RB-2004-01 Annual Audit and Account Verification
The board of directors and senior management of a credit union are responsible for ensuring that the institution operates in a safe and sound manner. To achieve this goal and meet the requirements of Commission Rule 91.515, the credit union must maintain effective systems and internal controls to produce reliable and accurate financial reports.
Accurate financial reporting is essential to a credit union’s safety and soundness for numerous reasons. First, accurate financial information enables the board and management to effectively manage the credit union’s risk and make sound business decisions. In addition, credit unions are required by law to provide accurate and timely financial reports (e.g., 5300 Call Reports) to the Department. These reports serve an important role in the Department’s risk-focused examination program by contributing to our pre-examination planning, off-site monitoring programs, and assessment of a credit union’s net worth adequacy and financial strength.
To help ensure accurate and reliable financial reporting, Section 122.102 of the Finance Code and Commission Rule 91.516 require the board of directors of each credit union to obtain an audit annually and cause a verification of accounts to be performed, at least once every two years. The annual audit and verification should be important components of a credit union’s overall risk management process. For example, the annual audit provides management and the board of directors with an independent and objective view of the reliability of the credit union’s financial statements and the adequacy of its financial internal controls. Additionally, an effective audit program contributes to the efficiency of the Department’s risk-focused examination process. By considering the significant risk areas of a credit union, an effective audit program may reduce the examination time the Department spends in such areas. Moreover, it can improve the safety and soundness of a credit union substantially and lessen the risk the institution poses to the share insurance fund administered by the NCUA.
Responsibilities of the Board of Directors
Each credit union should have an audit function that is appropriate to its size and the nature, scope, and complexity of its activities. The board of directors of a credit union is responsible for determining how to best obtain reasonable assurance that the institution’s financial statements and regulatory reports are reliably prepared. In this regard, the board is also responsible for ensuring that its annual audit is appropriate for the credit union, and adequately addresses the financial reporting aspects of the significant risk areas and any other areas of concern of the institution’s business. The reasons supporting the decision for obtaining a particular type of audit should be recorded in the board’s minutes.
It is the responsibility of the board to carefully consider the extent of auditing that will effectively monitor the risks after taking into account the audit function’s costs and benefits. For institutions that are large or have complex operations, the benefits derived from an annual audit performed by an independent public accountant likely outweigh the cost. For small institutions with less complex operations, however, these costs may outweigh the benefits.
The board of directors is also responsible for selecting the persons or the firm that will carry out the audit functions. Audits completed by an independent auditor must be evidenced by an engagement letter that details the purpose and scope of the auditing work to be performed and reported. In order to preserve the independence and objectivity of the audit, the board must contract directly with the selected auditor. It is not appropriate for the board to delegate this responsibility to the credit union’s president or other employees.
To help ensure the adequacy of the annual audit, the board of directors may designate persons to constitute an audit committee, which shall have and may exercise such powers as the board determines and specifies. Although the board may delegate to the audit committee the performance of certain duties, the board is not relieved from the responsibility for the performance of such duties.
The annual audit should provide the board of directors with information about the credit union’s financial reporting risk areas, e.g., the institution’s internal control over financial reporting, the accuracy of its recording of transactions, and the completeness of its financial reports prepared in accordance with Generally Accepted Accounting Principles (GAAP).
The board or audit committee of each institution should, at least annually, review the risks inherent in the credit union’s particular activities to determine the scope of its annual audit. For most credit unions, the lending and investment activities present the most significant risks that affect financial reporting. Thus, the annual audit should include specific procedures designed to test the risks associated with the loan and investment portfolios. This includes testing of internal control over financial reporting, such as the process to determine the adequacy of the allowance for loan and lease losses and whether this process is adequately documented and consistently applied when analyzing the credit union’s loan portfolio.
Types of Audits
Although the Department considers an audit of a credit union’s financial statements to be the preferred type of annual audit, it recognizes that, depending on its size, a credit union’s audit responsibilities may be fulfilled by other engagements. Specifically, a credit union having total assets of $500 million or greater is required to obtain an annual audit of its financial statements performed by an independent public accountant who is licensed by the State of Texas. For those credit unions with total assets of less than $500 million, the Board of Directors may select a financial statement audit, a balance sheet audit, a report on examination of internal control over financial reporting, or an audit per NCUA’s Supervisory Committee Guide (12 CFR, Chapter VII, Part 715), as it deems appropriate.
Financial Statement Audit by an Independent Public Accountant. The Department encourages credit unions to have an audit performed in accordance with generally accepted auditing standards (GAAS) by an independent person who is licensed by the State of Texas. The object of a financial statement audit is to express an opinion as to whether the financial statements of the credit union present fairly, in all material respects, the financial position and the results of its operations and its cash flows in conformity with GAAP. In addition, an audit may provide recommendations for management in carrying out its control responsibilities. For example, an audit may provide management with guidance on establishing or improving accounting and operating policies, and include recommendations on internal controls necessary to ensure the fair presentation of the financial statements.
Balance Sheet Audit Performed by an Independent Public Accountant. With this program the credit union engages an independent public accountant to examine and report only on the institution’s assets, liabilities, and equity for the purpose of opining on the fairness of the presentation of the balance sheet. As with the audit of the financial statements, this audit is performed in accordance with GAAS. The cost of a balance sheet audit is likely to be less than a financial statement audit. However, under this type of program, the accountant does not examine or report on the fairness of the presentation of the credit union’s income statement, statement of changes in equity capital, or statement of cash flows.
Reporting by an Independent Public Accountant on an Institution’s Internal Control Structure Over Financial Reporting. Another auditing program is an independent public accountant’s examination and report on management’s assertion on the effectiveness of the credit union’s internal control over financial reporting with a concentration in high-risk areas, such as lending activity, investment activity, and cash handling and deposit taking activity. For a smaller credit union with less complex operations, this type of engagement is likely to be less costly than an audit of its financial statements or its balance sheet and normally provides recommendations for improving internal control, including suggestions for compensating controls, to mitigate the risks due to staffing and resource limitations. This type of engagement is performed under generally accepted standards for attestation engagements (GASAE).
Audit per NCUA’s Supervisory Committee Guide. With this program the credit union causes an audit to be performed by a qualified person or committee in accordance with the procedures prescribed in NCUA’s Supervisory Committee Guide. NCUA’s Guide does not attempt to address every possible situation that may be encountered, nor does it contend that many of the procedures described are the only ones that can be used. Procedures appropriate for one credit union may vary widely from those of another credit union. Therefore, any person using this Guide must plan and carry out the duties in a manner consistent with and responsive to the particular situation and needs of the credit union. Qualified persons who are not licensed by the State of Texas cannot provide assurance services under this program.
A credit union is required to obtain an annual audit which occurs at least once every calendar year and must cover the period elapsed since the last audit period. The preferable time to schedule the performance of an audit is as of the institution’s fiscal year-end.
Access to Information
A credit union should provide its auditor with access to all examination reports and written communication between the credit union and the Department since the last auditing activity. The credit union should also provide access to any letters of understanding, supervisory agreements, or administrative orders initiated or taken by the Department. The auditor must maintain the confidentiality of examination reports and other confidential supervisory information. In addition, an outside auditor should agree in the engagement letter to grant examiners access to all of the workpapers and other materials pertaining to the credit union that were prepared in the course of performing the audit.
Upon receipt of the written report of a financial statement audit or other audit program, the Board or Audit Committee must verify that the audit was performed and reported in accordance with the terms of the engagement letter. The Board shall review the results of the audit and take appropriate action to rectify any deficiencies noted. A summary of the result of the audit shall be provided to the members of the credit union orally or in writing at the next annual meeting.
Adequacy of Audit Function
If an examiner concludes that a credit union’s audit function does not sufficiently meet the institution’s audit needs, or is otherwise inadequate, he or she will bring these matters to the attention of senior management and the board of directors. If these discussions do not resolve the examiner’s concerns, he or she will discuss the weaknesses with appropriate Department staff in order to determine the appropriate action the Department should take to ensure that the credit union corrects the deficiencies. These actions may include compelling a credit union to have a new audit performed by an independent public accountant who is acceptable to the Department.
The board of directors is also responsible for causing the shares, deposits, and loan accounts to be verified against the records of the credit union. The credit union must verify accounts that are currently outstanding, as well as those that members have closed since the prior closed account verification. The verification must be performed by a qualified person or committee in accordance with the procedures prescribed in Section 715.8 of the NCUA’s Rules and Regulations (12 CFR, Chapter VII, Part 715). The purpose of the verification is to detect errors, and it is also a good control to prevent fraud.
Account verification means requesting that members respond if the activity or balance on their statements is not accurate. The qualified person or committee may mail verifications to the members by either independently mailing a confirmation letter to the members, or by mailing the members’ statement of account along with a verification notice.
The qualified person or committee conducting the verification must ensure, at a minimum, the following controls:
- Be sure to use an independent address. This is true of both the return address on the envelope, and the contact person for problems.
- Do not use management or operating staff to prepare and mail the forms, or select the sample. In some cases, the qualified person or committee may require staff assistance. If so, staff should be well supervised.
- Select a date for the verification that is unknown to staff. Conducting the verification on a surprise basis allows little time to adjust or manipulate records prior to the verification.
- All information that is needed for the verification should be gathered at one time. If feasible, control should be maintained over all records while conducting the verification.
The date of the verification is at the Board’s discretion, as long as one is completed at least once every two years, or as otherwise specified in the credit union’s bylaws. The Board may want to consider completing the verification with the annual audit.
Retention of Records
The qualified person or committee must retain the records of each verification of members’ accounts until it completes the next verification of members’ accounts.
The annual audit and account verification complement the Department’s supervisory process and the credit union’s internal auditing program by identifying or further clarifying issues of potential concern or exposure. These programs also can greatly assist management in taking corrective action, particularly when weaknesses are detected in internal control or management information systems affecting financial reporting.