Resources

Internal Control Reporting Requirements for Credit Unions

Written by: Andrew Merlina

A major difference in reporting requirements between banks and credit unions is that credit unions are not mandated to have integrated audits conducted and we often get the question “why?” Simply put, credit union accounts are insured by the National Credit Union Administration (NCUA), while the Federal Deposit Insurance Corporation (FDIC) provides federal insurance for bank accounts. In an effort to bolster the banking environment, the FDIC passed the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), which includes an annual requirement for an audit of internal controls over financial reporting for banks with $1 billion or more in total assets.

On the other hand, credit unions are subject to an audit by the NCUA and/or external auditors with a greater focus on financial conditions under NCUA governance. NCUA governance does not require an audit of internal controls. It can be argued that the cooperative structure of a credit union lessens the need for strict oversight over internal controls due to their members’ personal stake in the institution’s financial health, but ensuring internal controls are designed and operating effectively further mitigates risks for credit unions.

Annual Reporting Requirements

Part 715 of Title 12 of the Code of Federal Regulations provides guidance on the annual reporting requirements for supervisory committee audits and verifications. The table below depicts the requirements based on the charter type and asset size:

Table 1 to § 715.4

In addition to the minimum audit requirements noted above, per part 715, supervisory committees must also acknowledge that “internal controls are established and effectively maintained to achieve the credit union’s financial reporting objectives which must be sufficient to satisfy the requirements of the supervisory committee audit, verification of members’ accounts, and its additional responsibilities.”

It is important to note that the regulations for corporate credit unions do mandate additional internal control over financial reporting requirements. The NCUA issued a notice to corporate credit unions, detailing changes to audit and reporting requirements, which became effective on January 1, 2012. The notice breaks down the changes under Section 704.15(a) of the NCUA’s Rules and Regulations, which added content regarding regulatory requirements (similar to those required of banks and other U.S. corporations in sections of the Sarbanes-Oxley Act of 2002).

As it pertains to internal controls, the notice requires corporate credit unions to include “an assessment by management of the effectiveness of the corporate’s internal control structure and procedures as of the end of the preceding calendar year.” The corporate credit union’s registered public accountant must vouch for the validity management’s report and evaluate their assessment.

Regardless of the audit requirements for internal controls, members’ credit union management are expected to maintain clear and concise documentation of internal control processes and procedures. Documentation should include, but is not limited to, control objectives, control activities, and monitoring mechanisms. Having a clear paper trail can make the process of evaluating control deficiencies smoother, as well as highlight areas at higher risk for potential deficiencies. Management’s report should provide reasonable assurance that internal controls are operating effectively, however, an opinion on the effectiveness of internal controls is not a requirement of the independent auditors (except as noted for corporate credit unions). So, are internal control risks truly alleviated by the alternate and unique structure of credit unions?

NCUA Guidance

The NCUA maintains ongoing communications with credit unions and their stakeholders to ensure the effectiveness of their regulation and supervision through direct contact and frequent updates to the agency’s website. Upon the enactment of the Sarbanes-Oxley Act of 2002, the NCUA strongly encouraged federal credit unions to consider its guidance, although regulations did not specifically apply to these institutions. Due to the fact this act only covers certain U.S and foreign corporations, the NCUA has established its own set of standards in supervising U.S. credit unions, providing alternative mechanisms for ensuring compliance and accountability.

For example, the NCUA is responsible for managing the National Credit Union Share Insurance Fund (NCUSIF). All federal and most state-chartered credit unions are covered by the insurance fund, which provides up to $250,000 in coverage for single owner accounts (as are FDIC insured accounts in other institutions). Credit unions rarely fault to the point where liquidation or closure is necessary and can mitigate the risk of financial difficulties due to regulatory oversight, and proactive risk management.

Additionally, the Federal Credit Union Act (FCUA) of 1934 is a federal law developed to set the basis for the organization and operation of credit unions. The FCUA originally appointed the NCUA to charter and regulate federal credit unions, although there are some limitations to their responsibilities. The operations that the NCUA is responsible for under the FCUA include accepting deposits, issuing loans, and offering several types of financial services to consumers.

Therefore, a credit union’s independent auditors must ensure compliance with internal control limitations, such as certain lending practices for safety and soundness to further emphasize the importance of internal control management. In addition, the FCUA grants the NCUA examination authority over federal credit unions. Therefore, the agency must conduct periodic audits to assess financial conditions, risk management practices, and the institution’s compliance with applicable laws and regulations.

Although the need for a formal audit over internal controls is not deemed necessary by the NCUA, credit union management is expected to have a strong understanding of their institution’s internal processes through formal documentation and internal evaluation.

If you have any further questions regarding internal controls, audit requirements, and the oversight of the NCUA over corporate credit unions, Wolf is here to help. Please reach out to a member of our team for more information.