ACUIA Audit Report volume 25 issue 3


Volume 25, Issue 3, 2016

The Magazine of the Association of Credit Union Internal Auditors, Inc.

THE BANK SECRECY ACT: PAY ATTENTION TO THE SMALL STUFF

AUDITING CASH: ANTI-FRAUD METHODS THAT WORK

GET THE UPPER HAND: DON’T LET VENDORS WIN AT YOUR EXPENSE

MANAGING RISK IN A POST-CRISIS WORLD



{ contents }

FEATURES

How’s Your Appetite? Risk Appetite, Risk Tolerance and the Bandwidth-Fidelity Dilemma
Sridhar Ramamoorti, Alan Siegfried & Alan White

Bank Secrecy Act: The Little Details
Michael Moreau

Auditing the Area of Cash
Because of the very nature of cash and cash equivalents, this requires good internal controls and careful monitoring.
Cecil D. Maynard III, CPA, MPA, FCPA, CFE, CFF

Gain the Upper Hand with Your Vendors: 7 Ways to Make Sure You Don’t Pay More Than You Have To
Ben Mrva

DEPARTMENTS

From the Editor: Remembering Tom
Tabitha Ernst-Chadwick

Chairman’s Message: A Great Annual Conference
John Gallagher

The Standards: Monitoring Progress
Pat Richey

Reno Wrap-up

Regional News

Region Directors and Chapter Coordinators

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick
Designer: Victoria Valentine

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases.

Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284

© Copyright 2016, ACUIA. All rights reserved.


{ from the editor }

Remembering Tom

Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

I would like to dedicate this column to a friend and colleague, Tom Schauer, who we lost very unexpectedly. I hope all of you were fortunate enough to have met him and worked with him. I, for one, feel lucky to have had the pleasure of knowing him.

Tom was working in the audit and IT industries for many years, during which time he identified a weakness that he felt he could fill. Thus, he decided to start his own IT security audit firm, and TrustCC was born. When TrustCC was in its infancy stages, the group worked out of Tom’s home. He created a family company in a family atmosphere and his employees truly loved him. TrustCC continued to grow and prosper, but even as the company grew, Tom never stopped giving people a chance and recognizing talent in unlikely places. I remember new IT auditors coming onsite to do our engagements, and Tom later telling me stories about how he discovered them. Tom always talked about his employees with pride; he cared about them and it showed in their work.

I was blessed to work with Tom in several capacities – through IT security engagements at my credit union, through ACUIA conferences, and through his contributions to the magazine. Hopefully even those of you who didn’t work closely with Tom and TrustCC (and subsequent merger with CLA) had the opportunity to hear him speak at ACUIA or another event. He was a great educator and provided insight that I’ve not experienced in any other IT training venue. He will truly be missed.

Some client quotes about Tom:

“What I always loved about Tom was his “down to earth” attitude and I can’t remember ever seeing him without a smile when he was here. He knew his technical stuff but never talked over your head or down to you if you asked a question. The other thing I appreciated about him was hearing him talk about everyone in his company at TrustCC with such pride. You could tell he not only liked what he did but also the people who worked alongside him.”

“Tom had the rare gift of being able to communicate effectively both with IT professionals and “normal” people. I’ve never met anyone else who could do that as effectively as Tom could.”

“Tom was a man of his word and a man of the Lord.”

“Tom just knew how to treat people, to make you feel important. He could tell you that you were doing everything wrong, but did it in a way that still made you feel smart.”

How Do You Use Your Power?

I live in a state that is the subject of much debate and controversy due to a bold new law. A few superstars who are particularly offended by the rule decided to flex their famous muscles, reach deep into their pockets, and make their own bold statement by cancelling all venues in the offending state.

The result? Well, I can’t say for sure, but my guess is that the governor didn’t lose much sleep over a couple of politically charged rock bands from the 80s and 90s (though who knows? He could be the president of both fan clubs). If Facebook can be believed – which it can because everything on Facebook is obviously true – the tangible result was A LOT of very disappointed fans, many of whom lost money despite the ticket refunds (hotel reservations, airline tickets, car rentals…). This particular result is of no concern to the superstars, though, because their desire was to make a point to the politicians, fans be damXXd.

No matter which side of the infamous Bathroom Bill gets your sympathy, the trend is a bit disconcerting – people who perceive themselves as influential doing everything in their power to make their opinions your opinions. And the trend will continue, because what artists could possibly now perform in this offensive state, when their colleagues have taken such valiant stands against injustice?

So I was not fortunate enough to have tickets for either of the shows, but if 6-year-old soccer games were held on any day but Wednesday I would have been an addition to the angry mob of disappointed fans. I was outraged nonetheless, because I have fellow die-hard fans who don’t have Wednesday night soccer obligations, who did have tickets, and who were crushed by the cancellation. My outrage led to reflection on how I felt about bands punishing fans for actions outside of their control, further leading me to reflection on customer service and treating people right, and finally to reflection on how this could relate to internal audit and risk management. Oh yeah – that’s right; in true nerd fashion I am turning a 90s alternative rock concert into an audit and risk lesson.

So here is the lesson. As auditors and risk managers, sometimes we are the ones in our organizations with those proverbial big muscles and deep pockets. We are the ones with the power to persuade. Most of the time, there is more than one way to achieve the desired result. And if your immediate reaction is to cancel the concert to try and force everyone to see it your way, you might be missing a better opportunity to actually reach out to your proverbial “fans” with a more effective message; and more often than not, once your audiences fully understand the issues, they probably have even better ideas about how to achieve those desired results. As the wise uncle of Spiderman once said, “with great power comes great responsibility.” So I ask you, how are you using your great power? Are you flexing those muscles to force your opinions to become their opinions? Are you making your auditees perform an extra 10 steps because that’s how you feel it must be done? Or are you using your superior intellect and experience for good? That is, are you teaching [about the risks], sharing [ideas and knowledge], and listening?

2016 BOARD OF DIRECTORS

Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2014–2016 2016–2019

Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2015–2017

Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2015–2017

Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dswenson2@wingsfinancial.com, Term 2015–2018

Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018

Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018

Director: Doug Wright, CPA, CFE, CUCE, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2016–2019 2015–2016

Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com

ACUIA EXECUTIVE OFFICE

1727 King Street Suite 300, Alexandria, VA 22314
(703) 688-2284
acuia@acuia.org

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”




{ chairman’s message }

A Great Annual Conference

John Gallagher

It’s hard to believe that our 26th Annual Conference, held in Reno June 21st – 24th, has come and gone so quickly. I guess there must be some truth to the saying “time flies when you’re having fun!” For those who attended the conference I hope you found it as enjoyable as I did. In true ACUIA fashion the sessions proved to be insightful, educational, enjoyable, and invaluable. I always find the endless networking opportunities and reconnection with peers the highlight of every conference. This networking truly is what sets ACUIA apart from other professional associations. For those who unfortunately were unable to attend this year, I hope you will plan to join us next year when we will return to the city of San Antonio, Texas. It’s been some time since ACUIA last visited this city and the many attractions along the River Walk.

There were two (okay maybe more than two!) particular events that stand out to me when I think back to this year’s annual conference. The first was reminding the audience of an instance at the previous conference in Boston, where I had planned to do what – in my opinion at least – was an attempt at a humorous or light-hearted presentation; however our host Todd Newton threw me a curveball just before I was to go on stage, and for the first time he turned all serious and began to talk about his charitable foundation Newtonfund4kids. Let it just be said this affected the mood of the room and thus altered my presentation. So this year, I attempted to “turn the tables” on Todd. I called Todd up to the stage and surprised him with a donation to Newtonfund4kids on behalf of the ACUIA. Sometimes payback can be so much fun, not to mention rewarding knowing that we were all supporting a great cause!

The second event occurred during the annual meeting on Wednesday when I had the distinct honor of recognizing someone who I have long considered a mentor, colleague, peer, and dear friend. For his longtime support and contributions to ACUIA, it was my privilege to present Randy Manscill of America First Credit Union with the ACUIA Lifetime Achievement Award. To show appreciation for his lifetime commitment to ACUIA and the credit union internal audit profession the Board also voted to rename the Excellence in Service Award as the Randy Manscill Excellence in Service Award. Like Randy himself has consistently demonstrated, this award recognizes an ACUIA volunteer who exemplifies the spirit and dedication of volunteer service in going above and beyond the call of duty on behalf of their fellow internal auditors. Thank you Randy for all that you have done for ACUIA!!

Looking forward, I am extremely pleased that the first Credit Union Internal Audit Certification Program coming in October is completely sold out! ACUIA has long had the desire and goal to develop such a program and we are pleased to be able to offer the certification in conjunction with our partners at CUNA. And don’t worry if you got shut out this year, the next program offering is coming in March 2017.

Lastly and with a heavy heart, I am saddened by the news of the untimely passing of Tom Schauer from CliftonLarsonAllen (and previously TrustCC). Tom was a huge supporter of ACUIA and frequent contributor at our conferences, regional meetings, and The Audit Report magazine. He was a true friend to many and will be missed.

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.



HOW’S YOUR APPETITE?

RISK APPETITE, RISK TOLERANCE AND THE BANDWIDTH-FIDELITY DILEMMA
Implications for the Credit Union Industry

SRIDHAR RAMAMOORTI, ALAN SIEGFRIED & ALAN WHITE
QUETZAL GRC, LLC

Background

The 2008 Wall Street financial crisis and the relatively slow financial recovery have increased demands from regulators and raters for financial services companies to significantly upgrade their risk management capabilities. Poor decisions were made on multiple levels by capital market actors, and management and audit oversight was weak or absent altogether. As a result, the grave consequences of potentially catastrophic risks were not identified until it was too late. In the aftermath of the crisis, regulators and other oversight bodies are calling for better descriptions of organizations’ risk management processes, including oversight by the board.[1] As a result, senior executives have been compelled to rethink how they manage risk and justify the risks that they take. It is in this context that two fundamental risk concepts appear to beg for further clarification: risk appetite and risk tolerance.[2]

Risk appetite and risk tolerance were concepts widely introduced by the COSO Enterprise Risk Management Integrated Framework (first released in September 2004).[3] Specifically, risk appetite was defined as “the amount of risk—on a broad level—that an entity is willing to accept in pursuit of value.” Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so. Similarly, risk tolerance referred to the “acceptable range of variation in the achievement of objectives.” Both quantitative and qualitative measures were recommended when evaluating risk tolerance.

Despite such definitions and clarifications, over a decade after the release of the COSO ERM 2004 guidance, much confusion still exists among practitioners. For instance, a COSO thought leadership piece asserts[4]: “An organization must consider its risk appetite at the same time it decides which goals or operational tactics to pursue. To determine risk appetite, management, with board review and concurrence, should take three steps:

1. Develop risk appetite
2. Communicate risk appetite
3. Monitor and update risk appetite.”

In 2009, regulators seized the two largest wholesale credit unions, U.S. Central Federal Credit Union and Western Corporate Federal Credit Union, after finding their losses were much larger than previously reported. Similarly, with the creation of a Members United Corporate Federal Credit Union, Southwest Corporate Federal Credit Union and Constitution Corporate Federal Credit Union, which had a total of $19.67 billion in assets as of July, were taken into conservatorship by federal regulators. In an effort to minimize and spread out credit union industry losses, regulators said they will move all the battered securities into a good-bank-bad-bank structure. It was reported that the National Credit Union Administration (NCUA) officials will manage the $50 billion portfolio, or “bad bank,” of the failed wholesale institutions.[5] Obviously, it seems that the risk management activities at credit unions were as poor as at the banks. In addition, academic researchers studying the risk management capabilities of the C-level suite and its associated oversight[6] indicate that these trends across industry sectors are relatively unchanged.

Perhaps the confusion regarding key terms like risk appetite (RA) and risk tolerance (RT) reigns because of the dearth of real-world examples demonstrating how these concepts can be usefully applied in practice. This presents challenges for internal auditors as they try to assess the effectiveness of risk management activities in their organizations, and therefore should be further discussed.

[1] Rittenberg, L.E. & Martens, F. (2012). Enterprise Risk Management: Understanding and Communicating Risk Appetite. Committee of Sponsoring Organizations of the Treadway Commission (COSO). See also http://coso.org/documents/ERM-Understanding%20%20Communicating%20Risk%20AppetiteWEB_FINAL_r9.pdf
[2] Koletar, J.W. (2010). Rethinking Risk. New York: AMACOM.
[3] The exposure draft of an updated COSO Enterprise Risk Management Integrated Framework is expected to be released later this year.
[4] Rittenberg, L.E. & Martens, F. (2012). Enterprise Risk Management: Understanding and Communicating Risk Appetite. Committee of Sponsoring Organizations of the Treadway Commission (COSO). See also http://coso.org/documents/ERM-Understanding%20%20Communicating%20Risk%20AppetiteWEB_FINAL_r9.pdf

[5] See WSJ article at: http://on.wsj.com/12ln2Xa Losses on the mortgage-backed securities held by the five seized credit unions are expected by regulators to total about $15 billion. Under federal rules, wholesale credit unions were supposed to invest only in safe, liquid assets. But some chased higher returns by loading up on securities backed by subprime mortgages or other risky loans. Their portfolios were decimated by the mortgage meltdown.
[6] Beasley, M., Branson, B. & Hancock, B. (2010). Report on the Current State of Enterprise Risk Oversight. 2nd ed. Research conducted in conjunction with the AICPA Business, Industry and Government Team and the ERM Initiative at North Carolina State University. February 2010. See www.erm.ncsu.edu

Materiality and Risk

Materiality, like risk, is a crucial concept in auditing. It helps auditors distinguish the important from the trivial, enabling them to direct audit efforts to highest risk areas. However, it is also important to emphasize the “operationalization” of the concept, resulting in the measurable constructs of “bandwidth-materiality” (materiality applied to the financial statements as a whole), and “fidelity-materiality” (materiality as it relates to a specific account balance, such as marketable securities).

A bandwidth-fidelity dilemma is analogous to choosing between a microscope and a pair of binoculars; this choice is to some degree influenced by what it is we want to see: the forest (binoculars; high bandwidth, low resolution) or the trees (microscope; low bandwidth, high resolution). In the final analysis, the distinction between fidelity and bandwidth comes down to breadth of measurement.[7] A bandwidth-materiality measure helps assess the landscape of risk, even the types of risk; fidelity-materiality focuses on one particular risk, but assists with its precise measurement and calibration.[8] The “fidelity-materiality” construct has both a quantitative as well as a qualitative aspect to it. We surmise that RA is a bandwidth-level construct while RT is a fidelity-level construct.

[7] Hogan, J. & Roberts, B.W. (1960). Issues and non-issues in the fidelity-bandwidth trade-off. Journal of Organizational Behavior, 17, 627-637.
[8] S. Ramamoorti (1995). Decision Framing and Efficiency-Effectiveness Trade-Offs in Auditors’ Planning Materiality Judgements. Unpublished Ph.D. dissertation. Department of Psychology—Quantitative Program, The Ohio State University, Columbus, Ohio.

A Consumption Example

Consider RA in the context of alcohol consumption. Like consuming alcohol, risk-taking appears to have an “addictive” dimension to it. Bank regulators, such as the Basel Committee for Banking Supervision, seem only too aware of the seduction of “playing with other people’s money.” Just as drinking too much alcohol can lead to loss of mental and motor control, too much appetite for risk-taking could prove toxic for companies (e.g., AIG, Bear Stearns, and Lehman Brothers all seem to have badly misjudged their RA in terms of loss tolerance, risk-to-capital leverage, and target debt ratings). Nevertheless, the basic risk-reward theory from financial economics informs us that assuming a certain threshold-level of calculated risk is necessary for business success. Once a certain level of risk within the RA has been assumed, the next step is to worry about how much more risk can be tolerated.

It should be noted that business environments globally are very dynamic and ever-changing. As such, both RA and RT must be evaluated in the context of a shifting landscape—tracking a constantly moving target—a complex assessment that is easier said than done.

A Real-World But Still Conceptual Example

Global organizations must have a good idea of their “risk,” or capacity to take on an absolute level of risk. Consider the context of “portfolio level” and “transaction level” for financial institutions. Over the last several years, volatility-based models such as Value-At-Risk (VaR) and Risk-Adjusted-Return-on-Capital (RAROC) have become fashionable and extensively used to measure and manage market risk and credit risks for organizations.

Theoretically speaking, the Value-At-Risk (VaR) can be defined as the maximum potential loss that a portfolio or position would experience within a specific confidence interval over a specific period of time. However, when such models are based on questionable assumptions like “housing prices can never decline,” they are reliable only as long as their underlying assumptions remain true. Moreover, it is unlikely that such statistical models will have significant success in dealing with operational risk management issues.[9]

Who is to say that the very next micro-hedge wouldn’t put the company past the “tipping point,” thereby exceeding their RA? Those with access to macro-hedging information (the ERM overseer, such as the CRO or CEO) are unlikely to have simultaneous access and knowledge of micro-hedging information. After all, one cannot be simultaneously and instantaneously looking at the forest and the tree.[10]

[9] In this connection, the distinction between statistical significance and practical significance is more than of academic interest.
[10] In fact, this may well describe what happened on Wall Street in 2008 in terms of specific financial institution risk versus what is being referred to as “systemic risk” by the Federal Reserve. Indeed this is also illustrative of the bandwidth-fidelity trade off, for even in measurement “you can’t have your cake and eat it too.”

A Matter of Educating Boards, the C-Level Suite, and Other Risk Owners

So, what can internal auditors do to help their companies better understand RA and RT? For example, how can they go about:

■ Educating the Board, senior management, and risk owners on the difference between RA and RT?
■ Identifying whether the Board and senior management have articulated the organization’s RA; and if not, how to facilitate an enterprise-wide discussion and communication strategy?

Based on some of the ideas discussed thus far, internal auditors can perhaps create organization-specific examples to communicate the RA and RT concepts persuasively and establish their relevance to the senior management and the Board.

Harvard professor Robert Simons’ (1999) article[11] suggested a “Risk Exposure Calculator” that considers “pressure points” which can generate risk to an organization in three areas, each across three dimensions:

Growth – pressures for performance, rate of expansion, inexperience of key employees;
Culture – rewards for entrepreneurial risk-taking, executive resistance to bad news, level of internal competition; and
Information management – transaction complexity and velocity, gaps in diagnostic performance measures, and degree of decentralized decision making.

Using this scoring model produces an overall score that would land a company in one of three zones: the safety zone, the caution zone and the danger zone. Simons urges immediate action for those in the danger zone, but also suggests that those falling in the safety zone may be acting too conservatively, and should perhaps consider taking some calculated gambles.

As for benchmarking risk management capabilities, Hillson’s (1997) article[12] introduces the Risk Management Maturity (RMM) model first developed by HVR Consulting Services Limited in the UK in 1997. The RMM model places organizations in four levels of ascending risk management maturity:

Level 1: Naïve risk organization – unaware of the need for management of risk
Level 2: Novice – has begun to experiment with risk management, but has no formal or structured processes in place
Level 3: Normalized – management of risk is built into routine business processes; structured generic risk management processes have been formally implemented and are widespread and
Level 4: Natural risk organization – the organization has a risk-aware culture, and proactively manages both upside and downside risks; risk information is actively used to improve business processes and gain competitive advantage.

Once risk management practices have been successfully implemented in the organization, internal auditors will then need to become more granular in their audit approaches and “kick the tires,” so to speak, to test the effectiveness of the implemented risk management processes, and monitor their continued effectiveness amidst changing business environments. Specifically, they must ensure that proper boundaries are being set with respect to RA and RT from both a quantitative and a qualitative standpoint and are dynamically updated.

Establishing and Communicating Suitable Reference Points for RT and RA

With regard to risk management policies, reference points, and boundaries, internal audit must evaluate existing RT and RA relationships to determine if:

■ Existing RTs are properly linked to the RA.
■ Additional RTs need to be created to ensure that the business is effectively managed relative to the RA.
■ The company is operating within the RT parameters that have been established.

Basically, it is understanding where the risk appetite threshold is so that the risk tolerance can be assessed in relation to the threshold already reached. Once the risk assessment has been completed, findings must then be communicated to help senior management and the Board understand the company’s current state. This is especially critical due to the challenges that many organizations face in today’s unstable economic environment.

The senior risk managers at Minneapolis-based Allianz Life, a division of Munich-based Allianz, also are facing greater demands for risk transparency from the company’s leadership in the wake of the financial crisis. According to Neil McKay, the carrier’s SVP and chief actuary, “It’s not only about reporting but also telling management what would happen in certain scenarios and being very proactive in how we do that.” McKay adds that Allianz has invested heavily in the hardware, software and people to meet the new world’s requirements. “We have a lot more information at our fingertips when we make decisions, and that gives us the confidence that we can manage through events such as the crisis,” McKay remarks. “Being able to run scenarios at the close of the market and have the information before you go home to support the next day’s decisions has become imperative to running our business.”

Again, it is important to recognize the linkage between risk appetite and risk tolerance, and quickly address any gaps in the linkage or in risk-related policies from the Board. Internal auditors will need to work closely with chief risk officers in the future to ensure that the implications of the RA and RT concepts are fully recognized, understood, implemented, and monitored.

[11] Simons, R. (1999). How Risky is Your Business? Harvard Business Review, May/June 1999, pp. 85-94.
[12] Hillson, D.A. (1997). Towards a Risk Maturity Model. International Journal of Project and Business Risk Management, Vol. 1, No. 1, pp. 35-45.

Summary and Conclusion

Now that the U.S. economy is slowly showing signs of a sustained recovery, and the DJIA is hitting the highs last seen in 2007, organizations are taking heed of all that went wrong during the Wall Street financial crisis. Specifically, “reckless risk taking” must be curbed, and the risk assessment and measurement process greatly enhanced. A folk saying in Oklahoma is pertinent here: “It is when the skies are bluest that you should prepare for the next tornado.”

As organizations move aggressively to enhance their risk management capabilities, the concepts of Risk Assessment and Risk Tolerance are going to assume a new and higher level of significance, evidenced by having disciplined and systematic ways of measuring, calibrating, and responding to risk. Unless executive management and the Board are coached by internal audit[13] to thoroughly understand the relevance and critical importance of the vocabulary around risk and control, we would still not have learned the real lessons from the Wall Street financial crisis.

[13] In this regard, the IIA’s relatively new certification, the Certified in Risk Management Assurance (CRMA) is helpful in that it evidences an internal auditor’s understanding and expertise in the specialized area of risk management and risk assurance.

About the Authors

Alan Siegfried, MBA, CPA, CIA, CISA, CRMA, CBA, CGMA, CFSA, CITP, CCSA, CGAP
Alan has over 35 years of experience serving in internal audit and risk management leadership roles for international organizations and financial institutions in both the public and private sector. He was partner to the Big Four firms of Deloitte, LLP and Ernst & Young LLP, and has served in the public sector for the U.S. Government Accountability Office (GAO) and the U.S. General Services Administration (GSA). Alan also currently serves as assistant academic director for the Internal Auditing Track, Master of Science in Accounting (MSA) Program at the University of Maryland’s Smith School of Business, where he is also an adjunct professor of graduate internal audit courses.

Dr. Sridhar Ramamoorti
Principal & Managing Director, Quetzal GRC LLC, and Associate Professor of Accountancy; Director, Corporate Governance Center, Kennesaw State University
Dr. Ramamoorti is an authority on corporate governance and behavioral forensics. He has over 30 years of experience in academia, auditing, and consulting. Dr. Ramamoorti has authored over 35 papers and articles, and 15 books and monographs. He served as a member of development and authoring teams at the AICPA, COSO, and ISACA, and co-chaired the 2010 global Common Body of Knowledge (CBOK) Study spanning 100+ countries for the IIA. Active in the profession, he currently serves on the Boards of Ascend, and the Institute for Truth in Accounting, as well as on the prestigious Standing Advisory Group of the PCAOB in Washington, D.C.

Alan White, MBA, CISA
President & Client Relationship Executive
Mr. White is the founder and President of CU Accelerator. He has worked with over 60 credit unions ranging in size from $170 million to over $8 billion in assets. Prior to founding CU Accelerator, Mr. White served as an engagement executive at Ernst & Young LLP’s Technology & Security Risk Services practice in Los Angeles, CA. Alan holds a BS in Industrial Management from Carnegie Mellon University and an MBA from the University of Texas at Austin with specializations in Entrepreneurship and Private Equity Finance.




BANK SECRECY ACT: THE LITTLE DETAILS

MICHAEL MOREAU

In the previous issue of The Audit Report, we read about the high-risk Bank Secrecy Act (BSA) concerns that are found within credit unions, and about considering BSA risks at the enterprise level. We also read about smaller areas of concern on which regulators seem to focus.

Our BSA work takes us throughout New England and New York, and provides us with a picture of the smaller details that concern state regulators, NCUA regulators, or both. Are they violations of BSA requirements or violations of other related regulations, such as Office of Foreign Assets Control (OFAC) and Customer Information Program (CIP)? Sure, clearly some of them. But there are also many comments that fall into gray areas. By sharing some of the BSA violations that we commonly see, my hope is that you can review these areas, either for individual violations or more systemic concerns in your credit union.


Policies and procedures are always an area of great regulatory attention. Regulators often look for BSA and related policies to be approved annually, even if there have been no changes. They are also looking for documented procedures for all BSA-related functions. Procedures are important not only to guide the employees performing the work, but also to contribute to the business continuity program in the event of an unexpected absence or departure. Procedures should be in sufficient detail to guide someone not wholly familiar with the area through the process.

Training is also an area of attention. The Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act Anti-Money Laundering Examination Manual calls for ongoing training incorporating current developments and changes to BSA regulations and related regulations. The Manual also requires that institutions document their training programs, and that training and testing materials, dates of training sessions, and attendance records be maintained and available for examiner review. Additionally, institutions must ensure that appropriate personnel are trained in applicable aspects of the BSA.

What does this mean to you? If you are providing training, call it that. To be clear, don’t call it the 2016 Annual BSA Review; call it the 2016 Annual BSA Training. That way everyone knows what was provided. How often is ongoing? Generally, we have heard that ongoing means annual, and annual means twelve months from the last training. This does not seem to be based on a calendar year, especially if the period between trainings exceeds 12 months – your credit union might have a hard time arguing the training is ongoing if training was provided in January 2014, and again in December 2015 – performed within the calendar years, but 23 months apart.

It has long been held that everyone needs some type of training, but not everyone needs the same training. Training provided should be appropriate for the individual’s position within the credit union. A teller needs to be aware of the credit union’s policies and procedures. A director does not need to know the steps needed to complete a Currency Transaction Report (CTR), but should know that credit union personnel are required to report large cash transactions. Everyone involved in the credit union, including all employees and volunteers, should be versed on the reporting of suspicious activity, as no one can predict where suspicious activity will arise.

Be sure to track who attends the training sessions, follow up with those missing the session, and document the training. We have seen many comments made regarding employees who were not present at a group training, and no follow-up training was documented. Also be sure to track the credit union’s volunteers for BSA training – if a Director misses the training session, provide training to that volunteer, document the training provided, and consider including the follow-up training provided in the next Board minutes.

Another area of common concern is a lack of documentation supporting the Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) scans that are completed. Many times, we see that anti-money laundering software, or perhaps the core processor, completes these scans, and sends an email to the compliance officer with the results. So far so good. The weakness comes in where there is no documentation that anyone ever reviewed the results of the scan. Be sure to review the results provided, and document that the review was completed.

For cash purchase of monetary instruments, in amounts $3,000 to $10,000 inclusive, the credit union must maintain documentation about the purchase and purchaser. Every member has identification documented at the credit union, right? How about that member that joined many years ago? We often see where tellers make notes such as “ID on file” for long-time members, but when we ask to see the identification, or a record of the identification used, none is on file.

How about shared branching? The threshold for collecting and maintaining additional information is if the purchaser “has a deposit account with the financial institution.” Argue as you might that, due to the agreements in place, a guest member is a member, that still does not meet the criteria of the purchaser having a deposit account with the financial institution. Shared branching guest members are not members of your credit union, and the additional information required of non-deposit holders is required to be obtained and maintained. However, there is always the possibility that the guest member is indeed a member of your credit union, and the additional information is already on hand.

Risk ratings of members can also cause problems. We are seeing trends where it is expected that each individual account be risk rated. Clear definitions of what makes a high-risk account should be documented. Front line employees cannot be expected to identify a high-risk account if no one has told them the characteristics of a high-risk account.

Credit union vendors also cause credit unions troubles. Does the policy state how often vendors will be scanned against the OFAC lists? Is the credit union in compliance with the policy? If the vendors are not scanned each time they are paid, is this risk included in the BSA risk assessment?

How about the cash amounts included on CTRs? If someone is manually taking the cash amount from a system report and inputting it into the CTR, was the cash amount input correctly? We often see errors in the cash amounts when they are manually carried over. A secondary area of concern is when there is no independent review of the CTRs prior to filing, to identify errors, including incorrect cash amounts.

Suspicious activity reports (SARs) can also be an area of trouble for credit unions. They should be complete and include a descriptive narrative of the suspicious activity. While completing the SAR, remember the investigator/analyst reviewing the narrative does not have any prior knowledge of the circumstances surrounding the transactions. Be sure to be clear. What if someone reports a potentially suspicious transaction to the compliance officer, who then reviews and analyzes the transaction, and determines no SAR is needed? This should be documented, including the specific reasons the SAR was not filed, as many regulators are looking for this.

Hopefully, these tips will help you to look at some of the more common areas that might be overlooked by the compliance officer, and help tighten up the little BSA details.

About the Author

Mike Moreau, CIA, CFE, CFSA is the Manager, Credit Union Services, for Macpage LLC, a full-service CPA firm in South Portland, Maine. Based in Macpage’s Massachusetts office, Mike has been an Internal Auditor for more than 27 years, all in financial institutions, and has provided internal audit services to credit unions since 1993. Mike has been active in ACUIA since 1996, and is the Region 5 Director and past Rhode Island Chapter Coordinator.


AUDITING THE AREA OF CASH

CECIL D. MAYNARD III CPA, MPA, FCPA, CFE, CFF

Because of the very nature of cash and cash equivalents, this area of credit union operations is usually considered an area that requires good internal controls and careful monitoring. This article outlines the testing that Supervisory/Audit Committees, Risk Management, and Internal Audit Departments may want to consider as part of their review of the internal controls in the area of cash and cash equivalents. It was also pointed out in the Association of Certified Fraud Examiners 2016 Global Fraud Study, Report to the Nations on Occupational Fraud and Abuse that:

“The presence of anti-fraud controls was correlated with both lower fraud losses and quicker detection. We compared organizations that had specific anti-fraud controls in place against organizations lacking those controls and found that where controls were present, fraud losses were 14.3% - 54.0% lower and frauds were detected 33.3% - 50.0% more quickly.”

Cash usually includes cash on deposit in other depository institutions, cash on hand, and cash equivalents. Cash equivalents are short-term, highly liquid instruments that are easily convertible to known amounts of cash. Types of cash and cash equivalents include, but are not limited to, cash, teller cash, vault cash, ATM cash, petty cash, traveler’s checks, money orders, cashier’s checks, investments, movie tickets, stamps, etc.

Risk is defined as the potential that events (expected or unanticipated) may have an adverse impact on a credit union’s earnings, capital, or credibility. Existence of risk is not, by itself, a reason for concern. Rather, Management must consider whether the risks are warranted. Risks are warranted if they are understandable, controllable, and within the credit union’s capacity to readily withstand adverse performance. The area of cash and cash equivalents historically is a low risk area compared to other areas of the credit union. However, continuous coverage in the area of cash and cash equivalents must be part of the internal control consideration due to the nature of cash.



As can be seen in the “Fraud Triangle” below, three items are usually needed for an embezzlement of cash to occur:

Opportunity: Circumstances exist, for example the absence of controls, ineffective controls, or the ability of Management to override controls, that provide an opportunity for fraud to be perpetrated.

Pressure: Management or other employees may have an incentive or be under pressure, which provides a motivation to commit fraud.

Rationalization: Those involved in a fraud are able to rationalize a fraudulent act as being consistent with their personal code of ethics. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly and intentionally commit a dishonest act.

[Figure: The Fraud Triangle, with corners labeled Opportunity, Pressure, and Rationalization]

Opportunity | Pressure | Rationalization
I have access to the vault. | I need the money. | The credit union has excess cash.
I have access to the vault. | I need the money. | I do not want to go to jail.
I do not have access to the vault. | I need the money. | The credit union has excess cash.
I have access to the vault. | I do not need the money. | The credit union has excess cash.

The above example relates to individuals who are tellers and how the three areas could affect a potential embezzlement. As can be seen in the matrix, all three items (Opportunity, Pressure, and Rationalization) need to exist in order for a potential embezzlement to occur. The explanation in the last rows provides examples where embezzlement would not be likely to occur. Therefore, embezzlements would most likely occur when conditions in row one exist. This matrix could be developed for specific areas for virtually all conditions and/or situations where fraud could potentially exist.

Based on the numerous areas affecting cash and cash equivalents, the following recommendations should be considered at a minimum, to deter against fraud:

Conduct surprise cash and cash equivalent counts: These cash counts should be conducted throughout the year and should cover all branches and, if possible, all tellers. These cash counts could be on a “spot basis” and may cover all and/or a sample of tellers. In addition, other cash and cash equivalent areas should be covered in these counts, which include but are not limited to cashier checks, travelers’ checks, money orders, movie tickets, stamps, etc.

Also, examine the teller drawers to determine if tellers have any of their own personal checks in their cash drawers. It is not uncommon for tellers to place their personal checks in their drawers without “dating” the check. The embezzlement of funds is accomplished by the teller taking money for the value of the check for long periods of time and, in the event of a surprise cash count, the teller states that the check was placed into the drawer that day and that he/she forgot to date the check.

Bait money: Bait money consists of bills whose serial numbers are recorded by the credit union either by making a copy* or by listing the serial numbers in a log book. In the event of a robbery, the bait money is given to the bank robber, with the other money in the cash drawer. If the money is subsequently found in the possession of someone or used to purchase goods, then it is often easier to identify the perpetrator of the bank robbery. Also, since the majority of the cash on hand is maintained in the vault, it is also recommended the vault be assigned bait money.

*Care should be taken if the credit union makes a photocopy of bait money. The law strictly restricts photographs or other printed reproductions of paper currency. Black and white reproductions are permissible if larger than 1½ times (150%) or smaller than ¾ of the size (75%) of the genuine. Also, the photocopies and/or the bait money control log should be maintained in a secured location, preferably away from the cash area.

During cash counts, the bait money should be verified to the bait money control list. In addition, the bait money and how it is placed in the teller drawer should be examined. Lastly, the bait money should be periodically rotated to ensure it does not give the appearance of being old. This is also important in the event that the drawer has bait money clips which hold the bait money in the drawer. Because of the sensitive situation with bait money and the fact that many credit unions will impose disciplinary measures on tellers who mistakenly give out bait money as part of their daily teller transactions, we have encountered the following problems:
■ Tellers placing rolls of coins on top of the bait money to prevent giving out the bait money as part of their normal routine.
■ Tellers placing a strap around several of the bait money bills (which easily identifies the bait money because this is an unusual grouping of the bills).
■ Tellers marking “bait money” on the straps.
■ Tellers placing a paper clip on the bait money, which is an indicator that the currency could be bait money.

Test dual custody or dual control procedures: Dual custody requires that a minimum of two employees are required to physically access certain items or records and are equally accountable for their protection. For example, one employee has the key and a second employee has the combination to access the ATM machine. Dual control extends that concept by requiring that the work of one employee is verified or approved by a second employee. One employee counts and records the deposits obtained from the night deposit box, a second employee verifies that count. Some examples may include:
■ Reserve cash, negotiable instruments, unissued traveler’s checks, the vault, ATM machines, and the reserve supply of official checks are examples of items and areas that should be under dual custody. Walk through the steps to obtain these items or access these areas to ensure at least two people are required to obtain access.
■ Night depository box procedures should be done under dual control. For example: withdrawal of funds, opening of bags, recording of bag numbers, envelope numbers, and depositors’ names, and counting and verifying the contents of the envelopes. Review a sample of daily work for dual control signatures.
■ Deposits received by mail should be opened under dual control. Review a sample of daily work for dual control sign off.
■ Logs should record entrance and exits to the vault, ATM machines, night depository, safe deposit boxes, etc. Review logs for completeness and appropriate access granted.
■ Currency shipment procedures (sending and receiving) should be done under dual control. Verify procedures with appropriate personnel and review cash order receipts for appropriate signatures.

Review mandatory vacation policies: The credit union should have a written vacation policy that mandates employees be absent from their duties for an uninterrupted period of not less than one week. Someone else should assume the duties of the absent employee as a fraud prevention/detection tool. Review the written policy to ensure the policy is enforced and select a sample of employees and verify the mandatory vacation was taken in the prior year.

Review teller cash overage/short accounts: There should be written procedures in place for prompt reporting and investigating of shortages when they become known. Cash overages/shortages should be properly recorded in a cash over/short account. Review account details for recurring patterns or any large or unusual items. Ensure shortages have been properly investigated and resolved.

Test key and combination assignments: The credit union should have a record of all keys and combinations issued to employees. Physically verify each employee has in his or her possession the keys assigned from this record and these keys are secured and not located in an unlocked drawer or file cabinet. Keys should be retrieved and combinations changed when an employee terminates. Review the records to ensure this has occurred if an employee with possession of a key or combination has recently terminated. Unassigned keys should be kept under dual control. Walk through the steps to observe how access to these keys is obtained to ensure at least two people are required to gain access to the keys.

Review of other procedures and controls: Your credit union may have other controls in place for security of cash and the teller function. Do credit union policy and procedures require any of the following? If yes, verify practice is consistent with written policy.
■ Pocketless uniforms or clothing for tellers. Several credit unions have required that tellers wear uniforms which are pocketless. However, the implementation of this requirement would be based on a cost versus benefit basis depending on each credit union.
■ Receipts for all transactions. Management should consider making it a requirement that tellers provide each member with a receipt reflecting the member’s transaction. Each teller station should have a sign posted that states: “All members must be provided with a printed receipt as part of your transaction. In the event that the member does not receive a receipt, please notify Management.”
■ Installation of video cameras. Video cameras should be placed in strategic places where there are cash and cash equivalents. In addition, while most video cameras are installed to monitor member activity, consideration should be given to areas behind the teller lines and areas where there is continuous traffic. Also, if the tellers have an area where they store their personal belongings during the working hours, the installation of a video camera in this area should be considered. However, the credit union should consult their Attorney to determine if there are any privacy issues which may be violated.
■ Establish and install lockers outside the cash area. The credit union may want to establish an area outside of the teller area where credit union employees can place their personal belongings away from the area where cash and cash equivalents are maintained. This procedure could prevent the transfer of unauthorized funds into the credit union employee’s personal belongings.

Review of teller access and authentication mechanisms on the computer system: Access and authentication mechanisms on the computer system are important tools to ensure accountability and prevent unauthorized access to transactions and information. Review authentication and password policies for appropriateness. Select a sample of employees and review their access rights on the system. Compare system user ID lists to a current employee list from Human Resources to ensure terminated employees have been removed from the system. The following should be considered by the credit union:
■ Most computer systems have the capability to require passwords to access the system; passwords need to be changed on a frequent basis. We recommend forced password changes every 45-60 days, and the employee should not be allowed to use the same password.
■ Passwords should be a minimum of 6-10 alphanumeric characters, with one capital letter and a symbol, and should not be easily guessed. Guidance should be provided about the importance of keeping the employee’s password confidential, to include not writing it down or sharing it with other employees.
■ The computer system should log out the teller when there has not been activity for a certain period of time (usually 10 minutes). If automatic log-off is not an option, consider screen savers that would activate after 10 minutes of inactivity and would require re-entering the teller’s password when coming back to the application.
■ Terminated employees should be removed from the system at time of termination to prevent anyone from using that ID for unauthorized access to transactions and information.
■ One last point is that tellers should not be permitted to make any transactions to their personal or relatives’ accounts. It has been noted that tellers who have embezzled in the past have used their relatives’ accounts for unauthorized activity (sometimes with and without their relatives’ knowledge). In addition, teller access to the system should be based on the principle of “least privilege” - limited to those functions required for their job responsibilities.

Conduct background checks: Depending on your Credit Union and the views of Management, Board of Directors and Supervisory/Audit Committee, full and/or limited background checks should be conducted on each teller. Also, these background checks should be considered for individuals in sensitive positions at the Credit Union. These background checks include but are not limited to the following:
■ Criminal Background Checks.
■ Background Check on the Driving History of the potential employee. This is also important when tellers travel from Branch to Branch during credit union hours.
■ Contact the former employers of potential employees and request their last two evaluations. This may not always be possible during the hiring stage due to potential employees not wanting their current employers to know that they are seeking employment elsewhere. However, once they have given notice to their current employers that they are leaving their current positions, this information could be requested. This procedure can provide the credit union with valuable information on the potential hire and also confirm information provided during the interviewing process.
■ Credit Bureau Review. Besides providing information on the potential employee’s credit history, the credit reports can also verify the potential employee’s employment history, employee’s address, social security number, etc.
■ Drug Testing. While this is a very sensitive area, would you as a potential employer want to know if there was a pre-existing problem prior to this individual being employed by your credit union?
■ Fingerprinting of potential employee. Due to the sensitive area of cash, this may be a procedure that the credit union may want to consider. It has also been brought to my attention that several local Police Departments provide this service free of charge to financial institutions.
■ Have the new potential employee sign an “annual disclosure form.” The annual disclosure form provides information on the credit union employees and must be filled out annually by the employees.
■ Verify that potential employees are able to be bonded by your insurance company.

Please note that not all credit unions agree on which, if any, of the above should be conducted on new hires. We have credit unions which do all and/or some portion of the above. Therefore, credit unions should contact their Human Resource Departments and Attorneys for advice.

Policies, procedures, and zero tolerance of fraud. Credit union employees should be informed of the policies and procedures covering the area in which they are working. The credit union’s employees should also be informed that the credit union has zero tolerance for any fraud and they will prosecute any credit union representative who violates these policies. In addition, it should also be communicated to all employees that any credit union representative who is aware of a potential fraud has a duty to report this to the appropriate individuals at the credit union. Not reporting this to the appropriate individuals constitutes a violation of the credit union’s policies and procedures and the employee will be subject to the same disciplinary actions which will take place against the original abuser. Review the credit union’s written policies related to fraud. Determine how these policies are communicated to the employee. If the employee is required to sign an acknowledgment of receiving the policy, select a sample of employees and verify an acknowledgment was signed.

Based on the information presented in this article and the potential for detecting fraudulent activity, we strongly recommend that credit unions consider the recommendations we have discussed and incorporate a review of the internal controls. As was pointed out in the Association of Certified Fraud Examiners 2016 Global Fraud Study, Report to the Nations on Occupational Fraud and Abuse, the most prominent organizational weakness that contributed to the frauds in their study was the lack of internal controls. Most of the items detailed above are proactive measures and a psychological deterrent, which should aid the credit union in their monitoring of these sensitive areas. In addition, many of the procedures should be included in a written Fraud Policy for the credit union employees, who would be required to read and acknowledge that they have read the contents of the written Fraud Policy.

About the Author

Cecil D. Maynard III CPA, MPA, FCPA, CFE, CFF
As a Partner of Nearman, Maynard, Vallez, CPAs, P.A., Cecil is directly responsible for the firm’s credit union clients and the day-to-day management of the Miami office. In addition to being a Partner of the firm, he is also Chairman of the firm’s Quality Control Committee.

Cecil has assisted both federal and state chartered credit unions. Cecil has also conducted and supervised various fraud and fraud-related audits in the credit union industry. In addition, Cecil has also contributed to the American Institute of Certified Public Accountants publication of Checklists and Illustrative Financial Statements for Depository and Lending Institutions for Credit Unions. Cecil writes articles for the firm’s newsletter “The Auditor’s Report” and other publications on topics such as fraud, internal controls, quality control, and various accounting and auditing issues. Cecil is a member of the American Institute and Florida Institute of Certified Public Accountants, Certified Fraud Examiners, the Forensic CPA Society, the International Association of Financial Crimes Investigators, the Institute of Management Accountants, National Society of Tax Professionals, and the National Notary Association.

www.acuia.org | TH E AUDIT R EP ORT

21


GAIN THE UPPER HAND WITH YOUR VENDORS

7 Ways to Make Sure You Don’t Pay More Than You Have To

BEN MRVA

If I gave you a list of the top 10 credit union vendors in the country, chances are that your credit union is doing business with at least one of them. If I then showed you the profit margin and income increases that these vendors have enjoyed over the past five years, you would be astounded at the number. Does this mean that vendors are bad? Absolutely not! On the contrary, they are just better at managing their relationships with their clients (your credit union) and they don’t leave any money on the table.

The number of credit unions is shrinking – mergers, acquisitions and liquidations continue this decline. Credit unions that best manage the vendor relationship will find themselves with a strategic and financial advantage. Vendors are gaining the upper hand in these relationships, and that equates to credit unions paying higher than needed fees and missing revenue opportunities. There are seven keys to gaining the upper hand in the vendor/credit union relationship.

1. Manage term and notification dates – There are a number of contract management tools that can be utilized by the credit union. Limit auto-renewals to 12 months or less. And don’t forget to notify vendors of the intent not to renew. Even if the contract is renewed, the credit union will not lose leverage by missing a deadline. It also eliminates surprises for the CEO and Board.

2. Bid out every contract – This especially applies to critical vendors. Start the process 18-24 months prior to the termination date, which will allow for sufficient time to review options. Include alternate vendors in your search and solicit multi-year options. This will drive the contracts toward market pricing and will improve awareness of new technologies and services. The end result is a prevention of performance drag from bad contracts.

3. Consider other vendors – Be open to alternate vendor proposals and don’t give a “partner premium.” In other words, just because the credit union has done business with a vendor in the past, it doesn’t mean that the relationship has to be exclusive. Many credit unions tie their hands and increase their costs by renewing with the “old standard.” The credit union must also communicate to the vendor that it is willing to move the business. Credit unions become comfortable with the status quo and don’t want to upset a relationship. Take the opposite approach – bring other vendors into the mix and this will drive contracts towards market pricing.

4. Negotiate all de-conversion costs – Address costs up-front in the negotiations and remember to cap all fees. Eliminating surprises will allow for increased flexibility.

5. Factor in growth – Take the time to plan and design contract pricing to account for scale. If the goal of the credit union is to grow, the approach with your vendor partners should include the same rate of growth. This also may allow the credit union to take advantage of economies of scale and reduce the chance that the credit union will out-grow the vendor.

6. Manage the business relationship – Eliminate emotion and be open to options. The credit union should set appropriate policies for vendor management. While having a good working relationship with the vendor is important, that relationship must have a business foundation.

7. Validate vendor pricing – The credit union must dictate the pricing model. Beware of unsolicited proposals and research all options. The credit union must take the time to validate pricing on their own or through a third-party resource. This allows for “apples to apples” comparisons while also identifying new incentives.

A strong credit union/vendor relationship is built on a level playing field. The more information that the credit union has, the better the outcome for the credit union. Those credit unions that follow these seven steps are much more likely to thrive in the market.

About the Author Ben Mrva is Executive Vice President of Strategic Resource Management (SRM), a Memphis-based independent consulting firm that helps to reduce expenses, generate revenue and maximize profitability. Using a proprietary benchmarking database, SRM has saved millions of dollars for financial institutions in the USA and Canada.



The Standards

Pat Richey, Retired credit union internal auditor

Monitoring Progress

It’s up to the internal auditor to make sure action is taken at a reasonable pace.

The credit union internal auditor spends a great deal of time and effort conducting an audit, writing the audit report, and negotiating recommendations and action plans. Wouldn’t it be nice if the internal auditor’s effort ended with management’s agreement to implement the audit’s recommendations? However, the audit’s effort does not end there.

Standard 2500 of the International Standards for the Professional Practice of Internal Auditing says that the internal auditor must monitor the disposition of audit results. This means that the credit union internal auditor must establish and maintain a system to monitor the implementation of internal audit recommendations to determine that corrective action has been taken as agreed. This system is commonly referred to as “follow-up.” In July 2016, The Institute of Internal Auditors issued Implementation Guide (IG) 2500 Monitoring Progress, which replaces the old Practice Advisory.

Monitoring System

Wouldn’t it be nice if management implemented all of internal audit’s recommendations immediately? Then there would be no need for a monitoring system. I am sure this is never the case.

Our credit union internal audit department started our monitoring process with the audit report. At the end of the audit report narrative, internal audit listed the recommendations, and a date for management’s expected response to the report. The official audit report included management’s response to each recommendation (whether they agreed or disagreed), and management’s date for implementation of corrective action. Management’s implementation date was the basis for audit’s subsequent monitoring. If the monitoring process starts with the audit report, it is best to obtain from management a concrete response to recommendations, rather than “we’ll look into it” or “we’ll research the issue.” It is much harder to pinpoint corrective action compliance without a concrete response.

Format

According to IG 2500, monitoring processes can be sophisticated or simple, depending on the complexity of the credit union and the availability of software. The guidance does not recommend any particular format. Probably every credit union internal auditor has a different process, with different levels of automation and detail.

For most of my career, our internal audit went the simple route, using an Excel spreadsheet to monitor progress. However, many credit unions are using audit software. Our Excel follow-up report was in landscape format with the audit report number and title, date the report was issued, name of the manager responsible for corrective action, list of audit recommendations (stated very succinctly), implementation date from management’s response to the audit report, and the status of corrective action. This report is very similar to suggestions in IG 2500 for information tracking. Audit listed all the audit reports and recommendations in this table. Later in my career, the credit union’s IT database administrator devised an Access database for follow-up with fields that mirrored the Excel table.

Whether Excel or Access, internal audit issued a monthly follow-up report to management for their review of outstanding recommendations. When a recommendation was implemented, audit would note the implementation date on the report, and then the recommendation would drop off subsequent reports. Once all the recommendations for a particular audit were implemented, the audit would drop off the follow-up report. Some credit unions’ monitoring reports may be less frequent (e.g. quarterly or semi-annually).

Management Expectations

There is still frequent interaction between credit union internal audit and management after the audit report is issued, until corrective actions are implemented, so it is important to maintain open communications with management. IG 2500 says that internal auditors should get a clear understanding of what information, and what level of detail, senior management and the board of directors expect from internal audit’s monitoring process. The board and senior management may only want to know about the status of significant risks, or a summary report (e.g. the number of outstanding issues by department). Our audit department’s follow-up report listed the status of all recommendations.

Some credit unions may address follow-up expectations in the internal audit charter. In addition to the charter (which was on a high level), our audit department had a “Memorandum of Agreement” with management on the conduct of audits and management’s responsibility to respond and implement agreed-upon recommendations.

However, I admit that follow-up was a constant thorn in internal audit’s side. Our management generally agreed to implement audit’s recommendations, but the recommendations would not get implemented in a timely manner. This was frustrating as the impetus for change decreases as time goes by. Our Excel/Access report would run as long as 3-4 pages of outstanding recommendations (but I was also a prolific audit report writer). Internal audit understood that management had many pressing issues and limited time, and that audit reports were not always on the top of management’s priorities. However, there is no point in agreeing to do something if it doesn’t get done. Also, there’s no point in conducting an audit if the results are ignored. The whole point of an audit is identifying where corrective action is needed. Internal audit’s credibility takes a hit when corrective action is not implemented; lagging corrective action would seem to point to internal audit not being taken seriously.

IG 2500 suggests getting management’s input on ways to create an effective and efficient monitoring process. For a long time our credit union never seemed to get a handle on this. Internal audit tried many avenues to get the credit union’s attention to untimely corrective action. We tried providing the follow-up table monthly for Supervisory Committee meetings. At one point we issued the follow-up table to the Board of Directors. We had a monthly meeting with the CEO to discuss the follow-up report. We documented in the follow-up table’s status column management’s response to our follow-up queries, and documented any non-responsiveness. However, nothing seemed to make a difference.

Finally, the VP Risk Management was given responsibility for ensuring management’s implementation of audit recommendations. This was the best solution for our credit union. The VP Risk Management was the impetus to migrate from the Excel spreadsheet monitoring system to the Access database (and had the clout with IT to get the database developed in-house). The VP Risk Management had access to the Access database, where he could update the status of corrective action.

Effectiveness

IG 2500 says the monitoring approach may be based on the level of risk and available resources. The guidance doesn’t give any recommendations for effective monitoring practices, but suggests networking with other internal auditors to determine best practices. This is the value of ACUIA networking.

Our internal audit department monitored the implementation of ALL audit recommendations. Perhaps it would be more effective to just monitor higher risk issues, but I can’t see just letting less significant issues slide by. We monitored the implementation of corrective action at management’s stated expected implementation date, and if not yet implemented, asked for a new implementation date and then would follow up on that date. However, this is not effective if this process goes on forever.

Once management states that corrective action has been taken, credit union internal auditors should verify that the corrective action is adequate to correct the underlying issue, which might require some testing or other audit procedures. Internal audit should not rely on management’s assertion that corrective action has been taken or is adequate. Some audit departments may delay this testing until a future audit of the area, or perform a special “follow-up” audit. Our audit department routinely monitored the adequacy of corrective action as part of our monthly follow-up activities; then if the issue proved corrected, the issue was dropped from the follow-up table. Though we routinely reviewed corrective action status, we would also ensure that the corrective action was still in place at the next scheduled audit of that area.

For audit planning purposes we tracked follow-up activities separately from the relevant audits. Generally, our audit department spent 4 hours a month on follow-up, including updating the spreadsheet/database. That is 48 hours annually, which if not spent on follow-up would have allowed us to add another audit to the audit plan. Internal audit should ensure there is time built into the audit plan for follow-up.

External Recommendations

Internal audit may be asked to take the same monitoring approach to recommendations made by external auditors or examiners, particularly if the monitoring system is working well for internal audit recommendations. I suggest that this is a management function, but internal audit should gladly share the monitoring system developed by internal audit. I prefer that internal audit stick to internal auditing.

The failure to follow up is an audit risk. IG 2500 guidance concludes by stating that capturing and measuring positive improvements based on the execution of corrective actions is considered a leading practice. To this end, internal audit departments should have a formal, documented, routinely updated exception tracking system, with corrective action status reports prepared for senior management and the board. This documented tracking system also fulfills the requirements of Standard 2330, which requires that internal auditors document relevant information to support audit’s conclusions and audit results. See also Standard 2060, which requires reporting to the board of directors and senior management on significant risk exposures and control issues.

About the Author Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.



Reno Wrap-Up

The 26th Annual ACUIA Conference and One-Day Seminar kicked off in Reno with a little different feel – the One-Day sessions are no more. This year, ACUIA revamped the conference program with more interactive and hands-on sessions designed to solicit more participation from the attendees. And it worked! The One-Day Seminars were broken up into half-day sessions that allowed for more topics and more speakers. There was something for everyone!

The Welcome Reception reprised the widely popular ACUIA FEUD gameshow and this year was better than ever. Emmy Award® winning host Todd Newton led the game participants in the wild and free-wheeling fun that produced some memorable responses.

Wednesday morning as everyone settled in for the business at hand, Todd kicked off the conference with an insightful presentation “The Choice is Yours: Six Keys to Putting Your Best Into Action”. Other presentation highlights included former White House photographer and Pulitzer Prize winner David Hume Kennerly, who took the audience behind the scenes of history from the vantage point of his famous lens. Former NCUA General Counsel Bob Fenner delved into the facts on NCUA exam rights, and returning top-rated speakers Tom Glatt and Ann Butera dug deep into internal audit relationships and function within the credit union organization.

Take a look at these photos from the conference – we look forward to seeing you next June 20th – 23rd in San Antonio!


Regional News

REGION 1

Director: Julie Wilson
Director Internal Audit, iQ CU
360.992.4233
juliew@iqcu.com

Region 1 has a one-day meeting scheduled for October 3rd. Moss Adams, LLC will be hosting the meeting at their Portland, Oregon office. We are currently working on the agenda, but we promise it will be jam packed with exciting discussions from excellent speakers.

REGION 2

Director: Tara Tocco
Internal Audit Manager, Hughes Federal Credit Union
520-205-5744
TTocco@hughesfcu.org

The Region 2 Conference is scheduled for November 3rd and 4th at One AZ Credit Union in Phoenix. We have several great speakers lined up including Todd Newton!

REGION 3

Director: Greg A. Czyzewski, CPA, CIA
AVP Internal Audit, Teachers Credit Union
574.284.6451
gczyz@tcunet.com

There is lots of news for Region 3! The annual Region Three meeting will be held on October 5, 6, and 7 at Baxter Credit Union in Vernon Hills, Illinois – a great location! Doug Wright and his team always do an excellent job hosting. There will be plenty of interesting topics including Compliance Hot Topics, Forensics, ERM, Common Audit Findings, and a Best Practice Round Table Discussion. AND lots of great restaurants in the area. Come join us for what promises to be a great meeting!

Minnesota Chapter
Ashley Shrode reports: We had our annual chapter meeting at TruStone Financial CU on May 20th. We had speakers from WipFli, CliftonLarsonAllen, and the Bureau of Criminal Apprehension. Topics discussed included interest rate risk environments, TRID compliance, and financial crimes. We also had open discussion on “hot topics” and areas of concern. We had a great turnout from individuals in both Minnesota and Wisconsin.

Wisconsin Chapter
Karla Hodgkins reports: The Wisconsin Chapter Meeting was scheduled for Wednesday, August 17, 2016 from 9:00am to 2:30pm at CoVantage Credit Union in Wausau, Wisconsin. Topics included Bank Secrecy Act, Cybersecurity, Fraud and Fraud Identification, and Current Expected Credit Loss (CECL).

Michigan Chapter
Kathleen Schaefer reports: The Michigan Chapter of the ACUIA held a lunch and learn on Tuesday, August 30th. Kathy Enbom from Wipfli presented on the topic of Auditing the TRID and touched on recent updates from the CFPB regarding mortgage servicing guidelines. Thank you to CASE Credit Union at 2400 West Road, East Lansing, MI for hosting the event. Our next meeting is tentatively scheduled for late November.

A big thank you to all the chapter coordinators for their work!

REGION 4

Director: Patrick McCollough, CIA, CISA, CRMA
AVP/Director of Internal Audit, Arkansas Federal Credit Union
501.533.2275
pmccollough@AFCU.org

No news for Region 4. Please contact Patrick for information.

REGION 5

Director: Michael P. Moreau, CIA, CFE, CFSA
Manager Credit Union Services, Macpage LLC
mpn@macpage.com

No news for Region 5. Please contact Mike with questions.

REGION 6

Director: Jason Alexander, MBA, CICA
Director of Internal Audit, LGE Community Credit Union
770-421-2579
jasona@LGEccu.org

No news for Region 6. Contact Jason with any regional questions.



Region Directors

REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: Greg Czyzewski, CPA, CIA, gczyz@tcunet.com
REGION 4: Patrick McCollough, pmccollough@AFCU.org
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, mpn@macpage.com
REGION 6: Jason Alexander, jasona@lgeccu.org

Chapter Coordinators

Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Jason Garlutzo, Jason.Garlutzo@azstcu.org
CALIFORNIA CHAPTER: VOLUNTEER NEEDED!
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com
HAWAII CHAPTER: Nikki Ige, Nige@kcfcu.org

REGION 3
INDIANA CHAPTER: Jeff Watson, jwatson@iucu.org
MINNESOTA CHAPTER: Ashley Shrode, Ashley.Shrode@thrivent.com
MICHIGAN CHAPTER: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
WISCONSIN CHAPTER: Karla Hodgkins, khodgkin@Covantagecu.org

REGION 4
NORTH TEXAS CHAPTER: Kimberly Wiersema, kawiersema@hotmail.com
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6
GEORGIA CHAPTER: Jason Alexander, jasona@lgeccu.org
FLORIDA CHAPTER: Lourdes Camacho, lourdesc@sccu.com
NORTH CAROLINA CHAPTER: VOLUNTEER NEEDED!
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org

