COMMON AUDIT FINDINGS AND HOW TO AVOID THEM Presented by: Jennifer N Hoskins, CPA, MPA, CICA Partner


Post on 01-Jul-2018



Objectives

• Review the most common audit findings found during the annual audit

• Determine the causes of these findings

• Learn ways to avoid them in future audits

Supervisory Override Reports

• Reports that detail transactions that were permitted after obtaining a supervisory override. These types of transactions are usually “blocked” in the computer system; the system will not allow the transaction to occur until a Supervisor “keys” in a code or physically turns a key at a terminal. Supervisory override controls are established due to the sensitive nature of the transaction and the need to verify that the transaction should take place. Some examples where supervisory overrides may be required include any type of access to dormant accounts; employee access to their own account, an immediate family member’s account, or another employee’s account; putting a no-mail code on a member account; and some file maintenance changes such as loan due dates or interest rate changes.

Common Findings

• No review of supervisory override reports

• Review of supervisory override report by an employee with override capability

• Incorrect set up of overrides

File Maintenance Reports

Reports that detail changes to selected fields of credit union information reflecting a “before” and “after” change to information. Examples of the types of information changes that would appear on the file maintenance reports include but are not limited to the following changes: name, interest rates, address, phone number, frequency of loan payments, loan due date changes, additional individuals added to selected accounts, etc.

Common Findings

• No review of file maintenance reports

• Review of file maintenance report by an employee with override capability

• Lack of useful file maintenance reports

Dormant Accounts

A share or share equivalent account in which there has been no member-generated activity for a specified period of time. Because these accounts are inactive, they are usually the target for fraudulent activity.

Common Findings

• No review of the dormant account report

• No review of accounts which fell off the dormant account report

• The employee performing the review of the dormant report can perform transactions on dormant accounts

• No override required for deposits and withdrawals made on dormant accounts

• Dormant accounts not being escheated to the state timely

No-Mail Accounts

An account for which the member has requested that the statement not be mailed to them, or for which the statement was returned to the Credit Union due to a bad address.

Common Findings

• No written policy

• Member is not required to sign a form authorizing the statement not to be mailed

• No override required to code an account as no mail

• No review of a report of no-mail accounts

• The employee reviewing the no-mail report has the ability to flag an account as no-mail

Annual Disclosure Statement

A Disclosure Statement is an updated list of accounts related to the officials and employees of the credit union. The Disclosure Statement should cover issues such as related accounts at the credit union, loans on which the credit union employee is a co-signer, vendor relationships, etc. The Disclosure Statement should be filled out at date of hire and signed and witnessed annually thereafter. In addition, the officials and employees must inform the credit union of any subsequent changes during the year. This procedure is critical because relationships at the credit union change constantly, and updated information must be included as part of the monitoring process.

Sample Disclosure Statement

Common Findings

• No requirement to have employees fill out an annual disclosure statement

• Disclosure statements not being updated annually

• Disclosure statements not being filled out by new employees or volunteers

Employee and Official Account Statements

Common Findings

• No periodic review of share statements

• No periodic review of personal credit card statements

• The review of the statements is not independent and no compensating control is in place

SSAE 16 Reports

SSAE 16 (formerly SAS 70) audits provide this assurance by examining, documenting, and testing (as needed), an array of internal controls within third-party service organizations. As of June 15, 2011, SAS 70 was replaced by a new standard, SSAE 16, which is also known as a SOC 1 (Service Organization Control report).

Types of SSAE 16 (SOC 1) Reports

Common Findings

• No documented review of the SSAE 16 reports

• Not obtaining SSAE 16 reports for all systems

Sample “Client Control Considerations”

Reconciliations

Common Findings

• Reconciliations not prepared

• Reconciliations not prepared timely

• The preparer is not signing off and dating the reconciliation

• The reviewer is not signing off and dating the reconciliation

• No review of reconciliations

• Old outstanding items on reconciliation

• Unknown items on reconciliation

Troubled Debt Restructurings (TDRs)

Common TDR Finding #1

Not properly classifying a loan as a TDR

TDR Evaluation Decision Tree

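• Is debtor experiencing financial difficulties ASC 310-40-15-20?

– No: The modification/restructuring is not within the scope of ASC 310-40. Therefore, creditor should apply the guidance under ASC 310-20.

– Yes: Has creditor granted a concession ASC 310-40-15 and ASC 310-40-15-13 through 15-19?

• If Yes to both: The modification is within the scope of ASC 310-40 (Troubled debt restructurings by creditors).

• If Yes to the first and No to the second: The modification/restructuring is not within the scope of ASC 310-40. Therefore, creditor should apply the guidance under ASC 310-20.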

Concessions

• Transfer of assets to satisfy debt (including foreclosure/repossession)

• Issuance of an equity interest to satisfy debt, unless previously agreed on

• Modification of terms of a debt

• Substitution or addition of debtor(s) when the substitute or additional debtor(s) are under control of original debtor

Modification of Terms

• Reduction of interest rate (permanent or temporary)

• Extension of the maturity date

• Reduction of the loan amount and/or accrued interest

Common TDR Finding #2

Allowance for TDR loan not computed in accordance with GAAP

Two parts to TDR allowance

• Present Value effect measured with effective interest rate (original loan’s interest rate)

• Default Risk measured using management’s best estimate

Present Value Example

Default Risk

• Additional risk that the member will default on the loan again

• Management must determine if there is any risk the member may default on the new terms of the loan

– Then must quantify the risk

Thank You!

Jennifer Hoskins, CPA, MPA, CICA

Partner

Nearman, Maynard, Vallez, CPAs


(305) 598-1730 Ext 226