Volume 27, Issue 1, 2018
Fear Not!
The Magazine of the Association of Credit Union Internal Auditors, Inc.
WE’VE GOT THE TOP OPERATIONAL RISK LESSONS SO YOU DON’T HAVE TO LEARN THE HARD WAY
PHISHING PHORENSICS: HOW TO AVOID EMAIL SCAMS
NCUA PRIORITIES: THE 2018 RUNDOWN
THE STANDARDS: OBJECTIVITY
{ contents }

FEATURES
Get Smart! Operational risk lessons you don’t want to learn the hard way. Tabitha Ernst-Chadwick
Business Email Compromise Schemes: How to avoid becoming an unwilling participant. Shauna Woody-Coussens
Gearing Up for NCUA’s 2018 Priorities: It’s an annual tradition to see what supervisory priorities are in store. Sam Capuano, CBA, CRP

DEPARTMENTS
From the Editor: Renewal Is in the Air. Dian Scott
Chairman’s Message: My Forecast. John Gallagher
The Standards: Objectivity. Pat Richey
Member Spotlight: Michael Moreau
Regional News
Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.
Executive Editor: Dian Scott
Designer: Victoria Valentine
Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 332 Commerce St., Suite 100, Alexandria, VA 22314, (703) 688-2284
© Copyright 2018, ACUIA. All rights reserved.
{ from the editor }
Renewal Is in the Air Dian Scott
Adjusting to my fun, challenging and altogether interesting affiliation with ACUIA. And, what a colorful cast of characters I’m meeting.
Hi, dear hearts. Hope you’ve been coping well with all the moody weather changes that keep popping up all across the country. Spring will be very welcome this year, and thankfully, it’s not all that far off. And, Chicago is beckoning.

I’m getting used to the world of internal auditing, slowly but surely. I’m no longer completely stymied by the many facets of auditing, and I’m even learning a bit of the lingo. However, I’m not sure I’ll ever be able to translate all those intriguing letters after your names. I’m sure they’re hard-won and very impressive, but a little beyond my understanding. Or, maybe I just feel a little left out of the mix – not a single “after” letter to my name. Sigh…

Thanks to all of you who have offered advice, and have submitted articles for The Audit Report. Your participation is appreciated. And, if there is an article you would like to see in the magazine, please let me know.

Beginning with this issue, we will be adding a new feature to the magazine. Suzy Parker, former award-winning illustrator for USA TODAY, will submit an original “snapshot”, or infographic, for each issue.

Warm regards,
Dian Scott
Dilanto166@gmail.com
301-774-6484

www.acuia.org | THE AUDIT REPORT

2018 Board of Directors
Chair: John Gallagher, CUERME, SEFCU, (518)-464-5245, jgallagh@sefcu.com, Term 2016–2019
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2017–2020
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dwsenson2@wingsfinancial.com, Term 2015–2018
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2017–2020
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018
Director: Doug Wright, CPA, CFE, CUCE, BSACS, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2016–2019
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018
Associate Director: Tabitha Ernst-Chadwick, Marine FCU, (910) 355-5611, TErnst@marinefederal.org
Associate Director: Tara Tocco, Hughes FCU, (520) 205-5744, TTocco@hughesfcu.org

WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Dian Scott at acuia@acuia.org to learn more.

ACUIA executive office: 332 Commerce St., Suite 100, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
{ chairman’s message }
My Forecast John Gallagher
The outlook: Windy with a high probability of education, development, and fun.
Hard to believe that we have already changed our calendars over to 2018, and are moving ahead so quickly. Sometimes I just wonder if it will slow down at some point. In a good way, so many of us have so much on our plates. While we joke that it serves as job security, the reality of it, at least in my opinion, is that the profession of credit union internal auditors and other risk professionals is finally being recognized for the value we each bring to our respective credit unions as well as the overall industry. For many years I have stated that we can judge our success by who comes knocking on our door to solicit guidance or assistance, or by how many internal committees we serve as a resource or subject matter expert. We (internal auditors) can no longer just be internal auditors that issue reports that management really does want to read. Instead, we need to be leaders of our organizations.

Traditional auditing is quickly becoming a way of the past so internal auditors, more now than in the past, must be prepared to adopt new strategies and methods. Let’s face it, how things are done today is far different from the way they were done in the past. We must be prepared to address these changes, long before they are implemented. Of course, that, we all know, is a constant challenge in itself. Finding the time to both develop and further expand our skills and competencies, while attempting to complete our audit plans, is essential. It is imperative that we continue to strive to provide the most value to our respective credit unions. So, tackling this challenge is one that we must do, and do it well.

With that said, there is no better place to start than with ACUIA’s annual conference coming in June. We will be in the “Windy City” of Chicago. While the conference agenda is not yet finalized, it is promised that it will be packed with sessions of the most timely of topics. We are also gearing up to enhance sessions applicable to risk management professionals. In my opinion, and as I have stated to many of you in the past, the roles of internal audit and risk management must be aligned. Working in collaboration and having a common mindset will provide the most value to the credit union. I hope you will consider attending the conference and networking with your peers.

Continuing on the topic of education and development, there is intent to provide two additional internal audit certification schools during 2018. While the Spring program is already sold out, a Fall program is being added and the date will be announced shortly. To date we have bestowed the designation of Certified Credit Union Internal Auditor to over 200 and, by the end of 2018, we hope to surpass 350. I truly believe this certification program is raising the value of our profession. My personal thanks to everyone who has participated in this program thus far.

Hoping to see all of you soon. Here’s to having a successful 2018!
UPCOMING EVENTS
For complete details go to www.acuia.org/calendar

APRIL 2018
13 Florida Chapter Meeting – Orlando, FL

MAY 2018
10 Indiana Chapter Meeting – Indianapolis, IN
18 Minnesota Chapter Meeting – Plymouth, MN
24–25 Region 1 Meeting – Denali, AK

JUNE 2018
19–22 ACUIA Annual Conference & One Day Seminar

AUGUST 2018
15 ACUIA Webinar – Continuous Monitoring

OCTOBER 2018
1–2 Region 5 Meeting – Albany, NY
3–5 Region 3 Meeting – Eau Claire, WI
8–11 ACUIA / CUNA CCUIA Certification School
{ new board members }
Welcome to The Board, Ladies

The ACUIA Board of Directors recently increased its number by two, with the welcome appointment of Tabitha Ernst-Chadwick and Tara Tocco as Associate Board Members.

TABITHA ERNST-CHADWICK
Chief Risk & Compliance Officer, Marine FCU

Nearly 18 years of Tabitha’s financial institution career has been spent in Internal Audit at Marine FCU. In October 2015, she made the move from VP Internal Audit to Chief Risk & Compliance Officer. In addition to audit, her experience includes risk management, fraud, BSA/AML, strategic planning, vendor management, business continuity/disaster recovery, professional training, compliance management, and security. Tabitha first became involved with ACUIA in 1999. Several years later she was given the opportunity to serve as Region 6 Director. Then, on to the editor position of ACUIA’s Audit Report magazine, a position she held for 13 years. Her ACUIA skills and commitment have led to her appointment as Associate Board Member. Her new role will be to assist with establishing ACUIA’s Risk Management group. She has a BA in Political Science from Slippery Rock University. She is certified as an Internal Auditor, Fraud Examiner, Information Systems Auditor, Loan Review Professional, Anti-Money Laundering Specialist and NAFCU Certified Compliance Officer.

Awards and Recognitions: North Carolina Volunteer of the Year, 2006; Auditor of the Year, ACUIA, 2006; and Randy Mancsill Excellence in Service, ACUIA, 2017.

TARA TOCCO
Internal Audit Manager, Hughes FCU

Tara has 38 years of experience in the financial services industry. She has been with Hughes FCU for 17 years, where she is the Internal Audit Manager. She has been actively involved with ACUIA since 2011. She became the Region 2 Regional Director in 2015. She regularly attends ACUIA conferences, both national and regional. She also planned and managed a regional conference. Tara is excited to work with the Board and members, and looks forward to assisting the Regional Directors and the social media.

Certifications: CUNA Credit Union Compliance Expert (CUCE) since 2003; CUNA Credit Union Internal Audit Certification (CCUIA) since 2017.
Get Smart!
Operational Risk Lessons You Don’t Want to Learn the Hard Way
TABITHA ERNST-CHADWICK, CIA, CISA, CFE, CAMS, LRP, NCCO
Whether your daily grind is audit, risk, or compliance, the burden of the ever-increasing complexities of credit union operations makes it tough to even keep pace, let alone stay ahead of it. More responsibilities with fewer resources mean that some of those age-old controls can easily become distant memories. And the lack of time and resources can sometimes prevent us from identifying the need for new and improved controls. I can’t compile a list of every risk and control we need to monitor into one little article, but I’ve put together some of the hot topics that I know have plagued one credit union or another in recent history.

LESSON 1: Dealing with the Dealer

If your credit union is involved in indirect lending, you undoubtedly have some loan and dealer monitoring programs in place. (And if you don’t, you probably will shortly after your next Exam). Indirect lending opportunities continue to evolve, bringing additional opportunities for increasing volume. As volume increases, so do the risks – and consequently, the need for controls.

Profitability
All credit unions have profitability analysis on their loan portfolios. But as the indirect lending portfolio grows in dollars and complexity, more in-depth analysis is important. Some reports that can be critical to mitigating indirect lending risk [1] include:
■ Charge off and delinquency trends by dealer – It’s important to know if your charge off and delinquency risks are spread evenly throughout your portfolio, or if they are concentrated with just a few problem dealers.
■ Net Yield Analysis – You probably already have this established for specific loan types and buyer risk, but consider putting this in place for dealers as well. If you know how much you have yielded from a particular dealer, that can be very effective in setting your dealer reserve standards (or tightening up controls on loans offered through that dealer).
■ Concentration limits by dealer – This is important to know when you are looking at those profitability and loss reports. Your standards and expectations may differ between the dealer that brings you over 25% of your indirect deals versus the dealer that brings you just a few deals per year.

Once you determine which profitability reports are most important to your credit union’s operations, validate the data in those reports before you start relying on them for decision-making. Some level of error tolerance may be acceptable, but you need to be comfortable with the data you are using; and you will need to be able to justify it to auditors and examiners.

[1] See NCUA LTR 10-CU-15
Fraud Risk
We’ve all heard the tales of dealer deception – fake pay stubs, fake ID, power booking, etc. This type of risk can potentially lie dormant for years, and then rear its ugly head at the worst possible time. By the time it’s discovered, you may have stacked up hundreds or even thousands of deals and millions in potential losses. To avoid the surprises, establish review processes that will be effective in identifying dealer fraud.
■ With lending processes now managed almost exclusively by electronic delivery between dealers and the credit union, the buyer doesn’t necessarily see the Options page that your lenders are seeing, and the buyer doesn’t always know what income is reported on that electronic application. Consider establishing verification processes that involve speaking directly with the buyer. When you get the buyer on the phone, verify the vehicle options, reported income, and any other parameters that are critical to your underwriting decision. You may be surprised how often those extra options “accidentally” get added to the paperwork or the income had an added extra zero.
■ Automated lending is great. It can make everything work more smoothly and helps to reduce personnel costs. Automated lending can also be a great resource for fraudsters. Evaluate those loans approved through the automated system periodically to ensure they aren’t adding unacceptable fraud risk. If the dealer is complicit in the fraud, then he/she will take steps to ensure the fraudulent loans fall under those automated system approvals and avoid the loan officer’s eyes.
■ When you do establish fraud review processes, don’t set ’em and forget ’em. Switch them up periodically so you can cover all the bases. For example, if your risk-based verification procedures only trigger loans at certain dollar amounts, you could inadvertently omit entire dealerships from the review.
■ Don’t let the dealer analysis program die after the loan is approved. Quality Control and Collections are also in a great position to identify problem loan trends. If these are reported to lending in a timely manner, it can help stop the bleeding before your credit union ends up in critical condition.

Monitoring requires time, money, and probably people and software. But the costs of monitoring are usually far less devastating than fixing a problem that has gone undetected for a long period of time. Either way you will end up with monitoring – I recommend mitigating the risk before it occurs rather than waiting to say “I told you so” later (no matter how satisfying it might be to say it…)
LESSON 2: Vendor Validation

It’s nearly impossible to discuss risk without mentioning vendors because they impact so many facets of the credit union. Poor vendor management controls can be some of the most dangerous omissions in your risk programs. Most credit unions have established vendor management programs. Even a program still in its infancy probably has basic risk and evaluation standards at the time of the contract and periodic reviews throughout the duration of the relationship. Depending on the criticality and risk of the vendor, this may range from full-blown annual analysis of SSAE16/SSAE18 reports, financial statements, performance reviews and cost/benefit breakdowns, to basic review prior to contract renewal.

As important as those reviews are, however, they don’t mean much if you aren’t managing the space in between. How many times have you evaluated your vendors to make sure they are actually doing what you pay them to do? That is difficult to justify because you pay the vendor to do a job and expect it to be done. Plus, if you had the time to verify everything you would probably not need the vendor in the first place. Failure to perform at least periodic validation, however, usually brings unexpected and expensive surprises.

I could write an entire article dedicated only to vendor errors, but for now I will focus on a few common examples just to provoke some thought.
■ Statement vendors – Depending on how you manage your statements and what you include, you may be relying on that vendor to satisfy numerous compliance requirements. But that “Change In Terms Notice” included with your statements isn’t doing you any good if the vendor failed to include it. A good rule of thumb – for any communications that are critical to compliance or create significant liability, invoke the Trust But Verify rule. And invoke it sooner rather than later. It’s never an easy fix when you find an error two years after it occurred.
■ Debit card processors – If you use a processor to manage your debit disputes, you might want to review the vendor processes to ensure they are actually complying with Regulation E (Hint: Most of them don’t). Unfortunately, if your vendor doesn’t comply with Regulation E, the answer you will likely receive is “We follow Visa rules.” That’s awesome, but doesn’t help you at all in a Regulation E discussion with examiners (or worse, the court!). You may find yourself in a situation that requires you to do some extra work internally to maintain compliance.
■ Credit card processors – For many credit unions, this is a very robust relationship because the credit cards often reside on the vendor’s system. Some credit unions just exhale and let the credit cards run on vendor auto-pilot, but that can be disastrous. If you make a critical change, like a rate adjustment per the CARD Act or added benefits to a specific card program, double check to ensure the vendor processed the change correctly. Again, I don’t advise waiting months or years to perform that validation.
■ Data lines – You probably don’t even notice the gang that IT hires to run data lines throughout your buildings. They aren’t even “real” vendors, right? Wrong. While I wouldn’t recommend the internal auditor, compliance manager, or risk manager climbing up into ceiling tiles to look at data lines, I definitely recommend that you ensure IT and/or Facilities is doing just that. I’ve heard tales of data lines being left lying in puddles of water near leaking water pipes. I don’t think I need to be a lawyer to say that is a liability you do not want to risk.

My crystal ball predicts that when you start monitoring vendor performance, you will find many balls dropped by even your most trusted vendor. Track these issues! They can be critical when it comes time for contract negotiation (or when you are forced to pull out the checkbook to pay for an error…).
LESSON 3: Credit Dispute Case

Fair Credit Reporting Act (FCRA) and FACT Act provide great protection for consumers who are victims of Identity Theft or who suffer from a financial institution’s poor creditor reporting controls. Those Acts also provide an excellent venue for ill-intentioned consumers to try and “clean up” their credit through the “bury-them-with-paperwork-so-they-just-remove-the-bad-stuff” method. For many credit unions, the volume of unfounded credit disputes is nearly impossible to manage. For that reason, it is common to put quick-fixes in place for credit reporting disputes, which often include cursory review of the account and pre-established form letters for responses. That set up can work without incident for a while – sometimes for a very long while – until it doesn’t. Credit unions need to be careful not to slip into credit dispute complacency.

All Systems Go
Make sure your credit dispute personnel understand exactly how the credit reporting process works and every system/vendor used. (Don’t forget, collection agencies are vendors too!!).
■ How many different systems are involved?
■ Do any vendors report on your behalf?
■ If so, that raises many more questions.
  • Do your processes address how to manage the vendor-related requests? And have you verified those processes against your most recent contract?
  • Who is responsible for answering disputes, you or the vendor?
  • Have you confirmed the vendor is meeting compliance standards?
  • Who is responsible for reporting errors?

Very often contract management is performed by a department outside of the actual credit dispute function. Without proper communication between the functional areas, the employee who has been managing credit disputes for the past 15 years won’t have a clue that the credit union’s obligations have changed. Even if none of your reporting is outsourced to or impacted by a vendor, there could still be multiple systems involved in correcting a reporting error. Make sure you know all the steps required in correcting reporting and that all of those steps are being performed. And it doesn’t hurt to follow up and make sure what you’ve done actually fixed the problem. It may be inconceivable, but the credit bureaus do occasionally make an error…

Measure Twice, Cut Once
Before printing out that form letter, make sure that you’ve covered all of the bases. Each credit dispute is a little bit different, and two or three standard form letters are unlikely to be sufficient to manage the unique circumstances of every dispute. Look over the letters with legal counsel and discuss how they are used. Make sure dispute personnel know when the “special” rules kick in for things like UCC-9 Statements of Account requests or Qualified Written Requests for mortgages. Sometimes the borrower (or his attorney) will bury that important language in the middle of a letter that otherwise looks like it was downloaded from a bad internet site. Don’t just glaze over the letters; make sure you know exactly where the disputes fall and which regulations govern.

Actual Verification, like for real, look at the account
First and foremost, make sure the personnel involved in credit disputes have a good understanding of FCRA and FACT Act. Ask your compliance person to compare the credit dispute procedures to even the minute details of the Acts. Credit unions are famous for “we’ve always done it that way” infractions and often fail to double check to ensure things are happening the way they should. Look under the rug every now and then to make sure there isn’t any dirt. (And I hope it goes without saying – clean up the dirt! Don’t just put the rug back.)
■ Consider creating a checklist so disputes personnel remember all of the critical points of information and where to find them.
■ Make sure credit dispute personnel understand the codes used in the process and how your core system translates those codes into reporting.
■ Don’t get tripped up on the “little” details that might seem to be less important. Getting that last payment date wrong can be just as costly as reporting the wrong number of late payments.
■ Understand how the compliance rules apply to your credit union. Some credit unions are not subject to FDCPA and simply dismiss those requests; however your state may require you to follow similar (or even more stringent) verification requirements.
LESSON 4: The Lessons Never End!

Unfortunately, the examples listed herein came from one or more credit unions that did have to learn the hard way, and there is a whole lot more where that came from. Everyone reading this article could undoubtedly add at least 10 more without breaking a sweat. So how on earth do we stay ahead of the game? Since my crystal ball’s expertise is pretty much limited to predicting vendor pitfalls, there is no easy answer. But there is hope. There is hope because you are a part of this network of professionals who are willing to help. Take the opportunity to talk with others in the credit union industry: auditors, risk professionals, compliancers (oh yes, still working that one), attorneys, and dare I say even vendors. Learn from those who have forged the trail already – whether said forging was elegant and seamless or fraught with disaster and hellfire – there are lessons to learn. Whatever you do, never stop looking under those rugs.
About the Author Tabitha Ernst-Chadwick is the Chief Risk & Compliance Officer for Marine Federal Credit Union. She has over 20 years of experience in the credit union industry, specializing in audit, fraud, security, compliance, and risk and is a long-time member of ACUIA.
BUSINESS EMAIL COMPROMISE SCHEMES HOW TO AVOID BECOMING AN UNWILLING PARTICIPANT SHAUNA WOODY-COUSSENS
A
business email compromise scheme targets a financial institution’s business members. A fraudster may gain access to (compromise) the email account of a business member’s employee and send fraudulent wire transfer instructions directly to the financial institution. Or, the fraudster may compromise or “spoof” the email of the business member’s CEO, CFO or a long-time vendor and send an email to the business member’s accounting personnel instructing them to institute a wire transfer to a new partner or vendor or to a new bank or member account for an existing partner or vendor. The email seems perfectly normal in format and the language is similar, if not identical, to previous emails of the same type.
So, the financial institution sends the wire or the corporate accounting employee instructs the financial institution to send the wire. The problem is, the email came from an outsider, a fraudster.

One of my clients was recently victimized in this manner. It resulted in the organization paying nearly $600,000 of funds owed a legitimate vendor for legitimate services to a fraudulent bank account. The fraudster pretended to be the CEO of a large vendor and emailed my client’s accounts payable employee requesting a change to the vendor’s banking information. My client had no required verification procedures in place, so the change was implemented. A few days later, the legitimate vendor requested a large payment for actual services provided. My client paid the invoice, but the payment went to the fraudulent bank account. In hindsight, there were telling red flags, but unfortunately my client hadn’t trained their employees to look for them.

These types of fraud schemes, which rely on online ploys such as spear phishing, social engineering, identity theft, email spoofing and the use of malware, appear to be on the rise. The FBI indicated that this type of fraud has cost global businesses over $3 billion since 2013.

This fraud can be difficult to defend against, but financial institution personnel can help. Financial Crimes Enforcement Network (FinCEN) Advisory FIN-2016-A003 recommends being on the lookout for:
■ Emailed transaction instructions containing different vernacular or terminology, timing and amounts than previously verified and authenticated transaction instructions.
■ Transaction instructions originating from an email account closely resembling a known member’s email account. Pay attention to small variances like @abc.com versus @abc.net.
■ Emailed transaction instructions direct payment to a previous beneficiary, but the account information has changed.
■ Emailed transaction instructions direct the wire transfer to a foreign financial institution account.
■ Emailed transaction instructions for significant wire amounts to beneficiaries that have not previously received a wire payment from that business member.
■ Emailed transaction instructions that signify the transaction is “secret,” “confidential” or “urgent.”
■ Emailed transaction instructions that leave the financial institution limited time or opportunity to confirm the authenticity of the request.
If you notice potential red flags, multifaceted transaction verification processes can help. Consider verifying the authenticity of the suspicious transaction payment instructions through multiple means. Always rely on your existing contact information for the business member. Never reply to the email address or phone number accompanying the suspicious request. It may take a little extra time to verify suspicious transactions, but it will be time well spent.
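The red flags and the verification rule above can be applied as a screen that runs before a wire is released. The following is an added example, not code from the article or from the FinCEN advisory; it covers five of the listed flags (changes in wording and timing are left to human review). The field names, the 50,000 "significant amount" threshold and the sample requests are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class MemberProfile:
    """What the institution already holds on file for a business member."""
    known_senders: set      # email addresses previously verified for this member
    beneficiaries: dict     # beneficiary name -> account number used on earlier wires
    callback_phone: str     # phone number on file; the only channel used to verify
    home_country: str = "US"


@dataclass
class WireRequest:
    """An emailed wire instruction as received (hypothetical field layout)."""
    sender: str
    beneficiary: str
    account: str
    bank_country: str
    amount: float
    body: str


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender, known_senders):
    """Return the known address that `sender` imitates, or None.

    An exact match is not a lookalike. A near match is either the same
    mailbox and domain name under a different TLD (@abc.com vs @abc.net)
    or an address within two character edits of a known one.
    """
    sender = sender.lower()
    known = {k.lower() for k in known_senders}
    if sender in known:
        return None
    s_local, _, s_domain = sender.rpartition("@")
    for k in sorted(known):
        k_local, _, k_domain = k.rpartition("@")
        stem = k_domain.rpartition(".")[0]          # domain without its TLD
        tld_swap = bool(stem) and s_local == k_local and s_domain.rpartition(".")[0] == stem
        if tld_swap or edit_distance(sender, k) <= 2:
            return k
    return None


def screen(req, profile, significant_amount=50_000.0):
    """Return the red flags raised by one emailed wire instruction."""
    flags = []
    if lookalike_of(req.sender, profile.known_senders):
        flags.append("lookalike_sender")
    on_file = profile.beneficiaries.get(req.beneficiary)
    if on_file is None:
        if req.amount >= significant_amount:
            flags.append("large_wire_to_new_beneficiary")
    elif on_file != req.account:
        flags.append("beneficiary_account_changed")
    if req.bank_country != profile.home_country:
        flags.append("foreign_institution")
    if re.search(r"\b(secret|confidential|urgent)\b", req.body, re.IGNORECASE):
        flags.append("secrecy_or_urgency_language")
    # verify_via always comes from the profile, never from the email itself.
    # An empty flag list does not prove the request is genuine: a fraudster
    # using the member's real, compromised mailbox passes the sender check.
    return {"flags": flags, "hold": bool(flags), "verify_via": profile.callback_phone}


# Constructed sample data (reserved example domains, fictitious names and numbers).
PROFILE = MemberProfile(
    known_senders={"cfo@example.com"},
    beneficiaries={"Acme Supply": "111000111"},
    callback_phone="555-0100",
)
SPOOFED = WireRequest("cfo@example.net", "Acme Supply", "999000999", "US", 48_000.0,
                      "Our bank details changed. Please keep this confidential and wire today.")
ROUTINE = WireRequest("cfo@example.com", "Acme Supply", "111000111", "US", 48_000.0,
                      "Payment for the March invoice.")
NEW_FOREIGN = WireRequest("cfo@example.com", "Northwind Trading", "222000222", "GB", 250_000.0,
                          "First payment to our new partner.")

if __name__ == "__main__":
    for request in (SPOOFED, ROUTINE, NEW_FOREIGN):
        print(request.sender, screen(request, PROFILE))
```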
About the Author Shauna is a managing director in BKD’s Forensic & Valuation Services division. She has more than 20 years of experience performing forensics accounting, dispute analysis and consulting services in the fraud, abuse, complex commercial litigation, class action, merger, acquisition and valuation areas. She has worked in a variety of industries.
experience perspective
BKD National Financial Services Group
FINANCIAL INSTITUTIONS
What are you reflecting on? Improved financial reporting? Strategic planning? Regulatory compliance? BKD helps approximately 1,400 financial institutions across the country with their risk management and internal audit issues. Experience how our expertise can give your institution a better vantage point.
Chad Garber, CPA // Director 317.383.4000 // cgarber@bkd.com bkd.com
GEARING UP FOR NCUA’s 2018 PRIORITIES
SAM CAPUANO, CBA, CRP

An annual tradition for many of us is to see what the NCUA has in store in regard to supervisory priorities for the coming year. NCUA was clearly excited about it this year, as their annual Letters to Credit Unions detailing these priorities came out in December this time, as opposed to the usual January time frame. While that may have been a change, what wasn’t all that different was the primary areas of focus which Letter 17-CU-09 discussed. There were several holdovers from the past: Cybersecurity, BSA, Interest Rate & Liquidity Risk, Commercial Lending, Consumer Compliance and Internal Controls/Fraud Prevention. While these were indeed repeat categories from 2017 (and, for some, they have been repeated over several years), NCUA will have some new areas of focus within the topics. The one new priority this year pertains to Automobile Lending. Let’s take a closer look at all of these.
Cybersecurity Assessment
Cybersecurity controls have seemingly been the most common topic discussed in the Supervisory/Audit Committee meetings I’ve attended over the past 18 months. In both the 2016 and 2017 Priorities Letters, NCUA “encouraged” credit unions to use the FFIEC Cybersecurity Assessment Tool as a means to manage cybersecurity risk, and 2018 is no different. For good measure, in 2018, NCUA will be implementing the Automated Cybersecurity Examination Tool (ACET) in their cybersecurity assessments. They will start with CUs in excess of $1 billion in assets. The NCUA website’s Cybersecurity Resources page continues to be a helpful resource to prepare for all of this.
Bank Secrecy Act Compliance
2018 marks five years in a row for BSA to make the priority list. While last year the focus was on classifying risk at MSBs, 2018 looks to be the year of the Customer Due Diligence regs, 31 CFR 1010.230, which become effective on May 11, 2018. 17-CU-09 notes that examiners will wait until the second half of 2018 to test compliance with this. While not specifically mentioned as a supervisory priority, BSA validations have become a hot topic. At a BSA breakout session during the ACUIA Annual Conference last June, I polled the audience, and roughly half have had it recommended and/or required by the NCUA to have a formal BSA validation. Further discussion with an NCUA examiner at the ACUIA Region 5 meeting last fall reiterated this: required, periodic BSA validations are well on their way to becoming the norm.

Internal Controls and Fraud Prevention
Since 17-CU-09 doesn’t mention too much about this topic, except to say the examiners will continue to evaluate overall controls and fraud, I’ll add risk assessments as a priority. Examiners continue to look for more robust risk assessments to support corresponding audit plans. Anything you can add to your existing assessment going forward just might save you an exam comment.

Interest Rate and Liquidity Risk
In 2017, the new exam procedures contained in Letter 16-CU-08, Revised Interest Rate Risk Supervision, began to be implemented. If you haven’t been examined since then, be prepared for it in 2018. 17-CU-09 further states that liquidity risk management will be more closely scrutinized. On-balance sheet liquidity has become a frequent mention since January 2017. Asset/Liability Management is often challenging; the enclosures included in 16-CU-08 can help meet these challenges.
Automobile Lending
As noted above, this topic is the sole new one for 2018. Be prepared for increased examiner focus on portfolios with concentrations in extended loan maturities over 7 years, high loan-to-value, near-prime or subprime, and indirect lending programs. It’s the latter topic which jumped out to me when I read it. Indirect loans always create additional risk. Two areas to ensure you look at during your audits are controls in place pertaining to field of membership (because the automobile dealers sure won’t care about it), and properly segregating these loan pools from the direct portfolio when assessing the adequacy of the Allowance.

Commercial Lending
The much ballyhooed changes to NCUA Part 723, pertaining to commercial loans, took effect on January 1st of last year. This year’s supervisory priority letter reiterates the NCUA’s focus on reviewing commercial loan policy and processes. Not a surprise, as Part 723.4 contained minimum requirements of policy.

Consumer Compliance
The last topic of supervisory priorities for 2018 is Consumer Compliance. 17-CU-09 makes mention of HMDA, the Military Lending Act and Overdraft Policies as they relate to Regulation E. The dreaded, new HMDA LAR requirements kicked in on January 1, 2018. In reading this Letter, it seems as though the NCUA will cut CUs some slack in this area, assuming there have been “good faith efforts” to comply. As for the Military Lending Act (MLA), its credit card provision took effect in October 2017. While it seems as though most CUs were ready when the majority of the MLA was applicable a year earlier, now would be a good time to verify the credit card issue was properly dealt with as well. Although not mentioned in this Letter, evaluating overall compliance risk still seems to be a hot topic. Supervisory Letter SL 17-01 from March 2017 provided information on the NCUA’s focus in this area, and included a new AIRES questionnaire, along with an updated list of Compliance Risk Indicators.
About the Author Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started their IA function there in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.
Internal and Compliance Audit • External Audit • IT Audit
CONNECT WITH US Tom Giglio, CIA, CFSA— Executive Vice President 315.214.7841 | tgiglio@bonadio.com Samuel Capuano, CBA, CRP—Principal 518.250.7763 | scapuano@bonadio.com
bonadio.com |
Albany | Batavia | Buffalo | East Aurora | Geneva | New York City | Rochester | Rutland | Syracuse | Utica
{ the standards }
Pat Richey, Retired credit union internal auditor

Objectivity
The Interpretation of Standard 1100 requires us to be unbiased and even-handed.

Standard 1100 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that internal auditors must be independent and objective in performing their work. In the last issue of The Audit Report, I discussed independence, which is easy to demonstrate on a credit union organization chart. However, objectivity is not as clear. The Interpretation of Standard 1100 defines objectivity as having an unbiased mental attitude. The Merriam Webster dictionary says that to be unbiased means to be free from all prejudice and favoritism, and to be eminently fair. The interpretation used to include the word impartial, but I suppose impartial and unbiased are redundant. According to dictionaries, other synonyms for unbiased are unprejudiced, neutral, nonpartisan, disinterested, dispassionate, detached, value-free, open-minded, equal, equitable, even-handed, fair, objective, candid, indifferent, just, and square. Merriam Webster says that words related to unbiased include frank, forthright, straight, straightforward, balanced, rational and reasonable. So many words to choose from. I love words [1]. I hope these words describe you.

If a credit union internal auditor does not fit these terms for unbiased, what terms would we use to describe that internal auditor? The auditor would be biased, inequitable, nonobjective, one-sided, partial, unjust, ex parte, and parti pris. (I had to look up the last two - ex parte (one-sided) is used in legal proceedings, and parti pris means a preconceived opinion.)

[1] If you love words like I do, have you read Norman Juster’s “Phantom Tollbooth”? Also, I recommend Merriam Webster’s “Word of the Day” subscription.
Code of Ethics
Objectivity is one of the five principles of the Institute of Internal Auditors (IIA) Code of Ethics. The principle states that internal auditors must have the highest level of professional objectivity in gathering, evaluating and communicating information about the activity being examined; make a balanced assessment of all the relevant circumstances; and not be unduly influenced by their own or others’ interests in forming judgments. The Code of Ethics Rules of Conduct regarding objectivity says that internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the credit union. Internal auditors must not accept anything that may impair or be presumed to impair their professional judgment; and disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
Threats to Objectivity
Standard 1100’s interpretation says that threats to objectivity must be managed at many different levels – the individual auditor, the audit engagement, the audit function, and the credit union. Credit union internal auditors must not subordinate their judgment on audit matters to others, and not make quality compromises.

Early in my career before I was the Chief Audit Executive (CAE), the then-CAE would write an audit report, give a preliminary draft to management, re-write the report, give a 2nd draft to management, re-write the report, give a 3rd draft to management, etc. I got the impression that management was making significant changes to the drafts, and I resolved that when I became a CAE, that would not happen. Write it right the first time. When I wrote an audit report, I gave a draft of the final report to management, before it was formally issued, to ensure that I did not have any factual errors and I asked for management’s comments and suggestions. However, it was very rare that the final published report was in any way different than the draft.

Implementation Guide (IG) 1100 says that the CAE should understand what credit union policies and internal audit activities could hinder or enhance an unbiased mental attitude. For example, does the credit union have standard performance evaluation, compensation, training, and conflict of interest policies for all employees, including internal audit? In the case of internal audit, one size does not fit all. IG 1100 says that performance and compensation practices can significantly and negatively affect the internal auditor’s objectivity, particularly if the internal auditor’s evaluation and remuneration are based on management satisfaction surveys. How satisfied is the credit union manager if the internal auditor reports negative results related to the manager’s area? IG 1120 says that if the auditor’s evaluation is focused on the number of observations or staying within the audit budget, then the auditor may make frivolous observations or ignore avenues of further examination in order to meet evaluation criteria. The CAE, not senior management, should design the internal audit evaluation and compensation system with appropriate measurements that do not impair objectivity.

Internal audit should have policies that address objectivity’s critical importance to the credit union and threats to objectivity. Also, internal auditors should be trained on these concepts. A good training method is case studies. Internal audit can demonstrate conformance with objectivity standards with a policy manual that includes policies on objectivity, conflict of interest, performance evaluations, training records and conflict-of-interest disclosure forms. These policies should explain expectations and requirements for objectivity, and audit workpapers should document the auditors assigned to the engagement.
Conflict of Interest
Standard 1120 states that internal auditors must avoid any conflict of interest, which is a threat to objectivity. The interpretation of this standard says that conflict of interest is when a person who is in a position of trust has a competing professional or personal interest. These conflicting interests make it difficult to be impartial. There is still a conflict of interest even if the internal auditor does not act unethically or improperly. Conflict of interest can undermine the internal auditor’s credibility, and should be avoided.

IG 1120 gives other examples of situations that must be considered. A conflict of interest could arise if the internal auditor has a family member or good friend who works for the credit union. At one time I had a staff auditor who became romantically involved with (and later married) the credit union’s facilities manager. I was very uncomfortable by the turn of events; but the staff auditor resigned shortly thereafter.

I ran into conflict of interest personally. When my daughter was in high school and college, she worked as a teller at the credit union during all her school breaks (she hated teller work but it was easier than looking for a job). In my role of internal auditor, I was not comfortable with my daughter working at the credit union, but in the role of mother I was very happy with her steady employment. However, I had the dilemma of choosing when to schedule that branch audit. Also, that branch had a significant fraud. The Fraud Policy requires that employees immediately notify internal audit of suspected fraud and internal audit is responsible for investigating fraud. However, in this fraud case, operations management did the preliminary investigation to ensure my daughter was not involved before notifying me of the fraud.

Another example of conflict of interest is when internal audit benefits from a program whose purpose and/or expense the internal auditor might otherwise have questioned. For example, what if the credit union provided every C-level executive, including the CAE, with a management retreat on a cruise ship? In the role of auditor, the CAE might have questioned the business reason and stakeholder benefit for the expense, but as a C-level manager the CAE was very happy with the program.

A conflict of interest would include an auditor who discovers that the adjustable rate home equity loan contract does not have a floor rate, and rates are dropping. However, instead of reporting the problem to management so that a new contract could be used going forward, the internal auditor applies for a home equity loan to take advantage of the credit union’s oversight.
Non-Audit Roles
If the CAE is responsible for non-audit roles (which I discussed last quarter under Independence), Standard 1130.A2 says that audits of those functions must be performed by outside parties. However, Standard 1130.A3 says that internal audit can audit a function where it had previously performed consulting services if the consulting work did not impair objectivity, and the CAE manages the individual internal auditor’s objectivity when assigning individuals to the audit.
Impaired Objectivity
Standard 1130 says that IF objectivity is impaired (whether in fact or appearance), the impairment details must be disclosed to the appropriate parties. The type of disclosure depends on the type of impairment and the CAE’s responsibilities to senior management and the board of directors (board). The Standard’s interpretation includes impairments related to scope limitations; restrictions on access to records, personnel and properties; and funding limitations.

IG 1130 says that the CAE should discuss objectivity requirements with senior management and the board of directors, and determine how and to whom impairments are communicated. The CAE should document the results of these discussions in the internal audit policy manual. IG 1130 includes impairments related to self-interest, self-review, familiarity, or bias. Also, impairment includes undue influence – audit plans and results are unjustifiably modified due to the influence of another person, typically a senior manager.

What happens when you write an audit report and management wants you to change the report? Management may not have an impartial and unbiased perspective on the topic. Certainly, there is no reason why internal audit cannot consider management’s perspective, hash out the differences, and come to a compromise on an issue. However, the compromises should not be so significant that the quality of the audit comes into play. Internal audit should objectively assess all opinions and, in the auditor’s professional judgment, determine the opinion that has the most merit. However, the credit union internal auditor should ensure that the judgments are internal audit’s own, and that internal audit is not bending to the will of credit union management.

According to IG 1130, the following are organizational impairments: the CAE executes an audit of a functional area under the CAE’s oversight; the CAE’s supervisor has a broader responsibility than internal audit, and the CAE executes an audit within the supervisor’s responsibility; the CAE does not have direct communication with the board (non-compliance with Standard 1111); and internal audit’s budget precludes internal audit from fulfilling its responsibilities.

The first step for an internal auditor is to discuss the impairment with the auditor’s manager or CAE. IG 1130 says that if there is a perception of impairment, but not a bona fide impairment, the CAE can discuss the concern in engagement planning and/or include the disclosure in the audit report. In the case of a real impairment to objectivity, the CAE should discuss the impairment with the board and senior management to resolve the issue, and determine the best disclosure approach. To demonstrate conformance with Standard 1130, the CAE should retain board meeting minutes and disclosure reports.

One time I contacted the American Bar Association (ABA) because I questioned whether the credit union’s outside counsel had a conflict of interest due to his significant account relationship at the credit union. According to the ABA, there was not a conflict of interest as long as the credit union knew of the account relationship. Disclosure was the key. In my personal conflict of interest example, credit union management and the Supervisory Committee knew of my daughter’s employment at the credit union. Does this make it okay? I don’t think so. Did I do the right thing and forbid my daughter from working at the credit union? No. However, I was relieved when my daughter graduated from college and no longer needed school break employment.
About the Author Pat Richey was Director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ member spotlight }
Michael Moreau
Dian Scott

This issue we’re shining the ACUIA spotlight on Michael Moreau - hard-working, dedicated Region 5 Director, nature lover, proud dad of 2 softball/basketball players who squeezes frequent family trips to the Magic Kingdom into a very busy schedule.

Mike, tell us a bit about yourself (family, sports, hobbies, pets, special interests, etc.)
I live in Berkley, Massachusetts (a beautiful slice of ruralness surrounded by the cities of Southeastern Massachusetts) with my wife and two kids. We spend as much time as we can outside, all year ‘round. If we are not out in the woods someplace, we are likely at one of the kids’ softball or basketball games. We also like to go on vacations to places of historical interest, and of course, the occasional trip to Disney World (truly the happiest place on earth, after Berkley).

Describe your educational background, credentials and any special training.
I have a BS in Accountancy from Bentley College, now Bentley University. I am a Certified Internal Auditor, a Certified Fraud Examiner, and a Certified Financial Services Auditor. I have been fortunate to attend many ACUIA conferences (twelve by my count) and Regional meetings (many) over the years, where the quality of credit union-specific training has been outstanding.

How long have you been involved in auditing?
I have been an internal auditor in financial institutions for almost 29 years. I have been an internal auditor in the credit union industry for almost 25 years. I started out in a large bank, with approximately 40 auditors in my location. When the bank failed, we merged with another bank, with approximately 45 auditors in my location, and approximately 200 auditors throughout the bank’s various locations. After a few years of banking, I left that world and entered the credit union industry.
Over the years you’ve been involved in auditing, how do you think the industry has changed?
When I started as an internal auditor in a bank, all those years ago, internal auditing was not a career. At the bank, you were expected to stay in the internal audit department for a couple of years, learn about internal controls, then find a position elsewhere within the bank, and apply the internal control concepts you learned into your new position. Here I am, almost 30 years later, and still haven’t found an area I think I would like better. Now, the internal audit department is a critical piece of the credit union’s puzzle, and longevity brings an experience and knowledge base that only comes with experience. We’ve gone from Internal Audit being a stepping stone to Internal Audit being a career.

What have you found to be the most useful tools in streamlining audit processes?
Electronics – email, secure uploads, electronic workpapers. I remember the day (now I sound old) where all work was done on paper (exceptions marked in red pencil, first review sign offs in blue pencil, final review sign offs in green pencil). Someone had a question, or needed to see what was done, you had to go to the log, find out where the binders were, then go get them. Maybe find out that the work was misfiled, or someone took them without signing them out, or that the log was wrong. Was the audit completed too long ago for onsite storage – fill out the form, and request the workpapers from archives. Oh, and be prepared to justify the bill for the retrieval. Just to find out what you were looking for isn’t where you thought it would be. Well, you could just call the person, and see if they remember. Oh, they’re offsite, with no access to their voicemail? Yikes. Now, someone has a question, you can immediately call up the work and take a look, even if someone is working remotely. Auditors are available by cell phone, email, and text. Scanning is much quicker than running things through the copy machine, indexing the pages, etc. And maybe the biggest benefit of electronic work? No more trying to decipher my chicken scratching on a handwritten workpaper!
What are the major challenges you feel the industry faces today?
Where to start. Regulations that don’t keep up with the times/current environment. It’s hard to convince someone that a certain procedure needs to be done when a reg is outdated. Fraud is always a concern – there are people out there just trying to separate members from their money. A related challenge is that members, when embracing new technology, sometimes don’t read the fine print and implement the recommendations. Passwords have been around most, if not all, of my professional career – but how many unsecured passwords (cleverly hidden under the keyboard) do we hear about? How many reports to credit unions from members claiming unauthorized activity tell us they gave their credentials to someone they knew (or worse – someone they didn’t know!!!)?
What advice would you give to a new auditor just entering the field?
Learn everything you can. Ask a lot of questions. Listen and remember. Become active in a professional group (preferably ACUIA). Try to give at least as much help as you ask for. Don’t play gotcha – internal auditors are independent, but are also partners with the folks they audit. Explain your reasoning, and work with the department to help.

When did you become a member of ACUIA?
I first joined ACUIA around 1995-1996. I attended my first annual conference in 1996 in New Orleans. I have been able to have varying levels of involvement and activity through my job changes, but now I am able to be pretty active. I was the Annual Conference Chair in 2015 for the Boston Conference, and have been the Region 5 Director for a few years now.
What ACUIA membership benefits do you find most rewarding?
When I first joined ACUIA, I had just started the internal audit department at my credit union. One person – just me. No one to answer my questions. No one to bounce things off of. So I joined, hoping to gain some knowledge on topics of importance to me. I got all of that, and more. I met some great people (I still periodically talk to someone I met at that New Orleans conference!!). Now, when I go to an ACUIA event, sure, I look forward to learning something new, but I also look forward to seeing the friends I have made over the years.

What type of background/experience do you look for in your staff auditors to enhance a well-rounded department?
We look for inquisitive people. Those with that professional skepticism that is so important in our jobs. Don’t be afraid of someone because they don’t have a business background. Some of the best auditors I have worked with over the years had non-business degrees – people with varied backgrounds look at things differently, and that can only be a good thing in internal auditing.

Mike, thank you for sharing a glimpse of your active, interesting life with us.
TeamMate+ The future is here
TeamMate+ is a fully configurable, web-based internal audit platform that seamlessly consolidates and reports issues and risks for management action.
Learn more at TeamMateSolutions.com/Plus Copyright © 2017 Wolters Kluwer Financial Services, Inc. 10238
{ the standards { regional news } } Pat Richey, Retired
1
Julie Wilson, Director Director Internal Audit, iQ CU 360.992.4233 juliew@iqcu.com We’re doing something different for our Spring, 2018, Region One meeting. We’re headed north to Alaska! Our Alaska members are rarely able to join our regional meetings. So, we’re taking the meeting to them. The dates are Thursday-Friday, May 24-25, just before Memorial Day weekend. This will enable everyone to enjoy the sights, charter out for fishing or just enjoy the spectacular beauty of the state. Denali Credit Union will host the 2-day event. We are currently developing the agenda. It promises to be jam-packed, with exciting discussions by excellent speakers. Would love to have you join us. Look for more information on www.acuia.org, coming soon.
2
Tom Cosby, Director
Vice President Internal Auditing Crane Credit Union (812) 863-7000 ext 7142 tcosby@cranecu.org The Indiana chapter members participated in a quarterly roundtable on Feb. 15th. The Illinois chapter will be having its quarterly meeting on March 16th.
Open
Introducing your new Region 2 Director, Andrea Muñoz Andrea is a Senior Staff Auditor at First Tech Federal Credit Union. She has worked with First Tech for almost ten years and has 18 years in the finance industry. Her career began in the branch, as a teller, but she has advanced into management roles and Internal Audit. She holds numerous certifications, and recently earned her CCUIA Certified Credit Internal Auditor certification. In recent years, she championed First Tech’s Branch Audit, visiting 30 of the 40 branches each year while also conducting a branch risk assessment. Andrea spends much of her spare time enjoying the many activities her children participate in. The family also loves taking road trips to the baseball parks of America.
ACUIA NEEDS YOU! This position is still open. Please contact a member of the ACUIA Board if you are interested in volunteering.
5
REGION
Michael P. Moreau, CIA, CFE, CFSA, Director
MACPAGE LLC
225 Cedar Hill St., #200
Marlborough, MA 01752
800-339-5701
978-760-0195 - cell

Greetings from Region 5. We are still in the process of getting our new chapter up and running. Watch your emails for news as it happens. We recently surveyed our membership, and are in the early planning stages of the 2018 Region 5 meeting, which will be held Mon.–Tues., Oct. 1–2, 2018, at CapCOM, in Albany, NY.
REGION
6
Jason Alexander, CIA, MBA, CICA, Director
Director of Internal Audit
LGE Community Credit Union
770-421-2579
jasona@LGEccu.org

No news to report.
4
REGION
REGION
Andrea Munoz, Director
Internal Audit, Senior Staff Auditor
First Tech Federal Credit Union
916.660.4255
andrea.munoz@firsttechfed.com
3
REGION
REGION
{ region directors }
1
REGION
REGION
Julie Wilson juliew@iqcu.com
3
5
REGION
Tom Cosby tcosby@cranecu.org
2
REGION
REGION
Andrea Munoz andrea.munoz@firsttechfed.com
Michael P. Moreau, CIA, CFE, CFSA MPM@macpage.com
4
REGION
6
Jason Alexander, CIA, CICA jasona@lgeccu.org
VOLUNTEER NEEDED!
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.
REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER
Terry Robbins trobbins@mapscu.com
REGION 2
ARIZONA CHAPTER
Jason Garlutzo Jason.Garlutzo@azstcu.org
rtorres@CreditUnion1.org
INDIANA CHAPTER
Tom Cosby tcosby@cranecu.org
MINNESOTA CHAPTER
VOLUNTEER NEEDED!
UTAH CHAPTER
IOWA CHAPTER
REGION 3
ILLINOIS CHAPTER
Rick Torres
David Caster dcaster@firstcommunity.com
MICHIGAN CHAPTER
VOLUNTEER NEEDED!
Nikki Ige Nige@kcfcu.org
ST. LOUIS CHAPTER
REGION 5
CALIFORNIA CHAPTER
HAWAII CHAPTER
VOLUNTEER NEEDED!
Ashley Shrode Ashley.Shrode@thrivent.com
Kathleen Schaefer Kathleen.Schaefer@elgacu.com
Randy Manscill, CIA, CFE, CFSA rmanscill@americafirst.com
NORTH TEXAS CHAPTER
NEW YORK CITY CHAPTER
WISCONSIN CHAPTER
GEORGIA CHAPTER
ARKANSAS CHAPTER
Patrick McCollough pmccollough@AFCU.org
SOUTH CAROLINA CHAPTER
Tammy Farmer tammyf@scscu.com
TENNESSEE CHAPTER
Michelle Clark, CUCU mclarck@ecu.org
ALABAMA CHAPTER
Adrienne Breckenridge, CPA abreckenridge@avadiancu.com
REGION 4
NORTH CAROLINA CHAPTER
VOLUNTEER NEEDED!
REGION 6
Brittany Metz brittanymetz@uiccu.org
Karla Hodgkins khodgkin@Covantagecu.org
VOLUNTEER NEEDED!
FLORIDA CHAPTER
Lourdes Camacho lourdesc@sccu.com
MARYLAND CHAPTER
Nikki Torres nichele.torres@towerfcu.org
{ acuia select }
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.
ns to ACUIA
dit union audit professionals. PLATINUM
nsibilities and internal control objectives by providing:
eviews n Certified ACH Audits n Bank Secrecy Act nding Programs n Branch and Operational Audits source and Payroll Reviews n Assistance with Risk tatement Audits
GOLD
Certified Public Accountants & Consultants
SILVER
TeamMate BRONZE
dly serving credit unions throughout the Mid-Atlantic region. mation about PBMares, visit us online at www.pbmares.com.
MOSSADAMS.COM/CU
PROSPERITY RISES IN THE WEST
Backed by decades of experience serving credit unions, our professionals are committed to helping you grow your business with industry-smart assurance, tax, and consulting services. We invite you to discover how Moss Adams is helping financial institutions thrive.
RISE WITH THE WEST.
Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.
LAKE WENATCHEE, WA
6:44 AM PDT
ASSURANCE | TAX | IT CONSULTING | STRATEGY & OPERATIONS | TRANSACTIONS | WEALTH MANAGEMENT
MOVE OVER TICK MARKS
Audit management is better with data automation
ACL EBOOK
Automate data to uncover the risks that matter most in a single lens across your organization
Death of the Tick Mark: How data automation can put an end to manual processes
Download at acl.com/clicks-not-ticks »