Volume 26, Issue 2, 2017
The Magazine of the Association of Credit Union Internal Auditors, Inc.
FASB CREDIT LOSS STANDARDS: THE FAQs
IT’S THE LITTLE STUFF THAT WILL GET YOU: THE BIG ISSUES ARE RARELY THE PROBLEM
WHISTLEBLOWERS: CREATING EFFECTIVE SUPPORT SYSTEMS
THE STANDARDS: OUR TEN CORE PRINCIPLES
YOUR PAYROLL PROCESS: All the function controls you may have been too computerized to ask about.
{ contents }

FEATURES
6 The Payroll Process – Employee compensation and benefits are highly computerized and often under-prioritized. Krissy Thompson, CPA and Alison Herrick, CPA
10 How Do You Measure Losses? – FASB’s Financial Instruments Credit Loss Standards — the FAQs. Gordon Dobner
14 Definitely Sweat the Small Stuff – The little things are out to get you. Todd Sherpy
18 Effective Whistleblower Programs – The goal of any internal whistleblower program is to support employees reporting what they see. Mike Mossel

DEPARTMENTS
2 From the Editor – The Four Agreements. Tabitha Ernst-Chadwick
4 Chairman’s Message – Going Strong into the Backstretch. John Gallagher
24 The Standards – Core Principles and the Code of Ethics. Pat Richey
28 Member Spotlight – Tom Cosby
30 Regional News
32 Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Tabitha Ernst-Chadwick Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284
© Copyright 2017, ACUIA. All rights reserved.
{ from the editor }
The Four Agreements
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

If you are an avid reader of Original Works by Tabitha (which, admittedly I made up just now), you’ve undoubtedly read a comment or two about Anthony Demangone, EVP & COO of NAFCU, and one of my professional heroes. I value his insight and enjoy his Musings publications. I’m dedicating this editorial meditation to Anthony’s May 17th column introducing The Four Agreements. I won’t re-write his Musing; you can check that out on your own. But I do want to reflect a little on those Four Agreements:

1. Be Impeccable with Your Word
a. Speak with integrity.
b. Say only what you mean.
c. Avoid using the Word to speak against yourself or to gossip about others.
d. Use the power of your Word in the direction of truth and love.
2. Don’t Take Anything Personally
a. Nothing others do is because of you.
b. What others say and do is a projection of their own reality, their own dream.
c. When you are immune to the opinions and actions of others, you won’t be the victim of needless suffering.
3. Don’t Make Assumptions
a. Find the courage to ask questions and to express what you really want.
b. Communicate with others as clearly as you can to avoid misunderstandings, sadness, and drama.
c. With this one agreement, you can completely transform your life.
4. Always Do Your Best
a. Your best is going to change from moment to moment; it will be different when you are healthy as opposed to sick.
b. Under any circumstance, simply do your best, and you will avoid self-judgement, self-abuse, and regret.

I can’t really say it better than Anthony, who used the descriptors “simple” and “powerful.” Consider the impact of making these the foundation of our professional lives.

Be Impeccable with Your Word – As auditors, risk managers, compliancers, powerful is a good way to describe our Word. Because of our multi-faceted expertise and the positions we hold, others seek counsel and guidance from us, so we cannot be careless with our Word.

Don’t Take Anything Personally – This can be difficult when your profession is prone to unfounded criticisms. Even the toughest skin can be penetrated with enough hits. Yet failing to master this concept could eventually render us ineffective, and we will miss opportunities for growth.

Don’t Make Assumptions – Well, in our professions, this should be at the very core of everything we do. Assumptions lead to incorrect conclusions and result in poor recommendations, which could impair or even destroy our credibility.

Always Do Your Best – Nearly every auditor/risk manager/compliancer I’ve ever met was an over-achiever, so we got this, mostly. Just remember the definition of “best” will change.

Yes, the Four Agreements are fundamentals that should already reign in our professional and personal relationships, yet it’s not uncommon to struggle with one or more of these from time to time. Take some time for self-reflection and improvement, both for your own growth and for the benefit of those around you!

{ from the editor }
How Do You Use Your Power?
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

I live in a state that is the subject of much controversy and debate due to a bold new law. A few superstars who are particularly offended by the rule decided to flex their famous muscles, reach deep into their pockets, and make their own bold statement by cancelling all venues in the offending state. The result? Well, I can’t say for sure, but my guess is that the governor didn’t lose much sleep over a couple of politically charged rock bands from the 80s and 90s (though who knows? He could be the president of both fan clubs). If Facebook can be believed – which it can because everything on Facebook is obviously true – the tangible result was A LOT of very disappointed fans, many of whom lost money despite the power of ticket refunds (hotel reservations, airline tickets, car rentals…). This particular result is of no concern to the superstars, though, because their desire was to make a point to the politicians, fans be damXXd.

No matter which side of their infamous Bathroom Bill gets your sympathy, the trend is a bit disconcerting – people who perceive themselves as influential doing everything in their power to make their opinions your opinions. And the trend will continue, because what artists could possibly now perform in this offensive state, when their colleagues have taken such valiant stands against injustice?

So I was just not fortunate enough to have tickets for either of the shows, but if 6-year-old soccer games were held on any day but Wednesday I would have been an addition to the angry mob of disappointed fans. I was outraged nonetheless, because I have fellow die-hard fans who don’t have Wednesday night soccer obligations, who did have tickets, and who were crushed by the cancellation. My outrage led to reflection on how I felt about bands punishing fans for actions outside of their control, further leading to reflection on customer service and treating our people right, and finally reflection on how this could relate to internal audit and risk management. Oh yeah – that’s right; in true nerd fashion I am turning a 90s alternative rock concert into an audit and risk lesson.

So here is the lesson. As auditors and risk managers, sometimes we are the ones in our organizations with those proverbial big muscles and deep pockets. We are the ones with the power to persuade. Most of the time, there is more than one way to achieve the desired result. And if your immediate reaction is to cancel the concert and try and force everyone to see it your way, you might be missing a better opportunity to actually reach out to your proverbial “fans” with a more effective message; and more often than not, once your audiences fully understand the issues, they probably have even better ideas about how to achieve those desired results. As the wise uncle of Spiderman once said “with great power comes great responsibility.” So I ask you, how are you using your great power? Are you flexing those muscles to force your opinions to become their opinions? Are you making your auditees perform an extra 10 steps because that’s how you feel it must be done? Or are you using your superior intellect and experience for good? That is, are you teaching [about the risks], sharing [ideas and knowledge], and listening?
2017 BOARD OF DIRECTORS
Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2016–2019
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2015–2017
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2015–2017
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dswenson2@wingsfinancial.com, Term 2015–2018
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018
Director: Doug Wright, CPA, CFE, CUCE, BSACS, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2016–2019
Associate Director: Kimberly Wiersema, CIA, kawiersema@hotmail.com
ACUIA Executive Office: 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
{ chairman’s message }
Going Strong into the Backstretch
John Gallagher

Even with several furlongs to go in 2017, the race is shaping up nicely thus far and we fully anticipate a strong finish.

Having just finished watching the Kentucky Derby, I will use a horse race as my analogy. For 2017, ACUIA has come out of the gates quickly and positioned itself comfortably out front and along the inside rail. While only approaching the half way point we are ahead by several lengths and looking strong. We most recently completed the second session offering of our joint certification program in conjunction with CUNA to another sold–out crowd. To date, approximately 150 individuals have been awarded the CCUIA (Certified Credit Union Internal Auditor) designation following their successful completion of the course and examination. Based on the high number of individuals who were placed on a waiting list for the program, a decision was made to offer another session later in 2017. This session will be held
on September 25 – 28, 2017 in Tempe, Arizona. If interested, consider signing up early as demand has been high and seating limited. And just as a heads up, another program is being scheduled for March 2018, with exact dates and location yet to be determined. By now I hope everyone is prepared for another exciting annual conference. This year we are returning to San Antonio for another trip along the Riverwalk. The session and speaker line up is strong and offers something for everyone. Plus we are again offering ½ sessions on Tuesday to maximize our educational opportunities. Of course we have built in some fun during our welcome reception Tuesday evening. Registration numbers to date are indicating a tremendous turnout. There has been considerable activity with our chapter groups as well.
Florida, for example, now has three chapters which operate across the state (Northern, Central, and Southern divisions). We also added two new chapters in other states as well, one in Illinois and another in Iowa. Many thanks to all who have stepped up and accepted volunteer leadership positions within these chapters. Our webinar offerings to date have been strong and most recently took on the subjects of risk management and auditing social media use. Several more are being scheduled throughout the remainder of the year. So keep checking the ACUIA website for upcoming scheduled events. Hopefully you have noticed some changes to our website as well. In addition to enhancing the upcoming events sections as just mentioned, we also added a Forum topics listing which we hope will help increase postings and responses. If you haven’t taken a look recently, please consider doing so. So while there are several furlongs to go in 2017, the race is shaping up nicely thus far and we fully anticipate a strong finish. Lastly, I would like to extend the happiest of retirement wishes to Terry McEachern. Terry officially retired from her position as Chief Audit Executive of Royal Credit Union on March 31st of this year. Terry started ACUIA in 1989 with just a handful of members from Wisconsin and Minnesota, and has remained involved since. Our sincerest thanks and appreciation go out to her, for without her vision and passion for our profession there would be no ACUIA today. ACUIA has invited Terry to be our guest at this year’s conference so I hope to see everyone in San Antonio to show our appreciation for all she has done!
THE PAYROLL PROCESS
Employee compensation and benefits are highly computerized and often under-prioritized.
KRISSY THOMPSON, CPA AND ALISON HERRICK, CPA
Compensation and benefits expense is typically the largest noninterest expense for credit unions, but this line item often does not receive the attention it deserves, leaving it susceptible to errors, fraud, and issues of noncompliance.
Payroll processing and benefit administration is commonly outsourced to third parties, which can give credit unions the sense they are relieved of related responsibilities. The truth is, reliance on the ability of employees, participants, or third-party service providers to identify situations requiring attention by management generally is insufficient without additional corroborative procedures. As internal auditors, there is a lot of opportunity to help your credit unions mitigate payroll fraud and avoid compliance deficiencies. Through our experience with credit union and Employee Retirement Income Security Act (ERISA) auditing, we have compiled a list of payroll and benefit plan controls to help prevent and detect issues. The following are some payroll function controls:

SEGREGATION OF DUTIES – Whenever possible, there should be segregation of duties within the payroll function. Payroll processing, approval, and disbursement should be separate functions.

DIRECT COMMUNICATION – Bonuses and increases in pay rate and paid time off should be communicated directly to the payroll department by the individual(s) authorized to make changes. Specifically at the CEO level, the payroll department should obtain direct authorization from the Board of Directors for any changes in the CEO’s payroll and bonus.

CHANGE AUTHORIZATIONS – Require that employee change requests, whether from employees or supervisors, be appropriately documented as authorized, whether in writing or through the payroll system.

CHANGE REPORT REVIEW – Changes to payroll, including new employees, changes in pay rate, direct deposit, change in status, etc., should be reviewed on a regular basis by individual(s) independent from payroll processing. Most payroll providers and payroll systems offer a report of changes made during the period. Make sure it is activated and cannot be de-activated by those with payroll change access.
DUPLICATE ADDRESSES/ACCOUNT NUMBERS – Periodically review for duplicate mailing addresses and duplicate direct deposit account numbers associated with multiple employees during selected pay periods.

PAYROLL REPORTS – Whether the credit union uses an internal payroll system or payroll provider, the payroll register and change reports should be reviewed by someone independent from the function. The reviewer should also have direct access to the reports, whether they have read-only access to the system or the reports are mailed/e-mailed directly from the payroll provider.

COMPARISON – Payroll expense is often comparable period to period. Compare the current payroll with previous payrolls and investigate anything unusual or unexpected.

PAYROLL REGISTER REVIEW – Periodically spot-check employees from the payroll register and agree their information to supporting documents to help ensure accuracy and existence. Also recalculate their payroll to make sure the payroll system is calculating correctly.

REVIEW SOC 1 USER CONTROLS – If using a service provider, review the SOC 1 user controls and document how the credit union satisfies each control.

As previously noted, credit unions oftentimes rely solely on the benefit plan service provider to adhere to regulatory compliance and plan requirements. Though the service providers can operate in a way that it may feel as though the plan runs on auto-pilot, the responsibility for compliance still remains with the credit union. Penalties and taxes for noncompliance can get expensive quickly, especially if they are first identified during a DOL or IRS audit. It is important to implement effective internal control practices and procedures to assist in the prevention and early identification of compliance problems. This will help to ensure eligibility for self-correction and voluntary correction programs if a plan qualification issue is identified. Some employee benefit plan controls that should be performed periodically include:

PLAN ELIGIBILITY REVIEW – Periodically review employees identified as newly eligible, ineligible, and those who have had a change in employment status for proper classification based on the Plan’s definition of eligibility. For those that are deemed eligible, make sure that they have been notified to participate in a timely manner. (Eligible employees are required to be notified and provided with the Summary Plan Description within 90 days from when they became eligible.)

DEFINITION OF COMPENSATION – Verify the plan is using the correct definition of compensation for purposes of determining contributions as well as for compliance testing purposes. Recalculate employee deferrals and employer match amounts for a few employees to ensure the payroll system is calculating properly. This is especially important when changes to the Plan and/or payroll system have been made.

RECONCILIATION – Reconcile employee contributions between payroll totals and the Trustee report, at least annually.

CONTRIBUTION REMITTANCE REVIEW – Verify that the employee contributions have been remitted to the Plan in a timely manner.

PAYROLL SYSTEM PARAMETERS – Review payroll system parameters for up-to-date contribution and compensation limits (IRS, Plan limits, etc.).

DISTRIBUTION REVIEW – Review years of service for terminated participants for proper vesting. Recalculate forfeiture amounts on current benefit payments to ensure accuracy. Verify that proper authorization was obtained by the participant and his/her spouse if applicable.

HARDSHIP DOCUMENTATION – Maintain supporting documentation for hardship withdrawals.

REVIEW SYSTEM ACCESS – Review the system access levels within the plan recordkeeping system for appropriateness.

FILE MAINTENANCE REVIEW – Perform an independent review of file maintenance conducted on participant accounts, to include changes in deferrals, loan requests, distributions, etc.

MONITOR ELIGIBLE PARTICIPANTS – Qualified defined benefit and contribution plans generally require ERISA audits once the plan has more than 120 eligible participants at the beginning of the plan year, given that the plan filed as a small plan in the previous year. By monitoring the participant counts in these plans, the credit union can appropriately plan and prepare for any upcoming audits.

In addition to payroll and employee benefit plans, executive compensation plans tend to also be overlooked, mainly because of complexity, confidentiality, and reliance on the financial statement audit. Good internal controls as well as internal auditing should extend to executive plans. Some controls and items to consider for executive compensation plans:

BOARD OF DIRECTOR APPROVAL – Documented approval of the plan(s) by the Board of Directors.

DUE DILIGENCE – Clear understanding of the plan by the Board of Directors and documentation that they have performed proper due diligence of the investment/insurance products. Those charged with governance should understand the benefits and the risks to the credit union.

LEGAL COUNSEL REVIEW – The Board of Directors should have legal counsel review the agreement(s) prior to approval. Their review should include making sure the agreement is accurately written and matches the intent/understanding of the Board and Management. Remember, these agreements may still be around long after those that approved them, so the agreements should stand alone.

CREDIT QUALITY OF PREMIUM NOTES RECEIVABLE – For split dollar agreement(s), premiums paid note receivables should be reviewed regularly for collectability and proper accounting.

ASSUMPTION REVIEW – Assumptions used in the projections of investment earnings should be reviewed for reasonableness, especially when the investment product is relied on by the credit union to pay back premiums and/or pay future deferred compensation payments.

ONGOING DUE DILIGENCE – Review the financial health of the investment and insurance providers.

INSURANCE POLICY LOANS – Monitor loans advanced by the executive for adherence with the agreement(s).

PREMIUM LOAN RECEIVABLE INTEREST – Make sure that stated interest per the note agreement, or imputed interest where there is no stated rate, is recorded and reported properly.

Payroll and Human Resource internal audits can often be very sensitive areas within a credit union. Proper planning is necessary to ensure the internal audit goes smoothly. Be sure the Supervisory Committee understands the risks in these areas, and is on board with including these areas in the audit plan.
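Two of the payroll function controls above (DUPLICATE ADDRESSES/ACCOUNT NUMBERS and COMPARISON) lend themselves to a repeatable audit analytic over the payroll register. The script below is an added example, not code from the article or its authors; the register, employee names and amounts are constructed, and the 25% variance threshold is an assumed starting point the auditor would tune.

```python
"""Audit analytics for two payroll-function controls: direct-deposit
accounts or mailing addresses shared by different employees, and a
period-to-period comparison of payroll expense. Sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollLine:
    employee_id: str
    name: str
    address: str
    dd_account: str   # direct-deposit account number
    gross_pay: float


# Constructed sample register for two pay periods (made-up people and values).
PRIOR_PERIOD = [
    PayrollLine("E100", "A. Adams", "12 Oak St, Springfield", "4411001", 2500.00),
    PayrollLine("E101", "B. Baker", "8 Elm Ave, Springfield", "4411002", 2300.00),
    PayrollLine("E102", "C. Clark", "77 Pine Rd, Shelbyville", "4411003", 2900.00),
]
CURRENT_PERIOD = [
    PayrollLine("E100", "A. Adams", "12 Oak St, Springfield", "4411001", 2500.00),
    PayrollLine("E101", "B. Baker", "8 Elm Ave, Springfield", "4411002", 2300.00),
    PayrollLine("E102", "C. Clark", "77 Pine Rd, Shelbyville", "4411003", 4350.00),
    # A new record whose address and deposit account match an existing
    # employee's (the pattern the duplicate-review control is meant to catch).
    PayrollLine("E103", "D. Dummy", "12 oak st., springfield ", "4411001", 2100.00),
]


def normalize_address(addr: str) -> str:
    """Case, punctuation and spacing differences would otherwise hide duplicates."""
    return " ".join(addr.lower().replace(".", "").replace(",", "").split())


def find_shared_fields(register):
    """Return {field: {value: [employee ids]}} for deposit accounts and
    addresses that appear under more than one distinct employee id."""
    by_account = defaultdict(set)
    by_address = defaultdict(set)
    for line in register:
        by_account[line.dd_account].add(line.employee_id)
        by_address[normalize_address(line.address)].add(line.employee_id)
    return {
        "dd_account": {k: sorted(v) for k, v in by_account.items() if len(v) > 1},
        "address": {k: sorted(v) for k, v in by_address.items() if len(v) > 1},
    }


def compare_periods(prior, current, threshold=0.25):
    """Flag employees whose gross pay moved more than `threshold` (as a
    fraction) against the prior period, plus employees added or dropped.
    Returns (sorted flags, change in total payroll expense)."""
    prior_pay = {p.employee_id: p.gross_pay for p in prior}
    current_pay = {c.employee_id: c.gross_pay for c in current}
    flags = []
    for emp, pay in current_pay.items():
        if emp not in prior_pay:
            flags.append((emp, "new employee", pay))
            continue
        base = prior_pay[emp]
        # A prior period of zero pay cannot be used as a divisor; any pay
        # after a zero period is treated as an unbounded change.
        change = (pay - base) / base if base else (float("inf") if pay else 0.0)
        if abs(change) > threshold:
            flags.append((emp, "pay change", round(change, 3)))
    for emp in prior_pay.keys() - current_pay.keys():
        flags.append((emp, "dropped employee", prior_pay[emp]))
    total_change = sum(current_pay.values()) - sum(prior_pay.values())
    return sorted(flags), round(total_change, 2)


if __name__ == "__main__":
    print("Shared fields:", find_shared_fields(CURRENT_PERIOD))
    print("Period comparison:", compare_periods(PRIOR_PERIOD, CURRENT_PERIOD))
```

Every flag is a lead for the independent reviewer to agree to supporting documents, not a conclusion on its own.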
About the Authors Krissy Thompson is an Audit Manager in the ERISA industry group at Macpage LLC.
Alison Herrick, CPA is a Principal specializing in financial statement and internal audits of credit unions at Macpage LLC. Please feel free to contact them at ket@macpage.com or ajh@macpage.com.
HOW DO YOU MEASURE LOSSES?
FASB’S FINANCIAL INSTRUMENTS CREDIT LOSS STANDARDS: THE FAQS
The Fed released new standards in December and we bring you the highlights.
GORDON DOBNER
On December 19, 2016, the Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency and National Credit Union Administration (Agencies) released a joint statement for FAQs on the Financial Accounting Standards Board’s June 16, 2016, Accounting Standards Update 2016-13, Financial Instruments–Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments. Among other things, the new standard creates the current expected credit loss (CECL) model for financial assets carried at amortized cost. These FAQs are a follow-up to the joint statement the Agencies originally issued on the standard in June 2016. These FAQs were developed to assist institutions and examiners as they begin implementation. The Agencies plan on publishing additional FAQs and/or periodically updating existing FAQs. The FAQs mostly expand on the original supervisory views of the Agencies in their June 2016 joint statement.

FAQ HIGHLIGHTS
■ CECL introduces a single measurement objective to be applied to all financial assets carried at amortized cost. However, it doesn’t specify a certain model. Instead, it allows any reasonable approach as long as it achieves the new standard’s objective.
■ Although the Agencies expect the new standard to be scalable to all institutions, inputs to allowance estimation methods currently used will need to change to properly implement CECL requirements.
■ Similar to today’s incurred loss model, institutions can continue to leverage credit risk management practices in their qualitative and quantitative factors.
■ Institutions may apply different estimation models to different
groups of financial assets or loan pools.
■ Institutions will be required to incorporate forward-looking information and estimate effects of forecasted future events for periods that are reasonable and supportable.
■ The Agencies expect that smaller and less complex institutions will be able to adjust their existing allowance methods to meet the requirements of the new standard without the use of costly and/or complex modeling techniques.
■ The Agencies expect supervised institutions to make good faith efforts to implement the new standard in a sound and reasonable manner.
■ After CECL’s effective date, the Agencies will assess the new standard’s implementation and consider issuing additional supervisory guidance to aid in developing practices for the sound application of the new standard.
■ Although the new standard provides examples of similar risk characteristics, smaller and less complex institutions may conclude their segmentation practices with the incurred loss methodology also are appropriate with the methodology, or they may refine those practices.
■ CECL will apply to held-to-maturity (HTM) debt securities, and in contrast to today’s accounting, institutions will generally need to establish an allowance for credit losses on their HTM debt securities at the date they adopt CECL.
■ The Agencies won’t require institutions to engage third-party vendors to assist in implementing and calculating allowances within CECL.
■ Institutions may need to capture additional data and retain data longer to meet CECL data requirements. It’s recommended institutions discuss the availability of historical loss data internally and with their core system service providers.
■ The Agencies won’t establish allowance level benchmarks or floors with CECL.

Both the original joint statement and FAQs encourage transition planning and implementation preparation for the new standard and a discussion of possible methods. For more comprehensive information on implementation considerations, read “Potential Data Needs & Considerations with CECL.” In addition, read “A Comprehensive Look at the CECL Model” and view the archived webinar “CECL – Breaking Down the Final Standard” for more information. Contact your BKD advisor if you have questions.
About the Author Gordon J. Dobner, CPA, is a member of BKD National Financial Services Group. He has more than 13 years of experience providing audit and consulting services to financial services companies including financial institutions and mortgage companies. Gordon also assists clients with U.S. Securities and Exchange Commission and other regulatory filings.
DEFINITELY SWEAT THE SMALL STUFF
The little things are out to get you.
TODD SHERPY
“CFPB may get us.” “There are so many rules to keep up with.” “We are spending hour upon hour checking our TRID CD and LEs.” “We are prepping for our next regulatory exam.” “We are so afraid of all the BIG things out there that may get us.” Any of these sound familiar?
I am sure you can throw back about a hundred more on top of these. These statements are noble expressions of your concern for the many issues in legal/regulatory compliance that may affect your credit union. However, how often does a Credit Union really have a major impact from a CFPB Consent Order? A Truth-in-Lending Act claim? An NCUA or State examination that results in any significant liability exposure? I have been practicing law and working with credit unions for three decades and in this time I have seen much. However, I have rarely seen a credit union affected by what I shall refer to as major issues (significant regulatory fines or penalties; or legal actions resulting in substantial losses). What I have seen are thousands if not millions of dollars lost from overlooking the little things, complacency, lack of common sense in some cases, and even disinterest. Think on it for a bit. With a few headline exceptions – it is rare for a credit union to be tagged with a big loss. Always possible, yes, but rare. I am not saying not to be vigilant in regard to such matters. However, be sure your focus is broad enough to cover the “little things” as well. What are these little things that we should be concerned about, you may ask? Let me share just a few to help illustrate my point:
1
Loose Carpet, Bad Lighting and Other Exposures: When any member or other person comes on your premises he/she is an “invitee” under general negligence laws. If an invitee is injured on your premises the credit union is generally liable for those injuries. Have you assessed your premises for exposures? If you have a 24hour ATM or depository do you have safeguards in place? Have you had a lighting, landscaping and location safety or legal compliance assessment? Have you provided materials to members via your disclosures or
other mean regarding steps to protect themselves? All are important risk mitigation concepts.
2
Learning to Read Documents: Multiple times each year we have to help a credit union that has not taken the time to read a document. It may be a Power of Attorney. It may be a loan disclosure. I hear things like – “Todd on page 1 section 2 it says the agent on the POA can do this.” “Yes – but on page 5 section 23 it says there are conditions that must first be met.” “Were those conditions met?” Credit union response: “You mean we have to read the whole thing?” Ugh – shoot me now. Or: “Todd, we have a member claiming we miscalculated his APR over the last 10-years. He is claiming there is no floor in our loan note.” “Is there a floor in your loan note? I cannot find one.” “Oh – we assumed there was.” Assumed? Hmmh …
3. Watch the Numbers: I cannot even begin to recall the number of times a credit union has taken a loss due to a snake in the grass car salesperson giving false information on a bill of sale. All is well until repo or bankruptcy time. Then, you find you have a lesser car than the bill of sale indicated – increasing the loss by thousands; or the possible recovery in bankruptcy by a like amount. Run the VIN and compare the data before you fund the deal. Check the numbers when that title comes in to ensure there has not been a swap (it is easier to address now than a year down the road). Be diligent.
4. Did the Owners Give You a Lien? Two common oversights have caused many a loss: (1) See my prior article on “and/or” when it comes to collateral liens; and (2) being lackadaisical in assessing a lien on collateral with a commercial loan. When making collateral loans to small businesses be sure you connect the dots. Meaning: (a) be sure the actual owner of the collateral signs the Security Agreement (small businesses often hold collateral in the business name or the individual owner’s name in a willy-nilly fashion. Regardless of who the borrower is – be sure you have the actual owner signing the Security Agreement); and (b) for general equipment liens – such as “all equipment of the partnership” be sure that when they created the partnership they actually conveyed ownership of the equipment to the partnership (as it may have previously been individually owned and may still be if it was not properly conveyed). Obtain documentation showing it was conveyed from the individual owners to the entity – generally by bill of sale or other documentation. If you end up with a lien on property not owned by the entity that signs the Security Agreement, well then – you have a lien on nothing.
5. Privacy is a Two-Way Street: Over the years a number of credit unions have been sued and have paid large sums for privacy violations. These violations are not from causes you expect. Rather, they result from the credit union’s own actions. “Todd – we responded to a subpoena from a California State Court from here in Tennessee where the credit union is located. The member is very angry that we sent his documents and is threatening to sue us. Can you write a letter and tell the member what we did is right?” “No. No I cannot as what you did was not right. A state court subpoena is only good in the state in which it is issued with the exception of certain requests associated with alimony/child support, which this was not. You violated the member’s privacy rights and you need to find out pronto what the member wants to be made happy. BTW – the last jury verdict I saw on such a matter was $500,000 to the member.”
Document retention procedures are great. Proper document production procedures are even better.
6. Do not be the Nike Commercial “Just Do It!”: I’ll not even begin to list the number of calls I have received which start with – “Todd, here is what we did. What should we have done?” When dealing with substantive legal/compliance issues perhaps consult with counsel before versus after you take action.
7. Internal Controls Procedures are for More than Tracking the Cash: Internal procedures and requirements have long been used as liability shields by corporate America. From slip and fall situations at the grocery store to use of corporate vehicles and equipment of all types – clearly dictated requirements and expectations establish the standards of the credit union. If an employee does not meet those standards there is the defense that the employee acted outside of policy or outside the scope of his/her employment, so that the liability associated with that credit union van accident or loss of the credit union’s computer are either mitigated or avoided altogether. Every substantive area where there is risk exposure should have procedures that address not just technical compliance matters, but real life events as well. It is real life that causes the greater concerns. This is why we provide a detailed procedure on the use of credit union vehicles (yes – we say do not drink and drive, do not drive in inclement weather, etc., as this is against credit union POLICY). This is why we provide a detailed procedure for the use and care of credit union equipment (yes – we say do not leave that laptop or tablet on the front seat of your unlocked car at the convenience store). These are designed and intended to provide the potential defensive shield noted. If you do not have them, then your defensive arsenal is a weapon short.
8. Beware of the Unintended Promise: In the legal world there are written contracts and then there are implied contracts. Both are equally binding on the parties. Thus, beware of the things you say; and moreover the things you commit to writing. For example, take the standard “Commitment Letter.” You have to draft these very carefully so that they are not later used against you to force you to lend. They need to be absolutely clear. Perhaps start with that silly “COMMITMENT LETTER” in 32-point type at the top of page one; and revise it to be “CONDITIONAL Commitment Letter.” Do you want a state law or UDAAP theory to force you to make a $200,000 loan you’d rather not make?
9. Teach Common Sense and Emphasize what is Really Important: With so much “e-learning” there is little one-on-one training anymore where you can touch upon common sense issues. Examples:
■ For the loan officers: It is unusual for 19-year olds to have jobs paying $240,000 per year. Prior to lending on that $80,000 vehicle you may want to absolutely verify this. (Why? The loan officer is just following approved procedures and verified income by the pay stub – right?)
■ For Teller / MSRs: BSA requirements are not subject to your interpretation because you do not agree with them. If you violate these rules you may be prosecuted by the federal government and go to prison. (Why? Because it has happened, that’s why.)
Often the message is best conveyed by person-to-person communication. Put down the cell phones and tablets and talk to one another.
10. Technically Compliant Documents Need More: Rarely is a credit union action brought for any legal/regulatory violations. Where a credit union runs into a brick wall is when it wants to exercise a right or protection that its documents unfortunately do not cover. Also, as things happen you may need to address them contractually to avoid future issues (I am not talking the one-time odd-ball event, but those subject to being repeated where a contractual
provision can address how a matter is to be handled where there is otherwise no certainty). I see this virtually every week which is why I start many conversations with “what document set are you using” as this will be the biggest factor in providing a positive or negative answer to your issue. You need to be sure your documents are not only compliant, but that they also address real life. The average forms provider who drafts forms under fluorescent lights and does not talk to you day-to-day has no shot at knowing these issues, much less covering them. To illustrate I give you just two of dozens of such considerations from our Membership Agreement:
Credit Union’s Right to Investigate: It is agreed that it is critical to the Credit Union and its members that the Credit Union have full rights to investigate all transactions, methods and means of making transactions to protect its members and the Credit Union. Therefore, it is agreed that upon notification of any claim of error, unauthorized transaction(s) or other notification related to or arising from any transaction(s), methods or means of making transactions the Credit Union shall have full rights of investigation to extend to all persons, means and methods of making transactions. It is expressly agreed that this shall specifically include the right to inspect and scan a member’s or user’s access device(s) including but not limited to computers, tablets and smartphones; and to report the Credit Union’s findings of such investigation to all owners and/or users.
Credit Reports, Membership-Account Eligibility, Other Credit Union Services and Social Media: To verify your eligibility or continued eligibility for membership, any account(s), service(s), or loan products; increases or decreases in services and/or credit limits, now and in the future; or as needed to comply with any applicable law, regulation or governmental agency requirements including but not limited to escheatment/abandoned property, privacy, or other issues that may affect your rights, you authorize us to make inquiry to determine your employment history and to obtain information concerning any accounts with other institutions and your credit history, including consumer credit reports. You agree that this authority applies to any account, account-related service, loans or other financial products you request or which we may offer or make available to you. We may also report information concerning your account(s) and credit to others. You also understand that you may elect from time to time to use Credit Union or other parties’ social media tools and sources; that there is no claim of privacy or privilege regarding information shared or discernible from such use or sharing; and the use of such information by us does not violate your privacy or other rights. If you have consented to communicating with us via social media we may use any social media addresses you may establish from time to time.
You have to be versed in the practical applications of the above to understand the value, but they expand your rights and opportunities, which proper Risk Management requires. I could go on and on … and expect I could write an entire treatise on these real life matters as that is generally what I have dealt with day-to-day, year after year for thirty years now. Perhaps we should get together and discuss these issues; or perhaps as we adopt processes more in line with Enterprise Risk Management we will find ourselves addressing such
considerations as a matter of course. I hope you will view this short article as an expression of the need to expand considerations beyond technical compliance with the headline of the week variety to the real life issues where we actually do incur losses. Granted, experience gives me insights that many without so many years in the trenches may not possess; but in credit unions we are willing to share and learn from one another. That is why I travel to a credit union and spend time talking real life issues every 3 weeks or so, for after thirty years I accept I still have much to learn.
About the Author Todd Sherpy is a founding partner in the law firm of Sherpy & Jones, P.A. with offices in South Carolina and Georgia; and is entering his 30th year of practice in the Credit Union compliance arena. The firm is dedicated to serving all legal needs of Credit Unions; and provides day-to-day compliance, compliance auditing, training and consulting services to Credit Unions throughout the United States. Todd dedicates a large portion of his time to teaching Credit Unions, having made presentations in 46 States and has participated as an instructor through many CUNA, League, and Credit Union Trade and Vendor programs. Todd has also authored numerous CUNA and other publications ranging from compliance resources to volunteer training programs. Todd also serves on the Credit Union Sub-Committee of the American Bar Association. Todd is married to the Executive Officer at a Large Georgia Credit Union and has two daughters, Caroline and Catherine -- having lost Catherine after a two-year battle with cancer in 2013. He adores both his daughters and now dedicates all funds from speaking and education to the fight against cancer and will accept no compensation personally. If ever Todd can help your Credit Union in regards to any Staff, Board or other training he will work with you in order to raise cancer awareness and donations to fight back against the disease that took from him what he holds as most precious.
EFFECTIVE WHISTLEBLOWER PROGRAMS
MIKE MOSSEL
The goal of any internal whistleblower program is to provide an effective, efficient, and anonymous method for credit union employees to report suspicious activity, ethics violations, and other internal control concerns. Over the years, I have personally seen where an effective and efficient internal based reporting hotline has been a tangible advantage to credit unions. Not only does it tap into your most useful and effective resource, that of your employees, but it also provides them with an anonymous method to report any type of irregularities. This then gives the credit union the substantial advantage of detecting possible fraud-related activities sooner, so that potential losses are minimized. It should be noted that the NCUA, CUNA Mutual, and the Association of Certified Fraud Examiners all recommend that an effective fraud reporting hotline be established as a vital fraud deterrent.
Consider the following statistics as stated in the 2016 Report to the Nations on Occupational Fraud and Abuse, performed by the Association of Certified Fraud Examiners:
■ Tips are consistently and by far the most common detection method. Almost 40% of all cases were detected by a tip - more than twice the rate of any other detection method. Employees accounted for nearly half of all tips that led to the discovery of fraud.
■ Credit unions with hotlines were much more likely to catch fraud by a tip, which the data showed is the most effective way to detect fraud. These credit unions also experienced frauds that were 41% less costly, and they detected frauds 50% more quickly.
■ Credit unions that had reporting hotlines were much more likely to detect fraud through tips than credit unions without hotlines (47.3% compared to 28.2%, respectively).
■ The presence of anti-fraud controls is associated with reduced fraud losses and shorter fraud duration. Fraud schemes that occurred at victim credit unions that had implemented any of several common anti-fraud controls were significantly less costly and were detected much more quickly than frauds at credit unions lacking these controls.
■ In 94.5% of the cases the perpetrator took some efforts to conceal the fraud. Fraud perpetrators tended to display behavioral warning signs when they were engaged in their crimes. The most common red flags were living beyond means, financial difficulties, unusually close association with a vendor or customer, excessive control issues, a general “wheeler-dealer” attitude involving unscrupulous behavior, and recent divorce or family problems. At least one of these red flags was exhibited during the fraud in 78.9% of cases. Who best to observe these types of red flags than fellow employees?
■ Small credit unions had a significantly lower implementation rate of anti-fraud controls than large credit unions. This gap in fraud prevention and detection coverage leaves small credit unions extremely susceptible to frauds that can cause significant damage to their limited resources.
Unfortunately, many fraud hotlines fail because employees don’t trust them. How do you ensure you have a quality system that concerned employees will use without fear of retribution? Consider these factors:
■ Trust is the primary determining factor as to whether an employee will come forward with a concern. Employees might view the reporting of concern via hotlines as potential “lose-lose” scenarios. If an employee chooses not to report, and an outside source later discovers misconduct, the credit union might face both financial losses and reputational damage that it could have avoided. However, if the employee does report, and the credit union’s culture of trust is lacking, he or she might face retaliation, including termination. The employee weighs these possibilities and decides that remaining gainfully employed is the better option. Since most frauds are detected by tips, this suggests that credit unions operating ineffective hotline reporting programs risk failing to identify ongoing frauds. If employees don’t feel comfortable reporting fraud and corruption concerns to the credit union, they simply won’t. Employees’ lack of trust in the reporting process also can create an unhealthy work environment and eventually result in organizational issues such as poor employee performance and motivation, employment lawsuits, legal and regulatory actions, loss of assets, external whistleblower complaints, poor customer perception or brand reputation, and high employee-turnover costs.
■ History tells us that whistleblowers have been subjected to false allegations, retribution from management and supervisors, and even dismissal. Retaliation cases give life to corporate phrases that haunt potential whistleblowers: “kill the messenger,” “pick your battles” and “career-limiting moves.” Still, whistleblowers are often driven by the motivation to do the right thing so they can sleep at night.
■ Employees often ignore company hotlines because they witness top management’s indifference to ethical business conduct. When employees see management retaliating against would-be whistleblowers, the message at the operational level is clear: Mind your own business, don’t ask questions, and keep your head down if you want to keep your job.
■ When investigations ensue and significant losses are later incurred, executive management and the board ask, “Why didn’t anyone report this sooner?” The answer is simple: The focus on “winning at all costs” locally results in a culture of noncompliance at all levels. An ethics hotline reporting system becomes meaningless when employees can’t trust that local management will take appropriate action.
Credit unions can try to purchase or fabricate employees’ trust by deploying catchy phrases or slogans. However, from the time an employee reports a concern until the case is closed, a credit union’s reporting program must demonstrate confidentiality, professionalism, and fairness. If a credit union is continuously faced with external whistleblower reports or a lack of internal reporting by employees, management must consider where the process might be broken and why employees believe the hotline reporting process isn’t trustworthy. The following factors often cause a hotline reporting process to be ineffective:
Employees don’t understand the system
“Who answers the hotline number?” “Will they know that I filed a complaint if I file anonymously?” “Will they tell my boss that I reported a concern?” and “Where does my complaint go? And who reviews it?” These are just some of the questions employees might have. Doubt and uncertainty can impede an employee’s decision to report a concern. The more information a credit union can share about the program to increase transparency, the more likely an employee might be to come forward.
Inadequate resources and poor program design
Credit unions demonstrate that they value the reporting of concerns by spending money on well-designed hotline programs with professionally trained efficient responders and investigators, fully integrated case management systems, and all the necessary support tools and resources. Anything less will engender employee mistrust.
Lack of personalization of an employee’s concern
Reporting a concern can be a very personal experience for an employee. The whistleblower might be a victim, have witnessed significant wrongdoing, or be taking a personal chance by coming forward and doing the right thing. If a concerned employee only hears a recorded message or an automated response on the first call, he or she (and colleagues) might view the whole program as machine-like and indifferent. Qualified and experienced compliance or investigative professionals must immediately follow up on reported concerns. Concerned employees need support and reassurance that they’ve done the right thing, the credit union will address their concerns, and they’ll be protected from retaliation. A credit union can achieve this through a code of conduct that articulates the expectation of behavior, including ethics and compliance policies that communicate anti-retaliation commitments.
Lack of training
Additional training may be needed to help employees better recognize their role and responsibilities, and to get a more thorough understanding of the reporting system, including the maintenance of confidentiality and anonymity in filing reports. Make sure your periodic meetings with staff include fraud controls and a reminder that employees have access to report anything that might be suspicious.
Do new employees get the necessary training on fraud and the reporting mechanism? Periodic (monthly) and consistent dialogue about fraud controls and the employees’ ability to report such activity is an additional control to keep it in the forefront.
Management involved in hotline
Because local frontline management are rarely trained as investigators, they shouldn’t help determine if an employee concern has merit, is factual, or warrants a full-fledged investigation. Local management might be the problem or — at the very least — might be complicit in allowing the concerns to occur or go unaddressed. Local human resources professionals might also appear to employees to be closely aligned with management. They also might be inadequately trained and show bias or favoritism. To ensure transparency, independence, and objectivity, often it’s most effective to use a third party to administer the hotline. At the point when a concern becomes part of an investigation, the credit union can involve management, including internal audit, compliance/legal, and human resources, depending on the type of complaint.
Too many reporting mechanisms
Hotlines should be the primary entry point for all concerns regardless of who reports them or how credit unions identify them. Unfortunately, credit unions that want to ease the process encourage employees to also alternatively report through email, web portal, in writing, or in person to such departments or individuals as compliance, internal audit, legal, employee relations, safety, environmental, human resources, ombudsmen, ethics officers, supervisors and union steward. These are confusing messages.
Too much emphasis on “credible” complaints
Employees file fictitious and malicious complaints against credit unions and colleagues to fend off pending terminations, get others into trouble or retaliate for some perceived personal slights. Unfortunately, hotline program workers have to respond to erroneous or malicious complaints. Some credit unions might attempt to reduce meritless complaints by communicating that employees should only report “credible” or “good faith” complaints. Other credit unions might go a step further by saying that employees could be subject to disciplinary action for filing complaints that aren’t credible. However, tactics like these, regardless of the trust level, might dissuade employees from reporting any concerns. “Credible” and “good faith” are subjective terms that management will evaluate. Credit unions’ best approach is to encourage employees to report all issues with no hint of the risk of disciplinary action. If a credit union feels a complaint is without merit, it can document and dismiss it after it performs limited diligence.
Obstacles of negative incidents and retaliation
When an employee is mistreated for following the credit union’s reporting policy, the hotline program can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals - immortalized on the internet, in court records, or public documents - can create a devastating silent “do not report” culture. Credit unions should communicate they have a zero-tolerance policy for retaliation and will deal with it swiftly and publicly. They might need to conduct ongoing communications and awareness campaigns to make programs as transparent and trustworthy as possible, especially if employees know about previous retaliations.
Inconsistent outcomes
Credit unions must demonstrate that consistent and fair outcomes are routine regardless of people, relationships, or scenarios. Employees will learn through the grapevine whether the credit union delivers fair and consistent discipline, regardless of how confidentially the credit union keeps investigation outcomes. Of course, if employees view outcomes as fair, they’ll feel more compelled to report concerns.
Actions speak louder than words
Employees critique, judge and evaluate what a credit union says about its hotline-reporting program by what it does rather than what it says. Does it follow policies and procedures as designed? Does it really have a zero-tolerance policy on retaliation? Are outcomes consistent, fair, and proportionate? Does it truly allow employees to report concerns anonymously? Credit unions implement and maintain trusted hotline reporting programs differently, depending on their sizes, cultures, geography, and several other factors. And they must decide if they’ll construct their hotlines in-house or outsource them. Credit unions find many benefits to outsourcing, from experience and expertise to the appearance of independence, which can increase employees’ trust. Hotline providers’ built-in frameworks allow 24/7 accessibility. Smaller credit unions might believe that insourcing is the lower-cost option. However, establishing an insourced program requires investment in hardware, software, and personnel, among other costs.
Whether a credit union’s hotline-reporting system is in-house or outsourced, management must remain independent and only should become involved if it begins an investigation. Most employees want to do the right thing, and credit unions need to do what they can to help support and encourage employees to report. Failures in employee reporting today can result in significant operational and reputational hurdles tomorrow. These tips, which build on the previous ten factors, can help:
■ Training and awareness. Increased awareness of the program will help build employees’ confidence in it. A credit union should continually strive to help employees know how the hotline-reporting program works, why the credit union believes in it, who operates it, and why it’s a critical part of the compliance culture. Communication about a hotline-reporting program, recent compliance issues, and messages from management should be routine and commonplace.
■ Accessibility. Information on a hotline program and how to report a concern should be within one click of the credit union’s intranet or external website. Web-based reporting platforms should be available to facilitate anonymous reporting and allow for the inclusion of attachments.
■ Transparency. Prominently display your credit union’s hotline-reporting and investigation process including the expertise and contact information of your trained investigators, what employees should expect, plus the credit union’s responsibilities to cooperate and protect against retaliation.
■ Proficiency and objectivity. Those who manage the hotline and investigation processes should be technically proficient, professional, well-trained, and experienced in handling reporting of concerns. The credit union should also install adequate systems, processes, and technologies to support the investigators and, ultimately, the employees.
Ask yourself some frank questions to better understand your credit union’s ability to handle fraud through a whistleblower hotline:
■ Do your employees have the confidence and assurance that reporting suspicious activity is completely anonymous and confidential? It is in the best interest of the credit union to create a culture of honesty and high ethics and to clearly communicate acceptable behavior and expectations of each employee. Such a culture is rooted in a strong set of core values (or value system) that provides the foundation for employees to understand how the credit union conducts its business.
■ Do new employees get the necessary training on fraud and the reporting mechanism? Make sure your periodic meetings with staff include fraud controls and a reminder that employees have access to report anything that might be suspicious. Periodic (monthly) and consistent dialogue about fraud controls and the employees’ ability to report such activity is an additional control to keep it in the forefront.
Employees have great insight into control weaknesses and ethics issues. Effectively leveraging your internal control framework by “deputizing” your staff provides a critical layer of protection to your credit union and will help in strengthening internal controls to achieve your governance objectives.
About the Author Mike Mossel, along with Mike Sacher, are co-managing directors of Protect My Credit Union.com, LLC (PMYCU.com), a cost-effective internet-based whistleblower and ethics reporting hotline designed specifically for credit union employees to report suspected fraudulent activity, policy violations and other ethics related matters. You can contact Mike at mmossel@pmycu.com or at 818.807.8067.
{ the standards }
Core Principles and the Code of Ethics
The ten basic standards upon which our profession is based.
Pat Richey, Retired credit union internal auditor
I first wrote about The Institute of Internal Auditors (IIA) Code of Ethics in 2005. However, the Core Principles were added to the International Professional Practices Framework (IPPF) in 2015. The task force that proposed the 2015 IPPF changes discussed whether The International Standards for the Professional Practice of Internal Auditing (Standards) were principles-based or rules-based. They decided that the Standards were principles-based.[1] However, those principles had never been spelled out.
Core Principles
The ten Core Principles articulate what effective internal auditing looks like in 2017. Credit union internal auditors should measure the effectiveness of their functions against these principles. All of the principles must be present and operating effectively. The internal audit activity must:
1. demonstrate integrity
2. demonstrate competence and due professional care
3. be objective and free from undue influence (independent)
4. align with the strategies, objectives and risks of the credit union
5. be appropriately positioned in the credit union and adequately resourced
6. demonstrate quality and continuous improvement
7. communicate effectively
8. provide risk-based assurance
9. be insightful, proactive and future-focused
10. promote organizational improvement
These principles underpin the Standards, which describe how to put the principles into practice. I will discuss the principles in future articles about the Standards. However, the principle of being insightful, proactive, and future-focused is harder to tie directly to a particular Standard.
[1] https://normanmarks.wordpress.com/2015/07/24/core-principles-for-effective-internal-audit/
Insightful, Proactive, and Future-Focused
Insightful, proactive and future-focused is a bit abstract. I am not good at abstract. I am as concrete-sequential as it gets (which is why I love internal auditing). In the last issue of The Audit Report I discussed insight, which is also a term in the IPPF Mission Statement. So, what does it mean to be proactive and future-focused? I like best the Google.com definition of the word “proactive.” Proactive means to create or control a situation by causing something to happen, rather than responding to it after it has happened. Being proactive is very powerful. It means taking charge and being bold, and maybe even “daring greatly.” I am in the middle of reading Dr. Brené Brown’s book Daring Greatly, which is why this term comes to my mind. The book is based on President Theodore Roosevelt’s quote (excerpted here): “It is not the critic who counts; nor the one who points out how the strong person stumbled, or where the doer of deeds could have done better. The credit belongs to the person who…, at worst, if he or she fails, at least fails while daring greatly.”[2] Unfortunately, internal audit may be the critic and finger-pointer. Can internal audit change that role so that the activity is proactive and future-focused? Perhaps being a critic and finger-pointer is a safe position. Are we willing to subject ourselves to possible failure because we have dared greatly by being proactive and future-focused?

Merriam-Webster includes in its proactive definition “acting in anticipation of future problems, needs or changes,”[3] which of course means being future-focused. Perhaps the IIA is being redundant when it talks of being proactive AND future-focused. To be proactive and future-focused, the credit union internal auditor must not dwell on what happened in the past, but use that information to anticipate future problems and needs. Is it useful to point out mistakes that were made? It is more useful for the internal auditor to use that information to promote credit union improvement. Vocabulary.com says that a proactive person makes things happen, and gets things done. Yourdictionary.com says a proactive person deals with something before it needs to be taken care of. All these definitions say the same thing in a slightly different way. They all point to a very powerful message that requires significant change for many of us. I like this quote from Dr. Brown’s book: “The willingness to show up changes us; it makes us a little braver each time.” The willingness to show up can be heard in the idiom “stepping up to the plate.” Each time we step up to the plate, it makes it easier the next time. This is a very true statement for me. When I was about 30 years old, I had an experience where I thought “If Linda Steele can do it, so can I” and I stepped up to the plate and have been doing that ever since. So my internal audit friends, step up to the plate, become proactive and future-focused, and dare greatly.

[2] http://www.appleseeds.org/DareRoos.htm (from an address at the Sorbonne, Paris, April 23, 1910)
[3] https://www.merriam-webster.com/dictionary/proactive
Code of Ethics
Credit union internal auditors are familiar with the code of ethics/conduct for their respective credit unions. They should also be familiar with the IIA’s Code of Ethics for internal auditors. As I mentioned, the IIA’s Code of Ethics has been around for a long time, and the elements have not changed since I last wrote about them. However, the Code of Ethics is now organized into two components: principles and rules of conduct. The rules of conduct help interpret the principles, and are the expected behavior norms for internal auditors and the internal audit activity. The IIA’s Code of Ethics includes guidance on integrity, objectivity, confidentiality and competency. The internal auditor Code of Ethics should be part of the training program for new staff auditors.

Integrity
Internal auditors are responsible for assessing the control environment of their credit unions. The control environment includes the integrity and ethical values of the credit union. The internal auditor can influence the integrity and ethics consciousness of volunteers, management and employees by being an example of integrity. Anything less than absolute integrity affects internal auditors’ credibility. If internal auditors want the credit union to rely on the auditors’ judgement, the internal auditor must establish trust with all persons. The Rules of Conduct state that internal auditors must perform their work with honesty, diligence, and responsibility; observe the law; make appropriate disclosures when required; not be a party to any illegal activity or engage in discreditable acts; and respect and contribute to the ethical objectives of their credit unions. I think this encompasses the internal auditor’s private life also. A lack of integrity in private life, if it becomes known to the credit union, will undermine the internal auditor’s efforts at the credit union. I think a lack or loss of credibility would be a huge detriment that would be hard to overcome. Integrity means never lying for any reason and admitting mistakes, even in the smallest things.
Objectivity
Objectivity is not normally a part of a credit union’s code of ethics, but it is part of the internal auditors’ code. The objectivity principle states that internal auditors show the highest level of objectivity in performing their work; make a balanced assessment; and are not influenced by their own or others’ interests. The Rules of Conduct say that internal auditors will not participate in or accept anything that impairs, or may be presumed to impair, the auditor’s unbiased assessment. Internal auditors must disclose all material facts known to them that, if not disclosed, may distort audit communications. Objectivity is addressed more fully in the Standards.

Confidentiality
The IIA Code of Ethics states that internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority. The Rules of Conduct say that internal auditors are careful in the use and protection of information they obtain, and do not use information for personal gain, unlawful purposes, or to the detriment of the credit union. When I trained a new staff auditor, the first item we discussed on day one of the training program was confidentiality. In our internal audit department, we had access to information that was not available to even senior managers (such as minutes from closed sessions of the board of directors). We had access to personnel files and due to our integrity had the confidences of board members, senior managers, and employees. We would not have had this level of trust if we ever breached a confidence. My guidance to my staff auditors was that no one in the credit union would learn anything from internal audit that had not been published internally or publicly. Also, I told my staff auditors that they may not discuss with spouse, family, or friends any credit union information that has not been made public. Once an auditor gives information to another person, it is out of the auditor’s control and the auditor has no idea where that information will land. The inability to talk about my work made for a dearth of conversation between my husband and me, but early in my internal auditing career I learned to be careful. One evening my husband and I were planning to go for dinner with friends. I called my husband from work and said I would be a little late because I was working on an employee fraud case that came up. When I got to the restaurant, our friends said “So tell us about this fraud case you’re working on,” because my husband had told them why I was delayed. I was mortified.
Competency
Is competency part of your credit union’s code of ethics? Probably not. But it is part of the IIA Code of Ethics. The code states that internal auditors apply the knowledge, skills, and experience required to perform audit activity. The Rules of Conduct say that auditors do not perform audits if they do not have the needed knowledge, skills, and experience; perform audits in accordance with the Standards; and continually improve their proficiency, effectiveness, and quality of audits.
When I came to the credit union I knew nothing about branch operations, lending, investments, collections, regulatory compliance, etc. I had never even audited before. I had taken an auditing course as part of my accounting degree – does that count? I had no knowledge, skills, or experience with credit unions or internal auditing. Does that mean that I shouldn’t have been auditing? I think the competency guidance means don’t get into anything that is over your head. Branch operations, lending, and collections are pretty easy stuff. It did take me a while to get the hang of regulatory compliance. I was never sure about investments, because I basically didn’t understand them (CMOs?), but I plunged into NCUA Rule 703 and I could figure out if our investment policy was in compliance with the regulation, and whether our practices were in compliance with our policy.
Information technology is the one area that may be over the head of general auditors. That takes specialized training, and that is why there are IT auditors, or why IT audits are usually outsourced. However, internal auditors should be able to get at “the low-hanging fruit” like IT general controls, and leave the really technical audits to the IT auditors. I did a data room security audit, a logical access audit, and a functional access audit (with the help of the FFIEC IS Examination Handbook). I left the rest to external firms. At one time, ATM PIN Security Reviews were required by the ATM networks. The first year the review was required, I attempted the review in-house. Although some credit union internal auditors (non-processing credit unions) were performing the audit, I was not confident in what I was doing. Actually, I had no idea what I was doing. I couldn’t even understand the audit program. I did not want to spend the $5,000 unbudgeted funds to outsource the audit, but what it boiled down to was that I would not sign off on an audit where I was not confident in my work. I felt I did not have the competency that the Code of Ethics requires. I ended up outsourcing the audit. However, I worked closely with the external auditor, and had the external auditor explain everything to me. The next time the audit was required, I was able to do the audit. I encourage all internal auditors to be familiar with the IIA’s Code of Ethics, and to seriously consider all of its implications for your audit department.
About the Author Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ member spotlight }
Tom Cosby
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
Say Helloooo to Tom Cosby – basketballer extraordinaire, North Carolinian (kind-of but not really), and noble ACUIA volunteer
Hello Tom! I’m excited to get to know our newest Region 3 Director. I usually like to start with the fun stuff, meaning talk about your non-auditor self a bit.

I have spent my entire life – except for 5 years – in Indiana. I spent those five years away in North Carolina, where I met my wife. I have one stepson and two grandchildren. I don’t know about “basketballer extraordinaire” but for several years I volunteered as a youth basketball coach with the Catholic Youth Organization in Indianapolis. I coached both boys and girls basketball at three different schools. Once upon a time I was also an avid golfer, but gave up the game about ten years ago. Now most of my spare time is spent with family, and my volunteer time is devoted to ACUIA.
Thanks for saving some of that spare time for us! Now let’s switch to audit. How long have you been involved in this exciting profession and how did you get here?

I have been in Internal Auditing since 1981. My educational background included a BA degree in business administration and an MBA in finance. I was actually working as an industrial engineer when I decided to apply for an internal audit position with a bank. My operations experience as an industrial engineer, which included methods improvement and establishing and monitoring work standards, was the reason they hired me as an operational auditor.

Roughly 36 years in the industry comes with a wealth of knowledge. Can you reflect on how the industry has changed and share some wisdom and lessons learned?

Well, looking back I wish I would have had experience working for a CPA firm prior to getting into internal audit. I recommend that anyone wanting to get into the internal audit field consider getting at least a few years’ experience with a CPA firm first, as well as consider obtaining some type of certification such as CPA or CIA. I myself plan to obtain the new ACUIA certification within the next year or two. Change has definitely shaped the internal audit profession over the years, the biggest changes being in technology, such as audit software and the use of data mining tools such as IDEA and ACL. The emphasis on obtaining certifications has also grown over the years and more types of certifications are offered now than ever before. The other significant change has been the evolution of Enterprise Risk Management. Whether you are new to internal audit or have been in it for a while, it’s important to keep current on new technology and what is going on in the audit profession. Get involved in organizations like ACUIA and the Institute of Internal Auditors (IIA) and learn what others in the industry are doing. Being involved in Toastmasters International also helped me enhance my communication skills.

What do you feel today’s internal audit challenges are, and how can we overcome them?

Many organizations are outsourcing internal audit services, so internal auditors are challenged daily to prove their value to the organization. There are many CPA firms out there offering audit services to credit unions and referencing their expertise in many areas as a selling point. Internal auditors need to keep up with technology and obtain as much training as possible to keep up with new trends in the audit industry.

If you were hiring, what background and experience would you be looking for to make a well-rounded department?

I am the only audit staff at my credit union. However, if I were looking to add staff, I would look at someone’s experience in the banking or credit union industry. I would also look for someone who has good IT skills. That is an area that I don’t have a strong background in, so that would contribute to a well-rounded department. I would look for someone who has had at least 1-3 years of internal audit experience.

Let’s switch to what has brought us together – ACUIA. Tell us about your ACUIA background.

I have been a member of ACUIA since 2012. I am currently the Indiana Chapter Coordinator and the Region 3 Director. These volunteer opportunities have allowed me to meet and work with several ACUIA members that I would not have met otherwise. But overall, attending the ACUIA annual conferences, along with the chapter and regional conferences, has benefited me the most.

Tom, thanks for taking some time to share your story with your fellow ACUIA members. Hopefully we will run into you in San Antonio!

FUN FACTS ABOUT TOM
Favorite sports team: Chicago Cubs
Favorite food: Steak
Favorite politician: My favorite politician is non-politician, Donald Trump
{ regional news }

REGION 1
Director: Julie Wilson, Director Internal Audit, iQ CU, 360.992.4233, juliew@iqcu.com
The Region 1 meeting was held on April 28th at WSECU in Olympia, WA. Among the topics covered were Cybersecurity – NCUA CAT; Supervisory Committee Packet Contents; Third-Party Risk Management; Audit Report Writing; 2017 Compliance & Safety/Soundness Exam Focus; and Military Lending Act & Other Regulation Changes. Thank you to WSECU for hosting the meeting. Special thanks to Aaron Robel & Jill Chase (WSECU), James Alexander (Unitus Community CU), Ken Glascock (BKD, LLP), and Keith Schuster (Washington State DFI) for presenting. Thank you to everyone in attendance for a great regional meeting. The next Region 1 meeting will be in October. More to come on this.

REGION 2
Director: Tara Tocco, Internal Audit Manager, Hughes Federal Credit Union, 520-205-5744, TTocco@hughesfcu.org
No news for Region 2. Contact Tara for information.

REGION 3
Director: Tom Cosby, Vice President Internal Auditing, Crane Credit Union, (812) 863-7000 ext 7142, tcosby@cranecu.org
Brittany Metz is the new chapter coordinator for Iowa. Thank you Brittany for your service! The 2017 Region 3 Conference will be October 18-20 in Indianapolis. More details will be forthcoming. Feel free to call me with any regional questions.

REGION 4
ACUIA NEEDS YOU! This position is still open. Please contact a member of the ACUIA Board if you are interested in volunteering.

REGION 5
Director: Michael P. Moreau, CIA, CFE, CFSA, Manager Credit Union Services, Macpage LLC, MPM@macpage.com
No news for Region 5. Contact Michael for information.

REGION 6
Director: Jason Alexander, CIA, MBA, CICA, Director of Internal Audit, LGE Community Credit Union, 770-421-2579, jasona@LGEccu.org
We had a wonderful 2016, a great first quarter, and we look forward to continuing that momentum. We added four new chapters and have opportunities for more to be added. Contact Jason Alexander at jasona@lgeccu.org for more information. We are planning our spring chapter events and Fall Region 6 meeting. Look for announcements from your coordinators soon.
{ region directors }
REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Tara Tocco, TTocco@hughesfcu.org
REGION 3: Tom Cosby, tcosby@cranecu.org
REGION 4: VOLUNTEER NEEDED!
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, MPM@macpage.com
REGION 6: Jason Alexander, CIA, CICA, jasona@lgeccu.org
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Jason Garlutzo, Jason.Garlutzo@azstcu.org
CALIFORNIA CHAPTER: VOLUNTEER NEEDED!
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com
HAWAII CHAPTER: Nikki Ige, Nige@kcfcu.org

REGION 3
ILLINOIS CHAPTER: Rick Torres, rtorres@CreditUnion1.org
INDIANA CHAPTER: Tom Cosby, tcosby@cranecu.org
MINNESOTA CHAPTER: Ashley Shrode, Ashley.Shrode@thrivent.com
MICHIGAN CHAPTER: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
IOWA CHAPTER: Brittany Metz, brittanymetz@uiccu.org
WISCONSIN CHAPTER: Karla Hodgkins, khodgkin@Covantagecu.org

REGION 4
ARKANSAS CHAPTER: Patrick McCollough, pmccollough@AFCU.org
NORTH TEXAS CHAPTER: VOLUNTEER NEEDED!
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!
MARYLAND CHAPTER: Nikki Torres, nichele.torres@towerfcu.org

REGION 6
ALABAMA CHAPTER: Adrienne Breckenridge, CPA, abreckenridge@avadiancu.com
GEORGIA CHAPTER: VOLUNTEER NEEDED!
FLORIDA CHAPTER: Lourdes Camacho, lourdesc@sccu.com
NORTH CAROLINA CHAPTER: VOLUNTEER NEEDED!
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org