CUNA Comment Letter
Advance Notice of Proposed Rulemaking - Supervisory Committee Audits
April 24, 2006
Ms. Mary Rupp
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Dear Ms. Rupp:
CUNA appreciates the opportunity to comment on NCUA's Advance Notice of Proposed Rulemaking (ANPR) seeking input concerning whether the agency should modify its Supervisory Committee Audit Rules, and if so, how. The ANPR seeks input specifically on the following issues: whether credit unions should be required to secure an attestation on internal controls in connection with their annual audits; whether the audit options currently available to credit unions with less than $500 million in assets should be retained; and whether minimum qualifications for serving on a credit union's Supervisory Committee should be imposed. By way of background, CUNA represents approximately 90% of our nation's 8,700 state and federal credit unions, which serve nearly 87 million members. This letter was developed under the auspices of CUNA's Accounting Task Force, chaired by Scott Waite, SVP and CFO of Patelco Credit Union, and incorporates input from discussion with credit unions, credit union leagues and other CUNA subcommittees.
Summary of CUNA's Comments
- CUNA has a long-standing policy of support for transparency to members regarding credit union operations. We understand a number of credit unions have obtained attestations on internal controls, based on their individual assessments that such activity is appropriate for their circumstances.
- In our view, based on sound public policy reasons described below, a regulatory approach that allows credit unions to exercise their business judgment and voluntarily obtain attestations is preferable to new, unwarranted regulation that mandates such action.
- We are not aware of, and NCUA has not cited, any material incidents at credit unions necessitating such a change in its regulation. As cooperatives, credit unions already have a significant level of regulatory oversight that is not routine in non-public companies that are required to obtain attestations. Officials of shareholder-owned companies face incentives that substantiate the need for attestations, while credit unions do not. For example, credit union officials have no stock holders and, therefore, have no incentive to unjustly enrich themselves through manipulation of the organization's stock price.
- With an attestation, there is duplication of effort, which means increased costs for the credit union and a corresponding lower level of benefits for the members. Redundancy would result in that annual auditors already conduct a considerable amount of testing when they conduct the annual audit. Under NCUA's examination process, examiners also review the credit union's internal controls.
- If NCUA decides to institute an attestation requirement, we believe the minimum asset threshold for requiring an attestation should be set at $1 billion, which is the threshold for banks. Going forward, we would urge NCUA to monitor the threshold set by the FDIC (Federal Deposit Insurance Corporation) for banks and raise the threshold for credit unions commensurate with FDIC action as needed to maintain consistency. (For credit unions, if attestations are required, we believe an even higher level could be justified.)
- The audit options for small credit unions should not be eliminated because they generally are cost effective and provide needed information without having to incur the expense of obtaining a certified public accountant (CPA) audit.
Discussion of CUNA's Comments
CUNA and the credit union system strongly support accuracy and transparency in credit union financial statements and regulatory reports. We believe that the current regulations in Part 715 (Supervisory Committee Audits and Verifications) ensure that those statements and reports portray an accurate picture of the financial condition of the institution.
We are aware that some credit unions already voluntarily obtain attestations on internal controls and applaud them for doing so. At the same time, however, we believe the value of the information produced through an attestation may not justify the significant additional expense for all credit unions. Consequently, our view is that credit unions should not be required by regulation to obtain an attestation. Rather, credit unions should be able to exercise their sound business judgment and decide for themselves if and when an attestation is appropriate, given their size, activities, membership, and other relevant factors.
The ANPR does not identify any major problems at credit unions or sufficient public policy reasons to justify new attestation requirements. While we understand the 2005 Government Accountability Office (GAO) report entitled "Credit Unions: Financial Condition Has Improved, but Opportunities Exist to Enhance Oversight and Share Insurance Management" recommends such a requirement, there is no statutory directive in the Credit Union Membership Access Act (CUMAA), Sarbanes-Oxley (SOX) or other statute that requires the kind of changes addressed in the ANPR.
As we discuss below, if NCUA determines changes to Part 715 are necessary, any modifications should be closely tailored to address any minor problems that exist in order to minimize regulatory burdens for credit unions. We would also encourage the initiation of discussions within the credit union system on ways to enhance and support best practices of a Supervisory Committee.
Internal Control Assessment and Attestation
Should Part 715 require, in addition to a financial statement audit, an attestation
on internal controls over financial reporting above a certain minimum asset size threshold?
Explain why or why not.
As discussed in the ANPR, attestation requirements to ensure the integrity of credit unions' internal controls would be very similar to the ones outlined in Section 404 (internal control attestation requirements) of SOX for public companies. As cooperatives, credit unions already have a significant level of regulatory oversight. Credit unions have outstanding safety and soundness records; and there have been an extremely low number of institution failures, relative to those of banks and thrifts. In addition, credit unions have the highest relative capital levels of any insured financial institutions in the United States. Absent a documented need to address material problems, it is difficult to appreciate why the changes would be necessary.
Attestations would be particularly time-consuming, inefficient and costly for smaller credit unions. With an attestation, there is duplication of effort, which means increased cost for the credit union. There is redundancy in that annual auditors already perform a considerable amount of testing when they conduct the annual audit. Under NCUA's examination process, examiners also review the credit union's internal controls. Further, before a CPA can perform an attestation, management must document its internal controls assessment. That documentation process demands considerable effort as well as assistance from the credit union's staff or outside attorney. Some credit unions would not have the resources to provide the documentation and would have to hire external assistance. Again, this would increase the annual audit/review cost.
The added burden in obtaining an attestation has been discussed in studies conducted with banks and other companies that have been subject to this requirement. The ICBA Community Bank Survey: The Costs of Complying With Section 404 of the Sarbanes-Oxley Act, published in March 2005, attempts to quantify this extra burden. The Survey found that on average Section 404 required approximately 2,079 internal staff hours to comply. Additional outside costs were incurred averaging $202,142 encompassing consulting costs, outside audit fees, and vendor/software costs. Moreover, respondent banks anticipated having to document on average 78% of their internal control processes, covering 80% of revenues.
In fact, the costs to implement the internal controls provisions of SOX have exceeded original estimates such that the SEC's Advisory Panel on Smaller Public Companies decided on April 20th to recommend that the SEC significantly curtail or eliminate the section 404 compliance rules for smaller public companies. The Advisory Panel's proposal would apply to two groups of smaller public companies: (1) microcap companies (those with an equity capitalization below $128 million based on current stock prices) with annual revenue of less than $125 million; and (2) small cap companies (those with an equity capitalization between $128 million and $787 million) with annual revenue under $10 million. Provided those companies have certain enhanced corporate governance provisions in place, they would be exempt from SOX 404 provisions altogether (exempt from filing a management report assessing internal controls over financial reporting and from hiring an outside auditor to assess controls) unless and until an appropriately scaled cost-effective standard for management's assessment, and the auditor's attestation, regarding internal control over financial reporting, is developed.
The Advisory Panel also recommended what they term "404-lite." Under that option, microcap companies with between $125 and $250 million in annual revenues and small cap companies with less than $250 million but more than $10 million in annual revenues would have to file a management report each year, but would be exempt from hiring an outside auditor. This relief would be subject to their compliance with the same enhanced corporate governance standards. These exemptions would also be effective unless and until a framework for assessing internal control over financial reporting for such companies is developed that recognizes their characteristics and needs.
What minimum asset size threshold would be appropriate for requiring, in addition to
a financial statement audit, an attestation on internal controls for financial reporting,
given the additional burden on management and its external auditor? Explain the reasons for
the threshold you favor.
As stated above, CUNA does not agree with implementing an attestation requirement for credit unions at this time. However, if NCUA should decide to put an attestation requirement in place, CUNA encourages the agency to set the threshold for requiring an attestation at no lower than $1 billion. We strongly feel that the threshold level for credit unions should be no less than the threshold for banks, which is $1 billion. We believe a credit union's threshold could be even higher, based on the lower risk credit unions generally pose as a result of their operations.
We also urge NCUA to monitor any increases the FDIC makes to the threshold for banks and similarly increase the threshold for credit unions.
Should the minimum asset size threshold for requiring attestation on internal
controls over financial reporting be the same for natural person credit unions and corporate
credit unions? Explain why.
Natural person credit unions and corporate credit unions should have the same threshold for requiring an attestation. We believe there should be consistency within the credit union system.
Should management's assessments of the effectiveness of internal controls and the
attestation by its external auditor cover all financial reporting, (i.e. financial statements
prepared in accordance with GAAP and those prepared for regulatory reporting purposes), or
should it be more narrowly framed to cover only certain types of financial reporting? If so,
CUNA's Accounting Task Force recommends that if there are attestation requirements, the attestation should cover all financial reports prepared in accordance with generally accepted accounting principles (GAAP) as well as call reports.
Should the same auditor be permitted to perform both the financial statement audit
and the attestation of internal controls over financial reporting, or should a credit union
be allowed to engage one auditor to perform the financial statement audit and another to
perform the attestation on internal controls? Explain the reasons for your answer.
Credit union management should be permitted to use one or two auditors. Basically, we think credit unions would utilize the same auditor to perform both the audit and the attestation but feel the choice should be provided. Integrating internal control reviews with financial audits would be both more cost efficient and allow for potential synergies. The auditor conducting the annual audit is already familiar with the credit union's operations and would not have to get up to speed to the extent a different auditor would. Furthermore, there are only a limited number of audit firms that perform credit union audits.
If an attestation on internal controls were required of credit unions, should it be
required annually or less frequently? Why?
If an attestation were mandated, we would support an attestation no more frequent than on an annual basis. The credit union's auditor could perform the attestation in the course of conducting the audit, which would be more efficient and cost-effective. Further, the attestation may serve to limit the scope of the audit. Depending on the complexity of the credit union and the cost burden of obtaining the attestation, we would encourage NCUA to consider requiring an attestation at even less frequent intervals.
If an attestation on internal controls were required of credit unions, when should
the requirement become effective (i.e. in the fiscal period beginning after December 15 of
The effective date for any attestation requirement should be a minimum of 24 months from the calendar year in which the final rule is issued. That time frame would provide sufficient time for management to document the design of internal controls, write up policies and procedures, and implement infrastructure changes. The internal controls would have to be in place long enough so they could be tested for effectiveness. There will be a learning curve, particularly for management.
Standards Governing Internal Control Assessments and Attestations
If credit unions were required to obtain an attestation on internal controls,
should Part 715 require that those attestations, whether for a natural person or corporate
credit union, adhere to the Public Company Accounting Oversight Board's (PCAOB's) AS2
standard that applies to public companies, or to the American Institute of Certified Public
Accountants' (AICPA's) revised AT 501 standard that applies to non-public companies? Please
explain your preference.
If an attestation is required of credit unions, CUNA believes the appropriate standard would be the revised AICPA's (AT 501), which would apply to non-public companies. PCAOB's AS 2 standards are designed for large, complex companies with stockholders and as such go far beyond what would be needed for non-public companies such as credit unions.
Should NCUA mandate the Committee Of Sponsoring Organizations of the Treadway
Commission's (COSO's) Internal Control Integrated Framework as the standard all credit
union management must follow when establishing, maintaining and assessing the effectiveness
of the internal control structure and procedures, or should each credit union have the option
to choose its own standard?
The standard for internal control attestation should be consistent for all credit unions. If COSO is the accepted international standard, an auditor would likely not provide an attestation if the credit union does not adhere to the COSO standards. However, the COSO standard also is designed for complex publicly traded companies. Therefore, we think it would be better, given the unique nature of credit unions, for NCUA to consider developing a standard for credit unions which could be subject to public comment, if NCUA's analysis supports the adoption of attestation requirements.
Qualifications of Supervisory Committee Members
Should Supervisory Committee members of credit unions above a certain minimum asset
size threshold be required to have a minimum level of experience or expertise in credit
union, banking or other financial matters? If so, what criteria should they be required to
meet and what should the minimum asset size threshold be?
A credit union's Supervisory Committee is a group of volunteers who come from within the credit union's field of membership. The use of volunteers is unique to credit unions, so far as financial institutions are concerned. No policy should be adopted that reduces the volunteer element, which overall is one of the great strengths of the credit union system.
In light of that fact, Supervisory Committees should naturally reflect the business approach of their credit union. For example, some credit unions may utilize information technology (IT) to a great extent and, therefore, require specific expertise on the Committee. If appropriate, the Committee should utilize outside parties/experts to supplement its expertise on specialized areas of risk. In other situations, if the Committee does not have appropriate expertise, the Committee members could attend training or utilize other outside resources.
We encourage NCUA to initiate a discussion within the credit union system regarding best practices in the area of Supervisory Committee member qualifications as well as internal controls, which are at the core of the risk-based examination process. We also urge NCUA to facilitate credit union access to resources available on these topics.
Should Supervisory Committee members of credit unions above a certain minimum asset
size threshold be required to have access to their own outside counsel? If so, at what
minimum size threshold?
In our view, the Supervisory Committee as an entity should be able to retain its own outside counsel if the Committee feels it necessary to fulfill its responsibilities. Any proposed rule should provide straightforward guidance on the circumstances in which this major and expensive step is and is not appropriate. This ability should not be contingent on the asset size of the credit union.
Should Supervisory Committee members of credit unions above a certain minimum asset
size threshold be prohibited from being associated with any large customer of the credit
union other than its sponsor? If so, at what minimum asset size threshold?
We are not certain what is meant by "customer of the credit union." In general, credit unions do not have customers; they have member-owners.
There should not be a blanket prohibition on Supervisory Committee members being associated with any large customer of the credit union other than the credit union's sponsor. A blanket prohibition would be at odds with the concept of member ownership. The board appoints the Committee members; the board members should be able to judge whether a potential Committee member's association poses a significant conflict of interest such that he/she should not be appointed. In addition, most credit unions already have conflict of interest policies established. We think that credit union Supervisory Committee policies should include provisions requiring prospective/current Supervisory Committee members to disclose any potential conflicts.
If any of the potential qualifications mentioned in the questions above were required
of Supervisory Committee members, would credit unions have difficulty in recruiting and
retaining competent individuals to serve in sufficient numbers? If so, describe the
obstacles associated with each qualification.
The qualifications noted above make more sense in the for-profit environment where audit committee members are compensated and are recruited from a large pool of qualified individuals. In contrast, credit unions are always challenged to recruit and retain qualified non-compensated volunteers from their fields of membership. The above-mentioned qualifications would serve to exacerbate the challenge.
Independence of State-Licensed, Compensated Auditors
Should a state-licensed, compensated auditor who performs a financial statement audit
and/or internal control attestation be required to meet just the AICPA's independence
standards, or should they be required to also meet SEC's independence requirements and
interpretations? If not both, why not?
A state licensed, compensated auditor who performs a financial statement audit and/or internal control attestation should be required to meet only the AICPA's independence standards. Since credit unions are not public companies and are not regulated by the SEC, requiring credit union auditors to also meet the SEC's independence standards would be excessive. Moreover, requiring an auditor to meet both sets of independence standards may simply further narrow the supply of auditors knowledgeable with respect to credit-union issues.
Audit Options, Reports and Engagements (Miscellaneous Issues)
Is there value in retaining the balance sheet audit in Section 715.7(a) of NCUA's
rules as an audit option for credit unions with less than $500 million in assets?
Although statistics compiled by CUNA show that only a limited number of credit unions (approximately 250) avail themselves of the balance sheet audit, the CUNA Accounting Task Force felt it is beneficial to keep that option available. The small credit unions that choose the balance sheet audit find this option more appropriate given the size of their operations and lesser risk profile, not to mention less expensive.
Is there value in retaining the Supervisory Committee Guide audit in Section
715.7(c) of NCUA's rules as an audit option for credit unions with less than $500 million in
There is definitely value in retaining the Supervisory Committee Guide audit option for small credit unions. CUNA statistics show that approximately 66% of all credit unions choose this option. Like the balance sheet audit, this type of review can be more cost effective and flexible. This is the sole option for small credit unions that does not involve engaging a CPA. If those small credit unions have to hire a CPA, that will raise the expense of the annual audit. Some small credit unions may even have to merge as a result.
This type of review is typically performed by credit union league auditors (and other non-CPAs) who are well-versed in the unique characteristics of credit union services. First, if credit unions are not able to utilize League auditors to perform these reviews, the cost of the annual audit will increase because they will have to engage a CPA (who will be able to charge more in light of lessened competition). Moreover, if the anchor service of the league audit department is eliminated, it is unclear if they will be able to viably continue to offer their other credit union accounting, auditing and compliance services. Credit unions can obtain many ancillary services from League auditors such as: internal audits; automated clearing house (ACH) audits; OFAC/BSA/CIP reviews; member account verification; security program development/review; IT consulting; and even such other services as loan reviews, bond claim reviews, bank/account reconciliation. If credit unions are forced to go elsewhere for those services, they will have to go the costly route of hiring a CPA.
The Office of the Comptroller of the Currency (OCC) also recognizes the value of this more limited exam. National banks with assets under $500 million have the option to obtain a directors examination, which is similar to (and in some aspects less rigorous than) a credit union supervisory committee audit review.
The options for credit unions with assets under $500 million are very important because if those options are eliminated, it may be cost prohibitive for them to hire a CPA. Small credit unions may feel pressure to merge as a result.
Should Part 715 require credit unions that obtain a financial statement audit and/or
an attestation on internal controls (whether as required or voluntarily) to forward a copy
of the auditor's report to NCUA? If so, how soon after the audit-period end? If not, why
It would not be efficient or necessary to require credit unions to forward a financial statement audit and/or attestation to NCUA. Those documents would be readily available at the credit union. If NCUA determines it needs access to those documents, the examiner would be able to request and review them.
Should Part 715 require credit unions to provide NCUA with a copy of any management
letter, qualification, or other report issued by its external auditor in connection with
services provided to the credit union? If so, how soon after the credit union receives it?
If not, why not?
Currently, credit unions are not required to provide automatically to NCUA a copy of any report/letter received from its external auditor. Generally, the examiner will request such documents in advance of the examination. Again, the status quo seems to be working efficiently. If credit unions were required to proactively forward such documents, it would mean a large volume of confidential information is in storage or transit, which could be vulnerable to access by unauthorized individuals.
If credit unions were required to forward external auditors' reports to NCUA, should
Part 715 require the auditor to review those reports with the Supervisory Committee before
forwarding them to NCUA?
We do not believe that it is necessary to require an auditor by regulation to review his/her reports with the Supervisory Committee before forwarding them to NCUA. Since the auditor is hired by the Committee, it is standard practice for auditors to communicate directly with the Committee. However, if credit unions were required to forward external auditors' reports to NCUA (and we do not believe that would be prudent; see responses to #17 and 18), the Supervisory Committee should be able to review them before they are sent to NCUA.
Existing Part 715 requires a credit union's engagement letter to prescribe a target
date of 120 days after the audit period-end for delivery of the audit report. Should this
period be extended or shortened? What sanctions should be imposed against a credit union
that fails to include the target delivery date within its engagement letter?
Existing regulations prescribe a target date of 120 days after the audit period-end for delivery of the audit report. This seems appropriate in most cases. However, we think the target date should be extended and waivers permitted if circumstances warrant. If a credit union has a December 31 year end audit, it is sometimes difficult for the credit union to obtain the audit report by April 30. This is particularly true if the CPA firm performing the audit has a large client base with identical fiscal year ends and/or conditions exist at the credit union preventing the CPA from completing the audit in a timely manner. Therefore, we suggest that the target date be moved to 150 days to reduce the number of waivers that need to be requested due to engagement wrap-up issues.
Many CPA firms do not want to commit to a target date in the engagement letter because the extent of audit work which may be necessary is not always known until the fieldwork is in process. Therefore, as long as the target is met in time for the audit report to be presented at the annual meeting there should be no sanctions imposed, even if the target date is not set out in the engagement letter. NCUA could address any such deficiencies during the examination process - perhaps simply requiring the credit union to obtain an acceptable engagement letter or by prohibiting the credit union from using the same auditor again the following year.
Should Part 715 require credit unions to notify NCUA in writing when they enter into
an engagement with an auditor, and/or when an engagement ceases by reason of the auditor's
dismissal or resignation? If so, in cases of dismissal or resignation, should the credit
union be required to include reasons for the dismissal or resignation?
Notification to NCUA every time a credit union engages an auditor is unlikely to be helpful in NCUA's supervisory process. Notification should only be required for reasons of auditor ineptitude (gross negligence) or dishonesty.
NCUA recently published a joint Interagency Advisory on the Unsafe and Unsound Use of
Limitation of Liability Provisions in External Audit Engagement Letters, 71 FR 6847 (Feb. 9,
2006). Should credit union Supervisory Committees be prohibited by regulation from executing
engagement letters that contain language limiting various forms of auditor liability to the
credit union? Should Supervisory Committees be prohibited from waiving the auditor's
punitive damages liability?
The Interagency Advisory already states that credit unions and other financial institutions should not execute engagement letters containing waiver of auditor liability provisions. We do not feel it is necessary to codify that in NCUA regulations. We understand that most CPA firms no longer try to include such waiver of liability provisions in their engagement letters because it casts suspicion on the firm.
Thank you for the opportunity to share our comments. If you have any further questions, please contact CUNA's General Counsel Eric Richard, SVP and Associate General Counsel Mary Dunn or me firstname.lastname@example.org at our e-mail address or at (202) 638-5777.
Senior Regulatory Counsel