Internal Controls

An internal control is a process or procedure that a credit union’s board of directors, management or other personnel establishes to provide reasonable—not absolute—assurance over the effectiveness of operations. Specifically, credit unions implement internal controls to:

• Safeguard assets

• Maintain accurate and reliable financial data

• Promote operational efficiency

• Comply with applicable laws and regulations

• Maintain adherence to board-established policies

Internal controls minimize the risk of errors and fraud, and increase the chances of detecting errors or fraud if they do occur.

The extent and formality of any internal control system will depend largely on a credit union’s size, as well as the sophistication of its operations, number of employees, and risk profile. In other words, small credit unions may require less formality and structure in their internal control systems, whereas a large credit union may require more formality and structure. The primary goal is to determine if the internal control system is adequate to ensure safe and sound credit union operations.

An internal control weakness occurs when management fails to correctly design or implement a control. Examples of internal control weaknesses include:

• Lack of segregation of duties

• Missing proper approvals

• Inadequate safeguarding of assets

• Insufficient access controls

A strong internal control environment fosters accurate financial reporting and deters fraud. The NCUA evaluates a credit union's system of internal controls in order to assess the reliability of the institution's financial data and its operational effectiveness.

Assessing a credit union’s internal control environment plays an important part in identifying the level of risk at the credit union and determining the scope of testing procedures that examiners will perform. Examiners base the scope, type, and depth of an internal control review on the credit union’s size, complexity, range of activities, known weaknesses, and risk profile.

Weak internal controls can create an environment of elevated risk. The FCUA § 1761b(19) requires the board of directors of each FCU to establish and maintain a system of internal controls consistent with the regulations of the NCUA Board. NCUA regulation § 715.3, General responsibilities of the Supervisory Committee, requires each FCU’s supervisory committee to determine if established internal controls are effectively maintained to achieve financial reporting objectives, and establish practices and procedures sufficient to safeguard members' assets.

Per NCUA regulation part 715, Appendix A: Supervisory Committee Audit—Minimum Procedures, practices must be sufficient to satisfy the requirements of the supervisory committee audit, the verification of members' accounts and its additional responsibilities.

This section of the Examiner's Guide addresses the following topics:

• Key Components

• Primary Risks

• Risk Management

• Exam Procedures

• Workpapers and Resources

Last Updated on October 14, 2021