My business partner John and I spend a lot of time talking to Internal Auditors, noting trending topics and emerging issues. While The Audit Library is for auditors everywhere, the vast majority of our subscribers come from the Credit Union industry. For the past several months, one topic has come up more and more: COMPLIANCE!
Credit Union auditors are struggling right now. The industry has always been subject to intense regulatory pressures, which are only becoming more onerous. As not-for-profit institutions, Credit Unions often have limited resources to handle this burden. While some Credit Unions are able to support a compliance team, this is not always the case. Often, auditors are expected to step in and fill the gaps.
After hearing these concerns, we have responded in two ways. First, we keep a list of compliance experts on hand to send our clients in the right direction when they need to outsource or co-source this area. Second, we have created a lot of new content under the umbrella of compliance, all at the direct request of our subscribers.
This post is the first in a two-part series. Today, we’ll clearly define compliance audit work, break it down into components, and demystify this topic. In an upcoming post, we’ll dig deeper into the issues auditors face, and provide practical advice to appropriately fulfill the role of compliance auditor while avoiding potential conflicts.
A Compliance Audit: Defined
Before we go any further into this topic, we need to clearly define what a compliance audit is. A compliance audit is an assurance engagement performed because it is required by a rule, law, or regulation. Most of the time, the regulatory guidance you will be following comes from the United States government by way of the NCUA. State governments could regulate your Credit Union as well. Here are some examples of typical compliance audits at Credit Unions, with links to audit programs for our subscribers:
- Bank Secrecy Act, OFAC, & Member ID Program Compliance Audit
- Fair Lending Compliance Audit
- Regulation CC (Funds Availability) Compliance Audit
- Regulation G (S.A.F.E. Act) Compliance Audit
- Fair Credit Reporting Act Compliance Audit
- Truth in Savings Act Compliance Audit
This list is not all-inclusive, but it covers our greatest hits. Hopefully readers are at least familiar with the regulations and acts above. If you read the guidelines, you’ll see that our regulators impose audit requirements and time frames, which need to be built into your audit plan. For example, BSA, OFAC, & MIP audits must be performed every 18 months. A Fair Lending Compliance Audit, which incorporates the requirements of the Equal Credit Opportunity Act (Regulation B), the Fair Housing Act, and the Home Mortgage Disclosure Act (Regulation C), should be performed within each calendar year, according to the NCUA Fair Lending Guide.
Compliance audits can be performed in-house or outsourced. If you or your team will be performing these audits, include ample time in the budget. If you need a refresher, read our blog post about budgeting hours. Outsourcing is a great option, too. There are firms that keep up on all the requirements and employ experts to do this work for you. Figure out what you will outsource during the annual planning process, get the ball rolling on the RFP process, and include outsourced engagements in your monetary budget.
Sounds Like Compliance… But it’s Not!
There are many required assurance projects that seem like compliance at first glance, but don’t quite meet the definition I gave earlier. Credit Unions work with many official-sounding entities, that are actually private sector organizations, which also impose audit requirements on us.
One obvious example is the National Automated Clearinghouse Association (NACHA). If your Credit Union participates in the Automated Clearinghouse (ACH) network, and I’m sure y’all do, NACHA requires an annual audit. This audit is NACHA’s way of monitoring and self-policing the system. According to their website, “NACHA manages the development, administration, and governance of the ACH Network, the backbone of the electronic movement of money in the United States. It is funded by the financial institutions it governs.” Another example that’s common at Credit Unions is Instant Issue card programs, which may have annual audit requirements that vary by issuer.
These are powerful organizations, and your Credit Union probably couldn’t function without them. But, they aren’t the federal or state government. Include these projects in your audit plan as needed, but for the purposes of this post, kindly forget they exist!
The Basics of Performing a Compliance Audit
Now let’s assume you will be performing all your required compliance audits in-house. What work steps are taken, and how are these engagements performed? The first step is figuring out what needs to be done and creating your audit program. Compliance is an open book subject, but the book is… not very interesting! Often, the meat of the subject is hidden in legal jargon, making it extremely difficult to figure out what our regulatory overlords are even asking of us!
The good news is that The Audit Library has done most of the work for you! If you are a subscriber, here is the process used to create the programs you are currently using. I hope this makes you feel even better about your subscription, seeing how much work is involved! If you are not a subscriber, here is a process that you can follow to get a similar quality product to ours.
Step 1: Read the Regulation and NCUA Guidance
Start by giving the regulation a cursory review. Take notes, make a basic outline, and familiarize yourself with the regulation. Then, read the guidance from our regulators, the NCUA. Our government is required to publish this type of information, so all of NCUA’s examination guides are available on their website, and a simple Google search like “Fair Lending Audit Requirements Credit Union” will typically get you to the right place on the first page of results.
Step 2: Understand History and Context
After learning the basics, read articles or the Wikipedia page to try to understand why the regulation came to be. What problem in society was it trying to solve? Whether or not the regulation was effective, or whether the objectives agree with your personal views, is not the point. Having the perspective of “Why?” is really helpful here. It can give your work purpose and meaning, and engage you on a dry topic. Doing an audit because the government told you to isn’t motivating for many people, so putting in this effort can go a long way.
Step 3: Figure Out the Policy Requirements
Almost all regulations have a policy component, so your audit program must have a work step to address it. Figure out what these policy requirements are, and include them in your policy/procedure review step. A piece of advice from going through this process many times; don’t assume the regulation or guidance has a “policy” section. Often, little nuggets about policy requirements are peppered throughout the guides. Frustrating, I know!
Step 4: Figure Out the Disclosure Requirements
I can’t think of a regulation without disclosure requirements. You’ll need to look through public signage, website disclosures, pamphlets available in your branches, templates, and printed disclosures given to members for certain transactions and events. Include a work step to review the disclosures, and include any requirements from the regulatory guides. This work requires you to read and understand the disclosures, and to gauge whether or not the responsible staff understand them.
Step 5: Figure Out Testing Requirements
Sounds complicated, but it really isn’t. What does the regulation say the Credit Union must do? What documentation would prove pass/fail? What does the regulation forbid? How can the Credit Union prove they have not broken the rule? If you get stuck, ask a leader for guidance. Walk through a few examples with a trusted staff member. This is simple stuff that you do all the time, don’t overcomplicate it!
Step 6: Determine What Counts as Evidence
Determine what non-public information and documentation you need access to, and get it. You may need loan systems access, core processor access, or digital image access. You are probably used to using these systems already, if not, line up someone in the proper department to teach you the basics. Make sure you have read only access levels, and cannot post transactions or make changes.
Step 7: Test!
Now that you have a program to work off of, it’s time for some sampling and testing. This is the part of any compliance audit that is probably most familiar and comfortable. Start reviewing documents, looking for signatures, obtaining proof that members were provided with disclosures, etc. If you get stuck, go to your source and ask how they would prove something to NCUA.
Step 8: Report & Close Your Audit
As a final step, write up your exceptions, calculate pass/fail rates, meet with leadership, prepare your report, and close your workpapers just like any other audit.
Relax, You’ve Got This!
Auditors get nervous when faced with a monumental task like auditing compliance, especially if you’re like me and these aren’t your favorite kinds of projects. I want to encourage auditors to feel confident in their ability to meet this challenge. I knowThe Audit Library’s resources, and the information in this post, will give you a boost of confidence. You absolutely have the skill set to complete these projects efficiently and with the level of quality your Credit Unions have come to expect!
What compliance topics or projects do you struggle with? What documents would you like to see in the Library? Leave a comment! Make sure you are following our newsletter so you can catch our next post and find out where to draw the line between audit and compliance.