Volume 25, Issue 4, 2016
The Magazine of the Association of Credit Union Internal Auditors, Inc.
MILITARY LENDING ACT: YOUR MARCHING ORDERS HAVE ALREADY COME THROUGH
CYBERSECURITY: EVALUATING YOUR READINESS FOR THREATS
THE STANDARDS: NEW CORE PRINCIPLES BRING NEW STANDARDS
ESTIMATING CREDIT LOSS
{ contents }
FEATURES
Estimating Credit Loss: Internal audit considerations for CECL. Anne Coughlan and Derek Stahlman, CPA
Military Lending Act: October 3rd has come and gone. Are you compliant? Jeanne Couchois, Esq.
How Strong Are Your Walls? Evaluating your cybersecurity preparedness. Nicholas Norton, MPAC and Durward Ferland, Jr., MBA
DEPARTMENTS
From the Editor: The Skill We Have in Common. Tabitha Ernst-Chadwick
Chairman’s Message: Another Success Story. John Gallagher
Member Spotlight: Kathleen Schaefer
The Standards: The Standards Evolve. Pat Richey
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Tabitha Ernst-Chadwick Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284
© Copyright 2016, ACUIA. All rights reserved.
{ from the editor }
The Skill We Have in Common
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
As auditors, compliance professionals, and risk management professionals, we are different in many ways – varied backgrounds, ideas, and responsibilities. But there is one skill/trait that we all probably share – without it we could not succeed in our professions: planning.
Once upon a time in a land far far away, planning wasn’t too difficult. We had routine tasks, annual risk assessments that dictated priorities in the coming year, and a fairly predictable compliance environment. Now, the only thing that’s predictable is that nothing is predictable. I started making compliance and risk plans in October that were turned upside down in November! External forces have always been a wild card to our planning, but those external forces and their dynamics have changed exponentially – politics, government agencies, consumer lawsuits, social media, security threats, …have you changed your planning strategies to encompass the full impact of this volatile environment?
The most unpredictable, yet arguably the most influential example is Politics. Regardless of the election results, the potential pendulum swing for your credit union is significant. How will you adjust audit, risk management, and compliance strategies? The pendulum could go far beyond interest rate risk…Which leads directly to the next example – our BFF – the CFPB. Hopefully you are not living in a bubble and have been adjusting your strategies as a result of recent industry-changing punitive actions. There was a brief ray of sunshine when the court ruled its structure to be unconstitutional, at least until you read beyond the headline. But now, coupled with the politics, is the structure and power of the CFPB uncertain enough to reconsider the strategies we just put in place last month?
www.acuia.org | THE AUDIT REPORT
While politics and CFPB are enough to keep us busy full-time, we still must keep all of the other risk, compliance, and audit juggling balls in the air, one of the most critical being the new, very scary, look of security. Obviously cybersecurity is crucial, and all of us have been working diligently to make our credit unions less sexy than the institution next door to would-be-hackers. But as you shift your security resources over to the IT world, don’t lose sight of the dramatic changes occurring in physical security. Is your credit union still using the same security program put in place back in 1947? Or have you had the foresight to update your policies and your training to address employee kidnapping and active shooter incidents?
I could write a 3-page article with examples of how our planning strategies are affected by this new dynamic reality (I didn’t even mention Social Media and BSA!) but I am out of room, so let’s get to the point. Take a step back from your old checklists. Grab your crystal ball with new perspective and reinvigorate those plans and checklists because 2017 promises nothing except more change and more surprise. Don’t stop planning, yet be flexible enough to change those plans at a moment’s notice (or I guess if you really want to punish yourself you could build lots of different plans…). If you already discovered the secret to total transformation of planning, give me a call and share your strategy. Happy New Year everybody!
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
2016 BOARD OF DIRECTORS
Chair John Gallagher, CUERME SEFCU (518) 464-5245 jgallagh@sefcu.com Term 2014 –2016 2016–2019
Vice Chair Margaret Chamberlain, CUERME Arizona State CU (602) 452-4960 Margaret.chamberlain@azstcu.org Term 2015–2017
Treasurer Barry Lucas, CPA, CIA, CFSE Desco FCU (740) 354-7791 (ext. 3334) barryl@descofcu.org Term 2015–2017
Secretary Dean Swenson, CPA Wings Financial FCU (952) 997-8131 dswenson2@wingsfinancial.com Term 2015–2018
Director Bobby Nichols State Employees CU (919) 839-5338 bobby.nichols@ncsecu.org Term 2015–2018
Director Jill Meznarich Schools First FCU (714) 466-8676 jmeznarich@schoolsfirstfcu.org Term 2015–2018
Director Doug Wright, CPA, CFE, CUCE Baxter CU (847) 932-8765 doug.wright@bcu.org Term 2016–2019 2015–2016
Associate Director Kimberly Wiersema, CIA kawiersema@hotmail.com
ACUIA EXECUTIVE OFFICE
ACUIA Executive Office 1727 King Street Suite 300 Alexandria, VA 22314
(703) 688-2284 acuia@acuia.org
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
{ chairman’s message }
Another Success Story
John Gallagher
A new event—the Certified Credit Union Internal Audit School—exceeded all initial expectations and quickly sold out.
As I begin drafting this message I am also in the midst of preparing for the Board’s Annual Strategic Planning later this month. At this time of the year, it is beneficial to reflect back on where we have been and where the Association is going.
This past year has been another success story for ACUIA. We began the year with strong membership renewals. Our member number counts remain consistent with those of past years with a bit of an uptick. We also experienced enhanced commitments by many of our vendor partners.
On an educational, development, and networking perspective ACUIA continued to deliver high quality programs with numerous networking opportunities. Thus far in 2016 ACUIA has offered its annual conference (held in Reno, NV), held regional meetings in all six regions, conducted numerous chapter meetings, and presented five topical webinars with more on the way prior to year-end. And above all of that we introduced a new event, the Certified Credit Union Internal Audit School in October, at which nearly seventy attendees successfully completed the required examination and earned the CCUIA designation. This program was developed jointly through a recent partnership formed between ACUIA and CUNA. This inaugural event held in Denver exceeded all initial expectations and was quickly sold out. In fact response was so great we added an additional 25 seats for the event and still had to create a waiting list! The next certification school is scheduled to be held March 27 – 30, 2017 and looks to be sold out as well! We are extremely pleased with the response from our members and the support shown from their credit union management and supervisory committees. We believe that this program and certification designation will serve to further promote more awareness and recognition to the profession of credit union internal auditors.
WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.
On the technology front ACUIA has been in the process of updating many facets of our website and related servers. While many of the enhancements are behind the scenes, the intent is to allow our members a better experience when visiting the site. This includes faster speeds, better graphics, and more interface with current industry news and social media posts.
I am also pleased to note that we have added many Chapters this year. The benefit of our Chapters is that they allow our members to meet and network with each other in a smaller, less formal setting to discuss current internal audit topics, best practices, or upcoming changes in the regulatory environment. I encourage everyone to participate and take advantage of these networking opportunities.
Looking ahead to 2017, our next annual conference is scheduled for June 20 – 23 at the Grand Hyatt in San Antonio, Texas. It has been several years since ACUIA last visited the state of Texas. I hope you will plan to join us at this worthwhile event. Beyond the conference the Board will be discussing many ideas and concepts during the upcoming Strategic Planning session. Until then, I wish you all a very happy and enjoyable holiday season!!
ESTIMATING CREDIT LOSS
Internal Audit Considerations for CECL
ANNE COUGHLAN AND DEREK STAHLMAN, CPA
In June 2016, the Financial Accounting Standards Board (FASB) released the long-awaited standard updating the guidance on recognition and measurement of credit losses for financial assets. Accounting Standards Update (ASU) 2016-13, Financial Instruments-Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments, supersedes today’s guidance and applies to all entities that hold financial assets not measured at fair value through net income. This has come to be known as the current expected credit loss model (CECL).
FASB has staggered adoption dates for the standard, with different dates for large and small public business entities and all other entities, which specifically includes not-for-profits. Most credit unions will fall into the third category, and this new guidance will be effective for annual reporting periods beginning after December 15, 2020, and interim reports beginning after December 15, 2021—which means 2021 for annual financial statements and first-quarter 2022 for call reports.
CECL Model
FASB has replaced today’s “incurred loss model” with an “expected credit loss model.” At inception and at each reporting date, entities will recognize an allowance for lifetime expected credit losses for instruments within the ASU’s scope. The amount recognized will be based on the current estimate of contractual cash flows not expected to be collected. Subsequent changes in the allowance for credit losses will be immediately recognized through net income. In comparison to an incurred loss model, an expected loss model will result in earlier loss provisions and require significantly more management judgment to estimate future losses. Entities will have flexibility to develop the methods to estimate and measure expected credit losses as long as they are appropriate, practical and consistent with the principles of the guidance. Credit unions may apply different estimation methods to different groups of financial assets. Smaller institutions are not required to implement complex or costly models when adopting the new standard; however, this will still require substantial changes to policies, procedures and technology to comply with the standard.
Range of Information
FASB has broadened the information a credit union is required to consider in developing its credit loss estimate. Under current generally accepted accounting principles (GAAP), an entity usually considers past events and current conditions in measuring credit losses. The ASU requires the loss estimate to include relevant information about past events, current conditions and reasonable and supportable forecasts. A credit union only needs to consider information reasonably available without undue cost and effort and can use both internal and external information—including qualitative and quantitative factors—to estimate expected credit losses. For periods a credit union is unable to make a reasonable and supportable forecast, it would revert to historical credit loss experience.
[Figure: START: Begin with historical losses ➡ ADJUST: Look forward for a “reasonable” period ➡ REVERT: Revert to historical averages]
Individual Versus Pooled Assessment
During the standard’s drafting, credit unions were concerned they would be required to pool financial assets when measuring expected credit losses. The final standard’s language better conveys that smaller institutions can develop credit loss estimates on a pooled basis if the assets share similar risk characteristics—if not, an individual evaluation is appropriate.
Regulatory Expectations
The allowance for credit losses is the most significant estimate at most credit unions and already is subject to detailed scrutiny and second-guessing by regulators and auditors. Shortly after the standard was issued, a group of four banking regulators—including the National Credit Union Administration—issued a joint statement with initial supervisory views on the CECL model that included these highlights:
■■ Benchmark targets or ranges for the change in allowance levels upon CECL’s adoption will not be developed by banking regulators.
■■ Third-party service providers are not required to calculate allowances for credit losses.
■■ Different estimation methods may be applied to different groups of financial assets.
■■ Smaller and less complex institutions will not need to implement complex modeling techniques.
■■ Institutions are encouraged to build strong processes and controls over their allowance methodology.
The regulator’s goal is to ensure consistent and timely communication, delivery of examiner training, and issuance of supervisory guidance pertaining to the new standard. The agencies will consider the needs of smaller and less-complex institutions in determining the nature and extent of supervisory guidance. Detailed guidance from the regulators will be crucial to address scalability and documentation requirements to support the increased judgment required by the new standard. To date, no additional details have been provided.
In the absence of specific guidance, management should educate themselves, the audit committee and supervisory committee about the changes, determine which existing processes can be leveraged, and review the costs and benefits of the various approaches available under the standard; the approach chosen will have a direct impact on the data requirements. Starting early with the right data will give credit unions the flexibility to test multiple methodologies before CECL implementation in 2021.
CREDIT UNIONS WILL NEED TO CAPTURE AND RETAIN MORE DETAILS ON THEIR LOAN PORTFOLIOS, BORROWERS AND ECONOMIC FACTORS. WITH THE RIGHT DATA CREDIT UNIONS WILL BE ABLE TO BETTER DEFEND THEIR CECL CALCULATIONS TO AUDITORS AND EXAMINERS.
Audit Implications
While the effective date for credit unions is several years away and regulators are just starting to develop their specific guidance and examination approaches, planning now for new internal controls and documentation requirements will help to ensure a smooth transition. The CECL model likely will change internal audit’s risk assessments and audit approach. Due to the estimation uncertainty, materiality of the loan loss provision, level of judgment on key data and assumptions, the new model is likely to give rise to one or more significant risks of material misstatement. Some of the challenges include:
■■ Forward-looking view and subjectivity can be challenging to support
■■ Complex, material estimates will require strong internal controls, including governing body oversight
■■ Increased regulatory scrutiny
Data Governance
Data governance is a set of processes that ensures important data assets are formally managed throughout the enterprise. Data governance ensures data can be trusted and people can be made accountable for any adverse event that occurs due to low data quality. Credit unions may need to develop or strengthen their processes for data gathering and retention given the need for more data for life of loan and forward-looking CECL calculations. Data governance procedures should be formalized to ensure all data used in the credit loss estimate is consistent, accurate, complete, timely and secure. Data requirements should be well-documented and auditable, and data ownership must be clearly established. Credit unions should begin to assess where data will come from, how much is enough and how to apply data to a forecast methodology that will provide meaningful and auditable results.
Historical Data
FASB expects the estimate of expected credit losses will be based on historical loss information for financial assets of a similar type and credit risk. Under CECL, annual charge-off data will no longer be relevant. For life of loan credit loss calculations, credit unions will need to store additional data on a regular basis. Additional loan details to be saved at least quarterly include book balance, risk ratings, interest rate, origination date and transaction detail of charge-offs and recoveries. Examiners and auditors will require greater quantitative support for the qualitative factor adjustments.
Forward-Looking Data
Management and internal audit will need to understand the implication of the use of forward-looking data and assumptions, especially if that data is obtained outside the credit union. Experienced credit experts likely may disagree about the appropriate assumptions for a given circumstance, and even minor differences in assumptions can give rise to a large range of loss estimates. Considerations include:
■■ How many and which scenarios to use
■■ Probability and weight for each scenario and how it is determined
■■ Where to obtain the data
■■ How to factor inputs from various sources
■■ How to match the data and assumptions with loan maturity
Credit unions can prepare by analyzing the primary drivers of losses in today’s loan portfolio and tracking those items to the most relevant national, regional or local economic data. Not only will the new standard potentially require the collection and use of a broader range of data than is used under the current standard, some of this new data may be sourced from both internal loan systems and external data sources that are not part of traditional accounting systems and have not previously been subject to audit procedures. Internal audit will need to determine how to address these systems and data in the audit. Some data sources or assumptions may have a greater effect on the loss estimate than others, e.g., a portfolio of residential mortgages may be particularly sensitive to changes in prepayment rates or unemployment rates for a geographic region. It may be inappropriate to apply national or global data to a credit union’s smaller, more diverse lending portfolios.
Forecast Period
Credit unions will need to determine the appropriate forecast period. Economic cycles tend to have several years of low levels of charge-offs followed by short periods of high charge-offs. Local and regional recoveries often deviate from national averages. When historical averages are the starting point for loss estimates, large adjustments based on management’s judgment likely will be required to arrive at an actual loss expectation. FASB’s basis of conclusion notes that recent history may not represent a sound basis for life of loan loss expectations. Credit unions will need several years of data to support forward-looking calculations.
REVERSION TO HISTORICAL AVERAGE IS APPROPRIATE FOR PERIODS BEYOND A CREDIT UNION’S ABILITY TO FORECAST USING REASONABLE COST AND EFFORT.
Portfolio Segments
In evaluating loans on a collective basis, aggregation should be on the basis of similar risk characteristics. Management judgment will determine what constitutes a “similar” risk characteristic, but this should be supported by accurate, observable data for regulators and auditors. Management judgments are high-risk areas that require strong internal controls. Examiners also will evaluate if the portfolio segmentation is consistent across the organization. Management will need to appropriately group credit exposures into portfolio segments with sufficient granularity to appropriately forecast expected credit losses. Having an inaccurate origination date, maturity date, interest rate or collateral value in the system today should not significantly affect an allowance estimate. Using an incorrect date for forward-looking allowance estimates could have a material effect on the financial statements. Controls to ensure accuracy, proper updating and security of the data will take on increased importance. Credit unions must remove a loan from a pool if its risk characteristics are no longer similar to other loans in the pool, e.g., changes in credit risk, borrower circumstances and recognition of write-offs or cash collections. Management must assess whether the asset should be moved to another pool with similar risk characteristics or if the asset’s credit loss measurement should be performed individually. Controls and supporting documentation will need to be developed around the portfolio segmentation process as well as subsequent moves in and out of portfolio segments.
Loan Origination
Internal control requirements over loan origination may expand under CECL. This is generally considered an operational function, but under CECL the loan origination will create a loss expectation and could be considered a new process within the financial audit. Credit unions will be required to ensure that factors underlying loss expectations are appropriately identified and tracked, e.g., appraisals underlying loan-to-value ratios on collateral.
Commitments
Under current GAAP, the recognition of liabilities for commitment agreements is based on a probable and estimable criteria. Methodologies will need to be adjusted to fully capture the life of contract exposure under CECL. Off-balance sheet credit exposure will need to consider both the likelihood and amount expected to be funded over the commitment’s estimated life. Funding probability on the commitment could be based on internal or external data. This data may not be needed immediately, but building up a solid history of detailed data will give credit unions the flexibility and resources to adjust their models as needed.
Conclusion
Successfully implementing the new credit impairment standard will require significant time and cross-functional resources. Upfront planning for data collection and developing and documenting new internal controls around the additional information required will ensure a smooth transition.
About the Authors
Anne Coughlan, Director
Anne serves as a firmwide technical writer for BKD. She provides technical research and incorporates regulatory intelligence into in-depth articles and guidance, marketing materials, and course development. Prior to joining BKD, Anne worked at several international investment banks with extensive experience with U.S. and international financial and regulatory reporting. Anne is well-versed in technical accounting, internal control, compliance, and governance issues. She is a member of the American Institute of Certified Public Accountants, Indiana CPA Society and a graduate of New York University, New York with a B.S. degree in accounting and an M.B.A. in finance.
Derek Stahlman, CPA, Senior Manager
Derek, a member of BKD National Financial Services Group, has more than eight years of experience providing audit and accounting services to a broad range of clients. His background includes performing audits for mid-to-large size businesses, primarily in the financial services, manufacturing, retail, and distribution industries. In addition, he has significant experience with employee benefit plan audits. He is a member of the American Institute of CPAs, Texas Society of Certified Public Accountants and San Antonio CPA Society. Derek is a 2007 graduate of Trinity University, San Antonio, Texas, with an M.Acc. degree and a B.S. degree in business administration. He also is a 2015 graduate of the SW Graduate School of Banking at Southern Methodist University.
OCTOBER 3RD HAS COME AND GONE. ARE YOU COMPLIANT?
JEANNE COUCHOIS, ESQ.
Make no mistake, the Military Lending Act (MLA) and implementing regulations impact every credit union, regardless of field of membership, that offers open-end or closed-end loans to a covered borrower. A covered borrower is defined as an active duty service member, including active reservist and National Guard and their dependents. It is essential that credit unions modify policies and procedures to comply with the MLA, as the penalties for non-compliance have increased.

The MLA enacted in 2006 provided protection to covered borrowers from abusive practices associated with predatory lending. The initial regulations imposed limitations on the cost and terms of three specific loan products: payday, vehicle title, and refund anticipation loans. With the passage of the Dodd-Frank Act in 2010 the Consumer Financial Protection Bureau and the Department of Defense (DoD) were required to strengthen protections for covered borrowers from predatory lenders. In July 2015, the Department of Defense issued a final rule amending the MLA regulations, and these regulations had a compliance date of October 3, 2016 for all aspects of the new rules except credit cards; the Department of Defense extended the compliance date for credit cards to October 3, 2017.
The new rule extends the protections of the MLA to a much broader range of closed-end and open-end loans within the scope of Regulation Z. In order to develop effective policies, procedures, and training, credit unions need to review the scope of the final rule, to whom the rule applies, what disclosures must be provided to covered members, as well as the cost of non-compliance.
Expanded Scope
The DoD expanded the scope of the regulation to more closely align with Regulation Z’s definition of consumer credit. Consumer credit is defined as credit offered to a covered borrower primarily for personal, family or household purposes and that is subject to a finance charge or payable by a written agreement in more than four installments. The MLA applies to closed-end loans such as installment loans, payday loans, private student loans, vehicle title loans, and tax refund anticipation loans, as well as open-end loans such as lines of credit and credit cards. It also includes loans to refinance a vehicle. Several consumer loans are specifically excluded by the new regulations: mortgage loans secured by an interest in a dwelling, including a loan to finance the purchase or initial construction of the dwelling; any loan to finance the purchase of an automobile or motor vehicle when the loan is secured by the vehicle; or any loan to finance the purchase of personal property when the loan is secured by the property being purchased.
Safe Harbor
When a member applies for a loan covered by the MLA, the credit union must determine if the member qualifies as a covered borrower. Under the initial MLA, credit unions were permitted to rely on information obtained from members to determine if they were covered borrowers. However, beginning October 3, 2016 the burden of determining if the member is a covered borrower shifted to the credit union. Credit unions may no longer simply ask members to check a box to determine eligibility; a credit union is afforded a safe harbor if it uses one or both of the following methods to determine if the member is a covered borrower:
■■ Access the DoD’s Military Lending Act database which maintains personal information for active duty service members and their dependents. Note: If this method is used the credit union should develop backup procedures for those instances when the database is inaccessible.
Or
■■ Obtain a credit report from a nationwide consumer credit report agency (CRA). Note: Credit unions should verify that their CRAs are ready to provide the needed information as well as develop procedures and training for staff on the “new” credit reports.
A credit union must maintain documentation that shows compliance to receive the safe harbor.
Disclosures
Credit unions are still required to provide a disclosure to covered borrowers informing them of their rights under the MLA, but the disclosure has been simplified. The final rule eliminated several provisions that were required in the original MLA:
■■ the “clearly and conspicuously” language;
■■ the statement of federal protections;
■■ the periodic rate of the Military Annual Percentage Rate (MAPR); and
■■ the total dollar amount of all charges included in the MAPR.
Effective October 3, 2016, the contents of the disclosure must include a statement of the MAPR and a clear description of the payment obligation. The payment obligation requirement is met when a credit union provides a payment schedule for closed-end loans and an account opening disclosure for open-end loans. The disclosure must be in writing in a form the member can keep AND it must be provided verbally to the member. For those loans consummated remotely or electronically, a credit union can comply with the verbal requirement by providing the member with a toll-free number. Note: A credit union’s procedures and training should be updated to address how the credit union will respond to those covered borrowers that call the toll free number.

Military Annual Percentage Rate (MAPR) Limit
The MAPR is the cost of credit expressed as an annual percentage rate, which cannot exceed 36 percent for applicable loans made to a covered borrower. For closed-end loans the MAPR applies at time of consummation, however for open-end loans the MAPR applies for each billing cycle. If there is no balance during a billing cycle then the only fee that can be charged is a participation fee, which cannot exceed $100 per year regardless of the billing cycle in which the fee is imposed. The MAPR calculation includes:
■■ interest
■■ other finance charges
■■ premiums or fees for credit insurance
■■ charges for single premium credit insurance
■■ fees for a debt collection contract or a debt suspension agreement
■■ fees for a credit-related ancillary product sold in connection with the loan
■■ fees imposed for participation in any plan
■■ application fees
Several fees are specifically excluded from the MAPR calculation, including:
■■ a bona fide fee charged to a credit card account if reasonable
■■ for federally chartered credit unions, only the application fee, when making a short-term small amount loan (PAL loan). This exception is limited to one application fee charged in a rolling 12-month period.

Penalties
Non-compliance with the MLA may lead to costly penalties for credit unions. For example there are regulatory actions by NCUA, a misdemeanor (punishable by a fine or imprisonment up to one year or both), or the covered loan could be declared void from inception for non-compliance. A new penalty created by the final rule permits a covered borrower to sue the credit union civilly for actual damages (not less than $500 for each violation), punitive damages, equitable or declaratory relief, and reasonable attorney fees. It is worth noting that this penalty opens the door to class action lawsuits.

Limitations
The MLA also contains important limitations that credit unions must address when developing their policies and procedures. First, an agreement to arbitrate any dispute involving a loan covered by the MLA shall not be enforceable against any covered borrower. Secondly a credit union cannot require a covered borrower to waive his/her rights under the Servicemember Civil Relief Act. Lastly the final rule only permits the credit union to take a security interest in funds deposited after the extension of credit and in an account established in connection with the loan. The security interest requirement affects the standard cross collateralization clause and statutory lien clause found in most loan contracts.

In summary credit unions must modify applicable policies, procedures, and training for MLA compliance. Additionally, credit unions need to work with their attorneys and forms providers to ensure all lending documents comply with the MLA; contact their data processors to determine what changes need to be made; and develop an audit program to monitor their MLA programs.

About the Author
Jeanne Couchois, Esq.
VP Compliance and Regulatory Counsel
Carolinas Credit Union League
Jeanne is a North Carolina-licensed attorney with more than twenty years in the credit union industry. Prior to joining the CCUL, she worked in various roles for State Employees’ Credit Union, most recently as vice president of compliance and BSA officer. Jeanne is a graduate of the Campbell University School of Law and brings with her a passion for helping credit unions interpret and overcome complex regulatory issues.

to prepare a separate report. However, taking into consideration all the possible report recipients, we very carefully worded our audit reports. We took great pains with every word, and we never used names in an audit report, only position titles.

Standard 2440 talks about disseminating audit reports, which I’ll discuss in another article. However, PA 2410-1 says that if the conditions being reported involve senior management, the audit report should be distributed to the board of directors. Also, PA 2410-1 says summary reports may be issued to higher levels of management. Perhaps the CEO does not need or want the level of detail that internal audit provides to a manager or VP. We did not issue a summary report. However, that is why the first sentence in our audit report narrative was the conclusion that answered the audit objective question. The CEO didn’t need to go any further into the audit report than the 1st sentence if he did not need to know the details.

Audit reports might be released to outside parties. In this case, Standard 2410.A3 says the audit report should impose a limitation on outside parties’ use and distribution of the report and its information. Our audit reports were subject to review by the external audit firm and NCUA, but we did not have this disclaimer. If necessary, your legal counsel should be able to help you with a simple statement to include in the report (or is legal counsel and simple statement an oxymoron?).

Signed Reports
PA 2410-1 says that the authorized internal auditor should sign final audit reports, either manually or electronically. We did not sign audit reports, and I am not sure of the purpose of this practice. However, the PA states that the chief audit executive determines which internal auditor is authorized to sign the report. We were only a two-person department, so perhaps the advice did not apply to us. My staff auditor wrote the drafts and I edited until I was comfortable with the final report, and authorized the report issuance. The PA says that if reports are distributed electronically, internal audit retains a signed version on file. We were pretty much paperless; my goal was to rid internal audit of file cabinets. I would not have kept a piece of paper because it had a signature on it. However, the PA was issued in 2009, and subsequent versions may update this.

About the Author
Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
HOW STRONG ARE YOUR WALLS?
Evaluating your cybersecurity preparedness
NICHOLAS NORTON, MPAC AND DURWARD FERLAND, JR., MBA

Credit unions are being bombarded with cyber-attack warnings. Expectations to implement cybersecurity controls continue to rise. Regulators are issuing new cybersecurity tools and guidance, and members are expressing concern over the security of their financial data. The cybersecurity world seems to be a ball of confusion. To help provide clarity, Macpage LLC’s information assurance services group developed seven questions that will help credit unions evaluate their preparedness for some of the most common cybersecurity-related risks. Every organization, regardless of its size and complexity, should be able to answer “yes” to these seven cybersecurity questions. A lack of cybersecurity controls may make your organization more vulnerable to cyber attacks.
Are employees continuously reminded of their cybersecurity responsibilities and provided with annual cybersecurity awareness training?
Organizations should provide employees with annual cybersecurity awareness training that identifies current threats and vulnerabilities as well as techniques for mitigating them. In addition, organizations should have programs in place to continuously remind employees of their cybersecurity responsibilities, such as email campaigns, newsletter articles, and other awareness methods.
Are network devices adequately protected?
IDS/IPS: In addition to their firewall, organizations should have an intrusion detection system (IDS) or intrusion prevention system (IPS) that will detect or prevent inappropriate, incorrect, or anomalous activity and provide notification of the activity.
Anti-virus: Anti-virus software should be installed on all workstations and servers that are connected to the network or internet. The anti-virus software should be configured to check for updated virus definitions on a regular basis, at minimum daily. A centralized anti-virus management tool is recommended to help ensure that anti-virus is in place and virus definitions are updated on all workstations and servers and cannot be overridden by end users.
Patch management: A formal patch management process should be in place that ensures critical patches are installed in a timely manner and security flaws are remediated immediately upon discovery. Centralized monitoring of patch management is recommended to help ensure that patches and updates are applied as expected.
Hard drive encryption: Organizations should encrypt the hard drives on servers and workstations to ensure that sensitive data is stored encrypted and cannot be accessed by unauthorized parties if the hard drive is lost or stolen.

Are user accounts and their associated access levels on the network and critical applications reviewed on a regular basis?
Organizations should perform a documented review of user accounts and their access levels to verify that accounts of terminated users are disabled and accounts of current users have appropriate access levels based on their job description. The review should be performed by an employee independent of the administrative rights for the system being reviewed.
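One way to carry out the documented account review described above, shown as an added example that is not part of the original article: it reconciles an HR roster against an account export and flags enabled accounts of terminated users, access beyond the job description, and a reviewer who holds administrative rights on the system under review. The CSV columns, user names, group names, and role baseline are constructed for illustration.

```python
import csv
import io

# Constructed sample exports for illustration; column names are assumptions.
HR_ROSTER_CSV = """employee_id,status,job_title
1001,active,Teller
1002,active,Loan Officer
1003,terminated,Teller
1004,active,Network Administrator
"""

ACCOUNT_EXPORT_CSV = """username,employee_id,enabled,groups
arivera,1001,true,TellerApp
bchen,1002,true,LoanOrigination;WireApproval
cpatel,1003,true,TellerApp
dokafor,1004,true,DomainAdmins
epark,1005,false,TellerApp
svc_backup,,true,BackupOperators
"""

# Access each job title is expected to hold (assumed, taken from job descriptions).
ROLE_BASELINE = {
    "Teller": {"TellerApp"},
    "Loan Officer": {"LoanOrigination"},
    "Network Administrator": {"DomainAdmins"},
}

# Groups that grant administrative rights on the system being reviewed (assumed).
ADMIN_GROUPS = {"DomainAdmins"}


def review_access(hr_csv, accounts_csv, reviewer):
    """Return (username, finding) tuples for the reviewer to document."""
    roster = {row["employee_id"]: row
              for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        groups = {g.strip() for g in acct["groups"].split(";") if g.strip()}

        # Independence: the reviewer should not administer the system reviewed.
        if user == reviewer and groups & ADMIN_GROUPS:
            findings.append(
                (user, "reviewer has administrative rights on this system"))

        if not enabled:
            continue  # a disabled account cannot be used to log in

        employee = roster.get(acct["employee_id"])
        if employee is None:
            # Service accounts and orphans need a named owner on file.
            findings.append((user, "enabled account with no matching HR record"))
        elif employee["status"] != "active":
            findings.append((user, "enabled account for terminated user"))
        else:
            allowed = ROLE_BASELINE.get(employee["job_title"], set())
            excess = sorted(groups - allowed)
            if excess:
                findings.append(
                    (user, "access beyond job description: " + ", ".join(excess)))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER_CSV, ACCOUNT_EXPORT_CSV,
                                       reviewer="dokafor"):
        print(f"{user}: {finding}")
```

Keeping the printed findings with the date and the reviewer's name gives the documented evidence the review calls for.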
Are strong password parameters system-enforced on the network and critical applications?
Strong password parameters should be system-enforced for all accounts on the network and critical applications. At a minimum, these parameters should include: requirement for the password to be changed on the first login; minimum password length of seven characters; complexity requirements enforced; maximum password age of ninety days; minimum password age of ten days; password history of five passwords; and, account lockout after three to five invalid login attempts.

Does remote access require dual factor authentication?
Dual factor authentication should be required for all remote access to the organization’s systems. Dual factor authentication requires the user to present at least two of the following: something they know, such as a password or personal identification number (PIN); something they have, such as a token; or something they are, such as biometric identification.

Is critical data backed up on a regular basis, at minimum daily, and are backups tested?
The servers and workstations containing critical data should be backed up on a regular basis, at minimum daily, and the backups should be moved to an off-site location to help prevent data loss. In addition, backups should be tested on a regular basis, at minimum quarterly, to verify that the backup is functioning as expected and the data can be restored.

Is confidential information encrypted when it is sent outside of the organization’s network?
Encryption should be used when transmitting confidential information outside of the organization’s network.

This is not an all-inclusive list of cybersecurity controls, but rather the minimum controls that an organization should have in place. Additional controls will be required to address your organization’s specific operations.

To help evaluate your organization’s cybersecurity controls, Macpage offers cybersecurity controls reviews. Cybersecurity controls reviews result in prioritized recommendations that help identify areas of concern so that management can align controls with industry best practices and requirements. Following the cybersecurity controls review, Macpage provides you with recommendations for cybersecurity control improvements and we will meet with management to discuss the results of the cybersecurity controls review. For more information on Macpage’s cybersecurity controls review services visit www.macpagecybersecurity.com or contact Durward Ferland, Jr., Principal, at (207) 523-3355 or djf@Macpage.com.
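The password parameters listed in this article can be compared with what a Windows system actually enforces. The following added example (not from the original article or from Macpage) parses the text printed by the Windows `net accounts` command, assuming English-language output, and checks it against the article's minimums; the sample output is constructed, and complexity and change-at-first-login are not reported by that command, so they are outside this check.

```python
# Constructed sample of English-language `net accounts` output.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# The article's minimum parameters, keyed by the label `net accounts` prints.
# Lockout: the article says three to five attempts; a threshold below three is
# stricter than that range and is not flagged here.
BASELINE = [
    ("Minimum password length", "at_least", 7),
    ("Maximum password age (days)", "at_most", 90),
    ("Minimum password age (days)", "at_least", 10),
    ("Length of password history maintained", "at_least", 5),
    ("Lockout threshold", "at_most", 5),
]


def parse_net_accounts(text):
    """Map each printed label to an int, or None for Never/None/Unlimited."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if not sep:
            continue  # e.g. "The command completed successfully."
        value = value.strip()
        settings[label.strip()] = int(value) if value.isdigit() else None
    return settings


def check_policy(text):
    """Compare parsed settings with BASELINE; one result dict per parameter."""
    settings = parse_net_accounts(text)
    results = []
    for label, rule, limit in BASELINE:
        value = settings.get(label)
        if value is None:
            ok = False  # not reported, or the control is switched off
        elif rule == "at_least":
            ok = value >= limit
        else:
            ok = 1 <= value <= limit
        results.append({"setting": label, "value": value,
                        "requirement": f"{rule} {limit}", "ok": ok})
    return results


def failed_settings(text):
    """Labels of the parameters that do not meet the article's minimums."""
    return [r["setting"] for r in check_policy(text) if not r["ok"]]


if __name__ == "__main__":
    for r in check_policy(SAMPLE_NET_ACCOUNTS):
        status = "OK  " if r["ok"] else "FAIL"
        print(f'{status} {r["setting"]}: {r["value"]} ({r["requirement"]})')
```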
About the Authors
Nicholas S. Norton, MPAC – Manager
As an Information Assurance Services consultant, Nick performs a wide variety of diversified IT auditing tasks. He performs inquiries of client personnel regarding internal controls, information technology, and information security.

Durward J. Ferland, Jr., MSB, MBA – Principal
Durward helps lead information assurance services at Macpage and advises clients nationwide. With 14 years of experience in the field of IT-related internal controls, he has extensive knowledge of the Control Objectives for Information and Related Technology (COBIT), and specializes in identifying opportunities and developing effective controls.
{ member spotlight }
Kathleen Schaefer
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
All the way from Burton, Michigan, this Issue’s Spotlight is on Spartans-lover and Michigan Chapter Coordinator Kathleen Schaefer.
Kathy, tell us a little about yourself.
I am a Michigan State University graduate and a CPA. Currently I am the Internal Auditor at ELGA Credit Union in Burton, where I started the department from scratch upon being hired in 2015.

How did you initially get into auditing?
As an accounting major in college the expectation at the time was to join a public accounting firm, which I did. Upon entering that world, I was drawn to performing audits – I enjoyed the search for answers. I spent the first four years of my professional career as an external auditor specializing in financial institutions. When I left public accounting I held a variety of other positions, all of which in some way tied to the field of Accounting. Those several years during which I was away from auditing, I found I was still drawn to that field and found a position as an internal auditor in a place where I could also fulfill my mission to be of service to the community, a credit union! I’ve been involved in credit union internal auditing for the past five years.

Tell us a little bit about your continuing education. Do you have any professional certifications?
Well, as I mentioned earlier I am a Certified Public Accountant and have maintained that certification. I feel that the process of obtaining that certification (part of which required 2 years of public accounting experience in Michigan & 3 years in Indiana at the time) allowed me to experience a wide range of situations. Since my focus was on financial institutions, I was able to apply my audit experience to my current position at the credit union.
In addition to having a CPA license, I will be attending CUNA’s Enterprise Risk Management School where I hope to become a CUERME. This designation will enable me to assist ELGA in establishing an enterprise risk management program and thus provide a value-added service to the credit union.

During your tenure in the audit and accounting industries, what have been the most significant changes?
I think the biggest change to the industry has been the exponential growth in the number of regulations to which credit unions are subject and which we must incorporate into our audits.
In addition, technology has changed significantly from my early years as an auditor. When I started as an external auditor, reports were provided in huge books of green-bar paper, loan files were only maintained in paper form, and 10-key calculators were a must for all the manual reconciliations.

What are the major challenges auditors must face today and how can they overcome those challenges?
A major challenge facing internal auditors today is the need to balance time as a consultant providing added value to the credit union and time for the completion of audits to test the controls and reporting of the organization. An internal auditor must find the time to attend meetings, perform audits & report on findings, and stay on top of all the changes to accounting principles & credit union regulations, as well as be knowledgeable of the latest products and delivery methods and their associated risks. As a result, perhaps our most valuable skills are the abilities to stay focused on the priorities and to embrace change.

What advice would you give to a new auditor just entering the field?
I would recommend that new auditors keep in mind the “why” behind what they are doing:
■■ Why am I performing this particular audit step this way? What am I trying to accomplish?
■■ Why is this test important to the audit as a whole? What is the concern?
■■ Why is this audit part of my risk based testing? What effect do the results have on the organization?
■■ Why am I here? What does internal audit add to the organization?

Let’s switch gears and talk about ACUIA. How long have you been a member and what do you feel are the most valuable aspects of membership?
I have been a member since first becoming a credit union internal auditor in 2012. For me, attending the annual conference is the most rewarding benefit. It’s an opportunity to gain training on relevant, current topics and to network with others in the same field. I also enjoy the volunteer opportunities and enjoy being a Chapter Coordinator.

FUN FACT ABOUT KATHY:
My favorite sports team is the Michigan State Spartans (and yes, I am still willing to admit this even during a dismal football season. Their current season reminds me of the years I attended the games as a student more years ago than I care to admit!)
{ the standards }
Pat Richey, Retired credit union internal auditor
The new Core Principles added to our professional canon in July bring with them changes to the official standards.
In July 2015, The Institute of Internal Auditors (IIA) added a set of ten “Core Principles for the Professional Practice of Internal Auditing” (Core Principles) to the International Professional Practices Framework (IPPF). With the addition of these Core Principles to the IPPF, the IIA decided changes were needed to the International Standards for the Professional Practice of Internal Auditing (Standards). The revised Standards are effective January 1, 2017. This article describes some of the changes.
New Terms
In accordance with the updates to the IPPF, there are new terms in Standards 1000 and 1010 which are related to the purpose, authority and responsibility of internal audit and recognizing mandatory guidance in the internal audit charter. Standards 1000 and 1010 now refer to “the Mission of Internal Audit” and the “mandatory elements” of the IPPF. The mandatory elements of the IPPF include the Core Principles, the Code of Ethics, the Standards, and the Definition of Internal Auditing (but not the Mission).
However, 9 references to the “Definition of Internal Auditing” were removed from the Standards and Interpretations as the term is embodied in the Standards and the Code of Ethics. The title of Standard 1010 now refers to mandatory guidance, rather than the Definition of Internal Auditing.
Two New Standards
Standard 1112 is a new standard related to chief audit executive (CAE) independence. The Standard addresses the situations where the CAE has, or is expected to have, roles outside of internal auditing. For example, a CAE may be expected to head up the credit union’s compliance efforts, or other risk management duties, which combines internal audit activities with credit union operations. In this case, the credit union must ensure that there are safeguards in place to limit impairments to the CAE’s independence and/or objectivity. Standard 1112’s Interpretation suggests that additional roles outside of internal auditing may impair organizational independence or objectivity of the individual internal auditor. The credit union board should implement oversight activities to limit potential conflicts, which could include evaluating reporting lines and responsibilities. There would need to be alternative processes for auditing the area of operational responsibility (e.g. using an external audit firm), which is addressed in Standard 1130.A2. Standard 1130.A2 states that audits for functions over which the CAE has responsibility must be overseen by a party outside of internal audit.
The other new Standard is 1130.A3, which also addresses a circumstance when internal audit independence or objectivity might be impaired. This standard says that internal audit can audit an area where internal audit had performed consulting services, if the consulting did not impair the internal auditor’s objectivity, and if individual objectivity is effectively managed when assigning auditors to engagements. There is not any interpretation for this Standard.
Expanded Standards
Several Standards have been expanded to include additional concepts.

Standard 1110.A1 states that internal audit must be free from interference in determining the scope of internal auditing, performing work and communicating results. Now, the CAE will be required to disclose any interference to the credit union board, and discuss the implications of that interference.

Standard 1320 states that the CAE must communicate the results of the Quality Assurance and Improvement Program (QA&IP) to senior management and the credit union board. However, the standard was expanded to detail what the communication should include – the scope and frequency of assessments; qualifications and independence of the assessor and any potential conflicts of interest; assessor’s conclusions; and corrective action plans.

Standard 2050 on internal audit’s coordination with assurance and consulting service providers was expanded to include the consideration of relying on the providers’ work.

Standard 2100 on the nature of internal audit work states that internal audit must use a systematic and disciplined approach to evaluating processes. Now that requirement states that the approach must also be risk-based.

Standard 2110 on governance says that the internal audit activity must assess and make appropriate recommendations to improve the credit union’s processes, and lists a variety of processes. The Standard was expanded to include that internal audit must assess the governance processes for making strategic and operational decisions, and overseeing risk management and control. These changes better align the Standard with the Glossary’s definition of governance.

Standard 2200 states that internal audit must have a documented plan for each audit. The Standard was expanded to state that the plan must consider the credit union’s strategies, objectives, and risks relevant to the audit.
New Interpretations
Standard 2050 on coordination with and reliance on other providers now includes an Interpretation. The Interpretation recognizes that there are other risk and control functions in the credit union, such as compliance and legal, and that there has to be coordination between internal audit and these functions to limit duplication of effort, which in turn reduces inefficiencies and costs. Also in the mix are external service providers. When the CAE coordinates activities with other assurance and consulting providers, the CAE can rely on their work. However, first the CAE has to consider the competency, objectivity, and due professional care of the provider. There should be a consistent process for evaluating reliance. The CAE should have a clear understanding of the providers’ scope, objectives and results. Even though the CAE is relying on the work of others, the CAE is still accountable and responsible for ensuring there is sufficient support for internal audit’s conclusions and opinions.

Standard 2210.A3 states that adequate criteria are needed to evaluate governance, risk management, and controls. A new Interpretation of this Standard gives examples of the types of criteria that may be included – internal (e.g. credit union policies and procedures), external (e.g. regulations), and leading practices (e.g. industry and professional guidance). This is a guide to types of criteria, not a complete list. The rationale is that evaluation criteria are established by management and/or the board. Internal auditors do not develop the criteria.

Standard 2230 states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives. A new Interpretation defines “appropriate” as the mix of knowledge, skills and other competencies needed to accomplish the engagement. “Sufficient” means the quantity of resources needed to accomplish the engagement with due professional care.
Expanded Interpretations
A few Interpretations have been expanded to include additional concepts.

The interpretation to Standard 1210 on proficiency of internal auditors now includes that proficiency “encompasses consideration of current activities, trends and emerging issues, to enable relevant advice and recommendations.” The rationale behind this addition is to emphasize that the internal auditor is responsible for providing insight and forward-looking advice, and solving problems.

The Interpretations to Standards 1300 and 1312, relating to the QA&IP and external assessment respectively, were both expanded to encourage credit union board oversight throughout the QA&IP, and in the external assessment specifically. Also, Standard 1312’s Interpretation of external assessments was expanded to include that the external assessor must conclude as to the internal audit activity’s conformance with the Code of Conduct and the Standards, and that the assessor may also include operational or strategic comments. The requirement for a conclusion clarifies the purpose of the external assessor’s report.

The Interpretation of Standard 2000 on effectively managing the internal audit activity describes what is meant by effective management. That description was expanded to include the consideration of trends and emerging issues that could impact the credit union.

Standard 2060 states that the CAE must report periodically to senior management and the board on internal audit’s activity. The Interpretation was expanded to clarify that the communications must include information about the audit charter; internal audit’s independence; the audit plan and its progress; resource requirements; results of audit activities; conformance with the Code of Ethics and Standards; action plans to address significant issues; and management’s response to risk that may be unacceptable to the credit union. This expansion of the Interpretation consolidates reporting requirements that are dispersed throughout the Standards.

The Interpretation for Standard 2450 on issuance of overall opinions has a list of items that the communication will include. “A summary of the information that supports the opinion” was added to this list.
Rearrangement

Standard 2410 stated that engagement communications must include the objectives, scope, results, conclusions, recommendations and action plans. However, it was recognized that some consulting engagements are strictly advisory, and that there may not be conclusions, recommendations and/or action plans. So, the requirement for conclusions, recommendations and/or action plans was moved to the Assurance Standard 2410.A1.
Wordsmithing

Some Interpretations, such as 2000 and 2010, and Standard 2110 were reworded to better reflect the Core Principles (e.g. aligning work with strategies, objectives, and risks of the credit union; providing risk-based assurance; and being insightful, proactive, and future-focused).

Implementation Guidance

In July through October 2016, the IIA issued 15 new Implementation Guides to supersede the relevant practice advisories. I am looking forward to reviewing these new Implementation Guides and the relevant standards in upcoming issues of The Audit Report.

About the Author

Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
Artwork: Michael Walek
www.acuia.org | THE AUDIT REPORT
{ regional news }
REGION 1
Director: Julie Wilson Director Internal Audit iQ CU 360.992.4233 juliew@iqcu.com
Position open. ACUIA needs you! Contact an ACUIA Board member if you would like to volunteer.
No news for Region 1. Contact Julie for information.
REGION 2
Director: Tara Tocco Internal Audit Manager Hughes Federal Credit Union 520-205-5744 TTocco@hughesfcu.org No news for Region 2. Contact Tara for information.
REGION 3
Director: Greg A. Czyzewski, CPA, CIA The Region 3 meeting was held October 5, 6, and 7th at Baxter Credit Union in Vernon Hills, IL. Among the topics covered were Compliance, Customer Due Diligence, Fraud, Lending Controls, File Maintenance, and ERM. Thank you to our sponsors Clifton Larson Allen, RSM, BKD, Moss Adams, and Doeren Mayhew. Special thanks to Doug Wright and the team at Baxter for hosting the event. Most of all, thanks to the members of Region 3 for their attendance and for making this another very successful meeting!
REGION 4
REGION 5
Director: Michael P. Moreau, CIA, CFE, CFSA Manager Credit Union Services Macpage LLC mpn@macpage.com Region 5 held its Regional meeting at Empower FCU in Syracuse NY, on September 26th and 27th. We had an enthusiastic group of internal auditors, who heard about many topics, including compliance and fraud. Planning for the 2017 Regional meeting has already started. We are looking forward to the National meeting!
REGION 6
Director: Jason Alexander, MBA, CICA Director of Internal Audit LGE Community Credit Union 770-421-2579 jasona@LGEccu.org No news for Region 6. Contact Jason with any regional questions.
{ region directors }
REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: VOLUNTEER NEEDED!
REGION 4: VOLUNTEER NEEDED!
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, mpn@macpage.com
REGION 6: Jason Alexander, jasona@lgeccu.org
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.
REGION 1 CENTRAL CASCADES (OR/WA) CHAPTER
Terry Robbins trobbins@mapscu.com
Ashley Shrode Ashley.Shrode@thrivent.com MICHIGAN CHAPTER
REGION 5 NEW YORK CITY CHAPTER
VOLUNTEER NEEDED!
Kathleen Schaefer Kathleen.Schaefer@elgacu.com
REGION 6
REGION 2 ARIZONA CHAPTER
WISCONSIN CHAPTER
Levi Dickerson levi.dickerson@gucu.org
Jason Garlutzo Jason.Garlutzo@azstcu.org CALIFORNIA CHAPTER
VOLUNTEER NEEDED! UTAH CHAPTER
Randy Manscill, CIA, CFE, CFSA rmanscill@americafirst.com HAWAII CHAPTER
Nikki Ige Nige@kcfcu.org REGION 3 INDIANA CHAPTER
Jeff Watson jwatson@iucu.org
MINNESOTA CHAPTER
Karla Hodgkins khodgkin@Covantagecu.org REGION 4 ARKANSAS CHAPTER
Patrick McCollough pmccollough@AFCU.org NORTH TEXAS CHAPTER
VOLUNTEER NEEDED! ST. LOUIS CHAPTER
David Caster dcaster@firstcommunity.com
GEORGIA CHAPTER
FLORIDA CHAPTER
Lourdes Camacho lourdesc@sccu.com NORTH CAROLINA CHAPTER
VOLUNTEER NEEDED! SOUTH CAROLINA CHAPTER
Tammy Farmer tammyf@scscu.com TENNESSEE CHAPTER
Michelle Clark, CUCU mclarck@ecu.org
{ acuia select }
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.
Levels: PLATINUM, GOLD, SILVER, BRONZE