ACUIA Audit Report Volume 23 Issue 4


Volume 23, Issue 4, 2014

The Magazine of the Association of Credit Union Internal Auditors, Inc.

HOUSE RULES A new proposal from CFPB will expose more details about your mortgage process

SOME THOUGHTS ON LEVERAGING YOUR AUDIT RESOURCES

A NEW FOCUS ON REMOTE DEPOSIT CAPTURE

THE STANDARDS: AUDIT SAMPLING



{contents}

DEPARTMENTS

From the Editor: Bad News or Worse News? Tabitha Ernst-Chadwick

Chairwoman’s Message: Gratitude. Dana McCranie

The Standards: Audit Sampling. Pat Richey

Information Security: Change Management. Tom Schauer

Member Spotlight: Tammy Farmer

Regional News

Region Directors and Chapter Coordinators

FEATURES

Open House: The CFPB has issued a proposal for significant new disclosure requirements under the HMDA. John Zasada and Zachary Pearlstein

How am I Going to Get All These Audits Done? Some Thoughts on Leveraging: Learn the five areas to consider that will allow you to maximize your audit resources. Doug Wright

All About “It”: “It” is known by many names – Merchant Capture, Corporate Capture, Image deposit – but whatever you call “It” check out this article to learn how to establish a good audit plan for RDC. Sam Capuano

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick

Designer: Victoria Valentine

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases.

Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284

© Copyright 2014, ACUIA. All rights reserved.


{from the editor} BAD NEWS OR WORSE NEWS? Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

The other day I hit a co-worker’s car. Because you will likely dismiss them as silly excuses and because they aren’t really relevant to this story anyway, I will spare you my slew of rationalizations and explanation of events that led to what I’ve dubbed the incident. Bottom line – car crash, another VP at work, in the parking lot, my fault. This of course was not how I wanted my day to begin. Yet in total defiance to my own plans, begin this way it did.

Man did I dread that phone call. I actually contemplated whether or not I could somehow get my co-worker’s car to the body shop, have the scratch buffed out, and back into his parking space without his knowledge. Alas as I have no experience with grand theft auto (not even the video game!), I had to make the call. The tone in his voice when he answered the phone told me that he already knew about the incident. He was not happy to see my name on his caller ID. I launched into my spiel anyway (which included all of the rationalizations and explanation of events from which you have been spared) and ended with profuse apologies. You know what I heard in his voice after that? Relief.

Now I have a pretty good relationship with management, a great one in fact. I know very few internal audit colleagues that share the total cooperative atmosphere that I enjoy every day. So I was more than a bit baffled at this exchange. The man was actually happy that I called him to say I crashed into his car because that meant I was not calling about an audit. Whoa.

Well this exchange got me thinking. Have I overestimated the value of our management relationship? Or is audit just so daunting that even in a cooperative atmosphere our clients prefer a fender bender to an audit? And if it’s the latter, is there a fix to that problem?


www.acuia.org | The Audit Report

Unfortunately my column is too short to answer all of audit’s philosophical questions. But I know that a new line item on my 2015 Audit To Do list is going to be looking beyond the audit-client relationship to enhancing the audit experience. And I’m updating my audit surveys with a new line item: Which is preferable? A fender bender or an audit? Happy New Year everyone!

2014 BOARD OF DIRECTORS

Chair: Dana McCranie, CBA, CUCE, Empower FCU, (315) 477-2200 x 5107, dmccranie@empowerfcu.com. Term: 2013-2015

Vice Chair: John Gallagher, SEFCU, (518) 464-5245, jgallagh@sefcu.com. Term: 2014-2016

Treasurer: Linda Goff, CUCE, Enrichment FCU, (865) 482-0045 x1201, lgoff@enrichmentfcu.org. Term: 2013-2015

Secretary: Nathan Cunningham, CPA, CRMA, CGMA, Mountain America CU, (801) 325-6573, ncunningham@macu.org. Term: 2012-2014

Director: Amy Schaefer, CIA, Royal CU, (715) 833-7292, amy.schaefer@rcu.org. Term: 2012-2014

Director: Kara Giano, CIA, CIDA, CRMA, Golden 1 CU, kgiano@golden1.com. Term: 2014-2016

Associate Director: Doug Wright, CPA, CFE, CUCE, Baxter CU, (847) 932-8765, doug.wright@bcu.org

Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com

ACUIA EXECUTIVE OFFICE

1727 King Street, Suite 300, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”




{chairwoman’s message} GRATITUDE Dana McCranie

As we come to the close of 2014, it is time for reflection on the past year, hope for 2015 and beyond, and acknowledgement of those things that we typically take for granted. Thanksgiving is now just a memory, but the feeling of gratitude has lingered, and promises to carry us through the celebrations of the next month. I, for one, have too many blessings to list individually; however, one of the most treasured is that of family and friends. I am truly lucky to consider the ACUIA as part of my family. 2014 was another successful year for the Association. The annual conference and one-day seminar in Baltimore was a big success thanks to the hard work of the Conference Committee. Regional Directors organized meetings around the country, offering members more educational and networking opportunities. In addition, a number of webinars were available throughout the year covering a variety of topics.

To reiterate what I’ve previously mentioned in these articles, there are numerous people working behind the scenes at the ACUIA, for which I am extremely grateful: the Executive Office; fellow Board members; Associate Board members; Regional Directors and Chapter Coordinators; various Committees and The Audit Report editor and contributors. Thank you for everything that you do – it is your dedication that makes the ACUIA a success! With the dawn of 2015, I will hand over the reins for the ACUIA Chair to John Gallagher. I am honored by the support that I have been shown by my fellow Board members and the membership at large. My gratitude does not seem to be sufficient, but it is heartfelt. I will close out my tenure as a Board member next year, but I hope to continue to serve the Association in some capacity. It has been a pleasure to serve the membership and be a part of an organization such as ACUIA. ■

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.



OPEN HOUSE

The CFPB has issued a proposal for significant new disclosure requirements under the HMDA

John Zasada, Principal, CliftonLarsonAllen

Zachary Pearlstein, Regulatory Compliance Consultant, CliftonLarsonAllen

On February 7, 2014, the Consumer Financial Protection Bureau (CFPB) proposed a series of changes to improve the Home Mortgage Disclosure Act (HMDA). Enacted in 1975, HMDA requires financial institutions to disclose certain data and statistics regarding the loans that they provide to borrowers. Although the original goal of HMDA was to ensure that financial institutions were providing access to credit and serving the needs of the public, over time the regulation became more focused on discovering and preventing patterns of lending that would discriminate against certain groups of borrowers. As a result of the recent mortgage crisis, the Dodd-Frank Wall Street Reform and Consumer Protection Act assigned HMDA rulemaking authority to the CFPB. While HMDA currently requires financial institutions to report information such as property location, loan purpose, and the race, ethnicity, and gender of borrowers, the Dodd-Frank Act requires the CFPB to expand HMDA reporting to collect additional data, such as total points and fees, and the difference between the APR and a benchmark rate, along with any other data the CFPB determines to be necessary. Through these changes, the CFPB is seeking more comprehensive borrower/applicant information, which it believes will allow regulators to more effectively monitor and improve the mortgage market.

In addition to these required changes, the Dodd-Frank Act allows the CFPB the discretion to require the reporting of other relevant data points as well. The CFPB is proposing to exercise this discretion by requiring the reporting of several additional pieces of information not explicitly required by the Dodd-Frank Act. Rather than providing these changes outright, the CFPB announced that it will organize a Small Business Review Panel to give feedback on the most effective ways to improve HMDA reporting, with comments accepted through October 29, 2014. In addition, the CFPB will be seeking similar feedback from industry and consumer groups that may be impacted by changes to HMDA regulations.

Major Changes

The proposal would expand the types of transactions subject to HMDA, although unsecured home improvement loans would no longer need to be reported. Under the current rule, you must report home purchase, home improvement, and refinancings. Currently, reporting home-equity lines of credit (HELOCs) is optional. The proposal would generally require financial institutions to report all closed-end mortgage loans, HELOCs, and reverse mortgages secured by dwellings. Loans on unimproved land and temporary financing would continue to be excluded from HMDA reporting.

The CFPB is seeking feedback on a variety of new HMDA reporting requirements, which have been mandated by the Dodd-Frank Act. Financial institutions will be obligated to capture and report certain data that was not previously required. For example, HMDA will require financial institutions to disclose the total points and fees, and rate spreads for all loans. This requirement will ostensibly help regulators get a better sense of how much borrowers are actually paying for their loans, as well as understand risk factors and pricing outcomes for borrowers. HMDA will also require the reporting of certain loan features that may be risky to borrowers. These include teaser rates, prepayment penalties, and non-amortizing features. The CFPB believes including this data in HMDA will help regulators monitor any detrimental effects that result from these features.

Further, HMDA will require financial institutions to report information that will help regulators keep track of the personnel involved in each transaction. They will be required to report the unique identifier for the loan originator (and a unique identifier for each loan itself), and additionally report if a mortgage broker was involved in the transaction. Another new requirement will be the reporting of property values. Because of the critical role that property values play in the decision to lend, regulators will use this information to examine certain acceptance and denial decisions, and have more data about local markets. Financial institutions will also be required to report borrower age. This requirement will principally help identify and prevent unfair lending practices aimed at the elderly, to whom dishonest lenders may offer unfavorable loans. Lastly, borrower credit scores will also be tracked. This information is to be used to help explain certain rate disparities, as well as denial decisions.

Additional Data Points under Consideration

While the CFPB is required to add certain information to the HMDA reporting requirements, the Dodd-Frank Act allows the CFPB the discretion to require the reporting of other relevant data points as well. Although these additional points have yet to be determined, the CFPB is asking for comments from the Small Business Review Panel on a variety of possibilities.

One possible addition to HMDA is the reporting of the reason for denial in all denied loans. Although certain lenders are currently required to provide this information, it is still optional for most institutions. The CFPB would like to make this requirement universally applicable in order to help ensure similarly situated applicants are treated in a consistent manner. The CFPB is also proposing to add debt-to-income (DTI) ratios to HMDA data. Under current regulations, financial institutions must assess a borrower’s DTI when underwriting a loan and determining the borrower’s ability to repay, and a high DTI is a common reason for denial. The CFPB believes that requiring DTI reporting would help regulators gain a better understanding of denial trends.

Another possible requirement is the disclosure of whether or not a lender determined that a loan was a “Qualified Mortgage,” which would have complied with the CFPB’s Ability-to-Repay rule. The basic features of a Qualified Mortgage are that the


total points and fees charged to the borrower are less than or equal to 3% of the loan amount (for loan amounts less than $100k, higher percentage thresholds are allowed), there are no risky features such as negative amortization, interest-only, or balloon payments, and that the maximum loan term is less than or equal to 30 years. As this is a recent regulation, effective as of January 10, 2014, reporting Qualified Mortgage status would help regulators determine the effectiveness of the new Qualified Mortgage rule.

While the Dodd-Frank Act modified HMDA to mandate the reporting of each borrower’s loan-to-value (LTV) ratio, the CFPB is considering whether to further require the reporting of combined loan-to-value (CLTV) ratios. These ratios are important in a lender’s decision to offer a loan, as they disclose more broadly the combined unpaid principal balance of multiple loans that the borrower holds, against the value of the property. The results of automatic underwriting systems (AUS), which make loan decisions based on algorithms, are also a consideration for HMDA reporting. Tracking the use and results of such systems could help detect errors, and could also determine how they affect loan decisions as compared to manual underwriting.

As previously mentioned, the Dodd-Frank Act mandates that the total points and fees, as well as rate spreads, will become required HMDA data. However, the CFPB is also considering requiring the reporting of more detailed pricing information, in an effort to identify discriminatory lending patterns and reduce “false positives” when making comparisons. The CFPB is considering a requirement that lenders disclose their total origination charges, as will be calculated on the Closing Disclosure, which would include certain charges that would not be included in the total points and fees, such as bona fide discount points. The CFPB is also considering a requirement for lenders to disclose each borrower’s pre-discounted interest rate. Regulators would use the information for a comparison between the base rate and discount points paid, to the final risk-adjusted rate that the borrower actually receives.

Affordable housing programs are another area that is under consideration. For multiple unit dwellings, the CFPB believes that it might be useful to require a disclosure of whether or not the property is deed restricted for affordable housing. Regulators could then examine disparities in access to credit among different communities, which could in turn help direct public resources. Finally, the CFPB is considering requiring lenders to report more detailed information regarding loans for manufactured housing. Currently, lenders are required to disclose whether a loan is for a manufactured home. The CFPB believes that additional data, such as the type of financing, and whether the borrower will own or lease the land, will help identify the sources of disparities in denial rates, and will help regulators learn more in general about financing for manufactured housing.

Better Collection

The CFPB is reviewing current HMDA reporting requirements, and looking for ways to make it easier for lenders to record and report their data. The CFPB is looking to standardize and streamline reporting. As many lenders are already collecting similar information in similar ways, the CFPB is seeking to create HMDA reporting requirements that closely resemble the standards used by the majority of the mortgage market. The CFPB believes that this would improve both consistency and the quality of the information reported.

Under current regulations, banks and credit unions that meet various criteria must submit HMDA data annually, regardless of how many loans they close. However, nonbank mortgage lenders are only required to report their data if they close one hundred or more loans, among other requirements. Because of this discrepancy, the CFPB is considering a new standard that would require all financial institutions to report HMDA data if they close twenty-five or more loans in a given year. Finally, the CFPB is looking into developing online HMDA data entry software. By providing a simple and accessible uniform system of data collection, the CFPB is seeking to provide financial institutions with a more convenient and streamlined way of reporting their data. Financial institutions had until October 29, 2014 to submit information to the CFPB. The proposal does not set forth when any final rule will become effective, but many commentators are guessing at a January 2016 effective date.

About the Author

John Zasada leads the financial institution regulatory compliance practice of CliftonLarsonAllen. John assists financial institutions nationwide in establishing regulatory compliance programs, conducting compliance testing, training staff on regulations, and performing website compliance assessments. John also writes and edits the compliance newsletter and conducts compliance webinars. John is a frequent speaker at financial institutions’ industry conferences and state associations. Prior to joining CliftonLarsonAllen, John was managing director at RSM McGladrey. He led a national financial institution compliance practice, developed work programs, managed engagements, and consulted directly with clients. Prior to working at McGladrey, John was employed as the compliance officer of a large financial institution where he developed and implemented their first regulatory compliance program.



HOW AM I GOING TO GET ALL OF THESE AUDITS DONE?

Some Thoughts on LEVERAGING

By Doug Wright

During my audit planning process, I typically identify a lot of audit areas where there are valid reasons to conduct a review, mostly due to the extent of change at my credit union. However, internal audit resources just don’t exist to perform all of the audits targeted. I suspect a lot of you find yourselves in the same situation. Nothing tends to stay the same as our credit unions change: new services or products are introduced, new systems are implemented, and new third party vendors are contracted. We have many new regulations that must be dealt with (have you experienced the pleasure of doing an Ability to Repay/Qualified Mortgage audit yet?). We also face new emerging risks such as cyber security, interest rate risk, and student loans just to name a few hot topics identified in the NCUA’s examination focus Letter to Credit Unions. And don’t forget those examiners who expect us to risk assess and have a policy for everything the credit union does. How are we going to cover all of this in our Audit Plans?

Unfortunately, it is not realistic to expect that we can go hire more staff. Using my Credit Union as an example, we grew our membership over 10% last year, and we are pushing for 8.5% growth this year, but our total audit staff has stayed the same over this time. So as our credit unions grow and change, how do we cope with this audit resource dilemma? Here are some thoughts on how to leverage the resources you have to provide more audit coverage for your credit union.

First, calibrate what you need to audit: I know you have heard this a million times, but the starting point is to do a thorough risk assessment of your credit union to identify the highest risk areas. As this is old news to most of you, I don’t want to go into details of how to do a risk assessment. The point is to have a process to quantify risk in some manner in order to allocate your available audit time to the areas that have the greatest risk to your organization. The process I use includes multiple inputs including a risk template, correlation with ERM risk assessments, conversations with management (they actually will tell you what they think should be audited if you ask them), the credit union’s strategic plan (a lot of good stuff in these plans!) and “good old” auditor judgment.

Another thing to consider when preparing your audit plan is other audit coverage. For example, if your external auditor reviews the Allowance for Loan Losses every year, do you need to audit this area every year as well? In addition, many credit unions have a loan quality assurance group that you might be able to leverage. You might consider reviewing the scope of the quality group’s review process, and retesting a small number of their reviews instead of testing a larger sample of loan files yourself. A third area to consider is to look at the audits you do annually, and cycle the ones that don’t pose as high of a risk, have had good past audit results and/or no significant changes to policy, process, or personnel that have occurred. Once the risk assessment is completed, you should be able to create and justify your Audit Plan of the highest risk areas to review.

Once you have selected the areas to include in the Audit Plan, the final part of “whittling down” the audit work to be performed (and I know everyone has heard this before as well), is to do a specific risk analysis of the process you are reviewing. Divide the audit into sub-processes, and for each area, think about what can go wrong, and assign a risk rating to it. The extent of review procedures can be adjusted based on your risk assessment of each area. For example, a high risk sub-process may involve more significant testing to ensure controls are functioning effectively, a medium rated risk may involve limited testing, and you may not do any testing for low risk areas. Another approach is to do a limited scope audit that focuses only on a few key controls to test. Either of these methods will ensure that you are allocating your time appropriately to the areas that pose the greatest risk to your credit union.

So you have done your annual risk assessment, cycled some audits, and have done specific risk assessments to narrow the scope of the audit procedures, AND YOU STILL DON’T HAVE ENOUGH RESOURCES! Now what? Here are some additional ideas to consider.

Get Some Help: Look at the possibility of outsourcing some of your audit plan, or hire a contract auditor to supplement your resources. I know this costs money that you might not have in your budget, but if your risk assessment objectively determines that there are more audits to perform than there are internal resources available, then discussing the possibility of outsourcing some of the work is a prudent conversation to have with your Supervisory Committee and Management Team. In the end, if they decide to accept the risk of not fulfilling the audit plan, be prepared to recommend to them which audits you will want to drop, and the associated risks that will not be covered (hint: get them to squirm a little to see if they will free up some money!).

The two basic approaches to getting help involve completely outsourcing an entire audit to an external firm, or just hiring someone and supervising the work yourself. The outsourcing option usually entails providing an external firm with an Agreed Upon Procedures Engagement Memo to establish the scope of the review, and the external firm drives the process for the entire audit. They will be responsible for creating the work program, staffing, supervision, and writing the final audit report. While this approach will require minimal involvement from the Internal Auditor, in my experience, this process typically gets more pricey on a per hour basis.

The second co-sourcing option involves obtaining experienced auditors on an hourly basis. You will need to plan their work, train them on internal systems or procedures, supervise them, and review their work. As I am writing this article, I have a contract auditor sitting outside my office who has been able to review a lot of loan files. In hindsight, his efficiency should be no surprise, as he does not go to a lot of meetings, have to review and answer hundreds of emails each day, or get calls from other credit union staff with their endless questions (all right, I am venting a little about my credit union’s culture!). But the point is that I think the hourly rate I have been paying is well worth the productivity he has been able to provide!

At the risk of sounding like an “infomercial,” many of the firms that are the ACUIA’s Vendor Partners will work with you to provide you with the supplemental resources you need. The trick is to hit them up during the summer when they have staff unassigned (I used to work in public accounting, and remember some of the “fun” busy work I was given during the slow summer months). If you wait until the end of the year when they get into their busy season, either staff will not be available, or the cost of hiring them will go up significantly.

Get Some Internal Help: Another approach that my credit union uses is to enlist the help of staff from other departments in what we call our Guest Auditor Program. We sell the Program by offering non-audit staff the opportunity to learn about auditing and to see how other areas of the credit union function. Sometimes, you can also tie in the audit experience gained to the other employee’s development plan. The guest auditor approach typically works best for routine, “checklist” types of audits such as your branch reviews. (You don’t have to provide a lot of training to count cash and negotiable items!) As I work for a SEG based credit union that has branches in 11 states and Puerto Rico, I have some interesting travel destinations to entice staff from other departments to volunteer to go do a branch audit. We typically pair an internal auditor with a guest auditor for each branch. The internal auditor provides minimal training to the guest auditor, they will perform the pre-work together, and will then travel to the branch to complete the audit. The process works very well as we get a significant amount of assistance from guest auditors for the overall Audit Plan.


If you want to try this approach, here are some tips for making a guest auditor program successful:

1) Try to avoid complex process audits, as the training needs will outweigh the benefit of any audit time gained;
2) if the audits involve travel, include the cost for the guest auditors in your budget, as the other department won’t want to pay for an audit;
3) while the guest auditors are usually “gung-ho” about volunteering to do an audit, make sure you get the consent of their managers, as you don’t want to create any coverage issues in the other department; and
4) make sure you provide adequate supervision for the guest auditors so that they do not go off on tangents.

Delegate audit responsibility: Another approach to consider is to have someone else provide the audit coverage. There are some areas of operations that should be audited, but it might make sense to have another department assume the responsibility to audit those areas. For example, if your credit union has a separate Compliance Department, are they doing compliance audits, or are you doing these reviews? In addition, every credit union audits their branches, but do all of the audits have to be done by Internal Audit? My credit union has a number of Regional Directors, each of whom oversees several branches. The Regional Directors are required to conduct and document a surprise audit of all of their assigned branches at least once annually. When the Internal Audit team conducts our branch audits, we review this documentation to make sure the Regional Director audits were completed.

Another opportunity to delegate audit responsibility would be for oversight of your vendors. For example, if your credit union uses outside collection agencies, someone should audit them, but wouldn’t it make sense for the Collections Department to monitor their own vendors? My credit union uses several outside collection agencies, and we worked with the Collections Manager to create a work program specifically designed for third party agencies that focuses on compliance with the Fair Debt Collection Practices Act. We conducted the first audit with the Collections Manager as our “guest auditor” to train him, and then turned over third party collection agency audit responsibility back to the Collections Department. If you use outside agencies, this approach might be something you would want to consider for your credit union.

While the above examples would appear to have an issue with lack of independence, I don’t think there is any harm in having someone review a function for which he/she is accountable. Also, these management reviews do not necessarily remove the need to perform periodic audits of compliance, branches, or vendors; however, they can provide for additional “audit” coverage and help stretch internal audit resources.

Technology can be your friend: Another way to leverage your resources is to use technology. There are a number of data analysis tools on the market that can be used in a variety of ways to support your audits. I am fortunate that my credit union utilizes a data warehouse that contains extracts from all core processing systems. We can run queries against this database to define audit populations, create samples, look for deviations or exceptions, or to perform regression testing on management reports. This ability not only makes much more efficient use of our time, it also lets us cover a lot more ground than just utilizing traditional audit sampling techniques. There are several good data analysis tools on the market that can be used in a similar fashion. In addition, many core systems contain decent reporting tools that can also be used to query the data. If you don’t already use data analytics in your audit process, you may want to consider investing in a tool and being trained on how to use it to realize audit efficiencies down the road.

Another use of technology to consider would be to utilize a good audit software package to streamline some of your audit administrative and reporting tasks. These systems can provide a high degree of automation for some tasks such as maintaining audit work programs, scheduling audits, keeping audit budgets, writing audit reports and tracking comment remediation. Several audit software vendors attended the 2014 Annual ACUIA Conference, so hopefully you were able to talk to some of them about the benefits of using their applications.

In summary, we will always have more on our plate to audit than we have the resources to cover. Accordingly, we will need to look for ways of not only being risk-focused, but also being creative to provide additional audit coverage for your credit union as well. Hopefully, this article will provide you with some ideas that you can possibly implement to stretch your limited resources.

About the Author
Doug Wright, CPA, CFE and CUCE, started his career in public accounting, and has worked extensively as an internal auditor in the insurance and banking sectors. Doug has worked at Baxter Credit Union in Vernon Hills, IL since 2003, where he is currently the Vice President of Audit and Compliance. Doug also currently serves as an Associate Board of Director for the ACUIA.


ALL ABOUT “IT”

IT’S been called many things: Merchant Capture, Corporate Capture, Image Deposit…. IT’S also been deemed by the examiners as an area on which credit unions should place an increased focus. “IT” is Remote Deposit Capture, or RDC.

By Sam Capuano

While the process itself (members transmitting items electronically and remotely for deposit purposes) seems simple from a macro perspective, the corresponding risks are many, which is why the NCUA has addressed it in each of the past two years in its annual “Supervisory Focus” Letters to Credit Unions. In 13-CU-01 they met the issue head on, saying:

“Credit unions are adopting new technology to meet evolving member service needs and to leverage automation for increased efficiencies. Remote deposit capture, online banking, mobile banking, and social media are just a few examples of new technologies credit unions are increasingly employing to serve members. If your credit union adopts such new technologies, you need to implement controls commensurate with the risks involved, in particular ensuring the security and stability of these service delivery channels.”

In 2014’s Focus, NCUA discussed cybersecurity threats, warning of the exposures to credit unions adopting “new technology to meet member service needs.” And that, meeting such member service needs, is why RDC is being offered by more and more credit unions. However, the NCUA, as they typically seem to do when new products are offered throughout the industry (such as Member Business Loans a dozen years ago, and Private Student Loans in 2014), worries that as more and more credit unions offer the service, they will jump into such products without proper due diligence. Hence, the increased focus.

The FFIEC perhaps states it best in their IT Examination Handbook, saying, “Although remote deposit taking is not a new activity, RDC should be viewed as a new delivery system and not simply as a new service.”

A look at the ACUIA Forum over the past year or so shows quite a few postings pertaining to RDC, so it certainly appears as though this has become not only an area which your credit unions are getting into, but also one in which many of us are looking for guidance as to how to best audit this increasingly hot topic.

First up then would be to take a look at how senior management and the Board of Directors reviewed the risks prior to implementing this new delivery system. The NCUA examiners start by looking for the existence of a formal strategic plan for RDC implementation. While this plan should preferably be in writing, if it is not, have discussions with the key players to determine the plan. Ask them how they determined that RDC was something that made sense for the credit union’s style of business.

Then take a look at the most recent RDC Risk Assessment. There are several risks which need to be considered, including legal, compliance, operational, and reputational. While these risks are perhaps self-evident, look for sufficient documentation of each. Also ensure the assessments are specific to how RDC is set up at your credit union, and are not (as is sometimes seen) a generic review, or one which was just borrowed from another institution.

When evaluating these risk assessments, the NCUA will look for product scope, type of member, payment process, anticipated volume, member role/responsibility, member ability to download/retain non-public information, credit union-approved vendors and equipment, and systems in place.

And, as with any risk assessment, take a look at when it was last reviewed. Have there been any changes (technology, field of membership, etc.) which would necessitate a revision in the assessment? Regardless, the assessment should be reviewed at least annually. Finally, ensure the risk assessment has received input for all applicable areas in the credit union, such as deposit operations (obviously), but also consumer compliance, BSA/AML, GLBA, and internal audit. That’s right, this includes the fine folks in internal audit. Too often it seems that internal audit’s opinions are not included in the planning and/or implementation process of such critical services such as RDC. Even if the Chief Audit Executive is not on the Executive Management Team, he/she should still have a presence when any new products and services are introduced.

Lack of proper risk assessments for the RDC process was a common response when I was asking around about issues identified in RDC audits. These ranged from assessments which were weak, to some places in which there are no assessments at all.

Next up is to assess the internal controls in place. This includes a review of the policies and procedures. The examination procedures of both the FFIEC and NCUA have their folks looking for written policies, while the NCUA will also be looking for them to be reviewed by the Board.

This should include a review of due diligence procedures for new and existing retail members, and third-party processing members. Apply your vendor management audit steps here.

This due diligence review should ensure that everything your credit union performed during the process is extremely well-documented. Further, the system in place to review and rate potential candidates for the RDC delivery system should be part of written procedures, and include CIP as well (this might be able to be accomplished by taking a look at the BSA/AML manual). Finally, procedures for ongoing monitoring of members should similarly be in place, and be documented.

Items to be reviewed for potential new members could include an application, financial analysis, loan/deposit history, credit score, etc.

Any contracts and agreements used in the function will need to be reviewed. Both the FFIEC and NCUA underscore the importance of this in their respective examination procedures. Such a review should firstly ensure that legal counsel was part of the process in putting any such documents together.

There are several good sources out there (such as the examination procedures noted in the above paragraph) for a checklist of what you may want to look at during your review of contracts and agreements.

Which brings us to an item that was invariably cited by those I spoke to when researching this article, and that is in the area of training. Include in your audit program a step to ensure proper training of the members over the adequate security and controls to be implemented. Training can include making sure the work station where RDC is being used is protected, that there is proper segregation of duties, and proper destruction of checks. The training program should be written and documented, and it should include incident response procedures. Also verify there has been proper training of credit union employees, so they are able to meet the needs of the members in this area.

During your review of transactions, make sure to take a look at how “real time” RDC transactions really are. For instance, would the system in place at your credit union allow someone to remotely deposit an item then negotiate the same item over the counter? While such an issue is not new (the bad guys have been trying such shenanigans for as long as checks have been around), having RDC provides yet another means for such activity.

Last up is the area of fraud. An ACUIA forum posting from earlier this year asked if there had been any RDC-related fraud, and none of the respondents had seen any to a material degree. This will likely change as more financial institutions implement the service. As such, review for the presence of an appropriate fraud monitoring system for RDC.

As with any audit procedures, what you include should be tailored to your credit union. And, it should also change as time goes by. When the NCUA issues their Supervisory Focus Letter in January 2015, I would not be surprised to perhaps see a change or two in what they will be looking for in RDC as well. More to follow, I’m sure.

About the Author
Sam Capuano, CBA, CRP, Manager of Internal Audit at Wolf & Company, P.C., has over 25 years of experience as a financial institution internal auditor. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.
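The cross-channel question raised in the transaction review above (an item deposited remotely and later negotiated over the counter) can be tested directly against deposit data. The following is an added example, not part of the original article or of any vendor's system; the record layout, field names and sample deposits are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Deposit:
    deposit_id: str
    channel: str        # "rdc" or "teller" (hypothetical channel codes)
    member: str         # depositing member
    routing: str        # MICR line fields of the deposited check
    account: str
    serial: str
    amount_cents: int
    received: datetime


def _digits(value):
    return "".join(ch for ch in value if ch.isdigit())


def item_key(dep):
    """Identity of the paper item: routing number, drawer account, check serial.

    Account and serial are compared without leading zeros because capture
    software and teller systems often pad these fields differently.
    """
    return (_digits(dep.routing),
            _digits(dep.account).lstrip("0"),
            _digits(dep.serial).lstrip("0"))


def find_duplicates(deposits):
    """Return one finding per repeat presentment of the same item."""
    by_item = defaultdict(list)
    for dep in deposits:
        by_item[item_key(dep)].append(dep)

    findings = []
    for key, group in by_item.items():
        if len(group) < 2:
            continue
        group.sort(key=lambda d: d.received)
        first = group[0]
        for later in group[1:]:
            gap = later.received - first.received
            findings.append({
                "item": key,
                "first": first.deposit_id,
                "repeat": later.deposit_id,
                "channels": (first.channel, later.channel),
                "cross_channel": first.channel != later.channel,
                "gap_minutes": int(gap.total_seconds() // 60),
                # A different amount on the same item may indicate alteration.
                "amount_mismatch": first.amount_cents != later.amount_cents,
            })
    return findings


def sample_deposits():
    """Constructed sample data; routing and account numbers are not real."""
    return [
        Deposit("D1", "rdc", "M-1001", "999999992", "00012345", "1042",
                125000, datetime(2014, 11, 3, 9, 15)),
        # Same item presented at the counter 2.5 hours after the RDC deposit.
        Deposit("D2", "teller", "M-1001", "999999992", "12345", "001042",
                125000, datetime(2014, 11, 3, 11, 45)),
        Deposit("D3", "rdc", "M-2002", "999999992", "12345", "1043",
                5000, datetime(2014, 11, 3, 12, 0)),
        # Same serial as D1 but a different drawer account: not a duplicate.
        Deposit("D4", "rdc", "M-3003", "999999992", "77777", "1042",
                30000, datetime(2014, 11, 4, 10, 0)),
        # D4's item captured again two days later with a different amount.
        Deposit("D5", "rdc", "M-3003", "999999992", "77777", "1042",
                35000, datetime(2014, 11, 6, 10, 0)),
    ]


if __name__ == "__main__":
    for finding in find_duplicates(sample_deposits()):
        print(finding)
```

The gap between the first and the repeat presentment indicates how “real time” the duplicate check needs to be to stop the second deposit.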




{ the standards }

AUDIT SAMPLING

Pat Richey, Retired

Standard 2320 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that internal auditors must base their conclusions and results on appropriate analysis and evaluations. But what is appropriate? How much information does the auditor have to evaluate? Previously I discussed the advice of Practice Advisory (PA) 2240-1 on audit programs, which states that an audit program includes sampling techniques. PA 2320-3 is a 4-page advisory on audit sampling. It is relatively technical and written by persons who know much more about sampling than I do. If I remembered anything from my graduate level statistics class, I would get into the technicalities, but I don’t, so I will not be discussing tolerable error rates, expected error rates, or confidence levels. The following is a simple guideline of audit sampling based on the PA.

The premise of audit sampling is that the auditor does not have to look at EVERYTHING. It is okay to look at less than 100%. There just isn’t enough time or staff resources to look at everything. For example, if you are doing a loan audit, you do not need to look at every loan file. The auditor would look at a sample of files. If the auditor does a cash count, the auditor does not have to fine count every bill in the vault. I am forever indebted to Terry McEachern who recommended counting all the vault cash bundles to trace to financial records and then fine counting a sample of bills: 100% of twenties and fifties, 50% of twenties, 30% of tens, etc.

Population

One key to sampling is population. Population is the entire set of data from which a sample is selected. For example, in a wire transfer audit, the population would be ALL the wire transfers performed during a particular timeframe. From this population, the auditor selects a sample of transactions to evaluate. However, before picking a sample, it is very important that the auditor validate that the population is complete and there are not any transactions missing from the population.

Random Sampling

The other sampling key is randomness. In a random sample, every item of the population has an equal chance of being selected for the sample, and the sample is chosen systematically. Generally, the auditor determines the sample size needed and divides the population by the sample number needed to determine an “nth”, and then selects every nth item. As an example, the auditor is performing a loan audit for the 4th quarter 2014. In January 2015, the auditor determines that there were 500 loans closed in the 4th quarter, and wants to look at a sample of 50 loans. 500 divided by 50 is 10, and so the auditor selects every 10th loan to evaluate.

Stratified Sampling

There are other methods of sampling which I never found a need to use, such as monetary unit sampling, attribute sampling, variable sampling, and discovery sampling. However, I have used stratified sampling, which divides the population into subgroups before sampling. In the loan example above, let’s suppose that the entire loan population consists of 50% auto loans, 30% mortgage loans, and 20% credit card loans. However, when the sample is randomly selected it happens that there are not any credit card loans in the sample. Is this sample representative of the population? No, so the auditor does a stratified sample. The auditor randomly selects 25 loans from the auto loan population, 15 loans from the mortgage loan population and 10 loans from the credit card loan population, so that the sample is more representative of the population.

Sampling Risk

Sampling risk is the risk that the auditor’s conclusion based on evaluating a sample is not the same conclusion that would result based on evaluating the population. There is the risk that the auditor concludes that a condition is unlikely when in fact it is likely. Or conversely, the auditor concludes that a condition is likely when actually it is quite unlikely.

Sample Size

The big question is “How large a sample do I need?” I do not have a definitive answer to that. This is where tolerable errors, expected errors, confidence levels, and level of sampling risk come into play to determine the odds of an erroneous conclusion. I recommend asking your CPA firm for help if you want to become more proficient in statistical sampling, or it would be a good educational session at the conference. I just used my judgment to select a sample size, and our CPA firm never had a problem with my work, and management never contested my results.

Audit standards require that results be sufficient, reliable, relevant, and useful. If audit results do not appear to be reasonable, or there appears to be a significant problem, then the sample size should be increased to see if the results change.

At one time I was told that 25 was the largest sample needed, no matter the population size. I do not know who to credit with that statement, or if it is correct. However, consider that when the population is all US residents, a sample poll of 1000 persons is typical. Also, I was always taken aback by how few member confirmations the CPA firm performed as part of their financial statement audit, considering the population size.

For repeated audits (ones performed annually), I usually found myself decreasing the sample size each year. If you are spending too much time on a particular audit, generally reducing sample size will be more effective. It is a balance between the additional effort of a large sample, and a small sample not accurately reflecting the population.

Errors found in a sample should be analyzed to determine the cause of the errors. However, if significant problems are found in a sample, then a larger sample should be evaluated to ensure the results are the same.

Over 23 years I changed the scope and sampling size for loan audits several times. When I first started performing loan audits, I would audit 100 loans from the previous 12 months. However, it meant I was commenting on some loans that were 12 months old, which was not very useful. I switched to auditing 25 loans each quarter, which was more relevant. Then we switched to auditing a sample of a specific loan officer’s population of closed loans, and audited 2 loan officers each month, about 20 loans a month. That was a lot of loans and we were spending too much time auditing loans. So we settled on auditing loans by product. One year we would audit mortgage loans, the next year indirect loans, then credit card loans, etc.

Exceptions to Sampling

An auditor may choose to evaluate the population if the population is comprised of a few highly material or risky items. Also, if there is a high degree of fraud suspicion, or fraud has been detected, a population of at risk transactions might be evaluated. Risk is always the trump. In a conference expense reimbursement audit, the finding of one fraudulent expense would lead the auditor to review all expenses at that conference. If additional fraudulent items are discovered, then all expense reimbursements for that person would be reviewed.

Also, continuous auditing tools efficiently allow the auditor to test a whole population. Continuous auditing involves the use of advanced, specialized software to identify exceptions in whole populations.

Workpapers and Reporting

Audit workpapers should include sufficient detail to clearly describe the source of the population and the sampling technique. As always, another person should be able to follow your audit program and workpapers to arrive at the same conclusion. The audit report should clearly indicate that a sample was evaluated, and the conclusion is based on the sample. The report should not lead the reader to believe that the population was evaluated.

Other Considerations

Generally the auditor will randomly select a sample from a list of items in the population, and then obtain the documentation for those items. If the supporting documentation cannot be obtained, the auditor can use alternative procedures to evaluate the sample item. For example, the auditor may send positive loan confirmations to a sample of borrowers. If a borrower does not return the positive confirmation, the auditor can evaluate the loan file to determine the validity of the loan. However, if the auditor selects a sample of loans to audit, and a loan file is missing for one or more of the sample loans, the loan officer can randomly select other loans, but the auditor must follow up on the missing loan file until the issue is resolved, or reported as a deviation.

In conclusion, the cost of auditing should not outweigh the benefits. To be cost-effective the auditor should be using audit sampling to provide evidence of a reasonable conclusion about the population which is the scope of the audit. The auditor should keep in mind the audit objective and the purpose of the sample.

About the Author
Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
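The selection methods described in this article, shown as an added example that is not part of the original article: a completeness check on the population, the every-nth selection, and a proportional stratified sample. The loan list is constructed, and the random starting point within the first interval and the fixed seeds (so the selection can be re-performed from the workpapers) are assumptions.

```python
import random


def build_population():
    """Constructed 4th-quarter loan list: 250 auto, 150 mortgage, 100 credit card."""
    products = ["auto"] * 250 + ["mortgage"] * 150 + ["credit card"] * 100
    random.Random(7).shuffle(products)  # mixed closing order, as on a real report
    return [(f"L{n:04d}", product) for n, product in enumerate(products, start=1)]


def validate_population(ids, control_total):
    """Completeness check before sampling: agree the count to a control total
    (for example the general ledger or core system report) and reject duplicates."""
    problems = []
    if len(ids) != control_total:
        problems.append(f"population has {len(ids)} items, control total is {control_total}")
    if len(set(ids)) != len(ids):
        problems.append("duplicate items in population")
    return problems


def systematic_sample(population, sample_size, seed):
    """Select every nth item, where n = population size // sample size.

    The start is drawn at random from the first interval so that each item
    has a chance of selection; the seed makes the draw repeatable.
    """
    if not 0 < sample_size <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    n = len(population) // sample_size
    start = random.Random(seed).randrange(n)
    return [population[start + i * n] for i in range(sample_size)]


def stratified_sample(population, stratum_of, sample_size, seed):
    """Randomly select from each subgroup in proportion to its share of the population."""
    strata = {}
    for item in population:
        strata.setdefault(stratum_of(item), []).append(item)

    # Proportional quotas; leftover picks go to the largest remainders so the
    # quotas always add up to the requested sample size.
    exact = {k: sample_size * len(v) / len(population) for k, v in strata.items()}
    quota = {k: int(x) for k, x in exact.items()}
    short = sample_size - sum(quota.values())
    by_remainder = sorted(exact, key=lambda k: exact[k] - quota[k], reverse=True)
    for k in by_remainder[:short]:
        quota[k] += 1

    rng = random.Random(seed)
    return {k: rng.sample(items, quota[k]) for k, items in strata.items()}


if __name__ == "__main__":
    loans = build_population()
    print(validate_population([loan_id for loan_id, _ in loans], 500))
    every_nth = systematic_sample(loans, 50, seed=2014)
    print("systematic:", [loan_id for loan_id, _ in every_nth][:5], "...")
    by_product = stratified_sample(loans, lambda loan: loan[1], 50, seed=2014)
    print("stratified:", {k: len(v) for k, v in by_product.items()})
```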




{ information security }

CHANGE MANAGEMENT

Tom Schauer

What is it?

Change management in the context of information technology refers to the controls and processes that govern alterations to systems, networks, devices, applications, or privileges.

Common industry standards define the goal of change management as:

■ [ITIL] To ensure standardized methods and procedures are used for efficient and prompt handling of all changes, in order to minimize the impact of change-related incidents upon service quality, and consequently improve the day-to-day operations of the organization.
■ [ISO 20000 (part 1, 9.2)] To ensure all changes are assessed, approved, implemented and reviewed in a controlled manner.

Some are surprised to find that even GLBA, codified as NCUA regulation 12 CFR Part 748, Appendix A, III. C. 1. d, addresses change management. The guidance recommends that “Procedures are designed to ensure that member information system modifications are consistent with the credit union’s information security program.”

Change management is a critical control category, and when done well it contributes to a secure environment with fewer continuity issues and greater information integrity. Mistakenly, some believe change management only applies to major systems development such as an in-house loan system. Not true. Effective change management controls all significant changes that could impact the operational environment, including changes to routers, firewalls, servers, and even printers. Common initiators of change management include software updates, hardware upgrades, regulatory changes that drive business processes, or personnel role changes.

What systems, equipment or procedures does it use?

Whenever an organization intends to make significant changes to systems, networks, devices, applications, or privileges it should activate its change management process. An effective formal change management process will ensure that the full ramifications and risks of the change are properly understood, and that the change is approved by management, appropriately documented, and suitably tested with a fail-back plan in place before moving to production.

Understanding the potential risk of a change (including information security risks) should drive the complexity and rigor of the change management activities. Thus, a risk assessment should be part of the initial change description and never skipped. Further, the description of the change should indicate affected stakeholders (i.e. users), systems, documentation, business processes and risk controls (i.e. GLBA risk assessment, business continuity plans and incident response plans).

All changes should have an appropriate level of documentation, ensuring the rationale, justification and approval for the change are available for post-change review and audit. The depth and formality of the documentation will be dependent upon the change risk and complexity, and may include creating service desk tickets, archiving email, or developing formal project management documentation.

It is a common mistake of small organizations to overlook proper change processes and documentation. The result is unintended service impact when something goes wrong. A simple change log indicating the system updated, a brief statement of the change, who made the change, and the time of the change will often point you in the direction of the core issue when unexpected issues occur.

Documentation should include a risk assessment for the change, along with any alterations the change may cause to the overall GLBA Information Security Risk Assessment, the business continuity plan, the incident response plan, and any other policies, procedures, or standards. Testing of the change before moving into production should be documented as well, along with a back-out procedure in case issues arise once the change is formally implemented. Finally, management’s approval of the change should be documented. Documentation may be by creating a project file, archiving emails, or by using help desk software like Track-It to open tickets for each change.

What controls does TrustCC test?

TrustCC recommends all significant server and network device configuration or hardware changes be authorized, tested and approved prior to production implementation.

TrustCC recommends all significant system or application software changes be authorized, tested and approved prior to production implementation. Documentation of changes could include risk assessment, security and BCP impacts, change impact ratings, dependencies, testing results, and back out procedures; approvals should be documented and the documentation should be available.

TrustCC recommends that Software Development Life Cycle (SDLC) policies, procedures and standards be documented and include source code and library standards, separation of duties (test environment, production environment), testing and back out procedures, and management oversight and approval practices.

About the Author
Tom Schauer, CISA, CISSP, CISM, CRISC, CTGA, CEH. Tom has been practicing in information technology security and auditing for 26 years. Tom is one of the country’s leading experts in IT compliance matters in the Financial Services sector. Tom is the founder of TrustCC and is frequently asked to speak at conferences and provide training to regulatory examiners.
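One way to test a change log against the documentation points listed in this article, shown as an added example that is not TrustCC's or the article's own tooling. The record field names, the sample changes and the rule that the approver should differ from the implementer are assumptions made for illustration.

```python
from datetime import datetime

# The "simple change log" fields named in the article.
LOG_FIELDS = ("system", "description", "changed_by", "changed_at")
# Evidence the article says should be documented for each change.
EVIDENCE_FIELDS = ("risk_assessment", "test_results", "tested_at",
                   "back_out_procedure", "approved_by", "approved_at")


def review_change(record):
    """Return the list of exceptions for one change record (empty if clean)."""
    findings = [f"missing {field}"
                for field in LOG_FIELDS + EVIDENCE_FIELDS
                if not record.get(field)]

    # Testing and approval must be dated before production implementation.
    implemented = record.get("changed_at")
    for step, field in (("tested", "tested_at"), ("approved", "approved_at")):
        when = record.get(field)
        if when and implemented and when > implemented:
            findings.append(f"{step} after production implementation")

    # Assumed rule: a change should not be approved by the person who made it.
    approver = record.get("approved_by")
    if approver and approver == record.get("changed_by"):
        findings.append("approver is also the implementer")
    return findings


def review_log(records):
    """Map change id -> exceptions, listing only changes that have any."""
    exceptions = {}
    for record in records:
        findings = review_change(record)
        if findings:
            exceptions[record["id"]] = findings
    return exceptions


def sample_change_log():
    """Constructed sample records; names and systems are placeholders."""
    return [
        {"id": "CHG-001", "system": "perimeter firewall",
         "description": "allow outbound SFTP to item processor",
         "changed_by": "net-admin-1", "changed_at": datetime(2014, 11, 4, 22, 0),
         "risk_assessment": "low; no member data path change",
         "test_results": "rule verified in lab", "tested_at": datetime(2014, 11, 3, 14, 0),
         "back_out_procedure": "restore saved configuration",
         "approved_by": "it-manager", "approved_at": datetime(2014, 11, 4, 9, 0)},
        {"id": "CHG-002", "system": "core application server",
         "description": "operating system patch bundle",
         "changed_by": "sys-admin-2", "changed_at": datetime(2014, 11, 11, 23, 0),
         "risk_assessment": "medium; core outage possible",
         "test_results": "patched test server, batch ran clean",
         "tested_at": datetime(2014, 11, 10, 10, 0),
         "back_out_procedure": "",
         "approved_by": "it-manager", "approved_at": datetime(2014, 11, 12, 8, 30)},
        {"id": "CHG-003", "system": "branch printer",
         "description": "firmware upgrade",
         "changed_by": "helpdesk-2", "changed_at": datetime(2014, 11, 15, 13, 0),
         "risk_assessment": "low",
         "test_results": None, "tested_at": None,
         "back_out_procedure": "reflash previous firmware",
         "approved_by": "helpdesk-2", "approved_at": datetime(2014, 11, 15, 9, 0)},
    ]


if __name__ == "__main__":
    for change_id, findings in review_log(sample_change_log()).items():
        print(change_id, findings)
```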



{ member spotlight }

Tammy Farmer

This Issue’s Member Spotlight is Tammy Farmer. Tammy is a long-time auditor and ACUIA member. She is also the Chapter Coordinator for our newly created South Carolina Chapter.

Tammy, after all these years I’m very excited to interview you for the Spotlight. As you know, we like to know the personal stuff about our ACUIA friends. So tell us a little.

I’m an avid University of South Carolina Gamecock fan. My weekend calendar during football season is pretty much blocked off. I also have a special young man in my life - my 13-year-old nephew, Hunter. He plays a lot of traveling baseball. Their games are fun so I go when they aren’t too far from home.

Ok, let’s talk business now. Tell us how you came to be where you are today, and any professional certifications you’ve attained along the way.

I think audit is the best type of work – you get to see how everything operates and have an opportunity to learn so much. I’ve been auditing credit unions my entire career. Providing the information for the spotlight made me realize that it has been 25 years! I graduated from Francis Marion College (yes, it was a college and not a university when I attended) in 1989 with a major in Accounting. I loved the auditing class in college. My first full-time job was as a staff auditor for the SC Credit Union League in 1989. Then I moved to SC State FCU in 2001 and have been there ever since. I’m thinking this deserves some sort of anniversary present to myself! I am a CIA. I’m certainly proud of the designation. It took me a while to get it but I became certified in 1994. I’m diligent about maintaining the designation by keeping up my CPE.

You’ve been in auditing a long time. Please share some of your wisdom about useful audit tools, processes, and industry challenges.

You have to be a good communicator, open-minded and flexible. And you need to prove that the activity adds value. Getting input from the stakeholders can help with that challenge.

How long have you been part of the ACUIA family and what is the best part of that experience?

I’m not so sure about that but I think since the early 90s. Networking with peers is definitely the most valuable part of ACUIA. These people do exactly what you do every day. They can provide a wealth of information.

FUN FACTS ABOUT TAMMY:
Favorite sports team: University of South Carolina Gamecocks
Favorite food: I love pizza. Maybe it is the cheese.
Travel: I like to travel but haven’t gotten very far out of the southeast. I like the mountains and the sea and spend a good bit of time on a local lake.
Music: I like a variety but I’m still a little bit of an 80s hair band head banger. I like it loud!
Auditors: Who says they are boring?

NOMINATE A MEMBER! Do you know a member who should be featured in our member spotlight? Send nominations to Tabitha Ernst-Chadwick at acuia@acuia.org




{ regional news }

REGION 1

Director Julie Wilson
Director Internal Audit, iQ CU
360.992.4233
juliew@iqcu.com

No News for Region 1. Contact Julie for information.

REGION 2

Director Margaret Chamberlain, CUERME
AVP Internal Audit, Arizona State Credit Union
602.452.4960
margaret.chamberlain@azstcu.org

The Region 2 annual meeting was held October 16-17, hosted by Mountain America Credit Union in Salt Lake City, Utah. Thank you to all of our awesome speakers and attendees!

REGION 3

Director Greg A. Czyzewski, CPA, CIA
AVP Internal Audit, Teachers Credit Union
574.284.6451
gczyz@tcunet.com

The Minnesota and Indiana Chapters have nothing to report. Contact your Chapter Coordinators for Chapter information.

The Annual Region 3 Meeting was held in September at the University of Wisconsin Credit Union in Madison. The meeting covered a variety of topics including ALM, audit planning, fraud, compliance, and IT. Thanks to our sponsors Doeren Mayhew, Clifton Larson Allen, BKD, McGladrey, and Moss Adams. A special thanks to Jodi Dins and the staff at UW Credit Union for hosting a very successful meeting.


REGION 4

Director Patrick McCullough, CIA, CISA, CRMA
AVP/Director of Internal Audit, Arkansas Federal Credit Union
501.533.2275
pmccollough@AFCU.org

No news for Region 4. Please contact Patrick for information.

REGION 5

Open

Position Open! Region 5 needs you!

Update provided by former Region 5 Director Lorraine Heneka:

Region 5 had another very successful regional meeting this year. The meeting was held September 29th & 30th and was hosted by Dana McCranie and her team at Empower FCU in Syracuse, NY. Topics presented included: Top 10 Audit Issues by Carrie Kennedy of Moss Adams; Supervisory Committee Perspectives by Jay Bowman of Accume Partners; Online Security; how hackers really get in and how to stop them by Gavin Landless of Empower FCU; Panel discussion on Creating an IA Risk Assessment and Audit Plan by John Gallagher of SEFCU, Sam Capuano of Wolf & Co and Carrie Kennedy; ALL and Loan Documentation by Neal Keiffer and Michelle Perry of Firley, Moran, Freer & Eassa, CPA; and our annual Compliance Update by Michael Carter of CUANY. Although we had to make some last minute schedule changes due to our first speaker getting delayed at the airport in Chicago, it all worked out. On Monday night, we enjoyed dinner and drinks at Coleman’s Irish Pub. Food, drinks, and conversation were all great!! Thank you to all of the speakers for donating their time and expertise to educate us, and to Dana and her team for hosting the event.

For those of you who haven’t heard, I have stepped down as Region 5 Director. I have accepted a different position within the credit union and will no longer be in Internal Audit, but you may still hear from me if I need your assistance in my new job. I truly enjoyed serving as your regional director and being a member of the ACUIA. The meetings and networking…and most importantly the friendships I’ve gained…have proven to be invaluable!

REGION 6

Director Bobby Nichols
SVP - Audit Services, State Employees’ Credit Union
800.385.7014/919.8395338
Bobby.nichols@ncsecu.org

No news for Region 6. Please contact Bobby for information.



{ region directors }

REGION 1
Julie Wilson
juliew@iqcu.com

REGION 2
Margaret Chamberlain, CUERME
margaret.chamberlain@azstcu.org

REGION 3
Greg Czyzewski, CPA, CIA
gczyz@tcunet.com

REGION 4
Patrick McCullough
pmcollough@AFCU.org

REGION 5
Open

REGION 6
Bobby Nichols
bobby.nichols@ncsecu.org

{ chapter coordinators }

Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1

REGION 3

REGION 5

CENTRAL CASCADES (OR/WA) CHAPTER

INDIANA CHAPTER

NEW YORK CITY CHAPTER

Jeff Watson jwatson@iucu.org

VOLUNTEER NEEDED!

Terry Robbins

REGION 2

ARIZONA CHAPTER

Allen Lorti alorti@sunwestfcu.org

MINNESOTA CHAPTER

Van Sprenger vsprenger@toplinecu.com

CALIFORNIA CHAPTER

REGION 4

Jim Henthorn jhenthorn@golden1.com

NORTH TEXAS CHAPTER

UTAH CHAPTER

Randy Manscill, CIA, CFE, CFSA rmanscill@americafirst.com

Kimberly Wiersema kawiersema@hotmail.com

ST. LOUIS CHAPTER

David Caster dcaster@firstcommunity.com

REGION 6

GEORGIA CHAPTER

Jason Alexander jasona@lgeccu.org

NORTH CAROLINA CHAPTER

Staci Hutchinson stacih@summitcu.org

SOUTH CAROLINA CHAPTER

Tammy Farmer tammyf@scscu.com

TENNESSEE CHAPTER

Mark Jenkins, CUCE mjenkins@tvacreditunion.com



{ acuia select }

CONFERENCE SPONSORS & EXHIBITORS

ACUIA extends a special thanks to our 2014, 24th Annual Conference and One Day Seminar Sponsors and Exhibitors, who help make the annual event great.

[Sponsor and exhibitor logos, grouped by tier: Platinum, Gold, Silver, Bronze, Exhibitor]

ACUIA SELECT (as of December 31, 2012)

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.

