Supervisory Committee Audits, 9278-9281 [E6-2531]

Agencies

• National Credit Union Administration

[Federal Register Volume 71, Number 36 (Thursday, February 23, 2006)]
[Proposed Rules]
[Pages 9278-9281]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E6-2531]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 71, No. 36 / Thursday, February 23, 2006 / 
Proposed Rules

[[Page 9278]]



NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 704, 715, and 741


Supervisory Committee Audits

AGENCY: National Credit Union Administration (NCUA).

ACTION: Advance notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The National Credit Union Administration (NCUA) requests 
public comment on whether and how to modify its Supervisory Committee 
audit rules to require credit unions to obtain an ``attestation on 
internal controls'' in connection with their annual audits; to identify 
and impose assessment and attestation standards for such engagements; 
to impose minimum qualifications for Supervisory Committee members; and 
to identify and impose a standard for the independence required of 
State-licensed, compensated auditors.

DATES: Comments must be received on or before April 24, 2006.

ADDRESSES: You may submit comments by any one of the following methods 
(Please send comments by one method only):
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     NCUA Web Site: https://www.ncua.gov/
RegulationsOpinionsLaws/proposed_regs/proposed_regs.html. Follow the 
instructions for submitting comments.
     E-mail: Address to regcomments@ncua.gov. Include ``[Your 
name] Comments on Part 715 ANPR, Supervisory Committee Audits'' in the 
e-mail subject line.
     Fax: (703) 518-6319. Use the subject line described above 
for e-mail.
     Mail: Address to Mary Rupp, Secretary of the Board, 
National Credit Union Administration, 1775 Duke Street, Alexandria, 
Virginia 22314-3428.
     Hand Delivery/Courier: Same as mail address.

FOR FURTHER INFORMATION CONTACT: Karen Kelbly, Chief Accountant, Office 
of Examination and Insurance, telephone: (703) 518-6389; Steven W. 
Widerman, Trial Attorney, Office of General Counsel, telephone: (703) 
518-6557.

SUPPLEMENTARY INFORMATION:

I. Background

A. Existing Part 715

    In 1998, the Credit Union Membership Access Act (``CUMAA''), Public 
Law 105-219, 112 Stat. 913 (1998), amended the Federal Credit Union Act 
to require credit unions having assets of $10 million or more to follow 
generally accepted accounting principles (``GAAP'') in all reports and 
statements filed with the NCUA Board. 12 U.S.C. 1782(a)(6)(C). CUMAA 
further required credit unions having assets of $500 million or more to 
obtain an annual independent audit of its financial statements 
(``financial statement audit'') performed in accordance with generally 
accepted auditing standards (``GAAS'') by an independent certified 
public accountant or public accountant licensed by the appropriate 
State or jurisdiction. 12 U.S.C. 1782(a)(6)(D).
    Beyond the requirement to adhere to GAAP, the CUMAA amendments 
imposed no minimum audit requirements on federally-chartered credit 
unions having less than $500 million in assets. See 64 FR 41029 (July 
29, 1999). And in contrast to other federally-insured financial 
institutions, 12 U.S.C. 1831m(c), CUMAA did not require credit unions 
to obtain, in connection with their annual audits, an ``attestation on 
internal controls'' by the credit union's independent accountant 
(hereinafter referred to as ``external auditor'').
    In 1999, NCUA comprehensively overhauled its Supervisory Committee 
audit rules to conform to the CUMAA amendments. 64 FR 41029. Amended 
part 715 follows CUMAA in requiring credit unions having assets of $500 
million or more to annually obtain a financial statement audit. 12 CFR 
715.5. However, part 715 gives those having less than $500 million in 
assets a choice among several audit options: (1) A financial statement 
audit; (2) a ``balance sheet audit''; (3) a ``report on examination of 
internal controls over Call Reporting''; and (4) an audit as prescribed 
by NCUA's Supervisory Committee Guide. 12 CFR 715.7. None of these 
audit options requires an additional ``attestation on internal 
controls'' of the scope prescribed for other federally-insured 
financial institutions.

B. Request for Comments

    Through this Advance Notice of Proposed Rulemaking, the NCUA Board 
seeks public comment in the form of answers to questions on four 
discrete issues: (A) Whether to require credit unions to obtain an 
``attestation on internal controls'' in connection with their annual 
audits (questions 1 through 7 below); (B) What standards should govern 
the assessment and attestation components of such an engagement 
(questions 8 and 9 below); (C) What qualifications should be required 
as prerequisites to serve on a Supervisory Committee (questions 10 
through 13 below); and (D) What standard should dictate the degree of 
independence required of state-licensed, compensated auditors (question 
14 below). The NCUA Board also seeks input on several miscellaneous 
issues involving audit options for credit unions having less than $500 
million in assets, requirements for delivery and regulatory access to 
audit reports, and the terms and conditions in engagement letters, 
including limitations on auditor liability (questions 15 through 22 
below).
    To facilitate consideration of the public's views, please address 
your comments to the questions set forth in section II. below for each 
subject. To maximize the value of your comments, it is essential to 
explain the reasons that support your conclusions. In addition, it is 
important to organize and identify your comments by corresponding 
question number and subject so that each question is addressed 
separately. You will have a further opportunity to comment 
comprehensively on the issues raised by these questions if the NCUA 
Board issues a proposed rule for public consideration.

II. Issues for Comment

A. Internal Control Assessment and Attestation

    An ``attestation on internal controls'' has two principal 
components. First, management must report its assessments of the 
effectiveness of the internal control structure and procedures

[[Page 9279]]

established and maintained by the credit union. Then, its external 
auditor must examine, attest to, and report separately on management's 
written assertions (i.e., derived from its assessments) on the 
effectiveness of the internal control structure and procedures. The 
scope on an ``attestation on internal controls'' may be limited only to 
the effectiveness of internal controls over financial statements 
prepared for regulatory purposes, such as Call Reports. An example of 
this is the ``report on examination of internal controls over Call 
Reporting,'' an audit option currently available to some credit unions. 
12 CFR 715.7(b). Or the scope on an ``internal control attestation'' 
engagement may extend to the effectiveness of internal controls over 
all financial reporting, i.e., financial statements prepared in 
accordance with GAAP and required regulatory reports.
    The Sarbanes-Oxley Act, Public Law 107-204, 116 Stat. 745, 789 
(2002), enacted in 2002, requires all public companies, in connection 
with an annual financial statement audit, to obtain an ``attestation on 
internal controls'' over financial reporting. 15 U.S.C. 7262. This 
requirement is similar to that which the Federal Deposit Insurance 
Corporation Improvements Act (``FDICIA'') has imposed on federally-
insured financial institutions, other than credit unions, since 1991. 
12 U.S.C. 1831m(c).
    In 2003, the U.S. General Accounting Office (now the U.S. General 
Accountability Office) (``GAO'') suggested that ``NCUA might gain an 
evaluation of an institution's internal controls, comparable to other 
depository institution regulators, if credit unions were required, like 
banks and thrifts, to provide management evaluations of internal 
controls and their auditor's assessments of such evaluations.'' GAO, 
Credit Unions: Financial Condition Has Improved, But Opportunities 
Exist to Enhance Oversight and Share Insurance Management (GAO-04-91) 
(``GAO Report'') at 81. GAO further recommended ``making credit unions 
with assets of $500 million or more subject to the FDICIA requirement 
that management and external auditors report on the internal control 
structure and procedures for financial reporting * * *.'' Id. at 83-84. 
GAO reiterated this recommendation in 2005. GAO, Issues Regarding the 
Tax-Exempt Status of Credit Unions (GAO-06-220T) at 4. However, since 
GAO made its recommendation, the Federal Deposit Insurance Corporation 
(``FDIC'') has increased from $500 million to $1 billion the minimum 
asset size of the institutions required by FDICIA to obtain an 
``attestation on internal controls'' over all financial reporting. 12 
CFR 363.3(b); 70 FR 71226 (Nov. 28, 2005).\1\
---------------------------------------------------------------------------

    \1\ In contrast to NCUA, Congress gave FDIC the authority to 
adjust the minimum asset threshold that triggers FDICIA's audit 
requirements. 12 U.S.C. 1831m(j)(2). Thus, FDICIA originally set the 
minimum asset threshold for requiring a financial statement audit at 
$150 million. 12 U.S.C. 1831m(j)(1). FDIC then raised the threshold 
to $500 million. 12 CFR 363.1(a); 58 FR 31332 (June 2, 1993).
---------------------------------------------------------------------------

    NCUA concurred with GAO's recommendation to consider adopting a 
FDICIA-like attestation requirement, noting that it already provided 
guidance strongly encouraging large credit unions to voluntarily 
provide reporting on internal controls. GAO Report at 84; see enclosure 
to NCUA, Letter to Credit Unions No. 03-FCU-7 (Oct. 2003). GAO left the 
matter of ensuring parity in internal control reporting among all 
federally-insured financial institutions for Congressional 
consideration. However, NCUA believes that legislation is not necessary 
because the agency has the authority-which GAO acknowledged--to 
implement regulations requiring credit unions to provide these reports 
should it become necessary.\2\ Id. at 84-85. To determine the extent to 
which such reports are necessary, the NCUA Board invites public 
comments in response to the following questions:
---------------------------------------------------------------------------

    \2\ See 12 U.S.C. 1761d, 1782a(a)(2), 1789(a)(8) and (11) as 
implemented by 12 CFR 715, 741.202(a) (federally-insured natural 
person credit unions) and 12 U.S.C. 1761d, 1766(a), 1782a(a)(2), 
1789(a)(8) and (11) as implemented by 12 CFR 704.15(a) (federally-
insured corporate credit unions).
---------------------------------------------------------------------------

Questions No.
    1. Should part 715 require, in addition to a financial statement 
audit, an ``attestation on internal controls'' over financial reporting 
above a certain minimum asset size threshold? Explain why or why not.
    2. What minimum asset size threshold would be appropriate for 
requiring, in addition to a financial statement audit, an ``attestation 
on internal controls'' over financial reporting, given the additional 
burden on management and its external auditor? Explain the reasons for 
the threshold you favor.
    3. Should the minimum asset size threshold for requiring an 
``attestation on internal controls'' over financial reporting be the 
same for natural person credit unions and corporate credit unions? 
Explain why.
    4. Should management's assessments of the effectiveness of internal 
controls and the attestation by its external auditor cover all 
financial reporting, (i.e., financial statements prepared in accordance 
with GAAP and those prepared for regulatory reporting purposes), or 
should it be more narrowly framed to cover only certain types of 
financial reporting? If so, which types?
    5. Should the same auditor be permitted to perform both the 
financial statement audit and the ``attestation on internal controls'' 
over financial reporting, or should a credit union be allowed to engage 
one auditor to perform the financial statement audit and another to 
perform the ``attestation on internal controls?'' Explain the reasons 
for your answer.
    6. If an ``attestation on internal controls'' were required of 
credit unions, should it be required annually or less frequently? Why?
    7. If an ``attestation on internal controls'' were required of 
credit unions, when should the requirement become effective (i.e., in 
the fiscal period beginning after December 15 of what year)?

B. Standards Governing Internal Control Assessments and Attestations

    Management's responsibility in an ``attestation on internal 
controls''--to report its assessments of the effectiveness of the 
internal control structure and procedures established and maintained by 
the credit union--and the external auditor's responsibility--to 
examine, attest to, and report on management's assessments--each must 
be done in accordance with a standard recognized by the auditing 
industry. For management, the most commonly recognized standard for 
establishing, maintaining and assessing the effectiveness of the 
internal control structure is the Internal Control--Integrated 
Framework (1994 ed.) developed by the Committee of Sponsoring 
Organizations of the Treadway Commission (``COSO''). For the external 
auditor's attestation, the standard for non-public companies thus far 
has been the American Institute of Certified Public Accountants 
(``AICPA'') AT 501 internal control attestation standard.
    The AICPA has exposed for public comment a revised AT 501 that is 
more in line with the Public Company Accounting Oversight Board's 
(``PCAOB'') Auditing Standard No. 2 (``AS 2'') that applies to public 
companies under Sarbanes-Oxley, 15 U.S.C. 7262(b). The final revisions 
to AT 501 are likely to require greater documentation and testing of 
internal control over financial reporting by

[[Page 9280]]

management to enable the auditor to fulfill the attestation 
responsibility.\3\
---------------------------------------------------------------------------

    \3\ AS 2 is available at: https://www.pcaobus.org/Standards/
StandardsandRelatedRules/Auditing StandardNo.2.aspx. For the 
exposure draft of revised AT 501, see AICPA Auditing Standards 
Board, Proposed Statement on Standards for Attestation Engagements 
dated Jan. 19, 2006, available at: https://www.aicpa.org/download/
exposure/EDAT501.pdf.
---------------------------------------------------------------------------

    To assist the NCUA Board in determining what assessment and 
attestation standards should apply to credit union ``attestation on 
internal controls'' engagements, please comment in response to the 
following questions:
Question No.
    8. If credit unions were required to obtain an ``attestation on 
internal controls,'' should part 715 require that those attestations, 
whether for a natural person or corporate credit union, adhere to the 
PCAOB's AS 2 standard that applies to public companies, or to the 
AICPA's revised AT 501 standard that applies to non-public companies? 
Please explain your preference.
    9. Should NCUA mandate COSO's Internal Control--Integrated 
Framework as the standard all credit union management must follow when 
establishing, maintaining and assessing the effectiveness of the 
internal control structure and procedures, or should each credit union 
have the option to choose its own standard?

C. Qualificatons of Supervisory Committee Members

    A credit union's Supervisory Committee is appointed by its board of 
directors and ``shall consist of not less than three members nor more 
than five, one of whom may be a director other than the compensated 
officer of the board.'' 12 U.S.C. 1761(b). Further, ``no member of the 
credit committee, if applicable, or any employee of th[e] credit union 
may be appointed to the committee.'' NCUA, Federal Credit Union 
Standard ByLaws Art. IX, section 1 (Rev. 10/99), 65 FR 55760 (Oct. 14, 
1999). See also 70 FR 40924, 40928 (July 15, 2005). Apart from these 
disqualifications based on position and not asset size, part 715 
imposes no affirmative qualifications as a prerequisite to serve on a 
Supervisory Committee.
    For financial institutions other than credit unions, the audit 
committee is the analog to a credit union Supervisory Committee. For 
institutions with total assets of $1 billion or more, FDIC requires the 
audit committee to be comprised completely of members who are 
independent of management of the institution. 12 CFR 363.5(a)(1). If 
this limitation were to apply to Supervisory Committees, 103 natural 
persons and 17 corporate credit unions would be affected. For 
institutions with total assets of $500 million or more but less than $1 
billion, FDIC requires the majority of the members of the audit 
committee to be independent of management of the institution. 12 CFR 
363.5(a)(2). If this limitation were to apply to Supervisory 
Committees, 258 natural persons and 22 corporate credit unions would be 
affected. Exceptions to these restrictions are permitted when it 
imposes a hardship in recruiting and retaining competent members. Id.
    Finally, for institutions with total assets of more then $3 
billion, FDIC requires audit committee members to have banking or 
related financial management expertise, access to their own outside 
counsel, and no association with any large customer of the institution. 
12 CFR 363.5(b). If the asset threshold for these qualifications were 
to apply to Supervisory Committees, 12 natural person and 6 corporate 
credit unions would be affected. To assist the NCUA Board in 
determining whether to develop such qualifications as prerequisites for 
Supervisory Committee membership, please respond to the following 
questions:
Question No.
    10. Should Supervisory Committee members of credit unions above a 
certain minimum asset size threshold be required to have a minimum 
level of experience or expertise in credit union, banking or other 
financial matters? If so, what criteria should they be required to meet 
and what should the minimum asset size threshold be?
    11. Should Supervisory Committee members of credit unions above a 
certain minimum asset size threshold be required to have access to 
their own outside counsel? If so, at what minimum asset size threshold?
    12. Should Supervisory Committee members of credit unions above a 
certain minimum asset size threshold be prohibited from being 
associated with any large customer of the credit union other than its 
sponsor? If so, at what minimum asset size threshold?
    13. If any of the qualifications addressed in questions 10, 11 and 
12 above were required of Supervisory Committee members, would credit 
unions have difficulty in recruiting and retaining competent 
individuals to serve in sufficient numbers? If so, describe the 
obstacles associated with each qualification.

D. Independence of State-Licensed, Compensated Auditors

    Under existing part 715, a financial statement audit of a 
federally-insured credit union must be ``performed in accordance with 
GAAS by an independent person who is [State-licensed].'' 12 CFR 
715.5(a). GAAS incorporates the AICPA ``independence'' standards that 
apply when an independent, licensed certified public accountant audits 
financial statements. 12 CFR 715.2(f). FDIC requires independent 
accountants who audit institutions with assets of $500 million or more 
to not only meet the AICPA's Code of Professional Conduct, but also to 
meet the ``independence'' standards and interpretations of the U.S. 
Securities and Exchange Commission (``SEC'') and its staff.\4\ 12 CFR 
part 363 App. A ] 14. To assist the NCUA Board in determining what 
``independence'' standards should apply to State-licensed, compensated 
auditors, please comment in response to the following question:
---------------------------------------------------------------------------

    \4\ For GAAS ``independence'' standards, see generally AU Sec.  
220--Independence in AICPA, Professional Standards (updated 12/05) 
and ET Sec.  100--Independence, Integrity and Objectivity in AICPA, 
Code of Professional Conduct. For SEC ``independence'' standards and 
interpretations, see generally SEC, Strengthening the Commission's 
Requirements Regarding Auditor Independence, Release Nos. 33-8183; 
34-47265; 35-27642; IC-25915; IA-2103, FR-68, File No. S7-49-02 
(January 28, 2003), 68 FR 6005 (Feb. 5, 2003).
---------------------------------------------------------------------------

Question No.
    14. Should a State-licensed, compensated auditor who performs a 
financial statement audit and/or ``internal control attestation'' be 
required to meet just the AICPA's ``independence'' standards, or should 
they be required to also meet SEC's ``independence'' requirements and 
interpretations? If not both, why not?

E. Audit Options, Reports and Engagements

    Experience with part 715 over the last six years has raised a 
number of miscellaneous issues. To assist the NCUA Board in addressing 
these issues, please respond to the following questions:
Question No.
    15. Is there value in retaining the ``balance sheet audit'' in 
existing Sec.  715.7(a) as an audit option for credit unions with less 
than $500 million in assets?
    16. Is there value in retaining the ``Supervisory Committee Guide 
audit'' in existing Sec.  715.7(c) as an audit option for credit unions 
with less than $500 million in assets?

[[Page 9281]]

    17. Should part 715 require credit unions that obtain a financial 
statement audit and/or an ``attestation on internal controls'' (whether 
as required or voluntarily) to forward a copy of the auditor's report 
to NCUA? If so, how soon after the audit period-end? If not, why not?
    18. Should part 715 require credit unions to provide NCUA with a 
copy of any management letter, qualification, or other report issued by 
its external auditor in connection with services provided to the credit 
union? If so, how soon after the credit union receives it? If not, why 
not?
    19. If credit unions were required to forward external auditors' 
reports to NCUA, should part 715 require the auditor to review those 
reports with the Supervisory Committee before forwarding them to NCUA?
    20. Existing part 715 requires a credit union's engagement letter 
to prescribe a target date of 120 days after the audit period-end for 
delivery of the audit report. Should this period be extended or 
shortened? What sanctions should be imposed against a credit union that 
fails to include the target delivery date within its engagement letter?
    21. Should part 715 require credit unions to notify NCUA in writing 
when they enter into an engagement with an auditor, and/or when an 
engagement ceases by reason of the auditor's dismissal or resignation? 
If so in cases of dismissal or resignation, should the credit union be 
required to include reasons for the dismissal or resignation?
    22. NCUA recently joined in the final Interagency Advisory on the 
Unsafe and Unsound Use of Limitation of Liability Provisions in 
External Audit Engagement Letters, 71 FR 6847 (Feb. 9, 2006). Should 
credit union Supervisory Committees be prohibited by regulation from 
executing engagement letters that contain language limiting various 
forms of auditor liability to the credit union? Should Supervisory 
Committees be prohibited from waiving the auditor's punitive damages 
liability?

    By the National Credit Union Administration Board on February 
16, 2006.
Mary F. Rupp,
Secretary of the Board.
 [FR Doc. E6-2531 Filed 2-22-06; 8:45 am]
BILLING CODE 7535-01-P