
Credit Union Supervisory Committee Training

Credit Union Supervisory Committee Training. Agenda. Session 1: Supervisory Committee and their Relationship with Auditors Session 2: Managing Enterprise and Regulatory Risk Session 3: Fraud Detection and Prevention and Results of Material Loss Reviews

latasha

Presentation Transcript


  1. Credit Union Supervisory Committee Training

  2. Agenda Session 1: Supervisory Committee and their Relationship with Auditors Session 2: Managing Enterprise and Regulatory Risk Session 3: Fraud Detection and Prevention and Results of Material Loss Reviews Session 4: Industry Trends, Financial Statement Basics, and Peer Analysis

  3. Session 1: Supervisory Committee and Their Relationship with Auditors

  4. Supervisory Committee Responsibilities • Current section 715.3 of NCUA’s rules and regulations states that the Supervisory Committee is responsible to determine that: • The financial condition of the credit union is accurately presented • Management practices are sufficient to safeguard assets • Accounting records are prepared promptly • Internal controls are established and effectively maintained • Plans, policies, and control procedures established by the Board of Directors are properly administered • Policies and control procedures to safeguard against error, carelessness, fraud, and self-dealing have been established

  5. NCUA Guidance Regarding Supervisory Oversight of the Internal Audit Function • Utilize the Services of an Internal Auditor where practical • Receive reporting directly of internal audits performed • Follow-up on issues identified in internal audit reporting • Oversee and approve the Internal Auditor’s work plans at least annually

  6. Key Responsibilities Related to Internal Audit

  7. Key Responsibilities – Oversight of Internal Audit • Understand and evaluate risk in the Credit Union • What are the most significant risks? • How are we mitigating those risks? • What role does internal audit play in mitigation? • Focus on high risk areas first • Credit risk • Interest Rate Risk • Operational Risks

  8. Key Responsibilities – Oversight of Internal Audit • Evaluate planned internal audit work based on assessment of risk • Review and discuss internal audit risk assessments for reasonability • Consider planned audits in relation to assessed risk • Interact with the Internal Auditor and Management as needed to understand planned work and timing of testing and reporting

  9. Key Responsibilities – Oversight of Internal Audit • Allocate your time and resources to ensure risk is properly mitigated • Delegate testing and reporting activities to Internal Audit • Communicate regularly with the Internal Auditor • Place reliance on Internal Auditor’s expertise and credentials for detailed testing and reporting

  10. Key Responsibilities – Oversight of Internal Audit • Monitor significant issues and findings for proper follow-up • Review information provided by the internal auditor (reports, summary of findings, tracking) • Discuss findings of significant risk • Evaluate responsiveness of management in correcting findings (through internal auditor’s work and reporting)

  11. Supervisory Committee Role – Establish a Good Understanding of Risk • Discuss Enterprise Risk with management (ongoing): • What are our greatest risks? • How strong are our controls? • Rely on Your Internal Auditor • Request information regarding key risk areas • Evaluate risk levels whenever reviewing reporting • Expect summarization of risk rather than focus on less significant risk issues

  12. Supervisory Committee Role – Establish a Good Understanding of Risk • Obtain Outside Training • Utilize training to focus on better understanding risk in your institution • Always attempt to put advice and best practices in the context of your credit union • Discuss New Risk Issues as They Emerge • Rely on your Credit Union professionals to better understand risk

  13. Supervisory Committee Role – Establish Expectations for the Internal Audit Function • Supervisory Committee Charter • Responsibilities regarding internal audit oversight and appointment of internal auditor • Internal Audit Charter • Internal Auditor’s responsibilities • Management of internal audit plans and functions • Independence

  14. Supervisory Committee Role – Monitor Results of Internal Audits • Review reports for key risk findings • Ask questions regarding key areas of risk and the Credit Union’s exposure to loss or reputational damage • Rely on the internal auditor to summarize risk issues and report on progress of remediation and mitigation efforts

  15. Supervisory Committee Role – Evaluate Management Follow-Up • Utilize a tracking report for all findings, regardless of source • Review progress and promised corrective action dates • Authorize follow-up audits, as needed, to verify corrective action has been implemented • Discuss progress with the internal auditor and gauge the propriety of progress, based on the risk presented

  16. Internal Audit Planning – General • When was the last time you revisited your audit plan? • Fixed versus adaptive scheduling • Seeking management input when developing audit timing and procedures • Taking a cue from the external auditor • Understanding the entity • Risk assessment • Walkthroughs • Testing

  17. Internal Audit Planning – Risk Assessment • How is management monitoring risk? What controls and policies are in place? • Are these monitoring activities and policies effective? • What accepted risks is management taking? • What are the most important control systems? • Are certain areas being overlooked in audits? • Material estimates • Technology • Vendor management

  18. Internal Audit – How to Get Started • Gain an Understanding of the Area to be Audited • Develop an “Audit Universe” to identify major controls that must be audited • Interview key personnel to gain an understanding of those products, services and functions the business unit is responsible for • Decide which controls are important in executing the audit • Is sampling an option?

  19. Developing an “Audit Universe” for Internal Auditing • An audit universe is a list of all auditable entities or functions. • Multiple approaches, which may include: • Process Level – This approach aligns the universe with key processes (examples: loan origination, loan servicing, new account opening, etc.). • Functional Level – This approach is developed by business or responsibility unit (i.e. branch or department). • Product Level – This approach focuses on a specific product (examples might be SBA Lending, certificate of deposit, etc.). • Business Level (Enterprise Risk) – This approach focuses on key risks in the organization and prioritization of internal audits in those key risk areas.

  20. Simple Example – Internal Audit Universe

  21. Key Components of Risk Assessment – A Short Glossary Utilize a basic risk assessment scenario – avoid models that are exceedingly complex, unless your structure warrants this. • Audit Universe – Collection of all business units, functions or activities that should be subject to audit • Inherent Risk – Probability that loss or other undesirable event will occur absent any controls to help mitigate or control risk • Controls – Activities or processes implemented by management which serve to reduce risk to an acceptable level • Mitigated Risk – Probability that loss or other undesirable event will occur taking control processes into consideration

  22. Example Risk Assessment

  23. Example Risk Assessment

  24. Tips for Successful Risk Assessment • Use your judgment to evaluate the final risk assessment product. • Dovetail your internal audit risk assessment to your institution’s Enterprise Risk Management (ERM) assessment, but don’t rely on the ERM to drive your risk assessment. • Be sure to include as complete a universe as possible.

  25. Resource Management and Planning • Should you outsource? • Advantages: • Scheduled audits and deliverable dates • Outside perspective • Improved time management • Added ability to focus on emerging risks/strategies • Disadvantages: • Vendor management • Initial time investment • Cost • You can’t outsource responsibility!

  26. Internal Audit – Adding Value • Vision shift from production to strategy • Recommendations that are business focused • Request involvement and briefings on new infrastructure projects (e.g. core conversion) • Internal rotations for auditors within the department and outside the department • Rotations into the audit department for management trainees

  27. Is a Financial Statement Audit Required? • Yes, if your credit union is federally insured with assets of $500 million or more • If your credit union is federally chartered with assets of more than $10 million but less than $500 million, you have four options: • As stated above. • An opinion audit on the credit union’s balance sheet performed by an independent accountant licensed by the state or jurisdiction in which the audit is conducted. • An examination of internal controls over call reporting conducted by an independent accountant licensed by the state or jurisdiction in which the audit is conducted. • A supervisory committee audit that meets the minimum requirements of this.

  28. Supervisory Committee and the External Auditor • Relationship with the independent auditor • Understanding the CPA firm’s quality control system • Making it clear who the CPA firm is working for • Communication with the CPA firm • At the audit planning stage • At the fieldwork completion stage • When the audit reports have been finalized

  29. Engagement Letters Are Required • Chapter 5 of the SC Guide states that engagement letters must contain the following: • Specify the terms, conditions, and objectives of the engagement. • Identify the basis of accounting to be used (examples: GAAP vs. regulatory accounting practices (RAP)). • Specify the rate of, or total, compensation to be paid for the audit. • Upon completion of the engagement, the auditor will deliver a written audit report to the supervisory committee. • Notice in writing, either within the audit report or a separate report, of any internal control reportable conditions and/or irregularities or illegal acts that come to the auditor’s attention during the normal course of the audit. • Specify a target date of delivery of the written reports.

  30. What is an audit? • The auditor is responsible for performing the audit in accordance with GAAS and the audit is designed to obtain reasonable, rather than absolute, assurance… • What does “reasonable assurance” mean???

  31. What is an audit? • The auditor is responsible for performing the audit in accordance with GAAS and the audit is designed to obtain reasonable, rather than absolute, assurance….about whether the financial statements as a whole are free from material misstatement. • What does “free from material misstatement” mean???

  32. Audit Plan: Where to focus and utilize resources? Risk-based audit approach • Where are the risks? • LOANS • SIGNIFICANT ESTIMATES • ALLL • Impaired loans • OREO • Investments • Internal controls over financial reporting

  33. Audit Plan: Where to focus and utilize resources? You know what to test, but HOW do auditors test? • Internal control reliance • System reliance on 3rd party payroll processor • Testing sample of originated loans to ensure proper approval, underwriting, disbursement, and boarding into the loan sub-ledger • Substantive analytical review procedures • Testing interest expense through developing an independent expectation of cost of funds using peer yields and actual average deposit balances of the CU • Tests of details • Sending confirmations for cash balances to correspondent institutions • Vouching proceeds for sales of OREO properties

  34. Internal Control Considerations in an Audit “Don’t you test our internal controls?” • Yes and no! The auditor is required only to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement.

  35. Internal Control Considerations in an Audit Deficiency in internal control. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. Are all deficiencies of the same severity?

  36. Internal Control Considerations in an Audit • Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. • Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

  37. Internal Control Weakness Indicators • The following are typical situations that may be internal control warning signs: • Complex business arrangements that you can’t understand • Last-minute transactions that result in improvement in financial performance • Change in estimates that are hard to understand • Frequent accounting differences between management and the auditors • Management not receptive or responsive to auditor or regulator findings • Failure to enforce the credit union’s code of conduct

  38. Internal Control Weakness Indicators • Failure by management to display and communicate an appropriate attitude regarding internal control • High turnover of senior management • Rapid changes in the industry • Unusually rapid growth or profitability compared with other credit unions

  39. Supervisory Committee Responsibilities Regarding Internal Controls • Example questions to ask management: • Were any reported conflicts of interest or irregularities or other violations of the code of conduct identified during the year? • Have the independent auditors identified major control deficiencies? • Can we get a tracking report of audit and regulatory findings and status of management’s response? • Is there a specific management-level person designated as responsible for knowing and understanding relevant legal and regulatory requirements?

  40. What about fraud? • Auditing standards require the consideration of fraud during a financial statement audit. • During the planning phase, auditing standards require a discussion among the audit team to determine: • How may fraud occur? • Where in the financial statements is there a risk for fraud? • How could management perpetrate and conceal fraudulent financial reporting? • How could assets of the entity be misappropriated? • Required audit procedures • Brainstorming discussion • Inquiries of management and others within the CU • Unpredictable procedures to test for fraud

  41. The Audit is Complete. Now What? MEET WITH YOUR AUDITORS! • Questions the independent auditors should answer: • What are the significant accounting policies? • Did the credit union select the accounting policies that were most appropriate, given the options? • What are management’s judgments and estimates that affect the financial statements? Any bias noted? • Did you have to post any significant audit adjustments? • Were there any waived adjustments? • Did you have any disagreements with management?

  42. The Audit is Complete. Now What? • More questions the independent auditors should answer: • Did you encounter any difficulties in conducting the audit? • Are there significant risks that management is not addressing? • Were there any significant control findings? • Meet privately with the independent auditor in the absence of management: • Are there any issues the committee should be aware of concerning management?

  43. The Audit is Complete. Now What? • Questions to consider asking the external audit firm: • What did you perform as unpredictable procedures as part of the audit this year? • Are there any potential internal control issues discussed with management that didn’t end up in your written report? • Did you issue a separate comments letter to management that was not provided to the supervisory committee? • Did you rotate any staff on the audit job from the year before? • How do you ensure a fresh look each year? • If you had to mention one thing that could improve the effectiveness of the audit, what would it be?

  44. Final Thoughts When Thinking About Your External Auditor • Keep up to date on changes in your credit union: • New products and services being offered to membership • Credit quality trends within the loan portfolio • Changes in field of membership • Important issues being discussed by Board • Mergers, key personnel changes, new investments • Technology changes • Ask external and internal auditors how they have addressed any resulting new risks from these changes in their audit plans

  45. Session 2: Managing Enterprise and Regulatory Risk

  46. Session Discussion Objectives • An Overview of ERM • ERM & Your Regulators • How Your Institution Can Build an ERM Strategy: Implementation Overview • Phase 1 – Planning • Phase 2 – Implementing the Plan • Phase 3 – Refining • Regulatory Risk Considerations

  47. Questions to Ponder… • In today’s credit union environment what risks would you suggest directors, supervisory committees, audit committees (or even executive management) focus on? • What would you be looking for in Board Report packages today? • Do we understand these issues enough to appropriately report on them in each of our institutions today?

  48. What is “Enterprise Risk Management”? “Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, (Sept. 2004)

  49. What is ERM? • A structured, consistent, and continuous risk management process that is applied across the entire organization • Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization • Driven by a decision-support process that is aligned with the management and execution of strategic objectives • Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture • [Diagram labels: Measure, Monitor & Report; Identify & Assess; Business Objectives; Planning & Management]

  50. Enterprise Risk Management – “What might get in the way of my duty to deliver value to stakeholders?” • Risk – The potential that events, expected or unanticipated, may have an adverse impact on capital or earnings. • Risk Management – The employment of systems and processes to manage the critical tradeoff between risk and return in financial decision-making. • Enterprise-Wide Risk Management – The formal mechanism or structure for managing risks across the entire institution on an integrated basis.
