ACUIA Audit Report volume 26 issue 3 by pstraubel

Volume 26, Issue 3, 2017

The Magazine of the Association of Credit Union Internal Auditors, Inc.

ASSET-LIABILITY MANAGEMENT WHO ARE THE PLAYERS? COMPLIANCE MANAGEMENT THE BIG THREE AREAS TERRY McEACHERN FOUNDER, ROCK STAR, COLLEAGUE, LEADER, FRIEND

YOUR

I NTEGRITY

CORNERSTONE

RELATIONSHIPS BUILD BUSINESS RELATIONSHIPS BUILD BUSINESS Strengthen your relationships by using advisors with a strong professional network. Strengthen your relationships by using advisors with a strong professional network.

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. ©2017 CliftonLarsonAllen LLP Wealth | 28-1094 Investment advisory services are offered through CliftonLarsonAllen Advisors, LLC, an SEC-registered investment advisor. ©2017 CliftonLarsonAllen LLP | 28-1094

Dean Rohne | 800-657-4477 Dean Rohne | 800-657-4477 CLAconnect.com CLAconnect.com

Volume 26, Issue 3, 2017

The Magazine of the Association of Credit Union Internal Auditors, Inc.

{ contents }

6 F E AT U R E S

D E PA R T M E N T S

2 From the Editor The End of the Story Tabitha Ernst-Chadwick

Creating the Right Culture Internal fraud prevention is founded on a cornerstone of integrity. Mike Mossel

Hello from the New Editor Dian Scott 4 Chairman’s Message Another Great Success Story John Gallagher

12 Asset-Liability

26 Conference Highlights

Management

It’s definitely a group effort. Alison Herrick, CPA

The Big Three

Auditing Compliance Management has an intensified focus due to regulatory changes. Sam Capuano, CBA, CRP

28 The Standards Internal Audit Charter Pat Richey 28 Member Spotlight Lourdes Camacho 34 Regional News 36 Region Directors and Chapter Coordinators

Terry McEachern 20 A fond salute to a Founder,

Rock Star, Colleague, Leader, Friend Amy Schaefer

24 The Dawn of a

Purpose,

Authority

New Credit Score

We’re more than just a number. Brok Lahrman

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Dian Scott Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284

and

Responsibility 

The End of the How Do You UseStory Your Power?

TabithaErnst-Chadwick, Ernst-Chadwick,CIA, CIA,CFE, CFE,LRP, LRP,CBSAO, CBSAO,CUCE, CUCE,NCCO, NCCO,CISA CISA Tabitha

loveintoa state read.that As is a the working mom live subject of with active children and a few volmuch debate and controversy due I don’t tounteer a boldactivities new law.ofAher fewown, superstars get toare enjoy as many books as I once who particularly offended by did. But every now and then there the rule decided to flex their famous is a newreach release so their enticing I’m muscles, into deepthat pockwilling to forgo a few more hours ets, and make their own bold state-of sleepby so cancelling I can read it. ment allSometimes venues in even the when I’m falling asleep with the book offending state. onThe my face I simply put it down. result? Well,can’t I can’t say for It’s so interesting I have to devour sure, but my guess is that the governorit. And that exactly what I do, devour didn’t loseismuch sleep over a couple it. But then — it’s over, and the of politically charged rock bands better from the80s book, disappointed I am the andthe 90smore (though who knows? when it’s finished. I love to get to the He could be the president of both fan end toIfsee what happens, and I hate clubs). Facebook can be believed – that it ended. which it can because everything on You may recall antrue article ortantwo Facebook is obviously – the included in The Original Works gible result was A LOT of very disap-of Tabithafans, about transitions and change, pointed many of whom lost monas that was the constant in life ey despite the ticket refunds my (hotel over the past two years. But for some reservations, airline tickets, car rentreason,This until recently,result I did not als…). particular is ofassono ciate “change” with “The End.” Yet concern to the superstars, though, beunless you are Superman(woman) cause their desire was to make a point some sciencefans phenomenon toorthe politicians, be damXXd.with theNoability to alter time, change and matter which side of the infatransition almostBillalways also symbring mous Bathroom gets your an end. I recently heard a wise man pathy, the trend is a bit disconcerting say that you need to be willing to – people who perceive themselves see as when Goddoing is writing the ending influential everything in theirto your current story so that you can bepower to make their opinions your gin the next story. opinions. And the trend will continue, I havewhat beenartists working on this magabecause could possibly zine since 2005 and I have loved it. I now perform in this offensive state, have their learned so much andtaken met many when colleagues have such great people through my work valiant stands against injustice? with The I do notenough want this SoAudit I wasReport. not fortunate to story to end. As much as I want but this have tickets for either of the shows, to continue, also want emifstory 6-year-old soccer Igames weretoheld brace the new stories that are being on any day but Wednesday I would written me, and unfortunately been an for addition to the angry mob I am neither Superwoman a sciof disappointed fans. I was nor outraged ence phenomenon. nonetheless, because I have fellow And fans so as learned at this die-hard whoyou don’t have Wednesyear’s annual conference, I day night soccer obligations, who have did turned overand Thewho Audit Report reinsbyto have tickets, were crushed thecancellation. very capable quite the My(and outrage ledfrankly to remuch better!) hands of Dian flection on how I felt about bands Scott. pun-

www.acuia.org | | TH E AU D I T R E P O RT www.acuia.org TH E A U D I T R E P O RT

This will last Editor’s ishing fansbe formy actions outsideColumn. of their Some of you are cheering now and control, further leading me to reflecothers are wiping tears (ok maybe tion on customer service and treating I’m theright, only and one tearing upreflection but since people finally to this is my story I can write it the way on how this could relate to internal audit and risk management. Oh yeah – that’s right; in true nerd fashion I am i, dear hearts. turning a 90s alternative rock concert I’m Dian Scott, into an audit and risk lesson. your new Audit ReSo here is the lesson. As auditors port editor. and risk managers, sometimes we are Who, I’m with sure the ones in our organizations you’re asking, those proverbial big muscles and deepis Scott?! pockets. We areDian the ones with Well, the the short story is I’ve power to persuade. Most of the time, enjoyed a productive cathere is more than one and wayexciting to achieve reer in a variety of fields, spending 11 the desired result. And if your immeyears at USA Today in the fast-paced diate reaction is to cancel the concert of force national newstojournalism, toworld try and everyone see it your working with a team of world-class way, you might be missing a better

I want). Forto allactually of you that are out tearing opportunity reach to up, have no fear. This is The Endef-of your proverbial “fans” with a more my Audit Reportand story, butoften definitely fective message; more than not The End of my ACUIA story. See not, once your audiences fully underyou on the other side! stand the issues, they probably have even better ideas about how to achieve those desired results. As the wise unwriters, editors,once illustrators andgreat phocle of Spiderman said “with tographers. power comes great responsibility.” So I I’ve how also are raised champion show ask you, you using your great collies, worked in various capacities power? Are you flexing those muscles a large, high-end cateringtheir firm tofor force your opinions to become and, once upon a time, was a ballopinions? Are you making your audiroom dancean instructor…but perhaps tees perform extra 10 steps because those are stories for another edition. that’s how you feel it must be done? I had of your the most wonderful Or are youone using superior intelexperiences recently when I traveled lect and experience for good? That San attend is,toare youAntonio teachingto[about theACUIA’s risks], 27th Annual I met and a lot sharing [ideasConference. and knowledge], continued on page 4 listening? n

2017 2016 Board BOARD of OF Directors DIRECTORSabitha Ernst-Chadwick, CIA,EXECUTIVE CFE, LRP, CBSAO, ACUIA OFFICE, CBSAO, CUCE, NCCO, CISA

Chair ChairGallagher, CUERME John John Gallagher, CUERME SEFCU SEFCU (518)-464-5245 (518) 464-5245 jgallagh@sefcu.com Term 2016–2019 jgallagh@sefcu.com Term 2014 –2016 Vice Chair Vice ChairChamberlain, Margaret Margaret Chamberlain, CUERME CUERME State CU Arizona Arizona State CU (602) 452-4960 (602) 452-4960 Margaret.chamberlain@ azstcu.org Margaret.chamberlain@ Term 2017–2020 azstcu.org Term 2015–2017 Treasurer Treasurer Barry Lucas, CPA, CIA, Barry Lucas, CPA, CIA, CFSE CFSE Desco FCU FCU Desco (740) 354-7791 (ext. 3334) barryl@descofcu.org barryl@descofcu.org. Term 2017–2020 2015–2017 Secretary Secretary Dean Swenson, Swenson, CPA Dean CPA Wings Financial Financial FCU FCU Wings (952) 997-8131 dwsenson2@ dswenson2@ wingsfinancial.com Term 2015–2018

Director Director Bobby Nichols Bobby Nichols CU State Employees (919) State 839-5338 Employees CU bobby.nichols@ (919) 839-5338 ncsecu.org bobby.nichols@ncsecu.org Term 2015–2018 Term 2015–2018 Director Director JillMeznarich Meznarich Jill Schools SchoolsFirst FirstFCU FCU (714) 466-8676 (714) 466-8676 jmeznarich@ jmeznarich@ schoolsfirstfcu.org schoolsfirstfcu.org Term 2015–2018 Term 2015 - 2018 Director Director DougWright, Wright,CPA, CPA, CFE, Doug CFE, CUCE BSACS CUCE, BaxterCU CU Baxter (847) (847)932-8765 932-8765 doug.wright@bcu.org doug.wright@bcu.org Term 2016–2019 Term 2015–2016 Associate Director Kimberly Wiersema, CIA kawiersema@hotmail.com

CUCE, NCCO, CISA

ACUIA Executive Office 1727 King Street Suite 300 Alexandria, VA 22314

(703) 688-2284 acuia@acuia.org

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.” Follow us on:

MOSSADAMS.COM/FI

INNOVATION RISES IN THE WEST

Out here, the sun rises on endless possibility. Backed by decades of experience serving credit unions, our professionals are committed to helping you grow your business with industrysmart assurance, tax, and consulting services. We invite you to discover how Moss Adams is helping financial institutions thrive.

RISE WITH THE WEST.

Assurance, tax, and consulting offered through Moss Adams LLP. Wealth management offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.

SAN DIEGO, CA

6:37 AM PDT

AS SUR A NCE INTERN A L AUDIT REGUL ATORY COMPLI A NCE IT CONSULTING CREDIT RE V IE W SERV ICES STR ATEGY & OPER ATIONS

{ {from } } chairman’s the editor message

Another Here’s toGreat 25 More Success Story

John Tabitha Gallagher Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

During the annual meeting portion of the conference I was fortunate enough to recognize an individual who is, and will always be, held in the highest regard.

t’s hard to believe that another annual conference has come and gone so quickly. The 27th Annual Conference was truly a special one, and one that I will remember for a long time. During the annual meeting portion of the conference I was fortunate enough to recognize an individual who is, and will always be, held in the highest of regard. Terry McEachern founded ACUIA more than 27 years ago and has remained a strong proponent of the Association ever since. Terry retired from her position at Royal Credit Union this past March and it was my honor to provide a special tribute video and commentary on what she means to ACUIA. She will definitely be missed at the annual conferences but I can wish her nothing but the utmost happiness in her retirement. She will always be a part of ACUIA.

As for the conference itself, another great success story. Fun was had by all as we continued the tradition of game show night during the Wild West Welcome Reception hosted by Todd Newton. On Wednesday we got down to business and heard from several credit union industry professionals on a variety of topics which provided thought and insight to the world in which we operate. Evening events provided another opportunity to have some fun, but even more importantly a time to network with peers and colleagues. Whether it was an evening at the Alamo, a private tour of the AT&T Center (the home of the San Antonio Spurs), a tequila dinner cruise around the infamous Riverwalk, or perhaps participating in a few sing-alongs at the local Irish pub, there were plenty of opportunities to take advantage of.

FROM THE NEW EDITOR from page 2 of talented, knowledgeable people dedicated to the world of internal audit. The energy level was pervasive; the commitment to helping others learn and succeed was impressive. What a nice, diverse group of people. I would say the credit unions’ fiscal health is in extremely capable hands. A heartfelt tribute to Tabitha for doing such an outstanding job as editor for so many years. She set a high standard for me to follow. And, she’s

always there to answer my questions. Quite simply, a doll! Grateful thanks also to our exceptional designer, Vicki Valentine. She has such a great eye, and pulls everything together beautifully (I think there must be some serious magic afoot there). Feel free to contact me with anything Audit Report-related. Your comments and suggestions are always welcome.I look forward to getting to know you in the days ahead. n

www.acuia.org | TH E AU D I T R E P O RT

So, while on the topic of the annual conference, mark your calendars now for June 19 – 22, 2018. The conference will be held in Chicago. Planning is already underway and it promises to be another terrific and worthwhile event. Another educational event to consider is attendance at the CUNA/ ACUIA Credit Union Internal Audit Certification Program. It appears that the second session for 2017 in Tempe, Arizona in September is already sold out. This will make this the third straight program sellout. As such, I would encourage anyone interested to sign up early. Another program is already scheduled for March 2018, in Dallas, TX. Keep a watch out for upcoming presentations in our webinar series. There are several more planned throughout the remaining months of 2017. Remember these webinars are offered free of charge to ACUIA members. Lastly, I will take this opportunity to thank all of the ACUIA members for their continued support of the association. If there is anything you would like to see offered, please contact our executive office or any volunteer leader. n

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Dian Scott at acuia@ acuia.org to learn more.

Recognized Leadership, Enduring Value Crowe Horwath LLP is one of the top 10 auditors of 1

credit unions with more than $100 million in assets.

Crowe demonstrates commitment to the credit union industry by continually supporting various industry-focused trade organizations, as well as providing thought leadership to the regulatory bodies that oversee the industry. To learn more about our commitment to the credit union industry, visit crowehorwath.com/cu or contact Mark Taylor at +1 630 575 4335 or mark.taylor@crowehorwath.com.

Audit / Tax / Advisory / Risk / Performance

Smart decisions. Lasting value.â&#x201E;˘

2016 Guide to Credit Union Auditors published by Callahan & Associates

In accordance with applicable professional standards, some firm services may not be available to attest clients. ÂŠ 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure

FS-18500-001A

INTERNAL FRAUD PREVENTION

CREATING THE RIGHT CULTURE MIKE MOSSEL

Many articles regarding fraud over the years have provided some key elements for an effective anti-fraud program, and have concentrated on hard controls, such as: Handling fraud investigations Reporting methodologies for fraud events Internal controls and procedures Fraud policies and guidelines However, it is even more important to concentrate on the soft controls of anti-fraud programs that deal with the overall cultural environment of a credit union. In many ways, the hard controls are much less effective without the right culture within a credit union to help combat fraud. The cornerstone of an effective anti-fraud environment is a culture with a strong value system founded on integrity. This value system often is reflected in a formal code of conduct document that all employees are expected to understand and follow. For a code of conduct to be effective, it should be communicated to all personnel in an understandable fashion, and should be developed in a participatory and positive manner that results in both management and employees taking ownership of its content. 6

www.acuia.org | TH E AU D I T R E P O RT

www.acuia.org | TH E AUD IT R EPORT

t is critical for credit unions of all sizes to create and maintain a culture of honesty and high ethics. The information presented here generally is applicable to credit unions of all sizes. However, the degree to which certain programs and controls are applied in smaller, less-complex credit unions, and the formality of their application, are likely to differ from the approach taken at larger institutions. In any case, all credit unions must make it clear that unethical or dishonest behavior will not be tolerated. Fraud negatively impacts credit unions in many ways, including financial, reputation, psychological, and social implications. There is an impact across all functional areas and departments, and most of the credit union’s business processes. Numerous studies have shown the significant dollar value lost to fraud. What is key for credit unions to understand is that most frauds are perpetrated by insiders, not by members and vendors. The full cost of fraud is not measured in dollars alone – it is also measured in terms of time, productivity and reputation, including member relationships. Depending on the severity of the loss, credit unions can be irreparably harmed, due to the financial impact of fraud activity. Therefore, it is important for credit unions to have strong cultural environments that promote positive efforts toward preventing internal fraud. The risk of fraud can be reduced through a combination of prevention, deterrence and detection. However, fraud can be difficult to detect because it often involves concealment through falsification of documents, or collusion among management, employees, or third parties. Therefore, it is important to place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to occur, and fraud deterrence, which could persuade individuals that they should not commit fraud because of the like-

www.acuia.org | TH E AU D I T R E P O RT

lihood of detection and punishment. Moreover, prevention and deterrence measures are much less costly than the time and expense required for fraud detection and investigation. A credit union’s management has both the responsibility and the means to implement measures to reduce the incidence of fraud. The measures an organization takes to prevent and deter fraud also help create a positive workplace environment that can enhance the credit union’s ability to recruit and retain high-quality employees. Research suggests that the most effective way to implement measures to reduce wrongdoing is to base them on a set of core values that are embraced by the credit union. These values provide an overarching message about the key principles guiding all employees’ actions. This provides a platform upon which a more detailed code of conduct can be constructed, giving more specific guidance about permitted and prohibited behavior, based on applicable laws and the organization’s values. Management needs to clearly state that all employees will be held accountable to act within the organization’s code of conduct.

Setting the tone at the top Research in moral development strongly suggests that honesty can best be reinforced when a proper example is set—sometimes referred to as “the tone at the top.” Directors and officers of credit unions set the tone at the top for ethical behavior within a credit union. The management of a credit union cannot act one way, and expect others in the organization to behave differently. In many cases, particularly in larger credit unions, it is necessary for management to both behave ethically, and openly communicate its expectations for ethical behavior because most employees are not in a position to observe management’s actions. Management must show

employees, through its words and actions, that dishonest or unethical behavior will not be tolerated, even if the result of such inappropriate actions benefits the credit union. Moreover, it should be evident that all employees will be treated equally, regardless of their position.

Creating a positive workplace Environment Research indicates that wrongdoing occurs less frequently when employees have positive feelings about a credit union than when they feel abused, threatened, or ignored. The lower an organization’s morale, the more likely that fraud will occur. Factors that detract from a positive work environment and may increase the risk of fraud include: ■■ Top management that does not seem to care about or reward appropriate behavior ■■ Negative feedback and lack of recognition for job performance ■■ Perceived inequities in the credit union ■■ Autocratic rather than participative management ■■ Low organizational loyalty or feelings of ownership ■■ Unreasonable budget expectations, or other financial targets ■■ Fear of being punished for delivering bad news to supervisors and/ or management ■■ Less-than-competitive compensation ■■ Poor training and promotion opportunities ■■ Lack of clear organizational responsibilities ■■ Poor communication practices A credit union’s human resources department is instrumental in helping to build a corporate culture and a positive work environment. Human resource professionals are responsible for implementing specific programs and initiatives that can help to eliminate many of the negative work-

place practices mentioned above, and that support management’s strategies. Factors that help create a positive work environment and reduce the risk of fraud may include: ■■ Recognition and reward systems that are in tandem with goals and results ■■ Equal employment opportunities ■■ Team-oriented, collaborative decision-making policies ■■ Professionally administered compensation programs ■■ Professionally administered training programs that focus on career development and/or promotion to a position of trust ■■ Thoroughly checking a candidate’s education, employment history and personal references ■■ Periodic training of all employees about the credit union’s values and code of conduct. Most internal frauds at credit unions are committed by long-term employees because they have the experience, knowledge, responsibilities, access, and trust to commit fraud. Therefore, it is vital to reinforce values and ethics throughout every employee’s career. ■■ Incorporating an evaluation of how each individual has contributed to creating an appropriate workplace environment in line with the credit union’s values and code of conduct into regular performance reviews ■■ Continuous objective evaluation of compliance with the credit union’s values and code of conduct, with violations being addressed immediately

Training New employees should be trained at the time of hiring about the credit union’s values and its code of conduct. This training should explicitly cover expectations of all employees regarding (1) their duty to communicate certain matters; (2) a list of the types of issues, including actual or

suspected fraud, to be communicated along with specific examples; and (3) information on how to communicate those matters. There also should be an affirmation from senior management regarding employee expectations and communication responsibilities. Such training should include an element of fraud awareness, the tone of which should be positive but nonetheless stress that fraud can be costly (and detrimental in other ways) to the credit union and its employees. In addition to training at the time of hiring, all employees should receive regular and consistent refresher training. Some credit unions may consider ongoing training for certain positions, such as purchasing agents or employees with financial reporting responsibilities. Training should be specific to an employee’s level within the organization, geographic location and assigned responsibilities. For example, training for senior manager level personnel would normally be different from that of nonsupervisory employees, and training for purchasing agents would be different from that of sales representatives.

able to act within the credit union’s code of conduct. All employees should be required to sign a code of conduct statement annually, at a minimum. Requiring periodic confirmation by employees of their responsibilities will not only reinforce the policy but may also deter individuals from committing fraud and other violations. It might also identify problems before

Research suggests that the most effective way to implement measures to reduce wrongdoing is to base them on a set of core values that are embraced by the credit union.

Confirmation/acknowledgment Management needs to clearly articulate that all employees will be held account

they become significant. Such confirmation may include statements that the individual understands the credit union’s expectations, has complied with the code of conduct, and is not aware of any violations of the code of conduct other than those the individual lists in his or her response. Although people with low integrity may not hesitate to sign a false confirmawww.acuia.org | TH E AUD IT R EPORT

tion, most people will want to avoid making a false statement in writing. Honest individuals are more likely to return their confirmations and to disclose what they know (including any conflicts of interest or other personal exceptions to the code of conduct). Thorough follow-up by internal supervisors or others regarding non-replies may uncover significant issues.

Active oversight by the supervisory committee can help to reinforce management’s commitment to creating a culture with zero tolerance for fraud.

Supervisory Committee and Board of Cirectors The supervisory committee (in concert with the board of directors) should evaluate management’s identification of fraud risks, implementation of anti-fraud measures, and creation of the appropriate tone at the top. Active oversight by the supervisory committee can help to rein10

www.acuia.org | TH E AU D I T R E P O RT

force management’s commitment to creating a culture with zero tolerance for fraud. A credit union’s supervisory committee also should ensure that senior management implements appropriate fraud deterrence and prevention measures to better protect members, employees and other stakeholders. The supervisory committee’s evaluation and oversight not only helps make sure that senior management fulfills its responsibility, but also can serve as a deterrent to members of senior management engaging in fraudulent activity themselves. This is achieved by creating an environment whereby any attempt by senior management to involve employees in committing or concealing fraud would lead promptly to reports from such employees to appropriate persons, including the supervisory committee. As part of its oversight responsibilities, the supervisory committee should encourage management to provide a mechanism for employees to report concerns about unethical behavior, actual or suspected fraud, or violations of the credit union’s code of conduct or ethics policy. The committee should then receive periodic reports describing the nature, status and eventual disposition of any fraud or unethical conduct. A summary of the

activity, follow-up and disposition also should be provided to the full Board of Directors. If senior management is involved in fraud, the next layer of management may be the most likely to be aware of it. As a result, the supervisory committee (and other directors) should consider establishing an open line of communication with members of management one or two levels below senior management to assist in identifying fraud at the highest levels, or to help in investigating any fraudulent activity that might occur. The supervisory committee typically has the ability and authority to investigate any alleged or suspected wrongdoing brought to its attention. Most supervisory committees’ charters empower them to investigate any matters within the scope of their responsibilities, and to retain legal, accounting, and other professional advisers as needed to assist in their investigations.

Conclusion Everyone affiliated with a credit union has a certain level of responsibility to prevent and/or deter fraud, whether it is internal or external. The cultural environment has a huge impact on the success of any fraud program. Developing and maintaining the right cultural environment and attitude throughout the credit union will go a long way toward preventing fraud, or at least reducing the likelihood of it occurring at your credit union. n About the Author Mike Mossel, along with Mike Sacher, are co-managing directors of Protect My Credit Union.com, LLC (PMYCU.com), a cost-effective internet-based whistleblower and ethics reporting hotline designed specifically for credit union employees to report suspected fraudulent activity, policy violations and other ethicsrelated matters. You can contact Mike at mmossel@pmycu.com or at 818.807.8067.

ASSET-LIABILITY

MANAGEMENT Itâ&#x20AC;&#x2122;s definitely a group effort. ALISON HERRICK, CPA

www.acuia.org | T H E AU D I T R E P O RT

hough informal and much less complicated in the past, asset-liability management (ALM) has been a consideration since the very first

credit union transaction. Through various economic trials and tribulations, ALM has evolved into a more formal process to help credit unions be more proactive than reactive in dealing with interest rate and liquidity risks. Although ALM has been a major piece of credit union oversight and regulatory scrutiny, we continue to see weaknesses in ALM programs. Here are some factors to incorporate into your ALM internal audit program, based on typical audit findings.

www.acuia.org | TH E AUD IT R EPORT

TO EFFECTIVELY PERFORM AN ALM AUDIT, IT IS IMPORTANT TO FIRST THE PLAYERS AND THEIR FUNCTIO OVERSIGHT Ultimately, the responsibility of credit union oversight is with the Board of Directors. This includes approving policies, strategies, and limits/thresholds. Management is tasked with developing and maintaining the ALM measurement systems. Credit unions typically assign the ALM function to the Asset/Liability Committee (ALCO) to help manage interest rates and liquidity risk. To effectively perform an ALM internal audit, it is important to first understand the players and their functions. The best way to accomplish this is to review or create an organizational chart, and identify who is responsible for ALM measurement and/or oversight. From there you should determine the following: ■■ Do the members of ALCO have the background/experience necessary to be effective members of the Committee? ■■ Is the Committee engaged or is there one person that dominates the meetings and decisions? ■■ Is there a good mix of Board members and Management on the Committee? ■■ Does the Committee understand the mission and strategies of the credit union? It is important to keep a bridge between the strategic plan and ALM oversight.

REPORTING CONSIDERATIONS To make informed decisions, the ALCO and the Board of Directors need accurate and appropriate re14

www.acuia.org | TH E AU D I T R E P O RT

ports. Internal audit should be reviewing the content of the reports for appropriateness as well as the process for generating the reports. Some items to consider regarding ALM reporting are: ■■

■■

Is the report content appropriate for the users? Is it too detailed? Not detailed enough? Does the measuring and reporting address interest rate risk? Liquidity risk? Credit risk? Is there proper segregation of duties? The risk measurer should be separate from the risk taker. What this means is that the individual(s) responsible for making ALM-type decisions should not be reporting on the results of those decisions. Having an ALM vendor helps segregate the reporting function; however, the data input to the ALM vendor should be conducted independently from the decision-making function. Are policy guidelines and limits incorporated into the reports? Consider using a dashboard report to give to the ALCO and the Board of Directors to communicate the credit union’s policy limits compared to actual amounts. Report and document responses to policy limit/threshold exceptions to the ALCO and Board of Directors. Include large depositors and unused lines of credit on the dashboard report to help monitor liquidity risk. These are typically excluded from ALM vendor reports.

ASSUMPTIONS Without the right assumptions, ALM modeling is ineffective, so it is very important for the ALCO to understand the assumptions. When auditing the credit union’s oversight of assumptions, the following should be considered: ■■ Is training provided to all ALCO members? Is training considered for the Board of Directors as well? Internal audit should review the training documentation for appropriate coverage of assumptions, what they mean, and how they are determined. ■■ Is a sensitivity analysis of the assumptions conducted regularly? How did the ALCO respond to the results? ■■ Is back-testing conducted regularly to help determine if the assumptions used were reasonable based on actual results? How did the ALCO respond to these results? ■■ Review the ALM vendor’s assumption methodology for exclusions in the model. For example, future use of unused lines of credit – how has the ALCO responded to these exclusions?

REGULATORY REQUIREMENTS In 2013, the NCUA came out with contingency funding requirements that were effective in 2014. We continually see credit unions miss these requirements, mostly with smaller credit unions merging/growing and then exceeding the thresholds. As a

INTERNAL UNDERSTAND NS. refresher, the requirements are as follows: ■■ Assets less than $50 million – must establish and maintain basic written, Board-approved liquidity policy. ■■ Assets over $50 million – must establish and maintain a written contingency funding plan (CFP) that clearly sets out strategies for meeting emergency liquidity needs (see NCUA established minimum requirements for the CFP noted in the Letter to Credit

Unions 13-CU-10). Assets over $250 million – must establish access to at least one contingent federal liquidity source for use in times of financial emergency and distressed economic circumstances. Testing of the funding sources must also be done periodically. Asset-liability management is a mindset that should be continuously evolving, and should not be the sole responsibility of one individual. The more knowledgeable Management ■■

and the Board of Directors are in asset/liability management, the more integrated it becomes in the strategic planning and goal setting. n

About the Author Alison Herrick, CPA is a Principal at Macpage LLC and specializes in financial statement and internal auditing of credit unions. Please feel free to contact her at ajh@ macpage.com. To learn more about the services Macpage LLC provides, visit www. macpage.com.

EXCLUSIVELY SERVING THE CREDIT UNION INDUSTRY EXCLUSIVELY SERVING THE CREDIT UNION INDUSTRY SINCE 1979. SINCE 1979. Since our firm’s inception in 1979, we have been Since our firm’s inception in 1979, have union been committed to one industry, the we credit committed to one industry, theourcredit industry. That means 100% of clientsunion are industry. unions That means our clients are credit or 100% credit of union service credit unions or credit union service organizations. Our commitment to one industry organizations. Our commitment one industry allows for an efficient audit withtohighly trained allows for efficient audit with highly trained auditors thatanknow your business. auditors that know your business.

Learn why Nearman, Maynard, Vallez, CPAs is Learn Maynard, CPAs is ranked why as a Nearman, leading CPA auditing Vallez, firm by Callahan ranked as a leading CPA us auditing Callahan & Associates. Contact todayfirm for by a free pro& Associates. Contact us today for a free proposal. posal.

AUDITING COMPLIANCE MANAGEMENT

THE

BIG THREE

Regulatory compliance has long been a key area for credit unions, and for those of us who perform their internal audits. While we constantly have to refresh our individual compliance audit programs because of regulatory changes, in March of this year the regulatory agencies, including the NCUA, began to place an increased premium on overall Compliance Management. SAM CAPUANO, CBA, CRP

CUA Letter to Credit Unions 17-CU-02 referenced the simultaneously issued Supervisory Letter 17-01, both addressing the overall evaluation of compliance risk. SL 17-01, which included an

Updated Compliance Risk Indicators Appendix, along with a new Compliance Risk AIRES Questionnaire, divides compliance risk into three categories: Board & Management Oversight; Compliance Programs; and Violations of Law & Consumer Harm. Examiners will use these indicators to evaluate your credit unionâ&#x20AC;&#x2122;s Compliance Management System. So, then, how do you prepare your credit union for the next compliance exam? Even if your institution is in compliance with regulations, there could still be some work to be done when it comes to overall Management. This means itâ&#x20AC;&#x2122;s time for a detailed Compliance Management Audit. 16

www.acuia.org | TH E AU D I T R E P O RT

Board & Management Oversight

Examiners, more so than ever, want to see involvement from your board, as well as management in all areas of your credit union, including compliance. For this audit, start off by reviewing how involved they are in overseeing Compliance Management: 1. Are directors and senior management aware of their ultimate responsibility for compliance with laws and regulations? 2. Do they appear to be knowledgeable (through training, etc.) about the laws and regulations applicable to the credit union? 3. Overall, does senior management have a supportive attitude toward the regulatory compliance process? While these questions can be answered via use of a good questionnaire, it’s also good practice to have discussions with the key players. This includes the aforementioned directors and senior management, but also with the person in charge of compliance at the credit union. The key here is to determine how active a role the board and management have. The board can’t delegate their ultimate responsibility for ensuring compliance. So, while they can appoint a Compliance Officer (CO) and/or Compliance Committee to oversee the function, they must still be in charge. To audit this, determine the structure at your credit union. If a Compliance Committee is running things, is there

a board member on it? If so, check the minutes to see if that individual regularly attends the meetings. If not, ensure that the Committee minutes are included in monthly Board packets, and that compliance is regularly discussed at the Board meetings. Next, assess your credit union’s culture of compliance. Are there appropriate resources provided for compliance? These resources should include systems, capital and personnel. Much of this depends on the Compliance Officer. The Compliance Officer should have appropriate authority within the credit union. If there is a Compliance Committee, the Compliance Officer Compliance Officer should be the Chair, and be the ultimate coordinator of all things compliance. I have seen situations in which the Compliance Officer is in middle management, or not even at an officer level, and, as such, lacks the authority to properly coordinate. The result of such situations is a decentralized compliance function, which can cause things to slip through the cracks. As for that aforementioned culture of compliance, it is greatly enhanced when the Compliance Officer has appropriate authority, and an adequate training budget. This enables the Compliance Officer to properly coordinate compliance across the various teams within your credit union. Part of this coordination is staying abreast of changes in regulations, and disseminating them as appropriate. Examiners are looking for change management to be a robust, proactive process. This process includes proper due diligence in advance of affected product changes. And, on the flip side, the Compliance Officer and/or management also need to adequately respond to any compliance deficiencies. Proper corrective action and self-identification is the key here. If your credit union does have a Compliance Committee, determine: 1. How often does the Committee meet?

2. Does the Committee represent all functional areas of the credit union? 3. Are any of the Committee members senior officers of the credit union? 4. And again, are any of the Committee members also members of the Board of Directors? Review Committee minutes to determine if they adequately document the credit union’s compliance efforts, such as the change management and corrective action processes discussed above. If you do not have a Compliance Committee, determine the adequacy of the process in which the CO communicates and monitors compliance in relevant areas of the credit union.

Compliance Program

Review the Compliance Program in place at the credit union, and assess

its effectiveness. The Program can include policies, procedures, training, monitoring, complaint resolution, and compliance checklists. Determine if the Program is sufficient, given the parameters of your credit union. Written policies and procedures should be comprehensive and provide sufficient guidance to management compliance risk. Ensure the Program is current. I often see Programs which have not been updated to note the current reporting structure of the credit union, or recent regulatory changes. Also ensure that the Program is approved by the Board at least annually. Effective Compliance Programs will also have a Compliance Calendar. It should address how all applicable compliance issues, risks and regulations are being proactively monitored. Proper documentation of follow-through of calendar items is a key.

The Board can’t delegate its ultimate responsibility for ensuring compliance.

Ensure that Compliance Training Programs are included in the Compliance Program: 1. Is there annual compliance training? 2. Who receives the training? 3. Are Board and Supervisory Committee members also included in the training schedule? 4. How does your credit union monitor to ensure that all staff have received the appropriate training? Finally, has the Board appointed individuals to promptly respond to consumer complaints? Does the Compliance Officer/ Committee review the complaints to ensure timely resolution? Has appropriate corrective action been taken for submitted complaints?

Violations of Law & Consumer Harm For this third risk category, start by reviewing your credit union’s pro-

cess for reporting noted regulatory violations, and the tracking program in place to enforce the remediation of such violations: ■■ Review the reporting structure to ensure communication of compliance violations and issues to board level with stipulated institution action. ■■ Review the credit union’s process for reporting noted regulatory violations. ■■ Review the tracking program to enforce the remediation of such violations. Then take a look at the cause of the violation. Was it a weakness in the Compliance Management system? If so, ensure the weakness was properly addressed. Also determine the severity of the violation. Document any material supervisory concerns and/or consumer impact. Audit steps here also include determination of the time period of the violation, whether or not it was isolated, and noting any resulting supervisory concerns. While the updated Risk Indicators don’t create anything new from a regulatory standpoint, it’s worth noting that the recent Supervisory Letter and updated Compliance Risk AIRES checklist very likely signal an increased supervisory focus at your next NCUA exam. A solid Compliance Management Audit can be an effective way to have your credit union ready when it does. n

About the Author Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont Offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started their IA function there in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.

Macpage believes in developing relationships, earning trust, addressing complex issues and making a diﬀerence. We enjoy the people we serve, and care about the work we do providing integrated accounting, consulting, ﬁnancial statement, IT, internal and compliance auditing services for credit unions throughout the Northeast.

For more information www.macpage.com/creditunions

Accounting Consulting Tax Artwork: Emily Barrera, “Continuum”

www.acuia.org | TH E AUD IT R EPORT

TERRY McEACHERN Founder, Rock Star, Colleague, Leader, Friend

AMY SCHAEFER

y now, you should have read the history page on the ACUIA website where Terry McEachern, ACUIA’s founder and first President, recounts the story of the beginnings of the Association. For those who have not, here is the 30,000 foot overview:

n In 1988, Terry asked Royal Credit Union’s CEO and Board for their permission to establish our amazing organization. ■■ She started by reaching out to other credit unions in Wisconsin and Minnesota. Eight credit union auditors met in Eau Claire, Wisconsin for their first official meeting and officer election. ■■ In 1991, ACUIA held its first annual meeting in Bloomington, Minnesota with 75 auditors in attendance! (Bloomington is best known these days as the home of the Mall of America.) ACUIA was established, and continues to support, the core credit union philosophy of “People Helping People” – This makes our organization special and I cannot imagine what all of us would do without all of our ACUIA friends to reach out to for assistance and advice.

www.acuia.org | |T H TH E EAU AU DD I I T R E P O RT

Terry hired me as a naive 23 year-old right out of college with an accounting degree. Frankly, I had very little idea of what an internal auditor did on a daily basis, since our audit classes in school focused primarily on external auditing. I had been a Member of Royal Credit Union for years, but didn’t have the knowledge of what sets credit unions apart from other financial institutions. But, I must have faked it well enough during the interview that Terry took a chance on me. At no point during the interview or hiring process did I know that I would be working for a credit union audit Rock Star. I remember Terry giving me a stack of ACUIA magazines to read in my office during my first few weeks of employment. After I started to read the magazines and checked out the ACUIA website to learn more about the organization, I ran into her office and said something like “Wow! You started ACUIA?” For those of you who know Terry well, she is quite modest and doesn’t care for the limelight. The second ACUIA annual conference I attended was in 2004 in Las Vegas. I recall sitting in the back of a room waiting for a session called “Introduction to Auditing” to begin. A friendly gentleman with a southern accent sat beside me and introduced himself. It was quite some time ago, but I am sure our introduction went something like this: “Welcome. I’m Randy Partin from State Employees Credit Union in Raleigh, North Carolina and will be teaching this session. Where are you from?” Me: “Nice to meet you, I’m Amy Canfield from Royal Credit Union in Wisconsin. I work for Terry McEachern.” Randy: “Why would you need to attend my session when you work for the famous Terry McEachern?” Over the years I have heard more sentiments of respect than I could possibly capture in this article from members of our group and vendor sponsors for their colleague, Terry McEachern. Terry is a fierce leader. If a line needs to be drawn in the sand, she will stand up for what is right. She is very passionate about continuous learning and investing in yourself to develop your skills and knowledge. In her 30 years at Royal Credit Union, she never sat back and had an “I know everything I need to know” attitude. Her last day at Royal Credit Union was March 31st. Those of you who attended the conference this past June saw that she still attended a few sessions. That’s just the way she is… always having a thirst to learn something new. I recently asked Terry what ACUIA has meant to her over the years. This is what she had to say about the annual conferences:

“Every year I would sit in the classes, or listen to other auditors and think, ‘Wow, they are really doing some great things. I think we should try that.’ I would come back to Royal rejuvenated, enthusiastic about auditing and once again reminded that auditors do make meaningful contributions in our credit unions.” She also noted how proud she is of ACUIA’s strategic direction, including the new auditor certification, which will increase audit awareness and provide a better understanding to the credit union industry of the job we do. When Tabitha asked me to write this article she asked if I could give our readers some information on who is “The Person behind the Auditor.” So, I reached out to one of her sons to provide a little insight for all of us: “Growing up, as a child, I always knew my mom was very active with the ACUIA, but I didn’t actually know she was the founder and first president until I was much, much older. She was, and still is, very humble, even though she has accomplished so much in her career. I have always looked up to her both personally and professionally as a role model. Outside of internal auditing, my mother enjoys spending quality time with her family, specifically her three granddaughters Terese, Chloe, and Charlotte. She also thoroughly enjoys cooking both traditional and exotic meals, boating with friends on Lake Wissota, and vacationing in Mexico. Now that she is officially retired she can, and rightly deserves to, spend more time with her other passions in her life besides RCU and the ACUIA.” – Mathew McEachern, son of Terry McEachern Terry made it clear over the years that family always comes first. Whether it was taking time to care for sick loved ones, or attending her sons’ or granddaughters’ activities, she was always there for them. This was an important life lesson for all of us, to not only hear, but to see what supported our credit union’s core values, long before they were officially established. Before Terry retired, she took a 3-week vacation to sunny Mexico in March. Why on earth she wanted to come back to work for one week after sitting on a beach that long is still a mystery to me. As a thank you for all Terry has done for ACUIA and for me over the years, I wanted to put together a keepsake for her of various ACUIA memories and well-wishes from her ACUIA friends. I received pictures and sentiments, added a thoughtful letter John Gallagher had written our credit union’s Board of Directors, thanking her for her years of service, and stole a few items from a box of ACUIA memorabilia she had collected over the years to put together a scrapbook for her. Please enjoy some of the highlights I collected for this tribute to this very special lady.

www.acuia.org | TH E AUD IT R EPORT

“Terry has served as both a mentor and friend to many of us at ACUIA over the years, and we cannot thank her enough for all that she has done for our profession.” – John Gallagher, SEFCU & ACUIA Chairman

amazing “You started an ad a ACUIA. It has h in n io at iz n ga or k on both our wor profound impact we s. Through you and personal live s derful friendship have gained won e er rewards. W and so many oth good times, remember lots of you tours! Wishing especially ghost res in the years fun and adventu miss you!” ahead. We will U di Rinkel, WSEC - Jill Chase & Hei

“Terry: It was always fun hanging out with you at ACUIA conferences. Whether we were walking along the Riverwalk in San Antonio, or touring Baltimore, or visiting the vineyards outside of San Francisco, it was always fun. I also remember signing up for the gangster tour in Minneapolis, at the last minute, thanks to you asking me to come along. That was a fun adventure as well. Thank you for your friendship over these many years. I will miss seeing you.” – Linda Goff, Enrichment Federal CU

gave e h s reer e to emu la c IA on ea ACU be, some rt!). I r ye y m o to in sh se arly to aspire e to fall y mind’ e y r ve em ne me inu omeo h I cont the imag it into so d s e m g a e 23 (thou ould tak ransform ve now h and y e l t b a l ’ a c t I I d ry rob e wish Terry an n though now Ter ins: IA, p onferenc n y l U e a k C to A y first c had bee ds of gible. Ev ly get to age rem ole l o w e h n . im ,R al an nt d.M kI ing t ars to re that first , Pioneer an; it’s bran the time on’t thin that poi h s t a e s r m e , y “I w old at ue. I d eting at rry wa any a friend - Found zing Wo e that s m q e e r r t T a e m a a e r u o l h n e y m t t q ap a all h cEacher nright A lowing c Albu a region xposure eting at s c s a e f e M w a o erry and Dow n with a sed t emorable usiness m hy she w T o p x e .” ico el, ber w ual b r the irst m Mod foot tall ant light k, My f g the ann n’t remem ward, fo being i 10- a brill dwic a r n a a I a e i c n r h h d a I s u C r n e . r d t tembe IA, a t rence er, fo Erns al CU radia a h t confe and-cent But I rem r of ACU e room a i Tab ne Feder e . th t t d – n a n d n o o i h i n u r n o f Mar , or w as the F ked arou credit u ittle d r a st bo loo tl d unce l awe. I the bigge my shor ing o n n a tota eople – d in an stand le e n i d n s e sib om wa those p I’d att his w as respon sence f t t o a t l h l a t a re ho w rence ooked he p confe – then l e room w was in t advice r d th I r caree front of ddenly help an trails fo u n e e, s in th ll, and I’ve gotte e ACUIA uch mor a h m for it lebrity… blazed t mething e o o c of a thers wh ave me s o g y rrRT from www.acuia.org | TH E AU D I T uRtETPeO B . me

“Royal’s Board of Directors and Audit Committee have often said they sleep better at night for having our internal auditors on staff. For nearly half of the past 30 years, it was Terry providing all of us greater peace of mind by working diligently to ensure internal controls were in place and operating as intended, to prevent and detect fraud and other problems, that members assets were being safeguarded, and that credit union policies and procedures were being followed! Just as dual control protects us all, so have Terry’s efforts! Terry is incredible! Her commitment to Royal and to living our core values has been exemplary! She is a role model for her colleagues and to the auditing profession. Terry continued to develop new and creative solutions for the credit union, right up to the day she retired. ” ‑ Jennifer McDonough, Royal CU Board Member and Audit Committee Chair

the profession, “Terry’s dedication to or ts to make Royal CU , and her effcommittee grow the audit team and ings that I think professionally, are th make her stand out.” al CU Audit – Ray Hughes, Roy Committee Member

About the Author This tribute to Terry McEachern was created by Amy Schaefer, CIA at Royal Credit Union in Eau Claire, WI. She obtained her accounting degree from the University of Wisconsin, and is a Director Emeritus for ACUIA.

www.acuia.org | TH E AUD IT R EPORT

THE DAWN OF A NEW CREDIT SCORE We’re more than just a number. BROK LAHRMAN, CPA

owever, as a consumer in need of financing or even a job, our personal credit report and FICO score tell quite a story. For many financial institutions, the applicant’s credit score is a key factor in the underwriting and pricing of consumer and mortgage loans. Beginning this summer, financial institutions will start to see changes in both the items included in the credit report and credit scores. This change results from a settlement with the three major credit reporting bureaus—TransUnion, Experian and Equifax—regarding allegations of inaccurate credit reporting. A couple of primary areas of concern were tax liens and civil judgments on a consumer’s record. In many instances, tax liens and civil judgments don’t include all perti-

nent record data (consumer’s name, address, Social Security number and date of birth); therefore, these items can’t easily be verified by the entity using the report. Another issue with tax liens and civil judgments is that information related to these judgments weren’t always updated in a timely manner on credit reports. For instance, a tax lien could have been paid by a consumer but the payment wasn’t up-to-date on the person’s credit report due to a delay in the creditor’s reporting. An initial Consumer Data Industry Association estimate, which represents the three major credit reporting bureaus, stated that approximately 12 million people will see these credit blemishes removed as a result of impending change.

The credit reporting change has caused some financial institutions to use other scores and methods in the underwriting process. For example, VantageScore Solutions, a competitor of FICO, announced the release of its VantageScore 4.0 model in the first quarter of 2017. This updated consumer credit score model will emphasize medical collections and other negative public records less, place an increased emphasis on trended data and use machine learning to create higher scores for consumers with limited credit history. By looking at data through a period of time--as opposed to a static snapshot of the date the credit report was pulled--it’s believed that trended data will be a better predictor of payment performance and overall credit capacity. A trended data analysis example is looking at the payment performance on revolving debt for a mortgage loan applicant. Research would suggest that applicants who pay off their credit card in full each month are three to five times more likely to meet mortgage payment obligations. While credit reports likely will remain a staple of the underwriting process, financial institutions should evaluate their underwriting criteria and pricing to help ensure adequate consideration has been given to the possible uptick in the credit scores of future applicants. For more information, contact your BKD advisor. n Article reprinted with permission from BKD, LLP, bkd.com. All rights reserved.

About the Author As a member of BKD National Financial Services Group, Brok has served as the in-charge accountant for a number of audits performed for financial institutions in northeast Indiana and northwest Ohio. In addition, he has helped staff many other audit and attest engagements for financial service institutions.

TeamMate+ The future is here

TeamMate+ is a fully configurable, web-based internal audit platform that seamlessly consolidates and reports issues and risks for management action.

Learn more at TeamMateSolutions.com/Plus Copyright ÂŠ 2017 Wolters Kluwer Financial Services, Inc. 10153

CONFERENCE ROUND-UP 2017

REMEMBER THE ALAMO!

ith San Antonio in the rear-view mirror, we look back fondly on ACUIA’s 27th Annual Conference and One-Day Seminar. Set against the historic backdrop of the Alamo, this year’s conference called the stunning Grand Hyatt Riverwalk home for four days of learning and networking, with ample time for fun in between. With a wealth of sessions ranging from Auditing to ERM, and Compliance to COSO, this year’s conference featured several nationally-recognized and respected industry experts. They shared the latest insights and updates on audit, risk and compliance best practices, regulations and key hot topic subjects.

Everything kicked-off Tuesday morning with the ACUIA traditional OneDay Seminar sessions…with a twist. For the second year, these deep-dive sessions were split into two half-day seminars to offer more topic choices for attendees. This also allowed them to ‘double-down’ on session topics for the day. As Enterprise Risk Management (ERM) continues to be an increasingly important and integral part of internal audit, ACUIA kept pace with a number of sessions on ERM, including an ERM Fundamentals 101 and 202 course, Legal & Compliance Considerations for ERM, and a well-received session on Integrating ERM into the Audit Plan. With day one done, it was time for some serious fun…the ACUIA way! The Wild West Welcome Reception picked-up the pace, and brought a smile to everyone’s faces, with Emmy Award® winning host Todd Newton returning to the stage for our third installment of ACUIA Feud. Todd’s hilarious hosting kept laughter rolling, along with the libations and wide array of southwestern fare served throughout the evening. Teams squared off in the fast-paced rounds, with a fervor and focus that reached new heights of levity. The star of the evening, with her quick answers at clutch moments, was Amy Schaefer, who helped propel her team to ultimate victory.

s day two got underway, ACUIA officially convened the 27th Annual Conference with a welcome, and introduction for current board Chairman John Gallagher. The opening keynote session by nationally-acclaimed speaker Tim Harrington posed the question: when it comes to disruption in banking, who will be your Uber? Tim’s insightful presentation delved into the ever-evolving and rapidly-changing business environment in which credit unions operate, and the increasingly disruptive role digital technology plays in the world of financial services. 26

www.acuia.org | TH E AU D I T R E P O RT

With a continued focus on risk management, ERM expert Tony Ferris explored best practices of what is quite possibly a credit union’s biggest weakness – establishment of a risk culture and development of a risk appetite program. His engaging session helped give a better sense of the high-wire balancing act of managing between safety and soundness, while giving license to seek new opportunities. Continuing along the theme of rapidly-changing business environments, Partners Colorado CU President & CEO and cannabis banking pioneer Sundie Seefried opened our eyes to a new financial services reality of serving the exploding cannabis business. Now legal in 28 states and counting, Sundie has helped lead the way to serving this burgeoning business opportunity in a responsible and fully compliant manner that mitigates associated risks. The morning wouldn’t be complete without a session on marketing! In this session that was certainly true, as marketing and branding expert Paul Lucas made the case as to why marketing matters to auditors. His colorful experiences, combined with pragmatic marketing principles, brought the two functions together. This year’s annual meeting and awards luncheon produced many memorable moments. Board Chairman John Gallagher gave a very touching tribute to ACUIA’s recently retired founder, Terry McEachern. A few tears flowed and smiles of pride abounded throughout the room as John recognized the lady to whom ACUIA owes our very existence today. When it comes to leaving a legacy, Terry’s is larger than life, and one that will live on for years to come, as ACUIA continues to grow and increase its reach within the audit and risk management professions. Not to be forgotten amidst Terry’s tributes, we presented the award for the 2016 Auditor of the Year. This year’s honors go to Region 1 Director from IQ Credit Union, Julie Wilson. Julie, a long-time member of ACUIA

and tireless advocate, has helped to build and support membership throughout the Northwest, and she demonstrates many of the best practices in her profession each day. The afternoon flew by with eight breakout session selections for attendees to choose from to further their conference educational goals. With the adjournment of day two’s sessions, the evening heated up (literally and figuratively) with two memorable events. Over 100 people marched just a few blocks from the hotel for a historic evening and dinner at the Alamo. Yes, ‘the’ Alamo. Visiting and dining at this historic and much-loved landmark was an unforgettable experience. Just across town, another group of attendees was having a modern-day moment visiting the AT&T center, home of the five-time NBA world champion San Antonio Spurs. It’s not very often one gains entry to the team’s locker room, gets up close and personal with the five, yes, count them, five championship trophies – and meets Charlie Amato, one of the team’s illustrious owners. Attendees almost didn’t need the bus to carry them on to a delicious dinner at famed Chef Johnny Hernandez’s local eatery La Gloria. Time is flying by as the sun rises on day three, and the sessions quickly start heating up. Frank Diekmann, Co-Operator in Chief at CUToday, got everyone thinking 17.5 thoughts with his witty, insightful and unique look at opportunities and issues credit unions are facing today. The room really came alive when Mark Sievewright, voted one of the most influential people in credit unions over the past 25 years, took the stage. His dynamic presentation took a candid and innovative look at how our mobile-centric marketplace requires innovative new approaches to member engagement. The morning closed out with Steve Otto, from the Federal Home Loan Bank of Dallas, highlighting tools and resources to manage liquidity and funding risks.

The afternoon break-out sessions once again flew by, leading to the much-anticipated evening event, the Tequila dinner cruise. Over seventy very eager participants boarded three river barges for an evening of dining… and drinking. With San Antonio’s famed Riverwalk as the backdrop, guests sampled endless tequilas, and dined on a decadent array of traditional southwestern dishes. We’re pleased to confirm no reports of man or woman overboard as the barges docked back at the hotel. Although, there were lots of giddy smiles… Before everyone realized it, day four arrived to usher in ‘The Closer’, one of the conference’s all-time highest-rated speakers. Catherine Bruder, of Doeren Mayhew, bounded on stage to wrap up the week with an exciting and thoughtful presentation on Ten Key IT Considerations for Internal Audit. Her upbeat engaging style and boundless energy brings even the most technical topics alive. After a mid-day adjournment, many attendees re-convened Friday afternoon for a candid hot-topic discussion roundtable session, by region, moderated by the respective regional director. By all accounts, the exchange was valuable and informative. So, there you have it! After four fabulous days in San Antonio, ACUIA’s 27th Annual Conference is in the record books. We thank all those who participated, supported and helped host our event. Many thanks for the Texas-size hospitality. Stay tuned for details as ACUIA heads to the Windy City of Chicago on June 19-22, 2018. Our thoughts and prayers are with the brave people of Texas and the Gulf Coast who are enduring the devastation of the hurricanes. n SEND US YOUR PHOTOS!

Send favorites from the conference at least 1000px wide and we’ll consider them for the next issue. Send to dilanto166@gmail.com.

www.acuia.org | TH E AUD IT R EPORT

{ from the editor }

{Here’s the standards to 25 More}

Pat Richey, Retired credit union internal auditor Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

Internal Audit Charter The first Standard establishes our mission.

he 1st standard (1000) of the Standards for the Professional Practice of Internal Auditing (Standards) is titled Purpose, Authority and Responsibility, but it is really about the internal audit charter. Standard 1000 says the purpose, authority and responsibility of the

internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (IPPF). The IPPF includes the Core Principles for the Professional Practice of

Purpose,

Authority and

Responsibility 

Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing. The Chief Audit Executive (CAE) must periodically review the internal audit charter and present it to senior management and the Board for approval. In summary, the internal audit activity MUST have an internal audit charter. Collinsdictionary.com defines a charter as a formal document describing the rights, aims, or principles of an organization or a group of people. An internal audit charter describes the purpose, authority and responsibility of internal audit. The charter gives internal audit and the credit union direction by defining internal audit’s mission, its role in the credit union, and the overall scope (breadth) of internal audit’s activities. The charter describes the CAE’s functional reporting relationship with the Board of Directors. Although the Standard has not changed in the last 8 years, the Implementation Guidance (IG) 1000 is much more robust than previous guidance. IG1000 says the charter is a critical document; I think of it as a powerful document. Not that it gives internal audit “power” but that it unquestionably defines internal audit’s role in the credit union.

Creation IG 1000 states that the CAE must first understand all the mandatory elements of the IPPF. The Institute of Internal Auditors (IIA) website has a model audit charter that can be used as a template. It can be accessed at https://na.theiia.org/standards-guidance/PublicDocuments/ ModelInternalAuditActivityCharter. pdf.1 It is 3 ½ pages long and includes 1 The IIA website also has a model audit committee charter.

www.acuia.org | T H E AU D I T R E P O RT

sections Introduction, Role, Professionalism, Authority, Organization, Independence and Objectivity, Responsibility, Internal Audit Plan, Reporting and Monitoring, Quality Assurance and Improvement Program, and Signatures. Of course, this is just a model; the credit union can use its own format. The charter is a policy, with broad statements that are unlikely to change. The charter should not be too detailed. It is not a job description, nor procedures, nor a list of audits that will be performed. To keep the charter simple, the charter can refer to other documents such as the internal audit manual where there are more specifics. In addition to the internal audit and supervisory committee charters, my credit union had a “Memo of Agreement Between Supervisory Committee and Credit Union Management” which detailed how audits would be conducted and management’s responsibility related to audits, and was signed by the CEO and the Supervisory Committee Chair.

Approval Although Standard 1000 states that the CAE must present the internal audit charter to senior management and the Board for approval, the Standard’s interpretation states that final approval resides with the Board. The Standards glossary defines Board as the highest level governing body charged with the responsibility to direct and/or oversee the credit union’s activities and hold management accountable. In credit unions, this would be the Board of Directors. The “board” in the Standards can refer to a committee to which the Board of Directors has delegated certain functions (e.g. audit committee or supervisory committee). In my

credit union, the supervisory committee was very active, and would have approved the charter before it was finally approved by the Board. In internal audit matters, the supervisory committee was more directly responsible than senior management. The CAE should present the internal audit charter to senior management for approval in that senior management and internal audit must agree upon the purpose, authority, and responsibility of the credit union’s internal audit activity. The CAE cannot take the charter to the Board for approval without management’s buy-in. The CAE and senior management should discuss internal audit’s objectives, the stakeholders expectations for internal audit (which may differ among stakeholders), the CAE’s functional and administrative reporting lines, and internal audit’s level of authority (particularly access authority). The Board meeting minutes should document Board approval of the internal audit charter.

Authority The charter authorizes internal audit’s full access to credit union records, personnel, and fixed assets as needed for the performance of audit engagements. Any financial or operational information should be available to internal audit, and internal auditors should be able to speak to any credit union employee. Internal audit should refer to the charter when challenged about access to sensitive information. I believe that access to records means that if internal audit asks for records, credit union personnel will provide the records to internal audit. The guidance does not necessarily mean that internal audit should have direct system access to department

network files. For example, I think that internal audit does not need system access to other department or management files on the network, just as no other employee has access to internal audit’s network files. And similarly, I would not help myself to another department’s file cabinets. I would prefer that the department get me the files, because they are responsible for the files, for signing out the files, and knowing the whereabouts of their files. There may be cases where internal audit should not have carte blanche access. For internal control purposes, internal audit should not be able to do transactions or file changes on member accounts nor post to the general ledger. I know of one credit union where the internal auditor had unrestricted access to member accounts and committed fraud. Can you believe it?! The most sensitive issue regarding internal audit access authority may be employee files. However, I believe most credit union internal auditors have unlimited access to employee files. That does not include employee health insurance records, which should be separate from employment files. Many times it is more convenient and more efficient for internal audit to have direct access to systems than to always have to ask other employees for information. Internal audit should run their own database queries, and have direct access to employee electronic timecards, the digital surveillance system, communication system reports, and Human Resources electronic personnel software. In most cases this would be read-only access. The IIA model charter states that the charter should include internal auditors’ accountability for safeguarding credit union assets and www.acuia.org | TH E AUD IT R EPORT

Purpose,

Authority and

Responsibility 

Standard 1000 states the CAE must periodically review the internal audit charter and present it to senior management and the Board for approval.

confidentiality. Confidentiality is an element of the internal audit Code of Ethics, so this should be a no-brainer for internal auditors. Also the model states that internal audit will have free and unrestricted access to the Board. This was always the case in my credit union, but we also experienced a Board with free and unrestricted access to internal audit. Which is a good thing, unless the Board members are asking for research or work on pet issues to the detriment of the scheduled audit plan.

Quality Assurance and Improvement Program IG1000 says this section of the charter describes the expectations for developing, maintaining, evaluating and communicating the results of a quality assurance and improvement program. The IIA model charter summarizes Standards 1300-1322 expectations for a QA&IP. Periodic Review Standard 1000 states the CAE must periodically review the internal audit charter and present it to senior management and the Board for approval. “Periodically” should be defined in the charter. IG1000 states that the CAE should ask the Board to create a standing ANNUAL agenda item to discuss, update, and approve the internal audit charter as needed. Board meeting minutes will evidence this periodic review and approval of the internal audit charter. If the charter is written broadly enough, there should not be frequent updates. However, over the years, the role and responsibilities of internal audit may change, and the charter should change with them. Assurance and Consulting Standard 1000.A1 says that the nature of assurance services provided to the credit union must be defined in the internal audit charter. Likewise, Standard 1000.C1 states that the na-

www.acuia.org | TH E AU D I T R E P O RT

ture of consulting services must be defined in the charter. The Standards Glossary defines assurance services as an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the credit union. Examples of assurance services are general ledger reconciliation audits, branch audits, Bank Secrecy Act audits, data processing security audits, and vendor management audits. On the other hand, consulting services are advisory and management service activities. In assurance auditing, internal audit determines the nature and scope of the audit. In consulting services, internal audit and management agree on the nature and scope of the services. Generally, management determines the “what” and the “how.” These services may include counseling, advising, facilitation, and training. However, internal audit should never assume management responsibility. In my credit union, we were almost 100% assurance providers. However, occasionally we would provide a consulting service. For example, our internal audit department facilitated disaster recovery simulations. Also, we conducted fraud investigations. Consulting services may be formal engagements that are performed at the request of management, and could be formalized in a consulting engagement agreement. For instance, management may request internal audit’s involvement in a merger or a system conversion. Consulting might be a little less formal such as in the event of an emergency (e.g disaster recovery after a hurricane) when internal audit might be asked to step out of its assurance role and participate on the recovery team. Informal consulting may be part of an internal auditor’s normal or routine activities such as being a committee member or doing com-

pliance research. Or consulting may be blended into an assurance audit. Most of my assurance audits had a consulting component since internal audit gets so involved in the area under audit that internal audit becomes an “expert” on the topic. This depth of knowledge that crosses functional boundaries leads internal audit to give advice on improving operations, which is consulting. However, I would consider the audit to be an overall assurance activity. There is a very excellent article by Michael Parkinson at www.financepractitioner.com “The Assurance vs. Consulting Debate: How Far Should Internal Audit Go.” The article concludes that assurance is perhaps directed at minimizing loss, and consulting at maximizing benefit, and that there should be a conscious strategy to find the right balance. Parkinson says that consulting can be an excuse for internal audit doing work that man-

agement should be doing, so the audit committee must determine the rules under which consulting is offered, and manage the amount of consulting conducted by internal audit. Standard 1000.A1 states that if the internal audit activity is providing assurances to parties outside the credit union, the nature of these assurances must be defined in the charter. If internal audit is providing assurance services to a CUSO, this should be noted in the charter.

Mandatory Guidance Standard 1010 says that the mandatory elements of the IPPF must be recognized in the internal audit charter. The IIA’s model charter includes this mandate under the Professionalism heading. The model charter says that the internal audit activity will govern itself by adherence to The IIA’s mandatory guidance (and lists the mandatory elements).

Communication Stakeholders must be aware of the internal audit—its roles and responsibilities. The CAE should not develop a charter and then file it away, never to be seen again. The charter should be in the internal audit manual and the credit union’s policy manual. We posted the charter to our credit union’s Board-only website, and on the internal audit page of our credit union’s intranet. Conclusion The charter is the cornerstone of the internal audit function. It will place expectations on internal audit, and internal audit should be held accountable for meeting those expectations. n About the Author Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.

Service So Outstanding, Others Can Only Talk About It…

twhc.com TWHC Business Journal Ad REV-062612.indd 1

6/27/12 2:14 PM

www.acuia.org | TH E AUD IT R EPORT

{ member spotlight }

{ Camacho WHY? } Lourdes Tom Schauer, Principal, CliftonLarsonAllen information security

Dian Scott

This month we’re shining the ACUIA spotlight on Lourdes Camacho – devoted mom, field hockey star, talented dancer, innovative senior internal auditor and chapter coordinator from Florida’s sunny climes.

ourdes, tell us a little about yourself? I started banking just five months after my high school graduation. Throughout the years, I’ve worked in various positions in the banking industry, evolving my skillset along the way. What do you do in your spare time (hobbies, social interests, volunteer opportunities)? I enjoy watching drama movies and comedy shows on Netflix. As a parent, I’ve been involved in my church as a youth group leader, and have actively participated in my daughter’s academic growth. I even participated as a judge in her competitions with the Future Business Leaders of America (FBLA). Currently, I hold the position as President at our Institute of Internal

Auditors local chapter. I started the ACUIA Chapter in the State of Florida. Describe your educational background. Bachelor’s Degree in Accounting and currently working towards my M.B.A at the University of Massachusetts. How long have you been involved in auditing? Since 2003 What professional certifications do you hold, and how have they enhanced your knowledge and/or career? Certified Fraud Examiner – has enhanced my knowledge on detecting fraud. Certified Credit Union Internal Auditor – has enhanced my knowl-

FUN FACTS ABOUT LOURDES At the age of 12, while growing up in New York, our field hockey team won the Youth Tri-State Award. In the 1980s, I overslept and missed the opportunaity to audition for the role of a dancer on the show “In Living Color.” I also attended one of Prince’s house parties in New York City when I was a teenager.

www.acuia.org | TH E AU D I T R E P O RT

edge on performing good audits. How did you initially become involved in auditing? I was working as a Home Equity processor while completing my college education. I was encouraged by a Senior Fraud Investigator to apply for an entry-level fraud investigator position. (Back then, the loss prevention department was combined with the internal audit department). I applied and was interviewed by the CAE. I didn’t get the entry-level Fraud Investigator position. Instead, I was hired to perform audits on mortgage loans. After a couple of months, I was trained to perform operational and financial audits. What have you found to be the most useful tools in streamlining audit processes, enhancing efficiencies, and making audit a value-added service? The most useful tool I find pertinent in the audit process is communication. Auditors communicate with all levels of management. As auditors, our goal is the safety and soundness of the credit union and our stakeholders. The field of audit has evolved, and having the “gotcha” attitude will restrict open communication from management. I use the consultative approach. Second, I research the business unit that is being audited. You want to approach the scope meeting with knowledge and good open-ended questions. Over the years you’ve been involved in auditing, how has the industry changed? I noticed the audit industry has changed, based on how we audit. Before, the audit consisted of “agreed upon procedures.” There is so much more besides looking at procedures. We can integrate audit with detecting

fraud by performing data analytics on reports we currently obtain during the audit process. Audits are no longer just looking for a signature missing on a document, but at missing data and anomalies. What are the major challenges you feel the industry faces today, and how can internal auditors overcome those challenges? Internal auditors should get involved in their local chapters, attend conferences, network with other credit union auditors, and enroll in seminars and webinars. If they are unable to attend due to limited resources, they should look for a tenured auditor for mentoring, and ask lots of questions. It’s important to network and share because industry knowledge is ever-changing and the internal audit profession will continue to evolve. What advice would you give to a new auditor just entering the field? My advice is get involved in organizations and obtain the required certification according to the career path they choose to pursue. What type of background/experience do you look for in your staff auditors to make a well-rounded department? We have staff auditors consisting of a CPA, CCUIA, and CFE + CCUIA.

you embraced, and how has that enhanced your membership? As a Chapter Coordinator in the State of Florida, I was able to recruit a volunteer to cover the Central Florida region, while looking for volunteers to cover the Northern and Southern regions of the state. Florida covers a very large area, and it can be a chal-

lenge for internal auditors to attend our meetings, so I decided to split the state into three different regions. Lourdes, thank you for sharing your very interesting background and accomplishments with ACUIA members. n

Internal and Compliance Audit • External Audit • IT Audit

How long have you been a member of ACUIA? Not sure, probably since 2003. What ACUIA membership benefits do you find most rewarding? Since I started the ACUIA Florida Chapter in 2016, what I find most rewarding is getting to know the internal auditors in the State of Florida. What volunteer opportunities have

CONNECT WITH US Tom Giglio, CIA, CFSA— Executive Vice President 315.214.7841 | tgiglio@bonadio.com Samuel Capuano, CBA, CRP—Principal 518.250.7763 | scapuano@bonadio.com

bonadio.com |

www.acuia.org | TH E AUD IT R EPORT

standards { thenews { regional } } Pat Richey, Retired

REGION

Director: Julie Wilson Director Internal Audit, iQ CU 360.992.4233 juliew@iqcu.com Region 1 has a 1-day meeting scheduled for October 13th. Columbia Credit Union will be hosting the meeting at their Operations Center in Vancouver, Washington. We are currently working on the agenda, but we promise it will be jam-packed with exciting discussions from excellent speakers. We are already busy planning our Spring 2018 meeting. Denali Credit Union in Anchorage, Alaska will be hosting a 2-day meeting, May 24th and 25th.

REGION

Director: Tara Tocco Internal Audit Manager Hughes Federal Credit Union 520-205-5744 TTocco@hughesfcu.org No news for Region 2. Contact Tara for information.

REGION

Director Tom Cosby

Vice President Internal Auditing Crane Credit Union (812) 863-7000 ext 7142 tcosby@cranecu.org The Region 3 Conference is October 18-20 at the Indiana Credit Union League office in Indianapolis, Indiana. The Illinois ACUIA chapter is having its first chapter meeting on November 3, 2017, at the Credit Union League in Naperville, Illinois.

www.acuia.org | TH E AU D I T R E P O RT

REGION

ACUIA NEEDS YOU! This Position is still open. Please contact a member of the ACUIA Board if you are interested in volunteering.

REGION

Director: Michael P. Moreau, CIA, CFE, CFSA Region 5 is in the process of forming a new chapter in the NJ/NY/PA area. Many thanks to Terrance Phillips of Affinity FCU for volunteering. Watch for emails with further details. The Region 5 meeting will be held Oct. 2-3, 2017, at Service Credit Union in Portsmouth, NH. Watch for more details.

REGION

Director: Jason Alexander, CIA, MBA, CICA Director of Internal Audit LGE Community Credit Union 770-421-2579 jasona@LGEccu.org We are excited about our upcoming Region 6 Conference. It will be magical because it will be in Orlando! Weâ&#x20AC;&#x2122;ll be staying at the Hyatt Grand Cyprus â&#x20AC;&#x201C; a popular resortstyled hotel. Register and book your room NOW while the rates are ridiculously low, like $149 a night low! Hope to see you there. The conference is September 18-20. FYI, this conference is CPE eligible. Check out the link to register and learn more. https://acuia.org/event/region-6-meeting-fall-2017. n

Audit Management Software Audit Management Software

Trusted by Companies, Governments and Individuals Worldwide, MKinsight™ is a comprehensive, highly configurable, powerful easy to use Audit Management System. Trusted by Companies, Governments andand Individuals Worldwide, MKinsight™ is a comprehensive, highly configurable, powerful and easy to use Audit Management System. From individual auditors to State Audit Institutions MKinsight™ is easy to use, straight forward toauditors implement and affordable whatever the size of your audit team.straight From individual to State Audit Institutions MKinsight™ is easy to use, forward to implement and affordable whatever the size of your audit team. Key Functionality: Key Functionality: Dashboards

Audit Planning

Audit Scheduling

Audit Management

Dashboards Libraries

Audit Planning Electronic Working Papers

Audit Scheduling Controls Management

Audit Management On-line Questionnaires

Libraries ERM

Electronic Working Papers Time and Expense Recording

Controls Management Recommendation Tracking

On-line Questionnaires Comprehensive Reporting

ERM

Time and Expense Recording

Recommendation Tracking

Comprehensive Reporting

___________________________________ ___________________________________ www.mkinsight.com www.mkinsight.com United States: +1 847 440 5515 United Kingdom +44 113 2455558 United States: +1 847 440 5515

United Kingdom +44 113 2455558

experience reach

BKD National Financial Services Group

BKD National Financial Services Group can help you effectively identify and manage operational risks. Our advisors offer tailored internal audit solutions to credit unions across the country. Experience how our insight can help you choose the right path to pursue your strategic objectives with confidence.

Chad Garber // Director 317.383.4200 // cgarber@bkd.com bkd.com

standards { the { region }} directors Pat Richey, Retired

REGION

Julie Wilson juliew@iqcu.com

REGION

Tom Cosby tcosby@cranecu.org

REGION

Tara Tocco TTocco@hughesfcu.org

Michael P. Moreau, CIA, CFE, CFSA MPM@macpage.com

REGION

VOLUNTEER NEEDED!

Jason Alexander, CIA, CICA jasona@lgeccu.org

{ chapter coordinators } Contact these volunteer leaders and get involved in local ACUIA activities. REGION 1

rtorres@CreditUnion1.org

CENTRAL CASCADES (OR/WA) CHAPTER

INDIANA CHAPTER

Terry Robbins trobbins@mapscu.com REGION 2 ARIZONA CHAPTER

Jason Garlutzo Jason.Garlutzo@azstcu.org

MINNESOTA CHAPTER

Nikki Ige Nige@kcfcu.org REGION 3

ILLINOIS CHAPTER

Rick Torres

SOUTH CAROLINA CHAPTER

David Caster dcaster@firstcommunity.com

VOLUNTEER NEEDED!

UTAH CHAPTER

HAWAII CHAPTER

ST. LOUIS CHAPTER

MICHIGAN CHAPTER

IOWA CHAPTER

Randy Manscill, CIA, CFE, CFSA rmanscill@americafirst.com

VOLUNTEER NEEDED!

REGION 5

VOLUNTEER NEEDED!

Brittany Metz brittanymetz@uiccu.org WISCONSIN CHAPTER

Karla Hodgkins khodgkin@Covantagecu.org

NEW YORK CITY CHAPTER

REGION 6 ALABAMA CHAPTER

Adrienne Breckenridge, CPA abreckenridge@ avadiancu.com GEORGIA CHAPTER

VOLUNTEER NEEDED! FLORIDA CHAPTER

REGION 4

Lourdes Camacho lourdesc@sccu.com

ARK ANSAS CHAPTER

MARYLAND CHAPTER

Patrick McCollough pmccollough@AFCU.org

www.acuia.org | TH E AU D I T R E P O RT

NORTH CAROLINA CHAPTER

VOLUNTEER NEEDED!

Ashley Shrode Ashley.Shrode@thrivent.com Kathleen Schaefer Kathleen.Schaefer@elgacu. com

CALIFORNIA CHAPTER

Tom Cosby tcosby@cranecu.org

NORTH TEX AS CHAPTER

Nikki Torres nichele.torres@towerfcu.org

Tammy Farmer tammyf@scscu.com

TENNESSEE CHAPTER

Michelle Clark, CUCU mclarck@ecu.org

{ member spotlight } { acuia select } Patrick McCullough

ns to ACUIA

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the dit union audit professionals. Executive Office at (703) 688-2284. P L AT I N U M

onsibilities and internal control objectives by providing:

eviews n CertiďŹ ed ACH Audits n Bank Secrecy Act nding Programs n Branch and Operational Audits source and Payroll Reviews n Assistance with Risk tatement Audits

GOLD

CertiďŹ ed Public Accountants & Consultants

S I LV E R

TeamMate

BRONZE

dly serving credit unions throughout the Mid-Atlantic region. mation about PBMares, visit us online at www.pbmares.com.

An Unmatched Experience

Internal Audit and Regulatory Compliance Tailoring each engagement, our Certified Internal Auditors and Certified Compliance Officers consider the credit union as a whole to execute a plan that will identify, monitor and assess risks before they threaten operations.

At Doeren Mayhew, we deliver a unique experience and a level of service that is unmatched in the industry.

Credit Risk Management Leveraging our hands-on experience, we deliver insight into the fundamentals of lending governance, administration and day-to-day operations.

IT Assurance Taking an integrated security management approach, our credentialed technology team ensures confidence in the integrity and security of IT control frameworks.

External Audit Remaining independent, while working collaboratively with credit union teams, Doeren Mayhew delivers practical solutions that improve internal controls and accounting efficiencies through accurate and timely financial reporting.

We invite you to experience what our clients do. Call us today at 888.433.4839.