ACUIA Audit Report volume 26 issue 1


Volume 26, Issue 1, 2017

The Magazine of the Association of Credit Union Internal Auditors, Inc.

NCUA PRIORITIES: THERE’S A LOT THAT’S FAMILIAR
EVALUATING YOUR PROGRAM: KNOW WHAT THE RISKS ARE
NEW RULES: THE GUIDELINES ARE OUT FOR BUSINESS LENDING

GEARING UP TO FIGHT FRAUD





{ contents }

FEATURES

Mitigate Fraud and Errors
We’ve identified eight critical control areas to help you get in gear. Dustin Birashk, CPA

NCUA’s 2017 Priorities
The Supervisory Priorities Letter to Credit Unions is out. Are you ready? Sam Capuano, CBA, CRP

Evaluating Your Internal Audit Program
In today’s ever-expanding risk environment, credit unions need to be responsive in their internal audit program’s ongoing design. Kenneth Bishop

New Rules
Member business lending enters a new era. Sean Ruban, CRC, MBA

DEPARTMENTS

From the Editor: Management Is from Mars, Audit Is from Venus. Tabitha Ernst-Chadwick
Chairman’s Message: Contemplating Risk. John Gallagher
The Standards: The International Professional Practices Framework. Pat Richey
Member Spotlight: Chad Nequent
Regional News
Region Directors and Chapter Coordinators

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Tabitha Ernst-Chadwick Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284

© Copyright 2017, ACUIA. All rights reserved.



{ from the editor }

Management Is from Mars, Audit Is from Venus

Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

It’s an age-old dispute; operations fails to implement adequate controls and internal audit fails to have reasonable perspective. Even when compromise is achieved, the space between often remains. After 16 years in audit I found myself on “the other side,” guilty on occasion of being one of those people who frustrated me in audit. Though that is unlikely to change, I’m also in a unique position to use my audit experience to bridge our own organizational gaps. So to start the conversation, I asked a group of colleagues five questions. Some of the answers were so interesting, I wanted to share them with you.

What is the first thing that comes to mind when I say internal audit? There was a lot of “compliance” and “monitor” in the responses. Here are a few others:
■ Covermyass (1 word)
■ Protection
■ Controls
■ Did I do something wrong?

How are risk management and internal audit different? The most prominent response was that Audit is black & white, Risk is gray. Some of the other interesting responses:
■ Risk makes decisions for mitigation of risk; IA monitors how successful we are.
■ Risk manages internal operations and each function’s risk. IA ensures we follow legal requirements.
■ Risk Management stays on top of compliance regulations, laws, best practices, etc. IA tests to ensure the credit union follows regulations, laws, and best practices.
■ Risk management manages appropriate risk tolerances; IA ensures we stay in compliance.
■ IA focuses on ensuring the credit union is in compliance with laws and regulations. Risk Management has a larger scope and is concerned with all aspects of business; less “yes or no” than “good, better, best.”
■ They work together but IA looks for things that places the credit union at risk and brings them to light. Risk Management makes decisions concerning the risk that the CU is facing.

Finish the sentence: The problem with internal audit is… This was the only one that had no consistency in the answers. Here are a few of the responses:
■ Staff doesn’t understand the role of IA and views it as trying to find something to write-up.
■ It may not have all the facts.
■ Not enough time.
■ Can be perceived as the FBI of the credit union, which makes employees nervous.
■ They appear to be secretive.
■ Only management receives the feedback.
■ Operations takes every recommendation as The Gospel; it’s viewed as a mandate rather than a partnership.

Finish the sentence: The great thing about internal audit is… Nearly every answer noted that audit helps improve processes, which was definitely encouraging. A few others…
■ It keeps the credit union from being fined.

continued on page 4

www.acuia.org | THE AUDIT REPORT

2017 BOARD OF DIRECTORS

Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2016–2019

Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2015–2017

Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2015–2017

Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dswenson2@wingsfinancial.com, Term 2015–2018

Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018

Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018

Director: Doug Wright, CPA, CFE, CUCE, BSACS, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2016–2019

Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com

ACUIA Executive Office, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”



{ chairman’s message }

Contemplating Risk

John Gallagher

Over the past year or two there appears to have been an increasing number of articles written about risk and, more specifically, enterprise risk management practices. As a means of combating the threat or risk of internal or external fraud, many credit unions today have an internal audit function and either have or are considering a separate ERM function. I have often been asked what the difference is between these functions and why both are necessary. The best way for me to describe this is that one function is looking left-to-right (ERM - forward looking) while the other has been traditionally looking right-to-left (IA - backward looking). However, in the end they both have the same focal point and goal in mind… mitigate unnecessary risks by ensuring a strong internal control environment is maintained.

The idea of focusing on the right risk at the optimal time in the process is a critical component in evaluating the effectiveness of any internal audit function. It is imperative that internal audit find a balance between the traditional approach (backward looking) and the more proactive approach (forward looking). Proactive internal audit functions can provide input and valuable insight on what should be considered as the credit union evaluates a certain path or strategic action, as well as identify potential risks and appropriate controls throughout the initiative planning and implementation processes. In the end this tends to lead to greater value provided to management and the credit union as a whole.

In general, that is the difference between ERM and internal audit responsibilities today. ERM is looking forward and internal audit looking backward. However, as mentioned earlier, both approaches aim towards the same common goal…to ensure adequate controls are in place to mitigate risk exposure to the credit union. Much of the information and perspective is gained by participation in direct discussions with senior management and/or “steering” committees, which enables internal audit to identify new projects/initiatives and engage early to provide perhaps a differing perspective of risks and controls.

When it comes to aligning the internal audit function within the credit union it is important to define how the function interacts with other areas and senior management when focus is placed on those posing the most significant risks. There are three lines of defense that, if and when aligned within the risk management practices, serve to identify and mitigate risks, as well as help reduce audit fatigue and/or ineffectiveness. Business functions/owners are the first line of defense, ERM as the second line, and internal audit as the third. These areas working together serve to increase efficiency and further the understanding of risk environment.

For both internal audit and enterprise risk management, successful credit unions must identify the right people for the job by looking at core competencies rather than simply just a preferred skill set. Here are four key competencies that are essential for IA and ERM:

1. Communication – Some internal auditors tend to be introverted and would rather not seek the limelight, but to succeed and add value they must accept the challenge of becoming more comfortable speaking to all levels of the credit union. Most professionals can be taught how to perform and document an audit, but to truly understand controls and to manage risk, there needs to be effective, frequent, and meaningful interaction with other strategic partners;
2. Risk – Internal auditors, enterprise risk professionals, and supervisory committee members must be risk-conscious. There must be an emphasis on identifying, monitoring, and mitigating risk across the seven categories defined by NCUA including cybersecurity;
3. Alignment – Internal audit must expand its influence across the traditional three lines of defense – leadership implements policy, senior management verifies execution of policy, and internal audit assesses adherence to that policy;
4. Data – New sources of data must continue to be identified and analytics should be embraced as a way to assist in the risk management process. In today’s environment and with the automated tools available, internal audit should be evaluating 100% of the data as compared to only testing a relatively small “sample” as has been traditionally done.

In the end, internal audit and enterprise risk management do look at the same issue from opposite sides. But the focus is always the same – identify risk, mitigate risk, and provide effective controls. This balanced viewpoint serves to reduce risk and strengthen the internal control environment of the credit union. So as you assess the value of internal audit within the credit union ask yourself if you have placed the appropriate level of focus in the four areas of competency.

Have a successful and rewarding 2017! Hope to see everyone in San Antonio.

MANAGEMENT IS FROM MARS (continued from page 2)

■ They find out I am doing something wrong before the Feds do.
■ They ensure we are doing things correctly.
■ They ensure we are complying with laws and help us minimize risks.
■ They help point out blind spots in processes.

How important is the internal audit function? Not Important; Somewhat Important; Very Important; Critical

All respondents chose very important or critical, with critical being the most prominent answer. A bit surprising; even as an auditor I didn’t rank IA with the “Critical” functions (let’s face it, I didn’t keep the lights on, bring in income, or hold the data...). But I found these answers to be encouraging. It seems that even if Management is from Mars and Audit is from Venus, this little survey revealed that, while we have more work to do in building the partnership and understanding between them, operations sees value in IA regardless of its other-worldly origins.

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Tabitha Ernst-Chadwick at acuia@acuia.org to learn more.



MITIGATE FRAUD AND ERRORS

Mitigating fraud and errors is essential for credit unions. We’ve identified eight critical control areas to help you get in gear.

DUSTIN BIRASHK, CPA

While highly regulated by the National Credit Union Administration, state regulatory agencies, or both, credit unions can always benefit from employing more controls to mitigate risk. These eight control areas should always be on the radar for credit unions to help mitigate the risk of fraud and error.

1. SEGREGATION OF DUTIES

Credit unions have become more efficient over the past few years, but they’ve also reduced head count in many cases. In a perfect world, organizations would be able to have different individuals initiate, approve, process, and record transactions. The reality is that most organizations have to be both creative and vigilant in ensuring at least two people are involved in every transaction. Oftentimes, institutions fail to revisit segregation of duties after downsizing or reorganizing teams. It’s important to evaluate roles and responsibilities after a significant change so deficiencies can be identified and remediated. Rotation of responsibilities, for example, is a way to segregate duties and cross-train, which can be a motivator for individuals who need more challenge.

2. SPREADSHEET CONTROLS

For most credit unions, the allowance for loan losses calculation is performed in a large, complex spreadsheet. It’s worthwhile to ask these questions:
■ Who has access to it?
■ Where is it stored?
■ Are static and dynamic files maintained?
■ Are backups created?
■ Does anyone review the spreadsheet for accuracy?

As spreadsheets grow in both size and usage, so should the related controls surrounding them. At a minimum, organizations should:
■ Maintain spreadsheets in secure file locations accessible only by those who should have access
■ Save a static copy of the files at the end of each reporting period in the event they need to access it
■ Have an independent, secondary review of the inputs, formulas, and totals by an individual who understands the calculation

3. FINANCIAL CLOSE CHECKLISTS

Financial reporting requirements are often very different for organizations depending on whether it’s month-end, quarter-end, or year-end. For credit unions on a calendar year-end for audit purposes, December 31 marks the most significant financial reporting period, which includes the financial statement audit, call report, board reporting, and annual meeting materials. Quarterly reporting (March 31, June 30, and September 30) is somewhat less involved, with a call report and board reporting. Off-quarter-end months are generally the least difficult, with only board reporting typically required. Detailed financial reporting checklists customized for each of these three time periods can prove very beneficial when organizing the accounting department, allocating resources, and ensuring all necessary items are completed on time and appropriately documented.

4. RECONCILIATIONS

One of the strongest internal controls an institution can have is timely and accurate account reconciliations coupled with an independent review. All critical balance sheet accounts should have an individual assigned to reconcile and another to review, along with a deadline for completion. Just as important are a process to promptly address unusual or large reconciling items and attention to segregation of duties when assigning individual responsibilities.




5. MANDATORY VACATION

Many news stories about internal fraud identify a trusted, long-standing employee as the perpetrator. In many cases, these employees are seemingly the hardest workers at the credit union and never took time off, which allowed them to be present every day to cover their tracks. Requiring employees to take mandatory vacations in blocks of time (one week or two weeks, for example) is one of the oldest internal controls in the books, but it’s also one of the least enforced. When taking their block of time off, employees shouldn’t come into the office every day of their vacation, and they shouldn’t log into the system. In their absence, another individual should step in to complete their day-to-day responsibilities.

6. SYSTEM ACCESS

Controlling who has access to the core and ancillary systems impacting financial reporting can prevent a significant amount of fraud. Most core systems allow companies to customize who has access to loans, shares, and other critical areas. Once the access levels are set, credit unions should perform regular reviews, either on a set time frame or after a change in personnel.

7. SECONDARY REVIEW

One of the most common audit findings is loan and share accounts that aren’t properly set up in the core system. In some instances, variable rates are incorrectly set up as fixed rates, tickler items such as reminders for rate changes aren’t put in properly, or coding of fees and costs is wrong. A high-quality, independent secondary review of the input into the core system is the best control to mitigate the risk of new accounts being set up incorrectly.

8. GENERAL LEDGER REVIEW

Most general ledger and core processing systems provide daily general ledger reports so organizations can evaluate changes each day. One powerful control is to set up a report for a trailing five to seven days of daily general ledger trial balances, along with a summary of dollar changes day over day. If this information is distributed to key personnel for a quick daily review, credit unions can quickly identify items that don’t appear accurate, such as unusual spikes or dips in interest income or expense or large increases in other expenses. By delegating a few items to be researched on occasion, it reminds others in the organization that anything and everything is subject to review, which can be a useful deterrent to fraud.

While these eight controls are just a small sample of critical controls at a credit union, they represent a good baseline. They’re generally easy to implement, not cost-prohibitive, serve as a good deterrent to fraud, and help minimize errors.
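The trailing-window report described under General Ledger Review, sketched as an added example (it is not from the article or from any core system). It assumes daily trial balances exported as date, account, balance rows; the account names, the sample figures and the flagging rule are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal
from statistics import median

# Constructed sample: seven business days of trial-balance snapshots.
# Account numbers, names and amounts are illustrative only.
SAMPLE_CSV = """date,account,balance
2017-03-01,4010 Loan interest income,100000.00
2017-03-02,4010 Loan interest income,105100.00
2017-03-03,4010 Loan interest income,110150.00
2017-03-06,4010 Loan interest income,115300.00
2017-03-07,4010 Loan interest income,120380.00
2017-03-08,4010 Loan interest income,125500.00
2017-03-09,4010 Loan interest income,130590.00
2017-03-01,6200 Other operating expense,8000.00
2017-03-02,6200 Other operating expense,8250.00
2017-03-03,6200 Other operating expense,8560.00
2017-03-06,6200 Other operating expense,8800.00
2017-03-07,6200 Other operating expense,9090.00
2017-03-08,6200 Other operating expense,9360.00
2017-03-09,6200 Other operating expense,18860.00
2017-03-01,2300 Suspense,0.00
2017-03-02,2300 Suspense,0.00
2017-03-03,2300 Suspense,0.00
2017-03-07,2300 Suspense,0.00
2017-03-08,2300 Suspense,0.00
2017-03-09,2300 Suspense,0.00
"""


def load_balances(text):
    """Parse date,account,balance rows into {account: {date: Decimal}}."""
    balances = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        balances[row["account"]][row["date"]] = Decimal(row["balance"])
    return balances


def trailing_review(balances, window=7, multiple=3, floor=Decimal("1000")):
    """Build the trailing report and flag accounts that need a second look.

    Assumed flagging rule (not from the article): the latest day-over-day
    change is at least `floor` dollars and more than `multiple` times the
    median absolute change over the earlier days in the window.
    """
    # ISO dates sort correctly as strings; keep the last `window` reporting days.
    days = sorted({d for by_day in balances.values() for d in by_day})[-window:]
    report = []
    for account in sorted(balances):
        by_day = balances[account]
        row = {"account": account, "changes": [], "latest": None, "flag": None}
        missing = [d for d in days if d not in by_day]
        if missing:
            # A gap in the snapshots is itself a finding; it must not pass silently.
            row["flag"] = "missing snapshot: " + ", ".join(missing)
        elif len(days) < 3:
            # Fewer than two changes leaves nothing to compare the latest one against.
            row["flag"] = "insufficient history"
        else:
            changes = [by_day[b] - by_day[a] for a, b in zip(days, days[1:])]
            latest = changes[-1]
            baseline = median(abs(c) for c in changes[:-1])
            row["changes"], row["latest"] = changes, latest
            if abs(latest) >= floor and abs(latest) > multiple * baseline:
                row["flag"] = "unusual change"
        report.append(row)
    return report


def format_report(report):
    """Render one line per account for the daily distribution to reviewers."""
    lines = []
    for row in report:
        changes = " ".join(f"{c:>10,.2f}" for c in row["changes"])
        lines.append(f"{row['account']:<30}{changes}  {row['flag'] or 'ok'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(trailing_review(load_balances(SAMPLE_CSV))))
```

On the constructed data the steady interest accrual passes, the expense account is flagged for its last-day jump, and the suspense account is flagged because one daily snapshot is missing.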

About the Author: Dustin Birashk, a Moss Adams partner, has been in public accounting since 1999 and specializes in serving financial institutions and other financial services organizations. He’s responsible for financial audits, operational audits, and other consulting engagements and can be reached at dustin.birashk@mossadams.com or (425) 303-3023.




NCUA’S 2017 PRIORITIES: ARE YOU READY?

SAM CAPUANO, CBA, CRP

An annual highlight from the NCUA is its Supervisory Priorities Letter to Credit Unions, which comes out like clockwork every January. When I took a look at the letter last month, I got a sense of déjà vu. I then took a look at 2016’s Priorities Letter, and sure enough there were some repeat topics.

Those holdovers from 2016 include Bank Secrecy Act, again highlighting concerns with money services businesses (MSBs), Interest Rate and Liquidity Risk, and that area which will likely be included in the Priorities Letter in 2018 and beyond, Cybersecurity Assessment. The NCUA would seem to be rather fond of each of these areas, as they were also on the Priorities Letters in 2015 and 2014. Also part of this year’s hot topics are Internal Controls and Fraud Prevention, the new Military Lending Act, and Commercial Lending, due to the revised Part 723 rules. Since most, if not all, of these will be part of your 2017 Audit Plan, let’s take a closer look at what you might expect the next time you’re due for an NCUA exam.

Cybersecurity Assessment

Cybersecurity risk is here to stay, as we all know. The NCUA (along with other banking regulators) in June 2015 issued the FFIEC Cybersecurity Assessment Tool. In both 2016 and 2017’s Priorities Letters, NCUA “encouraged” credit unions to use the tool as a means to manage cybersecurity risk. It is always good practice to implement what NCUA “encourages” (although, in the October 2016 FAQ on the Cybersecurity Assessment Tool, FFIEC says using it is voluntary, while recommending that institutions use it, or another similar tool). The examination focus for cybersecurity in 2017 will be “a structured assessment process.” While this sounds ominous, use of the Cybersecurity Assessment Tool, along with the excellent Cybersecurity Resources page on the NCUA’s website (https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/cyber-security.aspx) should help. This page has several useful links to the Examiner’s Guide, FFIEC, and other goodies. Highly recommended reading, if you haven’t already paid that page a visit.

Bank Secrecy Act Compliance No real surprise that BSA has been on the Priorities Letter the past four years, as it is always a hot topic come exam time. Mirroring all the banking regulators, NCUA has remained quite focused on ensuring credit unions are proactive against money launderers. As noted above, this year that focus will include a closer look at credit unions and their MSBs. Examiners will be evaluating how credit unions are classifying risk of MSBs, and how they are monitoring them. The NCUA fleshed out MSB risks when they issued Letter 14-CU10 in December 2014. Given MSB’s continued presence in the Priorities Letter, the time seems to be right to revisit that Letter, and corresponding Supervisory Letter SL 14-05. Interest Rate and Liquidity Risk The third and final repeat topic in this year’s Priorities Letter pertains to IRR. While the topic is a carryover from past years, there will be a new exam-

ination method in 2017. Starting in January, NCUA will be examining IRR using a revised approach. This was explained in greater detail last October in Letter 16-CU-08. Some of these changes include the new Interest Rate Risk Review Procedures Workbook, updated IRR tolerance thresholds in the Net Economic Value Supervisory Test, and a revised IRR chapter in the Examiner’s Guide. Scopes were also reduced in the exam approach for smaller credit unions. Asset Liability Management, which includes Interest Rate and Liquidity Risk, can be a challenge for even the most experienced auditors, and the fact the NCUA will be looking at it differently in 2017 might just add to that challenge. The good news is that the enclosures in Letter 16-CU-08 provide some decent ALM guidance, as well as specifics as to how it will be examined.

Commercial Lending The changes to NCUA Part 723 pertaining to business loans are also on NCUA’s radar in 2017. This is not a shock. The revision, approved by NCUA’s board (not without some infighting) on February 18, 2016, represents the most sweeping changes to NCUA Rules & Regulation Part 723 since 2003. Most of the revisions took effect on January 1st of this year. In February of this year, CUNA stressed the need to comply with the changes, especially Part 723.4, dealing with minimum requirements of a credit union’s commercial loan policy. When performing MBL audits for my credit union clients, a review of the policy has always been the first step. Then, as now, Part 723 laid out what needs to be in there. The only difference now is that some of the policy requirements have changed. Non-compliance with this portion of


723 is something I have seen on more than a few NCUA exams. In preparation for the January 1st effective date, the NCUA revised the Commercial and Member Business Loan section of the Examiner’s Guide on December 2, 2016. This is also worth a look, especially the “Procedures for Conducting an Effective Commercial Lending Review” section. There are some nice steps in there that you probably would want in your audit programs.

Consumer Compliance From a compliance perspective, the Priorities Letter highlights regulations pertaining to the military. Many of the Military Lending Act (MLA) requirements became effective in October of 2016 (some provisions, pertaining to credit cards, kick in October 2017). Shortly after the MLA became effective last October, NCUA, in 16-CU07 noted that its exam approach the

first time through would more or less ensure the CU was aware of the regulation and working towards complying. The Priorities Letter also makes mention of the similar, but definitely different Servicemembers’ Civil Relief Act. Given the increased importance regulators have placed in recent times on protecting the military, and the fact that these two regulations are singled out as a 2017 priority, having these areas in your 2017 Audit Plan should be a given. No one wants a repeat of the $20 million civil money penalty slapped on Wells Fargo by the OCC for violations of the SCRA in September 2016.

Internal Controls and Fraud Prevention

The final topic singled out in the Priorities Letter deals with something we’ve dealt with for years: fraud. NCUA notes here that they will continue assessing the effectiveness of the internal controls in your credit union.

Insider fraud is always a threat, and smaller credit unions, with their relatively small staffs, are often more susceptible, as proper separation of duties can be a challenge. Since NCUA is making this a 2017 priority, more so than in the past, evaluating those “no” answers in ICQs seems to be more important than ever. So, for that matter, is being ready in each of the areas NCUA has highlighted here.

About the Author

Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started the IA function in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.



EVALUATING YOUR INTERNAL AUDIT PROGRAM BY KENNETH BISHOP



In today’s ever-expanding risk environment, credit unions need to be responsive in their internal audit program’s ongoing design. As noted in interagency guidance, the board and senior management are responsible for ensuring the internal control system is effective. An important element in assessing its effectiveness is the internal audit function. Consider these concepts when evaluating your program.

ESTABLISH A POLICY

To assist in carrying out their responsibilities, the board or committee should establish an audit policy outlining the internal audit function’s framework. The policy should define an objective and incorporate such components as reporting requirements, independence considerations, and establishing outsource relationships, to name a few. The policy should consider the credit union’s size and complexity.


USE YOUR RISK ASSESSMENT

Credit unions know the importance of risk assessments. Regulatory authorities have emphasized developing entity-wide comprehensive assessments and maintaining assessments specific to key compliance and operational functions. To develop an effective internal audit risk assessment, the credit union’s risk profile and strategic plan need to be considered. Once addressed, the most important step is identifying risks within the audit universe. If you don’t identify a risk, then you can’t measure and manage it. To effectively do this, you need a thorough understanding of the business lines’ operations and activities, so solicit input from appropriate personnel during the process. Measure all auditable areas for inherent and residual risk. It’s important to identify the controls being relied upon to determine residual risk as this is pertinent in the design of the testing procedures.

DETERMINE AN APPROPRIATE CYCLE

The frequency and depth of the audits should be commensurate with the credit union’s risk level. Areas identified as high risk should be addressed at least annually; lower risk areas may be limited to a biennial or triennial audit cycle, or it may be appropriate to not test an area. It’s no longer proper to test every audit area each year, a common practice years ago. Today, the audit function requires risk-based audit planning. This approach can effectively use resources and provide a more meaningful effect to improve the credit union. The audit procedure’s design should align with the identified risks. As previously mentioned, determining which controls are relied upon in the residual risk assessment process drives the testing procedures. In addition, consider past results. Audit procedures that have resulted in previously reported findings should be included in the procedures’ design and may likely warrant larger sample sizes.

APPROVE THE PLAN AND HAVE CAPABLE PERSONNEL TO EXECUTE

The internal audit plan, including risk assessment, should be presented and approved by the committee at least annually. It’s critical that those responsible for performing internal audit procedures possess the necessary skills and are independent from the business process. As a result, many credit unions find it necessary to outsource some or all of the testing to third parties. It’s important to understand that outsourcing doesn’t absolve the board and senior management of its responsibilities for ensuring an effective internal control system.

CREATE ACTION PLANS AND BE ACCOUNTABLE

Internal audit testing should be accompanied by written reports that clearly communicate the scope and findings. It’s management’s responsibility to respond to these results by defining a corrective action plan and a targeted remediation date. As it’s important for management to develop a corrective action plan, it’s equally important to hold management accountable by designing audit procedures to test the execution of action plan items. These are just a few concepts to consider when evaluating your internal audit program. An effective internal audit program achieves the audit policy’s objectives and is efficient. If appropriately administered, it also will identify opportunities for process improvements, promote a culture of compliance, create accountability, and help reduce mistakes. Contact your BKD advisor if you have questions.

About the Author

Ken Bishop is a partner with BKD National Financial Services Group who specializes in managing engagements with a focus on risk management services. For more information, contact him at 630.282.9512 or kbishop@bkd.com.




MEMBER BUSINESS LENDING ENTERS A NEW ERA

At the beginning of this year (January 2017), the National Credit Union Administration’s (NCUA) final new member business loan (MBL) rules went into effect. Moving from a prescriptive approach to a more principles-based approach, the new regulations modify collateral, security, equity requirements, loan limits, and waivers in MBL/commercial loan processes.

SEAN RUBAN, CRC, MBA

NEW RULES

Mirroring what the banking community has been doing for years, the rules allow credit unions, through policy and risk concentration guidelines, to internally govern their own MBL/commercial lending activities, ultimately opening up growth opportunities through these portfolios. Aimed at providing a flexible and modern approach to commercial lending, these rules encourage credit unions to serve more member businesses. More flexibility requires responsible, effective assessment of concentrations integrated into credit union risk management. Maintaining sufficient capital proportionate to risks associated with commercial lending activities will be critical, especially considering the Risk Based Net Worth weightings scheduled for implementation in January 2019.

Modernizing the Rules

The biggest change resulting from the modernized rules first published in March 2016 is the separation of commercial loan policies and program responsibilities from the statutory limits on MBLs. Highlighted below are the specific changes brought on by the NCUA rules:
■■ Exemption of small credit unions under $250 million and small commercial loan portfolios from certain requirements
■■ Elimination of the requirement for full, unlimited personal guarantees in certain situations as long as credit union officers detail the mitigating factors
■■ Removal of the explicit loan-to-value limits in certain situations where collateral is appropriate
■■ Elimination of the need for NCUA waivers due to previous specific limits:
   • Prior waivers included aggregate Construction and Development (C&D) loan limits
   • Minimum borrower equity for C&D loans
   • LTV requirements
   • Personal guarantees
■■ Removal of the limit on construction and development loans
■■ Exclusion of the need for waivers for maximum unsecured and aggregate loans to one member or group of associated members
■■ Elimination of the requirement to include non-member participation commercial loans towards the MBL/commercial limit (cap)

Time to Recognize the Opportunity

With greater lending power for MBL/commercial and participation loans, comes the need to put proper processes in place to manage the risks of the commercial lending portfolio. The board is responsible for establishing a risk strategy that takes into consideration the credit union’s goals and the overall composition of the lending portfolio.

Developing Commercial Lending Policies

Tasked with developing commercial lending policies, some credit unions might not know where to start. At a minimum under Section 723.4, commercial loan policies will need to address:
■■ Types of the loans offered
■■ Geographic area in which loans will be offered
■■ Underwriting, documentation and monitoring requirements of the loans
■■ Required qualifications and education of all staff involved in the lending process
■■ Formalization of the underwriting process
■■ Use of a single risk-rating model (a rating scale of 1-8 is commonly utilized)
■■ A process for approving and tracking loan exceptions
■■ Ongoing monitoring procedures, including third parties of the commercial loan program

Although the board is ultimately responsible for the portfolio’s oversight, when it comes to developing the policies and procedures, the burden lies on senior management. They will need to recommend policies and implement procedures to bring the board’s vision to light.


Monitoring and Performance Metrics Are Valuable

Developing an ongoing monitoring program to properly manage risks will be essential to successfully running an MBL program under the new rules. Most credit union core systems are designed to handle the monitoring of consumer loan systems, but may not have the robust tracking necessary for commercial loans. Ideally, your software should monitor delinquencies, lien filings, covenants, and loan exceptions. Management should review the current core system to determine its ability to meet these requirements. Monitoring should take place not only at the portfolio level, but also at the individual loan level. From a portfolio standpoint, the concentration make-up (geographic, industry, etc.), LTVs, and policy exceptions should all be looked at closely. Digging deeper, attention should be given to individual loans to track lien filings, cash flow and loan covenants. Continuously evaluating the portfolio is more important than just monitoring it. Regulators are typically requiring an independent commercial loan assessment of the risk rating system’s objectivity and effectiveness. Segregation of the commercial loan officer functions from the credit underwriting activities is common practice. When these duties are not well defined and segregated, regulatory recommendations may require third-party loan reviews to be completed annually to identify potential areas of concern. An effective commercial loan review process:
■■ Validates adherence to internal credit policies and procedures
■■ Identifies loans with potential credit weaknesses
■■ Assesses the overall quality of the loan portfolio
■■ Evaluates trends potentially able to affect the collectability of loan segments in the portfolio
■■ Appraises the adequacy of the allowance for loan and lease loss

Top-Level Oversight

Without NCUA prescriptive measures in place, the added responsibility on your board will be a little heavier now – bearing the ultimate responsibility of monitoring the commercial lending program. Board members are required to understand the risks associated with the portfolio, which, depending on the financial background of members, may be challenging. Most boards will rely on robust reporting and monitoring from their senior management teams. However, board members will need to interpret and evaluate the performance, risk and concentration metrics on their own, plus revisit MBL/commercial policies on an annual basis.

Start Moving Forward

With the new rules in place, there’s no better time for credit unions to capitalize on member business lending...but not without pause. Like with anything, rewards don’t come without risks. Each credit union will have to weigh its options. The leeway provided by the NCUA provides more growth opportunities, but may also put the credit union at greater risk if effective commercial risk management practices haven’t been established. Internal audit, lending officers, executive team members, and the board need to work together to develop the right policies and procedures. In some instances, your credit union may want to seek the outside assistance of an independent third party well-versed in commercial credit risk processes to help formulate a plan of action to manage risks.

About the Author

Sean Ruban, CRC, MBA is a Commercial, Consumer and Real Estate Lending Associate in Doeren Mayhew’s Financial Institutions Group. For nearly 10 years, Sean has provided a wide range of commercial, consumer, business and real estate lending review services to credit unions and CUSOs across the nation.




{ the standards }

Pat Richey, Retired credit union internal auditor

The International Professional Practices Framework Learn how to become a more insightful auditor.

The International Professional Practices Framework (IPPF) is promulgated by the Institute of Internal Auditors (IIA) to be a guiding framework for internal auditors worldwide. The IPPF is composed of several layers. Some of the IPPF guidance is mandatory and other guidance is recommended. The IPPF’s mandatory elements are the Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal Auditing (Standards). The recommended guidance includes practices for implementing the mandatory elements, and is divided into Implementation Guidance and Supplemental Guidance. Implementation Guidance helps internal auditors by suggesting methods of complying with the Standards. The IPPF was updated in 2015 and as of January 1, 2017, the former Practice Advisories have been replaced by Implementation Guidance. The Implementation Guidance is general in nature, but the Supplemental Guidance includes more detailed procedures and techniques. Practice Guides, Global Technology Audit Guides, and Guides to the Assessment of IT Risks are the elements of the Supplemental Guidance. The Practice Guides can be very topic specific, such as Auditing Executive Compensation or Auditing Anti-Bribery and Anti-Corruption Practices.

Mission

The IPPF also includes the Mission of Internal Audit. This states that the Mission of Internal Audit is “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” Sixteen words. This is a very concise and precise statement of internal auditing’s aim - concise in that it packs a lot of meaning in a few words, and precise in that it is exactly correct. Your internal audit charter may have a mission statement to focus your department on its core purpose, and help the credit union understand the internal audit’s goal in the credit union. It would be a good exercise to compare your mission statement with the IPPF statement. I googled “internal audit mission statement” and the first three that I found were 29, 46 and 89 words long. How many words is your mission statement? Although brief, there are many components to consider in the IPPF mission statement. Not only does internal audit protect the credit union, but internal audit should also be increasing the credit union’s value. How a credit union internal auditor enhances value depends on how the credit union measures its success, as there are different measurements of success such as bottom-line, service-levels, or market share. The mission to enhance value should focus internal audit on the big-picture of corporate strategy. The mission to protect and enhance the credit union’s value requires the internal auditor to focus on the risks that are most significant to the credit union’s success. The Standards Glossary (and the Interpretation of Standard 1100 Independence and Objectivity) defines objectivity as “an unbiased mental attitude,” and we can explore this Standard in-depth later this year. Internal auditors may be more familiar with the wording “assurance and consulting” rather than “assurance, advice, and insight.” The phrase “assurance and consulting” is still in the Definition of Internal Auditing, but I think “advice and insight” is a more descriptive term than consulting. I was blessed to work with some credit union CEOs who openly let me know that they were interested in my insight outside of formal, written audit reports.

Insight

On the website of the Chartered Institute of Internal Auditors (CIIA, Britain), there is an excellent article, “Insight and Internal Audit,”¹ which discusses at length the IPPF mission statement’s use of the word insight and what that means. The article says that insight describes the way we develop an understanding of a situation that lets us solve problems. David Rock, Executive Director of the Neuro-leadership Institute, says there are 4 stages of insight – awareness, reflection, motivation, illumination. Insight is relevant to internal audit because internal audit is removed from the day-to-day activities, which enables internal audit to see the activities with an unbiased mental attitude. The article ties insight with professional skepticism. My grandson (who has lived with me for 15 of his 18 years) calls me The Truth-Seeker, as he is often the focus of both my insight and skepticism. If you have raised teenagers you know what I mean. The CIIA article gives suggestions for becoming a more insightful credit union internal auditor:
■■ Develop your knowledge of your credit union and the industry
■■ Talk to people
■■ Keep on top of what’s happening in the audit profession
■■ Find a coach
■■ Consider different perspectives
■■ Benchmark
■■ Ask questions
■■ Don’t accept anything at face value (in my opinion one of the hardest things to teach new internal auditors)
■■ Identify trends and connections
■■ Look critically at your audit reports
■■ Use metaphors

In 2011, The IIA Research Foundation published a 60-page paper, “Insight: Delivering Value to Stakeholders.”² It defines insight as “the capacity to gain an accurate and intuitive understanding.” The conclusion states “…to be successful, internal audit is less about presenting audit results and more about engaging executives and board members in thoughtful consideration of current business challenges and in supporting the development of strategies to address the associated business risk.” I am a bit surprised that the Foundation’s report uses the term “intuitive.” Merriam Webster defines intuition as the power of attaining direct knowledge without evident rational thought.³ One time I went to an IIA local chapter meeting where the topic was Developing Intuition. It wasn’t too far into the meeting when I realized the speaker (not an internal auditor) was talking about being psychic. I raised my hand and asked her if she was talking about being psychic, and she said yes. It was the worst internal audit related session I have ever attended. It was at that same meeting that the speaker opened the session with the question “Who loves their job?” I raised my hand, and looked around, and saw I was the only internal auditor who raised his or her hand.

1 https://www.iia.org.uk/resources/globalguidance/mission-statement/insight-andinternal-audit/

2 http://www.theiia.org/bookstore/downloads/freetoall/IIA%20INSIGHT%20REPORT%20Final%20for%20Web.pdf

3 https://www.merriam-webster.com/dictionary/intuition

Definition of Internal Auditing

The IPPF’s mandatory guidance includes the Definition of Internal Auditing: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” This definition has not changed in 18 years. Most of the elements of the definition are further explored in the Standards and Implementation Guidance, and we will explore them in future articles. I particularly like the “systematic, disciplined approach” element of internal auditing as I am a very concrete/sequential thinker and learner. There is nothing random or abstract in my makeup. I am guessing that many of you reading this article are the same personality type as I am. At one credit union internal audit professional meeting that I attended, the attendees were given the DISC personality test. All the internal auditors in the group were the same personality type – except for one woman, who it appeared should have been in marketing. During my credit union’s new hire orientation and training, I gave one-hour sessions on “Who ARE These People and What do They Do?” (sounds like Richard Scarry’s “What Do People Do All Day?”!!) Generally, most new hires were tellers and so the presentation was very basic, but I touched on independence (internal audit’s role in the credit union), objectivity, types of assurance services (but not using that term), and introduced the terms risk and control as applicable to branch operations.

Standards

The Standards provide a framework for the basic requirements of internal audit performance and practice. The Standards are applicable worldwide, in every type of organization, to audit departments, and to internal auditors individually. Chief Audit Executives are held accountable for overall conformance with the Standards. Most of the Standards, but not all, include an Interpretation which clarifies the intent of the Standard, and a Glossary of terms is included in the Standards. There are two categories of Standards. The first is the Attribute Standards, which address the characteristics of internal audit departments and internal auditors. The other category is Performance Standards, which address the nature of audit work and provide performance evaluation criteria. Within these two categories are Implementation Standards that apply to either assurance services or consulting services. The Standards use the word “must” for mandatory requirements and “should” where a requirement is expected, unless the situation justifies nonconformance based on professional judgement. The many elements and layers of guidance may be a bit confusing to the uninitiated. However, the Standards and Guidance webpage on the IIA’s website has a menu of the elements that can visually clarify how the elements come together. Implementation Guides are available on the IIA website for IIA members. Non-IIA members can purchase a hardcopy of the IPPF (The Red Book) for $89.99.

About the Author

Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.




{ member spotlight }

Chad Nequent

Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, NCCO, CISA

We are kickin’ off the 2017 Spotlight with Chad Nequent, life-long Texan, Chapter Coordinator, and reformed Examiner.

Chad, everyone is anxious to get to know all about our newest Indiana Chapter Coordinator. So, tell us everything!

Ok. So I am an internal auditor for 5Point Credit Union out of Nederland, TX, which is near the Gulf of Mexico border of Texas and Louisiana. I have lived in the area all my life and directly entered the credit union industry out of college. I hold a BBA in Accounting from Lamar University. My first job after graduation was with the National Credit Union Administration as an examiner. I stayed with NCUA for 7 years and became a principal examiner before transferring to 5Point CU in December of 2015. While with the NCUA, I worked with credit unions throughout the nation from the hundred thousand in assets to the multi-billion institutions.

Impressive! And what fills your time when you aren’t auditing?

My spare time is devoted to my beautiful wife Darryl and to our church. My wife and I serve as youth pastors at Iglesia Triunfo. Our church holds two services, one in English and the other in Spanish. The youth group we serve is mostly made up of bilingual teenagers representing Hispanic countries from around the world. We devote most of our time to building leaders within our adult leadership in the church and holding events for the youth to remain active in the community, fun or serving through clothing giveaways, passing out food, or cleaning the streets of the impoverished areas of Port Arthur, TX. We are honored to serve our community and shape the lives of this generation’s youth leaders. I also hold a certification in personal training through NASM, National Academy of Sports Medicine.

Wow, that’s fantastic. I almost hate to shift back to the mundane, but if we stop here it will be a very short interview, so on we go. You worked at NCUA for 7 years then transferred into the credit union. How long have you been in audit overall?

FUN FACTS ABOUT CHAD:
Favorite sports team: Dallas Cowboys ever since I was born
Favorite athlete: All Time - Barry Sanders; Current – Ezekiel Elliott
Favorite food: Pepperoni pizza or a good tuna steak
Favorite Author: Andy Andrews
Most Influential People in My Life: Pastor Carlos Torres, Dr. Henry Holland & Mr. Kenneth Miller
Where I see myself in 5-10 years: CEO of 5Point Credit Union
What do you contribute to your success? God alone. He gives me opportunities and favor with the right people according to His will. I have everything because of Him!


Counting my NCUA experience, 9 years.

So what drew you into auditing?

I went to college for my bachelor’s in accounting with no real desire to make accounting my career. By the time I realized I was not too interested in accounting I had one year left before reaching my degree. I remember being in my last semester and somebody asking me where I was going to work after graduating and with a smile, I said, “God will show me where I need to go.” I had no worries about my future because I knew I would end up where I needed to go. I received a call from a family member letting me know a spot in a government position was coming open in my local area and I should go interview. I had no clue who NCUA was or what they did but the idea of a salary with benefits sounded good for a 22-year-old. I went for the interview and was offered a job the same day, still not knowing much about the credit union industry. Over the next several years I soaked in as much as I possibly could, learning the industry in and out. I have been privileged to have fantastic leaders and supervisors to teach, guide, and show patience in my learning experience. I have much success today because of those people early in my career. My journey has made me work hard and research to find what I need to learn. There is not anything I would change about that experience.

Have you taken advantage of any continuing education opportunities and received any professional certifications?

As a matter of fact, my coworker Julie Myers and I were on the first round of ACUIA participants to earn the Certified Credit Union Internal Auditor accreditation (CCUIA).

So in your experience, what are the most useful audit tools in your toolbox?

We utilize several avenues at the credit union but the tools I typically use the most are:
■■ CoNetrix Audit Pro software – document audits and run reports;
■■ NCUA website – regulations, call report analytics, and NCUA publications; and
■■ Cbanc – Information sharing website between banks and credit unions.

Over the years you’ve been involved in auditing, how has the industry changed?

I came into the industry during the first stabilization assessment encountering several angry and discomforted credit union people. As a new examiner I was blamed for the assessment and quickly learned how to handle a volatile economic change. However, as time progressed, I learned the heart behind the credit union movement and realized the anger was really passion disguised for all credit union members affected by the industry change. Credit union culture has remained throughout rapid technology changes over the last decade…the culture of people helping people. This filters through the auditing department as we look for efficient ways to help the members and our staff by keeping the necessary internal control functionality. Throughout the years, manual processes improve to more efficient paperless forms. Our department at 5Point Credit Union has worked diligently to reduce paper costs and improve our electronic efficiencies, accomplishing much of our goals. Fortunately, we serve under tremendous leadership that gives us the tools necessary to accomplish these efficiencies.

What are the major challenges you feel the industry faces today and how can internal auditors overcome those challenges?

Fraud is the biggest challenge and will most likely remain. Internal auditors will need to evaluate existing fraud tactics and review internal control structures to ensure weaknesses at other institutions where fraud was present are not even available at their own credit unions. The second greatest challenge is remaining current with the rapidly growing compliance changes. It is imperative internal auditors are supported by a strong compliance department. A strong compliance department ensures employees are properly aware, trained, and demonstrate an understanding of changes. Additionally, a compliance officer must test new procedures, policies, and processes to ensure staff follows through with guidance. A strong working relationship between internal auditors and the compliance officer is vital to ensure new regulatory changes are adequately covered.

So you’ve been in the field for a while now. Do you have any advice for someone who is new to auditing?

Give yourself time to adjust to the ongoing changes and remember to always ask “why?” Remain humble and do not let pride cover what you honestly do not know. Auditors need to ask the hard questions and keep asking until an answer is understood. It is ok if someone does not think you know much about the topic in question, but rather, the person in charge should know more than you. Clearly communicate with all affected parties your results before publishing anything and making someone else feel or look undermined.

Let’s talk about ACUIA. How long have you been a member?

A little over one year.

We know that you took on the role of Chapter Coordinator in Houston, Texas. (Thank you by the way!). How has that, as well as other opportunities or resources, enhanced your membership?

I believe the Chapter Coordinator position will allow me to meet new and experienced auditors. The other valuable ACUIA resources that I’ve used are website resources, conferences, and online forums.

REGION 1
Director: Julie Wilson, Director Internal Audit, iQ CU, 360.992.4233, juliew@iqcu.com
No news for Region 1. Contact Julie for information.

REGION 2
Director: Tara Tocco, Internal Audit Manager, Hughes Federal Credit Union, 520-205-5744, TTocco@hughesfcu.org
No news for Region 2. Contact Tara for information.

REGION 3
Director: Tom Cosby
Region 3 has a new Director! Tom Cosby, who is also serving as the Indiana Chapter Coordinator, is taking on this role. You can “meet” Tom in an upcoming Member Spotlight. In the meantime, contact Tom with any regional questions: tcosby@cranecu.org

REGION 4
Position open. ACUIA needs you! Contact an ACUIA Board member if you would like to volunteer.

REGION 5
Director: Michael P. Moreau, CIA, CFE, CFSA, Manager Credit Union Services, Macpage LLC, MPM@macpage.com
No news for Region 5. Contact Michael for information.

REGION 6
Director: Jason Alexander, MBA, CICA, Director of Internal Audit, LGE Community Credit Union, 770-421-2579, jasona@LGEccu.org
No news for Region 6. Contact Jason for more information.




{ region directors }

REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: Tom Cosby, tcosby@cranecu.org
REGION 4: VOLUNTEER NEEDED!
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, MPM@macpage.com
REGION 6: Jason Alexander, jasona@lgeccu.org

{ chapter coordinators }

Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Jason Garlutzo, Jason.Garlutzo@azstcu.org
CALIFORNIA CHAPTER: Andrea Munoz, andrea.munoz@firsttechfed.com
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com
HAWAII CHAPTER: Nikki Ige, Nige@kcfcu.org

REGION 3
ILLINOIS CHAPTER: Rick Torres, rtorres@CreditUnion1.org
INDIANA CHAPTER: Tom Cosby, tcosby@cranecu.org
MINNESOTA CHAPTER: Ashley Shrode, Ashley.Shrode@thrivent.com
MICHIGAN CHAPTER: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
WISCONSIN CHAPTER: Karla Hodgkins, khodgkin@Covantagecu.org

REGION 4
ARKANSAS CHAPTER: Patrick McCollough, pmccollough@AFCU.org
NORTH TEXAS CHAPTER: VOLUNTEER NEEDED!
MISSOURI CHAPTER: David Caster, dcaster@firstcommunity.com
SOUTHEAST TEXAS CHAPTER: Chad Nequent, cnequent@5pointcu.org

REGION 5
NEW YORK CITY CHAPTER: Dana McCranie

REGION 6
ALABAMA CHAPTER: Adrienne Breckenridge, abreckenridge@avadiancu.com
GEORGIA CHAPTER: Levi Dickerson, levi.dickerson@gucu.org
FLORIDA CHAPTER: Lourdes Camacho, lourdesc@sccu.com
MARYLAND CHAPTER: Nikki Torres, nichele.torres@towerfcu.org
NORTH CAROLINA CHAPTER: VOLUNTEER NEEDED!
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org


{ acuia select }

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.
