $250,000 per depositor through December 31, 2013. On January 1, 2014, the standard insurance amount will return to $100,000 per depositor for all account categories except IRAs and other certain retirement accounts, which will remain at $250,000 per depositor, per insured bank. Certain retirement accounts, such as an Individual Retirement Account, are insured up to $250,000 per depositor, per insured bank.

This insurance coverage with the FDIC is mandatory for all federally chartered banks and savings institutions.

Another function of the FDIC is as a conservator or receiver for troubled banks. In this capacity, the FDIC can repudiate contracts and borrow from the Federal Home Loan Banks.

The FDIC also manages the FSLIC Resolution Fund, which handles insolvent savings and loans. In 1989, under this FDIC function, the Resolution Trust Corporation (RTC) was established as a government-sponsored private organization specifically to manage insolvent institutions that failed between 1989 and August 1992. The RTC was set up with a limited life and it has now been terminated.

The FDIC's board of directors is composed of five members: the chairman of the FDIC, the comptroller of the currency, the director of the Office of Thrift Supervision, and two other members who are appointed by the president with confirmation by the Senate.

Federal funds (Fed Funds) are unsecured advances of immediately available funds from excess balances in reserve accounts held at Federal Reserve Banks.

Federal funds are not borrowings, technically. They are purchases of immediately available funds.

A bank which advances Fed Funds is selling excess reserves. A bank that receives Fed Funds is buying excess reserves.

On the account of the selling bank, Fed Funds are credit transactions; they are debit transactions to the receiving (buying) bank.

Most federal funds are sold on an overnight basis; however, there are some that are negotiated for longer periods—called Term Federal Funds.

The Federal Reserve Board is the government-owned and operated institution that acts as a control on the banking system and money supply. It is the instrument through which the government conducts its monetary policy and is a macroeconomic concept.

The Federal Reserve System is composed of a seven-member board of governors (appointed by the president for 14-year terms) and its advisory councils, 12 Federal Reserve banks, the Federal Open Market Committee, and the member commercial banks.

Functions of the central bank: The central bank serves as a bank for commercial banks and for the government, controls the nation's money supply, and regulates the money markets.

Financial statements are the principal means of communicating financial information to those users external to the entity. They are a formal tabulation of names and amounts of items derived from the accounting records by simplifying, condensing, and aggregating. They are a fundamentally related set of tabulations that articulate with each other and derive from the same underlying data.

The full set of nongovernment financial statements for a period should show the following:

  • Financial position at the end of the period (balance sheet or Statement of Financial Position (SOFP))

  • Earnings (loss) for the period (income statement or Statement of Activities (SOA))

  • Comprehensive income or loss for the period (comprehensive income statement)

  • Cash flows during the period (statement of cash flows)

  • Investments by and distributions to owners during the period (statement of changes in owners' equity and statement of retained earnings)

The term financial statements ordinarily refers to a complete set of financial statements as determined by the requirements of the applicable financial reporting framework but can also refer to a single financial statement. Disclosures comprise explanatory or descriptive information, set out as required, expressly permitted, or otherwise allowed by the applicable financial reporting framework, on the face of a financial statement or in the notes, or incorporated therein by reference. The requirements of the applicable financial reporting framework determine the presentation, structure, and content of the financial statements and what constitutes a complete set of financial statements.

Generally accepted accounting principles (GAAP) are authoritative standards of and guidelines to financial accounting and reporting. GAAP for U.S. public and private companies and non-profit organizations is established by the Financial Accounting Standards Board. GAAP for state and local governmental entities is established by the Governmental Accounting Standards Board (GASB).

The indirect method for statement of cash flows (SCF) is one of the two optional methods of presentation of the statement of cash flows. It presents a reconciliation of net income to net cash provided by operating activities in all major classes of adjustments: accruals of expected future operating cash receipts and payments (receivables and payables), deferrals of past cash receipts and payments (inventory, prepaids, deferred income and expenses), noncash income and expenses (depreciation, amortization, provisions for bad debts), and gains and losses from transactions classified as investing or financing activities (sale of productive assets, sale of debt, liquidating dividend, retirement of debt). (SFAS 95)

The indirect method is allowed by the Financial Accounting Standards Board (FASB) for SCF. (The direct method is preferred by the FASB.) When the indirect method is used, interest and income taxes paid must be separately disclosed.

NSF (insufficient funds or not sufficient funds) is a designation for a bounced check. A check written against insufficient funds (on an account holding less than the amount of the check) will be dishonored and returned by the bank marked “Insufficient Funds” or simply “NSF.”

In most states, deliberately writing checks for an amount exceeding the deposits in a checking account is a crime.

An interest rate swap is a technique for managing interest rate risk, whereby two counterparties contract to exchange interest payments of differing character. The underlying principal amount is never exchanged.

Generally, a bank earns a fee for arranging an interest rate swap for two other institutions or individuals.

There are basically three types of interest rate swaps:

  1. Coupon swaps: exchanges of fixed rate for floating rate instruments in the same currency

  2. Basis swaps: exchanges of floating rate for floating rate instruments in the same currency

  3. Cross-currency interest swaps: exchanges involving fixed-rate instruments in one currency for floating rate in another

Most commonly, a swap contract exchanges long-term, fixed-rate obligations for a short-term, floating-rate instrument in the same currency.

Example

An example of this would be a corporation that has most of its debt in variable short-term instruments and a corporation that has most of its debt in fixed long-term obligations. This might describe a bank and a credit union. Their swap agreement would change the complexion of their respective interest rate risks. They would still be subject to interest rate risk, but less so than without having made the swap.

Kiting is a method of intentionally overstating bank balances to hide a cash shortage or to fraudulently overstate the amount of cash reported on the balance sheet.

Example

An employee might employ kiting to embezzle funds that are recorded as cash receipts but not deposited in the bank. To cover the shortage, he would draw a check from another bank account to deposit in the account with the shortage. This would eliminate the shortage as a reconciling item on the bank reconciliation. Until the check clears the bank, the money can be shown as a deposit at one bank and not show as outstanding at the other.

Kiting can occur under a system of weak internal control, whereby one person both issues checks and records them, or where there is collusion between two or more employees. This scheme can be detected by means of a bank transfer schedule, which lists all bank transfers for a few days before and after the balance sheet date as recorded in cash receipts and cash disbursements journals.

A loan portfolio is a group of loans, classified as to type of borrower (e.g., commercial loans, mortgage loans, and consumer installment loans). A loan portfolio may be managed by a bank's trust department.

The largest asset portfolio in a commercial bank is usually its loan portfolio.

The loan portfolio will include any type of loan or obligation to loan funds as evidenced by loan commitment letters or letters of credit, as well as funds that have already been committed through notes, mortgages, or bonds.

The Municipal Securities Rulemaking Board (MSRB) sets the rules for trading of municipal bonds by broker-dealers and bank dealers. The MSRB also provides arbitration services.

Its rules are approved by the Securities and Exchange Commission (SEC) and enforced by the National Association of Securities Dealers (NASD) and bank regulatory agencies.

The board has 15 members from among securities firms, bank dealers, and the public. Each member has equal representation.

The National Credit Union Administration (NCUA) is an independent federal agency established in 1970 to charter and supervise federal credit unions. The NCUA is governed by a three-member board, appointed by the president for six-year terms.

Its responsibilities are:

  • to examine federal credit unions,

  • to manage the National Share Insurance Fund, which provides deposit insurance for federal credit unions and many state credit unions, and

  • to manage the Central Liquidity Facility, a source of short-term funds for credit unions.

Operating activities are one of the three categories of cash flows in the statement of cash flows. Operating activities are all transactions and other events that are not investing or financing activities. Operating activities generally include transactions that enter into the determination of net income and include production and delivery of goods and services, interest and dividends received, and payment of interest.

SFAS 95

The SEC is a federal government agency charged with the responsibility of writing rules consistent with federal security laws, investigation of violations, maintenance of financial disclosure documentation, and the initiation of action against violators of federal securities acts. The SEC's main office is in Washington, D.C., but it has enforcement and field offices throughout the country.

The SEC is charged with the oversight of the Federal Securities Act of 1933, the Federal Securities Exchange Act of 1934, and the Foreign Corrupt Practices Act. The agency serves to govern the registration, offering, sale, and so forth of stocks, bonds, notes, convertible debentures, warrants, or other financial documents involving investments and purchases.

In addition to writing regulations, the SEC reviews registration statements for compliance with disclosure requirements. The SEC does not determine whether the information provided to investors is accurate or truthful, nor does the SEC determine whether the terms of the offering are fair or reasonable to investors.

The mission of the SEC is to protect the integrity of capital markets through enforcement of financial disclosure laws that apply when a business entity attempts to raise capital by selling ownership to investors. The SEC defines what information prospective investors must receive from offerors and what information the entities must continue to report to their shareholders if the entity has a certain number of owners.

One of the objectives of financial accounting is to provide information that helps financial statement users to assess the amounts, timing, and uncertainty of prospective net cash inflows to the related enterprise (SFAC 1).

Historically, this information was provided by the funds statement required by APB Opinion 19. However, the FASB now requires the preparation of a statement of cash flows. This statement provides a summary of cash inflows and outflows for a period of time.

An entity, including an unincorporated entity such as a partnership or trust, in which another entity, known as its parent, holds a controlling financial interest. (Also, a variable interest entity that is consolidated by a primary beneficiary.)

FASB ASC Master Glossary

A visual display terminal (VDT) or cathode ray tube (CRT) can be used for input and output, usually in conjunction with a keyboard.

An intelligent terminal is a device containing a screen, internal storage devices, and computing capabilities separate from the mainframe computer it is attached to. In general, an intelligent terminal is a personal computer that contains speed program instructions that will allow it to connect with a larger computer.

A smart terminal is the same as an intelligent terminal.

A dumb terminal can only be used for data input or output and has no computing capabilities, as in banking or retailing.

Turnover is the number of times an asset, such as inventory or employees, is replaced within a given period of time, usually a year.

Welcome to Introduction to Bank Auditing and Accounting I. Below is the full list of final exam questions associated with this course. When you launch the final exam for this course, it will contain a randomized subset of the questions below, totaling 55 questions. During the actual final exam, the questions will not appear in the same order as they do below. Note: Each attempt at the final exam will result in a new randomized subset of the questions below. You must earn a score of at least 70.00% in order to pass the exam and receive CPE credit for this course. After you have answered all the questions, select the "Submit Answers" button to receive your score.

Exam Question 1

Bank deposits are insured by which of the following organizations?

A. The Federal Deposit Insurance Corporation
B. The Federal Reserve System
C. The Office of the Comptroller of the Currency
D. The state banking department of the state in which the bank operates

Exam Question 2

A bank's primary source of funds to finance its loan and securities portfolios comes from which of the following?

A. Capital
B. Deposits
C. Goodwill
D. Long-term debt

Exam Question 3

Interest margin is much like cost of goods sold in retail and manufacturing business; in banking, it is the difference between:

A. earnings on assets and earnings on deposits.
B. earnings on investments & loans and the cost of deposits.
C. earnings on loans and earnings on securities.
D. on the cost of deposits and rates paid for capital.

Exam Question 4

Which of the following bank types is controlled by a head office that operates multiple locations in the same or another city, county, or state?

A. A branch bank
B. A federal bank
C. A group bank
D. A unit bank

Exam Question 5

The bank's primary source of revenue is from interest and the larger portion of interest income is from loans. Which of the following organizational components would be responsible for the generation of the major source of bank income?

A. Administration
B. Fiduciary and other services
C. Lending
D. Operations and customer service

Exam Question 6

Certain activities of the bank involve handling transactions and safekeeping of assets owned by customers rather than for the bank's account(s). They do not result in balance sheet transactions. These activities are said to be handled in which of the following components of the bank's structure?

A. Administration
B. Fiduciary and other services
C. Lending
D. Operations and customer service

Exam Question 7

Which of the following is found among the activities of the lending component of the bank?

A. Review of credit risk
B. Maintenance of investments in and advances to and from subsidiaries
C. Management of long-term and other debt issues
D. Management of the off-balance-sheet item interest rate swaps

Exam Question 8

Which committee of the board of directors is often composed entirely of independent (non-management) directors?

A. Audit committee
B. Executive committee
C. Loan committee
D. Trust committee

Exam Question 9

Which of the following committees of the board of directors would work with management in setting strategic directions?

A. Audit committee
B. Executive committee
C. Loan committee
D. Trust committee

Exam Question 10

ABC Bank is a small bank. Which of the following is a major group that would definitely be found at ABC Bank?

A. Board of directors
B. Wealth management division
C. Internal audit department
D. Marketing department

Exam Question 11

A larger bank that supplies services to a smaller bank is referred to as which of the following?

A. A branch bank
B. A correspondent or upstream bank
C. A respondent or downstream bank
D. A drawee bank

Exam Question 12

When checks are unpaid at the bank they are drawn on, they are returned to the bank where they were first deposited in a transaction group known as a:

A. advice of unpaid checks.
B. negative letter.
C. return letters.
D. upstream correspondence.

Exam Question 13

When an upstream correspondent bank holds securities for a downstream bank, the service is referred to as:

A. check clearing.
B. deposits.
C. participations.
D. safekeeping.

Exam Question 14

Overnight, unsecured loans between banks are known as:

A. Collections.
B. Fed Funds.
C. Participations.
D. Safekeeping.

Exam Question 15

When a bank obtains funds by purchasing Fed Funds from another bank, which of the following activities is it?

A. borrowing activity.
B. investment activity.
C. lending activity.
D. trust activity.

Exam Question 16

Reserves are maintained by member banks under regulations of the:

A. bank's board of directors.
B. Federal Deposit Insurance Corporation.
C. Federal Reserve Board.
D. Office of the Comptroller of the Currency.

Exam Question 17

Identify the organization that a national bank is subject to but that does not regulate a state bank.

A. The Federal Deposit Insurance Corporation
B. The Federal Reserve Board
C. The Office of the Comptroller of the Currency
D. The state banking department of its state of domicile

Exam Question 18

Identify the one of the following that the FDIC regulates directly in all banks.

A. Deposit insurance
B. National banks
C. State member banks
D. The money supply

Exam Question 19

The Federal Reserve Bank has limited lending authority. Which of the following is the Fed allowed to do?

A. Buy Fed Funds
B. Make loans to banks
C. Make loans to individuals
D. Sell Fed Funds

Exam Question 20

If a bank is chartered by the Office of the Comptroller of the Currency, it will use which of the following in its name?

A. Federal Association or FA
B. Federal Savings Bank or FSB
C. National or NA
D. State Association or SA

Exam Question 21

All bank holding companies are regulated by the Federal Reserve. In addition, bank holding companies and banks with 500 or more shareholders are subject to the regulation of which of the following?

A. The Federal Deposit Insurance Corporation
B. The Office of the Comptroller of the Currency
C. The Securities and Exchange Commission under the Act of 1934
D. The state banking department of its headquarters' state

Exam Question 22

Banks must report certain transactions under the Bank Secrecy Act and the USA Patriot Act. These transactions may have the characteristics of:

A. bank fraud.
B. income not reported for tax purposes.
C. money laundering.
D. proceeds of auto theft.

Exam Question 23

If a bank is making mortgage loans and selling them in the secondary market, it may be subject to the rules of one of the following, depending on the nature of the loans made. Identify the agency that is a participant of the secondary mortgage market.

A. Fannie Mae
B. FDIC
C. FRB
D. Sallie Mae

Exam Question 24

Banks that sell municipal bonds are regulated in that activity by the rules set by the ______.

A. FDIC
B. FNMA
C. MSRB
D. OCC

Exam Question 25

Which of the following is an activity of the independent accountant and not the regulatory examiner?

A. Compliance with laws and regulations
B. Opining on financial statement presentation
C. Management experience
D. Safety and soundness

Exam Question 26

The regulatory examination groups often have specialists in bank lending and investments and three of the following areas of bank activities. Identify the area in which the independent accountant specializes.

A. Financial presentation and control opinions
B. Consumer compliance
C. Data processing
D. Trust

Exam Question 27

The examiners rate a bank as a result of their examinations. The rating, referred to by the acronym CAMELS, includes the factors of Capital, Asset, Management, Liquidity, Sensitivity, and which of the following?

A. Earnings
B. Electronic data-processing controls
C. Employee competence
D. Expectations of success

Exam Question 28

Due from banks is grouped in a general class of assets with one of the following. The groupings are based on liquidity and lowest risk. Which one would be in that general class of assets where due from banks is found?

A. Cash
B. Federal funds sold
C. Fixed assets
D. Trading securities

Exam Question 29

Which of the following is a liability on a bank's balance sheet?

A. Deposits
B. Federal funds sold
C. Investment securities
D. Loans

Exam Question 30

Jumbo CDs are certificates of deposit in amounts of:

A. $10,000 or more.
B. $100,000 or more.
C. $500,000 or more.
D. $1 million or more.

Exam Question 31

Bank balance sheets show a higher ratio of assets to equity than a commercial entity's balance sheet. This ratio exists because of the leverage created by which of the following?

A. added capital.
B. deposits.
C. junk bonds.
D. long-term capital debt.

Exam Question 32

In a commercial entity's income statement, it is common to see sales reduced by the cost of goods sold to show the gross profit on sales. In a bank, the figure on the income statement that parallels gross profit on sales is:

A. income before taxes.
B. interest expense.
C. interest income.
D. net interest income.

Exam Question 33

Major items of income are shown on the income statement in a form that allows the reader to associate the income item with:

A. the age of the asset that generated the income.
B. the asset that is the source of income and thus its inherent risk.
C. the age of the asset that generated the expense.
D. the useful life of the asset that generated the income.

Exam Question 34

Three of the following items are major items of income or expense in a bank income statement as contrasted with a manufacturing organization. Identify the item that has less significance in a bank's income statement compared to a manufacturer.

A. Bad debt expense to total expense
B. Depreciation expense to total expense
C. Interest expense to total expense
D. Interest income to total income

Exam Question 35

Which of the following statements is true regarding the preparation of a cash flow statement for a bank?

A. Banks are not required to prepare a cash flow statement under ASC 942-230.
B. Banks must present the cash flow statement using the direct method.
C. Cash receipts and payments are classified as operating, investing, and financing.
D. The classifications required by ASC 942-230 are not relevant to a bank.

Exam Question 36

The bank must submit periodic reports of its condition to regulatory agencies. These reports are referred to as:

A. annual reports.
B. balance sheets.
C. call reports.
D. interim statements.

Exam Question 37

Like any other entity, banks have sources and uses of cash. Which of the following is a use of cash in a bank's cash flow pattern?

A. Loan funding
B. New deposits
C. Sales of assets
D. Service fee income

Exam Question 38

The net difference between the rate of return on earning assets and the cost of liabilities to fund those earning assets is referred to as:

A. average maturity.
B. interest rate spread.
C. liquidity.
D. gross profit.

Exam Question 39

Which of the following risks is a primary risk for banks that maintain cash positions in more than one country?

A. Credit risk
B. Foreign currency risk
C. Interest rate risk
D. Liquidity risk

Exam Question 40

The risk that assets cannot be converted to cash as rapidly as depositors demand cash is known as:

A. credit risk.
B. foreign currency risk.
C. interest rate risk.
D. liquidity risk.

Exam Question 41

Foundation National Bank has 65% of its loan portfolio in fixed-rate, 30-year maturity real estate loans. Its deposits are distributed as 35% in checking account deposits, 40% in savings deposits, and 25% in certificates of deposit with maturities of one year or less. Foundation is subject to all the following except which type of risk?

A. Asset-quality risk
B. Foreign currency risk
C. Interest rate risk
D. Liquidity risk

Exam Question 42

Which of the following audit objectives is achieved by determining that the bank has legal title or similar rights to all assets and that bank assets do not include customer collateral or other valuables held in a fiduciary capacity?

A. Existence or occurrence
B. Presentation and disclosure
C. Rights and obligations
D. Valuation or allocation

Exam Question 43

One of the objectives of the bank audit is described as follows:

“Determine that assets are properly categorized in the balance sheet, that major categories of asset groups and the base of valuation are adequately disclosed, and that pledging or assignment of assets is disclosed.”

This objective is referred to as:

A. completeness.
B. existence or occurrence.
C. presentation and disclosure.
D. valuation or allocation.

Exam Question 44

The auditor is performing an inventory of the investment securities that the bank holds in its own vaults. This inventory is conducted as part of the audit objective of:

A. existence or occurrence.
B. presentation and disclosure.
C. rights and obligations.
D. valuation or allocation.

Exam Question 45

According to Auditing Standard 2201 and the COSO Study, the bank's internal controls are built on five components that should be considered in planning the audit. Which of the following is considered in planning in addition to the considerations in Auditing Standard 2201?

A. Risk assessment
B. The control activities
C. The control environment
D. The results of regulatory examinations

Exam Question 46

The accounting operations of a bank differ from those of an industrial entity. Which of the following is an area of control that is more common to the industrial environment than to a bank?

A. Annual physical inventories
B. Daily posting of the general ledger
C. Daily reconcilements of major subsidiary ledgers to the general ledger
D. Very high transaction volumes in subsidiary accounts

Exam Question 47

What function of the bank is authoritatively described as the control that assures that other controls are adequate and effective?

A. The comptroller's function
B. The credit review function
C. The internal audit function
D. The methods and procedures function

Exam Question 48

When a teller receives cash from a customer in a deposit, an entry must be prepared to record the increase in cash in the teller's cash fund. The common name for this transaction in the bank is:

A. a cash journal entry.
B. a cash receipt entry.
C. a cash-in ticket (entry).
D. a cash-out ticket (entry).

Exam Question 49

The teller's machine/terminal is used to perform three of the following functions. Identify the function that is performed outside or beyond the individual teller's operations.

A. Maintaining a journal of the transactions handled by the teller
B. Placing holds on funds if checks are cashed
C. Balancing overall cash funds in the bank
D. Validating receipts for customer deposits

Exam Question 50

One of the functions of the teller's machine is to support the accountability for the teller's cash fund. Which of the following functions of the machine accomplishes that purpose?

A. Determine whether a customer cashing a check has sufficient funds to cover the check.
B. Place holds on deposited funds when a check is cashed.
C. Receipts are prepared for deposits consisting solely of checks.
D. The total of cash-ins (cash received) and cash-outs (cash paid out) are accumulated to be used in balancing the cash fund.

Exam Question 51

Which of the following devices allows a customer to receive cash, make deposits, and make transfers between accounts without the presence of a bank employee?

A. A clearinghouse
B. A night depository
C. A teller's machine in a teller's window
D. An automated teller machine

Exam Question 52

Of the four methods of loss in the teller's window, which of the following is perpetrated by an outsider of the bank?

A. Embezzlement
B. Lapping
C. Overchanging customers
D. Robbery

Exam Question 53

Cheryl is a bank teller. Mr. Smith, a customer, presented a check written for $500 that he was cashing. Cheryl accidentally processed the check as $550 and gave Mr. Smith $550 in cash. This is an example of what type of control concern?

A. Internal theft
B. Lapping
C. Overchanging
D. Robbery

Exam Question 54

Which data field is usually found on a check but will not be found on a deposit slip?

A. Account number
B. Amount
C. Routing and transit number
D. Check serial number

Exam Question 55

When the batch is in the process of being balanced, certain items are passed through the scanner again because:

A. the image was not accurately captured on the first pass.
B. they are checks drawn on another bank.
C. they are duplicate items.
D. they have already been deposited in a previous deposit.

Exam Question 56

Which of the following creates the condition known as internal float?

A. Jones cashes a check at a teller's window on Monday and the teller processes the check out to deposit accounting on Monday.
B. Smith writes a check and mails it across the country on Monday, knowing that his paycheck will be deposited in the bank on Wednesday.
C. The loan department accepts a check on its own bank on Friday and ceases interest accruals, but does not process the check to deposit accounting until Monday.
D. The savings department sells a certificate of deposit on Tuesday and processes the check to deposit accounting on Tuesday.

Exam Question 57

The time between the issue of a check by the depositor and its payment at the bank on which it is drawn is referred to as:

A. float.
B. kiting.
C. payment handling.
D. transit delay.

Exam Question 58

The bank earns interest on deposited funds:

A. as soon as the bank posts the deposit.
B. from 10 days after the date that the deposit is received.
C. from the time at which the bank receives investable credit for any checks in the deposit.
D. from the time of deposit.

Exam Question 59

Rules governing the origination, receipt and handling of ACH transactions are promulgated by:

A. ODFI
B. RDFI
C. NACHA
D. OCC

Exam Question 60

One of the following is a risk associated with a banking activity outside the item processing function. Identify that item.

A. Credit risk on overdrafts
B. Failure to identify and dispose of differences in transaction processing
C. Lost documents or document image data
D. Misappropriation of cash items in processing

Exam Question 61

Three of the following are internal risks associated with item processing and check collection. Identify the one that is an external risk as compared to the others that are purely internal.

A. Concealment of differences by using suspense accounts
B. Representment (reuse) of checks by a remote deposit capture customer
C. Items being sent to the wrong location, delaying payment
D. Misapplication of customer deposits

Exam Question 62

Sometimes transactions are encountered that do not balance, such as when total credits are greater or less than the debits. Such differences should be:

A. recorded according to policy set down by the board of directors.
B. recorded at the end of the week or month, depending on the size of the bank.
C. recorded when the accumulated amount becomes material.
D. researched and settled by the close of that day's business.

Exam Question 63

In the environment of electronic processing, which of the following audit procedures in the item-processing function is NOT a practical option?

A. Intercept and independently list the items in an outgoing cash letter.
B. Observation of down received and scanned in a selected location like a branch office.
C. Review of daily reconciliations of transactions processed through the item processing operation.
D. Review of items not processed in regular processing such as holdovers or return items.

Exam Question 64

Deposits that the depositor can withdraw at any time without prior notice are called:

A. certificates of deposit.
B. demand deposits.
C. savings deposits.
D. time deposits.

Exam Question 65

Penalty charges on demand deposit accounts would arise from which of the following conditions or events?

A. A check being presented for an amount greater than the available or collected balance of the account
B. A normal level of activity (checks paid) in a checking account
C. An account having no activity for an extended period of time
D. The issuance of an official check

Exam Question 66

Identify the item in the following list that is an expense for the bank related to certain deposit accounts, as seen on its income statement.

A. Interest
B. Penalty charges for insufficient funds checks
C. Service charges
D. Service fees for issuing official checks

Exam Question 67

On January 1, 20X1, John deposits $1,000 into a time deposit account. The agreement states that John will earn 4% interest on the deposit; the maturity date is on March 31, 20X1. Which of the following instruments did John open?

A. A cashier's check
B. A certificate of deposit
C. A negotiable order of withdrawal account
D. A savings account

Exam Question 68

Banks must maintain a specified portion of their deposits to meet the withdrawal demand of customers. These reserves must be maintained in ______.

A. Cash, including deposits at the Fed
B. Gold
C. Official checks
D. Stocks

Exam Question 69

Which of the following bank employees is responsible for opening new customer accounts?

A. Customer service representative
B. Internal auditor
C. Officer
D. Teller

Exam Question 70

To protect accounts for which regular contact with the customer has been lost, special controls are maintained on:

A. demand deposits.
B. dormant accounts.
C. governmental deposits.
D. time deposits.

Exam Question 71

The legal process of turning unclaimed deposits over to the state government is known as:

A. abandonment.
B. escheatment.
C. right of eminent domain.
D. taxation.

Exam Question 72

One type of account offers special risk because it can be used by an insider to manipulate funds from any area of the bank. Special review procedures should be in place over these accounts. These accounts are:

A. certificates of deposit (CDs).
B. employee accounts.
C. official checks accounts.
D. treasury tax and loan accounts.

Exam Question 73

A $5,000 check is presented for payment on the checking account of AMZ Company in the processing of November 30, 20XX. The current balance on the account is $1,000 and the check is shown as unpaid because of insufficient funds on the computer reports when they are reviewed the next morning. Which of the following is an appropriate treatment for this check?

A. Either approve the check to pay it into overdraft or return it.
B. Carry the amount as a difference on the reconciliation with the general ledger until a deposit is made.
C. Hold the check as a cash item until AMZ makes a deposit to cover it.
D. Re-run the check in the hope that AMZ will make a deposit to cover it.

Exam Question 74

You are responsible for the audit of deposit accounts. One of the auditors assigned to you is to prepare a list of the audit objectives for the audit of these accounts. The following is the list supplied by that auditor. One of the items indicates to you that the auditor may not fully understand the operations and accounts that are to be audited. Which of the following items is not a logical objective in arriving at an opinion on the financial statements?

A. Determine that fee income is competitive with other banks in the area.
B. Determine that interest expense is correctly recorded as to amount, account, and period.
C. Determine that transactions from daily processing are recorded on a timely basis in the proper account and amount.
D. Determine that overdrafts are shown as an asset in the loan category of the balance sheet.

Exam Question 75

Audit procedures for deposits would include all but one of the following. Identify the item that would be carried out by management, not by the auditor.

A. Analytically review the interest expense and fee income for reasonableness, compliance with bank policy, and agreement with advertised rates.
B. Contact depositors on overdrawn accounts to secure collection.
C. Recalculate interest paid for correctness of computer calculation and processing.
D. Review reconciliations of subsidiaries to the general ledger.

Exam Question 76

Which of the following items would have no value if included in the confirmations of deposit accounts?

A. The account number
B. The as-of date of the information in the confirmation
C. The balance of the account
D. The date the account was opened

Exam Question 77

Which of the following presents a particular problem for the confirmation procedures?

A. Certificates of deposit that have not reached maturity
B. Closed accounts
C. Deposit accounts that receive periodic statements
D. Accounts that have no mailing address

Exam Question 78

When rendering confirmations on checking accounts including NOW accounts, the confirmation information must be information the customer can use in making a data comparison. For example, the information should be as of which of the following dates:

A. any interim date.
B. the audit date.
C. the date of the last statement rendered to the customer.
D. the end of the prior month.

Exam Question 79

Regulation D of the Federal Reserve System requires that banks do which of the following?

A. Avoid the certification of checks on accounts with insufficient funds.
B. Limit credit to parent or sister organizations in the same holding company.
C. Limit the credit, including overdrafts, to executive officers, directors, and principal stockholders.
D. Maintain reserves on deposits in order to assure that funds are available to meet customer demands.

Exam Question 80

Interest paid on deposits is shown in the financial statements in which of the following locations?

A. In the interest expense section of the income statement
B. In the liability section of the balance sheet
C. In the other expenses section of the balance sheet
D. In the other income section of the income statement

Exam Question 81

Which of the following statements concerning the financial presentation of deposits and deposit-related accounts is false?

A. Certificates of deposit of $100,000 and over are shown as a distinct line item on the balance sheet.
B. Demand deposits are disclosed separately from time deposits on the balance sheet.
C. Foreign deposits and domestic deposits are reported together in the income statement.
D. Interest expense is shown in the net interest portion of the income statement.


Author: Tuan Roob DDS
