CUNA Comment Letter

Proposed Statement on Standards for Attestation Engagements, Reporting on an Entity’s Internal Control Over Financial Reporting

May 19, 2006

Ms. Sharon Macey
Audit and Attest Standards
American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775

Dear Ms. Macey:

CUNA appreciates the opportunity to comment on the American Institute of Certified Public Accountants’ (AICPA’s) Exposure Draft containing a proposed Statement on Standards for Attestation Engagements (SSAE) entitled Reporting on an Entity’s Internal Control Over Financial Reporting (AT 501). This proposed Statement would revise the requirements and guidance for an independent certified public accountant (CPA) for reporting on the internal control of nonpublic companies. By way of background, CUNA represents approximately 90% of our nation’s 8,700 state and federal credit unions, which serve nearly 87 million members. This letter was developed under the auspices of CUNA’s Accounting Task Force, chaired by Scott Waite, Senior Vice President and Chief Financial Officer of Patelco Credit Union in San Francisco.

The proposed SSAE provides guidance to a CPA on evaluating management’s basis or substantiation for making an assertion about an entity’s internal control over financial reporting. Under the proposal, the CPA would be required to obtain a representation letter from management that includes a written assertion about the effectiveness of the entity's internal control. The proposal also details management’s documentation requirements to support the assertion.

According to the proposal, the CPA should evaluate identified control deficiencies by significant account balance, disclosure and component of internal control to determine whether the deficiencies, individually or in combination result in a significant deficiency or a material weakness. The proposal discusses the types of testing the CPA should perform in conducting the evaluation. The CPA would be required to communicate, in writing, to management and those charged with governance any significant deficiencies and material weaknesses that exist as of the date of management’s assertion, those the CPA becomes aware of during the examination, and any known or suspected fraud.

Summary of CUNA’s Comments

Discussion of CUNA’s Comments

CUNA is interested in these proposed revisions because the NCUA, which regulates and supervises federal credit unions, has issued an ANPR seeking input on whether NCUA should modify its Supervisory Committee Audit Rules (12 C.F.R. Part 715 - Supervisory Committee Audits and Verifications), and if so, how. An ANPR does not reflect a specific proposal but rather requests comments on issues and concerns raised by an agency. If NCUA were to pursue this issue, the next step would likely be a proposed rule. One of the specific issues NCUA raised in the ANPR is whether credit unions should be required to secure an “attestation on internal controls” in connection with their annual audits.

In our comment letter to NCUA, CUNA stated our position that there is sufficient regulatory oversight currently in place for credit unions to ensure that members are provided with accurate statements of financial condition.

CUNA has a long-standing policy of support for transparency to members regarding credit union operations, including financial statements and regulatory reports. In fact, we understand that a number of credit unions have obtained attestations on internal controls on their own initiative, based on their individual assessments that such activity is appropriate for their circumstances, and we support their decision. However, no significant internal control problems at credit unions or public policy reasons have been cited to justify a new attestation requirement.

While it is critical that credit unions have good internal controls, we believe that the costs to create, document and test these controls outweigh any potential benefits to the members in terms of additional valuable information likely to be produced from an attestation. In particular, with an attestation, there is duplication of effort. Auditors already conduct a considerable amount of testing when they conduct the annual audit. Under NCUA’s examination process, examiners also review the credit union’s internal controls at a minimum every eighteen months. The added burden for banks and other public companies in obtaining an attestation has been borne out in practice. In fact, the costs to implement the internal controls provisions of the Sarbanes-Oxley Act (Section 404) have so exceeded original estimates that in April the Securities and Exchange Commission’s (SEC’s) Advisory Panel on Smaller Public Companies recommended that the SEC significantly reduce or eliminate the section 404 compliance rules for smaller public companies.

Consequently, it is CUNA’s view that credit unions should be able to exercise their sound business judgment and decide for themselves if and when an attestation is appropriate, given their size, activities, membership, and other relevant factors. If NCUA ultimately decides to institute an attestation requirement for credit unions, the agency should set the minimum asset threshold for requiring an attestation at no lower than $1 billion, which is the current threshold for banks supervised by the Federal Deposit Insurance Corporation (FDIC).

If credit unions are required to obtain attestations and comply with the provisions of AT 501 as currently proposed, we have some concerns with the AICPA’s proposal. We understand that the AICPA’s proposed modifications are designed to make AT 501 a more robust standard. Proposed AT 501 reflects guidance from the Public Company Accounting Oversight Board’s (PCAOB’s) Auditing Standard No. 2 (AS 2), which establishes the standards for an audit of the internal controls of a public company. The AICPA indicates that the revised AT 501 provisions would be more appropriate for examinations of the internal control of non-public companies and useful to regulated entities, such as financial institutions, than AS 2. However, overall we feel AT 501 is very stringent and does not take into account the important differences between public and non-public companies.

If credit unions must comply with attestation requirements, there are three provisions in AT 501 that should be retained. First, the option enabling non-public companies to engage the same auditor to perform both the audit and the attestation (paragraph 53) or hire a separate auditor for each engagement is positive. Under the AS2 framework, the same CPA must audit the financial statements and the company’s internal control. We think that most credit unions would choose to utilize a single auditor for both. Integrating internal control reviews with financial audits would be both more cost efficient and allow for potential synergies. The auditor conducting the annual audit is already familiar with the credit union’s operations and would not need the additional acclimation time to the extent a different auditor would. Furthermore, there are only a limited number of audit firms that perform credit union audits. In light of this fact, we think it is valuable to provide the option of hiring two different auditors.

Second, Footnote 4 permits a CPA to perform an attestation covering only the design effectiveness of a non-public company’s internal controls or both the design and effectiveness of the internal controls. There may be cases where it makes sense for a non-public company to obtain only an attestation on design effectiveness. Further, the CPA could report the attestation as of a point in time or for a period.

Third, the proposed provision (paragraph 33) stating that “[i]n addition to examining an entity’s internal control, a [CPA] might be engaged to perform other services for an entity related to its internal control, such as assisting management in preparing or gathering documentation of its internal control or recommending improvements to its internal control.” It is likely that many non-public companies will need to hire outside expertise to initially assist them with designing their internal control and documentation processes. This provision could assist them in doing so.

When the final revised AT 501 is issued, we encourage the AICPA to publish an accompanying side-by-side comparison of AT 501 and AS2 so non-public companies can understand how the standards in AT 501 differ.

Thank you for the opportunity to share our comments. If you have any further questions, please contact CUNA’s SVP and Deputy General Counsel Mary Dunn or me ( at our e-mail address or at (202) 638-5777.


Catherine Orr
CUNA Senior Regulatory Counsel