Volume 27, Issue 2, 2018
The Magazine of the Association of Credit Union Internal Auditors, Inc.
ESTIMATING CREDIT LOSS
MONITOR YOUR RISKS: THE SEVEN TYPES YOU’LL FACE
UBI AND THE IRS: ARE YOU REPORTING EVERYTHING YOU SHOULD?
ACH FRAUD: WHAT TO LOOK FOR AND HOW TO STOP IT
MORTGAGE DISCLOSURE: THE CHANGES YOU’VE BEEN DREADING
{ contents }

FEATURES
We’re Trying Not to Lose It: The FASB Update will change how financial institutions account for estimated credit losses. Gabe Nachand, CPA, and John Donohue, CPA
Monitor Your Risks: In many ways, managing a credit union is just like flying a plane. Randy C. Thompson, Ph.D.
Making the Case for John: Do you know your members?
ACH Fraud Schemes 101: How to detect and how to prevent. Jennifer Hoskins
UBI: What is it and why should you care? Michael Summers and Nicole Fishback
HMDA Changes: The changes to the regulations, dreaded by many, have kicked in. Sam Capuano, CBA, CRP

DEPARTMENTS
From the Editor: Summer Fun in Chicago. Dian Scott
Chairman’s Message: ACUIA Is a Team Effort. John Gallagher
The Standards: Proficiency and Due Professional Care. Pat Richey
Member Spotlight: Gayle Gines
Regional News
Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Dian Scott Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 332 Commerce St., Suite 100, Alexandria, VA 22314, (703) 688-2284
© Copyright 2018, ACUIA. All rights reserved.
{ from the editor }
Summer Fun in Chicago Dian Scott
Chicago’s calling! Pack your bags! Be prepared to have fun!
Hi, dear hearts. Hope you’re all enjoying this milder weather after the dreary days lately. Now it’s time to delight in Spring, and of course, baseball. We can all look forward to lots and lots of baseball smiles.

There are several regular features missing in this issue, due to the fact that several of our authors were having health issues and were unable to submit anything this time. Not to worry, though. Everyone is recovering nicely.

We are very pleased to have Dr. Randy Thompson, Ph.D., as a featured speaker at the conference in Chicago. You don’t want to miss meeting this fascinating globe-trotting speaker and trainer, private pilot, avid gardener, and doting father of 12 and grandfather to 25. Dr. Robertson is also the CEO and Founder of TCT Risk Solutions. Be sure to register for his sessions in Chicago. You’ll be so glad you did.

Warm regards,
Dian Scott
Dilanto166@gmail.com
301-774-6484

2018 Board of Directors
Chair: John Gallagher, CUERME, SEFCU, (518)-464-5245, jgallagh@sefcu.com, Term 2016–2019
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2017–2020
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2017–2020
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dwsenson2@wingsfinancial.com, Term 2015–2018
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2015–2018
Director: Doug Wright, CPA, CFE, CUCE, BSACS, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2016–2019
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2015–2018
Associate Director: Tabitha Ernst-Chadwick, Marine FCU, (910) 355-5611, TErnst@marinefederal.org
Associate Director: Tara Tocco, Hughes FCU, (520) 205-5744, TTocco@hughesfcu.org

ACUIA executive office
332 Commerce St., Suite 100, Alexandria, VA 22314
(703) 688-2284
acuia@acuia.org
www.acuia.org | THE AUDIT REPORT
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
{ chairman’s message }
ACUIA Is a Team Effort John Gallagher
I am grateful to all the members who contribute to the growth of our organization.
Hard to believe that as I am writing this message our signature education event, the Annual Conference in Chicago, is just around the corner. Of course by the time you are reading this that too will have come and gone. Really is funny how fast time seems to slip us by. I am happy to report that not all is lost and ACUIA is continuing to expand in terms of members, educational offerings, chapters, and internal audit resources. This year’s conference in Chicago is nearing record attendance figures and the corresponding session offerings are being expanded to include specific sessions and course offerings for credit union risk management professionals. While just getting organized, ACUIA is positioned to provide the same level and quality of resources to these professionals as we have done for internal audit professionals for almost 30 years. And yes, while their view
and focus within the credit union is somewhat different than that of internal audit, it is believed that strong and effective collaboration between these individuals will prove beneficial to our members, ACUIA, and the individual credit unions. We look forward to welcoming more risk professionals into ACUIA. We have seen significant growth in the number of regional chapters over the past year and I for one am thrilled to see the involvement of our membership at the chapter level. It is evidence that our members want more educational and networking opportunities provided through ACUIA. I thank all of the chapter coordinators for their willingness to accept a volunteer leadership position as, without you, ACUIA would not be able to connect with some of our members. Keep up the good work! I would be remiss if I didn’t also give a shout out to the Regional Directors as well.
UPCOMING EVENTS
For complete details go to www.acuia.org/calendar
JUNE 2018
19–22 ACUIA Annual Conference & One Day Seminar
JULY 2018
25 Cyber Security Webinar
AUGUST 2018
15 ACUIA Webinar – Continuous Monitoring
OCTOBER 2018
1–2 Region 5 Meeting – Albany, NY
3–5 Region 3 Meeting – Eau Claire, WI
8–11 ACUIA / CUNA CCUIA Certification School
Having served in that capacity in the past I realize it is no easy task. However, you all seem to perform flawlessly and are a big reason for ACUIA’s continued growth and success.

In March, we completed our fourth joint internal audit certification program, in conjunction with CUNA to a more than sold out crowd. I am proud to report that we now have over 300 individuals who have been awarded the CCUIA (Certified Credit Union Internal Auditor) designation. I truly believe that this program has raised awareness as to the importance of credit union internal auditors as a recognized profession. The next program will be offered in October 2018, which will again be held in Tempe, Arizona. I will also note that beginning in 2019, this program will only be offered in the Spring (March) of each year. So I encourage everyone who is interested to consider joining those who have received their CCUIA designation and attend an upcoming program.

Lastly, on behalf of myself and all the Board members, we extend the happiest of retirement wishes to our friend and colleague, Randy Manscill, who retired from America First Credit Union earlier this year. I personally looked up to Randy and considered him a role model for his volunteerism and leadership of ACUIA. I will miss seeing him at our annual conferences.
WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Dian Scott at acuia@acuia.org to learn more.
WE’RE TRYING NOT TO LOSE IT
THE FASB UPDATE WILL CHANGE HOW FINANCIAL INSTITUTIONS ACCOUNT FOR ESTIMATED CREDIT LOSSES
GABE NACHAND, CPA, AND JOHN DONOHUE, CPA
MOSS ADAMS

The Current Expected Credit Loss (CECL) standard remains a hot topic for financial institutions—even two years after its release by the Financial Accounting Standards Board (FASB). The standard has impacted, and will continue to impact, entire institutions—not only the accountants. Specifically, loan officers, internal auditors, chief credit officers, and IT personnel can expect an increased workload as a result of the new standard.

Some of the new standard’s key conceptual changes include:
■■ Removing the probable and incurred loss recognition thresholds used to estimate the allowance for credit losses today, effectively doing away with existing practices for determining the allowance for credit losses
■■ Basing loss estimates on lifetime expected credit losses
■■ Requiring that determination of lifetime credit loss estimates using past and current events be supplemented with reasonable and supportable expectations about the future
These changes fundamentally alter the way financial institutions will account for estimated credit losses on not only their loans, but also debt securities. With nonpublic financial institutions scheduled to adopt the standard in 2021, implementation activities have seen a significant increase.

Why Does This Matter to You?
The allowance for credit losses is the most significant estimate at virtually every financial institution. Identifying and evidencing controls around such a complex estimate has always been challenging. Adding further complexity to an already-challenging estimate is certain to challenge internal audit departments even further. In addition to considering the steady state of the needed controls, institutions will need to make sure that the adoption process has strong governance principles and controls. That’s likely to bring internal audit into the implementation process and spill over to employees who historically have had limited-to-no involvement in the allowance estimation process. The following examples address how internal audit will need to monitor CECL adoption activities.

Internal Auditors & Data Accuracy Expectations
Auditors, along with regulators, are likely to push for increased rigor with regard to model validation as complexities arise within the CECL models. Institutions also may stratify, segment, or group loan portfolios by loan type as well as origination year, maturity date, and numerous other factors. Segmenting the portfolio will be heavily reliant on system data, making data accuracy and integrity more important. Having an inaccurate origination date, maturity date, interest rate, or collateral value in the system today probably won’t significantly impact your allowance estimate, if at all. However, calculations of future allowance estimates will likely utilize this data and become more complex once the standard takes effect.
Controls to ensure accuracy, proper updating, and security of the data will take on increased importance, as well as a renewed focus on validating the data itself. Budgeting and forecasting will inevitably become more complex and expectations on what constitutes reasonable and supportable assumptions will be subject to greater scrutiny—and audit.

Designing Appropriate Internal Controls
In assessing the design of internal controls over CECL, the internal auditor will need to understand the judgments made about model selection, necessary data for the model, and similar considerations. For example, if management adopts a CECL methodology that’s heavily based on cash flows, those closest to the customer—the loan officers—will inevitably be involved in forecasting loan-level cash flows, and controls will need to be put into place around the estimate. In contrast, if this were a more homogenous portfolio—where the focus of the model is historical loss, age, and economic data—management would identify a different set of controls to address the risks of material misstatement.

Reasonable and Supportable Forecasts
The larger the institution, the greater the expectation will be that all the underlying loan data is appropriately maintained to determine correlation to predictive internal data or external economic data. In the simplest example, an institution could apply a CECL methodology that analyzes historical national unemployment rates and correlates losses in a particular portfolio segment to those rates. As a result, the institution would be able to make a reasonable prediction about
loss rates in the future for that segment based on the losses experienced in the past and on forecasted unemployment. Practically speaking, though, an institution would really need to correlate more than just the single factor used in this example for statistical accuracy and also make adjustments for borrower-specific considerations. In this example, having an appropriate control environment and governance structure is critical to helping ensure an institution correctly vets alternative approaches. It also helps promote appropriate use of economic and other data.

Loan Production
The expected enhancements to portfolio segmentation in determining the allowance will also inevitably impact loan production. If a specific loan segment is performing poorly, it will likely have a higher forecasted expected loss rate, absent specifically supported adjustments. That means you’ll need additional incremental reserves relative to the rest of the portfolio every time you book a loan in that segment.

Next Steps
If your financial institution hasn’t yet had the CECL implementation discussion, open a dialogue with those typically charged with adopting new accounting standards and determine if an implementation team has been established to address CECL’s far-reaching impacts. If not, suggest one be formed. Internal audit’s involvement with the implementation team will facilitate adoption of strong controls early in the process. If your team is still working on assembling its CECL plan, start by focusing on data—internal and external. Next, educate yourselves on the requirements of the standard and talk with peers about their plans. Effective communication between the right parties can help you get in front of the implementation process.
Here are some practical first steps for the implementation team:
■■ Preserve your loan data
■■ Develop a formal loan information management process
■■ Identify what data can be recovered quickly and economically
■■ Determine missing data and the cost of acquiring it
■■ Enhance understanding of collateral values and credit scores data as well as your ability to archive and update it in your system
■■ Improve the quality of guarantor data
■■ Understand which systems your data interfaces with
■■ Accumulate historical and forecasted national economic data (unemployment rate, treasury rates, or consumer price index, for example) to correlate to historical losses for forecasting purposes

Adjusting to the CECL standard will require collaboration. Accountants will have a good understanding of when the standard will need to be implemented and of the new accounting and disclosure requirements. Credit risk management should be thinking about modeling options and portfolio risk management. Both of those groups of people will likely benefit from collaborating with individuals who have intimate knowledge of the following:
■■ Loans
■■ Customer operations supporting repayment of the loan
■■ Guarantors
■■ Loan data—inside and outside of the system

Internal audit should move in lockstep with these constituents to provide key insights and help financial institutions navigate one of the most significant accounting changes in recent history.
About the Authors
Gabe Nachand has been auditing and consulting with financial institutions for over 20 years. He specializes in credit review and allowance methodologies. Gabe can be reached at (503) 471-1277 or gabe.nachand@mossadams.com.

John Donohue specializes in auditing and consulting for public and private companies in a variety of industries. He also works with clients and engagement teams on multiple technical auditing and accounting matters. John can be reached at 503-478-2157 or john.donohue@mossadams.com.

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.
MONITOR YOUR RISKS
RANDY C. THOMPSON, PH.D.

For as long as I can remember, I have dreamed of being able to fly. This is a dream that is shared by many people of all ages. In 1986, I had the opportunity to make that dream come true as I enrolled in a flight course at the Ogden, Utah municipal airport. Climbing in the left seat of the two-seat Piper Tomahawk, I listened to my instructor in the right seat tell of all the risks associated with flying, and the most effective ways of controlling each risk.

I learned that a plane has a dashboard with six key instruments that monitor indicators that affect flight safety. The altimeter tells you the plane is high enough, the speed indicator tells you the plane is going fast enough to create lift and keep you in the air, and other indicators tell you if the plane is flying level, if it is flying straight and if you have sufficient fuel. In the air these six indicators are your lifeline to safety. Every pilot knows that a safe take-off, flight and landing requires the pilot to constantly monitor all six indicators from engine on to engine off. Failure to keep all six indicators in healthy ranges can lead to a crash. For example, a plane can be flying level and straight but lose airspeed, stall and fall from the sky.

In many ways, managing a credit union is much like flying a plane. Credit unions are complex systems that are affected by multiple types of risk. Understanding each type of risk and how to manage each one is critical to keep your credit union flying safely while protecting your members.

Each day credit unions are faced by seven distinct types of risk. They are:
■■ Credit Risk – the risk of non-repayment where your credit union invests or loans funds.
■■ Interest Rate Risk – the risk that your credit union won’t adequately manage changes in market rates to maintain an appropriate net interest margin.
■■ Liquidity Risk – the risk your credit union won’t be able to liquidate assets quickly and with minimal loss in value to meet your obligations.
■■ Transaction Risk – the risk that fraud or errors will cause a loss to your credit union. This risk is a function of internal controls, information systems, employee integrity, and operating processes.
■■ Compliance Risk – the risk that failure to comply with laws and regulations, prudent ethical standards, and contractual obligations will harm your credit union.
■■ Strategic Risk – the risk that poor business decisions or improper implementation of strategic goals will reduce your credit union’s earnings and net worth.
■■ Reputation Risk – the risk that your credit union’s public image will be tarnished, due to improper actions on the part of officials, management, or staff.

These seven risk types combine to create the risk environment that credit unions must manage. The term most commonly used to address the composite risk picture is Enterprise Risk Management (ERM). In order to keep your credit union flying, you must implement a comprehensive ERM program that helps you maintain a constant focus on each risk component, just as pilots monitor each dashboard indicator during flight. Over the next several issues we will provide articles that address each of the specific risk types listed above, and discuss best practices for staying focused and implementing a full-view ERM program that works.

MAKING THE CASE FOR JOHN
DO YOU KNOW YOUR MEMBERS?
Randy Thompson

After graduating from college, I was hired as a teacher at Bonneville High School in Ogden, Utah. On my first day in school I passed by the office and saw a sign on one of the desks that read: “Don’t lend money to family or friends. It causes them to get amnesia”. This humorous saying provides a down-to-earth description of what we call Credit Risk. When we extend money in the form of a loan to a member we need to make sure they remember to pay the money back. Credit risk management is the combination of tools and skills credit unions employ to assure that member loans are paid back as agreed.

Credit Risk Management may be divided into two specific sets of tools and procedures: (1) Underwriting and (2) Portfolio Management. All credit unions employ underwriting guidelines to support the decision to approve and fund a loan. Many credit union lending policies focus on the guidelines for making prime loans. However, in Guidance Letter 174, NCUA emphasizes the importance of creating clear “parameters” guiding the extension of loans to members from all credit ranges. In response to this guidance several credit unions have created what we call decision trees that detail specific underwriting guidelines for both prime and non-prime loans. These guidelines help a lender create an opinion as to whether the member has the ability and will remember to pay the loan back.

Members who borrow from the credit union have every intention of repaying the loan. Unfortunately, situations may change for members in ways that reduce or increase their ability to pay. Monitoring and responding to these changes is the other half of credit risk management. To better understand this point let me introduce four sample members.

Ruth is a long-term member with a stable life-style and consistent habits. She takes few, well calculated risks and for this reason her credit condition remains fairly constant over many years.

Henry is also a long-term member who uses multiple credit union services. He has maintained a prime credit standing but recently had a financial setback and his credit standing plunged from A to D.

Liz is a credit “newbie”. She recently obtained her first career job and her first car loan from the credit union. Over the next year she is careful with payments and credit and builds an A+ credit score.

John has been through some real tough times, losing his job and seeing his credit score drop to a D. He worked hard to learn new skills and obtain a new job. He obtained a car loan from the credit union and paid it back as expected. He also repaired his credit by clearing old debts. His credit score is now an A.

These four individuals represent all the borrowers at a credit union. So, why should you care to know about Henry and John? Henry accounts for 60%-80% of all loan losses. On the other hand, John becomes the most loyal and low risk of all your members. The key to portfolio management is to identify each group early on and take appropriate action to minimize loss from Henry and increase loans and services to Liz and John. Credit Migration is the most powerful way to manage the risk in a credit union’s loan portfolio and know your members. Coupling tiered decisioning with credit migration has helped many credit unions lend deeper, lend more efficiently and lend more profitably. Could it do the same for your credit union?

About the Author
Randy C. Thompson, Ph.D., is the CEO and founder of TCT Risk Solutions LLC, a CUSO. He has consulted with credit unions for the past 32 years. He holds advanced degrees (Ph.D. and MS) in Finance, Statistics, Economics and Public Health and taught graduate courses in finance and statistics at several universities in the western United States. He has been a frequent speaker at League and Association meetings across the United States and has authored papers and articles for Credit Union trade journals and for the New Jersey Credit Union League, California/Nevada Credit Union League, CU Times and CU Business trade magazines. He is the creator of TCT Suite of products including risk based pricing, deposit pricing, Credit Migration with ALLL, and the CostPro Earnings at Risk ALM Simulation Model.
ACH FRAUD SCHEMES 101
HOW TO DETECT AND HOW TO PREVENT
JENNIFER HOSKINS

As consumers and businesses move to more electronic payments due to ease and quickness, an increase in ACH (Automated Clearing House) fraud can be expected. ACH fraud is easy to perpetrate since only two pieces of information are needed to generate an ACH: the routing number of the credit union and the account number at that credit union. Since credit union routing numbers are easily found on the internet, a fraudster only needs to know the credit union name and the account number of the target account to commit ACH fraud. ACH fraud schemes can be perpetrated by either an external fraudster or an insider at a credit union.

External Frauds
Criminals can obtain this information easily through phone scams or phishing attacks. Phishing is the attempt to acquire sensitive information such as usernames, passwords, and account or credit card information, by masquerading as a trustworthy entity in an electronic communication. Once this information is obtained the fraudster uses it to initiate payments for purchases or funds transfers.

One of the most common schemes, especially at the beginning of each year, is an email that appears to be from the Internal Revenue Service (IRS). This email states the person or entity owes the IRS money and must settle the account immediately. This tactic scares the person into giving their bank account information to the fraudster and thus the account gets compromised.

Another common scheme is consumers receiving an email that they believe is from their credit union with a link. Once the link is clicked, the person has unknowingly installed malware onto their computer that is logging every keystroke. The fraudsters then wait to capture online credit union login information and utilize that to send out fraudulent ACH payments.

Internal Frauds
An employee with access to the ACH edit files can steal funds by any of the following:
■■ Modifying the ACH edit file by adding a fictitious credit entry prior to posting
■■ Creating a fictitious ACH edit file and posting it
■■ Modifying the account numbers in the ACH edit file, prior to posting

The employee may either have access to the account where they have placed the funds or have a relative or friend withdraw the funds for them. This internal ACH fraud can go undetected for a very long period without timely reconciliation procedures.

In a second scheme, an employee with access to initiate an ACH origination file adds fraudulent entries debiting another account at another credit union or bank and places the money in an account at the credit union where they are employed. The employee may either have access to the account where they have placed the funds or have a relative or friend withdraw the funds for them. This internal ACH fraud would only be found by the timely review of the account activity by the victim of the fraud at the other credit union or bank.

Consumers, businesses, and credit unions can help protect themselves from ACH fraud by shredding used checks and other documents with the credit union’s name and account number on them, reviewing account activity frequently, reconciling accounts frequently, using strong passwords and changing them often. Credit unions can help prevent ACH fraud by restricting access to computers that are used for originating ACH files, reconciling their ACH settlements daily, and having segregation of duties between posting ACH files and reconciling the settlement accounts.

Failing to monitor ACH activity can be costly both for the customer as well as the credit union. There have been cases of customers suing their financial institution as well as the financial institution suing their customers for lost funds due to fraudulent ACH activity. Thus, it is everyone’s responsibility to help prevent and detect ACH fraud.
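The daily reconciliation described above can be sketched as a comparison between the file as received and the entries actually posted. This is an added example, not code from the article or from any core system; the record layout, trace numbers, account numbers and settlement figure are constructed for illustration.

```python
"""Reconcile a received ACH file against the entries that were posted.

Added illustration. Entry fields and all sample values are constructed;
a real reconciliation would load them from the received file, the core
system's posting journal and the settlement advice.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    trace: str       # trace number identifying the entry (assumed unique)
    account: str     # member account the entry is posted to
    kind: str        # "credit" or "debit"
    amount: Decimal


def net_amount(entries):
    """Credits minus debits for a list of entries."""
    total = Decimal("0")
    for e in entries:
        total += e.amount if e.kind == "credit" else -e.amount
    return total


def reconcile(received, posted, settlement_net):
    """Return a list of (code, trace, detail) findings; empty means clean."""
    findings = []
    by_trace = {e.trace: e for e in received}

    # The same trace posted more than once.
    for trace, n in sorted(Counter(e.trace for e in posted).items()):
        if n > 1:
            findings.append(("DUPLICATE_TRACE", trace, f"posted {n} times"))

    matched = set()
    for p in posted:
        src = by_trace.get(p.trace)
        if src is None:
            # Fictitious entry added before posting, or a fictitious file.
            findings.append(("ADDED_ENTRY", p.trace,
                             f"{p.kind} {p.amount} to {p.account}"))
            continue
        matched.add(p.trace)
        if p.account != src.account:
            # Account number changed before posting: totals still balance.
            findings.append(("ACCOUNT_CHANGED", p.trace,
                             f"{src.account} -> {p.account}"))
        if p.amount != src.amount or p.kind != src.kind:
            findings.append(("AMOUNT_CHANGED", p.trace,
                             f"{src.kind} {src.amount} -> {p.kind} {p.amount}"))

    for trace in sorted(set(by_trace) - matched):
        findings.append(("NOT_POSTED", trace, "in received file only"))

    posted_net = net_amount(posted)
    if posted_net != settlement_net:
        findings.append(("SETTLEMENT_MISMATCH", "",
                         f"posted {posted_net}, settled {settlement_net}"))
    return findings


# Constructed sample data.
RECEIVED = [
    Entry("T0001", "1001", "credit", Decimal("1500.00")),
    Entry("T0002", "1002", "credit", Decimal("820.50")),
    Entry("T0003", "1003", "debit", Decimal("200.00")),
]
SETTLEMENT_NET = Decimal("2120.50")

# Scheme 1: a fictitious credit entry added prior to posting.
POSTED_ADDED = RECEIVED + [Entry("T9999", "7777", "credit", Decimal("950.00"))]

# Scheme 3: an account number changed prior to posting.
POSTED_REDIRECTED = [
    RECEIVED[0],
    Entry("T0002", "7777", "credit", Decimal("820.50")),
    RECEIVED[2],
]

if __name__ == "__main__":
    for label, posted in (("added entry", POSTED_ADDED),
                          ("redirected entry", POSTED_REDIRECTED)):
        print(label)
        for finding in reconcile(RECEIVED, posted, SETTLEMENT_NET):
            print("  ", finding)
```

The redirected-entry case balances to the settlement total, so only the entry-level comparison catches it. For that comparison to mean anything, the person running it should not be the person who posted the file, which is the segregation of duties the article calls for.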
About the Author
Jennifer Hoskins has been a Partner with Nearman, Maynard and Vallez since receiving her Master’s degree in 1994. She is the firm’s network administrator and develops new services to meet client requirements. Jennifer conducts training for her peers on new accounting pronouncements. She also is responsible for training Board and volunteer members and has been a speaker at Credit Union conferences and workshops.
WHAT IS IT AND WHY SHOULD YOU CARE?
MICHAEL SUMMERS AND NICOLE FISHBACK
State-chartered credit unions (SCCU) are exempt under Internal Revenue Code (IRC) Section 501(c)(14)(A) from income taxes on their net exempt income. As exempt organizations, they must file a Form 990 each year to report their activity. SCCUs also need to consider whether they need to file a Form 990-T to report unrelated business income (UBI). The IRS has been scrutinizing the activities of tax-exempt organizations lately, especially in the area of unrelated business income tax (UBIT).
SCCUs not currently reporting any UBI on Form 990-T and applicable state tax return(s) are at risk of incurring penalties from the IRS and applicable states for all prior taxable years as well as potentially failing to report any uncertain tax positions on the audited financial statements.

UBI is defined in Regulation §1.513-1(a) as gross income derived by an organization from any unrelated trade or business the organization regularly carries on, less the deductions. When looking at income, there are three criteria that must be met for UBI:
1. Income must be from a trade or business.
2. Such trade or business must be regularly carried on.
3. Conduct of such trade or business must not be substantially related to the organization’s performance of its exempt purpose, other than through the production of funds.

When looking at income-producing activities, each activity—and all the facts and circumstances surrounding the activity—must be examined to determine the activity’s relation to the organization’s exempt purpose.
Background

On March 24, 2015, the IRS Tax Exempt and Government Entities Division issued a memorandum outlining the applicability of UBI to SCCUs. The memorandum includes four main points to consider when looking at UBI:

1. Income from the following income-producing activities is considered substantially related and not subject to UBIT:
■ Sale of checks/fees from a check printing company
■ Debit card program’s interchange fees
■ Credit card program’s interchange fees
■ Interest from credit card loans
■ Sale of collateral protection insurance

2. Income from marketing the following products and ATM fees is subject to UBIT:
■ Automobile warranties
■ Dental insurance
■ Cancer insurance
■ Accidental death and dismemberment
■ Life insurance
■ Health insurance
■ ATM “per-transaction” fees from nonmembers

3. Income from these products is subject to UBIT, if sold to nonmembers:
■ Credit life and credit disability insurance
■ GAP auto insurance

4. All other insurance products, unless there’s a royalty agreement, are generally subject to UBIT.

Bellco Credit Union v. U.S. also should be considered when reviewing income-producing activities for UBI. This case is one of the key reasons the above-mentioned memorandum was released—it provides more insight to IRS examiners when reviewing the SCCU activity. The case provides more support for additional investment advisory services to members not being subject to UBIT.

Another UBI area to be aware of is debt-financed income. IRC §512(b)(4) notes income derived from debt-financed property, which is defined in IRC §514, shall be included in UBI. Under IRC §514(b)(1), debt-financed property means any property that’s held to produce income and with respect to which there’s an acquisition indebtedness any time during the taxable year. It does provide an exception for property substantially related to the performance of an organization’s exempt purpose.

In Alabama Central Credit Union v. U.S., interest income a credit union earned on bonds it purchased on margin and with borrowed funds was considered to generate UBI. The court rejected the argument that the purchase on margin was related to the credit union’s tax-exempt function. It said the purchase of securities on margin and with borrowed funds to maximize the yield or income therefrom doesn’t constitute a purchase of property substantially related to the debtor’s tax-exempt function.
Next Steps

In most cases, SCCUs have some income-producing activities that give rise to UBI. The most likely source is from nonmember ATM fees. A review of income-producing activities and documentation on whether the income should be classified as UBI is an important next step.

Once an SCCU has determined it has UBI to report, it also should look at the deductions directly connected with carrying out a specific UBI activity that can be reported to offset this income. In general, for a deduction to be directly connected with the conduct of an unrelated business activity, an item of deduction must have a proximate and primary relationship to the carrying on of that business.

Per Reg. §1.512(a)-(1)(c), when facilities are used both to carry on exempt activities and to conduct unrelated trade or business activities, expenses, depreciation and similar items attributable to such facilities—for example, items of overhead—shall be allocated between the two uses on a reasonable basis. Similarly, where personnel are used to carry on exempt activities and conduct unrelated trade or business activities, expenses and similar items attributable to such personnel—for example, items of salary—shall be allocated between the two uses on a reasonable basis. The portion of any such item so allocated to the unrelated trade or business activity is proximately and primarily related to that business activity and shall be allowable as a deduction in computing UBI.

Per Reg. §1.512(a)-1(f)(6)(i), the method of allocation will vary with the nature of the item, but once adopted, a reasonable method of allocation with respect to an item must be used consistently. Thus, for example, salaries may generally be allocated among various activities on the basis of the time devoted to each activity; occupancy costs such as rent, heat and electricity may be allocated on the basis of the portion of space devoted to each activity; and depreciation may be allocated on the basis of space occupied and the portion of the particular asset used in each activity. Allocations based on dollar receipts from various exempt activities generally won’t be reasonable since such receipts usually aren’t an accurate reflection of the costs associated with activities carried on by exempt organizations. Proper documentation of the methodology used for allocation of indirect costs should be considered.

State treatment of UBI varies, including some states that don’t tax UBI. We recommend you evaluate each state where UBI is earned and look at the filing requirements for those specific states.
New Items to Consider with the Tax Cuts and Jobs Act

There are several additional items SCCUs should watch out for due to the passage of the Tax Cuts and Jobs Act.

First, taxable UBI will now be taxed at the corporate income tax rate of 21 percent, instead of the previous graduated rates that topped off at 35 percent. Any future net operating losses only will be able to offset 80 percent of taxable income and can be carried forward indefinitely.

Second, SCCUs will need to look at each UBI activity separately for reporting purposes. Activities that produce losses won’t be able to offset activities that produce income. If an SCCU has mainly been reporting losses, but has any activities with income, it will now have to pay tax on those income-producing activities. If there are income-producing activities, the SCCU should consider making estimated tax payments for 2018 to avoid underpayment penalties and interest.

Third, an SCCU will be required to pay a 21 percent excise tax on compensation exceeding $1 million paid to one of the organization’s five highest-compensated employees. This tax also will apply to parachute payments three times greater than the average of the last five years of the person’s salary.
Conclusion

SCCUs should review income-producing activities and document their conclusions to support reasons for not reporting income as UBI. If the SCCU has nonmember income, there’s a possibility this income should be reported as UBI. If the SCCU has UBI to report, it should file a Form 990-T to report this income and applicable expenses. If the organization has an activity that continues to produce UBI losses, the SCCU should periodically review the expense allocation for reasonability. Contact your trusted BKD advisor with questions or for more information.

About the Authors

Nicole B. Fishback, CPA has more than 13 years of experience and focuses on not-for-profit tax planning and compliance. She provides guidance and research to help tax-exempt organizations comply with dynamic requirements and reporting. Nicole also has experience providing tax and accounting services for individuals and trusts. She frequently speaks at seminars regarding IRS Form 990 and other tax-exempt organization topics.

Michael J. Summers, CPA is a member of BKD National Financial Services Group. Mike’s focus is on providing tax solutions and consulting services to BKD’s corporate clients. His more than 14 years of experience working with closely held and publicly traded financial institutions includes corporate tax planning and compliance, mergers and acquisitions and tax information reporting under Financial Accounting Standards Board ASC 740 and FIN 48. He also assists clients in the areas of multistate taxation, accounting method strategies and state property tax return preparation.
HMDA CHANGES

SAM CAPUANO, CBA, CRP

On January 1 of this year, the changes to Regulation C/Home Mortgage Disclosure Act (HMDA) that many have dreaded for some time kicked in. HMDA seems to have been around forever. And, to quote FFIEC from last August, when new examiner guidelines were issued (included as part of NCUA Letter to Credit Unions 17-CU04), the regulation would appear to be simple: HMDA requires certain financial institutions to collect, record and report information about their mortgage lending activity. If only it was that simple.
HMDA has always been a necessary evil for those who must report, and now that there have been material changes, it will likely invite increased regulatory scrutiny. Indeed, as noted in this space last issue, it is included in the NCUA Supervisory Priorities for 2018. In that Supervisory Priorities letter, NCUA stated examiners would perform limited reviews of quarterly HMDA Loan/Application Registers (LAR) starting in the second quarter of 2018. While it looks like for the time being examiners will cut CUs some slack (they “will credit good faith compliance efforts”), those required to report are still expected to collect data, develop the quarterly LAR, and submit 2018 data in a timely manner (by March 1, 2019). More on those examination procedures in a bit. It’s probably a good idea to also look at the changes they’ll
be examining. The CFPB amendments changed the following:
1. Types of Institutions that are subject to Regulation C
2. Types of Transactions that are subject to Regulation C
3. Specific information that covered institutions are required to collect, record, and report, and
4. Processes for reporting and disclosing data.

Beginning this year, an institution will not be subject to the Regulation unless it has originated at least 25 covered closed-end mortgages, or at least 500 covered open-end lines of credit in each of the previous two years (this is in effect from January 1, 2018 through December 31, 2019; on January 1, 2020 the open-end threshold will adjust to 100), and meets the existing HMDA asset-size, location, etc., thresholds. This is expected to reduce the number of covered institutions.

As for transactional coverage changes, the general rule of thumb, beginning in 2018, is that a loan will be covered if it’s secured by a dwelling. Agricultural-purpose loans are excluded, even if secured by a dwelling. Home improvement loans will also be excluded, unless secured by a dwelling.

Then there are the changes in reportable data. From January 1 of this year, going forward, covered institutions are required to collect, record and report additional information. This seems to be what’s getting the most attention. There are all kinds of new data points which are now part of the HMDA Rule, as well as changes to several data points which were already in place. A quick look at CFPB’s “Summary of Reportable HMDA Data – Regulatory Reference Chart” shows 25 (!) new data points and 12 others which have been modified. The chart itself is a pretty handy summary, and includes the specific Reg. C reference next to each of the data points.

Also changed for 2018 are requirements for collection and reporting of information. Covered institutions now need to report how they collected an applicant’s or borrower’s ethnicity, race and sex, via visual observation or surname. Similarly, institutions are now required to allow applicants to self-identify their ethnicity and race using disaggregated ethnic and racial subcategories.

The final change category is reporting data. CFPB has a new web-based tool for submitting HMDA data. The data submission changes are detailed in the amended Appendix A of the regulation. This Appendix goes away at the beginning of next year, when covered institutions will be required to report via the aforementioned web-based tool. A year after that, in 2020, covered institutions which reported 60,000 applications and covered loans the previous calendar year will have to report quarterly.

A final note on the changes, starting this year, regarding LAR requests from the public. Covered institutions don’t have to provide disclosure statements for such requests. A notice that the disclosure statement and modified LAR are available on the CFPB website will now suffice.

Now, as promised, another look at NCUA examination of this. NCUA exam procedures will follow the guidelines revised in August of 2017 by FFIEC. NCUA, in January of this year, began implementing new examiner transaction testing guidelines. This will apply for 2017 data and beyond. If, during the review of sample HMDA data, errors appear to be excessive, credit unions will be expected to correct and re-submit their data. Again, this is still early in the game. As noted above, examiners have said they expect some errors, but also expect that credit unions have infrastructure in place to comply.

In our HMDA internal audits thus far, we’ve seen from our clients using software from their loan system to get information onto the LAR that the data is not always mapping accurately. Fields in the loan system are not mapped correctly to the data filed in the software. As such, we’re monitoring this monthly for the time being, until some of these inaccuracies have been corrected.

There are changes ahead for us in IA, and for examiners as well. But they pale in comparison to those in the trenches.
About the Author Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started their IA function there in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.
{ the standards } Pat Richey, Retired credit union internal auditor
Proficiency and Due Professional Care Standard 1200 requires we continually seek to improve our effectiveness.
In the last 5 issues of The Audit Report, I discussed the International Professional Practices Framework (IPPF); the IPPF elements related to the Core Principles and the Code of Ethics; and the International Standards for the Professional Practice of Internal Auditing (Standards) related to the internal audit charter, independence and objectivity. Now we’ll turn our attention to two more attributes addressing the characteristics of internal auditors - proficiency and due professional care.

The Core Principles include the principle of demonstrating competence and due professional care. In relation to proficiency, one of the Code of Ethics principles is that internal auditors apply the knowledge, skills and experience necessary for the performance of internal audit services. The related Code of Ethics Rules of Conduct states that internal auditors engage only in those services for which they have the necessary knowledge, skills and experience; perform internal audit activities in accordance with the Standards; and continually improve their proficiency and the effectiveness and quality of their services.

Standard 1200 states that engagements must be performed with proficiency and due professional care. Although the Standard uses the term proficiency, the term competency is also used frequently. Standard 1210 states that for internal auditors to be proficient, the auditors must possess the knowledge, skills and other competencies needed to perform their individual responsibilities. Professional proficiency is a personal responsibility. The Interpretation of Standard 1210 states that proficiency includes consideration of current activities, trends and emerging issues so that the internal auditor can give relevant advice and recommendations to credit union management. The result of proficiency and professionalism is credibility.
Global Internal Audit Competency Framework

The Institute of Internal Auditors (IIA) has a Global Internal Audit Competency Framework that defines the core competencies needed to fulfill IPPF requirements. The Framework is an 18-page document that outlines the competencies required for the Chief Audit Executive (CAE), internal audit manager, and staff auditor. There are 10 Core Competencies supported by over 160 detailed competencies that support the Core Competencies. The Core Competencies are professional ethics; internal audit management; IPPF; governance, risk and control; business acumen; communication; persuasion and collaboration; critical thinking; internal audit delivery; and improvement and innovation. The Competency Framework can be obtained from the “About Us” section of the IIA website.

Implementation Guide (IG) 1210 says that internal auditors should review and understand the Framework’s competencies, and use the Framework for self-assessments. The CAE can develop a skills assessment tool based on this Framework, and include the basic criteria in recruitment material and job descriptions to attract internal auditors with the requisite education and experience.
Collective Proficiency

The CAE must manage the internal audit activity so that, collectively, all the internal auditors in a department possess the skills, knowledge and competencies to perform the department’s responsibilities. This means that not all internal auditors in a department have the same skills, knowledge and competencies. An internal audit department may have a mix of knowledge, skills and competencies. For instance, one auditor may have IT skills, another may have regulatory compliance certifications, and another may be a Certified Fraud Examiner. Collectively, they have the skills necessary to fulfill the internal audit plan.

Standard 1210.A1 states that the CAE must obtain competent advice and assistance if the internal audit activity does not have the knowledge, skills or competencies needed to perform all or part of an engagement. The CAE can use the Competency Framework to identify any gaps in the collective competency, and then fill those gaps through hiring, training or outsourcing. If possible, I would rather my internal audit activity fill any competency gaps through training rather than go to an outside source.

Business Acumen

Business acumen is one of the Core Competencies of the Competency Framework. The credit union internal auditor has to understand the business of credit unions. This requires that the credit union internal auditor understand not only the credit union industry but the auditor’s credit union specifically. The internal auditor needs to understand credit union strategic objectives (the big picture); the interrelationships between credit union stakeholders; risks, controls, compliance; and the credit union’s culture. This proficiency is learned by being engaged with all aspects of the credit union and its personnel, and participating in in-house training.

Soft Skills

Many of the detailed Core Competencies involve soft skills or people skills. That is the ability to get along and work well with other persons. Credit union internal auditors deal with volunteers, executive management and member service representatives, which takes a wide range of relationship skills. The credit union internal auditor should be skilled in understanding cultural differences, treating others with respect, taking personal accountability, fostering trust and open communications, listening, having a service attitude, managing conflict, diplomacy, building constructive relationships, collaboration and resilience.

Another soft skill is understanding personality differences and how that impacts communication and thinking processes. My credit union had all managers take the Myers Briggs personality type test, to give managers an understanding of personality differences. According to the Myers Briggs webpage MBTI Type at Work, “Type can be introduced into any organization to support many functions and situations, including managing others development of leadership skills, conflict resolution, executive coaching, change management and other customized needs.” The test results were very enlightening as to personality differences among managers.
Fraud and Information Technology

Standards 1210.A2 and 1210.A3 address fraud and information technology (IT). In the case of fraud, internal auditors must have enough knowledge to evaluate the risk of fraud and how the credit union manages fraud risk. However, internal auditors are not expected to have the expertise of persons whose primary responsibility is detecting and investigating fraud. Likewise, internal auditors must have enough knowledge of key IT risks and controls, and available technology-based audit techniques to perform their assigned audits. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is IT auditing.

Internal auditors are not the experts on every facet of credit union operations and risks. As these standards point out, internal audit is expected to have “enough knowledge” to perform their responsibilities. However, internal auditors should have a thirst for knowledge which drives them to continuing professional development.

Continuing Professional Development

Internal auditors may have obtained a relevant college education and have years of experience. However, the key to proficiency is continuing professional development. Internal auditors cannot rely solely on past experience. Standard 1230 states that internal auditors must enhance their knowledge, skills and competencies through continuing professional development. Professional development should be addressed in performance evaluations and subsequently a plan developed to fill any gaps in internal audit competencies. The development plan can include on-the-job training, publications, news services, webinars, seminars, conferences and professional certifications. There is no end to the opportunities for professional development.

When creating a professional development plan, the credit union internal auditor should take a long-term view and consider ultimate career goals. It is helpful to have a relationship with a coach or mentor to aid in planning and coming to terms with gaps in proficiency. However, it is up to the internal auditor to advocate for the auditor’s development needs. Budget constraints are the biggest obstacle to professional development, so the internal auditor has to be aware of and take advantage of many different methods of development.
Certifications

IG 1200 states that the internal audit profession’s most relevant certification is the Certified Internal Auditor granted by the IIA. Other certifications offered by the IIA include, among others, Certified Financial Services Auditor, Certification in Control Self-Assessment, and Certification in Risk Management Assurance. According to the IIA’s “Why Become Certified”, becoming certified increases internal auditors’ earning potential by 51%.

Other organizations offer relevant certifications. As the name implies, the Association of Certified Fraud Examiners (ACFE) offers a certification in fraud examination. The CFE can aid with conformance to Standard 1210.A2’s requirement for knowledge about fraud risk. I was a CFE and found the monthly ACFE chapter meetings to be very informative. The National Association of Federal Credit Unions (NAFCU) and Credit Union National Association (CUNA) offer compliance certifications - the NAFCU Certified Compliance Officer (NCCO) and the Credit Union Compliance Expert (CUCE) respectively.

Certifications require continuing education to maintain the certifications. Certified internal auditors must be aware of the requirements for maintaining certification including time frames and number of continuing education hours needed. The certification requirements should dovetail with the internal audit activity’s training and development policy.
Networking It is important to get involved with a professional organization. For me, the most important professional development tool was networking with fellow ACUIA members. I learned as much about best practices and techniques from my peers as I did from seminars and conferences. Knowledge transfer is helpful in understanding how credit unions and their internal auditors handle the issues that you are dealing with. With ACUIA members help, an internal auditor never has to re-create the wheel (e.g. an audit program). From the very first ACUIA conference in 1991 in Bloomington MN, I knew that the ACUIA conference was the best place for a credit union
{ from the editor }
Here’s to 25 More Tabitha Ernst-Chadwick
auditor to develop professionally. I attended the first 18 conferences and learned so much from other ACUIA members, along with the educational sessions. I was also an IIA member and attended local chapter meetings, but I never found those meetings to be as useful as networking with other credit union auditors.
infallibility, which means that internal auditors are capable of making errors. You’re not perfect! Hopefully, internal auditors are not making many errors because they are competent, being reasonably prudent and exercising due professional care. However, imperfection means that internal audit work must be
checked and rechecked. We were a two-person audit shop. I reviewed my staff auditor’s work and she reviewed my work. We proof-read, proof-read, proof-read every audit report. Then we issued a preliminary draft of the report to management for their perusal, to make sure we had considered everything of
Demonstrating Proficiency Conformance Internal auditors can demonstrate conformance with Standard 1210 by keeping their resumés up-to-date and maintaining records of professional development. Generally, those with professional certifications will maintain professional development records in order to maintain the certification, but all internal auditors should maintain records. Recruitment materials, job descriptions, a competency assessment tool, performance evaluations and internal audit training policies, procedures and materials can all be used to demonstrate proficiency. Due Professional Care Standard 1220 states that internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. According to Merriam-Webster, prudent means marked by wisdom or judiciousness or circumspection; or shrewd in the management of practical affairs. I would say that internal auditors must exercise good judgement and common sense. IG 1220 says that internal auditors should understand and apply the Mandatory Guidance of the IPPF, including the Code of Ethics. Internal auditors should also comply with the credit union’s code of ethics. Standard 1220 states that due professional care does not imply
www.acuia.org | TH E AUD IT R EPORT
31
significance and nothing appeared unreasonable.

Standard 1220.A1 describes several elements that internal auditors must consider in exercising due professional care. Internal auditors must consider the extent of work needed to achieve the engagement’s objectives. How much work is enough? Due professional care depends on the complexity, materiality or significance of issues. IG 1220 says that internal audit policies and procedures provide a systematic and disciplined approach to the full scope of internal audit work. Internal auditors are applying due professional care when they follow this approach. Internal auditors must also consider the adequacy and effectiveness of governance, risk management and control processes; probability of significant errors, fraud, or noncompliance; and audit cost in relation to potential benefits. There is the expectation that internal auditors will conduct activities to the same extent as a reasonably prudent and competent internal auditor in the same circumstance. Networking and benchmarking are ways to determine how other internal auditors are conducting their activities.

Standards 1220.A2 and 1220.A3 state that in exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques, and must be alert to the significant risks that might affect objectives, operations or resources. However, audit procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
Demonstrating Due Professional Care Conformance
Internal auditors can demonstrate conformance with Standard 1220 by applying the IPPF mandatory guidance to engagement plans, work programs, workpapers, and supervisory review. Performance reviews should consider due professional care. Post-engagement meetings and audit client surveys are tools for obtaining information. Proficiency and due professional care are attributes that internal auditors exhibit day in and day out. These attributes make internal auditors role models in their credit unions.

About the Author
Pat Richey was Director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ member spotlight }
Gayle Gines Dian Scott
This issue we’re shining the ACUIA spotlight on Gayle Gines, our new Region 4 director, devoted mom, animal lover and crafter.
Gayle, tell us about yourself.
I am a mom of one two-legged child (he’s 19) and five 4-legged babies (2 dogs and 3 cats). I enjoy crafting, reading and cleaning house, apparently – 5 furry pets keep me busy.

Describe your education and any special training, credentialing, etc.
I received a bachelor’s degree in Business, with an emphasis in Accounting, and just sort of ended up in Audit right out of college. I thought I was applying for an internship, but halfway through my first interview I was told that the interview was actually for a full-time permanent position. I got the job.

How long have you been involved in auditing?
I’ve been involved in audit almost 14 years now, in three different industries. CUs have been my chosen industry for a little more than five years. I have my CPA, CIA, CFE, CISA and ACDA. However, I have no idea what I want to be when I finally grow up!

What are the major challenges you feel the industry faces today?
As with any government-regulated industry, change is always the biggest challenge, and this is even more so with credit unions over the last decade.

When did you join ACUIA?
I joined ACUIA in 2012 when I started at my first CU. I created the audit department and was the sole auditor for the five years I was there. ACUIA was a priceless source of information and networking for me.

What advice would you offer to new auditors just getting started?
Use your resources. There are so many resources available to you. You just need to know where to look and who to ask.

Which ACUIA membership benefits do you find most rewarding?
I think networking is the most rewarding relationship for ACUIA members. They have a great member base, with amazing knowledge, and the desire to assist whenever they can.

Which type of background experience do you look for in your staff auditors?
I think CU experience is very important, as each CU is unique in how it operates. Audit skills can be taught, and programs and processes are easy to follow, but knowing the business and who to ask/where to look is very important.

Gayle, thanks for sharing a moment in your busy life with us.
{ regional news }
REGION 1
Julie Wilson, Director
Director Internal Audit, iQ CU
360.992.4233
juliew@iqcu.com
We’re doing something different for our Spring, 2018, Region One meeting. We’re headed north to Alaska! Our Alaska members are rarely able to join our regional meetings. So, we’re taking the meeting to them. The dates are Thursday–Friday, May 24–25, just before Memorial Day weekend. This will enable everyone to enjoy the sights, charter out for fishing or just enjoy the spectacular beauty of the state. Denali Credit Union will host the 2-day event. It promises to be jam-packed with exciting discussions by excellent speakers. Look for more information on www.acuia.org, coming soon.

REGION 2
Andrea Munoz, Director
Internal Audit, Senior Staff Auditor
First Tech Federal Credit Union
916.660.4255
andrea.munoz@firsttechfed.com
No news to report for Region 2.

REGION 3
Tom Cosby, Director
Vice President Internal Auditing
Crane Credit Union
(812) 863-7000 ext 7142
tcosby@cranecu.org
The Illinois chapter conducted its quarterly meeting on March 16th. The Indiana chapter will have an all-day training session on May 10th. The Minnesota chapter is having a meeting on May 18th. The Michigan chapter is having their next meeting in August. All plans for the Region 3 Conference, Oct. 3–5, 2018 have been finalized.

REGION 4
Gayle Gines, Director
Senior Internal Auditor
Randolph-Brooks Federal Credit Union
210.637.4130
ggines@rbfcu.org
We are learning and growing within our ACUIA environment. We have added a new director (me) and we’re beginning to add some chapter coordinators. We have also started an email network (thanks, Julie, for the idea) that allows us to ask questions, and receive feedback directly from our ACUIA peers. Happy Internal Auditor Awareness Month (May) everybody!

REGION 5
Michael P. Moreau, CIA, CFE, CFSA, Director
MACPAGE LLC
225 Cedar Hill St., #200
Marlborough, MA 01752
800-339-5701
978-760-0195 – cell
The Region 5 meeting has been set for Oct. 1-2, 2018. Our host will be Mike Shoen and CapCom FCU in Albany, NY. We are starting to pull together some thoughts for the meeting, and plan on offering a great lineup of speakers and topics. Hope to see you there!

REGION 6
Jason Alexander, CIA, MBA, CICA, Director
Director of Internal Audit
LGE Community Credit Union
770-421-2579
jasona@LGEccu.org
Region 6 had two chapter meetings in April. We are also looking for new chapter coordinators. Interested? Give Jason a call – he’d love to chat with you about that.
{ region directors }
REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Andrea Munoz, andrea.munoz@firsttechfed.com
REGION 3: Tom Cosby, tcosby@cranecu.org
REGION 4: Gayle Gines, ggines@rbfcu.org
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, MPM@macpage.com
REGION 6: Jason Alexander, CIA, CICA, jasona@lgeccu.org
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com

REGION 2
ARIZONA CHAPTER: Jason Garlutzo, Jason.Garlutzo@azstcu.org
CALIFORNIA CHAPTER: VOLUNTEER NEEDED!
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com
HAWAII CHAPTER: Nikki Ige, Nige@kcfcu.org

REGION 3
ILLINOIS CHAPTER: Rick Torres, rtorres@CreditUnion1.org
INDIANA CHAPTER: Tom Cosby, tcosby@cranecu.org
MINNESOTA CHAPTER: Ashley Shrode, Ashley.Shrode@thrivent.com
MICHIGAN CHAPTER: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
IOWA CHAPTER: Brittany Metz, brittanymetz@uiccu.org
WISCONSIN CHAPTER: Karla Hodgkins, khodgkin@Covantagecu.org

REGION 4
ARKANSAS CHAPTER: Patrick McCollough, pmccollough@AFCU.org
NORTH TEXAS CHAPTER: VOLUNTEER NEEDED!
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com

REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6
ALABAMA CHAPTER: Adrienne Breckenridge, CPA, abreckenridge@avadiancu.com
GEORGIA CHAPTER: VOLUNTEER NEEDED!
FLORIDA CHAPTER: Lourdes Camacho, lourdesc@sccu.com
MARYLAND CHAPTER: Nikki Torres, nichele.torres@towerfcu.org
NORTH CAROLINA CHAPTER: VOLUNTEER NEEDED!
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org
{ acuia select }
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.