Volume 25, Issue 1, 2016
The Magazine of the Association of Credit Union Internal Auditors, Inc.
A NEW FLEXIBILITY? MEMBER BUSINESS LENDING RULE CHANGES
VENDOR MANAGEMENT AND DUE DILIGENCE YOU HAVE TO SEE THE BIG PICTURE
IS YOUR CORE PROCESSING SYSTEM OUT OF DATE?
{ contents }

FEATURES
6 Core Values: Evaluating and Implementing an Effective Core Processing System, by Brian J. Mischel, CPA, and Steven J. Wuchnick
10 A New Flexibility? Member Business Lending Rule Changes, by Sam Capuano, CBA, CRP
14 Vendor Management and Due Diligence: Looking at the Big Picture for Outsourcing, by Kyle Konopasek
18 Information Security: The Real Cost of a Data Breach, by SCA

DEPARTMENTS
2 From the Editor: Spring Renewal, by Tabitha Ernst-Chadwick
4 Chairman’s Message: The Shape of 2016, by John Gallagher
20 The Standards: Communicating Results, Part II, by Pat Richey
24 Member Spotlight: Jason Alexander, by Tabitha Ernst-Chadwick
26 Regional News
28 Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick
Designer: Victoria Valentine

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street, Suite 300, Alexandria, VA 22314, (703) 688-2284.

© Copyright 2016, ACUIA. All rights reserved.
{ from the editor }
Spring Renewal
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
Though the reasons differ for each of us, one common denominator for probably all of us is that spring is a time of renewal and new life. Even though audit, compliance, and risk are ever-changing, there is still a pattern in most of what we do on a day-to-day basis. Before we know it, we have slipped into the same complacency about which we warn our auditees. If we go too far into that slump, we risk missing the opportunity for renewal. This has been on my mind a lot lately (as you may have gleaned from my various articles about evaluating your shop, preparing for change…). But recently I had an experience that took my own personal renewal to a new level. Several weeks ago I had the opportunity to “hike the hill” and personally voice some credit union industry concerns to our Congressmen and women. This was not something I had the occasion to do when I was in internal audit, and honestly, it’s not something I probably would have considered in that job function. But after spending a week with more than 5,000 passionate credit union leaders who were electrified with the desire to share the Credit Union Difference, it didn’t take long for me to drink the proverbial Kool-Aid. I don’t feel that in my 18+ years in the credit union industry (yes, as far as you know I started when I was 15) I ever lost sight of the member-centric focus for which credit unions were born. But I haven’t felt that energized about it in a long time. Suddenly I couldn’t wait to talk to governmental leaders, co-workers, and strangers in the grocery store about the Credit Union Difference.

My hope is to inspire that same renewal in you. Find that passion to get back to your credit union roots; no matter what type of job function you are performing, you can have an impact on our industry. (Case in point – check out Jason Alexander’s Spotlight interview.) Take some time out of that extremely busy audit or compliance schedule to post a video about how credit unions change lives; write a letter or make a call to your senators and representatives to encourage them to drink the Kool-Aid; participate in one of the many community events your credit union supports. Let’s participate in this Spring Renewal and remind those around us why credit unions were created and how we can change the world.
2016 BOARD OF DIRECTORS
Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2014–2016
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2015–2017
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2015–2017
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dswenson2@wingsfinancial.com, Term 2015–2018
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018
Director: Doug Wright, CPA, CFE, CUCE, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2015–2016
Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com

ACUIA EXECUTIVE OFFICE
1727 King Street, Suite 300, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
{ chairman’s message }
The Shape of 2016
John Gallagher
Hard to believe another year has passed and we are already well into 2016. On the bright side, the year looks to have gotten off to a positive start for ACUIA, with many projects and initiatives underway. So what is shaping up for 2016? First and foremost is our signature event, the 26th annual conference, which will be held in Reno, Nevada, on June 21st – June 24th. The conference committee has been hard at work over the past months, and hopefully by the time you are reading this the conference agenda will have already been published and you have completed your registration. We anticipate another great conference with plenty of networking opportunities, knowledgeable presenters and valuable educational sessions. In fact, many sessions this year will be presented using an interactive format (hands-on computer training, case study, panel/roundtable discussions) rather than the traditional lecture style. The “one-day” sessions held on Tuesday are also being changed from a full day/one topic format to half-day multi-topic presentations. This will allow for some flexibility in the scheduling and for some sessions to be repeated. This will afford attendees the opportunity to maximize their desire to attend multiple sessions which appeal to them. We believe this will result in a much more enjoyable conference for all attendees. Lastly, we are looking to go paperless this year and hope to implement the use of interactive software which will allow attendees to access the agenda, session presentations, events calendar, and also a “social media” page specific to conference attendees. So I hope you will all plan to join us in Reno!

Financially speaking, ACUIA had a very successful year in 2015 and as such is well positioned to continue its offering of periodic webinars at no cost to our existing members. We will also be evaluating enhancements to our website and especially the Forum page. Other various product and service offerings are also under review. Our membership numbers continue to remain strong. As of this writing the renewal figures remain in line with those of past years, and we have expectations for growth overall.

As you may recall (and it’s okay if you don’t!), in my first Chairman’s message last year I mentioned that the Board was evaluating the potential development of a Credit Union Internal Auditor Certification Program. While the details have not been finalized, I am proud to announce that this Program has been approved and is currently being developed under a joint partnership with CUNA. The first Certification Program offering is scheduled to be held in October 2016. Stay tuned for specific announcements and details.

I again look forward to addressing the challenges which lie ahead in 2016 with the assistance, input, and cooperation of all board members, regional directors, chapter coordinators, committee volunteers, and you! Together let’s make ACUIA the best it can be!

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.
KEYNOTE SPEAKERS
David Hume Kennerly, Pulitzer Prize Winning White House Photographer
Robert Fenner, Former General Counsel, NCUA
Todd Newton, Emmy Award Winning TV Host and Entertainer
Tom Glatt, CEO, St. Paul Federal Credit Union
Diane Dykstra, President/CEO, CA & NV Credit Union League
Ann Butera, President, Whole Person Project Inc.
EVALUATING AND IMPLEMENTING AN EFFECTIVE CORE PROCESSING SYSTEM
BRIAN J. MISCHEL, CPA, AND STEVEN J. WUCHNICK

The diverse demands of credit unions in today’s environment require an integrated, flexible and secure core processing system solution. This system affects virtually every critical aspect of a credit union’s operations, including processing shares, payments, loans, most transactions, and customer data. The core processing system can directly impact business objectives, growth goals and member satisfaction. Evaluating core processing options and determining the best option is one of the most important decisions a management team can make.

The technology platform is the backbone of all credit union operations, and implementing a new core processing system is an extensive process that requires considerable planning and coordination. While a system conversion can involve significant time and resources, it can be an opportunity to improve processes as new functionality is added. Here are some points to remember as your credit union considers whether to make this important change.
Time for a Change
Many credit unions have been running the same core system for years despite the fact that their business model or needs may have changed. If system capabilities aren’t meeting current needs or won’t likely meet future needs, it may be time to review other options. The evaluation of a credit union’s needs should be a strategic process driven by input throughout the organization. A team should be assembled that includes senior management and representatives from each business line or department. The team should have a clear, uniform understanding of key business objectives and critical issues throughout the credit union and evaluate the performance of the current system and provider as well as the current contract, service expectations and future needs. Examples of situations indicating that other core processing system options should be considered include:
■ An old and aging system that’s no longer supported
■ A system requiring a high degree of manual processes
■ Increased demand for services to be delivered over new channels, such as mobile banking, that aren’t offered, or functionality that lags behind competitors
■ Inability to easily roll out new products to support strategic growth plans

A new core processing system can provide increased efficiency, more flexibility, better integration across products, and stronger security and data protection. Converting core systems is a costly and demanding undertaking, and converting systems in the middle of the current contract may be cost-prohibitive. It takes clearly defined improvements to justify a change. Once the decision has been made to explore core system options, a request for proposal (RFP) can be sent to prospective service providers to facilitate the evaluation process.
Due Diligence
An RFP outlines needs and expectations when searching for a system and provider. All selection criteria—including performance requirements, business needs, partnership expectations and other concerns—should be included in the RFP. Many credit unions will use a consultant in various parts of the core system evaluation process. A consultant can add value by sharing pros and cons of the available options, helping craft language in the RFP, and helping management identify the key decision factors in making a selection. After the initial due diligence or RFP process, the best provider candidates should be brought in to demonstrate their processing systems. Each presentation should conclude with questions and an internal debriefing discussion of each option. All providers’ references should be contacted to discuss their experience and answer practical questions. There’s no better assessment of a product than a peer who’s a current user.

Contract Negotiation
Once the right system has been identified, the contract needs to be negotiated. A consultant and legal counsel can assist in the negotiation process. Core processing is one of the most significant noninterest expenses for a credit union, and in the current environment of tight interest margins, rising compliance costs and less-than-stellar economic growth, controlling expenses is critical in building member value and maintaining performance. A poorly negotiated core processing contract also can significantly reduce member value in mergers and acquisitions and even obstruct a potential deal. While financial terms are an important aspect of the contract, other key contract issues should be considered, including:
■ All service agreements, including well-defined responsibilities and recourse
■ Language regarding dispute resolution and how disagreements will be resolved
■ Agreement length and termination clauses
■ Renewal scenarios and required notice prior to making a change
■ Backup and recovery processes
■ Account management
■ Training
■ Technical support
Implementation
To fully take advantage of the new core system’s capability, all users should understand the system. A successful core conversion implementation requires planning well in advance of the conversion date, along with preparing data to be converted and significant training.

Conversion Process Planning
All parties should develop a clear blueprint of the conversion, and senior management at all levels should participate in task planning and completion. Discussion with peer credit unions that have gone through a similar conversion process is helpful in establishing the steps and timeline and avoiding common pitfalls. Set a schedule with milestones and stick to it. A clearly planned conversion process will help control conversion costs. Frequent meetings are necessary to track progress and issues.

Data Preparation
The data to be converted should be ready for the migration to the new system. Member account information must be correct prior to conversion to ensure a smooth process. Complete as much system cleanup as possible before conversion. Reports should be compared from the old system to the new system prior to conversion. Don’t assume terminology and reports on the old system will be the same on the new system. Extract and archive as much relevant information from the old system as possible in case it is needed after the conversion.

Staff Training
The most critical aspect of the implementation is user training. Getting employees trained and comfortable with the new system is imperative. Frequent, transparent communication is necessary throughout the conversion process. Employees should be reminded of why they’re doing certain things to help re-establish the how. Support from management will be necessary, as some might be overwhelmed during the process. Employees should be encouraged to suggest how processes can be re-engineered for improved effectiveness and efficiency. In addition, issues will arise in the implementation phase, so senior management’s handling of these situations will send a message to all employees.

Having the right core processing system in place is essential to remain competitive in the credit union landscape. The system should be evaluated to ensure strategic objectives are met and member objectives are maintained. An effective core processing system can add value to credit unions through better functionality, efficiency and cost savings.
About the Authors

Brian J. Mischel, CPA
Brian is a member of BKD National Financial Services Group, providing audit and consulting services to financial institutions ranging from $50 million to several billion in asset size. He has more than 15 years of experience in control analyses, asset and liability management consulting, credit quality assurances and loan and lease loss allowance analyses. Brian also has experience with U.S. Securities and Exchange Commission reporting requirements and integrated audits under Sarbanes-Oxley Act Section 404. In addition, he has assisted strategic buyers with financial due diligence and other services encountered through acquisitions. Brian is a member of the American Institute of CPAs, Kentucky Society of Certified Public Accountants and Ohio Society of CPAs. He is active in the Ohio Credit Union League, Community Bankers Association of Ohio, Ohio Bankers League, Kentucky Bankers Association and Financial Managers Society. He contributes to various firm publications as well as BKD Thoughtware® articles. His articles have also been published in BankNews, Colorado Real Estate Journal, Kentucky Banker, The Independent Report, The Wyoming Banker Newsletter and Western Banker.

Steven J. Wuchnick
Steven is a member of BKD National Financial Services Group, providing audit and consulting services to publicly traded and closely held financial institutions of various sizes. Steven has more than five years of experience providing external and internal audit services, control analyses, asset and liability management consulting, credit quality assurances, loan and lease loss allowance analyses and other consulting services to financial institutions. Steven also has experience with U.S. Securities and Exchange Commission reporting requirements and integrated audits under Sarbanes-Oxley Act Section 404. Steven is a member of the American Institute of CPAs and the Ohio Society of CPAs. He is active in the Ohio Credit Union League, Community Bankers Association of Ohio and Financial Managers Society.
A NEW FLEXIBILITY? MEMBER BUSINESS LENDING RULE CHANGES
SAM CAPUANO, CBA, CRP

On February 18, 2016, the National Credit Union Administration’s (NCUA) Board, in a unanimous vote, approved an overhaul of the Member Business Loan (MBL) rule.

While it did not go down without some infighting – a recurring trend of the current Board of Chair Debbie Matz, Mark McWatters, and Rick Metsger – it does represent the most sweeping changes to NCUA Rules & Regulation Part 723 since 2003. Matz said it was the beginning of a “new era,” while CUNA President & CEO Jim Nussle called it “a major victory for America’s small business and job creators.” Not surprisingly, bankers’ groups blasted the action. American Bankers Association President & CEO Rob Nichols promised congressional lobbying, and Independent Community Bankers of America’s Camden Fine noted that “… it represents a blatant disregard for Congress and the thousands of concerned citizens who sent in comment letters to the agency.” The final rule becomes effective January 1, 2017, with the exception of Part 723.5(b) (pertaining to personal guarantees), which will be effective 60 days after Federal Register publication.

So, it’s time to take a look at Part 723 again. Most of us have had its provisions etched in our memory for some time. For instance, the aforementioned personal guarantee provision has changed, as have some definitions (including some as basic as “commercial loan”); some lending limits are gone, and MBL Policy requirements have eased a bit, while adding some additional guidance. The NCUA says the final rule “will provide federally insured credit unions with greater flexibility and individual autonomy in safely and soundly making commercial and business loans to meet the needs of their membership.” So, does it? Here are some of the highlights of the changes.

Overall, smaller credit unions get some regulatory relief here. Credit unions with less than $250 million in assets and a commercial loan portfolio less than 15% of their net worth will be exempt from the rule. What does the new Part 723 mean for credit unions, and those of us who audit them? Or will it mean much at all? One of the ballyhooed regulation changes was pertaining to MBL policy. But, according to the results of a poll of 750 credit unions released by CU Business Group shortly after the NCUA action, one in three credit unions said they would only change a few items in their policy. Another third were unsure of what changes would be made. A mere 4% responded that their policy would be materially revised. Some interesting results, and perhaps a bit of confusion as well, which is to be expected. The guess from here is that these poll results may change in due time.

That said, one of the positives of the existing Part 723.6 was pertaining to MBL Policy. “What must your member business loan policy address?” was short, and to the point, with 10 requirements. At the time this part had previously been revised, in October 2003, many credit unions were making their initial foray in member business lending. And, frankly, many were jumping into it a bit too quickly, and were somewhat unsure of what their policy should be. Part 723.6 was an effective way for these credit unions to at least have their policies in line with expectations. But then again, one of the weakest sections of the existing Part 723.6 was the requirement of only a minimum of two years’ experience of personnel running the MBL shop. Over the years I have given several MBL presentations at national and regional ACUIA meetings, and each and every time I have mentioned that the MBL head honcho should have much more experience than this. The revised regulation now states only that MBL Policy should state the
qualification and experience requirements of the lead MBL person. Hopefully those will be more than two years. Given the expectations for Senior Executive Officers and Qualified Lending Personnel, cited in the subsections under Required Expertise and Experience, I would suspect not. And, while the experience requirement can be satisfied by using a third party and/or a CUSO, Part 723.3(b)(3) now details the four conditions which must be met for looking elsewhere for this issue. This is one example of the “greater flexibility and more autonomy” the NCUA mentioned after taking the action. While there are still policy requirements, the changes will allow credit unions to tailor their policies to their specific needs. I would suspect the examiners will look at MBL risk assessments and see if policies relate accordingly. As with policies for other loan products, this policy should be prudent, but now it won’t be as restrictive.

Part 723.5 addresses collateral and security. The loan-to-value requirements (which were previously in 723.7) have been replaced. Collateral now “must be sufficient to ensure adequate loan balance protection…” If a credit union makes an unsecured loan, the loan file will have to be documented to note the mitigating factors which sufficiently offset the risk. Probably wouldn’t be a bad idea to have this conspicuously noted in policy, so it’s clear what is required if the guarantee isn’t. Personal guarantees are no longer required; however, if they’re not, again, the loan file must document the mitigating factors, as with unsecured loans noted above. Likewise, the corresponding Regional Director waivers for collateral and security, previously required by 723.7, have also gone bye-bye. The view from here is that this is a slight easing of what many saw as too much of a focus on collateral in Part 723. Yes, loan security obviously is still a critical component, but not as critical as looking at overall risk, including repayment ability.

Which brings us to construction and development (C&D) loans. For many, this has caused several discussions with the examiners over the years. I have come across many situations in which there was disagreement between management and the examiners as to what constituted a C&D loan. Which means examiners found loans they felt fit into the C&D definition. As a result, oftentimes credit unions would have to reclassify loans into the C&D category, and thus exceed the 15% of net worth portfolio limit. The new Part 723.6 eliminates the 15% limit, and also clarifies the C&D definition. While I suspect there may still be some issues as to whether or not a loan is a C&D, there will now be less, and without the limit, so will the repercussions. And, speaking of definitions, Part 732.2 contains revised definitions of associated borrower, commercial loan, credit-risk rating system, loan-to-value ratios and readily marketable collateral.

Other changes pertaining to limits include those on single obligors. The single obligor limit of 15% of net worth is now part of the policy requirement and has had the waiver removed. The limit can be as much as 10% higher (25% of net worth) if fully secured by readily marketable security. As for what constitutes “readily marketable collateral” security, as mentioned above, Part 732.2 contains a revised definition, which I recommend taking a look at. It’s been my experience that lenders can stretch their imaginations a bit when it comes to using stock as collateral, especially when it comes to valuation. Now there is a definition, right in this very regulation, which hopefully puts an end to that.

And for the examiners? Prior to the final rule’s implementation, they will receive supervisory guidance, to which credit unions will also be privy. The NCUA is also reaching out directly to credit unions on the issue. As the deadline approached for this article, NCUA announced there would be a free webcast on the new MBL rules in early March presented by Director of Examinations and Insurance Larry Fazio. At the same time, NCUA said the corresponding Final Regulation on MBL is in the works and would be sent to members in the near future. Should make for some interesting reading. The NCUA says the final rule “will provide federally insured credit unions with greater flexibility and individual autonomy in safely and soundly making commercial and business loans to meet the needs of their membership.” So, does it?
About the Author
Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY, and Rutland, Vermont, offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started their IA function in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.
VENDOR MANAGEMENT AND DUE DILIGENCE
KYLE KONOPASEK

Too many organizations fail to see the big picture when evaluating the risks associated with outsourcing existing services beyond the company walls.

Nearly every organization outsources some piece of its business to a third-party service provider. All evidence indicates that this trend will continue, and even expand, within the next five years, as economic and political factors continue to influence organizations to outsource more than one key function of their business. Many organizations outsource payroll processing activities; however, other commonly outsourced functions include human resources, accounting, data hosting, compliance, customer support, and even internal audit activities.

Unfortunately, too many organizations fail to see the big picture when evaluating the risks associated with outsourcing existing services beyond the company walls. For one, the scope of the risk may be larger than organizations realize. Vendors include not only those external relationships that are 100 percent outsourced, but also all services that are not performed 100 percent by an organization’s personnel. The key to monitoring vendor-related risk is to ensure enough is being done to assess all outsourced relationships in accordance with the organization’s overall risk acceptance and risk tolerance.

Vendor management and vendor due diligence are the means for accomplishing this task. Vendor management is a general phrase used to describe the overall process, but may also be applied to describe the activities for assessing existing third-party relationships. Vendor due diligence is generally the process of assessing new or prospective third parties.

The process for critically assessing the risks with third-party services begins with establishing a vendor management policy that is approved annually by the board of directors. This policy should include several key sections specifically addressing the different types of sensitive information the organization wants to protect and where that information is stored.
Defining Your Vendors
The vendor management policy should define critical and non-critical vendors. Sometimes, albeit rarely, the most critical vendors are those who only provide weekly or even monthly support—it all depends on the functions being outsourced. All existing vendors in the organization should be assessed, including information technology and operational service providers. One method of identifying current service providers is to run an accounts payable listing; however, organizations should note that the amount paid annually does not necessarily reflect the risk or concern level of the vendor, especially if sensitive data are involved. For example, a vendor who is paid $1,000 annually may be a larger risk than one paid $100,000 annually. If the vendor is a health insurance broker, it may have access to personally identifiable information (PII) of employees, such as Social Security numbers, or to protected health information (PHI). Likewise, a third party may also have access to PII or PHI of a company’s customers or clientele. When evaluating risk, it is critical that organizations focus on what information the service provider has access to rather than on the functional support provided by the third party. Even the smallest vendor, if it has access to critical information, may severely damage the reputation of the organization and/or its customers/members in the event of an intentional or unintentional security breach.
Documenting and Evaluating Vendors
A vendor management policy should also provide direction on the frequency for re-evaluating existing third-party relationships, the responsible parties for approving internal vendor assessments, and the key individuals responsible for completing the documentation required for vendor assessments. For both new and existing vendor relationships, management should obtain relevant financial information in the form of tax returns or financial statements, evidence of financial responsibility through insurance coverages and associated policies, and service organization control (SOC) reports. It is the documentation and accumulation of these sources of information that make up a single vendor assessment. The responsibility for compiling the documentation and ensuring its appropriate completion should be assigned to a single individual; however, that individual may play a very small role in the actual completion of the required documents. For example, the Controller may be responsible for compiling all of the information but may delegate responsibilities so that the review of vendor financial information is sent to the CFO. The review of vendor insurance coverages and policies often rests with the legal department, and the review of SOC reports may be passed on to someone in the accounting department or another individual with strong knowledge of the purpose, types and content of a SOC report. Each of the respective vendor reviewers is responsible for documenting the risks identified with the vendor and the service to be provided. Knowing who will be responsible for document completion will dictate the standardization of vendor assessment forms and documentation requirements to be developed by management. Generally, the risks, the mitigating controls in place (i.e. SOC reports, insurance policies), and the risk to be accepted should all be documented in as much detail as possible prior to accepting a new vendor or continuing an existing relationship. The vendor assessment documentation should clearly address why the vendor is deemed to be a critical or non-critical vendor, who the primary third-party contacts are, what sensitive information the vendor has or will have access to, the information technology systems involved, and the results of the vendor’s most recent SOC report.
SOC Reporting
It is vital that all vendors provide the appropriate variety of SOC reports. There are three varieties of reports: SOC 1, SOC 2, and SOC 3. A SOC 1 or SOC 2 report is typically the most common. A SOC 1 report focuses on the controls related to financial reporting at the third-party service provider, and a SOC 2 focuses on a combination of security, availability, processing integrity, confidentiality, and/or privacy over the service the vendor will be providing. Within SOC 1 and SOC 2 are two “types” of reports—Type 1 and Type 2. A Type 1 report is conducted as of a specific date and does not opine on the operating effectiveness of the vendor’s control activities. A Type 2 report is the more robust of the available reporting options and covers a period of time, usually twelve months. This report opines on the operating effectiveness of the vendor’s control activities related to the service the vendor will be providing. When it comes to assessing how a vendor will handle company data, a SOC 1 Type 2 or a SOC 2 Type 2 is among the best tools available. Management should question doing business with “critical” vendors who do not have some level of SOC report available for review.
Managing the Process
The process of documenting vendor assessments can quickly become flooded with supporting documentation and management’s effort to write narratives regarding the acceptance or denial of a vendor relationship. Coordinating the process is a key element of a successful vendor management program and is best done by centralizing the monitoring and responsibility for the program and by digitizing vendor documentation and internal assessment forms, including management approvals. Delegating responsibilities for assessing vendor financials, information technology systems and legal documentation to appropriate persons within the organization is crucial to the vendor management program and ensures a company-wide approach to vendor acceptance. By documenting and implementing a strong vendor management program focused on addressing all third-party risks within the organization, management will be better prepared to address any issues with specific vendors and potentially mitigate related risks. Strong vendor assessments and related controls will also help insulate the organization from any collateral damage related to a vendor cyberattack or other possible information breaches.
About the Author
Kyle Konopasek is a manager in the Business and Technology Risk Services group in the Kansas City office of CBIZ MHM, LLC, and has been with the organization since 2001. He is experienced in planning, conducting, supervising, reviewing, and reporting on internal audit engagements, SOC engagements, and financial statement audits. Complementary experience includes assisting companies with emerging information security and privacy risks. Kyle has been featured in the Kansas City Business Journal and is an experienced public speaker on topics such as information security, social engineering, and vendor management. Kyle serves a diverse client base within multiple industries.
{ information security }
Security Compliance Associates
The Real Cost of a Data Breach
How much can a Credit Union lose in a data breach? This isn’t simply a question of cost – it’s also a matter of reputation, member satisfaction, and remediation activities.
There is no question that the best way to deal with a data breach is to stop it before it can ever happen. Unfortunately, thieves are becoming more clever and resourceful. To outsmart would-be criminals, you need to make sure your Credit Union’s security policies and procedures are up-to-date and sustainable. What is the best reason to make sure your information and your member information is secure? Consider the true cost of a data breach.
The Identity Theft Resource Center (ITRC) reported a near record high data breach total in 2015. There were 781 breaches last year. According to a 2015 study by Ponemon Institute LLC, the loss due to breaches has continued to rise over the last 10 years. The Institute calculated a single compromised record at a cost of $217.00. Ponemon broke down that number, suggesting that $143 was for indirect costs (including abnormal turnover of customers), and $74 represented the direct costs of resolving the breach. The average cost of a breach to companies included in the study in 2015 was $6.53 million. For example, companies that lost fewer than 10,000 records spent approximately $4.7 million. Those who lost more than 50,000 records spent more than $11 million. Unfortunately, the financial sector is one of the top industries to be targeted by cyber thieves. In 2015, businesses that suffered a data breach spent an average of $1.64 million in post-breach activities. In addition, companies lost approximately $3.72 million in lost business due to breaches. In determining the cost of a breach, Ponemon considered the amounts spent on conducting investigations, putting together an incident response team, public relations outreach and specialized employee training. After a breach has been found and dealt with, there are also the aftermath costs that include consulting services, legal fees, regulatory fees, discounts to customers, identity protection services, and loss of customer business. Regulatory fees and fines are two important areas to seriously consider. It is always important for Credit Unions to maintain regulatory compliance. However, simply being compliant does not always mean that your institution is protected from cyber thieves. While institutions certainly need regulatory experts to inspect policies and ensure compliance, it is also important for Credit Unions to have an IT specialist analyze their data protection procedures, identify gaps in security, and help put in place policies and practices that will ensure information and funds are safeguarded.
Something else to consider is “who” puts you at risk for a data breach. One of the primary security dangers is cyber thieves. These are people outside of your organization, who are likely thousands of miles away, and are trying to gain access to your servers through the use of malware for nefarious reasons. The Identity Theft Resource Center says that 37.9 percent of data breaches in 2015 were due to hackers. Unfortunately, security issues can also come from people who are closely related to your Credit Union. Some data breaches occur because of employee conduct. In fact, the ITRC indicates that last year employee error or negligence resulted in 14.9 percent of breaches. It could be that the employee is innocent in the actual theft. For example, it could be as simple as an employee turning the virus scanner off on his computer because it slowed the processing speed down, or an employee who has a work computer stolen from his car. Another issue, of course, is employee fraud. A 2014 report by the Association of Certified Fraud Examiners (ACFE) suggests that 42 percent of occupational fraud is committed by lower-level employees and 36 percent is perpetrated by those at the managerial level. Many employee fraudsters have been in their positions for more than five years and are often trusted. Data suggest that higher-level employees steal more money, and employees who have been in a position longer are likely to take more. One of the most prevalent red flags to watch out for is a person who is living beyond his or her means. Other red flags include unusually close associations with vendors, an unwillingness to share duties, or family problems.
When it comes to data security, Credit Unions cannot be too careful. Various reports suggest that thieves are specifically targeting the financial services industry, so it is always best to head thieves off by protecting data on the front end. Lost member trust, damaged reputation, and the financial impact of a breach are lessons you need not learn the hard way. Developing comprehensive security policies and procedures, educating your staff, and assessing your cyber-risk will go a long way towards protecting your Credit Union. Validating that you have safeguarded personal information and your funds by hiring a qualified third-party IT security firm might be just what is needed to mitigate the chance of a breach.
About the Authors
The article was submitted by Security Compliance Associates (SCA). For nearly 16 years, SCA has delivered world class IT Information Security Assessment services throughout the United States. SCA employs credentialed engineers and compliance professionals to meet clients’ IT Information Security needs. SCA Engineers have more than 100 years of combined IT Information Security experience, including NASA Mission Operations at Johnson Space Center, the Department of Defense and the National Intelligence Community. SCA’s credentialed security experts are recognized industry leaders, are frequent speakers and are considered subject matter experts in the financial services, settlement, and healthcare industries.
{ the standards }
Pat Richey, Retired credit union internal auditor
Communicating Results, Part II Final audit reports must contain the internal auditor’s opinion and/or conclusion.
As discussed in last quarter’s article, Standard 2410 of the International Standards for the Professional Practice of Internal Auditing (Standards) says audit reports must include the audit objectives, scope, conclusions, recommendations, and action plans. I discussed the audit scope, objectives, and observations in that article. In this article, I will discuss conclusions, opinions and recommendations, and action plans. Practice Advisory (PA) 2410-1 touches on these topics, and “Practice Guide: Formulating and Expressing Internal Audit Opinions” (PG) is a 17-page guide that should be useful to credit union internal auditors.
Conclusions and Opinions
Standard 2410.A1 says that final audit reports must contain the internal auditor’s opinion and/or conclusion. The PG refers to macro and micro opinions – a macro opinion is based on the results of many audits, but a micro opinion is based on the results of one audit. The audit report’s conclusions and opinions should answer the questions “So, what does this mean?” or “Why should I care?” The internal auditor has laid out the auditor’s observations in the report, but the auditor must also express what effect or implications these observations have on the credit union. The conclusions and opinions put the observations into perspective. The conclusion should answer the audit objective. If the audit objective is to determine whether internal controls in credit card lending are operating effectively, the conclusion should state “Internal controls in credit card lending are operating effectively” (or not, as the case may be). In our audit reports, we answered the audit objective question in the very first sentence of the audit report narrative. Our conclusion sentence would read “Internal controls in credit card lending are operating effectively; however, internal audit observed some issues discussed below.” Then we would discuss our observations. If the audit objective was very broad, we generally broke the audit into several sections with more focused objectives, and then had a conclusion or opinion on each audit section. Standard 2410.A1 states that the conclusions and opinions must take into account the expectations of senior management, board/audit committee, and any other stakeholder. The conclusions and opinions must be useful to these stakeholders; they must be of value. I reported functionally and administratively to the Supervisory Committee, so
their expectations were uppermost in my mind. However, senior management’s expectations had to be met, and the external audit firm and NCUA requested copies of audit reports, so those entities also had to be taken into account. Audit conclusions and opinions must be supported by internal audit’s observations. Standard 2410.A1 states that opinions and conclusions must be supported by sufficient, reliable, relevant, and useful information. If internal audit’s opinion or conclusion is challenged, internal audit has only to provide the underlying audit work. Internal audit does not make conclusions and opinions on a whim. An opinion or conclusion describes the audit results. The Interpretation of Standard 2410.A1 states that opinions may be ratings, and the PG includes a discussion of using a rating system. For many years we used ratings in branch audits, giving branches a letter grade (e.g. A, B-, C+, F) as our branch audit conclusion. To come up with the grade, we placed a point value on the significance of each deficiency (e.g. 5 for very significant to 1 for insignificant). We analyzed 3 years of branch audit results to determine an average (grade C), and then going forward compared branch audits to this average and assigned a letter grade. This gave us the ability to compare the results of a branch audit to audits of other branches, or to compare one branch from year to year. However, management began to incorporate these letter grades into branch management performance evaluations, and so internal audit discontinued the rating system as the system was being used in unintended ways. There is not enough space for me to discuss everything in the PG on forming and expressing an opinion, so I encourage credit union internal auditors to read the PG, which includes several appendices.
Recommendations
It is not enough for the internal auditor to express an opinion or a conclusion. Internal audit must also make recommendations for improvement or corrective action based on the auditor’s observations and conclusions. If the auditor finds deficiencies, management should act to correct the deficiencies. We generally worked with staff to come up with recommendations for improvements or corrections. The staff is in the best position to know how to correct an issue. I don’t know how many times I came up with a recommendation on my own, only to find out the recommended action was not practical. Recommendations can be general or specific. A recommendation that management find a solution for correcting a condition is not very helpful. However, there may be a case where considerable analysis must be done before determining the correct solution, and internal audit does not have the resources to conduct the analysis.
Plan of Action
PA 2410-1 states that internal audit should obtain management’s agreement on the audit results or plan of action. Management needs to agree or disagree with internal audit’s recommendations for improvement or corrective action. Internal audit only makes recommendations; internal audit does not have the authority to dictate management’s actions. If internal audit has made recommendations, audit has done its job. It is management’s decision as to whether a recommendation will be implemented. PA 2410-1 states that management’s response may be included in the audit report, as an appendix or in a cover letter. Our audit reports listed the recommendations followed by a section for management’s response, and so the response was included in the audit report. We had an agreement with management as to the time frame allowed for senior managers to respond to the audit report (they were given a certain number of working days). When the audit report was delivered to management, the report included the date by which internal audit expected management’s response. Management’s response would include whether or not management agreed with each specific recommendation. I was looking for a yes or no answer. We did not include lengthy management responses in the audit report if ultimately the response was a yes or no. If management agreed with a recommendation, management’s response had to specify the date the recommendation would be implemented. If management agreed that a deficiency had to be corrected, but disagreed with internal audit’s recommended course of action, management and internal audit would discuss other solutions. However, this would rarely occur because recommendations would be discussed during field work or audit report writing. If management outright disagreed with a recommendation for change or improvement, then management’s position would be included in the management response section. However, these issues should be resolved during the audit engagement, not after the auditor has written the audit report. If internal audit’s opinions and conclusions are supported by sufficient, reliable, relevant, and useful information, internal audit should not back down on audit’s position just because management disagrees. Management has the right to assume the risk of not correcting a deficiency, and this assumption of risk should be part of management’s response.
Interim Reports
Management should not learn about the audit results in a final audit report. Internal audit should apprise management of the audit progress. PA 2410-1 says interim reports can be written or oral, and formal or informal. The key is communicate, communicate, communicate. The audit is not a secret, unless it involves a fraud or criminal investigation. Hopefully, management and internal audit both have open-door policies, which make communication easy. If an issue requires management’s immediate attention, then management needs immediate communication. When we had a very broad audit objective, we would issue audit reports at different stages. Rather than wait 2 months to publish a ten-page audit report at audit completion, we might issue five 1-page reports at different intervals to report on the work accomplished to that date (generally based on breaking a broad audit objective into a series of narrower objectives). We always issued a draft report to management before issuing a final report. Similar to the final report, we had an agreement with management that management would respond to a draft report within a certain number of days. With a draft report, we were looking for areas where management had questions, needed something clarified, or internal audit had missed the boat on something. At this point we were not looking for a decision on recommendations.
Satisfactory Performance
Is the audit report a depressing read of the auditee’s deficiencies? Standard 2410.A2 says that internal auditors are encouraged to acknowledge satisfactory performance in an audit report. Internal audit should look for ways to make positive statements about the audited area. When we used letter grades to rate branches, satisfactory performance was obvious when a branch scored an “A”. Also, we would comment if a grade was an improvement over a previous audit. Perhaps our general conclusion “Internal controls are operating effectively” was a lukewarm acknowledgement of performance, as the conclusion was almost always followed by the “however, internal audit observed some issues …” PA 2410-1 says internal audit should be fair and provide perspective and balance in the audit report. Hopefully, nothing is ALL bad.
Disclosure
Many people may be privy to audit report information, and perhaps not all report recipients should have the same level of information. PA 2410-1 says that if there is privileged or proprietary information, or the information is related to improper or illegal acts, this information can be disclosed in a separate report. I cannot recall a situation where I had to prepare a separate report. However, taking into consideration all the possible report recipients, we very carefully worded our audit reports. We took great pains with every word, and we never used names in an audit report, only position titles. Standard 2440 talks about disseminating audit reports, which I’ll discuss in another article. However, PA 2410-1 says that if the conditions being reported involve senior management, the audit report should be distributed to the board of directors. Also, PA 2410-1 says summary reports may be issued to higher levels of management. Perhaps the CEO does not need or want the level of detail that internal audit provides to a manager or VP. We did not issue a summary report. However, that is why the first sentence in our audit report narrative was the conclusion that answered the audit objective question. The CEO didn’t need to go any further into the audit report than the first sentence if he did not need to know the details. Audit reports might be released to outside parties. In this case, Standard 2410.A3 says the audit report should impose a limitation on outside parties’ use and distribution of the report and its information. Our audit reports were subject to review by the external audit firm and NCUA, but we did not have this disclaimer. If necessary, your legal counsel should be able to help you with a simple statement to include in the report (or is legal counsel and simple statement an oxymoron?).
Signed Reports
PA 2410-1 says that the authorized internal auditor should sign final audit reports, either manually or electronically. We did not sign audit reports, and I am not sure of the purpose of this practice. However, the PA states that the chief audit executive determines which internal auditor is authorized to sign the report. We were only a two-person department, so perhaps the advice did not apply to us. My staff auditor wrote the drafts and I edited until I was comfortable with the final report, and authorized the report issuance. The PA says that if reports are distributed electronically, internal audit retains a signed version on file. We were pretty much paperless; my goal was to rid internal audit of file cabinets. I would not have kept a piece of paper because it had a signature on it. However, the PA was issued in 2009, and subsequent versions may update this.
About the Author Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ member spotlight }
Jason Alexander
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
In this issue I’d like to point the spotlight on Jason Alexander, Region 6 Director, community financial advisor, and loyal “da Bears” fan.
Jason, I’m really excited about this Spotlight because it gives me an opportunity to get to know my own new Regional Director. Please start by sharing a little bit about yourself and your credit union.
I am currently Director of Internal Audit at LGE Community Credit Union in Marietta, Georgia (Metro-Atlanta). I lead a staff of two and manage the daily operations and external audit activities. I love what I do. I believe you have to have a passion for what you do, and if you do, it is a great fulfillment. Working in the credit union movement does make it easier to love what you do.
What about after hours? What do you do in your spare time?
My passion for the credit union industry has led me to develop a hobby of teaching others about financial wellness. I currently spend my free time volunteering in my community and for the credit union by teaching practical ways for people to take control of their finances and become good stewards of this valuable resource.
So tell us about the path that led you to your internal audit career.
I have a Master of Business Administration with a concentration in Accounting. I have now been in auditing for 12 years. I began my audit career as a staff auditor at a CPA firm that specialized in auditing credit unions. How did I get there? I have always enjoyed math, and one day in high school I was considering my future career and there happened to be a career matrix in one of my classrooms that identified potential career fields. I noticed math and accounting were most directly related, so I took a class in accounting as an elective and fell in love with it. The concepts came naturally to me. I carried that interest into college (with aspiration from reading textbooks) to leverage my accounting skills to acquire senior management and executive-level positions.
FUN FACTS ABOUT JASON
Favorite sports team: Chicago Bears
Favorite food: Pizza
Psychological disorder: What’s that??? (Laughing)
During my college years, I interned at various places where I worked in Accounts Payables, Accounts Receivable, invoice processing, inventory, financial reporting and internal auditing. I noticed I enjoyed auditing the best. I figured all auditors were CPAs and that I must therefore work for a CPA firm. I did not realize the role and impact of internal auditing until a fellow co-worker told me that being an internal auditor provides insight into every aspect of a company and was a good way to reach senior management and executive-level positions. This lined directly with my ambitions and I haven’t left this part of the industry since. To my surprise, the credit union industry became my niche. I fully believe in the cause; I bleed the motto of people helping people.
I suspect your passion for the job has led you to continually enhance your education and effectiveness. What professional certifications do you hold, and how have they enriched your career?
I am a Certified Internal Controls Auditor and recently became a Certified Internal Auditor (CIA). The latter credential has revealed the greatest impact. The CIA definitely gives one a higher degree of confidence and assurance, and to others as well. The greatest impact the CIA designation has had is not the prestige or validity it brings, but rather the process, which taught and instilled in me and my family valuable qualities and skills. I appreciate the journey.
A lot changes in a 12-year career. What do you know now that you wish you would have known coming into the industry?
While on the external audit side I dealt with management “push back” but only to a limited degree. When I transitioned to an internal auditor I experienced this more frequently and at a different degree. I think it is attributable to our close proximity, but I wish I could have been more prepared; though I don’t think there is any preparation for fine tuning one’s soft skills - only experience does that.
What is the most useful tool in your audit toolbox?
The most useful tools are humbleness, patience, and communication. I noticed that if I am humble, patient, and communicate consistently, contention stays down, and as a result, process efficiencies come, value is added to both sides, and audit reporting is streamlined. I apply these tools in the form of entrance and exit meetings (i.e. in person or emails) and status updates throughout the process.
Like I said, a lot changes during a 12-year career. Give us some insight into how our industry has changed during this time.
Over my career, audits have definitely become more risk-based, but as the control environments mature I have seen audits go from box checking for regulation compliance to assurance reviews of the effectiveness and efficiency of control design. These types of audits push the status quo beyond the low benchmarks of regulator standards to help the entity achieve its objectives in the most efficient and effective way. However, this shift does come with resistance; it can be seen as more subjective because there is not a standard to benchmark.
What advice would you give to a new auditor just entering the field?
Take on the spirit of a teacher. Develop thick skin. Know the standards.
Let’s switch gears to ACUIA. How long have you been a member?
3 years.
What benefits do you find most rewarding?
The opportunity to collaborate with peers and use them as a sounding board.
What ACUIA volunteer opportunities have you embraced and how has that enhanced your membership?
Chapter Coordinator, Regional Director, and helping in any way needed. Volunteering has helped me develop relationships where I learn from others, sharpen my skills and have the opportunity to vent to a colleague every now and then.
www.acuia.org | THE AUDIT REPORT | 25
{ regional news }

REGION 1
Director: Julie Wilson, Director Internal Audit, iQ CU, 360.992.4233, juliew@iqcu.com
No news for Region 1. Please contact Julie with questions.

REGION 2
Director: Tara Tocco, Internal Audit Manager, Hughes Federal Credit Union, 520-205-5744, TTocco@hughesfcu.org
The Arizona Chapter had a luncheon on February 19th and the Utah Chapter had its meeting on February 12th. The Arizona chapter voted Jason Garlutzo from AZ State Credit Union as the Chapter Coordinator. Thanks Jason for volunteering! Thanks to Brian Williams, Assistant Attorney General in the Utah Attorney General’s Office, and Tyson Downey, investigator for the Utah Attorney General’s Office, for speaking at the Utah Chapter Meeting. Everyone enjoyed their session entitled Investigating and Litigating Financial and White Collar Crimes in Utah. And last but definitely not least, thanks to Cyprus Credit Union for providing the meeting facilities. We tentatively have the Region 2 Annual Meeting scheduled for Nov 3rd and 4th in Phoenix. More to come on this.

REGION 3
Director: Greg A. Czyzewski, CPA, CIA, AVP Internal Audit, Teachers Credit Union, 574.284.6451, gczyz@tcunet.com
No news for Region 3. Please contact Greg with questions.

REGION 4
Director: Patrick McCollough, CIA, CISA, CRMA, AVP/Director of Internal Audit, Arkansas Federal Credit Union, 501.533.2275, pmccollough@AFCU.org
No news for Region 4. Please contact Patrick for information.

REGION 5
Director: Michael P. Moreau, CIA, CFE, CFSA, Manager Credit Union Services, Macpage LLC, mpn@macpage.com
No news for Region 5. Please contact Mike with questions.

REGION 6
Director: Jason Alexander, MBA, CICA, Director of Internal Audit, LGE Community Credit Union, 770-421-2579, jasona@LGEccu.org
A Florida Chapter of the ACUIA has been formed and our first meeting was held on Tuesday, March 8th, at Fairwinds Credit Union in Orlando. Thanks to our speakers, Jim Krieser and Jack Greenberg from CliftonLarsonAllen, who spoke on Cyber Security and IT Fraud.
{ region directors }

REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: Greg Czyzewski, CPA, CIA, gczyz@tcunet.com
REGION 4: Patrick McCollough, pmccollough@AFCU.org
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, mpn@macpage.com
REGION 6: Jason Alexander, jasona@lgeccu.org
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Jason Garlutzo, Jason.Garlutzo@azstcu.org
CALIFORNIA CHAPTER
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com
HAWAII CHAPTER: Nikki Ige, Nige@kcfcu.org

REGION 3
INDIANA CHAPTER: Jeff Watson, jwatson@iucu.org
MINNESOTA CHAPTER: Ashley Shrode, Ashley.Shrode@thrivent.com
MICHIGAN CHAPTER: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
WISCONSIN CHAPTER: Karla Hodgkins, khodgkin@Covantagecu.org

REGION 4
NORTH TEXAS CHAPTER: Kimberly Wiersema, kawiersema@hotmail.com
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6
GEORGIA CHAPTER: Jason Alexander, jasona@lgeccu.org
FLORIDA CHAPTER: Lourdes Camacho, lourdesc@sccu.com
NORTH CAROLINA CHAPTER: VOLUNTEER NEEDED!
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org
{ acuia select }

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.

ACUIA Select sponsors (Platinum, Gold, Silver and Bronze) featured on this page: Orth, Chakler, Murnane and Company, CPAs (ocmcpa.com); Credit Review Services; CU Accelerator; Wojeski Certified Public Accountants; PBMares (www.pbmares.com); Doeren Mayhew (doeren.com).