Supervisory committees choose audit firms, but have authority to do much more.
Credit unions have three power centers: management, the board and the supervisory committee. On paper, supervisory committees have vast power. By unanimous vote they can dismiss any board member, executive officer or credit committee member. They can hear directly from disgruntled members and deal directly with the National Credit Union Administration, bypassing management and the board. While usually they exercise their powers inconspicuously and cooperatively—primarily ensuring that the CU is properly audited—the time may be coming when supervisory committees will grow into their larger potential.
Members of CU supervisory committees are recruited and appointed by boards to terms set by the boards—typically one to three years unpaid. While management, board and supervisory committee generally work together cooperatively, their separate fiduciary duties and sometimes their personalities can lead to conflict, says attorney Andrew Keeney, a partner in the Kaufman & Canoles PC law firm, Norfolk, Va.
In one CU, a supervisory committee member with an agenda was disruptive—and not reappointed when his term was up. In another, both NCUA examiners and supervisory committee members were alarmed by the behavior of the board.
“The supervisory committee was prepared to come in, change the locks, dismiss the board and take over the credit union,” Keeney recalls.
|A New Charge for Supervisory Committees: Driving ERM?
Knowing the significant risks credit unions face today—from economic shifts to fraud to changing regulations—a key question credit unions have been asking themselves lately is: “Who owns the overarching risk identification and mitigation effort at a credit union?” according to Michael Daigneault, principal/founder of Quantum Governance L3C, Vienna, Va., a CUES strategic provider.
Daigneault suggests that the right answer might be the supervisory committee, as “risk management” is the spirit of the supervisory committee’s charge: overseeing the safety and soundness of a credit union.
“Supervisory committee should keep audit as a main focus,” he says. “But CUs have gotten a lot more complex. Risks today are more complex than just ‘manage the funds.’ The risks come from a variety of areas, all of which might have an impact on the money, but come from wider scope kinds of issues, such as technology strategy, regulations. Who is it that should look at that bouillabaisse of risks that are coming at them and help to make sense of them for the board? The ideal body to do that is the supervisory committee.”
While management is often deeply involved in risk management, Daigneault says, it may get mired in siloed details. While the board drives policy and oversees what management is doing to identify and mitigate risks, Daigneault’s clients say this didn’t necessarily mean the board was owning risk management. And risk management needs an owner, he contends.
“I’m not suggesting that the supervisory committee formulate the final enterprise risk management policy, but should be a force in insuring its existence and effectiveness,” he explains. Supervisory committee members today drive the idea that boards need good asset/liability management and conflict of interest policies. In the future, the supervisory committee could be “a facilitator and an active voice in fostering the notion that a comprehensive, well-thought-out enterprise risk management policy needs to be created and implemented. Instead of just overseeing audit, in the future the supervisory committee could oversee the broader scope of risk management, of which audit is one component.”
Daigneault is a CUES strategic partner.
Learn more about the enterprise risk management offering of CUES Supplier member and strategic provider Cornerstone Advisors Inc., Scottsdale, Ariz.
Further investigation proved their concerns were justified, but only about the chairman, who had clear conflicts of interest, and was forced to resign. Supervisory committee decisions must be unanimous, he notes.
Supervisory committee members, like board members, have the liability that goes hand in hand with their responsibility, and they must be indemnified and covered under the same directors and officers’ liability policies as board members, he adds.
“The supervisory committee is a watchdog,” Keeney says. “They watch over management and the board.”
How to Hire Auditors
In the old days, committee members actually completed the required annual audit themselves, Keeney says. They did cash counts and account verification in branches. But as CUs grew in size and complexity and regulatory standards were raised, audits passed from volunteers to professionals at all but the smallest CUs. Now a primary job of the supervisory committee is to select a firm to perform the audits.
Experience with CUs is at least as important as price in choosing an audit firm, according to Gerald S. Dunning, CIA, CISA, CFE, a 23-year supervisory committee veteran.
“You have to look at cost, but you have to look beyond it,” says Dunning, who currently serves as chairman of the three-person supervisory committee of $1.2 billion Caltech Employees Federal Credit Union in La Canada, Calif., where he previously worked as an internal auditor for 15 years. “CUs are a specialized industry, and you want a firm that knows CUs. Otherwise, you’ll be their guinea pig.”
Price can be somewhat negotiable. “Auditors all have their busy seasons, and you may be able to get a discount by timing your financial reporting to hit their off seasons,” says Dunning, who’s also a member of the five-person supervisory committee of $1.1 billion Partners Federal Credit Union, the Disney employees CU headquartered in Burbank, Calif.; chairman of the board of the National Association of Credit Union Supervisory Committee and Audit Committee Members, Del Mar, Calif.; and—by day—senior internal auditor for the Orange County Transportation Authority in Orange, Calif.
“Always check references, he adds. “A management reference is OK, but references from supervisory committee members are better.”
When initiating a search for an audit firm, “don’t blindside your current auditor,” Dunning advises. “Let them know what you’re planning and include them in the RFP unless you’re dissatisfied with them for some reason. They may turn out to be your best choice.”
Identifying appropriate audit firms for an RFP doesn’t have to be a complicated or frequent process, suggests Ronald Parker, CPA, a consultant based in Tucson, Ariz., and a member of $403 million Pima Federal Credit Union’s supervisory committee, Tucson.
“Most audit firms specialize in industries, and there aren’t that many that specialize in credit unions. In any given market, the number is probably less than ten.” That’s enough to provide a competitive selection, but not enough to justify an extensive search, Parker says. Firms that provide services to just one or two credit unions may not have a full enough understanding of risk areas and regulatory compliance. It’s also useful to find a firm that has experience auditing CUs that use the same systems as your CU, he points out.
CUs should go through an external auditor search every three to five years “to test the waters and review your options,” Dunning recommends. Many CU boards think it’s a good idea to get a fresh set of eyes on their financials, even if it just means rotating the senior partner in charge of the audit, he notes.
Some CUs get comfortable with their external auditor and routinely renew the engagement as long as they are satisfied, notes Harold Antao, manager of risk advisory services at McGladrey LLP, Chicago, and some switch firms every three years by policy, often returning to their old firm three years later.
Parker is skeptical of changing auditors routinely. “If you find a good fit, stick with it,” he advises. “Sometimes a regulator may suggest a change of auditors, but there is no such requirement. Why not keep the same audit firm if they’re doing quality work at a fair price? The quality of an audit goes up, not down, with time and experience.”
For CU supervisory committees looking nationally or regionally for experienced CU audit firms, Dunning recommends the “Credit Union CPA Market Share Guide” offered by Callahan & Associates, Washington, D.C. “You have to pay for it, but it can be well worth it. It’s a quick way to see the whole market and who the appropriate players would be for your CU.”
Internal Audit, Too
A CU’s supervisory committee also hires the internal auditor, Dunning says. The internal audit function can be a staff position or contracted out. According to the Standards for the Professional Practice of Internal Auditing, the best practice is to have the internal auditor report directly to the supervisory committee and have a “dotted line” reporting relationship—for day-to-day, administrative purposes—to the CEO. If the internal audit function is contracted out, it is best practice to not use the same audit firm that performs the annual financial audit for the credit union.
The supervisory committee is also responsible for reviewing the NCUA or state audit, Dunning notes, and any other outside audits or reviews that report on CU operations. Supervisory committees share responsibility with management and the board for third-party vendor due diligence and usually focus on vendors that impact safety and soundness, Keeney says. This would mean the CU’s choice of a core processor more than its landscaping contractor, for example.
While dealing with audits is probably the supervisory committee’s most conspicuous duty, it’s not necessarily the most sensitive one, Keeney points out. If a member feels his or her rights were violated or that an ethical violation occurred and complains to NCUA or the Consumer Financial Protection Bureau, the agency contacts the supervisory committee—not management or the board—and asks the committee to investigate and report back.
Keeney notes that if a credit union is $10 billion or greater in assets, CFPB handles any complaints. If a credit union is smaller than $10 billion (and all are except a few), CFPB refers any consumer complaint it receives to NCUA, and NCUA then sends it to the supervisory committee.
While supervisory committees tend to keep low profiles, they’re certainly visible. “Most CUs have a link on their website to the supervisory committee, with instructions on how to contact them,” Keeney reports. Most correspondence still comes as traditional mail to a post office box that only the supervisory committee can access, but email traffic to a separate email address is starting to build, he adds.
“There has to be privacy protection so members know that what they write won’t be seen by the staff or the board,” he points out. Complaints are rarely received in person or over the phone, he adds. “Committee members are numbers people who know the value of an audit trail. They want everything documented.”
Knowledgeable Volunteers, Plus
Supervisory committees can ensure the knowledge of their members with training. And they can also expand their knowledge reach by appropriately leveraging outside expertise.
In September, NCUA released a series of training videos for supervisory committee members. CUs also might send new members to schools like CUES’ Supervisory Committee Development Seminar, next slated for July in Nashville, Tenn., which Parker has led in the past.
Some supervisory committee members bring professional expertise to the table. For example, over his 35-year career, Dunning has qualified as a Certified Internal Auditor, a Certified Information Systems Auditor and a Certified Fraud Examiner. And Parker is a Certified Public Accountant.
“Most committee members are not auditing, accounting or finance professionals,” Parker says. “But, as committee members, we have to be able to hire and supervise professionals. We look to management for advice, but it’s a balancing act.”
Parker is one of seven on the Pima FCU supervisory committee. The statutory limit is five, so he is technically a non-voting advisor who meets with the committee and participates in discussions.
“Committees can and should recruit advisors in areas where the committee may lack specific expertise,” he points out. “It is extremely important to evaluate the effectiveness of your committee regularly and add members and advisors in areas that may need to be improved.”
It’s important for supervisory committees to have a great exchange with the CU’s board of directors. Pima FCU’s supervisory committee sends a representative to board meetings and welcomes a liaison board member to its committee meetings, Parker reports. “It’s good to get feedback from the board as we consider our actions,” he says.
Supervisory committees are required to meet at least quarterly, but usually meet as needed. The two CU supervisory committees on which Dunning serves have met monthly in the past and now meet bi-monthly. The Caltech EFCU meetings are face to face. Partners FCU supervisory committee meetings are usually conference calls.
Does having a board member on the supervisory committee make the committee a less effective watchdog? Some might say yes, since it theoretically lessens the independence of the two groups. Some might say no since a liaison member can improve communication and make the supervisory committee a more informed watchdog. In the end, the final decision about what to do will depend on the personalities and the particular situation of the CU in question.
Randy Boysun, managing shareholder of Douglas Wilson & Co., Great Falls, Mont., provides auditing services for Montana credit unions. On his own time he volunteers as chairman of a supervisory committee at a CU that his firm does not audit: $195 million Montana Federal Credit Union in Great Falls. He’s been a board member of that CU since 1983, so it was a simple matter of the board persuading its CPA member to add the supervisory committee duties to his board duties. No heavy lifting has been required so far; the engagement of the current audit firm has been routinely extended each year, he reports.
Boysun explains why someone would serve on a supervisory committee. “I’ve been attracted to credit unions and their mission since I was a kid,” he reports. “It helps me personally and professionally to
Richard H. Gamble is a freelance writer based in Colorado.