Volume 25, Issue 2, 2016
The Magazine of the Association of Credit Union Internal Auditors, Inc.
NEW EXPECTATIONS: THE ROLES ARE CHANGING FOR INTERNAL AUDITORS
EMPLOYEE BENEFITS: A NEW EMPHASIS ON AUDITS OF BENEFIT PLANS
LESSON FROM THE CRASH: A SURPRISING TAKE-AWAY FROM EVENTS OF 1929
READY FOR YOUR CLOSE-UP? HOW WILL YOUR CREDIT UNION HOLD UP TO SCRUTINY UNDER THE BSA?
CONTENTS

FEATURES
Bank Secrecy: The Big Picture
ERM considerations and current 2016 BSA focus on issues real and imagined
Todd Sherpy
New Expectations
From auditor to trusted advisor – traditional internal audit roles are taking a backseat when it comes to providing credit unions with relevant insights and valuable advice.
Kian Moshirzadeh, CPA
Employee Benefits
The Department of Labor communicates the importance of audit quality
David Leising
A Lesson from the Crash of 1929
Exposing “the most interesting crime”
Pat Richey

DEPARTMENTS
From the Editor
How Do You Use Your Power?
Tabitha Ernst-Chadwick
Chairman’s Message
Ahead of the Curve
John Gallagher
The Standards
Communicating Results, Part III
Pat Richey
Member Spotlight
Jason Garlutzo
Tabitha Ernst-Chadwick
Regional News
Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.
Executive Editor: Tabitha Ernst-Chadwick
Designer: Victoria Valentine
Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases.
Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284
© Copyright 2016, ACUIA. All rights reserved.
From the Editor
How Do You Use Your Power?
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

I live in a state that is the subject of much debate and controversy due to a bold new law. A few superstars who are particularly offended by the rule decided to flex their famous muscles, reach into their deep pockets, and make their own bold statement by cancelling all venues in the offending state.

The result? Well, I can’t say for sure, but my guess is that the governor didn’t lose much sleep over a couple of politically charged rock bands from the 80s and 90s (though who knows? He could be the president of both fan clubs). If Facebook can be believed – which it can because everything on Facebook is obviously true – the tangible result was A LOT of very disappointed fans, many of whom lost money despite the ticket refunds (hotel reservations, airline tickets, car rentals…). This particular result is of no concern to the superstars, though, because their desire was to make a point to the politicians, fans be damXXd.

No matter which side of the infamous Bathroom Bill gets your sympathy, the trend is a bit disconcerting – people who perceive themselves as influential doing everything in their power to make their opinions your opinions. And the trend will continue, because what artists could possibly now perform in this offensive state, when their colleagues have taken such valiant stands against injustice?

So I was not fortunate enough to have tickets for either of the shows, but if 6-year-old soccer games were held on any day but Wednesday I would have been an addition to the angry mob of disappointed fans. I was outraged nonetheless, because I have fellow die-hard fans who don’t have Wednesday night soccer obligations, who did have tickets, and who were crushed by the cancellation. My outrage led to reflection on how I felt about bands punishing fans for actions outside of their control, further leading me to reflection on customer service and treating people right, and finally to reflection on how this could relate to internal audit and risk management. Oh yeah – that’s right; in true nerd fashion I am turning a 90s alternative rock concert into an audit and risk lesson.

So here is the lesson. As auditors and risk managers, sometimes we are the ones in our organizations with those proverbial big muscles and deep pockets. We are the ones with the power to persuade. Most of the time, there is more than one way to achieve the desired result. And if your immediate reaction is to cancel the concert to try and force everyone to see it your way, you might be missing a better opportunity to actually reach out to your proverbial “fans” with a more effective message; and more often than not, once your audiences fully understand the issues, they probably have even better ideas about how to achieve those desired results. As the wise uncle of Spiderman once said, “with great power comes great responsibility.” So I ask you, how are you using your great power? Are you flexing those muscles to force your opinions to become their opinions? Are you making your auditees perform an extra 10 steps because that’s how you feel it must be done? Or are you using your superior intellect and experience for good? That is, are you teaching [about the risks], sharing [ideas and knowledge], and listening?
2016 BOARD OF DIRECTORS

Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2014–2016
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2015–2017
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2015–2017
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dswenson2@wingsfinancial.com, Term 2015–2018
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018
Director: Doug Wright, CPA, CFE, CUCE, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2015–2016
Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com

ACUIA EXECUTIVE OFFICE
1727 King Street Suite 300, Alexandria, VA 22314
(703) 688-2284
acuia@acuia.org
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
Chairman’s Message
Ahead of the Curve
John Gallagher

I recently read an article regarding today’s internal auditor which somewhat left me perplexed, confused, and upon first read a bit angered. I pondered over the concepts of the article for a considerable period of time and while I can now say there are some merits to what the article is saying, I can’t agree with what appears to label every internal auditor as being similar in process or simply standing idle as the world around him changes.

Sure, we all know that in today’s environment there is increased focus of the different risks and our challenge is to ensure we assess those areas which pose the higher risk. Isn’t that why our audit plans are considered “risk-based?” To assume that our environment is not changing or that we as internal auditors are simply sitting idle seems short-sighted. Now while I agree with the sentiment that the perception of a “traditional” internal auditor does not provide the appropriate value-add that management wants within today’s environment, it is difficult to comprehend the thought that some believe that we have not changed, matured, or altered our approaches.

We, especially those of us within ACUIA, have long realized that being involved with management, the Board, and the credit union’s strategic vision is necessary for today’s internal auditor. Therefore, I would consider credit union internal auditors to be ahead of the curve compared to our counterparts in other industries. Our working relationships with individuals at all levels throughout the credit union is a proven and effective manner to bring value to the internal audit.

I must say that the particular article I am referencing has a slight technology theme to it and takes the position that where internal auditors are lagging is in the area of their limited use and knowledge around “big data.” As mentioned earlier this comment seems a bit short-sighted in that it assumes every auditor must become experts in data analytics. While data analysis is a relevant and important tool for management with regards to measuring metrics, KPIs, and financial results, I can’t see how that alone minimizes the role of the auditor. There certainly are instances where we (internal auditors) have found that the data produced by these so-called business analytic leaders isn’t even accurate and not representative of what was intended. Therefore, without us internal auditors, that information could be used by management to make incorrect decisions. That alone supports our value!

Another point raised in this article was the statement that internal auditors simply are not valued as trusted advisors to management on matters of risks. Now I don’t know about you but within the credit union industry this blanket statement does not hold water. Just think about how many of us have been producing risk-based audit plans for more than a decade (if not longer); we’ve been directly involved with implementation of enterprise risk management practices, conducted numerous risk assessments, served on ERM committees, and even earned CUERME designations. If these are not indicators that we know risk, then I don’t know what is.

Long story short, I am proud to serve as Board Chair of ACUIA and lead a group of individuals who understand their role as internal auditors, provide the value that management is seeking, and who – because of our dedication to the profession – will never be considered obsolete.

Here’s to 25 More

Hard to believe another year has passed and we are already well into 2016. On the bright side the year looks to have gotten off to a positive start for ACUIA with many projects and initiatives underway.

So what is shaping up for 2016? First and foremost is our signature event, the 26th annual conference, which will be held in Reno, Nevada on June 21st – June 24th. The conference committee has been hard at work over the past months and hopefully by the time you are reading this the conference agenda will have already been published and you have completed your registration. We anticipate another great conference with plenty of networking opportunities, knowledgeable presenters and valuable educational sessions. In fact many sessions this year will be presented using an interactive format (hands-on computer training, case study, panel/roundtable discussions) rather than the traditional lecture style. The “one-day” sessions held on Tuesday are also being changed from a full day/one topic format to half-day multi-topic presentations. This will allow for some flexibility in the scheduling and for some sessions to be repeated. This will afford attendees the opportunity to maximize their desire to attend multiple sessions which appeal to them. We believe this will result in a much more enjoyable conference for all attendees. Lastly, we are looking to go paperless this year and hope to implement the use of interactive software which will allow attendees to access the agenda, session presentations, events calendar, and also a “social media” page specific to conference attendees. So I hope you will all plan to join us in Reno!

Financially speaking ACUIA had a very successful year in 2015 and as such is well positioned to continue its offering of periodic webinars at no cost to our existing members. We will also be evaluating enhancements to our website and especially the Forum page. Other various product and service offerings are also under review. Our membership numbers continue to remain strong. As of this writing the renewal figures remain in line with that of past years, and we have expectations for growth overall.

As you may recall (and it’s okay if you don’t!), in my first Chairman’s message last year I mentioned that the Board was evaluating the potential development of a Credit Union Internal Auditor Certification Program. While the details have not been finalized I am proud to announce that this Program has been approved and is currently being developed under a joint partnership with CUNA. The first Certification Program offering is scheduled to be held in October 2016. Stay tuned for specific announcements and details.

I again look forward to addressing the challenges which lie ahead in 2016 with the assistance, input, and cooperation of all board members, regional directors, chapter coordinators, committee volunteers, and you! Together let’s make ACUIA the best it can be!

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.
KEYNOTE SPEAKERS
David Hume Kennerly, Pulitzer Prize Winning White House Photographer
Robert Fenner, Former General Counsel, NCUA
Todd Newton, Emmy Award Winning TV Host and Entertainer
Tom Glatt, CEO, St. Paul Federal Credit Union
Diane Dykstra, President CEO, CA & NV CU League
Ann Butera, President, Whole Person Project Inc.
BANK SECRECY: THE BIG PICTURE
ERM Considerations and Current 2016 BSA Focus on Issues Real and Imagined
TODD SHERPY

In our work with Credit Unions in 33 states we are exposed to a great deal of information as to many topics. A topic we pay close attention to is that of current examination standards and concerns so we can prepare or advise our Credit Unions on how best to prepare for their turn under the microscope. We also try to steer clients in the right direction on other issues where we see real exposure, whether examiners are looking or not. Here we often apply OCC, FDIC and other direct Treasury standards (often overlooked or not understood by NCUA or State Examiners). We also seek to employ a practical approach (i.e., we do not wish to give silly and time-consuming tasks to a client unless there are real results associated with the task). Nonetheless, some degree of silliness is required from time to time simply to keep your examiners happy. Thus, with this premise in mind let’s assess the top considerations for 2016 in the area of BSA compliance together with issues to consider that may be overlooked by your examiners, but which are important to real safety in the BSA/OFAC realm.

Some may read this first paragraph and ask “why OCC, FDIC or Treasury Standards? We’re Credit Unions.” Geez … after 30 years working with Credit Unions you’d think I’d have caught that. The thing is – I have. Since the issues of BSA/OFAC requirements are nearly identical for banks and Credit Unions, I choose to use the most competent guidance I can lay my hands on. Also, I find NCUA to be generally reactive versus proactive. Thus, what these other regulators have been doing gives insight as to what NCUA may do in future. By the way: I am not seeking to be unduly critical of NCUA. They simply have neither the resources of these other groups, nor the experience with complex accounts (commercial accounts).

First – Enterprise Risk Management (ERM) Considerations:

Before we get to specifics let us also consider ERM; and how top compliance considerations such as Bank Secrecy Act compliance fit into ERM Assessment. As some of you know – ERM has been mandatory on the banking side for over a decade. In 2005 the Federal Reserve Board (speaking for themselves, OCC, and FDIC) explained that in their examinations, the banking agencies are focused on the establishment and implementation of robust policies and procedures for complying with the BSA. The agencies do not have, and have not had, a zero-tolerance policy. FRB wrote that they believe that institutions should exercise sound judgment in filing SARs, and recognize that it is not always possible, in advance, to identify suspicious activities--the standard for filing a SAR. A policy that encourages the filing of SARs for every occasion and without exercising any judgment will, in FRB’s view, only dilute the usefulness of SARs to law enforcement and burden banking institutions unnecessarily.

Query: How many of you have had NCUA tell you lately you are not filing enough SARs? Not only contrary to the FFIEC BSA / AML Manual but also contrary to this directive from Scott G. Alvarez, General Counsel for the Federal Reserve Board. Perhaps share this with your next field examiner who says silly things such as this.

Mr. Alvarez explained this in context as follows:

The key concern for bankers, though, should not be whether or not a single SAR has been missed. The key here is adequate risk management. While it may appear that this is an issue of filing SARs, the failure to file SARs is only a symptom. The real disease here is the witting, or sometimes unwitting involvement of banks in criminal or fraudulent activity. The first line of defense against that type of activity is a robust risk management system that helps management identify the potential for the bank to be involved in the commission of fraud or other undesirable activity. It is not the timeliness of a SAR filing that attracts bank examiners or criminal law enforcement. It is some other more troubling activity, such as failure to have a credible AML policy, or participation, either witting or unwitting, in a fraud on customers, or participation in money laundering activities, or a history of accounts with terrorists or criminals or politically risky individuals. The failure to file a SAR becomes a more convenient and lesser charge for criminal law enforcement to use as a way to end a criminal investigation that may have greater consequences for the bank than failure to file a SAR. We will continue our efforts to help the industry to find best practices for identifying money-laundering and fraud. And, as I mentioned, continue to work with law enforcement to ensure that the real focus of all of us is on identifying and prosecuting those who commit fraud, launder money illegally or finance terrorists – the real purpose of the BSA.1

If you have adequate risk management, which is what the true focus should be and not “micro-regulation” based on a single issue (which may or may not be a real concern), then the chances for any substantive concerns are de minimis.

Query: How many of you would pay money to have examination with a practical application such as this? I am just saying ….

Thus, as a topic for another day, but in summation of this thought, I believe you will need to consider as part of ERM the need to transform the role of compliance from that of an adviser to one that puts more emphasis on active risk management and monitoring. In practice it means expanding beyond offering advice on statutory rules, regulations, and laws and becoming an active co-owner of risks to provide an independent oversight of the control framework. This approach will help avoid the micro-regulatory approach (i.e., not do it like NCUA, but like the other regulators noted. Please consider this per the FinCEN Advisory in footnote 7). Now let’s turn our attention to current concerns.

Current Concerns:

We cannot put all our eggs into the ERM concepts noted; and must deal with the here and now of the regulator to which we currently answer. Here we start with two considerations: (1) a mess in NCUA’s back yard; and (2) the specific statements on Money Service Businesses (MSBs) for 2016.

1 Remarks of Scott G. Alvarez, General Counsel, Board of Governors of the Federal Reserve System at the Second Annual Minnesota CLE Banking Law Institute, Minneapolis, Minnesota March 7, 2005
As many of you know, in November 2014 CFPB assessed a $300,000 CMP against a small Credit Union in Florida with only 5 employees where there was a complete BSA breakdown. Akin to the corporates, NCUA had been in many times; gave the thumbs up that all was well ... and – well … egg all over the face again. Thus, we are dealing now with reactive regulation.2 The one finding FinCEN did not make was that there had been inadequate regulation in this case.

The next issue to consider is the NCUA 2016 Supervisory Letter advising of their focus on MSBs. I’ll not regurgitate the NCUA’s statements here, but refer you to the letter.3 I will add to the Letter though by referring to the FinCEN site addressing obligations and tools for MSBs; and for assessing MSBs.4 I also encourage you to assess the recent focus on MSBs and their agents; and to consider that guidance in relation to your own assessments and processes.5 Also, I encourage you to reassess procedures in this area as well as the documentation of your assessment of applicable MSB considerations. Remember, when regulators are being reactive … they are as crazy as a sprayed roach. So the more you do - the better.

After this, the primary focus for NCUA currently, the assessment issues are pretty much all over the board. Here are the issues we are either hearing about or seeing via our own BSA Assessments:

■ Out of date procedures: This generally encompasses procedures that have missed some important FinCEN issuance. For example, not addressing elder abuse.6
■ Not having truly independent assessments that test – that is truly test your program results via independent means, which may exacerbate any issues over a long period of time. Example: CPA assesses solely based on your data with no independent alternate system verifications of hard check vis-à-vis the three primary lists.
■ Not having proper procedures (risk-based) or documentation to address/show ODFI, IAT and wire transactions.
■ Annual independent assessments not assessing FinCEN Advisory on Promoting a Culture of Compliance.7 This is a post-MoneyGram issue; and quite frankly you’d be nuts not to ensure this is both covered and assessed.

As noted, there are many other “little issues” and a great deal of variance on examination findings (often with nit-picky issues that are really not a big deal – well not in reality, but often find their way into a DOR). We just have to deal with these considerations as they arise.

Future Note: I suggest also considering FinCEN’s proposed rules on assessment of beneficial ownership of entities; and how that may impact your CDD assessments and monitoring obligations. A good summary of the proposed rules can be found via the Harvard Law School’s website.8 I am always listening and tracking these types of issues; and would love any further input now or as the years progress as they help us all prepare and do better in the realm of compliance generally.

2 Notably, the credit union had only five employees and $4 million in assets. However, the credit union contracted with a third party vendor and MSB to provide services and subaccounts to 56 MSBs during the period 2009 to 2014. The 56 MSBs were not members of the credit union, were located in high-risk jurisdictions, and produced over $1 billion in transaction volume through outgoing wire transfers. During the period, the credit union failed to implement an adequate BSA compliance program and, instead, relied on the third-party vendor to conduct its required due diligence on MSBs. FinCEN cited the credit union’s deficient BSA compliance program—inadequate internal controls, lack of independent testing, insufficient training, failure to designate an appropriate BSA compliance officer, and systemic reporting failures—as exposing the U.S. financial system to significant risks of money laundering and terrorist financing.
3 https://www.ncua.gov/regulationsupervision/pages/policy-compliance/communications/letters-to-creditunions/2016/01.aspx
4 https://www.fincen.gov/financial_institutions/msb/guidance.html
5 https://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2016-G001.pdf
6 https://www.fincen.gov/statutes_regs/guidance/html/fin-2011-a003.html
7 https://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A007.pdf
8 https://corpgov.law.harvard.edu/2016/02/07/fincen-know-yourcustomer-requirements/

About the Author
Todd Sherpy is a founding partner in the law firm of Sherpy & Jones, P.A. with offices in South Carolina and Georgia; and is entering his 30th year of practice in the Credit Union compliance arena. The firm is dedicated to serving all legal needs of Credit Unions; and provides day-to-day compliance, compliance auditing, training and consulting services to Credit Unions throughout the United States. Todd dedicates a large portion of his time to teaching Credit Unions, having made presentations in 46 States and has been participating as an instructor through many CUNA, League, and Credit Union Trade and Vendor programs. Todd has also authored numerous CUNA and other publications ranging from compliance resources to volunteer training programs. Todd also serves on the Credit Union Sub-committee of the American Bar Association. Todd is married to the Executive Officer at a Large Georgia Credit Union and has two daughters, Caroline and Catherine -- having lost Catherine after a two year battle with cancer in 2013. He adores both his daughters; and now dedicates all funds from speaking & education to the fight against cancer and will accept no compensation personally. If ever Todd can help your Credit Union in regards to any Staff, Board or other training he will work with you in order to raise cancer awareness and donations to fight back against the disease that took from him what he holds as most precious.
NEW EXPECTATIONS
From auditor to trusted advisor – traditional internal audit roles are taking a backseat when it comes to providing credit unions with relevant insights and valuable advice.
KIAN MOSHIRZADEH, CPA

To remain relevant, the expectations of internal audit must evolve as credit unions evolve. A new view of risk management is prompting a shift in the role of internal audit in many financial institutions. New demands from the board, senior management team and regulators are requiring internal auditors to refocus their efforts beyond their traditional roles.
Instead of looking at the organization in hindsight, internal audit will need to shift its focus to oncoming challenges and opportunities as well. To meet these new requirements internal auditors must:
■ Develop skill sets to meet their new role as an advisor to management
■ Participate in strategy development and planning
■ Understand integrated versus siloed risk management
In this environment, leaders recognize the need for internal audit to play a larger role—one that expands on its historic focus on controls to include activities related to performance. Internal audit has an objectivity, perspective, and approach that can bring value in ways it had not in the past.
One of the new challenges internal audit departments face in the context of their evolving role and responsibilities is helping management implement strategies successfully. New competitors, technologies, and financial instruments; changing cost structures and regulations; increasingly integrated economies; and other developments are creating new risks and opportunities for credit unions. These elements of the credit union’s operations are areas where internal audit can influence management as an independent adviser, supporting management’s goals, monitoring risk, and enhancing regulatory compliance efforts.
Internal audit has new opportunities to both expand its traditional activities in value preservation and leverage its skills in new ways to support value creation. Internal audit personnel can bring their core skills of risk and control analysis to other areas.
Managing Risk
Throughout the banking industry, leaders are focused on managing risk enterprise-wide. Their agendas have the support of their boards as well as their regulators. The Institute of Internal Auditors notes that internal audit’s core role with regard to ERM is “to provide objective assurance to the board on the effectiveness of an organization’s ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively.” In addition, internal audit should evaluate activities such as:
■ Risk identification and prioritization
■ Alignment of people, processes, and systems with business strategy
■ Definition of key performance indicators
■ Analysis and quantification of risk factors in new services and strategies
■ Understanding of shared risks among various projects and initiatives
Internal audit’s discipline, knowledge of the organization’s key risks, enterprise-wide view, and familiarity with the control environment enable it to bring an important perspective and value to these efforts. This set of qualifications is unique, and one that no other group within the credit union will typically possess.
Developing a Single View of Risk
Along with efforts to manage risk, some credit unions struggle with overlapping and often burdensome compliance requirements. The tendency has been to employ multiple approaches to risk identification, measurement, and monitoring, depending on the purpose of the effort or the perspective of the department involved (e.g., compliance, internal audit, operations). Each department has its own views of risk and how to measure it. For example:
Accounting – Financial statement risks
Compliance – Reputation and regulatory risks
Internal Audit – Process and control risks
Operations – Market, credit, and other operational risks
To address this issue, organizations are moving away from a “siloed” approach to a more consolidated risk assessment, management, and monitoring perspective. This effort involves formulating, at the board level, a “single view” of what organizational risk is and how it can be measured and rated. The single view of risk focus and identification, measurement, and monitoring allows senior management to identify and “slice” top risks that face the organization as a whole. Internal audit can support the business with development of related metrics.
In many cases, organizations are looking to internal audit to help refine risk management processes and help leverage newly gathered information about organizational risks. Internal audit is particularly suited to assist in a number of areas, including: risk identification, the application of quantitative and qualitative analysis, control design and effectiveness evaluation, continuous monitoring and auditing techniques, and regulatory compliance. These core competencies coupled with regular contact with the external auditor make internal audit well-suited to assess and interpret changes.
Corporate Culture
Internal audit can help support and monitor important efforts to enhance “tone at the top” and strengthen corporate culture. It can play an important role in areas such as:
Compliance/ethics hotline. Effective risk management is dependent on leaders being aware of all risks, and information about potential ethics violations is critical. Management needs to communicate its support of its own hotlines to ensure they are used when needed and then seriously field communicated concerns. Internal audit can help ensure effective monitoring and follow-up on raised issues and concerns. Internal audit also can make a difference in the transparency of the process and help monitor the effectiveness of relevant employee communications.
Promotion and development of fraud awareness at all levels. From the application of policies and procedures to the identification of waste, corruption, and mismanagement, internal audit can be invaluable in training credit union staff on the importance of ethical behavior and the required code of conduct.
New business lines. Internal audit can identify whether management has the necessary skill sets to operate effectively in newly identified business areas. New efforts should include internal audit’s review of business and integration plans and objectives, as well as the roll-out of training programs. Internal audit would also consider support systems for new business lines and, specifically, whether senior management has performed appropriate due diligence, research, or risk analysis of the viability of new initiatives.
Developing Internal Audit’s New Skill Set
While internal audit was historically a training ground for developing corporate executives from various operations departments, recent compliance efforts have caused many internal audit departments to become heavily finance-focused, both in perspective and skill base. The shift requires a change in audit focus and a corresponding requirement for internal audit departments to acquire new skills through training. Some of the skills that would benefit internal audit in its transition include:
■ Industry knowledge and functional expertise
■ Improved interpersonal skills for effective communication at multiple levels
■ Evaluation of effectiveness
■ Fraud detection and prevention skills
■ Automation of internal control environment
■ Certifications such as CFE, CIA, CFSA, CISA, to augment internal audit staff capabilities
Conclusion
The responsibilities of internal audit are expanding, and the required skill sets are changing. Board members and executive management can leverage internal audit’s capabilities in ongoing analysis to help provide assurance that the credit union’s objectives and strategic goals are achieved. Beyond that, executive leadership looks to the internal auditor as a business advisor that offers valuable suggestions to maximize efficiencies and manage risk. To fulfill this expectation, internal auditors will need to update their skill sets and, in many cases, shift the way they operate. Using ERM and better employing risk management will provide them with more resources to act as an advisor to executive leadership. Internal audit can look beyond compliance to helping the credit union improve overall business performance.
About the Author
Kian Moshirzadeh, CPA
Kian Moshirzadeh has been in banking since 1988 and joined TWHC in 1993 where he started his career as a credit union auditor. Since that time, he has worked with hundreds of credit unions helping them with audits and consulting engagements. Today, Moshirzadeh is the managing partner of TWHC and continues to work with credit unions and financial institutions exclusively.
EMPLOYEE BENEFITS
The Department of Labor Communicates the Importance of Audit Quality
DAVID L. LEISING, CPA
Over the last year, the chief accountant of the U.S. Department of Labor (DOL) has begun a communication campaign to individual plan administrators alerting them to the importance of obtaining a quality employee benefit plan audit from a qualified and experienced CPA firm.
Audit Quality Study Results
The communication distributed by the DOL highlights the results of its recent audit quality study, Assessing the Quality of Employee Benefit Plan Audits (https://www.dol.gov/ebsa/pdf/2014AuditReport.pdf), which was released in May 2015. Not surprisingly, the study results show a direct correlation between the size of a firm’s employee benefit audit practice and the quality of the employee benefit plan audit. The study found nearly 76 percent of the audits performed by firms that only perform one or two ERISA plan audits each year have major deficiencies. Firms that audit more than 100 plans were found to have significantly fewer deficiencies, demonstrating the importance of using a qualified CPA firm with knowledge and expertise in performing plan audits.
DOL Recommendations
The DOL identifies the following five key factors for plan sponsors to consider as they evaluate whether the CPA firm they have chosen to perform their plan’s audit “has the requisite knowledge of plan audit requirements and expertise to perform the audit in accordance with professional auditing standards:”
■ The number of employee benefit plans (EBP) the firm audits each year, including types of plans
■ The extent of specific annual training the firm’s CPAs received in auditing plans
■ The status of the firm’s license with the applicable state board of accountancy
■ Whether the firm has been the subject of any prior DOL findings or referrals, or has been referred to a state board of accountancy or the American Institute of CPAs (AICPA) for investigation
■ Whether or not the firm’s EBP audit work has recently been reviewed by another CPA firm—referred to as a peer review—and, if so, whether such review resulted in negative findings
The DOL continues to encourage plan administrators to review its brochure, “Selecting an Auditor for Your Employee Benefit Plan (https://www.dol.gov/ebsa/publications/selectinganauditor.html).” This brochure provides a road map for plan administrators to assess the qualifications of the firms they are considering to audit their EBP.
If you have any questions regarding the DOL’s communication, please contact a BKD EBP audit professional.
About the Author David L. Leising, CPA Partner, BKD Dave has more than 25 years of experience and assists in audit and consulting services for employee benefit plans. He has worked with benefit plans of all types, including retirement and welfare. He is the director of BKD’s employee benefit plan audit team and was appointed to the American Institute of CPAs (AICPA) Employee Benefit Plans Expert Panel. He also is the recruiting director for the Indianapolis office. He is a member of the AICPA and Indiana CPA Society and serves as BKD’s liaison to the AICPA Employee Benefit Plan Audit Quality Center.
A LESSON FROM THE CRASH OF 1929
Exposing “the Most Interesting Crime”
PAT RICHEY
I recently read the book “The Great Crash of 1929,” first published in 1955 by the renowned economist John Kenneth Galbraith. The book gets a resurgence of interest whenever there is a recession. My daughter had to read the book for a university American History course, and I thought it might be interesting to read. The ideas in this article are all Galbraith’s.
Overall the book was not interesting to me, because it is about the economy and the stock market, neither of which are interesting to me, and neither of which I know anything about. However, I liked the chapter “Aftermath” because Galbraith devotes a section to fraud, which is always interesting to me.
First, Galbraith starts the chapter by disproving the common perception that the suicide rate jumped significantly due to the crash. Then he starts the fraud discussion by saying “In many ways the effect of the crash on embezzlement was more significant than on suicide.” To Galbraith embezzlement is the most interesting crime because, unlike other forms of larceny, embezzlement takes place over weeks, months or years before its discovery. According to Galbraith “This is a period, incidentally, when the embezzler has his gain and the man1 who has been embezzled, oddly enough, feels no loss. There is a net increase in psychic wealth.” A win-win situation.
Galbraith says that in America there exists an inventory of undiscovered embezzlement. He calls this inventory “the bezzle”, which at any given time is in the millions of dollars, but varies in size with the business cycle. He says “In good times people are relaxed, trusting and money is plentiful” but there are still people who want more. Therefore embezzlement grows, and because people are relaxed and trusting, the rate of discovery falls off. The bezzle rapidly increases.
However, this cycle is reversed in a depression. People are no longer relaxed and trusting, but become suspicious and watch money very closely, including ordering comprehensive audits. Therefore, the bezzle shrinks. The person who handles the money is assumed to be guilty of dishonesty until he proves himself otherwise. Galbraith says that in a depression “commercial morality is enormously improved.”
Before the crash, the stock market was booming and created a huge bubble. This boom and subsequent crash created an exaggeration of the relationship between business cycle and embezzlement. According to Galbraith, during the boom, there was “the new and overwhelming requirement for funds to play the market or to meet margin calls. Money was exceptionally plentiful. People were also exceptionally trusting.” And the bezzle’s growth was exceptional.
The rate of fraud discovery after the crash was also exceptional. Immediately, widespread trust turned into widespread suspicion. Those comprehensive audits were ordered and people’s behavior was watched very carefully. Galbraith says “The collapse in stock market values made irredeemable the position of the employee who had embezzled to play the market. He confessed.” According to Galbraith, “after the first week or so of the crash, reports of defaulting employees were a daily occurrence. They were far more common than the suicides. Most of the embezzlers were small men who had taken a flier on the market and then became more deeply involved. Later they had more impressive companions.”
Galbraith describes the most outrageous embezzlement of the period – a $3.5 million embezzlement at the Union Industrial Bank in Flint, Michigan. About 12 bank officers started purloining funds, at first individually and unknown to each other. However, it ended with the officers colluding to further their crimes.
Galbraith ends the embezzlement discussion with “Should the American economy ever achieve permanent full employment and prosperity, firms should look well to their auditors. One of the uses of depression is the exposure of what auditors fail to find.”
1 In 1929 very few women were in business, or in 1954 when the book was written
About the Author
Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ the standards }
Pat Richey, Retired credit union internal auditor
Communicating Results, Part III Audit reports must be accurate, objective, clear, concise, constructive, complete, and timely.
This is the third part of a three-part series on communicating audit results. The importance of audit reports can be seen in the number of standards1 and practice advisories devoted to audit reports. Standard 2420 is in regard to the quality of communications. Of course, all communications from internal audit must be of the highest quality; but we are particularly concerned here with audit reports. Audit reports must be accurate, objective, clear, concise, constructive, complete, and timely. The Standard includes an interpretation of these terms and Practice Advisory (PA) 2420-1 gives general advice about the audit report quality.
1 International Standards for the Professional Practice of Internal Auditing
Accurate
Accurate audit reports do not have any mistakes and are true to the data supporting them. My mantra is “proof-read, proof-read, proof-read.” The internal auditor should check and re-check the audit report against audit workpapers. Although the internal auditor will check all facts and proof-read the audit report, it is most helpful to have a second pair of eyes look at the report. Our draft audit reports were always reviewed by a second person in the department before issuing the draft for management’s review. Management also had the opportunity to review the report for errors.
In order to have accurate audit reports, internal auditors must first diligently prepare workpapers, then take great care in workpaper evaluation, and precisely summarize the data. There is no point in taking pains writing an audit report if the underlying work is not accurate or wrong conclusions are wrung from the data. The audit report can be no better than the work that came before it.
Objective
Standards 1100, 1120, and 1130 are related to the credit union internal auditor’s general objectivity attribute. Standard 2420 is related to the objectivity of audit reports. The internal auditor must be objective in person before she can write an objective audit report. According to Standard 2420’s interpretation, objective audit reports are fair, impartial, and unbiased. The audit report is a reflection of the internal auditor’s objectivity. The internal auditor must make a balanced assessment of ALL the relevant facts and issues.
The audit report must not reflect partisanship. Consider the case where the internal auditor really likes a particular department manager; they play chess at lunch and their children go to the same school. The internal auditor performs that department’s audit objectively according to the audit program. However, the department’s audit results do not reflect kindly on the department manager. The internal auditor knows it, but finds it hard to put the results down on paper for management and other readers to know it too. Or perhaps there is a branch manager who doesn’t like the internal auditor, and makes things difficult for her. It rankles the internal auditor that the branch audit results reflect glowingly on the branch manager. In both situations the audit reports must be objective.
The audit report must not take personal interests into consideration. Perhaps there is a credit union product, service, or program from which the internal auditor has benefited, but an audit shows that the product or service is not profitable or just not a good fit for the credit union and should be discontinued. It may break the auditor’s heart, but the audit report must be objective.
The audit report must not reflect the undue influence of others. When I first started as a credit union staff auditor, the internal audit director would take draft audit reports to the CEO, who would make edits. The director would revise the report, and take it back to the CEO who made more edits. At some point in the endless round of edits, I would wonder “whose audit report is this?” I vowed that when I became an internal audit director I would write reports that would not be influenced (or written) by management. If the internal auditor has an accurate and objective audit report, he should stand his ground and not let others influence the report so it reads to their own liking or benefit.
Clear
Audit reports must be clear, which means the reports are easily understood by readers. The content should follow a logical path and provide all significant and relevant information. The auditor should anticipate questions that the reader might ask, and provide that information so the reader does not have to ask questions.
The writer should avoid technical language and audit jargon where possible. Credit unions are a sea of acronyms. If acronyms are used in audit reports, the auditor should always spell out the full name the first time the acronym is used, even if the auditor thinks that everyone knows what the acronym means.
Due to the amount of audit report writing, auditors should have excellent written communication skills. Written communication skills are as important as analytical skills. Most job opening announcements state the credit union is looking for auditors with good written communication skills. And guess what? Every applicant says that he has good written communication skills. However, how does the credit union know for sure? When I was in the process of hiring a staff auditor I would throw in the trash any resumé and cover letter with typos, poor grammar, etc. A resumé and cover letter should be an applicant’s best foot forward. If the applicant can’t get that right, then I would question her writing skills. Unfortunately, most resumés and cover letters did not pass my scrutiny and as a result, I would end up with very few applications. At on-site job interviews, I would provide the applicant with a laptop and ask the applicant to write an essay. How else would you know if an applicant had good writing skills?
Concise
If clarity means to provide all significant and relevant information, then concise means to NOT provide insignificant and irrelevant information. The auditor does not need to provide unnecessary elaboration or details, or say the same thing over and over. A concise audit report does not have any unnecessary words. Why say “at a later date,” when you can just say “later?” Why use polysyllabic words when one syllable works? My pet peeve is people who say “utilize” instead of “use.” The auditor should use the fewest words possible to convey ideas – like a bid in bridge, where you use two words to describe the thirteen cards in your hand. The auditor should review each sentence to ensure it is to the point and meaningful. To be concise, the auditor must take a close, critical look at wording.
Constructive
The audit report should be useful to the credit union stakeholders by indicating where the board of directors and management can make improvements toward attaining credit union objectives. It should be obvious that the auditor’s intent is to help the credit union be the best that it can be. An audit report that is not useful will point to an internal auditor that is not useful.
The content and tone should be as positive as possible. There is always some good news among the bad news. The auditor should give the good news first to set a positive tone, and then add that most useful of words – “however.”
Complete Complete Theaudit auditreport reportmust mustbebecomplete. complete. The However,that that does not the However, notmean meanthat that auditor throws in everything but the the auditor throws in everything kitchen Complete that but the sink. kitchen sink. means Complete the auditor has auditor not left has out not anymeans that the thing of importance readleft out anything to of the imporers, andtothe hasand included tance theauditor readers, the everything essential to supportauditor has included everying the essential auditor’s conclusions. thing to supporting the auditor’s conclusions. Timely Audit reports must be timely by Timely following fieldwork Auditthe reports mustasbeclosely timelyas possible. Our audit department had a by following the fieldwork as closeboard on department wall lywhite as possible. Ourthe audit department that detailed foron each the exhad a white board the audit department pected dates, wall thatfieldwork detailed for eachdraft auditreport the date, and final report date. It was the expected fieldwork dates, draft report bestand toolfinal for keeping the audit departdate, report date. It was the ment track. best toolonfor keeping the audit departmore significant the issues, mentThe on track. the more important it is to have timeThe more significant the issues, ly more audit important reports. Ifitan was parthe is audit to have timelarge, our department lyticularly audit reports. If an audit waswould parissue interim reports so that would the auticularly large, our department ditors could reports report on issue interim sothe thatwork the comaupleted, andreport credit union ditors could on themanagement work comwouldand notcredit have to waitmanagement until all work pleted, union was completed towait know the all results. would not have to until work was completed to know the results. 
Errors and Omissions Standard 2421 says that if a final Errors and Omissions audit report Standard 2421contained says thata ifsignificant a final errorreport or omission, the chief audit exaudit contained a significant ecutive (CAE) must corrected inerror or omission, thegive chief audit exformation to must all parties who received ecutive (CAE) give corrected inthe original report. The key formation to allaudit parties who received word is “significant.” The audit the original audit report. Thereport key should be re-issuedThe if audit the error word is “significant.” reportor omission make difference should be would re-issued if athe error orto the readers, ormake change a conclusion. omission would a difference to If the internal auditoraisconclusion. very meticthe readers, or change with audit workpapers and isIfulous the internal auditor is very meticsues with a draft auditworkpapers report, it is and unlikely ulous audit isthere would be areport, significant error or sues a draft audit it is unlikely omission. might hurt the error auditor’s there wouldItbe a significant or
pride to re-issue report, I think omission. It mightahurt the but auditor’s it shows integrity. pride to re-issue a report, but I think it shows integrity. Conformance with Audit Standards According towith Standard internal Conformance Audit2430, Standards According Standard 2430,report internal audit maytostate in the audit that audit the audit report that the may auditstate wasinconducted in conforthe auditwith wasthe conducted mance standardsin– conforbut only mance with the standards– butquality only if the results of internal audit’s if assurance the resultsand of internal audit’s program quality improvement assurance improvement program (QA&IP) and support that statement. This (QA&IP) support that statement. This is also stated in attribute Standard is1321 also which statedis in attribute Standard part of the Standard se1321 is part of the Standard ries which 1300-1322 about the QA&IPs.series 1300-1322 about the QA&IPs. It is not appropriate to discuss the QA&IP inappropriate this article,tobut the interIt is not discuss the pretation of Standard states that QA&IP in this article, 1321 but the interinternal of audit must conform with the pretation Standard 1321 states that Definition Internal Auditing, the internal auditofmust conform with the Code of Ethics and the Standards. Definition of Internal Auditing, the The results of the include the Code of Ethics andQA&IP the Standards. results of both external The results of theinternal QA&IP and include the assessments. Our department had results of both internal and external an external QA&IP, and we used the assessments. 
Our department had “This audit wasused conductanstatement external QA&IP, and we the ed in conformance with Internastatement “This audit wasthe conductStandards for thethe Professional edtional in conformance with InternaPractice of Internal Auditing” in our tional Standards for the Professional audit report template as a footnote Practice of Internal Auditing” in ourto the audit audit reportobjective. template as a footnote to the audit objective. Non-Conformance with Audit Standards Non-Conformance with Audit What should the internal auditor reStandards port should if the audit is not conducted What the internal auditor re-in conformance Definition, port if the auditwith is notthe conducted in Code, and the Standards? Standard conformance with the Definition, 2431 and says the thatStandards? the audit report must Code, Standard statesays the that principle or rule with must which 2431 the audit report full the conformance achieved, state principle orwas rulenot with which theconformance reason for the non-conformance, full was not achieved, and the impact non-conformance the reason for the of non-conformance, on the audit and audit report. For and impact ofthe non-conformance occurreport. if the audionexample, the auditthis andmight the audit For tor was not sufficientexample, thisindependent might occur or if the audilywas proficient, or the audit report was tor not independent or sufficienttimely. or the audit report was lynot proficient, not timely. Who Gets the Audit Report? Standard 2440 that the audit Who Gets the Auditsays Report? reports should to that appropriate parStandard 2440 go says the audit ties. Can I say go “duh” here? As opposed reports should to appropriate parto sending audit report to inapties. Can I saythe “duh” here? As opposed
to sending the audit report to inappropriate parties? The interpretation states that the CAE is responsible for reviewing and approving the final audit report before issuance, and for deciding to whom and how the report will be disseminated. When the CAE delegates these duties, the CAE retains overall responsibility. There are a myriad of techniques for the whom and how, and generally one is not more right than another.

PA 2440-1 says that internal audit should discuss conclusions and recommendations with appropriate levels of management before the CAE issues the final audit report. To avoid errors, omissions, and misunderstandings, it is important that internal audit discuss audit results with those persons who are most knowledgeable about policies and procedures. These persons should review draft audit reports, which also can help immensely with clarity.

Standard 2440.A1 states that the CAE should issue final audit reports to the persons who can ensure that the results are given due consideration. PA 2440-1 says final audit reports should be issued to management of the audited area and to those who have the authority to ensure agreed upon recommendations are acted upon. Higher levels of management can get summary reports, and reports may be disseminated to other interested parties such as the board of directors or external auditors.

Our internal audit department discussed conclusions and recommendations with branch or department managers during and after fieldwork, and these managers generally received a draft copy of the audit report. This level of management is most helpful in determining the most practical recommendations for improvement. Internal audit can come up with great recommendations on its own, only to determine later that the recommendations weren’t very practical.

Our audit department issued final audit reports by email to the VP in charge of the audited area, and included any VP with responsibility for implementing audit recommendations. For instance, a lending audit report would be addressed to the VP of Lending, but if recommendations needed to be implemented by MIS or operations, then the VP MIS or VP Operations would also be an addressee. The chief executive officer (CEO) was a cc: addressee and received the full report. The Supervisory Committee reviewed the audit reports before the next monthly Supervisory Committee meeting. The credit union’s external auditors requested copies of all final audit reports.
About the Author

Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ member spotlight }
Jason Garlutzo
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
Insert drum roll here! In this Issue we are introducing Jason Garlutzo - Arizona Chapter Coordinator, Rigatoni lover, and biking extraordinaire.
FUN FACTS ABOUT JASON
Favorite sports team: Phoenix Coyotes
Favorite food: Rigatoni (Grandma’s Recipe), Steak, anything with Sriracha
Favorite politician: Is this a trick question?

Jason, thanks for allowing me to interview you for this Issue’s Spotlight. Let’s start by learning a little bit about your “business self.”

I am currently Audit Supervisor at OneAZ Credit Union (formerly Arizona State CU) in Phoenix, Arizona. My team is responsible for the risk management, compliance, and audit of all aspects of operations within the organization. I am new to the credit union industry, but found it to be an easy transition from community banking, as the same focus is placed on member care as well as significant involvement in helping to improve the local communities in which we serve.

Sounds like your work life is pretty busy. What do you do when you aren’t auditing, risk-managing, and compliancing (I’m working on getting my newest made-up word to go “main-stream”)?

In my spare time, I look for any excuse to get outdoors with my family. I enjoy mountain biking, hiking, and motorcycles.

We are always happy to see bankers come over to the credit union movement. Tell me more about your educational background and your journey into the credit union internal audit world.

I have a Bachelor of Science in Business Administration, with a major in Accounting. After beginning my career in financial services, I went on to attend the Western States School of Banking and the Graduate School of Banking at Colorado University. I’ve now been in audit for nearly 14 years. I earned my CPA designation early in my career to enhance my knowledge and skills, which definitely holds one to a higher level of standards and ethics. An additional realized value was the trust clients and employers place on having received the CPA title. Upon the start of my career, you would have never convinced me that I would become, let alone enjoy, being an auditor. The transition was somewhat of a chance occurrence. I had worked in a public accounting firm for 7 years obtaining experience in everything but audit. My wife wanted to move closer to family; so I accepted a position with a community bank located in Colorado and Northern New Mexico. It was explained that I was replacing the prior “auditor” who was retiring. Within my first week, I came to learn they never really had an internal audit department or audit program, requiring everything to be built from the ground up. I had to learn about both financial services and audit really quick.

After having to re-build your bank’s internal audit department, is there anything you know now that you wish you would have known coming into the industry?

I wish I had known what an important role internal audit plays in a business. I initially steered clear of audit positions due to misconceptions conceived while in school, only to later learn about the rewards of being a part of helping to build and improve processes and businesses from within.

Auditors are always talking about being value-added in order to stay relevant. What have you found to be the most useful tools in streamlining audit processes, enhancing efficiencies, and making audit a value-added service?

Automating and organizing the workflow of audits has allowed our department additional resources to help other areas of the organization with special projects such as implementing new software and process improvements. I have had the opportunity to learn and use data analytics, which opens up the ability to review and audit large amounts of transactional data. This has helped to quickly provide a complete picture of the function and any underlying issues and eliminated the restrictions of using sampling techniques.

Over the 14 years you’ve been involved in auditing, how has the industry changed?

The role of internal audit has evolved from policing the organization through verification of policies and procedures to acting as more of an advisor to management, providing for the evaluation and improvement of processes and controls, and identifying efficiencies. There has definitely been significant growth and complexity in regulatory requirements, a transition to paperless records, and the use of data analytics in audit. Enterprise risk management has also become an integral tool in identifying and navigating risk as well as guiding the audit focus.

What are the major challenges you feel the industry faces today and how can internal auditors overcome those challenges?

Internal audit responsibilities seem to be expanding at a greater pace than the departmental budget. Auditors are required to do more with less, which can be accomplished through defining effective ways to complete audits, looking for time and cost savings wherever possible, all while constantly striving to add value to the organization.

New auditors, especially new ACUIA members, are looking to the tenured auditors like you for guidance. What advice would you give to a new auditor just entering the field?

Always continue refining your audit skillset and learning about new and evolving trends. There is an immense value in building trust and relationships with associates at all levels throughout the organization. Learn to be patient and persistent in helping to bring change and improvement; while it sometimes takes a little longer than expected, it is always worth it.
Let’s switch gears now to ACUIA. How long have you been a member?

Just going on a few months.

I’m sure that will turn into long-term membership as you integrate more into the Association. What member benefits have you found to be most rewarding thus far?

I do look forward to being part of the ACUIA for years to come, lending help whenever possible. Again, I am new to the organization, but I am excited to meet others in the profession to share ideas, experiences, and advances in the industry. I also just took on the role of the Arizona Chapter Coordinator, and look forward to all of the Chapter benefits.

Thanks Jason! I look forward to seeing you at the annual conferences!
{ regional news }

REGION 1
Director: Julie Wilson, Director Internal Audit, iQ CU, 360.992.4233, juliew@iqcu.com
No news for Region 1. Please contact Julie with questions.

REGION 2
Director: Tara Tocco, Internal Audit Manager, Hughes Federal Credit Union, 520-205-5744, TTocco@hughesfcu.org
The Region 2 Annual Meeting is scheduled November 3rd and 4th at AZ State Credit Union in Phoenix AZ. Feel free to contact me at ttocco@hughesfcu.org if there are any specific topics or speakers you would like to see on the agenda.
We would like to welcome Jason Garlutzo as the AZ Chapter Coordinator. We would also like to welcome Nikki Ige as the HI Chapter Coordinator. We would like to thank Nikki for agreeing to start a new Chapter in Hawaii.

REGION 3
Director: Greg A. Czyzewski, CPA, CIA, AVP Internal Audit, Teachers Credit Union, 574.284.6451, gczyz@tcunet.com
No news for Region 3. Please contact Greg with questions.

REGION 4
Director: Patrick McCollough, CIA, CISA, CRMA, AVP/Director of Internal Audit, Arkansas Federal Credit Union, 501.533.2275, pmccollough@AFCU.org
No news for Region 4. Please contact Patrick for information.

REGION 5
Director: Michael P. Moreau, CIA, CFE, CFSA, Manager Credit Union Services, Macpage LLC, mpn@macpage.com
No news for Region 5. Please contact Mike with questions.

REGION 6
Director: Jason Alexander, MBA, CICA, Director of Internal Audit, LGE Community Credit Union, 770-421-2579, jasona@LGEccu.org
No news for Region 6. Contact Jason for information.
{ region directors }

REGION 1: Julie Wilson (juliew@iqcu.com)
REGION 2: Tara Tocco (TTocco@hughesfcu.org)
REGION 3: Greg Czyzewski, CPA, CIA (gczyz@tcunet.com)
REGION 4: Patrick McCollough (pmccollough@AFCU.org)
REGION 5: Michael P. Moreau, CIA, CFE, CFSA (mpn@macpage.com)
REGION 6: Jason Alexander (jasona@lgeccu.org)
{ chapter coordinators }

Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins (trobbins@mapscu.com)

REGION 2
ARIZONA CHAPTER: Jason Garlutzo (Jason.Garlutzo@azstcu.org)
CALIFORNIA CHAPTER
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA (rmanscill@americafirst.com)
HAWAII CHAPTER: Nikki Ige (Nige@kcfcu.org)

REGION 3
INDIANA CHAPTER: Jeff Watson (jwatson@iucu.org)
MINNESOTA CHAPTER: Ashley Shrode (Ashley.Shrode@thrivent.com)
MICHIGAN CHAPTER: Kathleen Schaefer (Kathleen.Schaefer@elgacu.com)
WISCONSIN CHAPTER: Karla Hodgkins (khodgkin@Covantagecu.org)

REGION 4
NORTH TEXAS CHAPTER: Kimberly Wiersema (kawiersema@hotmail.com)
ST. LOUIS CHAPTER: David Caster (dcaster@firstcommunity.com)

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6
GEORGIA CHAPTER: Jason Alexander (jasona@lgeccu.org)
FLORIDA CHAPTER: Lourdes Camacho (lourdesc@sccu.com)
NORTH CAROLINA CHAPTER: VOLUNTEER NEEDED!
SOUTH CAROLINA CHAPTER: Tammy Farmer (tammyf@scscu.com)
TENNESSEE CHAPTER: Michelle Clark, CUCU (mclarck@ecu.org)
{ acuia select }

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.