[Federal Register Volume 61, Number 154 (Thursday, August 8, 1996)] [Rules and Regulations] [Pages 41312-41326] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 96-19511] ======================================================================= ----------------------------------------------------------------------- NATIONAL CREDIT UNION ADMINISTRATION 12 CFR Part 701 Supervisory Committee Audits and Verifications AGENCY: National Credit Union Administration (NCUA). ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The National Credit Union Administration (NCUA) is amending its regulations governing credit union supervisory committee audits and verifications. The final amendments clarify existing audit scope; expand audit scope and reporting requirements for compensated auditors only; require a comprehensive engagement letter setting forth minimum contracting terms and conditions; clarify existing working paper access requirements; expressly state available administrative sanctions for failure to comply with supervisory [[Page 41313]] committee audit requirements and working paper access requirements; and add relevant definitions of accounting/auditing terms use throughout the regulation. EFFECTIVE DATE: December 31, 1996. FOR FURTHER INFORMATION CONTACT: Karen Kelbly, Accounting Officer, Office of Examination and Insurance (703) 518-6360, or Michael McKenna, Attorney, Office of General Counsel (703) 518-6540, at 1775 Duke Street, Alexandria, Virginia 22314-3428. SUPPLEMENTARY INFORMATION: A. Background Section 701.12 of NCUA's Regulations sets forth the supervisory committee's responsibility in meeting the audit and verification requirements of section 115 of the Federal Credit Union Act, 12 U.S.C. Sec. 1761d. A supervisory committee audit is required at least once every calendar year covering the period since the last audit. The scope of the audit must be sufficient, at a minimum, to test the federal credit union's assets, liabilities, equity, income, and expenses for existence, proper cut off, valuations, ownership, disclosures and classification, and internal controls. Section 741.202 of NCUA's Rules and Regulations, 12 CFR 741.12, make these requirements applicable to federally insured state-chartered credit unions. NCUA continues to have concerns with the scope of the supervisory committee audit and with access to working papers supporting such audits. The Board felt there was a need to amend the regulation because:Many supervisory committee audits have been inadequate; Examiners have been placed in the position of brokering disputes between external auditors and supervisory committees relative to audit inadequacy; The standards supervisory committee have been held to are not definitive; Examiner access to ``proprietary working papers'' has been limited; Greater uniformity in audit scope is needed; and The addition of definitions is needed to enhance clarity. Consequently, on October 19, 1995, the Board issued proposed amendments to the regulation governing credit union supervisory committee audits and verifications (Section 701.12 of NCUA's Regulations) 60 F.R. 55663 (November 2, 1995). On December 19, 1995, the Board extended the comment period to January 18, 1996. 60 F.R. 66952 (December 27, 1995). The proposed amendments: (1) clarified existing audit scope; (2) expanded audit scope and reporting requirements for compensated auditors only; (3) required a comprehensive engagement letter setting forth minimum contracting terms and conditions; (4) clarified existing working paper access requirements; (5) expressly stated available administrative sanctions for failure to comply with supervisory committee audit requirements and working paper access requirements; and (6) added relevant definitions of accounting/auditing terms used throughout the regulation. B. Comments One hundred and eighteen comments were received. Comments were received from sixty-nine federal credit unions, nine state chartered credit unions, twenty-one state leagues, four national credit union trade associations, eleven certified public accounting firms, one internal auditor, one certified public accountant trade organization, and one government agency. NCUA also received one anonymous electronic mail. Eight commenters express complete support for the proposal. Fifteen commenters oppose the entire proposal. Twelve of these commenters believe that the current system is working well and that the proposed amendments will simply result in increased costs without any increased service. Ninety-seven commenters express varied levels of support for the proposal; however, most of these commenters had one or more objections to the proposal. A recurring theme among these commenters was that the proposal would hurt small credit unions. Another recurring theme was that the proposed amendments, in effect, require an opinion audit. Finally, a number of commenters believe the proposed amendments would increase costs to credit unions. The Board believes the final regulation reasonably balances the concerns of those opposing additional burden for small credit unions with the need for complete and reliable credit union audits. The Board appreciates the obstacles small credit unions face when operating in today's environment and does not wish to add to that burden unnecessarily. The amendments to this regulation will not have a significant impact on a credit union which meets its supervisory committee audit obligations in any of the following ways: The credit union's supervisory committee performs the audit itself. The credit union's internal auditor performs the audit. The supervisory committee recruits a member or volunteer who performs the audit (i.e., the member or volunteer is not in the business of performing compensated audits for credit unions). The supervisory committee obtains an opinion audit. If the supervisory committee itself or its uncompensated designated representative performs the supervisory committee audit as prescribed in Sec. 701.12(c)(5)(i)(D), the following portions of the proposed regulation will not apply to the supervisory committee audit: Sec. 701.12(c)(4)--Increased scope requirements in designated areas; Sec. 701.12(c)(5)(i)(A-C)--Opinion audits and agreed-upon procedures in relation to compensated auditors; and Sec. 701.12(d)--Engagement letter requirements. Additionally, NCUA will revise its Supervisory Committee Guide for Federal Credit Unions for targeted release prior to December 31, 1996. The revised Guide will provide guidance to assist a supervisory committee itself or its uncompensated designated representative in meeting the applicable requirements of this regulation. If the supervisory committee employs an auditor who is defined as a ``compensated auditor'' to perform (or assist in performing) the audit, the following additional requirements will be necessary: An engagement letter between the credit union and the compensated auditor; Expanded audit scope in certain areas if the compensated auditor is engaged to address, and agrees to take on, these areas; and Notification in writing of reportable conditions or errors and irregularities, if any, discovered in the normal course of the audit. ------------------------------------------------------------------------ SC Audit performed by --------------------------------------- Supervisory Requirement addressed committee or designated non- Compensated compensated auditor auditor ------------------------------------------------------------------------ Engagement Letter............... No engagement Engagement letter letter required. requirement. [[Page 41314]] Scope........................... As exists under As exists under current current regulation. regulation, plus expanded scope in identified areas.1 Testing/Procedures Performed in Regulation Regulation Accordance With. identifies identifies specific specific standards which standards which apply. apply. Reporting Standards............. As exists under As exists under current current regulation. regulation, plus ``reportable conditions,'' if any, and ``errors and irregularities,'' if any, simply ``reduced to writing''.1 ------------------------------------------------------------------------ 1 Distinguishable from an opinion audit because the following are not required: full scope of opinion audit, financial statements, related disclosures, auditor's opinion, or negative assurance. Comments Relating to Current Sec. 701.12. Throughout the comment letters of accounting/auditing professionals were a series of comments addressing conditions which apply equally to the current and to the revised Sec. 701.12. These include: 1. Auditing work should not be performed by lay individuals; CPAs alone have the professional proficiency to perform audits. 2. The proposed regulations put CPAs at an economic disadvantage to compete in the credit union marketplace. A CPA performing a supervisory committee audit would be bound by the professional auditing standards promulgated by AICPA and the State Board of Accountancy, while a non- CPA is not so burdened. CPA would not be able to charge fees competitive with (i.e., as low as) that of non-CPA. 3. CPAs are concerned about the ability of non-CPA examiners to review CPA's work. 4. CPAs may limit themselves to performing only opinion audits for credit unions. A new auditing standard, Statement of Auditing Standard (SAS) No. 75, governing agreed-upon procedures engagements requires users of agreed-upon procedures reports to acknowledge the sufficiency of such procedures in satisfying the requirements of the specified user. If the CPA cannot get the specified user to do this (in advance of the engagement), then the only work a CPA could perform for a specified user would be an opinion audit. The thrust of this comment is that NCUA would qualify as a ``specified user'' and would, therefore, have to acknowledge the sufficiency of the procedures prior to each credit union's engagement of a CPA. Each of these comments applies equally to the current regulation and the amended version being issued as a final rule; they are not exacerbated by the amendments. The source of some of the conditions addressed in the comments is not, if fact, any action by NCUA, but rather, exists due to the actions of others. The first three conditions, which we will address first, are relatively straight- forward; the SAS No. 75 issue is more complex and is addressed in section K. The first condition will exist as long as NCUA allows auditors other than licensed, independent certified public accountants to perform supervisory committee audits. Since the NCUA Board is committed to allowing credit union supervisory committees the option to engage non-CPA accounting/auditing professionals, there can be no ready resolution of this concern either under the current or the amended final regulation. As to the second area of concern, that CPAs are bound by professional standards imposed by state licensing authorities and by the AICPA (e.g., education, proficiency, peer review, AICPA professional ethics, GAAS, etc.), while non-CPAs are not, this is not the result of any additional requirements imposed by NCUA. The NCUA Board has no jurisdiction over the imposition of auditing standards governing the work of CPAs. The only way to ``regulate away'' the purported ``economic disadvantage'' the CPAs would be to limit the performance of supervisory committee audits to licensed, independent certified public accountants. This would create an ``economic disadvantage'' as to all other types of auditors, particularly those who audit small credit unions. The NCUA Board does not believe this is a viable solution. Third, examiners review the work of compensated auditors for compliance with this section. Wherein such examination requires the non-CPA examiner to review compensated auditor's work for compliance with GAAS and a deficiency is suspected, NCUA recognizes it is not an authority on GAAP or GAAS. Referral to state accountancy licensing authorities or the AICPA Ethics Division, where applicable, will be NCUA's means of seeking assistance to make such determinations. NCUA is sympathetic to the argument that non-CPAs do not have the knowledge and proficiency necessary to determine the extent of substantive testing required under GAAS, but it believes they can do so under this section which is a lesser, and regulatory defined, standard. As to the fourth area of comment, this area is somewhat more perplexing. We have discussed SAS No. 75 and related issues in section K. Suffice it to say here that this condition exists as a result of the new auditing standard promulgated by auditing standards-setters which became effective May 1, 1996. The condition exists under the current regulation and was not created or aggravated by any NCUA effort to amend this regulation. The timing of the SAS No. 75 effective date and NCUA's efforts to revise this part are coincidental. Areas Seemingly Misunderstood. The comment relative to ``burden on small credit unions'' are believed to have resulted primarily from a misunderstanding of the proposed amendments. Such comments made include: The regulations essentially require an opinion audit. Audit scope will have to be expanded substantially to generate the two additional reports required. Working paper access requirements will generate increased travel and credit union staff costs. Each of these areas are discussed at length below. C. Definitions The proposal added a set of definitions for terms used in the regulation. Many of these terms, while familiar to accounting/auditing professionals, may be less well know to supervisory committee volunteers. The proposed definitions included: (1) Agreed-upon procedures; (2) Applicable generally accepted auditing standards (GAAS); (3) Audit or Opinion audit; (4) Compensated auditor; (5) Financial statements; (6) Generally accepted [[Page 41315]] accounting principles (GAAP); (7) Generally accepted auditing standards (GAAS); (8) Independence or Independent; (9) Independent, licensed, certified public accountant; (10) Internal controls; (11) Other comprehensive basis of accounting; (12) Related party transactions; (13) Reportable conditions; (14) Substantive testing; (15) Supervisory committee; (16) Supervisory committee audit; and (17) Working papers. The NCUA Board also requested comment on whether any additional terms should be defined in the regulation. Eight commenters believe no further terms should be defined while three commenters believe the final amendments should define additional terms. One commenter requests a definition of ``verifications.'' One commenter requests NCUA define ``summary of operations'' One commenter believes NCUA should define ``internal auditor'' and ``Standards for the Professional Practice of Internal Auditing.'' Thirteen commenters believe that the proposal adequately defined the terms listed. Three of these commenters state that the definitions are valuable to credit unions. Four commenters believed that the proposal does not adequately define the listed terms. Generally, if several commenters suggested redefinitions along the same lines and the suggested language was technically correct, the final regulation reflects the revised language. Definitions for ``internal auditor'' and ``Standards for the Professional Practice of Internal Auditing'' were not added as neither of these terms are used anywhere in the regulation. A definition for ``verifications'' was not added since it is defined and discussed fully in the existing regulation, Sec. 701.12(e). ``Summary of operations'' is simply a phrase which was used within the ``financial statements'' definition which is not critical to an understanding of the definition or the regulation; this phrase was dropped. One definition was added and that was the SAS No. 75 definition of ``specified elements, accounts or items of a financial statement.'' The definition of ``applicable GAAS'' and the use of that term was dropped throughout the regulation. In the proposed regulation, we had defined ``applicable GAAS'' as GAAS excluding the second general standard and the standards of reporting. In the final regulation, we dropped the term ``applicable GAAS'' and instead spelled out five specific standards, contained in paragraph (c)(2). The five standards were adopted with modifications from the AICPA's ten generally accepted auditing standards, again excluding the second general standard and the standards of reporting. The Board believes that the use of the term ``applicable GAAS'' may intimidate laymen; spelling out the specific standards intended should help eliminate any apprehension. The Board believes these standards are reasonable and attainable. The proposal defined ``audit or opinion audit'' in part, as an examination of the financial statements performed by an independent, licensed, certified public accountant in accordance with generally accepted auditing standards. One commenter believes that this definition must be modified. This commenter states that an ``audit'' and an ``opinion audit'' are not the same thing, and not all credit unions need an opinion audit which is performed by an ``independent, licensed, certified public accountant.'' One commenter states that since the definition applies to the word ``audit'' alone it is unclear if this requirement applies everywhere in the regulation where the term is used. For example, this commenter states that ``Supervisory Committee Audit'' could mean an ``audit'' by a CPA, which the commenter believes is beyond the scope of what NCUA is requiring with this proposal. This commenter suggests restricting the definition to only ``opinion audits.'' One commenter states that there is an inconsistency between the definition of ``audit'' or ``opinion audit'' and the proposed supervisory committee audit in Section 701.12(c). This commenter states that the definition states an audit is to be performed by an independent, licensed, certified public accountant; whereas Section 701.12(c) provides other alternatives in the completion of an audit and specifically provides that someone other than a certified public accountant such as the supervisory committee may conduct audits. Within the accounting profession and as represented in GAAS, ``audit'' is the term used for an ``opinion audit''. In fact, ``opinion audit'' is jargon for ``audit''; the terms are synonymous. However, since the use of the term ``audit'' in the regulation without an accompanying adjective such as ``opinion'' or ``supervisory committee'' was confusing to some of the commenters, we have eliminated the definition of ``audit,'' narrowed the definition to ``opinion audit'' and use only the term ``audit'' (when used as a noun) throughout the regulation preceded by descriptive terms, e.g., opinion audit, or supervisory committee audit. As to the alternatives set forth in Sec. 701.12(c), these relate to the performance of a supervisory committee audit. The scope of an opinion audit exceeds that a supervisory committee audit. Thus, an opinion audit which complies with GAAS, would exceed the requirements of the regulation. The proposal defined a ``compensated auditor'' as any accounting/ auditing professional who is compensated for performing the supervisory committee audit and/or verification services. Thirteen commenters believe that the term ``compensated auditor'' should be revised so as to distinguish between the credit union's internal auditor and the credit union's contracted external auditor. These commenters believe the proposal could be interpreted so that a compensated auditor is defined as an accounting or auditing professional who is employed directly by the credit union. Two commenters believe that the term ``compensated auditor'' should not include someone who simply lends a hand to the supervisory committee in completing the audit. Two commenters believe that external auditors should be licensed professionals (such as CPAs) to ensure that audits are detailed and reflect the actual financial condition of the institution. The Board found the comments in this area helpful and has amended the definitions in response to some of the suggestions. It is not the Board's intent to include credit union employees acting in the course of their employment (internal auditors) or someone who simply lends a hand (volunteer). Nor is the Board comfortable with restricting the performance of supervisory committee audits to licensed professionals. The definition has been changed to exclude employees and to exclude individuals who perform no more than one compensated supervisory committee audit per calendar year. The later provision was added to ease the burden for small credit unions who may benefit through the assistance of a volunteer, someone who simply lends a hand, e.g., the local bookkeeper who, while compensated, performs the supervisory committee audit (one per calendar year) for a minimal and reasonable remuneration. The proposal defined generally accepted auditing standards (GAAS) in part as the standards approved and adopted by the American Institute of Certified Public Accountants which apply when ``independent, licensed certified public accountants'' audit financial statements. One commenter believes this definition will substantially increase the costs of audits for smaller credit unions that do not use a CPA. One commenter believes that the definition implies that a CPA is bound [[Page 41316]] by GAAS but non-CPAs are exempted from certain provisions and that this is unfair to the CPA. One commenter states that the definition does not identify which items of GAAS do not apply to the supervisory committee or its uncompensated auditor. In the final regulation, the Board has eliminated the use of the term ``applicable GAAS'' and refers to GAAS only once in the final regulation--in paragraph (c)(4), in conjunction with expanded scope for compensated auditors. The term ``applicable GAAS'' appeared to intimidate many commenters. The Board has replaced this approach by listing five relevant standards in the body of the regulation. The standards were adopted with modifications from the AICPA's ten generally accepted auditing standards, again excluding the second general standard and the standards of reporting. Procedures and testing performed consistent with the five identified standards are required for credit union supervisory committees, whether they hire a compensated auditor or not. Scope of work within the guidelines of the regulation, and degree of substantive testing (nature, extent and timing), are set by the supervisory committee or its designated representative based on its assessment of inherent risk, after gaining an understanding of the internal control environment. This approach does not bind a supervisory committee or its designated representatives to those requirements of GAAS which are definitionally unattainable, e.g., certain GAAS provisions a non-CPA cannot meet by virtue of the fact that he is not a CPA. There is no additional burden imposed in redefining the standard supervisory committees must meet in the performance of procedures and testing. By eliminating the term ``professional auditing procedures and standards'' which is non-specific, and replacing it with a listing of the five specific, relevant standards, the Board is issuing clearer standards. The amendment will not substantially increase burden on small credit unions because the regulation clearly does not require a CPA opinion audit, neither in scope of work nor reporting burden. There is no requirement for financial statements to accompany the report; no opinion is necessary; and negative assurance is not required. Since many of the commenters misunderstood certain provisions of the proposed regulation, their estimates of burden were based on a scope of work and reporting requirements substantially greater than what was actually proposed and/or intended. An additional burden exists only in the area of audit scope (not reporting) when the work is performed by a compensated auditor. While there is increased burden to some credit unions resulting from this requirement, the Board believes it is necessary and minimal. The proposal defines ``independence and independent'' as ``without bias with respect to the credit union so as to maintain the impartiality necessary for the reliability of the compensated auditor's findings. Independence requires the exercise of fairness toward credit union management, members, creditors and others who may rely upon the independent, compensated auditor's report. Auditors must be independent in fact and in appearance.'' Eighteen commenters believe that this definition may pose problems for state leagues because some leagues are owned by credit unions for which the league provides audit services. These commenters request that the definition be clarified because they believe if the proposed definition of ``independence'' is strictly applied it could put league audit services out of business. They request that the preamble to the final amendments specifically state that league auditing programs are considered independent under the regulation. Seven commenters believe that a league audit is considerably cheaper than an audit by an accounting firm and if the state league was prohibited from doing the audit it would result in increased costs to credit unions. Some commenters also believe this definition should not be construed to mean that only CPAs could perform audits for credit unions. Several commenters recommend deleting the following sentence from the definition: ``Auditors must be independent in fact and in appearance.'' NCUA has revised the definition for ``independence'' to exclude the following: ``without bias with respect to the credit union'' and ``Auditors must be independent in fact and in appearance.'' Further, it is not the Board's intent to exclude league auditing services from performing supervisory committee audits or to require such services to use report terminology reserved by state laws specifically for CPAs. The Board is persuaded, however, that to be considered independent, league auditors must be independently managed. League auditors will not be considered independent in providing supervisory committee audits for a credit union if the credit union to be audited has an executive/ employee on the affiliated league board who influences board decisions relative to the league auditing service. League auditors would be considered independent if the executive/employee on the affiliated league board recuses himself from all discussions, decisions, or actions directly or indirectly related to the league auditing service/ department/function and/or meeting any requirements of this section. Additionally, the recusal must be documented in the written board minutes. Another alternative would be for reciprocity of league auditing services between leagues and credit unions subject to this restrictive interpretation. A third alternative would be for the league auditing service to periodically obtain a peer review from another league auditing service, similar to current practice for AICPA- affiliated, CPA firms in public practice. Such a peer review would provide a reasonably independent quality review of the league auditing service's compliance with required auditing standards in the performance, documentation, and reporting of auditing services provided to federally-insured credit unions. The written peer review report would be available to NCUA, upon request, in conjunction with the examination of a particular credit union's supervisory committee audit and verification. The proposal defined ``internal controls'' in part as the process, established by the credit union's board of directors, officers and employees designed to provide reasonable assurance of reliable financial reporting and safeguarding of assets against unauthorized acquisition, use or disposition. Furthermore, this definition stated that a credit union's internal control structure consists of five components: control environment; risk assessment; control activities; information and communication; and monitoring. One commenter states that this definition could result in a decrease in testing of internal control structures. The supervisory committee's responsibilities with regard to internal controls is clearly set forth in Sec. 701.12(b)(2)(i) and (c)(2). The compensated auditor's further responsibility with regard to internal controls is set forth in Sec. 701.12(c). The proposed and final regulation does not decrease the amount of testing of internal control structures than is required in the existing regulation, nor does it drastically expand required testing. The Board intends that the supervisory committee attain an understanding of the internal control structure; assess the level of control risk; and based thereon, determine the nature, timing, and extent of substantive testing necessary to comply with the [[Page 41317]] minimum supervisory audit scope. The materiality level the supervisory committee chooses to govern scope and testing must encompass reasonable tests of the internal control structure commensurate with the size and complexity of the credit union under audit. Choosing a materiality level which results in no reasonable testing of internal controls would not be acceptable. Expanding audit scope to achieve a complete audit of the credit union's system of internal controls (commenter terms this ``full compliance audit'') is not intended. The Board is simply seeking the extent of internal control testing which is normal in the audit of financial statements. The distinction would be clear to accounting/ auditing professionals; it may be less so to supervisory committee member volunteers. The proposal defined ``related party transactions'' as transactions among or between parties where one party controls or can significantly influence the management or operating policies of the other so as to prevent the other party from pursuing exclusively its own interests. The proposals provided the following examples of related parties: credit union members and their families, and credit union officials and their families. The proposal also stated that examples of ``related party transactions'' include: interest-free loans or loans at below market rates; sale of real estate significantly below appraised value; nonmonetary exchange of property; and making of loans lacking scheduled terms for repayment. Three commenters believe the definition of ``related party transactions'' should include examples of related parties similar to those used in the preamble rather than those provided in the proposed definition. Two commenters believe that the examples of related parties in the definition is vague and obscures the meaning of the term. The definition of related parties has been changed to eliminate credit union members and their families and to add examples of related parties to include: executive management, board members, supervisory committee members, credit committee members, employees and their families. The proposal defined ``supervisory committee audit'' in part as an examination of the credit union's financial statement in accordance with applicable GAAS, which is performed by the supervisory committee or its designated representative as required by the regulation. Furthermore, the last sentence of the definition stated that an opinion audit as defined by this regulation satisfies the definition of ``supervisory committee audit.'' One commenter states that the supervisory committee responsibilities need to be specifically defined, as well as any sanctions or penalties, if any, that may be assessed and how they will be determined. One commenter states that the last sentence of this proposed definition should be eliminated. One commenter states that this definition implies that a supervisory committee audit must be undertaken by a certified public accountant. This commenter suggests NCUA use ``supervisory committee review'' instead of ``supervisory committee audit'' to clarify this issue. The Board changed the definition of ``supervisory committee audit'' to drop the ``applicable GAAS'' reference, consistent with the addition of paragraph (c)(2) detailing five specific standards which must be met in the conduct of the supervisory committee audit. We continue to include the last sentence in the definition but have revised it to indicate that an opinion audit is one of several ways to satisfy the requirements of the regulation. It is a misinterpretation of the proposed regulation to conclude that a supervisory committee audit must be undertaken by a certified public accountant. The Board continues to use the term ``supervisory committee audit'' because this is how the function is identified in the Federal Credit Union Act. The Board is satisfied that the final regulation clearly defines the supervisory committee responsibilities, short of providing a written audit program. Available sanctions and penalties are those that are normally available to NCUA in dealing with regulatory non-compliance as granted throughout the Federal Credit Union Act and administered through the NCUA's Regulations. The proposal defined ``working papers'' in part as the principal record, in any form, of the work performed by the auditor and/or supervisory committee to support its findings and/or conclusions concerning significant matters. The definition provided the following examples of documents that meet this definition: the written record of procedures applied, tests performed, information obtained, and pertinent conclusions reached in the engagement, audit programs, analyses, memoranda, letters of confirmation and representation, abstracts of credit union documents, reviewer's notes, if retained, and schedules or commentaries prepared or obtained by the independent, compensated auditor. One commenter specifically supports this definition. Several commenters believe that although they agree with the ``working papers'' definition, they do not agree that all of the examples of working papers cited therein meet the definition. They believe that all of the auditors' memoranda, personal notes, and commentaries do not make up the principal record of the work performed. They suggest references to these items be eliminated from the list of examples provided in the definition of working papers. One commenter believes the definition is so extensive that it may discourage the compilation of notes and other internal memoranda, to the detriment of the credit union having a thorough audit. The Board believes that, in the past, accounting/auditing professionals have afforded themselves broad license in determining what they will provide to NCUA staff in the way of working papers. This situation has resulted through a wide interpretation, by some compensated auditors, of what constitutes ``proprietary information.'' The Board is persuaded that such discretion needs to be limited. NCUA staff needs access to a complete set of working papers. The Board believes much of what compensated auditors have held back as ``proprietary'' is integral to NCUA staff in assessing if the audit meets regulatory requirements. Requiring full access to existing working papers should in no way discourage the compilation of notes and other internal memoranda, to the detriment of the credit union having a thorough audit. The standards requiring working paper documentation is not changed, lessened or strengthened by this final regulation which is simply seeking full disclosure to NCUA staff of existing working paper information. Photocopies are not required. D. Expanded Audit Scope The proposed amendments expanded the required audit scope when a supervisory committee employs the services of a compensated auditor. The Board proposed the changes to address practical enforcement problems in the existing regulation, some of which have arisen through the examination process as a matter of course and others of which have arisen in litigation and in negotiating settlements. Additionally the changes were intended to eliminate vagueness regarding the required audit scope as well as improving supervisory committee audits. The vagueness of audit scope has been the subject of complaints from both credit unions and examiners. The Board proposed that the supervisory committee audit shall be made by the supervisory committee or [[Page 41318]] its designated representative using applicable GAAS. Furthermore, the Board proposed that for the compensated auditor, audit testing of the following areas must satisfy applicable GAAS for expressing an opinion on the financial statements taken as a whole: internal controls, cash, loans and interest thereon, shares and dividends and/or interest thereon, related party transactions, and the detection and reporting of errors and irregularities with regard to each of these areas. Three commenters specifically support the new audit scope. Two commenters believe the clarification eliminates any possible confusion regarding the overall requirements of the audit. One commenter recommends that this section be revised to state that the supervisory committee shall determine whether the established internal controls are sufficient to identify/detect material errors and fraud. The Board does not believe it is necessary to revise this section to include the suggested language because the responsibilities of the supervisory committee with regard to ``internal controls'' and ``error, carelessness, conflict of interest, self-dealing and fraud errors and irregularities'' are already set forth. Seventeen commenters believe a compensated auditor should follow GAAS. Two of these commenters believe credit union auditors should be held to the same high standards as auditors in other industries. One of these commenters stated that GAAS is the acceptable standard for all audits. One of these commenters believes that a compensated auditor should be required to follow GAAS but it should not be required by regulation. One supporting commenter believes that this amendment will have numerous unintended consequences, one of which will result in requiring any audit performed by a CPA to be an opinion audit. This commenter also believes the proposal could harm small credit unions by having them seek less qualified individuals. As addressed above, the Board does not wish to require an opinion audit for credit unions. To require compensated auditors to meet GAAS in scope of work, audit testing and reporting would be to require an opinion audit by a licensed, independent certified public accountant. The Board believes adopting the five specific standards set forth in the final regulation is preferable to the existing rule's reference to ``professional auditing procedures and standards''; the former is specific while still allowing for reasonable judgment, the later is too vague. And while the expanded audit scope may slightly increase costs to some credit unions, the Board believes this burden is reasonable and necessary in light of the substandard audits NCUA found in some credit unions. Twenty commenters believe compensated auditors should not be required to follow GAAS. One of these commenters believes that it appears to have the practical effect of requiring the performance of an opinion audit, except the actual issuance of an opinion, whenever an outside auditor is used. Six of the commenters believe such a requirement will increase credit union costs. Three commenters believe this requirement will hurt small credit unions. One commenter believes that the proposed GAAS requirements could result in small credit unions employing CPAs to perform the audit and could discourage members from volunteering to serve on the supervisory committee. In the final regulation, a standard far short of GAAS is being required. Five specific standards governing performance of the work are set forth in the final regulation. Financial statements are not necessary, an opinion or attestation is not required, negative assurance is not sought, and GAAS reporting standards do not have to be met, paragraph (c)(4). Only compensated auditors are being held to GAAS-level scope and testing (not reporting), and then, only in selected risk areas. We continue to believe that the increased burden estimates were based on a misunderstanding of proposed regulatory requirements. One commenter states requiring non-CPA auditors to meet CPA standards is tantamount to requiring CPA audits. Another commenter states that league auditors are not allowed by AICPA rules to use the terms GAAS and GAAP in their audit reports. Furthermore, the commenter states that if these terms are required it will mean that only CPAs could audit credit unions which would prohibit league audits as well as increase credit union costs. The proposed and final regulations do not require non-CPAs to use GAAS and GAAP references or language in supervisory committee audit reports. In the proposed regulation the definition of ``applicable GAAS'' excluded the ``standards of reporting.'' The final regulation continues to exclude these reporting standards. The relevant standards governing performance of work have been more specifically identified in the final regulation in paragraph (c)(2). One commenter believes that NCUA should determine what additional procedures should be performed, if any, on a credit union by credit union basis, rather than requiring all compensated auditors to complete an expanded scope. Another commenter also states that NCUA should not require expanded scope for all credit unions. It is not practical for NCUA to determine what additional procedures should be performed, if any, on a credit union by credit union basis, thus this alternative of requiring the supervisory committee or its designated representative to attain an understanding of the internal control environment, assess control risk, and based thereon, determine the extent of substantive testing necessary to meet the requirements of this section. The guidelines NCUA primarily will use in assessing the adequacy of the expanded scope under paragraph (c)(4) will be the AICPA's guide, ``Audits of Credit Unions'', relevant chapters, subheading ``Audit Objectives and Procedures'' where discussions are provided on audit objectives, planning considerations, internal control structure, tests of controls, and substantive tests. The expanded scope in selected, identified areas for all credit unions that employ a compensated auditor should contribute to improved consistency and uniformity. One commenter believes the proposed amendments impose different and higher standards for supervisory committee audits conducted by compensated auditors than those performed by supervisory committees or uncompensated auditors. Two commenters believe the proposed amendment is an attempt to permit non-CPAs to perform the work of CPAs when auditing credit unions. Both commenters believe that this poses an increased risk of substandard audits which will fail in detecting serious accounting deficiencies and internal control weaknesses. Another commenter believes a non-licensed accountant attempting to comply with the regulation may be violating state accountancy law by performing duties which can only be performed by a licensed CPA. Another commenter does not believe it is realistic or feasible to require volunteer supervisory committee members to comply with a complex body of standards that require significant education and training to understand. While the Board appreciates the seemingly unfairness of imposing a different and higher standard for supervisory committee audits conducted by compensated auditors than for those performed by supervisory committees or uncompensated auditors, the Board must be realistic in [[Page 41319]] recognizing that imposing an expanded scope requirement for supervisory committee audits performed by layman would be to invite certain disappointment. NCUA will need to review supervisory committee audits for thoroughness and sufficiency, and recommend needed supplemental procedures and testing to enhance the effectiveness of the audit process. Furthermore, for those supervisory committees that continue to perform the audit and/or verification themselves, where the credit union's sophistication and complexity have grown beyond the capabilities of the resident supervisory committee and its staff, it will be incumbent upon NCUA to recognize the deficiencies in the audit which diminish the committee's usefulness in the oversight process assigned it under Sec. 701.12. NCUA has significant flexibility under Sec. 701.13 of NCUA's Regulations, through FIRREA, to call for the conduct of a second audit, one which will fulfill the intended objectives of this regulation. The requirement for a second audit would add burden since it must be performed by an independent public accountant. E. Engagement Letter Requirement The Board proposed to require credit unions which employ compensated auditors to memorialize the terms and conditions of the engagement in a comprehensive engagement letter, which constitutes an enforceable contract between the compensated auditor and the supervisory committee. The proposal also set forth the minimum requirements of an audit engagement to be addressed in such a letter. The Board made this proposal to further reduce the confusion for required scope components that are excluded from the audit engagement. Thirty-eight commenters support this proposal. Fourteen of these commenters believe the requirements for an engagement letter should adequately protect the interests of the supervisory committee. Five commenters believe the engagement letter will formalize the expectations of the supervisory committee. Four commenters believe that this proposal would eliminate any misunderstandings between the supervisory committee and the auditing firm. One commenter supports the requirement to provide an appendix to the engagement letter specifying the procedures to be performed. Seven commenters believe it should be left to the discretion of the credit union to determine what specific details should be included in the engagement letter. Conversely, two commenters believe that NCUA should produce a form engagement letter in the final rule. In current practice, the engagement letter has been written primarily by the compensated auditor, for the compensated auditor. Many credit unions have signed the engagement letters thus drafted without a real knowledge or understanding of what specific details should be included. Through the engagement letter requirement, the Board hopes to help credit unions in its business dealings with the professional auditor. The regulation sets forth minimums; the credit union has full discretion to include other provisions. The compensated auditor has the option to exclude from his scope of work any areas for which he is uncomfortable/unwilling to perform the expanded audit scope, if such exclusion is agreeable to his credit union client. He is obligated then only to caution the supervisory committee in the engagement letter that the supervisory committee will remain obligated to perform or have performed this required but excluded work. As concerns areas excluded from the audit engagement, simple, general statements, such as is demonstrated in the current AICPA Guide, Audits of Credit Unions, illustrative engagement letter, with the added caution required in the rule, Sec. 701.12(d)(3)(i)(C), is the minimum NCUA is seeking. For example, ``The scope of this audit * * * does not include an evaluation of all areas that generally are of higher risk in the credit union industry, such as securities held or the collectibility of loans, the adequacy of collateral thereon, or the reasonableness of the allowance for loan losses,'' plus cautionary language required consistent with this section. Five commenters stated that the requirement in the proposal that the engagement letter specify a date of delivery of the written audit report is unrealistic. They believe that the auditor can not complete the audit if the required information is not available. One commenter believes this requirement puts undue pressure on the auditor. One of these commenters stated that we should not require an exact delivery date but rather a ``target'' delivery date. The Board agrees with this commenter. Delivery date has been changed to ``target date of delivery.'' The intent is to provide the auditor with flexibility in dealing with unforeseen events while providing NCUA with a target date for receiving the report. Nine commenters do not believe NCUA should require a formal engagement letter. One commenter believes that the requirement for an engagement letter will not adequately protect the interests of the supervisory committee. One commenter states this should not be a regulatory requirement since most credit unions already use an engagement letter. One commenter states that the use of an engagement letter is a management decision. One commenter believes the additional cost for this separate letter far outweighs the perceived benefit. Two commenters believe regulating the content of an engagement letter is unnecessary. One commenter states that the criteria and the matter to be included in the engagement letter as outlined by SAS 75 address questions concerning the conditions for engagement preference, the sufficiency of procedures, the nature, timing and extent of procedures and will address issues that may arise between the auditor and the supervisory committee. The NCUA Board believes the engagement letter requirement will protect the credit union, will compel communication concerning the audit engagement, and will provide all parties with an enforceable contract and a documented record of accountability which hopefully will preclude NCUA from brokering disputes between the credit union and the compensated auditor. Credit unions are free to include any additional criteria, conditions, terms in the engagement letter beyond those required (such as those additionally outlined in SAS No. 75); again, the regulation is suggesting the minimum requirements. The final amendment reflects engagement letter requirements, generally as proposed, with the addition of target date of delivery, and working paper retention requirements for 3 years from the date of the audit report. F. Requirement for a Written Report of Internal Control Exceptions or Reportable Conditions and a Written Report of Irregularities or Illegal Acts The proposed amendments required written reports of any internal control exceptions or reportable conditions noted and of any irregularities or illegal acts noted. Eighteen commenters support the requirement to report on internal controls and possible illegalities. Ten commenters state that requiring these reports will not increase the cost of a supervisory audit. Two commenters, although supporting the requirement, believe it will increase credit union costs. Three commenters state that the information in the reports is already available in some form of report. We agree the information is already available as a result of performing the supervisory committee [[Page 41320]] audit, but current requirements do not mandate written communication. Thirty-seven commenters oppose this requirement. Twenty-six commenters state that requiring these reports will increase the cost of supervisory committee audits. Five commenters wondered why the auditor cannot simply report any such findings in their normal report to the supervisory committee instead of creating two new reports. This option is agreeable to NCUA; we are simply seeking such information be ``reduced to writing.'' Three commenters believe that no report should be required if no internal control exceptions, reportable conditions or irregularities or illegal acts were noted. This is also agreeable to NCUA; we are not seeking negative assurance. One commenter states that auditors that find problems during the scope of their normal audit already comment on internal controls and fraud when appropriate in the audit report to the credit union. Not necessarily; CPAs are not required to communicate such matters in writing. One commenter states that one report should be able to handle both issues. The Board agrees and the final regulation reflects this. Two commenters believe this requirement will hurt smaller credit unions since they usually have weaker controls due to small staffs. This requirement was not added to ``hurt smaller credit unions,'' but often these are the very credit unions where efforts are needed to bolster internal controls. One commenter states that the requirement to have the compensated auditor report on internal control and fraud may not be valid for all credit unions. This commenter believes that credit unions having an internal audit function should be exempted from this requirement to avoid duplication of efforts and costs. The internal audit function could be the means by which the supervisory committee chooses to comply with this section. This was one of the most misunderstood proposed amendments to the regulation. NCUA is simply asserting that any instances of reportable conditions or errors and irregularities which are identified in the normal course of a supervisory committee audit, be reduced to writing. Currently, while such information must be reported, GAAS does not require this information to be in writing. Without written communication of these items, NCUA has limited assurance of gaining knowledge of the auditor's observations in these areas, unless the credit union provides notification voluntarily. NCUA does not expect or require any negative assurance; no report is required if internal control exceptions, reportable conditions or irregularities or illegal acts were not noted. In many supervisory committee audit reports prepared by compensated auditors other than CPAs under existing guidelines, such internal control and fraud problems/weaknesses uncovered during the scope of their normal audit are already commented upon, when appropriate, in the audit report to the credit union. This practice continues to meet regulatory requirements under the final regulation. NCUA has no preference whether the auditor prepares one report including this information, two reports or three; what matters is that the information is reduced to writing. NCUA does not expect supervisory committees to direct audit scope at discovering such problems. Nor is NCUA seeking a specific report on the control structure and any breaches of that structure or to specifically note the absence or presence of any irregular or illegal act; NCUA recognizes this would require a substantially different level of audit than heretofore has been required. The NCUA Board believes it is possible that those who argued ``burden to small credit unions'' in this reporting aspect misunderstood the intended reporting requirements in this instance, and mistakenly magnified cost estimates accordingly. G. Clarification on Access to Original Working Papers The proposal clarified that NCUA has unconditional access to a complete set of original working papers including all the existing documentation relative to the audit. Such access would be either at the offices of the credit union or at a mutually acceptable location. Thirty-four commenters provide varying support for the clarification. Sixteen commenters believe that unconditional NCUA access to original working papers is not overly burdensome and intrusive. Six commenters do not believe unconditional access to working papers will cause an increase in administrative and other expenses. One commenter believes that such access to original working papers will assist NCUA in its exams and that the clarification makes good business sense. Five commenters state that it is important to maintain the confidentiality of the working papers. NCUA appreciates the auditor's concerns about maintaining the confidentiality of working papers and will cooperate reasonably with auditors to achieve this end. Two commenters believe this section should be clarified to provide that copies, certified copies or electronic formatted data are ``originals'' for the purpose of this section. Relevant to the most recent audit completed and awaiting NCUA review, the Board rejects the notion that ``copies, certified copies or electronic formatted data are ``originals'' for the purpose of this section.'' Subsequently, and for purposes of meeting the three year working papers retention expectation, accessible alternative electronic storage is acceptable. One commenter, although supporting the proposal, believes this proposal may increase credit union costs. NCUA does not believe this clarification to the existing regulation will increase the costs to credit unions. This requirement would simply be included in the engagement letter as a clarified condition of engagement. Three commenters state that the location for viewing the working papers must be flexible because the credit union may be located some distance from the office of the auditor. Two commenters believe that the location for NCUA access should include the external auditor's place of business. The ``mutually agreeable location'' alternative does provide for the external auditor's place of business. One commenter recommends that working papers should be made available only at the auditor's place of business for the NCUA to copy or review. This the Board finds too restrictive and continues to prefer ``or at a mutually agreeable location.'' One commenter requests that the final regulation clarify that the working papers be available, either at the auditor's or credit union's office with adequate notice and under the auditor's supervision. The proposal stated that working paper access could be at the offices of the credit union or at a mutually agreeable location. A ``mutually agreeable location'' could be at the credit union, at the auditor's place of business, or other location agreeable to the auditor. NCUA staff will be instructed to be reasonable in their negotiation of ``mutually agreeable location.'' One commenter would also put in the regulation that such access would be at an agreed upon time and an agreed upon location. The Board believes this to be the normal business practice. This commenter also believes that notes could be made but not copies. Several other commenters state that copies of the working papers should not be permitted. The Board did not propose and will not incorporate in the final regulation any requirement for NCUA to photocopy the working papers. Twenty-seven commenters oppose the clarification on working papers. Twelve commenters stated that complete access to the original working papers is overly [[Page 41321]] burdensome and intrusive. Such access exists under the current regulation. Eight commenters believe unconditional access to working papers will cause an increase in administrative and other expenses. This should not be the case since: such access exists under the current regulation and such access will be a condition of engagement. Several commenters believe that the working papers are the property of the compensated auditor and not the credit union unless the papers are prepared by the supervisory committee. NCUA recognizes that the working papers prepared by a compensated auditor are the property of the compensated auditor. Several commenters were concerned with an examiner copying the working papers and then having the examiner retire and compete with the auditor using the auditor's program. Examiners are prohibited from copying audit programs for their personal use. One commenter believes that the supervisory committee should not be held accountable for making sure that an independent auditor makes his or her original working papers available to NCUA since that provision is already included in the engagement letter and, as a practical matter, there is not much the supervisory committee can do to enforce that provision beyond the confines of the engagement letter. NCUA disagrees; the supervisory committee can enforce its audit contract. Several commenters believe that original working papers are the property of the auditor. NCUA acknowledges this. One of these commenters states that while the auditor can and must agree to make those papers available, NCUA has no role in enforcing that requirement against an independent auditor over whom it has no regulatory powers. NCUA acknowledges that enforcement lies with the supervisory committee. One commenter states that the proposal puts the credit union in a ``no- win'' situation. If the auditor fails to cooperate with the supervisory committee by not making the papers available, rejection of the audit is a possibility, which may result in additional expenses for a new audit or the NCUA may seek formal administration sanctions against the supervisory committee. This is true, but presently, without this provision, NCUA is ``brokering disputes'' between compensated auditors and supervisory committees. An enforceable contract should remove both NCUA and supervisory committees from the middle. With an enforceable contract, there will be a clearly defined line of responsibility and thus, a business pressure, if not the possibility of litigative pressure, for the honoring of contract terms. If a compensated auditor does not wish for NCUA to review his working papers, he should not agree to be engaged by a credit union. One commenter believes NCUA should specify a working paper retention policy to clarify how long the working papers must be available for review. The Board agrees that an auditor should not have to retain his/her working papers indefinitely. Therefore, the Board has amended the regulation to require retention of working papers by compensated auditors for a minimum of three years from the date of the written audit report. The audit working papers for the most recent audit would need to be retained in paper form; subsequently, alternative, accessible storage would be acceptable. H. Enforcement Mechanism The Board proposed an enforcement mechanism to ensure compliance with this regulation by authorizing the regional director, as a first step toward enforcement, to reject as deficient the supervisory committee audit and the reports thereof. Two commenters support this proposal. One commenter encourages the NCUA Board to ensure that all regional offices use the same criteria for determining whether or not to accept a supervisory committee audit (whether or not performed by a compensated auditor). Two commenters oppose the proposal. One of these commenters believes that only state credit union supervisory agencies should initiate administrative sanctions against the supervisory committee of a state chartered credit union. Furthermore, this commenter notes that the proposed amendments bestow a great deal of discretionary authority upon regional directors and suggests the Board instruct regional directors not to reject audits which are flawed by minor technicalities. In the case of a federally-insured state chartered credit union, the Board believes it is appropriate for the state regulator to first attempt to resolve any problems concerning the supervisory committee audit. The Regional Director will take action after the state regulator has had a reasonable opportunity to reach a satisfactory result. The Board will instruct its regional offices on the proper criteria in determining whether to accept or reject a supervisory committee audit to minimize differences among the regions and provide more consistency. NCUA will not be rejecting supervisory committee audits for minor technicalities. I. Effective Date Section 302 of the Riegle Community Development and Regulatory Improvement Act of 1994 requires the federal regulators of banks and savings associations to make all regulations that impose new requirements take effect on the first date of the calendar quarter following publication of the rule unless good reason exists for some other effective date. Although NCUA is not formally subject to this requirement, Letter to Credit Unions #158 stated that the requirements would be beneficial to credit unions and that NCUA planned to implement it whenever practicable. NCUA believes that delaying the effective date to December 31, 1996 is necessary so that credit unions and individuals conducting supervisory committee audits have sufficient time to understand the regulation and determine what type of audit will best serve their needs. Therefore, the regulation will be effective for audits conducted for, and covering, the audit period ending on December 31, 1996, and thereafter. J. Request for Comment on Whether Credit Unions Should Have an Ongoing Internal Audit Function The Board requested comment on whether it should mandate an internal audit function and, if so, whether such a requirement should be imposed on all or only some credit unions, and on what basis. Seventeen commenters support mandating an internal audit function. Ten commenters believe an audit function should be required based on some combination of asset size and complexity of operations. Two commenters believe it should be required for credit unions with assets in excess of $100 million. Another commenter believes it should be required for credit unions with assets over $150 million. Another commenter believes asset size should be the basis for requiring an internal audit function. One commenter believes the audit function should be based on complexity of operations and not asset size. Fifty-three commenters oppose requiring a credit union to have an ongoing internal audit function. Thirty-three commenters believe the decision to have an internal audit function should be made by credit union management. Four commenters believe that many credit unions can not afford an internal audit function. Two commenters believe the internal audit function is costly and that the internal auditor may not adequately scrutinize operations. Several commenters believe NCUA should not require but instead [[Page 41322]] encourage large and complex credit unions to have an internal audit function. Three commenters believe that both compensated auditors and internal auditors should be hired, report to and receive instructions from the supervisory committee. They believe any other line of reporting compromises the integrity of the communication. Sixteen commenters believe it is not always feasible or desirable for the auditor to report directly to the supervisory committee, especially if the credit union is relatively large. Most of these commenters believe that each credit union should decide to whom the auditor reports. The Board is not requiring an internal audit function at this time because it believes that the costs of mandating such a function for all credit unions outweighs the perceived benefit. The Board, however, continues to encourage credit unions to have an ongoing internal audit function if management believes it would be helpful as well as economically prudent. The Board also believes it is important to minimize possible conflicts of interest when determining to whom the internal auditor reports. Management should carefully consider whether it is feasible for their credit union to have the compensated or internal auditor report to the supervisory committee. K. Relevance of SAS No. 75 to CPAs and Its Impact on Supervisory Committee Audits Effective May 1, 1996, the AICPA adopted SAS No. 75 which provides in pertinent part: b. The accountant and the specified users agree upon the procedures performed or to be performed by the accountant. c. The specified users take responsibility for the sufficiency of the agreed-upon procedures for their purposes. (emphasis added) In essence, SAS No. 75 requires the CPA to identify the ``specified users'' of a ``report on agreed-upon procedures'' and, in advance of such an engagement, to obtain an acknowledgment from all identified specified users that the procedures the auditor will perform are sufficient to satisfy the ``specified user's'' needs. There is no doubt that a credit union's supervisory committee and its board of directors are ``specified users'' because they will rely on the auditor's report. However, some may contend that, in addition, NCUA itself is a ``specified user'' of each credit union's supervisory committee audit report. This would put NCUA in the position of having to agree with the CPA and each credit union as to the agreed-upon procedures the CPA will use to ensure that each credit union's audit satisfies the requirements of Sec. 701.12. To expect NCUA to acknowledge the sufficiency of a set of procedures in meeting this part prior to the credit union's engagement of a CPA is both infeasible and would shift the responsibility for the supervisory audit from the credit union's supervisory committee to NCUA. The supervisory committee or its designated representative, not NCUA, is uniquely able to ``attain an understanding of the internal control environment, assess control risk, and based on the control risk, determine the substantive testing (nature, extent, and timing) necessary'' to comply with this section. Many credit union supervisory committees hire a compensated auditor because they do not have the expertise necessary to perform the supervisory committee audit. Supervisory committees consisting primarily of volunteers cannot be expected to acknowledge the sufficiency of a set of agreed-upon procedures developed by accounting professionals. In such cases, the supervisory committee would naturally rely upon the assistance of a CPA to attain an understanding of the internal control environment, assess control risk, and based on the control risk, determine the substantive testing that is necessary. Since 1985, NCUA's objective has been to place with the credit union and its supervisory committee the responsibility for sufficiency of audit procedures and testing. This approach was enunciated in the preamble to the 1985 rule, as follows: The supervisory committee must carry out its duties in a manner responsive to each credit union's circumstances, i.e., the supervisory committee must use good judgment in determining the scope, the frequency, and the detail of the committee's activities. (Deregulation efforts recognized that) * * * a credit union's audits and reviews must reflect each credit union's business activities and financial and operating condition. The committee's work requires judgment of each credit union's needs based on an analysis of each institution's strengths and weaknesses * * * Since the committee is responsible for the audit, it should determine the scope of the work to be performed. The scope of the work should be varied based on the nature of risk and exposure for each transaction or account being audited within each federal credit union. [50 CFR 8710, March 5, 1985] (emphasis added). NCUA's approach is consistent with the approach of the auditing profession today. In fact, SAS No. 75 is premised upon this same line of reasoning, shifting this burden away from the independent accountant to the specified user. The issue created by AICPA's adoption of SAS No. 75 exists under both the current, and this revised supervisory committee audit regulation. Some compensated auditors suggest that SAS No. 75 limits them to performing only opinion audits for credit unions. To the extent that this claim is true, both the cause and the remedy for this limitation resides with the accounting profession. The NCUA Board continues to welcome the CPA practitioner in the performance of supervisory committee audits as one of several favorable options for credit union supervisory committees. It is the NCUA Board's intent to allow credit unions a full range of options in whom they may contract with to have their audit work performed. NCUA will continue to work with the AICPA toward a practicable solution to this question to enable CPA practitioners to perform non-opinion, supervisory committee audits. L. Comments Received on Regulatory Procedures Regulatory Flexibility Act The NCUA Board has certified that small credit unions (less than $1 million in assets) will not see a significant impact because of this proposal. Fourteen commenters believe that NCUA's assessment of the monetary costs of these changes is wrong. Two of these commenters believe it will effect credit unions under $50 million in assets by doubling the cost of the supervisory committee audit. Another commenter states it will substantially increase the cost for small credit unions. NCUA believes these burden estimates are based on a misunderstanding of the proposed requirements as discussed above, especially in the areas of scope of work and reporting. In the final analysis, a cost of doing business as a credit union or any other financial institution is the conduct of an audit to ensure member confidence. The audit must be performed by persons with audit skills commensurate with the complexities of the credit union. For credit unions under $1 million who are already hiring a compensated auditor to perform the supervisory committee audit, NCUA believes the engagement letter requirement, the expanded scope requirement, and ``reducing to writing'' identified reportable conditions/errors [[Page 41323]] or irregularities may minimally increase costs. It is a normal business practice for compensated auditors to obligate audit clients to sign engagement letters and many of the affected credit unions are already doing so. Merely ``reducing to writing'' identified and known reportable conditions and/or errors and irregularities cannot be significantly burdensome. The expanded scope requirements then require examination. Cost can be controlled or reduced by the credit union establishing or strengthening its system of sound internal controls which serve to contain control risk. Favorable control risk can mean the reduced necessity for extensive substantive testing, thus, lower audit costs. We estimate that approximately 64% of the credit unions under $1 million have supervisory committee audits which are performed by the supervisory committee itself (not affected); receive opinion audits (already meet expanded scope); or engage outside auditors who do not meet the definition of ``compensated auditor'' (not affected). Thus, few, if any, of these estimated credit unions will be significantly affected by the expanded scope requirements of this section. Paperwork Reduction Act In the proposal the NCUA Board estimated that for most credit unions the additional paperwork will require only one to three hours a year of additional time. One commenter asks if NCUA has determined the extra time needed for auditors to complete the additional reports required by the proposed regulation. Another commenter believes the paperwork requirements are much higher than stated in the proposal. The additional paperwork burden to the credit union is only relevant to credit unions hiring compensated auditors and lies primarily in the engagement letter requirement and in ``reducing to writing'' reportable conditions and/or errors and irregularities, if any, NCUA did not include paperwork burden as to the compensated auditor, simply additional paperwork burden as to the credit union. NCUA continues to believe the paperwork burden to credit unions is in line with original estimates. M. Miscellaneous One commenter requested that the final rule or its preamble explicitly state that this rule does not apply to corporate credit unions. Section 701.12 does not apply to corporate credit unions. One commenter believes that the proposal unfairly singles out those credit unions that are attempting to upgrade their operation by hiring an independent auditor to do the annual supervisory committee audit. NCUA encourages supervisory committes to avail themselves of the services of compensated auditors when it is advisable and feasible to do so; this regulation is in no way designed to discourage credit unions from doing so. The Board is persuaded in all but the exceptional case, supervisory committees will choose the auditor alternative which is best for its credit union under the circumstances. Failing this, the Board is confident that the annual examination process will identify those credit unions in which evoking the FIRREA provisions of Sec. 701.13 will become necessary. The Board is not issuing any changes to the current regulation regarding the independence and verification of members' accounts but they will be redesignated as Sec. 701.12(g) and (h), respectively. The Board is adopting in final the one proposed change to Sec. 701.13 to redesignate the current Sec. 701.12(e) as Sec. 701.12(h). N. Regulatory Procedures Regulatory Flexibility Act The Regulatory Flexibility Act requires NCUA to prepare an analysis to describe any significant economic impact a proposed regulation may have on a substantial number of small credit unions (primarily those under $1 million in assets). As noted above, NCUA determined in the proposed rule that there was no significant economic impact on small credit unions. Comments received are discussed above. Accordingly, the NCUA Board determines and certifies that this final amendment does not have a significant economic impact on a substantial number of small credit unions and that a Regulatory Flexibility Analysis is not required. Paperwork Reduction Act Comments received on paperwork collection requirements are discussed above. The information collection requirements in the final rule have been submitted to the Office of Management and Budget. The control number assigned for this rule is 3133-0059, approved for use through April 30, 1997. Executive Order 12612 Executive Order 12612 requires NCUA to consider the effect of its actions on state interests. The final amendments will not have a substantial direct effect on the states, on the relationship between the national government and the states, or on the distribution of rights and responsibilities among the various levels of government. List of Subjects in 12 CFR Part 701 Credit unions, Reporting and recordkeeping requirements. By the National Credit Union Administration Board on July 24, 1996. Becky Baker, Secretary of the Board. Accordingly, NCUA amends 12 CFR part 701 as follows: PART 701--ORGANIZATION AND OPERATIONS OF FEDERAL CREDIT UNIONS 1. The authority citation for Part 701 continues to read as follows: Authority: 12 U.S.C. 1752(5), 1755, 1756, 1757, 1759, 1761a, 1761b, 1766, 1767, 1782, 1784, 1787, 1789, 1798 and Public Law 101- 73. Section 701.6 is also authorized by 31 U.S.C. 3717. Section 701.31 is also authorized by 15 U.S.C. 1601, et seq., 42 U.S.C. 1981 and 42 U.S.C. 3601-3610. 2. Sec. 701.12 is amended by redesignating paragraphs (d) and (e) as paragraphs (g) and (h), by revising paragraphs (a) through (c), and by adding new paragraphs (d) through (f) to read as follows: Sec. 701.12 Supervisory committee audits and verifications. (a) Definitions. As used in this chapter: (1) Agreed-upon procedures engagement refers to the performance by an independent, licensed certified public accountant of an engagement in which the scope is limited to applying specified agreed-upon procedures to one or more specified elements, accounts or items of a financial statement. Such procedures are insufficient to express an opinion regarding either the financial statements taken as a whole, or the specified elements, accounts or items under examination. (2) Compensated auditor refers to any accounting/auditing professional, excluding credit union employees, who is compensated for performing more than one compensated supervisory committee audit and/or verification of members' accounts, or opinion audit, per calendar year. (3) Financial statements refers to a presentation of financial data, including accompanying notes, derived from accounting records of the credit union, and intended to disclose a credit union's economic resources or obligations at a appoint in time, or the changes therein for a period of time, in conformity with GAAP or RAP, as [[Page 41324]] defined herein. Each of the following is considered to be a financial statement: a balance sheet or statement of financial condition; statement of income or statement of operations; statement of undivided earnings; statement of cash flows; statement of changes in members' equity; statement of assets and liabilities that does not include members' equity accounts; statement of revenue and expenses; and statement of cash receipts and disbursements. (4) GAAP is an acronym for ``generally accepted accounting principles'' which refers to the conventions, rules, and procedures which define accepted accounting practice. GAAP includes both broad general guidelines and detailed practices and procedures, provides a standard by which to measure financial statement presentations, and encompasses not only accounting principles and practices but also the methods of applying them. (5) GAAS is an acronym for ``generally accepted auditing standards'' which refers to the standards approved and adopted by the American Institute of Certified Public Accountants which apply when an ``independent, licensed certified public accountant'' audits financial statements. Auditing standards differ from auditing procedures in that ``procedures'' address acts to be performed, whereas ``standards'' measure the quality of the performance of those acts and the objectives to be achieved by use of the procedures undertaken. In addition, auditing standards address the auditor's professional qualifications as well as the judgment exercised in performing the audit and in preparing the report of the audit. Copies of GAAS may be obtained from the AICPA, Order Department, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, telephone (800) TO-AICPA or (800) 862-4272. (6) Independence and Independent means the impartiality necessary for the reliability of the compensated auditor's findings. Independence requires the exercise of fairness toward credit union officials, members, creditors and others who may rely upon the supervisory committee audit report. (7) Internal controls refers to the process, established by the credit union's board of directors, officers and employees, designed to provide reasonable assurance of reliable financial reporting and safeguarding of assets against unauthorized acquisition, use, or disposition. A credit union's internal control structure consists of five components: control environment; risk assessment; control activities; information and communication; and monitoring. Reliable financial reporting refers to preparation of financial statements that ``present fairly'' the financial position of the credit union and results of its operations and its cash flows, in conformity with GAAP or RAP, as defined herein. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition refers to prevention or timely detection of transactions involving such unauthorized access, use, or disposition of assets which could result in a loss that is material to the financial statements. (8) Licensed, certified public accountant refers to an accounting/ auditing professional who has received a certificate and license from a duly-appointed state licensing authority to practice accounting/ auditing, and is independent as defined herein. (9) Opinion audit refers to an examination of the financial statements performed by an independent, licensed, certified public accountant in accordance with GAAS. The objective of an ``opinion audit'' is to express an opinion as to whether those financial statements of the credit union present fairly, in all material respects, the financial position and the results of its operations and its cash flows in conformity with GAAP or RAP, as defined herein. (10) RAP is an acronym for ``regulatory accounting practices'' which refer to the conventions, rules, and procedures governing accepted accounting practices, other than GAAP, for credit unions and having the substantial support of either the NCUA or the applicable state credit union supervisor. (11) Related party transactions refers to transactions among or between parties where one party controls or can significantly influence the management or operating policies of the other so as to prevent the other party from pursuing exclusively its own interests. Examples of related parties include: executive management, board members, supervisory committee members, credit committee members, and employees, and their families. Examples of ``related party transactions'' include: interest-free loans or loans at below market rates; sale of real estate significantly below appraised value; nonmonetary exchange of property; below market fees, and making of loans lacking scheduled terms for repayment. (12) Reportable conditions refers to a matter coming to the attention of the independent, compensated auditor which, in his or her judgment, represents a significant deficiency in the design or operation of the internal control structure of the credit union, which could adversely affect its ability to record, process, summarize, and report financial data consistent with the representations of management in the financial statements. (13) Specified elements, accounts or items of a financial statement refers to accounting information that is a part of, but significantly less than, a financial statement. These may be directly identified in a financial statement or notes thereto; or they may be derived from a financial statement by analysis, aggregation, summarization, or mathematical computation. (14) Substantive testing refers to testing of details and analytical procedures to detect material misstatements in the account balance, transaction class, and disclosure components of financial statements. (15) Supervisory committee refers to a supervisory committee as defined in Section 111(b) of the Federal Credit Union Act, 12 U.S.C. 1786(r). For some federally-insured state chartered credit unions, the ``audit committee'' designated by state statute or regulation is the equivalent of a supervisory committee. (16) Supervisory committee audit refers to an examination of specified elements, accounts or items of the credit union's financial statement to the full extent required in this part. An opinion audit as defined herein exceeds the requirements of a ``supervisory committee audit.'' (17) Working papers refers to the principal record, in any form, of the work performed by the auditor and/or supervisory committee to support its findings and/or conclusions concerning significant matters. Examples include the written record of procedures applied, tests performed, information obtained, and pertinent conclusions reached in the engagement, proprietary audit programs, analyses, memoranda, letters of confirmation and representation, abstracts of credit union documents, reviewer's notes, if retained, and schedules or commentaries prepared or obtained by the independent, compensated auditor. (b) Supervisory committee responsibilities. (1) The supervisory committee is responsible for ensuring that: (i) The financial condition of the credit union is accurately and fairly presented in the credit union's financial statements; and (ii) The credit union's management practices and procedures are sufficient to safeguard members' assets. [[Page 41325]] (2) To meet its responsibilities, the supervisory committee shall determine whether: (i) Internal controls are established and effectively maintained to achieve the credit union's financial reporting objectives which must be sufficient to satisfy the requirements of the supervisory committee audit, verification of members' accounts and its additional responsibilities; (ii) The credit union's accounting records and financial reports are promptly prepared and accurately reflect operations and results; (iii) The relevant plans, policies, and control procedures established by the board of directors are properly administered; and (iv) Policies and control procedures are sufficient to safeguard against error, carelessness, conflict of interest, self-dealing and fraud. (c) Supervisory committee audit. (1) A supervisory committee audit of each Federal credit union shall occur at least once every calendar year and shall cover the period elapsed since the last audit period. The supervisory committee audit shall be performed by the supervisory committee or its designated representative, as prescribed in paragraph (c)(5) of this section. (2) Standards for Performing Supervisory Committee Audit. The supervisory committee audit procedures/testing must be performed in accordance with the following standards: (i) The audit is to be performed by a person or persons having adequate technical training and proficiency as an auditor commensurate with the level of sophistication and complexity of the credit union under audit. (ii) Reasonable care is to be exercised in the performance of the audit and the preparation of the report. (iii) The work is to be adequately planned and assistants, if any, are to be properly supervised. (iv) The person or persons performing the audit must attain a sufficient understanding of the internal control structure to plan the audit and to determine the nature, timing, and extent of tests to be performed. (v) The person or persons performing the audit must, through inspection, observation, inquiry, and confirmation obtain sufficient evidence to afford a reasonable basis for the financial statement elements, accounts or items under audit. (3) Scope of Supervisory Committee Audit. The scope of the supervisory committee audit shall consist of: (i) Attaining an understanding of the internal control structure; (ii) Assessing the level of control risk; and (iii) Based on the level of control risk, determining the nature, timing, and extent of substantive testing necessary to confirm the assertions made by management regarding each of assets, liabilities, equity, income, and expenses for the following attributes: (A) Existence or occurrence; (B) Completeness; (C) Valuation or allocation; (D) Rights and obligations; and (E) Presentation and disclosures. (4) In addition to scope requirements set forth in paragraph (c)(3) of this section, an audit performed by an independent, compensated auditor which includes any of the following areas must, with respect to audit scope but not with respect to reporting, satisfy GAAS for expressing an opinion on the financial statements taken as a whole: (i) Internal controls; (ii) Cash; (iii) Loans and interest thereon; (iv) Investments and interest thereon; (v) Shares and dividends and/or interest thereon; (vi) Related party transactions; and (vii) The reporting of identified errors and irregularities with regard to each of the items in paragraphs (c)(4) (i) through (vi) of this section. (5)(i) The requirements of the annual supervisory committee audit may be satisfied by one of the following: (A) An opinion audit of the credit union's financial statements performed by an independent, licensed, certified public accountant; (B) An ``agreed-upon procedures engagement'' performed by an independent, licensed, certified public accountant, which by itself or in combination with procedures performed by the supervisory committee, fulfills the required scope of the supervisory committee audit; (C) A supervisory committee audit performed by an independent, compensated auditor other than an independent, licensed, certified public accountant which by itself or in combination with procedures performed by the supervisory committee, fulfills the scope of a supervisory committee audit; or (D) A supervisory committee audit by the supervisory committee or its designated, uncompensated representative. (ii) In all cases, an independent, compensated auditor is required to contract directly with the supervisory committee for the audit engagement and to deliver its written reports directly to the supervisory committee. (iii) For a supervisory committee audit performed by the supervisory committee or its designated, uncompensated representative, the supervisory committee shall prepare a written report of the supervisory committee audit. (d) Engagement letter. (1) The engagement of an independent, compensated auditor to perform all or a portion of the scope of a supervisory committee audit shall be evidenced by an engagement letter. The engagement letter shall be signed by the compensated auditor and acknowledged therein by the supervisory committee prior to commencement of a supervisory committee audit. The engagement letter shall: (i) Specify the terms, conditions, and objectives of engagement; (ii) Identify the basis of accounting to be used, e.g., GAAP or RAP; (iii) Include an appendix setting forth the procedures to be performed (if not an opinion audit); (iv) Specify the rate of, or total, compensation to be paid for the audit; (v) Provided that the audit shall, upon completion of the engagement, deliver to the supervisory committee: (A) A written report of the supervisory committee audit; and (B) Notice in writing, either within the report or communicated separately, of any internal control reportable conditions and/or irregularities or illegal acts which come to the auditor's attention during the normal course of the audit (i.e., no additional duty is imposed nor additional written communications beyond (A) is required if none of these is noted); (vi) Specify a target date of delivery of the written reports; (vii) Certify that NCUA staff or its designated representative will be provided unconditional access to the complete set of original working papers either at the credit union or at a mutually agreeable location, for purposes of inspection; and (viii) Acknowledge that working papers shall be retained for a minimum of three years from the date of the written audit report. (2) In the case of a supervisory committee audit engagement which addresses all of the financial statement elements, accounts or items and attributes prescribed in paragraphs (c)(3) and (c)(4) of this section, the engagement letter shall certify that the contracted scope of the audit satisfies the requirements of a complete supervisory committee audit. (3) In the case of a supervisory committee audit engagement which excludes any financial statement elements, accounts or items and attributes prescribed in paragraphs (c)(3) [[Page 41326]] and (c)(4) of this section, the engagement letter shall: (i) Identify the elements, accounts or items and attributes excluded from the audit; (ii) State that, because of the exclusion(s), the resulting audit will not, by itself, fulfill the scope of a supervisory committee audit; and (iii) Caution that the supervisory committee will remain responsible for fulfilling the scope of a supervisory committee audit with respect to the excluded elements, accounts or items and attributes. (e) Audit reports and working paper access. (1) Upon completion or receipt of the written supervisory committee audit reports, the supervisory committee shall provide the reports to the board of directors. The supervisory committee shall ensure that the independent, compensated audit and its reports comply with the terms of the engagement letter prescribed in this section. The supervisory committee shall, upon request, provide to the National Credit Union Administration a copy of the written reports received from the auditor. (2) The supervisory committee shall be responsible for preparing and maintaining, or making available, a complete set of original working papers supporting each supervisory committee audit. The supervisory committee shall, upon request, provide NCUA staff unconditional access to such working papers either at the offices of the credit union or at a mutually agreeable location, for purposes of inspecting such working papers. (f) Sanctions. (1) Failure of a supervisory committee and/or its independent compensated auditor to comply with the requirements of this section, or the terms of an engagement letter required by this section, is grounds for: (i) The regional director to reject the supervisory committee audit; (ii) The regional director to impose the remedies available in Sec. 701.13, provided any of the conditions specified in Sec. 701.13 is present; and (iii) The NCUA to seek formal administrative sanctions against the supervisory committee and/or its independent, compensated auditor pursuant to section 206(r) of the Federal Credit Union Act, 12 U.S.C. 1786(r). (2) In the case of a federally-insured state chartered credit union, NCUA shall provide the state regulator an opportunity to timely impose a remedy satisfactory to NCUA before seeking to impose a sanction permitted under (f)(1) of this section. * * * * * Sec. 701.13 [Amended] 3. Section 701.13 is amended in paragraph (a)(2) by revising ``Sec. 701.12(e)'' to read ``Sec. 701.12(h)''. [FR Doc. 96-19511 Filed 8-7-96; 8:45 am] BILLING CODE 7535-01-M