the risk management blog

Cash Auditing and Compliance in a New World

byLowers & Associates | May 08, 2014

The banking industry has undergone significant and historic change since the financial crisis of 2008. The Dodd Frank Wall Street Reform and Consumer Protection Act created heightened expectations and new regulations for financial institutions.

This, in turn, has created the need for additional levels of oversight within the financial institution itself. However, it isn’t just financial institutions that are feeling the impact. Third party service providers of financial institutions, including armored carriers, are being impacted as well.

Historically, by outsourcing cash vault operations to CIT companies, financial institutions were able to pass along many of their risks and cost burdens. Today, the Office of the Comptroller of the Currency (OCC) makes clear that banks are expected to practice effective risk management “whether the bank performs the activity internally or through a third party” and goes on to say that “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner in compliance with applicable laws.”

Furthermore, the OCC has identified significant potential for gaps in risk mitigation and compliance, which has brought more focus on auditing procedures.

Risks associated with vendor management

Financial institutions have developed strategies for vendor management and programs to ensure risks are being handled appropriately.  These programs cannot afford to fail, but many do.  Here are some common reasons for these failures:

Lack of understanding

A lack of understanding of CIT company procedures and internal controls leads to inherited risks when developing an audit program. For example, when a financial institution performs the physical site assessments or cash and coin counts themselves, they typically only count their internal cash and coin inventories. This can allow the CIT outsourced cash vault personnel to potentially conceal variances and play a shell game to conceal errors/shortages.


The minimum compliance standards that are utilized have inconsistencies that go undiscovered due to bias, strategy, and cost. The audit controls that are implemented have the same gaps since they are ultimately self-developed and designed around what the bank considers priority.  Financial institutions are still left with the risk of inadequate audit capacity.


The most prevalent concern with an internal review is complacency.  This occurs when folks begin to think “This will never happen to me.” People can easily become acclimated the day-to-day operations, resulting in a lack of oversight of risks, audits, and best practices.

To address these risks, many CIT companies and banks utilize a third party to perform site assessments, cash and coin audits, and process best practice reviews.

The role of a professional third party in cash management audits

A professional third party audit company understands not only the business requirements imposed by both the financial institutions, and CIT operator, but also the detailed requirements of their insurers.

Preventing Shell Games

When CIT operations or banks employ an independent third party for audits of the CIT locations, the inventories are counted in whole to validate no shell game is being performed to cover up variances.  Financial institutions can properly forecast change orders for commercial customers, ATMs, retail-banking centers, and Federal Reserve deposits.

Monitoring Compliance

A professional third party audit company should also incorporate a compliance survey where various inspections of the facility are evaluated.  Typical compliance surveys should cover internal controls, hiring, and training documentation to physical security and CCTV coverage, providing a level of assurance to the financial institution that the CIT provider has the capacity and infrastructure to comply with the performance and reporting requirements of the financial institution.

It is critical that an audit program is developed to incorporate the bank’s best interests as well as the CIT operator while validating that minimum compliance standards are in balance.

Wanted: Universal Cash Handling Standards

Central to best practices for cash handling controls and loss prevention is the need for the financial services industry as a whole to embrace and apply universal fundamental cash handling standards.

Financial institutions doing business with the various vendors should have the confidence that these standards are being followed.   And there should be absolute transparency with the vendors so the financial institution can verify that the appropriate controls are in place and being followed consistently.

Included in a set of standards should be these three key methods for reducing the likelihood, or at least the impact, of cash service vendor theft, fraud, or misuse of customer funds:

  1. Annual assessments and periodic cash and coin external audits — Vendors should be required to submit to such requirements in order to be eligible for work.
  2. Standard audit framework — The creation of a common set of standards, or auditing body, will allow for both comprehensive annual assessments and periodic standardized audits.
  3. Vendor certification — The certification of cash service vendors that prescribes to more rigorous audit and best practice standards.

A qualified third party working within the framework of industry standards or best practices, as well as the requirements of the financial institution, may properly address areas of compliance and audit findings as well as appropriate remediation efforts.

Next Steps

Ready to learn more?  The team at Lowers & Associates can help you by conducting periodic independent audits of cash assets that are in the care and custody of third-party CIT and/or ATM service providers.   Give us a call today to learn how to put our expert cash audit services to work for your bank.


Lowers & Associates provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly-regulated environments and organizations that value risk mitigation.
View all posts by Lowers & Associates >