Volume 27, Issue 3, 2018
The Magazine of the Association of Credit Union Internal Auditors, Inc.
FRAUD NEVER SLEEPS | FAIR LENDING ONLINE: AVOID THE PITFALLS | LIQUIDITY: HOW IMPORTANT IS IT? | BITCOIN: EVERYTHING YOU’VE ALWAYS WANTED TO ASK | THE STANDARDS: QUALITY ASSURANCE
{ contents }

FEATURES
Fraud Never Sleeps! Strategies to mitigate the scams against your Credit Union. Doug Wright and Stacy Bausch
Keep Online Lending Fair: Avoid Fair Lending and UDAAP Pitfalls. Todd Sherpy
Volunteer: ACUIA’s one great constant has been the volunteers who are the lifeblood of the organization. Sam Capuano, CBA, CRP
Liquidity: How it sustains Credit Union health. Randy C. Thompson, Ph.D.
Highlights Chicago: Photos from a great convention in the windy city
Bitcoin: What it is and why it matters. Nik Fahrer

DEPARTMENTS
From the Editor: Turning to Fall. Dian Scott
Chairman’s Message: As Time Goes By. Dian Scott
The Standards: Quality Assurance and Improvement Program. Pat Richey
Member Spotlight. Pat Richey
Regional News
Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Dian Scott Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 332 Commerce St., Suite 100, Alexandria, VA 22314, (703) 688-2284
© Copyright 2018, ACUIA. All rights reserved.
{ from the editor }
Turning to Fall Dian Scott
Chicago is behind us and a new season of collaboration is here.
Hope everyone who was able to attend the conference in Chicago had a terrific, energizing time. I’ve heard nothing but high praise for the event and for everyone who helped make it happen. Now that the long, soft days of summer are waning, we’re quickly slipping into the colors and excitement of Fall. It also means this is a great time to start planning for the upcoming series of region meetings, webinars and training classes. Some of the events sell out quickly, so register as early as you can, to ensure there’ll be a seat waiting for you. If you would like to submit an article you’ve written (or plan to write), now is a good time to do it. Or, if there is a topic you would like to learn more about, let us know. Good ideas are always welcome.
Warm regards,
Dian Scott
Dilanto166@gmail.com
301-774-6484
2018 Board of Directors
Chair: John Gallagher, CUERME, SEFCU, (518)-464-5245, jgallagh@sefcu.com, Term 2016–2019
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2017–2020
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2017–2020
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dwsenson2@wingsfinancial.com, Term 2018–2020
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2018–2020
Director: Doug Wright, CPA, CFE, CUCE, BSACS, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2016–2019
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2018–2020
Associate Director: Tabitha Ernst-Chadwick, Marine FCU, (910) 355-5611, TErnst@marinefederal.org
Associate Director: Tara Tocco, Hughes FCU, (520) 205-5744, TTocco@hughesfcu.org

ACUIA executive office: 332 Commerce St., Suite 100, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org
www.acuia.org | THE AUDIT REPORT
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
{ chairman’s message }
As Time Goes By Dian Scott
Thoughts on Growing and Saving
Hi, dear hearts. Obviously, I’m not the well-respected, over-worked Chairman of the Board. I’m just Dian. John’s column will return in the next issue.

Growing up, I didn’t have much experience with credit unions or savings banks or such. I was always a bit skeptical of them. The men were intimidating, and wore ugly suits. Growing up on army bases, I was accustomed to clean, pressed uniforms. And, my dad was an army chaplain, so he was given deferential treatment by anyone in a uniform. The ugly suits just didn’t follow protocol.

As I grew older, my “bank” of choice consisted of hundreds of buffalo nickels. I collected them for years in quart-sized glass milk bottles. Daddy was transferred from Virginia to Germany for his last overseas tour. We went with him, as usual. That, of course, meant packing up the household for shipping. I was scrambling around, gathering up everything I wanted to keep. My “valuables” consisted of numerous quart glass bottles filled with buffalo nickels. I dropped one of the jars when I stumbled going downstairs, and buffaloes went flying everywhere! I scrambled frantically to catch them, but they were all over the place!

I did have help, sort of. My sweet collie, Ginger, came rushing to my side to help with the retrieval process. While scrambling for my nickels, I noticed Ginger picking them up, one at a time, and walking off with them. I followed her and caught her nosing her loot under the pillow in her dog bed, and then lying on top of her “stash”. She managed to dry my tears and replace them with a smile. Collies do that so easily.

Years later, I was all grown up (sort of) and working for USA TODAY. Our building housed a Kinecta FCU branch, and it was my banking choice. I had stopped in one morning on my way to work. As soon as I walked up to a window, I heard coins skittering along the marble counter. Wasn’t close enough to check for my favorite nickels, but I’m quite sure that somewhere a collie was smiling.

Warm regards,
Dian
WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Dian Scott at acuia@acuia.org to learn more.
UPCOMING EVENTS
For complete details go to www.acuia.org/calendar

WEBINARS
Sept 12: Compliance Hot Topics, https://www.acuia.org/calendar/day/2018-09-12
Sept 26: Collection Pitfalls, https://www.acuia.org/calendar/day/2018-09-26

REGION AND CHAPTER MEETINGS (October)
1–2: Region 5 Meeting – Albany, NY
3–5: Region 3 Meeting – Eau Claire, WI
4–5: Region 2 Fall Meeting – Burbank, CA
4–5: Region 4 Fall Meeting – Live Oak (San Antonio), TX
7–19: Region 6 Fall Meeting – Nashville, TN
19: Region 1 Fall Meeting – Vancouver, WA
For more details, see the Regional News page, or contact your Regional Director.

ON-SITE CLASSES
Oct 8–11: Internal Audit Certification School. The Fall 2018 IA certification school is filling fast, with only a limited number of seats still available. If you have any interest in becoming a CCUIA, and attending school in Tempe this October, now is the time to take action. Attendees of this school expand their auditing skillset, develop their analytical acumen and get the opportunity to earn the Certified Credit Union Internal Auditor (CCUIA) designation.
FRAUD NEVER SLEEPS!
STRATEGIES TO MITIGATE THE SCAMS AGAINST YOUR CREDIT UNION
DOUG WRIGHT AND STACY BAUSCH

All credit unions, no matter how big or small, experience fraud attempts against them in some form. In our experience, the attempts just keep coming, and never stop. While fraud schemes come in many flavors, with many variations, this article focuses on external fraud schemes against credit unions. It explores some of the more common types of fraud that we have experienced, based on the number of Suspicious Activity Reports that we have filed. Most fraud schemes have red flags associated with them that, if detected in real time, could prevent significant losses from occurring. Unfortunately, the fraudsters know this, and they continually change their tactics to circumvent your monitoring controls. It is a constant challenge, in both human resources and reconfiguring technology, to stay ahead of (or at least keep up with) them.
The following lists the recent types of fraud schemes that we continue to see, and explores possible tactics to combat the fraudsters:
CARD FRAUD: Card fraud is by far our largest type, in terms of both number of cases and dollars of loss. Card fraud is basically the result of compromised cards due to the numerous retailer breaches. It seems we hear of a new breach almost every week. In October 2015, the Europay, Mastercard and VISA (EMV) rules for fraud liability went into effect, under which the liability for fraud fell on the merchants for “Card Present” types of transactions if they did not accept chip-enabled credit and debit cards. The impact of this rule change pushed the bulk of card fraud to “Card Not Present” transactions, in other words, online or phone purchases. However, we continue to see a significant amount of fraud for “Card Present” transactions at merchant locations, due to lost or stolen cards. To combat this trend, educate your members to promptly notify your credit union of lost or stolen cards.

To mitigate losses from card fraud, ensure that you have robust monitoring processes in place. Screen purchase authorizations against known fraud patterns, or have a fraud-scoring model in place. Another card fraud mitigation strategy is to use systems that detect anomalous purchasing behavior by your members that might indicate fraud. Also, implement a process to provide your members with text or email alerts for large or unusual transactions. Note that when configuring your transaction monitoring processes, care should be taken to minimize false positives. This will avoid a negative experience for your members when their legitimate transactions are blocked!

Finally, make sure your fraud areas are well versed in Electronic Fund Transfer Act (Regulation E) dispute requirements for debit cards, and Truth in Lending Act (Regulation Z) dispute requirements for credit cards. Unfortunately, we see a large number of false claims from members when they are unhappy with a product or service, and expect their credit union to cover them.
IDENTITY THEFT – APPLICATION FRAUD: Application fraud is our second largest category by the number of SARs filed. In this type of fraud, the fraudster applies for membership, or a loan, using someone else’s stolen identity, or sometimes creates a fictitious person using a combination of real and made-up information, which is known as Synthetic Identity Theft. We have seen application fraud growing over the past several years, fueled by the availability of consumer data for sale on the Dark Web from several large healthcare provider breaches, and the Equifax breach in 2017.
To combat application fraud, ensure that you have an adequate Red Flag Identity Theft Prevention Program that reviews Social Security Number or address mismatches, and follows procedures for Initial and Extended Identity Theft Alerts. For online applications taken, if your system has the capability, flag the location of the IP address where the application is being submitted from, and compare this to the stated location where they claim to live or work. We frequently detect fraudulent applications using this technique. Also, specific to credit unions, your field of membership may provide an advantage for screening out potentially fraudulent applications. Other mitigation tips are to train your loan officers and underwriters to recognize inconsistencies and patterns that may indicate fraud, such as an excessive number of recent credit inquiries, limited credit history, and other inconsistencies with application information provided. Related to this, implement loan stipulations in your loan origination system to refer suspected applications to your Fraud Department for further review. Also, fraud rings will submit multiple applications simultaneously, hoping that one or two slip through your screening processes and get approved. To combat this “brute force attack” method, maintain a database of street addresses, IP addresses and phone numbers associated with previous fraud attempts, and screen your applications against this list.
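The three screening checks described above (IP location against stated location, a list of identifiers from previous fraud attempts, and bursts of applications sharing an identifier), sketched in Python as an added example that is not the authors' or any vendor's code. It assumes each application record already carries the state its IP address geolocates to; the field names, the 30-minute window, the burst threshold and every sample record are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Application:
    app_id: str
    submitted: datetime
    ip: str
    ip_state: str      # state the IP geolocates to (assumed filled in upstream)
    stated_state: str  # state of the home or work address on the application
    street: str
    phone: str


_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
           "apartment": "apt", "suite": "ste"}


def norm_phone(phone):
    """Digits only, without a leading US country code."""
    digits = re.sub(r"\D", "", phone)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def norm_street(street):
    """Lower-case, drop punctuation, abbreviate common words, so that
    '12 Elm Street, Apt. 4' and '12 elm st apt 4' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", street.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def identifiers(ip, phone, street):
    """Normalized (kind, value) pairs, used for the watchlist and the burst check."""
    return {("ip", ip.strip()), ("phone", norm_phone(phone)),
            ("street", norm_street(street))}


def screen(apps, watchlist, window=timedelta(minutes=30), burst=3):
    """Return {app_id: [reasons]} for applications to refer for fraud review."""
    flags = defaultdict(list)
    recent = defaultdict(list)  # identifier -> [(submitted, app_id)] within window
    for app in sorted(apps, key=lambda a: a.submitted):
        # Red flag 1: IP location differs from where the applicant says they live/work.
        if app.ip_state.upper() != app.stated_state.upper():
            flags[app.app_id].append(
                f"ip_location_mismatch:{app.ip_state}!={app.stated_state}")
        for ident in sorted(identifiers(app.ip, app.phone, app.street)):
            # Red flag 2: identifier associated with a previous fraud attempt.
            if ident in watchlist:
                flags[app.app_id].append(f"known_fraud_{ident[0]}")
            # Red flag 3: several applications sharing an identifier in a short window.
            hits = [(t, i) for t, i in recent[ident] if app.submitted - t <= window]
            hits.append((app.submitted, app.app_id))
            recent[ident] = hits
            if len(hits) >= burst:
                for _, i in hits:  # flag every application in the burst
                    if f"burst_{ident[0]}" not in flags[i]:
                        flags[i].append(f"burst_{ident[0]}")
    return dict(flags)


def _t(hhmm):
    return datetime.strptime("2018-09-04 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed watchlist: identifiers from one earlier (fictional) fraud attempt.
WATCHLIST = identifiers("192.0.2.66", "847-555-0199", "12 Elm St Apt 4")

# Constructed applications (documentation IP ranges, 555-01xx phone numbers).
SAMPLE_APPS = [
    Application("A1", _t("09:00"), "198.51.100.7", "IL", "IL",
                "410 Oak Avenue", "(847) 555-0101"),
    Application("A2", _t("09:05"), "203.0.113.20", "NV", "IL",
                "12 Elm Street, Apt. 4", "847-555-0102"),
    Application("A3", _t("09:10"), "203.0.113.50", "IL", "IL",
                "77 Pine Rd", "1-312-555-0150"),
    Application("A4", _t("09:12"), "203.0.113.50", "IL", "IL",
                "9 Lake Dr", "312.555.0151"),
    Application("A5", _t("09:20"), "203.0.113.50", "IL", "IL",
                "300 Main St", "312 555 0152"),
    Application("A6", _t("14:00"), "198.51.100.99", "IL", "IL",
                "5 Birch Road", "+1 (847) 555-0199"),
]

if __name__ == "__main__":
    for app_id, reasons in screen(SAMPLE_APPS, WATCHLIST).items():
        print(app_id, "-> refer to Fraud Department:", ", ".join(reasons))
```

Normalizing before comparison is what makes the list useful: a reused address or phone number typed with different punctuation would otherwise pass an exact-match check.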
IDENTITY THEFT – ACCOUNT TAKEOVERS: For Account Takeover or ATO fraud, the fraudsters will also use stolen personal data to take over an existing account. Once a fraudster has control over an account, they will attempt to make advances on Home Equity Lines of Credit or Unsecured lines, and transfer funds out by wire or ACH transfer. Another common scheme is to take over an account and use it as a “mule” account to receive funds from compromised accounts at other financial institutions. They will then transfer these funds to a third institution, in an effort to launder the stolen money. We continue to see social engineering calls to our call center in an attempt to obtain, or change, account access codes. For online banking ATOs, the point of compromise is typically on the member’s end, where they have malware on their home computer that will harvest their login credentials. We have also seen cases where the members are logging in from where they work, and their employer’s network has been compromised.

To combat this vulnerability, educate your members about online safety and protecting their devices, and utilize a strong two-factor authentication process for your online banking logins. Also use a second factor of authentication, if possible, for your call center. Consider using a one-time passcode sent to the member’s mobile device, or use knowledge-based security questions to authenticate your caller. And make sure your call center staff are well trained in social engineering tactics, such as a caller trying to pressure or threaten them, or some sort of emergency situation that requires immediate assistance, to circumvent your normal security processes.
APPLE OR SAMSUNG PAY FRAUD: This type of fraud is a subset of ATO fraud where a compromised credit or debit card is linked to a mobile phone using the Apple or Samsung Payment platforms. The concept of these payment platforms is to use a dynamic, one-time use token to keep the credit card information from being stored by the merchant. To get around this, the fraudsters impersonate the member to link the member’s compromised card info to the fraudster’s phone during the card setup process. When Apple Pay is requested, Apple will review the setup and will evaluate information, like device location, iTunes history, and prior mobile activity, to identify the risk associated with the request. Requests are approved, denied or referred back to the card issuer. For referral requests, utilize a strong verification process. To mitigate this type of fraud, utilize a strong verification process to ensure the requesting party is, in fact, your member by implementing a one-time passcode, for example, a text sent to the mobile phone you already have on record. This causes less friction for true members and is more secure.

“CRACKING CARDS” FRAUD: Another subset of ATO fraud is what is known as “Cracking Cards”, in which a legitimate member, typically an “underbanked” person, literally sells their debit card and/or online login credentials to the bad guys for a few hundred dollars. The fraudsters use the acquired account to deposit counterfeit checks and cash them out. The member then claims fraud on their account when you inquire about their activity. To mitigate this scheme, monitor anomalous account activity in real time, and use multifactor authentication for online logins.

SWEETHEART SCAM: We find it hard to believe that people continue to fall for these online dating scams, but unfortunately, this type of fraud must be lucrative, as we continue to see a number of these throughout the year. Basically, this type of fraud involves an emotionally vulnerable member, typically a lonely senior, who is socially engineered to send money to a fraudster who nearly always lives overseas. Typically, the fraudster will concoct a story that involves some hardship or made-up tragic event, and the member will wire funds to help them. A variation of this scheme may involve some sort of fictitious charity. Members may take out personal loans or draw on lines of credit, and in our experience, will lie about the purpose of the loans. Finally, when confronted about the suspicious transactions, the victim members may not help to investigate the fraud, as they will continue to want to believe their online romance is still alive, or they are embarrassed that they fell for the scam.

To counter this fraud, educate your members about these online dating schemes, and monitor large or unusual wire or ACH transfers outside their normal past behavior, especially international transfers. Be alert to the loan purpose stated on applications, and question your member when the stated purpose is to send funds overseas. Finally, make sure your front line staff are properly educated in how to detect Financial Abuse against the Elderly, as this training is now a regulatory requirement in nearly all states.

INDIRECT LOAN FRAUD: Another specific type of application fraud where we have seen a steady increase involves indirect loans. While this fraud may involve using someone else’s identity, in our experience, the fraud is typically true name fraud, but income may be inflated, false employment could be claimed, fake social security numbers may be used, or a fictitious driver’s license may be involved. We have also seen numerous cases that involve a straw borrower, someone who may have been recruited by a fraud ring. The straw buyer will use their own identity to purchase a vehicle, and will disappear after the car is shipped overseas. Also note that dealers may or may not be complicit in these scams, because after all, they want to sell a car and may not be concerned about the loan.

To combat indirect fraud, we use strong underwriting standards that verify employment and income, and obtain a copy of the driver’s license with the photo blacked out to eliminate potential fair lending concerns. Also, monitor the dealers in your indirect network. Track the frequency of first payment defaults, “fast track” delinquency (loans that become delinquent in a relatively short amount of time, such as within 12 months), ongoing dealer portfolio performance, and consumer complaints involving a specific dealer.

DEPOSIT FRAUD: Last, but certainly not least, we continue to see counterfeit checks being deposited, despite the rapid clearing of checks electronically that is afforded by Check 21. Overpayments on loans are a variation of this scheme, in which the member demands an immediate refund for the amount overpaid. ACH deposits that are returned NSF are another variation on deposit fraud. Finally, some members act as “money mules” and use their accounts to launder funds stolen from compromised accounts at other financial institutions.

To fight Deposit Fraud, enforce extended check holds on new members, as allowed by the Expedited Funds Availability Act (Regulation CC), and if possible, use a risk-based check hold policy. Verify large bank checks (teller checks, cashier’s checks or official checks) with the issuing financial institution, and if your credit union uses remote deposit capture, consider verifying first deposits made, and enforce deposit limits through this channel to minimize losses. Finally, your front line staff should be trained to flag suspicious deposits, and escalate them to your Fraud Department.

OTHER PREVENTION STRATEGIES TO CONSIDER: Other prevention strategies to consider to combat fraud include:
■■ Train your staff – Make sure they have a comprehensive understanding of anti-fraud procedures relevant to their jobs.
■■ Figure out your pain point – There is no way to review all suspicious activity, so figure out what your tolerance is for individual and aggregate fraud losses, and focus your process on transactions that exceed these limits.
■■ Consider a Dark Web monitoring service that can detect your data for sale. Use the service by uploading the data of your members who have high exposure (members with large available credit limits or balances) and the service will monitor if their data is for sale on the Dark Web.
■■ Reward your staff for detecting and stopping fraud. We call ours the “Cuff’s Awards”, and staff who prevent fraud are given a monetary award and recognition in a weekly credit union online publication.
■■ Member Fraud education – we use website content and Plasma TVs in branches to educate our members.
■■ Participate in networking events with other credit unions to keep up with fraud trends.

In conclusion, staying ahead of fraud continues to be an increasing challenge, as the fraudsters continue to probe for weaknesses in our screening processes and frequently change their tactics to get through. And in many cases, the fraudsters have a huge advantage as they are already well armed with data about your members from the multitude of data breaches that have occurred. Therefore, using some form of multifactor authentication through trusted channels has become more critical. In addition, we find it is better to rely on multiple strategies to prevent or detect fraud, as the fraudsters will eventually find their way around single points of detection. The other consideration is that credit unions differ in terms of field of membership, products and services offered, so one credit union may have vulnerabilities that are very different than another credit union. Hopefully, you have done risk assessments of your credit union to understand what some of those vulnerabilities are, and hopefully, some of the mitigation techniques we have discussed in this article, if not already in place, might be worth considering to address those vulnerabilities to reduce your risk of fraud.

About the Authors
Doug Wright, CPA, CFE, CUCE, BSACS, started his career in public accounting, and has worked extensively as an internal auditor in the insurance and banking sectors. Doug has worked at Baxter Credit Union in Vernon Hills, Il since 2003, where he is currently the Vice President of Audit and Compliance. Doug also currently serves on the Board of Directors for ACUIA.

Stacy Bausch, who earned an MBA from Keller Graduate School, is the Senior Manager of Fraud at Baxter Credit Union. Stacy began her career at BCU in 2000, and has a significant amount of operations experience from previous positions held, including the Call Center, Loan Processing, Sales and Collections.
KEEP ONLINE LENDING FAIR
AVOID FAIR LENDING AND UDAAP PITFALLS
TODD SHERPY

One of the most common themes over the last 18 months has been the evolution of Fintech and the discussion of the interplay with Consumer Fair Lending Rule in the context of online lending and alternate credit data (or levels), but have urged caution and study. The reason is based on the much discussed theme that the use of alternative data in connection with online lending, computer-assisted underwriting, and artificial intelligence to provide consumer financial services can lead to unintended fair lending and UDAAP risks.
WHAT ARE THE PRIMARY RISKS?
1. Fair Lending Risks in Fintech – The central theme is that Fintech may raise the same types of fair lending risks present in traditional banking, including underwriting discrimination, pricing discrimination, redlining, and steering. This runs the gamut of the two fair lending laws, the Equal Credit Opportunity Act and the Fair Housing Act, which broadly prohibit the two kinds of discrimination most likely to be relevant here: disparate treatment and disparate impact (we omit overt discrimination for apparent reasons).
2. UDAAP and UDAP in Financial Services – If there’s one thing we’ve observed since the passage of the Dodd-Frank Act, it is the CFPB’s ability and willingness to bring claims using its enforcement authority to enforce the Dodd-Frank prohibition on unfair, deceptive, or abusive acts or practices (UDAAP). In addition, the FTC, Federal Reserve, and FDIC have similar authority under Section 5 of the Federal Trade Commission Act, and most states have their own UDAP laws. Thus, the entire process needs to be assessed with UDAAP in mind.
Recommendations:
1. Ask Questions to Evaluate Alternative Data – Examples:
■■ Is there a nexus with creditworthiness?
■■ Is the data accurate, reliable, and representative of all consumers?
■■ Will the predictive relationship be ephemeral or stable over time?
■■ Are you using the data for the purpose for which it has been validated?
■■ Do consumers know how you are using the data?
■■ Is the data being used to determine content shown to consumers?
■■ Which consumers are evaluated with the data?
2. Consider careful legal review as a part of any assessment of these considerations.
3. Review all marketing materials with regard to the considerations addressed above, and per Fair Lending laws generally.
4. Stay tuned – there is likely more to come as this area evolves.
About the Author Todd Sherpy is a founding partner in the law firm of Sherpy & Jones, P.A. with offices in South Carolina and Georgia; and is entering his 30th year of practice in the Credit Union compliance arena. The firm is dedicated to serving all legal needs of Credit Unions; and provides day-to-day compliance, compliance auditing, training and consulting services to Credit Unions throughout the United States.
FAIR LENDING RISKS UNIQUE TO FINTECH
1. Complexity of underwriting and pricing models – Fintech relies on large datasets to build models with which to predict behavior. Such models rely on correlations within the data. There is an implicit causal component to interpretation of those models, and as more factors are added, the likelihood that spurious or distorted correlations are produced increases. This can lead to, at best, unintended disparate effect or, at worst, mistaken conclusions that create fair lending issues.
2. Dynamic systems could prove problematic in an exam – Having access to and relying on vast datasets creates opportunities to have flexible systems which make adjustments in real time. Rapidly adapting processes undergo significant changes over the course of a year and, as such, can be difficult to track. This could prove difficult in navigating a fair lending examination.
3. Use of alternative data may pose unknown risks – A firm’s use of so-called “alternative” data for credit or pricing decisions may produce fair lending risks. Unlike proven measures such as credit scores, others that rely simply on correlations in data may produce unintended consequences. This can include disparate impact or treatment and, in some cases, overt discrimination. (Ms. Evans’ article cites a few examples – which is why we encourage your reading of same.)
4. Elevated marketing-related risks – Over the last two decades, advertising has undergone a transformation from mass communication, with information flowing in only one direction, to more of an interactive process made possible by the digital age. Such systems again rely on correlations from data and can be thought of as “smart” systems that “learn” and “change” in real time. Because such systems are automated, there is little opportunity given to understanding the potential risks of such efforts, i.e., their potential for discriminatory effects.
ADDITIONAL RESOURCES
■■ For a more complete assessment of the topic and issues I encourage reading “Keeping Fintech Fair: Thinking About Fair Lending and UDAP Risks,” a detailed primer by Carol A. Evans, published by Consumer Compliance Outlook, which details general guideposts for evaluating unfair or deceptive acts or practices (UDAP) and fair lending risks related to Fintech. Using highlights from CFPB, FTC, the various banking agencies, and DOJ enforcement actions, “Keeping Fintech Fair” showcases fair lending and UDAP concepts to “help guide thinking early on in the business development process.” There are a tremendous number of links to resources associated with this article (a must read!): https://www.consumercomplianceoutlook.org/2017/second-issue/keeping-fintech-fair-thinking-about-fair-lending-and-udap-risks/
■■ Also, the FRB held an Outlook Live webinar on this on July 16, 2018. It has yet to be archived, but I expect it soon will be. You may want to check in the next week or so to access the recording: https://consumercomplianceoutlook.org/outlooklive/archives/

I strongly feel the resources addressed in “Keeping Fintech Fair” are a significant resource for regulators, enforcement agencies, industry, and advocates seeking to understand and avoid potential Fintech legal pitfalls.
SAM CAPUANO, CBA, CRP

The history of ACUIA is an interesting one, and is neatly summarized on the Association’s website. It’s grown from a few credit unions in Wisconsin in 1989, to an industry-respected group more than 800 members strong across the country and into Canada.
While much has obviously changed over the years, there has been one constant: the Association is largely run by volunteers. While the Executive Office duties have been capably handled by a few different association management firms over the years, it’s the volunteers that are the lifeblood. While at the Annual Conference in Chicago in June, I had a few discussions with some ACUIA regulars (all of whom have volunteered over the years) about a different type of article for this issue. Someone suggested highlighting the volunteer opportunities within ACUIA. Not a bad idea, as this group, including your writer, all have served many roles over the years volunteering for this great association. So, what’s out there? Well, if you have the time, ACUIA has the role.

CHAPTERS
At the aforementioned 2018 Annual Conference, ACUIA Chair John Gallagher noted that there has been a good number of new chapters being formed. These local chapters tend to have more informal gatherings than the regional meetings (more on them in a bit) do. They can be a lunch & learn type of format, or some similar get together. They provide a relatively easy way to network with some of your local colleagues. If you’re interested in forming a new chapter (a current list of existing chapters can be found in the back of this magazine) contact your Regional Director.

REGIONS
ACUIA has six regions covering North America. As a former Regional Director (RD), I can tell you that any of the fine folks who currently serve as an RD would welcome any volunteer work in their regions, especially in putting together annual regional meetings. Volunteer work at the regional level can also include helping new CU auditors get on their feet. The contact information for the RDs is also located in the back of this publication. I am positive they would welcome your call or email.

ANNUAL CONFERENCE
If putting together a regional meeting needs some volunteers, imagine what it is like for the Annual Conference. Volunteer opportunities include a Conference Chair (or Chairs, as it’s often handled by a duo), and those on the committee. The time commitment is typically meetings throughout the year. These often consist of brainstorming sessions on hot topics for the conference sessions, potential speakers, etc. While the conference location and weather (hello, rainy Chicago) go a long way in determining the popularity of the Annual Conferences, it’s the sessions that are the heart and soul. And those sessions are only as good as the volunteers that help determine them.

LEADERSHIP
ACUIA’s Board of Directors and Associate Directors set the tone for the Association. And, they are all volunteers. The current group of nine all have served in many of the volunteer capacities noted above. Indeed, it seems to be a natural progression. Because of this, I’m sure those serving in these roles now are quite familiar to most of you. Of all the volunteer opportunities noted thus far, being a Director or Associate Director is by far the most time consuming. And the most rewarding. I spent eight years involved in this, and loved doing it. If you think that’s a long time, have a conversation with Mr. Gallagher and Mr. Lucas. They left and came back, and we’re all better off as a result. For those of us who are passionate about ACUIA, there is no greater way to volunteer and have a say in the Association’s direction and strategy, both short and long term.

So, to summarize, there is a volunteer role that can fit anyone’s experience and time availability. If you decide to do so, you will not regret it. And, you’ll derive terrific benefits and make lifelong relationships along the way.

About the Author
Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started their IA function in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.

HOW IT SUSTAINS CREDIT UNION HEALTH
RANDY C. THOMPSON, PH.D

Water is an amazing substance. It covers about 71% of the earth’s surface. We use it to drink, wash, water crops and float boats. It can easily convert from a solid (ice) to a liquid, to a gas (steam or mist) and back to a solid again.
As a liquid it flows freely and maintains a constant volume. It is essential for sustaining life. Human beings can exist for up to 6 weeks without food, but only 3 to 5 days without water. Liquids are central to life in all forms, human, animal or vegetation.

How fitting then that financial management uses the term liquidity to describe a critical element of any balance sheet. Liquidity is defined as the ability of an asset to convert to cash to meet immediate and short-term obligations. Just like water, a liquid asset can convert from its present status to cash without losing its current value.

Credit unions see the need for liquidity every day. During a typical working day, members deposit and withdraw money from their accounts, members make payments on loans, members receive new loans and accounting pays bills to credit union vendors. Each of these activities affects liquidity by either moving cash into the credit union, or sending it away.

A lack of liquidity for a credit union, like any other financial institution, can be devastating. Credit union operations are based on trust (members’ certainty that their money is safe and available) and having adequate liquidity reinforces that trust relationship. If members attempt to access money in their account, and it is not readily available, that trust is broken, and a run on deposits can easily start.

The two primary sources of liquidity are new deposits and the repayment of loan principal balances. The two most significant uses of liquidity are withdrawals of deposited money, and the funding of new loans. A good risk management program includes tools and procedures for monitoring and managing the credit union’s liquidity. In fact, NCUA guidance requires credit unions to take steps to ensure adequate liquidity.

As you create and implement a credit union liquidity management plan, please consider including the following elements:
1. Consistent with NCUA guidance, create a measurement of your credit union’s “balance sheet cushion”. Balance sheet cushion is NCUA’s term for the total of cash and equivalents, plus the balance of investments, in your 12-month investment ladder. Use this measure as a key policy guideline for liquidity.
2. Monitor your balance sheet cushions regularly to quantify your ongoing capacity to meet liquidity needs.
3. Regularly, at least quarterly, shock your balance sheet cushion to determine how much deposit runoff your credit union can absorb with your anticipated balance sheet cushion.
4. Calculate the effect of loan growth on your balance sheet cushion, and then re-shock liquidity to determine its adequacy in the current environment.
5. If you are planning to add participation loan pools to your balance sheet, calculate that impact on your balance sheet cushion to determine its impact on liquidity.

Including these steps in your liquidity management plan will help you ensure that liquidity is never an issue for your credit union.

About the Author
Randy C. Thompson, Ph.D. is the CEO and founder of TCT Risk Solutions LLC, a CUSO. He has consulted with Credit Unions for the past 32 years. He holds advanced degrees (Ph.D. and MS) in Finance, Statistics, Economics and Public Health and taught graduate courses in finance and statistics at several Universities in the western United States. He has been a frequent speaker at League and Association meetings across the United States and has authored papers and articles for Credit Union trade journals and for the New Jersey Credit Union League, California/Nevada Credit Union League, CU Times and CU Business trade magazines. He is the creator of TCT Suite of products including risk based pricing, deposit pricing, Credit Migration, with ALLL, and the CostPro Earnings at Risk ALM Simulation Model.

CHICAGO
ACUIA 28th Annual Conference Recap

We blew into the Windy City, Chicago, for ACUIA’s 28th Annual Conference and One Day Seminar, for what is now in the record books as ACUIA’s largest annual conference to date. With over 250 attendees from across the US, including Alaska and Hawaii, Chicago became the ACUIA epicenter for four event filled days and evenings. It was a week filled with camaraderie, educational sessions, some fun and games…and rain. Lots and lots and lots of record breaking rain, almost eight inches for the month, with much of it falling during the conference week. As ACUIA members are well known for being sports fans they were unfortunately rained out of both a Cubs and Sox game. What are the odds…

The One-Day Seminar sessions held on Tuesday highlighted the ACUIA’s continued emphasis on expanding educational resources to ERM and Compliance professions. The evening kicked off the Windy City Welcome Reception and the fourth installment of ACUIA’s game show night. This year’s opening event, complete with a lavish buffet, featured ACUIA’s version of ‘Jeopardy’. Much hilarity ensued through several rounds of fast-paced play. In the end, team ‘The Three Deans’ was edged out…well wiped out by the dynamic duo of Christine Donaubauer and Marilyn Pruitt.

Wednesday morning brought the official opening of the 28th Annual Conference with a wealth of general session speakers including the always popular Ann Butera who shared key insights on managing a multi-generational workforce, Scott Hood from Rochdale Paragon who shared ways to maximize the relationships between ERM and audit professionals and Ian Lampl from Loan Street who enlightened the audience on the inner workings of Loan Participations. The annual business meeting and awards ceremony highlighted Wednesday’s lunch with the following winners announced:

BEST AUDIT PRACTICE AWARD 1ST PLACE: Dennis Burnette, Coastal FCU
PAT RICHEY ARTICLE OF THE YEAR: Shauna Woody-Coussens, BKD
TERRY MCEACHERN AUDITOR OF THE YEAR: Bobby Nichols, State Employees CU (NC)

The evening, which dodged the perpetually poor weather, motor coached over 120 guests to Bella Bacino’s restaurant for an authentic and delightful Italian feast, followed by a much-anticipated downtown Chicago Architectural River tour. The guided boat tour wound through the historic Chicago skyline, highlighting the history of many of the award winning and historical architectural wonders of the city. The tour concluded with a phenomenal fireworks show over Lake Michigan as the boat returned to dock at famed Navy Pier.

Heading into Thursday morning, the program again featured a cross section of topics from Doeren Mayhew’s Robin Hoag’s look at utilizing artificial intelligence in Audit to Tom Harper’s insights from the Federal Home Loan Bank of Chicago. The morning reached its crescendo with Amanda Wick, Trial Attorney with the Money Laundering and Asset Recovery Section of the Department of Justice. Her engaging and enlightening presentation captivated attendees’ attention and spilled over into her overflow attendance afternoon breakout session.

Friday morning wrapped up the conference and served as a well-deserved send-off for one of ACUIA’s longtime members and former Board Chair Jill Chase. Jill announced this was her last conference and that she would be retiring in the coming year, with her grandkids becoming the new focus of her time and attention. In true ACUIA send-off style, conference host Todd Newton asked Jill to join him on stage for a few moments of levity as names were drawn and winners announced for this year’s wealth of door prizes. She was recognized with a rousing round of applause.

Final speakers included the always effervescent, and perennially popular Catherine Bruder who once again delivered an insightful, up-to-the-minute presentation. Closing out the week was long-time NCUA E&I Director and regular ACUIA presenter, Larry Fazio. He peeled back the layers of the increasing threats of online fraud being perpetrated against credit unions and a key NCUA focus in the coming year. With flights to catch and miles to go, the conference adjourned as attendees returned to their respective credit unions richer for the knowledge gained and networking relationships forged.

Always a crowd pleaser, Conference Host Todd Newton
Amanda Wick, Trial Attorney for the U.S. Dept of Justice Money Laundering and Asset Recovery Section captivated attendees with her presentation.
Terry McEachern Auditor of the Year recipient Bobby Nichols (C) is recognized by Auditor of the Committee Chair Dean Rohne (L) and ACUIA Board Chair John Gallagher (R)
Dennis Burnette (R) receives the 1st place Best Audit Practice from ACUIA Chair John Gallagher
Attendees listen during the general session presentations.
The winning Jeparody! team Christine Donaubauer (L) and Marilyn Pruitt (R) with Dean Swenson from team The Three Deans
Associate board member Tara Tocco with former Board Chair Dana McCranie enjoying the welcome reception

BITCOIN
WHAT IT IS AND WHY IT MATTERS
NIK FAHRER

Bitcoin has garnered much attention lately with stories of overnight millionaires and wild price fluctuations. In December 2017, bitcoin futures became more accessible to Wall Street and average investors through the listings of futures contracts. But what exactly is bitcoin and why is it spurring so much attention and wild price fluctuation into 2018? What personal or tax-related risks exist for those invested in bitcoin or another cryptocurrency?

Article reprinted with permission from BKD, bkd.com. All rights reserved.

What Is Bitcoin?
Bitcoin isn’t a currency in the traditional sense. It’s an electronic payment system that allows two parties to directly transact through the use of complex encryption and verification techniques. Each bitcoin transaction is distributed with a timestamp that’s confirmed through a complex computational proof with a permanent link to a prior set of computations. This linked series of proofs is referred to as the blockchain, which is simply a ledger of each transaction in chronological order.

The revolutionary idea behind the bitcoin blockchain system is the absence of a third-party processor through the use of a decentralized ledger. The decentralized ledger processes transactions through competing bitcoin miners using specialized computing hardware and doesn’t rely on a centralized authority, e.g., a bank, for verification and reporting.

Bitcoin is created through a process called mining. Mining is the process of solving highly technical algorithmic problems in transaction blocks. Miners are rewarded for mining a transaction block with a reward consisting of transaction fees paid by users plus a network consensus amount of bitcoin.

Bitcoin is most commonly stored in a digital wallet. Digital wallets allow users to authorize electronic transactions or receive bitcoin from other users. Receipts are facilitated through a unique identifier known as a public address, which directs payments to a specific user’s wallet. Wallets also require a private key, similar to a complex password, allowing users access to the bitcoin stored in their digital wallet.

Misdirected bitcoin transmissions are unlikely since very specific transmission details are needed and these details are verified through a checksum process. If just one letter or number is altered, the user will receive an error preventing the funds from being sent to the wrong address.
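
The checksum process described above can be seen in a short Python sketch of Base58Check validation, the scheme used by legacy bitcoin addresses; this is an added example, not code from the article or from BKD. The format details (version byte 0x00, 20-byte payload, 4-byte double SHA-256 checksum) and the constructed sample payload are assumptions that the article does not state.

```python
import hashlib

# Base58 alphabet: no 0, O, I or l, so look-alike characters cannot appear.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Constructed 20-byte payload standing in for a public-key hash (not a real wallet).
SAMPLE_PAYLOAD = hashlib.sha256(b"constructed sample key").digest()[:20]


def _checksum(data: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload + checksum as a Base58Check string."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    # Each leading zero byte is written as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58check_decode(address: str):
    """Return (version, payload); raise ValueError on any malformed input."""
    n = 0
    for ch in address:
        if ch not in B58_INDEX:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + B58_INDEX[ch]
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20 payload bytes + 4 checksum bytes
        raise ValueError(f"decoded length {len(raw)} is not 25 bytes")
    data, check = raw[:-4], raw[-4:]
    if _checksum(data) != check:
        raise ValueError("checksum mismatch")
    return data[0], data[1:]


def is_valid_address(address: str, expected_version: int = 0x00) -> bool:
    """True only if the string decodes cleanly and carries the expected version."""
    try:
        version, _ = b58check_decode(address)
    except ValueError:
        return False
    return version == expected_version


def single_char_typos_accepted(address: str) -> list:
    """Try every one-character substitution; return any that still validate."""
    accepted = []
    for i, original in enumerate(address):
        for ch in B58_ALPHABET:
            if ch == original:
                continue
            candidate = address[:i] + ch + address[i + 1:]
            if is_valid_address(candidate):
                accepted.append(candidate)
    return accepted


if __name__ == "__main__":
    addr = b58check_encode(0x00, SAMPLE_PAYLOAD)
    print("constructed address:", addr)
    print("valid as written:", is_valid_address(addr))
    print("one-character typos that still pass:", len(single_char_typos_accepted(addr)))
```

Because the checksum is only 4 bytes, detection is probabilistic rather than absolute: a random corruption slips through roughly once in 2^32 attempts. The check also says nothing about whether a well-formed address belongs to the intended recipient.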

Uncertainties & Risks
With any new technology come risks. Transacting or investing in bitcoin requires technical knowledge of the software involved and the various associated risks of loss. The associated risks have less to do with the security of the bitcoin network itself, which has been referred to as the world’s most secure network, but rather with services involved in the transmission or unsecured storage of bitcoin. Hacked bitcoin exchanges have resulted in the theft of bitcoin stored on those exchanges. However, bitcoin stored in digital wallets is less likely to be stolen since it’s secured through a user’s private key. Many users maintain these private keys in electronic or paper form due to the key’s complex nature. There’s no centralized management of bitcoin by design, though, which means there’s no ‘forgot password’ service. This subjects users to loss of access to their bitcoin wallet if this private key is exposed or misplaced.

Tax/Financial Implications
While bitcoin is legally traded in 96 of 246 countries/regions, including the U.S., it’s not currently considered legal tender in any country or region. The U.S. Commodity Futures Trading Commission has ruled bitcoin is a commodity. The IRS indicates bitcoin should be treated as intangible property similar to other stocks or futures contracts.

Reporting Taxable Transactions
Many taxpayers rely on Form 1099 or W-2 details from their brokerage firm or employer to report taxable transactions for the year. Transactions conducted through bitcoin that would otherwise be reported on these forms may be omitted due to the lack of a centralized reporting authority. However, paying employees or independent contractors with cryptocurrencies won’t circumvent payroll tax, backup withholding, W-2 or 1099 reporting requirements. In addition, the scope of what constitutes a taxable bitcoin transaction to the holder of the coin is more involved than other traditional investments and may include the exchange or sale of bitcoin units, purchasing goods or services using bitcoin or receiving bitcoin as compensation for services.

More merchants are starting to accept bitcoin payments for goods or services. With the IRS opinion that bitcoin is intangible property, each payment for goods or services made through bitcoin will trigger a taxable transaction. For example, purchasing a cup of coffee with bitcoin effectively involves selling the bitcoin asset back to U.S. dollars before completing the purchase, which may carry a taxable gain or loss. The character and amount of any gain or loss will depend on the specific facts and circumstances of the taxpayer’s bitcoin holdings.

An area of uncertainty regarding bitcoin taxation involves several splits of the core bitcoin that occurred in 2017, known as hard forks. Groups such as the American Bar Association and the American Institute of CPAs have, or are issuing, requests to the IRS to provide clarity on the effect of these transactions.

Computing Gains & Losses
There are challenges when reporting the gain on the buying and selling of bitcoin. Taxpayers have the option to sell specifically-identified coin shares or default to selling either the most recent or most distant shares held. Since the circumstances around selling coin may carry a different level of intentionality from what investors are used to with stocks or other securities, considerations of what specific coin is sold may not be front of mind. In addition, determining the basis and holding period of a taxpayer’s bitcoin can be a risk if the user bought bitcoin at different prices or differing amounts or held units through a hard fork event (similar to a security split transaction). The opportunities for taxable transactions are broad and not always readily known to the casual bitcoin investor.

IRS Compliance
Since transacting bitcoin is a taxable event in most cases, it’s important to remain compliant with available guidance and current tax laws. Recently, the IRS Criminal Investigation division hired a team of 10 investigators to build cases against tax evaders who use cryptocurrencies. The IRS has even been successful in identifying customers of Coinbase, which is one of the most commonly used digital asset exchanges in the United States. This trend shows no sign of slowing and cryptocurrency transactions remain a high-risk area for the IRS.

If bitcoin holdings are part of your investment portfolio, you’re active in bitcoin mining or you otherwise invest in cryptocurrencies, contact Nik to further discuss proper treatment and the related tax risks.

About the Author
Nikolaus Fahrer serves corporate, partnership and individual clients in a number of different industries. His technical knowledge includes tax planning and compliance, including multistate compliance and accounting method strategies. Nik has experience with cryptocurrencies and is a member of BKD’s internal Blockchain Committee.
{ the standards } Pat Richey, Retired credit union internal auditor
Quality Assurance and Improvement Program Standard 1300 requires support and oversight.
Ongoing Monitoring IG1300 says that ongoing monitoring is internal audit’s continuous, day-today activities, such as engagement planning and supervision, standardized work practices, workpaper procedures, testing audit work, report reviews, identifying internal audit areas in need of improvement and action plans to address the weaknesses. Ongoing monitoring focuses on the engagement level. These activities determine if each and every engagement is conducted with the expected qual-
RD 130 A 0 D N
ST A
Internal Assessments Standard 1311 states there are two required components of an internal assessment: ongoing monitoring and periodic self-assessment. An internal assessment includes a rigorous and comprehen-
ST A
departments are quality departments. Quality will be an integral part of the internal audit activity if all engagements are based on procedures that conform with the Standards Implementation Guide (IG) 1300 says that to get started on a QAIP the Chief Audit Executive (CAE) must have a thorough understanding of the Standards and the Code of Ethics. I think that to be a CAE an internal auditor should have that understanding in order to get the title, and all internal auditors should have that same understanding (which is why I am writing this Standards series of articles) The CAE should get the board of directors or audit committee’s support for the Standards and the QAIP, and the audit committee should provide program oversight. The QAIP should cover all internal audit activities, including consulting engagements. Standard 1310 requires both internal and external assessments.
ARD 1300 D N
S
tandard 1300 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that the internal audit department must have a quality assurance and improvement program (QAIP). This Standard answers the question “Who audits the audit department?” Standards1300-1322 and related Implementation Guides are 32 pages long, most of it redundant. This article attempts to summarize the guidance in 2000 words. Also, The Institute of Internal Auditors (IIA) offers a sample QAIP and a $230 “Quality Assessment Manual for The Internal Audit Activity.” So, there is plenty of QAIP guidance for credit union internal auditors. One of internal audit’s functions is to assess the efficiency and effectiveness of credit union operations, and make recommendations for improvement. However, internal audit has to use the same systematic and disciplined method for improving the internal audit function. Improvement should not be a random shot in the dark The credit union should have assurance that the internal audit function is a “quality” function. In the book Zen and the Art of Motorcycle Maintenance by Robert Pirsig, the narrator drives himself crazy (literally) trying to define “Quality”. However, for internal auditors, the Standards and Code of Ethics are the benchmarks for determining whether internal audit
sive evaluation of conformance with the Standards and Code of Ethics, the quality and supervision of audit work, internal audit policy and procedures, internal audit’s value to the credit union, the achievement of key performance indicators (KPIs), and meeting stakeholder expectations. Internal assessments mean being hard on yourself and your harshest critic. You’re not doing anyone any favors by attempting half-hearted or watered-down internal assessments.
www.acuia.org | TH E AUD IT R EPORT
29
ST A
There are two required components of an internal assessment: ongoing monitoring and periodic selfassessment.
RD 130 0 DA N
ST A
ARD 1300 D N 30
www.acuia.org | TH E AU D I T R E P O RT
ity. Ongoing monitoring is the routine management of standard work practices. Your internal audit activity should have standard templates used consistently for all engagements. The key to ongoing monitoring is supervision from planning through reporting. IG 1311 lists mechanisms used for ongoing monitoring, including setting expectations, communications, work paper review, procedure checklists, or automation tools, client feedback, KPIs, and efficiency and effectiveness measurements. KPIs include the number of certified internal auditors (CIA) on staff, years of internal audit experience, the number of continuing professional development hours, engagement timeliness, percentage of audit recommendations implemented, timeliness of corrections and client satisfaction. Efficiency and effectiveness measures include project budgets, budget-to-actual variance, timekeeping systems, and audit plan completion. The purpose of ongoing monitoring is to identify internal audit improvement opportunities, which in turn improves the credit union’s overall operations. After the CAE develops an action plan for improvement, KPIs can be used to monitor success.
Periodic Self-Assessments Periodic assessment is different from ongoing monitoring in that the assessments provide a comprehensive review of every Standard and the internal audit activity as a whole. Periodic assessments validate that ongoing monitoring is effective. The ACUIA website has a link to self-assessment questionnaires. Self-assessments must be conducted by persons with an understanding of all the elements of the International Professional Practices Framework.
Assessments can be performed by one assessor or a team that includes various internal auditors from the internal audit activity. The assessor, or team, evaluates whether the internal audit activity complies with each and every Standard. The assessment can include interviews, surveys and KPI analysis. The assessor may select a sample of engagements and review compliance with internal audit policies and the Standards. However, a post-engagement review should not be conducted by audit staff who were involved in the respective engagement.
External Assessments Standard 1312 states that external assessments must be conducted at least once every 5 years by a qualified, independent assessor (or team) outside the credit union. Wouldn’t your auditees love to have audits every 5 years! The assessor must give an opinion as to whether the internal audit activity conforms with the Standards and Code of Ethics, and identify areas of improvement. Notice that the standard says an external assessment is required at least once every five years. You and your audit committee may decide that an external assessment needs to be conducted more often if there are changes in leadership or significant audit policies, the merger of two or more audit organizations, or significant staff turnover. The CAE must discuss with the Board the form and frequency of external assessments, and the qualifications and independence of the assessor, including any conflict of interest. Assessor Qualifications The assessor must be competent in the professional practice of internal auditing, and the external assess-
{ from the editor }
Here’s to 25 More Tabitha Ernst-Chadwick
ment process. IG 1312 says that the preferred qualifications for an assessor is CIA certification, knowledge of leading internal audit practices, and audit management experience. Additional qualifications include previous external assessment work, and completing the IIA’s quality assessment training course. According to the Interpretation of Standard 1312, in the case of an assessment team, not all members need to have all the competencies; it is the team as a whole that is qualified. Assessors must be independent and objective. They must be free of perceived conflicts of interest that could impair objectivity, such as any relationship with the credit union or its internal audit activity. IG 1312 says this relationship includes consulting services, performing financial statement audits when the external audit relies on internal audit work, previous internal audit employees, or employees of other credit union departments or affiliate. There are several resources for obtaining external assessments. Many external audit firms provide external assessments, as does IIA Quality Services (you can obtain their brochure on the IIA website). It is more valuable if the assessor’s experience was gained in a institution of similar industry, size or complexity than less relevant experience. For this reason, external assessments by other credit union auditors can work well – auditor from one credit union assessing the audit activity at another credit union. I am most familiar with peer assessments. For instance, I performed an external assessment at a California ACUIA member credit union, and a North Carolina ACUIA member performed an external assessment at my Indiana credit union. In a peer assessment, the auditor is critiqued by a credit union
auditor who walks in the same shoes, experiences the same rewards and struggles of implementing an internal audit function, perhaps with limited resources. However, a peer assessment is NOT a “You audit me and I’ll audit you” arrangement, which would be a conflict of interest and is not independent. However, if I audit you, and you audit Jane Doe, and Jane Doe audits me, then that is acceptable. There is the expectation that if a peer performs an external assessment for you, you will, in turn, perform an assessment for another auditor.
Self-Assessment with Independent External Validation
An alternative to a full external assessment is a self-assessment with independent external validation (SAIV) by a qualified, independent external assessor. In this approach, the audit activity would conduct a comprehensive and documented self-assessment that mirrors a full external assessment’s evaluation of Standards conformance. Then the external assessor would perform an onsite validation of the self-assessment.
Reporting on the QAIP
Standard 1320 says the CAE must communicate the results of the QAIP to senior management and the Board, and include the scope and frequency of the internal and external assessments, the qualifications and independence of the assessor(s), assessors’ conclusions, and corrective action plans.
Scope and Frequency
The CAE must discuss with senior management, and the Board, the form, content and frequency of reporting QAIP results. Details of the QAIP are documented in internal audit’s charter and policies and procedures manual. The internal audit charter includes the scope of the internal audit activity’s responsibilities and expectations of stakeholders. The QAIP report scope may include the internal audit practices assessed against the Standards. The CAE reports the results of external assessments upon completion. The Interpretation of Standard 1320 states that the results of periodic internal assessments are communicated upon assessment completion, and the results of ongoing monitoring are communicated at least annually. IG 1320 suggests that while larger credit unions may conduct periodic internal assessments annually, smaller or less mature internal audit departments may perform a periodic assessment over a multi-year period and report on the results of the work during each period separately. Ongoing monitoring includes reporting on internal audit KPIs.
External Assessor’s Conclusions
The external assessor must include an opinion or conclusion on the overall degree of conformance with the Standards. IG 1320 says the assessor’s report can include the assessment for each standard or standard series. However, I would not include that detailed an assessment in the Board report. The assessor can simply use a “does conform” or “does not conform” rating, or a rating system that shows degrees of conformance, such as “generally conforms”, “partially conforms” and “does not conform”.
Corrective Action Plans
After the CAE has reported the corrective action plans to the Board, the assessor’s recommendations and the action plans should be added to internal audit’s mechanism for monitoring progress of all audit recommendations (e.g. follow-up table). The CAE can report on the status of the external assessment action plans as part of internal audit’s monitoring progress reporting, or after the next internal assessment.
Conformance Statement
Standard 1321 says the internal audit activity can use the phrase “Conforms with the International Standards for the Professional Practice of Internal Auditing” only if supported by the results of a QAIP that includes internal and external assessments. Internal audit can use the conformance statement until the next external assessment (and assuming internal assessments continue to support the statement). So internal audit can only use the statement for 5 years, and it should not be used thereafter if there is not a subsequent external assessment. I used the statement as a footnote on all my audit reports. Internal audit should consider the overall conformance conclusion when determining its ability to use the conformance statement. If an internal audit activity did not have the collective skills and knowledge to conduct a particular audit (Standard 1210 Proficiency), that does not affect overall conformance. However, if the internal audit activity does not have the knowledge and skills to perform any audit work, that would affect overall conformance. If internal audit only partially conformed with one or more standards and has an action plan to achieve full conformance with the Standards, then internal audit can use the statement if there is an overall conformance conclusion.
Nonconformance
Assessments may conclude that the internal audit activity is unable to fulfill its responsibilities to stakeholders. Standard 1322 states that if nonconformance with the Code of Ethics, or the Standards, impacts the overall scope of operation of the internal audit activity, the CAE must disclose the nonconformance, and the impact, to senior management and the Board. Nonconformance must be disclosed annually.
About the Author
Pat Richey was Director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
{ member spotlight }
Pat Richey
Dian Scott
The ACUIA spotlight for this issue is shining brightly on our “Standards” authority, Pat Richey.
In The Audit Report, Pat has been diligently breaking down all aspects of the International Professional Practices Framework (IPPF): the IPPF elements related to the Core Principles and the Code of Ethics. Pat is a Canadian citizen, from beautiful Montreal. When she was 18, she moved to Bloomington, IN, home of Indiana University, to be a nanny. She stayed there because she met the man who would become her husband. She also earned her accounting degree from IU, while raising two daughters. After earning her degree, Pat was substitute teaching, and really not planning on working full-time. However, that changed when she received a call from a local credit union, offering her a job. Seems that the IU auditing professor had strongly recommended her for the credit union’s opening in internal audit. At the time Pat didn’t know what a credit union was, or anything about internal audit. However, she quickly became an expert in all things relating to internal audit. She spent 23 years in the field, and loved every minute of it. Pat was a very active member of ACUIA from its inception in 1991 until she retired 5 years ago. Along the way, she served on the ACUIA Board of Directors, was a regional director and the Indiana chapter coordinator. She attended the first Annual Conference and continued attending conferences regularly over the years.
Pat has four grandchildren, and much of her free time revolves around them. The oldest is in the US Army now, but he attended ACUIA conferences with her when he was young. This busy lady belongs to three bridge groups, plays Mah Jongg every week, and volunteers at the elementary school library and at a local food pantry. She and her husband travel A LOT, enjoying the life of carefree retirees. Many thanks, Pat, for sharing your ACUIA life with us. We look forward to enjoying more of your informative articles in this magazine. Happy travelin’.
{ regional news }
REGION 1
Julie Wilson, Director
Director Internal Audit, iQ CU
360.992.4233
juliew@iqcu.com
Denali Credit Union hosted the Region One meeting (May 24-25) in Anchorage, AK. We had two days of great speakers and topics: Patrick Mathew, IRS (SAR Data & Fraud); Kris Bullinger, Compliance Services Group (Compliance Audit Program and HMDA); Chris Wetzel, Moss Adams Sr. Manager (BSA System Validations). We spent 3 hours with Lia Patton and Sam Thompson, 800 (Data Analytics); Ellen Sas and Roger Jones, Hauser, Jones & Sas (BSA – 5th Pillar Requirements). Roger also hosted our round table discussion. The meeting was well-attended, with 22 participants. Region One is currently planning another meeting, to be held in October. Look for more information on www.ACUIA.org as we get closer to October.
REGION 2
Andrea Munoz, Director
Internal Audit, Senior Staff Auditor
First Tech Federal Credit Union
916.660.4255
andrea.munoz@firsttechfed.com
Region 2 attendees at the convention in Chicago shared feedback at a round table discussion on the last day. Going forward, members will have the chance to share thoughts and ask questions of the collective group, via a forum conducted by myself. A link was emailed to those members. Save the date! ACUIA Region 2 Annual Meeting will be at the Burbank City Federal Credit Union in Hollywood, CA, Oct. 4-5. Region 2 is looking for chapter coordinators for California, Nevada, Colorado, New Mexico and Hawaii. CA/NV can be one person, as can CO/NM.
REGION 3
Tom Cosby, Director
Vice President Internal Auditing
Crane Credit Union
(812) 863-7000 ext 7142
tcosby@cranecu.org
The Region 3 Conf. will be Oct. 3-5 at Royal Credit Union in Eau Claire, WI. Registration opens Aug. 20. Region 3 has a new ACUIA chapter in Ohio. Sarah Boyer is the chapter coordinator.
REGION 4
Gayle Gines, Director
Senior Internal Auditor
Randolph-Brooks Federal Credit Union
210.637.4130
ggines@rbfcu.org
No news reported.
REGION 5
Michael P. Moreau, CIA, CFE, CFSA, Director
MACPAGE LLC
225 Cedar Hill St., #200
Marlborough, MA 01752
800-339-5701 cell: 978-760-0195
The Region 5 meeting will be held Oct. 1-2 in Albany. Details soon.
REGION 6
Jason Alexander, CIA, MBA, CICA, Director
Director of Internal Audit
LGE Community Credit Union
770-421-2579
jasona@LGEccu.org
The Region 6 regional meeting is set for Oct. 17-19 in exciting Nashville, TN. Check the ACUIA website for registration details. This meeting is special because the Tennessee Corporate Credit Union (volcorp.org) will be hosting the event. Please reach out to me (Jason@LGEccu.org) if you would like to join the team as a coordinator. We’d love to have you on board.
{ region directors }
REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Andrea Munoz, andrea.munoz@firsttechfed.com
REGION 3: Tom Cosby, tcosby@cranecu.org
REGION 4: Gayle Gines, ggines@rbfcu.org
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, MPM@macpage.com
REGION 6: Jason Alexander, CIA, CICA, jasona@lgeccu.org
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.
REGION 1
CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins, trobbins@mapscu.com
REGION 2
ARIZONA CHAPTER: Jason Garlutzo, Jason.Garlutzo@azstcu.org
CALIFORNIA CHAPTER: VOLUNTEER NEEDED!
UTAH CHAPTER: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com
HAWAII CHAPTER: Nikki Ige, Nige@kcfcu.org
REGION 3
ILLINOIS CHAPTER: Rick Torres, rtorres@CreditUnion1.org
INDIANA CHAPTER: Tom Cosby, tcosby@cranecu.org
MINNESOTA CHAPTER: Ashley Shrode, Ashley.Shrode@thrivent.com
MICHIGAN CHAPTER: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
IOWA CHAPTER: Brittany Metz, brittanymetz@uiccu.org
OHIO CHAPTER: Sarah Boyer, sarahb@kembaCU.org
WISCONSIN CHAPTER: Karla Hodgkins, khodgkin@Covantagecu.org
REGION 4
ARKANSAS CHAPTER: Patrick McCollough, pmccollough@AFCU.org
NORTH TEXAS CHAPTER: VOLUNTEER NEEDED!
ST. LOUIS CHAPTER: David Caster, dcaster@firstcommunity.com
REGION 5
NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!
REGION 6
ALABAMA CHAPTER: Adrienne Breckenridge, CPA, abreckenridge@avadiancu.com
GEORGIA CHAPTER: VOLUNTEER NEEDED!
FLORIDA CHAPTER: Lourdes Camacho, lourdesc@sccu.com
MARYLAND CHAPTER: Nikki Torres, nichele.torres@towerfcu.org
NORTH CAROLINA CHAPTER: VOLUNTEER NEEDED!
SOUTH CAROLINA CHAPTER: Tammy Farmer, tammyf@scscu.com
TENNESSEE CHAPTER: Michelle Clark, CUCU, mclarck@ecu.org
{ acuia select }
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.