I do understand your point. Please forgive me as I do not know what industry you are from. Access to ee accounts is normally restricted from public view for the very purpose of payroll protecting [although very little can be gained from a deposit amount in most circumstances].

In the bank, the fact that the account holder is an ee as opposed to Joe XX is of little consequence when using tools to monitor for fraudulent activities. An employee, in a risk profile, is often considered higher risk than a client. The deposit account is our asset that happens to be an employee's.

What you normally may find in the Bank is that the entire account base is subject to the same intrusive analysis tools (BSA, OFAC, numerous NSF, kiting trends, ATM activity, neural agent analysis). EE accounts then would fall to GREATER analysis based on the necessity to maintain a responsible fiscal condition. For example, a report of EVERY ee account overdrawn, regardless of amount or days o/s or total OD YTD, would be created and reviewed. EE's in sensitive areas [wires, finance, Dealer Drafts, Comm Lns, Item processes, etc] may be subject to account review and "lifestyle" reviews - maybe more.

I apologize as I am not prepared to detail our actual methodology on this bulletin board.

www.frb.org will provide links to each of the laws I have mentioned.

BSA - required for unusual cash activity
Reg O - requires very intrusive and comprehensive financial review of certain officers and directors
OFAC - review of any account (ee does not matter) involved in wires.
US Patriot Act - takes account privacy and throws it away.

An important distinction (as it relates to the privacy comment) would come into play with the USE of the information once gathered. The privacy issue is a matter that is incorporated into an HR policy. I am unaware of any privacy policy that would prevent me from viewing an account solely because it was coded as an employee [in a bank environment].

Paul

-----Original Message-----
From: Bines, Judith [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 22, 2002 3:33 PM
To: Kaplan, Jim; Hugenberg III, Paul; BILL GALATIOTO; [EMAIL PROTECTED]
Subject: RE: Employee Monitoring

My experience has been that employee information IS and should be restricted unless specifically necessary. It is the same as having access to payroll information and executive compensation... it is not just a free for all.

I would think your concern would be more with the Privacy regulations rather than Sarbanes-Oxley.

Thank you.

Judith S. Bines, MBA, CPA/CITP, CISA, CBM
Director, Information Resource Security
AmerisourceBergen Corporation
1.610.727.7156 (Voice)
1.610.727.3656 (Fax)

Paul,

Thanks for the clarification and information regarding audit access in a banking environment. The original question posed by Bill Galatioto is "what do you do to assure yourself that no improprieties are taking place, save for a bounced check or deposited item returned?"

When you say that certain new regs allow and require this type of activity on any account - employee or otherwise, are you saying that auditors now have unrestricted access? Do you have the specific citations from these "acts" as well as a Web site link for other subscribers?

-----Original Message-----
From: Hugenberg III, Paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 22, 2002 3:08 PM
To: 'Kaplan, Jim'; 'BILL GALATIOTO'; [EMAIL PROTECTED]
Subject: RE: Employee Monitoring

Jim:

In the banking environment, the employee account info is not normally restricted from auditor views. In fact, some 'best-practice' audit programs include steps to review accounts of associates who work in sensitive areas. An HR policy provides the umbrella of 'fiscal responsibility' and monitoring activities. A subpoena is not necessary for any internal account.

However, personal account info that is external to the bank deposit/loan account would require more legal finesse. As always, a reasoned support would be necessary of course [e.g. NSF, kiting, lifestyle clues, audit...].

My question in return would be the 'legal' aspect that you have brought in. Certain new regs [US Patriot, Sarbanes-Oxley] as well as older regs [OFAC, BSA, Reg O] allow and require this type of activity on any account - employee or otherwise. Would the concern be with the precedent set by the reaction to certain activity [discrimination, bias] rather than the actual viewing of the info?

Your thoughts...

Paul Hugenberg
Bank Regional Audit Manager/IT Audit Officer

Bill,

I am curious as to how an auditor would gain access to personal savings and checking accounts? In my experience this is not something that a financial auditor would do except in the case of a fraud investigation. IMO this is an area where subpoena power would be needed to access personal financial information and it would only pertain to situations where you had proper cause to investigate.

But assuming from your email address that you are a bank auditor, I guess the question is whether bank auditors would or should have unrestricted access to employee bank accounts within their own financial institution? Audit common sense would suggest that you would still need a good reason to review employee personal accounts.

-----Original Message-----
From: BILL GALATIOTO [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 22, 2002 1:52 PM
To: [EMAIL PROTECTED]
Subject: Employee Monitoring

I am reaching out to those in the financial auditing community. Does anyone out there conduct reviews of employees' accounts (savings, checking etc.) including monitoring their account activity? To the extent that an employee's activity does come up on your radar, what do you do to assure yourself that no improprieties are taking place, save for a bounced check or deposited item returned? Any information received is greatly appreciated and will be held in strictest confidence.