Exam Procedures
The NCUA examines the supervisory committee to assess whether the institution operates with appropriate oversight and controls that support the NCUA’s reliance on credit union records and management’s representations. NCUA staff may reduce reviews and transactions testing and place increased reliance on the work performed by the supervisory committee when the committee is active and performs regular reviews.
In addition, the NCUA examines whether a credit union is meeting regulatory requirements, and whether the supervisory committee is satisfying its obligations. Examiners accomplish this by assessing a supervisory committee’s work as documented by:
-
The annual audit
-
MAV
-
Internal control testing
-
Process for ensuring member complaints are resolved in a timely manner
The result of the examination will help an examiner determine if a supervisory committee is fulfilling its responsibilities. If not, the examiner may recommend process improvements or administrative action depending upon the severity of deficiencies.
Review Supervisory Committee
NCUA examiners are required to evaluate the effectiveness of the supervisory committee at each exam in accordance with the NCUA Instruction 5000.20,
People to Interview
Meet with the committee chair to gain an understanding of the supervisory committee’s activities and how the committee operates.
Documents to Review
-
Supervisory committee meeting minutes to determine the types and frequency of activities being performed
-
Supervisory committee work plan to determine the scope of reviews planned to be performed
-
Verification of member accounts for timeliness, accuracy, completeness, and compliance with FCUA § 1761d, Supervisory committee; powers and duties; suspension of members; passbook, and NCUA regulation § 715.8, Requirements for verification of accounts and passbooks
-
Audit and MAV workpapers
-
Reconciliation of the totals from the member statement report (print processor) to the share and loan trial balance and general ledger for the period covered
-
Supervisory committee reports to the board of directors and membership to inform the board of how internal controls operate and educate members on supervisory committee activities at their annual meeting
The supervisory committee is required to report to the board of directors upon completion of the audit. For more information, see NCUA regulation § 715.10, Audit report and working paper maintenance and access. The supervisory committee is also responsible for the verification of member accounts. For more information, see NCUA regulation § 715.8, Requirements for verification of accounts and passbooks.
The supervisory committee should also report any supplementary audits to the board of directors.
Review Audit Activities and Reports
Examiners begin their evaluation of a supervisory committee’s audit activities and reports by reviewing, when available, the internal audit plan/charter and selecting internal audits for analysis of the internal audit program’s framework.
Prerequisites
Obtain the audit report and workpapers directly from the auditor.
Documents to Review
-
Other Supervisory Committee Audits—see § 715.7, Supervisory Committee alternatives to a financial statement audit
Engagement Letters
Engagement letters can provide an examiner with information such as the audit scope and its limitations—including omission of auditing procedures—the audit period and expected reports. Omitted procedures may result in NCUA staff expanding reviews in the areas not included in the audit.
Examiners should review engagement letters to:
-
Determine if they comply with the minimum requirements set forth in §§ 715.9(b), Engagement letter, through 715.9(e), Exclusions from scope
-
Confirm the supervisory committee met with the external auditor at the end of the audit to verify the auditor complied with the terms of the engagement letter
Audit Workpapers
Examiners review audit workpapers to:
-
Gain assurance of the reliability of the financial statements
-
Obtain an understanding of the scope and quality of an audit
-
Assist in determining the scope for risk-focused examinations—the scope for a SCUEP exam is set and identified in the SCUEP-Defined Scope Procedures job aid.
To start a review of audit workpapers, examiners contact the supervisory committee early in the examination process to determine:
-
Who completed the audit
-
The qualifications of those who completed the audit
-
How the auditor was selected
-
How to arrange for access to the workpapers if a review is desired or required
Access can be at the credit union office, the auditor’s office, another mutually agreeable location, or provided electronically. The ability to review audit workpapers is a requirement that must be stipulated in an auditor’s engagement letter. For more information, see NCUA regulation § 715.9(c)(7).
Examiners do not sign any document or release for access to audit workpapers. Contact the EIC or a supervisor for guidance if an external auditor asks you to sign for access. For more information, see the NSPM.
A review of the audit workpapers is not required if a state-licensed person performed the annual audit. Examiners include the following materials in a review of workpapers:
-
The engagement letter
-
The audit report and any accompanying management letter
-
Materiality calculation, found in the workpapers
-
Preliminary risk assessment—Auditors’ preliminary risk assessment results help plan the substantive procedures performed during the audit
-
Review of risk assessment may also reveal areas which were not substantively tested
-
Those areas not tested might be considered for review during the examination
-
-
The audit plan and scoping—Auditors should have documentation within the workpapers to support every step in the audit plan
-
A sample of specific documentation
-
The audit procedures performed will depend on the auditor’s assessed level of risk for each area—documentation and audit testing generally include evidence that:
-
All cash and investment accounts were reconciled and confirmed directly with the institution and/or the safekeeper
-
All material general ledger accounts were reconciled with supporting subsidiary ledgers
-
Significant transactions were traced to source documents
-
The ALLL methodology and adequacy was analyzed and verified
-
Share and loan trial balances were tied to appropriate general ledger accounts with an adequate sample of loans reviewed for documentation adequacy
-
For more information, see AU-C Section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained.
-
Auditors reviewed and maintained documentation of any off-balance sheet items including any lines of credit, notes, contracts, lawsuits or contingent liabilities
-
Any audit journal adjustments and/or any past journal entries
-
Examiners should maintain documentation of their review of the audit workpapers
-
Examiners may use the Supervisory Committee General Responsibilities job aid to assist with the review
Auditors are generally willing to answer questions related to their audits. If an examiner feels an audit is missing material steps or if work performed does not appear adequate, they may discuss this with the auditor, who may be able to provide more information, documentation, or support of any steps the examiner believes are missing, explanation of the workpapers and/or rationale for any reduction or limitation in the audit scope. If audit steps remain incomplete or concerns are noted with audit work or scope, examiners can arrange for the supervisory committee or internal audit department to complete the missing steps.
Examiners discuss any concerns regarding the audit with their supervisor and follow the NSPM concerning unacceptable audits. Such audits may be completed by the supervisory committee or an external auditor that is not a licensed independent auditor or CPA. The NSPM requires the examiner to:
-
Notify their supervisor
-
Determine if the audit can be corrected in a timely manner—if not, discuss alternatives with their supervisor
-
Rate transaction risk as high, or document the rationale for a different risk rating
-
Prepare a DOR that:
-
provides a reasonable time period for the supervisory committee to correct deficiencies (not longer than 120 days from the completion date
-
requires the supervisory committee to provide the examiner a monthly status report of their progress resolving audit deficiencies
-
-
Complete a follow-up supervision contact within 60 days of the DOR due date
The Examination Report section of the NSPM requires proper identification and comprehensive documentation of all material concerns, including an unacceptable audit.
Internal Audit Department
To determine if a credit union has proper internal controls, examiners can evaluate the effectiveness of the internal audit department, quality of the work performed, and knowledge and independence of the internal audit staff. As part of the review, examiners determine if internal auditors have developed a risk assessment that evaluates credit union operations and business units and identifies areas that may expose the credit union to the highest risk. Examiners evaluate the adequacy of the risk assessment and audit plan, which is derived from the risk assessment.
Examiners reviewing an internal audit department:
-
Obtain the audit charter and/or plan and verify it includes:
-
Credit union’s potential areas subject to audit such as financial and key operational systems
-
Definitions of factors used in assessing risk
-
Quantified potential risk associated with each of the defined audit areas
-
Information indicating audit staff possess adequate expertise to complete reviews
-
-
Obtain the audit schedule and verify it provides or defines:
-
Adequate allocation of internal audit resources according to established priorities
-
Feasible timelines to accomplish deliverables
-
Frequency of specific reviews
-
-
Obtain the audit progress report to confirm audit schedule is on track to meet established goals
-
Obtain risk assessment for each department—guidelines should specify:
-
Maximum length for audit cycles, based on the risk
-
For example, some institutions set audit cycles at 12 months or less for high-risk areas, 24 months or less for medium-risk areas, and up to 36 months for low-risk areas
-
Audit cycles should not be open-ended
-
-
The timing of risk assessments for each department or activity
-
Risks are normally assessed each year, but more frequent assessments may be necessary if a credit union experiences rapid growth or a significant change in operation or activities
-
-
Documentation requirements to support risk scoring decisions
-
Guidelines for overriding risk assessments in special cases and the circumstances under which they can be overridden
-
For example, the guidelines should define who can override assessments and how an override is approved, reported, and documented
-
-
-
Obtain any documentation regarding supervisory committee authority and oversight to confirm that the work performed is an authorized activity
-
The internal audit plan is approved by the supervisory committee and provides sufficient information on the audit/task scope, objectives, and resource restrictions—such as allocated hours and expected completion date—so the internal auditors will have a clear understanding of the supervisory committee’s expectations
-
-
Obtain audit work programs that serve as the primary evidence of the audit procedures planned and performed to define the scope of the audit review
-
The scope should encompass the risks identified in the risk assessment—most audit work programs should include:
-
Surprise cash audits
-
Maintenance of control over records selected for audit
-
Review and evaluation of the credit union's policies and procedures and the system of internal control
-
Review of reconciliations of transaction accounts
-
Verification of selected transactions or balances
-
-
-
Obtain completed audit reports and supporting workpapers
-
The audit report notes areas of review and any findings identified in the audit
-
Audit workpapers identify the scope/audit plan, who performed the audit work, who supervised the work, and the results of any testing
-
-
Obtain a tracking report that indicates management’s resolution of any findings or recommendations identified in an internal audit
The timing of interim audits will vary based on other internal audit responsibilities, such as primary follow-up on audit and examination findings, meetings with examiners, and member complaints.
Annual Audits
For annual audits, examiners review the audit to:
-
Determine whether the audit meets the requirements of NCUA regulation part 715, Supervisory Committee Audits and Verifications
-
Identify any findings that require follow up
-
Determine whether there are any relevant areas—internal controls, accuracy of financial statements, and accounting transactions prepared by management—that were not reviewed as part of the audit
-
Review the annual audit engagement letter for compliance with NCUA regulations §§ 715.9(b), Engagement letter, and 715.9(c), Contents of letter
-
Review the audit report and workpapers for timeliness, accuracy, completeness, and compliance with the FCUA § 1761d, Supervisory committee; powers and duties; suspension of members; passbook, and NCUA regulation § 715.4, Audit responsibility of the Supervisory Committee.
Any findings or issues will provide an indication of management’s ability to maintain accurate financial reporting and adequate internal controls.
Other Supervisory Committee Audits
Other supervisory committee audits are also referred to as agreed-upon procedures audits.
The Other Supervisory Committee Audit, Minimum Procedures Guide provides a simplified list of procedures examiners will use to:
-
Evaluate the audit report and verify the minimum procedures have been completed and documented
-
Determine if individuals performing the work used procedures adequate to fulfill the scope requirements (that is, can users place full reliance on the procedures performed)
-
Assess the adequacy of the audit to verify it meets the requirements of § 715.7, Supervisory Committee alternatives to a financial statement audit
NCUA published the Other Supervisory Committee Audit, Minimum Procedures Guide to aid federally insured credit unions and others in performing procedures that would meet the minimum requirements of part 715, Appendix A: Supervisory Committee Audit—Minimum Procedures.
A CPA’s report will document the procedure performed and the results of those procedures; however, the CPA will not exercise judgment as to the adequacy of the ALLL or the fair presentation of the financial statements.
A supervisory committee cannot delegate its responsibility to ensure the scope of work in the agreed-upon procedures audit meets the minimum requirements of NCUA regulation part 715, Supervisory Committee Audits and Verifications, to an independent auditor. Examiners direct findings and exceptions about scope to the supervisory committee, not the independent auditor.
-
Determine if the audit is acceptable
-
If the supervisory committee audit meets the requirements and is competently performed by the supervisory committee or its designated auditor, the audit is considered acceptable
-
An unacceptable audit does not meet the requirements, but exact acceptability standards for audits performed in credit unions do not exist
-
Examiners must judge the risk and exposure in each case to determine if an audit fulfills the NCUA regulation’s requirements
-
-
The Other Supervisory Committee Audit, Minimum Procedures Guide , identifies minimum procedures for a supervisory committee audit
-
If an independent auditor did not meet the obligations outlined in the engagement letter, or an examiner has concerns about an auditor’s independence or thoroughness, examiners should follow the procedures outlined in the NSPM for taking action regarding the independent auditor
-
Determine if the supervisory committee properly documented the completed audit procedures in workpapers included in the audit report (all material accounts or services should be reviewed)
SCUEP Defined-Scope Exams
Audits performed by a credit union's supervisory committee are subject to a full-scope general ledger review as described in NCUA Instruction 5000.20,
Last updated on October 14, 2022.