The federal credit union regulator’s inspector general office has a long list of audits and reviews ahead of it in 2019, including “new starts” that seem likely to include material loss reviews of the largest 2018 failures of insured credit unions following heavy losses from involvement in the taxicab medallion market.
Also slated are looks at whether all credit unions should be required to obtain certified public accountant (CPA) audits, whether NCUA adequately assesses credit union real estate portfolios, whether the agency’s exam process adequately assesses the risk of credit union service organizations (CUSOs), and more.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG), in its 2019 annual performance plan, includes four “carryover” audits from 2018. These address NCUA’s information technology (IT) equipment inventory policies, procedures, and practices; shared NCUA-state supervisory agency oversight of federally insured, state-chartered credit unions; the efficiency and effectiveness of NCUA’s processing of consumer complaints; and audits of the agency’s four permanent funds, reports of which are due out in mid-February. (Those funds are the agency’s operating fund, the National Credit Union Share Insurance Fund, the Central Liquidity Facility, and the Community Development Revolving Loan Fund.)
“New starts” in the 2019 list of reviews and audits are numerous. Among the mandatory audits listed are the following:
Material loss reviews. The Federal Credit Union Act requires the OIG to review and report on any credit union material losses exceeding $25 million to the National Credit Union Share Insurance Fund (NCUSIF). In addition, the Dodd-Frank Act requires the OIG to conduct a limited review of all losses to the fund and elevate to a material loss review those that have unusual circumstances regardless of the loss amount. The aim of the reviews is to determine the cause(s) of the credit union failure(s) and the resulting loss to the NCUSIF and assess the NCUA’s supervision of the credit union(s). [NCUA has reported that during the nine-month period ending last Sept. 30, the NCUSIF logged $744.9 million in losses due to six credit union failures. That figure may change over time based on the performance of remaining assets, NCUA has noted. Of the six failed credit unions, the two largest – Melrose Credit Union and LOMTO Federal Credit Union – suffered heavy losses due to their involvement in the failing taxicab medallion market.]
Federal Information Security Modernization Act (FISMA) of 2014. This statute requires federal agency IGs to test the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems, and to assess the effectiveness of the information security policies, procedures, and practices of the agency. NCUA’s OIG also assesses the agency’s privacy program. The plan says the aim of this evaluation is to determine whether NCUA information security and privacy management policies and procedures comply with FISMA 2014 and federal regulations and standards.
Government Charge Card Abuse Prevention Act of 2012. The Government Charge Card Abuse Prevention Act of 2012 requires all agencies to establish and maintain safeguards and internal controls for charge cards. It also establishes reporting and audit requirements to avoid improper payments and protect privacy, among other things. The NCUA IG plan says its review will focus on the NCUA’s purchase and travel card programs to analyze risks of illegal, improper, or erroneous purchases and payments and provide and report recommendations – if warranted – to agency management, the Director of the Office of Management and Budget, and the Congress.
In addition, the plan shows the OIG will again perform an audit of the agency’s closing package schedule as part of the fiscal 2019 federal government’s consolidated financial statement audit; and audits for the four permanent funds.
Several “new starts” for 2019 include a look at aspects of credit union supervision. These are part of the OIG’s “discretionary” list for the coming year. Among these discretionary new starts are:
- whether all credit unions should be required to have a certified public accountant (CPA) audit or other independent agreed-upon procedures conducted annually (the plan notes, among other things, that in “several” material loss reviews, the IG determined “that a lack of an independent audit contributed to credit union failure”);
- whether examiners adequately assess credit union real estate loan portfolios, associated risks, and credit union actions to mitigate any identified risks;
- whether the NCUA’s examination process adequately assesses the risk of credit union service organizations (CUSOs) and credit union management’s due diligence over those organizations;
- whether the NCUA has established internal controls to properly identify, secure, and dispose of personally identifiable information (PII) found within the records of liquidated credit unions;
- whether the NCUA’s quality control review (QCR) process is effective as a quality assurance tool and feedback mechanism for examiners and supervisors, including whether management tracks and implements QCR recommendations;
- whether the Office of National Examinations and Supervision (ONES), which is responsible for supervising corporate credit unions and natural person credit unions with assets greater than $10 billion, provides for adequate oversight of its credit unions’ cybersecurity programs.