Volume 27, Issue 4, 2018
The Magazine of the Association of Credit Union Internal Auditors, Inc.
IRR LIMITS: WHAT’S RIGHT FOR YOUR CREDIT UNION?
COMPLIANCE: THE NEW FRONTIER
DUE DILIGENCE: EVALUATE YOUR CUSTOMERS
INCENTIVE PAY PLANS: A VIEW FROM THE INSIDE
CLOUD SECURITY: KNOW THE RIGHT DEFENSES
An Unmatched Experience
At Doeren Mayhew, we deliver a unique experience and a level of service that is unmatched in the industry.
Internal Audit and Regulatory Compliance: Tailoring each engagement, our Certified Internal Auditors and Certified Compliance Officers consider the credit union as a whole to execute a plan that will identify, monitor and assess risks before they threaten operations.
Credit Risk Management: Leveraging our hands-on experience, we deliver insight into the fundamentals of lending governance, administration and day-to-day operations.
IT Assurance: Taking an integrated security management approach, our credentialed technology team ensures confidence in the integrity and security of IT control frameworks.
External Audit: Remaining independent, while working collaboratively with credit union teams, Doeren Mayhew delivers practical solutions that improve internal controls and accounting efficiencies through accurate and timely financial reporting.
We invite you to experience what our clients do. Call us today at 888.433.4839.
{ contents }
FEATURES
6 Set the Tone at the Top — It’s a new frontier for compliance. Here’s how to meet the challenges with an effective and efficient program. Keith Salmon, CAMS
10 IRR Limits — How setting credit union specific IRR limits enhances ERM. Randy C. Thompson, Ph.D.
14 The Measure of a Customer — BSA/AML customer due diligence procedures updates. Joan Crenshaw & Lauren Hellman
18 Credit Union Branch Incentive Pay Plans — An Internal Auditor’s perspective. Stephen Labarbera
26 Confronting a Shifting Reality — Threats and defenses for Credit Unions in the cloud environment. Brad Atkin, CPA, CISA, CITP-shareholder
30 Communicating Audit Findings — As Internal Auditors, we are judged by several things, but perhaps none more so than our audit findings. Sam Capuano, CBA, CRP
DEPARTMENTS
2 From the Editor — Growing and Changing. Dian Scott
4 Chairman’s Message — Thinking Strategically for 2019. John Gallagher
29 The Standards — Managing the Internal Audit Activity. Pat Richey
36 Member Spotlight — Shelley Engleman. Tabitha Ernst-Chadwick
38 Regional News
39 Region Directors and Chapter Coordinators
The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members. Executive Editor: Dian Scott Designer: Victoria Valentine Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases. Permission requests to reproduce written material should be sent to: ACUIA, 332 Commerce St., Suite 100, Alexandria, VA 22314, (703) 688-2284
© Copyright 2018, ACUIA. All rights reserved.
{ from the editor }
Growing and Changing
Dian Scott
It’s a special time of year, and a good time to be a member of ACUIA.
It’s been another wonderful year here at ACUIA. Membership continues to grow, and training opportunities continue to expand across the country. Most scheduled events are booked solid well before the dates of the sessions. We are very fortunate to have such dedicated, hardworking Board members, who work tirelessly throughout the year to line up dynamic speakers for workshops and seminars. And we now have two associate directors, Tabitha Ernst-Chadwick and Tara Tocco, who have committed their talents and expertise to the Board. Tabitha is well-known for her articles in the Audit Report and her assistance with spotlights when needed. Tara will be assisting in providing stats on regional changes and additions. Many thanks to both of them. Five new state chapters were added this year (Alabama, Louisiana, Minnesota, Oregon and Washington state). All ACUIA members are encouraged to become chapter coordinators. If you are interested, contact your regional director, or Tara Tocco, ttocco@hughesfcu.org.
Warmest holiday wishes to you all.
Dian
Dilanto166@gmail.com
301-774-6484

2018 Board of Directors
Chair: John Gallagher, CUERME, SEFCU, (518) 464-5245, jgallagh@sefcu.com, Term 2016–2019
Vice Chair: Margaret Chamberlain, CUERME, Arizona State CU, (602) 452-4960, Margaret.chamberlain@azstcu.org, Term 2017–2020
Treasurer: Barry Lucas, CPA, CIA, CFSE, Desco FCU, (740) 354-7791 (ext. 3334), barryl@descofcu.org, Term 2017–2020
Secretary: Dean Swenson, CPA, Wings Financial FCU, (952) 997-8131, dwsenson2@wingsfinancial.com, Term 2018–2021
Director: Jill Meznarich, Schools First FCU, (714) 466-8676, jmeznarich@schoolsfirstfcu.org, Term 2018–2021
Director: Doug Wright, CPA, CFE, CUCE, BSACS, Baxter CU, (847) 932-8765, doug.wright@bcu.org, Term 2016–2019
Director: Bobby Nichols, State Employees CU, (919) 839-5338, bobby.nichols@ncsecu.org, Term 2018–2021
Associate Director: Tabitha Ernst-Chadwick, Marine FCU, (910) 355-5611, TErnst@marinefederal.org
Associate Director: Tara Tocco, Hughes FCU, (520) 205-5744, TTocco@hughesfcu.org
ACUIA executive office: 332 Commerce St., Suite 100, Alexandria, VA 22314, (703) 688-2284, acuia@acuia.org

By the Numbers: Compliance
[Infographic; the figure values are not recoverable from the text. Notes: 1 Includes risk mgt, member-facing and support employees; 2 Includes technology investments; 3 Includes compliance, technology legal and training]

www.acuia.org | The Audit Report
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
CLOSE THE AUDIT PERFORMANCE GAP
ACL White Paper: Integrating Working Papers with Audit Management — How to shift working papers from ‘common practices’ to ‘best practices’. Dan Zitting, CPA, CISA, CITP, Vice President, Product Management & Design.
Download at acl.com/working-papers »
{ chairman’s message }
Thinking Strategically for 2019
John Gallagher
We look to offer more educational sessions, webinars, networking opportunities, and tools.
The ACUIA Board just completed our strategic planning session and are very much looking forward to 2019 and beyond. The Association as a whole continues to be strong and the changes and enhancements planned will make us even better. We look to provide more offerings in terms of educational sessions, webinars, networking opportunities, and tools than in previous years, which in turn makes your membership in ACUIA even more valuable. As you may have noticed, we continue to expand our offerings to those serving in a risk management capacity at their credit unions. While it is recognized that the roles of internal auditors and risk managers are different, we believe there is value in these two professions working and learning together. That is why ACUIA continues to expand its membership out to credit union risk professionals. Planning for the 2019 annual conference in the mile-high city of Denver next June is well underway and is being overseen by the conference committee co-chairs Dean Swenson and Margaret Chamberlain. Early indication is that the conference will again be filled with valuable educational sessions, networking opportunities, and just plain fun. So just like my plans to rake up some leaves this weekend, I encourage each of you to do your own “cleanup” so that you are prepared for what may lie ahead for you in 2019. It’s always better to start the year out prepared and strong than to be weighed down by what you simply didn’t get to or complete this year. Remember to always demonstrate your value to the credit union! Happy Holidays to everyone. Thank you all for your continued support of ACUIA. I look forward to seeing everyone in 2019.
WE NEED YOU! The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership. Please email Dian Scott at acuia@acuia.org to learn more.
With Expertise Comes Confidence
Crowe is one of the top 10 auditors of credit unions with more than $100 million in assets.¹
Audit / Tax / Advisory / Risk / Performance
Smart decisions. Lasting value.™
¹ 2018 Supplier Market Share Guide: Credit Union Auditors, Callahan & Associates
Visit www.crowe.com/disclosure for more information about Crowe LLP, its subsidiaries, and Crowe Global. © 2018 Crowe LLP.
SET THE TONE AT THE TOP
IT’S A NEW FRONTIER FOR COMPLIANCE. HERE’S HOW TO MEET THE CHALLENGES WITH AN EFFECTIVE AND EFFICIENT PROGRAM.
KEITH SALMON, CAMS, MOSS ADAMS
As national administrations turn over, changes are often made that affect credit unions and their regulatory requirements. Under the Trump administration, for example, the Economic Growth, Regulatory Relief, and Consumer Protection Act signed into law on May 24, 2018, provided targeted regulatory relief to financial institutions.
Without an effective and efficient compliance department, regulatory changes such as these can cause unnecessary stress to a financial institution and its officers and board of directors. Here are items to consider when building a compliance program.
SET THE TONE AT THE TOP
Instilling a culture of compliance at a credit union begins with senior-level management and buy-in from the board of directors. Together, these two populations set the tone for an entire institution. This can be accomplished through three key steps:
■ Ensuring compliance efforts are mentioned in all job descriptions and annual employee reviews
■ Implementing and overseeing an effective compliance management system, which includes a compliance monitoring system and audit programs
■ Appointing a qualified compliance officer to fit the risk of the credit union, establish a reporting structure, and deal with compliance resolutions across all departments
BUILD A STRONG COMPLIANCE TEAM
The size of an institution’s compliance team should directly correlate to the complexity and risk profile of the credit union. This may be influenced by an institution’s size, risk appetite, and the products and services offered. Compliance teams are commonly viewed as cost centers, which often results in them being leanly staffed. However, viewing them instead as profit protectors may prove more beneficial because the expense of a civil money penalty will almost always greatly outweigh the expense of employing knowledgeable and professional staff as part of an effective compliance management system. Organizations can also benefit from thinking of compliance teams as an investment to help mitigate an institution’s reputational risk. To help achieve this goal, build a team with diverse experience from different types of financial-service organizations, such as:
■ Prior employment at institutions in a different asset-size class
■ Prior employment at different institution types, such as commercial or consumer banks, broker-dealers, and credit-card servicers
■ Prior experience as a financial regulator or consultant
In addition to building a team with wide-ranging experience, encourage staff members to earn certifications, such as:
■ Certified Regulatory Compliance Manager
■ Certified Community Bank Compliance Officer
■ Credit Union Compliance Expert
Financial regulators often prefer departments with certified staff members because it demonstrates a certain level of knowledge, and proves the institution is committed to investing in training.
Additionally, encouraging staff to develop enhancements to compliance processes and then work with management and front-line staff to implement them can build a rapport and comfort with the compliance department that may pay dividends in the long run.
IMPLEMENT AN EFFECTIVE TRAINING PROGRAM
Arguably, the most important aspect of a strong compliance program is a training program that’s required, customized, and ongoing for all employees. These trainings should cover applicable compliance policies, procedures, and regulations and include various quizzes to help assess knowledge retention. As compliance laws and regulations are frequently updated and modified, it’s imperative that staff stays up to date and knowledgeable on all upcoming changes. This can be accomplished in the following ways:
■ Attending conferences
■ Taking continuing-education classes
■ Participating in local professional organizations
■ Subscribing to regulatory-body newsletters
The proactive dissemination of pertinent information to all institutional departments—through training sessions or other avenues of communication—can help further ensure compliance efforts are kept up to date.
ADDITIONAL RESOURCES
The following documents contain further information about building a regulatory compliance program:
■ National Credit Union Administration Supervisory Letter: Evaluating Compliance Risk—Updated Compliance Risk Indicators
■ Office of the Comptroller of the Currency Handbook on Compliance Management System
■ Federal Deposit Insurance Corporation Compliance Examination Handbook—Compliance Management System
■ Bureau of Consumer Financial Protection Examination Procedures—Compliance Management Review
■ Federal Reserve Community Bank Risk-Focused Consumer Compliance Supervision Program
About the Author Keith Salmon has worked in the banking industry since 2013 and focuses on consulting with financial institution clients, including banks, credit unions, and mortgage companies. He can be reached at (214) 242-7418 or keith.salmon@mossadams.com. Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.
IRR LIMITS
How Setting Credit Union Specific IRR Limits Enhances ERM
RANDY C. THOMPSON, PH.D.
Recently, I had a discussion with an NCUA examiner regarding Interest Rate Risk (IRR) management at three credit unions he was examining. The examiner’s particular interest related to the IRR limits these credit unions were employing. He told me that the three credit unions he referenced had equity ratios of 6.78%, 9.35% and 13.46%, respectively. He then said that all three credit unions were using the same IRR limits, i.e., Net Interest Income (NII) at risk -35% and equity at risk -40%. The obvious point he was making was that it seemed implausible to him that three credit unions, with such different levels of capital, could justify having the same IRR limits. I agreed with him wholeheartedly.
These three credit unions had identified meaningful limit types to support IRR management, namely Net Interest Income (NII) at risk, Equity at risk, and minimum equity ratio. The problem was that the actual limit values were not linked to their specific equity ratios or net interest income levels. Any credit union manager who has suffered through an examination will agree that interest rate risk is a hot button issue for regulators. It is an issue that will continue to be a major focus of examinations for the foreseeable future. It is also a critical element of Enterprise Risk Management. Federal regulations make it clear that credit union boards and managers must develop consistent and valid strategies for measuring and managing IRR in their institution. Foundational to any IRR management strategy is the creation of meaningful IRR limits. To be useful, limits must be valid and directly connected to the current financial condition of an individual credit union. Limits provide a framework for planning, product development and management. IRR limits provide management and boards with benchmarks that will help them control the risk a credit union is, or will be, exposed to from longer term loans and investments.
I have observed that many credit unions are using limits that are not necessarily derived from their specific financial condition. In some cases, the limits have been borrowed from nearby credit unions, as part of the cooperative nature of the credit unions, and in other cases limits have come from the suggestions of ALM providers. The problem with both of these sources is that they may not connect to the current actual condition of the credit union. Using limits that are derived in these ways can obscure the actual impact of planning and management decisions and result in less than desirable outcomes. The core building blocks for setting meaningful IRR limits are equity and current net interest income. The correlation of these two variables presents an option to develop a limits-setting protocol that is both statistically valid and reliable. Equity is the safety net that supports risk taking by a credit union. The more equity a credit union has on its balance sheet, the higher the level of risk that credit union can take in its operations. Net interest income is the primary source of income to support operations and fuel equity. The relationship of these two key indicators, if applied correctly, can provide a statistically valid basis for setting IRR limits that are both reliable and useful.
Many credit unions are reporting that examiners are asking for justification and support for the IRR limits employed by credit unions. It may be that IRR limits are becoming part of the IRR hot-button issue. Our CUSO, TCT Risk Solutions, is taking this issue seriously and has developed an online limits calculation tool that makes setting limits easy to accomplish for any credit union. By coupling the limits calculation tool with the CUSO’s online ALM simulation tool, credit unions have easy access to a robust process that will guide them in managing and using interest rate risk to enhance their success.
About the Author
Randy C. Thompson, Ph.D. is the CEO and founder of TCT Risk Solutions LLC, a CUSO. He has consulted with credit unions for the past 32 years. He holds advanced degrees (Ph.D. and MS) in Finance, Statistics, Economics and Public Health and taught graduate courses in finance and statistics at several universities in the western United States. He has been a frequent speaker at League and Association meetings across the United States and has authored papers and articles for credit union trade journals and for the New Jersey Credit Union League, California/Nevada Credit Union League, CU Times and CU Business trade magazines. He is the creator of the TCT Suite of products, including risk based pricing, deposit pricing, Credit Migration with ALLL, and the CostPro Earnings at Risk ALM Simulation Model.
Service So Outstanding, Others Can Only Talk About It… twhc.com
Looking for an auditor that stands out from the crowd?
Contact the CPA firm that audits only credit unions.
www.nearman.com | 800.288.0293
THE MEASURE OF A CUSTOMER
BSA/AML CUSTOMER DUE DILIGENCE PROCEDURES UPDATES
JOAN CRENSHAW & LAUREN HELLMAN
On May 11, 2018, the Federal Financial Institutions Examination Council (FFIEC) issued new examination procedures for the final rule “Customer Due Diligence Requirements for Financial Institutions,” issued by the Financial Crimes Enforcement Network (FinCEN) on May 11, 2016. The examination procedures replace those in the current “Customer Due Diligence – Overview and Examination Procedures” section of the FFIEC’s “Bank Secrecy Act/Anti-Money Laundering Examination Manual.” So what do you need to know? First, the FFIEC expanded examination procedures for Customer Due Diligence (CDD) and issued new examination procedures for testing beneficial ownership requirements. The changes emphasize requirements for banks, savings and loan associations, savings associations, credit unions, and branches, agencies and representative offices of foreign banks (financial institutions) to develop and improve risk-based procedures addressing customer risk profiles/risk ratings and monitoring. Further, examiners will now be required to conduct transaction testing for beneficial ownership on accounts opened after May 11, 2018. Financial institutions must develop and implement risk-based procedures for conducting ongoing CDD. Procedures should develop sufficient understanding of the nature and purpose of the customer relationship to develop a risk profile. The financial institution’s procedures should be sufficient to establish ongoing monitoring for the identification and reporting of suspicious transactions. Finally, procedures should—on a risk basis—enable the financial institution to maintain updated customer information, including beneficial ownership information of its legal entity customers. CDD policies, procedures and processes should include a clear statement of management’s and staff’s responsibilities, including procedures, authority and responsibilities for reviewing and approving changes to customers’ risk profiles. Policies also should include standards for conducting and documenting analysis with the due diligence
process, including guidance for resolving issues when insufficient or inaccurate information is obtained. Examiners have been tasked with determining whether the financial institution has effective processes to develop customer risk ratings as part of its overall CDD program. Similar to risk assessments, the financial institution’s customer risk profile/risk rating system may be scalable according to its complexity and size. While this hasn’t changed from prior CDD guidance, financial institutions should review and update CDD policies to include expanded support and more detailed explanations of customer risk ratings and due diligence practices, with increased focus on higher risk customers. Guidance for resolving issues when insufficient or inaccurate information is obtained in the due diligence process should also be addressed. There’s now straightforward emphasis on ongoing monitoring for the purpose of identifying and reporting suspicious transactions as well as—on a risk basis—maintaining and updating customer information, including beneficial ownership information of legal entity customers. Similar to customer risk profile/risk rating systems, monitoring may be scalable according to the financial institution’s complexity and size. Financial institutions should establish policies and procedures for determining when obtaining additional customer information would be appropriate. The FFIEC doesn’t give direct guidance on using a continuous or periodic basis for these reviews, but the financial institution should consider what makes sense for its risk profile and customer base. What factors could trigger review of a customer’s risk profile/risk rating?
■ Significant and unexplained changes in account activity.
■ Changes to business operations or employment known by the financial institution.
■ Ownership changes of a business known by the financial institution.
■ Red flags identified through suspicious activity monitoring.
■ Receipt of criminal subpoenas, National Security Letters or Section 314(a) requests.
■ Results on negative media search programs.
■ Length of time since customer information and risk rating was last assessed.
The second set of FFIEC procedures tasks examiners with determining whether appropriate written procedures are in place for gathering and verifying beneficial ownership of legal entity customers who open an account after May 11, 2018. Beneficial ownership is determined under both a control prong and an ownership prong. The control prong identifies a single individual who controls, manages or directs a legal entity customer, such as an executive officer or senior manager. One beneficial owner must be identified under the control prong for each legal entity customer. Under the ownership prong, a beneficial owner is each individual who directly or indirectly owns 25 percent or more of a legal entity customer. If no individual owns 25 percent or more of the legal entity customer, no beneficial owner under the ownership prong is identified. In summary, legal entity customers will have a total of between one and five beneficial owner(s)—one individual under the control prong and zero to four individuals under the ownership prong. There are multiple exclusions that apply to beneficial ownership determination. Details can be found in Appendix 1 of the FFIEC’s Bank Secrecy Act/Anti-Money Laundering Examination Manual, dated May 5, 2018. The big takeaway is the need for robust policies and procedures surrounding customer risk profiles, beneficial ownership and ongoing monitoring under the CDD requirements. Read the full press release and updated examination procedures for CDD and beneficial ownership for legal entity customers on the FFIEC website. If you have questions regarding these changes, or to inquire about compliance review services, contact Lauren or Joan for more information.
This article is for general information purposes only and is not to be considered as legal advice. This information was written by qualified, experienced BKD professionals, but applying this information to your particular situation requires careful consideration of your specific facts and circumstances. Consult your BKD advisor or legal counsel before acting on any matter covered in this update. Article reprinted with permission from BKD, bkd.com. All rights reserved.
About the Authors
Lauren Hellman is a member of BKD National Financial Services Group with more than five years of experience providing audit and consulting services to financial institutions. She also has more than six years of industry experience prior to joining BKD. She is a member of the American Institute of CPAs, ACFE, Heartland ACFE and the Junior League of Omaha.
Joan Crenshaw is a member of BKD National Financial Services Group, with more than 25 years of banking experience. She has experience with regulatory compliance, procedural analyses, loan documentation, portfolio administration, banking operations, foreclosures, talent recruitment and development and lending. She focuses on serving clients in the area of regulatory compliance, helping financial institutions with challenges within the regulatory environment.
No detail too small. You’re proud of your credit union for good reason—you’ve kept your house in order. Accounting for your aesthetic is important to us. Our diligent, disciplined internal audit pros can help you reduce risk and boost your financial street appeal so you can grow wisely.
Everyone needs a trusted advisor. Who’s yours?
bkd.com/fs | @bkdFS
CREDIT UNION BRANCH INCENTIVE PAY PLANS
An Internal Auditor’s Perspective
STEPHEN LaBARBERA, CPA, AUDIT MANAGER, DOEREN MAYHEW
Credit union branch incentive pay plan audits may present challenges for internal auditors, due to the complex and sensitive nature of these compensation programs. Although these plans consist of countless structures and methodologies, generally incentive plans can be broken down into two categories: branch or frontline incentives and institution-wide incentives. An example of a branch incentive would be paying a loan officer $25.00 every time he or she sells GAP insurance with an auto loan. Conversely, institution-wide incentives would include annual bonuses paid to management, back-office professionals or the entire credit union. Although there are many similarities between audit procedures and risk considerations for both types of incentives, this article is focused on auditing branch and other frontline incentives.
Branch incentive pay plans may not have been an area of focus for internal auditors prior to the Wells Fargo Cross-Selling Scandal. However, these plans have long been an area of risk for many financial institutions. These risks include employee manipulation, mismanagement, non-compliance with regulations, and maybe most importantly, the risk that incentives are causing members harm. This risk is emphasized because member care is a critical component of an organization’s culture, and highly regulated at consumer financial institutions. Therefore, internal audit needs to be assessing the risks associated with their institution’s branch incentive pay plans, at least annually. In 2014, Wells Fargo was paying significant incentives to branch employees for meeting cross-selling quotas/goals. And for good reason: the 2014 Wells Fargo data shown in the figure indicates that Retail Banking was making three times the profit from customers with five products, and five times the profit from customers with eight products. It is no wonder that John Stumpf – one time CEO of Wells Fargo – would often repeat “eight is great!” “Eight was great!” During 2014, Wells Fargo Retail Banking, fueled by its incentive pay plans, was outperforming its peer group. However, branch employees were under immense pressure to cross-sell customers additional products. Personal bankers were receiving up to 20% (a significant portion) of their compensation from incentives. This led to aggressive sales tactics and behavior, which ultimately led to employee fraud. For example, Wells Fargo employees opened as many as 2 million accounts without customers’ knowledge, in some cases by forging member signatures. Consequently, Wells Fargo settled a lawsuit with regulators on September 8, 2016 in the amount of $185 million. However, even more significant was the damage to Wells Fargo’s reputation, which is evidenced by Wells Fargo’s stock price falling by over 13% during September 2016. Many of the Wells Fargo facts included above are cited in Brian Tayan’s article “The Wells Fargo Cross-Selling Scandal”. The Wells Fargo example demonstrates how frontline incentives can be a profitable strategy for a credit union but can also work against culture. Therefore, with the goal of testing the plan’s effectiveness, and the control environment surrounding branch incentive plans, credit union auditors should be auditing these plans periodically. To help with auditing branch incentives, Doeren Mayhew’s Financial Institutions Group has provided the following road map for credit union internal auditors working to develop or improve their branch incentive pay plan audit programs.
[Figure: Retail Banking Profit per Customer vs. Products per Customer (1, 3, 5, 8, 10+); profit axis marked 1x, 3x, 5x, 10x. Source: Wells Fargo, Investor Day (May 20, 2014)]
RESEARCH AND PLANNING
The first step for any audit is familiarizing yourself with applicable regulations, guidelines and industry best practices. Here are four excellent sources for incentive pay plans:
CFPB COMPLIANCE BULLETIN 2016-03
The subject of this CFPB (Consumer Financial Protection Bureau) Compliance Bulletin is “Detecting and Preventing Consumer Harm from Production Incentives.” This is a very important source of guidance for internal auditors and other risk professionals interested in understanding problematic incentive plans and the critical controls that should be used to mitigate their risks.
NCUA REGULATIONS 701.21(C)(8), 801.23(G) AND 721.7
In short, NCUA regulations do not allow sales incentives for executive management, but sales incentives can be paid to other employees “provided that the board of directors of the credit union establishes written policies and internal controls in connection with such incentive or bonus and monitors compliance with such policies and controls, at least annually.” An article written by Shereefat Balogun titled “Credit Union Incentive Plans Can Be a Useful Tool to Drive Performance, if Done Properly” cites and summarizes the NCUA regulations and other regulations.
INTER-AGENCY PROPOSED RULE ON INCENTIVE COMPENSATION (“THE PROPOSED RULES”)
This proposed guidance seeks to strengthen incentive-based compensation practices at covered financial institutions, including federally insured credit unions with over $1 billion in total assets. It was first proposed in 2016 on the coattails of the Wells Fargo Cross-Selling Scandal, and since then it has lost much of its momentum. However, the proposed rule’s progress should be monitored, and it remains a valuable source of framework-level guidance on incentive pay plans for financial institutions.
THE SCORECARD
Incentive “scorecards” are used to track and measure incentive plans. Understanding key scorecard concepts and the wide-ranging structures of scorecards is helpful. An article written by Steven Reider titled “How To Create A Scorecard To Measure Branch Performance And Set Goals” highlights important considerations for branch scorecards. For risk professionals, the focus should be on balancing risks and rewards. Methods to balance risk include measuring service quality and member retention, or negating payouts for low service quality or “needs improvement” branch audits.
FIELDWORK
Some high-level notes to remember throughout fieldwork: 1) Management and the board of directors should design a strong incentive pay program that fosters culture; 2) Control structures should appropriately vary based on the size and complexity of the organization.
POLICIES AND PROCEDURES
Credit union policies and procedures should: 1) clearly define and outline all incentive pay plans; 2) include organization-wide and employee-level objectives; 3) include the roles and responsibilities of the credit union’s departments, management, quality control, employees receiving incentives, board of directors and supervisory committee; and 4) provide a method to achieve a balance of risk and reward. In addition to the items noted above, the CFPB Compliance Bulletin 2016-03 and the proposed rules contain additional policy and procedure guidelines.
INTERVIEWS AND WALKTHROUGHS
A significant portion of the audit will likely be spent performing interviews and walkthroughs with a wide range of credit union employees. This should include executive management, managers/supervisors, risk management, quality control, human resources and employees receiving incentives. The list below includes interview topics to discuss with the employees listed above. Any sensitive interview topics, such as the first two listed below, should be discussed in private, while the other topics may be discussed while performing “cradle-to-grave” walkthroughs of an incentive payout process.
■ Pressures caused by incentives and the ability to “whistle blow”
■ Unethical behavior
■ Understanding of the incentives available and the related policies and procedures
■ Risks imposed by incentives and sufficiency of mitigating controls
■ Training methodologies: understanding of products offered and ethical behavior
■ Understanding of monitoring controls: whether an independent compliance review is in effect
■ Method of handling corrective actions once an issue is discovered
■ Independence between employees who design and manage the quality control review and those who receive incentives
MONITORING
Reviewing and critiquing incentive plan monitoring processes is an essential objective for internal audit. Monitoring methodologies should be reasonable and appropriate, and the supervising employee should be independent, have a method to analytically review data trends for risks, and periodically sample incentive payments for accuracy. This function may be performed by operations, quality control, risk management and/or human resources. The CFPB Compliance Bulletin 2016-03 includes examples of possible monitoring metrics, which may include trends in: 1) cancellations; 2) incentives earned by employee; 3) incentives earned by incentive type; 4) member complaint rates; 5) employee turnover rates.
INCENTIVE REVIEW WORK PAPER
To perform transaction testing, first obtain a detailed transaction system report and/or tracking spreadsheets that capture periodic incentives earned by employee and by product type. Before selecting a sample, be sure to review system parameters or spreadsheet formulas, and understand the data input and the input-level review process. Then select a sample of transactions from the system report or tracking sheet covering a variety of products and employees. Prepare a work paper for testing that includes columns such as:
Informational items: employee’s name (who received the incentive), approver’s name, member name, product or transaction type, date of sale, payout amount, date of payout, etc.
Testing items: proper period, accurate payout, cost-effectiveness (view management’s profitability analysis), proper approval, compliance with policies and procedures, quality control review/monitoring process in place, etc.
AUDIT CONCLUSION
Hopefully, the audit results in beneficial recommendations to management and the supervisory committee. Below are findings shared by ACUIA members, and the related procedures performed to consider:
AUDIT FINDING: Employees back-dating product sales to achieve monthly product sales goals.
AUDIT PROCEDURE: Review trends, such as employees achieving goals every other period, and test transactions at period end for proper cutoff.

AUDIT FINDING: Call center employees were overly aggressive in their sales tactics, and their behavior was determined to be in line with their training.
AUDIT PROCEDURE: Call into the call center.

AUDIT FINDING: Employees habitually trading mortgage loan sales back and forth to ensure that at least one of the two reached the incentive quota.
AUDIT PROCEDURE: Review trends, such as employees achieving goals every other period, and question employees about unethical behavior.

AUDIT FINDING: Poor tracking or complex manual tracking methods, or poor monitoring methodologies. In one example, the incentives were tracked using the “honor system.”
AUDIT PROCEDURE: Perform walkthroughs to understand incentive tracking and monitoring.

Wells Fargo’s incentive plan issue served as a warning to the financial institution industry. In reaction, Wells Fargo did make significant internal changes, such as eliminating product sales quotas, reconfiguring branch-level incentives to emphasize customer service rather than cross-selling metrics, and introducing additional training and monitoring controls, such as controls over opening new accounts. As internal auditors, we should heed this warning and conduct risk assessments and audits so that we can recommend changes before our organization experiences significant problems.
Still have questions about incentive pay plans and how to audit them? Contact the credit union auditors at Doeren Mayhew. Want to reach the author? Email Stephen LaBarbera at slabarbera@doeren.com or call him at 908.268.1344.
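The trend tests named in the findings table (period-end cutoff for back-dated sales, goals met every other period as a sign of traded sales) and the CFPB 2016-03 monitoring metrics from the monitoring section can be run directly over the incentive tracking extract described under the work paper section. The following is an added example, not part of the article or of Doeren Mayhew’s audit program; the record layout, field names, quota rule and sample rows are all constructed.

```python
"""Analytic checks for a branch incentive pay plan audit.

Added example (not from the article or Doeren Mayhew's program). It runs
three of the tests described in the text over a constructed incentive
tracking extract:
  * period-end cutoff testing, to surface sales back-dated into a closed
    payout period;
  * the "goal met every other period" trend, and mirror-image patterns
    between two employees, which is how traded mortgage sales look;
  * CFPB Bulletin 2016-03 style monitoring metrics (incentives earned by
    employee and by product type, cancellation rate).
Record layout, field names and the quota rule are hypothetical.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed tracking-sheet rows:
# (employee, product, date_of_sale, date_entered, payout_period, payout_amount, cancelled)
RECORDS = [
    ("ali", "checking",    date(2018, 1, 30), date(2018, 1, 30), "2018-01",  25.0, False),
    ("ali", "checking",    date(2018, 1, 31), date(2018, 2, 6),  "2018-01",  25.0, False),
    ("ali", "credit card", date(2018, 2, 12), date(2018, 2, 12), "2018-02",  40.0, True),
    ("bo",  "mortgage",    date(2018, 1, 15), date(2018, 1, 15), "2018-01", 500.0, False),
    ("cy",  "mortgage",    date(2018, 2, 20), date(2018, 2, 20), "2018-02", 500.0, False),
    ("bo",  "mortgage",    date(2018, 3, 9),  date(2018, 3, 9),  "2018-03", 500.0, False),
    ("cy",  "mortgage",    date(2018, 4, 3),  date(2018, 4, 3),  "2018-04", 500.0, False),
    ("dee", "checking",    date(2018, 3, 2),  date(2018, 3, 5),  "2018-03",  25.0, False),
]
PERIODS = ["2018-01", "2018-02", "2018-03", "2018-04"]
MORTGAGE_QUOTA = 1  # constructed plan rule: one mortgage sale per month earns the incentive


def period_of(d):
    """Payout period ("YYYY-MM") that a calendar date falls in."""
    return f"{d.year:04d}-{d.month:02d}"


def cutoff_exceptions(records, grace_days=3):
    """Period-end cutoff test. A sale credited to a payout period but entered
    into the system after that period closed, more than grace_days after the
    recorded sale date, is a back-dating candidate for follow-up."""
    flagged = []
    for emp, prod, sold, entered, period, _amt, _canc in records:
        if period_of(entered) != period and (entered - sold).days > grace_days:
            flagged.append((emp, prod, sold.isoformat(), entered.isoformat()))
    return flagged


def goal_pattern(records, product, quota, periods):
    """Per employee, a Y/N string showing whether the product quota was met in
    each period. Cancelled sales do not count toward the goal."""
    counts = defaultdict(lambda: defaultdict(int))
    for emp, prod, _s, _e, period, _amt, cancelled in records:
        if prod == product and not cancelled:
            counts[emp][period] += 1
    return {emp: "".join("Y" if counts[emp][p] >= quota else "N" for p in periods)
            for emp in counts}


def alternating(pattern):
    """True when goal attainment strictly alternates (YNYN... or NYNY...)
    over at least four periods, the trend the findings table points to."""
    return len(pattern) >= 4 and all(a != b for a, b in zip(pattern, pattern[1:]))


def suspected_trading(records, product, quota, periods):
    """Pairs of employees whose alternating goal patterns are mirror images:
    in every period exactly one of the two hits quota, which is what habitually
    handing a sale back and forth produces."""
    pats = goal_pattern(records, product, quota, periods)
    pairs = []
    for a, b in combinations(sorted(pats), 2):
        if alternating(pats[a]) and all(x != y for x, y in zip(pats[a], pats[b])):
            pairs.append((a, b))
    return pairs


def monitoring_metrics(records):
    """CFPB 2016-03 style trend metrics: payouts by employee, payouts by product
    type, and each employee's cancellation rate."""
    by_emp, by_prod = defaultdict(float), defaultdict(float)
    sold, cancelled = defaultdict(int), defaultdict(int)
    for emp, prod, _s, _e, _p, amt, canc in records:
        by_emp[emp] += amt
        by_prod[prod] += amt
        sold[emp] += 1
        cancelled[emp] += int(canc)
    cancel_rate = {e: cancelled[e] / sold[e] for e in sold}
    return dict(by_emp), dict(by_prod), cancel_rate


if __name__ == "__main__":
    print("Cutoff exceptions:", cutoff_exceptions(RECORDS))
    print("Mortgage goal patterns:", goal_pattern(RECORDS, "mortgage", MORTGAGE_QUOTA, PERIODS))
    print("Suspected traded sales:", suspected_trading(RECORDS, "mortgage", MORTGAGE_QUOTA, PERIODS))
    by_emp, by_prod, rate = monitoring_metrics(RECORDS)
    print("Payouts by employee:", by_emp)
    print("Payouts by product:", by_prod)
    print("Cancellation rate:", rate)
```

Each flagged item is a lead for the interview and walkthrough steps, not a conclusion; the grace period and quota should be replaced with the values in the credit union’s own plan.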
About the Author Stephen LaBarbera has provided audit and assurance services to credit unions and credit union service organizations for more than eight years. Leveraging his knowledge and expertise, Stephen guides clients through the entire audit process, proactively addressing concerns and offering recommendations along the way. Stephen represents the firm as an expert presenter at CFO round tables, ACUIA conferences and league conferences on a number of accounting and auditing-related topics, such as CECL; Leases (Topic 842); Derivatives and Hedging (Topic 815); Revenue Recognition (Topic 606); and Incentive Pay Plans.
CONFRONTING A SHIFTING REALITY: THREATS AND DEFENSES FOR CREDIT UNIONS IN THE CLOUD ENVIRONMENT
BRAD ATKIN, CPA, CISA, CITP – SHAREHOLDER, IT ADVISORY AND SECURITY GROUP, DOEREN MAYHEW
Business productivity and efficiency have quickly been revolutionized by the robust and flexible environment offered by the Cloud. As the Cloud becomes a household name, it is important to understand not only the business strategies, technologies and architectures it represents, but also the risks and defenses.
In general terms, the Cloud is a movement from owned resources to shared resources, in which users receive information technology services on demand from a third-party provider. End users are being migrated to Cloud applications as the default software on their hardware devices, while enterprise Cloud applications are being used as storage solutions to host, manage and share data. The reality is that Cloud-based services hold a significant foothold on the market now and don’t seem to be going anywhere soon. And it’s no surprise credit unions want in on the action. With the ability to free up internal resources, credit unions are becoming increasingly dependent on Cloud-based applications and services. The problem is, every technology is susceptible to misuse and mistreatment, and Cloud-based applications are no exception. By nature, these applications involve a significant amount of shared resources. As with most security incidents, nefarious actions against an application your credit union is using could result in financial losses, compliance-related problems and fines, and significant reputation risk to the credit union. If your credit union is using Cloud-based applications, it needs enterprise-wide approaches in place to identify the flow of information, mitigate potential risk and remediate weak spots.
The Current Threat Landscape
Major Cloud-based applications across the nation are exposing businesses to security breaches and malware. For example, Amazon Web Services (AWS) Cloud storage has had configuration errors leading to data exposure and security breaches. Storage drives, like Dropbox, have also recently been used to distribute malware across organizations. And phishing attacks have recently been used to steal credentials on Google Drive. Given their design and the continued exploitation of vulnerabilities, it is inevitable that applications, regardless of their popularity, will eventually become victims of cyber crimes, if they haven’t already. These threats are real. Internal audit and management teams must understand them to protect the credit union and its members.
Understanding the risks related to the Cloud starts with an understanding of the flow of data. Develop a full understanding of the channels data flows through between users and Cloud applications, especially those outside of the network. Do you know how the large amounts of confidential data are flowing in and out of the Cloud applications? You should! Knowing this will help minimize the overall risk exposure and determine how to defend against attacks in an industry where confidentiality and compliance are key.
The Three Main Culprits
The three main culprits threatening the security of your credit union’s data held in the Cloud are employee mistakes, malicious insiders and hackers.
1. Employee Mistakes – Employees continue to be the weakest link in cybersecurity across the board. In the Cloud arena, this can include sharing a URL to a confidential document or not specifying the proper access controls, which may lead to broad access or documents being shared beyond the intended users. The functionality of Cloud-based applications may be harder to control; therefore the risks need to be identified in order to properly control access.
2. Malicious Insiders – More often than not, malicious insiders tend to be disgruntled employees. Insiders can use their access privileges and position to circumvent your controls. This can include deleting or sharing confidential files, abusing access by printing and taking screen shots, and changing access for other employees.
3. Hackers – Targeting both Cloud-based applications and individual users, hackers use malware and phishing scams as common ways to indirectly gain access to Cloud-based applications through unsuspecting employees. Once the account is accessed, the data can be stolen. Some Cloud-based applications already have known vulnerabilities, making them susceptible to hackers. It is important to fully understand the application and its risk by performing due diligence before simply choosing the more economical provider.
The Defenses: What Can Be Done
Here are some things your credit union can do to prevent falling victim to cyber crimes when dealing with Cloud-based applications:
Consider Overall Risk Fundamentals – Financial institutions using outsourced Cloud computing have to consider the fundamentals of risk and its management defined by the FFIEC Information Technology Examination Handbook (IT Handbook), especially the Outsourcing Technology Services Booklet. Review these to ensure you are following the guidelines.
Proper Due Diligence – Your board of directors and management are responsible for ensuring Cloud activity is conducted in a safe and sound manner, while remaining in compliance with applicable laws and regulations. Make sure they have addressed data classification, segregation and recoverability. Also, determine the adequacy of the provider’s internal controls.
Business Continuity Concerns – Address business continuity and the recovery, resumption and maintenance of the entire credit union. Determine whether the servicer and network carriers have adequate plans and resources to ensure continuity and recoverability.
Understand the Network – Discover the types of Cloud-based applications used, how users interact with them and the risk posed to the credit union. This is especially critical in an environment where employees can connect their own devices.
Enforce Your Policies – Actively block threats before they are distributed. Administrators need to enforce policies to detect malware and keep data confidential.
Scan All Files for Confidential Data – There are services available that can scan files for confidential data (PII, PCI, HIPAA, etc.) during upload to reduce the risk of attempts to steal data. Security applications also ensure these files are not shared too broadly and protect the confidential data from users without rights.
Scan All Files for Malicious Content – All files coming into and going out of the Cloud need to be scanned for viruses and malware. Active threat detection will reduce the risk of malicious files going into or out of the Cloud, and reduces the spread of malicious files to a significant number of users. Look for a security service that integrates with the Cloud.
Have a Strong Security Position – The Cloud application must be subject to vulnerability assessments, configuration reviews and penetration tests. If housed outside of your organization, ensure this is being done through the vendor due diligence process. The constantly changing threat landscape should be continually evaluated.
For more information on how you can protect your credit union from Cloud-based application vulnerabilities, contact Doeren Mayhew’s cybersecurity advisors today.
About the Author Brad Atkin is a Shareholder at Doeren Mayhew and leader in the firm’s Information Technology (IT) Assurance and Security Group. Since joining the firm in 2005, Brad has focused his efforts on providing audit and assurance services for clients in the financial institutions, service organization, technology, construction, manufacturing, service, leasing and retail industries. In his role, he oversees engagements to ensure clients are using effective accounting and auditing practices, as well as evaluating and designing internal control and system management processes.
COMMUNICATING AUDIT FINDINGS
As Internal Auditors, we are judged by several things (and the list keeps growing), but perhaps none more so than our audit findings.
SAM CAPUANO, CBA, CRP
More so than our work papers, risk assessments, ongoing reviews or anything else, it’s our audit findings that define us in the eyes of our auditees, supervisory/audit committees and examiners. So, given their obvious importance, it stands to reason that we need to effectively communicate the findings as well. We could have the most important, material finding in years, and if we’re not getting the message across, then it really doesn’t matter.
So, how best to ensure this happens? The IIA Standards address this, including the requirement that “Communications must be accurate, objective, clear, concise, constructive and timely.” Not a lot of words there, but plenty to digest.
Let’s start with the last word there, “timely.” Findings should be discussed not only in a timely manner, but frequently as applicable. This starts from the initial detection in the field. This helps with the “accurate” portion of the IIA Standards. There should never be any surprises when findings are ultimately presented. So, the first discussion of a finding should occur in the field, once the issue has been determined. Discuss, in detail if necessary, the item or situation you’ve found. This conversation is typically held with the employee most directly associated with the issue. It is this person who is often best suited to let you know of the accuracy of the finding. Having this communication early also allows more time for additional research on the part of the auditee on the issue. Often, especially when the area audited is new and/or has new personnel, we in IA may not have the whole picture right away. This additional research helps in this regard, and also avoids any inconsistencies down the road when we have the formal exit and issue the audit report draft.
These discussions with staff should be documented in the work papers, along with any needed documentation to support the finding. This documentation should be clear and well indexed. This gives the person reviewing the work papers and/or presenting the findings an easier task in ensuring everything is in order with the finding.
Then it comes time for that aforementioned exit discussion. The question often arises as to who should be invited on the part of management. That is largely up to the auditee. Some of my CU clients are comfortable with just the direct manager being there. Others insist the CEO is along for the ride. Most fall somewhere in the middle. From an audit standpoint, while acquiescing to management, it is often a good idea to request that additional personnel be present if the issue is material enough. Remember, we don’t want any surprises when the report is issued. Also, IIA Standards note that we must communicate the final results to “parties who can ensure that the results are given due consideration.” This is the key point of that exit discussion. I always stress at the beginning of the exit that the meeting’s purpose is to communicate the findings of the audit, to ensure our issues are adequate, and that everyone is made aware of them prior to the report draft. I also ask that any disagreements be brought up at this time. These disagreements can be with the accuracy of the findings (especially if someone is hearing it for the first time, and may know something the direct manager doesn’t), and of course can also be due to the dreaded pushback.
There are some out there who want to know our findings, and want them all reported, with very little ado. There are others who will fight us tooth and nail over anything and everything. Those who fall into the latter category are sometimes just combative by nature. Others are more concerned about how the items in the audit report reflect on them. Regardless of where our audience falls here, we are still responsible for communicating everything we have found in the audit, whether it is a verbal issue or one that will make its way to the audit report draft.
The results of the exit should be documented in the work papers. This includes the date and those present at the meeting. Additionally, it is beneficial to note next to each finding whether or not management was in agreement with our well-meaning recommendations. Ideally, any such disagreement will be resolved prior to the report draft, but sometimes this is unavoidable. At the very least the disagreement will be known in advance of the issuance of the draft report.
When that draft report is issued, for the most part the findings, and how they will be responded to, will be known. Sometimes that’s not the case: even with all this prior communication, some key individual may still not have been made aware of the issue, and may be able to provide support to have the finding revised and/or removed. Once the written response to the report draft is received, it is our job to verify that all items have been adequately addressed. If not, more communication is needed. For those issues that stay in the report, and for which management is still going to accept the risk, well, we still have work to do. Again, the IIA Standards address this. If that level of accepted risk is deemed unacceptable, IA needs to communicate this with senior management, and if still not sufficiently resolved, with the Board. While this process is not one that is preferable, it’s part of our job, and must be undertaken.
At this time, we can issue the final version of the audit report. Depending on the wishes of our supervisory/audit committees, they will either receive a full copy of the report, or a summary of the issues. In doing so, we will have effectively communicated our findings.
About the Author
Sam Capuano, CBA, CRP, is a Principal at The Bonadio Group, working out of their Albany, NY and Rutland, Vermont offices. He has been a financial institution internal auditor since 1985, including 12 years as the Chief Audit Executive at Sunmark FCU in Albany, where he started their IA function in 2002. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.
{ the standards } Pat Richey, Retired credit union internal auditor
Managing the Internal Audit Activity The first Performance Standard addresses the importance of value added.
In the last 6 issues of The Audit Report, I discussed the Attribute Standards of the International Standards for the Professional Practice of Internal Auditing (Standards). The Attribute Standards describe the WHO in internal auditing – the quality and features of the individuals and departments performing internal audit work. The remaining standards are the Performance Standards, which describe the WHAT of internal auditing – what services internal audit provides, and how the services are provided. The first Performance Standard, 2000, says that the Chief Audit Executive (CAE) must effectively manage the internal audit activity so that it adds value to the credit union. This aligns with the definition of internal auditing, which states that the purpose of internal auditing is to add value and improve the credit union’s operations.
Effective Management
The Interpretation of Standard 2000 says that the criterion for an effectively managed internal audit activity is an activity that achieves its purpose and responsibility as defined by the internal audit charter, conforms with the Standards, and evaluates trends and emerging issues that could impact the credit union. Also, individual auditors must conform with the Standards and Code of Ethics. Therefore, according to Implementation Guide (IG) 2000, the CAE should start with forethought and preparation to manage internal audit effectively. The CAE should regularly review the International Professional Practices Framework (IPPF), monitor conformance with the IPPF through the quality assurance and improvement program, and use metrics (including benchmarking) to evaluate the efficiency and effectiveness of internal audit. A key component of effective management is the internal audit charter, which defines internal audit’s role, purpose and responsibilities in the credit union. Then, internal audit must produce work that fulfills that role and purpose. The CAE will periodically compare the results of internal audit work with the charter. Heaven forbid that the Board and/or audit/supervisory committee approved the Charter and the CAE has not looked at it since that time. The internal audit charter was available on internal audit’s network webpage for all credit union employees to access. The CAE should review the credit union organizational chart and strategic plan, identify credit union stakeholders, structure and reporting relationships, and get insight into the credit union’s strategies, objectives and risks by talking with senior management and the board. With the above knowledge and preparation, the CAE can develop an internal audit strategy that dovetails with the credit union’s goals and expectations.
Adding Value
The CAE is responsible for ensuring that internal audit adds value to the credit union. I’ve always had a difficult time with the concept of adding value. I am a very concrete sequential personality-type, and I don’t do well with abstract concepts. To me, “adding value” is one of those concepts. What does it mean? Fortunately, Standard 2000’s Interpretation states that adding value means considering strategies, objectives and risks; offering ways to enhance governance, risk management and control processes; and objectively providing relevant assurance. However, it seems to me that is just internal auditors doing their jobs through the entire audit process. In “Delivering Audit Value,” Eric Lundin states that it might be difficult to quantify audit value in terms of dollar savings, earnings, or reduced risks. Lundin says that internal audit adds value by simply performing its function effectively and efficiently, and being attuned to opportunities for enhancement. However, adding value might mean different things to different people. Therefore, internal audit departments may add value in different ways. One time I attended a presentation by an internal auditor whose department only did audits whereby they could quantify the impact of recommendations to the bottom line. I think the presentation attendees were skeptical of this audit strategy. Perhaps this was before the Standard 2000 interpretation. In most cases, internal audit is not going to be able to quantify the value it brings to the credit union when management implements internal audit recommendations. However, perhaps one way an internal auditor can directly reduce costs is to perform tasks that had previously been done by external auditors.
The Institute of Internal Auditors (IIA) brochure “Internal Auditing: Adding Value Across the Board” says that a changing world “points to the necessity for competent internal auditing.” Internal auditors must stay abreast of changes in technology, regulations, risks, opportunities and the credit union industry. Internal audit does not add value if it does not use an up-to-date risk universe and work programs, or does not use the power of technology. The IIA’s Global Internal Audit Survey “Measuring Internal Audit’s Value” found the key factors for adding value were independence and objectivity, access to the audit committee, and audit tools and technology. Performance metrics most frequently used were audit plan completion, recommendations implementation, surveys of stakeholders such as the Board, management and auditees, assurance of sound risk management, and reliance by external auditors on the internal audit activity. Internal audit’s basic role is to help the board, audit/supervisory committee, and management achieve their objectives. To add value to the credit union, internal audit must be a valuable resource to those governance stakeholders. Internal audit should be helping the credit union manage its risks, and does that with
a deep understanding of the credit union, its processes, and its risks. Being a valuable resource with a deep understanding of risks requires expertise. In “How Do Internal Auditors Add Value?”, James Roth says that using internal auditing as a training ground for recent college graduates does not add value. The best audit departments are highly trained, hold certifications, are active in professional organizations, and are skilled in data analysis. However, this level of expertise requires the CAE to create a challenging work environment. Expertise can also be obtained by bringing credit union staff into internal audit; credit union employees have a better understanding of credit union risk than perhaps we give them credit for. Internal audit must understand the business rather than just verifying everything.

The old joke was that internal auditors come in after the battle and bayonet the wounded. That is not the internal auditor of today. In “Find Your Voice,” Karen Brady suggests the value statement “external auditors audit the past, we audit the future.” That is the polar opposite of the old joke. However, can internal auditors look at the past as a way to improve the future? Internal audit does not add value by acting like a regulator. The credit union has its fill of regulators. It needs cutting-edge (but maybe not bleeding-edge) business partners and creditable advisors.

Brady encourages internal auditors to communicate audit’s value to credit union stakeholders. Internal auditors should not assume that the stakeholders understand audit’s value to the credit union. Stakeholders’ expectations may be far lower than what internal audit is able to provide. Stakeholders may expect procedure verification or policy compliance rather than business improvement solutions. Internal audit’s value should be clear to stakeholders.

To add value, internal auditors must make a difference. Sometimes that means doing something different, or innovative. This requires creativity and bravery. However, when doing something different, internal audit must be mindful of the credit union’s culture (which hopefully is on the high road). Internal audit should promote positive change. You know how much people like change. However, change is constant and never ending. If I went on a week-long vacation, my first thought returning to work was “what has changed?” Embracing change is a matter of survival. It may be hard for management to keep up with new business processes. Also, internal audit is not immune to critical examination of its work, to change, and to how its value is perceived in the credit union. Audit has to continually change and improve its structure, work programs, performance, or risk
assessments, etc., in order to improve efficiency and effectiveness. Management generally knows if a problem exists, and they need insight into how to fix the problem. This is solution-based auditing, which is oriented to the future. Hopefully, the solutions make someone’s job easier. W. Edwards Deming said that an aim must relate directly to making life better for everyone. Therefore, like Walmart and IKEA, perhaps audit’s purpose is to make life better, rather than focusing on blame for deficiencies. If possible, internal audit should offer several solution alternatives for consideration that add value. This requires auditors to understand how the credit union operates, credit-union wide, in order to improve business performance. What is of value to one credit union may not be of value to another credit union. The key is to ask stakeholders what they need, and how internal audit can add value to their spheres.

Perhaps one knows value when they see it. One year our lead regulatory examiner told our management team and Board that one of the best things the credit union had going for it was the internal audit department, because internal audit pulled no punches and provided a valuable service for the credit union. A commendation like that goes a long way in creating credibility.

Demonstrating Conformance
The CAE can demonstrate conformance with Standard 2000 by conducting post-engagement surveys, or otherwise obtaining feedback. Internal and external assessments should be documented and include metrics and benchmarking. There should be evidence that individual internal auditors conform to the Attribute Standards.

About the Author
Pat Richey was Director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.
ACET is here. Are you ready?
RedstoneConsultingGroup.org/acet-portal
Redstone Consulting Group’s ACET Collaboration Portal™ will help the NCUA cyber exam go smoothly. Know where you stand before the exam begins.
www.redstoneconsultinggroup.org | info@redstoneconsultinggroup.org | (256) 344-8600
© 2018 Redstone Consulting Group, LLC. All rights reserved. Redstone Consulting Group, LLC and the Redstone Consulting Group logo are registered trademarks of Redstone Consulting Group, LLC or its subsidiaries.
www.acuia.org | THE AUDIT REPORT
{ member spotlight }
Shelley Engleman, CIA, CFE, CISA, CRMA
Tabitha Ernst-Chadwick
As ACUIA is expanding to create a network for risk management professionals, we want to spotlight one of the amazing volunteers who are helping us build that group. Please help me welcome Shelley Engleman from 7-17 Credit Union in Ohio.
Shelley, we like to get up close and personal here at ACUIA. So let’s start with you sharing a little bit about yourself and your family.

I have been married for 17 years to my husband, Jeff, and we have four children, four grandchildren (with another on the way!) and two cats. I love all types of sports. In my spare time I like to run half marathons and work out. I also love to cook, travel, and spend time with my family. My alma mater is Malone College, where I received a bachelor’s degree in Accounting and Business Administration.

Ok, now for some business. How did you get into Risk Management?

I have worked in Risk Management for the past 28 years, all at 7-17 Credit Union. I started as a Staff Auditor and progressed to my current role as SVP, Risk Management.

Wow! That is amazing! I’m learning that Risk Management means something a little different in every credit union. What functions fall under your Risk Management umbrella?

I am responsible for Internal Audit (IA), Fraud & Risk Management, Enterprise Risk Management (ERM), Corporate Insurance, Business Continuity, Incident Response, Security, and Compliance.

That is a pretty big umbrella. As someone who has been in the field for so long, can you share insight on how the role of risk management has changed?

Risk management traditionally had been a function of IA. This seemed logical, as IA knew the risks of the organization and the controls needed to mitigate the risks. However, in more recent years organizations are understanding that management is responsible for the risks of the organization, and risk management is becoming ingrained throughout the organization, particularly at the strategic level.

What strategies have you deployed to integrate risk management into credit union operations?

We implemented ERM about 5 years ago, but it was more at the executive level. In the past year, we revamped our program to include Board, executive management, and middle management. All levels were involved in developing our risk appetite statement, so everyone bought into the amount of risk our organization was willing to accept. We have ongoing reporting for the Risk Management Committee and have also provided training on risks at all levels of the organization.

What advice would you give to someone who is just establishing a credit union ERM program?

Engage your key stakeholders from the beginning. If they help create it, they will better support it. Use resources from known establishments like ACUIA and find a mentor at another credit union that you can bounce ideas off of and share resources. Most of all, an effective ERM program is a journey. It takes time and effort, and you will tweak it many times until you have a program that is fully integrated throughout the organization. So take your time and enjoy the process.

Is there any one risk at your Credit Union that keeps you awake at night?

Cybersecurity. There are so many unknowns, and so much is out of our control.

How do risk management and audit interact in your credit union? How are the roles different?

Risk Management and IA work together to manage risk. Risk Management performs the risk assessments in conjunction with the business units and identifies the controls that are in place to mitigate the risk. IA uses the risk assessments to guide their audit plan every year and tests the controls for effectiveness. IA then reports on the effectiveness of the controls so the risk assessments (and corresponding level of risk) can be updated. IA also sits on the Risk Management Committee (as a non-voting member) so they are aware of the risks management is accepting and the priority of those they chose to mitigate further.

We are so lucky to have you helping us to build the risk management and compliance services with ACUIA. How long have you been involved with the ACUIA and what risk management benefits have you taken advantage of in the organization?

I have no idea. A long time! My staff and I have been taking advantage of the ACUIA webinars. Earlier this year I joined the risk management advisory group, which held its first roundtable in Raleigh, NC in April. Our next roundtable is scheduled in Atlanta in December. I’m excited to work with this group, to share what we know about risk management and to learn from others. ACUIA has provided a wealth of information and, more importantly, industry experts that I contact on a regular basis when I have questions or need assistance.

Shelley, thank you for sharing your experiences with us. ACUIA is very fortunate to have you in our family. Wishing you continued success.
TeamMate+
Visibility, Consistency, and Efficiency
Learn more at TeamMateSolutions.com
{ regional news }

REGION 1
Julie Wilson, Director
Director Internal Audit, iQ CU
360.992.4233 | juliew@iqcu.com
Our next meeting is scheduled for Nov. 2nd. It will be hosted by iQ Credit Union in Vancouver, WA. We will have a day full of great speakers and topics: Compliance Management & Auditing CMS; Risk-Based Auditing & Audit Plans; Common External Audit Findings; IS/T Exam Preparation; and Ethics. We’d love to have you join us.

REGION 2
Andrea Munoz, Director
Senior Staff Auditor, Internal Audit, First Tech Federal Credit Union
916.660.4255 | andrea.munoz@firsttechfed.com
We are still in need of chapter coordinators for Hawaii, California, Nevada, Colorado and New Mexico. Plans are already underway for the 2019 Region 2 annual meeting, to be held next autumn in Utah.

REGION 3
Tom Cosby, Director
Vice President Internal Auditing, Crane Credit Union
(812) 863-7000 ext. 7142 | tcosby@cranecu.org
The Region 3 Conference was held in Eau Claire, WI, Oct. 3-5, and was well-attended, as always. The Indiana, Iowa, Illinois and Michigan chapters are having their meetings in November.

REGION 4
Gayle Gines, Director
Senior Internal Auditor, Randolph-Brooks Federal Credit Union
210.637.4130 | ggines@rbfcu.org
We recently enjoyed our annual meeting, and it was a lively gathering. There were 15 attendees and 8 amazing speakers. Next year’s meeting is tentatively scheduled for May, and will be held somewhere in the Lone Star State of Texas.

REGION 5
Michael P. Moreau, CIA, CFE, CFSA, Director
MACPAGE LLC, 225 Cedar Hill St., #200, Marlborough, MA 01752
800-339-5701 | cell: 978-760-0195
On October 1 and 2, 2018, CAPCOM FCU was the gracious host of our Regional Meeting. Over the day and a half, we had some great speakers and presentations, as well as some beneficial information sharing in our traditional roundtable. Many thanks to CAPCOM FCU for hosting, and also to our presenters from CliftonLarsonAllen, the Bonadio Group, Wipfli/Macpage, Crowe, Doeren Mayhew and Moss Adams.

REGION 6
Jason Alexander, CIA, MBA, CICA, Director
Director of Internal Audit, LGE Community Credit Union
770-421-2579 | jasona@LGEccu.org
Our Regional Meeting was held Oct. 17-19 in Nashville. The Tennessee Corporate Credit Union hosted the popular event. It was informative and well-attended.
{ region directors }
REGION 1: Julie Wilson, juliew@iqcu.com
REGION 2: Andrea Munoz, andrea.munoz@firsttechfed.com
REGION 3: Tom Cosby, tcosby@cranecu.org
REGION 4: Gayle Gines, ggines@rbfcu.org
REGION 5: Michael P. Moreau, CIA, CFE, CFSA, MPM@macpage.com
REGION 6: Jason Alexander, CIA, CICA, jasona@lgeccu.org
{ chapter coordinators }
Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1
Central Cascades (OR/WA) Chapter: Terry Robbins, trobbins@mapscu.com

REGION 2
Arizona Chapter: Jason Garlutzo, Jason.Garlutzo@azstcu.org
California Chapter: VOLUNTEER NEEDED!
Utah Chapter: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com
Hawaii Chapter: Nikki Ige, Nige@kcfcu.org

REGION 3
Illinois Chapter: Rick Torres and Joel Lamm, rtorres@CreditUnion1.org
Indiana Chapter: Tom Cosby, tcosby@cranecu.org
Minnesota Chapter: Ashley Shrode, Ashley.Shrode@thrivent.com; Jessica Annis, Jessica.Annis@trustone.org
Michigan Chapter: Kathleen Schaefer, Kathleen.Schaefer@elgacu.com
Iowa Chapter: Brittany Metz, brittanymetz@uiccu.org
Wisconsin Chapter: Karla Hodgkins, khodgkin@Covantagecu.org
Ohio Chapter: Sarah Boyer, sarahb@kembaCU.org

REGION 4
Arkansas Chapter: Patrick McCollough, pmccollough@AFCU.org
North Texas Chapter: VOLUNTEER NEEDED!
St. Louis Chapter: David Caster, dcaster@firstcommunity.com

REGION 5
New York City Chapter: VOLUNTEER NEEDED!
Maryland Chapter: Nikki Torres, nichele.torres@towerfcu.org

REGION 6
Alabama Chapter: Adrienne Breckenridge, CPA, abreckenridge@avadiancu.com
Georgia Chapter: VOLUNTEER NEEDED!
Tennessee Chapter: Michelle Clark, CUCU, mclarck@ecu.org
Florida Chapter: Lourdes Camacho, lourdesc@sccu.com
South Carolina Chapter: Tammy Farmer, tammyf@scscu.com
North Carolina Chapter: VOLUNTEER NEEDED!
{ acuia select }
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.
PLATINUM
Congratulations to ACUIA … ars of outstanding service to credit union audit professionals.
… helps credit unions meet their fiduciary responsibilities and internal control objectives by providing: …on Technology Assessments and System Reviews; Certified ACH Audits; Bank Secrecy Act …; …ending Reviews; Audit of Risk-Based Lending Programs; Branch and Operational Audits; …ability Management Reviews; Human Resource and Payroll Reviews; Assistance with Risk …t and Regulatory Compliance; Financial Statement Audits.
Certified Public Accountants & Consultants

GOLD

SILVER
TeamMate

BRONZE

Proudly serving credit unions throughout the Mid-Atlantic region. For more information about PBMares, visit us online at www.pbmares.com.
MOSSADAMS.COM/CU
PROSPERITY RISES IN THE WEST
Backed by decades of experience serving credit unions, our professionals are committed to helping you grow your business with industry-smart assurance, tax, and consulting services. We invite you to discover how Moss Adams is helping financial institutions thrive.
RISE WITH THE WEST.
Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.
WHITE ROCK LAKE, TX, 6.49 AM CDT
ASSURANCE | TAX | IT CONSULTING | STRATEGY & OPERATIONS | TRANSACTIONS | WEALTH MANAGEMENT
RELATIONSHIPS BUILD BUSINESS
Strengthen your relationships by using advisors with a strong professional network.
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. ©2017 CliftonLarsonAllen LLP | 28-1094
Dean Rohne | 800-657-4477
CLAconnect.com