This part implements section 202(a)(6)(D) of the Federal Credit Union Act, 12 U.S.C. 1782(a)(6)(D), as added by section 201(a) of the Credit Union Membership Access Act, Pub. L. No. 105-219, 112 Stat. 918 (1998). This part prescribes the responsibilities of the Supervisory Committee to obtain an annual audit of the credit union according to its charter type and asset size, and to conduct a verification of members' accounts.

As used in this part:

(a) [Reserved]

(b) Compensated person refers to any accounting/auditing professional, excluding a credit union employee, who is compensated for performing more than one supervisory committee audit and/or verification of members' accounts per calendar year.

(c) Financial statements refers to a presentation of financial data, including accompanying notes, derived from accounting records of the credit union, and intended to disclose a credit union's economic resources or obligations at a point in time, or the changes therein for a period of time, in conformity with GAAP, as defined herein, or regulatory accounting procedures. Each of the following is considered to be a financial statement: a balance sheet or statement of financial condition; statement of income or statement of operations; statement of undivided earnings; statement of cash flows; statement of changes in members' equity; statement of revenue and expenses; and statement of cash receipts and disbursements.

(d) Financial statement audit (also known as an “opinion audit”) refers to an audit of the financial statements of a credit union performed in accordance with GAAS by an independent person who is licensed by the appropriate State or jurisdiction. The objective of a financial statement audit is to express an opinion as to whether those financial statements of the credit union present fairly, in all material respects, the financial position and the results of its operations and its cash flows in conformity with GAAP, as defined herein, or regulatory accounting practices.

(e) GAAP is an acronym for “generally accepted accounting principles” which refers to the conventions, rules, and procedures which define accepted accounting practice. GAAP includes both broad general guidelines and detailed practices and procedures, provides a standard by which to measure financial statement presentations, and encompasses not only accounting principles and practices but also the methods of applying them.

(f) GAAS is an acronym for “generally accepted auditing standards” which refers to the standards approved and adopted by the American Institute of Certified Public Accountants which apply when an “independent, licensed certified public accountant” audits financial statements. Auditing standards differ from auditing procedures in that “procedures” address acts to be performed, whereas “standards” measure the quality of the performance of those acts and the objectives to be achieved by use of the procedures undertaken. In addition, auditing standards address the auditor's professional qualifications as well as the judgment exercised in performing the audit and in preparing the report of the audit.

(g) Independent means the impartiality necessary for the dependability of the compensated auditor's findings. Independence requires the exercise of fairness toward credit union officials, members, creditors and others who may rely upon the report of a supervisory committee audit report.

(h) Internal control refers to the process, established by the credit union's board of directors, officers and employees, designed to provide reasonable assurance of reliable financial reporting and safeguarding of assets against unauthorized acquisition, use, or disposition. A credit union's internal control structure consists of five components: control environment; risk assessment; control activities; information and communication; and monitoring. Reliable financial reporting refers to preparation of Call Reports (NCUA Forms 5300 and 5310) that meet management's financial reporting objectives. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition refers to prevention or timely detection of transactions involving such unauthorized access, use, or disposition of assets which could result in a loss that is material to the financial statements.

(i) Reportable conditions refers to a matter coming to the attention of the independent, compensated auditor which, in his or her judgment, represents a significant deficiency in the design or operation of the internal control structure of the credit union, which could adversely affect its ability to record, process, summarize, and report financial data consistent with the representations of management in the financial statements.

(j) [Reserved]

(k) State-licensed person refers to a certified public accountant or public accountant who is licensed by the State or jurisdiction where the credit union is principally located to perform accounting or auditing services for that credit union.

(l) Supervisory committee refers to a supervisory committee as defined in Section 111(b) of the Federal Credit Union Act, 12 U.S.C. 1761(b). For some federally-insured state chartered credit unions, the “audit committee” designated by state statute or regulation is the equivalent of a supervisory committee.

(m) Supervisory committee audit refers to an engagement under either § 715.5 or § 715.6 of this part.

(n) Working papers refers to the principal record, in any form, of the work performed by the auditor and/or supervisory committee to support its findings and/or conclusions concerning significant matters. Examples include the written record of procedures applied, tests performed, information obtained, and pertinent conclusions reached in the engagement, proprietary audit programs, analyses, memoranda, letters of confirmation and representation, abstracts of credit union documents, reviewer's notes, if retained, and schedules or commentaries prepared or obtained in the course of the engagement.

(a) Basic. The supervisory committee is responsible for ensuring that the board of directors and management of the credit union—

(1) Meet required financial reporting objectives and

(2) Establish practices and procedures sufficient to safeguard members' assets.

(b) Specific. To carry out the responsibilities set forth in paragraph (a) of this section, the supervisory committee must determine whether:

(1) Internal controls are established and effectively maintained to achieve the credit union's financial reporting objectives which must be sufficient to satisfy the requirements of the supervisory committee audit, verification of members' accounts and its additional responsibilities;

(2) The credit union's accounting records and financial reports are promptly prepared and accurately reflect operations and results;

(3) The relevant plans, policies, and control procedures established by the board of directors are properly administered; and

(4) Policies and control procedures are sufficient to safeguard against error, conflict of interest, self-dealing and fraud.

(c) Mandates. In carrying out the responsibilities set forth in paragraphs (a) and (b) of this section, the Supervisory Committee must:

(1) Ensure that the credit union adheres to the measurement and filing requirements for reports filed with the NCUA Board under § 741.6 of this chapter;

(2) Perform or obtain a supervisory committee audit, as prescribed in § 715.4 of this part;

(3) Verify or cause the verification of members' passbooks and accounts against the records of the credit union, as prescribed in § 715.8 of this part;

(4) Act to avoid imposition of sanctions for failure to comply with the requirements of this part, as prescribed in §§ 715.11 and 715.12 of this part.

(a) Annual audit requirement. A federally-insured credit union is required to obtain an annual supervisory committee audit which occurs at least once every calendar year (period of performance) and must cover the period elapsed since the last audit period (period effectively covered).

(b) Financial statement audit option. Any federally-insured credit union, whether Federal or State chartered and regardless of asset size, may choose to fulfill its Supervisory Committee audit responsibility by obtaining an annual audit of its financial statements performed in accordance with GAAS by an independent person who is licensed to do so by the State or jurisdiction in which the credit union is principally located. (A “financial statement audit” is distinct from a “supervisory committee audit,” although a financial statement audit is included among the options for fulfilling the supervisory committee audit requirement in this section. Compare § 715.2(c).)

(c) Other audit options. A federally insured credit union which does not choose to obtain a financial statement audit as permitted by subsection (b) must fulfill its supervisory audit responsibility under either of § 715.5 or § 715.6 of this part, whichever is applicable. See Table 1. For purposes of this part, a credit union's asset size is the amount of total assets reported in the year-end Call Report (NCUA Form 5300) filed for the calendar year-end immediately preceding the period under audit.

(a) Total assets of $500 million or greater. To fulfill its Supervisory Committee audit responsibility, a Federal credit union having total assets of $500 million or greater, except as provided in § 703.106(b)(3) of this chapter, must obtain an annual audit of its financial statements performed in accordance with Generally Accepted Auditing Standards by an independent person who is licensed to do so by the State or jurisdiction in which the credit union is principally located.

(b) Total assets of less than $500 million but more than $10 million. To fulfill its Supervisory Committee audit responsibility, a Federally-chartered credit union having total assets of less than $500 million but more than $10 million which does not choose to obtain an audit under § 715.5(a), must obtain an annual supervisory committee audit as prescribed in § 715.7.

(c) Total assets of $10 million or less. To fulfill its Supervisory Committee audit responsibility, a Federally-chartered credit union having total assets of $10 million or less must obtain an annual Supervisory Committee audit as prescribed in § 715.7.

(d) Other requirements. A federally chartered credit union, regardless of which audit it is required to obtain under this section, must meet other applicable requirements of this part.

(a) Total assets of $500 million or greater. To fulfill its Supervisory Committee audit responsibility, a federally-insured State-chartered credit union having total assets of $500 million or greater must obtain an annual audit of its financial statements performed in accordance with GAAS by an independent person who is licensed to do so by the State or jurisdiction in which the credit union is principally located.

(b) Total assets of less than $500 million. To fulfill its Supervisory Committee audit responsibility, a federally-insured State-chartered credit union having total assets of less than $500 million must obtain either an annual supervisory committee audit as prescribed under either § 715.6(a) or § 715.7, or an audit as prescribed by the State or jurisdiction in which the credit union is principally located, whichever audit is more stringent.

(c) Other requirements. A federally-insured, state-chartered credit union, regardless of which audit it is required to obtain under this section, must meet other applicable requirements of this part except §§ 715.5 and 715.12.

A credit union which is not required to obtain a financial statement audit may fulfill its supervisory committee responsibility by obtaining an Other Supervisory Committee Audit. Such an audit is one that is performed by the supervisory committee, its internal auditor, or any other qualified person (such as a certified public accountant, public accountant, league auditor, credit union auditor consultant, retired financial institutions examiner, etc.) that satisfies the minimum requirements in appendix A of this part. Qualified persons who are not State-licensed cannot provide assurance services under this section.

(a) Verification obligation. The Supervisory Committee shall, at least once every two years, cause the passbooks (including any book, statements of account, or other record approved by the NCUA Board) and accounts of the members to be verified against the records of the treasurer of the credit union.

(b) Methods. Any of the following methods may be used to verify members' passbooks and accounts, as appropriate:

(1) Controlled verification. A controlled verification of 100 percent of members' share and loan accounts;

(2) Statistical method. A sampling method which provides for:

(i) Random selection:

(ii) A sample which is representative of the population from which it was selected;

(iii) An equal chance of selecting each dollar in the population;

(iv) Sufficient accounts in both number and scope on which to base conclusions concerning management's financial reporting objectives; and

(v) Additional procedures to be performed if evidence provided by confirmations alone is not sufficient.

(3) Non-statistical method. When the verification is performed by an Independent person licensed by the State or jurisdiction in which the credit union is principally located, the auditor may choose among the sampling methods set forth in paragraphs (b)(1) and (2) of this section and non-statistical sampling methods consistent with GAAS if such methods provide for:

(i) Sufficient accounts in both number and scope on which to base conclusions concerning management's financial reporting objectives to provide assurance that the General Ledger accounts are fairly stated in relation to the financial statements taken as a whole;

(ii) Additional procedures to be performed by the auditor if evidence provided by confirmations alone is not sufficient; and

(iii) Documentation of the sampling procedures used and of their consistency with GAAS (to be provided to the NCUA Board upon request).

(c) Retention of records. The supervisory committee must retain the records of each verification of members' passbooks and accounts until it completes the next verification of members' passbooks and accounts.

(a) Unrelated to officials. A compensated auditor who performs a Supervisory Committee audit on behalf of a credit union shall not be related by blood or marriage to any management employee, member of either the board of directors, the Supervisory Committee or the credit committee, or loan officer of that credit union.

(b) Engagement letter. The engagement of a compensated auditor to perform all or a portion of the scope of a financial statement audit or supervisory committee audit shall be evidenced by an engagement letter. In all cases, the engagement must be contracted directly with the Supervisory Committee. The engagement letter must be signed by the compensated auditor and acknowledged therein by the Supervisory Committee prior to commencement of the engagement.

(c) Contents of letter. The engagement letter shall:

(1) Specify the terms, conditions, and objectives of the engagement;

(2) Identify the basis of accounting to be used;

(3) If an Other Supervisory Committee Audit, include an appendix setting forth the procedures to be performed;

(4) Specify the rate of, or total, compensation to be paid for the audit;

(5) Provide that the auditor shall, upon completion of the engagement, deliver to the Supervisory Committee a written report of the audit and notice in writing, either within the report or communicated separately, of any internal control reportable conditions and/or irregularities or illegal acts, if any, which come to the auditor's attention during the normal course of the audit (i.e., no notice required if none noted);

(6) Specify a target date of delivery of the written reports, so that such target date will enable the credit union to meet its annual audit requirements in this part;

(7) Certify that NCUA staff and/or the State credit union supervisor, or designated representatives of each, will be provided unconditional access to the complete set of original working papers, either at the offices of the credit union or at a mutually agreed upon location, for purposes of inspection; and

(8) Acknowledge that working papers shall be retained for a minimum of three years from the date of the written audit report.

(d) Complete scope. If the engagement is to perform an Other Supervisory Committee Audit intended to fully meet the requirements of § 715.7, the engagement letter shall certify that the audit will address at least the minimum requirements in appendix A of this part.

(e) Exclusions from scope. If the engagement is to perform an Other Supervisory Committee Audit which will exclude any of the minimum requirements in appendix A of this part, the engagement letter shall:

(1) Identify the excluded items;

(2) State that, because of the exclusion(s), the resulting audit will not, by itself, fulfill the scope of a supervisory committee audit; and

(3) Caution that the supervisory committee will remain responsible for fulfilling the scope of a supervisory committee audit with respect to the excluded items.

(a) Audit report. Upon completion and/or receipt of the written report of a financial statement audit or a supervisory committee audit, the Supervisory Committee must verify that the audit was performed and reported in accordance with the terms of the engagement letter prescribed herein. The Supervisory Committee must submit the report(s) to the board of directors, and provide a summary of the results of the audit to the members of the credit union orally or in writing at the next annual meeting of the credit union. If a member so requests, the Supervisory Committee shall provide the member access to the full audit report. If the NCUA so requests, the Supervisory Committee shall provide NCUA a copy of each of the audit reports it receives or produces.

(b) Working papers. The supervisory committee shall be responsible for preparing and maintaining, or making available, a complete set of original working papers supporting each supervisory committee audit. The supervisory committee shall, upon request, provide NCUA staff unconditional access to such working papers, either at the offices of the credit union or at a mutually agreeable location, for purposes of inspecting such working papers.

(a) Sanctions. Failure of a supervisory committee and/or its independent compensated auditor or other person to comply with the requirements of this section, or the terms of an engagement letter required by this section, is grounds for:

(1) The regional director to reject the supervisory committee audit and provide a reasonable opportunity to correct deficiencies;

(2) The regional director to impose the remedies available in § 715.12, provided any of the conditions specified therein is present; and

(3) The NCUA Board to seek formal administrative sanctions against the supervisory committee and/or its independent, compensated auditor pursuant to section 206(r) of the Federal Credit Union Act, 12 U.S.C. 1786(r).

(b) State Charters. In the case of a federally-insured state chartered credit union, NCUA shall provide the state regulator an opportunity to timely impose a remedy satisfactory to NCUA before exercising it authority under § 741.202 of this chapter to impose a sanction permitted under paragraph (a) of this section.

(a) Audit by alternative licensed person. The NCUA Board may compel a federal credit union to obtain a supervisory committee audit which meets the minimum requirements of § 715.5 or § 715.7, and which is performed by an independent person who is licensed by the State or jurisdiction in which the credit union is principally located, for any fiscal year in which any of the following three conditions is present:

(1) The Supervisory Committee has not obtained an annual financial statement audit or performed a supervisory committee audit; or

(2) The Supervisory Committee has obtained a financial statement audit or performed a supervisory committee audit which does not meet the requirements of part 715 including those in § 715.8.

(3) The credit union has experienced serious and persistent recordkeeping deficiencies as defined in paragraph (c) of this section.

(b) Financial statement audit required. The NCUA Board may compel a federal credit union to obtain a financial statement audit performed in accordance with GAAS by an independent person who is licensed by the State or jurisdiction in which the credit union is principally located (even if such audit is not required by § 715.5), for any fiscal year in which the credit union has experienced serious and persistent recordkeeping deficiencies as defined in paragraph (c) of this section. The objective of a financial statement audit performed under this paragraph is to reconstruct the records of the credit union sufficient to allow an unqualified or, if necessary, a qualified opinion on the credit union's financial statements. An adverse opinion or disclaimer of opinion should be the exception rather than the norm.

(c) “Serious and persistent recordkeeping deficiencies.” A record-keeping deficiency is “serious” if the NCUA Board reasonably believes that the board of directors and management of the credit union have not timely met financial reporting objectives and established practices and procedures sufficient to safeguard members' assets. A serious recordkeeping deficiency is “persistent” when it continues beyond a usual, expected or reasonable period of time.

This appendix presents minimum procedures which a supervisory committee, its internal auditor, or other qualified person must complete when a credit union chooses the Other Supervisory Committee Audit option for completing its annual audit requirements under § 715.7.

This option may not be adequate for all credit unions as it is designed for smaller, less complex credit unions. The supervisory committee, internal auditor, or other qualified person may also need to perform additional procedures to supplement these minimum procedures if the specific circumstances of a particular credit union so dictate. The supervisory committee must apply its judgment in determining the procedures necessary to meet audit requirements in this part. The supervisory committee remains responsible to ensure that a complete set of test procedures is performed. All test procedures will be done using balances and samples for the applicable audit period under review.

Any time the test or confirmation procedures include making a sample or selection, the supervisory committee's report, its internal auditor's report, or other qualified person's report on minimum procedures should describe the method of selection and the number of selected items.

For purposes of this appendix, the following definitions will apply:

• Confirm or confirmation refers to a written verification with a third-party (person or organization) pertaining to an account balance or condition. Examples of confirmation letters are bank/corporate credit union account confirmation, investment account confirmation, borrowing or line of credit confirmation, attorney letter confirmation, and member share/loan account confirmation.

• Materiality refers to a statement, fact or item, which, giving full consideration to the surrounding circumstances as they exist at the time, it is of such a nature that its disclosure, or the method of treating it, would be likely to influence or to make a difference in the judgment and conduct of a reasonable person. Materiality should take into account ending balances as well as the volume of transactions in an account. Typically, balances or transaction volume greater than 5 percent of the credit union's net worth should be considered material for purposes of this appendix.

• Review refers to the examination of Board minutes, policies and procedures, and a review of a sample portion of activities, rather than all of the activities.

• Test refers to procedures applied to the individual items that compose an account balance or class of transactions. The tests involve confirmation, inspection, or observation procedures to provide evidence about the recorded amount.

The supervisory committee, internal auditor, or other qualified person must perform and document the following minimum procedures:

○ Loans

○ Cash on deposit

○ Investments

○ Shares

○ Borrowings

○ Bank reconciliation procedures

○ Cash controls

○ Dormant account controls

○ Wire and ACH transfer controls

○ Loan approval and disbursement procedures

○ Controls over accounts of employees and officials

○ Other real estate owned

○ Foreclosed and repossessed assets