Chapter 23 Internal/External Audit Self-Assessment Program

Introduction ................................................................ 23-1
  Regulatory Background ................................................... 23-1
  Overview of the Internal/External Audit Self-Assessment Program ......... 23-1
    Audit Objectives ...................................................... 23-2
Audit Supervision ........................................................... 23-3
  Supervisory Principles .................................................. 23-3
  Supervisory Process and Validation ...................................... 23-4
    Work Paper Review ..................................................... 23-4
    Use of Additional Procedures .......................................... 23-5
    Direct Verification ................................................... 23-6
Audit Evaluation ............................................................ 23-6
Board and Management Oversight .............................................. 23-7
Risk Assessment and Risk-Based Auditing ..................................... 23-8
Internal Audit Function ..................................................... 23-9
  Objectives .............................................................. 23-9
  Internal Audit Program .................................................. 23-9
  Independence ............................................................ 23-11
  Competence .............................................................. 23-12
  Outsourcing Internal Audit .............................................. 23-12
External Audit Function ..................................................... 23-14
  Objectives .............................................................. 23-14
  Types of External Auditing Programs ..................................... 23-15
  Audit Opinions .......................................................... 23-16
  Independence ............................................................ 23-16
  Competence .............................................................. 23-17
Other Audits ................................................................ 23-17
  Information Technology Audits ........................................... 23-17
  Fiduciary Audits ........................................................ 23-18
  Consumer Compliance Audits .............................................. 23-18
Exhibit 23.1: Sample Internal Audit Review Procedures ....................... 23-19
Exhibit 23.2: Internal Audit Review ......................................... 23-28
Exhibit 23.3: Internal Audit Review Questionnaire ........................... 23-31
Exhibit 23.4: External Audit Review ......................................... 23-37
Exhibit 23.5: Internal Audit Review Worksheet ............................... 23-44
Exhibit 23.6: Proposed NCUA Statement on the Internal Audit Function and Its Outsourcing ... 23-49
Exhibit 23.7: Interagency Policy Statement on the Internal Audit Function and Its Outsourcing ... 23-59
Exhibit 23.8: Audit Function Related to IT Review ........................... 23-78
Exhibit 23.9: Work Paper Review ............................................. 23-82

4/05 Internal Auditing Manual for Credit Unions

INTRODUCTION

This chapter provides some guides to test the competency of your audit program.
It also gives insight into what internal and external auditors should perform. An outsourced auditor’s requirements and responsibilities are also covered. The external or outsourcing programs can include the year-end examination of your credit union’s financial statements. Internal, external, and outsourcing audits or auditors are treated as separate entities in this chapter.

This chapter can be considered a self-assessment guide for your internal auditing function. You can test your own function without asking others to come and rate you, whether on a volunteer or paid basis. Once you are aware of how your own function rates, you can then ask for an outside review to augment your original findings, if so desired or required by the supervisory committee.

REGULATORY BACKGROUND

The purpose of this chapter is to help assess your credit union’s audit function. It is based on the proposed Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, which was presented to the National Credit Union Administration (NCUA) Board of Governors in March 1998. Though this statement has not been adopted, it provides useful guidance for the internal audit function. (A copy of this proposed statement is included as Exhibit 23.1.)

Another source of regulatory guidance used as a basis for this chapter is the Interagency Policy Statement on Coordination and Communication Between External Auditors and Examiners. This statement has not been submitted to NCUA for possible approval, but has been approved by the other regulators (in July 1992). This statement covers such items as (1) Coordination of External Audit and Examination, (2) External Auditor Attendance at Meetings Between Management and Examiners, and (3) Meetings and Discussions Between External Auditors and Examiners.
OVERVIEW OF THE INTERNAL/EXTERNAL AUDIT SELF-ASSESSMENT PROGRAM

Well-planned, properly structured auditing programs are essential to strong risk management (see Chapter 22) and comprehensive internal control systems (see Chapter 14). Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board about the effectiveness of internal control systems.

Regulators will assess and draw conclusions about the adequacy of internal and external audits as part of every credit union examination. This assessment will include some level of audit validation, as well as verification procedures as necessary. The conclusions will significantly influence the scope of other supervisory activities at the credit union. Regulatory examiners will expand examination activities if significant issues are identified that require further investigation.

The following guidelines govern the assessment of credit union audit programs:

□ The board and senior management cannot delegate their responsibilities for establishing, maintaining, and operating effective audit programs.
□ Examiners must verify the adequacy of a credit union’s audit programs.
□ Independent and competent staff that is objective in evaluating the credit union’s control environment should perform credit union audit programs.

This chapter discusses the characteristics of effective audit functions. It will:

□ Help auditors and credit unions assess the quality and effectiveness of internal/external and outsourced audit programs.
□ Describe the roles and responsibilities of the board and management.
□ Identify effective practices for these audit programs.
□ Detail examination objectives and possible procedures that examiners may use to assess the adequacy of a credit union’s audit programs.
Audit Objectives

Effective audit programs should:

□ Provide objective, independent reviews and evaluations of credit union activities, internal controls, and management information systems.
□ Help maintain or improve the effectiveness of credit union risk management processes, controls, and governance.
□ Provide reasonable assurance about the accuracy and timeliness with which transactions are recorded and the accuracy and completeness of financial and regulatory reports.

Audit programs may comprise several individual audits that provide various types of information to the board about the credit union’s financial condition and effectiveness of internal control systems. The most common types of audits are financial, operational, compliance, and information systems (technology audits).

Financial audits review the credit union’s financial statements, a specific account, or a group of accounts within the financial statements. The purpose of a financial audit is to determine whether the financial statements fairly present the financial position, results of operations, and cash flows as of a certain date or for a period ending on that date. Independent public accountants (IPAs)¹ perform this type of audit primarily to render an opinion about whether the financial statements are presented fairly and in accordance with generally accepted accounting procedures (GAAP). An internal auditor may assist the external auditor during such an audit.

1. IPAs are accountants who are independent of the credit union they audit; are registered or licensed to practice accounting; hold themselves out as public accountants; and are in good standing under the laws of the state or other political subdivision of the U.S. in which their home office is located.

Operational audits review a specific department, division, or area of a credit union.
This type of audit includes a review of policies, procedures, and operational controls (e.g., loan review) to determine whether risk management, internal controls, and internal processes are adequate and efficient. Operational audits generally include procedures to test the integrity of accounts, regulatory reports, and other aspects of operations. These audits may also include a review of management and employee compliance with credit union policies and procedures.

Compliance audits determine whether the credit union is complying with credit union procedures, internal controls, and applicable laws and regulations. A consumer compliance audit is an example of this type of audit.

Information system (technology) audits assess the controls over a credit union’s electronic data processing and computer areas. These audits focus on management, development and acquisition, support and delivery, data security, and physical security. Information system audits might also include a review of computer and client/server systems, end-user reports, electronic fund transfers, and service provider activities.

Credit union audit programs should include each of these types of audits, though the level of formality and detail will vary. Auditors may perform these audits separately or blend elements of each to achieve overall credit union audit objectives. In some credit unions, the external auditors may perform some of the work that is traditionally thought to be internal audit’s work, or the credit union can rely on the work of the internal auditor. The credit union’s size, complexity, scope of activities, and risk profile determine the extent of its audit program.

AUDIT SUPERVISION

Assessments of a credit union’s audit programs are fundamental to the overall supervisory process. Audit assessments help leverage regulatory resources, establish the scopes of other current supervisory activities, and contribute to supervisory strategies that outline future examination activity.
Supervisory Principles

Effective regulatory audit supervision encompasses the following six principles:

□ Integration. The examiners should integrate audit reviews, including validation, into the supervisory activities for each functional, specialty, and risk area as needed. Specialists should be consulted about the audit functions for complex activities or should assist in assessing those activities. The examiners should use core assessment standards and other tools in assessing and documenting conclusions about individual areas and combining conclusions into an overall audit assessment.

□ Analysis. The examiners should review audit reports and management responses, supervisory committee minutes, and regulator findings to identify changes in the credit union’s risk profile, systemic control issues, or changing audit trends. This review should also include other information maintained by the internal auditor, such as organizational charts, audit charter and mission statement, external auditor or outsourcing vendor engagement letters, audit manuals, operating instructions, job specifications and descriptions, directives to employees, flow charts, and internal control and risk assessments.

□ Communication. The examiners should maintain ongoing and clear communications with credit union personnel. Communication regarding audit supervision and audit findings should occur throughout an examination. Communication regarding supervisory and audit findings should occur throughout an examination or supervisory cycle. Examination reports and other written communications to a credit union will include comments about the adequacy of the credit union’s audit programs and summarize other appropriate findings and conclusions.

□ Linkage. Examiners should link audit conclusions to assigned credit union ratings, risk assessments, and supervision strategies.
In particular, management ratings, audit component ratings in the specialty areas, and individual risk assessments should be linked directly to the quality and reliability of a credit union’s audit functions.

□ Documentation. The examiners should document working papers. Working papers need not be voluminous, but they should leave a clear audit trail that supports findings and conclusions and allows the reader to understand how conclusions were reached.

Supervisory Process and Validation

Examiners will draw an overall conclusion and assess as strong, satisfactory, or weak the adequacy of the credit union’s internal and external audit programs during every supervisory cycle. The supervisory assessment of the audit program will influence how much work examiners will perform during onsite examinations. In developing the appropriate scope for audit activities, examiners will begin with core assessment objectives and procedures, tailoring those objectives and procedures to fit the size, complexity, scope of activities, and risk profile of the credit union being examined.

Examiners responsible for audit program reviews will determine how much reliance examiners can place on internal and external audit work by validating the audit program at each regular onsite examination. The objective of the examiners’ validation work is to gain a better understanding of audit-related policies, procedures, practices, and findings, and to substantiate conclusions about the quality and reliability of internal and external audits. Validation encompasses observation, inquiry, and testing, and generally consists of a combination of examiner discussions with credit union management and audit personnel, audit work paper reviews, and process reviews (e.g., reviews of policy adherence, risk assessments, follow-up activities).

Note. To validate the adequacy of the credit union’s audit program, examiners may progress through three steps: work paper review, use of additional procedures, and direct supervision.
Work Paper Review

During each supervisory cycle, examiners will review an appropriate sample of internal audit’s work papers, including those from outsourced internal audit work and supervisory committee examinations. The sample for internal audit should represent a cross-section of credit union functions, activities, and assigned internal audit ratings, with a bias toward high-risk and rapid-growth areas, technology audits, and activities that are new to the credit union. The sample should provide a sufficient basis to validate the scope and quality of the audit programs.

For credit unions with relatively low complexity and internal audit functions previously assessed at least satisfactory, the extent of work paper reviews may be limited to confirming that the audit program has not changed substantially since the last examination.

If the examination discloses significant problems or issues with external audit, or if the examiners become aware of information that raises questions about the adequacy of the external audit program, examiners should review appropriate external audit work papers. Examples of situations that might trigger an external audit work paper review are:

□ Credit union reliance on external audit in lieu of an internal audit program.
□ Unexpected or sudden changes in the external auditor.
□ Significant changes in the external audit program.
□ Significant safety and soundness concerns.
□ Issues about independence, objectivity, or competence of the external auditor.

For external audits conducted at credit unions, IPAs are required to provide the examiners access to audit-related work papers, policies, and procedures upon request.
Examiners should initially request access to such audit work papers through credit union management, but will not hesitate to communicate directly with the external auditor if credit union management fails to provide access.² For credit unions that have outsourced internal audit activities or external audit programs, engagement letters or written contracts should explicitly provide for examiner access to audit work papers.

2. Examiners could refer to the 1994 AICPA Interpretation of Statement on Auditing Standards (SAS 41), entitled “Providing Access to or Photocopies of Working Papers to a Regulator.”

An IPA may request that examiners view external audit work papers at the IPA’s office. The IPA may also require that their representative be present during the reviews and may not allow photocopying. An examiner’s request for work papers should be specific to the areas of greatest interest and should set forth the reason for the request. Because the IPA or outsourced vendor may bill the credit union for time spent by IPA staff in conjunction with an examiner’s review of external audit or outsourced internal audit work papers, the review should be focused and efficient.

Use of Additional Procedures

If the audit work paper review identifies significant discrepancies or weaknesses in the audit function, examiners will expand the examination of the audit program and determine if the examination work in affected operational or functional business area(s) should be expanded. For example, examiners could expand audit program procedures if they encounter or identify:

□ Issues of competency or independence relating to internal or external auditors.
□ Unexplained or unexpected changes in external auditor or significant changes in the audit program.
□ Inadequate scope of the audit program.
□ Audit work papers that are deficient or do not support audit or internal controls.
□ High-growth areas in the credit union without adequate audit or internal controls.
□ Inappropriate actions by insiders to influence the findings or scope of audits.

The scope of work must be sufficient to determine the extent of problems and their effect on credit union operations. Examiners should include appropriate internal control questionnaires in the expanded procedures.

Direct Verification

If, after completion of the expanded procedures, concerns remain about the adequacy of audit, internal controls, or the integrity of the credit union’s financial controls, examiners may use verification procedures to substantiate the internal or external auditor’s work. Verification should include, but not be limited to, direct confirmation with members, servicers, and others as appropriate. Examiners can perform verification even in situations in which the external auditor has issued an unqualified opinion if discrepancies or weaknesses call into question the accuracy of the opinion. Verification procedures should be used whenever:

□ Account records are significantly out of balance.
□ Management is uncooperative or poorly manages the credit union.
□ Management restricts access to credit union records.
□ Significant accounting, audit, or internal control deficiencies remain uncorrected from previous examinations or from one audit to the next.
□ Credit union auditors are unaware of, or unable to sufficiently explain, significant deficiencies.
□ Management engages in activities that raise questions about its integrity.
□ Repeated violations of law affect audit, internal controls, or regulatory reports.
□ Other situations exist that examiners believe warrant further investigation.

For less problematic situations than those identified above, the examiner may require the credit union to expand its audit program to include the areas containing weaknesses or deficiencies.
However, this alternative will only be used if management has demonstrated a capacity and willingness to address regulatory problems, if there are no concerns about management’s integrity, and if management has initiated timely corrective action in the past. If used, this alternative must resolve each identified supervisory problem in a timely manner. If examiners use this alternative, supervisory follow-up can include a review of audit work papers in areas where the credit union audit was expanded.

AUDIT EVALUATION

The remaining sections of the chapter discuss characteristics and practices of effective internal and external audit programs. Examiners will evaluate the extent to which the credit union uses these practices in light of the credit union’s size, complexity, scope of activities, and risk profile. During each credit union’s supervisory cycle, examiners will evaluate the quality and scope of the audit program, considering whether:

□ The board or its supervisory committee reviews and approves audit policies at least annually.
□ The board or its supervisory committee monitors the implementation of the audit program and its audit schedule.
□ The internal and/or external audit functions are sufficiently independent and their staffs are competent.
□ The audit’s scope and frequency, risk assessments, plans, and work programs are appropriate.
□ Audit findings are promptly communicated to the board or its supervisory committee and appropriate credit union management.
□ The board and management properly follow up on the results of audits and appropriately monitor any significant issues.
□ Internal and/or external auditors maintain an appropriate level of professional standards and training/development.
If significant audit weaknesses are identified, the examiner will determine whether to recommend to the appropriate supervisory office that credit union management develop a compliance plan to address the weaknesses or be subject to other types of enforcement actions. In making a decision, the regulatory office will consider the significance of the weaknesses, management’s ability and commitment to effect corrective action, and the risks posed to the credit union.

BOARD AND MANAGEMENT OVERSIGHT

A credit union’s board is responsible for establishing and maintaining effective audit functions that satisfy regulatory and supervisory requirements. Directors cannot delegate these responsibilities. However, they may delegate the design, implementation, and monitoring of specific internal controls to management and the testing and assessment of internal controls to auditors and others. Board or supervisory committee minutes should reflect decisions regarding audits, such as external audit engagement terms (including any decision to forgo an external audit), the scope of audits to be performed, or why an audit of a particular area is not necessary.

Directors are specifically responsible for reviewing and approving audit strategies, policies, programs, and organization structure. They should also monitor the effectiveness of the audit function. The formality and extent of a credit union’s internal and external audit programs depend on the credit union’s size, complexity, scope of activities, and risk profile. The board must carefully consider how extensive the audit program must be to effectively test and monitor internal controls and ensure the reliability of the credit union’s financial statements and reporting. The directors (and audit management, if the credit union employs them) must ensure that the credit union’s audit programs test internal controls to identify:

□ Inaccurate, incomplete, or unauthorized transactions.
□ Deficiencies in the safeguarding of assets.
□ Unreliable financial and regulatory reporting.
□ Violations of laws and regulations.
□ Deviations from the credit union’s policies and procedures.

At least annually, audit management should identify the major risks faced by the credit union to assist the board or the supervisory committee in establishing appropriate audit coverage. The board or supervisory committee should also ensure that internal and external auditors are independent of credit union management and are objective. The supervisory committee normally should be involved in hiring senior internal audit personnel, setting compensation for internal audit staff, reviewing audit schedules, and evaluating the performance of internal auditors. It should seek to retain personnel who are qualified to audit the activities in which the credit union engages, evaluate internal controls, and determine whether management is properly following up on the auditor’s or the regulator’s recommendations and concerns. The supervisory committee also may meet with examiners as necessary to review reports and discuss findings.

Directors must be aware of all risks and control issues for the credit union’s operations, including risks in new products, emerging technologies, information systems, and electronic banking. Control issues and risks associated with increasing reliance on technology include:

□ Increased user access to information systems
□ Reduced segregation of duties
□ A shift from paper to electronic audit trails
□ A lack of standards and controls for end-user systems
□ Increased complexity of contingency plans and information system recovery plans

Audit management is responsible for implementing board-approved audit directives. They oversee audit operations and provide leadership and direction in communicating and monitoring audit policies, practices, programs, and processes.
Audit management should establish clear lines of authority and reporting responsibility for all levels of audit personnel and activities. They also should ensure that members of the audit staff possess the necessary experience, education, training, and skills to properly conduct assigned activities.

RISK ASSESSMENT AND RISK-BASED AUDITING

NCUA encourages risk assessment and risk-based auditing for all credit unions, as NCUA instituted risk-focused examinations in late 2002. Risk assessment is the means by which a credit union identifies and evaluates the quantity of the credit union’s risk and the quality of its controls. With risk-based auditing, the board and auditors use the results of the risk assessments to focus on the areas of greatest risk and to set priorities for audit work. An effective risk-based auditing program will cover all of a credit union’s activities. The frequency and depth of each area’s audit will vary according to the area’s risk assessment. (See Chapter 22 for detailed coverage of risk-based audits.)

INTERNAL AUDIT FUNCTION

The primary role of the internal auditor is to independently and objectively review and evaluate the credit union’s activities to maintain or improve the efficiency and effectiveness of the credit union’s risk management, internal controls, and corporate governance. Internal auditors must understand a credit union’s strategic direction, objectives, products, services, and processes. The auditors communicate findings to the board or its supervisory committee and senior management.

Objectives

The objectives of internal audit are to:

□ Evaluate the reliability, adequacy, and effectiveness of accounting, operating, and administrative controls.
□ Ensure the credit union’s internal controls result in prompt and accurate recording of transactions and proper safeguarding of assets.
□ Determine whether the credit union complies with laws and regulations and adheres to established credit union policies, and whether management is taking appropriate steps to address control deficiencies.

Internal auditors are increasingly responsible for providing constructive business advice on adding new products or services. They also help the credit union formulate new policies, procedures, and practices and revise existing ones.

How an internal audit function is organized depends on the credit union’s size, complexity, scope of activities, and risk profile, as well as the audit function’s board-assigned responsibilities. In larger credit unions the chief auditor is often a manager who fulfills his or her responsibilities with the help of an audit staff. An outside vendor also can perform the internal audit function. In many small credit unions, an officer or employee designated as a part-time auditor may also have operational responsibilities. To maintain independence, the employee reviewing a particular function should be independent of that function and should report findings directly to the board or its supervisory committee.

Internal Audit Program

A credit union’s internal audit program consists of the policies and procedures that govern its internal audit functions, including risk-based auditing programs and outsourced internal audit work, if applicable. All audit programs include the following:

□ Mission statement or audit charter. This outlines the purpose, objectives, organization, authorities, and responsibilities of the internal auditor, audit department, audit staff, and the supervisory committee.

□ Risk assessments that document the credit union’s significant business activities and their associated risks. Results of these risk assessments guide the development of an audit plan and audit cycle and the scope and objectives of individual audit programs. (See Chapter 22.)
23-9 4/05 Internal Auditing Manual for Credit Unions

□ An audit plan that details an internal auditor’s budgeting and planning processes. The plan should describe audit goals, schedules, staffing, and reporting. Audit plans usually include overall and individual audit objectives, summary risk assessments for each audit area or business activity, the timing and frequency of planned internal audit work, and a resource budget (budgeted staff hours). The supervisory committee should formally approve the audit plan at least annually. The internal auditor should present any updated audit plan to the supervisory committee regularly (in accordance with established policy). Updated audit plans should compare actual with planned audits and audit hours and explain significant variances from the approved plan.

□ An audit cycle that identifies the frequency of audits. The frequency of audits is usually determined by risk assessments of business activities or areas to be audited and the staff and time available. It is often not practical to audit each area or business activity annually. Areas of high risk, such as information systems, funding, lending, or investment operations, normally warrant more frequent audits than low-risk areas, such as credit union premises.

□ Audit work programs that set out, for each audit area, the scope and timing of audit procedures, the extent of testing (including criteria for selecting items to be tested), and the basis for conclusions. Work programs should be detailed, cover all areas of the credit union’s operation, and guide the auditor in gathering information, documenting procedures performed, arriving at conclusions, and issuing the audit reports. By completing the audit work programs, an internal auditor should be able to reach conclusions that satisfy internal audit objectives. Work programs normally include procedures for:

• Surprise audits as appropriate.
• Control over records selected for an audit.
• Review and evaluation of policies, procedures, and control systems.
• Risk assessments.
• Review of laws, regulations, and rulings.
• Sample selection methods and results.
• Verification of selected transactions or balances through:
  – Proof of subsidiary records/ledgers to related general ledger/control records.
  – Examination of supporting documentation.
  – Direct confirmation and appropriate follow-up for exceptions.
  – Physical inspection.

As part of audit work programs, auditors generally use sampling methods and techniques to select, verify, and test transactions, controls, and account balances for the period covered by the audit review. The audit work program should determine the objectives of testing, the procedures to meet the objectives, and how many items to review (i.e., all items in a group or a sample of items). When auditors choose to review a sample, they must decide whether to use statistical or nonstatistical sampling methods. Auditors often use nonstatistical sampling for small populations when internal controls are effective and it is not cost-effective to use statistical sampling. Auditors use statistical sampling methods when quantification is appropriate and they want to infer with a certain degree of reliability and precision that the sample’s characteristics are indicative of the entire population. In either case, the auditor determines a representative sample size based on relevant factors, selects a representative sample, applies audit procedures, evaluates results, and documents conclusions. There are no hard and fast rules regarding the appropriate size of a “representative sample.”

□ Audit reports that tell the board and management whether a department, division, or activity adheres to policies and procedures, whether operating processes and internal controls are effective, and what corrective action the credit union has taken or must take.
The auditor must communicate findings and recommendations to appropriate parties and distribute audit reports as soon as practical after completing the related work. Audit work papers should adequately document and support these reports. Internal audit reports should be structured to fit the needs of the credit union’s internal audit function and the areas being audited. The reports usually contain the following information:

• A concise summary of key results (conclusions).
• The auditor’s scope and objectives.
• Audit results (findings), including any summary rating.
• Recommendations, if any, including benefits to be derived.
• Management’s comments to correct material weaknesses.

□ Follow-up activities that allow internal auditors to determine the disposition of any agreed-upon actions and to focus future auditor activities on new areas. The auditors should perform follow-up activities promptly and report the results to the board or its supervisory committee, or both. Follow-up generally consists of first obtaining and reviewing management’s response and then confirming that corrective action has been timely and effective.

□ Professional development programs for the credit union’s audit staff. Such programs should offer opportunities for continuing education and professional development through orientation programs, in-house training, and external training (e.g., formal or self-study courses offered by industry associations or professional societies).

□ Quality assurance programs, generally seen in large or mid-sized credit unions, that evaluate audit operations. In such programs, internal or external parties periodically assess the performance of the internal auditor or audit department. The auditor or audit department’s performance is normally measured against credit union-established standards, the audit charter or mission statement, and any other criteria determined appropriate for the internal audit function.
Independence

Internal auditors must be independent of the activities they audit so that they can carry out their work freely and objectively. They must render impartial and unbiased judgments. The internal auditor or the manager (director) of internal audit should report directly and regularly to the board and supervisory committee. The board is responsible for delegating the authority necessary to effectively allow internal auditors to perform their job. Auditors must have the power to act on their own initiative in all departments, divisions, and functions in the credit union; to communicate directly with any credit union personnel; and to have access to all records, files, or data necessary for the proper conduct of the audit. Clear communication between the board, the internal auditors, and management is critical to timely identification and correction of weaknesses in internal controls and operating management.

In some credit unions, the head auditor reports to a senior manager, rather than the board, for day-to-day administrative issues. In such cases, the board must take extra measures to ensure that the relationship does not impair or unduly influence the auditor’s independence. Functionally, the auditor, on an as-needed basis, would report to the supervisory committee.

Competence

Internal audit staff should possess the necessary knowledge, skills, and disciplines to successfully implement the audit program in a proficient and professional manner. The evolving roles of internal auditors require that they expand their skills in analysis, technology, decision making, and communication. At a minimum, members of the audit staff should:

• Have appropriate education and/or experience.
• Have organizational and technical skills commensurate with the responsibilities assigned.
• Be skilled in oral and written communication.
• Understand accounting and auditing standards, principles, and techniques.
• Recognize and evaluate the materiality and significance of deviations from sound business practices.
• Recognize existing or potential problems and expand procedures as applicable.

It is important for each member of the internal audit staff, including the audit manager (director), to commit to a program of continuing education and development.

Outsourcing Internal Audit

Credit unions are increasingly contracting with independent public accounting firms or other outside professionals to perform work traditionally conducted by internal auditors. These arrangements are frequently referred to as “internal audit outsourcing.” In any outsourcing arrangement, the credit union should have a designated employee (generally an internal auditor or internal audit manager/director) who is independent and responsible for managing the relationship with the outside firm. Credit unions generally enter into outsourcing arrangements to gain operational or financial efficiencies by engaging a vendor to:

• Assist its internal audit staff when the credit union’s internal auditors lack the expertise required for an assignment. Such assignments are most often in specialized areas such as information technology, fiduciary relationships, and mortgage lending. The vendor normally performs only certain agreed-upon procedures in specific areas and reports findings directly to the credit union’s internal audit manager.
• Perform the internal audit. The credit union’s only internal audit staff may be an audit manager. The vendor usually assists the board and audit manager in determining the critical risks to be reviewed during the engagement, recommends and performs audit procedures approved by the internal auditor, and, jointly with the internal auditor, reports significant findings to the board or its supervisory committee.

Examiners assess outsourced internal audit programs using the same standards applied to internal audit programs.
Outsourcing arrangements create a variety of safety and soundness issues that will vary with the size, complexity, scope of activities, and risk profile of the credit union and the nature of the outsourcing arrangement. Accordingly, outsourced arrangements should meet the following guidelines:

□ The arrangement maintains or enhances the quality of a credit union’s internal audit function and internal controls. The directors remain responsible for ensuring that any outsourcing arrangement is competently managed and does not detract from the scope or quality of a credit union’s internal audit work, the overall internal control structure of the credit union, or audit and control evaluations. The credit union should subject the vendor to objective performance criteria, such as whether an audit is completed on time and whether overall performance meets the objectives of the audit plan. The supervisory committee or designated credit union staff responsible for oversight should sample outsourced audit work to determine the adequacy of the vendor’s work and compliance with contractual and coverage requirements.

□ Key credit union employees and the vendor clearly understand the lines of communication and how the credit union will address internal control or other problems noted by the vendor. The engagement of a vendor should not diminish communication between the internal audit function and a credit union’s directors and senior management. Results of outsourced work must be well documented and reported promptly to the board or its supervisory committee by the internal auditor, the vendor, or both, jointly.

□ The board and management perform sufficient due diligence to verify the vendor’s competence and objectivity before entering into the outsourcing arrangement. The internal audit manager and the board must be assured that a vendor can acceptably complete the work to be outsourced.
□ The credit union has adequate procedures for ensuring that the outside vendor maintains sufficient expertise to perform effectively throughout the life of the arrangement. The board should hold the outside provider to the same standards as it would its own internal audit management and staff. Credit union management should perform enough due diligence to be satisfied that the expertise and quality of the vendor’s staff are sufficient to effectively meet contractual obligations. The vendor should provide the credit union prior notice of any staffing changes affecting contracted work.

□ The arrangement does not compromise the role or independence of a vendor who also serves as the credit union’s external auditor. Examiners discourage credit unions from outsourcing internal audit to firms that perform their financial statement audits and other attestation services. When one firm performs both assignments, the credit union’s board, management, the auditor, and the NCUA must pay particular attention to independence issues.3

3. Some things that might compromise independence are: an IPA reporting to the board or supervisory committee on behalf of credit union management or the individual responsible for the credit union’s audit function, an IPA acting or appearing to act as if he or she were credit union management or a credit union employee, or an IPA providing the primary support for credit union management’s assertion on financial reporting controls.

All credit unions engaged in outsourcing internal audit activities must execute a written contract that governs the terms of the outsourcing arrangement and specifies the roles and responsibilities of both the credit union and the vendor. At a minimum, the contract should:
• Set the scope and frequency of the vendor’s work.
• Describe how and when the vendor provides results to the credit union’s audit manager, senior management, and the board.
• Describe how the terms of the engagement can be changed, including how audit services can be expanded when significant issues arise.
• Stipulate that the audit reports are the property of the credit union, that the credit union can get copies of the vendor’s work papers when it deems necessary, and that credit union employees have reasonable and timely access to vendor work papers.
• State where work papers will be stored.
• Give examiners immediate and full access to all outsourced audit reports and related work papers.
• Establish a dispute resolution process for determining who bears the cost of consequential damages arising from errors, omissions, and negligence.

EXTERNAL AUDIT FUNCTION

A well-planned external audit complements the credit union’s internal audit function, strengthens internal controls, and contributes to safe and sound operations.

Objectives

An effective external audit function provides the board and management with:

• Reasonable assurance about the effectiveness of internal controls over financial reporting, the accuracy and timeliness in recording transactions, and the accuracy and completeness of financial and regulatory reporting.
• An independent and objective view of the credit union’s activities, including processes relative to financial reporting.
• Information useful to directors and management in maintaining the credit union’s risk management process.

External auditors often provide services throughout the year, including in-depth reviews of operations of specific departments, such as member business loans or information technology. Such reviews often focus on operational procedures, personnel requirements, or other specific areas of interest.
Credit unions employ external auditors to help management in specialized fields such as taxes and management information systems. External auditors may, when requested, also help credit unions prepare or review call reports.

The credit union’s board should require external auditors to submit engagement letters before commencing audit work. The letters usually reflect preliminary discussions between the credit union’s board or senior management and the external auditor. Engagement letters stipulate, among other things, the audit’s purpose, its scope, the period to be covered, and the reports the external auditor will develop. Schedules or appendixes may accompany the letter to provide more detail. The letter may briefly describe procedures to be used in specific areas. In addition, if the scope of the audit is limited in any way, the letter may specify procedures that the auditors will omit. Additionally, the letter should specify if the auditor is expected to render an opinion on the credit union’s financial condition.

After an audit has taken place, external auditors often make suggestions for improving the credit union’s internal control structure. They normally do so in a letter addressed to credit union management and the supervisory committee that is separate from the audit report.4

NCUA encourages communication and cooperation between credit union management and external auditors. Communication and cooperation can benefit all parties by helping to improve the quality of internal controls and credit union supervision while promoting a better understanding of the regulator’s and the external auditor’s policies and practices. Examiners will meet with external auditors during an examination, especially if there are questions or issues regarding the external audit.
Topics of discussion should include examination and audit results or major findings; upcoming audit and examination activities; assessment of internal controls; reports, management letters, or documents; and other appropriate audit and supervisory topics.

Types of External Auditing Programs

When the board analyzes the credit union’s external auditing needs, it should decide which of the following types of external audits best fits its needs.

□ Financial statement audit by an IPA. External auditing is traditionally associated with independent audits of a credit union’s financial statements. An independent audit of financial statements is designed to ensure that financial reports are prepared in accordance with GAAP. Independent financial statement audits are performed in accordance with generally accepted auditing standards (GAAS). Their scope is sufficient to enable an IPA to express an opinion on the credit union’s financial statements.

□ Reporting by an IPA on a credit union’s internal control governing financial reporting. This type of audit examines and reports on management’s assertion concerning the effectiveness of the credit union’s internal controls relating to annual financial statement preparation or specified schedules of call reports. Under this engagement, credit union management documents its assessment of internal controls and prepares a written assertion specifying the criteria used and opining on control effectiveness. The IPA performs the attestation in accordance with generally accepted standards for attestation engagements (GASAE).

□ Balance sheet audit performed by an IPA. In this type of audit, an IPA examines and reports only on the credit union’s balance sheet. As with financial statement audits, the IPA audits in accordance with GAAS, but does not examine or report on whether the statements of income, changes in equity capital, or cash flows are fairly presented.

4. Statement of Auditing Standards (SAS) 60, “Communication of the Internal Control Structure Related Matters Noted in an Audit,” requires the auditor to communicate such matters to management.

Audit Opinions

An IPA’s standard report consists of three paragraphs. The first paragraph identifies the financial statements and differentiates management’s responsibilities from those of the auditor. The second paragraph, covering scope, describes the nature of the audit and explicitly acknowledges that an audit provides reasonable assurance about whether the financial statements are free of material misstatement. The third paragraph expresses the IPA’s opinion.

There are four types of opinions: unqualified, qualified, adverse, and a disclaimer of opinion.5

An IPA issues an unqualified opinion when financial statements present fairly, in all material respects, the financial position, results of operations (i.e., earnings), and cash flows of the entity in conformity with GAAP. Certain circumstances, while not affecting the IPA’s unqualified opinion on the financial statements, may require that the auditor add an explanatory paragraph to the report. These circumstances include, but are not limited to: (1) the auditor basing an opinion in part on the report of another auditor and (2) accounting principles changing materially between reporting periods.

IPAs use a qualified opinion when the financial statements present fairly the condition of the credit union except in the matters pertinent to the qualification. IPAs use such an opinion when a lack of information or restrictions placed upon the audit prevent them from expressing an unqualified opinion or the financial statements contain a material departure from GAAP.

IPAs use an adverse opinion when the matter taken exception to is so substantive that the financial statements do not present fairly the financial condition of the credit union.
The opinion also covers financial statements that do not conform to GAAP.

IPAs issue a disclaimer of opinion when credit union management or circumstances restrict in a material way the scope of the auditor’s examination.

Independence

IPAs are subject to the professional standards adopted by their national or state accounting societies or the state agency issuing their licenses. Traditionally, these standards have defined independence as the ability to act with integrity and objectivity. When an IPA expresses an opinion on financial statements, not only the fact, but also the appearance, of integrity and objectivity is of particular importance. For this reason, the profession has adopted rules to prohibit the expression of such an opinion when relationships exist that might pose such a threat to integrity and objectivity as to exceed the strength of countervailing forces and restraints. These relationships fall into two general categories: (1) certain financial relationships with clients, and (2) a relationship in which the IPA is virtually part of management or an employee under management’s control.

Regulatory agencies require that all public accounting firms that practice in the financial arena be independent. Such firms can neither have, nor commit to acquire, a direct financial interest or any material indirect financial interest in the credit union they are auditing, nor can they be connected as an organizer, underwriter, director, officer, or employee of such a credit union.

5. For specific standards governing how an IPA derives an audit opinion, credit unions should refer to SAS 58, “Reports on Audited Financial Statements.”

Competence

IPAs are required to perform their audits in accordance with GAAS. There are three categories of GAAS standards: general standards, standards of fieldwork, and standards of reporting.
□ General standards require that an auditor be proficient, having had adequate training in auditing and accounting. The auditor must also be independent in attitude in all matters relating to the assignment. Audits must be conducted using due professional care in the performance of the audit and the preparation of the report. CPAs must have basic education in accounting and auditing that is a prerequisite to taking the uniform CPA examination.

□ Fieldwork standards require the auditor to adequately plan the audit and to properly supervise any assistants. The auditor must have sufficient understanding of the credit union’s internal control structure to plan the audit and to determine the nature, timing, and extent of testing to be performed. The scope of the audit must be sufficient to allow the auditor to obtain enough information through inspection, observation, inquiries, and confirmations to draw a reasonable opinion regarding the financial statements under audit.

□ Reporting standards require the auditor to state whether the financial statements are presented according to GAAP and to identify circumstances in which GAAP has not consistently been followed. The auditor must ensure that the financial statements or the audit report provide adequate disclosures of material items. The report must express an opinion regarding the financial statements taken as a whole or state that an opinion cannot be expressed. If an overall opinion cannot be expressed, the auditor must state the reasons. The report must give a clear indication of the auditor’s work and the degree of responsibility the auditor is taking when his or her name is associated with the financial statements.

OTHER AUDITS

Information Technology Audits

There are no specific statutory requirements for information technology (IT) audits, but Part 748 of NCUA’s Rules and Regulations strongly recommends an annual review of the security of member information.
Guidance such as Information Systems and Technology (IST) and FFIEC’s IS Examination Handbook is available at NCUA’s Web site. However, credit unions and their service providers are expected to conduct independent assessments of risk exposures and internal controls associated with the acquisition, implementation, and use of information technology. The credit union’s own internal or external auditor, a servicer’s internal auditor, or a third party can perform these assessments. IT audits have two primary goals:

• Verifying the adequacy of technology risk controls.
• Validating the accuracy of automated information.

IT audits should address the risk exposures in information technology throughout the credit union and at its service provider(s). The audits should cover such areas as user and data center support and delivery, local and wide area networks, telecommunications, information security, electronic data interchange, development and acquisition, and contingency planning as applicable.

The audit usually validates the accuracy of automated information during departmental audits. It involves such activities as transaction testing, reconciling input with output, and balancing subsidiary records to general ledger control totals. These validation procedures can be performed either “around the computer” using source documents and automated reports or “through the computer” by using independent audit software to independently test the production processing environment. IT audits must cover the processing of transactions by servicing organizations.6

Fiduciary Audits

The audit requirements for credit union fiduciary activities are set forth in regulations generally requiring credit unions with fiduciary powers to perform a suitable audit of all significant fiduciary activities during each calendar year.
The board minutes must note the audit results, including significant actions the credit union has taken as a result of the fiduciary audit. The regulations do not define a “suitable audit” or establish minimum audit standards for fiduciary audits. The scope and coverage of fiduciary audits is left to the discretion of the board. The board should base those audits on an appropriate assessment of fiduciary business risk and internal control systems.

Consumer Compliance Audits

The audit of consumer compliance, as part of a credit union’s compliance management system, enables the board and senior management to monitor the effectiveness of a credit union’s compliance program. (Also, see Chapter 13.) The formality and structure of a compliance audit depends on a credit union’s size, the nature of its activities, and its risk profile. In some credit unions, for example, compliance audits are done on a systemic basis or on a business-by-business basis as appropriate to the structure of the credit union. The function may be under the auspices of a credit union’s internal audit department, or it may be a direct responsibility of a credit union’s compliance officer.

The audit tests compliance with consumer protection laws and regulations as well as staff adherence to established policies and procedures. The audit should address all products and services offered by a credit union, all aspects of applicable operations, and all departments and branch locations. Examiners evaluate the compliance audit using the same criteria they use for any other type of audit. When assigning the consumer compliance rating, examiners and auditors must consider the adequacy of operating systems, including internal procedures, controls, and audit activities that the credit union uses to ensure compliance with applicable consumer laws, rules, and regulations.

6. AICPA SAS 70, “Reports on the Processing of Transactions by Servicing Organizations.”

Exhibit 23.1 Sample Internal Audit Review Procedures

These procedures are intended to help examiners determine the quality and reliability of the credit union’s policies, procedures, personnel, and controls with respect to the internal audits. The procedures are not meant to be performed strictly in the order presented, but should be fit to the credit union’s particular circumstances. As the internal auditor, you will review your work by standing in the “shoes” of an examiner.

Planning the Audit Review

Objective: Determine the scope and objectives of the examination of the internal audit function.

1. Obtain and review the following documents to identify any previous problems that require follow-up:
• Previous report of regulatory examination and key supervision information (e.g., strategy, analyses, other significant events).
• Examiner’s scope memorandum, if applicable.
• Examiner’s audit summary memos and working papers from the previous examination.
• Internal audit reports, including audit reports that the auditors may have participated in or relied on to any extent, such as SAS 70.7
• Audit policies and manuals, including those applicable to sampling plans, risk-based auditing, or outsourcing internal audit functions.
• Minutes of the supervisory committee, and the date of each member’s appointment to the committee.
• Audit plans and scopes, including any internal audit outsourcing engagement letters.
• The credit union’s annual reports.
• Any pertinent correspondence regarding internal audit.

2. Identify the following through discussions with management and review of the most recent internal audit reports:
• How management supervises audit activities.
• Any significant changes in business strategy or activities that could affect the audit function.
• Any material changes in the audit program, scope, schedule, or staffing related to internal audit activities.
• Any other internal factors that could affect the audit function.

7. Reports on the Processing of Transactions by Servicing Organizations.

3. Obtain a list of outstanding audit items and compare the list with audit reports to ascertain completeness. Determine whether all significant deficiencies noted in the audit reports have been corrected and, if not, ascertain why corrective action has not been initiated. Make those determinations by:
• Distributing a copy of the affected audit report or a list of significant audit deficiencies to the proper managers for comment.
• Requesting that the manager(s) prepare and return a memorandum stating whether the board or management has addressed the audit deficiencies and whether their actions were adequate.

4. Identify internal audit work programs from which to select a reasonable sample of internal audit work papers for validation purposes.
• Secure audit program(s) and audit report(s) for the specific area(s) to be tested.
• Ascertain that the applicable work papers are available for review.

Note. A sample of internal audit work papers will be reviewed during every regulatory examination cycle. The sample should be sufficient to provide a basis to validate the scope and quality of the internal audit program. The sample should represent a cross-section of credit union activities, functions, and internally assigned audit ratings, with a bias toward high-risk and rapid growth areas, technology audits, and products or activities new to the credit union.

Policy

Objective: Document the adequacy of written policies relative to the internal audit program.

1. If not previously provided, obtain:
• Audit charter or mission statement, or both.
• Internal audit manuals and policies.

2.
Review policies and manuals pertaining to the credit union’s internal audit function, including, as applicable, those related to risk-based audits. Consider whether written policies: • Are adequately reviewed and approved by the board or its supervisory committee annually. • Properly reflect authorities and responsibilities established by the audit charter or mission statement. • Establish proper scope and frequency for an audit review. Consider: Statutory requirements and regulatory guidelines. Purpose and objectives of audits. Control and risk assessments. 23-20 Internal/External Audit Self-Assessment Program 4/05 Exhibit 23.1 (cont.) Audit cycles. Reporting relationships and requirements. Note. Credit unions using traditional auditing typically will have audit cycles of 12 to 18 months. However, credit unions using risk-based auditing, which more closely parallels NCUA’s riskfocused examinations, or internal risk assessments generally have audit cycles of varying lengths based on the level of risk in an activity. Conclusion: The board has established (strong, satisfactory, weak) policies governing the internal audit function. Personnel Objective: Evaluate the competence of those who manage and perform internal audit functions. 1. Obtain the following: • Resumes of the internal auditor/manager, new internal audit staff, or those recently promoted to senior levels. • Job descriptions for various audit positions. • As deemed appropriate, performance evaluations of the audit manager and selected staff. 2. Assess the educational and professional experience of the internal auditor and staff by reviewing resumes and noting: • The level of education attained. • Significant work experience, especially in the credit union auditing arena, including specialized areas such as information technology and subsidiary activities. • Any certification as a certified internal auditor, certified information systems auditor, or certified public accountant. 
   • Membership in professional associations.

3. Review job descriptions and discuss with the audit manager:
   • Educational and experience requirements for various audit positions, including those in specialized areas.
   • Programs of continuing education and professional development, including auditing technology and specialized areas.
   • Supervision of auditors.

4. If deemed appropriate, review performance evaluations of the audit manager and audit staff. Determine how identified strengths and weaknesses in supervisory, technical, or interpersonal skills or abilities affect the quality of the internal audit function.

5. Assess audit personnel turnover and vacancies, focusing on the reasons for turnover/vacancies and their effect on the internal auditing function.

6. Evaluate the ability of the audit manager and staff to communicate and interact with other credit union personnel.

Conclusion: The board has established a (strong, satisfactory, weak) internal audit function with respect to the competence and independence of those who provide the internal audit function and those who supervise internal audit activities to ensure their adequacy.

Board Oversight

Objective: Evaluate board oversight and independence of the internal audit function.

1. Determine whether any operational duties assigned to the auditor are incompatible with the internal audit function.
2. Ascertain whether any auditor relationships, such as family or business ties with other credit union employees, are incompatible with the internal audit function.
3. Determine whether any restrictions are placed on the internal audit program, including scheduling or budgetary restraints imposed by management.
4. Ensure that the board or its supervisory committee reviews or approves the budget, and the salary and performance evaluation, of the internal audit manager.
Conclusion: The board oversight of the internal audit function is (strong, satisfactory, weak).

Processes

Objective: Document whether the internal risk analysis processes are adequate for the credit union’s size, the nature and extent of its financial activities, and its risk profile.

1. Determine whether the credit union has appropriate standards and processes for risk-based auditing and internal risk assessments. Such standards and processes should:
   • Identify business, product lines, services, or functions and the activities within those that should be audited.
   • Develop risk profiles that identify and define the risk and control factors to assess the risk management and control structures for each business, product line, service, or function.
   • Establish the process for grading or assessing risk factors for business units, departments, products, or functions, including time frames.
   • Describe how the process is used to set audit plans, resource allocations, and scope of audits and audit cycle frequency.
   • Implement audit plans through planning, execution, reporting, and follow-up.
   • Establish minimum documentation requirements to support scoring or assessment decisions and draw conclusions.
   • Define when overrides of risk-based scores or assessments are acceptable or necessary, including which level of authority approves overrides.
   • Provide for confirming the system regularly (i.e., annually or whenever significant changes occur within a department or function).

2. Select a sample of auditable units (i.e., business lines, product lines, services, or functions) and determine the reasonableness of the internal risk analysis decision, including application of any risk models used.

3. Verify whether audit cycle frequencies are reasonable and are being met.

Note. In a risk-based audit system, credit unions set audit cycles based on risk scores/assessments. Customarily, credit unions may set audit cycles at 12 months or less for high-risk areas, 24 months or less for moderate-risk areas, and more than 24 months for low-risk areas. Individual circumstances at each credit union will determine how it establishes audit cycle lengths.

4. If audit management has overridden risk-based audit schedules, discuss justifications with the audit manager.

5. If applicable, determine the quality and effectiveness of internal audit’s ongoing monitoring of the credit union’s business operations.

Objective: Ascertain the adequacy and the reliability of work performed by the internal auditors.

1. If not previously provided, obtain copies of or access to:
   • Internal audit reports.
   • Internal audit work papers.

2. Obtain or request access to audit work papers to complete the remaining objectives and steps.

Note. In most situations, reviewing the work papers that document the procedures and testing performed by the internal auditor should be sufficient to substantiate conclusions about the quality and reliability of the internal auditing function. Findings from the work paper reviews will help determine whether further verification or testing is warranted.

3. Review the credit union’s internal audit program for completeness and compliance with prior board or supervisory committee approval.

4. Analyze the internal auditor’s evaluation of departmental internal controls and compare it with the control evaluations done in the last regulatory examination.

5. Review internal audit reports to determine whether they are adequate and prepared in accordance with established audit policy. Consider the reports’:
   • Distribution
       To division heads/senior management responsible for taking action.
       To internal audit staff, as appropriate.
       To board and its supervisory committee.
   • Time frames
       Audit findings discussed with appropriate parties (i.e., division personnel or senior management) after completion of audit work.
       Responses obtained from appropriate parties after discussion of audit findings.
       Final report issued after discussion of audit findings and receipt of responses.
   • Content
       Conclusions, executive summary, or opening paragraph.
       Statements of the audit’s purpose, objectives, scope.
       Findings, comments, and recommendations.
       Management responses (if applicable).
       Opinion or grading summary.
   • Follow-up
       Written responses from audited parties to division or senior management and the internal auditor.
       Auditor’s review and discussion of corrective action efforts or results with appropriate parties.
       A re-audit, if performed.

6. Review the most recent audit plan (schedule) and determine whether adequate coverage and internal risk assessment is provided for all areas of credit union operations (e.g., cash, loans, conflict of interest, negotiable instruments, due from banks, employee accounts, overdrafts, and payments against uncollected funds).

7. If the credit union uses sampling in asset verification, transactional testing, or administrative audits, determine whether the audit work program addresses:
   • Objective of testing.
   • Procedures to meet objectives.
   • Populations subject to sampling.
   • Method of sampling (i.e., statistical or judgmental).
   • Selecting a representative sample sufficient to support conclusions.
   • Evaluation of results and documentation of conclusions.

8. Evaluate the scope of the internal auditor’s work as it relates to the credit union’s size, the nature and extent of financial activities, and the credit union’s risk profile.
   • Do the work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the reports? Consider:
       Verification of account balances (reconciliation, confirmation, and physical count).
       Review/test of income and expense accounts, accruals, and gains/losses, including computations.
       Transaction testing and testing the value or pricing of assets (i.e., investments or collateral).
       Physical inspection of legal and supporting documentation, including validation of authorities granted (i.e., making/approving loans, signing official checks, etc.).
       Review of information system data controls.
       Review and evaluation of policies, procedures, and internal controls.
       Checks of compliance with laws and regulations.
       Checks of adherence to credit union policy.
   • Is the scope of the internal audit procedures adequate and properly documented? Consider:
       Audit planning memoranda.
       Checklists.
       Internal control questionnaires.
       Control and risk assessments.
       Previous audit reports, responses, and follow-up.
       Procedures performed (general and specific).
       Testing conducted.

Conclusion: The adequacy and reliability of the internal auditor’s work shows that management and the board have established (strong, satisfactory, weak) internal audit processes.

Controls

Objective: Establish whether the board and management have instituted controls that are appropriate for the type and level of risk arising from the internal audit function.

1. Determine whether the board has established an audit program that employs:
   • An audit charter or mission statement that sets forth the audit department’s purpose, objectives, organization, authority, and responsibilities.
   • An audit plan that addresses goals, schedules, staffing budget, reporting and, if applicable, financial budgets.
   • A policies and procedures manual for audit work programs and, if applicable, risk-based auditing/risk assessments and outsourcing of internal audit work.
   • A program for training audit staff, including orientation and in-house and external training opportunities.
   • A quality assurance program, performed by internal or external parties, to evaluate the operations of the internal audit department.

2. Review board or supervisory committee minutes, or summaries thereof, and determine whether:
   • The audit program and schedule have been formally approved by the board or its supervisory committee.
   • Audit reports are monitored to determine whether approved programs and schedules are followed.
   • The audit program and schedule are periodically reviewed and updated by the internal audit department.
   • Progress has been made toward completing the audit program or schedule and the board and supervisory committee have approved significant audit program/schedule changes.
   • Reasonable consideration is given to staffing, compensation, and training requirements.
   • Management does not unduly participate in or dominate the board’s supervision of the internal audit function.

3. Review management’s records supporting any assertions concerning the effectiveness of internal controls over financial reporting and compliance with designated laws and regulations.

4. Validate whether management’s standards for measuring the adequacy and effectiveness of internal controls over financial reporting are appropriate. Consider:
   • Sources of established standards.
   • Risk analysis or assessments.
   • Control assessments.
   • Audit report findings.

5. Establish whether the internal auditor reports directly to the board or to an appropriate supervisory committee.

6. Document whether management takes appropriate and timely action on internal audit findings and recommendations and whether it reports the action to the board and supervisory committee.

7. Assess whether the activities of the internal audit function are consistent with the long-range goals of the credit union and are responsive to its internal control needs.
8. For credit unions that have a quality assurance program, evaluate the adequacy and effectiveness of the program by verifying whether:
   • Standards and criteria have been established for evaluating the performance of the internal audit function.
   • Quality assurance is conducted by:
       Continuous supervision by the internal audit manager,
       Periodic internal reviews by a team or individual from the internal audit staff, or
       External reviews by qualified persons independent of the credit union.
   • Any type of formal report, written or oral, is generated and to whom the report is generated (i.e., internal audit manager, senior management, board, or supervisory committee).
   • Quality assurance reviews are conducted regularly.

Conclusion: The board and management (have/have not) established effective control systems for internal audits.

Exhibit 23.2 Internal Audit Review

Performed by: ___________
Reviewed by: ___________
W/P Reference: ___________

Note. This is written as if an examiner is reading the review for the direction of the audit.

AUDIT OBJECTIVES

To determine whether internal audit functions exist consistent with the credit union’s size, complexity of operations, level of growth, and nature and severity of previous examination findings.

To evaluate the independence and competence of internal auditing staff.

To document the adequacy of the procedures performed by the internal auditors.

To ensure that the internal audit has identified areas of risk within the credit union and has structured the overall audit approach to cover these areas of risk.

To verify whether the audit reports and the work performed by internal auditors are reliable.

To establish if the internal auditor has an effective system for following up on problems, and if the credit union has taken corrective action for deficiencies noted by the internal auditor.

To authenticate the overall effectiveness of the internal audit department in strengthening internal controls and in monitoring adherence to controls, procedures, and regulatory requirements by management and employees.

AUDIT PROCEDURES

Date Completed

_____ 1. Determine the scope of the internal audit examination based on the answers to the internal audit questionnaire and on the results of any previous reviews of the auditor’s work. Review minutes of the supervisory committee and follow up on any areas of concern.

_____ 2. Document if the credit union has recently changed internal auditing personnel and, if so, discuss with management the reasons for such change. Pay particular attention to any disagreements between the auditor and the credit union regarding matters of accounting principles or practices, financial statement disclosures, internal controls, or auditing procedures. Determine the validity of reasons given for any such changes.

_____ 3. Interview the auditor and observe the operation of the audit department to determine its functional responsibilities. Determine whether the auditor maintains independence in appearance as well as in fact, and approaches the audit process in an ethical and professional manner. Be alert to any information indicating lack of independence of the internal auditor or the auditing staff, including whether any restrictions have been placed on the audit programs or whether management has imposed any scheduling or budgetary restraints.

_____ 4. Discuss with the audit manager or other personnel assigned internal audit duties whether they have been assigned any operational duties, or have any relationships, such as family ties with other employees, that are incompatible with the internal audit function.

_____ 5. Review the audit program for completeness and for compliance with proper board or supervisory committee approval procedures.
   _____ • Review the organizational chart and the credit union’s chart of accounts. Note whether the internal auditor has audited all existing service operations or subsidiaries. Ensure the internal auditor performed an assessment of risk for each audit area. Check for evidence that the auditor has investigated areas with the greatest risk of losses.
   _____ • During the initial review of the department, review audit manual(s) and associated internal control questionnaires to determine whether prescribed procedures are sufficient for accomplishing the objectives.

_____ 6. Note whether the internal audit program is modified in a timely manner to keep pace with changes in credit union activities, economic environment, technology, and regulation.

_____ 7. Review audit reports and recommendations for changes by internal auditors and determine whether management, the board, or the supervisory committee has adopted those changes or provided other satisfactory responses.

Extended Review

_____ 8. Determine that all significant deficiencies noted in the audit reports have been corrected or determine the reason that corrective action has not been initiated by (1) distributing to each responsible manager a copy of significant audit deficiencies for that area, and (2) requesting that the responsible manager prepare and return a memorandum on the status of corrective action.

_____ 9. Review a representative sample of audit reports and associated work papers to determine that they are adequate, prepared in accordance with the audit program, in compliance with prescribed procedures, and properly documented. Ensure that the auditor has tested the reliability of information produced in the credit union. Note to whom the reports are distributed.

_____ 10. For audit department personnel hired since the last examination (or for the entire audit department staff if not previously examined), review personnel files for information such as level of education attained, significant work experience, certification as an internal auditor or a public accountant, and membership in professional societies. In a large internal audit department, the initial review should include the department manager and a sample of audit supervisors and staff.

_____ 11. On a test basis or if concerns about the auditor’s work exist, check the accuracy of selected audit findings by duplicating the procedures of the auditor (e.g., review loan files that the auditor reviewed, following the same procedures, and note if the findings differ significantly).

_____ 12. Review the auditor’s evaluation of departmental internal controls and compare it with the evaluation done in the examination.

_____ 13. Determine the internal audit department’s role in automated system design. Review uses of the computer and means of access to the files for audit purposes.

_____ 14. Ensure that the objectives have been met. State your findings and conclusions, as well as appropriate recommendations for any necessary corrective measures.

Exhibit 23.3 Internal Audit Review Questionnaire

Note. Review reports and the appropriate programs and work papers of the auditors to answer the following credit function questions.

Yes No Remarks

1. Has the auditor devised an overall audit plan identifying areas of risk? ____ ____ ____________
2. Have programs and questionnaires been developed for each area? ____ ____ ____________
3. Is the independence of the internal auditor assured, based on review of documentation, such as the function’s charter or the organization chart of the credit union? ____ ____ ____________
4. Where the auditor used operating personnel, does documentation show that:
   • Their work was closely supervised? ____ ____ ____________
   • They were used to audit neither records of the department to which they are assigned nor the work for which they are responsible? ____ ____ ____________
5. Does the internal auditor meet with the directors at least annually to discuss written reports of audit? ____ ____ ____________
6. Were sufficient tests of physical and accounting controls performed in the following areas (at a minimum): ____ ____ ____________

   Cash
   • Is cash on hand counted and balanced? How often? ___________________
   • Are cash counts made on a surprise basis? ____ ____ ____________
   • Are bank account reconciliations tested for accuracy? ____ ____ ____________
   • Are cash receipt procedures tested? ____ ____ ____________
   • Are cash disbursement procedures tested? ____ ____ ____________

   Consigned Items and Other Non-ledger Control Accounts
   • Are consigned items balanced and confirmed? How often? ___________________
   • Confirmed on a surprise basis? ____ ____ ____________
   • Is income from the sale of consignment items tested? ____ ____ ____________

   Investments
   • Were all investment securities either examined or confirmed? ____ ____ ____________
   • Does the internal auditor verify that all investment securities transactions are authorized? ____ ____ ____________
   • Has the auditor verified investment securities balances? ____ ____ ____________
   • Has the auditor checked the book and market values of investment securities? ____ ____ ____________
   • Were the accrued interest accounts reviewed, and were computations of interest income checked? ____ ____ ____________

   Loans
   • Does the auditor maintain up-to-date documentation showing lending policies and procedures? ____ ____ ____________
   • Was the extent of audit tests to determine compliance with policies and procedures adequate? ____ ____ ____________
   • Are delinquency lists tested? ____ ____ ____________ How often? ___________________
   • Are loan and escrow (impound) account balances verified? ____ ____ ____________
   • Are notes and other legal documentation examined for authorized approvals and compliance with policies? ____ ____ ____________
   • Do the work papers disclose:
       The number and percent of new loan files examined compared with the total originated during the period? ____ ____ ____________
       The number and percent of files applicable to previous audit periods examined compared with the total number outstanding as of the audit date? ____ ____ ____________
       The basis used for selection of loan accounts for inspection and the specific documents inspected? ____ ____ ____________
   • Were all material exceptions noted? ____ ____ ____________
   • Is the adequacy of insurance coverage determined and a review performed to ensure that the credit union is named as loss payee? ____ ____ ____________
   • Are the loan-in-process accounts verified? ____ ____ ____________
   • Were the sales of OREO mortgages reviewed to determine the propriety of the entries made to record loan sales? ____ ____ ____________

   Loans and Participations Sold or Purchased
   • Do the work papers indicate the extent of audit procedures performed and conclusions reached? ____ ____ ____________
   • Were confirmations made of:
       Significant balances of loans and participations sold or purchased? ____ ____ ____________
       Significant terms of purchase or sales agreements? ____ ____ ____________
   • Do the work papers disclose the methods used to determine the adequacy of auditing procedures on loans serviced by others? ____ ____ ____________
   • Do procedures include, when appropriate, obtaining letters from the servicing company’s auditors confirming the extent of their audit procedures? ____ ____ ____________
   • For loans purchased, do procedures include verifying:
       The underwriting meets the credit union’s underwriting standards? ____ ____ ____________
       All pertinent documents are obtained, reviewed, and retained? ____ ____ ____________

   General Valuation Allowances (if the internal audit department is responsible)
   • Were loan balances verified for the loans charged off since the last audit? ____ ____ ____________
   • Was the supporting documentation for loans charged off examined? ____ ____ ____________
   • Were loan recovery amounts reconciled to credit entries in the appropriate general ledger accounts? ____ ____ ____________
   • In determining the adequacy of the general and specific valuation allowances:
       What method was used to determine the need for and adequacy of valuation allowances? ____ ____ ____________
       Is an adequate record available indicating which assets were reviewed for classification and when? ____ ____ ____________
       Were self-classifications of loans considered in determining the adequacy of the loss reserves? ____ ____ ____________

   Deposit Accounts
   • Does the auditor maintain up-to-date documentation showing share policies and practices? ____ ____ ____________
   • Was the extent of testing to determine compliance with policies and practices adequate? ____ ____ ____________
   • Are the following areas addressed for dual control and segregation of duties:
       Inactive accounts? ____ ____ ____________
       Opening accounts? ____ ____ ____________
       Closing accounts? ____ ____ ____________
       Loans on deposits? ____ ____ ____________
       Account transfers? ____ ____ ____________
       Dividend computation? ____ ____ ____________

   Confirmation of Loans and Deposit Accounts
   • What method was used to determine the extent of confirmation? ____ ____ ____________
   • Do work papers show the number and percent of loans and deposit accounts confirmed? ____ ____ ____________
   • What basis was used to select accounts to confirm? ________________________________
   • If statistical sampling was used, do the work papers disclose:
       The method used? ____ ____ ____________
       A selection system with a random start? ____ ____ ____________
       The confidence level achieved? ____ ____ ____________
   • Are all types of accounts considered for confirmation? ____ ____ ____________
   • Were all material exceptions reported? ____ ____ ____________

   Other
   • Are borrowed money transactions tested for approval and regulatory compliance? How often? ___________________
   • Was the scope of auditing procedures for other liabilities and deferred credit adequate? ____ ____ ____________
   • Is the scope for auditing OREO accounts adequate? ____ ____ ____________
   • Is the scope for auditing fixed assets adequate? ____ ____ ____________
   • Did the audit’s scope adequately address all income and expense accounts? ____ ____ ____________

Prepared by:
Title:
Date:

ADDITIONAL COMMENTS:

Exhibit 23.4 External Audit Review

Objective: To determine the adequacy of any policies pertaining to the external audit program.

1. Review any policies pertaining to the credit union’s external audit function and determine whether they:
   • Are adequately reviewed and approved by the board or its supervisory committee at least annually.
   • Establish proper scope and frequency for audit reviews. Consider:
       Statutory requirements and regulatory guidelines.
       Purpose and objectives of audit or reviews.
       Type of audit or review performed.
       Reports issued.
   • Establish adequate guidelines for human resources involved in the audit function. Consider:
       External auditor qualifications, education, and experience.
       Involvement of internal audit staff.

2. If a credit union does not have an external auditing program, discuss the circumstances with the board and management. Focus on:
   • Why the board decided not to have an external audit.
   • The benefits (if any) of an external auditing program.
   • Whether such benefits are being provided by an alternative means, such as internal expertise or other outside sources.

3. End the review at this point if the audit function is not utilizing external audits. If the credit union has an external audit function, continue this review.

Personnel

Objective: Evaluate the independence, objectivity, and competence of those who provide the external audit function.

1. Arrange a meeting with knowledgeable officials of the credit union to discuss the following:
   • The relationship of the external auditors to the credit union and to any director, officer, or employee to determine whether such relationships compromise the auditor’s independence.
   • Whether the external auditor also performs any of the credit union’s outsourced internal audit work. If so, determine that the auditor’s independence is not compromised and is maintained.
   • The professional experience and reputation of the auditors.

2. Document whether the credit union has recently changed external auditors and discuss with appropriate management the reasons for such change. Particular attention should be given to disagreements between the external auditor and management about the appropriate accounting principles applicable to specific transactions or matters.

3. Arrange to meet with noncertified public accountant external auditors, if applicable, to discuss relevant education and experience. Consider the following:
   • Level of education attained, including any training in specialized areas such as capital markets, information systems, fiduciary activities, and subsidiary activities.
   • Significant financial industry audit experience, including specialized areas.
   • Certification as a certified internal auditor, etc.
   • Their commitment to a program of continuing education and professional development.

4. If, in performing the preceding “Personnel” steps and the following “Processes” steps, there is sufficient reason to question the external auditor’s independence, objectivity, or competence, discuss the situation with senior management and/or the supervisory committee.
   • If it is determined that no reliance can be placed on the external auditor’s work, discuss that assessment with the board, management, and the affected party before finalizing the report of examination.

Conclusion: The board has established a (strong, satisfactory, weak) external audit function with respect to the competence and independence of those who provide the external audit function and those who supervise the audit activities.

Processes

Objective: To verify the adequacy and the reliability of work performed by the external auditors.

1. Establish whom the credit union engages for performing the credit union’s external audit.

2. Obtain copies of:
   • Engagement letters.
   • Annual reports.
   • Other external audit reports, including audit reports that the internal auditors may have participated in or relied on to any extent.
   • Letters to management.

3. Read the engagement letter covering activities of external auditors for statement certification, operational reviews, or appraisal of the internal audit function. Determine whether the letter addresses the following:
   • Purpose and scope of the audit.
   • Period to be covered by the audit.
   • Reports expected to be rendered.
   • Any limits on the scope of the audit.
• Access to work papers. 4. Determine the type of opinion (unqualified, qualified, adverse, or disclaimer) rendered by an independent public accountant (IPA) from an audit of the credit union’s financial statements. 5. Determine how reliable the report is in assessing overall audit effectiveness. Consider: • The scope of the audit. • Whether the auditor tested controls at the credit union. If deemed appropriate, request to review work papers supporting conclusions. 6. Review the external auditor’s evaluation of departmental internal controls and compare it with the control evaluations done by the examiners. 7. Verify whether internal accounting controls have any material weaknesses. • Read the report of material weaknesses. • Discuss any other communication between credit union management and representatives of the external firm. 8. Obtain and review the list of audit differences or adjusted journal entries made and any list of waived adjustments. Determine whether such differences or entries are normal recurring accruals or indicate inadequate accounting records. 9. Request, through management, to review appropriate external audit work papers if the previous steps disclose problems or issues with the external audit of if there is information that raises questions about the external audit program’s adequacy. The following situations should trigger a review of external audit work papers: • Credit union reliance on external audit in lieu of an internal audit program. • Unexpected or sudden change in the external auditor. • Significant changes in the external audit staff. • Significant safety and soundness concerns. • Issues about the independence, objectivity, or competence of the external auditor. 10. Document whether work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth. If individual audit work program work papers are minimal, request to see the auditor’s planning documents. 
23-39 4/05 Internal Auditing Manual for Credit Unions Exhibit 23.4 (cont.) 11. If, after performing the preceding steps, concerns remain about the adequacy of the external audit, internal controls, or financial control integrity, perform applicable verification procedures or complete appropriate internal control questionnaires. If deemed appropriate, the credit union should ask its external auditor to perform verification procedures for areas that contain weaknesses or deficiencies. 12. Arrange, through management, to meet with the external auditor. Consider the following possible topics for discussion: • Examination and audit results or significant audit findings. • Upcoming audit and examination activities. • Reports, management letters, or other documents issued by the auditors. • Assigned audit staff experience and familiarity with financial and credit union auditing, particularly in specialized areas. • Any other pertinent information. Conclusion: The adequacy and reliability of the external auditor’s work shows that management and the board have established (strong, satisfactory, weak) external audit processes. Controls Objective: To evaluate the adequacy of systems designed to monitor and assess control systems. Determine whether the board and management have instituted controls that are appropriate for the type and level of risks arising from the external audit function. 1. Review board or supervisory committee minutes, or summaries thereof, and determine whether the following is noted: • Formal approval of the external audit program and schedule, or reasons supporting any decisions to forgo an external audit program. • The monitoring of audit reports to determine whether approved programs and schedules are followed. • The results of any vote taken regarding external audit. • Confirmation that the audit committee reviewed external audit reports with management and the external auditors. • Discussion of the external auditor’s independence. 2. 
Trace distribution of the external audit reports to determine whether the external auditor reports were distributed to the board and/or the supervisory committee. 3. Determine whether external audit findings and recommendations are met with appropriate and timely responses. 23-40 Internal/External Audit Self-Assessment Program 4/05 Exhibit 23.4 (cont.) 4. Document whether the activities of the external audit function are consistent with the credit union’s long-term goals and are responsive to its internal control and financial reporting needs. 5. Verify whether the board or supervisory committee, at least annually, identifies the major risk areas in the credit union’s activities and assesses the extent of external audit needed for each area. Conclusion: The board and management (have/have not) established effective control systems for external audits. Outsourcing Audit Objective: If the internal audit function, or any portion of it, is outsourced to outside vendors, ascertain the effectiveness of and reliance to be placed on the outsourced internal auditing. 1. Obtain copies of: • Outsourcing contracts or engagement letters. • Outsourced internal audit reports. • Policies on outsourced audit, if any. 2. Review the outsourcing contracts/engagement letters and policies to determine whether they adequately: • Set the scope and frequency of work to be performed by the outside vendor. • Set the manner and frequency of reporting to the credit union’s audit manager, senior management, and supervisory committee or board about the status of work. • Establish protocol for changing terms of the service contract, especially for expansion of audit work if significant issues are found. 
• State that internal audit reports are the property of the credit union, and the vendor will provide copies of related work papers the credit union deems necessary, and that authorized employees of the credit union will have reasonable and timely access to work papers prepared by the outside vendor. • Identify the locations of outsourced internal audit reports and related work papers. • Grant regulators immediate and full access to outsourced internal audit reports and related work papers. • Prescribe an alternate dispute resolution process for determining who bears the cost of consequential damages arising from errors, omissions, and negligence. • State that outside vendors will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of an employee of the credit union. 3. Document whether the outsourcing arrangement maintains or improves the quality of the internal audit function and the credit union’s internal controls. 23-41 4/05 Internal Auditing Manual for Credit Unions Exhibit 23.4 (cont.) • Review the performance and contractual criteria for the vendors and any internal evaluations of the vendor. • Review outsourced internal audit reports and a sample of audit work papers. Determine whether they are adequate and prepared in accordance with the audit program and the outsourcing agreement. Determine whether work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the outsourced reports. Document whether the scope of the outsourced internal audit procedures is adequate. Consider: – Procedures performed. – Testing conducted. – Approval of the internal audit manager. 4. Evaluate whether key employees of the credit union and the vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the outside vendor are to be addressed. 
Consider whether: • Results of outsourced work are first reported to the credit union’s audit manager or other employee responsible for overseeing the credit union’s internal audit function. • The internal auditor or audit manager, individually or jointly with the vendor, reports findings to the board and its supervisory committee and senior management. 5. Ascertain whether the scope of outsourced audit work is revised appropriately when the credit union’s environment, activities, risk exposures, or systems change significantly. 6. Establish whether the directors have ensured that any outsourced internal audit function is effectively managed by the credit union. 7. Authenticate whether the directors have performed sufficient due diligence to satisfy themselves of the vendor’s competence before entering the outsourcing arrangement. 8. Verify whether the credit union has adequate procedures for ensuring that the vendor maintains sufficient expertise to perform effectively throughout the arrangement. 9. If the vendor is a CPA who does not also perform the external audit, determine whether any potential conflicts of interest have been properly addressed. 10. If the vendor also performs the credit union’s external audit, determine whether independence is compromised. 11. If, in performing the preceding steps, there is sufficient reason to question the independence, objectivity, or competence of the vendor, discuss the situation with senior management and/or the supervisory committee. 23-42 Internal/External Audit Self-Assessment Program 4/05 Exhibit 23.4 (cont.) 12. If it is determined that the credit union cannot rely on the vendor’s work, discuss that assessment with the board, management, and the affected party before having the report finalized. Conclusion: The board has established (strong, satisfactory, weak) policies governing the outsourcing of the audit function. 
Exhibit 23.5 Internal Audit Review Worksheet

Note: This worksheet is designed to help evaluate the quality of internal audit programs, work papers, and related reporting for individual departments, activities, products, or services. When completed, the worksheet should be shared with others as appropriate to facilitate an overall internal audit assessment.

Unit audited: ____________________________
Date of audit report: __________________________
Auditor in charge: ________________________
Audit frequency: ____________________________
Audit rating: ____________________________
Agree w/rating: Y____ N____
Management response: Y____ N____
Response adequate: Y____ N____
Risk rating: _____________________________

Scope
1. Was the scope of the audit adequate? Y____ N____ Why/why not:
2. Comment on quality of the planning document. Adequate: ____ Inadequate: ____ N/A: ____ Why:
3. Is the audit frequency appropriate relative to the level of risk in the unit? Y____ N____ Why/why not:
4. Is any portion of this audit outsourced? All: ____ Partial: ____ N/A: ____
a. If so, is the audit work of sufficient detail to draw appropriate conclusions? Y____ N____ Why not:

Risk Assessment
5. Were risk assessment matrices used to describe the risk? Y____ N____ Why not:
a. If yes, were they sufficient? Y____ N____ Why not:
6. Was risk assessment used to determine when to audit this area? ____ Yes ____ No Why not:
7. Was risk assessment used to determine the scope of the audit? ____ Yes ____ No Why not:
8. Is the risk assessment of this area adequate? ____ Yes ____ No Why not:

Audit Work/Findings
9. Were the audit program and procedures sufficient? ____ Yes ____ No Describe the deficiencies:
10. Were audit procedures performed to ensure compliance with applicable:
a. Policies? ____ Yes ____ No ____ Not Applicable
b. Procedures? ____ Yes ____ No ____ Not Applicable
c. Plans? ____ Yes ____ No ____ Not Applicable
d. Laws/regulations? ____ Yes ____ No ____ Not Applicable
11. Were internal controls for the area sufficiently detailed? ____ Yes ____ No
12. Did the audit contain tests of administrative or operational:
a. Controls? ____ Yes ____ No
b. Policies? ____ Yes ____ No
c. Procedures? ____ Yes ____ No
13. Did the audit note the cause of deficiencies or symptoms of problems? ____ Cause ____ Symptom ____ Both ____ Not Applicable
14. Was a review of pertinent MIS performed as part of the audit? ____ Yes ____ No ____ Not Applicable Why not:
15. What is the quality of the procedures documentation? ____ High ____ Acceptable ____ Unacceptable Support:
16. How well does the audit describe the risk represented in individual findings or groups of findings? ____ Well ____ Acceptable ____ Unacceptable ____ Not Applicable Support:
17. If the area/unit is internally rated satisfactory, how well does the audit mitigate the existence of significant findings? ____ Well ____ Acceptable ____ Unacceptable ____ Not Applicable Support:
18. Were all exceptions or weaknesses in the audit WPs noted in the final audit report? ____ Yes ____ No ____ Not Applicable Why not:
19. Were the internal auditors, including outsourced vendors, adequately trained and experienced to complete this program? ____ Yes ____ No How determined:
20. How well does the auditor-in-charge (AIC) support the final audit rating? ____ Well ____ Acceptable ____ Unacceptable ____ Not Applicable Support:
a. Are audit trails sufficient? ____ Yes ____ No Why not:
21. Do you agree with the final rating? ____ Yes ____ No ____ Not Applicable Why not:

Sampling
22. Did the auditor use statistical sampling? ____ Yes ____ No ____ Not Applicable
a. Was the population accurately defined? ____ Yes ____ No Why not:
b. Was the selection of the sampling method disclosed? ____ Yes ____ No Why not:
c. Were the sample selection techniques disclosed? ____ Yes ____ No Why not:
d. Were sample evaluation and reporting results criteria established? ____ Yes ____ No Why not:
23. Does the audit report articulate the appropriate conclusions, findings, and recommendations? ____ Yes ____ No Why not:
24. Does the audit report address the root cause of problems and provide recommendations or actions to correct problems? ____ Yes ____ No ____ Not Applicable

Audit Reports
25. What level of management was notified of the audit findings?
a. Is this the appropriate level or person? ____ Yes ____ No If not, who:
26. Does the AIC or supervisor make effective use of MIS and have periodic contact with area/unit management? ____ Yes ____ No Why not:

Audit Follow-up
27. Was there evidence that prior audit issues were properly followed up during the current audit? ____ Yes ____ No ____ Not Applicable
28. Was management’s response to audit findings timely? ____ Yes ____ No
29. Was management’s response to audit findings acceptable? ____ Yes ____ No
30. Are corrective action time frames included in management’s response? ____ Yes ____ No ____ Not Applicable
31. How effective and timely are management’s plans for addressing deficiencies? ____ Adequate ____ Inadequate ____ Not Applicable Why inadequate:
32. Are audit exceptions in this area sufficiently detailed on an exception tracking report? ____ Yes ____ No ____ Not Applicable Why not:
33. Is there sufficient follow-up activity for high-risk areas/units or areas/units adversely rated? ____ Yes ____ No ____ Not Applicable Why not:

Quality Assurance
34. Was the audit subject to a Quality Control Review? ____ Yes ____ No ____ Not Applicable Why not:

Meetings with Auditors
35. Summarize any discussions with internal auditors or outsourced internal auditor vendors (the summary should include, but not be limited to, participants, date, subject, conclusions or recommendations, and the participants’ receptiveness and responses).

Overall Conclusion
36. Should the NCUA adjust its strategy for this credit union/business unit based upon your review of the audit reports, memos, and WPs? ____ Yes ____ No Why or why not, and what adjustments should be made?
37. Provide any other information deemed appropriate.

Exhibit 23.6 Proposed NCUA Statement on the Internal Audit Function and Its Outsourcing
FEBRUARY 22, 1998

INTRODUCTION
Effective internal control¹ is a foundation for the safe and sound operation of a credit union. The board of directors and senior managers of a credit union are responsible for ensuring that the system of internal control operates effectively. Their responsibility cannot be delegated to others within the credit union or to outside parties. An important element of an effective internal control system is an internal audit function. When properly structured and conducted, internal audit provides directors and senior management with vital information about weaknesses in the system of internal control so that management can take prompt remedial action. The NCUA’s long-standing examination policies call for examiners to review a credit union’s internal audit function and recommend improvements if needed.

In addressing various quality and resource issues, many credit unions have been engaging independent public accounting firms and other outside professionals to perform work that has traditionally been done by internal auditors. These arrangements are called outsourcing. Such outsourcing may be beneficial to a credit union if it is properly structured, carefully conducted, and prudently managed.
However, NCUA has concerns that the structure, scope and management of some internal audit outsourcing arrangements may not contribute to the credit union’s safety and soundness. Furthermore, NCUA wants to ensure that these arrangements for outsourcing do not leave directors with the impression that they have been relieved of their responsibilities for maintaining an effective system of internal control and for overseeing the internal audit function.²

This policy statement sets forth some characteristics of sound practices for the internal audit function and the use of outsourcing for audit activities. In addition, it provides guidance on how these outsourcing arrangements may affect an examiner’s assessment of internal control. It also discusses the effect these arrangements may have on the independence of an external auditor who also is providing internal audit services to a credit union. Finally, this policy statement provides guidance to examiners concerning their reviews of internal audit functions and related matters. This policy statement applies to federal credit unions and state credit unions that are federally insured.

1. In summary, internal control is a process, brought about by a credit union’s board of directors, management and other personnel, designed to provide reasonable, but not absolute, assurance that the credit union will achieve the following internal control objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and regulations. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components is essential to achieving the internal control objectives.
2. The final amendments to Parts 701.12 and 701.13 Governing Supervisory Committee Audits and Verifications do not require credit unions to have an internal audit function to assist the supervisory committee in its duties.

THE INTERNAL AUDIT FUNCTION

Director and Senior Management Responsibilities
The board of directors and senior management are responsible for having an effective system of internal control³ and for ensuring that the importance of internal control is understood and respected throughout the credit union. This overall responsibility cannot be delegated to anyone else. They may, however, delegate the design, implementation and monitoring of specific internal controls to lower-level management and the testing and assessment of internal controls to others.⁴ In discharging their responsibilities, directors and senior management should have reasonable, but not absolute, assurance that the system of internal control prevents or detects inaccurate, incomplete or unauthorized transactions; deficiencies in the safeguarding of assets; unreliable financial and regulatory reporting; and deviations from laws, regulations, and the credit union’s policies.

Some credit unions have chosen to rely on so-called “management self-assessments” or “control self-assessments”⁵ wherein operational line managers and their staff evaluate the performance of internal controls within their purview. Such reviews help to underscore management’s responsibility for internal control, but they are not impartial. Directors and senior managers who rely too much on these reviews may not learn of control weaknesses until they have become problems, particularly if directors are not intimately familiar with the credit union’s operations. Therefore, credit unions generally should also have their internal controls tested and assessed by units without operational-line responsibilities, such as internal audit groups.
Directors should be confident that the internal audit function meets the demands posed by the credit union’s current and planned activities. Directors and the supervisory committee should ensure that the following matters are reflected in their internal audit function.

Structure. Careful thought should be given to placement of the audit function in the credit union’s management structure.⁶ The function should be positioned so that directors have confidence that the internal audit function will perform its duties with impartiality and not be influenced by managers of day-to-day operations. Accordingly, the internal audit manager should report directly to the supervisory committee, which should oversee the internal audit function. The supervisory committee should develop objective performance criteria to evaluate the work of the internal audit function, which are then approved by the board of directors.⁷

3. The supervisory committee carries the regulatory requirements for audits and verifications. By extension, it has responsibility for the internal audit or outsourcing function.
4. Ibid.
5. A word of caution: these types of reports may be considered a “self-test,” and therefore the credit union’s right of privilege in keeping the report confidential may be waived.
6. The internal audit function should not be considered line management in the usual sense. The audit manager should not have any operational or direct line management duties (i.e., no authority to sign checks).
7. For example, the performance criteria could include the timeliness of each completed audit, comparison of overall performance to plan, etc.

Management, staffing and audit quality. The directors should assign responsibility for the internal audit function to a qualified individual (internal audit manager)⁸ who understands the function and has no operational responsibilities. The internal audit manager should be responsible for control risk assessments, audit schedule, programs and reports. A control risk assessment documents the internal auditor’s understanding of the credit union and its associated risks. These assessments typically analyze the risks inherent in the operation of a credit union and any potential risk due to control deficiencies. They should be updated as needed to reflect changes to the system of internal control or work processes, and incorporate new directions taken by the credit union. The audit plan is based on the control risk assessment and includes a summary of key internal controls within each operational activity, the timing and frequency of planned internal audit work, and the resource budget. An audit program describes the objectives of the audit work and lists the procedures that will be performed during each internal audit review. An audit report generally presents the objective, scope and results of an audit, which include findings, conclusions and recommendations. Work papers should be maintained that adequately document the work performed and support the audit report.

The internal audit manager should oversee the staff assigned to perform the internal audit work and should establish policies and procedures to guide the audit staff.⁹ The internal audit function should be competently supervised and staffed by personnel with sufficient expertise and resources to identify risks inherent in the credit union’s operations and assess whether internal controls are effective. Credit unions should consider conducting their internal audit activities in accordance with professional standards, such as the Institute of Internal Auditors’ (IIA) Standards for the Professional Practice of Internal Auditing. These standards address the independence, professional proficiency, scope of work, performance of audit work and management in internal audit.

Scope. The frequency and extent of internal audit review and testing should be consistent with the nature, complexity and risk of the credit union’s on- and off-balance sheet activities. At least annually, the supervisory committee should review and approve the internal audit manager’s control risk assessment and the scope of the audit schedule, including how much the manager relies on outsourcing. It should also periodically review internal audit’s adherence to the audit schedule. The supervisory committee should consider requests for expansion of basic internal audit work when significant issues arise or when significant changes occur in the credit union’s environment, structure, activities, risk exposure or systems.¹⁰

8. See footnote 6.
9. The form and content of policies and procedures should be consistent with the size and complexity of the department and the credit union, and should be reduced to writing, approved by the supervisory committee and CEO, and ratified by the board of directors. (Refer to NAFCU’s Internal Audit Guide for Credit Unions.)

Communication. To properly discharge their responsibility for internal control, directors should foster forthright communications and critical examination of issues so that they will have knowledge of the internal auditor’s findings and operating management’s solutions to identified internal control weaknesses. Internal auditors should report internal control deficiencies to the supervisory committee and management as soon as they are identified. Significant matters should be promptly reported directly to the supervisory committee and senior management. In periodic meetings with management and the internal audit manager, the supervisory committee should assess whether management is resolving internal control weaknesses or other exceptions expeditiously.
Moreover, the supervisory committee should give the internal audit manager the opportunity to discuss any findings without management being present.

Small Credit Unions
An effective system of internal control, including an independent internal audit function, is a foundation for safe and sound operations, regardless of a credit union’s size. As mentioned previously in the policy statement, each credit union should have an internal audit function that is appropriate to its size and the nature and scope of its activities. The procedures assigned to this function should include adequate testing and review of internal controls and information systems. It is the board’s responsibility to carefully consider the level of auditing that will effectively monitor the internal control system after taking into account the audit function’s costs and benefits. For many credit unions that have reached a certain size or complexity of operations, the benefits derived from a full-time internal audit manager or auditing staff more than outweigh the costs.¹¹ However, for smaller credit unions with few employees and less complex operations, these costs may outweigh the benefits. Nevertheless, a small credit union without an internal auditor can ensure that it maintains an objective internal audit function by implementing a system of independent reviews of key internal controls.¹² The employee conducting the review of a particular function should be independent of the function and able to report findings directly to the supervisory committee.

10. Major changes in a credit union’s environment and conditions may compel changes to the internal control system and also warrant additional internal audit work. These include: (a) new management; (b) areas or activities experiencing rapid growth; (c) new lines of products or technologies; and (d) corporate restructuring, mergers, and acquisitions.
11. The final amendments to Parts 701.12 and 701.13 Governing Supervisory Committee Audits and Verifications do not require credit unions to have an internal audit function to assist the supervisory committee in its duties.
12. The supervisory committee is able to have a compensated auditor (any accounting/auditing professional, excluding credit union employees, who is performing more than one compensated supervisory committee audit of members’ accounts, or opinion audit) as prescribed under Part 701.12 (a).

INTERNAL AUDIT OUTSOURCING ARRANGEMENTS¹³

Examples of Arrangements
Outsourcing is a contract between the credit union and a vendor who is to provide internal audit services. Outsourcing takes many forms and can be used by credit unions of all sizes. The services under contract can be limited to helping internal audit staff in an assignment for which they lack expertise. Such an arrangement is typically under the control of the credit union’s internal audit manager, and the vendor reports to this manager. Credit unions use outsourcing for audits of areas requiring technical expertise, such as information systems and capital activities. Such use is often listed in the credit union’s balance sheet as “Professional Services” and referred to as internal audit assistance.

Some outsourcing arrangements may require a vendor to perform virtually all internal audit work. Under such an arrangement, the credit union may maintain an internal audit manager with no internal audit staff. The vendor assists the internal audit manager in determining risks to be reviewed, recommends and performs audit procedures as approved by the internal audit manager, and reports jointly to the supervisory committee.
Additional Considerations for Internal Audit Outsourcing Arrangements

Even when outsourcing vendors provide internal audit services, the board of directors and senior managers of the credit union are responsible for ensuring that the system of internal control (including the internal audit function) operates effectively. When negotiating the outsourcing arrangement, the credit union should carefully consider its current and anticipated operating risks in setting each party’s internal audit responsibilities. The outsourcing arrangement should not increase the risk that a breakdown of internal control can occur.

To clearly distinguish its duties from those of the vendor, the credit union should have a written contract, often referred to as an engagement letter. The contract should have the following minimum requirements:[14]

- Specify the terms, conditions, and objectives of the engagement.
- Identify the basis of accounting to be used (e.g., GAAP).
- Include an appendix setting forth the procedures to be performed (if not an opinion audit).
- Specify the rate of, or total, compensation for the engagement.
- Deliver to the supervisory committee: a written report of the supervisory committee audit, and notice in writing ... of any internal control conditions ... .
- Specify a target date for delivery of the written reports.
- Certify that NCUA staff or its designated representative will be provided unconditional access to the complete set of original work papers ... .

13. The guidance in the preceding section of this policy statement (“The Internal Audit Function”) also applies to internal audit outsourcing arrangements.

14. Refer to Part 701.12 (d) Engagement Letter.

23-53 4/05 Internal Auditing Manual for Credit Unions Exhibit 23.6 (cont.)

Management. Directors and the supervisory committee should ensure that the outsourced internal audit function is competently managed.

Communication. Communication between the internal audit function and directors and the supervisory committee should not diminish because the credit union engages an outsourcing vendor. All work by the vendor should be well documented, and all findings of control weaknesses should be promptly reported to the credit union’s internal audit manager. Decisions not to report the outsourcing findings to directors and senior management should be the mutual decision of the supervisory committee and the vendor. In deciding what issues should be brought to the board’s attention, the concept of “materiality,” as the term is used in financial audits, is generally not a good indicator of which control weaknesses to report. For example, when evaluating a credit union’s compliance with laws and regulations, any exception is important.

Vendor Competence. Before entering an outsourcing arrangement, the credit union should perform enough due diligence to satisfy itself that the vendor has sufficient staff qualified to perform the contracted work. Because the outsourcing arrangement is a personal services contract, the credit union’s supervisory committee should have confidence in the competence of the staff assigned by the vendor and receive prior notice of staffing changes. Throughout the outsourcing arrangement, the supervisory committee should ensure that the vendor maintains sufficient expertise to perform its contractual obligations effectively.

Contingency Planning. When a credit union enters into an outsourcing arrangement (or significantly changes the mix of internal and external resources used by internal audit), it increases operating risk. Because the arrangement might be suddenly terminated, the credit union should have a contingency plan to mitigate any significant discontinuity in audit coverage, particularly in the high-risk areas. Planning for a successor to the prospective vendor should be part of negotiating the latter’s service contract.

Conflict of Interest. Whenever a credit union uses an outside source to conduct the supervisory committee audit, or to conduct an opinion audit, and is also using the same vendor for the audit of internal controls, a conflict of interest can exist. Under these conditions the credit union has one person or firm auditing itself. The outsource vendor for internal control functions should be a different entity from the compensated professional or CPA, as defined in Part 701.12 (a).

Independence of the External Auditor

This section of the policy statement applies to an outsourcing vendor who is a certified public accountant and who performs a financial statement audit or some other service for the credit union that requires independence under AICPA rules, or a compensated auditor as defined in Part 701.12 (a).[15]

Many credit unions engage certified public accountants to audit their financial statements and furnish other attestation services requiring independence. A CPA firm that provides other services for its client (such as consulting, benefits administration, or acting as an outsourcing vendor) risks compromising the independence necessary to perform attestation services. The professional ethics committee of the AICPA has issued rulings and interpretations specifically addressing whether a CPA that furnishes both audit outsourcing and external audit or other attestation services to a client can still be considered independent. Federal agencies are concerned that outsourcing arrangements may involve activities that compromise, in fact or appearance (conflict of interest), the independence of an external auditor. The AICPA has issued guidance to CPAs on independence that addresses these issues.
Under Interpretation 101-13, the CPA’s performance of services required by the outsourcing arrangements “would not be considered to impair independence with respect to a [credit union] for which the [CPA] also performs a service requiring independence, provided the [CPA or CPA’s firm] does not act or appear to act in a capacity equivalent to a member of the [credit union’s] management or as an employee.” The interpretation lists activities that would be considered to compromise a CPA’s independence.[16]

15. Although outsourcing arrangements involving CPAs who are not performing external audit or attestation services for a client are not subject to this independence guidance, they are subject to the other sections of this policy statement.

16. Other examples of outsourcing activities that would compromise a CPA’s independence that are listed in Interpretation 101-13 include:
- Performing ongoing monitoring or control activities (i.e., reviewing loan originations as part of the client’s approval process or reviewing member credit information as part of the client’s sales authorization process) that affect the execution of transactions or ensure that transactions are properly executed and accounted for, and performing routine activities in connection with the client’s operations that are equivalent to those of an ongoing compliance or quality control function;
- Reporting to the board or supervisory committee on behalf of management or the individual responsible for the internal audit function;
- Preparing source documents on transactions;
- Having custody of assets;
- Approving or being responsible for the overall internal audit schedule, including the determination of the internal audit risk and scope, project priorities, and frequency of performance for audit procedures;
- Being connected with the client in any activity equivalent to a member of client management or as an employee; or
- Authorizing, executing or consummating transactions or otherwise exercising authority on behalf of a client.
Also, the AICPA’s Ruling 103 sets forth three criteria for evaluating the independence of a CPA who concurrently provides internal audit outsourcing services and the internal control attestation report. One criterion requires that management “does not rely on [the CPA’s] work as the primary assertion and accordingly has (a) evaluated the results of its ongoing monitoring procedures built into the normal recurring activities of the entity (including regular management and supervisory activities) and (b) evaluated the findings and results of the [CPA’s] work and separate evaluations of controls, if any.” Accordingly, a CPA’s independence would be impaired if the CPA provides the primary support for management’s assertion on the effectiveness of internal control over financial reporting.

NCUA’s Views on Independence. NCUA believes that other actions compromise independence in addition to those in Interpretation 101-13.[17] Such actions include:
- Contributing in a decision-making capacity or otherwise actively participating (e.g., advocating positions or actions rather than merely advising) in committees, task forces, and meetings that determine the credit union’s direction; and
- Contributing in a decision-making capacity to the design, implementation, ... and evaluation of new products, services, internal controls or software that are significant to the credit union’s activities.

EXAMINATION GUIDANCE

Review of the Internal Audit Function and Outsourcing Arrangements

Examiners should have full and timely access to a credit union’s internal audit resources, including personnel, work papers, risk assessments, work schedule, program, reports, and budgets. A delay may require examiners to widen the scope of their examination work and may subject the credit union to follow-up supervisory actions.
Examiners will assess the quality and scope of the internal audit work, regardless of whether it is performed by the credit union’s employees or by an outsourcing vendor. Specifically, examiners will consider whether:
- The supervisory committee promotes the internal audit manager’s impartiality and independence by having him/her report audit findings directly to it, with a copy to management (the supervisory committee submits any findings to the board);
- The internal audit function’s risk assessment, schedule and programs are appropriate for the credit union’s activities;
- The internal audit function is adequately managed to ensure that the audit schedule is met, programs are carried out, and results of audits are promptly communicated to the supervisory committee and management;
- The credit union has promptly responded to identified internal control weaknesses;
- The supervisory committee and management use reasonable standards when assessing the performance of internal audit;
- The internal audit schedule and program have been adjusted for significant changes in the credit union’s environment, structure, activities, risk exposures or systems;
- The activities of internal audit are consistent with the long-range goals of the credit union and are responsive to its internal control needs; and
- The audit function provides high-quality advice and counsel to the supervisory committee, board of directors and management on current developments in risk management, internal control and regulatory compliance.

17. NCUA believes that this guidance is consistent with the AICPA interpretation.

The examiner should assess the competence of the credit union’s internal audit staff and management by considering the education and professional background of the principal internal auditor (this assessment should be consistent with any CPA report as to competency).
Additional Aspects of the Examiner’s Review of Outsourcing Arrangements. Examiners should also determine whether:
- The arrangement maintains or improves the quality of the internal audit function and the credit union’s internal control;
- Key employees of the credit union and the outsourcing vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the vendor are to be addressed;
- The schedule of work is revised appropriately when the credit union’s environment, structure, activities, risk exposure or systems change significantly;
- The board has ensured that the outsourced internal audit function is effectively managed by the supervisory committee;
- The arrangement with the outsourcing vendor compromises its role as external auditor; and
- The credit union has performed sufficient due diligence to satisfy itself of the vendor’s competence before entering into the outsourcing arrangement and has adequate procedures for ensuring that the vendor maintains sufficient expertise to perform effectively throughout the arrangement.

If the examiner’s evaluation indicates that the outsourcing arrangement has diminished the quality of the credit union’s internal audit function, the examiner should consider adjusting the scope of the examination. The examiner also should bring that matter to the attention of the supervisory committee and the board and consider it in the credit union’s subsequent CAMEL rating.

Concerns about Auditor Independence

When an examiner’s initial review of an outsourcing arrangement raises doubts about the external auditor’s independence, the examiner should first ask the credit union and the external auditor to demonstrate that the arrangement has not compromised the auditor’s independence.
If the examiner’s concerns are not adequately addressed, the examiner should discuss the matter with appropriate agency staff. If the agency’s staff concurs that the independence of the external auditor appears to be compromised, the examiner will discuss their findings and the actions the agency may take with the supervisory committee, board, senior management and the external auditor. These actions may include referring the external auditor to the state board of accountancy and the AICPA for possible violations, and barring the external auditor from engagements with regulated credit unions. Moreover, the agency may conclude that the organization’s external auditing program is inadequate and that it does not comply with auditing and reporting requirements.

Exhibit 23.7 Interagency Policy Statement on the Internal Audit Function and Its Outsourcing

Note: On March 17, 2003, the Fed, the OCC, the OTS, and the FDIC jointly issued an Interagency Policy Statement on the Internal Audit Function and Its Outsourcing. This is a revision of their 1997 internal audit policy to update guidance (in light of the Sarbanes-Oxley Act) on the independence of an external auditor who also provides internal audit services to an institution. Other parts have also been revised. The NCUA did not endorse this statement. Credit unions are not public companies and, therefore, at this time are not subject to the Sarbanes-Oxley Act. Nevertheless, this statement may be useful to credit unions in establishing best practices.
Press Releases

Joint Release
Board of Governors of the Federal Reserve System
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency
Office of Thrift Supervision

AGENCIES ISSUE UPDATED POLICY STATEMENT ON INTERNAL AUDITING

For Immediate Release
FDIC-PR-24-2003
March 17, 2003

The federal banking and thrift regulatory agencies today revised their guidance on the independence of accountants who provide institutions with both external and internal audit services to reflect the provisions of the Sarbanes-Oxley Act of 2002. The updated Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, which replaces a policy issued in 1997, also reflects the agencies’ experience with the 1997 policy and incorporates recent developments in internal auditing. It was issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

The Sarbanes-Oxley Act and recently adopted Securities and Exchange Commission (SEC) rules prohibit an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit services to the company. The revised policy statement separately discusses the applicability of this prohibition to institutions that are public companies; insured depository institutions with $500 million or more in assets that are subject to the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act; and non-public institutions that are not subject to Section 36.

The existing guidelines for institutions subject to Section 36 provide for their external auditors to meet the SEC’s independence requirements. Auditors for these institutions, whether or not they are public companies, should comply with the prohibition on internal audit outsourcing in the SEC’s rules.
The policy statement encourages non-public institutions not subject to Section 36, which include nonpublic depository institutions with less than $500 million in assets, to refrain from outsourcing internal audit activities to their external auditor. If such an institution decides to use the same firm for both internal and external audit work, however, the audit committee should document its consideration of the independence issues associated with this arrangement.

In addition to changes related to the Sarbanes-Oxley Act, the agencies enhanced the 1997 policy statement’s discussion of the responsibilities of the board of directors and senior management with respect to the internal audit function and its placement within an organization, its management and staffing, and the communication of concerns and weaknesses in accounting and internal control. The policy also reiterates the need for institutions to maintain strong systems of internal control, including internal controls over financial and regulatory reporting, and high quality internal audit programs. Expanded guidance has been provided on the use of independent reviews of significant internal controls by small institutions that do not have a formal internal audit manager or staff. The policy statement also includes guidance for examiners on addressing concerns they may have about the adequacy of the internal audit function or related outsourcing arrangements.

Attachment
Board of Governors of the Federal Reserve System
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency
Office of Thrift Supervision

Interagency Policy Statement on the Internal Audit Function and Its Outsourcing

March 17, 2003

INTRODUCTION

Effective internal control[1] is a foundation for the safe and sound operation of a financial institution (institution).[2] The board of directors and senior management of an institution are responsible for ensuring that the system of internal control operates effectively. Their responsibility cannot be delegated to others within the institution or to outside parties. An important element in assessing the effectiveness of the internal control system is an internal audit function. When properly structured and conducted, internal audit provides directors and senior management with vital information about weaknesses in the system of internal control so that management can take prompt, remedial action.

The federal banking agencies’[3] (agencies) long-standing examination policies call for examiners to review an institution’s internal audit function and recommend improvements, if needed. In addition, pursuant to Section 39 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p-1), the agencies have adopted Interagency Guidelines Establishing Standards for Safety and Soundness that apply to insured depository institutions.[4] Under these guidelines and policies, each institution should have an internal audit function that is appropriate to its size and the nature and scope of its activities.

1. In summary, internal control is a process designed to provide reasonable assurance that the institution will achieve the following internal control objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and regulations. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components, which is brought about by an institution’s board of directors, management, and other personnel, is essential to achieving the internal control objectives. This description of internal control is consistent with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) report Internal Control - Integrated Framework. In addition, under the COSO framework, financial reporting is defined in terms of published financial statements, which, for purposes of this policy statement, encompasses both financial statements prepared in accordance with generally accepted accounting principles and regulatory reports (such as the Reports of Condition and Income and the Thrift Financial Report). Institutions are encouraged to evaluate their internal control against the COSO framework if they are not already doing so.

2. The term “institution” includes depository institutions insured by the Federal Deposit Insurance Corporation (FDIC), U.S. financial holding companies and bank holding companies supervised by the Federal Reserve System, thrift holding companies supervised by the Office of Thrift Supervision (OTS), and the U.S. operations of foreign banking organizations.

3. Board of Governors of the Federal Reserve System, FDIC, Office of the Comptroller of the Currency, and OTS.

4. For national banks, Appendix A to Part 30; for state member banks, Appendix D-1 to Part 208; for insured state nonmember banks and insured state-licensed branches of foreign banks, Appendix A to Part 364; for savings associations, Appendix A to Part 570.
In addressing various quality and resource issues, many institutions have been engaging independent public accounting firms and other outside professionals (outsourcing vendors) in recent years to perform work that traditionally has been done by internal auditors. These arrangements are often called “internal audit outsourcing,” “internal audit assistance,” “audit co-sourcing,” and “extended audit services” (hereafter collectively referred to as outsourcing). Typical outsourcing arrangements are more fully illustrated in Part II below.

Outsourcing may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. However, the agencies have concerns that the structure, scope, and management of some internal audit outsourcing arrangements do not contribute to the institution’s safety and soundness. Furthermore, the agencies want to ensure that these arrangements with outsourcing vendors do not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.

This policy statement sets forth key characteristics of the internal audit function in Part I. Sound practices concerning the use of outsourcing vendors are discussed in Part II. Part III discusses the effect outsourcing arrangements have on the independence of an external auditor who also provides internal audit services to an institution. Part III also discusses the prohibition on internal audit outsourcing to a public company’s external auditor under the Sarbanes-Oxley Act of 2002,[5] the effect of this prohibition on insured depository institutions subject to the annual audit and reporting requirements of Section 36 of the FDI Act (12 U.S.C. 1831m), and the agencies’ views on compliance with this provision of the Sarbanes-Oxley Act by institutions not subject to Section 36 (including smaller depository institutions) that are not publicly held. Finally, Part IV of this statement provides guidance to examiners concerning their reviews of internal audit functions and related matters.

PART I — THE INTERNAL AUDIT FUNCTION

Board and Senior Management Responsibilities

The board of directors and senior management are responsible for having an effective system of internal control and an effective internal audit function in place at their institution. They are also responsible for ensuring that the importance of internal control is understood and respected throughout the institution. This overall responsibility cannot be delegated to anyone else. They may, however, delegate the design, implementation and monitoring of specific internal controls to lower-level management and the testing and assessment of internal controls to others. Accordingly, directors and senior management should have reasonable assurance that the system of internal control prevents or detects significant inaccurate, incomplete, or unauthorized transactions; deficiencies in the safeguarding of assets; unreliable financial reporting (which includes regulatory reporting); and deviations from laws, regulations, and the institution’s policies.[6]

5. Pub. L. 107-204, 116 Stat. 745 (2002).

6. Under Section 36 of the FDI Act, as implemented by Part 363 of the FDIC’s regulations (12 CFR 363), FDIC-insured depository institutions with total assets of $500 million or more must submit an annual management report signed by the chief executive officer (CEO) and chief accounting or chief financial officer. This report must discuss management’s responsibility for financial reporting controls and assess the effectiveness of those controls as well as the institution’s compliance with designated laws and regulations.

Some institutions have chosen to rely on so-called “management self-assessments” or “control self-assessments,” wherein business line managers and their staff evaluate the performance of internal controls within their purview. Such reviews help to underscore management’s responsibility for internal control, but they are not impartial. Directors and members of senior management who rely too much on these reviews may not learn of control weaknesses until they have become costly problems, particularly if directors are not intimately familiar with the institution’s operations. Therefore, institutions generally should also have their internal controls tested and evaluated by units without business-line responsibilities, such as internal audit groups.

Directors should be confident that the internal audit function addresses the risks and meets the demands posed by the institution’s current and planned activities. To accomplish this objective, directors should consider whether their institution’s internal audit activities are conducted in accordance with professional standards, such as the Institute of Internal Auditors’ (IIA) Standards for the Professional Practice of Internal Auditing. These standards address independence, professional proficiency, scope of work, performance of audit work, management of internal audit, and quality assurance reviews. Furthermore, directors and senior management should ensure that the following matters are reflected in their institution’s internal audit function.

Structure. Careful thought should be given to the placement of the audit function in the institution’s management structure. The internal audit function should be positioned so that the board has confidence that the internal audit function will perform its duties with impartiality and not be unduly influenced by managers of day-to-day operations. The audit committee,[7] using objective criteria it has established, should oversee the internal audit function and evaluate its performance.[8] The audit committee should assign responsibility for the internal audit function to a member of management (hereafter referred to as the manager of internal audit or internal audit manager) who understands the function and has no responsibility for operating the system of internal control. The ideal organizational arrangement is for this manager to report directly and solely to the audit committee regarding both audit issues and administrative matters, e.g., resources, budget, appraisals, and compensation. Institutions are encouraged to consider the IIA’s Practice Advisory 2060-2: Relationship with the Audit Committee, which provides more guidance on the roles and relationships between the audit committee and the internal audit manager.

7. Depository institutions subject to Section 36 of the FDI Act and Part 363 of the FDIC’s regulations must maintain independent audit committees (i.e., comprised of directors who are not members of management). Consistent with the 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, the agencies also encourage the board of directors of each depository institution that is not otherwise required to do so to establish an audit committee consisting entirely of outside directors. Where the term “audit committee” is used in this policy statement, the board of directors may fulfill the audit committee responsibilities if the institution is not subject to an audit committee requirement.

8. For example, the performance criteria could include the timeliness of each completed audit, comparison of overall performance to plan, and other measures.
Many institutions place the manager of internal audit under a dual reporting arrangement: functionally accountable to the audit committee on issues discovered by the internal audit function, while reporting to another senior manager on administrative matters. Under a dual reporting relationship, the board should consider the potential for diminished objectivity on the part of the internal audit manager with respect to audits concerning the executive to whom he or she reports. For example, a manager of internal audit who reports to the chief financial officer (CFO) for performance appraisal, salary, and approval of department budgets may approach audits of the accounting and treasury operations controlled by the CFO with less objectivity than if the manager were to report to the chief executive officer. Thus, the chief financial officer, controller, or other similar officer should ideally be excluded from overseeing the internal audit activities even in a dual role. The objectivity and organizational stature of the internal audit function are best served under such a dual arrangement if the internal audit manager reports administratively to the CEO.

Some institutions seek to coordinate the internal audit function with several risk monitoring functions (e.g., loan review, market risk assessment, and legal compliance departments) by establishing an administrative arrangement under one senior executive. Coordination of these other monitoring activities with the internal audit function can facilitate the reporting of material risk and control issues to the audit committee, increase the overall effectiveness of these monitoring functions, better utilize available resources, and enhance the institution’s ability to comprehensively manage risk.
Such an administrative reporting relationship should be designed so as not to interfere with or hinder the manager of internal audit’s functional reporting to and ability to directly communicate with the institution’s audit committee. In addition, the audit committee should ensure that efforts to coordinate these monitoring functions do not result in the manager of internal audit conducting control activities nor diminish his or her independence with respect to the other risk monitoring functions. Furthermore, the internal audit manager should have the ability to independently audit these other monitoring functions. In structuring the reporting hierarchy, the board should weigh the risk of diminished independence against the benefit of reduced administrative burden in adopting a dual reporting organizational structure. The audit committee should document its consideration of this risk and mitigating controls. The IIA’s Practice Advisory 1110-2: Chief Audit Executive Reporting Lines provides additional guidance regarding functional and administrative reporting lines.

Management, staffing, and audit quality. In managing the internal audit function, the manager of internal audit is responsible for control risk assessments, audit plans, audit programs, and audit reports. A control risk assessment (or risk assessment methodology) documents the internal auditor’s understanding of the institution’s significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.
An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget. An internal audit program describes the objectives of the audit work and lists the procedures that will be performed during each internal audit review. An audit report generally presents the purpose, scope, and results of the audit, including findings, conclusions, and recommendations. Workpapers that document the work performed and support the audit report should be maintained.

Ideally, the internal audit function’s only role should be to independently and objectively evaluate and report on the effectiveness of an institution’s risk management, control, and governance processes. Internal auditors increasingly have taken a consulting role within institutions on new products and services and on mergers, acquisitions, and other corporate reorganizations. This role typically includes helping design controls and participating in the implementation of changes to the institution’s control activities. The audit committee, in its oversight of the internal audit staff, should ensure that the function’s consulting activities do not interfere or conflict with the objectivity it should have with respect to monitoring the institution’s system of internal control. In order to maintain its independence, the internal audit function should not assume a business-line management role over control activities, such as approving or implementing operating policies or procedures, including those it has helped design in connection with its consulting activities. The agencies encourage internal auditors to follow the IIA’s standards, including guidance related to the internal audit function acting in an advisory capacity.
The internal audit function should be competently supervised and staffed by people with sufficient expertise and resources to identify the risks inherent in the institution’s operations and assess whether internal controls are effective. The manager of internal audit should oversee the staff assigned to perform the internal audit work and should establish policies and procedures to guide the audit staff. The form and content of these policies and procedures should be consistent with the size and complexity of the department and the institution. Many policies and procedures may be communicated informally in small internal audit departments, while larger departments would normally require more formal and comprehensive written guidance.

Scope. The frequency and extent of internal audit review and testing should be consistent with the nature, complexity, and risk of the institution’s on- and off-balance-sheet activities. At least annually, the audit committee should review and approve internal audit’s control risk assessment and the scope of the audit plan, including how much the manager relies on the work of an outsourcing vendor. It should also periodically review internal audit’s adherence to the audit plan. The audit committee should consider requests for expansion of basic internal audit work when significant issues arise or when significant changes occur in the institution’s environment, structure, activities, risk exposures, or systems.9

9. Major changes in an institution’s environment and conditions may compel changes to the internal control system and also warrant additional internal audit work. These include: (a) new management; (b) areas or activities experiencing rapid growth or rapid decline; (c) new lines of business, products, or technologies or disposals thereof; (d) corporate restructurings, mergers, and acquisitions; and (e) expansion or acquisition of foreign operations (including the impact of changes in the related economic and regulatory environments).

23-66 Internal/External Audit Self-Assessment Program 4/05 Exhibit 23.7 (cont.)

Communication. To properly carry out their responsibility for internal control, directors and senior management should foster forthright communications and critical examination of issues to better understand the importance and severity of internal control weaknesses identified by the internal auditor and operating management’s solutions to these weaknesses. Internal auditors should report internal control deficiencies to the appropriate level of management as soon as they are identified. Significant matters should be promptly reported directly to the board of directors (or its audit committee) and senior management. In periodic meetings with management and the manager of internal audit, the audit committee should assess whether management is expeditiously resolving internal control weaknesses and other exceptions. Moreover, the audit committee should give the manager of internal audit the opportunity to discuss his or her findings without management being present. Furthermore, each audit committee should establish and maintain procedures for employees of their institution to confidentially and anonymously submit concerns to the committee about questionable accounting, internal accounting control, or auditing matters.10 In addition, the audit committee should set up procedures for the timely investigation of complaints received and the retention for a reasonable time period of documentation concerning the complaint and its subsequent resolution.

Contingency Planning.
As with any other function, the institution should have a contingency plan to mitigate any significant discontinuity in audit coverage, particularly for high-risk areas. Lack of contingency planning for continuing internal audit coverage may increase the institution’s level of operational risk.

Small Institutions

An effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution’s size. As noted in the Introduction, each institution should have an internal audit function that is appropriate to its size and the nature and scope of its activities. The procedures assigned to this function should include adequate testing and review of internal controls and information systems. It is the responsibility of the audit committee and management to carefully consider the extent of auditing that will effectively monitor the internal control system after taking into account the internal audit function’s costs and benefits. For institutions that are large or have complex operations, the benefits derived from a full-time manager of internal audit or an auditing staff likely outweigh the cost. For small institutions with few employees and less complex operations, however, these costs may outweigh the benefits. Nevertheless, a small institution without an internal auditor can ensure that it maintains an objective internal audit function by implementing a comprehensive set of independent reviews of significant internal controls. The key characteristic of such reviews is that the person(s) directing and/or performing the review of internal controls is not also responsible for managing or operating those controls. A person who is competent in evaluating a system of internal control should design the review procedures and arrange for their implementation. The person responsible for reviewing the system of internal control should report findings directly to the audit committee. The audit committee should evaluate the findings and ensure that senior management has taken or will take appropriate action to correct the control deficiencies.

10. Where the board of directors fulfills the audit committee responsibilities, the procedures should provide for the submission of employee concerns to an outside director.

U.S. Operations of Foreign Banking Organizations

The internal audit function of a foreign banking organization (FBO) should cover its U.S. operations in its risk assessments, audit plans, and audit programs. Its U.S. domiciled audit function, head-office internal audit staff, or some combination thereof normally performs the internal audit of the U.S. operations. Internal audit findings (including internal control deficiencies) should be reported to the senior management of the U.S. operations of the FBO and the audit department of the head office. Significant adverse findings also should be reported to the head office’s senior management and the board of directors or its audit committee.

PART II — INTERNAL AUDIT OUTSOURCING ARRANGEMENTS

Examples of Arrangements

An outsourcing arrangement is a contract between an institution and an outsourcing vendor to provide internal audit services. Outsourcing arrangements take many forms and are used by institutions of all sizes. Some institutions consider entering into these arrangements to enhance the quality of their control environment by obtaining the services of a vendor with the knowledge and skills to critically assess, and recommend improvements to, their internal control systems. The internal audit services under contract can be limited to helping internal audit staff in an assignment for which they lack expertise. Such an arrangement is typically under the control of the institution’s manager of internal audit, and the outsourcing vendor reports to him or her.
Institutions often use outsourcing vendors for audits of areas requiring more technical expertise, such as electronic data processing and capital markets activities. Such uses are often referred to as “internal audit assistance” or “audit co-sourcing.”

Some outsourcing arrangements are structured so that an outsourcing vendor performs virtually all the procedures or tests of the system of internal control. Under such an arrangement, a designated manager of internal audit oversees the activities of the outsourcing vendor and typically is supported by internal audit staff. The outsourcing vendor may assist the audit staff in determining risks to be reviewed and may recommend testing procedures, but the internal audit manager is responsible for approving the audit scope, plan, and procedures to be performed. Furthermore, the internal audit manager is responsible for the results of the outsourced audit work, including findings, conclusions, and recommendations. The outsourcing vendor may report these results jointly with the internal audit manager to the audit committee.

Additional Considerations for Internal Audit Outsourcing Arrangements

Even when outsourcing vendors provide internal audit services, the board of directors and senior management of an institution are responsible for ensuring that both the system of internal control and the internal audit function operate effectively. In any outsourced internal audit arrangement, the institution’s board of directors and senior management must maintain ownership of the internal audit function and provide active oversight of outsourced activities. When negotiating the outsourcing arrangement with an outsourcing vendor, an institution should carefully consider its current and anticipated business risks in setting each party’s internal audit responsibilities.
The outsourcing arrangement should not increase the risk that a breakdown of internal control will go undetected. To clearly distinguish its duties from those of the outsourcing vendor, the institution should have a written contract, often taking the form of an engagement letter.11 Contracts between the institution and the vendor typically include provisions that:

- Define the expectations and responsibilities under the contract for both parties;
- Set the scope and frequency of, and the fees to be paid for, the work to be performed by the vendor;
- Set the responsibilities for providing and receiving information, such as the type and frequency of reporting to senior management and directors about the status of contract work;
- Establish the process for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;
- State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the workpapers prepared by the outsourcing vendor;
- Specify the locations of internal audit reports and the related workpapers;12
- Specify the period of time (for example, seven years) that vendors must maintain the workpapers;
- State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related workpapers prepared by the outsourcing vendor;
- Prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence; and
- State that the outsourcing vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with AICPA, U.S. Securities and Exchange Commission (SEC), Public Company Accounting Oversight Board (PCAOB), or regulatory independence guidance.

11. The engagement letter provisions described are comparable to those outlined by the American Institute of Certified Public Accountants (AICPA) for financial statement audits (see AICPA Professional Standards, AU section 310). These provisions are consistent with the provisions customarily included in contracts for other outsourcing arrangements, such as those involving data processing and information technology. Therefore, the federal banking agencies consider these provisions to be usual and customary business practices.

12. If the workpapers are in electronic format, contracts often call for the vendor to maintain proprietary software that enables the bank and examiners to access the electronic workpapers for a specified time period.

Vendor Competence. Before entering an outsourcing arrangement, the institution should perform due diligence to satisfy itself that the outsourcing vendor has sufficient staff qualified to perform the contracted work. The staff’s qualifications may be demonstrated, for example, through prior experience with financial institutions. Because the outsourcing arrangement is a personal-services contract, the institution’s internal audit manager should have confidence in the competence of the staff assigned by the outsourcing vendor and receive timely notice of key staffing changes. Throughout the outsourcing arrangement, management should ensure that the outsourcing vendor maintains sufficient expertise to effectively perform its contractual obligations.

Management. Directors and senior management should ensure that the outsourced internal audit function is competently managed.
For example, larger institutions should employ sufficient competent staff members in the internal audit department to assist the manager of internal audit in overseeing the outsourcing vendor. Small institutions that do not employ a full-time audit manager should appoint a competent employee who ideally has no managerial responsibility for the areas being audited to oversee the outsourcing vendor’s performance under the contract. This person should report directly to the audit committee for purposes of communicating internal audit issues.

Communication. Communication between the internal audit function and the audit committee and senior management should not diminish because the institution engages an outsourcing vendor. All work by the outsourcing vendor should be well documented and all findings of control weaknesses should be promptly reported to the institution’s manager of internal audit. Decisions not to report the outsourcing vendor’s findings to directors and senior management should be the mutual decision of the internal audit manager and the outsourcing vendor. In deciding what issues should be brought to the board’s attention, the concept of “materiality,” as the term is used in financial statement audits, is generally not a good indicator of which control weaknesses to report. For example, when evaluating an institution’s compliance with laws and regulations, any exception may be important.

Contingency Planning. When an institution enters into an outsourcing arrangement (or significantly changes the mix of internal and external resources used by internal audit), it may increase its operational risk. Because the arrangement may be terminated suddenly, the institution should have a contingency plan to mitigate any significant discontinuity in audit coverage, particularly for high-risk areas.
PART III — INDEPENDENCE OF THE INDEPENDENT PUBLIC ACCOUNTANT

This part of the policy statement relates only to an outsourcing vendor who is a public accountant and is considering providing both external audit and internal audit services to an institution. When one accounting firm performs both the external audit and the outsourced internal audit function, the firm risks compromising its independence. These concerns arise because, rather than having two separate functions, this outsourcing arrangement places the independent public accounting firm in the position of appearing to audit, or actually auditing, its own work. For example, in auditing an institution’s financial statements, the accounting firm will consider the extent to which it may rely on the internal control system, including the internal audit function, in designing audit procedures.

The next three sections outline the applicability of the SEC’s auditor independence requirements to public companies, insured depository institutions subject to Section 36 of the FDI Act, and non-public institutions that are not subject to Section 36. They are followed by information on the AICPA’s independence guidance.

Institutions that are Public Companies

To strengthen auditor independence, Congress passed the Sarbanes-Oxley Act of 2002. Title II of this act applies to any company that has a class of securities registered with the SEC or the appropriate federal banking agency under Section 12 of the Securities Exchange Act of 1934 or that is required to file reports with the SEC under Section 15(d) of that act,13 i.e., a public company. Within Title II, Section 201(a) prohibits an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit outsourcing services to the company.14 In addition, if a public company’s external auditor will be providing auditing services and non-audit services, such as tax services, that are not otherwise prohibited by Section 201(a) of the Sarbanes-Oxley Act, Title II also provides that the company’s audit committee must pre-approve each of these services.

13. 15 U.S.C. 78l and 78o(d).

14. In addition to prohibiting internal audit outsourcing, Section 201(a) of the Sarbanes-Oxley Act also identifies other non-audit services that an external auditor is prohibited from providing to a public company whose financial statements it audits. The legislative history of Section 201(a) indicates that three broad principles should be considered when determining whether an auditor should be prohibited from providing a non-audit service to an audit client. These principles are that an auditor should not (1) audit his or her own work, (2) perform management functions for the client, or (3) serve in an advocacy role for the client. To do so would impair the auditor’s independence. Based on these three broad principles, the other non-audit services that Section 201(a) prohibits an auditor from providing for a public company audit client include bookkeeping or other services related to the client’s accounting records or financial statements; financial information systems design and implementation; appraisal or valuation services, fairness opinions, or contribution-in-kind reports; actuarial services; management functions or human resources; broker or dealer, investment adviser, or investment banking services; legal services and expert services unrelated to the audit; and any other service determined to be impermissible by the PCAOB.
The SEC adopted final rules implementing the non-audit service prohibitions and audit committee preapproval requirements of Title II on January 22, 2003.15 According to these rules, an accountant is not independent if, at any point during the audit and professional engagement period, the accountant provides internal audit outsourcing or other prohibited non-audit services to a public company audit client. These rules generally become effective on May 6, 2003, although a one-year transition period is provided for contractual arrangements in place as of that date. Under this transition rule, an external auditor’s independence will not be deemed to be impaired until May 6, 2004, if the auditor is performing internal audit outsourcing and other prohibited non-audit services for a public company audit client pursuant to a contract in existence on May 6, 2003. However, the services being provided must not have impaired the auditor’s independence under the pre-existing independence requirements of the SEC, the Independence Standards Board, and the AICPA. The SEC’s pre-existing auditor independence requirements are contained in regulations that were adopted in November 2000 and became fully effective in August 2002.16 Although the SEC’s November 2000 regulations do not prohibit the outsourcing of internal audit services to a public company’s independent public accountant, they place conditions and limitations on internal audit outsourcing. 
Depository Institutions Subject to the Annual Audit and Reporting Requirements of Section 36 of the FDI Act

Under Section 36 as implemented by Part 363 of the FDIC’s regulations, each FDIC-insured depository institution with total assets of $500 million or more is required to have an annual audit performed by an independent public accountant.17 The Part 363 guidelines address the qualifications of an independent public accountant engaged by such an institution by stating that “[t]he independent public accountant should also be in compliance with the AICPA’s Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff.”18 Thus, the guidelines provide for each FDIC-insured depository institution with $500 million or more in total assets, whether or not it is a public company, and its external auditor to comply with the SEC’s auditor independence requirements that are in effect during the period covered by the audit. These requirements include the non-audit service prohibitions and audit committee pre-approval requirements implemented by the SEC’s January 2003 auditor independence rules once they take effect May 6, 2003, subject to the transition rule for internal audit outsourcing and other contracts in existence on that date described in the preceding section. That transition rule provides that such outsourcing arrangements will not impair an auditor’s independence until May 6, 2004, provided certain conditions are met.19

15. 68 Fed. Reg. 6006, February 5, 2003.
16. 65 Fed. Reg. 76007, December 5, 2000.
17. 12 CFR 363.3(a).
18. Appendix A to Part 363-Guidelines and Interpretations, Paragraph 14. Independence.
19.
If a depository institution subject to Section 36 and Part 363 satisfies the annual independent audit requirement by relying on the independent audit of its parent holding company, once the SEC’s January 2003 regulations prohibiting an external auditor from performing internal audit outsourcing services for an audit client take effect May 6, 2003, or May 6, 2004, depending on the circumstances, the holding company’s external auditor cannot perform internal audit outsourcing work for that holding company or the subsidiary institution.

Institutions Not Subject to Section 36 of the FDI Act that are Neither Public Companies nor Subsidiaries of Public Companies

The agencies have long encouraged each institution not subject to Section 36 of the FDI Act20 that is neither a public company nor a subsidiary of a public company to have its financial statements audited by an independent public accountant.21 The agencies also encourage each such non-public institution to follow the internal audit outsourcing prohibition in Section 201(a) of the Sarbanes-Oxley Act when the SEC’s January 2003 regulations implementing this prohibition take effect, as discussed above for institutions that are public companies. As previously mentioned, some institutions seek to enhance the quality of their control environment by obtaining the services of an outsourcing vendor who can critically assess their internal control system and recommend improvements. The agencies believe that a small non-public institution with less complex operations and limited staff can, in certain circumstances, use the same accounting firm to perform both an external audit and some or all of the institution’s internal audit activities.
These circumstances include, but are not limited to, situations where:

- Splitting the audit activities poses significant costs or burden;
- Persons with the appropriate specialized knowledge and skills are difficult to locate and obtain;
- The institution is closely held and investors are not solely reliant on the audited financial statements to understand the financial position and performance of the institution; and
- The outsourced internal audit services are limited in either scope or frequency.

In circumstances such as these, the agencies view an internal audit outsourcing arrangement between a small non-public institution and its external auditor as not being inconsistent with their safety and soundness objectives for the institution. When a small non-public institution decides to hire the same firm to perform internal and external audit work, the audit committee and the external auditor should pay particular attention to preserving the independence of both the internal and external audit functions. Furthermore, the audit committee should document both that it has pre-approved the internal audit outsourcing to its external auditor and has considered the independence issues associated with this arrangement.22 In this regard, the audit committee should consider the independence standards described in Parts I and II of this policy statement, the AICPA guidance discussed in the following section, and the broad principles that the auditor should not perform management functions or serve in an advocacy role for the client. Accordingly, the agencies will not consider an auditor who performs internal audit outsourcing services for a small non-public audit client to be independent unless the institution and its auditor have adequately addressed the associated independence issues. In addition, the institution’s board of directors and management must retain ownership of and accountability for the internal audit function and provide active oversight of the outsourced internal audit relationship.

A small non-public institution may be required by another law or regulation, an order, or another supervisory action to have its financial statements audited by an independent public accountant. In this situation, if warranted for safety and soundness reasons, the institution’s primary federal regulator may require that the institution and its independent public accountant comply with the auditor independence requirements of Section 201(a) of the Sarbanes-Oxley Act.23

20. FDIC-insured depository institutions with less than $500 million in total assets are not subject to Section 36 of the FDI Act. Section 36 does not apply directly to holding companies, but it provides that, for an insured depository institution that is a subsidiary of a holding company, its audited financial statements requirement and certain of its other requirements may be satisfied by the holding company.

21. See, for example, the 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Institutions.

AICPA Guidance

As noted above, the independent public accountant for a depository institution subject to Section 36 of the FDI Act also should be in compliance with the AICPA’s Code of Professional Conduct. This code includes professional ethics standards, rules, and interpretations that are binding on all certified public accountants (CPAs) who are members of the AICPA in order for the member to remain in good standing. Therefore, this code applies to each member CPA who provides audit services to an institution, regardless of whether the institution is subject to Section 36 or is a public company.
The AICPA has issued guidance indicating that a member CPA would be deemed not independent of his or her client when the CPA acts or appears to act in a capacity equivalent to a member of the client’s management or as a client employee. The AICPA’s guidance includes illustrations of activities that would be considered to compromise a CPA’s independence. Among these are activities that involve the CPA authorizing, executing, or consummating transactions or otherwise exercising authority on behalf of the client. For additional details, refer to Interpretation 101-3-Performance of Other Services and Interpretation 101-13-Extended Audit Services in the AICPA’s Code of Professional Conduct.

22. If a small non-public institution is considering having its external auditor perform other non-audit services (see footnote 14 for examples of such services), its audit committee may wish to discuss the implications of the performance of these services on the auditor’s independence.

23. For OTS-required audits under 12 CFR 562.4, independent public accountants performing such audits must meet the independence requirements and interpretations of the SEC and its staff.

PART IV — EXAMINATION GUIDANCE

Review of the Internal Audit Function and Outsourcing Arrangements

Examiners should have full and timely access to an institution’s internal audit resources, including personnel, workpapers, risk assessments, work plans, programs, reports, and budgets. A delay may require examiners to widen the scope of their examination work and may subject the institution to follow-up supervisory actions. Examiners will assess the quality and scope of an institution’s internal audit function, regardless of whether it is performed by the institution’s employees or by an outsourcing vendor.
Specifically, examiners will consider whether:

- The internal audit function’s control risk assessment, audit plans, and audit programs are appropriate for the institution’s activities;
- The internal audit activities have been adjusted for significant changes in the institution’s environment, structure, activities, risk exposures, or systems;
- The internal audit activities are consistent with the long-range goals and strategic direction of the institution and are responsive to its internal control needs;
- The audit committee promotes the internal audit manager’s impartiality and independence by having him or her directly report audit findings to it;
- The internal audit manager is placed in the management structure in such a way that the independence of the function is not impaired;
- The institution has promptly responded to significant identified internal control weaknesses;
- The internal audit function is adequately managed to ensure that audit plans are met, programs are carried out, and results of audits are promptly communicated to senior management and members of the audit committee and board of directors;
- Workpapers adequately document the internal audit work performed and support the audit reports;
- Management and the board of directors use reasonable standards, such as the IIA’s Standards for the Professional Practice of Internal Auditing, when assessing the performance of internal audit; and
- The audit function provides high-quality advice and counsel to management and the board of directors on current developments in risk management, internal control, and regulatory compliance.

The examiner should assess the competence of the institution’s internal audit staff and management by considering the education, professional background, and experience of the principal internal auditors.
In addition, when reviewing outsourcing arrangements, examiners should determine whether:

- The arrangement maintains or improves the quality of the internal audit function and the institution’s internal control;
- Key employees of the institution and the outsourcing vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the outsourcing vendor are to be addressed;
- The scope of the outsourced work is revised appropriately when the institution’s environment, structure, activities, risk exposures, or systems change significantly;
- The directors have ensured that the outsourced internal audit activities are effectively managed by the institution;
- The arrangement with the outsourcing vendor satisfies the independence standards described in this policy statement and thereby preserves the independence of the internal audit function, whether or not the vendor is also the institution’s independent public accountant; and
- The institution has performed sufficient due diligence to satisfy itself of the vendor’s competence before entering into the outsourcing arrangement and has adequate procedures for ensuring that the vendor maintains sufficient expertise to perform effectively throughout the arrangement.

Concerns about the Adequacy of the Internal Audit Function

If the examiner concludes that the institution’s internal audit function, whether or not it is outsourced, does not sufficiently meet the institution’s internal audit needs, does not satisfy the Interagency Guidelines Establishing Standards for Safety and Soundness, if applicable,24 or is otherwise inadequate, he or she should consider adjusting the scope of the examination. The examiner should also discuss his or her concerns with the internal audit manager or other person responsible for reviewing the system of internal control.
If these discussions do not resolve the examiner’s concerns, he or she should bring these matters to the attention of senior management and the board of directors or audit committee. Should the examiner find material weaknesses in the internal audit function or the internal control system, he or she should discuss them with appropriate agency staff in order to determine the appropriate actions the agency should take to ensure that the institution corrects the deficiencies. These actions may include formal and informal enforcement actions. The institution’s management and composite ratings should reflect the examiner’s conclusions regarding the institution’s internal audit function. The report of examination should contain comments concerning the adequacy of this function, significant issues or concerns, and recommended corrective actions. 24. See footnote 4. 23-76 Internal/External Audit Self-Assessment Program 4/05 Exhibit 23.7 (cont.) Concerns about the Independence of the Outsourcing Vendor An examiner’s initial review of an internal audit outsourcing arrangement, including the actions of the outsourcing vendor, may raise questions about the institution’s and its vendor’s adherence to the independence standards described in Parts I and II of this policy statement, whether or not the vendor is an accounting firm, and in Part III if the vendor provides both external and internal audit services to the institution. In such cases, the examiner first should ask the institution and the outsourcing vendor how the audit committee determined that the vendor was independent. If the vendor is an accounting firm, the audit committee should be asked to demonstrate how it assessed that the arrangement has not compromised applicable SEC, PCAOB, AICPA, or other regulatory standards concerning auditor independence. If the examiner’s concerns are not adequately addressed, the examiner should discuss the matter with appropriate agency staff prior to taking any further action. 
If the agency staff concurs that the independence of the external auditor or other vendor appears to be compromised, the examiner will discuss his or her findings and the actions the agency may take with the institution’s senior management, board of directors (or audit committee), and the external auditor or other vendor. In addition, the agency may refer the external auditor to the state board of accountancy, the AICPA, the SEC, the PCAOB, or other authorities for possible violations of applicable independence standards. Moreover, the agency may conclude that the institution’s external auditing program is inadequate and that it does not comply with auditing and reporting requirements, including Sections 36 and 39 of the FDI Act and related guidance and regulations, if applicable. 23-77 4/05 Internal Auditing Manual for Credit Unions Exhibit 23.8 Audit Function Related to IT Review Performed by: ___________ Reviewed by: ___________ W/P Reference: ___________ AUDIT OBJECTIVES To determine the quality and effectiveness of the audit function related to IT controls. These procedures will disclose the adequacy of audit coverage and to what extent, if any, it may be relied upon. AUDIT PROCEDURES Date Completed _____ 1. Review board resolutions and audit charter to determine the authority and mission of the IT audit function. _____ 2. Review and summarize the minutes of the board or supervisory committee for member attendance and supervision of IT audit activities. _____ 3. Determine if the board reviews and approves IT policies, procedures, and processes. _____ 4. Analyze if the board approves audit plans and schedules, reviews actual performance of plans and schedules, and approves major deviations to the plan. _____ 5. Ascertain if the content and timeliness of audit reports and issues presented to and reviewed by the board or supervisory committee are appropriate. _____ 6. 
Confirm that the internal audit manager and the external auditor report directly to the board or to an appropriate committee and, if warranted, have the opportunity to escalate issues to the board through the normal committee process. _____ 7. Review credentials of the board members related to abilities to provide adequate oversight. Determine if directors responsible for oversight have appropriate level of experience and knowledge of IT and related risks. 23-78 Internal/External Audit Self-Assessment Program 4/05 Exhibit 23.8 (cont.) Date Completed If directors are not qualified in relation to IT tasks, determine if they bring in outside independent consultants to support their oversight efforts through education and training. _____ 8. Certify if the composition of the supervisory committee is appropriate considering entity type and complies with all applicable laws and regulations. _____ 9. Corroborate if the IT audit staff is adequate in number and technical competency to accomplish its mission. Consider: IT audit personnel qualifications and compare them to the job description. Whether staff competency is commensurate with the technology in use at the credit union. Trends in IT audit staffing to identify any negative trends in the adequacy of staffing. _____ 10. Document if the reporting process for the IT audit is independent in fact and in appearance by reviewing the degree of control persons outside of the audit function have on what is reported to the board or supervisory committee. _____ 11. Review the internal audit organization structure for independence and clarity of the reporting process. Determine whether independence is compromised by: The internal audit manager reporting functionally to a senior management official. The internal audit manager’s compensation and performance appraisal being done by someone other than the board or supervisory committee. 
Auditors responsible for operating a system of internal controls or actually performing operational duties or activities. _____ 12. Establish whether management takes appropriate and timely action on IT audit findings and recommendations and whether auditors or management report the action to the board or its supervisory committee. _____ 13. Obtain a list of outstanding IT audit items and compare the list with audit reports to ascertain completeness. _____ 14. Examine whether management sufficiently corrects the root causes of all significant deficiencies noted in the audit reports and, if not, determine why corrective action is not sufficient. 23-79 4/05 Internal Auditing Manual for Credit Unions Exhibit 23.8 (cont.) Date Completed _____ 15. Interview management and review examination information to identify changes to the credit union’s risk profile that would affect the scope of the audit function. _____ 16. Review the credit union’s IT audit standards manual and/or IT-related sections of the credit union’s general audit manual. Assess the adequacy of policies, practices, and procedures covering the format and content of reports, distribution of reports, resolution of audit findings, format and content of reports, distribution of reports, resolution of audit findings, format and contents of work papers, and security over audit materials. _____ 17. Evaluate audit planning and scheduling criteria, including risk analysis, for selection, scope, and frequency of audits. Determine if: _____ The audit universe is well defined. Audit schedules and audit cycles support the entire audit universe, are reasonable, and are being met. 18. Identify whether the credit union has appropriate standards and processes for risk-based auditing and internal risk assessments that: Include risk profiles identifying and defining the risk and control factors to assess the risk management and control structures for each IT product, service, or function. 
Describe the process for assessing and documenting risk and control factors and its application in the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency. _____ 19. Review a sample of the credit union’s IT-related audit reports and work papers for specific audit ratings, completeness, and compliance with board and supervisory committee-approved standards. _____ 20. Analyze the internal auditor’s evaluation of IT controls and compare it with any completed evaluations. _____ 21. Evaluate the scope of the auditor’s work as it relates to the credit union’s size, the nature and extent of its activities, and the credit union’s risk profile. _____ 22. Justify if the work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the reports. _____ 23. Ratify through review of the audit reports and work papers if the auditors accurately identify and consistently report weaknesses and risks. 23-80 Internal/External Audit Self-Assessment Program 4/05 Exhibit 23.8 (cont.) Date Completed _____ 24. Substantiate if audit report content is: Timely. Constructive. Accurate. Complete. _____ 25. Review the methodology management employs to notify the IT auditor of proposed new applications, major changes to existing applications, modifications/additions to the operating system, and other changes to the data processing environment. _____ 26. Review audit policies related to audit participation in application development, acquisition, and testing. Discuss with audit management. _____ 27. Validate the adequacy and independence of audit in: Participating in the systems development life cycle. Reviewing major changes to applications or the operating system. Updating audit procedures, software, and documentation for changes in the systems or environment. Recommending changes to new proposals or to existing applications and systems to address audit and control issues. 
Exhibit 23.9 Work Paper Review

Performed by: ___________ Reviewed by: ___________ W/P Reference: ___________

AUDIT OBJECTIVES

To review work papers for evidence of the performance of risk assessment. (Standards require auditors to document in the work papers evidence of the performance of the risk assessment.)

To review the auditor’s planning memorandum, which would include a discussion of the audit and its objectives.

AUDIT PROCEDURES

Date Completed

_____ 1. Determine if the work papers contain any written notification to management and the supervisory committee relative to the evidence of fraud.

_____ 2. Review the auditor’s evaluation of the credit union’s internal controls. Auditors are required to obtain an understanding of internal control sufficient to plan the audit. Auditor work papers related to the credit union’s internal controls should include information about the flow of operations and financial reporting systems.

_____ 3. Analyze if the work papers contain an attestation report on internal control.

_____ 4. Review management’s assessment of internal control over financial reporting. Determine if it contains sufficient information to enable the accountant to report on its assertions.

_____ 5. Review the auditor’s summary of management letter, or other similar document, which should include the following:
   • Comments issued in the prior year’s management letter.
   • Comments included in the current year’s management letter.
   • Recommended comments that were not included in the current year’s management letters.
   If there are comments that were not included in the current year’s management letter, determine if the auditor communicated the comments to management by other means, such as through an informal memo or discussion.

_____ 6. Review documentation of any “reportable conditions” contained in the work papers. Reportable conditions include deficiencies in internal control design and failures in the operation of internal control.

_____ 7. If audit results indicate the credit union has concentrations of assets for which valuation methods are complex or uncertain, review the testing performed by the accountant to assess management’s valuations and the evidence obtained to determine the reasonableness of management’s assumptions and methodologies used to value the assets.

_____ 8. If audit results indicate concerns about fraudulent activities related to loans, securities, deposits, or outstanding debt, review the number and type of verifications sent out by the auditors to confirm these assets and liabilities. Determine whether the verifications were sent out by the auditor and returned directly to the auditor. In addition, consider reviewing such verifications if the credit union has a substantial volume of securitized assets that are serviced by others.

_____ 9. If audit results indicate the credit union has experienced excessive growth, particularly through low liabilities, review the testing performed by the auditor to assess management’s valuations of assets and the evidence obtained to determine the reasonableness of management’s assumptions and methodologies used to value the assets.

_____ 10. If audit results indicate the credit union has poor or incomplete documentation of assets or liabilities, review the testing performed by the auditor to determine the existence of the assets. Assess management’s valuations of assets and the evidence obtained to determine the reasonableness of management’s assumptions and methodologies used to value the assets.

_____ 11. If audit results indicate the credit union has had significant insider transactions and/or transactions with affiliates, review audit evidence obtained to verify that the credit union’s reporting of these transactions is in accordance with GAAP.

_____ 12. Review the tests performed by the auditors to assess the appropriateness of the methodology used, documentation maintained, and adequacy of the ALLL.

_____ 13. If audit results indicate the credit union has out-of-balance accounts, review procedures performed by the auditors to test the credit union’s reconcilements.

_____ 14. If audit results indicate the credit union utilizes questionable accounting methods, review tests performed by the auditor to determine whether the accounting method is appropriate under GAAP.

_____ 15. Review the audit engagement summary, which addresses the results of procedures performed and conclusions for the major audit areas.

_____ 16. Consider discussing with the auditor any material issues disclosed by the work paper review that were not presented to the credit union’s board and management through the management letter, adjusting entries, or other matters.