Introduction – A Sea Change Has Occurred
Large historical shifts are always difficult to discern when one is in the middle of the shift. It is our belief that in a few years, we will look back on this time and realize that we began a marked transformation in corporate governance in the United States in 2003.
Corporate failures have wrought this sea change in corporate governance, and audit committees (also known as Supervisory Committees in the credit union environment) are going through a period of deep introspection to determine how this sea change will influence their committee’s operations in the future. The objective of this white paper is to discuss how your responsibilities as members of the credit union’s audit committee will be impacted, while also recognizing that credit unions are vastly different from the multi-conglomerate enterprises that created the problems which shook the confidence in Corporate America’s financial reporting.
The Earthquake And The Aftershocks
The earthquake caused by fraudulent financial reporting by several enormous publicly-held corporations has spawned three aftershocks which directly impact audit committees:
Sarbanes Oxley Act
Public Companies Accounting Oversight Board
Statement on Audit Standards #99 – Consideration of Fraud in a Financial Statement Audit
We’ll discuss each of these aftershocks in general terms, describing the impact they will have on publicly-held companies, and then focus on what is relevant for credit unions and make recommendations of actions that should be considered by the Supervisory Committee.
The Sarbanes Oxley Act
Accurate and transparent financial reporting is the keystone on which the United States capital and credit market is based. The threat that fraudulent financial reporting by Enron, WorldCom, Adelphia, Global Crossing, and others poses to our capitalist system is so serious that Congress responded with remarkable swiftness and uncharacteristic unanimity and passed the Sarbanes Oxley Act (SOX) in 2002.
SOX represents sweeping changes that will affect and influence publicly held corporate boards, audit committees, and their independent auditors. Although the legislation applied only to publicly-held corporations, the regulators of financial institutions evaluated the legislation to determine if it contained useful measures that could reduce the risk of fraudulent or erroneous financial reporting in financial institutions.
The primary credit union regulator, the National Credit Union Administration (NCUA), analyzed SOX and worked hard to understand how the member-owned non-profit credit union industry could benefit from the legislation. It ultimately became apparent to the NCUA that the credit union industry was markedly different from the multi-conglomerate publicly-held enterprises at which SOX was aimed. The following discusses those differences.
The Incentives Are Vastly Different
Credit unions are not only different in size (they are miniscule on the financial landscape), but more importantly, they are vastly different when it comes to incentives to issue fraudulent financial statements. The essential question is “What’s in it for a credit union CEO to issue financial statements that fraudulently overstate the financial performance of the credit union?”
In a publicly-held corporation, there is a tremendous incentive to manage earnings (lie about financial performance) through fraudulent accounting and financial reporting. Hundreds of millions, and often billions, of dollars of personal wealth are in the balance with regard to the stock market’s valuation of the company each time financial statements are issued. The incentive to lie about the numbers for a CEO or a member of the management team who owns tens of thousands of stock options, or who has millions in bonuses at stake, is enormous.
However, in credit unions, the incentive to lie about financial performance is miniscule. Wall Street, and indeed even the credit union membership, cares very little about the credit union’s earnings. That’s an overstatement to make a point, but it’s essentially correct. Granted, if management has a bonus program that is in part based on earnings, then there may be a slight temptation to manage earnings. But the risk of the CEO losing their job and getting driven out of the industry if they are caught is enormous when compared to the paltry reward of a few additional bonus dollars. Typically, a credit union CEO bonus can run to about 20-30% ($30-$60K) of one year’s salary for a CEO of a $200 million credit union. The CEOs and CFOs of the multi-conglomerates named earlier were making tens of millions, and in the most egregious cases hundreds of millions, of dollars in personal fortunes as a result of the accounting fraud they perpetrated. The risk/reward evaluation makes it clear why SOX was pointed at the multi-conglomerates, and why it was not pointed at credit unions.
In essence, SOX was prescribed for a specific Wall Street disease. However, while it is unhealthy to take medicine prescribed for someone else’s illness, it’s still important to learn what we can from these failures in corporate governance. In other words, it’s not a good idea to take someone else’s medicine if you aren’t sick, but it is a good idea to follow a healthy diet and exercise. In our opinion, SOX represents an opportunity for credit unions to cherry-pick the good ideas that are useful, and to cull out the irrelevant or overly costly requirements that present little value to them.
SOX Is Voluntary For Credit Unions
After careful consideration, the NCUA concluded that SOX should not be imposed on credit unions. Instead, the NCUA in October 2003 issued Letter No. 03-FCU-07 entitled “Guidance on Selected Provisions of the Sarbanes Oxley Act of 2002 for Federal Credit Unions.” The essential point for Federal Credit Unions (FCUs) to understand is that FCUs are not required to implement any specific provisions of SOX. Rather, Supervisory Committees are encouraged to review selected sections of SOX and make judgements as to which of those sections, if any, may be beneficial for their credit union to voluntarily adopt. Implementing parts of SOX is essentially left to the discretion of the Credit Union’s Board of Directors and Supervisory Committee. We recommend that the Supervisory Committee review the NCUA Letter to familiarize itself with the perspective of the NCUA. Appendix A contains our recommendations for SOX-related controls that we believe make very good sense for credit unions to consider.
The Public Companies Accounting Oversight Board
The second aftershock is the Public Companies Accounting Oversight Board (PCAOB). The PCAOB is a private sector, non-profit corporation, created by SOX to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports. Specifically, the PCAOB is responsible for establishing auditing and related attestation, quality control, ethics and independence standards applicable to audits of public companies. It is responsible for conducting inspections, investigations, and disciplinary proceedings of public accounting firms registered with the PCAOB. Make no mistake about it, the establishment of the PCAOB represents a profound change to the world of accounting and auditing. Again, it’s important to note that the PCAOB does not apply to credit unions or auditors of credit unions. However, like SOX, the PCAOB’s proclamations will be evaluated for their relevance to credit unions. Stay tuned.
On March 9, 2004, the PCAOB issued Auditing Standard No. 2, “An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” This standard, which requires an audit of internal control, says in the simplest terms that investors can have much more confidence in the reliability of corporate financial statements if corporate management demonstrates that it has adequately designed internal controls over the financial reporting system, and executes those controls.
This standard requires company management to assess and report on the company’s internal controls over financial reporting. In effect, management is telling the investor and other interested parties that the company has appropriate internal checks and balances and quality control procedures to assure that the financial statements are free from material error or fraud. Examples of internal controls over financial reporting include: account reconcilements; approval of journal entries; review of large journal entries posted near year-end; review of major transactions; balance sheet and income statement fluctuation analysis; CEO, CFO and others’ quarterly certifications of financial statements; comprehensive written policies addressing lending, investing, and branch operations; and written job descriptions for accounting and financial personnel, among others. It should be emphasized that this listing represents only a handful of the internal controls necessary to ensure the accuracy of the financial reporting process; the purpose of listing them is to give the reader a glimpse of the range of the activities encompassed within the definition of internal control over financial reporting.
Under PCAOB Auditing Standard No. 2, a public company will be required to have two audits performed – the traditional financial statement audit, and a new audit of internal control over financial reporting. The new audit of internal control over financial reporting is a two-step process. First, management is required to report to the Board of Directors its assessment of the effectiveness of the design of the credit union’s internal control system, and its assessment of the operating effectiveness of the internal controls themselves. To begin with, the entire system of internal controls over financial reporting would be documented and most likely flow-charted. Management would then step back and evaluate the effectiveness of the design and determine if there are any gaps in the system of internal controls. The first component of management’s assessment would include a statement by management as to the adequacy of the design of the internal control system based upon management’s evaluation.
The second component of management’s assessment would include management’s evaluation of the operating effectiveness of the actual internal controls. For example, management would test the operating effectiveness of the internal controls identified above as well as any other important internal controls. Those tests would include observation, interviews, walkthroughs, re-performance of the control, re-calculations, and other tests to determine if the internal control is actually operating as designed. Based upon these tests, management would assess the actual operating effectiveness of the internal controls. The completion of both components would result in a written report by management to the Board of Directors and Supervisory Committee on their assessment of the company’s internal controls over financial reporting.
Finally, the company’s independent outside auditor will be asked to issue an opinion not only on the reliability of the financial statements, as has been done traditionally, but also on management’s assessment of internal control, and on the auditor’s own assessment of the effectiveness of internal control over financial reporting.
This new auditing requirement has profound implications for management, who will be required to invest considerable resources to evaluate the effectiveness of the design and operation of the company’s internal control systems. There are also profound implications for the auditor, who will now be required to devote considerable resources to evaluating management’s assessment process, as well as separately evaluating the actual operating effectiveness of the internal controls.
Again, Why Was This Done?
Remember, it was fraudulent financial reporting and, in some cases, simply erroneous financial reporting that wreaked havoc on Wall Street, costing individual investors billions of dollars. Again, the theory behind this new standard is that investors can have more confidence in the reliability of financial statements if management demonstrates that the internal control system is adequately designed and functioning effectively; and in addition, if the auditor opines that management’s assessment process is credible and that the controls, as also tested by the auditor, are functioning effectively.
The reality is that this new standard requires management and the independent auditor to put more skin in the game when it comes to telling the Board of Directors, the Audit Committee, and the investors about the efficacy of the internal control system over financial reporting.
How Will PCAOB Statement No. 2 Impact the Supervisory Committee in the Short Term?
It has always been clear that management is responsible for establishing and maintaining adequate internal controls. It only makes sense that management should periodically report, at least to the Board of Directors and the Supervisory Committee, on their assessment of the efficacy of the internal control system – an annual global state of the internal control system, if you will. It’s just that up to this point, no one has asked management to do this. Since both the Board of Directors and the Supervisory Committee are responsible for overseeing management with regard to the internal control system, it makes a lot of sense that this reporting by management should have always been required. We will begin to see more credit unions requiring management to provide the Board of Directors and the Supervisory Committee with an annual assessment of internal control.
However, credit unions will most likely assess the experience of publicly held corporations before taking the second step of requiring the independent auditor to corroborate management’s assessment by issuing a separate opinion on internal control over financial reporting. Boards and Committees may ultimately require the independent auditor to opine on internal control – but if it does happen, we expect it to evolve over time rather than occur immediately.
Statement of Auditing Standards #99 – Consideration of Fraud in a Financial Statement Audit
As we’ve noted, fraudulent financial reporting was the underlying cause of several of the high profile failures of publicly-held multi-conglomerates. The infamous WorldCom is a prime example of financial reporting fraud. The fraud was blatant and involved a senior level accounting manager who was instructed by her boss to post large fictitious journal entries that, over the course of five quarters, inflated WorldCom’s earnings to $3.7 billion. Enron provides another example. In this case, the fraud was more sophisticated – Enron exploited fuzzy accounting standards and bent not-so-fuzzy standards to their breaking point in order to achieve the level of earnings they desired. Other fraudulent financial reporting schemes involved corporate CFOs who prepared hundreds of thousands of small dollar-value journal entries that were designed to stay below the auditor’s radar. Fraud of the more crude variety included the traditional embezzling of receipts, stealing assets, or causing the entity to pay for goods not received.
The costs of these highly publicized and massive frauds gave impetus to the American Institute of Certified Public Accountants to clarify the role of the independent auditor with respect to fraud. Statement on Auditing Standards #99 (SAS 99) has raised the bar for auditors with respect to their responsibilities for considering fraud when conducting an audit. SAS 99 has implications not only for auditors, but also for management and the Supervisory Committee. Financial statement auditors are now required to perform the following:
Conduct a fraud “brainstorming” session focusing on the identification of possible fraud risks, and how and where the credit union’s financial statements might be susceptible to fraud.
Make inquiries of the CEO and CFO about:
Whether they have knowledge of any fraud or suspected fraud or are aware of allegations related to fraud.
Their understanding of the risks of fraud to the credit union.
The programs and controls the credit union has established to mitigate specific fraud risks for all credit union locations and business units.
Management communications to employees about ethical behavior and acceptable business practices.
Whether management has reported to the Supervisory Committee on how the credit union’s internal control serves to prevent, deter, or detect material misstatements on financial reports due to fraud.
Make inquiries of the Supervisory Committee regarding their views about the risks of fraud and whether the audit committee has knowledge of any fraud or suspected fraud.
Make inquiries of the leader of the internal audit function as to their views on the risks of fraud, whether they have performed any procedures to identify or detect fraud during the year, whether management has satisfactorily responded to any findings resulting from these procedures, and whether the internal auditors have knowledge of any fraud or suspected fraud.
Other procedures as identified in the standard.
Even though SAS 99 was introduced in late 2003, the standard has already had two positive impacts. It has raised the consciousness of credit union management, the Supervisory Committee and the auditor about their responsibilities with respect to fraud. Simply having the auditor and the management team engage in a discussion about how fraud could be perpetrated in the credit union has produced many beneficial insights and resulted in a strengthening of controls. Additionally, a number of credit unions are finding out that their internal control systems, which may have operated effectively twenty years ago, have not kept pace with respect to fraud risk in today’s information technology environment.
As an example of the consciousness-raising experience, one of our partners launched the fraud risk discussion with the credit union management team by asking them “What keeps you awake at night with respect to fraud?” There was silence, until the CEO spoke up and said that if we had asked him the same questions about credit union’s strategy or their financial management or about any operational area, he would have been able to tick off any number of areas of concern. Then he admitted that frankly they had not, as a matter of course, given much formal attention to fraud risk. They really had never talked much about fraud among themselves. The credit union was $400 million in assets, a top financial performer with high quality services and a well-deserved reputation for running a sophisticated operation. Yet this CEO’s response is fairly typical, based upon the SAS 99 fraud risk discussions we have been having with CEOs and their management teams.
To help this management team work a little harder at identifying where the fraud risk might lie in the credit union, our partner recounted a story of an event that occurred at one of our very large clients. Thieves had broken into the credit union and stolen a laptop that contained personal credit card data on approximately 8,000 members. The operation seemed to be so efficiently executed that there was and still is consideration that the thieves may have had internal assistance. They seemed to know where to go and all that was taken was this particular laptop.
Due to recent California privacy legislation, the credit union had to disclose the theft of their personal information to each of the 8,000 members. The consequences of the theft of member data were that the credit union suffered tens of millions of share withdrawals the month the disclosures were made, and the credit union had to hire a security firm to track the credit card usage of the 8,000 members in order to detect if fraudulent transactions were being executed. This tracking service will be maintained for one year and will cost the credit union several hundred thousand dollars. At this point the credit union has suffered significant financial loss, and reputation loss, and still has a contingent liability for misuse of the credit card data. Our partner offered this story to the management team as a means of stimulating their thinking about the range of fraud risk that might exist at their credit union.
The CEO, one short moment after the story was related, said the story really helped frame the question about fraud risk. He then proceeded to recount a concern that was in the back of his mind. He described a situation that exists in every credit union branch. All of the teller terminals are “dumb” terminals with USB ports. He has been concerned that a teller could easily purchase a USB memory device, which is only about half the size of a thumb, plug it into the USB port and download member credit files all day long. The teller could walk out the door with this data at any time.
This is exactly the kind of fraud brainstorming that SAS 99 contemplates management should engage in and discuss with the auditor. Our experience to date tells us that for many credit unions, fraud risk is the elephant in the living room that no one has been talking about. When credit unions are engaging in vigorous introspection with regard to fraud risk, and when the management team, together with input from the auditor and oversight from the Supervisory Committee, is meeting the required standards, then the intent of SAS 99 will have been fulfilled and internal controls over fraud risk will be considerably strengthened. We firmly believe that SAS 99, if implemented conscientiously, can result in a significant reduction of a credit union’s risk of fraud.
The Supervisory Committee’s role with respect to fraud is one of oversight. This can be best accomplished by making it clear to management and the independent auditor that the committee expects full compliance with SAS 99, and that both management and the independent auditor should annually report to the committee the results of their SAS 99 related procedures.
Conclusion
This white paper has addressed each of the three aftershocks created by the discovery of multiple instances of fraudulent financial reporting by some of America’s largest enterprises. We have also detailed in the attached appendix best practices we have gleaned from SOX, PCAOB No. 2 and SAS 99 which we believe are relevant to Credit Union Supervisory Committees.
Should your committee or board have questions on the subjects covered in this white paper, or need assistance in the implementation of any of the best practices, please contact Gene O’Rourke, Managing Director, RSM McGladrey, Inc., 415.715-5857 or gene.orourke@rsmi.com.
Appendix A
Best Practices for Credit Union Supervisory Committees Based Upon the Sarbanes Oxley Act of 2002
1. Require the CEO, CFO, Controller, Chief Lending Officer, Chief Investment Officer, and Chief Operations Officer to certify the accuracy of financial statements and the adequacy of the internal controls over financial reporting, for those areas over which they have responsibility.
2. Establish and maintain a “whistle-blower” channel through which employees can anonymously submit complaints or concerns about accounting, internal control and auditing matters.
3. Establish and maintain a highly ethical tone at the top, through policy, training and example. Ensure that the corporate ethics policy includes a statement that misleading or coercing an auditor is grounds for termination.
4. Affirm the right of the Supervisory Committee to obtain outside professional advisors for any instances in which the committee feels that advice is needed in order for them to competently fulfill their responsibilities.
5. Document the Supervisory Committee charter and key responsibilities.
6. Create a structured professional development program and commit appropriate resources to Supervisory Committee orientation and continuing education.
7. Recruit Supervisory Committee members for expertise and balance, particularly focusing on having at least one member who has financial expertise.
8. Require management to annually report to the Supervisory Committee on the effectiveness of the design and operation of the credit union’s internal control system.
9. Oversee management’s risk assessment responsibilities.
10. Oversee management’s and the independent auditor’s compliance with SAS 99 requirements.
11. Perform an evaluation of the effectiveness of the Supervisory Committee.
12. Play an active role in setting the Supervisory Committee agendas.
RSM McGladrey Copyright 2004, RSM McGladrey, Inc. All rights reserved. No part of this intellectual property may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopies, recorded, or otherwise, without the prior written permission of RSM McGladrey, Inc. Information herein is based on best available resources. Opinions reflect our judgement at this time and are subject to change, based on conditions in the financial environment.
Used With Permission