RB-2002-02 Internal Controls
Credit unions facing increased competition often consider implementing new strategies including cutting costs, offering different products, and pursuing other activities that have higher yields. While the Department recognizes that credit unions must adapt to changing business conditions, we want to remind management that effective internal control is a foundation for the safe and sound operations of a credit union.
Internal control is a process, brought about by a credit union’s board of directors, management, and other personnel, designed to provide reasonable assurance that the credit union will achieve certain internal control objectives. These include efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and rules. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components is essential to achieving the internal control objectives.
The board of directors and senior executive staff of a credit union are responsible for ensuring that the system of internal control operates effectively. The board may delegate certain duties to others within the credit union or to outside parties; however, the board in delegating such duties is not relieved from the responsibility for ensuring that prudent internal controls are in place. Audits by public accountants and examinations by the Department will continue to place greater emphasis on evaluating the appropriateness of the processes in place, and less reliance on transaction testing.
The Department is in the process of revising its examination program to a more risk-focused program. The changes will enable the Department to concentrate its resources in areas that present the most risk to the system and to spend less effort in areas of low risk. The risk-focused approach will entail many changes to our examination and supervisory program. There will also be increased emphasis on internal controls and due diligence by credit union management. Examiners will spend more of their time reviewing management’s ability to identify, measure, monitor, and control risks in the credit union. Therefore, it is the Department’s expectation that management and the board of directors will continue to implement and support effective internal controls appropriate to the size of the credit union, its nature, and scope of activities.
The board of directors has the primary responsibility of establishing and maintaining an adequate and effective system of internal control. The board is also responsible for approving and periodically reviewing the overall business strategy and significant policies of the credit union, as well as understanding the major risks the institution takes. The board should set acceptable levels for these risks, and ensure that senior management takes the required steps to identify, measure, monitor, and control these risks. To remain effective in the dynamic and ever-broadening environment in which credit unions operate, the board of directors must periodically review and update the internal control system.
An active board sets the institution’s control consciousness. The following parameters determine effectiveness:
- The extent of its involvement in and its scrutiny of the credit union’s activities.
- The ability to take appropriate actions.
- The degree to which the board asks difficult questions and pursues the answers with management.
INTERNAL CONTROL COMPONENTS
The Auditing Standard Board’s Statement of Auditing Standard (SAS) No. 78 provides guidance on the independent auditor’s consideration of an entity’s internal control in an audit of financial statements in accordance with Generally Accepted Auditing Standards. SAS No. 78 recognizes the definition and description of internal control contained in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) report, and provides an overview of the framework and evaluation tools needed for a strong system of internal control. The Department encourages credit union management and boards of directors to consider SAS No. 78, or other recognized standards, in developing and maintaining an effective system of internal control.
SAS No. 78 consists of five interrelated components derived from the way management runs a business, and integrated with the management process. The components are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
ASSESSING CONTROL RISK
Under SAS No. 78, control risk is the risk that the credit union’s internal control system will not prevent or detect a material misstatement on a timely basis. Assessing control risk is the process of evaluating the design and operating effectiveness of a credit union’s internal control.
The Control Environment
The effectiveness of internal controls rests with the people of the organization who create, administer, and monitor them. Integrity and ethical values are essential elements of a sound foundation for all other components of internal control. The commitment to an effective control environment rests at the top.
All credit unions, regardless of size, encounter risk in their organizations. The ability to identify and manage these risks will affect a credit union’s ability to survive in a competitive market. In order to assess risk, management must first set objectives to quantify the amount of risk they can prudently accept.
Risks relevant to financial reporting include external and internal events, and circumstances that may adversely affect a credit union’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Such risk can arise or change due to the following circumstances:
- Operating environment changes
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New lines, products, or activities
- Corporate restructuring
- Accounting pronouncements
Control activities are the policies and procedures that help ensure management carries out its directives. Control activities should assure accountability in the credit union’s operations, financial reporting, and compliance areas.
Information and Communication Systems
Management must identify, capture, and communicate information to enable people to carry out their responsibilities. Internally generated data, along with external events, activities, and conditions, is necessary for a business to make informed decisions. Management must design ways to send messages downstream from the top, as well as to send significant information upstream.
An information system should also provide sufficient detail to properly classify the transaction for financial reporting, and measure the value of the transactions in a manner that permits recording the proper monetary value in the financial statement in accordance with Generally Accepted Accounting Principles (GAAP).
Monitoring is a process that assesses the quality of the internal control performance over time. Management must build ongoing monitoring activities into the normal recurring activities of their institution, and monitor the internal control system on an ongoing basis to ensure that the system continues to be relevant and addresses new risks.
LIMITATIONS OF INTERNAL CONTROL
When operating under the best of conditions, internal control provides only reasonable assurance to management and the board of directors that the institution is achieving its objectives. Reasonable assurances do not imply that the internal control systems will never fail. Many factors, individually and collectively, serve to provide strength to the concept of reasonable assurance. However, because of inherent limitations, management has no guarantee that, for example, an uncontrollable event, a mistake, or improper reporting incident could never occur. Thus, it is possible for the best internal control system to fail. The limitations inherent to internal control are:
- Management override
- Cost versus benefits
Human judgment can limit the effectiveness of internal controls. Management makes business decisions based on the information at hand and under time constraints. With hindsight, these decisions may produce less than desirable results.
The best internal control system can experience any of the following breakdowns:
- Misunderstood instructions
- Careless employees
- Inadequate training
- Time limitations
Management override means management overrules prescribed policies or procedures for illegitimate purposes with the intent of personal gain or to enhance the presentation of financial statements. Override practices include deliberate misrepresentations.
Do not confuse management override with management intervention. Management intervention represents management’s actions that depart from prescribed policies for legitimate purposes. At times, management intervention is necessary to deal with nonrecurring and nonstandard transactions or events that otherwise might be handled inappropriately by the control system.
When two or more individuals act in concert to perpetrate and conceal an action from detection, they can circumvent any system of internal control.
Fraud is a broad legal concept, and involves intentional illegal acts that generally cause misstatement in the financial statements. Management bears the primary responsibility for detecting fraud. Internal control systems implementation is part of management’s fiduciary responsibilities to prevent fraud and abuse by insiders.
Cost versus Benefits
The challenge is to find the right balance between the proper controls and the costs to design and implement internal controls. Excessive control is costly and counterproductive. Too few controls present undue risks.
Credit unions rely increasingly on services provided by third parties to support a wide range of activities. Outsourcing to third parties may help manage costs, improve and expand services offered, and obtain expertise not internally available. At the same time, reduced operational control over outsourced activities may expose credit unions to additional risks.
Outsourcing involves some of the same operational risks that arise when a credit union performs a function internally. Such risks include the following:
- Threats to the availability of systems used to support member transactions.
- The integrity or security of member account information.
- The integrity of risk management information systems.
Under outsourcing arrangements, however, the risk management measures commonly used to address these risks, such as internal controls, are generally under the direct control of the service provider, rather than the credit union that bears the risk of financial loss, damage to reputation, or other adverse consequences.
The Department expects credit unions to ensure that controls over outsourced activities are equivalent to those that the institution would implement if it conducted the activity internally. The credit union’s board of directors and senior management should understand the key risks associated with the use of service providers. They should ensure that an appropriate oversight program is in place to monitor each service provider’s controls, condition, and performance.
No system of internal controls is foolproof; however, strong internal control systems can reduce risk and minimize loss. We encourage all credit unions to carefully review and, where appropriate, strengthen their internal control systems.