Volume 20, Issue 1, 2011
Interview: Dennis Dollar
Inside This Issue:
• 11 for 2011: Hot issues for chief auditors this year
• Who’s On First: A look at the internal audit function within credit unions
• Knock Knock: Is your CU safe from social engineering attacks?
• Member Spotlight: Doug Wright
TABLE OF CONTENTS

ON THE COVER
• Interview: Dennis Dollar

FEATURED ARTICLES
• Who’s On First
• Chronicles In Employee Fraud
• Sometimes You Shouldn’t Answer the Knock at the Door!
• The Standards

EDITORIALS
• In This Issue
• Chairman’s Message

ACUIA NEWS
• Member Spotlight: Doug Wright
• What’s Happening in the Forum
• People Helping People
• Regional News
• ACUIA Member Application

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases.

Permission requests to reproduce written material should be sent to: 815 King Street, Suite 308, Alexandria, VA 22314, (703) 535-5757

© Copyright 2011, ACUIA. All rights reserved.
EDITORIALS

IN THIS ISSUE
by Tabitha Ernst-Chadwick, CIA, LRP, CTGA, CUCE

Is it a new year already??? I am pretty sure I say this every year. But every year I think it flew by faster than the one before (is that because I’m getting old?). Sam mentioned it in his article, but I also feel compelled to mention it in mine in relation to the magazine – transitions are always tough, and there are usually a few bumps. As many of you have noticed, there have been a few bumps with the transition to a new management company. We’ve been working hard to smooth out all of the bumps and now have everything moved over to the new company, and I anticipate that this year the magazine will be even better than before.

We have some new contributors in this issue, as well as some recurring favorites:
• An interview with former NCUA Chairman Dennis Dollar, about the credit union movement, past and present, and the role of internal audit in the credit union’s future;
• The importance of the internal audit function, by Bruce Jolly;
• Security awareness, by Tom Schauer; and
• Hot issues for internal auditors in the upcoming year by Danny Goldberg.

Thank you to all of our contributors.

I’m pleased to report that over the years the enthusiasm for writing for the magazine has certainly increased. Vendors are enjoying the benefits of sharing their expertise with our members, and members are enjoying the benefits of being published in a professional magazine. We’ve had some fantastic submissions. And I think we broke a speed record with this issue. All feature slots were taken within 5 minutes of sending out the Call for Authors e-mail!! I really hope to keep that trend going throughout 2011, so if you are interested in submitting articles, even if you think it might be later in the year, be sure to let me know ASAP. If you aren’t on our Call for Authors list and want to be, let me know.

Thanks to everyone who submitted articles, ideas, comments, and suggestions in 2010. Please continue sharing your thoughts and ideas. I hope 2010 was your best year ever, and I hope that 2011 will be even better!!

2011 BOARD OF DIRECTORS
• Chair: Samuel Capuano, CBA, CRP, CLRO, Sunmark FCU, (518) 347-3156, scapuano@sunmarkfcu.org, Term: 2009-2011
• Vice Chair: Jill Chase, CIA, WSECU, (360) 754-6341, jchase@wsecu.org, Term: 2011-2013
• Treasurer: Barbara Franco, CPA, CIA, GECU, (915) 774-1718, barbara.franco@gecu-ep.org, Term: 2011-2013
• Secretary: Dana McCranie, CBA, CUCE, Empower FCU, (315) 214-6582, dmccranie@empowerfcu.com, Term: 2010-2012
• Director: Linda Goff, CUCE, Enrichment FCU, (865) 482-0045 x1201, lgoff@enrichmentfcu.org, Term: 2010-2012
• Director: Amy Schaefer, CUCE, Royal CU, (715) 833-7292, amy.schaefer@rcu.org, Term: 2009-2011
• Director: Geoff Meyer, HVFCU, (845) 463-3011, meyeg@hvfcu.org, Term: 2010-2012
• Associate Director: Marnie Hardebeck, CUCE, Purdue EFCU, (765) 497-7480, mhardebeck@purdueefcu.com
• Associate Director: Kara Giano, CIA, CIDA, Golden 1 CU, (916) 817-6522, kgiano@golden1.com
• Associate Director: Doug Wright, Baxter CU, (847) 522-8600, doug.wright@bcu.org
CHAIRMAN’S MESSAGE

GROWING PAINS
by Sam Capuano

In the last issue, I wrote about change. It’s no secret that change has been the theme for your Association during my two years as Chairman. The only constant, it seems, has been transition.

Some of this has been beyond our control, while some of it was a conscious decision by the Board of Directors. And, I don’t think it is a trade secret that the transition period has been a tough one. Believe me, if I had known in May of 2009 that we would have three different association management firms over a 15-month period, and two surprise resignations of Board members, I would have auctioned off the Chair position on eBay. And offered a decent honorarium for anyone who wanted the position.

One thing I always say in these Chair Messages is to contact me with any concerns and complaints you may have. Suffice it to say, that message was received loud and clear. I have heard from you in droves, either by email, telephone, or in person, as I spoke at a few Regional meetings last fall. My Board colleagues have heard it as well. While there have been some positives, there are an awful lot of you who have expressed some unhappiness.

The loudest complaints have been regarding the ACUIA website, so I just wanted to provide a bit of explanation. The reason the site was not working at first was basically the whole site had to be recreated when we switched firms to Bacino & Associates last summer. This was unexpected, and all things considered, the folks from Bacino did a great job with this. This doesn’t mean it wasn’t a huge inconvenience to you folks, though, and on behalf of the Board, I apologize.

The other website issue was the ListServ. The Board took a detailed review of what we were paying for this service, and made a decision to do away with it, in lieu of going back to the forum system we had used prior to this. The line item cost for ListServ was huge, and we felt that because we could still have a forum, this would be a reasonable cost to cut.

While I still feel this was the right decision given the current economic climate, and since there was a viable substitute for ListServ, I regret not communicating this to membership at large in a better manner. We found out the hard way how much some of you relied on and liked the ListServ format, especially getting email updates of postings.

The good news is, most, if not all, of the website issues have been resolved. And it also looks as though we will be bringing back a ListServ-like system in the first quarter of 2011.

With all of this behind us then, it is finally time to look forward. As I expressed last issue, I am excited at what lies ahead for ACUIA. The 21st Annual Conference (June 14-17, 2011, so mark your calendars) in Austin, Texas is shaping up quite nicely. The folks from Bacino have some tremendous contacts within our industry, and this combined with the agenda Dana McCranie and her committee have been putting together will make for an outstanding lineup. Plus, Austin is an awesome city.

And the Board is hard at work with some positive member benefits, such as the all new Audit Guide. We are also very near having an active social networking presence, which should be a done deal by the time you read this.

2011 will mark not only my last year as an ACUIA Board member after many years, but also my last as Chairman. My promise to all of you is the year will be bigger and better than any prior one. Thanks for sticking with us; you won’t be sorry you did.
ACUIA EXECUTIVE OFFICE
815 King Street, Suite 308
Alexandria, VA 22314
(703) 535-5757
acuia@acuia.org
www.acuia.org
“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”
Interview: Dennis Dollar

Dennis Dollar is one of those individuals who needs no introduction -- especially when it involves credit union professionals. Dennis was nominated to the NCUA Board in 1997 and was designated as Chairman by President George W. Bush in 2001. During his time on the NCUA Board, credit unions experienced some of the most far-reaching legislative and regulatory changes in their history. As part of the NCUA Board, Mr. Dollar oversaw the making of all regulations for federal credit unions. In his capacity as NCUA Chairman, Mr. Dollar served as the Vice Chairman of the Federal Financial Institutions Examination Council (FFIEC), which is charged by Congress with the responsibility for coordinating the examination and supervision programs of the five federal financial regulatory agencies.
As a 22 year-old, Mr. Dollar was elected to the Mississippi House of Representatives where he served two terms. He won numerous awards for leadership on issues ranging from tax to education policies. Immediately prior to being appointed to the NCUA Board, Mr. Dollar served as President/CEO of what is now Gulf Coast Community FCU. He won the Dora Maxwell Social Responsibility Award from CUNA and was a top five finalist for CEO of the Year by Credit Union Times. He has been inducted into the CUES Hall of Fame, was awarded the 2004 Ambassador Award from the World Council of Credit Unions, and has been honored by the National Credit Union Foundation. The Audit Report was pleased to have the chance to sit down with former Chairman Dollar to discuss the important issues confronting credit unions and internal auditors.
Audit Report: Credit unions have taken their share of economic hits over the past year. On the whole, what is your impression of the credit union movement as we look at it today?

Dennis Dollar: “These are challenging times for credit unions, no doubt about it. But there are some real opportunities hidden in those challenges. Collaboration among cooperatives can bring about some real victories in these challenging times, expanding shared branching, building more innovative CUSOs, restructuring our checking accounts to become market leaders, managing bankruptcies more effectively…all of these can differentiate credit unions even in troubled times.”

AR: The corporate recapitalization was a significant financial loss for credit unions. What is the future of the corporate system? Will it survive in its current state?

DD: “I am convinced that there will be a corporate system in the future because of the reason corporates were created originally – credit unions need an industry outlet for services that we do not want to be forced to depend upon competitors to receive. Will it look exactly like corporates as we have come to know them? Certainly not with the new NCUA rules. But I believe we will see a corporate system with fewer corporates but more sustainable corporate credit unions long term. Remember that the same rules that saw conservatorships at five corporates also saw over twenty corporate credit unions remain viable enough to survive this crisis as potentially going concerns. Within those twenty-one surviving corporates, there were some like Corporate One and Volunteer Corporate whose members have not lost a penny in capital investment as of this date. The corporate model is changing, but it is far from dead. I believe we will see natural person credit unions re-investing as the corporates prove their business models will work under the new rules. It will be easier for the Corporate Ones and VolCorps that didn’t cost their members any capital, but I believe that most natural person credit unions will re-invest in corporates, despite the past two years of turmoil, because they would rather keep the bulk of their business inside the credit union system wherever they can – warts and all.”

AR: There has been a lot of talk about the increased role of credit union service organizations (CUSOs). Will CUSOs take the place of corporates? Can they soften the blow?

DD: “I happen to believe that CUSOs are an integral part of the future of credit unions, both as a source of innovative service offerings and future earnings. There could be a number of marketable CUSO offerings that will stem from the corporate upheaval, but I believe the greatest source of future CUSO activity is in credit unions offering services to each other through CUSOs – perhaps even services not currently offered through corporates, such as regulatory compliance support, trust services, and marketing support. I am very bullish on CUSOs and believe that, within the next five years, the growth of CUSOs will combine with the reduced number of credit unions through mergers and result in there being as many CUSOs as there are credit unions.”

AR: How has the role of the internal auditor changed during this time of financial upheaval?

DD: “The current regulatory and supervisory environment has turned the role of internal auditor from a luxury to a necessity at most credit unions. I believe that the internal audit function will only grow in importance in today’s credit unions. If I were to list the credit union management positions least likely to be cut during these challenging times, I would put internal audit at the top of the category considered ‘least likely’ to face the chopping block. The role of the internal auditor is destined to only grow in importance in an environment where over 70% of all credit unions are operating under some type of written administrative order from their regulator.”

AR: Is the internal audit function the same as when you ran a credit union?

DD: “The role of the internal auditor has grown with the regulatory and supervisory issues they deal with. I don’t think any credit union leader in the 1990s could have imagined the number of regulations he or she would be dealing with in 2011. I believe it has more than evolved – it has mass multiplied. While I believe there will eventually come a point where the regulatory pendulum must begin to swing back toward greater empowerment to avoid mass credit union failures or conversions to other charters, the question is when will this pendulum begin to swing? I do not see it swinging back in the next 18-24 months, so I believe the role of the internal auditor will only grow in 2011 and 2012.”

AR: Fee income opportunities have been limited over the past few years. How can credit unions offset some of their expenses with fee income? What opportunities still exist?

DD: “The most progressive credit unions are looking at ways to do what they already do better. For example, if interchange revenue and overdraft fees are going to be restricted by new regulation, credit unions are looking for ways to increase their checking account penetration in hopes of making up lost income through volume. Another example is through better bankruptcy management, which credit unions have never done as well as banks. Developing a strong private student lending program to replace the student loan business now taken over by the US government. CUSO development is another area that credit unions are looking at for non-interest income. There just are not a lot of new products to offer, so the challenge becomes finding ways to do the existing products better. However, as pointed out above, there are some opportunities in the ‘do it better’ arena.”

[Photo: Dennis Dollar at one of his many speaking engagements across the country.]

AR: The new NCUA proposed regulation regarding director knowledge has gotten a lot of attention. Do credit unions need more informed board members? Should they be compensated?

DD: “When I look at the challenges facing credit unions today, I see regulatory overreach as a greater cost to credit unions than a small handful of directors who need additional training. Is a continuing education requirement for directors worth considering? Certainly. Is it the biggest problem facing credit unions? Far from it. That having been said, I believe directors should look at this regulatory requirement and find a way to make it beneficial to them and not merely meeting a resented mandate. We at Dollar Associates are working to develop a director training module that will not only comply with the new rules, but which will help grow directors into even more valuable leaders of their credit unions through some very practical ‘how to’ information we have gathered through the years. While we don’t see the lack of director education as a major industry issue, it certainly will not hurt to see some innovative continuing education programs developed. There should be a longer period of time for compliance than six months however.”

AR: Where do you see the credit union movement in five years? Ten years?

DD: “In five years I believe credit unions will be coming out of the regulatory overkill brought about by the current financial crisis. That will be healthy, but it will require another five years before credit unions are hitting on all cylinders again. When credit unions are empowered rather than burdened with unnecessary

Cont’d on Pg. 22
FEATURE ARTICLE

Who’s On First
by Bruce Jolly, Esq.

The growth of an internal audit function within credit unions has brought a new level of professionalism to the industry. It has also surfaced tensions that ring true to the experience in the corporate and commercial banking world. Management is not always comfortable with the independence, and boards don’t fully understand how to best use the information being made available.

The first question is always – where does the audit function report? The marker was laid down in the Sarbanes-Oxley Act of 2002:

TITLE II—AUDITOR INDEPENDENCE
Sec. 204. Auditor reports to audit committees.
TITLE III—CORPORATE RESPONSIBILITY
Sec. 301. Public company audit committees.
Sec. 302. Corporate responsibility for financial reports.
Sec. 303. Improper influence on conduct of audits.

What’s an Audit Committee? The Act answers that question clearly:

(3) AUDIT COMMITTEE.—The term “audit committee” means—
(A) a committee (or equivalent body) established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer; and
(B) if no such committee exists with respect to an issuer, the entire board of directors of the issuer.

Certainly, a standard applicable to “public” companies cannot be applicable to volunteer boards of credit unions? Or can it and should it? Without question, management, particularly in larger asset-sized credit unions, can and should use the internal audit function as a watchdog to identify problems and concerns and call them to the credit union’s attention before the issues reach the eyes of the external auditor or, worse, regulatory scrutiny.

NCUA’s recent regulatory proposal articulates the standards applicable to Federal credit union boards of directors (75 Federal Register 15574, March 29, 2010). To summarize the NCUA position, if adopted, the duty of each director is to “[C]arry out his or her duties as a director in good faith, in a manner such director reasonably believes to be in the best interests of the membership of the Federal credit union.” And, in keeping with the standards set out in the Sarbanes-Oxley Act, NCUA states “… While a Federal credit union board of directors may delegate the execution of operational functions to Federal credit union personnel, the ultimate responsibility of each Federal credit union’s board of directors for that Federal credit union’s management is non-delegable.” (75 FR p. 15587).

Having grappled with these issues in the Nationwide FCU merger and other more contentious settings, the standard and direction of the proposal seem both an accurate statement of the law and solid guidance in structuring the role of the internal audit function. NCUA, without directing the result to the question – “internal audit works for and reports to” – makes clear that the Board is to:

Understand the Federal credit union’s balance sheet and income statement and, ask, as appropriate, substantive questions of management and the internal and external auditors….

The tension is real. To which body does the internal auditor owe its loyalty? Management, which is usually responsible for hiring and coordinating the internal audit functions, or the Board, which is ultimately responsible when things don’t go well? A number of decisions can illustrate the answer in most organizations. For example, who hires and fires the internal auditor? Who sets the budget? How are decisions made on which aspect of operations internal audit is to examine and the scope of the review? And, who gets the reports first? How are these questions answered in your credit union?

The assumption is that as credit unions, both state and federally-chartered, grow in size and complexity, the internal audit function will follow the path laid out in Sarbanes-Oxley for public companies. In the meantime, there is a solid role for the internal audit function that can be played out in every credit union – watching to make sure the critical decisions and information about those decisions are not discussed only by those that are executing them.

Bruce Jolly, Esq. is an attorney for Reed & Jolly PLLC located in Fairfax, VA.
FEATURE ARTICLE

11 for 2011: Hot Issues for Chief Auditors
by Danny M. Goldberg
As the dynamics of corporate governance continue to change, the role of internal audit must also evolve. Chief Auditors need to be on top of hot issues for the coming year; outlined below are 11 hot issues for 2011 (in no specific order).

Continuous Risk Assessment
Common auditor guidance states that audit risk should be assessed at least annually. On the other hand, auditing methodology should evolve directly alongside changing economics. That being said, assessing risk annually is an antiquated view. Considering the instability of the market and of business, risk should be assessed continuously or as risk factors change or information arises. Audit committee members should feel more comfortable with this approach and be able to adjust work plans accordingly.

The Rise of Audit Flex Time
As noted above, in order to have a flexible risk assessment process, you must have a flexible audit plan. Historically, most audit shops budget for 10-20% of flex time, which is general audit time that could be spent on a wide array of projects based on how the rest of the plan falls out. Chief auditors should build more flex time (25-30%) into the schedule in order to implement a continuous risk assessment.

Watching for the Mass Exodus
In many organizations, the Survivor employees can become very bitter about their current state. After a reduction in force, employees who are not released (Survivor) tend to fear for their livelihood and not add the value they were hired to add. Many major workforce surveys have shown that there could be significant turnover as the job market opens up. Chief Auditors should analyze current staffing levels and have a contingency plan to address changes in personnel over the next 12-24 months.
Renewed Focus on Operational Auditing
Regardless of economists’ statements that we came out of the recession in mid-2009, many companies and individuals are still struggling, and unemployment rates remain high. However, we definitely see signs of an improving economy. As the economy strengthens, auditors should focus on operational auditing to improve efficiency and effectiveness throughout the organization. Obviously, as internal auditors, we have obligations with regard to compliance and cannot accept roles that impair our independence, but ultimately we want our management to view us as a revenue generator and not an overhead cost. How does audit generate revenue? By decreasing costs.

About Danny M. Goldberg
GRC Practice Partner
SOFT GRC - Advice from Colleagues Not Consultants
15305 Dallas Parkway, Suite 300, Addison, Texas 75001
972.715.2039 – Main Phone
972.715.2099 – Main Fax
214.514.8883 - Cell
Danny.Goldberg@thesoftaudit.com
www.thesoftaudit.com
Continuous Auditing/Monitoring
Continuous auditing and monitoring (CA/CM) have been talked about for years as the next big thing. In the next five years, these talks will prove accurate. CA/CM will finally be embraced by many audit shops and, more importantly, IT shops to assist in streamlining the audit process and increasing its efficiency and effectiveness. Even those departments that have CA/CM products have not fully utilized and integrated these features into their organization, instead using them to pull samples or for monthly reports. CA/CM is much like conducting operational auditing; if our goal with operational auditing is to make processes better, should our goal not be the same internally?

Renewed Focus on Professional Development
Over the past three years, many companies have cut back on expenses significantly. What are the first expenses to be cut during down economic times? Travel and professional development (PD). PD is, in all actuality, the last expense that should be cut back on at this time. With the changing dynamics of the economy and the workforce, companies should focus on continuing to develop their employees.
Involvement in ERM
Enterprise Risk Management (ERM) has become very much in vogue over the past 5-10 years as companies begin to understand significant risks and focus on mitigating them. This movement was spearheaded by the numerous corporate failings of the first decade of this century, which also pushed the Sarbanes-Oxley Act of 2002 through as a regulation. As the economy turned for the worse, ERM implementations fell off significantly. If it was not required, it was not done. Now, as we begin to rise up from the harsh economic times, ERM will continue its ascent of the corporate importance ladder for two reasons. First, it makes sense that companies should make this effort and compile their risks based on likelihood and significance. Second, company management will feel it necessary to implement an ERM to acquiesce to constituents that all risks have been assessed and are actively being managed.

How does this affect internal audit? Hypothetically, the ERM should feed a significant portion of the audit risk assessment. Auditors should attempt to take an active role in the ERM process, as it will provide significant value to the organization. Per the Institute of Internal Auditors (“The Role of Internal Audit in ERM”), internal audit can:
• Provide assurance on Risk Management processes and that risks are correctly evaluated
• Evaluate the Risk Management process and report on key risks
• Review the management of key risks

If internal audit provides the following, certain safeguards are necessary:
• Facilitate identification and evaluation of risks
• Coach management in response to risks
• Coordinate ERM activities
• Consolidate the reporting on risks
• Maintain and develop the ERM framework
• Champion establishment of ERM
• Develop risk management strategy for board approval

On the other hand, internal audit should not perform in the following roles:
• Setting the Risk Appetite
• Imposing risk management processes
• Managing assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management
Reassessing Skills and Needs
As the dynamics and roles of internal audit continue to evolve, chief auditors should continue to reassess skills and current needs. Having a diverse skill set available in your department is very important, and assessing the needs and attrition that will occur in the coming years will keep you ahead of the curve.

Changing Regulatory Landscape
Convergence to the International Financial Reporting Standards (IFRS) is happening as we speak. With FASB converging GAAP standards with IFRS, IFRS is not 5-7 years away; it is happening now. Significant changes in lease and inventory accounting, to name a few, are occurring as we speak. Regardless of an entity’s public or private status, all companies will eventually be affected by the changing standards, sooner rather than later. Additionally, there is the possibility for significant cost and complexity associated with changes in lending regulations including the CARD Act (law and related regulations surrounding credit cards). Finally, there is the significant uncertainty and future regulatory impact associated with mortgage, consumer protection, and interchange regulations coming out of the Frank-Dodd Financial Reform Act. In these uncertain economic and political times, the regulatory landscape continues to morph. As CAEs, we must stay abreast of these changes and understand how they affect our organization.

Cont’d on Pg. 22
FEATURE ARTICLE

Sometimes You Shouldn’t Answer the Knock at the Door!
by Tom Schauer, CISA, CISSP, CISM, CRISC, GCIH, CTGA

Credit Union employees are trained to focus on member service. One possible differentiator of credit unions over their bank counterparts is a keen focus on individual service and community involvement. But these very traits can make a credit union more susceptible to an attack method named “social engineering.” Social engineering is a form of hacking that relies on influencing, deceiving, or psychologically manipulating unwitting people to comply with a request.
A while back a credit union hired our firm, TrustCC, to test its security efforts through social engineering. This particular credit union had a server in each branch and the servers recorded financial transactions throughout the day. The credit union asked us to try to trick employees into giving us access to the sensitive transaction data. We devised a scheme to trick employees into giving us the backup tape used to back up the financial data on a nightly basis. We selected five branches to visit. Armed with a blank tape, we visited each branch claiming to be a consultant to IT who was hired to test the branch backup tapes to ensure the credit union could recover from the tapes. We offered to exchange our blank tape for the previous night’s backup that we’d “take back to the main branch to ensure the backup is recording correctly.” In a perfect world the credit union’s personnel would have verified our identification and contacted known IT personnel to verify our authorization to obtain the tape.

This particular testing method is called “site visit social engineering.” Other forms include email phishing, dumpster diving, and pre-text calling. Email phishing generally involves an invitation to click on a link to visit a website and enter to win a prize. Dumpster diving involves searching through discarded materials in an attempt to find sensitive information, or searching through offices after hours to see if materials are not properly safeguarded. And pre-text calling involves scripted calls to personnel in an effort to get them to divulge useful information.

The Gramm-Leach-Bliley Act (GLBA) requires that credit unions regularly test the key controls deployed to protect sensitive member information. Social engineering tests the effectiveness of administrative policies/procedures and security awareness training.

Before learning how the credit union in our example fared, you should ask yourself a few questions.... What would your personnel do if asked to provide access to data by someone who claimed to be from your IT department? Your employees are trained to give service with a smile; but do they also know never to trust the identity of someone they have never met, especially those requesting access to sensitive information or asking questions that could lead to unauthorized access? Does your team understand that the value of information is often as great as or greater than the value of cash that the information represents? What would happen if sensitive personal or corporate information from your organization got into the wrong hands? Do you think members would be happy to find that their information was handed over to someone your institution blindly thought could be trusted?

Back to our story…. Four of the five branches gave us the backup tape we sought. That’s an 80% success (or failure) rate! The tapes provided us with account data, transactions from the past seven days, routine and confidential documents, and much more sensitive information. What does an institution do to recover from such an enormous data intrusion? There is little reactive response to mitigate a breach like this. Therefore it is critically important to prevent data breaches.

The credit union sought to greatly improve security awareness and developed a one hour security training course with mandatory attendance for all current and new personnel including contractors and vendors. The session was conducted using the training staff from the financial institution and was fully integrated into the institution’s new hire training program. The total cost of designing and performing the training was around $1,000 for our assistance, plus the costs associated with reproducing training materials and time related to sending trainers to visit each location. In comparison to the cost of a breach and the loss of reputation associated with a breach, the cost of training was exceptionally affordable.

The training curriculum included:
• Strong articulation on the value of information in all forms including electronic, written and spoken,
• Procedures to verify the identity of any site visitor or telephone caller asking for specific data,
• Procedures for reporting similar incidents to the appropriate security team,
• Procedures for identifying and logging visitors attempting to gain access to secure areas, and
• A mindset of being cautious and wary of people lurking around, attempting to “shoulder surf” or steal your login credentials.
The safety of your sensitive data is as strong as the weakest link in your organization.
After the new training was completed, social engineering testing was re-performed at four additional branches that had not been previously tested. Of the four branches tested we were successful at one, representing a 25% success/failure rate. The hour of security awareness training clearly achieved its objective (yet also demonstrated that an organization cannot rely upon the absolute effectiveness of any one control)!

Every financial institution should have a security awareness program that is continuously refreshed in the minds of all personnel, for as time goes by people will let their guard down and fail to remain watchful for intruders. In addition, as new personnel join your team they might not understand the consequences that a breach may incur or may not know how easy it is to get past a trusting teller. And regular social engineering testing should be performed in order to evaluate the effectiveness of your security awareness training efforts.

There isn’t a better time to start your security awareness training program than now. And of all the efforts you could undertake to improve your security, security awareness training will be one of the most affordable and one of the most effective. A typical security awareness training program may include classroom training, online training, brochures, posters, and some credit unions even host a “security awareness” week featuring effective yet funny training movies and give-aways. Larger financial institutions should consider targeted training for specific groups including managers, IT personnel, compliance, and audit.

Notably, some credit unions also have security awareness training for their members. This is an excellent service for a credit union to provide.

In 2006 Microsoft published an excellent paper on “How to Protect Insiders from Social Engineering Threats” and this paper remains an excellent resource for the development of a security awareness training program. Find it at: http://www.microsoft.com/downloads/en/details.aspx?familyid=05033e55-aa96-4d49-8f57-c47664107938&displaylang=en

About Tom Schauer, CISA, CISSP, CISM, CRISC, GCIH, CTGA

Tom has been practicing in IT security, audit and compliance for over 24 years. He started his career as an information security analyst at a $3.5B bank. Tom later developed and led IT audit and security practices for Ernst and Young and Deloitte. In 2000, Tom recognized that community size banks and credit unions were underserved by existing consultancies so he started TrustCC to specifically address this unmet need. For the last ten years, TrustCC has performed hundreds of IT audits and security vulnerability and penetration testing for credit unions and banks throughout the United States. From 2003 to 2007, Tom and his team performed IT exams at approximately 85 Washington State Credit Unions. A perfect trifecta, having experience 1) as a security professional within a financial institution, 2) as an examiner of IT compliance for a regulatory agency, and 3) as a consultant providing IT audits and security assessments, Tom brings a rare set of experiences and expertise to any team. Tom is a frequent speaker at numerous national and international conferences including those hosted by the IIA, AICPA, ISSA, NASCUS, CMA, ACUIA, ISACA, OTS and NCUA.

Is security awareness training a beast you’re not sure you can tame? TrustCC is an excellent resource for all the materials needed to perform effective security awareness training including posters, handouts, and a multitude of video presentations. We offer these materials for no fee and charge only our cost for the production and distribution of materials. Please email us at info@trustcc.com for more information.
THE STANDARDS
Resource Management
By Pat Richey, CFE, NCCO, CTGA
The International Standards for the Professional Practice of Internal Auditing includes Standard 2030 - Resource Management. A credit union internal audit department must ensure that it has the resources to complete the audit plan. There’s no point in developing an ambitious audit plan if the audit department doesn’t have the resources needed to complete the plan.
I suppose a credit union internal auditor could develop an audit plan and then obtain the resources needed to complete the plan, but whoever heard of that! It is more likely that the auditor will be told “These are the resources you have and you need to develop an audit plan based on those resources.” Standard 2030 says that the resources must be “appropriate, sufficient and effectively deployed to achieve the audit plan.” Appropriate and sufficient is a quality and quantity issue. In the case of human resources, are there enough internal auditors and do the internal auditors collectively possess the knowledge and skills necessary for a quality work product?
Effective deployment is maximizing what resources you have for the greatest efficiency and effectiveness in discharging the responsibilities outlined in the Internal Audit Charter.

Internal Audit Department Size
Every credit union internal audit department is understaffed when the magnitude of the audit universe is considered. All internal auditors would like to increase the size of the audit function; audit department size is a frequent topic on the ACUIA Listserve/Forum. I think the best way to justify increasing staff is to provide the decision-makers (Board, audit committee and/or management) with the audit universe and point out what is NOT getting audited because there are insufficient resources.
However, Internal Audit is a cost center and therefore it can be hard to justify increasing credit union expenses. I feel very fortunate that there are two people in my audit department (myself and a Staff Auditor). I don’t know how a one-person audit department gets anything done. We increased from one auditor to two full-fledged auditors very gradually, so there was never a significant budget impact from one year to the next. We started with a full-time internal auditor and a 20-hour a week “internal audit assistant” which was a salary grade 4 - just one salary grade level above a teller. Then the next year the part-time position went to 30 hours, and then the next year the position went full-time. Then we slowly started adding responsibilities which required increasing the grade level until we got to a grade level that required an associate’s degree. Then we continued to increase responsibilities until the position required a bachelor’s degree, and now that salary grade 4 internal audit assistant position is a salary grade 11 staff auditor.

Increasing Resources
One way to increase resources is to engage service providers to perform some audits (e.g. BSA, ACH). For guidance on using outside service providers see Practice Advisory 1210.A1-1 Obtaining Services to Support or Complement the Internal Audit Activity. I wrote about outsourcing in The Audit Report 2007 Issue 3, so I won’t cover that material again. Also, I am not an expert on engaging service providers as the only audit I outsource is IT vulnerability assessments and penetration testing. I know of one credit union that engages a retired credit union internal auditor to perform audits. Also, some audit departments use credit union managers to augment their resources such as using a branch manager from one branch on the audit team to conduct an audit at a 2nd branch.

Professional Proficiency
Resources include more than the human resources issues of salary and benefit expense. The credit union must support internal audit with funds for continuing professional proficiency such as training, professional association dues, and certifications. Also, internal audit has to wisely manage those resources.
Financial Support
Many credit union internal audit departments have had their training dollars slashed as credit unions try to rein in expenses. So far, my training budget has not been cut. My staff auditor and I each get one conference. However, internal audit has voluntarily been cutting back on expenses so that we can do our part in reducing expenses. I used to budget for 8 webinars a year but in 2011 we are only budgeting for 2. However, management is always registering for webinars and the great thing about webinars is that anyone can attend, so internal audit will go to management sponsored webinars. Also, more and more we are finding free webinars of which we take advantage. My staff auditor is a licensed attorney and the credit union allows her to use the credit union’s tuition reimbursement program for her required continuing legal education credits.
Space and Equipment
Of course, the credit union has to provide space, furniture, equipment and supplies for the audit department. Fortunately, when my credit union renovated and started going to cubicles for everyone, Internal Audit was given a very large office which my staff auditor and I share, with windows along the length. Back in the old days when I started at the credit union, we had 1 computer for the two of us. Now, we each have a computer with 2 monitors!

Software
One way to become more efficient and effective is to use audit software. However, according to an article in the IIA Internal Auditor, some audit departments seem unwilling or unable to invest in such software. So far I have not asked the credit union to invest in audit software, not because I am unwilling or unable, but strictly from a budget standpoint. However, according to the Internal Auditor article, internal auditors can justify software expenses by examining the number of work hours audit staff could save, how that time could benefit audit activities, cost savings, and the number of additional audits from which the credit union could benefit. The article concludes that audit software investment might be a tough case to make in this economy but better software use could help ease the pain.

Deploying Resources
One of the roadblocks to deploying resources is all the unanticipated items that internal audit needs to address that are not on the audit schedule, such as internal fraud investigations, or being asked to consult on a project. The way I plan for unanticipated activities is that my staff auditor follows the audit schedule with no deviations and I handle all the unanticipated activities. For audit planning purposes, we only schedule the number of audits that the staff auditor can handle. I only schedule one or two audits for myself and then handle all the unanticipated activities/audits. If I have time available I help out on the scheduled audits. In this way we always complete our audit schedule because we don’t over-schedule.

Staff Development
Of course, like in any other discipline, resource management includes developing staff. Internal auditors should consider succession planning, communication, and other typical human resource activities. I have always developed my staff auditors to do a very broad range of audit activities, which I usually refer to as résumé building. Also, I develop my staff auditors to be able to replace me in my absence. In that regard I share all my knowledge with the staff auditor to ensure the staff auditor is up-to-date on all issues. During the performance evaluation process, the staff auditor communicates her training needs to keep up with ever changing conditions.

Communicating Needs
The credit union internal auditor needs an open line of communication with the Supervisory/Audit Committee and appropriate management about resource needs. As part of the audit planning process, ask senior management for their audit priorities, and if you can’t meet those priorities, let them know why. Also, be sure to communicate how effectively internal audit is managing the resources it does have. Credit union internal auditors should be sharing with the Audit/Supervisory Committee how it is performing compared to the audit plan. At each monthly Supervisory Committee meeting I give the Committee the list of planned activities for the month and at the next monthly meeting I share how we did compared to plan. If something was not completed as planned, I tell the committee why. At the end of the year we look at the plan as a whole and what got accomplished.

Conclusion
Internal audit resources need to be adequate to get a broad coverage of areas and to be able to look at some areas with a deep scope. Lack of resources could result in a narrow scope of activities with the internal auditor just skimming the top. Consider your audit universe and communicate with management and the audit committee the lack of coverage in significant areas.
MEMBER SPOTLIGHT
by Tabitha Ernst-Chadwick
Doug Wright

Our spotlight this issue is Doug Wright, the newest ACUIA associate board member. Doug is the VP of Audit and Compliance at Baxter Credit Union, headquartered in Vernon Hills, IL.

Tell us about yourself Doug. Let’s start with the fun stuff. What do you do in your spare time?
What spare time? (just kidding). I spend a lot of time working out (running when my knee allows it), golfing, boating, and this time of year, snowboarding.

Ok, how about professionally? Tell us about your background and your education.
I have a BS in Accounting from Indiana University. Except for one year when I was a Financial Reporting Manager for a company that was being sold, I have spent my entire career as either an external or internal auditor. I previously have worked in the Public Accounting, Banking, Life & Health, and Property Casualty Insurance fields.

What about professional certifications? Which certifications have you received, and how have they enhanced your knowledge and/or career?
CPA, CFE, CUCE. They have helped my career in several ways. Besides the knowledge and ongoing professional education, these certifications help establish a certain amount of credibility when dealing with management.

How did you initially become involved in auditing?
When I was still a freshman in college, my Dad (who was an accountant) convinced me to study accounting after I had switched my major for the 3rd time. The year I graduated, the job market was not very good, and the public accounting firms were the only companies hiring accountants. I managed to land a job with a “big 8” firm, found that I liked auditing, and have stayed with it ever since.

Is there anything you know now that you wish you would have known coming into the industry?
How many hats a credit union internal auditor has to wear. When I interviewed for my current job, the job description basically was all internal audit related activities, with one sentence stating “and compliance related activities as needed.” Today, I only spend about a quarter of my time doing Internal Audit related work!

What have you found to be the most useful tools in streamlining audit processes, enhancing efficiencies, and making audit a value-added service?
Access to data to run queries to support our audit testing. We just use Microsoft Access to query a SQL database, but have found it to be a very powerful tool.

Over the years you’ve been involved in auditing, how has the industry changed?
Technology is the key thing. Not to date myself, but when I started my career, the public accounting firm I worked for was just rolling out “mobile computers” (not laptops!) to take to client locations. These were the Compact Computers that were the size of a large suitcase, had a little 2 by 3 inch black and white screen, used floppy disks, and had a whopping 256K of RAM. I laugh at this memory when I consider how much power the laptops we use today have by comparison.

What are the major challenges you feel the industry faces today and how can internal auditors overcome those challenges?
Like everyone else, we are increasingly asked to do more with the same or fewer resources. Specifically at my CU, some of the back office functions are struggling to keep up with what I like to refer to as basic “blocking and tackling” as they are also expected to complete projects and other member service initiatives. As auditors, we need to be cognizant of this, and when we do our audits, we need to look for process efficiency opportunities and help these areas understand and manage their primary risks. So besides the usual testing of controls, we also need to think of ourselves as process consultants to our internal clients.

What advice would you give to a new auditor just entering the field?
I have managed a lot of new auditors over my career, and I would say the number one issue I have noticed for the majority of them is that they tend to lack professional skepticism. They tend to accept explanations without actually looking for collaborating evidence. It usually takes some time for them to learn the “trust, but verify” approach. On the other hand, I have also had one or two new auditors on the other extreme. One guy was so bad, he would not accept any management explanations and would spend an inordinate amount of time validating very minor, no-risk details.

What types of background/experience do you look for in your staff auditors to make a well-rounded department?
I tend to follow the Public Accounting model and try to hire Accounting or Finance majors. Basically, I look for smart people who are inquisitive, and have good communication and technical skills. The experience factor is more relevant to the level of position being filled.

What about your ACUIA experiences? How long have you been a member?
I joined the same year I started working at Baxter Credit Union in 2003.

What ACUIA membership benefits do you find most rewarding?
The networking opportunities and the resources on the web site.

What volunteer opportunities have you embraced in the organization and how has that enhanced your membership?
The Associate Board Member gig is the first, so let’s see how it goes.

Thanks Doug! It was great getting to know you!

FUN FACTS ABOUT DOUG
Favorite sports teams: Chicago Cubs (I know, 102 years and counting)
Most hated sports teams: The St. Louis Cardinals of course!
Favorite food: Chile Rellenos
Favorite vacation destination: Vail, CO
Favorite run at Vail: The Star in Blue Sky Basin
What most people don’t know about me: I am a cable network news junkie, CNN, Fox, MSNBC, bring it on!
11 for 2011, cont’d from page 13

Cross-Training Your Auditors
The strict separation of general and IT auditing continues to dissolve. Auditors must cross train and continue to push their own boundaries of learning and skills. All CPAs and CIAs should strive to obtain the necessary skills to complete IT audits and obtain their CISA certification, and vice versa. As departments continue to look for ways to conduct efficient and effective audits, having multifaceted auditors will be one of the first steps.

Practical Application of Statistical Sampling
The art of statistical sampling has been lost in today’s audit world. Most auditors conduct sampling based on a haphazard methodology or judgmental selection. What many auditors do not realize is that in utilizing one of these methodologies, one cannot extrapolate the findings over the population to come to a focused conclusion as to how the sample affects the entire population. As these are non-statistical methods of sampling, extrapolation is not possible. That being said, utilizing statistical methods of sampling is easy, can be extrapolated and helps to alleviate any doubt or bias in sampling methodology. Additionally, with the sampling programs on the market today, sampling is easy to use and apply and requires a minimal monetary investment.

There are many topics that should be addressed by Chief Auditors in 2011, including those outlined above. The important step is to make sure the most significant issues are on the top of your list for the New Year.

Interview With Dennis Dollar, cont’d from page 9

Photo: Dennis with his business partner and fellow principal of Dollar Associates, LLC, Kirk Cuevas

regulation, I think you’ll see the earnings growth and expansion of services that we saw during the RegFlex era of 2001-2007 even more robust in the 2014-2020 timeframe. Until then, credit unions are going to face a challenge with expanded regulation and stifled innovation. The only thing that can change that is a more reasoned and balanced regulatory approach, something that will happen but perhaps not until the current economy gets back on track in the 2012-2013 timeframe.”

AR: What are the biggest obstacles facing credit unions over that same time period?

DD: “Income generation is the biggest need of credit unions in this period of heavy regulatory burden impacting historically steady income sources coupled with the increased costs of insurance assessments. A credit union cannot meet its mission if it has no margin.”

AR: Are you bullish or bearish on the credit union movement?

DD: “I am bullish on the credit union future, but I am a realistic bull. Without a more balanced and effective regulatory approach that recognizes the value of growth and innovation, the bull could just be wandering for years barely surviving in a pasture of thorny regulations and fading grass. However, with the type of reasoned approach of earned regulatory flexibility that must inevitably come or the credit union charter itself will become nonviable, the bull can be unleashed. As we saw in the greatest period of credit union growth in American history from 2001-2007, a safe and sound credit union movement that is empowered to grow and innovate can make a tremendous difference for the American consumer. I prefer to be bullish, as I have seen the meat on a bull that is allowed to safely exercise itself.”
What’s Happening on the Forum

by Warren Whiteoak, CUCE

Summary of Recent Discussions on the ACUIA Forum

For those of you who do not know, the ListServ is history, and unfortunately all of the valuable insights contained on it are also gone. The ListServ was costing the Association too much money. The Board decided it was necessary to discontinue it as part of their due diligence and to keep membership dues at their present level. The ListServ has been replaced with the Forum, which can be found on the new ACUIA web site. I encourage everyone to visit the Forum and participate in the discussions. The Forum has gotten off to a slow start. Hopefully as more folks find out about it, it will become more widely used. So spread the word.

Check out the new forum and website at www.acuia.org
Question:
What is the cash limit for a teller’s cash drawer?
Answer:
The replies ranged from $15,000 to $1,000, the lower limit being where the tellers used a cash dispensing machine.
Question:
What criteria is used to identify possible check kiting?
Answer:
See the Forum for some ideas.
Question:
One of the earliest topics was the scope of closed account confirmations. Are any types of closed accounts excluded?
Answer:
The only types excluded were if the member was deceased or if the funds were transferred to an existing account.
Question:
Do you have a full time security guard at your branches?
Answer:
Most respondents said no. One credit union in a major metropolitan area has a security guard at each branch.
Question:
What are you doing to discover fictitious loans?
Answer:
See the Forum for some suggestions.
people helping people
by Linda Goff, CUCE
Coming to your area in 2011
Have you ever thought that it would be great if a group of local credit union internal auditors could get together periodically to discuss topics of interest, or maybe have a speaker come in and talk about current events in the credit union industry? If that is indeed something you have thought about, then why not start up a chapter in your area?

The great thing about chapters is that the group decides how they are run. Some chapters have regularly scheduled meetings, while other chapters meet as a need arises. The format varies as well, with some being all discussion on topics submitted by the participants. Others bring in speakers for the meeting. There is no right or wrong way to do a chapter meeting!

Chapters are easy to form. All you need to do is get together and then select a chapter coordinator. Once that’s done, you just need approval from the board of directors to make your chapter “official.” This is best done by contacting your Region Director and asking him/her to submit to the board your desire for a chapter. Chapters can be for an entire state, or a smaller geographical area.

The Tennessee Chapter is one of the oldest chapters and has been around since the late 90s. Mark Jenkins is the current coordinator for the chapter. Mark feels the biggest benefit is the networking. He says it allows you to bounce things off of other auditors to get different viewpoints on what works and doesn’t work. He says the email discussions are good, but the local chapters allow you to get feedback from others in the same geographical area. The Tennessee chapter meets two to three times a year, and moves around so that more auditors get a chance to attend, since the state is long and narrow.

The Minnesota Chapter coordinator is Van Sprenger. Van says their chapter does two things and feels both are very useful. Once a year they hold a ¾ day meeting. They have three local CPA firms that specialize in credit unions, who are very willing to lead a session. They also have vendors that volunteer their time. Van says that they invite non-ACUIA members to the meeting as well. The inclusion of these non-members has resulted in several of them joining ACUIA. They limit their invitation to credit unions that are over $50,000,000. The other thing the chapter does is have a monthly luncheon, where the ACUIA members get together and just eat and talk about whatever comes up.

The New York City Chapter has been around since 2005 and Warren Whiteoak is the coordinator. The chapter meets quarterly. The agenda for these meetings is based on topics submitted by the participants. Warren feels the major benefit to chapter members is the networking that goes on during the meeting and throughout the year via emails.

The Indiana Chapter doesn’t have a set schedule, but when they do meet they try to have an all-day meeting, since everyone is so spread out from one another. The central portion of the state has gotten together on occasion to discuss topics over lunch. Pat Richey is the chapter coordinator.

The Carolina Chapter is one of our newest chapters and the chapter coordinator is Roger Holcomb. They have just met twice, once to set up the chapter and discuss what direction the chapter wanted to go, and then right before the Region 6 meeting in September. Roger feels the emphasis of the chapter should be on the interaction between the members, sharing experiences and information. He looks at the chapter as more of a “peer group” of credit union internal auditors who have something in common (the area in which they operate).

Shashawnee Newhouse is the chapter coordinator for the St. Louis Chapter. Shashawnee says she feels she can speak for everyone in her chapter, that the chapter is a great resource. Anytime you need assistance with anything, one of the group is always willing to answer your call or respond to an email. The St. Louis Chapter meets once a quarter to discuss any current issues.

So, if you wish to start a chapter in your area, or would like more information, contact your Region Director. I think Shashawnee sums it up best. She says “The best thing about credit unions is ‘people helping people.’ That is exactly what the chapter means to me.”

Photo: ACUIA Chair Sam Capuano delivers an address at a recent regional meeting.
Please see pages 26-28 for more information on regional meetings and joining a chapter.

Photo: Regional meeting attendees get “hands-on” experience at a recent ACUIA meeting.
ACUIA NEWS
REGIONAL NEWS

REGION 1
Director Julie Wilson
Internal Auditor, iQ CU
juliew@iqcu.com
No news for Region 1; contact Julie for regional information.
REGION 2
Margaret Chamberlain
Audit Manager, Arizona State CU
margaret.chamberlain@azstcu.org
No news for Region 2; contact the new regional director, Margaret Chamberlain, for regional information.
REGION 3
Dean Swenson
General Auditor, Wings Financial FCU
dswenson2@wingsfinancial.com

Region 3 said goodbye to Pat Richey as the region director. Many thanks go out to Pat for her guidance and assistance to the ACUIA members of Region 3. My name is Dean Swenson and I will follow Pat as the Region 3 director; I can’t say “replaced” because Pat cannot be replaced! I have been the General Auditor with Wings Financial in Apple Valley, MN for over five years and a member of ACUIA since I started there. I look forward to becoming more involved with ACUIA and Region 3 over the upcoming year.

Meeting News, by Pat Richey
Region 3 held its annual 2 ½ day meeting in Cleveland, OH September 22-24, 2010. Thank you to the following speakers who helped make the event a success:
• Scott Sturkie, CUDefense
• Pat Richey, Finance Center FCU
• Dan Shea, Zix Corporation
• Adam Ciroli, Federal Reserve Bank, Cleveland
• Robert Rutkowski, Weltman, Weinberg and Reis Co
• Bonnie Gall, Century Federal FCU
• Arvin Clar, Ohio Attorney General’s Office
• Bob Parks and Andrea Badics, Doeren Mayhew

A special thank you to Bev McMahon, Century FCU and her CEO, Tony Coniglio, for arranging all the logistics. Couldn’t have done it without them. I think the highlight of the meeting was Arvin Clar’s two sessions on robbery and fraud interviewing. I know several attendees were very interested in having Clar do robbery training at their credit unions after his entertaining presentations. Perhaps we can get Clar as a speaker in Austin, TX next June. Also, the meeting included a tour of the Federal Reserve Bank of Cleveland, but the highlight for me was the evening visit to the Rock and Roll Hall of Fame (my motivation for having the meeting in Cleveland to begin with). Thank you to all the participants.
REGION 4
Director Claudia Rodriguez, CFE
GECU Internal Audit
claudia.rodriguez@gecu-ep.org
The 2011 Region 4 Meeting is tentatively scheduled for August 2011. I would like to send out a survey to the membership to get suggestions on schedule, location, topics, and more! Check the ACUIA website for more details to come. Feel free to contact me if there are any specific topics or speakers you would like to see on the agenda for next year. I am open to any suggestions!
REGION 5
Director Lorraine Heneka, MBA, NCCO
Director of Internal Audit, Hudson Valley Federal Credit Union
henel@hvfcu.org

Region 5 had another successful meeting this year, with 37 in attendance. The meeting was held on October 4th & 5th in Albany, NY. Attendees were educated on a wide variety of topics and also had time to network with both peers and speakers. Thank you to John Gallagher and his staff at SEFCU for hosting again this year—as always, you did a great job for us.

Thank you also to the following individuals who gave presentations at the meeting:
• Jay Bowman (Accume Partners), The Supervisory Committee – Four Perspectives
• Mark Cantor (NCUA), NCUA Hot Topics
• Victor Howe (McGladrey & Pullen LLP), Emerging Hot Topics
• Michael Carter (CUANY), Compliance Update
• Christopher Dietter, James Flynn and Craig Zellar (Firley, Moran, Freer and Eassa, P.C.), Understanding the External Audit
• Dan Juneau (Security Compliance Associates), Auditing for PCI Compliance and E-commerce & Website Compliance

I will be starting plans for the 2011 meeting soon. Watch your email for details. If you have suggestions for speakers or topics, feel free to contact me at henel@hvfcu.org. I wish you all a happy, healthy, and successful 2011.

REGION 6
Director Lora Worthy, CUCE
Internal Audit Manager, Marine FCU
lworthy@marinefederal.org

The Region 6 meeting was held September 22 - 24, 2010 in North Charleston, South Carolina. I think we had a successful 2 ½ day meeting with great speakers and topics. I am tremendously grateful to all the speakers who donated their time and expertise to the organization. The list of the speakers included Bonnie Karst Cuiffo, South Carolina FCU; Dan Moulton, OCM; Harvey L. Johnson, WittMares; Jay Bowman, Accume Partners; Frank Drake, Smith Debnam Naron Drake Sintsing & Myers, LLP; Sam Capuano, Sunmark FCU; Thomas Richardson, IIA; Scott Sturkie, CU Defense; and Richard Polanco, FBI, Columbia, SC Office. They were all a pleasure to work with. I would like to extend a special note of thanks to Scott Wood, President/CEO; Margaret Miller, Sr. VP; and the entire staff at South Carolina FCU for hosting the meeting. Their kindness, readiness to assist, and professionalism far exceeded my expectations.

Planning for next year’s meeting has begun, but I need your participation. If you have suggestions for topics or speakers, I would be glad to hear them. Please email me at lworthy@marinefederal.org. I look forward to hearing from you.

Chapter News, by Roger Holcomb
The recently organized Carolinas chapter held its second meeting on September 20th, at The Charleston Crab House in Charleston, SC, in conjunction with the Region 6 meeting. Lora Worthy, Region 6 Director, and Roger Holcomb, Chapter Coordinator, were present, along with five other credit union internal auditors from the Carolinas. The group enjoyed a delicious dinner and held an informal roundtable discussion on various topics, including concentration risk, the change in ACUIA management firms, NCUA examinations, fraud, and other current topics. The next meeting will be scheduled in the spring at a location to be determined.

GOT QUESTIONS? Contact your regional director to find out the latest on region news and events.
REGION DIRECTORS
Region 1: Julie Wilson, juliew@iqcu.com
Region 2: Margaret Chamberlain, margaret.chamberlain@azstcu.org
Region 3: Dean Swenson, dswenson2@wingsfinancial.com
Region 4: Claudia H. Rodriguez, CFE, claudia.rodriguez@gecu-ep.org
Region 5: Lorraine Heneka, MBA, NCCO, henel@hvfcu.org
Region 6: Lora Worthy, CUCE, dswenson2@wingsfinancial.com

CHAPTER COORDINATORS
California Chapter: Kara Giano, kgiano@golden1.com
Carolina Chapter: Roger Holcomb, roger.holcomb@sharonview.org
Indiana Chapter: Patricia Richey, CFE, NCCO, CTGA, prichey@fcfcu.com
Minnesota Chapter: Van Sprenger, NCCO, CIA, vsprenger@toplinecu.com
New York City Chapter: Warren Whiteoak, CUCE, CFSA, wwhiteoak@progressivecu.org
St. Louis Chapter: Shashawnee D. Newhouse, shewhouse@firstcommunity.com
Tennessee Chapter: Mark Jenkins, mjenkins@tvacreditunion.com
Utah Chapter: Randy Manscill, CIA, CFE, CFSA, rmanscill@americafirst.com

Contact these volunteer leaders and get involved in local ACUIA activities.
ACUIA SELECT (as of January 1, 2011)
Benefactor Level ($5,000)
Sponsor Level ($4,000)
Supporter Level ($2,500)
ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 535-5757.
Membership Application
January 1, 2011 – December 31, 2011
For additional memberships, make copies of this application; go to the website at www.acuia.org to download the form or to apply online.
Payment Processing Center 815 King St., Suite 308, Alexandria, VA 22314 Toll Free (866) 254-8128 – Fax (703) 683-0295
Source: AR0210
Credit Union Information
Credit Union: ______________________________________
Website: __________________________________
Credit Union CEO: _________________________________
Toll Free Number: ______________________________
Address: _________________________________________
State: ________________
ZIP: __________________
DP Firm: __________________________________________
Audit Firm: _____________________________________
Membership Options
Regular (Internal Auditor)
___$200 One Internal Auditor Member
___$300 Two or Three Internal Auditor Members
___$400 Four Internal Auditor Members
___$100 Each Additional Auditor Beyond Four
Supervisory/Audit Committee
____$100 per Supervisory/Audit Member
Primary Member Information
Privacy Information: Do not include my name in the ACUIA Directory ☐
First Name: ________________________
Last Name: _______________________
Suffix:
Title: _____________________________
Phone Number: ____________________
Extension:
Fax Number*: ______________________
Email address*:
2nd Member Information
Privacy Information: Do not include my name in the ACUIA Directory ☐
First Name: ________________________
Last Name: _______________________
Suffix:
Title: _____________________________
Phone Number: ____________________
Extension:
Fax Number*: ______________________
Email address*:
3rd Member Information
Privacy Information: Do not include my name in the ACUIA Directory ☐
First Name: ________________________
Last Name: _______________________
Suffix:
Title: _____________________________
Phone Number: ____________________
Extension:
Fax Number*: ______________________
Email address*:
4th Member Information
Privacy Information: Do not include my name in the ACUIA Directory ☐
First Name: ________________________
Last Name: _______________________
Suffix:
Title: _____________________________
Phone Number: ____________________
Extension:
Fax Number*: ______________________
Email address*:
*Fax and/or email will be used for member communications.
Payment Information
Payments to ACUIA are not deductible as charitable contributions for federal income tax purposes. However, they may be deductible under other provisions of the Internal Revenue Code. Federal Tax ID # 39-1666875
☐ Credit Card (Circle One): VISA   MasterCard   Discover
☐ Check or Money Order Enclosed #: ____________________
Card Number: ____________________________________
Expiration Date: ____________
Security Number: __________ (3 – 4 digit number on back)
Cardholder Name: _________________________________
Cardholder Address: _________________________________
Authorized Signature: ______________________________________________
Date: ______________________________

The Association of Credit Union Internal Auditors (ACUIA) collects credit card information to make it easier for you to sign up for membership, as well as pay for other services. ACUIA does not use or share credit card information for any other purpose. We retain such information as is needed for standard accounting record keeping requirements. Every step is taken to protect against the loss, misuse, and alteration of the information under our control. If you prefer, please use a check or money order to make any necessary payments.