Would Your Vacation Policy Pass a Risk Assessment?
One of the questions we get frequently has to do with vacation policies. Typically, the question asked is "are we required to make employees take a two-consecutive-week vacation every year?" The answer is that it's not a rule, but it's a very strongly suggested practice that's emphasized by all the regulatory agencies.
A good vacation policy can be highly effective in preventing embezzlements, which usually require a perpetrator's ongoing presence to manipulate records, respond to inquiries, and otherwise prevent detection. In general, financial institutions should have a policy that requires all officers and employees in sensitive positions to be absent from their duties for an uninterrupted period of not less than two consecutive weeks. For credit unions, the NCUA allows a one week absence but prefers two consecutive weeks.
As part of your internal control procedures, you should make a risk assessment of your significant areas and sensitive positions. This assessment should consider all employees, but should focus more on those with authority to execute transactions, those with signing authority and access to the books and records of the bank, as well as those employees who can influence or cause such activities to occur. Particular attention should be paid to areas engaged in trading and wire transfer operations, including personnel who may have reconciliation or other back-office responsibilities.
After producing a profile of high-risk areas and activities, it would be expected that a minimum absence of two consecutive weeks per year be required of employees in sensitive positions. If a shorter period is chosen, the required period of absence should, under all circumstances, be enough time to allow all pending transactions to clear. The absence should also allow sufficient time for independent monitoring of all transactions that the absent employee was responsible for initiating or processing. This practice could be implemented in several ways: through a requirement that affected employees take vacation or leave; the rotation of assignments in lieu of required vacation; or a combination of both so that the prescribed level of absence is attained.
Some institutions, particularly smaller ones, might consider compensating controls such as continuous rotation of assignments in lieu of required absences to avoid placing an undue burden on the bank or its employees. For IT employees, management should consider suspending or restricting an individual's normal IT access rights during periods of prolonged absence, especially for employees with remote or high-level access rights. At a minimum, management should consider monitoring and reporting remote access during periods of prolonged absence.
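One way to put the monitoring step above into practice, as an added example that is not from the original article: it checks constructed remote-access log lines against a constructed mandatory-absence roster and reports every access by an employee during their required absence window (the log format, user names and dates are all assumptions).

```python
from datetime import date, datetime

# Constructed mandatory-absence roster: employee -> (first day, last day), inclusive.
ABSENCES = {
    "jdoe": (date(2024, 3, 4), date(2024, 3, 17)),
    "asmith": (date(2024, 5, 6), date(2024, 5, 19)),
}

# Constructed remote-access log lines in an assumed "timestamp user source event" format.
SAMPLE_LOG = """\
2024-03-01T08:15:00 jdoe vpn LOGIN
2024-03-09T22:41:00 jdoe vpn LOGIN
2024-03-12T09:05:00 jdoe core-banking WIRE_APPROVE
2024-03-12T09:10:00 bwong core-banking WIRE_APPROVE
2024-05-10T07:30:00 asmith vpn LOGIN
2024-05-21T08:00:00 asmith vpn LOGIN
"""

def parse_line(line):
    """Split one log line into (datetime, user, source, event)."""
    ts, user, source, event = line.split()
    return datetime.fromisoformat(ts), user, source, event

def on_mandatory_leave(user, when, absences=ABSENCES):
    """True if `user` falls inside their required absence window on `when`."""
    window = absences.get(user)
    if window is None:
        return False
    start, end = window
    return start <= when.date() <= end

def flag_access_during_absence(log_text, absences=ABSENCES):
    """Return (timestamp, user, source, event) for every access recorded while
    the user should have been absent. Each hit is an item for management's
    report: either the access was not suspended, or someone else used the account."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, source, event = parse_line(line)
        if on_mandatory_leave(user, ts, absences):
            hits.append((ts.isoformat(), user, source, event))
    return hits

if __name__ == "__main__":
    for hit in flag_access_during_absence(SAMPLE_LOG):
        print("ALERT access during mandatory absence:", *hit)
```

Accesses before or after the window (the first and last sample lines) pass through, and a user who is not on the roster is never flagged.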
"If you think compliance is expensive, try non-compliance."
- Former U.S. Deputy Attorney General Paul McNulty