Risk Management

A credit union’s ability to effectively manage the risks associated with the supervisory committee’s responsibilities depends on the following key elements:

People

Board of Directors

While the supervisory committee oversees the board of directors, the board is ultimately responsible for ensuring the supervisory committee fulfills its role and duties. In this way, the board and supervisory committee serve as a system of checks and balances.

The supervisory committee documents its work and provides reports to the board, including:

  • Work reports

  • Internal and external audit reports

  • MAV

  • Committee meeting minutes

The supervisory committee also presents a report of its activities and audit results at the annual membership meeting. Annual audits and ongoing reviews validate management’s representations.

The board reviews these materials to stay apprised of how internal controls are operating and may determine that the supervisory committee—or any committee member—is not fulfilling its responsibilities. The board has the authority to suspend a supervisory committee member by a majority vote, but the suspension must be acted upon by the credit union members at a special meeting. For more information, see FCUA § 1761d, Supervisory committee; powers and duties; suspension of members; passbook.

Internal Auditor

Credit unions may employ internal auditors or outsource the internal audit function to a third party to perform some of the committee’s oversight responsibilities and monitor internal controls. Internal auditors report directly to the supervisory committee and are independent of management and the board of directors.

Independence protects the internal audit function from management influence. See Internal Audit Department for more information.

External Auditor

NCUA regulations §§ 715.5, Audit of Federal credit unions, and 715.6, Audit of Federally-insured State-chartered credit unions, require some federally insured credit unions to engage an external auditor to perform the annual audit and biennial MAV.

NCUA regulation § 715.9(a), Unrelated to officials, states that a compensated auditor may not be related by blood or marriage to:

  • Any management employee

  • A member of

    • the board of directors

    • supervisory committee

    • credit committee

  • A loan officer of the credit union

NCUA regulations §§ 715.9(b), Engagement letter and 715.9(c), Contents of letter, discuss engagement letter specifications. For more information, see Engagement Letters and Audit Workpapers.

Policies and Processes

Ideally, internal controls are part of the policies and procedures governing every operational area—for example, lending, cash, and investments. Good internal control policies and/or procedures address:

  • Segregation of duties

  • Systems access

  • Approvals

  • Override abilities

  • Reporting

At larger credit unions, management may adopt detailed, written procedures. Prudent credit unions have policies that are approved by the board of directors.

As part of its responsibility to review internal controls, a supervisory committee verifies that adequate internal controls are in place and operate in compliance with credit union policies and processes.

Audit Program Charter

Credit unions with a formal internal audit function may have an internal audit charter, which is a written document that authorizes the audit program and defines the program’s:

  • Mission

  • Goals

  • Roles

  • Responsibilities

  • Schedule

  • Reporting

  • Independence

  • Scope

Generally, internal auditors develop the internal audit charter, which is approved by the supervisory committee. It provides a framework for managing risk by reviewing and testing internal controls.

Credit unions that do not have a formal internal audit function may establish a work plan or program to address the schedule and procedures for testing internal controls by the supervisory committee throughout the year. The supervisory committee develops and manages the work plan. The committee may solicit recommendations or input from management when developing the work plan, but the committee’s independence is importance because they have ultimate responsibility for the plan.

Vendor Management Policy

A credit union’s vendor management policy provides guidelines for selecting and monitoring vendors that perform any audit function. An effective policy directs the supervisory committee to solicit proposals from a range of potential vendors and to verify that the selected external auditor has relevant experience, independence, and industry expertise.

Member Complaint Policy

A credit union’s member complaint policy governs how the credit union receives, reviews, and attempts to resolve complaints from members. The policy defines roles and responsibilities, including timelines for responding to complaints.

Credit unions may consider developing a member complaint policy that follows the NCUA’s guidance on processing consumer complaints. For more information, see NCUA Letter to Credit Unions 15-CU-04, Improving the Process for Consumer Complaints. This letter details best practices for handling consumer complaints and may serve as a resource for policy development.

Systems/Technology

The supervisory committee has the audit responsibility for adequate internal controls. The committee assesses the accuracy, reliability, and security of a credit union’s data processing and financial reporting systems. These systems are used to process and store member data and accounting records.

Securing systems access minimizes the risk of compromised or manipulated data. For example, internal controls for these systems would include adequate training, password protection, role-based access, and dual controls/supervisor approvals for certain transactions. A supervisory committee regularly reviews and tests the system parameters for each employee to verify the employee has the appropriate access and privileges. After an employee leaves or is terminated, the supervisory committee should review the system parameters to confirm the former employee no longer has access.

Supervisory committees and internal auditors have a broad array of control-related reports to help evaluate the quality of electronic reporting, depending on the size of the credit union and its data processing system. Some reports generated by the data processing system and reviewed by the supervisory committee may include, but are not limited to:

Last updated on October 14, 2022.