National Credit Union Administration (NCUA).
Advance notice of proposed rulemaking.
The National Credit Union Administration (NCUA) requests public comment on whether and how to modify its Supervisory Committee audit rules to require credit unions to obtain an “attestation on internal controls” in connection with their annual audits; to identify and impose assessment and attestation standards for such engagements; to impose minimum qualifications for Supervisory Committee members; and to identify and impose a standard for the independence required of State-licensed, compensated auditors.
Comments must be received on or before April 24, 2006.
You may submit comments by any one of the following methods (Please send comments by one method only):
- Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
- NCUA Web Site: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/proposed_regs.html. Follow the instructions for submitting comments.
- E-mail: Address to firstname.lastname@example.org. Include “[Your name] Comments on Part 715 ANPR, Supervisory Committee Audits” in the e-mail subject line.
- Fax: (703) 518-6319. Use the subject line described above for e-mail.
- Mail: Address to Mary Rupp, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
- Hand Delivery/Courier: Same as mail address.
FOR FURTHER INFORMATION CONTACT:
Karen Kelbly, Chief Accountant, Office of Examination and Insurance, telephone: (703) 518-6389; Steven W. Widerman, Trial Attorney, Office of General Counsel, telephone: (703) 518-6557.
A. Existing Part 715
In 1998, the Credit Union Membership Access Act (“CUMAA”), Public Law 105-219, 112 Stat. 913 (1998), amended the Federal Credit Union Act to require credit unions having assets of $10 million or more to follow generally accepted accounting principles (“GAAP”) in all reports and statements filed with the NCUA Board. 12 U.S.C. 1782(a)(6)(C). CUMAA further required credit unions having assets of $500 million or more to obtain an annual independent audit of its financial statements (“financial statement audit”) performed in accordance with generally accepted auditing standards (“GAAS”) by an independent certified public accountant or public accountant licensed by the appropriate State or jurisdiction. 12 U.S.C. 1782(a)(6)(D).
Beyond the requirement to adhere to GAAP, the CUMAA amendments imposed no minimum audit requirements on federally-chartered credit unions having less than $500 million in assets. See 64 FR 41029 (July 29, 1999). And in contrast to other federally-insured financial institutions, 12 U.S.C. 1831m(c), CUMAA did not require credit unions to obtain, in connection with their annual audits, an “attestation on internal controls” by the credit union's independent accountant (hereinafter referred to as “external auditor”).
In 1999, NCUA comprehensively overhauled its Supervisory Committee audit rules to conform to the CUMAA amendments. 64 FR 41029. Amended part 715 follows CUMAA in requiring credit unions having assets of $500 million or more to annually obtain a financial statement audit. 12 CFR 715.5. However, part 715 gives those having less than $500 million in assets a choice among several audit options: (1) A financial statement audit; (2) a “balance sheet audit”; (3) a “report on examination of internal controls over Call Reporting”; and (4) an audit as prescribed by NCUA's Supervisory Committee Guide. 12 CFR 715.7. None of these audit options requires an additional “attestation on internal controls” of the scope prescribed for other federally-insured financial institutions.
B. Request for Comments
Through this Advance Notice of Proposed Rulemaking, the NCUA Board seeks public comment in the form of answers to questions on four discrete issues: (A) Whether to require credit unions to obtain an “attestation on internal controls” in connection with their annual audits (questions 1 through 7 below); (B) What standards should govern the assessment and attestation components of such an engagement (questions 8 and 9 below); (C) What qualifications should be required as prerequisites to serve on a Supervisory Committee (questions 10 through 13 below); and (D) What standard should dictate the degree of independence required of state-licensed, compensated auditors (question 14 below). The NCUA Board also seeks input on several miscellaneous issues involving audit options for credit unions having less than $500 million in assets, requirements for delivery and regulatory access to audit reports, and the terms and conditions in engagement letters, including limitations on auditor liability (questions 15 through 22 below).
To facilitate consideration of the public's views, please address your comments to the questions set forth in section II. below for each subject. To maximize the value of your comments, it is essential to explain the reasons that support your conclusions. In addition, it is important to organize and identify your comments by corresponding question number and subject so that each question is addressed separately. You will have a further opportunity to comment comprehensively on the issues raised by these questions if the NCUA Board issues a proposed rule for public consideration.
II. Issues for Comment
A. Internal Control Assessment and Attestation
An “attestation on internal controls” has two principal components. First, management must report its assessments of the effectiveness of the internal control structure and procedures established and maintained by the credit union. Then, its external auditor must examine, attest to, and report separately on management's written assertions (i.e., derived from its assessments) on the effectiveness of the internal control structure and procedures. The scope of an “attestation on internal controls” may be limited only to the effectiveness of internal controls over financial statements prepared for regulatory purposes, such as Call Reports. An example of this is the “report on examination of internal controls over Call Reporting,” an audit option currently available to some credit unions. 12 CFR 715.7(b). Or the scope of an “internal control attestation” engagement may extend to the effectiveness of internal controls over all financial reporting, i.e., financial statements prepared in accordance with GAAP and required regulatory reports.
The Sarbanes-Oxley Act, Public Law 107-204, 116 Stat. 745, 789 (2002), enacted in 2002, requires all public companies, in connection with an annual financial statement audit, to obtain an “attestation on internal controls” over financial reporting. 15 U.S.C. 7262. This requirement is similar to that which the Federal Deposit Insurance Corporation Improvements Act (“FDICIA”) has imposed on federally-insured financial institutions, other than credit unions, since 1991. 12 U.S.C. 1831m(c).
In 2003, the U.S. General Accounting Office (now the U.S. General Accountability Office) (“GAO”) suggested that “NCUA might gain an evaluation of an institution's internal controls, comparable to other depository institution regulators, if credit unions were required, like banks and thrifts, to provide management evaluations of internal controls and their auditor's assessments of such evaluations.” GAO, Credit Unions: Financial Condition Has Improved, But Opportunities Exist to Enhance Oversight and Share Insurance Management (GAO-04-91) (“GAO Report”) at 81. GAO further recommended “making credit unions with assets of $500 million or more subject to the FDICIA requirement that management and external auditors report on the internal control structure and procedures for financial reporting * * *.” Id. at 83-84. GAO reiterated this recommendation in 2005. GAO, Issues Regarding the Tax-Exempt Status of Credit Unions (GAO-06-220T) at 4. However, since GAO made its recommendation, the Federal Deposit Insurance Corporation (“FDIC”) has increased from $500 million to $1 billion the minimum asset size of the institutions required by FDICIA to obtain an “attestation on internal controls” over all financial reporting. 12 CFR 363.3(b); 70 FR 71226 (Nov. 28, 2005).
NCUA concurred with GAO's recommendation to consider adopting a FDICIA-like attestation requirement, noting that it already provided guidance strongly encouraging large credit unions to voluntarily provide reporting on internal controls. GAO Report at 84; see enclosure to NCUA, Letter to Credit Unions No. 03-FCU-7 (Oct. 2003). GAO left the matter of ensuring parity in internal control reporting among all federally-insured financial institutions for Congressional consideration. However, NCUA believes that legislation is not necessary because the agency has the authority, which GAO acknowledged, to implement regulations requiring credit unions to provide these reports should it become necessary. Id. at 84-85. To determine the extent to which such reports are necessary, the NCUA Board invites public comments in response to the following questions:
1. Should part 715 require, in addition to a financial statement audit, an “attestation on internal controls” over financial reporting above a certain minimum asset size threshold? Explain why or why not.
2. What minimum asset size threshold would be appropriate for requiring, in addition to a financial statement audit, an “attestation on internal controls” over financial reporting, given the additional burden on management and its external auditor? Explain the reasons for the threshold you favor.
3. Should the minimum asset size threshold for requiring an “attestation on internal controls” over financial reporting be the same for natural person credit unions and corporate credit unions? Explain why.
4. Should management's assessments of the effectiveness of internal controls and the attestation by its external auditor cover all financial reporting, (i.e., financial statements prepared in accordance with GAAP and those prepared for regulatory reporting purposes), or should it be more narrowly framed to cover only certain types of financial reporting? If so, which types?
5. Should the same auditor be permitted to perform both the financial statement audit and the “attestation on internal controls” over financial reporting, or should a credit union be allowed to engage one auditor to perform the financial statement audit and another to perform the “attestation on internal controls?” Explain the reasons for your answer.
6. If an “attestation on internal controls” were required of credit unions, should it be required annually or less frequently? Why?
7. If an “attestation on internal controls” were required of credit unions, when should the requirement become effective (i.e., in the fiscal period beginning after December 15 of what year)?
B. Standards Governing Internal Control Assessments and Attestations
Management's responsibility in an “attestation on internal controls”—to report its assessments of the effectiveness of the internal control structure and procedures established and maintained by the credit union—and the external auditor's responsibility—to examine, attest to, and report on management's assessments—each must be done in accordance with a standard recognized by the auditing industry. For management, the most commonly recognized standard for establishing, maintaining and assessing the effectiveness of the internal control structure is the Internal Control—Integrated Framework (1994 ed.) developed by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). For the external auditor's attestation, the standard for non-public companies thus far has been the American Institute of Certified Public Accountants (“AICPA”) AT 501 internal control attestation standard.
The AICPA has exposed for public comment a revised AT 501 that is more in line with the Public Company Accounting Oversight Board's (“PCAOB”) Auditing Standard No. 2 (“AS 2”) that applies to public companies under Sarbanes-Oxley, 15 U.S.C. 7262(b). The final revisions to AT 501 are likely to require greater documentation and testing of internal control over financial reporting by management to enable the auditor to fulfill the attestation responsibility.
To assist the NCUA Board in determining what assessment and attestation standards should apply to credit union “attestation on internal controls” engagements, please comment in response to the following questions:
8. If credit unions were required to obtain an “attestation on internal controls,” should part 715 require that those attestations, whether for a natural person or corporate credit union, adhere to the PCAOB's AS 2 standard that applies to public companies, or to the AICPA's revised AT 501 standard that applies to non-public companies? Please explain your preference.
9. Should NCUA mandate COSO's Internal Control—Integrated Framework as the standard all credit union management must follow when establishing, maintaining and assessing the effectiveness of the internal control structure and procedures, or should each credit union have the option to choose its own standard?
C. Qualifications of Supervisory Committee Members
A credit union's Supervisory Committee is appointed by its board of directors and “shall consist of not less than three members nor more than five, one of whom may be a director other than the compensated officer of the board.” 12 U.S.C. 1761(b). Further, “no member of the credit committee, if applicable, or any employee of th[e] credit union may be appointed to the committee.” NCUA, Federal Credit Union Standard ByLaws Art. IX, section 1 (Rev. 10/99), 65 FR 55760 (Oct. 14, 1999). See also 70 FR 40924, 40928 (July 15, 2005). Apart from these disqualifications based on position and not asset size, part 715 imposes no affirmative qualifications as a prerequisite to serve on a Supervisory Committee.
For financial institutions other than credit unions, the audit committee is the analog to a credit union Supervisory Committee. For institutions with total assets of $1 billion or more, FDIC requires the audit committee to be comprised completely of members who are independent of management of the institution. 12 CFR 363.5(a)(1). If this limitation were to apply to Supervisory Committees, 103 natural person and 17 corporate credit unions would be affected. For institutions with total assets of $500 million or more but less than $1 billion, FDIC requires the majority of the members of the audit committee to be independent of management of the institution. 12 CFR 363.5(a)(2). If this limitation were to apply to Supervisory Committees, 258 natural person and 22 corporate credit unions would be affected. Exceptions to these restrictions are permitted when it imposes a hardship in recruiting and retaining competent members. Id.
Finally, for institutions with total assets of more than $3 billion, FDIC requires audit committee members to have banking or related financial management expertise, access to their own outside counsel, and no association with any large customer of the institution. 12 CFR 363.5(b). If the asset threshold for these qualifications were to apply to Supervisory Committees, 12 natural person and 6 corporate credit unions would be affected. To assist the NCUA Board in determining whether to develop such qualifications as prerequisites for Supervisory Committee membership, please respond to the following questions:
10. Should Supervisory Committee members of credit unions above a certain minimum asset size threshold be required to have a minimum level of experience or expertise in credit union, banking or other financial matters? If so, what criteria should they be required to meet and what should the minimum asset size threshold be?
11. Should Supervisory Committee members of credit unions above a certain minimum asset size threshold be required to have access to their own outside counsel? If so, at what minimum asset size threshold?
12. Should Supervisory Committee members of credit unions above a certain minimum asset size threshold be prohibited from being associated with any large customer of the credit union other than its sponsor? If so, at what minimum asset size threshold?
13. If any of the qualifications addressed in questions 10, 11 and 12 above were required of Supervisory Committee members, would credit unions have difficulty in recruiting and retaining competent individuals to serve in sufficient numbers? If so, describe the obstacles associated with each qualification.
D. Independence of State-Licensed, Compensated Auditors
Under existing part 715, a financial statement audit of a federally-insured credit union must be “performed in accordance with GAAS by an independent person who is [State-licensed].” 12 CFR 715.5(a). GAAS incorporates the AICPA “independence” standards that apply when an independent, licensed certified public accountant audits financial statements. 12 CFR 715.2(f). FDIC requires independent accountants who audit institutions with assets of $500 million or more to not only meet the AICPA's Code of Professional Conduct, but also to meet the “independence” standards and interpretations of the U.S. Securities and Exchange Commission (“SEC”) and its staff. 12 CFR part 363 App. A ¶ 14. To assist the NCUA Board in determining what “independence” standards should apply to State-licensed, compensated auditors, please comment in response to the following question:
14. Should a State-licensed, compensated auditor who performs a financial statement audit and/or “internal control attestation” be required to meet just the AICPA's “independence” standards, or should they be required to also meet SEC's “independence” requirements and interpretations? If not both, why not?
E. Audit Options, Reports and Engagements
Experience with part 715 over the last six years has raised a number of miscellaneous issues. To assist the NCUA Board in addressing these issues, please respond to the following questions:
15. Is there value in retaining the “balance sheet audit” in existing § 715.7(a) as an audit option for credit unions with less than $500 million in assets?
16. Is there value in retaining the “Supervisory Committee Guide audit” in existing § 715.7(c) as an audit option for credit unions with less than $500 million in assets?
17. Should part 715 require credit unions that obtain a financial statement audit and/or an “attestation on internal controls” (whether as required or voluntarily) to forward a copy of the auditor's report to NCUA? If so, how soon after the audit period-end? If not, why not?
18. Should part 715 require credit unions to provide NCUA with a copy of any management letter, qualification, or other report issued by its external auditor in connection with services provided to the credit union? If so, how soon after the credit union receives it? If not, why not?
19. If credit unions were required to forward external auditors' reports to NCUA, should part 715 require the auditor to review those reports with the Supervisory Committee before forwarding them to NCUA?
20. Existing part 715 requires a credit union's engagement letter to prescribe a target date of 120 days after the audit period-end for delivery of the audit report. Should this period be extended or shortened? What sanctions should be imposed against a credit union that fails to include the target delivery date within its engagement letter?
21. Should part 715 require credit unions to notify NCUA in writing when they enter into an engagement with an auditor, and/or when an engagement ceases by reason of the auditor's dismissal or resignation? If so in cases of dismissal or resignation, should the credit union be required to include reasons for the dismissal or resignation?
22. NCUA recently joined in the final Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters, 71 FR 6847 (Feb. 9, 2006). Should credit union Supervisory Committees be prohibited by regulation from executing engagement letters that contain language limiting various forms of auditor liability to the credit union? Should Supervisory Committees be prohibited from waiving the auditor's punitive damages liability?
By the National Credit Union Administration Board on February 16, 2006.
Mary F. Rupp,
Secretary of the Board.
1. In contrast to NCUA, Congress gave FDIC the authority to adjust the minimum asset threshold that triggers FDICIA's audit requirements. 12 U.S.C. 1831m(j)(2). Thus, FDICIA originally set the minimum asset threshold for requiring a financial statement audit at $150 million. 12 U.S.C. 1831m(j)(1). FDIC then raised the threshold to $500 million. 12 CFR 363.1(a); 58 FR 31332 (June 2, 1993).
2. See 12 U.S.C. 1761d, 1782a(a)(2), 1789(a)(8) and (11) as implemented by 12 CFR 715, 741.202(a) (federally-insured natural person credit unions) and 12 U.S.C. 1761d, 1766(a), 1782a(a)(2), 1789(a)(8) and (11) as implemented by 12 CFR 704.15(a) (federally-insured corporate credit unions).
3. AS 2 is available at: http://www.pcaobus.org/Standards/StandardsandRelatedRules/Auditing StandardNo.2.aspx. For the exposure draft of revised AT 501, see AICPA Auditing Standards Board, Proposed Statement on Standards for Attestation Engagements dated Jan. 19, 2006, available at: http://www.aicpa.org/download/exposure/EDAT501.pdf.
4. For GAAS “independence” standards, see generally AU § 220—Independence in AICPA, Professional Standards (updated 12/05) and ET § 100—Independence, Integrity and Objectivity in AICPA, Code of Professional Conduct. For SEC “independence” standards and interpretations, see generally SEC, Strengthening the Commission's Requirements Regarding Auditor Independence, Release Nos. 33-8183; 34-47265; 35-27642; IC-25915; IA-2103, FR-68, File No. S7-49-02 (January 28, 2003), 68 FR 6005 (Feb. 5, 2003).
[FR Doc. E6-2531 Filed 2-22-06; 8:45 am]
BILLING CODE 7535-01-P