An outline of key actions from audits to meetings to working with management
A supervisory committee is responsible for ensuring that both the board of directors and management meet required financial reporting objectives and establish practices and procedures sufficient to safeguard members’ assets.
To meet these responsibilities, the supervisory committee must determine that internal controls are established and effectively maintained; financial reports and records of the credit union are accurately and promptly prepared; plans, policies and control procedures established by the board of directors are properly administered; and policies and control procedures to safeguard against error, carelessness, fraud and self-dealing have been established.
Credit unions should have the following in place, with oversight from the supervisory committee:
- A risk assessment to develop the internal audit plan, which should also consider IT/cybersecurity and regulatory compliance
- An internal audit function to ensure effectiveness of internal controls
- An audit function to ensure regulatory compliance and effective IT and cybersecurity processes
- An independent financial audit to meet the requirement set forth in CFR 715.5, which may include a financial statement opinion audit by a CPA or a supervisory committee exam
- Appropriate tracking and follow-up of various audit findings and issues
- Follow-up on any complaints that have been communicated through the National Credit Union Administration, as well as consideration of follow-up on complaints maintained from internal channels
- Consideration of an independent whistleblower hotline, with results communicated to the committee
What is Required from Supervisory Committees?
Under current regulation, the annual audit requirement can be satisfied in one of two ways depending on the size of the institution: an opinion audit, performed by a CPA, or a supervisory committee guide audit, which can be completed by the supervisory committee, an internal auditor or a third party such as a CPA.
Furthermore, Section 115 of the Federal Credit Union Act and NCUA Rules and Regulations 715.8 require member verifications every two years, which can be conducted using one of the following methods:
- 100% of the membership
- Random statistical sample
- CPA only, non-statistical sample
Verifications must be conducted independently with mailings/returns controlled by the supervisory committee or auditor, preferably through a P.O. Box. If a credit union chooses to rely on the CPA audit for verifications, this should be included in the engagement letter with all verification results reported to the supervisory committee.
Credit unions may use positive or negative verifications and should take care not to forget the accounts that may not be on their core system, such as credit cards, student loans, participations, etc. They must also ensure no-mails and e-statements are included.
How Should Supervisory Committee Meetings Run?
Getting the right information at the right time is crucial to an effective meeting. Before setting a new agenda, agendas from the last 18 months should be reviewed and evaluated for relevance. A productive meeting will include enough time to meet with auditors and help them set an agenda for their own meeting time. Any items that may require lengthy discussion should be planned for accordingly. An example agenda could look like this:
- Acceptance of prior meeting minutes
- Review of any audit activity (internal/CPA/IT), preferably with the auditors
- Meeting with regulators
- Update on internal audit plan
- Tracking report of prior findings and what management has done to follow up
- Discussion of any fraud occurrences both internal and external
- Whistleblower activity
- Follow-up on any complaints
- Old business/new business
- Executive session (it is highly recommended each meeting have a documented executive session to ensure the committee members have an opportunity to speak freely among themselves and with auditors)
Whether a credit union has opted for an internal or external auditor will dictate the best practices for the types of questions to be asked when reviewing audit activity. For an internal auditor, the discussion should include the following:
- Review of any upcoming internal audits
- Results of any recent internal audits, including recommendations and management’s responses
- Discussion and approval of any proposed changes, as well as any potential changes to the risk assessment and internal audit plan
- An inquiry into the comfort and expertise of the internal auditor to perform more technical audits, and whether outsourcing is necessary
For an external auditor, some points that should be considered in the discussion include:
- What was performed for unpredictable procedures as part of your audit?
- Are there any potential internal control problems that were discussed with management and deemed immaterial?
- How do they ensure a fresh look each year, such as staff rotation?
- Any applicable industry or audit-related changes
Keeping Management in the Loop
Because credit union management is responsible for establishing, maintaining and monitoring internal controls, it is important for the supervisory committee and the management team to maintain open lines of communication. The management team can help keep the supervisory committee up-to-date about any changes happening within the credit union, such as new products and services, key personnel changes, investment activity, software and vendor changes, technology shifts, etc.
Some questions to consider asking management include:
- What is your assessment of the internal control system and what criteria did you use for your assessment?
- Discuss the “tone at the top.” What does management do to maintain an ethical environment?
- How do you think the credit union is handling and staying up-to-date on legal and regulatory compliance requirements? Were any reported conflicts of interest, irregularities or other violations of the code of conduct identified during the year?
- Have there been any concerning trends (fraud, complaints, loan deferrals/modifications)?
The supervisory committee serves an important function. It is considered the watchdog of the credit union, tasked with asking the tough questions and following up on any findings with management to ensure remediation follows. Keeping up-to-date on changes in the industry and changes within the credit union will ensure that the supervisory committee can continue to fulfill its vital roles and responsibilities.
While the current Section 715.3 of the NCUA Rules and Regulations does not specifically address COVID-19, it is important to note that processes could be impacted and general controls may be altered due to the current pandemic-related conditions. Some of these changes may not be realized until further down the road. NCUA recently issued a letter to credit unions updating the exam priorities from earlier this year, Letter 20-CU-22, following the interagency examiner guidance released by the federal financial institution regulatory agencies (Federal Reserve, FDIC, OCC, NCUA and state financial regulators) on assessing safety and soundness considering the effect of the COVID-19 pandemic on institutions. These publications provide insight into what examiners will be focusing on with respect to the COVID-19 response.
Alison J. Herrick, CPA, is a partner with Wipfli LLP, providing audit services to credit unions, including evaluating lending programs, financial statement audits, conducting internal control studies, and consulting on accounting principles generally accepted in the United States. She leads the credit union practice and specializes in developing audit plans and providing credit unions with regulatory compliance audits and internal audit outsourcing and co-sourcing.
Apply It to Your Boardroom
- Based on this article, what are some key areas of oversight for the supervisory committee?
- What are the key elements of a supervisory committee meeting? Are there any listed here your committee might want to consider adding?
- What is your supervisory committee’s current relationship to senior management? How could that exchange be improved?