The Audit Report

Inside This Issue:

• 11 for 2011: Hot Issues for Chief Auditors This Year

• Who’s On First: A Look at the Internal Audit Function Within Credit Unions

• Knock Knock: Is Your CU Safe from Social Engineering Attacks?

• Member Spotlight: Doug Wright

• Interview: Dennis Dollar

Volume 20, Issue 1, 2011


Volume 20, Issue 1 January 2011


Table of Contents

Featured Articles

• Cover Story: Interview: Dennis Dollar

• Who’s On First

• Chronicles In Employee Fraud

• Sometimes You Shouldn’t Answer the Knock at the Door!

• The Standards

Editorials

• In This Issue

• Chairman’s Message

ACUIA News

• Member Spotlight: Doug Wright

• What’s Happening in the Forum

• People Helping People

• Regional News

• ACUIA Member Application

The Audit Report is the official publication of the Association of Credit Union Internal Auditors, Inc. It is published four times a year in Alexandria, VA, as a benefit of membership and circulated free of charge to ACUIA members.

Executive Editor: Tabitha Ernst-Chadwick

Information appearing in this publication is obtained from sources we believe to be reliable. The information may not be a complete statement of all available data and is not guaranteed as such. Conclusions are based solely on editorial judgment and analysis of technical factors and credit union industry information sources. The Audit Report is copyrighted and portions may be reprinted with the permission of the ACUIA. The Audit Report is not responsible for the contents of its advertisements and advises all members to investigate claims before making any purchases.

Permission requests to reproduce written material should be sent to: 815 King Street, Suite 308, Alexandria, VA 22314, (703) 535-5757

© Copyright 2011, ACUIA. All rights reserved.


4 | www.acuia.org | The Audit Report

EDITORIALS

In This Issue

by Tabitha Ernst-Chadwick, CIA, LRP, CTGA, CUCE

Is it a new year already??? I am pretty sure I say this every year. But every year I think it flew by faster than the one before (is that because I’m getting old?).

Sam mentioned it in his article, but I also feel compelled to mention it in mine in relation to the magazine – transitions are always tough, and there are usually a few bumps. As many of you have noticed, there have been a few bumps with the transition to a new management company. We’ve been working hard to smooth out all of the bumps and now have everything moved over to the new company, and I anticipate that this year the magazine will be even better than before.

We have some new contributors in this issue, as well as some recurring favorites:

• An interview with former NCUA Chairman Dennis Dollar, about the credit union movement, past and present, and the role of internal audit in the credit union’s future;

• The importance of the internal audit function, by Bruce Jolly;

• Security awareness, by Tom Schauer; and

• Hot issues for internal auditors in the upcoming year, by Danny Goldberg.

Thank you to all of our contributors.

I’m pleased to report that over the years the enthusiasm for writing for the magazine has certainly increased. Vendors are enjoying the benefits of sharing their expertise with our members, and members are enjoying the benefits of being published in a professional magazine. We’ve had some fantastic submissions. And I think we broke a speed record with this issue. All feature slots were taken within 5 minutes of sending out the Call for Authors e-mail!! I really hope to keep that trend going throughout 2011, so if you are interested in submitting articles, even if you think it might be later in the year, be sure to let me know ASAP. If you aren’t on our Call for Authors list and want to be, let me know.

Thanks to everyone who submitted articles, ideas, comments, and suggestions in 2010. Please continue sharing your thoughts and ideas. I hope 2010 was your best year ever, and I hope that 2011 will be even better!!

2011 Board of Directors

• Chair: Samuel Capuano, CBA, CRP, CLRO, Sunmark FCU, (518) [email protected]: 2009-2011

• Vice Chair: Jill Chase, CIA, WSECU, (360) [email protected]: 2011-2013

• Treasurer: Barbara Franco, CPA, CIA, GECU, (915) [email protected]: 2011-2013

• Secretary: Dana McCranie, CBA, CUCE, Empower FCU, (315) [email protected]: 2010-2012

• Director: Linda Goff, CUCE, Enrichment FCU, (865) 482-0045 [email protected]: 2010-2012

• Director: Amy Schaefer, CUCE, Royal CU, (715) [email protected]: 2009-2011

• Director: Geoff Meyer, HVFCU, (845) [email protected]: 2010-2012

• Associate Director: Marnie Hardebeck, CUCE, Purdue EFCU, (765) [email protected]

• Associate Director: Kara Giano, CIA, CIDA, Golden 1 CU, (916) [email protected]

• Associate Director: Doug Wright, Baxter CU, (847) [email protected]

CHAIRMAN’S MESSAGE

Growing Pains

by Sam Capuano

In the last issue, I wrote about change. It’s no secret that change has been the theme for your Association during my two years as Chairman. The only constant, it seems, has been transition.

Some of this has been beyond our control, while some of it was a conscious decision by the Board of Directors. And, I don’t think it is a trade secret that the transition period has been a tough one. Believe me, if I had known in May of 2009 that we would have three different association management firms over a 15-month period, and two surprise resignations of Board members, I would have auctioned off the Chair position on eBay. And offered a decent honorarium for anyone who wanted the position.

One thing I always say in these Chair Messages is to contact me with any concerns and complaints you may have. Suffice it to say, that message was received loud and clear. I have heard from you in droves, either by email, telephone, or in person, as I spoke at a few Regional meetings last fall. My Board colleagues have heard it as well. While there have been some positives, there are an awful lot of you who have expressed some unhappiness.

The loudest complaints have been regarding the ACUIA website, so I just wanted to provide a bit of explanation. The reason the site was not working at first was basically the whole site had to be recreated when we switched firms to Bacino & Associates last summer. This was unexpected, and all things considered, the folks from Bacino did a great job with this. This doesn’t mean it wasn’t a huge inconvenience to you folks, though, and on behalf of the Board, I apologize.

The other website issue was the ListServ. The Board took a detailed review of what we were paying for this service, and made a decision to do away with it, in lieu of going back to the forum system we had used prior to this. The line item cost for ListServ was huge, and we felt that because we could still have a forum, this would be a reasonable cost to cut. While I still feel this was the right decision given the current economic climate, and since there was a viable substitute for ListServ, I regret not communicating this to membership at large in a better manner. We found out the hard way how much some of you relied on and liked the ListServ format, especially getting email updates of postings.

The good news is, most, if not all, of the website issues have been resolved. And it also looks as though we will be bringing back a ListServ-like system in the first quarter of 2011.

With all of this behind us then, it is finally time to look forward. As I expressed last issue, I am excited at what lies ahead for ACUIA. The 21st Annual Conference (June 14-17, 2011, so mark your calendars) in Austin, Texas is shaping up quite nicely. The folks from Bacino have some tremendous contacts within our industry, and this combined with the agenda Dana McCranie and her committee have been putting together will make for an outstanding lineup. Plus, Austin is an awesome city.

And the Board is hard at work with some positive member benefits, such as the all new Audit Guide. We are also very near having an active social networking presence, which should be a done deal by the time you read this.

2011 will mark not only my last year as an ACUIA Board member after many years, but also my last as Chairman. My promise to all of you is the year will be bigger and better than any prior one. Thanks for sticking with us; you won’t be sorry you did.

ACUIA Executive Office, 815 King Street, Suite 308, Alexandria, VA 22314, (703) [email protected]

“The Association of Credit Union Internal Auditors is committed to being the premier and quality provider of credit union internal audit resources.”

ON THE COVER

Interview: Dennis Dollar

Dennis Dollar is one of those individuals who needs no introduction -- especially when it involves credit union professionals. Dennis was nominated to the NCUA Board in 1997 and was designated as Chairman by President George W. Bush in 2001. During his time on the NCUA Board, credit unions experienced some of the most far-reaching legislative and regulatory changes in their history. As part of the NCUA Board, Mr. Dollar oversaw the making of all regulations for federal credit unions. In his capacity as NCUA Chairman, Mr. Dollar served as the Vice Chairman of the Federal Financial Institutions Examination Council (FFIEC), which is charged by Congress with the responsibility for coordinating the examination and supervision programs of the five federal financial regulatory agencies.

As a 22 year-old, Mr. Dollar was elected to the Mississippi House of Representatives where he served two terms. He won numerous awards for leadership on issues ranging from tax to education policies.

Immediately prior to being appointed to the NCUA Board, Mr. Dollar served as President/CEO of what is now Gulf Coast Community FCU. He won the Dora Maxwell Social Responsibility Award from CUNA and was a top five finalist for CEO of the Year by Credit Union Times. He has been inducted into the CUES Hall of Fame, was awarded the 2004 Ambassador Award from the World Council of Credit Unions, and has been honored by the National Credit Union Foundation.

The Audit Report was pleased to have the chance to sit down with former Chairman Dollar to discuss the important issues confronting credit unions and internal auditors.

Audit Report: Credit unions have taken their share of economic hits over the past year. On the whole, what is your impression of the credit union movement as we look at it today?

Dennis Dollar: “These are challenging times for credit unions, no doubt about it. But there are some real opportunities hidden in those challenges. Collaboration among cooperatives can bring about some real victories in these challenging times, expanding shared branching, building more innovative CUSOs, restructuring our checking accounts to become market leaders, managing bankruptcies more effectively…all of these can differentiate credit unions even in troubled times.”

AR: The corporate recapitalization was a significant financial loss for credit unions. What is the future of the corporate system? Will it survive in its current state?

DD: “I am convinced that there will be a corporate system in the future because of the reason corporates were created originally – credit unions need an industry outlet for services that we do not want to be forced to depend upon competitors to receive. Will it look exactly like corporates as we have come to know them? Certainly not with the new NCUA rules. But I believe we will see a corporate system with fewer corporates but more sustainable corporate credit unions long term. Remember that the same rules that saw conservatorships at five corporates also saw over twenty corporate credit unions remain viable enough to survive this crisis as potentially going concerns. Within those twenty-one surviving corporates, there were some like Corporate One and Volunteer Corporate whose members have not lost a penny in capital investment as of this date. The corporate model is changing, but it is far from dead. I believe we will see natural person credit unions re-investing as the corporates prove their business models will work under the new rules. It will be easier for the Corporate Ones and VolCorps that didn’t cost their members any capital, but I believe that most natural person credit unions will re-invest in corporates, despite the past two years of turmoil, because they would rather keep the bulk of their business inside the credit union system wherever they can – warts and all.”

AR: There has been a lot of talk about the increased role of credit union service organizations (CUSOs). Will CUSOs take the place of corporates? Can they soften the blow?

DD: “I happen to believe that CUSOs are an integral part of the future of credit unions, both as a source of innovative service offerings and future earnings. There could be a number of marketable CUSO offerings that will stem from the corporate upheaval, but I believe the greatest source of future CUSO activity is in credit unions offering services to each other through CUSOs – perhaps even services not currently offered through corporates, such as regulatory compliance support, trust services, and marketing support. I am very bullish on CUSOs and believe that, within the next five years, the growth of CUSOs will combine with the reduced number of credit unions through mergers and result in there being as many CUSOs as there are credit unions.”

AR: How has the role of the internal auditor changed during this time of financial upheaval?

DD: “The current regulatory and supervisory environment has turned the role of internal auditor from a luxury to a necessity at most credit unions. I believe that the internal audit function will only grow in importance in today’s credit unions. If I were to list the credit union management positions least likely to be cut during these challenging times, I would put internal audit at the top of the category considered ‘least likely’ to face the chopping block. The role of the internal auditor is destined to only grow in importance in an environment where over 70% of all credit unions are operating under some type of written administrative order from their regulator.”

AR: Is the internal audit function the same as when you ran a credit union?

DD: “The role of the internal auditor has grown with the regulatory and supervisory issues they deal with. I don’t think any credit union leader in the 1990s could have imagined the number of regulations he or she would be dealing with in 2011. I believe it has more than evolved – it has mass multiplied. While I believe there will eventually come a point where the regulatory pendulum must begin to swing back toward greater empowerment to avoid mass credit union failures or conversions to other charters, the question is when will this pendulum begin to swing? I do not see it swinging back in the next 18-24 months, so I believe the role of the internal auditor will only grow in 2011 and 2012.”

AR: Fee income opportunities have been limited over the past few years. How can credit unions offset some of their expenses with fee income? What opportunities still exist?

DD: “The most progressive credit unions are looking at ways to do what they already do better. For example, if interchange revenue and overdraft fees are going to be restricted by new regulation, credit unions are looking for ways to increase their checking account penetration in hopes of making up lost income through volume. Another example is through better bankruptcy management, which credit unions have never done as well as banks. Developing a strong private student lending program to replace the student loan business now taken over by the US government. CUSO development is another area that credit unions are looking at for non-interest income. There just are not a lot of new products to offer, so the challenge becomes finding ways to do the existing products better. However, as pointed out above, there are some opportunities in the ‘do it better’ arena.”

AR: The new NCUA proposed regulation regarding director knowledge has gotten a lot of attention. Do credit unions need more informed board members? Should they be compensated?

DD: “When I look at the challenges facing credit unions today, I see regulatory overreach as a greater cost to credit unions than a small handful of directors who need additional training. Is a continuing education requirement for directors worth considering? Certainly. Is it the biggest problem facing credit unions? Far from it. That having been said, I believe directors should look at this regulatory requirement and find a way to make it beneficial to them and not merely meeting a resented mandate. We at Dollar Associates are working to develop a director training module that will not only comply with the new rules, but which will help grow directors into even more valuable leaders of their credit unions through some very practical ‘how to’ information we have gathered through the years. While we don’t see the lack of director education as a major industry issue, it certainly will not hurt to see some innovative continuing education programs developed. There should be a longer period of time for compliance than six months however.”

AR: Where do you see the credit union movement in five years? Ten years?

DD: “In five years I believe credit unions will be coming out of the regulatory overkill brought about by the current financial crisis. That will be healthy, but it will require another five years before credit unions are hitting on all cylinders again. When credit unions are empowered rather than burdened with unnecessary

[Photo: Dennis Dollar at one of his many speaking engagements across the country.]

Cont’d on Pg. 22

Who’s On First

by Bruce Jolly, Esq.

The growth of an internal audit function within credit unions has brought a new level of professionalism to the industry. It has also surfaced tensions that ring true to the experience in the corporate and commercial banking world. Management is not always comfortable with the independence and boards don’t fully understand how to best use the information being made available.

The first question is always – where does the audit function report?

The marker was laid down in the Sarbanes-Oxley Act of 2002:

TITLE II—AUDITOR INDEPENDENCE

Sec. 204. Auditor reports to audit committees.

TITLE III—CORPORATE RESPONSIBILITY

Sec. 301. Public company audit committees.

Sec. 302. Corporate responsibility for financial reports.

Sec. 303. Improper influence on conduct of audits.

FEATURE ARTICLE

Certainly, a standard applicable to “public” companies cannot be applicable to volunteer boards of credit unions? Or can it and should it?

Without question, management, particularly in larger asset-sized credit unions, can and should use the internal audit function as a watchdog to identify problems and concerns and call them to the credit union’s attention before the issues reach the eyes of the external auditor or, worse, regulatory scrutiny.

NCUA’s recent regulatory proposal articulates the standards applicable to Federal credit union boards of directors (75 Federal Register 15574, March 29, 2010). To summarize the NCUA position, if adopted, the duty of each director is to “[C]arry out his or her duties as a director in good faith, in a manner such director reasonably believes to be in the best interests of the membership of the Federal credit union.” And, in keeping with the standards set out in the Sarbanes-Oxley Act, NCUA states “… While a Federal credit union board of directors may delegate the execution of operational functions to Federal credit union personnel, the ultimate responsibility of each Federal credit union’s board of directors for that Federal credit union’s management is non-delegable.” (75 FR p. 15587). Having grappled with these issues in the Nationwide FCU merger and other more contentious settings, the standard and direction of the proposal seem both an accurate statement of the law and solid guidance in structuring the role of the internal audit function. NCUA, without directing the result to the question – “internal audit works for and reports to” – makes clear that the Board is to: Understand the Federal credit union’s balance sheet and income statement and, ask, as appropriate, substantive questions of management and the internal and external auditors….

What’s an Audit Committee?

The Act answers that question clearly:

(3) AUDIT COMMITTEE.—The term “audit committee” means—

(A) a committee (or equivalent body) established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer; and

(B) if no such committee exists with respect to an issuer, the entire board of directors of the issuer.

The tension is real. To which body does the internal auditor owe its loyalty? Management, which is usually responsible for hiring and coordinating the internal audit functions, or the Board, which is ultimately responsible when things don’t go well? A number of decisions can illustrate the answer in most organizations. For example, who hires and fires the internal auditor? Who sets the budget? How are decisions made on which aspect of operations internal audit is to examine and the scope of the review? And, who gets the reports first?

How are these questions answered in your credit union?

The assumption is that as credit unions, both state and federally-chartered, grow in size and complexity, the internal audit function will follow the path laid out in Sarbanes-Oxley for public companies. In the meantime, there is a solid role for the internal audit function that can be played out in every credit union – watching to make sure the critical decisions and information about those decisions are not discussed only by those that are executing them.

Bruce Jolly, Esq. is an attorney for Reed & Jolly PLLC located in Fairfax, VA.

11 for 2011: Hot Issues for Chief Auditors

by Danny M. Goldberg

As the dynamics of corporate governance continue to change, the role of internal audit must also evolve. Chief Auditors need to be on top of hot issues for the coming year; outlined below are 11 hot issues for 2011 (in no specific order).

Continuous Risk Assessment

Common auditor guidance states that audit risk should be assessed at least annually. On the other hand, auditing methodology should evolve directly alongside changing economics. That being said, assessing risk annually is an antiquated view. Considering the instability of the market and of business, risk should be assessed continuously or as risk factors change or information arises. Audit committee members should feel more comfortable with this approach and be able to adjust work plans accordingly.

Renewed Focus on Operational Auditing

Regardless of economists’ statements that we came out of the recession in mid-2009, many companies and individuals are still struggling, and unemployment rates remain high. However, we definitely see signs of an improving economy. As the economy strengthens, auditors should focus on operational auditing to improve efficiency and effectiveness throughout the organization. Obviously, as internal auditors, we have obligations in regards to compliance and cannot accept roles that impair our independence, but ultimately we want our management to view us as a revenue generator and not an overhead cost. How does audit generate revenue? By decreasing costs.

Watching for the Mass Exodus

In many organizations, the Survivor employees can become very bitter about their current state. After a reduction in force, employees who are not released (Survivor) tend to fear for their livelihood and not add the value they were hired to add. Many major workforce surveys have shown that there could be significant turnover as the job market opens up. Chief Auditors should analyze current staffing levels and have a contingency plan to address changes in personnel over the next 12-24 months.

The Rise of Audit Flex Time

As noted above, in order to have a flexible risk assessment process, you must have a flexible audit plan. Historically, most audit shops budget for 10-20% of flex time, which is general audit time that could be spent on a wide array of projects based on how the rest of the plan falls out. Chief auditors should build more flex time (25-30%) into the schedule in order to implement a continuous risk assessment.

Renewed Focus on Professional Development

Over the past three years, many companies have cut back on expenses significantly. What are the first expenses to be cut during down economic times? Travel and professional development (PD). PD is, in all actuality, the last expense that should be cut back on at this time. With the changing dynamics of the economy and the workforce, companies should focus on continuing to develop their employees.

Involvement in ERM

Enterprise Risk Management (ERM) has become very much in vogue over the past 5-10 years as companies begin to understand significant risks and focus on mitigating them. This movement was spearheaded by the numerous corporate failings of the first decade of this century, which also pushed the Sarbanes-Oxley Act of 2002 through as a regulation. As the economy turned for the worse, ERM implementations fell off significantly. If it was not required, it was not done. Now, as we begin to rise up from the harsh economic times, ERM will continue its ascent of the corporate importance ladder for two reasons. First, it makes sense that companies should make this effort and compile their risks based on likelihood and significance. Second, company management will feel it necessary to implement an ERM to assure constituents that all risks have been assessed and are actively being managed. How does this affect internal audit? Hypothetically, the ERM should feed a significant portion of the audit risk assessment. Auditors should attempt to take an active role in the ERM process, as it will provide significant value to the organization. Per the Institute of Internal Auditors (“The Role of Internal Audit in ERM”), internal audit can:

• Provide assurance on Risk Management processes and that risks are correctly evaluated

• Evaluate the Risk Management process and report on key risks

• Review the management of key risks

If internal audit provides the following, certain safeguards are necessary:

• Facilitate identification and evaluation of risks

• Coach management in response to risks

• Coordinate ERM activities

• Consolidate the reporting on risks

• Maintain and develop the ERM framework

• Champion establishment of ERM

• Develop risk management strategy for board approval

On the other hand, internal audit should not perform in the following roles:

• Setting the Risk Appetite

• Imposing risk management processes

• Managing assurance on risks

• Making decisions on risk responses

• Implementing risk responses on management’s behalf

• Accountability for risk management

Continuous Auditing/Monitoring

Continuous auditing and monitoring (CA/CM) have been talked about for years as the next big thing. In the next five years, these talks will prove accurate. CA/CM will finally be embraced by many audit shops and, more importantly, IT shops to assist in streamlining the audit process and increasing its efficiency and effectiveness. Even those departments that have CA/CM products have not fully utilized and integrated these features into their organization, instead using them to pull samples or for monthly reports. CA/CM is much like conducting operational auditing; if our goal with operational auditing is to make processes better, should our goal not be the same internally?

Reassessing Skills and Needs

As the dynamics and roles of internal audit continue to evolve, chief auditors should continue to reassess skills and current needs. Having a diverse skill set available in your department is very important and assessing the needs and attrition that will occur in the coming years will keep you ahead of the curve.

Changing Regulatory Landscape

Convergence to the International Financial Reporting Standards (IFRS) is happening as we speak. With FASB converging GAAP standards with IFRS, IFRS is not 5-7 years away; it is happening now. Significant changes in lease and inventory accounting, to name a few, are occurring as we speak. Regardless of an entity’s public or private status, all companies will be eventually affected by the changing standards, sooner rather than later. Additionally, there is the possibility for significant cost and complexity associated with changes in lending regulations including CARD Act (law and related regulations surrounding credit cards). Finally, there is the significant uncertainty and future regulatory impact associated with mortgage, consumer protection, and interchange regulations coming out of Frank-Dodd Financial Reform Act.

In these uncertain economic and political times, the regulatory landscape continues to morph. As CAEs, we must stay abreast of these changes and understand how they affect our organization.

Cont’d on Pg. 22

About Danny M. Goldberg: GRC Practice Partner, SOFT GRC - Advice from Colleagues Not Consultants, 15305 Dallas Parkway, Suite 300, Addison, Texas 75001. 972.715.2039 – Main Phone; 972.715.2099 – Main Fax; 214.514.8883 - [email protected]

Sometimes You Shouldn’t Answer the Knock at the Door!

by Tom Schauer, CISA, CISSP, CISM, CRISC, GCIH, CTGA

Credit Union employees are trained to focus on member service. One possible differentiator of credit unions over their bank counterparts is a keen focus on individual service and community involvement. But these very traits can make a credit union more susceptible to an attack method named “social engineering.” Social engineering is a form of hacking that relies on influencing, deceiving, or psychologically manipulating unwitting people to comply with a request.

A while back a credit union hired our firm, TrustCC, to test its security efforts through social engineering. This particular credit union had a server in each branch and the servers recorded financial transactions throughout the day. The credit union asked us to try and trick employees into giving us access to the sensitive transaction data.

We devised a scheme to try and trick employees into giving us the backup tape used to back up the financial data on a nightly basis. We selected five branches to visit. Armed with a blank tape, we visited each branch claiming to be a consultant to IT who had been hired to test the branch backup tapes to ensure the credit union could recover from the tapes. We offered to exchange our blank tape for the previous night’s backup that we’d “take back to the main branch to ensure the backup is recording correctly.”

In a perfect world the credit union’s personnel would have verified our identification and contacted known IT personnel to verify our authorization to obtain the tape.

This particular testing method is called “site visit social engineering.” Other forms include email phishing, dumpster diving, and pre-text calling. Email phishing generally involves an invitation to click on a link to visit a website and enter to win a prize. Dumpster diving involves searching through discarded materials in an attempt to find sensitive information or searching through offices after-hours to see if materials are not properly safeguarded. And pre-text calling involves scripted calls to personnel in an effort to get them to divulge useful information.

The Gramm-Leach-Bliley Act (GLBA) requires that credit unions regularly test the key controls deployed to protect sensitive member information. Social engineering tests the effectiveness of administrative policies/procedures and security awareness training.

Before learning how the credit union in our example fared, you should ask yourself a few questions.... What would your personnel do if asked to provide access to data by someone who claimed to be from your IT department? Your employees are trained to give service with a smile; but do they also know never to trust the identity of someone they have never met, especially those requesting access to sensitive information or asking questions that could lead to unauthorized access? Does your team understand that the value of information is often as great as or greater than the value of cash that the information represents? What would happen if sensitive personal or corporate information from your organization got into the wrong hands? Do you think members would be happy to find that their information was handed over to someone your institution blindly thought could be trusted?

Back to our story…. Four of the five branches gave us the backup tape we sought. That’s an 80% success (or failure) rate! The tapes provided us with account data, transactions from the past seven days, routine and confidential documents, and much more sensitive information.

What does an institution do to recover from such an enormous data intrusion? There is little reactive response to mitigate a breach like this. Therefore it is critically important to prevent data breaches.

The credit union sought to greatly improve security awareness and developed a one hour security training course with mandatory attendance for all current and new personnel including contractors and vendors.

The session was conducted using the training staff from the financial institution and was fully integrated into the institution’s new hire training program. The total cost of designing and performing the training was around $1,000 for our assistance, plus the costs associated with reproducing training materials and time related to sending trainers to visit each location. In comparison to the cost of a breach and the loss of reputation associated with a breach, the cost of training was exceptionally affordable.

The training curriculum included:

• Strong articulation on the value of information in all forms including electronic, written and spoken,

• Procedures to verify the identity of any site visitor or telephone caller asking for specific data,

• Procedures for reporting similar incidents to the appropriate security team,

• Procedures for identifying and logging visitors attempting to gain access to secure areas, and

• A mindset of being cautious and wary of people lurking around, attempting to “shoulder surf” or steal your login credentials.

After the new training was completed, social engineering testing was re-performed at four additional branches that had not been previously tested. Of the four branches tested we were successful at one, representing a 25% success/failure rate. The hour of security awareness training clearly achieved its objective (yet also demonstrated that an organization cannot rely upon the absolute effectiveness of any one control)!

Every financial institution should have a security awareness program that is continuously refreshed in the minds of all personnel, for as time goes by people will let their guard down and fail to remain watchful for intruders. In addition, as new personnel join your team they might not understand the consequences that a breach may incur or may not know how easy it is to get past a trusting teller. And regular social engineering testing should be performed in order to evaluate the effectiveness of your security awareness training efforts.

The safety of your sensitive data is as strong as the weakest link in your organization.

There isn’t a better time to start your security awareness training program than now. And of all the efforts you could undertake to improve your security, security awareness training will be one of the most affordable and one of the most effective.

A typical security awareness training program may include classroom training, online training, brochures, posters, and some credit unions even host a “security awareness” week featuring effective yet funny training movies and give-a-ways. Larger financial institutions should consider targeted training for specific groups including managers, IT personnel, compliance, and audit.

Notably, some credit unions also have security awareness training for their members. This is an excellent service for a credit union to provide.

In 2006 Microsoft published an excellent paper on “How to Protect Insiders from Social Engineering Threats” and this paper remains an excellent resource for the development of a security awareness training program. Find it at:

http://www.microsoft.com/downloads/en/details.aspx?familyid=05033e55-aa96-4d49-8f57-c47664107938&displaylang=en

Is security awareness training a beast you’re not sure you can tame? TrustCC is an excellent resource for all the materials needed to perform effective security awareness training including posters, handouts, and a multitude of video presentations. We offer these materials for no fee and charge only our cost for the production and distribution of materials. Please email us at [email protected] for more information.

About Tom Schauer, CISA, CISSP, CISM, CRISC, GCIH, CTGA

Tom has been practicing in IT security, audit and compliance for over 24 years. He started his career as an information security analyst at a $3.5B bank. Tom later developed and led IT audit and security practices for Ernst and Young and Deloitte. In 2000, Tom recognized that community size banks and credit unions were under-served by existing consultancies so he started TrustCC to specifically address this un-met need. For the last ten years, TrustCC has performed hundreds of IT audits and security vulnerability and penetration testing for credit unions and banks throughout the United States. From 2003 to 2007, Tom and his team performed IT exams at approximately 85 Washington State Credit Unions. A perfect trifecta, having experience 1) as a security professional within a financial institution, 2) as an examiner of IT compliance for a regulatory agency, and 3) as a consultant providing IT audits and security assessments, Tom brings a rare set of experiences and expertise to any team.

Tom is a frequent speaker at numerous national and international conferences including those hosted by the IIA, AICPA, ISSA, NASCUS, CMA, ACUIA, ISACA, OTS and NCUA.

The Standards: Resource Management

By Pat Richey, CFE, NCCO, CTGA

The International Standards for the Professional Practice of Internal Auditing includes Standard 2030 - Resource Management. A credit union internal audit department must ensure that it has the resources to complete the audit plan. There’s no point in developing an ambitious audit plan if the audit department doesn’t have the resources needed to complete the plan.

I suppose a credit union internal auditor could develop an audit plan and then obtain the resources needed to complete the plan, but whoever heard of that! It is more likely that the auditor will be told “These are the resources you have and you need to develop an audit plan based on those resources.”

Standard 2030 says that the resources must be “appropriate, sufficient and effectively deployed to achieve the audit plan.” Appropriate and sufficient is a quality and quantity issue. In the case of human resources, are there enough internal auditors and do the internal auditors collectively possess the knowledge and skills necessary for a quality work product?


Effective deployment is maximizing what resources you have for the greatest efficiency and effectiveness in discharging the responsibilities outlined in the Internal Audit Charter.

Internal Audit Department Size

Every credit union internal audit department is understaffed when the magnitude of the audit universe is considered. All internal auditors would like to increase the size of the audit function; audit department size is a frequent topic on the ACUIA Listserve/Forum. I think the best way to justify increasing staff is to provide the decision-makers (Board, audit committee and/or management) with the audit universe and point out what is NOT getting audited because there are insufficient resources.

However, Internal Audit is a cost-center and therefore it can be hard to justify increasing credit union expenses. I feel very fortunate that there are two people in my audit department (myself and a Staff Auditor). I don’t know how a one-person audit department gets anything done.

We increased from one auditor to two full-fledged auditors very gradually, so there was never a significant budget impact from one year to the next. We started with a full-time internal auditor and a 20-hour a week “internal audit assistant” which was a salary grade 4 - just one salary grade level above a teller. Then the next year the part-time position went to 30 hours, and then the next year the position went full-time. Then we slowly started adding responsibilities which required increasing the grade level until we got to a grade level that required an associate’s degree. Then we continued to increase responsibilities until the position required a bachelor’s degree, and now that salary grade 4 internal audit assistant position is a salary grade 11 staff auditor.

Increasing Resources

One way to increase resources is to engage service providers to perform some audits (e.g. BSA, ACH). For guidance on using outside service providers see Practice Advisory 1210.A1-1 Obtaining Services to Support or Complement the Internal Audit Activity. I wrote about outsourcing in The Audit Report 2007 Issue 3, so I won’t cover that material again. Also, I am not an expert on engaging service providers as the only audit I outsource is IT vulnerability assessments and penetration testing. I know of one credit union that engages a retired credit union internal auditor to perform audits. Also, some audit departments use credit union managers to augment their resources such as using a branch manager from one branch on the audit team to conduct an audit at a 2nd branch.

Financial Support

Professional Proficiency

Resources include more than the human resources issues of salary and benefit expense. The credit union must support internal audit with funds for continuing professional proficiency such as training, professional association dues, and certifications. Also, internal audit has to wisely manage those resources.


Many credit union internal audit departments have had their training dollars slashed as credit unions try to rein in expenses. So far, my training budget has not been cut. My staff auditor and I each get one conference. However, internal audit has voluntarily been cutting back on expenses so that we can do our part in reducing expenses. I used to budget for 8 webinars a year but in 2011 we are only budgeting for 2. However, management is always registering for webinars and the great thing about webinars is that anyone can attend, so internal audit will go to management sponsored webinars. Also, more and more we are finding free webinars of which we take advantage. My staff auditor is a licensed attorney and the credit union allows her to use the credit union’s tuition reimbursement program for her required continuing legal education credits.

Space and Equipment

Of course, the credit union has to provide space, furniture, equipment and supplies for the audit department. Fortunately, when my credit union renovated and started going to cubicles for everyone, Internal Audit was given a very large office which my staff auditor and I share, with windows along the length. Back in the old days when I started at the credit union, we had 1 computer for the two of us. Now, we each have a computer with 2 monitors!

Software

One way to become more efficient and effective is to use audit software. However, according to an article in the IIA Internal Auditor, some audit departments seem unwilling or unable to invest in such software. So far I have not asked the credit union to invest in audit software, not because I am unwilling or unable, but strictly from a budget standpoint. However, according to the Internal Auditor article, internal auditors can justify software expenses by examining the number of work hours audit staff could save, how that time could benefit audit activities, cost savings, and the number of additional audits from which the credit union could benefit. The article concludes that audit software investment might be a tough case to make in this economy but better software use could help ease the pain.

Deploying Resources

One of the roadblocks to deploying resources is all the unanticipated items that internal audit needs to address that are not on the audit schedule, such as internal fraud investigations, or being asked to consult on a project. The way I plan for unanticipated activities is that my staff auditor follows the audit schedule with no deviations and I handle all the unanticipated activities. For audit planning purposes, we only schedule the number of audits that the staff auditor can handle. I only schedule one or two audits for myself and then handle all the unanticipated activities/audits. If I have time available I help out on the scheduled audits. In this way we always complete our audit schedule because we don’t over-schedule.

Staff Development

Of course, like in any other discipline, resource management includes developing staff. Internal auditors should consider succession planning, communication, and other typical human resource activities. I have always developed my staff auditors to do a very broad range of audit activities, which I usually refer to as résumé building. Also, I develop my staff auditors to be able to replace me in my absence. In that regard I share all my knowledge with the staff auditor to ensure the staff auditor is up-to-date on all issues. During the performance evaluation process, the staff auditor communicates her training needs to keep up with ever changing conditions.

Communicating Needs

The credit union internal auditor needs an open line of communication with the Supervisory/Audit Committee and appropriate management about resource needs. As part of the audit planning process, ask senior management for their audit priorities, and if you can’t meet those priorities, let them know why. Also, be sure to communicate how effectively internal audit is managing the resources it does have. Credit union internal auditors should be sharing with the Audit/Supervisory Committee how it is performing compared to the audit plan. At each monthly Supervisory Committee meeting I give the Committee the list of planned activities for the month and at the next monthly meeting I share how we did compared to plan. If something was not completed as planned, I tell the committee why. At the end of the year we look at the plan as a whole and what got accomplished.

Conclusion

Internal audit resources need to be adequate to get a broad coverage of areas and to be able to look at some areas with a deep scope. Lack of resources could result in a narrow scope of activities with the internal auditor just skimming the top. Consider your audit universe and communicate with management and the audit committee the lack of coverage in significant areas.


Member Spotlight by Tabitha Ernst-Chadwick

Our spotlight this issue is Doug Wright, the newest ACUIA associate board member. Doug is the VP of Audit and Compliance at Baxter Credit Union, headquartered in Vernon Hills, IL.

Tell us about yourself Doug. Let’s start with the fun stuff. What do you do in your spare time? What spare time? (just kidding). I spend a lot of time working out (running when my knee allows it), golfing, boating, and this time of year, snowboarding.

Ok, how about professionally? Tell us about your background and your education. I have a BS in Accounting from Indiana University. Except for one year when I was a Financial Reporting Manager for a company that was being sold, I have spent my entire career as either an external or internal auditor. I previously have worked in the Public Accounting, Banking, Life & Health, and Property Casualty Insurance fields.

What about professional certifications? Which certifications have you received, and how have they enhanced your knowledge and/or career? CPA, CFE, CUCE. They have helped my career in several ways. Besides the knowledge and ongoing professional education, these certifications help establish a certain amount of credibility when dealing with management.

How did you initially become involved in auditing? When I was still a freshman in college, my Dad (who was an accountant) convinced me to study accounting after I had switched my major for the 3rd time. The year I graduated, the job market was not very good, and the public accounting firms were the only companies hiring accountants. I managed to land a job with a “big 8” firm, found that I liked auditing, and have stayed with it ever since.

Is there anything you know now that you wish you would have known coming into the industry? How many hats a credit union internal auditor has to wear. When I interviewed for my current job, the job description basically was all internal audit related activities, with one sentence stating “and compliance related activities as needed.” Today, I only spend about a quarter of my time doing Internal Audit related work!

What have you found to be the most useful tools in streamlining audit processes, enhancing efficiencies, and making audit a value-added service? Access to data to run queries to support our audit testing. We just use Microsoft Access to query a SQL database, but have found it to be a very powerful tool.

Over the years you’ve been involved in auditing, how has the industry changed? Technology is the key thing. Not to date myself, but when I started my career, the public accounting firm I worked for was just rolling out “mobile computers” (not laptops!) to take to client locations. These were the Compact Computers that were the size of a large suitcase, had a little 2 by 3 inch black and white screen, used floppy disks, and had a whopping 256K of RAM. I laugh at this memory when I consider how much power the laptops we use today have by comparison.

Fun Facts About Doug

• Favorite sports teams: Chicago Cubs (I know, 102 years and counting)

• Most hated sports teams: The St. Louis Cardinals of course!

• Favorite food: Chile rellenos

• Favorite vacation destination: Vail, CO

• Favorite run at Vail: The Star in Blue Sky Basin

• What most people don’t know about me: I am a cable network news junkie, CNN, Fox, MSNBC, bring it on!

What are the major challenges you feel the industry faces today and how can internal auditors overcome those challenges? Like everyone else, we are increasingly asked to do more with the same or fewer resources. Specifically at my CU, some of the back office functions are struggling to keep up with what I like to refer to as basic “blocking and tackling” as they are also expected to complete projects and other member service initiatives. As auditors, we need to be cognizant of this, and when we do our audits, we need to look for process efficiency opportunities and help these areas understand and manage their primary risks. So besides the usual testing of controls, we also need to think of ourselves as process consultants to our internal clients.

What advice would you give to a new auditor just entering the field? I have managed a lot of new auditors over my career, and I would say the number one issue I have noticed for the majority of them is that they tend to lack professional skepticism. They tend to accept explanations without actually looking for collaborating evidence. It usually takes some time for them to learn the “trust, but verify” approach. On the other hand, I have also had one or two new auditors on the other extreme. One guy was so bad, he would not accept any management explanations and would spend an inordinate amount of time validating very minor, no-risk details.

What types of background/experience do you look for in your staff auditors to make a well-rounded department? I tend to follow the Public Accounting model and try to hire Accounting or Finance majors. Basically, I look for smart people who are inquisitive, and have good communication and technical skills. The experience factor is more relevant to the level of position being filled.

What about your ACUIA experiences? How long have you been a member? I joined the same year I started working at Baxter Credit Union in 2003.

What ACUIA membership benefits do you find most rewarding? The networking opportunities and the resources on the web site.

What volunteer opportunities have you embraced in the organization and how has that enhanced your membership? The Associate Board Member gig is the first, so let’s see how it goes.

Thanks Doug! It was great getting to know you!

Interview With Dennis Dollar, cont’d from page 9

regulation, I think you’ll see the earnings growth and expansion of services that we saw during the RegFlex era of 2001-2007 even more robust in the 2014-2020 timeframe. Until then, credit unions are going to face a challenge with expanded regulation and stifled innovation. The only thing that can change that is a more reasoned and balanced regulatory approach, something that will happen but perhaps not until the current economy gets back on track in the 2012-2013 timeframe.”

AR: What are the biggest obstacles facing credit unions over that same time period?

DD: “Income generation is the biggest need of credit unions in this period of heavy regulatory burden impacting historically steady income sources coupled with the increased costs of insurance assessments. A credit union cannot meet its mission if it has no margin.”

AR: Are you bullish or bearish on the credit union movement?

DD: “I am bullish on the credit union future, but I am a realistic bull. Without a more balanced and effective regulatory approach that recognizes the value of growth and innovation, the bull could just be wandering for years barely surviving in a pasture of thorny regulations and fading grass. However, with the type of reasoned approach of earned regulatory flexibility that must inevitably come or the credit union charter itself will become non-viable, the bull can be unleashed. As we saw in the greatest period of credit union growth in American history from 2001-2007, a safe and sound credit union movement that is empowered to grow and innovate can make a tremendous difference for the American consumer. I prefer to be bullish, as I have seen the meat on a bull that is allowed to safely exercise itself.”

Dennis with his business partner and fellow principal of Dollar Associates, LLC, Kirk Cuevas

11 for 2011, cont’d from page 13

Cross-Training Your Auditors

The strict separation of general and IT auditing continues to dissolve. Auditors must cross train and continue to push their own boundaries of learning and skills. All CPAs and CIAs should strive to obtain the necessary skills to complete IT audits and obtain their CISA certification, and vice-versa. As departments continue to look for ways to conduct efficient and effective audits, having multi-faceted auditors will be one of the first steps.

Practical Application of Statistical Sampling

The art of statistical sampling has been lost in today’s audit world. Most auditors conduct sampling based on a haphazard methodology or judgmental selection. What many auditors do not realize is that in utilizing one of these methodologies, one cannot extrapolate the findings over the population to come to a focused conclusion as to how the sample affects the entire population. As these are non-statistical methods of sampling, extrapolation is not possible. That being said, utilizing statistical methods of sampling is easy, can be extrapolated and helps to alleviate any doubt or bias in sampling methodology. Additionally, with the sampling programs on the market today, sampling is easy to use and apply and a minimal monetary investment.
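The extrapolation point above, worked through as an added example that is not part of the original article: a seeded random selection from a constructed population of 2,000 loan files, followed by the exact (Clopper-Pearson) one-sided upper limit on the population exception rate. The population, the sample size of 60, the 95% confidence level and all function names are assumptions chosen for illustration.

```python
import math
import random


def draw_sample(item_ids, n, seed):
    """Simple random sample without replacement.

    Recording the seed lets a reviewer reperform the exact selection,
    which a haphazard or judgmental pick does not allow.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(list(item_ids), n))


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_exception_rate(exceptions, n, confidence=0.95):
    """Exact one-sided upper confidence limit on the population exception rate.

    Finds the rate p at which seeing `exceptions` or fewer in a sample of n
    would happen only (1 - confidence) of the time. The binomial model is
    slightly conservative when sampling without replacement.
    """
    if not 0 <= exceptions <= n:
        raise ValueError("exceptions must be between 0 and n")
    if exceptions == n:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection: the CDF falls as p rises
        mid = (lo + hi) / 2
        if binom_cdf(exceptions, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate(population, n, seed, confidence=0.95):
    """Select, test and extrapolate.

    `population` maps item id -> True if the item fails the control tested.
    """
    sample = draw_sample(sorted(population), n, seed)
    found = [item for item in sample if population[item]]
    upper = upper_exception_rate(len(found), n, confidence)
    return {
        "seed": seed,
        "sample": sample,
        "exceptions_found": found,
        "sample_rate": len(found) / n,
        "upper_rate": upper,
        "upper_count": math.ceil(upper * len(population)),
    }


if __name__ == "__main__":
    # Constructed data: 2,000 loan files, every 50th one missing a required
    # approval (a 2% true exception rate the auditor does not know).
    loans = {loan_id: loan_id % 50 == 0 for loan_id in range(1, 2001)}
    result = evaluate(loans, n=60, seed=2011)
    print(f"exceptions in sample: {len(result['exceptions_found'])} of 60")
    print(f"95% upper limit on population rate: {result['upper_rate']:.1%}")
    print(f"at most about {result['upper_count']} of {len(loans)} files affected")
```

The upper limit is the statement a judgmental sample cannot support: with the stated confidence, the exception rate in the whole population is no higher than the figure reported.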

There are many topics that should be addressed by Chief Auditors in 2011, including those outlined above. The important step is to make sure the most significant issues are on the top of your list for the New Year.

What’s Happening on the Forum by Warren Whiteoak, CUCE

For those of you who do not know, the ListServ is history, and unfortunately all of the valuable insights contained on it are also gone. The ListServ was costing the Association too much money. The Board decided it was necessary to discontinue it as part of their due diligence and to keep membership dues at their present level.

The ListServ has been replaced with the Forum, which can be found on the new ACUIA web site. I encourage everyone to visit the Forum and participate in the discussions. The Forum has gotten off to a slow start. Hopefully as more folks find out about it, it will become more widely used. So spread the word.

Summary of Recent Discussions on the ACUIA Forum

Question: One of the earliest topics was the scope of closed account confirmations. Are any types of closed accounts excluded?

Answer: The only types excluded were if the member was deceased or if the funds were transferred to an existing account.

Question: What is the cash limit for a teller’s cash drawer?

Answer: The replies ranged from $15,000 to $1,000, the lower limit being where the tellers used a cash dispensing machine.

Question: What criteria is used to identify possible check kiting?

Answer: See the Forum for some ideas.

Question: Do you have a full time security guard at your branches?

Answer: Most respondents said no. One credit union in a major metropolitan area has a security guard at each branch.

Question: What are you doing to discover fictitious loans?

Answer: See the Forum for some suggestions.

Check out the new forum and website at www.acuia.org

People Helping People by Linda Goff, CUCE

Coming to your area in 2011

Have you ever thought that it would be great if a group of local credit union internal auditors could get together periodically to discuss topics of interest, or maybe have a speaker come in and talk about current events in the credit union industry? If that is indeed something you have thought about, then why not start up a chapter in your area?

The great thing about chapters is that the group decides how they are run. Some chapters have regularly scheduled meetings, while other chapters meet as a need arises. The format varies as well, with some being all discussion on topics submitted by the participants. Others bring in speakers for the meeting. There is no right or wrong way to do a chapter meeting!

Chapters are easy to form. All you need to do is get together and then select a chapter coordinator. Once that’s done, you just need approval from the board of directors to make your chapter “official.” This is best done by contacting your Region Director and asking him/her to submit to the board your desire for a chapter. Chapters can be for an entire state, or a smaller geographical area.

The Tennessee Chapter is one of the oldest chapters and has been around since the late 90s. Mark Jenkins is the current coordinator for the chapter. Mark feels the biggest benefit is the networking. He says it allows you to bounce things off of other auditors to get different viewpoints on what works and doesn’t work. He says the email discussions are good, but the local chapters allow you to get feedback from others in the same geographical area. The Tennessee chapter meets two to three times a year, and moves around so that more auditors get a chance to attend, since the state is long and narrow.

The Minnesota Chapter coordinator is Van Sprenger. Van says their chapter does two things and feels both are very useful. Once a year they hold a ¾ day meeting. They have three local CPA firms that specialize in credit unions, who are very willing to lead a session. They also have vendors that volunteer their time. Van says that they invite non ACUIA members to the meeting as well. The inclusion of these non-members has resulted in several of them joining ACUIA. They limit their invitation to credit unions that are over $50,000,000. The other thing the chapter does is have a monthly luncheon, where the ACUIA members get together and just eat and talk about whatever comes up.

The New York City Chapter has been around since 2005 and Warren Whiteoak is the coordinator. The chapter meets quarterly. The agenda for these meetings is based on topics submitted by the participants. Warren feels the major benefit to chapter members is the networking that goes on during the meeting and throughout the year via emails.

ACUIA Chair Sam Capuano delivers an address at a recent regional meeting.


Please see pages 26-28 for more information on regional meetings and joining a chapter.

The Indiana Chapter doesn’t have a set schedule, but when they do meet they try to have an all-day meeting, since everyone is so spread out from one another. The central portion of the state has gotten together on occasion to discuss topics over lunch. Pat Richey is the chapter coordinator.

The Carolina Chapter is one of our newest chapters and the chapter coordinator is Roger Holcomb. They have just met twice, once to set up the chapter and discuss what direction the chapter wanted to go, and then right before the Region 6 meeting in September. Roger feels the emphasis of the chapter should be on the interaction between the members, sharing experiences and information. He looks at the chapter as more of a “peer group” of credit union internal auditors who have something in common (the area in which they operate).

Shashawnee Newhouse is the chapter coordinator for the St. Louis Chapter. Shashawnee says she feels she can speak for everyone in her chapter, that the chapter is a great resource. Anytime you need assistance with anything, one of the group is always willing to answer your call or respond to an email. The St. Louis Chapter meets once a quarter to discuss any current issues.

So, if you wish to start a chapter in your area, or would like more information, contact your Region Director. I think Shashawnee sums it up best. She says “The best thing about credit unions is ‘people helping people.’ That is exactly what the chapter means to me.”

Regional meeting attendees get “hands-on” experience at a recent ACUIA meeting.


ACUIA NEWS

Regional News

REGION 1

Director Julie Wilson
Internal Auditor, iQ [email protected]

No news for Region 1; contact Julie for regional information.

REGION 2

Margaret Chamberlain
Audit Manager, Arizona State [email protected]

No news for Region 2; contact the new regional director, Margaret Chamberlin, for regional information.

REGION 3

Dean Swenson
General Auditor, Wings Financial FCU [email protected]

Region 3 said goodbye to Pat Richey as the region director. Many thanks go out to Pat for her guidance and assistance to the ACUIA members of Region 3. My name is Dean Swenson and I will follow Pat as the Region 3 director; I can’t say “replaced” because Pat cannot be replaced! I have been the General Auditor with Wings Financial in Apple Valley, MN for over five years and a member of ACUIA since I started there. I look forward to becoming more involved with ACUIA and Region 3 over the upcoming year.

Meeting News, by Pat Richey

Region 3 held its annual 2 ½ day meeting in Cleveland, OH September 22-24, 2010. Thank you to the following speakers who helped make the event a success:

• Scott Sturkie, CUDefense
• Pat Richey, Finance Center FCU
• Dan Shea, Zix Corporation
• Adam Ciroli, Federal Reserve Bank, Cleveland
• Robert Rutkowski, Weltman, Weinberg and Reis Co
• Bonnie Gall, Century Federal FCU
• Arvin Clar, Ohio Attorney General’s Office
• Bob Parks and Andrea Badics, Doeren Mayhew

A special thank you to Bev McMahon, Century FCU and her CEO, Tony Coniglio, for arranging all the logistics - couldn’t have done it without them. I think the highlight of the meeting was Arvin Clar’s two sessions on robbery and fraud interviewing. I know several attendees were very interested in having Clar do robbery training at their credit unions after his entertaining presentations. Perhaps we can get Clar as a speaker in Austin, TX next June. Also, the meeting included a tour of the Federal Reserve Bank of Cleveland, but the highlight for me was the evening visit to the Rock and Roll Hall of Fame (my motivation for having the meeting in Cleveland to begin with). Thank you to all the participants.

REGION 4

Director Claudia Rodriguez, CFE
GECU Internal Audit [email protected]

The 2011 Region 4 Meeting is tentatively scheduled for August 2011. I would like to send out a survey to the membership to get suggestions on schedule, location, topics, and more! Check the ACUIA website for more details to come. Feel free to contact me if there are any specific topics or speakers you would like to see on the agenda for next year. I am open to any suggestions!


REGION 5

Director Lorraine Heneka, MBA, NCCO
Director of Internal Audit, Hudson Valley Federal Credit [email protected]

Region 5 had another successful meeting this year, with 37 in attendance. The meeting was held on October 4th & 5th in Albany, NY. Attendees were educated on a wide variety of topics and also had time to network with both peers and speakers. Thank you to John Gallagher and his staff at SEFCU for hosting again this year—as always, you did a great job for us. Thank you also to the following individuals who gave presentations at the meeting:

• Jay Bowman (Accume Partners), The Supervisory Committee – Four Perspectives
• Mark Cantor (NCUA), NCUA Hot Topics
• Victor Howe (McGladrey & Pullen LLP), Emerging Hot Topics
• Michael Carter (CUANY), Compliance Update
• Christopher Dietter, James Flynn and Craig Zellar (Firley, Moran, Freer and Eassa, P.C), Understanding the External Audit
• Dan Juneau (Security Compliance Associates), Auditing for PCI Compliance and E-commerce & Website Compliance

I will be starting plans for the 2011 meeting soon. Watch your email for details. If you have suggestions for speakers or topics, feel free to contact me at [email protected]. I wish you all a happy, healthy, and successful 2011.

REGION 6

Director Lora Worthy, CUCE
Internal Audit Manager, Marine FCU [email protected]

The Region 6 meeting was held September 22 - 24, 2010 in North Charleston, South Carolina. I think we had a successful 2 ½ day meeting with great speakers and topics. I am tremendously grateful to all the speakers who donated their time and expertise to the organization. The list of the speakers included Bonnie Karst Cuiffo, South Carolina FCU; Dan Moulton, OCM; Harvey L. Johnson, WittMares; Jay Bowman, Accume Partners; Frank Drake, Smith Debnam Naron Drake Sintsing & Myers, LLP; Sam Capuano, Sunmark FCU; Thomas Richardson, IIA; Scott Sturkie, CU Defense; and Richard Polanco, FBI, Columbia, SC Office. They were all a pleasure to work with. I would like to extend a special note of thanks to Scott Wood, President/CEO; Margaret Miller, Sr. VP; and the entire staff at South Carolina FCU for hosting the meeting. Their kindness, readiness to assist, and professionalism far exceeded my expectations.

Planning for next year’s meeting has begun, but I need your participation. If you have suggestions for topics or speakers, I would be glad to hear them. Please email me at [email protected]. I look forward to hearing from you.

Chapter News, by Roger Holcomb

The recently organized Carolinas chapter held its second meeting on September 20th, at The Charleston Crab House in Charleston, SC, in conjunction with the Region 6 meeting. Lora Worthy, Region 6 Director, and Roger Holcomb, Chapter Coordinator were present, along with five other credit union internal auditors from the Carolinas. The group enjoyed a delicious dinner and held an informal roundtable discussion on various topics, including concentration risk, the change in ACUIA management firms, NCUA examinations, fraud, and other current topics. The next meeting will be scheduled in the spring at a location to be determined.

Got Questions?

Contact your regional director to find out the latest on region news and events.


Region Directors and Chapter Coordinators

Contact these volunteer leaders and get involved in local ACUIA activities.

Region Directors

• Region 1: Julie [email protected]
• Region 2: Margaret [email protected]
• Region 3: Dean [email protected]
• Region 4: Claudia H. Rodriguez, [email protected]
• Region 5: Lorraine Heneka, MBA, [email protected]
• Region 6: Lora Worthy, [email protected]

Chapter Coordinators

• California Chapter: Kara [email protected]
• Carolina Chapter: Roger [email protected]
• Indiana Chapter: Patricia Richey, CFE, NCCO, [email protected]
• Minnesota Chapter: Van Sprenger, NCCO, [email protected]
• New York City Chapter: Warren Whiteoak, CUCE, [email protected]
• St. Louis Chapter: Shashawnee D. [email protected]
• Tennessee Chapter: Mark [email protected]
• Utah Chapter: Randy Manscill, CIA, CFE, [email protected]


ACUIA Select (as of January 1, 2011)

Benefactor Level ($5,000)

Sponsor Level ($4,000)

Supporter Level ($2,500)

ACUIA Select will give you exposure to the most qualified decision makers in this field, differentiating your company from others and significantly enhancing your visibility. If you have questions about joining ACUIA Select, please contact the Executive Office at (703) 535-5757.


Orth, Chakler, Murnane & Company, CPAs

“Reaching New Heights”

Our partners and managers work on-site, providing direct access to our most experienced professionals.

We provide free telephone support and advice throughout the year.

The 2nd Annual OCM Supervisory Committee Conference will take place on October 19 - 21, 2011, in Dallas, Texas. Please see our roster of speakers and relevant topics at http://www.ocmcpa.com

Services provided by our firm

Opinion Audits

Pension/401(k) Audits

CUSO Audits

Internal Audit - Co sourcing/Outsourcing

Information Technology Audits

ACH, BSA/OFAC, ATM PIN Audits

Credit Union and CUSO tax services

12060 SW 129th Court - Suite 201 Miami, FL 33186 Phone: (888) 676-3447 Fax: (305) 232-8388 www.ocmcpa.com

Partners

Douglas J. Orth, CPA, CFE

Hugh Chakler, CPA, CISA, CITP, CFE

John J. Murnane, CPA

Daniel C. Moulton, CPA

James A. Griner, CPA

Lori J. Carmichael, CPA

Office Locations

Miami, Florida

Charlotte, North Carolina

Dallas, Texas

(We currently serve credit unions in 28 states)


Payment Processing Center 815 King St., Suite 308, Alexandria, VA 22314 Toll Free (866) 254-8128 – Fax (703) 683-0295

Credit Union Information

Credit Union: ______________________________________ Website: __________________________________

Credit Union CEO: _________________________________ Toll Free Number: ______________________________

Address: _________________________________________ State: ________________ ZIP: __________________

DP Firm: __________________________________________ Audit Firm: _____________________________________

Membership Options

Regular (Internal Auditor)

___$200 One Internal Auditor Member

___$300 Two or Three Internal Auditor Members

___$400 Four Internal Auditor Members

___$100 Each Additional Auditor Beyond Four

Supervisory/Audit Committee

____$100 per Supervisory/Audit Member

Primary Member Information

Privacy Information: Do not include my name in the ACUIA Directory ☐

First Name: ________________________ Last Name: _______________________ Suffix:

Title: _____________________________ Phone Number: ____________________ Extension:

Fax Number*: ______________________ Email address*:

2nd Member Information

Privacy Information: Do not include my name in the ACUIA Directory ☐

First Name: ________________________ Last Name: _______________________ Suffix:

Title: _____________________________ Phone Number: ____________________ Extension:

Fax Number*: ______________________ Email address*:

3rd Member Information

Privacy Information: Do not include my name in the ACUIA Directory ☐

First Name: ________________________ Last Name: _______________________ Suffix:

Title: _____________________________ Phone Number: ____________________ Extension:

Fax Number*: ______________________ Email address*:

4th Member Information

Privacy Information: Do not include my name in the ACUIA Directory ☐

First Name: ________________________ Last Name: _______________________ Suffix:

Title: _____________________________ Phone Number: ____________________ Extension:

Fax Number*: ______________________ Email address*:

*Fax and/or email will be used for member communications.

Payment Information

Payments to ACUIA are not deductible as charitable contributions for federal income tax purposes. However, they may be deductible under other provisions of the Internal Revenue Code. Federal Tax ID # 39-1666875

☐ Credit Card (Circle One): VISA MasterCard Discover

☐ Check or Money Order Enclosed #: ____________________

Card Number: ____________________________________ Expiration Date: ____________ Security Number: __________ (3 – 4 digit number on back)

Cardholder Name: _________________________________

Cardholder Address: _________________________________

Authorized Signature: ______________________________________________ Date: ______________________________

The Association of Credit Union Internal Auditors (ACUIA) collects credit card information to make it easier for you to sign up for membership, as well as pay for other services. ACUIA does not use or share credit card information for any other purpose. We retain such information as is needed for standard accounting record keeping requirements. Every step is taken to protect against the loss, misuse, and alteration of the information under our control. If you prefer, please use a check or money order to make any necessary payments.

Membership Application: January 1, 2011 – December 31, 2011

For additional memberships, make copies of this application; go to the website at www.acuia.org to download the form or to apply online.

Source: AR0210
