The internal audit profession has undergone significant changes over the last three decades. For example, previous internal audit plans of credit unions (CUs) involved extended deep dives and large sample selections. Today, internal audit plans are based on risk and sample selections are based on controls. This change has allowed internal auditors to focus on the big picture and address the biggest risks first – a critical shift that has mitigated challenges presented by chronic understaffing. Furthermore, evolving examiner expectations regarding the regular auditing of corporate governance systems have also influenced internal audit plans. As a result, such corporate governance audits should be considered when auditors and supervisory committees are putting together annual internal audit plans.
According to the Basel Committee on Banking Supervision, corporate governance is a set of relationships between a company’s management, its board, its shareholders and other stakeholders. This set of relationships provides the structure through which a company’s objectives are set and performance is monitored.
Below are examples of ways to audit each level of leadership associated with a corporate governance system to ensure the strength of a CU’s Enterprise Risk Management (ERM) plan.
When conducting an internal audit of CU corporate governance systems, it’s critical to review board functions, approval of policies and oversight of senior management. This can be done through a thorough audit of board meeting minutes, which requires sufficient notes be taken at every meeting. Internal auditors will be looking for discussions in which the board questions or challenges senior management’s updates or proposals. This allows the auditor to discern the board’s level of involvement in the CU’s business operations and the health of the relationship amongst management.
Additionally, internal auditors may also review board packets to keep tabs on the overall loan and deposit operations of the CU. These packets should contain sufficient and accurate information to ensure that internal auditors can verify the accuracy of critical transaction reporting around deposits, delinquencies, liability management and more.
Among the most important aspects of “C” level management to review during a corporate governance audit are cooperation and communication. In order to have an effective ERM plan in place, senior leaders across the entire CU must foster ongoing communication. This communication should include updates on new and existing projects as well as performance reports of each area of the institution. Like the board, these communications should be thoroughly documented via minutes for the internal auditor to review.
While communication amongst management is of high importance, effective corporate governance systems include further “C” level management requirements. For example, leaders are expected to be accountable and transparent in all conversations with board members, maintain a strong roster of leaders and competent staff, and clearly define roles and responsibilities at every level of leadership.
To help internal auditors in their review of financial transactions across the organization, “C” level leaders should consistently maintain and update all financial records related to their business focus within the institution.
As one might expect, the examiners have been looking at corporate governance more closely in recent years as well. We have seen report comments relating to this area, such as recommending more board oversight and enhanced committee meeting minutes (ALCO, Enterprise Risk Management, Compliance Management, etc.).
The steps in the “Management Review” section of the NCUA AIRES checklist contain some relevant questions, which may be advantageous to add to your audit programs.
Credit unions are truly only as good and competent as those running the show. Regular internal audits of corporate governance are a great way to maintain organizational accountability, discern the effectiveness of management and avoid major enterprise risks.
Samuel Capuano, principal at The Bonadio Group, is responsible for providing internal audit and compliance services to financial institution clients. He has been a internal auditor for 30 years. Sam is also a freelance writer, whose work has been published in several newspapers. Any spare time apart from that is spent with his two kids.
Disclaimer: The summary information presented in this article should not be considered legal advice or counsel and does not create an attorney-client relationship between the author and the reader. If the reader of this has legal questions, it is recommended they consult with their attorney.