Volume 24, Issue 3, 2015
The Magazine of the Association of Credit Union Internal Auditors, Inc.
ADDRESSING FRAUD RISK IN TODAY’S ENVIRONMENT
INTERNAL AUDIT: HAS YOUR PROGRAM CHANGED? | VULNERABILITY MANAGEMENT: RENEWING YOUR COMMITMENT | THE STANDARDS: AUDIT SUPERVISION
Go higher. Rocky growth. Compliance cliffs. Steep risks. You don’t have to make the ascent toward your financial institution’s goals alone. At Doeren Mayhew, our highly specialized Financial Institutions Group has helped more than 200 institutions like yours find opportunities to drive growth – from climbing toward enterprise risk management, to overcoming steep compliance challenges, to harnessing technology to stay relevant on new delivery systems. Simply put, we know the ropes. So whether your vision is to achieve new heights, or you need a rescue mission, you can always work in tandem with us. Call 248.244.3159 to start the climb.
Insight. Oversight. Foresight.® 248.244.3159 | doeren.com
{ contents }

FEATURES
10 Addressing Fraud Risk in Today’s Environment, by Cecil D. Maynard. In today’s constantly changing environment, frauds, embezzlements, and dishonesty have affected each and every credit union.
16 Has Your Internal Audit Program Changed?, by Robert E. Purdy. Remember in the 1990s when members came into your branches, loan terms were sealed with a handshake and closing the year-end financial statements lasted until 1 a.m.?
24 Renewing Your Commitment to Vulnerability Management, by Andrew Luke and Tim Gamble. Managing vulnerabilities in a Microsoft environment is more complex than in the past. The patching tactics of yesterday— click, apply, update, done— are no longer effective.

DEPARTMENTS
4 From the Editor: Transitions, Tabitha Ernst-Chadwick
6 Chairman’s Message: Areas of Emerging Focus for Internal Audit, John Gallagher
22 Where Are They Now? Q & A with Paul Kundart, Amy Schaefer
26 Information Security: Social Media and You: A Risk Assessment Primer, Tyler Butler, TrustCC
28 The Standards: New Professional Framework, Pat Richey
32 Member Spotlight: Karla Hodgkins
34 Conference Recap
36 Regional News
37 Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Tabitha Ernst-Chadwick Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284
© Copyright 2015, ACUIA. All rights reserved.
{from the editor}
TRANSITIONS
Tabitha Ernst-Chadwick, CIA, CFE, CISA, CBSAO, LRP, NCCO

This issue is full of articles to help us learn how to be better auditors and manage/create/sustain better audit departments. But what is on my mind these days is how to ensure an audit department is equipped for transitions. This has been on my mind for a number of reasons, then was solidified by a recent email I received from a colleague regarding a credit union that lost its internal auditor suddenly in a tragic accident.

Your internal audit department probably has some thorough policies, a copy of the IIA’s most up-to-date Standards, a robust library of audit plans, and a number of other resources to assist in completion of your annual audit plan. As auditors, we have schedules, plans, and documentation, and possibly even more documentation that explains the schedules, plans, and documentation. But if you ever got hit by the proverbial bus or (fingers crossed) win the Publisher’s Clearinghouse, is your audit shop aligned so that the next guy – who by the way may not know anything about internal auditing – can walk in and take over? Have you prepared a detailed roadmap to guide the next person to step in and take over in your stead?

If you are the CAE of a multi-person audit department, you may be more equipped for transition than the one-man-show audit department. But even very skilled auditors may not be ready to step in as CAE in a pinch. Have you really prepared them to take over in your unanticipated absence? Have you asked them if they feel they are up to the task?

If you are a one-person shop, this preparation is even more critical. When you are lounging on the beach in Tahiti enjoying your fruity umbrella drink, can management review your files and easily determine where you were on the annual/quarterly audit plan? Do they know where to find your continuous auditing resources? Can they navigate your filing system easily?

If you aren’t very fond of your management team and spent an inordinate amount of time dreaming of the day you can throw down your pencil and declare “I’m outta here!” then maybe this isn’t at the top of your list. But for those of you that work for credit unions like mine, that, while I may not choose them over the beach in Tahiti, I do feel compelled to make sure they will be well prepared when the Publisher’s Clearinghouse team finally knocks on my door.
2015 BOARD OF DIRECTORS
Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2014-2016
Vice Chair: Kara Giano, CIA, CIDA, CRMA, Golden 1 CU, kgiano@golden1.com, Term 2014-2016
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2015-2017
Secretary: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2015-2017
Director: Dana McCranie, CBA, CUCE, Empower FCU, (315) 477-2200 x5107, dmccranie@empowerfcu.com, Term 2013-2015
Director: Linda Goff, CUCE, Enrichment FCU, (865) 482-0045 x1201, lgoff@enrichmentfcu.org, Term 2013-2015
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015-2018
Director: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dwsenson2@wingsfinancial.com, Term 2015-2018
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015-2018
Associate Director: Doug Wright, CPA, CFE, CUCE, BSACS, Baxter CU, (847) 932-8765, doug.wright@bcu.org
Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com

ACUIA EXECUTIVE OFFICE, 1727 King Street, Suite 300, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
Over thirty-five years ago our firm began with just a handful of clients and a new concept...limiting the practice to serving only credit unions. We believed in the “people helping people” philosophy that the credit union industry was founded on. You might think as auditors our only goal is to ensure the financial statements we certify are materially correct. However, since 1979, our mission has been to provide quality, efficient, and professional services to the credit union industry. We offer our clients more than just audit services; we also serve as a resource and provide accounting expertise, operational knowledge, and compliance services.
To put our experience to work for your credit union, visit www.nearman.com or email us at info@nearman.com.
{chairman’s message}
AREAS OF EMERGING FOCUS FOR INTERNAL AUDIT
John Gallagher

Several months ago while preparing my annual internal audit plan I came across a recent white paper published by PwC entitled 2015 State of the Internal Audit Profession Study.

Not surprisingly to me, the writer stated that it is easy for internal auditors to remain with that which is familiar to them. I guess we too can become complacent in what we do and how we do it. However, given the ever changing business environment around us, it becomes increasingly difficult, if not impossible, to remain status quo. In doing so we run the risk of minimizing the value of the internal audit function. Based on this information I decided to read the Study further. It was stated that “internal audit leaders must find and stay focused on their “True North,” their ideal of how the audit function should operate to keep pace with the changes of their organizations and their critical risks.” So this got me thinking — what is my True North at the credit union and am I providing a high level of value? While I would like to have said yes, it did get me thinking about change. This is something we all should be doing.

Research has shown that, according to senior management and the Board, internal audit functions contributing value to their credit unions are those who are actively involved in the most impactful business imperatives, offer a proactive perspective on all business risks, and provide recommendations on how to mitigate risks before they occur. Interestingly, a recent survey of CAEs conducted by Grant Thornton identified the top three goals for internal audit as (1) improve efficiency of the internal audit function, (2) contribute more to the organization strategy, and (3) build talent and skills. Even more interesting is that during a meeting with my internal audit staff we identified very similar goals. So based on this information we set out to create four initiatives as part of the current year’s audit plan. These initiatives were summarized into areas defined as risk, talent (staffing), alignment, and data.

Risk: The idea of focusing on the right risk at the optimal time in the process is a critical component in determining the effectiveness of any internal audit function. While we have always (well almost always) taken a risk-based approach as part of the annual audit planning process, we must ask ourselves if we have placed focus on areas of emerging risks and not simply those currently rated as having the perceived higher risk value. It is imperative that internal audit begin to find a balance between our traditional approach (backward looking) and a more proactive approach (forward looking). Forward looking internal audit functions provide input on what to consider as the credit union evaluates a certain initiative decision or action, and identify potential risks and appropriate mitigating controls while the initiative is in process. This will lead to greater value provided to management as it enables internal audit to “be in the loop” or “have a seat at the table” for new projects/initiatives being undertaken throughout the credit union. Having internal audit engaged early to provide a differing perspective and more open discussion of risks and controls would benefit the credit union through the introduction of process and cost efficiencies.

Determination of which audits are included within a particular year’s plan has been based on the level of risk associated with that particular area. Those deemed with higher risk levels are often considered for review on a more frequent basis, typically annually. Factors often considered in the determination of audits for a plan include last audit date, previous audit rating and findings, portfolio size/volume, management control environment (control risk), business risk (financial loss or reputation), regulatory/compliance risk, information system environment, and organizational change (operational risk). The ongoing challenge for internal audit is how to effectively review an appropriate number of audit entities, identify the various risk concerns, and maintain a quality level of effort with current staffing.

Talent: As the complexities and diversification of products and services within credit unions continue to expand, the appropriate mix of skills and knowledge by internal auditors must also evolve and keep pace. In many credit unions the necessary skill sets have not maintained pace with emerging technology and operational level risks. This tends to result in lessening the perception of internal audit’s ability to complete the work required or to effectively communicate results across the organization. In today’s environment this has often resulted in either outsourcing or co-sourcing of audits. The question to each of us as internal auditors is whether this diminishes the perceived value of internal audit or is it a more cost effective way to complete the required number of audits given the limited resources or level of in-house experience/knowledge. In my opinion, internal audit departments should be allocating significant hours towards continuation of staff development rather than limiting training dollars. Proactively acquiring diverse skill sets, credentials, and further education needed to address the most critical risks of the credit union and aligning with organizational initiatives and risk/complexity profiles will result in a value add for internal audit departments.

Alignment: When it comes to aligning the internal audit function within the credit union it is important to define how the function interacts with other areas when it comes to keeping sight of the most significant risks. Most risk management models identify three lines of defense that, if and when aligned within the risk management process, language, and framework, serve to identify and mitigate risks, as well as help reduce audit fatigue. Business functions/owners are considered the first line of defense, ERM the second line, and internal audit the third. These three areas working together serve to increase efficiency and further the understanding of the risk environment. Of course specific alignment takes time to fully develop and is highly dependent on the information (risk assessments) conducted by and recorded within the ERM function. Internal audit leveraging the work performed within ERM, or risk management in general, would result in increased effectiveness and efficiency for internal audit. Again, this process takes some time to mature before internal audit can place full reliance on the information being presented. However, in time and with a full understanding internal audit will be able to adjust its focus and current methods of review with emphasis on risk and strategic objectives.

Data: The greatest efficiency that can be gained within internal audit comes with the ability to obtain, analyze, maintain, and create output of quality data. The terms data analytics and continuous auditing are not new to us but we often struggle with what it really means or how to go about implementing. If implemented properly, they can serve to assist internal audit in simplifying and improving the audit process through increasing efficiencies, reducing costs, and detecting errors and potential fraud sooner. The use of data analytical tools can fundamentally change and improve traditional internal audit approaches. While not easily achieved, developing a mature analytical process has the potential for benefiting the audit function in the long term through the ability to interpret data in a more effective way and allow internal auditors to zero in on specific areas of risk. This can ultimately result in the production of a more efficient, more effective, and higher quality internal audit with more informative data, while enabling improved strategic decision making by business owners.

While the four area tasks mentioned above are challenging and the initiatives complex, internal auditors should be diligent in their efforts to identify and incorporate emerging trends in our industry and avoid remaining status quo. While the internal audit department’s primary goal remains the safeguarding of credit union assets through the identification and analysis of associated risks within each audit entity, we must ensure that this is accomplished in the most cost effective and efficient manner, and with the best people and tools available. To fulfill this objective I encourage you to evaluate your current process with consideration of each of the four areas discussed above…risk, talent, alignment, and data. Doing so has the potential to result in a value add to you, internal audit, and your credit union.

CREDIT UNION SERVICES
As Unique as Your Institution
As every credit union is unique, so too are their needs. Orth, Chakler, Murnane and Company, CPAs (OCM) was founded with the objective of providing independent, professional audit and consulting services to credit unions of all size and complexity. Our approach to each audit and consulting engagement is to meet and exceed our client’s expectations. To accomplish this, our firm’s Partners, Managers and Supervisors work on site to provide our clients with access to our most experienced professionals. In addition, our professional staff are very familiar with credit union operations, internal control issues, regulatory and accounting requirements, and more. In other words, credit union personnel will not have to train our auditors. To learn more, please call our Managing Partner, Doug Orth at 888.676.3447.
Services: Opinion Audits; Supervisory Committee Audits; Pension/401(K) Audits; Consulting Services: Internal Audit Assistance, Information Technology Reviews, ATM/ACH Audits, BSA/OFAC Compliance Reviews; Tax Services: CUSOs, 990, 990-T; Supervisory Committee and Board Training
Orth, Chakler, Murnane and Company, CPAs, A Professional Association | MIAMI | DALLAS | CHARLOTTE | ocmcpa.com | Working exclusively with Credit Unions

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.
©2015 CliftonLarsonAllen LLP
RELATIONSHIPS BUILD BUSINESS. Strengthen your relationships by using advisors with a strong professional network.
Audit | Regulatory Compliance | Information Security
Dean Rohne | 800-657-4477 | CLAconnect.com
ADDRESSING FRAUD RISK IN TODAY’S ENVIRONMENT
By Cecil D. Maynard

In today’s constantly changing environment, frauds, embezzlements, and dishonesty have affected each and every credit union. The sophistication and ingenuity of frauds and embezzlements are on the rise. The 2014 Global Fraud Study released by the Association of Certified Fraud Examiners stated that:

“The industries most commonly victimized in their current study were the banking and financial services sectors.”

Based on the 2014 Global Fraud Study, anti-fraud controls contribute to a decrease in fraud schemes. This article will outline several areas of testing that internal auditors may want to consider as part of their internal audit plans. The regular review of specialized reports and establishing policies and procedures is an important part of a credit union’s internal control program. Reviewing specific reports and examining the highest risk areas can also serve as a fraud prevention tool. The following is a partial list of areas an internal auditor may want to implement and/or consider as part of the overall annual audit plan.

Policies and procedures for reporting fraud and/or the establishment of a hotline number: According to the 2014 Global Fraud Study released by the Association of Certified Fraud Examiners: “Tips are consistently and by far the most common detection method. Over 40% of all cases were detected by a tip — more than twice the rate of any other detection method. Employees account for nearly half of all tips that lead to the discovery of fraud.”

Because tips are the most common detection method, the credit union should consider the following at a minimum:
■ Ensure that the credit union has clear written policies and procedures for reporting fraud.
■ Ensure that the employees are aware of these policies and procedures.
■ Consider implementing a hotline phone number, which may be internal or monitored by an outside organization.
■ Communicate these policies and procedures on an annual basis to all employees.

File Maintenance Reports: File Maintenance reports are reports that detail changes to selected fields of a member’s loan, deposit account, or other personal information, normally reflecting a “before” and “after” change of information. The types of information changes that would appear on a file maintenance report include, but are not limited to, changes in name, interest rates, address, phone number, frequency of loan payments, loan due date changes, additional individuals added to selected accounts, etc. Testing of File Maintenance reports should include the following:
■ Check if changes were authorized.
■ Check if due date changes on loans were authorized.
■ Check if address changes were authorized.
■ Check if interest rate changes were authorized.
■ Check the frequency of changes to fields.
File Maintenance reports should be independently reviewed by someone who does not have the ability to make these types of changes. Depending on a credit union’s resources, file maintenance reports should ideally be reviewed on a monthly basis.

Supervisory Override Reports: Supervisory Override reports are reports that detail transactions that were permitted after obtaining a supervisory override. These types of transactions are usually “blocked” in the computer system; the system will not allow the transaction to proceed until a Supervisor “keys” in a code or physically turns a key at a terminal. Supervisory override controls are established to limit sensitive transactions and to ensure that credit union policies and procedures are followed. Some examples where supervisory overrides may be required include any type of access to dormant accounts, employee access to their own accounts, access to immediate family members’ or other employees’ accounts, placing no-mail codes on members’ accounts, and certain file maintenance changes such as loan due dates or interest rate changes (depending on the data processing system). Testing of Supervisory Override reports should include the following:
■ Check if the Supervisory Override reports are being independently reviewed.
■ Check if the computer system requires a manual input from a Supervisor, or if the requesting credit union employee can perform the override him/herself.
■ Check if the individual requesting the override is different from the Supervisor.
■ Check the frequency of the overrides to an account. Multiple overrides to an account could reveal problems and/or alterations of information over specific periods of time.
■ Check the frequency of overrides by a Supervisor or for any unusual combinations between Supervisors and credit union personnel.
As you can see, if Management has taken the steps to establish a Supervisory Override, then by its nature, the area has been identified as a sensitive area and should be monitored.

Dormant Accounts: Dormant accounts are defined as share accounts in which there has been no member generated activity for a specified period of time. Due to the nature of dormant accounts and the inactivity of these accounts, they are a prime target for fraudulent activity. Here are some helpful hints for auditing dormant account reports. A Dormant Account report is a report of all dormant accounts. The dormant account report could contain thousands of accounts, and therefore, to audit this listing, it could take the reviewer a long period of time. One suggestion which has reduced time for the reviewer is to generate a report of only those dormant accounts that have had recent member generated activity which are in the process of being removed from the dormant account report. Experience has demonstrated that this report is much smaller and will identify which accounts are no longer dormant. The reviewer can now test these accounts to determine if the transaction(s) were authorized. Also, make sure you test both withdrawals and deposits which resulted in the removal of the member’s account from the dormant status. It is not uncommon for the reviewer to only test withdrawals and not deposits. One favored technique that we have seen is that the fraudster will make a large deposit to a dormant account which removes the account from the dormant status, and once the account is not dormant, the fraudster will withdraw all funds. Credit unions should be aware that controls over dormant accounts should be periodically tested to determine that the controls are still in place. In our testing, we have noticed that a power surge, system update, or some other system change had removed the controls over dormant accounts. In addition, depending on who has access to the computer system, controls can change; therefore on-going testing of this area is recommended.

Loans Paid Ahead 2 months and greater: The objective of reviewing a Loans Paid Ahead report is to ensure the next payment due date is correctly stated and in accordance with the loan terms. The report is usually generated so that it includes all loans with a next payment due date two months or more into the future. Testing of the Loans Paid Ahead report should investigate the following at a minimum:
■ Payments made by the member which are greater than the scheduled payment
■ Advanced due dates with no recent payments
■ Small balances with no recent payments, which could indicate an attempted loan pay-off
■ Deficiency balance not charged off
■ Unauthorized loan due date advancements
■ Continuous due date changes to the same account
■ Continuous changes by the same employee
Bumping due dates is a popular way fraudsters keep loans from being reported on the delinquency list and therefore, the Loans Paid Ahead report should be periodically reviewed to detect any unusual next payment due dates. Additionally, if it’s the Board of Directors’ intention to allow loans to be paid in advance, this should also be conveyed in the written loan policy.

Review of Account Reconciliations: A reconciliation of each balance sheet general ledger account should be prepared to indicate the individual items that compose the general ledger account balance. When general ledger accounts are not reconciled, errors or frauds can go undetected for an unreasonable period of time, or not found at all. The following could be conducted in the review of completed account reconciliations:
■ Ensure the reconciliation was completed timely and prior to the closing of the accounting records for that month.
■ Ensure the account reconciliation was signed off by the preparer and the reviewer.
■ Ensure the reconciliation preparer and reviewer are not the same person.
■ Ensure all reconciling items are well described and dated to allow the tracking of how long items are outstanding.
■ Ensure that there are no old items on the account reconciliation.
We recommend each balance sheet general ledger account be reconciled on a monthly basis. Any old items, which have been researched and determined to be uncorrectable, should be written off. Having a process in place to ensure accounts are reconciled timely is important to the control environment. Account reconciliations should be well documented and a policy/procedure in place to address when accounts are to be reconciled and when old outstanding items are to be written off.

Employee and Official Loan and Share Statements: The review of employee and official accounts is considered a critical part of most credit unions’ internal audit plan. This review is important because it looks at the accounts of either those in a position of influence or those in control over credit union assets. The review should look at these individuals’ accounts for suspicious and/or unusual activity. In order to perform this review, you first need a report of all employees’ and officials’ accounts. This report should include loans and shares and share equivalent accounts. Testing of credit union statements should include investigating the following areas:
■ Large deposits.
■ Loan repayments without corresponding finance charges.
■ Unusually high amounts of activity in dollars and number of transactions.
■ Journal transactions, reversal of fees, and/or multiple transfers to other accounts.
■ Changing interest/dividend rates.
■ Check kiting.
■ Large draws or purchases and subsequent repayments.
Most of the areas of concern above are self-explanatory; however, there are certain transactions that might seem unusual but may be perfectly normal. These could include large deposits which could consist of IRS refunds, a new loan taken out at another institution, life insurance proceeds, or sale of property. Large deposits should be traced to the deposit slip and original check, if applicable. Journal transactions include transactions such as NSF fees, credit card advances, etc. If the reviewer sees a new loan on the employee or official statement, the loan file should be checked for proper documentation and approval. Check kiting involves frequent corresponding deposits and withdrawals in similar amounts throughout the month.
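The report tests above (Supervisory Override, Dormant Accounts, Loans Paid Ahead) are written as manual checks, but each is a rule that can be run over the report extract before the reviewer looks at it. The script below is an added example, not the article’s or the author’s code: the override, dormant-activity and loan rows are constructed sample data, and the thresholds (three overrides per account, a $1,000 “large” deposit, a 30-day window, 90 days without a payment) are assumptions a reviewer would replace with the credit union’s own policy values. It flags self-approved overrides, repeated overrides on one account and recurring requester/supervisor pairs; it lists every deposit or withdrawal that took an account out of dormant status (so deposits are tested as well as withdrawals) and separately reports the large-deposit-then-withdrawal sequence; and it flags loans whose due date was advanced without a payment that explains it or by a manual due date change.

```python
"""Rule-based tests over the Supervisory Override, Dormant Account and Loans
Paid Ahead reports discussed above. Added example, not the article's or the
author's code: every row is constructed sample data, and the thresholds
(repeat counts, what counts as a 'large' deposit, the look-back windows) are
assumptions a reviewer would set from the credit union's own policies."""
from collections import Counter
from datetime import date, timedelta

# Supervisory Override report rows (constructed): (account, requester, supervisor, date)
OVERRIDES = [
    ("1001", "teller_a", "sup_b", date(2015, 3, 2)),
    ("1001", "teller_a", "sup_b", date(2015, 3, 9)),
    ("1001", "teller_a", "sup_b", date(2015, 3, 16)),
    ("2002", "teller_c", "teller_c", date(2015, 3, 4)),  # requester keyed own override
    ("3003", "teller_d", "sup_e", date(2015, 3, 5)),
]

# Activity on accounts that were dormant before the first row shown (constructed):
# (account, date, kind, amount)
DORMANT_ACTIVITY = [
    ("4004", date(2015, 3, 1), "deposit", 5000.00),
    ("4004", date(2015, 3, 6), "withdrawal", 4950.00),
    ("5005", date(2015, 3, 2), "withdrawal", 40.00),
    ("6006", date(2015, 3, 3), "deposit", 25.00),
]

# Loans Paid Ahead rows (constructed): (loan, next_due, last_payment_date,
# last_payment_amt, scheduled_payment, employee who last changed the due date or None)
LOANS = [
    ("L1", date(2015, 9, 1), date(2015, 2, 20), 1200.00, 300.00, None),
    ("L2", date(2015, 8, 1), date(2014, 11, 15), 300.00, 300.00, "emp_x"),
    ("L3", date(2015, 4, 1), date(2015, 3, 1), 300.00, 300.00, None),
]
AS_OF = date(2015, 3, 31)  # report date for the constructed data


def override_exceptions(rows, repeat_threshold=3):
    """Self-approved overrides, accounts overridden repeatedly, and how often
    each requester/supervisor pair recurs (unusual combinations stand out)."""
    self_approved = [r for r in rows if r[1] == r[2]]
    per_account = Counter(r[0] for r in rows)
    frequent = {a: n for a, n in per_account.items() if n >= repeat_threshold}
    pairs = Counter((r[1], r[2]) for r in rows)
    return {"self_approved": self_approved, "frequent_accounts": frequent, "pairs": pairs}


def dormant_reactivations(activity, large_deposit=1000.00, window_days=30):
    """The first transaction that took each account out of dormant status,
    deposit or withdrawal alike, goes on the list to verify as authorized; a
    large deposit followed by a withdrawal inside the window is reported
    separately because that is the sequence the article warns about."""
    by_acct = {}
    for acct, when, kind, amt in sorted(activity, key=lambda r: (r[0], r[1])):
        by_acct.setdefault(acct, []).append((when, kind, amt))
    to_verify, suspicious = [], []
    for acct, txns in by_acct.items():
        first_when, first_kind, first_amt = txns[0]
        to_verify.append((acct, first_kind, first_amt))
        if first_kind == "deposit" and first_amt >= large_deposit:
            for when, kind, amt in txns[1:]:
                if kind == "withdrawal" and (when - first_when).days <= window_days:
                    suspicious.append((acct, first_amt, amt))
                    break
    return to_verify, suspicious


def paid_ahead_exceptions(loans, as_of, months_ahead=2, stale_days=90):
    """Loans whose next due date is advanced without a payment that explains it,
    or whose due date was changed by hand."""
    flagged = []
    horizon = as_of + timedelta(days=30 * months_ahead)
    for loan, next_due, last_paid, paid_amt, scheduled, changed_by in loans:
        if next_due < horizon:
            continue  # not paid ahead far enough to appear on the report
        reasons = []
        if paid_amt <= scheduled and (as_of - last_paid).days > stale_days:
            reasons.append("advanced due date with no recent payment")
        if changed_by is not None:
            reasons.append("due date changed manually by " + changed_by)
        if reasons:
            flagged.append((loan, reasons))
    return flagged


if __name__ == "__main__":
    print(override_exceptions(OVERRIDES))
    print(dormant_reactivations(DORMANT_ACTIVITY))
    print(paid_ahead_exceptions(LOANS, AS_OF))
```

The output of each function is a worklist, not a finding: the reviewer still traces each item to the authorization, deposit slip or loan file. The script only shrinks the thousands-of-rows report to the rows the article says deserve attention, and it should be run by someone without the ability to make the underlying changes, for the same independence reason the article gives for reviewing File Maintenance reports.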
Employee and Official Credit Card Statements: Another area, which is most often overlooked in the review process, is the examination of officials’ and employees’ personal credit cards. Testing of employee and official credit card statements includes, but is not limited to, a review of the following areas:
■ Large draws or purchases and subsequent repayments.
■ The official/employee’s credit line and changes to it.
■ Finance charges and reversal of fees.
■ Journal transactions (i.e., cash advance or payment on credit card at counter).
We have found that most credit unions are unaware of the exposure in the area of employee personal credit cards and do not include this area in their review. Recent trends show it is a common occurrence to see large draws from individual credit card accounts with subsequent payments to these accounts from unauthorized credit union transactions. In addition, do not forget to monitor file maintenance changes for these credit cards, since the credit cards could be off-system and not included in the file maintenance report for the credit union’s main computer system.
Credit union employees owe a fiduciary duty to the credit union to act in good faith in the performance of their duties. Most employees take their fiduciary duty seriously and perform their duties in accordance with the policies and procedures of the credit union. However, not all employees share this loyalty to the credit union. While the above procedures cannot guarantee that there will not be problems in the future, the items above are proactive measures that could aid the credit union in its ongoing operations. The review of the above areas by the credit union must be documented with tangible information and retained for subsequent review by the examiners and auditors in the future.
Testing the areas noted above may help in identifying a fraud, but knowing the operations at your credit union, its control environment, and the staff is critical to the success of an internal audit department. Internal auditors should consider the items above, but never forget that the audit plan needs to continually react to the ever-changing risk environment.
About the Author
Cecil D. Maynard III, CPA, MPA, FCPA, CFE, CFF
Cecil D. Maynard received his Bachelor of Accounting from Florida International University and his MPA (Master of Professional Accountancy) from Barry University. He successfully completed the requirements for the CPA (Certified Public Accountant) designation in the state of Florida, and has met the requirements of being a Certified Public Accountant in six other states. Cecil has earned the CFE (Certified Fraud Examiner) designation from the Association of Fraud Examiners. Cecil received this certification after an extensive application process and upon passing the uniform CFE Examination. Cecil has also met the requirements for certification as a Forensic Certified Public Accountant (FCPA). Forensic CPAs not only utilize their accounting and auditing skills, but also use their investigative skills to determine what events actually took place in a financial setting. In addition, Cecil has fulfilled all the established requirements of eligibility as required by the American Institute of Certified Public Accountants and has been granted the designation of being Certified in Financial Forensics (CFF). He has been with Nearman, Maynard, Vallez, CPAs, P.A. since 1990. As a Partner of Nearman, Maynard, Vallez, CPAs, P.A., Cecil is directly responsible for the firm’s credit union clients and the day-to-day management of the Miami office. In addition to being a Partner of the firm, he is also Chairman of the firm’s Quality Control Committee. The primary objective of the Quality Control Committee is to maintain and enhance the quality control standards of the firm through quarterly monitoring, annual inspections, and a triennial peer review. Cecil is also part of a team that manages the proposal process, ensuring that proposals meet client requirements and reflect any change in accounting or regulatory requirements. Cecil has assisted both federal and state chartered credit unions. This includes supervising and training the audit staff, planning and reviewing the audit engagements, and ensuring the audits are performed in compliance with regulatory pronouncements and professional standards set forth by the AICPA. Additional responsibilities include the presentation of audit results to the Supervisory or Audit Committees, Management, and Boards of Directors. Cecil has also conducted and supervised various fraud and fraud-related audits in the credit union industry. In addition, Cecil has also contributed to the American Institute of Certified Public Accountants publication of Checklists and Illustrative Financial Statements for Depository and Lending Institutions for Credit Unions. Cecil writes articles for the firm’s newsletter “The Auditor’s Report” and other publications on topics such as fraud, internal controls, quality control, and various accounting and auditing issues. “The Auditor’s Report” is distributed nationally. Cecil has conducted educational workshops at our Credit Union Conferences in the past, regional workshops, credit union chapter meetings, and at individual credit unions. Some of the topics include developing internal controls, fraud prevention, accounting and auditing issues, and cash counts and counterfeit detection.
Cecil is a member of the American Institute and Florida Institute of Certified Public Accountants, Certified Fraud Examiners, the Forensic CPA Society, the International Association of Financial Crimes Investigators, the Institute of Management Accountants, National Society of Tax Professionals, and the National Notary Association.
www.acuia.org | The Audit Report
Has Your Internal Audit Program Changed?
By Robert E. Purdy, CPA, CTFA
Remember in the 1990s when members came into your branches, loan terms were sealed with a handshake and closing the year-end financial statements lasted until 1 a.m.?
A lot has changed in financial services since the 1990s. Almost everything now is done electronically, data is stored and processed in the cloud, and members perform transactions through mobile devices. All this change in the last 25 years raises the question: “Has your internal audit program changed?” Regulatory agencies continue to update their expectations for risk management programs. It’s become such a point of emphasis that regulators are now focusing on credit unions’ risk management programs. While risk management has many components, a robust internal audit program is a foundational aspect of a solid risk management program. Internal audit programs can be diverse. You can insource, outsource or cosource your internal audit plan. You can spend a lot of time performing internal audit procedures for every activity in the credit union, or you can focus on high-risk areas. Regardless of your credit union’s approach, an efficient and effective internal audit program today cannot be the same program used 25 years ago. Here are three examples of “old” methodologies and practices:
Reperformance
Internal audit is about identifying risks in controls. Reperforming an activity only addresses its accuracy. It will not identify a weakness in a control. Many old internal audit programs still contain internal audit procedures such as, “Reconcile the loan trial balance to the general ledger.” Do you really want to pay an audit firm or your internal auditor to reconcile your general ledger accounts? Often, the procedure represents reperforming work already performed. The modern methods of performing internal audit procedures on reconciliations are multifaceted and include:
■ Agreeing the general ledger and subsidiary ledger to source documents
■ Determining whether the preparer and reviewer signed and dated the reconciliation
■ Assessing independence of the preparer and reviewer as to the respective accounts
The most important step is assessing the independence of the personnel responsible. A reconciliation can be completed accurately by personnel who are not independent, but the risk of having personnel who can post transactions to the respective account is one of the most important things for management and the board of directors to know. Why should internal auditors be so focused on segregation of duties? Because inadequate segregation of duties is the primary way fraud is perpetrated.
Risk Assessment
Most financial services personnel despise the phrase “risk assessment.” It’s understandable; credit union employees generally are required to perform a formal risk assessment prior to initiating any new activity, product or service. It’s also despised because employees generally perform a risk assessment anyway as part of the decision to initiate any new activity, product or service, even if it is informal. A risk assessment is a process; it’s not a document. Management always assesses risk, though they don’t always document the process and results. This is what truly matters. Your internal audit program should always be based on a comprehensive risk assessment. Without assessing the risks in the organization and allocating resources appropriately, you may end up auditing low-risk items more often than needed. Low-risk activities should be subject to internal audit, but not too frequently. An internal audit program should be risk-based. Higher-risk areas should be audited more frequently. Gone are the days of auditing everything every year.
Generalists
A major concern, especially with credit unions that have internal auditors on staff, is
whether personnel have the ability to perform some of the more complex areas of the internal audit plan. Information technology reviews, ACH audits and regulatory compliance reviews require specific knowledge and training to perform an effective internal audit. It’s highly unlikely one individual—internal or third-party—will have the skills to audit all of these and the general operational areas of the credit union. These are just three of the antiquated internal audit practices still living in financial institutions today. Now is the time to look at your internal audit program or question your internal audit provider and make sure your internal audit program has progressed out of the ’90s. For more information on internal audit issues, contact your BKD advisor.
About the Author
As a member of BKD National Financial Services Group, Bert brings more than 12 years of experience to the clients he serves. He provides a wide range of accounting, auditing and consulting services. Bert works with financial institutions ranging in size from fifty million to multibillion-dollar institutions. He manages the St. Louis office’s financial services consulting team, which provides internal audit services, SOX consulting, internal audit and information security risk assessments, asset liability management reviews, ACH audits, information technology audits, trust audits and loan review services. As a Certified Trust and Financial Advisor (CTFA), Bert is recognized as a leader in providing services to trust departments. He is a member of the American Institute of CPAs and Missouri Society of Certified Public Accountants. Bert is active in many Missouri and Illinois associations, is a facilitator of CBAI’s Operations and Technology Forums and has spoken at other CBAI seminars. In addition, he is on the board of the St. Louis chapter of The Risk Management Association (RMA), is chairman of the Young Professionals (YP) Affinity Group of RMA’s St. Louis chapter and is on the National YP Committee for RMA. He also has written articles for BKD publications. Bert is a 2000 graduate of Harding University, Searcy, Arkansas, with a B.S. degree in accounting. In 2007, he graduated from Cannon Financial Institute’s Personal Trust School.
{ where are they now? } Amy Schaefer
This is the last in a three-part series of Q&A interviews featuring ACUIA incorporators and long-term members. You will also see snippets of these interviews in upcoming ACUIA Facebook posts. Not following us on Facebook yet? What are you waiting for? Follow us on Facebook and Twitter to stay up-to-date on what’s happening with ACUIA, “Throwback Thursday” features, and more.
PAUL KUNDERT
This issue highlights Paul Kundert, President/CEO at UW Credit Union. Paul Kundert is one of the eight original incorporators of ACUIA. Today he is the President/CEO of the $2 billion UW Credit Union in Madison, Wisconsin.
Paul Kundert’s Background
Paul started his career as a CPA with McGladrey, and then became internal auditor at the Rochester, Minnesota-based IBM Mid America Employees Credit Union. He has been in his current position at UW Credit Union since 2003.
Why was it important for you to help create ACUIA?
When I started working as an internal auditor, there weren’t that many credit union specific resources available to help. Many credit unions were reaching a size in which it made sense to invest in an internal audit function. There were a lot of us traveling the same path, so it just made sense to find a way to network with each other and collaborate in sharing best practices.
What did you gain most as an ACUIA member?
It was very helpful to network with other audit professionals that were working to establish audit functions within their credit union. Through ACUIA, I gained a peer network. Many of us were hired to start an audit function in our credit union, and having a network to tap for information and advice made a big difference.
Tell us how being a member of ACUIA helped you get to the position you have today?
To get the next opportunity, it is important to excel in your current position. ACUIA helped me excel in the role of credit union internal auditor.
What advice do you have for our current ACUIA members?
Good communication skills are essential to sustaining success as an internal auditor.
What are your fondest memories of ACUIA?
Holding our first ACUIA conference stands out. The ACUIA was just starting as a new organization, and didn’t have any reserves to draw on. With only a shoestring budget we held our first conference in a suburb of Minneapolis. The response was great, and it really took off from there. There were some wonderful people who really worked to get ACUIA up and going. Terry McEachern, Anne Evenson Rajanen, Frank Weidner, and Jim Andrews all come to mind. Being elected President of ACUIA after Terry McEachern’s term ended was an honor for me. There wouldn’t be an ACUIA without Terry McEachern.
ACUIA celebrated our 25th Annual Conference & One-Day Seminar in June. What would you like to say to our current members?
The work you do is important to your credit union’s success. Do it well!
Don’t forget to follow ACUIA through social media!
About the Author
Amy Schaefer, CIA, CUCE, CUERME is Senior Internal Auditor at Royal Credit Union, ACUIA Social Media Committee Member and former ACUIA Board Member. She is a graduate of the University of Wisconsin – Eau Claire with a degree in accounting. Amy is married, has three sons and enjoys camping, cheering on the Packers and attending Brewers and Twins games (but when head-to-head has to root for the Brew Crew!)
RENEWING YOUR COMMITMENT TO VULNERABILITY MANAGEMENT
Managing vulnerabilities in a Microsoft environment is more complex than in the past. The patching tactics of yesterday—click, apply, update, done—are no longer effective.
By Andrew Luke and Tim Gamble, TrustCC
Today’s environments require diligent attention to the details of applying patches and working through the activation steps. Failing to do so will leave systems vulnerable. TrustCC has noticed an industry trend while evaluating vulnerability and patch management practices at a large number of its clients: administrators do not understand the patches they are applying. Initially, it appeared that some of the missing patches reported by vulnerability scanners were false positives, based on how often they were seen. A false positive is a finding from a vulnerability scanner that is incorrect. In our testing we applied the particular Windows system patches with patch management tools, yet the vulnerabilities again registered as present, as though no remediation had taken place. Upon deeper analysis, the vulnerability scanning tools and vendor patches were working as promised. It turns out that administrators were failing to complete the ad hoc, final steps to activate system patches. These final steps are easy to ignore, but are a vital part of the procedures used to manage patches and updates.
MS15-011 is a recent example of a vendor-issued patch that requires special steps to apply it. This critical security bulletin addressed a vulnerability in group policy that allows remote code execution on just about every Windows system released in the last decade. At the end of the executive summary, the authors point out: “to be protected from the vulnerability described in this bulletin, additional configuration by a system administrator is required in addition to deploying this security update.” A link is then provided with detailed instructions for the additional steps, which involve changes to the registry and group policy object deployment. When assessing the effectiveness of clients’ patch management, we found the majority of our clients are failing to apply the steps necessary to fully remediate the vulnerability. All patch management software we tested reported the patch as applied even though the extra steps necessary to remediate the associated vulnerability had not been performed. The patch management software will show a green status indicating patches are applied. Systems administrators expect reliability and accuracy from their patch management tools, yet in this example the patch tool falsely reports that the vulnerability related to the patch is addressed. More often than not, a systems administrator will chalk the results of subsequent vulnerability scans up as false positives. In reality, their systems remain vulnerable, proven by our technical team’s ability to exploit the vulnerabilities these clients believed they had addressed.
To address the root of this problem, our testing team recommends two patch and vulnerability management procedures be either reaffirmed or implemented into current practices. The first is simple: understand the patches that are being deployed. This means reading advisories and keeping an eye out for patches that require additional steps before a vulnerability is remediated. Click, apply, update, done is not a sufficient method for vulnerability remediation. Granted, this can be time consuming, but there is a significant difference between an administrator who clicks the patch button and one who can describe to you exactly what is being applied. The second procedure is one that our testing team has been recommending for a long time: use credentialed vulnerability scans to confirm that patches have been deployed properly and the associated vulnerabilities have been remediated. With regard to vulnerability scanners, some are vastly superior to others. There are three commercial scanners that continually perform the best. Send us an email and we will gladly have a conversation with you to share our opinions on the scanners on the market. Generally speaking, the “proprietary” scanners embedded in the appliances of some leading security companies often fall short. Organizations that practice these two procedures will be more secure. Internal audit can readily evaluate whether patch bulletins are reviewed by auditing the process. And internal audit can also evaluate the frequency and configuration of any vulnerability scanning performed.
*Note: this article was submitted by TrustCC. TrustCC was acquired by CliftonLarsonAllen on September 1, 2015
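The two procedures above (read the advisory, then confirm with a credentialed scan) can be joined into one triage step that refuses to call an open finding a false positive just because the patch tool shows green. The Python below is an added example, not TrustCC’s tooling or any vendor’s export format: the host names, the report layouts and the placeholder bulletin MS15-XXX are constructed, and only MS15-011 comes from the article. The description of its activation steps repeats the article’s wording (registry and Group Policy changes), not the bulletin’s exact instructions.

```python
"""Reconcile a patch-management status export against open findings from a
vulnerability scan. Added example, not from the article or TrustCC: hosts,
report layout and the MS15-XXX placeholder are constructed.
"""

# Bulletins whose advisories say the update alone is not enough. Kept by the
# person who reads the advisories; MS15-011 is the article's example and the
# text is the article's description of its steps, not the bulletin's wording.
NEEDS_ACTIVATION = {
    "MS15-011": "apply the additional registry and Group Policy configuration per the bulletin",
}

# Constructed patch-tool export: host -> bulletin -> status as the tool shows it.
PATCH_REPORT = {
    "fs01": {"MS15-011": "installed", "MS15-XXX": "installed"},
    "dc01": {"MS15-011": "installed"},
    "ws07": {"MS15-011": "missing"},
}

# Constructed scanner findings still open after the patch cycle. 'credentialed'
# records whether the scanner logged on to the host or only probed it remotely.
SCAN_FINDINGS = [
    {"host": "fs01", "bulletin": "MS15-011", "credentialed": True},
    {"host": "dc01", "bulletin": "MS15-011", "credentialed": False},
    {"host": "ws07", "bulletin": "MS15-011", "credentialed": True},
    {"host": "fs01", "bulletin": "MS15-XXX", "credentialed": True},
]


def triage_finding(finding, patch_report, needs_activation=NEEDS_ACTIVATION):
    """Decide what an open scanner finding means; never default to 'false positive'."""
    host, bulletin = finding["host"], finding["bulletin"]
    status = patch_report.get(host, {}).get(bulletin, "unknown")
    if status != "installed":
        return ("patch_missing", f"deploy {bulletin} on {host} (tool status: {status})")
    if not finding["credentialed"]:
        # A remote-only scan cannot see installed state reliably; confirm with a
        # credentialed scan before drawing any conclusion either way.
        return ("rescan_credentialed", f"re-scan {host} with credentials for {bulletin}")
    if bulletin in needs_activation:
        # Green in the patch tool but still reported: the update is installed and
        # the post-install configuration was never applied.
        return ("activation_steps_missing", f"{host}: {needs_activation[bulletin]}")
    # Installed, credentialed, still detected: a real gap to investigate on the
    # host (for example a reboot still pending), not a scanner error by default.
    return ("investigate", f"{host}: {bulletin} installed per tool but still detected")


def reconcile(findings=SCAN_FINDINGS, patch_report=PATCH_REPORT):
    """Group every open finding under the action it needs."""
    queue = {}
    for f in findings:
        disposition, action = triage_finding(f, patch_report)
        queue.setdefault(disposition, []).append(action)
    return queue


if __name__ == "__main__":
    for disposition, actions in reconcile().items():
        print(disposition)
        for a in actions:
            print("   ", a)
```

On the constructed data the file server that shows MS15-011 as installed but still scans vulnerable is routed to the activation steps, the domain controller finding is sent back for a credentialed scan before anyone decides anything, the workstation simply needs the patch, and the unexplained MS15-XXX finding is kept open for investigation. This is the same evidence internal audit can ask for when it evaluates whether bulletins are read and scans are credentialed.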
About the Author
The author(s) are a part of CliftonLarsonAllen’s Information Security Services Group and provide pen-testing, vulnerability assessments and general controls reviews for hundreds of credit unions throughout the United States.
{ information security } Tom Schauer and the TrustCC Team
Social Media and You: A Risk Assessment Primer
With our ever-increasing reliance on the Internet for interpersonal relationships, it comes as no surprise that the use of social media has gained steam for professional relationships as well.
By Tyler Butler, TrustCC
Any new form of relationship-building tool, especially a digital one, is prone to new forms of risk and must be considered carefully before reputational damage (or worse) is done due to carelessness.
The FFIEC, SANS Institute, NIST, and others have all issued guidance on appropriate use of social media to extract value while reducing risk. Here are a few key points to consider when assessing social media risk:
How official channels are managed
Social media can be a powerful and rewarding tool to connect with new and existing clients, but how these channels are managed can be cumbersome. It is up to your organization to determine the best approach to maintaining an official social media presence. Many organizations have an official Facebook and LinkedIn page, but Twitter, Instagram, Google+ and many others offer even more opportunities to connect with an audience. For example, if your organization will utilize an official Facebook page, who will have access to it? Marketing, human resources, executives, or some combination of business units? What will be posted? Upcoming community events, job postings, photos of staff? How will complaints be handled? There are an endless number of considerations to weigh before making decisions, and every organization is going to have different answers depending on what they consider worthwhile, their relationship with the community, and their ability to adapt quickly. Understanding the pros and cons of maintaining a social media presence is a critical component of making appropriate choices. Remember, it has always taken months or years to cultivate relationships with clients, but only seconds to destroy them — and social media has made that process even swifter.
Whether internal access is allowed
Blocking social media sites through a web-content filter has lately been the topic of a heated back-and-forth at many organizations, as management and IT departments clash with users over what seems appropriate. From an organizational standpoint, restricting access to users has a twofold benefit: users have less opportunity for distraction while at work, and the organization remains more technically secure, as these sites are often vectors for malware, file sharing, or other forms of inappropriate and undesired content. Users, however, counter that these sites can be useful as a stress release or for current events, or for use on breaks or other downtime. It is up to the organization to determine whether access to such sites will be technically restricted, for whom, and for what reason. There is not a one-size-fits-all answer, so management and IT should work together to determine the organization’s risk and an appropriate response.
How employees represent the organization
In all likelihood, your employees are connected to your organization on social media. Employees may follow an official company account; Facebook allows searching by employer, and LinkedIn is solely built around working relationships. It is therefore important for every employee to use professionalism and good judgment when using their personal social media accounts. Employees should remain mindful of confidentiality standards, copyrighted materials, and any other information that should not be disclosed publicly. Anything done by an employee, such as rude or derogatory language, inappropriate behavior, or intentionally harmful actions, could potentially be interpreted to represent the organization as a whole, regardless of intent. It is therefore important to coach employees on appropriate use of social media, and to have contingency plans in place in case an employee does cause reputational damage.
Protecting information online
The easiest way for an adversary to gain information about your organization is through social media. Your employees likely have multiple profiles across various sites, and depending on how privacy settings are configured, these could represent a treasure trove of information that can be leveraged against you. A successful social engineering attack oftentimes only needs information that is publicly visible by default: first and last name, and a job title. Did you know that Facebook offers a “View As…” option to see what your profile looks like to anybody else, including the public? Or that LinkedIn only displays detailed profile information depending on the viewer’s degree of separation from that profile? Many sites also offer a third-party API, allowing access to stored data even if it is not publicly visible. A recent example from Microsoft allows Facebook to extract and share WiFi credentials via the new WiFi Sense feature in Windows 10. This represents a potential risk if employees are permitted access to an internal wireless network, especially common in BYOD environments, and then share out the connection details to their friends. Social media sites change their security settings frequently, often with little notice or fanfare, so make sure that you and your employees know what to watch out for. Consider adopting a policy that all employees must monitor the privacy settings of their social media profiles to determine what is publicly visible and ensure that it is appropriate, and under no circumstances accept a connection request from someone they do not know personally. You may want to include a tutorial on how to perform basic defense measures during annual security awareness training - not only for the security of your organization, but also for your employees’ personal privacy and protection.
*Note: this article was submitted by TrustCC. TrustCC was acquired by CliftonLarsonAllen on September 1, 2015
About the Authors
The author(s) are a part of CliftonLarsonAllen’s Information Security Services Group and provide pen-testing, vulnerability assessments and general controls reviews for hundreds of credit unions throughout the United States.
{ from the editor } Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
{ the standards } Pat Richey, Retired
NEW PROFESSIONAL FRAMEWORK
On July 6th the Institute of Internal Auditors (IIA) released a revision of the International Professional Practices Framework (IPPF). The IPPF organizes the IIA’s guidance. The first layer of guidance is mandatory - the Mission, Definition, Core Principles, Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (Standards). The Mission and Core Principles are new elements of the IPPF. The second layer of the IPPF is Recommended Guidance. Like the mandatory guidance, the Recommended Guidance is formally approved and endorsed by the IIA. The Recommended Guidance is divided into Implementation Guidance and Supplemental Guidance. Implementation Guidance will replace the Practice Advisories, which help internal auditors apply the Standards. However, the Implementation Guidance will be more comprehensive. The former Practice Advisories remain in effect until new implementation guidance is promulgated. The Supplemental Guidance includes all Practice Guides, Global Technology Audit Guides (GTAGs), and Guides to the Assessment of IT Risks (GAIT).
Audit Supervision
Standard 2340 states that engagements/audits must be properly supervised to ensure audit objectives are achieved, audit quality is assured, and audit staff is developed. The January 2009 Practice Advisory (PA) 2340-1 for Standard 2340 still applies at this writing.
Proficiency, Experience, and Complexity
The amount of required audit supervision depends on the proficiency and the experience of the internal auditors, and audit complexity. For my whole credit union auditing career, I was the Chief Audit Executive for a 2-person audit department (including me); I only ever had 1 person to supervise. However, time spent supervising decreased the time I spent auditing, so it was important to me to have a staff auditor that did not require a lot of supervision. I had a mixed bag of experience when it came to supervising my staff auditors. Very early in my audit career, the staff auditor position was an under-paid, part-time position. The work was generally daily, weekly, and monthly monitoring, and checklist audits. I was able to hire a couple of women who had college degrees and business experience, but at that time in their careers only wanted part-time work due to child care issues. They did not have audit experience, but were very capable, and the work was not complex, so they required little supervision. I finally persuaded the credit union that the staff auditor position should be full-time. Unfortunately, the hourly wage did not increase. My college-degreed auditors did not want to work full-time, and particularly not at the low funding level. So, I ended up promoting a couple of tellers. Though I tried to hire the most proficient teller, audit proficiency and experience were negligible (except relating to branch operations). However, the work consisted of monitoring and routine audit procedures that, once learned, were easy to follow; so the required supervision was minimal. Finally a college student who had been tellering for the credit union graduated with a degree in accounting; internal audit got some additional funding, and this new college
graduate became the staff auditor. I thought that now the staff auditor could break out of the monitoring and check-list audits and go on to more complex audits; however, that would have required increased supervision. Unfortunately, this staff auditor liked monitoring and check-list audits and I had a hard time getting the auditor to broaden her horizons. She eventually transferred to credit union operations to do check-list loan reviews. However, one of the good things to come out of this experience was that going forward the credit union committed to funding the staff auditor at new-college-graduate salary levels. However, new college graduates are neither proficient nor experienced and may require substantial supervision. For many summers, I hired college interns to supplement our 2-person department, but all I was doing was supervising them and not doing any auditing myself, which was detrimental to the audit schedule rather than helping it. So I stopped hiring interns. I eventually hired an auditor with previous credit union auditing experience, and another one with 6 months CPA experience, but neither hire turned out to be particularly impressive. I was still doing all the thinking and writing all the audit programs. I wanted persons who could do their own thinking. My big break came when I hired a former attorney who had left law practice and was working for the credit union. She was very bright and capable and quickly became audit proficient. With her I did not have to do all the thinking, could leave her to develop her own audit programs, and conduct complex audits. However, this required more supervision than with persons who were just routinely following pre-written
audit programs. I envied the large audit departments, where the CAE could supervise without also having to complete their own audits.

Supervision Responsibility

The CAE has overall responsibility for audit supervision. However, the CAE can designate experienced internal auditors to review the work of less experienced auditors. This is generally going to apply to larger audit departments. Supervision is required from planning through audit report writing. However, supervision usually starts even earlier, with the hiring process. The CAE should ensure that auditors meet proficiency standards. To this end, the CAE should provide adequate training and conduct performance evaluations, as both are important elements of supervision in any job. The CAE should give sufficient planning direction, approve the audit programs and ensure that the approved audit program is completed. Also, the CAE is responsible for all audits performed by persons other than internal audit. The CAE should approve audit program changes, and review audit working papers to ensure that they adequately support audit observations, conclusions and recommendations. The CAE should review the audit report to determine that the report is accurate, objective, clear, concise, constructive and timely. Finally, the CAE must ensure that the audit engagement goals are met.

Professional Judgment

Most importantly, the CAE is responsible for all significant professional judgments made in any audits. PA 2340-1 says the CAE should have policies and procedures that minimize the risk that internal auditors (or others performing audit work) make professional judgments or take other actions that are inconsistent with the CAE’s professional judgment. If there is a difference of opinion on significant audit matters between the auditor and the CAE, it would adversely impact the audit. Therefore the differences must be resolved. Certainly the CAE and audit staff should have a good working relationship so that audit results can be thoroughly discussed in an amiable manner. If there is a difference of opinion, it is likely that more research or audit work would need to be performed.

Supervision Evidence

The supervisor must document and retain evidence of audit reviews. The PA states that the supervisor should initial and date each working paper after the review. Another option is to complete an audit working paper review checklist. This is closest to how I documented reviews. Our checklist was built into the audit program, and I initialed and dated each section of the audit program as it was completed and reviewed. Other acceptable techniques are to prepare a written narrative of the nature, scope and results of the review. For those using working paper software, there will be steps to evaluate and accept working papers and reviews.

Workpapers should be reviewed during the course of the audit, not when the audit procedures are fully completed. This ensures that audit work is reviewed and corrected timely, while the work is fresh in audit staff minds and while they are working with credit union staff. With network technology, workpapers are easy to review without disturbing the audit process.

Review Notes

Supervisors should make a written record of questions (review notes) arising from the review process. I did this within the audit program using a red font. The staff auditor would reply to the questions and comments in blue font, and/or correct the working paper. Each review note should be “cleared” or resolved before the supervisor signs off the working paper. The PA states that the working papers should provide adequate evidence that the questions are resolved. However, the PA allows for the alternative of discarding the review notes once resolved. We did not retain evidence of the review questions and answers. Once the questions were resolved to the CAE and staff auditor’s satisfaction and the working papers amended, I deleted the conversation from the audit program.

Often staff auditors will take information from credit union employees at face value, and never question what they are told. The supervisor must ensure that questions are asked until there are not any more questions to ask. Once the review notes are resolved, the auditor can discuss preliminary findings and conclusions with credit union staff and management.

In the April 2000 issue of Internal Auditor, Larry Hubbard’s Back to Basics article suggested that supervisor and auditor should sit down together and talk through the workpapers, rather than writing review notes. Although I am not sure that this meets the recommended guidance, Hubbard says that with a verbal review method less documentation is required to describe a situation, which sounds good to me. However, many review notes are simple fixes, and need not be discussed. Certainly, anything more complex needs to be discussed.

In general, audits must be properly supervised to ensure audit objectives are achieved, audit quality is assured and audit staff is developed.

About the Author

Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ member spotlight } Karla Hodgkins

For this Member Spotlight, I’d like to introduce Karla Hodgkins from CoVantage Credit Union in Wisconsin. Karla recently took on the position of Wisconsin Chapter Coordinator. And, as we conduct this interview, Karla also is enjoying a landmark birthday! Welcome to the club Karla! [that would be the club of “young and vibrant and getting better every year…” insert wink here]
So Karla, first, HAPPY BIRTHDAY! And second, let’s start the old fashioned way. Tell us a little about yourself.
I just turned 40 on Saturday and realize that I am not 21 anymore! I love my job and find it both challenging and rewarding. In my spare time, I love spending time with my family and friends. We (husband Bryan) have two boys; Bock is 6 and Breven is 4. During the summer months we spend most weekends at our cottage on Lake Buteau in Harrison Hills and love to go ATV riding on the local trails.

That sounds pretty cool. I imagine the winter months in Wisconsin really help you appreciate those summers! So let’s talk business. Tell us about your journey to internal audit.

Well, I’ve been in auditing for 15 years. After I graduated (BS in Accounting) I applied for the Internal Audit position here at CVCU. I had accepted a job offer from a CPA firm two days before I was offered the position at CVCU. I have never regretted my decision to work here.

Streamlining efficiencies and doing more with less seem to be topics that are always at the top of internal auditors’ minds. What have you found to be the most useful tools?
Technology! I have taken several IST courses to assist in auditing our various systems. Over the years I have learned to program my own computer code to allow for 100% testing in certain areas to identify errors or missing information. I’ve also created electronic work papers to allow for greater efficiency.

Wow! Do you offer that programming expertise to your fellow ACUIA members? (I’m only partially kidding – what a fantastic skill!!) Ok, sorry to digress, back to the interview. How have you seen our industry change over your 15 years, and what do you feel are our biggest challenges now?

NOMINATE A MEMBER! Do you know a member who should be featured in our member spotlight? Send nominations to Tabitha Ernst-Chadwick at acuia@acuia.org
There has certainly been an increase in regulatory oversight in several areas, especially mortgage lending and liquidity. I think the biggest challenge we face is keeping up with all the regulatory changes to ensure our audits are compliant with current state and federal laws.

What advice would you give to a new auditor just entering the field?

Although internal audit is independent and some people think the reason for auditing is to pick apart departments and processes, the truth is, we are here to offer a fresh look at various areas of the organization and add value by identifying areas of improvement.

What types of background/experience do you find to be most important when you are looking to hire additional staff?

I do like to see a background in accounting. Education is important; however, I would not pass someone up just because they do not have a college education. A lot can be said about someone that is ambitious and a quick learner.

So not too long ago you graciously agreed to take on the Chapter Coordinator position for the Wisconsin Chapter. Let’s talk more about your ACUIA history. How long have you been a member?
15 years
FUN FACTS ABOUT KARLA:
Favorite Magic Trick: We have a 4 year old black Labrador retriever named Luci. When Luci was two we began calling her Houdini. She has impressed us with her talents of escaping from a vehicle, kennel and can even open doors with her teeth to escape out of our house.
Favorite TV Show: I LOVE the show Hoarders and am absolutely amazed that people can live like that.
Psychological Disorder: I think I’m always right!

Which of our many membership benefits do you find to be the most rewarding?

Networking! The more contacts the better!
{ conference recap }

ANNUAL CONFERENCE & ONE DAY SEMINAR
Many thanks to the 200+ attendees at this year’s annual conference held in Boston. For those who were unable to attend, here is a brief summary.

After completion of the one-day seminars on Tuesday, the conference really got into the swing of things during the welcome reception that evening. Hosted by Todd Newton, attendees were entertained by our own version of a game of ACUIA Feud. While all in good fun, it was obvious some participants came to play! The evening was filled with fun and laughter.

The annual meeting was held during lunch on Wednesday and winners of the annual awards were announced. Congratulations to each of these individuals and credit unions!

After the sessions on Wednesday, many attendees headed out for one of the optional events with their peers. Over 125 of us attended the Red Sox game at Fenway Park. What a beautiful night it turned out to be. Other attendees opted for a guided tour on the Freedom Trail followed by dinner. Then on Thursday evening many took a sail around the harbor on an evening dinner cruise. Each of the events certainly provided attendees time to network with their peers.

During Friday morning’s general session we announced the location of the 2016 Annual Conference. We will be at the Peppermill Resort in Reno, Nevada on June 21 – 24, 2016. We hope to see you there!!
Congratulations to Our Award Winners!

TERRY McEACHERN INTERNAL AUDITOR OF THE YEAR
Patrick McCollough, Arkansas Federal Credit Union

CHAIRMAN’S AWARD OF EXCELLENCE IN SERVICE
Amy Schaefer, Royal Credit Union

PAT RICHEY ARTICLE OF THE YEAR
Doug Wright, Baxter Credit Union

BEST PRACTICE AWARD
1st Place: Fairwinds Credit Union. Runner up went to Bayport CU and Wings Financial CU.

Save the date! ANNUAL CONFERENCE, JUNE 21 – 24, 2016
BOARD ELECTION RESULTS
The Board election results were also announced. Congratulations to the following individuals, who were each elected to a three-year term beginning July 1, 2015. From left to right: Bobby Nichols, State Employees Credit Union (NC); Jill Meznarich, SchoolsFirst FCU; Dean Swenson, Wings Financial Credit Union.
{ regional news }

REGION 1
Director: Julie Wilson, Director Internal Audit, iQ CU, 360.992.4233, juliew@iqcu.com
No news for Region 1. Please contact Julie with questions.

REGION 2
Director: Tara Tocco, Internal Audit Manager, Hughes Federal Credit Union, 520-205-5744, TTocco@hughesfcu.org
Region 2 is having its conference October 1st and 2nd in Utah. The conference will be held at the America First Training Center in Sandy, Utah.

REGION 3
Director: Greg A. Czyzewski, CPA, CIA, AVP Internal Audit, Teachers Credit Union, 574.284.6451, gczyz@tcunet.com
No news for Region 3. Please contact Greg with questions.

REGION 4
Director: Patrick McCollough, CIA, CISA, CRMA, AVP/Director of Internal Audit, Arkansas Federal Credit Union, 501.533.2275, pmccollough@AFCU.org
No news for Region 4. Please contact Patrick for information.

REGION 5
Director: Open. Position Open! Region 5 needs you!

REGION 6
Director: Bobby Nichols, SVP - Audit Services, State Employees’ Credit Union, 800.385.7014/919.8395338, Bobby.nichols@ncsecu.org
The Region 6 meeting will be held October 7–9 in Atlanta, Georgia. Georgia’s Own CU is hosting the event, which will begin at noon on the 7th and conclude with lunch on the 9th. We have a great line up of speakers, and session topics include Auditing ALM Functions, NCUA Hot Topics, Cyber Security Audit Programming, BSA Compliance with Third Parties and Fair Lending. 12 CPEs are available for attendees. With my election to the Board, Region 6 will be getting a new Director. I’m pleased to report that Jason Alexander will be taking over the position.
{ region directors }

REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: Greg Czyzewski, CPA, CIA, gczyz@tcunet.com
REGION 4: Patrick McCollough, pmccollough@AFCU.org
REGION 5: Open
REGION 6: Jason Alexander, jasona@lgeccu.org
{ chapter coordinators } Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Allen Lorti, alorti@sunwestfcu.org
CALIFORNIA CHAPTER: VOLUNTEER NEEDED!
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com

REGION 3
MICHIGAN CHAPTER: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
WISCONSIN CHAPTER: Karla Hodgkins, khodgkin@Covantagecu.org
MINNESOTA CHAPTER: VOLUNTEER NEEDED!
INDIANA CHAPTER: Jeff Watson, jwatson@iucu.org

REGION 4
NORTH TEXAS CHAPTER: Kimberly Wiersema, kawiersema@hotmail.com
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6
GEORGIA CHAPTER: Jason Alexander
NORTH CAROLINA CHAPTER: Staci Hutchinson, stacih@summitcu.org
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org