International statistics show that any organization is at risk of embezzlement by its employees, managers or other related parties, and banking and financial entities are even more vulnerable to embezzlement. Although no significant embezzlement has taken place in banks in Israel for nearly two decades, financial institutions in other countries have experienced significant embezzlement events in recent years, and the risk of a significant embezzlement event naturally always exists.
In light of this, the Supervisor of Banks has recently completed a systemic audit process on the subject of internal control of embezzlement risk, in order to strengthen and improve the banks’ readiness to prevent the realization of this risk or to reduce its damages.
The audit process carried out by the Supervisor is intended to examine the banks’ readiness to deal with this risk by examining corporate governance in risk management, the existing arrangements and processes in the banks, the integration of various functions and bodies, organization-wide controls and the control environment.
The investigation revealed that the banking system in Israel strives to instill an organizational culture of zero tolerance for embezzlement and invests many resources in the prevention and early detection of embezzlement, and in dealing with the consequences of those embezzlements that occurred despite everything. However, in the course of these audit processes, areas were identified in which the banking corporations were required to continue strengthening risk management and internal control.
In a review published by the Bank of Israel of the banking system’s preparation for the prevention, detection and treatment of embezzlement, it was explained that risk in banks is managed in practice in accordance with the concept of the three lines of defense. The examination revealed that, in general, the internal audit is active and adds significant value to risk management. However, areas were also found where governance needs to be strengthened in order to be more comprehensive and active. For example, it was found that the information presented to management and the board on this subject is not always complete, and is not sufficiently consolidated and analyzed, which makes it difficult to identify risk points or possible failures in internal control. In addition, organization-wide controls, such as the mechanism for exposing irregularities, do not work effectively in some banks. There are non-uniform approaches to dealing with employee anomalies, and the rate of complaints revealed through a tip received from an employee or anonymously is low in an international comparison. The mechanisms of rotation and continuous absence exist, but insufficient emphasis is placed on controls within these processes, which may increase the chance of embezzlement through them.
Following the process, the Supervisor clarified to the banks that they must implement an active and proactive action plan to convey organizational messages, guide managers and employees and train risk management and control staff, in addition to adopting internationally accepted standards in this regard, namely the latest COSO framework, which is the international standard for this, in banks that have not yet done so voluntarily.
In the summary of the comprehensive review, the Bank of Israel stated that the banking system strives to assimilate a culture of zero tolerance for embezzlement, and invests considerable efforts to do so. The Banking Supervision Authority’s expectation is that the banking system will continue to maintain high and constant vigilance against the possibility of material embezzlement, will strengthen and refine its risk monitoring and internal control systems, and will adopt the highest international standards (such as COSO). According to the 1992 internal control framework of COSO, only some of them implemented the updated framework from 2013. Some banks found weaknesses in the implementation of the assimilated standards. In fact, the audit requirements sharpened the steps to be taken to reduce the gaps.
Finally, the review states that the letters of demand sent to the banks detail the specific steps that must be taken to close the gaps. Following the audit, the Supervisor of Banks intends to require the adoption of the current COSO framework through appropriate regulation, in order to create a commitment to this in banks that have not yet done so voluntarily.