ACUIA Audit Report volume 24 issue 1


Volume 24, Issue 1, 2015

The Magazine of the Association of Credit Union Internal Auditors, Inc.

WHO PROTECTS OUR ASSETS? SUPERVISORY COMMITTEE ROLE AND RESPONSIBILITY

Q&A WITH FRANK WEIDNER

THE STANDARDS: DOCUMENTING INFORMATION

THE NEW CYBERSECURITY FRAMEWORK GUIDANCE: ARE YOU READY?



{ contents }

FEATURES

Who Protects Our Assets? Supervisory Committee Role and Responsibility
While we as internal auditors often describe our primary responsibility as that of safeguarding credit union assets, it should be recognized that such responsibility actually lies with the Supervisory Committee. John Gallagher

Breaking Down the CyberSecurity Framework
Not everyone is ready for embracing the cybersecurity framework. Are you? Rick Woods

Special Section: 25th Annual ACUIA Conference Information and Registration

DEPARTMENTS

From the Editor: Bad Day. Edition II. Tabitha Ernst-Chadwick

Chairman’s Message: Here We Go Again. John Gallagher

Q&A: Interview With Frank Weidner. Amy Schaefer

The Standards: Documenting Information. Pat Richey

Information Security: Keeping Your Ear to the Ground. Tom Schauer and Jeff Dimmock

Member Spotlight: Terry Robbins

Regional News

Region Directors and Chapter Coordinators

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Tabitha Ernst-Chadwick Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284

© Copyright 2015, ACUIA. All rights reserved.


{from the editor} BAD DAY. EDITION II Tabitha Ernst-Chadwick, CIA, CFE, CISA, CBSAO, LRP, NCCO


I hope this is not the case for any of you, but for me, 2015 is already proving to be a difficult year, both professionally and personally. 2015 is a year of change in my organization; two amazing colleagues who have been both mentors and friends, family really, will be retiring soon. Great for them, but less-than-great for me and many others in the organization. 2015 is also bringing some very difficult challenges for several of my loved ones, one in particular who has now joined the fight against cancer.

When bleach just isn’t enough, garbage bags and duct tape will do the job.


www.acuia.org | The Audit Report

So, when it came time to write this column, I really didn’t have much to say (shocking right?!). Everything that came to mind was just way too depressing to put into a magazine read by our lively group of credit union auditors. But then I remembered one of my newest mottos: Having a Bad Day? Could be worse – you could be wearing mouse poop. Those of you that were privy to the first edition of Bad Day might remember that it ended with a trip to the emergency room. Believe it or not this Bad Day actually surpassed that one. I had been out of the office for a week or so, and during my absence my building experienced a mouse invasion. Now mouse invasions are not new to our building. In fact, my department has become quite skilled at mouse-catching. These mice, however, evidently were of the steroid variety because they actually ate through someone’s Tupperware. So when I returned to work after my time off, I was immediately filled in on the mousecapades. Miraculously, my office was unaffected. My co-workers searched the floors and desk drawers for mouse “evidence” and found nothing. Awesome. Off to work I go. We started with a meeting which lasted about an hour and a half. [Momentary sidebar - any of you that have seen me at a conference know that I pretty much always have a sweater – or four – handy. So, as you might expect, I have a stash of sweaters in my office, ready to pile on when needed.] Halfway through my meeting I get cold and pull one of my many sweaters from my chair. Put one on over my shoulders, another over my lap. Continue the meeting. Meeting finishes. I type some memos, review some reports, drink some water. I’m ready for a break. So I



get up to head to the restroom and I happen to look down at my chair. What do I see? MOUSE EVIDENCE. I start to sweat a little. Pick up another sweater. MORE MOUSE EVIDENCE. More sweat, a few screams as the realization that I’ve spent the last 3 hours sitting in and wearing mouse poop hits me. THEY NESTED IN MY SWEATERS!!! Have I mentioned I’m a bit of a germaphobe? Miraculously, I resisted the urge to strip off my clothes in the office; I practiced my NASCAR skills and made it home for decontamination (nearly scalded my skin off, but decontamination was successful!). I even rallied the energy to return to The Scene and decontaminate my office and chair (Check out the picture on page 4 if you need tips on how to do this).

The moral of the story? Well, there are several lessons to learn from this incident:

1. Don’t leave sweaters piled up in your chair. Hang them on the door.
2. When looking for mouse evidence, make sure to check your chair.
3. Tupperware can be compromised by a mouse on steroids.
4. Bad days – there are many. And, as I learned in the past few weeks, some of them are even worse than wearing mouse poop. But, whatever kind of bad day you are having, try to find something to make you laugh.

2015 BOARD OF DIRECTORS


Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

Chair
John Gallagher
SEFCU 518-464-5245 jgallagh@sefcu.com Term 2014 - 2016

Vice Chair
Kara Giano, CIA, CIDA, CRMA
Golden 1 CU kgiano@golden1.com Term 2014-2016

Treasurer
Linda Goff, CUCE
Enrichment FCU (865) 482-0045 x1201 lgoff@enrichmentfcu.org Term 2013 - 2015

Secretary
Margaret Chamberlain, CUERME
Arizona State CU (602) 452-4960 Margaret.chamberlain@azstcu.org Term 2015-2017

Director
Dana McCranie, CBA, CUCE
Empower FCU (315) 477-2200 X5107 dmccranie@empowerfcu.com Term 2013 – 2015

Director
Barry Lucas, CPA, CIA, CFSE
Desco FCU (740) 354-7791 (ext. 3334) barryl@descofcu.org Term 2015-2017

Associate Director
Doug Wright, CPA, CFE, CUCE
Baxter CU (847) 932-8765 doug.wright@bcu.org

Associate Director
Kimberly Wiersema, CIA
kawiersema@hotmail.com

ACUIA Executive Office
1727 King Street, Suite 300 Alexandria, VA 22314 (703) 688-2284 acuia@acuia.org

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”



{chairman’s message} HERE WE GO AGAIN John Gallagher


It has been quite some time since I prepared my last Chairman’s Message back in 2008 and I am ready to take the reins once again. I consider it very much an honor and privilege that the members of the Association and Board have voted me as Chairman for a second time. I take that as a vote of confidence in my leadership skills but you know what they say about assuming! Much has changed since then so in that case I will need to work even harder this time around, and together with the Board members achieve even greater success.

I would be remiss if I first didn’t thank Dana McCranie for her leadership over the past two years. Her hard work and dedication have proven invaluable and I again look forward to continuing to work with her on the Board in 2015. In addition I would also like to thank Amy Schaefer and Nathan Cunningham for their past Board efforts. While both of them recently completed their Board term they continue to volunteer on various committees.

So what is shaping up for 2015? First and foremost is our signature event, the annual conference which will be held in Boston on June 23rd – June 26th. What will set this conference apart is that ACUIA will be celebrating its 25th Anniversary. This is a significant accomplishment for any volunteer-run organization, and we should take some time to acknowledge those who have volunteered their time and efforts to ensure the association has remained an invaluable resource to credit union internal auditors, supervisory committee members, and others. In doing so we are planning to include some fun and exciting anniversary themed activities around this year’s annual conference to help us celebrate this milestone. I hope you will all plan to join us in Boston!

Financially speaking ACUIA had a very successful year in 2014 and as such is well positioned to continue its offering of periodic webinars at no cost to our existing members. We will also be evaluating enhancements to other various product and service offerings.

Our membership numbers remain strong. As of this writing the renewal figures remain in line with those of past years and we have expectations for growth overall. Through increased educational offerings, regional and chapter meetings, Forum informational exchanges, etc. our goal is to continue to expand our membership and better fulfill our mission of being the premier resource for credit union internal auditors.

In response to results of a member survey performed last year, the Board is continuing to evaluate the potential for development of a Credit Union Internal Auditor Certification Program. There are many details still to be considered and analyzed, so stay tuned.

Lastly, while we can be proud of our accomplishments and success over the past 25 years we must continue to strive ahead with new goals and challenges. I look forward to addressing these challenges with the assistance, input, and cooperation of all board members, regional directors, chapter coordinators, committee volunteers, and you. Together let’s make ACUIA the best it can be!

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.



WHO PROTECTS OUR ASSETS? SUPERVISORY COMMITTEE ROLE AND RESPONSIBILITY While we as internal auditors often describe our primary responsibility as that of safeguarding credit union assets, it should be recognized that such responsibility actually lies with the Supervisory Committee. By John Gallagher



How many times have you asked yourself whether your committee is fulfilling its regulatory requirements and mandates, or better yet are they aware of what they are? It is important that committee members have knowledge of their roles and responsibilities and that a practice is implemented whereby they can ensure they are meeting at least the minimal requirements. These requirements are outlined in the subsequent paragraphs.



Section 715.3 of the NCUA Rules and Regulations defines the basic responsibilities of the committee as ensuring that the credit union (1) meets required financial reporting objectives and (2) establishes practices and procedures sufficient to safeguard member assets. More specifically, the regulation defines four specific responsibilities:

a. Determine whether internal controls are established and effectively maintained to achieve the credit union’s financial reporting objectives which must be sufficient to satisfy the requirements of the supervisory committee audit, verification of members’ accounts, and its additional responsibilities
b. Determine whether the credit union’s accounting records and financial reports are promptly prepared and accurately reflect operations and results
c. Determine whether relevant plans, policies, and control procedures established by the Board are properly administered
d. Determine whether policies and control procedures are sufficient to safeguard against error, conflict of interest, self-dealing and fraud.

To accomplish the above relating to internal controls the Committee should oversee and review the internal control system, oversee the audit program, ensure insurance coverages are adequate, and perform surprise cash counts. In a majority of instances this is accomplished by the internal audit department and reported to the Committee.

In regard to the credit union’s accounting records and financial reports the Committee should perform or engage the annual audit and bi-annual account verification process, review monthly financial statements and reports, analyze financial trends, and personally meet with examiners and auditors to discuss findings.


To fulfill the duties regarding policies and procedures the Committee, or its delegate (internal audit), should perform audits of employee and official accounts, perform verification of new and closed accounts and loans, ensure ethics and fraud policies are in place, and handle complaints from members and employees. These complaints can vary in nature ranging from service dissatisfaction to potential fraud (whistleblower) concerns.

Although the above define the responsibilities, more specifically there are four “mandates” which further outline what the Committee must do. Simply stated the Committee must ensure that the credit union financial statements and reports are consistent with GAAP, perform or obtain a supervisory committee audit, verify or cause verification of members’ accounts, and avoid penalties for failure to comply with the above mentioned requirements. So the questions you are asking yourself now are “what does that mean and how does the committee accomplish it?” Let’s look at each mandate by itself to gain a better understanding of the regulation.

First, there is reporting in a manner consistent with GAAP. This mostly applies to quarterly filing of the NCUA 5300 Call Report (assuming that your credit union is greater than $10 million in assets). GAAP accounting includes the need to establish accruals to properly record income and expenses. Income should be recorded in the period earned and expenses in the period for which the expense was incurred. It also states that shares will be classified as liabilities, and not part of equity.

The next responsibility states that the Committee must perform or obtain a Supervisory Committee audit. While the minimum requirements vary depending on type of charter and asset size (see chart below), an audit which occurs at least once every calendar year and covers the period since the last audit period must be obtained. For most, this is simply referred to as the annual audit and completed by an external audit firm. The important element of the audit process is to remember that engaging an external auditor is the responsibility of the Committee and not credit union management. Often management is consulted with throughout the RFP process for engaging the external auditor, but ultimately it is the Committee chair that signs the engagement letter. In addition, the Committee should plan to meet with the external auditor to review the engagement process and receive results and required disclosures at the conclusion of annual audit.

MINIMUM AUDIT REQUIREMENTS

| Type of Charter | Asset Size | Minimum Audit Required |
|---|---|---|
| Federal or State | $500 million or more | Financial statement audit per GAAS by independent state licensed person(s) |
| State | Less than $500 million | Supervisory Committee audit per section 715.7 |
| Federal | Less than $500 million but greater than $10 million | Supervisory Committee audit per section 715.7 |
| Federal | $10 million or less | Supervisory Committee audit per section 715.7 |

As referenced in the above chart there are instances where the audit requirement can be met through other means. These include a balance sheet audit, report on examination of internal controls over call reporting, and an audit per the Supervisory Committee guide. All three of these are also commonly completed by an external audit firm, but the latter can be completed by the Committee, its internal auditor, or any other qualified person as prescribed by NCUA.

Section 715.9 of the regulation further outlines requirements if assistance from an outside compensated person is obtained, and more specifically what should be included within an engagement letter. The Supervisory Committee should ensure the engagement letter specifies the following:

■ Terms, conditions, and objectives of the engagement;
■ The basis of accounting to be used;
■ The rate or total compensation to be paid;
■ The timeframe during which the auditor will deliver a written report.

An exact date for delivery of the written report is not required; however, the engagement letter should specify a target date of delivery. One important note is that the report must be provided within 120 days from year-end close. The letter should also specify the NCUA will be provided unconditional access to the complete set of audit working papers and acknowledge that working papers shall be retained for a minimum of three years from the date of the written report.

In addition to the annual audit, the Supervisory Committee must also ensure the verification of members’ accounts which is outlined in Section 715.8 of the regulations. Such a verification must be completed at least once every two years and could include both negative and positive confirmation samples. Documentation of the verification process must be retained until the next verification is performed. For most larger credit unions, the account verification process may be completed in conjunction with the annual audit, whereby the external audit firm controls the various aspects of the process (i.e. sample selection, handling returned verifications, etc.). This helps to ensure independence within the process by not allowing employees or management of the credit union to assist in any manner.

In summary, many of the Supervisory Committee roles and responsibilities are well defined under Section 715. Although defined in regulation, best practice suggests that they also be incorporated into a Committee Charter document. A charter often serves as a contract between the credit union’s Supervisory Committee and Board of Directors. Annual reporting to the Board indicating fulfillment of their responsibilities ensures that such requirements have been met.

About the Author

John has served as the Director of Internal Audit for the State Employees Federal Credit Union (SEFCU), headquartered in Albany, New York, since 1995. He also currently serves as the Board Chair of ACUIA and has given numerous presentations on Internal Audit and Supervisory Committee best practices.



BREAKING DOWN THE CYBERSECURITY FRAMEWORK

ARE YOU READY? By Rick Woods, SCA

[Figure: diagram of the five numbered framework domains; legible labels include Cyber Risk Management and Oversight, Cybersecurity Controls, External Dependency Management and Cyber Resilience.]


2014 brought information security to a board room level, not that it shouldn’t have been that way anyway. With the daily news of data breaches bombarding all of us, the everyday American became much more aware and as a byproduct, individuals charged with running companies or operations became more accountable for their actions on protecting privileged information assets that were entrusted to the enterprise. This statement is further illustrated by the “new” cybersecurity framework guidance. It is interesting, but not all credit unions comply with information security guidance to the same degree, despite efforts from the NCUA and their examination procedures. The more proactive credit unions embrace a robust information security program. SCA has realized that asset size does not necessarily correspond to the efforts of best practices or GLBA requirements. This is one way of saying that not everyone is ready for embracing the cybersecurity framework. Ready or not, it’s best to start somewhere.

NCUA representatives have recently confirmed that the 5 domains have been agreed upon, although some of the sub-sets are still in debate. When comparing the new guidance to the NIST CyberSecurity Framework, the terminology may differ, but the spirit is very similar. Let’s explore each section individually and correlate it to efforts that may or may not already be in place. I am reminded of SANS Top 20 guidance. When SCA performs a SANS assignment, more often than not, the credit union has much of the criteria in place. The challenge is documenting the practice, while utilizing SANS terminology. It is highly likely that most credit unions deploy practices that directly satisfy SANS Top 20. Similar circumstances are likely when considering the CyberSecurity Framework. The following criteria is derived from an actual CyberSecurity Pilot Examination and the resulting document request list.



1 CYBER RISK MANAGEMENT AND OVERSIGHT

A. Organization chart is an easy win. Ultimately, accountability for a lapse can be judged on a job description.

B. Cybersecurity related policies and procedures is another easy win, especially for those credit unions that keep abreast of new threats such as social media, denial of service, and the mobile device revolution, etc.

C. Board/IT Committee minutes are increasingly more important. The thrust of the issue is centered on whether key personnel are aware of the information security landscape — is it being discussed and disseminated throughout the organization and is it commensurate to today’s climate?

D. Strategic plans are necessary to fulfill obligations. These include budgeting for new hires with cybersecurity skills & specialized hardware or software, entering new strategic third party relationships, strengthening existing incident response plans, training, and business continuity.

E. Employee incentive plans are one of the more benign sub-categories. A credit union can offer a variety of incentives to attract and retain personnel with the critical skills needed to accomplish their missions. These incentives can include recruitment, relocation and retention incentive payments, student loan repayments, annual leave enhancements, scholarships, and student employment programs. Each credit union has the flexibility to determine which specific incentives of those authorized it chooses to offer. If a credit union offers relocation or retention incentives, it should track their implementation. Furthermore, it is important to establish the necessary data and indicators to track an incentive program’s effectiveness, as well as establish a baseline to measure the changes over time and assess the program in the future. A recent GAO study listed the following types of incentives: recruitment incentives; relocation incentives; retention incentives; superior qualifications and special needs pay-setting authority; scholarships; student employment programs; student loan repayments; annual leave enhancements.

F. Cybersecurity job descriptions are necessary to match your in-house skill sets with today’s reality. “Home Grown” technical personnel may not meet current industry expectation.

G. Cybersecurity personnel qualifications. If a credit union experiences a cybersecurity breach and their personnel skill set is not sufficient to handle the intrusion, it is possible that the credit union Board of Directors and Senior Management may be held accountable because this may be interpreted as a roll-of-the-dice type mindset.

H. Risk assessments are worth more than the paper they are written on. Risk Assessments illustrate a maturity level for credit unions. Thoughtful and sensitive are two words that don’t normally come to mind, but risk assessments often display these traits in order to derive realistic results. Credit unions should adopt a risk assessment type program that is unique to the entity. These should be conducted following a best of breed methodology that is repeatable, defensible, and measurable. The results provide a snapshot of the risks and likelihood of the risk to the organization.

I. IT Audit schedule is a loaded weapon. I’m still not sure why some credit unions are held to higher standards than others. SCA has conducted hundreds of IT Assessments and it is puzzling why audit schedules vary so much. Please adopt a schedule that does not coincide with upcoming Exams. If a major incident occurs and it is discovered that your audit schedule is intended to appease rather than proactively manage, it may well put the credit union in jeopardy.

J. Engagement letters clearly spell out rules of engagement, including primary responsibility, objective, and expectation. It is a sad certainty that legal language can confuse and deflect intent. Engagement letters offer a more layman’s path that may defuse the old argument “I didn’t understand.”

K. IT Audit reports and correspondence (includes financial audit if there are IT or Cybersecurity scope areas) are necessary to gauge an institution’s awareness and engagement prowess. Incomplete or sporadic documentation indicates that a credit union does not embrace current guidance. Interestingly, “correspondence” may indicate a willingness of Examiners to review a trail of requests or e-mails to uncover awareness, along with the subsequent response or lack thereof - another area that pins down accountability.

L. Audit exception tracking (with emphasis on IT/Cybersecurity audits) is intended to strengthen a credit union’s ability and willingness to utilize existing technology. Many, if not all, credit unions deploy log monitoring and exception tracking capability to some degree. A surprisingly large percentage does not take advantage of their technology.

M. Risk management reports provide another window into where a credit union resides on the information security scale. Many credit unions ask their third party partners to include executive summaries as part of the deliverable. Risk management reports should be used to produce the annual security plan, the strategic security plan and the list of accepted risks.

N. Documentation evidencing employees have completed Cybersecurity training and Awareness training. It is a common practice to have employees acknowledge and sign off on their training. This practice may also include social media policies and BYOD.

O. Cybersecurity training policies and procedures should be enterprise wide and should rely on FFIEC and NCUA directive. Any unique practice or new threat should also be addressed.

P. Cybersecurity training and awareness materials are readily available. An on-line course may be the best option because of tracking capability and the need to on board new employees.

2 CYBERSECURITY CONTROLS

A. List of physical access controls (such as key cards, biometric controls, video cameras) is suggested in order to establish the extent of your physical security initiatives. This will also assist you as a guide for future considerations, a wish list of sorts.

B. Baseline security configuration standards are important in particular, because they should be addressed in the credit union standards and procedures. Default passwords and factory issued configurations do not necessarily offer best practices since each entity is unique to itself and many off-the-shelf configurations are known to the community.

C. Software Development Life Cycle (SDLC) is increasingly becoming a real concern. The proliferation of mobile phone applications brings hundreds, if not thousands of unsanctioned opportunities to bury malicious code into the application. Similarly, a credit union that develops its own application must ensure that the development lifecycle remains closely knit and that there is a digital certificate of authenticity and accountability. The more people that “touch” the application in development, the more risk.

D. Vulnerability/patch management policies and procedures should be another easy win at this stage of the game. Please continue to adhere to policy and periodically review scan results for assurance that the credit union is remaining proactive in resolving known vulnerability issues.

E. Patch management reports will provide a snapshot to the reviewer on the current state of discovered vulnerabilities and the ongoing efforts to mitigate the problems as they occur. Vulnerabilities that remain unfixed present the credit union with not only the deficiency itself, but with a trail of evidence that may suggest complacency.

F. Penetration test results/reports, much like log reports or patch management reporting, detail the current state of a credit union’s posture on securing the environment. Deficiencies that remain unaddressed should be considered RED FLAGS.

G. Vulnerability assessments are a necessary friend. Many credit unions conduct their own assessments, supplemented with a recognized expert. GLBA guidance encourages “arm’s length assessments.” It is a very good idea to employ industry expertise because of advanced skill sets and the ability to conduct assessments with a variety of tools and software. The more looks you perform on the network, the better! Please, don’t just look though - timely remediation is necessary.

3 EXTERNAL DEPENDENCY MANAGEMENT

A. List of third parties and subcontractors is the first step for managing your vendor relationships and ultimately, your exposure. Some credit unions have over forty 3rd party relationships. Listing them will assist you in creating a hierarchy of importance and criticality. Those vendors that have access to member information (either storing, processing or accessing) should take precedence. Consider this as an opportunity for organizations to better understand the cybersecurity risks imposed through their vendors. Ensure all Complementary Controls identified in the SSAE16 are in place and effective.

B. Contracts governing all third party relationships should be in a readily accessible file. A vendor management software program is popular because it assists the credit union in housing key vendor information. Built-in alarms that provide alerts for expiring contracts, insurance renewals and other milestones are helpful. The NCUA wants to see indemnification language on all contracts from key providers. This language is much easier to ask for before a contract is signed or renewed.

C. Inventory of all third party connections, including connections to:
i. Customers
ii. Third party service providers
iii. Business partner(s)
iv. Other internet connections (e.g., web server, remote maintenance, etc.)
Lists are good in that they illustrate thought. This list narrows down possible exposure points, which can then be monitored in a more acute manner. Connections to third parties that have access to member information should be monitored on an accelerated basis. Service agreements should include indemnification language if the credit union is entrusting member information to a third party.

D. Network Topology is a key ingredient for the CyberSecurity Framework. If a network is improperly configured, if devices don’t mesh well together, if settings are default, if legacy equipment is utilized, etc., etc., there will be inherent risks. Although not specifically mentioned in the Framework, an up to date network diagram is a helpful tool to assist in managing the entire footprint. Some credit unions undergo network architecture assessments. Professional engineers can review the current environment and offer best of breed advice on strengthening the security of the network, not to mention improving the speed and fluidity.

E. Independent report on the service provider’s security control should be requested for every key vendor. Typical artifact gathering will include insurance certificates, liability language, risk assessment reports, financial stability, privacy policies, background check criteria, and non-disclosure agreements, etc.

F. Remote access log offers a snapshot on Who, When, or Where, but not Why. Why is determined by access privilege assignment. These logs are necessary for vigilance. If an event occurs, a timestamp will help narrow down the investigative process.

G. Third party employee access reviews also provide a concise view on who, when and where. The why is predetermined but should remain static unless a formal request is mutually agreed upon. Credit unions should always have a strict policy on providing third party access privileges. The third party should have clear and written understanding on how they are required to govern themselves with information assets entrusted to them.

H. Vendor Management policies and procedures will outline the protocols your credit union adopts.

4 THREAT INFORMATION AND COLLABORATION

A. Lists of threat intelligence sources (e.g. industry groups, consortiums, threat and vulnerability reporting services, list serves, forums and trade organizations, etc.). One goal of the CyberSecurity Framework initiative is sharing intelligence. If an enterprise experiences an event, collaboration with another business that has experienced a similar event should, in theory, ease the remediation efforts. The FFIEC explicitly recommends that credit unions join the Financial Services Information Sharing and Analysis Center (FS-ISAC).

B. Management reports on cyber intelligence will help disseminate relevant information pertaining to new or trending threats. A by-product of sharing information is increased awareness!

5 CYBER RESILIENCE

A. Cyber security event logs and reports on cyber incidents are necessary for conforming to breach notification regulations.

B. Business Impact Analysis is increasingly under more scrutiny. Most credit unions have conducted a BIA. Efforts are not all to the same degree. These exercises demand a fairly high level of competence. A credit union may have 20 to 85 business units, depending on how segregation is preferred. There will be “infighting” when prioritizing the business units to determine which unit is more essential and thus is higher on the food chain for recovery. It is highly recommended that the credit union outsource this assessment unless there is clear demonstration of in-house abilities and no conflicting agenda.

C. Business/Corporate Continuity Plan should take into consideration all third party relationships that may impact daily operations. For many of you, Sandy and Katrina provided a blueprint on the importance of crossing all of the Ts and dotting all of the Is.

D. Results of resilience testing provide direction for improvement. Many credit unions conduct annual table top exercises to ensure personnel are on the same page. Regardless, a continuity plan should be updated every time there is change, employee turnover or promotion, etc.

E. Resilience testing report measures your readiness. Deficiencies can be prioritized and addressed. This report also offers itself as a study guide.

F. Cyber incident response plans are now at the forefront of best practices. In a fatalistic way, it can be said that no matter what you do, you are already compromised to some degree, or will be. With that in mind, the best defense shifts to how you detect a threat and stem the damage.

G. Crisis management plans are the roadmap for fulfilling your obligations to “Safeguard Member Information.” Consider them as guidance.

The aforementioned summary of the CyberSecurity Framework is intended as a basic guide for complementing your existing Information Security Program. When one considers that the last written FFIEC guidance was 8 or 9 years ago, it is evident that the new framework will be the de facto “go to” document for adhering to information security standards. The list should serve to identify deficiencies in your existing program, while also assisting you to strengthen areas that may already be addressed, but not to the degree that is stressed.

SCA recently attended a Credit Union Information Security Professionals Association (CUISPA) conference. The NCUA was represented by Examiners from all regions. They all agree that the CyberSecurity Framework will be enforced. Interestingly, they also singled out ALL credit unions, regardless of asset size, for being held accountable to the guidance.

Specific thrust includes the necessity for classifying data. In order to properly protect information assets, you must identify those that warrant the focus over those that don’t. A related byproduct is the guidance to quarantine data and network devices per business function. Similar to PCI directive, co-mingling sensitive data with other credit union information is taboo. Access privileges are better defined with data classification.

The NCUA Examiners underscored that Cyber Resiliency is key. Response program scrutiny will be emphasized. Disaster Recovery, Business Continuity, Business Impact Analysis, and Incident Response should be tested at least annually. Table top exercises and walk through scenarios are highly recommended. Other topics for upcoming exams include testing key controls, addressing previous audit shortcomings, lack of defense in depth and risk assessment aptitude.

For those credit unions that display a mature information security model, the NCUA will ask that they consider specialized assessments to complement their existing initiatives. DDoS susceptibility and ATM Cash-out Schemes were specifically cited. Some pleasant advice was that credit unions should work towards appointing or electing Board Members with IT backgrounds.

With all of the increased awareness surrounding CyberSecurity, it will be paramount for C level Executives, Board Members and Supervisory Committee Members to be informed and involved in the direction your credit union takes in its CyberSecurity posture. The Examiners will conduct interviews intended for gauging awareness. Nobody likes pop quizzes, but it looks like this method is sticking around.

Let’s hope this summary helps prepare you for the future. Wherever you currently reside on the CyberSecurity scale, this document can serve as your checklist. Remember, Information Security is a process that can be measured, defended, and repeated when following the CyberSecurity Framework guidelines.

About the Author

A founding member of SCA, Mr. Woods has personally developed over 200 client relationships throughout America. Mr. Woods is the primary contact for introducing SCA to your organization. Mr. Woods’ responsibilities include managing and growing SCA’s sales force and marketing operations. Rick is an accomplished speaker at industry trade shows and offers his presentations at various higher learning seminars such as ACUIA, Supervisory Committee Conferences and IT centric associations. The Pittsburgh Steelers drafted Rick out of Boise State University, where he majored in history. After a six year NFL career, Rick involved himself in financial institution sales. Rick has almost 30 years’ experience in financial institution sales and marketing, including credit card processing, PCI, and Internet Banking solutions.




Featuring Esteemed Keynote & Seminar Speakers*

- Dennis Dollar, Principal, Dollar Associates
- Todd Newton, Emmy Award Winning Entertainer
- Paul Gentile, President, MA, NH, RI Credit Union Leagues
- Tom Schauer, CEO, TrustCC
- Raven Catlin, President, Raven Global Training
- Ann Butera, President, Whole Person Project Inc.

Over 25 CPE Credits Offered for Annual Conference & One Day Seminar

* Some speakers' invitations pending as of publication date.


ACUIA is invading Beantown for a very special 25th Anniversary Annual Conference. Join us for four days filled with educational sessions and entertainment in one of the most historic and charm filled cities in New England. Acclaimed as one of the best teaching tools in the credit union system, the ACUIA One–Day Seminar is an outstanding way for both new and seasoned auditors to learn about the latest auditing issues. As a conference attendee you can choose to attend the One-Day Seminar, the Annual Conference, or both. There is a separate fee for each.

ACUIA’s One-Day Seminar June 23, 2015 Choose From 3 Sessions Based on Interest

RUN FASTER THAN YOUR COLLEAGUES Learn how effective IT auditing can make your CU more secure and compliant than the one down the road. In this seminar, Tom Schauer of TrustCC will describe the latest security and compliance risks and some innovative ways to evaluate these risks through contemporary IT auditing and best practices. Participants can expect to learn techniques to make internal audits more effective. They also will receive several white papers and other auditing resources to help them develop more effective IT auditing at their credit union.

INTERNAL AUDIT MANAGER TRAINING Learn to be the ‘boss’ workers flock to and perform for In this course, Raven Catlin will help the senior auditors understand their roles and responsibilities and prepare themselves for future roles in the organization. You will learn the most important endeavor to ensure your team’s success on an audit – planning the audit and some valuable project management techniques to meet your audit objective and audit budget. You will learn how to manage and supervise your audits and assigned staff, including overseeing audit progress, motivating staff, and reporting status to audit management and audit clients. You will also learn about building and retaining a highly-qualified, engaged team of auditors.

RISK ASSESSMENT TECHNIQUES THAT GET RESULTS For new Internal Auditors, Supervisory Committee members or those seeking a solid refresher. This interactive seminar, led by Ann Butera, will define what “assessing risks” really means. The session, designed for new internal auditors, will provide practical approaches internal auditors can use to:

- Understand and use The Critical Linkage, a COSO-based, four step thought process when performing risk-based audits
- Identify the inherent risks that exist in an area, process or function under review
- Differentiate between gross and residual risk
- Assess risks within a particular entity, process or subsidiary to concentrate audit resources on the areas of greatest exposure

Annual Conference June 24-26, 2015

The Annual Conference is the most comprehensive and beneficial professional development opportunity offered by the ACUIA. Featuring speakers presenting timely and in-depth topics pertinent to the profession, the conference is the ideal opportunity to network with your peers. Designed for professionals who want to keep pace with the diverse and dynamic field of internal auditing, the annual conference agenda is created specifically for you, whether you are a member of your credit union's internal audit department or the Supervisory/Audit Committee. Gain timely, insightful and indispensable information from the roster of nationally recognized keynote, general and breakout session speakers who are experts in their field. With an average attendee rating of 4.2 out of 5 from this past year’s sessions, the ACUIA Annual Conference has cutting edge topics that will put any audit professional and Supervisory Committee member at the top of their game. Come join us in historic Boston for four very valuable days of education, exploration, and interaction with your peers.

TIMELY, RELEVANT BREAKOUT SESSIONS

There will be a wealth of learning in our breakout sessions for auditors, risk managers, Supervisory Committee Members and CFOs.

Audit / Accounting
- Top 10 Reasons You Don't Complete Your Annual Plan and How to Overcome Them
- CAE Best Practices
- Essential Information for a New Internal Audit Manager/CAE
- Asset Liability Management - Liquidity Contingency
- Auditing the Lending Function - MBL, Mortgage, Consumer
- CECL - What the New Guidance Means to Your CU’s AAL
- A View of Indirect Lending - Through Auditor's Eyes
- Best Practices in Auditing Sensitive Areas (Payroll, Employee Accounts, Employee Expenses, etc.)
- Fair Lending - What You Need to Know
- Performing CUSO Audits
- Supervisory Committee Hot Topics

Compliance/Risk
- Vendor and Third Party Risk Management
- Out on a Limb - Are Your Branch Controls and Security Strong Enough?

IT Audit
- The National Cyber Security Initiative: Will it Make Credit Unions More Secure?
- Cyber Security: Preventing, Detecting, and Responding to a Breach
- Top Technology 2015
- PIN Security and Key Management (TR39) Audits

...and more!


TRANSPORTATION

Please note, the hotel does not provide airport shuttle service. There are 3 transfer options:
1. Taxi - 10 min. ride from Logan Airport, fare about $25/ea. way
2. GO Boston Shuttle - Shared van about $17/ea. way
3. Boston Subway - The "T" - Hotel located at Arlington Stop (Green Line) and Back Bay Stop (Orange Line).

HOTEL & RESERVATIONS

In celebration of ACUIA's 25th Anniversary Conference, the conference is being held at the luxurious Boston Park Plaza Hotel. Rich in history, the hotel has distinguished itself with classic elegance and luxury accommodations coupled with unmatched service. ACUIA - Special Group Room Rate: $239/night Single/Double Occupancy. This exceptional conference rate has been extended from June 18th thru June 30th.

WIN AN APPLE WATCH®!

Register online or send in your paid registration postmarked by April 30th, 2015 to be entered to win a new Apple Watch®. The newest cool technology from Apple can be yours by registering now!

OPTIONAL EVENTS

Wed. Evening: Though generations have come and gone, Fenway Park remains, much like it did the day it opened on April 20, 1912. Come join us at this storied ballpark for a match-up against the Baltimore Orioles. Come see who can conquer the Green Monster. We have secured 100 tickets for this Wed. evening game, and anticipate they will go fast, so register early and reserve your seat now!

Wed. Evening: Relive history on this 90-minute walking tour which explores 11 of the 16 sites on the Freedom Trail and their crucial role in the American Revolution. Geared to appeal to both history aficionados and the newly-minted history buff. Walk along the red brick trail with an 18th century costumed guide who tells the stories of the brave people who dared to challenge the mightiest nation on earth. Learn of their daring actions that lead to the birth of the nation. The tour concludes with dinner.

Thurs. Evening: Step aboard the luxury yacht, Spirit of Boston and sail off into the sunset of picturesque Boston Harbor. With a brand new, $2.5 million renovation, you’ll cruise in high style on this three-hour, evening cruise with a full-course dinner. Relax and take in the sights Boston’s historic harbor offers from one of three climate controlled decks with panoramic windows or the topside, rooftop open air deck.

Optional events are extra and not included in conference registration fee. Apple, and Apple Watch are registered trademarks of Apple Inc.

KEYNOTE SPEAKERS

This year’s esteemed keynote speakers represent a cross-section of the credit union industry and beyond. They will offer insight and understanding to help you create greater value, clarity, and focus in your audit efforts for the coming year.

THE HONORABLE DENNIS DOLLAR - Principal, Dollar Associates Dollar Associates is one of the leading credit union consulting firms in the country. Prior to forming the firm Mr. Dollar was appointed by President George W. Bush to be the Chairman of the National Credit Union Administration in 2001, having previously served on the board since 1997. Prior to his nomination, he was President/CEO of what is now Gulf Coast Community FCU. Mr. Dollar has been cited for numerous awards, including the Dora Maxwell Award, the CUES Hall of Fame and the 2004 Ambassador Award from the World Council of Credit Unions.

TODD NEWTON - Emmy Winning Entertainer and Speaker Daytime Emmy Award winning TV personality Todd Newton is often referred to by industry insiders as "The Host with the Most." Newton's amiable persona on E! Entertainment Television brought viewers in more than thirty countries face to face with Hollywood's elite for over a decade. Todd entered the world of game shows in 1999 on GSN's Hollywood Showdown. Since that time, he has awarded contestants over thirty million dollars in cash and prizes on Whammy, Instant Millionaire, Made in the USA, Monopoly Millionaire's Club and Family Game Night. Todd also serves as host of The Price Is Right Live!, a live stage version of the iconic game show classic currently touring the US. When not working in front of the camera, Todd speaks to corporations, universities, and organizations on personal achievement and success with his entertaining and inspiring presentations.

PAUL GENTILE – President, MA Credit Union League Mr. Gentile has been a part of the credit union movement for 18 years. Most recently, he served as Executive VP of Strategic Communications for the Credit Union National Association (CUNA). Prior to CUNA, Gentile was the President/CEO of the New Jersey Credit Union League (NJCUL). Under his leadership, NJCUL spearheaded successful passage of public deposit legislation that enabled New Jersey’s credit unions to accept public funds for the first time in their history. Before joining NJCUL, Gentile was the Editor/Publisher of Credit Union Times, the nation’s largest independent credit union trade publication.

TOM SCHAUER – CEO & Chief Client Experience Officer TrustCC Tom has been practicing in IT security, audit and compliance for over 25 years. He started his career in the role of Security Analyst and BCP coordinator for a $3.5B regional bank. In 2000, Tom recognized that community size banks and credit unions were under-served by existing consultancies. He founded TrustCC to specifically address this need. Since 2001, TrustCC has performed about 2000 security assessments and IT audits for 400 financial institutions throughout the US.

Raven Catlin - President, Raven Global Training Raven is an internationally recognized speaker and instructor in risk management and internal audit. She possesses over 15 years of diverse internal audit experience and 11 years of instructing and facilitating a variety of courses. With this diverse experience, Raven teaches how to accomplish goals they only dreamed possible. Through her seminars and presentations, you will gain valuable skills, motivation, and belief systems to achieve success.

Ann Butera - President, The Whole Person Project Inc. Ann is a frequent speaker at internal audit conferences and has worked with audit departments of all sizes to provide auditors with the tools and techniques needed to improve risk management practices within their organizations. She is a member of the IIA, the American Society for Training and Development, the Association of Government Accountants, and the National Association of Corporate Directors. She served as Supervisory Committee Chair for a financial services firm.


RegistrationForm  __________________________________________________________________________________________________________ Name

NameforBadge

__________________________________________________________________________________________________________ CreditUnion/Organization

AssetSize

#YearsACUIAMember

__________________________________________________________________________________________________________ MailingAddress

City

State

Zip

_________________________________________________________________________ ( _______ ) _______________________ EmailAddress

Phone

Pleaseselecttheconferenceeventsyouwillbeattending: OneDaySeminar:(chooseone)  Tues.June23  rd

seekingasolidrefresher

 25thAnnualConference

AnnualConference: th

 RunFasterThanYourColleagues-HoweffectiveITauditingcanmakeyourCUmoresecure  InternalAuditManagerTraining-Learntobethe‘boss’workersflocktoandperformfor  RiskAssessmentTechniquesThatGetResults:-FornewIAs,SCmembersorthose

th

Note:Theconferencewill concludeby11:30amonFriday.

June24 -26 

WednesdayJune24th

OptionalEvents:(chooseoneortwo) Theseeventsareoptional withaseparatefeenotedbelow.

Thursday.June25th  BostonHarborDinnerCruise

 RedSoxvs.OriolesBaseballGame  FreedomTrailTourandDinner

EarlyBird

RegistrationSummary 

(ByApril30)

RegistrationFees  One-DaySeminarRegistrationOnly

   t es

      AnnualConferenceRegistrationOnly      

Save$100!OnBoth Save$100!OnBoth

   

   

Member Non-Member Member Non-Member

@ @ @ @

$299 $499 $899 $1,099 

Regular

(May1-Jun16)

$349 $549 $999 $1,199

B lue!  BOTHOneDaySeminar/AnnualConferenceRegistrationMember @ Va  

        IncludesTheBigBeantownWelcomeReception 

$1,098 $1,248 Non-Member @  $1,498  $1,648  TOTAL $__________$__________

OptionalEvents(chooseoneWed.Eveningand/orThurs.Eveningevent)  RedSoxvs.OriolesBaseballGameWednesdayEvening@   FreedomTrailTourandDinnerWednesdayEvening@   BostonHarborDinnerCruiseThursdayEvening@  

 

 

$68.00/each $71.00/each

$_______________ $_______________

$81.00/each

$_______________

 

 

 

TOTAL $_______________

________________________________________________________________________________________________________ CreditCardNumber: 

Exp.Date 

CSVCode

________________________________________________________________________________________________________ Nameasitappearsoncard

   ThreeWaystoRegister FortheConference:  

Signature 

  

  

Fax:(703)348-7602      

Online: https://www.acuia.org/civicrm/event/register?reset=1&id=42

  

BillingZip-Code

Mail:  

ACUIAConferenceDepartment 1727KingStreetSuite300 Alexandria,VA22314

  

Notes:  

IncludedintheOne-Dayregistrationfeearebreakfast,lunchandbreaks.IncludedintheAnnualConferencefeearebreakfastandbreakseachdayand lunchonWednesdayandThursdayandTheBigBeantownwelcomereceptionTuesdayevening.Formoreinformationregardingadmin.policiessuchas refunds,cancellationsandcomplaintspleasecontacttheACUIAat703.688.2284oracuia@acuia.org



{ where are they now? } Amy Schaefer This is the first in a series of Q&A interviews featuring ACUIA incorporators and longterm members. You will also see snippets of these interviews in upcoming ACUIA’s Facebook posts. Not following us on Facebook yet? What are you waiting for? Click here to follow us to stay up-to-date on what’s happening with ACUIA, “Throw back Thursday” features, and more.

FRANK WEIDNER

Our first interview highlights Frank Weidner, President & CEO at Wings Financial Credit Union in Apple Valley, MN ($4 billion in assets). In 1990, Frank was one of the original eight signers when the Association of Credit Union Internal Auditors was incorporated with the Wisconsin Department of Financial Institutions.

Frank Weidner’s Background

Frank has nearly 30 years in the financial services industry encompassing a broad range of leadership experiences. Before he was named CEO at Wings Financial Credit Union, he held the role of Sr. VP Member Service and head of all front-office functions, including lending, payments, marketing, business development, branches, call centers, and more at Alliant Credit Union. Prior to that role he was CFO at United Airlines Employees’ Credit Union, and head of Audit at US Federal Credit Union. He began his career with McGladrey, CPA firm, working in their national banking practice. As a lifelong learner, Frank has earned his Certified Public Accountant, Certified Internal Auditor, and Certified Credit Union Executive designations. He graduated with honors from St. Johns University in Minnesota and earned his MBA from Norwich University. He currently serves on the Board of the Minnesota Zoo. He has been married for over 25 years to his high school sweetheart and has two daughters in high school. His interests include hunting, fishing, traveling, and spending time at his cabin.


Why was it important for you to help create ACUIA?

Twenty five years ago internal audit (IA) positions were relatively rare in the credit union industry. Those of us taking internal audit roles were often introducing the role to the organization and didn’t have much support or precedence to rely upon. ACUIA became a resource of like-minded professionals facing many similar experiences.

What did you gain most as an ACUIA member?

The ability to network, share and learn best practices, and increase the professionalism of the role.

Tell us how being a member of ACUIA helped you get to the position you have today?

Realize this: No one in a credit union possesses nearly the breadth of knowledge of all of the functions, operations, processes, and controls that internal audit does and should know. Internal audit is absolutely the best role for those who like to learn about the numerous functions in a complex financial institution. This insight is hugely valuable to an organization. Every large company is challenged with understanding and making sense of the interplay of functions, policies, and processes (and looking for professionals who have broad exposure). Who better to shed light into and create value around this than internal audit?

What advice do you have for our current ACUIA members?

Give thoughtful consideration to how the internal audit role creates robust organizational value by supporting and connecting to your organization’s key corporate goals and mission to the membership. Be real and specific in this. IA can be a bit mysterious and its independence can make it seem disconnected from the organizational priorities. Communicate and demonstrate its connection and value regularly. One example: Enterprise risk management is a fast growing (aspirational) competency in our industry but still immature. Be sure the organization understands how IA really becomes a lynchpin and resource to successful ERM initiatives.

What are your fondest memories of ACUIA?

The annual meeting was an opportunity to meet like-minded professionals from around the nation and certainly a huge professional learning opportunity. That said, perhaps even more impactful were the personal relationships that developed when a small group of folks rallied behind a great concept and brought it to life through hard work and determination. It’s rewarding to see ACUIA celebrating 25 years strong.

ACUIA is celebrating our 25th Annual Conference & One-Day Seminar this summer. What would you like to say to our current members?

Definitely enjoy celebrating the past 25 years of accomplishment…but the even greater joy is in creating your vision for the next 25 years. This holds true for both ACUIA and each of us as individuals.

Keep an eye out for more “Where Are They Now?” articles in upcoming magazine issues and don’t forget to follow ACUIA through social media!

About the Author

Amy Schaefer, CIA, CUCE, CUERME is the Senior Internal Auditor at Royal Credit Union. She is a graduate of the University of Wisconsin – Eau Claire with a degree in accounting. She is also an ACUIA Social Media Committee Member and former ACUIA Board Member. Amy is married, has three sons and enjoys camping, cheering on the Packers and attending Brewers and Twins games (but when head-to-head has to root for the Brew Crew!)




{ the standards } Pat Richey, Retired

DOCUMENTING INFORMATION

Standard 2330 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that internal auditors must document relevant information to support their conclusions and audit results. This documentation is called “working papers,” which are further discussed in Practice Advisory (PA) 2330-1. Working papers are the collection of all the information gleaned during the audit, and the analysis of that information. Working papers are a very basic internal audit tool, but one of the most important. Generally, another person should be able to review the working papers and come to the same conclusion as the internal auditor. Or in the other direction, a reviewer should be able to trace audit report data to the working papers. Good working papers make reviews more efficient.

I was in my new internal auditor position three days when I realized I was going to love being in internal audit. Audit plans, audit programs and working papers fit so perfectly into my concrete-sequential personality (a typical ISTJ in the Myers-Briggs world). Working papers (and perhaps auditing) will not be loved by those with more creative personalities (the ENFPs of the world). For these people, audit working papers will be a chore to organize and maintain, and probably seen as a burden.

In addition to providing documented support for audit conclusions, working papers help with the planning and performance of future audits and audit reviews. The auditor may not be the same one that performs a particular audit again in the future. Working papers will outline decision-reasoning that may be helpful in future audits, and could include comments and suggestions for future audits, particularly suggestions for making the audit process more efficient and effective. Of course, the auditor cannot just do an audit procedure or complete a working paper because “that’s the way it was done last time,” without considering the effectiveness of the work.

Working papers demonstrate whether the audit objectives were achieved, and can be reviewed for accuracy and completeness. Working papers can be shared with management, if necessary, to gain management’s concurrence with audit results, or perhaps the auditor may want to share its process-flow diagram with management to validate the diagram’s accuracy. Also, internal audit may need to share working papers with examiners or an external audit firm, or, heaven forbid, in court. Good working papers make conclusions easier to defend. Internal audit should consider these third parties when preparing working papers. To this end, working papers should be self-explanatory. Audit programs summarize what the internal auditor did, and the working papers document the results.

Does EVERYTHING the auditor collects have to go into the working papers? If a working paper is tangential to the audit objective (sometimes the auditor goes down unintended paths) and the results are not reported to management, then the working paper need not be retained for THAT audit, but the auditor may want to retain the working paper for a future audit. Working papers that are irrelevant, immaterial, needless, useless, or do not support the conclusion should not be retained if they just muddy the waters. Of course, working papers that support a wholly different conclusion are a completely different matter.

Working papers will differ depending on the type of audit and audit procedures; for example, some audits may have process-flow diagrams or interview summaries; branch audits have cash count sheets; loan audits may be checklist audits; and other audits may document data extraction results. Generally, no two audits will have the same working paper design. However, working papers may follow a standard method of organization. For instance, our audit department’s working papers followed a standard number/referencing system that tied to the audit program, and which allowed working papers to be cross-referenced to each other.

The amount of information collected during an audit can be overwhelming without a system to organize the working papers. The auditor should organize the working papers in a timely manner as the audit progresses. The auditor should not have a collection of working papers that need to be organized 6 months after the audit is concluded. Organizing working papers during the audit reduces the risk of them being misplaced. Also, audit programs and working papers should be organized so that if another auditor has to jump in and help or finish the audit, that 2nd auditor can know exactly where to start and not do redundant work.


The audit department should have an internal policy regarding general working paper expectations, and audit programs will detail the specific types of documentation required for each audit. The audit department may have standardized control questionnaires, audit programs, or working paper titles or headings. We had an audit program template that we used for all audits, though the content differed for each audit.

All aspects of the audit should be documented from audit planning to audit reporting and follow-up, and from entrance interviews to exit interviews. We retained all emails related to the audit as part of our working papers, and answers to all interview questions. In fact, we attempted to do all our audit communication by email so that there was documentation of questions and answers. I was always a little bit miffed when I would send an email asking a question and the recipient would call me to give me the answer. We never relied on verbal answers to questions if there was physical evidence available. We tried to prove every statement made by an auditee with physical evidence or data. The auditor should clearly differentiate between proven fact and subjective statements. If we had to rely on verbal information, we always prefaced the information with “According to so-and-so………” (and had the email as evidence).

Working papers may be paper-based or digital. Of course, in the old days working papers were generally all paper-based and stored in file folders. However, likely in this day and age most audit departments are paperless or heading that way. Our audit department was mostly paperless; generally we scanned paper-based working papers to store them digitally. The exception was cash count sheets. However, I knew an audit department that printed their digital working papers and retained all working papers in paper-based format, all neatly bound in 3-ring binders (a new Chief Audit Executive may have changed that policy). The beauty of paperless auditing is that working papers can be shared and reviewed at any location (hurrah for telecommuting!), and tablets can be carried around at branch audits. Whatever the format, all working papers should be collected together in an official and final format. There are software applications for integrated working papers, but I did not use audit software so I cannot comment on them. I just used simple Word documents and spreadsheets – lots of spreadsheets.

Working papers are evidence of the internal auditor’s competency and professionalism. Internal auditors do not want their competency and professionalism devalued by working papers that are careless, disorganized, illegible, illogical, inaccurate, incomplete, inconsistent, insufficient, messy, vague or have gaps in audit trails, or improper cross-references. Of course, these risks could all result in inaccurate conclusions.

Other suggestions for working papers: Working papers should document all testing and, if some audit procedures are not completed, the reason should be documented. If management has provided documentation, the information should be reviewed for accuracy. A working paper should reference source documents and all tick marks should be concisely explained. The auditor should not use color-coded tick marks unless the document can be printed/copied in color. Some audit departments may require the auditor to sign or initial the working paper. We initialed and dated the audit procedure in the audit program when the procedure was completed, but not the working paper. Working papers may include the source and scope of the information, but we included source and scope in our audit procedures.

Working papers are the foundation of audit’s quality assurance and improvement program, and quality assurance reviews. Supervisors should review an auditor’s working papers, but I will defer that discussion until we get to the audit supervision standard.

About the Author
Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.




{ information security } Tom Schauer and Jeff Dimmock, TrustCC

KEEPING YOUR EAR TO THE GROUND

When working to enhance the controls evaluated by a credit union’s internal audit testing plan, one need not look any further than the news.

In recent years, there has been no shortage of real-life threats or attacks from which to choose. A handful of companies and cutely named vulnerabilities probably came to mind instantly: Target, Home Depot, Sony, Anthem… Shellshock, Heartbleed, Cryptolocker… and many more.

Everyone knows the basic stats: millions of affected customers, nation states implicated, millions of dollars spent on cleanup. The details of interest are often buried a little deeper in the news: how did the breach happen, what weakness does the vulnerability exploit, and how did the attackers evade detection so long?

These details can be used to help you align your internal audit controls testing plans. First, determine the general threat landscape at a high level. What kinds of attacks are prevalent and successful? To determine this, there are a few good resources listed in the box below. Next, identify what the attackers are doing. This step is easy in concept, but the high number of news stories spinning FUD (fear, uncertainty, and doubt) can make it hard to determine what information is actually useful. See the resources at the bottom of the box for a good place to start for finding specific techniques being used by attackers. Using these resources, we can determine that one of the major threats facing Financial Institutions today is social engineering. Social engineering was most recently used in the Carbanak attacks. See http://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/

WHAT KINDS OF HACKS ARE GOING ON?
Privacy Rights: http://www.privacyrights.org/data-breach
FBI’s Internet Crime Complaint Center Reports: http://www.ic3.gov/media/annualreports.aspx
The Open Security Foundation Data Loss Website: http://datalossdb.org
Verizon’s Data Breach Investigations Reports: http://www.verizonenterprise.com/DBIR/

WHAT TECHNIQUES ARE THEY USING?
Brian Krebs Blog: http://krebsonsecurity.com
The Threatpost Website: http://threatpost.com

The Financial Institutions affected by Carbanak were infected primarily through spear phishing emails with malicious attachments. Once on the internal network, attackers gathered user credentials and spread through the network from there. This example alone elevates three threats that should be controlled and tested: social engineering resilience, network user account least privilege, and monitoring of network authentication activities. Have plans been made to emphasize these controls in your 2015/2016 IT audit testing?

For instance, the key controls addressing social engineering resilience at your credit union may be annual employee training, annual Information Security Policy acceptance by all employees, and the use of technical controls to prevent employees from clicking on links and downloading viruses. These are very important controls, but most credit unions test them in only a limited fashion. Given the prevalence of social engineering, a real-world test of your staff would give the credit union a clearer idea of how resilient the staff are against attackers. Such testing could be a phishing exercise (or other social engineering form) performed with “real” payloads that result in your tester actually obtaining network access should an employee fall for the phish. Should the tester gain access to the network, the testing then evaluates the IT department’s ability to detect and respond to what would appear to be an actual network attack. Have you made plans to execute “real world” testing of social engineering controls combined with “real world” testing of incident detection and response?

Using real-life events to inform internal audits not only helps ensure that controls are being tested properly, but can help illuminate new controls that could be implemented. Attackers are more financially incentivized to elude the controls the defensive side implements, so use that to your advantage! Additional research about the Carbanak breach reveals that the malware used can be identified through vulnerability scanning (Contact TrustCC for details). Have plans been made to have your network scanned for the presence of Carbanak?

Another benefit of using news headlines is enhancement of tabletop testing scenarios. Tabletop testing gathers key stakeholders into a meeting whereby a threat scenario is doled out one element at a time in order to discuss the likely actions to be taken in response. These exercises help response teams be better prepared for real incidents. Has internal audit planned to participate in business continuity and incident response tabletop testing in 2015/2016?

The final benefit of using news headlines is to keep your Board better apprised of the threats facing organizations. As a result, your Board will be better positioned to provide necessary oversight and guidance to the credit union. Every Board should recruit a member that is capable of providing effective oversight of IT.

About the Authors
Tom Schauer – CISA, CISSP, CISM, CRISC, CTGA, CEH
Tom has been practicing in information technology security and auditing for 26 years. Tom is one of the country’s leading experts in IT compliance matters in the Financial Services sector. Tom is the founder of TrustCC and is frequently asked to speak at conferences and provide training to regulatory examiners.

Jeff Dimmock
Jeff is an IT Audit and Security Analyst for TrustCC. His skills include designing social engineering exercises, developing constantly changing payloads used in social engineering exercises and successfully penetrating networks from the Internet. Jeff is currently preparing to begin his Master’s program in Information Security Assurance. Jeff’s ideal Friday night is taking a phishing exercise all the way to full corporate network takeover.



{ member spotlight } Terry Robbins

This Issue’s Member Spotlight is Terry Robbins. Terry recently took on the establishment of Region 1’s first Chapter – the Central Cascades Chapter – and serves as the Chapter Coordinator. I know you will enjoy getting to know Terry as much as I did!

Terry, tell us a little bit about yourself – let’s start with the fun stuff. What do you like to do when you aren’t auditing and Chapter Coordinating?
I enjoy spending most of my spare time either in the outdoors participating in activities such as cycling, mountain biking, hiking and fly fishing or volunteering in my local community, church and daughter’s school. On occasion, you might even find me experimenting in the science of zymurgy.

Well, of all the sciences, I believe that is also my personal favorite! Ok let’s switch to the business side. Tell us about your journey into the audit world.
I’ve been in the internal audit profession now for over 16 years. Prior to this, I was an accountant with the Defense Finance and Accounting Service (DFAS) after serving in the Air Force. While working as an accountant with DFAS, I was selected to be a member of an operational review team visiting regional offices throughout the country. Our primary objective was to identify inefficiencies in systems and related business processes and to provide for cost effective solutions. Participation in this project was an eye opener for me. Not only did it give me broader insight into the organization, it also allowed me to contribute in an entirely different way. At that point, I made the “right turn” down the auditor career path and have been hooked ever since. I am now the Director of Audit Services at Maps Credit Union in Salem, OR and Chapter Coordinator for the Central Cascades Chapter in Region 1.

I, for one, am glad that you made that turn into audit! What kind of educational experiences have you had that helped you get where you are today?
While serving in the Air Force, I earned my Bachelor of Business Administration in Accounting from McKendree University located in Lebanon, IL. I have also had the great opportunity to attend many of the courses offered by The Institute of Internal Auditors (IIA). I am currently a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA) and have a Certification in Risk Management Assurance (CRMA). The knowledge I gained in preparation for earning these certifications has proved to be invaluable, particularly the CIA and CISA. Both have helped me to establish a solid foundation in each of their respective disciplines and have led to continued improvement and advancements in my career.

You have been in audit now for a while – what have you found to be the most useful tools in streamlining audit processes, enhancing efficiencies, and making audit a value-added service?
I am a big proponent of utilizing available technology to enhance the audit process and improve performance. From a software perspective, utilizing a complete audit management system such as TeamMate AM to manage the entire audit cycle has been a key factor in achieving this for me. Some days I wonder how I would even be able to do without it. Data analytics software has been another useful tool for me over the past 10 years, not only to gain efficiencies in the audit process but to also add value to the organization.

I remember 100 years ago when I was young and just getting involved in audit, several very seasoned auditors helped me along the way. With your vast experience and educational background, you are definitely the type of auditor from whom others could learn – Do you have any advice for new auditors just getting their feet wet in our field?
First and foremost, get to know your industry and your organization. I would highly recommend getting involved in both the ACUIA and The IIA. Both are really great resources for new auditors, each with its own focus. I’ve been a member of the IIA since entering the profession which has helped me to learn and establish the necessary framework for effective internal auditing. Although the IIA has an industry-specific group for financial services auditors, upon transitioning into the credit union industry, I immediately joined the ACUIA in order to develop relationships with other credit union internal auditors and to better understand the industry and related risks.

What aspects of the ACUIA have you found to be most rewarding?
By far, it is the networking with my colleagues I find most rewarding. The ongoing dialogue among members, whether on the local or national level, has been very valuable to me since transitioning into the industry.

So let’s switch gears to your ACUIA experiences. How long have you been a member?
3 years.

Tell us about the ACUIA volunteer opportunities you have embraced. How has that enhanced your membership?
Having stepped up last year to help establish the first chapter for Region 1, the Central Cascades Chapter, I am now the Chapter Coordinator. This opportunity has allowed me to be more involved at both the local and national levels and I look forward to being able to contribute more to both. As a starter, I’ll be hosting the Region 1 Spring Meeting here at Maps on April 30th and May 1st.

Thank you for taking the time to talk with us Terry! I hope everyone will get to meet you in person at the Annual Conference this year!!

FUN FACTS ABOUT TERRY:
Favorite music: Bluegrass, Christian
Favorite singer: Alison Krauss
Favorite cuisines: Italian American, Asian
Favorite season: Fall

NOMINATE A MEMBER!
Do you know a member who should be featured in our member spotlight? Send nominations to Tabitha Ernst-Chadwick at acuia@acuia.org



{ regional news }

REGION 1
Director Julie Wilson
Director Internal Audit, iQ CU
360.992.4233
juliew@iqcu.com

Region one has a 2-day meeting scheduled for April 30th and May 1st. Terry Robbins of Maps Credit Union will be hosting the meeting in Salem, Oregon. The meeting promises to be jam packed with exciting discussions from excellent speakers.

On Day 1 Tom Schauer from Trust CC will be presenting all topics with an IS/T focus:
■ Cybersecurity – New Risk or new Term, Regs and Industry Standards & Audit Steps
■ Data Breach - Preventing, Detecting and Responding

On Day 2 we have a great agenda:
■ Tom Schauer, Trust CC – 20 Often Overlooked IT Controls
■ Hugh Chakler, OCM – Revised Risk-Based Capital Rule, Will this do the trick?
■ Ryan Sturgins, Moss Adams – Industry Audit Update
■ Janet Powell, State of Oregon – Industry Regulatory Update, Hot Topics & Common Findings
■ Pamela Stroebel Powers, Powers CPA – ERM – What is IA’s Role?

You can view the full agenda and register for the meeting on the ACUIA website; check it out.

REGION 2
Director Tara Tocco
Internal Audit Manager, Hughes Federal Credit Union
520-205-5744
TTocco@hughesfcu.org

I am pleased to take over the Director position for Region 2. Please call me anytime with questions, comments, or concerns about the Region.

The AZ Chapter had a quarterly meeting on February 20, 2015 in Chandler, AZ. We had a great meeting with nine people in attendance. Watch the ACUIA website for information on upcoming meetings.

REGION 3
Director Greg A. Czyzewski, CPA, CIA
AVP Internal Audit, Teachers Credit Union
574.284.6451
gczyz@tcunet.com

The Region 3 Meeting is scheduled for October 14-16 in Indianapolis. Mark your calendars!

REGION 4
Director Patrick McCullough, CIA, CISA, CRMA
AVP/Director of Internal Audit, Arkansas Federal Credit Union
501.533.2275
pmccollough@AFCU.org

The Region 4 Meeting will be scheduled for September 10th and 11th in Dallas or Fort Worth. We are currently looking for a credit union in that location that is willing to host the meeting. If you are interested, please notify Patrick McCollough at pmccollough@afcu.org.

REGION 5
Open
Position Open! Region 5 needs you!

REGION 6
Director Bobby Nichols
SVP - Audit Services, State Employees’ Credit Union
800.385.7014/919.8395338
Bobby.nichols@ncsecu.org

No news for Region 6. Please contact Bobby for information.



{ region directors }

REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: Greg Czyzewski, CPA, CIA, gczyz@tcunet.com
REGION 4: Patrick McCullough, pmcollough@AFCU.org
REGION 5: Open
REGION 6: Bobby Nichols, bobby.nichols@ncsecu.org

{ chapter coordinators }

Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Allen Lorti, alorti@sunwestfcu.org
CALIFORNIA CHAPTER: VOLUNTEER NEEDED!
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com

REGION 3
INDIANA CHAPTER: Jeff Watson, jwatson@iucu.org
MINNESOTA CHAPTER: Van Sprenger, vsprenger@toplinecu.com

REGION 4
NORTH TEXAS CHAPTER: Kimberly Wiersema, kawiersema@hotmail.com
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6
GEORGIA CHAPTER: Jason Alexander, jasona@lgeccu.org
NORTH CAROLINA CHAPTER: Staci Hutchinson, stacih@summitcu.org
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Mark Jenkins, CUCE, mjenkins@tvacreditunion.com


{ acuia select }

CONFERENCE SPONSORS & EXHIBITORS

ACUIA extends a special thanks to our 2014, 24th Annual Conference and One Day Seminar Sponsors and Exhibitors, who help make the annual event great.

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.

[Sponsor and exhibitor logos, grouped by level: Platinum, Gold, Silver, Bronze, Exhibitor]

