Volume 26, Issue 4, 2017
The Magazine of the Association of Credit Union Internal Auditors, Inc.
SUPERVISORY COMMITTEE MEETINGS ARE THEY SERVING YOU WELL?
ROOT CAUSE ANALYSIS DIG UP YOUR PROBLEMS
THE STANDARDS LET FREEDOM RING
BREAKING DOWN THE AUDIT WHAT, WHEN, AND HOW
WEIGHING
ALL YOUR OPTIONS
An Unmatched Experience
Internal Audit and Regulatory Compliance Tailoring each engagement, our Certified Internal Auditors and Certified Compliance Officers consider the credit union as a whole to execute a plan that will identify, monitor and assess risks before they threaten operations.
At Doeren Mayhew, we deliver a unique experience and a level of service that is unmatched in the industry.
Credit Risk Management Leveraging our hands-on experience, we deliver insight into the fundamentals of lending governance, administration and day-to-day operations.
IT Assurance Taking an integrated security management approach, our credentialed technology team ensures confidence in the integrity and security of IT control frameworks.
External Audit Remaining independent, while working collaboratively with credit union teams, Doeren Mayhew delivers practical solutions that improve internal controls and accounting efficiencies through accurate and timely financial reporting.
We invite you to experience what our clients do. Call us today at 888.433.4839.
Volume 26, Issue 4, 2017
10 The Magazine of the Association of Credit Union Internal Auditors, Inc.
{ contents } F E AT U R E S
D E PA R T M E N T S
6
2 From the Editor What a Year It’s Been Dian Scott
Weighing All Your Options Risk Management Concepts and Litigation Todd Sherpy
10 Supervisory
Committee Meetings: Make the Most of Them Are those periodic get togethers serving you and your CU well? Sam Capuano, CBA, CRP
14
4 Chairman’s Message What Lies Ahead John Gallagher 20 The Standards Independence Pat Richey 24 Member Spotlight Julie Wilson 26 Regional News 27 Region Directors and Chapter Coordinators
14
Root Cause Analysis
18
Methodical internal audit procedures help dig up problems and identify solutions. Matt List, CPA
What, When, and How...to Audit
Three basic categories for breaking down this daunting project. Cynthia Austin, MBA, NCCO, CICA
20
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Dian Scott Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284
© Copyright 2017, ACUIA. All rights reserved.
{ from the editor }
What a Year It’s Been Dian Scott
H
2017 Board of Directors
appy New Year, dear hearts. 2017 has wound down here at ACUIA. And,
what a year it’s been. The ACUIA Board of Directors has announced the appointment of two new members to the Board. Newly-minted Assistant Directors to the Board, Tabitha Ernst-Chadwick and Tara Tocco are welcome additions to an already impressive list of members. Tabitha is the
{ from } theeditor editor former of this magazine, among other things, and
a delight to work with; Tara has been the Region 2 DirecHow Do You Use Your Power? tor and has impressed everyone with her dedication and
Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA energy. A warm welcome to you both.
Andrea Munoz will be filling the position of Region 2
Chair John Gallagher, CUERME SEFCU (518)-464-5245 jgallagh@sefcu.com Term 2016–2019
Director Jill Meznarich Schools First FCU (714) 466-8676 jmeznarich@ schoolsfirstfcu.org Term 2015–2018
Vice Chair Margaret Chamberlain, CUERME Arizona State CU (602) 452-4960 Margaret.chamberlain@ azstcu.org Term 2017–2020
Director Doug Wright, CPA, CFE, CUCE, BSACS Baxter CU (847) 932-8765 doug.wright@bcu.org Term 2016–2019
Treasurer Barry Lucas, CPA, CIA, previously heldfans by Tara Tocco. outside Andrea previousstate that is Director, the subject of ishing for actions of their opportunity to actually reach out to CFSE ebate and controversy control, further me to reflec- your proverbial “fans” Desco FCUwith a more efly served asdue the California Chapterleading Coordinator. (740) 354-7791 (ext. than new law. A few We superstars tion on customer service and treating fective message; and more often bid a heartfelt adieu to Terry McEachern, on the 3334) particularly offended by people right, and finally to reflection not, once your audiences fully underbarryl@descofcu.org. occasion of her well-deserved retirement. She was the ecided to flex their famous on how this could relate to internal stand the issues, probably have Termthey 2017–2020
Associate Director Tabitha Ernst-Chadwick Marine FCU (910) 355-5611 TErnst@marinefederal. org Associate Director
Founder who made theand magic She is admired each into their deep pockaudit riskhappen. management. Oh yeah even better ideas about how to achieve Tara Tocco andbold loved by her –ACUIA will nerd be sorely missed. make their own statethat’s fans, right;and in true fashion I am those desiredSecretary results. As the wise un- Hughes FCU (520) 205-5744 Dean Swenson, CPA ancelling all venues in the offices turninghave a 90s alternative cle of Spiderman once said “with great TTocco@hughesfcu.org The regional been busy allrock year concert with Wings Financial FCU state. audit and risk lesson. all power comes great So I (952) responsibility.” 997-8131 training seminarsinto andanmanagement workshops, sult? Well, I can’t say for So here is the lesson. As auditors ask you, how dwsenson2@ are you using your great well-attended. Their enthusiasm seems to be contawingsfinancial.com my guess is that the governor and risk managers, sometimes we are power? Are you flexing those muscles Term 2015–2018 gious. Membership has grown to over 700 members much sleep over a couple the ones in our organizations with to force your opinions to become their across thefrom country, dueproverbial in no small to outstanding ly charged rock bands those bigpart muscles and deep opinions? AreDirector you making your audiBobby Nichols d 90s (thoughleadership who knows? pockets. atWe the ones with the tees perform an extra 10 steps because and guidance theare executive level. State Employees CUdone? be the president of both fan power to persuade. Most of the time, that’s how you feel it must be A major highlight, of course, was the Annual Con(919) 839-5338 Facebook can be believed – there is more than one way to achieve Or are you using your superior intelbobby.nichols@ ference, this year in storied San Antonio. The dynamic an because everything on the desired result. And if your imme- lect and experience ncsecu.orgfor good? That duo of Bacino & Straubel kept everything moving at a Term 2015–2018 s obviously true – the tan- diate reaction is to cancel the concert is, are you teaching [about the risks], throughout the force week.everyone The speakers t was A LOT steady of veryclip disapto try and to seewere it your sharing [ideas and knowledge], and ns, many of whom lost– monway, youand might be missing listening? n terrific knowledgeable entertaining. All athebetter dithe ticket refunds (hotel verse mini-seminars/workshops allowed lots of time for ns, airline tickets, car rentnetworking, seeing old friends and making new ones. 2016 BOARD OF DIRECTORSabitha Ernst-Chadwick, CIA,EXECUTIVE CFE, LRP, CBSAO, ACUIA OFFICE, BSAO, is particular result is of no And then, there wasCUCE, the much-anticipated dinner folNCCO, CISA CUCE, NCCO, CISA the superstars, though, beACUIA Executive Office “The Association of Director Chair entertainment provided the wonderful by our r desire was tolowed makeby a point 1727 King Street John Gallagher, CUERME Bobby Nichols Credit Union Internal game show host Todd Newton. The seductive icians, fans befavorite damXXd. Suite 300 State Employees CU SEFCU Auditors is committed ter which side of the infariverwalk and lighted carriage rides charmed(919) us all. 839-5338 (518) 464-5245 Alexandria, VA 22314 to being the premier hroom Bill gets Ah, youryes, symbobby.nichols@ncsecu.org jgallagh@sefcu.com (703) 688-2284 this conference is one to be remembered, and quality provider of trend is a bit disconcerting Term 2015–2018 Term 2014 –2016 acuia@acuia.org with a smile. All in all, 2017 was a very good year, don’t credit union internal who perceive themselves as Director Vice Chair audit resources.” you think? doing everything in their Jill Meznarich Margaret Chamberlain, CUERME I hopeyour you all had the happiest of holidays. make their opinions Schools First FCU “The Association Follow us on: Arizona State CU (714) 466-8676 And the trend willDian continue, n of Credit Union (602) 452-4960 jmeznarich@ what artists could possibly Margaret.chamberlain@ schoolsfirstfcu.org Internal Auditors is rm in this offensive state, azstcu.org Term 2015 - 2018 www.acuia.org | 2 E AU D I T R E P O RT colleagues have taken such THTerm committed to being 2015–2017 Director nds against injustice? the premier and Treasurer
C
Doug Wright, CPA, CFE,
Recognized Leadership, Enduring Value Crowe Horwath LLP is one of the top 10 auditors of 1
credit unions with more than $100 million in assets.
Crowe demonstrates commitment to the credit union industry by continually supporting various industry-focused trade organizations, as well as providing thought leadership to the regulatory bodies that oversee the industry. To learn more about our commitment to the credit union industry, visit crowehorwath.com/cu or contact Mark Taylor at +1 630 575 4335 or mark.taylor@crowehorwath.com.
Audit / Tax / Advisory / Risk / Performance
1
Smart decisions. Lasting value.™
2016 Guide to Credit Union Auditors published by Callahan & Associates
In accordance with applicable professional standards, some firm services may not be available to attest clients. Š 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure
FS-18500-001A
{{from } } chairman’s the editor message
What Here’sLies to 25 Ahead More John Tabitha Gallagher Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
ACUIA’s many successes in 2017 pave the way for a bright year ahead.
W
ith year-end fast approaching and the Board’s Annual Strategic Planning meeting just around corner, it is time to look both where ACUIA has been and what lies ahead for 2018 and beyond. In short, 2017 has been another very successful year for ACUIA. We began the year with strong membership renewals, with our total counts continuing to increase every year. Our business relationships with our vendor partners expanded further, and commitments are stronger than ever. On an educational, development, and networking perspective ACUIA continued to deliver high quality programs with numerous networking
opportunities. In 2017, ACUIA held its annual conference in San Antonio, Texas. Attendance was strong and beyond the educational sessions, our members enjoyed their evenings dining at the Alamo and taking in the sights along the Riverwalk. In 2018, the conference will take us to the Windy City…Chicago. ACUIA regions and chapters continued to expand as well, and several pertinent webinars were offered throughout the year. I am extremely pleased that the Certified Credit Union Internal Audit School continues to be in high demand. During 2017, we offered two sessions (Spring and Fall) with both being sold out to capacity. In
WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Dian Scott at acuia@acuia.org to learn more.
4
www.acuia.org | TH E AU D I T R E P O RT
the three sessions offered thus far, over 200 individuals have successfully completed the course and earned their CCUIA designation. The next School will be offered March 19 – 22, 2018 in Dallas, Texas. I hope all of you will consider participating in this program as I believe it serves to further promote awareness and recognition to the profession of credit union internal auditors. On an administrative front, the ACUIA Board was expanded with both Tabitha Ernst-Chadwick and Tara Tocco being named as Associate Board Members. Their experience and knowledge of ACUIA will be a tremendous asset. Lastly, ACUIA bid a fond farewell to our founder, Terry McEachern. Terry retired from Royal Credit Union on March 31, 2017. We wish nothing but the best for her and her family in the many years ahead. Thank you all for your membership in ACUIA. Looking forward to seeing everyone in 2018. n
Service So Outstanding, Others Can Only Talk About It…
twhc.com TWHC Business Journal Ad REV-062612.indd 1
6/27/12 2:14 PM
6
www.acuia.org | TH E AU D I T R E P O RT
WEIGHING
ALL YOUR OPTIONS RISK MANAGEMENT CONCEPTS AND LITIGATION
TODD SHERPY
In many years of practicing law I have generally been of the school that being 100% legally right is not always the best “business direction/decision” for an entity. For 30-years and more, I have tried to bring our client base along to the point where they understand why this can be the case. This is why I welcome the era of Enterprise Risk Management.
www.acuia.org | TH E AUD IT R EPORT
7
A
s more credit unions embrace the concepts of ERM, they are more accepting of my general premise. Let me explain, with the following insights, history and lessons learned, based on the potential for litigation, or actual litigation, or threats. When I came out of law school 30-years ago, I was quite naturally infallible (very tongue in cheek); and it was my clients’ good fortune to have access to my perfect advice. Then I spent the next 30-years learning how a credit union is actually successfully run; growing up and immersing myself into my clients’ business to the point where I could actually connect the dots. This led me to
where I am today – understanding there are many answers to every situation; and the selection of the right path to follow requires many inputs – most of which can only come from the credit union. When you begin to work as a team, you will achieve so much more. Most lawyers I have known do not subscribe to this way of thinking, and that disappoints me. I cannot tell you the number of times I have seen a credit union blindly following the advice of legal counsel who never grew beyond the god-like belief they had right out of law school (i.e., the lawyer is all-knowing). This unfortunately leads to poor risk management and decision-making. Perhaps an illustration will help:
You risk assess.
You consider the options. You weigh them, including all other issues, such as
reputation risk.
Then,
management
8
www.acuia.org | TH E AU D I T R E P O RT
makes a decision.
Approximately 20 years ago I was spending time with a credit union in Michigan. Members of their management team asked if they could run a situation by me that dealt with employment matters, which is a specialty area we do not cover. Nevertheless, you have to know the basics of all areas in order to serve as general counsel to any credit union. So, with that caveat, I said sure – let’s hear it. They then explained the problem and the legal advice they had been given in order to address the matter, which required them to spend nearly $200,000. At the end of the story I asked “and were you happy with this option, versus your other choices?” At which point, I got the all-too-familiar “what other choices?” So – the lawyer heard the problem, and gave you the 100% legally correct choice only, and that is what the credit union went with. In this instance, the credit union had three basic choices: 1. The 100% option that cost $200,000. 2. The second choice was to consider addressing only the exposure within the statutory time period, by way of mitigation, which would have cost the Credit Union approximately $75,000. It would have left the credit union exposed to a potential fine, but the actions taken would likely have resulted in either a small fine or none at all. 3. Do nothing. Here the odds of a significant exposure, by way of discovery, were very low to begin with. However, if discovered, the exposure and possible fine would likely have been in the $200,000 range. The credit union’s response – “we wish that would have been explained to us”. Recently I helped a credit union with another matter where they just totally missed the boat (actually a whole fleet of ships). The issues involved the failure to include a floor in ARMs dating back ten or more years; and assuming they had. To
make a long story short, after one member complained, they identified hundreds of mortgages in which they had made this error, dating back as much as 12-years. Okay – per TILA/Reg Z and any number of other laws/rules you wish to throw in – the 100% “legally right” way to address this situation is to go back; take corrective action; and repay all these members for the interest overpaid. The problem: This would cost several million dollars by the credit union’s calculation, which was more than they could afford to pay. So, how do you risk-manage this hot mess? You risk assess. You consider the options. You weigh them, including all other issues, such as reputation risk. Then, management makes a decision. Let’s share those choices, so you can follow along with the credit union’s dilemma: 1. You pay millions you do not have. You likely expose the credit union’s errors publicly, and suffer reputation loss, and perhaps regulatory action (NCUA and/or CFPB). 2. You have one member raising the issue. You address that issue. You pay them the $50,000 overcharge; and you enter into a confidentiality agreement regarding the matter. 3. As to the others – you have a number of loans at relatively high rates in a low rate environment. You offer to refinance all those loans to get those members into fixed rate loans at much lower rates; and you offer to pay all costs associated with these refinancings. It will cost money to do this, but a lot less that the millions noted. Once the old loans are “paid and satisfied” the exposures are reduced, and after a period of time, are gone altogether. 4. You do nothing and just let those loans pay-out hoping no more “come to light” but if they do, use
the same risk mitigation plan used with the prior upset member. Some of you may say that choosing any option other than 1 is not legally right. I cannot argue the point, but accept that this is not my point. Here we are talking about making business decisions, and “legal” is but one component of that decision process. All applicable factors. including risks, need to be assessed, so that the best “business decision” can be made. The credit union made a decision that led to its refinancing nearly every one of the problem loans. As to the others – it has a risk mitigation plan in place. The litigation of today is the “predatory class action”. Many of you are seeing this by way of the ADA Website Accessibility issues that have been in the news since 2014. If or when you receive your letter, the first step is to notify your bond/insurer, and follow their instructions. This is the only to preserve your coverages. Some carriers are risk-assessing, and are paying these guys to go away. Others are assessing these my way and are choosing not to play. What would be the basis of not “paying along”? Honestly, as I see it, these demands are just shy of a blackmail scheme, designed primarily to put money in the lawyers’ pockets, and they are not interested in getting involved in litigation all over the country on these matters. You have to understand the game to play the game. When you consider some of the letters being sent out making these demands, you have to question the bona fides – such as “we represent a blind Texan” as there is likely no basis at all for the demand; they likely do not have a clue about credit union membership issues, in relation to standing, to bring a claim; it is likely there is not even a client (the claim is akin to my claiming “I represent a web-footed Louisianian who was not able to swim up to your teller line, in violation of ADA accessibility requirements”).
Which approach to these ADA demands is the right one? Luckily, that is not for me to decide. It is a risk-based matter for the client and/ or the insurer to decide. However, the right parties are making the decisions based on all the factors; and that, my friends, is risk-based decision making which allows you to make the best choices for your organization. At the end of the day, that is all I seek to convey. You are the decision-maker, and good ERM knowledge and practices will help you immensely as we move forward in this ever more litigious environment. n
About the Author Todd Sherpy is a founding partner in the law firm of Sherpy & Jones, P.A. with offices in South Carolina and Georgia; and is entering his 30th year of practice in the Credit Union compliance arena. The firm is dedicated to serving all legal needs of Credit Unions; and provides day-to-day compliance, compliance auditing, training and consulting services to Credit Unions throughout the United States. Todd dedicates a large portion of his time to teaching Credit Unions, having made presentations in 46 States and has been a participating as an instructor through many CUNA, League, and Credit Union Trade and Vendor programs. Todd has also authored numerous CUNA and other publications ranging from compliance resources to volunteer training programs. Todd also serves on the Credit Union Sub-Committee of the American Bar Association. Todd is married to the Executive Officer at a Large Georgia Credit Union and has two daughters, Caroline and Catherine -- having lost Catherine after a two-year battle with cancer in 2013. He adores both his daughters and now dedicates all funds from speaking and education to the fight against cancer and will accept no compensation personally. If ever Todd can help your Credit Union in regards to any Staff, Board or other training he will work with you in order to raise cancer awareness and donations to fight back against the disease that took from him what he holds as most precious. www.acuia.org | TH E AUD IT R EPORT
9
SUPERVISORY COMMITTEE MEETINGS
MAKE THE MOST OF THEM SAM CAPUANO, CBA, CRP
10
www.acuia.org | T H E AU D I T R E P O RT
Much has been written and said about credit union Supervisory Committees. They are always a topic of discussion at ACUIA annual conferences and regional meetings, including the recently completed Region 5 meeting in New Hampshire. Much of this SC discussion has been about how to make them more effective, who is on the Committee and how do they interact with those of us in internal audit. But, what about the Supervisory Committee Meeting? Are those periodic get togethers serving you and your CU well?
www.acuia.org | TH E AUD IT R EPORT
11
M
aking the most out of the meetings is especially important if there is not regular communication between IA and the Committee. So, let’s take a look at some best practices for Supervisory Committee meetings. Leading off, how often are the meetings? Typically, they occur quarterly or monthly. According to a recent poll on the ACUIA forum page, the results were just about down the middle. I’ve always thought the quarterly was the most effective way to go, as sometimes, due to the audit schedule, there may not be much to discuss certain months. Limiting the meetings to four times a year can eliminate this issue. I have seen instances in which CU’s hold monthly meetings, because it dates back to a time when the Committee was performing the IA duties. In these situations, changing the fre-
THESE MEETINGS PROVIDE THE BEST OPPORTUNITY FOR INTERNAL AUDITORS TO HIGHLIGHT WHAT WE DO, AND HOW WE BRING VALUE TO THE CU. quency to quarterly might be something to consider, or at least discuss with your committee. Bottom line, use the frequency which makes the best sense for your CU. Another issue brought up in this poll is one that has been a forum top-
ic many times before: who should attend the meetings. The consensus here seems to be there are members of management present for at least part of the meeting, joining the Committee and those from IA. If there are members of the management team present, there should at least be a period, typically at the end of the meeting, in which they are excused and the Committee and IA can meet in executive session. Having such an executive session often is the only time IA and the Committee are able to communicate without management present. This type of communication is a key part of being able to show independence. The very first question on the NCUA “Internal Audit Review” examination checklist asks, “Does the internal auditor report to and take direction from the supervisory committee, free from undue influence by management and/ or the Board?” While holding an ex-
Audit Management Software Audit Management Software
Trusted by Companies, Governments and Individuals Worldwide, MKinsight™ is a comprehensive, highly configurable, powerful easy to use Audit Management System. Trusted by Companies, Governments andand Individuals Worldwide, MKinsight™ is a comprehensive, highly configurable, powerful and easy to use Audit Management System. From individual auditors to State Audit Institutions MKinsight™ is easy to use, straight forward toauditors implement and affordable whatever the size of your audit team.straight From individual to State Audit Institutions MKinsight™ is easy to use, forward to implement and affordable whatever the size of your audit team. Key Functionality: Key Functionality: Dashboards
Audit Planning
Audit Scheduling
Audit Management
Dashboards Libraries
Audit Planning Electronic Working Papers
Audit Scheduling Controls Management
Audit Management On-line Questionnaires
Libraries ERM
Electronic Working Papers Time and Expense Recording
Controls Management Recommendation Tracking
On-line Questionnaires Comprehensive Reporting
ERM
Time and Expense Recording
Recommendation Tracking
Comprehensive Reporting
___________________________________ ___________________________________ www.mkinsight.com www.mkinsight.com United States: +1 847 440 5515 United Kingdom +44 113 2455558 United States: +1 847 440 5515
12
www.acuia.org | TH E AU D I T R E P O RT
United Kingdom +44 113 2455558
ecutive session doesn’t guarantee a “yes” answer here, it certainly helps the process. As for the meetings themselves, what should be on the agenda? Audit reports and responses are a given. The reports should be discussed, and noted as such in the minutes. Often times, Committees also want to see just a summary of findings since the prior meeting. If this is the case, the full reports should still be included in the packet. And what about those findings? Well, they need to be tracked on an ongoing basis, until the issues have been cleared. These tracking reports have become as critical to the meetings as audit reports themselves. Audit reports typically generate the most questions during the meetings, so be prepared for this. Having the work papers handy can be a bonus as well, for more in depth queries. Providing a status update on the annual audit plan is also a key component to an effective SC meeting. Examiners regularly ask both us in IA and the committee how things stand with the audit plan; if it’s the latter, this will allow the committee to have an answer. The meetings are also the place to bring up if for any reason, especially as the fourth quarter rolls around, the aforementioned audit plan may not be met. Discuss reasons why (typically an unexpected special project, or maybe a fraud situation) at the meeting. Then, based on risks, recommend which audit(s) will have to be pushed into the next year. Once that is discussed, and (hopefully) approved by the Committee, ensure that the minutes properly reflect the discussion, and approval. Ah, those minutes. They need to be comprehensive, right? A common regulatory exam comment is that the Committee minutes don’t have enough detail. They should at a minimum, include who was present, which
audits were discussed, and discussions which were held. So, if you’re not the one taking the minutes, give the draft a perusal prior to them becoming final, and if need be suggest a change here, or an addition there. A final note. These meetings provide the best opportunity for internal auditors to highlight what we do, and how we bring value to the CU. We already know this, so why not let those in attendance know as well.
About the Author Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont Offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started their IA function there in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.
Internal and Compliance Audit • External Audit • IT Audit
CONNECT WITH US Tom Giglio, CIA, CFSA— Executive Vice President 315.214.7841 | tgiglio@bonadio.com Samuel Capuano, CBA, CRP—Principal 518.250.7763 | scapuano@bonadio.com
bonadio.com |
Albany | Batavia | Buffalo | East Aurora | Geneva | New York City | Rochester | Rutland | Syracuse | Utica
www.acuia.org | TH E AUD IT R EPORT
13
rrors or irregularities may be identified as part of the procedures performed by your internal audit team. One of the key ways an internal auditor can add value to your institution is to perform a root cause analysis on any identified errors or irregularities. A root cause analysis is the process of identifying why an issue occurred (versus only identifying or reporting on the issue itself). An issue is considered a root cause if removal thereof from the problem fault sequence prevents the final undesirable event from recurring. Performing a root cause analysis has these benefits: ■■
Insights into root cause analysis make it potentially useful as a pre-emptive method
■■
Can be used to forecast or predict probable events before they occur
■■
Adds insight to improve the long-term effectiveness and efficiency of the business process
■■
Issue may have a higher probability of occurring without a root cause analysis A core competency for delivering insights is the ability
to identify the need for root cause analysis and, as appropriate, actually facilitate, review and/or conduct a root cause analysis. Internal audit—due to independence and
ROOT CAUSE METHODICAL INTERNAL AUDIT PROCEDURES HELP DIG UP PROBLEMS AND IDENTIFY SOLUTIONS
objectivity—can be the ideal group to analyze issues and identify root causes. In circumstances where the root cause of an issue is a result of actions or inaction of management, it’s critical to use an objective party to investigate and report back to senior management. The goal should be to identify the root cause and identify the solution to prevent recurrence at the lowest cost in the simplest way. Resources spent on root cause analysis should be commensurate with the impact of the issue or potential future issues and risks. More complex issues may require a greater investment of resources and more rigorous analysis. It also may require an extended amount of time and effort. You may not have all the skill sets needed for the issue identified. Your chief audit executive (or similar position) should 14
www.acuia.org | TH E AU D I T R E P O RT
MATT LIST, CPA
ANALYSIS
www.acuia.org | TH E AUD IT R EPORT
15
5
PRACTICAL STEPS TO PERFORMING A
ROOT CAUSE ANALYSIS 3 IDENTIFY POSSIBLE CAUSAL FACTORS
1 DEFINE THE PROBLEM
What sequence of events led to the problem? What conditions allow the problem to occur?
What do you see happening?
What other problems surround the occurrence of the central problem?
What are the specific symptoms?
Use tools to identify as many causal factors as possible:
2
So what? Five whys
COLLECT DATA
Cause-and-effect diagrams)
Proof a problem exists How long has the problem existed? What is the problem’s effect?
4 IDENTIFY THE ROOT CAUSE(S)
Know all the details of the problem before you can look at the contributing factors
Use the tools from Step 3 to identify the causal factors
Look at data from all perspectives (customers, insiders, etc.)
Dig deeper
5 RECOMMEND FEASIBLE SOLUTIONS Get chief audit executive’s (or similar position) feedback and guidance Do not take ownership of implementation (management function)
16
www.acuia.org | TH E AU D I T R E P O RT
make the final call on which issues to perform root cause analyses and which personnel should conduct them. In addition to complex issues, management may be hesitant to perform a root cause analysis. You should anticipate these potential barriers: ■■ Business management may be reluctant to support internal audit’s role in the root cause analysis. ■■ Business management may resist conducting a root cause analysis due to necessary time and resource commitment from their staff. Management may be focused on a short-term fix to immediately maintain compliance or return the business process or transaction to its correct state. ■■ Determining the true root cause may be difficult and subjective. In these circumstances, value provided by internal audit is the independent and objective evaluation and presentation of various data and analyses from which management may draw a conclusion on the most probable root cause. For more information, contact your BKD advisor. n
About the Author Matt is a member of BKD National Financial Services Group. He provides audit, accounting and consulting services to financial institutions as well as commercial entities in the manufacturing, distribution, service and retail industries. He has more than 20 years of experience assisting publicly traded and privately owned companies with complex corporate structures, financing alternatives, forecasting and mergers and acquisitions as well as preparation of financial statement audits, internal control assessments and operation reviews. Matt routinely meets with management, boards and audit committees to discuss technical accounting issues and the impact of financial accounting decisions. In addition, he is familiar with the requirements of the Securities and Exchange Commission and Public Company Accounting Oversight Board.
experience perspective
BKD National Financial Services Group
1400
FINANCIAL INSTITUTIONS
What are you reflecting on? Improved financial reporting? Strategic planning? Regulatory compliance? BKD helps approximately 1,400 financial institutions across the country with their risk management and internal audit issues. Experience how our expertise can give your institution a better vantage point.
Chad Garber, CPA // Director 317.383.4000 // cgarber@bkd.com bkd.com
www.acuia.org | TH E AUD IT R EPORT
17
WHAT WHEN HOW AND
TO AUDIT
CYNTHIA AUSTIN, MBA, NCCO, CICA
Whether it’s done internally within the organization or outsourced, preparing an Annual Audit Plan is a daunting task. Internal Audit is a vital component in the achievement of an organization’s objectives, so selecting areas that will make an impact is very important. 18
www.acuia.org | TH E AU D I T R E P O RT
WHAT TO AUDIT? The first step is to identify business functions and their associated risks. This is typically done by completing a risk assessment. Business functions are the core processes of an organization. Every function has associated risk. Risk factors include: ■■ Quality of the Control Environment (policies, procedures, security controls) ■■ Confidence/Integrity of Management (ethics policy and compliance) ■■ Recent Changes in Systems/Key Personnel (system conversions or turnover rates of personnel)
Growth Rates/Transaction Volume (changes in volume or dollars) ■■ Asset Sensitivity (susceptibility of the asset to theft or manipulation) ■■ Complexity of Systems/Operations (manual or automated processes) ■■ Extent of Government Regulations ■■ Time Since Last Audit Rating the risk of each business operation will determine which function should take priority over another in terms of deciding what to audit. ■■
WHEN TO AUDIT? Once the risk assessment is completed and all business operations are risk rated, the frequency of the audit can be determined. With the exception of mandatory regulatory audits, each operation can’t be audited each year; therefore, logically, higher risk rated operations should be audited more often than lower risk rated operations. The higher risk operations are typically the organization’s significant business activities.
HOW TO AUDIT? The final step is the actual specifics on how to conduct the audit. The specifics should include the following details:
Audit Objectives and Procedures Audit Scope ■■ Date of the Audit ■■ Length of Audit ■■ Number of auditors needed to complete the audit By addressing these specifics, the budget can be implemented, audit programs can be determined, appropriate documentation will be obtained, potential problems can be identified, and proper communication with the management can be achieved. Once the plan has been established, it will need to be approved by the Supervisory or Audit Committee. Any changes to the plan should also be reported and approved. The fundamental keys to preparing an Annual Audit Plan is to know the what, when, and how. n ■■ ■■
About the Author Cynthia Austin joined Nearman, Maynard, Vallez, CPAs, P.A., in November 2007 and currently holds the position of Internal Audit Manager. Cynthia received her Bachelor of Science in Information Management from the University of South Carolina and her Masters of Business Administration from Strayer University. Cynthia brings more than five years experience as an internal auditor to assist our clients with auditing and consulting services.
Looking for an auditor that stands out from the crowd?
Contact the CPA firm that audits only credit unions.
www.nearman.com | 800.288.0293
www.acuia.org | TH E AUD IT R EPORT
19
{Here’s } the standards to 25 More
{ from the editor }
Pat Richey, Retired credit union internal auditor Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA
Independence Independence is what makes internal auditors different from the rest of the credit union employees.
I
ndependence is a key word for internal auditors. Independence is what makes internal auditors different from other credit union employees. Standard 1100 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that the internal audit activity must be independent, and
20
www.acuia.org | T H E AU D I T R E P O RT
defines independence as internal auditors’ freedom to carry out their responsibilities in an unbiased manner. To achieve the necessary level of independence, the chief audit executive (CAE) must have direct and unrestricted access to the credit union’s senior management and Board of Directors. The Standards allows the
Board to delegate its internal audit responsibilities to an audit committee (or Supervisory Committee). Therefore, wherever I have stated “board” in this article, you can substitute audit committee, if the audit committee is assuming the Board duties related to internal audit. The Standards do not define the term “senior management”, or differentiate between senior and executive management.
Organization Chart Standard 1110 states that the CAE must report to a level within the credit union that allows the internal audit activity to fulfill its responsibilities. To whom does your internal audit activity report? The credit union’s organization chart is the clue to internal
audit independence, and is the best evidence of conformance with the independence Standards. The Board, senior management and the CAE need to jointly determine how best to place the internal audit activity in the credit union to maximize independence. Therefore, senior management and the Board should have a good understanding of internal audit independence, responsibilities and authority; and all stakeholders should agree to the expectations for the internal audit activity. Other key considerations in this joint discussion should include reporting lines, Board or senior management supervision, professional requirements, regulatory requirements (if any), benchmarking and the credit union’s cultural issues. Ultimately, the internal audit charter will reflect the results of these discussions, and the audit committee charter should include its oversight responsibilities for internal audit. Internal Audit should not report to a manager of a function that is subject to an internal audit. Needless to say, internal audit should not be reporting to operations, lending, finance, risk management or compliance if the internal audit activity is auditing those areas.
Reporting Lines According to Implementation Guide (IG) 1100, often the CAE has a direct functional reporting line to the Board and an administrative reporting line (sometimes called a dotted line) to a senior manager. These reporting lines are important for conveying the internal audit’s status in the credit union. The unrestricted, direct line to the Board enables secure communication of sensitive issues between the Board and the CAE, and reporting administratively to a senior manager helps
address difficult issues with other senior managers. IG 1100 states that the CAE should not report to a controller or mid-level manager who may be subject to audit routinely. However, aren’t senior managers subject to audits? The Institute of Internal Auditors (IIA) recommends that the CAE report administratively to the chief executive officer (CEO). This sends a signal that the CAE is in a senior position outside of functional areas. At my credit union, the CAE reported functionally and administratively to the audit committee, although this was not common among credit union internal auditors.
crafting board meeting agendas. Although I reported to the board at each board meeting, I’ve never heard of a credit union CAE developing board meeting agendas. At board meetings the CAE can apprise the board of key findings or risks that require the board’s attention. The Standards place importance on the CAE being able to demonstrate conformance with all the Standards. The CAE can demonstrate independence Standards conformance with the audit charter and policy manual; CAE hiring documentation, job description and performance evaluations; and Board minutes or agendas.
Functional Reporting Standard 1110’s interpretation gives examples of CAE functional reporting to the Board, including the Board’s approval of the internal audit charter, plan, and budget; approval of the CAE’s hiring, firing and salary; receiving reports from the CAE as to internal audit’s performance relative to its plan; and determining if there are inappropriate scope or resource limitations, pressures or impediments. The interpretation does not include communicating audit results. As I mentioned, although the Board may delegate its’ audit responsibilities to an audit committee, the CAE should educate the Board on its responsibilities related to internal audit. The Board is important to the credit union’s culture, and attitude toward internal audit. At my credit union, we reported functionally to the audit committee, however the committee and the Board approved the internal audit charter because the charter was policy which was the Board’s domain. IG 1110 states the CAE should routinely provide the Board with performance updates at board meetings, and that often the CAE is involved in
Administrative Reporting Implementation guidance does not address the meaning of administrative reporting. An old Practice Advisory 1110-2 (no longer part of the standards) stated that administrative reporting facilitates the day-to-day operations of internal audit, which generally includes budgeting and management accounting; human resource administration including personnel evaluations and compensation; internal communications and information flow; and administration of internal policies and procedures. Due to my administrative reporting to the audit committee, I created my budget which was approved by the committee and forwarded to Finance for inclusion in the credit union’s budget. The audit committee performed my personnel evaluations, but compensation was based on credit union-wide policy. I advised the audit committee of absences, and input those absences in the human resources attendance system.
Board Interaction Standard 1111 states the CAE must communicate and interact directly www.acuia.org | TH E AUD IT R EPORT
21
with the Board. Due to the Board’s internal audit responsibilities, internal audit has many opportunities to communicate and interact directly with the Board. IG 1111 says the CAE should participate in audit committee meetings and Board meetings, have the authority to contact any Board member to communicate issues facing internal audit or the credit union, and at least annually meet privately with the Board or audit committee without senior management present. At my credit union, senior management did not regularly attend audit committee meetings. About once a year, the audit committee invited the CEO to a meeting (unfortunately for the CEO, the meetings were at 6:45a.m.)
Standard 1110 states that the CAE must confirm to the Board, at least annually, the organizational independence of the internal audit activity. Independence also means lack of interference. Is internal audit independent if a VP asks that an operation in his area not be subject to audit, the CEO asks the CAE to not advise the Board of a significant financial error, or a senior manager restricts access to her expense reports? Would you report these situations to the Board, and be able to confirm that internal audit is independent because you did not succumb to these interferences? If the CAE is truly independent, the CAE can report interference to the Board without fear of being fired.
The key word in the independence definition is “freedom.”
22
www.acuia.org | TH E AU D I T R E P O RT
Non-Audit Roles Sometimes management may ask internal audit to take on non-audit roles. As an example, to management it may seem that internal audit is a natural choice to undertake responsibility for risk management. Can the CAE be responsible for risk management and be independent? Not if risk management is subject to internal audits. Is internal audit’s risk assessment objective if the CAE is responsible for a functional area? The IIA recommends that the CAE not take on other responsibilities beyond internal audit. However, Standard 1112 states that if the CAE is asked to take on other responsibilities, the Board and senior management should ensure there are safeguards to limit impairments to independence. The Board will have to effectively provide oversight, and obtain external audits of the CAE’s additional areas of responsibility. IG 1112 states that the CAE should first understand The IIA’s Code of Conduct, the independence standards, The IIA’s Core Principles that are related to independence Board. IG 1112 gives examples of situations when the CAE may be asked to perform management roles. There may be changes in the credit union or key personnel that require repositioning or redefinition. An example of a CAE taking on an additional role for the long-term would be when the credit union cannot afford additional personnel, the credit union is too small to afford separate functions; or the credit union’s risk management is immature and the CAE has the most appropriate expertise. If the CAE’s non-audit responsibilities are not temporary, the internal audit charter should discuss the additional roles. However, in some situations, the CAE may take on temporary roles such as a pressing need to develop policies or procedures to ensure regulatory compliance; or the credit union needs current risk manage-
ment activities to be adapted for a new business function or market. If the CAE takes on short-term responsibilities, there should be a transition plan with timeline to divest of these responsibilities. I have to admit I wrote policies all the time; not because management asked me, but because in an audit report I would recommend that management write a policy and what they produced was not, in my opinion, adequate or complete. So I began writing policies, instead of recommending that management write a policy. As part of my audit report, I would offer my policy for management’s consideration and approval. Another example of a non-audit role is I had a licensed attorney on my internal audit staff who worked as an internal auditor. Management made periodic requests for this auditor to look at contracts. However, this internal auditor audited vendor management, and reviewed contracts when auditing functional areas; so it was an iffy situation for us. One time, I performed an external assessment for a credit union’s quality assurance and improvement program. The CAE was very proud of her internal audit department, and was very confident of excelling in the external assessment. However, the CAE had taken on so many management responsibilities, that she was doing very little auditing. She was not happy with the assessment report. However, I had a very nice meeting with the credit union’s audit committee chair and was able to explain to him the difference between auditing and non-audit roles. One area of credit union auditing, that I think is a management role, is internal control monitoring. I may be in the minority on this point. According to the COSO framework of internal controls, there are 5 internal control components including monitoring. Management is responsible for internal controls, so that includes monitoring. Internal audit’s
role is to evaluate the effectiveness of internal controls. If internal audit is monitoring, then internal audit is being the internal control point. Instead, internal audit should ensure that management has monitoring controls in place.
Freedom The key word in the independence definition is “freedom” - freedom from interference, freedom of com-
munication, freedom of access. The internal auditor is free to determine what to audit, how to audit, when to audit and whom to talk to (of course, always complying with the Standards on audit risk assessment). n
About the Author Pat Richey was Director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
www.acuia.org | TH E AUD IT R EPORT
23
{ member spotlight }
security } WHY? Julie Wilson{ information Tom Schauer, Principal, CliftonLarsonAllen Dian Scott
For this issue, the ACUIA Spotlight is shining on Julie Wilson—Regional Director, busy mom, hay farmer, sports coach, collector of fine old tractors, charity worker
Julie, please Tell us a bit about yourself (family, hobbies, sports, travels, pets, etc.) I have a great family. Twin boys, seniors in high school; and a daughter in her second year of college. My hus-
24
www.acuia.org | TH E AU D I T R E P O RT
band and I are weekend hay farmers. We have 6 vintage red tractors (Internationals); tractors are red, crops are green; horses, cows and a lot of fresh air, peace and quiet. Country life is good. We are close to the mountains,
so we snowmobile in the winter, and close the beach for spring and summer as well as watching winter storms. Nothing like a campfire in the mountains or bonfire on the beach for relaxing. I enjoy the outdoors, hiking, gardening, sports. I am an old college volleyball player and I have the knees to prove it. During my 35 plus years of playing volleyball I’ve won many tournaments – 6 person, doubles and triples; grass and sand, even a 3rd place finish at a national sand tournament. I’m an avid softball player as well, placing 9th in a national co-ed tournament was a highlight. I have coached volleyball and softball and baseball for many years. I’m currently coaching girls high school volleyball and have gone to the State tournament 4 of the last 5 years – and yes, we’re going this year as well (go Cats!) I love to travel! We take a lot of driving trips around the US, trying to visit as many places as we can. My husband and I have been known to drive 1800 miles to pick up a tractor (more than once). I also have traveled outside the US. I enjoy experiencing different cultures – trying foods and talking with people to get a feel for their lives. For the past 15 years, I have organized coworkers, family and friends to provide Christmas for many families in need. We provide Christmas presents for kids, warm clothing and shoes, kitchen items, food baskets, personal items, bus passes, gas cards; we’ve paid heating bills, car repairs and rent. It’s a great feeling to help others. iQCU has a great program for their employees; we get paid to volunteer in the community. Through our programs I’ve cleaned up parks, worked at food banks and read to elementary
school classes. It’s a great way to help my community.
What drew you to the world of internal audit. What advice would you offer to newbies in the field? While earning my degree, I took an Auditing class. I enjoyed it so much I took another. Auditing felt natural for me, like I belonged there. I really work to keep in mind that we are all on the same team, working towards the same goals as all other employees. Working together with management and staff is the best way to reach those goals. Develop good relationships with management and your IS staff. Talk to them, ask them what they see and what their concerns are. Visit your branches when you’re not doing an audit, spend 30 mins talking with the manager and staff, get to know them. Continue to learn and grow with your organization. Don’t get left behind. How long have you been an ACUIA member, and what background experience and accreditations, etc. do you have? I’ve been an ACUIA member for 17 years. I joined within a month of being hired at iQ Credit Union. I have a degree in Accounting from Western Washington University and my CFE. I worked for Red Lion Hotels for 7 years as an Internal Auditor, Hotel Controller and Regional Controller. I’ve also worked as a Financial Accountant for an advertising/PR firm and a Computer sales/ service company (my first job out of college). The Ad/PR firm I worked for has a local brewery as a client – written in the contract was that the brewery provided a keg of beer for our breakroom. We also had a pool table and multiple TVs with ESPN. Great to stay after work, shoot some pool, have a beer and watch the Portland Trail Blazers.
I worked for iQCU as a teller during summer/spring/Christmas breaks during my college years. After getting my first accounting job out of college, I thought I’d never be back in the Credit Union world, but here I am. My mom was CEO for a credit union for many of my teenage and adult years. I guess you could say credit unions are in my blood; part of my family.
What ACUIA membership benefits do you find most rewarding? I have gained so much from ACUIA over the years from education and networking at the annual conferences to the support from my colleagues in my region and ACUIA-wide. I appreciate the willingness to share audit programs, experiences and stories with ACUIA members. What are the major challenges you feel the industry faces today, and how can internal auditors overcome these challenges? A burdensome and constantly-changing regulatory environment, as well as the dangerous necessity of technology, are both major challenges for credit unions.
Auditors need to keep up to date with regulatory changes, which is an ongoing process. Subscribing to a service that monitors and alerts you to new and changing regulations can be very helpful. Join a listserv, follow a blog on compliance. Ask your CU league for support on regulations. Webinars and ACUIA annual conferences can provide great resources as well. The speed at which technology changes and new services are available is amazing and troubling. Younger generations will ask for, and expect, new technology-based services. These services can be expensive and higher risk for all Credit unions. If we don’t provide them, we risk losing members or attracting new members. Audit can help by ensuring vendor contracts are reviewed prior to commitment for service. Audit procedures and controls to ensure risk is mitigated to an acceptable level. Education is key to both of these challenges.
Julie, thanks for sharing with us all these interesting details about your life! n
FUN FACTS ABOUT JULIE 1. Played violin with the Oregon Youth Symphony 2. Has coached numerous softball, baseball and volleyball teams to tournament victories 3. Has driven 1800 miles (more than once) to pick up yet another red tractor
www.acuia.org | TH E AUD IT R EPORT
25
{ the standards { regional news } } Pat Richey, Retired
1
REGION
Julie Wilson, Director Director Internal Audit, iQ CU 360.992.4233 juliew@iqcu.com Columbia Credit Union hosted the Region 1, October 13 meeting in Vancouver, Wash. We had a great line-up of speakers and topics: Eileen Iles and Crystal Jareske, with Crowe Horwath, discussed “Can Culture Be Audited?” & “How to Determine A CU’s Risk Appetite’’; Ryan Sturgis (Moss Adams) discussed CECl; Our very own Brandon Ely discussed Risk-Based Audit Plans and Stephen Schiltz (CliffordLawsonAllen) discussed “Audit’s Role in Financial Statement Audits”. The meeting was very usefull and well attended. Region 1 is currently planning a two-day meeting hosted by Denali CU in Anchorage, Alaska. The meeting will be May 24-25 next year, Come join us for a long weekend in Alaska. It’s beautiful, and I hear the fishing is great! Watch the ACUIA website for more information: https:// www.acuia.org/event/region-1-meeting-spring-2018.
2
REGION
Andrea Munoz, Director andrea.munoz@firsttechfed.com No news for Region 2. Contact Andrea for information.
3
REGION
Tom Cosby, Director
Vice President Internal Auditing Crane Credit Union (812) 863-7000 ext 7142 tcosby@cranecu.org Region 3’s Conference, Oct. 18-–20 in Indianapolis, was well-attended and informative.
26
www.acuia.org | TH E AU D I T R E P O RT
Open
4
REGION
ACUIA NEEDS YOU! This Position is still open. Please contact a member of the ACUIA Board if you are interested in volunteering.
5
REGION
Michael P. Moreau, CIA, CFE, CFSA, Director MACPAGE LLC 225 Cedar Hill St., #200 Marlborough, MA 01752 800-339-5701 978-760-0195 - cell The Region 5 meeting was held October 2-3 in Portsmouth, NH. Many thanks to Service CU for hosting! The topics covered were Common Internal Audit Findings, Auditing Compliance Management, Recent Fraud Cases, NCUA Hot Topics, Three Lines of Defense and Sustainable Vendor Risk Management Program. We also had a lively roundtable discussion. Planning has begun for the 2018 meeting. Watch for details.
REGION
6
Jason Alexander, CIA, MBA, CICA, Director Director of Internal Audit LGE Community Credit Union 770-421-2579 jasona@LGEccu.org Region 6 had a wonderful time in Orlando at our conference on Sept. 18-20. Details to come on the conference next Fall in Tennessee. n
{ region directors }
{ the standards } Pat Richey, Retired
1
REGION
REGION
Julie Wilson juliew@iqcu.com
3
Tom Cosby tcosby@cranecu.org
2
REGION
REGION
Andrea Munoz andrea.munoz@firsttechfed.com
5
REGION
4
Michael P. Moreau, CIA, CFE, CFSA MPM@macpage.com
REGION
VOLUNTEER NEEDED!
6
Jason Alexander, CIA, CICA jasona@lgeccu.org
{ chapter coordinators } Contact these volunteer leaders and get involved in local ACUIA activities. REGION 1
rtorres@CreditUnion1.org
CENTRAL CASCADES (OR/WA) CHAPTER
INDIANA CHAPTER
Terry Robbins trobbins@mapscu.com REGION 2 ARIZONA CHAPTER
Jason Garlutzo Jason.Garlutzo@azstcu.org
Tom Cosby tcosby@cranecu.org MINNESOTA CHAPTER
Nikki Ige Nige@kcfcu.org REGION 3
ILLINOIS CHAPTER
Rick Torres
SOUTH CAROLINA CHAPTER
David Caster dcaster@firstcommunity.com
VOLUNTEER NEEDED!
IOWA CHAPTER
HAWAII CHAPTER
ST. LOUIS CHAPTER
MICHIGAN CHAPTER
UTAH CHAPTER
Randy Manscill, CIA, CFE, CFSA rmanscill@americafirst.com
VOLUNTEER NEEDED!
REGION 5
VOLUNTEER NEEDED!
Brittany Metz brittanymetz@uiccu.org WISCONSIN CHAPTER
Karla Hodgkins khodgkin@Covantagecu.org
NEW YORK CITY CHAPTER
REGION 6 ALABAMA CHAPTER
Adrienne Breckenridge, CPA abreckenridge@ avadiancu.com GEORGIA CHAPTER
VOLUNTEER NEEDED! FLORIDA CHAPTER
REGION 4
Lourdes Camacho lourdesc@sccu.com
ARK ANSAS CHAPTER
MARYLAND CHAPTER
Patrick McCollough pmccollough@AFCU.org
NORTH CAROLINA CHAPTER
VOLUNTEER NEEDED!
Ashley Shrode Ashley.Shrode@thrivent.com Kathleen Schaefer Kathleen.Schaefer@elgacu. com
CALIFORNIA CHAPTER
NORTH TEX AS CHAPTER
Nikki Torres nichele.torres@towerfcu.org
Tammy Farmer tammyf@scscu.com
TENNESSEE CHAPTER
Michelle Clark, CUCU mclarck@ecu.org
{ acuia select }
{ member spotlight } Patrick McCullough
ns to ACUIA
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the dit union audit professionals. Executive Office at (703) 688-2284. P L AT I N U M
nsibilities and internal control objectives by providing:
eviews n CertiďŹ ed ACH Audits n Bank Secrecy Act nding Programs n Branch and Operational Audits source and Payroll Reviews n Assistance with Risk tatement Audits
GOLD
CertiďŹ ed Public Accountants & Consultants
S I LV E R
TeamMate
BRONZE
dly serving credit unions throughout the Mid-Atlantic region. mation about PBMares, visit us online at www.pbmares.com.
28
www.acuia.org | TH E AU D I T R E P O RT
MOSSADAMS.COM/FI
INNOVATION RISES IN THE WEST
Out here, the sun rises on endless possibility. Backed by decades of experience serving credit unions, our professionals are committed to helping you grow your business with industrysmart assurance, tax, and consulting services. We invite you to discover how Moss Adams is helping financial institutions thrive.
RISE WITH THE WEST.
Assurance, tax, and consulting offered through Moss Adams LLP. Wealth management offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.
SAN DIEGO, CA
6:37 AM PDT
AS SUR A NCE INTERN A L AUDIT REGUL ATORY COMPLI A NCE IT CONSULTING CREDIT RE V IE W SERV ICES STR ATEGY & OPER ATIONS
RELATIONSHIPS BUILD BUSINESS RELATIONSHIPS BUILD BUSINESS Strengthen your relationships by using advisors with a strong professional network. Strengthen your relationships by using advisors with a strong professional network.
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. ©2017 CliftonLarsonAllen LLP Wealth | 28-1094 Investment advisory services are offered through CliftonLarsonAllen Advisors, LLC, an SEC-registered investment advisor. ©2017 CliftonLarsonAllen LLP | 28-1094
Dean Rohne | 800-657-4477 Dean Rohne | 800-657-4477 CLAconnect.com CLAconnect.com