ACUIA Audit Report, Volume 24, Issue 4, 2015

The Magazine of the Association of Credit Union Internal Auditors, Inc.

On the cover:
The Tawdry Ten: The Top Deficiencies in Audit Findings
Tales of a Dinosaur: How One Veteran Internal Auditor Keeps His Edge
Your Hidden Strength: Make Friends with Your Supervisory Committee
Managing Your Interest Rate Risk


RELATIONSHIPS BUILD BUSINESS

©2015 CliftonLarsonAllen LLP

Strengthening our connection to you by providing premier professional services.

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.

Dean Rohne | CLAconnect.com 800-657-4477 | Minneapolis


{ contents }

Volume 24, Issue 4, 2015
The Magazine of the Association of Credit Union Internal Auditors, Inc.

FEATURES

6 A Balancing Act. Having an effective interest rate risk management process. Kenneth M. Bishop

10 Tawdry Ten. The Top 10 deficiencies in audit findings from regulators and external auditors. Charlie Shannon

14 Tales of a Dinosaur. Longevity as an internal auditor can depend on following some very basic principles. Barry Lucas

18 Your Hidden Strength. The benefits of developing your relationship with the Supervisory Committee. Sam Capuano

DEPARTMENTS

2 From the Editor: Taking On the World. Tabitha Ernst-Chadwick

4 Chairman’s Message: A Quick Look Back and What Lies Ahead. John Gallagher

22 Information Security: Are You Adequately Evaluating IT Controls? Tom Schauer

26 The Standards: Communicating Results. Pat Richey

29 In Memoriam: Staci Hutchinson

30 Regional News

32 Region Directors and Chapter Coordinators

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick
Designer: Victoria Valentine

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street, Suite 300, Alexandria, VA 22314, (703) 688-2284.

© Copyright 2015, ACUIA. All rights reserved.


{ from the editor }

Taking On the World

Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

Once upon a time I could do it all – bring home the bacon and bake it up in a pan. Then, I had children. Whoa. Game changer. Forget “baking it up in a pan” – I was lucky to remember to bring it into the house! Fast forward a few years and now I’m taking on a new job, a new puppy (yes, a momentary lapse of judgement that resulted in a very long-term, very expensive commitment, many chewed-up shoes, and not-so-clean carpets...), and a new house, all at the same time. I’ve reached the point that my mountain of responsibility is so high that I don’t want to bother climbing at all; I’d rather ignore it and sit on the couch with a cupcake. So, when Issue 4 deadlines were approaching, I didn’t have time to even think of a topic, and certainly not actually put pen to paper, or I guess more literally fingers to keyboard.

What does this have to do with internal auditing, you ask? A lot, I think. Because in my 16+ years in internal auditing, there was never a dull moment; the theme was always “more” and over the years “more” was not even enough to explain everything we had to do. Internal audit has evolved into way more than looking at the accounting books. We still must be able to do that, plus count cash, evaluate operations and controls, assist with risk management, understand compliance, understand IT and cybersecurity, and the list gets longer every year. We must be able to take on the world, the credit union world at least, and help the credit union protect itself. And often we have to learn these tasks with little or no time to train.

Unfortunately, ignoring the mountain of work/responsibility in front of us is usually not an option. The boss still expects me to meet deadlines; the dog still wants to be walked; the children still expect to be fed; and the bills still have to be paid. So how to overcome the paralysis caused by the ridiculous workload? Well, I’m not quite there yet, but here is what has helped me so far. And I think this can apply to your audit world also:

Recognize the impossibility of the tasks in front of you. Sometimes you just cannot do it all. For go-getters like us, that is very hard to admit.

Ask for help. Find some trusted co-workers that have the skills to assist with pieces of your projects, or consider the value of outsourcing.

Celebrate each small victory. “Celebrating” likely (hopefully) has a different definition depending on whether you are celebrating a victory at work or home, so I will leave that to you to determine. Just make sure to give yourself credit for the small stuff.

Find your Grit. I attended an amazing leadership seminar this year that had so many valuable lessons that I can’t begin to tackle them in one article. But one of the lessons that applies to this particular challenge is about Grit. The session, presented by Bill Hybels, identified the #1 attribute in successful people as GRIT. It wasn’t IQ, experience, or education; it was that key characteristic of The Little Engine That Could that pushes us over the mountain despite the odds.

www.acuia.org | THE AUDIT REPORT

2015 BOARD OF DIRECTORS

Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2014–2016
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2015–2017
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2015–2017
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dswenson2@wingsfinancial.com, Term 2015–2018
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018
Director: Dana McCranie, CBA, CUCE, Empower FCU, (315) 477-2200 x5107, dmccranie@empowerfcu.com, Term 2013–2015
Director: Linda Goff, CUCE, Enrichment FCU, (865) 482-0045 x1201, lgoff@enrichmentfcu.org, Term 2013–2015
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018
Director: Doug Wright, CPA, CFE, CUCE, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2015–2016
Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com

ACUIA EXECUTIVE OFFICE
1727 King Street, Suite 300, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”


Strength. Is your credit union built to last? Staying competitive in today’s complex regulatory environment requires tighter controls, smarter procedures, and an advisor that understands your industry. Discover why more than 300 financial institutions across the nation turn to us to help them grow with confidence.

www.mossadams.com/cu

Opinion & Supervisory Committee Audits Internal Audit Outsourcing BSA/AML & Regulatory Compliance Tax Planning & Compliance IT Consulting Credit Review Services


{ chairman’s message }

A Quick Look Back and What Lies Ahead

John Gallagher, Chair

Here’s to 25 More


As I sit in my office today I reflect back and am finding it hard to believe that 2015 is for the most part already completed. It seems like the time has gone by so quickly that I find it difficult to even remember what happened or what occurred. Some would say that is because I am getting older and my brain doesn’t work as fast as it once did. I would simply state that it is because so much has changed over the past year.

Within ACUIA we continue to refine the products and services for each of our members and remain committed to our original mission of being the premier and quality provider of education and resources for credit union auditors. The Association in recent years has taken this a step further and incorporated credit union compliance officers, supervisory committee members, and most recently risk managers into this vision. As many of our individual credit unions continue, or simply begin, to incorporate enterprise risk management into their strategies, we as internal auditors must view this as an opportunity to significantly add value to our organizations. Internal audit should be seen as a resource and “subject matter expert” throughout this initiative as, despite evaluating risks and controls from opposite ends of the spectrum (traditional audit looking backwards and risk management looking forwards), the work and efforts of both groups share a common goal…ensuring the safety and soundness of the organization through the mitigation of risks. ACUIA recognizes this common perspective and is working towards better alignment and collaboration of both functions within our product and service offerings, including our annual conference, regional meetings, and webinar offerings.

Speaking of annual conferences, while we had another successful conference in Boston this year, ACUIA has already begun the planning process for next year’s annual conference to be held in Reno during the week of June 21 – 24, 2016. ACUIA hopes to bring back Todd Newton as our conference MC and perhaps another round of ACUIA Feud! (I know…the thought of getting up on stage in front of everyone is scary, but for those who attended you must agree it was filled with fun and laughter). The conference committee is currently being pulled together so specifics are not known as of yet, but I can tell you we are discussing a plan to shake up the session format of the conference a bit to provide even more value to the attendees. I hope to see you all there!!

The Board of Directors recently held a 2-day strategic planning event to discuss the challenges and opportunities which lie ahead. The Board identified numerous key initiatives and has already begun working on a few of them. While I am not currently prepared to outline or disclose these as of yet, I can tell you that we find them to be very exciting opportunities for the Association and our members. (I know… what a tease!!) Stay tuned for announcements and details. During the planning session the Board also had the opportunity to meet with NCUA Board Member Mark McWatters and Director of the Office of Examination and Insurance Larry Fazio. While there were no specific outcomes or deliverables from these conversations, we very much welcomed and appreciated the opportunity to discuss a wide array of topics with each of these NCUA leaders, while also further promoting ACUIA and the credit union internal audit profession as a whole.

Lastly, I would be remiss if I did not acknowledge the tireless work and dedication of two outgoing board members, Dana McCranie and Linda Goff. Having both served on the Board for the past six years, their terms will officially come to an end as of December 31, 2015. So on behalf of the Board and all ACUIA members, please join me in thanking both of these women for their volunteered leadership of ACUIA. I would also like to thank all of the current and past volunteer leaders (Board members, regional directors, chapter coordinators, and various committee members) for volunteering. Without you ACUIA would not be where we are today or achieve that which lies ahead. Thank you all for being part of ACUIA, and I am looking forward to a very exciting 2016!


Over thirty-five years ago our firm began with just a handful of clients and a new concept...limiting the practice to serving only credit unions. We believed in the “people helping people” philosophy that the credit union industry was founded on. You might think as auditors our only goal is to ensure the financial statements we certify are materially correct. However, since 1979, our mission has been to provide quality, efficient, and professional services to the credit union industry. We offer our clients more than just audit services; we also serve as a resource and provide accounting expertise, operational knowledge, and compliance services.

To put our experience to work for your credit union, visit www.nearman.com or email us at info@nearman.com.


A BALANCING ACT

Having an Effective Interest Rate Risk Management Process

KENNETH M. BISHOP, CPA

Managing interest rate risk is one of the most important responsibilities for credit union management and the board of directors. With interest rates expected to rise after several years of flat and historically low rates, have you taken a close look at your process for managing this risk?



An effective process can better prepare the credit union to develop prudent strategies in a changing environment. When reflecting on your process, the following are simple questions that you should be asking yourself.

Do our written policies clearly document expectations?

The credit union’s policy is the foundation of the process and should be approved by the board annually. It should establish lines of authority and include acceptable risk management strategies; identify meaningful tolerance limits; define allowable products, services, and activities; and determine how the measurement system and process are tested. As noted in the 2010 interagency advisory guidance, tolerance limits should be in place to ensure that positions exceeding certain predetermined levels receive prompt management attention. An appropriate limit system should permit management to identify exposures, initiate discussions about risk, and take appropriate action as specified in the policies and procedures. Credit unions must find a balance, establishing limits that are neither so high that they are never breached nor so low that they are routinely exceeded; a limit at either extreme tells management nothing.

Finally, the policy should identify relevant measurement scenarios for the credit union. There are a number of measurements that can be applied to monitor interest rate risk, which the board should understand and tailor to the credit union’s size and complexity. These can include parallel and non-parallel shocks; gradual shifts; dynamic or static conditions; along with the magnitude of rate increases and decreases over varying time horizons.

Have we identified and documented our key assumptions?

Credit unions are required to develop reasonable assumptions about how rates and member behavior react to changes in conditions. This can be a challenging task for many credit unions because rates have recently been historically low with little volatility. There are certain critical assumptions that should be addressed: key driver rates for each product; asset prepayment assumptions; and price sensitivity and decay rates of non-maturity deposits. At a minimum, your process should consider each of these assumptions and document them well. If possible, they should be supported by the credit union’s historical data. A common deficiency noted by credit union examiners is the use of unsupported or stale assumptions.

Are we doing enough to test our model?

There are three components to testing the model: the theoretical and mathematical accuracy of the model; variance analysis; and an independent review of the process. As most credit unions utilize standardized vendor software, the credit union should be receiving validations from the vendor to support the mechanics and mathematical calculations. When a vendor validation is received, it is still the responsibility of the credit union to review the results and conclude whether they meet the credit union’s standards of compliance. The second form of testing is variance analysis, commonly referred to as back-testing. The purpose of back-testing is to determine whether the results and the assumptions applied make sense and can be considered reliable. This involves comparing previous forecasts with actual results. This test can identify errors in the setup of the model or flaws in the assumptions, which is critical since the model results are used in developing strategies. Lastly, the credit union’s interest rate risk process should be subject to an independent review. This can be done in-house or by an outside consultant, such as BKD. The scope of an independent review should encompass all aspects of the interest rate risk management process, such as the accuracy of input information; assumption development; and output reporting, including variance analysis. Common findings related to independent review include the lack of annual testing, deficiencies in scope, and testing not performed by qualified individuals.

As the process and requirements for managing interest rate risk are comprehensive, this is just a small sample of things to consider when reflecting on your procedures. Ensuring an effective interest rate risk management framework is essential for a credit union’s sustained profitability and preservation of capital in an expected rising interest rate environment.
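The two tests the article describes, checking rate-shock results against board tolerance limits and back-testing prior forecasts against actual results, carried through in Python as an added example. This is not code from the article, from BKD, or from any vendor ALM model. The policy limits, the shock results, the forecast history, and the 25 percent breach-rate cut-off used to call a limit “routinely exceeded” are all constructed assumptions for illustration; a credit union would substitute its own policy and model output.

```python
"""Two tests from an interest rate risk review: a policy-limit check on rate
shock results and a back-test (variance analysis) of past forecasts against
actual results.

Added example, not code from the article or from any vendor ALM model. The
limits, shock results and forecast history are constructed for illustration.
"""
from statistics import mean

# Assumed board policy: maximum permitted percentage decline in net interest
# income (NII) and economic value of equity (EVE) for each parallel rate
# shock, in basis points.
NII_LIMITS = {-200: 10.0, -100: 5.0, 100: 5.0, 200: 10.0, 300: 15.0}
EVE_LIMITS = {-200: 20.0, -100: 10.0, 100: 10.0, 200: 20.0, 300: 30.0}

# Constructed model output (thousands of dollars). The EVE run omits +300 bp.
BASE_NII = 12_000.0
SHOCKED_NII = {-200: 11_400.0, -100: 11_700.0, 100: 11_900.0,
               200: 11_500.0, 300: 10_000.0}
BASE_EVE = 60_000.0
SHOCKED_EVE = {-200: 57_000.0, -100: 59_000.0, 100: 55_500.0, 200: 50_000.0}

# Constructed back-test history: (period, NII forecast, NII actual).
HISTORY = [("2014Q4", 2_900.0, 2_880.0), ("2015Q1", 2_950.0, 2_800.0),
           ("2015Q2", 3_000.0, 2_700.0), ("2015Q3", 3_050.0, 2_960.0)]


def pct_change(base, value):
    """Percentage change from base to value."""
    return (value - base) / base * 100.0


def check_shock_limits(base, shocked, limits):
    """Compare each modelled shock with its policy limit.

    Returns {shock_bp: {"change": pct or None, "status": ...}}. A shock the
    policy sets a limit for but the model did not run is reported as
    "not measured": a limit nobody measures can never prompt attention.
    """
    report = {}
    for bp, max_decline in sorted(limits.items()):
        if bp not in shocked:
            report[bp] = {"change": None, "status": "not measured"}
            continue
        change = pct_change(base, shocked[bp])
        status = "breach" if change < -max_decline else "ok"
        report[bp] = {"change": round(change, 2), "status": status}
    return report


def back_test(history, tolerance_pct):
    """Variance analysis of prior forecasts against actuals.

    Each period's variance is actual vs. forecast in percent. The mean signed
    variance exposes directional bias: actuals persistently below forecast
    point at an optimistic assumption (prepayment speeds, deposit decay)
    rather than random noise.
    """
    rows, raw = [], []
    for period, forecast, actual in history:
        v = pct_change(forecast, actual)
        raw.append(v)
        rows.append((period, round(v, 2), abs(v) > tolerance_pct))
    breaches = sum(1 for _, _, outside in rows if outside)
    return {"rows": rows,
            "breach_rate": breaches / len(rows),
            "mean_variance": round(mean(raw), 2)}


def limit_calibration(breach_rate):
    """Rule of thumb for the article's point that limits should be neither
    never breached nor routinely exceeded. The 25% cut-off is an assumption."""
    if breach_rate == 0:
        return "never breached"
    if breach_rate > 0.25:
        return "routinely exceeded"
    return "occasional"


if __name__ == "__main__":
    for bp, r in check_shock_limits(BASE_NII, SHOCKED_NII, NII_LIMITS).items():
        print(f"NII {bp:+} bp: {r}")
    for bp, r in check_shock_limits(BASE_EVE, SHOCKED_EVE, EVE_LIMITS).items():
        print(f"EVE {bp:+} bp: {r}")
    bt = back_test(HISTORY, tolerance_pct=5.0)
    print(bt, limit_calibration(bt["breach_rate"]))
```

Run as written, the NII +300 bp shock breaches its limit, the EVE report flags the +300 bp scenario as never having been measured, and the back-test shows every quarter’s actual below forecast with two of four outside the 5 percent tolerance, which is the pattern the article calls a stale or unsupported assumption rather than a one-off miss.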

About the Author

Ken Bishop is a member of BKD National Financial Services Group with approximately 15 years of experience participating in and managing financial services engagements with a focus on risk management services. His experience includes annual financial statement audits and reviews, internal control and regulatory compliance reviews, Bank Secrecy Act examinations and loan portfolio reviews and allowance consulting. He provides one-on-one and group training about regulatory and accounting issues, such as troubled debt restructuring, other real estate owned and loan loss allowance. He has led engagements for a range of entities subject to regulatory reporting requirements, including financial institutions, mortgage brokers and money service businesses. Ken is a member of the American Institute of CPAs (AICPA), Illinois CPA Society (ICPAS), Financial Managers Society and Aurora Regional Chamber of Commerce. He serves on the Easter Seals DuPage & Fox Valley Board of Directors and previously served on the PKF North America Financial Institutions Committee. He regularly attends AICPA, ICPAS and various association seminars about internal control, Bank Secrecy Act and regulatory compliance issues. He is a 2000 graduate of Illinois State University, Normal, with a B.S. degree in accounting.

Providing Services to Banks and Credit Unions Nationwide

Consulting Services: Tax Preparation and Consulting; Unrelated Business Income Taxation (UBIT); Operations Review; Risk Assessments; Vendor Management Review; Social Engineering Testing & Training; IT General Controls Review
Tony Coble 816.945.5524 • acoble@cbiz.com • www.cbiz.com

Audit & Attest Services*: Credit Union Opinion Audits; Supervisory Committee Agreed-Upon Procedures; CUSO Audits; Outsourced/Co-Sourced Internal Audit Services; SSAE 16 / SOC 1 Exam (“SAS 70 Audit”); SOC 2 & 3 Exams; SSAE 16 Readiness Assessments
Todd Hershberger 816.945.5148 • thershberger@cbiz.com • www.mhmcpa.com

*Mayer Hoffman McCann P.C. is an independent CPA firm providing audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider.

© Copyright 2015. CBIZ, Inc. and Mayer Hoffman McCann P.C. All rights reserved.


THE TAWDRY TEN

TOP 10 DEFICIENCIES IN AUDIT FINDINGS FROM REGULATORS AND EXTERNAL AUDITORS

BY CHARLIE SHANNON, CPA, PARTNER, MOSS ADAMS LLP

Most credit unions would rather avoid an audit deficiency, considering that deficiencies during the audit process are, at a minimum, a distraction for both management and the auditor. They can also be symptomatic of an ineffective internal control environment and raise concerns about a credit union’s ability to process, record, and report its financial information.


The worst case scenario: deficiencies can bring the audit or compliance process to a standstill and create tension among management, the supervisory committee, and regulators. Fortunately, many of the most common deficiencies can be avoided. As you review the top 10 issues, keep in mind that some commonalities across the board are:

■ Lack of internal controls
■ Insufficient support as far as documentation
■ Inaccuracies in reporting

THE TOP 10 AUDIT FINDINGS

1. Allowance for loan losses
2. System access controls
3. Segregation of duties
4. Accounting for compensation arrangements and accounting for investments
5. Impaired loan accounting
6. Foreclosure/repossession accounting
7. Internal control over financial reporting
8. Suspense/clearing accounts
9. Third party due diligence
10. Member business lending issues

It should come as no surprise that the allowance for loan losses is the number one issue where auditors and management spend the most time. One of the top problems is that loan and qualitative data isn’t accurate or complete. Lack of directional consistency is also a factor; we see this when credit unions continue to maintain elevated levels in the allowance for loan losses while there’s improvement in credit quality. This is often a challenge for both auditors and management alike, since regulators are supportive of higher reserves.

Implementing Key Controls

Take the time to look at your key controls and make some enhancements. There are other actions you can take now to help alleviate potential issues, such as involving your internal audit function to:

■ Expand your testing for underlying data in allowance for loan losses models, particularly when it comes to controls over access and changes to inputs.
■ Have larger sample sizes and alter the timing of the testing to allow for proper remediation efforts.
■ Identify the correct key controls to be tested, and focus on the level of precision.
■ Put greater emphasis on testing Information Technology General Controls.
■ Automate system reports when possible.
■ Consider third-party software solutions and loss data to support management’s ALLL estimates.

Best Practices

Best practices hinge on effective communication. Some guidelines to follow:

■ Communicate frequently with external auditors and regulators.
■ Seek active involvement of those charged with governance (supervisory committee).
■ Evaluate alternative treatment for complex and subjective accounting areas, and communicate the potential for changes.
■ Utilize financial statement disclosure checklists to ensure footnotes are complete and accurate.
■ Design and periodically test internal controls over financial reporting for operating effectiveness (including information technology).
■ Deploy internal audit resources to supplant corroboration of ALLL model inputs.

As pressure to improve audit quality continues, the standard-setters appear to be more risk-averse than they used to be, and this can make for a more rigorous audit process for credit unions. This doesn’t mean that credit unions should avoid the challenges that growth and changes in the regulatory landscape can have. Instead, preparers of financial statements should look to invest the appropriate resources in management, the supervisory committee, and the internal control environment to ensure annual reporting and compliance objectives are achieved in an efficient and effective manner. Only in this fashion can potential audit deficiencies be managed to an acceptable level.

About the Author: Charlie Shannon has more than 20 years of accounting experience. He focuses on serving financial institutions, leasing companies, payment processors, and other financial services companies. He can be reached at (972) 924-5120 or charlie.shannon@mossadams.com.
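Findings 2 and 3 on the list, system access controls and segregation of duties, and the first “Implementing Key Controls” bullet (controls over access and changes to ALLL model inputs) lend themselves to a repeatable test rather than a one-time walkthrough. The Python below is an added example, not code from the article or from Moss Adams: it runs three checks over an entitlement export and a change log from the ALLL model system. The role names, the CSV columns, and every log entry are constructed for illustration; a real engagement would use the exports the model vendor actually provides.

```python
"""Three audit tests over an ALLL model's access and change controls:
(1) the user held the role the logged action requires,
(2) every input edit carries a change ticket, and
(3) nobody approved their own edit and every edit was approved by someone.

Added example, not code from the article or from Moss Adams. The role names,
CSV columns and every entry below are constructed for illustration.
"""
import csv
import io

# Constructed entitlement export from the ALLL model system: user -> roles.
ENTITLEMENTS = {
    "jdoe": {"model_editor"},
    "asmith": {"model_approver"},
    "bwong": {"model_editor", "model_approver"},   # holds both: SoD conflict
    "rlee": {"report_viewer"},
}

# Constructed change log exported from the same system (assumed columns).
CHANGE_LOG = """\
ts,user,action,field,old,new,change_ticket
2015-09-30T16:02:11,jdoe,edit,qualitative_factor_econ,0.25,0.40,CHG-1041
2015-09-30T16:05:40,asmith,approve,qualitative_factor_econ,0.25,0.40,CHG-1041
2015-10-02T09:14:03,rlee,edit,historical_loss_rate_auto,1.10,0.95,
2015-10-05T11:30:22,bwong,edit,prepayment_speed,8.0,6.5,CHG-1050
2015-10-05T11:31:09,bwong,approve,prepayment_speed,8.0,6.5,CHG-1050
"""

CONFLICTING_ROLES = {"model_editor", "model_approver"}
REQUIRED_ROLE = {"edit": "model_editor", "approve": "model_approver"}


def sod_conflicts(entitlements):
    """Users whose entitlements let them both change and approve inputs."""
    return sorted(user for user, roles in entitlements.items()
                  if CONFLICTING_ROLES <= roles)


def review_change_log(log_text, entitlements):
    """Return a list of (timestamp, user, issue) findings from the change log."""
    findings = []
    edits = {}        # (field, old, new) -> (ts, editor)
    approved = set()  # keys of changes that received an approval
    for row in csv.DictReader(io.StringIO(log_text)):
        need = REQUIRED_ROLE[row["action"]]
        if need not in entitlements.get(row["user"], set()):
            findings.append((row["ts"], row["user"],
                             f"{row['action']} without {need} role"))
        key = (row["field"], row["old"], row["new"])
        if row["action"] == "edit":
            if not row["change_ticket"]:
                findings.append((row["ts"], row["user"],
                                 "edit without change ticket"))
            edits[key] = (row["ts"], row["user"])
        else:
            approved.add(key)
            if key in edits and edits[key][1] == row["user"]:
                findings.append((row["ts"], row["user"], "approved own edit"))
    # An edit nobody approved went into the model without a second set of eyes.
    for key, (ts, user) in edits.items():
        if key not in approved:
            findings.append((ts, user, f"edit to {key[0]} never approved"))
    return findings


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ENTITLEMENTS))
    for finding in review_change_log(CHANGE_LOG, ENTITLEMENTS):
        print(*finding, sep=" | ")
```

On the constructed data the script reports one entitlement conflict (bwong) and four log findings: an edit by a user with only a viewer role, that same edit missing a change ticket and never being approved, and bwong approving his own change. The entitlement check and the log check are deliberately separate, because a user can hold conflicting roles without ever exercising both, and a user can bypass the approval step without holding any conflicting role at all; the article’s point about testing both access and changes to inputs needs both views.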



Congratulations to ACUIA on 25 years of outstanding service to credit union audit professionals.

PBMares helps credit unions meet their fiduciary responsibilities and internal control objectives by providing:

■ Information Technology Assessments and System Reviews
■ Certified ACH Audits
■ Bank Secrecy Act Audits
■ Lending Reviews
■ Audit of Risk-Based Lending Programs
■ Branch and Operational Audits
■ Asset / Liability Management Reviews
■ Human Resource and Payroll Reviews
■ Assistance with Risk Assessment and Regulatory Compliance
■ Financial Statement Audits

Certified Public Accountants & Consultants

Proudly serving credit unions throughout the Mid-Atlantic region. For more information about PBMares, visit us online at www.pbmares.com.


TALES OF A DINOSAUR

BY BARRY LUCAS

The recent 25th anniversary conference gave me pause to think about the past of not just this great organization, but also my past history at my credit union. And since I was asked to write an article for this magazine, I decided to expand on my answers to a certain question that often comes up in the one-day sessions I teach with John Gallagher at the annual conference. That question is how I’ve survived this long in a profession involving quite a bit of turnover. Since they ask this question at the beginning of the session, I’m pretty certain they’re being sincere in wanting an answer (at the end of the session, they REALLY may want to know how I’ve survived this long). Here are some thoughts on why my shop has been successful over the years. While this may not work at your credit union, or at the multi-person shop, I think there’s some truth in these thoughts for every credit union internal auditor.



Develop Your Supervisory Committee This sounds so simple, but in actuality, is probably the most difficult task you might face. The committee is your protection. A good committee just doesn’t happen. All my committee members over the last 27 years have been talented, intelligent, dedicated people. And none of them knew anything about credit union auditing, including the ones with an accounting background. Our credit union has given me the task of educating them. The side benefit to this is you develop trust between yourself and the committee members. That trust comes in handy when trying to get recommendations accepted by the committee, or having them fight for the recommendations with management. An additional benefit of developing trust with committee members is that often at our credit union, those committee members become board members. And that trust then carries to that level. The majority of board members at my credit union started on my committee. It’s not unusual to see the comment in board minutes “Let’s pass this by Barry and see what he thinks.” That kind of trust makes your job easier. Develop a Relationship with Upper Management Based on Respect I’ve had two CEOs in my 27 years at my credit union. Both had different styles of management, and both have been successful in achieving the objectives of the credit union. And I got along fine with both CEOs. The reason we got along is I realized that they had a job to do managing the credit union, and my job was to make their job easier. We both have an interest in making sure that the risks facing the credit union are being addressed. But the CEO has the final say, because he or she has to live with the end result. If I have a recommendation that isn’t adopted, I’m fine with it as long as the CEO says he understands the risk,


and accepts it. I don’t have to win every battle. I also consult for the CEO on occasion. I do this because he trusts my opinion when it comes to controls and audit issues. He also includes me in the product development process so that the controls are in place from the very beginning, instead of having to be addressed after the fact. Again this makes both our jobs easier. And builds goodwill that can be used at other times.

Develop a Relationship with Department Management Based on Ability to Help Them For lower level management, I emphasize that I’m there to help them, not catch them doing something wrong. I don’t play “Gotcha.” Errors happen, and controls sometimes don’t work as intended (or at all), through no fault of their own. I also include compliments about their departments in my audit reports. By helping them, they’ll hopefully help me by passing on information about items before they become problems. Again, both our jobs become easier. Save the Audit Report for the Important Things Not all audit findings are equal in importance. My audit reports to the CEO and Board of Directors only include findings that are serious in nature, or have the potential to become serious issues in the future. I don’t clutter this report with listings of minor errors or adjustments that have already been corrected or will be shortly by department management. I will mention that there is a list of minor findings that is available if requested in my report, but usually it’s enough that it’s already being handled. I save my arguments for the truly important issues. Be Open to Recreating the Way You Do Things Many of the areas I identified 27 years ago for audit are still being au-

dited today. But not in the way we originally did it. Other than the obvious, the increased use of technology, we think differently about our approach. I’m much more risk focused about what gets audited, and the scope of the audit. Being a one auditor shop, I don’t have time to cover all the audit areas in a one year period of time. Myself, management, and the Supervisory Committee develop a practical, achievable audit schedule. This saves me from having to justify what I did and didn’t do each year. I’m also not shy about co-sourcing audit work. While I prefer to do all the work myself, often the payback is too little for the resources involved, especially if specialized skills are involved. I don’t do BSA, IT, and other specialized audits. But I do receive the reports and findings. I don’t care who does it as long as it gets done. Finally, try to think out of the box. I realized while reviewing expense reports for travel (my review is required for everyone’s travel at Desco) that the conference brochure is always attached. By looking at the brochure, I could tell what type of training our employees had received, including the sessions on fraud. Using this information, I often ask to review their material from the conference, so that I can see if Desco is at risk for the same fraud. It also sends a subtle message to the employee that I know what they’ve been trained to do.

Pick Your Fights

This may sound naïve, but I try not to get involved in other people’s battles, unless it involves an audit issue. I realized a long time ago that employees are sometimes not happy about certain policies or procedures. And sometimes I agree with them. But the board sets policy, and management creates the procedures. Management also makes certain decisions that really are not audit areas, like promotions, hiring, and firing. My role ends when those decisions fall within policy, and all the procedures were followed. I’ve used the phrase “It’s not an audit issue” many times to avoid getting sucked into personal battles of right and wrong. It’s not cowardice on my part, but I realize that I only have a limited amount of political capital at my disposal to get things done. I just choose to use it for audit issues.

These are just a few of the reasons I think I’ve survived this long in the profession and been successful. As I said above, this might not work for everyone, especially those internal auditors in charge of multi-person audit shops. My sympathy goes out to these audit managers, because I know how hard it is just to manage myself, let alone others. But you need to have a plan for success. This is mine. Hope it helps. To continue this conversation, or question my sanity, please contact me at barryl@descofcu.org. Let’s get a conversation going.

About the Author

Barry Lucas has served as the internal auditor for Desco Federal Credit Union since 1988. Desco FCU is a $250 million credit union located in Portsmouth, Ohio. Barry has been a member of ACUIA since the beginning of the organization. He has served as a presenter at the annual conference, as the chairman of the Election Committee for three years (which he is currently serving on again), and on the Board of Directors of ACUIA for nearly nine years. He has attended all of the annual conferences of ACUIA. Barry received his BA from Ohio State University, an MBA from Ohio University, and is currently ABD for his doctorate in accounting from Argosy University in Sarasota, Florida. In addition to working for Desco FCU, Barry also is a full-time professor of accounting at Shawnee State University in Portsmouth, Ohio. Barry is a licensed CPA in the state of Ohio, and is a CIA.

www.acuia.org | The Audit Report

Your Hidden Strength: Internal Audit and the Supervisory Committee

By Sam Capuano, CBA, CRP

The relationship between the credit union internal auditor and the Supervisory Committee has always been a critical component of effective risk management, even before the term risk management came into vogue about 20 years ago. The relationship has always been quite interesting as well.

Part of this is due to how the roles of both internal audit and the Supervisory Committee have changed at credit unions over the past 10-15 years. Further, the relationship between the two parties is quite different at credit unions than, say, between a bank auditor and her Audit Committee. One of the reasons for this is the difference in the makeup of the committees at banks (usually all board members) and credit unions (at most, one board member). Another, frankly, is due to the difference in how each committee, and internal audit, is viewed at banks and credit unions.

Let’s start with some basics. While many credit unions have only had an internal audit function in relatively recent times, Supervisory Committees have been around a lot longer. And they have their own handbook from the NCUA, Supervisory Committee Guide for Federal Credit Unions. This handy guide contains lots of good material for Supervisory Committees…and hasn’t been updated since 1999. Obviously much has changed during that period, yet it is still an excellent resource for new committee members. The general responsibilities of the Supervisory Committee are addressed in NCUA Rules and Regulations 715.3. The basic responsibilities, literally referred to that way, are:



a) Basic. The supervisory committee is responsible for ensuring that the board of directors and management of the credit union (1) Meet required financial reporting objectives and (2) Establish practices and procedures sufficient to safeguard members’ assets.

This requirement has also been unchanged since 1999, yet how the Committee meets these responsibilities has changed so much during that time, not to mention the importance both external auditors and examiners have placed on the Committee, and internal audit. For the Committee to be effective in achieving these responsibilities, and the more specific ones which follow in 715.3, it must have an effective, healthy relationship with internal audit. And, perhaps even more critically, the reverse must also be true for those of us in internal audit. But, is it?

My discussions with several credit union internal audit shops over the past five years would lead me to believe that for many this is not the case. This was underscored dramatically at a roundtable I moderated a few years ago at the ACUIA Annual Conference. Some of the situations discussed amongst auditors in the audience left many stunned. There were many internal auditors in quite a tenuous situation in their credit unions, and it seemed their respective Supervisory Committees were not there for them. In a nutshell, many CEOs were in control of the internal audit function. There are many reasons for that, but I believe it starts with internal auditor independence, or lack thereof. The Standards of the Institute of Internal Auditors (which we are all adhering to, right?) note in Attribute Standard 1100: “The internal audit activity must be independent, and internal auditors must be objective in performing their work.”


How is this independence best achieved? It needs to start with clear reporting authority between internal audit and the Supervisory Committee. Internal audit should be reporting functionally to the Committee, with a dotted line to the CEO. This reporting structure should be documented in an Internal Audit Charter, and the Charter then approved by the Committee. If you don’t have a Charter, develop one now; there is an excellent checklist to help one do so in the ACUIA “Shop Tools” at www.acuia.org.

The examiners want to see this independence as well. I was asked about my reporting structure every time the NCUA came calling. Indeed, the very first question in the NCUA AIRES questionnaire for “Internal Audit Review” asks, “Does the internal auditor report to and take direction from the supervisory committee, free from undue influence by management and/or the board?” The emphasis added to that question is mine. That can be a particularly difficult question to answer, at least honestly. When I hear stories like the ones mentioned above – and I do, a lot – the first question I’ll always ask is, “What did your Supervisory Committee have to say about this?” The frequent answer, disturbingly, is, “I don’t have direct access to the Chair.”

Now then to that relationship between internal audit and the Supervisory Committee. What should it be like? I always found a good way to have a good relationship with individual members was to start at the beginning. Whenever there was a new Committee member, I would spend a few hours with him/her in what was a quasi-orientation. I would provide the NCUA Supervisory Committee Guide, IIA Standards, and my credit union’s Internal Audit Procedures Manual and Internal Audit Charter.

Assuming you do have direct access to the Committee, how often should you communicate with them? It should be more frequently than at the Committee meetings, especially if your meetings are quarterly or semi-annual. Certainly if during the course of an audit a material finding is uncovered, a call or email to the Committee, or at least the Chair, is in order. During my dozen years at my credit union, I made several such calls to the Chair, who was appreciative.

Another way to strengthen this relationship is to have an occasional breakfast or lunch with the Committee Chair. Such get-togethers provide not only an opportunity to fill the Chair in on what is going on in internal audit and/or the credit union, but also serve as a relationship builder. Years ago, when I started having monthly lunches with my Chair, it improved our relationship, and made the Committee meetings run smoother.

Ah, yes, those Supervisory Committee meetings. They are necessary of course, so it behooves all involved to have them be as effective and efficient as possible. The usual suspects on the agenda are the audit reports. Most Committees don’t want to see the final reports until the response has been received. By the time this occurs, many of the items could be old news, so it’s a good idea for internal audit to give an interim status on audits in progress. Meetings are also the time to update the Committee on anything new happening in the credit union, such as new products or recent material personnel changes. Other needed meeting agenda items are the statuses of prior audit findings and the Internal Audit Plan. Having a tracking mechanism in place for both is a plus. Examiners have put an increased focus on these, and it’s something the Committee should be seeing anyway.

The aforementioned Internal Audit Plan should have been approved by the Committee prior to the beginning of each year. Towards the end of the 3rd quarter it’s a good idea to look at the Plan status and determine if everything will be finished by year end. Things tend to happen during the course of the year which get in the way of our best laid plans. The Committee should be told, around October or so, of any audits which may not be completed in the year. Come prepared with reasons why, as you’ll likely be challenged. Ensure any changes/deletions made to the Plan are included in meeting minutes so that you’ll have that to show in case examiners ask, and to cover yourselves.

One final note about the Committee meetings, and that’s the attendees. I once had an SC Chair who steadfastly refused to allow anyone from management, besides myself, in the meetings. While this may be a bit draconian, it at least allowed open discussion, free from that pesky undue influence discussed earlier. If members of management are regular invitees to the meeting, then there should also be an executive session at each meeting where it is just internal audit and the Committee. Having this as a regular agenda item could also mitigate some of the more controlling CEOs, also mentioned earlier.

All of this can help your jobs run that much smoother. Which is what everyone (well, at least those in internal audit) wants, right? For the Supervisory Committee to be effective in achieving its responsibilities, it must have an effective, healthy relationship with internal audit. And, perhaps even more critically, the reverse must also be true for those of us in internal audit.


About the Author

Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started the IA function in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.



Information Security

Are You Adequately Evaluating IT Controls?

Tom Schauer, Principal, CliftonLarsonAllen

The Internet and the Board Room are abuzz with the latest cyber threat. NCUA Chairwoman Debbie Matz and her colleagues at other regulatory agencies agree that cybersecurity is the number one threat facing financial institutions.

A common question asked of people in positions of power is what keeps them up at night. For Debbie Matz, the head regulator for 6,350 of the nation’s credit unions, it’s an easy answer: a cyber hacker sneaking in through a credit union vendor, cracking through to the larger U.S. financial system and wreaking havoc along the way.1

1 http://www.businessinsurance.com/article/20150309/NEWS06/150309854

While cyber threats may be the easy answer, executives and the Board are often either too busy with other credit union matters or ill-equipped to provide sufficient oversight. Most credit union executives are not well-versed in IT principles and processes. And most Boards and Supervisory Committees do not have members who are proficient in IT. When these conditions occur, internal audit becomes even more critical as the eyes and ears of the Board of Directors.

A quote from Joe Demarest of the FBI can be helpful to management and the Board: “The threat has reached the point that given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system accessible from the Internet.”2 Rather than looking at this quote as an inevitable forecast of the future, management and the Board can use the quote as a tool for oversight. Management and the Board should regularly ask IT management to provide written and detailed answers to the following two questions:

■ What is planned over the next 12 months to increase the time, motivation and funding that would be required to attack our systems and key vendors?
■ What is planned over the next 12 months to reduce the benefit of attacking our systems and key vendors?

IT could respond with a number of initiatives to increase controls such as:

■ implementing more consistent practices for deploying systems,
■ improving the process of addressing vulnerabilities identified by credentialed vulnerability scanning, or
■ implementing a new tool to make the management of unique passwords per system more manageable by employees.

And IT could respond with a number of initiatives to reduce the bounty of a would-be attacker such as:

■ improving controls to validate that ACH originations are not manipulated through the inherent flaws in the ACH file format and process,
■ deleting NCUA AIRES extracts once exams are complete, or
■ strengthening controls that detect and prevent the transfer of sensitive information outside the credit union.

2 http://www.justice.gov/iso/opa/ola/witness/05-08-13-fbi-demaresttestimony-re-cyber-threats.201385147.pdf

When management and the Board are challenged to provide effective IT oversight, internal auditors play a key role in evaluating and reporting on their credit union’s ability to thwart an attack. But even internal auditors can be uncomfortable with Information Technology and may not implement an independent and effective IT audit program. In fact, nearly 5 out of 10 internal auditors surveyed suggested that their IT audit programs are largely based upon recommendations from IT management. This is truly a case of the fox watching the hen house. Internal audit should be comforted by having a strong IT department but needs to rise to the occasion and provide an effective audit program to identify IT risks and evaluate IT controls. Below is a list of five key methods for identifying risks and evaluating IT controls:

1. Risk Assessments

Management is responsible for performing IT risk assessments, but internal audit should evaluate the risk assessments to verify they are performed in a thorough and accurate manner. After all, risk assessments are only as good as the effort put into them. While there are many risk assessments within NCUA and FFIEC guidance, the two most important to cybersecurity are addressed below.

GLBA Member Information Security Risk Assessment: The GLBA Member Information Security Risk Assessment has been required by 12 CFR Part 748 Appendix A since 2001. Shockingly, many credit unions do not have this risk assessment or have not updated the risk assessment in the past 12 to 24 months. The GLBA risk assessment must:

■ consider (document) reasonably foreseeable internal and external threats
■ document the controls that mitigate each threat
■ document the impact and likelihood of the threat given controls
■ conclude on the overall sufficiency of the controls

12 CFR Part 748 (aka GLBA for credit unions) also addresses testing the controls identified in the second bullet point above to verify they are acting as intended. To complicate matters, both vendors and examiners often misrepresent this risk assessment. Examiners often add requirements to document assets and inherent/residual risks. While these concepts are relevant, they are not addressed at all by 12 CFR Part 748. Vendors often misrepresent the differences between risk assessment and the tests of the controls identified in risk assessments. In either case, internal auditors need mastery of the requirements of risk assessment guidance so they are not misled.

FFIEC Cybersecurity Assessment: FFIEC Cybersecurity Assessment guidance was released in June of 2015. The announcement was accompanied by a tool that will help credit unions consistently evaluate cybersecurity controls and practices, and the tool will be used as an examination aid. While not officially mandatory, credit unions are encouraged to use the tool (or one very similar) to assess the inherent risks and maturity of their cybersecurity program. The maturity model component of the tool features 500 independent statements about a cybersecurity program grouped by domains and sub-domains. Each of these statements is either true or false. The statements are also grouped by maturity levels ranging from baseline to innovative.3 A credit union’s maturity is measured as the most advanced maturity level of which all statements are true. The biggest weaknesses of the Cybersecurity Assessment Tool will be inconsistency in how it is completed and a missing validation component to verify the statements are accurately evaluated.
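The maturity rule just described, worked through in code as an added example (it is not the article’s code and not the FFIEC tool itself): given declarative statements tagged with a domain and a maturity level, the routine reports the level attained in each domain and the statements that block the next level, which is exactly what a validating auditor wants to see. The statement texts are constructed samples, and the cumulative reading of the rule (a level counts only when every statement at that level and at all lower levels is true) is my assumption.

```python
"""Added example (not from the article or the FFIEC tool): computing a domain's
maturity level from Cybersecurity Assessment Tool style declarative statements.

Assumptions (mine): the five maturity levels are ordered Baseline < Evolving <
Intermediate < Advanced < Innovative, and a level is attained only when every
statement at that level and at all lower levels is true (cumulative reading of
"the most advanced maturity level of which all statements are true").
The statements below are constructed samples, not text from the FFIEC tool.
"""
from collections import defaultdict

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample answers: (domain, level, statement, answered_true)
STATEMENTS = [
    ("Cyber Risk Management", "Baseline",
     "An information security policy exists and is board approved.", True),
    ("Cyber Risk Management", "Baseline",
     "A risk assessment is performed at least annually.", True),
    ("Cyber Risk Management", "Evolving",
     "The risk assessment covers third-party connections.", True),
    ("Cyber Risk Management", "Intermediate",
     "Risk assessment results drive the internal audit plan.", False),
    # True, but it cannot count until the Intermediate gap above is closed.
    ("Cyber Risk Management", "Advanced",
     "Risk metrics are trended and reported to the board.", True),
    ("Cybersecurity Controls", "Baseline",
     "Systems are patched within a defined timeframe.", True),
    ("Cybersecurity Controls", "Baseline",
     "Anti-malware is deployed on all workstations.", False),
    ("Cybersecurity Controls", "Evolving",
     "Credentialed vulnerability scans run at least quarterly.", True),
]


def maturity_by_domain(statements):
    """Return {domain: (attained_level or None, blockers)}.

    blockers lists (level, statement) for the false statements at the lowest
    level that is not fully true, i.e. what must change to advance one level.
    A level with no statements ends the evaluation, since it cannot be judged.
    """
    by_domain = defaultdict(lambda: {lvl: [] for lvl in LEVELS})
    for domain, level, text, answered_true in statements:
        if level not in LEVELS:
            raise ValueError(f"unknown maturity level: {level}")
        by_domain[domain][level].append((text, answered_true))

    result = {}
    for domain, per_level in by_domain.items():
        attained, blockers = None, []
        for level in LEVELS:
            answers = per_level[level]
            if not answers:
                break
            false_ones = [text for text, ok in answers if not ok]
            if false_ones:
                blockers = [(level, text) for text in false_ones]
                break
            attained = level  # every statement here and below is true
        result[domain] = (attained, blockers)
    return result


if __name__ == "__main__":
    for domain, (level, blockers) in maturity_by_domain(STATEMENTS).items():
        print(f"{domain}: {level or 'below Baseline'}")
        for lvl, text in blockers:
            print(f"  blocked at {lvl}: {text}")
```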

2. Credentialed Vulnerability Scanning and Related Actions

Management is responsible for keeping systems free from known vulnerabilities and insecure configurations. The very best category of tool for evaluating systems for vulnerabilities and misconfigurations is the vulnerability scanner. Three scanners are routinely rated as best: Nessus, Nexpose, and Qualys. This author endorses Nessus. Internal audit should regularly evaluate management’s use of vulnerability scanners through the following two activities:

■ Verify that scanning is performed using domain administrator credentials. This method reduces scanning time and the impact of scans on the network, and greatly improves the accuracy of the scan results.
■ Evaluate the process and practices used by management to ensure that identified vulnerabilities are either addressed in a timely manner (within 15 to 45 days of discovery) or accepted through written documentation and approval.

3 Page 3 of https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_CEO_Board_Overview_June_2015_PDF1.pdf
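As an added example of the two activities above (it is not the article’s code and not any scanner vendor’s), the following Python check applies the 15 to 45 day expectation to an exported list of findings: it flags findings that came from uncredentialed scans, fixes that landed late, and open items that have neither been closed in time nor covered by a valid written acceptance. The findings, the audit date AS_OF, and the per-severity deadlines in SLA_DAYS are constructed assumptions.

```python
"""Added example (not from the article): an audit check over vulnerability
scan findings that applies the article's remediation expectation, i.e. each
finding is either fixed within 15 to 45 days of discovery or formally accepted
in writing with approval.

Assumptions (mine): findings have already been exported from the scanner into
the simple dict records below (constructed sample data, not real scan output);
the per-severity deadlines in SLA_DAYS are a constructed policy chosen inside
the article's 15 to 45 day range; a risk acceptance counts only if it names an
approver and has not expired.
"""
from datetime import date

# Constructed policy: days allowed from discovery to remediation, by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 45}

# Constructed audit date used when judging open findings.
AS_OF = date(2015, 10, 15)

# Constructed sample findings. A real export would come from Nessus/Nexpose/Qualys.
FINDINGS = [
    {"id": "F-1", "host": "fileserver01", "severity": "critical",
     "credentialed_scan": True, "discovered": date(2015, 8, 1),
     "remediated": date(2015, 8, 10), "acceptance": None},
    {"id": "F-2", "host": "branch-pc-07", "severity": "high",
     "credentialed_scan": True, "discovered": date(2015, 8, 1),
     "remediated": None, "acceptance": None},
    {"id": "F-3", "host": "legacy-app01", "severity": "medium",
     "credentialed_scan": True, "discovered": date(2015, 7, 1),
     "remediated": None,
     "acceptance": {"approved_by": "CIO", "signed": date(2015, 7, 20),
                    "expires": date(2016, 7, 20), "reason": "vendor fix pending"}},
    {"id": "F-4", "host": "webproxy01", "severity": "high",
     "credentialed_scan": False, "discovered": date(2015, 9, 1),
     "remediated": date(2015, 9, 15), "acceptance": None},
    {"id": "F-5", "host": "dc01", "severity": "critical",
     "credentialed_scan": True, "discovered": date(2015, 9, 1),
     "remediated": None,
     "acceptance": {"approved_by": "", "signed": date(2015, 9, 2),
                    "expires": date(2015, 9, 30), "reason": "n/a"}},
]


def acceptance_is_valid(acc, as_of):
    """A written acceptance counts only if it names an approver and is unexpired."""
    return (bool(acc) and bool(acc.get("approved_by"))
            and acc.get("expires") is not None and acc["expires"] >= as_of)


def audit_findings(findings, as_of, sla_days=SLA_DAYS):
    """Return a list of audit exceptions, one dict per problem found.

    Exception kinds:
      uncredentialed_scan - finding came from a scan run without domain admin creds
      late_remediation    - fixed, but after the severity's deadline
      overdue_open        - still open past the deadline with no acceptance on file
      invalid_acceptance  - acceptance present but unapproved or expired
    """
    exceptions = []
    for f in findings:
        deadline_days = sla_days.get(f["severity"], max(sla_days.values()))
        if not f["credentialed_scan"]:
            exceptions.append({"id": f["id"], "kind": "uncredentialed_scan"})
        fixed = f["remediated"]
        if fixed is not None:
            if (fixed - f["discovered"]).days > deadline_days:
                exceptions.append({"id": f["id"], "kind": "late_remediation"})
            continue
        age = (as_of - f["discovered"]).days  # still open
        if age <= deadline_days:
            continue  # inside the window; nothing to report yet
        if f["acceptance"] is None:
            exceptions.append({"id": f["id"], "kind": "overdue_open", "days_open": age})
        elif not acceptance_is_valid(f["acceptance"], as_of):
            exceptions.append({"id": f["id"], "kind": "invalid_acceptance", "days_open": age})
    return exceptions


if __name__ == "__main__":
    for e in audit_findings(FINDINGS, AS_OF):
        print(e)
```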

3. Penetration Testing

Penetration testing is also frequently misunderstood or misrepresented by vendors. The primary purposes of penetration testing are to demonstrate the potential impact of a targeted attack and to evaluate incident detection and response. To be most beneficial, penetration testing should closely simulate an actual attempted breach. And given that a breach will be a surprise to those responsible for detection and response, so should an effective penetration test be. Internal audit should contract with a reputable firm for penetration testing, and the timing and nature of the test should not be known by those responsible for detection and response. It is therefore critically important for internal audit to be onsite during this testing and be able to monitor incident detection and response activities so they do not result in a response that impacts member service or excessively wastes limited IT resources. Penetration testing most closely simulates an actual breach when it is initiated through social engineering or when it starts from an employee’s workstation that is assumed compromised by social engineering. In this approach the activity of the attacker will be partially masked by and attributed to the employee whose workstation is compromised. Internal audit should verify that penetration testing truly simulates a breach and that management receives a report on the penetration testing performed. And with the frequency of breaches on the rise, many credit unions are now contracting for penetration testing one to four times per year.

4. Vulnerability Assessment

Vulnerability Assessment complements penetration testing by being collaborative and as comprehensive as possible. Like looking for needles in a haystack, vulnerability assessments are less accurate when sampling is used and testing is limited to a subset of systems. And unlike penetration testing, effective vulnerability assessments require IT participation. For the most comprehensive assessment, IT will need to allow access onto the network, will need to provide configuration and practice documentation, and will need to show the tester various consoles such as those used to manage patching, anti-virus, and more. Do not be concerned if your security testing partner requests that some controls be disabled to facilitate testing. Because effective security is the composite of multiple layers of controls, some “outer” layers need to be stood down (disabled) in order to evaluate “inner” layers. Internal audit should evaluate the depth and breadth of the vulnerability assessment testing that will be provided by potential testing partners. Making sure that all systems are evaluated and all key stakeholders are present for the assessment is critically important.

5. General Controls Review

The final area of testing is often referred to as General Controls Review (GCR). A GCR evaluates many non-technical controls that contribute to security. For example, a GCR evaluates vendor management, physical security, Board oversight of security, core and network access administration, and information security policies. Given sufficient training and experience, many GCR control tests could be performed by internal auditors either as a dedicated audit or as a part of regular branch and departmental audits. Internal audit leaders should provide for training so that auditors can, at a minimum, follow up on GCR findings.

These five key methods for identifying risks and evaluating IT controls will not provide a guarantee that a cybersecurity event will be avoided, but if performed with rigor they will greatly reduce the likely impact should an event occur. Keep in mind that when being chased by a bear, you need not outrun the bear. You only need to outrun the others being chased by the bear. Internal audit can help avoid a breach by making sure that your credit union is more secure than others. In conclusion, internal audit must not allow discomfort with IT and IT controls to limit its responsibility to be the eyes and ears of the Board of Directors.

About the Author

Tom Schauer, Principal, CliftonLarsonAllen; CISA, CISSP, CISM, CRISC, CTGA, CEH. Tom has been practicing in IT security, audit and compliance since 1986. Tom started his career in the role of Security Analyst and BCP coordinator for a $3.5B regional bank. He later led Deloitte’s IT Audit and Security Assessment team on the West Coast and in this capacity performed Technology Audits for Washington Mutual, Bank of America, American Express, Boeing, Starbucks and many other Fortune 500 organizations. In 2000, Tom recognized that community banks and credit unions facing GLBA and other IT security regulations were under-served by existing consulting firms. He founded TrustCC to specifically address this need. TrustCC has performed thousands of security assessments and IT audits for hundreds of financial institutions.

TrustCC is best known for its technical penetration testing capabilities. Using the same techniques as actual attacks, TrustCC breaches and obtains Domain Administrator privileges at about 65% of the banks and credit unions tested. TrustCC is also known as the only firm in the nation that performs IT examinations on behalf of both federal and state regulatory agencies. Our alignment with examiners allows us to provide insightful regulatory guidance. In September of 2015 the TrustCC team joined CliftonLarsonAllen. Combined CLA’s team consists of 60 professionals and can meet every information security and compliance need of a community bank or credit union. Tom is recognized as a thought leader in financial institution security and compliance. Tom speaks at many conferences including those hosted by the NCUA, OTS, OCC, CUNA, NASCUS, ACUIA, CUISPA, AICPA, the Western Independent Bankers, and the Washington/Oregon Bankers Association.




The Standards

Communicating Results

Pat Richey, Retired credit union internal auditor

There is no point in doing an audit if the results are not communicated.

Well, The International Standards for the Professional Practice of Internal Auditing (Standard) 2400 is really easy – internal auditors have to communicate the results of audits. There is no point in doing an audit if the results are not communicated to someone. However, the hard part is the who, what, when, where and how. But never fear, there are 10 pages of audit standards and practice advisories that address those questions, and they will be discussed over multiple Audit Report articles. As of this writing, these standards and related practice advisories have not yet been revised to accommodate the revised International Professional Practices Framework.

The What?

What should be communicated in an audit report? Standard 2410 says audit reports must include the audit objectives, scope, conclusions, recommendations and action plans. This is the minimum required. Otherwise, the format and other content may vary by type of audit or by credit union.

Audit Objective

The audit report must include the audit objective. In our audit reports, after a brief background paragraph (2-3 sentences), our 1st sentence in the audit report would state the objective, such as “The audit objective was to determine whether the credit union is originating loans in compliance with credit union policies and procedures.” Then the 2nd sentence of the report gave a one sentence conclusion, such as “In general, the credit union is originating loans in compliance with credit union policies and procedures.” The 3rd sentence would be “However, internal audit noted the following issues.” The rest of the audit report would discuss those issues.

Audit Scope

The audit report must include the audit scope, which communicates exactly what was or was not audited, and the time period reviewed. We included the audit scope in our audit objective or background paragraph. In the above loan audit example, we would state in the audit objective what types of loans were audited, if the audit did not encompass the whole loan portfolio, such as “ … originating home equity loans in compliance …” to let the reader know that only home equity loans were audited and not any other type of loan. In the background paragraph, we would state exactly what loans were reviewed such as “Internal audit reviewed a random sample of 100 home equity loans from the period January 2015-September 2015.” This lets the reader know that not all home equity loans were reviewed, that the sample was selected randomly, and the period the loans were made. We did not describe what audit work was performed. If the reader was interested in knowing what work was performed, the reader could ask for a copy of our audit program.

Background Information

The final audit report can include background information. However, my ideal audit report was a 1 page report, though generally our audit reports were 2 pages long. Therefore, as noted above, we included very little background information, and no information not directly relevant to the conclusions. We included only background information necessary to put the audit in context, as we tried to make our audit reports as concise as possible. The interpretation of Standard 2420 says that concise means to the point with no unnecessary elaboration, superfluous detail, redundancy and wordiness. Our audit reports might have failed on other criteria, but they were concise. It is probably necessary to describe the credit union unit or activity reviewed and perhaps a brief explanation. The audit report content would definitely mention any unresolved issues from the prior audit of that area. The report can include summaries of the audit report’s content; however I would make that summary very concise.

Observations

Observations are the facts. The audit report only needs the facts that support the conclusions and recommendations, and so that there are no misunderstandings. A statement of fact is “10 of the 100 loans sampled did not have appropriate approvals.” Not all observations have to be included in the audit report. The internal auditor should include all significant observations, but the less significant can be communicated more informally. When I went to the first ACUIA conference in 1991, one of the education sessions was about audit report writing. The presenter suggested writing each observation in the form of criteria, condition, cause and effect (and this is also suggested in PA 2410-1). The criterion is the way things should be - “Loans are appropriately approved.” The condition is the way things are - “Loan approvals were not documented on 10% of loans.” The cause is the reason for the discrepancy between what should be and what is – “Loan officers are not paying attention” (be sure to get down to the root cause of an issue). The effect is the “so what?”, so that the reader’s response is not “who cares?” What is the risk to the credit union because of the discrepancy between the “should be” and “what is?” This puts observations into perspective. After that 1991 presentation, I started writing each observation with the headings of criteria, condition, cause, and effect, followed by headings for recommendation and management’s response. There was one observation per page, and the whole process was rather tortuous. I abandoned that method for straight narrative, but the process is a foundation for building observations.

Conclusions and Opinions

It is very easy to present facts; much more difficult to present conclusions and opinions. Actually, I’d prefer to present the facts and let the reader come to her own conclusions, but that is not fulfilling the audit responsibility adequately.

Attorney-Client Privilege

One issue in communicating results is legal considerations, which is not an easy issue. Practice Advisory (PA) 2400-1 states that internal auditors should consult legal counsel when legal issues or requirements vary significantly in different jurisdictions. What is the law in one state may not be the law in another state, and networking with internal auditors in other states regarding a legal issue might lead the internal auditor astray. Examples of issues where differences might exist are recording telephone conversations, or fire and building codes. The advice in PA 2400-1 is based on attorney-client privilege, which is the legal system that protects information and work performed for, or communicated to, an engaged attorney. The attorney is the expert in this legal system, so you don’t have to be. Our internal audit department had an excellent working relationship with the credit union’s general counsel, which the PA strongly encourages. However, the credit union used three other law firms for human resources issues, regulatory compliance, and collections, with whom the internal audit department had limited contact.

www.acuia.org | THE AUDIT REPORT



What happens if the audit results show that the credit union is not complying with laws, regulations or other legal issues? PA 2400-1 says that internal audit should be cautious when communicating these results. Internal audit should have policies and procedures, such as role definition and methods of communication, for handling these matters, and management should be educated about the policies.

Internal audit has to prepare audit working papers that support results and judgments. PA 2400-1 says audit documentation might conflict with legal counsel’s wish to not have discoverable evidence that could harm the credit union’s position in legal matters. What happens if working papers negatively impact the credit union from a legal perspective? According to PA 2400-1, some courts have recognized a privilege of critical self-analysis that shields materials like audit working papers from discovery, because the confidentiality of self-analysis outweighs the value of public interest. Fortunately, in all my years of internal auditing, internal audit was never involved in a legal issue, so I cannot comment on this PA. Neither did I have a conversation with another internal auditor where it was an issue. It would make for an interesting case study.

Internal audit and legal counsel should not be at odds with one another. PA 2400-1 says that communications made between privileged persons are necessary to protect attorney-client privilege. This communication is made in confidence and for the purpose of obtaining or providing legal assistance for the credit union. This privilege protects communications with attorneys, and with third parties working with an attorney. PA 2400-1 says that privilege usually applies when the information results from a self-critical analysis, the public has a strong interest in preserving information communication contained in the analysis, and information communication would be curtailed if discovery were allowed. This self-critical analysis is less likely to be available when a government agency (e.g. NCUA) seeks the information, because of the government’s interest in enforcing the law. According to PA 2400-1, documents intended to be protected under the work-product doctrine usually need to be some type of work product prepared in anticipation of litigation and completed by someone working at the direction of an attorney. Documents prepared and delivered to the attorney BEFORE the attorney-client relationship is established are generally NOT protected by the attorney-client privilege.

Jennifer Rue, JD and CAE at Financial Center First CU, went to the 2014 IIA General Audit Management Conference, where auditors were advised to meet with legal counsel before beginning an audit if the auditor is concerned that there might be issues uncovered during the audit that should be protected by the attorney-client privilege. The attorney can issue a letter of privilege and the audit work products are protected. Or the CAE can review the annual audit plan with the general counsel to determine in advance if there will be any audits that need this protection. A good example might be a fair lending audit or any type of consumer compliance review. If the Credit Union were to get sued in the future, you would not want workpapers showing lack of compliance to be discoverable. For additional information on attorney-client privilege and internal investigations, see Latham & Watkins Client Alert White Paper “How to Protect Attorney-Client Privilege in Internal Investigations.”

About the Author Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.


IN MEMORIAM

Staci Hutchinson

Staci Hutchinson, who served as the ACUIA North Carolina Chapter Coordinator, tragically passed away on November 7, 2015, from injuries sustained in a car accident. Since 2009, Staci worked as an auditor with Summit Credit Union in Greensboro, NC, and had served as the ACUIA NC Coordinator for the past two years. Staci assisted on the Region 6 meeting planning team for 2015 and was also an active participant in our recent Regional Meeting in Atlanta. Staci is survived by her husband and two children. Our thoughts and prayers go out to Staci’s family.



{ regional news }

REGION 1

Director: Julie Wilson, Director Internal Audit, iQ CU, 360.992.4233, juliew@iqcu.com

No news for Region 1. Please contact Julie with questions.

REGION 2

Director: Tara Tocco, Internal Audit Manager, Hughes Federal Credit Union, 520-205-5744, TTocco@hughesfcu.org

No news for Region 2. Please contact Tara with questions.

REGION 3

Director: Greg A. Czyzewski, CPA, CIA, AVP Internal Audit, Teachers Credit Union, 574.284.6451, gczyz@tcunet.com

Region 3 held its annual meeting at the Indiana Credit Union League offices on Oct 14-16 in Indianapolis. Among the topics covered were: Member Business Loans, TILA-RESPA Disclosures, ALL, ERM, Cybersecurity, Accounting Updates, ACH, and some very good interactive discussions. We want to thank the Credit Union League for hosting the event. Also, thank you to our sponsors: BKD, Doeren Mayhew, Moss Adams, CliftonLarsonAllen, and The Payments Authority. And of course, a big thank you to all of the attendees who helped to make this another successful meeting.

REGION 4

Director: Patrick McCollough, CIA, CISA, CRMA, AVP/Director of Internal Audit, Arkansas Federal Credit Union, 501.533.2275, pmccollough@AFCU.org

No news for Region 4. Please contact Patrick for information.

REGION 5

Director: Michael P. Moreau, CIA, CFE, CFSA, Manager Credit Union Services, Macpage LLC, mpn@macpage.com

No news for Region 5. Please contact Mike with questions.

REGION 6

Director: Jason Alexander, MBA, CICA, Director of Internal Audit, LGE Community Credit Union, 770-421-2579, jasona@LGEccu.org

Submitted by Bobby Nichols: The Region 6 meeting was held in Atlanta at Georgia’s Own Credit Union October 7-9, 2015. Sessions included Fair Lending, Developing an Effective Audit Plan, Auditing ALM, Cyber Security Auditing, NCUA, BSA Compliance with 3rd Party Vendors and an Audit Director’s Panel. In addition, the 40 audit and compliance staff in attendance were treated to a number of networking opportunities and a BBQ sponsored by our host credit union.


There are a couple of newsworthy items to share. We have a new Region 6 Director as Jason Alexander (LGE Community Credit Union) takes over the reins from Bobby Nichols (State Employees’ Credit Union), who was recently elected to the ACUIA Board. Jason previously served as the Georgia Chapter Coordinator. We also have a new chapter to announce as Lourdes Camacho (Space Coast Credit Union) has agreed to start a chapter in Florida.

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.



{ region directors }

REGION 1: Julie Wilson, juliew@iqcu.com

REGION 2: Tara Tocco, TTocco@hughesfcu.org

REGION 3: Greg Czyzewski, CPA, CIA, gczyz@tcunet.com

REGION 4: Patrick McCollough, pmccollough@AFCU.org

REGION 5: Michael P. Moreau, CIA, CFE, CFSA, mpn@macpage.com

REGION 6: Jason Alexander, jasona@lgeccu.org

{ chapter coordinators }

Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1

MINNESOTA CHAPTER

REGION 5

CENTRAL CASCADES (OR/WA) CHAPTER

VOLUNTEER NEEDED!

NEW YORK CITY CHAPTER

Terry Robbins trobbins@mapscu.com

REGION 2

ARIZONA CHAPTER

Allen Lorti alorti@sunwestfcu.org

Kathleen Schaefer Kathleen.Schaefer@elgacu.com

WISCONSIN CHAPTER

Karla Hodgkins khodgkin@Covantagecu.org

CALIFORNIA CHAPTER

REGION 4

Andrea Munoz andrea.munoz@firsttechfed.com

NORTH TEXAS CHAPTER

UTAH CHAPTER

Randy Manscill, CIA, CFE, CFSA rmanscill@americafirst.com

REGION 3

INDIANA CHAPTER

Jeff Watson jwatson@iucu.org

MICHIGAN CHAPTER


VOLUNTEER NEEDED!

REGION 6

GEORGIA CHAPTER

Jason Alexander jasona@lgeccu.org

FLORIDA CHAPTER

Lourdes Camacho lourdesc@sccu.com

Kimberly Wiersema kawiersema@hotmail.com

NORTH CAROLINA CHAPTER

ST. LOUIS CHAPTER

SOUTH CAROLINA CHAPTER

David Caster dcaster@firstcommunity.com

Tammy Farmer tammyf@scscu.com

VOLUNTEER NEEDED!

TENNESSEE CHAPTER

Michelle Clark, CUCU mclarck@ecu.org



