Key Components

While each credit union can establish a system of internal controls that is suited to its size and operations, a number of elements are common among all effective internal control systems. Effective internal control systems will include the following key components:

• Control Environment

• Risk Assessment

• Control Activities

• Accounting, Information, and Communication Systems

• Monitoring Activities

The internal control elements described in this guide are derived from the Committee of Sponsoring Organizations of the Treadway Commission – Framework on Internal Controls. This framework is widely recognized throughout the financial services industry as an authoritative source on the internal control process.

Control Environment

A control environment is the foundation for an effective system of internal controls. A sound control environment provides reliable financial reporting, fosters compliance with applicable laws and regulations, and safeguards assets. Indicators of a sound control environment include:

• Commitment to integrity and ethical values (tone at the top)

• Board of directors’ oversight of management

• Commitment to attract, develop, and retain competent individuals in alignment with objectives

• Accountability for internal control responsibilities

• Clear organizational structure and reporting lines

• Proper assignment of authority and responsibility

• Personnel policies and a training program that, at a minimum, addresses sexual harassment, violence in the workplace, and dealing with the media

• Regular, independent audits and examinations

• Educated and active supervisory committee (if applicable)

Risk Assessment

Risk assessment is the ongoing, written process of identifying variables that have the potential to impact the credit union’s ability to conduct business. Assessing risk requires management to:

• Specify objectives—for example, operational, financial, and compliance objectives

• Identify potential internal risks, such as the introduction or cancellation of products and services, external risks, and how best to manage them

• Estimate the significance of each risk they can prudently accept

• Assess the likelihood of the occurrence of a risk event, including fraud

• Implement control activities or take other steps to accept, avoid, transfer, or mitigate those risks

• Update risk assessments in response to changes in the business and operational environment

• Document and maintain support for the risk assessment

The board of directors reviews risk assessment objectives, mitigating controls, and remaining risk exposure. Through this review process, the board indicates acceptance of risks that are not fully mitigated or provides additional guidance to management on necessary action. The risk assessment process is expected to be less formal in smaller institutions and more formalized in larger complex institutions.

Control Activities

Control activities are the policies and procedures established by credit union management and board of directors to protect the integrity of operations, safeguard assets, and hold staff accountable. Sound internal controls provide a working environment where opportunities to exploit weaknesses and controls for personal gain are mitigated. User access control is an example of an internal control that limits the access to systems and data to those users with roles and duties that require access.

Control activities are typically categorized as directive, detective, corrective, or preventative. These controls may be automated, manual, or a hybrid of both.

• Directive controls ensure a particular outcome is achieved. Some examples include the development of policies, guidelines, and training.

• Detective controls are structured to detect errors or irregularities that may have occurred. Smaller credit unions can rely more heavily on detective controls to mitigate risk given their limited ability to segregate duties.

• Corrective controls are intended to correct errors or irregularities that have been detected. An example is the implementation of controls resulting from weaknesses identified during an audit or examination.

• Preventative controls keep errors and irregularities from occurring, but may be cost prohibitive. Thus, effective supervisory committee oversight is crucial to minimize risk. A supervisory committee may consider using an outside audit firm if they lack the technical expertise or time to perform this function.

Effective controls function consistently and are:

• Appropriate for a credit union’s size and complexity

• Directly related to a control objective

• Derived from an identified risk

Credit unions may also perform a cost/benefit analysis for proposed controls. Excessive controls can be costly and counterproductive, and minimal controls can present undue risk.

Control activities may include, but are not limited to:

• Segregating duties

• Establishing and managing access controls—for example, to the building, vault, and data processing systems

• Conducting independent internal reviews

• Completing member account verifications

• Ensuring proper documentation

• Maintaining trial balances

• Preparing timely reconciliation

• Approving authority limitations

Accounting, Information, and Communication Systems

Internal controls and financial reporting depend on efficient and secure information and communication systems for data that is available and timely. Accounting, information, and communication systems capture and distribute the credit union’s information to enable a credit union’s board of directors, supervisory committee, management, employees, and regulators to carry out their responsibilities.

Accounting systems contain the methods and records that identify, assemble, classify, record, and report a credit union’s transactions. Instituting appropriate internal controls involves determining and defining role-specific information and making it available to the right people at the right time.

Monitoring Activities

Monitoring is the board’s oversight of the internal control system’s performance. It is the board's responsibility to examine the operation of the credit union’s internal controls to verify controls are operating as intended. This verification can be as simple as the supervisory committee audit or as complex as having an internal audit department which reports to the board. The verification of the internal controls in place will depend upon the size and complexity of the credit union.

Management is responsible for the implementation and maintenance of the internal controls, including making changes to controls when appropriate. Internal and external audit functions, as part of the monitoring system, may provide independent assessments of the quality and effectiveness of a control system’s design and performance. When monitoring reveals control weaknesses or deficiencies, a credit union following best practices will communicate those issues to appropriate staff. Supervisory committee members and the board of directors monitor management’s corrective actions to address control concerns.

Credit unions of all sizes can implement internal controls that reduce the risk of undetected fraud or inaccurate financial statements. For small credit unions, an active board of directors and supervisory committee are key to an effective internal control program.

Last Updated on October 14, 2021