Volume 24, Issue 2, 2015
The Magazine of the Association of Credit Union Internal Auditors, Inc.
CECL: THE NEW ACCOUNTING FOR LOAN LOSSES
THE STANDARDS: AUDIT RECORDS
CUTTING THROUGH THE CYBERSECURITY FOG OF MORE: As the threats mount, so do the technologies to defeat them.
THE WHO, WHAT, WHEN, WHERE, AND HOW OF TILA-RESPA DISCLOSURE INTEGRATION
{ contents }

DEPARTMENTS
From the Editor: Here’s to 25 More. Tabitha Ernst-Chadwick
Chairman’s Message: Where Has the Time Gone? John Gallagher
Where Are They Now? Q & A with Terry McEachern and Barry Lucas. Amy Schaefer
The Standards: Audit Records. Pat Richey
Information Security: Carbanak Is a Game Changer! Tom Schauer and the TrustCC Team
Member Spotlight: Tara Tocco
Regional News
Region Directors and Chapter Coordinators

FEATURES
Cutting Through the Cybersecurity Fog of More. The cyber war is costing companies millions in brand reputation, stolen customer data and intellectual property, business continuity disruptions, and fines. As the threats mount, so do the technologies to defeat them. Ted Ritter
CECL: The New Accounting for Loan Losses. The way we gather data, compute the calculation, and audit the results is bound to change. Blair Svendsen
The Who, What, When, Where and How of TILA-RESPA Disclosure Integration. With the implementation date looming, has your institution considered the impacts? Kia Henkneby
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.
Executive Editor: Tabitha Ernst-Chadwick
Designer: Victoria Valentine
Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284
© Copyright 2015, ACUIA. All rights reserved.
{from the editor} HERE’S TO 25 MORE Tabitha Ernst-Chadwick, CIA, CFE, CISA, CBSAO, LRP, NCCO
We are auditors and we are here to help, no seriously. Let’s be honest – regardless of the cooperative relationships we may have with management and the board, regardless of whatever smiles are pasted on when we step into a branch or department for fieldwork, the truth is that “they” are almost never happy to see us (even when we bring donuts!). Why? Because we are auditors, and we are an operational burden. It’s a frustrating stigma, especially when we all know that we really are there to help, and that we really can help. Unfortunately, that stigma may never change. (I was both offended and encouraged when a branch manager called me after a recent audit to say “You guys are not at all as horrible as everyone said you were.”) The thing is, that is a difficult concept for me to accept because I know the truth. I know that credit union auditors by nature are some of the most genuinely helpful and caring professionals to walk the earth. How do I know that? No, not because I’m a credit union auditor, but because I’m a member of ACUIA. As you read through this Issue, you will find several tributes and compliments to ACUIA members past and present who have shaped this organization and its members. And because this Issue is overflowing with fantastic articles, I don’t have the space to list all of those whose names are etched into my heart because of the assistance they’ve given me over the years. I haven’t been a member of ACUIA or attended as many conferences as some others – I’ve only been around since Albuquerque and missed Denver because of the pending arrival of my youngest daughter – but this 25th anniversary of ACUIA is still pretty nostalgic for me. This group of people is ever changing, yet one theme always prevails – helping each other. So to those of you “old timers” that have helped me figure out this whole auditing gig (and get pretty good at it if I do say so myself), I say thank you, from the bottom of my heart. You gave me more than you can ever know. And to you “newbies” just coming on, I ask that you continue to carry on that legacy that made this organization what it is today. Enjoy the conference everyone!
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
{chairman’s message} WHERE HAS THE TIME GONE? John Gallagher
At times I find it hard to imagine that I have been a member of ACUIA for over 20 years and now here we are celebrating the Association’s 25th Anniversary. I consider myself very fortunate to have met so many individuals over these years which I consider peers, colleagues, and most of all friends. I have seen some of these individuals move from internal audit to accept roles as risk officers, CFOs, and even CEOs. Others have gotten married, had children and even some had the good fortune of retiring from their credit unions after many years of service. As said, so many of them became close personal friends and I miss not having the opportunity to meet up with them during an annual conference and just hang out. In preparation for this article I did a little reminiscing about where we have been, what we have done, and what we have learned over the years. Last night I was reading Terry McEachern’s article that she wrote as part of ACUIA’s 20th Anniversary (hard to believe that was 5 years ago). In the article she recalled the first “meeting” held in 1990 which consisted of seventeen credit union members. This year we will again play host to well over 200 attendees. I also found it interesting that she went on to mention that some of the first conference topics were on Preventing Fraud, Risk Assessments, Internal Auditor Roles
and Responsibilities, Audit Report Writing, and Disaster Recovery. Reading this got me wondering whether I was caught in some time continuum as many of these topics are still relevant today and frequently appear on annual conference and regional meeting agendas. To be honest there are really too many articles of all my memories of ACUIA over the years to be captured this article, so I will simply highlight a few of my favorite memories below. My first memory of ACUIA was attending my first regional meeting (Region 5 Rocks!!) held in Philadelphia, PA back in 1995. The regional director at the time was Lee Haas. The meeting was held at a small hotel located close to the airport. While I was nervous at first, I quickly became more comfortable as Lee and the other attendees welcomed me into the group. Being a relatively small group it was easy to meet new people and soon became part of what I affectionately called the Philadelphia Connection. Included in the group were Mark, Amy, Dennis, and our very own “Philly Guy” himself Warren Whiteoak. While this group has changed over the years I credit these individuals with making me want to be a bigger part of ACUIA and to welcome others into our network. Lastly I recall as part of the regional meeting hopping on a bus for a group outing to Atlantic City. What
made the night interesting was that one of the sessions held earlier that day was presented by the internal auditor at one of the casinos so as we had our fun we could also witness the various controls the casino utilized to protect itself against theft, fraud, etc. At least now I understand why the card dealers wear pants without pockets! The bus ride to and from the casino gave even more time to get acquainted with other attendees and although I went back to the hotel with less money than I started, it was still a great evening. Shortly after that regional meeting I couldn’t wait to attend my first annual conference, 1996 in Denver, Colorado. Of course the “Connection” was there who then introduced me to many other internal auditors, compliance officers, fraud experts, etc. from all over the U.S. From that point on I was hooked on ACUIA and have been attending the annual conferences ever since. So what conferences and locations have I enjoyed most? Well it is hard to say but let’s start with San Diego. Great location, perfect weather! What I remember most is making the decision to stay at a local Bed & Breakfast instead of the hotel. I shared this huge house with Mark (mentioned above) that was run by a husband and wife. They lived in a smaller house on the same property. Every morning she would make us breakfast before we headed off to the conference ensuring that we had a well-balanced breakfast and never eating the same thing two days in a row, eggs one day, fruit parfaits the next, and so on. When we went back each night she would greet us with some cold beer and asked how our days went. It felt like she was our mother. At one point she read our
palms, not sure if that was before or after the beer, but I can tell you that looking back now she was spot on!! Another conference location that I recall was Albuquerque, New Mexico. The conference was scheduled for shortly after 9/11 and the Association considered cancelling. Well it wasn’t cancelled and despite the mood being somewhat somber by the tragedy, we all pulled together. I specifically recall the optional event held that year, the hot-air balloon festival. Despite needing to board a bus at some ungodly hour of the predawn morning in the cold, the event itself was awesome to see. Over 100 hot-air balloons taking off at the same time was a sight to see. The unfortunate part is that we still had afternoon sessions scheduled. I think most of you/us slept through at least some of those sessions! Speaking of great views, there was our conference in Lake Tahoe. The conference was held at a resort directly on the lake, a departure from the usual downtown city locations. The snow-capped mountain views
combined with the lake’s crystal blue waters was a sight to behold. It definitely made it hard to concentrate during the sessions. The optional event this time around was a dinner cruise on the lake. Unfortunately the boat ran aground before we even had a chance to board…oops! After some quick thinking we were able to arrange for the resort to provide dinner vouchers for all of the attendees. The best part for me was having the opportunity to play some golf. Given the high altitude, it was and continues to be the only time I could say I hit a 300-yard drive! Some of the other conference locations I recall fondly include Seattle where we visited the Space Needle and went bowling at the Garage; San Antonio where we visited the Alamo and spent time on the River Walk; Nashville where we spent time on music row listening to local talent; Austin where we hung out on the bridge to watch millions of fruit bats come out each night; and certainly can’t forget New Orleans (although I almost did) where we spent time
on Bourbon Street and were introduced to Hurricanes, the drink and not the storm! Over the years I have taken in my share of baseball games during the conferences (Os, Red Sox, Braves, Twins, Rockies, Nationals, and so on) and I am not even a big baseball fan. But for me it is not as much about the game as it is about simply having time to hang out with fellow attendees, taking in the atmosphere, and sharing stories. In addition to baseball games we have also been on our share of boat cruises. I know some of you would like to forget about some of those as you spent the majority of the time hanging over the rail and losing your dinner. That’s all I’ll say about that! Let me briefly comment on the past and present leadership of ACUIA. First, I again extend my thanks to Terry and her credit union for having the vision 25 years ago to establish an association for credit union internal auditors. Without such a vision and dedication, none of us would be where we are today. Additional thanks to all of our past volunteer leaders who have helped shape and manage the association through these many years: Terry M., Anne E.R., Randy M., Randy P., Pat R., Valerie W., Gary L., Barbara N., C. Joseph M., and so many others. Of course where would we be without our vendor partners. Many of them have been part of the association for as long as I can remember and I thank them for their continued support. Lastly, let me thank you for being a member of ACUIA. If you are a long term member like me I hope you share some fond memories of all of your past experiences throughout the years, and for those who may be new to the Association my hope is that you enjoy creating your own experiences and memories of ACUIA with the many individuals you will meet. Happy 25th Anniversary ACUIA!!!
CUTTING THROUGH THE CYBERSECURITY FOG OF MORE
By Ted Ritter
The cost to credit unions from the Home Depot breach was painful. The cost of a direct breach could be fatal. The harsh reality of today’s cyber war is that 9 out of 10 companies’ defenses are already compromised by malware and malicious insiders. This is costing companies millions in brand reputation, stolen customer data and intellectual property, business continuity disruptions, and fines. As the threats mount, so do the technologies to defeat them.
This rise is creating a “fog of more” scenario for credit union IT shops where it’s increasingly difficult to focus on the greatest risk, the greatest threats, and the most effective means to combat them. As an example, malware defense is a critical component of the security architecture of every credit union. It consists of a plethora of vendor products (IDS/IPS, firewall, anti-virus, breach detection system, etc.) utilizing a broad range of underlying technologies (signatures, heuristics, anomaly detection, contextual behavioral analytics, virtual execution, machine learning, big data, sandboxes, etc.). Figuring out the best product with the right underlying technology to meet the credit union’s current and future needs is a daunting task.

Credit unions must find a way to cut through the fog and quickly project a new technology’s potential impact on the credit union’s risk posture. Traditionally, this type of projection has involved extensive testing, bake-offs, and simulations, way beyond the credit union’s IT budget, let alone its IT security budget.

Evaluating New Security Product Effectiveness

To minimize costs, credit unions can creatively use a standard set of security functional controls as their evaluation pivot point. As discussed below, this is far more cost effective than standing up a test lab and far more practical than lining up data sheets to compare – often arbitrary – performance characteristics. The best place to find these functional security controls is from a standards, research, and educational organization such as SANS.

SANS Critical Security Controls (CSC) 20

First developed by SANS, the 20 Critical Security Controls (CSC) provide a very pragmatic and practical guideline for implementing and continually improving cyber security best practice. The CSC-20 are real-world prescriptive guidelines for effective information security. As stated in the Council on Cyber Security’s overview, the CSC-20 represents the “most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced attacks.”

The great news for credit unions is there is significant synergy and cross-mapping between the CSC-20 and other cybersecurity efforts. For example, SANS provides a crosswalk matrix mapping CSC-20 to NIST 800-53, ISO 27001/2, and the NIST Cyber Security Framework. The CSC-20 may also be mapped to specific FFIEC guidance.

With the CSC-20, one can build a matrix to map both internal credit union progress implementing the controls, and also to evaluate potential new security product or service effectiveness. This is only possible because of the CSC-20’s granularity, modularity, and design for measuring continual effectiveness improvement. To underscore this point, each control not only defines why the control is essential, but it provides relevant effectiveness metrics, automation metrics, and effectiveness tests for that control. In other words, the control provides guidance on what to do as well as guidelines on how to know you are doing it correctly.

Diving into the depths of the CSC-20 is well beyond the scope of this article, but as a reference point, the CSC-20 contains 20 controls made up of 184 sub controls. Essentially, the controls are already mapped out to facilitate a matrix for product/service effectiveness evaluation.

As an example, following on the earlier discussion, CSC-5 is the Malware Defenses control: “Control the installation, spread and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.” All of the products and underlying technologies listed earlier are relevant to this control and as such, could be evaluated against the control and its 11 sub-controls. The process is pretty straightforward:

1. Determine which of the sub-controls the credit union currently supports and do a self-assessment of how well the controls are covered.
2. Determine the incremental projected benefit of adding a new security product. What sub controls will the product cover and to what level? How much overlap is there between what the new product covers and the existing environment?
3. Recalculate a projected effectiveness rating against the control with the new product/service added to the security infrastructure.
4. Repeat the above process with other vendor products to determine which product has the greatest potential impact on the credit union’s overall security effectiveness.

To illustrate, Figure 1 shows an organization self-assessing its own effectiveness against CSC-5 at 40%. If this sounds low, it is! This is despite deploying numerous products targeting malware defense. And, this is why they wanted to conduct this exercise. The second column shows the organization’s projected assessment after adding preemptive breach detection from TaaSera to their security infrastructure. Clearly, they project significant improvement. Yet, the real value to them is they are able to determine the potential impact of their next product in advance, without running a single test.

Conclusion

The above example showed only one control from the CSC-20. Taking into account all 20 controls, credit unions can effectively evaluate almost any security product/service on the market. And, they can easily connect the dots between the CSC-20 and credit union directives including the direction from both NIST and FFIEC. Using the CSC-20 as a baseline matrix for security product effectiveness assessment cuts right through the “fog of more,” helping credit unions focus on the greatest risk, the greatest threats, and the best place to focus scarce security resources.

About the Author
Ted Ritter is a Certified Information Systems Security Professional (CISSP) and the founder of Cyber Velocity. Prior to forming Cyber Velocity, Ted was at Nemertes Research where he was a highly regarded principal analyst covering information security, cloud and data center and a successful sales executive selling to Fortune 500 commercial organizations. He can be reached at tritter@taasera.com.
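The four-step CSC-5 evaluation described in the article above, worked through in Python as an added example; it is not code from the article or from SANS. The sub-control ids CSC-5.1 to CSC-5.11 are placeholders for the control's 11 sub-controls, the scores and vendor names are constructed, and equal weighting with a take-the-higher-score rule for overlap is an assumption.

```python
# Added example (not from the article): CSC-5 evaluation matrix for steps 1-4.
# Sub-control ids are placeholders (the article gives only the count, 11), and
# all scores and vendor names below are constructed sample data.
SUB_CONTROLS = [f"CSC-5.{i}" for i in range(1, 12)]


def validate(coverage):
    """Reject unknown sub-controls and scores outside 0-100 percent."""
    for sub, score in coverage.items():
        if sub not in SUB_CONTROLS:
            raise ValueError(f"unknown sub-control: {sub}")
        if not 0 <= score <= 100:
            raise ValueError(f"{sub}: score {score} is outside 0-100")
    return coverage


def effectiveness(coverage):
    """Step 1: mean coverage over all 11 sub-controls; unlisted ones count as 0."""
    validate(coverage)
    total = sum(coverage.get(sub, 0) for sub in SUB_CONTROLS)
    return round(total / len(SUB_CONTROLS), 1)


def project(baseline, product):
    """Steps 2-3: merge a product's claimed coverage into the baseline.

    Assumption: overlapping coverage does not stack, so each sub-control takes
    the higher of the existing score and the product's score.
    """
    validate(baseline)
    validate(product)
    combined, improved, redundant = {}, [], []
    for sub in SUB_CONTROLS:
        have, offered = baseline.get(sub, 0), product.get(sub, 0)
        combined[sub] = max(have, offered)
        if offered > have:
            improved.append(sub)      # incremental benefit
        elif offered > 0:
            redundant.append(sub)     # overlap with the existing environment
    gain = sum(combined[s] - baseline.get(s, 0) for s in SUB_CONTROLS)
    return {
        "projected": effectiveness(combined),
        "gain": round(gain / len(SUB_CONTROLS), 1),
        "improved": improved,
        "redundant": redundant,
    }


def rank(baseline, candidates):
    """Step 4: repeat the projection per vendor, largest gain first."""
    results = {name: project(baseline, cov) for name, cov in candidates.items()}
    return sorted(results.items(), key=lambda item: (-item[1]["gain"], item[0]))


# Constructed self-assessment averaging 40%, matching the article's example.
BASELINE = dict(zip(SUB_CONTROLS, [80, 80, 60, 60, 40, 40, 40, 20, 20, 0, 0]))

# Constructed vendor claims: vendor_a mostly duplicates existing coverage,
# vendor_b fills the weakest sub-controls.
CANDIDATES = {
    "vendor_a": {"CSC-5.1": 80, "CSC-5.2": 70, "CSC-5.3": 80, "CSC-5.4": 60},
    "vendor_b": {"CSC-5.5": 40, "CSC-5.8": 80, "CSC-5.9": 80,
                 "CSC-5.10": 60, "CSC-5.11": 60},
}

if __name__ == "__main__":
    print(f"baseline: {effectiveness(BASELINE)}%")
    for name, result in rank(BASELINE, CANDIDATES):
        print(f"{name}: projected {result['projected']}% (+{result['gain']}), "
              f"overlap on {len(result['redundant'])} sub-control(s)")
```

The redundant list is the part a data-sheet comparison hides: a product can claim broad CSC-5 coverage and still move the projected rating very little when those sub-controls are already covered.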
CECL: The New Accounting for Loan Losses
By John Miller, Director, Financial Institutions Group, and Blair Svendsen, Commercial, Consumer & Real Estate Lending Supervisor
Anxiety is increasing as the final version of the Financial Accounting Standards Board’s (FASB) guidance on the Current Expected Credit Loss (CECL) model is expected to be issued sometime later this year. As we wait, most financial institutions are wondering many things, including how they are going to implement the new rules, what it means to capital ratios, and how it will change things as we know it. The one thing that is sure at this point is the process by which we gather data, compute the calculation, and audit the calculation will significantly change.
How Did We Get Here?

Following the global economic crisis, FASB and the International Accounting Standards Board (IASB) set out to improve the current “incurred loss” model. Collectively, they observed three main weaknesses that need to be addressed:

1. Delayed recognition of credit losses due to “probable” and “incurred” loss concepts
2. A lack of ability to consider forward-looking information
3. The creation of inconsistencies due to the use of numerous credit impairment models

To help address these concerns FASB released a proposed Accounting Standard Update (ASU) in late 2012. Initially, the goal was to have one “global” standard to create the same accounting for loan losses for entities using U.S. accounting standards and those using international standards. After much debate and the inability to come to a consensus, FASB proceeded with the CECL model in late 2013, while the IASB went in a different direction.

For those of you curious as to why the accounting standards are not the same, it came down to a massive deal breaker – the impact it would have independently on U.S. and foreign institutions. The IASB model would have resulted in U.S. institutions reversing millions of dollars of reserves. Federal regulators would not have been happy with that. On the other hand, the FASB model would have significantly weakened otherwise strong foreign financial institutions due to its severity in comparison to the IASB model.

Why CECL?

The new CECL method is aimed at recognizing all losses associated with the loan at inception and only changing throughout the loan as information would dictate. The primary way to do this is to compute the expected collection of contractual cash flows. The new model would:

- Remove probable and incurred levels for recognition of credit losses
- Extend the time horizon over which expectations are to be formed (life of loan)
- Be more forward-looking by incorporating reasonable and supportable forecast of the future
- Reduce complexity by replacing numerous models with a consistent approach

As a quick refresher, the current basis for accounting for loan losses is the “incurred loss” method. Broadly speaking, this method involves using historical loss rates as a basis for estimating the potential loan losses currently in the portfolio. Some would argue this is “one year” worth of losses even though many institutions end up with more than one year of losses in the allowance for loan losses (ALLL). The expectation is the expected losses for the “life of the loan” will be in the ALLL. For many institutions, this will result in a large one-time adjustment to the existing allowance. At this point, it’s anticipated this one-time adjustment will be recorded to beginning equity in the year of adoption and not be recorded into earnings.

The Distinctive Differences

The CECL model will require financial institutions to factor historical losses, current environmental conditions, and the new expectation of “reasonable and supportable forecasts” of future environmental conditions when establishing their ALLL. For those asking how will this be possible – you are not alone. Institutions will face many implementation challenges, which include:

- Calculations using an annualized charge-off rate will no longer be sufficient. A much more complex forecast of losses or a method to estimate future losses will need to be implemented.
- Data gathering for the ALLL will be much more detailed and onerous. This is where management and auditors need to think differently. There will be so much data and so many assumptions causing auditing the allowance to take on a life of its own.
- Reasonable and supportable forecasts will be required. There may be a whole new industry for companies forecasting loss rates on loan portfolios.
- Much more lead time will be required to update an ALLL analysis, therefore the process to close the books will be different.

FASB is currently working on addressing individual “issues” as it prepares to publish final guidance later this year. The issues are specific and
help clarify how to help implement the process. The proverbial “question” many members of management and professionals are waiting for is the implementation guidance. This accounting change is so substantial that FASB is writing volumes of guidance just to assist in implementing the standard. Regardless, while we have to wait and see how FASB completes the final guidance you should start preparing now for what you can. Choosing the Right Calculation The proposed standard requires financial institutions to use methods estimating the ALLL for the life of the loan. There are various methods that may be used, which is why this “simple” concept becomes “complex.” One of the first steps to estimating the losses over the life of a loan is to determine how long the loan will be on the books. Certain institutions have longer maturity loans (i.e. 30 year mortgages) on their books. Further, some loans have shorter lives, but longer amortization periods. FASB will have to shed some light on how these longer term loans will be treated. Early indication is once it reaches a certain length (from a seasoning standpoint), a straight line assumption may be used for the remaining losses left on the loan. Another tip-off regarding possible strategies is coming from the project deliberations. For example, new disclosures will be required for each type of loan by “vintage.” At a February 2015 FASB meeting, the board decided to require that credit-quality indicators for all classes of loans (excluding revolving lines of credit such as credit cards) disclosed under current GAAP be disaggregated by year 16
of the asset’s origination (the vintage year). FASB decided to limit the disaggregation by vintage year to no more than five annual reporting periods, with the balance for financing receivables originated before the fifth annual reporting period shown in the aggregate. While there is a possibility this decision will change before the final rule is issued, it has steered some institutions toward the thought of doing the CECL calculation based on vintage year since this information will be required.

Some institutions are beginning to explore other methods of estimating the ALLL, one of which is referred to as “roll-rate methods” or the loss migration analysis. For these methods, the portfolio is segmented into similar asset pools (i.e. loan type, risk rating, FICO score range or delinquency status). Each category is assigned an allocation based on an analysis. If a loan migrates to another category, the loss rate changes. This method requires significant analysis as each category has its own loss percentage allocation.

Based on three risk components, probability of default (PD), exposure at default (EAD), and loss given default (LGD), the “probability of default” method has also been discussed as a valid option. The resulting formula can be expressed as: Credit Loss = PD x EAD x LGD. This method is another great example of how the CECL process can be made “simple” assuming the proper data is used to generate accurate information to feed into the model.

Regardless of the method used, FASB expects many entities to have an initial approach to address the updated rules. Then the models and assumptions will need to be updated occasionally. This continues to be a source of discussion as some will argue monthly or quarterly, yet smaller institutions might argue for annual updates. Once the analysis is recalculated, any changes would flow through earnings as the overall ALLL is adjusted.

Start Preparing Now

Shifting to the CECL model of computing ALLL will have significant impact on financial institutions not only from a capital standpoint, but also an operational and audit standpoint as well. Selecting a model will ultimately dictate the data needed to compute the analysis and how to gather it. One thing is for sure – you will need more data than ever before and auditing it will be much more difficult.

As a great starting point, Doeren Mayhew suggests at a minimum the following data points be retained or obtained for most new loans. While some professionals are expecting a 2018 or later implementation date, data will be needed for a few years to build out the initial model. Most people are in agreement that institutional
data – meaning “ours” as opposed to someone else’s – is preferred. Therefore, consider retaining the following information in a database allowing for gathering over multiple periods (e.g. take a snapshot each quarter or even monthly):
■■ Credit scores
■■ Debt service coverage ratios
■■ Loan to value ratios
■■ Loan risk ratings
■■ Loan risk rating changes
■■ Delinquency statistics by risk profile (i.e. credit scores)
■■ Counts of loans in each pool
■■ Unemployment rates (locally and nationally)
■■ Real estate trends (locally)
■■ Lease rates (capitalization rates by rental type)
■■ Population rates (locally)
The implementation of the CECL model will have a significant impact on your operational and accounting procedures. Although there are many uncertainties, start preparing what you can now to make the implementation process a smoother one for your institution.

About the Authors

John Miller, Director – Financial Institutions Group
John Miller is a Director in the firm’s Financial Institutions Group. Drawing upon 25 plus years of financial institutions industry experience as not only a CPA and advisor, but recently as a Chief Financial Officer of an institution, John’s understanding of financial institutions and their operations provides a unique perspective to clients’ engagements. As a highly technical advisor, John is relied on to ensure sound accounting and business practices are being performed through a variety of assurance and advisory services. From external audits, to evaluating internal controls, or consulting on recent regulatory and technical pronouncements, he assists clients in assessing and managing risk.

Blair Svendsen, Commercial, Consumer and Real Estate Lending Supervisor
Blair Svendsen is the Commercial, Consumer and Real Estate Lending Supervisor in the Financial Institutions Group at Doeren Mayhew. For more than 17 years, he has worked with a variety of financial institutions with portfolios exceeding $1 billion. Clients have relied on Blair to provide loan reviews and analysis in the commercial, consumer, business and real estate sectors. He works closely with a variety of credit unions and CUSO clients to evaluate the creditworthiness and collateral of borrowers, provide loan workout routines for at-risk borrowers and create loan structures.
THE WHO, WHAT, WHEN, WHERE, AND HOW OF TILA-RESPA DISCLOSURE INTEGRATION
By Kia Hekneby Senior Compliance Specialist, Doeren Mayhew
More than a year has passed since the Consumer Financial Protection Bureau finalized the most talked about lending regulatory change – the combining of the Truth in Lending Act (TILA) and Real Estate Settlement Procedures Act of 1974 (RESPA) disclosures. With the implementation date of August 1, 2015 looming, has your institution considered the impact on current processes and put procedures in place to comply? Doeren Mayhew’s Financial Institutions Group examines six key changes the new regulations require and suggests considerations for procedures in terms of the who, what, when, where, and how.

WHO will be completing the Loan Estimate and Closing Disclosure?

Due to the transaction specific nature of the Truth in Lending RESPA Integrated Disclosures (TRID), these documents are much more complex than the existing forms. Information not specific to a transaction cannot be included on the form with a simple “N/A” next to it, or by leaving an unmarked check box. In addition, the charges subject to a zero tolerance have increased, which comes with a whole new set of fees (charges for which the borrower is not allowed to shop), as well as charges from affiliates. To avoid curing tolerance and RESPA violations, institutions must provide accurate estimates.

Given the complexity of the forms, as well as the change in tolerances, consider whether you can centralize the issuance of the Loan Estimate and all re-disclosures of the Loan Estimate. This would allow for greater oversight, concentration of training, and increased consistency, as well as help to mitigate risk of non-compliance. If centralization is not an option, then ensure all staff is well-trained and procedures are in place for them to follow when completing a Loan Estimate. Address areas on the form which are more prone to errors. Design a grid which indicates the number of columns in the Projected Payments Table for each type of loan offered by your institution, keeping in mind that columns need
to include balloon payments and termination of mortgage insurance. If adjustable rate mortgages are offered, create the AIR Table for all products. Define which origination charges will be assessed. List all the fees borrowers cannot shop for, indicating ones which should always appear and those that are transaction-specific, such as mortgage insurance. Ensure fees in the system are accurate and are reviewed on a periodic basis. Define which disclosures should appear on the Other Considerations tab, based on loan purpose. Finally, audit all Loan Estimates using a quality control checklist in at least the first month of production to determine if forms are generating as expected.

When determining whether you or your settlement agent will prepare the Closing Disclosure, consider the following:
■■ Under the new rules, a lender is ultimately responsible for the accuracy of the Closing Disclosure.
■■ There are tight timeframes to be met. Will the closing date need to be extended out to include time for the closing agent to prepare and distribute the Closing Disclosure?
■■ If you will rely on the title company to prepare the Closing Disclosure, then consider limiting the number of title companies with which you work. You need to have confidence that the Closing Disclosure will be accurate and timely.
■■ The major title underwriters (Land Title, Stewart, Old Republic and First American) have all indicated they may no longer offer simultaneous reissue rates for the owner’s title policy. This eliminates the benefits to borrowers of using the same title company as the seller and provides you more freedom to choose the best title company for your purposes.

In the end, whether you decide to prepare the Closing Disclosure or have the settlement agent prepare it, it should always be reviewed for accuracy. The most common errors we find on the HUD Settlement Statement today are:
■■ Fees are included in the incorrect tolerance table
■■ Fees from the Good Faith Estimate are carried over incorrectly to the tolerance tables
■■ Re-disclosed fees on the Good Faith Estimate are used in the tolerance table when there is no documented RESPA change for the increase

The new rules will only exacerbate these existing issues, leading to paying to cure tolerance violations and regulatory assessment violations.

WHAT is a business day?

In order to ensure disclosures have been given in the correct timeframes and the minimum waiting periods have passed, understanding the definition of “business day” is key. Under TILA and RESPA, the definition of a business day has always been different, and unfortunately, the revised rules did not resolve this. Under TILA, a business day is defined as any day except Sundays and legal holidays. Under RESPA, a business day is defined as any day an institution is open for business and carries out substantially all of its business functions. The main difference between these two definitions comes down to whether an institution is open on Saturdays or not, and whether Saturday can be counted as a business day.

Institutions should identify what constitutes a business day under RESPA and apply it consistently. In addition, it would also be helpful to distinguish which definition applies to all required timeframes in procedures. The following grid shows the different time frames for disclosures and indicates which definition of business day applies:
WHAT IS A BUSINESS DAY?

EVENT TIME FRAME | APPLICABLE DEFINITION

Loan Estimate must be given within 3 business days of application
RESPA Definition – Any day a business is open for business and carries out substantially all of its business functions
Loan Estimate must have been received at least 7 business days prior to closing
Re-disclosure of the Loan Estimate for a changed circumstance or rate lock must be given within 3 business days from the triggering event
Re-disclosed Loan Estimate must be received at least 4 business days prior to consummation
Closing Disclosure must be received at least 3 business days prior to consummation
If the Closing Disclosure is put in the mail, then under the mailbox rule, the disclosure is considered received on the 3rd business day after mailing. This means the Closing Disclosure must be put in the mail at least 6 business days prior to closing
TILA Definition – All days except Sundays and legal holidays
WHEN are the new disclosures required and when are the existing ones still used?

The TRID must be used for most closed-end consumer credit transactions secured by real property, which are taken on or after August 1, 2015. Comparing the coverage of the new rule to loans currently covered under RESPA, it encompasses loans currently covered under RESPA with the addition of the following categories of loans:
■■ Construction only loans
■■ Loans secured by vacant land or by 25 or more acres
■■ Loans in the name of a trust for tax or estate planning purposes

The new disclosures will not be used for the following:
■■ Reverse mortgages
■■ Home equity line of credit loans
■■ Chattel-dwelling loans (mobile homes or dwellings not attached to real property)

The Good Faith Estimate, Servicing Disclosure, Appraisal Disclosure, and HUD Settlement Statement and existing Settlement Costs booklet must be used on all loans taken on or before July 31, 2015. This means that for at least the last quarter of the year, loans will be closing on both the HUD Settlement Statement, as well as the Closing Disclosure. Write procedures that define which loans will use existing disclosures (loans in the pipeline prior to August 1 and reverse mortgages) and which will use the new TRID.

WHERE will you document changes in individual costs until there is an overall 10% change in the group of fees subject to the tolerance?
Under the new rule, a Loan Estimate is considered accurate, and should not be re-disclosed unless there is at least a 10% change in the total charges subject to the tolerance, not just a 10% change in one fee. A checklist or tracking sheet should be set up to document all changes in fees subject to a 10% tolerance, including the date, changed circumstance and amount of the revised fee. This will support the re-disclosure of the Loan Estimate – disclosing the Loan Estimate when the “tipping point” is reached.

HOW will waiting periods and increased timeframes for re-disclosure affect closing loans? How will you ensure all disclosure timeframes have been met?

The new waiting periods associated with re-disclosures of the Loan Estimate and the Closing Disclosure have led many in the industry to predict the average time to close will increase to at least 60 days. In discussion groups, we’ve learned many institutions plan to rely on the mailbox rule which would require the Closing Disclosure be sent a minimum of six (6) days prior to closing – either by mail or e-mail. However, the rules do allow for same-day receipt if the Closing Disclosure is presented in person, or if the institution establishes a method for borrowers to acknowledge receipt.

To shave off the three (3) business day mailbox rule from closing timeframes, institutions could provide the Closing Disclosure by fax or e-mail, and require borrowers to sign and return acknowledgments of receipt. Many institutions now rely upon signed Intent to Proceed and/or acknowledgment of receipt of the Good Faith Estimate to collect upfront fees. Putting similar procedures in place for the Closing Disclosure would be relatively easy.

One way to better understand the impact of new timeframes and provide insight on whether your institution should rely on the mailbox rule or develop procedures to document borrower receipt of the Closing Disclosure, is to work current files in parallel with your closing agent using the new time frames. Doing so may also help to identify kinks and additional considerations for your closing procedures.

Whether institutions plan to follow the mailbox rule or document receipt to ensure timeframes are met, each file should indicate the key dates for each milestone, and this should be included in the file review prior to issuing the Closing Disclosure:
■■ Date the Loan Estimate is sent
■■ Date of each RESPA changed circumstance and the date of re-disclosure of the Loan Estimate
■■ Last date a Loan Estimate can be issued
■■ Date the Closing Disclosure must be received
■■ Date the Closing Disclosure is to be mailed if it must be sent out.

Conclusion

The rules surrounding the completion and issuing of the new TRID are much more complex than the rules for the existing forms. Attention to detail will be required to disclose timely and accurately. Written procedures will play an important role in roll out and continuing compliance for these forms. Make sure your institution is positioned to comply with the new requirements by August 1, 2015.

About the author

Kia Hekneby is a Senior Compliance Specialist in the Financial Institutions Group at Doeren Mayhew. For more than 20 years, clients in the financial institutions industry have relied on her to provide significant regulatory compliance services. Kia works alongside credit unions, banks, CUSOs and mortgage companies to make sure they are in compliance with state and federal regulations. Additionally, Kia offers clients valuable insight regarding loan, and compliance policies and procedures. Prior to joining the firm, she was a Senior Compliance Analyst with Wolters Kluwer Financial Services, where she ensured customers conformed to changing state and federal regulations through the creation and revision of both forms and lending platforms. Kia also has served in various management capacities, including Branch Operations Manager and Closing Manager for leading financial institutions, including Chase Bank, Fifth Third Bank, Old Kent Mortgage, Washington Mutual Bank and Great Western Mortgage.
{ where are they now? } Amy Schaefer
In this issue we continue our three-part series of Q&A interviews featuring ACUIA incorporators and long-term members. You will also see snippets of these interviews in ACUIA’s upcoming Facebook posts. Not following us on Facebook yet? What are you waiting for? Follow us on Facebook and Twitter to stay up-to-date on what’s happening with ACUIA, “Throw back Thursday” features, and more.
This issue highlights Terry McEachern, Chief Internal Auditor at Royal Credit Union and Barry Lucas, Internal Auditor at Desco FCU. Terry McEachern is the founder of ACUIA. It was her vision that made ACUIA a reality.

Terry McEachern’s Background

Terry is the Chief Internal Auditor at Royal Credit Union in Eau Claire, Wisconsin and has been in this position for 28 years. She lives on Lake Wissota, (Wisconsin Minnesota) notably mentioned in the movie Titanic, even though the man-made lake did not exist in 1912. In the winter, Terry and her husband escape the cold Wisconsin weather to vacation in Mexico. She has two sons and two granddaughters.

Why was it important for you to help create ACUIA?

In 1986, the internal auditor at Royal CU was a part-time position held by a CPA from an accounting firm. I was hired to replace this person and the job became full-time. In the beginning I was “both” the Examining (Supervisory) committee and internal auditor! Other than a few reports the former auditor shared before she left, I didn’t have anyone to provide direction in my role. While my work background was from other financial institutions, I had limited experience in auditing. The chairman of the board of directors at the time also felt that I shouldn’t socialize or become too friendly with other credit union staff. Needless to say, I felt isolated and alone and struggled with my role and responsibilities. Shortly after I was hired, I joined the Institute of Internal Auditors and attended some training for our state regulators. Two other credit union internal auditors were at the training. We talked and really connected. There were other individuals who faced the same job challenges and experiences. I was elated and energized. That feeling of remoteness and discovery of other credit union internal auditors moved me to contact other credit unions about a possible organization.

What have you gained most as an ACUIA member?

Every year when I attend the conference, I am amazed at the talent and intelligence of other credit union internal auditors. I have to admit, I am usually humbled by their perspectives and accomplishments. Listening to what other auditors are doing in their credit unions, I come away thinking “Dang, we should be doing that.” Networking with other auditors and consultants at conferences and meetings has provided me with a myriad of experiences including: advice, support, confidence, satisfaction in helping others, friendships, new ideas, and most important of all, having someone who speaks auditing!

Tell us how being a member of ACUIA helped you get to the position you have today?

It has given me the confidence to express what I feel is best for my credit union and profession, the wisdom to trust my instincts, and courage to recognize when change is needed.

What advice do you have for our current ACUIA members?

Focus on networking with as many other auditors as possible. Make connections and build mutually beneficial relationships and opportunities. It will not only make you a better internal auditor but also a better person.

What are your fondest memories of ACUIA?

The great conversations and interactions I have had over the years with ACUIA members from every part of the country; Paige, Bonnie, Randy, Jim, Terri, Mike, Tom, Joe, Brenda, Valerie, Warren, Karen, Jeff, Don, Pam, Marion, Paul, Frank, Van, Brian, Mark, Jennifer, Kathy, John, Travis, Doug, Kara, Cheryl, David, Pat, Sharon, Ron, Sangeeta, Margaret, Tirso, Bev, Anne, Geoff, Edward, Barry, Greg, Ron, Cynthia, Merritta, Karla, Sam, Jerry, Edmundo, Sheri, Tracie, Brian, Patrick, Nancy, Debra, Kendall, Vicki, Michael, Dean, Charon, Bobby, Matthew, Barbara, Diane, Tim, Roger, Chetta, Andy, Kim, Jill, Ennio, Dana, Anne, Carlton, Richard, Linda, Koji, Margaret, Marcos, Ana, Betty, Linda, Gary, Cathy, Jack, Rick, Jeannie, Janet, Elizabeth, Greg, Craig, Susan, and Kevin. Their names will never be forgotten.

As you know, ACUIA is celebrating our 25th Annual Conference & One-Day Seminar this summer. What would you like to say to our current members?

I’ve done (and sometimes continue to do!) some pretty dumb things in my career and life. This is a quotation that has stuck with me over the years:

“The road to wisdom? Well it’s plain and simple to express: Err and err and err again But less and less and less.”
Piet Hein

Amen.
Barry Lucas is an original ACUIA member, served two terms as a board member beginning in 2002 and began his current term on the board in 2015. He noted in his interview how fortunate he is to work for a great organization that has always supported him in bettering himself, and his efforts to help other credit union organizations such as ACUIA. If it wasn’t for his credit union’s support, he wouldn’t be what he is today.

Barry Lucas’ Background

Barry created the internal audit position at his credit union and has been there for twenty-seven years.

When did you join ACUIA? Why?

Actually, I was a member of the group before it was even called ACUIA. I was attending a National Association of Credit Union Supervisory & Audit Committee (NACUSAC) conference in 1988. Another auditor was there and we agreed that the material being offered wasn’t much help to actual internal auditors. She said a group of credit union auditors in Wisconsin and Minnesota were going to try to form their own group that better fit internal auditor needs for information. A few months later, she called about the group they were going to call ACUIA. I attended my first meeting in Minnesota in the spring of 1989 and never looked back.

How many conferences have you attended? What was your favorite & why?

I know this sounds self-serving, but I’ve attended all 24 conferences. And I’ll be in Boston. I’m very proud of this. I really believe in this organization, and support it in any way I can. My favorite conference? All of them, in different ways. It’s hard to beat the actual physical beauty of San Francisco and Seattle. But all of them have been great.

What have you gained most as an ACUIA member?

Friendships with some of the most knowledgeable and nicest people in the world (not just the credit union industry). People that are willing to answer your questions (even if it seems kinda dumb), always have time for you (even when they really don’t), and will just listen to you. Being able to say you’re friends with people like Randy Manscill, Randy Partin, Pat Richey, John Gallagher, and too many others to mention, means something. And how could I have left out the one that started it all, Terry McEachern. These are the cream of the crop when it comes to our profession.

What advice do you have for your fellow ACUIA members?

Talk to other members at the conferences, the regional meetings, and other ACUIA functions. Ask questions. Don’t be afraid to talk to someone you don’t know. You’ll find that if you have a problem, usually someone else had the same problem and might have a possible solution. Establish the professional network. Talking to people is like water for plants. Talk makes relationships flourish.

What are your fondest memories of ACUIA?

The people, both in the past and present, that make up this organization’s membership. Honestly, the conferences are wonderful, and the educational offerings great. I wouldn’t be where I am today without the help this organization has provided me in the past. But the people are what make an organization. Great people equal a great organization. So, I guess the fondest memories I have of ACUIA are of the personal relationships I developed with certain members of the organization over the years. This group has led to many friendships for me.

As you know, ACUIA is celebrating our 25th Annual Conference & One-Day Seminar this summer. What would you like to say to our current members?

Ask questions. Listen. Learn. Evolve. Repeat.

Keep an eye out for more “Where Are They Now?” articles in upcoming magazine issues and don’t forget to follow ACUIA through social media!
About the Author Amy Schaefer, CIA, CUCE, CUERME is the Senior Internal Auditor at Royal Credit Union. She is a graduate of the University of Wisconsin – Eau Claire with a degree in accounting. She is also an ACUIA Social Media Committee Member and former ACUIA Board Member. Amy is married, has three sons and enjoys camping, cheering on the Packers and attending Brewers and Twins games (but when head-to-head has to root for the Brew Crew!)
{ the standards } Pat Richey, Retired

AUDIT RECORDS

In the last issue I discussed Standard¹ 2330 which requires the internal auditor to document audit work in working papers. There are 2 related standards about controlling access to audit records and their retention requirements.

Controlling Access

Standard 2330.A1 says that internal audit must control access to audit records, and Practice Advisory (PA) 2330.A1-1 gives guidance to the internal auditor as to how to comply with the standard. The issues have changed over the years with changes in technology and the profession going from paper-based audit records to electronic records. However, the Standard has not changed, and it refers to audit records regardless of the storage media. Audit records include reports, supporting documentation, review notes, and correspondence. All of these records are credit union property.

My credit union management understood internal audit’s requirements for controlling access to audit records, to a certain extent. Initially the Chief Audit Executive (CAE) had a lockable office and lockable file cabinets; however the staff auditor was in a cubicle. Subsequently, through a renovation, both internal auditors and the file cabinets were placed together in a lockable room (with windows, so it was not a basement dungeon, where I know some audit departments have resided). A subsequent renovation now has each of the 2 auditors in a lockable office, and file cabinets are a thing of the past.
However, electronic audit records must also be controlled. Internal audit has to be aware of which credit union personnel can access the records through network permissions. It was my credit union’s policy that the IT department have access to the entire network – including internal audit’s network folders. Therefore, if a document was very sensitive, internal audit would password protect the document. The PA states that internal auditors may educate management and the board² about access to audit records
by external parties. There should be an audit policy relating to audit records, the handling of requests to access records, and the procedures to be followed when an audit warrants an investigation. I don’t recall ever educating management about external party access, but it was not much of an issue at our credit union. Generally, the only requests for audit records would come from NCUA or the CPA firm during their annual examinations and audit. However, the CAE should approve external audit’s access to audit records. Internal audit’s requirement to control access to audit records should be in the internal audit charter. However, the internal audit policy documents: ■■ who in the credit union is responsible for audit records control and security ■■ what to include in audit records ■■ the content and format of the records ■■ which internal or external parties can be granted access now or in the future 28
www.acuia.org | The Audit Report
■■ how access requests should be
handled. ■■ how to resolve access issues Even though audit records access may not currently be an issue in your department, it is a good idea to have the issue thought through and documented in a policy. What if credit union management requests access to all or specific audit documentation? For our department, this was not an issue. Management rarely requested access to working papers; I believe they were thoroughly confident in our work. However, we were very open about our work, and would not hesitate to share a working paper (always an indication that we were right!). Sometimes a working paper might be the best explanation of all. A spreadsheet is worth a thousand words. We did not have secrets in internal audit. The exception was when internal audit was working an internal fraud case. Those documents were definitely on a need to know basis. But we never had an inappropriate
request for records. A fraud policy would be a good place to document internal audit’s investigation prerogatives. The CAE should approve internal access requests.

Our department never had an instance where internal audit records were requested in a legal proceeding, so I do not have any experience in that area. However, in an attempt to get internal fraud prosecuted we would try to force credit union and audit documentation onto a prosecutor in the hopes of the prosecutor taking the case for prosecution. One of the things we learned is that if internal audit did all the legwork and provided organized and well-documented evidence, then the case was more likely to be prosecuted.

Granting Access to Audit Records
Standard 2330.A1 also says that the CAE must obtain approval of senior management and/or legal counsel prior to releasing audit records to external parties. PA 2330.A1-2 gives guidance on granting access to records. PA 2330.A1-2 states that legal proceeding requirements vary significantly in different jurisdictions, so if there is a request for audit records in a legal proceeding, the internal auditor should work closely with legal counsel before providing any information. Legal proceedings could include criminal prosecution, civil litigation, and regulatory reviews. According to PA 2230.A1-2 the guidance contained in the PA is based primarily on the legal systems that protect information and work performed for, or communicated to, an engaged attorney. This is called attorney-client privilege. According to www.law.cornell.edu “attorney-client privilege is a legal privilege that works to keep communications between an attorney and his or her client secret. The privilege is asserted in the face of a legal demand for the communications, such as a discovery request or a demand that the lawyer testify under oath.” Most of the credit union’s records that are not protected by attorney-client privilege may be accessible in criminal proceedings, although in non-criminal proceedings the access issue is less clear. It is important that internal audit have a working relationship with the credit union’s attorney.

Audit records are generally produced under the presumption that their contents are confidential and may contain a mix of facts and opinions. However, those who are not familiar with the credit union or the internal audit process may misunderstand those facts and opinions. The internal audit policy depends on credit union industry practice or the legal jurisdiction, so the CAE should be aware of changing practices and legal precedents. The CAE may train internal audit staff, senior management, and the board concerning the risks and issues regarding audit records access. The board may review the audit policy.

PA 2330.A1-2 says that when internal audit furnishes audit records to external parties, internal audit should furnish only the specific documents as directed by legal counsel or policies, but will generally exclude documents covered by attorney-client privilege. Internal audit should not release documents, internally or externally, that can be changed. For paper documents, internal audit should provide copies and retain the originals. Electronic documents should be converted to images such as .pdf format. Documents should be labeled “confidential” and carry a notation stating that secondary distribution is not allowed without permission. To place a confidential watermark in Word 2013, click on Design, and then Watermark, and select a standard watermark or make one of your own design. In Excel 2013, click on Page Layout, and then under Page Setup, click on the tiny arrow in the right hand corner. Click on Header/Footer and create a header or footer with the word “Confidential.” You can increase the font size as desired. In Adobe Acrobat, click Tools, then Pages, go to Watermark, then Add Watermark.

Record Retention
Standard 2330.A2 states that internal audit must develop retention requirements for audit records. Again this is regardless of the storage medium. The retention requirements must be consistent with the credit union’s guidelines and any regulatory requirements. PA 2330.A2-1 gives some vague guidance that suggests retention requirements vary among jurisdictions and legal environments. Internal Audit should have a written record retention policy, or audit records may be included in a credit-union-wide policy. It should also include retention of external service providers’ engagement records.

In an electronic environment, audit records are probably retained into infinity if they are stored on the credit union’s network, and there is a schedule of daily, weekly, monthly, and annual backups. In 23 years of auditing, I’m sure I never had a request for old audit records. However, internal audit would have occasion to review previous audits, and we particularly accessed old emails related to audits. If we had paper records (e.g. cash count sheets), at the least we would retain those records until the next NCUA examination and CPA audit. Or
we would retain the documents until the next audit of that area. We preferred to audit paper loan files, rather than review online, so we would print the loan files for audit. We retained those print-outs for 1 year, since the original loan files could be accessed electronically as needed.

In my pre-internal audit days, long before the current technology advances, I worked in the library of a biomedical firm’s research and development area. The organization retained EVERYTHING... in HARD COPY. And by everything, I mean EVERY letter, memo, notepad page, and luncheon napkin if business-related information was scribbled on it. Nothing that was written on was destroyed. Then my supervisor indexed each of these items by key words; I entered the items in a database and filed the item in a file folder, in a file cabinet, in a room filled with nothing but file cabinets. From there I went to credit union internal auditing (after a short stint of substitute teaching). The R&D imperative to retain everything made me inclined to save everything in internal auditing.

So review your audit charter and policy for language about control and retention of audit records and ensure network permissions are appropriate.

About the Author
Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
Endnotes
1 The International Standards for the Professional Practice of Internal Auditing
2 The Standards allow the Supervisory Committee to be an alternative to the board
{ information security }
Tom Schauer and the TrustCC Team

Carbanak is a Game Changer!

The Carbanak breach announced in February of 2015 is a game changer. Carbanak was uncovered when a bank headquartered in Ukraine asked Kaspersky Labs, a well known and reputable Russian security firm, to help with a forensic investigation. The bank was losing money through ATMs. Months later, additional investigations revealed a broad and sophisticated attack that used ATMs, online banking accounts, and the ACH-like Swift electronic payments system to extract nearly $1,000,000,000 from as many as 100 banks. This attack is by far the largest bank heist in history! For the complete story go to www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html.
Data on public breaches, compiled, sorted by sector, and published thanks to Privacy Rights Clearinghouse, show that direct attacks on financial services firms are rare. While attackers routinely commit card data theft and attack online banking, direct attacks on banks and credit unions account for only 3.6% of publicly announced breaches. It is unclear why thieves have held off directly attacking banks and credit unions to this point; however, the success of Carbanak is sure to entice others to mimic these methods and attack in similar ways. TrustCC’s research and experience indicate that credit unions are susceptible to such attacks. In fact, TrustCC’s realistic penetration testing has a 63% intrusion rate. Using the exact same methods as in real attacks, TrustCC regularly performs black box penetration testing and is able to breach the network and gain control of systems and data in 63% of its tests. Black box is significant as it is testing performed without the knowledge of those in the credit union’s Information Technology (IT) group who are responsible for breach detection and response. Black box testing is the only method of truly testing incident detection and response.
This article is intended to help credit unions understand the often misused term “penetration testing.” The article will help credit unions better test their ability to detect and respond to a breach. The Gramm-Leach-Bliley Act requires that financial institutions “regularly test the key controls of their information security program.” To be compliant, an IT audit should consist of both a security assessment and a compliance assessment to ensure administrative, physical, and technical controls are tested. Homing in on testing of technical controls, credit unions and vendors alike often misuse the term “penetration testing” to depict this testing. Pen testing, when the term is used correctly, is a subset of the testing required to evaluate technical controls. The term “security assessment” more appropriately describes the procedures necessary to evaluate technical controls. A complete security assessment will incorporate each of the following elements:

Social Engineering: Tests designed to evaluate employee resistance to being enticed by an attacker to divulge information or to allow an attacker to gain access to their system. This is the best, most frequently exploited way to test whether attack payloads can be introduced and executed on internal systems.

Vulnerability Scanning: Tools-based testing to evaluate whether systems have vulnerable software that can be exploited by attackers. The best vulnerability scans access systems with Administrator credentials so the scanner can directly inspect programs in memory and on disk to evaluate if vulnerabilities are present. This “credentialed” scanning methodology yields results with 97% accuracy. However, not all scanning tools are equally adept with assessment, which can lead to vast swaths of terrain left unchecked on a vulnerable system. Credit union IT staff should investigate the scanning technology used by the security assessment vendor.

Vulnerability Validation: This type of testing attempts to confirm scanning results by proving the exploitability of select vulnerabilities. Vulnerability validation is most often performed using the laptop of an assessor stationed on premises. This approach is pretty far from reality for three reasons: (1) physical access to the building is assumed; (2) the tester’s laptop is allowed on the network; and (3) the testing relies on vulnerability scan data. While often referred to as “penetration testing,” vulnerability exploitation and validation is not penetration testing because it does not mirror reality, nor a real-world attacker’s path to access.

Penetration Testing: This testing follows the vectors of a real attack with the objective of determining if an attacker can obtain access to the internal network from the Internet, escalate access, and obtain protected information or Administrator privileges. This testing is generally performed in one of two forms, so-called “black box” or “white box.” With black box testing, personnel and systems responsible for intrusion detection and incident response are unaware of the testing and are challenged as they would be in a real attack. Black box testing is the only way a credit union can evaluate incident detection and response. In white box testing, IT is fully aware and may even stand down certain systems to allow testing. Another standard form of penetration testing is to simulate a data breach due to insider threats. For this type of testing, the assessor starts with a typical workstation and an unprivileged user account. The objective is to uncover the pathways an attacker could use to escalate from an account with limited access to one with broad access and control over the network.

Configuration and Console Review: This testing verifies and reviews the configuration of key systems and consoles including anti-virus, logging and monitoring, patch management, vulnerability scanning, remote access, and data loss prevention systems.

Interview and Documentation Review: Finally, any worthwhile security assessment will include interviews with key security personnel and a complete review of documented IT policies and practices.

It is important to note that various security assessment companies may organize their assessments a bit differently than as noted above. In any case, it is vital for a pen test to match reality as much as possible in order for it to be effective in assessing the likelihood of data breach or malware implantation for threats such as Carbanak. It has been lamented, “It’s not a matter of whether an attack will occur. It’s a matter of when.” Carbanak may well be an indicator that direct attacks on financial services may become common. It is critical that credit unions have true black box penetration testing performed so they know their capability to detect and respond to a “real” attack.

About the Author
Tom Schauer – CISA, CISSP, CISM, CRISC, CTGA, CEH
Tom has been practicing in information technology security and auditing for 26 years. Tom is one of the country’s leading experts in IT compliance matters in the Financial Services sector. Tom is the founder of TrustCC and is frequently asked to speak at conferences and provide training to regulatory examiners.
{ member spotlight }
Tara Tocco
Tara Tocco is this Issue’s Member Spotlight. Tara is a devoted mother and grandmother, a fellow James Patterson enthusiast, and also the newly appointed Region 4 Director.
Tara, thanks so much for being our Member Spotlight for this Issue. Tell us a little about yourself. Let’s start with the personal stuff.
I have been married to my husband Joe for almost 13 years. I have two sons and my first granddaughter was born in July 2014. I spend most of my free time with my family. I babysit my granddaughter every chance I get. I like to play golf, but do not get to play as often as I would like.
That’s understandable – when given the choice between golf and hanging out with the grandbaby, I’m sure that’s an easy one. So let’s get into the work stuff. Tell us about your auditing career.
Before taking the internal audit position at Hughes FCU in 2001, I worked at a bank for 21 years. I started working for the bank right out of high school, so my experience and education came from on-the-job training. I started at the very bottom in the Operations department filing canceled checks and sending out monthly statements. I took every opportunity to learn other duties and other areas. I was an Assistant Manager for about ten years, and when I left the bank I was a Branch Manager. I’ve now been involved in auditing for nearly 29 years. I did branch audits in the bank for close to 15 years and have been the Internal Auditor for the credit union for 14 years. I’ve expanded my education by obtaining the Credit Union Compliance Expert designation. Since compliance is always changing, I attend the CUNA Compliance Update every year to stay current.

NOMINATE A MEMBER! Do you know a member who should be featured in our member spotlight? Send nominations to Tabitha Ernst-Chadwick at acuia@acuia.org

So how did you initially become involved in auditing?
By accident. I had no intention of leaving the bank, but one Sunday morning, I was looking at the want ads and saw the ad for Hughes FCU Internal Auditor. I read the job description and thought “I can do that.” I applied for the job and they offered it to me. Accepting the job with the credit union was the best career decision I ever made!
What do you know now that you wish you would have known coming into the industry?
I wish I would have started working in the credit union world much earlier in my career. I love the credit union philosophy and community involvement. I did not know anything about credit unions until I started working for Hughes.
During your years as an internal auditor, what have you found to be the most useful tools in making audit a value-added service?
I think your staff and communication are the tools needed to have audit seen as a value to the credit union. I feel very fortunate that I have open communication with all levels of management. For the most part they understand that the audit department is there to help the credit union avoid violations and ensure positive CPA audit and NCUA exams.
What types of background/experience do you look for in your auditors to make a well-rounded department?
I think people who have experience working in a branch can appreciate both sides. They have been audited and are now doing the audits. They understand the “dislike” of being audited but also understand it is necessary. Having an accounting background is always helpful, but not necessary.
Do you have any advice for new auditors just coming into the field?
The first advice would be to join ACUIA and participate. I joined in 2001, but did not start participating in the annual or regional meetings until 2012. I know I missed out on a lot of information and fun over the years.
Let’s talk about ACUIA for a minute. You’ve been a member since 2001 and recently took on the Region 2 Director position. What ACUIA membership benefits do you find most rewarding?
FUN FACTS ABOUT TARA:
Favorite Book: Love mysteries and my favorite author is James Patterson
Favorite Food: Mexican
Favorite Place: Maui
Favorite Flower: Roses
Favorite Holiday: Christmas Eve
The annual meetings are a great way to network and learn valuable information. I also really enjoy the Region meetings. I have met some amazing people and really appreciate having other auditors I can bounce things off of.
Thanks Tara! It was great getting a chance to know you better!
{ regional news }

REGION 1
Director Julie Wilson
Director Internal Audit, iQ CU
360.992.4233
juliew@iqcu.com
No news for Region 1. Please contact Julie with questions.

REGION 2
Director Tara Tocco
Internal Audit Manager, Hughes Federal Credit Union
520-205-5744
TTocco@hughesfcu.org
No news for Region 2. Please contact Tara with questions.

REGION 3
Director Greg A. Czyzewski, CPA, CIA
AVP Internal Audit, Teachers Credit Union
574.284.6451
gczyz@tcunet.com
Region 3 News: This year’s regional meeting is scheduled for October 14, 15, and 16 at the Indiana Credit Union League offices in Indianapolis. I’m in the process of putting together an agenda. Details will be available at the National Conference in Boston.
Minnesota Chapter Info: The Minnesota chapter held its annual day-long meeting on May 8th at Wings Financial CU. Jeff Olejnik from Wipfli LLP kicked off the meeting with a presentation about managing IT risk. Brenda Benson from McGladrey, LLP followed with how to audit vendor management. Justin Robinson and Adam Bleck from CliftonLarsonAllen, LLP provided a short update on the top compliance issues credit unions face. After a good lunch, Ashley Shrode, Thrivent Financial CU, and Van Sprenger, TopLine FCU, discussed hurdles credit unions need to get over to fully implement an ERM program. Van Sprenger ended the day with a discussion on key components of an annual audit plan. Van Sprenger would like to thank the three vendors that provided presenters and Wipfli, LLP for providing breakfast.

REGION 4
Director Patrick McCollough, CIA, CISA, CRMA
AVP/Director of Internal Audit, Arkansas Federal Credit Union
501.533.2275
pmccollough@AFCU.org
No news for Region 4. Please contact Patrick for information.

REGION 5
Open
Position Open! Region 5 needs you!

REGION 6
Director Bobby Nichols
SVP - Audit Services, State Employees’ Credit Union
800.385.7014/919.8395338
Bobby.nichols@ncsecu.org
The Region 6 Meeting will be held October 7th – 9th, 2015 in Atlanta, Georgia hosted by Georgia’s Own Credit Union.
North Carolina Chapter Info: In attendance at the NC Chapter Meeting were representatives from 7 NC Credit Unions. A roundtable discussion was held with topics including Cyber Security, NCUA hot topics, Vendor Management, and Interest Rate Risk and independent testing. A representative from the Carolinas CU League shared information from a recent meeting with NCUA Region 3 Director Myra Toeppe. Tracy Dangerfield from TDC Consulting Services provided a demonstration on Vendor Management services to the group.
Georgia Chapter Info: The inaugural Georgia Chapter meeting, held at LGE Community Credit Union on Friday, April 24th was attended by 10 internal auditors representing 4 Georgia Credit Unions. The meeting opened with an informative Cyber security presentation by Sabrina Serafin, Partner of Frazier and Deeter, LLC. Over lunch the group had a collaborative discussion regarding the use or non-use of data analytics in internal audit, different risk assessment approaches, and sharing experiences from recent regulatory examinations.
Tennessee Chapter Info: The Tennessee Chapter of ACUIA held a meeting on April 17th at US Community Credit Union in Nashville, TN. In attendance were 15 representatives from 6 Tennessee Credit Unions and 1 Kentucky Credit Union. A roundtable discussion was held with topics including Unclaimed Property, Member Business Loans, RDC/Mobile Banking, Enterprise Risk Management, Cybersecurity, ALM, Branch Auditing, and NCUA hot topics. Auditors present shared audit programs, best practices, and beneficial resources with the group.
South Carolina Chapter Info: The SC ACUIA chapter met May 7, 2015. Jennifer Hoskins, partner with Nearman, Maynard, Vallez CPAs, spoke about cybersecurity and internal audit’s role in cybersecurity. The remainder of the meeting was for open discussion. Topics included NCUA exams, fair lending exams and audits, information security auditing including social engineering audits, member complaints, auditing online banking and mobile banking services, and audit and data mining software. There were 13 attendees representing 7 SC credit unions.
{ region directors }

REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: Greg Czyzewski, CPA, CIA, gczyz@tcunet.com
REGION 4: Patrick McCullough, pmcollough@AFCU.org
REGION 5: Open
REGION 6: Bobby Nichols, bobby.nichols@ncsecu.org
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Allen Lorti, alorti@sunwestfcu.org
CALIFORNIA CHAPTER: VOLUNTEER NEEDED!
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com

REGION 3
INDIANA CHAPTER: Jeff Watson, jwatson@iucu.org
MINNESOTA CHAPTER: Van Sprenger, vsprenger@toplinecu.com

REGION 4
NORTH TEXAS CHAPTER: Kimberly Wiersema, kawiersema@hotmail.com
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6
GEORGIA CHAPTER: Jason Alexander, jasona@lgeccu.org
NORTH CAROLINA CHAPTER: Staci Hutchinson, stacih@summitcu.org
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org
{ acuia select }
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.