4 minutes
A guide published in January expands on the October 2019 streamlining of the previous regulation.
The National Credit Union Administration recently updated it rules and guidance to modernize its audit compliance requirements for federally insured credit unions with less than $500 million in assets.
Credit union supervisory committees are a unique corporate governance structure in the United States because they operate independently of the credit union’s board of directors and are responsible for engaging the credit union’s outside auditor or conducting the audit itself.
Audit responsibilities at most American corporations as well as at state-chartered credit unions in some states, however, are typically handled by an “audit committee” that is a subcommittee of the board of directors. The audit committees of these state-chartered credit unions qualify as “supervisory committees” for purposes of the new NCUA audit rules and guidance.
The Federal Credit Union Act requires federally insured credit unions with more than $500 million in assets to obtain an annual independent audit performed in accordance with generally accepted auditing standards, also known as a “financial statement audit.” The act, however, gives NCUA authority to set less stringent audit rules for smaller credit unions, such as an “other supervisory committee audit” performed by the supervisory committee, its internal auditor, or another qualified person such as a certified public accountant.
NCUA’s October 2019 final rule on Supervisory Committee Audits and Verifications replaced the agency’s 367-page Supervisory Committee Guide for Federal Credit Unions issued in 1999 and also granted supervisory committees more time to complete their audits when they use an external audit professional by removing a 120-day time limit. The new regulation’s minimum audit requirements for an “other supervisory committee audit” are as follows:
- reviewing the minutes of the board of directors’ meetings;
- testing and confirming material asset and liabilities accounting including loans, cash on deposit, investments, shares and borrowings;
- testing the credit union’s equity, income and expense accounts;
- testing for unrecorded liabilities;
- reviewing key internal controls, such as bank account reconciliation procedures, cash controls, dormant account controls, electronic payment transfer controls, loan approval and disbursement procedures, control over the accounts of credit union employees or officials, the value of “other real estate owned” by the credit union, and the values of foreclosed and repossessed assets;
- testing the allowance for loan and lease losses; and
- testing loan delinquencies and charge-offs.
NCUA’s 23-page Other Supervisory Committee Audit Minimum Procedures Guide issued in January 2020 provides additional details regarding the agency’s audit procedures expectations for each of the categories listed in the regulation.
The guide’s minimum audit procedures for reviewing the minutes of the credit union’s board of directors, for example, include reviewing the minutes of all board meetings during the year and determining that the board reviewed or approved: (a) the interest rate changes for loans (unless this is delegated to management); (b) the dividend rate for share accounts (unless this is delegated to management); (c) the credit union’s policies on investments, asset/liability management, Bank Secrecy Act compliance and lending; (d) the allowance for loan and lease loss policy; (e) delinquent loan reports; and (f) loan charge-offs.
Similarly, the guide’s audit procedures for testing electronic payment transfers controls include: (a) determining that at least two credit union employees are required to complete a wire transfer; (b) sampling at least five transfers to determine if at least two employees were involved in each of those transfers; (c) determining whether any of the employees who perform wire transfers also have correspondent account reconciliation responsibilities; and (d) determining whether an annual audit of the credit union’s automated clearing house transactions is being performed.
The guide also includes a few minimum audit procedure categories not mentioned in the October 2019 regulation per se, but that test the credit union’s internal controls for information systems and personnel. For information systems, the minimum audit procedures include obtaining a system-generated report of the active users of the credit union’s core banking system and comparing that report to a list of current credit union employees (to make sure that no outsiders are able to access the core banking system) and determining whether the credit union has a written information security program.
Personnel-related minimum audit procedures include sampling the personnel files of at least 10% of the credit union’s staff by reviewing hiring documents, performance reviews and salary authorizations; making sure that these employees are being paid at the pay rate stated in their personnel file; and also checking at least three random payroll journals to determine if there are any individuals being paid wages who are not employees of the credit union.
NCUA’s new supervisory committee audit rules and guidance are more streamlined than the agency’s prior audit rules but still focus on the key areas where potential accounting errors or insider abuse of a credit union are likely to crop up. Financial statement audits of credit unions using generally accepted auditing standards also typically test at least the same accounts and internal controls, meaning that reviewing NCUA’s new supervisory committee audit rules and guidance can be a helpful audit-preparation resource for any federally insured credit union. As audit season begins, reviewing NCUA’s new rules and guidance on supervisory committee audits will help make your credit union’s annual audit a test that you can study for.
Michael S. Edwards is an attorney-at-law with extensive experience representing credit unions, community banks and credit union organizations in the United States and around the world on a wide range of regulatory, compliance and other legal matters. Now with his own law firm based in the Washington, D.C., area, Edwards previously served as SVP/advocacy and general counsel of the World Council of Credit Unions and was senior assistant general counsel in the regulatory advocacy section of the Credit Union National Association.
Apply It to Your Boardroom
1. What are the key changes to the NCUA rule about credit union audits as outlined in this article?
2. What changes do you need to make to your audit procedures in response to the new rule?