It's easy to assume that fraud is a bigger problem for large institutions because of their complexity, but a recent example in Texas shows there's no such thing as being too small for proper internal controls.

Enloe State Bank in Cooper, Texas, was closed by the Texas Department of Banking on May 31, 2019, becoming the first bank failure in the nation in 17 months. The bank was closed "due to insider abuse and fraud by former officers" as stated by Texas Banking Commissioner Charles Cooper in the news release announcing the failure.

Enloe State Bank had assets of $36 million; a small bank in a small Texas town. Cooper, located 80 miles northeast of Dallas, is an agricultural community of approximately 2,000 residents.

Days before the state examiners were to be onsite for the bank's examination, a fire broke out in the bank that destroyed many loan files. Investigations are ongoing by the FDIC and The Bureau of Alcohol, Tobacco, Firearms and Explosives.

As the investigation continued, at least a dozen customers of the bank received letters from the FDIC advising them they had loans at the bank; which turned out to be fraudulent. Their question to the FDIC was "how did this happen?" Unfortunately, loan fraud represents one of the highest area of risk for financial institutions.

Why Fraud Happens

The 2018 Association of Certified Fraud Examiners (ACFE) Report to the Nations cited internal control weaknesses as the leading cause of fraud. In addition, overriding existing controls represented a large percentage of fraud cases. More than 17% of financial services organizations were victims of fraudulent activity.

No financial institution wants to be the victim of an external or internal fraud; they want to trust their customers and their employees. But, that isn't always the case. The risks of loan, mortgage, real estate, check, wire and account fraud, as well as embezzlement and white-collar crimes exist.

How to Protect Against Fraud

No institution is too small or too big to become a victim of fraud. So how do institutions protect themselves from becoming a victim? The answer: a system of internal controls that allows management to measure the institution's performance and an internal audit program to ensure the controls are in effect.

The Federal Reserve System, OCC, FDIC and NCUA provide guidance to their institutions for the internal audit function. All financial institutions must adhere to certain regulatory requirements regarding internal controls. Institutions are required to operate in a safe and sound manner.

As stated in the Federal Reserve's Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing, "the primary objectives of the internal audit function are to examine, evaluate, and perform an independent assessment of the institution's internal control system, and report findings back to senior management and the institution's audit committee. An effective internal audit function within a financial institution is a vital means for an institution's board of directors to maintain the quality of the internal control environment and risk management systems."

The system of internal control of an organization consists of the environment and procedures put into place by management to ensure that significant risks presenting threats to the successful achievement of key business objectives are identified, evaluated and reduced to an acceptable level. Examples of key business objectives include reliability of financial reporting, operational effectiveness and efficiency, compliance with laws and regulations and safeguarding of the institution's assets.

Components of Internal Control

Internal control consists of five interrelated components:

  1. The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  2. Risk assessment is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
  3. Control activities are the policies and procedures that help ensure that management directives are carried out.
  4. Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  5. Monitoring is a process that assesses the quality of internal control performance over time.

Independence is critical to the internal audit function. Internal audit is an independent function that supports the organization's business objectives and evaluates the effectiveness of risk management, control, and governance processes. To accomplish the objectives of the audit function, audit personnel must maintain total independence from management or other employees.

Critical for Success

Implementing a strong internal audit program that includes the regulatory guidance, maintains competent and properly trained staff and is independent within the institution is a challenge in today's environment. However, as the Enloe State Bank failure shows, it's critical for your long-term success. Fortunately, our team can assist you with developing a strong internal audit program as well as ensure that the most qualified person(s) are on your engagement team.

Want to learn more? Here's why a Quality Assurance and Improvement Program is important to your internal audit function.

"The 2018 Association of Certified Fraud Examiners (ACFE) Report to the Nations cited internal control weaknesses as the leading cause of fraud."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.