

How effective are your fiduciary risk management and internal controls?

Jun 15, 2023

As a fiduciary, a trust department is responsible for the management and care of the property of others. It’s required to administer the trust to benefit the beneficiaries and avoid conflicts of interest. To meet its fiduciary duty, a trust department must implement an appropriate risk management system designed to monitor, measure and manage the inherent risk associated with the administration of trust accounts.

The foundation of risk management is to implement policies, procedures and controls over the department’s fiduciary activities that are commensurate with the complexity of the products and services provided. Some basic recommended internal controls include the following:

Segregation of duties

The most fundamental internal control is the segregation of duties. One person should not have the ability to initiate, authorize, execute and review a transaction. For a trust department, this usually means separating the administration function from the operation function. Access in the trust operating system should be restricted so that one person is unable to perform a transaction from start to finish.

When the segregation of duties is not feasible due to the department’s size, management should implement other mitigating controls, such as requiring a second person to review and approve the transaction before it is executed. Administrators could review transaction journals and sign off as having reviewed them.


Reconciliations of deposit accounts, suspense accounts, brokerage accounts and securities statements should be performed by someone who does not have the authority to initiate, authorize or post transactions to the recordkeeping system. An officer or manager should also independently review the reconciliations.

Ideally, the reconciliations and review would be performed at least monthly. For small departments, someone outside of trust could be responsible for performing the reconciliations. As part of the reconciliation, someone independent of the process should be reviewing and resolving stale reconciling items.


The recordkeeping system should provide for accurate and reliable recordkeeping and reporting. Records should have sufficient detail to reflect all departmental activities, including account opening, annual reviews, discretionary disbursements and account closing. Transactions should be processed promptly and accurately.

Assets of each trust account should be reported separately from assets of other accounts, and department assets should be segregated from bank assets. A record retention policy should be implemented to guide staff on how long to retain documents.

Discretionary distributions

Controls over discretionary distributions are critical. Written distribution requests should be obtained or, at a minimum, documentation of the distribution request should be retained. Approval limits for discretionary distributions should be established by policy. The distribution request should be performed by someone who did not initiate the request. Discretionary distributions should be reported to the trust committee along with the purpose of the request.

Dual control

Dual control should be required to access physical assets, including trust assets and blank checks. Procedures should be in place for accessing the vault where physical assets are retained, including procedures for logging access and the transfer of assets to and from the vault. Checks received by mail and checks returned as undeliverable should be opened, logged and retained under dual control. Dual signatures should be required for checks in excess of a specified threshold.

Internal reviews and inventories

An independent audit of all assets should be performed periodically. This includes doing a physical inventory of vault assets at least annually. Assets in the vault should be agreed to trust vault safekeeping reports. As part of this audit, the access log and record of transfers to and from the vault should be reviewed. A log of check stock should be maintained and reviewed as part of the periodic audit.

Vacation policy

Supervisory agencies have recommended institutions implement the practice of requiring personnel to be continuously absent from their jobs for a specific period of time. While they are absent, another employee should perform their duties. This allows for the possibility of detecting irregularities because the absent employee is unable to control the situation.

While there is no one-size-fits-all internal control standard, basic controls should be implemented. Management should review the procedures and controls they have implemented, determine if they are appropriate and implement additional controls in areas where they feel there is increased risk. Having a strong audit program will help bolster areas that may have deficiencies.

How Wipfli can help

Wipfli’s specialists can assess the risk management and compliance efforts at your financial institution and help you strengthen procedures where needed. We can assist you in implementing solutions and staying current with best practices and regulations. Contact us to learn more about how we can help you protect consumers and your institution.



Shelley Foster, CRCM, CCBIA
Senior Manager, Internal Audit and Regulatory Compliance