Audit Report Volume 23 Issue 4

The Magazine of the Association of Credit Union Internal Auditors, Inc.

Volume 23, Issue 4, 2014

ACUIA Audit Report Magazine (c) 2014 ACUIA - All Rights Reserved

HOUSE RULES

A new proposal from CFPB will expose more details about your mortgage process

SOME THOUGHTS ON LEVERAGING YOUR AUDIT RESOURCES

A NEW FOCUS ON REMOTE DEPOSIT CAPTURE

THE STANDARDS: AUDIT SAMPLING


As Unique as Your Institution

CREDIT UNION SERVICES

ocmcpa.com

As every credit union is unique, so too are their needs. Orth, Chakler, Murnane and Company, CPAs (OCM) was founded with the objective of providing independent, professional audit and consulting services to credit unions of all size and complexity.

Our approach to each audit and consulting engagement is to meet and exceed our client’s expectations. To accomplish this, our firm’s Partners, Managers and Supervisors work on site to provide our clients with access to our most experienced professionals. In addition, our professional staff are very familiar with credit union operations, internal control issues, regulatory and accounting requirements, and more. In other words, credit union personnel will not have to train our auditors.

To learn more, please call our Managing Partner, Doug Orth at 888.676.3447.

Orth, Chakler, Murnane and Company, CPAs, A Professional Association

Working exclusively with Credit Unions

MIAMI | DALLAS | CHARLOTTE

· Opinion Audits

· Supervisory Committee Audits

· Pension/401(k) Audits

· Consulting Services:

  · Internal Audit Assistance

  · Information Technology Reviews

  · ATM/ACH Audits

  · BSA/OFAC Compliance Reviews

  · Tax Services: CUSOs, 990, 990-T

  · Supervisory Committee and Board Training

Rocky growth. Compliance cliffs. Steep risks.

You don’t have to make the ascent toward your financial institution’s goals alone.

At Doeren Mayhew, our highly specialized Financial Institutions Group has helped more than 200 institutions like yours find opportunities to drive growth – from climbing toward enterprise risk management, to overcoming steep compliance challenges, to harnessing technology to stay relevant on new delivery systems.

Simply put, we know the ropes. So whether your vision is to achieve new heights, or you need a rescue mission, you can always work in tandem with us. Call 248.244.3159 to start the climb.

Insight. Oversight. Foresight.sm

248.244.3159 | doeren.com

Go higher.

FEATURES

8 Open House
The CFPB has issued a proposal for significant new disclosure requirements under the HMDA.
John Zasada and Zachary Pearlstein

12 How am I Going to Get All These Audits Done? Some Thoughts on Leveraging
Learn the five areas to consider that will allow you to maximize your audit resources.
Doug Wright

16 All About “It”
“It” is known by many names – Merchant Capture, Corporate Capture, Image deposit – but whatever you call “It” check out this article to learn how to establish a good audit plan for RDC.
Sam Capuano

The Magazine of the Association of Credit Union Internal Auditors, Inc.

{contents}

Volume 23, Issue 4, 2014

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick

Designer: Victoria Valentine

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases.

Permission requests to reproduce written material should be sent to: ACUIA, 1727 King Street Suite 300, Alexandria, VA 22314, (703) 688-2284 © Copyright 2014, ACUIA. All rights reserved.

DEPARTMENTS

4 From the Editor: Bad News or Worse News? by Tabitha Ernst-Chadwick

6 Chairwoman’s Message: Gratitude by Dana McCranie

20 The Standards: Audit Sampling by Pat Richey

24 Information Security: Change Management by Tom Schauer

26 Member Spotlight: Tammy Farmer

28 Regional News

30 Region Directors and Chapter Coordinators

4 www.acuia.org | The Audit Report

BAD NEWS OR WORSE NEWS?

Tabitha Ernst-Chadwick, CIA, CFE, LRP, CBSAO, CUCE, NCCO, CISA

{from the editor}

The other day I hit a co-worker’s car. Because you will likely dismiss them as silly excuses and because they aren’t really relevant to this story anyway, I will spare you my slew of rationalizations and explanation of events that led to what I’ve dubbed the incident. Bottom line – car crash, another VP at work, in the parking lot, my fault. This of course was not how I wanted my day to begin. Yet in total defiance to my own plans, begin this way it did.

Man did I dread that phone call. I actually contemplated whether or not I could somehow get my co-worker’s car to the body shop, have the scratch buffed out, and back into his parking space without his knowledge. Alas as I have no experience with grand theft auto (not even the video game!), I had to make the call.

The tone in his voice when he answered the phone told me that he already knew about the incident. He was not happy to see my name on his caller ID. I launched into my spiel anyway (which included all of the rationalizations and explanation of events from which you have been spared) and ended with profuse apologies. You know what I heard in his voice after that? Relief.

Now I have a pretty good relationship with management, a great one in fact. I know very few internal audit colleagues that share the total cooperative atmosphere that I enjoy every day. So I was more than a bit baffled at this exchange. The man was actually happy that I called him to say I crashed into his car because that meant I was not calling about an audit. Whoa.

Well this exchange got me thinking. Have I overestimated the value of our management relationship? Or is audit just so daunting that even in a cooperative atmosphere our clients prefer a fender bender to an audit? And if it’s the latter, is there a fix to that problem?

Unfortunately my column is too short to answer all of audit’s philosophical questions. But I know that a new line item on my 2015 Audit To Do list is going to be looking beyond the audit-client relationship to enhancing the audit experience. And I’m updating my audit surveys with a new line item: Which is preferable? A fender bender or an audit?

Happy New Year everyone!

2014 BOARD OF DIRECTORS

Chair: Dana McCranie, CBA, CUCE, Empower FCU, (315) 477-2200 x [email protected], Term: 2013-2015

Vice Chair: John Gallagher, SEFCU, (518) [email protected], Term: 2014-2016

Treasurer: Linda Goff, CUCE, Enrichment FCU, (865) 482-0045, [email protected], Term: 2013-2015

Secretary: Nathan Cunningham, CPA, CRMA, CGMA, Mountain America CU, (801) [email protected], Term: 2012-2014

Director: Amy Schaefer, CIA, Royal CU, (715) [email protected], Term: 2012-2014

Director: Kara Giano, CIA, CIDA, CRMA, Golden 1, [email protected], Term: 2014-2016

Associate Director: Doug Wright, CPA, CFE, CUCE, Baxter CU, (847) [email protected]

Associate Director: Kimberly Wiersema, CIA, [email protected]

ACUIA EXECUTIVE OFFICE

ACUIA Executive Office, 1727 King Street, Suite 300, Alexandria, VA 22314, (703) [email protected]

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”


GRATITUDE

Dana McCranie

{chairwoman’s message}

As we come to the close of 2014, it is time for reflection of the past year, hope for 2015 and beyond, and acknowledgement of those things that we typically take for granted. Thanksgiving is now just a memory, but the feeling of gratitude has lingered, and promises to carry us through the celebrations of the next month. I, for one, have too many blessings to list individually; however, one of the most treasured is that of family and friends. I am truly lucky to consider the ACUIA as part of my family.

2014 was another successful year for the Association. The annual conference and one-day seminar in Baltimore was a big success thanks to the hard work of the Conference Committee. Regional Directors organized meetings around the country, offering members more educational and networking opportunities. In addition, a number of webinars were available throughout the year covering a variety of topics.

To reiterate what I’ve previously mentioned in these articles, there are numerous people working behind the scenes at the ACUIA, for which I am extremely grateful: the Executive Office; fellow Board members; Associate Board members; Regional Directors and Chapter Coordinators; various Committees and The Audit Report editor and contributors. Thank you for everything that you do – it is your dedication that makes the ACUIA a success!

With the dawn of 2015, I will hand over the reins for the ACUIA Chair to John Gallagher. I am honored by the support that I have been shown by my fellow Board members and the membership at large. My gratitude does not seem to be sufficient, but it is heartfelt. I will close out my tenure as a Board member next year, but I hope to continue to serve the Association in some capacity. It has been a pleasure to serve the membership and be a part of an organization such as ACUIA.

WE NEED YOU!

The Audit Report needs contributors for upcoming issues. It’s a great way to promote your organization and help out our membership.

Please email Tabitha Ernst-Chadwick at [email protected] to learn more.

Credit Union security doesn’t stop at the vault.

SCA offers a full range of technology, compliance and training services that ensure your institution is safeguarded from potential risks, guaranteeing you compliance and satisfaction.

Securing Your Success

www.scasecurity.com

877-993-4472

Technology Services

· Internal and External Vulnerability Assessments

· Penetration Testing

· Physical Security

· Social Engineering

· Web Application Assessments

· On-line Banking & Mobile Banking Assessments

· Cybersecurity Framework

Compliance Services

· Information Security Policy and Procedures

· Awareness Training

· Disaster Recovery / Business Continuity

· Incident Response Programs

· Vendor Due-Diligence

· Web Site Compliance

· Risk Assessment Services

· PCI Gap Analysis


OPEN HOUSE

The CFPB has issued a proposal for significant new disclosure requirements under the HMDA

John Zasada, Principal, CliftonLarsonAllen
Zachary Pearlstein, Regulatory Compliance Consultant, CliftonLarsonAllen

On February 7, 2014, the Consumer Financial Protection Bureau (CFPB) proposed a series of changes to improve the Home Mortgage Disclosure Act (HMDA). Enacted in 1975, HMDA requires financial institutions to disclose certain data and statistics regarding the loans that they provide to borrowers. Although the original goal of HMDA was to ensure that financial institutions were providing access to credit and serving the needs of the public, over time the regulation became more focused on discovering and preventing patterns of lending that would discriminate against certain groups of borrowers.

As a result of the recent mortgage crisis, the Dodd-Frank Wall Street Reform and Consumer Protection Act assigned HMDA rulemaking authority to the CFPB. While HMDA currently requires financial institutions to report information such as property location, loan purpose, and the race, ethnicity, and gender of borrowers, the Dodd-Frank Act requires the CFPB to expand HMDA reporting to collect additional data, such as total points and fees, and the difference between the APR and a benchmark rate, along with any other data the CFPB determines to be necessary. Through these changes, the CFPB is seeking more comprehensive borrower/applicant information, which it believes will allow regulators to more effectively monitor and improve the mortgage market.

In addition to these required changes, the Dodd-Frank Act allows the CFPB the discretion to require the reporting of other relevant data points as well. The CFPB is proposing exercising this discretion by requiring the reporting of several additional pieces of information not explicitly required by the Dodd-Frank Act.

Rather than providing these changes outright, the CFPB announced that it will organize a Small Business Review Panel to give feedback on the most effective ways to improve HMDA reporting, with comments accepted through October 29, 2014. In addition, the CFPB will be seeking similar feedback from industry and consumer groups that may be impacted by changes to HMDA regulations.

Major Changes

The proposal would expand the types of transactions subject to HMDA, although unsecured home improvement loans would no longer need to be reported. Under the current rule, you must report home purchase, home improvement, and refinancings. Currently, home-equity lines of credit (HELOCs) are optional. The proposal would generally require financial institutions to report all closed-end mortgage loans, HELOCs, and reverse mortgages secured by dwellings. Loans on unimproved land and temporary financing would continue to be excluded from HMDA reporting.

The CFPB is seeking feedback on a variety of new HMDA reporting requirements, which have been mandated by the Dodd-Frank Act. Financial institutions will be obligated to capture and report certain data that was not previously required.

For example, HMDA will require financial institutions to disclose the total points and fees, and rate spreads for all loans. This requirement will ostensibly help regulators get a better sense of how much borrowers are actually paying for their loans, as well as understand risk factors and pricing outcomes for borrowers.

HMDA will also require the reporting of certain loan features that may be risky to borrowers. These include teaser rates, prepayment penalties, and non-amortizing features. The CFPB believes including this data in HMDA will help regulators monitor any detrimental effects that result from these features.

Further, HMDA will require financial institutions to report information that will help regulators keep track of the personnel involved in each transaction. They will be required to report the unique identifier for the loan originator (and a unique identifier for each loan itself), and additionally report if a mortgage broker was involved in the transaction.

Another new requirement will be the reporting of property values. Because of the critical role that property values play in the decision to lend, regulators will use this information to examine certain acceptance and denial decisions, and have more data about local markets.

Financial institutions will also be required to report borrower age. This requirement will principally help identify and prevent unfair lending practices aimed at the elderly, to whom dishonest lenders may offer unfavorable loans.

Lastly, borrower credit scores will also be tracked. This information is to be used to help explain certain rate disparities, as well as denial decisions.

Additional Data Points under Consideration

While the CFPB is required to add certain information to the HMDA reporting requirements, the Dodd-Frank Act allows the CFPB the discretion to require the reporting of other relevant data points as well. Although these additional points have yet to be determined, the CFPB is asking for comments from the Small Business Review Panel on a variety of possibilities.

One possible addition to HMDA is the reporting of the reason for denial in all denied loans. Although certain lenders are currently required to provide this information, it is still optional for most institutions. The CFPB would like to make this requirement universally applicable in order to help ensure that similarly situated applicants are treated in a consistent manner.

The CFPB is also proposing to add debt-to-income (DTI) ratios to HMDA data. Under current regulations, financial institutions must assess a borrower’s DTI when underwriting a loan and determining the borrower’s ability to repay, and a high DTI is a common reason for denial. The CFPB believes that requiring DTI reporting would help regulators gain a better understanding of denial trends.

Another possible requirement is the disclosure of whether or not a lender determined that a loan was a “Qualified Mortgage,” which would have complied with the CFPB’s Ability-to-Repay rule. The basic features of a Qualified Mortgage are that the total points and fees charged to the borrower are less than or equal to 3% of the loan amount (for loan amounts less than $100k, higher percentage thresholds are allowed), there are no risky features such as negative amortization, interest-only, or balloon payments, and that the maximum loan term is less than or equal to 30 years. As this is a recent regulation, effective as of January 10, 2014, reporting Qualified Mortgage status would help regulators determine the effectiveness of the new Qualified Mortgage rule.

While the Dodd-Frank Act modified HMDA to mandate the reporting of each borrower’s loan-to-value (LTV) ratio, the CFPB is considering whether to further require the reporting of combined loan-to-value (CLTV) ratios. These ratios are important in a lender’s decision to offer a loan, as they disclose more broadly the combined unpaid principal balance of multiple loans that the borrower holds, against the value of the property.

The results of automatic underwriting systems (AUS), which make loan decisions based on algorithms, are also a consideration for HMDA reporting. Tracking the use and results of such systems could help detect errors, and could also determine how they affect loan decisions as compared to manual underwriting.

As previously mentioned, the Dodd-Frank Act mandates that the total points and fees, as well as rate spreads, will become required HMDA data. However, the CFPB is also considering requiring the reporting of more detailed pricing information, in an effort to identify discriminatory lending patterns and reduce “false positives” when making comparisons. The CFPB is considering a requirement that lenders disclose their total origination charges, as will be calculated on the Closing Disclosure, which would include certain charges that would not be included in the total points and fees, such as bona fide discount points.

The CFPB is also considering a requirement for lenders to disclose each borrower’s pre-discounted interest rate. Regulators would use the information to compare the base rate and discount points paid against the final risk-adjusted rate that the borrower actually receives.

Affordable housing programs are another area that is under consideration. For multiple unit dwellings, the CFPB believes that it might be useful to require a disclosure of whether or not the property is deed restricted for affordable housing. Regulators could then examine disparities in access to credit among different communities, which could in turn help direct public resources.

Finally, the CFPB is considering requiring lenders to report more detailed information regarding loans for manufactured housing. Currently, lenders are required to disclose whether a loan is for a manufactured home. The CFPB believes that additional data, such as the type of financing, and whether the borrower will own or lease the land, will help identify the sources of disparities in denial rates, and will help regulators learn more in general about financing for manufactured housing.

Better Collection

The CFPB is reviewing current HMDA reporting requirements, and looking for ways to make it easier for lenders to record and report their data.

The CFPB is looking to standardize and streamline reporting. As many lenders are already collecting similar information in similar ways, the CFPB is seeking to create HMDA reporting requirements that closely resemble the standards used by the majority of the mortgage market. The CFPB believes that this would improve both consistency and the quality of the information reported.

Under current regulations, banks and credit unions that meet various criteria must submit HMDA data annually, regardless of how many loans they close. However, nonbank mortgage lenders are only required to report their data if they close one hundred or more loans, among other requirements. Because of this discrepancy, the CFPB is considering a new standard that would require all financial institutions to report HMDA data if they close twenty-five or more loans in a given year.

Finally, the CFPB is looking into developing online HMDA data entry software. By providing a simple and accessible uniform system of data collection, the CFPB is seeking to provide financial institutions with a more convenient and streamlined way of reporting their data.

Financial institutions had until October 29, 2014 to submit information to the CFPB. The proposal does not set forth when any final rule will become effective, but many commentators are guessing at a January 2016 effective date.

About the Author

John Zasada leads the financial institution regulatory compliance practice of CliftonLarsonAllen. John assists financial institutions nationwide in establishing regulatory compliance programs, conducting compliance testing, training staff on regulations, and performing website compliance assessments. John also writes and edits the compliance newsletter and conducts compliance webinars. John is a frequent speaker at financial institutions’ industry conferences and state associations.

Prior to joining CliftonLarsonAllen, John was managing director at RSM McGladrey. He led a national financial institution compliance practice, developed work programs, managed engagements, and consulted directly with clients. Prior to working at McGladrey, John was employed as the compliance officer of a large financial institution where he developed and implemented their first regulatory compliance program.

Page 12: Audit Report Volume 23 Issue 4

Some Thoughts on

Nothing tends to stay the same as our credit unions change: new services or products are introduced, new systems are implemented, and new third party vendors are contract-ed. We have many new regulations that must be dealt with (have you ex-perienced the pleasure of doing an Ability to Repay/Qualified Mortgage audit yet?). We also face new emerg-ing risks such as cyber security, in-terest rate risk, and student loans just to name a few hot topics identified in the NCUA’s examination focus Let-

By Doug Wright

12 www.acuia.org | The Audit Report

LEVERAGING

HOW AM I GOING TO GET ALL OF THESE AUDITS

DONE?

ter to Credit Unions. And don’t forget those examiners who expect us to risk assess and have a policy for ev-erything the credit union does. How are we going to cover all of this in our Audit Plans?

Unfortunately, it is not realistic to expect that we can go hire more staff. Using my Credit Union as an example, we grew our membership over 10% last year, and we are push-ing for 8.5% growth this year, but our total audit staff has stayed the same over this time. So as our credit unions

During my audit planning process, I typically identify a lot of audit areas where there are valid reasons to conduct a review, mostly due to the extent of change at my credit union. However, internal audit resources just don’t exist to perform all of the audits targeted. I suspect a lot of you find yourself in the same situation.

Page 13: Audit Report Volume 23 Issue 4

Some Thoughts on

grow and change, how do we cope with this audit resource dilemma?

Here are some thoughts on how to leverage the resources you have to provide more audit coverage for your credit union.

First, calibrate what you need to audit: I know you have heard this a million times, but the starting point is to do a thorough risk assessment of your credit union to identify the highest risk areas. As this is old news to most of you, I don't want to go into the details of how to do a risk assessment. The point is to have a process to quantify risk in some manner in order to allocate your available audit time to the areas that pose the greatest risk to your organization. The process I use includes multiple inputs: a risk template, correlation with ERM risk assessments, conversations with management (they actually will tell you what they think should be audited if you ask them), the credit union's strategic plan (a lot of good stuff in these plans!) and "good old" auditor judgment.

Another thing to consider when preparing your audit plan is other audit coverage. For example, if your external auditor reviews the Allowance for Loan Losses every year, do you need to audit this area every year as well? In addition, many credit unions have a loan quality assurance group that you might be able to leverage. You might consider reviewing the scope of the quality group's review process, and retesting a small number of their reviews instead of testing a larger sample of loan files yourself.

A third area to consider is to look at the audits you do annually, and cycle the ones that don't pose as high of a risk, have had good past audit results, and/or have had no significant changes to policy, process, or personnel. Once the risk assessment is completed, you should be able to create and justify your Audit Plan of the highest risk areas to review.

Once you have selected the areas to include in the Audit Plan, the final part of "whittling down" the audit work to be performed (and I know everyone has heard this before as well) is to do a specific risk analysis of the process you are reviewing. Divide the audit into sub-processes, and for each area think about what can go wrong and assign a risk rating to it. The extent of review procedures can then be adjusted based on your risk assessment of each area. For example, a high risk sub-process may involve more significant testing to ensure controls are functioning effectively, a medium rated risk may involve limited testing, and you may not do any testing for low risk areas. Another approach is to do a limited scope audit that focuses only on a few key controls. Either of these methods will ensure that you are allocating your time appropriately to the areas that pose the greatest risk to your credit union.

So you have done your annual risk assessment, cycled some audits, and done specific risk assessments to narrow the scope of the audit procedures, AND YOU STILL DON'T HAVE ENOUGH RESOURCES! Now what? Here are some additional ideas to consider.

Get Some Help: Look at the possibility of outsourcing some of your audit plan, or hire a contract auditor to supplement your resources. I know this costs money that you might not have in your budget, but if your risk assessment objectively determines that there are more audits to perform than there are internal resources available, then discussing the possibility of outsourcing some of the work is a prudent conversation to have with your Supervisory Committee and Management Team. In the end, if they decide to accept the risk of not fulfilling the audit plan, be prepared to recommend to them which audits you will want to drop, and the associated risks that will not be covered (hint: get them to squirm a little to see if they will free up some money!).

The two basic approaches to getting help involve completely outsourcing an entire audit to an external firm, or just hiring someone and supervising the work yourself. The outsourcing option usually entails providing an external firm with an Agreed Upon Procedures Engagement Memo to establish the scope of the review, and the external firm drives the process for the entire audit. They will be responsible for creating the work program, staffing, supervision, and writing the final audit report. While this approach will require minimal involvement from the Internal Auditor, in my experience this process typically gets more pricey on a per hour basis.

The second, co-sourcing, option involves obtaining experienced auditors on an hourly basis. You will need to plan their work, train them on internal systems or procedures, supervise them, and review their work. As I am writing this article, I have a contract auditor sitting outside my office who has been able to review a lot of loan files. In hindsight, his efficiency should be no surprise, as he does not go to a lot of meetings, have to review and answer hundreds of emails each day, or get calls from other credit union staff with their endless questions (all right, I am venting a little about my credit union's culture!). But the point is that I think the hourly rate I have been paying is well worth the productivity he has been able to provide!

At the risk of sounding like an "infomercial," many of the firms that are the ACUIA's Vendor Partners will work with you to provide the supplemental resources you need. The trick is to hit them up during the summer when they have staff unassigned (I used to work in public accounting, and remember some of the "fun" busy work I was given during the slow summer months). If you wait until the end of the year when they get into their busy season, either staff will not be available, or the cost of hiring them will go up significantly.

Get Some Internal Help: Another approach that my credit union uses is to enlist the help of staff from other departments in what we call our Guest Auditor Program. We sell the Program by offering non-audit staff the opportunity to learn about auditing and to see how other areas of the credit union function. Sometimes, you can also tie the audit experience gained into the other employee's development plan. The guest auditor approach typically works best for routine, "checklist" types of audits such as your branch reviews. (You don't have to provide a lot of training to count cash and negotiable items!) As I work for a SEG based credit union that has branches in 11 states and Puerto Rico, I have some interesting travel destinations to entice staff from other departments to volunteer to go do a branch audit. We typically pair an internal auditor with a guest auditor for each branch. The internal auditor provides minimal training to the guest auditor, they perform the pre-work together, and then travel to the branch to complete the audit. The process works very well, as we get a significant amount of assistance from guest auditors for the overall Audit Plan.

If you want to try this approach, here are some tips for making a guest auditor program successful. 1) Try to avoid complex process audits, as the training needs will outweigh the benefit of any audit time gained; 2) if the audits involve travel, include the cost for the guest auditors in your budget, as the other department won't want to pay for an audit; 3) while the guest auditors are usually "gung-ho" about volunteering to do an audit, make sure you get the consent of their managers, as you don't want to create any coverage issues in the other department; and 4) make sure you provide adequate supervision for the guest auditors so that they do not go off on tangents.

Delegate audit responsibility: Another approach to consider is to have someone else provide the audit coverage. There are some areas of operations that should be audited, but it might make sense to have another department assume the responsibility to audit those areas. For example, if your credit union has a separate Compliance Department, are they doing compliance audits, or are you doing these reviews?

In addition, every credit union audits their branches, but do all of the audits have to be done by Internal Audit? My credit union has a number of Regional Directors, each of whom oversees several branches. The Regional Directors are required to conduct and document a surprise audit of all of their assigned branches at least once annually. When the Internal Audit team conducts our branch audits, we review this documentation to make sure the Regional Director audits were completed.

Another opportunity to delegate audit responsibility would be oversight of your vendors. For example, if your credit union uses outside collection agencies, someone should audit them, but wouldn't it make sense for the Collections Department to monitor their own vendors? My credit union uses several outside collection agencies, and we worked with the Collections Manager to create a work program specifically designed for third party agencies that focuses on compliance with the Fair Debt Collection Practices Act. We conducted the first audit with the Collections Manager as our "guest auditor" to train him, and then turned third party collection agency audit responsibility over to the Collections Department. If you use outside agencies, this approach might be something you would want to consider for your credit union.

While the above examples would appear to have an issue with lack of independence, I don't think there is any harm in having someone review a function for which he/she is accountable. These management reviews do not necessarily remove the need for Internal Audit to perform its own periodic audits of compliance, branches, or vendors; however, they can provide additional "audit" coverage and help stretch internal audit resources.

Technology can be your friend: Another way to leverage your resources is to use technology. There are a number of data analysis tools on the market that can be used in a variety of ways to support your audits. I am fortunate that my credit union utilizes a data warehouse that contains extracts from all core processing systems. We can run queries against this database to define audit populations, create samples, look for deviations or exceptions, or perform regression testing on management reports. This ability not only makes much more efficient use of our time, we can cover a lot more ground than by using traditional audit sampling techniques alone. There are several good data analysis tools on the market that can be used in a similar fashion. In addition, many core systems contain decent reporting tools that can also be used to query the data. If you don't already use data analytics in your audit process, you may want to consider investing in a tool and being trained on how to use it to realize audit efficiencies down the road.

Another use of technology to consider would be to utilize a good audit software package to streamline some of your audit administrative and reporting tasks. These systems can provide a high degree of automation for tasks such as maintaining audit work programs, scheduling audits, keeping audit budgets, writing audit reports and tracking comment remediation. Several audit software vendors attended the 2014 Annual ACUIA Conference, so hopefully you were able to talk to some of them about the benefits of using their applications.

In summary, we will always have more on our plate to audit than we have the resources to cover. Accordingly, we will need to look for ways of not only being risk-focused, but also being creative to provide additional audit coverage for our credit unions. Hopefully, this article has provided you with some ideas that you can implement to stretch your limited resources.

About the Author

Doug Wright, CPA, CFE and CUCE, started his career in public accounting, and has worked extensively as an internal auditor in the insurance and banking sectors. Doug has worked at Baxter Credit Union in Vernon Hills, IL since 2003, where he is currently the Vice President of Audit and Compliance. Doug also currently serves as an Associate Board Director for the ACUIA.

ALL ABOUT "IT"

IT'S been called many things: Merchant Capture, Corporate Capture, Image Deposit.... IT'S also been deemed by the examiners as an area on which credit unions should place an increased focus. "IT" is Remote Deposit Capture, or RDC.

By Sam Capuano

While the process itself (members transmitting items electronically and remotely for deposit purposes) seems simple from a macro perspective, the corresponding risks are many. Which is why the NCUA has addressed it in each of the past two years in their annual "Supervisory Focus" Letters to Credit Unions.

In 13-CU-01 they met the issue head on, saying:

Credit unions are adopting new technology to meet evolving member service needs and to leverage automation for increased efficiencies. Remote deposit capture, online banking, mobile banking, and social media are just a few examples of new technologies credit unions are increasingly employing to serve members. If your credit union adopts such new technologies, you need to implement controls commensurate with the risks involved, in particular ensuring the security and stability of these service delivery channels.

In 2014's Focus, NCUA discussed cybersecurity threats, warning of the exposures to credit unions adopting "new technology to meet member service needs."

And that, meeting such member service needs, is why RDC is being offered by more and more credit unions. However, the NCUA, as they typically seem to do when new products are offered throughout the industry (such as Member Business Loans a dozen years ago, and Private Student Loans in 2014), worry that as more and more credit unions offer the service, they will jump into such products without proper due diligence. Hence, the increased focus.

The FFIEC perhaps states it best in their IT Examination Handbook, saying, "Although remote deposit taking is not a new activity, RDC should be viewed as a new delivery system and not simply as a new service."

A look at the ACUIA Forum over the past year or so shows quite a few postings pertaining to RDC, so it certainly appears as though this has become not only an area which your credit unions are getting into, but also one in which many of us are looking for guidance as to how to best audit this increasingly hot topic.

First up then would be to take a look at how senior management and the Board of Directors reviewed the risks prior to implementing this new delivery system. The NCUA examiners start by looking for the existence of a formal strategic plan for RDC implementation. While this plan should preferably be in writing, if it is not, have discussions with the key players to determine the plan. Ask them how they determined that RDC was something that made sense for the credit union's style of business.

Then take a look at the most recent RDC Risk Assessment. There are several risks which need to be considered, including legal, compliance, operational, and reputational.

While these risks are perhaps self-evident, look for sufficient documentation of each. Also ensure the assessments are specific to how RDC is set up at your credit union, and are not (as is sometimes seen) a generic review, or one which was just borrowed from another institution.

When evaluating these risk assessments, the NCUA will look for product scope, type of member, payment process, anticipated volume, member role/responsibility, member ability to download/retain non-public information, credit union-approved vendors and equipment, and systems in place.

And, as with any risk assessment, take a look at when it was last reviewed. Have there been any changes (technology, field of membership, etc.) which would necessitate a revision in the assessment? Regardless, the assessment should be reviewed at least annually. Finally, ensure the risk assessment has received input from all applicable areas in the credit union, such as deposit operations (obviously), but also consumer compliance, BSA/AML, GLBA, and internal audit.

That's right, this includes the fine folks in internal audit. Too often it seems that internal audit's opinions are not included in the planning and/or implementation process of such critical services as RDC. Even if the Chief Audit Executive is not on the Executive Management Team, he/she should still have a presence when any new products and services are introduced.

Lack of proper risk assessments for the RDC process was a common response when I was asking around about issues identified in RDC audits. These ranged from assessments which were weak, to some places in which there are no assessments at all.

Next up is to assess the internal controls in place. This includes a review of the policies and procedures. The examination procedures of both the FFIEC and NCUA have their folks looking for written policies, while the NCUA will also be looking for them to be reviewed by the Board.

This should include a review of due diligence procedures for new and existing retail members, and third-party processing members. Apply your vendor management audit steps here.

This due diligence review should ensure that everything your credit union performed during the process is extremely well-documented. Further, the system in place to review and rate potential candidates for the RDC delivery system should be part of written procedures, and include CIP as well (this might be able to be accomplished by taking a look at the BSA/AML manual). Finally, procedures for ongoing monitoring of members should similarly be in place, and be documented.

Items to be reviewed for potential new members could include an application, financial analysis, loan/deposit history, credit score, etc.

Any contracts and agreements used in the function will need to be reviewed. Both the FFIEC and NCUA underscore the importance of this in their respective examination procedures. Such a review should first ensure that legal counsel was part of the process in putting any such documents together.

There are several good sources out there (such as the examination procedures noted in the above paragraph) for a checklist of what you may want to look at during your review of contracts and agreements.

Which brings us to an item that was invariably cited by those I spoke to when researching this article, and that is the area of training. Include in your audit program a step to ensure proper training of the members on the security and controls they are expected to implement. Training can include making sure the workstation where RDC is being used is protected, that there is proper segregation of duties, and that the original checks are properly retained and then destroyed.

The training program should be written and documented, and it should include incident response procedures. Also verify there has been proper training of credit union employees, so they are able to meet the needs of the members in this area.

During your review of transactions, make sure to take a look at how "real time" RDC transactions really are. For instance, would the system in place at your credit union allow someone to remotely deposit an item and then negotiate the same item over the counter? While such an issue is not new (the bad guys have been trying such shenanigans for as long as checks have been around), having RDC provides yet another means for such activity.
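One way to turn the question above into an audit test, as an added example that is not code from the article or from any credit union's RDC or core system: pull the presented items from both channels for the review period and look for the same physical check presented more than once. The example assumes each item record carries the routing number, account number and check serial number read from the MICR line plus the channel it came through (field names are assumed), and it goes slightly beyond the RDC-then-teller case by also catching the same image submitted twice through RDC. The transactions in the block are constructed.

```python
"""Cross-channel duplicate presentment check for an RDC transaction review.

Added example, not code from the article or from any credit union's RDC or
core system.  It assumes each presented item carries the routing number,
account number and check serial number read from the MICR line, plus the
channel it came through; the field names and the transactions below are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime


def item_key(rec):
    """The MICR fields that identify one physical check, whatever the channel."""
    return (rec["routing"], rec["account"], rec["check_no"])


def duplicate_presentments(items):
    """Group presentments by check and report every later presentment of a check
    that was already presented once.  Works across channels (RDC then teller)
    and within a channel (the same image submitted twice).  Findings are sorted
    by the time gap, shortest first, because a short gap is the clearest sign
    that the RDC posting was not visible to the teller system in time."""
    by_key = defaultdict(list)
    for rec in items:
        by_key[item_key(rec)].append(rec)
    findings = []
    for key, recs in by_key.items():
        if len(recs) < 2:
            continue
        recs = sorted(recs, key=lambda r: r["ts"])
        first = recs[0]
        for later in recs[1:]:
            findings.append({
                "check": key,
                "member": first["member"],
                "channels": (first["channel"], later["channel"]),
                "hours_between": (later["ts"] - first["ts"]).total_seconds() / 3600,
                "amount_match": first["amount"] == later["amount"],
            })
    return sorted(findings, key=lambda f: f["hours_between"])


# Constructed sample: two days of item activity from the RDC and teller channels.
ITEMS = [
    {"channel": "rdc", "member": 1001, "routing": "123456789", "account": "4455",
     "check_no": 1042, "amount": 250.00, "ts": datetime(2014, 10, 6, 9, 12)},
    {"channel": "teller", "member": 1001, "routing": "123456789", "account": "4455",
     "check_no": 1042, "amount": 250.00, "ts": datetime(2014, 10, 6, 14, 40)},  # same check cashed at the counter
    {"channel": "rdc", "member": 1002, "routing": "123456789", "account": "9010",
     "check_no": 88, "amount": 1200.00, "ts": datetime(2014, 10, 6, 11, 5)},
    {"channel": "rdc", "member": 1003, "routing": "987654321", "account": "7777",
     "check_no": 301, "amount": 75.00, "ts": datetime(2014, 10, 7, 8, 0)},
    {"channel": "rdc", "member": 1003, "routing": "987654321", "account": "7777",
     "check_no": 301, "amount": 75.00, "ts": datetime(2014, 10, 8, 8, 0)},  # same image submitted again
    {"channel": "teller", "member": 1004, "routing": "987654321", "account": "1212",
     "check_no": 17, "amount": 40.00, "ts": datetime(2014, 10, 8, 10, 30)},
]


def run_check():
    """Run the duplicate test over the constructed sample."""
    return duplicate_presentments(ITEMS)


if __name__ == "__main__":
    for f in run_check():
        print(f)
```

Each finding should then be traced to the member's account history: whether the second presentment posted, whether it was later charged back, and whether the RDC agreement's duplicate-deposit language was invoked. A short gap between the two presentments is the case to pursue with IT, because it shows the window during which the RDC deposit was not yet visible to the teller platform.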

Last up is the area of fraud. An ACUIA forum posting from earlier this year asked if there had been any RDC-related fraud, and none of the respondents had seen any to a material degree. This will likely change as more financial institutions implement the service. As such, review for the presence of an appropriate fraud monitoring system for RDC.

As with any audit procedures, what you include should be tailored to your credit union. And, it should also change as time goes by. When the NCUA issues their Supervisory Focus Letter in January 2015, I would not be surprised to see a change or two in what they will be looking for in RDC as well. More to follow, I'm sure.

About the Author

Sam Capuano, CBA, CRP, Manager of Internal Audit at Wolf & Company, P.C., has over 25 years of experience as a financial institution internal auditor. Capuano is a frequent contributor to The Audit Report, and is a Board Emeritus of ACUIA.


{ the standards } Pat Richey, Retired

AUDIT SAMPLING

Standard 2320 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that internal auditors must base their conclusions and results on appropriate analysis and evaluations. But what is appropriate? How much information does the auditor have to evaluate?

Previously I discussed the advice of Practice Advisory (PA) 2240-1 on audit programs, which states that an audit program includes sampling techniques. PA 2320-3 is a 4-page advisory on audit sampling. It is relatively technical and written by persons who know much more about sampling than I do. If I remembered anything from my graduate level statistics class, I would get into the technicalities, but I don't, so I will not be discussing tolerable error rates, expected error rates, or confidence levels. The following is a simple guideline of audit sampling based on the PA.

The premise of audit sampling is that the auditor does not have to look at EVERYTHING. It is okay to look at less than 100%. There just isn't enough time or staff resources to look at everything. For example, if you are doing a loan audit, you do not need to look at every loan file. The auditor would look at a sample of files. If the auditor does a cash count, the auditor does not have to fine count every bill in the vault. I am forever indebted to Terry McEachern who recommended counting all the vault cash bundles to trace to financial records and then fine counting a sample of bills: 100% of twenties and fifties, 50% of twenties, 30% of tens, etc.

Population
One key to sampling is population. Population is the entire set of data from which a sample is selected. For example, in a wire transfer audit, the population would be ALL the wire transfers performed during a particular timeframe. From this population, the auditor selects a sample of transactions to evaluate. However, before picking a sample, it is very important that the auditor validate that the population is complete and there are not any transactions missing from the population, for example by reconciling the count and dollar total of the extract to the source system, or by checking a sequentially numbered reference for gaps.

Random Sampling
The other sampling key is randomness. In a random sample, every item of the population has an equal chance of being selected for the sample. A common way to achieve this is to choose the sample systematically: the auditor determines the sample size needed, divides the population by the sample size to determine an "nth", picks a random starting point within the first n items, and then selects every nth item. The random start is what gives every item an equal chance of selection. One caveat: if the list is ordered in a pattern that repeats with the interval (for example, grouped by loan officer), every nth item may land on the same officer each time, and the sample should be drawn from a differently ordered list.

As an example, the auditor is performing a loan audit for the 4th quarter of 2014. In January 2015, the auditor determines that there were 500 loans closed in the 4th quarter, and wants to look at a sample of 50 loans. 500 divided by 50 is 10, so the auditor picks a random starting point among the first 10 loans and then selects every 10th loan to evaluate.

Stratified Sampling
There are other methods of sampling which I never found a need to use, such as monetary unit sampling, attribute sampling, variable sampling, and discovery sampling. However, I have used stratified sampling, which divides the population into sub-groups before sampling. In the loan example above, let's suppose that the entire loan population consists of 50% auto loans, 30% mortgage loans, and 20% credit card loans. However, when the sample is randomly selected it happens that there are not any credit card loans in the sample. Is this sample representative of the population? No, so the auditor does a stratified sample. The auditor randomly selects 25 loans from the auto loan population, 15 loans from the mortgage loan population and 10 loans from the credit card loan population, so that the sample is more representative of the population.
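The population check, the systematic "every nth" selection, and the stratified selection described in the three sections above, worked through in code. This is an added example, not code from the article or from any audit software package; the loan population is constructed to match the article's numbers (500 loans closed in the quarter, 50% auto, 30% mortgage, 20% credit card, sample of 50), and the stratified routine goes a little beyond the article by computing each stratum's quota from its share of the population rather than taking the 25/15/10 split as given.

```python
"""Audit sampling helpers: a population completeness check, systematic
(every nth) selection with a random start, and proportional stratified
selection.  Added example, not from the article; the loan population below
is constructed to match the article's numbers (500 loans closed in the
quarter, 50% auto, 30% mortgage, 20% credit card; sample of 50)."""
import random
from collections import Counter, defaultdict


def missing_sequence_numbers(seq_numbers):
    """Gaps in a numbering that should be contiguous (e.g. wire reference
    numbers).  A gap means the extract is incomplete and must be explained
    before any sample is drawn from it."""
    present = set(seq_numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def systematic_sample(population, sample_size, seed=None):
    """Every k-th item, k = N // n.  The starting point is drawn at random
    from the first interval so each item has the same chance of selection;
    without that, the sample is fixed by whoever ordered the list."""
    n_pop = len(population)
    if not 0 < sample_size <= n_pop:
        raise ValueError("sample size must be between 1 and the population size")
    k = n_pop // sample_size
    start = random.Random(seed).randrange(k)
    return [population[i] for i in range(start, n_pop, k)][:sample_size]


def stratified_sample(population, stratum_of, sample_size, seed=None):
    """Proportional allocation: each stratum's quota is n times its share of
    the population, rounded by the largest-remainder rule so the quotas sum
    to exactly n.  Items within a stratum are chosen by simple random sampling."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for item in population:
        strata[stratum_of(item)].append(item)
    n_pop = len(population)
    quota = {s: sample_size * len(items) / n_pop for s, items in strata.items()}
    alloc = {s: int(q) for s, q in quota.items()}
    shortfall = sample_size - sum(alloc.values())
    for s in sorted(quota, key=lambda s: quota[s] - alloc[s], reverse=True)[:shortfall]:
        alloc[s] += 1
    sample = []
    for s, items in strata.items():
        sample.extend(rng.sample(items, alloc[s]))
    return sample


# Constructed population: loan numbers 1..500 in closing order, with the
# products interleaved the way a real quarter's closings would be.
_products = ["auto"] * 250 + ["mortgage"] * 150 + ["credit card"] * 100
random.Random(2014).shuffle(_products)
LOANS = [{"loan_no": i + 1, "product": p} for i, p in enumerate(_products)]


def product_mix(sample):
    """Count of sampled loans per product."""
    return dict(Counter(loan["product"] for loan in sample))


def demo(seed=7):
    """Validate the population, then draw both kinds of sample and report the
    product mix of each."""
    if missing_sequence_numbers(loan["loan_no"] for loan in LOANS):
        raise ValueError("population is incomplete")
    return {
        "systematic": product_mix(systematic_sample(LOANS, 50, seed)),
        "stratified": product_mix(stratified_sample(LOANS, lambda l: l["product"], 50, seed)),
    }


if __name__ == "__main__":
    print(demo())
```

Record the seed in the workpapers along with the population source: with the seed, another auditor can regenerate exactly the same selection, which is the "someone else can follow your workpapers" requirement from the Workpapers and Reporting section applied to the sample itself. The systematic draw's product mix will wander from run to run (change the seed to see it), while the stratified draw always returns 25/15/10.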

Sampling Risk
Sampling risk is the risk that the auditor's conclusion based on evaluating a sample is not the same conclusion that would result from evaluating the population. There is the risk that the auditor concludes that a condition is unlikely when in fact it is likely. Or conversely, the auditor concludes that a condition is likely when actually it is quite unlikely.

Sample Size
The big question is "How large a sample do I need?" I do not have a definitive answer to that. This is where tolerable errors, expected errors, confidence levels, and level of sampling risk come into play to determine the odds of an erroneous conclusion. I recommend asking your CPA firm for help if you want to become more proficient in statistical sampling, or it would be a good educational session at the conference.

I just used my judgment to select a sample size, and our CPA firm never had a problem with my work, and management never contested my results. Audit standards require that results be sufficient, reliable, relevant, and useful. If audit results do not appear to be reasonable, or there appears to be a significant problem, then the sample size should be increased to see if the results change.

At one time I was told that 25 was the largest sample needed, no matter the population size. I do not know who to credit with that statement, or if it is correct. However, consider that when the population is all US residents, a sample poll of 1000 persons is typical. Also, I was always taken aback by how few member confirmations the CPA firm performed as part of their financial statement audit, considering the population size.

For repeated audits (ones performed annually), I usually found myself decreasing the sample size each year. If you are spending too much time on a particular audit, generally reducing the sample size will be more effective. It is a balance between the additional effort of a large sample, and a small sample not accurately reflecting the population. Errors found in a sample should be analyzed to determine the cause of the errors. However, if significant problems are found in a sample, then a larger sample should be evaluated to ensure the results are the same.

Over 23 years I changed the scope and sampling size for loan audits several times. When I first started performing loan audits, I would audit 100 loans from the previous 12 months. However, it meant I was commenting on some loans that were 12 months old, which was not very useful. I switched to auditing 25 loans each quarter, which was more relevant. Then we switched to auditing a sample of a specific loan officer's population of closed loans, and audited 2 loan officers each month, about 20 loans a month. That was a lot of loans and we were spending too much time auditing loans. So we settled on auditing loans by product. One year we would audit mortgage loans, the next year indirect loans, then credit card loans, etc.

Exceptions to Sampling
An auditor may choose to evaluate the entire population if the population is comprised of a few highly material or risky items. Also, if there is a high degree of fraud suspicion, or fraud has been detected, a population of at-risk transactions might be evaluated. Risk always trumps.

In a conference expense reimbursement audit, the finding of one fraudulent expense would lead the auditor to review all expenses at that conference. If additional fraudulent items are discovered, then all expense reimbursements for that person would be reviewed.

Also, continuous auditing tools efficiently allow the auditor to test a whole population. Continuous auditing involves the use of advanced, specialized software to identify exceptions in whole populations.

Workpapers and Reporting
Audit workpapers should include sufficient detail to clearly describe the source of the population and the sampling technique. As always, another person should be able to follow your audit program and workpapers to arrive at the same conclusion. The audit report should clearly indicate that a sample was evaluated, and that the conclusion is based on the sample. The report should not lead the reader to believe that the population was evaluated.

Other Considerations
Generally the auditor will randomly select a sample from a list of items in the population, and then obtain the documentation for those items. If the supporting documentation cannot be obtained, the auditor can use alternative procedures to evaluate the sample item. For example, the auditor may send positive loan confirmations to a sample of borrowers. If a borrower does not return the positive confirmation, the auditor can evaluate the loan file to determine the validity of the loan.

However, if the auditor selects a sample of loans to audit, and a loan file is missing for one or more of the sample loans, the auditor (not the loan officer) can randomly select other loans to replace them, but must follow up on the missing loan file until the issue is resolved, or reported as a deviation.

In conclusion, the cost of auditing should not outweigh the benefits. To be cost-effective the auditor should be using audit sampling to provide evidence of a reasonable conclusion about the population which is the scope of the audit. The auditor should keep in mind the audit objective and the purpose of the sample.

About the Author

Pat Richey was director of Internal Audit at Financial Center FCU for 23 years, and a career-long supporter of ACUIA and its members. She is currently retired.


Strength.

Is your credit union built to last? Staying competitive in today’s complex regulatory environment requires tighter controls, smarter procedures, and an advisor that understands your industry.

Discover why more than 300 financial institutions across the nation turn to us to help them grow with confidence.

Opinion & Supervisory Committee Audits
Internal Audit Outsourcing
BSA/AML & Regulatory Compliance
Tax Planning & Compliance
IT Consulting
Credit Review Services

WWW.MOSSADAMS.COM/CU

{ information security } Tom Schauer

CHANGE MANAGEMENT

What is it?
Change management in the context of information technology refers to the controls and processes that govern alterations to systems, networks, devices, applications, or privileges.

Common industry standards define the goal of change management as:

■ [ITIL] To ensure standardized methods and procedures are used for efficient and prompt handling of all changes, in order to minimize the impact of change-related incidents upon service quality, and consequently improve the day-to-day operations of the organization.

■ [ISO 20000 (part 1, 9.2)] To ensure all changes are assessed, approved, implemented and reviewed in a controlled manner.

Some are surprised to find that even GLBA, codified as NCUA regulation 12 CFR Part 748, Appendix A, III. C. 1. d, addresses change management. The guidance recommends that "Procedures are designed to ensure that member information system modifications are consistent with the credit union's information security program."

Change management is a critical control category, and when done well it contributes to a secure environment with fewer continuity issues and greater information integrity. Mistakenly, some believe change management only applies to major systems development such as an in-house loan system. Not true. Effective change management controls all significant changes that could impact the operational environment, including changes to routers, firewalls, servers, and even printers.

Common initiators of change management include software updates, hardware upgrades, regulatory changes that drive business processes, or personnel role changes.

What systems, equipment or procedures does it use?
Whenever an organization intends to make significant changes to systems, networks, devices, applications, or privileges it should activate its change management process. An effective formal change management process will ensure that the full ramifications and risks of the change are properly understood, and that the change is approved by management, appropriately documented, and suitably tested with a fail-back plan in place before moving to production.

Understanding the poten-tial risk of a change (includ-ing information security risks) should drive the complex-ity and rigor of the change management activities. Thus, a risk assessment should be part of the initial change de-scription and never skipped. Further the description of the change should indicate affected stakeholders (i.e. users), systems, documenta-tion, business processes and risk controls (i.e. GLBA risk assessment, business conti-nuity plans and incident re-sponse plans).

All changes should have an appropriate level of doc-umentation, ensuring the rationale, justification and approval for the change are available for post-change re-view and audit. The depth and formality of the docu-mentation will be depen-dent upon the change risk and com-plexity, and may include creating service desk tickets, archiving email, or developing formal project man-agement documentation.

It is a common mistake of small organizations to overlook proper change processes and documenta-tion. The result is unintended service impact when something goes wrong. A simple change log indicating the

system updated, a brief statement of the change, who made the change, and the time of the change will often point you in the direction of the core issue when unexpected issues occur.

Documentation should include a risk assessment for the change, along with any alterations the change may cause to the overall GLBA Informa-tion Security Risk Assessment, the business continuity plan, the incident

response plan, and any other poli-cies, procedures, or standards. Test-ing of the change before moving into production should be documented as well, along with a back-out pro-cedure in case issues arise once the change is formally implemented. Finally, management’s approval of the change should be documented. Documentation may be by creating a project file, archiving emails, or by

using help desk software like Track-It to open tickets for each change.

What controls does TrustCC test?TrustCC recommends all significant server and network device configura-tion or hardware changes be autho-rized, tested and approved prior to production implementation.

TrustCC recommends all signifi-cant system or application software

changes be authorized, tested and approved pri-or to production imple-mentation.

Documentation of changes could include risk assessment, security and BCP impacts, change impact ratings, dependen-cies, testing results, and back out procedures; ap-provals should be docu-mented and the documen-tation should be available.

TrustCC recommends that Software Develop-ment Life Cycle (SDLC) policies, procedures and standards be documented and include source code and library standards, separation of duties (test environment, production environment), testing and back out procedures, and management oversight and approval practices. n
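To make the control concrete, here is an added example (not TrustCC’s or the author’s code) in Python: a change record carrying the fields the article lists (system, description, who, when, risk rating, approval, test evidence, back-out plan, affected risk controls), a check that returns the gaps that should keep a change out of production, and the change-log lookup that narrows an incident to the changes made to the affected system shortly beforehand. The record layout, field names, hosts, people and timestamps are assumptions constructed for illustration.

```python
"""Change-log record checks and incident correlation.

Added example for the change management article above; not TrustCC's or
ACUIA's code. The record layout is this example's own assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    system: str                      # router, firewall, server, application, even a printer
    description: str
    implemented_by: str
    implemented_at: datetime
    risk: str                        # "low", "medium" or "high" from the change's risk assessment
    approved_by: Optional[str] = None
    tested: bool = False             # tested before moving to production
    backout_plan: str = ""
    affected_controls: List[str] = field(default_factory=list)  # e.g. "GLBA risk assessment", "BCP", "IRP"


def production_gaps(rec: ChangeRecord) -> List[str]:
    """Return the control gaps that should block this change from production.

    An empty list means the record is authorized, tested, approved and
    recoverable, which is what an auditor testing the control looks for.
    """
    gaps = []
    if rec.risk not in ("low", "medium", "high"):
        gaps.append("risk assessment missing or not rated")
    if not rec.approved_by:
        gaps.append("no documented management approval")
    elif rec.approved_by == rec.implemented_by:
        gaps.append("approver is also the implementer (no separation of duties)")
    if not rec.tested:
        gaps.append("no documented test before production")
    if not rec.backout_plan.strip():
        gaps.append("no back-out procedure")
    if rec.risk == "high" and not rec.affected_controls:
        gaps.append("high-risk change does not state its impact on the GLBA risk assessment, BCP or IRP")
    return gaps


def changes_before_incident(log: List[ChangeRecord], system: str,
                            incident_at: datetime,
                            window: timedelta = timedelta(hours=72)) -> List[ChangeRecord]:
    """Changes to `system` implemented inside `window` before `incident_at`, newest first.

    This is the lookup the article describes: when something breaks, the
    change log points at what changed on that system shortly beforehand.
    """
    start = incident_at - window
    hits = [r for r in log
            if r.system == system and start <= r.implemented_at <= incident_at]
    return sorted(hits, key=lambda r: r.implemented_at, reverse=True)


# Constructed sample change log; the names, hosts and times are made up.
SAMPLE_LOG = [
    ChangeRecord("CHG-1041", "fw-edge-01", "Open TCP/443 from vendor range to RDC server",
                 implemented_by="jsmith", implemented_at=datetime(2014, 10, 6, 18, 5),
                 risk="high", approved_by="itdirector", tested=True,
                 backout_plan="Restore saved running-config fw-edge-01_2014-10-06.cfg",
                 affected_controls=["GLBA risk assessment", "IRP"]),
    ChangeRecord("CHG-1042", "srv-core-02", "Apply vendor patch bundle 2014.09",
                 implemented_by="jsmith", implemented_at=datetime(2014, 10, 7, 22, 30),
                 risk="medium", approved_by="jsmith", tested=False,
                 backout_plan="Revert to snapshot srv-core-02_pre-patch"),
    ChangeRecord("CHG-1039", "prn-ops-03", "Firmware update",
                 implemented_by="tjones", implemented_at=datetime(2014, 10, 1, 9, 0),
                 risk="low", approved_by="opsmgr", tested=True,
                 backout_plan="Reflash previous firmware image"),
]

# Constructed incident: core server unreachable the morning after CHG-1042.
INCIDENT_AT = datetime(2014, 10, 8, 7, 45)


if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        gaps = production_gaps(rec)
        print(rec.change_id, "OK" if not gaps else "; ".join(gaps))
    for rec in changes_before_incident(SAMPLE_LOG, "srv-core-02", INCIDENT_AT):
        print("suspect:", rec.change_id, rec.implemented_at, rec.implemented_by, rec.description)
```

Run as a script, the checks flag CHG-1042 twice (self-approved and untested) and the incident lookup returns only CHG-1042, the patch applied to srv-core-02 the night before; the printer firmware change a week earlier falls outside the 72-hour window. The same record layout works whether the log lives in a ticketing tool, a spreadsheet, or archived e-mail, as long as each change captures these fields.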

About the Author

Tom Schauer – CISA, CISSP, CISM, CRISC, CTGA, CEH. Tom has been practicing in information technology security and auditing for 26 years. Tom is one of the country’s leading experts in IT compliance matters in the Financial Services sector. Tom is the founder of TrustCC and is frequently asked to speak at conferences and provide training to regulatory examiners.


Page 26: Audit Report Volume 23 Issue 4


{ member spotlight } Tammy Farmer

This Issue’s Member Spotlight is Tammy Farmer. Tammy is a long-time auditor and ACUIA member. She is also the Chapter Coordinator for our newly created South Carolina Chapter.

Tammy, after all these years I’m very excited to interview you for the Spotlight. As you know, we like to know the personal stuff about our ACUIA friends. So tell us a little.

I’m an avid University of South Carolina Gamecock fan. My weekend calendar during football season is pretty much blocked off. I also have a special young man in my life - my 13-year-old nephew, Hunter. He plays a lot of traveling baseball. Their games are fun so I go when they aren’t too far from home.

Ok, let’s talk business now. Tell us how you came to be where you are today, and any professional certifications you’ve attained along the way.

I think audit is the best type of work – you get to see how everything operates and have an opportunity to learn so much. I’ve been auditing credit unions my entire career. Providing the information for the spotlight made me realize that it has been 25 years! I graduated from Francis Marion College (yes, it was a college and not a university when I attended) in 1989 with a major in Accounting. I loved the auditing class in college. My first full-time job was as a staff auditor for the SC Credit Union League in 1989. Then I moved to SC State FCU in 2001 and have been there ever since. I’m thinking this deserves some sort of anniversary present to myself!

I am a CIA. I’m certainly proud of the designation. It took me a while to get it but I became certified in 1994. I’m diligent about maintaining the designation by keeping up my CPE.

You’ve been in auditing a long time. Please share some of your wisdom about useful audit tools, processes, and industry challenges.

You have to be a good communicator, open-minded and flexible. And you need to prove that the activity adds value. Getting input from the stakeholders can help with that challenge.

How long have you been part of the ACUIA family and what is the best part of that experience?

I’m not so sure about that but I think since the early 90s. Networking with peers is definitely the most valuable part of ACUIA. These people do exactly what you do every day. They can provide a wealth of information. n

FUN FACTS ABOUT TAMMY:

Favorite sports team: University of South Carolina Gamecocks

Favorite food: I love pizza. Maybe it is the cheese.

Travel: I like to travel but haven’t gotten very far out of the southeast. I like the mountains and the sea and spend a good bit of time on a local lake.

Music: I like a variety but I’m still a little bit of an 80s hair band head banger. I like it loud!

Auditors: Who says they are boring?

NOMINATE A MEMBER! Do you know a member who should be featured in our member spotlight? Send nominations to Tabitha Ernst-Chadwick at [email protected]

Page 27: Audit Report Volume 23 Issue 4

Build Business Relationships
Strengthen your relationships by using advisors with a strong professional network.

Dean Rohne | 800-657-4477 | CLAconnect.com
©2014 CliftonLarsonAllen LLP
Audit | Regulatory Compliance | Information Security

Page 28: Audit Report Volume 23 Issue 4


{ regional news }

REGION 1

Director: Julie Wilson, Director Internal Audit, iQ Credit Union, [email protected]

No News for Region 1. Contact Julie for information.

REGION 2

Director: Margaret Chamberlain, CUERME, AVP Internal Audit, Arizona State Credit Union, [email protected]

The Region 2 annual meeting was held October 16-17, hosted by Mountain America Credit Union in Salt Lake City, Utah. Thank you to all of our awesome speakers and attendees!

REGION 3

Director: Greg A. Czyzewski, CPA, CIA, AVP Internal Audit, Teachers Credit Union, [email protected]

The Minnesota and Indiana Chapters have nothing to report. Contact your Chapter Coordinators for Chapter information.

The Annual Region 3 Meeting was held in September at the University of Wisconsin Credit Union in Madison. The meeting covered a variety of topics including ALM, audit planning, fraud, compliance, and IT. Thanks to our sponsors Doeren Mayhew, Clifton Larson Allen, BKD, McGladrey, and Moss Adams. A special thanks to Jodi Dins and the staff at UW Credit Union for hosting a very successful meeting.

REGION 4

Director: Patrick McCullough, CIA, CISA, CRMA, AVP/Director of Internal Audit, Arkansas Federal Credit Union, 501.533. [email protected]

No news for Region 4. Please contact Patrick for information.

REGION 5

Director: Open

Position Open! Region 5 needs you! Update provided by former Region 5 Director Lorraine Heneka:

Region 5 had another very successful regional meeting this year. The meeting was held September 29th & 30th and was hosted by Dana McCranie and her team at Empower FCU in Syracuse, NY.

Topics presented included: Top 10 Audit Issues by Carrie Kennedy of Moss Adams; Supervisory Committee Perspectives by Jay Bowman of Accume Partners; Online Security: how hackers really get in and how to stop them by Gavin Landless of Empower FCU; Panel discussion on Creating an IA Risk Assessment and Audit Plan by John Gallagher of SEFCU, Sam Capuano of Wolf & Co and Carrie Kennedy; ALL and Loan Documentation by Neal Keiffer and Michelle Perry of Firley, Moran, Freer & Eassa, CPA; and our annual Compliance Update by Michael Carter of CUANY.

Although we had to make some last minute schedule changes due to our first speaker getting delayed at the airport in Chicago, it all worked out. On Monday night, we enjoyed dinner and drinks at Coleman’s Irish Pub. Food, drinks, and conversation were all great!!

Thank you to all of the speakers for donating their time and expertise to educate us, and to Dana and her team for hosting the event.

Page 29: Audit Report Volume 23 Issue 4

For those of you who haven’t heard, I have stepped down as Region 5 Director. I have accepted a different position within the credit union and will no longer be in Internal Audit, but you may still hear from me if I need your assistance in my new job. I truly enjoyed serving as your regional director and being a member of the ACUIA. The meetings and networking…and most importantly the friendships I’ve gained…have proven to be invaluable!

REGION 6

Director: Bobby Nichols, SVP - Audit Services, State Employees’ Credit Union, 800.385.7014, [email protected]

No news for Region 6. Please contact Bobby for information.

Service So Outstanding, Others Can Only Talk About It…

TWHC has been providing credit unions with Audit, Tax and Advisory services for over 25 years. Today we are the number one credit union professional services firm in California with clients that range in size from $20M in assets to $6.5B in assets.

twhc.com

Page 30: Audit Report Volume 23 Issue 4


{ region directors }

REGION 1: Julie Wilson, [email protected]

REGION 2: Margaret Chamberlain, CUERME, [email protected]

REGION 3: Greg Czyzewski, CPA, CIA, [email protected]

REGION 4: Patrick McCullough, [email protected]

REGION 5: Open

REGION 6: Bobby Nichols, [email protected]

{ chapter coordinators }

Contact these volunteer leaders and get involved in local ACUIA activities.

REGION 1

CENTRAL CASCADES (OR/WA) CHAPTER: Terry Robbins

REGION 2

ARIZONA CHAPTER: Allen [email protected]

CALIFORNIA CHAPTER: Jim [email protected]

UTAH CHAPTER: Randy Manscill, CIA, CFE, [email protected]

REGION 3

INDIANA CHAPTER: Jeff [email protected]

MINNESOTA CHAPTER: Van Sprenger, [email protected]

REGION 4

NORTH TEXAS CHAPTER: Kimberly [email protected]

ST. LOUIS CHAPTER: David [email protected]

REGION 5

NEW YORK CITY CHAPTER: VOLUNTEER NEEDED!

REGION 6

GEORGIA CHAPTER: Jason [email protected]

NORTH CAROLINA CHAPTER: Staci [email protected]

SOUTH CAROLINA CHAPTER: Tammy [email protected]

TENNESSEE CHAPTER: Mark Jenkins, [email protected]

Page 31: Audit Report Volume 23 Issue 4


Audit Management Software

Trusted by Companies, Governments and Individuals Worldwide, MKinsight™ is a comprehensive, highly configurable, powerful and easy to use Audit Management System.

From individual auditors to State Audit Institutions MKinsight™ is easy to use, straightforward to implement and affordable whatever the size of your audit team.

Key Functionality: Welcome Dashboards, Audit Planning, Audit Management, Audit Scheduling, Performance Reporting, On-line Questionnaires, Comprehensive Reporting, Electronic Working Papers, Enterprise Risk Management, Time and Expense Recording, Recommendation/Action Tracking, Libraries

www.mkinsight.com
United States: +1 847 282 5000 | United Kingdom: +44 113 2455558

Page 32: Audit Report Volume 23 Issue 4

{ acuia select }

ACUIA SELECT (as of December 31, 2012)

Platinum

Gold

Silver

Bronze

Sponsors

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 688-2284.


ACUIA extends a special thanks to our 2014, 24th Annual Conference and One Day Seminar Sponsors and Exhibitors, who help make the annual event great.

CONFERENCE SPONSORS & EXHIBITORS

PLATINUM

GOLD

SILVER

BRONZE

EXHIBITOR


CBIZ & Mayer Hoffman McCann P.C. – Specialists in Credit Unions and Community Banks –

FINANCIAL STATEMENT AUDITS* • IT AUDITS • INTERNAL AUDITS

Quality & Precision at a Fair Price
With national resources and credit union expertise, you can be assured your financial statement audit will be performed with care and always in compliance with the industry’s professional standards.

Tony Coble – Managing Director, CBIZ MHM, LLC and Shareholder, Mayer Hoffman McCann P.C.
[email protected] • 913.234.1031
www.cbiz.com • www.mhmcpa.com

© Copyright 2013. CBIZ, Inc. and Mayer Hoffman McCann P.C. All rights reserved.

*Mayer Hoffman McCann P.C. is an independent CPA firm providing audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider.