CUSO examinations by the NCUA and state supervisory agencies tend to be rarer than credit union examinations. When the NCUA examines a CUSO, these reviews are usually for the purpose of determining the level of risk to federally insured credit unions investing in, loaning to, or obtaining services from the CUSO. Examiners tend to focus on the overall soundness of the CUSO's business strategy, internal control structure, and services delivered in compliance with information security standards, other compliance requirements, and NCUA Rules and Regulations Part 712.
These reviews can be stressful for both employees and stakeholders in the CUSO, but also for the examiners themselves. Examiners are used to reviewing credit union compliance in operations and financials, and many examiners have limited experience in reviewing private businesses that may or may not be subject to the same requirements as a financial institution. While there is no easy solution to the occasional disconnect in communication between a CUSO and the NCUA, there are many steps a CUSO can take to reduce both employer and examiner anxiety, as well as minimize disruption of the business.
Examination plan and protocol
The first is to have an Examination Plan and Protocol. The purpose of having a protocol is to streamline the process, ensure that all appropriate individuals are involved from the outset of the audit or review, reduce the overall time associated with the process, and ensure that any audit findings are based on correct information. Examiners are asked to send written or electronic requests for information and evidence to one or more CUSO representatives designated for this task, and to schedule interviews with staff rather than relying on in-person drive-bys or unscheduled phone calls.
The trade-off is that the CUSO must promise to fulfill most requests within 24 business hours. The designated representative(s) of the CUSO need to be informed as soon as possible of any known changes in audit timelines, deadlines or changes in scope, external audit team personnel, contact information, or other pertinent or important information. If a request for information is considered informal, the examiner may contact the designated representative, but the request must be followed up in writing. The designated representative will inform the external auditors if the audit requests cannot be reasonably accommodated in the requested time and provide an estimated deliverable date.
The designated representative of the CUSO must advise the examiners in writing if information requests made during the on‐site portion of the exam may take more than one day to provide. All employees need to agree that the requests made by the designated representative have high priority and every reasonable effort must be made to provide information in an efficient manner to external auditors. The designated representative and any appropriate personnel should accompany examiners on all interviews with staff or walk-through visits of any facility. The designated representative should take notes and request follow-up meetings for clarification. If any examiner experiences a delay, lack of responsiveness, or an item of concern from CUSO personnel, the examiner needs to inform the designated representative of the issue immediately. The designated representative must make every reasonable effort to assist in the resolution of the problem.
Expectations on findings also need to be addressed. Examiners need to provide written documentation of potential findings to the designated representative. A mutually agreed-upon response time shall be discussed during the exit interview or subsequent communication between the examiners and the CUSO. Remediation of findings, if any, is for executive management and potentially the board of directors to discuss.
Indexing evidence
Another valuable tip is to develop an indexing system for evidence to be provided to the examination team. The NCUA and state supervisory examiners tend to make requests that can be grouped under general headings. An example of such groupings is below:
GENERAL SUBJECT MATTER REQUESTS | |
Plans | CUSO Strategic and Business Continuity Plans |
Policies, Procedures, and Methodologies | Used to determine if the CUSO has proper policies and if these policies are followed |
Contracts, Agreements, Legal Documents | Used to document the legal relationships of the CUSO |
General Ledger, Tax Compliance, CPA Audits | Used to determine the CUSO’s financial condition |
IS&T REQUESTS | |
Board and Management Oversight | All IT plans and governance |
Vendor Management | Review of the vendor management program |
Because examiners may ask for dozens or even hundreds of documents and other evidence, developing a naming convention and index can help reduce confusion about what requests have been fulfilled and what information is still outstanding.
An example of an evidence index is below. In this case, assume the examiners have asked for evidence of the CUSO’s Disaster Recovery Plan, proof that the plan was tested during the fiscal year, and a copy of the latest Strategic Business Plan. In this case, the CUSO may wish to put an index of “PL” to indicate these documents are part of the “Plans” subject matter requests.
Plans
Disaster recovery plan | |
INDEX | DESCRIPTION |
PL-1a | CUSO Disaster Recovery Plan |
PL-1b | Evidence of the test of the CUSO Disaster Recovery Plan during the Fiscal Year |
Strategic business plan | |
INDEX | DESCRIPTION |
PL-2 | CUSO Strategic Business Plan as Approved by the Board of Directors |
There is no “correct” or standard way to index examiner requests. As long as the index helps the CUSO stay organized during the examination, the format used can be considered a success. Providing a copy of the index to the examiners and keeping the index updated during the examination process is a critical part of the process, especially as the examiners ask for new information during the on-site portion of the audit.
Subject matter experts
Another way to stay organized is to establish a list of Subject Matter Experts. Subject Matter Experts are not necessarily the same staff that will be tasked with providing the information. Rather, these are the individuals who can answer questions either as provided in writing or during interviews. An example of a Subject Matter Expert list is below:
SUBJECT MATTER | NAME | TITLE | EXT | EMAIL |
Plans – Strategic Business | Chris Seeo | CEO | 100 | c.seeo@cuso.com |
Plans – Disaster Recovery | Robin Tecch | Network Engineer | 134 | r.tecch@cuso.com |
Financial Condition | Pat Number | Sr. Accountant | 121 | p.number@cuso.com |
In some cases, the CUSO may find it valuable to have backup personnel on the index as well in case the primary Subject Matter Expert is unavailable during the examination. This list is not for the examiners but is rather an internal list that allows the CUSO to quickly respond during what may at times be an intense period during the on-site portion of the examination.
Conducting interviews
Prior to the exam, Subject Matter Experts and other individuals that are likely to be interviewed should be educated on how to provide interviews. Going through an audit or regulatory exam interview can be a stressful experience. An examiner is given wide latitude with few restrictions on the types of questions that may be asked or the manner in which the questions may be asked. To help reduce stress and improve interview effectiveness, staff should be given some education on how to respond.
A valuable tip is to reassure employees that if an examiner challenges the compliance of a person or department, CUSO management will work with the employee to help remedy whatever issues came up, if executive management agrees with the examiner that there is, in fact, a problem. Examinations should be part of a continuous improvement process, and the CUSO’s reputation depends on the CUSO’s ability to honestly evaluate compliance and security protocols and revise them if necessary.
The CUSO should stress that employees are to be polite, sincere, and courteous at all times. A vigorous examination may occasionally seem like a personal attack, but it is the CUSO’s adherence to good practices that the auditor is interested in, not the person. Employees should be instructed to avoid being defensive and should be reminded to answer examiner questions as truthfully as possible within their realm of understanding. In addition, employees need to understand the questions being asked. Employees should never answer a question they do not understand.
Employees should request clarification from the examiner at any time, and never answer a question outside the scope of the employee’s expertise. The primary goal during an interview is to ensure any findings made during the interview are based on true and accurate information; if findings are based on inaccurate facts, they will be of no value. Argumentative or evasive confrontations with examiners will not achieve this goal. Employees should be coached that the responsibility for adhering to or challenging the findings of any examiner lies with the Executive Management of the CUSO.
Preparation is key
There is no such thing as a worry-free examination. All examinations create stress and disruptions to the business. By following these tips, the CUSO can remain organized and focused during the most challenging times of the process. Examinations are an opportunity for the CUSO to demonstrate resiliency under difficult circumstances, and having an Examination Plan and Protocol greatly enhances the chances that the examination will be a valuable experience rather than merely a painful one.
chip+filson#1
This is a super article and should be sent gratis to every CUSO out there. Based on good experience as well.
You should consult with cu’s to help them through the process!