Volume 22, Issue 4, 2013
IN THIS ISSUE
INFORMATION SECURITY PROGRAM pg. 10
AUDITING PRIVATE STUDENT LOANS pg. 7
SIX ERM PROGRAM MISTAKES CREDIT UNIONS MAKE pg. 13
DEVELOPING HIGH PERFORMING AUDITORS pg. 17
THE STANDARDS: ENGAGEMENT SCOPE pg. 19
We focus on your audit. So you can focus on your members. For more than 30 years, Moss Adams LLP has helped credit unions remain in compliance, stay current on financial-reporting standards, implement industry best practices, and navigate an ever-changing regulatory environment. We understand your needs and offer a high level of partner involvement to help meet them. Put our expertise to work for you.
(800) 443-9058 www.mossadams.com/cu
Certified Public Accountants | Business Consultants
Acumen. Agility. Answers.
Opinion Audits | Supervisory Committee Audits | BSA/AML Compliance Examinations | Internal Audit Outsourcing | Internet Security Assessments | EDP Audits
TABLE OF CONTENTS, Volume 22, Issue 4, 2013

FEATURED ARTICLES
7 Auditing Private Student Loans
10 Information Security Program
13 Six ERM Program Mistakes Credit Unions Make
17 Developing High Performing Auditors
19 The Standards: Engagement Scope

EDITORIALS
4 In This Issue
5 Chairwoman’s Message

ACUIA NEWS
24 Member Spotlight: Greg Czyzewski
25 Regional News
30 ACUIA Member Application
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, P.O. Box 150908, Alexandria, VA 22315, (703) 688-2284. © Copyright 2013, ACUIA. All rights reserved.
editorials
IN THIS ISSUE
by Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO

I don’t know about you, but I’m really hoping for some positive industry change in 2014 (I’m really hoping to win the lottery too, and I’m thinking those odds might actually be better…). The trends of 2013 – unreasonable regulatory burden, difficult exams, tight margins, minimal loan yields…have all made this year extremely difficult not just for credit union management but also for audit and compliance professionals. Most of us have had to make some significant changes to audit plans and compliance programs to accommodate this increasingly complex environment.

Fortunately ACUIA is constantly working hard to give us the tools we need to navigate this uncertain terrain through conferences, meetings, webinars, online tools, and The Audit Report.

So on that note, let me take a minute to tell you what we have going on in this Issue. On the topic of making changes to audit plans, take a look at Sam Capuano’s article on auditing private student loans (PSLs). If you are thinking of passing it by because your credit union doesn’t offer PSLs, are you sure that you don’t have any PSLs?? Take a good look at some of those “purpose” boxes on your approved loan applications. Chances are that you will find some “dorm expenses” or “tuition” somewhere in there. Thus, you may have PSL duties that you didn’t anticipate. Check out the article to get a foundation for what you need to review on these loans. In addition to keeping up with all the new, we must continue to allocate sufficient audit resources to key foundations. Two extremely important areas that must always be on the forefront of our minds are adequate Enterprise Risk Management (ERM) and strong Information Systems policies. Alan White and Tom Schauer walk us through critical components of those functions and give us all the tools we need to evaluate their adequacy. And last but definitely not least, Dean Rohne helps us bring it all together by providing important guidance on how to develop good audit teams. In this environment of “doing more with less” it is critical that we have the right audit resources in place to get the job done.

I’m in the planning stages for 2014 issues. If you have a specific topic of interest that you want covered, or a specific author you’d like to see (yourself maybe?), please let me know.

Of course I cannot finish my column without a sincere thanks to everyone who faithfully contributes to every Issue: Warren Whiteoak tirelessly continues to bring us Forum summaries in every Issue; Pat Richey is still sharing her insight post-retirement; and our chairwoman and regional directors always contribute important Association information.

4 | www.acuia.org | The Audit Report

2013 BOARD OF DIRECTORS
Chair: Dana McCranie, CBA, CUCE; Empower FCU; (315) 477-2200 x 5107; dmccranie@empowerfcu.com; Term: 2013-2015
Vice Chair: Amy Schaefer, CUCE, CIA; Royal CU; (715) 833-7292; amy.schaefer@rcu.org; Term: 2012-2014
Treasurer: Linda Goff, CUCE; Enrichment FCU; (865) 482-0045 x1201; lgoff@enrichmentfcu.org; Term: 2013-2015
Secretary: Nathan Cunningham, CPA, CRMA, CGMA; Mountain America CU; (801) 325-6573; ncunningham@macu.org; Term: 2012-2014
Director: Geoff Meyer; HVFCU; (845) 463-3011; meyeg@hvfcu.org; Term: 2013-2015
Director: Marnie Hardebeck, CUCE; Purdue FCU; (765) 497-7480; mhardebeck@purduefed.com; Term: 2011-2013
Director: Jill Chase, CIA; WSECU; (360) 754-6341; jchase@wsecu.org; Term: 2011-2013
Associate Director: Kara Giano, CIA, CIDA, CRMA; Golden 1 CU; kgiano@golden1.com
Associate Director: Doug Wright, CPA, CFE, CUCE; Baxter CU; (847) 932-8765; doug.wright@bcu.org
Associate Director: Kimberly Wiersema; CU of Texas; (972) 301-1819; kwiersem@cuoftexas.org

ACUIA EXECUTIVE OFFICE: P.O. Box 150908, Alexandria, VA 22315; (703) 688-2284; acuia@acuia.org; www.acuia.org
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
chairwoman’s message
A SUCCESSFUL YEAR
by Dana McCranie

By the time you receive this issue, 2013 will be coming to an end and a new year will be upon us. The ACUIA will look back on this past year as a success for the association (and our members). The annual conference and one-day seminar in San Francisco boasted the highest attendance in four years. Several association members were recognized for their contributions to the ACUIA in the way of the annual awards, including Pat Richey, who was given special recognition for her dedication to the internal audit profession as well as the ACUIA. Survey results for the conference revealed high ratings for presenters and topics. Congratulations once again to Jill Chase, Marnie Hardebeck and other Conference Committee members for their hard work – well done!

Various regional meetings were held this year with resounding success. Regional Directors and the Executive Office work diligently to offer these educational events for our members. Our thanks to them as well as the sponsors and speakers; the association greatly appreciates your support.

It was a busy year for the Association. Several webinars were offered to our members on topics ranging from SSAE 16 Reports to Employee Dishonesty. Thank you to Nathan Cunningham and the Webinar Committee for your efforts in providing relevant topics for continuous learning. Enhancements were made to our website (thank you to Amy Schaefer for heading that project). Laura Rae and the Social Media Committee kept members informed through Facebook, Twitter and LinkedIn.

There are numerous people working behind the scenes to ensure the ACUIA continues to provide you with the support and resources you need. I would like to take this opportunity to recognize a few that do not typically get the recognition they deserve. Tabitha Ernst works diligently, year after year, to publish The Audit Report magazine. The work that is required to produce one issue is astounding. Thanks also to the association’s Executive Office – Geoff Bacino and Paul Straubel – for running the ACUIA on a day-to-day basis. On behalf of the ACUIA Board and members – you have our gratitude and sincere appreciation.

Personally – I would like to thank everyone for your support of my tenure as ACUIA Chair. Words cannot express the depth of my thanks. It has been a pleasure to serve the membership and be a part of an organization such as ACUIA.
we need you! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.
featured article
Auditing Private Student Loans
By: Sam Capuano, CBA, CRP
Internal audits of student loans have all of a sudden become, if not a hot topic, one which is at least trending. Student loans have been around for years, of course. For those of us receiving them back in the day, it was a pretty sweet deal: we would get our check and then use it for a down payment on the car we would be using when we drove to college. And, from the lender side, they weren’t thought of as a material item, due to the fact they were government insured. I remember one lender telling me early in my audit career, “I don’t give a rip about student loans.” Many auditors felt the same way, citing lack of relative materiality as the reason to not devote many resources towards their review. Well, that was then. These days many of us are offering Private Student Loans (PSLs), which are definitely not your father’s student loans. And, like seemingly every other banking product we deal with nowadays, the Consumer Financial Protection Bureau has taken quite an interest in them. Heck, CFPB even (via the requirements of Dodd-Frank) has a dedicated Student Loan Ombudsman, Rohit Chopra. Chopra has been plenty busy, already having issued two annual reports which have dealt heavily with PSLs. Further, a recent thread on the ACUIA Forum noted NCUA examiners were also taking a look, especially if it is a new product at your credit union. And, in their January 2013 “Supervisory Focus For 2013” Letter to Credit Unions (13-CU-01), NCUA said:

Less Established Products – Some credit unions invest in less established or complex products, such as private student loans … that would otherwise be impermissible. If your credit union invests in less established or complex products, examiners will verify whether your credit union has the appropriate expertise and risk-mitigation controls over such products with which credit unions have historically had limited experience.

Similar regulatory thinking was in play a dozen or so years ago when Member Business Loans started to become a popular product in credit unions. Many credit unions jumped in a bit too quickly, and were told just as much by their examiners. I have heard comparable war stories about early forays into indirect loans. Which means it’s probably a good idea to take a closer look at PSLs.

To kick things off, let’s see how PSLs differ from the traditional government-based student loans. According to CFPB:

Private student loans – also known as alternative loans – are offered by private lenders to provide funds to pay for educational expenses. They are not part of the federal student loan program and generally do not feature the flexible repayment terms or the borrower protections offered by federal student loans.

And, as per Reg. Z [226.46(b)]:

(5) Private education loan means an extension of credit that: (i) Is not made, insured, or guaranteed under title IV of the Higher Education Act of 1965 (20 U.S.C. 1070 et seq.); (ii) Is extended to a consumer expressly, in whole or in part, for postsecondary educational expenses, regardless of whether the loan is provided by the educational institution that the student attends.

CFPB recently estimated private student loan debt at approximately $165 billion. While this is just a relatively small percentage of the $1.3 trillion student loan portfolio, it’s still a good chunk of change, and it’s only going to get bigger.

To start off the audit, take a step back and determine the infrastructure in place. Yeah, I know this is how we should start every audit, but most of the areas we review have been in place for a while so it’s pretty easy to take this step for granted. However, since there is a good possibility PSLs are relatively new at your CU, don’t gloss over it this time. This process should include the obvious, such as review of written policies & procedures. From these, and discussions with management, get a process flow, and evaluate strengths and weaknesses.
During the course of your review, ensure absolutely every part of the policy is followed. Examiners will always do the same, especially when it is a new product, and really especially when they (NCUA) consider it a “less established product.” Also, review board minutes to ensure the Board had appropriate knowledge and approval of this product prior to implementation. All too often financial institutions can jump into a trending new product in an effort to increase revenue. In such instances, proper due diligence can be easily overlooked. So, the addition of audit steps to ensure management did proper research prior to implementation is a must. This would also include third party due diligence, since it is likely your credit union is using a service provider in the PSL process. While I am sure your provider has the utmost respect for loan quality and regulatory compliance, and not just for making money each time you make a PSL, there are some out there who don’t. Make sure you have sufficient audit documentation to show the regulator your credit union did a decent job in this regard. Further, as with any third party process, determine how the provider is being paid, and opine on the appropriateness of same. It probably also wouldn’t hurt to review for any evidence of kickbacks going to the PSL lenders in your credit union.

Next up, perform a walkthrough of the process. Determine what, if anything, might cause an applicant to file a formal complaint in the process. Don’t think they will? Think again. CFPB’s most recent Student Loan Annual Report (dated October 16, 2013) estimates “3,800 complaints submitted between October 1, 2012 and September 30, 2013.” They also note many of these complaints pertained to borrowers trying to adjust repayment terms in times of hardship, debt collection practices, and payment processing. The latter issue, payment processing, takes up a good chunk (nearly 1/3) of the Annual Report, so having sufficient audit procedures in this area would be prudent. This should include an audit review of loan modifications.

To further this point, in July 2013 a regulatory joint issuance was released to:

Encourage financial institutions to work constructively with private student loan borrowers experiencing financial difficulties. Prudent workout arrangements are consistent with safe-and-sound lending practices and are generally in the long-term best interest of both the financial institution and the borrower.

While it must be noted the NCUA was not part of this issuance (it listed OCC, FDIC and FRB), it should not shock any of us if NCUA examiners look at this process, too. As such, include it in your audit program so you can also look at it. Also include a step in there to review how your credit union handles similar PSL-related complaints. Ensure there is a proper system in place to sufficiently log, track and resolve them. Based on review of ACUIA’s Forum, and discussions at a few Regional Meetings I have attended this fall, member complaints have become a hot topic.

One final note on the CFPB Annual Report. It contains several “might considers” for student loan servicers pertaining to transfer of loan servicing. Again, not necessarily requirements, but since many of CFPB’s “might considers” could very well be part of future NCUA AIRES checklists, well, you know. So, student loan servicers might consider:
• Providing notices prior to and following a change in servicer;
• Taking steps to ensure timely transfer of all documents and information;
• Taking steps to introduce greater consistency in the handling of payoff requests;
• Providing borrowers with a timely payoff system in writing; and
• Establishing more robust error-resolution procedures.

So then, internal auditors “might consider” including audit program steps to review the above bullet points. And, lest we forget, PSLs are consumer loans, and any consumer loan audit has to address regulations.
Pursuant to this, lenders offering PSLs must comply with Regulations B, E, P & Z, the Fair Debt Collection Practices Act, and the Fair Credit Reporting Act. Pertaining to Reg. Z, take a look back to 2009, when it was amended to include provisions of the Higher Education Opportunity Act. These revisions included mandatory PSL disclosures. These are covered in Subpart F of Reg. Z. Audit steps here should include a determination of whether or not your credit union’s compliance and/or lending areas have taken sufficient steps to ensure compliance in this area. The three sections of Subpart F cover the disclosure requirements, their content, and limitations on PSLs. We will also need to review compliance with the Electronic Funds Transfer Act (EFTA)/Reg. E, which kicks in if the loan servicer of the PSL within the scope of coverage obtains recurring electronic payments from borrowers.

Also test compliance with the usual suspects pertaining to consumer debt such as the Fair Credit Reporting Act/Regulation V, the Equal Credit Opportunity Act/Reg. B and Unfair, Deceptive or Abusive Acts or Practices.

Then there is the Fair Debt Collection Practices Act, which governs the activities of debt collectors; this seems to be of particular interest to CFPB when it comes to PSLs. Audit steps here can include looking at servicing records for borrowers in default as well as listening to a sample of collection calls. If your credit union is using a service provider for the collection process of PSLs, review to ensure the credit union has a process in place to monitor said provider for compliance in this area.

I know many of these aforementioned compliance steps will be accomplished by performing loan file documentation review, something most of us have done countless times in the past. But, as this is relatively new for many of us, we may want to do a bit more. This might include (if possible) observing the interaction between the borrowers and loan officers. This can assist IA in determining if the officers are properly applying PSL best practices and regulations. It may also reduce or eliminate subsequent borrower complaints. Finally, we will have to take a look at marketing. IA should review policies, procedures and controls to determine how PSLs are developed and marketed. Relationships between your credit union and service providers (brokers, agents, lead generators, etc.) to advertise, offer, or provide loans should also be reviewed. The examiners seem to be placing an emphasis on the lenders having the responsibility to ensure the service providers are in compliance. So, IA should determine if controls are in place on the part of the credit union to do so. I would also review the servicing agreement to ensure it spells out in detail the necessary responsibilities on the part of the provider. At the very least, compliance with applicable marketing portions of Regs. Z and B should be tested.

And, before wrapping this article up, I want to address the Allowance for Loan & Lease Losses (ALLL). First of all, ensure there is a separate line item on your ALLL calculation for PSLs. It should not just be grouped in with “consumer loans,” or for that matter, with government insured student loans, either. But, giving it a separate line item is not enough. For homogenous loans such as PSLs, many of us just use a three year loss history average as our loss percentage factor on the ALLL calculation. But, what if you have only offered the product for a year or two? If the loss history for this small window is zero, should the reserve also be zero? Well, examiners don’t like to see that. IA program steps in this area should include a discussion with the individual who prepares the ALLL calculation. Ask him or her how the loss factors for PSLs were determined in the event they have only been offered at your credit union for a year or two. A prudent way to reserve for these, at least until an adequate time period for loan loss history can be established, is to look at industry trends. One of these might be from the CFPB Annual Report mentioned earlier. According to the Report, “A noteworthy number of borrowers are in default.” Information such as this, coupled with the fact many college grads are struggling to find well-paying jobs (and thus, perhaps more prone to not paying their PSLs), should trigger at least some qualitative factor to be reserved for PSLs. Any such qualitative factor should be supported by a few words on the calculation worksheet as to how and why this figure was determined. And, if management still does indeed insist on a zero reserve, some prose to support this also needs to be in place.

So, there you have it. When all is said and done, it’s obvious Private Student Loans are just another loan product. But, again, given its relative newness, and increased regulatory focus, those of us auditing credit unions offering it should definitely give it a closer look.

About The Author
Sam Capuano, CBA, CRP, has been a financial institution internal auditor since 1985. He has been Manager of Internal Audit at Sunmark FCU in Albany, NY since starting the IA function there in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.
featured article
INFORMATION SECURITY PROGRAM
By Tom Schauer, CISA, CISSP, CISM, CRISC, CEH, CTGA, CEO at TrustCC (www.trustcc.com) & Michael David Brown, PMP
As the IT security threats that your organization faces continue to expand, it is becoming increasingly important to create a formal information security program to govern and direct your overall information security posture. Implementing a written information security program is the key requirement of the information security component of the Gramm-Leach-Bliley Act (GLBA). Even if it were not required by law, implementing a formal information security program would still be a best practice for any organization. These days, there are simply too many moving parts to an IT security program to rely on informal processes without a significant risk of important items being overlooked or forgotten. By formally documenting roles, responsibilities, and procedures, an organization can clearly delineate its expectations. Formalizing and writing down your policy can also help provoke discussion on the best solution to issues and even uncover areas where current practices may be deficient.

WHAT DOES GLBA REQUIRE?

To satisfy the requirements of the GLBA, your information security program must address several items. The program should include “administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities;” and it must be designed to “ensure the security and confidentiality of member information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.”

Designated Responsibilities: The GLBA directs that organizations designate specific responsibility for the information security program. The designated leader of the program should have sufficient experience, skills, and time to allocate to the program. Other designated roles would likely include senior management sponsorship, supervisor responsibilities, and the role of every employee to contribute to the program.

Risk Assessment: The GLBA directs that the program should be created by first identifying “reasonably foreseeable internal and external threats,” assessing their likelihood and potential damage, and then assessing the sufficiency of any systems in place that control those risks. This process is commonly referred to as the GLBA Member Information Security Risk Assessment and is the cornerstone risk assessment of the information security program. Risk assessment warrants a separate article and is not the core focus here. Risk Assessment has been addressed in past ACUIA Audit Report issues.

Policies, Standards and Practices: Beyond the controls identified in the GLBA Member Information Security Risk Assessment, the GLBA identifies several specific controls that each financial institution must consider:
• access controls on member information systems
• access restrictions at physical locations
• encryption of member information while in transit, or while in storage in locations to which unauthorized users may have access
• procedures to control information systems modifications
• dual control/segregation of duties
• background checks
• monitoring systems to detect intrusions
• incident response plans
• measures to protect against environmental hazards such as fire or water damage
• vendor oversight

Each of the above controls should have a dedicated policy/standard and well-defined and mature practices. Policies and standards for the items noted above are a minimum. In addition to the main GLBA-required program, it is recommended that credit unions create several other supplemental security standards to help ensure the security of the organization’s information. Having a clean desk policy and an end-of-day policy will help ensure that users properly secure information technology assets and physical media when away from their desks. Policies should also be put into place limiting the procurement, deployment, or configuration of hardware and software to IT personnel. This will help ensure that no unapproved devices or software are used, and will help reduce possible attack vectors as well as potential liability from the use of unlicensed software.

Finally, an item that is forgotten all too often is a policy for how to handle exceptions to policy. Sooner or later a critical business need or piece of legacy software will conflict with your information security program; exceptions are almost inevitable. A formal process should be put into place that will document the request for an exception, the business case for it, a risk assessment of the implications of the exception, and management’s approval of the exception. This documentation should be retained after the exception is approved, and a list of exceptions should be maintained and regularly reviewed by management to ensure that they are still necessary and appropriate.

Staff and Volunteer Training: The GLBA requires that the financial institution train its staff to implement the information security program. Even the best-written information security program will fail to protect your organization if it is not put into practice and followed by your staff. All personnel, and any volunteers, contractors, vendors, or interns that will be given system accounts or other access to sensitive information, should be required to review the contents of your information security program and provide written acknowledgement on an annual basis. Beyond simple policy acknowledgement, users should also be required to take part in security awareness training at least annually. This should instruct them in common tactics used by attackers, especially social engineering methods like pretext calling or phishing that could be used to target any employee. Training should specifically remind users to never share their passwords and that they should always follow your verification methods when contacted by “IT” to ensure that the communication is valid. It should also walk them through what items to check to spot suspicious emails or other requests for information, how to respond, and who to notify in the case of suspicious events. Staff security awareness training often occurs in many forms ranging from newsletter articles to presentations. The form is not important, but the effectiveness of the training is. Employees should be well equipped to address all forms of threats including malware, social engineering, and password cracking. One of the best ways to evaluate the effectiveness of training is a quiz one week after the training, combined with social engineering testing.

Testing of Key Controls: The GLBA requires that the key controls of the information security program be tested regularly by staff independent of those that develop the program, or by a third party. While penetration testing is often performed to fulfill this requirement, pen-tests are generally aimed at evaluating only technical controls. A more effective test would include pen-testing, general controls auditing and more. Organizations should identify the key controls not tested by their IT auditors and ensure those are also tested. A classic example is building alarms. An IT auditor generally does not test alarms, so testing should be arranged through another means. TrustCC intends to submit a subsequent article on selecting an IT Audit and Security Assessment partner. There are many vendors providing IT audit services and the depth and breadth of each vendor’s approach can vary greatly. It is critically important to select a vendor with a deep knowledge of credit union operations and compliance, thorough technical skills to evaluate vulnerabilities, and useful reports that will guide management through remediation.

Board Oversight and Monitoring: Finally, the Board (or an appropriate Board committee) should be involved in the development and maintenance of the information security program. They must approve the institution’s written program and receive a report from management at least annually detailing compliance with the program, including “risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.” One effective technique to provide more regular Board oversight and monitoring is to include in the monthly Board packet a report on the information security program. The report would not necessarily require a time slot on the meeting agenda or spark any conversation, but it would provide more timely dissemination of information to the Board. It is generally recommended to keep a monthly report to just one or two pages and to use colors or graphs to draw attention to the most important information.

CONCLUSION

Remember, a formal information security program should be enacted not just because it’s a GLBA requirement, but because it’s the best way to ensure the safety of your information systems and data. A robust information security program, in conjunction with regular training, is the foundation for any solid information security environment. Often, it will do more to protect you than a flashy new device or piece of software. Have you checked on yours lately?

About the Authors

Tom has been practicing in IT security, audit and compliance for over 27 years. He started his career as an information security analyst at a $3.5B bank. Tom later developed and led IT audit and security practices for Ernst and Young, Deloitte, and Guardent (now Verisign). In 2000, Tom recognized that community size banks and credit unions were underserved by existing consultancies. He started TrustCC to specifically address this unmet need. Since 2000, TrustCC has performed over 1600 IT audits and security assessments for about 400 community banks and credit unions. In addition to providing IT Audits and Security Assessments, TrustCC is contracted by the NCUA to perform some IS&T examinations. Tom is a frequent speaker at numerous national and international conferences including those hosted by the IIA, AICPA, ISSA, NASCUS, CMA, ACUIA, ISACA and NCUA.

Mike performs GLBA and custom audits for financial institutions, and as TrustCC’s “help desk” he uses his eight years of experience in audit, operations, project management, and finance to advise TrustCC’s clients on the best ways to address their IT security and compliance needs.
featured article
Six ERM Program Mistakes Credit Unions Make
By Alan White
The Audit Report | www.acuia.org |
13
Enterprise Risk Management, or ERM, is one of the biggest buzzwords in the credit union movement today. But many organizations struggle to implement ERM for a variety of reasons, ranging from staffing to measurements. To help their credit unions succeed in implementing ERM, internal auditors should be on the lookout for these challenges and be ready to avoid them. As George Santayana said, “Those that do not study history are doomed to repeat it.”

I have helped more than fifty credit unions with their ERM efforts. Before that, I assisted ERM efforts at organizations ranging from Fortune 500 technology companies to small community banks. Despite differences in size, industry, structure, and objectives, organizations seem to face the same challenges and make the same mistakes again and again when implementing ERM. In the pages that follow, I will share some of these mistakes as well as some lessons I’ve learned from my experience implementing ERM.

Mistake Number 1: Misunderstanding the goal and scale of ERM
This may seem simple, but misunderstanding the goals and deliverables of ERM is the most common mistake that organizations make. Often, this happens when ERM was recommended (or demanded) by a regulator or auditor without clear guidance. The natural reaction of the management team is to hope to satisfy the regulator by building something “ERM-like” with a minimum of effort and cost. This is not an unreasonable reaction, and I fully understand it. But if the goals of ERM are not well understood, the program will not receive sufficient resources, will often have several “false starts,” and will lose momentum. As a result, the progress of the risk management program will rarely satisfy those who demanded it. Worse yet, little value will be realized or perceived, because there was a fundamental lack of understanding of the goals of the program at the outset.

What is the goal of ERM?
Simply put, the goal of ERM is to understand and manage the uncertainty involved in making decisions and operating the business. Any manager worth his salt knows that to be successful and drive results, he must manage money, people, technology, partners, projects, and customers. High performing managers also manage uncertainty by identifying potential surprises that could destroy profitability and preventing them, preparing for them, or avoiding them altogether. That means that sometimes plans will change or be refined based on the new information you have gathered. In fact, fair measurements for ERM might be: “how many strategic mistakes have we avoided by doing some basic analysis of risks?” or “how many errors did we root out of a given project?” Those are tough things to measure, but hopefully they give a better idea of why the organization is undertaking ERM in the first place.

Mistake Number 2: Inappropriate reporting structure
Inevitably, the question of staffing will come up. Should the program report to the COO or the CFO, or should there be a Vice President of Risk Management? I have seen credit unions succeed and fail with each of these structures, so clearly there is no perfect answer. It seems that, all things being equal, the magic number for a credit union to have a dedicated risk management person is $750 million in assets. ERM is a somewhat new concept for credit unions, and they have a lot of latitude in determining the best structure. I usually recommend that the credit union simply ask the executive with the most interest in and best skills for the job to lead ERM.

But there is one mistake that credit unions must avoid. ERM should not be “given” to internal audit or compliance, nor should it be completely outsourced. Credit unions will often make one of these mistakes, and they are dangerous to the success of the program.

Internal audit has a very specific role to play that is related to, but not the same as, managing risk. Internal audit is meant to give the board and supervisory committee an effective way to obtain assurance that business activities are being conducted in accordance with set policies and guidelines. Internal audit should be as independent from management as practicable and should not make operational or strategic decisions. Risk management is part of management: it makes decisions and implements them (think in terms of Human Resources’ role in managing people). This can create a conundrum, however, because internal audit often has the most relevant skills to undertake risk management. Because of this, a successful formula will sometimes include expanding the Chief Audit Executive’s responsibilities to include risk management. But this structure is usually only successful if personnel are expanded or redeployed accordingly. Risk management can report to audit, but the opposite should never be true, for independence reasons.

Using compliance as the risk management function is also dangerous. Regulations are rarely focused on the most current risks. For example, the FFIEC required an online banking risk assessment by December 31, 2011, but online banking had been popular for years. In addition, the objectives of compliance are rarely the same as the credit union’s. Rarely (if ever) have I heard of an examiner recommending faster growth, more lending products, or upgrades to member-facing technology. Yet those are all common initiatives for credit unions.

Finally, there is the question of whether it is better to tackle the job in house or to use a consultant. As a consultant, it breaks my heart to admit this, but consultants cannot provide a silver bullet to completely build ERM for you. They can provide specific information or guidance and can be extremely valuable in helping you plan out your activities. If you hire a consultant, use a specialist, not a firm that has simply “added on” ERM to its service offerings. Even if you choose to hire a consultant, you will need someone internal to the credit union who is dedicated (although not necessarily full time) to driving the program to success.
"Effective metrics serve as early warning signs that allow you to realize when risks are imminent and take action to reduce the damage quickly." Mistake Number 3: Managing all types of risks with the same methods Many credit unions attempt to use the same risk management method regardless of the type of risk. But clearly, interest rate risk is managed very differently than transaction risk. And strategic risk is managed differently than either of those. The NCUA has defined seven categories of risk. But for most credit unions, I find those categories to be incomplete and unwieldy. As a result, I tend to divide risks in to three categories: operational (transaction, some credit, most compliance), financial (interest rate, liquidity, some credit, some compliance), and strategic (strategic, reputation, some credit). Risks can also be from internal or external sources. The most common mistakes are either to use process controls (segregation of duties, access rights, documented procedures) to manage all types of risks, or to use financial risk techniques (data models, industry benchmarking) to manage operational risks. Clearly, operational risks should not be managed using financial risk management tools and vice versa. And neither of these toolsets is effective for managing strategic risk. Mistake Number 4: Ineffective measurements Bill Hewitt of HP is widely believed to have first coined the phrase “You cannot manage what you cannot measure.” Regardless of who first said those words, the concept is as true about ERM as it is about any other initiative. In fact, effective risk metrics are the best way credit unions have for reducing the impact of many risks (most risk management focuses on prevention). Effective metrics serve as “early warning signs” that allow you to realize when risks are imminent and take action to reduce the damage quickly. 
Organizations that do this well also assign thresholds for each metric and build required action plans to be executed when metrics fall outside of those acceptable bounds. In some cases, this can be integrated with existing performance metrics or balance scorecard measurements. Mistake Number 5: Over reliance on models One mistake that many organizations make is to believe that all the risk in the enterprise can
be represented by a single, dollar denominated number. The thinking goes that if we can identify all of the events that might impact us, we can also assess their probability in percentage terms and their impact in dollar terms. Simply multiplying the probability percentage times the dollar impact gives an expected value for the risk. If the expected value of all risks are summed, then a total risk number is calculated. And in theory, we can add math that analyzes the interconnectedness of these risks to take into account the belief that if Risk A occurs, Risk B is more likely or has a greater impact. This method is often used to analyze financial risks (interest rate changes, etc.) with varying degrees of success. But it is not appropriate for analyzing operational or strategic risks (see Mistake 3 above). I’ll leave a discussion of the statistics for another article, but the simple fact is that probabilities and dollar value estimates of operational risks are highly subjective and easily manipulated (often when the “total risk” seems to be getting outside of the risk appetite, the estimates are simply changed). In addition, the number of intertwined scenarios increases exponentially as risks are added to the model. In fact just twenty interconnected risks create over a million combinations! Truly understanding those interconnections in mathematical terms is nearly impossible. Even if theoretically possible, most organizations simply do not have the time, resources, and skill sets to collect and monitor all of this data in real time. This means that all of this effort and analysis is done to create what basically amounts to a made up number. And of course, relying on that number could lead to a false sense of security. The large investment banks learned this lesson the hard way late in 2008 when they relied on their highly sophisticated, yet clearly flawed, “Value at Risk” models. 
As discussed above, efforts would be better spent identifying a set of key risks to the enterprise, and building simple metrics to monitor them. The power of this approach is that it spends more time on actively managing risk and less time on trying to identify a total (but ultimately subjective) number that represents the amount of risk in the organization. Mistake Number 6: Poor project management and program measurement I have found that basic project management is often lacking from ERM programs. There are
rarely set milestones, including clearly defined deliverables and task assignments. This makes it almost impossible to ensure accountability or to measure the results of the program. In fact, many organizations (not just credit unions) do not have strong project management skills in the organization at all. If successful project completion has been elusive within your credit union, ERM can actually provide an opportunity to build some of those competencies. One credit union I worked with had a “Strategic Services” group that included Risk Management, Project Management, Process Excellence, and Strategic Planning (a group that only included two professionals). These skills often overlap, so this structure can work well. The Last Word: ERM is new to most organizations, and challenges are to be expected. But most of the challenges can be overcome by knowing them ahead of time, learning from the experiences of other organizations, and applying sound management principles (sounds like basic Risk Management!). Every ERM failure I have witnessed can be traced to one (or more) of the mistakes I list here. I hope that these lessons can increase the odds of success in your ERM efforts and help you to use ERM as a powerful management tool.
About the Author
Alan White is the founder and President of CU Accelerator, a leading provider of Enterprise Risk Management & Strategic services and Governance, Risk & Compliance software for credit unions. Alan has also assisted the implementation of ERM-related projects at more than 100 organizations, ranging from local credit unions to Fortune 500 companies. Prior to founding CU Accelerator, he was a Risk Management and Business Consulting Executive at Arthur Andersen and at Ernst & Young, as well as an Internal Auditor at Revco Drug Stores and Goodrich. He holds a Bachelor of Science from Carnegie Mellon University and an MBA in Finance from the University of Texas at Austin.
Developing High Performing Auditors
By Dean Rohne

Training and supervising staff is not most internal auditors’ top priority when managing an internal audit department; however, it might be the most important activity for a long-term successful audit department. The Institute of Internal Auditors Professional Standard 1230 requires internal auditors to enhance their knowledge, skills, and other competencies through continuing professional development. There are many resources available to accomplish this, including training provided by the Association of Credit Union Internal Auditors. Training should go beyond technical knowledge and also address communication, technology, and leadership skills.

To meet the long-term needs of the internal audit department, it is vital to maintain an inventory of each auditor’s areas of expertise, certifications, and the organizations in which the department is involved. Once this is complete, an annual and long-range development plan can be drafted to identify current and future audit needs and determine areas of focus within the department. There might also be areas identified where it is clear that the audit department will not be able to obtain the level of expertise needed. Decisions can then be made to hire the expertise needed or to contract with a specialist to complete these audits.

Obtaining feedback from others and providing feedback to internal audit staff can be challenging, but it is an important part of employee development. Feedback can be obtained in many forms, including review notes, audit surveys, project performance evaluations, employee development plans, and periodic employee evaluations.

Review notes are a long-standing form of evaluation. Through the review process of an audit, a reviewer will look over the audit workpapers for quality. He or she will identify areas that need to be corrected in the audit workpapers. There might be questions on the scope of audit work, on the documentation of an audit finding, or on improving internal controls. Reviewers should resist the urge to just correct the audit work themselves. While this is more efficient in the short term, it does not allow for feedback on performance, nor does it give the preparer the opportunity to learn.

Audit surveys are a tool that can be used to obtain feedback from outside the audit department. A survey is generally completed once an individual audit is finished. It will identify whether the audit was completed efficiently and effectively, as well as allow for suggestions to improve the audit process.

Project performance evaluations are a less formal way to provide feedback to staff. The evaluation is generally limited to a specific project or audit. The form is generally simple and easy to complete, usually consisting of four questions or fewer. In most entities it is generally not included in an employee’s personnel file. It identifies what the employee did well on a project and what could be improved. Internal audit departments may consider requiring these to be completed for projects where staff involvement exceeded a set number of hours, such as 20 or 40 hours.

A development plan is a tool that identifies short- and long-term goals. It also describes what the employee is going to do to reach those individual short- and long-term goals. Short-term action items might include identifying certain training to obtain in order to learn a new skill set. They might also include completing an audit area not completed previously, to expand knowledge. Long-term goals go beyond training to identify a skill or set of skills needed for the employee’s career advancement. These will not generally be completed in six months or a year, but over multiple years.

Periodic employee evaluations are completed for employees in accordance with the credit union’s evaluation policies. It is crucial to provide honest feedback to employees, even if the news is hard to deliver. While difficult in the short term, it will be beneficial for the employee and the credit union in the long term. In addition to a written evaluation, a meeting should also be scheduled to review the details of the evaluation and discuss any of the positive or negative items identified within it.

Setting up development plans and providing feedback through a systematic process in many forms might seem like a lot of work that will take away from time spent completing audits. However, the time spent in these areas will improve the quality of audit staff, both in completing audits and in developing an employee’s long-term career, whether within the internal audit department or in meeting the credit union’s needs outside the audit department.
About the Author
Dean Rohne is a principal in CliftonLarsonAllen’s credit union services group. He provides audit services to credit unions throughout the country. He can be reached at dean.rohne@claconnect.com.
The Standards: Engagement Scope
by Pat Richey, Retired Internal Auditor
The key to an appropriate scope is in the risk. The higher the risk, the greater the scope.

In last quarter’s issue, there was a discussion about establishing the audit’s objective as part of the audit planning process. In audit planning, internal audit must also determine the audit’s scope. The International Standards for the Professional Practice of Internal Auditing (Standards) does not say much about scope, or even define it. Scope is the extent, or the range, of the audit. What is the breadth of the audit, or how deep will it go? Will the audit cover a full year of transactions, transactions since the last audit, or one week’s worth of transactions? The audit scope is the boundary of internal audit’s activities toward answering the audit objectives. There should be a limit to how much the internal auditor will review. Think of it as drawing a box around the required audit activities. Inside the box is what is included in the audit. More importantly, what is outside the box is what is not included in the audit. The scope provides a focus for internal audit. What is or is not in the box should be well-defined. The scope should be stated in the audit report so that the reader understands what was and was not reviewed. You don’t want the audit report reader to assume you looked at every transaction if you only looked at a sample of transactions. The International Standards for the Professional Practice of Internal Auditing states in Standard 2220 that whatever the breadth and depth of the audit, it must be sufficient to satisfy the audit objective. The audit objective and the scope go hand in hand.

Do you have to review all transactions or loans to satisfy the audit objective? A loan fraud audit would entail looking at all of the loans for a particular loan officer. However, to determine if a process is working accurately, a week’s worth of transactions might be sufficient to conclude that a process is working effectively. Generally, we would look at the previous quarter when performing an audit.

At the beginning of each month, we would define a start date and an end date for each audit, and a date for the draft report and the final report. However, sometimes during an audit, issues would come up that made us want to increase the scope. If we wanted to change the scope, we would look at the scheduled audit end date and determine if we could change the scope and still meet our end date. Depending on the significance of the issue, we would either increase the scope and get off schedule (which meant a future audit would end up with a narrower scope than planned), schedule a separate audit to deal with the issue (and use unallocated hours to do the audit), or postpone looking at the issue until the next audit plan.

Scope Creep
Scope creep is where the scope just keeps getting bigger and bigger, so more time and work is involved than originally planned. Or scope creep might be the result of poor planning. Generally, audit scopes are probably too ambitious. Internal audit tries to tackle too much, and then is unable to stay on schedule. Poor planning in determining the audit scope will result in not staying on the audit schedule. As mentioned last quarter, my audit department worked with narrow audit objectives. But our audit scope was quite deep and comprehensive, given the audit objective. Standard 2220.A1 states that the audit scope must include consideration of systems, records, personnel, and physical properties, including those under the control of third parties. However, we generally looked at systems separately as an IT audit, and third parties under vendor management audits.

About the Author
Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
What’s Happening on the Forum
by Warren Whiteoak, CUCE, BSACS
Summary of Recent Discussions on the ACUIA Forum
The purpose of this column is to summarize the discussions on ACUIA’s Forum. The Forum is being used more and more every day. So go to www.acuia.org and see what your peers are discussing, and join in.
Just a reminder, if you are requesting a copy of a policy or procedure on your post to the Forum, remember to include your e-mail address so people can respond directly to you since there is no way to attach documents to Forum responses. Also there is no need to send a thank you for responses to the Forum. If you want to thank respondents send them an e-mail directly. And lastly, if you are sending someone a copy of an audit program please also send the program to the Executive Office so they can include it in the Association’s Audit Guide.
Question: How is your Internal Audit department structured?
Answer: Check out the Forum to see how your department’s structure compares to others.
Question: What is the size of your Internal Audit department?
Answer: Refer to the Forum for the sizes of various Audit departments.
Question: Who investigates member complaints?
Answer:
If the complaint is from the NCUA or sent to the Supervisory Committee, it is investigated by Internal Audit. Other member complaints are investigated by Member Services.
Question: Are there credit union staff or officers on the Board of your CUSOs?
Answer:
The majority of respondents stated that at least one officer from the credit union is on the Board of their CUSO(s).
Question: Do you have an IT auditor on your staff?
Answer:
Four credit unions did not and two did. Of those that did not, many outsourced the IT audit function.
Get involved in the conversation at www.acuia.org
ACUIA news
MEMBER SPOTLIGHT
by Tabitha Ernst-Chadwick
Greg Czyzewski
This issue’s Member Spotlight is dedicated to Greg Czyzewski. Greg is the new Region 3 Director.

Tell us a little bit about yourself, Greg.
I am a lifelong resident of Indiana. I was born and raised in South Bend and now live in Mishawaka. I have worked for Teachers Credit Union for 26 years.

What about your spare time? What do you like to do for fun?
In my spare time I play guitar and sing. I perform in a band locally and have also written songs and recorded a CD. I primarily play classic rock, folk, and country (50s, 60s, 70s). During the summer months I follow baseball closely and try to attend major league games when I can.

How long have you been involved in auditing?
I have been on the audit side for 14 years. Prior to auditing, I spent time as a loan officer and branch manager. Auditing (or rather expectations of the audit department) has evolved fairly significantly over the past 14 years, which sometimes presents challenges in building the right audit team.

What do you look for when seeking out new audit employees?
Like my own experience, I feel it is extremely beneficial to have auditors who have held other positions besides auditing. All of my team members have held other positions either within the credit union or elsewhere. This really helps to add perspective and credibility when dealing with auditees.

Let’s switch gears to your ACUIA involvement. You are the new Region 3 Director, so that tells me you enjoy volunteering and working with the association. What are the ACUIA benefits that you find most rewarding?
The interaction with other credit union auditors is by far the most rewarding. The shared experiences and stories from other auditors are a valuable tool you won’t find in any audit manual.
FUN FACTS ABOUT GREG
Favorite sports team: Chicago Cubs
Favorite food: Almost any type of Mexican or Italian food.
Favorite vacation destination: Arizona for MLB Spring Training
Psychological disorder: Being a lifelong Cubs fan
REGIONAL NEWS

REGION 1
Director Julie Wilson
Director Internal Audit, iQ CU
360.992.4233
juliew@iqcu.com

Region One meeting summary, submitted by Larae Jensen, Internal Auditor
Region One held a meeting on September 27, 2013. It was hosted by iQ Credit Union in Vancouver, Washington. There were 26 attendees from 22 credit unions in Washington and Oregon. There were five topics on the agenda as well as a roundtable discussion. The following is a synopsis of the presentations.

1. Fraud Current Trends. Presented by Nancy Young, Senior Manager, Moss Adams. Topics included how and why fraud occurs; identifying different types of internal controls; understanding different fraud schemes; and characteristics of a fraudster.
2. Compliance and Regulatory Update. Presented by Katie Clark, NW League. Topics included CFPB final rules and upcoming actions; NCUA final rules and upcoming actions; State Legislative update; and NCUA Fair Lending.
3. DFI Compliance Exams and Establishing and Maintaining a Compliance Program. Presented by NWCG. The session focused on the Sept 11, 2013 DCU Bulletin outlining processes for enhancing compliance examinations for CUs with assets over $500M and compliance program requirements. Significant highlights from that discussion:
• Credit unions with less than $500M will continue to have compliance audits incorporated with safety and soundness exams; BSA will continue to be part of safety and soundness; mortgage lending compliance will most likely be the highest priority; results may be shared with NCUA; audit ratings will compare to the FFIEC rating system
• Compliance programs must be appropriate to the size, complexity, diversity of operations, and resources; establish roles and responsibilities of staff responsible for compliance within the CU; and should be comprised of four interdependent control components:
  - Board and Management oversight
  - Compliance Program
  - Consumer Complaint Monitoring and Response System (this per CFPB)
  - Compliance Audits
4. Trends in Auditing: Safety and Soundness. Presented by Ryan Sturgis, Audit Manager, Moss Adams. Topics included the “good and the bad” trends for both banks and credit unions; what we learned from the “great recession;” and hot topics such as rising interest rates, credit loss and the ALL estimate, concentration risk, and operational risks.
5. Auditing the Member Complaint Process. By Heidi Rinkel, Internal Auditor, WSECU. Topics included CFPB discussion; determining what constitutes a complaint; the method by which complaints are received; and logging complaints and reporting to the board of directors.
6. Roundtable Discussion. The roundtable covered a number of important topics, including interest rate risk; the 2014 Audit Plan; ACUIA Chapters; branch audits; incentive program audits; new payment systems; and RDC issues.

The ACUIA Regional Meeting is a very good resource and always raises many questions and areas of concern. Our members have said, “I find this venue valuable, insightful, enlightening, fun, and a great networking opportunity.”

REGION 2
Director Margaret Chamberlain, CUERME
Assistant Director Internal Audit, Arizona State Credit Union
602.452.4960
margaret.chamberlain@azstcu.org

The Region 2 meeting was held November 15th and 16th in Phoenix, AZ. The meeting was attended by credit unions from AZ, CA, and Nevada. The agenda included a large variety of topics, including: Branch Audits, Data Analytics, PCI Compliance, Elder Abuse, Fannie Mae Quality Control update, Audit Plan Development, and Board Reporting Requirements. I would like to thank two individuals in particular for traveling so far to present: Sam Capuano and Rick Woods, we appreciate your support and dedication to the ACUIA.
REGION 3
Director Dean Swenson
General Auditor, Wings Financial Credit Union
952.997.8131
dswenson2@wingsfinancial.com

Region Three Meeting Summary
During September, Region 3 had its annual meeting at the Michigan State University Federal Credit Union. Topics covered included ERM, Lending, Branch Audits, Payment Fraud, and the Internal Auditor’s Duties Outside of Auditing, to name a few. I highly recommend Randy Romes’ bear story if you have not had a chance to hear it. The feedback for the meeting topics and location was excellent, once again showing the great value that ACUIA provides its members. Thanks to James Hunsanger and his staff for being great hosts and providing an excellent location for our meeting. There were thirty-three attendees at the meeting from twenty different credit unions. Eight of the attendees were new to ACUIA! Special thanks go out to our presenters and meeting sponsors: Crowe Horwath, CliftonLarsonAllen, MossAdams, and DoerenMayhew. Your support was essential to the success of the meeting.

Indiana Chapter News
Jeff Watson, from Indiana University Credit Union, has agreed to be the Chapter Coordinator for the State of Indiana. If you are located in Indiana or any of the surrounding states, give Jeff a call to participate in the chapter. Thanks to Jeff for stepping up to take this position.

Other Region News
Moving forward, I am stepping down as the director of Region 3, as I feel it is time for some new ideas and perspective to be brought to the region. I have truly enjoyed my last three years serving as the Region 3 Director for a great association like ACUIA. I have not left the credit union industry and will continue to be seen at future ACUIA events. The leadership of Region 3 will now be in the capable hands of Greg Czyzewski of Teachers Credit Union in Indiana. Good luck to Greg; I have no doubt that he will do a great job.
25
ACUIA NEWS
REGION 4
Director James Wright, CIA, CISA, CRMA
VP Internal Audit, Anheuser Busch ECU
314.657.9220 jwright@abecu.org

Chapter Meeting Summary
There was a great turnout for the North Texas Chapter meeting on Friday, November 1. UHY Advisors hosted the event at their downtown Dallas location, which offered a beautiful view of the city. Chapter members were encouraged to participate, enjoying the interaction and input of fellow members. The speakers were very knowledgeable, informative, and offered a lot of insight regarding the topics covered. The meeting was a training event that offered 7 hours of CPE credit and covered the topics of Social Media Risks, Understanding SSAE Reports, Critical Thinking, Audit Report Writing, Assessing Risks & Controls, Financial Statement Ratios for Internal Auditors, and Optimized Meeting Communications.

Regional Meeting - Planning
Pre-planning for the next Regional Meeting has begun and I am soliciting input for topics, speakers, venues, etc. The vast majority of the members in Region 4 reside in Texas; therefore, my plan is to hold the 2014 meeting in Texas, probably Houston in April. Over the last five years, the event has been held in the following cities:
• 2013 – St. Louis
• 2012 – Cancelled
• 2011 – San Antonio
• 2010 – Dallas / Ft. Worth
• 2009 – Austin

If you have any suggestions for topics, speakers, sponsors and/or venue (in the Houston area), please contact James Wright or Kimberly Wiersema, Associate Director and North Texas Chapter Coordinator. Also, any help planning and carrying out the event would be much appreciated, so if interested please contact one of us regarding this as well.

Volunteer Opportunities - Reminder
There are volunteer opportunities available to serve as Chapter Coordinators in Region 4. The states in our region that currently do not have Chapter Coordinators are Arkansas, Kansas, Louisiana, and Oklahoma. There are also opportunities in other areas of Texas to take on the Chapter Coordinator role.

Responsibilities: Establish a chapter which consists of ACUIA members in a major metropolitan area or state and continuously identify new members for the chapter. Coordinate meeting locations and times, develop meeting agendas, and obtain speakers when appropriate. Meetings may include, but not be limited to, training sessions with speakers, round table discussions, luncheons, and informal sharing of best practices. Inform your Regional Director of chapter activities and prepare a report of chapter activities for inclusion in the ACUIA Audit Report magazine. Chapter Coordinators must be available to attend quarterly conference calls with the Board Liaison and Regional Directors. (Source: ACUIA website) If interested, please contact James Wright or Kara Giano, the Board Liaison.

REGION 5
Director Lorraine Heneka, MBA, NCCO
Director of Internal Audit, Hudson Valley Federal Credit Union
845.463.3011 x-1010 henel@hvfcu.org

Region 5 Rocks!!! We had another successful meeting this year with about 45 in attendance, including registrants and speakers! The meeting was held September 30th & October 1st at SEFCU in Albany, NY. The presentations were all very informative, and attendees found the networking opportunities extremely valuable. Thank you to John Gallagher and his staff at SEFCU for hosting again this year. As always, you did a great job for us! Thank you also to the following individuals who gave great presentations at the meeting:
• Carrie Kennedy from Moss Adams: two presentations - Internal Audit and ERM; Fraud Prevention/Detection
• Jay Bowman from Accume Partners: Business Continuity/Disaster Recovery
• Rick Woods from Security Compliance Associates: How to Audit/Assess an SSAE 16 and SOC 1 & 2
• Sam Capuano from Sunmark FCU: Internal Audit Roundtable
• Dean Rohne from CliftonLarsonAllen: The Internal Auditor's Duties Outside of Auditing
• Mike Carter from Credit Union Association of New York: Regulatory Compliance Update

If you have suggestions for speakers or topics for the 2014 meeting, feel free to contact me at henel@hvfcu.org. Planning will be underway soon. I wish you all a happy, healthy and successful 2014.
GOT QUESTIONS?
Contact your regional director to find out the latest on region news and events.
REGION 6
Director Bobby Nichols
SVP – Audit Services, State Employees' Credit Union
919.839.5338 bobby.nichols@ncsecu.org

Our Region 6 meeting was held September 16-18th in Alexandria, VA. We were fortunate to have another strong slate of speakers who covered topics relevant to the credit union industry. CEO Frank Pollack from Pentagon Federal Credit Union kicked off the meeting, challenging attendees to have an Audit voice at the management table and be active, not reactive. An interactive session by NCUA Region 3 Interim Director Myra Toeppe allowed an opportunity for credit unions to hear NCUA focus areas as well as ask specific questions. Other topics covered included ERM, Lending Compliance, QARs, Audit Interaction with Supervisory Committees, and IT Risk Assessments. Around 30 members were in attendance for the sessions, and we were treated to a Braves-Nationals baseball game for our group outing. We will be heading South next year, as Savannah, Georgia is being considered for the Fall 2014 regional meeting.

The next Carolinas chapter meeting will be held on Friday, December 13 at Founders FCU in Lancaster, SC. Todd Sherpy will be our guest speaker and will be leading a discussion on "Compliance Focus 2014." The meeting starts at 10:00 and will also include a roundtable discussion on topics of interest to the attendees.
REGION DIRECTORS
Region 1: Julie Wilson, CU juliew@iqcu.com
Region 2: Margaret Chamberlain, CUERME margaret.chamberlain@azstcu.org
Region 3: Dean Swenson, CPA dswenson2@wingsfinancial.com
Region 4: James Wright, CIA, CISA, CRMA jwright@abecu.org
Region 5: Lorraine Heneka, MBA, NCCO henel@hvfcu.org
Region 6: Bobby Nichols bobby.nichols@ncsecu.org

CHAPTER COORDINATORS
Contact these volunteer leaders and get involved in local ACUIA activities.
Arizona Chapter: Allen Lorti alorti@sunwestfcu.org
California Chapter: Kara Giano, CIA, CIDA, CRMA kgiano@golden1.com
Carolinas Chapter: Roger Holcomb, CIA, CBA, CFSA, CFE, CRP roger.holcomb@sharonview.org
Indiana Chapter: Jeff Watson
Minnesota Chapter: Van Sprenger vsprenger@toplinecu.com
North Texas Chapter: Kimberly Wiersema kwiersem@cuoftexas.org
New York City Chapter: Warren Whiteoak, CUCE, BSACS wwhiteoak@progressivecu.org
St. Louis Chapter: Shashawnee D. Newhouse, CUCE snewhouse@firstcommunity.com
Tennessee Chapter: Mark Jenkins, CUCE mjenkins@tvacreditunion.com
Utah Chapter: Randy Manscill, CIA, CFE, CFSA rmanscill@americafirst.com
ACUIA SELECT (as of December 31, 2012)
[Sponsor logos by tier: Platinum, Gold, Silver, Bronze, Sponsors]

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.
Orth, Chakler, Murnane & Company, CPAs
"Reaching New Heights"

Partners
Douglas J. Orth, CPA, CFE
Hugh Chakler, CPA, CISA, CITP, CFE
John J. Murnane, CPA
Daniel C. Moulton, CPA
James A. Griner, CPA
Lori J. Carmichael, CPA

Our partners and managers work on-site, providing direct access to our most experienced professionals. We provide free telephone support and advice throughout the year.

The 2nd Annual OCM Supervisory Committee Conference will take place on October 19 - 21, 2011, in Dallas, Texas. Please see our roster of speakers and relevant topics at http://www.ocmcpa.com

Services provided by our firm
• Opinion Audits
• Pension/401(k) Audits
• CUSO Audits
• Internal Audit - Co-sourcing/Outsourcing
• Information Technology Audits
• ACH, BSA/OFAC, ATM PIN Audits
• Credit Union and CUSO tax services

Office Locations
• Miami, Florida
• Charlotte, North Carolina
• Dallas, Texas
(We currently serve credit unions in 28 states)

12060 SW 129th Court - Suite 201, Miami, FL 33186
Phone: (888) 676-3447 Fax: (305) 232-8388 www.ocmcpa.com
Membership Application / Renewal
January 1 – December 31, 2014

Payment Processing Center
P.O. Box 150908, Alexandria, VA 22315
Phone (703) 688-2284
Fax (703) 348-7602

Credit Union Information
Credit Union Name: ______________________ Website: ______________________
Credit Union CEO: _______________________ Toll Free Number: _______________
Address: _________________________________________________________________
City: ______________________________ ST: ______ Zip Code: _________________
DP Firm: ________________________ Audit Firm: ___________________________

Membership Options (indicate # for each)
_____ New Member _____ Renewal
_____ $200 1st Internal Auditor Member
_____ $125 Each Additional Internal Auditor
_____ $125 Each Supervisory / Audit Committee Member

Primary Member Information
_____ Privacy Information: Do not include my name in the ACUIA Directory
First Name: ______________________ Last Name: ______________________________
Title: ___________________ Phone Number: (______) ______________ Extension: ______
Fax Number*: ___________________ Email address*: ___________________________

Additional Members Information
2. Name: _______________________ Email address*: _______________________ ¹_____
3. Name: _______________________ Email address*: _______________________ ¹_____
4. Name: _______________________ Email address*: _______________________ ¹_____
5. Name: _______________________ Email address*: _______________________ ¹_____
6. Name: _______________________ Email address*: _______________________ ¹_____
7. Name: _______________________ Email address*: _______________________ ¹_____
8. Name: _______________________ Email address*: _______________________ ¹_____
9. Name: _______________________ Email address*: _______________________ ¹_____
¹ Privacy Information: Do not include my name in the ACUIA Directory.
*Fax and/or email will be used for member communications.

Payment Information
Payments to ACUIA are not deductible as charitable contributions for federal income tax purposes. However, they may be deductible under other provisions of the Internal Revenue Code. Federal Tax ID # 39-1666875

Credit Card: _____ VISA _____ MasterCard | _____ Check or Money Order Enclosed #: _____________ TOTAL: $________________
Card Number: __________________________________ Expiration Date (mo/yr): ___________ Security Number (3–4 digit number on back): ___________
Cardholder Name: _______________________________ Authorized Signature: ________________________________
Cardholder Address: ______________________________________________ Date: ___________________________

The Association of Credit Union Internal Auditors (ACUIA) collects credit card information to make it easier for you to sign up for membership, as well as pay for other services. ACUIA does not use or share credit card information for any other purpose. We retain such information as is needed for standard accounting record keeping requirements. Every step is taken to protect against the loss, misuse, and alteration of the information under our control. If you prefer, please use a check or money order to make any necessary payments.
Go higher. Rocky growth. Compliance cliffs. Steep risks. You don’t have to make the ascent toward your financial institution’s goals alone. At Doeren Mayhew, our highly specialized Financial Institutions Group has helped more than 200 institutions like yours find opportunities to drive growth – from climbing toward enterprise risk management, to overcoming steep compliance challenges, to harnessing technology to stay relevant on new delivery systems. Simply put, we know the ropes. So whether your vision is to achieve new heights, or you need a rescue mission, you can always work in tandem with us. Call 248.244.3159 to start the climb.
Insight. Oversight. Foresight.℠ | 248.244.3159 | doeren.com