I am so frustrated that I can't answer this question when I know its prudent business practice, but I need more narrative than that.

I am recommending that the bank I work for change the combinations on its vaults and ATMs since they have not been changed in over 4 years. Key personnel have left in that time, including a President and Cashier, among others. Knowing this managment (I am preparing a draft report not yet presented), they would say their alarm systems would take care of this need. I keep reading in audit literature over the many years that combinations need changing when key personnel leave.

Help!

You are, IMHO, right on the money with this request. It is part of the process when key personnel leave to change combo's, entry codes, and other security based procedures based on the personnel's access and usage rights. It should be done right away! The alarm system won't help if the whole system is flawed.

It's a no-brainer, why would they not change the codes?

I would have said that, like computer passwords, they should be changed at least every ninety days, and whenever anybody who knows the codes leaves even the department/ branch (as they no longer have a need to know), and much more so if they leave the bank.

Definately you are not nuts! In a recent internal audit review- one branch was written up for failure to change ATM combo's. Your regulators should help your case - give them a call- they will assist- maybe an audit finding will wake them up? But that is what you are trying to keep them from....

Here's another one of similar magnitude of ?????
Combinations to the vault are on paper and stored in the Cashiers brief case for one facility. A second facility its stored on paper in the top drawer to the branch managers desk. Again, accept my appologies for asking such silly no-brainer questions, but I'm dealing with managment that will think there's nothing wrong with that.
So....other than making a pudent business descision reqarding proper safekeeping, what can I recommend regarding procedures over the storage of combinations on paper?

Hope these two posts have made you day. Should be safed in the BOL Hall of Fame.

Thank you.

Um, WOW this is as you have stated "a no brainer". These codes should be maintained under dual control as Wild Turkey suggested. Other institutions even have divided codes to prevent such a complete security nightmare. If both codes need to be maintained together for some unknown reason(other than because it's easier that way ), they should, for the code holders sake if nothing else, be maintained in dual control(I wouldn't want to hold a complete combo with no control in place ).

Ok...so management is saying, "So what,they leave with the combo but can't get in the vault without alarm codes.: Who says the exemployees didn't leave with those either? And who says an ex-employee with vault codes doesn't work with an insider who has other codes to access vaults?
Why court disaster? If money disappears and ex-employees leave with combos, wouldn't your investigation now have to include them?? Yep, they just don't get it. My sympathies to you!

Depending on the location of the bank, if I wanted to raid the vault and had the codes to open the vault door I wouldn't necessarily care about the alarms, so long as I could get in, out, and away quickly enough.

If you really still need something to persuade your management, ask them what they are planning to tell the insurance company if the vault is raided? ... Under the current procedures I wouldn't want to be in their shoes if the worst happened.

If they won't change the combo, keys, codes reccomend they remove the locks as the locks are usless when you do not control the combo, keys, codes. The response should be "thats crazy" If they give this recomendation consideration you are lost!

Do you have an internal auditor? Subtely suggest that they perform an audit on bank security, and have them write this up as a comment. Internal audits must be presented to your banks Audit Committee, which is comprised Board members and reprots to the Board of Directors. Next time the regulators come through and ask to review your Board minutes, I bet these get changed.