Like my last newsletter article on internal monitoring programs, this article is based on an actual event which took place within the past month. As you read it, consider your current “Information Destruction Procedure.”

I happened upon a bank the other day on personal business. I wasn’t visiting a busy main office, I was visiting a not-so-busy branch location. I pulled into the parking lot and noticed a big truck parked at the entrance to this bank’s office and I noticed it was for a vendor that provides document shredding services, according to the sign on the truck. Since this isn’t the bank’s main location, there wasn’t a lot of activity in the parking lot or at the door.  I parked, got out of my car, and walked to the door. I couldn’t help noticing that the back of the document destruction truck was wide open, so I looked in. (I’m an auditor; I can’t resist!) The truck was half-filled with labeled boxes of various banks’ documents. Not only was the back of the truck open, but the loading ramp was down, too. Pretty easy access for a passerby such as me.

I looked around and noted that the driver or individual who staffed this truck was not within eyesight. I stood by the truck for a few minutes waiting for someone (to educate…really), but no one showed up. I entered the bank and a few minutes later I noticed a gentleman with the same company name on his shirt walk by me toward the truck with a hand truck loaded with more boxes of documents. He had been in the bank loading up his hand truck with more boxes, while the truck with very sensitive documents was wide open. The control issues are obvious. Any less-than-honest passerby could have jumped into the truck and taken a box of documents, if he/she could lift them; or at the very least taken a packet or two of documents without ever being seen.

More importantly, consider the controls of the other banks whose documents were already loaded onto that truck from previous stops that day. I bet the Compliance Officer and/or Information Security Officer truly believed those documents would be secure until they were destroyed by the vendor. I bet their written procedures indicate they are. Do those procedures reflect reality? Were the procedures ever tested? Were the controls identified and audited?

The risk is that those sensitive documents sitting on the truck are lost/stolen/obtained by someone without authorization. When this happens, how will the story read in the local newspaper or online service? “XYZ Bank suffers information breach.” Sure, the vendor’s procedures caused the breach, but the vendor might not even be mentioned in the article. And the customer whose information was disclosed probably doesn’t care who exactly caused the breach. So, before stating in your written procedure that these documents are “secure until destroyed,” verify that first. That could mean observing the vendor’s process when performing due diligence during vendor selection and again spot-checking on occasion once contracted, and/or asking for a tour of the vendor’s facility/process so you can witness their procedures first-hand.

Personally, if I were the Compliance Officer or Information Security Officer, I would test the procedure while my boxes are being picked up and occasionally follow the vendor’s truck– after my boxes were loaded – to verify the security of my documents until they were shredded. I recognize that’s not entirely feasible, but would I take my inspection a step further than just relying on their conveyed procedures to me?

You betchya.

By Sharon Blanchette, CPA, CIA, MBA

Assistant Director