[Federal Register Volume 61, Number 154 (Thursday, August 8, 1996)]
[Rules and Regulations]
[Pages 41312-41326]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-19511]
=======================================================================
-----------------------------------------------------------------------
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 701
Supervisory Committee Audits and Verifications
AGENCY: National Credit Union Administration (NCUA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The National Credit Union Administration (NCUA) is amending
its regulations governing credit union supervisory committee audits and
verifications. The final amendments clarify existing audit scope;
expand audit scope and reporting requirements for compensated auditors
only; require a comprehensive engagement letter setting forth minimum
contracting terms and conditions; clarify existing working paper access
requirements; expressly state available administrative sanctions for
failure to comply with supervisory
[[Page 41313]]
committee audit requirements and working paper access requirements; and
add relevant definitions of accounting/auditing terms use throughout
the regulation.
EFFECTIVE DATE: December 31, 1996.
FOR FURTHER INFORMATION CONTACT: Karen Kelbly, Accounting Officer,
Office of Examination and Insurance (703) 518-6360, or Michael McKenna,
Attorney, Office of General Counsel (703) 518-6540, at 1775 Duke
Street, Alexandria, Virginia 22314-3428.
SUPPLEMENTARY INFORMATION:
A. Background
Section 701.12 of NCUA's Regulations sets forth the supervisory
committee's responsibility in meeting the audit and verification
requirements of section 115 of the Federal Credit Union Act, 12 U.S.C.
Sec. 1761d. A supervisory committee audit is required at least once
every calendar year covering the period since the last audit. The scope
of the audit must be sufficient, at a minimum, to test the federal
credit union's assets, liabilities, equity, income, and expenses for
existence, proper cut off, valuations, ownership, disclosures and
classification, and internal controls. Section 741.202 of NCUA's Rules
and Regulations, 12 CFR 741.12, make these requirements applicable to
federally insured state-chartered credit unions.
NCUA continues to have concerns with the scope of the supervisory
committee audit and with access to working papers supporting such
audits. The Board felt there was a need to amend the regulation
because:
Many supervisory committee audits have been inadequate;
Examiners have been placed in the position of brokering
disputes between external auditors and supervisory committees relative
to audit inadequacy;
The standards supervisory committee have been held to are
not definitive;
Examiner access to ``proprietary working papers'' has been
limited;
Greater uniformity in audit scope is needed; and
The addition of definitions is needed to enhance clarity.
Consequently, on October 19, 1995, the Board issued proposed
amendments to the regulation governing credit union supervisory
committee audits and verifications (Section 701.12 of NCUA's
Regulations) 60 F.R. 55663 (November 2, 1995). On December 19, 1995,
the Board extended the comment period to January 18, 1996. 60 F.R.
66952 (December 27, 1995). The proposed amendments: (1) clarified
existing audit scope; (2) expanded audit scope and reporting
requirements for compensated auditors only; (3) required a
comprehensive engagement letter setting forth minimum contracting terms
and conditions; (4) clarified existing working paper access
requirements; (5) expressly stated available administrative sanctions
for failure to comply with supervisory committee audit requirements and
working paper access requirements; and (6) added relevant definitions
of accounting/auditing terms used throughout the regulation.
B. Comments
One hundred and eighteen comments were received. Comments were
received from sixty-nine federal credit unions, nine state chartered
credit unions, twenty-one state leagues, four national credit union
trade associations, eleven certified public accounting firms, one
internal auditor, one certified public accountant trade organization,
and one government agency. NCUA also received one anonymous electronic
mail.
Eight commenters express complete support for the proposal. Fifteen
commenters oppose the entire proposal. Twelve of these commenters
believe that the current system is working well and that the proposed
amendments will simply result in increased costs without any increased
service. Ninety-seven commenters express varied levels of support for
the proposal; however, most of these commenters had one or more
objections to the proposal. A recurring theme among these commenters
was that the proposal would hurt small credit unions. Another recurring
theme was that the proposed amendments, in effect, require an opinion
audit. Finally, a number of commenters believe the proposed amendments
would increase costs to credit unions.
The Board believes the final regulation reasonably balances the
concerns of those opposing additional burden for small credit unions
with the need for complete and reliable credit union audits. The Board
appreciates the obstacles small credit unions face when operating in
today's environment and does not wish to add to that burden
unnecessarily. The amendments to this regulation will not have a
significant impact on a credit union which meets its supervisory
committee audit obligations in any of the following ways:
The credit union's supervisory committee performs the
audit itself.
The credit union's internal auditor performs the audit.
The supervisory committee recruits a member or volunteer
who performs the audit (i.e., the member or volunteer is not in the
business of performing compensated audits for credit unions).
The supervisory committee obtains an opinion audit.
If the supervisory committee itself or its uncompensated designated
representative performs the supervisory committee audit as prescribed
in Sec. 701.12(c)(5)(i)(D), the following portions of the proposed
regulation will not apply to the supervisory committee audit:
Sec. 701.12(c)(4)--Increased scope requirements in
designated areas;
Sec. 701.12(c)(5)(i)(A-C)--Opinion audits and agreed-upon
procedures in relation to compensated auditors; and
Sec. 701.12(d)--Engagement letter requirements.
Additionally, NCUA will revise its Supervisory Committee Guide for
Federal Credit Unions for targeted release prior to December 31, 1996.
The revised Guide will provide guidance to assist a supervisory
committee itself or its uncompensated designated representative in
meeting the applicable requirements of this regulation.
If the supervisory committee employs an auditor who is defined as a
``compensated auditor'' to perform (or assist in performing) the audit,
the following additional requirements will be necessary:
An engagement letter between the credit union and the
compensated auditor;
Expanded audit scope in certain areas if the compensated
auditor is engaged to address, and agrees to take on, these areas; and
Notification in writing of reportable conditions or errors
and irregularities, if any, discovered in the normal course of the
audit.
------------------------------------------------------------------------
SC Audit performed by
---------------------------------------
Supervisory
Requirement addressed committee or
designated non- Compensated
compensated auditor
auditor
------------------------------------------------------------------------
Engagement Letter............... No engagement Engagement letter
letter required.
requirement.
[[Page 41314]]
Scope........................... As exists under As exists under
current current
regulation. regulation, plus
expanded scope in
identified
areas.1
Testing/Procedures Performed in Regulation Regulation
Accordance With. identifies identifies
specific specific
standards which standards which
apply. apply.
Reporting Standards............. As exists under As exists under
current current
regulation. regulation, plus
``reportable
conditions,'' if
any, and ``errors
and
irregularities,''
if any, simply
``reduced to
writing''.1
------------------------------------------------------------------------
1 Distinguishable from an opinion audit because the following are not
required: full scope of opinion audit, financial statements, related
disclosures, auditor's opinion, or negative assurance.
Comments Relating to Current Sec. 701.12. Throughout the comment
letters of accounting/auditing professionals were a series of comments
addressing conditions which apply equally to the current and to the
revised Sec. 701.12. These include:
1. Auditing work should not be performed by lay individuals; CPAs
alone have the professional proficiency to perform audits.
2. The proposed regulations put CPAs at an economic disadvantage to
compete in the credit union marketplace. A CPA performing a supervisory
committee audit would be bound by the professional auditing standards
promulgated by AICPA and the State Board of Accountancy, while a non-
CPA is not so burdened. CPA would not be able to charge fees
competitive with (i.e., as low as) that of non-CPA.
3. CPAs are concerned about the ability of non-CPA examiners to
review CPA's work.
4. CPAs may limit themselves to performing only opinion audits for
credit unions. A new auditing standard, Statement of Auditing Standard
(SAS) No. 75, governing agreed-upon procedures engagements requires
users of agreed-upon procedures reports to acknowledge the sufficiency
of such procedures in satisfying the requirements of the specified
user. If the CPA cannot get the specified user to do this (in advance
of the engagement), then the only work a CPA could perform for a
specified user would be an opinion audit. The thrust of this comment is
that NCUA would qualify as a ``specified user'' and would, therefore,
have to acknowledge the sufficiency of the procedures prior to each
credit union's engagement of a CPA.
Each of these comments applies equally to the current regulation
and the amended version being issued as a final rule; they are not
exacerbated by the amendments. The source of some of the conditions
addressed in the comments is not, if fact, any action by NCUA, but
rather, exists due to the actions of others. The first three
conditions, which we will address first, are relatively straight-
forward; the SAS No. 75 issue is more complex and is addressed in
section K.
The first condition will exist as long as NCUA allows auditors
other than licensed, independent certified public accountants to
perform supervisory committee audits. Since the NCUA Board is committed
to allowing credit union supervisory committees the option to engage
non-CPA accounting/auditing professionals, there can be no ready
resolution of this concern either under the current or the amended
final regulation.
As to the second area of concern, that CPAs are bound by
professional standards imposed by state licensing authorities and by
the AICPA (e.g., education, proficiency, peer review, AICPA
professional ethics, GAAS, etc.), while non-CPAs are not, this is not
the result of any additional requirements imposed by NCUA. The NCUA
Board has no jurisdiction over the imposition of auditing standards
governing the work of CPAs. The only way to ``regulate away'' the
purported ``economic disadvantage'' the CPAs would be to limit the
performance of supervisory committee audits to licensed, independent
certified public accountants. This would create an ``economic
disadvantage'' as to all other types of auditors, particularly those
who audit small credit unions. The NCUA Board does not believe this is
a viable solution.
Third, examiners review the work of compensated auditors for
compliance with this section. Wherein such examination requires the
non-CPA examiner to review compensated auditor's work for compliance
with GAAS and a deficiency is suspected, NCUA recognizes it is not an
authority on GAAP or GAAS. Referral to state accountancy licensing
authorities or the AICPA Ethics Division, where applicable, will be
NCUA's means of seeking assistance to make such determinations. NCUA is
sympathetic to the argument that non-CPAs do not have the knowledge and
proficiency necessary to determine the extent of substantive testing
required under GAAS, but it believes they can do so under this section
which is a lesser, and regulatory defined, standard.
As to the fourth area of comment, this area is somewhat more
perplexing. We have discussed SAS No. 75 and related issues in section
K. Suffice it to say here that this condition exists as a result of the
new auditing standard promulgated by auditing standards-setters which
became effective May 1, 1996. The condition exists under the current
regulation and was not created or aggravated by any NCUA effort to
amend this regulation. The timing of the SAS No. 75 effective date and
NCUA's efforts to revise this part are coincidental.
Areas Seemingly Misunderstood. The comment relative to ``burden on
small credit unions'' are believed to have resulted primarily from a
misunderstanding of the proposed amendments. Such comments made
include:
The regulations essentially require an opinion audit.
Audit scope will have to be expanded substantially to
generate the two additional reports required.
Working paper access requirements will generate increased
travel and credit union staff costs.
Each of these areas are discussed at length below.
C. Definitions
The proposal added a set of definitions for terms used in the
regulation. Many of these terms, while familiar to accounting/auditing
professionals, may be less well know to supervisory committee
volunteers. The proposed definitions included: (1) Agreed-upon
procedures; (2) Applicable generally accepted auditing standards
(GAAS); (3) Audit or Opinion audit; (4) Compensated auditor; (5)
Financial statements; (6) Generally accepted
[[Page 41315]]
accounting principles (GAAP); (7) Generally accepted auditing standards
(GAAS); (8) Independence or Independent; (9) Independent, licensed,
certified public accountant; (10) Internal controls; (11) Other
comprehensive basis of accounting; (12) Related party transactions;
(13) Reportable conditions; (14) Substantive testing; (15) Supervisory
committee; (16) Supervisory committee audit; and (17) Working papers.
The NCUA Board also requested comment on whether any additional terms
should be defined in the regulation.
Eight commenters believe no further terms should be defined while
three commenters believe the final amendments should define additional
terms. One commenter requests a definition of ``verifications.'' One
commenter requests NCUA define ``summary of operations'' One commenter
believes NCUA should define ``internal auditor'' and ``Standards for
the Professional Practice of Internal Auditing.'' Thirteen commenters
believe that the proposal adequately defined the terms listed. Three of
these commenters state that the definitions are valuable to credit
unions. Four commenters believed that the proposal does not adequately
define the listed terms.
Generally, if several commenters suggested redefinitions along the
same lines and the suggested language was technically correct, the
final regulation reflects the revised language. Definitions for
``internal auditor'' and ``Standards for the Professional Practice of
Internal Auditing'' were not added as neither of these terms are used
anywhere in the regulation. A definition for ``verifications'' was not
added since it is defined and discussed fully in the existing
regulation, Sec. 701.12(e). ``Summary of operations'' is simply a
phrase which was used within the ``financial statements'' definition
which is not critical to an understanding of the definition or the
regulation; this phrase was dropped. One definition was added and that
was the SAS No. 75 definition of ``specified elements, accounts or
items of a financial statement.''
The definition of ``applicable GAAS'' and the use of that term was
dropped throughout the regulation. In the proposed regulation, we had
defined ``applicable GAAS'' as GAAS excluding the second general
standard and the standards of reporting. In the final regulation, we
dropped the term ``applicable GAAS'' and instead spelled out five
specific standards, contained in paragraph (c)(2). The five standards
were adopted with modifications from the AICPA's ten generally accepted
auditing standards, again excluding the second general standard and the
standards of reporting. The Board believes that the use of the term
``applicable GAAS'' may intimidate laymen; spelling out the specific
standards intended should help eliminate any apprehension. The Board
believes these standards are reasonable and attainable.
The proposal defined ``audit or opinion audit'' in part, as an
examination of the financial statements performed by an independent,
licensed, certified public accountant in accordance with generally
accepted auditing standards. One commenter believes that this
definition must be modified. This commenter states that an ``audit''
and an ``opinion audit'' are not the same thing, and not all credit
unions need an opinion audit which is performed by an ``independent,
licensed, certified public accountant.'' One commenter states that
since the definition applies to the word ``audit'' alone it is unclear
if this requirement applies everywhere in the regulation where the term
is used. For example, this commenter states that ``Supervisory
Committee Audit'' could mean an ``audit'' by a CPA, which the commenter
believes is beyond the scope of what NCUA is requiring with this
proposal. This commenter suggests restricting the definition to only
``opinion audits.'' One commenter states that there is an inconsistency
between the definition of ``audit'' or ``opinion audit'' and the
proposed supervisory committee audit in Section 701.12(c). This
commenter states that the definition states an audit is to be performed
by an independent, licensed, certified public accountant; whereas
Section 701.12(c) provides other alternatives in the completion of an
audit and specifically provides that someone other than a certified
public accountant such as the supervisory committee may conduct audits.
Within the accounting profession and as represented in GAAS,
``audit'' is the term used for an ``opinion audit''. In fact, ``opinion
audit'' is jargon for ``audit''; the terms are synonymous. However,
since the use of the term ``audit'' in the regulation without an
accompanying adjective such as ``opinion'' or ``supervisory committee''
was confusing to some of the commenters, we have eliminated the
definition of ``audit,'' narrowed the definition to ``opinion audit''
and use only the term ``audit'' (when used as a noun) throughout the
regulation preceded by descriptive terms, e.g., opinion audit, or
supervisory committee audit. As to the alternatives set forth in
Sec. 701.12(c), these relate to the performance of a supervisory
committee audit. The scope of an opinion audit exceeds that a
supervisory committee audit. Thus, an opinion audit which complies with
GAAS, would exceed the requirements of the regulation.
The proposal defined a ``compensated auditor'' as any accounting/
auditing professional who is compensated for performing the supervisory
committee audit and/or verification services. Thirteen commenters
believe that the term ``compensated auditor'' should be revised so as
to distinguish between the credit union's internal auditor and the
credit union's contracted external auditor. These commenters believe
the proposal could be interpreted so that a compensated auditor is
defined as an accounting or auditing professional who is employed
directly by the credit union. Two commenters believe that the term
``compensated auditor'' should not include someone who simply lends a
hand to the supervisory committee in completing the audit. Two
commenters believe that external auditors should be licensed
professionals (such as CPAs) to ensure that audits are detailed and
reflect the actual financial condition of the institution.
The Board found the comments in this area helpful and has amended
the definitions in response to some of the suggestions. It is not the
Board's intent to include credit union employees acting in the course
of their employment (internal auditors) or someone who simply lends a
hand (volunteer). Nor is the Board comfortable with restricting the
performance of supervisory committee audits to licensed professionals.
The definition has been changed to exclude employees and to exclude
individuals who perform no more than one compensated supervisory
committee audit per calendar year. The later provision was added to
ease the burden for small credit unions who may benefit through the
assistance of a volunteer, someone who simply lends a hand, e.g., the
local bookkeeper who, while compensated, performs the supervisory
committee audit (one per calendar year) for a minimal and reasonable
remuneration.
The proposal defined generally accepted auditing standards (GAAS)
in part as the standards approved and adopted by the American Institute
of Certified Public Accountants which apply when ``independent,
licensed certified public accountants'' audit financial statements. One
commenter believes this definition will substantially increase the
costs of audits for smaller credit unions that do not use a CPA. One
commenter believes that the definition implies that a CPA is bound
[[Page 41316]]
by GAAS but non-CPAs are exempted from certain provisions and that this
is unfair to the CPA. One commenter states that the definition does not
identify which items of GAAS do not apply to the supervisory committee
or its uncompensated auditor.
In the final regulation, the Board has eliminated the use of the
term ``applicable GAAS'' and refers to GAAS only once in the final
regulation--in paragraph (c)(4), in conjunction with expanded scope for
compensated auditors. The term ``applicable GAAS'' appeared to
intimidate many commenters. The Board has replaced this approach by
listing five relevant standards in the body of the regulation. The
standards were adopted with modifications from the AICPA's ten
generally accepted auditing standards, again excluding the second
general standard and the standards of reporting. Procedures and testing
performed consistent with the five identified standards are required
for credit union supervisory committees, whether they hire a
compensated auditor or not. Scope of work within the guidelines of the
regulation, and degree of substantive testing (nature, extent and
timing), are set by the supervisory committee or its designated
representative based on its assessment of inherent risk, after gaining
an understanding of the internal control environment. This approach
does not bind a supervisory committee or its designated representatives
to those requirements of GAAS which are definitionally unattainable,
e.g., certain GAAS provisions a non-CPA cannot meet by virtue of the
fact that he is not a CPA.
There is no additional burden imposed in redefining the standard
supervisory committees must meet in the performance of procedures and
testing. By eliminating the term ``professional auditing procedures and
standards'' which is non-specific, and replacing it with a listing of
the five specific, relevant standards, the Board is issuing clearer
standards. The amendment will not substantially increase burden on
small credit unions because the regulation clearly does not require a
CPA opinion audit, neither in scope of work nor reporting burden. There
is no requirement for financial statements to accompany the report; no
opinion is necessary; and negative assurance is not required. Since
many of the commenters misunderstood certain provisions of the proposed
regulation, their estimates of burden were based on a scope of work and
reporting requirements substantially greater than what was actually
proposed and/or intended. An additional burden exists only in the area
of audit scope (not reporting) when the work is performed by a
compensated auditor. While there is increased burden to some credit
unions resulting from this requirement, the Board believes it is
necessary and minimal.
The proposal defines ``independence and independent'' as ``without
bias with respect to the credit union so as to maintain the
impartiality necessary for the reliability of the compensated auditor's
findings. Independence requires the exercise of fairness toward credit
union management, members, creditors and others who may rely upon the
independent, compensated auditor's report. Auditors must be independent
in fact and in appearance.''
Eighteen commenters believe that this definition may pose problems
for state leagues because some leagues are owned by credit unions for
which the league provides audit services. These commenters request that
the definition be clarified because they believe if the proposed
definition of ``independence'' is strictly applied it could put league
audit services out of business. They request that the preamble to the
final amendments specifically state that league auditing programs are
considered independent under the regulation. Seven commenters believe
that a league audit is considerably cheaper than an audit by an
accounting firm and if the state league was prohibited from doing the
audit it would result in increased costs to credit unions. Some
commenters also believe this definition should not be construed to mean
that only CPAs could perform audits for credit unions. Several
commenters recommend deleting the following sentence from the
definition: ``Auditors must be independent in fact and in appearance.''
NCUA has revised the definition for ``independence'' to exclude the
following: ``without bias with respect to the credit union'' and
``Auditors must be independent in fact and in appearance.'' Further, it
is not the Board's intent to exclude league auditing services from
performing supervisory committee audits or to require such services to
use report terminology reserved by state laws specifically for CPAs.
The Board is persuaded, however, that to be considered independent,
league auditors must be independently managed. League auditors will not
be considered independent in providing supervisory committee audits for
a credit union if the credit union to be audited has an executive/
employee on the affiliated league board who influences board decisions
relative to the league auditing service. League auditors would be
considered independent if the executive/employee on the affiliated
league board recuses himself from all discussions, decisions, or
actions directly or indirectly related to the league auditing service/
department/function and/or meeting any requirements of this section.
Additionally, the recusal must be documented in the written board
minutes. Another alternative would be for reciprocity of league
auditing services between leagues and credit unions subject to this
restrictive interpretation. A third alternative would be for the league
auditing service to periodically obtain a peer review from another
league auditing service, similar to current practice for AICPA-
affiliated, CPA firms in public practice. Such a peer review would
provide a reasonably independent quality review of the league auditing
service's compliance with required auditing standards in the
performance, documentation, and reporting of auditing services provided
to federally-insured credit unions. The written peer review report
would be available to NCUA, upon request, in conjunction with the
examination of a particular credit union's supervisory committee audit
and verification.
The proposal defined ``internal controls'' in part as the process,
established by the credit union's board of directors, officers and
employees designed to provide reasonable assurance of reliable
financial reporting and safeguarding of assets against unauthorized
acquisition, use or disposition. Furthermore, this definition stated
that a credit union's internal control structure consists of five
components: control environment; risk assessment; control activities;
information and communication; and monitoring. One commenter states
that this definition could result in a decrease in testing of internal
control structures.
The supervisory committee's responsibilities with regard to
internal controls is clearly set forth in Sec. 701.12(b)(2)(i) and
(c)(2). The compensated auditor's further responsibility with regard to
internal controls is set forth in Sec. 701.12(c). The proposed and
final regulation does not decrease the amount of testing of internal
control structures than is required in the existing regulation, nor
does it drastically expand required testing. The Board intends that the
supervisory committee attain an understanding of the internal control
structure; assess the level of control risk; and based thereon,
determine the nature, timing, and extent of substantive testing
necessary to comply with the
[[Page 41317]]
minimum supervisory audit scope. The materiality level the supervisory
committee chooses to govern scope and testing must encompass reasonable
tests of the internal control structure commensurate with the size and
complexity of the credit union under audit. Choosing a materiality
level which results in no reasonable testing of internal controls would
not be acceptable. Expanding audit scope to achieve a complete audit of
the credit union's system of internal controls (commenter terms this
``full compliance audit'') is not intended. The Board is simply seeking
the extent of internal control testing which is normal in the audit of
financial statements. The distinction would be clear to accounting/
auditing professionals; it may be less so to supervisory committee
member volunteers.
The proposal defined ``related party transactions'' as transactions
among or between parties where one party controls or can significantly
influence the management or operating policies of the other so as to
prevent the other party from pursuing exclusively its own interests.
The proposals provided the following examples of related parties:
credit union members and their families, and credit union officials and
their families. The proposal also stated that examples of ``related
party transactions'' include: interest-free loans or loans at below
market rates; sale of real estate significantly below appraised value;
nonmonetary exchange of property; and making of loans lacking scheduled
terms for repayment. Three commenters believe the definition of
``related party transactions'' should include examples of related
parties similar to those used in the preamble rather than those
provided in the proposed definition. Two commenters believe that the
examples of related parties in the definition is vague and obscures the
meaning of the term.
The definition of related parties has been changed to eliminate
credit union members and their families and to add examples of related
parties to include: executive management, board members, supervisory
committee members, credit committee members, employees and their
families.
The proposal defined ``supervisory committee audit'' in part as an
examination of the credit union's financial statement in accordance
with applicable GAAS, which is performed by the supervisory committee
or its designated representative as required by the regulation.
Furthermore, the last sentence of the definition stated that an opinion
audit as defined by this regulation satisfies the definition of
``supervisory committee audit.'' One commenter states that the
supervisory committee responsibilities need to be specifically defined,
as well as any sanctions or penalties, if any, that may be assessed and
how they will be determined. One commenter states that the last
sentence of this proposed definition should be eliminated. One
commenter states that this definition implies that a supervisory
committee audit must be undertaken by a certified public accountant.
This commenter suggests NCUA use ``supervisory committee review''
instead of ``supervisory committee audit'' to clarify this issue.
The Board changed the definition of ``supervisory committee audit''
to drop the ``applicable GAAS'' reference, consistent with the addition
of paragraph (c)(2) detailing five specific standards which must be met
in the conduct of the supervisory committee audit. We continue to
include the last sentence in the definition but have revised it to
indicate that an opinion audit is one of several ways to satisfy the
requirements of the regulation. It is a misinterpretation of the
proposed regulation to conclude that a supervisory committee audit must
be undertaken by a certified public accountant. The Board continues to
use the term ``supervisory committee audit'' because this is how the
function is identified in the Federal Credit Union Act. The Board is
satisfied that the final regulation clearly defines the supervisory
committee responsibilities, short of providing a written audit program.
Available sanctions and penalties are those that are normally available
to NCUA in dealing with regulatory non-compliance as granted throughout
the Federal Credit Union Act and administered through the NCUA's
Regulations.
The proposal defined ``working papers'' in part as the principal
record, in any form, of the work performed by the auditor and/or
supervisory committee to support its findings and/or conclusions
concerning significant matters. The definition provided the following
examples of documents that meet this definition: the written record of
procedures applied, tests performed, information obtained, and
pertinent conclusions reached in the engagement, audit programs,
analyses, memoranda, letters of confirmation and representation,
abstracts of credit union documents, reviewer's notes, if retained, and
schedules or commentaries prepared or obtained by the independent,
compensated auditor. One commenter specifically supports this
definition. Several commenters believe that although they agree with
the ``working papers'' definition, they do not agree that all of the
examples of working papers cited therein meet the definition. They
believe that all of the auditors' memoranda, personal notes, and
commentaries do not make up the principal record of the work performed.
They suggest references to these items be eliminated from the list of
examples provided in the definition of working papers. One commenter
believes the definition is so extensive that it may discourage the
compilation of notes and other internal memoranda, to the detriment of
the credit union having a thorough audit.
The Board believes that, in the past, accounting/auditing
professionals have afforded themselves broad license in determining
what they will provide to NCUA staff in the way of working papers. This
situation has resulted through a wide interpretation, by some
compensated auditors, of what constitutes ``proprietary information.''
The Board is persuaded that such discretion needs to be limited. NCUA
staff needs access to a complete set of working papers. The Board
believes much of what compensated auditors have held back as
``proprietary'' is integral to NCUA staff in assessing if the audit
meets regulatory requirements. Requiring full access to existing
working papers should in no way discourage the compilation of notes and
other internal memoranda, to the detriment of the credit union having a
thorough audit. The standards requiring working paper documentation is
not changed, lessened or strengthened by this final regulation which is
simply seeking full disclosure to NCUA staff of existing working paper
information. Photocopies are not required.
D. Expanded Audit Scope
The proposed amendments expanded the required audit scope when a
supervisory committee employs the services of a compensated auditor.
The Board proposed the changes to address practical enforcement
problems in the existing regulation, some of which have arisen through
the examination process as a matter of course and others of which have
arisen in litigation and in negotiating settlements. Additionally the
changes were intended to eliminate vagueness regarding the required
audit scope as well as improving supervisory committee audits. The
vagueness of audit scope has been the subject of complaints from both
credit unions and examiners.
The Board proposed that the supervisory committee audit shall be
made by the supervisory committee or
[[Page 41318]]
its designated representative using applicable GAAS. Furthermore, the
Board proposed that for the compensated auditor, audit testing of the
following areas must satisfy applicable GAAS for expressing an opinion
on the financial statements taken as a whole: internal controls, cash,
loans and interest thereon, shares and dividends and/or interest
thereon, related party transactions, and the detection and reporting of
errors and irregularities with regard to each of these areas.
Three commenters specifically support the new audit scope. Two
commenters believe the clarification eliminates any possible confusion
regarding the overall requirements of the audit. One commenter
recommends that this section be revised to state that the supervisory
committee shall determine whether the established internal controls are
sufficient to identify/detect material errors and fraud. The Board does
not believe it is necessary to revise this section to include the
suggested language because the responsibilities of the supervisory
committee with regard to ``internal controls'' and ``error,
carelessness, conflict of interest, self-dealing and fraud errors and
irregularities'' are already set forth.
Seventeen commenters believe a compensated auditor should follow
GAAS. Two of these commenters believe credit union auditors should be
held to the same high standards as auditors in other industries. One of
these commenters stated that GAAS is the acceptable standard for all
audits. One of these commenters believes that a compensated auditor
should be required to follow GAAS but it should not be required by
regulation. One supporting commenter believes that this amendment will
have numerous unintended consequences, one of which will result in
requiring any audit performed by a CPA to be an opinion audit. This
commenter also believes the proposal could harm small credit unions by
having them seek less qualified individuals.
As addressed above, the Board does not wish to require an opinion
audit for credit unions. To require compensated auditors to meet GAAS
in scope of work, audit testing and reporting would be to require an
opinion audit by a licensed, independent certified public accountant.
The Board believes adopting the five specific standards set forth in
the final regulation is preferable to the existing rule's reference to
``professional auditing procedures and standards''; the former is
specific while still allowing for reasonable judgment, the later is too
vague. And while the expanded audit scope may slightly increase costs
to some credit unions, the Board believes this burden is reasonable and
necessary in light of the substandard audits NCUA found in some credit
unions.
Twenty commenters believe compensated auditors should not be
required to follow GAAS. One of these commenters believes that it
appears to have the practical effect of requiring the performance of an
opinion audit, except the actual issuance of an opinion, whenever an
outside auditor is used. Six of the commenters believe such a
requirement will increase credit union costs. Three commenters believe
this requirement will hurt small credit unions. One commenter believes
that the proposed GAAS requirements could result in small credit unions
employing CPAs to perform the audit and could discourage members from
volunteering to serve on the supervisory committee. In the final
regulation, a standard far short of GAAS is being required. Five
specific standards governing performance of the work are set forth in
the final regulation. Financial statements are not necessary, an
opinion or attestation is not required, negative assurance is not
sought, and GAAS reporting standards do not have to be met, paragraph
(c)(4). Only compensated auditors are being held to GAAS-level scope
and testing (not reporting), and then, only in selected risk areas. We
continue to believe that the increased burden estimates were based on a
misunderstanding of proposed regulatory requirements.
One commenter states requiring non-CPA auditors to meet CPA
standards is tantamount to requiring CPA audits. Another commenter
states that league auditors are not allowed by AICPA rules to use the
terms GAAS and GAAP in their audit reports. Furthermore, the commenter
states that if these terms are required it will mean that only CPAs
could audit credit unions which would prohibit league audits as well as
increase credit union costs. The proposed and final regulations do not
require non-CPAs to use GAAS and GAAP references or language in
supervisory committee audit reports. In the proposed regulation the
definition of ``applicable GAAS'' excluded the ``standards of
reporting.'' The final regulation continues to exclude these reporting
standards. The relevant standards governing performance of work have
been more specifically identified in the final regulation in paragraph
(c)(2).
One commenter believes that NCUA should determine what additional
procedures should be performed, if any, on a credit union by credit
union basis, rather than requiring all compensated auditors to complete
an expanded scope. Another commenter also states that NCUA should not
require expanded scope for all credit unions. It is not practical for
NCUA to determine what additional procedures should be performed, if
any, on a credit union by credit union basis, thus this alternative of
requiring the supervisory committee or its designated representative to
attain an understanding of the internal control environment, assess
control risk, and based thereon, determine the extent of substantive
testing necessary to meet the requirements of this section. The
guidelines NCUA primarily will use in assessing the adequacy of the
expanded scope under paragraph (c)(4) will be the AICPA's guide,
``Audits of Credit Unions'', relevant chapters, subheading ``Audit
Objectives and Procedures'' where discussions are provided on audit
objectives, planning considerations, internal control structure, tests
of controls, and substantive tests. The expanded scope in selected,
identified areas for all credit unions that employ a compensated
auditor should contribute to improved consistency and uniformity.
One commenter believes the proposed amendments impose different and
higher standards for supervisory committee audits conducted by
compensated auditors than those performed by supervisory committees or
uncompensated auditors. Two commenters believe the proposed amendment
is an attempt to permit non-CPAs to perform the work of CPAs when
auditing credit unions. Both commenters believe that this poses an
increased risk of substandard audits which will fail in detecting
serious accounting deficiencies and internal control weaknesses.
Another commenter believes a non-licensed accountant attempting to
comply with the regulation may be violating state accountancy law by
performing duties which can only be performed by a licensed CPA.
Another commenter does not believe it is realistic or feasible to
require volunteer supervisory committee members to comply with a
complex body of standards that require significant education and
training to understand.
While the Board appreciates the seemingly unfairness of imposing a
different and higher standard for supervisory committee audits
conducted by compensated auditors than for those performed by
supervisory committees or uncompensated auditors, the Board must be
realistic in
[[Page 41319]]
recognizing that imposing an expanded scope requirement for supervisory
committee audits performed by layman would be to invite certain
disappointment. NCUA will need to review supervisory committee audits
for thoroughness and sufficiency, and recommend needed supplemental
procedures and testing to enhance the effectiveness of the audit
process. Furthermore, for those supervisory committees that continue to
perform the audit and/or verification themselves, where the credit
union's sophistication and complexity have grown beyond the
capabilities of the resident supervisory committee and its staff, it
will be incumbent upon NCUA to recognize the deficiencies in the audit
which diminish the committee's usefulness in the oversight process
assigned it under Sec. 701.12. NCUA has significant flexibility under
Sec. 701.13 of NCUA's Regulations, through FIRREA, to call for the
conduct of a second audit, one which will fulfill the intended
objectives of this regulation. The requirement for a second audit would
add burden since it must be performed by an independent public
accountant.
E. Engagement Letter Requirement
The Board proposed to require credit unions which employ
compensated auditors to memorialize the terms and conditions of the
engagement in a comprehensive engagement letter, which constitutes an
enforceable contract between the compensated auditor and the
supervisory committee. The proposal also set forth the minimum
requirements of an audit engagement to be addressed in such a letter.
The Board made this proposal to further reduce the confusion for
required scope components that are excluded from the audit engagement.
Thirty-eight commenters support this proposal. Fourteen of these
commenters believe the requirements for an engagement letter should
adequately protect the interests of the supervisory committee. Five
commenters believe the engagement letter will formalize the
expectations of the supervisory committee. Four commenters believe that
this proposal would eliminate any misunderstandings between the
supervisory committee and the auditing firm. One commenter supports the
requirement to provide an appendix to the engagement letter specifying
the procedures to be performed.
Seven commenters believe it should be left to the discretion of the
credit union to determine what specific details should be included in
the engagement letter. Conversely, two commenters believe that NCUA
should produce a form engagement letter in the final rule. In current
practice, the engagement letter has been written primarily by the
compensated auditor, for the compensated auditor. Many credit unions
have signed the engagement letters thus drafted without a real
knowledge or understanding of what specific details should be included.
Through the engagement letter requirement, the Board hopes to help
credit unions in its business dealings with the professional auditor.
The regulation sets forth minimums; the credit union has full
discretion to include other provisions.
The compensated auditor has the option to exclude from his scope of
work any areas for which he is uncomfortable/unwilling to perform the
expanded audit scope, if such exclusion is agreeable to his credit
union client. He is obligated then only to caution the supervisory
committee in the engagement letter that the supervisory committee will
remain obligated to perform or have performed this required but
excluded work. As concerns areas excluded from the audit engagement,
simple, general statements, such as is demonstrated in the current
AICPA Guide, Audits of Credit Unions, illustrative engagement letter,
with the added caution required in the rule, Sec. 701.12(d)(3)(i)(C),
is the minimum NCUA is seeking. For example, ``The scope of this audit
* * * does not include an evaluation of all areas that generally are of
higher risk in the credit union industry, such as securities held or
the collectibility of loans, the adequacy of collateral thereon, or the
reasonableness of the allowance for loan losses,'' plus cautionary
language required consistent with this section.
Five commenters stated that the requirement in the proposal that
the engagement letter specify a date of delivery of the written audit
report is unrealistic. They believe that the auditor can not complete
the audit if the required information is not available. One commenter
believes this requirement puts undue pressure on the auditor. One of
these commenters stated that we should not require an exact delivery
date but rather a ``target'' delivery date. The Board agrees with this
commenter. Delivery date has been changed to ``target date of
delivery.'' The intent is to provide the auditor with flexibility in
dealing with unforeseen events while providing NCUA with a target date
for receiving the report.
Nine commenters do not believe NCUA should require a formal
engagement letter. One commenter believes that the requirement for an
engagement letter will not adequately protect the interests of the
supervisory committee. One commenter states this should not be a
regulatory requirement since most credit unions already use an
engagement letter. One commenter states that the use of an engagement
letter is a management decision. One commenter believes the additional
cost for this separate letter far outweighs the perceived benefit. Two
commenters believe regulating the content of an engagement letter is
unnecessary. One commenter states that the criteria and the matter to
be included in the engagement letter as outlined by SAS 75 address
questions concerning the conditions for engagement preference, the
sufficiency of procedures, the nature, timing and extent of procedures
and will address issues that may arise between the auditor and the
supervisory committee.
The NCUA Board believes the engagement letter requirement will
protect the credit union, will compel communication concerning the
audit engagement, and will provide all parties with an enforceable
contract and a documented record of accountability which hopefully will
preclude NCUA from brokering disputes between the credit union and the
compensated auditor. Credit unions are free to include any additional
criteria, conditions, terms in the engagement letter beyond those
required (such as those additionally outlined in SAS No. 75); again,
the regulation is suggesting the minimum requirements. The final
amendment reflects engagement letter requirements, generally as
proposed, with the addition of target date of delivery, and working
paper retention requirements for 3 years from the date of the audit
report.
F. Requirement for a Written Report of Internal Control Exceptions or
Reportable Conditions and a Written Report of Irregularities or Illegal
Acts
The proposed amendments required written reports of any internal
control exceptions or reportable conditions noted and of any
irregularities or illegal acts noted. Eighteen commenters support the
requirement to report on internal controls and possible illegalities.
Ten commenters state that requiring these reports will not increase the
cost of a supervisory audit. Two commenters, although supporting the
requirement, believe it will increase credit union costs. Three
commenters state that the information in the reports is already
available in some form of report. We agree the information is already
available as a result of performing the supervisory committee
[[Page 41320]]
audit, but current requirements do not mandate written communication.
Thirty-seven commenters oppose this requirement. Twenty-six
commenters state that requiring these reports will increase the cost of
supervisory committee audits. Five commenters wondered why the auditor
cannot simply report any such findings in their normal report to the
supervisory committee instead of creating two new reports. This option
is agreeable to NCUA; we are simply seeking such information be
``reduced to writing.'' Three commenters believe that no report should
be required if no internal control exceptions, reportable conditions or
irregularities or illegal acts were noted. This is also agreeable to
NCUA; we are not seeking negative assurance. One commenter states that
auditors that find problems during the scope of their normal audit
already comment on internal controls and fraud when appropriate in the
audit report to the credit union. Not necessarily; CPAs are not
required to communicate such matters in writing. One commenter states
that one report should be able to handle both issues. The Board agrees
and the final regulation reflects this.
Two commenters believe this requirement will hurt smaller credit
unions since they usually have weaker controls due to small staffs.
This requirement was not added to ``hurt smaller credit unions,'' but
often these are the very credit unions where efforts are needed to
bolster internal controls. One commenter states that the requirement to
have the compensated auditor report on internal control and fraud may
not be valid for all credit unions. This commenter believes that credit
unions having an internal audit function should be exempted from this
requirement to avoid duplication of efforts and costs. The internal
audit function could be the means by which the supervisory committee
chooses to comply with this section.
This was one of the most misunderstood proposed amendments to the
regulation. NCUA is simply asserting that any instances of reportable
conditions or errors and irregularities which are identified in the
normal course of a supervisory committee audit, be reduced to writing.
Currently, while such information must be reported, GAAS does not
require this information to be in writing. Without written
communication of these items, NCUA has limited assurance of gaining
knowledge of the auditor's observations in these areas, unless the
credit union provides notification voluntarily.
NCUA does not expect or require any negative assurance; no report
is required if internal control exceptions, reportable conditions or
irregularities or illegal acts were not noted. In many supervisory
committee audit reports prepared by compensated auditors other than
CPAs under existing guidelines, such internal control and fraud
problems/weaknesses uncovered during the scope of their normal audit
are already commented upon, when appropriate, in the audit report to
the credit union. This practice continues to meet regulatory
requirements under the final regulation.
NCUA has no preference whether the auditor prepares one report
including this information, two reports or three; what matters is that
the information is reduced to writing. NCUA does not expect supervisory
committees to direct audit scope at discovering such problems. Nor is
NCUA seeking a specific report on the control structure and any
breaches of that structure or to specifically note the absence or
presence of any irregular or illegal act; NCUA recognizes this would
require a substantially different level of audit than heretofore has
been required. The NCUA Board believes it is possible that those who
argued ``burden to small credit unions'' in this reporting aspect
misunderstood the intended reporting requirements in this instance, and
mistakenly magnified cost estimates accordingly.
G. Clarification on Access to Original Working Papers
The proposal clarified that NCUA has unconditional access to a
complete set of original working papers including all the existing
documentation relative to the audit. Such access would be either at the
offices of the credit union or at a mutually acceptable location.
Thirty-four commenters provide varying support for the clarification.
Sixteen commenters believe that unconditional NCUA access to original
working papers is not overly burdensome and intrusive. Six commenters
do not believe unconditional access to working papers will cause an
increase in administrative and other expenses. One commenter believes
that such access to original working papers will assist NCUA in its
exams and that the clarification makes good business sense. Five
commenters state that it is important to maintain the confidentiality
of the working papers. NCUA appreciates the auditor's concerns about
maintaining the confidentiality of working papers and will cooperate
reasonably with auditors to achieve this end.
Two commenters believe this section should be clarified to provide
that copies, certified copies or electronic formatted data are
``originals'' for the purpose of this section. Relevant to the most
recent audit completed and awaiting NCUA review, the Board rejects the
notion that ``copies, certified copies or electronic formatted data are
``originals'' for the purpose of this section.'' Subsequently, and for
purposes of meeting the three year working papers retention
expectation, accessible alternative electronic storage is acceptable.
One commenter, although supporting the proposal, believes this proposal
may increase credit union costs. NCUA does not believe this
clarification to the existing regulation will increase the costs to
credit unions. This requirement would simply be included in the
engagement letter as a clarified condition of engagement.
Three commenters state that the location for viewing the working
papers must be flexible because the credit union may be located some
distance from the office of the auditor. Two commenters believe that
the location for NCUA access should include the external auditor's
place of business. The ``mutually agreeable location'' alternative does
provide for the external auditor's place of business. One commenter
recommends that working papers should be made available only at the
auditor's place of business for the NCUA to copy or review. This the
Board finds too restrictive and continues to prefer ``or at a mutually
agreeable location.'' One commenter requests that the final regulation
clarify that the working papers be available, either at the auditor's
or credit union's office with adequate notice and under the auditor's
supervision. The proposal stated that working paper access could be at
the offices of the credit union or at a mutually agreeable location. A
``mutually agreeable location'' could be at the credit union, at the
auditor's place of business, or other location agreeable to the
auditor. NCUA staff will be instructed to be reasonable in their
negotiation of ``mutually agreeable location.'' One commenter would
also put in the regulation that such access would be at an agreed upon
time and an agreed upon location. The Board believes this to be the
normal business practice. This commenter also believes that notes could
be made but not copies. Several other commenters state that copies of
the working papers should not be permitted. The Board did not propose
and will not incorporate in the final regulation any requirement for
NCUA to photocopy the working papers.
Twenty-seven commenters oppose the clarification on working papers.
Twelve commenters stated that complete access to the original working
papers is overly
[[Page 41321]]
burdensome and intrusive. Such access exists under the current
regulation. Eight commenters believe unconditional access to working
papers will cause an increase in administrative and other expenses.
This should not be the case since: such access exists under the current
regulation and such access will be a condition of engagement. Several
commenters believe that the working papers are the property of the
compensated auditor and not the credit union unless the papers are
prepared by the supervisory committee. NCUA recognizes that the working
papers prepared by a compensated auditor are the property of the
compensated auditor. Several commenters were concerned with an examiner
copying the working papers and then having the examiner retire and
compete with the auditor using the auditor's program. Examiners are
prohibited from copying audit programs for their personal use.
One commenter believes that the supervisory committee should not be
held accountable for making sure that an independent auditor makes his
or her original working papers available to NCUA since that provision
is already included in the engagement letter and, as a practical
matter, there is not much the supervisory committee can do to enforce
that provision beyond the confines of the engagement letter. NCUA
disagrees; the supervisory committee can enforce its audit contract.
Several commenters believe that original working papers are the
property of the auditor. NCUA acknowledges this. One of these
commenters states that while the auditor can and must agree to make
those papers available, NCUA has no role in enforcing that requirement
against an independent auditor over whom it has no regulatory powers.
NCUA acknowledges that enforcement lies with the supervisory committee.
One commenter states that the proposal puts the credit union in a ``no-
win'' situation. If the auditor fails to cooperate with the supervisory
committee by not making the papers available, rejection of the audit is
a possibility, which may result in additional expenses for a new audit
or the NCUA may seek formal administration sanctions against the
supervisory committee. This is true, but presently, without this
provision, NCUA is ``brokering disputes'' between compensated auditors
and supervisory committees. An enforceable contract should remove both
NCUA and supervisory committees from the middle. With an enforceable
contract, there will be a clearly defined line of responsibility and
thus, a business pressure, if not the possibility of litigative
pressure, for the honoring of contract terms. If a compensated auditor
does not wish for NCUA to review his working papers, he should not
agree to be engaged by a credit union.
One commenter believes NCUA should specify a working paper
retention policy to clarify how long the working papers must be
available for review. The Board agrees that an auditor should not have
to retain his/her working papers indefinitely. Therefore, the Board has
amended the regulation to require retention of working papers by
compensated auditors for a minimum of three years from the date of the
written audit report. The audit working papers for the most recent
audit would need to be retained in paper form; subsequently,
alternative, accessible storage would be acceptable.
H. Enforcement Mechanism
The Board proposed an enforcement mechanism to ensure compliance
with this regulation by authorizing the regional director, as a first
step toward enforcement, to reject as deficient the supervisory
committee audit and the reports thereof. Two commenters support this
proposal. One commenter encourages the NCUA Board to ensure that all
regional offices use the same criteria for determining whether or not
to accept a supervisory committee audit (whether or not performed by a
compensated auditor). Two commenters oppose the proposal. One of these
commenters believes that only state credit union supervisory agencies
should initiate administrative sanctions against the supervisory
committee of a state chartered credit union. Furthermore, this
commenter notes that the proposed amendments bestow a great deal of
discretionary authority upon regional directors and suggests the Board
instruct regional directors not to reject audits which are flawed by
minor technicalities.
In the case of a federally-insured state chartered credit union,
the Board believes it is appropriate for the state regulator to first
attempt to resolve any problems concerning the supervisory committee
audit. The Regional Director will take action after the state regulator
has had a reasonable opportunity to reach a satisfactory result. The
Board will instruct its regional offices on the proper criteria in
determining whether to accept or reject a supervisory committee audit
to minimize differences among the regions and provide more consistency.
NCUA will not be rejecting supervisory committee audits for minor
technicalities.
I. Effective Date
Section 302 of the Riegle Community Development and Regulatory
Improvement Act of 1994 requires the federal regulators of banks and
savings associations to make all regulations that impose new
requirements take effect on the first date of the calendar quarter
following publication of the rule unless good reason exists for some
other effective date. Although NCUA is not formally subject to this
requirement, Letter to Credit Unions #158 stated that the requirements
would be beneficial to credit unions and that NCUA planned to implement
it whenever practicable. NCUA believes that delaying the effective date
to December 31, 1996 is necessary so that credit unions and individuals
conducting supervisory committee audits have sufficient time to
understand the regulation and determine what type of audit will best
serve their needs. Therefore, the regulation will be effective for
audits conducted for, and covering, the audit period ending on December
31, 1996, and thereafter.
J. Request for Comment on Whether Credit Unions Should Have an
Ongoing Internal Audit Function
The Board requested comment on whether it should mandate an
internal audit function and, if so, whether such a requirement should
be imposed on all or only some credit unions, and on what basis.
Seventeen commenters support mandating an internal audit function. Ten
commenters believe an audit function should be required based on some
combination of asset size and complexity of operations. Two commenters
believe it should be required for credit unions with assets in excess
of $100 million. Another commenter believes it should be required for
credit unions with assets over $150 million. Another commenter believes
asset size should be the basis for requiring an internal audit
function. One commenter believes the audit function should be based on
complexity of operations and not asset size.
Fifty-three commenters oppose requiring a credit union to have an
ongoing internal audit function. Thirty-three commenters believe the
decision to have an internal audit function should be made by credit
union management. Four commenters believe that many credit unions can
not afford an internal audit function. Two commenters believe the
internal audit function is costly and that the internal auditor may not
adequately scrutinize operations. Several commenters believe NCUA
should not require but instead
[[Page 41322]]
encourage large and complex credit unions to have an internal audit
function.
Three commenters believe that both compensated auditors and
internal auditors should be hired, report to and receive instructions
from the supervisory committee. They believe any other line of
reporting compromises the integrity of the communication. Sixteen
commenters believe it is not always feasible or desirable for the
auditor to report directly to the supervisory committee, especially if
the credit union is relatively large. Most of these commenters believe
that each credit union should decide to whom the auditor reports.
The Board is not requiring an internal audit function at this time
because it believes that the costs of mandating such a function for all
credit unions outweighs the perceived benefit. The Board, however,
continues to encourage credit unions to have an ongoing internal audit
function if management believes it would be helpful as well as
economically prudent. The Board also believes it is important to
minimize possible conflicts of interest when determining to whom the
internal auditor reports. Management should carefully consider whether
it is feasible for their credit union to have the compensated or
internal auditor report to the supervisory committee.
K. Relevance of SAS No. 75 to CPAs and Its Impact on Supervisory
Committee Audits
Effective May 1, 1996, the AICPA adopted SAS No. 75 which provides
in pertinent part:
b. The accountant and the specified users agree upon the procedures
performed or to be performed by the accountant.
c. The specified users take responsibility for the sufficiency of
the agreed-upon procedures for their purposes. (emphasis added)
In essence, SAS No. 75 requires the CPA to identify the ``specified
users'' of a ``report on agreed-upon procedures'' and, in advance of
such an engagement, to obtain an acknowledgment from all identified
specified users that the procedures the auditor will perform are
sufficient to satisfy the ``specified user's'' needs. There is no doubt
that a credit union's supervisory committee and its board of directors
are ``specified users'' because they will rely on the auditor's report.
However, some may contend that, in addition, NCUA itself is a
``specified user'' of each credit union's supervisory committee audit
report. This would put NCUA in the position of having to agree with the
CPA and each credit union as to the agreed-upon procedures the CPA will
use to ensure that each credit union's audit satisfies the requirements
of Sec. 701.12.
To expect NCUA to acknowledge the sufficiency of a set of
procedures in meeting this part prior to the credit union's engagement
of a CPA is both infeasible and would shift the responsibility for the
supervisory audit from the credit union's supervisory committee to
NCUA. The supervisory committee or its designated representative, not
NCUA, is uniquely able to ``attain an understanding of the internal
control environment, assess control risk, and based on the control
risk, determine the substantive testing (nature, extent, and timing)
necessary'' to comply with this section.
Many credit union supervisory committees hire a compensated auditor
because they do not have the expertise necessary to perform the
supervisory committee audit. Supervisory committees consisting
primarily of volunteers cannot be expected to acknowledge the
sufficiency of a set of agreed-upon procedures developed by accounting
professionals. In such cases, the supervisory committee would naturally
rely upon the assistance of a CPA to attain an understanding of the
internal control environment, assess control risk, and based on the
control risk, determine the substantive testing that is necessary.
Since 1985, NCUA's objective has been to place with the credit
union and its supervisory committee the responsibility for sufficiency
of audit procedures and testing. This approach was enunciated in the
preamble to the 1985 rule, as follows:
The supervisory committee must carry out its duties in a manner
responsive to each credit union's circumstances, i.e., the supervisory
committee must use good judgment in determining the scope, the
frequency, and the detail of the committee's activities. (Deregulation
efforts recognized that) * * * a credit union's audits and reviews must
reflect each credit union's business activities and financial and
operating condition. The committee's work requires judgment of each
credit union's needs based on an analysis of each institution's
strengths and weaknesses * * * Since the committee is responsible for
the audit, it should determine the scope of the work to be performed.
The scope of the work should be varied based on the nature of risk and
exposure for each transaction or account being audited within each
federal credit union. [50 CFR 8710, March 5, 1985] (emphasis added).
NCUA's approach is consistent with the approach of the auditing
profession today. In fact, SAS No. 75 is premised upon this same line
of reasoning, shifting this burden away from the independent accountant
to the specified user.
The issue created by AICPA's adoption of SAS No. 75 exists under
both the current, and this revised supervisory committee audit
regulation. Some compensated auditors suggest that SAS No. 75 limits
them to performing only opinion audits for credit unions. To the extent
that this claim is true, both the cause and the remedy for this
limitation resides with the accounting profession.
The NCUA Board continues to welcome the CPA practitioner in the
performance of supervisory committee audits as one of several favorable
options for credit union supervisory committees. It is the NCUA Board's
intent to allow credit unions a full range of options in whom they may
contract with to have their audit work performed. NCUA will continue to
work with the AICPA toward a practicable solution to this question to
enable CPA practitioners to perform non-opinion, supervisory committee
audits.
L. Comments Received on Regulatory Procedures
Regulatory Flexibility Act
The NCUA Board has certified that small credit unions (less than $1
million in assets) will not see a significant impact because of this
proposal. Fourteen commenters believe that NCUA's assessment of the
monetary costs of these changes is wrong. Two of these commenters
believe it will effect credit unions under $50 million in assets by
doubling the cost of the supervisory committee audit. Another commenter
states it will substantially increase the cost for small credit unions.
NCUA believes these burden estimates are based on a misunderstanding of
the proposed requirements as discussed above, especially in the areas
of scope of work and reporting.
In the final analysis, a cost of doing business as a credit union
or any other financial institution is the conduct of an audit to ensure
member confidence. The audit must be performed by persons with audit
skills commensurate with the complexities of the credit union. For
credit unions under $1 million who are already hiring a compensated
auditor to perform the supervisory committee audit, NCUA believes the
engagement letter requirement, the expanded scope requirement, and
``reducing to writing'' identified reportable conditions/errors
[[Page 41323]]
or irregularities may minimally increase costs. It is a normal business
practice for compensated auditors to obligate audit clients to sign
engagement letters and many of the affected credit unions are already
doing so. Merely ``reducing to writing'' identified and known
reportable conditions and/or errors and irregularities cannot be
significantly burdensome. The expanded scope requirements then require
examination.
Cost can be controlled or reduced by the credit union establishing
or strengthening its system of sound internal controls which serve to
contain control risk. Favorable control risk can mean the reduced
necessity for extensive substantive testing, thus, lower audit costs.
We estimate that approximately 64% of the credit unions under $1
million have supervisory committee audits which are performed by the
supervisory committee itself (not affected); receive opinion audits
(already meet expanded scope); or engage outside auditors who do not
meet the definition of ``compensated auditor'' (not affected). Thus,
few, if any, of these estimated credit unions will be significantly
affected by the expanded scope requirements of this section.
Paperwork Reduction Act
In the proposal the NCUA Board estimated that for most credit
unions the additional paperwork will require only one to three hours a
year of additional time. One commenter asks if NCUA has determined the
extra time needed for auditors to complete the additional reports
required by the proposed regulation. Another commenter believes the
paperwork requirements are much higher than stated in the proposal.
The additional paperwork burden to the credit union is only
relevant to credit unions hiring compensated auditors and lies
primarily in the engagement letter requirement and in ``reducing to
writing'' reportable conditions and/or errors and irregularities, if
any, NCUA did not include paperwork burden as to the compensated
auditor, simply additional paperwork burden as to the credit union.
NCUA continues to believe the paperwork burden to credit unions is in
line with original estimates.
M. Miscellaneous
One commenter requested that the final rule or its preamble
explicitly state that this rule does not apply to corporate credit
unions. Section 701.12 does not apply to corporate credit unions. One
commenter believes that the proposal unfairly singles out those credit
unions that are attempting to upgrade their operation by hiring an
independent auditor to do the annual supervisory committee audit. NCUA
encourages supervisory committes to avail themselves of the services of
compensated auditors when it is advisable and feasible to do so; this
regulation is in no way designed to discourage credit unions from doing
so. The Board is persuaded in all but the exceptional case, supervisory
committees will choose the auditor alternative which is best for its
credit union under the circumstances. Failing this, the Board is
confident that the annual examination process will identify those
credit unions in which evoking the FIRREA provisions of Sec. 701.13
will become necessary.
The Board is not issuing any changes to the current regulation
regarding the independence and verification of members' accounts but
they will be redesignated as Sec. 701.12(g) and (h), respectively. The
Board is adopting in final the one proposed change to Sec. 701.13 to
redesignate the current Sec. 701.12(e) as Sec. 701.12(h).
N. Regulatory Procedures
Regulatory Flexibility Act
The Regulatory Flexibility Act requires NCUA to prepare an analysis
to describe any significant economic impact a proposed regulation may
have on a substantial number of small credit unions (primarily those
under $1 million in assets). As noted above, NCUA determined in the
proposed rule that there was no significant economic impact on small
credit unions. Comments received are discussed above. Accordingly, the
NCUA Board determines and certifies that this final amendment does not
have a significant economic impact on a substantial number of small
credit unions and that a Regulatory Flexibility Analysis is not
required.
Paperwork Reduction Act
Comments received on paperwork collection requirements are
discussed above. The information collection requirements in the final
rule have been submitted to the Office of Management and Budget. The
control number assigned for this rule is 3133-0059, approved for use
through April 30, 1997.
Executive Order 12612
Executive Order 12612 requires NCUA to consider the effect of its
actions on state interests. The final amendments will not have a
substantial direct effect on the states, on the relationship between
the national government and the states, or on the distribution of
rights and responsibilities among the various levels of government.
List of Subjects in 12 CFR Part 701
Credit unions, Reporting and recordkeeping requirements.
By the National Credit Union Administration Board on July 24,
1996.
Becky Baker,
Secretary of the Board.
Accordingly, NCUA amends 12 CFR part 701 as follows:
PART 701--ORGANIZATION AND OPERATIONS OF FEDERAL CREDIT UNIONS
1. The authority citation for Part 701 continues to read as
follows:
Authority: 12 U.S.C. 1752(5), 1755, 1756, 1757, 1759, 1761a,
1761b, 1766, 1767, 1782, 1784, 1787, 1789, 1798 and Public Law 101-
73. Section 701.6 is also authorized by 31 U.S.C. 3717. Section
701.31 is also authorized by 15 U.S.C. 1601, et seq., 42 U.S.C. 1981
and 42 U.S.C. 3601-3610.
2. Sec. 701.12 is amended by redesignating paragraphs (d) and (e)
as paragraphs (g) and (h), by revising paragraphs (a) through (c), and
by adding new paragraphs (d) through (f) to read as follows:
Sec. 701.12 Supervisory committee audits and verifications.
(a) Definitions. As used in this chapter:
(1) Agreed-upon procedures engagement refers to the performance by
an independent, licensed certified public accountant of an engagement
in which the scope is limited to applying specified agreed-upon
procedures to one or more specified elements, accounts or items of a
financial statement. Such procedures are insufficient to express an
opinion regarding either the financial statements taken as a whole, or
the specified elements, accounts or items under examination.
(2) Compensated auditor refers to any accounting/auditing
professional, excluding credit union employees, who is compensated for
performing more than one compensated supervisory committee audit and/or
verification of members' accounts, or opinion audit, per calendar year.
(3) Financial statements refers to a presentation of financial
data, including accompanying notes, derived from accounting records of
the credit union, and intended to disclose a credit union's economic
resources or obligations at a appoint in time, or the changes therein
for a period of time, in conformity with GAAP or RAP, as
[[Page 41324]]
defined herein. Each of the following is considered to be a financial
statement: a balance sheet or statement of financial condition;
statement of income or statement of operations; statement of undivided
earnings; statement of cash flows; statement of changes in members'
equity; statement of assets and liabilities that does not include
members' equity accounts; statement of revenue and expenses; and
statement of cash receipts and disbursements.
(4) GAAP is an acronym for ``generally accepted accounting
principles'' which refers to the conventions, rules, and procedures
which define accepted accounting practice. GAAP includes both broad
general guidelines and detailed practices and procedures, provides a
standard by which to measure financial statement presentations, and
encompasses not only accounting principles and practices but also the
methods of applying them.
(5) GAAS is an acronym for ``generally accepted auditing
standards'' which refers to the standards approved and adopted by the
American Institute of Certified Public Accountants which apply when an
``independent, licensed certified public accountant'' audits financial
statements. Auditing standards differ from auditing procedures in that
``procedures'' address acts to be performed, whereas ``standards''
measure the quality of the performance of those acts and the objectives
to be achieved by use of the procedures undertaken. In addition,
auditing standards address the auditor's professional qualifications as
well as the judgment exercised in performing the audit and in preparing
the report of the audit. Copies of GAAS may be obtained from the AICPA,
Order Department, Harborside Financial Center, 201 Plaza Three, Jersey
City, NJ 07311-3881, telephone (800) TO-AICPA or (800) 862-4272.
(6) Independence and Independent means the impartiality necessary
for the reliability of the compensated auditor's findings. Independence
requires the exercise of fairness toward credit union officials,
members, creditors and others who may rely upon the supervisory
committee audit report.
(7) Internal controls refers to the process, established by the
credit union's board of directors, officers and employees, designed to
provide reasonable assurance of reliable financial reporting and
safeguarding of assets against unauthorized acquisition, use, or
disposition. A credit union's internal control structure consists of
five components: control environment; risk assessment; control
activities; information and communication; and monitoring. Reliable
financial reporting refers to preparation of financial statements that
``present fairly'' the financial position of the credit union and
results of its operations and its cash flows, in conformity with GAAP
or RAP, as defined herein. Internal control over safeguarding of assets
against unauthorized acquisition, use, or disposition refers to
prevention or timely detection of transactions involving such
unauthorized access, use, or disposition of assets which could result
in a loss that is material to the financial statements.
(8) Licensed, certified public accountant refers to an accounting/
auditing professional who has received a certificate and license from a
duly-appointed state licensing authority to practice accounting/
auditing, and is independent as defined herein.
(9) Opinion audit refers to an examination of the financial
statements performed by an independent, licensed, certified public
accountant in accordance with GAAS. The objective of an ``opinion
audit'' is to express an opinion as to whether those financial
statements of the credit union present fairly, in all material
respects, the financial position and the results of its operations and
its cash flows in conformity with GAAP or RAP, as defined herein.
(10) RAP is an acronym for ``regulatory accounting practices''
which refer to the conventions, rules, and procedures governing
accepted accounting practices, other than GAAP, for credit unions and
having the substantial support of either the NCUA or the applicable
state credit union supervisor.
(11) Related party transactions refers to transactions among or
between parties where one party controls or can significantly influence
the management or operating policies of the other so as to prevent the
other party from pursuing exclusively its own interests. Examples of
related parties include: executive management, board members,
supervisory committee members, credit committee members, and employees,
and their families. Examples of ``related party transactions'' include:
interest-free loans or loans at below market rates; sale of real estate
significantly below appraised value; nonmonetary exchange of property;
below market fees, and making of loans lacking scheduled terms for
repayment.
(12) Reportable conditions refers to a matter coming to the
attention of the independent, compensated auditor which, in his or her
judgment, represents a significant deficiency in the design or
operation of the internal control structure of the credit union, which
could adversely affect its ability to record, process, summarize, and
report financial data consistent with the representations of management
in the financial statements.
(13) Specified elements, accounts or items of a financial statement
refers to accounting information that is a part of, but significantly
less than, a financial statement. These may be directly identified in a
financial statement or notes thereto; or they may be derived from a
financial statement by analysis, aggregation, summarization, or
mathematical computation.
(14) Substantive testing refers to testing of details and
analytical procedures to detect material misstatements in the account
balance, transaction class, and disclosure components of financial
statements.
(15) Supervisory committee refers to a supervisory committee as
defined in Section 111(b) of the Federal Credit Union Act, 12 U.S.C.
1786(r). For some federally-insured state chartered credit unions, the
``audit committee'' designated by state statute or regulation is the
equivalent of a supervisory committee.
(16) Supervisory committee audit refers to an examination of
specified elements, accounts or items of the credit union's financial
statement to the full extent required in this part. An opinion audit as
defined herein exceeds the requirements of a ``supervisory committee
audit.''
(17) Working papers refers to the principal record, in any form, of
the work performed by the auditor and/or supervisory committee to
support its findings and/or conclusions concerning significant matters.
Examples include the written record of procedures applied, tests
performed, information obtained, and pertinent conclusions reached in
the engagement, proprietary audit programs, analyses, memoranda,
letters of confirmation and representation, abstracts of credit union
documents, reviewer's notes, if retained, and schedules or commentaries
prepared or obtained by the independent, compensated auditor.
(b) Supervisory committee responsibilities. (1) The supervisory
committee is responsible for ensuring that:
(i) The financial condition of the credit union is accurately and
fairly presented in the credit union's financial statements; and
(ii) The credit union's management practices and procedures are
sufficient to safeguard members' assets.
[[Page 41325]]
(2) To meet its responsibilities, the supervisory committee shall
determine whether:
(i) Internal controls are established and effectively maintained to
achieve the credit union's financial reporting objectives which must be
sufficient to satisfy the requirements of the supervisory committee
audit, verification of members' accounts and its additional
responsibilities;
(ii) The credit union's accounting records and financial reports
are promptly prepared and accurately reflect operations and results;
(iii) The relevant plans, policies, and control procedures
established by the board of directors are properly administered; and
(iv) Policies and control procedures are sufficient to safeguard
against error, carelessness, conflict of interest, self-dealing and
fraud.
(c) Supervisory committee audit. (1) A supervisory committee audit
of each Federal credit union shall occur at least once every calendar
year and shall cover the period elapsed since the last audit period.
The supervisory committee audit shall be performed by the supervisory
committee or its designated representative, as prescribed in paragraph
(c)(5) of this section.
(2) Standards for Performing Supervisory Committee Audit. The
supervisory committee audit procedures/testing must be performed in
accordance with the following standards:
(i) The audit is to be performed by a person or persons having
adequate technical training and proficiency as an auditor commensurate
with the level of sophistication and complexity of the credit union
under audit.
(ii) Reasonable care is to be exercised in the performance of the
audit and the preparation of the report.
(iii) The work is to be adequately planned and assistants, if any,
are to be properly supervised.
(iv) The person or persons performing the audit must attain a
sufficient understanding of the internal control structure to plan the
audit and to determine the nature, timing, and extent of tests to be
performed.
(v) The person or persons performing the audit must, through
inspection, observation, inquiry, and confirmation obtain sufficient
evidence to afford a reasonable basis for the financial statement
elements, accounts or items under audit.
(3) Scope of Supervisory Committee Audit. The scope of the
supervisory committee audit shall consist of:
(i) Attaining an understanding of the internal control structure;
(ii) Assessing the level of control risk; and
(iii) Based on the level of control risk, determining the nature,
timing, and extent of substantive testing necessary to confirm the
assertions made by management regarding each of assets, liabilities,
equity, income, and expenses for the following attributes:
(A) Existence or occurrence;
(B) Completeness;
(C) Valuation or allocation;
(D) Rights and obligations; and
(E) Presentation and disclosures.
(4) In addition to scope requirements set forth in paragraph (c)(3)
of this section, an audit performed by an independent, compensated
auditor which includes any of the following areas must, with respect to
audit scope but not with respect to reporting, satisfy GAAS for
expressing an opinion on the financial statements taken as a whole:
(i) Internal controls;
(ii) Cash;
(iii) Loans and interest thereon;
(iv) Investments and interest thereon;
(v) Shares and dividends and/or interest thereon;
(vi) Related party transactions; and
(vii) The reporting of identified errors and irregularities with
regard to each of the items in paragraphs (c)(4) (i) through (vi) of
this section.
(5)(i) The requirements of the annual supervisory committee audit
may be satisfied by one of the following:
(A) An opinion audit of the credit union's financial statements
performed by an independent, licensed, certified public accountant;
(B) An ``agreed-upon procedures engagement'' performed by an
independent, licensed, certified public accountant, which by itself or
in combination with procedures performed by the supervisory committee,
fulfills the required scope of the supervisory committee audit;
(C) A supervisory committee audit performed by an independent,
compensated auditor other than an independent, licensed, certified
public accountant which by itself or in combination with procedures
performed by the supervisory committee, fulfills the scope of a
supervisory committee audit; or
(D) A supervisory committee audit by the supervisory committee or
its designated, uncompensated representative.
(ii) In all cases, an independent, compensated auditor is required
to contract directly with the supervisory committee for the audit
engagement and to deliver its written reports directly to the
supervisory committee.
(iii) For a supervisory committee audit performed by the
supervisory committee or its designated, uncompensated representative,
the supervisory committee shall prepare a written report of the
supervisory committee audit.
(d) Engagement letter. (1) The engagement of an independent,
compensated auditor to perform all or a portion of the scope of a
supervisory committee audit shall be evidenced by an engagement letter.
The engagement letter shall be signed by the compensated auditor and
acknowledged therein by the supervisory committee prior to commencement
of a supervisory committee audit. The engagement letter shall:
(i) Specify the terms, conditions, and objectives of engagement;
(ii) Identify the basis of accounting to be used, e.g., GAAP or
RAP;
(iii) Include an appendix setting forth the procedures to be
performed (if not an opinion audit);
(iv) Specify the rate of, or total, compensation to be paid for the
audit;
(v) Provided that the audit shall, upon completion of the
engagement, deliver to the supervisory committee:
(A) A written report of the supervisory committee audit; and
(B) Notice in writing, either within the report or communicated
separately, of any internal control reportable conditions and/or
irregularities or illegal acts which come to the auditor's attention
during the normal course of the audit (i.e., no additional duty is
imposed nor additional written communications beyond (A) is required if
none of these is noted);
(vi) Specify a target date of delivery of the written reports;
(vii) Certify that NCUA staff or its designated representative will
be provided unconditional access to the complete set of original
working papers either at the credit union or at a mutually agreeable
location, for purposes of inspection; and
(viii) Acknowledge that working papers shall be retained for a
minimum of three years from the date of the written audit report.
(2) In the case of a supervisory committee audit engagement which
addresses all of the financial statement elements, accounts or items
and attributes prescribed in paragraphs (c)(3) and (c)(4) of this
section, the engagement letter shall certify that the contracted scope
of the audit satisfies the requirements of a complete supervisory
committee audit.
(3) In the case of a supervisory committee audit engagement which
excludes any financial statement elements, accounts or items and
attributes prescribed in paragraphs (c)(3)
[[Page 41326]]
and (c)(4) of this section, the engagement letter shall:
(i) Identify the elements, accounts or items and attributes
excluded from the audit;
(ii) State that, because of the exclusion(s), the resulting audit
will not, by itself, fulfill the scope of a supervisory committee
audit; and
(iii) Caution that the supervisory committee will remain
responsible for fulfilling the scope of a supervisory committee audit
with respect to the excluded elements, accounts or items and
attributes.
(e) Audit reports and working paper access. (1) Upon completion or
receipt of the written supervisory committee audit reports, the
supervisory committee shall provide the reports to the board of
directors. The supervisory committee shall ensure that the independent,
compensated audit and its reports comply with the terms of the
engagement letter prescribed in this section. The supervisory committee
shall, upon request, provide to the National Credit Union
Administration a copy of the written reports received from the auditor.
(2) The supervisory committee shall be responsible for preparing
and maintaining, or making available, a complete set of original
working papers supporting each supervisory committee audit. The
supervisory committee shall, upon request, provide NCUA staff
unconditional access to such working papers either at the offices of
the credit union or at a mutually agreeable location, for purposes of
inspecting such working papers.
(f) Sanctions. (1) Failure of a supervisory committee and/or its
independent compensated auditor to comply with the requirements of this
section, or the terms of an engagement letter required by this section,
is grounds for:
(i) The regional director to reject the supervisory committee
audit;
(ii) The regional director to impose the remedies available in
Sec. 701.13, provided any of the conditions specified in Sec. 701.13 is
present; and
(iii) The NCUA to seek formal administrative sanctions against the
supervisory committee and/or its independent, compensated auditor
pursuant to section 206(r) of the Federal Credit Union Act, 12 U.S.C.
1786(r).
(2) In the case of a federally-insured state chartered credit
union, NCUA shall provide the state regulator an opportunity to timely
impose a remedy satisfactory to NCUA before seeking to impose a
sanction permitted under (f)(1) of this section.
* * * * *
Sec. 701.13 [Amended]
3. Section 701.13 is amended in paragraph (a)(2) by revising
``Sec. 701.12(e)'' to read ``Sec. 701.12(h)''.
[FR Doc. 96-19511 Filed 8-7-96; 8:45 am]
BILLING CODE 7535-01-M