Risk Management
Creating an effective internal control system involves the people who design and implement the system, the policies and procedures that define and document how the internal controls are intended to be performed, and the systems and technology that facilitate the internal controls.
People
Employees at all levels play a role in establishing the internal control structure, whether they design or implement it. Ideally, all credit union officials and employees understand their role in the internal control process and are accountable for performing that role. Key stakeholders and their respective responsibilities include:
Board of Directors
The FCUA § 1761b(19) requires the board of directors to establish and maintain a system of internal controls. The board of directors sets the overall tone for the internal control environment. If the board of directors demonstrates honesty, integrity, and ethical behavior, management and employees are more likely to maintain those same values. An involved board of directors typically has a better understanding of credit union operations, which can lead to a better understanding of the need for strong internal controls. The example set by the board of directors is an important component of the control environment, and has a trickle-down effect to management and all employees.
The board of directors is responsible for establishing and maintaining a system of internal controls by:
- Understanding the importance of internal controls in establishing a sound operating environment
- Approving written policies that address key internal controls within the board of directors’ risk tolerance
- Holding senior management accountable for compliance with established internal control systems
- Supporting the supervisory committee as it evaluates organization-wide adherence to internal controls
Senior Management
Senior management communicates the ethics and values of the organization throughout all areas of credit union operations. They do this formally through written procedures, staff meetings, and internal memorandums, and informally as part of normal operations.
Senior management is responsible for maintaining a system of internal controls, which includes:
- Establishing procedures that incorporate sound internal controls
- Hiring qualified staff
- Training staff, including cross-training programs, to perform daily operations
- Holding employees accountable for compliance with established policies, procedures, and internal controls
- Tracking risk exposure changes in operations
- Reporting existing and potential risk to the board of directors
Supervisory Committee
A FCU’s supervisory committee is responsible for reviewing and monitoring internal controls. In particular, the committee is responsible for:
- Performing or obtaining an annual audit that is independent of the board of directors and senior management (FCUA 1761d, Supervisory committee; powers and duties; suspension of members; passbook)
  - Minimum audit procedures are detailed in NCUA regulation part 715, Appendix A: Supervisory Committee Audit—Minimum Procedures
- Verifying membership accounts every two years
- Resolving audit and exam findings
- Hiring an internal auditor, if necessary (with board of directors’ approval)
- Reviewing and appraising the work of internal audit staff
- Ensuring internal controls are established, effectively maintained, and are sufficient to guard against error, conflict of interest, self-dealing, and fraud
State law may not require a FISCU to have a supervisory committee. In some states, an audit committee can serve the basic functions of the supervisory committee. FISCUs may have more restrictive audit requirements based on applicable state laws.
Internal Auditor
A credit union may use an internal auditor to review credit union operations for weak controls and practices. The auditor may recommend improvements. Depending on the size and complexity of the credit union, the internal auditor may be a part-time employee, third-party vendor, or an entire department.
Internal auditors may be responsible for a variety of tasks, such as:
- Reviewing internal controls and operating procedures
- Verifying that appropriate policies and procedures are in place
- Developing an audit plan based on the risk present
- Testing internal controls
- Reporting all findings to the supervisory committee and appropriate personnel
- Following up on audit and exam recommendations for appropriate resolution
Other Staff
Credit union staff in roles not already discussed are responsible for understanding and acknowledging the internal control system, following established policies and procedures, and reporting non-compliance.
Prohibited Positions
The FCUA, NCUA regulations, and FCU Bylaws prohibit officials, credit union staff, and family members from serving in specific FCU roles. The chart below identifies such positions. For FISCUs, positions may be prohibited by applicable state law.
| Credit Union Position | Prohibition |
|---|---|
| Chief Executive Officer (CEO)/Management Official | Board Chair (Article VI Section 2, and Article VII Section 1) |
| Assistant Executive Officer/Assistant Management Official | Board Chair (Article VI Section 2, and Article VII Section 1) |
| Director | Employees, family members, or employees and family members cannot constitute a majority of the board (Article VI Section 2) |
| Board Chair | Management official and assistant management official (Article VI Section 2 and Article VII Section 1); Secretary (Article VII Section 1); Financial Officer (Article VII Section 1); Assistant Financial Officer (Article VII Section 6(f)(ii)); Assistant Secretary (Article VII Section 9) |
| Vice Chair | Secretary (Article VII Section 1); Financial Officer (Article VII Section 1); Assistant Financial Officer (Article VII Section 6(f)(ii)); Assistant Secretary (Article VII Section 9) |
| Financial Officer (Treasurer) | Board Chair (Article VII Section 1); Vice Chair (Article VII Section 1); Assistant Secretary (Article VII Section 9); Membership Officer (12 U.S.C. 1761b(1); Article VII Section 10); Supervisory Committee (Article IX Section 1) |
| Assistant Financial Officer | Board Chair (Article VII Section 6(f)(ii)); Vice Chair (Article VII Section 6(f)(ii)); Membership Officer (12 U.S.C. 1761b(1); Article VII Section 10) |
| Recording Secretary (Officer) | Board Chair (Article VII Section 1); Vice Chair (Article VII Section 1) |
| Assistant Secretary | Board Chair (Article VII Section 9); Vice Chair (Article VII Section 9); Financial Officer (Article VII Section 9) |
| Membership Officer | Board member paid as an officer or assistant (12 U.S.C. 1761b(1); Article VII Section 10); Financial Officer (12 U.S.C. 1761b(1); Article VII Section 10); Assistant Financial Officer (12 U.S.C. 1761b(1); Article VII Section 10); Loan Officer (12 U.S.C. 1761b(1); Article VII Section 10) |
| Executive Committee | Any officer or employee other than a director (only directors may serve on the executive committee) (Article VII Section 10) |
| Investment Committee | Any person compensated to be on the investment committee (there are no restrictions on who can be on the investment committee provided they are not compensated to be on the committee) (Article VII Section 11) |
| Supervisory Committee | More than one board member (only one board member may be on the supervisory committee) (12 U.S.C. 1761(b), Membership on supervisory committee; names and addresses of officers and committee members; Article IX Section 1); Financial Officer (Article IX Section 1); Compensated officer of the Board (12 U.S.C. 1761(b); Article IX Section 1); Member of the credit committee (Article IX Section 1); Employee of the credit union (Article IX Section 1) |
| Credit Committee | More than one loan officer (only one loan officer may be on the credit committee) (12 U.S.C. 1761c(a), Members; meetings; lines of credit and approval of loans; delegation to loan officers; Article VIII Section 4) |
| Compensated Auditor | A compensated auditor who performs a supervisory committee audit on behalf of a credit union shall not be related by blood or marriage to any management employee, member of either the board of directors, the supervisory committee or the credit committee, or loan officer of that credit union (12 CFR 715.9, Assistance from outside, compensated person; this limitation also applies to FISCUs under 12 CFR 715.6(c), Other requirements) |
Policies and Procedures
Policies
A credit union’s board of directors establishes policies governing credit union operations. Well-written policies are the foundation of a sound internal control system.
Sound policies address:
- Compliance with laws and regulations
- Authority and responsibilities
- Risk tolerances
- Approval and reporting of policy exceptions
NCUA regulations require credit unions to establish certain policies. The list below provides a sample of operational areas and the regulations that govern a credit union’s internal control policies over that operational area.
- Lending—§ 701.21(c)(2), Credit applications and overdrafts, for FCUs; and § 741.3(b)(2) for FISCUs
- Commercial Lending—§ 723.4, Commercial loan policy, for most federally insured credit unions; and § 723.10, State regulation of business lending, for rules related to state-chartered credit unions
- Investments—§ 703.3, Investment policies, for FCUs; and § 741.3(b)(3) for FISCUs
- BSA Compliance—§ 748.2, Procedures for monitoring Bank Secrecy Act (BSA) compliance, for all federally insured credit unions
- Privacy of consumer information—Part 748, Appendix A, Guidelines for Safeguarding Member Information
Some credit unions are exempt from § 723.4, Commercial loan policy. For more information, see § 723.1(b), Credit unions and loans covered by this part.
While regulation requires policies for select areas of operations, regulation is not the only reason to establish strong internal controls. Policies and procedures—the keystone of a strong internal controls program—guide credit union staff in their daily activities, provide direction, and mitigate risk while the credit union realizes its objectives.
Controls over technology are increasingly important and a credit union following best practices will integrate technology controls into its control activities and policies.
Sarbanes-Oxley Act of 2002
SOX was designed to improve the corporate governance, financial disclosures, and auditing relationships of public companies. While SOX and the SEC’s implementing regulations do not apply specifically to FCUs, certain provisions may be appropriate to consider for some FCUs.
Sound FCUs periodically review their policies and procedures as they relate to corporate governance and auditing. The two relevant sections of SOX for credit unions include recordkeeping and whistleblower provisions.
Additionally, well-run FCUs maintain awareness of the requirements outlined in SOX, as many third parties are subject to the financial disclosure and auditing requirements.
Procedures
Senior management establishes procedures to implement board-approved policies. The procedures will vary depending upon the operations as well as the size and complexity of the credit union.
Examples of internal controls that are adopted by well-run credit unions are described below. This list is not exhaustive.
- General controls
  - Active board of directors and supervisory committee
  - Annual policy review by the board of directors
  - Board of directors conducts annual performance appraisal of manager
  - Effective and independent audit program
  - Board of directors approved business continuity plan
  - Budget and strategic plan
- Personnel
  - Insider account reviews by the supervisory committee or internal audit
  - Restricted access to own and family member accounts
  - Requirement to take at least five consecutive days of vacation annually
  - Cross-training and job rotation
  - Background checks, bondability verification, and verification of previous employers and references before hiring
  - Bondability verification for board members
  - Conflict of interest and anti-fraud policies
- Recordkeeping
  - Maintenance of supporting documentation—for example, invoices, transaction logs, audit workpapers
  - Board of directors’ review of financial statements, budget variance reports, and financial ratios and trends
  - Board of directors’ approval for large expenditures
  - Policy limits, restrictions on personal use, documentation requirements (receipts), and approvals for corporate credit cards
  - Segregation of duties
  - Physical counts of cash and monetary items
  - Reconciliations and trial balances
  - Access controls
- Lending
  - Policies and procedures for all loan types offered
  - Documented approval authority
  - Segregation of duties
  - Independent review of file maintenance reports for loan-related changes
- Third Party—Initial due diligence:
  - Conduct planning and risk assessment
  - Review financial projections
  - Conduct background check and verify references
  - Review business model and cash flows
  - Financial/operational control review
  - Contract issues and legal review
  - Identify accounting considerations
  - Technology review
- Third Party—Ongoing responsibilities:
  - Establish controls
  - Perform ongoing service provider oversight
-
Systems/Technology
A credit union’s data processing system produces a majority of the reports for monitoring internal controls including, but not limited to:
- File maintenance
- Intrusion detection
- Firewall and system intrusion attempts
- Supervisory override
- Exceptions
- User access limitations
- Dormant accounts
- New and closed loans
- New and closed membership accounts
Ideally, these reports are produced regularly and reviewed by personnel independent of the function.
Additionally, sound credit unions implement controls over systems and technology, including:
- Hard-to-guess passwords or passphrases that are frequently changed (note that NIST SP 800-63B now advises against routine periodic rotation in favor of length, screening against breached-password lists, and rotation on suspected compromise)
- Computer access controls and levels (user profiles)
- Administrator function controls—such as Active Directory, core, and payments systems
- Independent review of IT employee transactions
- Appropriate policies covering use of credit union computers and information, privacy, and data retention
- Procedures for regularly updating systems and security
For further information about IT controls, see the Information Technology (PDF) chapter of the Examiner’s Guide.
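The file maintenance, supervisory override, and exception reports listed above, together with the personnel and lending controls described earlier (restricted access to own and family member accounts, independent review of file maintenance reports, and independent review of IT employee transactions), are only useful if someone actually builds and reads them. The following is an added example of how those three exception reports can be generated from core-system audit records; it is not code from the Examiner’s Guide or from any core processor. The log format, field names, event codes, the employee-to-account roster, and the role names are all assumptions, and the log lines are constructed for illustration.

```python
"""Build internal-control exception reports from core-system audit log lines.

Added example; not from the NCUA Examiner's Guide. The CSV layout, event
codes, roles, and the insider-account roster are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log (assumed layout: ts,user,role,event,account,detail).
SAMPLE_LOG = """\
ts,user,role,event,account,detail
2024-03-04T09:01:10,tlr_ana,teller,TXN,100200,withdrawal 400.00
2024-03-04T09:05:42,tlr_ana,teller,OVERRIDE_REQ,100200,limit exceeded
2024-03-04T09:05:50,tlr_ana,teller,OVERRIDE_APPROVE,100200,limit exceeded
2024-03-04T10:12:03,tlr_ben,teller,FILE_MAINT,300300,address change
2024-03-04T10:12:09,tlr_ben,teller,FILE_MAINT,300301,phone change
2024-03-04T11:40:00,it_cara,sysadmin,TXN,400400,transfer 250.00
2024-03-04T11:45:00,tlr_dan,teller,OVERRIDE_REQ,500500,limit exceeded
2024-03-04T11:45:30,sup_eve,supervisor,OVERRIDE_APPROVE,500500,limit exceeded
2024-03-04T12:00:00,tlr_ben,teller,TXN,600600,deposit 50.00
"""

# Constructed roster: accounts owned by each employee or their family members.
# Assumption: HR and the core system would supply this mapping in practice.
INSIDER_ACCOUNTS = {
    "tlr_ana": {"100200"},
    "tlr_ben": {"300300", "300301"},
    "it_cara": set(),
}

# Roles that should never post financial transactions themselves.
NON_OPERATIONS_ROLES = {"sysadmin"}


@dataclass(frozen=True)
class Finding:
    report: str
    user: str
    account: str
    reason: str


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def insider_account_activity(rows):
    """Report A: any employee activity on their own or a family member's account."""
    return [
        Finding("insider_account", r["user"], r["account"], f'{r["event"]}: {r["detail"]}')
        for r in rows
        if r["account"] in INSIDER_ACCOUNTS.get(r["user"], set())
    ]


def self_approved_overrides(rows):
    """Report B: supervisory override approved by its own requester, or by a
    user whose role is not supervisor (segregation-of-duties failure)."""
    pending = {}  # account -> user who requested the override
    findings = []
    for r in rows:
        if r["event"] == "OVERRIDE_REQ":
            pending[r["account"]] = r["user"]
        elif r["event"] == "OVERRIDE_APPROVE":
            requester = pending.pop(r["account"], None)
            if requester == r["user"]:
                findings.append(Finding("supervisory_override", r["user"], r["account"],
                                        "requester approved own override"))
            elif r["role"] != "supervisor":
                findings.append(Finding("supervisory_override", r["user"], r["account"],
                                        f'approved by non-supervisor role {r["role"]}'))
    return findings


def it_staff_transactions(rows):
    """Report C: financial transactions posted by IT/system administrator accounts,
    which the guide says should receive independent review."""
    return [
        Finding("it_transaction", r["user"], r["account"], r["detail"])
        for r in rows
        if r["role"] in NON_OPERATIONS_ROLES and r["event"] == "TXN"
    ]


def build_reports(text):
    """Group all findings by report name so an independent reviewer can work each list."""
    rows = parse_log(text)
    findings = insider_account_activity(rows) + self_approved_overrides(rows) + it_staff_transactions(rows)
    by_report = defaultdict(list)
    for f in findings:
        by_report[f.report].append(f)
    return dict(by_report)


if __name__ == "__main__":
    for name, items in sorted(build_reports(SAMPLE_LOG).items()):
        print(f"== {name} ({len(items)})")
        for f in items:
            print(f"  {f.user:8} {f.account}  {f.reason}")
```

On the constructed log, report A flags every touch tlr_ana and tlr_ben made to their own accounts (including the file maintenance changes), report B flags tlr_ana approving her own override while sup_eve's approval of tlr_dan's request passes, and report C flags the transfer posted by the sysadmin account. The point of keeping the reports as returned data rather than printed text is that the reviewer independent of the function can be someone, or something, other than the person who runs the job.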